
NAT example

Maria Bulatova edited this page Aug 6, 2018 · 7 revisions

The NAT example is a fully functional network address translation program written entirely in userspace using NFF-Go. Running it requires two configured interfaces, one for the private network and one for the public network. The NAT example supports multiple private-public interface pairs, but these instructions describe running NAT with just one pair.

To run NAT on virtual machines configured by the NFF-Go vagrant script, you need to create three systems. The following command creates three VMs connected with double links, e.g. VM=VM=VM:

VM_GROUP_SIZE=3 VM_TOTAL_NUMBER=3 VM_LINKS_NUMBER=2 vagrant up

To log in to these hosts, use the same environment values, e.g.

VM_GROUP_SIZE=3 VM_TOTAL_NUMBER=3 VM_LINKS_NUMBER=2 vagrant ssh nff-go-2

The middle machine, nff-go-1, is the NAT host. It is connected to two networks and has four network interfaces. The NFF-Go vagrant script uploads configuration scripts that make network configuration easy on all three systems. The first system, nff-go-0, sits in the private NAT network and is configured with the command natclient. The second system, nff-go-1, is the NAT host, and its network configuration is done with natsetup. After that, run the command bindports on this system to bind two network interfaces to the DPDK driver. The third system is the server, and it is configured with natserver.

The setup commands assign static IPs and set routing and forwarding rules on all three systems, creating two chains: the first for NFF-Go NAT, the second for Linux NAT:

nff-go-0: NFF-Go NAT client 192.168.14.2 which is connected to nff-go-1 port 1, where IP address is supposed to be 192.168.14.1
nff-go-1: NFF-Go NAT with interface 0 for private network and interface 1 for public network
nff-go-2: NFF-Go NAT server 192.168.16.2 which is connected to nff-go-1 port 0, where IP address is supposed to be 192.168.16.1

and

nff-go-0: Linux NAT client 192.168.24.2 which is connected to nff-go-1 interface enp0s9
nff-go-1: Linux NAT which has iptables rules to forward packets from enp0s9 to enp0s16 and has IP addresses 192.168.24.1 and 192.168.26.2 respectively
nff-go-2: Linux NAT server 192.168.26.2 which is connected to nff-go-1 interface enp0s9

After network setup is done, it should be possible to use the Linux NAT chain, e.g. ping nff-go-2 from nff-go-0:

nff-go-0# ping 192.168.26.2

or download web pages from the Apache web server on nff-go-2:

nff-go-0: wget --no-proxy http://192.168.26.2/index.html

or run Apache benchmark against the nff-go-2 web server:

nff-go-0: ab -c 10 -n 10000 http://192.168.26.2/index.html

Before running NFF-Go NAT, edit its configuration file, because NAT currently cannot send ARP requests on the server side. In the public-port configuration, specify the MAC address of interface enp0s8 on nff-go-2, e.g.

{
    "port-pairs": [
        {
            "private-port": {
                "index": 0,
                "subnet": "192.168.14.1/24"
            },
            "public-port": {
                "index": 1,
                "dst-mac": "11:22:33:44:55:66",
                "subnet": "192.168.16.1"
            }
        }
    ]
}

This configuration file tells NAT to use IP address 192.168.14.1 on port 1, connected to nff-go-0, and 192.168.16.1 on port 0, connected to nff-go-2. Run NFF-Go NAT like this:

nff-go-1# cd $nff-go/examples/nat/main
nff-go-1# sudo ./nat -config config.json
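
Because NAT cannot resolve the server-side next hop itself, the dst-mac in config.json is the only thing deciding where translated frames are delivered, so it is worth checking the file before starting NAT. The following pre-flight check is an added example, not part of NFF-Go; its Go type names are assumptions based on the JSON keys shown above. Run against the sample configuration from this page, it reports that 11:22:33:44:55:66 is a group address (the low bit of the first octet is set), a reminder that the sample value has to be replaced with the real MAC of nff-go-2.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Types cover only the keys checked here (assumed, not NFF-Go's own types).
type port struct {
	DstMAC string `json:"dst-mac"`
	Subnet string `json:"subnet"`
}

type natConfig struct {
	PortPairs []struct {
		Private port `json:"private-port"`
		Public  port `json:"public-port"`
	} `json:"port-pairs"`
}

// pageSample is the configuration shown on this page, used as sample input.
const pageSample = `{"port-pairs":[{"private-port":{"index":0,"subnet":"192.168.14.1/24"},
  "public-port":{"index":1,"dst-mac":"11:22:33:44:55:66","subnet":"192.168.16.1"}}]}`

// checkConfig returns one message per problem found in a NAT config.
func checkConfig(raw []byte) (problems []string) {
	var cfg natConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return []string{"invalid JSON: " + err.Error()}
	}
	for i, p := range cfg.PortPairs {
		// NAT cannot ARP on the public side, so dst-mac is the only next hop.
		mac, err := net.ParseMAC(p.Public.DstMAC)
		if err != nil || len(mac) != 6 {
			problems = append(problems, fmt.Sprintf("pair %d: dst-mac %q is not a 48-bit MAC", i, p.Public.DstMAC))
		} else if mac[0]&1 == 1 {
			problems = append(problems, fmt.Sprintf("pair %d: dst-mac %s is a group (multicast) address", i, mac))
		}
		for _, s := range []string{p.Private.Subnet, p.Public.Subnet} {
			if _, _, err := net.ParseCIDR(s); err != nil && net.ParseIP(s) == nil {
				problems = append(problems, fmt.Sprintf("pair %d: subnet %q is neither CIDR nor IP", i, s))
			}
		}
	}
	return problems
}

func main() { fmt.Println(checkConfig([]byte(pageSample))) }
```
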

When NFF-Go NAT is running, it should be possible to ping and download files from the web server using the 192.168.16.2 address of nff-go-2:

nff-go-0# ping 192.168.16.2

or download web pages from the Apache web server on nff-go-2:

nff-go-0: wget --no-proxy http://192.168.16.2/index.html

or run Apache benchmark against the nff-go-2 web server:

nff-go-0: ab -c 10 -n 10000 http://192.168.16.2/index.html

When using address 192.168.16.2, the routing rules send packets through the network interface connected to NFF-Go instead of through Linux iptables.