Changes between Version 1 and Version 2 of JoeSandbox/OpenFlowNATTremaExample/Execute
- Timestamp:
- 08/27/14 13:45:43 (10 years ago)
JoeSandbox/OpenFlowNATTremaExample/Execute
v1 v2 20 20 = STEPS FOR EXECUTING EXAMPLE = 21 21 22 In this section, we are going to build a router for a private address space that needs one-to-many NAT (IP Masquerade) for some reason (e.g. short on public IP or security) using OpenFlow. As shown in the figure below, hosts `inside1` and `inside2` are inside the LAN, while host `outside` is outside. The LAN has only one public IP — '''128.128.129.1'''. (The external IPs we use, 128.128.128.0/24 and 128.128.129.0/24, are just an example. If your public IP happens to be in this subnet, change them to others.)22 In this section, we are going to build a router for a netwrok with a private address space that needs a one-to-many NAT (IP Masquerade) for some reason (e.g. short on public IP space or security) using OpenFlow. As shown in the figure below, hosts `inside1` and `inside2` are part of the private network, while host `outside` is outside. The LAN has only one public IP — '''128.128.129.1'''. (The external IPs we use, 128.128.128.0/24 and 128.128.129.0/24, are just an example. If your public IP happens to be in this subnet, change them to others.) 23 23 24 24 [[Image(openflow-nat.png, 50%, nolink)]] … … 26 26 === 1.1 Login to your hosts === 27 27 28 To start our experiment we need to ssh all of our hosts. Depending on which tool and OS you are using there is a slightly different process for logging in. If you don't know how to SSH to your reserved hosts take a look in [wiki:HowTo/LoginToNodes this page.] Once you have logged in, follow the rest of the instructions.28 To start our experiment we need to ssh into all of our hosts. Depending on which tool and OS you are using there is a slightly different process for logging in. If you don't know how to SSH to your reserved hosts take a look in [wiki:HowTo/LoginToNodes this page.] Once you have logged in, follow the rest of the instructions. 29 29 30 30 === 1.2 Test reachability === 31 31 32 a. 
First we start a ping from `inside1` to `inside2`, which should also work since they areinside the same LAN.32 a. First we start a ping from `inside1` to `inside2`, which should work since they are both inside the same LAN. 33 33 {{{ 34 34 inside1:~$ ping 192.168.0.3 -c 10 … … 42 42 c. Similarly, we cannot ping from `insideX` to `outside`. 43 43 44 d. You can also use Netcat (nc) to test reachability of TCP and UDP. The behavior should be the same.44 d. You can also use Netcat (`nc`) to test reachability of TCP and UDP. The behavior should be the same. 45 45 46 46 == 2 Start controller to enable NAT == 47 47 48 === 2.1 Inside source === 49 '''We definitely need a better naming for this one''' 48 === 2.1 Access a server from behind the NAT === 50 49 51 You can try to write your own controller to implement NAT. However, we've provided you a functional controller, which is a file called nat.rb under /tmp/.50 You can try to write your own controller to implement NAT. However, we've provided you a functional controller, which is a file called `nat.rb` under `/tmp/` . 52 51 53 a. Start the controller on ` switch` host:52 a. Start the controller on `NAT` host: 54 53 {{{ 55 switch:~$ trema run /tmp/nat.rb54 nat:~$ trema run /tmp/nat.rb 56 55 }}} 57 56 You should see following log after the switch is connected to the controller … … 78 77 Note that there should be only one log per connection, because the rest of the communication will re-use the mapping. 79 78 79 {{{ 80 #!comment 80 81 === 2.2 Outside source === 81 82 … … 105 106 106 107 e. Common solution of handling outside source is providing some way to manually create mapping in advance. We will leave it as an exercise for you to implement it. 108 }}} 107 109 108 110 == 3 Handle ARP and ICMP == … … 134 136 You should see it's receiving two groups of icmp packets, differentiated by icmp_id. 135 137 138 {{{ 139 #!comment 136 140 d. 137 141 Note that, again, you cannot start the ping from the outside, similar to TCP/UDP. 
The common solution is to manually map the ping destination to a specific inside IP in advance. We will leave it as an exercise for you to implement it, as well. 138 142 }}} 139 143 140 144
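Review bot: the rewritten line 22 introduces a typo, "for a netwrok with a private address space"; it should read "for a network with a private address space". The rest of the rewording (hosts `inside1` and `inside2` "are part of the private network", "short on public IP space") reads fine.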
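Review bot: in the hunk at lines 48-55 the prose says "Start the controller on `NAT` host" while the prompt on the next line shows `nat:~$`; pick one spelling of the host name (the prompt suggests `nat`) so readers can match it against the reservation. Same hunk, line 50: "under `/tmp/` ." has a stray space before the period.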
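Review bot: wrapping section 2.2 "Outside source" (lines 79-108) and step 3.d (lines 138-142) in `{{{ #!comment ... }}}` hides the only text that tells the reader that outside-initiated TCP/UDP and ping fail and that manual mappings are the usual fix, so the rendered page now shows 2.1 followed directly by 3 with no mention of the limitation; if the sections are being pulled for rework, leave a one-line note in 2.1 that outside-initiated connections are not handled by `nat.rb`, rather than dropping the point entirely.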