
OpenFlow Firewall and NAT Devices


This is a very simple tutorial with two topologies demonstrating an OpenFlow Firewall and an OpenFlow NAT.


For this tutorial you need a GENI Experimenter Portal account, and you must be a member of at least one project.
  • If you have a ProtoGENI (emulab) account, then you can follow this version of the tutorial.
  • If you don't have an account yet, sign up!


All the tools will already be installed at your nodes. For your reference we are going to use:

Where to get help:

For any questions or problem with the tutorial please email

Step-by-step Instructions


Step 1: Get Ready:

The first thing we need to do is log in to the portal.
  1. Go to the GENI Experimenter Portal and press the Use GENI button.
  2. From the drop-down menu, select your institution. If you got an account through the GENI Identity Provider, please select GENI Project Office.
    Tip: Start typing the name of your institution and see the list become smaller.
  3. You will be transferred to the login page of your institution. Fill in your username and password.

Step 2: Launch your experiment:

    1. At the portal home page press the create slice button from your project.
      Tip: If you are not a member of any project and you don't know how to proceed, email us
    2. Name your slice something like xxxopenflow (where xxx are your initials)
    3. Once the slice page loads, click the Add Resources button placed at the top left part of the screen.
      NOTE: If you get a warning about not having uploaded ssh keys just follow the instructions on providing an ssh key before you proceed.
    4. In the Choose RSpec section, choose the FW and NAT choice, which should contain:
    5. You will need to choose an aggregate where you want this topology to be instantiated. Click on the Site 0 box and a panel on the left side of the canvas will appear. Choose any aggregate with InstaGENI in its name.
    6. Click on the Reserve Resources button on the bottom left part of the screen.
    7. Wait while your resources are being reserved. This will take several minutes so be patient. The nodes will turn green to signify that your resources are ready.

    Step 3: Firewall

    For this experiment we will run an OpenFlow Firewall.
    1. Log into switch and run the following commands to download and run the firewall controller:
      gunzip gpo-ryu-firewall.tar.gz 
      tar xvf gpo-ryu-firewall.tar
      /tmp/ryu/bin/ryu-manager loading app
    2. Log into right and run a nc server:
      nc -l 5001
    3. Log into left and run a nc client:
      nc 5001
    4. Type some text in left and it should appear in right, and vice versa.
    5. In the terminal for switch you should see messages about the flow being passed or not:
      Extracted rule {'sport': '57430', 'dport': '5001', 'sip': '', 'dip': ''}
      Allow Connection rule {'dport': '5001', 'dip': '', 'sip': '', 'sport': 'any'}
    6. CTRL-C to kill nc in each terminal.
    7. Run a nc server on port 5002, then 5003. Compare the observed behavior to the contents of ~/gpo-ryu-firewall/fw.conf. Does the behavior match the configuration file? Feel free to modify the configuration file to block other traffic.
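
The comparison that step 7 asks for can be scripted. The Python below is an added example, not the tutorial's controller code: it replays `Extracted rule` / `Allow Connection rule` lines like those in step 5 against a rule set and reports, per flow, the verdict the rules should give and the verdict that was logged. The rule list, the sample addresses, CIDR support, first-match semantics and default deny are assumptions, since the page does not show the format of fw.conf.

```python
import ast
import ipaddress

FIELDS = ("sip", "dip", "sport", "dport")
# Constructed rule set and log (assumed values, not the contents of fw.conf).
RULES = [{"dport": "5001", "dip": "10.10.1.2", "sip": "10.10.1.0/24", "sport": "any"}]
SAMPLE_LOG = [
    "Extracted rule {'sport': '57430', 'dport': '5001', 'sip': '10.10.1.1', 'dip': '10.10.1.2'}",
    "Allow Connection rule {'dport': '5001', 'dip': '10.10.1.2', 'sip': '10.10.1.0/24', 'sport': 'any'}",
    "Extracted rule {'sport': '57431', 'dport': '5003', 'sip': '10.10.1.1', 'dip': '10.10.1.2'}",
]

def field_matches(rule_value, flow_value, is_ip):
    """'any' is a wildcard; IP fields accept one address or a CIDR block."""
    if rule_value == "any":
        return True
    if not is_ip:
        return str(rule_value) == str(flow_value)
    try:
        net = ipaddress.ip_network(rule_value, strict=False)
        return ipaddress.ip_address(flow_value) in net
    except ValueError:  # an empty or malformed address never matches
        return False

def first_allow_rule(flow, rules):
    """Return the first rule covering the flow, or None (assumed default deny)."""
    for rule in rules:
        if all(field_matches(rule[f], flow[f], f in ("sip", "dip")) for f in FIELDS):
            return rule
    return None

def parse_log_line(line):
    """Return ('extracted' | 'allow', dict) for a controller line, else (None, None)."""
    for prefix, kind in (("Extracted rule ", "extracted"), ("Allow Connection rule ", "allow")):
        if line.startswith(prefix):
            return kind, ast.literal_eval(line[len(prefix):])
    return None, None

def audit(log_lines, rules):
    """For each extracted flow return (dport, expected_allow, logged_allow)."""
    parsed = [parse_log_line(line.strip()) for line in log_lines]
    results = []
    for i, (kind, flow) in enumerate(parsed):
        if kind == "extracted":
            expected = first_allow_rule(flow, rules) is not None
            # Assumption: an allow verdict is logged on the line right after the flow.
            logged = i + 1 < len(parsed) and parsed[i + 1][0] == "allow"
            results.append((flow["dport"], expected, logged))
    return results
```

Calling `audit(SAMPLE_LOG, RULES)` yields one tuple per flow; any tuple whose second and third values differ marks a flow where the observed behavior and the rule set disagree.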

    Step 4: NAT

    Follow the steps on this page to test the NAT topology.

    Step 5: Cleanup experiment:

    After you are done with your experiment, you should always release your resources so that other experimenters can use them. To clean up your slice:
    1. Press the Delete button at the bottom of your Jacks canvas.
    Wait a few moments; all the resources will be released and you will have an empty canvas again. Notice that your slice is still there. There is no way to delete a slice; it will be removed automatically after its expiration date. Remember that a slice is just an empty container, so it doesn't take up any resources.
