Configuring NAT Using PF Firewall in Solaris 11 / 12 Zones


Solaris 11/12 PF Firewall NAT Configuration

Below is an update on how to configure NAT in Solaris 11/12; the original post used IPfilter (IPF). Since Solaris has now officially switched to the BSD Packet Filter (PF), I put together the updated example below.

Assumptions

The network used by the kernel zones is 10.10.1.0/24.
The global zone's external address is 192.168.1.50; this is the address the zones are translated to, i.e. the NAT gateway.

  • Create a vNic and assign to each kernel zone.
  • Create a vNic for use on the global zone.
  • Set the default gateway to the global zone vnic.

An example is below:
Create vNics

create-vnic requires the underlying datalink (-l). stub0 is assumed here to be an etherstub carrying the private 10.10.1.0/24 network; substitute the link your zones should share.

global # dladm create-vnic -l stub0 kz1
global # dladm create-vnic -l stub0 kz2
global # dladm create-vnic -l stub0 gl1

vNic and zone configuration

global # zonecfg -z kz1 info
[..]snip
net:
	configure-allowed-address: true
	physical: kz1
	id: 1
[..]snip
Zone IP address assignments
kz1 # ipadm create-addr -a 10.10.1.11/24 net0
kz1 # route -p add default 10.10.1.1

kz1 # ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/v4        static     ok           --         10.10.1.11/24
   net0/v6        addrconf   ok           --         fe80::8:20ff:feaa:b14f/10

kz1 # netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface 
-------------------- -------------------- ----- ----- ---------- --------- 
default              10.10.1.1            UG        2      16542           
10.10.1.0            10.10.1.11           U         3         19 net0      
127.0.0.1            127.0.0.1            UH        2       9716 lo0       

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If   
--------------------------- --------------------------- ----- --- ------- ----- 
::1                         ::1                         UH      2      38 lo0   
fe80::/10                   fe80::8:20ff:feaa:b14f      U       2       0 net0 

Global zone vNic and IP address

global # ipadm create-addr -a 10.10.1.1/24 gl1

Make sure the global zone forwards IPv4 between gl1 and the external interface (ipadm set-prop -p forwarding=on ipv4). PF only translates packets the kernel is already forwarding, so without this the zone traffic never reaches the nat-to rule.

Now we are ready for the PF configuration.
Below is the /etc/firewall/pf.conf used.
Note: this pf.conf is a deliberately minimal configuration for the purpose of NAT only. It contains no filtering rules, and PF passes everything that no rule matches, so add block/pass rules for your environment before relying on it as a firewall.

ext_if = "localnet0"    # macro for external interface
int_if = "kz1"          # macro for internal interface, Note: this is not used in this example.

pass out on $ext_if from 10.10.1.0/24 to any nat-to 192.168.1.50

Finally, enable the firewall service with svcadm:

global # svcadm enable svc:/network/firewall:default

Helpful tips
Check the active PF rule set.
Tip: I struggled with this for a while because my rule set had a syntax issue: I was using the old nat keyword, which is now obsolete, so my rule set failed to load and was not used. Checking the service still showed it online, but it was running with a default rule set.
Note: It is always a good idea, especially when things don't work properly, to verify the active rule set.

To verify the active rule set, run the command below and make sure the output is what you expect.

global # pfctl -s rules
pass out on localnet0 inet from 10.10.1.0/24 to any flags S/SA nat-to 192.168.1.50

The command below shows the current active sessions, i.e. NAT in use. The address in parentheses is the zone's original source; the address before it is what the remote peer sees after translation.

global # pfctl -s state
all udp 192.168.1.50:57472 (10.10.1.11:59700) -> 10.10.3.1:53       MULTIPLE:SINGLE
all tcp 192.168.1.50:54106 (10.10.1.11:63464) -> 10.10.1.207:22       ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:53081 (10.10.1.11:63814) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:63694 (10.10.1.11:63222) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:65501 (10.10.1.11:57828) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:52717 (10.10.1.11:50207) -> 10.10.3.1:53       MULTIPLE:SINGLE
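The state table is easier to audit per zone than per line. The script below is an added example, not code from the original post: it summarises pfctl -s state output with awk by original (pre-translation) source host, protocol and destination, which is what tells you which zone is using the NAT. The sample state lines are constructed from the ones shown above plus one untranslated inbound entry, and the function names nat_summary and host_is_natted are the example's own.

```shell
#!/bin/sh
# Summarise the NAT translations in "pfctl -s state" output per internal host.
# Added example, not from the original post; STATE_SAMPLE below is constructed.

# Print "orig_host proto destination via nat_addr count", one line per distinct
# translation. Only entries of the form "translated (original) -> destination"
# are counted; inbound ("<-") and untranslated states are skipped. IPv4 only.
nat_summary() {
    # $1: file holding pfctl -s state output
    awk '
        # fields: all <proto> <xlated:port> (<orig:port>) -> <dst:port> <state>
        $4 ~ /^\(.*\)$/ && $5 == "->" {
            orig = $4; sub(/^\(/, "", orig); sub(/\)$/, "", orig)
            sub(/:[0-9]+$/, "", orig)            # drop the zone-side source port
            xlated = $3; sub(/:[0-9]+$/, "", xlated)
            count[orig " " $2 " " $6 " via " xlated]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# Exit 0 if the given internal host currently has at least one translated session.
host_is_natted() {
    # $1: state file, $2: internal host address
    nat_summary "$1" | grep -q "^$2 "
}

# Constructed sample: the six lines from the post plus one inbound SSH state
# to the global zone itself, which carries no translation.
STATE_SAMPLE=$(mktemp)
trap 'rm -f "$STATE_SAMPLE"' EXIT
cat > "$STATE_SAMPLE" <<'EOF'
all udp 192.168.1.50:57472 (10.10.1.11:59700) -> 10.10.3.1:53       MULTIPLE:SINGLE
all tcp 192.168.1.50:54106 (10.10.1.11:63464) -> 10.10.1.207:22       ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:53081 (10.10.1.11:63814) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:63694 (10.10.1.11:63222) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:65501 (10.10.1.11:57828) -> 10.10.3.1:53       MULTIPLE:SINGLE
all udp 192.168.1.50:52717 (10.10.1.11:50207) -> 10.10.3.1:53       MULTIPLE:SINGLE
all tcp 192.168.1.50:22 <- 192.168.1.77:41000       ESTABLISHED:ESTABLISHED
EOF

nat_summary "$STATE_SAMPLE"
# On a live global zone: pfctl -s state > /tmp/state && nat_summary /tmp/state
```

For the sample above the summary is two lines: five UDP translations from 10.10.1.11 to 10.10.3.1:53 and one TCP translation to 10.10.1.207:22, both via 192.168.1.50; the inbound SSH state is not counted because it was never translated.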

Another handy option is to check a new or modified rule set for syntax errors before loading it; -n parses the file without loading it and -v prints the parsed rules:

global # pfctl -vnf /etc/firewall/pf.conf
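To turn the pf.conf section above and the tips in this section into something a deployment script can enforce, here is an added example that is not code from the original post. pf_nat_conf emits the NAT-only pf.conf for a given external interface, zone network and address; pf_lint_nat rejects the obsolete "nat on ... -> ..." syntax the tip describes; pf_verify_active checks a pfctl -s rules dump for the expected nat-to rule, so a failed load is caught even though the SMF service reports online. The function names are the example's own, the old-syntax file and both rule dumps are constructed, and the line "pass all flags S/SA" is only a stand-in for whatever default rule set your system falls back to.

```shell
#!/bin/sh
# Generate, lint and verify the NAT-only PF rule set from this post.
# Added example, not code from the original post: the functions only process
# text, so they run with any POSIX sh; on Solaris the file is /etc/firewall/pf.conf.

# Emit a minimal pf.conf: traffic from the zone network leaving ext_if is
# translated to nat_addr. There are no filtering rules, so PF passes the rest.
pf_nat_conf() {
    # $1: external interface, $2: zone network (CIDR), $3: NAT address
    printf 'ext_if = "%s"\n' "$1"
    printf 'pass out on $ext_if from %s to any nat-to %s\n' "$2" "$3"
}

# Reject the pre-OpenBSD-4.7 translation syntax ("nat on ... -> ...", "rdr on",
# "binat on"). PF on Solaris only accepts nat-to/rdr-to/binat-to; a file using
# the old keywords fails to load although the firewall service shows online.
pf_lint_nat() {
    # $1: pf.conf to check; prints the offending lines and returns 1 on failure
    bad=$(grep -nE '^[[:space:]]*(no[[:space:]]+)?(nat|rdr|binat)[[:space:]]+(pass[[:space:]]+)?on[[:space:]]' "$1" || true)
    if [ -n "$bad" ]; then
        printf 'obsolete translation syntax in %s (use nat-to/rdr-to/binat-to):\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Confirm a "pfctl -s rules" dump contains the outbound nat-to rule for the
# zone network. This checks what actually loaded, not what the file says.
pf_verify_active() {
    # $1: file with pfctl -s rules output, $2: zone network, $3: NAT address
    net=$(printf '%s' "$2" | sed 's/\./\\./g')
    addr=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -qE "^pass out on [^ ]+ (inet )?from $net to any .*nat-to $addr\$" "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

pf_nat_conf localnet0 10.10.1.0/24 192.168.1.50 > "$WORK/pf.conf"
pf_lint_nat "$WORK/pf.conf"

# Constructed file with the old syntax, the mistake described in the tip.
cat > "$WORK/pf.conf.old" <<'EOF'
ext_if = "localnet0"
nat on $ext_if from 10.10.1.0/24 to any -> 192.168.1.50
EOF
if pf_lint_nat "$WORK/pf.conf.old" 2>/dev/null; then
    echo "lint should have rejected the old syntax" >&2; exit 1
fi

# Constructed rule dumps: the loaded rule as printed in the post, and a
# stand-in for a default rule set in which the NAT rule is missing.
printf '%s\n' 'pass out on localnet0 inet from 10.10.1.0/24 to any flags S/SA nat-to 192.168.1.50' > "$WORK/rules.ok"
printf '%s\n' 'pass all flags S/SA' > "$WORK/rules.bad"
pf_verify_active "$WORK/rules.ok" 10.10.1.0/24 192.168.1.50
if pf_verify_active "$WORK/rules.bad" 10.10.1.0/24 192.168.1.50; then
    echo "verify should have failed without the nat-to rule" >&2; exit 1
fi
echo "pf NAT configuration checks passed"
```

On a live global zone the last check runs against the real dump, for example pfctl -s rules > /tmp/rules && pf_verify_active /tmp/rules 10.10.1.0/24 192.168.1.50. pfctl -vnf catches syntax errors before loading; this check is the complement, confirming after svcadm enable that the rule you wrote is the one in the kernel.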
