Configuring NAT Using PF Firewall in Solaris 11 / 12 Zones

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Solaris 11/12 PF Firewall NAT Configuration

Below is an update on how to configure NAT in Solaris 11/12, the original post used IPfilter(IPF). Since Solaris now officially switched to the BSD firewall(PF) I created the updated example below.

Assumptions

The network used in the kernel zones are 10.10.1.0/24
The network used on the global zone is 192.168.1.50 – this will be used as your external gateway(NAT).

  • Create a vNic and assign to each kernel zone.
  • Create a vNic for use on the global zone.
  • Set the default gateway to the global zone vnic.

An example is below:
Create vNics

vNic and zone configuration

Global zone vNic and IP address

Now we are ready for the PF configuration.
Below is how the /etc/firewall/pf.conf
Note: The pf.conf is a very simplified configuration just for the purpose of NAT.

Finally enable firewall with svcadm

Helpful tips
Check the PF active running rule set.
Tip: I have struggled with this for a while, as my rule-set had an syntax issue. I was using the old nat keyword which is now obsolete, causing my rule-set to break(and not being used), but by checking the service it will still show online, but it will be loading a default rule-set.
Note: Its always a good idea especially if things don’t work properly to verify the active rule set.

To verify the active rule set, just run the below (make sure it is waht you expect it to be).

The below will show you the current active sessions (i.e. NAT being used).

Anther handy option is, to verify the new/modified rule set for syntax errors.

Reference
Official documentation

Leave a Reply

avatar
  Subscribe  
Notify of