4

I need to construct a NAT for certain machines within the network. Wish to do this with dvSwitch - as it seems the logical way of attacking the problem as in this scenario there's just under 30 hosts.

In order for the NAT'ed VMs to have access to the 'real' network, I am providing a 'router' VM, which will have access to the WAN/outside network, and also act as the DHCP server for the NAT'ed machines.

Problem Space

When the machines connected to the NAT interface and the router are on the same host, then they get an IP from the router VM, and work perfectly (routed outside).

Unfortunately machines on other Hosts that are connected to the dvSwitch do not get an IP and further tcpdump shows no network data getting through across the hosts within the dvSwitch.

Has anyone achieved a NAT solution using a dvSwitch before that they could share?!

Thank you.

EDIT:

Including the diagram.

romant
    Oh man, you're going to have to re-write that question sorry, it's barely intelligible - it's certainly not in a state anyone could give a good answer to. – Chopper3 Mar 11 '10 at 08:41
  • I would strongly recommend adding a network map also. I work a bit with vmware, but I can't even figure out what the scenario is. – pehrs Mar 11 '10 at 09:21
  • 1
    @Chopper3 - was in a hurry last night. Hopefully the reworded version makes more sense. @pehrs - will draw up a diag later this afternoon. – romant Mar 11 '10 at 22:38
  • still not clear sorry – Chopper3 Mar 16 '10 at 07:11
  • 1
    If you end up drawing a diagram I think it will help a **lot** – Mark Henderson Mar 16 '10 at 07:20
  • One thing I ran into when doing something similar was that if you do not add a physical card to the network, you can't use TCP Offloading. This is a problem at least on Linux clients. http://serverfault.com/questions/118536/extremely-slow-nat-within-a-vmware-esxi-host-using-linux-vms But I'm only running the network inside one host, so your question is, as far as I see, that your dvSwitch network doesn't work at all? – tstm Mar 16 '10 at 13:23
  • I don't (think) I have an enterprise plus license, so I can't try this out, but what happens if you enable promiscuous mode on the dvSwitch ? Cheers, Graham. – bortoelnino Nov 14 '11 at 23:21

4 Answers

1

Answer Synergy

Well your problem may be that your setup is as overcomplicated as your question :)

DHCP does not pass router boundaries without enabling a relay

Once you have that actualized then your other 'machines' will be able to touch base with your DHCP server :P

JamesRyan
1

Some questions that might help clarify things:

  • Which system in your diagram is the DHCP server?
  • Where is the NAT being performed?
  • Have you verified that the dvSwitch is in fact working properly? (You might try assigning a static IP to one of the VMs on the other host and see if it can ping or otherwise connect to the other VMs).

I have set up systems with DHCP traversing a dvSwitch without any problem, so it is possible to do this sort of thing. My guess is that the dvSwitch just isn't configured properly.

Good luck,

--jed

Jed Daniels
1

Ok, finally I think I understand, let me test my assumptions;

  1. You have a number of VMs that need to access some form of 'proper' network in a NAT'ey way, they also need to obtain their DHCP addresses too - I'm unclear if they need to access another internal network at the same time - perhaps you could clarify this.
  2. You wish to use a dvSwitch to save on admin (actually most VCPs are steering clear of dvSwitches in production environments right now, preferring to wait for the next version).
  3. You're seeing inconsistent behaviour across the dvSwitch (see item 2 by the way).

If this is right then I think you can make things easier for yourself by doing the following;

  1. Create your dvSwitch, attach to vNIC1 of all appropriate VMs AND your nominated 'router/DHCP' VM's vNIC1, set clients to use DHCP.
  2. Attach 'router/DHCP' VM's vNIC2 to your 'proper' network dv/vSwitch port.
  3. Install OS and router/DHCP daemons/services on 'router/DHCP' server, configure as appropriate.

Optionally attach VMs vNIC2 to other internal network if required.

This should allow all your appropriate VMs to get their DHCP information from the 'router/DHCP' VM, which will also pass itself as default gateway - in turn it will then NAT route all traffic from that interface. If required you can simply use static routing on the VMs to point non-NAT-requiring traffic to their vNIC2 to be handled by the internal network as required.

Does this make sense - I know it's pretty close to what I think you're suggesting but in lieu of clearer text/diagrams it's the best I can do right now.

Chopper3
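As an added example (not part of the thread, and not Chopper3's own configuration), here is what step 3 of the procedure above can look like on a Linux 'router/DHCP' VM. Assumptions: vNIC1 on the NAT dvPortgroup shows up as eth0, vNIC2 on the 'proper' network as eth1, the NAT segment is 10.10.0.0/24, and the VM has nftables and dnsmasq installed. Because the clients sit on the same L2 segment as the router VM's vNIC1, no DHCP relay is needed; the forward chain defaults to drop so nothing on the WAN side can initiate connections into the NAT segment. The `watch` mode runs tcpdump on the LAN side so you can tell a dvPortgroup/uplink problem (no DISCOVERs from VMs on other hosts ever arrive) from a DHCP server problem (DISCOVERs arrive but no OFFER goes out).

```shell
#!/bin/sh
# Added example, not from the original answer. Hypothetical names/values:
# LAN_IF (vNIC1 on the NAT dvPortgroup), WAN_IF (vNIC2 on the real network),
# LAN_ADDR/LAN_CIDR (the NAT segment) and DHCP_RANGE are all assumptions.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_ADDR="${LAN_ADDR:-10.10.0.1}"
LAN_CIDR="${LAN_CIDR:-24}"
DHCP_RANGE="${DHCP_RANGE:-10.10.0.100,10.10.0.200,12h}"

# Render an nftables ruleset: masquerade LAN -> WAN, allow replies back in,
# and drop everything else in the forward path (WAN cannot reach the NAT segment).
render_nft_rules() {
  cat <<EOF
table inet natvm {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Render a dnsmasq config: serve DHCP only on the LAN-side vNIC and hand out
# this VM as default gateway and DNS, which is what makes the NAT path work.
render_dnsmasq_conf() {
  cat <<EOF
interface=$LAN_IF
bind-interfaces
dhcp-range=$DHCP_RANGE
dhcp-option=option:router,$LAN_ADDR
dhcp-option=option:dns-server,$LAN_ADDR
dhcp-authoritative
EOF
}

# Apply everything on the router VM (needs root): address the LAN side,
# enable forwarding, load the ruleset, install the dnsmasq fragment.
apply_router_config() {
  ip addr replace "$LAN_ADDR/$LAN_CIDR" dev "$LAN_IF"
  sysctl -w net.ipv4.ip_forward=1
  render_nft_rules | nft -f -
  render_dnsmasq_conf > /etc/dnsmasq.d/natvm.conf
  systemctl restart dnsmasq
}

# Verification: capture DHCP traffic on the LAN side. With a VM on another
# host requesting an address, a DISCOVER must appear here; if it never does,
# the frames are not crossing the dvSwitch between hosts.
watch_dhcp_requests() {
  tcpdump -ni "$LAN_IF" -c 5 'udp and (port 67 or port 68)'
}

case "${1:-}" in
  apply) apply_router_config ;;
  watch) watch_dhcp_requests ;;
  *) render_nft_rules; echo; render_dnsmasq_conf ;;   # dry run: print configs
esac
```

Run it with no argument first to review the generated ruleset and dnsmasq fragment, then `apply` on the router VM, and `watch` while a VM on another host renews its lease.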
1

Without a lot more information about your environment I can't say precisely what's wrong. I suspect the problem that you are having may be related to how you have set up (or more specifically not set up) VLANs and PVLANs within your distributed switch environment and your physical switch(es) but it may simply be that the uplink ports aren't configured correctly on all hosts. The precise configuration of your dVSwitch across all the hosts is therefore highly relevant. As others have pointed out dVSwitches aren't the easiest things to work with at the moment, and making changes to them can be both counter-intuitive and prone to error. A screenshot of your dVSwitch with the NAT dVPortgroup highlighted to identify the uplink paths on all hosts would be very illuminating.

The best place to start is with the vSphere Networking Guide and even though it's not directly relevant the VMware\Cisco Nexus1000v DMZ Guide is worth reading too.

Helvick