dynamically nat lab devices behind the eve primary ip

This post explains how to configure EVE-NG as a DHCP server (isc-dhcp-server) assigning IPs to lab devices that are then dynamically NATed behind the primary EVE management IP address (iptables masquerade) to provide Internet breakout.


EVE has 10 bridges that are associated on a one-to-one basis to each physical NIC or vNIC. In the CLI these are called PNETs and in the GUI clouds. For example, cloud0 is mapped to pnet0 that is associated to eth0 which is the management NIC you use to connect to EVE.

brctl is a tool used for managing the ethernet bridge configuration in the linux kernel, this link provides some some other useful brctl commands.

Cloud NAT takes one of these clouds and uses it for the purpose of Internet breakout. I find it a quick and simple way to give any lab device Internet access as all you need to do is to enable DHCP on the lab device and attach it to the cloud network.

DHCP Server

The first thing you need to do is install the DHCP server.

Within the /etc/default/isc-dhcp-server DHCP server file define on which bridge the DHCP server should serve DHCP requests by adding this line to the bottom of the file. This is the pnet/cloud that you will put lab device in to give them Internet access.

The /etc/dhcp/dhcpd.conf DHCP configuration file defines the IP address information to be given out to the DHCP clients and makes EVE the authoritative server for that local network.

The following commands can be used to verify and troubleshoot the DHCP process.

The DHCP service status will show as status=1/FAILURE) with the error Not configured to listen on any interfaces! until the interface (pnet9) has been assigned an IP address.

Apply temporary

The following configuration will not survive a reboot so is useful if you want to first test the solution works.

Add an IP address from within the DHCP range to the pnet bridge interface

Enable IP routing in the linux kernel

PAT the DHCP range to the pnet0 IP address (EVE management interface address)

Apply permanent

The following configuration applies cloud NAT permanently so that it will survive reboots.

Add an IP address within the DHCP range to the pnet bridge interface by editing /etc/network/interfaces

Enable IP routing in linux kernel by editing /etc/sysctl.conf

PAT the DHCP range to the pnet0 IP address (EVE mgmt interface address) by installing and editing iptables-persistent


Port based NATs

In some situations you may want port based NATs to allow RDP, SSH or HTTPS access to a device within your EVE lab. I find this particularly useful when hosting EVE in Azure. Below are a few useful examples of what you can do, they once again use iptables.

Traffic to on port 3389 is forwarded to on 3389

HTTPS traffic is forwarded to lab device Note, this will break all internet access to 443 as it applies to all HTTPS traffic

Connections inbound on port 444 are forwarded to on port 443 (so that it doesn’t break HTTPS for other devices)

Connections inbound on port 23 are forwarded to on port 22 (so that it doesn’t break SHH access to EVE itself)

Also ties the NAT to an exact interface (pnet1)

Forwards traffic from the specific source address on port 443 to

To delete any of the iptable entries you need to get the rule line-number with the first command and use that in the second command to delete it.

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *