EVE-NG Cloud NAT
Dynamically NAT lab devices behind the EVE primary IP
This post explains how to configure EVE-NG as a DHCP server (isc-dhcp-server) assigning IPs to lab devices that are then dynamically NATed behind the primary EVE management IP address (iptables masquerade) to provide Internet breakout.
EVE has ten bridges (pnet0 to pnet9), each mapped one-to-one to a physical NIC or vNIC (eth0 to eth9). On the CLI they are called PNETs and in the GUI clouds. For example, cloud0 is mapped to pnet0, which is bridged to eth0, the management NIC you use to connect to EVE.
brctl is the tool for managing the Ethernet bridge configuration in the Linux kernel; brctl show lists the pnet bridges and the interfaces attached to each, and the brctl man page covers the other useful commands.
Cloud NAT dedicates one of these clouds to Internet breakout. I find it a quick and simple way to give any lab device Internet access: all you need to do is enable DHCP on the lab device and attach it to the cloud network.
The first thing you need to do is install the ISC DHCP server package (isc-dhcp-server).
In /etc/default/isc-dhcp-server, define which bridge the DHCP server serves requests on by setting the interfaces variable at the bottom of the file (INTERFACES on older package versions, INTERFACESv4 on newer ones) to the pnet bridge. This is the pnet/cloud you will attach lab devices to in order to give them Internet access; pnet9 is used throughout this post.
The /etc/dhcp/dhcpd.conf configuration file defines the addressing handed out to DHCP clients (pool, default gateway, DNS servers) and makes EVE the authoritative server for that local network. The subnet declared here must contain the address you later assign to the bridge, otherwise dhcpd refuses to listen on it.
The following commands can be used to verify and troubleshoot the DHCP process.
Until the listening interface (pnet9) has been assigned an IP address inside a subnet declared in dhcpd.conf, the service status shows status=1/FAILURE with the error "Not configured to listen on any interfaces!".
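The install, the two configuration files and the troubleshooting checks described above, as one script. This is an added example and not the post's own commands; the breakout bridge pnet9, the lab subnet 192.168.99.0/24 with EVE at 192.168.99.1, the pool .100 to .200 and the DNS server are assumed values, and ROOT is a staging-directory switch introduced here so the rendered files can be reviewed before they land in /etc.

```shell
#!/bin/sh
# Added example (not the original post's commands): renders the two DHCP files
# described above and lists the checks used to troubleshoot the service.
# Assumed values, none of which are fixed by the post: breakout bridge pnet9,
# lab subnet 192.168.99.0/24 with EVE itself at 192.168.99.1, pool .100-.200.
# ROOT lets the files be rendered into a staging directory for review;
# ROOT=/ (as root) writes the real files.
set -eu

ROOT="${ROOT:-/}"
BRIDGE="${BRIDGE:-pnet9}"
SUBNET="${SUBNET:-192.168.99.0}"
NETMASK="${NETMASK:-255.255.255.0}"
GATEWAY="${GATEWAY:-192.168.99.1}"
POOL_START="${POOL_START:-192.168.99.100}"
POOL_END="${POOL_END:-192.168.99.200}"
DNS="${DNS:-8.8.8.8}"

# /etc/default/isc-dhcp-server: bind the daemon to the breakout bridge only,
# so it never answers DHCP on the management LAN (pnet0). Newer packages read
# INTERFACESv4, older ones INTERFACES; setting both is harmless.
render_defaults() {
    printf 'INTERFACESv4="%s"\nINTERFACES="%s"\n' "$BRIDGE" "$BRIDGE"
}

# /etc/dhcp/dhcpd.conf: EVE is authoritative for the lab subnet. The subnet
# declaration must match the address the bridge carries, otherwise dhcpd
# reports "Not configured to listen on any interfaces!" and fails to start.
render_dhcpd_conf() {
    cat <<EOF
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet $SUBNET netmask $NETMASK {
    range $POOL_START $POOL_END;
    option routers $GATEWAY;
    option domain-name-servers $DNS;
}
EOF
}

install_dhcp_config() {
    mkdir -p "$ROOT/etc/default" "$ROOT/etc/dhcp"
    render_defaults   > "$ROOT/etc/default/isc-dhcp-server"
    render_dhcpd_conf > "$ROOT/etc/dhcp/dhcpd.conf"
}

# Verification and troubleshooting commands, printed so they can be reviewed
# before being run on the live host.
verify_commands() {
    cat <<EOF
dhcpd -t -cf /etc/dhcp/dhcpd.conf        # syntax-check the config
systemctl status isc-dhcp-server         # failed until $BRIDGE has an address
journalctl -u isc-dhcp-server -n 50      # daemon log, including listen errors
ip addr show $BRIDGE                     # must carry an address in $SUBNET
tail -f /var/lib/dhcp/dhcpd.leases       # leases handed out to lab devices
tcpdump -ni $BRIDGE port 67 or port 68   # DISCOVER/OFFER/REQUEST/ACK on the bridge
EOF
}

if [ "${1:-}" = "install" ]; then
    apt-get install -y isc-dhcp-server
    install_dhcp_config
    systemctl restart isc-dhcp-server
    verify_commands
fi
```

Run it with no arguments and ROOT set to a scratch directory to inspect the files, then as root with `install` on the EVE host. Binding the daemon to pnet9 only is deliberate: a DHCP server that also answers on pnet0 would hand lab addresses to real hosts on the management LAN.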
The following configuration does not survive a reboot, so it is useful for first testing that the solution works.
Add an IP address from within the DHCP subnet (but outside the DHCP pool) to the pnet bridge interface; this address is the default gateway handed to the lab devices.
Enable IP routing (forwarding) in the Linux kernel.
PAT (masquerade) the DHCP range behind the pnet0 IP address (the EVE management interface address).
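The three runtime steps as a script, added here and not taken from the post. The bridge address 192.168.99.1/24 on pnet9, the lab range 192.168.99.0/24 and pnet0 as the management bridge are assumptions; the DRY_RUN switch and the run helper are introduced for this example so the commands can be printed and checked before they are executed as root.

```shell
#!/bin/sh
# Added example, not the original post's commands: the three runtime steps
# (bridge address, ip_forward, masquerade) as a script. Assumed values: the
# breakout bridge is pnet9 with 192.168.99.1/24 (inside the DHCP subnet but
# outside the pool), the lab range is 192.168.99.0/24 and the management
# bridge carrying the EVE primary IP is pnet0.
set -eu

DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = execute them (as root)
LAB_BRIDGE="${LAB_BRIDGE:-pnet9}"
LAB_ADDR="${LAB_ADDR:-192.168.99.1/24}"
LAB_NET="${LAB_NET:-192.168.99.0/24}"
MGMT_BRIDGE="${MGMT_BRIDGE:-pnet0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: give the bridge an address so dhcpd binds to it and the lab
# devices have a default gateway.
add_bridge_addr() {
    run ip addr add "$LAB_ADDR" dev "$LAB_BRIDGE"
    run ip link set "$LAB_BRIDGE" up
}

# Step 2: let the kernel route between pnet9 and pnet0.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 3: source-NAT (PAT) the lab range behind whatever address pnet0 holds.
# MASQUERADE re-reads the outgoing interface address on each new flow, so it
# keeps working if the management IP changes (a cloud VM renewing its lease).
# The FORWARD rules only matter when the FORWARD policy is DROP; with the
# default ACCEPT policy they are harmless, but they document the intended
# direction: lab devices open flows outwards, nothing opens flows inwards.
add_masquerade() {
    run iptables -t nat -A POSTROUTING -s "$LAB_NET" -o "$MGMT_BRIDGE" -j MASQUERADE
    run iptables -A FORWARD -i "$LAB_BRIDGE" -o "$MGMT_BRIDGE" -s "$LAB_NET" -j ACCEPT
    run iptables -A FORWARD -i "$MGMT_BRIDGE" -o "$LAB_BRIDGE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Runtime checks: the MASQUERADE counters should climb when a lab device
# pings out, and ip_forward must read 1.
show_state() {
    run sysctl net.ipv4.ip_forward
    run iptables -t nat -vnL POSTROUTING
    run ip -4 addr show "$LAB_BRIDGE"
}

cloud_nat_runtime() {
    add_bridge_addr
    enable_forwarding
    add_masquerade
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    cloud_nat_runtime
    show_state
fi
```

With ip_forward on, a lab device can reach the management LAN on pnet0 as well as the Internet; if that is not wanted, add a FORWARD rule dropping traffic from the lab range to the management subnet ahead of the ACCEPT rule.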
The following configuration applies cloud NAT permanently so that it survives reboots.
Add an IP address within the DHCP subnet to the pnet bridge interface by editing the bridge's stanza in /etc/network/interfaces.
Enable IP routing in the Linux kernel by editing /etc/sysctl.conf.
PAT the DHCP range to the pnet0 IP address (EVE management interface address) by installing iptables-persistent and editing the rules file it loads at boot.
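The persistent version of the three steps, rendered into a staging directory so each file can be diffed against the live one before it is installed. This is an added example, not the post's own configuration. It assumes the stock EVE-NG stanza for the bridge (`iface pnet9 inet manual` with `bridge_ports eth9`), pnet9 at 192.168.99.1/24, the lab range 192.168.99.0/24 and pnet0 as the management bridge; ROOT is a staging-directory switch introduced for this example.

```shell
#!/bin/sh
# Added example (not from the original post): writes the three persistent
# pieces described above. Assumed: the stock EVE-NG /etc/network/interfaces
# stanza "iface pnet9 inet manual" (with its bridge_ports line), pnet9 at
# 192.168.99.1/24, lab range 192.168.99.0/24, management bridge pnet0.
# ROOT=/ (as root) edits the real files; any other ROOT is a staging tree.
set -eu

ROOT="${ROOT:-/}"
LAB_BRIDGE="${LAB_BRIDGE:-pnet9}"
LAB_IP="${LAB_IP:-192.168.99.1}"
LAB_MASK="${LAB_MASK:-255.255.255.0}"
LAB_NET="${LAB_NET:-192.168.99.0/24}"
MGMT_BRIDGE="${MGMT_BRIDGE:-pnet0}"

# /etc/network/interfaces: turn the bridge's "inet manual" stanza into a
# static one. Only the iface line is replaced, so bridge_ports/bridge_stp
# from the existing stanza are kept and no duplicate stanza is appended.
patch_interfaces() {
    f="$ROOT/etc/network/interfaces"
    awk -v br="$LAB_BRIDGE" -v ip="$LAB_IP" -v mask="$LAB_MASK" '
        $1 == "iface" && $2 == br && $3 == "inet" && $4 == "manual" {
            print "iface " br " inet static"
            print "    address " ip
            print "    netmask " mask
            next
        }
        { print }
    ' "$f" > "$f.new" && mv "$f.new" "$f"
}

# /etc/sysctl.conf: uncomment or replace an existing ip_forward line rather
# than appending a second one.
persist_forwarding() {
    f="$ROOT/etc/sysctl.conf"
    touch "$f"
    if grep -q '^#*net\.ipv4\.ip_forward' "$f"; then
        sed 's/^#*net\.ipv4\.ip_forward.*/net.ipv4.ip_forward=1/' "$f" > "$f.new" \
            && mv "$f.new" "$f"
    else
        echo 'net.ipv4.ip_forward=1' >> "$f"
    fi
}

# /etc/iptables/rules.v4 in iptables-save format, loaded by iptables-persistent
# at boot. This is a complete ruleset for a fresh EVE host; on a host that
# already carries rules, apply the runtime rules and run
# "netfilter-persistent save" instead of overwriting the file.
render_rules_v4() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAB_NET -o $MGMT_BRIDGE -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

install_persistent() {
    mkdir -p "$ROOT/etc/iptables"
    patch_interfaces
    persist_forwarding
    render_rules_v4 > "$ROOT/etc/iptables/rules.v4"
}

if [ "${1:-}" = "apply" ]; then
    # iptables-persistent asks debconf whether to save current rules; answer
    # non-interactively since rules.v4 is written explicitly below.
    DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
    install_persistent
    sysctl -p
    ifdown "$LAB_BRIDGE" 2>/dev/null || true
    ifup "$LAB_BRIDGE"
    netfilter-persistent reload
fi
```

After a reboot, confirm with `sysctl net.ipv4.ip_forward`, `ip addr show pnet9` and `iptables -t nat -vnL POSTROUTING` that all three pieces came back.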
Port-based NATs
In some situations you may want port-based NATs (DNAT) to allow RDP, SSH or HTTPS access to a device inside your EVE lab. I find this particularly useful when hosting EVE in Azure. Below are a few useful examples of what you can do; they once again use iptables. Each rule exposes a lab device to whatever can reach the EVE management address, so restrict it by source address (as in the last example) wherever you can.
Traffic to 10.20.10.5 (the EVE management address) on port 3389 is forwarded to 192.168.99.254 on port 3389.
HTTPS traffic is forwarded to lab device 192.168.99.99. Note that a PREROUTING rule matching only on destination port 443 applies to every HTTPS packet entering the box, so it also captures the lab devices' outbound HTTPS and HTTPS to the EVE web GUI itself, breaking both.
Connections inbound on port 444 are forwarded to 192.168.99.99 on port 443 (so that HTTPS for other devices, and the EVE GUI, keep working).
Connections inbound on port 23 are forwarded to 192.168.99.97 on port 22 (so that SSH access to EVE itself on port 22 keeps working).
This one also ties the NAT to an exact inbound interface (pnet1).
Forwards traffic from the specific source address 22.214.171.124 on port 443 to 192.168.99.99, so only that source is affected.
To delete any of these iptables entries, list the nat table PREROUTING chain with line numbers using the first command and pass the rule's number to the second command. Rule numbers shift after every deletion, so list the chain again before deleting another rule; alternatively, repeat the original rule with -A replaced by -D, which deletes by exact specification and does not depend on the numbering.
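The port forwards above, generated by one function so that the interface and destination-address restrictions are never left off, plus both ways of deleting a rule. This is an added example, not the post's commands. It assumes the EVE management bridge is pnet0 with primary IP 10.20.10.5 (the address in the RDP example; the post's interface-bound example names pnet1, and you should substitute whichever bridge faces the Internet on your host); the lab hosts 192.168.99.254, .99 and .97 and the trusted source 22.214.171.124 are the post's, and the DRY_RUN switch and run helper are introduced for this example.

```shell
#!/bin/sh
# Added example, not the post's own commands: the port-forward (DNAT) rules
# described above generated by one function, plus deletion by line number
# and by exact specification. Assumed: EVE's management bridge is pnet0 with
# primary IP 10.20.10.5; the lab hosts and the trusted source address are the
# post's; everything else is illustrative.
set -eu

DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands, 0 = execute them (as root)
MGMT_BRIDGE="${MGMT_BRIDGE:-pnet0}"
MGMT_IP="${MGMT_IP:-10.20.10.5}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# _rule ACTION PROTO EXT_PORT TARGET_IP TARGET_PORT [SOURCE_CIDR]
# Every rule matches on the management interface and on EVE's own address.
# A bare "--dport 443 -j DNAT" in PREROUTING would also rewrite each lab
# device's outbound HTTPS (PREROUTING sees forwarded packets too) and HTTPS
# to the EVE GUI; scoping to -i pnet0 -d 10.20.10.5 confines the rule to
# traffic that actually arrived from outside for EVE's address.
_rule() {
    action=$1; proto=$2; ext=$3; tgt=$4; tport=$5; src=${6:-}
    set -- -t nat "$action" PREROUTING -i "$MGMT_BRIDGE" -d "$MGMT_IP" -p "$proto" --dport "$ext"
    if [ -n "$src" ]; then set -- "$@" -s "$src"; fi
    run iptables "$@" -j DNAT --to-destination "$tgt:$tport"
}

forward()   { _rule -A "$@"; }   # add a port forward
unforward() { _rule -D "$@"; }   # delete it by repeating the exact rule

# The four forwards from the post. Return traffic works because the lab
# devices' default gateway is EVE's pnet9 address (handed out by DHCP) and
# conntrack reverses the DNAT on the reply; no extra SNAT rule is needed.
lab_forwards() {
    forward tcp 3389 192.168.99.254 3389                   # RDP to a lab host
    forward tcp 444  192.168.99.99  443                    # HTTPS on 444, EVE GUI on 443 untouched
    forward tcp 23   192.168.99.97  22                     # SSH on 23, EVE's sshd on 22 untouched
    forward tcp 443  192.168.99.99  443 22.214.171.124/32  # HTTPS, one trusted source only
}

# Deleting by number: list first, delete, then list again before the next
# delete, because the remaining rules are renumbered after each removal.
list_forwards() {
    run iptables -t nat -L PREROUTING -n --line-numbers
}

delete_forward_by_number() {
    run iptables -t nat -D PREROUTING "$1"
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    lab_forwards
    list_forwards
fi
```

On an Azure-hosted EVE the network security group must also allow the external port (444, 23, 3389) before any of these rules sees a packet. Exposing RDP or SSH of a lab device to the Internet means the lab device's credentials are now the perimeter; prefer the source-restricted form.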