Chapter 12: How SNAT works

In Source Network Address Translation (SNAT), the NAT router modifies the IP address of the sender in IP packets. SNAT is commonly used to enable hosts with private addresses to communicate with servers on the public Internet.

In other words, any number of hosts with private IP addresses can reach the Internet through a single public IP. SNAT is enabled on the router.

https://docs.openstack.org/mitaka/networking-guide/intro-nat.html

Configuration:

There is no special config required.

But make sure you have no-auth set in contrail-analytics-api.conf and contrail-api.conf (this disables RBAC):

aaa_mode = no-auth

Also, make sure you have configured the vnc_api_lib.ini correctly.

Steps to enable SNAT:

  1. Create a network and subnet (e.g. Network1, 192.168.1.0/24).
  2. Create a router.
  3. Set the router's gateway to the public (external) network.
  4. Add an interface to the router on the network (Network1, 192.168.1.0/24).

Now, SNAT is setup and ready.

Create a VM on Network1 (192.168.1.0/24); VMs on this network reach the Internet via SNAT.

https://www.juniper.net/documentation/en_US/contrail3.2/topics/task/configuration/snat-vnc.html

Internal verifications:

Refer to the OpenContrail SNAT implementation guide for more details.

  1. Verify that the SNAT service instance (SI) has been created, using the introspect of contrail-vrouter-agent.
  2. An SNAT network namespace is created on the compute node. Verify its interfaces, default route and NAT table:
cloud@devstack1:~$ sudo ip netns list
vrouter-171406b2-af22-4505-91d4-706a1b7ab143
cloud@devstack1:~$
cloud@devstack1:~$ sudo ip netns exec vrouter-171406b2-af22-4505-91d4-706a1b7ab143 ifconfig
gw-f18fe4c0-8c Link encap:Ethernet  HWaddr 02:0f:98:5e:65:97  
          inet addr:172.24.4.10  Bcast:172.24.4.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:325 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3683 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14990 (14.9 KB)  TX bytes:155726 (155.7 KB)

int-017748d4-5 Link encap:Ethernet  HWaddr 02:97:51:ff:63:c3  
          inet addr:100.64.0.4  Bcast:100.64.0.7  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2079 errors:0 dropped:0 overruns:0 frame:0
          TX packets:318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:186602 (186.6 KB)  TX bytes:14396 (14.3 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:196 (196.0 B)  TX bytes:196 (196.0 B)

cloud@devstack1:~$
cloud@devstack1:~$ sudo ip netns exec vrouter-171406b2-af22-4505-91d4-706a1b7ab143 route   
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 gw-f18fe4c0-8c
100.64.0.0      *               255.255.255.248 U     0      0        0 int-017748d4-5
172.24.4.0      *               255.255.255.0   U     0      0        0 gw-f18fe4c0-8c
cloud@devstack1:~$ sudo ip netns exec vrouter-171406b2-af22-4505-91d4-706a1b7ab143 iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
cloud@devstack1:~$

Now ping the Internet from the VM; it should succeed.
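To automate the namespace checks in step 2 above, here is an added example (not from this page, Contrail or OpenStack) that parses the `route` and `iptables -t nat -L` output of the SNAT namespace, using the output shown above as a constructed sample, and reports whether the namespace looks like a working SNAT gateway; the unscoped-MASQUERADE warning is a hardening hint of this example, not a check the page itself makes.

```python
import re

# Constructed sample: the `route` output captured from the vrouter-* namespace above.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 gw-f18fe4c0-8c
100.64.0.0      *               255.255.255.248 U     0      0        0 int-017748d4-5
172.24.4.0      *               255.255.255.0   U     0      0        0 gw-f18fe4c0-8c
"""
# Constructed sample: the POSTROUTING chain from `iptables -t nat -L` in the same namespace.
NAT_OUTPUT = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
"""

def parse_routes(text):
    """Map destination -> outgoing interface, skipping the two header lines of `route`."""
    routes = {}
    for line in text.splitlines()[2:]:
        fields = line.split()
        if len(fields) >= 8:
            routes[fields[0]] = fields[-1]
    return routes

def parse_nat_chains(text):
    """Map chain name -> [(target, source, destination), ...] from `iptables -t nat -L`."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            fields = line.split()
            chains[current].append((fields[0], fields[3], fields[4]))
    return chains

def check_snat_namespace(route_text, nat_text):
    """Return (errors, warnings): errors break SNAT, warnings are hardening hints."""
    errors, warnings = [], []
    routes = parse_routes(route_text)
    if not routes.get("default", "").startswith("gw-"):
        errors.append("default route must leave via the gw- (external) interface")
    masq = [r for r in parse_nat_chains(nat_text).get("POSTROUTING", []) if r[0] == "MASQUERADE"]
    if not masq:
        errors.append("no MASQUERADE rule in nat POSTROUTING")
    elif any(src == "anywhere" and dst == "anywhere" for _, src, dst in masq):
        warnings.append("MASQUERADE is unscoped (anywhere -> anywhere); restrict it to the tenant subnet and gw- interface")
    return errors, warnings
```

Feed it the real output of `sudo ip netns exec <vrouter-netns> route` and `... iptables -t nat -L` instead of the samples to check a live compute node.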

Note:

In my setup, traffic doesn't reach the Internet because the contrail-vrouter-agent proxy ARP doesn't work as expected, so I manually added the ARP entry for the destination IP:

sudo ip netns exec vrouter-171406b2-af22-4505-91d4-706a1b7ab143 arp -s 8.8.8.8 00:00:5e:00:01:00

Note: I am pinging 8.8.8.8, hence the ARP entry for that address.

Debugging:

There are many reasons why the SNAT instance (netns) might not get created.

  1. Check the contrail-svc-monitor log files. Make sure you have enabled DEBUG logging.

             [SYS_ERR]: SvcMonitorLog: No vrouter available for VM default-domain__openstack

     This means the SI creation did not succeed. It must be due to a communication failure with contrail-analytics-api or contrail-api. Make sure you have given the correct auth credentials (RBAC); otherwise simply disable RBAC with `aaa_mode = no-auth`.
    
  2. Check the svcmonitor introspect for Service instances.

http://svc-monitor:8088/Snh_ServiceInstanceList?si_name=
