Transforming an OmniOS server into a router with NAT, DNAT, and DHCP server
For this tutorial, we will use an OmniOS server named 'ROUTER' to transform it into a router.
It will provide internet access to the LAN machines (10.10.10.0/24), hand them their IP configuration from a DHCP server running on ROUTER itself, and allow connections from the WAN zone (192.168.10.0/24) to the SFTP server (10.10.10.210) via DNAT.
The SFTP server can then be accessed by SSH through port forwarding: 192.168.10.46:52333 -> 10.10.10.210:22.
ROUTER has 2 network interfaces:
- a WAN interface: vioif0
For easier testing, the IP configuration of vioif0 will be done via DHCP. We will remain in a private IP configuration, but you are free to build an old version of rp-pppoe (or use kppp from the pkgsrc repository) and connect directly to the internet.
- a LAN interface: vioif1
The IP configuration of vioif1 will be set manually (static): 10.10.10.1/24
1) Adjusting the time!
If the server's clock is not set to the correct time, there will be issues. This is particularly important in time zones that observe daylight saving time (Europe and the USA, for example).
ROUTER needs to be configured to fetch the time from an NTP server in its zone.
Here is an example for France:
- Install ntpsec
pkg install ntpsec
- Use a French time server:
/usr/bin/ntpdate 0.fr.pool.ntp.org
- Check that the time is now correct:
date
- Enable NTP startup at server boot:
svcadm enable svc:/network/ntp:default && sleep 5
2) Configure the LAN network interface vioif1:
ipadm delete-if vioif1
ipadm create-if vioif1
ipadm create-addr -T static -a 10.10.10.1/24 vioif1/v4
3) Enable IPv4 forwarding
- Check the status of routing services:
routeadm
- Enable IPv4 forwarding:
svcadm enable ipv4-forwarding
# or
routeadm -e ipv4-forwarding && sleep 5 && routeadm -u
- Verify that the activation is successful.
routeadm
4) Configure the isc-dhcp DHCP server:
- Install isc-dhcp:
pkg install pkg:/network/service/isc-dhcp
- Fill /etc/dhcpd.conf with:
subnet 10.10.10.0 netmask 255.255.255.0 {
option domain-name-servers 1.1.1.1;
option routers 10.10.10.1;
authoritative;
range 10.10.10.2 10.10.10.200;
}
- Start the DHCP server:
/usr/sbin/dhcpd
Perform a test from a LAN client computer; it should now receive an IP configuration from ROUTER.
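As an added sanity check (not part of this tutorial, OmniOS or isc-dhcp), the POSIX sh script below verifies that the dynamic range in dhcpd.conf stays inside the LAN subnet and that the fixed addresses, ROUTER's 10.10.10.1 and the SFTP server 10.10.10.210 targeted by the DNAT rule, fall outside that range, so dhcpd can never lease one of them to a client.

```shell
#!/bin/sh
# Added sanity check for the DHCP plan on ROUTER (not part of OmniOS or isc-dhcp).
# A host with a fixed address (ROUTER itself, the SFTP server behind the DNAT
# rule) must be inside the LAN subnet but outside the dynamic range, or dhcpd
# may lease that address to a client and the DNAT target becomes unreachable.

# ip2int 10.10.10.1 -> 168430081 (dotted quad to unsigned integer)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# check_dhcp_plan SUBNET NETMASK ROUTER RANGE_LO RANGE_HI [STATIC_HOST...]
# Prints one line per problem; returns 0 if the plan is consistent, 1 otherwise.
check_dhcp_plan() {
    subnet=$1 netmask=$2 router_ip=$3 range_lo=$4 range_hi=$5
    shift 5
    net=$(ip2int "$subnet") mask=$(ip2int "$netmask")
    lo=$(ip2int "$range_lo") hi=$(ip2int "$range_hi")
    rc=0
    # the dynamic range must be ordered and lie entirely inside the subnet
    if [ "$lo" -gt "$hi" ] || [ $(( lo & mask )) -ne $(( net & mask )) ] ||
       [ $(( hi & mask )) -ne $(( net & mask )) ]; then
        echo "range $range_lo-$range_hi is not inside $subnet/$netmask"; rc=1
    fi
    # every fixed address: inside the subnet, outside the dynamic range
    for host in "$router_ip" "$@"; do
        h=$(ip2int "$host")
        if [ $(( h & mask )) -ne $(( net & mask )) ]; then
            echo "$host is not in $subnet/$netmask"; rc=1
        elif [ "$h" -ge "$lo" ] && [ "$h" -le "$hi" ]; then
            echo "$host lies inside the dynamic range $range_lo-$range_hi"; rc=1
        fi
    done
    return $rc
}

# Values from this tutorial: subnet 10.10.10.0/24, router .1, pool .2-.200,
# SFTP server .210 (the DNAT target in ipnat.conf).
check_dhcp_plan 10.10.10.0 255.255.255.0 10.10.10.1 10.10.10.2 10.10.10.200 10.10.10.210 \
    && echo "DHCP plan is consistent"
```

Run it again whenever you widen the pool or add a fixed LAN host; a non-zero exit status names the address that would collide.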
5) IPFilter Firewall Configuration
- in /etc/ipf/ipnat.conf:
# NAT for LAN (0.0.0.0/32 means "use the address of vioif0")
map vioif0 10.10.10.1/24 -> 0.0.0.0/32
# DNAT for SFTP server
rdr vioif0 192.168.10.46 port 52333 -> 10.10.10.210 port 22
- in /etc/ipf/ipf.conf:
# Default blocking rules (IPFilter applies the last matching rule unless "quick" is used)
block in log all
block out log all
block in log quick proto tcp from any to any with ipopts
block in log quick proto tcp from any to any with short
# Allow on loopback
pass in quick on lo0 all
pass out quick on lo0 all
# Allow all stateful traffic from LAN to INTERNET
pass in all keep state
pass out all keep state
# Block any connection from the WAN to this server (only allow DNAT to SFTP and NAT);
# the rdr rule rewrites the SFTP traffic before filtering, so it is not caught here
block in on vioif0 from any to 192.168.10.46
- Enable IPF:
svcadm enable svc:/network/ipfilter:default
ipf -Fa -f /etc/ipf/ipf.conf
ipnat -CF -f /etc/ipf/ipnat.conf
Your router is now ready.