Configuring Networks, DHCP, NAT and Firewall Rules

On the Networks Tab you have a number of options and configuration items that focus on DHCP, NAT, and Firewall.

Below are details on configuration available in the Networks tab for your NSX Advanced Networking Edge.  For information about other features of NSX Advanced Networking click here.

Network Tab Overview

  1. Networks Tab
  2. Network Interface Drop Down Selection
  3. Refresh Interfaces and Add Isolated Network to vDC
  4. Network Services: DHCP, NAT, Firewall
  5. Interface Details: Uplink and Internal
  6. Edit/Configure Interfaces

Network Tab Details

Config Tab

Shows an overview of the selected Network Interface and lets you configure and/or edit the Network as selected from the Drop Down.

  • Shows the Type and details as set during the provisioning of the NSX Edge. The first Gateway IP is shown as well as enabled Services, DNS settings and additional IPs
  • Clicking on the Edit Button allows you to modify the Uplink Name and gives you the ability to connect/disconnect the interface.

Internal Interfaces

  • By default there are no Internal Interfaces configured: the NSX Edge is not connected to your vDC and does not share any Interfaces with other vDCs in your Organization. Up to 9 Internal Interfaces can be configured on your NSX Edge.
  • To configure an internal Interface, drop down to the vnic number you want to configure and click on the Edit button. You should see the Connected To status as Unconfigured.
  • Fill in details relating to the Internal Network as shown below:
  • The Network Name as seen in MyAccount will be different from the VirtualWire/vOrg Network name (see below) presented in vCloud Director.
    Note: At the moment Interfaces cannot be deleted. Please raise a support request if you require one removed.
  • Once you click Save, "Please Wait" is shown until the job completes; this can take up to 2 minutes.
  • In the background an NSX VirtualWire has been created and linked through to your vDC. The Connected To details now list a VirtualWire Name that matches a vCloud Director vOrg Network. This is the network that you then connect your vCloud VMs and vApps to.

DHCP Tab

Used to configure DHCP Scopes for the connected Virtual Data Centers. One DHCP Scope is configured per configured Interface subnet.

  • Once on the Networks Tab, to configure your first DHCP Scope, click on the DHCP Tab and then on Add DHCP Pool. (Note that you need to have created at least one Internal Interface.)
    • The DHCP Pool must not overlap the IP Range configured on the matching Interface. Go back to the Interface configuration and take note of its IP Range, as the DHCP Pool cannot overlap it. Using the example Interface configured here, the IP Range goes from 192.168.0.2 to 192.168.0.20, so the DHCP Start and End IPs need to fall outside of that range, as shown below.
    • The default lease time is 3600 seconds, but this can be adjusted if required.
    • The Default Gateway should be the same as the one configured on the Interface.
    • If you want the DHCP Pool to use the Domain Name Servers of the Edge, leave the DNS fields blank; otherwise specify custom values.
    • Once you click Save, "Please Wait" is shown until the job completes; this can take up to 2 minutes.
  • vCloud Director VMs that are connected to the Interface and set for DHCP will now pick up their DHCP settings from the configured pool.
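
The overlap rule above is easy to get wrong by hand, so here is an added Python check that is not part of the original article: it validates a proposed DHCP Pool against the example Interface (static IP Range 192.168.0.2 to 192.168.0.20). The /24 mask and the 192.168.0.1 Default Gateway are assumptions, since the page only gives the range.

```python
import ipaddress

# Constructed from the page's example Interface: static IP Range 192.168.0.2 - 192.168.0.20.
# The /24 mask and the .1 Default Gateway are assumptions; the page only gives the range.
IFACE_SUBNET = ipaddress.ip_network("192.168.0.0/24")
IFACE_GATEWAY = ipaddress.ip_address("192.168.0.1")
IFACE_RANGE = (ipaddress.ip_address("192.168.0.2"), ipaddress.ip_address("192.168.0.20"))

def _ranges_overlap(a_start, a_end, b_start, b_end):
    """True when two inclusive address ranges share at least one address."""
    return a_start <= b_end and b_start <= a_end

def validate_dhcp_pool(pool_start, pool_end, gateway, lease=3600,
                       subnet=IFACE_SUBNET, iface_gateway=IFACE_GATEWAY, iface_range=IFACE_RANGE):
    """Return the list of problems with a proposed DHCP Pool; an empty list means it is safe to save."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if start > end:
        problems.append("Start IP %s is after End IP %s" % (start, end))
    if start not in subnet or end not in subnet:
        problems.append("pool is not inside the Interface subnet %s" % subnet)
    elif start == subnet.network_address or end == subnet.broadcast_address:
        problems.append("pool includes the network or broadcast address of %s" % subnet)
    if _ranges_overlap(start, end, *iface_range):
        problems.append("pool overlaps the Interface IP Range %s-%s" % iface_range)
    if start <= iface_gateway <= end:
        problems.append("pool would hand out the gateway address %s" % iface_gateway)
    if gw != iface_gateway:
        problems.append("Default Gateway %s does not match the Interface gateway %s" % (gw, iface_gateway))
    if lease <= 0:
        problems.append("lease time must be a positive number of seconds")
    return problems
```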

NAT Tab

Used to configure Inbound and Outbound Network Address Translation for each configured Interface. Each NAT rule is configured on the selected Interface. NAT services translate source or destination IP addresses and port numbers.

  • There are two kinds of NAT rules that you can create:
    • Source NAT (SNAT): This kind of rule translates the packet's source address and, optionally, source port to the values you specify.
    • Destination NAT (DNAT): This kind of rule translates the packet's destination address and, optionally, destination port to the values you specify.

To create a NAT, you need to know what IP addresses are accessible outside the network and what IP addresses are accessible inside the network.

  • Typically you will use the Primary IP, which is the Default Gateway IP shown below.
    • The Internal IPs used in the NAT rules can either be IP Ranges that have been configured on the Internal Interfaces or individual VM IPs that are assigned by DHCP, from the vCloud Director Pool, or manually set during VM deployment and configuration.
    • You can create either a Source NAT or a Destination NAT. Source NAT applies to traffic from sources inside the vDC going out; Destination NAT applies to traffic coming in from outside to a destination inside the vDC.
      • Below we are creating a Destination NAT to direct traffic coming from the Internet to a VM IP. This is applied on the Uplink.
        In the Add/Edit NAT Rule window, complete the following fields as shown above:

        • This example is used to configure NAT to allow web services on port 80 through from the Internet to the VM
        • Rule Type: Destination NAT
        • Original IP/range: Use the external IP address identified above
        • Protocol: Set to TCP
        • Original Port: 80
        • Translated IP/range: Use the internal IP address of the VM
        • Translated port: Set to 80.
  • Below we are creating a Source NAT to direct traffic from a configured Interface Subnet out through the Uplink Interface
    In the Add/Edit NAT Rule window, complete the following fields as shown above:


    • This example is used to configure NAT to allow outbound Internet access from all VMs on the configured Interface Subnet.
    • Rule Type: Source NAT
    • Original IP/range: Use the Internal IP Range of the desired Interface
    • Translated IP/range: Use the Uplink Gateway IP
  • Once saved you have the option to go back in and edit the rule, where you can move the rule to a different position. It is suggested as a best practice that SNATs are moved to the top.

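The two rules above, as an added Python simulation that is not part of the original article: NAT rules are kept in order and the first match wins, with DNAT rewriting the destination of inbound (Uplink to vDC) packets and SNAT rewriting the source of outbound (vDC to Uplink) packets. The addresses are constructed: 203.0.113.10 stands in for the Edge's Uplink Default Gateway IP, 192.168.0.50 for the web VM and 192.168.0.0/24 for the Internal Interface subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass
class NatRule:
    rule_type: str                        # "DNAT" or "SNAT"
    original: str                         # Original IP/range (IP or CIDR)
    translated: str                       # Translated IP
    proto: str = "any"
    original_port: Optional[int] = None
    translated_port: Optional[int] = None

def _matches(rule, ip, port, proto):
    """Does the address/port/protocol match the rule's Original fields?"""
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.original, strict=False):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.original_port is None or rule.original_port == port

def apply_nat(rules, pkt, direction):
    """First matching rule wins. DNAT rewrites the destination of inbound packets
    (Uplink -> vDC); SNAT rewrites the source of outbound packets (vDC -> Uplink).
    Returns a new Packet, or the packet unchanged when no rule matches."""
    for r in rules:
        if direction == "in" and r.rule_type == "DNAT" and _matches(r, pkt.dst_ip, pkt.dst_port, pkt.proto):
            return Packet(pkt.src_ip, pkt.src_port, r.translated,
                          r.translated_port or pkt.dst_port, pkt.proto)
        if direction == "out" and r.rule_type == "SNAT" and _matches(r, pkt.src_ip, pkt.src_port, pkt.proto):
            return Packet(r.translated, r.translated_port or pkt.src_port,
                          pkt.dst_ip, pkt.dst_port, pkt.proto)
    return pkt

# Constructed addresses: 203.0.113.10 = Uplink (Default Gateway) IP, 192.168.0.50 = web VM, 192.168.0.0/24 = Internal subnet.
UPLINK_IP = "203.0.113.10"
WEB_VM_IP = "192.168.0.50"
RULES = [
    NatRule("SNAT", "192.168.0.0/24", UPLINK_IP),           # outbound Internet access, kept at the top
    NatRule("DNAT", UPLINK_IP, WEB_VM_IP, "tcp", 80, 80),   # Internet port 80 -> web VM port 80
]
```

Traffic that no rule matches (for example port 22 to the Uplink IP) passes through untranslated, so it still needs a Firewall rule to reach anything inside.
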
Firewall Tab

Used to configure Inbound and Outbound Firewall rules. Firewall rules are global to the Edge Gateway.

  • To create a Firewall Rule, you need to know what IP addresses are accessible outside the network and what IP addresses are accessible inside the network.
  • Typically you will use the Primary IP, which is the Default Gateway IP shown below.
    • Before configuring the Firewall, make note of the following:
      • The firewall is enabled by default.
      • The default policy is Deny: any traffic not matched by an Allow rule is dropped.
      • You must add rules to let specific traffic through.
    • In the Example below we will be creating a simple rule that allows ICMP (ping requests)
      • In the Add Firewall Rule window, complete the following fields:
        • Enable Rule: On
        • Policy: Allow
        • Description: ICMP_IN
        • Source IP: Enter Any.
        • Destination IP: Enter Any
        • Protocol: Select ICMP.
      • Once the Rule has been saved and the Firewall configuration updated, you will see the rule listed under the Firewall Rules section.
      • Once multiple rules have been applied, you can reorder the rules by clicking on the Edit Button.
      • You can also enable/disable a rule or change its action from Allow to Deny.
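
The rule behaviour described above, as an added Python model that is not part of the original article: rules are evaluated in order, the first enabled match decides, and anything unmatched falls through to the Edge's default Deny. It uses the page's ICMP_IN rule plus a constructed Deny for one source address (198.51.100.7, a documentation address) to show why rule position matters.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class FwRule:
    description: str
    policy: str               # "Allow" or "Deny"
    source: str = "Any"       # "Any", a single IP, or a CIDR range
    destination: str = "Any"
    protocol: str = "Any"     # "Any", "ICMP", "TCP", "UDP"
    enabled: bool = True

def _addr_match(spec, ip):
    """Match an address against an "Any", single-IP or CIDR field."""
    return spec == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, src_ip, dst_ip, proto):
    """First enabled rule that matches decides; no match falls through to the
    Edge's default Deny. Returns (policy, description of the deciding rule)."""
    for r in rules:
        if not r.enabled:
            continue
        if (_addr_match(r.source, src_ip) and _addr_match(r.destination, dst_ip)
                and r.protocol in ("Any", proto)):
            return r.policy, r.description
    return "Deny", "default"

def reorder(rules, description, new_index):
    """Return a copy with the named rule moved, as the Edit Button on the Firewall tab allows."""
    idx = next(i for i, r in enumerate(rules) if r.description == description)
    moved = rules[:]
    moved.insert(new_index, moved.pop(idx))
    return moved

# The page's ICMP_IN rule, preceded by a constructed Deny for a single source address.
RULES = [
    FwRule("DENY_HOST_ICMP", "Deny", source="198.51.100.7", protocol="ICMP"),  # constructed
    FwRule("ICMP_IN", "Allow", "Any", "Any", "ICMP"),                          # from the page
]
```

Moving ICMP_IN above DENY_HOST_ICMP makes the Deny unreachable, which is the kind of change worth checking after any reorder.
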