cyberia
/
capsul-flask
7
6
Fork 7
Code Issues 21 Pull Requests 3 Projects Releases Wiki Activity

feature request: implement 1:1 NAT support #35

New Issue
Open
opened 2022-04-07 15:55:53 +00:00 by knoflook · 3 comments
knoflook commented 2022-04-07 15:55:53 +00:00
Copy Link

while setting up a test instance of capsul we had to set up 1:1 NAT because our provider didn't give us a subnet, only a couple of discrete IP addresses. It would be great if capsul could figure this situation out and give the right IP address in the web interface.

while setting up a test instance of capsul we had to set up 1:1 NAT because our provider didn't give us a subnet, only a couple of discrete IP addresses. It would be great if capsul could figure this situation out and give the right IP address in the web interface.
forest commented 2022-04-11 19:59:57 +00:00
Owner
Copy Link

Thanks for raising this issue, to be honest I don't know what a 1:1 NAT is or what this feature would entail. Could you please post a more in-depth explanation of what this is or what it would look like? Even just links to documents that explain what a 1:1 NAT is would help.

Thanks for raising this issue, to be honest I don't know what a 1:1 NAT is or what this feature would entail. Could you please post a more in-depth explanation of what this is or what it would look like? Even just links to documents that explain what a 1:1 NAT is would help.
knoflook commented 2022-04-19 11:17:12 +00:00
Author
Copy Link

Ah yes, sorry for being so cryptic about it, i put this text with the intent to edit it later :) I don't have a deep understanding of this topic either, so what I say might be simplified or not 100% correct, but with that said, a 1:1 NAT is used in this context to map x public IP addresses to x local IP addresses with all ports passed trough.

Normally this doesn't need to be done, because your ISP will typically give you a subnet which you then put into libvirtd so it can give these addresses to VMs. So when you go to look at your capsuls you'll be able to see the public IP address that you can SSH to.

In our case however, we (servers.coop) went for an extremely cheap dedicated server provider for our test instance which didn't give us a subnet, but a bunch of discrete IP addresses with the last octet 124-129 and a /24 netmask. If I understand correctly it's impossible to configure libvirt to use discrete IP addresses, so we had to map each of these to a local subnet 10.0.0.{4,9}. This is done in the PREROUTING chain in nat table in iptables. Unfortunately this means that the VM doesn't know its public IP address, and capsul also shows 10.0.0.x.

So in this case it would be great to have an option to replace these addresses in the web interface with the public ones by either putting the mapping range in manually or allowing capsul to read iptables. It's possible that we'll either find a better way to deal with these IP addresses (and then document it properly), or write this feature ourselves and open a PR here.

Ah yes, sorry for being so cryptic about it, i put this text with the intent to edit it later :) I don't have a deep understanding of this topic either, so what I say might be simplified or not 100% correct, but with that said, a 1:1 NAT is used in this context to map `x` public IP addresses to `x` local IP addresses with all ports passed trough. Normally this doesn't need to be done, because your ISP will typically give you a subnet which you then put into libvirtd so it can give these addresses to VMs. So when you go to look at your capsuls you'll be able to see the public IP address that you can SSH to. In our case however, we (servers.coop) went for an extremely cheap dedicated server provider for our test instance which didn't give us a subnet, but a bunch of discrete IP addresses with the last octet 124-129 and a /24 netmask. If I understand correctly it's impossible to configure libvirt to use discrete IP addresses, so we had to map each of these to a local subnet `10.0.0.{4,9}`. This is done in the `PREROUTING` chain in `nat` table in iptables. Unfortunately this means that the VM doesn't know its public IP address, and capsul also shows `10.0.0.x`. So in this case it would be great to have an option to replace these addresses in the web interface with the public ones by either putting the mapping range in manually or allowing capsul to read iptables. It's possible that we'll either find a better way to deal with these IP addresses (and then document it properly), or write this feature ourselves and open a PR here.
forest commented 2022-05-01 00:47:12 +00:00
Owner
Copy Link

Gotcha. This might fit in with a refactor i had planned for the future, moving towards manually managing all of the IP address allocations instead of letting the DHCP server allocate them

Gotcha. This might fit in with a refactor i had planned for the future, moving towards manually managing all of the IP address allocations instead of letting the DHCP server allocate them
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
rathouse
self-service-change-email
development
jes/add-nixos
docker-test
serial-console-access
ptyhunter
console-access
dhcp-wip
j3s/update-distros
deleteme
autonomic
autonomic-yolocolo
tests-with-logs
tests3
tests2
autonomic-webapi
docs-reshuffle2
mock-hub-create
optional-btcpay
generated-prices
tests
autonomic-public-api-tests
autonomic-docker-api
managed-ips
asd
multiple-hosts
forest-wip
0.1.0
0.0.0
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: cyberia/capsul-flask#35
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?