HOW CAN I ACCESS ALL MY VMS USING ONE PUBLIC IP (NAT)?
So, you're looking at your resources and you see that you have only one floating IP. This makes you wonder, how can I possibly access my VMs with just one IP?
Rest assured, there is no sadistic intention from our part. This is a quite common problem with IPv4 addresses and as a matter of fact, your Internet provider has faced the same issue and the solution sits next to your telephone plug. That's right, your router.
This guide should cover the necessary steps to turn a VM with a public IP address into a router that can provide Internet access to all of your VMs.
You can find an index of the guide below. The basic sections are the instructions/configurations for your VMs, but we suggest you read the rest of the guide too, if this is your first time you encounter this subject.
Necessary background
In order to follow the rest of this guide, you first need to understand what the router in your home network does. Don't worry, we 'll try to make it as simple as possible. Fasten your seatbelts and here we go!
On the following picture, you can see a common home network setup.
In your home setup, usually all your devices are connected to your router (192.168.1.0), forming a private network. Your router is also connected to the Internet, or public network, and is assigned a public IP by your Internet Provider (203.0.113.80).
Explanation of NAT
So, if your laptop wants to connect to http://example.com (93.184.216.119) it must construct a request like this:
From: 192.168.1.1, Port: 12345 To: 93.184.216.119, Port: 80
Since your laptop has no direct access to the Internet, it will ask your router (192.168.1.0) to forward the request to the Internet. This means that the laptop uses the router as a gateway.
The router's job doesn't end here though. After all, if the above request was forwarded as is, how would http://example.com respond? Keep in mind that the 192.168.1.1 address is valid only for your home network.
Instead, your router will replace 192.168.1.1 with its own public IP address (203.0.113.80). Also, it will replace 12345 with a random port of its own, e.g. 54321, which leads to the following altered request:
From: 203.0.113.80, Port: 54321 To: 93.184.216.119, Port: 80
Now, what if your smartphone also wanted to connect to http://example.com? Easy, it would send the following request to the router:
From: 192.168.1.2, Port: 9999 To: 93.184.216.119, Port: 80
and the router would translate it to:
From: 203.0.113.80, Port: 6969 To: 93.184.216.119, Port: 80
So, when http://example.com sends a reply to the router, you have two cases:
- The target port is 54321, so the router will forward the reply to your laptop.
- The target port is 6969, so the router will forward the reply to your smartphone.
This is possible because your router has stored a mapping of the laptop/phone {private IP address:port} and its own {public IP address:port}. This is called NAT (Network Address Translation) and the devices that reach the Internet through the router are commonly called NATed devices.
Explanation of port forwarding
Now that we have covered how your devices communicate with the outside world, let's see how you can do the opposite, e.g. reach your laptop's web server from somewhere out of your private network, say your friend's home. So, what would you do?
Well, you would open your browser and you would enter the IP address of your laptop (192.168.1.1). No, wait a second, you are at your friend's house, you can't use that address! Hm, how about your router's address (203.0.113.80)? Good thinking, but where would the router forward your request to? Your laptop, your charging phone, that guy across the street that steals your Internet?
No, in this scenario you need to use a technique called port forwarding. So, before you go to your friend's house, you should have instructed your router to do the following:
- Reserve a router port, e.g. 8080
- Forward any request that reaches this router port to your laptop (192.168.1.1) and its http port (80).
Had you done that, you could enter in the browser of your friend's laptop the following address:
203.0.113.80:8080
and enter your web server.
Next steps
Before you continue with the rest of the guide, you need to do the following:
- Create a private network and add all your VMs to it.
- Attach a floating IP to one of your VMs. That VM will be used as a router.
Next, you must decide on what you want to do.
- Do you want to connect to a VM that has no public IPv4 address via SSH/RDP?
- Do you want to provide Internet access to a VM that has no public IPv4 address?
- Do you want a combination of the above?
Most users would choose the latter, so what we suggest is:
- Add the RRAS role (Routing and Remote Access service) to your Windows router VM. (not for Linux routers).
- Configure NAT on your router VM.
- Enable port forwarding to all your NATed VMs. For example, if your NATed VMs
are two, a Linux VM (192.168.1.2) and a Windows VM (192.168.1.3),
you can use the following port forwarding scheme:
- Use router port 10022 to forward requests to 192.168.1.2 and port 22 (SSH).
- Use router port 13389 to forward requests to 192.168.1.3 and port 3389 (Remote Desktop).
- Connect to your NATed VMs. If you have a Windows router, you can connect to each of your VMs through the console. Else, if you have a Linux router, you can connect to each of your VMs using the ports you have specified during port forwarding (or you can just as well use the console).
- Apply the necessary configurations to all your NATed VMs .
RRAS role addition (Windows only)
Depending on the version of your Windows Server, choose one of the categories below to view the appropriate instructions:
Windows Server 2012 VMs
From your taskbar, go to Server Manager. Then, on the right sidebar, right-click on "Manage" and press "Add Roles and Features".
Select your server and click on "Next" three times.
From the list of roles, choose "Remote Access".
Press "Add Features".
Press "Next", "Next" again and finally press "Install". Press "Next" three times and from "Role services select also the option Routing ".
Press "Next", "Next" again and finally press "Install". You might be asked to restart your VM, before closing "Add Roles and Features Wizard".
You will have to wait for a few moments while the services are installed. Once they are installed, you can close the "Add Roles and Features Wizard" window.
Windows Server 2008 VMs
From your taskbar, go to Server Manager. Then, on the left sidebar, right-click on "Roles" and press "Add Role".
Click on "Next" and from the list of roles choose "Network Policy and Access Services". Press "Next". Press "Next" again and then choose from the list the "Routing and Remote Access Services". Press "Next" and finally press "Install".
You will have to wait a few moments while the services are installed. Once they are installed, you can close the "Add roles Wizard" window.
Router instructions for Windows Server 2012/2008 VMs
Note: You can read the official NAT instructions from the site of Microsoft. Alternatively, you can follow the steps below:
NAT
From your taskbar, go to Server Manager. Expand "Roles", expand "Network Policy and Access Service" and click on "Routing and Remote Access". On the right sidebar, under "Routing and Remote Access", choose "More actions" and then "Configure and Enable Routing and Remote Access".
On the wizard, Click on "Next", click on "Network address translation (NAT)" and then "Next".
On the next window, you will see a network card list. One of these should have a public IP address, typically 83.212.x.x, and one should have a private IP address, typically 192.168.x.x. Click on the public network card and then click on "Next".
On the next window, choose the private network card that you wish to give Internet access to. Click "Next" and finally click "Finish". Once more, you will need to wait a bit for the changes to take effect.
Once the window has closed, you should be all set. If you want to continue with port-forwarding, you can follow the instructions below:
Port forwarding
Under "Routing and remote services", expand "IPv4" and then click on "NAT". On the middle window, you should see your public and private networks. Right-click on your public network and click on "Properties"
Click on "Services and Ports", then click on "Add...".
Finally, enter on the new window a name for the service (free choice), the IP address of the NATed machine you want to connect to (192.168.1.2 in this case) and its port (3389 in this case). Also, select a router port of your choice that will forward requests to the above port (1134 in this case). Click "OK", "Apply" and that's it!
After you have applied the necessary configurations to your NATed VM (192.168.1.2), you should be able to connect to it using the router's IP and the specified port, in our case:
83.212.X.X:1134
Router instructions for Linux VMs
For this section, we have used the following example setup:
- eth0 is the public network card.
- eth1 is the private network card.
- 192.168.1.2:22 is the private IP (192.168.1.2) and port (22) of the NATed machine you want to connect to.
- 1134 is the port of the router VM that will forward requests to the above destination.
You must replace the above in the following commands according to your
setup. Also, the following commands assume that you are the root user of the
machine.
NAT
Use the following commands to enable NAT:
echo "1" > /proc/sys/net/ipv4/ip_forward iptables -F iptables -t nat -F iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Port forwarding
If you want to connect through your router VM to a specific port of a NATed machine, use the following commands:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE iptables -t nat -A PREROUTING -p tcp --dport 1134 -j DNAT \ --to-destination 192.168.2.1:22
You should now be able to connect to your NATed VM (192.168.2.1 in this case) using your router's public IP address and the specified port (1134 in this case)
Note: To make IP forwarding permanent, you can check this IP forwarding article. Also, to make IP tables persistent, i.e. not get lost after a reboot, you can check this iptables article.
Configuration for NATed VMs
A NATed VM needs to know only the private IP address of the router VM, for example 192.168.1.1.
For Windows VMs, we suggest you use your command prompt and add a default gateway as per Microsoft's instructions:
route add 0.0.0.0 mask 0.0.0.0 192.168.1.1
Linux VMs must issue a similar command:
route add default gw 192.168.1.1
Once you have configured a default gateway, your VM can have Internet access through your router VM.
Performance concerns
You must keep in mind that using a VM to route the traffic for your private network puts a lot of strain to it and will have the following effects:
- Increase your network latency.
- Increase the load in your router VM.
Having said that, for regular SSH/RDP sessions or for a light web server, you should experience no issues.
CYCLADES USER GUIDE
- How to create a VM?
- How do I connect to a VM?
- How do I manage my VM?
- How can I resize the CPU/RAM of an existing VM?
- How can I attach/detach an IP on a running VM?
- How can I add extra disks to my VMs?
- How can I detach an extra disk from a VM?
- How can I add tags to my VMs?
- How can I assign my VM to a project?
- What are SSH keys and how can I use them?
- What are private networks?
- What is a firewall and which one should I choose?
- How to create VMs from custom images?
- How can I access all my VMs using one public IP (NAT)?
- How can I update the VirtIO drivers of my Windows VM?
- How can I add IPv6 nameservers on my CentOS/Oracle Linux VM?
