šŸ‘Øā€šŸ’»Implementing a CGNAT Agg on a VPSšŸŒ

Ronald Bartels

The purpose is to provision a Fusion SD-WAN Agg on a VPS in a hosting environment, connect PWANs to that Agg, and use it as an Internet breakout that presents only the public IP of the VPS to the outside world.

The first step is to install an Agg on a VPS.

Here is the configuration:

eth1.200 is the interface that connects to the space and carries OSPF. Any edge that uses the designated space via a PWAN will be able to use the CGNAT, and hundreds of edges can be connected via the space.

The following nft file needs to be created on the VPS host as /etc/nftables/natcontainer.nft and configured to load on startup:

table ip cntnat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Masquerade traffic arriving from the container side (eth1.100)
        # and leaving via eth0, the public interface of the VPS
        iif "eth1.100" oif "eth0" masquerade
    }
}

Here is the PWAN configuration:

Now you need to install a container using this example:

In this case the container.nspawn file is as follows:

[Exec]
Boot=yes
[Network]
VirtualEthernet=yes
VirtualEthernetExtra=eth1.100
VirtualEthernetExtra=eth1.200

The container's interfaces file is as follows:

auto eth1.100
iface eth1.100 inet static
    address 100.100.127.255/31
    gateway 100.100.127.254

auto eth1.200
iface eth1.200 inet static
    address 192.168.79.1/24

Quagga needs to be installed on the container with this ospfd.conf. Note that the network statement for 100.64.0.0/10 also matches the address on eth1.100, so OSPF hellos are sent toward the host side as well; if no adjacency is wanted there, add passive-interface eth1.100 under router ospf. The area range statements only take effect on an ABR, so with a single area they are harmless but inert.

router ospf
  router-id 192.168.79.1
  network 192.168.0.0/16 area 0.0.0.0
  network 100.64.0.0/10 area 0.0.0.0
  area 0.0.0.0 range 192.168.0.0/16
  area 0.0.0.0 range 100.64.0.0/10
  default-information originate always
  redistribute kernel
  redistribute connected
  redistribute static
!
interface eth1.200
  ip ospf area 0.0.0.0

The following nft file is used on the container:

# /etc/nftables/masquerade-cnt.nft
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Masquerade all traffic leaving the container via eth1.100
        # (the /31 toward the host, which then masquerades again to its public IP)
        oif "eth1.100" masquerade comment "Masquerade traffic via eth1.100"
    }
}
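As an added example that is not part of the original post, the following POSIX shell helper covers two things the configuration above relies on but does not show: IPv4 forwarding must be enabled on both the VPS host and the container (masquerade only rewrites packets that are being forwarded, so without it the breakout silently fails), and the /31 on eth1.100 must be addressed consistently at both ends. It assumes the host end of the eth1.100 veth carries 100.100.127.254/31, the gateway the container points at; the sysctl file path, the nft file path and the CGNAT_APPLY switch are this script's own conventions and not part of the Fusion setup.

```sh
#!/bin/sh
# Added example for the CGNAT Agg setup above (not from the original post).
# Pure functions first (testable offline), then the apply steps, guarded so
# the file can be sourced without side effects.

# Dotted quad -> integer, using only parameter expansion and POSIX arithmetic.
cgnat_ip_to_int() {
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Integer -> dotted quad.
cgnat_int_to_ip() {
    n=$1
    echo "$(( n / 16777216 )).$(( (n / 65536) % 256 )).$(( (n / 256) % 256 )).$(( n % 256 ))"
}

# Return 0 if the address is inside the RFC 6598 shared address space
# 100.64.0.0/10, which is what the container link and the Agg space use.
# Mask 0xFFC00000 = 4290772992, network 100.64.0.0 = 1681915904.
cgnat_in_shared_space() {
    n=$(cgnat_ip_to_int "$1")
    [ $(( n & 4290772992 )) -eq 1681915904 ]
}

# Peer address of a /31 point-to-point link: flip the lowest address bit.
cgnat_p31_peer() {
    cgnat_int_to_ip $(( $(cgnat_ip_to_int "$1") ^ 1 ))
}

# Validate an "address A/31, gateway G" pair such as the container's eth1.100:
# the prefix must be /31, the address must be in 100.64.0.0/10, and G must be
# the other end of the /31. Prints the reason and returns 1 on failure.
cgnat_check_p2p() {
    addr=${1%/*}; plen=${1#*/}; gw=$2
    [ "$plen" = 31 ] || { echo "prefix is /$plen, expected /31"; return 1; }
    cgnat_in_shared_space "$addr" || { echo "$addr is not in 100.64.0.0/10"; return 1; }
    [ "$(cgnat_p31_peer "$addr")" = "$gw" ] || { echo "gateway $gw is not the /31 peer of $addr"; return 1; }
    return 0
}

# Enable IPv4 forwarding persistently. Run this on the host AND inside the
# container; a masquerade rule never fires if the kernel is not forwarding.
cgnat_enable_forwarding() {
    conf=${1:-/etc/sysctl.d/90-cgnat.conf}   # assumed path
    printf 'net.ipv4.ip_forward = 1\n' > "$conf"
    sysctl -q -p "$conf"
}

# Syntax-check an nft file without touching the live ruleset, then load it.
cgnat_load_nft() {
    nft -c -f "$1" || { echo "nft syntax error in $1"; return 1; }
    nft -f "$1"
}

# Apply only when explicitly requested, so sourcing the file is side-effect free.
if [ "${CGNAT_APPLY:-0}" = 1 ]; then
    cgnat_check_p2p 100.100.127.255/31 100.100.127.254 || exit 1
    cgnat_enable_forwarding
    cgnat_load_nft "${NFT_FILE:-/etc/nftables/masquerade-cnt.nft}"
fi
```

Source the file to get the check functions, or run it with CGNAT_APPLY=1 (and NFT_FILE pointing at natcontainer.nft on the host) to apply. Because every edge ends up behind the single VPS address, keep conntrack state or NAT logging available if you will ever need to map an abuse report back to a specific edge.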

And that is it, surf's up!
