OS X: How to Setup NAT on Lion and Mountain Lion
It appears Apple changed the way NAT works, starting in Lion and this upset a lot of people. Apparently, nat would just stop working for some folks after they upgraded to Lion from Snow Leopard.
Finding really in-depth information about Apple's NAT implementation is surprisingly hard. While attempting to figure out how to setup a virtual network for two MacBooks connected to one another over Ethernet, I found a few helpful resources, but none helped me understand exactly how OS X does natd within InternetSharing and no matter whose blog or tutorial I followed, I just couldn't get /usr/sbin/natd to forward my packets. This is how my setup first looked...
I experimented with VLANs, bridges, routing tables, Parallels NAT, Apple NAT, InternetSharing, ipfw, config files and other stuff I've forgotten. I typed in netstat -nr|more and ifconfig more times than I can count. One thing I didn't get into was pf, though. It looked a little too complex.
First, the reason(s) why I didn't want to use Apple's InternetSharing app even though while using it, the VMs on both MacBooks could ping one another and the Internet. I'm a control freak. I want to manage my own everything. My own DNS, my own DHCP server and I want to pick my own damn subnet. Apple says that you can change the subnet by modifying SharingNumberStart in the nat defaults file but this won't work if you already have any device assigned to an IP in that subnet. To avoid conflicts, InternetSharing takes it upon itself to modify the subnet by one octet (172.20.0.1 -> 172.20.1.1) which is the opposite of what I want. I was also unable to find any documentation on how to modify the subnet mask, so I don't even think that's possible with InternetSharing.
My network requirements aren't that common, admittedly. It's not often that someone will want to hook up two MacBook Pros and run a lil virtual network between them using only an Ethernet cable but, eh, I do. Btw, did you know that you don't need a crossover cable for MacBooks to talk to one another directly over gigabit Ethernet? Me either. Anyway, I didn't want to buy a gigabit router because this is a very short term project. And I thought I'd enjoy the challenge of figuring this out.
I knew my nat configs were mostly right, I was just missing something with the routes. I finally found the last piece using route monitor and watching what InternetSharing changed when it was turned on and all client VMs could ping each other and the Internet(s).
Check out the routing table InternetSharing created:
192.168.1.1 is my Wireless connection, 192.168.2.1 is Apple's NAT subnet and the other nets were created by Parallels. Most network admins I talked to immediately thought the multiple gateways were causing an issue but this is the setup that actually worked, it just wasn't customizable enough. By the way, BSD has one of the few tcp/ip stacks that allow you to have multiple gateways (so I read.)
So after about a week of prodding, I figured out that this is what Apple basically does within InternetSharing:
gwdev=en1
ifconfig bridge0 create
ifconfig bridge0 up
ifconfig bridge0 addm en0
ifconfig bridge0 172.20.0.1
route add default -interface bridge0 -ifscope bridge0 -cloning
sysctl -w net.inet.ip.forwarding=1
/sbin/ipfw add 100 divert natd ip from any to any via $gwdev
/usr/sbin/natd -interface $gwdev -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -enable_natportmap -natportmap_interface en0
That and a bunch of error handling and things related to DHCP and DNS. It also checks to see if the Internet connection exists and deletes the nat/bridge if it doesn't and recreates it when the connection is back up.
Here's a visual of my network after running that script:
I need to start working on my project so further error handling and automation are going to be dealt with later.
Below is the code I've started using on my machine. My guest OS network runs a Windows domain and has its own DNS and DHCP servers so those are not addressed in this script. They are really important services, though so if you don't have them setup, you'll want to do that.
Oh, it also doesn't make any changes to the firewall except to add a forwarding rule. You'll want to setup your firewall, too. Annnd this script doesn't use a specific network interface. I make it detect the current gateway then use that interface. If it can't find a gateway, it uses en1. I should probably make it just die but whatever.
#!/bin/bash
# Get the interface name for the gateway
gwdev=`netstat -nr | grep default | awk '{ print $6 }' | head -1`
# If none are found, set the gateway to en1 (generally Wifi on OS X)
if [ -z "$gwdev" ]; then
gwdev=en1
fi
# Create a bridge, add the Ethernet device
ifconfig bridge0 create
ifconfig bridge0 up
ifconfig bridge0 addm en0
# Give it an IP, route bridge0's traffic to bridge0
ifconfig bridge0 172.20.0.1
route add default -interface bridge0 -ifscope bridge0 -cloning
# Enable IP forwarding, add a firewall rule to send all natd traffic to the real gateway
# Start natd with a whole bunch of options
sysctl -w net.inet.ip.forwarding=1
/sbin/ipfw add 100 divert natd ip from any to any via $gwdev
/usr/sbin/natd -interface $gwdev -use_sockets -same_ports -unregistered_only -dynamic -clamp_mss -enable_natportmap -natportmap_interface en0
And to stop...
#!/bin/bash
# All these steps look excessive but address
# network instability issues created by not doing them
gwdev=`netstat -nr | grep default | awk '{ print $6 }' | head -1`
if [ -z "$gwdev" ]; then
gwdev=en1
fi
killall natd
/sbin/ipfw delete 100 divert natd ip from any to any via $gwdev
sysctl -w net.inet.ip.forwarding=0
ifconfig $gwdev down
ifconfig en0 down
route delete default -interface bridge0 -ifscope bridge0
ifconfig bridge0 172.20.0.1 delete
ifconfig bridge0 deletem en0
ifconfig bridge0 destroy
ifconfig en0 up
ifconfig $gwdev upOne big important thing for laptop users is that natd becomes unstable after the laptop wakes from sleep. To address that, I created the scripts above, installed sleepwatcher, and set sleepwatcher to run /sbin/stopnat on sleep and /sbin/startnat it on wake. This makes natd run 24/7 so make sure that's what you want. I also need to put it in the startup but haven't yet.
Here's that setup, real quick:
sudo port install sleepwatcher
/usr/local/sbin/sleepwatcher -d --wakeup /sbin/startnat --sleep /sbin/stopnat
It's likely I'll keep develop this more over time, but for now, my clusters need my attention. I know it's a bit of a pain just copy/pasting so give me about a month or eight and I'll package up the files nice and put em up here.
Update: If you're looking to do this without NAT, check out Thomas' post about bridging ethernet interfaces in OS X.
References: OS X Advanced Server Guide, Mac OS X for Unix Geeks, a blog post by akutz and every support forum for OSX, FreeBSD and Parallels ever.
[Solved] Parallels Desktop: Interface vmnet1 is not present. This should be created at boot time.
I recently modified my Parallels DHCP settings because I'm really particular about the internal subnets I work with in the lab (192.168 is the ugliest subnet ever). Once I modified the file at /Library/Preferences/VMware\ Fusion/networking (OS X) my Parallels Desktop erred out and said
Interface vmnet1 is not present. This should be created at boot time.
Someone on this thread suggested a reinstall but that only worked as a temporary fix. Turns out, when you modify the networking file, you also need to restart your vmnet-cli service. You can do this with the following commands:
/Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --stop
/Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --config
/Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --start
/Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli --status
I ended up just throwing the stop and start commands into a script and running it each time I modified my settings.
Patterns and Practices: A Guide to Claims-Based Identity and Access Control – Free ebook.
While I usually like conversation-style technical books (think: Manning's In Action series and many Wrox books), Microsoft's Patterns and Practices series is one of my favorite even though they feel so formal. Recently, my buddy Buck Woody posted a link to the freely available Patterns and Practices book for A Guide to Claims-Based Identity and Access Control, Second Edition.
Courtesy of Avkash Chauhan's Blog
It's the same book that can be purchased at Amazon.com for 23 dollars (make you holler.)
OpenVPN: Update Client DNS Servers on Mac OS X Using the Command Line.
There's a bit of a debate on how best to update your DNS resolver on Mac OS X when connecting to an OpenVPN Server. For whatever reason, even if use DHCP on the VPN server, OS X won't use the assigned DNS server(s). It's been recommended to use scutil, but the scripts are crazy long and I've read the resolver order sometimes gets reset anyway.
The usual route of using /etc/resolv.conf does not work on OS X but specifying DNS servers in your Network Preferences does. If you use public network servers like 8.8.8.8 or 4.2.2.2, you're already set. Move along 
But if you rely on DHCP assigned DNS servers, the the script below will do the trick. This script specifies or clears (sets back to DHCP default) the DNS servers on each of the adapters listed in networksetup.
#!/bin/bash
# Set bash delimeter to be line break
IFS=$'\n'
# VPN DNS Server
vpndns='172.20.0.1'
# Get adapter list
adapters=`networksetup -listallnetworkservices |grep -v denotes`
for adapter in $adapters
do
echo updating dns for $adapter
dnssvr=(`networksetup -getdnsservers $adapter`)
if [ $dnssvr != $vpndns ]; then
# set dns server to the vpn dns server
networksetup -setdnsservers $adapter $vpndns
else
# revert back to DHCP assigned DNS Servers
networksetup -setdnsservers $adapter empty
fi
doneAgain, if you already set your DNS servers, your OpenVPN connection will use those. This script is effective for people who use DHCP assigned DNS servers by default and would like to tunnel their DNS requests when connecting to an OpenVPN server.
OpenWRT & PPTPD: A Love Story
Firesheep got me thinkin' that I should probably do a little more to beef up the security of my Internet connection on public networks. PPTP has always been a favorite of mine, because it hides traffic well enough to deter most people and it's easy to setup on both Linux and Windows. I ran a Windows PPTP server for years, but recently decided to just host the service my WRT54GS v3 router running OpenWRT. Three hours later, I've got it running smoothly. Here's how I did it:
First, I installed and setup OpenWrt Backfire 10.03 and set my internal IP pool to be on the 172.16.x net, with the gateway (OpenWRT router being 172.16.1.1). Then, I headed over to OpenWRT's PPTPD HOW-TO.
opkg update
opkg install pptpd
opkg install kmod-crypto
opkg install kmod-mppe
/etc/init.d/pptpd enable
/etc/init.d/pptpd start
I believe my /etc/ppp/options file doesn't have any modifications, but just in case, this is what it looks like:
#debug
logfile /dev/null
noaccomp
nopcomp
nocrtscts
lock
maxfail 0
lcp-echo-failure 5
lcp-echo-interval 1
Now that I think about it, very few modifications were ultimately made to /etc/ppp/options.pptpd
auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
#noproxyarp
#nomppc
chapms-strip-domain
# Otherwise, your chap-secret file will have to include "DOMAIN\\user" instead of user.
mppe required,no40,no56,stateless
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
ms-dns 172.16.1.1
#plugin radius.so
#radius-config-file /etc/radius.conf
If you compare this to the original file, you'll notice I deleted the entry "172.16.1.1:" at the top of the file, and added the entry: ms-dns 172.16.1.1. I don't know why, but DNS didn't work well when the the client's defaults were used so I forced them to use the router's LAN DNS server.
Then I added some users to the /etc/ppp/chap-secrets file. I'll paste the contents, then go over the details. Oh, and don't forget to chmod 600 /etc/chap-secrets because the file's perms are insecure by default:
#USERNAME PROVIDER PASSWORD IPADDRESS
iphone pptp-server suprAdv4ncedPwd! 192.168.80.1
ipad pptp-server rlyAdv4ncedPwd! 192.168.80.11
hackbook pptp-server megaAdv4ncedPwd! 191.68.80.3
windows pptp-server ttllyAdv4ncedPwd! 192.168.80.2
extra pptp-server megaAdv4ncedPwd! 192.68.80.4
The chap-secrets file alone suggests that OpenWRT/PPTP is not an enterprise solution. I wouldn't propose it for any company with a decent budget, but times are tough and ghetto is looking better than ever to many companies.
I would actually have fewer entries in this file if the IPADDRESS field was not such a big issue. Unfortunately, it seems that the DHCP pool has been compiled into the service. It sets up the router's pppN to be 192.168.0.x and assigns the clients a 192.168.1.x address by default. Which is unfortunate, because SO DOES EVER OTHER RESIDENTIAL ROUTER, EVER. So routing issues keep pop up. Because of that, I force PPTPD to assign each user a specific IP, in the 192.168.80.x range because I've never seen any router use that subnet.
The usernames are whatever you'd like them to be (I made them the name of my devices) but if you are dialing-in from a Windows machine, you will have to preface the username with the Windows domain name or the name of your workstation if you are not on a domain UPDATE: adding chapms-strip-domain to options.pptpd fixes this. The "pptp-server" is what the service was named in options.pptd, the password is just that, and the IPADDRESS is the IP that the given client will be assigned.
Initially, my /etc/firewall.user didn't have all the proper entries, so my client was able to authenticate and all that, but no traffic was being routed to the 172.16.x subnet, nor was it being routed to the Internet. Here's what worked:
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables -A input_wan -p tcp --dport 1723 -j ACCEPT
iptables -A input_wan -p gre -j ACCEPT
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
The first block allows clients to connect to the PPTP service and the second one allows it to communicate with both the Internet and the local network. And voila, you are done. I know it seems straightforward and doesn't deviate much for the default install, but it took over three hours of trial and error to get here. I've logged in successfully with an iPhone (over 3G, EDGE and wifi), an iPad, a Windows 7 machine and Mac OS X. The iPhone is of special importance to me -- after connecting to a local coffee shop's unsecured network on my laptop and my iPhone, I successfully hijacked my iPhone's Facebook app session using FireSheep. So, now I'll be encapsulating all of my traffic by sending it over to the fiber connection at my office, what what.
Next up, I'll probably start playing around with the RADIUS plugin. Stay tuned.
HOWTO: Simply Connect Mac OSX to a dd-wrt OpenVPN Server on TCP Port 443
If you find yourself on a really restrictive network but still want to connect to a remote VPN, consider this solution. It allows you to connect a Mac OS X OpenVPN client to an OpenVPN server using a static key. I figured it out using a combination of webistes, including dd-wrt's OpenVPN wiki, OpenVPN's documentation, and tinyapps.org.
This solution can probably be way more automated using tunnelblick, but I'm alright with running a couple scripts (for now) to get my VPN going. Here's what you'll need:
Network
- No web proxy or a proxy that allows persistent connections.
Server
- A Linksys WRT54GL router
- dd-wrt.v24_vpn_generic.bin (follow instructions on the website to flash from scratch.)
Client
- MacOS X Snow Leopard
- OpenVPN v2.1.3
- tuntap_20090913.tar.gz
- lzo 2.02
I downloaded all of these then compiled and installed them myself. Not because I'm leet, but because the network I was on blocked sync and I couldn't use MacPorts. So go download and compile these or use MacPorts.
First thing is first, I changed the subnet on my wireless router. I hate the 192.168 subnet; it's aesthetically unappealing and overused. Now 172.20.0.x is something pretty. Let's go with that.
We will not be using dd-wrt's GUI to enable or configure OpenVPN, but rather startup and firewall scripts in the /tmp directory. I also avoid using the default protocol and port (udp, 1194) and go with tcp port 443.
Here's a step by step
Server
- Generate the static key: openvpn --genkey --secret static.key
- Cat that key and place it in your clipboard
- Open up dd-wrt's admin webpage, and go to Administration -> Commands. Paste the following:
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
echo "
-----BEGIN OpenVPN Static key V1-----
[Insert your static key here]
-----END OpenVPN Static key V1-----
"> /tmp/static.key
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 443 --proto tcp-server --verb 3 --daemon
- Save that to Startup Scripts
- Next, back in the blank box, we'll place the code for the firewall and NAT:
iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADEClient
You will be creating 2 scripts and one key: openvpn.conf, startvpn.sh and secret.key. Place them in ~/Library/openvpn.
For your key, copy/paste your static.key from the dd-wrt router into a file named secret.key. Save the following two scripts as openvpn.conf and startvpn.sh, respectively. Don't forget to make startvpn.sh executable.
#openvpn.conf
remote my.vpn.external.ip
port 443
dev tap0
secret static.key
proto tcp-client
comp-lzo
Now this part is kinda ghetto. I want to route all my traffic through the VPN but I was unable to get route-gateway and redirect-gateway to work inside of openvpn.conf. I decided to save time and just do it through the startup script instead.
kill -9 `ps aux | grep openvpn.conf |grep config| awk '{ print $2 }'`
openvpn2 --config openvpn.conf --script-security 2 &
sleep 3
# Change your vpn server and internal subnet here
vpnserver='my.external.vpn.ip'
vpngw='172.20.0.1'
# If you use DHCP supplied DNS Servers, leave this as true
changedns=true
previousgw=`cat ./gateway 2> /dev/null`
currentgw=`netstat -nr | grep '^default' | awk '{ print $2 }'`
if [ -f ./gateway ]
then
# Set it back to the regular gateway
route delete default
route delete $vpnserver $previousgw
route add default $previousgw
rm ./gateway
echo gateway set back
if [ $changedns ]; then
networksetup -setdnsservers Ethernet empty
networksetup -setdnsservers Airport empty
echo dns reset
fi
else
# Set it to the VPN gw
route add $vpnserver $currentgw
sleep 7
route delete default
route add default $vpngw
echo $currentgw > ./gateway
# Tunnel your DNS Requests too.
if [ $changdns ]; then
networksetup -setdnsservers Ethernet $vpngw
networksetup -setdnsservers Airport $vpngw
echo new dns set
fi
fiCheck out this post on updating client-side DNS servers if you'd like to update all of your adapters instead of the ones most often used (Ethernet and Airport.)
Or something like that... Simple, right? 
SCO UNIX: Permanently Change a Static IP Address in SCO
If you need to temporarily add an IP address in SCO, you can use ifconfig
ifconfig net0 inet 172.16.1.10 netmask 255.255.255.0
But really, that just creates an alias that will disappear once the server has been rebooted. In order to permanently change an IP address on a SCO OpenServer Release 5, I used SCO's menu driven tcp configuration tool, netconfig.
My version of SCO was so fonky and old, though, that I didn't even have the option to use DHCP. And I was told by my client that the color completely left my face when I saw the following screen once I exited netconfig:
The UNIX Operating System will now be rebuilt. This will take a few minutes. Please wait.
Root for this system build is /
The UNIX Kernel has been rebuilt.
That's right.. SCO's kernel has to be completely recompiled in order to make a change to TCP! Ridiculous. Thankfully, the kernel recompiled, and the system rebooted with the desired changes. Oh, and here's a nice resource for SCO on VMware that I found while researching for this blog post.
VMware ESXi 4.0: Create Virtual Machine Error Caused by NSF File on Western Digital MyBook WE
Such an awkward title, I know. It's just hard to encapsulate the following error message into a blog post title:
Create virtual machine 172.16.1.129 Error caused by file /vmfs/volumes/0-cb8d2a5-20-f15722/win-2k8.vmdk
Basically, I'm taking ghetto to the next level by using my Dell Optiplex 745 workstation as an ESXi 4.0 server, and using a Western Digital MyBook World Edition as an NFS server which will store the VM images. The MyBook is actually very cool; it's a quiet, visually appealing mirrored 1TB NAS. After manually enabling the NFS server, I was able to mount the shares in VMware but was unable to write to it. Attempting to create a VM would error out with the following in the messages log:
Hostd: [2010-01-22 19:45:36.384 5AA03B90 verbose 'ha-host'] ModeMgr::Begin: op = normal, current = normal, count = 0
Hostd: [2010-01-22 19:45:36.385 5AA03B90 info 'ha-eventmgr'] Event 18 : Creating win2k8 on host whateves.lan in ha-datacenter
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'HostsvcPlugin'] CreateEntry '64'
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'ResourcePool ha-root-pool'] Added child 64 to pool
Hostd: [2010-01-22 19:45:36.385 5AA03B90 verbose 'Vmsvc'] Create VM initiated [64]: /vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx
Hostd: [2010-01-22 19:45:36.387 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Creating vm dir (as vm principal user) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.388 5AA03B90 info 'App'] CreateDirectory: Calling _file->CreateDirectory with _file = [N7Vmacore6System8FileImplE:0x5af0ae58]
Hostd: [2010-01-22 19:45:36.388 5AA03B90 info 'App'] CreateDirectory: Calling _file->CreateDirectory for /vmfs/volumes/0cb8d2a5-20f15722/win2k8
Hostd: [2010-01-22 19:45:36.389 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Failed to create vm dir (as vm principal user) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'.
Hostd: [2010-01-22 19:45:36.389 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Creating vm dir (as superuser) '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.390 5AA03B90 warning 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] CreateVmDirectory: Failed to create vm dir '/vmfs/volumes/0cb8d2a5-20f15722/win2k8'
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Create failed with given spec: /vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx
Hostd: (vim.vm.ConfigSpec) { dynamicType = <unset>, changeVersion = <unset>, name = "win2k8", version = "vmx-07", uuid = <unset>, instanceUuid = <unset>, npivWorldWideNameType = <unset>, npivDesiredNodeW
wns = <unset>, npivDesiredPortWwns = <unset>, npivTemporaryDisabled = <unset>, npivOnNonRdmDisks = <unset>, npivWorldWideNameOp = <unset>, locationId = <unset>, guestId = "winLonghorn64Guest", alternateGuestName = "Microsoft Wi
ndows Server 2008 (64-bit)", annotation = <unset>, files = (vim.vm.FileInfo) { dynamicType = <unset>, vmPathName = "[VMs]", snapshotDirectory = "[VMs]", suspendDirectory = <unset>, logDirectory = <unset>, },
tools = (vim.vm.ToolsConfigInfo) { dynamicType = <unset>, toolsVersion = <unset>, afterPowerOn = true, afterResume = true, beforeGuestStandby = true, beforeGuestShutdown = true, beforeGuestReboot = true,
toolsUpgradePolicy = <unset>, pendingCustomization = <unset>, syncTimeWithHost = <unset>, }, flags = (vim.vm.FlagInfo) null, consolePreferences = (
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Exception thrown vim.fault.FileFault
Hostd: [2010-01-22 19:45:36.391 5AA03B90 info 'TaskManager'] Task Completed : haTask-ha-folder-vm-vim.Folder.createVm-172 Status error
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'ha-host'] ModeMgr::End: op = normal, current = normal, count = 1
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] RemoveFromAutoStart
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Request spec is (vim.host.AutoStartManager.Config) { dynamicType = <unset>, defaults = (vim.host.AutoStartManager.SystemDefaults) null, powerInfo
= (vim.host.AutoStartManager.AutoPowerInfo) [ (vim.host.AutoStartManager.AutoPowerInfo) { dynamicType = <unset>, key = 'vim.VirtualMachine:64', startOrder = -1, startDelay = -1, waitForHeartbeat = "n
o", startAction = "none", stopDelay = -1, stopAction = "none", } ], }
Hostd: [2010-01-22 19:45:36.391 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Updated AutoStart sequence.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'Hostsvc::AutoStartManager'] Autostart info after reconfiguration: (vim.host.AutoStartManager.Config) { dynamicType = <unset>, defaults = (vim.host.AutoStartManager.SystemDefault
s) { dynamicType = <unset>, enabled = <unset>, startDelay = 120, stopDelay = 120, waitForHeartbeat = false, stopAction = "PowerOff", }, }
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'Vmsvc'] Released Vm Id: 64.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'HostsvcPlugin'] RemoveEntry '64'
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'HostsvcPlugin'] RemoveEntry succeeded
Hostd: [2010-01-22 19:45:36.392 5AA03B90 verbose 'ResourcePool ha-root-pool'] Removed child 64 from pool
Hostd: [2010-01-22 19:45:36.392 5A9C2B90 verbose 'App'] Looking up object with name = "64" failed.
Hostd: [2010-01-22 19:45:36.392 5AA03B90 info 'vm:/vmfs/volumes/0cb8d2a5-20f15722/win2k8/win2k8.vmx'] Create worker thread failed
Hostd: [2010-01-22 19:45:36.393 5AA03B90 verbose 'Statssvc'] EntityRemovedListener: Deleting stats for entity 64
Hostd: [2010-01-22 19:45:36.565 5AA44B90 verbose 'DvsTracker'] FetchDVPortgroups: added 0 items
Hostd: [2010-01-22 19:45:41.690 5AA03B90 verbose 'App'] Looking up object with name = "haTask-ha-host-vim.host.DatastoreSystem.removeDatastore-114" failed.
After searching the 'nets for about an hour, I found a post on MyBook World that addressed my issue. By default the MyBook mounts NFS shares as read-only. To change that, I modified the /etc/exports file, changing all instances of "ro" to "rw."
/nfs/Public *(rw,all_squash,sync,insecure,anonuid=65534,anongid=65534)
/nfs/Download *(rw,all_squash,sync,insecure,anonuid=65534,anongid=65534)
Then, I restarted the service by issuing /etc/init.d/S80nfsd restart. Once the restart was complete, my VM creation was successful
OpenWRT: iptables-based Firewall Rules for PPTP and IPsec
Just a handy little reference for myself.
#Internal PPTP Server
vpnserver="172.16.1.10"
iptables -N pptp
iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
iptables -A pptp -p gre --dst $vpnserver -j ACCEPT
iptables -I FORWARD -j pptp
iptables -t nat -N pptp
iptables -t nat -A pptp -i $WAN -p tcp --dport 1723 -j DNAT --to $vpnserver
iptables -t nat -A pptp -i $WAN -p 47 -j DNAT --to $vpnserver
iptables -t nat -A PREROUTING -j pptp
### Gateway Router-based IPSEC VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPTSetting Up a Site-to-Site VPN using a Linksys RV082 and OpenWrt/Openswan on a WRT54GS
After a week of trying out several different types of VPNs (PPTP, SSTP, IPSEC) at my new office, I finally figured out a solution to setup a WAN between my Linksys WRT54GSv3 and a Linksys RV082 business router. The solution was initially presented by Joe Kelly at NerdBoys.com but I couldn't get it to actually work until tonight.
Being a big fan of DD-WRT, I was hoping that I would be able to use it for my IPSEC VPN but DD-WRT only supports OpenVPN, not Openswan, which is what I need to connect to the remote RV082 router.
The techniques provided by Joe worked but the software did not. Apparently, I had to downgrade to OpenWrt from his suggested RC6 to RC4. With RC6, I could establish a tunnel successfully, but I could not ping and traffic did not go through either side. I thought it was my routing table but RC4 has the same routing table and it works perfectly.
Setting up a tunnel is actually easier than I expected -- I had to modify just 3 files on my OpenWrt install and add one tunnel to my RV082. So here's what my network looks like:
| OpenWRT (LFT) | RV082 (ATX) | |
| External IP | 24.0.175.222 | 4.2.2.2 |
| External Gateway | 24.0.175.221 | 4.2.2.1 |
| Internal IP | 172.16.1.1 | 172.16.0.1 |
| Internal Subnet | 172.16.1.0 | 172.16.0.0 |
| Internal Subnet Mask | 255.255.255.0 | 255.255.255.0 |
File 1: /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
plutodebug="none"
klipsdebug="none"
nat_traversal=no
interfaces=%defaultroute
# Add connections here
conn LFT-to-ATX
authby=secret
keyexchange=ike
ikelifetime=480m
keylife=60m
pfs=yes
left=24.0.175.222
leftsubnet=172.16.1.0/24
leftsourceip=172.16.1.1
leftnexthop=24.0.175.221
right=4.2.2.2
rightsubnet=172.16.0.0/24
rightnexthop=4.2.2.1
auto=start
dpddelay=10
dpdtimeout=30
dpdaction=hold
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
File 2: /etc/ipsec.secrets
: PSK "mybigolsecret"
I appended the following on file 3: /etc/firewall.user
### IPSec VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24 -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
After restarting ipsec on OpenWrt (ipsec setup restart), the following routing table was produced:
| Destination | Gateway | Genmask | Flags | Metric | Ref | Use | Iface |
| 24.0.175.220 | 0.0.0.0 | 255.255.255.252 | U | 0 | 0 | 0 | ipsec0 |
| 24.0.175.220 | 0.0.0.0 | 255.255.255.252 | U | 0 | 0 | 0 | vlan1 |
| 172.16.1.0 | 0.0.0.0 | 255.255.255.0 | U | 0 | 0 | 0 | br0 |
| 172.16.0.0 | 24.0.175.221 | 255.255.255.0 | UG | 0 | 0 | 0 | ipsec0 |
| 0.0.0.0 | 24.0.175.221 | 0.0.0.0 | UG | 0 | 0 | 0 | vlan1 |
As for the configuration on the RV082 side, it looks like this:
Click
The RV082's routing table looks like so:
| Destination IP Address | Subnet Mask | Default Gateway | Hop Count | Interface |
| 4.2.2.0 | 255.255.255.248 | * | 40 | ixp1 |
| 4.2.2.0 | 255.255.255.248 | * | 45 | ipsec0 |
| 172.16.1.0 | 255.255.255.0 | 4.2.2.1 | 10 | ipsec0 |
| 172.16.0.0 | 255.255.255.0 | * | 50 | ixp0 |
| default | 0.0.0.0 | 4.2.2.1 | 40 | ixp1 |
And voila! A secure, perma-VPN is born. There are big ol gaps in information here, but Joe's fab post fills in much of that if you need it.
About
-
We are IT consultants
who grew up living and loving life
in Cajun Country.
Authors
Chrissy LeMaire
Tweet to @cl
Brandon Abshire
Categories
- Oracle
- OS X & iDevices
- PowerShell
- Security
- SharePoint
- SQL Server
- VBScript
- Virtualization
- Windows
- Wordpress
