This is a set of instructions to demonstrate how to set up a pair of zones where one of them is performing NAT for the other.
This could be generalized to a zone that performs NAT for a collection of zones/VMs, or other configurations as well.
nictagadm add -l stub0
This example happens to result in double NAT to reach the internet. My SmartOS machine is on a 192.168.0.1/24 network that is itself NATed to the Internet. The “firewall” zone is NATing the client zone from a 10.0.0.1/24 network onto that 192.168.0.1/24 network.
Note the allow_ip_spoofing setting on the firewall zone NICs
Example JSON for “Firewall” Zone
{
"alias": "firewall",
"hostname": "firewall",
"brand": "joyent",
"max_physical_memory": 256,
"image_uuid": "31bc4dbe-5e06-11e1-907c-5bed6b255fd1",
"default_gateway": "192.168.0.1",
"nics": [
{
"nic_tag": "admin",
"ip": "192.168.0.100",
"netmask": "255.255.255.0",
"allow_ip_spoofing": true,
"gateway": "192.168.0.1",
"primary": true
},
{
"nic_tag": "stub0",
"ip": "10.0.0.1",
"netmask": "255.255.255.0",
"allow_ip_spoofing": true,
"gateway": "10.0.0.1"
}
]
}
Example JSON for “Client” Zone/VM
{
"alias": "client",
"hostname": "client",
"brand": "joyent",
"max_physical_memory": 256,
"image_uuid": "31bc4dbe-5e06-11e1-907c-5bed6b255fd1",
"nics": [
{
"nic_tag": "stub0",
"ip": "10.0.0.2",
"netmask": "255.255.255.0",
"gateway": "10.0.0.1"
}
]
}
Create the zone
vmadm create -f firewall.json
vmadm create -f client.json
Log into the zone
zlogin <uuid-of-firewall-zone>
Example /etc/ipf/ipnat.conf
map net0 10.0.0.2/32 -> 0/32
# Uncomment the following line if you want clients to be able to talk to the firewall at its other IP address
#rdr net1 192.168.0.100/32 -> 10.0.0.1
Turn on packet forwarding and ipfilter
routeadm -u -e ipv4-forwarding
svcadm enable ipfilter
ipnat -l