Create a NetFoundry Gateway VM on Your Own Equipment

Introduction

This will walk you through the steps required to stand up a NetFoundry gateway VM running on your own equipment. We call this type of gateway "virtual customer premises equipment" (VCPE) as opposed to a VM type that runs on a public cloud platform e.g. Azure.

Before You Begin

Data sessions inside your NetFoundry Network are established outbound from your on-premises gateway to the NetFoundry cloud.  The return path of the data session is utilized to receive data from other endpoints in the network.  As a result, edge firewall configuration is generally not required for full functionality. This method is similar to STUN/TURN.

See Edge Gateway Sizing Guide for information on sizing your gateway VM for required throughput.

Please note that our gateway image has default configuration for deployment with a single network interface. Please consult with customer support if your requirements include a gateway VM with multiple interfaces (multi-homed). The Hyper-V gateway image does not allow multi-homing.

Step 1: Ensure that the Gateway has Access to the Internet

The gateway must be able to reach the NetFoundry Network on the following ports:

Needed one time for initial gateway install/registration to the NetFoundry Network
  • TCP 18443, 49012

For regular gateway connectivity to the NetFoundry Network
  • TCP 80, 443
  • UDP 49002
  • TCP/UDP 5520-5550

Step 2: Choose a Gateway Installation Configuration

Configuration #1 - Single LAN/WAN interface

  • Virtual Interfaces: ONE (1x LAN/WAN - Must have Internet Gateway Reachability)
  • ISP/Public Circuit Aggregation: NO, single interface
  • Firewall: NO, all traffic is forwarded normally unless matching an AppWAN or other configured WAN route
  • Can Support NetFoundry Egress High Availability (HA): YES, When secondary VM is instantiated in the same network
  • Can Support NetFoundry Egress Round Robin (RR): YES, When N+M VMs are instantiated in the same network

Configuration #2 - 1 LAN + 1 WAN interface

  • Virtual Interfaces: TWO (1x WAN, 1x LAN)
  • ISP/Public Circuit Aggregation: NO, Single WAN interface
  • Firewall: NO, all traffic is forwarded normally unless matching an AppWAN or other configured WAN route
  • Can Support NetFoundry Egress High Availability (HA): YES, When secondary VM is instantiated in the same network
  • Can Support NetFoundry Egress Round Robin (RR): YES, When N+M VMs are instantiated in the same network

Configuration #3 - 1 LAN + 2 WAN interfaces

  • Virtual Interfaces: THREE (2x WAN, 1x LAN)
  • ISP/Public Circuit Aggregation: YES, Per-packet balancing and throughput aggregation over all available circuits (auto-failover)
  • Firewall: NO, all traffic is forwarded normally unless matching an AppWAN or other configured WAN route
  • Can Support NetFoundry Egress High Availability (HA): YES, When secondary VM is instantiated in the same network
  • Can Support NetFoundry Egress Round Robin (RR): YES, When N+M VMs are instantiated in the same network

Step 3: Download a NetFoundry Gateway VM Image

Select the correct image from the NetFoundry Downloads page:

  • VMware: VMDK disk, VMware specific ovf file. open-vm-tools is installed.
  • Virtualbox: VMDK disk, VirtualBox specific ovf file.
  • KVM: QCOW2 disk with README file
  • Hyper-V: Gen1 VHD disk with README file
  • RAW: compressed .img disk image

Installing the Gateway Software

You must use the host console to configure the VM:
  • Login credentials are: "nfadmin" / "nfadmin" or may require SSH pubkey authorization through the first-boot configuration management.

Step 1: Launch the IP Configuration Tool

The default image contains configuration for a single interface, called "eth0". If you add another interface, it will follow the naming schema "eth[n]", where [n] is incremented numerically.

CentOS provides a simple interface called "Network Manager Text User Interface" (nmtui) that can be used to configure the local interfaces.

A static assigned LAN IP or DHCP reservation is mandatory to ensure that the Gateway is always reachable by devices in the network.

Launch the tool by running "sudo nmtui":

> sudo nmtui

Step 2: Configure Network Interfaces

Modify IP/Network/Routes/DNS/etc configurations as needed for each network interface.

Requirements

  1. You MUST have a valid Internet Gateway IP and DNS resolver configuration for at least one interface for registration to succeed.
  2. If assigning a static IP within the "Edit Connection" screen of "nmtui", you must use CIDR notation to also specify the network prefix. For example, "10.1.1.4/24" means the IP address is 10.1.1.4 with a 255.255.255.0 netmask.  If you do not include the network prefix, the system will assume it to be /32. Refer to this TechTarget article for more information.
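The second requirement is easy to get wrong in the nmtui screen, so here is a small check script you can run before committing a static address. It is an added example and not part of the article; the addresses it is fed are constructed sample values, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not part of the article: check an address before typing it
# into nmtui's "Edit Connection" screen. nmtui takes "address/prefix"; with
# the prefix left off it assumes /32, so the gateway would see no other host
# on its own subnet. Addresses passed in are constructed sample values.

# Prefix length (0-32) to dotted-quad netmask, e.g. 24 -> 255.255.255.0
prefix_to_netmask() {
    local prefix=$1 mask
    case $prefix in ''|*[!0-9]*) echo "invalid prefix length: '$prefix'" >&2; return 1 ;; esac
    [ "$prefix" -le 32 ] || { echo "prefix length out of range: $prefix" >&2; return 1; }
    # 'prefix' one-bits followed by zero-bits, kept to 32 bits wide
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
                           $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# Four decimal octets, each in the range 0-255.
valid_ipv4() {
    local old_ifs=$IFS oct
    IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
}

# Validate "address/prefix" as nmtui expects it. Prints the address and the
# netmask it implies; returns 1 with a warning when the prefix is missing or
# any part is malformed.
check_static_addr() {
    local spec=$1 addr prefix mask
    case $spec in
        */*) addr=${spec%%/*}; prefix=${spec#*/} ;;
        *)   echo "warning: '$spec' has no prefix length; nmtui would treat it as /32" >&2; return 1 ;;
    esac
    valid_ipv4 "$addr" || { echo "invalid IPv4 address in '$spec'" >&2; return 1; }
    mask=$(prefix_to_netmask "$prefix") || return 1
    printf '%s netmask %s\n' "$addr" "$mask"
}

# Example: check_static_addr 10.1.1.4/24   -> 10.1.1.4 netmask 255.255.255.0
```

Run `check_static_addr` on the exact string you intend to enter; a non-zero exit with a warning means nmtui would silently give the interface a /32 and the gateway would not be reachable from its own LAN.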

Configuration 1 (default)

Single Interface, must be able to reach Internet.

  1. eth0 = Both LAN & WAN

Configuration 2

Two interfaces: 1 LAN + 1 WAN
  1. eth0 = WAN1
  2. eth1 = LAN1

If your LAN interface has access to other subnetworks, please ensure you add the routes in the "Edit Connection" screen under the field "Routing".

Configuration 3

Three interfaces: 1 LAN + 2 WAN

  1. eth0 = WAN1
  2. eth1 = WAN2
  3. eth2 = LAN1

If you add a secondary interface for WAN (with an Internet accessible default Gateway), please select the option for "Automatically Connect" within the options screen of the WAN2 interface.

Step 3: Configuring VTC

This step is only needed for installation options 2 & 3.

The VTC client needs to know which interface will act as the "trusted" interface.  In our example installation options, the "trusted" interface will always be the LAN interface.

Edit the VTC configuration file

> sudo vi /opt/dispersive/dvn/cfg/vtc_local.json

Find the key "trusted_nic"

The default value is "eth0". Update the value to match your configuration option:

  • If configuration 2, use value "eth1"
  • If configuration 3, use value "eth2"

Save your changes & restart the dvn service

> sudo systemctl restart dvn

Step 4: Configuring Firewalld

This step is only needed for installation options 2 & 3.

Firewalld is configured by default to only allow traffic to flow from eth0 to eth0.

Configuration options 2 & 3 require a change to allow traffic from the LAN to the WAN ports.

Configuration 2: 1 LAN + 1 WAN interfaces

> sudo rm -f /etc/firewalld/direct.xml
> sudo firewall-cmd --zone=drop --permanent --add-interface=eth1
> sudo firewall-cmd --zone=drop --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -j ACCEPT
> sudo systemctl restart firewalld

Configuration 3: 1 LAN + 2 WAN interfaces

> sudo rm -f /etc/firewalld/direct.xml
> sudo firewall-cmd --zone=drop --permanent --add-interface=eth1
> sudo firewall-cmd --zone=drop --permanent --add-interface=eth2
> sudo firewall-cmd --zone=drop --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth2 -o eth0 -j ACCEPT
> sudo firewall-cmd --zone=drop --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth2 -o eth1 -j ACCEPT
> sudo systemctl restart firewalld
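Steps 3 and 4 both hinge on which interface is the LAN: the VTC "trusted_nic" and the source interface of the FORWARD rules must be the same NIC, and a typo in either one leaves the gateway forwarding nothing or forwarding from the wrong side. The script below is an added example, not NetFoundry's tooling, that applies both steps from one set of arguments. The file path, key name and firewall-cmd invocations are those given above; the `run`, `apply_multi_nic` and other function names are mine, and the JSON used in the check is constructed.

```bash
#!/usr/bin/env bash
# Added example, not NetFoundry's own tooling: apply Step 3 (trusted_nic in
# vtc_local.json) and Step 4 (firewalld zone and FORWARD rules) together for
# a multi-interface gateway, so the VTC trusted interface and the LAN->WAN
# forwarding rules always name the same LAN interface. Path, key name and
# firewall-cmd invocations come from the article. Run as root to apply, or
# with DRY_RUN=1 (as any user) to print the plan instead.

VTC_CFG=${VTC_CFG:-/opt/dispersive/dvn/cfg/vtc_local.json}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse interface names that do not exist on this host (skipped in dry-run
# so the plan can be reviewed on another machine).
require_iface() {
    if [ "$DRY_RUN" != 1 ] && [ ! -e "/sys/class/net/$1" ]; then
        echo "no such interface: $1" >&2; return 1
    fi
}

# Print the current "trusted_nic" value from a vtc_local.json file.
get_trusted_nic() {
    sed -n 's/.*"trusted_nic"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Rewrite only the "trusted_nic" value (a .bak copy of the file is kept)
# and verify that the change took effect.
set_trusted_nic() {
    local file=$1 nic=$2
    sed -i.bak "s/\(\"trusted_nic\"[[:space:]]*:[[:space:]]*\"\)[^\"]*\"/\1$nic\"/" "$file"
    [ "$(get_trusted_nic "$file")" = "$nic" ] || { echo "trusted_nic not updated in $file" >&2; return 1; }
}

# firewalld changes for one LAN interface followed by one or more WAN
# interfaces. Mirrors the article's commands: every interface other than
# eth0 joins the drop zone, and a direct FORWARD rule accepts traffic from
# the LAN towards each WAN. Configuration 2 is "eth1 eth0";
# configuration 3 is "eth2 eth0 eth1".
configure_firewalld() {
    local lan=$1 iface wan; shift
    run rm -f /etc/firewalld/direct.xml
    for iface in "$@" "$lan"; do
        [ "$iface" = eth0 ] || run firewall-cmd --zone=drop --permanent --add-interface="$iface"
    done
    for wan in "$@"; do
        run firewall-cmd --zone=drop --permanent --direct --add-rule ipv4 filter FORWARD 0 -i "$lan" -o "$wan" -j ACCEPT
    done
    run systemctl restart firewalld
}

# Apply both steps: LAN interface first, then the WAN interface(s).
apply_multi_nic() {
    local lan=$1 iface; shift
    for iface in "$lan" "$@"; do require_iface "$iface" || return 1; done
    if [ "$DRY_RUN" = 1 ]; then
        printf 'set "trusted_nic" to "%s" in %s\n' "$lan" "$VTC_CFG"
    else
        set_trusted_nic "$VTC_CFG" "$lan" || return 1
    fi
    run systemctl restart dvn
    configure_firewalld "$lan" "$@"
}

# Uncomment to use as a script, e.g.  DRY_RUN=1 ./multinic.sh eth2 eth0 eth1
# apply_multi_nic "$@"
```

Review the dry-run output against the command lists above before applying; the only difference between configuration 2 and 3 is the argument list, which is the point of keeping both steps in one place.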

Step 5: Reboot and Validate

Ensure that your machine comes up with the correct configuration after a reboot.

Check IP/Network configurations for validity

> ifconfig -a

Check the default gateway on both WAN1 and WAN2 (or LAN1 if using configuration 1)

> route -n

Check the DNS settings for validity

> ping netfoundry.io
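The three checks above (routes, default gateway per WAN, DNS) together with the port list from Step 1 make a natural preflight script. The one below is an added example and not part of the article. It assumes the net-tools `route -n` output format the article itself uses, that either `nc` or bash is present for the TCP probe, and that you set `NF_CHECK_HOST` (a placeholder; the article does not name the endpoint host) to the NetFoundry host you register against. The function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the NetFoundry article: a preflight check that
# covers Step 5 (default routes, DNS) and the outbound TCP ports from the
# Step 1 table. Assumes net-tools `route -n` (as the article uses) and
# either `nc` or bash for the TCP probe. NF_CHECK_HOST is a placeholder for
# the NetFoundry endpoint host, which the article does not name.

# Read `route -n` output on stdin and print "iface gateway" for every
# default route (destination 0.0.0.0), one per line.
default_gateways() {
    awk '$1 == "0.0.0.0" { print $8, $2 }'
}

# Exit 0 if the interface named in $1 has a default route in the
# `route -n` output read from stdin.
has_default_route() {
    default_gateways | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Expand a port list such as "80 443 5520-5550" to one port per line.
expand_ports() {
    local tok lo hi p
    for tok in "$@"; do
        case $tok in
            *-*) lo=${tok%-*}; hi=${tok#*-}; p=$lo
                 while [ "$p" -le "$hi" ]; do echo "$p"; p=$((p + 1)); done ;;
            *)   echo "$tok" ;;
        esac
    done
}

# DNS check: the configured resolver must answer for the name in $1.
check_dns() {
    getent hosts "$1" >/dev/null 2>&1
}

# Outbound TCP connect to host $1 port $2 with a 3 second timeout.
check_tcp() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# Run every check for the WAN interfaces given as arguments. Prints one
# line per check and returns non-zero if any check failed.
run_checks() {
    local wan p rc=0
    for wan in "$@"; do
        if route -n | has_default_route "$wan"; then echo "ok: default route on $wan"
        else echo "FAIL: no default route on $wan"; rc=1; fi
    done
    if check_dns netfoundry.io; then echo "ok: DNS resolves netfoundry.io"
    else echo "FAIL: DNS resolution"; rc=1; fi
    # UDP ports (49002, 5520-5550) cannot be verified with a connect test.
    if [ -n "${NF_CHECK_HOST:-}" ]; then
        for p in $(expand_ports 18443 49012 80 443 5520-5550); do
            if check_tcp "$NF_CHECK_HOST" "$p"; then echo "ok: tcp/$p"
            else echo "FAIL: tcp/$p blocked or unreachable"; rc=1; fi
        done
    else
        echo "skip: set NF_CHECK_HOST to probe the outbound TCP ports"
    fi
    return $rc
}

# Uncomment to use as a script, e.g.  NF_CHECK_HOST=<host> ./preflight.sh eth0 eth1
# run_checks "$@"
```

Pass the WAN interface names for your configuration (`eth0` alone for configuration 1, `eth0 eth1` for configuration 3). A failed port probe usually points at an upstream firewall rather than the VM, which is the first thing to rule out before retrying registration.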

Step 6: Register the Gateway

Register the gateway with your NetFoundry Network to enable it to be provisioned and used. The Registration Key is obtained using the Console, by creating a new gateway. The Registration Key will appear on screen once it is created.

Register the gateway to your NetFoundry Network

Look for errors in the registration process output, or "Success" if registration completes successfully.

> sudo nfnreg [one time registration key]

Validate that the VM is now active on the NetFoundry Network

The output should report "ACTIVE".

> sudo systemctl status dvn.service 

Troubleshooting Registration

Locating the registration logs on the gateway

See the Support Hub article: Troubleshoot client and gateway registration errors.

Recommended Next Steps

Update the YUM package management system

> sudo yum clean metadata && sudo yum update

Ensure you change the password for the "nfadmin" and "root" user accounts, per your company guidelines.

> sudo passwd nfadmin
> sudo passwd root

Should you require RADIUS, please contact NetFoundry.

Enable key-based SSH authentication

If you wish to setup key-based SSH authentication, use the "/home/nfadmin/.ssh/authorized_keys" file and add your public key.

Turning off password login in "/etc/ssh/sshd_config" is optional but highly recommended.
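The order of those two actions matters: disabling password login before a working key is in place locks you out of the console-less VM. The script below, an added example rather than anything from the article, installs the key with the permissions sshd requires and only then rewrites the `PasswordAuthentication` directive. The default paths are the article's; the function names are mine, and the sample key and config lines used to exercise it are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the article: install a public key for nfadmin and
# turn off password logins in sshd_config, but only once a key is actually in
# authorized_keys, so the change cannot lock you out. Both file paths are
# parameters; the defaults are the article's locations.

AUTH_KEYS=${AUTH_KEYS:-/home/nfadmin/.ssh/authorized_keys}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# Append a public key line (idempotently) and set the permissions sshd
# requires: 700 on the .ssh directory, 600 on authorized_keys.
install_pubkey() {
    local keyfile=$1 pubkey=$2 dir
    dir=$(dirname "$keyfile")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$keyfile" && chmod 600 "$keyfile"
    grep -qxF -- "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
}

# True if authorized_keys holds at least one key line of a common type.
has_pubkey() {
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$1" 2>/dev/null
}

# Effective PasswordAuthentication value in a config (last directive wins;
# OpenSSH defaults to yes when the directive is absent).
password_auth_setting() {
    awk 'tolower($1) == "passwordauthentication" { v = $2 }
         END { print (v == "" ? "yes (default)" : v) }' "$1"
}

# Set "PasswordAuthentication no": rewrite any existing directive, commented
# or not, otherwise append one. Refuses to proceed without a key in place.
disable_password_login() {
    local cfg=$1 keyfile=$2
    has_pubkey "$keyfile" || { echo "refusing: no public key found in $keyfile" >&2; return 1; }
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
        sed -i.bak -E 's/^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$cfg"
    else
        printf 'PasswordAuthentication no\n' >> "$cfg"
    fi
    [ "$(password_auth_setting "$cfg")" = no ]
}

# Full procedure against the real files: needs root, and sshd must be
# restarted afterwards (systemctl restart sshd) for the change to apply.
harden_ssh() {
    local pubkey=$1
    install_pubkey "$AUTH_KEYS" "$pubkey"
    disable_password_login "$SSHD_CONFIG" "$AUTH_KEYS"
    # sshd -t checks the syntax of a config file without applying it
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$SSHD_CONFIG"; fi
}

# Uncomment to use as a script:  ./harden_ssh.sh "$(cat mykey.pub)"
# harden_ssh "$1"
```

Point `AUTH_KEYS` and `SSHD_CONFIG` at copies in a scratch directory to see what the script changes before running it on the gateway. Note that the `sed` rewrite touches every `PasswordAuthentication` line, including any inside a `Match` block, so review the result if your config has per-user overrides, and keep your console session open until a key login has been confirmed.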

Comments

  • Most of the steps in "Step 3: VTC & firewalld configuration for multi-nic deployments" have to be run as root, or have "sudo" in front of the commands.
