Launch a NetFoundry vCPE gateway on a hypervisor

Introduction

This install guide will walk you through the steps required to stand up a NetFoundry Gateway VM on a local virtualization platform.

Before you begin

Data sessions in the NetFoundry Network are established outbound to the NetFoundry Cloud.  The return path of the data session is utilized to receive data from other endpoints in the network.  As a result, edge firewall configuration is generally not required for full functionality.  This method is similar to STUN/TURN.

Step 1: Ensure that the gateway has access to the Internet on the following ports.

For gateway install/registration to the NetFoundry Network

TCP 18443, TCP 49012

For gateway connectivity to the NetFoundry Network

TCP 80, TCP 443, UDP 49002, TCP/UDP 5520-5550  
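The following pre-flight script is an added example, not a NetFoundry tool: it attempts outbound TCP connects on the ports listed above so that a blocked egress path is discovered before registration is attempted. The target host name `NF_TARGET` is a placeholder assumption (the page does not name the endpoint); the UDP ports can only be listed, since a TCP connect cannot exercise them.

```shell
#!/usr/bin/env bash
# Added pre-flight check; not a NetFoundry tool. Attempts outbound TCP connects on
# the ports listed above so a blocked egress path is found before registration.
# NF_TARGET is a placeholder (assumed): set it to the NetFoundry endpoint your
# network is told to reach. UDP ports cannot be tested with a TCP connect.

NF_TARGET="${NF_TARGET:-nf-endpoint.example}"   # placeholder, not a real host

# Ports required for a phase ("registration" or "connectivity"), one "proto port" per line.
required_ports() {
  case "$1" in
    registration) printf '%s\n' "tcp 18443" "tcp 49012" ;;
    connectivity) printf '%s\n' "tcp 80" "tcp 443" "udp 49002" "tcp 5520-5550" "udp 5520-5550" ;;
    *) echo "unknown phase: $1" >&2; return 2 ;;
  esac
}

# Try a TCP connect to host:port with a 3 second limit; 0 = reachable.
# bash's /dev/tcp is used so the check needs no nc or nmap on the appliance.
check_tcp() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check every port of a phase; returns the number of TCP ports that failed.
check_phase() {
  phase="$1"; failed=0
  while read -r proto port; do
    case "$proto:$port" in
      tcp:*-*) echo "SKIP  tcp $port: range, test the individual ports you are allowed to use" ;;
      tcp:*)
        if check_tcp "$NF_TARGET" "$port"; then
          echo "OK    tcp $port -> $NF_TARGET"
        else
          echo "FAIL  tcp $port -> $NF_TARGET"; failed=$((failed + 1))
        fi ;;
      udp:*) echo "INFO  udp $port: not testable with a TCP connect, verify on the firewall" ;;
    esac
  done <<EOF
$(required_ports "$phase")
EOF
  return "$failed"
}

# Usage: ./egress-check.sh run   (the argument guard keeps sourcing side-effect free)
if [ "${1:-}" = "run" ]; then
  rc=0
  check_phase registration || rc=1
  check_phase connectivity || rc=1
  exit "$rc"
fi
```

Run it from the gateway console before Step 5 of the installation; any FAIL line points at a firewall or routing problem on the egress path, and the UDP lines are a reminder of what still has to be confirmed on the site firewall.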

Step 2: Choose a gateway capacity

Use these recommendations when allocating CPU, RAM, and disk storage to the virtual machine instances that run the NetFoundry Gateway on a hypervisor.

Reference CPU - Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz

NOTE - NetFoundry recommends a physical to logical (1:1) association for network interfaces.

Usage Level: LOW-MED, 100 Simultaneous Data Sessions, 100-200 Mbps Throughput

  • CPU Cores: 4
  • Memory RAM: 4 GBytes
  • Disk Storage: 8 GBytes
  • Interface Options (See Step 3): Configuration #1 or #2 or #3

Usage Level: MED, 500 Simultaneous Data Sessions, 500 Mbps Throughput

  • CPU Cores: 8
  • Memory RAM: 6 GBytes
  • Disk Storage: 20 GBytes
  • Interface Options (See Step 3): Configuration #2 or #3 (Recommended)

Usage Level: HIGH, 1000+ Simultaneous Data Sessions, 500+ Mbps Throughput

  • CPU Cores: 10
  • Memory RAM: 8 GBytes
  • Disk Storage: 20 GBytes 
  • Interface Options (See Step 3): Configuration #2 or #3 (Recommended)

Step 3: Choose a gateway installation configuration

Configuration #1 - Single LAN/WAN interface

  • Virtual Interfaces: ONE (1x LAN/WAN - Must have Internet Gateway Reachability)
  • ISP/Public Circuit Aggregation: NO, Single WAN interface
  • Firewall Support: NO, LAN interface expected to be behind site firewall
  • Can Support NetFoundry Egress High Availability (HA): YES, When secondary VM is instantiated in the same network
  • Can Support NetFoundry Egress Round Robin (RR): YES, When N+M VMs are instantiated in the same network

 

Configuration #2 - 1 LAN + 1 WAN interface

  • Virtual Interfaces: TWO (1x WAN, 1x LAN)
  • ISP/Public Circuit Aggregation: NO, Single WAN interface
  • Firewall Support: YES, Applied to WAN interface only, Egress traffic permitted only, No NAT allowed from LAN interface
  • Can Support NetFoundry Egress High Availability (HA): YES, When secondary VM is instantiated in the same network
  • Can Support NetFoundry Egress Round Robin (RR): YES, When N+M VMs are instantiated in the same network

Configuration #3 - 1 LAN + 2 WAN interfaces

  • Virtual Interfaces: THREE (2x WAN, 1x LAN)
  • ISP/Public Circuit Aggregation: YES, Per-packet balancing and throughput aggregation over all available circuits (auto-failover)
  • Firewall Support: YES, Applied to WAN interfaces only, Egress traffic permitted only, No NAT allowed from LAN interface
  • Can Support NetFoundry Egress High Availability (HA): YES, When secondary VM is instantiated in the same network
  • Can Support NetFoundry Egress Round Robin (RR): YES, When N+M VMs are instantiated in the same network

Step 4: Download a NetFoundry Gateway VM image

Select the correct image from the NetFoundry Downloads page:

  • VMware: VMDK disk, VMware specific ovf file.  open-vm-tools is installed.
  • Virtualbox: VMDK disk, VirtualBox specific ovf file.
  • KVM: QCOW2 disk with ReadMe file
  • Hyper-V: Gen1 VHD disk with ReadMe file

Installing the gateway software

You must use the host console to configure the VM:
  • The current generation login credentials are: "nfadmin" / "nfadmin"
  • The previous credentials were: "nfn" / "initpass1"

Step 1: Launch the IP configuration tool

The default image contains configuration for a single interface, called "eth0". 

If you add another interface, please note they will follow the naming schema "ethX", where X is incremented numerically. 

A statically assigned LAN IP or a DHCP reservation is mandatory to ensure that the Gateway is always reachable by devices in the network.

CentOS provides an easy interface called "Network Manager Text User Interface" that can be used to configure the local interfaces.

Launch the tool by running "sudo nmtui":

> sudo nmtui

Step 2: Configure network interfaces

Modify the IP/Network/Routes/DNS/Etc. as needed for each network interface. 

Requirements

  1. You MUST have a valid Internet Gateway IP and DNS resolver configuration for at least one interface for registration to succeed.
  2. If assigning a static IP within the "Edit Connection" screen of "nmtui", you must use CIDR notation to also specify the network prefix. For example, "10.1.1.4/24" means the IP address is 10.1.1.4 with a 255.255.255.0 netmask.  If you do not include the network prefix, the system will assume it to be /32. Refer to this TechTarget article for more information. 
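The helper below is an added example, not part of the NetFoundry image or of nmtui: it checks an address the way you would type it into the "Edit Connection" screen, rejects malformed addresses, warns when the prefix is missing (the /32 assumption described in requirement 2), and prints the netmask the prefix implies.

```shell
#!/bin/sh
# Added helper (not part of the NetFoundry image): checks the address you intend
# to type into the nmtui "Edit Connection" screen and shows the netmask the
# prefix implies, so a missing prefix (which nmtui treats as /32) is caught first.

# Convert a prefix length (0-32) to a dotted netmask, e.g. 24 -> 255.255.255.0
prefix_to_netmask() {
  bits="$1"; mask=""
  for i in 1 2 3 4; do
    if [ "$bits" -ge 8 ]; then
      octet=255; bits=$((bits - 8))
    else
      octet=$(( (255 << (8 - bits)) & 255 )); bits=0
    fi
    mask="${mask}${mask:+.}${octet}"
  done
  echo "$mask"
}

# 0 if the argument is a decimal octet in 0-255.
valid_octet() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 255 ]
}

# Check a static address as it would be entered in nmtui. Prints a verdict line.
# Returns 0 when the address carries a usable prefix, 1 otherwise.
check_static_address() {
  addr="$1"
  case "$addr" in
    */*) ip="${addr%/*}"; prefix="${addr#*/}" ;;
    *)   ip="$addr"; prefix="" ;;
  esac
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  if [ "$#" -ne 4 ] || ! valid_octet "$1" || ! valid_octet "$2" \
     || ! valid_octet "$3" || ! valid_octet "$4"; then
    echo "INVALID  $addr: not an IPv4 address"; return 1
  fi
  if [ -z "$prefix" ]; then
    echo "WARNING  $addr: no prefix given; nmtui would assume /32 (netmask 255.255.255.255), so no LAN neighbours would be reachable"
    return 1
  fi
  case "$prefix" in
    ''|*[!0-9]*) echo "INVALID  $addr: prefix must be numeric"; return 1 ;;
  esac
  if [ "$prefix" -gt 32 ]; then
    echo "INVALID  $addr: prefix exceeds /32"; return 1
  fi
  echo "OK       $ip with netmask $(prefix_to_netmask "$prefix")"
}
```

Call `check_static_address 10.1.1.4/24` for each interface you plan to configure; the page's own example yields "OK 10.1.1.4 with netmask 255.255.255.0", while `check_static_address 10.1.1.4` produces the /32 warning.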

Configuration 1 (default)

Single Interface, must be able to reach Internet.

  1. eth0 = Both LAN & WAN

Configuration 2

Two interfaces: 1 LAN + 1 WAN
  1. eth0 = WAN1
  2. eth1 = LAN1

If your LAN interface has access to other subnetworks, please ensure you add the routes in the "Edit Connection" screen under the field "Routing".

Configuration 3

Three interfaces: 1 LAN + 2 WAN

  1. eth0 = WAN1
  2. eth1 = WAN2
  3. eth2 = LAN1

If you add a secondary interface for WAN (with an Internet accessible default Gateway), please select the option for "Automatically Connect" within the options screen of the WAN2 interface. 

Step 3: VTC & firewalld configuration for multi-nic deployments

This step is only needed for installation options 2 & 3.

VTC

The VTC client needs to know which interface will act as the "trusted" interface.  In our example installation options, the "trusted" interface will always be the LAN interface.

1. Edit the vtc configuration file

vi /opt/dispersive/dvn/cfg/vtc_local.json

2. Find the key "trusted_nic"

The default value is "eth0". Update the value to match your configuration option:

  • If configuration 2, use value "eth1"
  • If configuration 3, use value "eth2"

3. Save your changes & restart the dvn service

systemctl restart dvn

FirewallD

Firewalld is configured by default to only allow traffic to flow from eth0 to eth0. Configuration options 2 & 3 require a change to allow traffic from the LAN to the WAN ports.

1. Add all interfaces into the DVN Zone

Configuration 2

> firewall-cmd --zone=dvn --permanent --add-interface=eth1

Configuration 3

> firewall-cmd --zone=dvn --permanent --add-interface=eth1
> firewall-cmd --zone=dvn --permanent --add-interface=eth2

2. Adjust the direct firewall rules to allow forwarding

Configuration 2

> rm -f /etc/firewalld/direct.xml
> firewall-cmd --zone=dvn --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -j ACCEPT

Configuration 3

> rm -f /etc/firewalld/direct.xml
> firewall-cmd --zone=dvn --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth2 -o eth0 -j ACCEPT
> firewall-cmd --zone=dvn --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth2 -o eth1 -j ACCEPT

3. Restart firewalld for the changes to take effect

systemctl restart firewalld
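The script below is an added example, not NetFoundry's tooling: it derives the trusted NIC, the dvn-zone interfaces and the FORWARD rules for installation configuration 2 or 3 from the tables in this step, verifies the value in `vtc_local.json`, and prints (or, with `RUN=1`, executes) the same `firewall-cmd` sequence shown above so the two configurations cannot be mixed up. The `vtc_local.json` path is the one given in the article; that the key is stored as a plain JSON string `"trusted_nic": "ethN"` is an assumption.

```shell
#!/bin/sh
# Added helper (not NetFoundry's tooling): derives the trusted NIC and firewalld
# forwarding rules for installation configuration 2 or 3 from the tables above,
# checks vtc_local.json, and either prints or applies the firewall-cmd calls.
# The vtc_local.json path is the one given in the article; the key is assumed to
# be a plain JSON string "trusted_nic": "ethN".

VTC_CFG="${VTC_CFG:-/opt/dispersive/dvn/cfg/vtc_local.json}"

# LAN (trusted) interface for a configuration number.
trusted_nic_for_config() {
  case "$1" in
    1) echo eth0 ;;
    2) echo eth1 ;;
    3) echo eth2 ;;
    *) echo "unsupported configuration: $1" >&2; return 2 ;;
  esac
}

# Interfaces besides eth0 that must join the dvn zone, one per line.
extra_zone_interfaces() {
  case "$1" in
    1) ;;
    2) echo eth1 ;;
    3) printf '%s\n' eth1 eth2 ;;
    *) return 2 ;;
  esac
}

# FORWARD rules as "in_if out_if" pairs: LAN -> each WAN only, never WAN -> LAN.
forward_rules_for_config() {
  case "$1" in
    2) echo "eth1 eth0" ;;
    3) printf '%s\n' "eth2 eth0" "eth2 eth1" ;;
    *) return 2 ;;
  esac
}

# Read the trusted_nic value out of a vtc_local.json file (assumed string value).
read_trusted_nic() {
  sed -n 's/.*"trusted_nic"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 if the file's trusted_nic matches the configuration, 1 otherwise.
check_trusted_nic() {   # args: config_number file
  want="$(trusted_nic_for_config "$1")" || return 2
  have="$(read_trusted_nic "$2")"
  if [ "$have" = "$want" ]; then
    echo "OK    trusted_nic=$have"
  else
    echo "FIX   trusted_nic is '${have:-unset}', expected '$want' for configuration $1"; return 1
  fi
}

# Execute the command when RUN=1 (run as root or via sudo), otherwise print it.
run_cmd() {
  if [ "${RUN:-0}" = "1" ]; then "$@"; else echo "+ $*"; fi
}

# Emit (or apply) the firewalld changes for a configuration, in the article's order.
apply_firewall_config() {
  cfg="$1"
  extra_zone_interfaces "$cfg" | while read -r ifname; do
    run_cmd firewall-cmd --zone=dvn --permanent --add-interface="$ifname"
  done
  run_cmd rm -f /etc/firewalld/direct.xml
  forward_rules_for_config "$cfg" | while read -r in_if out_if; do
    run_cmd firewall-cmd --zone=dvn --permanent --direct --add-rule ipv4 filter FORWARD 0 \
      -i "$in_if" -o "$out_if" -j ACCEPT
  done
  run_cmd systemctl restart firewalld
}
```

Typical use on a configuration 3 gateway is `check_trusted_nic 3 "$VTC_CFG"` after editing the file and `apply_firewall_config 3` to review the commands, then `RUN=1 apply_firewall_config 3` as root to apply them. Only LAN-to-WAN forwarding is generated, which keeps the "egress traffic permitted only" property from the configuration tables.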

Step 4: Reboot and Validate

Ensure that your machine comes up with the correct configuration after a reboot.

1. Check IP/Network configurations for validity

> ifconfig -a

2. Check the default gateway on both WAN1 and WAN2 (or LAN1 if using Option #1)

> route -n

3. Check the DNS settings for validity

> ping netfoundry.io

Step 5: Register the gateway

Register the gateway with your NetFoundry Network to enable it to be provisioned and used. The registration key is obtained using the Console, by creating a new gateway. The registration key will appear on screen once it is created.

1. Register the gateway to your NetFoundry Network

Look for errors in the registration process output, or "Success" if registration completes successfully.

> sudo nfnreg [key]

2. Validate that the VM is now active on the NetFoundry Network

The output should report "ACTIVE".

> sudo systemctl status dvn.service 

Troubleshooting Registration

Locating the registration logs on the gateway

TBD @nick

See the Support Hub article: Troubleshoot client and gateway registration errors.

Recommended next steps

1. Update the YUM package management system

> sudo yum clean metadata && sudo yum update

2. Ensure you change the password for the "nfadmin" and "root" user accounts, per your company guidelines.

> sudo passwd nfadmin
> sudo passwd root

Should you require RADIUS, please contact NetFoundry.

3. Enable key-based SSH authentication

If you wish to set up key-based SSH authentication, add your public key to the "/home/nfadmin/.ssh/authorized_keys" file.

You may optionally turn off password login in "/etc/sshd/sshd_config", which is highly recommended.
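The audit helper below is an added example, not part of the image: it confirms that the authorized_keys file is present, non-empty and not group- or world-writable (sshd ignores a writable file when StrictModes is on), and that the sshd configuration disables password and challenge-response logins. Both paths are passed as arguments so the checks can be run against a copy; on CentOS the stock OpenSSH configuration file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added audit helper (not part of the NetFoundry image): verifies the SSH
# hardening recommended above. File paths are arguments so the check can run
# on a copy of the configuration as well as on the live gateway.

# Effective value of an sshd_config keyword: the first match wins, as sshd applies it.
sshd_option() {   # args: file keyword ; prints the value or nothing
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# 0 if PasswordAuthentication is explicitly "no" in the given config file.
password_login_disabled() {
  [ "$(sshd_option "$1" PasswordAuthentication)" = "no" ]
}

# 0 if ChallengeResponseAuthentication is also "no" (PAM can otherwise still
# prompt for a password even with PasswordAuthentication off).
challenge_response_disabled() {
  [ "$(sshd_option "$1" ChallengeResponseAuthentication)" = "no" ]
}

# 0 if the authorized_keys file exists, is non-empty, and has no group/other write bit.
authorized_keys_ok() {
  f="$1"
  [ -s "$f" ] || return 1
  mode="$(stat -c %a "$f")" || return 1
  go="${mode#"${mode%??}"}"          # last two octal digits: group and other
  case "$go" in
    [2367]?|?[2367]) return 1 ;;     # a write bit is set for group or other
  esac
  return 0
}

# Print one line per check; returns the number of failed checks.
ssh_hardening_report() {   # args: sshd_config authorized_keys
  failed=0
  for check in password_login_disabled challenge_response_disabled; do
    if "$check" "$1"; then echo "OK    $check"; else echo "FAIL  $check"; failed=$((failed + 1)); fi
  done
  if authorized_keys_ok "$2"; then echo "OK    authorized_keys_ok"; else echo "FAIL  authorized_keys_ok"; failed=$((failed + 1)); fi
  return "$failed"
}
```

Run `ssh_hardening_report /etc/ssh/sshd_config /home/nfadmin/.ssh/authorized_keys` on the gateway after adding your key; do not disable password login until `authorized_keys_ok` passes and a key-based login has been tested from a second session, or you can lock yourself out of the VM and have to fall back to the host console.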

 


Comments

1 comment

  • Most of the step: "Step 3: VTC & firewalld configuration for multi-nic deployments" has to be run as root, or have "sudo" in front of the commands.
