Today I’m going to show you how to break GNS3 out of your virtual world into the real world of the internet.
GNS3 is a great resource for anyone who needs access to live Cisco gear but doesn’t have the money to purchase the hardware. You can create complete network topologies in the isolated safety of the lab. You can configure Network Address Translation (NAT), set up a DMZ with a Cisco ASA and even configure DHCP servers to offer IP addresses to VirtualBox clients.
All of this takes place in a sandbox environment. In other words, there’s no way you can injure your real network because all the activity is confined to the lab. Most of the time this is exactly what you want, but sometimes you may need to connect your virtual computer to the real world.
Wouldn’t it be nice if you could set up a PC such as Windows XP in VirtualBox? Then connect it to a virtual switch which is connected to a virtual Cisco router? And finally configure IP routing in such a way that your Windows XP machine can actually surf the web through all that virtualized gear?
That’s what I’m going to show you how to do today.
There are a few elements we need to set up, but if you follow me closely I’ll show you how to open the door to getting online. The best part is that none of the servers online will have any idea that your client machine is communicating with them from an entirely virtual environment.
The secret to getting online
I’m about to let you in on a little secret. The magic that allows your virtual machines to get online through your virtual equipment is based on a virtual adapter called TunTap.
Every client machine has one or more network adapters. For example, my Macbook Air has a Wireless LAN adapter (en0) that lets me associate with a wireless access point. But I also have a physical USB-to-Ethernet adapter. When I plug this little dongle into my USB port I can attach an Ethernet plug and then get on the wired network.
TunTap is a little piece of software that allows you to have multiple logical adapters. You can assign IP addresses to these adapters and generally use them for testing. By default, the TunTap adapter can’t really do anything useful by itself. But I’m about to show you how we can bridge the TunTap adapter with our real wireless adapter so that we have a virtual bridge to get online.
If all this sounds a little confusing now don’t worry – I’ll clarify as you read.
For now, let’s just start from the beginning and get TunTap.
Go to http://tuntaposx.sourceforge.net/ and download and install TunTap. After installing the package, open a Terminal window (Command + Space, then type "terminal") and run:
ls -l /dev | egrep 'tap|tun'
You should see a bunch of interfaces. If so, bingo you’re good to go.
By the way, you might wonder why you can’t just type:
and search for the interface there. The reason is that the tap interfaces won’t show up until you assign the interface in GNS3. Sounds weird, I know, which is why it causes a lot of confusion.
We’re going to assign the GNS3 interface next.
Assigning the tap interface in GNS3
After installing GNS3, we need to run it as the root user so it can create the first tap interface, tap0. Creating the interface requires root access, so GNS3 must be running as root for this to work.
To launch GNS3 as root, type:
Great, now drag out a new cloud from the devices list in the left pane, right click it and choose Configure.
Expand the cloud group in the left pane then choose the NIO TAP tab in the right pane.
Under TAP interfaces (require root access) type:
Click Add and then choose OK. By the way, if you don’t click Add it won’t work – I’ve made this mistake many times.
Alright, now drag out a network device like an Ethernet switch and then click the Add a link button in the bottom left corner of the GNS3 window to connect any port on your switch to the nio_tap:/dev/tap0 interface of your cloud.
The act of connecting this link causes GNS3 to create a logical tap0 interface on your Mac.
For example, if you type ifconfig now you’ll see a new tap0 interface hanging out at the bottom of your interface list.
This is huge progress because it now means we can connect our Mac to GNS3.
Let me show you what I mean…
Assign an IP address to the tap0 interface:
sudo ifconfig tap0 10.0.0.2/24 up
Now drag out a GNS3 router and connect it to the Ethernet switch you created earlier.
Right click the router, choose Start, then choose Idle-PC. Pick a value with a checkmark next to it. This little step keeps the router from eating up all your CPU resources while it’s running.
Once you set the Idle-PC value, double click the router and press enter until you get to the R1# prompt.
We need to put the interface connected to the switch in the same subnet as the tap0 interface. You can check which interface to configure by expanding your R1 device in the topology summary pane, located along the right side of GNS3.
Here we go:
config t
int fa0/0
ip address 10.0.0.1 255.255.255.0
no shut
do wr
do ping 10.0.0.2
The top window in the graphic shows the result of assigning 10.0.0.2/24 to the tap0 interface on my Mac. The bottom window shows the successful ping to 10.0.0.2 from my virtual router’s fa0/0 interface, assigned 10.0.0.1/24.
Now that we know tap0 works, we can bridge it to our real interface, which is en0 on my Mac.
sudo ifconfig bridge0 create
sudo ifconfig bridge0 addm en0
sudo ifconfig bridge0 addm tap0
sudo ifconfig bridge0 up
Now we need to assign an IP address on your real network to the bridge interface. I find the easiest way to do this is to simply use DHCP. That way you’ll automatically get an unassigned IP address and there’s no need to worry about conflicting IPs on your real network.
sudo ipconfig set bridge0 DHCP
Of course if that doesn’t work you can always manually assign a free IP address too.
sudo ifconfig bridge0 x.x.x.x/y up
Where each x represents a decimal value of your IP address and y is the number of bits in your subnet mask.
You should now be able to ping your bridge0 ip address from R1.
The next step is setting up your default route on R1.
If you do a show ip route you’ll see there’s no default route. This means that if R1 sees a packet destined for a network that isn’t in its routing table, it’ll simply discard it. But we don’t want that. R1 should send any traffic it has no more specific route for toward the internet via your default gateway, reached through your bridge0 interface. So let’s change that.
Back on R1, type:
ip route 0.0.0.0 0.0.0.0 192.168.0.1
This says: “For any packet not in my routing table, route it through my default gateway on my real live network at 192.168.0.1.”
Now configure R1’s fa0/1 interface with an IP address on the bridge0 network.
In the final step, you can configure NAT/PAT on R1 so that the internal network (10.0.0.0/24 in my example) gets translated to your “global” address on the 192.168.0.0/24 subnet.
First, create an access list for all the hosts inside your network. Assuming all your hosts inside the GNS3 network are on the 10.0.0.0/24 subnet, you would type the following on R1:
access-list 1 permit 10.0.0.0 0.0.0.255
This just sets up the rule to match all the hosts on your internal network.
Then go to your inside interface and type:
int fa0/1
ip nat inside
Then go to your external interface and type:
int fa0/0
ip nat outside
exit
Now setup the translation rule:
ip nat inside source list 1 interface fa0/0 overload
That should do the trick.
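As an added example (not from the original post), here is a small Python helper that assembles the whole R1 configuration from the tutorial (interface addresses, NAT inside/outside, the ACL with its wildcard mask, the PAT rule and the default route) and checks the two things that most often go wrong: that tap0 is a free host in the same subnet as R1’s lab-side interface, and that the default gateway is actually reachable from the outside interface. The tutorial assigns 10.0.0.1 to fa0/0, so fa0/0 is treated here as the inside interface and fa0/1 as the real-LAN side; that role assignment, and the static address used in the usage line, are assumptions.

```python
import ipaddress

def wildcard(network):
    """Cisco wildcard mask for an IPv4 network: the inverse of its subnet mask
    (10.0.0.0/24 -> 0.0.0.255), which is what access-list entries expect."""
    return str(ipaddress.ip_network(str(network), strict=True).hostmask)

def build_r1_config(inside_if, inside_ip, outside_if, gateway, tap_ip, outside_ip=None):
    """Return the R1 IOS commands from the tutorial as one consistent list.
    inside_ip is R1's lab-side address with prefix (e.g. "10.0.0.1/24"), tap_ip
    the Mac's tap0 address, outside_ip a static "a.b.c.d/n" or None for DHCP."""
    inside = ipaddress.ip_interface(inside_ip)
    tap = ipaddress.ip_address(tap_ip)
    gw = ipaddress.ip_address(gateway)
    # tap0 on the Mac must be a free host in R1's lab-side subnet, otherwise the
    # "do ping 10.0.0.2" test from the tutorial can never succeed.
    if tap not in inside.network or tap == inside.ip:
        raise ValueError(f"tap0 address {tap} is not a free host in {inside.network}")
    if outside_ip is None:
        outside_lines = [" ip address dhcp"]
    else:
        outside = ipaddress.ip_interface(outside_ip)
        if gw not in outside.network:
            raise ValueError(f"gateway {gw} is not on the outside network {outside.network}")
        outside_lines = [f" ip address {outside.ip} {outside.netmask}"]
    return [
        "config t",
        f"int {inside_if}",
        f" ip address {inside.ip} {inside.netmask}",
        " ip nat inside",
        " no shut",
        f"int {outside_if}",
        *outside_lines,
        " ip nat outside",
        " no shut",
        "exit",
        # The ACL is the NAT match: keep it to the lab subnet only, so nothing
        # else that happens to reach R1 gets translated out onto the real LAN.
        f"access-list 1 permit {inside.network.network_address} {wildcard(inside.network)}",
        f"ip nat inside source list 1 interface {outside_if} overload",
        f"ip route 0.0.0.0 0.0.0.0 {gw}",
        "end",
        "wr",
    ]

# Values from the tutorial: 10.0.0.0/24 lab, tap0 = 10.0.0.2, gateway 192.168.0.1.
R1_CONFIG = build_r1_config("fa0/0", "10.0.0.1/24", "fa0/1", "192.168.0.1", "10.0.0.2")

if __name__ == "__main__":
    print("\n".join(R1_CONFIG))
```

Paste the printed lines into R1’s console; passing a static outside_ip such as "192.168.0.50/24" instead of None produces the manual-address variant.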
Alternatively, another way to get your router out to the internet is to:
- Disable your Wi-Fi adapter
- Plug in the Mac to the network using your Ethernet adapter
- Type ifconfig to get your adapter name: en0, en1 etc…
- Launch GNS3 as root, create a cloud and under the settings for that cloud in the NIO Ethernet tab, choose your Ethernet adapter from the drop down list
- Connect R1 to the cloud using the Add a link tool
- Make the interface connecting R1 to the cloud get an IP from DHCP.
- config t
- int fa0/0
- ip address dhcp
- do ip domain-lookup
This will force the router to get an IP address from the cloud and should let you get out.
I hope this helps. I know this tutorial was a little sloppy and might seem confusing. If so, just leave a comment or shoot me an email and I can help you with the finer details.