OVN Test
# This script sets up an OVN-based tenant network that reaches the internet through the host
# using Windows NAT (New-NetNat).
# Warning:
# Before running this script make sure that the network 192.168.137.0/24 is not already in use on this host.
# If a Windows NAT network is already configured, remove it first: Get-NetNat must return nothing.
# Preparations:
# 1. install Cloudbase OpenVSwitch
# 2. change the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovn-northd\ImagePath:
# --ovnsb-db=unix:"C:\ProgramData\openvswitch\ovnnb_db.sock" should become --ovnsb-db=unix:"C:\ProgramData\openvswitch\ovnsb_db.sock"
# (this is required because without it the southbound DB is not found by the northd service)
# 3. Restart the ovn-northd service (the one whose ImagePath was edited above)
# 4. Create a Hyper-V virtual switch with the OVS extension enabled. An internal switch also works.
# 5. Prepare a VM in Hyper-V (e.g. Ubuntu) and configure its networking for DHCP.
# 6. Set the OVS port name of the VM to the same name as the following variable.
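# OVS port name of the Hyper-V VM NIC (must match the port configured in preparation step 6)
$vm_ovs_port_name = "basic3-eth0"
# Expose the OVN northbound/southbound databases over TCP, but bound to loopback only.
# A bare "ptcp:6642" listens on every interface with no authentication, so anyone who can
# reach this host could rewrite the whole logical topology (ports, routes, NAT, port security).
# Every client in this setup is on the same host and talks to 127.0.0.1 (see ovn-remote below);
# ovn-northd uses the unix sockets from the preparation steps and is unaffected. For a
# multi-host deployment switch to pssl: with certificates instead of widening the bind address.
ovn-sbctl set-connection ptcp:6642:127.0.0.1
ovn-nbctl set-connection ptcp:6641:127.0.0.1
# register this host as OVN chassis "local": southbound DB on loopback, geneve encapsulation on loopback
ovs-vsctl set open . external-ids:ovn-remote=tcp:127.0.0.1:6642
ovs-vsctl set open . external-ids:ovn-encap-type=geneve
ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1
ovs-vsctl set open . external-ids:system-id=local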
# cleanup: remove leftovers of a previous run so the script can be re-executed
foreach ($router in @('edge1', 'tenant1')) {
    ovn-nbctl --if-exists lr-del $router
}
foreach ($ls in @('dmz', 'outside', 'transit')) {
    ovn-nbctl --if-exists ls-del $ls
}
# drop the host address on br-nat (if the adapter exists), then the bridge and the VM port
Get-NetAdapter br-nat -ErrorAction SilentlyContinue | Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
ovs-vsctl --if-exists del-br br-nat
ovs-vsctl --if-exists del-port $vm_ovs_port_name
# dmz: the tenant-facing logical switch, fronted by router tenant1
ovn-nbctl ls-add dmz
ovn-nbctl lr-add tenant1
# router-side port towards dmz (172.16.255.129 is also the DHCP server/gateway handed to the VM)
ovn-nbctl lrp-add tenant1 tenant1-dmz 02:ac:10:ff:01:29 172.16.255.129/26
# switch-side peer of that router port, set up in a single nbctl transaction
ovn-nbctl lsp-add dmz dmz-tenant1 `
    -- lsp-set-type dmz-tenant1 router `
    -- lsp-set-addresses dmz-tenant1 02:ac:10:ff:01:29 `
    -- lsp-set-options dmz-tenant1 router-port=tenant1-dmz
# the VM's logical port; port security pins it to exactly this MAC/IP pair so the guest cannot spoof
ovn-nbctl lsp-add dmz dmz-vm1 `
    -- lsp-set-addresses dmz-vm1 "02:ac:10:ff:01:30 172.16.255.130" `
    -- lsp-set-port-security dmz-vm1 "02:ac:10:ff:01:30 172.16.255.130"
# DHCP for dmz-vm1: create a DHCP_Options row for the dmz subnet (server/gateway = tenant1-dmz,
# 1h lease) and attach it to the VM port. The escaped quotes keep the colon-containing MAC as one
# value for ovn-nbctl. NOTE(review): no dns_server option is handed out, so the guest's resolver
# must come from elsewhere - confirm before relying on the nslookup check at the end.
$dhcp_option = ovn-nbctl create DHCP_Options cidr=172.16.255.128/26 options="server_id=172.16.255.129 server_mac=\`"02:ac:10:ff:01:29\`" lease_time=3600 router=172.16.255.129"
ovn-nbctl lsp-set-dhcpv4-options dmz-vm1 $dhcp_option
# attach the VM's OVS port to br-int and bind it to logical port dmz-vm1 in one transaction
ovs-vsctl add-port br-int $vm_ovs_port_name -- set Interface $vm_ovs_port_name external_ids:iface-id=dmz-vm1
# edge1: the router holding the outside-facing port, pinned to chassis "local"
ovn-nbctl create Logical_Router name=edge1 options:chassis=local
# transit: a /30 point-to-point switch between edge1 and tenant1
ovn-nbctl ls-add transit
ovn-nbctl lrp-add edge1 edge1-transit 02:ac:10:ff:00:01 172.16.255.1/30
ovn-nbctl lsp-add transit transit-edge1 `
    -- lsp-set-type transit-edge1 router `
    -- lsp-set-addresses transit-edge1 02:ac:10:ff:00:01 `
    -- lsp-set-options transit-edge1 router-port=edge1-transit
ovn-nbctl lrp-add tenant1 tenant1-transit 02:ac:10:ff:00:02 172.16.255.2/30
ovn-nbctl lsp-add transit transit-tenant1 `
    -- lsp-set-type transit-tenant1 router `
    -- lsp-set-addresses transit-tenant1 02:ac:10:ff:00:02 `
    -- lsp-set-options transit-tenant1 router-port=tenant1-transit
# static routes: tenant prefix back towards tenant1, defaults out via edge1 and then the host's NAT address
ovn-nbctl lr-route-add edge1 "172.16.255.128/25" 172.16.255.2
ovn-nbctl lr-route-add tenant1 "0.0.0.0/0" 172.16.255.1
ovn-nbctl lr-route-add edge1 "0.0.0.0/0" 192.168.137.1
# edge1's port on the 192.168.137.0/24 NAT network
ovn-nbctl lrp-add edge1 edge1-outside 02:0a:7f:00:01:29 192.168.137.10/24
# logical switch 'outside' with the peer port of edge1-outside
ovn-nbctl ls-add outside
ovn-nbctl lsp-add outside outside-edge1 `
    -- lsp-set-type outside-edge1 router `
    -- lsp-set-addresses outside-edge1 02:0a:7f:00:01:29 `
    -- lsp-set-options outside-edge1 router-port=edge1-outside
# br-nat carries the external side; OVN learns the mapping physical-network-name -> bridge
# from ovn-bridge-mappings, so "externalNet" here must match the localnet port's network_name
ovs-vsctl add-br br-nat
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=externalNet:br-nat
# localnet port that attaches logical switch 'outside' to physical network "externalNet"
ovn-nbctl lsp-add outside outside-localnet `
    -- lsp-set-addresses outside-localnet unknown `
    -- lsp-set-type outside-localnet localnet `
    -- lsp-set-options outside-localnet network_name=externalNet
# SNAT the whole tenant range behind edge1's outside address (192.168.137.10)
ovn-nbctl -- --id=@nat create nat type="snat" logical_ip=172.16.255.128/25 external_ip=192.168.137.10 -- add logical_router edge1 nat `@nat
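# The host-side adapter for br-nat appears asynchronously after the bridge is created;
# poll for it (bounded) instead of assuming a fixed 2-second delay is always enough.
$adapter_deadline = (Get-Date).AddSeconds(30)
while (-not (Get-NetAdapter "br-nat" -ErrorAction SilentlyContinue)) {
    if ((Get-Date) -gt $adapter_deadline) {
        throw "timed out waiting for the br-nat network adapter to be created"
    }
    Start-Sleep -Milliseconds 500
}
Enable-NetAdapter "br-nat"
# Give the host the gateway address of the NAT network (remove a stale copy first so re-runs work).
# Parameter names use plain ASCII hyphens; Unicode dashes here are a copy/paste hazard.
Get-NetAdapter "br-nat" | Remove-NetIPAddress -IPAddress 192.168.137.1 -Confirm:$false -ErrorAction SilentlyContinue
Get-NetAdapter "br-nat" | New-NetIPAddress -IPAddress 192.168.137.1 -PrefixLength 24
# Windows NAT for the external network: traffic from 192.168.137.0/24 (the SNATed tenant traffic
# arriving from edge1) is masqueraded behind the host's uplink. An error here (e.g. a NAT already
# exists, see the header warning) is printed but does not stop the script.
New-NetNat -Name NAT -InternalIPInterfaceAddressPrefix 192.168.137.0/24 -ErrorAction Continue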
# you should now be able to ping from host to OVN router:
# ping 192.168.137.10
# and you should be able to reach the internet from the VM:
# nslookup google.com
# wget http://google.com
# sudo apt-get update
# sudo apt-get upgrade (with OVS 2.9 this step triggers a BAD_POOL_HEADER bluescreen on the host).
# This script sets up an OVN-based tenant network that can reach a physical network through a host adapter.
# Preparations:
# 1. install Cloudbase OpenVSwitch
# 2. change the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovn-northd\ImagePath:
# --ovnsb-db=unix:"C:\ProgramData\openvswitch\ovnnb_db.sock" should become --ovnsb-db=unix:"C:\ProgramData\openvswitch\ovnsb_db.sock"
# (this is required because without it the southbound DB is not found by the northd service)
# 3. Restart the ovn-northd service (the one whose ImagePath was edited above)
# 4. Create a Hyper-V virtual switch with the OVS extension enabled on the adapter that is connected to the external network.
# 5. Create a bridge br-pif (see the $external_network_bridge variable below) and add the physical adapter to it.
# 6. Prepare a VM in Hyper-V (e.g. Ubuntu) and configure its networking for DHCP.
# 7. Set the OVS port name of the VM to the same name as the following variable.
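# OVS port name of the Hyper-V VM NIC (must match the port configured in preparation step 7)
$vm_ovs_port_name = "basic3-eth0"
# Physical network parameters: its gateway, the address edge1 takes on it, the prefix length,
# and the OVS bridge that holds the physical adapter (preparation step 5)
$externalnet_router_ip = "192.168.3.1"
$edge1_outside_ip = "192.168.3.100"
$externalnet_prefix_length = "24"
$external_network_bridge = "br-pif"
# Expose the OVN northbound/southbound databases over TCP, but bound to loopback only.
# A bare "ptcp:6642" listens on every interface - including the physical network this script
# attaches to - with no authentication, so any host on that network could rewrite the logical
# topology (ports, routes, NAT, port security). All clients here use 127.0.0.1 (see ovn-remote
# below) and ovn-northd uses the unix sockets from the preparation steps, so nothing breaks.
# For a multi-host deployment switch to pssl: with certificates instead of widening the bind.
ovn-sbctl set-connection ptcp:6642:127.0.0.1
ovn-nbctl set-connection ptcp:6641:127.0.0.1
# register this host as OVN chassis "local": southbound DB on loopback, geneve encapsulation on loopback
ovs-vsctl set open . external-ids:ovn-remote=tcp:127.0.0.1:6642
ovs-vsctl set open . external-ids:ovn-encap-type=geneve
ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1
ovs-vsctl set open . external-ids:system-id=local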
# cleanup: remove leftovers of a previous run, each group in one nbctl transaction
ovn-nbctl -- --if-exists lr-del edge1 -- --if-exists lr-del tenant1
ovn-nbctl -- --if-exists ls-del dmz -- --if-exists ls-del outside -- --if-exists ls-del transit
# br-nat is not created by this script; this only clears a leftover from the NAT-based variant, if any
Get-NetAdapter br-nat -ErrorAction SilentlyContinue | Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
ovs-vsctl --if-exists del-br br-nat
# the VM port is re-added below, so drop a stale binding first
ovs-vsctl --if-exists del-port $vm_ovs_port_name
# dmz: the tenant-facing logical switch, fronted by router tenant1
ovn-nbctl ls-add dmz
ovn-nbctl lr-add tenant1
# router-side port towards dmz (172.16.255.129 is also the DHCP server/gateway handed to the VM)
ovn-nbctl lrp-add tenant1 tenant1-dmz 02:ac:10:ff:01:29 172.16.255.129/26
# switch-side peer of tenant1-dmz
ovn-nbctl lsp-add dmz dmz-tenant1
ovn-nbctl lsp-set-type dmz-tenant1 router
ovn-nbctl lsp-set-addresses dmz-tenant1 02:ac:10:ff:01:29
ovn-nbctl lsp-set-options dmz-tenant1 router-port=tenant1-dmz
# the VM's logical port, locked to its single MAC/IP pair by port security
ovn-nbctl lsp-add dmz dmz-vm1 `
    -- lsp-set-addresses dmz-vm1 "02:ac:10:ff:01:30 172.16.255.130" `
    -- lsp-set-port-security dmz-vm1 "02:ac:10:ff:01:30 172.16.255.130"
# DHCP for dmz-vm1: create a DHCP_Options row for the dmz subnet (server/gateway = tenant1-dmz,
# 1h lease) and attach it to the VM port. The escaped quotes keep the colon-containing MAC as one
# value for ovn-nbctl. NOTE(review): no dns_server option is handed out, so the guest's resolver
# must come from elsewhere - confirm before relying on name resolution inside the VM.
$dhcp_option = ovn-nbctl create DHCP_Options cidr=172.16.255.128/26 options="server_id=172.16.255.129 server_mac=\`"02:ac:10:ff:01:29\`" lease_time=3600 router=172.16.255.129"
ovn-nbctl lsp-set-dhcpv4-options dmz-vm1 $dhcp_option
# attach the VM's OVS port to br-int and bind it to logical port dmz-vm1 in one transaction
ovs-vsctl add-port br-int $vm_ovs_port_name -- set Interface $vm_ovs_port_name external_ids:iface-id=dmz-vm1
# edge1: the router holding the outside-facing port, pinned to chassis "local"
ovn-nbctl create Logical_Router name=edge1 options:chassis=local
# transit: a /30 point-to-point switch between edge1 and tenant1
ovn-nbctl ls-add transit
ovn-nbctl lrp-add edge1 edge1-transit 02:ac:10:ff:00:01 172.16.255.1/30
ovn-nbctl lsp-add transit transit-edge1 `
    -- lsp-set-type transit-edge1 router `
    -- lsp-set-addresses transit-edge1 02:ac:10:ff:00:01 `
    -- lsp-set-options transit-edge1 router-port=edge1-transit
ovn-nbctl lrp-add tenant1 tenant1-transit 02:ac:10:ff:00:02 172.16.255.2/30
ovn-nbctl lsp-add transit transit-tenant1 `
    -- lsp-set-type transit-tenant1 router `
    -- lsp-set-addresses transit-tenant1 02:ac:10:ff:00:02 `
    -- lsp-set-options transit-tenant1 router-port=tenant1-transit
# static routes: tenant prefix back towards tenant1, defaults out via edge1 and then the physical gateway
ovn-nbctl lr-route-add edge1 "172.16.255.128/25" 172.16.255.2
ovn-nbctl lr-route-add tenant1 "0.0.0.0/0" 172.16.255.1
ovn-nbctl lr-route-add edge1 "0.0.0.0/0" $externalnet_router_ip
# edge1's port on the physical network (address/prefix from the variables at the top)
ovn-nbctl lrp-add edge1 edge1-outside 02:0a:7f:00:01:29 "$edge1_outside_ip/$externalnet_prefix_length"
# logical switch 'outside' with the peer port of edge1-outside
ovn-nbctl ls-add outside
ovn-nbctl lsp-add outside outside-edge1 `
    -- lsp-set-type outside-edge1 router `
    -- lsp-set-addresses outside-edge1 02:0a:7f:00:01:29 `
    -- lsp-set-options outside-edge1 router-port=edge1-outside
# map the OVN physical network name "externalNet" to the bridge that holds the physical adapter;
# the name must match the localnet port's network_name below
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings="externalNet:$external_network_bridge"
# localnet port that attaches logical switch 'outside' to physical network "externalNet"
ovn-nbctl lsp-add outside outside-localnet `
    -- lsp-set-addresses outside-localnet unknown `
    -- lsp-set-type outside-localnet localnet `
    -- lsp-set-options outside-localnet network_name=externalNet
# SNAT the whole tenant range behind edge1's address on the physical network
ovn-nbctl -- --id=@nat create nat type="snat" logical_ip=172.16.255.128/25 external_ip=$edge1_outside_ip -- add logical_router edge1 nat `@nat