This page has been moved from ThinClientHowtoNAT on 2009-07-23
Thin Client How-To NAT
This document explains how you configure an LTSP server to act as gateway for computers on the thin client network using Network Address Translation. If it seems long, it's only because we're trying to catch every possible scenario. There are six steps which include tests to make sure each one worked.
Traditional thin clients don't need this as their applications run on the LTSP server. This is generally only necessary if you have the LTSP server running with two interfaces, one facing the main network and internet, the other facing the thin clients. In that instance, for machines on the thin client network to get direct internet access (eg a thin client booted into windows, a local app on a thin client), they must use the LTSP server as a gateway.
You will need:
- A Thin Client Server fully configured, with at least 2 network interfaces, one connected (or that can go) to the internet and one dedicated to the Thin Client Network.
- To know the ip address of the LTSP server on the thin client network (we assume it's 192.168.0.254 below, but it might not be).
- To know the network address and netmask of your ltsp network. The default is 192.168.0.0/24, historically expressed as the pair of (192.168.0.0, 255.255.255.0).
- To know the IP address of the DNS server on your main network (/etc/resolv.conf on the ltsp server should tell you that).
- A normal PC (not thin client) you can plug into the ltsp network temporarily to run tests.
If you don't know the information above, you can find it out. Skip down to the section below on "information gathering".
So how do you do it?
The conceptual steps are:
- Ensure the LTSP server has internet access and the clients boot on the LTSP network.
- Set up a test PC on the thin client network.
- Ensure the PC on the LTSP network has the LTSP server as default gateway.
- Ensure the LTSP server will route requests out to its main network.
Ensure response traffic will get successfully routed back to the client by setting up Network Address Translation (explanation on wikipedia).
- Ensure the PC on the LTSP network can successfully make DNS requests.
Each of these steps matches the ideas above. Please carry out the tests as you go, so you know you're on the right track:
Sitting at the LTSP server itself, test its web access by opening firefox and going to some webpages, eg http://www.ubuntu.com. If this doesn't work, you need to go back to the basic ltsp server setup first.
- Boot a normal PC (not a thin client) on the thin client network. A laptop or desktop running windows or linux is fine. Test web access. It should not work. If it does work, you've either already got NAT working, or something else is wrong.
Edit /etc/ltsp/dhcpd.conf (sudo gedit /etc/ltsp/dhcpd.conf) setting the routers option to the ip address of the ltsp server on the ltsp network. eg
option routers 192.168.0.254;
and restart the dhcp server
sudo /etc/init.d/dhcp3-server restart
ON 11.10 restart the dhcp server
sudo /etc/init.d/ish-dhcp-server restart
Test: Reboot the test PC on the thin client network and check if it sees the new default gateway (on linux type ip route and look at the line beginning "default"; on windows type "route print" into a command prompt and look for default gateway).
On the LTSP server edit /etc/sysctl.conf (sudo gedit /etc/sysctl.conf) and either add this line or uncomment if it's already there:
which will take effect at next server reboot. To make the setting effective immediately, now run the command
sudo sysctl -w net.ipv4.ip_forward=1
Enable network address translation. By default the ltsp network address/mask is 192.168.0.0/24. Remember to change the example to fit your network setup. Use a command like:
sudo iptables --table nat --append POSTROUTING --jump MASQUERADE --source 192.168.0.0/24
to enable NAT. To make this setting permanent run
sudo sh -c 'iptables-save > /etc/ltsp/nat'
and add the extra line up iptables-restore < /etc/ltsp/nat to the bottom of the eth0 (or whichever is your LTSP interface) stanza of /etc/network/interfaces so it looks something like
auto eth0 iface eth0 inet static address 192.168.0.254 netmask 255.255.255.0 broadcast 192.168.0.255 network 192.168.0.0 up iptables-restore < /etc/ltsp/nat
. This creates a script called /etc/ltsp/nat which restores the NAT next time the eth0 network interface comes up. Test: ping the dns server on the main network from the test PC.
Again, edit /etc/ltsp/dhcpd.conf, as above, setting the dns option to the ip address of the main network DNS server (listed in /etc/resolv.conf on the LTSP server beside the word "nameserver"), eg
option domain-name-servers 192.168.1.1;
and again restart the dhcp server
sudo /etc/init.d/dhcp3-server restart
. Test: Reboot the test PC again, to update its DNS server. Try pinging a real world server from the test PC by name, eg
At this point, unless there are some issues upstream (eg firewall rules on the main router), you should be able to get internet access on the PC on the ltsp network AND on your thin clients.
If you don't know the information needed above, here are some tricks to find out:
The main DNS Server is listed in /etc/resolv.conf on the LTSP server beside the word "nameserver". If there's more than one, just choose the top one.
search lan nameserver 192.168.1.1
The IP address and network address/mask of your LTSP server on the thin client network is usually 192.168.0.254 and 192.168.0.0/24 by default. The command ip route on the LTSP server will list all of this:
gavin@robin ~> ip route 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.254 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.33 169.254.0.0/16 dev eth0 scope link metric 1000 default via 192.168.1.1 dev eth1 metric 100The first two lines tell you there are two networks visible directly to the LTSP server and the network address and netmask of those networks. One is the main network, one is the ltsp network. The last line, "default" tells you where the ltsp server goes when it wants the internet. It goes to eth1, so eth1 must be the main network and eth0 must be the ltsp network. The "src" at the end of the first two lines is the ltsp server's IP address on that network. So, in this example, the default route is to eth1 so that's my main network. eth0 must then be my LTSP network which has network address/mask of 192.168.0.0/24 and the server's ip on that network is 192.168.0.254.
Still not working???
If these steps fail or you find them confusing, please email firstname.lastname@example.org and we'll help you through it in person as well as try and improve this page for future users.