Virtual Router 3.6


This guide describes how to use the Virtual Router in OpenNebula.

When instantiated in a network, this appliance provides the following services for other Virtual Machines running in the same network:

  • Router (masquerade)
  • Port forwarding
  • DHCP server
  • NTP server
  • DNS server

A big advantage of using this appliance is that Virtual Machines can be run in the same network without being contextualized for OpenNebula.

This appliance is controlled via CONTEXT. More information in the following sections.

Considerations & Limitations

This is a 64-bit appliance and will run both in KVM and Xen environments. It will run with any network driver.

Since each virtual router will start a DHCP server and it's not recommended to have more than one DHCP server per network, it's recommend to use it along network isolation drivers if you're going to deploy two or more router instances in your environment:

:!: Due to a known issue, the private network of the router must be a RANGED network and not FIXED.


The appliance is based on archlinux. There's only one user account: root. The default password for the root user is router. This can be changed using CONTEXT along with root's public key.

  • ROOT_PUBKEY: If set, it will be set as root's authorized_keys.
  • ROOT_PASSWORD: To change the root account password use this attribute. It expects the password in an encrypted format as returned by openssl passwd -1 . To disable password login set: !


The virtual router can be used in two ways:

DHCP or NTP server

Only one interface. Useful if you only want DHCP or NTP.

To enable this you need to add the following context to the VM:

TARGET   = "hdb"
PRIVNET  = "$NETWORK[TEMPLATE, NETWORK=\"private_network_name\"]",
DHCP     = "YES|NO"
NTP      = "YES|NO"

If you're going to a use a netmask different to '' you will have to add the following to the private network's template:


Full Router

In this case, the Virtual Machine will need two network interfaces: a private and a public one. The public one will be masqueraded. In this mode you can also configure a DNS server by setting the DNS and optionally the SEARCH attribute (useful for domain searches in /etc/resolv.conf). This mode also includes all the attributes related to the previous section, i.e. DHCP and NTP servers.

This is an example context for the router mode:

TARGET     = "hdb"
PRIVNET    = "$NETWORK[TEMPLATE, NETWORK=\"private_network\"]",
PUBNET     = "$NETWORK[TEMPLATE, NETWORK=\"public_network\"]",
DHCP       = "YES|NO"
NTP        = "YES|NO"
DNS        = ""
SEARCH     = "local.domain"
FORWARDING = "8080:"


This attribute expects a list of dns servers separated by spaces.


This attribute expects a list of forwarding rules separated by spaces. Each rule has either 2 or 3 components separated by :. If only two components are specified, the first is the IP to forward the port to, and the second is the port number. If there are three components, the first is the port in the router, the second the IP to forward to, and the third the port in the forwarded Virtual Machine. Examples:

  • 8080: This will forward the port 8080 in the router to the port 80 to the VM with IP
  • This will forward the port 22 in the router to the port 22 to the VM with IP

If the public network uses a netmask different to or if the gateway is not the ip's network with one as the last byte: x.y.z.1 it can be explicitely set adding the following attributes to the public network's template:

GATEWAY      = ""