Monday, March 19, 2018

Help understanding Windows NAT Instances vs NAT Objects and their relationship to Internet Connection Sharing (ICS)

For context, we're exploring using Docker For Windows for developer machines, and I've been tasked with determining if things have matured enough on Windows to actually be of use to us.

There's a lot of networking behavior that Docker does on Windows that is...less than transparent. Without getting into the minutiae, my current hunch is that the Rosetta Stone to this behavior has something to do with understanding "NetNat objects" versus "NetNat instances".

I know this is a long shot since I'm guessing most folks on this subreddit don't do Windows work, but here's hoping.

In short, after a Docker For Windows installation, there is definitely Network Address Translation happening as evidenced by the output of the Get-NetNatExternalAddress cmdlet (see my Git Gist for sample output: https://gist.github.com/pldmgg/3914df33e622f96179983bd9cc179ce9)

Given that there is NAT activity happening, I would expect to see NAT objects returned by the Get-NetNat cmdlet...but unfortunately, it doesn't return anything.

To add to the mystery, if I add NAT myself via some PowerShell:

    # Addressing for the NAT-backed internal network
    $NATSubnet = "10.10.3.0/24"
    $NATIP = "10.10.3.1"
    $NATNetworkMask = 24

    # Create the NAT object that translates for the internal subnet
    New-NetNat -Name LocalNAT -InternalIPInterfaceAddressPrefix $NATSubnet

    # Create an internal vSwitch and give its host-side vEthernet adapter the gateway address
    New-VMSwitch -Name ForLocalNAT -SwitchType Internal
    Get-NetAdapter "vEthernet (ForLocalNAT)" | New-NetIPAddress -IPAddress $NATIP -AddressFamily IPv4 -PrefixLength $NATNetworkMask

...the Get-NetNat cmdlet does, in fact, show a NAT object:

    PS C:\Users\pdadmin> Get-NetNat

    Name                             : LocalNAT
    ExternalIPInterfaceAddressPrefix :
    InternalIPInterfaceAddressPrefix : 10.10.3.1/24
    IcmpQueryTimeout                 : 30
    TcpEstablishedConnectionTimeout  : 1800
    TcpTransientConnectionTimeout    : 120
    TcpFilteringBehavior             : AddressDependentFiltering
    UdpFilteringBehavior             : AddressDependentFiltering
    UdpIdleSessionTimeout            : 120
    UdpInboundRefresh                : False
    Store                            : Local
    Active                           : True

...and it works as expected.

(EDIT: To clarify, nothing is / was ever broken; I'm just trying to understand how Docker can perform NAT without creating a NAT object like the above PowerShell does.)

So my question boils down to this: what is the difference between "NAT instances" that don't seem to need "NAT objects" to perform Network Address Translation and "NAT objects" (and their corresponding "NAT instances") that perform Network Address Translation?

Another related mystery is bothering me. If you look at the output of Get-NetNatExternalAddress in my above Git Gist, you'll notice that some of the objects' NatName properties reference 'ICS', aka Internet Connection Sharing. I'd love to know what this means in this particular context (none of the ICS documentation I could find speaks of ICS in this context).
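A diagnostic that makes the object-versus-instance gap visible on a given host, added here as an example and not part of the original post: it lists every NatName that owns an external address (the "instances"), marks which ones have a matching Get-NetNat object, flags names that look ICS-managed, and reports the state of the ICS service. It assumes the NetNat module cmdlets are present, that ICS runs as the SharedAccess service, and that ICS-created instances carry 'ICS' in their NatName (the last is a naming assumption drawn from the gist, not a documented contract).

```powershell
# Added example, not from the original post. Assumptions: NetNat cmdlets available,
# ICS service name is 'SharedAccess', ICS-created NAT instances have 'ICS' in NatName.
function Get-NatInstanceReport {
    [CmdletBinding()]
    param()

    # NAT objects: what New-NetNat creates and Get-NetNat lists.
    $natObjects  = @(Get-NetNat -ErrorAction SilentlyContinue)
    $objectNames = @($natObjects | ForEach-Object { $_.Name })

    # NAT instances: every distinct NatName that owns an external address / port range.
    $external = @(Get-NetNatExternalAddress -ErrorAction SilentlyContinue)
    $sessions = @(Get-NetNatSession -ErrorAction SilentlyContinue)

    $instances = foreach ($group in ($external | Group-Object -Property NatName)) {
        $natName = $group.Name
        [pscustomobject]@{
            NatName           = $natName
            HasNetNatObject   = $objectNames -contains $natName
            LooksIcsManaged   = $natName -like '*ICS*'   # naming assumption, see lead-in
            ExternalAddresses = ($group.Group |
                ForEach-Object { "$($_.IPAddress):$($_.PortStart)-$($_.PortEnd)" }) -join ', '
            ActiveSessions    = @($sessions | Where-Object { $_.NatName -eq $natName }).Count
        }
    }

    # ICS is a Windows service; its state tells you whether ICS could be the owner.
    $ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue

    [pscustomobject]@{
        IcsServiceStatus       = if ($ics) { $ics.Status } else { 'NotFound' }
        NetNatObjectCount      = $natObjects.Count
        NatInstanceCount       = @($instances).Count
        InstancesWithoutObject = @($instances | Where-Object { -not $_.HasNetNatObject }).Count
        Instances              = @($instances)
    }
}

$report = Get-NatInstanceReport
$report | Select-Object IcsServiceStatus, NetNatObjectCount, NatInstanceCount, InstancesWithoutObject | Format-List
$report.Instances | Format-Table -AutoSize
```

Run it from an elevated PowerShell session before and after installing Docker For Windows, or after running the New-NetNat snippet above, and compare InstancesWithoutObject: that count is exactly the set of NAT instances translating traffic on the host with no Get-NetNat object behind them.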
