I'm still quite new to FreeBSD, so I hope I didn't make some stupid mistake or miss something obvious.
I'm running multiple jails on my VPS. They all use the interface lo1 that has multiple IPs assigned to it: 192.168.2.1 for the host and 192.168.2.11, 192.168.2.12 etc. for the jails.
No jail binds to 192.168.2.1; that is the internal address that I want to use for the host.
The jails can connect to the outside world (PF handles NAT) and connecting to them from outside works too.
All connections to the jails go through the host, so, to the jails, they should look like they're coming from the host's internal address.
However, both the source and target IP will always be the jail's IP: When connecting to a jail that uses the IP 192.168.2.11, the connection will be originating from 192.168.2.11 too. How can I set this up so connections originate from another internal address that just the host uses, e.g. 192.168.2.1?
I can solve this for nginx (which I'm using to proxy connections to the jails) using the proxy_bind directive, but that seems like a cheap workaround to me, considering it doesn't cover other services. I feel like there has to be a system-level solution.