Hello
I have 3 servers with public IPs, also with 3 network interfaces (switch) to communicate internally. I am a FreeBSD newbie and I have spent several days trying to run the scenario and reading to see if I can find the problem, but I have much knowledge of routing.
On these servers, I have a few jails with private IPs (10.xxx/8) linked to the internal interface, but I want to NAT some of the services from the public network. From the jails I can access the public IPs of the different servers and the private IPs (I guess that will do routing for the internal network), but I can't install ports, ping the router, reach outside, or anything. Can anyone help or tell me where to go? Thanks
Best regards
Diagram:
Code:
  180.x.x.55                180.x.x.63
   ____|____                 ____|____
  | SERVER1 |-----em1-----| SERVER2 |
   ---------                 ---------
Code:
# sysctl
srv02# sysctl -a | grep jail
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0
srv02# sysctl -a | grep forward
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0
# rc.conf
Code:
defaultrouter="180.X.X.1"
static_routes="internal"
route_internal="-net 10.0.0.0/8 10.0.0.1"
ifconfig_em0="inet 180.X.X.63 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 180.X.X.64 netmask 255.255.255.0"
ifconfig_em1="inet 10.0.0.1 netmask 255.0.0.0"
ifconfig_em1_alias0="inet 10.0.0.5 netmask 255.0.0.0"
ipv6_enable="NO"
hostname="srv02.internal.local"
sshd_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
ezjail_enable="YES"
# pf.conf
Code:
# Interfaces
external="em0"
internal="em1"
intnet="{ 10.0.0.0/8 }"
table <dnsserver> const { 180.x.x.55, 188.x.x.63 }
table <dnsserver_int> const { 10.10.1.1, 10.10.2.1, 10.0.0.5 }
table <privnets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
icmp_types="echoreq"
set block-policy drop
set skip on lo0
nat on $internal from $internal:network to any -> ($external)
#nat on $external from $internal:network to any -> ($external)
# DNS
rdr on $external inet proto {tcp, udp} from any to <dnsserver_int> port 53 -> <dnsserver>
block in log all
block drop quick on $external from <privnets> to any
block drop quick on $external from any to <privnets>
pass in on $external proto tcp from any to <dnsserver> port domain flags S/SA modulate state
pass in on $external proto udp from any to <dnsserver> port domain keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $internal from $internal:network to any keep state
pass out quick on $internal from any to $internal:network keep state
pass out on $external proto tcp all flags S/SA modulate state
pass out on $external all keep state
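For comparison, here is an added example of the outbound NAT layout that pf expects for jails on a private network behind a public interface. It is not the poster's pf.conf; the interface names em0/em1 and the 10.0.0.0/8 jail range are taken from the post only so that it reads alongside it, and the rule set is otherwise an assumption about a typical host. In pf, a nat rule translates packets as they leave the interface it names, so a rule on the internal interface never sees the jails' traffic heading for the default router; the translation has to be attached to the public interface, and the host must forward (net.inet.ip.forwarding=1, as the sysctl output above shows). Jails share the host's routing table, so their packets leave via em0 with a 10.x source address unless a nat rule on em0 rewrites them.

```pf
# Added example (not the original post's pf.conf): outbound NAT for jails.
# Assumed layout: em0 carries the public address, em1 carries the jails' 10.x aliases.
external="em0"
internal="em1"
jailnet="10.0.0.0/8"
table <privnets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

set block-policy drop
set skip on lo0
scrub in all

# Translation: jail traffic is rewritten to the public address as it leaves em0.
# "($external)" tracks the interface's current address, so it survives renumbering.
nat on $external from $jailnet to any -> ($external)

# Default deny on every interface; everything below is an explicit exception.
block in log all

# Anti-spoofing on the public side: private ranges have no business on em0
# in either direction (kept from the post's own rules; after the nat rule above,
# outgoing jail packets already carry the public source, so they are not hit).
block drop quick on $external from <privnets> to any
block drop quick on $external from any to <privnets>

# Host-to-jail and jail-to-host traffic on the internal interface.
pass in quick on $internal from $jailnet to any keep state
pass out quick on $internal from any to $jailnet keep state

# Translated jail traffic and the host's own traffic leaving the public side.
pass out on $external proto tcp all flags S/SA modulate state
pass out on $external all keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, and after `pfctl -f /etc/pf.conf` the live translations can be checked with `pfctl -s nat` and `pfctl -s state`, where a jail's outbound connection should appear with its 10.x address mapped to the em0 address. The order matters for the anti-spoof block: pf applies nat before the outbound filter rules, so the `from <privnets>` block on em0 only catches packets that were not translated.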