Cannot reach jail from another PC

[martinrame]

I want to connect to a service running on jail on 192.168.1.102:8888. From the host 192.168.0.111 it works, but cannot connect from other PCs for example 192.168.0.105.

Client PC (linux):

ifconfig
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.105  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fd3d:6864:a08a::cb0  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::dd09:574c:bea9:37d3  prefixlen 64  scopeid 0x20<link>
        inet6 fd3d:6864:a08a:0:8469:ea11:9bd8:2090  prefixlen 64  scopeid 0x0<global>
        inet6 fd3d:6864:a08a:0:f0b1:9542:bff9:eedf  prefixlen 64  scopeid 0x0<global>
        ether f0:de:f1:f0:ca:b4  txqueuelen 1000  (Ethernet)
        RX packets 2645534  bytes 1681306384 (1.6 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2725006  bytes 460540505 (460.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf1600000-f1620000

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp0s25

Server's /etc/rc.conf

hostname="ws1.local.domain"
ifconfig_re0="inet 192.168.0.111 netmask 0xfffffe00"
defaultrouter="192.168.0.1"
sshd_enable="YES"
kld_list="linux vmm nmdm nvidia nvidia-modeset fuse"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
dbus_enable="YES"
linux_load="YES"
vmm_load="YES"
nmdm_load="YES"
iohyve_enable="YES"
slim_enable="YES"
vboxnet_enable="YES"
vm_enable="YES"
vm_dir="zfs:datos/vms"
vm_list=""
vm_delay="5"
cloned_interfaces="bridge0 tap0 tap1 lo1"
ifconfig_bridge0="addm re0 addm tap0 addm tap1"
gateway_enable="YES"
pf_enable="yes"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
jupyter_enable="YES"
iocage_enable="YES"
jail_enable="YES"
jail_list="jupyterlab"
pflog0_enable="YES"

Server's /etc/pf.conf

# vim: set ft=pf
# /etc/pf.conf

#Declare the interfaces, Public IP, private subnet,
EXT_IF0 = "re0"
EXT_IF1 = "lo1"

IP_PUB="192.168.0.111"
NET_JAIL="192.168.1.0/24"
LAN_IP="192.168.0.1"
PSQL_JAIL_IP="192.168.1.101"
JUPYTERLAB_JAIL_IP="192.168.1.102"
nat pass on $EXT_IF0 from $NET_JAIL to any -> $IP_PUB
nat pass on $EXT_IF1 from $NET_JAIL to any -> $LAN_IP
# Log
rdr pass log(all) on $EXT_IF0 proto tcp from any to $IP_PUB port 8888 -> $JUPYTERLAB_JAIL_IP
# PostgreSql Jail
rdr on $EXT_IF0 proto tcp from any to $IP_PUB port 5432 -> $PSQL_JAIL_IP
rdr on lo0 proto tcp from any to 127.0.0.1 port 5432 -> $PSQL_JAIL_IP
# JupyterLab Jail
rdr on $EXT_IF0 proto tcp from any to $IP_PUB port 8888 -> $JUPYTERLAB_JAIL_IP
rdr on lo0 proto tcp from any to 127.0.0.1 port 8888 -> $JUPYTERLAB_JAIL_IP

Server's /etc/jail.conf

# Global settings applied to all jails
host.hostname = "$name.domain.local";
path = "/datos/jails/$name";
exec.consolelog = "/var/log/jail.$name.console.log";

vnet;
vnet.interface = ${epair}b;
exec.prestart += "ifconfig $epair create up";
exec.prestart += "ifconfig bridge0 addm ${epair}a";
exec.created = "ifconfig ${epair}b";
exec.clean;
exec.start = "ifconfig ${epair}b inet 192.168.1.$ip/23";
exec.start += "route add default 192.168.0.111";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.poststop = "ifconfig bridge0 deletem ${epair}a";
exec.poststop += "sleep 2";
exec.poststop += "ifconfig ${epair}a destroy";

jupyterlab {
    $ip = 102;
    $epair = "epair$ip";
    allow.raw_sockets;
}

As you can see, I created a pf rule that should redirect all packets pointing to 192.168.0.111:8888 to 192.168.1.102:8888.

I did these tests from the Server:

1. telnet 192.168.1.102 8888 WORKS
2. telnet 192.168.0.111 8888 DOESN'T WORK
3. telnet 127.0.0.1 8888 DOESN'T WORK

Also from the other PC I can't do telnet 192.168.0.111 8888.

If I do a telnet 127.0.0.1 8888 while having tcpdump -nei pflog0t running I get:

tcpdump -nei pflog0                          
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
11:51:48.897480 rule 1/0(match): rdr in on lo0: 127.0.0.1.59591 > 192.168.1.102.8888: Flags , seq 2989949149, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 1289705900 ecr 0], length 0
11:51:48.897491 rule 1/0(match): rdr out on lo0: 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 68

 

[SirDice]

Don't fall into the NAT trap, there's no reason to use NAT here. It's all about routing. Your other PCs simply need a route to the 192.168.1.0/24 network.

This will need to be done on all your other PCs and will tell them they can find the 192.168.1.0/24 network behind 192.168.0.105.
route add 192.168.1.0/24 192.168.0.105

 

[martinrame]

Yes, of course that works, and maybe for this jail I'll use that, but what I want to create is a network of jails inside the server, and allow external access to their services through port forwarding.

 

[genneko]

I wonder if assigning the host's IP to bridge0 instead of re0 makes any difference.

 

[SirDice]

allow external access to their services through port forwarding.

A port can only be forwarded once.

 

[martinrame]

Well, finally I just created the jail sharing the host's ip, way easier than I thought.