"Hybrid" jail with two IPs and VPN

I have a server with 2 network interfaces: bge1 with 3 public routable IPs, and bge0 internal private 172.16.1.1 with a few aliases (172.16.1.2, 172.16.1.3, 172.16.1.4, etc.).

The master server (FreeBSD 8.1) hosts 2 types of jails: ones that have a public IP so they can be reached over the internet without need of NAT, and other jails on a private segment, which need NAT to be able to reach the internet.

On the same master server I have an IPsec VPN that reaches network 10.0.1.0/24, so all traffic from jails with IPs 172.16.1.X can ping/connect/telnet/ssh to machines on network 10.0.1.0/24.

Code:
Internet
    |
    |
SERVER  ---> private jails with NAT bge1 ---> 172.16.1.0/24  <---/ VPN network/ ---> 10.0.1.0/24 ---< Internet
    | -----> public jails 89.181.195.X

So far everything works fine: jails with public IPs can be reached from the internet without problem, and jails with private IPs can be reached over NAT and can also reach the external network via IPsec.

But my problem begins when I try to create a 'hybrid' jail, I mean a jail that has a primary routable public IP and a private IP.

The /etc/rc.conf part containing the jail configuration looks like this:

Code:
jail_ddns_rootdir="/jails/ddns/"
jail_ddns_hostname="ns1.ddns.mx"
jail_ddns_ip="89.181.195.154,172.16.1.3"

And the output of the ifconfig command inside the jail looks like this:

Code:
> ifconfig 
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:1e:c9:e1:ad:18
        inet 172.16.1.3 netmask 0xffffffff broadcast 172.16.1.3
        media: Ethernet autoselect (none)
        status: no carrier
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:1e:c9:e1:ad:16
        inet 89.181.195.154 netmask 0xffffffff broadcast 89.181.195.154
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

Within the jail, I can ping the internal network 172.16.1.X, and I can still access the jail via ssh on the public IP, but what I can't do is reach the network 10.0.1.0/24.

Code:
bge0 172.16.1.3 -----> 172.16.1.1 --/ unreachable /-- 10.0.1.0/24
bge1 89.181.195.154 ---> any

Any ideas for solving this? I am afraid that this won't be possible since IPsec cannot go under NAT, but please correct me if I am wrong.
 
It could be something as simple as lacking an entry in your routing table. What does `netstat -nr` show?
 
After restarting the jails and properly specifying the origin with something like:

Code:
ping -S 172.16.1.3 10.0.1.3

I got it to work.
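The fix above works because a jailed process that does not bind a source address sends from the jail's first (primary) address, here the public 89.181.195.154, which no IPsec policy covers; naming the private address with `-S` makes the packet match the 172.16.1.0/24 -> 10.0.1.0/24 policy. The script below is an added example written for this thread, not something posted in it: it encodes that selection rule so the source is chosen by policy rather than by list order. The jail addresses, the VPN networks and the destinations are the thread's values, taken as assumptions; the script only prints the command it would run and touches no interface or routing table.

```sh
#!/bin/sh
# Added example (not from the thread): pick the source address a multi-IP jail
# must use for a destination, then build the ping command with an explicit -S.
# Assumed values are the ones from the thread; nothing here changes the host.

JAIL_IPS="89.181.195.154 172.16.1.3"   # same order as jail_ddns_ip in rc.conf
VPN_LOCAL_NET="172.16.1.0/24"          # source side of the IPsec policy
VPN_REMOTE_NET="10.0.1.0/24"           # destination side of the IPsec policy

# Convert a dotted quad to a 32-bit integer (POSIX sh arithmetic).
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when address $1 lies inside the CIDR block $2.
in_net() {
    net=${2%/*}; bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    fi
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# The kernel sends unbound traffic from the jail's first (primary) address.
# For destinations behind the VPN that would be the public IP, which the IPsec
# policy does not cover, so choose the jail address inside the policy's local
# network instead; anything else keeps the primary address.
select_source() {
    dest=$1
    if in_net "$dest" "$VPN_REMOTE_NET"; then
        for ip in $JAIL_IPS; do
            if in_net "$ip" "$VPN_LOCAL_NET"; then
                echo "$ip"
                return 0
            fi
        done
        echo "no jail address inside $VPN_LOCAL_NET for destination $dest" >&2
        return 1
    fi
    set -- $JAIL_IPS
    echo "$1"
}

# Build the command with an explicit source rather than the kernel's default.
ping_cmd() {
    src=$(select_source "$1") || return 1
    echo "ping -S $src $1"
}

ping_cmd 10.0.1.3    # -> ping -S 172.16.1.3 10.0.1.3
ping_cmd 8.8.8.8     # -> ping -S 89.181.195.154 8.8.8.8
```

The same rule applies to ssh (`ssh -b 172.16.1.3 ...`) and to any daemon in the jail that talks to the VPN side: bind it to the private address explicitly. To confirm which source/destination pairs the policy actually covers on the host, dump the SPD with `setkey -DP` and compare it against the routing table from `netstat -nr`.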
 