Hello,
I've already mentioned this issue in the thread about IPFW rules for minidlna (https://forums.freebsd.org/threads/ipfw-rules-for-minidlna.82048/), but since this is a more general problem and not only minidlna related, I thought I'd make this its own thread:
Is it possible to route multicast packets via IPFW NAT to a jail?
In my scenario I'm running a minidlna server inside a jail. A client tries to discover the minidlna server in my local network via an SSDP multicast to IP 239.255.255.250.
To allow such multicast packets to pass through the firewall directly on my host, I figured out the following rule:
Code:
allow udp from any to 239.255.255.250 1900 in via ${wan_if} keep-state
But for isolation purposes I want to run minidlna in a jail, and I haven't figured out how to forward this multicast packet via IPFW NAT to my jail.
The NAT rule I'm using is
Code:
${fw} -q nat 1 config if ${wan_if} same_ports unreg_only reset \
redirect_port udp 192.168.0.2:1900 1900
This rule doesn't seem to match a multicast packet on 239.255.255.250. I've also tried without the unreg_only property, but that didn't help.
Does anyone have experience with that? Is it possible at all to NAT multicast packets? And if so, how?
Any help is welcome - thanks!
Kind regards, Fool
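Added example, not from the post above and not minidlna's or ipfw's code: a Python model of the SSDP discovery exchange the post describes (the M-SEARCH the client multicasts to 239.255.255.250:1900, the unicast 200 OK a MediaServer sends back to the requester, and a parser for that reply), together with a simplified model of what a `redirect_port` entry keyed on the NAT interface's own address matches. The LOCATION URL, USN and SERVER strings are constructed for the example, and `redirect_port_matches` is an assumption about libalias behaviour (it translates only traffic addressed to the alias address), not a reimplementation of ipfw.

```python
"""SSDP discovery as used by DLNA servers, modelled offline.

Added example (not from the forum post or from minidlna): builds the
M-SEARCH a client multicasts to 239.255.255.250:1900, generates the unicast
reply a MediaServer returns to the requester, parses that reply, and models
why a NAT port redirect keyed on the alias address never sees the request.
"""
from __future__ import annotations

import ipaddress
import re

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
MEDIA_SERVER_ST = "urn:schemas-upnp-org:device:MediaServer:1"


def build_msearch(st: str = MEDIA_SERVER_ST, mx: int = 2) -> bytes:
    """Client side: the HTTPU M-SEARCH request multicast to the SSDP group."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_headers(data: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTPU message into (start line, lower-cased header dict).
    Malformed header lines are rejected rather than silently skipped."""
    text = data.decode("ascii", errors="strict")
    head, _, _ = text.partition("\r\n\r\n")
    start, *rest = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in rest:
        m = re.fullmatch(r"([!#$%&'*+\-.^_`|~0-9A-Za-z]+):\s*(.*?)\s*", line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers[m.group(1).lower()] = m.group(2)
    return start, headers


def build_msearch_response(request: bytes, location: str, usn: str) -> bytes | None:
    """Server side: answer an M-SEARCH whose ST we serve, else None.
    The reply goes unicast to the requester's source address and port."""
    start, h = parse_headers(request)
    if start != "M-SEARCH * HTTP/1.1" or h.get("man") != '"ssdp:discover"':
        return None
    if h.get("st", "") not in ("ssdp:all", MEDIA_SERVER_ST):
        return None
    lines = [
        "HTTP/1.1 200 OK",
        "CACHE-CONTROL: max-age=1800",
        "EXT:",
        f"LOCATION: {location}",
        "SERVER: example-os/1 UPnP/1.0 example-dlna/1",  # constructed value
        f"ST: {MEDIA_SERVER_ST}",
        f"USN: {usn}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_msearch_response(data: bytes) -> dict[str, str]:
    """Client side: extract LOCATION/USN/ST from a 200 OK reply, or raise."""
    start, h = parse_headers(data)
    if not start.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected status line: {start!r}")
    for required in ("location", "usn", "st"):
        if required not in h:
            raise ValueError(f"missing {required.upper()} header")
    return {"location": h["location"], "usn": h["usn"], "st": h["st"]}


def redirect_port_matches(dst_ip: str, dst_port: int, alias_ip: str, alias_port: int) -> bool:
    """Simplified model (an assumption, not ipfw's code) of what an inbound
    'redirect_port udp target:port alias_port' entry matches: UDP whose
    destination is the NAT alias address and alias port. A packet sent to a
    224.0.0.0/4 group address is never the alias address, so it is not
    translated."""
    dst = ipaddress.ip_address(dst_ip)
    if dst.is_multicast:
        return False
    return dst == ipaddress.ip_address(alias_ip) and dst_port == alias_port


if __name__ == "__main__":
    req = build_msearch()
    resp = build_msearch_response(
        req, "http://192.168.0.2:8200/rootDesc.xml", "uuid:example::" + MEDIA_SERVER_ST
    )
    print(parse_msearch_response(resp))
    # Destination is the group address, not the interface address: no match.
    print(redirect_port_matches(SSDP_GROUP, SSDP_PORT, "192.168.0.1", SSDP_PORT))
```

The model makes the asymmetry in the post visible: the request's destination is the group address, so a redirect keyed on the interface's own address has nothing to translate, while the reply is ordinary unicast from the server to whatever source address the request carried.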