jail to inet via pf

Hello,
Could someone point me to how I can get external network access from a jail?
I wish to do it via pf.

Situation 1
I have a server with an external IP on rl0, and an alias on rl0 (10.10.10.1) for the jail.
internet<-->[rl0=external_ip, rl0_alias_jail=10.10.10.1]<-->jail
How can I go out to the internet from the jail (all ports)?

/etc/rc.conf fragment
Code:
defaultrouter="213.27.0.1"
ifconfig_rl0="inet 213.27.0.8  netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 10.10.10.1  netmask 255.255.255.255"
gateway_enable="YES"
pf_enable="YES"
jail_DEC_ip="10.10.10.1"

/etc/pf.conf
Code:
my_jail="10.10.10.1"
if="rl0"
if_ip=213.27.0.1
lo="rl0"
nat on $if from $lo to any -> $if


Situation 2
I have a server behind a router.

internet<-->[router ip=192.168.0.100]<-->[fxp0=192.168.0.1, fxp0_alias_for_jail=10.10.10.1]<-->jail(ip=10.10.10.1)


Could anybody post what the correct /etc/pf.conf should be?
 
Forgot to say:
the defaultrouter 192.168.0.100 cannot be accessed from the jail; it is on another network, of course.
How can I route the jails' 10.10.10.0/24 to the internet?
 
In the other thread he used a cloned lo1 interface for his jail to attach to. Then you would need an alias on your external interface with an IP address in the jail's subnet. The host will then route the traffic from the cloned interface to the external interface. The NATting will take care of translating the RFC 1918 address to the public IP address.
 
Try something like the following in your pf.conf:
Code:
lan_if="em0"
lan_if_subnet="10.0.0.0/8"
lan_if_ip="10.28.11.10"
jail_vps_server_ip="202.54.2.3"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
Change the interface and other values as per your setup.
 
With your pf.conf,

I can now ping anything in 192.168.0.0/24 from the jail,
but nothing beyond it.
It looks like the jail has no default router.
How can I set the default router to 192.168.0.100?


ping 192.168.0.100
64 bytes from 192.168.0.100: icmp_seq=0 ttl=254 time=1.426 ms

PING google.com (209.85.171.100): 56 data bytes
......

/etc/pf.conf:
-------------------
lan_if="rl0"
lan_if_subnet="192.168.0.0/24"
lan_if_ip="192.168.0.6"
jail_vps_server_ip="10.10.10.1"
nat on $lan_if inet proto { tcp, udp, icmp } from $jail_vps_server_ip to $lan_if_subnet -> $lan_if_ip
 
The final trouble was the unixiproute parameter:

it should be:
sysctl security.jail.socket_unixiproute_only=0

Thanks to all
 
The default router is defined in the /etc/rc.conf file:
Code:
defaultrouter="xxx.yyy.zzz.eee"
Once done, restart the networking.
 
You need a default route on the same subnet as your jail. One way to do it is to add another alias to your interface. Set the jail's default route to that IP address.
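As an added example (not a file from any poster in this thread), here is a complete /etc/pf.conf for the "Situation 2" layout: host rl0 = 192.168.0.6 behind the router 192.168.0.100, jails on 10.10.10.0/24 attached to a cloned lo1 as suggested above. The interface and address values are taken from the thread and are assumptions to adapt. The one thing it does differently from the rule posted earlier is the destination of the nat rule: with `to $lan_if_subnet` only LAN-bound packets are translated, which matches the reported symptom (LAN hosts reachable, nothing beyond the router), because internet-bound packets leave rl0 with a 10.10.10.x source the router cannot answer. Using `to any` translates everything leaving the jail network.

```pf
# Added example pf.conf for a FreeBSD host with non-VNET jails on lo1.
# Assumed values (adapt to your setup):
#   rl0            host's LAN interface, 192.168.0.6, default router 192.168.0.100
#   lo1            cloned loopback carrying the jail addresses
#   10.10.10.0/24  jail network (jail_DEC_ip="10.10.10.1" etc. in rc.conf)

ext_if   = "rl0"
ext_ip   = "192.168.0.6"
jail_if  = "lo1"
jail_net = "10.10.10.0/24"

# Loopback traffic needs no filtering or translation.
set skip on lo0

# Translate all traffic leaving the jail network, whatever its destination.
# "to any" is deliberate: "to 192.168.0.0/24" would only NAT LAN-bound
# packets and leave internet-bound ones with an unroutable 10.10.10.x source.
nat on $ext_if inet from $jail_net to any -> $ext_ip

# Default deny inbound; let the host and the jails originate connections.
block in all
pass out on $ext_if keep state

# Example of exposing one jail service: forward TCP/80 on the host's LAN
# address to the jail at 10.10.10.1 (assumed service; remove if not needed).
rdr on $ext_if inet proto tcp to $ext_ip port 80 -> 10.10.10.1 port 80
pass in on $ext_if inet proto tcp to 10.10.10.1 port 80 keep state
```

This assumes the matching rc.conf pieces: `cloned_interfaces="lo1"`, `ifconfig_lo1_alias0="inet 10.10.10.1 netmask 255.255.255.255"`, `gateway_enable="YES"`, `pf_enable="YES"`, plus the `defaultrouter` line. Jails without their own network stack use the host's routing table, so the default route that matters is the host's; the jail itself gets no router setting. Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and on the FreeBSD releases this thread concerns the poster's closing note applies: set `security.jail.socket_unixiproute_only=0` in /etc/sysctl.conf if it is what was blocking the jail.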
 