Hello there.
I'm trying to set up a jail server which will have jails hooking into two different networks.
One is my LAN, the other is reserved for 'exposed to the public' services (such as webservers, etc.).
I have a pfsense box hooking in to both networks, routing traffic between them (with filtering).
A single jail will only be hooked into one of these networks.

Description:
Jail "rsync" has sshd running on port 22, IP 10.1.1.12.
Connecting to this works fine from an IP in the lanif:network range.
If I
# ifconfig lanif down
, I can no longer connect to the sshd from an IP in the lanif:network range. Pinging the IP still works fine. This is, in my opinion, unexpected behaviour, and if I'm to take a guess, it indicates jail traffic is routed out on the wrong interface.
Any ideas why this is happening?

Related settings

/etc/rc.conf
Code:
defaultrouter="10.0.1.1"
cloned_interfaces="vlan0 vlan1"
ifconfig_re0="up mtu 9000 polling name netif"
ifconfig_vlan0="inet 10.0.1.19/24 vlan 1 vlandev netif name lanif"
ifconfig_vlan1="inet 10.1.1.2/24 vlan 10 vlandev netif name jailif"
# Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"

/usr/local/etc/ezjail/rsync
Code:
export jail_rsync_ip="10.1.1.12"
export jail_rsync_interface="jailif"

/etc/pf.conf
Code:
# Settings
set block-policy drop
# Aliases
jailif="jailif"
lanif="lanif"
jailnet="10.1.1.0/24"
jailnet_gw="10.1.1.1"
# Routing
#pass out route-to ($jailif $jailnet_gw) from $jailnet to !$jailnet
pass out on lanif route-to ($jailif $jailnet_gw) from $jailnet to !$jailnet

^^ I've tried both the commented-out one and the non-commented one. Neither seems to make any difference (except I can't ping 10.1.1.12 from the console with the commented-out one).
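Added example, not from the original post: a pf.conf fragment that pins the reply path for the jail network with reply-to, so answers to LAN clients leave through jailif and pfsense instead of following the host's own route to the LAN. It assumes the macros and addresses from the settings above (pfsense at 10.1.1.1 on the jail VLAN).

```pf
# Added example (not from the original post). Assumes the poster's
# interface names and addresses; pfsense is 10.1.1.1 on the jail VLAN.
jailif="jailif"
lanif="lanif"
jailnet="10.1.1.0/24"
jailnet_gw="10.1.1.1"

set block-policy drop

# Traffic for a jail arrives on jailif from pfsense. reply-to stores the
# inbound interface and gateway in the state, so the reply is sent back
# through jailif even though the host's routing table would pick lanif
# (directly connected 10.0.1.0/24 or the default route via 10.0.1.1).
pass in quick on $jailif reply-to ($jailif $jailnet_gw) \
    from !$jailnet to $jailnet keep state

# Connections the jails open themselves: the kernel routes them to lanif
# first, so catch them there and hand them to pfsense on the jail VLAN.
pass out quick on $lanif route-to ($jailif $jailnet_gw) \
    from $jailnet to !$jailnet keep state

# Jail-to-jail traffic on the jail VLAN needs no redirection.
pass quick on $jailif from $jailnet to $jailnet keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading; the reply-to state is what keeps the sshd reply on jailif when the LAN-side route is unavailable.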