Solved: NAT attribution, I guess?

Fawst

Member


Hello everyone,

I'm new to the world of FreeBSD, and even more so to firewalls ...

I'm struggling to build a good pf.conf in order to run Plex Media Server inside a jail.

I don't know if I'm in the right topic, but after many tries I guess it is due to the pf rules.

So here is my /etc/rc.conf

Code:
hostname="MFserver"

##############Internet############
defaultrouter="192.168.2.1"
ifconfig_re0="DHCP"
sshd_enable="YES"
ntpd_enable="YES"

##############Storage############
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"

#############Firewall#############
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

###########Services################
noip_enable="YES"
ezjail_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

##########Cloned loopback#######

cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 192.168.2.21 netmask 255.255.255.255"
gateway_enable="YES"
local_unbound_enable="YES"
Here is my /etc/pf.conf

Code:
ext_if="re0"
int_if="lo1"


tcp_pass = "{ 22 25 53 80 110 123 }"
udp_pass = "{ 53 110 631 }"
SSH= "{ 22 }"
IP_PUB="192.168.2.16"
IP_JAIL_plex="192.168.2.21"
PORT_WWW="{32400}"

scrub in all

pass out proto tcp to port $SSH
pass in on $ext_if proto udp to any port $udp_pass keep state
pass in quick on $ext_if proto tcp to any port 32400 keep state
pass in on $int_if from $int_if:network to ($int_if) keep state
My ifconfig

Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether xx:xx:xx:xx:xx:xx
        inet 192.168.2.16 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.2.21 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
And finally my jails:

Code:
 JID  IP Address      Hostname                      Path
     1  192.168.2.21    plex                          /usr/jails/plex
As for the symptom: when I go to my browser and type 192.168.2.21:32400/web I can sign up to Plex, but Plex can't find my server.

Do you have any idea about all the stupid things I'm doing?

Thank you in advance for your help :)
 

Remington

Well-Known Member


Turn off the firewall and change the jail to use the re0 NIC. Plex and Serviio don't work too well with a firewall, especially with broadcast. If your server is behind a home router then pf isn't needed. Just keep it simple.
 

SirDice

Administrator


If I'm not mistaken Plex uses UPnP/DLNA to find devices. DLNA uses UDP/1900 to broadcast and find devices, and usually a TCP port in the 5000 range for the actual connection.
 

Remington

Well-Known Member


If I'm not mistaken Plex uses UPnP/DLNA to find devices. DLNA uses UDP/1900 to broadcast and find devices, and usually a TCP port in the 5000 range for the actual connection.
That's correct. As I recall, Serviio uses the same thing, but it's unnecessary to have the server's firewall enabled behind a home router's firewall.
 

Fawst

Member


Hello,

Thanks for your response.

I did a clone of my re0 and Plex works well now. :)

But my new trouble is this: I have Nextcloud set up in another jail. I did another clone of re0, and everything works well locally, again thank you guys, but I have set up No-IP and I can't reach my Nextcloud jail because No-IP is set to my server's address.

So I'm trying to create a pf.conf rule to redirect traffic from my re0, which is known by the router, to the jail.

It looks like this, /etc/pf.conf

Code:
#interfaces
    WAN="re0"

### Networks
    LOCAL="192.168.2.16"      # IP-server
    nextcloud="192.168.2.20"  # Jails nextcloud

set loginterface $WAN

### REDIRECTION ###

### Bridge subnet
   # nat on $WAN to $WAN port 80 -> $nextcloud port 80
   # nat on $WAN from $nextcloud to any -> ($WAN)

### NGINX
    rdr pass on $LOCAL proto 80 from any to $LOCAL port 80 -> $nextcloud port 80


### DENY any redirection not defined above
    no rdr
My ifconfig looks like this

Code:
root@MFserver:/usr/home/Flow # ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether xx:xx:xx:xx:xx:xx
        inet 192.168.2.21 netmask 0xffffffff broadcast 192.168.2.21
        inet 192.168.2.20 netmask 0xffffffff broadcast 192.168.2.20
        inet 192.168.2.16 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@MFserver:/usr/home/Flow #
So, should I set up pf.conf, or is it possible to do something without pf?

And yes, I'm behind the company's router (Bell Canada) that sells me internet.
 

SirDice

Administrator


Code:
### NGINX
    rdr pass on $LOCAL proto 80 from any to $LOCAL port 80 -> $nextcloud port 80
This is never going to work.

Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for connec-
     tions originating from the outside.  Connections to the address of the
     external interface from local hosts will not be redirected, since such
     packets do not actually pass through the external interface.  Redirec-
     tions cannot reflect packets back through the interface they arrive on,
     they can only be redirected to hosts connected to different interfaces or
     to the firewall itself.
From pf.conf(5).
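The following is an added example, not a configuration from the original thread or from the FreeBSD project. It assumes the addresses shown in the posts (re0 is 192.168.2.16, the nextcloud jail is the alias 192.168.2.20, the plex jail is the alias 192.168.2.21) and that the ISP router forwards its port 80 to 192.168.2.16. The rule in the post above named an address after `on` (which takes an interface) and wrote `proto 80` instead of `proto tcp`; the corrected rdr below works because the jail address is an alias on the same host, which is the "to the firewall itself" case of the quoted pf.conf(5) text. It also carries the Plex rules discussed earlier in the thread (TCP 32400, and UDP 1900 for SSDP/DLNA discovery). The SSDP multicast group 239.255.255.250 is not named in the thread and is an assumption here.

```conf
# /etc/pf.conf for a FreeBSD 10.x host with jails on re0 aliases
# (added example; the addresses are the ones posted in the thread)
ext_if         = "re0"
lan_net        = "192.168.2.0/24"
host_ip        = "192.168.2.16"   # address the router knows and forwards to
jail_nextcloud = "192.168.2.20"   # alias on re0, owned by the nextcloud jail
jail_plex      = "192.168.2.21"   # alias on re0, owned by the plex jail
ssdp_mcast     = "239.255.255.250"  # assumption: SSDP discovery group, not in the thread

set skip on lo0
scrub in on $ext_if all

# Translation rules must come before the filter rules.
# A packet for the host's own port 80 arrives on re0 and has its destination
# rewritten to the nextcloud alias. That alias lives on this same host, so the
# packet is delivered locally to the jail's socket: it is a redirect "to the
# firewall itself", not a reflection back out through re0, and it works for
# LAN clients as well as for connections forwarded in by the router.
rdr pass on $ext_if inet proto tcp from any to $host_ip port 80 -> $jail_nextcloud port 80

# Default deny inbound on re0, log what is dropped to pflog0.
block in log on $ext_if all
pass out on $ext_if all keep state

# SSH only from the LAN.
pass in on $ext_if inet proto tcp from $lan_net to $host_ip port 22 keep state

# Plex web UI on the jail alias, and SSDP/DLNA discovery (UDP 1900) from the LAN.
pass in on $ext_if inet proto tcp from any     to $jail_plex port 32400 keep state
pass in on $ext_if inet proto udp from $lan_net to { $jail_plex $ssdp_mcast } port 1900 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; a mistaken `on` target or `proto` value is rejected at that step rather than silently ignored. Note that the rdr is only needed when the router forwards to the host address; if the router can forward straight to 192.168.2.20, as it turned out to do later in this thread, no translation rule is required and a plain `pass in` to the jail alias on port 80 is enough.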
 

Remington

Well-Known Member


You can only redirect from re0 to lo0 using pf, otherwise routing will not work. Can you redirect the port in the company's router to Nextcloud's IP address?
 

Fawst

Member


Unfortunately, no, I can't redirect ports because the router doesn't see the jail's IP, maybe because the router only sees MAC addresses and after that assigns an IP address. It's a supposition.

Should I not use DHCP?

For my pf.conf rule, I know, pfctl -svf /etc/pf.conf told it to me :p
 

Remington

Well-Known Member


It would be better to set static IP addresses in the company's router. I know you can limit the range for DHCP and use static IP addresses outside of DHCP's range for the server. DHCP isn't good for a server, as addresses can change across reboots, that is if your server is using DHCP.
 

kpa

Beastie's Twin


Unfortunately, no, I can't redirect ports because the router doesn't see the jail's IP, maybe because the router only sees MAC addresses and after that assigns an IP address. It's a supposition.

Should I not use DHCP?

For my pf.conf rule, I know, pfctl -svf /etc/pf.conf told it to me :p
Routers do not just see "MAC addresses"; they are fully aware of the connected networks and they support every bit of the IP protocol that is necessary for normal routing operation. What may not be possible on every router is address rewriting, also known as "NAT", which allows port forwarding and outbound NAT. Looking at the addresses used on your network it's clear, however, that your router is doing outbound NAT, but it may not have controls for the user to add port forwards.
 

Fawst

Member


I did; I set a static IP address for the server outside the router's DHCP range.

Code:
IP-server=192.168.2.16
Router DHCP range=192.168.2.25 to 192.168.2.250
But I can't assign a static IP on the router to the jail. Can I create a fake MAC address for my jail?

Edit: OK, so if my router doesn't support NAT, my two options are:

- using my server as NAT
- configuring my jail under lo0

Could the first option be possible?
 

Remington

Well-Known Member


You can't create a fake MAC address for jails. Only VIMAGE can do that, but you'll have to customize the kernel and do a buildworld, which is more of a challenge, so let's keep it simple for now.

Your router should have port forwarding, which allows you to redirect the router's port 80 to 192.168.2.20 port 80 in your router's configuration.
 

Fawst

Member


OK, I will try that and give you feedback.

As usual, many thanks, I like this world of sharing :)
 

Fawst

Member


It works! (Tried it from outside ...)

So it brings me another question: why can't I use the address set with No-IP on my local network?

When I type http://xxxxx.hotpto.org from outside it works, I can connect to my Nextcloud, but when I do it locally my browser tells me "This site is inaccessible".
 

Remington

Well-Known Member


Public and private IP addresses are separate. No-IP will not be able to see the private (local) IP addresses because of the router's NAT and firewall. If you're using 192.168.2.20, you're not the only one who is using that number. There are probably over a million users using the same private IP address, so No-IP will not work. A public IP address is unique, as nobody else has it except for your company. If you want more public IP addresses then you will have to contact your internet provider. If they can provide you a static IP address for an additional fee then you won't need No-IP.

You will have to add the local IP address for Nextcloud to your hosts file so your computer will use the hosts file instead of DNS to find the local server. I don't know what OS you are using, so here's a link that explains how to do it.

https://support.rackspace.com/how-to/modify-your-hosts-file/
 

Fawst

Member


Thank you very much for your help and fast response .

I tried to follow how to modify the hosts file, but it doesn't work.

I'm using FreeBSD 10.3 :)
 

Remington

Well-Known Member


You will have to edit the hosts file on your desktop computer (Windows, Mac or Linux) so your web browser can find the local server.
 

Fawst

Member


That works really well; thank you for your many tips and your patience.

We can properly say it's solved :)
 

kpa

Beastie's Twin


You will have to edit the hosts file on your desktop computer (Windows, Mac or Linux) so your web browser can find the local server.
This is not a good solution on any larger scale than two computers. The proper solution is to have a DNS forwarder like dns/unbound serving your network with overrides that return private-address responses for the FQDNs of your services.
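The split-horizon override described above, as an added example that is not part of the original thread or of the dns/unbound project. It assumes the FreeBSD local_unbound layout already enabled in the poster's rc.conf (`local_unbound_enable="YES"`, configuration under /var/unbound), uses `example.hopto.org` as a stand-in for the redacted No-IP hostname, and forwards everything else to the ISP router at 192.168.2.1; all three are assumptions. LAN clients that use this resolver get the jail's private address for the service name, while clients outside the network still resolve the No-IP record to the public address.

```conf
# /var/unbound/unbound.conf  (added example; FreeBSD local_unbound layout assumed)
server:
    # Listen on the server's LAN address as well as localhost so other
    # machines on 192.168.2.0/24 can use it as their resolver.
    interface: 127.0.0.1
    interface: 192.168.2.16

    # Only answer the LAN; refuse everyone else so this is not an open resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Split-horizon override for the No-IP name (hostname is a placeholder).
    # "static" means names under this zone not listed in local-data get NXDOMAIN;
    # use "transparent" instead if the zone also has public records to pass through.
    local-zone: "example.hopto.org." static
    local-data: "example.hopto.org. 300 IN A 192.168.2.20"

forward-zone:
    # Everything not overridden above goes to the upstream resolver
    # (the ISP router here; any trusted resolver works).
    name: "."
    forward-addr: 192.168.2.1
```

After editing, run `unbound-checkconf /var/unbound/unbound.conf` and restart with `service local_unbound restart`; then verify from a LAN client with `drill example.hopto.org @192.168.2.16` (or `host`/`nslookup`) that the answer is 192.168.2.20. The clients must actually use 192.168.2.16 as their resolver, either through the router's DHCP settings or by configuring it on each machine, otherwise they will keep asking the router and get the public address.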
 

Remington

Well-Known Member


This is not a good solution on any larger scale than two computers. The proper solution is to have a DNS forwarder like dns/unbound serving your network with overrides that return private address responses for the FQDNs of your services.
I agree, but it's something that should be done by an experienced admin.
 