Solved Proper routing for jailed Wireguard client?

I'm having trouble with routing when trying to run a wg client inside a 13.3R jail, on a home network behind multiple NAT, with the wg server out on a VPS.
Code:
laptop         VPS                 | NAT | ER-X router   jail
wg-client      wg-server           |     |               wg-client
10.13.13.3 --- 10.13.13.1 ------------------------------ 10.13.13.2
               142.93.57.184:51820 |     | 192.168.1.1   192.168.1.173

The jail has VNET, gets its IP from the router using DHCP, and was built using iocage:

sh:
# iocage create -n "wg" -r 13.3-RELEASE --thickjail vnet="on" allow_raw_sockets="1" boot="on" bpf="yes" dhcp="on"

From the remote laptop, I can ping the jail using both its wg subnet address and its LAN subnet address, so I think I have wg configured properly.

sh:
root@laptop# ping -c 2 10.13.13.2
PING 10.13.13.2 (10.13.13.2) 56(84) bytes of data.
64 bytes from 10.13.13.2: icmp_seq=1 ttl=63 time=158 ms
64 bytes from 10.13.13.2: icmp_seq=2 ttl=63 time=147 ms

root@laptop# ping -c 2 192.168.1.173
PING 192.168.1.173 (192.168.1.173) 56(84) bytes of data.
64 bytes from 192.168.1.173: icmp_seq=1 ttl=63 time=148 ms
64 bytes from 192.168.1.173: icmp_seq=2 ttl=63 time=152 ms

However, I can't yet ping the LAN's router from the remote laptop by routing through the jail.

sh:
root@laptop# ping -c 2 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.

--- 192.168.1.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1020ms

I assumed that I could learn some pf for this and just NAT between the subnets in the jail, but I have not been able to get pf configured and running inside the jail. I understand that jails have security considerations that might be getting in the way.

Is there a way to perform NAT in the jail?

At the moment I'm trying to follow man route to add a static route in the jail to pass everything that arrives on the wg0 interface in the jail to the router, but every variation I've tried says route already in table.

Inside the jail, before starting wg, the routing looks like this:

sh:
# cat /etc/rc.conf
[...]
wireguard_interfaces="wg0"
gateway_enable="YES"

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

# netstat -rn
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS     epair0b
127.0.0.1          link#1             UH          lo0
192.168.1.0/24     link#2             U       epair0b
192.168.1.173      link#2             UHS         lo0

After starting, like this:

sh:
# wg-quick up wg0
[#] ifconfig wg create name wg0
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 10.13.13.2/32 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] resolvconf -a wg0 -x
[#] route -q -n add -inet 0.0.0.0/1 -interface wg0
[#] route -q -n add -inet 128.0.0.0/1 -interface wg0
[#] route -q -n delete -inet 142.93.57.184
[#] route -q -n add -inet 142.93.57.184 -gateway 192.168.1.1
[+] Backgrounding route monitor

# netstat -rn
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#3             US          wg0
default            192.168.1.1        UGS     epair0b
10.13.13.2         link#3             UH          lo0
127.0.0.1          link#1             UH          lo0
128.0.0.0/1        link#3             US          wg0
142.93.57.184      192.168.1.1        UGHS    epair0b
192.168.1.0/24     link#2             U       epair0b
192.168.1.173      link#2             UHS         lo0

Can I forward all incoming traffic for 192/24 on wg0 to the router at 192.168.1.1?

Or is that entirely the wrong way to go?

I don't yet understand enough about routing to know what my options are, or if it's even possible to do this.
 
Hi, my guess is that the router does receive ping packets but sends replies out through its default gateway and the packets get lost.
 
Okay, so I might be able to fix this with router configuration? I need the router to maintain state for traffic coming from that jail and ensure that the replies go back to the jail?
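As an added illustration of the diagnosis in the reply above (example code, not from anyone in this thread): a longest-prefix-match lookup over the jail's routing table exactly as posted, plus a constructed router table, showing why the router's echo reply to 10.13.13.3 follows the default route, and how a static return route for 10.13.13.0/24 via the jail's LAN address changes that. The router's table, its interface names and the 203.0.113.1 ISP next hop are assumptions; the page shows none of them.

```python
import ipaddress

# Routing table of the jail after "wg-quick up wg0", transcribed from the
# netstat -rn output in the post: (prefix, gateway, netif); gateway None = on-link.
JAIL_ROUTES = [
    ("0.0.0.0/1",        None,          "wg0"),
    ("0.0.0.0/0",        "192.168.1.1", "epair0b"),   # "default"
    ("10.13.13.2/32",    None,          "lo0"),
    ("127.0.0.1/32",     None,          "lo0"),
    ("128.0.0.0/1",      None,          "wg0"),
    ("142.93.57.184/32", "192.168.1.1", "epair0b"),   # VPS endpoint stays off the tunnel
    ("192.168.1.0/24",   None,          "epair0b"),
    ("192.168.1.173/32", None,          "lo0"),
]

# Constructed (assumed) table of the ER-X router: the LAN prefix and a default
# route towards the ISP. The 203.0.113.1 next hop is a documentation address.
ROUTER_ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", "eth0"),
    ("192.168.1.0/24", None,          "switch0"),
]

def lookup(routes, dst):
    """Longest-prefix match: the most specific matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    if best is None:
        return None
    net, gw, ifname = best
    return (str(net), gw, ifname)

def reply_path(router_routes, wg_client="10.13.13.3"):
    """Route the router picks for its echo reply to the remote WireGuard client."""
    return lookup(router_routes, wg_client)

def with_return_route(router_routes, jail_lan_ip="192.168.1.173"):
    """Router table after adding a static route for the WireGuard subnet via the jail."""
    return router_routes + [("10.13.13.0/24", jail_lan_ip, "switch0")]

if __name__ == "__main__":
    # Jail: the two /1 routes beat the default, but LAN and VPS endpoint still use epair0b.
    print(lookup(JAIL_ROUTES, "8.8.8.8"))          # ('0.0.0.0/1', None, 'wg0')
    print(lookup(JAIL_ROUTES, "192.168.1.1"))      # ('192.168.1.0/24', None, 'epair0b')
    print(lookup(JAIL_ROUTES, "142.93.57.184"))    # ('142.93.57.184/32', '192.168.1.1', 'epair0b')
    # Router: the reply to 10.13.13.3 follows the default route to the ISP and is lost...
    print(reply_path(ROUTER_ROUTES))               # ('0.0.0.0/0', '203.0.113.1', 'eth0')
    # ...until a return route for 10.13.13.0/24 via the jail exists.
    print(reply_path(with_return_route(ROUTER_ROUTES)))  # ('10.13.13.0/24', '192.168.1.173', 'switch0')
```

The same effect can be had without touching the router by NATing the tunnel traffic to the jail's LAN address inside the jail, which is the pf approach the original post asks about.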
 