Route traffic from jail 1 to jail 2 on host

[johnathan55]

Hello dear FreeBSD community,

I just recently began using this great OS and while I do have a background in Windows networking, I'm very new to how I can achieve certain tasks on FreeBSD, especially with jails.

Basically I'm trying to figure out how to route traffic from one jail to another, all managed and setup from the host system itself (preferably one ruleset, so I only have to connect to the host and configure everything there if changes come along).

So here's my layout (default-gateway is my router at .1):

FreeBSD ip=.50 igb0 ipfw0 bridge0 epair0a epair1a default-gw=.1
-> openvpn-jail ip=.201 epair0b default-gw=.1
-> other-jail ip=.200 epair1b default-gw=.1

So what I want to achieve is that the 'other-jail' at .200 does not communicate through my router, but instead sends all traffic to the 'openvpn-jail' at .201

Currently I've enabled pf on my host (.50), but I haven't created any rules yet. This is the part where I'd be glad if someone could hold hands and explain this to me with examples.

1. I assume I'll have to change the default-gateway for the 'other-jail' to .201, or would it need to be the host at .50, which is ultimately where I would set up the rules, correct?

2. Do I just enable the ipv4 gateway and create a "rdr" rule on .50 then? Something like:

rdr on epair1a inet proto tcp to port {custom application port} -> epair0a

Would that be enough to achieve the goal I have in mind here?

Thank you for any help and understanding,
happy holidays

 

[johnathan55]

Hmph, so I tried to accomplish this and I edited my rc.conf on my host as follows:

pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
gateway_enable="YES"

#alias
ifconfig_igb0_alias0="inet 192.168.1.201 netmask 255.255.255.0"
ifconfig_igb0_alias1="inet 192.168.1.200 netmask 255.255.255.0"

I then added .201 (OpenVPN jail) as the default gateway for .200 (other jail), but I had issues with connectivity, so I went into the OpenVPN jail and added this to the rc.conf and rebooted the jail:

gateway_enable="YES"

The jails can successfully ping each other now, and the host can also ping each of them. Another machine inside this network can also see both jails like this. Running a traceroute on the other-jail shows that it's going through the .201 OpenVPN jail. However it can't communicate to the outside world, so pinging Google or Yahoo doesn't go anywhere.

But.. turns out, if I stop the OpenVPN service, my other-jail can reach the outside world and traceroute shows it takes the .201 -> .1 route, which is correct and works. But once I start the OpenVPN service, the other-jail can not communicate with anything on the outside, only with devices on my LAN. In this case traceroute shows .201 as the first hop, but after that it's just * * *, * * * ...

Do I need to set up a pf rule? But it already works without one if the OpenVPN daemon is stopped, could it have something to do with OpenVPN not allowing another machine to send its traffic through a client like this?

I also ran a tcpdump on the OpenVPN jail and started a ping on the other jail. This is what it looks like with OpenVPN started:

IP 192.168.1.200 > google-public-dns-a.google.com: ICMP echo request, id 7519, seq 2, length 64;

And with OpenVPN stopped:

IP 192.168.1.200 > google-public-dns-a.google.com: ICMP echo request, id 53087, seq 0, length 64;
IP openvpn.18121 > google-public-dns-a.google.com.domain: 64744+ PTR? 201.1.168.192.in-addr.arpa. (43);
ARP, Request who-has 192.168.1.200 tell 192.168.1.1, length 46;
IP google-public-dns-a.google.com.domain > openvpn.18121: 64744 NXDomain 0/0/0 (43);

 

[quamenzullo]

Don't know if you've resolved your problem.

I'm no expert about these questions, but as for the jails communicating to internet, I don't know if configuring and running pf is necessary, but I did it this way, following the explanations from this thread (pf configuration and start is in step 4., but you should also check the other steps).

 

[da1]

You can also just use 127.0.0.0/8 for your jails. This way, they will communicate via the lo0 interface to each other but if you need the to access the internet, you will need a router (be it the host or the .1 gw). If you need services, you can redirect ports from the host to the 127.0.0.x/8 jail.

Or do you have to have an internal class C IP assigned to the jails?