Good afternoon everyone,
I am trying to set up a jail that will run a gaming server using linux_base-c7-7.9.2009 inside the jail. I am using ezjail to manage all jails (I find it easier). The problem I have is that I cannot get the rdr rule to work properly, and I cannot ping my jail from my laptop. The server is a Dell PowerEdge 1950.
uname -a:
Code:
FreeBSD ldrive 13.1-RC3 FreeBSD 13.1-RC3 #1 r372073M: Thu May 5 11:08:31 BST 2022 root@ldrive:/usr/obj/usr/src/amd64.amd64/sys/LDRIVE amd64
pf.conf:
Code:
##################################################
# Firewall (PF) by Airost made on 27/04/2022 #
##################################################
##############################
# Macros and tables #
##############################
lo_if="lo0" #loopback
wan_if="tun0" #PlusNet
lan_if="bce1" #LAN
lan_net="172.16.0.1/16" #LAN network
my_ip="212.159.22.253" #IP WAN
uzytkownicy="{ 172.16.0.1,
172.16.0.2,
172.16.0.3,
172.16.0.4,
172.16.0.5,
172.16.0.6,
172.16.0.7,
172.16.0.8,
172.16.0.9,
172.16.0.10,
172.16.0.11,
172.16.0.12,
172.16.0.13,
172.16.0.14,
172.16.0.15,
172.16.0.16,
172.16.0.17,
172.16.0.18,
172.16.0.19,
172.16.0.20,
172.16.0.21,
172.16.0.22,
172.16.0.23,
172.16.0.24,
172.16.0.25 }"
jails="{ 172.16.10.1,
172.16.10.2,
172.16.10.3,
172.16.10.4 }"
set loginterface $wan_if
set loginterface $lan_if
set optimization normal
##############################
# Packet normalization #
##############################
scrub in all
scrub on $wan_if no-df
##############################
# AltQ - upload #
##############################
altq on $wan_if cbq bandwidth 1Gb queue { std_out \
accesspoint_out \
airost_out \
airostmobile_out \
aszka_out \
aszkamobile_out \
aszkaipad_out \
PS4_out \
amazontv_out \
bluray_out \
jailwwwserver_out \
jailmailserver_out \
jailgameserver_out }
queue std_out bandwidth 30Mb cbq(default red)
queue accesspoint_out bandwidth 15Mb cbq(red)
queue airost_out bandwidth 1Mb cbq(red)
queue airostmobile_out bandwidth 1Mb cbq(red)
queue aszka_out bandwidth 10Mb cbq(red)
queue aszkamobile_out bandwidth 1Mb cbq(red)
queue aszkaipad_out bandwidth 1Mb cbq(red)
queue PS4_out bandwidth 1Mb cbq(red)
queue amazontv_out bandwidth 1Mb cbq(red)
queue bluray_out bandwidth 1Mb cbq(red)
queue jailwwwserver_out bandwidth 10Mb cbq(red)
queue jailmailserver_out bandwidth 10Mb cbq(red)
queue jailgameserver_out bandwidth 10Mb cbq(red)
##############################
# AltQ - download #
##############################
altq on $lan_if cbq bandwidth 1Gb queue { std_in \
accesspoint_in \
airost_in \
airostmobile_in \
aszka_in \
aszkamobile_in \
aszkaipad_in \
PS4_in \
amazontv_in \
bluray_in \
jailwwwserver_in \
jailmailserver_in \
jailgameserver_in }
queue std_in bandwidth 78Mb cbq(default red)
queue accesspoint_in bandwidth 78Mb cbq(red)
queue airost_in bandwidth 30Mb cbq(red)
queue airostmobile_in bandwidth 5Mb cbq(red)
queue aszka_in bandwidth 20Mb cbq(red)
queue aszkamobile_in bandwidth 5Mb cbq(red)
queue aszkaipad_in bandwidth 5Mb cbq(red)
queue PS4_in bandwidth 10Mb cbq(red)
queue amazontv_in bandwidth 10Mb cbq(red)
queue bluray_in bandwidth 10Mb cbq(red)
queue jailwwwserver_in bandwidth 10Mb cbq(red)
queue jailmailserver_in bandwidth 10Mb cbq(red)
queue jailgameserver_in bandwidth 10Mb cbq(red)
##############################
# NAT -> LAN #
##############################
nat on $wan_if from $uzytkownicy to any -> ($wan_if)
nat on $wan_if from $lan_if to any -> ($wan_if)
nat on $wan_if from $jails to any -> ($wan_if)
##############################
# Redirect LAN -> WAN #
##############################
#Steam server [Jail]
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 80, 443, 27015, 27016, 7777 } -> 172.16.10.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 27005, 27020, 51840 } -> 172.16.10.3
#rdr pass on $wan_if inet proto tcp to vlan1 port 21 -> 172.16.10.1
#rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 9987, 30033, 10011 } -> 172.16.10.3
#rdr pass on $wan_if proto { tcp, udp } from any to any port 9987 -> 172.16.10.3 port 9987
#rdr pass on $wan_if proto { tcp, udp } from any to any port 10011 -> 172.16.10.3 port 10011
#rdr pass on $wan_if proto { tcp, udp } from $jails to any port 30033 -> 172.16.10.3 port 30033
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 9987, 10011, 30033 } -> 172.16.10.3
##### Works on the host
#rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 9987, 10011, 30033 } -> 212.159.22.253
##############################
# Firewall #
##############################
pass out all
pass in all
##############################
# AltQ - users #
##############################
pass in on $lan_if inet proto tcp from any to $wan_if port 1723 flags S/SAFR queue (q_normal, q_ack)
pass in on $lan_if inet proto gre from any to $wan_if queue (q_normal, q_ack)
##############################
# Tagging LAN packets #
##############################
pass in on $lan_if from 172.16.0.1 to any tag server keep state
pass in on $lan_if from 172.16.0.2 to any tag accesspoint keep state
pass in on $lan_if from 172.16.0.3 to any tag airost keep state
pass in on $lan_if from 172.16.0.4 to any tag airostmobile keep state
pass in on $lan_if from 172.16.0.5 to any tag aszka keep state
pass in on $lan_if from 172.16.0.6 to any tag aszkamobile keep state
pass in on $lan_if from 172.16.0.7 to any tag aszkaipad keep state
pass in on $lan_if from 172.16.0.8 to any tag PS4 keep state
pass in on $lan_if from 172.16.0.9 to any tag amazontv keep state
pass in on $lan_if from 172.16.0.10 to any tag bluray keep state
pass in on $lan_if from 172.16.10.1 to any tag jailwwwserver keep state
pass in on $lan_if from 172.16.10.2 to any tag jailmailserver keep state
pass in on $lan_if from 172.16.10.3 to any tag jailgameserver keep state
##############################
# AltQ - Upload #
##############################
pass out on $wan_if all tagged server keep state queue server_out
pass out on $wan_if all tagged accesspoint keep state queue accesspoint_out
pass out on $wan_if all tagged airost keep state queue airost_out
pass out on $wan_if all tagged airostmobile keep state queue airostmobile_out
pass out on $wan_if all tagged aszka keep state queue aszka_out
pass out on $wan_if all tagged aszkamobile keep state queue aszkamobile_out
pass out on $wan_if all tagged aszkaipad keep state queue aszkaipad_out
pass out on $wan_if all tagged PS4 keep state queue PS4_out
pass out on $wan_if all tagged amazontv keep state queue amazontv_out
pass out on $wan_if all tagged bluray keep state queue bluray_out
pass out on $wan_if all tagged jailwwwserver keep state queue jailwwwserver_out
pass out on $wan_if all tagged jailmailserver keep state queue jailmailserver_out
pass out on $wan_if all tagged jailgameserver keep state queue jailgameserver_out
##############################
# AltQ - Download #
##############################
pass in on $lan_if all tagged server keep state queue server_in
pass in on $lan_if all tagged accesspoint keep state queue accesspoint_in
pass in on $lan_if all tagged airost keep state queue airost_in
pass in on $lan_if all tagged airostmobile keep state queue airostmobile_in
pass in on $lan_if all tagged aszka keep state queue aszka_in
pass in on $lan_if all tagged aszkamobile keep state queue aszkamobile_in
pass in on $lan_if all tagged aszkaipad keep state queue aszkaipad_in
pass in on $lan_if all tagged PS4 keep state queue PS4_in
pass in on $lan_if all tagged amazontv keep state queue amazontv_in
pass in on $lan_if all tagged bluray keep state queue bluray_in
pass in on $lan_if all tagged jailwwwserver keep state queue jailwwwserver_in
pass in on $lan_if all tagged jailmailserver keep state queue jailmailserver_in
pass in on $lan_if all tagged jailgameserver keep state queue jailgameserver_in
##############################
# Port blocking #
##############################
block in log quick on wan_if proto tcp from any to any port = 135
block in log quick on wan_if proto tcp from any to any port = 136
block in log quick on wan_if proto tcp from any to any port = 137
block in log quick on wan_if proto tcp from any to any port = 138
block in log quick on wan_if proto tcp from any to any port = 139
block in log quick on wan_if proto tcp from any to any port = 445
block in log quick on wan_if proto tcp from any to any port = 593
block in log quick on wan_if proto tcp from any to any port = 1024
block in log quick on wan_if proto tcp from any to any port = 1025
block in log quick on wan_if proto tcp from any to any port = 1026
block in log quick on wan_if proto tcp from any to any port = 1027
block in log quick on wan_if proto tcp from any to any port = 1028
block in log quick on wan_if proto tcp from any to any port = 1029
block in log quick on wan_if proto tcp from any to any port = 1030
block in log quick on lan_if proto tcp from any to any port = 135
block in log quick on lan_if proto tcp from any to any port = 136
block in log quick on lan_if proto tcp from any to any port = 137
block in log quick on lan_if proto tcp from any to any port = 138
block in log quick on lan_if proto tcp from any to any port = 139
block in log quick on lan_if proto tcp from any to any port = 445
block in log quick on lan_if proto tcp from any to any port = 593
block in log quick on lan_if proto tcp from any to any port = 1024
block in log quick on lan_if proto tcp from any to any port = 1025
block in log quick on lan_if proto tcp from any to any port = 1026
block in log quick on lan_if proto tcp from any to any port = 1027
block in log quick on lan_if proto tcp from any to any port = 1028
block in log quick on lan_if proto tcp from any to any port = 1029
block in log quick on lan_if proto tcp from any to any port = 1030
ifconfig from host:
Code:
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
ether 00:19:b9:f0:22:25
inet 192.168.2.11 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (1000baseT <full-duplex,master>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
ether 00:19:b9:f0:22:23
inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
media: Ethernet autoselect (1000baseT <full-duplex,master>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
syncpeer: 0.0.0.0 maxupd: 128 defer: off
syncok: 1
groups: pfsync
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.1.0.0 netmask 0xffff0000
inet 127.1.0.1 netmask 0xffffffff
inet 127.1.0.2 netmask 0xffffffff
inet 127.1.0.3 netmask 0xffffffff
inet6 fe80::1%lo1 prefixlen 64 scopeid 0x6
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
options=80000<LINKSTATE>
inet 212.159.22.253 --> 195.166.130.254 netmask 0xffffffff
groups: tun
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Opened by PID 696
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80103<RXCSUM,TXCSUM,TSO4,LINKSTATE>
ether 00:19:b9:f0:22:23
inet 172.16.10.1 netmask 0xffffffff broadcast 172.16.10.1
groups: vlan
vlan: 1 vlanproto: 802.1q vlanpcp: 0 parent interface: bce1
media: Ethernet autoselect (1000baseT <full-duplex,master>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80103<RXCSUM,TXCSUM,TSO4,LINKSTATE>
ether 00:19:b9:f0:22:23
inet 172.16.10.2 netmask 0xffffffff broadcast 172.16.10.2
groups: vlan
vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: bce1
media: Ethernet autoselect (1000baseT <full-duplex,master>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80103<RXCSUM,TXCSUM,TSO4,LINKSTATE>
ether 00:19:b9:f0:22:23
inet 172.16.10.3 netmask 0xffffffff broadcast 172.16.10.3
groups: vlan
vlan: 3 vlanproto: 802.1q vlanpcp: 0 parent interface: bce1
media: Ethernet autoselect (1000baseT <full-duplex,master>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ezjail conf file for gameserver:
Code:
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#
export jail_gameserver_hostname="gameserver"
export jail_gameserver_ip="vlan3|172.16.10.3,lo1|127.1.0.3"
export jail_gameserver_rootdir="/usr/jails/gameserver"
export jail_gameserver_exec_start="/bin/sh /etc/rc"
export jail_gameserver_exec_stop=""
export jail_gameserver_mount_enable="YES"
export jail_gameserver_devfs_enable="YES"
export jail_gameserver_devfs_ruleset="devfsrules_jail"
export jail_gameserver_procfs_enable="YES"
export jail_gameserver_fdescfs_enable="YES"
export jail_gameserver_image=""
export jail_gameserver_imagetype=""
export jail_gameserver_attachparams=""
export jail_gameserver_attachblocking=""
export jail_gameserver_forceblocking=""
export jail_gameserver_zfs_datasets=""
export jail_gameserver_cpuset=""
export jail_gameserver_fib=""
export jail_gameserver_parentzfs=""
export jail_gameserver_parameters="allow.raw_sockets=1 allow.sysvipc allow.mount.nullfs enforce_statfs=1 allow.mount.linprocfs allow.mount.linsysfs allow.mount.tmpfs allow.socket_af linux=i
export jail_gameserver_post_start_script=""
export jail_gameserver_retention_policy=""
and rc.conf on the host:
Code:
sendmail_enable="NONE"
hostname="ldrive"
keymap="pl.kbd"
sshd_enable="YES"
moused_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
################
#Network interfaces
ifconfig_bce0="inet 192.168.2.11 netmask 255.255.255.0"
ifconfig_bce1="inet 172.16.0.1 netmask 255.255.0.0"
ifconfig_lo1="inet 127.1.0.0/16"
#PPPoE connection
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="plusnet"
#Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
#Internet forwarding
gateway_enable="YES"
#DHCP server
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="bce1"
#Linux emulator
linux_enable="YES"
#Ez_jails
#jail_enable="YES"
ezjail_enable="YES"
cloned_interfaces="lo1"
cloned_interface="vlan1"
ifconfig_vlan1="inet 172.16.10.1 netmask 255.255.0.0 vlan 1 vlandev bce1"
cloned_interface="vlan2"
ifconfig_vlan2="inet 172.16.10.2 netmask 255.255.0.0 vlan 2 vlandev bce1"
cloned_interface="vlan3"
ifconfig_vlan3="inet 172.16.10.3 netmask 255.255.0.0 vlan 3 vlandev bce1"
From the host I can ping my jail, but not from my laptop. From what I figured out, it's probably a routing issue:
netstat -rn on the host:
Code:
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 195.166.130.254 US tun0
127.0.0.1 link#3 UHS lo0
127.1.0.0 link#6 UH lo1
127.1.0.1 link#6 UH lo1
127.1.0.2 link#6 UH lo1
127.1.0.3 link#6 UH lo1
172.16.0.0/16 link#2 U bce1
172.16.0.1 link#2 UHS lo0
172.16.10.1 link#8 UH lo0
172.16.10.2 link#9 UH lo0
172.16.10.3 link#10 UH lo0
192.168.2.0/24 link#1 U bce0
192.168.2.11 link#1 UHS lo0
195.166.130.254 link#7 UHS tun0
212.159.22.253 link#7 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
::1 link#3 UHS lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
fe80::/10 ::1 UGRS lo0
fe80::%lo0/64 link#3 U lo0
fe80::1%lo0 link#3 UHS lo0
fe80::%lo1/64 link#6 U lo1
fe80::1%lo1 link#6 UHS lo0
ff02::/16 ::1 UGRS lo0
netstat -rn from the jail:
Code:
Routing tables
Internet:
Destination Gateway Flags Netif Expire
127.1.0.3 link#6 UH lo1
172.16.10.3 link#10 UH lo0
Ports are not being redirected from the host to the jail. I tried all combinations and none of them worked.
ping from my laptop:
Code:
ping 172.16.10.3 -t
Pinging 172.16.10.3 with 32 bytes of data:
Reply from 172.16.0.3: Destination host unreachable.
Reply from 172.16.0.3: Destination host unreachable.
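Added here as an example (not the poster's code and not part of the original thread): a small Python check for three slips that are easy to miss in a long pf.conf before loading it with pfctl: a `$macro` that is never defined, an `on <name>` written without the `$` (pf then takes the word as a literal interface name), and a filter rule that assigns a queue no `queue NAME` line defines. It runs on a constructed excerpt of the ruleset posted above; `lint_pf` and `PF_CONF` are names chosen here.

```python
import re

# Constructed excerpt of the pf.conf posted above (a few rules standing in
# for the full file); assumption: it is only sample input for lint_pf().
PF_CONF = """\
wan_if="tun0"
lan_if="bce1"
jails="{ 172.16.10.1, 172.16.10.3 }"
altq on $wan_if cbq bandwidth 1Gb queue { std_out jailgameserver_out }
queue std_out bandwidth 30Mb cbq(default red)
queue jailgameserver_out bandwidth 10Mb cbq(red)
nat on $wan_if from $jails to any -> ($wan_if)
rdr pass on $wan_if inet proto {tcp, udp} from any to any port 27015 -> 172.16.10.3
pass in on $lan_if inet proto gre from any to $wan_if queue (q_normal, q_ack)
pass out on $wan_if all tagged server keep state queue server_out
pass out on $wan_if all tagged jailgameserver keep state queue jailgameserver_out
block in log quick on wan_if proto tcp from any to any port = 135
"""
MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"')          # name="..."
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')                 # $name
QUEUE_DEF = re.compile(r'^queue\s+(\S+)')                   # queue NAME ...
QUEUE_REF = re.compile(r'\bqueue\s*(?:\(([^)]*)\)|(\w+))')  # queue X | queue (X, Y)
ON_IFACE = re.compile(r'\bon\s+([A-Za-z_]\w*)\b')           # on NAME (no $)

def lint_pf(text):
    """Return [(line_no, message)] for three slips that are easy to miss in a long pf.conf."""
    lines = text.splitlines()
    macros = {m.group(1) for l in lines if (m := MACRO_DEF.match(l))}
    queues = {m.group(1) for l in lines if (m := QUEUE_DEF.match(l))}
    findings = []
    for n, line in enumerate(lines, 1):
        rule = line.split("#", 1)[0].strip()              # drop comments
        if not rule or MACRO_DEF.match(rule):
            continue
        for name in MACRO_REF.findall(rule):              # $name with no definition
            if name not in macros:
                findings.append((n, f"undefined macro ${name}"))
        for name in ON_IFACE.findall(rule):               # 'on wan_if': pf sees a literal ifname
            if name in macros:
                findings.append((n, f"'on {name}' is missing '$' (macro {name} exists)"))
        if rule.split()[0] in ("pass", "block", "match"):  # queue assigned but never defined
            m = QUEUE_REF.search(rule)
            if m:
                names = m.group(1) if m.group(1) is not None else m.group(2)
                for q in filter(None, re.split(r"[,\s]+", names)):
                    if q not in queues:
                        findings.append((n, f"queue {q} is never defined"))
    return findings
```

On the excerpt, `lint_pf(PF_CONF)` reports the `q_normal`/`q_ack` and `server_out` queue names, which the posted ruleset references but never defines, and the `block ... on wan_if` line written without `$`.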