RPi3+, Jail, IPFW and NAT

I have an RPi3+ here. A jail is to run on it with NAT. IPFW should be used here (yes, I know, there is also PF, but IPFW is the company's default).

Gateway: 192.168.2.1

RPi3+: 192.168.2.35 / 255.255.255.0
Jail: 10.0.0.2 ( /usr/jails/jail2icinga )

/etc/rc.conf:

Code:
hostname="raspberrypi3"
ifconfig_ue0="inet 192.168.2.35 netmask 255.255.255.0"
defaultrouter="192.168.2.1"

sshd_enable="YES"

sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

growfs_enable="YES"

#JAILS
jail_enable="YES"

#IPFW
firewall_enable="YES"
firewall_type="open"

#NAT
cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"
gateway_enable="YES"

/etc/jail.conf:
Code:
exec.start="/bin/sh /etc/rc";

exec.stop="/bin/sh /etc/rc.shutdown";

exec.clean;

mount.devfs;

# Network interface
interface="lo1";

jail2icinga {
 host.hostname = "jail2icinga.local";
 path = /usr/jails/jail2icinga;
 ip4.addr = "10.0.0.2";
 allow.raw_sockets=1;
 allow.chflags;
 allow.mount.procfs;
 allow.mount.devfs;
}

/etc/sysctl.conf:
Code:
# ALLOW JAIL RAW SOCKETS
security.jail.allow_raw_sockets=1

# ALLOW UPGRADES IN JAIL
security.jail.chflags_allowed=1

security.jail.sysvipc_allowed=1
net.inet.ip.forwarding=1

ifconfig:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128 
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
   inet 127.0.0.1 netmask 0xff000000 
   groups: lo 
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
   inet 10.0.0.2 netmask 0xffffffff 
   groups: lo 
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
   ether b8:27:eb:b5:d1:a3
   inet 192.168.2.35 netmask 0xffffff00 broadcast 192.168.2.255 
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Since I have chosen the profile "open" in IPFW, no extra config should be needed here.
Code:
% uname -a
FreeBSD raspberrypi3 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  arm64
Problem: The jail cannot establish any network communication (pinging by IP and by FQDN does not work); from the main host this is not a problem. Where is the error?
 
There's no NAT happening. So your packets go out but the responses are sent elsewhere. This can work without NAT but your network needs to have a route for 10.0.0.0/24.
 
I'm wondering why the handbook talks about natd when IPFW has a built-in NAT rule.
I don't have natd enabled on my router, but instead I have these in my firewall rules:
Code:
ipfw nat 1 config if $pif log unreg_only

#################################################################
# No restrictions on Inside Lan Interface for private network
#################################################################
ipfw add 005 allow all from any to any via $iif

#################################################################
# No restrictions on Loopback Interface
#################################################################
ipfw add 010 allow all from any to any via lo0

#################################################################
# Wait for fragments to be reassembled before going through
#################################################################
ipfw add 011 reass all from any to any in

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
ipfw add 014 nat 1 ip from any to any via $pif in

# here go the rest of my rules, e.g. allowing access to DNS/DHCP and whatever I want to allow out/in
$pif is my public interface, $iif is my internal interface.

I am not an expert on IPFW though, I cobbled my firewall config together from multiple configs I found on the internet. If someone thinks what I did isn't good, please correct me.
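A complete in-kernel NAT ruleset for the setup from the question (jail address 10.0.0.2 on lo1, host outside interface ue0), as an added example that is not from either poster. It fills in the two pieces the thread leaves implicit: the outbound nat rule for the jail network and the fact that host-to-jail traffic over lo1 must bypass NAT. The script is meant to replace firewall_type="open" via firewall_script="/etc/ipfw.jailnat.sh" (a hypothetical path; the rule numbers are also my choice). Note that rc.conf(5) also offers firewall_nat_enable and firewall_nat_interface, which make the stock rc.firewall insert an equivalent in-kernel NAT rule in front of the "open" rules; the script below is the explicit version of the same thing.

```shell
#!/bin/sh
# Added example: ipfw in-kernel NAT for a jail living on a lo1 alias.
# Assumed rc.conf: firewall_enable="YES"
#                  firewall_script="/etc/ipfw.jailnat.sh"   (hypothetical path)
# rc.d/ipfw runs this script at boot; "sh ipfw.jailnat.sh print" is a dry run.

pif="ue0"            # host's outside interface (from the question)
jif="lo1"            # cloned loopback carrying the jail address
jnet="10.0.0.0/24"   # jail network that gets translated

# setup_rules FWCMD: emit the ruleset through FWCMD, which is /sbin/ipfw
# when applying and "echo" for a dry run.
setup_rules() {
    fw="$1"
    $fw -q -f flush
    # Translate only RFC 1918 sources; "reset" flushes the NAT table when the
    # address on ue0 changes (new DHCP lease), "same_ports" keeps source ports.
    $fw -q nat 1 config if "$pif" unreg_only reset same_ports
    # Loopback and host<->jail traffic on lo1 never goes through NAT.
    $fw -q add 100 allow ip from any to any via lo0
    $fw -q add 110 allow ip from any to any via "$jif"
    # Reassemble fragments before NAT looks at them.
    $fw -q add 200 reass ip from any to any in
    # Replies arriving on the outside interface: reverse-translate to the jail.
    $fw -q add 300 nat 1 ip from any to any in via "$pif"
    # Packets the jail sends out: rewrite the 10.0.0.x source to the ue0 address.
    # Without this rule the packets leave with 10.0.0.2 and the answers go
    # elsewhere, which is exactly the symptom in the question.
    $fw -q add 400 nat 1 ip from "$jnet" to any out via "$pif"
    # Everything else: same policy as firewall_type="open".
    $fw -q add 65000 allow ip from any to any
}

case "${1:-print}" in
    print) setup_rules echo ;;        # dry run: print the rules that would load
    *)     setup_rules /sbin/ipfw ;;  # rc.d/ipfw passes $firewall_type as $1
esac
```

After loading, `ipfw nat 1 show config` and `ipfw show` confirm the instance and the two nat rules; `tcpdump -ni ue0 icmp` while pinging from the jail should show the packets leaving with the 192.168.2.35 source, not 10.0.0.2. With the default net.inet.ip.fw.one_pass=1 a packet accepted by a nat rule leaves the ruleset there, so nothing further has to allow it. Name resolution is a separate matter: the jail uses its own /etc/resolv.conf, so the resolver listed there (for example the gateway 192.168.2.1) must be reachable through the NAT as well.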
 