Tailscale with jails and IP alias on my main interface?

Hi,

I have a home server running FreeBSD with multiple services running in jails (using bastille).
Right now I have the simplest networking setup using private IP addresses aliased to my main re0 interface (as described here https://bastille.readthedocs.io/en/...red-interface-on-home-or-small-office-network)

So I end up with

Code:
ifconfig
re0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=82099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether 84:47:09:24:28:fd
    inet 10.0.0.6 netmask 0xffff0000 broadcast 10.0.255.255
    inet 10.0.1.1 netmask 0xffff0000 broadcast 10.0.255.255
    inet 10.0.1.2 netmask 0xffff0000 broadcast 10.0.255.255
    inet 10.0.1.3 netmask 0xffff0000 broadcast 10.0.255.255
... all the other jails 10.0.1.x
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bastille0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I would like to use Tailscale to access those services.

I have tried to install Tailscale in every jail but it adds a lot of complexity.
So I was wondering, would it be possible to access my jails with this jail setup and using Tailscale installed only on my host and Tailscale Subnet router (https://tailscale.com/kb/1019/subnets)

I haven't found anybody doing that so I am not sure it is possible as I am new to Tailscale and kind of suck at networking anyway o_O

If this is not possible I would guess I would have to upgrade my jails to VNET jails right?

Many thanks for your help
 
Right now I solved the problem quickly by simply adding redirections to my host pf rules

Code:
rdr pass log on tailscale0 proto tcp from any to any port 2731 -> 10.0.1.2 port 1883

I am pretty sure this is not the right way to do this since rdr pass causes all other filter rules to be ignored and this is not good...

It also creates all sorts of problems with software like syncthing.
 
I am pretty sure this is not the right way to do this since rdr pass causes all other filter rules to be ignored and this is not good...
Split it up, one rdr and a separate pass rule. That said, why filter your monitoring connection? You're going to want to whitelist it if there's any chance of it hitting a blocking rule. And on the rdr pass you could change the from any to any to a more restricted range (or IP address).
 
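The split the reply recommends, written out as a pf.conf fragment. This is an added example, not configuration from either poster; it assumes the Tailscale interface is tailscale0 and that Tailscale peers use the 100.64.0.0/10 CGNAT range, and it keeps the port mapping from the post (2731 on the Tailscale side to 10.0.1.2 port 1883 in the jail). The subnet-router variant at the end is an assumption about how the host-only Tailscale setup the first post asks about would look, not something the thread confirms.

```pf
# Added example (not from the original post): one rdr rule plus a separate
# pass rule, restricted to Tailscale peers, instead of a single "rdr pass".
# Assumptions: Tailscale interface is tailscale0 (as in the post); Tailscale
# node addresses come from the 100.64.0.0/10 CGNAT block; the jail 10.0.1.2
# serves port 1883 and peers connect to port 2731 (mapping from the post).
ts_if    = "tailscale0"
ts_net   = "100.64.0.0/10"      # assumption: Tailscale's default address range
jail_net = "10.0.1.0/24"        # jail aliases on re0, from the ifconfig output

# Translation only. Without the "pass" keyword the packet still goes through
# the filter rules below after its destination has been rewritten.
rdr on $ts_if proto tcp from $ts_net to ($ts_if) port 2731 -> 10.0.1.2 port 1883

# Default deny on the Tailscale interface; pf is last-match-wins, so the
# explicit pass rules after this line take precedence for what they match.
block in log on $ts_if

# Filter rules see the post-translation address, so match the jail side.
# Source is limited to Tailscale peers rather than "from any".
pass in on $ts_if proto tcp from $ts_net to 10.0.1.2 port 1883 keep state

# Subnet-router variant (assumption, not confirmed by the thread): if the host
# advertises the jail range with "tailscale up --advertise-routes=10.0.1.0/24"
# and has net.inet.ip.forwarding=1, peers reach the jail addresses directly
# and only a pass rule is needed, with no rdr at all:
# pass in on $ts_if from $ts_net to $jail_net keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Because rdr runs before filtering, a `pass` rule written against port 2731 would never match; it has to name the translated destination (10.0.1.2 port 1883), which is the usual mistake when splitting a `rdr pass` in two.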