From owner-freebsd-stable@FreeBSD.ORG Thu Nov 22 10:38:12 2012
Date: Thu, 22 Nov 2012 10:38:10 +0000
Subject: Re: natd in a jail
From: Simon Dick
To: Morgan Reed
Cc: "freebsd-stable@freebsd.org"
List-Id: Production branch of FreeBSD source code

On 22 November 2012 04:00, Morgan Reed wrote:
> Hi All,
>
> I've a bit of an odd query which I hope somebody may be able to
> assist with.
>
> I'm looking to set up several OpenVPN tunnels on a single machine
> (each residing in its own jail) and route data to different
> destinations over different tunnels by selectively routing the traffic
> via a particular jail.
>
> I have three jails set up with OpenVPN tunnels terminated in each;
> they all work as expected from the "local" machine.
>
> I can't do a straightforward route over the VPN tunnel as I don't
> control the other end of the tunnel; I need to treat it as a
> point-to-point connection as a result, hence I need to use NAT.
>
> I've tested this setup with a single tunnel running off a "real"
> machine with natd providing NAT, and it works like a charm. However, when
> I move the config into a jail I run into issues: natd doesn't seem to
> be able to see the incoming traffic, and nothing shows up in the logs at
> all.
>
> I'm not even sure if this is actually possible. I'm starting to
> suspect that natd can't hook in low enough from the jails to access
> the incoming traffic.
>
> Traffic gets into the jail by way of an epair interface between the
> host and the jail, bridged to the ethernet adapter by way of a bridge
> device. I can see the traffic attempting to route over the tun
> interface in the jail (but obviously it's not being NATted so nothing
> comes back), so the traffic is making it in and through the routing
> engine, just not via natd.
>
> Any suggestions here?
>
> The host is FreeBSD-8.3.

I've not used it myself, but this sounds like something VIMAGE may be good for. Basically it's a virtual TCP stack per jail; there are some docs at http://wiki.freebsd.org/Image but I seem to remember a more up to date one elsewhere and can't find it at the moment!