From owner-freebsd-questions@FreeBSD.ORG Thu Jul 21 22:21:24 2005
From: Jaco van Tonder
Date: Fri, 22 Jul 2005 00:20:34 +0200
Message-ID: <42E01FB2.3090402@coocoo.za.net>
To: "Chad Leigh -- Shire.Net LLC"
Cc: freebsd-questions@freebsd.org
Subject: Re: [Jail] Setting default route in Jail?
Chad,

Chad Leigh -- Shire.Net LLC typed on a keyboard not too far away, on 7/21/2005 5:19 PM:
>
> On Jul 21, 2005, at 9:02 AM, jaco@coocoo.za.net wrote:
>
>> Hello All,
>>
>> My setup looks like this:
>> The FreeBSD machine has a public range IP address, and I set up a couple
>> of jails with private range IP addresses (192.168.x.x) on the same box.
>>
>> The private range IP addresses are set up as aliases, using the procedure
>> as described in the jail(8) man page.
>>
>> All works fine, except for the fact that from within the jails I do not
>> have internet connectivity as the default route is the same as my jail
>> host's default route. For this to work I would have to be able to set my
>> default route in the jail environment to the IP address of my jail host
>> and enable the jail host as a gateway.
>>
>> The problem is that you are not allowed to set the default route inside of
>> the jail, and currently this default route is the default route of the
>> jail host.
>>
>> I am sure other people must have had this problem before and found a
>> solution. :)
>>
>> Anybody know any workarounds? Or maybe a better way to set this up?
>
>
> Hi
>
> I got it working though I don't remember exactly how. I set my host as
> a gateway and maybe played around with some ipfw rules. I did do some
> ipfw rules and set up natd but I don't remember exactly what it was I
> was doing with them (meaning why) as I had some other needs as well...
>
> The xxx out addresses are the public netblock we have. I am not an
> ipfw expert and came up with these through trial and error and reading
> web pages in the middle of the night
>
> waymoot# more rc.firewall
> #!/bin/sh
> #
> /sbin/ipfw -f flush
> /sbin/ipfw add pass all from x.x.x.0/24 to me
> /sbin/ipfw add pass all from me to x.x.x.0/24 via bge0
> /sbin/ipfw add pass all from 192.168.2.0/24 to me
> /sbin/ipfw add pass all from 192.168.1.0/24 to me
> /sbin/ipfw add pass all from me to 192.168.2.0/24 via bge1
> /sbin/ipfw add pass all from me to 192.168.1.0/24 via bge0
> /sbin/ipfw add divert natd all from any to any via bge0
> /sbin/ipfw add pass all from any to any
> waymoot#

Thanks,

Your post actually made me think a bit for a change and I COMPLETELY
forgot about the NAT. :P

After adding the following rule to my pf.conf, it started working:

nat on em0 from 192.168.53.1 to any -> 192.168.10.56

Thanks again!

---Jaco

--
Jaco van Tonder
Software Developer
Direct: +27 11 312 2122 :: Fax: +27 11 312 2122 :: Mobile: +27 83 417 5424
Email: jaco@coocoo.za.net :: Web: http://www.coocoo.za.net/

Real Software Engineers don't debug programs; they verify correctness.
This process doesn't necessarily involve execution of anything on a
computer, except perhaps a Correctness Verification Aid package.
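The host-side setup the thread arrives at (jail addresses as aliases, the host forwarding, and a pf nat rule per jail), written out as an added example that is not part of the thread. It reuses the interface and addresses from Jaco's rule (em0, 192.168.53.1, 192.168.10.56); the second jail address and the file name /etc/pf.conf.jails are constructed.

```shell
#!/bin/sh
# Added example: NAT for jails that carry private (192.168.x.x) aliases.
# Replies to a private source address are not routable from the outside,
# so the host must translate each jail's traffic to its own address.
set -eu

EXT_IF="em0"                          # from the thread
HOST_IP="192.168.10.56"               # from the thread
JAIL_IPS="192.168.53.1 192.168.53.2"  # first from the thread, second constructed

# One nat rule per jail address. Matching the individual jail addresses
# instead of "from any" keeps the host from translating traffic it merely
# forwards for unrelated hosts on the same segment.
jail_nat_rules() {
    ext_if=$1; host_ip=$2; shift 2
    for ip in "$@"; do
        printf 'nat on %s from %s to any -> %s\n' "$ext_if" "$ip" "$host_ip"
    done
}

# pf applies nat rules before filter rules; with a default-deny filter the
# translated packets still need a pass rule to leave the external interface.
build_pf_conf() {
    ext_if=$1; host_ip=$2; shift 2
    jail_nat_rules "$ext_if" "$host_ip" "$@"
    printf 'pass out on %s keep state\n' "$ext_if"
}

apply() {
    # Jail traffic leaves through the host, so the host must forward.
    sysctl net.inet.ip.forwarding=1
    # Jail addresses are host aliases, as in jail(8).
    for ip in $JAIL_IPS; do
        ifconfig "$EXT_IF" alias "$ip" netmask 255.255.255.255
    done
    build_pf_conf "$EXT_IF" "$HOST_IP" $JAIL_IPS > /etc/pf.conf.jails
    pfctl -f /etc/pf.conf.jails
}

# Only touch the system when run as "sh this.sh apply".
if [ "${1:-}" = "apply" ]; then
    apply
fi
```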