Date: Fri, 01 Jun 2007 20:05:49 +1000
From: Mikhail Goriachev <mikhailg@webanoide.org>
To: rapopp@eastcentral.edu
Cc: freebsd-questions@freebsd.org
Subject: Re: Static Routes, gateways and the end of my sanity
Message-ID: <465FEF7D.1060205@webanoide.org>
In-Reply-To: <200705291242.16640.rapopp@eastcentral.edu>
References: <200705291242.16640.rapopp@eastcentral.edu>
Reuben A. Popp wrote:
> Hello everyone, can someone please (_please_!!) let me know what I'm doing
> wrong in the following example? I am near my wit's end on implementing this,
> any suggestions are greatly appreciated!
>
> The scenario is that I have a server here with twin nics, bce0 and bce1; I
> would like bce0 to be connected to our dmz network (192.168.x.x), while bce1
> would be on our internal network. A jail will reside on the ip assigned to
> bce0, while the regular base system will bind to bce1.
>
> My current rc.conf consists of the following:
> -------------------------------------------
> defaultrouter="10.228.228.254"
> ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
> ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex
> netmask 255.255.255.0"
>
> # Enable Jails for multi-homed box (video)
> jail_enable="YES"
> jail_list="video"
> jail_video_rootdir="/usr/local/jail/video"
> jail_video_hostname="video.eastcentral.edu"
> jail_video_ip="192.168.4.80"
> jail_named_exec_start="/bin/sh /etc/rc"
> jail_video_devfs_enable="YES"
>
> # Routed and gateway settings
> static_routes="net1"
> route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
> ------------------------------------------
>
> Of course there's other things in there like binding various services (inetd,
> syslog, et al) to the internal ip.
>
> On bringing the machine up, I can ping both ips just fine; what I can't do is
> ssh to the dmz address. Yes, sshd is running inside the jail ;). The output
> of tcpdump shows a connect to that ip on bce0, but all responses appear to be
> going out on bce1.
>
> Again, any suggestions or comments are welcome and appreciated. For the
> record, the machine is a Dell PowerEdge 2950 running the amd64
> 6.2-RELEASE-p4 branch. I will gladly supply more info if this isn't enough.

You can't bind both host and jail to the same IP.
I'd suggest the following re-arrangement:

ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce0_alias0="inet 192.168.4.81 netmask 255.255.255.255"
              ^^^^^^                  ^                     ^^^
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"

jail_enable="YES"
jail_list="video"
jail_interface="bce0"
^^^^^^^^^^^^^^^^^^^^^
jail_video_rootdir="/usr/local/jail/video"
jail_video_hostname="video.eastcentral.edu"
jail_video_ip="192.168.4.81"
                          ^
jail_named_exec_start="/bin/sh /etc/rc"
jail_video_devfs_enable="YES"

In other words:

Your host binds to bce0 (192.168.4.80) and bce1 (10.228.228.228).
The jail binds to bce0_alias0 (192.168.4.81).
Also jails will always try to bind to bce0 interface (jail_interface="bce0").

You don't need any routes if your machine acts as a gateway. All traffic from
10.0.0.0/8 will find its way to 192.168.0.0/16 through bce1 and from other net
via bce0.

Hopefully I didn't misinterpret your problem.

Regards,
Mikhail.

-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg@webanoide.org
Web: www.webanoide.org
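A configuration check for the clash discussed in this thread, as an added example that is not code from either message or from FreeBSD's rc.d scripts: it parses an rc.conf fragment, maps every inet address the host configures to its interface and prefix length, and flags a jail whose jail_<name>_ip is a host interface's primary address instead of its own /32 alias. The two rc.conf fragments are constructed from the configurations quoted above (trimmed to the relevant variables); the function names and the finding wording are my own.

```python
"""Lint an rc.conf fragment for the host/jail address clash discussed above.

Added example (not code from the thread). The two fragments below are
constructed from the configurations quoted in the messages; only the
variables relevant to the check are kept.
"""
import re
from ipaddress import ip_network

# As posted by the original poster: jail_video_ip is bce0's primary address.
BROKEN_RC_CONF = '''
defaultrouter="10.228.228.254"
ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"
# Enable Jails for multi-homed box (video)
jail_enable="YES"
jail_list="video"
jail_video_ip="192.168.4.80"
'''

# The suggested rearrangement: jail on a /32 alias of bce0, jail_interface set.
FIXED_RC_CONF = '''
ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce0_alias0="inet 192.168.4.81 netmask 255.255.255.255"
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"
jail_enable="YES"
jail_list="video"
jail_interface="bce0"
jail_video_ip="192.168.4.81"
'''

ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="?([^"]*)"?$')
IFCONFIG = re.compile(r'^ifconfig_([a-z]+\d+)(_alias\d+)?$')


def parse_rc_conf(text):
    """Return {name: value} for simple NAME="value" lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def host_addresses(conf):
    """Map every inet address the host configures to (interface, prefixlen, is_alias)."""
    addrs = {}
    for name, value in conf.items():
        m = IFCONFIG.match(name)
        if not m:
            continue
        words = value.split()
        if 'inet' not in words:
            continue
        addr = words[words.index('inet') + 1]
        prefixlen = None  # left unset when no netmask keyword is present
        if 'netmask' in words:
            mask = words[words.index('netmask') + 1]
            prefixlen = ip_network(f'{addr}/{mask}', strict=False).prefixlen
        addrs[addr] = (m.group(1), prefixlen, m.group(2) is not None)
    return addrs


def lint(text):
    """Return a list of findings; an empty list means the fragment passes."""
    conf = parse_rc_conf(text)
    hosts = host_addresses(conf)
    jail_if = conf.get('jail_interface')
    findings = []
    for jail in conf.get('jail_list', '').split():
        ip = conf.get(f'jail_{jail}_ip')
        if not ip:
            findings.append(f'jail {jail}: no jail_{jail}_ip set')
            continue
        if ip not in hosts:
            # Nothing on the host carries this address in the fragment itself.
            if not jail_if:
                findings.append(f'jail {jail}: {ip} is not configured on any host '
                                'interface and jail_interface is unset')
            continue
        ifname, prefixlen, is_alias = hosts[ip]
        if not is_alias:
            # The exact situation from the thread: host and jail sharing one address.
            findings.append(f'jail {jail}: {ip} is the primary address of {ifname}; '
                            'host and jail cannot share an address, give the jail its own alias')
        elif prefixlen != 32:
            findings.append(f'jail {jail}: alias {ip} on {ifname} should use netmask 255.255.255.255')
        if jail_if and jail_if != ifname:
            findings.append(f'jail {jail}: {ip} lives on {ifname} but jail_interface is {jail_if}')
    return findings


if __name__ == '__main__':
    for label, text in (('as posted', BROKEN_RC_CONF), ('rearranged', FIXED_RC_CONF)):
        print(f'{label}: {lint(text) or ["ok"]}')
```

Run as a script it reports one finding for the posted configuration (the jail address is bce0's primary address) and none for the rearranged one. The parser deliberately handles only the simple NAME="value" form, which is all rc.conf fragments of this kind use; it is a review aid for the rc.conf file, not a replacement for checking the live state with ifconfig and jls.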
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?465FEF7D.1060205>