From owner-freebsd-questions@FreeBSD.ORG Fri Jun 1 10:06:00 2007
Message-ID: <465FEF7D.1060205@webanoide.org>
Date: Fri, 01 Jun 2007 20:05:49 +1000
From: Mikhail Goriachev
Organization: Webanoide
To: rapopp@eastcentral.edu
Cc: freebsd-questions@freebsd.org
In-Reply-To: <200705291242.16640.rapopp@eastcentral.edu>
Subject: Re: Static Routes, gateways and the end of my sanity

Reuben A. Popp wrote:
> Hello everyone, can someone please (_please_!!) let me know what I'm doing
> wrong in the following example? I am near my wits' end on implementing this,
> any suggestions are greatly appreciated!
>
> The scenario is that I have a server here with twin nics, bce0 and bce1; I
> would like bce0 to be connected to our dmz network (192.168.x.x), while bce1
> would be on our internal network. A jail will reside on the ip assigned to
> bce0, while the regular base system will bind to bce1.
>
> My current rc.conf consists of the following:
> -------------------------------------------
> defaultrouter="10.228.228.254"
> ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
> ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"
>
> # Enable Jails for multi-homed box (video)
> jail_enable="YES"
> jail_list="video"
> jail_video_rootdir="/usr/local/jail/video"
> jail_video_hostname="video.eastcentral.edu"
> jail_video_ip="192.168.4.80"
> jail_named_exec_start="/bin/sh /etc/rc"
> jail_video_devfs_enable="YES"
>
> # Routed and gateway settings
> static_routes="net1"
> route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
> ------------------------------------------
>
> Of course there's other things in there like binding various services (inetd,
> syslog, et al) to the internal ip.
>
> On bringing the machine up, I can ping both ips just fine; what I can't do is
> ssh to the dmz address. Yes, sshd is running inside the jail ;). The output
> of tcpdump shows a connect to that ip on bce0, but all responses appear to be
> going out on bce1.
>
> Again, any suggestions or comments are welcome and appreciated. For the
> record, the machine is a Dell PowerEdge 2950 running the amd64
> 6.2-RELEASE-p4 branch. I will gladly supply more info if this isn't enough.

You can't bind both host and jail to the same IP.
I'd suggest the following re-arrangement:

ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce0_alias0="inet 192.168.4.81 netmask 255.255.255.255"
              ^^^^^^                  ^                     ^^^
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"

jail_enable="YES"
jail_list="video"
jail_interface="bce0"
^^^^^^^^^^^^^^^^^^^^^
jail_video_rootdir="/usr/local/jail/video"
jail_video_hostname="video.eastcentral.edu"
jail_video_ip="192.168.4.81"
                          ^
jail_named_exec_start="/bin/sh /etc/rc"
jail_video_devfs_enable="YES"

In other words:

Your host binds to bce0 (192.168.4.80) and bce1 (10.228.228.228).
The jail binds to bce0_alias0 (192.168.4.81). Also, jails will always try
to bind to the bce0 interface (jail_interface="bce0").

You don't need any routes if your machine acts as a gateway. All traffic
from 10.0.0.0/8 will find its way to 192.168.0.0/16 through bce1 and from
the other net via bce0.

Hopefully I didn't misinterpret your problem.

Regards,
Mikhail.

-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg@webanoide.org
Web: www.webanoide.org
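The collision the reply points out can be caught before rebooting. Below is an added example, not code from the thread or from FreeBSD: a POSIX sh check that scans an rc.conf for a jail_<name>_ip that equals a host interface's primary address, or that is configured on no interface or alias at all. The two embedded rc.conf fragments are constructed from the poster's configuration and the suggested rearrangement.

```shell
#!/bin/sh
# Added example, not from the thread. Reports a jail_<name>_ip that equals an
# ifconfig_<if> primary address (the poster's mistake) or that is configured on
# no interface or ifconfig_<if>_aliasN at all. Exit status 0 means clean.
check_jail_ips() {
    rcfile=$1
    status=0
    # Primary addresses: ifconfig_<if>="inet A.B.C.D ...". Aliases are excluded
    # because "_alias" contains a character the [a-z0-9] class does not accept.
    primaries=$(sed -n 's/^ifconfig_[a-z0-9]*="inet \([0-9.]*\).*/\1/p' "$rcfile" | tr '\n' ' ')
    # Alias addresses: ifconfig_<if>_aliasN="inet A.B.C.D ..."
    aliases=$(sed -n 's/^ifconfig_[a-z0-9]*_alias[0-9]*="inet \([0-9.]*\).*/\1/p' "$rcfile" | tr '\n' ' ')
    # Jail addresses as name=ip words: jail_<name>_ip="A.B.C.D"
    jails=$(sed -n 's/^jail_\([a-z0-9]*\)_ip="\([0-9.]*\)".*/\1=\2/p' "$rcfile")
    for entry in $jails; do
        name=${entry%%=*}
        ip=${entry#*=}
        case " $primaries " in
            *" $ip "*) echo "CONFLICT: jail '$name' uses host primary address $ip"
                       status=1; continue ;;
        esac
        case " $aliases " in
            *" $ip "*) ;;
            *) echo "MISSING: jail '$name' address $ip is on no interface or alias"
               status=1 ;;
        esac
    done
    return $status
}

# Constructed samples: the poster's fragment and the suggested rearrangement.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
BEFORE_CONF=$tmp/rc.conf.before
AFTER_CONF=$tmp/rc.conf.after
cat > "$BEFORE_CONF" <<'EOF'
ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"
jail_video_ip="192.168.4.80"
EOF
cat > "$AFTER_CONF" <<'EOF'
ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce0_alias0="inet 192.168.4.81 netmask 255.255.255.255"
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"
jail_interface="bce0"
jail_video_ip="192.168.4.81"
EOF
for f in "$BEFORE_CONF" "$AFTER_CONF"; do
    if check_jail_ips "$f"; then echo "clean: $f"; fi
done
```

Run it against /etc/rc.conf by calling check_jail_ips /etc/rc.conf; the jail_interface setting is not checked, since rc.d/jail only uses it to pick the interface the alias is added to.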