From: Big Lebowski
Date: Tue, 15 Nov 2016 14:49:18 +0000
Subject: Re: NAT Reflection rules for FreeBSD PF
To: Oliver Peter
Cc: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
In-Reply-To: <20161115132609.GC1675@mail.opdns.de>
References: <20161115113705.GB1675@mail.opdns.de> <20161115132609.GC1675@mail.opdns.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, Nov 15, 2016 at 1:26 PM, Oliver Peter wrote:
> On Tue, Nov 15, 2016 at 01:03:54PM +0000, Big Lebowski wrote:
> > On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter wrote:
> > >
> > > El duderino,
> > >
> > > On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> > > >
> > > > I am trying to set up an 11.0-R PF based NAT for a group of jails that needs
> > > > to be able to talk to services on other jails, just as if they'd be clients
> > > > from outside of the network. Apparently, this is called 'NAT reflection'
> > > > and I was able to find examples for OpenBSD PF here:
> > > > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> > > >
> > > > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> > > > same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > > > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> > > > $ext_if external IP?
> > >
> > > We did something similar in a customer setup a while ago:
> > >
> > > nat on $int_if from $jail_host to any -> $int_ip
> > > rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
> > >
> > > Cheers
> >
> > Thanks for your response Oliver! Would you mind elaborating on it a bit
> > more? I don't understand what you're trying to achieve here, since the NAT
> > doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $int_if
> > only holds the jails' IP addresses from the $jail_net range. How does that
> > compare?
>
> Ah, it could be that this is a bit different since you only have a single
> machine; our example was a gateway with two interfaces (ext/int) doing NAT
> for some machines behind. Since your packets are created on lo0 and
> routed to xn0 it might be different.
> Another idea would be to re-route the packets between the two interfaces:
>
> pass out quick on $ext_if route-to $int_if from ($int_if:network) to $ext_if:network
>
> This might interfere with your regular outgoing traffic; maybe the "to"
> part needs a bit of tuning. Furthermore I'm not sure about the source
> addresses... We have this in production to route some DNS traffic via
> VPN.
>
> Split horizon DNS is no option?
> Sorry for not being very helpful.

No worries, you've been most helpful so far :) The host has two interfaces; I simply chose lo0 for the jails because I wasn't aware it would matter, so, if needs be, I can migrate the jails' IPs from lo0 to xn1. Would it make a difference in that I'd now be able to implement the reflection somehow, or would I need to get the jails out of the host entirely and make the host provide gateway functionality only?

Regards,
BL
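As an added illustration (not from either poster), here is the OpenBSD FAQ's NAT-reflection pattern written in FreeBSD 11 pf syntax for the setup in this thread: jail addresses from 192.168.0.0/24 aliased on lo0, xn0 as the external interface. The web jail address, the port, and the absence of a `set skip on lo0` line are assumptions; the rules have not been tested against this host.

```pf
# Added example, not the thread's own configuration. Addresses and ports
# below are assumed placeholders for the single-host jail setup discussed.
ext_if    = "xn0"
jail_if   = "lo0"
jails_net = "192.168.0.0/24"
web_jail  = "192.168.0.10"    # assumed: the jail that serves port 80

# Assumption: lo0 is NOT listed in "set skip". A common default is
# "set skip on lo0", which would make pf ignore every rule on $jail_if
# below, so jail-to-host traffic would never be redirected.
set skip on { }

# Ordinary outbound NAT for the jails towards the Internet.
nat on $ext_if from $jails_net to any -> ($ext_if)

# Ordinary inbound redirect: outside clients reach the web jail through
# the host's external address.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_jail

# NAT reflection: a jail connecting to the host's external address on
# port 80 is redirected to the web jail, so it behaves like an outside
# client. Because the jails live on lo0, both directions of the
# connection pass through pf on the host, so the extra "nat on $int_if"
# rule the OpenBSD FAQ needs for same-segment LAN hosts is assumed not
# to be required here.
rdr on $jail_if proto tcp from $jails_net to ($ext_if) port 80 -> $web_jail

# Filter rules. Logging the reflected connections makes it easy to
# confirm in pflog that the rdr above is actually matching.
pass out on $jail_if proto tcp from $jails_net to ($ext_if) port 80
pass in log on $jail_if proto tcp from $jails_net to $web_jail port 80
pass in on $ext_if proto tcp from any to $web_jail port 80
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `tcpdump -n -e -ttt -i pflog0` while a jail connects to the external address to confirm the redirect fires.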