From: Big Lebowski
Date: Mon, 14 Nov 2016 22:30:59 +0000
Subject: NAT Reflection rules for FreeBSD PF
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org

Hi,

I am trying to set up an 11.0-R PF-based NAT for a group of jails that need to be able to talk to services on other jails, just as if they were clients from outside of the network. Apparently, this is called 'NAT reflection', and I was able to find examples for OpenBSD PF here: https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).

Obviously, their syntax doesn't work on FreeBSD PF, so how do I achieve the same thing? How do I allow jails NAT'd on $ext_if (xn0) coming from $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other via the $ext_if external IP?

Regards,
BL