From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Tue, 22 Apr 2008 23:09:06 +0200
To: Nicolas de Bari Embriz Garcia Rojas
Cc: freebsd-jail@freebsd.org
Subject: Re: routing

Nicolas de Bari Embriz Garcia Rojas wrote:
> I have an ipsec/vpn on FreeBSD 6.3 from one master server to another
> server, the one that has multiple jails. Each jail has its own public IP and I
> need to do something like this:
>
> vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
> 64.68.69.79/10.10.10.1           75.76.78.79/10.10.10.2
>
> When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the
> jail with IP 75.76.78.80 to respond, and also from jail 75.76.78.80
> be able to telnet the other vpn point 10.10.10.1.
>
> I am trying to route traffic using PF but it is not working for the tunnel,
> only for the non-encrypted traffic, example:
> rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
>
> but if I use the gif0 interface (the one for the tunnel) instead of em1
> it does not work.

I am using a slightly different setup. I have lo1 with IPs 172.16.1.0/24 for
jails, and public IPs are RDR / NATed from the public interface to local (jails).
I have one jail where I need to connect through OpenVPN on tap0 to the MSSQL
database server and, from the other end (MS Windows Server), allow connections
in to the jailed MySQL database server. Apache from this jail is publicly
accessible on ports 80 and 443.

jail_addr_0="172.16.1.2"
jail_tcp_0_inports="{ 80, 443 }"

vpn_dtc_if="tap0"
vpn_dtc_addr_local="10.0.0.29"
vpn_dtc_addr_remote="10.0.0.10"
vpn_dtc_inports="{ 3306 }" # let incoming to local mysql

# outgoing connections
nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local

# incoming connections
rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0

Miroslav Lachman
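The following pf.conf fragment is an added example, not part of either message in the thread. It carries Miroslav's macro/nat/rdr layout over to the questioner's addresses (gif0 tunnel 10.10.10.1 <-> 10.10.10.2, jail 75.76.78.80, port 80) and narrows the questioner's `from any to any port 80` redirect to the tunnel endpoint and the one port the far end needs. It assumes pf sees the decapsulated tunnel packets on gif0; the questioner reports that it does not in their IPsec setup, and the thread leaves that unresolved.

```pf
# Added example (not from the thread): Miroslav's layout applied to the
# questioner's gif0 tunnel.  Addresses and port are the ones given in the
# thread; the interface names for the macros are taken from the question.
jail_addr_0="75.76.78.80"      # the jail's own public IP (from the question)

vpn_if="gif0"                  # tunnel interface (from the question)
vpn_addr_local="10.10.10.2"    # this host's tunnel address
vpn_addr_remote="10.10.10.1"   # far VPN endpoint
vpn_inports="{ 80 }"           # only the ports the far end must reach in the jail

# Outgoing from the jail to the far endpoint: source it from the local tunnel
# address so the far side sees a tunnel address and replies come back via gif0.
nat pass on $vpn_if from $jail_addr_0 to $vpn_addr_remote -> $vpn_addr_local

# Incoming over the tunnel: redirect only the listed ports, only from the far
# endpoint, and only when addressed to the local tunnel address.  The original
# "from any to any port 80" on em1 would also redirect port 80 traffic arriving
# from anywhere; restricting source, destination and ports is the least-
# privilege form.  'pass' lets the redirected packets skip the filter rules,
# as in Miroslav's tap0 rule.
rdr pass on $vpn_if inet proto tcp from $vpn_addr_remote to $vpn_addr_local \
    port $vpn_inports -> $jail_addr_0
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf` (parse only, rules are not installed), then load and list the resulting translation rules with `pfctl -f /etc/pf.conf` and `pfctl -sn`; the expanded rdr line should show 10.10.10.1 and 10.10.10.2 rather than `any`. Because the jail already owns a public address, the public side needs no rdr here; Miroslav's `rdr on $ext_if ... -> $jail_addr_0` is only required when the jail sits on a private lo1 address as in his setup.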