From owner-freebsd-stable@FreeBSD.ORG Thu Nov 22 04:00:27 2012
From: Morgan Reed
Date: Thu, 22 Nov 2012 15:00:05 +1100
Subject: natd in a jail
To: freebsd-stable@freebsd.org

Hi All,

I've a bit of an odd query which I hope somebody may be able to assist with.
I'm looking to set up several OpenVPN tunnels on a single machine (each residing in its own jail) and route data to different destinations over different tunnels by selectively routing the traffic via a particular jail. I have three jails set up with OpenVPN tunnels terminated in each; they all work as expected from the "local" machine.

I can't do a straightforward route over the VPN tunnel as I don't control the other end of the tunnel; I need to treat it as a point-to-point connection as a result, hence I need to use NAT.

I've tested this setup with a single tunnel running off a "real" machine with natd providing NAT, and it works like a charm. However, when I move the config into a jail I run into issues: natd doesn't seem to be able to see the incoming traffic, and nothing shows up in the logs at all. I'm not even sure if this is actually possible; I'm starting to suspect that natd can't hook in low enough from the jails to access the incoming traffic.

Traffic gets into the jail by way of an epair interface between the host and the jail, bridged to the ethernet adapter by way of a bridge device. I can see the traffic attempting to route over the tun interface in the jail (but obviously it's not being NATted, so nothing comes back), so the traffic is making it in and through the routing engine, just not via natd.

Any suggestions here? The host is FreeBSD-8.3.

Thanks,
Morgan
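Added example, not part of the original mail or of any reply: natd never sees packets on its own; it only receives what an ipfw "divert" rule hands to its divert socket, so when natd logs nothing the first thing to confirm is that a divert rule for the tunnel interface is present in the ruleset that the traffic actually traverses. The script below emits the minimal ipfw fragment for one tunnel interface and checks an `ipfw show`-style listing for such a rule. The interface names, the rule numbers, the divert port (8668 is natd's default) and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumed: natd listens on
# divert port 8668 (its default) and the tunnel interface is tun0/tun1.

# Emit the minimal ipfw fragment that hands traffic crossing $1 to natd
# on divert port $2 (default 8668). Rule numbers are illustrative.
natd_rules() {
    ifname=$1
    port=${2:-8668}
    printf 'add 1000 divert %s ip from any to any via %s\n' "$port" "$ifname"
    printf 'add 1010 allow ip from any to any\n'
}

# Return 0 if an 'ipfw show'-style listing ($1) contains a divert rule
# for interface $2, 1 otherwise. Matches "via <ifname>" as a whole word.
has_divert_rule() {
    listing=$1
    ifname=$2
    printf '%s\n' "$listing" | grep -Eq "divert [0-9]+ ip from any to any via ${ifname}( |$)"
}

# Constructed sample of 'ipfw show' output: a divert rule exists for tun0
# but not for tun1, which is what a "natd sees nothing" case looks like.
SAMPLE_RULESET='00100     12     1234 allow ip from any to any via lo0
01000   5678   456789 divert 8668 ip from any to any via tun0
65535   3456   234567 allow ip from any to any'

if [ "${1:-}" = "--demo" ]; then
    natd_rules tun1
    for i in tun0 tun1; do
        if has_divert_rule "$SAMPLE_RULESET" "$i"; then
            echo "$i: divert rule present"
        else
            echo "$i: no divert rule, natd will not see this traffic"
        fi
    done
fi
```

Run with `--demo` to print the fragment and the check results. On an 8.x kernel without VIMAGE the ipfw ruleset is global and is managed from the host, not from inside a jail, so in a setup like the one described the listing to inspect is the host's `ipfw show`; a natd that appears to run fine but logs nothing is consistent with no divert rule reaching it.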