From owner-freebsd-stable@FreeBSD.ORG Thu Nov 22 11:38:35 2012
From: Morgan Reed
Date: Thu, 22 Nov 2012 22:38:14 +1100
Subject: Fwd: natd in a jail
To: freebsd-stable@freebsd.org
List-Id: Production branch of FreeBSD source code

Hmm, list was missing from reply-to on this one.
---------- Forwarded message ----------
From: Morgan Reed
Date: Thu, Nov 22, 2012 at 10:36 PM
Subject: Re: natd in a jail
To: Dewayne Geraghty

On Thu, Nov 22, 2012 at 9:33 PM, Dewayne Geraghty wrote:
> We run a lot of jails with kernel nat and ipfw (& ipsec but that's not what
> you need here). Some of the hosts haven't migrated from natd to kernel nat,
> so we're probably similar to your setup.

Sounds very similar, just substituting OpenVPN for IPSec.

> 90% of our jails have a 192.168/16 that nat via an external interface with
> a routable address, and an internal non-routable address (ie non-RFC1918);
> which is probably what you're doing for your VPN stuff.
>
> Our openvpns all use tun, I would suggest that your natd isn't doing
> exactly as you'd wish - on a good day it can be tricky to get right and
> tcpdump is your friend, which should be monitored in both your host
> environment and within the jail. You'll need to enable allow.raw_sockets
> and you'll probably want to enable bpf to be available in your jail, if you
> haven't already done so.

BPF is enabled for the jails, and the traffic is getting to where it needs to (but not via natd). I'll try enabling raw_sockets in the jails; it is entirely conceivable that natd requires that functionality.

Thanks for your assistance, I'll see how I go and report back.

Best Regards,

Morgan Reed

--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759
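The two jail settings Dewayne mentions (allow.raw_sockets for natd, a devfs ruleset that exposes bpf for tcpdump) are shown below as an added example; it is not code from either poster. The jail name "vpn", its path and address, and ruleset number 10 are placeholders, and the script assumes standard jail.conf(5) and devfs.rules(5) syntax. It also includes a small audit function that lists which jails in a jail.conf have raw sockets enabled, since both settings widen what processes inside the jail can do (craft arbitrary packets, capture on interfaces visible to the jail) and should be granted only where natd or tcpdump actually run.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders: jail "vpn", /jails/vpn,
# 192.168.10.2, devfs ruleset 10. Assumes jail.conf(5) / devfs.rules(5) syntax.

# jail.conf stanza for a jail that runs natd and tcpdump:
# allow.raw_sockets lets natd (and ping/traceroute) open raw sockets,
# devfs_ruleset points at a ruleset that unhides /dev/bpf* for tcpdump.
jail_stanza() {
    cat <<'EOF'
vpn {
    path = /jails/vpn;
    host.hostname = vpn.example.internal;
    ip4.addr = 192.168.10.2;
    allow.raw_sockets = 1;      # needed by natd
    devfs_ruleset = 10;         # ruleset below unhides bpf
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}
EOF
}

# /etc/devfs.rules fragment: the usual jail ruleset contents plus bpf.
devfs_rules() {
    cat <<'EOF'
[devfsrules_jail_bpf=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
EOF
}

# Audit helper: read a jail.conf on stdin and print the name of every jail
# stanza that sets allow.raw_sockets = 1, so the operator can see which
# jails are allowed to craft raw packets.
jails_with_raw_sockets() {
    awk '
        /^[A-Za-z0-9_.-]+[ \t]*\{/ { name = $1 }
        /allow\.raw_sockets[ \t]*=[ \t]*1/ { print name }
    '
}
```

Write the stanza to /etc/jail.conf and the ruleset to /etc/devfs.rules, then `service devfs restart` and `service jail restart vpn`; `jail_stanza | jails_with_raw_sockets` prints `vpn`, and running the audit over the real /etc/jail.conf shows whether any other jail has quietly kept the same privilege.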