Date: Thu, 22 Nov 2012 22:38:14 +1100
From: Morgan Reed <morgan.s.reed@gmail.com>
To: freebsd-stable@freebsd.org
Subject: Fwd: natd in a jail
Message-ID: <CAKnh_YvzbYty4z=TXvSLOpmWr0hBeH8nYE_CTUCJ49NAfs-ozA@mail.gmail.com>
In-Reply-To: <CAKnh_YtaY8uMo0W=LQ8L=Ntz6j9bVv8bOkQ_xFoAtz86qLZKDA@mail.gmail.com>
References: <CAKnh_YtF5f_0-vuGO0ov%2BJDKa_gxF%2Bf80-DCcfxPYyew0_ZG7Q@mail.gmail.com> <D0670FDB8ED04E92BD4A44BB347E786F@white> <CAKnh_YtaY8uMo0W=LQ8L=Ntz6j9bVv8bOkQ_xFoAtz86qLZKDA@mail.gmail.com>

Hmm, list was missing from reply-to on this one.

---------- Forwarded message ----------
From: Morgan Reed <morgan.s.reed@gmail.com>
Date: Thu, Nov 22, 2012 at 10:36 PM
Subject: Re: natd in a jail
To: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>

On Thu, Nov 22, 2012 at 9:33 PM, Dewayne Geraghty
<dewayne.geraghty@heuristicsystems.com.au> wrote:
> We run a lot of jails with kernel nat and ipfw (& ipsec but that's not what
> you need here). Some of the hosts haven't migrated from natd to kernel nat,
> so we're probably similar to your setup.

Sounds very similar, just substituting OpenVPN for IPSec.

> 90% of our jails have an 192.168/16 that nat via an external interface with
> a routable address, and an internal non-routable address (ie non-RFC1918);
> which is probably what you're doing for your VPN stuff.
>
> Our openvpn's all use tun, I would suggest that your natd isn't doing
> exactly like you'd wish - on a good day it can be tricky to get right and
> tcpdump is your friend, which should be monitored in both your host
> environment and within the jail. You'll need to enable allow.raw_sockets
> and you'll probably want to enable bpf to be available in your jail, if you
> haven't already done so.

BPF is enabled for the jails, and the traffic is getting to where it
needs to (but not via natd).

I'll try enabling raw_sockets in the jails; it is entirely conceivable
that natd requires that functionality.

Thanks for your assistance, I'll see how I go and report back.

Best Regards,

Morgan Reed

--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
  -- Benjamin Franklin, 1759