From owner-freebsd-net@freebsd.org Tue Nov 15 11:47:12 2016
Date: Tue, 15 Nov 2016 12:37:06 +0100
From: Oliver Peter
To: Big Lebowski
Cc: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: Re: NAT Reflection rules for FreeBSD PF
Message-ID: <20161115113705.GB1675@mail.opdns.de>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: Networking and TCP/IP with FreeBSD

El duderino,

On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
>
> I am trying to set up an 11.0-R PF based NAT for a group of jails that need
> to be able to talk to services on other jails, just as if they'd be clients
> from outside of the network. Apparently, this is called 'NAT reflection'
> and I was able to find examples for OpenBSD PF here:
> https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
>
> Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> $ext_if external IP?
We did something similar in a customer setup a while ago:

    # Rewrite the source of jail traffic on the internal interface to the
    # host's internal address, so replies come back through the host.
    nat on $int_if from $jail_host to any -> $int_ip
    # Redirect jail traffic aimed at the external address on the published
    # ports to the internal load balancer.
    rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb

Cheers
--
Oliver PETER oliver@gfuzz.de 0x456D688F
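As an added example (not from the thread, and not the customer setup the reply describes), here is a complete pf.conf fragment that applies the reply's two-rule pattern to the setup in the question, in FreeBSD 11.0 syntax with separate nat/rdr translation rules rather than OpenBSD's match/rdr-to; it also adds the ordinary outbound NAT and inbound rdr on xn0 so the reflection rules are seen in context. The host's lo0 address, the service jail address and the published ports are assumed values.

```pf
# Added example, not the thread's own config. Macros follow the question:
# jails live on lo0 aliases in 192.168.0.0/24, external interface is xn0.
ext_if    = "xn0"
int_if    = "lo0"
jails_net = "192.168.0.0/24"
int_ip    = "192.168.0.1"      # assumed: host's own lo0 alias
svc_jail  = "192.168.0.10"     # assumed: jail serving the published ports
services  = "{ 80, 443 }"      # assumed: ports published on the external address

# No "set skip on lo0" here: pf must see loopback traffic for the
# reflection rules on $int_if to match at all.

# Outbound: jails reach the outside world behind the external address.
nat on $ext_if from $jails_net to any -> ($ext_if)

# Inbound: outside clients reach the service via the external address.
rdr pass on $ext_if proto { tcp, udp } from any to ($ext_if) port $services -> $svc_jail

# NAT reflection, same two-rule pattern as the reply above.
# 1) Rewrite the jail's source to the host's internal address so replies from
#    the service jail return through the host's state table. Side effect: the
#    service jail sees $int_ip as the client, so per-client logging or access
#    lists inside that jail no longer see the originating jail.
nat on $int_if from $jails_net to any -> $int_ip
# 2) Redirect jail traffic aimed at the external address back to the service jail.
rdr pass on $int_if proto { tcp, udp } from $jails_net to ($ext_if) port $services -> $svc_jail

# Filter section: keep state so the translations are reversed on the way back.
pass quick on $int_if all
pass out on $ext_if from ($ext_if) to any keep state
pass in on $ext_if proto { tcp, udp } from any to $svc_jail port $services keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm with `pfctl -s nat` that both translation rules on lo0 are present after `pfctl -f`.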