Date:      Tue, 15 Nov 2016 12:37:06 +0100
From:      Oliver Peter <lists@peter.de.com>
To:        Big Lebowski <spankthespam@gmail.com>
Cc:        freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: NAT Reflection rules for FreeBSD PF
Message-ID:  <20161115113705.GB1675@mail.opdns.de>
In-Reply-To: <CAHcXP%2BeMrDO0V276DuYKwHMoK8BrAYMhH6b16%2BVhtXRDrKAuAQ@mail.gmail.com>
References:  <CAHcXP%2BeMrDO0V276DuYKwHMoK8BrAYMhH6b16%2BVhtXRDrKAuAQ@mail.gmail.com>

El duderino,

On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
>
> I am trying to set up a 11.0-R PF based NAT for group of jails that needs
> to be able to talk to services on other jails, just as if they'd be clients
> from outside of the network. Apparently, this is called 'NAT reflection'
> and I was able to find examples for OpenBSD PF here:
> https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
>
> Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> $ext_if external IP?

We did something similar in a customer setup a while ago:

	nat on $int_if from $jail_host to any -> $int_ip
	rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb

Cheers


-- 
Oliver PETER       oliver@gfuzz.de       0x456D688F
