From: Kevin Smith
To: freebsd-pf
Date: Tue, 2 Jun 2009 17:13:29 +0200
Subject: Problem: nating jails with private ip addresses.

Hi guys,

Please help if you can. I have a problem, and I can't get my config to work. I have one public IP address, and several jails with private IP addresses in the 172.20.0.0/24 area.

I don't know how to make this work. Maybe I blocked the traffic somewhere, but DNS requests are coming through, and I can open (redirected) HTTP on the jail itself inside from the internet, but I can't connect to any host on the internet from the jails. The main problem comes with installing from ports and downloading the distfiles.

My system is 7.1-RELEASE, with pf, pflog, pfsync devices, and ALTQ, ALTQ_CBQ, ALTQ_RED, ALTQ_RIO, ALTQ_HFSC, ALTQ_PRIQ, ALTQ_NOPCC options compiled in the kernel!

Is this possible, or should I pop in another card and bind the jails to that card?

The corresponding config is here (really partial):

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, ftp, ftp-data }"
ext_if = "bge0"
jails = "172.20.0.0/24"
nat on $ext_if proto { tcp, udp, icmp } from $jails to any -> ($ext_if)
rdr pass on $ext_if inet proto tcp from any to $ext_if port http -> 172.20.0.100
pass out proto tcp to any port $tcp_services keep state
pass out proto tcp from any to any keep state

Thanks in advance,
Best Regards,
Kevin