Date:      Tue, 15 Nov 2016 13:03:54 +0000
From:      Big Lebowski <spankthespam@gmail.com>
To:        Oliver Peter <lists@peter.de.com>
Cc:        freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: NAT Reflection rules for FreeBSD PF
Message-ID:  <CAHcXP%2Bcfn7%2B_6pH=cSJ2mEnNPaH1N3Dv7na%2BJiu0=PR-wBZR0A@mail.gmail.com>
In-Reply-To: <20161115113705.GB1675@mail.opdns.de>
References:  <CAHcXP%2BeMrDO0V276DuYKwHMoK8BrAYMhH6b16%2BVhtXRDrKAuAQ@mail.gmail.com> <20161115113705.GB1675@mail.opdns.de>

On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter <lists@peter.de.com> wrote:

> El duderino,
>
> On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> >
> > I am trying to set up a 11.0-R PF based NAT for a group of jails that needs
> > to be able to talk to services on other jails, just as if they'd be clients
> > from outside of the network. Apparently, this is called 'NAT reflection'
> > and I was able to find examples for OpenBSD PF here:
> > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> >
> > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> > same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> > $ext_if external IP?
>
> We did something similar in a customer setup a while ago:
>
>         nat on $int_if from $jail_host to any -> $int_ip
>         rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if \
>             port { $service1, $service2 } -> $int_lb
>
> Cheers


Thanks for your response Oliver! Would you mind elaborating on it a bit
more? I don't understand what you're trying to achieve here, since the NAT
doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $int_if
only holds the jails' IP addresses from the $jail_net range. How does that
compare?

Regards, BL
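For reference, here is one way to express the reflection the original question asks for, in the nat/rdr syntax that FreeBSD 11.0 PF accepts. This is an added example following the rdr pattern on the OpenBSD FAQ page linked above, not a configuration from either poster; the public address, service jail address and ports are placeholders, and it assumes pf is not told to skip lo0.

```pf
# Macros: interface names and the jail network come from the question;
# the public address, service jail and ports are placeholders.
ext_if    = "xn0"
int_if    = "lo0"                 # jail addresses are aliases on lo0
jails_net = "192.168.0.0/24"
ext_ip    = "198.51.100.10"       # placeholder: public address on xn0
web_jail  = "192.168.0.10"        # placeholder: jail hosting the service
web_ports = "{ 80, 443 }"         # placeholder: reflected service ports

# The reflection below relies on pf seeing jail-to-jail traffic on lo0,
# so this ruleset must not contain 'set skip on lo0'.

# Outbound NAT for the jails, as already used in the question
nat on $ext_if from $jails_net to any -> ($ext_if)

# Outside clients: redirect the public ports to the service jail
rdr pass on $ext_if proto tcp from any to $ext_ip port $web_ports -> $web_jail

# NAT reflection: a jail that connects to the public address on lo0 is
# redirected to the same service jail, so it is treated like an outside
# client rather than reaching the service on its private address.
rdr pass on $int_if proto tcp from $jails_net to $ext_ip port $web_ports -> $web_jail

# Ordinary filter rules follow here; only the redirected connections above
# are passed implicitly by 'rdr pass'.

# Syntax-check the file before loading it:  pfctl -nf /etc/pf.conf
```

Because both ends of a reflected connection sit on lo0, pf sees the service jail's replies and reverses the translation from its state table. If replies do not come back through the host in a given setup, the FAQ's additional nat rule on the internal interface, rewriting the client's source address, is the step to add.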
