From owner-freebsd-jail@FreeBSD.ORG Thu Apr 24 11:20:22 2008
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 24 Apr 2008 13:20:36 +0200
To: Nicolas de Bari Embriz Garcia Rojas
Cc: freebsd-jail@freebsd.org
Subject: Re: routing
Message-ID: <48106D04.5040103@quip.cz>
In-Reply-To: <821C3EED-42A0-4ADA-982E-3A5EABB5E1A4@k9.cx>
List-Id: "Discussion about FreeBSD jail(8)"

Nicolas de Bari Embriz Garcia Rojas wrote:
> In your example what values are for ext_addr_3, ext_if?

Server has external interface bge0 (connected to internet) ext_if="bge0" and 4 public IP addresses, $ext_addr_3 is one of them (dedicated to this jail usage).

> On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
>
>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>
>>> I have an ipsec/vpn on FreeBSD 6.3 from one master server to another
>>> server; the one has multiple jails. Each jail has its own public IP
>>> and I need to do something like this:
>>>
>>> vpn point >----------------------< master server with jails <-------
>>> > jail (75.76.78.80)
>>> 64.68.69.79/10.10.10.1 75.76.78.79/10.10.10.2
>>>
>>> When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want that
>>> the jail with ip 75.76.78.80 to respond, and also from jail
>>> 75.76.78.80 to be available to telnet the other vpn point 10.10.10.1.
>>>
>>> I am trying to route traffic using PF but it is not working for the
>>> tunnel, only for the non encrypted traffic, example:
>>>
>>> rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
>>>
>>> but if I use the gif0 interface (the one for the tunnel) instead of
>>> em1 it does not work.
>>
>> I am using a slightly different setup. I have lo1 with IPs
>> 172.16.1.0/24 for jails and public IPs are RDR / NATed from the public
>> interface to local (jails).
>> I have one jail where I need to connect through OpenVPN on tap0 to
>> the MSSQL database server and from the other end (MS Windows Server)
>> allow connection in to the jailed MySQL database server. Apache from this
>> jail is publicly accessible on ports 80 and 443.
>>
>> jail_addr_0="172.16.1.2"
>> jail_tcp_0_inports="{ 80, 443 }"
>> vpn_dtc_if="tap0"
>> vpn_dtc_addr_local="10.0.0.29"
>> vpn_dtc_addr_remote="10.0.0.10"
>> vpn_dtc_inports="{ 3306 }" # let incoming to local mysql
>>
>> # outgoing connections
>> nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
>> nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
>> # incoming connections
>> rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
>> rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
>>
>> Miroslav Lachman
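A complete pf.conf assembled from the rules quoted above, as an added example and not Miroslav's actual configuration: the public address (ext_addr_3) is a constructed placeholder, lo1 is taken from his description of the jail network, and the filter rules (for which the snippet defines jail_tcp_0_inports but does not show the matching pass rule) are added so that the catch-all public rdr only admits ports 80 and 443.

```pf
# Constructed pf.conf for the lo1-jail + OpenVPN setup described in the thread.
# Values marked CONSTRUCTED are placeholders, not the poster's real addresses.
ext_if="bge0"                    # external interface, from the thread
ext_addr_3="203.0.113.3"         # CONSTRUCTED: one of the host's public IPs, dedicated to this jail
jail_if="lo1"                    # jails live on a cloned loopback (172.16.1.0/24)
jail_addr_0="172.16.1.2"
jail_tcp_0_inports="{ 80, 443 }"
vpn_dtc_if="tap0"
vpn_dtc_addr_local="10.0.0.29"
vpn_dtc_addr_remote="10.0.0.10"
vpn_dtc_inports="{ 3306 }"       # MySQL in the jail, reachable only over the tunnel

set skip on lo0
set skip on $jail_if             # host <-> jail traffic on lo1 is not filtered
scrub in all

# Translation (evaluated before the filter rules).
# Jail -> internet leaves as $ext_addr_3; jail -> VPN peer leaves as the local tunnel address.
nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local

# Anything TCP sent to the jail's public IP is rewritten to the jail's lo1 address.
# "pass" on the tunnel rdr means those packets skip the filter rules entirely,
# so only port 3306 from the VPN side ever reaches the jail through tap0.
rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0

# Filtering. rdr has already rewritten the destination, so the public-side
# rule matches on the jail address. The public rdr above catches every TCP
# port; this pass rule is what limits exposure to the listed services.
block in log all
pass out keep state
pass in on $ext_if inet proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s rules` show the resulting translation and filter rule sets.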