From: Oliver Peter <oliver@gfuzz.de>
To: Big Lebowski
Cc: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Date: Tue, 15 Nov 2016 14:26:09 +0100
Subject: Re: NAT Reflection rules for FreeBSD PF
Message-ID: <20161115132609.GC1675@mail.opdns.de>
List: freebsd-net (Networking and TCP/IP with FreeBSD)

On Tue, Nov 15, 2016 at 01:03:54PM +0000, Big Lebowski wrote:
> On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter wrote:
>
> > El duderino,
> >
> > On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> > >
> > > I am trying to set up an 11.0-R PF based NAT for a group of jails that
> > > needs to be able to talk to services on other jails, just as if they'd
> > > be clients from outside of the network. Apparently, this is called
> > > 'NAT reflection' and I was able to find examples for OpenBSD PF here:
> > > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> > >
> > > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve
> > > the same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via
> > > the $ext_if external IP?
> >
> > We did something similar in a customer setup a while ago:
> >
> >     nat on $int_if from $jail_host to any -> $int_ip
> >     rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
> >
> > Cheers
>
> Thanks for your response Oliver! Would you mind elaborating on it a bit
> more? I don't understand what you're trying to achieve here, since the NAT
> doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $int_if
> only holds the jail's IP addresses from the $jail_net range. How does that
> compare?

Ah, it could be that this is a bit different since you only have a single
machine; our example was a gateway with two interfaces (ext/int) doing NAT
for some machines behind it. Since your packets are created on lo0 and
routed to xn0 it might be different.

Another idea would be to re-route the packets between the two interfaces:

    pass out quick on $ext_if route-to $int_if from ($int_if:network) to $ext_if:network

This might interfere with your regular outgoing traffic; maybe the "to"
part needs a bit of tuning. Furthermore I'm not sure about the source
addresses... We have this in production to route some DNS traffic via VPN.

Split horizon DNS is no option?

Sorry for not being very helpful.

-- 
Oliver PETER  oliver@gfuzz.de  0x456D688F
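The thread points at the OpenBSD rdr FAQ recipe but never spells out the single-host variant the original poster asked for (all jails on lo0 aliases, one external interface). The fragment below is an added example for readers of the archive; it is not part of the thread and not configuration from either poster or from FreeBSD. It keeps the thread's macros ($ext_if = xn0, $jails_net = 192.168.0.0/24) and adapts the FAQ's two-rule reflection pattern, which FreeBSD 11's PF (OpenBSD 4.5-era syntax with nat/rdr translation rules) accepts. The serving jail's address, the service port and the $web_jail/$web_port macro names are assumptions; the example also assumes lo0 is not listed in a `set skip` line, since translation rules on a skipped interface never fire.

```pf
# Added example (not from the thread): NAT reflection for jails that all
# live on lo0 aliases of one FreeBSD 11 host.  Adapts the two-interface
# recipe from the OpenBSD rdr FAQ cited in the thread to the single-host
# case: the "internal" interface is lo0, the external one is xn0.
#
# Assumptions (constructed for this example, not taken from the thread):
#   - 192.168.0.10 is the jail that serves the published service
#   - the service is TCP port 80
#   - lo0 is NOT in "set skip" (otherwise nothing below applies to it)
ext_if    = "xn0"
int_if    = "lo0"
jails_net = "192.168.0.0/24"
web_jail  = "192.168.0.10"     # assumed serving jail
web_port  = "80"               # assumed service port

# Outbound masquerading for the jails (what the poster already has):
# jail traffic leaving xn0 gets xn0's current address as source.
nat on $ext_if from $jails_net to any -> ($ext_if)

# Service publication for outside clients: connections to the external
# address on the service port are redirected into the serving jail.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $web_port -> $web_jail

# Reflection, step 1: a jail that connects to the external address is
# redirected to the serving jail exactly like an outside client would be.
# This is the rule that makes the jails "see" the service the same way.
rdr pass on $int_if proto tcp from $jails_net to ($ext_if) port $web_port -> $web_jail

# Reflection, step 2 (kept as in the FAQ recipe): rewrite the source of the
# redirected connection so the serving jail answers the host's address and
# the reply is forced back through the state the rdr created, rather than
# the serving jail answering the originating jail directly.  The "no nat"
# line exempts the host's own lo0 traffic from that rewrite.
no nat on $int_if proto tcp from $int_if to $jails_net
nat on $int_if proto tcp from $jails_net to $web_jail port $web_port -> ($ext_if)

# Filter rules: let jail-to-jail traffic flow on lo0, and admit only the
# published service on xn0 (everything else inbound is left to the rest
# of the ruleset).  keep state is the default on FreeBSD 11 PF.
pass quick on $int_if
pass in on $ext_if proto tcp from any to $web_jail port $web_port
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without installing it, so a syntax slip (such as a port macro missing its `$`) is caught first. After `pfctl -f /etc/pf.conf`, `pfctl -s nat` lists the installed translation rules, and `pfctl -s state` during a test connection from one jail to the external address should show an entry whose destination has been rewritten to the serving jail; if no such state appears, check whether lo0 is skipped or whether a `set skip` or earlier `quick` rule swallows the lo0 traffic before the rdr is evaluated.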