From owner-freebsd-jail@FreeBSD.ORG Sat Apr 26 20:59:28 2008
From: Nicolas de Bari Embriz Garcia Rojas
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Date: Sat, 26 Apr 2008 15:59:16 -0500
Subject: Re: routing
In-Reply-To: <48106D04.5040103@quip.cz>
References: <695A90A5-CB7E-4C5A-AA6C-C4EB148FF320@k9.cx> <480E53F2.5010502@quip.cz> <821C3EED-42A0-4ADA-982E-3A5EABB5E1A4@k9.cx> <48106D04.5040103@quip.cz>

I used your rules and it worked; it is just that, for an unknown reason, if I restart the VPN on the master host it stops working. It also takes some time to work. Any ideas?
regards

On Apr 24, 2008, at 6:20 AM, Miroslav Lachman wrote:

> Nicolas de Bari Embriz Garcia Rojas wrote:
>
>> In your example what values are for ext_addr_3, ext_if?
>
> Server has external interface bge0 (connected to internet)
> ext_if="bge0"
> and 4 public IP addresses, $ext_addr_3 is one of them (dedicated to
> this jail usage)
>
>
>> On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
>>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>>
>>>> I have an ipsec/vpn on FreeBSD 6.3 from one master server to
>>>> another server; the one has multiple jails. Each jail has its own
>>>> public IP and I need to do something like this:
>>>>
>>>> vpn point >----------------------< master server with jails
>>>>                                                 <------- > jail (75.76.78.80)
>>>> 64.68.69.79/10.10.10.1           75.76.78.79/10.10.10.2
>>>>
>>>> When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want
>>>> the jail with IP 75.76.78.80 to respond, and also from
>>>> jail 75.76.78.80 to be able to telnet the other vpn point
>>>> 10.10.10.1.
>>>> I am trying to route traffic using PF but it is not working for the
>>>> tunnel, only for the non-encrypted traffic, example:
>>>> rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
>>>> but if I use the gif0 interface (the one for the tunnel) instead
>>>> of em1 it does not work.
>>>
>>>
>>> I am using a slightly different setup. I have lo1 with IPs
>>> 172.16.1.0/24 for jails and public IPs are RDR / NATed from
>>> the public interface to local (jails).
>>> I have one jail where I need to connect through OpenVPN on tap0
>>> to the MSSQL database server and from the other end (MS Windows
>>> Server) allow connections in to the jailed MySQL database server.
>>> Apache from this jail is publicly accessible on ports 80 and 443.
>>>
>>> jail_addr_0="172.16.1.2"
>>> jail_tcp_0_inports="{ 80, 443 }"
>>> vpn_dtc_if="tap0"
>>> vpn_dtc_addr_local="10.0.0.29"
>>> vpn_dtc_addr_remote="10.0.0.10"
>>> vpn_dtc_inports="{ 3306 }" # let incoming to local mysql
>>>
>>> # outgoing connections
>>> nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
>>> nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
>>> # incoming connections
>>> rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
>>> rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
>>>
>>> Miroslav Lachman
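Added example, not code from the thread or from either poster: a small Python tool that does what pfctl does with a ruleset before loading it, namely expand $macro references, join backslash-continued lines and drop comments, and then lists which nat/rdr rules are bound to which interface. That last step is the point of the thread: a translation rule only sees packets on the interface named in its "on" clause, so a redirect written for em1 never applies to traffic arriving decapsulated on the tunnel interface. The ruleset embedded below is Miroslav's fragment with ext_if set to bge0 as he states; the ext_addr_3 value is a constructed placeholder (TEST-NET), and the helper names are my own.

```python
"""Expand pf.conf macros and list the nat/rdr rules bound to each interface.

Added example for the freebsd-jail thread; not code from the thread itself.
The ruleset is Miroslav Lachman's fragment; ext_addr_3 is a constructed
placeholder, since the real public address is not given in the thread.
"""
import re

PFCONF = r'''
ext_if="bge0"
ext_addr_3="192.0.2.3"          # constructed placeholder for one public IP
jail_addr_0="172.16.1.2"
jail_tcp_0_inports="{ 80, 443 }"
vpn_dtc_if="tap0"
vpn_dtc_addr_local="10.0.0.29"
vpn_dtc_addr_remote="10.0.0.10"
vpn_dtc_inports="{ 3306 }"      # let incoming to local mysql

# outgoing connections
nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote \
    -> $vpn_dtc_addr_local
# incoming connections
rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
rdr pass on $vpn_dtc_if inet proto tcp from any to \
    $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
'''

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def _logical_lines(text):
    """Strip comments and join backslash-continued lines into single rules."""
    joined, pending = [], ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            pending += line[:-1] + ' '
            continue
        # collapse runs of whitespace left over from the continuation indent
        line = ' '.join((pending + line).split())
        pending = ''
        if line:
            joined.append(line)
    return joined


def expand(text):
    """Return (macros, expanded_rules); raise KeyError on an undefined macro.

    pfctl rejects a ruleset that references an undefined macro, so surfacing
    the KeyError here mirrors the load-time failure an operator would see.
    """
    macros, rules = {}, []
    for line in _logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            # a macro value may reference macros defined earlier
            macros[m.group(1)] = MACRO_REF.sub(lambda r: macros[r.group(1)], m.group(2))
            continue
        rules.append(MACRO_REF.sub(lambda r: macros[r.group(1)], line))
    return macros, rules


def rules_on(rules, ifname):
    """Rules whose 'on <if>' clause binds them to ifname."""
    pat = re.compile(r'\bon\s+' + re.escape(ifname) + r'\b')
    return [r for r in rules if pat.search(r)]


if __name__ == "__main__":
    macros, rules = expand(PFCONF)
    for ifname in (macros["ext_if"], macros["vpn_dtc_if"]):
        print(f"rules bound to {ifname}:")
        for rule in rules_on(rules, ifname):
            print("  " + rule)
```

Running it prints the two rules bound to bge0 and the two bound to tap0 with every macro resolved, which is the same view `pfctl -nvf pf.conf` gives on the host; checking the expanded text against the interface the tunnel traffic actually arrives on (gif0 in Nicolas's setup, tap0 in Miroslav's) is the quickest way to confirm a redirect is attached to the right interface.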