From: Kristen Nielsen <krn@krn.dk>
To: freebsd-net@freebsd.org
Subject: Re: NAT Reflection rules for FreeBSD PF
Date: Tue, 15 Nov 2016 15:50:06 +0100
Message-ID: <582B209E.1080000@krn.dk>
In-Reply-To: <20161115113705.GB1675@mail.opdns.de>

Hi.

We have had the same needs earlier, but solved it in our network. Although I have been considering the possibility if there was an easy ACL-based way to get jails to talk with each other, e.g. with sockets and related filters in the 127.0.0.0/8 IP range. Without having deep insights into the kernel network code, I would believe it may not be too difficult to realise a solution like this.

Of course it will only work on jails on single hosts (on the same host) and would introduce tighter bonds between jails using this feature.

Just a thought I would like to share with the list.

Kristen

On 15-11-2016 at 12:37, Oliver Peter wrote:
> El duderino,
>
> On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
>> I am trying to set up a 11.0-R PF based NAT for a group of jails that needs
>> to be able to talk to services on other jails, just as if they'd be clients
>> from outside of the network. Apparently, this is called 'NAT reflection'
>> and I was able to find examples for OpenBSD PF here:
>> https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
>>
>> Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
>> same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
>> $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
>> $ext_if external IP?
> We did something similar in a customer setup a while ago:
>
> nat on $int_if from $jail_host to any -> $int_ip
> rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
>
> Cheers
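The following pf.conf fragment is an added example for this thread, not configuration posted by any of the participants. It fills in the macros that Oliver Peter's two rules leave undefined and carries the OpenBSD FAQ's reflection pattern (rdr on the internal side plus a source nat) over to FreeBSD 11 pf, whose translation rules still use the older nat/rdr keywords and must precede the filter rules. The interface name, the public address, the web jail's address, the host's own address on lo0 (host_lo) and the port list are all placeholders chosen for illustration; the setup assumed is the one from the question (jail addresses aliased on lo0, external traffic on xn0).

```pf
# Macros: every value here is a placeholder for the example, not a real deployment
ext_if    = "xn0"
ext_ip    = "198.51.100.10"        # placeholder public address configured on $ext_if
jails_net = "192.168.0.0/24"       # jail addresses, aliased on lo0
host_lo   = "192.168.0.1"          # assumed: the host's own address inside $jails_net on lo0
web_jail  = "192.168.0.10"         # the jail that actually serves the published ports
services  = "{ 80, 443 }"

# lo0 must NOT appear in "set skip on ...": the reflection rules below are
# attached to lo0 and would never match if pf ignored that interface.

# --- Translation rules (FreeBSD 11 pf: these go before the filter rules) ---

# 1. Ordinary outbound NAT so the jails can reach the Internet at all
nat on $ext_if from $jails_net to any -> ($ext_if)

# 2. Outside clients hitting the public address are forwarded to the web jail
rdr pass on $ext_if proto tcp from any to $ext_ip port $services -> $web_jail

# 3. Reflection: a jail that connects to the *public* address is redirected to
#    the web jail too. Jail-to-host-address traffic is delivered over lo0, so
#    pf sees it inbound on lo0 and the rdr has to live there.
rdr pass on lo0 proto tcp from $jails_net to $ext_ip port $services -> $web_jail

# 4. Rewrite the source of the reflected connection to the host's lo0 address,
#    mirroring the "nat on $int_if" rule of the OpenBSD FAQ. The host's own
#    connections to the jails are exempted first so they are not rewritten.
no nat on lo0 proto tcp from $host_lo to $jails_net
nat on lo0 proto tcp from $jails_net to $web_jail port $services -> $host_lo

# --- Filter rules: only allow what the translations above produce ---
pass in quick on $ext_if proto tcp from any to $web_jail port $services flags S/SA keep state
pass in quick on lo0 proto tcp from $jails_net to $web_jail port $services keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then open a connection from one jail to the public address and look at `pfctl -s state`: you should see one rdr state on lo0 whose destination has become the web jail's address. Rule 4 is the part most worth testing on your own host; on a single machine the web jail's replies already travel back over lo0 and hit the rdr state, so if the connection completes with rule 4 commented out you can leave the source untouched, which keeps the real jail address visible in the web jail's logs and access controls.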