From owner-freebsd-net@freebsd.org Wed Nov 16 11:05:30 2016
Date: Wed, 16 Nov 2016 12:05:22 +0100
From: Oliver Peter
To: Big Lebowski
Cc: Oliver Peter, freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: Re: NAT Reflection rules for FreeBSD PF
Message-ID: <20161116110522.GD1675@mail.opdns.de>
References: <20161115113705.GB1675@mail.opdns.de> <20161115132609.GC1675@mail.opdns.de>

On Tue, Nov 15, 2016 at 02:49:18PM +0000, Big Lebowski wrote:
> On Tue, Nov 15, 2016 at 1:26 PM, Oliver Peter wrote:
>
> > On Tue, Nov 15, 2016 at 01:03:54PM +0000, Big Lebowski wrote:
> > > On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter wrote:
> > >
> > > > El duderino,
> > > >
> > > > On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> > > > >
> > > > > I am trying to set up an 11.0-R PF based NAT for a group of jails that
> > > > > needs to be able to talk to services on other jails, just as if they'd
> > > > > be clients from outside of the network. Apparently, this is called
> > > > > 'NAT reflection' and I was able to find examples for OpenBSD PF here:
> > > > > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> > > > >
> > > > > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve
> > > > > the same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > > > > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via
> > > > > the $ext_if external IP?
> > > >
> > > > We did something similar in a customer setup a while ago:
> > > >
> > > > nat on $int_if from $jail_host to any -> $int_ip
> > > > rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if
> > > >     port { $service1, $service2 } -> $int_lb
> > > >
> > > > Cheers
> > >
> > > Thanks for your response Oliver! Would you mind elaborating on it a bit
> > > more? I don't understand what you're trying to achieve here, since the
> > > NAT doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The
> > > $int_if only holds the jails' IP addresses from the $jail_net range. How
> > > does that compare?
> >
> > Ah, it could be that this is a bit different since you only have a single
> > machine; our example was a gateway with two interfaces (ext/int) doing NAT
> > for some machines behind it. Since your packets are created on lo0 and
> > routed to xn0 it might be different.
> > Another idea would be to re-route the packets between the two interfaces:
> >
> > pass out quick on $ext_if route-to $int_if from ($int_if:network)
> >     to $ext_if:network
> >
> > This might interfere with your regular outgoing traffic; maybe the "to"
> > part needs a bit of tuning. Furthermore I'm not sure about the source
> > addresses... We have this in production to route some DNS traffic via
> > VPN.
> >
> > Split horizon DNS is no option?
> > Sorry for not being very helpful.
>
>
> No worries, you've been most helpful so far :)
>
> The host has two interfaces; I simply chose lo0 for jails because I wasn't
> aware it would matter, so, if need be, I can migrate the jails' IPs from lo0
> to xn1. Would it make a difference in that I'd now be able to implement the
> reflection somehow, or would I need to get the jails out of the host
> entirely and make the host provide gateway functionality only?

Well, you made me curious about this so I created two jails on an 11-RELEASE
test machine with a single external address.
jail0 is on lo0
jail1 is on lo1

For outgoing service I have:

nat on em0 from lo0:network to any -> ($ext_if)
nat on em0 from lo1:network to any -> ($ext_if)

The interesting thing here is that /all/ traffic happens on lo0 - even for
jail1, which sits on lo1 only - which I don't understand.

Furthermore it seems that since the target machine is also the source machine
and does not need any routing, the packets are not translated but directly
routed. I tested this with:

rdr pass on lo0 proto tcp from lo1:network to $ext_ip port 2224 -> $jail0 port 22

jail0 only sees the internal IP since we do not route here.

I was thinking about a mixture of PF and IPFW but this is getting nasty now.

--
Oliver PETER oliver@gfuzz.de 0x456D688F
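For reference, here is the reflection setup the thread keeps circling back to, written out for the layout Oliver describes (a gateway with a separate external and internal interface, jails or hosts on the internal network) in the separate nat/rdr translation syntax that FreeBSD 11 pf uses. This is an added example, not a ruleset from the thread or from the OpenBSD FAQ; the interface names, the network, the server address and the port are assumptions picked for the illustration. It does not cover the single-host case with jails on lo0, where Oliver observed that loopback traffic is not translated at all.

```conf
# Added example, not from the thread. Two-interface gateway; the service
# lives on a host/jail on the internal network. All names and addresses here
# are assumed values for the illustration.
ext_if  = "xn0"
int_if  = "xn1"
int_net = "192.168.0.0/24"
server  = "192.168.0.10"

# Outside clients: ordinary port forward on the external interface.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $server port 80

# Inside clients connecting to the external address: the packet arrives on
# $int_if, so it has to be redirected there as well or it never matches the
# $ext_if rule above.
rdr on $int_if proto tcp from $int_net to ($ext_if) port 80 -> $server port 80

# The gateway's own connections into the internal network must stay
# untranslated, so exempt them before the nat rule below.
no nat on $int_if proto tcp from ($int_if) to $int_net

# Reflected connections leave on $int_if with an internal source address.
# Without source translation the server would reply to the client directly,
# from an address the client never connected to, and the handshake fails.
# Rewriting the source to the gateway's internal address forces the reply
# back through the gateway, where the rdr/nat state un-translates it.
nat on $int_if proto tcp from $int_net to $server port 80 -> ($int_if)

# Filter rules see the post-translation addresses; keep state is implicit.
pass in  on $ext_if proto tcp from any      to $server port 80
pass in  on $int_if proto tcp from $int_net to $server port 80
pass out on $int_if proto tcp               to $server port 80
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then confirm the translation rules are actually in place with `pfctl -s nat`. With a client on the internal network connected to the external address, `pfctl -s state` should show the connection twice, once as the client sees it and once with the translated internal source and the server as destination; if only the first appears, the `nat on $int_if` rule is not matching and the server's replies are bypassing the gateway.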