Date: Thu, 22 Nov 2012 10:38:10 +0000
From: Simon Dick <simond@irrelevant.org>
To: Morgan Reed <morgan.s.reed@gmail.com>
Cc: "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>
Subject: Re: natd in a jail
Message-ID: <CAPyG9gM4Ht560WEerVXvxx=W8Q=thC7FtGyaFMC5Pou2kijLBw@mail.gmail.com>
In-Reply-To: <CAKnh_YtF5f_0-vuGO0ov+JDKa_gxF+f80-DCcfxPYyew0_ZG7Q@mail.gmail.com>
References: <CAKnh_YtF5f_0-vuGO0ov+JDKa_gxF+f80-DCcfxPYyew0_ZG7Q@mail.gmail.com>
On 22 November 2012 04:00, Morgan Reed <morgan.s.reed@gmail.com> wrote:
> Hi All,
>
> I've a bit of an odd query which I hope somebody may be able to
> assist with.
>
> I'm looking to set up several OpenVPN tunnels on a single machine
> (each residing in its own jail) and route data to different
> destinations over different tunnels by selectively routing the traffic
> via a particular jail.
>
> I have three jails set up with OpenVPN tunnels terminated in each;
> they all work as expected from the "local" machine.
>
> I can't do a straightforward route over the VPN tunnel as I don't
> control the other end of the tunnel; I need to treat it as a
> point-to-point connection as a result, hence I need to use NAT.
>
> I've tested this setup with a single tunnel running off a "real"
> machine with natd providing NAT, and it works like a charm. However, when
> I move the config into a jail I run into issues: natd doesn't seem to
> be able to see the incoming traffic, nothing shows up in the logs at
> all.
>
> I'm not even sure if this is actually possible; I'm starting to
> suspect that natd can't hook in low enough from the jails to access
> the incoming traffic.
>
> Traffic gets into the jail by way of an epair interface between the
> host and the jail, bridged to the ethernet adapter by way of a bridge
> device. I can see the traffic attempting to route over the tun
> interface in the jail (but obviously it's not being NATted so nothing
> comes back), so the traffic is making it in and through the routing
> engine, just not via natd.
>
> Any suggestions here?
>
> The host is FreeBSD-8.3.

I've not used it myself, but this sounds like something VIMAGE may be good for. Basically it's a virtual TCP stack per jail; there's some docs at http://wiki.freebsd.org/Image but I seem to remember a more up to date one elsewhere, but can't find it at the moment!
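For readers who want to try the VIMAGE approach Simon points at, here is an added sketch (not code from either poster) of what the per-tunnel jail looks like when it owns its own network stack: the epair's "a" end is bridged with the LAN NIC on the host, the "b" end is moved into the jail, and the ipfw divert rule plus natd then run inside the jail against the jail's own tun0, the way they would on a standalone box. It assumes a kernel built with `options VIMAGE` (not in GENERIC on 8.3), ipfw available on the host, a jail root already installed, and a devfs ruleset that exposes /dev/tun* to the jail; the names vpn1, em0 and 192.168.1.0/24 are illustrative. The script is written as a dry run (DRYRUN=1 prints the commands) so the plan can be read and checked before it is run as root.

```shell
#!/bin/sh
# Added example, not from the thread: one vnet jail that terminates an
# OpenVPN tunnel and NATs LAN traffic over it.
# Assumptions (not stated in the thread): VIMAGE kernel, ipfw loaded on the
# host, jail root installed at $JPATH, a devfs ruleset exposing /dev/tun* to
# the jail, and an OpenVPN client config already in the jail. All names and
# addresses below are illustrative placeholders.
JAIL=${JAIL:-vpn1}
JPATH=${JPATH:-/jails/vpn1}
EXT_IF=${EXT_IF:-em0}              # host NIC on the LAN
BRIDGE=${BRIDGE:-bridge0}
EPAIR=${EPAIR:-epair0}             # epair0a stays on the host, epair0b goes in
JAIL_IP=${JAIL_IP:-192.168.1.50/24}
LAN_GW=${LAN_GW:-192.168.1.1}      # how the jail reaches the VPN server
DRYRUN=${DRYRUN:-1}                # 1 = print the commands, 0 = execute as root

# Print or execute a command depending on DRYRUN.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Host side: create the epair, bridge its "a" end with the LAN NIC, start the
# jail with its own network stack ("vnet") and hand the "b" end to it.
host_setup() {
    run ifconfig "$EPAIR" create
    run ifconfig "$BRIDGE" create
    run ifconfig "$BRIDGE" addm "$EXT_IF" addm "${EPAIR}a" up
    run ifconfig "${EPAIR}a" up
    run jail -c name="$JAIL" path="$JPATH" host.hostname="$JAIL" vnet persist
    run ifconfig "${EPAIR}b" vnet "$JAIL"
}

# Jail side: a vnet jail has its own lo0, routing table and ipfw instance, so
# the divert rule and natd are configured inside it, exactly as on a real host.
jail_setup() {
    run jexec "$JAIL" ifconfig lo0 127.0.0.1/8 up
    run jexec "$JAIL" ifconfig "${EPAIR}b" inet "$JAIL_IP" up
    run jexec "$JAIL" route add default "$LAN_GW"
    # Per-vnet sysctl; verify on your kernel that jailed root may set it.
    run jexec "$JAIL" sysctl net.inet.ip.forwarding=1
    # OpenVPN creates tun0 inside the jail's stack. Routes for the destinations
    # that should use this tunnel are pushed by the server or added with route(8).
    run jexec "$JAIL" openvpn --daemon --config /usr/local/etc/openvpn/client.conf
    # Divert everything crossing tun0 to natd; let the rest through.
    run jexec "$JAIL" ipfw -q add 100 divert natd ip from any to any via tun0
    run jexec "$JAIL" ipfw -q add 65000 allow ip from any to any
    run jexec "$JAIL" natd -n tun0
}

host_setup
jail_setup
```

Other machines on the LAN then route the destinations that should use this tunnel via the jail's LAN address (192.168.1.50 here); because the jail's epair is bridged onto the same segment, the jail is a normal next hop to them. Repeat with a different epair, jail name and LAN address for each additional tunnel.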