routing
Miroslav Lachman
000.fbsd at quip.cz
Wed Apr 23 10:45:00 UTC 2008
Nicolas de Bari Embriz Garcia Rojas wrote:
> Thanks, I tried to base my rules on yours but still have no luck.
>
> I do not know if maybe it is because of the IPSEC vpn; also what I would
> like to do is to access the end vpn point from the jails, but I still
> haven't made that work or know how to do it.
I know nothing about IPSec VPN, so I can't help you any further.
You can add the keyword "log" into your block rules in pf.conf, start pflog
(pflog_enable="YES" in rc.conf and /etc/rc.d/pflog start) and then watch
with tcpdump which rule blocks your needed traffic and what next should
be allowed / redirected.
http://www.openbsd.org/faq/pf/logging.html
Or you can ask some network / PF guru on the freebsd-pf@ mailing list.
> On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
>
>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>
>>> I have an ipsec/vpn on FreeBSD 6.3 from one master server to another
>>> server; that one has multiple jails. Each jail has its own public IP
>>> and I need to do something like this:
>>> vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
>>> 64.68.69.79/10.10.10.1             75.76.78.79/10.10.10.2
>>> when doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the
>>> jail with ip 75.76.78.80 to respond, and also from jail
>>> 75.76.78.80 to be able to telnet the other vpn point 10.10.10.1.
>>> I am trying to route traffic using PF but it is not working for the
>>> tunnel, only for the non-encrypted traffic, example:
>>> rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
>>> but if I use the gif0 interface (the one for the tunnel) instead of
>>> em1 it does not work.
>>
>>
>> I am using a slightly different setup. I have lo1 with IPs
>> 172.16.1.0/24 for jails, and public IPs are RDR / NATed from the public
>> interface to local (jails).
>> I have one jail where I need to connect through OpenVPN on tap0 to
>> the MSSQL database server and from the other end (MS Windows Server)
>> allow connections in to the jailed MySQL database server. Apache from this
>> jail is publicly accessible on ports 80 and 443.
>>
>> jail_addr_0="172.16.1.2"
>> jail_tcp_0_inports="{ 80, 443 }"
>> vpn_dtc_if="tap0"
>> vpn_dtc_addr_local="10.0.0.29"
>> vpn_dtc_addr_remote="10.0.0.10"
>> vpn_dtc_inports="{ 3306 }" # let incoming to local mysql
>>
>> # outgoing connections
>> nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
>> nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
>> # incoming connections
>> rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
>> rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
>>
>> Miroslav Lachman
>
>
> --
> > nbari
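As an added example (not from either poster), here is Miroslav's nat/rdr pattern applied to the addresses Nicolas gave, with the "log" keyword Miroslav recommends on the block rule so pflog reveals which rule drops the tunnel traffic. It assumes em1 is the public interface, gif0 the tunnel interface, and that pf actually sees the decapsulated packets on gif0, which the thread never confirmed for an IPsec tunnel.

```pf
# Added example for the thread above; macro names are this example's own.
# Assumptions: em1 = public interface, gif0 = tunnel, and pf sees the
# decrypted tunnel packets on gif0 (not confirmed for IPsec in the thread).
ext_if          = "em1"
tun_if          = "gif0"
tun_addr_local  = "10.10.10.2"   # this side of the tunnel
tun_addr_remote = "10.10.10.1"   # the other vpn point
jail_addr       = "75.76.78.80"  # jail that should answer on port 80
jail_inports    = "{ 80 }"

# jail -> other vpn point: rewrite the jail's public source address to the
# local tunnel address, otherwise the far end sees 75.76.78.80 via the tunnel
nat pass on $tun_if from $jail_addr to $tun_addr_remote -> $tun_addr_local

# other vpn point -> jail: 10.10.10.1 telnets 10.10.10.2:80, pf hands it to the jail
rdr pass on $tun_if inet proto tcp from $tun_addr_remote to $tun_addr_local port $jail_inports -> $jail_addr

# Last matching rule wins: block-and-log first, then the explicit passes.
# "log" is what makes a drop show up on pflog0 with the rule number that fired.
block log all
pass quick on lo0
pass out keep state
pass in on $ext_if inet proto tcp from any to $jail_addr port $jail_inports keep state
pass in on $tun_if inet from $tun_addr_remote to $tun_addr_local keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch the drops with `tcpdump -n -e -ttt -i pflog0` as the linked OpenBSD FAQ page shows.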