Multi-homing, jails, and source address selection

Stefan Bethke stb at lassitu.de
Thu Mar 12 08:30:32 PDT 2009


I'm having some trouble configuring a dual-homed jail host, running
-current from about 4 weeks ago.

My machine has one external interface em0 connected to a /27 IPv4
network. Additionally, I have a VPN interface tun0 provided by an
OpenVPN instance with a private /18 range.

I'd like my jails to be dual-homed, with a public and a VPN address
each. Processes in the jail should pick the appropriate source address
depending on the destination address, so that the source address for a
connection going to a VPN address will be the jail's VPN address, and
all other connections will use the jail's public IP.

I have a couple of questions that I can't seem to find answers to:

How do I get the VPN addresses configured? tun0 won't accept them
(since ptp interfaces require a destination address). If I use lo0, I
seem to have source address selection issues. I've experimented with
various setups, but haven't found one that would work just right. In
the example below, if I ping from foo to a VPN address, the source
address is foo's public IP. If I run ping with -S10.0.63.3, the
source address is still 192.0.2.3.

Is there any documentation on how source addresses are selected? I
thought I remembered that on unbound sockets the destination route
would be used to pick the first address of the outgoing interface as
the source address; the same address would be picked on connecting a
socket.

I'm currently running with this configuration in rc.conf:

cloned_interfaces="tun0"
ifconfig_em0="192.0.2.2/27"
ifconfig_tun0="10.0.63.1 10.0.63.255"

defaultrouter="192.0.2.1"
inetd_flags="-wW -a 192.0.2.2"
static_routes="openvpn"
route_openvpn="10.0.0.0/18 10.0.63.255"

jail_enable="YES"
jail_set_hostname_allow="NO"
jail_sysvipc_allow="YES"
jail_devfs_enable="YES"
jail_mount_enable="YES"

jail_list="foo bar baz"
jail_foo_rootdir="/jail/foo.example.com"
jail_foo_hostname="foo.example.com"
jail_foo_ip="em0|192.0.2.3,lo0|10.0.63.3"


Any suggestions?

-- 
Stefan Bethke <stb at lassitu.de>   Fon +49 151 14070811
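The post asks how to see which source address the kernel actually picks for a given destination, and whether it matches the intended split between the jail's public and VPN addresses. The script below is an added example, not part of the original mail or of FreeBSD; it queries the running kernel's choice with a connect() on an unconnected UDP socket (which sends no packet, only performs the route lookup and source selection) and compares the result with a policy table. The policy table, the jail name "foo", the addresses 192.0.2.3 and 10.0.63.3 and the 10.0.0.0/18 range are taken from the rc.conf in the post; the helper names and the sample destination list are assumptions made for this example.

```python
import ipaddress
import socket
from typing import Optional

# Policy mirroring the post's intent: the jail "foo" has a public address
# on the /27 and a VPN address inside 10.0.0.0/18. Values come from the
# posted rc.conf; the table itself is an assumption about desired behaviour.
VPN_NET = ipaddress.ip_network("10.0.0.0/18")
JAIL_FOO = {"public": "192.0.2.3", "vpn": "10.0.63.3"}


def expected_source(dst: str, jail: dict = JAIL_FOO) -> str:
    """Source address the post wants used for a given destination."""
    if ipaddress.ip_address(dst) in VPN_NET:
        return jail["vpn"]
    return jail["public"]


def kernel_source(dst: str, port: int = 9,
                  bind_addr: Optional[str] = None) -> Optional[str]:
    """Ask the running kernel which source address it would use for dst.

    connect() on a UDP socket transmits nothing; it only runs the routing
    lookup and source address selection, which getsockname() then reveals.
    bind_addr mimics 'ping -S <addr>'. Returns None instead of raising when
    there is no route to dst or bind_addr is not a local address.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_addr is not None:
            s.bind((bind_addr, 0))
        s.connect((dst, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def audit(destinations, jail: dict = JAIL_FOO):
    """Compare the kernel's choice with policy for each destination.

    Returns (dst, expected, actual, ok) tuples; ok is False whenever the
    kernel picked a different address than policy expects, which is
    exactly the symptom described in the post.
    """
    report = []
    for dst in destinations:
        want = expected_source(dst, jail)
        got = kernel_source(dst)
        report.append((dst, want, got, got == want))
    return report


if __name__ == "__main__":
    # Constructed sample destinations: VPN peer, another VPN host, the
    # default router, and an unrelated public address.
    sample = ["10.0.63.1", "10.0.1.7", "192.0.2.1", "198.51.100.9"]
    for dst, want, got, ok in audit(sample):
        print(f"{dst:>14}  expected {want:<12} kernel chose {str(got):<12} "
              f"{'ok' if ok else 'MISMATCH'}")
```

Run it inside the jail (or on the host with the jail's addresses configured) to get a line per destination; a MISMATCH on a VPN destination shows that the route lookup is steering the connection to an interface whose first address is the public one, which is where the lo0-versus-tun0 placement of the VPN address matters.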