Re: iocage, vnet jail does not go outside

From: Michael Gmelin <freebsd_at_grem.de>
Date: Fri, 23 Jul 2021 18:22:51 UTC

On Fri, 23 Jul 2021 20:04:41 +0200
Jacques Foucry <jacques+freebsd@foucry.net> wrote:

> On Friday, 23 Jul. 2021 at 19:51:42 (+0200), Michael Gmelin wrote:
> 
> Hello Michael,
> 
> > You need to enable some sort of NAT at your end, e.g. using pf.
> > Traffic is leaving your host on a private IP.  
> 
> 
> I forgot to post the part of my pf.conf, you're right. I enabled a NAT
> (maybe in a wrong way):
> 
> ext_if = em0
> int_if = "{lo0 lo1}"
> bridge_if = bridge0
> 
> icmp_types="{ echoreq, unreach }"
> 
> # ok loopback
> set skip on lo0
> set skip on lo1
> #set skip on bridge0
> 
> # define jails
> jails_net = "{192.168.12.0/24 10.0.10.0/24 2a01:4f9:4a:1fd8::/64}"
> 
> …
> 
> # nat
> nat on $ext_if from $jails_net to any -> $ext_if
> 
> …
> 
> # ExampleJail
> rdr on $ext_if inet proto tcp from any to $ext_if port $examplejail_ports -> $examplejail_v4
> rdr on $ext_if inet6 proto tcp from any to $ext_if port $examplejail_ports -> $examplejail_v6
> 
> …
> 
> pass in log quick on $ext_if proto tcp from any to $examplejail_v4 port $examplejail_ports flags S/SA keep state
> pass in log quick on $ext_if proto tcp from any to $examplejail_v6 port $examplejail_ports
> 
> …
> 
> # Allow icmp
> pass in inet proto icmp all icmp-type $icmp_types
> #IPv6 - pass in/out all IPv6 ICMP traffic
> pass in quick proto icmp6 Allow
> 
> 
> 
> Is there something wrong or missing? I was guessing that the NAT is
> correct because I can connect from outside (IPv4 and IPv6) to this
> jail.
> 
> 
> Thanks again for your time.

There's one thing on your bridge that looks wrong:

> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0
> mtu 1500 description: jails-bridge
> 	ether 58:9c:fc:10:ed:66
> 	inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
>	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>	member: vnet0.655 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>	        ifmaxaddr 0 port 6 priority 128 path cost 2000
>	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>	        ifmaxaddr 0 port 1 priority 128 path cost 20000
>	groups: bridge
>	nd6 options=9<PERFORMNUD,IFDISABLED>
>

em0 shouldn't be part of the bridge, as you don't want to bridge with
your uplink, but NAT to it.

So try

    ifconfig bridge0 deletem em0

Once done, you might need to enable ip forwarding (if it isn't enabled
already).

   service gateway enable
   sysctl net.inet.ip.forwarding=1

-m

-- 
Michael Gmelin
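As an added example (not code from either poster), the two checks Michael describes above can be scripted so they can be re-run after the fix or applied to saved `ifconfig`/`sysctl` output from another host. The script parses the bridge's `ifconfig` output for `member:` lines and a `net.inet.ip.forwarding` sysctl line; the interface names `bridge0` and `em0` are taken from the thread, and the sample bridge output embedded below is a constructed copy of the quoted one.

```shell
#!/bin/sh
# Added example: audit a NAT'd vnet-jail host for the two problems raised
# in the thread: the uplink being a bridge member, and IP forwarding off.
# Input is plain text (ifconfig / sysctl output), so it runs off-box too.

# Print the member interfaces of the bridge whose ifconfig output is on stdin.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# Succeed (exit 0) if interface $1 is a member of the bridge on stdin.
uplink_is_bridged() {
    bridge_members | grep -qx -- "$1"
}

# Succeed if the "sysctl net.inet.ip.forwarding" output on stdin shows 1.
# Accepts both "net.inet.ip.forwarding: 1" and the bare "1" from sysctl -n.
forwarding_enabled() {
    grep -Eq '^(net\.inet\.ip\.forwarding[:=][[:space:]]*)?1[[:space:]]*$'
}

# audit_nat_jail_host UPLINK BRIDGE_IFCONFIG_TEXT SYSCTL_TEXT
# Prints one FINDING line per problem and returns the number of findings,
# so 0 means the host matches the advice given in the thread.
audit_nat_jail_host() {
    uplink=$1
    bridge_text=$2
    sysctl_text=$3
    findings=0
    if printf '%s\n' "$bridge_text" | uplink_is_bridged "$uplink"; then
        echo "FINDING: $uplink is bridged with the jail network; fix: ifconfig bridge0 deletem $uplink"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$sysctl_text" | forwarding_enabled; then
        echo "FINDING: IPv4 forwarding is off; fix: service gateway enable; sysctl net.inet.ip.forwarding=1"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample, modelled on the bridge0 output quoted in the thread.
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 58:9c:fc:10:ed:66
	inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
	member: vnet0.655 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 6 priority 128 path cost 2000
	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 20000
	groups: bridge'

# Stand-alone run against the constructed sample with forwarding disabled;
# on a live FreeBSD host, replace the two strings with
#   "$(ifconfig bridge0)" and "$(sysctl net.inet.ip.forwarding)".
if [ "${1:-}" = "--demo" ]; then
    audit_nat_jail_host em0 "$SAMPLE_BRIDGE" "net.inet.ip.forwarding: 0"
    echo "findings: $?"
fi
```

Run it as `sh audit.sh --demo` to see both findings against the sample; after `ifconfig bridge0 deletem em0` and enabling forwarding, the same audit against live output should return 0.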