Problem with pf route-to in jail

skridsko grafstrom skridsko at gmail.com
Wed Sep 12 19:00:33 PDT 2007


Encountered a weird problem with pf, but before going into that, a
description of my network,

Network interfaces -
1) lnc0 - ethernet interface, inet 192.168.1.2 netmask 255.255.255.0
2) ng0 - netgraph pptp interface, 10.0.0.2 -> 10.0.0.1 point-to-point
3) vlan0 - virtual interface, inet 172.16.1.1 netmask 255.255.255.255

Default gateway - 192.168.1.1

I have a jail running on the vlan0 IP, i.e. 172.16.1.1, and I want to route
all traffic from the jail through ng0, i.e. all jail traffic goes through
pptp. Since I'm unable to change the default route for the jail, I
resorted to using pf. Below are my rules,

nat on ng0 from vlan0 to any -> ng0
rdr on ng0 from any to ng0 -> vlan0
pass out route-to ng0 from vlan0 to !vlan0

This works, but only partially, with the following observations,

1) Ping works, but only for the first packet; subsequent packets are lost
ping -c4 google.com
PING google.com (64.233.187.99): 56 data bytes
64 bytes from 64.233.187.99: icmp_seq=0 ttl=244 time=278.728 ms

--- google.com ping statistics ---
4 packets transmitted, 1 packets received, 75% packet loss
round-trip min/avg/max/stddev = 278.728/278.728/278.728/0.000 ms

2) DNS resolution works fine, as do traceroutes (a sign of UDP working?)

3) Using nc to connect to a remote listening port shows successful
connection but no data can be sent subsequently in the same nc
session.

Can anyone help with what's going on here? Or provide a better
solution on how to achieve the setup I want? Thanks!
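To check whether replies are reaching the pf state entries at all (the ping above sent 4 packets and got 1 back), here is an added diagnostic script, not part of the original post, that scans `pfctl -vss` output for one address and reports states whose outbound packet counter far exceeds the inbound one. The state-line and counter layout is assumed from pfctl's verbose state listing of that era, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: summarise pf state entries for one address and flag flows
# where most outbound packets never saw a reply (e.g. "4:1 pkts").
# Assumed `pfctl -vss` layout (verify against your pf version):
#   self icmp 172.16.1.1:14 -> 10.0.0.2:14 -> 64.233.187.99:14   0:0
#      age 00:00:05, expires in 00:00:05, 4:1 pkts, 336:84 bytes, rule 3

# Usage: pfctl -vss | check_states 172.16.1.1
# Prints "<proto> <src> -> <dst> out=<n> in=<m>" per suspect flow.
check_states() {
    awk -v addr="$1" '
    # State line: protocol in field 2, destination just before the state name.
    $2 ~ /^(tcp|udp|icmp)$/ {
        flow = ""
        if (index($3, addr ":") == 1)
            flow = $2 " " $3 " -> " $(NF - 1)
        next
    }
    # Counter line for a matched state: "..., <out>:<in> pkts, ..."
    flow != "" {
        for (i = 2; i <= NF; i++)
            if ($i == "pkts,") {
                split($(i - 1), p, ":")
                out = p[1] + 0; in_ = p[2] + 0
                # flag when more than half of the outbound packets got no reply
                if (out >= 2 && in_ * 2 < out)
                    print flow " out=" out " in=" in_
                flow = ""
            }
    }'
}

# Constructed sample in the assumed `pfctl -vss` format (not real output).
sample_states() {
    cat <<'EOF'
self icmp 172.16.1.1:14 -> 10.0.0.2:14 -> 64.233.187.99:14       0:0
   age 00:00:05, expires in 00:00:05, 4:1 pkts, 336:84 bytes, rule 3
self udp 172.16.1.1:49200 -> 10.0.0.2:49200 -> 192.168.1.1:53       MULTIPLE:MULTIPLE
   age 00:00:02, expires in 00:00:58, 2:2 pkts, 120:300 bytes, rule 3
self tcp 192.168.1.2:49300 -> 64.233.187.99:80       ESTABLISHED:ESTABLISHED
   [3036011135 + 16384] wscale 0  [1599623305 + 16384] wscale 0
   age 00:00:03, expires in 23:59:57, 6:1 pkts, 400:60 bytes, rule 1
EOF
}
```

Run it against the live state table with `pfctl -vss | check_states 172.16.1.1`; the udp DNS state above is balanced and is not reported, while the icmp flow with one reply in four is.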
