NAT Reflection rules for FreeBSD PF

Oliver Peter lists at peter.de.com
Tue Nov 15 11:47:12 UTC 2016


El duderino,

On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> 
> I am trying to set up a 11.0-R PF based NAT for group of jails that needs
> to be able to talk to services on other jails, just as if they'd be clients
> from outside of the network. Apparently, this is called 'NAT reflection'
> and I was able to find examples for OpenBSD PF here:
> https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> 
> Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> $ext_if external IP?

We did something similar in a customer setup a while ago:

	# source-NAT jail traffic arriving on the internal interface, so the target answers via the firewall
	nat on $int_if from $jail_host to any -> $int_ip
	# redirect (and pass) jail connections to the external address back to the internal load balancer
	rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb

Cheers


-- 
Oliver PETER       oliver at gfuzz.de       0x456D688F
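A fuller pf.conf fragment for the setup described in the question, added here as an illustration; it is not taken from the reply above or from FreeBSD's own documentation. Interface and network names follow the question (xn0, lo0, 192.168.0.0/24); the serving jail address 192.168.0.10, the host alias usage and the ports 80/443 are assumptions. The syntax is the pre-OpenBSD-4.7 form that FreeBSD 11 pf uses, with translation rules placed before filter rules as pf requires.

```pf
# /etc/pf.conf fragment: NAT reflection for jails aliased on lo0 (FreeBSD 11 pf syntax)
ext_if    = "xn0"
jail_if   = "lo0"               # jail addresses are aliases on lo0, as in the question
jail_net  = "192.168.0.0/24"
web_jail  = "192.168.0.10"      # assumed: the jail that serves the published ports
web_ports = "{ 80, 443 }"       # assumed: the published services

# pf has to see the looped-back traffic on lo0 for reflection to work, so there
# is deliberately no 'set skip on lo0' here (many sample pf.conf files have one).

scrub in all

# --- translation rules (pf requires these before the filter rules) ---

# Outbound NAT for the jails, as already in place in the question
nat on $ext_if from $jail_net to any -> ($ext_if)

# Public redirect: outside clients reach the web jail through the external IP
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $web_jail

# Reflection: a jail connecting to the external IP is redirected to the web jail
# exactly like an outside client. The kernel loops the packet back through lo0,
# which is where pf catches and rewrites it. 'rdr pass' lets these connections
# through without consulting the filter rules below.
rdr pass on $jail_if proto tcp from $jail_net to ($ext_if) port $web_ports -> $web_jail

# --- filter rules (evaluated after translation, so they see the jail address) ---
block in all
pass out all keep state
pass in on $ext_if proto tcp from any to $web_jail port $web_ports keep state
# jail-to-jail traffic on lo0; tighten to the services you actually need
pass in on $jail_if from $jail_net to $jail_net keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the translation rules with `pfctl -sn`. Because the jails live on the same host, both directions of the redirected connection traverse the host stack and match the state pf created on lo0, so the serving jail sees the real client jail address in its logs. The `nat on $int_if` rule in the reply above covers the case where the redirect target is a separate machine behind the internal interface: source-NATting to the firewall's internal address forces that machine to answer through the firewall instead of directly to the client, at the cost of hiding the client address from it.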