natd in a jail

Morgan Reed morgan.s.reed at
Thu Nov 22 04:00:27 UTC 2012

Hi All,

     I've a bit of an odd query which I hope somebody may be able to
assist with.

I'm looking to set up several OpenVPN tunnels on a single machine
(each residing in its own jail) and route data to different
destinations over different tunnels by selectively routing the traffic
via a particular jail.

I have three jails set up with OpenVPN tunnels terminated in each,
they all work as expected from the "local" machine.

I can't do a straight forward route over the VPN tunnel as I don't
control the other end of the tunnel, I need to treat it as a
point-to-point connection as a result, hence I need to use NAT.

I've tested this setup with a single tunnel running off a "real"
machine with natd providing NAT, it works like a charm, however, when
I move the config into a jail I run into issues, natd doesn't seem to
be able to see the incoming traffic, nothing shows up in the logs at

I'm not even sure if this is actually possible, I'm starting to
suspect that natd can't hook in low enough from the jails to access
the incoming traffic.

Traffic gets into the jail by way of an epair interface between the
host and the jail, bridged to the ethernet adapter by way of a bridge
device, I can see the traffic attempting to route over the tun
interface in the jail (but obviously it's not being NATted so nothing
comes back) so the traffic is making it in and through the routing
engine, just not via natd.

Any suggestions here?

The host is FreeBSD-8.3.



More information about the freebsd-stable mailing list