Fwd: natd in a jail

Morgan Reed morgan.s.reed at gmail.com
Thu Nov 22 11:38:35 UTC 2012

Hmm, list was missing from reply-to on this one.

---------- Forwarded message ----------
From: Morgan Reed <morgan.s.reed at gmail.com>
Date: Thu, Nov 22, 2012 at 10:36 PM
Subject: Re: natd in a jail
To: Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au>

On Thu, Nov 22, 2012 at 9:33 PM, Dewayne Geraghty
<dewayne.geraghty at heuristicsystems.com.au> wrote:
> We run a lot of jails with kernel nat and ipfw (& ipsec but that's not what
> you need here). Some of the hosts haven't migrated from natd to kernel nat,
> so we're probably similar to your setup.

Sounds very similar, just substituting OpenVPN for IPSec.

> 90% of our jails have a 192.168/16 that nat via an external interface with
> a routable address, and an internal non-routable address (i.e. non-RFC1918);
> which is probably what you're doing for your VPN stuff.
> Our openvpn's all use tun, I would suggest that your natd isn't doing
> exactly like you'd wish - on a good day it can be tricky to get right and
> tcpdump is your friend, which should be monitored in both your host
> environment and within the jail. You'll need to enable allow.raw_sockets
> and you'll probably want to enable bpf to be available in your jail, if you
> haven't already done so.

BPF is enabled for the jails, and the traffic is getting to where it
needs to (but not via natd). I'll try enabling raw_sockets in the
jails; it is entirely conceivable that natd requires that.

Thanks for your assistance, I'll see how I go and report back.

Best Regards,

Morgan Reed

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759
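As an added example that is not part of this thread or of FreeBSD itself: a small POSIX sh audit that reads a jail.conf(5)-style file and a devfs.rules(5) file and reports, per jail, whether allow.raw_sockets is effective and whether the jail's devfs ruleset leaves bpf devices visible, the two settings Dewayne suggests enabling. Both widen what a jail can do on the network, so an operator wants a quick list of which jails have them. The jail names, addresses, ruleset numbers and file contents are constructed samples written to temp files, and the function names are mine; on a real host you would point the functions at /etc/jail.conf and /etc/devfs.rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a jail.conf(5)-style file
# for allow.raw_sockets and for a devfs_ruleset that unhides bpf devices.
# The jail.conf and devfs.rules(5) contents below are constructed samples.

JAIL_CONF=$(mktemp) || exit 1
DEVFS_RULES=$(mktemp) || exit 1
trap 'rm -f "$JAIL_CONF" "$DEVFS_RULES"' EXIT

cat >"$JAIL_CONF" <<'EOF'
# constructed sample: global default first, then per-jail blocks
allow.raw_sockets = 0;
vpn {
    path = /jails/vpn;
    ip4.addr = 192.168.10.2;
    allow.raw_sockets = 1;
    devfs_ruleset = 5;
}
web {
    path = /jails/web;
    ip4.addr = 192.168.10.3;
    allow.noraw_sockets;
}
dns {
    path = /jails/dns;
    ip4.addr = 192.168.10.4;
    devfs_ruleset = 6;
}
EOF

cat >"$DEVFS_RULES" <<'EOF'
# constructed sample devfs.rules(5) rulesets
[devfsrules_jail_bpf=5]
add include $devfsrules_jail
add path 'bpf*' unhide

[devfsrules_jail_plain=6]
add include $devfsrules_jail
EOF

# jail_names CONF: print the name of every jail block in CONF
jail_names() {
    awk '/^[ \t]*[A-Za-z0-9_.-]+[ \t]*\{/ { n=$1; sub(/\{.*/, "", n); print n }' "$1"
}

# jail_param CONF JAIL PARAM: print JAIL's value for PARAM. A setting inside
# the jail block wins over the global default; a bare "allow.X;" and the
# "allow.noX;" form are the boolean short forms from jail.conf(5).
# Prints "unset" when the parameter is never given.
jail_param() {
    awk -v jail="$2" -v param="$3" '
        BEGIN { neg = (param ~ /^allow\./) ? "allow.no" substr(param, 7) : "" }
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*\{/ { cur=$1; sub(/\{.*/, "", cur); next }
        /^[ \t]*\}/ { cur=""; next }
        {
            line=$0; sub(/;.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line)
            key=line; sub(/[ \t]*=.*/, "", key)
            if (key == param) {
                if (line ~ /=/) { val=line; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val) }
                else { val="1" }
            } else if (neg != "" && key == neg) { val="0" }
            else { next }
            if (cur == "") { def=val } else if (cur == jail) { own=val }
        }
        END { r = (own != "") ? own : ((def != "") ? def : "unset"); print r }
    ' "$1"
}

# devfs_exposes_bpf RULES N: "yes" if ruleset N in RULES unhides a bpf path
# directly. A bpf unhide inherited through "add include" is not followed here.
devfs_exposes_bpf() {
    awk -v want="$2" '
        /^\[/ { n=$0; sub(/.*=/, "", n); sub(/\].*/, "", n); in_set=(n==want); next }
        in_set && /unhide/ && /bpf/ { hit=1 }
        END { r = hit ? "yes" : "no"; print r }
    ' "$1"
}

# report CONF RULES: one line per jail. Per jail(8), devfs_ruleset 0 (the
# default when unset) enforces no ruleset, so nothing in devfs is hidden.
report() {
    for j in $(jail_names "$1"); do
        raw=$(jail_param "$1" "$j" allow.raw_sockets)
        rs=$(jail_param "$1" "$j" devfs_ruleset)
        case "$rs" in
            unset|0) bpf="yes (no ruleset enforced)" ;;
            *)       bpf=$(devfs_exposes_bpf "$2" "$rs") ;;
        esac
        printf '%-5s allow.raw_sockets=%-5s devfs_ruleset=%-5s bpf_visible=%s\n' \
            "$j" "$raw" "$rs" "$bpf"
    done
}

report "$JAIL_CONF" "$DEVFS_RULES"
```

Running it prints one line per jail; in the constructed sample, vpn has both raw sockets and bpf, web has neither setting but no devfs ruleset at all (so bpf is visible anyway), and dns inherits the global allow.raw_sockets=0 and uses a ruleset that hides bpf. The rule-number check only looks at rules written directly in the named ruleset, so a ruleset that reaches bpf through an include would need the included set inspected as well.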

