From owner-freebsd-net@FreeBSD.ORG Wed Aug 29 13:19:29 2007
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DB09516A41B for ; Wed, 29 Aug 2007 13:19:29 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from outV.internet-mail-service.net (outV.internet-mail-service.net [216.240.47.245]) by mx1.freebsd.org (Postfix) with ESMTP id BCA0C13C45A for ; Wed, 29 Aug 2007 13:19:29 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.40) with ESMTP; Wed, 29 Aug 2007 06:19:16 -0700
Received: from julian-mac.elischer.org (fibhost-122-174.fibernet.bacs-net.hu [85.66.122.174]) by idiom.com (Postfix) with ESMTP id 2B4EA1261F2; Wed, 29 Aug 2007 06:19:14 -0700 (PDT)
Message-ID: <46D5724E.8020208@elischer.org>
Date: Wed, 29 Aug 2007 06:19:10 -0700
From: Julian Elischer
User-Agent: Thunderbird 2.0.0.6 (Macintosh/20070728)
MIME-Version: 1.0
To: Jeffrey Williams , freebsd-jail@freebsd.org, freebsd-net@freebsd.org
References: <46D4983E.2050305@sailorfej.net> <20070828224314.GB4446@tcbug.org>
In-Reply-To: <20070828224314.GB4446@tcbug.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: Running jails on multiple subnets with multiple interfaces
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Wed, 29 Aug 2007 13:19:29 -0000

Josh Paetzel wrote:
> Jeffrey Williams wrote:
>> I have a server with two interfaces. I want to run the host and a couple of
>> jails using one interface on one subnet (internal interface, private IP, behind
>> NAT/firewall) and some other jails using the other interface on another subnet
>> (external interface, public IP, DMZ).
>>
>> Now my understanding of the challenge in doing this is that the network stack
>> is not "virtualized" in the jails, so all the jails use the same routing table,
>> and for obvious reasons only one default router. (Also, just for the sake of
>> clarity, I don't want to enable routing between interfaces on the jail host.)
>>
>> Now if I understand all this correctly, then what will happen is: if I set the
>> default router to the internal network's exit router (the NAT/firewall), then
>> the jails listening on the external interface will only be able to talk to
>> their local subnet, and because the internal subnet won't exist for them they
>> won't be able to connect to the network at large.
>>
>> If I set the default router to the external network's exit router (the DMZ
>> perimeter firewall), then the host and jails listening on the internal network
>> won't be able to talk to the internet beyond the local nets: the jails because
>> the external network doesn't exist for them, and the host because, even though
>> it can talk to both nets, the services are configured to only listen on the
>> internal net, and it will be trying to send all outgoing traffic to the public
>> net, thus not creating any NAT table entries on the NAT/firewall for the
>> return connections.
>>
>> Is there any way to achieve what I am trying to do?
>>
>> Thanks
>> Jeffrey Williams
>
> PF makes a very effective workaround to this with its route-to
> option, effectively letting you bypass the routing table altogether
> and set up per-IP behavior.
>
> For instance, I use it in the following scenario, where a box has two
> interfaces with public IPs and I don't want answers to connections on
> the 'secondary' interface to go out the default route.

ipfw can also do this using the fwd rule.
In 7.x (and 6-stable) you can also do:

    ipfw table 1 add 1.2.3.4/28 2.2.2.2    <-- a specific route
    ipfw table 1 add 0.0.0.0/0 3.3.3.3     <-- a default route
    ipfw add 300 fwd tablearg ip from ${ADDRESS2} to table(1) out

>
> connection 1's router 192.168.1.1
> em0 ip 192.168.1.2/24
>
> connection 2's router 10.0.0.1
> em1 ip 10.0.0.2/24
>
> if connection 1 is the 'primary' link then set the default route to
> 192.168.1.1 and put the following rule in pf.conf
>
> pass out route-to (em1 10.0.0.1) from 10.0.0.2 to ! 10.0.0.0/24
>
> If you were to give more concrete examples of your config I could
> probably help you out with a workable pf solution.
>
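As an added illustration (not code from the thread or from the pf/ipfw projects), the following Python models the decision that the pf `route-to` rule and the ipfw `fwd tablearg ... to table(1)` rule make: packets sourced from the secondary interface's address consult their own gateway table instead of the single shared default route. The interface addresses and routers are the ones from the thread; the 172.16.0.0/16 table entry and the 10.0.0.254 gateway are constructed.

```python
import ipaddress

# Constructed to match the thread: em0 192.168.1.2/24 is the primary link
# (default route via 192.168.1.1), em1 10.0.0.2/24 is the secondary link
# whose router is 10.0.0.1. Host and jails all share KERNEL_ROUTES.
KERNEL_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None),      # connected, em0
    (ipaddress.ip_network("10.0.0.0/24"), None),         # connected, em1
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1"),  # the one default route
]
SECONDARY_SRC = ipaddress.ip_address("10.0.0.2")

# Stand-in for "ipfw table 1 add <prefix> <gateway>" (entries constructed):
# a specific route plus a default route, exactly the shape Julian shows.
FWD_TABLE = [
    (ipaddress.ip_network("172.16.0.0/16"), "10.0.0.254"),  # a specific route
    (ipaddress.ip_network("0.0.0.0/0"), "10.0.0.1"),        # a default route
]


def lookup(table, dst):
    """Longest-prefix match, as both the kernel route table and an ipfw table do."""
    best = None
    for net, gw in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def next_hop(src, dst, policy_routing=True):
    """Gateway a packet src->dst is handed to; None means delivered on-link."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    kernel = lookup(KERNEL_ROUTES, dst)      # 0.0.0.0/0 guarantees a hit
    if kernel[1] is None:
        return None                          # on-link: the "to ! 10.0.0.0/24" case
    if policy_routing and src == SECONDARY_SRC:
        return lookup(FWD_TABLE, dst)[1]     # "fwd tablearg ... to table(1)"
    return kernel[1]                         # everyone else: shared default route
```

Calling `next_hop("10.0.0.2", "8.8.8.8", policy_routing=False)` reproduces the asymmetry Jeffrey describes: a reply from the secondary address leaves via the primary link's router.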