Date: Fri, 3 Jan 2014 10:57:14 -0500
From: Alejandro Imass <aimass@yabarana.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-jail@freebsd.org
Subject: Re: Allowing routing table visibility in jails to make multiple IPs work properly
Message-ID: <CAHieY7Sb=yXWA57USQJ3bo%2BkENzsS_r_obkeGkEC-DREOeL3UQ@mail.gmail.com>
In-Reply-To: <20140104005845.V35277@sola.nimnet.asn.au>
References: <201311301000.rAUA00eG045983@freefall.freebsd.org> <52C66E09.80307@monkeybrains.net> <CAHieY7R_M95UxVX=sY%2B32hF1JUiC4tw2eRko7tNswChN8cw%2BZw@mail.gmail.com> <20140104005845.V35277@sola.nimnet.asn.au>
On Fri, Jan 3, 2014 at 9:10 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
> On Fri, 3 Jan 2014 08:05:55 -0500, Alejandro Imass wrote:
> > On Fri, Jan 3, 2014 at 3:00 AM, Rudy (bulk) <crapsh@monkeybrains.net> wrote:
> > >
> > > I'm having issues when putting multiple IPs on a jail... one external, one
> > > internal (on a different vlan). The source IP from the jail is always the
> > > first IP, so a solution is to use ipfw_nat to nat when using the internal
> > > vlan to the 'second ip'. Ugly hack, and it doesn't work when there is an
> > > MTU difference between the vlans:
> > >
> >
> > Greetings Rudy,
> >
> > I had the same exact problem and found that the problem is natd.
> > Actually it is mentioned in natd's documentation.
>
> Alejandro, hi,
>
> can you point out where in natd(8) it indicates .. what exactly?
>

It's what natd does: "It changes all packets destined for another host so that their source IP address is that of the current machine."

The problem is that it chooses the first IP assigned to the interface, so for example if you have several public IPs assigned to the same physical interface and assign one to each jail, any outbound connection from either jail will show the first IP regardless of what IP is assigned to what jail. In fact outbound connections from the base host will also show the first IP even if using the -b switch, which makes FBSD behave like Linux when natd is running. When natd is in operation all source addresses will always be the first IP address assigned to that interface.

You can test this with outbound ssh, even by forcing with the -b switch in an outbound ssh from a jail, and you will see it uses the first IP always. Turn off natd and you will see it uses the correct IP. I had a long discussion a while back, check the archives.

> > If you want to get rid of this problem you need to get rid of natd and
> > nat your jail traffic with some other means. Kernel nat should be a
> > solution but I've never gotten around to test if it actually solves
> > the problem. Please share if you find a way to fix this.
>
> I may have missed it, but I've yet to see anyone report any functional
> differences between natd and ipfw_nat, ie of something working in one
> but not the other. Both use the underlying libalias(3) after all.
>

I have never been able to solve this but thought I read somewhere that by using specific ipfw nat it could be solved. I still have the problem, and it is not my expertise obviously, and I haven't had the time to investigate the problem further. I just know that using natd causes any outbound connection from a jail to always show the first IP assigned to that interface.

Best,
Alejandro Imass
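The ssh-based test Alejandro describes can be turned into a repeatable check: capture outbound SYNs on the host interface while each jail opens a connection, then flag any flow whose source address is the interface's first IP rather than the jail's own. This is an added example, not code from the thread; the jail names, addresses and tcpdump-style lines are constructed.

```python
"""Detect jail outbound flows whose source address was rewritten to the
interface's first IP (the natd symptom described in the thread)."""
import re
from collections import defaultdict

# Constructed mapping: jail name -> IP assigned to that jail (hypothetical addresses).
JAIL_IPS = {"jail-a": "203.0.113.10", "jail-b": "203.0.113.11"}
# Constructed: first address configured on the shared physical interface.
FIRST_IF_IP = "203.0.113.10"

# Constructed sample in the style of `tcpdump -n -i em0 'tcp[tcpflags] & tcp-syn != 0'`,
# each line tagged with the jail that ran the outbound ssh test at that moment.
SAMPLE = [
    ("jail-a", "10:57:14.000001 IP 203.0.113.10.50001 > 198.51.100.5.22: Flags [S], seq 1"),
    ("jail-b", "10:57:15.000002 IP 203.0.113.10.50002 > 198.51.100.5.22: Flags [S], seq 2"),
    ("jail-b", "10:57:16.000003 IP 203.0.113.11.50003 > 198.51.100.5.22: Flags [S], seq 3"),
    ("jail-a", "10:57:17.000004 IP 198.51.100.5.22 > 203.0.113.10.50001: Flags [S.], seq 9"),
]

# Matches an outbound SYN (not SYN-ACK): "IP src.port > dst.port: Flags [S]"
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[S\]")


def parse_syn(line):
    """Return (src_ip, dst_ip) for an outbound SYN line, or None for anything else."""
    m = LINE_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def find_rewritten(samples, jail_ips, first_ip):
    """Return {jail: [dst, ...]} for flows that left with the interface's first IP
    instead of the jail's assigned IP; an empty dict means no rewriting observed."""
    hits = defaultdict(list)
    for jail, line in samples:
        parsed = parse_syn(line)
        if parsed is None:
            continue
        src, dst = parsed
        if src != jail_ips[jail] and src == first_ip:
            hits[jail].append(dst)
    return dict(hits)


if __name__ == "__main__":
    for jail, dsts in find_rewritten(SAMPLE, JAIL_IPS, FIRST_IF_IP).items():
        print(f"{jail}: flows to {dsts} left as {FIRST_IF_IP}, expected {JAIL_IPS[jail]}")
```

Run it once with natd active and once with it stopped; an empty result in the second run and a non-empty one in the first reproduces the behaviour the thread describes.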