Date:      Tue, 15 Nov 2016 14:26:09 +0100
From:      Oliver Peter <lists@peter.de.com>
To:        Big Lebowski <spankthespam@gmail.com>
Cc:        Oliver Peter <lists@peter.de.com>, freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject:   Re: NAT Reflection rules for FreeBSD PF
Message-ID:  <20161115132609.GC1675@mail.opdns.de>
In-Reply-To: <CAHcXP%2Bcfn7%2B_6pH=cSJ2mEnNPaH1N3Dv7na%2BJiu0=PR-wBZR0A@mail.gmail.com>
References:  <CAHcXP%2BeMrDO0V276DuYKwHMoK8BrAYMhH6b16%2BVhtXRDrKAuAQ@mail.gmail.com> <20161115113705.GB1675@mail.opdns.de> <CAHcXP%2Bcfn7%2B_6pH=cSJ2mEnNPaH1N3Dv7na%2BJiu0=PR-wBZR0A@mail.gmail.com>


On Tue, Nov 15, 2016 at 01:03:54PM +0000, Big Lebowski wrote:
> On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter <lists@peter.de.com> wrote:
> 
> > El duderino,
> >
> > On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> > >
> > > I am trying to set up a 11.0-R PF based NAT for group of jails that needs
> > > to be able to talk to services on other jails, just as if they'd be
> > clients
> > > from outside of the network. Apparently, this is called 'NAT reflection'
> > > and I was able to find examples for OpenBSD PF here:
> > > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> > >
> > > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> > > same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via
> > the
> > > $ext_if external IP?
> >
> > We did something similar in a customer setup a while ago:
> >
> >         nat on $int_if from $jail_host to any -> $int_ip
> >         rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
> >
> > Cheers
> 
> Thanks for your response Oliver! Would you mind elaborating on it a bit
> more? I don't understand what you're trying to achieve here, since the NAT
> doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $int_if
> only holds the jail's IP addresses from the $jail_net range. How does that
> compare?

Ah, it could be that this is a bit different since you only have a single
machine, our example was a gateway with two interfaces (ext/int) doing NAT
for some machines behind.  Since your packets are created on lo0 and
routed to xn0 it might be different.
Another idea would be to re-route the packets between the two interfaces:
	pass out quick on $ext_if route-to $int_if from ($int_if:network) to $ext_if:network

This might interfere with your regular outgoing traffic; maybe the "to"
part needs a bit tuning.  Furthermore I'm not sure about the source
addresses...  We have this in production to route some DNS traffic via
VPN.

Split horizon DNS is no option?
Sorry for not being very helpful.


-- 
Oliver PETER       oliver@gfuzz.de       0x456D688F
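For readers arriving at this thread later, here is an added pf.conf sketch of the OpenBSD FAQ "NAT reflection" pattern rewritten in the pre-4.7 rule syntax that FreeBSD 11.0 PF accepts, using the interface and network names from the question. It is not from either poster and has not been taken from the thread; the service jail address (192.168.0.10), the host-side alias used as the reflection source (192.168.0.1) and the published ports are constructed placeholders, and it assumes `set skip on lo0` is absent from the ruleset, since pf must see the loopback traffic for the `rdr on lo0` rule to match at all:

```conf
# Added example (not from the thread). Old-style (FreeBSD 11) pf syntax:
# translation rules (nat/rdr) must precede filter rules.
ext_if    = "xn0"
int_if    = "lo0"              # jail addresses are aliases on lo0
jails_net = "192.168.0.0/24"
jail_host = "192.168.0.1"      # constructed: host-side alias on lo0
web_jail  = "192.168.0.10"     # constructed: jail that serves the ports
svc_ports = "{ 80, 443 }"      # constructed: published service ports

# Do NOT 'set skip on lo0' here: reflection needs pf on the loopback.

# 1. Ordinary outbound NAT for the jails.
nat on $ext_if from $jails_net to any -> ($ext_if)

# 2. Publish the service to the outside world.
rdr on $ext_if proto tcp from any to ($ext_if) port $svc_ports -> $web_jail

# 3. Reflection: a jail connecting to the external IP is redirected to the
#    serving jail, exactly as an outside client would be.
rdr on $int_if proto tcp from $jails_net to ($ext_if) port $svc_ports -> $web_jail

# 4. Because client and server sit on the same network, rewrite the source
#    of reflected connections so the reply returns through pf instead of
#    going directly (and unexpectedly) back to the client jail.
nat on $int_if proto tcp from $jails_net to $web_jail port $svc_ports -> $jail_host

# Filter rules see the post-rdr (translated) destination.
pass in on $ext_if proto tcp from any to $web_jail port $svc_ports
pass on $int_if
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` while a jail connects to the external address: a working reflection shows one state on lo0 with the jail as source and a second one with `$jail_host` as the rewritten source. Step 4 is the part that people most often omit; without it the server jail answers the client jail directly, the client sees a reply from an address it never contacted, and the handshake is dropped.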
