Date:      Thu, 24 Apr 2008 13:20:36 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Nicolas de Bari Embriz Garcia Rojas <nbari@k9.cx>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: routing
Message-ID:  <48106D04.5040103@quip.cz>
In-Reply-To: <821C3EED-42A0-4ADA-982E-3A5EABB5E1A4@k9.cx>
References:  <695A90A5-CB7E-4C5A-AA6C-C4EB148FF320@k9.cx> <480E53F2.5010502@quip.cz> <821C3EED-42A0-4ADA-982E-3A5EABB5E1A4@k9.cx>

Nicolas de Bari Embriz Garcia Rojas wrote:

> In your example what values are for ext_addr_3, ext_if?

The server has an external interface bge0 (connected to the internet):
ext_if="bge0"
and 4 public IP addresses; $ext_addr_3 is one of them (dedicated to this
jail's use).


> On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
> 
>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>
>>> I have an ipsec/vpn on FreeBSD 6.3 from one master server to another
>>> server; the one has multiple jails. Each jail has its own public IP
>>> and I need to do something like this:
>>>
>>> vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
>>> 64.68.69.79/10.10.10.1           75.76.78.79/10.10.10.2
>>>
>>> When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the
>>> jail with IP 75.76.78.80 to respond, and also from jail 75.76.78.80
>>> being available to telnet the other vpn point 10.10.10.1.
>>> I am trying to route traffic using PF but it is not working for the
>>> tunnel, only for the non-encrypted traffic, example:
>>> rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
>>> but if I use the gif0 interface (the one for the tunnel) instead of
>>> em1 it does not work.
>>
>> I am using a slightly different setup. I have lo1 with IPs
>> 172.16.1.0/24 for jails, and public IPs are RDR / NATed from the public
>> interface to local (jails).
>> I have one jail where I need to connect through OpenVPN on tap0 to
>> the MSSQL database server and, from the other end (MS Windows Server),
>> allow connection in to the jailed MySQL database server. Apache from this
>> jail is publicly accessible on ports 80 and 443.
>>
>> # jail address on lo1 and the TCP ports it serves publicly
>> jail_addr_0="172.16.1.2"
>> jail_tcp_0_inports="{ 80, 443 }"
>> # OpenVPN tunnel towards the database server
>> vpn_dtc_if="tap0"
>> vpn_dtc_addr_local="10.0.0.29"
>> vpn_dtc_addr_remote="10.0.0.10"
>> vpn_dtc_inports="{ 3306 }"    # let incoming to local mysql
>>
>> # outgoing connections
>> nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
>> nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
>> # incoming connections
>> rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
>> rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
>>
>> Miroslav Lachman
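The rules quoted in this thread only show the translation half of a pf.conf; for reference, here is a complete ruleset assembled as an added example (it is not the list author's file). It defines $ext_if and $ext_addr_3 as the reply describes (bge0 and a dedicated public address, here a documentation-range placeholder), reuses the jail and tunnel macros from the quoted message, and adds what a working setup needs around them: the rdr on $ext_if is restricted to $jail_tcp_0_inports instead of every TCP port, the tunnel rdr only accepts the VPN peer as source, and filter rules are written against the post-rdr destination, since an rdr without "pass" still needs a matching pass rule. The jail interface name lo1 comes from the quoted message; the set skip on lo0 and the filter policy are this example's own choices.

```pf
# Added example pf.conf for one jail on lo1 with a dedicated public IP and
# an OpenVPN tunnel on tap0. Not the list author's configuration.

# --- macros ---
ext_if="bge0"
ext_addr_3="203.0.113.3"        # assumed: placeholder for the jail's public IP
jail_if="lo1"
jail_addr_0="172.16.1.2"
jail_tcp_0_inports="{ 80, 443 }"
vpn_dtc_if="tap0"
vpn_dtc_addr_local="10.0.0.29"
vpn_dtc_addr_remote="10.0.0.10"
vpn_dtc_inports="{ 3306 }"      # MySQL inside the jail, reachable from the VPN peer

# --- options ---
set skip on lo0

# --- translation (must precede filter rules) ---
# outgoing: the jail's traffic leaves with its dedicated public address
nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
# outgoing into the tunnel: the jail appears as the local tunnel address
nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
# incoming from the internet: only the ports the jail actually serves
rdr on $ext_if proto tcp from any to $ext_addr_3 port $jail_tcp_0_inports -> $jail_addr_0
# incoming from the tunnel: only the VPN peer, only MySQL
rdr pass on $vpn_dtc_if inet proto tcp from $vpn_dtc_addr_remote to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0

# --- filtering ---
# default deny on the public interface; everything else must be allowed explicitly
block in log on $ext_if
pass out on $ext_if keep state
# the rdr above rewrote the destination, so match on the jail address, not $ext_addr_3
pass in on $ext_if proto tcp from any to $jail_addr_0 port $jail_tcp_0_inports flags S/SA keep state
# jail traffic on the loopback clone and the tunnel interface
pass on $jail_if
pass on $vpn_dtc_if keep state
```

Check it with pfctl -nf /etc/pf.conf before loading (parse only), then pfctl -s nat to confirm the translation rules loaded as written and pfctl -s state while connecting from the VPN peer to 10.0.0.29:3306 to see the state entry translated to 172.16.1.2.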