On Tue, Nov 15, 2016 at 01:03:54PM +0000, Big Lebowski wrote:
> On Tue, Nov 15, 2016 at 11:37 AM, Oliver Peter <li...@peter.de.com> wrote:
> 
> > El duderino,
> >
> > On Mon, Nov 14, 2016 at 10:30:59PM +0000, Big Lebowski wrote:
> > >
> > > I am trying to set up a 11.0-R PF based NAT for group of jails that needs
> > > to be able to talk to services on other jails, just as if they'd be clients
> > > from outside of the network. Apparently, this is called 'NAT reflection'
> > > and I was able to find examples for OpenBSD PF here:
> > > https://www.openbsd.org/faq/pf/rdr.html (bottom of the page).
> > >
> > > Obviously, their syntax doesn't work on FreeBSD PF, so how to achieve the
> > > same thing? How to allow jails NAT'd on $ext_if (xn0) coming from
> > > $jails_net (192.168.0.0/24 aliased on lo0) to talk to each other, via the
> > > $ext_if external IP?
> >
> > We did something similar in a customer setup a while ago:
> >
> >         nat on $int_if from $jail_host to any -> $int_ip
> >         rdr pass on $int_if proto { tcp, udp } from $jail_host to $ext_if port { $service1, $service2 } -> $int_lb
> >
> > Cheers
> 
> Thanks for your response Oliver! Would you mind elaborating on it a bit
> more? I don't understand what you're trying to achieve here, since the NAT
> doesn't happen on $int_if (lo0) but instead on $ext_if (xn0). The $int_if
> only holds the jail's IP addresses from the $jail_net range. How does that
> compare?

Ah, it could be that this is a bit different since you only have a single
machine, our example was a gateway with two interfaces (ext/int) doing NAT
for some machines behind.  Since your packets are created on lo0 and
routed to xn0 it might be different.
Another idea would be to re-route the packets between the two interfaces:
        pass out quick on $ext_if route-to $int_if from ($int_if:network) to $ext_if:network

This might interfere with your regular outgoing traffic;  maybe the "to"
part needs a bit tuning.  Furthermore I'm not sure about the source
addresses...  We have this in production to route some DNS traffic via
VPN.

Split horizon DNS is no option?
Sorry for not being very helpful.


-- 
Oliver PETER       oli...@gfuzz.de       0x456D688F
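For the single-host case the thread is about, the reflection can be done with an rdr rule on lo0 alone, because a jail's packet to the public address is looped through lo0 on both the outbound and the inbound side, so the rdr state also carries the reply. The following pf.conf fragment is an added example, not configuration from either poster; the interface names and the jail network come from the thread, while 203.0.113.10, 192.168.0.10 and the port list are constructed placeholders.

```pf
# Added example (not from the thread). Assumes FreeBSD 11 pf syntax with
# separate nat/rdr rules, xn0 as the external interface and the jail
# aliases on lo0. Addresses and ports below are placeholders.
ext_if    = "xn0"
int_if    = "lo0"
jails_net = "192.168.0.0/24"
ext_ip    = "203.0.113.10"     # placeholder: the public address on xn0
web_jail  = "192.168.0.10"     # placeholder: the jail running the service
web_ports = "{ 80, 443 }"

# pf must see lo0 traffic for the reflection to work, so do NOT add
# "set skip on lo0" to this ruleset.

# Outbound NAT for the jails, as in the original setup.
nat on $ext_if from $jails_net to any -> ($ext_if)

# External clients reach the service through the public address.
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $web_jail

# NAT reflection: a jail connecting to the public address is redirected
# straight back to the destination jail's alias on lo0. Unlike the
# two-interface gateway example in the thread, no extra "nat on $int_if"
# is needed: after the inbound rdr the packet is delivered locally and
# never traverses a second interface, and the reply is looped through lo0
# as well, where the rdr state translates it back.
rdr on $int_if proto tcp from $jails_net to $ext_ip port $web_ports -> $web_jail

# Loopback traffic between jails and the reflected connections.
pass quick on $int_if all

# Ordinary jail traffic towards the outside.
pass out on $ext_if from $jails_net to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the reflection with `pfctl -s state` while a jail connects to the public address: the entry on lo0 should show the translated destination.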
