Re: Kernel NAT issues

2015-11-28 Thread Dewayne Geraghty
Nathan, I've gone the same way that you have, i.e. a bunch of jails that are individually providing services & kernel NAT. It takes careful planning and the knowledge that the default route will be the first IP in your jail.conf list for each jail. Getting jails to play nice means fiddling around with

Re: Kernel NAT issues

2015-11-28 Thread Julian Elischer
On 27/11/2015 12:55 PM, Nathan Aherne wrote: Hi Julian, Thank you for replying. I was completely off grid for a while and only got back on it today. I thought that Vimage was probably the way to achieve what I want. The main reason I was staying away from Vimage was the reported bugs with it,

Re: Kernel NAT issues

2015-11-26 Thread Nathan Aherne
Hi Julian, Thank you for replying. I was completely off grid for a while and only got back on it today. I thought that Vimage was probably the way to achieve what I want. The main reason I was staying away from Vimage was the reported bugs with it, another reason was the extra overhead. I woul

Re: Kernel NAT issues

2015-11-22 Thread Julian Elischer
On 21/11/2015 10:06 AM, Nathan Aherne wrote: I had a bit of a think about how to describe what I am trying to achieve. I am treating each jail like its own little "virtual machine". The jail provides certain services, using things like nginx or nodejs, php-fpm, mysql or postgresql. The jails

Re: Kernel NAT issues

2015-11-21 Thread Julian Elischer
I note, no answers yet.. I plan on spending some time tomorrow trying to understand this issue. Just letting you know.. On 21/11/2015 10:06 AM, Nathan Aherne wrote: I had a bit of a think about how to describe what I am trying to achieve. I am treating each jail like its own little "virtu

Re: Kernel NAT issues

2015-11-20 Thread Nathan Aherne
I had a bit of a think about how to describe what I am trying to achieve. I am treating each jail like its own little "virtual machine". The jail provides certain services, using things like nginx or nodejs, php-fpm, mysql or postgresql. The jails can control connections to themselves by config

Re: Kernel NAT issues

2015-11-20 Thread Nathan Aherne
I am not exactly sure how to draw the setup so it doesn’t confuse the situation. The setup is extremely simple (I am not running vimage), jails running on the 10.0.0.0/16 (cloned lo1 interface) network or with public IPs. The jails with private IPs are the HTTP app jails. The Host runs a HTTP Pr

Re: Kernel NAT issues

2015-11-18 Thread Ian Smith
On Wed, 18 Nov 2015 22:17:29 +0800, Julian Elischer wrote: > On 11/18/15 8:40 AM, Nathan Aherne wrote: > > For some reason hairpin (loopback nat or nat reflection) does not seem to > > be working, which is why I chose IPFW in the first place. > it would be good to see a diagram of what this ac

Re: Kernel NAT issues

2015-11-18 Thread Julian Elischer
On 11/18/15 8:40 AM, Nathan Aherne wrote: For some reason hairpin (loopback nat or nat reflection) does not seem to be working, which is why I chose IPFW in the first place. It would be good to see a diagram of what this actually means.

Re: Kernel NAT issues

2015-11-17 Thread Nathan Aherne
Hi Everyone, I think I have worked this out and have a working Stateful IPFW NAT rule set (it's worked fine for a few weeks). Hopefully this saves someone else a few weeks of their lives. For some reason hairpin (loopback nat or nat reflection) does not seem to be working, which is why I chose

Re: Kernel NAT issues

2015-10-20 Thread Nathan Aherne
Hi Ian, Thank you very much for your response! Sorry about the late response, I have been offline for a few days. I think I may have worked this issue out. I am bringing up a bunch of Jails today to test my firewall rules in the hopes that I have corrected my problem. I will reply back either

Re: Kernel NAT issues

2015-10-14 Thread Ian Smith
On Tue, 13 Oct 2015 13:50:04 +1000, Nathan Aherne wrote: > Hi Ian, > > Thank you for your response. > > I didn't post my ruleset because I should be able to fix the issue > myself but I see now that my request to explain "how NAT works" was > incorrect. > > I have now included my r

Re: Kernel NAT issues

2015-10-12 Thread Nathan Aherne
To further illustrate my issue, this is a small log output. I am running "host google.com" in the jail, which has the IP 10.0.0.1. The UNKNOWN line is logging on the check-state rule. I would expect the first piece of traffic out would be UNKNOWN (does not have an entry in

Re: Kernel NAT issues

2015-10-12 Thread Nathan Aherne
Hi Ian, Thank you for your response. I didn’t post my ruleset because I should be able to fix the issue myself but I see now that my request to explain “how NAT works” was incorrect. I have now included my ruleset below (as well as my initial email). # Enable NAT ipfw nat 1 config ip $jip same

Re: Kernel NAT issues

2015-10-12 Thread Ian Smith
On Tue, 13 Oct 2015 12:33:52 +1000, Nathan Aherne wrote: > I sent through a question to this list a little while ago and have > been trying to get IPFW NAT working since then. I have had some > success but not the success I need, everything is working correctly > except NAT rules for my par

Kernel NAT issues

2015-10-12 Thread Nathan Aherne
I sent through a question to this list a little while ago and have been trying to get IPFW NAT working since then. I have had some success but not the success I need, everything is working correctly except NAT rules for my particular use case. I have read every Google result on the first 50 pa