iocage jail: NAT option for plugins?

Tsaukpaetra

Patron
Joined
Jan 7, 2014
Messages
215
(Wasn't sure if this should be in the Development section, I'm on the Nightlies so this option may not apply in the released version)

I've noticed during plugin creation that the NAT option is selected by default. This is all fine and dandy, as everything *seems* to be working (with respect to the actual jail still having access to the Internet), and it gets an IP address 172.16.0.X.

My problem/question is this: Normally things under NAT (if they're expected to be accessible outside the private LAN) will have port forwards set up so requests directed to the gateway IP (in this case, I assume the FreeNAS's primary IP) will be directed into the network, business as usual.

However, I'm not seeing any such configuration option, and there's precious little information about NAT on the googles with regards to iocage.

I'm really looking forward to this feature, as it would help me cut down on the number of IP addresses used by my FreeNAS boxes.
 
Joined
Jul 10, 2016
Messages
521

Tsaukpaetra

Hmm, according to the pull it should be just a few lines in the config.json. After careful reading through the ioc_start.py file, I came up with the following config entries that worked:

Code:
    "nat": 1,
    "nat_backend": "pf",
    "nat_forwards": "TCP(8081)",
    "nat_interface": "none",


By default, it seems to want to use ipfw, but that wasn't working for me.

In the context of plugins, the jail bootstrap script will need to be adjusted to set these as appropriate (i.e. this was for sickrage and 8081 was to be set here), and possibly an entry in the plugin's .json schema will need to be added if any more than a single port needs forwarding. Additionally, nat detection on the plugin list would be needed to adjust the value of %%IP%% that gets retrieved...

Well, in any case, it's a good start! :)

Edit: Oh, the ticket translations for those following along from the redmine links:
https://jira.ixsystems.com/browse/NAS-101215
https://jira.ixsystems.com/browse/NAS-101550
 

Tsaukpaetra

Ah... one thing I have noticed is that the current launch script does not seem to add firewall rules for nat-d jails to talk to other nat-d jails through the forwarded ports. For example, Sickrage is not able to contact Deluge via the shared IP, despite both being accessible to other network clients...

You *can* use the 172.16.?.? IP addresses, but those seem to change each time the jails start up, making them somewhat start-dependent...

Edit: This can be worked around by adjusting nat_prefix to 172.17 etc so that that jail is the only one on that range.

Edit edit: Except sometimes the alter-nat'd jail doesn't get a proper connection to the Internet unless restarted...
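
An added example, not part of the thread and not iocage's own code: a small audit over several jails' config entries that lists which host ports the NAT forwards expose, which jails claim the same host port, and which jails share a `nat_prefix` range. The jail names and config values are constructed; the `PROTO(jail_port:host_port)` form and the `172.16` default prefix are assumptions, while the `PROTO(port)` form is the one quoted above.

```python
import json
import re
from collections import defaultdict

# Constructed sample configs (not taken from any real system). The keys are the
# ones quoted in the thread, plus nat_prefix, which the last post mentions.
JAILS = {
    "sickrage": '{"nat": 1, "nat_backend": "pf", "nat_forwards": "TCP(8081)", "nat_prefix": "172.16"}',
    "deluge": '{"nat": 1, "nat_backend": "pf", "nat_forwards": "tcp(8112),tcp(8081)", "nat_prefix": "172.16"}',
    "plex": '{"nat": 1, "nat_backend": "ipfw", "nat_forwards": "none", "nat_prefix": "172.17"}',
}

# One forward: PROTO(port), as in the thread. PROTO(jail_port:host_port) is an
# assumed extension of that syntax and is accepted as well.
FORWARD = re.compile(r"^(tcp|udp)\((\d+)(?::(\d+))?\)$", re.IGNORECASE)

def parse_forwards(value):
    """Return [(proto, jail_port, host_port)] for a nat_forwards string."""
    if value.strip().lower() in ("", "none"):
        return []
    forwards = []
    for item in value.split(","):
        m = FORWARD.match(item.strip())
        if not m:
            raise ValueError(f"unparseable nat_forwards entry: {item!r}")
        jail_port = int(m.group(2))
        host_port = int(m.group(3) or jail_port)
        if not (1 <= jail_port <= 65535 and 1 <= host_port <= 65535):
            raise ValueError(f"port out of range in {item!r}")
        forwards.append((m.group(1).lower(), jail_port, host_port))
    return forwards

def audit(jails):
    """Return (exposed host ports, host-port collisions, shared prefixes)."""
    exposed, prefixes = defaultdict(list), defaultdict(list)
    for name, raw in jails.items():
        cfg = json.loads(raw)
        if int(cfg.get("nat", 0)) != 1:
            continue  # jail is not behind NAT, so nothing is forwarded for it
        # Assumed default: the 172.16 range observed in the thread.
        prefixes[cfg.get("nat_prefix", "172.16")].append(name)
        for proto, _, host_port in parse_forwards(cfg.get("nat_forwards", "none")):
            exposed[(proto, host_port)].append(name)
    collisions = {k: v for k, v in exposed.items() if len(v) > 1}
    shared = {k: v for k, v in prefixes.items() if len(v) > 1}
    return dict(exposed), collisions, shared

if __name__ == "__main__":
    for label, result in zip(("exposed", "collisions", "shared prefix"), audit(JAILS)):
        print(label, result)
```
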
 