Jail can't reach Internet because of host NAT

apatik

Cadet
Joined
Oct 20, 2022
Messages
5
Hi everyone!

I have a tricky problem: it seems the Truenas firewall is messing with my jail.
What I want to have is:
  • a jail with Transmission running
  • an OpenVPN server allowing me to reach my home network from the outside (so I can access my shares, my jail, my printer, etc.)

All of this is working fine except:
  • when I turn on the Truenas firewall: I can reach my network from the VPN, but Transmission can't reach anything
  • when I turn off the Truenas firewall: I can't reach my network from the VPN, but Transmission is OK

Now, for the setup:
Hardware:
  • HP Proliant ML310e Gen8 V2
  • Processor: Xeon E3
  • RAM: 16 GB ECC
  • OS Disk: 256 GB SSD
  • Pool disks: 3x 4 TB HDD RAIDZ1

Configuration of my network:
  • Network: 192.168.1.0/24
  • Gateway: 192.168.1.1
  • Truenas IP: 192.168.1.101
  • Jail IP: 192.168.1.152

Configuration of the VPN:
  • The VPN is set from the Truenas Services (not in a jail)
  • Network: 192.168.2.0/24
  • Compression: none
  • Protocol: UDP
  • Device type: TUN
  • Topology: Subnet
  • TLS Crypt Auth Enabled
  • Additional parameters:
  1. push "route 192.168.1.0 255.255.255.0"
  2. push "redirect-gateway def1 bypass-dhcp"
  3. push "dhcp-option DNS 8.8.8.8"
  4. push "dhcp-option DNS 1.1.1.1"

In order to activate the routing between the two subnets, I've set up these tunables:
  • firewall_enable: yes (I currently switch between transmission working, and network access)
  • firewall_type: open
  • gateway_enable: yes
  • natd_enable: yes
  • natd_flags: -dynamic -m
  • natd_interface: bge0

And this static route:
  • Destination: 192.168.2.0
  • Gateway: 192.168.1.101

I think I have a Truenas firewall rule to add, but I can't find any. Does anyone know what the problem is?
Thanks for your help!
 

apatik

Cadet
Joined
Oct 20, 2022
Messages
5
OK, so. As I posted this topic, a few related topics were suggested, and I found some information.
I added this rule "as a test" (vnet0 being the jail interface), and it worked:
ipfw -q add allow from any to any via vnet0

So I tried to follow the best practices: create /etc/ipfw.rules and put:
#!/bin/sh
ipfw -q add allow from any to any via vnet0
Then add the tunable value:
firewall_script | /etc/ipfw.rules
And I restarted my server to test it. It doesn't work, but worse: /etc/ipfw.rules disappeared during startup. I tried it 3 times, and the file is deleted. Does anyone know what happened?

I'm looking for a /etc/ restoration at startup, but where can it be set?

Thanks for your help :)
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Run jails without NAT. Don't mess with the TrueNAS host firewall. Just add a static route for your OpenVPN network to your uplink router.
 

apatik

Cadet
Joined
Oct 20, 2022
Messages
5
I'd love to have this functionality on my router; unfortunately, it does not. I'm stuck to configure stuff on Truenas
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
/etc/ipfw.rules disappeared during startup. I tried it 3 times, and the file is deleted. Does anyone know what happened?

Yup. Exactly.

I'm looking for a /etc/ restoration at startup, but where can it be set?

It can't. TrueNAS is an appliance OS and is not a general purpose OS for you to hack on. The things you may be used to doing on other FreeBSD or Linux systems are not going to work. It is designed like this.

The closest you can get is that you do have the ability to add a post-startup task script which you could potentially use to hook in some firewall rules. This is not recommended and not supported, though.

I'd love to have this functionality on my router; unfortunately, it does not. I'm stuck to configure stuff on Truenas

You can get an inexpensive little Ubiquiti or Mikrotik router to implement your rules upstream. It is going to be a bad idea in the long term to try to do this the wrong way ("stuck to configure stuff on Truenas[sic]").
 
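As an added example (not code from the thread, from TrueNAS, or from any of the posters), this is what a post-init script taking the approach above could look like. It installs the allow rule on the jail interface that the earlier post reported working; the interface name vnet0 comes from the thread, while the rule number, the idempotency check, the `apply` argument and the dry-run fallback are assumptions of this example:

```shell
#!/bin/sh
# Added example, not from the thread: a post-init script that inserts the
# jail-interface allow rule the poster found working. Keep it outside /etc
# (the thread shows /etc being reset at boot) and register it as a post-init
# Init/Shutdown Script with the argument "apply".

JAIL_IF="${JAIL_IF:-vnet0}"   # host side of the jail's VNET interface (from the thread)
RULE_NUM="${RULE_NUM:-10}"    # assumption: a low number so it is evaluated before the
                              # "divert natd" rule FreeBSD's rc.firewall installs at 50

# Emit the ipfw rule lines without running anything (also used for dry-run output).
# Only the jail interface is exempted from the host firewall; every other
# interface stays under the firewall_type=open + natd setup from the thread.
jail_rules() {
    jail_if="$1"
    num="$2"
    printf 'add %s allow ip from any to any via %s\n' "$num" "$jail_if"
}

# Is a rule with this number already installed? ipfw exits non-zero when
# asked to list a rule number that does not exist.
have_rule() {
    ipfw list "$1" >/dev/null 2>&1
}

apply_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not available on this host; rules that would be applied:" >&2
        jail_rules "$JAIL_IF" "$RULE_NUM" >&2
        return 1
    fi
    if have_rule "$RULE_NUM"; then
        echo "rule $RULE_NUM already present, nothing to do" >&2
        return 0
    fi
    # Feed the rule list to ipfw in one batch; -q suppresses the echo of each rule.
    jail_rules "$JAIL_IF" "$RULE_NUM" | ipfw -q /dev/stdin
}

# Only touch the firewall when explicitly asked; without "apply" the script
# just prints what it would add, which is handy for checking the task setup.
if [ "$1" = "apply" ]; then
    apply_rules
elif [ "$1" = "show" ]; then
    jail_rules "$JAIL_IF" "$RULE_NUM"
fi
```

Because the rule is `allow ip from any to any via` the jail interface, it removes that interface from host firewall filtering entirely, which is why the script binds it to a single interface name rather than using a wildcard. This remains the unsupported route described in the post above, and it does nothing about the `/etc/ipfw.rules` deletion: the script must live somewhere that survives a reboot.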

apatik

Cadet
Joined
Oct 20, 2022
Messages
5
Thanks for your answers. I didn't know about Truenas OS being limited to what is visible in the GUI, and in France, we nearly always use our internet supplier's "box", which acts as a router, switch, firewall, even sometimes NAS, so I didn't plan to buy another router. I'm also kind of disappointed about not being able to tweak Truenas reliably, but I don't have much choice, so the additional router option is making its way.
I guess this explains why I was fixed on setting up Truenas while you were telling me I need another router.

Until I buy a router, may I ask for help setting up my Truenas as I would like, even if it will be changed in a few months?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Until I buy a router, may I ask for help setting up my Truenas as I would like, even if it will be changed in a few months?

Previously answered.

The closest you can get is that you do have the ability to add a post-startup task script which you could potentially use to hook in some firewall rules.
 