other jail passing traffic through OpenVPN jail not working

Status
Not open for further replies.

DearestDreamer (Dabbler), joined Nov 28, 2015, 42 messages
So, a quick summary of what I'm trying to achieve here: basically I'm trying to figure out how to route traffic from one jail to another, all managed and set up from the host system itself (preferably one ruleset, so I only have to connect to the host and configure everything there if changes come along). Both jails are set up as standard and with VIMAGE.

So here's my layout (default-gateway is my router at .1):
FreeBSD ip=.50 igb0 ipfw0 bridge0 epair0a epair1a default-gw=.1 -> openvpn-client-jail ip=.201 epair0b default-gw=.1 -> other-jail ip=.200 epair1b default-gw=.1

What I want to achieve is that the 'other-jail' at .200 does not communicate through my router, but instead sends all its traffic to the 'openvpn-jail' at .201.

So I tried to accomplish this and I edited my rc.conf on my host as follows:
Code:
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
gateway_enable="YES"

#alias
ifconfig_igb0_alias0="inet 192.168.1.201 netmask 255.255.255.0"
ifconfig_igb0_alias1="inet 192.168.1.200 netmask 255.255.255.0"


I then added .201 (openvpn jail) as the default gateway for .200 (other jail), but I had issues with connectivity, so I went into the openvpn jail and added this to the rc.conf and rebooted the jail:
Code:
gateway_enable="YES"


The jails can successfully ping each other now, and the host can also ping each of them. Another machine inside this network can also see both jails like this. Running a traceroute on the other-jail shows that it's going through the .201 openvpn jail. However, it can't communicate with the outside world, so pinging google or yahoo doesn't go anywhere.

But, it turns out, if I stop the openvpn service, my other-jail can reach the outside world and traceroute shows it takes the .201 -> .1 route, which is correct and works. But once I start the openvpn service, the other-jail cannot communicate with anything on the outside, only with devices on my LAN. In this case traceroute shows .201 as the first hop, but after that it's just * * *, * * * ...

Do I need to set up a pf rule? But it already works without one if the openvpn daemon is stopped, could it have something to do with openvpn not allowing another machine to send its traffic through a client like this?

I also ran a tcpdump on the openvpn jail and started a ping on the other jail. This is what it looks like with openvpn started:

Code:
IP 192.168.1.200 > google-public-dns-a.google.com: ICMP echo request, id 7519, seq 2, length 64;


And with openvpn stopped:

Code:
IP 192.168.1.200 > google-public-dns-a.google.com: ICMP echo request, id 53087, seq 0, length 64;
IP openvpn.18121 > google-public-dns-a.google.com.domain: 64744+ PTR? 201.1.168.192.in-addr.arpa. (43);
ARP, Request who-has 192.168.1.200 tell 192.168.1.1, length 46;
IP google-public-dns-a.google.com.domain > openvpn.18121: 64744 NXDomain 0/0/0 (43);
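An added example of the kind of pf rule the post asks about; it is not from the original post or the thread. This is a pf.conf that would live inside the openvpn-client jail, assuming the tunnel interface is tun0 (the post never names it) and that the VIMAGE jail runs its own pf instance (/dev/pf exposed by the jail's devfs ruleset, pf_enable="YES" in the jail's rc.conf). A common cause of exactly the symptom captured above (the echo request leaves, nothing ever comes back) is that forwarded packets enter the tunnel with source 192.168.1.200, an address the VPN server has no route back to, so the forwarded traffic has to be masqueraded with the tunnel address:

```conf
# pf.conf for the openvpn-client jail (added example; tun0 is an assumption)
tun_if  = "tun0"            # OpenVPN tunnel interface, name assumed
lan_if  = "epair0b"         # jail side of the epair, as named in the post
lan_net = "192.168.1.0/24"

set skip on lo0

# Rewrite the source of forwarded LAN traffic to the tunnel address so the
# VPN server can route replies back; ($tun_if) re-reads the address if the
# tunnel is renegotiated and gets a new one.
nat on $tun_if from $lan_net to any -> ($tun_if)

# Let the other jail's traffic in on the epair and out through the tunnel.
# pf keeps state on pass rules, so replies are matched automatically.
pass in on $lan_if from $lan_net to any
pass out on $tun_if keep state
```

Forwarding itself still needs gateway_enable="YES" in the jail, as already done in the post. To check whether the rule takes effect, a tcpdump on tun0 inside the jail during a ping from .200 should show the echo request leaving with the tunnel address as its source and the echo reply returning; if the request still leaves with 192.168.1.200 as the source, the NAT rule was not loaded (pfctl -sn lists the active translation rules). Whether the VPN endpoint accepts forwarded traffic at all is a separate question the post raises and this example cannot answer.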