# Portsnap not working in jail with NAT



## Mormegil (Oct 25, 2009)

This is my first time setting up a jail with a non-routable IP.  I have NAT set up using PF on the host system, and can access the network from inside the jail so I know it works.

From a remote location:

```
$ ssh -p 9001 <host IP>
Password:

$
```

Portsnap doesn't work, however; it just hangs:


```
# portsnap fetch extract
Fetching snapshot tag from portsnap.FreeBSD.org... done.
Fetching snapshot metadata... fetch: http://portsnap.FreeBSD.org/t/63c28e0bbcac5ef29d4b00da39a8d88c0991c7c4c2b10617aee971ed3ac597a2: Operation timed out
```

Seems like FTP is the problem. portsnap tries to download from an FTP server, and the ftp client hangs after typing ls or trying to run any commands.  Everything else works alright, and I added a rule in pf.conf to allow all traffic to and from this IP.  All other network programs work except for FTP.  I'm missing something really simple and stupid, aren't I?

Everything works and has worked fine on other jails using routable IPs.


----------



## Mormegil (Oct 26, 2009)

It doesn't work if I tunnel ftp through ssh, either.  I can connect to the remote machine, but no data transfer is possible.


----------



## SirDice (Oct 26, 2009)

If your host system already has a full ports tree why not just mount that using nullfs? There's no reason to have 10 jails each with its own ports tree.

Something like this does the trick for me (from the host):
`# mount -t nullfs /usr/ports /jail/j1/usr/ports`


----------



## Mormegil (Oct 26, 2009)

That's what I was originally doing. I'm trying the package-builder jail route now, it's the one with the internal IP.  I'm using nullfs to distribute the packages to the other jails on the system.  It works well, but only for the ports that download via HTTP and not FTP.  Beyond all else, I kind of just want to figure out why it's not working.


----------



## graedus (Oct 27, 2009)

I've tried the jail package-builder route recently, and I've had no luck either getting the jail to communicate with the outside.

http://www.jeroen.se/articles/freebsd_jail_laptop_dhcp.php

I've gone so far as to reduce pf.conf to this three-liner:


```
nat on ath0 from 10.1.1.0/24 to any -> ath0
pass in on ath0 from any to any keep state
pass out on ath0 from any to any keep state
```

Any pointers?


----------



## Mormegil (Nov 1, 2009)

Still haven't resolved this, just wanted to pass on some changes. I created a cloned interface called lo1 and assigned it the same IP I was trying to use for the aliased IP on the real NIC.

All traffic is permitted if I add to pf.conf:


```
set skip on lo1
```

No other combination of filtering rules allows FTP traffic and other traffic only seems to work intermittently.


----------



## honk (Nov 1, 2009)

I don't have enough information to understand your setup, but it looks like the FTP data channel isn't being established at all. I wonder how you want to tunnel FTP through SSH?! FTP in passive mode with dynamic port forwarding/SOCKS?

Have you tried forcing fetch to passive mode when using ftp by setting the environment variable "FTP_PASSIVE_MODE"?


----------



## Mormegil (Sep 23, 2010)

It's been almost a year since I gave up on this. Just thought I'd give it another shot, and got it working.

The solution was a 1:1 mapping. In pf.conf:


```
binat from $src_ip to any -> $ext_ip
```


----------
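
The two rulesets discussed in this thread side by side, as an added example that is not from any of the posts above: graedus's many-to-one `nat` rule and Mormegil's final `binat` 1:1 mapping, written out as a complete pf.conf with the macros resolved. Interface names and addresses are assumptions; the thread only gives `ath0`, `lo1`, `$src_ip` and `$ext_ip`. The thread does not establish why `binat` succeeded where `nat` did not, so the comments stick to what each rule does.

```pf
# Added example (not from the thread): pf.conf for a package-builder jail
# on a private address. Interface names and addresses below are assumptions.
ext_if  = "em0"            # host's real NIC (assumed; the thread uses ath0)
jail_if = "lo1"            # cloned loopback carrying the jail's private IP, as in the thread
jail_ip = "10.1.1.2"       # the jail's non-routable address (assumed)
ext_ip  = "203.0.113.10"   # a spare routable address aliased on $ext_if (TEST-NET-3, assumed)

set skip on lo0
set skip on $jail_if       # as in the thread: do not filter the jail's own interface

# Variant A: many-to-one NAT, the rule from the three-liner in this thread.
# Every jail connection leaves with the host's address; pf keeps one state
# entry per outbound flow and only reply packets for those flows map back.
# nat on $ext_if from $jail_ip to any -> ($ext_if)

# Variant B: the 1:1 mapping from the last post. $jail_ip and $ext_ip are
# translated into each other in both directions, so the jail effectively
# owns $ext_ip on the wire. Use one or the other, not both, for the same IP.
binat on $ext_if from $jail_ip to any -> $ext_ip

block in log all
pass out on $ext_if keep state

# Caveat a practitioner should check: translation runs before filtering, and
# binat is bidirectional. Any packet arriving on $ext_if for $ext_ip is
# rewritten to $jail_ip and then handed to these filter rules, so the jail is
# now reachable from outside for whatever is passed here. Keep inbound tight
# and widen only for what the builder demonstrably needs.
pass in on $ext_if proto tcp from any to $jail_ip port 22 keep state

# Host's own SSH on the non-standard port seen in the first post (assumed rule).
pass in on $ext_if proto tcp from any to ($ext_if) port 9001 keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows which translation rules are active and `pfctl -s state` shows whether the jail's flows are being translated to $ext_ip.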

