# Jail has no access to the Internet (dual-NIC setup, DHCP gateway)



## lib13 (Mar 2, 2014)

Previously, on my small server, with one NIC connected to a cheap modem/router, I had a jail for mldonkey. It could be accessed from the local LAN and also from the Internet with the help of dynamic DNS. Mldonkey could connect to servers with HighID. I'm using RELEASE-9.2.

Now I have changed my ISP, got a new modem/router and have two NICs in the small server, like this:

```
ISP --------- modem/router------------local network (internal interface em0)
                         |_____(bridged)__ external NIC re0
```

So, basically, I get a different IP for re0 than the one I get for the modem/router part that serves em0 as well as the other computers connected to the modem/router.  Both re0 and the modem/router get dynamic IPs from the ISP.

The good news is that I can access mldonkey from the local LAN, as well as from the Internet, as before. The bad news is that mldonkey cannot connect to servers.  I temporarily enabled raw_sockets for the jail and it can't connect to 8.8.8.8 or other hosts.

The relevant configuration parts are:

For the jail:

```
# cat /etc/rc.conf | grep -v '^#'
network_interfaces="re0 em0"
ifconfig_em0_alias="inet 192.168.1.20/24"
```

For the host system:

```
/etc/rc.conf.local:
ifconfig_em0="inet 192.168.1.4 netmask 255.255.255.0"
ifconfig_re0="DHCP"               # <----- bridged, second IP provided by ISP

#-----------------------JAILS----------------------------------
jail_enable="YES"
ezjail_enable="YES"
jail_list="mldonkey other"     # Space separated list of names of jails

#-----------------------JAILS-MLDONKEY-------------------------
ifconfig_em0_alias0="inet 192.168.1.20 netmask 255.255.255.0"
jail_mldonkey_hostname="mldonkey"    # jail's hostname
jail_mldonkey_ip="192.168.1.20"           # jail's IP address
jail_mldonkey_rootdir="/encriptado/jails/mldonkey"     # jail's root directory
jail_mldonkey_interface="em0"
jail_mldonkey_devfs_enable="YES"                        # mount devfs in the jail
jail_mldonkey_devfs_ruleset="devfsrules_jail"           # devfs ruleset to apply to jail

#----------------------PF--------------------------------------
pf_enable="YES"
pflog_enable="YES"
gateway_enable="YES"
```

`# cat /etc/pf.conf`

```
#INTERFACES
ext_if = "re0"
int_if = "em0"
mldonkey = "192.168.1.20"
# $mldonkey_web_port, $mldonkey_tcp_port, $mldonkey_udp_port and the <local>
# table are defined in the rules omitted below

# options have to precede the translation and filter rules
set skip on lo0

# translation rules (rdr): pfctl requires these before any filter rule
rdr pass on $ext_if proto tcp from any to any port $mldonkey_web_port -> $mldonkey
rdr pass on $ext_if proto tcp from any to any port $mldonkey_tcp_port -> $mldonkey
rdr pass on $ext_if proto udp from any to any port $mldonkey_udp_port -> $mldonkey

rdr pass on $int_if proto tcp from any to any port $mldonkey_web_port -> $mldonkey
rdr pass on $int_if proto tcp from any to any port $mldonkey_tcp_port -> $mldonkey
rdr pass on $int_if proto udp from any to any port $mldonkey_udp_port -> $mldonkey

# filter rules
block in log on $ext_if
#block out log on $ext_if

pass in quick from <local> to any keep state
pass out from any to any keep state
# (several other rules that I think are not important for this issue)
```

So, what should I do differently?  I tried several changes to no avail.


----------



## lib13 (Mar 9, 2014)

I've been banging my head against this problem, and since I've had no help, I'll try asking something else. I don't understand everything about this, so here are my questions:

What's the difference between creating a lo1 interface for the jail (let's say 127.0.0.20) and a lo0_alias (same IP)?

For the internal network: why is it not enough to create this rule?

```
binat pass log on $int_if from 127.0.0.20 to any -> 192.168.1.20
```
Am I wrong in thinking that this rule implies that all packets coming from lo1 (127.0.0.20) to any address are translated to 192.168.1.20 and thus available to all LAN computers?

The filter rules:

```
# an interface name used as an address ("lo1") expands to the addresses
# configured on that interface
pass log quick from lo1 to any keep state
pass log quick from any to lo1 keep state
pass log quick to lo1
pass out log all keep state
# in order to access the web server running at port 4080 in the jail;
# only the destination port is fixed, the client's source port is arbitrary
pass in log on $int_if inet proto tcp from any to 127.0.0.20 port 4080 keep state
```
What am I still missing?


Now for the external interface. The FreeBSD box receives a DHCP IP address on re0.

```
# ifconfig re0 shows:  inet 25.25.22.130 netmask 0xfffff800
```
Do I need to create an alias to re0 with an IP address as 25.25.22.131 for example?

If I don't need to configure such an alias, why does this binat rule show an error?

```
binat on $ext_if from 127.0.0.20 to any -> ($ext_if)
```

I've read that `$ext_if` between parentheses is for dynamic IP addresses, but the error shows:

```
invalid use of interface (re0) as the redirect address of a binat rule
```

So, how do I nat or binat lo1 for default traffic to the Internet?

EDIT:
As soon as I posted, I got some results. I removed all the rules for $int_if and added the IP address at the end of the rule:

```
binat on $ext_if from 127.0.0.20 to any -> 25.25.22.130
```
and I already get access to the outside and vice versa.
But 25.25.22.130 changes dynamically. How can I avoid hard-coding the IP address?


----------
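The configuration below is an added example, not lib13's posted config or anything from the thread. It addresses both posts at once: the first post's pf.conf has `rdr` rules for inbound connections but no rule that rewrites the jail's source address on the way out through re0, so nothing beyond the LAN can answer the jail; and the second post's `binat` cannot follow a dynamic address because pf's `binat` needs a fixed redirect address, which is what "invalid use of interface (re0) as the redirect address of a binat rule" is saying. A `nat` rule does accept `($ext_if)` and re-reads the interface address on every packet, so no address is hard-coded. Interface names, the lo1 jail address 127.0.0.20 and the web port 4080 are taken from the posts; the client ports 4662/4672 are placeholders to replace with mldonkey's configured ports. The syntax is the FreeBSD 9.x pf dialect used in the thread (separate nat/rdr rules ahead of the filter rules).

```pf
# Added example (not from the thread): pf.conf for a jail on a host whose
# external interface re0 gets its address by DHCP.  Names follow the posts;
# 4662/4672 are placeholders for mldonkey's client ports.

ext_if  = "re0"            # bridged to the ISP, dynamic address
int_if  = "em0"            # LAN side, 192.168.1.4
jail_ip = "127.0.0.20"     # jail on lo1 (use 192.168.1.20 for the em0-alias layout)
lan_net = "192.168.1.0/24"

web_port = "4080"          # mldonkey web interface (from the post)
tcp_port = "4662"          # placeholder: mldonkey client TCP port
udp_port = "4672"          # placeholder: mldonkey client UDP port

# options come before translation and filter rules
set skip on lo0

# ---- translation: every nat/rdr rule must precede the filter rules ----

# Outbound.  "($ext_if)" is looked up per packet, so this rule follows the
# DHCP lease without editing the file.  nat allows this; binat does not.
nat on $ext_if from $jail_ip to any -> ($ext_if)

# Inbound from the Internet: published ports on re0's current address -> jail.
rdr on $ext_if proto tcp from any to ($ext_if) port $web_port -> $jail_ip
rdr on $ext_if proto tcp from any to ($ext_if) port $tcp_port -> $jail_ip
rdr on $ext_if proto udp from any to ($ext_if) port $udp_port -> $jail_ip

# Inbound from the LAN: clients connect to the host's em0 address and pf
# hands the connection to the jail on lo1.  This replaces binat on $int_if.
rdr on $int_if proto tcp from $lan_net to $int_if port $web_port -> $jail_ip

# ---- filter ----
block in log on $ext_if

# The jail's own connections and all replies leave through re0 with the
# source address already rewritten by the nat rule above.
pass out on $ext_if from any to any keep state
pass out on $int_if from any to any keep state

# After rdr the filter sees the translated destination, so pass to the jail.
pass in on $ext_if proto tcp from any to $jail_ip port { $web_port, $tcp_port } keep state
pass in on $ext_if proto udp from any to $jail_ip port $udp_port keep state
pass in on $int_if proto tcp from $lan_net to $jail_ip port $web_port keep state

# Whatever else the LAN sends to the host itself.
pass in on $int_if from $lan_net to $int_if keep state
```

For the lo1 layout the host's rc.conf needs `cloned_interfaces="lo1"`, `ifconfig_lo1="inet 127.0.0.20 netmask 255.255.255.255"` and `jail_mldonkey_interface="lo1"`, with `gateway_enable="YES"` kept as in the post. Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s state` then shows the jail's connections with re0's current address substituted. The same `nat` rule fixes the first post's em0-alias layout (set `jail_ip` to 192.168.1.20), since the jail's packets still leave the host through re0. Many jail recipes put a private 10.0.0.0/8 address on lo1 instead of one from 127.0.0.0/8; the rules above do not change for that, only the value of `jail_ip`.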

