# TeamSpeak 3 Server on ezjail



## Airost (Oct 15, 2017)

Hi,

I am trying to separate our TeamSpeak 3 Server that is running on no license (free for up to 32 users) and move it to jails using ezjail. I have created and configured teamspeak. All running fine. I have created a jail. All running fine. When I installed the teamspeak3 server port in the jail and tried to run it, nothing happened. I read online that you need to mount
`mount -t tmpfs tmpfs /dev/shm`
and add a line in
`/etc/fstab`:
`tmpfs /dev/shm tmpfs defaults 0 0`
For some reason I get a message "operation not permitted". I have uncommented in ezjail.conf all settings where the mount command is used. I also found a thread
https://forums.freebsd.org/threads/62192/
and possibly this could resolve my issue, but I don't have a jail.conf file anywhere and I have no idea how to create it or what should be in this file, as it didn't create itself when the ezjail port was installed. I have tried `mkdir /dev/shm` inside the jail from the host and can't. Please advise.


----------



## Airost (Oct 15, 2017)

I have tried with some examples and changes to them as well and it doesn't work. Can anybody help me? I get the message:
`Starting jails:jail: hfoj.dyn.pl: mount.devfs: /usr/local/jails/teamspeak/dev: No such file or directory`

jail.conf:

```
# /etc/jail.conf
# Global settings applied to all jails.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

# The jail definition for fulljail1
hfoj.dyn.pl {
    host.hostname = "hfoj.dyn.pl";
    path = "/usr/local/jails/teamspeak";
    persist;
    children.max = 99;
    allow.mount;
    allow.mount.devfs;
    allow.mount.procfs;
    allow.mount.zfs;
    allow.mount.nullfs;
    allow.mount.tmpfs;
    allow.raw_sockets;
    allow.socket_af;
    allow.sysvipc;
    allow.chflags;
    enforce_statfs = 1;
    interface = "bce0";
    ip4.addr = 172.16.255.10;
}
```


----------



## Ordoban (Oct 16, 2017)

I have been running a teamspeak server in an ezjail-managed jail for years.
It is a "pure" default ezjail installation without tmpfs or anything else.
Just installed teamspeak, set up pf for the network connection, and it works.

That's the ezjail ts3 config file:

```
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#

export jail_ts3_hostname="ts3.*******.com"
export jail_ts3_ip="lo1|192.168.1.3/24"
export jail_ts3_rootdir="/usr/jails/ts3"
export jail_ts3_exec_start="/bin/sh /etc/rc"
export jail_ts3_exec_stop=""
export jail_ts3_mount_enable="YES"
export jail_ts3_devfs_enable="YES"
export jail_ts3_devfs_ruleset="devfsrules_jail"
export jail_ts3_procfs_enable="YES"
export jail_ts3_fdescfs_enable="YES"
export jail_ts3_image=""
export jail_ts3_imagetype="zfs"
export jail_ts3_attachparams=""
export jail_ts3_attachblocking=""
export jail_ts3_forceblocking=""
export jail_ts3_zfs_datasets=""
export jail_ts3_cpuset=""
export jail_ts3_fib=""
export jail_ts3_parentzfs="zroot/jails"
export jail_ts3_parameters=""
export jail_ts3_post_start_script=""
export jail_ts3_retention_policy=""
```

TS3 wants to call "home" for license reasons at startup, so TS3 needs a working internet connection.

That's the pf.conf part for this jail:

```
if = "em0"
jf = "lo1"
nat on $if inet proto {tcp udp icmp} from $jf to any -> $if
rdr pass on $if inet proto udp from any to $if port { 9988 } -> 192.168.1.3
```


----------



## SirDice (Oct 16, 2017)

Airost said:


> For some reasons I get a message operation not permitted.


Jails are not allowed to mount themselves. Do the mounting from the host using `/etc/fstab.<jailname>`.


----------



## Airost (Oct 17, 2017)

I have tried to make a "pure" jail like Ordoban says, but before that I wanted to remove the old one; I still have files that I cannot even remove manually.
I get the message below:

```
root@mclose:/usr/jails # rm -r /usr/jails/teamspeak/
rm: /usr/jails/teamspeak/dev/fd/0: Read-only file system
rm: /usr/jails/teamspeak/dev/fd/1: Read-only file system
rm: /usr/jails/teamspeak/dev/fd/2: Read-only file system
rm: /usr/jails/teamspeak/dev/fd/3: Read-only file system
```

I have tried using mount as some websites advise for that sort of problem, and it doesn't help. Any ideas?


----------



## Airost (Oct 17, 2017)

As far as I understand jails, it creates another system inside of a system (host) and separates everything. Please tell me the basejail and the files I cannot delete are not linked to host files and this is the reason why I can't delete them. Otherwise I might have deleted some files I will need and I will have to reinstall the system, which is not what I wanted.


----------



## Ordoban (Oct 18, 2017)

Ezjail uses the basejail to link many system files and folders into the jails as a read-only filesystem. Jails (all jail systems, not ezjail exclusively) also link the host /dev folder.
If you want to delete a jail, you have to stop it first (the /usr/jails/teamspeak/dev/ should disappear...).
You should use `ezjail-admin delete -fw teamspeak` instead of the `rm` command.


----------



## getopt (Oct 18, 2017)

Airost said:


> As far as I understand jails, it creates another system inside of a system (host) and separates everything.


Not exactly. You may want to read http://wiki/FreeBSD/en_US.ISO8859-1/books/handbook/jails.html
Jails are based on the underlying FreeBSD OS and share a few things, reduced to a working minimum. This reduction is what increases security, while the jail host's kernel with all its functionality is shared and serves all jails.

Now if some software is not functional in a jail because it is separated from some devices, this is a critical point for making good decisions. Those inaccessible devices could be made accessible in jail.conf, but exactly that may make running that piece of software in a jail senseless. You need to look carefully at whether you are going to ruin the security design of jails when doing so.


----------



## Airost (Oct 18, 2017)

Ordoban,
I've got a message:

```
root@mclose:/usr/home/airost # ezjail-admin delete -fw teamspeak
Error: Nothing known about jail teamspeak.
```

The files are still there.
How do I remove that directory so I can create a new jail with the same name?
So if it was used in the jail and it's on the host, I would like to rebuild those files on the host in case some files I might need have been removed (but not all of them), or run a command so that FreeBSD will check if everything is there.
Is there any way I can rebuild it rather than reinstall the whole system?
I understand it's a different system, but in Windows you can delete half of C:\Windows including files like *.dll and the system will still run.
I do apologize for so many questions, but I am learning everything on my own by reading and I believe here I can find out a bit more from advanced users.


----------



## Ordoban (Oct 19, 2017)

How did you attempt to delete this jail? `ezjail-admin delete teamspeak` (without the -fw)? In this case maybe the jail is still running.
Please run the `jls` command to show all running jails.

```
 JID  IP Address      Hostname                      Path
   1  172.16.255.10   hfoj.dyn.pl                   /usr/jails/teamspeak
```
If you see something like this, your teamspeak jail is still running, even without a config file. Before you can delete the files, you must stop it.
`jail -R 1` will do this job (1 is the JID from above).
After this some filesystems from the jail may still be mounted.
Check this with `mount | grep /usr/jails/teamspeak`.
Maybe something like:

```
zroot/jails/teamspeak on /usr/jails/teamspeak (zfs, local, noatime, nfsv4acls)
/usr/jails/basejail on /usr/jails/teamspeak/basejail (nullfs, local, read-only)
devfs on /usr/jails/teamspeak/dev (devfs, local, multilabel)
fdescfs on /usr/jails/teamspeak/dev/fd (fdescfs)
procfs on /usr/jails/teamspeak/proc (procfs, local)
```
Unmount everything from this. Finally `rm -rf` (or `zpool destroy` if you have used ZFS).

Alternatively to all this, you can try to rename the teamspeak folder with `mv /usr/jails/teamspeak /usr/jails/teamspeak_old` (does not work if ZFS is used).
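The stop-then-unmount procedure above has one ordering constraint that is easy to get wrong by hand: nested mounts (fdescfs on dev/fd inside devfs on dev) must go before their parents, or `umount` fails with "device busy". The script below is an added example written for this page, not code from the thread or from ezjail. It derives the plan from `jls` and `mount` output; the two sample listings are constructed from the ones shown above (a sibling jail `teamspeak2` is added to show that the prefix test does not confuse it with `teamspeak`), and the plan is only printed, so it can be reviewed before being piped to `sh`.

```shell
#!/bin/sh
# Added example (not from the thread): build the stop/unmount plan for a stale
# ezjail from `jls` and `mount` output, deepest mount point first, so that
# nested mounts (dev/fd under dev) are released before their parents.

# Constructed sample output, modelled on the listings in the thread.
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     1  172.16.255.10   hfoj.dyn.pl                   /usr/jails/teamspeak'

SAMPLE_MOUNTS='zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
devfs on /dev (devfs, local, multilabel)
zroot/jails/teamspeak on /usr/jails/teamspeak (zfs, local, noatime, nfsv4acls)
/usr/jails/basejail on /usr/jails/teamspeak/basejail (nullfs, local, read-only)
devfs on /usr/jails/teamspeak/dev (devfs, local, multilabel)
fdescfs on /usr/jails/teamspeak/dev/fd (fdescfs)
procfs on /usr/jails/teamspeak/proc (procfs, local)
zroot/jails/teamspeak2 on /usr/jails/teamspeak2 (zfs, local, noatime, nfsv4acls)'

# jail_id ROOT: read `jls` output on stdin and print the JID whose path is ROOT
# (empty output when no such jail is running).
jail_id() {
    awk -v root="$1" 'NR > 1 && $NF == root { print $1 }'
}

# jail_mounts ROOT: read `mount` output on stdin and print every mount point at
# or below ROOT, deepest first. "/usr/jails/teamspeak2" is a sibling, not a
# child, so the prefix test uses ROOT followed by "/".
jail_mounts() {
    awk -v root="$1" '
        $2 == "on" {
            mp = $3
            if (mp == root || index(mp, root "/") == 1) {
                depth = gsub("/", "/", mp)      # gsub returns the count of "/"
                print depth, $3
            }
        }' | sort -k1,1nr -k2,2r | cut -d" " -f2-
}

# cleanup_plan ROOT: print, but do not run, the commands needed before the
# directory can be removed. For live use replace the two sample variables
# with the real `jls` and `mount` commands.
cleanup_plan() {
    root=$1
    jid=$(printf '%s\n' "$SAMPLE_JLS" | jail_id "$root")
    [ -n "$jid" ] && printf 'jail -R %s\n' "$jid"
    printf '%s\n' "$SAMPLE_MOUNTS" | jail_mounts "$root" | while read -r mp; do
        printf 'umount %s\n' "$mp"
    done
}

cleanup_plan /usr/jails/teamspeak
```

With the sample data the plan is `jail -R 1`, then `umount` of dev/fd, proc, dev, basejail and finally the jail root itself, which is the order the manual steps above need.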


----------



## Airost (Oct 19, 2017)

`shutdown -r now` did the trick. If I was running a website 24/7 for somebody, then I couldn't afford to reboot the server every time there is an issue. That's why I tried to sort it out without a restart. Now I would like to check if I haven't removed something the system might need, and I will check the config from Ordoban.


----------



## Ordoban (Oct 19, 2017)

One more thing you should know about Teamspeak servers:
It isn't allowed to run more than one server on the same external IP address. If you try to start the jailed one while the host one is still running, this will not work.
Both TS3 instances connect to the manufacturer's site and get a license violation, which ends in termination of one or both TS3 instances.

You should also take a look at the logfiles in /var/log/teamspeak/.


----------



## Airost (Oct 19, 2017)

Two logs were created:

```
2017-10-19 21:47:21.056132|INFO    |ServerLibPriv |   |TeamSpeak 3 Server 3.0.13.8 (2017-07-19 08:26:51)
2017-10-19 21:47:21.056762|INFO    |ServerLibPriv |   |SystemInformation: FreeBSD 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7 #1: Sat Sep 24 00:28:31 BST 2016
2017-10-19 21:47:21.056839|WARNING |ServerLibPriv |   |The system locale is set to "C" this can cause unexpected behavior. We advice you to repair your locale!
2017-10-19 21:47:21.057268|INFO    |DatabaseQuery |   |dbPlugin name:    SQLite3 plugin, Version 3, (c)TeamSpeak Systems GmbH
2017-10-19 21:47:21.057345|INFO    |DatabaseQuery |   |dbPlugin version: 3.11.1
2017-10-19 21:47:21.057673|INFO    |DatabaseQuery |   |checking database integrity (may take a while)
2017-10-19 21:47:21.075102|INFO    |SQL           |   |db_CreateTables() tables created
2017-10-19 21:47:21.120455|WARNING |Accounting    |   |Unable to find valid license key, falling back to limited functionality
2017-10-19 21:47:21.621082|ERROR   |Accounting    |   |local accounting reports an already running instance, instance will shutdown
2017-10-19 21:47:21.621145|ERROR   |ServerLibPriv |   |Server() error while starting servermanager, error: instance limit reached
```
And from the second one:

```
2017-10-19 21:48:29.421752|INFO    |ServerLibPriv |   |TeamSpeak 3 Server 3.0.13.8 (2017-07-19 08:26:51)
2017-10-19 21:48:29.421951|INFO    |ServerLibPriv |   |SystemInformation: FreeBSD 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7 #1: Sat Sep 24 00:28:31 BST 2016
2017-10-19 21:48:29.422029|WARNING |ServerLibPriv |   |The system locale is set to "C" this can cause unexpected behavior. We advice you to repair your locale!
2017-10-19 21:48:29.422425|INFO    |DatabaseQuery |   |dbPlugin name:    SQLite3 plugin, Version 3, (c)TeamSpeak Systems GmbH
2017-10-19 21:48:29.422501|INFO    |DatabaseQuery |   |dbPlugin version: 3.11.1
2017-10-19 21:48:29.422819|INFO    |DatabaseQuery |   |checking database integrity (may take a while)
2017-10-19 21:48:29.437281|WARNING |Accounting    |   |Unable to find valid license key, falling back to limited functionality
2017-10-19 21:48:30.465956|INFO    |              |   |Puzzle precompute time: 953
2017-10-19 21:48:30.466651|ERROR   |FileManager   |   |bind failed on :::30033; reason: Protocol not supported
2017-10-19 21:48:30.466699|ERROR   |FileManager   |   |filetransfer bind failed on :::30033; reason: Protocol not supported
2017-10-19 21:48:30.466756|CRITICAL|VirtualSvrMgr |   |Could not start file manager 258 no network port available
```

I have stopped it on the host and tried to run it in the jail. Doesn't work.
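The two logs above carry the diagnosis in their pipe-separated records: the first run died on "instance limit reached" (the host instance was still up), the second on a bind to `:::30033`, the IPv6 wildcard, which a jail configured with only `ip4.addr` cannot open because it has no IPv6 sockets at all. The helper below is an added example for this page, not code from the thread or from TeamSpeak; it parses that log format and reduces a start-up log to the worst level seen plus the IPv6 bind failures, so a post-start check can fail fast. The sample log is constructed from the second listing above.

```shell
#!/bin/sh
# Added example (not from the thread or from TeamSpeak): a small triage helper
# for the ts3server log format shown above. Records are pipe-separated:
#   timestamp|LEVEL   |Component     |server id|message
# with the level and component padded to fixed width.

# Constructed sample, taken from the second log in the post above.
SAMPLE_TS3_LOG='2017-10-19 21:48:29.421752|INFO    |ServerLibPriv |   |TeamSpeak 3 Server 3.0.13.8 (2017-07-19 08:26:51)
2017-10-19 21:48:29.422029|WARNING |ServerLibPriv |   |The system locale is set to "C" this can cause unexpected behavior. We advice you to repair your locale!
2017-10-19 21:48:29.437281|WARNING |Accounting    |   |Unable to find valid license key, falling back to limited functionality
2017-10-19 21:48:30.466651|ERROR   |FileManager   |   |bind failed on :::30033; reason: Protocol not supported
2017-10-19 21:48:30.466699|ERROR   |FileManager   |   |filetransfer bind failed on :::30033; reason: Protocol not supported
2017-10-19 21:48:30.466756|CRITICAL|VirtualSvrMgr |   |Could not start file manager 258 no network port available'

# ts3_alerts: print "LEVEL COMPONENT MESSAGE" for every record at WARNING or above.
ts3_alerts() {
    awk -F'|' '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        {
            lvl = trim($2)
            if (lvl == "WARNING" || lvl == "ERROR" || lvl == "CRITICAL")
                print lvl, trim($3), $5
        }'
}

# ts3_worst: print the most severe level in the log (INFO when nothing is
# wrong), usable as the exit criterion of a post-start health check.
ts3_worst() {
    awk -F'|' '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        BEGIN { rank["INFO"] = 0; rank["WARNING"] = 1; rank["ERROR"] = 2
                rank["CRITICAL"] = 3; worst = "INFO" }
        { lvl = trim($2); if (lvl in rank && rank[lvl] > rank[worst]) worst = lvl }
        END { print worst }'
}

# ts3_ipv6_bind_failures: bind errors on ":::PORT" (the IPv6 wildcard). In a
# jail that has only ip4.addr these are expected, and mean the listener must
# be restricted to an IPv4 address or the jail must be given an ip6.addr.
ts3_ipv6_bind_failures() {
    awk -F'|' '$5 ~ /bind failed on :::/ { print $5 }'
}

printf '%s\n' "$SAMPLE_TS3_LOG" | ts3_alerts
```

On the sample the worst level is CRITICAL and both FileManager errors are reported as IPv6 bind failures; a log from a healthy start reduces to INFO.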


----------



## Ordoban (Oct 20, 2017)

Airost said:


> 2017-10-19 21:48:30.466756|CRITICAL|VirtualSvrMgr |   |Could not start file manager 258 *no network port available*



Have you done proper port-forwarding on the host? It seems the jailed TS3 is not reachable from outside.


----------



## Airost (Oct 21, 2017)

pf.conf:

```
...
jail_if="lo1"                           # Jail
...

nat on $wan_if inet proto {tcp udp icmp} from 172.16.255.10 to any -> $wan_if
rdr pass on $wan_if inet proto udp from any to $wan_if port { 9988 } -> 172.16.255.10
```

Doesn't work, same message. I have tried almost all combinations.
Just to give you a bit of a heads up: on the host, lo0 has IP 127.0.0.1 and lo1 has no IP assigned. The host has 2 eth cards: bce0, called lan_if, has IP 172.16.0.1, and bce1 has local IP 192.168.1.2 and is connected to the modem; a PPPoE connection is also established (tun0). tun0 is called wan_if. The jail IP is 172.16.255.10.

I can paste all of pf.conf if this will help. I feel like another weekend with Jails; hopefully I will get results this time.


----------



## Ordoban (Oct 21, 2017)

Airost said:


> lo1 has no IP assigned.


That's it! The jail needs the IP assigned somewhere.
lo1 was my choice for the host-internal network.

rc.conf:

```
#++++++++++++++++ network +++++++++++++
cloned_interfaces="lo1"
ifconfig_em0="SYNCDHCP"
ifconfig_lo1_alias0="inet 192.168.1.1/24"
ifconfig_lo1_alias1="inet 192.168.1.2/24"
ifconfig_lo1_alias2="inet 192.168.1.3/24"
ifconfig_lo1_alias3="inet 192.168.1.4/24"
ifconfig_lo1_alias4="inet 192.168.1.5/24"
ifconfig_lo1_alias5="inet 192.168.1.6/24"
ifconfig_lo1_alias6="inet 192.168.1.7/24"
ifconfig_lo1_alias7="inet 192.168.1.8/24"
ifconfig_lo1_alias8="inet 192.168.1.9/24"

#++++++++++++++++ firewall ++++++++++++++
pf_enable="YES"
pf_rules="/etc/pf.conf"
gateway_enable="YES"
```

You can add an IP to a network interface on the fly with `ifconfig` (just in case you don't know).
Try `ifconfig lo1 inet 172.16.255.10/24`.


----------



## Airost (Oct 21, 2017)

Right, in rc.conf:

```
ifconfig_em0="SYNCDHCP"
ifconfig_lo1_alias0="inet 192.168.1.1/24"
ifconfig_lo1_alias1="inet 192.168.1.2/24"
ifconfig_lo1_alias2="inet 192.168.1.3/24"
ifconfig_lo1_alias3="inet 192.168.1.4/24"
ifconfig_lo1_alias4="inet 192.168.1.5/24"
ifconfig_lo1_alias5="inet 192.168.1.6/24"
ifconfig_lo1_alias6="inet 192.168.1.7/24"
ifconfig_lo1_alias7="inet 192.168.1.8/24"
ifconfig_lo1_alias8="inet 192.168.1.9/24"
```

I didn't add this because I think it's aliases for other jails, but if I have only 1 then I don't need aliases, do I? Please see my full `/etc/rc.conf` on the host:

```
#Sysinstall config
hostname="mclose"
keymap="pl_PL.ISO8859-2.kbd"
local_unbound_enable="YES"
sshd_enable="YES"
#moused_enable="YES"
ntpd_enable="YES"
#powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
##############
#Network interfaces
ifconfig_bce1="DHCP"
ifconfig_bce0="inet 172.16.0.1 netmask 255.255.0.0"
##############
#PPPoE connection
ppp_enable="YES"
ppp_mode="ddial"
#ppp_program="/usr/sbin/ppp"
ppp_nat="NO"
#ppp_user="root"
ppp_profile="ee"
#ppp_ee_mode="ddial"
#ppp_ee_nat="NO"
##############
#Internet forwarding
gateway_enable="YES"
#defaultrouter=""
##############
#DHCPd
dhcpd_enable="YES"
#dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="bce0"
#dhcp_withumask="022"
##############
#NO-IP domain
noip_enable="YES"
##############
#Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
##############
#Network File System Client
nfs_client_enable="YES"
nfs_client_flags="-n 4"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
##############
#Plexmediaserver
plexmediaserver_enable="YES"
##############
#Port forwarding with miniupnpd
miniupnpd_enable="YES"
##############
#TeamSpeak Server 3
teamspeak_enable="YES"
##############
#EZ IPUPDATE (Dynamic Domain)
ez_ipupdate_enable="YES"
##############
#Jails
ezjail_enable="YES"
cloned_interfaces="lo1"
##############
#
```


----------



## Airost (Oct 21, 2017)

and `/etc/pf.conf`:

```
#       $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
#  FIREWALL CONFIGURATION
#
#########################################################

# Required macros and tables
lo_if="lo0"                             # loopback
wan_if="tun0"                           # EE
lan_if="bce0"                           # LAN
jail_if="lo1"                           # Jail
lan_net="172.16.0.1/24"                 # LAN network
my_ip="172.16.0.1"                      # LAN IP
server="192.168.2.10"                   # WAN server

ludzie="{       172.16.0.1,
                172.16.0.2,
                172.16.0.3,
                172.16.0.4,
                172.16.0.5,
                172.16.0.6,
                172.16.0.7,
                172.16.0.8,
                172.16.0.9,
                172.16.0.10,
                172.16.0.11,
                172.16.0.12,
                172.16.0.13,
                172.16.0.14,
                172.16.0.15,
                172.16.0.16,
                172.16.0.17,
                172.16.0.18,
                172.16.0.19,
                172.16.0.20,
                172.16.0.21,
                172.16.0.22,
                172.16.0.23,
                172.16.0.24,
                172.16.0.25,
                172.16.255.10
                                }"

set loginterface tun0
set fingerprints "/etc/pf.os"

# Packet normalization:
scrub in all
scrub on $wan_if no-df
#
# AltQ - upload:
#
#########################
altq on $wan_if cbq bandwidth 1Gb queue {       std_out         \
                                                accesspoint_out \
                                                airost_out      \
                                                airost8560w_out \
                                                airostmob_out   \
                                                iphone4s_out    \
                                                magda_out       \
                                                mclosedata_out  \
                                                staffline1_out  \
                                                amazon_out      \
                                                ps4_out}
queue std_out           bandwidth 100Mb cbq(default red)
queue accesspoint_out   bandwidth 100Mb cbq(red)
queue airost_out        bandwidth 62Mb cbq(red)
queue airost8560w_out   bandwidth 2Mb cbq(red)
queue airostmob_out     bandwidth 2Mb cbq(red)
queue iphone4s_out      bandwidth 2Mb cbq(red)
queue magda_out         bandwidth 1Mb cbq(red)
queue mclosedata_out    bandwidth 10Mb cbq(red)
queue staffline1_out    bandwidth 1Mb cbq(red)
queue amazon_out        bandwidth 2Mb cbq(red)
queue ps4_out           bandwidth 30Mb cbq(red)
#
# AltQ - download:
#
#########################
altq on $lan_if cbq bandwidth 1Gb queue {       std_in          \
                                                accesspoint_in  \
                                                airost_in       \
                                                airost8560w_in  \
                                                airostmob_in    \
                                                iphone4s_in     \
                                                magda_in        \
                                                mclosedata_in   \
                                                staffline1_in   \
                                                amazon_in       \
                                                ps4_in}
queue std_in            bandwidth 100Mb cbq(default red)
queue accesspoint_in    bandwidth 100Mb cbq(red)
queue airost_in         bandwidth 62Mb cbq(red)
queue airost8560w_in    bandwidth 40Mb cbq(red)
queue airostmob_in      bandwidth 40Mb cbq(red)
queue iphone4s_in       bandwidth 2Mb cbq(red)
queue magda_in          bandwidth 40Mb cbq(red)
queue mclosedata_in     bandwidth 40Mb cbq(red)
queue staffline1_in     bandwidth 2Mb cbq(red)
queue amazon_in         bandwidth 10Mb cbq(red)
queue ps4_in            bandwidth 31Mb cbq(red)
#
# NAT -> LAN
#
#########################
# NAT for the LAN network and the server:
nat-anchor miniupnpd
nat on $wan_if from $ludzie to any -> ($wan_if)
nat on $wan_if from $lan_if:network to any -> $wan_if static-port
#nat pass on $wan_if from 172.16.255.10 to any -> $wan_if
nat on $wan_if inet proto {tcp udp icmp} from $jail_if to any -> $wan_if
rdr pass on $wan_if inet proto udp from any to $wan_if port { 9988 } -> 172.16.255.10
#nat pass on $lan_if proto udp from 172.16.255.10 to any -> 172.16.0.1
#rdr pass on $wan_if proto tcp from any to $wan_if port 80 -> 172.16.255.10 port 80
#rdr pass on $wan_if proto tcp from any to $wan_if port 443 -> 172.16.255.10 port 443
#rdr pass on $wan_if proto tcp from any to $wan_if port 2020 -> 172.16.255.10 port 2020
#
# Redirects LAN -> WAN:
#
#########################
rdr-anchor miniupnpd
#rdr on $wan_if proto {tcp, udp} from any to any port 6112 -> 192.168.10.2 port 6112
#rdr on $wan_if proto tcp from 88.55.79.190 to 192.168.10.1 port 8000 -> 80.55.79.190 port 8000
#rdr on $lan_if proto tcp from 192.168.10.1 to 192.168.10.254 port 8000 -> 80.55.79.190 port 8000
# Port redirects for eMule
#rdr on $wan_if proto tcp from any to any port 24859 -> 172.16.0.2 port 24859
#rdr on $wan_if proto udp from any to any port 43212 -> 172.16.0.2 port 43212
# Port redirects for DC++
#rdr on $wan_if proto tcp from any to any port 24860 -> 172.16.0.2 port 24860
#rdr on $wan_if proto udp from any to any port 43213 -> 172.16.0.2 port 43213
#rdr on $wan_if proto tcp from any to any port 24860 -> 172.16.0.4 port 24860
#rdr on $wan_if proto udp from any to any port 43213 -> 172.16.0.4 port 43213
# Port redirects for FTP:
#rdr on $lan_if proto tcp from any to any port 21 -> 192.168.1.254 port 8021
# Port redirects for Warcraft III
#rdr on $lan_if proto {tcp, udp} from 172.16.0.1 to 192.168.0.1 port 6112 -> 80.54.27.29 port 61120
#rdr on $wan_if proto {tcp, udp} from any to any port 6112 -> 172.16.0.6 port 6112
# Port redirects for Bitcomet
#rdr on $wan_if proto {tcp, udp} from any to any port 21364 -> 172.16.0.10 port 21364
# Port redirects for Black Ops 3
#rdr on $wan_if proto {tcp, udp} from any to any port 3074 -> 172.16.0.10 port 3074
# Port redirects for Battlefield Hardline
#rdr on $wan_if proto udp from any to any port 3659 -> 172.16.0.10 port 3659
# Port redirects for Age of Empires 1
#rdr on $wan_if proto {tcp, udp} from any to any port 2300:2400 -> 172.16.0.10 port 2300:2400
#rdr on $wan_if proto {tcp, udp} from any to any port 2301 -> 172.16.0.10 port 2301
#rdr on $wan_if proto {tcp, udp} from any to any port 2302 -> 172.16.0.10 port 2302
#rdr on $wan_if proto {tcp, udp} from any to any port 2303 -> 172.16.0.10 port 2303
#rdr on $wan_if proto {tcp, udp} from any to any port 2304 -> 172.16.0.10 port 2304
#rdr on $wan_if proto {tcp, udp} from any to any port 2305 -> 172.16.0.10 port 2305
#rdr on $wan_if proto {tcp, udp} from any to any port 47624 -> 172.16.0.10 port 47624
#rdr on $wan_if proto tcp from any to any port 47624 -> 172.16.0.10 port 47624
#rdr on $wan_if proto {tcp, udp} from any to any port 2300:2400 -> 172.16.0.1 port 2300:2400
#Tunngle
#rdr on $wan_if proto udp from any to any port 11155 -> 172.16.0.10 port 11155
#Rainbow Six Siege
#rdr on $wan_if proto udp from any to any port 6015 -> 172.16.0.10 port 6015
#rdr on $wan_if proto tcp from any to any port 3074 -> 172.16.0.10 port 3074
#rdr on $wan_if proto tcp from any to any port 443 -> 172.16.0.10 port 443
#rdr on $wan_if proto tcp from any to any port 13000 -> 172.16.0.10 port 13000
#rdr on $wan_if proto tcp from any to any port 13005 -> 172.16.0.10 port 13005
#rdr on $wan_if proto tcp from any to any port 13200 -> 172.16.0.10 port 13200
#rdr on $wan_if proto tcp from any to any port 14000 -> 172.16.0.10 port 14000
#rdr on $wan_if proto tcp from any to any port 14001 -> 172.16.0.10 port 14001
#rdr on $wan_if proto tcp from any to any port 14008 -> 172.16.0.10 port 14008
#rdr on $wan_if proto tcp from any to any port 14020 -> 172.16.0.10 port 14020
#rdr on $wan_if proto tcp from any to any port 14021 -> 172.16.0.10 port 14021
#rdr on $wan_if proto tcp from any to any port 14022 -> 172.16.0.10 port 14022
#rdr on $wan_if proto tcp from any to any port 14023 -> 172.16.0.10 port 14023
#rdr on $wan_if proto tcp from any to any port 14024 -> 172.16.0.10 port 14024
#rdr on $wan_if proto udp from any to any port 10000:10099 -> 172.16.0.10 port 10000:10099
#rdr on $wan_if proto {tcp, udp} from any to any port 3658 -> 172.16.0.10 port 3658
#rdr on $wan_if proto tcp from any to any port 80 -> 172.16.0.10 port 80
#rdr on $wan_if proto {tcp, udp} from any to any port 3478 -> 172.16.0.10 port 3478
#rdr on $wan_if proto {tcp, udp} from any to any port 3479 -> 172.16.0.10 port 3479
#rdr on $wan_if proto tcp from any to any port 3480 -> 172.16.0.10 port 3480
#rdr on $wan_if proto udp from any to any port 3658 -> 172.16.0.10 port 3658
#rdr on $wan_if proto udp from any to any port 6115 -> 172.16.0.10 port 6115
#TeamSpeak 3 Server WI
#rdr on $wan_if proto tcp from any to any port 10011 -> 172.16.255.10 port 10011
#WWW Redirect
#rdr pass on $lan_if inet proto tcp from any to any port 80 -> 172.16.255.10 port 80
#rdr pass on $wan_if inet proto {tcp, udp} from any to any port 30033 -> 172.16.255.10 port 30033
#
# Firewall:
#
#########################
pass out all
pass in all

#
# AltQ - Clients:
#
#########################
# (q_normal and q_ack are referenced in the next two rules, but no queue definition for them appears in this file)
pass in on $lan_if inet proto tcp from any to $wan_if port 1723 flags S/SAFR queue (q_normal, q_ack)
pass in on $lan_if inet proto gre from any to $wan_if queue (q_normal, q_ack)
pass in on $lan_if inet proto tcp from any to $wan_if port 80
# Tagging packets on the LAN:
pass in on $lan_if from 172.16.0.1 to any tag server            keep state
pass in on $lan_if from 172.16.0.2 to any tag accesspoint       keep state
pass in on $lan_if from 172.16.0.10 to any tag airost           keep state
pass in on $lan_if from 172.16.0.12 to any tag airost8560w      keep state
pass in on $lan_if from 172.16.0.5 to any tag airostmob         keep state
pass in on $lan_if from 172.16.0.7 to any tag iphone4s          keep state
pass in on $lan_if from 172.16.0.6 to any tag magda             keep state
pass in on $lan_if from 172.16.0.17 to any tag mclosedata       keep state
pass in on $lan_if from 172.16.0.9 to any tag staffline1        keep state
pass in on $lan_if from 172.16.0.4 to any tag amazon            keep state
pass in on $lan_if from 172.16.0.11 to any tag ps4              keep state
# AltQ - UPLOAD:
# (the server_out queue used for tag "server" is not defined in the altq section above)
pass out on $wan_if all tagged server           keep state queue server_out
pass out on $wan_if all tagged accesspoint      keep state queue accesspoint_out
pass out on $wan_if all tagged airost           keep state queue airost_out
pass out on $wan_if all tagged airost8560w      keep state queue airost8560w_out
pass out on $wan_if all tagged airostmob        keep state queue airostmob_out
pass out on $wan_if all tagged iphone4s         keep state queue iphone4s_out
pass out on $wan_if all tagged magda            keep state queue magda_out
pass out on $wan_if all tagged mclosedata       keep state queue mclosedata_out
pass out on $wan_if all tagged staffline1       keep state queue staffline1_out
pass out on $wan_if all tagged amazon           keep state queue amazon_out
pass out on $wan_if all tagged ps4              keep state queue ps4_out
# AltQ - DOWNLOAD:
# (the server_in queue used for tag "server" is not defined in the altq section above)
pass in on $lan_if all tagged server            keep state queue server_in
pass in on $lan_if all tagged accesspoint       keep state queue accesspoint_in
pass in on $lan_if all tagged airost            keep state queue airost_in
pass in on $lan_if all tagged airost8560w       keep state queue airost8560w_in
pass in on $lan_if all tagged airostmob         keep state queue airostmob_in
pass in on $lan_if all tagged iphone4s          keep state queue iphone4s_in
pass in on $lan_if all tagged magda             keep state queue magda_in
pass in on $lan_if all tagged mclosedata        keep state queue mclosedata_in
pass in on $lan_if all tagged staffline1        keep state queue staffline1_in
pass in on $lan_if all tagged amazon            keep state queue amazon_in
pass in on $lan_if all tagged ps4               keep state queue ps4_in
#
# Port blocking
# (the rules below write wan_if / lan_if without the leading $, so pf reads them as literal interface names rather than the macros $wan_if / $lan_if)
#
########################
block in log quick on wan_if proto tcp from any to any port = 135
block in log quick on wan_if proto tcp from any to any port = 136
block in log quick on wan_if proto tcp from any to any port = 137
block in log quick on wan_if proto tcp from any to any port = 138
block in log quick on wan_if proto tcp from any to any port = 139
block in log quick on wan_if proto tcp from any to any port = 445
block in log quick on wan_if proto tcp from any to any port = 593
block in log quick on wan_if proto tcp from any to any port = 1024
block in log quick on wan_if proto tcp from any to any port = 1025
block in log quick on wan_if proto tcp from any to any port = 1026
block in log quick on wan_if proto tcp from any to any port = 1027
block in log quick on wan_if proto tcp from any to any port = 1028
block in log quick on wan_if proto tcp from any to any port = 1029
block in log quick on wan_if proto tcp from any to any port = 1030
block in log quick on lan_if proto tcp from any to any port = 135
block in log quick on lan_if proto tcp from any to any port = 136
block in log quick on lan_if proto tcp from any to any port = 137
block in log quick on lan_if proto tcp from any to any port = 138
block in log quick on lan_if proto tcp from any to any port = 139
block in log quick on lan_if proto tcp from any to any port = 445
block in log quick on lan_if proto tcp from any to any port = 593
block in log quick on lan_if proto tcp from any to any port = 1024
block in log quick on lan_if proto tcp from any to any port = 1025
block in log quick on lan_if proto tcp from any to any port = 1026
block in log quick on lan_if proto tcp from any to any port = 1027
block in log quick on lan_if proto tcp from any to any port = 1028
block in log quick on lan_if proto tcp from any to any port = 1029
block in log quick on lan_if proto tcp from any to any port = 1030
```
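Two of the mistakes in the ruleset above are hard to spot by eye in a file this long: interface macros written after `on` without their `$` (pf then treats the word as an interface name), and `queue` assignments in filter rules (`server_out`, `server_in`, `q_normal`, `q_ack`) that no `queue` line defines. The awk-based linter below is an added example written for this page, not code from the thread or from pf; the short ruleset embedded in it is constructed to reproduce exactly those patterns.

```shell
#!/bin/sh
# Added example (not from the thread): a lint pass over a pf.conf that catches
# a macro name written after "on" without its "$", and "queue" references in
# filter rules that no "queue" line defines.

# Constructed ruleset that reproduces those patterns in a few lines.
SAMPLE_PF='wan_if="tun0"
lan_if="bce0"
jail_if="lo1"
altq on $wan_if cbq bandwidth 1Gb queue { std_out airost_out }
queue std_out bandwidth 100Mb cbq(default red)
queue airost_out bandwidth 62Mb cbq(red)
nat on $wan_if inet proto {tcp udp icmp} from $jail_if to any -> $wan_if
rdr pass on $wan_if inet proto udp from any to $wan_if port { 9988 } -> 172.16.255.10
pass out on $wan_if all tagged server keep state queue server_out
pass out on $wan_if all tagged airost keep state queue airost_out
pass in on $lan_if inet proto tcp from any to $wan_if port 1723 queue (q_normal, q_ack)
block in log quick on wan_if proto tcp from any to any port = 445'

# pf_lint: read a pf.conf on stdin, print one "line N: ..." finding per problem.
# A single pass is enough because pf itself requires macros and queues to be
# defined before the rules that use them.
pf_lint() {
    awk '
    { sub(/#.*/, "") }                                   # drop comments
    /^[A-Za-z_][A-Za-z0-9_]* *=/ {                        # macro definition
        m = $0; sub(/ *=.*/, "", m); macros[m] = 1
    }
    /^queue / { queues[$2] = 1 }                          # queue definition
    {
        line = $0
        while (match(line, /[$][A-Za-z_][A-Za-z0-9_]*/)) {   # $name references
            ref = substr(line, RSTART + 1, RLENGTH - 1)
            if (!(ref in macros)) printf "line %d: undefined macro $%s\n", NR, ref
            line = substr(line, RSTART + RLENGTH)
        }
        # "queue NAME" or "queue (A, B)" in a filter rule (not altq/queue lines)
        if ($1 != "queue" && $1 != "altq" &&
            match($0, /queue +(\([^)]*\)|[A-Za-z0-9_]+)/)) {
            q = substr($0, RSTART + 5, RLENGTH - 5)
            gsub(/[ (),]+/, " ", q)
            n = split(q, qs, " ")
            for (i = 1; i <= n; i++)
                if (!(qs[i] in queues)) printf "line %d: undefined queue %s\n", NR, qs[i]
        }
        # a defined macro name used after "on" without the $ is an interface name to pf
        for (i = 1; i < NF; i++) {
            nm = $(i + 1)
            if ($i == "on" && (nm in macros))
                printf "line %d: macro %s used after on without $ (pf reads it as an interface named %s)\n", NR, nm, nm
        }
    }'
}

printf '%s\n' "$SAMPLE_PF" | pf_lint
```

Run against a real file with `pf_lint < /etc/pf.conf`. The macro check is deliberately narrow (only the word after `on`) so it does not flag legitimate bare words such as `tcp` or `any`.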


----------



## Airost (Oct 21, 2017)

ifconfig:

```
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:b9:f0:22:25
        inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
        inet 172.16.255.10 netmask 0xffffffff broadcast 172.16.255.10
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:b9:f0:22:23
        inet 192.168.2.10 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 172.16.255.10 netmask 0xffffff00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        options=80000<LINKSTATE>
        inet 2.29.84.41 --> 172.16.16.148 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 517
```


----------



## Ordoban (Oct 21, 2017)

Airost said:


> Right, in rc.conf:
> I didn't add this because I think it's aliases for other jails, but if I have only 1 then I don't need aliases, do I? ...


Yes, that's also the setup for the main interface and other jails.
Sure, you need only one alias for one jail.

Edit:
I just saw you have 172.16.255.10 twice, on bce0 and lo1. That's bad.
Delete one and pass the remaining one's interface to the jail.


----------
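
The duplicate address Ordoban spotted is easy to miss by eye in a long `ifconfig` listing, so here is a small checker for it. This is an added example, not code from the thread, from ezjail or from TeamSpeak: it parses FreeBSD `ifconfig` output, reports any IPv4 address configured on more than one interface, and also flags two different non-/32 prefixes on different interfaces that overlap (such as a /16 on the NIC and a /24 on a loopback clone inside it), which leaves the kernel's choice of outgoing interface ambiguous. The embedded sample input is a constructed, trimmed copy of the host output posted above; the function names and the suggested file name `check_ifconfig.py` are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, trimmed from the host ifconfig output posted in this thread:
# 172.16.255.10 is carried by both bce0 (as /32) and lo1 (as /24).
SAMPLE_IFCONFIG = """\
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:19:b9:f0:22:25
        inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
        inet 172.16.255.10 netmask 0xffffffff broadcast 172.16.255.10
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.2.10 netmask 0xffffff00 broadcast 192.168.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 172.16.255.10 netmask 0xffffff00
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask 0x([0-9a-fA-F]{8})")


def parse_ifconfig(text):
    """Return a list of (interface, ipaddress.IPv4Interface) from FreeBSD ifconfig output.
    The hex netmask is converted to dotted form, which ipaddress accepts directly."""
    entries = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and iface:
            addr, mask_hex = m.groups()
            mask = str(ipaddress.IPv4Address(int(mask_hex, 16)))
            entries.append((iface, ipaddress.IPv4Interface(f"{addr}/{mask}")))
    return entries


def duplicate_addresses(entries):
    """Addresses that appear on more than one interface: {'a.b.c.d': [ifaces]}."""
    seen = defaultdict(list)
    for iface, intf in entries:
        seen[intf.ip].append(iface)
    return {str(ip): ifaces for ip, ifaces in seen.items() if len(ifaces) > 1}


def carriers(entries, ip):
    """Interfaces carrying the given address; a jail alias should have exactly one."""
    ip = ipaddress.IPv4Address(ip)
    return [iface for iface, intf in entries if intf.ip == ip]


def overlapping_prefixes(entries):
    """Distinct prefixes on different interfaces that overlap each other.
    /32 entries are skipped because a /32 alias inside a wider prefix is the
    normal shape of a jail alias; a /24 inside a /16 on another interface is not."""
    found = []
    for i, (if_a, a) in enumerate(entries):
        for if_b, b in entries[i + 1:]:
            if if_a == if_b or a.network == b.network:
                continue
            if a.network.prefixlen == 32 or b.network.prefixlen == 32:
                continue
            if a.network.overlaps(b.network):
                found.append((if_a, str(a.network), if_b, str(b.network)))
    return found


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IFCONFIG
    entries = parse_ifconfig(text)
    for ip, ifaces in duplicate_addresses(entries).items():
        print(f"DUPLICATE {ip} configured on {', '.join(ifaces)}")
    for if_a, net_a, if_b, net_b in overlapping_prefixes(entries):
        print(f"OVERLAP {net_a} ({if_a}) contains or overlaps {net_b} ({if_b})")
```

Run it on the host as `ifconfig | python3 check_ifconfig.py`; with no input on stdin it checks the embedded sample, which reports the duplicate 172.16.255.10 on bce0 and lo1 and the overlap between 172.16.0.0/16 on bce0 and 172.16.255.0/24 on lo1.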



## Airost (Oct 21, 2017)

```
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:b9:f0:22:25
        inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:b9:f0:22:23
        inet 192.168.2.10 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 172.16.255.10 netmask 0xffffff00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        options=80000<LINKSTATE>
        inet 95.145.82.158 --> 172.16.16.148 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 518
```
Still no difference for TeamSpeak.
Also, after I was playing with pf.conf, it won't open any websites; nginx, PHP and MySQL are running as normal. I am just a beginner with BSD systems.

By the way, thanks for helping me out with this one and for being so patient.

I think the issue is in pf.conf, and the problem is with configuring it. As far as I understand, the error for TeamSpeak in the jail is that it cannot connect to TeamSpeak to check the license on port 30033, so there are two possible reasons: the port is in use, but I am stopping TS every time before I want to try it in the jail; the second reason could be ports not being forwarded / the port being behind NAT. I was reading a lot of tutorials etc. online before I got it to the stage where it is now.


----------



## Ordoban (Oct 21, 2017)

30033 is an incoming TCP4 socket, used for the TS3 file transfer feature. TS3 also works if this port is blocked.

But why does your log say:

```
2017-10-19 21:48:30.466651|ERROR   |FileManager   |   |bind failed on :::30033; reason: Protocol not supported
2017-10-19 21:48:30.466699|ERROR   |FileManager   |   |filetransfer bind failed on :::30033; reason: Protocol not supported
```

Protocol not supported? IPv4 TCP? Strange!
Can you please post an `ifconfig` from inside the jail?

Should look like this:

```
# ezjail-admin console ts3
Welcome to FreeBSD!
root@ts3:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether **:**:**:**:**:**
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 192.168.1.3 netmask 0xffffff00
```


----------



## Airost (Oct 21, 2017)

```
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:b9:f0:22:25
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:b9:f0:22:23
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 172.16.255.10 netmask 0xffffff00
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        options=80000<LINKSTATE>
        Opened by PID 518
```


----------



## Ordoban (Oct 22, 2017)

Looks correct. 
On this point I am on the end of my knowledge. Sorry.


----------



## Ordoban (Oct 22, 2017)

Heureka! I've got two ideas while taking a bath.
1. How long did you wait between stopping the host TS and starting the jail TS? There is a wait time before a server socket can be re-opened on a specific port. Some forums talk about 60 seconds.
Try waiting between stopping and starting the TS servers.
(more info: https://unix.stackexchange.com/ques...ess-that-has-been-bound-unavailable-after-clo)
2. You are using 172.16.0.1 netmask 0xffff0000 and 172.16.255.10 netmask 0xffffff00. This is not accurate in the aspect of routing, but I have no clue if this is a real issue. Just try out a different IP for your jail (like 172.*17*.1.1)


----------
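
Two of the bind failures discussed in this thread, the "Protocol not supported" on :::30033 in Ordoban's Oct 21 post and the wait-before-restart suggestion in idea 1 above, can be reproduced and handled in a few lines of socket code. The Python below is an added example, not TeamSpeak's code and not from ezjail or the thread. "Protocol not supported" is the text for errno EPROTONOSUPPORT, which is what a FreeBSD jail that has no ip6.addr returns for AF_INET6 sockets; a server that wants to stay up in such a jail should catch that family of errors and fall back to IPv4, which `open_listener` does. The wait after stopping a server comes from connections parked in TIME_WAIT on the old port; `rebind_demo` shows that rebind failing or succeeding depending on SO_REUSEADDR. The function names are mine; the demo binds ephemeral ports on loopback only and makes no outside connection.

```python
import errno
import socket

# Errnos a kernel returns when an address family is simply not available here.
# errno.EPROTONOSUPPORT is the "Protocol not supported" string seen in the TS3 log.
_FAMILY_MISSING = (errno.EPROTONOSUPPORT, errno.EAFNOSUPPORT, errno.EADDRNOTAVAIL)


def open_listener(port, host_v6="::", host_v4="0.0.0.0", reuse=True):
    """Open a TCP listener, preferring IPv6 (dual-stack when binding "::") and
    falling back to IPv4 if the IPv6 family is unavailable.
    Returns ("inet6" or "inet", listening socket).
    Any other error (e.g. EADDRINUSE from a port still in TIME_WAIT) propagates."""
    last_err = None
    for family, host in ((socket.AF_INET6, host_v6), (socket.AF_INET, host_v4)):
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
        except OSError as e:
            if e.errno in _FAMILY_MISSING:
                last_err = e          # no such family in this jail/kernel: try the next one
                continue
            raise
        try:
            if reuse:
                # Lets bind() succeed while old connections on this port sit in TIME_WAIT.
                sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            if family == socket.AF_INET6 and host == "::" and hasattr(socket, "IPV6_V6ONLY"):
                try:
                    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
                except OSError:
                    pass              # kernel refuses dual-stack; stay IPv6-only
            sock.bind((host, port))
            sock.listen(5)
            return ("inet6" if family == socket.AF_INET6 else "inet"), sock
        except OSError as e:
            sock.close()
            if e.errno in _FAMILY_MISSING:
                last_err = e
                continue
            raise
    raise OSError(errno.EAFNOSUPPORT, f"no usable address family for port {port}: {last_err}")


def rebind_demo(reuse):
    """Serve one loopback connection, close the server side first (which parks
    that connection in TIME_WAIT on the server), then immediately rebind the same
    port. Returns True if the rebind succeeded, False if it failed with EADDRINUSE."""
    fam, srv = open_listener(0, host_v6="::1", host_v4="127.0.0.1", reuse=reuse)
    port = srv.getsockname()[1]
    peer = "::1" if fam == "inet6" else "127.0.0.1"
    client = socket.create_connection((peer, port))
    conn, _ = srv.accept()
    conn.close()                      # server closes first -> server-side TIME_WAIT
    client.close()
    srv.close()
    try:
        _, again = open_listener(port, host_v6="::1", host_v4="127.0.0.1", reuse=reuse)
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return False
        raise
    again.close()
    return True


if __name__ == "__main__":
    print("rebind without SO_REUSEADDR:", rebind_demo(reuse=False))
    print("rebind with SO_REUSEADDR:   ", rebind_demo(reuse=True))
```

Whether the first line prints False depends on how quickly the kernel moves the closed connection into TIME_WAIT; the second line is True on FreeBSD and Linux because SO_REUSEADDR only relaxes the TIME_WAIT conflict, it does not let two live listeners share a port. A daemon that cannot set the option on its own sockets has to wait out the TIME_WAIT timer, which is the delay Ordoban describes.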



## Airost (Oct 23, 2017)

I have made some progress: I managed to start the service in the jail after creating the file ts3server.ini, but nobody can connect to that server. So again the firewall needs reconfiguring...


----------

