# jails and outgoing traffic ip



## miks (Jun 11, 2009)

My host has 2 public IPs (primary + 1 alias).
The aliased IP is used by a jail.
The problem is that all traffic is seen as coming from the primary address.
For example, if I telnet to some remote SMTP server from the jail, then in the remote server's log my IP is seen as the host's primary address, not the jail's (aliased) one.
Is there some way to correct it?


----------



## vivek (Jun 11, 2009)

That is weird, it should not use the primary IP. Do you have a firewall on the host that changes something, like NAT?


----------



## anomie (Jun 11, 2009)

From the host, post the output of `# ifconfig`


----------



## miks (Jun 12, 2009)

ifconfig: 

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
        ether 00:15:17:14:48:a6
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:0e:2e:8d:58:7e
        inet xxx.xxx.xxx.200 netmask 0xfffffff0 broadcast xxx.xxx.xxx.207
        inet xxx.xxx.xxx.201 netmask 0xffffffff broadcast xxx.xxx.xxx.201
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
```
ipfw:

```
00050 divert 8668 ip4 from any to any via re0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
```
I also have natd. natd.conf content:

```
same_ports yes
use_sockets yes
deny_incoming yes
log_ipfw_denied yes
log yes
dynamic yes
interface re0
```


----------



## vivek (Jun 12, 2009)

You are using NAT, so it is going to hide your real jail IP.


----------



## miks (Jun 13, 2009)

hmm, so it isn't possible for the box to act as a router and at the same time have a jail with its real IP in outgoing traffic?


----------



## vivek (Jun 13, 2009)

You can configure the firewall to exclude your 2nd public IP from NAT, provided that the 2nd IP can route traffic to the Internet.


----------



## miks (Jun 13, 2009)

Solved by adding `ipfw add 00010 skipto 100 ip4 from xxx.xxx.xxx.xxx to any`, where `xxx.xxx.xxx.xxx` is the second public IP, used by the jail.


----------
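The mechanism behind the fix is ipfw's first-match evaluation: rule 00050 diverts every IPv4 packet crossing `re0` to natd, so the jail's packets are rewritten to the primary address before they leave. A `skipto 100` rule numbered before the divert makes packets sourced from the jail's alias jump past it, while the host's own and forwarded LAN traffic still hit the divert and keep being NATed. The following is an added example, not code from the thread; it simulates ipfw's first-match and `skipto` semantics over the ruleset posted above, for only the rule syntax the thread uses. The masked addresses `xxx.xxx.xxx.200`/`.201` are replaced with constructed placeholders from the TEST-NET-3 documentation range, and the remote SMTP server address is likewise constructed.

```python
"""Simulate ipfw first-match evaluation for the ruleset posted in the thread.

Added example, not part of the original thread. Only the rule syntax that
appears in the thread (allow/deny/divert/skipto, ip/ip4, from/to, via) is
handled. A divert is treated as terminal here: in the real kernel the packet
is handed to natd and re-injected, but the question at hand is only whether
a packet reaches the divert socket at all.
"""
import ipaddress

HOST_IP = "203.0.113.200"    # constructed placeholder for the host's primary address
JAIL_IP = "203.0.113.201"    # constructed placeholder for the alias used by the jail
REMOTE_SMTP = "198.51.100.25"  # constructed placeholder for a remote SMTP server

# The ruleset as posted, with the masked addresses substituted.
RULESET_BEFORE = [
    "00050 divert 8668 ip4 from any to any via re0",
    "00100 allow ip from any to any via lo0",
    "00200 deny ip from any to 127.0.0.0/8",
    "00300 deny ip from 127.0.0.0/8 to any",
    "65000 allow ip from any to any",
    "65535 deny ip from any to any",
]

# The fix from the last post: bypass the divert rule for the jail's address.
RULESET_AFTER = [f"00010 skipto 100 ip4 from {JAIL_IP} to any"] + RULESET_BEFORE


def parse_rule(line):
    """Parse '<num> <action> [arg] <proto> from <src> to <dst> [via <iface>]'."""
    tokens = line.split()
    num, action = int(tokens[0]), tokens[1]
    arg, idx = None, 2
    if action in ("divert", "skipto"):   # these two carry a numeric argument
        arg, idx = int(tokens[2]), 3
    proto = tokens[idx]                  # 'ip' or 'ip4'; both mean IPv4 here
    if tokens[idx + 1] != "from" or tokens[idx + 3] != "to":
        raise ValueError(f"unsupported rule syntax: {line}")
    src, dst = tokens[idx + 2], tokens[idx + 4]
    rest = tokens[idx + 5:]
    iface = rest[1] if len(rest) >= 2 and rest[0] == "via" else None
    return {"num": num, "action": action, "arg": arg, "proto": proto,
            "src": src, "dst": dst, "iface": iface}


def addr_matches(spec, addr):
    """'any' matches everything; otherwise spec is a host or CIDR prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """A rule matches when its interface (if any) and both addresses match."""
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    return addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])


def evaluate(ruleset, pkt):
    """Return (rule_number, action) of the terminal rule for pkt.

    Rules are walked in numeric order; the first match decides, except that
    'skipto N' resumes evaluation at the first rule numbered >= N, exactly as
    ipfw does. Falls through to an implicit deny if no rule terminates.
    """
    rules = sorted((parse_rule(line) for line in ruleset), key=lambda r: r["num"])
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule_matches(rule, pkt):
            i += 1
            continue
        if rule["action"] == "skipto":
            target = rule["arg"]
            i = next((j for j, r in enumerate(rules) if r["num"] >= target), len(rules))
            continue
        return rule["num"], rule["action"]
    return None, "deny"


def outgoing(src, dst=REMOTE_SMTP, iface="re0"):
    """Build a constructed outbound packet leaving the public interface."""
    return {"src": src, "dst": dst, "iface": iface}


if __name__ == "__main__":
    for label, ruleset in (("before fix", RULESET_BEFORE), ("after fix", RULESET_AFTER)):
        for who, src in (("jail", JAIL_IP), ("host", HOST_IP), ("LAN client", "192.168.1.50")):
            num, action = evaluate(ruleset, outgoing(src))
            print(f"{label:10s} {who:10s} {src:15s} -> rule {num} {action}")
```

Running it shows the jail's packet terminating at `50 divert` before the fix (so natd rewrites its source to the primary address) and at `65000 allow` afterwards, while the host's own traffic and a forwarded LAN client still land on `50 divert`, which is why the box keeps working as a NAT router for everything except the jail's alias.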

