# Jail to Host networking - Gateway Question



## freebuser (Nov 1, 2022)

Hi All,

I think I have a unique scenario here:
1. Jails and host are set up with their own interfaces and ip through vnet (10.0.0.0/24)
2. Host has its own interface with IP 10.0.0.15
3. I also have a USB modem with ue0 and IP 192.168.8.*1* and associated lo0 192.168.8.*10 *(from netstat -r).

The issue is I am trying to send some shell commands to 192.168.8.*1* (USB modem gateway) so it can send and sms from jail.

However this is not working.

What is working so far:
1. I can ping to and from jail/host for both 10.0.0.15 and 192.168.8.*10* ips
2. Traceroute from jail (10.0.0.2) to 192.168.8.*10*

What is not working:
1. Cannot ping from jail (10.0.0.2) to ue0 (192.168.8.*1*) <-USB gateway.
2. Traceroute from jail (10.0.0.2) to 192.168.8.*1*


This setup is working on host (can send sms) without any problems.

I am guessing this is a gateway issue but not sure how to resolve this.


----------



## freebuser (Nov 3, 2022)

Alternative working solution:

caddy as a reverse_proxy server:

```
http://192.168.8.10 {

        bind 192.168.8.10
        # Set up a reverse proxy:
        reverse_proxy * 192.168.8.1 {
        header_up Host {http.reverse_proxy.upstream.host}


     }

}
```

added route to 192.168.8.10 thorugh 10.0.0.15 within jail.

Now I can send SMS through the USB 4G dongle from jail.


----------



## SirDice (Nov 3, 2022)

freebuser said:


> 2. Host has its own interface with IP 10.0.0.15
> 3. I also have a USB modem with ue0 and IP 192.168.8.*1* and associated lo0 192.168.8.*10 *(from netstat -r).


Can you show the relevant ifconfig(8) outputs? And I'd like to see the output from `netstat -rn` too.


----------



## freebuser (Nov 3, 2022)

SirDice said:


> Can you show the relevant ifconfig(8) outputs? And I'd like to see the output from `netstat -rn` too.



Host:

```
Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.0.1         UGS      ifhost
10.0.0.0/26      link#1             U        ifhost
10.0.0.15        link#1             UHS         lo0
127.0.0.1          link#11            UHS         lo0
192.168.8.0/24     link#2             U           ue0
192.168.8.10       link#2             UHS         lo0


ifhost: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        inet 10.0.0.15 netmask 0xffffffc0 broadcast 10.0.0.63
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 192.168.8.10 netmask 0xffffff00 broadcast 192.168.8.255
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
```

Jail:

```
webnet: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: bge1
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        inet 10.0.0.2 netmask 0xffffffc0 broadcast 10.0.0.63
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>


Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.0.1         UGS      webnet
10.0.0.0/26      link#3             U        webnet
10.0.0.2         link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0
192.168.8.0/24     10.0.0.15        UGS      webnet
```


----------



## SirDice (Nov 3, 2022)

Right. So traffic from the jail to 192.168.8.1 isn't working. Follow the routes. The jail sends this traffic to  10.0.0.15 because of the 192.168.8.0/24 -> 10.0.0.15 route. The 10.0.0.15 address (the host) receives this and sends it out on ue0 because 192.168.8.0/24 (and thus 192.168.8.1) is on that network. Packet probably arrives at the modem, but the modem doesn't know where to send the response back. It probably doesn't know where 10.0.0.2 is and will just chuck it out its default gateway. So you never get the responses back, thus no connection. Routes need to work both ways. Routes aren't 'remembered', all a router does is look at the destination address to see where to send it next, it doesn't record where it came from.

You probably need to add a static route on the modem, it needs to know it can find the 10.0.0.0/26 network behind 192.168.8.10.


----------



## freebuser (Nov 3, 2022)

SirDice said:


> Right. So traffic from the jail to 192.168.8.1 isn't working. Follow the routes. The jail sends this traffic to  10.0.0.15 because of the 192.168.8.0/24 -> 10.0.0.15 route. The 10.0.0.15 address (the host) receives this and sends it out on ue0 because 192.168.8.0/24 (and thus 192.168.8.1) is on that network. Packet probably arrives at the modem, but the modem doesn't know where to send the response back. It probably doesn't know where 10.0.0.2 is and will just chuck it out its default gateway. So you never get the responses back, thus no connection. Routes need to work both ways. Routes aren't 'remembered', all a router does is look at the destination address to see where to send it next, it doesn't record where it came from.
> 
> You probably need to add a static route on the modem, it needs to know it can find the 10.0.0.0/26 network behind 192.168.8.10.



Totally agree.
From curl, it even says it connects to 192.168.8.1 but nothing coming back.

Unfortunately, the modem is protected and unable to modify any setting in it (just the Huawei E3372-608 USB modem) .

If I could change the modem settings I would have set it to 10.0.0.0 subnet.


----------



## SirDice (Nov 3, 2022)

freebuser said:


> Unfortunately, the modem is protected and unable to modify any setting in it (just the Huawei E3372-608 USB modem) .


Then you will need to use NAT on ue0 and translate the 10.0.0.0/26 source addresses to 192.168.8.10.


----------



## freebuser (Nov 3, 2022)

SirDice said:


> Then you will need to use NAT on ue0 and translate the 10.0.0.0/26 source addresses to 192.168.8.10.



Can you please be a bit more specific.
Not sure how to achieve this.


----------



## freebuser (Nov 3, 2022)

Something like pf rdr..?


----------



## SirDice (Nov 3, 2022)

freebuser said:


> Can you please be a bit more specific.


It was extremely specific. 



freebuser said:


> Not sure how to achieve this.


With PF something like this would do it:

```
nat on ue0 from 10.0.0.0/26 to 192.168.8.10 -> (ue0)
```
(This is called a _source_ NAT because you're translating the _source_ address of a packet)




freebuser said:


> Something like pf rdr..?


PF's `rdr` is a _destination_ NAT. You are translating the _destination_ address of a packet.


----------



## freebuser (Nov 3, 2022)

SirDice said:


> It was extremely specific.
> 
> 
> With PF something like this would do it:
> ...



Almost perfect   


```
nat on ue0 from 10.0.0.0/26 to 192.168.8.1 -> (ue0)
```


----------

