# Series of Jails as Gateways/Tunnels ... Question re IP/netmasks



## BawdyAnarchist (Aug 13, 2020)

I'm creating a series of network gateway/tunnels with vnet and jails (FreeBSD 12.1p8).  The topology looks something like this:

NICjail:  Contains the physical NIC (igb0), bridge0, and epair members for connection to other tunnel jails (VPNs, Tor, I2P).
VPN1jail:  Connects to NICjail via epair.  Contains a bridge and epairs to connect to WORKjails for daily activities.
VPN2jail:  Same as VPN1, but for different identities purposes.
... And so on ...

No problems creating the jails or interfaces.  However, I'm a bit unsure about properly configuring the IP/netmask, whether I need to use NAT, or if I can just use my existing subnet address space.  For example, I set up the following:

NICjail:  igb0 has IP 192.168.1.11, and bridge0 has IP 192.168.1.12, with epair1a attached.
VPN1jail:  epair1b has 192.168.1.13 and bridge1 has IP 192.168.14, with epair2a attached.
WORKjail: epair2b has 192.168.1.15.  `traceroute 1.1.1.1` shows me hopping to 192.168.1.13 --> 192.168.1.11 --> 192.168.1.1(my physical router) --> internet --> 1.1.1.1

Tentatively, it appears that I have accomplished gateway isolation for WORKjail, forcing traffic through VPN1 --> NICjail.  Am I on the right track here?  Is this a reasonable way to configure the jail network topology and proceed with configuring packet filtering and setting up the VPN?  I'm not sure ... is it more secure to use NAT at each hop?  Or maybe further subnet the address space by doing something like:  NICjail: igb0 has IP 192.168.11/24, and bridge0 has IP 192.168.1.129/25.  Or even assigning something like 10.0.0.1/24 to bridge0. 

I have read through most of Michael Lucas Networking for SysAdmins book (and his Jails/FreeBSD books).  Still trying to get a handle on networking.  Any help is greatly appreciated.

EDIT:  I am actually completely unable thus far to even use a network like 10.0.0.1/24.  Any downstream jails on the 10.0.0.0/24 network are only able to ping back to 192.168.1.11 (igb0), but I have utterly failed to get them to ping to 192.168.1.1 (my router to the outside internet).  gateway_enable, net.inet.ip.forwarding=1, and default route 192.168.1.1 are set in the NICjail.  Do I have to do set up NAT on the NICjail?


----------



## BawdyAnarchist (Aug 19, 2020)

Updating my own post for posterity.  The answer to the above is that my router needs an IP table to my internal net at 10.0.0.0/24.  I decided to go with NAT instead of messing with my ISP owned router.  Also, my thinking is now that setting up gateways on the same subnet as my router is probably not as good as just NATing to my own subnet.  Otherwise, anyone else on my 192.168.100.0/24 network could theoretically find a path to my subnet jails, which I would like to keep as isolated as possible.  Packet filtering could also achieve this, but I think the more elegant solution is simply to NAT.  I get the added bonus of a more versatile internal network.


----------

