# Interjail access via public IPs



## Klinki (Jul 19, 2013)

FreeBSD 8.4-p1

Situation:

I have got one server with several jails and 4 routable external IPs.  Each jail runs one service.  I can access each service via the Internet as desired (e.g. a httpd server).  I can access each jail internally via a 10.0.0.0/24 network. Each jail has one internal IP.  I can download  files etc from the Internet (e.g.. Patches or ports).

But what I can not achieve is to download from one jail to a another jail via  `curl` and the public IP.  It says connection refused. 
`curl [url=http://myserver/somfile]http://myserver/somfile[/url]`

I can download using the mentioned URL above from my laptop at home with no problems.  I think I misconfigured something in my pf.conf.

Any ideas?

Here is my pf.conf:


```
#Interface declarations
ext_if="re0"
all_if="{re0, lo0}"

# Name and IP of our webserver
APACHE1_INTERNAL="10.10.10.1"
APACHE1_EXTERNAL="1.2.3.4"

APACHE2_INTERNAL="10.10.10.2"
APACHE2_EXTERNAL="1.2.3.5"


internal_net= "10.10.10.0/24"

# open ports
tcp_pass = "{ 53 223 }"
udp_pass = "{ 53 223 }"
icmp_type = "echoreq"

### Normalisation
scrub in all

# Allow traffic from apache1 jail to the Internet
nat on $ext_if from $APACHE1_INTERNAL to any -> $APACHE2_EXTERNAL
# Allow traffic from apache2 jail to the Internet
nat on $ext_if from $APACHE2_INTERNAL to any -> $APACHE2_EXTERNAL

### Tables
table <rfc1918> persist
table <spamd> persist
table <spamd-white> persist
table <whitelist> persist file "/etc/pf_files/whitelist.lst"
table <blacklist> persist file "/etc/pf_files/blacklist.lst"
#table <ssh_allowed> persist
table <sshguard> persist
table <internal_net> { 10.10.10.0/24 }
#table <bruteforce> persist

### Forward http traffic to apache1
rdr on $ext_if proto tcp from any to $APACHE1_EXTERNAL port http -> $APACHE1_INTERNAL port http
rdr on $ext_if proto tcp from any to $APACHE1_EXTERNAL port https -> $APACHE1_INTERNAL port https

### Forward http traffic to apache2
rdr on $ext_if proto tcp from any to $APACHE2_EXTERNAL port http -> $APACHE2_INTERNAL port http
rdr on $ext_if proto tcp from any to $APACHE2_EXTERNAL port https -> $APACHE2_INTERNAL port https
```


----------



## SirDice (Jul 24, 2013)

The problem is NAT and can't easily be solved. The packets get NAT'ed and travel out $ext_if. To make a connection back in the same interface and being redirected. Because the outside address is on $ext_if the packets never leave the interface so they never get translated.


----------



## Klinki (Jul 24, 2013)

That is what I would have guessed too - but I got a tip for a very easy solution: just add the public DNS name of the domain I want to access to the /etc/hosts of the jail I want to access from. It is so simple, sometimes one can't solve the easiest problems cause one things to complicated.


----------

