# "Hybrid" jail with two IPs and VPN



## nbari (Aug 18, 2011)

I have a server with 2 network interfaces: *bge1* with 3 public routable IPs and *bge0*, internal private *172.16.1.1*, with a few aliases (172.16.1.2, 172.16.1.3, 172.16.1.4, etc.).

The master server (FreeBSD 8.1) hosts 2 types of jails: ones that contain a public IP so they can be reached over the internet without needing NAT, and others on a private segment, which need NAT to reach the internet.

On the same master server I have an IPSEC VPN that reaches network *10.0.1.0/24*, so all traffic from jails with IPs *172.16.1.X* can ping/connect/telnet/ssh to machines on network *10.0.1.0/24*.


```
Internet
    |
    |
SERVER  ---> private jails with NAT bge1 ---> 172.16.1.0/24  <---/ VPN network/ ---> 10.0.1.0/24 ---< Internet
    | -----> public jails 89.181.195.X
```

So far everything works fine: jails with public IPs can be reached from the internet without problem, and jails with private IPs can be reached over NAT and can also reach the external network via IPSEC.

But my problem begins when I try to create a 'hybrid' jail, I mean a jail that has a primary routable public IP and a private IP.

The /etc/rc.conf part containing the jail configuration looks like this:


```
jail_ddns_rootdir="/jails/ddns/"
jail_ddns_hostname="ns1.ddns.mx"
jail_ddns_ip="89.181.195.154,172.16.1.3"
```

And the output of the ifconfig command inside the jail looks like this:


```
> ifconfig 
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:1e:c9:e1:ad:18
        inet 172.16.1.3 netmask 0xffffffff broadcast 172.16.1.3
        media: Ethernet autoselect (none)
        status: no carrier
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:1e:c9:e1:ad:16
        inet 89.181.195.154 netmask 0xffffffff broadcast 89.181.195.154
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

Within the jail, I can ping the internal network *172.16.1.X* and I can still access the jail via ssh on the public IP, but what I can't do is reach the network *10.0.1.0/24*.

```
bge0 172.16.1.3   -----> 172.16.1.1 --/  unreachable /-- 10.0.1.0/24
bge1 89.181.195.154  ---> any
```

Any ideas for solving this? I am afraid that this won't be possible since IPsec cannot go under NAT, but please correct me if I am wrong.


----------



## Orum (Sep 4, 2011)

It could be something as simple as lacking an entry in your routing table.  What does `netstat -nr` show?


----------



## nbari (Sep 5, 2011)

After restarting the jails and properly specifying the origin with something like:


```
ping -S 172.16.1.3 10.0.1.3
```

I got it to work.
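An added example (my own, not from the thread or from FreeBSD's source) that models why the unbound socket failed and why `-S` fixed it: a jailed socket gets a jail address on the outgoing interface of the matching route, so traffic to 10.0.1.0/24 via the default route leaves with the public IP, which does not match the IPsec policy. The routing table, per-interface addresses and SPD entry are assumptions constructed from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's setup; this is not FreeBSD kernel code.
JAIL_IPS = ["89.181.195.154", "172.16.1.3"]  # jail_ddns_ip order; first is primary

# Assumed host routing table, (destination, interface), as netstat -nr would show it.
ROUTES = [
    ("172.16.1.0/24", "bge0"),
    ("89.181.195.0/24", "bge1"),
    ("0.0.0.0/0", "bge1"),  # default route out the public NIC
]
# Assumed addresses configured on each host interface (aliases included).
IFACE_ADDRS = {
    "bge0": ["172.16.1.1", "172.16.1.2", "172.16.1.3", "172.16.1.4"],
    "bge1": ["89.181.195.154"],
}
# Assumed IPsec SPD: only the private segment is tunnelled to the VPN network.
SPD = [("172.16.1.0/24", "10.0.1.0/24")]


def route_iface(dst):
    """Longest-prefix match over ROUTES; returns the outgoing interface."""
    d, best, iface = ip_address(dst), None, None
    for net, ifn in ROUTES:
        n = ip_network(net)
        if d in n and (best is None or n.prefixlen > best.prefixlen):
            best, iface = n, ifn
    return iface


def jail_source(dst, explicit=None):
    """Source address an unbound jail socket gets (simplified FreeBSD 8 rule):
    a jail-owned address on the route's interface, else the jail's primary
    address. `explicit` models `ping -S` / bind() to a specific jail IP."""
    if explicit is not None:
        if explicit not in JAIL_IPS:
            raise ValueError("%s is not assigned to the jail" % explicit)
        return explicit
    for addr in IFACE_ADDRS[route_iface(dst)]:
        if addr in JAIL_IPS:
            return addr
    return JAIL_IPS[0]


def ipsec_covered(src, dst):
    """True if the (src, dst) pair matches an SPD entry and will be tunnelled."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in SPD)


def reaches_vpn(dst, explicit=None):
    """Return (chosen source, whether the flow is protected by the SPD)."""
    src = jail_source(dst, explicit)
    return src, ipsec_covered(src, dst)
```

Calling `reaches_vpn("10.0.1.3")` yields the public source and no SPD match, while `reaches_vpn("10.0.1.3", "172.16.1.3")` yields the private source and a match, which is the difference the `-S` flag made.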


----------

