# Multiple Jails - Communication with each other



## rghq (Aug 22, 2009)

It's quite easy to do a multi-Jail setup and let the Jails communicate with each other, for example connecting to a DB running in another Jail.
First we create interfaces for the Jails in /etc/rc.conf:


```
cloned_interfaces="lo1 lo2 lo3 lo4"
ifconfig_lo1="inet 127.0.10.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 127.0.10.2 netmask 255.255.255.0"
ifconfig_lo1_alias1="inet 127.0.10.3 netmask 255.255.255.0"
ifconfig_lo1_alias2="inet 127.0.10.4 netmask 255.255.255.0"
ifconfig_lo2="inet 127.0.20.1 netmask 255.255.255.0"
ifconfig_lo3="inet 127.0.30.1 netmask 255.255.255.0"
# each cloned interface needs its own address; lo4 carries the www Jail's 127.0.40.1
ifconfig_lo4="inet 127.0.40.1 netmask 255.255.255.0"
```

So we would have 127.0.10.1, .2, .3 and .4, plus three more interfaces, with one IP (or, since FreeBSD 7.2, multiple IPs) for each Jail.

Then we enable IP forwarding so that the internal routing over the interfaces works:


```
gateway_enable="YES"
```

And finally, using PF, we first define which interfaces and IPs are used:


```
interface_db="lo1"
interface_imap="lo2"
interface_mail="lo3"
# the www Jail lives on lo4 (127.0.40.1); lo3 belongs to the mail Jail
interface_www="lo4"

db_ip="127.0.10.1"
imap_ip="127.0.20.1"
mail_ip="127.0.30.1"
www_ip="127.0.40.1"
```

to then add the rules:


```
pass in quick on { $interface_db $interface_mail } proto tcp from { $db_ip $mail_ip } to { $db_ip $mail_ip } port 3306

pass out quick on { $interface_db $interface_mail } proto tcp from { $db_ip $mail_ip } to { $db_ip $mail_ip } port 3306
```

This would allow the Mail and the DB Jail to connect to each other on port 3306.

When using, for example, a webmail system that needs to access the IMAP server and send mail as well:


```
pass in quick on { $interface_imap $interface_www } proto tcp from { $imap_ip $www_ip } to { $imap_ip $www_ip } port 143
pass in quick on { $interface_mail $interface_www } proto tcp from { $mail_ip $www_ip } to { $mail_ip $www_ip } port 25

pass out quick on { $interface_imap $interface_www } proto tcp from { $imap_ip $www_ip } to { $imap_ip $www_ip } port 143
pass out quick on { $interface_mail $interface_www } proto tcp from { $mail_ip $www_ip } to { $mail_ip $www_ip } port 25
```

And so on. If something doesn't work as expected, running tcpdump on pflog (if pflog is active) helps with debugging and finding out what's wrong.

And for the PF experts - I know these rules can be optimized - it's just an example.
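The pf rules above are written by hand for each pair of Jails, which is how the interface, address and direction in a rule drift apart. The following script is an added example and not part of the post: it keeps the Jail names, interfaces and addresses from the post in one table, derives the PF macros and a default-deny ruleset from it, and refuses to emit anything when two interfaces have been given the same address. The flow table (which Jail may open which port on which other Jail) is an assumption chosen to match the post's three rule pairs; `flags S/SA keep state` is used so that only the client side needs a rule and reply packets are matched by state.

```shell
#!/bin/sh
# Added example: generate a default-deny pf.conf for loopback-backed Jails
# from a single table. Names, interfaces and addresses are constructed to
# mirror the post above; the flow table is an assumption.

# jail table: name interface address (constructed to match the post)
JAILS='db   lo1 127.0.10.1
imap lo2 127.0.20.1
mail lo3 127.0.30.1
www  lo4 127.0.40.1'

# allowed flows: client_jail server_jail tcp_port (assumed)
FLOWS='mail db   3306
www  imap 143
www  mail 25'

# jail_field NAME COLUMN -> the requested column of that jail's row
jail_field() {
    printf '%s\n' "$JAILS" | awk -v n="$1" -v c="$2" '$1 == n { print $c }'
}

# Fail when one address is assigned to more than one interface; ifconfig
# would reject the second assignment and the rules would silently not match.
check_unique_addrs() {
    dup=$(printf '%s\n' "$JAILS" | awk '{ print $3 }' | sort | uniq -d)
    [ -z "$dup" ] || { echo "duplicate address: $dup" >&2; return 1; }
}

# flow_rules CLIENT SERVER PORT -> pass in/out on both interfaces for the
# client opening TCP to the server's port; state covers the replies.
flow_rules() {
    printf 'pass in quick on { $%s_if $%s_if } proto tcp from $%s_ip to $%s_ip port %s flags S/SA keep state\n' \
        "$1" "$2" "$1" "$2" "$3"
    printf 'pass out quick on { $%s_if $%s_if } proto tcp from $%s_ip to $%s_ip port %s flags S/SA keep state\n' \
        "$1" "$2" "$1" "$2" "$3"
}

# Whole ruleset: macros, a default block, then one rule pair per flow.
gen_pf_conf() {
    check_unique_addrs || return 1
    printf '%s\n' "$JAILS" | awk '{ printf "%s_if=\"%s\"\n%s_ip=\"%s\"\n", $1, $2, $1, $3 }'
    echo 'block log all'
    printf '%s\n' "$FLOWS" | while read -r client server port; do
        flow_rules "$client" "$server" "$port"
    done
}

# sh jailpf.sh --print writes the ruleset and, where pfctl exists, syntax-checks it.
case "${1:-}" in
    --print)
        gen_pf_conf > /tmp/pf.jails.conf || exit 1
        if command -v pfctl >/dev/null 2>&1; then pfctl -nf /tmp/pf.jails.conf; fi
        cat /tmp/pf.jails.conf
        ;;
esac
```

Run it with `--print` on the Jail host, then load the result with `pfctl -f` once `pfctl -nf` is clean; anything that is not in the flow table is now blocked and logged, so a missing flow shows up on pflog rather than simply working by accident.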


----------



## vivek (Aug 23, 2009)

I've been doing this for ages without using pf, with private IP ranges. Not sure why you are adding pf here...


----------



## SirDice (Aug 23, 2009)

Why are you using different subnets? Just use the same subnet and there's no need for complicated routing.


----------

