# Routing Bastille Jails with loopback (bastille0) strategy to Tailscale Network



## srey (Aug 14, 2022)

Hi!

I've been an Ubuntu user for a long time, but I chose FreeBSD for my homelab because of stability, security and learning, but also to jump into a new rabbit hole during the summer...

I summarize my objectives in one big diagram, with (fake) IPs to represent the routing.

In two words, I have:
- one machine running FreeBSD 13.1 at home, a tiny machine (Dell Small Form Factor / homelab), on my home network 192.168.1.xx with gateway 192.168.1.254, running Bastille jails using a loopback strategy on interface bastille0
- one VPS that runs Ubuntu and Docker containers on a Docker network (webnetwork bridge) 172.17.0.1/16

With Tailscale VPN (overlay network tailscale0) installed on these two machines, they exist on the same network as 100.121.116.111 (homelab) and 100.64.200.29 (vps).

I imagine that both types of containers are:

- a) exposed on the Tailscale network, and
- b) exposed to the internet with a reverse proxy (Traefik in a Docker container) that listens on the public IP (135.180.90.110)


Everything runs well with Bastille; using RDR rules, I see that jails are well exposed to localhost (127.0.0.1) on my homelab.

For example, I'm running a PhotoPrism jail exposed on 2342, and `sockstat` on the homelab returns:



> root     photoprism 70095 7  tcp4   127.0.0.1:2342        *:*



But there is something I don't understand: how could I redirect localhost to the Tailscale network? In other words, make 127.0.0.1:2342 on lo0 the same as 100.121.116.111:2342 on tailscale0.

Actually this is not the case: 100.121.116.111:2342 is not accessible. I don't understand how to reroute lo0 to tailscale0.

In my mind, after that I could redirect traffic to the Tailscale IP using the Traefik reverse proxy without too much trouble.

Because I'm a beginner in the FreeBSD/pf world, and know only the basics of routing in general, I don't know if this is the right way to expose things.

The command `netstat -rn` returns:



> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.1.254      UGS         re0
> 10.0.0.1           link#3             UH     bastille
> ...

`bastille rdr photoprism list` returns:

> rdr pass on re0 inet proto tcp from any to any port = 2342 -> 10.0.0.1 port 2342



`ifconfig -a` returns the multiple interfaces:



> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
> ether c0:25:a5:86:18:33
> inet6 fe80::c225:a5ff:fe86:1833%re0 prefixlen 64 scopeid 0x1
> ...



pf.conf


> ext_if="re0"
> 
> set block-policy return
> scrub in on $ext_if all fragment reassemble
> ...



rc.conf


> clear_tmp_enable="YES"
> syslogd_flags="-ss"
> sendmail_enable="NONE"
> hostname="xxx"
> ...



I use Ansible, following the great work of eoli3n (https://eoli3n.eu.org/2021/06/14/jails-part-3.html), to do all of this:

/etc/devfs.rules



> <!-- BEGIN ANSIBLE MANAGED vnet -->
> [bastille_vnet=13]
> add path 'bpf*' unhide
> <!-- END ANSIBLE MANAGED vnet -->

Thanks for your help!


----------
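An added example, not part of srey's post and not Bastille's own code. The rule shown by `bastille rdr photoprism list` is bound to `re0`, so pf only rewrites packets that arrive on the LAN interface; a connection to 100.121.116.111:2342 arrives on `tailscale0` and matches no translation rule, which is why the jail is unreachable there. The script below emits one `rdr pass` rule per interface for the loopback-strategy jail, restricts the `tailscale0` rule's source to Tailscale's 100.64.0.0/10 address block so only tailnet peers reach the jail that way, and syntax-checks the result with `pfctl -nf -` without loading it. The jail address 10.0.0.1, port 2342 and the interface names are taken from the post; the function names and the CGNAT source restriction are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post or from Bastille): generate pf
# rdr rules that expose a loopback-strategy (bastille0) jail on chosen
# interfaces. Assumed values: jail IP 10.0.0.1, port 2342 and the interface
# names re0/tailscale0 from the post; pf's "(ifname)" syntax for "the
# address currently assigned to ifname".

set -eu

# Emit one "rdr pass" rule per interface, redirecting TCP traffic that
# arrives at that interface's own address to the jail address.
# Usage: jail_rdr_rules JAIL_IP PORT IFACE [IFACE...]
jail_rdr_rules() {
    jail_ip=$1
    port=$2
    shift 2
    for ifc in "$@"; do
        case $ifc in
            tailscale0)
                # Tailscale assigns addresses from the CGNAT block
                # 100.64.0.0/10; only tailnet peers should hit this rule.
                src="100.64.0.0/10" ;;
            *)
                # Any other interface (e.g. the LAN side, re0) is left open
                # to any source, matching what the post's rule does.
                src="any" ;;
        esac
        printf 'rdr pass on %s inet proto tcp from %s to (%s) port %s -> %s port %s\n' \
            "$ifc" "$src" "$ifc" "$port" "$jail_ip" "$port"
    done
}

# Parse the generated rules with pfctl in dry-run mode (-n) so nothing is
# loaded into the kernel; on a host without pfctl just print them.
check_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        jail_rdr_rules "$@" | pfctl -nf -
    else
        jail_rdr_rules "$@"
    fi
}

# Example: expose the photoprism jail on the Tailscale side only.
check_rules 10.0.0.1 2342 tailscale0
```

On FreeBSD 13's pf the translation rules must come before the filter rules in `/etc/pf.conf`, and `rdr pass` both translates and passes the matching packets, so no separate `pass in on tailscale0` rule is needed for this port. Only add `re0` to the interface list if you really want the jail reachable from the whole home LAN; the Tailscale-only rule is the smaller exposure.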

