iocage NAT cli?

Status
Not open for further replies.

eminguez

Cadet
Joined
Aug 13, 2018
Messages
3
My LAN is 192.168.1.0/24 and I want to be able to create jails:
  • in that LAN's address range (so reachable from the LAN), but also
  • 'internal'-only jails (like 10.0.2.1/24) that are not reachable from the LAN but NATed to the outside world (so they can reach out to the internet and LAN services but not vice versa, unless I specifically want to forward ports, which I don't at the moment)
For the LAN-address jails it is straightforward when using the GUI and reading the docs, but for the NATed jails I've only been able to do it with the following jail settings:
  • IPv4: 10.0.2.99 (some IP I choose)
  • IPv4 netmask: /24
  • IPv4 bridge: 10.0.2.1
  • IPv4 bridge netmask: /24
  • IPv4 default gateway: 10.0.2.1 (bridge IP)
  • Sysctls: "allow.raw_sockets=true" (configured automatically by FreeNAS)
  • Marked 'VIMAGE'
  • Marked 'NAT'
Under the hood I've seen in /mnt/storage/jails/.jailname/ there are some files created with those settings as well as firewall rules created automatically for NAT (ipfw list):

Code:
00300 nat 100 IP from 10.0.2.99 to any out xmit bge0


Now my question is, how do I translate that into iocage commands? I've been looking in the new UI and reading the iocage readthedocs site but couldn't find any parameter to specify those settings...

Thanks!!!
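For reference, the manual equivalent of the warden settings listed above, built as a second (private) bridge plus an ipfw NAT instance, expressed as an added example script. This is not code from the original post or from the iocage project; it assumes the uplink name bge0 from the quoted ipfw rule, a hypothetical private bridge bridge1 carrying 10.0.2.1/24, a hypothetical jail name natjail, and a FreeBSD release string that you would replace with whatever `iocage fetch` pulled. The iocage properties used (vnet, interfaces, ip4_addr, defaultrouter, allow_raw_sockets) are standard iocage jail properties; the NAT itself is done outside iocage with ipfw, exactly as warden did it. By default the script only prints the commands; set APPLY=1 to execute them as root.

```sh
#!/bin/sh
# Added example (not from the original post): NAT for an iocage VNET jail
# that lives on its own private bridge instead of the LAN bridge.
# Assumed/hypothetical names: bge0 (uplink), bridge1, 10.0.2.0/24, natjail.
set -eu

UPLINK="${UPLINK:-bge0}"            # interface with the LAN/internet route
PRIV_BRIDGE="${PRIV_BRIDGE:-bridge1}"  # private bridge, NOT connected to bge0
PRIV_GW="${PRIV_GW:-10.0.2.1}"      # host-side address on the private bridge
PRIV_NET="${PRIV_NET:-10.0.2.0/24}" # private jail subnet
JAIL_IP="${JAIL_IP:-10.0.2.99}"
JAIL_NAME="${JAIL_NAME:-natjail}"
RELEASE="${RELEASE:-11.1-RELEASE}"  # whatever 'iocage fetch' gave you
NAT_ID="${NAT_ID:-100}"
PREFIX=$(printf '%s' "$PRIV_NET" | cut -d/ -f2)

# Host side: create the private bridge, turn the host into a router for it,
# and add an ipfw NAT instance bound to the uplink. Rule 300 translates the
# whole private subnet on the way out (the warden rule quoted above only
# covered one address); rule 301 untranslates replies coming back in.
# Because bridge1 is never added to bge0, 10.0.2.0/24 is invisible from the
# LAN unless you explicitly add 'redirect_port' entries to the nat config.
gen_host_cmds() {
    cat <<EOF
ifconfig $PRIV_BRIDGE create
ifconfig $PRIV_BRIDGE inet $PRIV_GW/$PREFIX up
sysctl net.inet.ip.forwarding=1
kldload ipfw_nat || true
ipfw nat $NAT_ID config if $UPLINK same_ports
ipfw add 300 nat $NAT_ID ip from $PRIV_NET to any out xmit $UPLINK
ipfw add 301 nat $NAT_ID ip from any to any in recv $UPLINK
EOF
}

# Jail side: the iocage translation of the GUI fields in the post.
#   VIMAGE            -> vnet=on
#   IPv4 bridge       -> interfaces="vnet0:bridge1" (which bridge vnet0 joins)
#   IPv4 + netmask    -> ip4_addr="vnet0|10.0.2.99/24"
#   default gateway   -> defaultrouter=10.0.2.1 (the host's bridge address)
#   allow.raw_sockets -> allow_raw_sockets=1
gen_jail_cmds() {
    cat <<EOF
iocage create -n $JAIL_NAME -r $RELEASE vnet=on interfaces="vnet0:$PRIV_BRIDGE" ip4_addr="vnet0|$JAIL_IP/$PREFIX" defaultrouter=$PRIV_GW allow_raw_sockets=1
iocage start $JAIL_NAME
EOF
}

# Quick sanity check on the generated ruleset: every ipfw rule must name the
# uplink and the NAT instance, otherwise traffic would leave untranslated.
check_rules() {
    gen_host_cmds | grep '^ipfw add' | grep -v "nat $NAT_ID" | grep -vq "$UPLINK"
    # grep -vq succeeds when a bad line exists, so invert its result
    if gen_host_cmds | grep '^ipfw add' | grep -vq "nat $NAT_ID .* $UPLINK"; then
        echo "bad rule"; return 1
    fi
    echo "ok"
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_host_cmds | sh -ex
    gen_jail_cmds | sh -ex
else
    echo "# dry run; set APPLY=1 to execute as root"
    gen_host_cmds
    gen_jail_cmds
fi
```

The important design point is that the jail's vnet0 is attached to bridge1, not to the bridge that carries bge0: that isolation, not the NAT rule, is what keeps the 10.0.2.0/24 jails unreachable from the LAN. Port forwards, when you do want them, go into the `ipfw nat 100 config` line as `redirect_port` entries rather than into the jail config. Note that FreeNAS already loads ipfw with a default-allow policy; on a host where the default rule is deny you would also need explicit allow rules for the bridge traffic.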
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
This would be considered an ADVANCED network setup. You would need a second bridge connecting your PATed jails to that, and manually configure pf to perform PAT from the main bridge to the new one. You probably also need a jail for a DHCP server and maybe, depending on your DNS needs, a DNS forwarder at the least.
Note: Yes, I said PAT and not NAT. What you want is port address translation. That's what most SOHO routers do.
Edit: Also, yes, most people refer to PAT as plain NAT and it drives me nuts. Just like bandwidth. Bandwidth is not your speed. It's the frequency range that you are able to modulate data onto. More bandwidth generally means higher capacity for THROUGHPUT, the correct term.
 

short-stack

Explorer
Joined
Feb 28, 2017
Messages
80
It would be fairly in-depth and difficult to do this with jails, but Docker does this out of the box, so look at the doc about installing the new Docker RancherOS VM. It might be a lot easier to achieve/maintain.


 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
You might also look into something designed for this kind of flexibility and not something designed for storage.
 

eminguez

Cadet
Joined
Aug 13, 2018
Messages
3
You might also look into something designed for this kind of flexibility and not something designed for storage.
But the point is it works with the current warden jails and I am looking at how to do it with the new iocage tool instead...

 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Yeah the new UI and jail system seem to have numerous functionality regressions.
 

RegularJoe

Patron
Joined
Aug 19, 2013
Messages
330
Hypervisors have had this for a decade or two, not uncommon. Three roles are needed:
Bridged
routed
natted

that means that we need a software switch and a software router.... VMware ESXi does a great job but it will not boot my IOCage jails in 1 second... LOL
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
hypervisors have had this for a decade or two, not uncommon. Three roles are needed:
Bridged
routed
natted

that means that we need a software switch and a software router.... VMware ESXi does a great job but it will not boot my IOCage jails in 1 second... LOL
We don't need routing or NAT. vSphere doesn't bother with this either. You should still be using a separate router for all of that. If you need one, install one in a jail or VM. All we need is a UI for managing the bridges and VLANs. They could do some abstraction and call it a virtualized switch, but I don't think the more experienced users would like that.
 