Jail NAT Port Forward

Status
Not open for further replies.

ipburbank

Cadet
Joined
Jun 24, 2013
Messages
9
Hello,

I've set up a jail on my FreeNAS box and used the NAT option since my network wouldn't allow a non-dhcp device on. This works great. Now I want to forward a port onto that bridged adapter. How can I do this?

e.g.: www.myfreenasbox.com:8080 ought to be handled by port 80 on my jail which is running a web server.

Istvan.
 

DrumNBisco

Dabbler
Joined
Nov 5, 2013
Messages
15
Can you hit the webserver fine from another machine on your local network? Have you configured port forwarding in your router? If so, it should work fine; I forward port 4040 for my Subsonic jail and can access it from outside my network just fine.

Although it's unlikely, it's possible that port 8080 is blocked by your ISP. Have you tried any other ports other than 8080?
 

ipburbank

Cadet
Joined
Jun 24, 2013
Messages
9
Hello DrumNBisco,
thanks for the reply. Perhaps I was unclear about the problem: I'm not looking to forward the port into my LAN from the WAN, but rather from my LAN into the Jail.
 

DrumNBisco

Dabbler
Joined
Nov 5, 2013
Messages
15
IPBurbank,
not your fault at all, I understand what you're trying to do now. From what I read after a brief Google search regarding BSD jails and NAT port forwarding, it looks like it would require some manual configuration via command line/editing some config files in FreeNAS. I didn't see any options for it in the FreeNAS web GUI.

Have you done any additional research on this and tried anything else? Can you provide any specifics on the jail and web server? I'm willing to dig a little more into this and see if I can get it working on a FreeNAS VM with similar jail config.
 

ipburbank

Cadet
Joined
Jun 24, 2013
Messages
9
Hello,
below is a screenshot of my configuration. Unfortunately many of these configurations aren't available for other jail templates, including Ubuntu.

In general, I'm looking for a way to connect to a Jail on a network that doesn't allow DHCP. If there is a solution that applies to Ubuntu images too it would be great.

oAvkJ6o.png


Thanks,
Istvan.
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
You have 192.168.1.1 under bridge address.. Is this correct? Do not want it as the default gateway? If you have a router I don't think NAT is required.. Set up a dynamic DNS service.. Then you can have an address like myfreenasbox.com:4334 pointing to your https on internal network etc.. Requires you to change settings on router etc..

Just remember opening up your box or having dns access/gateway to the outside could put your box at risk..
 

SeaFox

Explorer
Joined
Aug 6, 2013
Messages
98
@IPBurbank: Keep in mind you DON'T want DHCP if you want to be able to reach something reliably on your network by IP.

It would help if you clarified what you meant earlier when you said "my network wouldn't allow a non-dhcp device on". How do you physically connect to the Internet? Do you connect directly to your Internet service with your computers (like to LAN ports in each room of a university housing or apartment), or do you have a router of your own? Do you receive a public IP address on your own device, or do you get a routed (NAT) IP address on your service?

The IP addresses the Jails use come from the same source as the FreeNAS server gets its IP from normally. You would really want a router of your own that you can control involved in this. You can then set up static IPs for FreeNAS and each of the Jails. It looks like you're trying to do that from the settings you posted, except Yatti is right, you need to have the 192.168.1.1 listed as the IPv4 default gateway if that is the IP of your router, and uncheck the NAT checkbox. Once everything is set up with static IPs (on YOUR network side), you can have FreeNAS talk to a DDNS service and set up port forwards on your router to whatever machine/Jail they need to go to.
 

ipburbank

Cadet
Joined
Jun 24, 2013
Messages
9
Hello,
Thank you both for the advice. Here is a more detailed description of my network setup:

I am on a network administered by Cornell. They provide a 10.x.x.x address. The default gateway is: 10.32.148.1 - Addresses are given by DHCP only. A device whose IP wasn't given by the DHCP server can't pass any traffic over the network.

As per this link I believe that Jails can't receive DHCP addresses, therefore they can't be addressable on the network. My solution to this was to try to put the jails on a bridged network within my NAS and then forward myNas.someddns.com:8080 to a jail's port 80 for example. I know that on Linux this is possible with some configuration, but I have not been able to do that successfully on BSD/FreeNAS.

If there is no way to accomplish this I will go get my own router and do the static IP/port-forward as you suggested.

Istvan.
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
> As per this link I believe that Jails can't receive DHCP addresses, therefore they can't be addressable on the network.

That only applies to regular jails that share the network interface with the host. With VIMAGE you get a virtual network interface that should be able to receive a DHCP address. Uncheck the NAT option, but keep VIMAGE checked. Then run "ifconfig" in the jail to get the name of the virtual interface (it's epair0b in the first jail) and then run (again in the jail) "dhclient epair0b".

> My solution to this was to try to put the jails on a bridged network within my NAS and then forward myNas.someddns.com:8080 to a jail's port 80 for example. I know that on Linux this is possible with some configuration, but I have not been able to do that successfully on BSD/FreeNAS.

FreeNAS is using ipfw to provide the NAT for jails. It's a full-fledged stateful firewall / packet filter so you should be able to configure it to forward the connection. Check the documentation: https://www.freebsd.org/cgi/man.cgi?query=ipfw
 

SeaFox

Explorer
Joined
Aug 6, 2013
Messages
98
@ipburbank: I would think getting a router anyway in your situation might be a good idea to keep the rest of Cornell off your NAS services that aren't meant to be public. I'm not sure how DDNS works as far as traversing through the Cornell NAT so the public IP routes to you, though. Maybe Dusan can shed some light on that?

@Dusan: Is FreeNAS itself providing the ipfw? I was trying to set up a web server in a jail awhile back (using a Standard jail) and found I could not configure ipfw on it -- turns out it is because ipfw was purposely left out of the kernel on the build used for the jails.
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
> @ipburbank: I would think getting a router anyway in your situation might be a good idea to keep the rest of Cornell off your NAS services that aren't meant to be public. I'm not sure how DDNS works as far as traversing through the Cornell NAT so the public IP routes to you, though. Maybe Dusan can shed some light on that?

Sorry, no idea.

> @Dusan: Is FreeNAS itself providing the ipfw? I was trying to set up a web server in a jail awhile back (using a Standard jail) and found I could not configure ipfw on it -- turns out it is because ipfw was purposely left out of the kernel on the build used for the jails.

It was not included before, but it is included in the recent versions. The kernel is now compiled with these options:
Code:
options        IPDIVERT
options        IPFIREWALL
options        IPFIREWALL_VERBOSE
options        IPFIREWALL_FORWARD
options        IPFIREWALL_DEFAULT_TO_ACCEPT
options        IPFIREWALL_NAT
options        DUMMYNET
options        LIBALIAS

So, you basically get the whole enchilada. I'm not sure it makes sense to run it inside a jail. You should configure ipfw on the "host" (FreeNAS).

Btw. I tried running dhclient in a VIMAGE jail and it did receive a DHCP address.
 

ipburbank

Cadet
Joined
Jun 24, 2013
Messages
9
> That only applies to regular jails that share the network interface with the host. With VIMAGE you get a virtual network interface that should be able to receive a DHCP address. Uncheck the NAT option, but keep VIMAGE checked. Then run "ifconfig" in the jail to get the name of the virtual interface (it's epair0b in the first jail) and then run (again in the jail) "dhclient epair0b".

This worked great for my standard Jail! Many thanks.

Unfortunately I had less luck when using an Ubuntu jail.

My config:
RVrDUjt.png

My error:
VUtFcqz.png


Thanks again,
Istvan.
 
Joined
Oct 1, 2014
Messages
2
Hi,

Just wanted to add that I had the same problem as well. Within Jail I had no connection.

Code:
That only applies to regular jails that share the network interface with the host. With VIMAGE you get a virtual network interface that should be able to receive a DHCP address. Uncheck the NAT option, but keep VIMAGE checked. Then run "ifconfig" in the jail to get the name of the virtual interface (it's epair0b in the first jail) and then run (again in the jail) "dhclient epair0b".


This definitely worked for me too.
Thank you!
 
Joined
Jan 18, 2016
Messages
2
Hello, all.

I have a similar situation, but I do not think it can be resolved in the same way as ipburbank's.

I have a FreeNAS server (v9.3-stable) with a single, statically allocated external IP address. There is no DHCP server. The server is in a datacenter, so installing custom routers is not possible.

I need to create a jail on the FreeNAS server, install a database on the jail, and then have that database be externally accessible. I feel like it ought to be possible to invoke some arcane ipfw command to accomplish this, but I can't figure it out for the life of me.

Some more details:

The FreeNAS server is 192.168.24.42. I have created a jail on the server, and using the NAT option during jail creation, have given it the (fake) IP address of 192.168.24.43. (This worked fine; from within the jail I can connect to anywhere on the internet, with traffic appearing to originate from 192.168.24.42). I have installed a mongo database on the jail. It's happily running and accepting traffic; I can SSH to the FreeNAS server, and from there I can connect to the database. But of course, I cannot access 192.168.24.43 from anywhere outside the FreeNAS server, since the datacenter does not route .43 traffic to my FreeNAS server.

So: I think I need to forward port 27017 on the FreeNAS server to port 27017 on the jail. But I cannot figure out how to do this, because of the combination of NAT'ing and port forwarding.

Here's my current ipfw config:
# ipfw list
00100 allow ip from any to any via lo0
00200 nat 100 ip from any to 192.168.24.42 in recv igb0
00300 nat 100 ip from 192.168.24.43 to any out xmit igb0
65535 allow ip from any to any

I have tried various combinations of things like
ipfw add fwd 127.0.0.1,27017 tcp from any to 192.168.24.43 27017 in

but it does not appear to do anything useful.

Any help would be appreciated. Thanks!

David
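
An added example, not part of David's post or of any reply in this thread: with ipfw's in-kernel NAT, an inbound forward is expressed as a `redirect_port` option on the NAT instance that rule 00200 already sends inbound traffic through, rather than as a `fwd` rule. The script builds that command from the values in the post (nat 100, igb0, 192.168.24.43, port 27017) and only prints it; `if igb0` as the instance's existing option and the 203.0.113.10 client address are assumptions.

```shell
#!/bin/sh
# Added example: build (do not run) an ipfw NAT port-forward command.
# nat 100, igb0, 192.168.24.43 and 27017 come from the post above;
# "if igb0" and the client 203.0.113.10 are assumptions for illustration.

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # Reject anything but digits and single interior dots before splitting.
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Usage: nat_redirect_cmd NAT_ID IFACE PROTO JAIL_IP JAIL_PORT HOST_PORT [SRC]
nat_redirect_cmd() {
    nat_id=$1 iface=$2 proto=$3 jail_ip=$4 jail_port=$5 host_port=$6 src=${7:-}
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    valid_ipv4 "$jail_ip" || { echo "bad jail IP: $jail_ip" >&2; return 1; }
    valid_port "$jail_port" || { echo "bad jail port" >&2; return 1; }
    valid_port "$host_port" || { echo "bad host port" >&2; return 1; }
    # redirect_port proto targetIP:targetPORT aliasPORT [remoteIP]
    cmd="ipfw nat $nat_id config if $iface"
    cmd="$cmd redirect_port $proto $jail_ip:$jail_port $host_port"
    if [ -n "$src" ]; then
        valid_ipv4 "$src" || { echo "bad source IP: $src" >&2; return 1; }
        cmd="$cmd $src"   # only connections from this client are redirected
    fi
    printf '%s\n' "$cmd"
}

# Dry run: print the command for review instead of executing it.
nat_redirect_cmd 100 igb0 tcp 192.168.24.43 27017 27017 203.0.113.10
```

`ipfw nat 100 config` replaces the instance's whole option set, so compare the printed command against `ipfw nat 100 show config` before applying it. Leaving out the source address forwards the database port for every client that can reach 192.168.24.42.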
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
You already asked about this in another thread that you started, no need to dig up a 2 year old thread and double post.
 