Co je cilem: Na stroji, ktery bude pripojen k internetu, bude privatni 'podsit', ktera bude pristupna pouze pres OpenVPN. Tato podsit je bindovana na adapter rl0, na kterem bezi jail 'iota'. Externi adapter (fxp0) posloucha na 1194/tcp a pres natd ten port forwarduje na rl0 1194/tcp, kde posloucha OpenVPN daemon. Aby jail 'iota' mohl na internet, bezi na fxp0 natd. Tohle vsechno funguje. Problem je, ze kdyz se pripojim s OpenVPN klientem do privatni site, nemuzu pingovat IP jailu. Rozsah pro OpenVPN klienty je 192.168.158.200-192.168.158.254. Klienti mezi sebou se pinguji bez problemu a i ostatni komunikace mezi nimi je bezproblemova. Protoze ale chci v jailu provozovat apache a mysql (bezici na 192.168.158.100), potrebuji se na tu IP z klientu nejak dostat. ************************************************************************************* ************************************************************************************* [root@epsilon: /home/mates]# ifconfig -a rl0: flags=8843 mtu 1500 options=8 inet 192.168.158.100 netmask 0xffffffff broadcast 192.168.158.100 ether 00:e0:7d:e8:1c:46 media: Ethernet autoselect (none) status: no carrier fxp0: flags=8843 mtu 1500 options=8 inet 192.168.10.13 netmask 0xffffff00 broadcast 192.168.10.255 inet 192.168.10.201 netmask 0xffffffff broadcast 192.168.10.201 inet 192.168.10.202 netmask 0xffffffff broadcast 192.168.10.202 inet 192.168.10.203 netmask 0xffffffff broadcast 192.168.10.203 ether 00:11:11:0e:94:9f media: Ethernet 100baseTX status: active lo0: flags=8049 mtu 16384 inet 127.0.0.1 netmask 0xff000000 tap0: flags=8842 mtu 1500 ether 00:bd:98:38:00:00 Opened by PID 665 ************************************************************************************* ************************************************************************************* [root@epsilon: /home/mates]# netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 192.168.10.1 UGS 0 56 fxp0 127.0.0.1 127.0.0.1 UH 0 3 lo0 192.168.10 link#2 UC 0 0 fxp0 192.168.10.1 
00:0e:2e:3f:dd:31 UHLW 2 0 fxp0 1146 192.168.10.16 00:0d:61:39:fd:3d UHLW 1 272 fxp0 1148 192.168.10.201 00:11:11:0e:94:9f UHLW 1 3 lo0 => 192.168.10.201/32 link#2 UC 0 0 fxp0 192.168.10.202/32 link#2 UC 0 0 fxp0 192.168.10.203/32 link#2 UC 0 0 fxp0 192.168.158.100/32 link#1 UC 0 0 rl0 ************************************************************************************* ************************************************************************************* [root@epsilon: /home/mates]# jls JID IP Address Hostname Path 4 192.168.158.100 iota.marbal.net /home/iota.marbal.net 3 192.168.10.203 theta.marbal.net /home/theta.marbal.net 2 192.168.10.202 eta.marbal.net /home/eta.marbal.net 1 192.168.10.201 zeta.marbal.net /home/zeta.marbal.net ************************************************************************************* ************************************************************************************* [root@epsilon: /home/mates]# cat /etc/rc.conf defaultrouter="192.168.10.1" hostname="epsilon.marbal.net" ifconfig_lo0="inet 127.0.0.1" ifconfig_fxp0="inet 192.168.10.13 netmask 255.255.255.0 media 100BaseTX mediaopt full-duplex" ifconfig_rl0="inet 192.168.158.100 netmask 255.255.255.0" icmp_drop_redirects="YES" firewall_enable="YES" firewall_logging="YES" firewall_script="/etc/ipfw.rules" natd_enable="YES" natd_interface="fxp0" natd_flags="-redirect_port tcp 192.168.158.100:1194 1194" gateway_enable=YES openvpn_enable="YES" openvpn_if="tap" jail_enable="YES" jail_list="zeta eta theta iota" jail_set_hostname_allow="NO" jail_sysvipc_allow="YES" jail_zeta_rootdir="/home/zeta.marbal.net" jail_zeta_hostname="zeta.marbal.net" jail_zeta_ip="192.168.10.201" jail_zeta_interface="fxp0" jail_zeta_exec_start="/usr/local/bin/bash /etc/rc" jail_zeta_devfs_enable="YES" jail_zeta_mount_enable="NO" jail_eta_rootdir="/home/eta.marbal.net" jail_eta_hostname="eta.marbal.net" jail_eta_ip="192.168.10.202" jail_eta_interface="fxp0" jail_eta_exec_start="/usr/local/bin/bash /etc/rc" 
jail_eta_devfs_enable="YES" jail_eta_mount_enable="NO" jail_theta_rootdir="/home/theta.marbal.net" jail_theta_hostname="theta.marbal.net" jail_theta_ip="192.168.10.203" jail_theta_interface="fxp0" jail_theta_exec_start="/usr/local/bin/bash /etc/rc" jail_theta_devfs_enable="YES" jail_theta_mount_enable="NO" jail_iota_rootdir="/home/iota.marbal.net" jail_iota_hostname="iota.marbal.net" jail_iota_ip="192.168.158.100" jail_iota_interface="rl0" jail_iota_exec_start="/usr/local/bin/bash /etc/rc" jail_iota_devfs_enable="YES" jail_iota_mount_enable="NO" ************************************************************************************* ************************************************************************************* [root@epsilon: /home/mates]# cat /usr/local/etc/openvpn/openvpn.conf local 192.168.158.100 port 1194 proto tcp dev tap0 server-bridge 192.168.158.100 255.255.255.0 192.168.158.201 192.168.158.254 client-to-client ************************************************************************************* ************************************************************************************* sysctl -a net.link.ether.bridge.config: rl0,tap0 net.link.ether.bridge.enable: 1 ************************************************************************************* ************************************************************************************* [root@epsilon: /home/mates]# cat /etc/natd.conf redirect_port tcp 192.168.158.100:1194 1194 ************************************************************************************* ************************************************************************************* [root@epsilon: /home/mates]# cat /etc/ipfw.rules ipfw -q -f flush /sbin/ipfw add divert natd log all from any to any via fxp0 /sbin/ipfw add pass log all from any to any ************************************************************************************* ************************************************************************************* [root@epsilon: /home/mates]# 
arp -a ? (192.168.10.1) at 00:0e:2e:3f:dd:31 on fxp0 [ethernet] ? (192.168.10.16) at 00:0d:61:39:fd:3d on fxp0 [ethernet] ? (192.168.10.201) at 00:11:11:0e:94:9f on fxp0 permanent [ethernet]