PF Jail as default gateway

As I'm using pf in a jail that is the DMZ and I have some rdr rules for port forwarding, I would like this jail to also be the default gateway for the server and the other jails and VMs running on it. Does this make sense, or is it better to leave the server pointing to the IP provided by the ISP?
 
Horse or cart... Will your server boot without a functioning default gateway? Do you need that for DNS and NTP services at boot time?
 
Horse or cart... Will your server boot without a functioning default gateway? Do you need that for DNS and NTP services at boot time?
I don't think so. I must try that.

I ask this because the DMZ jail has Nginx running as a reverse proxy to a couple of webservers running on other jails. If on those jails I use the DMZ as the default gateway, the packets pointing to port 443 on the DMZ don't make the whole round trip, but if I set the ISP default gw (192.168.0.1) they work as expected.
 
Just connect the uplink to the jail and let it handle the egress connection; don't do port forwarding and fiddling around with loopback interfaces on the host.

I've been running gateways in jails for several years now (since vnet became usable without nuking the host on teardown). Works as advertised and I wouldn't want it any other way now.
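For readers wanting to see what the "let the jail own the uplink" layout looks like in pf terms, here is an added example pf.conf for such a gateway jail; it is not the original poster's configuration or anything from the thread, and the interface names, addresses and the choice of the forwarded ports are assumptions. It also goes slightly beyond the thread by including the reflection rules that pf needs when hosts behind the gateway connect to the uplink address, since an rdr on the external interface never sees packets arriving on the internal one.

```pf
# Added example: pf.conf for a vnet jail that holds the uplink and is the
# default gateway for the other jails. Names/addresses below are assumed.
ext_if  = "vtnet0"          # uplink interface passed into the jail
int_if  = "epair0b"         # jail side of the epair bridged to the other jails
int_net = "10.0.10.0/24"    # network shared with the other jails (assumed)
nginx   = "10.0.10.2"       # jail running the reverse proxy (assumed)

set skip on lo0
scrub in all

# Egress NAT for everything that uses this jail as its default router
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Port forward from the uplink address to the reverse proxy
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $nginx

# Reflection: clients on $int_net that connect to the uplink address arrive
# on $int_if, so the rdr above does not match them. Redirect here too, and
# source-NAT them so the reply from $nginx comes back through this jail
# instead of going straight to the client and bypassing the state entry.
rdr on $int_if inet proto tcp from $int_net to ($ext_if) port { 80, 443 } -> $nginx
nat on $int_if inet proto tcp from $int_net to $nginx port { 80, 443 } -> ($int_if)

# Default deny inbound; allow the jail's own outbound traffic
block in log all
pass out quick keep state

# Filtering happens after translation, so match the post-rdr destination
pass in on $ext_if inet proto tcp from any to $nginx port { 80, 443 } flags S/SA keep state
pass in on $int_if inet from $int_net to any keep state
pass in inet proto icmp icmp-type echoreq
```

The other jails then point their default route at the address on $int_if (for example `defaultrouter="10.0.10.1"` in their rc.conf, an assumed address), and forwarding has to be enabled inside the gateway jail (`sysctl net.inet.ip.forwarding=1`, or `gateway_enable="YES"` in the jail's rc.conf). Check the rule set with `pfctl -nf /etc/pf.conf` before loading it.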
 
...or it's better to leave the server pointing to the IP provided by the ISP?
...but if I set the ISP default gw (192.168.0.1) they work as expected.
Understanding the location of your firewall is germane to the problem. If your existing gateway is 192.168.0.1, then I'm guessing it's on some sort of appliance, and the "IP provided by the ISP" is actually attached to the appliance uplink, either statically or by DHCP when the appliance boots.

tommiie asked for a network diagram which would have clarified this.

I don't really see a problem using one VM (using an appliance as its default gateway) as the default gateway for other VMs. You would want to manage the boot order and the routing tables.

However, I'd be acutely reluctant to point a virtualisation server at one of its own VMs as a default gateway, as that gateway clearly will not exist at the point in time when the virtualisation server boots. The creation of the default route would very likely fail. You would have to arrange to plant the default gateway on the virtualisation server after the VM boots. Even if it can be made to work (it's messy, but it probably can), you will have created a fragile setup, likely to break easily, and obfuscate other problems.
 
However, I'd be acutely reluctant to point a virtualisation server at one of its own VMs as a default gateway, as that gateway clearly will not exist at the point in time when the virtualisation server boots.
Admittedly, I'm new to all of this, but I'm in the midst of configuring a host with a handful of jails to run my gateway services. One of the jails is the gateway, another runs dnsmasq for DHCP and DNS. The host passes the WAN and trunked LAN interfaces to the jailed gateway. The host also has its own static IP and a default route that runs over a VLAN ultimately connected via a bridge to the jailed gateway. I haven't rebooted it in a few days, but it's working fine and I haven't noticed any problems with the default routes or whatnot when it comes up. The gateway comes up quick and fetches its DHCP "WAN" address (not really WAN right now, as it's all running on a separated network with my current router, which I'm replacing).

The most critical piece, which I think OP should consider is how to console into the system. The machine that's running the above is a NUC and I don't have it connected to a keyboard or monitor, but it does have a console port. It also happens to have 6 NICs. I could use one of the NICs to connect via SSH, but instead I'm currently using a Raspberry Pi and connect through to that then console via a USB-console cable adapter. And, I can VPN into the Pi, too. The Pi has its NIC and a USB NIC and lives on both networks, so I can connect into it and test gateway configurations as a client machine while also connecting to the console and run everything on the host/jails.

I have discovered tmux, and now I think my life is complete.

ssh>cu>tmux, everything I need to work on the system.
 