Solved NAT attribution, I Guess ?

[Fawst]

Hello everyone,

I'm new in the word of FreeBSD and more on firewall ...

I'm struggle with building a good pf.conf in order to run plex media server inside a jail.

I don't know if I'm in the right topic, but after many try I guess is due to pf rules.

So here is my /etc/rc.conf

hostname="MFserver"

##############Internet############
defaultrouter="192.168.2.1"
ifconfig_re0="DHCP"
sshd_enable="YES"
ntpd_enable="YES"

##############Stockage############
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"

#############Firewall#############
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

###########Services################
noip_enable="YES"
ezjail_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

##########Cloned loopback#######

cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 192.168.2.21 netmask 255.255.255.255"
gateway_enable="YES"
local_unbound_enable="YES"

here my /etc/pf.conf

ext_if="re0"
int_if="lo1"


tcp_pass = "{ 22 25 53 80 110 123 }"
udp_pass = "{ 53 110 631 }"
SSH= "{ 22 }"
IP_PUB="192.168.2.16"
IP_JAIL_plex="192.168.2.21"
PORT_WWW="{32400}"

scrub in all

pass out proto tcp to port $SSH
pass in on $ext_if proto udp to any port $udp_pass keep state
pass in quick on $ext_if proto tcp to any port 32400 keep state
pass in on $int_if from $int_if:network to ($int_if) keep state

My ifconfig

re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether xx:xx:xx:xx:xx:xx
        inet 192.168.2.16 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.2.21 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160

And finally my jails :

 JID  IP Address      Hostname                      Path
     1  192.168.2.21    plex                          /usr/jails/plex

For symptom, when I go on my browser and tap 192.168.2.21:32400/web I can sign up plex but plex can't find my server.

Have you any idea, on all stupid things I do ?

I thank you in advance for your help

 

[Remington]

Turn off the firewall and change jail to use re0 nic. Plex and Serviio don't work too well with firewall especially with broadcast. If your server is behind home router then pf isn't needed. Just keep it simple.

 

[SirDice]

If I'm not mistaken Plex uses UPnP/DLNA to find devices. DLNA uses UDP/1900 to broadcast and find devices, and usually a TCP port in the 5000 range for the actual connection.

 

[Remington]

If I'm not mistaken Plex uses UPnP/DLNA to find devices. DLNA uses UDP/1900 to broadcast and find devices, and usually a TCP port in the 5000 range for the actual connection.

That's correct. As I recall, Serviio uses the same thing but its unnecessary to have server's firewall enabled behind a home router's firewall.

 

[Fawst]

Hello,

thank's for your reponse.

I did a clone of my Re0 and plex work well know.

But my knew trouble is this, I have nextcloud set on an other jail, I did another clone of Re0, everithing work well on local, again thank you guy, but I have set No-IP and I can't reach my nextcloud jail because No-IP is set on my server adress.

So I try to create PF.conf rule to redirect trafic from my Re0 known by the router and the jail.

It's look like this /etc/pf.conf

#interfaces
    WAN="re0"

### Networks
    LOCAL="192.168.2.16"      # IP-server
    nextcloud="192.168.2.20"  # Jails nextcloud

set loginterface $WAN

### REDIRECTION ###

### Bridge subnet
   # nat on $WAN to $WAN port 80 -> $nextcloud port 80
   # nat on $WAN from $nextcloud to any -> ($WAN)

### NGINX
    rdr pass on $LOCAL proto 80 from any to $LOCAL port 80 -> $nextcloud port 80


### DENY any redirection not defined above
    no rdr

My ifconfig look this

root@MFserver:/usr/home/Flow # ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether xx:xx:xx:xx:xx:xx
        inet 192.168.2.21 netmask 0xffffffff broadcast 192.168.2.21
        inet 192.168.2.20 netmask 0xffffffff broadcast 192.168.2.20
        inet 192.168.2.16 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@MFserver:/usr/home/Flow #

So, should I setup PF.conf or it's possible to do something with out PF?

And yes I'm behind the compagny's router (Bell Canada) who selling internet.

 

[SirDice]

### NGINX
    rdr pass on $LOCAL proto 80 from any to $LOCAL port 80 -> $nextcloud port 80

This is never going to work.

     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for connec-
     tions originating from the outside.  Connections to the address of the
     external interface from local hosts will not be redirected, since such
     packets do not actually pass through the external interface.  Redirec-
     tions cannot reflect packets back through the interface they arrive on,
     they can only be redirected to hosts connected to different interfaces or
     to the firewall itself.

From pf.conf(5).

 

[Remington]

You can only redirect from re0 to lo0 using pf otherwise routing will not work. Can you redirect the port in the company's router to nextcloud's IP address?

 

[Fawst]

Unfortunately, no I can't redirect ports because the router don't see jail ip, maybe because router see only Mac adress and after that assign an ip adress, It's a supposition.

Should I don't use DHCP protocol?

For my pf.conf rule, I know pfctl - svf /etc/pf.conf told it to me

 

[Remington]

It would be better to set static IP addresses in the company's router. I know you can limit the range for DHCP and use static IP addresses outside of DHCP's range for the server. DHCP isn't good for the server as addresses can change during reboots that is if your server is using DHCP.

 

[kpa]

Unfortunately, no I can't redirect ports because the router don't see jail ip, maybe because router see only Mac adress and after that assign an ip adress, It's a supposition.

Should I don't use DHCP protocol?

For my pf.conf rule, I know pfctl - svf /etc/pf.conf told it to me

Routers do not just see "Mac addresses", they are fully aware of the connected networks and they support every bit of the IP protocol that is necessary for normal routing operation. What may not be possible on every router is address rewriting also known as "NAT" which allows port forwarding and outbound NAT. Looking at the addresses used on your network it's clear however that your router is doing outbound NAT but it may not have controls for the user to add port forwards.

 

[Fawst]

I did, I set a static ip adress for the server outside the plage of DHCP router.

IP-server=192.168.2.16
Router-plage=192.168.2.25 to 192.168.2.250

But I can't assign a static ip on the router to the jail, can I create a feak Mac adress to my jail?

Edit : OK, so if my router don't support NAT my two options are :

-using my server as NAT
- configuring my jail under Lo0

Could be possible to the first option?

 

[Remington]

You can't create fake MAC address for Jails. Only VIMAGE can do that but you'll have to customize the kernel and do a buildworld which is more of a challenge so let's keep it simple for now.

Your router should have Port Forwarding which allows you to redirect router's port 80 to 192.168.2.20 port 80 in your router's configuration.

 

[Fawst]

OK, I will try that and give you a fee back.

As usual, many thanks, I like this world of sharing

 

[Fawst]

It'S work ! (Try it outside ...)

So it's bringing to me annoter question, why I can use the adress set with No-IP on my local network ?

When I type http://xxxxx.hotpto.org outside that work, I can connect to my nextcloud, but when I do it localy my browser talled me "This site is inaccessible".

 

[Remington]

Public and private IP addresses are separate. No-IP will not be able to see the private (local) IP addresses because of the router's NAT and firewall. If you're using 192.168.2.20 and your not the only ones who is using the number. There are probably over million users using the same private IP address so No-IP will not work. Public IP address is unique as nobody else has that except for your company. If you want more public IP addresses then you will have to contact your internet provider. If they can provide you static IP address for an additional fee then you won't need No-IP.

You will have to add your local IP address for nextcloud in hosts file so your computer will use the hosts instead of DNS to find the local server. I don't know what OS you are using so here's the link that will explain how to do it.

https://support.rackspace.com/how-to/modify-your-hosts-file/

 

[Fawst]

Thank you very much for your help and fast response .

I try to folow how modify hosts file, but it doesn't work.

I'm using FreeBSD 10.3

 

[Remington]

You will have to edit the hosts file in your desktop computer (windows, mac or linux) so your web browser can find the local server.

 

[Fawst]

That's work really well, thank you for your many tips and your patience.

We can properly say, it's solved

 

[kpa]

You will have to edit the hosts file in your desktop computer (windows, mac or linux) so your web browser can find the local server.

This is not a good solution on any larger scale than two computers. The proper solution is to have a DNS forwarder like dns/unbound serving your network with overrides that return private address responses for the FQDNs of your services.

 

[Remington]

This is not a good solution on any larger scale than two computers. The proper solution is to have a DNS forwarder like dns/unbound serving your network with overrides that return private address responses for the FQDNs of your services.

I agree but its something that should be done by experienced admin.