Nat with multiple nat_prefix breaks others when using pf

Description

When setting a different prefix for nat_prefix (for the purpose of making the resultant NAT IP consistent), the last jail to start gets its prefix as the one that can NAT out, while others do not.

One possible solution would be to support not-pseudo-DHCP-ing the jail's IP (if the DHCP option is not checked but NAT is checked) so that the need to jerry-rig multiple nat_prefix-es would go away.

I'm not sure if the pf firewall lets you configure multiple nats, but in theory it could also involve merely letting more than one nat on igb0 from 172.16.0.0/24 to any -> (igb0:0) static-port entry on the list (one for each prefix).

I haven't tested what happens on ipfw because I couldn't get it to work yet.
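An added example, not part of the original report and not iocage's code: pf accepts several nat rules with different source networks, so the sketch below keeps one rule per prefix instead of replacing the previous one, and lists jails that no nat rule covers. It assumes a two-octet nat_prefix that maps to `<prefix>.0.0/24` as in the rule quoted above; the function names and the sickrage address are hypothetical.

```python
import ipaddress
import re

# Rule form quoted in the report:
#   nat on igb0 from 172.16.0.0/24 to any -> (igb0:0) static-port
NAT_RE = re.compile(r"^nat on \S+ from (\S+) to any -> \(\S+\) static-port$")


def prefix_net(prefix):
    """Assumption: nat_prefix is two octets ('172.16') -> <prefix>.0.0/24."""
    return ipaddress.ip_network(f"{prefix}.0.0/24")


def nat_rule(iface, prefix):
    return f"nat on {iface} from {prefix_net(prefix)} to any -> ({iface}:0) static-port"


def nat_sources(rules):
    """Source networks of every nat rule in the list; other lines are ignored."""
    found = (NAT_RE.match(line.strip()) for line in rules)
    return [ipaddress.ip_network(m.group(1)) for m in found if m]


def add_prefix(rules, iface, prefix):
    """Return rules plus a nat rule for prefix, keeping rules for other prefixes."""
    if prefix_net(prefix) in nat_sources(rules):
        return list(rules)  # already covered, do not duplicate
    return list(rules) + [nat_rule(iface, prefix)]


def uncovered(rules, jails):
    """Names of jails whose address matches no nat rule, i.e. cannot NAT out."""
    nets = nat_sources(rules)
    return sorted(name for name, ip in jails.items()
                  if not any(ipaddress.ip_address(ip) in net for net in nets))


# Constructed sample: deluge's address is from the report, sickrage's is assumed.
JAILS = {"sickrage": "172.16.0.2", "deluge": "172.17.0.2"}

if __name__ == "__main__":
    # Reported state: only the prefix of the last jail started has a nat rule.
    broken = [nat_rule("igb0", "172.17")]
    print("no NAT:", uncovered(broken, JAILS))
    fixed = add_prefix(broken, "igb0", "172.16")
    print("\n".join(fixed))
    print("no NAT:", uncovered(fixed, JAILS))
```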

Problem/Justification

None

Impact

None

Activity

Waqar 
January 18, 2021 at 8:13 PM

Thank you for reporting this. Can you please create a suggestion-type issue in Jira for this? Thanks again.

Anthony Takata (Tsaukpaetra) 
August 7, 2019 at 7:46 AM

Addendum: If using the ipfw firewall, this code will also allow multiple nat prefixes:

To be inserted at around line 1611 if the above pf fix isn't also applied, right after the lines that read f'Inserted: {final_line}{rdrs} into rules at index 1' and the closing parenthesis.

 

To me, these two minuscule fixes would be sufficient to fully support this feature, so I keep my peace. They're two simple additions I can continue doing by hand each update until a "proper" resolution is found and implemented later. 👍

Anthony Takata (Tsaukpaetra) 
July 29, 2019 at 8:20 PM

Yeah no worries. As mentioned I found a workaround above that I can apply that will let me function as desired until the "real" solution is figured out.

Waqar 
July 29, 2019 at 7:14 PM

Thank you for letting me know. In essence I believe you only require static IPs for NAT so that you are able to determine which jail will have which IP on start up (this means that different nat prefixes aren't required). However, this change requires more work and it could introduce other regressions, so for now we are retargeting it and will consider incorporating this in the future.

Thank you for your input, have a good day!

Anthony Takata (Tsaukpaetra) 
July 29, 2019 at 7:00 PM

Correct. I am using multiple prefixes because I need predictable IP addresses for some of the jails so I can have them talk to one another (in this case, sickrage to communicate with deluge), and that's difficult when their IPs change every time they start up.
By using different prefixes, I can ensure (for example) that the internal IP for deluge is always 172.17.0.2, since it's the only one that ever runs in that prefix.

This wouldn't be necessary if iocage would respect the DHCP setting (and whether it was off) and let me specify the IP address manually.

Won't Do

Created July 28, 2019 at 9:14 PM
Updated July 1, 2022 at 4:34 PM
Resolved January 18, 2021 at 8:13 PM