
FreeBSD Digital Ocean Droplet – Present Floating IP for Outbound/External connections PF or IPTABLES NAT Overload/PAT

Posted in FreeBSD, Networking

As previously mentioned here, I migrated from a UFS/ezjail FreeBSD Digital Ocean droplet to a ZFS/iocage droplet for easier backup and recovery. As part of making my life easier going forward, I decided to implement a floating IP for future migrations.

If you're unfamiliar with floating IPs, a floating IP is a second public IPv4 address that Digital Ocean routes to your droplet, sitting in front of the droplet's own public IPv4 address (the one assigned to the interface inside the droplet). The floating IP can be moved to another droplet in the same datacenter at any point, manually or automatically via the API. It is designed to provide a degree of resilience: if you can afford two droplets running the same services in an active/passive topology and the active one fails, you point the floating IP at the passive droplet and service continues. My reason for implementing a floating IP was purely laziness: it saves changing a handful of A resource records at each migration.

Having set up all my A resource records to point to the floating IP, one thing I had not considered was services external to my droplet that restrict access by hostname, which they resolve via DNS to the floating IP. Because I was NATing outbound traffic on the droplet's public interface, connections left with the droplet's own public IPv4 as their source address rather than the floating IP, so those hostname-based restrictions no longer matched. Luckily, thanks to Digital Ocean's metadata service and FreeBSD's PF, you can NAT to what Digital Ocean calls the "anchor" address, a private 10.x.x.x address bound to the droplet's public interface; traffic sourced from the anchor address leaves Digital Ocean's network as the floating IP. Before relying on it, check with ifconfig that the anchor address is actually present as an alias on the public interface.

To retrieve your anchor IP address, run the following curl command from inside the droplet (the metadata service lives on a link-local address and is only reachable from the droplet itself):

curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address

If, like me, you're using FreeBSD's PF, change your current NAT rule to the following. Translation (nat) rules must appear before the filter rules in pf.conf; syntax-check with pfctl -nf /etc/pf.conf, reload with pfctl -f /etc/pf.conf, and confirm the loaded rule with pfctl -s nat.

     nat pass on $ext_if from $jail_net to any -> $anchor_ip
e.g. nat pass on $ext_if from $jail_net to any -> 10.x.x.x

To translate only selected destination ports, add a port match; PF accepts a list or a range:

     nat pass on $ext_if from $jail_net to any port { 80, 443 } -> $anchor_ip
     nat pass on $ext_if from $jail_net to any port 1024:65535 -> $anchor_ip

Note that the pass keyword makes PF skip the filter rules for packets matching the translation rule; use plain nat (without pass) if you want your filter rules to still apply to outbound jail traffic.

Similarly, you can do this with any firewall that supports source NAT, such as iptables on Linux. Match on the source network rather than on a single protocol (-p tcp); otherwise UDP traffic such as DNS lookups from the jails still leaves with the droplet's own address:

    iptables -t nat -A POSTROUTING -s $JAIL_NET -o eth0 -j SNAT --to-source 10.x.x.x
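To put the steps above together, here is an added shell example (my own, not code from the original post): it fetches the anchor address from the metadata endpoint, validates that the response really is an IPv4 address before it goes anywhere near pf.conf, checks via ifconfig that the address is configured on the public interface, and prints the PF and iptables rules. The interface name vtnet0, the $jail_net macro, the script name and the ifconfig output shown in the usage note are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the Digital Ocean anchor
# address, sanity-check it, and emit the matching PF and iptables source-NAT rules.
# Assumptions: public interface vtnet0 (FreeBSD virtio) or eth0 (Linux), and the
# jail network referred to by the PF macro $jail_net.

METADATA_URL="http://169.254.169.254/metadata/v1/interfaces/public/0/anchor_ipv4/address"

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255.
# The metadata endpoint returns an empty body or an error page when no floating
# IP is assigned, so never paste its output into pf.conf unchecked.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _rest=$1
    _n=0
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}
        [ "$_octet" -le 255 ] || return 1
        _n=$((_n + 1))
        case "$_rest" in *.*) _rest=${_rest#*.} ;; *) _rest= ;; esac
    done
    [ "$_n" -eq 4 ]
}

# fetch_anchor_ip: query the metadata service (only reachable inside the droplet).
fetch_anchor_ip() {
    curl -sf --max-time 3 "$METADATA_URL"
}

# addr_on_interface ADDR (ifconfig output on stdin): succeed if ADDR is present
# as an inet address. Fixed-string match with a trailing space, so 10.10.0.5
# does not match 10.10.0.50.
addr_on_interface() {
    grep -qF "inet $1 "
}

# anchor_configured IFACE ADDR: check the live interface with FreeBSD ifconfig.
anchor_configured() {
    ifconfig "$1" 2>/dev/null | addr_on_interface "$2"
}

# pf_nat_rule IFACE SRC ANCHOR [PORTS]: the pf.conf translation rule.
# Plain "nat" (no "pass") keeps translated packets subject to the filter rules.
pf_nat_rule() {
    if [ -n "${4:-}" ]; then
        printf 'nat on %s from %s to any port %s -> %s\n' "$1" "$2" "$4" "$3"
    else
        printf 'nat on %s from %s to any -> %s\n' "$1" "$2" "$3"
    fi
}

# iptables_nat_rule IFACE SRC ANCHOR: Linux equivalent, restricted by source
# network rather than by protocol so UDP and ICMP are translated too.
iptables_nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$2" "$1" "$3"
}

# main [IFACE] [SRC]: fetch, validate, check the alias, print both rules.
main() {
    _if=${1:-vtnet0}
    _src=${2:-\$jail_net}
    _anchor=$(fetch_anchor_ip) || { echo "metadata lookup failed; run this inside the droplet" >&2; return 1; }
    is_ipv4 "$_anchor" || { echo "metadata returned '$_anchor', not an IPv4 address (no floating IP assigned?)" >&2; return 1; }
    if ! anchor_configured "$_if" "$_anchor"; then
        echo "warning: $_anchor is not configured on $_if; add it as an alias before using this rule" >&2
    fi
    echo "# FreeBSD pf.conf (translation rules go before the filter rules):"
    pf_nat_rule "$_if" "$_src" "$_anchor"
    echo "# Linux equivalent:"
    iptables_nat_rule eth0 "$_src" "$_anchor"
}

# Only talk to the metadata service when explicitly asked.
case "${1:-}" in
    --print-rules) shift; main "$@" ;;
esac
```

Run it on the droplet as sh anchor-nat.sh --print-rules vtnet0 '$jail_net' and paste the printed PF line into pf.conf, then verify with pfctl -nf /etc/pf.conf. The generated rule deliberately uses nat rather than nat pass so that outbound jail traffic still passes through your filter rules; add pass back only if skipping filtering is what you intend. On Linux, replace the ifconfig check with ip -4 addr show dev eth0, whose "inet 10.x.x.x/32" lines need a slightly different match.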
