internet access to jail

I know this topic has been covered dozens of times at least, but I've been through every thread forum search and google search has given me. I've been bashing my head for hours on this.

I've a fresh install of FreeBSD on my box. I set up a jail and I can access my local network fine. I can ssh into and out of the jail without any problems. However, I cannot access the internet.

My network setup is pretty typical, nothing tricky.
Code:
Internet ------>  router ---------->Host -------------> Jail
                  192.168.1.1/24   192.168.1.254/24    192.168.1.253/24

I can access the internet fine on the host machine and other devices on the network. It's only the jail which doesn't work.

HOST /etc/rc.conf (relevant portion)
Code:
hostname="server.domain.local"

ifconfig_re0="192.168.1.254 netmask 255.255.255.0"
ifconfig_re0_alias0="inet 192.168.1.253/32"

defaultrouter="192.168.1.1"
inetd_flags="-wW -a 192.168.1.254"
sendmail_enable="NO"

JAIL /etc/rc.conf (entire file)
Code:
hostname="test.domain.local"
sshd_enable="YES"
defaultrouter="192.168.1.1"

I am using ezjail, here is the jail config
Code:
export jail_test_hostname="test"
export jail_test_ip="192.168.1.253"
export jail_test_rootdir="/usr/jails/test"
export jail_test_exec_start="/bin/sh /etc/rc"
export jail_test_exec_stop=""
export jail_test_mount_enable="YES"
export jail_test_devfs_enable="YES"
export jail_test_devfs_ruleset="devfsrules_jail"
export jail_test_procfs_enable="YES"
export jail_test_fdescfs_enable="YES"
export jail_test_image=""
export jail_test_imagetype=""
export jail_test_attachparams=""
export jail_test_attachblocking=""
export jail_test_forceblocking=""
export jail_test_zfs_datasets=""
export jail_test_cpuset=""
export jail_test_fib=""

Jail /etc/resolv.conf
Code:
nameserver 192.168.1.1


Code:
JAIL> host freebsd.org

freebsd.org has address 69.147.83.40
freebsd.org has IPv6 address 2001:4f8:fff6::28
freebsd.org mail is handled by 10 mx1.freebsd.org.
The Jail resolves dns correctly, since my router can handle those requests and the Jail can connect to the router fine.

However trying to build any ports fails on fetch.
 
ac1115 said:
JAIL /etc/rc.conf (entire file)
Code:
hostname="test.domain.local"
sshd_enable="YES"
defaultrouter="192.168.1.1"
You cannot set the defaultrouter inside a jail, it has to be set on the host. Hostname normally can't be set either unless jail_set_hostname_allow is set on the host.

However trying to build any ports fails on fetch.
Please post the exact error.
 
ok,

I enabled raw sockets first
Code:
sysctl security.jail.allow_raw_sockets=1

pinging router works fine.
Code:
ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.419 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.396 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.393 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.403 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.388 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=0.394 ms
64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=0.407 ms
^C

pinging freebsd.org doesn't return anything,
Code:
ping freebsd.org
PING freebsd.org (69.147.83.40): 56 data bytes
^C
--- freebsd.org ping statistics ---
35 packets transmitted, 0 packets received, 100.0% packet loss

Code:
traceroute -n freebsd.org
traceroute to freebsd.org (69.147.83.40), 64 hops max, 52 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  *^A^A * *
11  *^C

removing the hostname line from Jail /etc/rc.conf has no effect.

There is no error message when I use fetch. It just runs without any output until I ctrl+c, similar to how ping had no output until I ctrl-C. Needless to say, the file wasn't fetched.
 
On what port? Some ports have very large distfiles and extracting those can take some time.
 
SirDice said:
On what port?

Any and all.
Code:
fetch www.google.com/index.html
doesn't work, that page is only 9KB.

I'm sure it's some sort of routing or configuration issue, not a connectivity problem.
 
Is the router NAT'ing properly? Any firewall rules on the host that might block traffic?
 
ac1115 said:
any and all.
Code:
fetch www.google.com/index.html
doesn't work, that page is only 9KB
That means it works. That page is only 9KB. So if you now have a index.html file 9184 bytes in size we can safely assume fetch and your network works.
 
Sorry if I wasn't clear. The index file doesn't download at all on the Jail. I mentioned the size to show it wasn't a matter of large files taking long to download and extract.
 
ac1115 said:
Code:
hostname="server.domain.local"

ifconfig_re0="192.168.1.254 netmask 255.255.255.0"
ifconfig_re0_alias0="inet 192.168.1.253[B]/32[/B]"

defaultrouter="192.168.1.1"
inetd_flags="-wW -a 192.168.1.254"
sendmail_enable="NO"
Change this to /24
 
gkontos said:
Change this to /24

All the examples I've seen use /32 as subnet regardless of the actual value used on the network.

Regardless, I tried /24 as well, no effect.
 
gkontos said:
Change this to /24

No.

ifconfig(8):
alias
Establish an additional network address for this interface. This is sometimes useful when changing network numbers, and one wishes to accept packets addressed to the old interface. If the address is on the same subnet as the first network address for this interface, a non-conflicting netmask must be given. Usually 0xffffffff is most appropriate.
 
Ok, I ran this on HOST:

Code:
tcpdump -i re0|grep 192.168.1.253
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:06:28.375759 IP 192.168.1.253.39408 > 192.168.1.1.domain: 418+ A? www.google.com. (32)
15:06:28.389775 IP 192.168.1.1.domain > 192.168.1.253.39408: 418 6/0/0 CNAME www.l.google.com., A 74.125.226.179, A 74.125.226.177, A 74.125.226.180, A 74.125.226.178, A 74.125.226.176 (132)
15:06:28.389873 IP 192.168.1.253.23444 > 192.168.1.1.domain: 419+ AAAA? www.google.com. (32)
15:06:28.390648 IP 192.168.1.1.domain > 192.168.1.253.23444: 419 1/0/0 CNAME www.l.google.com. (62)
15:06:33.383749 ARP, Request who-has 192.168.1.253 tell 192.168.1.1, length 46
15:06:33.383755 ARP, Reply 192.168.1.253 is-at 40:61:86:07:22:51 (oui Unknown), length 28

The above bit of output is when I used the fetch below on JAIL. There was no other output other than that.

Code:
fetch www.google.com/index.html
 
ac1115 said:
Ok, I ran this on HOST:
Code:
tcpdump -i re0|grep 192.168.1.253
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:06:28.375759 IP 192.168.1.253.39408 > 192.168.1.1.domain: 418+ A? www.google.com. (32)
15:06:28.389775 IP 192.168.1.1.domain > 192.168.1.253.39408: 418 6/0/0 CNAME www.l.google.com., A 74.125.226.179, A 74.125.226.177, A 74.125.226.180, A 74.125.226.178, A 74.125.226.176 (132)
15:06:28.389873 IP 192.168.1.253.23444 > 192.168.1.1.domain: 419+ AAAA? www.google.com. (32)
15:06:28.390648 IP 192.168.1.1.domain > 192.168.1.253.23444: 419 1/0/0 CNAME www.l.google.com. (62)
[B]15:06:33.383749 ARP, Request who-has 192.168.1.253 tell 192.168.1.1, length 46
15:06:33.383755 ARP, Reply 192.168.1.253 is-at 40:61:86:07:22:51 (oui Unknown), length 28[/B]

The above bit of output is when I used the fetch below on JAIL. There was no other output other than that.

Code:
fetch www.google.com/index.html

That is very interesting. Apparently your router is providing DNS info to your jail. But when your jail tries to reach the internet then you have an ARP issue. ARP is in layer 2, honestly you shouldn't be getting that. I can't think of anything else but a reboot at your router.

Again this is a wild guess.
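One way to read a capture like the one quoted above mechanically, as an added example that is not from the thread or from FreeBSD: a small Python triage that counts, for one jail IP, DNS queries and answers, ARP traffic, and any packet the jail sends to an address outside the LAN. The sample input is the thread's own tcpdump output (the DNS answer line abridged); the jail IP and LAN prefix are the ones from the thread, and the verdict strings are this example's own.

```python
import re
from collections import Counter

# Sample input: the tcpdump lines posted in the thread (host capture grep'd for
# the jail IP), with the long DNS answer line abridged to one A record.
CAPTURE_FROM_THREAD = """\
15:06:28.375759 IP 192.168.1.253.39408 > 192.168.1.1.domain: 418+ A? www.google.com. (32)
15:06:28.389775 IP 192.168.1.1.domain > 192.168.1.253.39408: 418 6/0/0 CNAME www.l.google.com., A 74.125.226.179 (132)
15:06:28.389873 IP 192.168.1.253.23444 > 192.168.1.1.domain: 419+ AAAA? www.google.com. (32)
15:06:28.390648 IP 192.168.1.1.domain > 192.168.1.253.23444: 419 1/0/0 CNAME www.l.google.com. (62)
15:06:33.383749 ARP, Request who-has 192.168.1.253 tell 192.168.1.1, length 46
15:06:33.383755 ARP, Reply 192.168.1.253 is-at 40:61:86:07:22:51 (oui Unknown), length 28
"""

# tcpdump's default IPv4 line: "<time> IP <src>.<port> > <dst>.<port>: <payload>"
IP_LINE = re.compile(r"^\S+ IP (\S+) > ([^:]+): (.*)$")
ARP_LINE = re.compile(r"^\S+ ARP, (Request|Reply) ")

def split_endpoint(endpoint):
    """'192.168.1.253.39408' -> ('192.168.1.253', '39408'); the port may be a
    service name such as 'domain' or 'http' when tcpdump resolves it."""
    host, port = endpoint.rsplit(".", 1)
    return host, port

def triage(capture, jail_ip, lan_prefix):
    """Count what the jail IP actually put on the wire, by category."""
    counts = Counter()
    for line in capture.splitlines():
        m = IP_LINE.match(line)
        if m:
            src, sport = split_endpoint(m.group(1))
            dst, dport = split_endpoint(m.group(2))
            if src == jail_ip and dport == "domain":
                counts["dns_query"] += 1
            elif dst == jail_ip and sport == "domain":
                counts["dns_answer"] += 1
            elif src == jail_ip and not dst.startswith(lan_prefix):
                counts["offlan_from_jail"] += 1   # e.g. a TCP SYN to a web server
            else:
                counts["other_ip"] += 1
            continue
        m = ARP_LINE.match(line)
        if m:
            counts["arp_" + m.group(1).lower()] += 1
    return dict(counts)

def verdict(counts):
    """Name resolution working but nothing ever leaving the LAN points at the
    jail's address/route setup on the host, not at DNS or the fetch itself."""
    if counts.get("offlan_from_jail", 0):
        return "offlan-traffic-seen"
    if counts.get("dns_answer", 0):
        return "dns-ok-no-offlan-traffic"
    return "no-jail-traffic"
```

On the thread's capture the verdict is "dns-ok-no-offlan-traffic": the jail completed its DNS lookups and answered the router's ARP request, yet no packet from 192.168.1.253 towards 74.125.226.x was ever seen on re0.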
 
well I reinstalled the host from scratch... and now it works...

I'm even more confused now than I was before. I don't think I did anything differently, but I won't look a gift horse in the mouth. :e Thanks all for helping!

And yes, I'm using dd-wrt on a linksys router, it can double as a dns server as well.
 