Jail with no default route (bridge) - setfib 1

[lib13]

Hi,

I'm close to the solution but not yet at it. I've got two internet connections: igb0 connects to local router and get a private 192.168.1.x address and igb1 is connected to another line via bridge and gets a public IP. I want a jail to use igb1 for default route and be accessible also from local network via loopback device or igb0. The latter part is fine, the default route for igb1 is not. Here's what I have:

# grep fib /boot/loader.conf

net.fibs=4
net.add_addr_allfibs=0

/etc/rc.conf (relevant parts)

ifconfig_igb0="inet 192.168.1.30 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"

cloned_interfaces="bridge0 tap0 lo1 lo2 lo3"
ifconfig_bridge0="addm igb0 addm tap0"
jail_enable="YES"
ifconfig_lo1="inet 127.0.0.41 netmask 255.255.255.255"
ifconfig_igb0_alias0="inet 192.168.1.41 netmask 255.255.255.255"
pf_enable="YES"
ifconfig_igb1="fib 1 SYNCDHCP"
static_routes="dmz internal"
route_dmz_if="-net 95.95.88.0/21 -iface igb1 -fib 1"
route_dmz_gw="default 95.95.95.254 -iface igb1 -fib 1"
route_internal_if="-net 192.168.1.0/24 -iface igb0 -fib 0"

jail.conf

mldonkey {
interface = "igb1";
exec.fib = 1;
ip4.addr = "lo1|127.0.0.41/32";
ip4.addr += "igb0|192.168.1.41/32";
allow.raw_sockets = 1;
}

Everything seems fine for setfib 0::

setfib 0 netstat -nr -f inet

default 192.168.1.1 UGS igb0
127.0.0.1 link#3 UH lo0
127.0.0.41 link#6 UH lo1
192.168.1.0/24 link#1 U igb0
192.168.1.30 link#1 UHS lo0
192.168.1.41 link#1 UHS lo0
192.168.1.41/32 link#1 U igb0

But for fib 1, no default route:
setfib 1 netstat -nr -f inet

Routing tables (fib: 1)

Internet:
Destination Gateway Flags Netif Expire
95.95.88.0/21 link#2 U igb1
95.95.92.167 link#2 UHS lo0

igb1 seems to have acquired an IP as expected by DHCP
ifconfig igb1 | grep inet

inet 95.95.92.167 netmask 0xfffff800 broadcast 95.95.95.255

In the jail:

setfib 1 jexec 2 /bin/tcsh
# netstat -nr -f inet

Routing tables (fib: 1)
=== empty ===

setfib 0 jexec 2 /bin/tcsh #(is well configured)
# netstat -nr -f inet

Routing tables
127.0.0.41    link#6     UH    lo1
192.168.1.41    link#1    UHS    lo0

So, what should I add/modify in order for my jail to be able to access the internet via fib 1?

 

[lib13]

I've been trying to solve this issue, and now it seems that the problem is in defining a default route for igb1.
I've come across this patch that says that I can add _fib<number> to several configuration variables in rc.conf. Don't know if this patch is valid in 10.2-STABLE or not. Another thing that I read is that one cannot use the

defaultrouter

as it's meant for only one network.

So, considering my two network schema, doing (in /etc/rc.conf)

defaultrouter_fib0="192.168.1.1"
defaultrouter_fib1="95.95.95.254 -netmask 255.255.248.0"

doesn't produce any default route as shown by netstat -nr -f inet
Is this _fib<number> valid? Cannot find anything in the documentation about this. If not so, I to do it in another way?

Another question is about to know if the following syntax for rc.conf is fine:

static_routes="dmz:igb1 internal:igb0"
ifconfig_igb0="inet 192.168.1.30 netmask 255.255.255.0"
ifconfig_igb1="fib 1 SYNCDHCP"

I'd appreciate some help on this. Thanks in advance.

 

[junovitch@]

The _fib<number> syntax works for having a service start in a different FIB by the rc(8) framework. For routes it would be rc.conf entries like below:

static_routes="dmzigb1"
route_dmzigb1="default 192.168.102.1 -fib 1"

 

[lib13]

The _fib<number> syntax works for having a service start in a different FIB by the rc(8) framework. For routes it would be rc.conf entries like below:

static_routes="dmzigb1"
route_dmzigb1="default 192.168.102.1 -fib 1"

So, in

static_routes

I should only include the dmz one, not also the internal route?

And make no association with the interface it belongs to, i.e. ibg1?

Other question: when starting a jail with

setfib <n> jexec <nr jail> /bin/tcsh

, am I changing the routes of the jail? I say this because when inside the jail I issue:

netstat -nr

, the output differs according to the

setfib <n>

entered.