Solved Jail IP configuration

driesm

Developer
I've been diving into jails lately and I'm scratching my head.
In terms of pure configuration of jail.conf I have no real questions.

However, in terms of IP usage and interface allocation I have a few.
I have read many threads about jails and have seen 2 approaches most widely used:

1) Jail IP addresses are set on the LAN interface as aliases (or WAN if you don't need NAT)

2) Jail IP addresses are set on a separate cloned lo1 interface as aliases

Is there a benefit to using one configuration approach over the other?
Isn't there a potential security hole if you alias jail IPs on the LAN interface?
Whereas when attaching jails to the lo1 interface it's separate from LAN traffic.
I imagine that using a different subnet is recommended?
Maybe even a completely separate private address range?
 
First of all, I take it you're not talking about vnet jails.
There are many ways to use local IP addresses for a normal jail.
It's a network thing, not a jail thing.

The process of setting the IP address as an alias is just how jail networking works.
A jail is indifferent to what interface it's aliased to. The jail is only interested in having a unique IP address.
I have been a qjail user for many years and it uses the private host/LAN IP address method with an alias on the interface facing the public internet. It can also be configured to use a lox interface. I have seen no performance benefit of one method over the other. Use whatever method you are comfortable with.
 
1) Jail IP addresses are set on the LAN interface as aliases (or WAN if you don't need NAT)
When using NAT, WAN is usually a better choice than LAN. The objective is to minimize traffic, i.e., you don't want packets bouncing around from interface to interface when trying to get to the destination.

I imagine that using a different subnet is recommended?
Yes, this is the better way. With a subnet, jails are only reachable through OS NAT. Where you place the subnet (WAN/LAN/lo) depends on what the jails are intended to do. If, for example, a jail runs an HTTP proxy for LAN clients, you could place it on any of the 3. If the jail runs an HTTP server, you're better off placing the subnet on the WAN.

By the same token, imagine if you were running an HTTP server on a WAN alias IP without a subnet....
 
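A minimal host configuration for approach 2 (jails aliased on a cloned lo1 interface, in their own private subnet, reachable only through NAT), added here as an example and not taken from any post in this thread. The 10.10.0.0/24 subnet, the jail names www and proxy, and em0 as the WAN interface are assumptions.

```conf
# /etc/rc.conf (host)
cloned_interfaces="lo1"          # dedicated loopback that carries only jail addresses
pf_enable="YES"

# /etc/jail.conf (host)
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";
# "interface|address" makes jail(8) add the /32 alias on lo1 when the jail
# starts and remove it when the jail stops. 10.10.0.0/24 is a constructed
# example subnet that does not overlap the LAN or WAN ranges.
www   { ip4.addr = "lo1|10.10.0.10/32"; }   # HTTP server, exposed on the WAN
proxy { ip4.addr = "lo1|10.10.0.11/32"; }   # HTTP proxy for LAN clients only

# /etc/pf.conf (host); em0 is the assumed WAN-facing interface
ext_if   = "em0"
jail_net = "10.10.0.0/24"
# Outbound: all jails leave through the WAN address, so LAN hosts never see
# jail addresses and the jail subnet is not routable from outside.
nat on $ext_if from $jail_net to any -> ($ext_if)
# Inbound: only the web jail is published; the proxy jail has no rdr, so it is
# reachable solely from the host's LAN side.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 10.10.0.10
block in on $ext_if
pass in on $ext_if proto tcp to 10.10.0.10 port 80
pass out
```

With this layout, `ifconfig lo1` on the host should list exactly the running jails' /32 aliases and nothing else, which is a quick way to confirm no jail address ended up on the LAN interface.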