Combining an epair(4) member and WLAN interface via bridge(4) in VNET jail?

I've pieced together a jail for containing my wifi network. It has two interfaces:
  • jail0 - The jail half of an epair(4) interface (epairXb)
  • wlan0 - physical wlan0 from host
The wlan0 will host my local wireless network, but I want to create something like an Ethernet bridge between the wlan0 and jail0 interfaces. I did not assign jail0 an IP address, because I want this to happen at OSI layer 2. My thinking is, if I can do that, then traffic from wireless client stations will transit through jail0 to pop out on the host-side's epairXa interface with the wireless LAN IP addresses intact (so that I can avoid having to do double NAT or fiddling around with some weird UDP-encapsulated mess).

Is this possible? I have already tried putting wlan0 and jail0 into a bridge0 inside the jail, and my wireless client can ping the wlan0 interface fine. But IPv4 traffic is not moving from wlan0 through jail0 as far as I can tell. Oddly enough, IPv6 traffic is: if I put tcpdump on the host epairXa interface, I can see attempts by the wireless client (an Android phone) trying to get to Google, and the IPv6 packets are carrying the client's fe80 link-local IPv6 address as source and one of Google's IPv6 addresses as destination (but I haven't joined the IPv6 internet yet, so these packets won't go anywhere). So I kinda think the bridge idea is working, but I need it to forward IPv4 traffic only. However, I am somewhat stumped at this point, and really don't know the right Google keywords to look for to get any further.
 
Do you have "net.inet.ip.forwarding=1" in your /etc/sysctl.conf? You also might want to use pf inside that jail. My suggestion, however, is not to bridge the wifi network.

I did not have that tunable set. Even after setting it, though, I still am not seeing traffic being forwarded by the bridge to/from jail0. I wonder if it is something to do with the routes? Do I need to teach it to forward all non-WLAN traffic through jail0 somehow?

And I currently have the firewall disabled in the jail while testing. It will be an IPFW firewall, which is the firewall language I've taught myself, once I get to setting that up. As for the goal, this is currently on my router appliance, which handles both wireless and wired networking. It makes the IPFW script needlessly complex, though, so if I can put the wireless and wired router elements into their own jails, I can split and compartment both with simpler IPFW firewalls. Then on the host side, I'll just have a bridge0 interface that ties the two epairXa interfaces to the WAN port, and the host's own IPFW firewall will be much easier to manage and maintain. To test this idea, I am first attempting to jail the wifi network. It's easier (so I tell myself) to test this compared to the wired network router piece without bouncing my internet access up and down constantly.
 
It sounds like what you want to use is the /usr/share/examples/jails/jng script - have a look here: Thread vnet-netgraph-jail-s-fail-to-jng-bridge-to-lagg-interface.79295/#post-504059

Oddly enough, I found that exact thread last night. I haven't looked into using any existing tools or scripts yet, as I want to learn the raw commands to set things up manually, then switch to tools that do it via jail.conf or rc.conf (in the jail). Looking at the script, internally, it's using netgraph to set the bridge interface up. How exactly is this different from the standard ifconfig bridgeX commands? I have not read up too much on the whole netgraph subsystem yet.

Small progress, though! I turned off AP isolation in hostapd. It seems like that was stopping wireless traffic from my phone from getting to the bridge interface in the jail. I assigned the WLAN IPv4 address space to the bridge interface instead of the wlan0 interface, and also have ISC DHCPd listening on the bridge interface. My phone picks up an address assignment from DHCP, and running tcpdump on both bridge0 and jail0, I can see Android's hyper-chatty attempts to contact the Google mothership via the bridge interface, but none of those packets are showing up on the jail0 interface that is also attached to the bridge. So there is still some kind of disconnect where the traffic doesn't know it needs to route via jail0. I tried running route add default -iface jail0 as well, and that had no effect.

Also, does anyone know why hostapd's rc.d script has "nojail" in KEYWORDS? I cannot find any history on that. Thus far, hostapd seems to work perfectly fine from within a jail, provided you put the wlan0 interface inside the jail with it. I suspect it's some legacy thing that probably needs to be updated.
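The "raw commands" version of the setup being discussed, as an added example that is not part of this thread or of the FreeBSD jng script: the host creates an epair and a VNET jail, hands the epair's b end and the hostap-mode wlan0 to the jail, and bridges the a end to the wired LAN; inside the jail a second bridge0 joins wlan0 and the epair end (renamed jail0 to match the thread). The jail name, jail root, LAN interface, epair unit and wireless subnet are assumptions that can be overridden through the environment. With DRY_RUN=1 (the default) the script only prints the ifconfig(8)/jail(8)/jexec(8) commands; DRY_RUN=0 as root on FreeBSD executes them.

```shell
#!/bin/sh
# Added example, not code from the thread: manual ifconfig/jail sequence for a VNET
# jail that bridges the host's hostap-mode wlan0 to the jail end of an epair, so
# wireless clients come out on the host-side epair end with their LAN addresses intact.
# All names below are assumptions for the example; wlan0 is assumed to exist already
# (ifconfig wlan0 create wlandev <dev> wlanmode hostap). DRY_RUN=1 prints, DRY_RUN=0 runs.

JAIL=${JAIL:-wifi}
JAIL_ROOT=${JAIL_ROOT:-/usr/jails/wifi}
WLAN=${WLAN:-wlan0}
LAN_IF=${LAN_IF:-em0}
N=${N:-0}                              # epair unit: epair${N}a (host) / epair${N}b (jail)
WLAN_NET=${WLAN_NET:-192.168.50.1/24}  # wireless subnet; it lives on the jail's bridge
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Host side: create the epair and the jail, then hand the b end and wlan0 to the jail.
host_setup() {
    run ifconfig "epair${N}" create
    run ifconfig "epair${N}a" up
    run jail -c name="$JAIL" path="$JAIL_ROOT" host.hostname="$JAIL" vnet persist
    run ifconfig "epair${N}b" vnet "$JAIL"
    run ifconfig "$WLAN" vnet "$JAIL"
    # Tie the host end of the epair to the wired LAN at layer 2. Any address LAN_IF
    # carried must move onto bridge0: bridge members do not keep their own addresses.
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "epair${N}a" addm "$LAN_IF" up
    # Optional: have ipfw/pf see each frame once, on bridge0, instead of once per member.
    run sysctl net.link.bridge.pfil_bridge=1 net.link.bridge.pfil_member=0
}

# Jail side: interface names are per-vnet, so the jail gets its own bridge0.
jail_setup() {
    run jexec "$JAIL" ifconfig "epair${N}b" name jail0
    run jexec "$JAIL" ifconfig bridge0 create
    run jexec "$JAIL" ifconfig bridge0 addm "$WLAN" addm jail0 up
    run jexec "$JAIL" ifconfig "$WLAN" up
    run jexec "$JAIL" ifconfig jail0 up
    # The wireless subnet belongs on the bridge, not on wlan0. hostapd then runs inside
    # the jail on $WLAN with ap_isolate=0 so client frames are allowed to reach the bridge.
    run jexec "$JAIL" ifconfig bridge0 inet "$WLAN_NET"
    # Bridged frames cross bridge0 without this; it only matters once the jail routes
    # between subnets at layer 3.
    run jexec "$JAIL" sysctl net.inet.ip.forwarding=1
}

# Quick check: list the jail's bridge members and the host's.
show_bridges() {
    run jexec "$JAIL" ifconfig bridge0
    run ifconfig bridge0
}

setup_all() {
    host_setup
    jail_setup
    show_bridges
}

setup_all
```

Running it as `sh bridge-jail.sh` prints the plan; `DRY_RUN=0 sh bridge-jail.sh` applies it. After that, `tcpdump -ni epair0a` on the host should show the wireless clients' frames with their bridge-subnet addresses unchanged, which is the layer-2 pass-through the thread is after; the pfil sysctls are what decide whether an ipfw ruleset on the host sees those frames on bridge0 or on each member interface.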
If you’re looking for a manual configuration, you might search for genneko’s blog - those have a lot of really good information.