Solved Creating Separate Virtual Interface For Jail

Deleted member 62636


Hello, I have set up a jail with ezjail() while following this handbook tutorial.
After setting it up, my physical interface that the host uses has two IPs, one for the jail and one for the host. For some programs listening on all IPs in the host's interface this is not ideal. Can I add a virtual interface with its own IP without having to do any physical modifications (adding a NIC, etc.)?
 

SirDice


You can clone lo1 and tie the jail to that. But this does mean you're going to have to do some NAT or static routing to make the jail accessible.

But you should bind the various services on the host to the host's IP address specifically instead of 0.0.0.0. The same for the jail's services, bind them to the specific IP address of the jail.
 
OP
Deleted member 62636


> You can clone lo1 and tie the jail to that. But this does mean you're going to have to do some NAT or static routing to make the jail accessible.
>
> But you should bind the various services on the host to the host's IP address specifically instead of 0.0.0.0. The same for the jail's services, bind them to the specific IP address of the jail.

Thanks! What is the most ideal way to do it? Binding IPs or doing NAT?
 

SirDice


Depends on your usage. If you have the ability to add more IP addresses to your current physical interface then I'd use that. Less complicated to set up. But if you're limited to one (external) IP address, like a hosted server for example, then I'd use the lo1 clone trick.
 

im


It works for me for the same purposes:

/etc/rc.conf
Code:
cloned_interfaces="lo1"
ifconfig_lo1="inet 192.168.111.1  netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 192.168.111.2  netmask 255.255.255.255"
ifconfig_lo1_alias1="inet 192.168.111.3  netmask 255.255.255.255"
ifconfig_lo1_alias2="inet 192.168.111.4  netmask 255.255.255.255"

Every jail has one of lo1's IPs.

Incoming traffic for jails is forwarded via NAT or NGINX.
"Nginx streams" may be an advanced solution.

Outgoing traffic of these jails is enabled via NAT.
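
To check the advice given earlier in this thread (bind services to specific addresses rather than 0.0.0.0), here is an added example, not part of any post in the thread, that classifies listening sockets from `sockstat -4 -l` output as wildcard, jail or host. It assumes sockstat's default column layout; the function names, the sample output and the host address 192.0.2.10 are constructed for illustration, and the jail addresses are the lo1 aliases from the rc.conf above.

```shell
#!/bin/sh
# Added example: audit which address each listening socket is bound to.
# Real use on the host:  sockstat -4 -l | classify_listeners <jail IPs...>

# Reads sockstat output on stdin; arguments are the jail IP addresses.
# Prints one line per listener: <class> <command> <proto> <local address>
#   wildcard = bound to *:port, so it also answers on the jail's address
#   jail     = bound to one of the listed jail addresses
#   host     = bound to any other specific address
classify_listeners() {
    awk -v jails="$*" '
    BEGIN {
        n = split(jails, a, " ")
        for (i = 1; i <= n; i++) jail[a[i]] = 1
    }
    NR > 1 {                       # skip the header line
        addr = $6                  # LOCAL ADDRESS column, e.g. *:22
        ip = addr
        sub(/:[^:]*$/, "", ip)     # strip the trailing :port
        if (ip == "*")       class = "wildcard"
        else if (ip in jail) class = "jail"
        else                 class = "host"
        print class, $2, $5, addr
    }' | sort -u
}

# Constructed sample of `sockstat -4 -l` output (not captured from a real host).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
www      nginx      901   6  tcp4   192.168.111.2:80      *:*
root     syslogd    640   7  udp4   *:514                 *:*
bind     named      733   20 tcp4   192.0.2.10:53         *:*
EOF
}

# Demo run against the constructed sample.
sample_sockstat | classify_listeners 192.168.111.2 192.168.111.3
```

Every line reported as `wildcard` is a service that should get an explicit listen address in its own configuration.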
 