ezjail, setfib and loopback connectivity


I'm fairly familiar with ezjail, but quite a n00b to setfib concepts; hopefully someone can help me out.

I have a problem with services on loopback interfaces in jails which use a separate fib - they don't work for me.

I've been configuring my ezjails as instructed in https://www.freebsd.org/doc/handbook/jails-ezjail.html, binding them to a cloned lo1 interface with a loopback address of 127.0.1.X (X being different for each jail) and to a physical interface with a public IP address of 193.53.106.X. Jails serve clients from the real IP address, but also use the loopback interface for internal services (e.g. a redis database).

The above works great with a single fib, but now I have a server with multiple network interfaces, and I'd like to serve both DMZ and LAN clients, on separate networks which can't communicate directly via the jail host.


cloned_interfaces="lo1 lo2"
static_routes="dmz dmzd nix nixd"
route_dmz="-net -interface bce0 -fib 1"
route_dmzd="default -fib 1"
route_nix="-net -interface bce2 -fib 2"
route_nixd="default -fib 2"
and the corresponding ezjail jail config:
export jail_somejail_fib="1"

As I said, the service listening on the physical interface appears to be working fine, but the one on the loopback interface does not. I guess it's something about static routes for loopback interfaces, but I struggle to figure out what.

Any help appreciated.
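One explanation that fits the symptom, offered here as an added example and not as part of the original post: the host route for a jail's 127.0.1.X address is installed by the kernel when the address is configured, and with net.add_addr_allfibs=0 that route lands only in the interface's FIB (FIB 0), so a jail whose processes run under fib 1 has no route to its own loopback address even though ifconfig inside the jail still shows it. The rc.conf fragment below (sh syntax, as /etc/rc.conf is) keeps the per-FIB DMZ/LAN routes from the post and adds one explicit host route per jail loopback address into that jail's FIB. The network prefixes, gateway addresses, jail addresses and the route names ending in lo1/lo2 are placeholders I chose, not values from the post; bce0, bce2, lo1, lo2 and the FIB numbers are the post's own.

```shell
# /etc/rc.conf fragment (added example; addresses and route names are
# placeholders, not values from the original post).
# Prerequisite: net.fibs=3 in /boot/loader.conf, otherwise FIB 1 and
# FIB 2 do not exist and "route add ... -fib 1" fails.

cloned_interfaces="lo1 lo2"

# DMZ jail loopbacks live on lo1, LAN jail loopbacks on lo2.  With ezjail
# the addresses themselves are attached when each jail starts; only the
# interfaces need to exist here.

static_routes="dmz dmzd dmzlo_a dmzlo_b nix nixd nixlo_a"

# FIB 1 (DMZ): connected route for bce0, its default gateway, and one host
# route per jail loopback address.  The host routes are the part the
# original post is missing: without them 127.0.1.X is known to FIB 0 only.
route_dmz="-net 193.53.106.0/24 -interface bce0 -fib 1"
route_dmzd="default 193.53.106.1 -fib 1"
route_dmzlo_a="-host 127.0.1.1 -interface lo1 -fib 1"
route_dmzlo_b="-host 127.0.1.2 -interface lo1 -fib 1"

# FIB 2 (LAN): same pattern for bce2 and the lo2 jail.
route_nix="-net 10.20.0.0/24 -interface bce2 -fib 2"
route_nixd="default 10.20.0.1 -fib 2"
route_nixlo_a="-host 127.0.2.1 -interface lo2 -fib 2"

# Checks from the jail host after "service routing restart":
#   netstat -rn -F 1                  # FIB 1 table must list 127.0.1.1 via lo1
#   setfib 1 route -n get 127.0.1.1   # must resolve instead of "not in table"
# and from inside the jail (it runs under fib 1 via jail_somejail_fib):
#   jexec somejail route -n get 127.0.1.1
```

The coarser alternative is net.add_addr_allfibs=1 (a loader tunable as well as a sysctl), which installs every interface's connected routes into every FIB. That makes the loopback addresses reachable from all FIBs, but it also copies the bce0 and bce2 connected routes into both FIB 1 and FIB 2, so a DMZ jail would gain a direct route to the LAN segment; the explicit per-jail host routes above keep the DMZ/LAN separation the post is after.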
Jails don't have a loopback interface. Use file sockets for IPC.
SirDice, thank you for the tip; that's definitely _a_ solution, but not _the_ solution for me :)

Should I conclude from your answer that cloned loopback interfaces in jails that use different fibs aren't possible, aren't the preferred way to go, or just that you don't know? :)
I rarely use FIBs, I just bind my jails to lo1 and accept the fact there's no local loopback.
Well, I also bind my jails to lo1. I'm not quite sure what you mean by not having a local loopback.

In a non-fib setup, my jail has two interfaces with addresses (as seen by ifconfig from within the jail) - on lo1 and on bce0. I am successfully serving apache from, which successfully contacts redis at. I'm giving apache and redis as an example, but I have a myriad of similar setups - unifi5 on the public address and mongodb on loopback, etc.

If I move my jail to fib1, it shows the same interfaces as in the non-fib setup. The problem is that the public one works fine, but the internal one does not. Switching from IP to sockets is the last possible solution.

Hope someone else chimes in as well...