FreeBSD 12, jails, vnet (aka: "another release, another problem")

I

irukandji

Is there any guide how to set up jails (iocage) with vnet (I want to pf filter jails access to internal network)?

This is really starting to frustrate me, I am desperately trying to filter traffic from jails to internal network and wasted a few weeks worth of work in last 3 releases to no success. I have turned around all the freaking tutorials that exist on internet, to no success and in each release some different problems =/

Release 12, took iocage tutorial (bridge, vnets), jails can't connect anywhere =/

I have checked the kernel configuration and VIMAGE is compiled in by default. One of the things that I have disabled (well as much as I could without recompiling kernel) is IPV6 as it is a complete overhead of administration for home network, but I doubt this could be the reason.

In jail ping -S <jail ip> <gateway> doesn't work and returns "ping: bind: Can't assign requested address" which is somehow strange (raw sockets are enabled).

Routing table seems fine.

I am not clueless about networking but this one is wearing me down, I have capitulated two times already and not using jails as they are completely useless to me, if there is no way to DMZ them.

Code: 
cloned_interfaces="bridge1"
ifconfig_bridge1="addm re0 up"

Code: 
net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
net.link.bridge.pfil_member=0  # Packet filter on the member interface

Code: 
"defaultrouter": "192.168.1.1",
"interfaces": "vnet1:bridge1",
"ip4_addr": "vnet1|192.168.1.21/24",
 
Last edited by a moderator:
I'm not using iocage , because it was broken when I tried to use it, but I'm sure that 1.0 came out this week ?

Personally , I would recommend cbsd , but sure we can do it the hard way , which I like most :) .

To get vnet jails working you need this setup.

Create a bridge .

Attach the your phys. nic to the bridge.

Attach the vnet-a to the bridge.

Vnet-b will be in the jail.

Configure an ip address and default gateway inside the jail.

Now you should able to ping the internet.

From that point on , you can enable pf .

I have never used pf , but it is on my list !


-----

Don't disable IPv6 , it's worth it :) .

You don't need to enable any syctl values to get vnet stuff working.

Because your host does not route any traffic from subnet A to X , you can disable ip forwarding which is the default . You only activate it on routers or I have enable it on one of my vpn jails where I do routing stuff.



regards, sebastian
 
In jail ping -S <jail ip> <gateway> doesn't work and returns "ping: bind: Can't assign requested address" which is somehow strange (raw sockets are enabled).
Click to expand...

I suppose you may have given up, but can you provide your ifconfig output from the jail? This error would indicate that the address ("jail ip") is not available to the jail. Raw sockets not being enabled would result in a "Permission denied".


There are several ways to accomplish a "standard" network with vnet jails, but I personally prefer epair interfaces.
Basically, you create a bridge interface on the host, then create an epair interface. You attach one end of it to the bridge and the other you "put inside the jail" using a command that is something like ifconfig epair1b vnet <jailname> if I recall.

If you want this to be automatic upon launching the jail, you can put it in a script and refer to the script in jail.conf.

However I have not used iocage as we have done everything from scratch- it's not too much if you need the control. So I can't interpret or diagnose your iocage configuration.

If you're still working on this I can give you more details.
 
You must log in or register to reply here.
Back
Top