Solved FreeBSD 13.0-Release Jail slow networking

Hi, i use several Jails. When I upgraded the host from 12.2 to 13.0 (the Jails where upgraded, too) I realised that networking between the host and the Jails was really slow (after the upgrade). So I created a new Jail with 13.0-Release and networking was slow. Pinging the Jail IP from the host is fast, but starting a ssh connection into the Jail takes 20 seconds.
I reinstalled the host with 13.0 just to be sure it was not an upgrade failure. Imported one of the backup Jail and the network was still slow.
Created a new Jail from scratch with nothing in it, only 13.0 base system and sshd running. When I open an ssh connection from the host into the Jail it takes about 20 seconds before I can enter the password for the ssh user. Firewall is turned off, no vnet.
I created a clone for lo0 (lo1) and use that as Network interface for the Jail.
Here are the config files:
Host /etc/rc.conf
Code:
cat /etc/rc.conf
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="example.com"
ifconfig_vtnet0="DHCP"
ipv6_defaultrouter="fe80::1%vtnet0"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
gateway_enable="YES"
pf_enable="NO"
pflog_enable="NO"
jail_enable="YES"
cloned_interfaces="lo1"
Host /etc/jail.conf
Code:
cat /etc/jail.conf
$j="/jail";
path="$j/$name";
host.hostname="$name";
mount.devfs;
mount.fdescfs;
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
exec.consolelog="/var/tmp/$name";
$subnet="10.0.0";
interface="lo1";
ip4.addr="$interface|$subnet.$ip";

loghost {
        allow.raw_sockets;
        $ip = 1;
}
Jail /etc/rc.conf
Code:
root@loghost:~ # cat /etc/rc.conf
sshd_enable="YES"
sendmail_enable="NONE"
The sshd inside of the Jail uses port 22 and is bound to 10.0.0.1 as Listening Address.

Ifconfig output:
Code:
ifconfig
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
        ether XX:XX:XX:XX:XX:XX
        inet xxx.xxx.xxx.xxx netmask 0xfffffc00 broadcast XXX.XXX.XXX.XXX
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 10.0.0.1 netmask 0xffffffff
        inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I have no idea why it takes so long to open an SSH connection from the host to the jail.
Any help on how to solve this issue would be much appreciated.
 
Last edited by a moderator:
No, DNS does not work inside the jail. The Jail is not connected to the public ip from the host and I disabled the firewall so NAT is turned off as well.
 
Hmmm.... thinking about DNS: I set UseDNS explicitly to "no" in the Jail sshd_config file:
Code:
UseDNS no
Now the ssh connection is created instantly.
I will enable pf again and see if DNS is working in the other jails.
 
Last edited by a moderator:
Ok, I found the problem. The NAT rule in my pf.conf didn't work under FreeBSD 13:
Code:
nat pass on $ext_if from $net_jail to any -> $ext_if # $ext_if is vtnet0
I changed it to
Code:
nat on $ext_if from $net_jail to any -> $ext_ip
The main difference is that I now use the public IP Address from the host at the end in the NAT rule and not the Public Interface.
After this change, DNS is working correct in the jails and networking is fast again.
 
Last edited by a moderator:
Use:
Code:
nat on $ext_if from $net_jail to any -> ($ext_if)
 
Back
Top