iocage jail can only reach its host but not the LAN

I'm in the middle of setting up a dedicated server. It's running ESXi and I installed a FreeBSD guest.
Using iocage I want to create some jails. I have done this before more than once and usually this is strait-forward... but this time I'm stuck somehow.
The jail is created with vnet=on and I assigned a static IP. From the jail I can ping the FreeBSD host but not for example the pfSense instance that's running in the same network. Reaching pfSense from the FreeBSD host is no problem.
To me it seems the traffic can't flow further than the FreeBSD host... but I'm not sure why. I compared the settings with what I have on my home server and things looks identical. Maybe there is something different because it's running inside ESXi but I'm not 100%.

Another issue I noticed: Usually I set the IP address on the bridge0 interface instead on em0 but this seems not to work properly in this scenario. When I set the IP on the bridge then the FreeBSD host itself had not connectivity. It feels that this could be related somehow...

Any ideas?

ifconfig host:
Code:
ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
    ether 00:0c:29:30:11:07
    inet 10.23.0.10 netmask 0xffff0000 broadcast 10.23.255.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:4c:98:3e:bd:00
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: vnet0.6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 4 priority 128 path cost 2000
    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>

vnet0.6: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: template as nic: epair0b
    options=8<VLAN_MTU>
    ether 00:0c:29:5a:d2:94
    hwaddr 02:bb:a1:19:51:0a
    inet6 fe80::20c:29ff:fe5a:d294%vnet0.6 prefixlen 64 scopeid 0x4
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

ifconfig jail:
Code:
ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 00:0c:29:5a:d2:95
    hwaddr 02:bb:a1:19:51:0b
    inet 10.23.0.6 netmask 0xffff0000 broadcast 10.23.255.255
    inet6 fe80::20c:29ff:fe5a:d295%epair0b prefixlen 64 tentative scopeid 0x2
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

/etc/sysctl.conf freebsd host:
Code:
cat /etc/sysctl.conf
...
# vnet iocage
net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
net.link.bridge.pfil_member=0  # Packet filter on the member interface

ping host:
Code:
ping 10.23.0.1
PING 10.23.0.1 (10.23.0.1): 56 data bytes
64 bytes from 10.23.0.1: icmp_seq=0 ttl=64 time=0.155 ms


ping 10.23.0.6
PING 10.23.0.6 (10.23.0.6): 56 data bytes
64 bytes from 10.23.0.6: icmp_seq=0 ttl=64 time=5.062 ms
ping jail:
Code:
ping 10.23.0.10
PING 10.23.0.10 (10.23.0.10): 56 data bytes
64 bytes from 10.23.0.10: icmp_seq=0 ttl=64 time=5.621 m


ping 10.23.0.1
PING 10.23.0.1 (10.23.0.1): 56 data bytes


ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
 
Last edited by a moderator:
It may be that the ESXi network settings on the guest VM itself are also filtering traffic. VirtualBox has Bridged and Promiscuous options that I set for jails.
 
  • Thanks
Reactions: k2c
Back
Top