Solved Jail host on a separate VLAN than its jail(s)

[hakova]

My host's network interface is em0. I would like to assign the host an IP address on 192.168.1.* range (VLAN1) and create jails that are on VLAN20. The host is on a trunk. As of now, host's IP address is static and declared in the /etc/rc.conf file as follows:

ifconfig_em0="inet 192.168.1.203 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

# ifconfig gives the following output:

em0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4e520bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 3c:ec:ef:8f:53:18
        inet 192.168.1.203 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
em0bridge: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=0
        ether 58:9c:fc:10:ff:8f
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>

em0bridge is the bridge for the jails. It was created by bastille while creating a VNET jail.

I cannot create a jail with a working network on VLAN20 using bastille. I can do the same for jails that are on VLAN1 though.

In Debian, I was able to accomplish this by creating a bridge (something like em0.1bridge) and actually assigning the host's IP address to that bridge rather than to em0. Would that be the right way to do it in FreeBSD as well? If so, how can I accomplish this? Specifially, how can I design it in the /etc/rc.conf file?

Otherwise, I followed the documentation in Bastille website with still no success after spending hours on it. Please see the thread here. Any input will be greatly appreciated!

 

[lost_in_c]

It depends on how you set up networking for the jail. Whatever set up you accomplish, it won't be a 1:1 with Linux, you will have to design it from the ground up. There is a possibly relevant link, let me see if I can find it here for you (still, start with a review of jail types in the handbook, they are not all created equal):

It's a pdf file: https://freebsdfoundation.org/wp-content/uploads/2020/03/Jail-vnet-by-Examples.pdf

The problom (or, rather, feature) is that it's very hard to get network information in and out of a jail. So creating the bridge is a little more involved than just creating an interfece. A slight bit of voodoo seems to be involved.

 

[hakova]

Thank you so much for your quick reply lost_in_c , much appreciated. Unfortunately, it looks like a quick understanding of the root cause and a solution is not likely. After spending 8 hours on this problem today, and not being able to make any significant progress, it is hard for me to justify investing still more time on it. I will probably have to use other tools to achieve a similar result to what I was hoping for. I will be monitoring this topic here and other places and return to it in the future, when I get a bit more hope.

 

[lost_in_c]

I know the feeling. There is definitely a "FreeBSD way of doing things," which takes acclimitizing. On the other hand, unlike any other way of doing things with computers I have found, the answers are usually there, complete, functional, robust, and excrutiatingly documented.

Take a breather and come back to it. It won't be a Linux black hole, I promise you. You just have to dedicate a few minutes to understanding what a jail is, and why. The voodoo bridge in the document I linked is actually very intuitive and fairly simple once you reason it out. And it is guaranteed to be rock solid for many lifetimes.

The system you end up with will be fully yours, not some wrapper over some half assed interface that is meant for some company to do for you at the end of the day.

Walk it off and come back to it. My advice.

 

[hakova]

Wise words, thank you! it was my fault at the end. I didn't realize that the switch port, although being a trunk, didn't have membership to VLAN20. Once corrected, the problem solved itself.

 

[lost_in_c]

Hm, I guess bastille does some of the fancy stuff for you. I remember when I was looking into it, I had concluded that bastille missed something and it was better to do it by hand. But, knowing myself, I was probably looking at some weird and uncecessary edge case.

If your set up is getting too custom, maybe there was a simpler way of doing it. In my case there was.

Glad it worket out. Sometimes fresh air is better than a thousand docs.