Jail network configuration with VNET and bridge

Hi there,

I am trying to set up networking for a jail with VNET, and have been following the instructions from the handbook, but I can't get the jail to connect to anything beyond the host. I can ping the host from the jail and vice versa, but I cannot ping the gateway (or any other computers on the network).

I have found other posts with similar problems, but none of the solutions worked for me. I've also read that bridge and wireless cards sometimes don't play nice, so maybe that's the problem, but I don't know how to verify that.

Below are rc.conf and jail.conf from the host, followed by ifconfig and netstat -rn output from both the host and the jail.

Thanks for any help in advance.

Code:
# cat /etc/rc.conf
# Host /etc/rc.conf. The host's only working uplink is wlan0 (an 802.11 station on
# iwlwifi0); re0 is not configured here and shows "no carrier" in the ifconfig output.
clear_tmp_enable="YES"
# -ss: syslogd opens no network socket at all (neither receives nor sends remote logs).
syslogd_flags="-ss"
hostname="hateno"
# wlan0 is a station interface on iwlwifi0, authenticated with WPA and addressed by DHCP;
# the host's IPv4/IPv6 addresses therefore live on wlan0, not on bridge0.
wlans_iwlwifi0="wlan0"
ifconfig_wlan0="WPA DHCP"
ifconfig_wlan0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
powerd_enable="YES"
moused_nondefault_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
jail_enable="YES"
jail_parallel_start="YES"
# bridge0 is created at boot with wlan0 as its only member; each VNET jail's epair "a"
# half is added to it by that jail's exec.prestart in jail.conf.
# NOTE(review): wlan0 is an 802.11 *station* interface. A bridge forwards frames whose
# source MAC is the jail's epair address, but a station association only carries frames
# from the station's own MAC, so bridged jail traffic reaches the host and dies at the AP.
# Also, whether the host's pf/ipfw sees jail<->LAN frames crossing this bridge depends on
# the net.link.bridge.pfil_member / pfil_bridge sysctls (see bridge(4)) — confirm before
# relying on the host firewall to filter a bridged jail.
cloned_interfaces="bridge0"
ifconfig_bridge0="addm wlan0 up"

# cat /etc/jail.conf.d/vnet_test.conf 
# VNET jail "vnet_test": its epair "a" half is attached to the host's bridge0 (which also
# holds wlan0), so the jail is intended to appear as a separate layer-2 host on the
# 192.168.178.0/24 LAN with the static address .202.
vnet_test {
  # STARTUP/LOGGING
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.consolelog = "/var/log/jail_console_${name}.log";

  # PERMISSIONS
  # allow.raw_sockets lets processes in the jail open raw sockets — needed for ping and
  # traceroute, but it also lets jailed root craft arbitrary IP packets on the LAN-facing
  # epair. Drop it once debugging is done if the jail does not need it.
  allow.raw_sockets;
  # exec.clean runs the exec.* commands in a clean environment instead of inheriting the
  # host's (jail.conf(5)).
  exec.clean;
  mount.devfs;
  # NOTE(review): ruleset 5 is not shown on this page; confirm in /etc/defaults/devfs.rules
  # or /etc/devfs.rules that it exposes only the devices a VNET jail needs.
  devfs_ruleset = 5;

  # HOSTNAME/PATH
  host.hostname = "${name}";
  path = "/usr/local/jails/containers/${name}";

  # VNET/VIMAGE
  vnet;
  # The "b" half of the epair is moved into the jail's own network stack.
  vnet.interface = "${epair}b";

  # NETWORK/INTERFACES
  $id = "202"; 
  # Static address inside a LAN the host itself gets by DHCP. If the DHCP server's pool
  # covers .202 this can collide with another client — reserve it on the server or pick an
  # address outside the pool.
  $ip = "192.168.178.${id}/24";
  $gateway = "192.168.178.1";
  $bridge = "bridge0"; 
  $epair = "epair${id}";

  # ADD TO bridge INTERFACE
  # exec.prestart runs on the host before the jail exists. "ifconfig epair202 create"
  # produces both epair202a and epair202b; the "a" half stays on the host and joins bridge0.
  exec.prestart += "ifconfig ${epair} create up";
  exec.prestart += "ifconfig ${epair}a up descr jail:${name}";
  exec.prestart += "ifconfig ${bridge} addm ${epair}a up";
  # exec.start runs inside the jail's vnet: address the "b" half and install the default route.
  exec.start    += "ifconfig ${epair}b ${ip} up";
  exec.start    += "route add default ${gateway}";
  # exec.poststop runs on the host after the jail has stopped; destroying one half of an
  # epair removes the whole pair (epair(4)).
  exec.poststop += "ifconfig ${bridge} deletem ${epair}a";
  exec.poststop += "ifconfig ${epair}a destroy";
}

# ifconfig
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether 7c:83:34:b9:08:30
    media: Ethernet autoselect (none)
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=0
    ether 64:49:7d:f4:8a:b7
    inet 192.168.178.83 netmask 0xffffff00 broadcast 192.168.178.255
    inet6 fe80::6649:7dff:fef4:8ab7%wlan0 prefixlen 64 scopeid 0x3
    inet6 fd00::6649:7dff:fef4:8ab7 prefixlen 64 autoconf pltime 3600 vltime 7200
    inet6 fd1f:cc93:3c04:4a34:6649:7dff:fef4:8ab7 prefixlen 64 autoconf pltime 1800 vltime 1800
    groups: wlan
    ssid highspeed.vol.at-ME channel 1 (2412 MHz 11g) bssid dc:39:6f:1c:6f:b2
    regdomain FCC country US authmode WPA2/802.11i privacy ON
    deftxkey UNDEF AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 30 bmiss 7
    scanvalid 60 protmode CTS wme roaming MANUAL
    parent interface: iwlwifi0
    media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
    status: associated
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=0
    ether 58:9c:fc:10:9a:61
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: epair202a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000
    member: wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 3 priority 128 path cost 370370
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
epair202a: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: jail:vnet_test
    options=8<VLAN_MTU>
    ether 02:40:e9:1e:51:0a
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
# jexec vnet_test ifconfig
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair202b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:40:e9:1e:51:0b
    inet 192.168.178.202 netmask 0xffffff00 broadcast 192.168.178.255
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

# netstat -rn 
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.1      UGS       wlan0
127.0.0.1          link#2             UH          lo0
192.168.178.0/24   link#3             U         wlan0
192.168.178.83     link#2             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             link#2                        URS         lo0
::1                               link#2                        UHS         lo0
::ffff:0.0.0.0/96                 link#2                        URS         lo0
fd00::/64                         link#3                        U         wlan0
fd00::6649:7dff:fef4:8ab7         link#2                        UHS         lo0
fd1f:cc93:3c04:4a34::/64          link#3                        U         wlan0
fd1f:cc93:3c04:4a34:6649:7dff:fef4:8ab7 link#2                  UHS         lo0
fe80::%lo0/10                     link#2                        URS         lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
fe80::%wlan0/64                   link#3                        U         wlan0
fe80::6649:7dff:fef4:8ab7%lo0     link#2                        UHS         lo0
ff02::/16                         link#2                        URS         lo0
# netstat -j vnet_test -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.178.1      UGS    epair202
127.0.0.1          link#7             UH          lo0
192.168.178.0/24   link#6             U      epair202
192.168.178.202    link#7             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             link#7                        URS         lo0
::1                               link#7                        UHS         lo0
::ffff:0.0.0.0/96                 link#7                        URS         lo0
fe80::%lo0/10                     link#7                        URS         lo0
fe80::%lo0/64                     link#7                        U           lo0
fe80::1%lo0                       link#7                        UHS         lo0
ff02::/16                         link#7                        URS         lo0
 
Bridging a wireless station interface does not work. In 802.11 station mode the access point only accepts frames whose source address is the MAC the station associated with (64:49:7d:f4:8a:b7 here), whereas a bridge member has to forward frames carrying other source addresses — in this case the jail's epair MAC 02:40:e9:1e:51:0b. That amounts to MAC spoofing, and the wireless interface/AP will not carry it. This matches the symptom exactly: host and jail can reach each other through bridge0, but nothing from the jail makes it past wlan0 to the gateway or the rest of the LAN.
 
Instead, attach the jail's epair to an internal network that has no wireless member — a bridge with no physical interface, or a cloned lo1 — on its own private subnet, rather than to wlan0. The host then routes for the jail: set gateway_enable="YES", point the jail's default route at the host's address on that internal subnet, and NAT the jail's subnet out through wlan0 with pf or ipfw (or run a proxy on the host). A side benefit is that the jail no longer has raw layer-2 access to the LAN and every jail packet passes the host's packet filter.
 