Solved jail with network access

If I want to set up a jail during the FreeBSD install process, would I have to assign the jail an IP address on the same subnet as the host itself so that I can avoid needing NAT? Is that correct?

Or is there another approach I could use?

I'd like to have everything configured during the installation process, so I can merely reboot into the new system and create a BE (and reboot again).
 
You can assign an IP address on the same subnet; that will work. This is the perfect starting point.

A different approach is to assign an lo1 address and to use proxies on the host, listening on lo1, to transfer the traffic from and to the jail. Here I use dns/unbound for DNS and www/tinyproxy for the web stuff and pkg. The proxies are running on the host.
 
I have never tried running a service on the host during installation and am not optimistic that it would work, but I should try.

How would I route traffic? Isn't that the larger question? If it's on the same subnet, then it is easy: the gateway (default route) in the jail is the same as the host's.

I'm not entirely sure what you mean by an lo1 address; would it be an epair interface? Still, wouldn't I need routing, or is this just a way around that?
 
Quote:
I have never tried running a service on the host during installation and am not optimistic that it would work, but I should try.
The starting point is a running FreeBSD with the proxies up and running. In /usr/local/etc/pkg.conf of the jail you can specify a proxy, which in my situation is www/tinyproxy listening on lo1, as below:
Code:
pkg_env: {
        http_proxy: "http://10.0.0.254:8181"
}
Quote:
How would I route traffic, isn't that the larger question? If it's on the same subnet, then it is easy, the gateway (default route) in the jail is the same as the host.
The routing only goes as far as the proxies on the host, which forward everything to the jail and back. For example, Firefox also has the address 10.0.0.254:8181 as its proxy configuration. For DNS I have in /etc/resolv.conf of the jail
Code:
nameserver 10.0.0.254
which is where dns/unbound is listening.
Quote:
I'm not entirely sure what you mean by an L01 address, would it be an epair interface?
No, lo is normally 127.0.0.1. The lo1 is a cloned interface and used locally only.
In /etc/rc.conf you would enable it with
Code:
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
10.0.0.254 is in this case the lo1 address of the host. The lo1 address of the jail can be configured in /etc/jail.conf as in the example below
Code:
basejail {
        path = "/usr/jails/basejail";
        host.hostname = "basejail";
        ip4.addr = "10.0.0.1";
        interface = "lo1";
        mount.fstab = "/etc/fstab.basejail";
}
Then all traffic between the host and the jail can go from 10.0.0.254 to 10.0.0.1 and vice versa. There is no need for NAT, and one can use the log files of the proxies on the host for analysis.

I am not really good at explaining things, and I am just a hobbyist. I hope this is helpful anyhow :).
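As an added example (not code from the thread): a small Python check over constructed config fragments that use the thread's addresses. It verifies that the host lo1 address, the jail's ip4.addr, the pkg.conf proxy URL, tinyproxy (Port/Listen/Allow) and unbound (interface/access-control) agree with one another, and that both proxies are bound to lo1 and restricted to the jail network rather than reachable from every interface.

```python
import ipaddress
import re

# Constructed sample fragments (not the thread's own files) using the thread's
# addresses: host lo1 10.0.0.254/24, jail 10.0.0.1, www/tinyproxy on port 8181.
RC_CONF = 'cloned_interfaces="lo1"\nifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"\n'
JAIL_CONF = 'basejail {\n    ip4.addr = "10.0.0.1";\n    interface = "lo1";\n}\n'
PKG_CONF = 'pkg_env: {\n    http_proxy: "http://10.0.0.254:8181"\n}\n'
UNBOUND_CONF = 'server:\n    interface: 10.0.0.254\n    access-control: 10.0.0.0/24 allow\n'
TINYPROXY_OK = 'Port 8181\nListen 10.0.0.254\nAllow 10.0.0.0/24\n'
TINYPROXY_WEAK = 'Port 8181\n'  # no Listen/Allow: binds every interface, any client may use it

def _grab(pattern, text):
    """Return the capture groups of the first match of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def check_lo1_setup(rc_conf, jail_conf, pkg_conf, tinyproxy_conf, unbound_conf):
    """List the problems in a host-lo1 + proxy jail setup; an empty list means it is consistent."""
    problems = []
    host = _grab(r'^ifconfig_lo1="inet (\S+) netmask (\S+)"', rc_conf)
    jail = _grab(r'^\s*ip4\.addr\s*=\s*"([^"]+)"', jail_conf)
    proxy = _grab(r'http_proxy:\s*"http://([^:"]+):(\d+)"', pkg_conf)
    if not (host and jail and proxy):
        return ["rc.conf, jail.conf or pkg.conf is missing the lo1 address, jail address or proxy URL"]
    lo1 = ipaddress.ip_interface(f"{host[0]}/{host[1]}")   # accepts a dotted netmask
    jail_ip = ipaddress.ip_address(jail[0])
    if jail_ip not in lo1.network:
        problems.append(f"jail {jail_ip} is not on the host's lo1 network {lo1.network}")
    if proxy[0] != str(lo1.ip):
        problems.append(f"pkg.conf proxy {proxy[0]} is not the host lo1 address {lo1.ip}")
    # tinyproxy must bind only the lo1 address and admit only the jail network;
    # otherwise any client that can reach the host gets an open proxy.
    listen = _grab(r'^Listen\s+(\S+)', tinyproxy_conf)
    port = _grab(r'^Port\s+(\d+)', tinyproxy_conf)
    allow = _grab(r'^Allow\s+(\S+)', tinyproxy_conf)
    if not listen or listen[0] != str(lo1.ip):
        problems.append("tinyproxy does not Listen on the lo1 address only")
    if not port or port[0] != proxy[1]:
        problems.append("tinyproxy Port differs from the port in pkg.conf")
    if not allow or jail_ip not in ipaddress.ip_network(allow[0], strict=False):
        problems.append("tinyproxy has no Allow rule restricted to the jail network")
    # the same two conditions for the resolver
    iface = _grab(r'^\s*interface:\s*(\S+)', unbound_conf)
    acl = _grab(r'^\s*access-control:\s*(\S+)\s+allow', unbound_conf)
    if not iface or iface[0] != str(lo1.ip):
        problems.append("unbound does not listen on the lo1 address only")
    if not acl or jail_ip not in ipaddress.ip_network(acl[0], strict=False):
        problems.append("unbound has no access-control allow rule for the jail network")
    return problems
```

Run it against the real files by reading /etc/rc.conf, /etc/jail.conf, the jail's /usr/local/etc/pkg.conf, tinyproxy.conf and unbound.conf into the five arguments.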
 
That worked. One follow-up question: now that I have my jail pretty much running the way I want, the only issue I have is getting it to automatically set up my WAN interface with DHCP. Normally, on a bare-metal system, in /etc/rc.conf, I'd use:

Code:
ifconfig_wan=DHCP

However, that doesn't appear to work in the jail as the interface is always down when starting my jail. Whenever I go into the jail, I simply run

Code:
dhclient wan

And, I'm good to go. I suppose I could also add a line to jail.conf to run dhclient wan, but that seems hackish and I'd like to have it in /etc/rc.conf if possible.
 
Quote:
I would have to assign the jail an IP address on the same subnet as the host itself so that I can avoid needing to NAT? Is that correct?
Do you follow this path and not the lo1 approach?
It seems to me that you assign the jail an IP address on the same subnet as the host.
In this case I have no idea how to configure the sequence of DHCP for the host and the start of the jail.
 
For the initial jail setup, I used the lo1 approach. I assigned the host lo1 the address 10.0.0.254 as you have and the guest 10.0.0.1, and used the proxy and DNS servers. That let me set up the jail with the necessary packages etc.

Then, once everything was done, I commented out that assignment, added vnet, then assigned the wired and wan interfaces directly to the jail as this jail will function as the router for my network.

The hack that I ended up doing right now for the jail to get a DHCP address on the WAN interface when I start the jail is to merely add:

Code:
exec.created   += "jexec router dhclient wan";

Then, when starting the jail, it now has an IP address.

I would prefer to have it in the jail's /etc/rc.conf instead like a normal system though.
 