Jails using host networking causing traffic to route to lo0 in jail regardless of jail.conf

Hi all,

I may be misunderstanding something here, but I seem to be struggling to get host networking to allow traffic from jail to my NIC, regardless of the 'interface' setting in jail.conf. I think I know why, but I've no idea how to fix it whilst still using host networking.

I have a host running FreeBSD 14.1-RELEASE which has 2 IPs on 10/8; these are 1:1 NAT'd by the hosting provider to external IP addresses.

Default router = 10.0.0.1
IP 1 = 10.0.0.100
IP 2 = 10.0.0.200

My intention is to use 10.0.0.100 for the host and 10.0.0.200 for the jail. Everything on the host works fine.

In the jail:
Code:
# ifconfig
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
ether 02:00:17:01:43:58
inet 10.0.0.200 netmask 0xffffffff broadcast 10.0.0.200
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
groups: lo
pflog0: flags=1000141<UP,RUNNING,PROMISC,LOWER_UP> metric 0 mtu 33152
options=0
groups: pflog

# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.0.0.200         link#2             UH          lo0

jail.conf on the host:
Code:
# STARTUP/LOGGING
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_console_${name}.log";

# PERMISSIONS
allow.raw_sockets;
exec.clean;
mount.devfs;

# HOSTNAME/PATH
host.hostname = "${name}.internal";
path = "/usr/jail/${name}";

development {
  interface = "vtnet0";
  ip4.addr = "10.0.0.200";
}

The effect of this is that any traffic initiated from the jail leaves on lo0, when I want it to leave on vtnet0. I've confirmed this with tcpdump; any traffic initiated in the jail leaves on lo0 and not vtnet0. Therefore, it is not possible to initiate external connections from the jail, but incoming traffic is fine.

The default route on the host for vtnet0 is 10.0.0.1 and I assumed that the jail's instance of vtnet0 would use this. I'm not using vnet, and therefore sharing a networking stack as I understand it.

I realise that I could use netgraph or vnet, but I'd like to understand why this is not working.
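The script below is an added example, not code from the original post. It illustrates one thing a practitioner should know when reading `netstat -nr` inside a jail without vnet: the kernel exports to a jailed process only the host routes whose destination is one of the jail's own addresses, so the host's default route is hidden from the jail's view even though the shared stack still uses it for the jail's outbound packets. The jail name `development`, the interface `vtnet0`, the gateway `10.0.0.1` and the jail address `10.0.0.200` are taken from the post; the host-side routing table, the helper names and the probe procedure are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows why a non-VNET
# jail's own `netstat -nr` cannot tell you where its packets leave: the
# kernel exports only routes the jail's addresses may use, so the host's
# default route is hidden but still applies to the jail's traffic.
# Names from the post: jail "development", interface vtnet0, gateway
# 10.0.0.1, jail address 10.0.0.200. Everything else is assumed.

# Constructed sample: the routing table exactly as the post shows it from
# inside the jail (only the host route for the jail's own address).
JAIL_RT='Destination        Gateway            Flags     Netif Expire
10.0.0.200         link#2             UH          lo0'

# Constructed sample: an assumed host-side table for the same machine.
# Its default route is what the shared stack really uses for the jail.
HOST_RT='Destination        Gateway            Flags     Netif Expire
default            10.0.0.1           UGS      vtnet0
10.0.0.0/8         link#1             U        vtnet0
10.0.0.100         link#1             UHS         lo0
10.0.0.200         link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0'

# route_netif TABLE DEST: print the Netif column of the route whose
# Destination field is exactly DEST, or nothing if there is none.
route_netif() {
    printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { print $4; exit }'
}

# egress_for TABLE DEST: simplified lookup. An exact host route wins,
# then the default route, else "none". Prefix routes such as 10.0.0.0/8
# are deliberately not evaluated; this is a diagnostic, not a FIB.
egress_for() {
    nif=$(route_netif "$1" "$2")
    [ -n "$nif" ] || nif=$(route_netif "$1" default)
    [ -n "$nif" ] || nif=none
    printf '%s\n' "$nif"
}

# live_check JAIL [IFACE] [DEST]: on a FreeBSD host, watch both candidate
# interfaces while the jail sends one probe, and print the one(s) the
# probe actually left on. Needs root, tcpdump(1), timeout(1), and the
# jail's allow.raw_sockets (set in the post's jail.conf) so ping works.
live_check() {
    jail=$1; iface=${2:-vtnet0}; dest=${3:-10.0.0.1}
    dir=$(mktemp -d) || return 1
    for i in "$iface" lo0; do
        # -c 1 stops at the first matching packet; timeout bounds the wait
        timeout 5 tcpdump -nni "$i" -c 1 "dst host $dest" >"$dir/$i" 2>/dev/null &
    done
    sleep 1                      # let both captures attach before probing
    jexec "$jail" ping -c 1 -W 1000 "$dest" >/dev/null 2>&1 || true
    wait
    for i in "$iface" lo0; do
        [ -s "$dir/$i" ] && printf '%s\n' "$i"
    done
    rm -rf "$dir"
}

# With a jail name on the command line run the live capture; otherwise
# just show what the two table views claim about the post's scenario.
if [ $# -gt 0 ]; then
    live_check "$@"
else
    printf 'jail view -> 10.0.0.1 via %s\n' "$(egress_for "$JAIL_RT" 10.0.0.1)"
    printf 'host view -> 10.0.0.1 via %s\n' "$(egress_for "$HOST_RT" 10.0.0.1)"
fi
```

Run without arguments anywhere to see the two views disagree (the jail view reports no usable route to 10.0.0.1, the host view reports vtnet0); run as root on the FreeBSD host as `sh egress.sh development vtnet0 10.0.0.1` to capture which interface the jail's probe actually leaves on, which is the only authoritative answer when the filtered jail view and the host table disagree.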