Need help with setfib and routing/IPFW configuration for jails

[norbi771]

Hello,

I am using FreeBSD 9.1 with two NICs and two gateways set via setfib. I have a web server running on NIC1 in a jail. A database is running in the second jail hooked to NIC2. I can access both jails in the way I should, but I cannot access the database from the webserver jail.

Here is my rc.local

/sbin/route delete default
/usr/sbin/setfib 0 /sbin/route delete default
/usr/sbin/setfib 0 /sbin/route add default 10.x.x.x

/usr/sbin/setfib 1 /sbin/route delete default
/usr/sbin/setfib 1 /sbin/route add default 148.x.x.x


ipfw -f flush
ipfw add allow    ip from any to any via lo0
ipfw add setfib 0 ip from any to any via vmx3f1
ipfw add setfib 1 ip from any to any via vmx3f0
ipfw add allow    ip from any to any

Could you advise how to configure ipfw/routing, so I can access the DB from a Web server jail? I tried to figure out how to make it, but didn't succeed :-(

Thank you in advance.

 

[SirDice]

Please post the settings for your jails.

 

[norbi771]

Thank you for looking into that issue. My jails are configured via ezjail with fib support

/etc/rc.conf:

ipv4_addrs_vmx3f1="10.251.8.1-6/24"
ipv4_addrs_vmx3f0="148.x.x.75/24"
defaultrouter="NO"

ezjail_enable="YES"
jail_sysvipc_allow="YES"
gateway_enable="YES"

basic fib configuration:

/etc/rc.local:

/sbin/route delete default
/usr/sbin/setfib 0 /sbin/route delete default
/usr/sbin/setfib 0 /sbin/route add default 10.251.8.254

/usr/sbin/setfib 1 /sbin/route delete default
/usr/sbin/setfib 1 /sbin/route add default 148.x.x.71

ipfw -f flush
ipfw add allow    ip from any to any via lo0
ipfw add setfib 0 ip from any to any via vmx3f1
ipfw add setfib 1 ip from any to any via vmx3f0
ipfw add allow    ip from any to any

/boot/loader.conf:

vmxnet3_load="YES"
# Beginning of the block added by the VMware software - DO NOT EDIT
vmxnet_load="YES"
# End of the block added by the VMware software
accf_http_load="YES"
ipfw_load="YES"
net.fibs=2

/usr/local/etc/ezjail/db:

export jail_db_hostname="db"
export jail_db_ip="10.251.8.4"
export jail_db_rootdir="/usr/jails/db"
export jail_db_exec_start="/bin/sh /etc/rc"
export jail_db_exec_stop=""
export jail_db_mount_enable="YES"
export jail_db_devfs_enable="YES"
export jail_db_devfs_ruleset="devfsrules_jail"
export jail_db_procfs_enable="YES"
export jail_db_fdescfs_enable="YES"
export jail_db_image=""
export jail_db_imagetype=""
export jail_db_attachparams=""
export jail_db_attachblocking=""
export jail_db_forceblocking=""
export jail_db_zfs_datasets=""
export jail_db_cpuset=""
export jail_db_fib=""

/usr/local/etc/ezjail/www:

export jail_www_hostname="www"
export jail_www_ip="148.x.x.75"
export jail_www_rootdir="/usr/jails/www"
export jail_www_exec_start="/bin/sh /etc/rc"
export jail_www_exec_stop=""
export jail_www_mount_enable="YES"
export jail_www_devfs_enable="YES"
export jail_www_devfs_ruleset="devfsrules_jail"
export jail_www_procfs_enable="YES"
export jail_www_fdescfs_enable="YES"
export jail_www_image=""
export jail_www_imagetype=""
export jail_www_attachparams=""
export jail_www_attachblocking=""
export jail_www_forceblocking=""
export jail_www_zfs_datasets=""
export jail_www_cpuset=""
export jail_www_fib="1"

 

[norbi771]

The answer was simpler than I could ever think of, it had nothing to do with ipfw pf.

I finally ended up with:

setfib 1 route add -host 10.251.8.4 10.251.8.1