Need help with static routes on a jail

[sim]

Hi

I need help configuring static route network access from a jail. The host has two NICs, one connected to the public network/internet (em0) and the other connected to a local development network (em1):

defaultrouter="10.0.118.1"
ifconfig_em0="inet 10.0.118.211 netmask 255.255.255.0 broadcast 10.0.118.255"
ifconfig_em0_alias0="10.0.118.212 netmask 255.255.255.255"

ifconfig_em1="inet 192.168.4.154 netmask 255.255.255.0 broadcast 192.168.4.255"
static_routes="devel"
route_devel="-net 10.0.99.0/24 192.168.4.1"

Network access from the Host works as expected - all addresses on 10.0.99/24 go through em1, everything else through em0. No problem.

My problem is with a jail on the same host, on em0. The jail can successfully access destinations addresses on em0, but fails when attempting to access em1 via the static route, e.g. 10.0.99.2. I think I understand why (the jail's IP is aliased on em0), and I know that jails have the host's routing table. So the question is, can this be solved, or is it beyond the network restrictions inherent in a jail?

Routing table on host:

Internet:
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.118.1         UGS         0     3165    em0
10.0.99.0/24       192.168.4.1        UGS         0     1684    em1
10.0.118.0/24      link#1             U           0     9251    em0
10.0.118.211       link#1             UHS         0        0    lo0
10.0.118.212       link#1             UHS         0   140380    lo0 =>
10.0.118.212/32    link#1             U           0        0    em0
127.0.0.1          link#4             UH          0     1594    lo0
192.168.4.0/24     link#3             U           0        0    em1
192.168.4.154      link#3             UHS         0        0    lo0

Host network config:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:4e:2f:b1
        inet 10.0.118.211 netmask 0xffffff00 broadcast 10.0.118.255
        inet6 fe80::a00:27ff:fe4e:2fb1%em0 prefixlen 64 scopeid 0x1 
        inet 10.0.118.212 netmask 0xffffffff broadcast 10.0.118.212
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:db:f6:df
        inet 192.168.4.154 netmask 0xffffff00 broadcast 192.168.4.255
        inet6 fe80::a00:27ff:fedb:f6df%em1 prefixlen 64 scopeid 0x3 
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
        inet 127.0.0.1 netmask 0xff000000 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Any help from jail / networking gurus much appreciated!

sim

 

[SirDice]

I think you just need to turn on routing (on the host):

gateway_enable="YES"

 

[sim]

Hi @SirDice,

I tried that by setting net.inet.ip.forwarding=1, which I gather does the same thing as

gateway_enable="YES"

It didn't appear to have any effect - maybe I need to restart networking / routing etc?

I was hoping I could recreate the scenario on my home PC to test over the weekend but it looks like I'll have to wait till I'm back at work tomorrow to try again.

Thanks for you help,

sim

 

[sim]

Coming at it from a different angle...

I didn't realise jails could take multiple IPs, but it seems they can: http://forums.freebsd.org/showthread.php?t=4382

If I give my jail an IP from the 192.168.4.x range as well as the existing 10.0.118.x range, I wonder if that could fix the problem? Looking forward to trying this tomorrow!

sim