Network connectivity with Bastille VNET jails

I am new to jails (and not a networking specialist), and struggle to configure a VNET jail correctly with bastille. This is my jail setup:

Code:
bastille setup vnet
bastille create -V alcatraz 15.0-RC3 "192.168.0.24/24 fdb6:01b5:3992:e964::24/64" vtnet0

The jail is created, along with the bridge (vtnet0bridge) and the epair (e0a_alcatraz on the host, e0b_alcatraz as vnet0 in the jail, with the private IP subnets above). The host is configured as gateway (sysrc gateway_enable="YES").

With this configuration alone, the host cannot reach the jail, and the jail cannot reach the host (and the internet).

When I add an IP address from the jail subnet to vtnet0bridge (ifconfig vtnet0bridge inet 192.168.0.1/24), a connection to the jail (ping 192.168.0.24) is possible with the following pf configuration:

Code:
vnet_if = "vtnet0bridge"
vnetnet = "192.168.0.0/24"

pass quick on $vnet_if inet from $vnetnet to any keep state

But from the jail, I cannot reach the internet (network unreachable). The host's public IP was set as defaultrouter by bastille for the jail, so I tried setting it to the IP added to vtnet0bridge (192.168.0.1) and added a NAT rule to the host's pf configuration (nat on $ext_if from $vnetnet to any -> ($ext_if)) without success.

I can ping 192.168.0.1 (when this address is configured as defaultrouter), but not the host's public IP in the original setting (defaultrouter = host's public IP). /etc/rc.conf contains the following:

Code:
ifconfig_e0b_alcatraz_name="vnet0"
ifconfig_vnet0="inet 192.168.0.24/24"
ifconfig_vnet0_ipv6="inet6 -ifdisabled fdb6:01b5:3992:e964::24/64"
defaultrouter="192.168.0.1"
ipv6_defaultrouter="fe80::1%vtnet0"

I did RTFM (FreeBSD handbook and Bastille documentation), but still cannot wrap my head around this. How can I get out of the jail and into the world?
 
Quoting the first post:

Code:
bastille setup vnet
bastille create -V alcatraz "192.168.0.24/24 fdb6:01b5:3992:e964::24/64" vtnet0
I wonder if the “gateway_enable” has anything to do with it.

As long as the IP you specify is within your subnet, things should just work.

BTW did you forget to type the RELEASE in the create command?

Do you mind sharing the output (relevant output) of ‘ifconfig’ of the host and jail?
 
Problem solved! I had changed the defaultrouter parameter in /etc/rc.conf, but did not restart the jail afterwards. Restarting the jail (or manually adding the default route: route add default 192.168.0.1) established connectivity to the host and the internet.
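The fix above (rc.conf was changed but the jail kept its old routing table until it was restarted) is easy to check for before guessing at pf rules. The following POSIX shell script is an added example, not code from the thread or from Bastille: it compares the defaultrouter set in a jail's rc.conf with the default route actually installed in the jail. The sample rc.conf and netstat tables are constructed here for the demonstration; on a real host you would feed it `cat /usr/local/bastille/jails/alcatraz/root/etc/rc.conf` (Bastille's default layout; adjust if bastille_prefix differs) and `jexec alcatraz netstat -rn -f inet`. The 203.0.113.10 address stands in for the host's public IP.

```shell
#!/bin/sh
# Added example (not from the thread): detect a jail whose running default
# route does not match the defaultrouter in its rc.conf, i.e. the jail was not
# restarted after rc.conf changed, or the route was never installed.

# Print the IPv4 defaultrouter value from rc.conf text on stdin.
# Last assignment wins, as in sh; sysrc writes values double-quoted.
configured_defaultrouter() {
    awk -F= '/^[ \t]*defaultrouter=/ { v = $2; gsub(/"/, "", v); last = v }
             END { print last }'
}

# Print the gateway of the "default" entry from `netstat -rn -f inet` on stdin.
live_default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# check_default_route RCCONF_TEXT NETSTAT_TEXT
# exit 0: live gateway matches rc.conf; 1: mismatch (stale route);
# 2: no defaultrouter configured or no default route installed at all.
check_default_route() {
    want=$(printf '%s\n' "$1" | configured_defaultrouter)
    have=$(printf '%s\n' "$2" | live_default_gateway)
    if [ -z "$want" ]; then
        echo "no defaultrouter set in rc.conf"
        return 2
    fi
    if [ -z "$have" ]; then
        echo "no default route installed: this is the jail's 'network unreachable'; restart the jail or: route add default $want"
        return 2
    fi
    if [ "$want" = "$have" ]; then
        echo "ok: default route via $have matches rc.conf"
        return 0
    fi
    echo "stale: rc.conf says $want but the jail routes via $have; restart the jail or: route change default $want"
    return 1
}

# Constructed sample inputs (not the thread's real files).
RCCONF='ifconfig_e0b_alcatraz_name="vnet0"
ifconfig_vnet0="inet 192.168.0.24/24"
defaultrouter="192.168.0.1"
ipv6_defaultrouter="fe80::1%vtnet0"'

# Table with no default route: the public-IP gateway bastille wrote at create
# time is off-subnet, so the route never got installed.
NETSTAT_MISSING='Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#2             UH          lo0
192.168.0.0/24     link#8             U         vnet0
192.168.0.24       link#8             UHS         lo0'

# Table with a default route that no longer matches rc.conf.
NETSTAT_STALE='Destination        Gateway            Flags     Netif Expire
default            203.0.113.10       UGS       vnet0
192.168.0.0/24     link#8             U         vnet0'

# Table after the jail restart (or `route add default 192.168.0.1`).
NETSTAT_FIXED='Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS       vnet0
192.168.0.0/24     link#8             U         vnet0'

# Run the check against the three tables; the exit status is printed after each.
check_default_route "$RCCONF" "$NETSTAT_MISSING" && echo "exit=0" || echo "exit=$?"
check_default_route "$RCCONF" "$NETSTAT_STALE"   && echo "exit=0" || echo "exit=$?"
check_default_route "$RCCONF" "$NETSTAT_FIXED"   && echo "exit=0" || echo "exit=$?"
```

The script only reads text, so it is safe to run from the host against any jail; a non-zero exit is the cue to restart the jail (or add the route by hand) before touching pf.conf, since no NAT or pass rule can help a jail that has no route out.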
 
BTW did you forget to type the RELEASE in the create command?

No, sorry – I retyped the command instead of c&p. The actual command included the RELEASE.

Do you mind sharing the output (relevant output) of ‘ifconfig’ of the host and jail?
Sure – this is the host (just the bridge and the epair interface):
Code:
vtnet0bridge: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=10<VLAN_HWTAGGING>
    ether 58:9c:fc:10:39:48
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    bridge flags=0<>
    member: e0a_alcatraz flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 7 priority 128 path cost 2000 vlan protocol 802.1q
    member: vtnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            port 1 priority 128 path cost 2000 vlan protocol 802.1q
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
e0a_alcatraz: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vnet0 host interface for Bastille jail alcatraz
    options=60000b<RXCSUM,TXCSUM,VLAN_MTU,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 02:1a:e1:58:96:60
    hwaddr 58:9c:fc:10:89:6f
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

And this is the jail (just the epair interface):

Code:
vnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=60000b<RXCSUM,TXCSUM,VLAN_MTU,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 0e:1a:e1:58:96:60
    hwaddr 58:9c:fc:10:4e:b0
    inet 192.168.0.24 netmask 0xffffff00 broadcast 192.168.0.255
    inet6 fe80::c1a:e1ff:fe58:9660%vnet0 prefixlen 64 scopeid 0x8
    inet6 fdb6:1b5:3992:e964::24 prefixlen 64
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

As written in my previous post, all is well now. Thanks for your help, and sorry again for having wasted your time with a stupid mistake on my part.
 