No access to outside network inside jail




I've installed 12.0 recently and tried to reproduce the handbook example of a dnsjail (later referred to as dns1). I've done this once before, successfully. First, installed sysutils/ezjail through pkg. Then, added the following
to my /etc/rc.conf and rebooted.

After reboot, # ezjail-admin install -i -p to make a basejail then create my own jail with # ezjail-admin create dnsjail 'lo1|,alc0|', which is copying the handbook ipsis litteris (except for the jail name).

Next thing, start # ezjail-admin start dnsjail and # ezjail-admin console dnsjail. Set root password with # passwd and tz # tzsetup. Then:
sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab
sed -i .bak -e 's/; s/ dnsjail/' /etc/hosts
Here's the tricky part. The last time I did this, the host /etc/resolv.conf had my router's local address. It was something like this:
Thus, I'd created a /etc/resolv.conf inside the jail slightly different (nameserver and everything worked as expected: I built dns/bind99 and etcetera through the end of instructions in the handbook. Also, I managed to use this jail as a gateway to the other jails, using its IP as nameserver within their own /etc/resolv.conf.

This time, however, the very first jail failed at this point: there was no connection to the network.

I'm using another ISP now, and the contents of my /etc/resolv.conf are actual IP addresses (supposedly, their DNS servers): Of course, it wouldn't make sense to copy these inside the jail, yet I tried all the same, but to no avail. As I understand the process, I tried again using the host IP - it should then forward to the actual gateway, am I wrong? By that logic:
But that failed as well. And trying for the sake of argument to reach also failed. # make -C /usr/ports/dns/bind913 install clean keeps trying to fetch pkg without ever managing to resolve, skipping to the next mirror and so on until stopped e.g. with Ctrl+C.

I see the address set to lo1 is quite the same range as lo0, CIDR, whereas is set to the other interface alc0, but that didn't seem to matter in the past. The jail was created with "alc0|" as well. In fact, running $ ifconfig -a in the host shows both (host) and (jail) under the alc0 interface.

I'm not running PF, IPFW, IPFILTER or any other similar firewall. To the best of my knowledge, that is. I checked running processes and enabled services and found nothing of the sort. However, should one of these happen to be active by default without needing to be explicitly enabled in /etc/rc.conf or something like that, I've probably just been missing the point completely.

The facts are as related above. After a couple of hours of researching I made little to no progress, which led me to exhaustion and to open this thread seeking help. Thanks in advance.


Well-Known Member


Your jail is in a different subnet than your host. The packets from the jail need to be routed to the outside world by your host.
You have different options, for example:
  • Add the jail to the same subnet as your host (the jail becomes part of the LAN and would have an IP address like - then it could directly use your router.
  • Have the jail in a different subnet ( but then your host needs to also have a second IP address on the jail's subnet, and then the host needs to route the jail's packets to the outside.
If you want to do the second option:
  • Enable ip forwarding on the host
  • Add a second IP address for the host, for example
  • Add a default route on the jail and set the host as gateway:
  • Enable "ipfw with kernel NAT" or "ipfw with natd" on the host in order to create a NAT connection for the jail. Alternatively, you could just route the packets but then your router needs an additional routing entry for the jail's subnet, where your host would be the gateway.
Take a look at the port sysutils/iocage. It helps you easily create jails and configure the network, incl. addresses, DNS, routing etc.

If you want an easy setup - just add the jail to your LAN as
If you want more security, then go for a separate subnet and then use the host's firewall to route and filter.
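The host side of the second option (IP forwarding, a second host address, ipfw with in-kernel NAT) as an added rc.conf example; it is not code from either poster or from the handbook. It assumes the thread's alc0 interface, placeholder addresses 10.0.0.0/24 with the host at 10.0.0.1 and the jail at 10.0.0.2, and a standard non-VNET ezjail jail, which shares the host's routing table, so the host's default route already applies inside it.

```shell
# Host /etc/rc.conf additions for the "separate subnet + NAT" option.
# Constructed example: alc0 is the host's LAN interface (from the thread);
# 10.0.0.0/24, 10.0.0.1 (host) and 10.0.0.2 (jail) are placeholder addresses.

# 1. Forward packets between interfaces (sets net.inet.ip.forwarding=1 at boot).
gateway_enable="YES"

# 2. Give the host its own address on the jail subnet, so the jail can reach it
#    and it can act as the jail's next hop.
ifconfig_alc0_alias0="inet 10.0.0.1 netmask 255.255.255.0"

# 3. ipfw with in-kernel NAT: /etc/rc.firewall creates nat instance 123 on alc0
#    and adds rule 50 passing all IPv4 traffic via alc0 through it, so the
#    jail's 10.0.0.2 source address is rewritten to the host's LAN address.
firewall_enable="YES"
firewall_type="open"          # pass everything; replace with a real rule set later
firewall_nat_enable="YES"
firewall_nat_interface="alc0"

# The jail itself only needs its address on the jail subnet; a non-VNET jail
# cannot set routes and uses the host's routing table (placeholder address):
#   ezjail-admin create dnsjail 'alc0|10.0.0.2'
#
# Checks after "service netif restart" and "service ipfw start":
#   sysctl net.inet.ip.forwarding      -> net.inet.ip.forwarding: 1
#   ipfw list                          -> rule 00050 "nat 123 ip4 from any to any via alc0"
#   jexec dnsjail ping -c1 <router>    -> replies, since the host now translates it
```

Inside the jail, /etc/resolv.conf still has to name a resolver reachable through the NAT (the router or the ISP servers); ezjail adds 10.0.0.2 to alc0 when the jail starts, so do not configure that alias by hand.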