No internet connection within a jail

Bertrand31 · Jul 10, 2011

Hi all !

First, please forgive me for my bad english, that's not my native language.
I will soon remove Debian from my personal server to put FreeBSD instead, but I'm a newbie in *BSD's world. That's why I decided to train myself a bit with VirtualBox.
So I installed FreeBSD 8.2 into a virtual machine.
Everything went well, but when created a jail (with ezjail), it became a little more complicated.

In fact, when I enter into the jail, I haven't access to the Internet.

Here are some outputs of commands and some config files. I you need me to give you more details, just ask me.

Into the jail :

Code:

Apache# dig google.fr

; <<>> DiG 9.6.-ESV-R3 <<>> google.fr
;; global options: +cmd
;; connection timed out; no servers could be reached

Code:

Apache# cat /etc/resolv.conf
nameserver 192.168.1.1

Code:

Apache# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:bd:31:01
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.2 netmask 0xffffff00

Out of the jail :

Code:

# cat /etc/rc.conf
hostname=".home"
ifconfig_em0="DHCP"
inetd_enable="YES"
keymap="fr.iso.acc"
sshd_enable="YES"

#Ezjail

ezjail_enable="YES"
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.1.1.2 netmask 255.255.255.0"

Code:

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:bd:31:01
        inet 192.168.1.25 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.2 netmask 0xffffff00

I hope you can help me, because I would really like to switch my server from Debian to FreeBSD, and the jails are something I'd really like to use.

Thanks in advance !

graudeejs · Jul 10, 2011

I manage my jails with custom scritps, I'm not a zjail person, but I'd suggest you read: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html (if you haven't yet)

It looks like you have wrong ezjail config

Code:

cloned_interfaces="lo1"
ifconfig_lo1="inet 10.1.1.2 netmask 255.255.255.0"

is defiantly wrong, lo0 is loopback interface

You should instead use em0

Bertrand31 · Jul 10, 2011

I replaced both "lo1" by "emo0" in the rc.conf of the host, but it still doesn't work ...
Any other idea ?

graudeejs · Jul 10, 2011

the 10.1.1.2 should be replace to something from 192.168.1.0/24 (Jail must be in same address space as your root server, on em0 interface)
Really read the handbook

Your router also needs to be configured, to pass your jails IP trafice.
BTW, don't test internet from jail with ping (it won't work, unless you enable raw sockets. This is security feature)

I highly recommend you configure your first jail with info form link above, and then try ezjail

UNIXgod · Jul 10, 2011

Look into setting up a nat with pf.

fbsd1 · Jul 16, 2011

Since you can not get ezjail to work for you, give qjail a try. qjail is in the ports system.

UNIXgod · Jul 16, 2011

fbsd1 said:
Since you can not get ezjail to work for you, give qjail a try. qjail is in the ports system.

And how does qjail help him with the networking issue?

fbsd1 · Jul 16, 2011

qjail does automatic network setup in each jail created which ezjail does not.

Bertrand31 · Jul 27, 2011

Qjail didn't work either, but I think I found how to fix the issue..
I've been told to add theese lines to pf.conf :

Code:

nat on rl0 from lo1:network to any -> (rl0)
rdr pass on rl0 inet proto tcp to port http -> 10.1.1.1 port http
rdr pass on rl0 inet proto tcp to port https -> 10.1.1.1 port https

(Of course after modifying them to match my network configuration)

I'm going to try this out and to keep you in touch.
Anyway, thank for your help guys !

Jason_Gantner · Feb 15, 2012

I have the same problem (no Internet access from inside of the jails but access to the jails from internet) with my jails, so I put here some outputs of commands or configuration files and hope you have any idea to fix the problem please:

out of any jail:

Code:

# ifconfig
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether bc:ae:c5:df:07:e8
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active[/INDENT]
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
        inet6 ::1 prefixlen 128 
        inet 127.0.0.1 netmask 0xff000000 
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xffffff00
lo2: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.0.0.1 netmask 0xffffffff

Code:

# cat /etc/pf.conf
set block-policy drop
set loginterface re0
set optimization normal


#block all in
#block all out

nat pass on re0 from lo1:network to any -> (re0)
nat pass on re0 from lo2:network to any -> (re0)
rdr pass on re0 inet proto tcp to port http -> 10.1.1.1 port http
rdr pass on re0 inet proto tcp to port https -> 10.1.1.1 port https
rdr pass on re0 ftp proto tcp to port ftp ->10.1.1.1 port ftp

Code:

# cat /etc/rc.conf

ifconfig_re0="DHCP"
network_interfaces="lo2"
pf_enable="YES"
pf_rules="/etc/pf.conf"
inetd_enable="YES"
cloned_interfaces="lo1"
ezjail_enable="YES"
ifconfig_lo1="inet 10.1.1.1 netmask 255.255.255.0"
qjail_enable="YES"

No error message from tcpdump.

with ezjail:

Code:

jail1# ifconfig
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether bc:ae:c5:df:07:e8
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xffffff00
lo2: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>

Code:

jail1# dig [url]www.freebsd.org[/url]

; <<>> DiG 9.6.-ESV-R3 <<>> [url]www.freebsd.org[/url]
;; global options: +cmd
;; connection timed out; no servers could be reached

Code:

tcpdump port 80
tcpdump: WARNING: re0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 96 bytes
18:05:57.879767 IP 192.168.1.10.46546 > 69.171.224.14.http: Flags [P.], ack 2240078482, win 8280, options [nop,nop,TS val 3590484 ecr 2184221807], length 517
18:05:58.083857 IP 69.171.224.14.http > 192.168.1.10.46546: Flags [P.], ack 517, win 55957, options [nop,nop,TS val 2184252987 ecr 3590484], length 241
18:05:58.183493 IP 192.168.1.10.46546 > 69.171.224.14.http: Flags [.], ack 242, win 8280, options [nop,nop,TS val 3590788 ecr 2184252987], length 0

...

18:08:02.738116 IP 69.171.224.14.http > 192.168.1.10.46546: Flags [P.], ack 2585, win 58025, options [nop,nop,TS val 2184377644 ecr 3715140], length 241
18:08:02.837424 IP 192.168.1.10.46546 > 69.171.224.14.http: Flags [.], ack 1206, win 8280, options [nop,nop,TS val 3715432 ecr 2184377644], length 0
^C
15 packets captured
513 packets received by filter
0 packets dropped by kernel

with qjail:

Code:

qjail1 /root >ifconfig
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether bc:ae:c5:df:07:e8
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
lo2: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.0.0.1 netmask 0xffffffff

Code:

qjail1 /root >dig [url]www.freebsd.org[/url]

; <<>> DiG 9.6.-ESV-R3 <<>> [url]www.freebsd.org[/url]
;; global options: +cmd
;; connection timed out; no servers could be reached

Code:

qjail1 /root >tcpdump port 80
tcpdump: WARNING: re0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 96 bytes

In host and jails:

Code:

qjail1 /root >cat /etc/resolv.conf
nameserver 192.168.1.1[/QUOTE]UP,LOOPBACK,RUNNING,MULTICAST

No error message from tcpdump.

with ezjail:

Code:

jail1# ifconfig
re0: flags=8943

tcpdu