Solved: question about jail with Bastille in FreeBSD 15?

Happy New Year 2026 to all:
I have installed bastille 1.3.2.251225 on my FreeBSD 15 ... then created a vm-mylan bridge ... created a jail with this vm-mylan bridge ... below is the bridge info:
ifconfig vm-mylan
vm-mylan: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=10<VLAN_HWTAGGING>
ether 0a:b3:62:a1:42:7e
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
bridge flags=0<>
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
port 11 priority 128 path cost 2000000 vlan protocol 802.1q
member: e0a_fb15 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
port 7 priority 128 path cost 2000 vlan protocol 802.1q
member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
port 1 priority 128 path cost 200000 vlan protocol 802.1q
groups: bridge vm-switch viid-693b4@
nd6 options=9<PERFORMNUD,IFDISABLED>

We can see the jail vnet is attached to the bridge. re0 is the physical network card and is attached to the same bridge.
jail IP: 192.168.255.199/24
re0 IP: 192.168.233.1/24
no firewall:
re0 and the jail are on the same bridge .. so why can't I ping the jail from the host, or the host from the jail .....

If I create a VM with bhyve and attach the VM's tap0 to the same vm-mylan bridge:
!!! note !!!: magic things happen ..
Now I can ping the host's re0 from the jail, and ping the jail from the host's re0 ... the jail can ping the bhyve VM, and the bhyve VM can ping the jail ....

Then I used bastille to create another jail (192.168.233.134). Those jails can ping each other.
jail1 IP : 192.168.233.133/24
jail2 IP : 192.168.233.134/24
re0 IP: 192.168.233.1/24

Please help me ..... thanks.
In my mind, the jail and re0 are in the same network on bridge vm-mylan, so they should be able to ping each other. Why doesn't it work? Thanks.
 
tcpdump -nettti vm-mylan # vm-mylan is the bridge ...

00:00:00.162918 58:9c:fc:10:18:06 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.255.1 tell 192.168.255.119, length 28
00:00:00.000053 c8:4b:d6:68:e6:ac > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.255.119 tell 192.168.255.1, length 28
00:00:00.000010 58:9c:fc:10:18:06 > c8:4b:d6:68:e6:ac, ethertype ARP (0x0806), length 42: Reply 192.168.255.119 is-at 58:9c:fc:10:18:06, length 28
00:00:00.000001 c8:4b:d6:68:e6:ac > 58:9c:fc:10:18:06, ethertype IPv4 (0x0800), length 98: 192.168.255.1 > 192.168.255.119: ICMP echo reply, id 38978, seq 0, length 64
00:00:00.329494 00:14:10:2b:61:7c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.24.19 tell 192.168.24.170, length 46
00:00:00.678164 58:9c:fc:10:18:06 > c8:4b:d6:68:e6:ac, ethertype IPv4 (0x0800), length 98: 192.168.255.119 > 192.168.255.1: ICMP echo request, id 38978, seq 1, length 64
00:00:00.000031 c8:4b:d6:68:e6:ac > 58:9c:fc:10:18:06, ethertype IPv4 (0x0800), length 98: 192.168.255.1 > 192.168.255.119: ICMP echo reply, id 38978, seq 1, length 64
00:00:00.361210 58:9c:fc:10:18:06 > c8:4b:d6:68:e6:ac, ethertype IPv4 (0x0800), length 98: 192.168.255.119 > 192.168.255.1: ICMP echo request, id 38978, seq 2, length 64
00:00:00.000034 c8:4b:d6:68:e6:ac > 58:9c:fc:10:18:06, ethertype IPv4 (0x0800), length 98: 192.168.255.1 > 192.168.255.119: ICMP echo reply, id 38978, seq 2, length 64
00:00:01.008427 58:9c:fc:10:18:06 > c8:4b:d6:68:e6:ac, ethertype IPv4 (0x0800), length 98: 192.168.255.119 > 192.168.255.1: ICMP echo request, id 38978, seq 3, length 64
00:00:00.000027 c8:4b:d6:68:e6:ac > 58:9c:fc:10:18:06, ethertype IPv4 (0x0800), length 98: 192.168.255.1 > 192.168.255.119: ICMP echo reply, id 38978, seq 3, length 64

It looks like pinging the host from the jail has no problem ... request and reply are OK. But why can't it ping? Everything lost ...
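As an added example (not code from the thread), a small Python script that pairs the ICMP echo requests and replies in tcpdump -nettt output like the capture above, flags requests that never get a reply, and reports which of the interface prefixes given in the first post (re0 192.168.233.1/24, jail 192.168.255.199/24) each endpoint falls in. The sample lines are taken from the capture, with one constructed unanswered request (seq 9) added.

```python
import ipaddress
import re

# Constructed sample: three lines from the tcpdump output posted above plus one
# made-up request (seq 9) that never gets a reply.
SAMPLE = """\
00:00:00.000001 c8:4b:d6:68:e6:ac > 58:9c:fc:10:18:06, ethertype IPv4 (0x0800), length 98: 192.168.255.1 > 192.168.255.119: ICMP echo reply, id 38978, seq 0, length 64
00:00:00.678164 58:9c:fc:10:18:06 > c8:4b:d6:68:e6:ac, ethertype IPv4 (0x0800), length 98: 192.168.255.119 > 192.168.255.1: ICMP echo request, id 38978, seq 1, length 64
00:00:00.000031 c8:4b:d6:68:e6:ac > 58:9c:fc:10:18:06, ethertype IPv4 (0x0800), length 98: 192.168.255.1 > 192.168.255.119: ICMP echo reply, id 38978, seq 1, length 64
00:00:00.361210 58:9c:fc:10:18:06 > c8:4b:d6:68:e6:ac, ethertype IPv4 (0x0800), length 98: 192.168.255.119 > 192.168.255.1: ICMP echo request, id 38978, seq 9, length 64
"""

# Interface prefixes as given in the first post (name -> address/prefix).
INTERFACES = {"re0": "192.168.233.1/24", "jail": "192.168.255.199/24"}

ICMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def pair_echoes(capture):
    """Match echo requests to replies by (requester, target, id, seq).
    Returns (answered, unanswered, orphan_replies). An orphan reply means
    the capture started late; an unanswered request is a real loss."""
    pending, answered, orphans = {}, [], []
    for m in ICMP_RE.finditer(capture):
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], ident, seq)] = True
        else:  # a reply travels target -> requester, so swap the addresses
            key = (m["dst"], m["src"], ident, seq)
            (answered if pending.pop(key, None) else orphans).append(key)
    return answered, sorted(pending), orphans


def on_link_interfaces(capture, interfaces=INTERFACES):
    """Map every IPv4 endpoint in the capture to the interfaces whose prefix
    contains it; an empty list means the host needs a route to reach it."""
    seen = {}
    for m in ICMP_RE.finditer(capture):
        for addr in (m["src"], m["dst"]):
            ip = ipaddress.ip_address(addr)
            seen[addr] = sorted(name for name, cidr in interfaces.items()
                                if ip in ipaddress.ip_interface(cidr).network)
    return seen


if __name__ == "__main__":
    print(pair_echoes(SAMPLE), on_link_interfaces(SAMPLE))
```

Feed it the full capture (`tcpdump -nettti vm-mylan > cap.txt`, then `pair_echoes(open("cap.txt").read())`) to see whether a reported loss is an unanswered request on the bridge segment or only a reply the host never delivered to the pinging process.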
 
I'm not an expert, but I don't think that pinging out of a Bastille jail is enabled by default. Or at least I can't, and IIRC the video I used to show me how to set it up indicated that pinging out would be disabled by default.

Did you remember to configure /usr/local/etc/bastille/bastille.conf to change bastille_network_loopback to match your bridge?
 
Dear hedwards:
Thanks for your reply ... below is the network configuration ...
## Networking
bastille_network_vnet_type="if_bridge" ## default: "if_bridge"
bastille_network_loopback="bastille0" ## default: "bastille0"
bastille_network_pf_ext_if="ext_if" ## default: "ext_if"
bastille_network_pf_table="jails" ## default: "jails"
bastille_network_shared="" ## default: ""
bastille_network_gateway="" ## default: ""
bastille_network_gateway6=""

1. Where can we see that ping is blocked by default?
2. What is the Bastille loopback?
Thanks.
 
1) I'm not sure; it's just something that I'd heard, and mine also doesn't permit pinging outside of the jail, even though I can ping in and access the network. I wouldn't worry about that until after getting the ability to ping into the jail. If it's both still happening and still a problem after fixing the config, that would likely be the time to look into that, but I don't know how to address that issue as I haven't cared to even try.
2) bastille0 is the name Bastille expects the bridge to have. It should match what you've told your system to use. You're not going to get any pinging going on in either direction if the bridge that bastille0 is listening to doesn't exist. Creating a new bastille0 should fix this; alternatively, changing it in the config to match your actual bridge should also work.
 
Dear hedwards:
I have created a bridge and attached all jail vnets to this bridge. Why do we need to create a bastille0 bridge again? Thanks.
 
You shouldn't need to; as long as you have one bridge that matches that setting in the Bastille configuration file, it should work. It's a choice, feel free to just edit the Bastille configuration to match that.
 
I think that was a bug, so I'll close this topic. I changed approach: we don't access re0 directly. All jails join the bridge, re0 doesn't join it, and then NAT from re0. Thanks to all.
 
bastille0 is a loopback address that Bastille uses for non-VNET jails. It is not needed for VNET jails.
Thanks, I've been having consistency problems with my jail's net connection when also having podman containers and vms. Setting the non-VNET jail to use bastille0 with aliases for the appropriate IPs seems to have done the trick.
 