Solved SSH to jail's ip from another physical device in the network gets me to the host system ssh.

With /etc/jail.conf being set to:
Code:
myjail {
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_console_${name}.log";

allow.raw_sockets;
exec.clean;
mount.devfs;
devfs_ruleset = 5;

path = "/jails/myjail";
host.hostname = "${name}";


$id = "154";
$ip = "192.168.0.${id}/24";
$gateway = "192.168.0.1";
$bridge = "bridge0";
$epair = "epair${id}";

vnet;
vnet.interface = "${epair}b";

exec.prestart  = "/sbin/ifconfig ${epair} create up";
exec.prestart += "/sbin/ifconfig ${epair}a inet $ip up descr jail:${name}";
exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up";
exec.start    += "/sbin/ifconfig ${epair}b ${ip} up";
exec.start    += "/sbin/route add default ${gateway}";
exec.poststop = "/sbin/ifconfig ${bridge} deletem ${epair}a";
exec.poststop += "/sbin/ifconfig ${epair}a destroy";
}
and the bridge being set to ifconfig bridge0 inet 192.168.0.250/24 addm re0 up

When I try to get to the ssh of the Jail at 192.168.0.154, it gets me instead to the ssh of my home server's home system.
 
Edited: Sorry I just realized you're using VNET so my suggestion I gave a few minutes ago wouldn't work.

When I've used VNET in the past I've given the bridge an ip address and subnet mask. Then add the epair as a member and the physical interface of the host as a member.
 
Are you assigning the ip to the correct vnet epair?
I think you need to make sure that ip gets assigned to the epair that is inside of the jail and not the host.
Eg: epairA/epairB
 
Are you assigning the ip to the correct vnet epair?
I think you need to make sure that ip gets assigned to the epair that is inside of the jail and not the host.
Eg: epairA/epairB
I am sure that you can know that if you read my /etc/jail.conf; if it is not enough, testing it should suffice.
Anyway, this is what ifconfig says about the bridge and epair154a:
Code:
re0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=82099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=0
        inet 192.168.0.250 netmask 0xc0000000 broadcast 255.255.255.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair154a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 55
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
epair154a: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: jail:myjail
        options=8<VLAN_MTU>
        inet 192.168.0.154 netmask 0xffffff00 broadcast 192.168.0.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
and everything from the jail:
Code:
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair154b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.0.154 netmask 0xffffff00 broadcast 192.168.0.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 
Edited: Sorry I just realized you're using VNET so my suggestion I gave a few minutes ago wouldn't work.

When I've used VNET in the past I've given the bridge an ip address and subnet mask. Then add the epair as a member and the physical interface of the host as a member.
Nor have you read my config files, as they clearly state that those things happen.
 
As Professor_Fate mentioned, and you can confirm this by looking at your ifconfig from both host and jail, you have assigned the same 192.168.0.154 ip to both the host and the jail.
It should only be assigned inside of the jail.
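
Added example, not part of the thread: a small sh check that compares saved `ifconfig` output from the host and from the jail and reports any IPv4 address configured on both sides, which is the condition that makes the host's sshd answer on the jail's address. The function names and the scratch-directory argument are assumptions of this example; the sample input is trimmed from the output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): report IPv4 addresses configured on
# both the host and a VNET jail, using saved ifconfig output.
# On a live system the captures would come from `ifconfig` on the host and
# `jexec myjail ifconfig` for the jail.

# Print "addr iface" for every non-loopback inet line read from stdin.
inet_addrs() {
    awk '/^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
         $1 == "inet" && $2 !~ /^127\./ { print $2, iface }'
}

# shared_addrs HOST_FILE JAIL_FILE -> "addr host_if jail_if" per collision.
shared_addrs() {
    inet_addrs < "$2" | while read -r addr jif; do
        inet_addrs < "$1" |
            awk -v a="$addr" -v j="$jif" '$1 == a { print a, $2, j }'
    done
}

# Sample input trimmed from the ifconfig output posted in the thread.
sample_host() {
    cat <<'EOF'
re0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        inet 192.168.0.250 netmask 0xc0000000 broadcast 255.255.255.255
        member: epair154a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair154a: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        inet 192.168.0.154 netmask 0xffffff00 broadcast 192.168.0.255
EOF
}
sample_jail() {
    cat <<'EOF'
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
epair154b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        inet 192.168.0.154 netmask 0xffffff00 broadcast 192.168.0.255
EOF
}

# Run the check on the sample captures; the argument is a scratch directory.
check_sample() {
    sample_host > "$1/host.txt"
    sample_jail > "$1/jail.txt"
    shared_addrs "$1/host.txt" "$1/jail.txt"
}

d=$(mktemp -d) && check_sample "$d"; rm -rf "$d"
```

An empty result means no address is shared; each output line names the address, the host-side interface and the jail-side interface that both carry it.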
 