Hello,
I am testing out vnet jails and I am having trouble inside the jail as traffic can not leave the host. Setup as follows:
HOST (VM running on ESX 6.7, VLAN is in promiscuous mode 'Accept' in vCenter)
FreeBSD 12.1-RELEASE-p2 amd64
Hostname = jails-01
NIC interface = vmx0, 192.168.10.10
I have gateway enabled in my rc.conf on the host.
jail.conf
Code:
# defaults applied to every jail
mount.devfs;
allow.raw_sockets;
exec.system_user = "root";
exec.jail_user = "root";
vnet;
path = "/usr/jails/$name";
exec.clean;

walnuts {
    host.hostname = "walnuts";
    vnet.interface = "ng0_walnuts";
    # jng creates the ng_eiface and bridges it onto vmx0 before the jail starts
    exec.prestart += "jng bridge walnuts vmx0";
    exec.poststop += "jng shutdown walnuts";
}
rc.conf of my walnuts jail
Code:
hostname="walnuts"
ifconfig_ng0_walnuts="192.168.10.11/24"
defaultrouter="192.168.10.254"
cron_flags="$cron_flags -J 15"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
syslogd_flags="-c -ss"
The host, jails-01, can ping the jail walnuts and walnuts can ping the host. Walnuts can ping another vnet jail called tickets I have created.
The host, jails-01, can ping anything on the 192.168.10.x subnet.
The jails cannot ping past vmx0.
Most setups I have been viewing have jails in a different subnet, so some sort of NAT is required in PF. In my case, is PF needed if the jails and host are on the same network segment?
I have attached my netgraph show image so you can see the hooks.
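As an added example, not part of the original post and not jng's own code, here is a small POSIX shell checker for the kind of setup described above: a vnet jail bridged at layer 2 onto the host uplink, with host, jail and default router all on one subnet. The `ifconfig` text it reads is a constructed sample so the script runs anywhere; the function names (`has_promisc`, `same_subnet`, `check_bridged_jail`) are my own, and the addresses are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for a vnet
# jail that jng bridges onto the host uplink at layer 2, with host and jail on
# one subnet. The ifconfig text below is a constructed sample; on the real host
# pass "$(ifconfig vmx0)" instead.

# Constructed sample: a jng-bridged uplink (jng sets PROMISC on it).
SAMPLE_IFCONFIG='vmx0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:56:00:00:01
        inet 192.168.10.10 netmask 0xffffff00 broadcast 192.168.10.255'

# Constructed sample: the same interface without promiscuous mode.
SAMPLE_NOPROMISC='vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:56:00:00:01
        inet 192.168.10.10 netmask 0xffffff00 broadcast 192.168.10.255'

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer.
plen2mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# same_subnet A B PLEN: succeed when A and B fall in the same /PLEN network.
same_subnet() {
    m=$(plen2mask "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# has_promisc IFCONFIG_OUTPUT: the uplink must carry PROMISC, otherwise the
# NIC drops frames addressed to the jail's MAC before ng_bridge sees them.
has_promisc() {
    printf '%s\n' "$1" | grep -q '^[a-z0-9]*: flags=[0-9a-f]*<.*PROMISC.*>'
}

# check_bridged_jail IFCONFIG_OUTPUT HOST_IP JAIL_CIDR GATEWAY
# Prints one line per check; the exit status is the number of failed checks.
check_bridged_jail() {
    fails=0
    jail_ip=${3%/*}
    plen=${3#*/}
    if has_promisc "$1"; then
        echo "ok:   uplink is in promiscuous mode"
    else
        echo "FAIL: uplink lacks PROMISC; jng has not bridged it (or the flag was reset)"
        fails=$((fails + 1))
    fi
    if same_subnet "$2" "$jail_ip" "$plen"; then
        echo "ok:   host $2 and jail $jail_ip share the /$plen segment; no NAT needed at layer 3"
    else
        echo "FAIL: jail $jail_ip is not on the host's /$plen segment; it needs routing or NAT"
        fails=$((fails + 1))
    fi
    if same_subnet "$jail_ip" "$4" "$plen"; then
        echo "ok:   default router $4 is directly reachable from the jail"
    else
        echo "FAIL: default router $4 is outside $3; the jail cannot ARP for it"
        fails=$((fails + 1))
    fi
    return $fails
}

# Run the checks against the constructed samples.
echo "== bridged uplink =="
check_bridged_jail "$SAMPLE_IFCONFIG" 192.168.10.10 192.168.10.11/24 192.168.10.254 \
    || echo "($? check(s) failed)"
echo "== uplink without PROMISC =="
check_bridged_jail "$SAMPLE_NOPROMISC" 192.168.10.10 192.168.10.11/24 192.168.10.254 \
    || echo "($? check(s) failed)"
```

On the host itself the call is `check_bridged_jail "$(ifconfig vmx0)" 192.168.10.10 192.168.10.11/24 192.168.10.254`. Two points worth keeping in mind with this design: because ng_bridge hands the jail's frames to vmx0's lower hook, they never traverse the host's IP stack, so pf rules on the host do not see or filter jail traffic, and any filtering has to live inside the jail's own vnet. And on a vSphere port group the jail's frames carry the jail's own MAC, so the port-group security policy has to accept forged transmits as well as promiscuous mode for them to leave the VM.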