Wifibox on the host supporting jails on the host

Has anyone been able to run wifibox on their host and then support connectivity from the host into jails? I've tried attaching one end of an epair to the wifibox0 bridge and giving the other end to the jail, but the jail can't see the end of the epair attached to the bridge. The host continues to work fine through wifibox0 with its default 10.0.0.2 address. I assigned 10.0.0.3 to the end inside the jail. I cannot ping 10.0.0.3 from the host either. Not sure what to try next. Any help would be appreciated.
- ifconfig epair create
epair5a
- jail -c name=my_jail host.hostname=my_jail persist vnet vnet.interface=epair5b
- ifconfig wifibox0 addm epair5a
...bridge now has tap0 and epair5a as members
- jexec my_jail ifconfig epair5b inet 10.0.0.3/24 up
 
I have my wifibox connection working in a jail that I use to run Brave Browser under Ubuntu LTS.
It didn't work until I added something like this to my rc.conf:

To create more IP addresses:
Code:
cloned_interfaces="lo1"
ifconfig_lo1_aliases="inet 10.10.0.1-12/24"

and this to my jail.conf
Code:
ubuntu {
    devfs_ruleset = 20;
    host.hostname="ubuntu";
    ip4.addr="lo1|10.10.0.5/24";
    path="/jail/ubuntu";
    allow.raw_sockets=1;
    exec.start='/bin/true';
    exec.stop='/bin/true';
    persist;
    mount.fstab="/jail/ubuntu/etc/fstab";
}
 
I came here looking for anyone reporting problems or a solution for attaching an epair to a bridge. I seem to recall dealing with this before and tonight I stumbled over the problem again. I'm fairly certain that the 'b' side of the epair must be connected to the bridge and the 'a' side is the business end for IP addressing (static or DHCP). I was about to post, but didn't want to repeat anything so I searched for "bridge epair" and found your post.

The upshot is: try swapping the ends of the epair and add epair5b. I would encourage a liberal use of 'up'.

Code:
ifconfig wifibox0 addm epair5b up

I'm curious if this will work for you. I recall telling myself 'b' for 'bridge'.
 
Thank you both for your feedback. Your feedback was enough to give me inspiration to keep trying.

I have been following https://freebsdfoundation.org/wp-content/uploads/2020/03/Jail-vnet-by-Examples.pdf by Olivier Cochard-Labbé. He uses an epair with side A on the bridge and side B in the jail. I don't think it matters which end is connected to the bridge.

I retried my example, only this time it worked. I think I forgot the UP keyword when creating the epair. In addition, I added a route inside my jail to my home network (192.168.32.0/24) through the host's gateway (10.0.0.1 which is the wifibox), and a default route to the same gateway (probably don't need the local network route with the default). I can use jexec to ping the host, ping devices on my home network (192.168.32.32 for example), and ping google.com using their IP address.

The commands (as root on the host):

#ifconfig epair create up <-- created epair0a and epair0b
#ifconfig wifibox0 addm epair0a <-- adds the A side of the epair to the wifibox0 bridge

Create the jail and assign ip 10.0.0.3/24 to epair0b inside the jail.
#jail -c name=jail0 host.hostname=jail0 persist vnet vnet.interface=epair0b
#jexec jail0 ifconfig epair0b inet 10.0.0.3/24 up
#jexec jail0 ifconfig epair0b inet <-- you should see epair0b assigned address 10.0.0.3

Try to ping the jail from the jail, and the host from the jail. Now this works for me.
#jexec jail0 ping -c 2 10.0.0.3 <-- should ping the jail twice
#jexec jail0 ping -c 2 10.0.0.2 <-- should ping the host twice

Now add a route to the jail so the jail can find the home network using the host's gateway, which is the wifibox at 10.0.0.1. For those of you who don't know, the route means that any address on the network 192.168.32.0/24 is sent via 10.0.0.1.
#jexec jail0 route add -net 192.168.32.0/24 10.0.0.1

Now ping a device on your home network, like your home network's gateway or an iPhone. If the iPhone's screen is black, it won't answer the ping. I found the IP of my iPhone by looking at the connected devices on my home network's router (gateway).
#jexec jail0 ping -c 2 192.168.32.1 <-- should ping the gateway twice
#jexec jail0 ping -c 2 192.168.32.105 <-- this pinged my iPhone twice

Now add a default route (could probably do this instead of adding the home network route) so any address not known to the jail's routing table will go to the host's gateway (10.0.0.1)
#jexec jail0 route add default 10.0.0.1

Get the address of google.com (or any other web URL) by pinging it from your host. The reply is google's IP.
#ping google.com
64 bytes from 64.233.185.100 <-- use this address

Now Ping google from the jail
#jexec jail0 ping -c 2 64.233.185.100 <-- should ping google twice


So the above works, but I know I'm breaking a DHCP rule here. The wifibox has a dhcp server handing out addresses. The dhcp server handed my host 10.0.0.2. The IP address I chose, 10.0.0.3, is in the range of addresses handed out by the dhcp server. Now these are my jails and I am the almighty on my network, so I can get away with it. However, to do this correctly, I need to have the jail somehow ask for an IP (can that be done with an epair ?) or hard code it like I am currently, but configure wifibox to know about the assigned IP address, and any other jails I create.
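The static-address procedure from the post above, collected into one script. This is an added example and not code from any of the posters or from the wifibox project. The names it takes from the thread are the bridge wifibox0, the wifibox gateway 10.0.0.1, the host address 10.0.0.2 and the jail address 10.0.0.3/24; the jail name jail0 is an assumption, as is that it runs as root on a FreeBSD host where wifibox is already up. `plan` only prints the command sequence (the epair name is assumed to be epair0a in that mode); `apply` executes it, with the `up` on every interface that was the missing piece in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: the static-address procedure of the
# post above as one script. Names from the thread: bridge wifibox0, gateway
# 10.0.0.1, host address 10.0.0.2, jail address 10.0.0.3/24. Assumed: the
# jail name jail0 and that "apply" runs as root on a FreeBSD host where
# wifibox is already up. "plan" only prints the commands.

JAIL=${JAIL:-jail0}
BRIDGE=${BRIDGE:-wifibox0}
JAIL_ADDR=${JAIL_ADDR:-10.0.0.3/24}
GATEWAY=${GATEWAY:-10.0.0.1}
HOST_ADDR=${HOST_ADDR:-10.0.0.2}
DRY_RUN=${DRY_RUN:-0}

# run: echo a command line and execute it unless DRY_RUN=1.
run() {
    printf '>> %s\n' "$1"
    [ "$DRY_RUN" = 1 ] || sh -c "$1"
}

# a_to_b: the B side that goes into the jail, from the A side ifconfig printed.
a_to_b() {
    printf '%s\n' "${1%a}b"    # epair0a -> epair0b
}

# plan: the command sequence for a given A side, one command per line.
# Which side sits on the bridge does not matter; what matters is that both
# sides and the bridge are up before anything is expected to answer.
plan() {
    a=$1
    b=$(a_to_b "$1")
    cat <<EOF
ifconfig $a up
ifconfig $BRIDGE addm $a up
jail -c name=$JAIL host.hostname=$JAIL persist vnet vnet.interface=$b
jexec $JAIL ifconfig $b inet $JAIL_ADDR up
jexec $JAIL route add default $GATEWAY
jexec $JAIL ping -c 2 $HOST_ADDR
jexec $JAIL ping -c 2 $GATEWAY
EOF
}

# main: create the epair (its name comes from ifconfig's output), then run the plan.
main() {
    if [ "$DRY_RUN" = 1 ]; then
        a=epair0a                      # assumed name for the dry run
        printf '>> ifconfig epair create\n'
    else
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
        a=$(ifconfig epair create) || return 1
    fi
    plan "$a" | while IFS= read -r cmd; do
        run "$cmd" || exit 1
    done
}

case "${1:-}" in
    plan)  DRY_RUN=1 main ;;
    apply) main ;;
esac
```

Run `sh vnet_jail.sh plan` to see what would happen, then `sh vnet_jail.sh apply` as root. The last two lines of the plan are the checks from the post: if the ping to 10.0.0.2 works but the one to 10.0.0.1 does not, the epair is fine and the problem is between the bridge and the wifibox tap.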
 
Looks like I tripped over my own shoelaces and failed to have the proper "up", so you're correct, a/b side in the bridge doesn't matter. I've been struggling for the past 24 hours with DHCP for epairs. I was about to post about it, so feel free to look for that later once I finish. There's quite a bit of complexity there.

BTW, although it may be different in your case, I don't think you need to give both ends of the epair an IP address. If your tun has the address 10.0.0.1 or leads to it, I suspect epair0a (connected directly to the bridge) doesn't need 10.0.0.2 and you can leave it off. The epair0b that's inside your jail requires an address, of course.

If you want to use DHCP, you can, although I have some caveats. It's a bit complicated with epairs, bridges and jails as they are all virtual, so any ether (MAC) is random, unless you make it not random by setting it. Does it matter that it's random? Yes and no. DHCP addresses will be acquired when it's random, however they won't be "sticky". Every time you reboot or restart the jail, you'll have a new ether/MAC address that the DHCP server won't recognize and so a new IP will be issued. Also, you can't reserve a DHCP address for the jail because it's random. If you want to peg the ether, you can, but where you set it is crucial because if you set it in the host and push the epair0b side down into the jail, the ether is wiped; all epair settings are wiped when it's put into a VNET jail. So, you have to set the ether inside the jail, most people use the jail config.

Alright, so tl/dr to have a stable DHCP:
  1. In /etc/devfs.rules, create a new rule (eg. 15) that unhides bpf* or DHCP won't work. See /etc/defaults/devfs and be sure to set that new rule in your jail.conf.
  2. Also, be sure to restart the devfs service ( service devfs restart) so the rule change takes effect.
  3. In your jail.conf, set the new rule and the ether:
    Code:
    devfs_ruleset="15";   # This is the rule ID you created in Step 1 to pick up /dev/bpf
    
    exec.start += "ifconfig epair0b ether XX:XX:XX:XX:XX:XX";
    exec.start += "/sbin/dhclient epair0b";
  4. Make sure you sprinkle plenty of "up"s throughout the configuration.
Let me know if you have any questions.
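The two fragments the post above calls for, generated by a small script. This is an added example, not code from the poster or from the wifibox project. It takes the ruleset number 15 and the interface epair0b from the thread; the jail name jail0, the jail root /jail/jail0 and a FreeBSD userland inside the jail (so exec.start runs /etc/rc) are assumptions. Instead of a hand-picked MAC, `gen_mac` derives a locally administered address from the jail name, which gives the "pegged" ether the post describes without anyone having to invent one, and the ether is set from exec.start, i.e. inside the jail after vnet.interface has moved the epair in.

```shell
#!/bin/sh
# Added example, not code from the thread: generates a devfs ruleset that
# unhides bpf* for the jail and a jail.conf stanza that pins the epair's MAC
# from inside the jail and runs dhclient. From the thread: ruleset number 15,
# interface epair0b. Assumed: jail name jail0, jail root /jail/jail0, a
# FreeBSD userland in the jail, and that a MAC derived from the jail name is
# acceptable as the pegged ether.

# gen_mac: a stable, locally administered unicast MAC (02:00:xx:xx:xx:xx)
# derived from the CRC-32 of the jail name, so every restart of the jail
# presents the same address to the wifibox DHCP server. cksum is POSIX, so
# this gives the same answer on FreeBSD and Linux.
gen_mac() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    printf '02:00:%s\n' "$(printf '%08x' "$crc" | sed 's/../&:/g; s/:$//')"
}

# devfs_rules N: ruleset N for /etc/devfs.rules. It starts from the stock
# jail ruleset and additionally unhides /dev/bpf*, which dhclient needs.
# Apply with "service devfs restart".
devfs_rules() {
    cat <<EOF
[devfsrules_jail_dhcp=$1]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add include \$devfsrules_jail
add path 'bpf*' unhide
EOF
}

# jail_conf NAME IFACE RULESET: jail.conf stanza. The ether is set by
# exec.start, inside the jail after vnet.interface has moved the epair in,
# because anything set on the host side is discarded at that move. The
# interface is brought up explicitly before dhclient is started on it.
jail_conf() {
    name=$1; ifc=$2; ruleset=$3
    mac=$(gen_mac "$name")
    cat <<EOF
$name {
    host.hostname = "$name";
    path = "/jail/$name";
    persist;
    vnet;
    vnet.interface = "$ifc";
    devfs_ruleset = $ruleset;
    exec.start  = "/bin/sh /etc/rc";
    exec.start += "ifconfig $ifc ether $mac";
    exec.start += "ifconfig $ifc up";
    exec.start += "/sbin/dhclient $ifc";
    exec.stop   = "/bin/sh /etc/rc.shutdown";
}
EOF
}

case "${1:-}" in
    mac)   gen_mac "${2:-jail0}" ;;
    rules) devfs_rules "${2:-15}" ;;
    conf)  jail_conf "${2:-jail0}" "${3:-epair0b}" "${4:-15}" ;;
esac
```

`sh dhcp_jail.sh rules 15 >> /etc/devfs.rules` and `sh dhcp_jail.sh conf jail0 epair0b 15 >> /etc/jail.conf` produce the two fragments; `sh dhcp_jail.sh mac jail0` prints the address you can then reserve on the wifibox DHCP server. Because the MAC is a function of the jail name, two jails get two different addresses and the same jail gets the same one after every restart.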
 