From owner-freebsd-jail@freebsd.org Sun Oct 18 12:54:14 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 203521] MongoDB hangs during mi_switch
Date: Sun, 18 Oct 2015 12:54:14 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: threads
X-Bugzilla-Version: 10.2-RELEASE

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203521

Sir l33tname changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sirl33tname@gmail.com

--- Comment #4 from Sir l33tname ---
I saw the same thing today on a system, with git, mysql and mongodb in
different jails.

Is there any workaround for it?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-jail@freebsd.org Sun Oct 18 16:45:28 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 203521] MongoDB hangs during mi_switch
Date: Sun, 18 Oct 2015 16:45:28 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203521

--- Comment #5 from Randy Westlund ---
Not that I've found. This problem is over my head. Even if I restart the
server, it's the same programs in the same jails that hang during the context
switch.

In the meantime, I've moved my services to a VPS (with no jails) because I
can't get my jails to start. I'm not updating any system with working jails,
for fear of my other servers breaking.

From owner-freebsd-jail@freebsd.org Sun Oct 18 16:46:12 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 203521] MongoDB hangs during mi_switch
Date: Sun, 18 Oct 2015 16:46:12 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203521

Randy Westlund changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Affects Only Me             |Affects Some People

From owner-freebsd-jail@freebsd.org Sun Oct 18 17:54:52 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 203521] MongoDB or vim in jail hang during mi_switch
Date: Sun, 18 Oct 2015 17:54:52 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203521

Kurt Jaeger changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|MongoDB hangs during        |MongoDB or vim in jail hang
                   |mi_switch                   |during mi_switch

From owner-freebsd-jail@freebsd.org Sun Oct 18 18:17:08 2015
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 203521] MongoDB or vim in jail hang during mi_switch
Date: Sun, 18 Oct 2015 18:17:08 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203521

--- Comment #6 from Sir l33tname ---
(In reply to Sir l33tname from comment #4)

Never mind, I just missed updating my libs to 10.2 in the base jail.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203765

From owner-freebsd-jail@freebsd.org Tue Oct 20 14:54:40 2015
From: "State Court"
Reply-To: "State Court"
To: freebsd-jail@freebsd.org
Subject: Notice to appear in Court #00684898
Date: Tue, 20 Oct 2015 16:25:24 +0200
X-PHP-Originating-Script: 502:post.php(6) : regexp code(1) : eval()'d code(17) : eval()'d code

Notice to Appear,

This is to inform you to appear in the Court on the October 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case will be heard by the judge in your absence if you do not come.

The copy of Court Notice is attached to this email.

Kind regards,
Jerry Greer,
Court Secretary.

From owner-freebsd-jail@freebsd.org Fri Oct 23 15:38:10 2015
From: James Lodge
To: "freebsd-jail@freebsd.org"
Subject: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Date: Fri, 23 Oct 2015 15:37:56 +0000

Hello all,

I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.

OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.

Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1

OpenVPN Jail Routing Table:

Internet:
Destination        Gateway            Flags    Netif    Expire
172.16.1.8         link#4             UH       lo1

Jail Host Routing Table:

Internet:
Destination        Gateway            Flags    Netif    Expire
default            x.x.0.1            UGS      vtnet0
10.8.0.0           10.8.0.2           UGS      tun0
10.8.0.1           link#5             UHS      lo0
10.8.0.2           link#5             UH       tun0
x.x.0.0/18         link#1             U        vtnet0
x.x.x.x            link#1             UHS      lo0
localhost          link#3             UH       lo0
172.16.1.1         link#4             UH       lo1
172.16.1.2         link#4             UH       lo1
172.16.1.3         link#4             UH       lo1
172.16.1.4         link#4             UH       lo1
172.16.1.5         link#4             UH       lo1
172.16.1.6         link#4             UH       lo1
172.16.1.7         link#4             UH       lo1
172.16.1.8         link#4             UH       lo1

Client Routing Table:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6      20
         10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6      20
         10.8.0.4  255.255.255.252          On-link        10.8.0.6     276
         10.8.0.6  255.255.255.255          On-link        10.8.0.6     276
         10.8.0.7  255.255.255.255          On-link        10.8.0.6     276

I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.

James

From owner-freebsd-jail@freebsd.org Fri Oct 23 17:41:33 2015
From: Allan Jude
To: freebsd-jail@freebsd.org
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Date: Fri, 23 Oct 2015 13:41:27 -0400
Message-ID: <562A7147.5080002@freebsd.org>

On 2015-10-23 11:37, James Lodge wrote:
> Hello all,
>
> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>
> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>
> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
> 10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1
>
> OpenVPN Jail Routing Table:
>
> Internet:
> Destination        Gateway            Flags    Netif    Expire
> 172.16.1.8         link#4             UH       lo1
>
> Jail Host Routing Table:
> Internet:
> Destination        Gateway            Flags    Netif    Expire
> default            x.x.0.1            UGS      vtnet0
> 10.8.0.0           10.8.0.2           UGS      tun0
> 10.8.0.1           link#5             UHS      lo0
> 10.8.0.2           link#5             UH       tun0
> x.x.0.0/18         link#1             U        vtnet0
> x.x.x.x            link#1             UHS      lo0
> localhost          link#3             UH       lo0
> 172.16.1.1         link#4             UH       lo1
> 172.16.1.2         link#4             UH       lo1
> 172.16.1.3         link#4             UH       lo1
> 172.16.1.4         link#4             UH       lo1
> 172.16.1.5         link#4             UH       lo1
> 172.16.1.6         link#4             UH       lo1
> 172.16.1.7         link#4             UH       lo1
> 172.16.1.8         link#4             UH       lo1
>
> Client Routing Table:
>
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6      20
>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6      20
>          10.8.0.4  255.255.255.252          On-link        10.8.0.6     276
>          10.8.0.6  255.255.255.255          On-link        10.8.0.6     276
>          10.8.0.7  255.255.255.255          On-link        10.8.0.6     276
>
> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>
> James
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
windows machine, and see if the packets are arriving.

-- 
Allan Jude

From owner-freebsd-jail@freebsd.org Fri Oct 23 18:13:43 2015
From: James Lodge
To: "freebsd-jail@freebsd.org"
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Date: Fri, 23 Oct 2015 18:13:31 +0000
In-Reply-To: <562A7147.5080002@freebsd.org>

> On 2015-10-23 11:37, James Lodge wrote:
> Hello all,
>
> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>
> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>
> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
> 10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1
>
> OpenVPN Jail Routing Table:
>
> Internet:
> Destination        Gateway            Flags    Netif    Expire
> 172.16.1.8         link#4             UH       lo1
>
> Jail Host Routing Table:
> Internet:
> Destination        Gateway            Flags    Netif    Expire
> default            x.x.0.1            UGS      vtnet0
> 10.8.0.0           10.8.0.2           UGS      tun0
> 10.8.0.1           link#5             UHS      lo0
> 10.8.0.2           link#5             UH       tun0
> x.x.0.0/18         link#1             U        vtnet0
> x.x.x.x            link#1             UHS      lo0
> localhost          link#3             UH       lo0
> 172.16.1.1         link#4             UH       lo1
> 172.16.1.2         link#4             UH       lo1
> 172.16.1.3         link#4             UH       lo1
> 172.16.1.4         link#4             UH       lo1
> 172.16.1.5         link#4             UH       lo1
> 172.16.1.6         link#4             UH       lo1
> 172.16.1.7         link#4             UH       lo1
> 172.16.1.8         link#4             UH       lo1
>
> Client Routing Table:
>
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6      20
>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6      20
>          10.8.0.4  255.255.255.252          On-link        10.8.0.6     276
>          10.8.0.6  255.255.255.255          On-link        10.8.0.6     276
>          10.8.0.7  255.255.255.255          On-link        10.8.0.6     276
>
> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>
> James
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>
> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
> windows machine, and see if the packets are arriving.
>
> --
> Allan Jude

Thank you Allan,

I should have thought of tcpdump. So traffic is being received at the host from the windows client.

Results from Host tcpdump -i tun0 -n=20 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577,= length 40 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633= 761, win 8192, options [mss 1368,nop,nop,sackOK], length 0 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com.= (34) 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com.= (34) After that I thought I'd see if the traffic is reaching the jail. After all= ow the jail access to /dev/bpf I get the same results as the host, traffic = is received.=20 Results from Jail tcpdump -i tun0 -n 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com.= (34) 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com.= (34) 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com.= (34) 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 313928= 1876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 415204= 8904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 310746= 3099, win 65535, options [mss 1368,nop,nop,sackOK], length 0 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? 
dns.msftncsi.com. (34)

Regards
James

From owner-freebsd-jail@freebsd.org Fri Oct 23 18:42:14 2015
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
To: freebsd-jail@freebsd.org
References: <562A7147.5080002@freebsd.org>
From: Allan Jude
Message-ID: <562A7F88.4070106@freebsd.org>
Date: Fri, 23 Oct 2015 14:42:16 -0400
X-List-Received-Date: Fri, 23 Oct 2015 18:42:14 -0000

On 2015-10-23 14:13, James Lodge wrote:
>> On 2015-10-23 11:37, James Lodge wrote:
>> Hello all,
>>
>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>
>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>
>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>
>> 10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1
>>
>> OpenVPN Jail Routing Table:
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> 172.16.1.8         link#4             UH         lo1
>>
>> Jail Host Routing Table:
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> default            x.x.0.1            UGS        vtnet0
>> 10.8.0.0           10.8.0.2           UGS        tun0
>> 10.8.0.1           link#5             UHS        lo0
>> 10.8.0.2           link#5             UH         tun0
>> x.x.0.0/18         link#1             U          vtnet0
>> x.x.x.x            link#1             UHS        lo0
>> localhost          link#3             UH         lo0
>> 172.16.1.1         link#4             UH         lo1
>> 172.16.1.2         link#4             UH         lo1
>> 172.16.1.3         link#4             UH         lo1
>> 172.16.1.4         link#4             UH         lo1
>> 172.16.1.5         link#4             UH         lo1
>> 172.16.1.6         link#4             UH         lo1
>> 172.16.1.7         link#4             UH         lo1
>> 172.16.1.8         link#4             UH         lo1
>>
>> Client Routing Table:
>>
>> IPv4 Route Table
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6     20
>>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6     20
>>          10.8.0.4  255.255.255.252          On-link        10.8.0.6    276
>>          10.8.0.6  255.255.255.255          On-link        10.8.0.6    276
>>          10.8.0.7  255.255.255.255          On-link        10.8.0.6    276
>>
>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>
>> James
>>
>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>> windows machine, and see if the packets are arriving.
>>
>> --
>> Allan Jude
>
> Thank you Allan,
>
> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>
> Results from Host tcpdump -i tun0 -n
>
> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>
> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>
> Results from Jail tcpdump -i tun0 -n
>
> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>
> Regards
> James

Can you include the output of 'ifconfig' from inside the jail?, and
'netstat -rn'

It looks like the packets are reaching you on tun0

--
Allan Jude
From owner-freebsd-jail@freebsd.org Fri Oct 23 19:30:13 2015
From: James Lodge
To: "freebsd-jail@freebsd.org"
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Date: Fri, 23 Oct 2015 19:15:04 +0000
References: <562A7147.5080002@freebsd.org> , <562A7F88.4070106@freebsd.org>
In-Reply-To: <562A7F88.4070106@freebsd.org>
X-List-Received-Date: Fri, 23 Oct 2015 19:30:13 -0000

On 2015-10-23 14:13, James Lodge wrote:
>> On 2015-10-23 11:37, James Lodge wrote:
>> Hello all,
>>
>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>
>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>
>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>
>> 10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1
>>
>> OpenVPN Jail Routing Table:
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> 172.16.1.8         link#4             UH         lo1
>>
>> Jail Host Routing Table:
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> default            x.x.0.1            UGS        vtnet0
>> 10.8.0.0           10.8.0.2           UGS        tun0
>> 10.8.0.1           link#5             UHS        lo0
>> 10.8.0.2           link#5             UH         tun0
>> x.x.0.0/18         link#1             U          vtnet0
>> x.x.x.x            link#1             UHS        lo0
>> localhost          link#3             UH         lo0
>> 172.16.1.1         link#4             UH         lo1
>> 172.16.1.2         link#4             UH         lo1
>> 172.16.1.3         link#4             UH         lo1
>> 172.16.1.4         link#4             UH         lo1
>> 172.16.1.5         link#4             UH         lo1
>> 172.16.1.6         link#4             UH         lo1
>> 172.16.1.7         link#4             UH         lo1
>> 172.16.1.8         link#4             UH         lo1
>>
>> Client Routing Table:
>>
>> IPv4 Route Table
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6     20
>>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6     20
>>          10.8.0.4  255.255.255.252          On-link        10.8.0.6    276
>>          10.8.0.6  255.255.255.255          On-link        10.8.0.6    276
>>          10.8.0.7  255.255.255.255          On-link        10.8.0.6    276
>>
>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>
>> James
>>
>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>> windows machine, and see if the packets are arriving.
>>
>> --
>> Allan Jude
>
> Thank you Allan,
>
> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>
> Results from Host tcpdump -i tun0 -n
>
> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>
> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>
> Results from Jail tcpdump -i tun0 -n
>
> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>
> Regards
> James
>
> Can you include the output of 'ifconfig' from inside the jail?, and
> 'netstat -rn'
>
> It looks like the packets are reaching you on tun0
>
> --
> Allan Jude

ifconfig from Jail
----------------------

vtnet0: flags=8843 metric 0 mtu 1500
        options=6c03bb
        ether 04:01:5d:21:c3:01
        media: Ethernet 10Gbase-T
        status: active

vtnet1: flags=8802 metric 0 mtu 1500
        options=6c03bb
        ether 04:01:5d:21:c3:02
        media: Ethernet 10Gbase-T
        status: active

lo0: flags=8049 metric 0 mtu 16384
        options=600003

lo1: flags=8049 metric 0 mtu 16384
        options=600003
        inet 172.16.1.8 netmask 0xffffffff

tun0: flags=8051 metric 0 mtu 1500
        options=80000
        Opened by PID 9024

pflog0: flags=141 metric 0 mtu 33160

netstat -rn from Jail
---------------------------

Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
172.16.1.8         link#4             UH         lo1

Regards
James

From owner-freebsd-jail@freebsd.org Fri Oct 23 20:24:12 2015
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
To: freebsd-jail@freebsd.org
References:
 <562A7147.5080002@freebsd.org> <562A7F88.4070106@freebsd.org>
From: Allan Jude
Message-ID: <562A9772.5050408@freebsd.org>
Date: Fri, 23 Oct 2015 16:24:18 -0400
X-List-Received-Date: Fri, 23 Oct 2015 20:24:12 -0000

On 2015-10-23 15:15, James Lodge wrote:
> On 2015-10-23 14:13, James Lodge wrote:
>>> On 2015-10-23 11:37, James Lodge wrote:
>>> Hello all,
>>>
>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>>
>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>
>>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>>
>>> 10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1
>>>
>>> OpenVPN Jail Routing Table:
>>>
>>> Internet:
>>> Destination        Gateway            Flags      Netif Expire
>>> 172.16.1.8         link#4             UH         lo1
>>>
>>> Jail Host Routing Table:
>>> Internet:
>>> Destination        Gateway            Flags      Netif Expire
>>> default            x.x.0.1            UGS        vtnet0
>>> 10.8.0.0           10.8.0.2           UGS        tun0
>>> 10.8.0.1           link#5             UHS        lo0
>>> 10.8.0.2           link#5             UH         tun0
>>> x.x.0.0/18         link#1             U          vtnet0
>>> x.x.x.x            link#1             UHS        lo0
>>> localhost          link#3             UH         lo0
>>> 172.16.1.1         link#4             UH         lo1
>>> 172.16.1.2         link#4             UH         lo1
>>> 172.16.1.3         link#4             UH         lo1
>>> 172.16.1.4         link#4             UH         lo1
>>> 172.16.1.5         link#4             UH         lo1
>>> 172.16.1.6         link#4             UH         lo1
>>> 172.16.1.7         link#4             UH         lo1
>>> 172.16.1.8         link#4             UH         lo1
>>>
>>> Client Routing Table:
>>>
>>> IPv4 Route Table
>>> ===========================================================================
>>> Active Routes:
>>> Network Destination        Netmask          Gateway       Interface  Metric
>>>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6     20
>>>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6     20
>>>          10.8.0.4  255.255.255.252          On-link        10.8.0.6    276
>>>          10.8.0.6  255.255.255.255          On-link        10.8.0.6    276
>>>          10.8.0.7  255.255.255.255          On-link        10.8.0.6    276
>>>
>>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>>
>>> James
>>>
>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>>> windows machine, and see if the packets are arriving.
>>>
>>> --
>>> Allan Jude
>>
>> Thank you Allan,
>>
>> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>>
>> Results from Host tcpdump -i tun0 -n
>>
>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>
>> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>>
>> Results from Jail tcpdump -i tun0 -n
>>
>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>
>> Regards
>> James
>>
>> Can you include the output of 'ifconfig' from inside the jail?, and
>> 'netstat -rn'
>>
>> It looks like the packets are reaching you on tun0
>>
>> --
>> Allan Jude
>
> ifconfig from Jail
> ----------------------
>
> vtnet0: flags=8843 metric 0 mtu 1500
>         options=6c03bb
>         ether 04:01:5d:21:c3:01
>         media: Ethernet 10Gbase-T
>         status: active
>
> vtnet1: flags=8802 metric 0 mtu 1500
>         options=6c03bb
>         ether 04:01:5d:21:c3:02
>         media: Ethernet 10Gbase-T
>         status: active
>
> lo0: flags=8049 metric 0 mtu 16384
>         options=600003
>
> lo1: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet 172.16.1.8 netmask 0xffffffff
>
> tun0: flags=8051 metric 0 mtu 1500
>         options=80000
>         Opened by PID 9024
>
> pflog0: flags=141 metric 0 mtu 33160
>
> netstat -rn from Jail
> ---------------------------
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags      Netif Expire
> 172.16.1.8         link#4             UH         lo1
>
> Regards
> James

Look at 'jls' on the host, as your jail doesn't seem to have any IP
addresses on tun0.

Or, where are you expecting to receive the traffic?
--
Allan Jude

From owner-freebsd-jail@freebsd.org Fri Oct 23 20:45:17 2015
From: James Lodge
To: "freebsd-jail@freebsd.org"
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Date: Fri, 23 Oct 2015 20:45:04 +0000
References: <562A7147.5080002@freebsd.org> <562A7F88.4070106@freebsd.org> , <562A9772.5050408@freebsd.org>
In-Reply-To: <562A9772.5050408@freebsd.org>
X-List-Received-Date: Fri, 23 Oct 2015 20:45:17 -0000

>On 2015-10-23 15:15, James Lodge wrote:
> On 2015-10-23 14:13, James Lodge wrote:
>>> On 2015-10-23 11:37, James Lodge wrote:
>>> Hello all,
>>>
>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>>
>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>
>>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>>
>>> 10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1
>>>
>>> OpenVPN Jail Routing Table:
>>>
>>> Internet:
>>> Destination        Gateway            Flags      Netif Expire
>>> 172.16.1.8         link#4             UH         lo1
>>>
>>> Jail Host Routing Table:
>>> Internet:
>>> Destination        Gateway            Flags      Netif Expire
>>> default            x.x.0.1            UGS        vtnet0
>>> 10.8.0.0           10.8.0.2           UGS        tun0
>>> 10.8.0.1           link#5             UHS        lo0
>>> 10.8.0.2           link#5             UH         tun0
>>> x.x.0.0/18         link#1             U          vtnet0
>>> x.x.x.x            link#1             UHS        lo0
>>> localhost          link#3             UH         lo0
>>> 172.16.1.1         link#4             UH         lo1
>>> 172.16.1.2         link#4             UH         lo1
>>> 172.16.1.3         link#4             UH         lo1
>>> 172.16.1.4         link#4             UH         lo1
>>> 172.16.1.5         link#4             UH         lo1
>>> 172.16.1.6         link#4             UH         lo1
>>> 172.16.1.7         link#4             UH         lo1
>>> 172.16.1.8         link#4             UH         lo1
>>>
>>> Client Routing Table:
>>>
>>> IPv4 Route Table
>>> ===========================================================================
>>> Active Routes:
>>> Network Destination        Netmask          Gateway       Interface  Metric
>>>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6     20
>>>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6     20
>>>          10.8.0.4  255.255.255.252          On-link        10.8.0.6    276
>>>          10.8.0.6  255.255.255.255          On-link        10.8.0.6    276
>>>          10.8.0.7  255.255.255.255          On-link        10.8.0.6    276
>>>
>>> I'm a little stumped as to how to troubleshoot the issue so any help
m= uch appreciated. >>> >>> >>> James >>> >>> >>> >>> _______________________________________________ >>> freebsd-jail@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail >>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" >>> >> >>> Try running 'tcpdump -i tun0 -n' on the host, while pining from the >>> windows machine, and see if the packets are arriving. >>> >>> -- >>> Allan Jude >> >> >> Thank you Allan, >> >> I should have thought of tcpdump. So traffic is being received at the ho= st from the windows client. >> >> Results from Host tcpdump -i tun0 -n >> >> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 105= 77, length 40 >> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512= 633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0 >> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.c= om. (34) >> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.c= om. (34) >> >> After that I thought I'd see if the traffic is reaching the jail. After = allow the jail access to /dev/bpf I get the same results as the host, traff= ic is received. >> >> Results from Jail tcpdump -i tun0 -n >> >> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.c= om. (34) >> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.c= om. (34) >> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.c= om. 
(34) >> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 313= 9281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0 >> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 415= 2048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0 >> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 310= 7463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0 >> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.c= om. (34) >> >> >> Regards >> James >> _______________________________________________ >> freebsd-jail@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-jail >> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" >> >> >> Can you include the output of 'ifconfig' from inside the jail?, and >> 'netstat -rn' >> >> It looks like the packets are reaching you on tun0 >> >> -- >> Allan Jude > > ifconfig from Jail > ---------------------- > > vtnet0: flags=3D8843 metric 0 mtu= 1500 > options=3D6c03bb > ether 04:01:5d:21:c3:01 > media: Ethernet 10Gbase-T > status: active > > vtnet1: flags=3D8802 metric 0 mtu 1500 > options=3D6c03bb > ether 04:01:5d:21:c3:02 > media: Ethernet 10Gbase-T > status: active > > lo0: flags=3D8049 metric 0 mtu 16384 > options=3D600003 > > lo1: flags=3D8049 metric 0 mtu 16384 > options=3D600003 > inet 172.16.1.8 netmask 0xffffffff > > tun0: flags=3D8051 metric 0 mtu 1500 > options=3D80000 > Opened by PID 9024 > > pflog0: flags=3D141 metric 0 mtu 33160 > > > netstat -rn from Jail > --------------------------- > > Routing tables > > Internet: > Destination Gateway Flags Netif Expire > 172.16.1.8 link#4 UH lo1 > > > Regards > James > > > > > _______________________________________________ > freebsd-jail@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > > > Look at 'jls' on the 
host, as your jail doesn't seem to have any IP > addresses on tun0. > > Or, where are you expecting to receive the traffic? > > -- > Allan Jude I expect the traffic to be received within the jail. I find it strange that= I don't see the same IP address as what I see on the host. Could this be a= devfs rule issue? what should I be looking for with jls? ifconfig from host _______________ tun0: flags=3D8051 metric 0 mtu 1500 options=3D80000 inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff nd6 options=3D29 Opened by PID 9024 Regards James From owner-freebsd-jail@freebsd.org Fri Oct 23 20:49:34 2015 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F1FCDA1D884 for ; Fri, 23 Oct 2015 20:49:34 +0000 (UTC) (envelope-from allanjude@freebsd.org) Received: from mx1.scaleengine.net (mx1.scaleengine.net [209.51.186.6]) by mx1.freebsd.org (Postfix) with ESMTP id C418A9AA for ; Fri, 23 Oct 2015 20:49:34 +0000 (UTC) (envelope-from allanjude@freebsd.org) Received: from [10.1.1.2] (unknown [10.1.1.2]) (Authenticated sender: allanjude.freebsd@scaleengine.com) by mx1.scaleengine.net (Postfix) with ESMTPSA id 2CA45D485 for ; Fri, 23 Oct 2015 20:49:34 +0000 (UTC) Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface To: freebsd-jail@freebsd.org References: <562A7147.5080002@freebsd.org> <562A7F88.4070106@freebsd.org> <562A9772.5050408@freebsd.org> From: Allan Jude Message-ID: <562A9D63.809@freebsd.org> Date: Fri, 23 Oct 2015 16:49:39 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="998BUA1nRAN1oAnNIK8q8W8tS50wEVijp" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , 

On 2015-10-23 16:45, James Lodge wrote:
>
>> On 2015-10-23 15:15, James Lodge wrote:
>> On 2015-10-23 14:13, James Lodge wrote:
>>>> On 2015-10-23 11:37, James Lodge wrote:
>>>> Hello all,
>>>>
>>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>>>
>>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>>
>>>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>>>
>>>> 10.8.06        x.x.x.x             172.16.1.8                     10.8.0.1
>>>>
>>>> OpenVPN Jail Routing Table:
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags   Netif    Expire
>>>> 172.16.1.8         link#4             UH      lo1
>>>>
>>>> Jail Host Routing Table:
>>>> Internet:
>>>> Destination        Gateway            Flags   Netif    Expire
>>>> default            x.x.0.1            UGS     vtnet0
>>>> 10.8.0.0           10.8.0.2           UGS     tun0
>>>> 10.8.0.1           link#5             UHS     lo0
>>>> 10.8.0.2           link#5             UH      tun0
>>>> x.x.0.0/18         link#1             U       vtnet0
>>>> x.x.x.x            link#1             UHS     lo0
>>>> localhost          link#3             UH      lo0
>>>> 172.16.1.1         link#4             UH      lo1
>>>> 172.16.1.2         link#4             UH      lo1
>>>> 172.16.1.3         link#4             UH      lo1
>>>> 172.16.1.4         link#4             UH      lo1
>>>> 172.16.1.5         link#4             UH      lo1
>>>> 172.16.1.6         link#4             UH      lo1
>>>> 172.16.1.7         link#4             UH      lo1
>>>> 172.16.1.8         link#4             UH      lo1
>>>>
>>>> Client Routing Table:
>>>>
>>>> IPv4 Route Table
>>>> ===========================================================================
>>>> Active Routes:
>>>> Network Destination    Netmask            Gateway     Interface    Metric
>>>> 0.0.0.0                0.0.0.0            10.8.0.5    10.8.0.6     20
>>>> 10.8.0.1               255.255.255.255    10.8.0.5    10.8.0.6     20
>>>> 10.8.0.4               255.255.255.252    On-link     10.8.0.6     276
>>>> 10.8.0.6               255.255.255.255    On-link     10.8.0.6     276
>>>> 10.8.0.7               255.255.255.255    On-link     10.8.0.6     276
>>>>
>>>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>>>
>>>> James
>>>>
>>>> _______________________________________________
>>>> freebsd-jail@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>>
>>>
>>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>>>> windows machine, and see if the packets are arriving.
>>>>
>>>> --
>>>> Allan Jude
>>>
>>> Thank you Allan,
>>>
>>> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>>>
>>> Results from Host tcpdump -i tun0 -n
>>>
>>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
>>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>
>>> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>>>
>>> Results from Jail tcpdump -i tun0 -n
>>>
>>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
>>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>
>>> Regards
>>> James
>>> _______________________________________________
>>> freebsd-jail@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>
>>> Can you include the output of 'ifconfig' from inside the jail?, and
>>> 'netstat -rn'
>>>
>>> It looks like the packets are reaching you on tun0
>>>
>>> --
>>> Allan Jude
>>
>> ifconfig from Jail
>> ----------------------
>>
>> vtnet0: flags=8843 metric 0 mtu 1500
>>         options=6c03bb
>>         ether 04:01:5d:21:c3:01
>>         media: Ethernet 10Gbase-T
>>         status: active
>>
>> vtnet1: flags=8802 metric 0 mtu 1500
>>         options=6c03bb
>>         ether 04:01:5d:21:c3:02
>>         media: Ethernet 10Gbase-T
>>         status: active
>>
>> lo0: flags=8049 metric 0 mtu 16384
>>         options=600003
>>
>> lo1: flags=8049 metric 0 mtu 16384
>>         options=600003
>>         inet 172.16.1.8 netmask 0xffffffff
>>
>> tun0: flags=8051 metric 0 mtu 1500
>>         options=80000
>>         Opened by PID 9024
>>
>> pflog0: flags=141 metric 0 mtu 33160
>>
>> netstat -rn from Jail
>> ---------------------------
>>
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Netif    Expire
>> 172.16.1.8         link#4             UH      lo1
>>
>> Regards
>> James
>>
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>> Look at 'jls' on the host, as your jail doesn't seem to have any IP
>> addresses on tun0.
>>
>> Or, where are you expecting to receive the traffic?
>>
>> --
>> Allan Jude
>
> I expect the traffic to be received within the jail. I find it strange that I don't see the same IP address as what I see on the host. Could this be a devfs rule issue? What should I be looking for with jls?
>
> ifconfig from host
> _______________
>
> tun0: flags=8051 metric 0 mtu 1500
>         options=80000
>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>         nd6 options=29
>         Opened by PID 9024
>
> Regards
> James
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

Jails are only allowed to see the IP addresses that are defined for that
jail, so you need to add 10.8.0.1 to the list of IP addresses for that
jail. In ezjail, edit /usr/local/etc/ezjail/jail_name and add the 2nd ip
after the first, separated with a comma.

--
Allan Jude

From owner-freebsd-jail@freebsd.org Fri Oct 23 21:41:32 2015
Delivered-To: freebsd-jail@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
[IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 33F5CA1C5DD for ; Fri, 23 Oct 2015 21:41:32 +0000 (UTC) (envelope-from James@Lodge.me.uk)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0103.outbound.protection.outlook.com [157.56.112.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "MSIT Machine Auth CA 2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7C2FD1C89 for ; Fri, 23 Oct 2015 21:41:30 +0000 (UTC) (envelope-from James@Lodge.me.uk)
Received: from VI1PR06MB1037.eurprd06.prod.outlook.com (10.162.123.156) by VI1PR06MB1037.eurprd06.prod.outlook.com (10.162.123.156) with Microsoft SMTP Server (TLS) id 15.1.306.13; Fri, 23 Oct 2015 21:25:58 +0000
Received: from VI1PR06MB1037.eurprd06.prod.outlook.com ([10.162.123.156]) by VI1PR06MB1037.eurprd06.prod.outlook.com ([10.162.123.156]) with mapi id 15.01.0306.003; Fri, 23 Oct 2015 21:25:58 +0000
From: James Lodge
To: "freebsd-jail@freebsd.org"
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Date: Fri, 23 Oct 2015 21:25:57 +0000
References: <562A7147.5080002@freebsd.org> <562A7F88.4070106@freebsd.org> <562A9772.5050408@freebsd.org> , <562A9D63.809@freebsd.org>
In-Reply-To: <562A9D63.809@freebsd.org>

>On 2015-10-23 16:45, James Lodge wrote:
>
>> On 2015-10-23 15:15, James Lodge wrote:
>> On 2015-10-23 14:13, James Lodge wrote:
>>>> On 2015-10-23 11:37, James Lodge wrote:
>>>> Hello all,
>>>>
>>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>>>
>>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>>
>>>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>>>
>>>> 10.8.06        x.x.x.x             172.16.1.8                     10.8.0.1
>>>>
>>>> OpenVPN Jail Routing Table:
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags   Netif    Expire
>>>> 172.16.1.8         link#4             UH      lo1
>>>>
>>>> Jail Host Routing Table:
>>>> Internet:
>>>> Destination        Gateway            Flags   Netif    Expire
>>>> default            x.x.0.1            UGS     vtnet0
>>>> 10.8.0.0           10.8.0.2           UGS     tun0
>>>> 10.8.0.1           link#5             UHS     lo0
>>>> 10.8.0.2           link#5             UH      tun0
>>>> x.x.0.0/18         link#1             U       vtnet0
>>>> x.x.x.x            link#1             UHS     lo0
>>>> localhost          link#3             UH      lo0
>>>> 172.16.1.1         link#4             UH      lo1
>>>> 172.16.1.2         link#4             UH      lo1
>>>> 172.16.1.3         link#4             UH      lo1
>>>> 172.16.1.4         link#4             UH      lo1
>>>> 172.16.1.5         link#4             UH      lo1
>>>> 172.16.1.6         link#4             UH      lo1
>>>> 172.16.1.7         link#4             UH      lo1
>>>> 172.16.1.8         link#4             UH      lo1
>>>>
>>>> Client Routing Table:
>>>>
>>>> IPv4 Route Table
>>>> ===========================================================================
>>>> Active Routes:
>>>> Network Destination    Netmask            Gateway     Interface    Metric
>>>> 0.0.0.0                0.0.0.0            10.8.0.5    10.8.0.6     20
>>>> 10.8.0.1               255.255.255.255    10.8.0.5    10.8.0.6     20
>>>> 10.8.0.4               255.255.255.252    On-link     10.8.0.6     276
>>>> 10.8.0.6               255.255.255.255    On-link     10.8.0.6     276
>>>> 10.8.0.7               255.255.255.255    On-link     10.8.0.6     276
>>>>
>>>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>>>
>>>> James
>>>>
>>>> _______________________________________________
>>>> freebsd-jail@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>>
>>>
>>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>>>> windows machine, and see if the packets are arriving.
>>>>
>>>> --
>>>> Allan Jude
>>>
>>> Thank you Allan,
>>>
>>> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>>>
>>> Results from Host tcpdump -i tun0 -n
>>>
>>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
>>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>
>>> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>>>
>>> Results from Jail tcpdump -i tun0 -n
>>>
>>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
>>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>
>>> Regards
>>> James
>>> _______________________________________________
>>> freebsd-jail@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>
>>> Can you include the output of 'ifconfig' from inside the jail?, and
>>> 'netstat -rn'
>>>
>>> It looks like the packets are reaching you on tun0
>>>
>>> --
>>> Allan Jude
>>
>> ifconfig from Jail
>> ----------------------
>>
>> vtnet0: flags=8843 metric 0 mtu 1500
>>         options=6c03bb
>>         ether 04:01:5d:21:c3:01
>>         media: Ethernet 10Gbase-T
>>         status: active
>>
>> vtnet1: flags=8802 metric 0 mtu 1500
>>         options=6c03bb
>>         ether 04:01:5d:21:c3:02
>>         media: Ethernet 10Gbase-T
>>         status: active
>>
>> lo0: flags=8049 metric 0 mtu 16384
>>         options=600003
>>
>> lo1: flags=8049 metric 0 mtu 16384
>>         options=600003
>>         inet 172.16.1.8 netmask 0xffffffff
>>
>> tun0: flags=8051 metric 0 mtu 1500
>>         options=80000
>>         Opened by PID 9024
>>
>> pflog0: flags=141 metric 0 mtu 33160
>>
>> netstat -rn from Jail
>> ---------------------------
>>
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Netif    Expire
>> 172.16.1.8         link#4             UH      lo1
>>
>> Regards
>> James
>>
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>> Look at 'jls' on the host, as your jail doesn't seem to have any IP
>> addresses on tun0.
>>
>> Or, where are you expecting to receive the traffic?
>>
>> --
>> Allan Jude
>
> I expect the traffic to be received within the jail. I find it strange that I don't see the same IP address as what I see on the host. Could this be a devfs rule issue? What should I be looking for with jls?
>
> ifconfig from host
> _______________
>
> tun0: flags=8051 metric 0 mtu 1500
>         options=80000
>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>         nd6 options=29
>         Opened by PID 9024
>
> Regards
> James
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>
> Jails are only allowed to see the IP addresses that are defined for that
> jail, so you need to add 10.8.0.1 to the list of IP addresses for that
> jail. In ezjail, edit /usr/local/etc/ezjail/jail_name and add the 2nd ip
> after the first, separated with a comma.
>
> --
> Allan Jude

Thanks Allan,

You learn something new every day! So now ifconfig from jail

tun0: flags=8051 metric 0 mtu 1500
        options=80000
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        Opened by PID 11132

and after allowing ICMP through PF on the host I can now ping the tun0 from the client, so thank you very much for your help. One last thing you might be able to point me in the right direction of. I need to route client traffic on to the Internet. My understanding is IP forwarding can't be enabled within the jail and adding routes to the jail's routing table isn't possible either.
I'm doing NAT at the host, but how do I get the traffic from inside the jail there?

Regards
James

From owner-freebsd-jail@freebsd.org Fri Oct 23 23:41:26 2015
Delivered-To: freebsd-jail@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 96D6AA1DE3C for ; Fri, 23 Oct 2015 23:41:26 +0000 (UTC) (envelope-from allanjude@freebsd.org)
Received: from mx1.scaleengine.net (mx1.scaleengine.net [209.51.186.6]) by mx1.freebsd.org (Postfix) with ESMTP id 4FDB29D8 for ; Fri, 23 Oct 2015 23:41:25 +0000 (UTC) (envelope-from allanjude@freebsd.org)
Received: from [10.1.1.2] (unknown [10.1.1.2]) (Authenticated sender: allanjude.freebsd@scaleengine.com) by mx1.scaleengine.net (Postfix) with ESMTPSA id A30B3D651 for ; Fri, 23 Oct 2015 23:41:24 +0000 (UTC)
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
To: freebsd-jail@freebsd.org
References: <562A7147.5080002@freebsd.org> <562A7F88.4070106@freebsd.org> <562A9772.5050408@freebsd.org> <562A9D63.809@freebsd.org>
From: Allan Jude
Message-ID: <562AC5A9.1090106@freebsd.org>
Date: Fri, 23 Oct 2015 19:41:29 -0400

On 2015-10-23 17:25, James Lodge wrote:
>
>> On 2015-10-23 16:45, James Lodge wrote:
>>
>>> On 2015-10-23 15:15, James Lodge wrote:
>>> On 2015-10-23 14:13, James Lodge wrote:
>>>>> On 2015-10-23 11:37, James Lodge wrote:
>>>>> Hello all,
>>>>>
>>>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>>>>
>>>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>>>
>>>>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>>>>
>>>>> 10.8.06        x.x.x.x             172.16.1.8                     10.8.0.1
>>>>>
>>>>> OpenVPN Jail Routing Table:
>>>>>
>>>>> Internet:
>>>>> Destination        Gateway            Flags   Netif    Expire
>>>>> 172.16.1.8         link#4             UH      lo1
>>>>>
>>>>> Jail Host Routing Table:
>>>>> Internet:
>>>>> Destination        Gateway            Flags   Netif    Expire
>>>>> default            x.x.0.1            UGS     vtnet0
>>>>> 10.8.0.0           10.8.0.2           UGS     tun0
>>>>> 10.8.0.1           link#5             UHS     lo0
>>>>> 10.8.0.2           link#5             UH      tun0
>>>>> x.x.0.0/18         link#1             U       vtnet0
>>>>> x.x.x.x            link#1             UHS     lo0
>>>>> localhost          link#3             UH      lo0
>>>>> 172.16.1.1         link#4             UH      lo1
>>>>> 172.16.1.2         link#4             UH      lo1
>>>>> 172.16.1.3         link#4             UH      lo1
>>>>> 172.16.1.4         link#4             UH      lo1
>>>>> 172.16.1.5         link#4             UH      lo1
>>>>> 172.16.1.6         link#4             UH      lo1
>>>>> 172.16.1.7         link#4             UH      lo1
>>>>> 172.16.1.8         link#4             UH      lo1
>>>>>
>>>>> Client Routing Table:
>>>>>
>>>>> IPv4 Route Table
>>>>> ===========================================================================
>>>>> Active Routes:
>>>>> Network Destination    Netmask            Gateway     Interface    Metric
>>>>> 0.0.0.0                0.0.0.0            10.8.0.5    10.8.0.6     20
>>>>> 10.8.0.1               255.255.255.255    10.8.0.5    10.8.0.6     20
>>>>> 10.8.0.4               255.255.255.252    On-link     10.8.0.6     276
>>>>> 10.8.0.6               255.255.255.255    On-link     10.8.0.6     276
>>>>> 10.8.0.7               255.255.255.255    On-link     10.8.0.6     276
>>>>>
>>>>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>>>>
>>>>> James
>>>>>
>>>>> _______________________________________________
>>>>> freebsd-jail@freebsd.org mailing list
>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>>>
>>>>
>>>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>>>>> windows machine, and see if the packets are arriving.
>>>>>
>>>>> --
>>>>> Allan Jude
>>>>
>>>> Thank you Allan,
>>>>
>>>> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>>>>
>>>> Results from Host tcpdump -i tun0 -n
>>>>
>>>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
>>>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>>>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>>
>>>> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>>>>
>>>> Results from Jail tcpdump -i tun0 -n
>>>>
>>>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
>>>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>>>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>>
>>>> Regards
>>>> James
>>>> _______________________________________________
>>>> freebsd-jail@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>>
>>>> Can you include the output of 'ifconfig' from inside the jail?, and
>>>> 'netstat -rn'
>>>>
>>>> It looks like the packets are reaching you on tun0
>>>>
>>>> --
>>>> Allan Jude
>>>
>>> ifconfig from Jail
>>> ----------------------
>>>
>>> vtnet0: flags=8843 metric 0 mtu 1500
>>>         options=6c03bb
>>>         ether 04:01:5d:21:c3:01
>>>         media: Ethernet 10Gbase-T
>>>         status: active
>>>
>>> vtnet1: flags=8802 metric 0 mtu 1500
>>>         options=6c03bb
>>>         ether 04:01:5d:21:c3:02
>>>         media: Ethernet 10Gbase-T
>>>         status: active
>>>
>>> lo0: flags=8049 metric 0 mtu 16384
>>>         options=600003
>>>
>>> lo1: flags=8049 metric 0 mtu 16384
>>>         options=600003
>>>         inet 172.16.1.8 netmask 0xffffffff
>>>
>>> tun0: flags=8051 metric 0 mtu 1500
>>>         options=80000
>>>         Opened by PID 9024
>>>
>>> pflog0: flags=141 metric 0 mtu 33160
>>>
>>> netstat -rn from Jail
>>> ---------------------------
>>>
>>> Routing tables
>>>
>>> Internet:
>>> Destination        Gateway            Flags   Netif    Expire
>>> 172.16.1.8         link#4             UH      lo1
>>>
>>> Regards
>>> James
>>>
_______________________________________________ >>> freebsd-jail@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail >>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.or= g" >>> >>> >>> Look at 'jls' on the host, as your jail doesn't seem to have any IP >>> addresses on tun0. >>> >>> Or, where are you expecting to receive the traffic? >>> >>> -- >>> Allan Jude >> >> >> I expect the traffic to be received within the jail. I find it strange= that I don't see the same IP address as what I see on the host. Could th= is be a devfs rule issue? what should I be looking for with jls? >> >> ifconfig from host >> _______________ >> >> >> tun0: flags=3D8051 metric 0 mtu 1500= >> options=3D80000 >> inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff >> nd6 options=3D29 >> Opened by PID 9024 >> >> Regards >> James >> >> _______________________________________________ >> freebsd-jail@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-jail >> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org= " >> >> >> Jails are only allowed to see the IP addresses that are defined for th= at >> jail, so you need to add 10.8.0.1 to the list of IP addresses for that= >> jail. In ezjail, edit /usr/local/etc/ezjail/jail_name and add the 2nd = ip >> after the first, separated with a comma. >> >> -- >> Allan Jude >=20 > Thanks Allan,=20 >=20 > You learn something new everyday! >=20 > So now ifconfig from jail=20 >=20 > tun0: flags=3D8051 metric 0 mtu 1500 > options=3D80000 > inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff > Opened by PID 11132 >=20 >=20 > and after allow ICMP through PF on the host I can now ping the tun0 fro= m the client, so thank you very much for your help. One last thing you mi= ght be able to point me in the right direction of. I need to route client= traffic on to the Internet. 
My understanding is IP forwarding can't be e= nabled within the jail and adding routes to the jails routing table isn't= possible either. I'm doing NAT at the host, but how do I get the traffic= from inside the jail there.=20 >=20 > Regards > James=20 >=20 >=20 >=20 >=20 > _______________________________________________ > freebsd-jail@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"= >=20 You should be able to do: sysrc gateway_enable=3D"YES" (temporarily: sysctl net.inet.ip.forwarding=3D1) and that should allow packets to move between interfaces. --=20 Allan Jude --OoDaa8vksQ9maweft0j6dSUtUAp1srkG5 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQIcBAEBAgAGBQJWKsWsAAoJEBmVNT4SmAt+Pl8P/RZ74gL8PGaK2SUz88q3O6t/ fj/wyWrlGHrolf+8ehnPIbxCV2AtJLXpXxnBo/bvE6zRQxh5rj/3mjnBGNEqZoTQ PCSDoszC1LQ/D5IJvU7LdTAb3aOhjxlqdTPPaeq1QUx/F1+OxixEFctJoYxmbZbw 3crf+r6FGq/Zwi4KWOflvGYByZS06BDKLC7Vzm6Xrzk6q5p5iHUr5ZmBsLrlLPui 7yFBxbR54J/7qL+F3qzpiLBf6WZxyxvDcJ5LbbORVgca0gALEt4kRtucStiGCA5v QI97qWWlIP8vwFCDL6TB2iEj7nCBWB++MUeREeWph0O6bpU6IHwa6INJx8QfyKDS Yh3NvZyWsldgJgHZkrf5nj72Uhs65xFueqr1dOOGseMYRwX/0AyeOnVXhz2C7/zq 0qEa3ZKitrDgkNe+otWd8ARap5rHzVMO1DoFhwOdnRMDnA5gnsQYFqSJJs4tviNd mnKVyfGaZfukz3BqhD3NJqZRmiaMUnTY7FBxCDdm2pW8WMHQJ/Pm1JO54tFNyuDx 0IirL7FAz90+utIg5zpN1ArHZup3qCwP5sbMGm+Tpr0bliafK4Knffm7szItC9BQ fu3PElharLj2hAPFIZv1FCxSlNcfB59w2052Iq/gdC2VAgi+7XEm1kIUveFJlAOd I4o3BGcRm1epuq4kM1i/ =7eht -----END PGP SIGNATURE----- --OoDaa8vksQ9maweft0j6dSUtUAp1srkG5-- From owner-freebsd-jail@freebsd.org Sat Oct 24 07:47:44 2015 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) 
with ESMTP id A9ACBA1D49B for ; Sat, 24 Oct 2015 07:47:44 +0000 (UTC) (envelope-from James@Lodge.me.uk) Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0108.outbound.protection.outlook.com [157.56.112.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "MSIT Machine Auth CA 2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F022DFB7 for ; Sat, 24 Oct 2015 07:47:43 +0000 (UTC) (envelope-from James@Lodge.me.uk) Received: from VI1PR06MB1037.eurprd06.prod.outlook.com (10.162.123.156) by VI1PR06MB1038.eurprd06.prod.outlook.com (10.162.123.157) with Microsoft SMTP Server (TLS) id 15.1.306.13; Sat, 24 Oct 2015 07:47:33 +0000 Received: from VI1PR06MB1037.eurprd06.prod.outlook.com ([10.162.123.156]) by VI1PR06MB1037.eurprd06.prod.outlook.com ([10.162.123.156]) with mapi id 15.01.0306.003; Sat, 24 Oct 2015 07:47:33 +0000 From: James Lodge To: "freebsd-jail@freebsd.org" Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface Thread-Topic: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface Thread-Index: AQHRDaWCwzvCKcmAUUSD4bPPASu+QJ55WMqAgAABxDKAAA86AIAACF/vgAAUIwCAAAK2PYAABGCAgAAEqWiAACtZgIAAhw68 Date: Sat, 24 Oct 2015 07:47:32 +0000 Message-ID: References: <562A7147.5080002@freebsd.org> <562A7F88.4070106@freebsd.org> <562A9772.5050408@freebsd.org> <562A9D63.809@freebsd.org> , <562AC5A9.1090106@freebsd.org> In-Reply-To: <562AC5A9.1090106@freebsd.org> Accept-Language: en-GB, en-US Content-Language: en-GB X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=James@Lodge.me.uk; x-originating-ip: [46.101.56.132] x-microsoft-exchange-diagnostics: 1; VI1PR06MB1038; 5:xJu1UFtFAaM9K+hHCJ2AEk1AlxO1rBO7+P2cj1041n7hsawqj9GJpnXEQZZUms2Yv6Ftyj9BEKKnQtWagbHNVjnB6qaoQTlF66lx7X37uDom+R72L2E9MoNgLaye+sLQdtr4JGIe2o5tpOA5lEuQpg==; 
24:D8TcO5gwkqsVjNp1zVXGRGvi4L9WqdwUbx78nUCsUvy5Z0NGh7rxMbpIqrpWdJDjEsfT+ovU1bv2OUA95r9/zQVoe+YQ2e1z/odFR/hfQqQ=; 20:FGQBf3Y5cGX9YqFcjM0FIANxvD/biil/Ml4kHT1nfZlozg9MxmCRbhR8G7QPT1Q/bN2UuIgixeW3FNa2Z4nVRw== x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(42134001)(42139001); SRVR:VI1PR06MB1038; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(265634631926514); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(520078)(8121501046)(5005006)(3002001)(102215026); SRVR:VI1PR06MB1038; BCL:0; PCL:0; RULEID:; SRVR:VI1PR06MB1038; x-forefront-prvs: 073966E86B x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(53754006)(24454002)(377424004)(45984002)(199003)(40764003)(189002)(86362001)(87936001)(101416001)(54356999)(76176999)(50986999)(11100500001)(5004730100002)(74482002)(122556002)(5008740100001)(10400500002)(107886002)(40100003)(5007970100001)(92566002)(2501003)(5001960100002)(110136002)(450100001)(2900100001)(2950100001)(81156007)(97736004)(80792005)(4001150100001)(5002640100001)(77096005)(15975445007)(189998001)(102836002)(33656002)(5003600100002)(66066001)(2351001)(105586002)(93886004)(106116001)(106356001)(76576001)(19580395003)(19580405001)(74316001); DIR:OUT; SFP:1102; SCL:1; SRVR:VI1PR06MB1038; H:VI1PR06MB1037.eurprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; received-spf: None (protection.outlook.com: Lodge.me.uk does not designate permitted sender hosts) spamdiagnosticoutput: 1:23 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: Lodge.me.uk X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2015 07:47:32.6104 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: ded56ae9-7c77-4cf6-bbfd-39e6a505742d X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR06MB1038 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.20 
>On 2015-10-23 17:25, James Lodge wrote:
>
>> On 2015-10-23 16:45, James Lodge wrote:
>>
>>> On 2015-10-23 15:15, James Lodge wrote:
>>> Look at 'jls' on the host, as your jail doesn't seem to have any IP
>>> addresses on tun0.
>>>
>>> Or, where are you expecting to receive the traffic?
>>>
>>> --
>>> Allan Jude
>>
>> I expect the traffic to be received within the jail. I find it strange that I don't see the same IP address as what I see on the host. Could this be a devfs rule issue? What should I be looking for with jls?
>>
>> ifconfig from host
>> _______________
>>
>> tun0: flags=8051 metric 0 mtu 1500
>>         options=80000
>>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>>         nd6 options=29
>>         Opened by PID 9024
>>
>> Regards
>> James
>>
>> Jails are only allowed to see the IP addresses that are defined for that
>> jail, so you need to add 10.8.0.1 to the list of IP addresses for that
>> jail. In ezjail, edit /usr/local/etc/ezjail/jail_name and add the 2nd ip
>> after the first, separated with a comma.
>>
>> --
>> Allan Jude
>
> Thanks Allan,
>
> You learn something new every day!
>
> So now ifconfig from jail
>
> tun0: flags=8051 metric 0 mtu 1500
>         options=80000
>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>         Opened by PID 11132
>
> and after allowing ICMP through PF on the host I can now ping the tun0 from the client, so thank you very much for your help. One last thing you might be able to point me in the right direction of. I need to route client traffic on to the Internet. My understanding is IP forwarding can't be enabled within the jail and adding routes to the jail's routing table isn't possible either. I'm doing NAT at the host, but how do I get the traffic from inside the jail there.
>
> Regards
> James
>
> You should be able to do:
> sysrc gateway_enable="YES"
>
>(temporarily: sysctl net.inet.ip.forwarding=1)
>
>and that should allow packets to move between interfaces.
>
>--
>Allan Jude

Thanks Allan,

As always you're a fountain of knowledge.

After enabling IP forwarding and amending my PF NAT rule everything is now working. Once again thank you for your help.

Regards
James
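The rule that resolved this thread (a non-vimage jail only sees the addresses in its own IP list) can be checked mechanically. The script below is an added example, not part of the thread or of ezjail: it compares host `ifconfig` output with a jail's address list and prints every interface address the jail cannot see. The function names and the sample `ifconfig` text are constructed for illustration; the addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: which host addresses are hidden from a non-vimage jail?
# A jail only sees addresses that appear in its own IP list, so every
# "interface address" pair printed by hidden_addrs is invisible inside it.
#
# Real use on the host (JAILNAME is a placeholder):
#   ifconfig | hidden_addrs "$(jls -j JAILNAME ip4.addr)"

# Constructed sample of host ifconfig output, modelled on the thread:
# lo1 carries the jail aliases, tun0 is the OpenVPN interface.
sample_ifconfig() {
cat <<'EOF'
lo1: flags=8049 metric 0 mtu 16384
        inet 172.16.1.7 netmask 0xffffffff
        inet 172.16.1.8 netmask 0xffffffff
tun0: flags=8051 metric 0 mtu 1500
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        Opened by PID 9024
EOF
}

# Read ifconfig output on stdin, print "interface address" per IPv4 address.
iface_addrs() {
    awk '/^[a-z0-9]+:/ { ifc = $1; sub(/:$/, "", ifc) }
         $1 == "inet"  { print ifc, $2 }'
}

# Turn a jail address list into one address per line. Accepts the plain
# comma-separated form and ezjail's "interface|address" form.
normalize_ips() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[^|]*|//'
}

# hidden_addrs JAIL_IPS < ifconfig-output
# Print each interface address that is NOT in the jail's list.
hidden_addrs() {
    iface_addrs | while read -r ifc addr; do
        if ! normalize_ips "$1" | grep -Fxq -- "$addr"; then
            echo "$ifc $addr"
        fi
    done
}

# Before the fix the jail was given only its lo1 alias, so the tun0
# address (and the other jails' aliases) are reported as hidden.
sample_ifconfig | hidden_addrs "172.16.1.8"
```

Addresses on lo1 that belong to other jails are reported as hidden too, which is the intended isolation; only the tun0 address needed adding for the OpenVPN jail.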