From nobody Fri Jul 23 16:36:25 2021
Date: Fri, 23 Jul 2021 18:36:25 +0200
From: Jacques Foucry
To: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: iocage, vnet jail does not go outside
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

Hello friends,

I'm turning crazy.

I made a new jail on my hosted system using iocage.

Here is the config.json file:

more config.json
{
    "allow_mount": 1,
    "allow_mount_devfs": 1,
    "allow_mount_nullfs": 1,
    "allow_mount_procfs": 1,
    "allow_mount_tmpfs": 1,
    "allow_mount_zfs": 1,
    "allow_raw_sockets": 1,
    "allow_socket_af": 1,
    "allow_sysvipc": 1,
    "bpf": 1,
    "cloned_release": "13.0-RELEASE",
    "defaultrouter": "10.0.10.1",
    "defaultrouter6": "auto",
    "dhcp": 0,
    "host_hostname": "examplejail",
    "host_hostuuid": "examplejail",
    "ip4_addr": "vnet0|10.0.10.23/24",
    "ip6_addr": "vnet0|2a01:4f9:4a:1fd8::23",
    "jail_zfs_dataset": "iocage/jails/examplejail/data",
    "last_started": "2021-07-23 15:11:28",
    "nat": 0,
    "release": "13.0-RELEASE-p3",
    "vnet": 1,
    "vnet0_mac": "b42e999c5bca b42e999c5bcb",
    "vnet_default_interface": "auto"
}

The jail's ifconfig:

ifconfig
lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8843 metric 0 mtu 1500
        options=8
        ether b4:2e:99:9c:5b:cb
        hwaddr 02:ae:46:07:62:0b
        inet 10.0.10.23 netmask 0xffffff00 broadcast 10.0.10.255
        inet6 2a01:4f9:4a:1fd8::23 prefixlen 64
        inet6 fe80::b62e:99ff:fe9c:5bcb%epair0b prefixlen 64 scopeid 0x3
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
        nd6 options=21

The jail's netstat:

netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.10.1          UGS     epair0b
10.0.10.0/24       link#3             U       epair0b
10.0.10.23         link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
default                           fe80::1%epair0b               UGS     epair0b
::1                               link#1                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2a01:4f9:4a:1fd8::/64             link#3                        U       epair0b
2a01:4f9:4a:1fd8::23              link#3                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
fe80::%epair0b/64                 link#3                        U       epair0b
fe80::b62e:99ff:fe9c:5bcb%epair0b link#3                        UHS         lo0
ff02::/16

On the host, the ifconfig (note there are a lot of old-fashioned jails):

ifconfig
em0: flags=8963 metric 0 mtu 1500
        options=4810099
        ether b4:2e:99:6a:80:9d
        inet6 2a01:4f9:4a:1fd8::2 prefixlen 64
        inet6 fe80::b62e:99ff:fe6a:809d%em0 prefixlen 64 scopeid 0x1
        inet6 2a01:4f9:4a:1fd8::5 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::11 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::12 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::15 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::16 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::18 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::19 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::21 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::22 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::25 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::14 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::29 prefixlen 64
        inet6 2a01:4f9:4a:1fd8::17 prefixlen 64
        inet 95.217.83.231 netmask 0xffffffc0 broadcast 95.217.83.255
        media: Ethernet autoselect (1000baseT )
        status: active
        nd6 options=21
lo0: flags=8049 metric 0 mtu 16384
        options=680003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.12.1 netmask 0xff000000
        inet 127.0.1.5 netmask 0xffffffff
        inet 127.0.1.11 netmask 0xffffffff
        inet 127.0.1.12 netmask 0xffffffff
        inet 127.0.1.15 netmask 0xffffffff
        inet 127.0.1.16 netmask 0xffffffff
        inet 127.0.1.18 netmask 0xffffffff
        inet 127.0.1.19 netmask 0xffffffff
        inet 127.0.1.21 netmask 0xffffffff
        inet 127.0.1.22 netmask 0xffffffff
        inet 127.0.1.25 netmask 0xffffffff
        inet 127.0.1.14 netmask 0xffffffff
        inet 127.0.1.29 netmask 0xffffffff
        inet 127.0.1.17 netmask 0xffffffff
        groups: lo
        nd6 options=21
lo1: flags=8049 metric 0 mtu 16384
        options=680003
        inet 192.168.12.1 netmask 0xffffff00
        inet 192.168.12.5 netmask 0xffffffff
        inet 192.168.12.11 netmask 0xffffff00
        inet 192.168.12.12 netmask 0xffffff00
        inet 192.168.12.15 netmask 0xffffff00
        inet 192.168.12.16 netmask 0xffffff00
        inet 192.168.12.18 netmask 0xffffff00
        inet 192.168.12.19 netmask 0xffffff00
        inet 192.168.12.21 netmask 0xffffff00
        inet 192.168.12.22 netmask 0xffffff00
        inet 192.168.12.25 netmask 0xffffff00
        inet 192.168.12.14 netmask 0xffffff00
        inet 192.168.12.29 netmask 0xffffff00
        inet 192.168.12.17 netmask 0xffffff00
        groups: lo
        nd6 options=29
pflog0: flags=100 metric 0 mtu 33160
        groups: pflog
bridge0: flags=8843 metric 0 mtu 1500
        description: jails-bridge
        ether 58:9c:fc:10:ed:66
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0.655 flags=143
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=9
vnet0.655: flags=8943 metric 0 mtu 1500
        description: associated with jail: examplejail as nic: epair0b
        options=8
        ether b4:2e:99:9c:5b:ca
        hwaddr 02:ae:46:07:62:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
        nd6 options=29

And the host's netstat (again with many old-fashioned jails):

netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            95.217.83.193      UGS         em0
10.0.10.0/24       link#5             U       bridge0
10.0.10.1          link#5             UHS         lo0
95.217.83.192/26   link#1             U           em0
95.217.83.231      link#1             UHS         lo0
127.0.0.1          link#2             UH          lo0
127.0.1.5          link#2             UH          lo0
127.0.1.11         link#2             UH          lo0
127.0.1.12         link#2             UH          lo0
127.0.1.14         link#2             UH          lo0
127.0.1.15         link#2             UH          lo0
127.0.1.16         link#2             UH          lo0
127.0.1.17         link#2             UH          lo0
127.0.1.18         link#2             UH          lo0
127.0.1.19         link#2             UH          lo0
127.0.1.21         link#2             UH          lo0
127.0.1.22         link#2             UH          lo0
127.0.1.25         link#2             UH          lo0
127.0.1.29         link#2             UH          lo0
127.0.12.1         link#2             UH          lo0
192.168.12.1       link#3             UH          lo1
192.168.12.5       link#3             UH          lo1
192.168.12.11      link#3             UH          lo1
192.168.12.12      link#3             UH          lo1
192.168.12.14      link#3             UH          lo1
192.168.12.15      link#3             UH          lo1
192.168.12.16      link#3             UH          lo1
192.168.12.17      link#3             UH          lo1
192.168.12.18      link#3             UH          lo1
192.168.12.19      link#3             UH          lo1
192.168.12.21      link#3             UH          lo1
192.168.12.22      link#3             UH          lo1
192.168.12.25      link#3             UH          lo1
192.168.12.29      link#3             UH          lo1

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
default                           fe80::1%em0                   UGS         em0
::1                               link#2                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2a01:4f9:4a:1fd8::/64             link#1                        U           em0
2a01:4f9:4a:1fd8::2               link#1                        UHS         lo0
2a01:4f9:4a:1fd8::5               link#1                        UHS         lo0
2a01:4f9:4a:1fd8::11              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::12              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::14              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::15              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::16              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::17              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::18              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::19              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::21              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::22              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::25              link#1                        UHS         lo0
2a01:4f9:4a:1fd8::29              link#1                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%em0/64                     link#1                        U           em0
fe80::b62e:99ff:fe6a:809d%em0     link#1                        UHS         lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

The bridge0 has the em0 and vnet0.655 interfaces.

From the jail I can ping the outside world:

ping google.ca
PING6(56=40+8+8 bytes) 2a01:4f9:4a:1fd8::23 --> 2a00:1450:400f:803::2003
16 bytes from 2a00:1450:400f:803::2003, icmp_seq=0 hlim=118 time=7.927 ms
16 bytes from 2a00:1450:400f:803::2003, icmp_seq=1 hlim=118 time=7.800 ms
16 bytes from 2a00:1450:400f:803::2003, icmp_seq=2 hlim=118 time=7.798 ms
^C
--- google.ca ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 7.798/7.842/7.927/0.061 ms

The problem is, I cannot ssh to an external computer (for example, my
nextcloud hosted at home):

ssh -vvv nextcloud.foucry.net -p2250
OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 25 Mar 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "nextcloud.foucry.net" port 2250
debug2: ssh_connect_direct
debug1: Connecting to nextcloud.foucry.net [2a01:e0a:434:44e0:ff:60ff:feba:b582] port 2250.
debug1: connect to address 2a01:e0a:434:44e0:ff:60ff:feba:b582 port 2250: Operation timed out
debug1: Connecting to nextcloud.foucry.net [82.65.174.130] port 2250.
debug1: connect to address 82.65.174.130 port 2250: Operation timed out
ssh: connect to host nextcloud.foucry.net port 2250: Operation timed out

What looks strange (for me) is the traceroute (using IPv4):

traceroute nextcloud.foucry.net
traceroute to nextcloud.foucry.net (82.65.174.130), 64 hops max, 40 byte packets
 1  10.0.10.1 (10.0.10.1)  0.086 ms  0.051 ms  0.037 ms
 2  static.193.83.217.95.clients.your-server.de (95.217.83.193)  0.451 ms  0.571 ms  0.392 ms
 3  core32.hel1.hetzner.com (213.239.252.97)  11.621 ms
    core31.hel1.hetzner.com (213.239.252.93)  1.812 ms
    core32.hel1.hetzner.com (213.239.252.97)  2.793 ms
 4  core9.fra.hetzner.com (213.239.224.166)  21.295 ms
    core8.fra.hetzner.com (213.239.224.149)  20.730 ms
    core9.fra.hetzner.com (213.239.224.170)  20.333 ms
 5  core4.fra.hetzner.com (213.239.245.85)  28.499 ms
    core4.fra.hetzner.com (213.239.224.177)  20.507 ms  22.850 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  *^C

Looks like something is wrong on the way, but I could connect to the
same host from any other jail.

There is for me a mysterious behaviour that I can't understand.

Any help will be appreciated.

Thanks for reading me, and for the time you spend on my problem.
--
Jacques Foucry

From nobody Fri Jul 23 17:51:42 2021
Date: Fri, 23 Jul 2021 19:51:42 +0200
From: Michael Gmelin
To: Jacques Foucry
Cc: freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: iocage, vnet jail does not go outside
Message-ID: <20210723195142.77b668f1@bsd64.grem.de>

On Fri, 23 Jul 2021 18:36:25 +0200
Jacques Foucry wrote:

> Hello friends,
>
> I'm turning crazy.
>
> I made a new jail on my hosted system using iocage.
>
> [...]
>
> The problem is, I cannot ssh to an external computer (for example, my
> nextcloud hosted at home):
>
> [...]
>
> Looks like something is wrong on the way, but I could connect to the
> same host from any other jail.
>
> There is for me a mysterious behaviour that I can't understand.
>
> Any help will be appreciated.
>
> Thanks for reading me, and for the time you spend on my problem.

You need to enable some sort of NAT at your end, e.g. using pf. Traffic
is leaving your host on a private IP.
-m

--
Michael Gmelin

From nobody Fri Jul 23 18:04:41 2021
From: Jacques Foucry
To: Michael Gmelin
Cc: Jacques Foucry, freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Date: Fri, 23 Jul 2021 20:04:41 +0200
Subject: Re: iocage, vnet jail does not go outside
In-Reply-To: <20210723195142.77b668f1@bsd64.grem.de>

On Friday 23 July 2021 at 19:51:42 (+0200), Michael Gmelin wrote:

Hello Michael,

> You need to enable some sort of NAT at your end, e.g. using pf. Traffic
> is leaving your host on a private IP.

I forgot to post the part of my pf.conf, you're right. I enabled a NAT (maybe in a wrong way):

ext_if = em0
int_if = "{lo0 lo1}"
bridge_if = bridge0

icmp_types="{ echoreq, unreach }"

# ok loopback
set skip on lo0
set skip on lo1
#set skip on bridge0

# define jails
jails_net = "{192.168.12.0/24 10.0.10.0/24 2a01:4f9:4a:1fd8::/64}"

…

# nat
nat on $ext_if from $jails_net to any -> $ext_if

…

# ExampleJail
rdr on $ext_if inet proto tcp from any to $ext_if port $examplejail_ports -> $examplejail_v4
rdr on $ext_if inet6 proto tcp from any to $ext_if port $examplejail_ports -> $examplejail_v6

…

pass in log quick on $ext_if proto tcp from any to $examplejail_v4 port $examplejail_ports flags S/SA keep state
pass in log quick on $ext_if proto tcp from any to $examplejail_v6 port $examplejail_ports

…

# Allow icmp
pass in inet proto icmp all icmp-type $icmp_types
#IPv6 - pass in/out all IPv6 ICMP traffic
pass in quick proto icmp6 Allow

Is there something wrong or missing? I was guessing that the NAT is correct because I can connect from outside (IPv4 and IPv6) to this jail.

Thanks again for your time.
--
Jacques Foucry

From nobody Fri Jul 23 18:22:51 2021
From: Michael Gmelin
To: Jacques Foucry
Cc: Michael Gmelin, freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Date: Fri, 23 Jul 2021 20:22:51 +0200
Subject: Re: iocage, vnet jail does not go outside
Message-ID: <20210723202251.708ac906@bsd64.grem.de>

On Fri, 23 Jul 2021 20:04:41 +0200
Jacques Foucry wrote:

> On Friday 23 July 2021 at 19:51:42 (+0200), Michael Gmelin wrote:
>
> Hello Michael,
>
> > You need to enable some sort of NAT at your end, e.g. using pf.
> > Traffic is leaving your host on a private IP.
>
>
> I forgot to post the part of my pf.conf, you're right. I enabled a NAT
> (maybe in a wrong way):
>
> ext_if = em0
> int_if = "{lo0 lo1}"
> bridge_if = bridge0
>
> icmp_types="{ echoreq, unreach }"
>
> # ok loopback
> set skip on lo0
> set skip on lo1
> #set skip on bridge0
>
> # define jails
> jails_net = "{192.168.12.0/24 10.0.10.0/24 2a01:4f9:4a:1fd8::/64}"
>
> …
>
> # nat
> nat on $ext_if from $jails_net to any -> $ext_if
>
> …
>
> # ExampleJail
> rdr on $ext_if inet proto tcp from any to $ext_if port
> $examplejail_ports -> $examplejail_v4
> rdr on $ext_if inet6 proto tcp from any to $ext_if port
> $examplejail_ports -> $examplejail_v6
>
> …
>
> pass in log quick on $ext_if proto tcp from any to $examplejail_v4
> port $examplejail_ports flags S/SA keep state
> pass in log quick on $ext_if proto tcp from any to $examplejail_v6
> port $examplejail_ports
>
> …
>
> # Allow icmp
> pass in inet proto icmp all icmp-type $icmp_types
> #IPv6 - pass in/out all IPv6 ICMP traffic
> pass in quick proto icmp6 Allow
>
>
>
> Is there something wrong or missing? I was guessing that the NAT is
> correct because I can connect from outside (IPv4 and IPv6) to this
> jail.
>
>
> Thanks again for your time.
There's one thing on your bridge that looks wrong:

> bridge0: flags=8843 metric 0 mtu 1500
>         description: jails-bridge
>         ether 58:9c:fc:10:ed:66
>         inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: vnet0.655 flags=143
>                 ifmaxaddr 0 port 6 priority 128 path cost 2000
>         member: em0 flags=143
>                 ifmaxaddr 0 port 1 priority 128 path cost 20000
>         groups: bridge
>         nd6 options=9

em0 shouldn't be part of the bridge, as you don't want to bridge with your uplink, but NAT to it. So try

ifconfig bridge0 deletem em0

Once done, you might need to enable ip forwarding (if it isn't enabled already).

service gateway enable
sysctl net.inet.ip.forwarding=1

-m

--
Michael Gmelin

From nobody Fri Jul 23 21:06:41 2021
From: infoomatic
To: freebsd-jail@freebsd.org
Date: Fri, 23 Jul 2021 23:06:41 +0200
Subject: Re: iocage, vnet jail does not go outside
Message-ID: <40b7782d-9d5c-099a-ed58-4476b3523d7a@gmx.at>

iocage automatically creates a bridge with your physical interface and the vnet interface. Imho this is wrong behaviour so I quit using iocage, however, there is a workaround, for more info see [1]

Regards,
Robert

[1] https://github.com/iocage/iocage/issues/521

On 23.07.21 18:36, Jacques Foucry wrote:
> Hello friends,
>
> I'm turning crazy.
>
> I made a new jail, on my hosted system using iocage.
>
> Here is the config.json file:
>
> more config.json
> {
>     "allow_mount": 1,
>     "allow_mount_devfs": 1,
>     "allow_mount_nullfs": 1,
>     "allow_mount_procfs": 1,
>     "allow_mount_tmpfs": 1,
>     "allow_mount_zfs": 1,
>     "allow_raw_sockets": 1,
>     "allow_socket_af": 1,
>     "allow_sysvipc": 1,
>     "bpf": 1,
>     "cloned_release": "13.0-RELEASE",
>     "defaultrouter": "10.0.10.1",
>     "defaultrouter6": "auto",
>     "dhcp": 0,
>     "host_hostname": "examplejail",
>     "host_hostuuid": "examplejail",
>     "ip4_addr": "vnet0|10.0.10.23/24",
>     "ip6_addr": "vnet0|2a01:4f9:4a:1fd8::23",
>     "jail_zfs_dataset": "iocage/jails/examplejail/data",
>     "last_started": "2021-07-23 15:11:28",
>     "nat": 0,
>     "release": "13.0-RELEASE-p3",
>     "vnet": 1,
>     "vnet0_mac": "b42e999c5bca b42e999c5bcb",
>     "vnet_default_interface": "auto"
> }
>
> The jail's ifconfig:
>
> ifconfig
> lo0: flags=8049 metric 0 mtu 16384
>         options=680003
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>         inet 127.0.0.1 netmask 0xff000000
>         groups: lo
>         nd6 options=21
> pflog0: flags=0<> metric 0 mtu 33160
>         groups: pflog
> epair0b: flags=8843 metric 0 mtu 1500
>         options=8
>         ether b4:2e:99:9c:5b:cb
>         hwaddr 02:ae:46:07:62:0b
>         inet 10.0.10.23 netmask 0xffffff00 broadcast 10.0.10.255
>         inet6 2a01:4f9:4a:1fd8::23 prefixlen 64
>         inet6 fe80::b62e:99ff:fe9c:5bcb%epair0b prefixlen 64 scopeid 0x3
>         groups: epair
>         media: Ethernet 10Gbase-T (10Gbase-T )
>         status: active
>         nd6 options=21
>
> The jail's netstat:
>
> netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            10.0.10.1          UGS     epair0b
> 10.0.10.0/24       link#3             U       epair0b
> 10.0.10.23         link#3             UHS         lo0
> 127.0.0.1          link#1             UH          lo0
>
> Internet6:
> Destination                       Gateway                       Flags     Netif Expire
> ::/96                             ::1                           UGRS        lo0
> default                           fe80::1%epair0b               UGS     epair0b
> ::1                               link#1                        UHS         lo0
> ::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
> 2a01:4f9:4a:1fd8::/64             link#3                        U       epair0b
> 2a01:4f9:4a:1fd8::23              link#3                        UHS         lo0
> fe80::/10                         ::1                           UGRS        lo0
> fe80::%lo0/64                     link#1                        U           lo0
> fe80::1%lo0                       link#1                        UHS         lo0
> fe80::%epair0b/64                 link#3                        U       epair0b
> fe80::b62e:99ff:fe9c:5bcb%epair0b link#3                        UHS         lo0
> ff02::/16
>
> On the host, the ifconfig (note there are a lot of old-fashioned jails):
>
> ifconfig
> em0: flags=8963 metric 0 mtu 1500
>         options=4810099
>         ether b4:2e:99:6a:80:9d
>         inet6 2a01:4f9:4a:1fd8::2 prefixlen 64
>         inet6 fe80::b62e:99ff:fe6a:809d%em0 prefixlen 64 scopeid 0x1
>         inet6 2a01:4f9:4a:1fd8::5 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::11 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::12 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::15 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::16 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::18 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::19 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::21 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::22 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::25 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::14 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::29 prefixlen 64
>         inet6 2a01:4f9:4a:1fd8::17 prefixlen 64
>         inet 95.217.83.231 netmask 0xffffffc0 broadcast 95.217.83.255
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         nd6 options=21
> lo0: flags=8049 metric 0 mtu 16384
>         options=680003
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
>         inet 127.0.0.1 netmask 0xff000000
>         inet 127.0.12.1 netmask 0xff000000
>         inet 127.0.1.5 netmask 0xffffffff
>         inet 127.0.1.11 netmask 0xffffffff
>         inet 127.0.1.12 netmask 0xffffffff
>         inet 127.0.1.15 netmask 0xffffffff
>         inet 127.0.1.16 netmask 0xffffffff
>         inet 127.0.1.18 netmask 0xffffffff
>         inet 127.0.1.19 netmask 0xffffffff
>         inet 127.0.1.21 netmask 0xffffffff
>         inet 127.0.1.22 netmask 0xffffffff
>         inet 127.0.1.25 netmask 0xffffffff
>         inet 127.0.1.14 netmask 0xffffffff
>         inet 127.0.1.29 netmask 0xffffffff
>         inet 127.0.1.17 netmask 0xffffffff
>         groups: lo
>         nd6 options=21
> lo1: flags=8049 metric 0 mtu 16384
>         options=680003
>         inet 192.168.12.1 netmask 0xffffff00
>         inet 192.168.12.5 netmask 0xffffffff
>         inet 192.168.12.11 netmask 0xffffff00
>         inet 192.168.12.12 netmask 0xffffff00
>         inet 192.168.12.15 netmask 0xffffff00
>         inet 192.168.12.16 netmask 0xffffff00
>         inet 192.168.12.18 netmask 0xffffff00
>         inet 192.168.12.19 netmask 0xffffff00
>         inet 192.168.12.21 netmask 0xffffff00
>         inet 192.168.12.22 netmask 0xffffff00
>         inet 192.168.12.25 netmask 0xffffff00
>         inet 192.168.12.14 netmask 0xffffff00
>         inet 192.168.12.29 netmask 0xffffff00
>         inet 192.168.12.17 netmask 0xffffff00
>         groups: lo
>         nd6 options=29
> pflog0: flags=100 metric 0 mtu 33160
>         groups: pflog
> bridge0: flags=8843 metric 0 mtu 1500
>         description: jails-bridge
>         ether 58:9c:fc:10:ed:66
>         inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: vnet0.655 flags=143
>                 ifmaxaddr 0 port 6 priority 128 path cost 2000
>         member: em0 flags=143
>                 ifmaxaddr 0 port 1 priority 128 path cost 20000
>         groups: bridge
>         nd6 options=9
> vnet0.655: flags=8943 metric 0 mtu 1500
>         description: associated with jail: examplejail as nic: epair0b
>         options=8
>         ether b4:2e:99:9c:5b:ca
>         hwaddr 02:ae:46:07:62:0a
>         groups: epair
>         media: Ethernet 10Gbase-T (10Gbase-T )
>         status: active
>         nd6 options=29
>
> And host's netstat (again with many old-fashioned jails):
>
> netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            95.217.83.193      UGS         em0
> 10.0.10.0/24       link#5             U       bridge0
> 10.0.10.1          link#5             UHS         lo0
> 95.217.83.192/26   link#1             U           em0
> 95.217.83.231      link#1             UHS         lo0
> 127.0.0.1          link#2             UH          lo0
> 127.0.1.5          link#2             UH          lo0
> 127.0.1.11         link#2             UH          lo0
> 127.0.1.12         link#2             UH          lo0
> 127.0.1.14         link#2             UH          lo0
> 127.0.1.15         link#2             UH          lo0
> 127.0.1.16         link#2             UH          lo0
> 127.0.1.17         link#2             UH          lo0
> 127.0.1.18         link#2             UH          lo0
> 127.0.1.19         link#2             UH          lo0
> 127.0.1.21         link#2             UH          lo0
> 127.0.1.22         link#2             UH          lo0
> 127.0.1.25         link#2             UH          lo0
> 127.0.1.29         link#2             UH          lo0
> 127.0.12.1         link#2             UH          lo0
> 192.168.12.1       link#3             UH          lo1
> 192.168.12.5       link#3             UH          lo1
> 192.168.12.11      link#3             UH          lo1
> 192.168.12.12      link#3             UH          lo1
> 192.168.12.14      link#3             UH          lo1
> 192.168.12.15      link#3             UH          lo1
> 192.168.12.16      link#3             UH          lo1
> 192.168.12.17      link#3             UH          lo1
> 192.168.12.18      link#3             UH          lo1
> 192.168.12.19      link#3             UH          lo1
> 192.168.12.21      link#3             UH          lo1
> 192.168.12.22      link#3             UH          lo1
> 192.168.12.25      link#3             UH          lo1
> 192.168.12.29      link#3             UH          lo1
>
> Internet6:
> Destination                       Gateway                       Flags     Netif Expire
> ::/96                             ::1                           UGRS        lo0
> default                           fe80::1%em0                   UGS         em0
> ::1                               link#2                        UHS         lo0
> ::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
> 2a01:4f9:4a:1fd8::/64             link#1                        U           em0
> 2a01:4f9:4a:1fd8::2               link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::5               link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::11              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::12              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::14              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::15              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::16              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::17              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::18              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::19              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::21              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::22              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::25              link#1                        UHS         lo0
> 2a01:4f9:4a:1fd8::29              link#1                        UHS         lo0
> fe80::/10                         ::1                           UGRS        lo0
> fe80::%em0/64                     link#1                        U           em0
> fe80::b62e:99ff:fe6a:809d%em0     link#1                        UHS         lo0
> fe80::%lo0/64                     link#2                        U           lo0
> fe80::1%lo0                       link#2                        UHS         lo0
> ff02::/16                         ::1                           UGRS        lo0
>
> The bridge0 had the em0 and vnet0.655 interfaces.
>
> From the jail I can ping the outside world:
>
> ping google.ca
> PING6(56=40+8+8 bytes) 2a01:4f9:4a:1fd8::23 --> 2a00:1450:400f:803::2003
> 16 bytes from 2a00:1450:400f:803::2003, icmp_seq=0 hlim=118 time=7.927 ms
> 16 bytes from 2a00:1450:400f:803::2003, icmp_seq=1 hlim=118 time=7.800 ms
> 16 bytes from 2a00:1450:400f:803::2003, icmp_seq=2 hlim=118 time=7.798 ms
> ^C
> --- google.ca ping6 statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 7.798/7.842/7.927/0.061 ms
>
> The problem is, I cannot ssh to an external computer (for example, my
> nextcloud hosted at home):
>
> ssh -vvv nextcloud.foucry.net -p2250
> OpenSSH_7.9p1, OpenSSL 1.1.1k-freebsd 25 Mar 2021
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolving "nextcloud.foucry.net" port 2250
> debug2: ssh_connect_direct
> debug1: Connecting to nextcloud.foucry.net [2a01:e0a:434:44e0:ff:60ff:feba:b582] port 2250.
> debug1: connect to address 2a01:e0a:434:44e0:ff:60ff:feba:b582 port 2250: Operation timed out
> debug1: Connecting to nextcloud.foucry.net [82.65.174.130] port 2250.
> debug1: connect to address 82.65.174.130 port 2250: Operation timed out
> ssh: connect to host nextcloud.foucry.net port 2250: Operation timed out
>
> What looks strange (for me) is the traceroute (using ipv4):
>
> traceroute nextcloud.foucry.net
> traceroute to nextcloud.foucry.net (82.65.174.130), 64 hops max, 40 byte packets
>  1  10.0.10.1 (10.0.10.1)  0.086 ms  0.051 ms  0.037 ms
>  2  static.193.83.217.95.clients.your-server.de (95.217.83.193)  0.451 ms  0.571 ms  0.392 ms
>  3  core32.hel1.hetzner.com (213.239.252.97)  11.621 ms
>     core31.hel1.hetzner.com (213.239.252.93)  1.812 ms
>     core32.hel1.hetzner.com (213.239.252.97)  2.793 ms
>  4  core9.fra.hetzner.com (213.239.224.166)  21.295 ms
>     core8.fra.hetzner.com (213.239.224.149)  20.730 ms
>     core9.fra.hetzner.com (213.239.224.170)  20.333 ms
>  5  core4.fra.hetzner.com (213.239.245.85)  28.499 ms
>     core4.fra.hetzner.com (213.239.224.177)  20.507 ms  22.850 ms
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * * *
> 13  *^C
>
>
> Looks like something is wrong on the way, but I could connect to the same host
> from any other jail.
>
>
> This is for me a mysterious behaviour that I can't understand.
>
> Any help will be appreciated.
>
> Thanks for reading me, and for the time you spend on my problem.
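An audit helper, added here and not written by anyone in this thread, that checks `ifconfig` and `sysctl` output for the two conditions Michael's reply above points at and that Robert attributes to iocage's default bridging: the uplink NIC (em0) being a member of the jails' bridge, and IP forwarding being off. The bridge and sysctl text embedded below are constructed samples modelled on the output posted in the thread, so the script runs offline; on a real host you would pipe in live `ifconfig` and `sysctl net.inet.ip.forwarding` output instead.

```sh
#!/bin/sh
# Added audit helper (not from the thread). Functions read command output on
# stdin so they can be fed either live output or the constructed samples below.

# Print the member interfaces of bridge $1, one per line, from ifconfig output.
bridge_members() {
    awk -v br="$1" '
        /^[A-Za-z0-9_.]+: flags=/ { in_br = ($1 == (br ":")) }
        in_br && $1 == "member:"  { print $2 }
    '
}

# True (exit 0) when uplink $2 is a member of bridge $1 in the ifconfig output.
uplink_bridged() {
    bridge_members "$1" | grep -qxF "$2"
}

# True when the `sysctl net.inet.ip.forwarding` line on stdin reports 1.
forwarding_enabled() {
    awk -F': *' '$1 == "net.inet.ip.forwarding" { v = $2 }
                 END { exit (v == 1 ? 0 : 1) }'
}

# Run both checks for bridge $1 / uplink $2 over an ifconfig dump ($3) and a
# sysctl dump ($4). Returns 0 only when the host matches the advice in the
# thread: uplink not bridged, forwarding on.
audit_jail_network() {
    rc=0
    if printf '%s\n' "$3" | uplink_bridged "$1" "$2"; then
        echo "FAIL: $2 is a member of $1 (fix: ifconfig $1 deletem $2)"
        rc=1
    else
        echo "OK:   $2 is not bridged into $1"
    fi
    if printf '%s\n' "$4" | forwarding_enabled; then
        echo "OK:   net.inet.ip.forwarding=1"
    else
        echo "FAIL: net.inet.ip.forwarding is 0 (fix: service gateway enable;" \
             "sysctl net.inet.ip.forwarding=1)"
        rc=1
    fi
    return $rc
}

# Constructed sample: the host's bridge0 as posted, with em0 bridged in.
IFCONFIG_BEFORE='bridge0: flags=8843 metric 0 mtu 1500
        description: jails-bridge
        ether 58:9c:fc:10:ed:66
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        member: vnet0.655 flags=143
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
vnet0.655: flags=8943 metric 0 mtu 1500
        description: associated with jail: examplejail as nic: epair0b
        groups: epair'

# Constructed sample: the same bridge after `ifconfig bridge0 deletem em0`.
IFCONFIG_AFTER='bridge0: flags=8843 metric 0 mtu 1500
        description: jails-bridge
        member: vnet0.655 flags=143
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge'

SYSCTL_OFF='net.inet.ip.forwarding: 0'
SYSCTL_ON='net.inet.ip.forwarding: 1'

# Stand-alone demonstration: the broken state, then the corrected one.
audit_jail_network bridge0 em0 "$IFCONFIG_BEFORE" "$SYSCTL_OFF" || true
audit_jail_network bridge0 em0 "$IFCONFIG_AFTER"  "$SYSCTL_ON"  || true
```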
From nobody Sat Jul 24 11:38:16 2021
From: Jacques Foucry
To: infoomatic
Cc: freebsd-jail@freebsd.org
Date: Sat, 24 Jul 2021 13:38:16 +0200
Subject: Re: iocage, vnet jail does not go outside
In-Reply-To: <40b7782d-9d5c-099a-ed58-4476b3523d7a@gmx.at>

On Friday 23 July 2021 at 23:06:41 (+0200), infoomatic wrote:

Hello Robert,

Thanks for your answer.

> iocage automatically creates a bridge with your physical interface and
> the vnet interface. Imho this is wrong behaviour so I quit using iocage,
> however, there is a workaround, for more info see [1]

I read carefully the issue you pointed to, and it appears that with the vnet_default_interface parameter set to auto, em0 is added to the bridge; set to none, em0 is not added to the bridge.

So I stopped my jail, destroyed the bridge0 interface, set vnet_default_interface to none and restarted the jail.

As expected, em0 is not in the bridge any more:

bridge0: flags=8843 metric 0 mtu 1500
        description: jails-bridge
        ether 58:9c:fc:10:ed:66
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0.657 flags=143
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge
        nd6 options=9

Since then, from the jail I cannot ping anything, from outside I cannot connect to the jail, and from the jail I cannot connect to an outside host. In fact, seen quickly, the situation is worse.

I did not look at the routing tables yet (too many other things to do).

As I understood, you do not use iocage any more. Did you use the "raw" method (i.e. /etc/jail.conf)? If yes, I am really interested in a "picture" of your configuration. To be honest, I tried the "raw" method without success before trying iocage.

Thanks for your time and advice.
--
Jacques Foucry

From nobody Sat Jul 24 15:45:25 2021
From: Ernie Luzar
To: infoomatic, freebsd-jail@freebsd.org
Date: Sat, 24 Jul 2021 11:45:25 -0400
Subject: Re: iocage, vnet jail does not go outside
Message-ID: <60FC3595.6030402@gmail.com>

I use qjail for my vnet jails because iocage just did not work for me.
From nobody Sat Jul 24 21:48:26 2021
From: infoomatic
Date: Sat, 24 Jul 2021 23:48:26 +0200
To: freebsd-jail@freebsd.org
Subject: Re: iocage, vnet jail does not go outside
Message-ID: <3c0bcf3e-541f-5add-47cd-9457d4e5dc85@gmx.at>
References: <40b7782d-9d5c-099a-ed58-4476b3523d7a@gmx.at>

Hi, sorry to hear that.
I use the tools from the FreeBSD base system, they work great, and I encourage all newbies to use the tools from the base system - and recommend reading the parts of the handbook and the man pages of jail and jail.conf.

Here are the relevant parts of my config:

rc.conf:

cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.1 netmask 255.255.255.0 up"

pf.conf:

nat pass on em0 proto tcp from {192.168.1.201} to any -> pu.bl.ic.ip

and the jail.conf:

example {
    host.hostname = example;
    vnet;
    vnet.interface = "epair201b";
    path = "/jails/$name";
    exec.prestart += "ifconfig epair201 create";
    exec.prestart += "ifconfig epair201a up";
    exec.prestart += "ifconfig bridge0 addm epair201a";
    exec.prestop += "ifconfig epair201b -vnet $name";
    exec.poststop += "ifconfig epair201a destroy";
}

and the /jails/example/etc/rc.conf:

ifconfig_epair201b="inet 192.168.1.201 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

hope this helps,
Robert

On 24.07.21 13:38, Jacques Foucry wrote:
> On Friday 23 July 2021 at 23:06:41 (+0200), infoomatic wrote:
>
> Hello Robert,
>
> Thanks for your answer.
>
>> iocage automatically creates a bridge with your physical interface and
>> the vnet interface. Imho this is wrong behaviour so I quit using iocage,
>> however, there is a workaround, for more info see [1]
>
> I read carefully the issue you pointed to and it appears that with the
> vnet_default_interface parameter set to auto, em0 is added to the bridge; set
> to none, em0 is not added to the bridge.
>
> So I stopped my jail, destroyed the bridge0 interface, set vnet_default_interface to
> none and restarted the jail.
>
> As expected em0 is not in the bridge any more:
>
> bridge0: flags=8843 metric 0 mtu 1500
>         description: jails-bridge
>         ether 58:9c:fc:10:ed:66
>         inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: vnet0.657 flags=143
>                 ifmaxaddr 0 port 6 priority 128 path cost 2000
>         groups: bridge
>         nd6 options=9
>
> Since from the jail I cannot ping anything, from outside I cannot connect to
> the jail and from the jail I cannot connect to outside hosts.
>
> In fact, seen quickly, the situation is worse.
>
> I did not look at the routing tables yet (too many other things to do).
>
> As I understood you do not use iocage any more. Did you use the "raw"
> method (ie /etc/jail.conf)? If yes, I am really interested in a "picture" of
> your configuration.
>
> To be honest, I tried the "raw" method without success before trying
> iocage.
>
> Thanks for your time and advices.
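As an added illustration, not part of Robert's or Jacques's mails, the three exec.* hook sequences from the jail.conf above as one POSIX sh helper parameterised by jail number. It assumes the numbering convention epair<N> / 192.168.1.<N> behind bridge0 (192.168.1.1) and lets IFCONFIG=echo turn every call into a dry run so the sequence can be checked before it touches a real host.

```shell
#!/bin/sh
# Added example, not from the thread: a jail.conf hook helper for
# Robert's epair + bridge0 layout, parameterised by jail number.
# Assumptions (mine): jail N gets epair<N> and 192.168.1.<N> behind
# bridge0 (192.168.1.1); IFCONFIG=echo turns every call into a dry run.
set -u
IFCONFIG=${IFCONFIG:-ifconfig}
BRIDGE=${BRIDGE:-bridge0}

# Digits only, inside the host range of the /24 (.1 is the bridge).
valid_jail_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ] && [ "$1" -le 254 ]
}

# exec.prestart: create the pair (epair<N>a and epair<N>b), bring the
# host leg up, attach it to the bridge. Fails loudly if the bridge is
# missing rather than leaving a dangling epair behind.
jail_net_prestart() {
    n=$1
    valid_jail_num "$n" || { echo "bad jail number: $n" >&2; return 1; }
    $IFCONFIG "$BRIDGE" >/dev/null 2>&1 || { echo "$BRIDGE missing" >&2; return 1; }
    $IFCONFIG "epair$n" create &&
    $IFCONFIG "epair${n}a" up &&
    $IFCONFIG "$BRIDGE" addm "epair${n}a"
}

# exec.prestop: hand the jail's leg back to the host vnet while the
# jail (whose name -vnet needs) still exists.
jail_net_prestop() {
    n=$1 jailname=$2
    valid_jail_num "$n" || return 1
    $IFCONFIG "epair${n}b" -vnet "$jailname"
}

# exec.poststop: destroying the a leg removes the whole pair.
jail_net_poststop() {
    n=$1
    valid_jail_num "$n" || return 1
    $IFCONFIG "epair${n}a" destroy
}
# Dispatcher, e.g. exec.prestart += "/usr/local/sbin/jailnet prestart 201";
case "${1:-}" in
    prestart) jail_net_prestart "$2" ;;
    prestop)  jail_net_prestop "$2" "$3" ;;
    poststop) jail_net_poststop "$2" ;;
esac
```

Installed as a script, each exec.prestart/prestop/poststop line in jail.conf becomes one call with the jail's number, so renumbering a jail changes one argument rather than five ifconfig strings.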