From owner-freebsd-current@freebsd.org Wed Oct 5 16:47:26 2016
Message-ID: <57F52EA4.4080004@gmail.com>
Date: Wed, 05 Oct 2016 12:47:32 -0400
From: Ernie Luzar
To: "O. Hartmann"
CC: freebsd-current
Subject: Re: jails in CURRENT: can not reach hosts on same network
References: <20161005134446.7af8126c@freyja.zeit4.iv.bundesimmobilien.de>
In-Reply-To: <20161005134446.7af8126c@freyja.zeit4.iv.bundesimmobilien.de>

O. Hartmann wrote:
> Hello list.
>
> I struggle with setting up jails on most recent CURRENT.
>
> The machine containing the jails has two NICs (bce0 and bce1). The host itself
> is supposed to own NIC bce0 exclusively - meaning the services running on that
> NIC - syslogd, named and others - are bound to that NIC and should not be
> shared with bce1 or jails bound to bce1.
>
> I followed the instructions given in the most recent version of the handbook
> for setting up a jail. So far, so good. The NIC bce1 (the second one) is "aliased"
> with IPs from the local network. Forwarding is disabled
> (net.inet.ip.forwarding: 0).
>
> Setup of each jail is straightforward, with "ip4.addr=" set to the specific IP
> and interface="bce1".
>
> Within a jail, I can not reach an IP on the same network, not even the gateway,
> by pinging or doing name resolution using the DNS server on the local net! The
> curious thing is, by setting "nameserver 8.8.8.8" in /etc/resolv.conf, I can
> ping "outer world systems" and perform name resolution as well - this
> implies that the IP packets are delegated to the local gateway and then further
> to Google's DNS. But pinging the local gateway directly (192.168.0.1)
> seems to be prohibited, as well as pinging or reaching any other IP on the net,
> including the bce0 of the same host (via default gateway?) or any other aliased
> IP.
>
> Since I'm new to jails and the complicated handling with networks, I miss
> something here which is probably not well documented. I found some notes on the
> forum about setfib, FIB, but I lack the correct manpage to read more about
> this concept, its meaning for a jail and its probable impact in my situation.
>
> Following the suggestion of setting
>
> net.add_addr_allfibs=0
>
> in /boot/loader.conf seems to be senseless - after a reboot this OID is always
> set back to 1 (net.add_addr_allfibs=1).
>
> Maybe someone has an idea what's wrong in principle with my attempts.
>
> Thanks in advance for your patience,
>
> Oliver

First of all, trying to teach yourself about LAN & jail usage using [CURRENT] is the wrong version of FreeBSD to be using, because it's the bleeding edge where all the OS updates are tested. You should be using 10.3 or the soon to be published 11.0. With CURRENT you can't tell if problems are caused by you not configuring something correctly or by you falling into an OS bug. Now if you have a LAN & jail setup working on a RELEASE version and you really think your problem is caused by a bug in CURRENT, then you need to come out and state that. But based on the tone of your post that is not the case.
Secondly, the "current" list is the incorrect list to be posting this type of question to. You should post this to the "questions" or the "jail" list.

The ping command from within a jail is considered a security risk and is disabled by jail(8) design.

It seems to me that you are mixing 2 separate problems, LAN configuration and jail configuration. You need to first get your LAN nodes talking to each other and with the host, before you add jail(8) into the mix.

The standard LAN configuration runs a DHCP server on the host to assign private IP addresses to the LAN PCs when they power on. Since your host box functions as a [gateway box] with a LAN behind it, you need to have gateway_enable="YES" in your host's rc.conf file. You also need a firewall to NAT the private LAN IP addresses to the host's public ISP-issued IP address. I recommend ipfilter, which is in the base system; it's open source and runs on most all other Unix-flavored OSes, making it very easy to use the same firewall rule set across other OSes.

After you have your LAN nodes being able to ping the host and other nodes on the LAN, and also access the public internet, then is the time to play with jails. I recommend you use the jail utility sysutil/qjail port. It simplifies jail management and is very user friendly. Be sure not to assign private IP addresses to jails that are controlled by DHCP, or the LAN node will stop working when the jail starts using the same IP address.

A detailed description of how you intend to use jails would go a long way to customizing any additional help you may require from posts to the "questions" list.
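As an added example that is not part of this thread, a small Python check for the two addressing rules the reply stresses: each jail's ip4.addr must lie on the network aliased onto the interface it is bound to, and must not fall inside the DHCP pool handed out to LAN nodes. The jail.conf fragment, the LAN subnet and the DHCP pool range are all constructed for the example.

```python
import ipaddress
import re

# Constructed jail.conf fragment (not from the thread); layout follows jail.conf(5).
JAIL_CONF = """
www {
    interface = "bce1";
    ip4.addr = 192.168.0.50;
}
db {
    interface = "bce1";
    ip4.addr = 192.168.0.120;
}
dns {
    interface = "bce0";
    ip4.addr = 10.0.10.7;
}
"""

# Assumed LAN layout: bce1 carries 192.168.0.0/24 and DHCP hands out .100-.199.
LAN = {"bce1": ipaddress.ip_network("192.168.0.0/24")}
DHCP_POOL = (ipaddress.ip_address("192.168.0.100"),
             ipaddress.ip_address("192.168.0.199"))

JAIL_RE = re.compile(r'(\w+)\s*\{(.*?)\}', re.S)          # name { ... }
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"?([^";]+)"?\s*;')  # key = value;

def parse_jails(text):
    """Return {jail_name: {parameter: value}} for each block in the text."""
    jails = {}
    for name, body in JAIL_RE.findall(text):
        jails[name] = {k: v.strip() for k, v in PARAM_RE.findall(body)}
    return jails

def check_jail_addresses(text, lan=LAN, pool=DHCP_POOL):
    """Return (jail, problem) tuples; an empty list means every address is sane."""
    problems = []
    for name, params in parse_jails(text).items():
        iface = params.get("interface")
        addr = ipaddress.ip_address(params["ip4.addr"])
        net = lan.get(iface)
        if net is None:
            problems.append((name, "interface %s carries no known LAN" % iface))
        elif addr not in net:
            problems.append((name, "%s is not on %s (%s)" % (addr, iface, net)))
        if pool[0] <= addr <= pool[1]:
            problems.append((name, "%s lies inside the DHCP pool" % addr))
    return problems
```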