From: "Dean E. Weimer" <dweimer@dweimer.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Jail unable to access some network devices
Date: Fri, 06 Apr 2018 13:32:50 -0500
Message-ID: <7f30fe692d049949bbd74c5d4c136f16@dweimer.net>

I am trying to set up some jails on a server utilizing multiple routing fib tables. I have a few jails already running, some of them in different fibs, one in the same fib as the host. But this last one I added has caused some problems. It's the first one I am trying to build in this fib. Below are sections from the fib routing setup and the jail.

## Set up the DMZ[1] routing table
# Interface route(s)
setfib 1 route add -net 10.50.0.0/16 -iface lagg0.4
setfib 1 route add -net 10.52.0.0/16 -iface lagg0.4
setfib 1 route add -net 172.17.0.0/25 -iface lagg0.900
# Default route
setfib 1 route add default 10.50.110.9

# Default Jail Options
allow.mount.devfs;
mount.devfs;
devfs_ruleset = '4';
allow.sysvipc;
allow.dying;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/jails/${name}/console.log";

proxy2 {
    exec.fib=1;
    allow.raw_sockets = 1;
    ip4.addr = 'lagg0.4|10.50.20.42/16';
    ip4.addr += 'lagg0.4|10.52.20.42/16';
    ip4.addr += 'lagg0.900|172.17.0.5/25';
}

The jail can talk to every host on the 172.17.0.0/25 subnet, and can talk to every host in the 10.52.0.0/16 subnet. I can't talk to some things in the 10.50.0.0/16 subnet though. The 3 devices I can't talk to also have 10.52.0.0/16 addresses on the same adapter as the 10.50.0.0/16 address. I can talk to their 10.52 address but receive an "invalid argument" error when attempting to connect via the 10.50 address.
Below, 10.50.20.4 and 10.52.20.4 are the same device, an older FreeBSD server that this jail is intended to replace.

root@fbsdhost2:/jails/proxy2 # proxy2
root@proxy2-temp:/ # ping 10.52.20.4
PING 10.52.20.4 (10.52.20.4): 56 data bytes
64 bytes from 10.52.20.4: icmp_seq=0 ttl=64 time=0.749 ms
64 bytes from 10.52.20.4: icmp_seq=1 ttl=64 time=0.311 ms
^C
--- 10.52.20.4 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.311/0.530/0.749/0.219 ms

root@proxy2-temp:/ # ping 10.50.20.4
PING 10.50.20.4 (10.50.20.4): 56 data bytes
ping: sendto: Invalid argument
ping: sendto: Invalid argument
^C
--- 10.50.20.4 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

root@proxy2-temp:/ # ping 10.50.110.9
PING 10.50.110.9 (10.50.110.9): 56 data bytes
64 bytes from 10.50.110.9: icmp_seq=0 ttl=255 time=0.599 ms
64 bytes from 10.50.110.9: icmp_seq=1 ttl=255 time=0.253 ms
^C
--- 10.50.110.9 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.253/0.426/0.599/0.173 ms

root@fbsdhost2:/jails/proxy2 # setfib 1 netstat -rnf inet
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.50.110.9        UGS     lagg0.4
10.50.0.0/16       84:2b:2b:4d:6e:08  US      lagg0.4
10.52.0.0/16       84:2b:2b:4d:6e:08  US      lagg0.4
127.0.0.1          lo0                UHS         lo0
172.17.0.0/25      84:2b:2b:4d:6e:08  US     lagg0.90

I know it has to be something in the jail configuration, as it doesn't even attempt to send the traffic to the interface; I watched on the host adapter. If I ping this jail's address from the other system, the echo requests do show up on that adapter. Can anyone see anything in the above configuration that I have missed or got wrong?

--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/