From: Dave Cottlehuber <dch@skunkwerks.at>
To: freebsd-questions@freebsd.org
Date: Sat, 25 Aug 2018 17:21:12 +0200
Subject: Re: Jails and networks
Message-Id: <1535210472.40142.1485918024.52274C37@webmail.messagingengine.com>
In-Reply-To: <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk>

On Thu, 23 Aug 2018, at 20:44, Norman Gray wrote:
>
> Greetings.
>
> * A forum post [3] describes setting up a jail using ezjail and pf.
> Now, I don't think I need pf in my situation, so I want to skip that
> part of the instructions. But I now suspect I'm doing so naively.
>
> My host is on a 172.16.0.0/12 private network, which is routable
> locally, though it has to use a proxy to get to the web. I want to set
> up a jail on (slightly at random) 192.168.11.128.

Your jail needs to have some way to send & receive traffic via the host to the internet. Just adding a 192.168.0.0 address to the external igb0 interface will only work if the adjacent router allows that, and it almost certainly won't by default. This means you need either NAT or routing on your system to take care of this for you.
You might try your initial jail setup with a 17.16.0.0/12 address from the same pool as your host, ensuring that the IP address is already free, and then you can work through the other issues that crop up, but soon you'll want pf for the jails on their own RFC1928 private network. I am no pf expert but something like this might be all you need:

# /etc/rc.conf additions

# jail networks
cloned_interfaces="${cloned_interfaces} lo1"
# provide a single IP for the jail using the IP you already chose
ifconfig_lo1="inet 192.168.11.128/16"
# provide additional 2 IPs for other jails
ifconfig_lo1_aliases="inet 192.168.11.129-130/32"
# enable pf at boot so that `service pf start` works
pf_enable="YES"
# and reboot

# /etc/pf.conf
# and `service pf start`

# interfaces
extl_if = "igb0"
jail_if = "lo1"

# networks
jail_net = $jail_if:network
internet = $extl_if:network

# clean packets are happy packets
scrub in all

# jails are allowed outbound connections but not inbound
# these should be set up explicitly using spiped or haproxy
# note: "proto tcp" limits the translation to TCP; UDP (e.g. DNS lookups
# from the jail) is not translated by this rule
nat on $extl_if proto tcp from $jail_net to any -> ($extl_if)

A+
Dave
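The address-planning decision in the reply above (an address in the host's own subnet, a private address that needs NAT on the host, or a public address that needs routing), plus a sanity check of the lo1 prefix and the rc.conf alias range against the host's subnet, as an added Python example that is not part of the original post. The host and jail addresses are constructed sample values following the thread; the function names are mine.

```python
import ipaddress

# RFC 1918 private space: the upstream router will not route these, so a jail
# living here must be NATed on the host (the situation in the thread).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_jail_addr(host_cidr, jail_addr):
    """How a jail at jail_addr reaches the outside from a host on host_cidr."""
    host = ipaddress.ip_interface(host_cidr)
    jail = ipaddress.ip_address(jail_addr)
    if jail == host.ip:
        return "conflict"      # clashes with the host's own address
    if jail in host.network:
        return "same-subnet"   # can sit on the external NIC, if the address is free
    if any(jail in net for net in RFC1918):
        return "nat"           # private: needs the pf nat rule on the host
    return "routing"           # public: the upstream router must route it to the host

def expand_alias_range(spec):
    """Expand rc.conf's 'A.B.C.D-E' last-octet range into single addresses."""
    base, _, last = spec.partition("-")
    if not last:
        return [base]
    prefix, first = base.rsplit(".", 1)
    return [f"{prefix}.{i}" for i in range(int(first), int(last) + 1)]

def jail_net_problems(host_cidr, jail_if_cidr, alias_spec):
    """Check the lo1 prefix and its alias range against the host's subnet."""
    host = ipaddress.ip_interface(host_cidr)
    jail_if = ipaddress.ip_interface(jail_if_cidr)
    problems = []
    if jail_if.network.overlaps(host.network):
        problems.append(f"lo1 prefix {jail_if.network} overlaps host subnet "
                        f"{host.network}: routing between them becomes ambiguous")
    for a in expand_alias_range(alias_spec.split("/")[0]):
        if ipaddress.ip_address(a) not in jail_if.network:
            problems.append(f"alias {a} lies outside lo1 prefix {jail_if.network}")
    return problems

if __name__ == "__main__":
    # Constructed sample values matching the thread: host on 172.16.0.0/12,
    # first jail on 192.168.11.128 with two more aliases on lo1.
    print(classify_jail_addr("172.16.5.10/12", "192.168.11.128"))  # nat
    print(jail_net_problems("172.16.5.10/12", "192.168.11.128/16",
                            "192.168.11.129-130/32"))              # []
```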