Date: Fri, 02 Jun 2017 10:09:24 -0600
From: James Gritton <jamie@freebsd.org>
To: freebsd-jail@freebsd.org
Cc: Marko Cupać <marko.cupac@mimar.rs>
Subject: Re: setfib, jails and loopback interfaces
Message-ID: <2483b0d2a12f49924bf0e66bf7c48549@freebsd.org>
In-Reply-To: <20170531103349.244f0fbf@efreet-freebsd.kappastar.com>
References: <20170531103349.244f0fbf@efreet-freebsd.kappastar.com>
On 2017-05-31 02:33, Marko Cupać wrote:
> Hi,
>
> I'm not subscribed to the list, could you please keep me in CC?
>
> I'm using ezjail as instructed in the Handbook, assigning jails
> lo1|127.0.0.X,bce0|10.66.66.X addresses, in order to keep jails'
> loopback traffic off the host's, and in order to be able to keep internal
> services on lo1 (such as redis, mongodb, mysql etc.), and external on
> bce0 (such as apache, unifi5 etc.).
>
> Recently I got a server with multiple NICs, and I'd like to serve both
> LAN and DMZ services from it. I found some information on how to
> accomplish that with setfib:
>
> # cat /boot/loader.conf
> net.fibs=4
> net.add_addr_allfibs=0
>
> # cat /etc/rc.conf
> ...
> cloned_interfaces="lo1"
> static_routes="nix nixd"
> route_nix="-net 10.66.66.0/24 -interface bce0 -fib 1"
> route_nixd="default 10.66.66.254 -fib 1"
> ...
>
> In this setup, services bound to the bce0 interface work fine, but they
> can't contact internal services on lo1. I guess it has something to do
> with jail routing, but can't figure out what.
>
> Thank you in advance for any hints.

I haven't done the lo1 trick before, but I have had jails with addresses
on a different FIB. Note that the jail also has a FIB. You probably at
least want to set the jail's fib to 1 (exec.fib in jail.conf, I suppose
jail_*_fib or whatever in the old rc-based system ezjail still uses).

The part I'm not sure about is you probably also want to have lo1's
entries in the fib=1 routing table. I don't know the interaction between
cloned_interfaces and fib though - that might take some exploring in rc,
or a word or two from someone who knows that side of things more than I
do.

- Jamie
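The two changes Jamie suggests, written out as a configuration sketch (an added example, not part of the thread or of ezjail/the Handbook): the jail is pinned to FIB 1 with exec.fib, and FIB 1 is given a route to the lo1 addresses so the jail's bce0-bound services can reach the internal ones. jail.conf syntax is used instead of ezjail's rc variables; the jail name "web1", its path, the /32 and /24 masks, and the route name "lo1net" are assumptions, and whether a 127.0.0.0/8 route in FIB 1 is the right shape for lo1 is exactly the open question in the reply, so verify it with the check at the end.

```conf
# /etc/rc.conf (additions to the poster's setup; route name "lo1net" is assumed)
cloned_interfaces="lo1"
static_routes="nix nixd lo1net"
route_nix="-net 10.66.66.0/24 -interface bce0 -fib 1"
route_nixd="default 10.66.66.254 -fib 1"
# With net.add_addr_allfibs=0 only FIB 0 learns lo1's addresses automatically,
# so FIB 1 needs its own route to the loopback range used by the jails.
# Assumption: a /8 interface route via lo1 is sufficient; confirm with the check below.
route_lo1net="-net 127.0.0.0/8 -interface lo1 -fib 1"

# /etc/jail.conf (assumed jail name, path and masks)
path = "/usr/jails/$name";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

web1 {
    # internal services (redis, mysql, ...) listen on the lo1 address,
    # external ones (apache, ...) on the bce0 address
    ip4.addr = "lo1|127.0.0.2/32", "bce0|10.66.66.2/24";
    # run everything inside the jail on FIB 1, the table holding the bce0 routes
    exec.fib = 1;
}

# Check, on the host, that FIB 1 actually carries both the bce0 and the lo1 routes:
#   setfib 1 netstat -rn -f inet
# and, from inside the jail, that its processes really inherited FIB 1:
#   jexec web1 netstat -rn -f inet
```

If the /8 route does not show up under FIB 1, or the jail still cannot reach its lo1 address, the remaining suspect is the cloned_interfaces/fib ordering in rc that the reply leaves open.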