Message-ID: <5F8715ED.8020606@gmail.com>
Date: Wed, 14 Oct 2020 11:14:53 -0400
From: Ernie Luzar
To: Arsenij Solovjev
CC: Kristof Provost, freebsd-jail@freebsd.org
Subject: Re: vnet Jail on a non-dedicated network interface
References: <3F8DAE0C-0EA1-40C5-9825-262F547E1954@FreeBSD.org>
List-Id: "Discussion about FreeBSD jail(8)"

Arsenij Solovjev wrote:
> On Wed, 14 Oct 2020 at 15:41, Kristof Provost wrote:
>
>> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
>>> On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote:
>>>
>>>> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
>>>>> Hi all!
>>>>> Does anybody know if it's possible to run a vnet jail on a
>>>>> non-dedicated interface? I have the Lucas book on jails. In it he
>>>>> says that for vnet you need to pick a dedicated interface, remove
>>>>> all networking IP configuration and only bring it up. Afterwards
>>>>> you set up jib and whatnot.
>>>>>
>>>>> All works well if I use a dedicated secondary interface (let's call
>>>>> it em1). If I use em0 however I cannot ping the jail.
>>>>>
>>>>> I would like to have a host that has a single network interface
>>>>> which is used for both normal networking stuff as well as having
>>>>> the vnet jail run on it.
>>>>>
>>>>> Maybe I could create some sort of virtual interface and run vnet on
>>>>> it?
>>>>>
>>>>> Any ideas here? Thanks in advance!
>>>>>
>>>> Look at epair interfaces.
>>>>
>>>> You can put em0 and epair0a in a bridge together and add epair0b to
>>>> the vnet jail.
>>>> That gets the vnet jail connected to your LAN.
>>>>
>>>> Or you can skip the bridge, assign an IP to epair0a and route between
>>>> the jail and your LAN.
>>>>
>>>> Regards,
>>>> Kristof
>>>>
>>> Hi Kristof,
>>>
>>> Thanks for your reply!
>>>
>>> Considering your first idea: I did this, the jail gets created
>>> seemingly fine. However I cannot ping the IP of epair0b (this works
>>> when using a dedicated interface).
>>> Also I cannot reach my gateway from within the jail. This too works
>>> when using a dedicated interface.
>>> Btw I have "sysctl security.jail.allow_raw_sockets=1".
>>> snip:
>>>
>> This is odd. Are you assigning a new MAC address to the epair interfaces
>> somewhere? Both ends of the epair seem to have a new MAC address, and
>> the same one at that.
>>
>> Regards,
>> Kristof
>>
>
> Not explicitly, no, I let the jib script do the epair creation.

To Arsenij Solovjev

For the record, I sure would like to see your jail.conf file where you
set up this non-dedicated vnet jail system.

I believe a non-dedicated vnet jail is for local access only. Is that
correct?

The bridge setup is for public internet access? Is that correct?

To Kristof Provost

In your reply you said: "Or you can skip the bridge, assign an IP to
epair0a and route between the jail and your LAN."

Please explain this statement. Route how?
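The two layouts Kristof describes above, bridged and routed, written out as host and jail configuration. This is an added example, not configuration posted by anyone in the thread. The interface name em0, the addresses 192.168.1.0/24, 192.168.1.10, 192.168.1.50 and 10.66.0.0/30, the jail name www and the path /jails/www are assumptions. It creates the epair with plain ifconfig in exec.prestart instead of the jib script, so each end gets the MAC address the kernel assigns.

```conf
# --- Host /etc/rc.conf: bridged layout (Kristof's first suggestion) ---
# em0 carries no address of its own; the host's LAN address moves to
# bridge0, and em0 plus the host end of the jail's epair become bridge
# members. (Added example; em0 and every address below are assumptions.)
cloned_interfaces="bridge0"
ifconfig_em0="up"
ifconfig_bridge0="inet 192.168.1.10/24 addm em0 up"
defaultrouter="192.168.1.1"
jail_enable="YES"

# --- Host /etc/jail.conf ---
# The epair is created by hand rather than via jib; the kernel then gives
# each end its own MAC address, which is what Kristof expects to see.
www {
    path = "/jails/www";
    host.hostname = "www.example.local";
    vnet;
    vnet.interface = "epair0b";      # jail end, moved into the jail's vnet
    mount.devfs;
    devfs_ruleset = 4;               # devfsrules_jail, not an unrestricted /dev
    exec.clean;

    exec.prestart  = "ifconfig epair0 create";      # makes epair0a and epair0b
    exec.prestart += "ifconfig epair0a up";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    exec.start     = "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";    # destroys both ends
}

# --- Jail's own /jails/www/etc/rc.conf (bridged layout) ---
# The jail is a peer on the LAN: its address is in the LAN subnet and its
# default route is the LAN router, exactly as with a dedicated interface.
ifconfig_epair0b="inet 192.168.1.50/24"
defaultrouter="192.168.1.1"

# --- Routed layout (Kristof's second suggestion): only the parts that differ ---
# No bridge0 at all; em0 keeps the host's address (ifconfig_em0="inet
# 192.168.1.10/24"). The epair is a point-to-point link on its own /30 and
# the host forwards packets between that link and em0.
#
# Host /etc/rc.conf:
#   gateway_enable="YES"                 # sets net.inet.ip.forwarding=1
# Host /etc/jail.conf, replacing the prestart/poststop lines above:
#   exec.prestart  = "ifconfig epair0 create";
#   exec.prestart += "ifconfig epair0a inet 10.66.0.1/30 up";
#   exec.poststop  = "ifconfig epair0a destroy";
# Jail's /etc/rc.conf:
#   ifconfig_epair0b="inet 10.66.0.2/30"
#   defaultrouter="10.66.0.1"
# Return path so the LAN can answer 10.66.0.2, one of:
#   a static route on the LAN router: 10.66.0.0/30 via 192.168.1.10
#   or NAT on the host, in /etc/pf.conf (with pf_enable="YES"):
#     nat on em0 from 10.66.0.0/30 to any -> (em0)
```

In the bridged layout the jail is attached to the LAN's link layer, so it sees the LAN's broadcast traffic and its frames reach the LAN without passing through the host's IP stack; adding em0 to the bridge also puts em0 into promiscuous mode. Whether pf on the host filters bridged traffic at all is governed by the net.link.bridge.pfil_member and net.link.bridge.pfil_bridge sysctls, so check them before relying on a host ruleset. The routed layout costs a static route or a NAT rule, but every packet between the jail and the LAN crosses the host's IP stack, where pf on epair0a or em0 can filter it, and the jail is never a peer on the LAN segment. With either layout, the symptom Kristof flagged can be checked after the jail starts: ifconfig epair0a | grep ether on the host and jexec www ifconfig epair0b | grep ether should show two different addresses.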