Date:      Wed, 14 Oct 2020 11:14:53 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        Arsenij Solovjev <xeper000@gmail.com>
Cc:        Kristof Provost <kp@freebsd.org>, freebsd-jail@freebsd.org
Subject:   Re: vnet Jail on a non-dedicated network interface
Message-ID:  <5F8715ED.8020606@gmail.com>
In-Reply-To: <CA+RQ_FfvOCk0QEqNMHgaJ4qAE3G2L3c3p+H4gDg1rLyC5L-h5A@mail.gmail.com>
References:  <CA+RQ_Fd7Z7ynky8iB5h=cV30oRk5mPw0Out-2c=RF_e-AZVo2A@mail.gmail.com> <3F8DAE0C-0EA1-40C5-9825-262F547E1954@FreeBSD.org> <CA+RQ_Fc9HJhuJQe4wxpePe67R+e1XcCDBt9HjVHZA7RQfsOHzg@mail.gmail.com> <CCF31BD6-2335-4C5D-A230-9AA871466AD3@FreeBSD.org> <CA+RQ_FfvOCk0QEqNMHgaJ4qAE3G2L3c3p+H4gDg1rLyC5L-h5A@mail.gmail.com>

Arsenij Solovjev wrote:
> On Wed, 14 Oct 2020 at 15:41, Kristof Provost <kp@freebsd.org> wrote:
> 
>> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
>>> On Wed, 14 Oct 2020 at 14:42, Kristof Provost <kp@freebsd.org> wrote:
>>>
>>>> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
>>>>> Hi all!
>>>>> Does anybody know if it's possible to run a vnet jail on a non-dedicated
>>>>> interface? I have the Lucas book on jails. In it he says that for vnet
>>>>> you need to pick a dedicated interface, remove all networking IP
>>>>> configuration and only bring it up. Afterwards you set up jib and whatnot.
>>>>>
>>>>> All works well if I use a dedicated secondary interface (let's call it
>>>>> em1). If I use em0 however I cannot ping the jail.
>>>>>
>>>>> I would like to have a host that has a single network interface which
>>>>> is used for both normal networking stuff as well as having the vnet jail
>>>>> run on it.
>>>>>
>>>>> Maybe I could create some sort of virtual interface and run vnet on it?
>>>>>
>>>>> Any ideas here? Thanks in advance!
>>>>>
>>>> Look at epair interfaces.
>>>>
>>>> You can put em0 and epair0a in a bridge together and add epair0b to the
>>>> vnet jail.
>>>> That gets the vnet jail connected to your LAN.
>>>>
>>>> Or you can skip the bridge, assign an IP to epair0a and route between
>>>> the jail and your LAN.
>>>>
>>>> Regards,
>>>> Kristof
>>>>
>>> Hi Kristof,
>>>
>>> Thanks for your reply!
>>>
>>> Considering your first idea: I did this, and the jail gets created
>>> seemingly fine. However I cannot ping the IP of epair0b (this works when
>>> using a dedicated interface).
>>> Also I cannot reach my gateway from within the jail. This too works when
>>> using a dedicated interface.
>>> Btw I have "sysctl security.jail.allow_raw_sockets=1".
>>> snip:

>>>
>> This is odd. Are you assigning a new MAC address to the epair interfaces
>> somewhere? Both ends of the epair seem to have a new MAC address, and
>> the same one at that.
>>
>> Regards,
>> Kristof
>>
> 
> Not explicitly, no, I let the jib script do the epair creation.


To Arsenij Solovjev

For the record, I sure would like to see your jail.conf file where you
set up this non-dedicated vnet jail system.

I believe a non-dedicated vnet jail is for local access only. Is that 
correct?

The bridge setup is for public internet access? Is that correct?


To Kristof Provost

In your reply you said:
"Or you can skip the bridge, assign an IP to epair0a and route between
the jail and your LAN."
Please explain this statement. Route how?
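The two layouts Kristof describes above (em0 and epair0a bridged with epair0b handed to the jail, or epair0a addressed on the host and routed), written out as an added example that is not part of this thread and is not FreeBSD's jib script. The host NIC em0, the jail name jail0, the epair name epair0, the LAN 192.0.2.0/24 with gateway 192.0.2.1, the point-to-point 10.10.0.0/30 for the routed layout and the jail path are all assumptions. The script defaults to DRY_RUN=1 and prints the ifconfig/jexec/sysctl commands it would issue; running them for real needs FreeBSD and root. It also prints a jail.conf(5) stanza for the bridged layout and includes the one sanity check the thread itself points at: the two ends of the epair must not share a MAC address.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's jib script.
# Assumptions: host NIC em0, jail jail0, epair0, LAN 192.0.2.0/24 with
# gateway 192.0.2.1, point-to-point 10.10.0.0/30 for the routed layout.
# DRY_RUN=1 (the default) prints each command instead of executing it;
# executing for real needs FreeBSD and root.

: "${DRY_RUN:=1}"

# run prints the command under DRY_RUN=1, otherwise executes it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Layout 1 (bridge): em0 and epair0a become members of bridge0, epair0b is
# moved into the jail's vnet. The jail then sits on the LAN at layer 2 and
# takes a LAN address of its own; the host keeps its address on em0 (moving
# it to bridge0 is the usual recommendation but is not required).
bridge_setup() {
    host_if=$1 jail=$2 epair=$3 addr=$4 gw=$5
    run ifconfig "$epair" create
    run ifconfig bridge0 create
    run ifconfig bridge0 addm "$host_if" addm "${epair}a" up
    run ifconfig "${epair}a" up
    run ifconfig "${epair}b" vnet "$jail"
    run jexec "$jail" ifconfig "${epair}b" inet "$addr" up
    run jexec "$jail" route add default "$gw"
}

# Layout 2 (routed, no bridge): epair0a keeps one address of a /30 on the
# host, epair0b gets the other inside the jail, and the host forwards
# between the two. LAN hosts need a route to the /30 via the host's em0
# address, or the host NATs the jail behind em0 with pf.
routed_setup() {
    jail=$1 epair=$2 host_addr=$3 jail_addr=$4
    run ifconfig "$epair" create
    run ifconfig "${epair}a" inet "$host_addr/30" up
    run ifconfig "${epair}b" vnet "$jail"
    run jexec "$jail" ifconfig "${epair}b" inet "$jail_addr/30" up
    run jexec "$jail" route add default "$host_addr"
    run sysctl net.inet.ip.forwarding=1
}

# mac_distinct succeeds when two MAC addresses differ (case-insensitive).
# Both ends of an epair must carry different addresses; two ends sharing
# one is the first thing to rule out when the jail cannot be reached.
mac_distinct() {
    a=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    b=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$a" != "$b" ]
}

# jail_conf prints a jail.conf(5) stanza for the bridged layout that does the
# epair plumbing itself in exec.prestart/exec.poststop, so "jail -c jail0"
# brings the whole thing up. bridge0 with em0 as a member is assumed to exist
# already (rc.conf: cloned_interfaces="bridge0", ifconfig_bridge0="addm em0 up").
jail_conf() {
    jail=$1 epair=$2 addr=$3 gw=$4
    cat <<EOF
$jail {
    host.hostname = "$jail";
    path = "/usr/local/jails/$jail";
    vnet;
    vnet.interface = "${epair}b";
    exec.prestart = "ifconfig $epair create; ifconfig bridge0 addm ${epair}a; ifconfig ${epair}a up";
    exec.start = "ifconfig ${epair}b inet $addr up; route add default $gw; /bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig bridge0 deletem ${epair}a; ifconfig ${epair}a destroy";
    allow.raw_sockets;
    mount.devfs;
}
EOF
}

case "${1:-}" in
    bridge) bridge_setup em0 jail0 epair0 192.0.2.20/24 192.0.2.1 ;;
    routed) routed_setup jail0 epair0 10.10.0.1 10.10.0.2 ;;
    conf)   jail_conf jail0 epair0 192.0.2.20/24 192.0.2.1 ;;
esac
```

Usage: `sh vnet_epair.sh bridge`, `sh vnet_epair.sh routed` or `sh vnet_epair.sh conf` prints the respective command sequence or stanza; `DRY_RUN=0 sh vnet_epair.sh bridge` as root on FreeBSD executes it. The routed layout is what "route between the jail and your LAN" comes down to: the jail's default route points at epair0a, net.inet.ip.forwarding=1 makes the host forward for it, and the return path is either a static route on the LAN gateway for the /30 or a pf NAT rule on em0; the jail never appears on the LAN at layer 2, which is why no bridge is needed.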
