From: Anton Farber
To: freebsd-net@freebsd.org
Subject: RE: FreeBSD sometimes uses the router for packets on the local network
Date: Tue, 7 Apr 2015 11:29:45 +0000
In-Reply-To: <20150407072949.GA2379@kib.kiev.ua>
List-Id: Networking and TCP/IP with FreeBSD

> On Tue, Apr 07, 2015 at 07:04:40AM +0000, Anton Farber wrote:
>>> On Mon, Apr 6, 2015 at 12:15 PM, Anton Farber
>>> wrote:
>>>> I've opened a thread on the FreeBSD networking forum (https://forums.freebsd.org/threads/jail-fails-to-connect-to-main-host.50833/) as some time ago my FreeBSD server (initially running 10.1, now CURRENT) started to behave strangely after an upgrade from 10.0 to 10.1. I first noticed that a jail (192.168.1.5) wasn't able to contact the base system (192.168.1.1). Running a tcpdump revealed the following: the jail is using em0 instead of lo0 for communicating with the base system:
>>>
>>> You need to look at your routing tables. From inside the jail, run
>>> "netstat -rn -f inet". You probably won't see any entry for 127.0.0.1
>>> or 127.0.0.0/8. Those are the entries that your jail needs in order
>>> to talk to the base system. You can add them, but think carefully.
>>> Many server processes, such as ntpd, have reduced security for
>>> connections coming over 127.0.0.1. Whether or not it is appropriate
>>> to add those routes depends on why you are using a jail.
>>
>> Ok, so the behaviour I'm seeing regarding the communication between jail and base system is to be expected then. My reason for posting it was that I was unsure whether it might have anything to do with the main problem. I don't think that this is the case, so the question remains: why is my FreeBSD server sometimes using the router for contacting hosts on the local network?
>
> This was a very strange proposal, to look at routing tables inside a jail.
> Do you use a VNET-enabled kernel? If not, there is no separate instance of
> the network stack per jail. The netstat -rn output in a jail for non-VNET
> kernels is simply not relevant to your problem. The same issues must be
> present when a non-jailed process is using the same source address selection.

No, I'm not using a VNET-enabled kernel (at least not to my knowledge :). I'm not sure whether my problem is jail related at all... It's just where it first manifested itself: suddenly I wasn't able to connect from my jail to the base system when using SSH or IMAP (roundcube). It was only later on that I realized that the base system was having troubles connecting to random hosts on the local network (as described in my initial post).

Regards, Anton
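The routing-table check suggested in the thread, as an added example that is not part of the original mail: it parses a constructed `netstat -rn -f inet` listing (sample addresses, not taken from Anton's host) and performs the same longest-prefix match the kernel does, so you can see which interface a destination such as 127.0.0.1 or a LAN host would leave through when no loopback route is present.

```python
import ipaddress

# Constructed sample of "netstat -rn -f inet" output for a host/jail that has
# no 127.0.0.0/8 entry. Addresses and the router are made up for illustration.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.254      UGS         em0
192.168.1.0/24     link#1             U           em0
192.168.1.1        link#1             UHS         lo0
"""


def parse_routes(text):
    """Return a list of (network, gateway, flags, netif) tuples from netstat output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank lines, "Routing tables", "Internet:"
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            try:
                # A bare host address becomes a /32, as the kernel treats it.
                net = ipaddress.ip_network(dest, strict=False)
            except ValueError:
                continue  # the column-header line is not a route
        routes.append((net, gateway, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (netif, gateway) or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, netif)
    return None if best is None else (best[3], best[1])


def loopback_reachable_locally(routes):
    """True only if 127.0.0.1 would go out a lo* interface instead of falling to the default route."""
    hit = lookup(routes, "127.0.0.1")
    return hit is not None and hit[0].startswith("lo")


if __name__ == "__main__":
    table = parse_routes(SAMPLE_NETSTAT)
    for dst in ("192.168.1.1", "192.168.1.5", "127.0.0.1"):
        print(dst, "->", lookup(table, dst))
    print("loopback route present:", loopback_reachable_locally(table))
```

With the sample table, 127.0.0.1 is sent via the default route through em0, which is exactly the symptom the thread describes; adding a `127.0.0.0/8 link#2 U lo0` line makes the check pass.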