From: Julian Elischer
To: Loïc Blot, freebsd-net@freebsd.org
Subject: Re: fib issue with jails.
Date: Mon, 02 Mar 2015 00:33:33 -0800
Message-ID: <54F4205D.1030405@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On 3/2/15 12:12 AM, Loïc Blot wrote:
> Hello,
> I'm trying to implement jails over multiple networks, using VLANs, with different default routes.
> The network stack is simple:
>
> igb0-3 into lagg0
> vlan 10-30 over lagg0
> jails over VLANs using a fib for each VLAN (but no fib set on the VLAN iface itself)
>
> Whereas it worked for a week on my server, after a reboot the outgoing packets aren't routed to lagg and then outgoing requests don't work (like DNS requests); I can't find out why.
>
> The fib is correctly set:
>
> /etc/rc.local:
> setfib 1 route add -net 192.168.136.0/24 -iface vlan136
> setfib 1 route add default 192.168.136.254
>
> root@jh1:~ # setfib 1 netstat -rnfinet
> Routing tables (fib: 1)
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            192.168.136.254    UGS       vlan136
> 192.168.136.0/24   ac:16:2d:96:e5:04  US        vlan136
>
> and the jails are correctly configured:
>
> root@jh1:~ # cat /var/run/jail.idevmysql.conf
> # Generated by rc.d/jail at 2015-02-27 10:38:05
> devmysql {
>     host.hostname = "devmysql.local.net";
>     path = "/jails/dev/devmysql";
>     ip4.addr += "vlan136|192.168.136.50/32";
>     exec.fib = "1";
>     allow.raw_sockets = 0;
>     exec.clean;
>     exec.system_user = "root";
>     exec.jail_user = "root";
>     exec.start += "/bin/sh /etc/rc";
>     exec.stop = "";
>     exec.consolelog = "/var/log/jail_idevmysql_console.log";
>     mount.fstab = "/etc/fstab.idevmysql";
>     mount.devfs;
>     mount.fdescfs;
>     mount += "procfs /jails/dev/idevmysql/proc procfs rw 0 0";
>     allow.mount;
>     allow.set_hostname = 0;
>     allow.sysvipc = 0;
> }
>
> Routing is also enabled:
>
> root@jh1:~ # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
> If we try to contact the jail from an external host, for example with ansible, the SSH connection works very well, but it seems outgoing initiated connections are staying on vlan136 and not forwarded to lagg0.
> Have you got any idea?

Can you explain in more depth what you mean by that last bit, "staying on vlan136 but not forwarded to lagg0"? I am not sure how you came to this idea and what you mean by it.

Have you considered whether you could use VIMAGE/VNET based jails?

>
> Thanks in advance
> Regards,
>
> Loïc Blot,
> UNIX Systems, Network and Security Engineer
> http://www.unix-experience.fr
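A consistency check for the setup described in this thread, written as an added example and not code from either poster: it parses a jail.conf fragment and the output of `setfib N netstat -rnfinet` (both embedded below as constructed samples copied from the post) and reports whether the FIB the jail is started in actually has an egress path, i.e. a default route leaving via the interface that carries the jail's address, with a gateway on a directly connected network of that interface. The same functions can be fed the live output of those commands on a host.

```python
import ipaddress
import re

# Constructed samples in the shape of the two artifacts quoted in the thread.
JAIL_CONF = """
devmysql {
    ip4.addr += "vlan136|192.168.136.50/32";
    exec.fib = "1";
}
"""
NETSTAT_FIB1 = """\
Routing tables (fib: 1)
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.136.254    UGS       vlan136
192.168.136.0/24   ac:16:2d:96:e5:04  US        vlan136
"""

def parse_jail(conf):
    """Return (iface, address, fib) from a single-jail jail.conf fragment."""
    m = re.search(r'ip4\.addr\s*\+?=\s*"(\w+)\|([\d.]+)/\d+"', conf)
    f = re.search(r'exec\.fib\s*=\s*"?(\d+)"?', conf)
    return m.group(1), ipaddress.ip_address(m.group(2)), int(f.group(1)) if f else 0

def parse_routes(text):
    """Return (fib, [(dest, gateway, flags, netif), ...]) from netstat -rn output."""
    fib = int(re.search(r"\(fib:\s*(\d+)\)", text).group(1))
    routes = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 4 and (p[0] == "default" or p[0][0].isdigit()):
            routes.append(tuple(p[:4]))
    return fib, routes

def check_jail_egress(conf, netstat_text):
    """Return findings on why the jail's FIB cannot carry outbound traffic ([] = consistent)."""
    iface, addr, want_fib = parse_jail(conf)
    fib, routes = parse_routes(netstat_text)
    findings = [] if fib == want_fib else [f"jail uses exec.fib {want_fib} but table is fib {fib}"]
    default = [r for r in routes if r[0] == "default"]
    if not default:
        return findings + [f"fib {fib}: no default route, off-link destinations are unreachable"]
    _, gw, _, netif = default[0]
    if netif != iface:
        findings.append(f"default route leaves via {netif} but the jail address is on {iface}")
    # Gateway must be on a directly connected network of the jail's interface in this FIB
    connected = [ipaddress.ip_network(r[0]) for r in routes if "/" in r[0] and r[3] == iface]
    if not any(ipaddress.ip_address(gw) in n for n in connected):
        findings.append(f"gateway {gw} is not on a connected network of {iface} in fib {fib}")
    if not any(addr in n for n in connected):
        findings.append(f"jail address {addr} is outside every connected network on {iface}")
    return findings
```

For the table quoted in the post the check returns no findings, which matches the poster's own reading that the FIB is set correctly; a missing default route after reboot, or one that points out of a different interface, shows up as a finding.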