From owner-freebsd-net@FreeBSD.ORG Wed May 29 05:01:24 2013
Date: Wed, 29 May 2013 07:01:23 +0200
From: Andreas Nilsson
To: Julian Elischer
Cc: "freebsd-net@freebsd.org", Jeff
Subject: Re: FreeBSD jail can't talk to internet through multiple routers
In-Reply-To: <51A562B2.4020101@freebsd.org>
References: <1369785428.89131.YahooMailNeo@web142302.mail.bf1.yahoo.com> <51A562B2.4020101@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD
On Wed, May 29, 2013 at 4:06 AM, Julian Elischer wrote:

> On 5/29/13 7:57 AM, Jeff wrote:
>
>> Hi,
>>
>> I run PCBSD 9.1 and have a jail setup (uses the Warden PBI to set it up).
>>
>> In that jail, which has its own local IP like 192.168.1.12, I have an
>> Apache server running Drupal.
>>
>> Normally when I connect the computer to a single router that is connected
>> to a modem, I set "nameserver 192.168.1.1", i.e. the router LAN IP or
>> gateway, in etc/resolv.conf and have no problems.
>>
>> Now I have added a 2nd router daisy chained from the primary router,
>> running a subnet (primary router has IP: 192.168.1.1 and secondary router:
>> 192.168.2.1).
>>
>> The computer running the jail is plugged into the secondary router.
>>
>> The problem is, the jail can't contact the internet. I can SSH into the
>> jail but it takes a very long time to connect, like 30 seconds or so.
>>
>> I've tried different IP addresses for "nameserver" but nothing works.
>>
>> I have no problems using the internet from the main part of the computer,
>> just the jails.
>>
>> Any ideas why this happens and how to get around it? I've had this
>> problem for years with different versions of FreeBSD.
>>
>> Do I need to create a static route through to the gateway, and if so, why
>> is that not a problem using a browser from the main part of the machine?
>
> Basically your jail is using the same routing as the rest of the machine.
> You have several options, though they may not all be supported in the
> PCBSD 9.1 jail system:
>
> 1/ You could use ipfw to do packet forwarding.
> This is what we used to do before we had #2 and #3.
> 2/ You can specify that the jail should use a different FIB (routing table).
> You should look up setfib(1) and setfib(2) and follow the 'see also'
> pointers as well.
> 3/ You can use VIMAGE and set up a jail with a completely separate network
> stack.
> Documentation for this is a bit hard to find, but use the 'vnet' option in
> jail(8) and look up VIMAGE and vnet in Google.
>
>> Thanks,
>>
>> Jeff

From the example IPs I take it you are behind "double NAT", not just behind 2
routers? When you say "jail can't connect to the internet", is it just DNS
queries that fail, or IP connectivity? Are you running any firewall on the
host?

I was forced to use a similar setup for a while, but I never saw those
problems. Timeouts on ssh could point to DNS failures: did you update the
resolv.conf in the jails as well as on the host?

If you start the jail with allow.raw_sockets enabled (you didn't mention what
method, i.e. rc.conf, jail.conf or just jail -c, you use to start the jails,
so use the appropriate method of passing that arg), could you then from within
the jail do some pings and digs like:

dig @8.8.8.8 freebsd.org
dig @192.168.2.1 freebsd.org
dig @192.168.1.1 freebsd.org
ping 8.8.8.8
ping 192.168.2.1
ping 192.168.1.1

Best regards
Andreas
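The probes Andreas asks for, as an added example that is not part of the thread: a script run inside the jail that performs the dig and ping checks against each hop and reports whether the break is IP reachability or name resolution. It assumes FreeBSD ping(8) (where -t is an overall timeout), dig from the bind-tools port, a jail started with allow.raw_sockets, and the addresses quoted in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Run inside the jail after it was
# started with allow.raw_sockets, otherwise ping cannot open a raw socket.
# Hop order follows the thread: secondary router, primary router, public host.
HOPS="192.168.2.1 192.168.1.1 8.8.8.8"
NAME="freebsd.org"

# One probe each. FreeBSD ping(8): -t is a timeout in seconds (on Linux it is TTL).
probe_ping() { ping -c 1 -t 2 "$1" >/dev/null 2>&1 && echo ok || echo fail; }
probe_dig()  { dig +time=2 +tries=1 +short "@$1" "$NAME" 2>/dev/null | grep -q . && echo ok || echo fail; }

# classify PINGS DIGS: each argument is an "ok|fail" triple in hop order.
# Pure function (no network) so the verdict logic can be checked offline.
classify() {
  pings=$1; digs=$2
  set -- $pings; p_sec=$1; p_pri=$2; p_pub=$3
  set -- $digs;  d_sec=$1; d_pri=$2; d_pub=$3
  if [ "$p_sec" = fail ]; then
    echo "ROUTE_LOCAL: the directly attached router does not answer; check the jail's address/route and host pf/ipfw rules"
  elif [ "$p_pri" = fail ] || [ "$p_pub" = fail ]; then
    echo "ROUTE_UPSTREAM: first hop answers but traffic dies beyond it; check routing/NAT between the two routers"
  elif [ "$d_sec" = fail ] && [ "$d_pri" = fail ] && [ "$d_pub" = fail ]; then
    echo "DNS_ALL: IP works but no resolver answers; check resolv.conf inside the jail and any rule blocking UDP/53"
  elif [ "$d_sec" = fail ] || [ "$d_pri" = fail ] || [ "$d_pub" = fail ]; then
    echo "DNS_PARTIAL: some resolvers answer; point the jail's resolv.conf at one that does"
  else
    echo "OK: connectivity and name resolution both work from the jail"
  fi
}

# Probe every hop once, print the raw results, then the verdict.
run_checks() {
  pings=""; digs=""
  for h in $HOPS; do
    p=$(probe_ping "$h"); d=$(probe_dig "$h")
    echo "$h  ping=$p  dig=$d"
    pings="$pings $p"; digs="$digs $d"
  done
  classify "$pings" "$digs"
}

# Only touch the network when asked (sh jail-netcheck.sh --run); otherwise just define functions.
[ "${1:-}" = "--run" ] && run_checks
```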