Date: Sun, 26 Aug 2018 19:19:33 +0100
From: Norman Gray <norman.gray@glasgow.ac.uk>
To: Dave Cottlehuber <dch@skunkwerks.at>
Cc: <freebsd-questions@freebsd.org>
Subject: Re: Jails and networks
Message-ID: <82BDCB53-FBEF-431B-B43F-099E7CC4C4F2@glasgow.ac.uk>
In-Reply-To: <1535210472.40142.1485918024.52274C37@webmail.messagingengine.com>
References: <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk> <1535210472.40142.1485918024.52274C37@webmail.messagingengine.com>
Dave and other spectators, hello.

On 25 Aug 2018, at 16:21, Dave Cottlehuber wrote:

> Your jail needs to have some way to send & receive traffic via the
> host to the internet. Just adding a 192.168.0.0 address to the
> external igb0 interface will only work if the adjacent router allows
> that, and it almost certainly won't by default.
>
> This means you need either NAT or routing on your system to take
> care of this for you.

*sigh* this was the problem. The host is on a 172.16.0.0/12 private network (which routes to the internet), the jails were on 192.168.0.0/16, and there was no routing between them.

I added (the commented equivalent of)

    ext_if="igb0"
    jail_if="lo1"
    jail_net = $jail_if:network
    internet = $ext_if:network

    scrub in all
    nat pass on $ext_if from $jail_net to any -> $internet
    pass out
    pass in

to /etc/pf.conf, and I can now happily route from the jail to the World Wide Web of Wonderfulness.

----

This is of course fairly obvious in retrospect. In production, these jails will have to talk only to the host (they'll be Ceph nodes), but of course when experimenting, and when setting things up, they'll have to be able to see further afield. I had the endpoint (too) firmly in mind when I started on the sub-problem of learning about jails, so I never reexamined the slightly unusual network environment I had initially set up for myself.

Moral: when you cut down the problem to make it easier to understand, make sure the sub-problem is actually simpler. Step further back.

In my original list post, I even said, apropos one of the most useful resources I found, 'Now, I don't think I need pf in my situation, so I want to skip that part of the instructions.' Did I mention: *sigh*?

Moral: when you skip part of the instructions, be _really_ clear why they were there in the first place.
I have a clearer idea of jails+interfaces than I had: jails are much less magical than I thought going into this, and in particular the set of interfaces in the jail is (roughly) merely a tweaked version of the host's. I confess I'm still unclear why I don't see a default route in `netstat -rn` within the jail, and that `telnet www.gla.ac.uk 80` works but `route get www.gla.ac.uk` claims there is no route. But perhaps I'll leave that mystery for another day.

But at least I got to spend some quality time with Stevens' IP book, so that was good.

Thanks again to all who gave advice, and best wishes,

Norman

-- 
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
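For the production case the message describes (jails that may talk only to the host), the same pf.conf can be tightened so that jail-sourced traffic never leaves igb0. This is an added example, not a ruleset from the thread; it assumes the same interface names, non-VNET jails whose addresses are aliases on lo1 (so host-to-jail traffic takes the lo0 loopback path), and a pflog0 interface for the log keyword.

```pf
# Added example, not from the original message: the production counterpart of the
# ruleset quoted in the thread, for jails that may talk only to the host.
ext_if   = "igb0"
jail_if  = "lo1"
jail_net = $jail_if:network

set skip on lo0     # host <-> jail traffic over the loopback path is left unfiltered
scrub in all

# No nat rule: jail addresses are never translated to the host's address, so the
# jails cannot reach anything beyond the host through it.

# Any jail-sourced packet that does reach the external interface is logged and
# dropped; review the log with: tcpdump -n -e -ttt -i pflog0
block out log quick on $ext_if from $jail_net to any

# Everything else keeps the permissive defaults of the experimental setup.
pass out
pass in
```

Switching back to the experimental setup is then a matter of re-adding the nat rule above the block rule; the block line stays in place and only the translated traffic passes.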