Hi all!
Does anybody know if it's possible to run a vnet jail on a non-dedicated interface? I have the Lucas book on jails. In it he says that for vnet you need to pick a dedicated interface, remove all networking IP configuration and only bring it up. Afterwards you set up jib and whatnot.

All works well if I use a dedicated secondary interface (let's call it em1). If I use em0 however I cannot ping the jail.

I would like to have a host that has a single network interface which is used for both normal networking stuff as well as having the vnet jail run on it.

Maybe I could create some sort of virtual interface and run vnet on it?

Any ideas here? Thanks in advance!

Arsenij
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
> Hi all!
> Does anybody know if it's possible to run a vnet jail on a non-dedicated interface? I have the Lucas book on jails. In it he says that for vnet you need to pick a dedicated interface, remove all networking IP configuration and only bring it up. Afterwards you set up jib and whatnot.
>
> All works well if I use a dedicated secondary interface (let's call it em1). If I use em0 however I cannot ping the jail.
>
> I would like to have a host that has a single network interface which is used for both normal networking stuff as well as having the vnet jail run on it.
>
> Maybe I could create some sort of virtual interface and run vnet on it?
>
> Any ideas here? Thanks in advance!
>
Look at epair interfaces.

You can put em0 and epair0a in a bridge together and add epair0b to the vnet jail.
That gets the vnet jail connected to your LAN.

Or you can skip the bridge, assign an IP to epair0a and route between the jail and your LAN.

Regards,
Kristof
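The bridge option Kristof describes, spelled out step by step as an added example (this is not code from the thread or from FreeBSD's jib script; jib automates the same steps, and its naming scheme, e0a_<jail>/e0b_<jail> for the epair ends and <if>bridge for the bridge, is what the ifconfig output later in this thread shows). Assumed names: jail "sambaad", host interface em0, bridge "em0bridge", epair "epair0"; the jail address and router are the ones given in the thread. Two things a practitioner should keep in mind with this layout: em0 goes into promiscuous mode as a bridge member (visible as PROMISC in the thread's ifconfig), and if pf or ipfw is enabled on the host, the sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge decide whether the host's rule set is applied to the bridged frames, so rules written for em0 alone can silently drop the jail's traffic. The script prints its plan by default and only executes it when run with APPLY=1 as root on a FreeBSD host; the membership check at the end runs offline against a constructed sample copied from the bridge section of the thread's host ifconfig.

```shell
#!/bin/sh
# Added example, not code from the thread: wire a vnet jail to the LAN
# through a bridge by hand.  em0 and the "a" end of an epair become bridge
# members; the "b" end is moved into the jail's vnet and carries the jail's
# LAN address.  Prints the plan unless APPLY=1 (then runs as root on FreeBSD).

HOST_IF="${HOST_IF:-em0}"                   # assumption: host LAN interface
JAIL="${JAIL:-sambaad}"                     # assumption: jail name from the thread
BRIDGE="${BRIDGE:-em0bridge}"               # assumption: bridge name (jib style)
EPAIR="${EPAIR:-epair0}"                    # assumption: epair unit
JAIL_ADDR="${JAIL_ADDR:-172.18.20.197/24}"  # jail address from the thread
GATEWAY="${GATEWAY:-172.18.20.1}"           # LAN router from the thread

# Print each command; execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# The bridge setup.  The jail must already exist before the "vnet" step,
# because that step moves the b end into the jail's own network stack.
bridge_plan() {
    run ifconfig "$BRIDGE" create
    run ifconfig "$EPAIR" create                      # creates epair0a and epair0b
    run ifconfig "$BRIDGE" addm "$HOST_IF" addm "${EPAIR}a" up
    run ifconfig "${EPAIR}a" up
    run ifconfig "${EPAIR}b" vnet "$JAIL"             # b end disappears from the host
    run jexec "$JAIL" ifconfig "${EPAIR}b" inet "$JAIL_ADDR" up
    run jexec "$JAIL" route add default "$GATEWAY"
}

# Check: given "ifconfig <bridge>" output on stdin, succeed only if every
# interface named as an argument is listed as a member of that bridge.
bridge_has_members() {
    members=" $(awk '$1 == "member:" { print $2 }' | tr '\n' ' ')"
    for want in "$@"; do
        case "$members" in
            *" $want "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample for the offline check: the bridge section of the host
# ifconfig posted in this thread (both members present).
SAMPLE_BRIDGE='em0bridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:13:0b:48:53:00
        member: e0a_sambaad flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge'

bridge_plan
if printf '%s\n' "$SAMPLE_BRIDGE" | bridge_has_members em0 e0a_sambaad; then
    echo "sample bridge has both expected members"
fi
```

In a jail.conf-driven setup the same steps are split across two hooks: the bridge and epair creation belong in exec.prestart (which is where the thread's config calls "jib addm"), and vnet.interface performs the move of the b end into the jail once the jail exists. To check a live host rather than the sample, pipe the real output in: ifconfig em0bridge | bridge_has_members em0 e0a_sambaad.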
On Wed, 14 Oct 2020 at 14:42, Kristof Provost <[hidden email]> wrote:
> On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote:
> > [...]
> Look at epair interfaces.
>
> You can put em0 and epair0a in a bridge together and add epair0b to the vnet jail.
> That gets the vnet jail connected to your LAN.
>
> Or you can skip the bridge, assign an IP to epair0a and route between the jail and your LAN.
>
> Regards,
> Kristof

Hi Kristof,

Thanks for your reply!

Considering your first idea: I did this, the jail gets created seemingly fine. However I cannot ping the IP of epair0b (this works when using a dedicated interface).
Also I cannot reach my gateway from within the jail. This too works when using a dedicated interface.
Btw I have "sysctl security.jail.allow_raw_sockets=1".

Here is my host ifconfig when putting em0 and epair0a in a bridge:

    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=812099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
            ether 9a:4c:eb:b5:95:bf
            inet 172.18.20.145 netmask 0xffffff00 broadcast 172.18.20.255
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    jailether: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=81209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
            ether 56:39:b7:c5:2e:ec
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
            inet 127.0.0.1 netmask 0xff000000
            inet 10.43.84.1 netmask 0xffffff00
            groups: lo
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    em0bridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 02:13:0b:48:53:00
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: e0a_sambaad flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 5 priority 128 path cost 2000
            member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 1 priority 128 path cost 20000
            groups: bridge
            nd6 options=1<PERFORMNUD>
    e0a_sambaad: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 02:a4:c4:b5:95:bf
            hwaddr 02:78:fd:34:e8:0a
            groups: epair
            media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
            status: active
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Here's the ifconfig from within my jail:

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
            inet 127.0.0.1 netmask 0xff000000
            groups: lo
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    e0b_sambaad: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=8<VLAN_MTU>
            ether 0e:a4:c4:b5:95:bf
            hwaddr 02:78:fd:34:e8:0b
            inet 172.18.20.197 netmask 0xffffff00 broadcast 172.18.20.255
            groups: epair
            media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
            status: active
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

The rc.conf in my jail contains the following:

    ifconfig_e0b_sambaad="172.18.20.197/24"
    defaultrouter="172.18.20.1"

And last but not least, here's my jail.conf:

    Samba-AD_sambaad {
        allow.mount.devfs="true";
        vnet.interface="e0b_sambaad";
        exec.prestart="/usr/local/scripts/jib addm sambaad em0";
        exec.poststop="/usr/local/scripts/jib destroy sambaad";
        sysvshm="new";
        sysvmsg="new";
        host.hostname="sambaad";
        exec.start="'/etc/rc'";
        allow.mount.fdescfs="true";
        devfs_ruleset="6";
        sysvsem="new";
        allow.mount.procfs="true";
        enforce_statfs="2";
        exec.stop="'/etc/rc.shutdown'";
        mount.devfs="true";
        path="/cs/systemJheap/Samba-AD/j/sambaad/root";
        vnet="new";
        allow.raw_sockets="true";
        allow.mount="true";
    }

Do you have an idea why I cannot ping my jail from within my network when using a non-dedicated interface?

BR
Arsenij
On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
> On Wed, 14 Oct 2020 at 14:42, Kristof Provost <[hidden email]> wrote:
> > [...]
> > You can put em0 and epair0a in a bridge together and add epair0b to the vnet jail.
> > That gets the vnet jail connected to your LAN.
> > [...]
>
> Considering your first idea: I did this, the jail gets created seemingly fine. However I cannot ping the IP of epair0b (this works when using a dedicated interface).
> Also I cannot reach my gateway from within the jail. This too works when using a dedicated interface.
> Btw I have "sysctl security.jail.allow_raw_sockets=1".
>
> Here is my host ifconfig when putting em0 and epair0a in a bridge:
> [...]
> e0a_sambaad: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 02:a4:c4:b5:95:bf
>         hwaddr 02:78:fd:34:e8:0a
>         groups: epair
>         media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
>         status: active
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>
> Here's the ifconfig from within my jail:
> [...]
> e0b_sambaad: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 0e:a4:c4:b5:95:bf
>         hwaddr 02:78:fd:34:e8:0b

This is odd. Are you assigning a new MAC address to the epair interfaces somewhere? Both ends of the epair seem to have a new MAC address, and the same one at that.

Regards,
Kristof
On Wed, 14 Oct 2020 at 15:41, Kristof Provost <[hidden email]> wrote:
> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
> > [...]
> > e0a_sambaad: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >         options=8<VLAN_MTU>
> >         ether 02:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0a
> > [...]
> > e0b_sambaad: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >         options=8<VLAN_MTU>
> >         ether 0e:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0b
>
> This is odd. Are you assigning a new MAC address to the epair interfaces somewhere? Both ends of the epair seem to have a new MAC address, and the same one at that.
>
> Regards,
> Kristof

Not explicitly, no, I let the jib script do the epair creation.
Btw, an important detail I left out: I'm running a Samba DC with Bind9 inside the jail. Maybe this interferes somehow?

On Wed, 14 Oct 2020 at 15:41, Kristof Provost <[hidden email]> wrote:
> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
> > [...]
> > Here's the ifconfig from within my jail:
> > [...]
> > e0b_sambaad: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >         options=8<VLAN_MTU>
> >         ether 0e:a4:c4:b5:95:bf
> >         hwaddr 02:78:fd:34:e8:0b
>
> This is odd. Are you assigning a new MAC address to the epair interfaces somewhere? Both ends of the epair seem to have a new MAC address, and the same one at that.
>
> Regards,
> Kristof
Arsenij Solovjev wrote:
> On Wed, 14 Oct 2020 at 15:41, Kristof Provost <[hidden email]> wrote:
>> On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote:
>>> On Wed, 14 Oct 2020 at 14:42, Kristof Provost <[hidden email]> wrote:
>>>> [...]
>>>> You can put em0 and epair0a in a bridge together and add epair0b to the vnet jail.
>>>> That gets the vnet jail connected to your LAN.
>>>>
>>>> Or you can skip the bridge, assign an IP to epair0a and route between the jail and your LAN.
>>>>
>>>> Regards,
>>>> Kristof
>>>
>>> Considering your first idea: I did this, the jail gets created seemingly fine. However I cannot ping the IP of epair0b (this works when using a dedicated interface).
>>> Also I cannot reach my gateway from within the jail. This too works when using a dedicated interface.
>>> Btw I have "sysctl security.jail.allow_raw_sockets=1".
>>> snip:
>>>
>> This is odd. Are you assigning a new MAC address to the epair interfaces somewhere? Both ends of the epair seem to have a new MAC address, and the same one at that.
>>
>> Regards,
>> Kristof
>
> Not explicitly, no, I let the jib script do the epair creation.

To Arsenij Solovjev

For the record sure would like to see your jail.conf file where you setup this non-dedicated vnet jail system.

I believe a non-dedicated vnet jail is for local access only. Is that correct?

The bridge setup is for public internet access? Is that correct?

To Kristof Provost

In your reply you said:
"Or you can skip the bridge, assign an IP to epair0a and route between the jail and your LAN."
Please explain this statement. Route how?
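Kristof's second option, the routed setup Ernie asks about, worked through as an added example (not code from anyone on the thread). There is no bridge and em0 never enters promiscuous mode: the "a" end of the epair stays on the host with its own address, the "b" end goes into the jail, the host forwards IP between the two networks, and the LAN needs a route back to the jail's prefix via the host. Because the jail's packets are then ordinary forwarded traffic on the host, a pf or ipfw rule set sees them like any other routed traffic, which makes the filtering explicit rather than dependent on the bridge pfil sysctls. Assumed and constructed for this example: jail "sambaad", epair "epair0", a transfer network 10.99.0.0/30 with the host at .1 and the jail at .2; the LAN side (host em0 at 172.18.20.145, router 172.18.20.1) is taken from the thread. The script prints its plan by default and executes it only with APPLY=1 as root on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread: the routed alternative to the
# bridge.  Host-side epair end gets an address, host forwards, LAN routes
# the jail prefix back through the host.  Prints the plan unless APPLY=1.

JAIL="${JAIL:-sambaad}"                         # assumption: jail name from the thread
EPAIR="${EPAIR:-epair0}"                        # assumption: epair unit
HOST_TRANSFER="${HOST_TRANSFER:-10.99.0.1}"     # constructed transfer-net address (host)
JAIL_TRANSFER="${JAIL_TRANSFER:-10.99.0.2}"     # constructed transfer-net address (jail)
PREFIXLEN="${PREFIXLEN:-30}"                    # constructed transfer-net prefix length
HOST_LAN_ADDR="${HOST_LAN_ADDR:-172.18.20.145}" # host em0 address from the thread

# Print each command; execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Dotted IPv4 -> integer, for the prefix arithmetic below.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if both addresses fall inside the same /PREFIXLEN.  Two epair ends
# that disagree on the prefix is the classic reason a routed jail can reach
# the host but nothing beyond it.
same_subnet() {
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - $3)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Network address of ADDR/PREFIXLEN in dotted form (e.g. 10.99.0.0).
network_of() {
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - $2)) - 1) ))
    n=$(( $(ip2int "$1") & mask ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

routed_plan() {
    same_subnet "$HOST_TRANSFER" "$JAIL_TRANSFER" "$PREFIXLEN" || {
        echo "transfer addresses are not in one /$PREFIXLEN" >&2
        return 1
    }
    run sysctl net.inet.ip.forwarding=1          # host routes between LAN and jail
    run ifconfig "$EPAIR" create                 # epair0a stays on the host
    run ifconfig "${EPAIR}a" inet "$HOST_TRANSFER/$PREFIXLEN" up
    run ifconfig "${EPAIR}b" vnet "$JAIL"        # jail must already exist
    run jexec "$JAIL" ifconfig "${EPAIR}b" inet "$JAIL_TRANSFER/$PREFIXLEN" up
    run jexec "$JAIL" route add default "$HOST_TRANSFER"
    # Return path: the LAN router must know the jail prefix lives behind the
    # host.  That is configured on the router, not here; the host alone
    # cannot supply it.  Host NAT would work instead for outbound-only jails,
    # but it hides the jail, which is no good for a service others must reach.
    echo "# on the LAN router: route $(network_of "$HOST_TRANSFER" "$PREFIXLEN")/$PREFIXLEN via $HOST_LAN_ADDR"
}

routed_plan
```

The subnet check runs before any command is printed, so a mismatched pair of transfer addresses aborts the plan instead of producing a half-configured host. For a jail that must accept connections from the LAN, as a domain controller must, the static route on the router is the variant to use; NAT on the host only fits jails that merely need outbound access.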
Hi Ernie, please consider the last block in my second email, that is the jail.conf for the non-dedicated interface. The host runs all "normal" IP networking on em0.

On Wed, 14 Oct 2020 at 17:14, Ernie Luzar <[hidden email]> wrote:
> Arsenij Solovjev wrote:
> > [...]
> > Not explicitly, no, I let the jib script do the epair creation.
>
> To Arsenij Solovjev
>
> For the record sure would like to see your jail.conf file where you setup this non-dedicated vnet jail system.
>
> I believe a non-dedicated vnet jail is for local access only. Is that correct?
>
> The bridge setup is for public internet access? Is that correct?
>
> To Kristof Provost
>
> In your reply you said:
> "Or you can skip the bridge, assign an IP to epair0a and route between the jail and your LAN."
> Please explain this statement. Route how?