I'm in the middle of setting up a dedicated server. It's running ESXi and I installed a FreeBSD guest.
Using iocage I want to create some jails. I have done this before more than once and usually this is straightforward... but this time I'm stuck somehow.
The jail is created with vnet=on and I assigned a static IP. From the jail I can ping the FreeBSD host but not for example the pfSense instance that's running in the same network. Reaching pfSense from the FreeBSD host is no problem.
To me it seems the traffic can't flow further than the FreeBSD host... but I'm not sure why. I compared the settings with what I have on my home server and things look identical. Maybe there is something different because it's running inside ESXi, but I'm not 100% sure.
Another issue I noticed: Usually I set the IP address on the bridge0 interface instead of on em0, but this seems not to work properly in this scenario. When I set the IP on the bridge, the FreeBSD host itself had no connectivity. It feels like this could be related somehow...
Any ideas?
ifconfig host:
Code:
ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
ether 00:0c:29:30:11:07
inet 10.23.0.10 netmask 0xffff0000 broadcast 10.23.255.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:4c:98:3e:bd:00
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: vnet0.6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 4 priority 128 path cost 2000
member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 20000
groups: bridge
nd6 options=9<PERFORMNUD,IFDISABLED>
vnet0.6: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: associated with jail: template as nic: epair0b
options=8<VLAN_MTU>
ether 00:0c:29:5a:d2:94
hwaddr 02:bb:a1:19:51:0a
inet6 fe80::20c:29ff:fe5a:d294%vnet0.6 prefixlen 64 scopeid 0x4
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ifconfig jail:
Code:
ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:0c:29:5a:d2:95
hwaddr 02:bb:a1:19:51:0b
inet 10.23.0.6 netmask 0xffff0000 broadcast 10.23.255.255
inet6 fe80::20c:29ff:fe5a:d295%epair0b prefixlen 64 tentative scopeid 0x2
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
/etc/sysctl.conf freebsd host:
Code:
cat /etc/sysctl.conf
...
# vnet iocage
net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
net.link.bridge.pfil_member=0 # Packet filter on the member interface
ping host:
Code:
ping 10.23.0.1
PING 10.23.0.1 (10.23.0.1): 56 data bytes
64 bytes from 10.23.0.1: icmp_seq=0 ttl=64 time=0.155 ms
ping 10.23.0.6
PING 10.23.0.6 (10.23.0.6): 56 data bytes
64 bytes from 10.23.0.6: icmp_seq=0 ttl=64 time=5.062 ms
ping jail:
Code:
ping 10.23.0.10
PING 10.23.0.10 (10.23.0.10): 56 data bytes
64 bytes from 10.23.0.10: icmp_seq=0 ttl=64 time=5.621 ms
ping 10.23.0.1
PING 10.23.0.1 (10.23.0.1): 56 data bytes
ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
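The following script is an added example and is not part of the post above or of iocage; it pulls the three host-side facts a practitioner checks first in this kind of setup out of the text that was posted. The ifconfig and sysctl samples inside it are abbreviated copies of the output shown above; the `arp -an` table is constructed (hypothetical, not posted) to match the ping results. The checks it encodes: which interfaces are members of bridge0; whether `net.link.bridge.pfil_member` / `pfil_bridge` put the host's packet filter in the bridged path at all (with both at 0, host pf never sees frames bridged between jails and the uplink, which is a security caveat as much as a troubleshooting one); and which MAC addresses will leave the VM's vNIC that are not the vNIC's own. That last list matters on ESXi specifically: a vSwitch port group only delivers frames to a port whose destination MAC is the vNIC's own unless Promiscuous mode is set to Accept, and it drops frames sourced from any other MAC unless Forged transmits (and MAC address changes) are set to Accept. The jail's epair0b MAC, and bridge0's MAC once bridge0 carries the address, are both "other" MACs from the vSwitch's point of view. An ARP entry for the gateway that stays `(incomplete)` inside the jail while the host's entry resolves is what that looks like from the guest.

```shell
#!/bin/sh
# Added example (not from the post): offline checks for a vnet jail bridged onto a VM's vNIC.
# Samples below are abbreviated from the posted output; SAMPLE_ARP is constructed.
# On a live host replace them with:  ifconfig ; jexec <jail> ifconfig ; sysctl net.link.bridge ; jexec <jail> arp -an

# Host ifconfig, abbreviated from the post (bridge0 placed last so a caller can append an address to it).
SAMPLE_HOST_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:0c:29:30:11:07
    inet 10.23.0.10 netmask 0xffff0000 broadcast 10.23.255.255
vnet0.6: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:0c:29:5a:d2:94
    hwaddr 02:bb:a1:19:51:0a
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:4c:98:3e:bd:00
    member: vnet0.6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# Jail ifconfig, abbreviated from the post.
SAMPLE_JAIL_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:0c:29:5a:d2:95
    hwaddr 02:bb:a1:19:51:0b
    inet 10.23.0.6 netmask 0xffff0000 broadcast 10.23.255.255'

# /etc/sysctl.conf lines from the post.
SAMPLE_SYSCTL='net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
net.link.bridge.pfil_member=0 # Packet filter on the member interface'

# Constructed (hypothetical) `arp -an` as seen inside the jail: host resolved, gateway never answered.
SAMPLE_ARP='? (10.23.0.10) at 00:0c:29:30:11:07 on epair0b expires in 1190 seconds [ethernet]
? (10.23.0.1) at (incomplete) on epair0b expired [ethernet]'

# bridge_members BRIDGE IFCONFIG_TEXT -> member interface names on one line, space separated.
bridge_members() {
  printf '%s\n' "$2" | awk -v br="$1" '
    /^[a-z0-9.]+: flags=/ { ifn = $1; sub(/:$/, "", ifn); next }
    ifn == br && $1 == "member:" { printf "%s%s", sep, $2; sep = " " }
    END { print "" }'
}

# bridge_pfil_mode SYSCTL_TEXT -> "filtered" if pf/ipfw hooks into bridged frames
# (pfil_member=1 or pfil_bridge=1), else "bypass". Accepts rc-style "a=b" and sysctl-style "a: b" lines.
bridge_pfil_mode() {
  printf '%s\n' "$1" | awk -F'[=:]' '
    /^[ \t]*net\.link\.bridge\.pfil_(member|bridge)/ {
      v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v)
      if (v == "1") on = 1
    }
    END { print (on ? "filtered" : "bypass") }'
}

# foreign_macs UPLINK HOST_IFCONFIG JAIL_IFCONFIG -> "iface mac" for every MAC that will be seen on the
# uplink but is not the uplink's own: any host interface carrying an inet address (e.g. bridge0 when the
# address lives there) and every jail interface. These need forged transmits + promiscuous mode on ESXi.
foreign_macs() {
  uplink=$1; host=$2; jail=$3
  { printf '%s\n' "$host" | sed 's/^/host /'; printf '%s\n' "$jail" | sed 's/^/jail /'; } |
  awk -v up="$uplink" '
    $2 ~ /^[a-z0-9.]+:$/ && $3 ~ /^flags=/ { side = $1; ifn = $2; sub(/:$/, "", ifn); next }
    $2 == "ether" { mac[side, ifn] = $3; order[n++] = side SUBSEP ifn }
    $2 == "inet"  { hasip[side, ifn] = 1 }
    END {
      upmac = mac["host", up]
      for (i = 0; i < n; i++) {
        split(order[i], k, SUBSEP); s = k[1]; f = k[2]; m = mac[s, f]
        if (m == upmac || f ~ /^lo/) continue
        if (s == "jail" || hasip[s, f]) print f, m
      }
    }'
}

# arp_state IPV4 ARP_TEXT -> "resolved", "incomplete" or "absent" for that address in `arp -an` output.
arp_state() {
  printf '%s\n' "$2" | awk -v ip="($1)" '
    $2 == ip { s = ($4 == "(incomplete)") ? "incomplete" : "resolved"; print s; found = 1; exit }
    END { if (!found) print "absent" }'
}

report() {
  echo "bridge0 members: $(bridge_members bridge0 "$SAMPLE_HOST_IFCONFIG")"
  echo "bridge pfil mode: $(bridge_pfil_mode "$SAMPLE_SYSCTL") (bypass = host pf never sees bridged jail traffic)"
  echo "MACs leaving em0 that are not em0's own (vSwitch must accept forged transmits and promiscuous mode):"
  foreign_macs em0 "$SAMPLE_HOST_IFCONFIG" "$SAMPLE_JAIL_IFCONFIG" | sed 's/^/  /'
  echo "jail ARP entry for 10.23.0.1 (pfSense): $(arp_state 10.23.0.1 "$SAMPLE_ARP")"
  echo "jail ARP entry for 10.23.0.10 (host):  $(arp_state 10.23.0.10 "$SAMPLE_ARP")"
}
report
```

On a live host, `jexec <jail> arp -an` after a failed ping is the quickest way to tell "no reply ever reached the guest" (entry stays incomplete) from "replies arrive but something drops them higher up" (entry resolves, ping still fails); `tcpdump -eni em0 arp` on the host shows the same thing on the wire, with the source MAC of each request visible so you can see whether it is the jail's epair0b address or the vNIC's.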