Solved VNET jail with jib unable to reach network

A

algi

Hi! I'm sure someone must have asked this question milion times, but I can't find an answer and I spent already couple of hours on this. I have FreeBSD 13.0 instance on Vultr, where I would like to create jail. The problem is that I cannot reach the network from jail and I cannot even ping bridge from jail. It can be wrong network configuration, or firewall settings. I can't imagine anything else.

Network:
Code: 
vtnet0 (192.248.xxx.xxx) <--> vtnet0bridge (10.0.0.1) <--> e0a_jail0 (10.0.0.5)

/etc/jail.conf:
Code: 
jamulus {
    host.hostname="jamulus.local";
    path="/jail/jamulus";
    exec.clean;
   
    vnet;
    vnet.interface = "e0b_jail0";
    exec.prestart += "/usr/local/scripts/jib addm jail0 vtnet0";
    exec.poststop += "/usr/local/scripts/jib destroy jail0";
    
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown jail";
    exec.consolelog = "/var/log/jail_jamulus_console.log";
    mount.devfs;
    allow.raw_sockets; # for testing, to be removed
}

/etc/rc.conf (inside jail):
Code: 
defaultrouter="10.0.0.1"
ifconfig_e0b_jail0="inet 10.0.0.5 netmask 255.192.0.0"
sendmail_enable="NONE"

I also use pf, to close all unwanted ports. It should not block any network communication from jail out and will be later on used to NAT traffic to the jail. Right now it doesn't have this functionality and /etc/pf.conf looks like this:

Code: 
ext_if="vtnet0"

set block-policy return
set skip on lo

scrub in all

block in on $ext_if
pass out keep state

pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
 
I managed to "fix" it to a degree, where I can do one (only one) successful ping request going out. After that, everything else gets lost. I can't wrap my head around it, it must be something with firewall, but I allow all traffic going out, I don't block anything. Anyone got an idea, please?
 
Okay, problem solved. For anybody wondering why it behaves so strange: pf config is correct and jails.conf as well. Apart from one little thing, which breaks everything: I had 'exec.clean;' too late in the process, it belongs to the beginning. Here's fully functional config:

Code: 
jamulus {
    host.hostname = "jamulus.jamulus";    # hostname
    path = "/jail/jamulus";                                 # root directory
    mount.devfs;                                                  # mount devfs
    exec.clean;                                                      # clean environment variables

    # TODO: automate ifconfig vtnet0bridge 10.0.0.1/24 up
    vnet;
    vnet.interface = "e0b_jail";
    exec.prestart += "jib addm jail vtnet0";
    exec.poststop += "jib destroy jail";
   
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";

    exec.consolelog = "/var/log/jail_jamulus_console.log";
    allow.raw_sockets;
}

The only thing (which curiously no tutorial mentions) is to configure bridge to assign it IP address. I need to find a way how to automate that, probably via rc config.

Edit:

I would forget, the NAT on firewall was required too:

Code: 
nat pass on $ext_if from $int_if:network to any -> ($ext_if)

where $ext_if = physical interface and $int_if = bridge interface.
 
You must log in or register to reply here.
Back
Top