DI-604; jail does not see network
Hello folks! I've posted this in a couple of forums, but then found this one which looks very active!
Here is the problem. From inside the jail I can ping host and jail ip addresses, but the network is unreachable. Looking to do all kinds of fun things like test CRM packages that run with php or perl and apache, among other things. I'm going to need routine network access from the jails. (Used ezjail for setup and followed some of the common guides -- went smoothly up until the network problem.)

I use a D-Link DI-604 broadband router/firewall, which has been very nice since every system can be set up with the same ip address, even if it is set to dhcp (allows dhcp, static ip, and static-dhcp). After first encountering the problem, I moved the server ip to a higher static ip. Also limited DHCP to a lower range, and set all possible ips there to static-DHCP. The jail ip is in the static ip range as well. Static-DHCP requires unique MAC addresses -- this is what forced me to static ip addresses on the host and jail. Yet I still cannot ping outside the system and package installations do not work.

Does anyone else have a functional jail behind a DI-604 router? Also, I am wondering if the router is blocking aliasing because the MAC address is the same for host and any jails?

ifconfig
Code:
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:01:99:03:9d:82
        ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        lladdr 0.1.99.0.0.3.9d.82.a.2.ff.fe.0.0.0.0
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=10b<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
        ether 00:19:21:ef:f5:c0
        inet6 fe80::219:21ff:feef:f5c0%nfe0 prefixlen 64 scopeid 0x3
        inet 192.168.0.120 netmask 0xffffffff broadcast 192.168.0.120
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pflog0: flags=0<> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=10b<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
        ether 00:19:21:ef:f5:c0
        inet 192.168.0.199 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:21ff:feef:f5c0%lagg0 prefixlen 64 scopeid 0x8
        media: Ethernet autoselect
        status: active
        laggproto failover
        laggport: nfe0 flags=5<MASTER,ACTIVE>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xffffff00
(192.168.0.199 is the host and .120 is the jail.)

domain and nameservers are in the resolv.conf of jail and host. jail rc.conf has default router (192.168.0.1) and jail starts up fine. (ssh to jail works from host) Any help is much appreciated!
-r
Last edited by Carpetsmoker; 2nd May 2010 at 09:31 PM. Reason: Added [code] tags
ty edit
Ty for the edit ... much better ifconfig output.
-r
Yea ezjail man pages are very poorly documented.
There are 3 things your jail has to have to be accessible from the public network.
1. A copy of the host's /etc/resolv.conf
2. The ezjail-admin create must use the public ip address.
3. The /etc/rc.conf must contain the same ifconfig_xxx="DHCP" statements as used in the host to connect to the public network.
Then pkg_add -r will work. But ping is restricted from working inside of any jail by design. I use whois or dig commands to test for network access in place of ping. Here are my versions of the ezjail man pages I wrote for my own use. You may find them helpful. Copy the files to /usr/local/man/man8/ and then man 8 ezjail-admin to see it.
__________________
FreeBSD Install Guide www.a1poweruser.com
The DNS resolver on the DI-604 lacks support for TCP requests, so you should use your ISP servers directly or use a local caching server.
AFAIK FreeBSD's resolver doesn't have EDNS support (..larger packets over UDP), so some sites may not resolve properly.. granted it's rather rare, see this thread.
ty ideas
Ty for the ideas. I will look at the .conf files again, but I think everything is set up as if static IPs since the hardware router was doing static-dhcp.
Ping is working from jail to host ... I don't know enough to know if ping would nevertheless be disabled from jail to router by default? I'm guessing FBSD is indicating that no, even if ping works on the host, it will not go outside the host from the jail. I might try taking the router dns out of the config and see what happens. If that doesn't work and I can't make progress with other .conf files I'll try setting up a freebsd router (maybe working on a different range of IPs from the hardware router).
rc.conf
Wondering if there are any glaring issues here before I start messing around with a software router?
Code:
background_dhclient="YES"
compat5x_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
devd_enable="YES"
devfs_system_ruleset="devfsrules_common"
ldconfig_paths="/usr/lib/compat /usr/local/lib /usr/local/kde4/lib /usr/local/lib/compat/pkg"
# Enable ezjail by default
ezjail_enable="YES"
# Disable Sendmail by default
sendmail_enable="NONE"
# Enable console mouse
moused_type="auto"
moused_enable="YES"
# Enable the pcbsd startup / shutdown scripts
pcbsdinit_enable="YES"
# Enable samba server
samba_enable="YES"
winbindd_enable="YES"
# Disable LPD
lpd_enable="NO"
# Enable CUPS
cupsd_enable="YES"
linux_enable="YES"
# FSCK Enhancements
fsck_y_enable="YES"
background_fsck="NO"
# Denyhosts Startup
denyhosts_enable="YES"
# powerd: adaptive speed while on AC power, adaptive while on battery power
# WARNING: May cause crashes with nvidia driver
#powerd_enable="YES"
#powerd_flags="-a adaptive -b adaptive"
# set CPU frequency
# enable HAL / DBUS
dbus_enable="YES"
polkitd_enable="YES"
hald_enable="YES"
# Enables support for HPLIP
hpiod_enable="NO"
hpssd_enable="NO"
# Enable the firewall
pf_rules="/etc/pf.conf"
pf_enable="YES"
pf_flags=""
# Enable ipfw and open it by default since we have PF
firewall_enable="YES"
firewall_type="open"
# Enable sound-support
snddetect_enable="YES"
mixer_enable="YES"
# Enable avahi_daemon
avahi_daemon_enable="YES"
# Run the port jail
portjail_enable="YES"
# Added for sound support in the portjail, access to /dev/random, /dev/null, etc.
jail_pcbsd_devfs_enable="YES"
# Start the swapmonitor
swapmonitor_enable="YES"
# Enable IPV6 support
ipv6_enable="YES"
# Enable BSDStats
bsdstats_enable="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
keymap="us.iso"
# Auto-Enabled NICs from pc-sysinstall
ifconfig_nfe0="up"
hostname="test"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto failover laggport nfe0 192.168.0.199 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
ipv6_defaultrouter=""
# Aliased IPs for jails
ifconfig_nfe0_alias0="inet 192.168.0.120 netmask 255.255.255.255"
#ifconfig_nfe0_alias1="inet 192.168.0.121 netmask 255.255.255.255"
#ifconfig_nfe0_alias2="inet 192.168.0.122 netmask 255.255.255.255"
#ifconfig_nfe0_alias3="inet 192.168.0.123 netmask 255.255.255.255"
resolv.conf
Both jail and host resolv.conf have:
Code:
nameserver 192.168.0.1
I put in the domain info and even added the DNS entries for the cable service. No luck. So I guess I am wondering if my rc.conf file is "non-standard" and maybe creating the issue.
brute force trial and error
OK, so I wondered if lagg0 was the problem. It seems to co-opt the main host ip. Now, with lagg0 commented out of rc.conf and explicit line for nfe0, the jail can ping to router. Do I need lagg0? If so, how can I enable it and make the jails work?
Code:
ifconfig
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:01:99:03:9d:82
        ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        lladdr 0.1.99.0.0.3.9d.82.a.2.ff.fe.0.0.0.0
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=10b<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
        ether 00:19:21:ef:f5:c0
        inet 192.168.0.199 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:21ff:feef:f5c0%nfe0 prefixlen 64 scopeid 0x3
        inet 192.168.0.120 netmask 0xffffffff broadcast 192.168.0.120
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pflog0: flags=0<> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xffffff00
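As an added example that is not from any poster in this thread, here is a small POSIX shell check that covers two points raised above: the ezjail checklist item that the jail needs a copy of the host's /etc/resolv.conf, and the finding in the last post that the jail alias was sitting on nfe0 while the host address (and so the default route) lived on lagg0. The two ifconfig samples are constructed from the addresses reported in the thread (host .199, jail .120); on a live host the same functions run over the real output, for example `jail_alias_check "$(ifconfig)" 192.168.0.199 192.168.0.120`.

```shell
#!/bin/sh
# Added example, not code from the thread. The ifconfig text below is
# constructed from the addresses the original poster reported.

# Sample 1 (constructed): host address on lagg0, jail alias on nfe0.
# This is the layout the poster had while the jail could not reach the router.
SAMPLE_LAGG='nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:19:21:ef:f5:c0
        inet 192.168.0.120 netmask 0xffffffff broadcast 192.168.0.120
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:19:21:ef:f5:c0
        inet 192.168.0.199 netmask 0xffffff00 broadcast 192.168.0.255
        laggproto failover laggport: nfe0 flags=5<MASTER,ACTIVE>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 10.1.1.1 netmask 0xffffff00'

# Sample 2 (constructed): lagg0 removed, host address and jail alias both on nfe0.
SAMPLE_PLAIN='nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:19:21:ef:f5:c0
        inet 192.168.0.199 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.120 netmask 0xffffffff broadcast 192.168.0.120
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 10.1.1.1 netmask 0xffffff00'

# iface_of_ip IFCONFIG_TEXT IP
# Prints the interface whose "inet" line carries IP; prints nothing if the
# address is not configured anywhere.
iface_of_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[A-Za-z0-9]+:/ { iface = $1; sub(/:$/, "", iface) }   # "nfe0:" -> "nfe0"
        $1 == "inet" && $2 == ip { print iface; exit }
    '
}

# jail_alias_check IFCONFIG_TEXT HOST_IP JAIL_IP
# Prints "ok" when the jail alias sits on the same interface as the host
# address (so it shares that interface's link and the host's default route),
# otherwise "mismatch:<host-iface>:<jail-iface>", with "none" for an address
# that is not configured at all.
jail_alias_check() {
    host_if=$(iface_of_ip "$1" "$2")
    jail_if=$(iface_of_ip "$1" "$3")
    if [ -n "$host_if" ] && [ "$host_if" = "$jail_if" ]; then
        echo ok
    else
        echo "mismatch:${host_if:-none}:${jail_if:-none}"
    fi
}

# resolv_in_sync HOST_RESOLV JAIL_RESOLV
# Checklist item 1 from the ezjail post: the jail needs a copy of the host's
# resolv.conf. Prints "ok" when both files exist and are byte-identical,
# "stale" otherwise. Paths are whatever the caller passes (ezjail's default
# jail root is an assumption on any given system, so none is hard-coded here).
resolv_in_sync() {
    if [ -r "$1" ] && [ -r "$2" ] && cmp -s "$1" "$2"; then
        echo ok
    else
        echo stale
    fi
}

# Demonstration on the two constructed samples.
echo "with lagg0:    $(jail_alias_check "$SAMPLE_LAGG" 192.168.0.199 192.168.0.120)"
echo "without lagg0: $(jail_alias_check "$SAMPLE_PLAIN" 192.168.0.199 192.168.0.120)"
```

The mismatch case is the one to watch for when a failover lagg is in use: adding the alias to the member interface (nfe0) rather than to lagg0 leaves it on a port that the lagg driver, not the host's routing, owns. Putting the alias on the same interface that carries the host address keeps the jail on the interface the default route uses, which is what the last post found by trial and error.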