DaemonForums > FreeBSD > FreeBSD General

DI-604; jail does not see network

#1, 2nd May 2010
redshirt (New User; joined May 2010; 7 posts)

Hello folks! I've posted this in a couple of forums, but then found this one which looks very active!

Here is the problem. From inside the jail I can ping host and jail IP addresses, but the network is unreachable. Looking to do all kinds of fun things like test CRM packages that run with PHP or Perl and Apache, among other things. I'm going to need routine network access from the jails. (Used ezjail for setup and followed some of the common guides -- went smoothly up until the network problem.)

I use a D-Link DI-604 broadband router/firewall, which has been very nice since every system can be set up with the same IP address, even if it is set to DHCP (allows DHCP, static IP, and static-DHCP). After first encountering the problem, I moved the server IP to a higher static IP. I also limited DHCP to a lower range, and set all possible IPs there to static-DHCP. The jail IP is in the static IP range as well.

Static-DHCP requires unique MAC addresses -- this is what forced me to static IP addresses on the host and jail.

Yet I still cannot ping outside the system and package installations do not work.

Does anyone else have a functional jail behind a DI-604 router?

Also, I am wondering if the router is blocking aliasing because the MAC address is the same for host and any jails?

ifconfig
Code:
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:01:99:03:9d:82
        ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        lladdr 0.1.99.0.0.3.9d.82.a.2.ff.fe.0.0.0.0
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=10b<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
        ether 00:19:21:ef:f5:c0
        inet6 fe80::219:21ff:feef:f5c0%nfe0 prefixlen 64 scopeid 0x3
        inet 192.168.0.120 netmask 0xffffffff broadcast 192.168.0.120
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pflog0: flags=0<> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=10b<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
        ether 00:19:21:ef:f5:c0
        inet 192.168.0.199 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:21ff:feef:f5c0%lagg0 prefixlen 64 scopeid 0x8
        media: Ethernet autoselect
        status: active
        laggproto failover
        laggport: nfe0 flags=5<MASTER,ACTIVE>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xffffff00

(192.168.0.199 is the host and .120 is the jail.) Domain and nameservers are in the resolv.conf of jail and host. The jail's rc.conf has the default router (192.168.0.1) and the jail starts up fine (ssh to the jail works from the host).

Any help is much appreciated!

-r

Last edited by Carpetsmoker; 2nd May 2010 at 09:31 PM. Reason: Added [code] tags

#2, 2nd May 2010
redshirt (New User; joined May 2010; 7 posts)
ty edit

Ty for the edit ... much better ifconfig output.

-r

#3, 3rd May 2010
FBSD (Real Name: Joe Barbish; KING; joined Feb 2010; Angeles City, Philippines; 19 posts)

Yeah, the ezjail man pages are very poorly documented.

There are 3 things your jail has to have to be accessible from the public network.

1. A copy of the host's /etc/resolv.conf

2. The ezjail-admin create must use the public IP address.

3. The /etc/rc.conf must contain the same ifconfig_xxx="DHCP" statements as used in the host to connect to the public network.

Then pkg_add -r will work.

But ping is restricted from working inside of any jail by design. I use whois or dig commands to test for network access in place of ping.

Here are my versions of the ezjail man pages I wrote for my own use. You may find them helpful. Copy the files to /usr/local/man/man8/ and then run man 8 ezjail-admin to see them.
Attached Files: ezjail-admin.8.gz (9.8 KB), ezjail.8.gz (2.1 KB), ezjail.conf.8.gz (1.2 KB)

-- FreeBSD Install Guide www.a1poweruser.com

#4, 3rd May 2010
BSDfan666 (Real Name: N/A, this is the interweb.; Banned; joined Apr 2008; Ontario, Canada; 2,223 posts)

The DNS resolver on the DI-604 lacks support for TCP requests, so you should use your ISP's servers directly or use a local caching server.

AFAIK FreeBSD's resolver doesn't have EDNS support (larger packets over UDP), so some sites may not resolve properly; granted, it's rather rare. See this thread.

#5, 3rd May 2010
redshirt (New User; joined May 2010; 7 posts)
ty ideas

Ty for the ideas. I will look at the .conf files again, but I think everything is set up as if static IPs, since the hardware router was doing static-DHCP.

Ping is working from jail to host ... I don't know enough to know if ping would nevertheless be disabled from jail to router by default? I'm guessing FBSD is indicating that no, even if ping works on the host, it will not go outside the host from the jail.

I might try taking the router DNS out of the config and see what happens. If that doesn't work and I can't make progress with other .conf files, I'll try setting up a FreeBSD router (maybe working on a different range of IPs from the hardware router).

#6, 4th May 2010
redshirt (New User; joined May 2010; 7 posts)
rc.conf

Wondering if there are any glaring issues here before I start messing around with a software router?


Code:
background_dhclient="YES" 
compat5x_enable="YES" 
sshd_enable="YES" 
usbd_enable="YES" 
devd_enable="YES" 
devfs_system_ruleset="devfsrules_common" 
ldconfig_paths="/usr/lib/compat /usr/local/lib /usr/local/kde4/lib /usr/local/lib/compat/pkg"

# Enable ezjail by default
ezjail_enable="YES"

# Disable Sendmail by default
sendmail_enable="NONE"

# Enable console mouse
moused_type="auto" 
moused_enable="YES" 

# Enable the pcbsd startup / shutdown scripts
pcbsdinit_enable="YES"
 
#Enable samba server 
samba_enable="YES" 
winbindd_enable="YES"
 
# Disable LPD  
lpd_enable="NO" 
 
# Enable CUPS 
cupsd_enable="YES" 
linux_enable="YES"
 
# FSCK Enhancements 
fsck_y_enable="YES" 
background_fsck="NO" 
 
# Denyhosts Startup 
denyhosts_enable="YES" 

# powerd: adaptive speed while on AC power, adaptive while on battery power
# WARNING: May cause crashes with nvidia driver
#powerd_enable="YES"
#powerd_flags="-a adaptive -b adaptive" # set CPU frequency

# enable HAL / DBUS
dbus_enable="YES"
polkitd_enable="YES"
hald_enable="YES"

# Enables support for HPLIP
hpiod_enable="NO"
hpssd_enable="NO"

# Enable the firewall
pf_rules="/etc/pf.conf"
pf_enable="YES"
pf_flags=""

# Enable ipfw and open it by default since we have PF
firewall_enable="YES"
firewall_type="open"

# Enable sound-support
snddetect_enable="YES"
mixer_enable="YES"

# Enable avahi_daemon
avahi_daemon_enable="YES"

# Run the port jail
portjail_enable="YES"

# Added for sound support in the portjail, access to /dev/random, /dev/null, etc.
jail_pcbsd_devfs_enable="YES"

# Start the swapmonitor
swapmonitor_enable="YES"

# Enable IPV6 support
ipv6_enable="YES"

# Enable BSDStats
bsdstats_enable="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
keymap="us.iso"
# Auto-Enabled NICs from pc-sysinstall
ifconfig_nfe0="up"
hostname="test"

cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto failover laggport nfe0 192.168.0.199 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
ipv6_defaultrouter=""

# Aliased IPs for jails
ifconfig_nfe0_alias0="inet 192.168.0.120 netmask 255.255.255.255"
#ifconfig_nfe0_alias1="inet 192.168.0.121 netmask 255.255.255.255"
#ifconfig_nfe0_alias2="inet 192.168.0.122 netmask 255.255.255.255"
#ifconfig_nfe0_alias3="inet 192.168.0.123 netmask 255.255.255.255"

#7, 4th May 2010
redshirt (New User; joined May 2010; 7 posts)
resolv.conf

Both jail and host resolv.conf have:

nameserver 192.168.0.1


I put in the domain info and even added the DNS entries for the cable service. No luck.

So I guess I am wondering if my rc.conf file is "non-standard" and maybe creating the issue.

#8, 5th May 2010
redshirt (New User; joined May 2010; 7 posts)
brute force trial and error

OK, so I wondered if lagg0 was the problem. It seems to co-opt the main host IP. Now, with lagg0 commented out of rc.conf and an explicit line for nfe0, the jail can ping the router. Do I need lagg0? If so, how can I enable it and make the jails work?

Code:
ifconfig
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:01:99:03:9d:82
        ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        lladdr 0.1.99.0.0.3.9d.82.a.2.ff.fe.0.0.0.0
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=10b<RXCSUM,TXCSUM,VLAN_MTU,TSO4>
        ether 00:19:21:ef:f5:c0
        inet 192.168.0.199 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:21ff:feef:f5c0%nfe0 prefixlen 64 scopeid 0x3
        inet 192.168.0.120 netmask 0xffffffff broadcast 192.168.0.120
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pflog0: flags=0<> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.1.1.1 netmask 0xffffff00
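The layout redshirt found above (the host's 192.168.0.199/24 on lagg0, the jail's 192.168.0.120/32 alias on the lagg member port nfe0) can be spotted mechanically from ifconfig output. The script below is an added example, not code from the thread or from ezjail: it parses ifconfig output with awk and reports whether the jail address sits on the same interface that carries the host's real subnet address. The two ifconfig samples are constructed from the outputs posted in this thread, trimmed to the relevant lines; jail_iface, subnet_iface and check_jail_alias are names chosen for this example, and the single-NIC assumption (the first non-loopback interface with a non-/32 address is the one the router is reached through) is the example's, not the thread's.

```sh
#!/bin/sh
# Added example (not from the thread or ezjail): check that a jail's alias
# address sits on the same interface that carries the host's subnet address.
#
# Constructed samples, trimmed from the ifconfig outputs posted in this thread.
# BROKEN: host address on lagg0, jail /32 alias on the lagg member port nfe0.
BROKEN='nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:19:21:ef:f5:c0
        inet 192.168.0.120 netmask 0xffffffff broadcast 192.168.0.120
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.199 netmask 0xffffff00 broadcast 192.168.0.255
        laggport: nfe0 flags=5<MASTER,ACTIVE>'

# FIXED: lagg0 removed, both the host address and the jail alias on nfe0.
FIXED='nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.199 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.120 netmask 0xffffffff broadcast 192.168.0.120
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# jail_iface IFCONFIG_TEXT IP: print the interface that owns IP (empty if none).
# Interface header lines start in column 0 ("nfe0: flags=..."); address lines
# are indented, so the current interface is remembered from the last header.
jail_iface() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[a-z]/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" && $2 == ip { print iface; exit }'
}

# subnet_iface IFCONFIG_TEXT: print the first non-loopback interface holding an
# inet address whose netmask is not 0xffffffff, i.e. a real subnet rather than a
# /32 alias. In a single-NIC setup that is the interface the router is reached
# through (assumption of this example).
subnet_iface() {
    printf '%s\n' "$1" | awk '
        /^[a-z]/ { iface = $1; sub(/:$/, "", iface); loop = ($0 ~ /LOOPBACK/) }
        !loop && $1 == "inet" && $4 != "0xffffffff" { print iface; exit }'
}

# check_jail_alias IFCONFIG_TEXT JAIL_IP: print "ok", "missing", or
# "stranded:<alias iface>:<subnet iface>". Exit status 0 only for "ok".
check_jail_alias() {
    alias_if=$(jail_iface "$1" "$2")
    subnet_if=$(subnet_iface "$1")
    if [ -z "$alias_if" ]; then
        echo "missing"
        return 1
    fi
    if [ "$alias_if" = "$subnet_if" ]; then
        echo "ok"
        return 0
    fi
    echo "stranded:$alias_if:$subnet_if"
    return 1
}

# Stand-alone run against the constructed samples. On a live host use:
#   check_jail_alias "$(ifconfig)" 192.168.0.120
check_jail_alias "$BROKEN" 192.168.0.120 || true    # stranded:nfe0:lagg0
check_jail_alias "$FIXED"  192.168.0.120            # ok
```

A "stranded" result is the state this thread ended in before lagg0 was dropped: the rc.conf fix redshirt arrived at is to give the host address to nfe0 directly and keep the ifconfig_nfe0_alias0 line, so that both addresses end up on the same interface. The check is deliberately conservative; a host with several real NICs would need the subnet comparison done against the jail address's own network rather than against the first subnet found.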

#9, 6th May 2010
redshirt (New User; joined May 2010; 7 posts)
hmmm, still no edit

I would have edited the above, but there is still no edit function for me. Maybe not five days yet.

I think I will mark the thread as resolved since this seems to be an issue with how lagg was set up. My thinking at the moment is I really only want lagg set up if I want to fail over from one connection to another. No point with one Ethernet card.