Bug #7808

Specifying a NIC for a jail results in unexpected behavior

Added by Anthony Lobianco over 5 years ago. Updated about 4 years ago.

Status: Closed: Behaves correctly
Priority: Nice to have
Assignee: John Hixson
Category: Middleware
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

FreeNAS 9.3 introduced the ability to specify a NIC for jails on an individual basis (I chose em0), but traffic still seems to be routed through the main physical interface (igb0 in my case). I'm not a networking wiz but I imagine it has something to do with the fact that the jail's default gateway is still inherited from FreeNAS. The first screenshot shows my jail configuration and I've included some snippets of code below:

netstat (inside jail):

root@plexmediaserver_1:/ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      645   igb0
127.0.0.1          link#6             UH          0     6236    lo0
192.168.1.0/24     link#1             U           0        0    em0
192.168.1.21       link#1             UHS         0      290    lo0
192.168.2.0/24     link#3             U           0     4480   igb0
192.168.2.20       link#3             UHS         0      272    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#6                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%lo0/32                     ::1                           U           lo0

ifconfig (inside jail):

root@plexmediaserver_1:/ # ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
    ether 0c:c4:7a:06:32:eb
    inet 192.168.1.21 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    ether 0c:c4:7a:06:32:ea
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:2c:ce:a5:0d:00
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 11 priority 128 path cost 2000
    member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 10 priority 128 path cost 2000
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 8 priority 128 path cost 2000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 3 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:7a:29:00:08:0a
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair2a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:55:c0:00:0a:0a
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:68:fa:00:0b:0a
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
root@plexmediaserver_1:/ # 

The second screenshot is of a firewall entry that shows the jail traffic flowing down the wrong pipe (igb0 is connected to the AIRVPN_LAN switch - em0 is connected to a different switch).

Expected behavior: The jail's traffic should exit the machine on the NIC specified in the jail settings.

Attachments:

Screen Shot 2015-02-03 at 10.27.58 AM.png (177 KB): Jail settings. Anthony Lobianco, 02/03/2015 07:35 AM
Screen Shot 2015-02-03 at 10.34.12 AM.png (25 KB): Firewall log entry. Anthony Lobianco, 02/03/2015 07:46 AM

History

#1 Updated by Jordan Hubbard over 5 years ago

  • Category set to 38
  • Assignee set to John Hixson

#2 Updated by Anthony Lobianco over 5 years ago

Small clarification: igb0 has a default gateway of 192.168.2.1 set in Network -> Global Configuration.

Please let me know if any other information is needed - I'm happy to help.

#3 Updated by John Hixson over 5 years ago

  • Status changed from Unscreened to Screened
  • Target version set to Unspecified

#4 Updated by John Hixson over 5 years ago

  • Status changed from Screened to 15

Anthony Lobianco wrote:

Small clarification: igb0 has a default gateway of 192.168.2.1 set in Network -> Global Configuration.

Please let me know if any other information is needed - I'm happy to help.

From the host system, can you post the output of ifconfig -a and netstat -nr?

#5 Updated by Anthony Lobianco over 5 years ago

Sure thing:

ifconfig -a

 ❯ ifconfig -a
em0: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
    ether 0c:c4:7a:06:32:eb
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    ether 0c:c4:7a:06:32:ea
    inet 192.168.2.20 netmask 0xffffff00 broadcast 192.168.2.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
    nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
    inet 127.0.0.1 netmask 0xff000000 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:2c:ce:a5:0d:00
    nd6 options=1<PERFORMNUD>
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: epair4a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 12 priority 128 path cost 2000
    member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 11 priority 128 path cost 2000
    member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 10 priority 128 path cost 2000
    member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 9 priority 128 path cost 2000
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 8 priority 128 path cost 2000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 3 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:44:81:00:08:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:f1:c2:00:09:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair2a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:61:cc:00:0a:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:cb:27:00:0b:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair4a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:40:8b:00:0c:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active

netstat -nr

 ❯ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0  1437124   igb0
127.0.0.1          link#6             UH          0  1653929    lo0
192.168.2.0/24     link#3             U           0 84544031   igb0
192.168.2.20       link#3             UHS         0      378    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#6                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%lo0/32                     ::1                           U           lo0

#6 Updated by John Hixson over 5 years ago

I'm seeing inconsistencies with your first post. It looks like you've changed some of the configuration. Can you post the corresponding jail networking info as well? (as it is currently).

#7 Updated by Anthony Lobianco over 5 years ago

Sorry about that. Ignore my previous post. It slipped my mind that I changed the jail's NIC after filing the issue as a temporary workaround. Here is the correct networking info as it appears with the conditions in the OP:

HOST:

ifconfig -a

[22:23:13]lobianco@freenas:~
 ❯ ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
    ether 0c:c4:7a:06:32:eb
    inet 192.168.1.21 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    ether 0c:c4:7a:06:32:ea
    inet 192.168.2.20 netmask 0xffffff00 broadcast 192.168.2.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
    nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
    inet 127.0.0.1 netmask 0xff000000 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:2c:ce:a5:0d:00
    nd6 options=1<PERFORMNUD>
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 11 priority 128 path cost 2000
    member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 10 priority 128 path cost 2000
    member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 9 priority 128 path cost 2000
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 8 priority 128 path cost 2000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 3 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:66:e0:00:08:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:3a:da:00:09:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair2a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:c6:da:00:0a:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:a1:48:00:0b:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active

netstat -nr

[22:23:36]lobianco@freenas:~
 ❯ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      128   igb0
127.0.0.1          link#6             UH          0     1946    lo0
192.168.1.0/24     link#1             U           0       22    em0
192.168.1.21       link#1             UHS         0      201    lo0
192.168.2.0/24     link#3             U           0   127722   igb0
192.168.2.20       link#3             UHS         0       63    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#6                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%lo0/32                     ::1                           U           lo0

JAIL:

ifconfig -a

[22:24:57]root@plexmediaserver:/
 ❯ ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
    ether 0c:c4:7a:06:32:eb
    inet 192.168.1.21 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    ether 0c:c4:7a:06:32:ea
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:2c:ce:a5:0d:00
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 11 priority 128 path cost 2000
    member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 10 priority 128 path cost 2000
    member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 9 priority 128 path cost 2000
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 8 priority 128 path cost 2000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 3 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:66:e0:00:08:0a
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:3a:da:00:09:0a
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair2a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:c6:da:00:0a:0a
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:a1:48:00:0b:0a
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active

netstat -nr

[22:25:23]root@plexmediaserver:/
 ❯ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      162   igb0
127.0.0.1          link#6             UH          0     5035    lo0
192.168.1.0/24     link#1             U           0       25    em0
192.168.1.21       link#1             UHS         0      239    lo0
192.168.2.0/24     link#3             U           0   369878   igb0
192.168.2.20       link#3             UHS         0       63    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#6                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%lo0/32                     ::1                           U           lo0

#8 Updated by Jordan Hubbard over 5 years ago

  • Status changed from 15 to Screened

#9 Updated by John Hixson over 5 years ago

  • Status changed from Screened to 15

Do you have NAT enabled?

#10 Updated by Anthony Lobianco over 5 years ago

No, I don't (IIRC it's disabled when VIMAGE is unchecked).

#11 Updated by John Hixson over 5 years ago

  • Status changed from 15 to Investigation

Anthony Lobianco wrote:

No, I don't (IIRC it's disabled when VIMAGE is unchecked).

Okay. I'll set up a test scenario here and see what I can find.

#12 Updated by Anthony Lobianco over 5 years ago

Great! Please let me know if I can be of any help.

#13 Updated by John Hixson over 5 years ago

Anthony Lobianco wrote:

Great! Please let me know if I can be of any help.

I'm still on this. I'm setting up a system now to try and reproduce the issue.

#14 Updated by John Hixson over 5 years ago

  • Status changed from Investigation to Closed: Behaves correctly

I see what is happening here. It should have been obvious. igb0 is your primary interface and is set up as the outgoing interface for your default route. em0 has your jail IP aliased on it. If you are pinging anything not reachable on that network, the default route is the next hop and where packets will go. Nothing weird here, just standard networking.

#15 Updated by Anthony Lobianco over 5 years ago

Thanks for investigating John, but I'm not sure I understand. I can't comment from a technical perspective because I'm only barely competent in the field of networking, but from a user perspective, is the option to specify a NIC not meant to consider outgoing/external connections? What's the point of selecting a non-default NIC if packets are still going to route through the primary interface? Or maybe a better question is, do I have the ability in 9.3 to solve the problem in the OP?

In 9.2.x, I was able to achieve results by following the suggestion in this post: https://forums.freenas.org/index.php?threads/reserve-a-nic-for-jails.16649/#post-86769 . Was that considered broken networking? (In any case, it doesn't seem to work anymore in 9.3 - not sure why.)

#16 Updated by John Hixson over 5 years ago

Anthony Lobianco wrote:

Thanks for investigating John, but I'm not sure I understand. I can't comment from a technical perspective because I'm only barely competent in the field of networking, but from a user perspective, is the option to specify a NIC not meant to consider outgoing/external connections? What's the point of selecting a non-default NIC if packets are still going to route through the primary interface? Or maybe a better question is, do I have the ability in 9.3 to solve the problem in the OP?

In 9.2.x, I was able to achieve results by following the suggestion in this post: https://forums.freenas.org/index.php?threads/reserve-a-nic-for-jails.16649/#post-86769 . Was that considered broken networking? (In any case, it doesn't seem to work anymore in 9.3 - not sure why.)

Hi Anthony,

That thread mentions creating an "iface" file in the jail meta directory. That is exactly what is already being done when you specify an interface in the UI. The purpose of being able to specify an interface is so that the jail is bound to that interface. I'm not clear on what you are asking here, though. If you are pinging 8.8.8.8 on that network, where do you expect those packets to go? The interface is connected directly to the box, there is a default gateway specified, so that's where they will go if not reachable directly.
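
The route lookup described in #14 and #16, as an added example that is not part of the original thread: it parses the IPv4 part of the jail's routing table from update #7 (embedded as sample input) and applies longest-prefix matching on the destination to show which interface each packet leaves on. The function names are illustrative.

```python
import ipaddress

# Sample input: IPv4 section of the jail's `netstat -nr` output from update #7.
JAIL_ROUTES = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      162   igb0
127.0.0.1          link#6             UH          0     5035    lo0
192.168.1.0/24     link#1             U           0       25    em0
192.168.1.21       link#1             UHS         0      239    lo0
192.168.2.0/24     link#3             U           0   369878   igb0
192.168.2.20       link#3             UHS         0       63    lo0
"""


def parse_routes(text):
    """Parse the IPv4 rows of FreeBSD `netstat -nr` output into route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue  # skip the header and anything that is not a route row
        dest, gateway, flags, netif = fields[0], fields[1], fields[2], fields[5]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare address (host route) becomes a /32 network.
            net = ipaddress.ip_network(dest, strict=False)
        routes.append({"net": net, "gateway": gateway,
                       "flags": flags, "netif": netif})
    return routes


def lookup(routes, dst):
    """Return the most specific route covering dst, or None if nothing matches.

    The match is on the destination only; the jail's source address
    (192.168.1.21 on em0) plays no part in choosing the route.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["net"].prefixlen)


def off_nic_destinations(routes, expected_nic, destinations):
    """List (dst, netif, gateway) for destinations not leaving via expected_nic."""
    result = []
    for dst in destinations:
        route = lookup(routes, dst)
        if route is None:
            result.append((dst, None, None))
        elif route["netif"] != expected_nic:
            result.append((dst, route["netif"], route["gateway"]))
    return result


if __name__ == "__main__":
    table = parse_routes(JAIL_ROUTES)
    # em0 is the NIC selected in the jail settings; 8.8.8.8 is the address
    # used as the example in update #16.
    for dst in ("192.168.1.1", "8.8.8.8", "192.168.2.1"):
        r = lookup(table, dst)
        print(f"{dst:<12} -> {r['netif']:<5} via {r['gateway']}")
    print("not on em0:", off_nic_destinations(
        table, "em0", ["192.168.1.1", "8.8.8.8", "192.168.2.1"]))
```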

#17 Updated by Anthony Lobianco over 5 years ago

John Hixson wrote:

I'm not clear on what you are asking here, though. If you are pinging 8.8.8.8 on that network, where do you expect those packets to go? The interface is connected directly to the box, there is a default gateway specified, so that's where they will go if not reachable directly.

Ideally I would have them go to a different gateway (192.168.1.1 rather than the primary interface's 192.168.2.1) but I'm not sure how this can be achieved in FreeNAS (or maybe networking) terms. Is it possible for a jail to have its own default gateway? If not, and it's restricted to inheriting the default gateway from the host machine, is it possible to give the secondary NIC its own default gateway?

(I hope these questions are not escaping the scope of this bug report. I appreciate all your input!)

#18 Updated by Anthony Lobianco over 5 years ago

John, any word on the comment above?

#19 Updated by Kris Moore about 4 years ago

  • Target version changed from Unspecified to N/A
