Hi,
I would like to separate a few Jails accessible from the internet, but I am stuck with routing in the DMZ jails.
My FreeNAS (FreeNAS-11.1-RELEASE) is running on an HP Microserver Gen8, so there are two physical NICs (bge0, bge1), in my case configured in LACP as lagg0. For FreeNAS and regular Jails I created interface vlan11 and configured IP address 192.168.11.20 (network 192.168.11.0/24, GW 192.168.11.254). For DMZ Jails I created interface vlan14. There is no IP address configured for FreeNAS on it. All the routing is provided by an ipfire firewall connected with a trunk port to an L2 switch (vlan11 192.168.11.254, vlan14 192.168.14.254). The FreeNAS switch connection is also a trunk port – tagged vlan11, vlan14.
Here is the output of ifconfig and netstat -rn:
Code:
root@freenas:~ # ifconfig
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:fd:45:fd:72:34
        hwaddr 00:fd:45:fd:72:34
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:fd:45:fd:72:34
        hwaddr 00:fd:45:fd:72:35
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:fd:45:fd:72:34
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect
        status: active
        groups: lagg
        laggproto lacp lagghash l2,l3,l4
        laggport: bge0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: bge1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
vlan11: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80001<RXCSUM,LINKSTATE>
        ether 00:fd:45:fd:72:34
        inet 192.168.11.20 netmask 0xffffff00 broadcast 192.168.11.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect
        status: active
        vlan: 11 vlanpcp: 0 parent interface: lagg0
        groups: vlan
vlan14: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80103<RXCSUM,TXCSUM,TSO4,LINKSTATE>
        ether 00:fd:45:fd:72:34
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect
        status: active
        vlan: 14 vlanpcp: 0 parent interface: lagg0
        groups: vlan
root@freenas:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.11.254     UGS       vlan11
127.0.0.1          link#3             UH          lo0
192.168.11.0/24    link#5             U         vlan11
192.168.11.20      link#5             UHS         lo0
I created a standard Jail named DMZ_jail_1 with this configuration – IPv4 address: 192.168.14.21, IPv4 netmask: 24, IPv4 default gateway: 192.168.14.254, VIMAGE off, and assigned to NIC: vlan14. I can ping IP addresses in the same network, but the GW is missing – configured but not propagated.
Code:
root@DMZ_jail_1:/ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
192.168.14.21      link#6             UHS         lo0
root@DMZ_jail_1:/ #
I tried to find out how to do routing in FreeBSD/FreeNAS for Jails in different subnets. I found interesting information here:
https://forums.freenas.org/index.php?threads/freenas-jails-in-different-multiple-subnets.41539/
https://forums.freenas.org/index.php?threads/how-to-set-separate-vlan-for-jail.54019/
I think for me there is a way to create a second routing table for the DMZ network and assign it to the DMZ Jails.
For that I configured a few variables in System – Tunables in the GUI.
I checked how it was applied to the main system:
Code:
root@freenas:~ # sysctl net.fibs
net.fibs: 4
root@freenas:~ # sysctl net.add_addr_allfibs
net.add_addr_allfibs: 0
root@freenas:~ # setfib 1 netstat -rn
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.14.254     UGS       vlan14
127.0.0.1          lo0                UHS         lo0
192.168.14.0/24    00:fd:45:fd:72:34  US        vlan14
root@freenas:~ #
root@freenas:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.11.254     UGS       vlan11
127.0.0.1          link#3             UH          lo0
192.168.11.0/24    link#5             U         vlan11
192.168.11.20      link#5             UHS         lo0
192.168.14.0/24    link#6             U         vlan14
192.168.14.21      link#6             UHS         lo0
192.168.14.22      link#6             UHS         lo0
When I connect to the jail from the main system with the command “setfib 1 jexec 8 /bin/tcsh”:
Code:
root@freenas:~ # setfib 1 jexec 8 /bin/tcsh
root@DMZ_jail_1:/ #
root@DMZ_jail_1:/ #
root@DMZ_jail_1:/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=12.962 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=7.301 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.301/10.131/12.962/2.831 ms
root@DMZ_jail_1:/ #
I need to find out how to assign routing table fib 1 to DMZ_jail_1.
Thx Mirek
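An added example, not from the post and not FreeNAS or iocage code: a small check over a routing table as printed by `setfib N netstat -rn`, verifying the two properties a DMZ FIB should have before a jail is put on it: the default route goes via the DMZ firewall, and there is no route into the internal LAN, so a jail on that FIB cannot reach 192.168.11.0/24 through the host's routes. The three sample tables are reconstructed from the post's own output; the function names are my own.

```shell
# Added example, not part of the original post. Checks a routing table as
# printed by `setfib N netstat -rn` for two DMZ properties: the default route
# goes via the DMZ firewall, and no route into the internal LAN is present.
# fib_default_gw TABLE -> prints the gateway of the default route (if any)
fib_default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# fib_has_route TABLE PREFIX -> exit 0 if PREFIX appears as a destination
fib_has_route() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# dmz_fib_ok TABLE DMZ_GW LAN_PREFIX -> prints "ok" or the reason it is not
dmz_fib_ok() {
    gw=$(fib_default_gw "$1")
    if [ -z "$gw" ]; then
        echo "no default route (jail cannot reach the internet)"
    elif [ "$gw" != "$2" ]; then
        echo "default route goes via $gw, not the DMZ firewall $2"
    elif fib_has_route "$1" "$3"; then
        echo "route to internal LAN $3 present in DMZ fib"
    else
        echo "ok"
    fi
}

# Constructed sample: fib 1 from the post, re-broken into lines.
FIB1_TABLE='Routing tables (fib: 1)
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.14.254     UGS       vlan14
127.0.0.1          lo0                UHS         lo0
192.168.14.0/24    00:fd:45:fd:72:34  US        vlan14'

# Constructed sample: the host main table, where the jail first ran.
MAIN_TABLE='Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.11.254     UGS       vlan11
192.168.11.0/24    link#5             U         vlan11
192.168.14.0/24    link#6             U         vlan14'

# Constructed sample: what the jail itself showed (no default route at all).
JAIL_TABLE='Destination        Gateway            Flags     Netif Expire
192.168.14.21      link#6             UHS         lo0'
for t in "$FIB1_TABLE" "$MAIN_TABLE" "$JAIL_TABLE"; do
    dmz_fib_ok "$t" 192.168.14.254 192.168.11.0/24
done
```

On the host the live input would be `"$(setfib 1 netstat -rn)"` instead of a constructed string. For attaching a FIB to a jail permanently, jail(8) has an exec.fib parameter; whether the FreeNAS 11.1 GUI exposes it is not covered by the post.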