Jail Vimage Multiple Network Configuration

Status
Not open for further replies.

krys allen

Dabbler
Joined
Jun 8, 2016
Messages
10
Dears,
It's difficulty, is the easiness :)
First create the jail with VIMAGE & unchecked NAT & vanilla...
With the FreeNAS terminal, go to the JAILS directory, for me /mnt/strg/jails/
For each jail you create there is a .jail.meta folder (e.g. for jail name Vbox43 there is a .Vbox43.meta); the .Vbox43.meta is the configuration folder for this jail.
cd to this folder, then edit & add to the bottom of the files as follows:
jail-pre-start
Code:
#added by mic
ifconfig bridge172 create ## set bridgeN as you need
ifconfig bridge172 up
ifconfig epair172 create ## set epairN as you need
ifconfig bridge172 addm epair172a addm em1 ## Change em1 to your NIC name from ifconfig
ifconfig epair172a up


jail-post-start
Code:
#added by mic
ifconfig epair172b vnet "${JAILNAME}"
#jexec "${JAILNAME}" ifconfig epair172b up
jexec "${JAILNAME}" ifconfig epair172b inet 192.168.10.11 netmask 255.255.255.0 up #set ifconfig as your needs & don't forget to add UP :) 


jail-pre-stop
Code:
#added by mic
ifconfig bridge172 destroy
ifconfig epair172a destroy


Also, the files are attached ;) Simple?

Michaeleino,
You seem to have some expertise on this subject so I wonder if you could help me out. I am wanting to ditch my ESXi host and move its VMs into a VirtualBox jail. One of those VMs is my router/DHCP server that has one NIC connected to my ISP (DHCP from ISP) and the other to my internal LAN (DHCP for LAN). Would your solution work for my needs? Would I be able to pass the external interface to my VirtualBox server?



Thanks in advance!
 

michaeleino

Dabbler
Joined
Jan 17, 2014
Messages
24
Hey, thanks for this interesting thread. I'd also like to configure a jail in my FreeNAS installation to have two logical interfaces. You guys seem to have done it with the config-snippets given above. My question to you: Has anybody done this by using VLAN-interfaces as the source-interface which is to be connected to the jail?

In my installation, I use a lagg0-interface with two physical interfaces. One logical network is untagged (it's the network the main FreeNAS is on), the other is tagged. I added the VLAN-id via the GUI, and for tests I configured an IP in the range of the VLAN (also via the GUI). This works perfectly, and I can connect to other systems in the VLAN back and forth by using the new IP. So the basic connectivity, dot1q-tagging etc. from FreeNAS works fine.

The next logical step is to connect this working VLAN (tag=50) to the jail.
Code:
# jail-pre-start
ifconfig bridge50 create ## set bridgeN as you need
ifconfig bridge50 up
ifconfig epair50 create ## set epairN as you need
ifconfig bridge50 addm epair50a addm vlan50 ## the member here is the VLAN interface instead of the physical NIC
ifconfig epair50a up

# jail-post-start
ifconfig epair50b vnet "${JAILNAME}"
#jexec "${JAILNAME}" ifconfig epair50b up
jexec "${JAILNAME}" ifconfig epair50b inet 192.168.50.11 netmask 255.255.255.0 up


In the host I see now these interfaces (selection):
Code:
vlan50: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=303<RXCSUM,TXCSUM,TSO4,TSO6>
        ether d0:50:99:2d:fc:aa
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect
        status: active
        vlan: 50 parent interface: lagg0

bridge50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:ac:b5:e2:f4:32
        nd6 options=1<PERFORMNUD>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vlan50 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 55
        member: epair50a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000

epair50a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:20:00:09:0a
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active


In the jail, I see these interfaces:
Code:
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:70:00:0c:0b
        inet 172.22.2.32 netmask 0xffffff00 broadcast 172.22.2.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
epair50b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:70:00:0a:0b
        inet 192.168.50.11 netmask 0xffffff00 broadcast 192.168.50.255
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active


The upper interface epair1b is the one configured via the FreeNAS-GUI, and connects to lagg0 directly (untagged). epair50b is configured by the config-snippets above, and connects to vlan50 (which physically also uses lagg0, tagged). For a reason I don't understand, the upper interface works, while the lower does not. When I ping from the jail, I don't even see tagged ARP-packets going out lagg0. If I do it from the host (FreeNAS), I see the packets, and everything works. So it is the stitching between the vlan-interface and jail via the bridge, which doesn't work. Any ideas?

Thanks,
airflow


Dear @airflow,
sorry for being late for you...
I think your config is clearly logical :)
review this article it should work...
http://shawndebnath.com/articles/2016/03/27/freebsd-jails-with-vlan-howto.html

the traffic flows through the bridge to the vlan interface on the host, all packets are automatically tagged with your VLAN ID. There is no need for additional VLAN configuration within the jail.

let me know you did it or not yet...
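
Added example, not part of any post in this thread: in the host output quoted above, the flag list of vlan50 does not include UP while bridge50 and epair50a do, and a FreeBSD bridge only forwards frames when the bridge and all of its member interfaces are up. The function below reads `ifconfig` output and lists the bridge and any of its members that lack UP; the name `down_members` and the abridged sample are this example's own.

```shell
#!/bin/sh
# Added example: audit bridge members in saved `ifconfig` output.
# SAMPLE is abridged from the host output quoted in the thread.
SAMPLE='vlan50: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 50 parent interface: lagg0
bridge50: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vlan50 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: epair50a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair50a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: active'

# down_members BRIDGE: read ifconfig text on stdin and print, one per line,
# the bridge itself and every member of BRIDGE whose flag list lacks UP.
# A member that has no block of its own in the input is reported as well.
down_members() {
    awk -v br="$1" '
        # Interface header line: "name: flags=NNNN<FLAG,FLAG,...> ..."
        /^[^ \t][^ \t]*: flags=/ {
            cur = $1; sub(/:$/, "", cur)
            flags = $2; sub(/^[^<]*</, "", flags); sub(/>.*/, "", flags)
            up[cur] = (("," flags ",") ~ /,UP,/) ? 1 : 0
            seen[cur] = 1
            next
        }
        # Member lines belong to the interface block currently being read.
        cur == br && $1 == "member:" { members[++n] = $2 }
        END {
            if (!seen[br]) { print "missing:" br; exit 2 }
            if (!up[br]) print br
            for (i = 1; i <= n; i++)
                if (!up[members[i]]) print members[i]
        }'
}

# On the FreeNAS host:  ifconfig | down_members bridge50
audit_sample() { printf '%s\n' "$SAMPLE" | down_members bridge50; }
```

Run `audit_sample` to check the constructed sample; an empty result means the bridge and all listed members carry the UP flag.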
 

michaeleino

Dabbler
Joined
Jan 17, 2014
Messages
24
Michaeleino,
You seem to have some expertise on this subject so I wonder if you could help me out. I am wanting to ditch my ESXi host and move its VMs into a VirtualBox jail. One of those VMs is my router/DHCP server that has one NIC connected to my ISP (DHCP from ISP) and the other to my internal LAN (DHCP for LAN). Would your solution work for my needs? Would I be able to pass the external interface to my VirtualBox server?



Thanks in advance!
@krys allen
Yes this solution will bridge the interfaces to the jail... you can do what you stated :)
 

oracle_sod

Dabbler
Joined
Mar 6, 2012
Messages
10
Hey guys,

sorry to dig this up, but I'm running freenas 9.10 and not ready to upgrade yet to the newer versions...

Following the above example, I have created some VLAN interfaces and configured some tagged VLANs to the physical interface of my FreeNAS box. I have updated the jail scripts to contain all the settings above except the line with:
Code:
jexec "${JAILNAME}" ifconfig epair10b inet ???.???.???.??? netmask ???.???.???.??? up


I have a vm running with the epair10b interface attached

When I set an IP on the jail interface that's in the correct subnet, the VM comes online and works as expected. However, I don't wish to have an IP set on this interface; is there a way around this?

Most virtual machine setups I have worked with don't require an IP set on the VM host's interfaces. Why is this needed in the FreeBSD jail? Is this a limitation of VirtualBox or FreeBSD/FreeNAS? Or is it something that can be changed with a config update somewhere?
 