Jail VNET change physical interface

[seb101]

Hi all,

Going crazy here trying to figure something out.

I have two network adapters (igb0 and igb1) attached to different physical networks, igb0 on 192.168.1.0/24 and igb1 on 10.0.0.0/24.

I've just created a Jail, configured with VNET, BPF and DHCP.

Whenever I start the jail it *always* gets a DHCP address in the 10.0.0.0/24 range, meaning it is communicating over the igb1 interface. I need it on the other network!

How can I change which physical adapter the VNET adaptor binds to?

Thanks!

 

[KevDog]

Is your jail a member of a bridge?

ifconfig on the host Freenas installation may help.

 

[seb101]

So seemingly FreeNAS created a hidden bridge for me (hidden as in it does not show up in the network GUI). This was causing havoc on my network as it has bridged two different (firewalled) networks. I had to use the command line to detach the incorrect adaptor from the bridge.

Not sure what action triggered the creation of this bridge?

 

[Patrick M. Hausen]

The fact that you created a VNET jail and did not explicitly have a bridge defined, yet. For iocage VNET jails bridged networking is mandatory. So I'd recommend

• explicitly configure a bridge interface with the desired hardware IF as the only member
• assign that bridge to your jail

HTH,
Patrick

 

[seb101]

I see, thanks.
Automatically silently bridging multiple network adaptors is a fairly nuclear response to not having a bridge pre-defined when creating a VNET jail.
Perhaps the GUI should be updated to request the desired adaptor for the new bridge, or even not allow VNET creation if there is no bridge pre-defined. Worst case it could auto-create a bridge but only with the lowest indexed network adaptor. Bridging separate network connections without user confirmation is a big security risk.

 

[Patrick M. Hausen]

Of course bridging multiple physical interfaces can be a nuclear attack on a network. I'm a bit suprised by that, I was (!) sure that FreeNAS would do precisely that: pick the first interface, igb0 in your case.

If you can do that without bringing down your network, could you please

• repeat the steps that lead to the undesireable bridge configuration
• copy and post the output of ifconfig -a
• copy and post the output of iocage get all <your-jail-name>

All from a root shell?

That would be great. Thanks!
Patrick

 

[BeepDog]

I ran into this problem, the ghost bridge that I didn't know existed.

I had moved my interface from a single NIC to a LACP bond, and then my jails wouldn't come back up.
I know I'm not the original poster of the problem, but since I had the same problem, I actually fixed one jail, and left the other one, that got the iocage output here. I have a "ghost" bridge0 that is still attached to the `ix0` interface that is no longer in use. It's physically disconnected.

I had to update the jail network params to use `vnet0:bridge1` since I had a new bridge created, possibly when I updated the NIC settings of my VMs running on the NAS.

Hope this helps someone else!