philiplu (Explorer, joined Aug 10, 2014, 58 messages)
I'm setting up my first FreeNAS box, with version 9.2.1.7. This is on a SM X10SL7-F, with only one of the two NICs plugged in (plus the IPMI NIC). I'm now playing around with jails, and ran into a problem. I've set up a default portjail, with VIMAGE unchecked so there's a shared network stack. The NAS is on 192.168.1.10, and the jail is assigned 192.168.1.200. DHCP is via an Asus RT-AC66U router, with the DHCP range set to 192.168.1.20 to 192.168.1.199, so there's no conflict there.
The problem is that I'm no longer able to reliably browse or SSH to the NAS by name. If I "ping marvin" (the NAS) from a Win 7 cmdline, I sometimes see 192.168.1.200, and sometimes 192.168.1.10. If the jail is running, then browsing shares still works by name even if the netbios name MARVIN is set to .200 instead of .10. But if I stop the jail, browsing to \\marvin (or attempting to open a file via \\marvin\share\somefile) hangs and fails while MARVIN is still cached on the Windows machine and apparently on the NAS as well. If I clear the cache under Windows with "nbtstat -R" and recycle the CIFS service via the FreeNAS GUI, then a ping to marvin finally gets the .10 address I'm expecting.
Also, if the jail is up and MARVIN is at .200, then an SSH to marvin (via putty on Win 7) ends up in the jail and not the main OS. That's what actually first alerted me that something was wrong - putty was complaining about the fingerprint not matching the cached value on startup, which made me think I'd broken the sshd_config somehow. But no, turning on putty logging showed that I was connecting to the .200 address, not the expected .10 (at least, after the jail had sshd running).
I'm running a simple workgroup network here - no AD, no WINS, no local DNS, so name resolution is all by netbios broadcast queries. Here are some dumps to show my configuration. First, smb4.conf's [global] section - I've added "preferred master = yes" and "os level = 255" in the CIFS Auxiliary parameters through the GUI, just to make sure FreeNAS is the local browser master:
Code:
[global]
server max protocol = SMB2
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 11070
syslog only = yes
syslog = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = Yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
server string = Main FreeNAS Server
ea support = yes
store dos attributes = yes
time server = yes
acl allow execute always = false
local master = yes
idmap config *:backend = tdb
idmap config *:range = 90000000-100000000
server role = standalone
netbios name = MARVIN
workgroup = LUCIDOHOME
security = user
pid directory = /var/run/samba
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
create mask = 0644
directory mask = 0755
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 2
preferred master = yes
os level = 255
Here's "netstat -rn":
Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      783   igb0
127.0.0.1          link#6             UH          0  6640162    lo0
192.168.1.0/24     link#2             U           0 20878440   igb0
192.168.1.10       link#2             UHS         0       96    lo0
192.168.1.200      link#2             UHS         0        0    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#6                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%lo0/32                     ::1                           U           lo0
Here's ifconfig:
Code:
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
	ether 0c:c4:7a:30:06:82
	inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
	ether 0c:c4:7a:30:06:83
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect
	status: no carrier
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
	nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Finally, here's nmblookup run on marvin, showing the netbios name resolution returning the jail's IP:
Code:
Marvin# nmblookup -d=3 marvin
lp_load_ex: refreshing parameters
Initialising global parameters
max_open_files: increasing sysctl_max (11095) to minimum Windows limit (16384)
rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/etc/smb4.conf"
Processing section "[global]"
added interface igb0 ip=192.168.1.10 bcast=192.168.1.255 netmask=255.255.255.0
added interface igb0 ip=192.168.1.200 bcast=192.168.1.255 netmask=255.255.255.0
Socket opened.
name_resolve_bcast: Attempting broadcast lookup for name marvin<0x0>
Got a positive name query response from 192.168.1.10 ( 192.168.1.200 )
192.168.1.200 marvin<00>
There are probably a bunch of ways to work around this: /etc/hosts, /etc/local/lmhosts, set up a WINS server, set up a local DNS server on my router, using a jail with VIMAGE so it's got an independent network stack, .... But I'm trying to understand why this default configuration is hitting this. Seems unexpected.
I noticed that the man pages for ifconfig (here) mention under the "alias" parameter that if an alias address is on the same subnet as the 1st address, a non-conflicting netmask must be given. That's not what I've got set here, but when I configure the jail with a /32 netmask instead of /24, I still see the same unexpected behavior.
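A check for the symptom visible in the nmblookup output above, as an added example that is not part of the original post: it parses `nmblookup -d=3` debug lines and flags any address handed back for the name other than the one expected. The function name `analyse` and the `expected_ip` parameter are illustrative choices; the sample text is the relevant part of the post's own output.

```python
import re

# Lines copied from the nmblookup run in the post above.
SAMPLE = """\
added interface igb0 ip=192.168.1.10 bcast=192.168.1.255 netmask=255.255.255.0
added interface igb0 ip=192.168.1.200 bcast=192.168.1.255 netmask=255.255.255.0
Socket opened.
name_resolve_bcast: Attempting broadcast lookup for name marvin<0x0>
Got a positive name query response from 192.168.1.10 ( 192.168.1.200 )
192.168.1.200 marvin<00>
"""

IFACE = re.compile(r"^added interface (\S+) ip=(\S+) bcast=\S+ netmask=\S+")
REPLY = re.compile(r"^Got a positive name query response from (\S+) \(([^)]*)\)")
FINAL = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) (\S+)<([0-9a-fA-F]{2})>$")


def analyse(text, expected_ip):
    """Summarise an nmblookup -d=3 run against the address the name should have."""
    local, replies, resolved = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := IFACE.match(line):
            local.append(m.group(2))          # addresses Samba found locally
        elif m := REPLY.match(line):
            replies.append((m.group(1), m.group(2).split()))
        elif m := FINAL.match(line):
            resolved.append(m.group(1))       # what the caller ends up using
    advertised = {ip for _, ips in replies for ip in ips}
    return {
        "local_addresses": local,
        "responders": [src for src, _ in replies],
        "resolved": resolved,
        # Addresses given out for the name that clients should not be using.
        "unexpected": sorted((advertised | set(resolved)) - {expected_ip}),
        # Replies sent from one address that name a different one.
        "mismatched_replies": [(s, ips) for s, ips in replies if s not in ips],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, expected_ip="192.168.1.10").items():
        print(f"{key}: {value}")
```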