SOLVED Lagg0, and dedicated vlan for jails

andfrid

Dabbler
Joined
Apr 18, 2018
Messages
25
Hi all,

I've been looking for 3 days without an answer and I'm starting to get lost and nothing works.
My installation:
There are 3 VLANs coming into FreeNAS (11.2): 101, 102, 103, configured on parent link lagg0.

I have created 3 addresses for these interfaces: 10.1.0.1, 10.2.0.1, and 10.3.0.1.
101: it is the management vlan, the GUI is bound on it (10.0.0.0.1 and gw 10.0.0.0.254/24)
102: it is the data vlan, smb is bound on it (10.2.0.1) and the default freenas gateway is 10.2.0.254

I would like to have a dedicated vlan for my DMZ: 10.3.0.0/24

When I create a "test" jail with the following options, it doesn't have a network address. I can't understand it.

ifconfig on the FreeNAS host when the jail is running:

root@jokul:~ # ifconfig
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
	options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether d0:50:99:c2:a8:26
	hwaddr d0:50:99:c2:a8:25
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
	options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether d0:50:99:c2:a8:26
	hwaddr d0:50:99:c2:a8:26
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
	options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether d0:50:99:c2:a8:26
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect
	status: active
	groups: lagg
	laggproto lacp lagghash l2,l3,l4
	laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
	laggport: igb1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
vlan101: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
	options=600303<RXCSUM,TXCSUM,TSO4,TSO6,RXCSUM_IPV6,TXCSUM_IPV6>
	ether d0:50:99:c2:a8:26
	inet 10.1.0.3 netmask 0xffffff00 broadcast 10.1.0.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect
	status: active
	vlan: 101 vlanpcp: 7 parent interface: lagg0
	groups: vlan
vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
	options=600303<RXCSUM,TXCSUM,TSO4,TSO6,RXCSUM_IPV6,TXCSUM_IPV6>
	ether d0:50:99:c2:a8:26
	inet 10.2.0.1 netmask 0xffffff00 broadcast 10.2.0.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect
	status: active
	vlan: 102 vlanpcp: 0 parent interface: lagg0
	groups: vlan
vlan103: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
	options=600303<RXCSUM,TXCSUM,TSO4,TSO6,RXCSUM_IPV6,TXCSUM_IPV6>
	ether d0:50:99:c2:a8:26
	inet 10.3.0.1 netmask 0xffffff00 broadcast 10.3.0.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect
	status: active
	vlan: 103 vlanpcp: 0 parent interface: lagg0
	groups: vlan
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:f8:f1:90:ef:00
	nd6 options=1<PERFORMNUD>
	groups: bridge
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0


The only time my jail works is by selecting DHCP and the jail gets a default gateway network address of 10.2.0.10.


How do I get my jail to have an address in VLAN 103, 10.3.0.0/24?
 
Joined
Mar 6, 2014
Messages
686

andfrid

Hi,
Thank you so much Rilo Ravestein, it seems to work pretty well.
But can you explain the logic to me?

Can you correct me if I'm wrong?
One bridge binds to one VLAN and one VNET binds to one jail. Then, can you tell me why I have to set vnet0:bridge0 for the other jails in the same LAN and not vnet1:bridge0?
 

andfrid

update :
I rebooted my NAS and set autostart on 2 jails which are in the same VLAN; both are set to Vnet0:Bridge0 and their interfaces are Vnet0.
When I manually start a jail, it works.
 
Joined
Mar 6, 2014
Messages
686
> One bridge binds to one VLAN and one VNET binds to one jail. Then, can you tell me why I have to set vnet0:bridge0 for the other jails in the same LAN and not vnet1:bridge0?

It creates a VNET0.# per jail in the specified bridge. You can check this with ifconfig -a (in FreeNAS's shell, not the jail's).
So you get VNET0.1 for jail 1, VNET0.2 for jail 2 (could also be VNET0.6 and VNET0.5 or whatever numbers).
 

andfrid

It still doesn't work when I want to force the interface of my jail.
I tried VNET0.1:bridge0, VNET0:1:bridge0, VNET1:bridge0 and VNET0,1:bridge0.
Only vnet0:bridge0 works.
 
Joined
Mar 6, 2014
Messages
686
> It still doesn't work when I want to force the interface of my jail.
> I tried VNET0.1:bridge0, VNET0:1:bridge0, VNET1:bridge0 and VNET0,1:bridge0.
> Only vnet0:bridge0 works.

That is correct. You specify VNET0:bridge0 and it will automatically create a VNET0.# for the jail in bridge0. You can check and see that for yourself with ifconfig -a.
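
The `ifconfig -a` check suggested in this thread can be scripted; the following is an added example, not code from any poster or from FreeNAS. It parses host `ifconfig` output and reports when the jail bridge lacks the intended VLAN member or also bridges another VLAN, which matters when the bridge is meant to confine jails to the DMZ VLAN. The sample text and the names `parse_ifconfig` and `check_jail_bridge` are constructed for illustration.

```python
import re

# Constructed sample of `ifconfig -a` on the FreeNAS host (trimmed).
# Interface names follow the thread; the member lines are assumed.
SAMPLE = """\
vlan102: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
\tvlan: 102 vlanpcp: 0 parent interface: lagg0
vlan103: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
\tvlan: 103 vlanpcp: 0 parent interface: lagg0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
\tmember: vnet0.1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: vnet0.2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: vlan103 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

def parse_ifconfig(text):
    """Map interface name -> {'vlan': tag or None, 'members': [names]}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"(\S+): flags=", line)  # stanza header, column 0
        if head:
            cur = ifaces.setdefault(head.group(1), {"vlan": None, "members": []})
            continue
        if cur is None:
            continue
        tag = re.match(r"\s+vlan: (\d+)\b", line)
        member = re.match(r"\s+member: (\S+)", line)
        if tag:
            cur["vlan"] = int(tag.group(1))
        elif member:
            cur["members"].append(member.group(1))
    return ifaces

def check_jail_bridge(text, bridge, tag):
    """Return a list of problems with `bridge` as the jail bridge for VLAN `tag`."""
    ifaces = parse_ifconfig(text)
    if bridge not in ifaces:
        return [f"{bridge} does not exist"]
    members = ifaces[bridge]["members"]
    # VLAN tag of every bridge member that is itself a vlan interface.
    tags = {m: ifaces[m]["vlan"] for m in members
            if m in ifaces and ifaces[m]["vlan"] is not None}
    problems = []
    if tag not in tags.values():
        problems.append(f"{bridge} has no member on VLAN {tag}")
    problems += [f"{bridge} also bridges {m} (VLAN {t})"
                 for m, t in tags.items() if t != tag]
    if not any(m.startswith("vnet") for m in members):
        problems.append(f"no vnet interface is a member of {bridge}")
    return problems
```

On the host, pass the captured output of `ifconfig -a` as `text`; an empty list means the bridge carries only the intended VLAN and at least one jail interface.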
 

andfrid

Yes, I see this correctly, but my jails are down after reboot with autostart set on.
When I manually start both with vnet0:bridge0, that works. I tried to play with the jail priority but it doesn't work.
 
Joined
Mar 6, 2014
Messages
686
> Yes, I see this correctly, but my jails are down after reboot with autostart set on.
> When I manually start both with vnet0:bridge0, that works. I tried to play with the jail priority but it doesn't work.

Hmm... Strange. For me it works exactly like that. I have VNET0:bridge0 in one jail and VNET0:bridge1 in the other jail. That creates a VNET0.# in bridge0 for one jail and a different VNET0.# in bridge1 for the other jail, and autostart also works fine.

But why do you care about autostart that much anyway? A (NAS) server is not supposed to be turned off much, except for maintenance.
 

andfrid

Hi Rilo,
Sorry, I was on holiday. Did you set VNET0:bridge1 because your second jail is in a different network than your first jail, or in the same network?

I'm looking to have it work the same way after rebooting, because my NAS will be stored at my friend's home.
 
Joined
Mar 6, 2014
Messages
686
> Did you set VNET0:bridge1 because your second jail is in a different network than your first jail, or in the same network?

I put it in bridge1, because it's on a different physical interface and on another network.
 

andfrid

OK, I understand. Today my autostart works. I don't know why, it just started working.
 
Joined
Mar 6, 2014
Messages
686
> OK, I understand. Today my autostart works. I don't know why, it just started working.

Great!
Just FYI: I just created a new jail on the same interface/network, using VNET0:bridge0, and everything works as expected :)
 

andfrid

Rilo,
Out of curiosity, in the global network configuration, have you set up a default gateway? If yes, is it linked to a particular network? For example, the same as the GUI network. Or have you set up a static route?
 
Joined
Mar 6, 2014
Messages
686
In global config, the gateway is the gateway in the GUI network, which is connected to interface 1. Interface 2 is connected to a completely separate network. No static routes.
But that shouldn't matter, as far as I know. You configure the jail's gateway in the jail's settings.
 

andfrid

OK, I asked you because I read this in the documentation:

> In many cases, a FreeNAS® configuration does not include default gateway information as a way to make it more difficult for a remote attacker to communicate with the server. While this is a reasonable precaution, such a configuration does not restrict inbound traffic from sources within the local network. However, omitting a default gateway will prevent the FreeNAS® system from communicating with DNS servers, time servers, and mail servers that are located outside of the local network. In this case, it is recommended to add Static Routes to be able to reach external DNS, NTP, and mail servers which are configured with static IP addresses. When a gateway to the Internet is added, make sure the FreeNAS® system is protected by a properly configured firewall.
 