Problem accessing internet from JAIL over second nic and different subnet (DMZ)

Krautmaster

Explorer
Joined
Apr 10, 2017
Messages
81
Dear all,
I know this has been solved several times but there was no reasonable and working solution so far for me.

Some Information:

-> Xeon D Board, HyperV Host, FreeNAS-11.2-U5 VM, 2 nic (hn0 / hn1)
-> Local subnet 192.168.2.0/24 -> gateway / nameserver 192.168.2.10
-> DMZ subnet 192.168.1.0/24 -> gateway / nameserver 192.168.1.1

hn0 is connected to LAN
hn1 is connected to DMZ

Other VMs can access the web from the DMZ without any issue:
[attachment: 1563451176730.png]


I currently set up a jail for Nextcloud. That jail was installed with hn1 connected to the LAN (192.168.2.* subnet) for easier testing.

Now I tried to switch it over to the DMZ. It's pretty weird that accessing the web page / Nextcloud works in general without issues, except that the app store and the security scan fail. That is due to the fact that the jail can't access the internet any more. https://cloud.krautmaster.de

FreeNAS ifconfig printout:
Code:
root@freenas[~]# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
hn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8011b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LINKSTATE>
        ether 00:15:5d:02:64:00
        hwaddr 00:15:5d:02:64:00
        inet 192.168.2.99 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
hn1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8011b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LINKSTATE>
        ether 00:15:5d:02:64:03
        hwaddr 00:15:5d:02:64:03
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:eb:1f:d8:f6:00
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: hn0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000
        member: hn1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000
root@freenas[~]#


Jail information - I did not manually edit any file in here, just for information:
Code:
root@nextcloud:/ # ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
hn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8011b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LINKSTATE>
        ether 00:15:5d:02:64:00
        hwaddr 00:15:5d:02:64:00
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
hn1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8011b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LINKSTATE>
        ether 00:15:5d:02:64:03
        hwaddr 00:15:5d:02:64:03
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:eb:1f:d8:f6:00
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: hn0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000
        member: hn1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000
root@nextcloud:/ # cat /etc/resolv.conf
nameserver 192.168.1.1
root@nextcloud:/ # ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=1.560 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.790 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.641 ms
^X64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.731 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.641/0.930/1.560/0.367 ms
root@nextcloud:/ # cat /etc/rc.conf
ifconfig_epair0b="DHCP"
hostname="nextcloud"
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"
apache24_enable="yes"
mysql_enable="yes"
redis_enable="yes"
php_fpm_enable="yes"
root@nextcloud:/ # ping google.com
PING google.com (216.58.208.46): 56 data bytes
^X^C
--- google.com ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
root@nextcloud:/ #


[attachment: 1563451474424.png]
[attachment: 1563451526367.png]

I added a static route - is it required?
[attachment: 1563451705061.png]

and I have not yet configured hn1 (DMZ) in the FreeNAS web GUI:
[attachment: 1563451896230.png]



Please let me know if you find information missing; I'll update ASAP.

Thanks for your support.

Edit: to sum up:

-> jail can access other machines in the 192.168.1.* subnet
-> jail has static IP 192.168.1.200 and nameserver configured to 192.168.1.1
-> jail is reachable from the internet over the virtual firewall / reverse proxy (in the DMZ as well)
-> jail lacks web access over gateway 192.168.1.1


Edit: that weird bridge0 was removed by a full reboot. All other stuff is the same, and so is the behaviour.

Edit2:
If configured like this (with vnet0 instead of passing the adapter itself), I can't even ping the clients in the DMZ subnet.
[attachment: 1563456629620.png]

Krautmaster
:confused:
I can access the internet from the jail if I change the general network settings of FreeNAS to use 192.168.1.1 (DMZ gateway) instead of the local gateway.

Sucks. Why does iocage ignore any internal gateway setting, and why can't I set a different gateway if I configure hn1 (second NIC) in FreeNAS manually?
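The two posts together point at a routing problem rather than a DNS or firewall one: the jail can reach 192.168.1.1 because it is on-link, but its default route is only usable once FreeNAS itself is told to use 192.168.1.1 as gateway. The script below is an added example, not code from the thread or from FreeNAS/iocage. It assumes that a jail on a shared (non-VNET) interface inherits the host's routing table, so its default route would point at the host's LAN gateway 192.168.2.10, and checks whether a given gateway is on-link for an address taken from an ifconfig `inet` line. The input lines are constructed to mirror the output quoted above.

```sh
#!/bin/sh
# Added example: check whether a default gateway is on-link for a jail's
# address. The constructed input mirrors the ifconfig output in the thread.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Accept a netmask either in ifconfig's hex form (0xffffff00) or dotted quad.
mask2int() {
    case "$1" in
        0x*) echo $(( $1 )) ;;
        *)   ip2int "$1" ;;
    esac
}

# Return 0 when ADDR and GW fall into the same network under MASK.
same_subnet() {
    a_int=$(ip2int "$1")
    m_int=$(mask2int "$2")
    g_int=$(ip2int "$3")
    [ $(( a_int & m_int )) -eq $(( g_int & m_int )) ]
}

# Parse an ifconfig "inet ... netmask ..." line and report whether the
# default gateway in use is directly reachable from that address.
diagnose_route() {
    inet_line=$1
    gateway=$2
    set -- $inet_line            # inet ADDR netmask MASK [broadcast BCAST]
    addr=$2
    mask=$4
    if same_subnet "$addr" "$mask" "$gateway"; then
        echo "OK: gateway $gateway is on-link for $addr netmask $mask"
        return 0
    fi
    echo "FAIL: gateway $gateway is not on-link for $addr netmask $mask;" \
         "a default route via it cannot be used from this address"
    return 1
}

run_checks() {
    # Constructed: the jail's inet line as quoted in the thread.
    jail_inet='inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255'
    # Constructed: the DMZ gateway and, by assumption, the host's LAN gateway
    # that a shared-interface jail inherits as its default route.
    for gw in 192.168.1.1 192.168.2.10; do
        diagnose_route "$jail_inet" "$gw" || :
    done
}

run_checks
```

Run inside the jail with the real `inet` line from `ifconfig` and the gateway shown by `netstat -rn` to confirm the diagnosis before touching the FreeNAS network settings; a FAIL for the default gateway while the DMZ gateway reports OK matches the symptom described in the thread (DMZ hosts reachable, internet unreachable).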