freebsd stable - Mar 2018 - Two NIC's inside a Jail

Hi all,

I have a Problem to understund how to manage 2 Networks inside a Jail.

i have create a jail (using ezjail) with a alias IP.
in rc.conf (on Host):

ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"? <-
this
is the jail ip

Inside the jail running apachhe24.

Now i add a new NIC to the System.
in rc.conf (on Host):
ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"

in /usr/local/etc/ezjail/myjail.conf:
i add the new ip
export jail_myjail_ip="192.168.100.2,213.70.80.92"

Restart the jail and ifconfig looks fine.
vmx0 -> inet 192.168.100.2
em0? -> inet 213.70.80.92

Apache Listen on all NIC's (<VirtualHost *:80>)
But i can see my Website only via 192.168.100.2 from intern Network.

The Host is behind a Firewall.
The IP? 213.70.80.92 is enabled for incomming Traffic.

When i give the Hostname in a Browser i become "connection Timeout".

What is to do that the Host is accessable from Inet?


Thanks
Holm


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20180323/7a012b9b/attachment.sig>

On Fri, Mar 23, 2018 at 04:01:30PM +0100, Joerg Surmann
wrote:
> Hi all,
> 
> I have a Problem to understund how to manage 2 Networks inside a Jail.
> 
> i have create a jail (using ezjail) with a alias IP.  in rc.conf (on
> Host):
> 
> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"?
<-
> this is the jail ip
> 
> Inside the jail running apachhe24.
> 
> Now i add a new NIC to the System.  in rc.conf (on Host):
> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
> 
> in /usr/local/etc/ezjail/myjail.conf: i add the new ip export
> jail_myjail_ip="192.168.100.2,213.70.80.92"
> 
> Restart the jail and ifconfig looks fine.  vmx0 -> inet 192.168.100.2
> em0? -> inet 213.70.80.92
> 
> Apache Listen on all NIC's (<VirtualHost *:80>) But i can see my
> Website only via 192.168.100.2 from intern Network.
> 
> The Host is behind a Firewall.  The IP? 213.70.80.92 is enabled for
> incomming Traffic.
> 
> When i give the Hostname in a Browser i become "connection
Timeout".
> 
> What is to do that the Host is accessable from Inet?
> 
Hi Joerg, 

I guess your host has default gw reachable via vmx0 and second interface
em0 is connected and was reachable at least from firewall protecting
address 213.70.80.92? If it is true then you should add: 

to /usr/local/etc/ezjail/myjail.conf 
export
jail_myjail_ip="lo1|127.0.1.1,vmx0|192.168.100.2,em0|213.70.80.92"
export jail_myjail_fib="1"

to /etc/rc.conf
static_routes="net_jails"
route_net_jails="default 213.70.80.x -fib 1"

to /boot/loader.conf
net.fibs="2"

Eventually take a look at setfib(1) and also consider migrating em
adapter to second vmx which shuld be faster and more flexible.

IMHO this questions should be asked rather on freebsd-net list than
here.
-- 
Marek Zarychta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20180323/e089f9c5/attachment.sig>