[PC-BSD Testing] Jails can't talk to internet

Jeff dejamuse at yahoo.com
Tue Jun 11 07:16:33 PDT 2013


I run PCBSD 9.1 and have a Warden jail setup.

In that jail, which has its own local IP, 192.168.1.12, I have an Apache server.

Normally, when I connect the computer to a single router that is connected to a modem, I set "nameserver 192.168.1.1", i.e. the router LAN IP / gateway, in /etc/resolv.conf on the jail and have no problems.

Now I have added a 2nd router daisy-chained from the primary router, running a subnet (primary router has IP 192.168.1.1 and secondary router 192.168.2.1).

The computer running the jail is plugged into the secondary router.

The problem is, the jail can't contact the internet. I can SSH into the jail from the host, but it takes a very long time to connect, like 15 seconds or so.

I can't ping out of the jail either, even as root I get: ping: socket: Operation not permitted.

Disabling the firewall has no effect.

The server responds to any connection from any computer connected to the 2nd router, but it's slow.

I've tried different IP addresses for "nameserver" but nothing works. The resolv.conf file on the PCBSD host just lists the ISP's DNS servers. Even changing the 2nd router's IP to 192.168.1.1 and the primary router to 192.168.2.1 has no effect. I thought maybe the jails needed to be on the same subnet.

I have no problems using the internet from the host, just the jails.

Any ideas why this happens and how to get around it? I've had this problem for years with different versions of FreeBSD.

I thought that jails just used the host's internet setup.

I posted this first on the PCBSD forum but got no response. I also posted on the FreeBSD networking forum and got this, which is a bit over my head:

---------------------------------------

Basically your jail is using the same routing as the rest of the machine. You have several options, though they may not all be supported in the PCBSD 9.1 jail system:

1/ You could use ipfw to do packet forwarding. This is what we used to do before we had #2 and #3.
2/ You can specify that the jail should use a different FIB (routing table). You should look up setfib(1) and setfib(2) and follow the 'see also' pointers as well.
3/ You can use VIMAGE and set up a jail with a completely separate network stack.

Documentation for this is a bit hard to find, but use the 'vnet' option in jail(8). Look up VIMAGE and vnet in google.
---------------------------------------

Thanks,

Jeff
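One thing worth checking before reaching for setfib or VIMAGE is the plain addressing question the post raises: the jail sits at 192.168.1.12 while the router it is plugged into is 192.168.2.1, so any nameserver or gateway on the 192.168.2.0/24 side is not on-link from the jail's point of view and needs a route the jail inherits from the host. The script below is an added example, not part of the original post or of Warden; it takes a jail IP, a prefix length and the text of a resolv.conf and reports for each nameserver whether it is on the jail's own subnet. The resolv.conf contents are a constructed sample using the two router addresses from the post. (The separate "ping: socket: Operation not permitted" message is a different matter: FreeBSD jails cannot open raw sockets unless the jail is explicitly allowed to, which is why ping fails inside a jail even as root.)

```shell
#!/bin/sh
# Added example (not from the original post or the Warden project):
# check whether the nameservers a jail has been given are on the jail's
# own IPv4 subnet or would have to be reached via a route.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "yes" if $1 and $2 share the first $3 bits (the prefix length),
# otherwise "no".
same_subnet() {
    a=$(ip_to_int "$1")
    b=$(ip_to_int "$2")
    drop=$(( 32 - $3 ))
    if [ $(( a >> drop )) -eq $(( b >> drop )) ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample of a jail's /etc/resolv.conf (not the poster's real file):
# the secondary router first, the primary router second.
SAMPLE_RESOLV='nameserver 192.168.2.1
nameserver 192.168.1.1'

# For every "nameserver" line in $3, print "<addr> on-link" when the
# address is inside the jail's subnet ($1 with prefix $2) and
# "<addr> needs-route" otherwise. Other lines (search, options) are skipped.
check_nameservers() {
    jail_ip=$1
    prefix=$2
    printf '%s\n' "$3" | while read -r key value; do
        [ "$key" = nameserver ] || continue
        if [ "$(same_subnet "$jail_ip" "$value" "$prefix")" = yes ]; then
            echo "$value on-link"
        else
            echo "$value needs-route"
        fi
    done
}

# Usage with the addresses from the post: the jail is 192.168.1.12/24.
check_nameservers 192.168.1.12 24 "$SAMPLE_RESOLV"
```

Run against the sample, the script reports `192.168.2.1 needs-route` and `192.168.1.1 on-link`; a "needs-route" nameserver is only reachable if the jail's routing table (the host's, unless setfib or vnet is used) carries a route to that subnet, which is exactly where the forum reply's three options come in.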