SOLVED Basejail networking does not work with VNET and BPF

[Arun Gupta]

I am running TrueNAS-12.0-U2.1. I created a basejail release 12.2. I enabled VNET and BPF and assigned static IP. After creating the jail, I found that I cannot ping the jail IP from my local network, nor can the jail ping any IP on my local network. The jail cannot access internet. Here are things that I tested:

a) Change jail to NAT. It works fine. From within the jail, I can ping all IPs on my local network and can connect to internet.
b) Disable both VNET and BPF. Jail works fines. I can ping jail IP from my local network, from within jail, I can ping all IPs on my local network and can connect to internet.
c) Change jail to DHCP. It obtains IP address from DHCP server, but same problem. No pinging the jail IP from local network, from within jail, cannot ping any local network IP, no internet access.
d) If I disable VNET and just enable BPF, jail cannot start. It says that BPF needs VNET.

I also noticed that when I created the jail with VNET and BPF enabled, in the jail, the network interface epair0b is assigned the static IP. On the host side, there is a vnet0.n interface which shows as "associated with jail: testj as nic: epair0b" and bridge0 has members em0 and vnet0.n. In the vnet0.n interface, n keeps incrementing every time I restart the jail.

When VNET and BPF are disabled, in the jail, there is one NIC em0 and a bridge0. NIC em0 is a member of bridge0. On the host side, there is no vnet0.n interface and bridge0 has just one member: em0 (the host NIC).

So, it seems that with VNET and BPF enabled, the jail NIC is just bridged to the host NIC via bridge0 and does not appear as an independent machine on the local network. From within the jail shell, I started a ping of a local network IP address and looked for ICMP packets on the host side using

tcpdump -i bridge0 -v -ip proto icmp
tcpdump -i vnet0.28 -v -ip proto icmp

Not a single ICMP packet is reaching any of these interfaces from within the jail.

Is there a way to make a basejail work with VNET and BPF enabled? If someone has a working setup, can you please share some details of how it worked? I have spent more than two days deleting and recreating the jails and trying various options and read tens of forums threads but nothing of value. Till yesterday, I was testing on FreeNAS 11.3 U5 and had same problem. Then yesterday I upgraded to TrueNAS 12 hoping that things will work, but no luck.

I have just one NIC on the TrueNAS host and all local network is on 192.168.250.0 network.

Thanks...

 

[Samuel Tai]

My basejail works just fine; however, you may need to set the vnet_default_interface property of your basejail to em0 from auto. You may also need to run ifconfig -a | grep vnet to see if you have zombie vnet interfaces for which you'll need to ifconfig <name of zombie interface> destroy.

 

[Arun Gupta]

Thanks for the reply.

Do you have both VNET and Berkeley Packet Filter checked?

I have tried every possible setting for vnet_default_interface and ipv4_interface. Nothing works when VNET and Berkeley Packet Filter are enabled.

I have checked and there is no zombie vnet interface on the host. There is just one.

# ifconfig -a | grep vnet member: vnet0.35 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> vnet0.35: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500

If you don't mind, can you please share how many interfaces you see when you do ifconfig in the jail shell? No need for actual output, just interface names will do.

Thanks...!!

 

[Samuel Tai]

Yes, both VNET and BPF are enabled. Here's my ifconfig -a output outside the jail:

Code:

igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: igb0
        options=a520b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6>
        ether d0:50:99:01:33:9e
        inet6 fe80::d250:99ff:fe01:339e%igb0 prefixlen 64 scopeid 0x1
        inet6 2601:5c9:4200:4169:d250:99ff:fe01:339e prefixlen 64 autoconf
        inet6 fdce:7100:606a:0:d250:99ff:fe01:339e prefixlen 64 autoconf
        inet 192.168.0.30 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
igb1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether d0:50:99:01:33:9f
        media: Ethernet autoselect
        status: no carrier
        nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:6d:5e:0d:0e:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000000
        member: vnet0.1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
vnet0.1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: garage as nic: epair0b
        options=8<VLAN_MTU>
        ether 02:ff:60:de:0b:69
        hwaddr 02:7f:a9:4b:a0:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
vnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether fe:a0:98:78:bd:3d
        hwaddr 58:9c:fc:10:d0:0d
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=1<PERFORMNUD>
        Opened by PID 45784

And inside the jail:

Code:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:60:de:0b:6a
        hwaddr 02:7f:a9:4b:a0:0b
        inet 192.168.0.31 netmask 0xffffff00 broadcast 192.168.0.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>

 

[Arun Gupta]

This different from what I am seeing. Here is my output from host:

Code:

# ifconfig -a
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: FreeNASPublic
        options=810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 00:0c:29:03:5f:66
        inet 192.168.250.10 netmask 0xffffff00 broadcast 192.168.250.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:e4:fc:27:bf:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0.2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
vnet0.2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: dnsmasqj as nic: epair0b
        options=8<VLAN_MTU>
        ether 02:0c:29:4a:50:e4
        hwaddr 02:d2:67:92:f8:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>

This is from within the jail:

Code:

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:0c:29:4a:50:e5
        hwaddr 02:d2:67:92:f8:0b
        inet 192.168.250.92 netmask 0xffffff00 broadcast 192.168.250.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>

If you have some time, would you be willing to take a look and see what is wrong? I do not see a vnet0 interface on the host.

Thanks,
Arun

 

[Samuel Tai]

Ignore my vnet0 interface; that's associated with the bhyve virtual machine tap interface. Please provide the output of iocage get all dnsmasqj. In particular, what are the values of these properties?

• bpf
• defaultrouter
• dhcp
• interfaces
• ip4
• ip4_addr
• ip4_saddrsel
• mac_prefix
• nat
• vnet
• vnet0-mac

 

[Arun Gupta]

Here it is:

Code:

CONFIG_VERSION:28
allow_chflags:0
allow_mlock:0
allow_mount:0
allow_mount_devfs:0
allow_mount_fusefs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:0
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:0
allow_vmm:0
assign_localhost:0
available:readonly
basejail:1
boot:1
bpf:1
children_max:0
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:192.168.250.1
defaultrouter6:auto
depends:none
devfs_ruleset:4
dhcp:0
enforce_statfs:2
exec_clean:1
exec_created:/usr/bin/true
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:dnsmasqj
host_hostuuid:dnsmasqj
host_time:1
hostid:262de71c-ca0b-11e9-9d50-000c29035f66
hostid_strict_check:0
interfaces:vnet0:bridge0
ip4:new
ip4_addr:vnet0|192.168.250.92/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
ip_hostname:0
jail_zfs:0
jail_zfs_dataset:iocage/jails/dnsmasqj/data
jail_zfs_mountpoint:none
last_started:2021-04-02 01:02:19
localhost_ip:none
login_flags:-f root
mac_prefix:020c29
maxproc:off
memorylocked:off
memoryuse:off
min_dyn_devfs_ruleset:1000
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nat:0
nat_backend:ipfw
nat_forwards:none
nat_interface:none
nat_prefix:172.16
nmsgq:off
notes:none
nsem:off
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
plugin_name:none
plugin_repository:none
priority:99
pseudoterminals:off
quota:none
readbps:off
readiops:off
release:12.2-RELEASE-p5
reservation:none
resolver:/etc/resolv.conf
rlimits:off
rtsold:0
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:0
type:jail
used:readonly
vmemoryuse:off
vnet:1
vnet0_mac:020c294a50e4 020c294a50e5
vnet0_mtu:auto
vnet1_mac:none
vnet1_mtu:auto
vnet2_mac:none
vnet2_mtu:auto
vnet3_mac:none
vnet3_mtu:auto
vnet_default_interface:em0
vnet_default_mtu:1500
vnet_interfaces:none
wallclock:off
writebps:off
writeiops:off

 

[Samuel Tai]

Here's your problem:

Code:

vnet0_mac:020c294a50e4 020c294a50e5

There needs to be a comma between the 2 MACs, to let VNET know these are the MACs to apply to both sides of the epair interface. There can't be any white space following the comma. I.e., your property should read:

Code:

vnet0_mac:020c294a50e4,020c294a50e5

 

[Arun Gupta]

This was put in there by TrueNAS. This is what the help says:

Help vnet0_mac:
Leave this field empty to generate random MAC addresses for the host and jail. To assign fixed MAC addresses, enter the MAC address to be assigned to the host, a space, then the MAC address to be assigned to the jail.


Should I try putting a comma instead of space?
Thanks,
Arun

 

[Samuel Tai]

Yes, try a comma instead of a space. I built this particular jail in 11.x, and always used DHCP, but with fixed MACs. It's always worked.

 

[Arun Gupta]

I tested with a comma, but same behavior. Cannot ping the jail IP and from within the jail, no ping to local network.

Thanks...
Arun

 

[Samuel Tai]

What does dmesg | grep epair show on your system?

 

[Samuel Tai]

BTW, here's my jail properties.

Code:

CONFIG_VERSION:28
allow_chflags:0
allow_mlock:0
allow_mount:1
allow_mount_devfs:1
allow_mount_fusefs:1
allow_mount_nullfs:0
allow_mount_procfs:1
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:0
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:0
allow_vmm:0
assign_localhost:0
available:readonly
basejail:1
boot:1
bpf:1
children_max:0
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:auto
defaultrouter6:auto
depends:none
devfs_ruleset:0
dhcp:1
enforce_statfs:2
exec_clean:1
exec_created:/usr/bin/true
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:garage
host_hostuuid:garage
host_time:1
hostid:a514a741-fb39-11e7-9458-d0509901339e
hostid_strict_check:0
interfaces:vnet0:bridge0
ip4:new
ip4_addr:none
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
ip_hostname:0
jail_zfs:0
jail_zfs_dataset:iocage/jails/garage/data
jail_zfs_mountpoint:none
last_started:2021-03-12 23:55:05
localhost_ip:none
login_flags:-f root
mac_prefix:02ff60
maxproc:off
memorylocked:off
memoryuse:off
min_dyn_devfs_ruleset:1000
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nat:0
nat_backend:ipfw
nat_forwards:none
nat_interface:none
nat_prefix:172.16
nmsgq:off
notes:none
nsem:off
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
plugin_name:none
plugin_repository:none
priority:99
pseudoterminals:off
quota:none
readbps:off
readiops:off
release:12.2-RELEASE-p5
reservation:none
resolver:/etc/resolv.conf
rlimits:off
rtsold:0
securelevel:0
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:0
type:jail
used:readonly
vmemoryuse:off
vnet:1
vnet0_mac:02ff60de0b69,02ff60de0b6a
vnet0_mtu:auto
vnet1_mac:none
vnet1_mtu:auto
vnet2_mac:none
vnet2_mtu:auto
vnet3_mac:none
vnet3_mtu:auto
vnet_default_interface:auto
vnet_default_mtu:1500
vnet_interfaces:none
wallclock:off
writebps:off
writeiops:off

I'm using DHCP to provision an IP in the jail, using the 2nd vnet0_mac MAC address on my router to provide a static IP to the jail.

 

[Arun Gupta]

This from outside the jail:

Code:

epair0a: Ethernet address: 02:5b:fb:e2:24:0a
epair0b: Ethernet address: 02:5b:fb:e2:24:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: changing name to 'vnet0.1'
epair0b: link state changed to DOWN
epair0a: Ethernet address: 02:d2:67:92:f8:0a
epair0b: Ethernet address: 02:d2:67:92:f8:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: changing name to 'vnet0.2'
epair0b: link state changed to DOWN
epair0a: Ethernet address: 02:4d:cd:0e:6e:0a
epair0b: Ethernet address: 02:4d:cd:0e:6e:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: changing name to 'vnet0.3'
epair0b: link state changed to DOWN
epair0a: Ethernet address: 02:99:e5:43:17:0a
epair0b: Ethernet address: 02:99:e5:43:17:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: changing name to 'vnet0.4'
epair0b: link state changed to DOWN
epair0a: Ethernet address: 02:05:c0:af:a6:0a
epair0b: Ethernet address: 02:05:c0:af:a6:0b
epair0a: link state changed to UP
epair0b: link state changed to UP
epair0a: changing name to 'vnet0.5'
arp: 192.168.250.10 moved from 02:0c:29:4a:50:e4 to 00:0c:29:03:5f:66 on epair0b

 

[Samuel Tai]

OK, part of the problem is the random prefixes and MACs that are auto-generated. Try locking down the mac_prefix and vnet0_mac properties so they don't change between jail starts/stops by entering your own values instead of the generated values. In your case, the last values from vnet0.5 would work:

• mac_prefix: 0205c0
• vnet0_mac: 0205c0afa60a,0205c0afa60b

 

[Arun Gupta]

Still not working.

I compared my jail settings side by side with yours and made most of them the same as yours. So, now the only difference is MAC addresses, use of DHCP vs. static, last start time etc., but still no luck.

Thank you so much for your continued help. I will check this thread tomorrow. It is kind of getting late here and I have to catch up on my sleep.

 

[Arun Gupta]

I feel so stupid right now. The problem is solved. The TrueNAS server is actually a VM (VMWare ESXi). It's NIC em0 is connected to a vSwitch. The vSwitch was set to reject promiscuous mode packets. This is why network access was getting blocked. When I enabled the promiscuous mode on the vSwitch, ping and network access from within jail started to work.

What lead me to checking promiscuous mode is that I looked at the arp entries on the Windows laptop. It was showing correct IP to MAC address mapping. The IP was 192.168.250.92 and MAC address was the MAC address of vpair0b. Then I started a tcpdump -i em0 -v icmp on host and started ping -t 192.168.250.92 from Windows laptop. The ping failed. After some thinking, I thought why the ICMP packets are not reaching em0?

Then I realized that for ICMP packets to reach em0, promiscuous mode must be enabled. em0 had promiscuous mode enabled. Then I started checking backwards till I reached vSwitch.

I thank you so much for spending time on this problem. Words of gratitude are not enough. I also sincerely apologize for wasting your valuable time.

Best regards,
Arun