BOUNTY!! Help wanted, yet another VLAN/Jail topic, tried everything

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Hey!

$100 BOUNTY FOR WHOEVER HELPS ME FIX THIS!!!

So I've been trying to get this right for about 5 days now. I had around 4 reinstalls because I locked myself out (flood/storms or something like that). Also a few CLI config restores happened.
I'll first try to explain what hardware I have, then I'll explain what I'm trying to achieve. I hope someone can help me.

I have an OPNsense router with 4 ports
  1. Gateway: 192.168.3.1 (LAN)
  2. DNS: 192.168.3.9
  3. Ifaces: WAN, LAN (192.168.3.0/24), HTPC (192.168.7.0/24 vlan tag 2), HASS (192.168.4.0/24 vlan tag 3), GUEST (192.168.5.0/24 vlan tag 4)
  4. The above VLANs HASS and GUEST work great right now.
I have a TP-Link 8-port router, partly managed via web UI (QoS, port VLAN, 802.1Q VLAN, LAG and some loop protection options)
  1. Port 8 has vlan id 1 (regular untagged traffic)
  2. Port 8 has vlan id 2 (HTPC vlan in OPNsense and FreeNAS)
  3. Port 8 is connected to Freenas
  4. -----
  5. Port 7 has vlan id 1 (regular untagged traffic)
  6. Port 7 is connected to my OPNsense router at LAN
  7. -----
  8. Port 1 has vlan id 1 (regular untagged traffic)
  9. Port 1 has vlan id 3 (Guest AP)
  10. Port 1 has vlan id 4 (Home automation IP)
  11. Port 1 is connected to a TPlink AC wifi AP (Guest AP, Home automation AP)
  12. Other ports contain pc/laptop/rpi etc
FreeNAS system with 1 NIC, igb0 -- (I'm going to buy a 4-port Intel NIC to use 2x LAGG and 2x VLAN, but that's for another day)

OS Version:
FreeNAS-11.2-RELEASE-U1
(Build Date: Dec 20, 2018 22:41)

Processor:
AMD Ryzen 7 1700X Eight-Core Processor (16 cores)

Memory:
32 GiB
  1. IP DHCP from OPNsense (statically configured in router) 192.168.3.2
  2. GW: 192.168.3.1
  3. 1x VM on TAP0
  4. Several jails on VNET
  5. Bridge0 created in the past, don't know what for anymore, please advise. (please see config below)
Now what I want to achieve is:
  1. Separate jails from my main LAN, totally isolated, nothing to do with LAN, just HTPC (vlan 2)
  2. Be able to add/change VLANs and jails later on
My questions are:
  • What do I set in the jail config page for:
    • dhcp (I'd like to use it on the VLAN)
    • bpf (security issue? I'm not that technical, so the docs only confuse me more)
    • vnet, I assume yes... (I need to access each jail via its IP from another subnet, configured with rules in the router)
    • ipv4_addr
    • default gw
    • exec_fib (tried the suggested fib 1 with the new routing rules... no avail)
    • interfaces: vnet0:bridge0 or vnet1:bridge1 or else? (because I don't want the HTPC jails in the regular LAN bridge)
    • Raw sockets? (security concern? I'm not that technical, so the docs only confuse me more)
Code:
root@freenas:~ # ifconfig
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=2400b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6>
    ether 70:85:c2:62:06:62
    hwaddr 70:85:c2:62:06:62
    inet 192.168.3.2 netmask 0xffffff00 broadcast 192.168.3.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:05:16:ba:17:00
    nd6 options=9<PERFORMNUD,IFDISABLED>
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: vnet0:7 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 12 priority 128 path cost 2000
    member: vnet0:6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 11 priority 128 path cost 2000
    member: vnet0:5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 10 priority 128 path cost 2000
    member: vnet0:4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000
    member: vnet0:3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 9 priority 128 path cost 2000
    member: vnet0:2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 8 priority 128 path cost 2000
    member: vnet0:1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 7 priority 128 path cost 2000
    member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 6 priority 128 path cost 2000000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:05:16:ba:17:01
    nd6 options=9<PERFORMNUD,IFDISABLED>
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
tap1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    ether 00:bd:f1:10:f8:01
    hwaddr 00:bd:f1:10:f8:01
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect
    status: active
    groups: tap
    Opened by PID 4302
vnet0:1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: plex
    options=8<VLAN_MTU>
    ether 02:ff:60:14:fa:09
    hwaddr 02:dc:d0:00:07:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: backuppc
    options=8<VLAN_MTU>
    ether 02:ff:60:12:30:b6
    hwaddr 02:dc:d0:00:08:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: bitwarden
    options=8<VLAN_MTU>
    ether 02:ff:60:ef:c8:55
    hwaddr 02:dc:d0:00:09:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:4: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: guac
    options=8<VLAN_MTU>
    ether 02:ff:60:fa:f0:c0
    hwaddr 02:dc:d0:00:05:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:5: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: nextcloud
    options=8<VLAN_MTU>
    ether 02:ff:60:ba:b5:81
    hwaddr 02:dc:d0:00:0a:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:6: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: influxdb
    options=8<VLAN_MTU>
    ether 02:ff:60:92:dd:64
    hwaddr 02:dc:d0:00:0b:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:7: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: organizr
    options=8<VLAN_MTU>
    ether 02:ff:60:e1:fe:c6
    hwaddr 02:dc:d0:00:0c:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair


Code:
root@freenas:~ # iocage list
+-----+-----------+-------+--------------+--------------+
| JID |   NAME    | STATE |   RELEASE    |     IP4      |
+=====+===========+=======+==============+==============+
| 2   | backuppc  | up    | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| 3   | bitwarden | up    | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| 4   | guac      | up    | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| 6   | influxdb  | up    | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| -   | jackett   | down  | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| -   | lidarr    | down  | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| -   | manager   | down  | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| 5   | nextcloud | up    | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| 7   | organizr  | up    | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| 1   | plex      | up    | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| -   | radarr    | down  | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| -   | sabnzbd   | down  | 11.2-RELEASE | DHCP         |
+-----+-----------+-------+--------------+--------------+
| -   | sonarr    | down  | 11.2-RELEASE | 192.168.7.10 |
+-----+-----------+-------+--------------+--------------+


Code:
root@freenas:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.3.1        UGS        igb0
127.0.0.1          link#2             UH          lo0
192.168.3.0/24     link#1             U          igb0
192.168.3.2        link#1             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#2                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0


Documentation used (tried every single method and a mix of all, also the sub-links posted in each thread...):
https://forums.freenas.org/index.php?threads/vlan-explain-please-on-how-to-do-it.65943/page-2
https://forums.freenas.org/index.php?threads/how-to-set-separate-vlan-for-jail.54019/
https://forums.freenas.org/index.php?threads/freenas-jails-in-different-multiple-subnets.41539/
https://gist.github.com/sdebnath/086874c5df8b68e0df69
 


Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
FreeNAS system with 1 NIC, igb0 -- (I'm going to buy a 4-port Intel NIC to use 2x LAGG and 2x VLAN, but that's for another day)
Probably better off with a single 10Gb port
 


ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Overthinking the whole misery, I thought of the following, which could work. Any thoughts on it?

* Set up a VLAN on a specified parent interface (with just one NIC, in my example it would be igb0)
* In System -> Tunables add: cloned_interfaces: bridge0 bridge1 & ifconfig_bridge0: addm igb0 up & ifconfig_bridge1: addm vlanX up
* Jail settings:
  - IPV4_addr: vnet1:SUBNET-IP/24
  - DEFAULTROUTER: ROUTER-IP
  - INTERFACE: vnet1:bridge1
  - Only have vnet enabled; DHCP, BPF and raw sockets off
  - Specify DNS server

In my idea this is nearly the same as the bridge created for the regular LAN jails.
Going to test this tomorrow, will report back.
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
OK, applying the above to 2x jail does properly create bridge1 and vnet1:xx, and they can ping each other, just not the router. Added default gateways via the FreeNAS GUI, also tried the FIB method... nothing.

$100 bounty for anyone who helps me fix this
 

f4nt0m

Cadet
Joined
Dec 14, 2017
Messages
5
Make another bridge.
You want 3 files:
jail-pre-start
Code:
#!/bin/bash
ifconfig bridge172 create ## set bridgeN as you need
ifconfig bridge172 up
ifconfig epair172 create ## set epairN as you need; this creates epair172a (host side) and epair172b (jail side)
ifconfig bridge172 addm epair172a addm re1 ## re1 is my NIC; change it to your NIC name from ifconfig
ifconfig epair172a up

jail-post-start
Code:
#!/bin/bash
JAILNAME=gateway
JID=$(iocage list -h | grep gateway | sed "s/[[:space:]].*//"); ## JID is the first column of the tab-separated list
IFACE=epair172b
ifconfig $IFACE vnet $JID ## move the jail side of the pair into the jail's vnet
iocage exec $JAILNAME dhclient $IFACE

and to remove it
jail-pre-stop
Code:
#!/bin/bash
ifconfig bridge172 destroy
ifconfig epair172a destroy ## destroying one end of the pair removes both

Set these scripts on the iocage jail like in the UI:
exec_poststart:/mnt/bigraidz/iocage/jails/gateway/jail-post-start gateway
exec_prestart:/mnt/bigraidz/iocage/jails/gateway/jail-pre-start gateway
exec_prestop:/mnt/bigraidz/iocage/jails/gateway/jail-pre-stop gateway
Set up your VLANs and enjoy %)
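The three hooks above folded into one POSIX sh script, as an added example (not f4nt0m's scripts and not iocage's own code): every interface name derives from one number N so pre-start and post-start cannot disagree about which epair belongs to which bridge, the pre-start refuses an uplink that is already a member of another bridge (the "Device busy" error), and the JID lookup matches the exact jail name instead of a grep substring. The script path, the DRY_RUN variable and the function names are assumptions; the iocage properties and commands are the ones from the post.

```shell
#!/bin/sh
# Added example (not f4nt0m's scripts and not iocage code): the three hooks
# above folded into one POSIX sh script. Every interface name derives from one
# number N, so pre-start and post-start cannot disagree about which epair goes
# with which bridge.
#
# Assumed (hypothetical) wiring in the jail's iocage properties:
#   exec_prestart:  /path/to/vlanhook.sh prestart  <jail> <N> <uplink>
#   exec_poststart: /path/to/vlanhook.sh poststart <jail> <N> <uplink>
#   exec_prestop:   /path/to/vlanhook.sh prestop   <jail> <N> <uplink>
# <uplink> is the VLAN interface (e.g. vlan2 created on igb0 in the FreeNAS
# UI), not the untagged NIC itself, which already belongs to bridge0.
#
# DRY_RUN=1 (the default here) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print the bridge that already lists interface $1 as a member, reading
# ifconfig output from stdin; prints nothing when the interface is free.
# Adding an interface that is already in another bridge is what produces
# "ifconfig: BRDGADD igb0: Device busy".
bridge_owning() {
    awk -v want="$1" '
        /^[a-z0-9:.]+: flags=/ { cur = $1; sub(":$", "", cur) }
        $1 == "member:" && $2 == want { print cur; exit }
    '
}

# Print the JID of jail $1 from "iocage list -h" output on stdin (columns
# JID NAME STATE RELEASE IP4, no header). Matching the NAME column exactly
# avoids the substring problem of "grep gateway", which also matches "gateway2".
jid_of() {
    awk -v j="$1" '$2 == j { print $1; exit }'
}

prestart_cmds() {   # args: jail N uplink
    n=$2; uplink=$3
    run ifconfig "bridge$n" create
    run ifconfig "bridge$n" up
    run ifconfig "epair$n" create     # makes epair${n}a (host) and epair${n}b (jail)
    run ifconfig "bridge$n" addm "epair${n}a" addm "$uplink"
    run ifconfig "epair${n}a" up
}

poststart_cmds() {  # args: jail N jid
    jail=$1; n=$2; jid=$3
    run ifconfig "epair${n}b" vnet "$jid"           # hand the b end to the jail
    run iocage exec "$jail" dhclient "epair${n}b"   # or a static ifconfig/route if dhcp is off
}

prestop_cmds() {    # args: jail N
    n=$2
    run ifconfig "bridge$n" destroy
    run ifconfig "epair${n}a" destroy   # destroying one end removes both
}

case "${1:-}" in
    prestart)
        owner=$(ifconfig 2>/dev/null | bridge_owning "$4")
        if [ -n "$owner" ]; then
            echo "refusing: $4 is already a member of $owner" >&2
            exit 1
        fi
        prestart_cmds "$2" "$3" "$4" ;;
    poststart)
        jid=$(iocage list -h 2>/dev/null | jid_of "$2")
        if [ -z "$jid" ]; then
            echo "jail $2 is not running" >&2
            exit 1
        fi
        poststart_cmds "$2" "$3" "$jid" ;;
    prestop)
        prestop_cmds "$2" "$3" ;;
esac
```

Run with DRY_RUN=0 for the real ifconfig/iocage calls; with the default DRY_RUN=1 it only prints what it would do.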
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Hey mate! Thanks for this suggestion, I'm still not quite sure what to set as IP interfaces in the jail's config. Please elaborate on that?
So:
* ipv4_addr: vnet or epair?
* interface: epair172:bridge172 ?

I need the jails to be accessible on their IP. And can I do this for every jail? Just specify a new number?

Code:
root@freenas:~ # ifconfig bridge172 addm epair172a addm igb0
ifconfig: BRDGADD igb0: Device busy


Please help me fix this VLAN stuff and the bounty is yours!

Thanks
 

f4nt0m

Cadet
Joined
Dec 14, 2017
Messages
5
Use these settings from the UI as default,

like *interface: vnet0:bridge0?

and use my scripts for custom interfaces with your VLAN settings,
like
Code:
#!/bin/bash
ifconfig bridge10 create ## set bridgeN as you need
ifconfig bridge10 up
ifconfig epair10 create ## set epairN as you need
ifconfig bridge10 addm epair10a addm vlan2 ## vlan2 is your VLAN interface; change it to the name from ifconfig
ifconfig epair10a up

and with iocage
Code:
#!/bin/bash
JAILNAME=yourjailname
JID=$(iocage list -h | grep "$JAILNAME" | sed "s/[[:space:]].*//");
IFACE=epair10b
ifconfig $IFACE vnet $JID
iocage exec $JAILNAME dhclient $IFACE

and in your jail, connect the interface with vlan2 as epair10b

Sorry for my English %)
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
OK, so I understand I just have to use the default settings? But why create the epair10? It doesn't do anything in this config, right?

But when I try to do this:
Code:
root@freenas:~ # ifconfig epair10b vnet 13
ifconfig: SIOCSIFVNET: Device not configured


Is it also possible to keep bpf and dhcp off?
Do you have anything else in tunables?

OK, I was able to create a jail with these settings:

Code:
root@freenas:~ # cat /tmp/jail-pre-start
#!/bin/bash
ifconfig bridge172 create ## set bridgeN as you need
ifconfig bridge172 up
ifconfig epair172 create ## set epairN as you need
ifconfig bridge172 addm epair172a addm vlan2 ## vlan2 is the VLAN interface on igb0
ifconfig epair172a up

root@freenas:~ # cat /tmp/jail-post-start
#!/bin/bash
JAILNAME=tests
JID=$(iocage list -h | grep tests | sed "s/[[:space:]].*//");
IFACE=epair10b ## NOTE: pre-start created epair172, not epair10, so this name does not match the pair above
ifconfig $IFACE vnet $JID
iocage exec $JAILNAME dhclient $IFACE

#!/bin/bash
## jail-pre-stop
ifconfig bridge172 destroy
ifconfig epair172a destroy



but:
Code:
root@tests:~ # ping 192.168.7.1
PING 192.168.7.1 (192.168.7.1): 56 data bytes
ping: sendto: Host is down
 

f4nt0m

Cadet
Joined
Dec 14, 2017
Messages
5
After the command ifconfig epair10 create, the system creates 2 paired interfaces, epair10a and epair10b. Check it.
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Yes, it gets created indeed, but this is the output when running it manually.

I also added it to the scripts and to the pre and post lines, but like I stated above, no connectivity inside the jail...

Please advise.

Edit: if I understand correctly, epairA is used on the host whereas epairB is used inside the jail. EpairA is the equivalent of vnet0, if I'm correct.
 

f4nt0m

Cadet
Joined
Dec 14, 2017
Messages
5
Edit: if I understand correctly, epairA is used on the host whereas epairB is used inside the jail. EpairA is the equivalent of vnet0, if I'm correct.
Yes, that's right.

Show ifconfig on the host system and in the jail.
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Still no connectivity within the jail...

Also found this:
https://iocage.readthedocs.io/en/latest/networking.html
But I can't add 2 bridges with the same parent interface to it.

https://www.freebsd.org/doc/handbook/network-bridging.html
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
Added default gateways via the FreeNAS GUI
I'm wondering if the plural of gateway is what you mean here... your box would only usually have 1 default gateway. All other interfaces won't have a path to the Internet, so don't get one (the routing table uses the IP and netmask to work out that the interface on that subnet is the way to other addresses on that same subnet).

Don't know if that can really be the only problem you have, but it could be one.
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
Well, because I only have 1 NIC, and I do have jails that need "normal, not VLANned" traffic. Bridge0 is my regular bridge that I need for the jails to have normal LAN access.

Now there must be a way to tackle this, right? How else would one create multiple VLANs on 1 NIC?
Thanks for the help so far!

@sretalla No, I just meant a route, sorry. The default gateway is set up for the FreeNAS box as 192.168.3.1, as that's my router. I just mean 192.168.x.0/24 to 192.168.x.1 for all subnets.
 

ezra

Contributor
Joined
Jan 15, 2015
Messages
124
OK, so the above steps did not do it for me.

Now I've set up vlan400 with 2x jail, sonarr/radarr.
bridge1 contains re0 (new NIC) and vlan400 (the iocage docs state that the VLAN and the host NIC need to be in the bridge).

Now I can ping both jails from within each other, but not the GW (the firewall allows ICMP and the switch is configured correctly; the same switch setup works for vlan300 on a VM).

ifconfig of the above:

Code:
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=82099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether 00:13:3b:10:1f:ba
    hwaddr 00:13:3b:10:1f:ba
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:05:16:ba:17:01
    nd6 options=9<PERFORMNUD,IFDISABLED>
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: vnet0:12 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 23 priority 128 path cost 2000
    member: vnet0:11 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 22 priority 128 path cost 2000
    member: vlan400 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 21 priority 128 path cost 20000
    member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 2 priority 128 path cost 55
vlan400: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80001<RXCSUM,LINKSTATE>
    ether 00:13:3b:10:1f:ba
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    vlan: 400 vlanpcp: 1 parent interface: re0
    groups: vlan
vnet0:11: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: sonarr as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:75:8d:29
    hwaddr 02:9f:d0:00:16:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:12: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: radarr as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:c1:df:ca
    hwaddr 02:9f:d0:00:17:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair


iocage jail config:
Code:
root@freenas:~ # iocage get all sonarr
CONFIG_VERSION:14.1
allow_chflags:0
allow_mlock:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:1
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:0
available:readonly
basejail:no
boot:off
bpf:no
children_max:0
cloned_release:11.2-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:192.168.7.1
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:off
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:sonarr
host_hostuuid:sonarr
host_time:yes
hostid:981bc45b-f61b-11e7-8463-7085c2620662
hostid_strict_check:off
interfaces:vnet0:bridge1
ip4:new
ip4_addr:vnet0|192.168.7.2
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:off
jail_zfs_dataset:iocage/jails/sonarr/data
jail_zfs_mountpoint:none
last_started:2019-03-01 21:11:20
login_flags:-f root
mac_prefix:02ff60
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nmsgq:off
notes:none
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
priority:99
pseudoterminals:off
quota:none
release:11.2-RELEASE-p9
reservation:none
resolver:nameserver 192.168.7.1
rlimits:off
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:jail
used:readonly
vmemoryuse:off
vnet:on
vnet0_mac:02ff60758d29 02ff60758d2a
vnet1_mac:02ff60758d29 02ff60758d2a
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
wallclock:off


Full ifconfig:

Code:
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=2400b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6>
    ether 70:85:c2:62:06:62
    hwaddr 70:85:c2:62:06:62
    inet 192.168.3.2 netmask 0xffffff00 broadcast 192.168.3.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=82099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether 00:13:3b:10:1f:ba
    hwaddr 00:13:3b:10:1f:ba
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether 00:13:3b:10:1f:bb
    hwaddr 00:13:3b:10:1f:bb
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether a0:36:9f:85:71:d4
    hwaddr a0:36:9f:85:71:d4
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect
    status: no carrier
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether a0:36:9f:85:71:d5
    hwaddr a0:36:9f:85:71:d5
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect
    status: no carrier
igb3: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether a0:36:9f:85:71:d6
    hwaddr a0:36:9f:85:71:d6
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect
    status: no carrier
igb4: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether a0:36:9f:85:71:d7
    hwaddr a0:36:9f:85:71:d7
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect
    status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:05:16:ba:17:00
    nd6 options=9<PERFORMNUD,IFDISABLED>
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: vnet0:7 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 20 priority 128 path cost 2000
    member: vnet0:6 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 19 priority 128 path cost 2000
    member: vnet0:5 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 18 priority 128 path cost 2000
    member: vnet0:4 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 17 priority 128 path cost 2000
    member: vnet0:3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 16 priority 128 path cost 2000
    member: vnet0:2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 15 priority 128 path cost 2000
    member: vnet0:1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 14 priority 128 path cost 2000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 20000
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:05:16:ba:17:01
    nd6 options=9<PERFORMNUD,IFDISABLED>
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: vnet0:12 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 23 priority 128 path cost 2000
    member: vnet0:11 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 22 priority 128 path cost 2000
    member: vlan400 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 21 priority 128 path cost 20000
    member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 2 priority 128 path cost 55
vlan300: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80003<RXCSUM,TXCSUM,LINKSTATE>
    ether 00:13:3b:10:1f:bb
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    vlan: 300 vlanpcp: 0 parent interface: re1
    groups: vlan
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: Attached to Hassio
    options=80000<LINKSTATE>
    ether 00:bd:c0:11:f8:00
    hwaddr 00:bd:c0:11:f8:00
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect
    status: active
    groups: tap
    Opened by PID 4566
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:05:16:ba:17:02
    nd6 options=1<PERFORMNUD>
    groups: bridge
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: vlan300 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 11 priority 128 path cost 20000
    member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 12 priority 128 path cost 2000000
vnet0:1: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: plex as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:14:fa:09
    hwaddr 02:9f:d0:00:0e:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:2: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: backuppc as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:12:30:b6
    hwaddr 02:9f:d0:00:0f:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:3: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: bitwarden as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:ef:c8:55
    hwaddr 02:9f:d0:00:10:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:4: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: guac as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:fa:f0:c0
    hwaddr 02:9f:d0:00:11:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:5: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: nextcloud as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:ba:b5:81
    hwaddr 02:9f:d0:00:12:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:6: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: influxdb as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:92:dd:64
    hwaddr 02:9f:d0:00:13:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:7: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: organizr as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:e1:fe:c6
    hwaddr 02:9f:d0:00:14:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vlan400: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80001<RXCSUM,LINKSTATE>
    ether 00:13:3b:10:1f:ba
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    vlan: 400 vlanpcp: 1 parent interface: re0
    groups: vlan
vnet0:11: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: sonarr as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:75:8d:29
    hwaddr 02:9f:d0:00:16:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
vnet0:12: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: radarr as nic: epair0b
    options=8<VLAN_MTU>
    ether 02:ff:60:c1:df:ca
    hwaddr 02:9f:d0:00:17:0a
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
Hey Ezra,

I can help you with your networking setup. While I review all your post and configs, please do yourself a favor and remove VLAN ID 1 from all of your config. Just don't use ID 1. It creates confusion and does not bring any benefit compared to any other VLAN ID. You can change your ID 1 for 10 or any other number not used.

Once done, the next step is to troubleshoot at layer 2 before troubleshooting at layer 3. So please, post your ARP tables also. The FreeNAS and firewall definitely have one table each; your switches may also be able to show you their tables.

I will review your setup while you do that...

Heracles (Wizard, joined Feb 2, 2018, 1,401 messages)
Hey again Ezra,

I started from the description you gave in your first post and will work from there.

Questions:
--Please provide the details of your firewall's network interfaces.

That means:
To identify each physical NIC,
To identify all the logical NICs on each physical NIC (and provide the VLAN tag used for each of these virtual NICs),
To identify the IP address / netmask used on each virtual NIC (a single virtual NIC can have many IPs).

As of now, I have your NIC #1 as WAN without any VLANs on it.
I have your NIC #2 as LAN and tagged as VLAN id 1. Please change that to VLAN 10.

I do not know what you did with your NIC #3 and #4, where are VLANs 2, 3 and 4, IP addresses, etc.

Also, tell me what you are using each VLAN for. Is HTPC the one supposed to host all your jails and nothing else? What is VLAN 3 and what interaction are you looking for from that VLAN? Is VLAN 4 supposed to reach your jails? Do you expect Internet access from everywhere?

The plan will be:
To identify each and every one of your layer 2 networks.
To provide a layer 3 addressing to each of them.
To connect your firewall to each and every one of these networks.
To configure your DNS and DHCP for every network you have.
To configure your switch for each of these networks.
To test and debug each network by moving a computer from one network to the other and confirming network connectivity.

Let's stop here for now. Once all your network segments are operational, we will work on the Access Point and confirm it is working as expected.

Once the Access Point is done, we will move to the FreeNAS.

I am confident we will get that network working as you need.

ezra (Contributor, joined Jan 15, 2015, 124 messages)
Heracles said: (quoted in full above)

Hey!

Thanks for your reply! Please disregard my first post, some things have changed.

Please see the updated post above, there is the most accurate setup! I have multiple VLANs working on the router/switch side already. This is purely an iocage/FreeNAS networking issue: I can ping 2 jails in the same VLAN structure but not the gateway, as stated above.

As for intra-VLAN access, I'll manage that on the router side without any problems. For testing I'll set up an allow-all-to-all rule on the firewall, but I'd like to isolate my HTPC VLAN to only have network access and not reach other subnets (I can access the HTPC VLAN from my LAN).

FreeNAS
IGB0 = LAN (192.168.3.2 freenas ip, gw 192.168.3.1)
RE0 = VLAN400 (192.168.7.0/24 jails mentioned above have 192.168.7.2 & 192.168.7.3)
RE1 = VLAN300 (used for a FreeNAS VM, which works, on bridge2 with TAP0)
IGB1 to 4 = Not used, will use it for LAGG and some other stuff later on!

See screenshot below for interfaces in FreeNAS, only IGB0 has an IP assigned.

New switch: ZyXel GS1900-24E

FreeNAS   Switch                                  Router
IGB0  --  port 8, untagged                    --  LAGG0
RE0   --  port 15, tagged VLAN 400 + LAGG1    --  LAGG0 (vlan400 has parent interface LAGG0; the VLAN interface has proper rules and DHCP)
RE1   --  port 16, tagged VLAN 300 + LAGG1    --  LAGG0 (vlan300 has parent interface LAGG0; the VLAN interface has proper rules and DHCP); this works as it should

LAGG1 goes from my switch to LAGG0 on my router.

I have more ports connected to my switch, with another switch that has a wireless AP with multiple VLANs, which do work via my router. This works as intended so I'll leave it out. I can provide the full setup, but that will take quite a while to write up/draw.

Attachment: Screenshot from 2019-03-02 13-54-06.png (155.4 KB)
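Heracles' advice to work at layer 2 first applies directly to the ifconfig output posted earlier in the thread: a jail on bridge1 is only as isolated as the bridge's membership list, and that output shows bridge1 carrying vlan400 and vlan400's parent re0 side by side, so untagged re0 frames and VLAN 400 frames share one broadcast domain. The following is an added example, not code from either poster: a POSIX sh/awk audit that reads `ifconfig` output on stdin, maps each bridge's members, and reports a VLAN member whose parent is bridged alongside it, or a VLAN member that is not UP. The sample input is constructed here, modelled on the thread's bridge1/vlan400/re0 and bridge2/vlan300 stanzas; the script and function names are this example's own.

```shell
#!/bin/sh
# Audit FreeBSD/FreeNAS bridge + VLAN topology from `ifconfig` output.
# Reads ifconfig text on stdin and prints one line per finding (sorted).
# Findings:
#   - a VLAN interface and its parent are both members of the same bridge
#     (untagged parent frames reach the supposedly isolated VLAN segment)
#   - a VLAN interface that is a bridge member but not UP
audit_bridges() {
    awk '
    # Interface stanzas start in column 0: "name: flags=NNNN<UP,...>".
    /^[^ \t]/ {
        cur = $1; sub(/:$/, "", cur)
        up[cur] = ($0 ~ /[<,]UP[,>]/) ? 1 : 0
        next
    }
    # Bridge stanzas list their ports as "    member: ifname flags=...".
    /^[ \t]+member: / {
        members[cur] = members[cur] " " $2
        next
    }
    # VLAN stanzas carry "    vlan: TAG vlanpcp: N parent interface: PARENT".
    /^[ \t]+vlan: / {
        tag[cur] = $2
        for (i = 1; i <= NF; i++) if ($i == "interface:") parent[cur] = $(i + 1)
        next
    }
    END {
        for (b in members) {
            n = split(members[b], m, " ")
            for (i = 1; i <= n; i++) {
                ifn = m[i]
                if (!(ifn in parent)) continue     # only VLAN members are checked
                if (!up[ifn])
                    printf "%s: VLAN member %s (tag %s) is not UP\n", b, ifn, tag[ifn]
                for (j = 1; j <= n; j++)
                    if (m[j] == parent[ifn])
                        printf "%s: %s (tag %s) and its parent %s are both members; untagged %s frames reach the VLAN %s segment\n", \
                               b, ifn, tag[ifn], parent[ifn], parent[ifn], tag[ifn]
            }
        }
    }' | sort
}

# Constructed sample modelled on the thread's ifconfig output (not a capture).
sample_ifconfig() {
cat <<'EOF'
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:13:3b:10:1f:ba
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:05:16:ba:17:01
    member: vnet0:12 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 23 priority 128 path cost 2000
    member: vnet0:11 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 22 priority 128 path cost 2000
    member: vlan400 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 21 priority 128 path cost 20000
    member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 2 priority 128 path cost 55
vlan400: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    vlan: 400 vlanpcp: 1 parent interface: re0
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    member: vlan300 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 11 priority 128 path cost 20000
    member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 12 priority 128 path cost 2000000
vlan300: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    vlan: 300 vlanpcp: 0 parent interface: re1
EOF
}

# Stand-alone run against the constructed sample; on a live host use:
#   ifconfig | audit_bridges
sample_ifconfig | audit_bridges
```

On the sample this reports only bridge1 (vlan400 plus its parent re0); bridge2 is clean because re1 is not a member. Once the membership is fixed, confirm at layer 2 as Heracles suggests: run `arp -an` on FreeNAS and on OPNsense, and watch `tcpdump -e -n -i re0 vlan 400` on the FreeNAS host while a jail pings the gateway, which shows whether the tagged ARP requests and replies actually cross re0.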