Hello everyone,
Recently I spent a lot of time trying to set up jails with DHCP.
For an unknown reason the jail wouldn't get an IP from the DHCP server.
Because the solution was so simple, I want to share this story and I hope it can save some time for someone who might have a similar issue.
I have a simple setup with a single NIC and a router with DHCP services. All works great except jails - no network. Apparently, my problem was in the firewall rules.
One of the first things I did when I built the FreeNAS server was setting up a pf firewall to block brute-force attempts to log in to FTP and SSH. This blocked the DHCP traffic between the router and the jails.
The DHCP "pass in" and "pass out" rules worked only for my primary interface, which happily uses DHCP. However, pf was filtering everything else on the epair[0-9]a interfaces.
The solution was simple - add "set skip on epair*" to pf.conf for each VM interface:
Code:
# change this to match your primary ethernet interface, re0 or em0 are common, but there are others
# change xxx.xxx.xxx.xxx to the external IP of your FreeNAS box
#
ext_if="re0"
dhcp_servers = "{ 10.0.4.1 }"
table <bruteforce> persist file "/mnt/store/hacks/bruteforce"
#
# These are all of the other interfaces
set skip on lo0
# do not filter bridge0 and any VM interfaces
set skip on bridge0
set skip on epair0a
set skip on epair1a
set skip on epair2a
set skip on epair3a
set skip on epair4a
set skip on epair5a
set skip on epair6a
set skip on epair7a
set skip on epair8a
set skip on epair9a
set block-policy return
scrub in all
# Lock it down
block in all
block out all
# Block BAD IPs
block quick from <bruteforce>
# Allow traffic in for ssh
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 2/5, overload <bruteforce> flush global)
# Allow traffic in for web - delete or comment out if you don't want web traffic
#pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state
#pass in on $ext_if proto tcp from any to any port 443 flags S/SA keep state
# Allow LAN traffic to connect to FreeNAS
pass in on $ext_if from 10.0.4.0/24 to any keep state
# Allow traffic out from the LAN
pass out on $ext_if from any to any keep state
# DHCP: the client request goes out from port 68 to port 67 (covered by the
# stateful pass out below); server replies come back from port 67 to port 68
pass out quick on $ext_if proto udp all keep state
pass in quick on $ext_if proto udp from $dhcp_servers port = 67 to port = 68
# allow local traffic
pass in quick on $ext_if inet proto tcp from 10.0.4.0/24 to any port 548 keep state label "AFP"
Once the pf.conf file is changed, reload the new configuration with:
sudo service pf reload
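The failure above is silent: a jail whose epair interface is not in the skip list simply never gets a lease. As an added check (not part of the original post), this script lists the host-side epair*a interfaces that a given pf.conf does not "set skip on"; it assumes pf.conf uses "set skip on X" or "set skip on { X Y }" lines, that a bare group name "epair" in a skip line covers every epair interface (pf interface-group semantics), and all paths and sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: list the host-side jail interfaces
# (epair<N>a) that pf.conf does NOT "set skip on", i.e. the ones pf would still
# filter and whose jails would therefore lose DHCP exactly as described.
# Assumptions: pf.conf uses "set skip on X" or "set skip on { X Y }" lines, and
# a bare group name "epair" in a skip line covers every epair interface
# (pf interface-group semantics). All paths and sample data are constructed.

# Print every interface name that pf.conf ($1) skips, one per line.
skipped_ifaces() {
    sed -n 's/#.*//; s/^[[:space:]]*set[[:space:]]\{1,\}skip[[:space:]]\{1,\}on[[:space:]]\{1,\}//p' "$1" \
        | tr -d '{}' | tr -s ' \t' '\n' | sed '/^$/d'
}

# Print epair*a names from the interface list ($2, "ifconfig -l" format) that
# pf.conf ($1) does not skip. Returns 0 if every jail interface is skipped,
# 1 if at least one is still being filtered.
unskipped_epairs() {
    ue_skips=$(skipped_ifaces "$1")
    # A group entry ("set skip on epair") already covers all current and
    # future epair interfaces, so nothing can be missing.
    if printf '%s\n' "$ue_skips" | grep -qx 'epair'; then
        return 0
    fi
    ue_missing=0
    for ue_if in $2; do
        case "$ue_if" in
            epair*a)
                if ! printf '%s\n' "$ue_skips" | grep -qx "$ue_if"; then
                    echo "$ue_if"
                    ue_missing=1
                fi ;;
        esac
    done
    return $ue_missing
}

# Stand-alone use on the FreeNAS host:  sh check_pf_skip.sh /etc/pf.conf
if [ "$#" -eq 1 ]; then
    if unskipped_epairs "$1" "$(ifconfig -l)"; then
        echo "every epair*a interface is skipped by pf"
    else
        echo "the interfaces above are still filtered by pf; add 'set skip on' for them and reload pf" >&2
        exit 1
    fi
fi
```

Run it before and after editing pf.conf; an empty list with exit status 0 means the jail interfaces are no longer filtered.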