SOLVED FreeNAS Jail can't obtain IP from DHCP

Status
Not open for further replies.

ZDima (Cadet) - Joined Jul 22, 2017 - Messages: 1
Hello everyone,

Recently I spent a lot of time trying to set up jails with DHCP.
For some unknown reason, the jail wouldn't get an IP from the DHCP server.

Because the solution was so simple, I want to share this story, and I hope it can save some time for someone who might have a similar issue.

I have a simple setup with a single NIC and a router with DHCP services. All works great except jails - no network. Apparently, my problem was in the firewall rules.

One of the first things I did when I built the FreeNAS server was setting up a pf firewall to block brute-force attempts to log in to FTP and SSH. This blocked the DHCP traffic between the router and the jails.

The DHCP "pass in" and "pass out" rules worked only for my primary interface, which happily uses DHCP. However, pf was filtering everything else on the epair[0-9]a interfaces.

The solution was simple - add "set skip on epair*" to pf.conf for each VM interface:

Code:
# change this to match your primary ethernet interface, re0 or em0 are common, but there are others
# change 10.0.4.0/24 and 10.0.4.1 below to match your LAN and your DHCP server (the router)
#
ext_if="re0"
dhcp_servers = "{ 10.0.4.1 }"
# addresses that trip the SSH rate limit below; "persist file" keeps the table across reloads
table <bruteforce> persist file "/mnt/store/hacks/bruteforce"
#
# These are all of the other interfaces
set skip on lo0
# do not filter bridge0 and any VMs interfaces
# note: a skipped interface is not filtered at all, so none of the rules below apply to jail traffic
set skip on bridge0
set skip on epair0a
set skip on epair1a
set skip on epair2a
set skip on epair3a
set skip on epair4a
set skip on epair5a
set skip on epair6a
set skip on epair7a
set skip on epair8a
set skip on epair9a
set block-policy return
scrub in all
# Lock it down
block in all
block out all
# Block BAD IPs (quick: wins over the pass rules below)
block quick from <bruteforce>
# Allow traffic in for ssh; a source with more than 5 open connections, or more than 2 new ones in 5 seconds, goes into <bruteforce>
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 2/5, overload <bruteforce> flush global)
# Allow traffic in for web - delete or comment out if you don't want web traffic
#pass in on $ext_if proto tcp from any to any port 80 flags S/SA keep state
#pass in on $ext_if proto tcp from any to any port 443 flags S/SA keep state
# Allow LAN traffic to connect to FreeNAS
pass in on $ext_if from 10.0.4.0/24 to any keep state
# Allow traffic out from the LAN
pass out on $ext_if from any to any keep state
# DHCP: the client sends from port 68 to the server's port 67; the server answers from port 67 to port 68
pass out quick on $ext_if proto udp all keep state
pass in quick on $ext_if proto udp from $dhcp_servers port = 67 to port = 68
# allow local traffic
pass in quick on $ext_if inet proto tcp from 10.0.4.0/24 to any port 548 keep state label "AFP"


Once the pf.conf file is changed, reload the new configuration with:

sudo service pf reload
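As an added example that is not part of ZDima's post: a small FreeBSD sh script that generates the "set skip on" lines from the host's interface list instead of typing epair0a through epair9a by hand, splices them into an existing pf.conf, and dry-runs the result with pfctl -nf before reloading, so a typo cannot leave the box without a rule set. The interface list used at the bottom is constructed for offline use; the script assumes FreeBSD's pfctl and "service pf reload" and the default /etc/pf.conf path.

```shell
#!/bin/sh
# Added example, not from the original post. Generates "set skip on" lines for
# lo0, bridgeN and the host side of every jail epair (epairNa), splices them
# into a pf.conf, checks the file with a pfctl dry run, and only then reloads.
# Assumes FreeBSD pf (pfctl, "service pf reload") and /etc/pf.conf by default.

# Emit "set skip on <if>" for each argument that pf should not filter:
# loopback, bridges, and the host end (epairNa) of a jail's epair pair.
# epairNb lives inside the jail, so it never shows up in the host's list.
skip_lines() {
    for ifn in "$@"; do
        case "$ifn" in
            lo0|bridge[0-9]*|epair[0-9]*a) printf 'set skip on %s\n' "$ifn" ;;
        esac
    done
}

# Same thing from the live system: "ifconfig -l" prints every interface
# name on one line, which word-splits into the arguments above.
live_skip_lines() {
    skip_lines $(ifconfig -l)
}

# Print $1 (an existing pf.conf) with every old "set skip on" line removed
# and a fresh block, built from the remaining arguments, inserted before the
# first "set" option (after the macro and table definitions).
with_skip_block() {
    conf="$1"; shift
    block=$(skip_lines "$@")
    awk -v block="$block" '
        /^set skip on / { next }                  # drop stale skip lines
        !done && /^set / { print block; done=1 }  # insert before first option
        { print }
        END { if (!done) print block }            # no "set" line: append
    ' "$conf"
}

# pfctl -n parses the file without loading it; reload only if that passes.
reload_pf() {
    conf="${1:-/etc/pf.conf}"
    if pfctl -nf "$conf"; then
        service pf reload
    else
        echo "$conf did not parse; not reloading" >&2
        return 1
    fi
}

# Constructed sample interface list for offline use: re0 is the NIC and
# pflog0 is pf's own logging interface, neither of which should be skipped.
SAMPLE_IFLIST="re0 lo0 bridge0 epair0a epair1a pflog0"
skip_lines $SAMPLE_IFLIST
```

Typical use on the host is `with_skip_block /etc/pf.conf $(ifconfig -l) > /tmp/pf.conf.new`, a look at the diff, then `reload_pf /tmp/pf.conf.new` once it is copied into place. Keep in mind what "set skip" means: pf does not look at those interfaces at all, so the SSH rate limit and the bruteforce table above protect only services on the host's own NIC, not anything listening inside a jail.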
 