SOLVED How to set Separate VLAN for Jail ?

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
RESOLVED - see post #4

Hi,
I am scratching my head over how to set a separate VLAN for my jail. Below is a diagram of the current setup with the desired jail config. Basically I have two VLANs defined on the router. Each VLAN has its own network and DHCP server. The router is connected to my HP ProCurve switch and the port is set to TRUNK mode with both VLANs tagged. Aside from the other devices connected to the switch, my FreeNAS box is there as well. The port for FreeNAS has VLAN7 set as Untagged and VLAN3 as Tagged.

- FreeNAS NIC has IP 10.0.7.13 assigned via DHCP because of the Untagged VLAN flag.
- The jail is supposed to be on VLAN3 and should get an IP assigned from the 10.0.3.1 gateway because its traffic is supposed to be tagged as VLAN3 - this is where I am stuck ...

[Diagram: FN_network_resize.png]


Scenario 1 - All OK but not desired

- No VLANs
- epair0b gets IP from 10.0.7.1 network as there is no tagging so it falls under VLAN7

Scenario 2:
- Created VLAN3 interface with VLAN ID "3" and parent NIC as "igb0" and assigned some IP from the same subnet

I was thinking about simply assigning this virtual NIC to the jail, but the "NIC" drop-down is greyed out if VIMAGE is enabled. If I disable VIMAGE I see only physical NICs, not the virtual VLAN one. I don't see any possibility in the GUI, so it looks like it has to be done manually.

I've added vlan3 to bridge0. After doing so I GOT an IP from the DHCP server on the VLAN3 network (cool!); unfortunately I am not able to access anything outside my local network. I am not even able to ping the gateway on the same network I got the IP from.

Host (FreeNAS) setup (other brX and lo0 excluded):
Code:
#Ifconfig:
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM>
  ether 00:25:90:XX:XX:XX
  inet 10.0.7.13 netmask 0xffffff00 broadcast 10.0.7.255
  nd6 options=9<PERFORMNUD,IFDISABLED>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether 00:25:90:XX:XX:XX
  inet 10.0.3.89 netmask 0xffffff80 broadcast 10.0.3.127
  nd6 options=9<PERFORMNUD,IFDISABLED>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
  vlan: 3 parent interface: igb0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether 02:58:c0:c0:68:00
  nd6 options=1<PERFORMNUD>
  id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
  maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
  root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
  member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 6 priority 128 path cost 2000
  member: vlan3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 4 priority 128 path cost 20000
  member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  ifmaxaddr 0 port 1 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=8<VLAN_MTU>
  ether 02:ff:20:00:06:0a
  nd6 options=1<PERFORMNUD>
  media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
  status: active

#Routing tables
Destination  Gateway  Flags  Netif Expire
default  10.0.7.1  UGS  igb0
10.0.3.0/25  link#4  U  vlan30
10.0.3.89  link#4  UHS  lo0
10.0.7.0/24  link#1  U  igb0
10.0.7.13  link#1  UHS  lo0
127.0.0.1  link#3  UH  lo0


Jail setup (lo0 excluded):
Code:
#Ifconfig:
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=8<VLAN_MTU>
  ether 32:5e:39:26:37:43
  inet 10.0.3.50 netmask 0xffffff00 broadcast 10.0.3.255
  nd6 options=9<PERFORMNUD,IFDISABLED>
  media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
  status: active


Basically I got an IP from DNS on the 10.0.3.1 gateway but I cannot reach it (can't even ping) or anything on the network. What I CAN ping is the IP of the VLAN3 interface (10.0.3.89). What am I missing there? Some static route on the host (NAS)? But which one?

Also I am not quite confident that this is the proper way from a security perspective - having everything in one bridge (where other jails will be added as well) doesn't look OK. An interface in a bridge is set into promiscuous mode so it can receive every packet on the network. I don't care if the host system (NAS) can inspect every single packet (well, it has to, as it is the host system with the physical NIC), but my concern is whether whatever is inside the jail can get anything from the host system or another jail (on a different subnet/VLAN). Consider the fact that the security on the router does not allow that and the jail is actively isolated by FW rules from the rest of the local networks.

I've searched a bit and found some crumbs but still haven't figured out how to really have a separate VLAN for the jail. Note that I want to keep jail traffic isolated from the host NAS (for security purposes), so it has to be on a different VLAN/network.

Sources I worked with:
https://forums.freenas.org/index.php?threads/vm-networking-vlan-tagging.48716/ // Corral-related, not much usable as there is bhyve in play
https://forums.freenas.org/index.ph...s-multi-jails-freenas-routing-question.39047/ // This was the closest situation but I got lost in between as there is LACP in play. Also the OP mentioned that the issue is with FreeNAS itself and that it works on pure FreeBSD (?)
http://shawndebnath.com/articles/2016/03/27/freebsd-jails-with-vlan-howto.html // This is basically similar to my "Scenario 1". Host and jail on the same subnet/VLAN. This works straight out of the box but is not my desired case :/
http://www.freebsd.cz/doc/handbook/network-bridging.html
http://www.freebsd.cz/doc/handbook/network-vlan.html
https://gathering.tweakers.net/forum/list_messages/1693573 // Thread is in Dutch so I've used Google Translate for the whole page. Not sure if the content was translated properly.
++ a bunch of local threads regarding VLANs

Thank you in advance for help!

Alex
 

Junicast

Patron
Joined
Mar 6, 2015
Messages
206
As far as I know this just won't work. I've been waiting for ages for FreeNAS to flawlessly work in 802.1Q environments together with bridges with jail or bhyve guests.
FreeNAS Corral btw worked nearly perfectly in that regard.
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
Well, since I am able to get an IP from DHCP on the router from the proper network (10.0.3.0/24), the VLAN tagging seems to work (otherwise I would get an IP from 10.0.7.0/24). I really think that I am just missing some static route. I've updated the first post with my routing table.

When I check routes from the jail there is something weird going on...
Code:
root@test3:/ # netstat -nr
netstat: no namelist

root@test3:/ # cat /etc/resolv.conf
# Generated by resolvconf
nameserver 10.0.3.1

root@test3:/ # route add default 10.0.3.1
route: writing to routing socket: File exists
add net default: gateway 10.0.3.1 fib 0: route already in table

Whaaat the heck? I was looking for some answers and one discussion I found says that the binaries are different between host and jail? Could this be the cause?

Code:
[root@HolyNAS] ~# ls -la /usr/bin/netstat
-r-xr-sr-x  1 root  wheel  135528 Feb 19 12:55 /usr/bin/netstat*

root@test3:/ # ls -la /usr/bin/netstat
-r-xr-sr-x  1 root  kmem  159504 Sep 27  2013 /usr/bin/netstat

I guess this would not be the cause of the outer network not being reachable, but at least I could see the routes inside the jail.



Side-note regarding Corral: no way I'm going that way. I have an encrypted pool (I have to - company data) so I wouldn't risk it at all.
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
Seems like I made it! The thing is that when the jail is started, FreeNAS assigns the default NIC to the bridge together with the epairXa interface. We need to have the VLAN one in the bridge instead. This cannot be done in the GUI, so we need to do it manually. Instead of messing directly with the interfaces, just specify the host NIC for the jail so FreeNAS handles the rest (routes, epair, bridge, ... etc.) automatically.

Here is how to:
- Stop the jail(s) (destroy the bridge0 leftover if any vlanX was added manually - like I did ... just issue ifconfig bridge0 destroy)
- Create the VLAN interface via the GUI (Network -> VLANs) and assign an IP (Network -> Interface -> vlanX)
- Go to Jails and choose either DHCP or define a static IP + GW of your network. Save the config but don't start the jail yet.
- SSH in or open the host console and go to /<path_to_jail_storage>/.<jail_name>.meta
(Example: /mnt/temp_pool/jails/.test3.meta )
- Create a file named "iface" and insert the name of the VLAN in it
Code:
touch iface
echo "vlan3" > iface

- Go back to the Jails section and start the jail
- You should now have traffic from the jail tagged with the defined VLAN ID.

Host ifconfig for vlan and bridge ... see there is vlan + epairXa
Code:
vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether 00:25:90:XX:XX:XX
  inet 10.0.3.89 netmask 0xffffff80 broadcast 10.0.3.127
  vlan: 3 parent interface: igb0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  ether 02:58:c0:c0:68:00
  member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  member: vlan3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>


And here is the tcpdump on igb0 (host physical interface) when issuing "ping google.com" from the jail ...
Code:
Frame 12: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: 32:5e:39:XX:XX:XX (32:5e:39:XX:XX:XX), Dst: Routerbo_YY:YY:YY (d4:ca:6d:YY:YY:YY)
Destination: Routerbo_YY:YY:YY (d4:ca:6d:YY:YY:YY)
Address: Routerbo_YY:YY:YY (d4:ca:6d:YY:YY:YY)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 32:5e:39:XX:XX:XX (32:5e:39:XX:XX:XX)
Address: 32:5e:39:XX:XX:XX (32:5e:39:XX:XX:XX)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 3
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = CFI: Canonical (0)
.... 0000 0001 1110 = ID: 3
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.3.50, Dst: 216.58.201.78
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 84
Identification: 0x9298 (37528)
Flags: 0x00
Fragment offset: 0
Time to live: 64
Protocol: ICMP (1)
Header checksum: 0x1e56 [validation disabled]
[Header checksum status: Unverified]
Source: 10.0.3.50
Destination: 216.58.201.78

There is one thing which I don't understand ... there was a feature request #3909 a few years ago to allow assigning a VLAN interface for jails via the GUI. That request was closed as follows:
Updated by Jordan Hubbard over 2 years ago
  • Status changed from Screened to Not To Be Fixed

Clearly not happening...

I wonder why? Is this approach somehow bad? Insecure? (How?) Or is it just not intended to be possible via the GUI?
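An added example (my own Python, not code from HolyK's post or from FreeNAS) that checks for the bridge mistake from Scenario 2 in the first post: it parses ifconfig output and flags a bridge that contains both a vlan(4) interface and that VLAN's parent NIC, which is the layout that puts a jail on the untagged VLAN and the tagged VLAN at the same time; the working bridge from this post (epair0a + vlan3 only) passes. The ifconfig text inside is constructed from the interfaces shown in this thread.

```python
"""Audit FreeBSD/FreeNAS bridge membership for VLAN-isolation mistakes.

Added example, not from the original thread. A jail's epairXa sits in a
bridge; if that bridge also holds a vlan(4) interface AND the vlan's
parent NIC, the bridge forwards the jail's frames out untagged on the
parent as well as tagged on the vlan, so the jail straddles both VLANs.
"""
import re

# Constructed sample: the "Scenario 2" bridge (epair0a + vlan3 + igb0).
SCENARIO2_IFCONFIG = """\
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  inet 10.0.7.13 netmask 0xffffff00 broadcast 10.0.7.255
vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  inet 10.0.3.89 netmask 0xffffff80 broadcast 10.0.3.127
  vlan: 3 parent interface: igb0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  member: vlan3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

# Constructed sample: the working bridge after the "iface" fix (epair0a + vlan3).
FIXED_IFCONFIG = """\
vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
  inet 10.0.3.89 netmask 0xffffff80 broadcast 10.0.3.127
  vlan: 3 parent interface: igb0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
  member: vlan3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
MEMBER_RE = re.compile(r"^\s+member: (\S+)")
VLAN_RE = re.compile(r"^\s+vlan: (\d+) parent interface: (\S+)")


def parse_ifconfig(text):
    """Return (bridges, vlans): bridge -> [members], vlan iface -> (id, parent)."""
    bridges, vlans, current = {}, {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:                      # start of a new interface block
            current = m.group(1)
            if current.startswith("bridge"):
                bridges[current] = []
            continue
        m = MEMBER_RE.match(line)
        if m and current in bridges:
            bridges[current].append(m.group(1))
            continue
        m = VLAN_RE.match(line)
        if m and current:
            vlans[current] = (int(m.group(1)), m.group(2))
    return bridges, vlans


def audit_bridges(text):
    """Return a list of findings; an empty list means no VLAN/parent mixing."""
    bridges, vlans = parse_ifconfig(text)
    findings = []
    for bridge, members in bridges.items():
        for member in members:
            if member in vlans and vlans[member][1] in members:
                vid, parent = vlans[member]
                findings.append(
                    f"{bridge}: {member} (VLAN {vid}) and its parent {parent} are "
                    f"both members; jail traffic spans the untagged VLAN on "
                    f"{parent} and VLAN {vid}"
                )
    return findings


if __name__ == "__main__":
    for label, text in (("scenario 2", SCENARIO2_IFCONFIG), ("fixed", FIXED_IFCONFIG)):
        print(label, "->", audit_bridges(text) or ["ok"])
```

On a live host, feed it `ifconfig` output instead of the constructed samples; it reports nothing for the bridge shown in this post.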
 

Junicast

Patron
Joined
Mar 6, 2015
Messages
206

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
I was about to do so but you were faster, thanks :]
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,970
@HolyK
This is a nice piece of data on how to get VLANs to work in a FreeNAS jail. I hope I remember it at a later date.
 

kgmoney

Cadet
Joined
May 4, 2016
Messages
8
Yes! I have been looking for this info for a year! Thank-you for sharing!
 

SaskiFX

Dabbler
Joined
Mar 18, 2015
Messages
27
As a note: I also had to assign a default gateway to get this working as intended. I went and added a file called defaultrouter-ipv4 to the same location as the iface file. Just put in the IP of the gateway/router.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
I wonder why? Is this approach somehow bad? Insecure? (how?) Or just not intended to be possible to do via GUI ?
My opinion is that Jordan did not like jails and did not want any further development put towards them. Again that's just my opinion.
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
(Quoting HolyK's post #4 above in full: "Seems like i made it! ... Or just not intended to be possible to do via GUI ?")

Hmm... Doesn't seem to work in FreeNAS 11-U4 for some reason?!?! I did exactly as you wrote, but it never reaches my router
 

StarkJohan

Explorer
Joined
Mar 27, 2015
Messages
62
I've been struggling with the same problem for the last year or so as well. I ended up solving it by a workaround forcing a jail to use a specific default router on a different subnet and iocage as the jail handler. This worked fine until I updated to FreeNAS 11.0-U4 (from U2). Something has definitely changed with the jail networking in U4. Downgraded to U2 and the problem remained...

HolyK, is your system updated to U4? If so, does your VLAN tagging still work?

I'm hoping for a simple GUI solution for VLAN tagging jails in 11.1...
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
Sorry guys, I still have "FreeNAS-9.10.2-U1 (86c7ef5)" and currently I don't have enough time to do the upgrade + handle all the new things :/ ...

Anyway, I 100% agree that there should be some user-friendly way for VLAN tagging.
 

StarkJohan

Explorer
Joined
Mar 27, 2015
Messages
62
Hoping for a big update of the bundled iocage and jail networking in 11.1. Personally I think I'll be waiting a few weeks for 11.1 to reach a stable state before making the jump.
 

HolyK

Ninja Turtle
Moderator
Joined
May 26, 2011
Messages
653
My box went down today (my 1-year-old son found the power button on the UPS :eek:). Luckily no damage was done, but my jails were not picking up IPs from DHCP. Startup of the jails took quite long and after they started they did not have proper IPs. Also no VLAN tag on the epair-b interface and the outside world was not reachable. I had to destroy the VLAN interface via the GUI and create it again with the same values. After that the jails started up and got IPs just fine with proper tags. I suppose something regarding the VLAN interface does not survive a system reboot - either it is not written properly in the config or it gets corrupted. o_O
 

Tyrannus

Dabbler
Joined
Aug 20, 2016
Messages
16
Thanks HolyK for the guide on how to get this working with Warden.

It turns out the iface file gets content wiped when a jail stops. You don't need to recreate the VLAN interface in the GUI, you just need to have the iface file populated with your VLAN for the NIC again.

Another tip for those who want to get this to work: I also needed to have static routes set up for the VLAN I was using.

Further, if you are not using DHCP for your Warden jails, you will need to set the gateway directly in the network settings of the jail as well as manually editing /etc/resolv.conf for DNS in the jail itself.

This is how I got it to work in 11.1-U4.

Does anyone know if iocage has made this simpler? I'm not ready to migrate to iocage yet (mostly because I can't edit bits of pieces of those jails like I can with the old UI and Warden) but if it will make networking easier then I'm all for it.
 

mihanson

Cadet
Joined
Apr 8, 2018
Messages
2
Here's my outline of how I achieved this in 11.1-U4 with all-static network addresses. I am by no means a professional and I have no background in IT and especially networking. I consider myself a "power user" who is self taught through the school of "hard computing knocks." With that said, I'm more than happy to learn and correct anything I may do incorrectly or learn a better way.

For reference this is for my home network and I'm working with the following:

ASRock Rack C236WSi
32 GB ECC RAM
Intel i3-6100
Intel X520 10G Fiber Network Card (LACP lagg)
Mirrored SSD's for OS
6 x 8TB Seagate Iron Wolf Drives in paired mirrors

Ubiquiti Unifi USG3P router/gateway
Ubiquiti Unifi USW-48 switch (non-POE)
Ubiquiti Unifi USW-8 switch
Ubiquiti Unifi APs

Here's the outline (numbering is a little messed up from the copy/paste, but you should be able to follow it linearly):
  1. Set FreeNAS to static IP [Optional]
    1. Set Default Gateway [Optional if you have a static route set for its subnet already]
    2. Set DNS Server(s) [Local or Remote DNS servers]
  2. Add VLANs (Network → VLANs → Add VLAN)
  3. Configure VLAN Interfaces (Network → Interfaces)
    1. IPv4 Address: [empty]
    2. Options: up [Possibly may need mtu 1496 as well to account for the 4-byte VLAN header, but I did not.]
  4. Add system tunables (System → Tunables → Add Tunable)
    1. Set up routing tables
      1. Variable: net.fibs, Value = 4 [max 16], Type: loader
      2. Variable: net.add_addr_allfibs, Value = 0 [disables sharing routing table across fibs], Type: sysctl [Older docs had this as a loader, but this does not work as a loader on boot.]
    2. Set static route for each VLAN (Network → Static Routes → Add Static Route)
      1. Destination Network: 192.168.XX.0/24 (or other netmask)
      2. Gateway: 192.168.XX.1
  5. Reboot for fibs to take hold
  6. Bind GUI to FreeNAS management subnet (System → General)
    1. WebGUI IPv4 Address: 192.168.XX.XX
  7. Set up jail networking
    1. Stop Jail
    2. Edit Jail (Advanced Mode)
      1. Uncheck DHCP (if checked)
      2. Uncheck VIMAGE (if checked)
      3. Uncheck NAT (if checked)
      4. NIC: vlanXX
      5. Set IPv4 Address in correct subnet: 192.168.XX.xx
      6. Set subnet mask: /24 (255.255.255.0) [or whatever is appropriate]
      7. Save
    3. Start the Jail
  8. Check jail routing and connectivity
    1. ssh into Jail
      1. Edit /etc/resolv.conf: search [your local lan, for me, simply "lan" (no quotes)]; nameserver [your favorite nameserver(s) here]
      2. ping ping.ubnt.com
    2. ssh into main FreeNAS installation
      1. $ sudo netstat -rn [to see routing table]
      2. $ sudo tcpdump -n -i lagg0 -e '( ether[12:2] = 0x8100 and ether[15] = XX )' where 'XX' is the vlan you are testing. In the output you should see:
Code:
09:23:52.942166 [MAC Address] > [MAC of main FreeNAS interface], ethertype 802.1Q (0x8100), length 102: vlan XX, p 0, ethertype IPv4, 52.85.58.13 > 192.168.XX.xx: ICMP echo reply, id 387, seq 23, length 64


Hope this can help someone.

Mike
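An added example in Python, not part of mihanson's post or of FreeNAS: it builds an 802.1Q-tagged frame like the one in the Wireshark dissection earlier in the thread (VLAN 3, IPv4 inside; the low MAC bytes are placeholders) and compares the post's tcpdump byte filter (ether[12:2] = 0x8100 and ether[15] = XX) with a decode of the full 12-bit VLAN ID, which shows that the byte filter is exact only for VLAN IDs below 256.

```python
"""Decode the 802.1Q tag of an Ethernet frame and reproduce the tcpdump
filter used in the post. Added example, not from the original thread."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(dst, src, vlan_id, prio=0, dei=0,
                       ethertype=ETHERTYPE_IPV4, payload=b""):
    """Build an 802.1Q frame: dst, src, TPID 0x8100, TCI, inner ethertype, payload.
    The TCI packs PRI (3 bits), CFI/DEI (1 bit) and the 12-bit VLAN ID, the
    three fields Wireshark lists under "802.1Q Virtual LAN" in the thread."""
    tci = ((prio & 0x7) << 13) | ((dei & 0x1) << 12) | (vlan_id & 0xFFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def decode_tag(frame):
    """Return (priority, dei, vlan_id, inner_ethertype), or None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci, inner = struct.unpack("!HHH", frame[12:18])
    if tpid != ETHERTYPE_VLAN:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0xFFF, inner


def post_filter_matches(frame, vlan_id):
    """Byte-for-byte equivalent of the post's tcpdump expression
    '( ether[12:2] = 0x8100 and ether[15] = XX )'. ether[15] is only the low
    byte of the TCI, so the test is exact for VLAN IDs below 256 and
    ambiguous above that (VLAN 259 = 0x103 also has low byte 3)."""
    return frame[12:14] == b"\x81\x00" and frame[15] == vlan_id


def exact_filter_matches(frame, vlan_id):
    """What tcpdump's 'vlan <id>' primitive checks: the full 12-bit VLAN ID."""
    tag = decode_tag(frame)
    return tag is not None and tag[2] == vlan_id


# Constructed sample frames modelled on the dissection in the thread;
# the low MAC bytes are placeholders, not addresses from the page.
DST_MAC = bytes.fromhex("d4ca6d000000")   # router ("Routerbo_" in the dissection)
SRC_MAC = bytes.fromhex("325e39000000")   # jail side of the epair
FRAME_VLAN3 = build_tagged_frame(DST_MAC, SRC_MAC, 3)
FRAME_VLAN259 = build_tagged_frame(DST_MAC, SRC_MAC, 259)
FRAME_UNTAGGED = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)

if __name__ == "__main__":
    print(decode_tag(FRAME_VLAN3))                  # (0, 0, 3, 2048)
    print(post_filter_matches(FRAME_VLAN259, 3))    # True: low-byte check is fooled
    print(exact_filter_matches(FRAME_VLAN259, 3))   # False
    print(decode_tag(FRAME_UNTAGGED))               # None
```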
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
(Quoting mihanson's post above in full: "Here's my outline of how I achieved this in 11.1-U4 with all-static network addresses. ... Hope this can help someone. Mike")
Good write-up and info. But that's great bhyve ? That's changing slowly to iocage ;(
Now how to do it in iocage hehe


 

mihanson

Cadet
Joined
Apr 8, 2018
Messages
2
Good write and info. But that's great bhyve ? That's changing slowly to iocage ;(
Now how to do it in iocage hehe

If bhyve is what's used by default in FreeNAS 11, then yes. I have dutifully obeyed the warnings to (mostly) only do things in the GUI. :D

Mike
 

Kennyvb8

Contributor
Joined
Mar 18, 2017
Messages
112
If bhyve is what's used by default in FreeNAS 11, then yes. I have dutifully obeyed the warnings to (mostly) only do things in the GUI. :D

Mike

Iocage is in the new (beta) UI and bhyve in the old.
Both have cli


 