How to setup Jail to use VLAN IP

lela_tabathy

Dabbler
Joined
Nov 15, 2020
Messages
12
I'm trying to achieve the following:
I have Plex Media Server installed in a Jail on my FreeNAS system. I need the IP of Plex to be in a different subnet than my FreeNAS IP.

My setup:
My router is a FritzBox which is connected to my UniFi 24 PoE switch, to 2 ports: one is for the main network, the other is configured as the guest network, and a VLAN is set up in the switch. My FritzBox does not support VLANs so I had to go this route.

So I have two networks, 192.168.178.x (main network) and my guest network 192.168.189.x (this range gets assigned by the FritzBox automatically).

My FreeNAS is hooked up to the main network, but my TV is hooked up to the Guest network. I need my Plex Server to be part of the Guest network as well.

How can I achieve this? I tried simply changing the IP of my jail and thus my Plex plugin, and the IP does get registered in my UniFi Controller; but my FritzBox still assigns the main network IP to Plex, kind of obviously, because it is using the network interface on the FreeNAS box that is connected to the main network.

Since the port on the switch the FreeNAS is connected to is tagged with All networks, I would assume there is a way to achieve this using Vnet settings in the jail? But I lack the knowledge to properly configure this. I basically need Plex to use a virtual network interface that connects to my VLAN.
Thanks for your help!
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Does your FreeNAS system have two network interfaces? In that case I can guide you through the necessary setup, although it's almost bedtime around where I live and that will probably take until tomorrow to resolve.

You can of course use VLANs but the Fritzbox does not use tagged frames for its guest network so it is really just that single other Ethernet port or WLAN SSID and that is that. Using VLANs in combination with your switch is possible but it complicates the setup of your jail quite a bit. No problem, I know how to do that, too.

But the most simple way would be
  • two switches or a switch that supports port based VLANs, so you can just group ports into two different networks
  • a separate interface of your NAS for your jail
HTH, please report back, I'm happy to help. This seems to have become one of my main areas of expertise here ... :wink:
 

lela_tabathy

Hi Patrick, thank you for being willing to help me. It was already bedtime where I live, so I didn't reply straight away ;-)

Anyways, I've attached a drawing of my setup. I do have an additional 10G NIC but I'm using both ports for direct connection to my workstations, so I'm not sure if the described route would work?

As an additional point, I am considering getting a UniFi Dream Machine which has the UniFi USG inside. So I would reduce my FritzBox to a DSL modem and have the USG do the routing, which as I understand it would make it possible to do a lot more adjustments / handle VLANs properly. I don't know if that would make things easier?

Again, thank you for your help.
 

Attachments

  • Screenshot 2021-04-23 at 09.55.38.png

Patrick M. Hausen

If you could connect to the UI from one of the systems labelled "PC" or "Mac" that would be great.

Steps:
  • configure the switch port as a trunk port (only tagged frames)
  • remove the IP address from igb0, only put "up" in the options field
  • create your VLANs as needed with igb0 as the parent
  • create a bridge interface for each VLAN that should serve jails and/or VMs, make the VLAN the only member interface
  • put the IP configuration on the bridge interfaces - if there is one. If the VLAN only serves jails and there is no connection to the NAS itself, you don't need one
  • for the jail change "auto" in "vnet default interface" to "none"
  • for the jail in the advanced options assign the bridge matching your desired VLAN to epair0b
  • you can have more than one interface per jail and make the jail be in two VLANs if desired - just "add", assign another bridge to epair1b
Don't run tagged and untagged traffic on igb0 - that doesn't work with the FreeBSD bridge interface. You must run all VLANs tagged on that port. And if the NAS has got an IP address for itself in a particular VLAN, the IP configuration must go on the bridge interface, not the VLAN interface.
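
The layout rules in the steps above can be checked mechanically. The following is an added example, not part of the original posts: a shell function that reads `ifconfig` output and flags an IP address on the trunk parent or on a VLAN interface, the parent bridged untagged, and a bridge that joins two VLANs. The sample output, the VLAN IDs 10 and 20, and the host addresses are constructed for illustration.

```shell
# Added example: audit ifconfig output against the trunk/VLAN/bridge rules above.
# On the NAS itself: ifconfig | audit_layout igb0
audit_layout() {
    awk -v parent="$1" '
    /^[^ \t]/ { ifc = $1; sub(/:$/, "", ifc); next }        # "igb0: flags=..." starts an interface
    $1 == "inet" { ip[ifc] = $2 }                           # IPv4 address configured on ifc
    $1 == "vlan:" && $NF == parent { isvlan[ifc] = 1 }      # tagged VLAN riding on the trunk
    $1 == "member:" { if ($2 == parent) direct[ifc] = 1; members[ifc] = members[ifc] " " $2 }
    END {
        if (parent in ip) { print "FAIL " parent ": IP on trunk parent (untagged traffic)"; bad = 1 }
        for (v in isvlan) if (v in ip) { print "FAIL " v ": IP belongs on the bridge, not the VLAN"; bad = 1 }
        for (b in direct) { print "FAIL " b ": bridges " parent " untagged"; bad = 1 }
        for (b in members) {
            n = split(members[b], m, " "); c = 0; for (k = 1; k <= n; k++) if (m[k] in isvlan) c++
            if (c > 1) { print "FAIL " b ": joins " c " VLANs into one segment"; bad = 1 }
        }
        exit bad + 0
    }'
}
# Constructed sample: layout that follows the steps (NAS address only on the main-network bridge).
sample_good() { cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 10 vlanpcp: 0 parent interface: igb0
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 20 vlanpcp: 0 parent interface: igb0
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.178.5 netmask 0xffffff00 broadcast 192.168.178.255
        member: vlan10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vlan20 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
}
# Constructed sample with three violations: IP on igb0, IP on vlan20, one bridge joining both VLANs.
sample_bad() { cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.178.5 netmask 0xffffff00 broadcast 192.168.178.255
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 10 vlanpcp: 0 parent interface: igb0
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 20 vlanpcp: 0 parent interface: igb0
        inet 192.168.189.5 netmask 0xffffff00 broadcast 192.168.189.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vlan10 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: vlan20 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
EOF
}
sample_good | audit_layout igb0 && echo "sample_good: layout OK"
```

Only IPv4 (`inet`) lines are checked, and jail-side epair members on a bridge are ignored because they are not VLAN interfaces.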
 

lela_tabathy

Thank you Patrick, I will give this a try and hopefully I won’t break anything.
Just so I understand: Will I afterwards still be able to access my FreeNAS via the previous IP I am to remove from igb0 in Step 2?
I also have a jail set up as a reverse proxy and a Nextcloud jail, both have IPs from the main network (not the VLAN). Won’t those be affected if I remove the IP settings from the interface?

Thank you!
 

lela_tabathy

I've tried setting it up like this but I'm stuck at:
  • for the jail in the advanced options assign the bridge matching your desired VLAN to epair0b
I'm not finding an option for that, where do I need to configure this exactly? I've tried setting it up like in the attached screenshots, but it doesn't seem to work.
 

Attachments

  • Screenshot 2021-04-26 at 12.39.28.png
  • Screenshot 2021-04-26 at 12.39.37.png

Patrick M. Hausen

> Just so I understand: Will I afterwards still be able to access my FreeNAS via the previous IP I am to remove from igb0 in Step 2?
You need to move that IP address to its own VLAN. All different networks on igb0 must be tagged VLANs.

> I also have a jail set up as a reverse proxy and a Nextcloud jail, both have IPs from the main network (not the VLAN). Won’t those be affected if I remove the IP settings from the interface?
Those would go to the bridge/vlan you defined for the main network.

See my first screenshot. ix0 and ix1 are combined into lagg0 - you don't have that, so think "igb0" instead. lagg0 (your igb0) is the parent interface for VLANs 1, 2 and 3. VLAN 3 does not connect any jails or VMs so there does not need to be a bridge.
Then we have bridge interfaces for VLAN 1 and 2 and those have the IP configuration.

The second and third screenshots show one particular jail with interfaces in both VLAN 1 and 2.

Hope this helps,
Patrick

Bildschirmfoto 2021-04-26 um 15.03.25.png
Bildschirmfoto 2021-04-26 um 15.04.43.png
Bildschirmfoto 2021-04-26 um 15.05.07.png
 

lela_tabathy

Thank you Patrick, I will be getting a new Router tomorrow (Unifi Dream Machine) and I will try all this once I've set that up.
 