Jail in DMZ - FreeNAS in LAN

[jerhat]

Hi,

I am new to FreeNAS and I really like it so far.

I am trying to have a jail sitting in my DMZ while keeping the FreeNAS host away from it.

My current setup is:

• FreeNAS-11.3-RELEASE with
• igb0: connected to my LAN with an IP assigned
• igb1: connected to my DMZ, no IP assigned

What I tried is: uncheck DHCP and NAT in the jail creation screen and select igb1 for the interface and configure ip/netmask. However the jail cannot be created:

Stopped due to VNET failure

I used to do that in my previous setup (Proxmox running on the same box). How can I achieve this in FreeNAS? Shall I use a VM instead of a jail?

Thank you

 

[sretalla]

Have you tried with an IP from your DMZ subnet assigned to the igb1 interface?

 

[jerhat]

Thank you stretalla.

I just tried your suggestion and it is actually also failing with the same error when trying to create the jail with igb1 configured. And it is also failing with igb0.

I could only create the jail when ticking DHCP (in which case it got its IP from my lan DHCP server).

So it does not seem related to the underlying nic being configured in not, but rather to the fact that I'm not using DHCP (nor NAT).

Is it supposed to be supported?

Thanks

 

[sretalla]

I know of issues in past versions with the setup of jails with VNET failing if DHCP wasn't used... it was supposed to be fixed in 11.3 to my memory, but seems your case may be proof that it isn't.

I'm not sure what you have done with the VNET setup as with 2 interfaces, you would need to ensure a second bridge is in place for the DMZ network and that your DNZ NIC has been joined to it.

 

[jerhat]

For the record, I ended up with the following:

• a dhcp server running on my dmz segment (with a static lease for my jail mac address)
• in FreeNAS, a bridge1 interface with igb1 as member (no ip being assigned to it)
• then I set the interfaces of my dmz jail to this bridge (using iocage command since the GUI did not let me do so) iocage set interfaces=vnet0:bridge1 mydmzjail

This way it works the way I want .

This post helped me:
https://www.ixsystems.com/community/threads/jail-on-dedicated-network.72841/post-540533

 

[jerhat]

Seems like I was hitting this bug:

https://jira.ixsystems.com/browse/NAS-104963

Fixed in latest maintenance release.