Jail using dedicated interface

Status
Not open for further replies.

mpfusion

How can I make a jail use a particular network interface? I set up a jail (using CLI because current GUI only supports warden and new GUI is buggy):

iocage create --name testjail -r 11.1-RELEASE ip4_addr="igb2|10.0.90.16/24" defaultrouter=10.0.90.10 boot="on" host_hostname=testjail


When I try to make a connection from within the jail it appears to leave through the igb0 interface instead of igb2.

Network config:

freenas:
igb0: 10.0.10.15
igb1: 10.0.50.15
igb2: 10.0.90.15
default gateway: 10.0.10.10

jail “testjail”:
igb2: 10.0.90.16
default gateway: 10.0.90.10


igb0 is the correct gateway for regular traffic (everything except the jails); jails should use igb2. What do I need to configure so this jail uses the dedicated network adapter?

FreeNAS-11.1-U4
 
Joined
Apr 9, 2015
Messages
1,258
This will probably help figure it out: https://forums.freebsd.org/threads/multiple-nics-and-jails.46753/

I don't think you can even do that via GUI and you may need to set up a second "bridge" in the FreeNAS itself to transfer data from the other interface. It may even be easier to set up the second interface for the FreeNAS and use the first one that is already working for the jails.
 

mpfusion


Thanks. That's a valuable link. The mentioned scenario is exactly what I want to achieve. However, it seems very involved and suggests things you shouldn't do in an appliance and would certainly be discouraged in FreeNAS. Furthermore, I don't know how the ezjail commands and configuration translate to iocage.

> I don't think you can even do that via GUI

That would be unfortunate. Basically what I want to do is set up a web server in a DMZ on a dedicated nic. That seems like a common use case (for jails). I'll file a feature request if there's no GUI way of doing this.

I'll wait for some more responses. Maybe someone has an idea how to do that without messing directly with the network internals. I don't believe I'm the first one to set up a web server in a jail.

> It may even be easier to set up the second interface for the FreeNAS and use the first one that is already working for the jails.

This wouldn't work because the firewall and the routing would be wrong. I would have to swap all the rules in the firewall. But then I basically just swapped the nics and the problem is the same as before. Maybe I'm just misunderstanding you.
 