Jail with UDP/53 forwarded won't start with GUI but starts fine using command line

redm0nster

Cadet
Joined
Apr 14, 2023
Messages
6
Running TrueNAS Core version TrueNAS-13.0-U4 on a Pentium Silver J5040 cpu (64-bit) with 16GB RAM. 1 x 240GB SSD boot disk and 2 x 10TB Seagate Ironwolf pro disks running as mirror.

I've got a jail called "bind-dns" that I want to forward ports UDP/53 and TCP/53 to because it is a DNS server. I've started with just UDP/53 to keep things simple. This jail works fine and I can perform DNS queries to it using the usual UDP port 53 to the truenas' IP address. So NAT and port forwarding is working. The issue is that while I can start it fine from the command line with sudo iocage start bind-dns, I cannot start it from the web interface: I get the error message "Error: [EFAULT] Please correct udp(53:53) port rule as another running jail is using one of the mentioned ports.".

UDP port 53 is not used by the TrueNAS host (checked with netstat -na | grep 53), nor is it port forwarded by any other jail (including jails that are down). I know I can use DHCP, but I'd like to use NAT with port forwarding so I can use my TrueNAS system as a DNS server, and I want to run it in a jail to reduce the impact of a compromise via DNS/bind.

Here is example command line output:

Code:
rsh@store:~$ iocage list
+------+---------------+-------+--------------+------------+
| JID  |     NAME      | STATE |   RELEASE    |    IP4     |
+======+===============+=======+==============+============+
| None | bind-dns      | down  | 13.2-RELEASE | 172.16.0.6 |
+------+---------------+-------+--------------+------------+
| 42   | gitserver     | up    | 13.2-RELEASE | DHCP       |
+------+---------------+-------+--------------+------------+
| 33   | jellyfin      | up    | 13.1-RELEASE | DHCP       |
+------+---------------+-------+--------------+------------+
| 34   | photoprism    | up    | 12.4-RELEASE | 172.16.0.2 |
+------+---------------+-------+--------------+------------+
| 7    | plex          | up    | 13.1-RELEASE | DHCP       |
+------+---------------+-------+--------------+------------+
| None | test-jail-new | down  | 13.1-RELEASE | DHCP       |
+------+---------------+-------+--------------+------------+

rsh@store:~$ sudo iocage start bind-dns
Password:
bind-dns: nat requires nat_interface, using re0
No default gateway found for ipv6.
* Starting bind-dns
  + Started OK
  + Using devfs_ruleset: 1005 (iocage generated default)
  + Configuring VNET OK
  + Using IP options: vnet
  + Starting services OK
  + Executing poststart OK

rsh@store:~$ sudo iocage stop bind-dns
* Stopping bind-dns
  + Executing prestop OK
  + Stopping services OK
  + Tearing down VNET OK
  + Removing devfs_ruleset: 1005 OK
  + Removing jail process OK
  + Executing poststop OK


Web interface example: [screenshot 2023-04-27.png, not reproduced]


This looks like a bug to me. Does anyone know about it, and whether it's being worked on?
 

redm0nster

Cadet
Joined
Apr 14, 2023
Messages
6
Some more information on this issue:

1. I can create the jail both through the GUI and manually with a script and the issue remains the same, so it's not connected with the GUI jail creation process.

2. The issue exists with both 13.2-RELEASE and 13.1-RELEASE jails (I initially created the jail as 13.2-RELEASE, then re-created it as 13.1-RELEASE to match the TrueNAS host OS, but the issue remained).

3. Rebooting the TrueNAS host starts the bind-dns jail fine. It's only starting from the GUI that's the problem. There's no issue starting from the CLI with "iocage start" or through the TrueNAS boot process.

Perhaps the GUI is not distinguishing between UDP and TCP forwarded ports so it thinks I'm forwarding port 53 twice? Here is how the jail is created in my script ($JAIL is set to the jail name, "bind-dns" in this case):

Code:
iocage create --basejail --name $JAIL --release 13.1-RELEASE --pkglist=$PKGFILE nat=1 vnet=1 nat_forwards="udp(53:53),tcp(53:53)" notes="ISC BIND DNS Server"
 
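The post above speculates that the conflict check keys on the port number alone. The following is an added illustration (not TrueNAS or iocage code) of how a port-forward conflict check over iocage-style `nat_forwards` strings behaves when it does and does not take the protocol into account; the jail names and forward specs are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple

# iocage nat_forwards syntax: "proto(hostport:jailport),..." e.g. "udp(53:53),tcp(53:53)"
_FORWARD_RE = re.compile(r"^(tcp|udp)\((\d{1,5}):(\d{1,5})\)$")


class Forward(NamedTuple):
    proto: str
    host_port: int
    jail_port: int


def parse_nat_forwards(spec: str) -> List[Forward]:
    """Parse a nat_forwards string; rejects unknown protocols and bad ports."""
    forwards = []
    for item in filter(None, (s.strip().lower() for s in spec.split(","))):
        m = _FORWARD_RE.match(item)
        if not m:
            raise ValueError(f"bad nat_forwards entry: {item!r}")
        host_port, jail_port = int(m.group(2)), int(m.group(3))
        if not (1 <= host_port <= 65535 and 1 <= jail_port <= 65535):
            raise ValueError(f"port out of range in {item!r}")
        forwards.append(Forward(m.group(1), host_port, jail_port))
    return forwards


def find_conflicts(jail_specs: Dict[str, str], starting: str,
                   running: List[str], by_protocol: bool = True) -> List[str]:
    """Report host-side forwards of `starting` that collide with an already
    claimed forward. Only the host port can collide: several jails may listen
    on 53 internally, but the host can hand a given proto/port to one jail.

    by_protocol=True keys on (proto, host_port), so udp(53:53) and tcp(53:53)
    coexist. by_protocol=False keys on host_port alone and flags them as a
    duplicate even when both belong to the same jail.
    """
    def key(f: Forward):
        return (f.proto, f.host_port) if by_protocol else f.host_port

    claimed: Dict[object, str] = {}   # key -> "jail:entry" that claimed it
    conflicts = []
    for jail in [j for j in running if j != starting] + [starting]:
        for f in parse_nat_forwards(jail_specs.get(jail, "")):
            entry = f"{jail}:{f.proto}({f.host_port}:{f.jail_port})"
            if key(f) in claimed:
                conflicts.append(f"{entry} conflicts with {claimed[key(f)]}")
            else:
                claimed[key(f)] = entry
    return conflicts
```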

redm0nster

Cadet
Joined
Apr 14, 2023
Messages
6
I worked around the issue by creating my BIND DNS jail with DHCP instead of NAT so it has its own address, and specifying locally assigned MAC addresses so my DHCP server will allocate a fixed IP address. It's working fine now.

Code:
iocage create --basejail --name $JAIL --release 13.1-RELEASE --pkglist=$PKGFILE vnet0_mac="02000000000d,02000000000e" bpf=1 dhcp=1 vnet=1 notes="ISC BIND DNS Server"
 