Jails created with bridge1, no physical interfaces

Status
Not open for further replies.

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
Hi there,

my NAS already has bridge0, for openvpn.
Why are my jails, created with the VIMAGE option, bridged to bridge1, which has no physical interfaces?
Full ifconfig output below. Note bridge1 has only one member, epair0a.
Is there a way to have only one bridge, bridge0?

Thanks for your time,
shpokas

$ ifconfig
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c0099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
ether a0:1d:48:c7:ca:94
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c0099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
ether a0:1d:48:c7:ca:94
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:c0:75:36:94:00
inet 192.168.150.20 netmask 0xffffff00 broadcast 192.168.17.255
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 10 priority 128 path cost 2000000
member: lagg0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 9 priority 128 path cost 20000
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c0099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
ether a0:1d:48:c7:ca:94
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet autoselect
status: active
laggproto lacp lagghash l2,l3,l4
laggport: bge1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
laggport: bge0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 00:bd:f6:a5:00:00
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet autoselect
status: active
Opened by PID 3095
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:c0:75:36:94:01
nd6 options=1<PERFORMNUD>
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 12 priority 128 path cost 2000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:59:24:00:0c:0a
nd6 options=1<PERFORMNUD>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
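To see at a glance which bridge each VIMAGE jail's epair lands on, and whether that bridge reaches a physical NIC at all (the situation in the ifconfig dump above: bridge1 holds only epair0a, bridge0 holds tap0 plus lagg0), here is a small parser of FreeBSD ifconfig output. It is an added example, not code from this thread or from FreeNAS; the sample output is constructed from the dump above and the list of virtual interface name prefixes is an assumption.

```python
import re

# Assumption: these name prefixes never carry traffic off the box by themselves.
VIRTUAL_PREFIXES = ("epair", "tap", "tun", "bridge", "lo", "ipfw", "pflog")

# Constructed sample, abbreviated from the ifconfig output in the thread.
SAMPLE = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmember: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\t        ifmaxaddr 0 port 10 priority 128 path cost 2000000
\tmember: lagg0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tlaggport: bge1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
\tlaggport: bge0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmember: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
"""

def parse_ifconfig(text):
    """Return ({bridge: [members]}, {lagg: [ports]}) from FreeBSD ifconfig output."""
    bridges, laggs, cur = {}, {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:  # unindented line starts a new interface stanza
            cur = head.group(1)
            if cur.startswith("bridge"):
                bridges[cur] = []
            elif cur.startswith("lagg"):
                laggs[cur] = []
            continue
        member = re.match(r"^\s+member: (\S+)", line)
        if member and cur in bridges:
            bridges[cur].append(member.group(1))
        port = re.match(r"^\s+laggport: (\S+)", line)
        if port and cur in laggs:
            laggs[cur].append(port.group(1))
    return bridges, laggs

def bridge_report(text):
    """Per bridge: its members, the jail (epair) members, and the physical NICs it reaches."""
    bridges, laggs = parse_ifconfig(text)
    report = {}
    for name, members in bridges.items():
        phys = []
        for m in members:
            # a lagg member expands to its ports; a virtual member contributes nothing
            phys += laggs.get(m, [] if m.startswith(VIRTUAL_PREFIXES) else [m])
        jails = [m for m in members if m.startswith("epair")]
        report[name] = {"members": members, "uplinks": phys, "jails": jails}
    return report
```

A bridge whose only members are epairs carries no traffic off the box, whereas moving the jail epairs onto bridge0 would put them on the same L2 segment as tap0 and every OpenVPN client; the report makes that exposure visible before the configuration is changed.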
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
The short answer is that if a bridge already exists for something else it isn't used. So no, you can't.
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
Thanks for the answer.
Well... because I have two physical interfaces, would it be possible to use bge0 for the jail bridge and bge1 for openvpn?

To put it differently: is it possible to run openvpn in bridge mode and jails with the VIMAGE option set on the same box?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Not really. FreeNAS was never designed to act as a VPN, so not surprisingly it isn't "totally trivial" to do. The jails are basically made available to the entire system (and all networks they are attached to). There's no easy fix without setting up multiple subnets.

This is one of *many* reasons why VPN functions with FreeNAS are just "a bad idea". Never mind the security implications that could result.
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
No, it's not a bad idea. It's just a FreeNAS limitation.
Thanks for answers though.

I could hack around it if only I knew where to start.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
No, it's not a bad idea.

Sorry, but you are very very wrong about that. There are about 50 threads on the topic if you want to understand the reasons why more definitively.
 

shpokas

Dabbler
Joined
Oct 3, 2014
Messages
32
I certainly do not want to start a flame war, not even a discussion.
Just noting that if I could afford or wished to use multiple single-purpose boxes then I'd do so. There are always arguments why one should not put all eggs in one basket, BUT... I have a small business with an HP Microserver and I need to pack it all into that box.
Putting the VPN on an ARM-based router just doesn't cut it if you have a 100 Mb line. I do not have another box for the VPN.
Thanks for your informative response.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
A business that can't do a VPN correctly?!

I'm glad I don't use you for whatever service you use. VPN on a FreeNAS box is wholly inappropriate for business use.

But good luck to you!
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Actually a VPN within FreeNAS is something I'm looking into. It would make replication between FreeNAS's very powerful. Something like neorouter would allow easy deployment and work through firewalls. I'm only looking for the VPN connection to go to other FreeNAS's, not to be a client endpoint.

Let me know if you make any progress.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Actually a VPN within FreeNAS is something I'm looking into. It would make replication between FreeNAS's very powerful. Something like neorouter would allow easy deployment and work through firewalls. I'm only looking for the VPN connection to go to other FreeNAS's, not to be a client endpoint.

Let me know if you make any progress.

You should read up on FreeNAS' replication then. It uses an SSH tunnel, which for all intents and purposes provides at least the same level of security as a VPN, with the advantage that the SSH tunnel directly supports the ZFS replication data stream in FreeNAS.

In short, no, you don't need to use a VPN for what you want to do. You just need to use the already built-in features of ZFS replication and set up your firewalls appropriately. ;)
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
I absolutely have been reading up on replication, and that is exactly what I want to do. :smile:

However, I would prefer not to have to configure Dynamic DNS and port forwarding on friends/families routers for SSH to work through them.

So something like a NeoRouter VPN (which is like Hamachi before being bought by LogMeIn). Not because I need a connection, but because it easily works through remote firewalls.

The way I see it, there are 2 choices:
A: Configure a dynamic DNS client on the remote FreeNASes, configure port forwarding on the remote router and use replication over SSH.
B: Configure NeoRouter on each FreeNAS to join the same VPN network and perform replication over that.
 