Network unreachable from inside jail, DNS resolution works fine.

[RalfR]

I'm crossposting here as I realised, this might be more appropriate in the networking section. I so hope, somebody can shed some light on the issue as it currently renders FreeNAS mostly unusable for me.

Hi everyone,

I'm not a FreeBSD / Linux pro but hope, you guys can help me resolve an issue I'm having with jails being unable to connect to the Internet.

I've been running my FreeNAS system for a while, having upgraded from FreeBSD 9.x via 10.x to 11.x. I've got a couple of jails (all from the FreeBSD 9 times) which work fine. Today, I created a new jail, based off the official 11.0 standard template here.

When I try to ping a host on the Internet, I do get a network unreachable error.

Below is some info which might help anybody here helping me. I noticed, that ifconfig does not report "status: active" for the epair2b interface – which it does for jails which I've created with earlier versions. There is a corresponding epair2a on the host and the interface is up and active.

I hope somebody can help me getting this fixed. I love FreeNAS but this is sort of a bummer for me at this moment.

root@experimental:/ # host google.com
google.com has address 172.217.22.110
google.com has IPv6 address 2a00:1450:4001:81d::200e
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.

root@experimental:/ # ping google.com
PING google.com (172.217.22.110): 56 data bytes
ping: sendto: Network is unreachable

root@experimental:/ # traceroute google.com
traceroute: findsaddr: failed to connect to peer for src addr selection.

root@experimental:/ # netstat -rn
Routing tables
(0) (0) U
(0) (0) UG
(0) (0) UH 13473
(0) (0) U
(0) (0) UHS 13473
(0) (0) U 13473
(0) (0) UHS 13473
(0) (0) U
(0) (0) UHS 13473

root@experimental:/ # ifconfig
lo0: flags=8048<LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 4e:61:35:52:5b:18
inet 192.168.1.118 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

 

[SweetAndLow]

Do you have your default gateway settings configured for the jail?Are you using dhcp or static ip's?

 

[RalfR]

Do you have your default gateway settings configured for the jail?Are you using dhcp or static ip's?

Thanks for your speedy response.

The host IP is static. The jail has been configured to use a static IP, too. I have made sure, that both IPs are outside the DHCP range of my router. They are in the space reserved for static IPs and not assigned to any other host.

Below is how I created the jail via the FreeNAS Web GUI. I did set a default route. However, I'm not sure whether it got configured correctly.

Adding a default route from inside the jail yields an error.

root@experimental:/ # route add default 192.168.1.1
route: writing to routing socket: Invalid argument

 

[SweetAndLow]

Thanks for your speedy response.

The host IP is static. The jail has been configured to use a static IP, too. I have made sure, that both IPs are outside the DHCP range of my router. They are in the space reserved for static IPs and not assigned to any other host.

Below is how I created the jail via the FreeNAS Web GUI. I did set a default route. However, I'm not sure whether it got configured correctly.

Adding a default route from inside the jail yields an error.

root@experimental:/ # route add default 192.168.1.1
route: writing to routing socket: Invalid argument

You probably should never use the cli for configuring stuff like this. Have you used it much more? If you did that could be your problem. Freenas expects almost everything to be done in the gui.

Can you ping your gateway? Can you ping the freenas host?

 

[RalfR]

You probably should never use the cli for configuring stuff like this. Have you used it much more? If you did that could be your problem. Freenas expects almost everything to be done in the gui.

Can you ping your gateway? Can you ping the freenas host?

I did create the jail from the gui as the screenshot shows. Or did you mean the exact opposite? Should I create the jail from the command line? ;-)

Yes. Ping and DNS resolution works like a charm.

root@experimental:/ # ping 192.168.1.45
PING 192.168.1.45 (192.168.1.45): 56 data bytes
64 bytes from 192.168.1.45: icmp_seq=0 ttl=64 time=41.756 ms
64 bytes from 192.168.1.45: icmp_seq=1 ttl=64 time=2.291 ms
64 bytes from 192.168.1.45: icmp_seq=2 ttl=64 time=0.073 ms

I really think the missing default gateway might be the problem. netstat does not print any valid routing tables. Is there any way to manually configure a default gateway from within the jail?

 

[SweetAndLow]

so if you can ping your gateway but can't ping an external ip then your router/gateway is messed up? Describe your network topology more.

and no you should never be using the cli. I was referring to you trying to use route add.

 

[RalfR]

Once again: Thanks for being patient and trying to help!

My network topology is pretty basic: I'm running FreeNAS at home. The FreeNAS host is connected directly to my home router (Ubiquiti Edge Router). It has a static IP address 192.168.1.45/255.255.255.0. The router is at 192.168.1.1/255.255.255.0. That's it. The strange thing is, that jails created in Version 9 still work with full outbound connectivity.

 

[SweetAndLow]

Do you have any strange outbound firewall rules set on your router? Can freenas ping google? Double check that your other jails can ping google also.

You might have found a bug in the current jail stuff.

 

[RalfR]

See below. Jail 2 (created v9) pings perfectly. Jail 11 does not. I'm using the official templates from the FreeNAS repo.

root@rr-freenas:~ # jls
JID IP Address Hostname Path
1 plexmediaserver_1 /mnt/tank/jails/plexmediaserver_1
2 proxy /mnt/tank/jails/proxy
11 experimental /mnt/tank/jails/experimental
root@rr-freenas:~ # jexec 2 /bin/tcsh
root@proxy:/ # ping www.google.com
PING www.google.com (216.58.205.196): 56 data bytes
64 bytes from 216.58.205.196: icmp_seq=0 ttl=54 time=30.357 ms
^C
--- www.google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 30.357/30.357/30.357/0.000 ms
root@proxy:/ # exit
exit
root@rr-freenas:~ # jexec 11 /bin/tcsh
root@experimental:/ # ping www.google.com
PING www.google.com (216.58.205.196): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
^C
--- www.google.com ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss


 

[Stefano Monti]

I thank both for the report and for the instructions. Here I actually encountered the exact same problem by building the jails with the iocage function http://doc.freenas.org/11/jails.html#using-iocage

I believe that FreeBSD and therefore FreeNAS limits the default jails to a local use, so that it is necessary to manually insert the default route and DNS