Re: jails in different private subnets on the same host

2016-05-20 Thread Grzegorz Junka


On 19/05/2016 15:19, Kurt Jaeger wrote:

Hi!


Why would it need to use the nameserver if I am telneting through IP?

Use telnet -N to avoid DNS lookups.


Oh, great! That worked. It could connect to the web server jail 
immediately. So it looks like the problem is with connecting to the DNS 
jail, but why?


This is inside the DNS jail:

root@dns1:/ # netstat -an
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.60.53        *.*                    LISTEN
tcp4       0      0 192.168.1.60.25        *.*                    LISTEN
udp4       0      0 192.168.1.60.53        *.*
udp4       0      0 192.168.1.60.514       *.*
(... IPv6 entries)

On the problematic jail:

root@pjp1:/ # cat /etc/resolv.conf
search myserver.mydomain.com
nameserver 192.168.1.60
options edns0

root@pjp1:/ # netstat -an
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.33.1.40.25          *.*                    LISTEN
tcp4       0      0 10.33.1.40.3306        *.*                    LISTEN
tcp4       0      0 10.33.1.40.80          *.*                    LISTEN
udp4       0      0 10.33.1.40.514         *.*

root@pjp1:/ # netstat -rn
Routing tables

Internet:
Destination        Gateway        Flags     Netif Expire
10.33.1.40         link#4         UHS       lo0


This works immediately:
root@pjp1:/ # telnet -N 192.168.1.60 53
Trying 192.168.1.60...
Connected to 192.168.1.60.
Escape character is '^]'.

But this connects after exactly 15 seconds:
root@pjp1:/ # telnet 192.168.1.60 53
Trying 192.168.1.60...
Connected to 192.168.1.60.
Escape character is '^]'.

Grzegorz

___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"


Re: jails in different private subnets on the same host

2016-05-19 Thread Kurt Jaeger
Hi!

> Why would it need to use the nameserver if I am telneting through IP?

Use telnet -N to avoid DNS lookups.

-- 
p...@opsec.eu  +49 171 3101372  4 years to go !


Re: jails in different private subnets on the same host

2016-05-19 Thread Grzegorz Junka


On 19/05/2016 14:50, James Gritton wrote:

On 2016-05-18 09:08, Grzegorz Junka wrote:

I just tried telnet 192.168.1.50 80 from the main host and from the
10.33.1.40 jail. From the main host it works without issues. From the
jail it eventually connected after 15 or so seconds of waiting.


That sounds like about the kind of timeout I'd expect from DNS 
resolution not working.  If you're adding a new subnet when the jail 
is created, you'll need to do something to get a nameserver to listen 
to it.


- Jamie


Why would it need to use the nameserver if I am telneting through IP? My 
nameserver is running in 192.168.1.60 but drill @192.168.1.60 from 
inside the 10.33.1.40 jail doesn't see it. I am using telnet with the IP 
specifically to avoid using the nameserver because I know the jail can't 
use the nameserver at this moment (until this is solved).


Grzegorz


Re: jails in different private subnets on the same host

2016-05-19 Thread James Gritton

On 2016-05-18 09:08, Grzegorz Junka wrote:

I just tried telnet 192.168.1.50 80 from the main host and from the
10.33.1.40 jail. From the main host it works without issues. From the
jail it eventually connected after 15 or so seconds of waiting.


That sounds like about the kind of timeout I'd expect from DNS 
resolution not working.  If you're adding a new subnet when the jail is 
created, you'll need to do something to get a nameserver to listen to 
it.


- Jamie
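The thread above narrows the symptom down to name resolution: the DNS jail shows port 53 listening on both tcp4 and udp4, `telnet -N` to 192.168.1.60:53 connects at once, plain `telnet` (which does a PTR lookup of the peer address first) waits out a resolver timeout, and `drill @192.168.1.60` from the 10.33.1.40 jail gets no answer. The following probe is an added example, not code from the thread or from any of its participants: it sends one hand-built DNS query to the nameserver over TCP and over UDP separately and reports a timeout, a REFUSED/SERVFAIL rcode, or a real answer, so "the port is reachable" and "the server answers queries from this source address" are tested as two different things. It also times the reverse lookup that telnet performs. The nameserver address is taken from the thread; that it answers on port 53 over both transports, and the 2-second timeouts, are assumptions.

```python
# Added example (not from the mailing-list thread): probe a nameserver over
# UDP and TCP separately, and time the PTR lookup telnet does without -N.
# Assumptions: the nameserver at NAMESERVER answers on port 53 over both
# transports; the 2-second timeouts are arbitrary diagnostic values.
import random
import socket
import struct
import time

NAMESERVER = "192.168.1.60"   # the DNS jail from the thread
PROBE_IP = "192.168.1.60"     # address whose PTR record telnet would look up

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_A, QTYPE_PTR = 1, 12


def ptr_name(ipv4):
    """Reverse-map an IPv4 address to its in-addr.arpa PTR owner name."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def build_query(qname, qtype=QTYPE_A, txid=None):
    """Build a minimal RFC 1035 query: header with RD set, one IN question."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header: enough to tell refused from answered."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def interpret(transport, txid, reply):
    """Turn a raw reply (None on timeout/error) into a one-line verdict."""
    if reply is None:
        return transport + ": no reply (timeout): filtered, or nothing answering on this path"
    h = parse_header(reply)
    if h["id"] != txid or not h["is_response"]:
        return "%s: reply with wrong ID or QR bit: not a valid response" % transport
    return "%s: rcode=%s answers=%d" % (
        transport, RCODES.get(h["rcode"], str(h["rcode"])), h["answers"])


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or raise on early EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EOF from nameserver")
        buf += chunk
    return buf


def probe_udp(server, qname, qtype=QTYPE_A, timeout=2.0):
    """Send one UDP query; a silent timeout here with TCP working points at
    UDP being filtered or the server refusing/ignoring this source address."""
    txid, query = build_query(qname, qtype)
    reply = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:          # socket.timeout is an OSError subclass
            reply = None
    return interpret("udp", txid, reply)


def probe_tcp(server, qname, qtype=QTYPE_A, timeout=2.0):
    """Send the same query over TCP (two-byte length prefix, RFC 1035 4.2.2)."""
    txid, query = build_query(qname, qtype)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            reply = _recv_exact(s, length)
    except OSError:
        reply = None
    return interpret("tcp", txid, reply)


def time_reverse_lookup(ip):
    """Time the PTR lookup telnet (without -N) makes via the system resolver."""
    t0 = time.monotonic()
    try:
        name = socket.gethostbyaddr(ip)[0]
    except OSError:
        name = None
    return name, time.monotonic() - t0


if __name__ == "__main__":
    print(probe_tcp(NAMESERVER, ptr_name(PROBE_IP), QTYPE_PTR))
    print(probe_udp(NAMESERVER, ptr_name(PROBE_IP), QTYPE_PTR))
    name, secs = time_reverse_lookup(PROBE_IP)
    print("reverse lookup of %s -> %s in %.1f s" % (PROBE_IP, name, secs))
```

Run it from inside the 10.33.1.40 jail with resolv.conf as posted: a TCP verdict with an rcode next to a UDP timeout, or a REFUSED rcode on either transport, tells the resolver story directly, which `telnet` alone only hints at through its delay. A REFUSED answer would indicate the nameserver's own query ACL rather than a routing problem; a UDP-only silence would indicate the reply path for that transport. Either way, `telnet -N` and `drill`/`dig` with an explicit `@server` remain the right tools for the rest of the debugging, since they do not depend on the resolver that is under suspicion.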


Re: jails in different private subnets on the same host

2016-05-18 Thread Grzegorz Junka


On 18/05/2016 14:11, Bjoern A. Zeeb wrote:
>> On 18 May 2016, at 14:00 , Grzegorz Junka  wrote:
>>
>> Is it possible to have two jails on the same host each one in a
>> different private subnet, e.g. 192.168.1.0 and 10.33.1.0, and have
>> routing between them working without issues?
>>
>> I know it's possible to run jails with IPs in those two subnets
>> but it seems there is no routing and I am not sure if it's because
>> I can't configure my router properly or there is a more
>> fundamental problem. One issue I see is that the jail can't have a
>> different default gateway than the host, and that for now is
>> 192.168.1.1, but I don't see a reason why 10.33.1.0 wouldn't be
>> able to use 192.168.1.1 as its default gateway provided there is
>> routing between those two subnets.
>
> Given they are both on the same base system host, both addresses
> are connected locally and thus the kernel knows where to deliver
> these packets. If that doesn't work, there is a bug somewhere.
>
> If you want different default gateways then you may want to look
> into using different FIBs for different jails. See route(8) and
> jail(8) for parameters to set and tune.
>
> /bz
>


I can ping both jails from the main host, however when in the 10.33.1.0 
jail I can't access any jail in the 192.168.1.0 network. This is what 
netstat -r shows:


-
root@dns1:/ # ifconfig
em0: flags=8843 metric 0 mtu 1500
options=4219b
ether 00:25:90:ae:e8:bc
media: Ethernet autoselect (1000baseT )
status: active
em1: flags=8843 metric 0 mtu 1500
options=4219b
ether 00:25:90:ae:e8:bc
media: Ethernet autoselect (1000baseT )
status: active
lo0: flags=8049 metric 0 mtu 16384
options=63
lagg0: flags=8843 metric 0 mtu 1500
options=4219b
ether 00:25:90:ae:e8:bc
inet 192.168.1.60 netmask 0x broadcast 192.168.1.60
media: Ethernet autoselect
status: active
laggproto lacp lagghash l2,l3,l4
laggport: em0 flags=1c
laggport: em1 flags=1c


root@dns1:/ # netstat -r
Routing tables

Internet:
Destination        Gateway        Flags     Netif Expire
dns1               link#4         UHS       lo0
-

root@pjp1:/ # ifconfig
em0: flags=8843 metric 0 mtu 1500
options=4219b
ether 00:25:90:ae:e8:bc
media: Ethernet autoselect (1000baseT )
status: active
em1: flags=8843 metric 0 mtu 1500
options=4219b
ether 00:25:90:ae:e8:bc
media: Ethernet autoselect (1000baseT )
status: active
lo0: flags=8049 metric 0 mtu 16384
options=63
lagg0: flags=8843 metric 0 mtu 1500
options=4219b
ether 00:25:90:ae:e8:bc
inet 10.33.1.40 netmask 0x broadcast 10.33.1.40
media: Ethernet autoselect
status: active
laggproto lacp lagghash l2,l3,l4
laggport: em0 flags=1c
laggport: em1 flags=1c


root@pjp1:/ # netstat -r
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist
-

On the main host:

root@somehost:~ # netstat -r
Routing tables

Internet:
Destination                Gateway        Flags  Netif Expire
default                    192.168.1.1    UGS    lagg0
pjp1.somehost.somedomain.  link#4         UHS    lo0
10.33.1.40/32              link#4         U      lagg0
localhost                  link#3         UH     lo0
192.168.1.0                link#4         U      lagg0
somehost                   link#4         UHS    lo0
web1.somehost.somedomain.  link#4         UHS    lo0
192.168.1.50/32            link#4         U      lagg0
dns1.somehost.somedomain.  link#4         UHS    lo0
192.168.1.60/32            link#4         U      lagg0
(... other jails)

Internet6:
Destination                Gateway        Flags  Netif Expire
::                         localhost      UGRS   lo0
localhost                  link#3         UH

Re: jails in different private subnets on the same host

2016-05-18 Thread Bjoern A. Zeeb

> On 18 May 2016, at 14:00 , Grzegorz Junka  wrote:
> 
> Is it possible to have two jails on the same host each one in a different 
> private subnet, e.g. 192.168.1.0 and 10.33.1.0, and have routing between them 
> working without issues?
> 
> I know it's possible to run jails with IPs in those two subnets but it seems 
> there is no routing and I am not sure if it's because I can't configure my 
> router properly or there is a more fundamental problem. One issue I see is 
> that the jail can't have a different default gateway than the host, and that 
> for now is 192.168.1.1, but I don't see a reason why 10.33.1.0 wouldn't be 
> able to use 192.168.1.1 as its default gateway provided there is routing 
> between those two subnets.

Given they are both on the same base system host,  both addresses are connected 
locally and thus the kernel knows where to deliver these packets.  If that 
doesn’t work, there is a bug somewhere.

If you want different default gateways then you may want to look into using 
different FIBs for different jails.  See route(8) and jail(8) for parameters to 
set and tune.

/bz


jails in different private subnets on the same host

2016-05-18 Thread Grzegorz Junka
Is it possible to have two jails on the same host each one in a 
different private subnet, e.g. 192.168.1.0 and 10.33.1.0, and have 
routing between them working without issues?


I know it's possible to run jails with IPs in those two subnets but it 
seems there is no routing and I am not sure if it's because I can't 
configure my router properly or there is a more fundamental problem. One 
issue I see is that the jail can't have a different default gateway than 
the host, and that for now is 192.168.1.1, but I don't see a reason why 
10.33.1.0 wouldn't be able to use 192.168.1.1 as its default gateway 
provided there is routing between those two subnets.


Grzegorz
