Re: jails in different private subnets on the same host
Hi!

> >> Why would it need to use the nameserver if I am telneting through IP?
> >
> > Use telnet -N to avoid DNS lookups.
>
> Oh, great! That worked. It could connect to the web server jail
> immediately. So it looks like the problem is with connecting to the DNS
> jail, but why?

It's not the problem connecting, it's getting an answer. Does your DNS have an answer for 60.1.168.192.in-addr.arpa ?

-- 
p...@opsec.eu  +49 171 3101372
4 years to go !
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
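An added example, not from the thread: it performs the same reverse (PTR) lookup that telnet does before connecting, built by hand in DNS wire format, so the jail's view of the DNS jail can be tested without telnet in the way. It tells apart a resolver that never answers (UDP/53 on 192.168.1.60 not reachable from the jail) from one that answers NXDOMAIN (reached, but no PTR record for 60.1.168.192.in-addr.arpa); the 2-second timeout and the sample NXDOMAIN reply are assumptions constructed for offline use.

```python
import socket
import struct

PTR, IN = 12, 1   # DNS record type PTR, class IN

def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address: 192.168.1.60 -> 60.1.168.192.in-addr.arpa"""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_ptr_query(ip, txid=0x1234):
    """Wire-format query: 12-byte header with RD set, one PTR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = ptr_name(ip).split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", PTR, IN)

def classify_response(query, resp):
    """Translate what came back (or did not) into the condition being debugged."""
    if resp is None:
        return "timeout"        # nothing at all: UDP/53 on the DNS jail is not answering
    if len(resp) < 12 or resp[:2] != query[:2]:
        return "bogus"          # not a reply to our transaction id
    flags, ancount = struct.unpack("!H", resp[2:4])[0], struct.unpack("!H", resp[6:8])[0]
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"       # server reached, but it has no PTR record for the address
    if rcode != 0:
        return "rcode=%d" % rcode
    return "answer" if ancount else "noerror-empty"

def query_ptr(ip, nameserver, timeout=2.0):
    """Send the PTR query over UDP (timeout is an assumed value) and classify the result."""
    q = build_ptr_query(ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (nameserver, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            resp = None
    return classify_response(q, resp)

def constructed_nxdomain(query):
    """Constructed sample reply (QR, RD, RA, RCODE=3) echoing the question, for offline testing."""
    return query[:2] + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + query[12:]
```

Running `query_ptr("192.168.1.60", "192.168.1.60")` from inside the 10.33.1.40 jail reports which of the outcomes applies; a 15-second telnet stall followed by a successful connect corresponds to "timeout" here.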
Re: jails in different private subnets on the same host
On 19/05/2016 15:19, Kurt Jaeger wrote:
> Hi!
>
>> Why would it need to use the nameserver if I am telneting through IP?
>
> Use telnet -N to avoid DNS lookups.

Oh, great! That worked. It could connect to the web server jail immediately. So it looks like the problem is with connecting to the DNS jail, but why?

This is inside the DNS jail:

root@dns1:/ # netstat -an
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.60.53        *.*                    LISTEN
tcp4       0      0 192.168.1.60.25        *.*                    LISTEN
udp4       0      0 192.168.1.60.53        *.*
udp4       0      0 192.168.1.60.514       *.*
(... IPv6 entries)

On the problematic jail:

root@pjp1:/ # cat /etc/resolv.conf
search myserver.mydomain.com
nameserver 192.168.1.60
options edns0

root@pjp1:/ # netstat -an
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.33.1.40.25          *.*                    LISTEN
tcp4       0      0 10.33.1.40.3306        *.*                    LISTEN
tcp4       0      0 10.33.1.40.80          *.*                    LISTEN
udp4       0      0 10.33.1.40.514         *.*

root@pjp1:/ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.33.1.40         link#4             UHS         lo0

This works immediately:

root@pjp1:/ # telnet -N 192.168.1.60 53
Trying 192.168.1.60...
Connected to 192.168.1.60.
Escape character is '^]'.

But this connects after exactly 15 seconds:

root@pjp1:/ # telnet 192.168.1.60 53
Trying 192.168.1.60...
Connected to 192.168.1.60.
Escape character is '^]'.

Grzegorz
Re: jails in different private subnets on the same host
On 19/05/2016 15:40, Ernie Luzar wrote:
> James Gritton wrote:
>> On 2016-05-18 09:08, Grzegorz Junka wrote:
>>> I just tried telnet 192.168.1.50 80 from the main host and from the
>>> 10.33.1.40 jail. From the main host it works without issues. From the
>>> jail it eventually connected after 15 or so seconds of waiting.
>>
>> That sounds like about the kind of timeout I'd expect from DNS
>> resolution not working. If you're adding a new subnet when the jail is
>> created, you'll need to do something to get a nameserver to listen to it.
>>
>> - Jamie
>
> You have not copied the host's /etc/resolv.conf to the jail in question.

Of course I did.

root@somehost:/# cat /etc/resolv.conf
search somehost.somedomain.com
nameserver 192.168.1.60
nameserver 8.8.8.8

I installed the jail using bsdinstall and it copies that automatically.

Grzegorz
Re: jails in different private subnets on the same host
James Gritton wrote:
> On 2016-05-18 09:08, Grzegorz Junka wrote:
>> I just tried telnet 192.168.1.50 80 from the main host and from the
>> 10.33.1.40 jail. From the main host it works without issues. From the
>> jail it eventually connected after 15 or so seconds of waiting.
>
> That sounds like about the kind of timeout I'd expect from DNS
> resolution not working. If you're adding a new subnet when the jail is
> created, you'll need to do something to get a nameserver to listen to it.
>
> - Jamie

You have not copied the host's /etc/resolv.conf to the jail in question.
Re: jails in different private subnets on the same host
Hi!

> Why would it need to use the nameserver if I am telneting through IP?

Use telnet -N to avoid DNS lookups.

-- 
p...@opsec.eu  +49 171 3101372
4 years to go !
Re: jails in different private subnets on the same host
On 19/05/2016 14:50, James Gritton wrote:
> On 2016-05-18 09:08, Grzegorz Junka wrote:
>> I just tried telnet 192.168.1.50 80 from the main host and from the
>> 10.33.1.40 jail. From the main host it works without issues. From the
>> jail it eventually connected after 15 or so seconds of waiting.
>
> That sounds like about the kind of timeout I'd expect from DNS
> resolution not working. If you're adding a new subnet when the jail is
> created, you'll need to do something to get a nameserver to listen to it.
>
> - Jamie

Why would it need to use the nameserver if I am telneting through IP? My nameserver is running in 192.168.1.60 but drill @192.168.1.60 from inside the 10.33.1.40 jail doesn't see it. I am using telnet with the IP specifically to avoid using the nameserver because I know the jail can't use the nameserver at this moment (until this is solved).

Grzegorz
Re: jails in different private subnets on the same host
On 2016-05-18 09:08, Grzegorz Junka wrote:
> I just tried telnet 192.168.1.50 80 from the main host and from the
> 10.33.1.40 jail. From the main host it works without issues. From the
> jail it eventually connected after 15 or so seconds of waiting.

That sounds like about the kind of timeout I'd expect from DNS resolution not working. If you're adding a new subnet when the jail is created, you'll need to do something to get a nameserver to listen to it.

- Jamie
Re: jails in different private subnets on the same host
On 18/05/2016 14:11, Bjoern A. Zeeb wrote:
>> On 18 May 2016, at 14:00 , Grzegorz Junka wrote:
>>
>> Is it possible to have two jails on the same host each one in a
>> different private subnet, e.g. 192.168.1.0 and 10.33.1.0, and have
>> routing between them working without issues?
>>
>> I know it's possible to run jails with IPs in those two subnets
>> but it seems there is no routing and I am not sure if it's because
>> I can't configure my router properly or there is a more
>> fundamental problem. One issue I see is that the jail can't have a
>> different default gateway than the host, and that for now is
>> 192.168.1.1, but I don't see a reason why 10.33.1.0 wouldn't be
>> able to use 192.168.1.1 as its default gateway provided there is
>> routing between those two subnets.
>
> Given they are both on the same base system host, both addresses
> are connected locally and thus the kernel knows where to deliver
> these packets. If that doesn’t work, there is a bug somewhere.
>
> If you want different default gateways then you may want to look
> into using different FIBs for different jails. See route(8) and
> jail(8) for parameters to set and tune.
>
> /bz

I can ping both jails from the main host, however when in the 10.33.1.0 jail I can't access any jail in the 192.168.1.0 network.

This is what netstat -r shows:

-

root@dns1:/ # ifconfig
em0: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:25:90:ae:e8:bc
        media: Ethernet autoselect (1000baseT )
        status: active
em1: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:25:90:ae:e8:bc
        media: Ethernet autoselect (1000baseT )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=63
lagg0: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:25:90:ae:e8:bc
        inet 192.168.1.60 netmask 0x broadcast 192.168.1.60
        media: Ethernet autoselect
        status: active
        laggproto lacp lagghash l2,l3,l4
        laggport: em0 flags=1c
        laggport: em1 flags=1c

root@dns1:/ # netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
dns1               link#4             UHS         lo0

-

root@pjp1:/ # ifconfig
em0: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:25:90:ae:e8:bc
        media: Ethernet autoselect (1000baseT )
        status: active
em1: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:25:90:ae:e8:bc
        media: Ethernet autoselect (1000baseT )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=63
lagg0: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:25:90:ae:e8:bc
        inet 10.33.1.40 netmask 0x broadcast 10.33.1.40
        media: Ethernet autoselect
        status: active
        laggproto lacp lagghash l2,l3,l4
        laggport: em0 flags=1c
        laggport: em1 flags=1c

root@pjp1:/ # netstat -r
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist

-

On the main host:

root@somehost:~ # netstat -r
Routing tables

Internet:
Destination                Gateway            Flags     Netif Expire
default                    192.168.1.1        UGS       lagg0
pjp1.somehost.somedomain.  link#4             UHS         lo0
10.33.1.40/32              link#4             U         lagg0
localhost                  link#3             UH          lo0
192.168.1.0                link#4             U         lagg0
somehost                   link#4             UHS         lo0
web1.somehost.somedomain.  link#4             UHS         lo0
192.168.1.50/32            link#4             U         lagg0
dns1.somehost.somedomain.  link#4             UHS         lo0
192.168.1.60/32            link#4             U         lagg0
(... other jails)

Internet6:
Destination                Gateway            Flags     Netif Expire
::                         localhost          UGRS        lo0
localhost                  link#3             UH          lo0
:::0.0.0.0                 localhost          UGRS        lo0
fe80::                     localhost          UGRS        lo0
fe80::%lo0                 link#3             U           lo0
fe80::1%lo0                link#3             UHS         lo0
ff01::%lo0                 localhost          U           lo0
ff02::                     localhost          UGRS        lo0
ff02::%lo0                 localhost          U           lo0

-

I would rather not set up different FIBs for different jails, unless required. First of all I would like to establish what's wrong.

I just tried telnet 192.168.1.50 80 from the main host and from the 10.33.1.40 jail. From the main host it works without issues. From the jail it eventually connected after 15 or so seconds of waiting.

Grzegorz
Re: jails in different private subnets on the same host
> On 18 May 2016, at 14:00 , Grzegorz Junka wrote:
>
> Is it possible to have two jails on the same host each one in a different
> private subnet, e.g. 192.168.1.0 and 10.33.1.0, and have routing between them
> working without issues?
>
> I know it's possible to run jails with IPs in those two subnets but it seems
> there is no routing and I am not sure if it's because I can't configure my
> router properly or there is a more fundamental problem. One issue I see is
> that the jail can't have a different default gateway than the host, and that
> for now is 192.168.1.1, but I don't see a reason why 10.33.1.0 wouldn't be
> able to use 192.168.1.1 as its default gateway provided there is routing
> between those two subnets.

Given they are both on the same base system host, both addresses are connected locally and thus the kernel knows where to deliver these packets. If that doesn’t work, there is a bug somewhere.

If you want different default gateways then you may want to look into using different FIBs for different jails. See route(8) and jail(8) for parameters to set and tune.

/bz
jails in different private subnets on the same host
Is it possible to have two jails on the same host each one in a different private subnet, e.g. 192.168.1.0 and 10.33.1.0, and have routing between them working without issues?

I know it's possible to run jails with IPs in those two subnets but it seems there is no routing and I am not sure if it's because I can't configure my router properly or there is a more fundamental problem. One issue I see is that the jail can't have a different default gateway than the host, and that for now is 192.168.1.1, but I don't see a reason why 10.33.1.0 wouldn't be able to use 192.168.1.1 as its default gateway provided there is routing between those two subnets.

Grzegorz