[HOWTO] Virtual subnet for jails w/ theBrig


#1

Post by grzs » 23 Oct 2017 03:29

It took me days to achieve, but finally it works, so I decided to share my solution...

A recent version of theBrig offers an option for vnet for jail networking. It means that it creates an epair virtual cable for the jail and connects it to a given interface via a bridge. It is good if you want to attach it to the main network, but I wanted to hide my jails behind a firewall and communicate with the world by NAT.

Here are the steps:
  • go to "Network/Interface Management" menu, "VLAN" tab and create a vlan for your main interface
  • make it available to the whole system by adding a new interface at "Management" tab (named automatically as OPT1 or similar)
  • in theBrig jail creation GUI (network section) select vnet
  • at host side (epairXa) the ip should be the same for all jails as it will be set for the bridge (e.g. 10.0.0.1/24)
  • at jail side give it as you wish within the subnet range (e.g. 10.0.0.123)
  • save the config
As a result you should have a bridge interface with all the jails' virtual epair cables connected to it.
The only thing left is configuring the NAT for the whole subnet, the same way you would do in case of a physical NIC connected to a switch.
Last edited by grzs on 03 Aug 2018 10:42, edited 2 times in total.


Re: [HOWTO] Virtual subnet for jails w/ theBrig

#2

Post by Jyjon » 08 Jan 2018 04:24

Following your instructions Network > Interface Management.
I have the choices of creating a new:
interface
wlan
vlan
lagg
bridge
carp

I do not see vnet as a choice.

I'm assuming you mean a new Interface since you say to select it as OPT1.
I cannot create an interface without a network port.
Could you be a bit more specific, please?
Supermicro X9SCM-F-O : Intel E3-1225v2 : 32GB ECC RAM : Dell Perc H200i flashed to Dell 6Gbps SAS HBA : Mirrored 2x 4TB 2.5" Seagate ST4000LM016 : Raidz1 3x6TB WL6000GSA6457


Re: [HOWTO] Virtual subnet for jails w/ theBrig

#3

Post by grzs » 03 Aug 2018 10:44

Sorry, I haven't been here for a long time.
I updated the howto.


Re: [HOWTO] Virtual subnet for jails w/ theBrig

#4

Post by Stuarty » 10 Jan 2019 21:53

I would really like some help with this. I want to be able to have upnp in a jail and I believe that a vnet is the way to have the upnp service accessible on my lan, but I don't understand how to configure XigmaNAS and TheBrig.


Re: [HOWTO] Virtual subnet for jails w/ theBrig

#5

Post by grzs » 10 Jan 2019 23:24

I don't know too much about upnp, but I'll try to describe my setup again (although I don't use XigmaNAS at the moment).

So, the main idea was to create a virtual subnet for my jails, as if the host would have had two network interfaces, and the jails would have been single machines connected to it via a switch. In this case the second interface and the switch (=bridge) are virtual. But you can route traffic to each jail and you can forward ports with IPFW as if they were separate devices (look at my other howto). The XigmaNAS box acts as a firewall.

In TheBrig GUI you can choose vnet, and in that case it creates a virtual cable (epair) for you, and a bridge interface in the host. But you need only one bridge, that's why you give the same IP to the host side of every epair. But to do this, you have to create a VLAN first in the main GUI.

Let's see an example:
I have a jail running a web server on port 8080. When I created the jail I gave the host side the ip 10.0.0.1/24, so a bridge interface has been created on the host. The jail side ip is 10.0.0.8. This is the address where I can reach the jail from the host. I can make its service accessible for the outer world if I configure the firewall (IPFW) to forward traffic from outbound port 80 to 10.0.0.8:8080. So from outside it will appear like my host would offer web service at port 80. I hope it helped. If not, please ask a specific question.
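
The NAT step the first post leaves open and the port forward described in post #5, written as raw ipfw in-kernel NAT commands; this is an added example, not part of any forum post, and it does not show how the XigmaNAS firewall GUI stores the same rules. Assumptions: WAN interface re0 (taken from the ifconfig output later in the thread), constructed rule numbers 100/110 and NAT instance 1, ipfw already enabled with ipfw_nat loaded, and a ruleset that otherwise allows traffic on the jail bridge. The script only prints the commands for review.

```shell
#!/bin/sh
# Added example, not from the thread. Prints ipfw commands; executes nothing.
# Assumed values: WAN interface re0 (ifconfig output in post #7), jail subnet
# 10.0.0.0/24 and web jail 10.0.0.8:8080 (post #5).

# in_subnet24 IP NET/24: succeeds when IP shares the first three octets.
in_subnet24() { [ "${1%.*}" = "${2%.*/24}" ]; }

# valid_port N: succeeds for an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_nat_rules WAN_IF JAIL_NET/24 [proto:ext_port:jail_ip:jail_port ...]
gen_nat_rules() {
    wan=$1 subnet=$2; shift 2
    redirects=""
    for fwd in "$@"; do
        proto=${fwd%%:*}; rest=${fwd#*:}
        ext=${rest%%:*};  rest=${rest#*:}
        jip=${rest%%:*};  jport=${rest#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in $fwd" >&2; return 1 ;;
        esac
        if ! valid_port "$ext" || ! valid_port "$jport"; then
            echo "bad port in $fwd" >&2; return 1
        fi
        # Refuse forwards that point outside the jail subnet (e.g. at the LAN).
        if ! in_subnet24 "$jip" "$subnet"; then
            echo "$jip is not in $subnet" >&2; return 1
        fi
        redirects="$redirects redirect_port $proto $jip:$jport $ext"
    done
    echo "sysctl net.inet.ip.forwarding=1"   # host must route for the jails
    # One NAT instance on the WAN side; only the listed ports reach a jail.
    echo "ipfw nat 1 config if $wan same_ports reset$redirects"
    echo "ipfw add 100 nat 1 ip from $subnet to any out via $wan"
    echo "ipfw add 110 nat 1 ip from any to me in via $wan"
}

# Post #5's case: host port 80 forwarded to the jail's web server on 8080.
gen_nat_rules re0 10.0.0.0/24 tcp:80:10.0.0.8:8080
```

With the default `net.inet.ip.fw.one_pass=1`, a packet that matches a nat rule is accepted without visiting later rules, so filtering rules for the WAN interface need to come before rule 110 or `one_pass` has to be set to 0.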


Re: [HOWTO] Virtual subnet for jails w/ theBrig

#6

Post by Stuarty » 18 Jan 2019 16:29

In your example you set the jail IP in TheBrig settings for the jail but what are the settings for in "network > interface management" in the web-gui? And should the IP of the jail be within the range of the other IPs on my network?

On my network the gateway assigns IPs in the range 192.168.0.1/24. So, my jails without vnet have IPs like 192.168.0.85. When I choose to enable vnet for a jail TheBrig suggests an IP in the range 192.168.1/24 and assigns the jail 192.168.1.252. When I start the jail with this IP I can't connect to it (I guess because I'm on a different subnet).

I don't understand the interaction between 'VLAN', 'bridge', 'epair' and 'vnet'.


Re: [HOWTO] Virtual subnet for jails w/ theBrig

#7

Post by Stuarty » 18 Jan 2019 17:14

I will try and describe what I want to achieve. I have a jail with a upnp server in it. Devices on my network can't access this server and I think this is because it is in a jail and so cannot receive multicast messages. I believe that if I could configure a vnet for the jail then the devices would be able to contact the upnp server.

Before I start, ifconfig tells me:

```
ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 20:cf:30:43:da:35
	hwaddr 20:cf:30:43:da:35
	inet 192.168.0.16 netmask 0xffffff00 broadcast 192.168.0.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
```

When I look at the network configuration page in the web GUI I see the following:

Image

So, my first question is, how do I create a lan from this point?

When I go to the jail that I have created with TheBrig I see the following:

Image

I don't know what IP range to give the epair interface and I don't know what I should choose under 'Attach to interface'. I've tried to work through various possibilities but nothing I do has worked. I hope this makes sense. I have tried to read about vnets and jails elsewhere but just don't understand what I am reading. There is a guide I nearly understand here but I can't quite join it up with the XigmaNAS GUI.

Any help appreciated.


Re: [HOWTO] Virtual subnet for jails w/ theBrig

#8

Post by grzs » 19 Jan 2019 12:33

My goal was creating a virtual subnet for my jails, to make the services available from the host IP by port forwarding. If the upnp service listens on a specific port or port range this solution is viable for you too. It has the advantage that the host's firewall can give access to the jails only on the given ports. It means that if you create a virtual subnet it will have a different range. If your LAN address is 1.2.3.0/24 and your vnet is 1.0.0.0/24, the clients on your LAN won't see the jails on the subnet. To do this you have to forward the specific ports like this:

client (1.2.3.4) -----> host (1.2.3.1:9000) --firewall port forward--> jail (1.0.0.0:9000)

First try to do the following steps:
- main GUI / Network / tab "VLAN" : add new vnet with name OPT1
- main GUI / Network / tab "Management" : check if OPT1 exists
- theBrig GUI / jail creation / Networking section / "Epair interface" Side A: 10.0.0.1 / 24 ; side B: 10.0.0.2
- theBrig GUI / jail creation / Networking section / "Attach to interface" : choose OPT1

Send ifconfig output from the host and the jail too.
