
[HOWTO] Virtual subnet for jails w/ theBrig

grzs
NewUser
Posts: 7
Joined: 23 Oct 2017 02:48
Status: Offline

[HOWTO] Virtual subnet for jails w/ theBrig

#1

Post by grzs » 23 Oct 2017 03:29

It took me days to achieve, but finally it works, so I decided to share my solution...

Recent versions of theBrig offer an option for vnet for jail networking. It means that it creates an epair virtual cable for the jail and connects it to a given interface via a bridge. It is good if you want to attach it to the main network, but I wanted to hide my jails behind a firewall and communicate with the world by NAT.

Here are the steps:
  • go to "Network/Interface Management" menu, "VLAN" tab and create a vlan for your main interface
  • make it available to the whole system by adding a new interface at "Management" tab (named automatically as OPT1 or similar)
  • in theBrig jail creation GUI (network section) select vnet
  • at host side (epairXa) the ip should be the same for all jails as it will be set for the bridge (e.g. 10.0.0.1/24)
  • at jail side give it as you wish within the subnet range (e.g. 10.0.0.123)
  • save the config
As a result you should have a bridge interface with all the jails' virtual epair cables connected to it.
The only thing left is configuring the NAT for the whole subnet, the same way you would do in case of a physical NIC connected to a switch.
[attachment: jail_vnet.png]
Last edited by grzs on 31 Jan 2019 01:27, edited 3 times in total.

Jyjon
Starter
Posts: 17
Joined: 17 Nov 2014 21:51
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#2

Post by Jyjon » 08 Jan 2018 04:24

Following your instructions Network > Interface Management.
I have the choices of creating a new:
interface
wlan
vlan
lagg
bridge
carp

I do not see vnet as a choice.

I'm assuming you mean a new Interface since you say to select it as OPT1.
I cannot create an interface without a network port.
Could you be a bit more specific please.
Supermicro X9SCM-F-O : Intel E3-1225v2 : 32GB ECC RAM : Dell Perc H200i flashed to Dell 6Gbps SAS HBA : Mirrored 2x 4TB 2.5" Seagate ST4000LM016 : Raidz1 3x6TB WL6000GSA6457

grzs
NewUser
Posts: 7
Joined: 23 Oct 2017 02:48
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#3

Post by grzs » 03 Aug 2018 10:44

Sorry, I haven't been here for a long time.
I updated the howto.

Stuarty
Starter
Posts: 36
Joined: 21 Jun 2013 17:40
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#4

Post by Stuarty » 10 Jan 2019 21:53

I would really like some help with this. I want to be able to have upnp in a jail and I believe that a vnet is the way to have the upnp service accessible on my lan, but I don't understand how to configure XigmaNAS and TheBrig.

grzs
NewUser
Posts: 7
Joined: 23 Oct 2017 02:48
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#5

Post by grzs » 10 Jan 2019 23:24

I don't know too much about upnp, but I'll try to describe my setup again (although I don't use XigmaNAS at the moment).

So, the main idea was to create a virtual subnet for my jails, as if the host had two network interfaces and the jails were single machines connected to it via a switch. In this case the second interface and the switch (=bridge) are virtual. But you can route traffic to each jail and you can forward ports with IPFW as if they were separate devices (look at my other howto). The XigmaNAS box acts as a firewall.

In TheBrig GUI you can choose vnet, and in that case it creates a virtual cable (epair) for you, and a bridge interface in the host. But you need only one bridge, that's why you give the same IP to the host side of every epair. But to do this, you have to create a VLAN first in the main GUI.

Let's see an example:
I have a jail running a web server on port 8080. When I created the jail I gave the host side the ip 10.0.0.1/24, so a bridge interface has been created on the host. The jail side ip is 10.0.0.8. This is the address where I can reach the jail from the host. I can make its service accessible for the outer world if I configure the firewall (IPFW) to forward traffic from outbound port 80 to 10.0.0.8:8080. So from outside it will appear as if my host offered a web service on port 80. I hope it helped. If not, please ask a specific question.

Stuarty
Starter
Posts: 36
Joined: 21 Jun 2013 17:40
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#6

Post by Stuarty » 18 Jan 2019 16:29

In your example you set the jail IP in TheBrig settings for the jail but what are the settings for in "network > interface management" in the web-gui? And should the IP of the jail be within the range of the other IPs on my network?

On my network the gateway assigns IPs in the range 192.168.0.1/24. So, my jails without vnet have IPs like 192.168.0.85. When I choose to enable vnet for a jail TheBrig suggests an IP in the range 192.168.1/24 and assigns the jail 192.168.1.252. When I start the jail with this IP I can't connect to it (I guess because I'm on a different subnet).

I don't understand the interaction between 'VLAN', 'bridge', 'epair' and 'vnet'.

Stuarty
Starter
Posts: 36
Joined: 21 Jun 2013 17:40
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#7

Post by Stuarty » 18 Jan 2019 17:14

I will try and describe what I want to achieve. I have a jail with a upnp server in it. Devices on my network can't access this server and I think this is because it is in a jail and so cannot receive multicast messages. I believe that if I could configure a vnet for the jail then the devices would be able to contact the upnp server.

Before I start, ifconfig tells me:

ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 20:cf:30:43:da:35
	hwaddr 20:cf:30:43:da:35
	inet 192.168.0.16 netmask 0xffffff00 broadcast 192.168.0.255 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo

When I look at the network configuration page in the web GUI I see the following:

[image]

So, my first question is, how do I create a lan from this point?

When I go to the jail that I have created with TheBrig I see the following:

[image]

I don't know what IP range to give the epair interface and I don't know what I should choose under 'Attach to interface'. I've tried to work through various possibilities but nothing I do has worked. I hope this makes sense. I have tried to read about vnets and jails elsewhere but just don't understand what I am reading. There is a guide I nearly understand here but I can't quite join it up with the XigmaNAS GUI.

Any help appreciated.

grzs
NewUser
Posts: 7
Joined: 23 Oct 2017 02:48
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#8

Post by grzs » 19 Jan 2019 12:33

My goal was creating a virtual subnet for my jails, to make the services available from the host IP by port forwarding. If the upnp service listens on a specific port or port range, this solution is viable for you too. It has the advantage that the host's firewall can give access to the jails only on the given ports. It means that if you create a virtual subnet it will have a different range. If your LAN address is 1.2.3.0/24 and your vnet is 10.0.0.0/24, the clients on your LAN won't see the jails on the subnet. To do this you have to forward the specific ports like this:

client (1.2.3.4) -----> host (1.2.3.1:9000) --firewall port forward--> jail (10.0.0.123:9000)

First try to do the following steps:
- main GUI / Network / tab "VLAN" : add new vnet with name OPT1
- main GUI / Network / tab "Management" : check if OPT1 exist
- theBrig GUI / jail creation / Networking section / "Epair interface" Side A: 10.0.0.1 / 24 ; side B: 10.0.0.2
- theBrig GUI / jail creation / Networking section / "Attach to interface" : choose OPT1

Send ifconfig output from the host and the jail too.
Last edited by grzs on 29 Jan 2019 13:42, edited 1 time in total.
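Added here as an example, not code from this thread, from theBrig or from XigmaNAS: a plain FreeBSD ipfw script that does what grzs describes in posts #1, #5 and #8 (NAT for the jail subnet, host port 80 forwarded to the web jail's 8080, and the jails otherwise unreachable from the LAN). The LAN NIC re0, the subnet 10.0.0.0/24 and the jail address 10.0.0.8 are assumptions taken from the examples above; how XigmaNAS persists such a script across reboots is not covered here.

```shell
#!/bin/sh
# NAT + port forwarding for a vnet jail subnet with ipfw (FreeBSD, ipfw_nat).
# Assumed values (not from the thread): LAN NIC re0, jail subnet 10.0.0.0/24,
# web jail 10.0.0.8 with host port 80 -> jail port 8080.
LAN_IF=${LAN_IF:-re0}
JAIL_NET=${JAIL_NET:-10.0.0.0/24}
# "proto jailIP:jailPort hostPort" entries, separated by ';'
FORWARDS=${FORWARDS:-"tcp 10.0.0.8:8080 80"}
DRY_RUN=${DRY_RUN:-0}

# Run a command, or only print it when DRY_RUN=1 (review the rule set first).
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Turn $FORWARDS into the redirect_port clauses of 'ipfw nat config'.
redirects() {
    printf '%s\n' "$FORWARDS" | tr ';' '\n' | while read -r proto target hostport; do
        [ -n "$proto" ] && printf 'redirect_port %s %s %s ' "$proto" "$target" "$hostport"
    done
}

apply_rules() {
    run sysctl net.inet.ip.forwarding=1      # the host routes between bridge and LAN
    run kldload -n ipfw ipfw_nat
    run ipfw -q -f flush
    # One NAT instance bound to the LAN NIC: it tracks outbound jail connections
    # and rewrites inbound host:hostPort to jail:jailPort for each redirect.
    run ipfw nat 1 config if "$LAN_IF" same_ports unreg_only $(redirects)
    run ipfw add 100 allow ip from any to any via lo0
    # Packets arriving on the LAN already addressed to the jail subnet are dropped,
    # so the jails are reachable from the LAN only through the published ports.
    run ipfw add 200 deny ip from any to "$JAIL_NET" in via "$LAN_IF"
    # Inbound: translate first (port redirects and replies to jail connections).
    run ipfw add 300 nat 1 ip4 from any to any in via "$LAN_IF"
    # Outbound from the jails: hide them behind the host's LAN address.
    run ipfw add 400 nat 1 ip4 from "$JAIL_NET" to any out via "$LAN_IF"
    # Everything else (the host's own services) stays reachable as before.
    run ipfw add 65000 allow ip from any to any
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it as `DRY_RUN=1 sh nat.sh apply` to print the rules without touching the firewall; the deny rule relies on ipfw's default one_pass behaviour, where a packet accepted by a nat rule is not matched against later rules.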

Stuarty
Starter
Posts: 36
Joined: 21 Jun 2013 17:40
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#9

Post by Stuarty » 28 Jan 2019 20:31

Okay, so I created a vlan called OPT1 and rebooted and I can see it.

'jls' and 'ifconfig' from the host are:

box: /mnt# jls
   JID  IP Address      Hostname          Path
     1  192.168.0.71    plex.local        /tank2/extensions/thebrig/plex
     2  192.168.0.85    lmssept18.local   /tank2/extensions/thebrig/lmssept18
     3                  minim.local       /tank2/extensions/thebrig/minim
box: /mnt# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 20:cf:30:43:da:35
	hwaddr 20:cf:30:43:da:35
	inet 192.168.0.16 netmask 0xffffff00 broadcast 192.168.0.255 
	inet 192.168.0.71 netmask 0xffffff00 broadcast 192.168.0.255 
	inet 192.168.0.85 netmask 0xffffff00 broadcast 192.168.0.255 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo 
vlan0: flags=8102<BROADCAST,PROMISC,MULTICAST> metric 0 mtu 1500
	ether 00:00:00:00:00:00
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	vlan: 0 vlanpcp: 0 parent interface: <none>
	groups: vlan 
bridge20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:5b:b9:13:e5:14
	inet 192.168.1.251 netmask 0xffffff00 broadcast 192.168.1.255 
	nd6 options=1<PERFORMNUD>
	groups: bridge 
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 5 priority 128 path cost 2000
	member: vlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 3 priority 128 path cost 55
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:7c:10:00:05:0a
	hwaddr 02:7c:10:00:05:0a
	inet6 fe80::7c:10ff:fe00:50a%epair3a prefixlen 64 scopeid 0x5 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	groups: epair

'ifconfig' inside the jail 'minim' is:

root@minim:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo 
epair3b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:7c:10:00:06:0b
	hwaddr 02:7c:10:00:06:0b
	inet6 fe80::7c:10ff:fe00:60b%epair3b prefixlen 64 scopeid 0x2 
	inet 192.168.1.252 netmask 0xffffff00 broadcast 192.168.1.255 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	groups: epair 
root@minim:/ # 

Note that the first jls query on the host shows the jail without an ip. I don't know what to do next. Do I need to forward a port on my router? Do I need to use pf on the xigmanas host to forward a port? I want upnp clients on my lan to be able to access the upnp server MinimServer in the jail.

grzs
NewUser
Posts: 7
Joined: 23 Oct 2017 02:48
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#10

Post by grzs » 29 Jan 2019 13:35

OK, please send output of the following commands executed on the host:
netstat -r -f inet
ping 192.168.1.252

If it works then xigmanas acts as a router, so it should forward the network packets to the jail on the subnet.
PF can be easier but I couldn't do it on xigmanas. I had to use ipfw instead (it's in the kernel, no extra package install needed).

Stuarty
Starter
Posts: 36
Joined: 21 Jun 2013 17:40
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#11

Post by Stuarty » 29 Jan 2019 15:17

@grzs
Thanks for your help, I'm really grateful. Here are the responses to the two commands:

netstat -r -f inet
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default            router.asus.com    UGS         re0
localhost          link#2             UH          lo0
192.168.0.0/24     link#1             U           re0
box                link#1             UHS         lo0
192.168.0.71       link#1             UHS         lo0
192.168.0.85       link#1             UHS         lo0
192.168.1.0/24     link#4             U      bridge20
192.168.1.251      link#4             UHS         lo0

ping 192.168.1.252
PING 192.168.1.252 (192.168.1.252): 56 data bytes
64 bytes from 192.168.1.252: icmp_seq=0 ttl=64 time=0.053 ms
64 bytes from 192.168.1.252: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 192.168.1.252: icmp_seq=2 ttl=64 time=0.050 ms
64 bytes from 192.168.1.252: icmp_seq=3 ttl=64 time=0.059 ms
64 bytes from 192.168.1.252: icmp_seq=4 ttl=64 time=0.049 ms
64 bytes from 192.168.1.252: icmp_seq=5 ttl=64 time=0.053 ms
64 bytes from 192.168.1.252: icmp_seq=6 ttl=64 time=0.046 ms
^C
--- 192.168.1.252 ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.046/0.053/0.061/0.005 ms

I think that's a good result…

grzs
NewUser
Posts: 7
Joined: 23 Oct 2017 02:48
Status: Offline

Re: [HOWTO] Virtual subnet for jails w/ theBrig

#12

Post by grzs » 29 Jan 2019 15:24

Yes, it seems it works :)

As you can see, the bridge interface is the gateway to the virtual subnet. It means that you can reach the services within the jail from the host.
If you want to reach it from outside (LAN) you have to forward the ports. Check my other howto, and if you are puzzled, feel free to write me.

And if you have any idea on how to make this howto clearer, don't hesitate to let me know.
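As an added check, not part of the thread: a POSIX sh script that reads the host's ifconfig and routing-table output and verifies what grzs tests for in posts #10 to #12, namely that the bridge owns the gateway address of the virtual subnet, that an epair is attached to it, and that the jail subnet is routed through the bridge. The embedded sample lines are copied from Stuarty's output in posts #9 and #11; bridge20 and 192.168.1.0/24 come from there too.

```shell
#!/bin/sh
# Sanity check for the vnet layout from this thread. Sample text below is copied
# from the host output posted by Stuarty; on a live host use
#   check_vnet "$(ifconfig)" "$(netstat -rn -f inet)" bridge20 192.168.1.0/24
IFCONFIG_OUT='bridge20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.251 netmask 0xffffff00 broadcast 192.168.1.255
    member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: vlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::7c:10ff:fe00:50a%epair3a prefixlen 64 scopeid 0x5
    groups: epair'
ROUTES_OUT='192.168.0.0/24     link#1             U           re0
192.168.1.0/24     link#4             U      bridge20
192.168.1.251      link#4             UHS         lo0'

# Print the values of one ifconfig keyword for one interface, space separated
# (empty if absent). Usage: iface_field <ifconfig text> <interface> <keyword>
iface_field() {
    printf '%s\n' "$1" | awk -v ifn="$2" -v key="$3" '
        /^[a-z]/ { cur = $1; sub(":$", "", cur) }
        cur == ifn && $1 == key { printf "%s%s", sep, $2; sep = " " }
        END { print "" }'
}

# Netif column of the routing-table entry for a destination (empty if absent).
route_netif() {
    printf '%s\n' "$1" | awk -v dst="$2" '$1 == dst { print $NF }'
}

# Return 0 when the bridge is a usable gateway for the jail subnet.
# Usage: check_vnet <ifconfig text> <routes text> <bridge> <subnet>
check_vnet() {
    gw=$(iface_field "$1" "$3" inet)
    members=$(iface_field "$1" "$3" member:)
    netif=$(route_netif "$2" "$4")
    [ -n "$gw" ] || { echo "no IPv4 address on $3"; return 1; }
    case " $members " in *" epair"*) ;; *) echo "no epair member on $3"; return 1 ;; esac
    [ "$netif" = "$3" ] || { echo "$4 is not routed via $3 (got '$netif')"; return 1; }
    echo "ok: $3 is $gw, members: $members, $4 -> $3"
}

check_vnet "$IFCONFIG_OUT" "$ROUTES_OUT" bridge20 192.168.1.0/24
```

If the host side of the epair had been given its own address instead of the bridge, the first check would still pass but the jail subnet would be routed via the epair, which the third check reports.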
