No Internet access within jail

[achaycock]

I'm currently trying to create a crashplan jail on our NAS and have hit a problem with networking. Essentially the jail does not seem to want to talk to the outside world.

I am using TheBrig to create and manage the jail, and have enabled the [Route only TCP/IP within a jail] option. The IP address that I have assigned the jail is 192.168.0.27/24 and this maps to LAGG0, an aggregate link consisting of igb0 and igb1 configured to use LACP.

I'm hoping that this may give some clues. Is there something else that I can try? I'm beginning to feel a touch frustrated

[raulfg3]

sorry but actual implementation of jails in thebrig do not support LAGG, works fine with only one NIC in config, but not with LAGG.

Try to configure using one of the involves NIC (eg: igb0) and must work.

[achaycock]

Thank you so much for your reply, it's incredibly helpful, though it leads to follow on questions.

Is it possible to configure this to use igb0 or igb1 while they're still used being used as an aggregate link? I confess that seems highly unlikely but sometimes unlikely things are possible.

Otherwise is the problem related only to the TheBrig or BSD jails in general? Would Finch be likely to offer success for example?

I greatly appreciate the assistance, whatever the answer I think I'm in for a lot less hair pulling

[raulfg3]

Is it possible to configure this to use igb0 or igb1 while they're still used being used as an aggregate link?

yes, not tested , but must work

Otherwise is the problem related only to the TheBrig or BSD jails in general? Would Finch be likely to offer success for example?

not sure, I know that this problem exist on thebrig, but use a LAGG is not really common so not sure if finch have the same problem.

[achaycock]

Thank you. I'm going to try this and see what happens, most likely tomorrow morning. Failing that I'll install an additional NIC and dedicate that for Jail use.

I very much appreciate your assistance and I'll let you know what happens.

[achaycock]

After a lot of tinkering, I've begun to feel at a complete loss.

I have the jail connected to igb1 (OPT1) only, although I have also tried this on igb0 (LAN) also. I have disabled LAGG altogether and yet I am still experiencing no joy with respect to internet access from within the jail.

This is ifconfig on ZOE (the host)

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=401bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
ether d0:50:99:46:c2:6c
inet 192.168.0.25 netmask 0xffffff00 broadcast 192.168.0.255
inet 192.168.0.27 netmask 0xffffff00 broadcast 192.168.0.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=401bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
ether d0:50:99:46:c2:6d
inet 192.168.0.27 netmask 0xffffff00 broadcast 192.168.0.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

And this is ifconfig on crashplan (the jail)

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=401bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
ether d0:50:99:46:c2:6c
inet 192.168.0.27 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=401bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
ether d0:50:99:46:c2:6d
inet 192.168.0.27 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>

[raulfg3]

you need help from a friend that manage LANs and rules, I only see that ZOE (The host) have igb0 with 2 IP( 192.168.0.25 and 192.168.0.27) and igb1 with same IP that igb0 (192.168.0.27).

My point is: this is not a jail or Nas4Free related problem, is a network problem, you need to be sure what you want and how to do.

[dreamcat4]

I don't think I can help any more than Raul here. But after experimenting with LAGG myself briefly some time ago I am not surprised you are experiencing network connection problems. You may have some left over host side configuration remaining of LAGG, even after disabling LAGG itself. I would be carefuly because it is usually not a very easy way to set up link aggregation.

I *theory* (ahem, because it doesn't work / didn't work / has never worked for me this way and there are still incomplete / missing outstanding features to LAGG which were not implemented anytime up to FreeBSD 9.2). In *theory* you are supposed to create the LAGG interface with ifconfig command on the host. Then associate one or more physical networking interfaces to the virtual lagg[0-9] device. There are different modes or types of connection to assign which have different purposes and will do different kinds of things.

So then once the virtual LAGG interface is proven fully working on the host side. You will probably also want to run some tests using the iperf command or something (to check the throughput if aggregating). Else disconnect the link state phyically by unplugging cables (if failover feature).

Only after that point, should you consider to bind a jail's IP address to the virtual lagg0 interface (this results in ifconfig alias ... command being run when the jail is started up). If the LAGG interface is working properly, then set the default route inside the jail same as the LAGG interface and you are done.

Else otherwise (since it didn't work for *me* i can't say what you will do about it). Maybe consider other options if there are any alternatives available to you.

If you decide to give up on LAGG or anything else and just return to ways of 1 physical interface device. Then you just delete your jail. Create a new one. If you really can't do that either then re-configure the jail's ip4_addr jail configuration parameter (to point to single physical network interface and new jail ip address). Make sure that your jail's IP address is on the same subnet as your router / LAN whatever. For most people normally that is 192.168.1.XXX / 24 (255.255.255.0 netmask). Set the default route to point to your LAN's router e.g. 192.168.1.1, 'man route' 'route default ...' command will set the default route.

If problem still persists you may have mucked up networking on the host side during LAGG configuration. It certainly happened to me and not terribly easy to recover from when you are locked out of being able to login over ssh.

[achaycock]

That actually makes a lot of sense sadly. I have given up on the LAGG idea as it happens, though I was surprised when after deleting and recreating the jail I found that it still had no internet access. You have however pointed me towards a few areas that I can investigate so hope is rekindled, thank you so much for your reply it is a big help.

[achaycock]

Hi, many thanks for the assistance. Following the advice I have been given, it has now been possible to get the jail fully operational (sans LAGG).