# Trying to understand jail networking



## japoc (Nov 16, 2015)

Hi,

I have trouble understanding how IP addresses work in regard to FreeBSD jails.
Every single example I see seems to assign another IP (an alias) to a physical network interface on the host, and attribute it to the jail. But my server is a remote machine and I was assigned only one IP address by the hosting company. I don't think I can decide to add an IP on their network like this.
Should I instead create an alias on the loopback interface of the host, and use NAT to reach the jail (that is, make a router out of my host)?
Or am I completely misunderstanding all of this?

Thanks for your help.


----------



## SirDice (Nov 16, 2015)

japoc said:


> Or am I completely misunderstanding all of this?


Nope, you understood it correctly.


----------



## japoc (Nov 22, 2015)

Well, it seems it's a lot more complicated than I expected.
I learned it was impossible to set a default route inside a jail. So how could the host act as a router for the jail? I searched the whole internet (Google asks me for captchas now) and I couldn't find a single page explaining how networking works for jails.

I have a question:

When I do a 

`wget 123.123.123.123` 

for example inside the jail. What does the packet look like and on what interface does it go?

Or please, could you point me to a documentation that explains how networking works for jails. It's obviously extremely different than for a physical machine so I guess it must be documented somewhere. But where?

Thanks for your help.


----------



## kpa (Nov 23, 2015)

There is no difference in jail networking compared to how it works on the host when it comes to routing; any communication originating from a jailed application is routed using the host's routing table. What is slightly different in a jail is the availability of IP addresses that can be used for bind(2)ing a socket: usually the loopback interface lo0 with the usual loopback address 127.0.0.1 is not available in a jail. This means services running in a jail have to be adjusted to use only the IP address(es) available in the jail. Client-type applications do not have to be configured specially in a jail because the IP address selection automatically selects the correct IP address that is available in the jail for outbound traffic.


----------



## japoc (Nov 23, 2015)

Ok, so here is my understanding so far.
Say I have a jail that was created with IP address 10.0.0.200 and this IP address is configured on interface lo1 (a cloned local interface).
Say the host has an external interface re0 configured with IP 192.168.0.15 and default gateway 192.168.0.1 (which is connected to the internet).

When I do

`wget 123.123.123.123`

inside the jail.

The first packet that is emitted should look like this:

```
source: 10.0.0.200; destination: 123.123.123.123
source-port: some random port;  destination-port: 80
```
and it should be presented directly on the re0 interface of the host.

Is this correct?

If so, in order for networking to work inside the jail, I should add the following NAT rule to my pf firewall (pf.conf):

```
nat on ! re0 from 10.0.0.200 to any -> (re0)
```
This way, the packets coming from the jail would appear to come from the host.

Is this correct?


----------



## kpa (Nov 23, 2015)

Yes, you understood correctly (partly). The source address selected in this case will be the only one available to the jailed application, 10.0.0.200. The nat will then change the source address of the packet to 192.168.0.15 before the packet leaves via the re0 interface.

Your nat rule, however, won't work; do it this way:


```
...
ext_if = re0
...
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
...
```

This way the rule catches all traffic that is going out from the system regardless of the source. You won't have to add any more nat rules with that rule in place.


----------



## japoc (Nov 23, 2015)

Thanks. I just realized the "!" was a negation. I thought it was just a syntactic element you were forced to use to form a nat expression for pf.
So what I actually meant to do was:


```
nat on re0 from 10.0.0.200 to any -> (re0)
```

This should work, right? Your formulation is more general, though (it would work for other jails I could create on other IPs).


----------



## kpa (Nov 23, 2015)

Yes, that would work for the particular case. For the more general rule I gave, make sure you put the inet keyword in; you don't want to nat IPv6 (inet6) traffic with the same rule, and nat with IPv6 might not even work with FreeBSD's PF implementation.


----------



## japoc (Nov 23, 2015)

Oh, thanks, I'm going to add the inet keyword!


----------
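Added example, not part of any post in this thread: a simplified Python model (not pf's own logic) of how the three nat rules discussed above treat the packet japoc describes as it leaves via re0. The function name `nat_source`, the interface table and the rule labels are assumptions made for illustration, and the model covers only the rule shape used in the thread.

```python
"""Simplified model of pf nat-rule matching for the rules in this thread (not pf itself)."""
import re
from ipaddress import ip_address

# Constructed host state using the thread's values: interface -> addresses on it.
IFACE_ADDRS = {"re0": ["192.168.0.15"], "lo1": ["10.0.0.200"]}

# Only the rule shape from the thread: nat on [!] IF [inet|inet6] from [!] SRC to any -> (IF)
RULE_RE = re.compile(
    r"nat on (?P<ifneg>! ?)?(?P<ifname>\S+)(?: (?P<af>inet6?))? "
    r"from (?P<srcneg>! ?)?(?P<src>\S+) to any -> \((?P<to>\w+)\)$")

def nat_source(rule, out_if, src, macros=None):
    """Return the source address of a packet leaving via out_if after the rule."""
    for name, value in (macros or {}).items():
        rule = rule.replace("$" + name, value)
    m = RULE_RE.match(rule.strip())
    if m is None:
        raise ValueError("rule outside the modelled subset: " + rule)
    addr = ip_address(src)
    # "on IF" matches the interface the packet leaves through; "!" inverts that.
    if (out_if == m["ifname"]) == bool(m["ifneg"]):
        return src
    # An address-family keyword limits the rule to that family.
    if m["af"] and m["af"] != ("inet6" if addr.version == 6 else "inet"):
        return src
    # Source is "any", a literal address, or "(IF)" = addresses currently on IF.
    spec = m["src"]
    if spec == "any":
        hit = True
    elif spec.startswith("("):
        hit = src in IFACE_ADDRS[spec.strip("()")]
    else:
        hit = addr == ip_address(spec)
    if hit == bool(m["srcneg"]):
        return src
    # "-> (IF)": rewrite to an address of IF in the packet's family (model assumption).
    same_family = [a for a in IFACE_ADDRS[m["to"]] if ip_address(a).version == addr.version]
    return same_family[0] if same_family else src

RULES = {
    "first attempt": "nat on ! re0 from 10.0.0.200 to any -> (re0)",
    "corrected": "nat on re0 from 10.0.0.200 to any -> (re0)",
    "general": "nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)",
}

if __name__ == "__main__":
    for label, rule in RULES.items():
        print(label, "->", nat_source(rule, "re0", "10.0.0.200", {"ext_if": "re0"}))
```

On a real host, `pfctl -s nat` lists the loaded translation rules and `tcpdump -n -i re0` shows the source address that actually leaves the interface.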

