# Jail slow to make connection, fast afterwards



## lib13 (Dec 11, 2015)

The jail is slow to start.  Sometimes drill is fast; most of the time it takes a little bit more than ten seconds to retrieve.

In the jail (similar to the hosts' files):

```
# cat /etc/hosts | grep -v '^#'
::1  deco
::21  jail
127.0.0.1  deco
127.0.0.21  jail
169.254.0.11  deco
169.254.0.21  jail
```



```
# cat /etc/resolv.conf
# Generated by resolvconf
nameserver 108.61.10.10
```



```
# ifconfig
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
  ether 56:00:00:19:21:b6
  inet 169.254.0.21 netmask 0xffffffff broadcast 169.254.0.21
  media: Ethernet 10Gbase-T <full-duplex>
  status: active
vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
  ether 5a:00:00:19:21:b6
  media: Ethernet 10Gbase-T <full-duplex>
  status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet 127.0.0.21 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
```


```
# drill freebsd.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13031
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;; freebsd.org. IN  A

;; ANSWER SECTION:
freebsd.org.  600  IN  A  8.8.178.110

;; AUTHORITY SECTION:
freebsd.org.  600  IN  NS  ns3.isc-sns.info.
freebsd.org.  600  IN  NS  ns1.isc-sns.net.
freebsd.org.  600  IN  NS  ns2.isc-sns.com.

;; ADDITIONAL SECTION:

;; Query time: 10093 msec
;; SERVER: 108.61.10.10
;; WHEN: Fri Dec 11 00:51:40 2015
;; MSG SIZE  rcvd: 133
```

The jail.conf (network only):

```
interface = "vtnet0";
ip4.addr = "vtnet0|169.254.0.21/32";
ip4.addr += "lo1|127.0.0.21/32";
```


In host's pf.conf:

```
nat pass on $ext_if from $jail1 to any -> ($ext_if)
```

I installed elinks in the jail and can see that it takes ten or more seconds to resolve the hostname and some more seconds to make the connection.  After the connection is established, it seems to be fast to download files.

So, as I have no problems in the host with this setup, what is the cause of this misbehavior in the jail?


----------



## SirDice (Dec 11, 2015)

If you bind the jail to a real interface in the same network as the host there's no need to NAT. I'd also remove the lo1 interface, jails typically don't have a localhost interface. I would also suggest using RFC-1918 addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) instead of RFC-3927 (IPv4 Link-Local; 169.254.0.0/16) addresses.


----------



## lib13 (Dec 11, 2015)

Thank you very much SirDice for your help, as I cannot find updated examples on how to do this and need it to work properly ASAP.



> I would also suggest using RFC-1918 addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) instead of RFC-3927 (IPv4 Link-Local; 169.254.0.0/16) addresses.



The 169.254.0.0/16 network was given to me from my VPS provider.

```
static_routes="linklocal"
route_linklocal="-net 169.254.0.0/16 -iface vtnet0"
```

So, I think I should not modify it...



> If you bind the jail to a real interface in the same network as the host there's no need to NAT.



My public interface address is given by DHCP from the VPS provider: 106.yyy.zzz.vvv.  To be able to do as you suggest, do I need to add an alias in the 169.254.0.0/16 network to /etc/rc.conf, like this?

```
ifconfig_vtnet0_alias0="inet 169.254.0.11/16 netmask 255.255.0.0"
```


Following this, would that mean that I should add a 169.254.0.21, for example, address to the jail?  In this case, with a /32 netmask, right?
In the jail.conf, should network be configured like:

```
interface = "vtnet0";
ip4.addr = "vtnet0|169.254.0.21/32";
```



> I'd also remove the lo1 interface, jails typically don't have a localhost interface.



Some rationale behind using lo1:
This jail is for an httpd server and I want to create another for a database server, so that the latter is not connected to the internet.  The httpd jail would only connect to the database jail through the secure loopback interface.
Following your logic, SirDice, it seems possible to add the database jail to the host network as well and block access to the jail from outside.  Is this correct?


Please, I'd appreciate your thoughtful insights on this!


----------



## SirDice (Dec 11, 2015)

lib13 said:


> The 169.254.0.0/16 network was given to me from my VPS provider.
> static_routes="linklocal"
> route_linklocal="-net 169.254.0.0/16 -iface vtnet0"


Odd, Link-Local addresses are non-routable.



> My public interface address is given by DHCP from the VPS provider: 106.yyy.zzz.vvv.  To be able to do as you suggest do I need to add an alias in the 169.254.0.0/16 network to /etc/rc.conf, like this?
> ifconfig_vtnet0_alias0="inet 169.254.0.11/16 netmask 255.255.0.0"


In that case, keep the host address as is, create lo1 and assign an RFC-1918 address to it (forget the addresses you got from the provider). Bind your jail to lo1 and the RFC-1918 address. On the host, set up NAT on vtnet0 translating your jail address(es) to your external IP (vtnet0). And add a redirection to forward port 80 to the jail.

As for adding another jail, just add another RFC-1918 address to lo1 and bind the jail to it. Communications between the two jails will never leave the host and will stay 'local'. And as long as you don't add a forwarding rule on the host the jail won't be accessible from the internet.


----------



## kpa (Dec 11, 2015)

SirDice said:


> Odd, Link-Local addresses are non-routable.



In some operating systems they are used as an analog of the IPv6 link-local addresses; others, like FreeBSD, just deny their existence completely, although they do work for directly connected networks if used.


----------



## SirDice (Dec 11, 2015)

Sure, they're just IP addresses like all the others. But it's possible those IP addresses are never routed beyond the hosting provider. I found it rather strange they're suggesting to bind those addresses to a public internet interface and route the network out of it.


----------



## lib13 (Dec 11, 2015)

SirDice said:


> In that case, keep the host address as is, create lo1 and assign an RFC-1918 address to it (forget the addresses you got from the provider). Bind your jail to lo1 and the RFC-1918 address. On the host, set up NAT on vtnet0 translating your jail address(es) to your external IP (vtnet0). And add a redirection to forward port 80 to the jail.



So, in /etc/rc.conf, do I just create an interface:

```
ifconfig_lo1="inet 127.0.0.21 netmask 255.255.255.255"
```

or should it also be a cloned interface?

```
cloned_interfaces="lo1"
ifconfig_lo1="inet 127.0.0.21 netmask 255.255.255.255"
```

with /etc/jail.conf:

```
interface = "lo1";
ip4.addr += "lo1|127.0.0.21/32";
```

Is this correct?


----------



## SirDice (Dec 11, 2015)

Use a cloned interface and don't use 127.0.0.0/8. Although the interface is called lo1 it has no relation to lo0, both are just local interfaces. This should work:

```
cloned_interfaces="lo1"
ifconfig_lo1="inet 192.168.0.1 netmask 255.255.255.0"
```
Then use this in your jail.conf:

```
interface = "lo1";
ip4.addr = "192.168.0.2";
```

The jail's address (192.168.0.2 in my example) will be dynamically added/removed when the jail starts/stops. It's not needed but I always like to assign an address (192.168.0.1 in my example) to the host side of the interface.
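For the host side that SirDice describes in words (NAT for the jail address, a redirection for port 80, nothing forwarded to the database jail), here is a pf.conf as an added example; it is not from the thread. It assumes the lo1/192.168.0.0/24 setup above, vtnet0 as the public interface, the httpd jail at 192.168.0.2 and a database jail at 192.168.0.3.

```pf
# /etc/pf.conf on the host (example, not from the thread).
# Assumed addresses: httpd jail 192.168.0.2, database jail 192.168.0.3 on lo1.
ext_if   = "vtnet0"
jail_if  = "lo1"
jail_net = "192.168.0.0/24"
www_jail = "192.168.0.2"

# Translation rules must come before filter rules in this pf version.
# Only the httpd jail gets an outbound path; the database jail has none,
# so it cannot reach the internet and the internet cannot reach it.
# ($ext_if) follows the DHCP-assigned address, so no public IP is hard-coded.
nat on $ext_if inet from $www_jail to any -> ($ext_if)

# Forward inbound HTTP from the public address to the httpd jail.
# There is deliberately no rdr rule for the database jail.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $www_jail port 80

# Filter rules: default deny inbound on the public interface.
block in on $ext_if
pass out on $ext_if keep state

# Keep management access to the host itself (assumed: ssh on port 22).
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# rdr happens before filtering, so match the translated (jail) destination here.
pass in on $ext_if inet proto tcp from any to $www_jail port 80 flags S/SA keep state

# Traffic between the jails stays on lo1 and never leaves the host.
pass on $jail_if
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s nat` afterwards to confirm only 192.168.0.2 appears in the translation rules.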


----------



## lib13 (Dec 11, 2015)

You saved my day(s)!
It's working and resolv is fast!
So, I guess that having two network interfaces assigned to the jail was causing this slowdown.


----------

