# internet access to jail



## ac1115 (Mar 17, 2011)

I know this topic has been covered dozens of times at least, but I've been through every thread the forum search and Google search have given me.  I've been bashing my head for hours on this.

I've a fresh install of FreeBSD on my box.   I set up a jail and I can access my local network fine.  I can ssh into and out of the jail without any problems.   However, I cannot access the internet.

My network setup is pretty typical, nothing tricky.

```
Internet ------>  router ---------->Host -------------> Jail
                  192.168.1.1/24   192.168.1.254/24    192.168.1.253/24
```

I can access the internet fine on the host machine and other devices on the network.  It's only the jail which doesn't work.

HOST /etc/rc.conf  (relevant portion)

```
hostname="server.domain.local"

ifconfig_re0="192.168.1.254 netmask 255.255.255.0"
ifconfig_re0_alias0="inet 192.168.1.253/32"

defaultrouter="192.168.1.1"
inetd_flags="-wW -a 192.168.1.254"
sendmail_enable="NO"
```

JAIL /etc/rc.conf (entire file)

```
hostname="test.domain.local"
sshd_enable="YES"
defaultrouter="192.168.1.1"
```

I am using ezjail, here is the jail config

```
export jail_test_hostname="test"
export jail_test_ip="192.168.1.253"
export jail_test_rootdir="/usr/jails/test"
export jail_test_exec_start="/bin/sh /etc/rc"
export jail_test_exec_stop=""
export jail_test_mount_enable="YES"
export jail_test_devfs_enable="YES"
export jail_test_devfs_ruleset="devfsrules_jail"
export jail_test_procfs_enable="YES"
export jail_test_fdescfs_enable="YES"
export jail_test_image=""
export jail_test_imagetype=""
export jail_test_attachparams=""
export jail_test_attachblocking=""
export jail_test_forceblocking=""
export jail_test_zfs_datasets=""
export jail_test_cpuset=""
export jail_test_fib=""
```

Jail /etc/resolv.conf

```
nameserver 192.168.1.1
```



```
JAIL> host freebsd.org

freebsd.org has address 69.147.83.40
freebsd.org has IPv6 address 2001:4f8:fff6::28
freebsd.org mail is handled by 10 mx1.freebsd.org.
```
The Jail resolves dns correctly, since my router can handle those requests and the Jail can connect to the router fine.

However trying to build any ports fails on fetch.


----------



## SirDice (Mar 18, 2011)

ac1115 said:

> JAIL /etc/rc.conf (entire file)
> 
> ```
> hostname="test.domain.local"
> ...


You cannot set the defaultrouter inside a jail, it has to be set on the host. Hostname normally can't be set either unless *jail_set_hostname_allow* is set on the host.



> However trying to build any ports fails on fetch.


Please post the exact error.


----------



## Alt (Mar 18, 2011)

Show output of

```
traceroute -n freebsd.org
```
(from jail)


----------



## ac1115 (Mar 18, 2011)

ok,

I enabled raw sockets first 

```
sysctl security.jail.allow_raw_sockets=1
```

pinging router works fine.

```
ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.419 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.396 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.393 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.403 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.388 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=0.394 ms
64 bytes from 192.168.1.1: icmp_seq=6 ttl=64 time=0.407 ms
^C
```

pinging freebsd.org doesn't return anything,

```
ping freebsd.org
PING freebsd.org (69.147.83.40): 56 data bytes
^C
--- freebsd.org ping statistics ---
35 packets transmitted, 0 packets received, 100.0% packet loss
```


```
traceroute -n freebsd.org
traceroute to freebsd.org (69.147.83.40), 64 hops max, 52 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  *^A^A * *
11  *^C
```

removing the hostname line from Jail /etc/rc.conf has no effect.

There is no error message when I use fetch.  It just runs without any output until I ctrl+c, similar to how ping had no output until I ctrl-C.  Needless to say, the file wasn't fetched.


----------



## SirDice (Mar 18, 2011)

On what port? Some ports have very large distfiles and extracting those can take some time.


----------



## ac1115 (Mar 18, 2011)

SirDice said:

> On what port?



Any and all.  `fetch www.google.com/index.html` doesn't work, that page is only 9KB.

I'm sure it's some sort of routing or configuration issue, not a connectivity problem.


----------



## SirDice (Mar 18, 2011)

Is the router NAT'ing properly? Any firewall rules on the host that might block traffic?


----------



## ac1115 (Mar 18, 2011)

Well, I assume so. I'm using the network in question to post these messages.


----------



## SirDice (Mar 18, 2011)

ac1115 said:


> any and all.
> 
> 
> 
> ...


That means it works. That page is only 9KB. So if you now have an index.html file 9184 bytes in size we can safely assume fetch and your network works.


----------



## ac1115 (Mar 18, 2011)

Sorry if I wasn't clear. The index file doesn't download at all on the Jail. I mentioned the size to show it wasn't a matter of large files taking long to download and extract.


----------



## gkontos (Mar 18, 2011)

ac1115 said:


> ```
> hostname="server.domain.local"
> 
> ifconfig_re0="192.168.1.254 netmask 255.255.255.0"
> ...


Change this to /24


----------



## ac1115 (Mar 18, 2011)

gkontos said:


> Change this to /24



all the examples I've seen use /32 as subnet regardless of the actual value used on the network.

regardless, I tried /24 as well, no effect.


----------



## SirDice (Mar 18, 2011)

gkontos said:


> Change this to /24



No.

ifconfig(8):


> *alias*
> Establish an additional network address for this interface.  This is sometimes useful when changing network numbers, and one wishes to accept packets addressed to the old interface.  If the address is on the same subnet as the first network address for this interface, a non-conflicting netmask must be given.  Usually 0xffffffff is most appropriate.


----------



## gkontos (Mar 18, 2011)

SirDice said:


> No.
> 
> ifconfig(8):



Sorry, my mistake.
I guess tcpdump would give some answers.

```
# tcpdump -i re0
```


----------



## ac1115 (Mar 18, 2011)

Ok, I ran this on HOST:


```
tcpdump -i re0|grep 192.168.1.253
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:06:28.375759 IP 192.168.1.253.39408 > 192.168.1.1.domain: 418+ A? www.google.com. (32)
15:06:28.389775 IP 192.168.1.1.domain > 192.168.1.253.39408: 418 6/0/0 CNAME www.l.google.com., A 74.125.226.179, A 74.125.226.177, A 74.125.226.180, A 74.125.226.178, A 74.125.226.176 (132)
15:06:28.389873 IP 192.168.1.253.23444 > 192.168.1.1.domain: 419+ AAAA? www.google.com. (32)
15:06:28.390648 IP 192.168.1.1.domain > 192.168.1.253.23444: 419 1/0/0 CNAME www.l.google.com. (62)
15:06:33.383749 ARP, Request who-has 192.168.1.253 tell 192.168.1.1, length 46
15:06:33.383755 ARP, Reply 192.168.1.253 is-at 40:61:86:07:22:51 (oui Unknown), length 28
```

The above bit of output is when I used the fetch below on JAIL. There was no other output other than that.


```
fetch www.google.com/index.html
```
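An added example (mine, not code from anyone in the thread) that automates reading a host-side capture like the one above: it parses tcpdump's default text output for the jail address and reports whether DNS is being answered while no TCP SYN ever leaves the jail. The two sample captures are constructed from the lines posted above (the `HEALTHY` one adds the SYN/SYN-ACK a working jail would show); the function and verdict names are my own.

```python
import re
from collections import Counter

# Constructed samples (not a live capture), modelled on the tcpdump lines posted
# above: the router answers DNS, the jail is reachable by ARP, but nothing else.
STALLED = """\
15:06:28.375759 IP 192.168.1.253.39408 > 192.168.1.1.domain: 418+ A? www.google.com. (32)
15:06:28.389775 IP 192.168.1.1.domain > 192.168.1.253.39408: 418 6/0/0 CNAME www.l.google.com., A 74.125.226.179 (132)
15:06:28.389873 IP 192.168.1.253.23444 > 192.168.1.1.domain: 419+ AAAA? www.google.com. (32)
15:06:28.390648 IP 192.168.1.1.domain > 192.168.1.253.23444: 419 1/0/0 CNAME www.l.google.com. (62)
15:06:33.383749 ARP, Request who-has 192.168.1.253 tell 192.168.1.1, length 46
15:06:33.383755 ARP, Reply 192.168.1.253 is-at 40:61:86:07:22:51 (oui Unknown), length 28
"""
# What a working jail would add: a SYN to the resolved address and the SYN-ACK back.
HEALTHY = STALLED + """\
15:06:28.391002 IP 192.168.1.253.50123 > 74.125.226.179.http: Flags [S], seq 1, win 65535, length 0
15:06:28.420114 IP 74.125.226.179.http > 192.168.1.253.50123: Flags [S.], seq 2, ack 2, win 5840, length 0
"""
IP_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\S+) > (\d+(?:\.\d+){3})\.(\S+): (.*)$")
ARP_RE = re.compile(r"^\S+ ARP, (?:Request|Reply) (.*)$")
DNS_PORTS = {"domain", "53"}   # tcpdump prints service names unless run with -n

def triage(capture: str, jail_ip: str) -> dict:
    """Count the jail address's traffic by class: DNS, ARP, outbound TCP SYN, other."""
    counts = Counter()
    for line in capture.splitlines():
        m = IP_RE.match(line)
        if m:
            src, sport, dst, dport, rest = m.groups()
            if jail_ip not in (src, dst):
                continue
            if sport in DNS_PORTS or dport in DNS_PORTS:
                counts["dns_query" if src == jail_ip else "dns_answer"] += 1
            elif src == jail_ip and rest.startswith("Flags [S]"):
                counts["tcp_syn_out"] += 1   # the jail actually tried to connect
            else:
                counts["other_ip"] += 1
        else:
            m = ARP_RE.match(line)
            if m and jail_ip in m.group(1):
                counts["arp"] += 1           # layer 2 reachability is fine
    return dict(counts)

def verdict(counts: dict) -> str:
    """The conclusion a defender draws from the counts."""
    if counts.get("tcp_syn_out"):
        return "ok: jail sends TCP SYNs; if fetch still hangs, look at the reply path"
    if counts.get("dns_answer"):
        return "stalled: DNS answered but no TCP SYN ever left the jail (host routing/firewall)"
    return "dead: no traffic at all for the jail address (check the alias and jail IP)"
```

Feed it `tcpdump -i re0` output piped through a file and the jail IP; on the capture posted above it reports the "stalled" case, which is what distinguishes a host-side routing or filtering problem from a router or DNS problem.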


----------



## gkontos (Mar 18, 2011)

ac1115 said:


> Ok, I ran this on HOST:
> 
> ```
> tcpdump -i re0|grep 192.168.1.253
> ...



That is very interesting. Apparently your router is providing DNS info to your jail. But when your jail tries to reach the internet then you have an ARP issue. ARP is in layer 2, honestly you shouldn't be getting that. I can't think of anything else but a reboot at your router.

Again this is a wild guess.


----------



## ac1115 (Mar 19, 2011)

well I reinstalled the host from scratch... and now it works...

I'm even more confused now than I was before.  I don't think I did anything differently, but I won't look a gift horse in the mouth. Thanks all for helping!

And yes, I'm using dd-wrt on a linksys router, it can double as a dns server as well.


----------

