# Vimage + netgraph



## gpatrick (May 27, 2012)

I am trying to start a jail using netgraph interfaces, but the jail starts without an IP. Has anyone got this to work, and can you point out where my configuration is wrong?


```
# jls
   JID   IP Address       Hostname             Path
     1   -                pftest               /usr/jails/pftest
```

If I try to start the IP manually from the host:

```
# jexec 1 ifconfig re0 192.168.1.100 netmask 255.255.255.0 up
```

it returns

```
ifconfig: up: permission denied
```

If I try from the host:

```
# jexec 1 ifconfig ng0_pftest 192.168.1.100 netmask 255.255.255.0 up
```

it returns

```
ifconfig: interface ng0_pftest does not exist
```

If I try inside the jail:

```
# ifconfig ng0_pftest up
```

it returns

```
ifconfig: interface ng0_pftest does not exist
```

Custom kernel, 9.0-RELEASE-p1, /usr/src/sys/i386/conf/CUSTOM:

```
include GENERIC
ident CUSTOM
cpu I686_CPU
nooptions  SCTP
options    VIMAGE
device     epair
device     if_bridge
options    NULLFS
options    NETGRAPH
options    NETGRAPH_ETHER
options    NETGRAPH_BRIDGE
options    NETGRAPH_EIFACE
options    NETGRAPH_SOCKET
device     pf
device     pflog
device     pfsync
options    ALTQ
options    ALTQ_CBQ
options    ALTQ_RED
options    ALTQ_RIO
options    ALTQ_HFSC
options    ALTQ_PRIQ
options    ALTQ_NOPCC
```

/etc/rc.conf

```
hostname="test"
ifconfig_re0=" inet 192.168.1.2 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
sshd_enable="YES"
gateway_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
jail_enable="YES"
jail_list="pftest"
jail_pftest_rootdir="/usr/jails/pftest"
jail_pftest_name="pftest"
jail_pftest_hostname="pftest"
jail_pftest_devfs_enable="YES"
jail_pftest_fstab="/etc/jails/fstabs/pftest"
jail_pftest_mount_enable="YES"
jail_pftest_vnet_enable="YES"
#jail_pftest_exec_prestart0="ifconfig re0 re0 re0"
##############################################################
vimage_enable="YES"
vimage_parallel_start="NO"
vimage_list="pftest"    
vimage_set_hostname_allow="YES"
vimage_socket_unixiproute_only="NO"
vimage_sysvipc_allow="YES"
vimage_prestart_services="ipfw netif routing"
vimage_pftest_rootdir="/usr/jails/pftest"
vimage_pftest_hostname="pftest"
vimage_pftest_bridges="re0 re0 re0"
#vimage_example_vnets="epair0b"     
vimage_exec_start="/bin/sh /etc/rc"
vimage_pftest_prestart_services="ipfw netif routing"
vimage_pftest_afterstart_services=""
#vimage_example_exec_afterstart0="/bin/sh command"
vimage_pftest_exec_stop="/bin/sh /etc/rc.shutdown"
vimage_pftest_devfs_enable="YES"
#vimage_example_devfs_ruleset="ruleset_name" 
#vimage_example_fdescfs_enable="NO" 
#vimage_example_procfs_enable="NO"  
vimage_pftest_mount_enable="YES"
vimage_pftest_fstab="/etc/jails/fstabs/pftest"
#vimage_example_flags="-l -U root"  # flags for jail(8)
```

/boot/loader.conf

```
hint.acpi.0.disabled="1"
ng_bridge_load="YES"
ng_eiface_load="YES"
ng_ether_load="YES"
ng_socket_load="YES"
```
In the jail, /etc/rc.conf:

```
ifconfig_ng0_pftest="inet 192.168.1.100/24"
ifconfig_ng1_pftest="inet 192.168.1.101/24"
ifconfig_ng2_pftest="inet 192.168.1.102/24"
```
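The interface the jail's rc.conf expects (ng0_pftest) has to be created on the host and moved into the jail's vnet before anything inside the jail can configure it; nothing in the host rc.conf above does that. The script below is an added example, not code from the original post or from FreeBSD's rc scripts, of doing it by hand from the host with ngctl(8) and ifconfig(8), following the layout in the ng_bridge(4) man page: an ng_bridge inserted between re0's lower and upper hooks, an ng_eiface hung off the bridge, then renamed and moved into the jail with `ifconfig ... vnet`. It assumes the jail already exists (jls lists it) and that ng_ether, ng_bridge and ng_eiface are loaded. The node names ngbr0 and ng0_pftest_node and the DRY_RUN switch are this example's own; the placeholder ngethN stands for whichever ngeth interface the kernel assigns, which a real run reads back with the eiface getifname control message.

```shell
#!/bin/sh
# Added example, not from the original post: build the netgraph topology
# that puts a virtual Ethernet interface into a VIMAGE jail's vnet, then
# configure it. Assumed (not stated in the thread): the jail already
# exists with vnet enabled, and ng_ether/ng_bridge/ng_eiface are loaded.
# Node names (ngbr0, <if>_node) and DRY_RUN are this example's own.

set -eu

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Ask an ng_eiface node which ngethN interface it created (getifname).
# In dry-run mode the kernel-assigned name is unknown, so "ngethN" stands in.
eiface_ifname() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s' ngethN
    else
        ngctl msg "$1:" getifname |
            sed -n 's/^Args:[[:space:]]*"\([^"]*\)".*/\1/p'
    fi
}

# ng_vnet_attach JAIL PHYS_IF BRIDGE_NODE IF_NAME CIDR
ng_vnet_attach() {
    jail="$1"; phys="$2"; br="$3"; ifn="$4"; addr="$5"

    # 1. Insert an ng_bridge between the NIC's "lower" hook (the wire) and
    #    its "upper" hook (the host stack), as in ng_bridge(4): the host
    #    keeps its own address on $phys and the jail shares the same segment.
    run ngctl mkpeer "${phys}:" bridge lower link0
    run ngctl name "${phys}:lower" "$br"
    run ngctl connect "${phys}:" "${br}:" upper link1
    # The NIC must accept frames for the jail's MAC, and must not rewrite
    # the source address of frames the bridge sends out through it.
    run ngctl msg "${phys}:" setpromisc 1
    run ngctl msg "${phys}:" setautosrc 0

    # 2. Hang a virtual Ethernet interface off the bridge; the kernel names
    #    it ngethN. Name the node so it can be queried and cleaned up later.
    run ngctl mkpeer "${br}:" eiface link2 ether
    run ngctl name "${br}:link2" "${ifn}_node"
    ngeth="$(eiface_ifname "${ifn}_node")"

    # 3. Rename it and move it into the jail's vnet. "ifconfig ... vnet"
    #    takes the jail name or JID; afterwards the host no longer sees it.
    run ifconfig "$ngeth" name "$ifn"
    run ifconfig "$ifn" vnet "$jail"

    # 4. Configure it from inside the jail (the jail's own ifconfig_ng0_pftest
    #    line would do the same if the interface existed when /etc/rc ran).
    run jexec "$jail" ifconfig "$ifn" inet "$addr" up
}

# Usage: the jail, NIC, bridge node, interface name and address from the thread.
ng_vnet_attach pftest re0 ngbr0 ng0_pftest 192.168.1.100/24
```

Run it as root on the host once the jail exists, with DRY_RUN=0; with the default DRY_RUN=1 it only prints the command sequence so it can be reviewed first. If the interface is moved into the vnet before the jail's /etc/rc runs, the jail's own ifconfig_ng0_pftest line configures it and the final jexec step is unnecessary; a second and third eiface on link3 and link4 would give the ng1_pftest and ng2_pftest interfaces the jail's rc.conf also lists.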


----------



## fbsd1 (May 17, 2013)

The PF firewall will not run inside a Vnet/Vimage jail. This is a long-known problem. PF will run on a host with vnet jails, though. IPFW is the only firewall that, as of 9.1-RELEASE, can run both on the host and inside a vnet jail. IPFW in-core NAT and dummynet are not vnet-aware, and will abend the host if used. There are PRs already about that. For network access your host must have the gateway parameter in the host's /etc/rc.conf file, or

```
sysctl net.inet.ip.forwarding=1
```


----------

