# Combining an epair(4) member and WLAN interface via bridge(4) in VNET jail?



## kumba (Apr 17, 2021)

I've pieced together a jail for containing my wifi network.  It has two interfaces:

- `jail0` - The jail half of an epair(4) interface (epairXb)
- `wlan0` - physical wlan0 from host

The `wlan0` will host my local wireless network, but I want to create something like an Ethernet bridge between the `wlan0` and `jail0` interfaces.  I did not assign `jail0` an IP address, because I want this to happen at OSI layer 2.  My thinking is, if I can do that, then traffic from wireless client stations will transit through `jail0` to pop out on the host-side's `epairXa` interface with the wireless LAN IP addresses intact (so that I can avoid having to do double NAT or fiddling around with some weird UDP-encapsulated mess).

Is this possible?  I have already tried putting `wlan0` and `jail0` into a `bridge0` inside the jail, and my wireless client can ping the `wlan0` interface fine.  But IPv4 traffic is not moving from `wlan0` through `jail0` as far as I can tell.  Oddly enough, IPv6 traffic _is_: if I put tcpdump on the host `epairXa` interface, I can see attempts by the wireless client (an Android phone) trying to get to Google, and the IPv6 packets are carrying the client's `fe80` link-local IPv6 address as source and one of Google's IPv6 addresses as destination (but I haven't joined the IPv6 internet yet, so these packets won't go anywhere).  So I kinda think the bridge idea *is* working, but I need it to forward IPv4 traffic too.  However, I am somewhat stumped at this point, and really don't know the right Google keywords to look for to get any further.


----------



## rootbert (Apr 17, 2021)

Do you have "net.inet.ip.forwarding=1" in your /etc/sysctl.conf?  You also might want to use pf inside that jail.  My suggestion, however, is not to bridge the wifi network.


----------



## kumba (Apr 17, 2021)

rootbert said:


> Do you have "net.inet.ip.forwarding=1" in your /etc/sysctl.conf?  You also might want to use pf inside that jail.  My suggestion, however, is not to bridge the wifi network.



I did not have that tunable set.  Even after setting it, though, I still am not seeing traffic being forwarded by the bridge to/from jail0.  I wonder if it is something to do with the routes?  Do I need to teach it to forward all non-WLAN traffic through jail0 somehow?

And I currently have the firewall disabled in the jail while testing.  It will be an IPFW firewall, which is the firewall language I've taught myself once I get to setting that up.  As for the goal, this is currently on my router appliance, which handles both wireless and wired networking.  It makes the IPFW script needlessly complex, though, so if I can put the wireless and wired router elements into their own jails, I can split and compartment both with simpler IPFW firewalls.  Then on the host-side, I'll just have a bridge0 interface that ties the two epairXa interfaces to the WAN port and the host's own IPFW firewall will be much easier to manage and maintain.  To test this idea, I am first attempting to jail the wifi network.  It's easier (so I tell myself) to test this compared to the wired network router piece without bouncing my internet access up and down constantly.


----------



## Deviant0ne (Apr 17, 2021)

It sounds like what you want to use is the /usr/share/examples/jails/jng script - have a look here: Thread vnet-netgraph-jail-s-fail-to-jng-bridge-to-lagg-interface.79295/#post-504059


----------



## kumba (Apr 17, 2021)

Deviant0ne said:


> It sounds like what you want to use is the /usr/share/examples/jails/jng script - have a look here: Thread vnet-netgraph-jail-s-fail-to-jng-bridge-to-lagg-interface.79295/#post-504059



Oddly enough, I found that exact thread last night.  I haven't looked into using any existing tools or scripts yet, as I want to learn the raw commands to set things up manually, then switch to tools that do it via jail.conf or rc.conf (in the jail).  Looking at the script, internally, it's using netgraph to set the bridge interface up.  How exactly is this different from the standard ifconfig bridgeX commands?  I have not read up too much on the whole netgraph subsystem yet.

Small progress, though!  I turned off AP isolation in hostapd.  It seems like that was stopping wireless traffic from my phone from getting to the bridge interface in the jail.  I assigned the WLAN IPv4 address space to the bridge interface instead of the `wlan0` interface, and also have ISC DHCPd listening on the bridge interface.  My phone picks up an address assignment from DHCP, and running tcpdump on both `bridge0` and `jail0`, I can see Android's hyper-chatty attempts to contact the Google mothership via the bridge interface, but none of those packets are showing up on the `jail0` interface that is also attached to the bridge.  So there is still some kind of disconnect where the traffic doesn't know it needs to route via jail0.  I tried running `route add default -iface jail0` as well, and that had no effect.

Also, does anyone know why hostapd's rc.d script has "nojail" in KEYWORDS?  I cannot find any history on that.  Thus far, hostapd seems to work perfectly fine from within a jail, provided you put the `wlan0` interface inside the jail with it.  I suspect it's some legacy thing that probably needs to be updated.
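The layout kumba has arrived at (inside the VNET jail: `bridge0` with `wlan0` and `jail0` as members, the WLAN IPv4 address on `bridge0` rather than `wlan0`, and `net.inet.ip.forwarding=1`) can be verified with a small script. This is an added example, not code from the thread; the `ifconfig` output is a constructed sample in the FreeBSD format, and the MAC and IPv4 values in it are made up.

```sh
#!/bin/sh
# Added example: sanity-check the in-jail bridge layout described in the thread.
# Interface names (bridge0, wlan0, jail0) are the thread's own.

# Print the member interface names from `ifconfig bridgeX` output.
bridge_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" { print $2 }'
}

# Print the IPv4 addresses (not inet6) from an interface's ifconfig output.
inet4_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# Return 0 only if every expected member name is present on the bridge.
check_members() {
    _out=$1; shift
    for _want in "$@"; do
        bridge_members "$_out" | grep -qx "$_want" || return 1
    done
    return 0
}

# Constructed sample of `ifconfig bridge0` output (MAC and address are made up).
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 58:9c:fc:10:ff:a1
	inet 192.168.50.1 netmask 0xffffff00 broadcast 192.168.50.255
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	member: jail0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 3 priority 128 path cost 2000
	member: wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 2 priority 128 path cost 370000'

# Live check, to be run as root inside the jail (needs ifconfig and sysctl).
audit_jail_bridge() {
    _b=$(ifconfig bridge0) || { echo "bridge0 does not exist"; return 1; }
    check_members "$_b" wlan0 jail0 || { echo "bridge0 is missing wlan0 or jail0"; return 1; }
    [ -n "$(inet4_addrs "$_b")" ] || { echo "no IPv4 address on bridge0"; return 1; }
    [ -z "$(inet4_addrs "$(ifconfig wlan0)")" ] || { echo "wlan0 still carries an IPv4 address"; return 1; }
    [ "$(sysctl -n net.inet.ip.forwarding)" = 1 ] || { echo "net.inet.ip.forwarding is not 1"; return 1; }
    echo "bridge layout looks consistent"
}
```

Run `audit_jail_bridge` from a shell inside the jail; the parsing helpers can also be pointed at saved `ifconfig` output from the host side to compare against the `epairXa` end.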


----------



## Deviant0ne (Apr 17, 2021)

kumba said:


> Oddly enough, I found that exact thread last night.  I haven't looked into using any existing tools or scripts yet, as I want to learn the raw commands to set things up manually, then switch to tools that do it via jail.conf or rc.conf (in the jail).  Looking at the script, internally, it's using netgraph to set the bridge interface up.  How exactly is this different from the standard ifconfig bridgeX commands?  I have not read up too much on the whole netgraph subsystem yet.
> 
> Small progress, though!  I turned off AP isolation in hostapd.  It seems like that was stopping wireless traffic from my phone from getting to the bridge interface in the jail.  I assigned the WLAN IPv4 address space to the bridge interface instead of the `wlan0` interface, and also have ISC DHCPd listening on the bridge interface.  My phone picks up an address assignment from DHCP, and running tcpdump on both `bridge0` and `jail0`, I can see Android's hyper-chatty attempts to contact the Google mothership via the bridge interface, but none of those packets are showing up on the `jail0` interface that is also attached to the bridge.  So there is still some kind of disconnect where the traffic doesn't know it needs to route via jail0.  I tried running `route add default -iface jail0` as well, and that had no effect.
> 
> Also, does anyone know why hostapd's rc.d script has "nojail" in KEYWORDS?  I cannot find any history on that.  Thus far, hostapd seems to work perfectly fine from within a jail, provided you put the `wlan0` interface inside the jail with it.  I suspect it's some legacy thing that probably needs to be updated.


If you’re looking for a manual configuration, you might search for genneko’s blog - those have a lot of really good information.


----------

