# iocage private ip routing to host



## leonardorame (Jun 21, 2018)

Hi, I wonder if I can create an iocage jail with its own private ip address (for example 172.16.10.10), and let it connect to services running on the host's network (192.168.0.0/24).

I assume this can be possible, by creating a static route between the jail and the host's gateway, but as I'm fairly new to this I need your help.

Leonardo.


----------



## SirDice (Jun 21, 2018)

Yes, that's possible. You don't need a static route, from the host's point of view both networks are so-called 'directly' connected networks. Which means the route to those networks is already known. Other hosts on the 192.168.0.0/24 network _do_ need a static route to be able to find the 172.16.10.0/24 network.


----------



## leonardorame (Jun 22, 2018)

SirDice said:


> Yes, that's possible. You don't need a static route, from the host's point of view both networks are so-called 'directly' connected networks. Which means the route to those networks is already known. Other hosts on the 192.168.0.0/24 network _do_ need a static route to be able to find the 172.16.10.0/24 network.



Thanks SirDice, my problem is the other way around, I mean, the host 172.16.10.x (the jail) must reach a host in the 192.168.0.x network, should I create a static route inside the jail?


----------



## SirDice (Jun 22, 2018)

leonardorame said:


> should I create a static route inside the jail?


No, but you do need a static route on the 192.168.0.0/24 host (it needs to know the route back).


----------



## leonardorame (Jun 22, 2018)

Hi again SirDice, I've tried to create the routes, but I still cannot reach any host on the 192.168.0.x network.

Here's the routing table of the host:


```
Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.175     UGS         re0
127.0.0.1          link#2             UH          lo0
172.16.1.1         link#1             UHS         lo0
172.16.1.1/32      link#1             U           re0
192.168.0.0/24    link#1             U           re0
192.168.0.197     link#1             UHS         lo0
```

And this is the routing table of the jail:


```
Internet:
Destination        Gateway            Flags     Netif Expire
172.16.1.1         link#1             UHS         lo0
```

Do you see something wrong?


----------



## SirDice (Jun 22, 2018)

Jails don't really have a routing table, it's the host that does the routing. On the host did you enable routing? Make sure to add to /etc/rc.conf:

```
gateway_enable="YES"
```

Don't bind your jails to lo0, create a cloned interface lo1 and bind the jail to that.


----------



## leonardorame (Jun 22, 2018)

Hi again SirDice, I created the lo1 interface and bound it to the jail.

This is ifconfig from inside the jail:


```
root@postgresql:~ # ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 1c:1b:0d:fd:ec:11
        hwaddr 1c:1b:0d:fd:ec:11
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 172.16.1.1 netmask 0xffffffff
        groups: lo
root@postgresql:~ #
```

And netstat -nr from inside the jail:


```
root@postgresql:~ # netstat -nr
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
172.16.1.1         link#3             UH          lo1
```

But still cannot reach the 192.168.0.x network (I only can reach the host 192.168.0.197).


----------



## SirDice (Jun 22, 2018)

leonardorame said:


> But still cannot reach the 192.168.0.x network


Other hosts on that network need a static route for 172.16.1.0/24 pointing to 192.168.0.197.

IP routing only looks at the destination address of a packet to determine where it needs to be sent to. It does not know or record where it came from. So your forward routes (from point A to B) are good, but the responses (from B to A) are not.
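The return-path problem described above, as an added example that is not part of the original post: a longest-prefix-match lookup over constructed routing tables built from the thread's addresses. The server address 192.168.0.50 and the Ubuntu server's tables are assumptions made for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match on the destination only: (next_hop, prefix) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (next_hop, net)
    return None if best is None else (best[0], str(best[1]))

# Constructed tables. "direct" marks a directly connected network.
# FreeBSD host (192.168.0.197) that carries the jail address 172.16.1.1.
JAIL_HOST = [
    ("0.0.0.0/0", "192.168.0.175"),
    ("192.168.0.0/24", "direct"),
    ("172.16.1.1/32", "direct"),
]
# Another machine on the LAN, before and after it gets the static route.
SERVER_BEFORE = [
    ("0.0.0.0/0", "192.168.0.175"),
    ("192.168.0.0/24", "direct"),
]
SERVER_AFTER = SERVER_BEFORE + [("172.16.1.0/24", "192.168.0.197")]

def round_trip(server_table, jail_ip="172.16.1.1", server_ip="192.168.0.50"):
    """Check both directions: the request from the jail and the server's reply."""
    forward = lookup(JAIL_HOST, server_ip)   # jail host -> server
    reply = lookup(server_table, jail_ip)    # server -> jail address
    # The reply only arrives if the server hands it to the jail host.
    ok = forward[0] == "direct" and reply[0] == "192.168.0.197"
    return forward, reply, ok

if __name__ == "__main__":
    for name, table in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        forward, reply, ok = round_trip(table)
        print(f"{name}: forward via {forward[0]}, reply via {reply[0]}, works={ok}")
```

Without the static route the reply matches only the default route and is handed to 192.168.0.175, which has no path to 172.16.1.0/24.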


----------



## leonardorame (Jun 22, 2018)

Ok, but those hosts already have a default route to the gateway (192.168.0.175). Isn't there a way to implement this without changing anything on the other hosts?


----------



## SirDice (Jun 22, 2018)

leonardorame said:


> Ok, but those hosts already have a default route to the gateway (192.168.0.175)


And? You should see some of the routing tables on our core routers. 



leonardorame said:


> Isn't there a way to implement this without changing anything on the other hosts?


Nope. Not with "plain" routing. 

The only way would be to implement NAT on the FreeBSD host, which effectively hides the whole 172.16.1.0/24 network behind the 192.168.0.179 address. If you require access to anything behind the NAT you'll need to create forwarding rules. But doing this makes things more complex (thus easier to break).

If the services inside the jail need to be accessible from the network you're probably better off binding the jail to re0 and simply assign a 192.168.0.0/24 address to it.


----------



## leonardorame (Jun 22, 2018)

Well, knowing that it looks like NAT is the way to go, since I don't need other hosts to access the jail, but the other way around, the jail must connect to other hosts.


----------



## leonardorame (Jun 22, 2018)

Finally I added the static route in the Ubuntu server I needed to reach by simply issuing a:


```
sudo ip route add 172.16.1.0/24 via 192.168.0.197
```


----------

