# Jails in a 2 NIC server



## zeissoctopus (Nov 19, 2009)

I am using FreeBSD 7.2 Release

My FreeBSD Server have 2 NIC. 1 NIC is assigned to DMZ Land address Zone for public services, another is assigned within private LAN, both connect to same firewall with differnet LAN address zones

I create jails on both NIC. For example,

em0 in 192.168.1.5, create jails
192.168.1.5 pgsql

em1 in 192.168.10.5, create jails
192.168.10.6 www
192.168.10.7 sendmail
192.168.10.8 pgsql
Each jails run sshd for login


My is FreeBSD host use 192.168.1.5 on em0 . Everything seem work until I login to em1 jails via ssh. 

If I ssh to em1 jails from any workstations in 192.168.1.0/24 zone, the ssh session terminates automatically after 2 min. The error msg is "Connection reset by peer"

If I ssh to em1 jails from FreeBSD host (192.168.1.5), no problem occurs.

Is it the jail limitations on multiple NIC ?


----------



## SirDice (Nov 19, 2009)

The em1 is the one that's connected to the firewall?

Just guessing, the firewall is terminating it's state because there's no activity on the connection.


----------



## zeissoctopus (Nov 21, 2009)

SirDice said:
			
		

> The em1 is the one that's connected to the firewall?
> 
> Just guessing, the firewall is terminating it's state because there's no activity on the connection.



Thank you for reply.

May be my poor english cannot describe my case clearly.

May be my problem is caused by misunderstanding in networking knowledge.

One FreeBSD BOX with two NIC.

1st NIC --> switch (private lan) --> same router with PF --> Internet

2nd NIC --> same router with PF --> Internet

1st NIC 192.168.1.5

2nd NIC 192.168.10.5, 192.168.10.7 (www jail), 192.168.10.8 (sendmail jail), 192.168.10.9 (pgsql jail)

sshd on 192.168.1.5, 192.168.10.6, 192.168.10.7, 192.168.10.8

Problem: Even configure PF with that pass all rule. I cannot ssh without problem from 192.168.1.0/24 to 192.168.10.6, 192.168.10.7, 192.168.10.8

ssh session drop with error msg: "Connection reset by peer"

If I give up to put FreeBSD in 192.168.1.0/24 and return to 1 NIC as follow:

Only one NIC 192.168.10.0/24 --> same router with PF --> Internet

Other workstations 192.168.1.0/24 ---> same router with PF --> Internet

Only one NIC 192.168.10.5, 192.168.10.7 (www jail), 192.168.10.8 (sendmail jail), 192.168.10.9 (pgsql jail)

sshd on 192.168.10.5, 192.168.10.6, 192.168.10.7, 192.168.10.8

I can ssh without any problem from 192.168.1.0/24 to jails' sshd


----------



## wonslung (Nov 21, 2009)

is the freebsd box with 2 nics your gateway running pf?

If so it might helps for you to post your /etc/rc.conf and your /etc/pf.conf

also, you could also put jails on a fake interface and use pf to route packets to them.

i put most of my jails on a cloned loopback device.

ALSO with 7.2 or greater you can set multiple ip's per jails so theres no reason you can't set an ip for EACH device.


----------



## vivek (Nov 21, 2009)

> , the ssh session terminates automatically after 2 min. The error msg is "Connection reset by peer"



this is confusing part. If ssh terminate 2 minutes after successful login, than you need to configure both ssh client and server. If message is "Connection reset by peer", than you need to configure firewall.


----------



## zeissoctopus (Nov 23, 2009)

Re: wonslung



			
				wonslung said:
			
		

> is the freebsd box with 2 nics your gateway running pf?



No, it is not.

I want to use one computer with 2 NIC in two Separated subnets and then running some public services in one subnet, some private services in another subnet. Is it possible ?


```
----------- 1 FreeBSD , 1 em driver, 2 em NIC, no PF on this box -----------
         |                                                                          |
         |        em0     <-- No IP Forwarding each other -->        em1            |
         |   192.168.1.5                                        192.168.10.5        |                   
         |   127.0.0.1                                                              |
         |         |                                      <public serivces jails>   |
         |         |                    www jails ip em0|192.168.10.6, lo0|127.0.0.2|
         |         |               sendmail jails ip em0|192.168.10.7, lo0|127.0.0.3|
         |         |                pgsql84 jails ip em0|192.168.10.8, lo0|127.0.0.4|
         ----------------------------------------------------------------------------
                   |                                              |
                   v                                              |
 workstations ---Switch                                           |
(192.168.1.0/24)   |                                              |
                   |------------------------------|               |
                                                  |               |
                                                  v               v
                                            -------------------------------
                                            |    vr0              vr1     |
                                            |  192.168.1.1   192.168.10.1 |
                                            |                             |
                                            |      OpenBSD PF router      |
                                            |                             |
                                            |    vr2              vr3     |
                                            |  192.168.100.1    dhcp ISP  |
                                            -------------------------------
                                                   ^               |
                                                   |               |
     wifi zone ------------------------------------|               v
  (192.168.100.0/24)                                            Internet
```



			
				wonslung said:
			
		

> If so it might helps for you to post your /etc/rc.conf and your /etc/pf.conf



The rc.conf like..

```
ifconfig_em0="inet 192.168.1.5 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
...
...
jail_enable="YES"
jail_list="apache22 pgsql84 sendmail"
jail_apache22_interface="em0"
jail_apache22_ip="em0|192.168.1.6/32,lo0|127.0.0.2/8"
jail_sendmail_interface="em0"
jail_sendmail_ip="em0|192.168.1.7/32,lo0|127.0.0.3/8"
jail_sql84_ip_interface="em0"
jail_sql84_ip="em0|192.168.1.8/32,lo0|127.0.0.4/8"
```

Inside each jail, I correct the value of default_gateway in file /etc/rc.conf in www, psql, sendmail jails to 192.168.10.1


----------

