# VLANs for jail



## bsus (May 10, 2012)

Hello,

I have now given up trying to use VIMAGE for jail use. Fortunately there are other options to go 

I created two VLAN interfaces:

```
# ifconfig vlan0 create vlan 1 vlandev em0
# ifconfig vlan0 inet 10.0.0.0 netmask 255.255.255.0
# ifconfig vlan1 create vlan 2 vlandev em0
# ifconfig vlan1 inet 10.0.0.1 netmask 255.255.255.0
```

Then I created some jails using them:

```
# ezjail-admin create -c zfs build 10.0.0.0
# ezjail-admin create -c zfs www 10.0.0.1
# mkdir /usr/jails/build/var/ports
# echo '/usr/jails/basejail/usr/ports /usr/jails/build/var/ports nullfs rw 0 0' >> /etc/fstab.build
# ezjail-admin start build
# jexec 2 sh
# cd /usr/ports/ports-mgmt/portmaster && make install clean
===>  License check disabled, port has not defined LICENSE
===>  Found saved configuration for portmaster-3.11
=> portmaster-3.11.tar.gz doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch http://dougbarton.us/Downloads/portmaster-3.11.tar.gz
fetch: http://dougbarton.us/Downloads/portmaster-3.11.tar.gz: No address record
=> Attempting to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/portmaster-3.11.tar.gz
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/portmaster-3.11.tar.gz: No address record
=> Couldn't fetch it - please try to retrieve this
=> port manually into /var/ports/distfiles/ and try again.
*** Error code 1

Stop in /basejail/usr/ports/ports-mgmt/portmaster.
*** Error code 1

Stop in /basejail/usr/ports/ports-mgmt/portmaster.
```

How do I solve this? What have I forgotten?


----------



## SirDice (May 10, 2012)

Fix DNS. It's failing to resolve anything. Did you set up /etc/resolv.conf correctly in the jail?


----------



## bsus (May 10, 2012)

```
# cat /etc/resolv.conf
nameserver 192.168.178.1
```

This is the IP of the router. Which IP should I define for the nameserver (the local of em0)?


----------



## SirDice (May 10, 2012)

Your VLAN interface is in 10.0.0.0/24. Is there a route to 192.168.178.0/24 on the host?


----------



## bsus (May 10, 2012)

I don't think so:

```
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
	ether 00:1b:21:c5:fa:f4
	inet 192.168.178.10 netmask 0xffffff00 broadcast 192.168.178.255
	inet6 fe80::21b:21ff:fec5:faf4%em0 prefixlen 64 scopeid 0x1 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 6c:f0:49:d8:31:19
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (10baseT/UTP <half-duplex>)
	status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:1b:21:c5:fa:f4
	inet 10.0.0.0 netmask 0xffffff00 broadcast 10.0.0.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 1 parent interface: em0
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:1b:21:c5:fa:f4
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 2 parent interface: em0
#
```

I thought that the VLAN IP isn't important because it's internal?


----------
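A check of the addressing in the `ifconfig` output above against the resolver from `/etc/resolv.conf`, as an added example that is not part of any post in this thread. The `IFCONFIG` sample is constructed from the `inet` lines posted above, and the function names `parse_ifconfig` and `audit` are hypothetical.

```python
import ipaddress
import re

# Constructed sample: interface and inet lines taken from the ifconfig output in the thread.
IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.178.10 netmask 0xffffff00 broadcast 192.168.178.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 10.0.0.0 netmask 0xffffff00 broadcast 10.0.0.255
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
"""

def parse_ifconfig(text):
    """Return [(ifname, IPv4Interface)] for every IPv4 'inet' line."""
    found, name = [], None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            name = head.group(1)
            continue
        inet = re.match(r"^\s+inet (\S+) netmask 0x([0-9a-f]{8})", line)
        if inet and name:
            mask = ipaddress.IPv4Address(int(inet.group(2), 16))
            found.append((name, ipaddress.IPv4Interface(f"{inet.group(1)}/{mask}")))
    return found

def audit(text, jail_ip, nameserver):
    """List host addressing problems, then check the resolver against jail_ip."""
    ifaces, findings = parse_ifconfig(text), []
    jail, ns = ipaddress.IPv4Address(jail_ip), ipaddress.IPv4Address(nameserver)
    for name, ifc in ifaces:
        net = ifc.network
        if net.prefixlen < 31 and ifc.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {ifc.ip} is the network/broadcast address of {net}")
    for i, (a, x) in enumerate(ifaces):
        for b, y in ifaces[i + 1:]:
            if x.network.overlaps(y.network):
                findings.append(f"{a} and {b} both claim {x.network}")
    home = [ifc.network for _, ifc in ifaces if ifc.ip == jail]
    if not home:
        findings.append(f"jail address {jail} is not configured on any interface")
    elif not any(ns in net for net in home):
        findings.append(f"nameserver {ns} is outside {home[0]}: needs a return route or NAT")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(IFCONFIG, "10.0.0.0", "192.168.178.1")))
```
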



## SirDice (May 10, 2012)

bsus said:

> I thought that the VLAN IP isn't important because it's internal?


I think you're confused with lo0. Some people like to clone it and bind their jails to that. That will be local only; if you need access outside of the host, you would need to use NAT.

VLANs are mainly used to compartmentalize traffic to improve performance.

http://en.wikipedia.org/wiki/Virtual_LAN


----------



## bsus (May 10, 2012)

Ok, this makes sense.

I thought all the time that it's just an easy way of creating an internal network.

Then I would say back to trying to fix the VIMAGE thing.


----------

