From: Marko Cupać
Date: Wed, 31 May 2017 10:33:49 +0200
To: freebsd-jail@freebsd.org
Subject: setfib, jails and loopback interfaces
Message-ID: <20170531103349.244f0fbf@efreet-freebsd.kappastar.com>

Hi,

I'm not subscribed to the list, could you please keep me in CC?

I'm using ezjail as instructed in the Handbook, assigning jails
lo1|127.0.0.X,bce0|10.66.66.X addresses, in order to keep jails'
loopback traffic off host's, and in order to be able to keep internal
services on lo1 (such as redis, mongodb, mysql etc.), and external on
bce0 (such as apache, unifi5 etc.).

Recently I got a server with multiple NICs, and I'd like to serve both
LAN and DMZ services from it. I found some information on how to
accomplish that with setfib:

# cat /boot/loader.conf
net.fibs=4
net.add_addr_allfibs=0

# cat /etc/rc.conf
...
cloned_interfaces="lo1"
static_routes="nix nixd"
route_nix="-net 10.66.66.0/24 -interface bce0 -fib 1"
route_nixd="default 10.66.66.254 -fib 1"
...

In this setup, services bound to bce0 interface work fine, but they
can't contact internal services on lo1. I guess it has something to do
with jail routing, but can't figure out what.

Thank you in advance for any hints.

-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
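
A check for the symptom described in the message above, added here as an example and not part of the original message: it reads `route -n get` output for a jail's loopback address looked up in a given FIB and reports whether the lookup matched only that FIB's default route. The address 127.0.0.2, the function names and both sample outputs are constructed, and that the symptom comes from a missing route in FIB 1 is an assumption the message does not establish.

```shell
#!/bin/sh
# Added example, not from the original message. Sample outputs are constructed.

# route_field NAME: print the value of one "name: value" field from
# `route -n get` output read on stdin.
route_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# classify_lookup: read `route -n get ADDR` output on stdin and print
#   "default via GW dev IF"  when the lookup matched only the default route
#   "specific DEST dev IF"   when a more specific route exists in that FIB
#   "noroute"                when the output has no destination line
classify_lookup() {
    out=$(cat)
    dest=$(printf '%s\n' "$out" | route_field destination)
    gw=$(printf '%s\n' "$out" | route_field gateway)
    ifn=$(printf '%s\n' "$out" | route_field interface)
    case "$dest" in
        "")      echo "noroute" ;;
        default) echo "default via ${gw:-?} dev ${ifn:-?}" ;;
        *)       echo "specific $dest dev ${ifn:-?}" ;;
    esac
}

# Constructed: lookup of a jail's lo1 address (127.0.0.2, assumed) from a FIB
# holding only the 10.66.66.0/24 and default routes of the rc.conf above.
sample_fallthrough() {
    cat <<'EOF'
   route to: 127.0.0.2
destination: default
       mask: default
    gateway: 10.66.66.254
        fib: 1
  interface: bce0
EOF
}

# Constructed: the same lookup from a FIB that has a route for the address.
sample_local() {
    cat <<'EOF'
   route to: 127.0.0.2
destination: 127.0.0.2
        fib: 0
  interface: lo1
EOF
}

# On the FreeBSD host: setfib 1 route -n get 127.0.0.2 | classify_lookup
sample_fallthrough | classify_lookup
sample_local | classify_lookup
```

A "default via ... dev bce0" result for a 127.0.0.X address means that FIB would send the jail's loopback traffic toward the gateway instead of delivering it on lo1.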