Issues putting jails on their own subnet

Nikolay Denev nike_d at cytexbg.com
Sun Dec 29 01:28:51 UTC 2013


Hi,

I meant to delete the route from FIB 1, not from the main FIB, like "setfib 1 route delete 10.0.3.0/24"

Anyways, good that you made it work using the tunable.

Cheers,

--Nikolay


On Sun, Dec 29, 2013 at 12:30 AM, Andrew Klaus <andrewklaus at gmail.com> wrote:

> It doesn't seem to let me delete it (first thing I tried). Gives me this
> error:
>
> # route delete 10.0.3.0/24
> route: writing to routing socket: Address already in use
> delete net 10.0.3.0 fib 0: gateway uses the same route
>
> However, using the tunable then works perfectly.
>
> Thanks!
>
>
> On Sat, Dec 28, 2013 at 5:16 PM, Nikolay Denev <nike_d at cytexbg.com> wrote:
>
> > Hi Andrew,
> >
> > Actually you should be able to override this routing entry by just
> > deleting it, or you can also check if "net.add_addr_allfibs" sysctl can
> > help you.
> >
> >
> > --Nikolay
> >
> >
> >
> > On Sat, Dec 28, 2013 at 10:05 PM, Andrew Klaus <andrewklaus at gmail.com> wrote:
> >
> >> Hello,
> >>
> >> I'm trying to segregate some of my jails onto their own (DMZ) subnet.
> >>
> >> Internal subnet: 10.0.3.0/24
> >> DMZ subnet: 10.0.4.0/24
> >>
> >> Both of these subnets are on my FreeBSD host, but I'm using a second
> >> routing table for my DMZ jails as seen here:
> >>
> >> ---------------
> >> setfib 1 netstat -rn
> >> Routing tables
> >>
> >> Internet:
> >> Destination        Gateway            Flags    Refs      Use  Netif Expire
> >> default            10.0.4.1           UGS         0  2393945  vlan4
> >> 10.0.3.0/24        link#12            U           0        0  vlan3
> >> ----------------
> >>
> >> The problem I'm facing is when I try to connect to the DMZ'd jail from the
> >> 10.0.3.0 network: traffic comes in on vlan4 like it's supposed to, but
> >> replies go back through the vlan3 interface. I guess this makes sense,
> >> because of that second route entry (that I can't override).
> >>
> >> I've tried using PF to force the packets back through to 10.0.4.1, but it
> >> doesn't seem to want to work.  Is the only other way to use the
> >> experimental vnet/vimage?
> >>
> >> Any ideas would be helpful.
> >>
> >> Thanks,
> >>
> >> Andrew
> >> _______________________________________________
> >> freebsd-net at freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> >> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> >>
> >
> >
>

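An added check that is not part of this thread: a POSIX sh function that parses `setfib N netstat -rn` output and reports routes whose Netif is not one of the interfaces that FIB is meant to use, which is exactly how the 10.0.3.0/24-via-vlan3 entry Andrew ran into shows up in FIB 1. The routing table below is a constructed sample shaped like the one in the thread, not real output.

```shell
#!/bin/sh
# Added example, not from the thread: report routes in one FIB whose outgoing
# interface (Netif) is not among the interfaces that FIB is meant to use.
# Usage on the host:   setfib 1 netstat -rn | fib_foreign_routes vlan4
# Exit status: 0 = all routes use allowed interfaces, 1 = at least one does not.
fib_foreign_routes() {
    allowed=" $* "   # padded so " vlan4 " matches whole names only
    awk -v allowed="$allowed" '
        # Learn the Netif column from the header; its position varies by release.
        /^Destination/ { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        # IPv4 route lines start with "default" or a digit; skip other text.
        col && ($1 == "default" || $1 ~ /^[0-9]/) {
            if (index(allowed, " " $col " ") == 0) { print $1, "via", $col; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample shaped like the FIB 1 table in the thread (not real output).
SAMPLE_FIB1='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.4.1           UGS         0  2393945  vlan4
10.0.3.0/24        link#12            U           0        0  vlan3
10.0.4.0/24        link#13            U           0        0  vlan4'

# Stand-alone run: vlan3 is the internal interface, so its route in FIB 1 is
# the entry that sends DMZ replies out the wrong interface.
if printf '%s\n' "$SAMPLE_FIB1" | fib_foreign_routes vlan4; then
    echo "FIB 1: all routes use allowed interfaces"
else
    echo "FIB 1: foreign route(s) listed above; net.add_addr_allfibs=0 in loader.conf stops interface routes being added to every FIB"
fi
```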
