Static Routes, gateways and the end of my sanity

Mikhail Goriachev mikhailg at webanoide.org
Fri Jun 1 10:06:00 UTC 2007 

Reuben A. Popp wrote:
> Hello everyone, can someone please (_please_!!) let me know what I'm doing 
> wrong in the following example?  I am near my wits end on implementing this, 
> any suggestions are greatly appreciated!
> 
> The scenario is that I have a server here with twin nics, bce0 and bce1; I 
> would like bce0 to be connected to our dmz network (192.168.x.x), while bce1 
> would be on our internal network.  A jail will reside on the ip assigned to 
> bce0, while the regular base system will bind to bce1.
> 
> My current rc.conf consists of the following:
> -------------------------------------------
> defaultrouter="10.228.228.254"
> ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
> ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex 
> netmask 255.255.255.0"
> 
> # Enable Jails for multi-homed box (video)
> jail_enable="YES"
> jail_list="video"
> jail_video_rootdir="/usr/local/jail/video"
> jail_video_hostname="video.eastcentral.edu"
> jail_video_ip="192.168.4.80"
> jail_named_exec_start="/bin/sh /etc/rc"
> jail_video_devfs_enable="YES"
> 
> # Routed and gateway settings
> static_routes="net1"
> route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
> ------------------------------------------
> 
> Of course there's other things in there like binding various services (inetd, 
> syslog, et al) to the internal ip.
> 
> On bringing the machine up, I can ping both ips just fine; what I can't do is 
> ssh to the dmz address.  Yes, sshd is running inside the jail ;).  The output 
> of tcpdump shows a connect to that ip on bce0, but all responses appear to be 
> going out on bce1.
> 
> Again, any suggestions or comments are welcome and appreciated.  For the 
> record, the machine is a Dell PowerEdge 2950 running  the amd64  
> 6.2-RELEASE-p4 branch.  I will gladly supply more info if this isn't enough.


You can't bind both host and jail to the same IP. I'd suggest the 
following re-arrangement:

ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce0_alias0="inet 192.168.4.81 netmask 255.255.255.255"
               ^^^^^^                  ^                     ^^^
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex

jail_enable="YES"
jail_list="video"
jail_interface="bce0"
^^^^^^^^^^^^^^^^^^^^^
jail_video_rootdir="/usr/local/jail/video"
jail_video_hostname="video.eastcentral.edu"
jail_video_ip="192.168.4.81"
                           ^
jail_named_exec_start="/bin/sh /etc/rc"
jail_video_devfs_enable="YES"


In other words:

Your host binds to bce0 (192.168.4.80) and bce1 (10.228.228.228). The 
jail binds to bce0_alias0 (192.168.4.81). Also jails will always try to 
bind to bce0 interface (jail_interface="bce0").

You don't need any routes if your machine acts as a gateway. All traffic 
from 10.0.0.0/8 will find its way to 192.168.0.0/16 through bc1 and from 
other net via bc0.


Hopefully I didn't misinterpret your problem.

Regards,
Mikhail.

-- 
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: mikhailg at webanoide.org
Web: www.webanoide.org

More information about the freebsd-questions mailing list