Re: iocage, vnet jail does not go outside

From: infoomatic <>
Date: Sat, 24 Jul 2021 23:48:26 +0200

Sorry to hear that.

I use the tools from the FreeBSD base system, they work great, and I
encourage all newbies to use the tools from the base system - and
recommend reading the parts of the handbook and the man pages of jail
and jail.conf.

Here are the relevant parts of my config:



ifconfig_bridge0="inet netmask up"


nat pass on em0 proto tcp from {} to any ->

and the jail.conf:

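example {
    host.hostname = example;
    # hand the "b" end of the epair to the jail's vnet
    vnet.interface = "epair201b";
    path = "/jails/$name";
    # host side: create the epair, bring up the "a" end, attach it to bridge0
    exec.prestart += "ifconfig epair201 create";
    exec.prestart += "ifconfig epair201a up";
    exec.prestart += "ifconfig bridge0 addm epair201a";
    # take the interface back from the jail, then destroy the pair
    exec.prestop += "ifconfig epair201b -vnet $name";
    exec.poststop += "ifconfig epair201a destroy";
}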

and the /jails/example/etc/rc.conf:

ifconfig_epair201b="inet netmask"

hope this helps,


On 24.07.21 13:38, Jacques Foucry wrote:
> On Friday 23 Jul 2021 at 23:06:41 (+0200), infoomatic wrote:
> Hello Robert,
> Thanks for your answer.
>> iocage automatically creates a bridge with your physical interface and
>> the vnet interface. Imho this is wrong behaviour so I quit using iocage,
>> however, there is a workaround, for more info see [1]
> I carefully read the issue you pointed to, and it appears that with the
> vnet_default_interface parameter set to auto, em0 is added to the bridge; set
> to none, em0 is not added to the bridge.
> So I stopped my jail, destroyed the bridge0 interface, set vnet_default_interface to
> none and restarted the jail.
> As expected, em0 is not in the bridge any more:
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	description: jails-bridge
> 	ether 58:9c:fc:10:ed:66
> 	inet netmask 0xffffff00 broadcast
> 	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> 	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> 	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> 	member: vnet0.657 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> 	        ifmaxaddr 0 port 6 priority 128 path cost 2000
> 	groups: bridge
> Since then, from the jail I cannot ping anything, from outside I cannot connect to
> the jail, and from the jail I cannot connect to an outside host.
> In fact, at a quick look, the situation is worse.
> I did not look at the routing tables yet (too many other things to do).
> As I understood, you do not use iocage any more. Did you use the "raw"
> method (i.e. /etc/jail.conf)? If yes, I am really interested in a "picture" of
> your configuration.
> To be honest, I tried the "raw" method without success before trying
> iocage.
> Thanks for your time and advice.
Received on Sat Jul 24 2021 - 21:48:26 UTC
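
Added example, not part of either message: a small sh check that reads `ifconfig bridge0` output and confirms the layout described in the reply (the jail's host-side interface is a bridge member, the physical uplink em0 is not, and the bridge carries an IPv4 address). The sample output and its 192.0.2.x addresses are constructed placeholders, and treating the bridge address as the jails' gateway is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): audit `ifconfig bridge0` output for the
# NAT layout above. Interface names em0/epair201a are the thread's; the sample
# output and its 192.0.2.x addresses are constructed placeholders.

SAMPLE_NAT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        member: epair201a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge'
# Same bridge with the physical NIC added as a member.
SAMPLE_BRIDGED="$SAMPLE_NAT
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>"

# Print one bridge member per line from ifconfig output on stdin.
bridge_members() {
    awk '$1 == "member:" { print $2 }'
}

# audit_bridge UPLINK JAIL_IF  (ifconfig output on stdin)
# Returns 0 only if JAIL_IF is a member, UPLINK is not, and the bridge has an
# IPv4 address (assumed here to be the gateway the jails route through).
audit_bridge() {
    uplink=$1 jail_if=$2 rc=0
    out=$(cat)
    members=$(printf '%s\n' "$out" | bridge_members)
    if printf '%s\n' "$members" | grep -Fqx -- "$uplink"; then
        echo "FAIL: $uplink is a bridge member: jails sit on the physical segment"
        rc=1
    fi
    if ! printf '%s\n' "$members" | grep -Fqx -- "$jail_if"; then
        echo "FAIL: $jail_if is not a bridge member: the jail cannot reach the host"
        rc=1
    fi
    if ! printf '%s\n' "$out" | awk '$1 == "inet" { f = 1 } END { exit !f }'; then
        echo "FAIL: bridge has no IPv4 address: nothing for the jails to route via"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: members:" $members; fi
    return "$rc"
}

# Demo on the constructed samples; on a real host use:
#   ifconfig bridge0 | audit_bridge em0 epair201a
printf '%s\n' "$SAMPLE_NAT" | audit_bridge em0 epair201a
printf '%s\n' "$SAMPLE_BRIDGED" | audit_bridge em0 epair201a || true
```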
