How do I know what IP to assign to my FreeBSD jail to avoid conflicts?

July 24, 2017 649 views
DNS Networking Getting Started FreeBSD

So I am trying to install a Nextcloud instance inside a FreeBSD jail. The domain I have chosen is pointing at the host FreeBSD instance inside which I want to spin up a FreeBSD jail, and in order to do that I have to assign my jail an IP address.

My question is how to provide a safe enough IP address so as to get up and running and also to get my domain name to point at the running jail instead of the host OS.

2 Answers
mzs114 July 24, 2017
Accepted Answer

For using an internal private subnet series, you can stick to the common private IP ranges that start with 192., 172. and 10. [1]
If you have enabled private IP for the droplet, just make sure that you choose a series different from the droplet's private IP.

Next, the domain will still be pointing to the host IP; what you can do is forward packets (using NAT) which arrive on a socket (the combination of host IP and TCP 80) to the internal private IP plus whatever port the service is listening on in the jail (let's say 8000, 8080, etc.).

Request from Internet => host:80 => jailIP:xxxx

To configure the above you will need to work with PF and make the host act as a gateway. The following blog has demonstrated the basic concept (the last config example) of making NAT work; on top of this you will need to modify the PF config to do port forwarding.

https://kgibran.wordpress.com/2016/01/10/internet-connectivity-to-jails-on-freebsd/

[1]
https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
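As an added example (not code from either answer above), the following shell script does the two things this answer describes: it checks a candidate jail subnet against every IPv4 network already configured on the host, so the jail range cannot collide with the droplet's public or private address, and it prints the nat/rdr pair that forwards host:80 to jailIP:port. The interface name vtnet0, the addresses in the sample ifconfig output and the jail port 8080 are placeholders, not values from this thread.

```shell
#!/bin/sh
# Added example, not part of either answer above. Checks a candidate jail
# subnet against every IPv4 network already configured on the host (the
# droplet's public and private interfaces), then prints the nat/rdr pair
# the first answer describes. Interface name, addresses and the jail port
# used below are placeholders, not values from the original thread.

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix_to_mask N (0..32) -> 32-bit netmask as an integer
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# cidr_overlaps A/p B/q: exit 0 if the two networks share any address.
# Two prefixes overlap exactly when they agree under the shorter mask.
cidr_overlaps() {
    n1=$(ip4_to_int "${1%/*}"); m1=$(prefix_to_mask "${1#*/}")
    n2=$(ip4_to_int "${2%/*}"); m2=$(prefix_to_mask "${2#*/}")
    m=$(( m1 & m2 ))
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# conflicting_host_nets CANDIDATE: read `ifconfig` output on stdin, print each
# configured network (as CIDR) that overlaps CANDIDATE, exit 1 if any did.
# FreeBSD prints "inet 10.132.0.5 netmask 0xffff0000 broadcast ..." per address.
# 127/8 on lo0 is skipped: the second answer deliberately puts jails there.
conflicting_host_nets() {
    cand=$1; found=0
    while read -r kw ip nm mask rest; do
        [ "$kw" = inet ] && [ "$nm" = netmask ] || continue
        case $ip in 127.*) continue ;; esac
        # prefix length = number of set bits in the hex netmask
        m=$(( $mask )); bits=0
        while [ "$m" -ne 0 ]; do bits=$(( bits + (m & 1) )); m=$(( m >> 1 )); done
        if cidr_overlaps "$cand" "$ip/$bits"; then
            echo "$ip/$bits"; found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# pf_rules EXT_IF JAIL_NET JAIL_IP JAIL_PORT: pf.conf text for the
# "host:80 => jailIP:xxxx" forwarding from the first answer, plus outbound NAT.
pf_rules() {
    printf 'ext_if="%s"\njail_net="%s"\nwww_jail="%s"\n' "$1" "$2" "$3"
    printf 'nat on $ext_if from $jail_net to any -> ($ext_if)\n'
    printf 'rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $www_jail port %s\n' "$4"
}

# Demo on constructed ifconfig output (not a real host): a public address,
# a DigitalOcean-style private address in 10.132.0.0/16, and loopback.
sample='inet 203.0.113.5 netmask 0xffffff00 broadcast 203.0.113.255
inet 10.132.0.5 netmask 0xffff0000 broadcast 10.132.255.255
inet 127.0.0.1 netmask 0xff000000'
for cand in 10.132.5.0/24 10.10.0.0/24; do
    if hits=$(echo "$sample" | conflicting_host_nets "$cand"); then
        echo "$cand: free"
    else
        echo "$cand: overlaps host network(s): $hits"
    fi
done
pf_rules vtnet0 10.10.0.0/24 10.10.0.10 8080
# On the real host: ifconfig | conflicting_host_nets 10.10.0.0/24
```

For the host to forward at all, rc.conf also needs gateway_enable="YES" (which sets net.inet.ip.forwarding=1); after editing pf.conf, check the syntax with pfctl -nf /etc/pf.conf before loading it, and confirm the translation rules took effect with pfctl -sn.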

I set my jails up in a similar way, but I use a cloned loopback interface rather than an IP on an external interface. Since 127.0.0.0/8 (127.*.*.*) is reserved for the loopback address, you can use any address in that range (just don't use the commonly used 127.0.0.1). I prefer to reserve 127.1.0.0/16 (127.1.*.*) for jails, so I could use the 3rd octet to logically/mentally group them if needed (e.g., by purpose or function). This approach "feels right" to me since it keeps local services on local IP addresses.

Add to /etc/rc.conf:

# Jails:
ezjail_enable="YES"
# Second loopback interface dedicated to jails (lo0 keeps 127.0.0.1)
cloned_interfaces="${cloned_interfaces} lo1"
# Whole 127.1.0.0/16 for jails; individual jail IPs are added as aliases
ifconfig_lo1="inet 127.1.0.0/16"

Bring up the cloned interface: sudo service netif cloneup

Add to /etc/pf.conf:

ext_if="vtnet0"
jail_if="lo1"
jail_net=$jail_if:network
www_jail="127.1.1.1"
www_ports="{ 80, 443 }"
# Outbound: source-NAT jail traffic to the host's external address
nat on $ext_if from $jail_net to any -> ($ext_if)
# Inbound: redirect web ports arriving on the external interface to the www jail
rdr pass on $ext_if inet proto tcp to port $www_ports -> $www_jail

Create and start your jail:

sudo ezjail-admin create www 'lo1|127.1.1.1'
sudo ezjail-admin start www

The rest (such as installing ezjail) should be typical setup/config.

  • Excellent, I wanted to mention the 127. series but chose to ignore it so it would be simpler for the users.
