From: Michael Gmelin
To: "Patrick M. Hausen"
Cc: Johan Hendriks, Kristof Provost, freeBSD-net
Date: Sun, 13 Mar 2022 14:15:44 +0100
Subject: Re: epair and vnet jail loose connection.
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

> On 13. Mar 2022, at 14:07, Patrick M. Hausen wrote:
>
> Hi all,
>
> I was a bit puzzled by Michael using bhyve trying to reproduce.
> Up until now I thought bhyve uses tap and not epair?
>

In my setup, FreeBSD 14 runs on a bhyve vm, hosting the jails, which use vnet.

Bare metal -> FreeBSD 13.0 -> bhyve -> FreeBSD Current -> vnet jails haproxy/web01

Replace bhyve with VMware, AWS, or a bare metal server to understand the setup.

The reason I’m doing this is:

1. I don’t want to update the bare metal host to a non-release version
2. Johan is running his setup inside a vm as well.

Best
Michael

> Anyway ...
>
>> On 13.03.2022 at 14:01, Johan Hendriks wrote:
>> I have no idea why it does not work on my setup, which is nothing out of the ordinary I think, basic full jails connected to a bridge interface and one of them exposed to the world wide web using pf binat.
>
> What we do is full exposed VNET jails connected to the bridge
> on the external interface of the host. ipfw kernel module loaded
> but not used in this case, i.e. only the "default to accept" rule active
> in the jails.
>
> I will probably downgrade the production host from 13.1-PRERELEASE
> to 13.0-pX tomorrow and see if that changes anything.
>
> Kind regards,
> Patrick
> --
> punkt.de GmbH
> Patrick M. Hausen
> .infrastructure
>
> Kaiserallee 13a
> 76133 Karlsruhe
>
> Tel. +49 721 9109500
>
> https://infrastructure.punkt.de
> info@punkt.de
>
> AG Mannheim 108285
> Managing Directors: Jürgen Egeling, Daniel Lienert, Fabian Stein