Can’t access internet or ping default gateway from a FreeBSD 12 jail

I am new to FreeBSD jails. Everything (such as ssh to the jail from any host in the network) works fine, except that I can't access the internet or ping the default gateway from a FreeBSD 12 jail. Please help me resolve this.

My setup is as follows:

  • a laptop running Ubuntu 16.04.4 / Kernel 4.15.0-29-generic (172.20.0.2) is connected to a 4G router (172.20.0.1) via wlan0

  • VirtualBox ver 5.2.16 r123759 is installed on the system

  • FreeBSD 12 is running on VirtualBox with a Bridged adapter to wlan0

  • a jail is running on FreeBSD 12

diagram:

    +-------------------------------+
    |   E5172Bs-925 4G router       |
    |                               |
    +-------------------------------+
                  |172.20.0.1
                  |
                  |
                  |  wlan0
                  |172.20.0.2 gw: 172.20.0.1
         Ubuntu 16.04.4/ Kernel 4.15.0-29-generic
    +---------------------------------------------------------------+
    |             |                                                 |
    |             |                                                 |
    | FreeBSD 12  |172.20.0.41 (Attached to Bridged adapter)        |
    | +-----------+gw: 172.20.0.1---+---------------+               |
    | |                             |               |               |
    | |                             |               |               |
    | | +---------------------------+--------+      |               |
    | | | jail : 172.20.0.110                |      |               |
    | | | gw: 172.20.0.1                     |      |               |
    | | |                                    |      |               |
    | | |                                    |      |               |
    | | +------------------------------------+      |               |
    | |                                             |               |
    | +---------------------------------------------+               |
    +---------------------------------------------------------------+

My jail.conf file (taken from /usr/share/examples/jails/jail.xxx.conf):

    rsnapshot {
        host.hostname = "rsnapshot";    # hostname
        path = "/jails/rsnapshot";      # root directory

        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";

        #
        # NB: Below 4-lines required
        #
        vnet;

        # netgraph
        #vnet.interface = "ng0_rsnapshot";               # vnet interface(s)
        #exec.prestart += "jng bridge rsnapshot em0";    # bridge interface(s)
        #exec.poststop += "jng shutdown rsnapshot";      # destroy interface(s)

        # if_bridge
        vnet.interface = "e0b_rsnapshot";              # vnet interface(s)
        exec.prestart += "jib addm rsnapshot em0";     # bridge interface(s)
        exec.poststop += "jib destroy rsnapshot";      # destroy interface(s)

        # Standard recipe
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = "/var/log/jail_rsnapshot_console.log";
        mount.devfs;    # mount devfs

        # Optional (default off)
        #devfs_ruleset = "11";          # rule to unhide bpf for DHCP
        #allow.mount;                   # mount /etc/fstab.rsnapshot
        #allow.set_hostname = 1;        # Allow hostname to change
        #allow.sysvipc = 1;             # Allow SysV Interprocess Comm.
    }

Host ifconfig:

    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=810099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:9b:b8:c4
        inet 172.20.0.41 netmask 0xffffff00 broadcast 172.20.0.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    em0bridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:d7:f0:96:d8:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: e0a_rsnapshot flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
    e0a_rsnapshot: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:f8:e0:9b:b8:c4
        hwaddr 02:70:c5:28:c6:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Jail ifconfig:

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    e0b_rsnapshot: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 0e:f8:e0:9b:b8:c4
        hwaddr 02:70:c5:28:c6:0b
        inet 172.20.0.110 netmask 0xffffff00 broadcast 172.20.0.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

I can ping any host in my network from the jail, but not the default gateway or anything outside.

tcpdump on wlan0 of my laptop shows the following; I can see the ICMP echo request but no replies:

    11:03:40.748008 IP (tos 0x0, ttl 64, id 52840, offset 0, flags [none], proto ICMP (1), length 84)
        172.20.0.110 > 172.20.0.1: ICMP echo request, id 45323, seq 0, length 64
    11:03:40.775639 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.20.0.110 tell 172.20.0.1, length 28
    11:03:40.776034 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.20.0.110 is-at 0e:f8:e0:9b:b8:c4, length 28

If I ping my laptop from the jail, it shows:

    11:31:15.625571 IP (tos 0x0, ttl 64, id 52842, offset 0, flags [none], proto ICMP (1), length 84)
        172.20.0.110 > 172.20.0.2: ICMP echo request, id 6668, seq 0, length 64
    11:31:15.625629 IP (tos 0x0, ttl 64, id 2336, offset 0, flags [none], proto ICMP (1), length 84)
        172.20.0.2 > 172.20.0.110: ICMP echo reply, id 6668, seq 0, length 64

netstat -rn in the jail:

    root@freebsdjail1:/ # netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            172.20.0.1         UGS    e0b_rsna
    127.0.0.1          link#1             UH          lo0
    172.20.0.0/24      link#2             U      e0b_rsna
    172.20.0.110       link#2             UHS         lo0

    Internet6:
    Destination                       Gateway                       Flags     Netif Expire
    ::/96                             ::1                           UGRS        lo0
    ::1                               link#1                        UH          lo0
    ::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
    fe80::/10                         ::1                           UGRS        lo0
    fe80::%lo0/64                     link#1                        U           lo0
    fe80::1%lo0                       link#1                        UHS         lo0
    ff02::/16                         ::1                           UGRS        lo0
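The two captures above are the evidence in this question, so a small script that pairs every ICMP echo request with its reply (matched on id/seq with source and destination swapped, the way the kernel matches them) and lists who ARPed for the jail's address makes the pattern explicit: which peers answer and which stay silent after resolving the jail's MAC. This is an added example, not code from the poster; the sample capture is constructed from the tcpdump lines in the post and the parser only understands the `tcpdump -v` text shown there.

```python
import re
from collections import defaultdict

# Constructed sample: the two tcpdump excerpts from the post, joined so the
# script has input to run on offline.
SAMPLE_CAPTURE = """\
11:03:40.748008 IP (tos 0x0, ttl 64, id 52840, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.110 > 172.20.0.1: ICMP echo request, id 45323, seq 0, length 64
11:03:40.775639 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.20.0.110 tell 172.20.0.1, length 28
11:03:40.776034 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.20.0.110 is-at 0e:f8:e0:9b:b8:c4, length 28
11:31:15.625571 IP (tos 0x0, ttl 64, id 52842, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.110 > 172.20.0.2: ICMP echo request, id 6668, seq 0, length 64
11:31:15.625629 IP (tos 0x0, ttl 64, id 2336, offset 0, flags [none], proto ICMP (1), length 84)
    172.20.0.2 > 172.20.0.110: ICMP echo reply, id 6668, seq 0, length 64
"""

# Second line of each "tcpdump -v" IP record: "<src> > <dst>: ICMP echo request, id N, seq M, ..."
ICMP_RE = re.compile(
    r"^\s+(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)
ARP_REQ_RE = re.compile(r"ARP, .*Request who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+)")
ARP_REP_RE = re.compile(r"ARP, .*Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]+)")


def pair_pings(capture):
    """Return {(requester, target): {"sent": n, "answered": n}} for ICMP echo traffic.

    A reply only counts if a request with the same (id, seq) was seen in the
    opposite direction, so unrelated ICMP traffic is never mistaken for an answer.
    """
    outstanding = {}
    stats = defaultdict(lambda: {"sent": 0, "answered": 0})
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue
        key = (m["id"], m["seq"])
        if m["kind"] == "request":
            outstanding[(m["src"], m["dst"]) + key] = True
            stats[(m["src"], m["dst"])]["sent"] += 1
        else:
            # the reply's src is the original dst and vice versa
            req = (m["dst"], m["src"]) + key
            if outstanding.pop(req, None):
                stats[(m["dst"], m["src"])]["answered"] += 1
    return dict(stats)


def arp_activity(capture):
    """Return {ip: {"asked_by": set_of_askers, "answered_as": mac_or_None}}."""
    seen = defaultdict(lambda: {"asked_by": set(), "answered_as": None})
    for line in capture.splitlines():
        m = ARP_REQ_RE.search(line)
        if m:
            seen[m["target"]]["asked_by"].add(m["asker"])
            continue
        m = ARP_REP_RE.search(line)
        if m:
            seen[m["ip"]]["answered_as"] = m["mac"]
    return dict(seen)


def unanswered_targets(capture):
    """Destinations that were pinged at least once and never replied."""
    return sorted(
        dst for (src, dst), s in pair_pings(capture).items()
        if s["sent"] and s["answered"] == 0
    )


if __name__ == "__main__":
    for (src, dst), s in pair_pings(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {s['answered']}/{s['sent']} echo requests answered")
    for ip, a in arp_activity(SAMPLE_CAPTURE).items():
        print(f"ARP for {ip}: asked by {sorted(a['asked_by'])}, answered as {a['answered_as']}")
    print("silent targets:", unanswered_targets(SAMPLE_CAPTURE))
```

On the post's capture this reports 172.20.0.1 as the only silent target, and that it did ARP for 172.20.0.110 and was told the address belongs to the jail's epair MAC 0e:f8:e0:9b:b8:c4, not to the VM's em0 MAC. The laptop (172.20.0.2) answers because its frames never cross the Wi-Fi link. That asymmetry is the thing to check next: the VirtualBox manual describes bridging over a wireless adapter as rewriting source MACs to the host's wireless MAC and mapping replies back only for IP addresses belonging to the VM's own adapter, which would leave a second MAC/IP behind the VM, such as a jail's epair, without a return path. Running the same tcpdump on the router side of the link (or on the VM's em0bridge) shows whether the echo reply is generated and lost, or never generated at all.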

Microservices with its pieces like API gateway, messaging and discovery server

I’ve looked up this answer and I understand the difference between api gateway and discovery server.

My understanding is that the API gateway is for clients like mobile apps or desktop browsers; for instance, the API gateway is a piece of software that lives at https://api.example.com and then pipes the request to the Discovery Service.

The Discovery Service is where all my "REST client servers" will register themselves, and when the Discovery Service receives a request from the API gateway it will pipe the request to the relevant "client server".

Please review the above.

What I also don't get is the role of messaging (with Kafka or RabbitMQ); can someone explain why and where I would use it within microservices? For inter-service communication I can make a REST call through the discovery service, so why do I need to use Kafka to communicate with them via messages?

Edit

Just came across this answer, and my understanding now is that it's sort of like the Hollywood saying,

don’t call us, we’ll call you.

REST – For an asynchronous request, the client has to keep checking with the server (follow-up requests) whether the job was done.

Messaging – The client would know when the job was done.

My second segment's IP cannot access its gateway

I have a VLAN which has 43.24.227.38/29 and 192.168.33.238/29 in it. I configured the IPs on one interface, as you see below:

    source /etc/network/interfaces.d/*

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eno1
    iface eno1 inet static
            address 43.24.227.35
            netmask 255.255.255.248
            gateway 43.24.227.38

    auto eno1:0
    iface eno1:0 inet static
            address 43.24.227.36
            netmask 255.255.255.248
            # dns-* options are implemented by the resolvconf package, if installed

    auto eno1:1
    iface eno1:1 inet static
            address 192.168.33.235
            netmask 255.255.255.248

But now I cannot ping 192.168.33.238 from my server. Do I need to add a static route?

How to configure two segments' IP addresses' gateways using netplan?


    network:
      version: 2
      renderer: networkd
      ethernets:
        enp1s0f1:
          addresses:
            - 22.95.140.1/24
            ...
            - 22.95.141.1/24
            - 22.95.141.2/24
            ...
          gateway4: 22.95.140.254
          nameservers:
            addresses: [8.8.8.8, 8.8.4.4]
          dhcp4: no
          optional: no

You see I configured two IP segments, 22.95.140.0/24 and 22.95.141.0/24.

But there I only configured one gateway, gateway4: 22.95.140.254. Do I need a gateway for each of the two IP segments?

If I need two, how can I configure that?

Should I configure it like this?

    gateway4: [22.95.140.254, 22.95.140.254]
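For reference, `gateway4` takes a single address, so a list as written above is not accepted, and two default routes in the main table would only compete with each other rather than serve different segments. When the second prefix has its own router, the usual pattern is source-based policy routing: one default route per table, and a rule that sends traffic sourced from the second segment to the second table. The netplan below is an added example, not the poster's configuration; it keeps the addresses from the question and assumes a hypothetical router 22.95.141.254 for the 22.95.141.0/24 segment (if the 22.95.140.254 router also forwards for 22.95.141.0/24, the existing single `gateway4` is already enough and nothing else is needed).

```yaml
# Added example (not from the question). Assumed: 22.95.141.254 is the router
# for the second segment. The "..." lines of the original are omitted here.
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0f1:
      dhcp4: no
      optional: no
      addresses:
        - 22.95.140.1/24
        - 22.95.141.1/24
        - 22.95.141.2/24
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
      routes:
        # the one system-wide default route; replaces gateway4
        - to: 0.0.0.0/0
          via: 22.95.140.254
        # second default route kept in its own table so it never competes
        # with the first one; only the policy rule below selects it
        - to: 0.0.0.0/0
          via: 22.95.141.254
          table: 141
      routing-policy:
        # replies and connections sourced from 22.95.141.x use table 141
        - from: 22.95.141.0/24
          table: 141
```

After `netplan apply`, `ip route show table 141` should list the second default route and `ip rule show` the `from 22.95.141.0/24 lookup 141` rule; `ip route get 1.1.1.1 from 22.95.141.1` then shows the 22.95.141.254 next hop while a plain `ip route get 1.1.1.1` still uses 22.95.140.254.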

Rate Limit using Azure Application Gateway

I am changing the deployment of our Web App from Azure App Service to VMs behind an Application Gateway, because the App Service could not handle the peak load we had a few days ago.

What I now would like to do to guard the app from a possible very short peak-usage is implement rate-limiting (e.g. max. 60 requests per minute per client/IP).

The app is expected to have a very short peak usage (a ticket-selling app at the start of sales for a very popular event).
Last time, when the peak occurred and the server got slower, people started to hit "Refresh" as fast as they could and completely shut down the whole system without a chance to recover (at multiple thousand requests per second our system was not able to start up again, as it is not really designed for such a high load; during 99.9% of the time we have <100 requests per second), so we would like to have a way to avoid such users "DDoS-ing" the system "by accident or out of fear of not getting their ticket"…

Is this possible using an Application Gateway?
Any other idea how such (on-demand) rate-limiting could be implemented?

What I found is the following: https://docs.microsoft.com/en-us/azure/api-management/api-management-sample-flexible-throttling but this does not seem to apply to Application Gateways, or at least I did not find out how…
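Whatever enforces the rule (a gateway-side rate-limit rule if the WAF policy in use offers one, a reverse proxy in front of the VMs, or middleware in the app itself), the 60-requests-per-minute-per-IP behaviour the question describes is a sliding-window counter keyed on the client address. The code below is an added, self-contained example of that counter and not anything from the question or from Azure; it simulates the refresh storm described above so the effect of the limit is visible, and answers rejected requests with 429 and a Retry-After header, which is what tells a browser hammering refresh to stop rather than retry faster.

```python
import time
from collections import deque, defaultdict


class SlidingWindowLimiter:
    """Per-client sliding-window limiter: at most `limit` requests in any `window` seconds.

    One deque of timestamps per client key (the client IP here). A request is
    allowed iff fewer than `limit` accepted requests fall inside the last `window`
    seconds. Rejected requests are not recorded, so a rejected client is told to
    back off but does not extend its own penalty; record them too if you want a
    hard lockout for clients that ignore Retry-After.
    """

    def __init__(self, limit=60, window=60.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[client_ip]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, client_ip, now=None):
        """Seconds until the client's oldest counted request leaves the window."""
        now = time.monotonic() if now is None else now
        q = self._hits[client_ip]
        if len(q) < self.limit:
            return 0.0
        return max(0.0, q[0] + self.window - now)


def handle(limiter, client_ip, now=None):
    """What the proxy/middleware returns: (status, extra headers)."""
    if limiter.allow(client_ip, now):
        return 200, {}
    return 429, {"Retry-After": str(int(limiter.retry_after(client_ip, now)) + 1)}


def simulate_refresh_storm(limiter, ip, requests, spacing, start=0.0):
    """Constructed workload: `requests` hits from one IP, `spacing` seconds apart.
    Returns (allowed, rejected)."""
    allowed = rejected = 0
    for i in range(requests):
        if limiter.allow(ip, now=start + i * spacing):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=60, window=60.0)
    # one client refreshing 10 times a second for a minute: 60 get through, 540 get 429
    print("storm:", simulate_refresh_storm(lim, "203.0.113.7", 600, 0.1))
    # a normal user at one request every 2 s is never limited
    print("normal:", simulate_refresh_storm(SlidingWindowLimiter(), "203.0.113.8", 100, 2.0))
```

Two caveats a practitioner would want before deploying this: the key must be the real client address, which behind Application Gateway means reading the X-Forwarded-For header the gateway adds rather than the socket peer (otherwise every request is keyed on the gateway), and a per-IP limit punishes many users sharing one NAT address, so pair it with a per-session or per-account key where the app has one. The counter here lives in process memory; with several VMs behind the gateway, each VM enforces its own count unless the deque is replaced by a shared store.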

Is it better to specify a public DNS on each host or send it through the gateway?

In general, do you get better performance if each host has a public DNS server specified (like Google's 8.8.8.8), or is it better to just add that DNS server to the gateway, serve DNS from the gateway and point all hosts to it (perhaps adding the public DNS server after the gateway for redundancy)? Does using the public DNS server slow down page loading on hosts?

Cannot ping past gateway

My wifi is connected but I cannot access the internet, irrespective of the network to which I connect. I can ping the gateway but cannot ping 8.8.8.8, which shows "Destination Net Unreachable". I tried adding nameserver 8.8.8.8 as the first uncommented line in /etc/resolv.conf but it didn't help. traceroute 8.8.8.8 shows:

    traceroute to 8.8.8.8 (8.8.8.8), 64 hops max
     1  * 192.168.100.1  45.013ms !N  0.869ms !N

ip link shows the state of enp8s0 as DOWN. I am new to such issues and don't know if this is a problem. I am unable to set it to UP.

Thanks in advance.

No default gateway in TAP OpenVPN with Kea

We have an OpenVPN server in TAP mode on our server. Wifi routers connect directly to this server; other devices can then, in turn, connect to these. On our server, we also have a Kea DHCP server handing out IP addresses to all devices connected (directly or through Wifi). This part works fine so far.

We now want those devices to be able to connect to the Internet through the VPN. This part works as well – but only if we manually set the default gateway on the devices.

In Kea, we have defined the following subnet:

    {
        "subnet": "10.11.0.0/24",
        "pools": [ { "pool": "10.11.0.10 - 10.11.0.200" } ],
        "option-data": [
            {
                "name": "routers",
                "data": "10.11.0.1"
            },
            {
                "name": "domain-name-servers",
                "data": "8.8.8.8, 9.9.9.9"
            }
        ]
    }

My understanding is that the IP specified in the “routers” option should be used as the default gateway, but it isn’t. We have tested on Android and Windows devices and none of them set any default gateway (and neither do the Wifi routers). However, IP addresses are handed out fine and the DNS servers provided in the “domain-name-servers” option are set properly. Once we manually set the default gateway, end devices can access the Internet without any issues.

Just in case we have to change anything there, here is also the OpenVPN server config:

    local 1.2.3.4
    port 443
    proto tcp
    dev tap3
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server-bridge
    client-to-client
    keepalive 10 120
    tls-auth ta.key 0
    cipher AES-256-CBC
    compress lz4-v2
    push "compress lz4-v2"
    user nobody
    group nogroup
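By default Kea only includes an option in its OFFER/ACK when the client lists it in the parameter request list (option 55); `always-send` forces it out regardless. The subnet below is an added variant of the one in the question, not the poster's configuration, and it changes exactly one thing: the routers option is marked `always-send`. It is a check rather than a guaranteed fix: if the gateway appears on the clients after this change, the clients were not asking for option 3; if it still does not, the option is being sent and dropped or overridden on the client side, and the DHCP exchange itself needs to be looked at.

```json
{
    "subnet": "10.11.0.0/24",
    "pools": [ { "pool": "10.11.0.10 - 10.11.0.200" } ],
    "option-data": [
        {
            "name": "routers",
            "data": "10.11.0.1",
            "always-send": true
        },
        {
            "name": "domain-name-servers",
            "data": "8.8.8.8, 9.9.9.9"
        }
    ]
}
```

To see what actually reaches the clients, capture the exchange on the TAP interface on the server with `tcpdump -vvni tap3 'udp port 67 or udp port 68'`; tcpdump decodes the options in the ACK, so a line reading `Default-Gateway Option 3, length 4: 10.11.0.1` confirms the server side. Two things the question does not state but that the setup depends on: 10.11.0.1 has to be an address on the bridge that tap3 is a member of (with forwarding and NAT or routing configured on the server for the VPN subnet), and `server-bridge` with no arguments puts OpenVPN into DHCP-proxy mode, so the end devices rely entirely on the DHCP exchange over the bridge for their default route.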