Jail connectivity issue

[djdwosk97]

I recently upgraded my router and upon doing so, I can no longer get my Plex jail to run. Previously, I had to set a static IP as the DHCP option never seemed to work for some reason. But now I can't seem to get either a DHCP or Static configuration to work.

When I tried to edit the Jail configuration I get the error:
HTTPSConnectionPool(host='www.freebsd.org', port=443): Max retries exceeded with url: /security/unsupported.html (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 65] No route to host'))

then when I try to start the Jail I get:
Error: [EFAULT] No default interface found
The Jail does start up though -- it's just not accessible (by ping or by web portal)

I have already gone into Network > Global Configuration and set the DNS and Default Gateway.

I'm wondering if something is being blocked with the new router as when I switch back to the old router it does work again.


EDIT: I'm running TrueNAS 12 U8

 

[Davvo]

Proper configuration is to set up a bridge interface to avoid this kind of issues; @sretalla has made quite a few posts about it if I'm not wrong: try a little research around these informations and you should be good.

 

[Jailer]

Did your IP address range change with the new router?

 

[djdwosk97]

Did your IP address range change with the new router?

It did (and I updated the DNS/Default gateway accordingly). I even changed the new router's IP range to the same as the previous routers range and still the same problem.

 

[djdwosk97]

I also attempted to create a new Plex plugin and I get the following error during the installation process:

Error: pms3 had a failure Exception: RuntimeError Message: No default interface found Partial plugin destroyed

Also interesting, in the TrueNAS shell, I can ping the router, but I can't ping google.com.



EDIT: Okay, one final update....

I decided to setup the second interface (I have dual NICs) -- which I stopped using since I didn't need the extra bandwidth -- and I was able to get the jail to work with DHCP when using that interface..... so there is just something weird going on with the first interface and jails. For what it's worth, the first interface works perfectly fine with a VM.

 

[Jailer]

If you change the subnet of your network the nameserver in /etc/resolv.conf in your jail does not get updated to reflect the change. You have to go into the jail and update the file manually to match the new default gateway address for things to work again. At least that's what used to happen in the past, not sure if that's something that got changed in newer FreeBSD versions.

Also don't use plugins, they're a recipe for failure.

 

[Patrick M. Hausen]

@Jailer iocage set "resolver=nameserver 1.2.3.4;nameserver 5.6.7.8;search domain.com" <jailname> might help.

@djdwosk97 Did you create your bridge interfaces and move the host IP address configuration there from the physical member?

 

[djdwosk97]

@Jailer iocage set "resolver=nameserver 1.2.3.4;nameserver 5.6.7.8;search domain.com" <jailname> might help.

@djdwosk97 Did you create your bridge interfaces and move the host IP address configuration there from the physical member?

I didn't yet, What are the benefits of using a Bridge over the physical interface itself?

Before proceeding with setting up a Bridge interface, I'd like to make sure I've got the steps down so I don't lock myself out of the GUI and cause myself a headache (if I did get locked out, would fixing it be as simple as opening up a shell on the server itself and running 'route add default 192.168.0.1'?).

I would also like to move my server to a different VLAN at the same time. How would I go about doing this? Do I first need to change the default nameserver and gateway in Network > Global Configuration? And then would I go into Network > Interfaces and 'Reset Configuration' on one of the physical interfaces? And then add a bridge? Would I create a bridge for each of Plex, a VM, and the GUI?

If you change the subnet of your network the nameserver in /etc/resolv.conf in your jail does not get updated to reflect the change. You have to go into the jail and update the file manually to match the new default gateway address for things to work again. At least that's what used to happen in the past, not sure if that's something that got changed in newer FreeBSD versions.

Also don't use plugins, they're a recipe for failure.

I'll probably move away from the Plex jail eventually, but I haven't built up he motivation to do it just yet.

Shouldn't that not have been an issue anyway after I went into my new router's settings and switched it to the original IP range (that continued to work after I plugged TrueNAS back into the old router).

 

[Patrick M. Hausen]

I didn't yet, What are the benefits of using a Bridge over the physical interface itself?

TrueNAS will create a bridge for you, anyway, because this is the only way to connect a VNET jail with a physical interface. Only it will do so on the fly and the resulting configuration will be in direct violation of FreeBSD documentation and cause various issues most of which revolve around multicast.

Enter ifconfig in an ssh session on your NAS host and you will find that:

• there is a bridge interface for each physical interface you connected jails to
• the bridge interface does not have an IP address
• the physical interface that is a member of the bridge interface does have an IP address

Which violates that "any bridge member MUST NOT have an IP address" in FreeBSD. The IP address MUST be on the bridge interface instead.

 

[victort]

Do you have only one NIC?
Is the TrueNAS machine going to be part of the VLAN or only the jail?

 

[djdwosk97]

Do you have only one NIC?
Is the TrueNAS machine going to be part of the VLAN or only the jail?

I have dual NICs.

I would like the TrueNAS machine and one of the VMs to be on one VLAN; the Plex jail is possibly worth keeping on a separate VLAN?

TrueNAS will create a bridge for you, anyway, because this is the only way to connect a VNET jail with a physical interface. Only it will do so on the fly and the resulting configuration will be in direct violation of FreeBSD documentation and cause various issues most of which revolve around multicast.

Enter ifconfig in an ssh session on your NAS host and you will find that:

• there is a bridge interface for each physical interface you connected jails to
• the bridge interface does not have an IP address
• the physical interface that is a member of the bridge interface does have an IP address

Which violates that "any bridge member MUST NOT have an IP address" in FreeBSD. The IP address MUST be on the bridge interface instead.

Gotcha, I see that.

 

[victort]

I have dual NICs.

I would like the TrueNAS machine and one of the VMs to be on one VLAN; the Plex jail is possibly worth keeping on a separate VLAN?


Gotcha, I see that.

The process would be to create two bridges named according to whichever VLAN they will be a part of. For example br0 would be you main LAN, br5 would be VLAN, br6 would be another VLAN. I like to name my bridges according to the third quadrant of the range.

192.168.5.0 would be br5
192.168.10.0 would be br10
etc…

So you create your bridge interfaces, with the members being your physical interfaces, then move the IP address from the physical to the corresponding bridge interfaces.

Then you just select the proper bridge interfaces based on which VLAN it should be a part of when configuring your jails and VMs.

 

[Patrick M. Hausen]

@victort If you connect the VLANs via untagged physical ports, you are correct. If you want to use VLANs in TrueNAS, the order is:

Create VLAN with physical as parent interface
Create bridge with VLAN as member
Configure IP address on bridge

Then attach your jails/VMs to the bridge interfaces instead of anything else. From a FreeBSD point of view this is not optional. Every configuration that does not adhere to this architecture is unsupported. Why TrueNAS got away with ignoring that for years fails me.

Kind regards,
Patrick

 

[victort]

@victort If you connect the VLANs via untagged physical ports, you are correct. If you want to use VLANs in TrueNAS, the order is:

Create VLAN with physical as parent interface
Create bridge with VLAN as member
Configure IP address on bridge

Then attach your jails/VMs to the bridge interfaces instead of anything else. From a FreeBSD point of view this is not optional. Every configuration that does not adhere to this architecture is unsupported. Why TrueNAS got away with ignoring that for years fails me.

Kind regards,
Patrick

Correct. I missed that part. Thanks for the correction.

 

[victort]

I used to configure my switch to tag VLAN1 for my main LAN when I had only 1 NIC, but I found I can just add a VLAN interface, attach the NIC as a member, then create a bridge with the VLAN as a member and it would function just the same. No need to configure the switch. But that was when I was using only 1 NIC on my server.

 

[djdwosk97]

The process would be to create two bridges named according to whichever VLAN they will be a part of. For example br0 would be you main LAN, br5 would be VLAN, br6 would be another VLAN. I like to name my bridges according to the third quadrant of the range.

192.168.5.0 would be br5
192.168.10.0 would be br10
etc…

So you create your bridge interfaces, with the members being your physical interfaces, then move the IP address from the physical to the corresponding bridge interfaces.

Then you just select the proper bridge interfaces based on which VLAN it should be a part of when configuring your jails and VMs.

@victort If you connect the VLANs via untagged physical ports, you are correct. If you want to use VLANs in TrueNAS, the order is:

Create VLAN with physical as parent interface
Create bridge with VLAN as member
Configure IP address on bridge

Kind regards,
Patrick

The router is putting out untagged and VLAN100 on the physical port (I have TrueNAS connected to two of the router's LAN ports, not to the switch due to its physical location)

I created a VLAN interface with em0 as the parent interface and no IP address and no DHCP. I then created a bridge interface with no DHCP and an IP address (10.0.100.2/24 -- should this be /24 and not /32?).

I did 'Test Changes' and tried to navigate to the GUI at 10.0.100.2 (I was on a device that was on that VLAN), but it couldn't be reached.

 

[victort]

It should be /24 as that looks to be your subnet.

I usually set the bridge to DHCP and let it obtain an IP address to confirm it can talk on the VLAN before setting it statically.

 

[djdwosk97]

It should be /24 as that looks to be your subnet.

I usually set the bridge to DHCP and let it obtain an IP address to confirm it can talk on the VLAN before setting it statically.

I tried with DHCP and not a static IP and I get an IP Address of 0.0.0.0/8, so I must be missing something that needs to be set?

Do I not need to modify the default gateway/nameserver to the VLANs gateway?

 

[victort]

Hmmm…

Is the VLAN tag set to 100 in the VLAN interface?
Does the bridge interface have the VLAN as its member?

 

[djdwosk97]

Hmmm…

Is the VLAN tag set to 100 in the VLAN interface?
Does the bridge interface have the VLAN as its member?

The VLAN tag is set to 100 in the router's interface, yes.
Yes, the bridge does have the VLAN as its sole member.

Should DHCP be enabled on the bridge or the VLAN interface? It is currently enabled on the Bridge interface.