Bug 270492 - host forwards packets of non-vnet jails to other vlans
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 13.2-RELEASE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Security Team
Reported: 2023-03-28 00:38 UTC by tom+fbsdbugzilla
Modified: 2023-12-09 22:58 UTC

Description tom+fbsdbugzilla 2023-03-28 00:38:04 UTC
My jail host is somehow allowing jails which are assigned their own interface parented to a VLAN to access management VLAN hosts.

It's bypassing the router, and it looks like the FreeBSD jail hypervisor itself is forwarding packets to the management VLAN, despite never putting gateway_enable="YES" into rc.conf.

traceroute is contradicting ifconfig, saying an IP address is not on an interface.

I'm using standard iocage stands. VNET is off.

My topology: the main hypervisor operating system's IPs are on a lagg0 interface in failover mode across two Intel gigabit NICs, pointed to vlan1.

The iocage jails are assigned to an alias interface 'jail', each jail with a unique IPv4 and IPv6 address.

The jail interface is renamed lagg0_4 or vlan4 on interface lagg0.

All those cluster physical links go into a layer 3 switch, which is trunked to an OpenWrt router which handles firewalling and cross-VLAN talk, NAT, etc.

My computer, which is on the management VLAN, is 192.168.55.5.

I ran nc -vkl 4000, which binds to 0.0.0.0 port 4000 TCP,

and inside one of the jails (192.168.4.31) I ran nc -v 192.168.55.5 4000.

The connection succeeded, and on my computer I see these lines:

Listening on 0.0.0.0 4000

Connection received on 192.168.4.31 12606

hello

That should not happen.

I thought my router was passing it through, so I connected my laptop to the switch VLAN 4 and tried to repeat nc -v 192.168.55.5 4000.

I was unable to replicate.

I then ran traceroute -i jail -s 192.168.4.31 192.168.55.5 on the jail hypervisor.

traceroute complained the jail interface didn't contain that IP address, which directly contradicts what ifconfig jail says.

I removed -i jail and ran traceroute again, and it succeeded.

That shouldn't happen either.

Interestingly, there was no router in between.

According to traceroute, it was direct. That led me to believe the jail hypervisor is forwarding the packets,

which also should not be possible, because sys.inet.forward=0.

sys.inet.forwarding is 0.
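An added host-side audit, not part of the bug report, that parses the three things the reporter consulted (the forwarding sysctls, rc.conf and ifconfig output) and flags the conditions described above: forwarding enabled on either address family, gateway_enable set, or a jail address missing from the interface it is supposed to be bound on. It assumes the sysctl names net.inet.ip.forwarding and net.inet6.ip6.forwarding and the rc.conf keys gateway_enable and ipv6_gateway_enable; all sample output below is constructed.

```python
import re

# Constructed sample input (interface name and the 192.168.4.31 jail address follow the report).
SYSCTL_OUT = "net.inet.ip.forwarding: 0\nnet.inet6.ip6.forwarding: 1\n"
RC_CONF = 'hostname="jailhost"\ngateway_enable="NO"\n'
IFCONFIG_OUT = """lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
jail: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.4.31 netmask 0xffffff00 broadcast 192.168.4.255
\tinet6 fe80::1%jail prefixlen 64 scopeid 0x3
"""

def parse_ifconfig(text):
    """Map interface name -> list of inet/inet6 addresses, parsing FreeBSD ifconfig(8) layout."""
    addrs, iface = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():          # "name: flags=..." header line
            iface = line.split(":", 1)[0]
            addrs.setdefault(iface, [])
        elif iface:
            m = re.match(r"\s+inet6?\s+(\S+)", line)  # indented "inet a.b.c.d netmask ..."
            if m:
                addrs[iface].append(m.group(1).split("%")[0])  # drop IPv6 scope id
    return addrs

def parse_kv(text, sep):
    """Parse `key: value` (sysctl output) or key="value" (rc.conf) lines into a dict."""
    out = {}
    for line in text.splitlines():
        if sep in line:
            k, v = line.split(sep, 1)
            out[k.strip()] = v.strip().strip('"')
    return out

def audit(sysctl_out, rc_conf, ifconfig_out, jail_iface, jail_ips):
    """Return a list of findings; an empty list means the host matches the expected state."""
    findings = []
    sysctl, rc = parse_kv(sysctl_out, ":"), parse_kv(rc_conf, "=")
    for key in ("net.inet.ip.forwarding", "net.inet6.ip6.forwarding"):
        if sysctl.get(key) != "0":
            findings.append(f"{key}={sysctl.get(key)}: host routes between interfaces")
    for key in ("gateway_enable", "ipv6_gateway_enable"):
        if rc.get(key, "NO").upper() == "YES":
            findings.append(f"{key} is YES in rc.conf")
    bound = set(parse_ifconfig(ifconfig_out).get(jail_iface, []))
    findings += [f"{ip} not bound on {jail_iface}" for ip in jail_ips if ip not in bound]
    return findings

if __name__ == "__main__":
    print(audit(SYSCTL_OUT, RC_CONF, IFCONFIG_OUT, "jail", ["192.168.4.31", "192.168.4.32"]))
```

On a real host, feed it the output of sysctl, cat /etc/rc.conf and ifconfig instead of the constructed strings; the IPv6 sysctl is checked separately because it is controlled by ipv6_gateway_enable, not gateway_enable.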