[GH-ISSUE #372] Sandboxes connected to a bridge, how to connect the bridge to the Internet? #265

Closed
opened 2026-05-05 05:28:00 -06:00 by gitea-mirror · 7 comments

Originally created by @jebofponderworthy on GitHub (Mar 20, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/372

I need this setup to run not only headless but connection-less, thus all of my sandboxes will connect to bridges, for basic example:

```
firejail --noprofile --net=br0 --ip=10.99.99.10 bash
```

Within such a bash shell, I can ping other sandboxes setup with other IPs, and I can ping the host, and the host can ping the sandboxes; perfect! But when I do want to run these sandboxes connected to the outside world, I try to add the host's NIC to the bridge:

```
sudo brctl addif br0 enp0s7   # addif attaches an interface to the bridge; addbr only creates one
```

and instead of connecting the sandboxes on br0 to the Internet, it cuts the host off from everything outside of itself! What am I missing? I have tried turning STP on, no change. I would rather not use iptables routing as some configurations have it, is there a simple 'route' statement which would do it?


@netblue30 commented on GitHub (Mar 21, 2016):

In your setup you need to move the IP address configuration from eth0 to br0 and leave eth0 unconfigured. This is a bridged setup.

I would try a routed setup, where you don't need to change your eth0 configuration: https://firejail.wordpress.com/documentation-2/basic-usage/#routed


@voidzero commented on GitHub (Mar 21, 2016):

There is also the `--defaultgw` option.


@jebofponderworthy commented on GitHub (Mar 22, 2016):

Thank you both very much for writing! I created bridge br0 with subnet 10.111.111.1/24, and tried:

```
firejail --net=br0 --name=test --ip=10.111.111.10 --defaultgw=10.111.111.1 --dns=8.8.8.8 --dns=8.8.4.4 bash
```

and

```
firejail --net=br0 --name=test --ip=10.111.111.10 --defaultgw=192.168.1.16 --dns=8.8.8.8 --dns=8.8.4.4 bash
```

which both ran, but could not reach the Internet. (192.168.1.16 is the host's IP.) I also tried this:

```
firejail --net=br0 --name=test --ip=10.111.111.10 --defaultgw=192.168.1.1 --dns=8.8.8.8 --dns=8.8.4.4 bash
```

but it said "Error: default gateway 192.168.1.1 is not in the range of any network". Am I missing something simple?


@voidzero commented on GitHub (Mar 22, 2016):

First, check the IP address and router of the host:

```
ip addr show dev eth0 scope global
ip route show default dev eth0
```

(you need the line that starts with "default via")

Now. If my host has the IP address 192.168.0.2 and the default gateway is 192.168.0.1, start up a firejail instance as follows:

```
firejail --net=br0 --name=test --ip=192.168.0.3/24 --defaultgw=192.168.0.1 --dns=8.8.8.8 bash
```

HTH


@netblue30 commented on GitHub (Mar 22, 2016):

How is your networking configured? If you reset your computer and do a /sbin/ifconfig, what does it print?


@jebofponderworthy commented on GitHub (Mar 23, 2016):

My previous testing was on a different platform; here's my primary test rig:

```
bnr@box-at-home:~$ sudo /sbin/ifconfig
enp0s7: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.125  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::224:21ff:fe9e:962f  prefixlen 64  scopeid 0x20<link>
        ether 00:24:21:9e:96:2f  txqueuelen 1000  (Ethernet)
        RX packets 549255  bytes 34082075 (32.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17911  bytes 5171701 (4.9 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 52  bytes 3120 (3.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 52  bytes 3120 (3.0 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

bnr@box-at-home:~$ sudo route -N
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    100    0        0 enp0s7
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 enp0s7
192.168.2.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s7
bnr@box-at-home:~$
```

The last testing I did, was this:

```
sudo brctl addbr br0
sudo ifconfig br0 192.168.2.250/24
firejail --name=SRO --noprofile --net=br0 --ip=192.168.2.252 --defaultgw=192.168.2.1 bash
```

and the above sandbox was not able to ping or otherwise reach 8.8.8.8.


@netblue30 commented on GitHub (Mar 23, 2016):

You cannot use the same IP/network address on the bridge as you have on enp0s7.

https://firejail.wordpress.com/documentation-2/basic-usage/#routed

In your case it will be:

```
brctl addbr br0
ifconfig br0 10.10.20.1/24 up
echo "1" > /proc/sys/net/ipv4/ip_forward
```

Then, you need to set netfilter:

```
iptables -t nat -A POSTROUTING -o enp0s7 -s 10.10.20.0/24 -j MASQUERADE
```
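As an added example (not from this thread or the firejail project): a POSIX sh script that performs the routed setup from the last comment, but first refuses the two misconfigurations hit earlier in the thread, a bridge subnet that overlaps the NIC's subnet and a `--defaultgw` outside the bridge subnet. Assumed names: NIC enp0s7, bridge br0, bridge address 10.10.20.1/24; iproute2 commands stand in for brctl/ifconfig.

```sh
#!/bin/sh
# Added example, not from the thread: build the routed bridge netblue30
# describes, but first refuse the two misconfigurations reported above
# (bridge subnet overlapping the NIC's subnet; --defaultgw outside the
# bridge subnet). Assumed names: NIC enp0s7, bridge br0, 10.10.20.1/24.
# iproute2 commands are used in place of brctl/ifconfig. Needs root unless
# DRY_RUN=1 is set, in which case the commands are only printed.

ip2int() {                     # dotted IPv4 -> integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {                     # integer -> dotted IPv4
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
net_of() {                     # a.b.c.d/N -> integer network number
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    echo $(( $(ip2int "${1%/*}") & mask ))
}
cidrs_overlap() {              # true when one CIDR contains the other
    p=${1#*/}; [ "${2#*/}" -lt "$p" ] && p=${2#*/}
    [ "$(net_of "${1%/*}/$p")" -eq "$(net_of "${2%/*}/$p")" ]
}
addr_in_cidr() {               # true when address $1 lies inside CIDR $2
    [ "$(net_of "$1/${2#*/}")" -eq "$(net_of "$2")" ]
}

# setup_routed_bridge NIC BRIDGE BRIDGE_CIDR NIC_CIDR SANDBOX_DEFAULTGW
setup_routed_bridge() {
    nic=$1 br=$2 br_cidr=$3 nic_cidr=$4 gw=$5
    if cidrs_overlap "$br_cidr" "$nic_cidr"; then
        echo "refusing: $br_cidr overlaps the $nic subnet $nic_cidr" >&2; return 1
    fi
    if ! addr_in_cidr "$gw" "$br_cidr"; then
        echo "refusing: gateway $gw is not inside $br_cidr" >&2; return 1
    fi
    net="$(int2ip "$(net_of "$br_cidr")")/${br_cidr#*/}"   # e.g. 10.10.20.0/24
    run=${DRY_RUN:+echo}
    $run ip link add "$br" type bridge
    $run ip addr add "$br_cidr" dev "$br"
    $run ip link set "$br" up
    $run sysctl -w net.ipv4.ip_forward=1
    # NAT only the bridge subnet out of the NIC, as in the last comment.
    $run iptables -t nat -A POSTROUTING -o "$nic" -s "$net" -j MASQUERADE
}
```

Sandboxes then start with `--net=br0 --ip=10.10.20.<n> --defaultgw=10.10.20.1`, the bridge address being the gateway.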
Reference: github-starred/firejail#265