Home Bastille + Warden Reduced AI Bootstrap

Warden Network Troubleshooting

Concrete failure signatures and validation order for warden0, VNET jails, host forwarding, default routes, and pf on FreeBSD.

Goal

Keep network debugging deterministic. The point is to identify whether the failure belongs to host bridge state, forwarding, jail routing, or pf, instead of guessing.

Canonical Model

host bridge: warden0
subnet: 10.0.0.0/24
host gateway: 10.0.0.1
control-plane jail ID: controlplane
control-plane IP: 10.0.0.100
public uplink: vtnet0

Observed Failure Signatures

Symptom	Meaning
`ifconfig: interface warden0 does not exist`	Host bridge is not present. Bastille cannot start the VNET jail.
`jexec: jail "controlplane" not found`	Jail was never created, is not started, or Bastille start failed earlier.
`route: route has not been found` for default	Jail has no default route. Outbound traffic will fail even if the VNET interface is up.
`fetch: ... Transient resolver failure`	Usually DNS is unreachable because routing or NAT is still broken.
`pfctl: Table does not exist.`	Host `pf` config is incomplete for Warden. Bastille cleanup hit missing firewall state.
`block drop all` with no `warden0` rules	Host firewall is blocking jail traffic before NAT or routing can succeed.

Validation Order

Host bridge exists and has the gateway IP.
Jail starts and has the expected VNET address.
Host forwarding is enabled.
Jail has a default route to 10.0.0.1.
Jail can reach the host gateway.
Host pf allows and NATs the Warden subnet.
Only then test DNS and external APIs.

Canonical Checks

ifconfig warden0
sysctl net.inet.ip.forwarding
jls
sudo jexec controlplane /bin/sh -c 'hostname && ifconfig && netstat -rn'
sudo jexec controlplane /bin/sh -c 'ping -c 2 10.0.0.1'
ping -c 2 10.0.0.100
sudo pfctl -s info
sudo pfctl -sr

Persistent Host State

cloned_interfaces+="bridge0"
ifconfig_bridge0_name="warden0"
ifconfig_warden0="inet 10.0.0.1/24 up"
gateway_enable="YES"

These belong to host administration, not to jail-specific playbooks.

What We Learned

controlplane must be the Bastille jail ID because VNET jail names reject - and _.
The host bridge must persist across reboot or Bastille VNET startup fails immediately.
Forwarding must be on before jailed egress can work.
pf with block drop all needs explicit Warden rules or the jail will not reach the gateway or internet reliably.
A missing default route inside the jail is a separate problem from host NAT.

One-Shot Host Preparation

Use this when db or controlplane starts cleanly but cannot fetch packages or reach APIs.

sudo mkdir -p /usr/local/etc/bastille
sudo tee /usr/local/etc/bastille/resolv.conf >/dev/null <<'EOF'
nameserver 1.1.1.1
nameserver 9.9.9.9
EOF

# set in /usr/local/etc/bastille/bastille.conf
# bastille_resolv_conf="/usr/local/etc/bastille/resolv.conf"

# add to /etc/pf.conf
ext_if = "vtnet0"
warden_net = "10.0.0.0/24"

nat on $ext_if from $warden_net to any -> ($ext_if)
pass quick on warden0 inet from $warden_net to any keep state

sudo pfctl -nf /etc/pf.conf
sudo service pf reload
sudo bastille restart db
sudo jexec db /bin/sh -c 'fetch -qo- https://api.telegram.org >/dev/null && echo TELEGRAM_OK'