From owner-freebsd-questions@freebsd.org Sat Aug 15 17:19:14 2020
Subject: Re: can a domain name config point to a vlan tag at the host
From: Arthur Chance
To: Ernie Luzar
Cc: freebsd-questions@freebsd.org
Date: Sat, 15 Aug 2020 18:19:10 +0100
Message-ID: <66b05a60-69f0-5634-1f1a-3f1f7d5a53d9@qeng-ho.org>
In-Reply-To: <5F37F4BD.5030301@gmail.com>
References: <5F37E329.3000903@gmail.com> <9a027a2c-3575-25ac-6ccc-0f186a3d6820@qeng-ho.org> <5F37F4BD.5030301@gmail.com>
On 15/08/2020 15:44, Ernie Luzar wrote:
> Arthur Chance wrote:
>> On 15/08/2020 14:29, Ernie Luzar wrote:
>>> I set up vlan for the host interface cabled to the public internet.
>>> How do I drive internet traffic to the desired vlan name on the host
>>> using a registered domain name?
>>>
>>> My rc.conf has this
>>>
>>> ifconfig_re0="DHCP"
>>> gateway_enable="YES"
>>>
>>> vlans_re0="1 2 3"
>>>
>>> # vlan_1  is for the host
>>> # vlan_2  is for vnet jailA
>>> # vlan_3  is for vnet jailB
>>>
>>> Final goal is to drive traffic from the public internet using a fqdn to
>>> the vnet jailA.
>>
>> I strongly suggest you read up more about networking because it's
>> obvious you don't really understand it. All network traffic goes to *IP
>> addresses* not domains. DNS says what addresses to use for a specific
>> domain, but *all* connection attempts, whatever the protocol, are to a
>> specific numeric IP address. Yes, protocols like HTTP then accept a host
>> specification for further "routing" but that happens *after* the initial
>> connection is made.
>>
>> If you want to run N jails with N different domains, all with their own
>> traffic to arbitrary ports, you are going to need at least N different
>> IP addresses.
>>
>
> I agree with you that I am not a network guru, but I do have a general
> big picture understanding.

I'm really not sure you do, because many of the questions you're asking
are simply not meaningful. Especially when you talk about vlans.

> Problem with the network manuals I have read
> is they do not give real world examples showing how to implement the
> concepts talked about. They contain NO cross over reference to vnet
> jails. Also all the public literature on vnet jails never talks about how
> to drive public traffic to a vnet jail or that vnet jails are limited to
> requiring a virgin public ipv4 address for the vnet jail's sole use.
> After all the reading and trial and error attempts I come here to ask
> questions to get the answers only someone with vnet experience can
> answer. Hoping that is you.

vnet jails are simply a particular FreeBSD virtualisation technology,
they are not magic. vnet jails are a virtual equivalent of having
multiple physical computers. Think of them as separate machines and you
might be less confused.

> As I understand it vnet jails have to have their own host interface
> device with a public ip address that is not already in use by the host.

No. They can have their own IP addresses, but you cannot use *public* IP
addresses without them being assigned to you. (Well you can, you can
even use google.com addresses if you want but nobody will route to them
so they will be useless.) Unless you have been assigned public addresses
you have to use RFC 1918 private addresses which are not visible to the
outside world. (On IPv4 of course. IPv6 has its own way of doing things.)

> This translates to a business type of ISP account to get 3 static ipv4
> public addresses. This is a very expensive setup just to do some concept
> testing to be able to write a business proposal for in house IT management.

Personally I've got a /29 assignment for no extra charge on a home
account, but I'm in the UK. If you're doing a purely in house proof of
concept just pretend one of the RFC 1918 address ranges is "public" for
the purpose of testing.

> Now last month a guy posted on the questions list that he was using vlan
> tags to separate his single dynamic public ip address into 4 vlan tags.
> One for the host and 3 for vnet jails. He states he can ping the public
> internet from inside of the vnet jails using this concept.

That is meaningless AFAIUI. IP addresses are at level 3 of the network
stack, vlans are at level 2, so they don't mix. (Dan Kaminsky can
probably do something weird with them, you do not want to go there for
business purposes. Or sanity.)

Also, being able to ping out simply requires NAT. Being able to receive
incoming connections requires public IP addresses. I can imagine he
might be using vlans to mix external and internal networks onto the same
physical wire with the help of a managed switch, I've seen people use
Raspberry Pis as router/firewalls that way, but all internal vlans would
be using RFC 1918 addresses.

> But the part missing is how to drive public traffic to the vlan tagged
> vnet jail. So I ask the question to you again. Is there a way to
> configure a domain name setup to not only point to the host's public ip
> address but also to its layer 2 vlan tag? The srv record looked like a
> good candidate but could not find any mention of vlan tags.

Because vlans are level 2, not level 3. They are not visible at the
TCP/IP level.

> Or could it be the "A" record ip address field with something like this
> x.x.x.x_2   Where in the host vlan_2 is a vnet jail.

No. A records contain 32 bit IPv4 addresses, end of story.

It's evening here in the UK. I'll be offline until tomorrow afternoon,
so don't expect further responses until at least after breakfast Eastern
time.

-- 
The number of people predicting the demise of Moore's Law doubles every
18 months.
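An added illustration of the layering point made in this reply (example code, not part of the thread): the 802.1Q VLAN ID lives only in the Ethernet header, the IPv4 header that follows it carries no copy of it, and a DNS A record's RDATA is exactly four bytes, so there is nowhere to put a tag. Frame contents, MAC addresses and the 192.168.x.x addresses are constructed sample data, and the function names are my own.

```python
import struct
import ipaddress

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
# RFC 1918 private ranges: usable in house, never routed from the public Internet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_tagged_frame(dst_mac, src_mac, vlan_id, ip_src, ip_dst):
    """Constructed sample: 802.1Q-tagged Ethernet frame wrapping a bare IPv4 header."""
    tci = vlan_id & 0x0FFF                      # PCP=0, DEI=0, 12-bit VLAN ID
    eth = dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4)
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, len, id, flags/frag, TTL, proto=ICMP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(ip_src).packed, ipaddress.IPv4Address(ip_dst).packed)
    return eth + ip


def parse_tagged_frame(frame):
    """Return (vlan_id, src_ip, dst_ip). The VLAN ID is read from the layer 2 tag;
    the IPv4 header that follows carries no trace of it."""
    ethertype, tci, inner = struct.unpack("!HHH", frame[12:18])
    if ethertype != ETHERTYPE_8021Q:
        raise ValueError("not an 802.1Q tagged frame")
    if inner != ETHERTYPE_IPV4:
        raise ValueError("inner payload is not IPv4")
    ip_hdr = frame[18:38]
    return (tci & 0x0FFF,
            str(ipaddress.IPv4Address(ip_hdr[12:16])),
            str(ipaddress.IPv4Address(ip_hdr[16:20])))


def parse_a_rdata(rdata):
    """DNS A record RDATA is exactly four bytes (RFC 1035): one IPv4 address, nothing else."""
    if len(rdata) != 4:
        raise ValueError("A RDATA must be 4 bytes, got %d" % len(rdata))
    return str(ipaddress.IPv4Address(rdata))


def is_rfc1918(addr):
    """True for private space that the public Internet will not route to."""
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918)


if __name__ == "__main__":
    frame = build_tagged_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 2, "192.168.2.10", "192.168.1.1")
    print(parse_tagged_frame(frame))           # (2, '192.168.2.10', '192.168.1.1')
    print(parse_a_rdata(b"\xc0\xa8\x02\x0a"))  # 192.168.2.10
    print(is_rfc1918("192.168.2.10"))          # True
```

Feeding a five-byte value such as the "x.x.x.x_2" idea to parse_a_rdata raises ValueError, which is the wire-format reason an A record cannot name a VLAN.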