From: Julian Elischer <julian@freebsd.org>
To: Eugene Grosbein, Farhan Khan, freebsd-net@freebsd.org
Subject: Re: VLANing between jails not segmenting traffic
Date: Tue, 2 Jan 2018 13:51:18 +0800
Message-ID: <9cdad78c-5663-ab66-37ed-025251780440@freebsd.org>
In-Reply-To: <59F79902.40408@grosbein.net>
References: <4d50ef1e-1cc2-aca2-d390-313ef824d524@gmail.com> <59F79902.40408@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On 31/10/17 5:26 am, Eugene Grosbein wrote:
> 31.10.2017 4:08, Farhan Khan writes:
>> Hi all,
>>
>> I am trying to experiment with setting up two jails on different VLANs, but have not been able to segment traffic.
>>
>> My configuration was to create vlan1 for jail1 and vlan2 for jail2.
>>
>> I did the following commands:
>> ifconfig vlan1 create vlan 1 vlandev em0
>> ifconfig vlan1 10.1.0.1/24
>> ifconfig vlan2 create vlan 2 vlandev em0
>> ifconfig vlan2 10.2.0.1/24
>>
>> Within each jail, I set the interface to be vlan1 and vlan2 and assigned them the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.
>>
>> I can still have connectivity between the two VLANs.
>>
>> Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route outbound at all. An `ifconfig` shows 0xffffff00 (/24), so my expected behavior would be to say "unable to route". It can even connect to the external interface's IP address. At a minimum it should not even know how to connect to the 10.2.0.0/24 network at all.
>>
>> I was advised that its connectivity is because jails use the base system's routing table. If so, how could one possibly separate network traffic? That's the entire purpose of VLANing.
>>
>> I have been advised to use pf to prevent that, but shouldn't VLANing provide that separation mechanism? I do not know what I might be doing wrong here.
> It seems you are looking for isolated network stacks for jails, each having a distinct route table etc.
> You need options VIMAGE for your kernel and create jails with the vnet option (man jail)
> to obtain this feature.

So, a couple of months later, did you try out VIMAGE?
It's designed to give you EXACTLY what you are looking for.
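Eugene's and Julian's answer in concrete form, as an added example that is not part of the original thread and not FreeBSD project code: a jail.conf(5) that gives each jail its own network stack (vnet) and moves its VLAN interface into that stack, so the jail has its own routing table and the host's table no longer forwards between the two VLANs. It assumes a VIMAGE kernel (check with `sysctl kern.features.vimage`, which only exists on such a kernel; GENERIC has VIMAGE from 12.0 on, earlier releases need the custom kernel Eugene mentions), em0 as the 802.1Q trunk as in Farhan's commands, and jail roots under /jails/<name>, which is an assumed path.

```conf
# /etc/jail.conf  (added example, not from the original thread)
# Assumes: a VIMAGE kernel, em0 is the trunk carrying VLAN 1 and 2,
#          jail root directories under /jails/<name> (assumed path).

# Defaults applied to every jail defined below.
exec.clean;
mount.devfs;
persist;                        # keep the jail alive with no processes in it (demo only)
path = "/jails/${name}";
host.hostname = "${name}";
vnet;                           # own network stack: own interfaces, own routing table

# On the host, before the jail is created: build the VLAN interface on the trunk.
# It gets no address on the host; the whole interface is handed to the jail,
# which is what makes 10.1.0.0/24 and 10.2.0.0/24 live in different stacks.
exec.prestart  = "/sbin/ifconfig vlan${vlan} create vlan ${vlan} vlandev em0";

# Move that interface into the jail's vnet when the jail is created.
vnet.interface = "vlan${vlan}";

# Inside the jail: address the interface. No default route is added on purpose;
# the jail's table then knows only its own /24.
exec.start     = "/sbin/ifconfig vlan${vlan} inet 10.${vlan}.0.2/24";

# When the jail is destroyed the interface returns to the host; remove it there.
exec.poststop  = "/sbin/ifconfig vlan${vlan} destroy";

jail1 { $vlan = 1; }
jail2 { $vlan = 2; }
```

Start both with `jail -c jail1 jail2`, then look at the table the jail actually uses: `jexec jail1 netstat -rn` lists the connected 10.1.0.0/24 entry and nothing for 10.2.0.0/24 and no default, so `jexec jail1 ping -c 1 10.2.0.2` fails with "No route to host". While jail1 runs, `ifconfig vlan1` on the host reports that the interface does not exist, which is the intended state: whether the two VLANs can reach each other is now decided by whatever routes between them upstream of em0, not by the host. Do not combine `vnet` with `ip4.addr` (that parameter is for shared-stack jails), and if the host itself must sit on one of these VLANs, give it a separate interface rather than an address on the one the jail owns; a single shared routing table is exactly what caused the cross-VLAN reachability in the original setup.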