Subject: Re: VLANing between jails not segmenting traffic
From: Michael Gmelin <grembo@freebsd.org>
Date: Mon, 30 Oct 2017 22:46:35 +0100
To: Eugene Grosbein
Cc: Farhan Khan, freebsd-net@freebsd.org
Message-Id: <2A44422B-31A9-4ADC-8FCE-D1F8BC03623C@freebsd.org>
In-Reply-To: <59F79902.40408@grosbein.net>

> On 30. Oct 2017, at 22:26, Eugene Grosbein wrote:
>
> 31.10.2017 4:08, Farhan Khan writes:
>> Hi all,
>>
>> I am trying to experiment with setting up two jails on different VLANs, but have not been able to segment traffic.
>>
>> My configuration was to create vlan1 for jail1 and vlan2 for jail2.
>>
>> I did the following commands:
>> ifconfig vlan1 create vlan 1 vlandev em0
>> ifconfig vlan1 10.1.0.1/24
>> ifconfig vlan2 create vlan 2 vlandev em0
>> ifconfig vlan2 10.2.0.1/24
>>
>> Within each jail, I set the interface to be vlan1 and vlan2 and assigned them the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.
>>
>> I can still have connectivity between the two VLANs.
>>
>> Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route outbound at all. An `ifconfig` shows 0xffffff00 (/24), so my expected behavior would be to say "unable to route". It can even connect to the external interface's IP address. At a minimum it should not even know how to connect to the 10.2.0.0/24 network at all.
>>
>> I was advised that its connectivity is because jails use the base system's routing table. If so, how could one possibly separate network traffic? That's the entire purpose of VLANing.
>>
>> I have been advised to use pf to prevent that, but shouldn't VLANing provide that separation mechanism? I do not know what I might be doing wrong here.
>
> It seems you are looking for isolated network stacks for jails, each having a distinct route table etc.
> You need options VIMAGE for your kernel and to create jails with the vnet option (man jail)
> to obtain this feature.

You can use fibs with net.add_addr_allfibs=0 to get separate routing tables (comes with its own set of complications though).

-m
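Eugene's vnet suggestion written out as a jail.conf fragment, added here as an illustration and not part of the thread. It assumes a kernel built with options VIMAGE, jail roots under /jails/, hostnames of my choosing, and that each jail's own /etc/rc.conf assigns the 10.x.0.2/24 address to the interface handed to it.

```conf
# /etc/jail.conf: one vnet jail per VLAN (added example, not from the thread).
# With vnet each jail runs its own network stack and routing table, so jail1
# holds no route to 10.2.0.0/24 unless one is deliberately added. Requires a
# kernel built with options VIMAGE. Paths and hostnames are assumptions.

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

# Inside each jail, /etc/rc.conf is assumed to contain e.g.
#   ifconfig_vlan1="inet 10.1.0.2/24"
# so the address lives in the jail's stack, not the host's.

jail1 {
    path = "/jails/jail1";
    host.hostname = "jail1.example.internal";
    vnet;
    # Create the VLAN on the host before the jail starts; vnet.interface
    # moves it into the jail's stack at start and returns it at stop.
    exec.prestart = "ifconfig vlan1 create vlan 1 vlandev em0";
    vnet.interface = "vlan1";
    exec.poststop = "ifconfig vlan1 destroy";
}

jail2 {
    path = "/jails/jail2";
    host.hostname = "jail2.example.internal";
    vnet;
    exec.prestart = "ifconfig vlan2 create vlan 2 vlandev em0";
    vnet.interface = "vlan2";
    exec.poststop = "ifconfig vlan2 destroy";
}
```

Whether the 802.1Q tags keep the two networks apart beyond the host still depends on the switch em0 is attached to; vnet only separates the stacks on this machine.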