From owner-freebsd-net@FreeBSD.ORG Mon Mar 17 03:04:23 2014
From: Kevin Bowling
To: freebsd-net@freebsd.org
Cc: freebsd-virtualization@freebsd.org
Subject: VNET, if_bridge, if_epair, vlans and bridged phy?
Date: Sun, 16 Mar 2014 20:04:01 -0700
List-Id: Networking and TCP/IP with FreeBSD
X-Injected-Via-Gmane: http://gmane.org/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Thunderbird/28.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I'm trying a somewhat elaborate VNET jails setup and for the most part it's working.
I'm using if_epairs, one side that gets passed into the jail, and the other side that attaches to an if_bridge. The if_bridge has a member on a vlan interface. So far so good.

cloned_interfaces="bridge0 bridge1 bridge2 vlan0 vlan1"
ifconfig_ix0="inet netmask 255.255.255.240 up"
ifconfig_vlan0="vlan 1010 vlandev ix0"
ifconfig_vlan1="vlan 1011 vlandev ix0"
ifconfig_bridge1="inet 10.10.10.55/24 addm vlan0 description vlan0"
ifconfig_bridge2="inet 10.10.11.55/24 addm vlan1 description vlan1"

The above works fine, the VNET jails are able to access the outside world and vice versa (NAT happens on a dedicated router, not this host).

Now, if I instead do something like this to add the public IP to a bridge:

ifconfig_ix0="up"
ifconfig_vlan0="vlan 1010 vlandev ix0"
ifconfig_vlan1="vlan 1011 vlandev ix0"
ifconfig_bridge0="inet netmask 255.255.255.240 addm ix0 description ix0"
ifconfig_bridge1="inet 10.10.10.55/24 addm vlan0 description vlan0"
ifconfig_bridge2="inet 10.10.11.55/24 addm vlan1 description vlan1"

A VNET jail on bridge0 in the public IP space works fine, but bridge1 and bridge2 are no longer accessible from the outside, including the host interface like 10.10.10.55.

Any ideas on what could be going wrong? Is there a way to use an untagged interface like this in addition to the tagged ones?

Regards,
Kevin
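Added example, not from the original post and not FreeBSD code: a POSIX sh script that parses rc.conf-style ifconfig_* lines and flags any bridge member that is also the vlandev parent of a VLAN interface, which is the one structural difference between the working and the failing configuration above (ix0 joins bridge0 while vlan0 and vlan1 still hang off ix0). The public address in the sample is a constructed placeholder, since the post omits it.

```shell
#!/bin/sh
# Added example (not from the original post): find bridge members that
# are also vlandev parents in an rc.conf fragment.

# Constructed sample: the poster's second rc.conf fragment, with a
# documentation address (RFC 5737) standing in for the omitted public IP.
RC_CONF='ifconfig_ix0="up"
ifconfig_vlan0="vlan 1010 vlandev ix0"
ifconfig_vlan1="vlan 1011 vlandev ix0"
ifconfig_bridge0="inet 192.0.2.2 netmask 255.255.255.240 addm ix0 description ix0"
ifconfig_bridge1="inet 10.10.10.55/24 addm vlan0 description vlan0"
ifconfig_bridge2="inet 10.10.11.55/24 addm vlan1 description vlan1"'

# Emit "IFACE VALUE" for every occurrence of keyword $2 inside the quoted
# value of an ifconfig_IFACE="..." line in $1.
ifconfig_pairs() {
    printf '%s\n' "$1" | awk -F'"' -v key="$2" '
        /^ifconfig_[^=]+="/ {
            ifn = $1; sub(/^ifconfig_/, "", ifn); sub(/=$/, "", ifn)
            n = split($2, w, " ")
            for (i = 1; i < n; i++) if (w[i] == key) print ifn, w[i+1]
        }'
}

# "VLANIF PARENT" for each vlandev, "BRIDGE MEMBER" for each addm.
vlan_parents()   { ifconfig_pairs "$1" vlandev; }
bridge_members() { ifconfig_pairs "$1" addm; }

# "BRIDGE MEMBER VLANIF" for each bridge member that is also a VLAN parent,
# i.e. one physical port carrying both untagged (bridged) and tagged traffic.
shared_parents() {
    bridge_members "$1" | while read -r br mem; do
        vlan_parents "$1" | while read -r vl par; do
            if [ "$par" = "$mem" ]; then echo "$br $mem $vl"; fi
        done
    done
}

report=$(shared_parents "$RC_CONF")
if [ -n "$report" ]; then
    echo "bridge members that are also vlandev parents:"
    echo "$report"
else
    echo "no bridge member doubles as a vlandev parent"
fi
```

Run against the first (working) fragment it prints nothing, because ix0 is not a bridge member there; against the second it reports bridge0/ix0 for both vlan0 and vlan1.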