From owner-freebsd-net@FreeBSD.ORG Tue Aug 28 22:10:33 2007
Message-ID: <46D4983E.2050305@sailorfej.net>
Date: Tue, 28 Aug 2007 14:48:46 -0700
From: Jeffrey Williams
To: freebsd-jail@freebsd.org, freebsd-net@freebsd.org
Subject: Running jails on multiple subnets with multiple interfaces
List-Id: Networking and TCP/IP with FreeBSD

I have a server with two interfaces. I want to run the host and a couple of jails using one interface on one subnet (internal interface, private IP, behind NAT/firewall), and some other jails using the other interface on another subnet (external interface, public IP, DMZ).
Now my understanding of the challenge in doing this is that the network stack is not "virtualized" in the jails, so all the jails use the same routing table and, for obvious reasons, only one default router. (Also, just for the sake of clarity, I don't want to enable routing between interfaces on the jail host.)

Now if I understand all this correctly, then what will happen is: if I set the default router to the internal network's exit router (the NAT/firewall), then the jails listening on the external interface will only be able to talk to their local subnet, and because the internal subnet won't exist for them, they won't be able to connect to the network at large.

If I set the default router to the external network's exit router (the DMZ perimeter firewall), then the host and the jails listening on the internal network won't be able to talk to the internet beyond the local nets: the jails because the external network doesn't exist for them, and the host because, even though it can talk to both nets, the services are configured to only listen on the internal net, and it will be trying to send all outgoing traffic to the public net, thus not creating any NAT table entries on the NAT/firewall for the return connections.

Is there any way to achieve what I am trying to do?

Thanks,
Jeffrey Williams
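The reasoning in the post (one shared routing table, one default route, two subnets) can be modelled directly. The following is an added example, not code from the poster or from FreeBSD; the subnets, gateways and jail addresses are constructed for illustration, and the model deliberately ignores source address when selecting a route, which is exactly the shared-table behaviour the post describes.

```python
import ipaddress

# Constructed addressing for the scenario in the post (assumed, not from the
# original): the internal LAN 10.0.0.0/24 exits through the NAT router
# 10.0.0.1, the DMZ 203.0.113.0/24 through the perimeter firewall 203.0.113.1.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("203.0.113.0/24")
NAT_ROUTER = ipaddress.ip_address("10.0.0.1")
DMZ_ROUTER = ipaddress.ip_address("203.0.113.1")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Each jail (and the host's listening services) is bound to one address.
NODES = {
    "host": "10.0.0.10", "jail-int1": "10.0.0.11", "jail-int2": "10.0.0.12",
    "jail-dmz1": "203.0.113.11", "jail-dmz2": "203.0.113.12",
}


def routing_table(default_gw):
    """One kernel routing table shared by host and jails: two connected
    routes (gateway None) and a single default route."""
    return [(INTERNAL, None), (DMZ, None), (ANY, default_gw)]


def lookup(table, dst):
    """Longest-prefix match as the kernel does it: the most specific route
    whose prefix contains dst wins, independent of the source address."""
    dst = ipaddress.ip_address(dst)
    candidates = [route for route in table if dst in route[0]]
    return max(candidates, key=lambda route: route[0].prefixlen)


def verdicts(default_gw, dst="198.51.100.7"):
    """Classify, per node, an outbound flow to the Internet host dst."""
    table = routing_table(default_gw)
    out = {}
    for name, addr in NODES.items():
        src = ipaddress.ip_address(addr)
        _net, gw = lookup(table, dst)
        if gw is None:
            out[name] = "ok (on-link)"
        elif (gw in INTERNAL) == (src in INTERNAL):
            out[name] = "ok"  # gateway is the exit router of src's own subnet
        else:
            # src sits on one interface, the only default gateway on the other:
            # the packet leaves with a source the far side cannot answer
            # (a private address via the DMZ, or a public one via the NAT box).
            out[name] = "broken: default gateway is on the other subnet"
    return out


def broken_nodes(default_gw):
    return sorted(n for n, v in verdicts(default_gw).items() if v.startswith("broken"))
```

Running `broken_nodes(NAT_ROUTER)` and `broken_nodes(DMZ_ROUTER)` reproduces the two outcomes the post predicts: whichever exit router is the default, every node on the other subnet loses Internet reachability.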