From owner-freebsd-net@freebsd.org Tue Dec 1 09:02:34 2015
From: Julian Elischer <julian@freebsd.org>
To: Ben Woods, Nathan Aherne
Cc: freebsd-net@freebsd.org
Subject: Re: vimage and jail networking
Date: Tue, 1 Dec 2015 17:02:20 +0800
Message-ID: <565D621C.50402@freebsd.org>
References: <8538858C-BE02-489A-BC1B-2315AC18AD3F@vuid.com> <565D17D2.1090007@freebsd.org> <5101F264-B28E-42D0-8C21-623D6C01DFB6@vuid.com>
List-Id: Networking and TCP/IP with FreeBSD

On 1/12/2015 3:49 PM, Ben Woods wrote:
> On 1 December 2015 at 06:48, Nathan Aherne wrote:

Interestingly this is the first time I see this email.
I think something blocked the original for me.

>> Thank you for helping me to understand vimage better Julian! I have read
>> all three links you posted a number of times.

I think the example in /usr/share/examples/netgraph actually does all that
you want for you.. just edit and run.

>> I use iocage for jail management and it uses epair. From your comments it
>> seems you recommend netgraph?

No, I recommend you use whatever works for you.. :-)

epair allows you to connect jails together with point to point links. It is
then just a routing problem. If you want a bridged solution I think you can
combine epair with if_bridge, but haven't tried that myself.

You can achieve the exact same with netgraph. netgraph will give you more
flexibility but is more 'complex' to drive. On the other hand it's designed
to be embedded in scripts, so you don't usually have to confront the
complexity each time you use it.

>> This is the link to the iocage image instructions -
>> https://iocage.readthedocs.org/en/latest/networking.html#configuring-a-vnet-jail
>>
>> It seems that iocage does a number of things automatically, or at least I
>> am still confused on how to use iocage and vimage to have multiple jails
>> share a single public (external) IP. I will continue to read the links you
>> sent me in the hopes that the ahah moment comes to me.
>>
>> Regards,
>>
>> Nathan
>
> The public IP will be configured on whichever device you have connected to
> the internet. Normally that is a physically separate edge firewall/router.
> It has the public IP and performs NAT for any devices on the LAN that talk
> to the internet. This configuration has nothing to do with your jails - it
> is required for any computers on your LAN which talk to the internet.
>
> The jails are then each configured with a LAN address (10.0.0.0/8 range if
> you like). When they need to talk to the internet, they will go via their
> default route, which is normally your edge firewall/router, and is often
> given a 10.0.0.1 address (but could be anything you like). The router will
> perform the NAT, and if you want the jails to host services listening for
> internet traffic, you will also need to configure port forwarding on the
> router to send traffic on the relevant ports to your jails on their LAN IP
> address.
>
> Note that if your router happens to be the host running the jails, this
> doesn't change any of the above.

Yes, usually I would have NAT on the outgoing interface of whichever jail is
my 'final router', and all the jails connected together by some bridge
construction that has one leg on a second interface in the router jail
(maybe the base jail but not necessarily).

> Regards,
> Ben
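An added example, not from anyone in this thread, of the layout Ben describes with the host acting as the router: each vnet jail is attached to a host bridge with an epair, and pf on the host's external interface does the NAT and one port forward. Interface names (em0, bridge0), the 10.0.0.0/24 LAN with 10.0.0.1 on bridge0, and the jail name "web" are placeholders; DRY_RUN=1 (the default) prints the commands instead of running them so they can be reviewed on any POSIX sh.

```shell
#!/bin/sh
# Added example (not from the thread). The host is the router: bridge0 carries
# the jail LAN and already holds 10.0.0.1/24, the jail "web" already exists
# with vnet enabled (e.g. created by iocage), and net.inet.ip.forwarding=1
# plus pf are enabled on the host. All names/addresses are placeholders.
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# attach_jail NAME ADDR/PREFIX GATEWAY BRIDGE
# Create an epair, leave the 'a' end on the host bridge, move the 'b' end into
# the jail's vnet and give the jail its LAN address and default route.
attach_jail() {
    name=$1 addr=$2 gw=$3 bridge=$4
    if [ "$DRY_RUN" = 1 ]; then
        a_end=epair0a                    # ifconfig would print the real name
    else
        a_end=$(ifconfig epair create)
    fi
    b_end=${a_end%a}b                    # epair0a -> epair0b
    run ifconfig "$bridge" addm "$a_end" up
    run ifconfig "$a_end" up
    run ifconfig "$b_end" vnet "$name"
    run jexec "$name" ifconfig "$b_end" inet "$addr" up
    run jexec "$name" route add default "$gw"
}

# pf_rules EXT_IF LAN_NET JAIL_ADDR TCP_PORT
# Emit pf.conf lines: NAT the jail LAN out of EXT_IF, forward one TCP port in
# to the jail, and pass that traffic (pf filters on the translated address).
pf_rules() {
    printf 'nat on %s from %s to any -> (%s)\n' "$1" "$2" "$1"
    printf 'rdr on %s proto tcp from any to (%s) port %s -> %s port %s\n' \
        "$1" "$1" "$4" "$3" "$4"
    printf 'pass in on %s proto tcp from any to %s port %s\n' "$1" "$3" "$4"
}

# Dry-run plumbing for jail "web", then the pf rules that go with it
# (load them for real with: pf_rules em0 10.0.0.0/24 10.0.0.10 80 | pfctl -f -).
attach_jail web 10.0.0.10/24 10.0.0.1 bridge0
pf_rules em0 10.0.0.0/24 10.0.0.10 80
```

Each jail gets its own epair and its own attach_jail call; the nat rule is shared and only the rdr/pass pair is per forwarded service.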