From: Josh Paetzel
To: freebsd-questions@freebsd.org
Cc: Félix Langelier, "Philip M. Gollucci"
Date: Wed, 28 Nov 2007 15:01:28 -0600
Subject: Re: Network Configuration with Jails.
Message-Id: <200711281501.32594.josh@tcbug.org>
In-Reply-To: <474D7759.2070200@riderway.com>

On Wednesday 28 November 2007 08:12:41 am Philip M. Gollucci wrote:
> Félix Langelier wrote:
> > Hello,
> >
> > I run a FreeBSD Jailer and I want to have multiple jails in 2 separate
> > networks. The server has 2 network interfaces and each of them is
> > connected to a different network. Say vlan1 and vlan2.
> >
> > My problem is that all the network traffic is going through the first
> > interface (vlan1). What I need is that a jail in vlan1 can't communicate
> > with a jail in vlan2 (and vice-versa).
> >
> > Is it possible to split the network traffic to the right interfaces and
> > use a different default gateway for each of them?
> >
> > Here is my /etc/rc.d configuration.
> >
> > defaultrouter="192.168.1.1"
> >
> > static_routes="vlan1 vlan2"
> > route_vlan1="-net 192.168.1.0/24 192.168.1.1"
> > route_vlan2="-net 192.168.2.0/24 192.168.2.1"
> >
> > # vlan1 interface config.
> > ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.0"
> > ifconfig_bge0_alias0="inet 192.168.1.11 netmask 255.255.255.255"
> >
> > # vlan2 interface config.
> > ifconfig_bge1="inet 192.168.2.10 netmask 255.255.255.0"
> > ifconfig_bge1_alias0="inet 192.168.2.11 netmask 255.255.255.255"
> >
> > I tried to remove the default gateway but then the server was
> > unreachable. I am thinking of using pf to resolve my issue.
>
> Removing the default gateway will work, but you have to add back
> _similar_ routes, you can't just remove it.

PF is probably the way to go.  In particular using route-to to send traffic
originating from 192.168.2.0/24 to 192.168.2.1.

I'm not totally sure what your static routes even accomplish.  The kernel will
establish routes for directly connected networks automatically.

So probably some rules of interest....

    # keep jails from talking to each other
    block in on bge0 from 192.168.2.0/24 to 192.168.1.0/24
    block in on bge1 from 192.168.1.0/24 to 192.168.2.0/24

    # ignore the default route: anything from a vlan2 address that is not
    # headed for the local vlan2 network goes out bge1 via the vlan2 gateway
    pass out route-to (bge1 192.168.2.1) from 192.168.2.0/24 to ! 192.168.2.0/24 \
        keep state

    # redundant because of the default route
    # which actually does what we want
    pass out route-to (bge0 192.168.1.1) from 192.168.1.0/24 to ! 192.168.1.0/24 \
        keep state

-- 
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
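The rules above sketch the two pieces the question needs (isolate the jail networks, policy-route vlan2 traffic to its own gateway). The complete /etc/pf.conf below is an added example, not code from Josh, Félix or the FreeBSD project. It assumes Félix's addressing exactly as posted (bge0 on 192.168.1.0/24 with gateway 192.168.1.1, bge1 on 192.168.2.0/24 with gateway 192.168.2.1, jail aliases .11 on each, defaultrouter 192.168.1.1); the macro names are my own. It also closes two gaps a practitioner would hit with interface-only rules: two jails on the same host reach each other over lo0, because both addresses are local, so bge0/bge1 rules never see that traffic; and replies to connections that arrive on bge1 match the existing state rather than the ruleset, so they need reply-to on the pass in rule, not route-to on a pass out rule.

```pf
# /etc/pf.conf for a two-VLAN jail host.  Added example (not from the thread);
# interface, network and gateway values assume the rc.conf posted by Félix.

vlan1_if  = "bge0"
vlan2_if  = "bge1"
vlan1_net = "192.168.1.0/24"
vlan2_net = "192.168.2.0/24"
vlan1_gw  = "192.168.1.1"
vlan2_gw  = "192.168.2.1"

# Deliberately NO 'set skip on lo0' (the FreeBSD sample pf.conf has one).
# Traffic between two addresses that both live on this host, e.g. jail
# 192.168.1.11 to jail 192.168.2.11, is delivered over lo0, never over bge0
# or bge1, so lo0 must stay filtered for the isolation below to hold.

# 1. Isolate the two jail networks from each other on every interface:
#    lo0 for jails on this host, bge0/bge1 for anything a router forwarded
#    between the VLANs.  'quick' ends evaluation so no later pass rule wins.
block log quick from $vlan1_net to $vlan2_net
block log quick from $vlan2_net to $vlan1_net

# 2. Everything else that stays on the host (host to jail, jails of the
#    same network) is fine; the cross-network cases were already dropped.
pass quick on lo0

# 3. Default deny, then open only what is needed.
block log all

# 4. Outbound.  Connections initiated from vlan2 addresses would follow the
#    single default route out bge0; route-to hands them to the vlan2 gateway
#    on bge1 instead.  The packet is then re-evaluated out on bge1, where the
#    plain vlan2 pass rule accepts it.  vlan1 already uses the default route.
pass out on $vlan1_if route-to ($vlan2_if $vlan2_gw) \
    from $vlan2_net to ! $vlan2_net keep state
pass out on $vlan1_if from $vlan1_net keep state
pass out on $vlan2_if from $vlan2_net keep state

# 5. Inbound.  Narrow 'to $vlanN_net' to the ports the jails actually serve.
#    For vlan2, reply-to sends the reply packets of this state back through
#    the vlan2 gateway; without it they would take the default route out bge0.
pass in on $vlan1_if to $vlan1_net keep state
pass in on $vlan2_if reply-to ($vlan2_if $vlan2_gw) to $vlan2_net keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and then confirm the isolation from inside a vlan1 jail: a connection to the vlan2 jail address should produce a `block` entry on lo0 in `tcpdump -n -e -ttt -i pflog0`, while an outbound connection from the vlan2 jail should leave on bge1 (`tcpdump -ni bge1`) even though `netstat -rn` still shows the default route via 192.168.1.1.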