From: Félix Langelier <felix.langelier@notarius.com>
To: freebsd-questions@freebsd.org
Cc: Josh Paetzel, "Philip M. Gollucci"
Date: Thu, 29 Nov 2007 15:33:26 -0500
Subject: RE: Network Configuration with Jails. [Resolved]

> > Hello,
> >
> > I run a FreeBSD Jailer and I want to have multiple jails in 2
> > separate networks. The server has 2 network interfaces and each of
> > them is connected to a different network. Say vlan1 and vlan2.
> >
> > My problem is that all the network traffic is going through the
> > first interface (vlan1). What I need is that a jail in vlan1 can't
> > communicate with a jail in vlan2 (and vice-versa).
> >
> > Is it possible to split the network traffic in the right interfaces
> > and use a different default gateway for each of them?
> >
> > Here is my /etc/rc.d configuration.
> >
> > defaultrouter="192.168.1.1"
> >
> > static_routes="vlan1 vlan2"
> > route_vlan1="-net 192.168.1.0/24 192.168.1.1"
> > route_vlan2="-net 192.168.2.0/24 192.168.2.1"
> >
> > # vlan1 interface config.
> > ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.0"
> > ifconfig_bge0_alias0="192.168.1.11 netmask 255.255.255.255"
> >
> > # vlan2 interface config.
> > ifconfig_bge1="inet 192.168.2.10 netmask 255.255.255.0"
> > ifconfig_bge1_alias0="inet 192.168.2.11 netmask 255.255.255.255"
> >
> > I tried to remove the default gateway but then the server was
> > unreachable. I am thinking of using pf to resolve my issue.
>
> PF is probably the way to go. In particular using route-to to send
> traffic originating from 192.168.2.0/24 to 192.168.2.1
>
> I'm not totally sure what your static routes even accomplish. The
> kernel will establish routes for directly connected networks
> automatically.
>
> So probably some rules of interest....
>
> # keep jails from talking to each other
> block in on bge0 from 192.168.2.0/24 to 192.168.1.0/24
> block in on bge1 from 192.168.1.0/24 to 192.168.2.0/24
>
> # ignore the default route
> pass out route-to (bge1 192.168.2.1) from 192.168.2.0/24 to ! 192.168.2.0/24 \
>     keep state
>
> # redundant because of the default route
> # which actually does what we want
> pass out route-to (bge0 192.168.1.1) from 192.168.1.0/24 to ! 192.168.1.0/24 \
>     keep state

It's working perfectly. Thanks Josh!

--
Felix Langelier
Unix Sysadmin
felix.langelier@notarius.com
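For reference, the rules from this thread assembled into a complete /etc/pf.conf with macros. This is an added example, not the file deployed by anyone in the thread; it assumes the interface names, networks and gateways from the question above. It also goes one step further than the thread: two addresses configured on the same host reach each other over lo0, never over bge0 or bge1, so a pair of lo0 rules is needed if the vlan1 and vlan2 jails on this box are to be kept apart.

```pf
# /etc/pf.conf - added example built from the rules in this thread;
# interfaces, networks and gateways are the ones from the question.
vlan1_if  = "bge0"
vlan2_if  = "bge1"
vlan1_net = "192.168.1.0/24"
vlan2_net = "192.168.2.0/24"
vlan1_gw  = "192.168.1.1"
vlan2_gw  = "192.168.2.1"

# Keep jails in the two networks from talking to each other.
# First, traffic that arrives on the wrong NIC from the other network ...
block in quick on $vlan1_if from $vlan2_net to $vlan1_net
block in quick on $vlan2_if from $vlan1_net to $vlan2_net
# ... then traffic between jails hosted on this machine. Such packets are
# delivered over lo0, not the NICs, so lo0 is deliberately not skipped.
# (This also covers the host's own 192.168.1.10 <-> 192.168.2.10 traffic.)
block quick on lo0 from $vlan1_net to $vlan2_net
block quick on lo0 from $vlan2_net to $vlan1_net

# Policy routing: traffic from a vlan2 jail leaves through bge1 and the
# vlan2 gateway instead of following defaultrouter (192.168.1.1 on bge0).
pass out route-to ($vlan2_if $vlan2_gw) from $vlan2_net to ! $vlan2_net \
    keep state

# vlan1 traffic already follows the default route; this rule only makes
# the intent explicit so it survives a later change of defaultrouter.
pass out route-to ($vlan1_if $vlan1_gw) from $vlan1_net to ! $vlan1_net \
    keep state
```

Enable it with pf_enable="YES" and pf_rules="/etc/pf.conf" in /etc/rc.conf, and run pfctl -nf /etc/pf.conf to syntax-check the file before loading it.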