From owner-freebsd-virtualization@freebsd.org Wed Nov 4 16:32:26 2020
From: Thomas Laus
Reply-To: lausts@acm.org
To: "freebsd-virtualization@freebsd.org"
Subject: Using OpenBSD guest as PF firewall
Date: Wed, 4 Nov 2020 16:32:23 +0000
Message-ID: <01000175941a2783-79804ed8-eafa-4f80-92d4-3f500e9d7993-000000@email.amazonses.com>
List-Id: "Discussion of various virtualization techniques FreeBSD supports."

Is there a How-To or a Handbook article for using an OpenBSD guest as a firewall for a FreeBSD host?

I have enabled pci-passthru and the OpenBSD guest can use the functional FreeBSD NIC hardware and has a hostname.vio0 configured with an IP address and netmask. I have created a public switch on the FreeBSD side and have added tap0.

I can connect both from and to the OpenBSD / FreeBSD host by their respective IP addresses. These addresses both use the same subnet. I can't connect anywhere else from the FreeBSD host. The OpenBSD guest has an open pf.conf file to pass all packets from vio0 to my re0 NIC. The OpenBSD system is version 6.8 and FreeBSD is Current r367054.

It looks like I need to create a bridge somewhere, but can't find the proper commands to make one. I have read a few instructions, but none of them use commands from the vm-bhyve port. I found that it is always a good idea not to 'mix and match' these methods.

Tom

--
Public Keys:
PGP KeyID = 0x5F22FDC1
GnuPG KeyID = 0x620836CF
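An illustration of the topology described in the message, added here as an example rather than taken from the original post or from the OpenBSD or vm-bhyve projects: a minimal OpenBSD pf.conf for the guest, assuming re0 is the passed-through upstream NIC, vio0 is the virtio NIC on the vm-bhyve switch that carries tap0, and 192.168.10.0/24 is a constructed address for the subnet the host and guest share.

```pf
# Added example pf.conf for an OpenBSD guest acting as the FreeBSD host's firewall.
# Assumptions: re0 = passed-through upstream NIC, vio0 = virtio NIC on the
# vm-bhyve switch carrying tap0. All addresses are constructed for illustration.
ext_if  = "re0"
int_if  = "vio0"
lan_net = "192.168.10.0/24"   # constructed: subnet shared by the host bridge and vio0

set skip on lo

# Default deny with logging; only the rules below admit traffic.
block return log all

# Rewrite host-originated traffic to the upstream address so replies return
# through the guest instead of being routed back onto the shared subnet.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Accept traffic arriving from the host side and let it leave upstream.
# State is kept by default, so replies are admitted without an inbound rule.
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet

# Let the guest itself talk to the host side (ssh to the guest, DNS, etc.).
pass out on $int_if inet from ($int_if) to $lan_net

# Packet forwarding between vio0 and re0 must also be enabled on the guest:
#   sysctl net.inet.ip.forwarding=1      (persist it in /etc/sysctl.conf)
```

On the host side the vm-bhyve switch bridge that carries tap0 needs its own address in lan_net (the `vm switch address` subcommand assigns one; 192.168.10.2/24 would be a constructed example) and the host's default route must point at the guest's vio0 address, otherwise traffic never reaches the guest's NAT rule.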