Date: Wed, 29 Aug 2007 06:19:10 -0700 From: Julian Elischer <julian@elischer.org> To: Jeffrey Williams <jeff@sailorfej.net>, freebsd-jail@freebsd.org, freebsd-net@freebsd.org Subject: Re: Running jails on multiple subnets with multiple interfaces Message-ID: <46D5724E.8020208@elischer.org> In-Reply-To: <20070828224314.GB4446@tcbug.org> References: <46D4983E.2050305@sailorfej.net> <20070828224314.GB4446@tcbug.org>
Josh Paetzel wrote:
> Jeffrey Williams wrote:
>> I have a server with two interfaces, I want to run the host and a couple of
>> jails using one interface on one subnet (internal interface, private IP, behind
>> NAT/firewall) and some other jails using the other interface on another subnet
>> (external interface, public IP, DMZ).
>>
>> Now my understanding of the challenge in doing this is that the network stack
>> is not "virtualized" in the jails, so all the jails use the same routing table,
>> and for obvious reasons only one default router. (Also, just for the sake of
>> clarity, I don't want to enable routing between interfaces on the jail host.)
>>
>> Now if I understand all this correctly, then what will happen is, if I set the
>> default router to the internal network's exit router (the NAT/firewall), then
>> the jails listening on the external interface will only be able to talk to
>> their local subnet, and because the internal subnet won't exist for them they
>> won't be able to connect to the network at large.
>>
>> If I set the default router to the external network's exit router (the DMZ
>> perimeter firewall) then the host and jails listening on the internal network
>> won't be able to talk to the internet beyond the local nets: the
>> jails because the external network doesn't exist for them, and the host because,
>> even though it can talk to both nets, the services are configured to only
>> listen on the internal net, and it will be trying to send all outgoing
>> traffic to the public net, thus not creating any NAT table entries on the
>> NAT/firewall for the return connections.
>>
>> Is there any way to achieve what I am trying to do?
>>
>> Thanks
>> Jeffrey Williams
>
> PF makes a very effective workaround to this with its route-to
> option...effectively letting you bypass the routing table altogether
> and set up per-IP behavior.
>
> For instance, I use it in the following scenario, where a box has two
> interfaces with public IPs and I don't want answers to connections on
> the 'secondary' interface to go out the default route.

ipfw can also do this using the fwd rule. In 7.x (and 6-stable) you can also do:

ipfw table 1 add 1.2.3.4/28 2.2.2.2  <-- a specific route
ipfw table 1 add 0.0.0.0/0 3.3.3.3   <-- a default route
ipfw add 300 fwd tablearg ip from ${ADDRESS2} to table(1) out

>
> connection 1's router 192.168.1.1
> em0 ip 192.168.1.2/24
>
> connection 2's router 10.0.0.1
> em1 ip 10.0.0.2/24
>
> if connection 1 is the 'primary' link then set the default route to
> 192.168.1.1 and put the following rule in pf.conf
>
> pass out route-to (em1 10.0.0.1) from 10.0.0.2 to ! 10.0.0.0/24
>
> If you were to give more concrete examples of your config I could
> probably help you out with a workable pf solution.
>
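A worked pf.conf for Jeffrey's layout, built from Josh's route-to rule plus the inbound reply-to counterpart that the thread does not spell out. This is an added example, not code from the thread or from the FreeBSD project; the interface names, router addresses and jail IPs are assumptions, and 10.0.0.0/24 stands in for the public DMZ block. It assumes the kernel default route points at the internal NAT firewall, the DMZ jail addresses are configured as aliases on em1, and net.inet.ip.forwarding stays at 0 (the rules only re-steer traffic that originates on, or is addressed to, the host itself).

```pf
# Added example for the two-subnet jail host discussed above (assumed names/addresses).
#   em0: internal NIC, host + internal jails, 192.168.1.0/24, NAT firewall 192.168.1.1
#   em1: DMZ NIC, DMZ jails, 10.0.0.0/24 (stand-in for the public block), DMZ router 10.0.0.1
# Kernel default route: 192.168.1.1.  DMZ jails must never use it.
int_if    = "em0"
dmz_if    = "em1"
dmz_gw    = "10.0.0.1"
dmz_net   = "10.0.0.0/24"
dmz_jails = "{ 10.0.0.11, 10.0.0.12 }"   # aliases on em1, one per DMZ jail (assumed)

set skip on lo0

# Traffic originated by a DMZ jail toward anything off the DMZ segment.  The
# routing table would push it out em0 toward the NAT box; it is matched there
# and route-to hands it to the DMZ router on em1 instead, bypassing the default route.
pass out on $int_if route-to ($dmz_if $dmz_gw) inet from $dmz_jails to ! $dmz_net keep state

# Connections arriving on the DMZ side for the jails.  reply-to ties the return
# half of the state to em1/$dmz_gw, so replies do not leak out through the NAT box.
pass in on $dmz_if reply-to ($dmz_if $dmz_gw) inet proto tcp from any to $dmz_jails port { 22, 80, 443 } keep state

# Host and internal jails: nothing special, the default route via 192.168.1.1 is correct.
pass out on $int_if inet from ($int_if) to any keep state
```

Two things to check after loading this with pfctl -f. First, a packet re-steered by route-to is filtered again on the new interface, so the ruleset must allow it out on em1 (a default-pass ruleset does; a ruleset with `block all` needs a matching `pass out on $dmz_if` rule). Second, pf on the jail host cannot tell jails apart except by their IP addresses, so the per-jail policy lives entirely in the `$dmz_jails` list; a jail whose address is missing from that list silently falls back to the internal default route.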
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46D5724E.8020208>