From: Farhan Khan
Subject: VLANing between jails not segmenting traffic
To: freebsd-net@freebsd.org
Message-ID: <4d50ef1e-1cc2-aca2-d390-313ef824d524@gmail.com>
Date: Mon, 30 Oct 2017 17:08:33 -0400
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

I am trying to experiment with setting up two jails on different VLANs, but have not been able to segment traffic. My configuration was to create vlan1 for jail1 and vlan2 for jail2. I ran the following commands:

    ifconfig vlan1 create vlan 1 vlandev em0
    ifconfig vlan1 10.1.0.1/24
    ifconfig vlan2 create vlan 2 vlandev em0
    ifconfig vlan2 10.2.0.1/24

Within each jail, I set the interface to be vlan1 and vlan2 and assigned them the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.

I still have connectivity between the two VLANs. Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route outbound at all. An `ifconfig` shows 0xffffff00 (/24), so my expected behavior would be "unable to route". It can even connect to the external interface's IP address. At a minimum, it should not even know how to connect to the 10.2.0.0/24 network at all.

I was advised that this connectivity is because jails use the base system's routing table. If so, how could one possibly separate network traffic? That is the entire purpose of VLANing. I have been advised to use pf to prevent that, but shouldn't VLANing provide that separation mechanism?

I do not know what I might be doing wrong here.

Thank you,
Farhan Khan
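Added example, not part of Farhan's post or of FreeBSD: a small Python model of a longest-prefix-match routing lookup that shows the mechanism the thread points at. With a classic jail the lookup is done against the host's table, which holds connected routes for both 10.1.0.0/24 (vlan1) and 10.2.0.0/24 (vlan2), so a destination of 10.2.0.2 resolves even though the jail itself was only given an address on vlan1; and since both addresses belong to the host, the kernel delivers that traffic internally, so no frame ever leaves em0 carrying a VLAN tag. A table that holds only the jail's own connected network (what a jail with its own network stack would consult) returns no route. The route entries are constructed from the addresses in the post; the external network 192.0.2.0/24 on em0, the per-jail tables and all function names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


def lookup(table: Iterable[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over a routing table; returns the interface the
    table associates with the destination, or None when no entry covers it."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best.iface if best else None


# Host routing table, constructed from the ifconfig commands in the post:
# both VLAN networks are connected routes on the host. The external network
# 192.0.2.0/24 on em0 is a placeholder, not taken from the post.
HOST_TABLE = [
    Route(ipaddress.IPv4Network("10.1.0.0/24"), "vlan1"),
    Route(ipaddress.IPv4Network("10.2.0.0/24"), "vlan2"),
    Route(ipaddress.IPv4Network("192.0.2.0/24"), "em0"),
]

# Hypothetical per-jail tables holding only each jail's own connected
# network, i.e. what a jail with its own network stack would consult.
JAIL_TABLES = {
    "jail1": [Route(ipaddress.IPv4Network("10.1.0.0/24"), "vlan1")],
    "jail2": [Route(ipaddress.IPv4Network("10.2.0.0/24"), "vlan2")],
}


def egress_for(jail: str, dst: str, shared_table: bool = True) -> Optional[str]:
    """Interface the lookup yields for traffic from `jail` to `dst`.
    shared_table=True models the classic jail consulting the host's table
    (the behaviour described in the thread); False models a private table."""
    table = HOST_TABLE if shared_table else JAIL_TABLES[jail]
    return lookup(table, dst)


def crosses_vlan_boundary(jail: str, dst: str) -> bool:
    """True when the shared host table resolves `dst` for `jail` through an
    interface other than the jail's own VLAN: the host, not the VLAN tag,
    is deciding reachability, and the separation the tag implies is gone."""
    own_iface = JAIL_TABLES[jail][0].iface
    egress = egress_for(jail, dst, shared_table=True)
    return egress is not None and egress != own_iface


if __name__ == "__main__":
    print("jail1 -> 10.2.0.2 via host table:", egress_for("jail1", "10.2.0.2"))
    print("jail1 -> 10.2.0.2 via own table: ", egress_for("jail1", "10.2.0.2", False))
    print("crosses VLAN boundary:", crosses_vlan_boundary("jail1", "10.2.0.2"))
```

Running the script shows the host table resolving 10.2.0.2 to vlan2 for jail1 while the jail-only table returns None, which is the "unable to route" result the post expected; the pf advice in the thread compensates for the shared table by filtering, whereas a per-jail table removes the route altogether.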