Date:      Thu, 5 Nov 2020 08:52:52 +1100
From:      Jason Tubnor <jason@tubnor.net>
To:        lausts@acm.org
Cc:        "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>
Subject:   Re: Using OpenBSD guest as PF firewall
Message-ID:  <CACLnyCJjdkxaLSu2=r2Ymjvdde_UzLVWcQpVt%2BtznEMepZNRhg@mail.gmail.com>
In-Reply-To: <01000175941a2783-79804ed8-eafa-4f80-92d4-3f500e9d7993-000000@email.amazonses.com>
References:  <01000175941a2783-79804ed8-eafa-4f80-92d4-3f500e9d7993-000000@email.amazonses.com>

On Thu, 5 Nov 2020 at 03:32, Thomas Laus <lausts@acm.org> wrote:

> Is there a How-To or a Handbook article for using an OpenBSD guest as a
> firewall for a FreeBSD host?  I have enabled pci-passthru and the
> OpenBSD guest can use the functional FreeBSD NIC hardware and has a
> hostname.vio0 configured with an IP address and netmask.  I have created
>

I think you are getting a few things mixed up here.  If you pass through
the adaptor to OpenBSD, then you'll address it by the real device name and
not use the vio driver.  Once you pass it through, the host will not be
able to communicate with the guest via the same path; it will be via some
other physical connection back to a switch.  If you want the guest and host
to communicate over the same wire, then you need to bridge the physical
interface at the host level and then add a tap to that bridge that the
guest will then use.

> a public switch on the FreeBSD side and have added tap0.  I can connect
> both from and to the OpenBSD / FreeBSD host by their respective IP
> addresses.  These addresses both use the same subnet.  I can't connect
> anywhere else from the FreeBSD host.  The OpenBSD guest has an open
> pf.conf file to pass all packets to from vio0 to my re0 NIC.
>
> The OpenBSD system is version 6.8 and the FreeBSD is Current r367054.
> It looks like I need to create a bridge somewhere, but can't find the
> proper commands to make one.  I have read a few instructions, but none
> of them use commands from the vm-bhyve port.  I found that is always a
> good idea to not 'mix and match' these methods.
>

We use the bridge/vio/tap configuration extensively. Testing on -HEAD shows
that two OpenBSD guests can communicate with each other and the rest of the
network at 3.5Gb/s with bridge.  We see even faster with netmap/VALE
(17Gb/s), but the OpenBSD vio driver has checksum issues that I need to sort
out.  We don't pass-thru any hardware as it exceeds the level of comfort
that we are happy with for deployed remote hosts.

Cheers,

Jason.
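The host-side layout Jason describes (physical NIC and the guest's tap both members of one host-level bridge), written out as an added example; this is not code from the thread, from vm-bhyve or from either poster. The names re0, tap0 and the vm-bhyve switch "public" are taken from Thomas's post; bridge0 is an assumed name (what FreeBSD gives the first cloned bridge). The script prints the commands unless APPLY=1 is set, in which case it runs them on the FreeBSD host as root and then checks the live bridge membership. The sample ifconfig output embedded at the bottom is constructed so the membership check can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or from vm-bhyve.
# Assumed names: bridge0 (host bridge). From the thread: re0 (physical NIC),
# tap0 (guest's vio0 backend), vm-bhyve switch "public".

IFACE="${IFACE:-re0}"        # physical NIC that reaches the real switch
BRIDGE="${BRIDGE:-bridge0}"  # host-level bridge (assumed name)
TAP="${TAP:-tap0}"           # tap the bhyve guest's vio0 sits on

# Plain ifconfig path: create bridge and tap, then make BOTH the physical NIC
# and the tap members. Leaving out "addm re0" is what gives a guest that can
# reach the host but nothing beyond it.
host_bridge_cmds() {
    cat <<EOF
ifconfig $BRIDGE create
ifconfig $TAP create
ifconfig $IFACE up
ifconfig $BRIDGE addm $IFACE addm $TAP up
EOF
}

# The same layout persisted in /etc/rc.conf so it survives a reboot.
host_rc_conf_lines() {
    cat <<EOF
cloned_interfaces="$BRIDGE $TAP"
ifconfig_$IFACE="up"
ifconfig_$BRIDGE="addm $IFACE addm $TAP up"
EOF
}

# vm-bhyve path (use this OR the ifconfig path, not both): vm-bhyve owns the
# bridge behind the switch and the per-guest tap, but the physical NIC still
# has to be added to the switch explicitly.
vm_bhyve_cmds() {
    cat <<EOF
vm switch create public
vm switch add public $IFACE
EOF
}

# Check: read "ifconfig <bridge>" output on stdin, print member interface names.
bridge_members() {
    awk '/^[[:space:]]*member: /{print $2}'
}

# Exit 0 if the named interface is a member (ifconfig output on stdin).
bridge_has_member() {
    bridge_members | grep -qx "$1"
}

# Constructed sample of FreeBSD "ifconfig bridge0" output for offline checking.
SAMPLE_BRIDGE_OUTPUT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:b4
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
        member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge'

if [ "${APPLY:-0}" = 1 ]; then
    host_bridge_cmds | sh -e
    # Verify on the live system: the NIC and the tap must both be members.
    for m in "$IFACE" "$TAP"; do
        ifconfig "$BRIDGE" | bridge_has_member "$m" \
            || { echo "$m is not a member of $BRIDGE" >&2; exit 1; }
    done
else
    echo "# dry run; set APPLY=1 to execute:"
    host_bridge_cmds
fi
```

Pick one of the two paths and stay with it, as Thomas notes about not mixing methods: with vm-bhyve the guest's config then carries `network0_type="virtio-net"` and `network0_switch="public"`, and the tap is created when the guest starts. If the host itself needs an address on that wire, the usual FreeBSD convention is to put it on bridge0 rather than on the member re0; the thread does not cover host addressing.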


