From: Thomas Laus <lausts@acm.org>
To: Jason Tubnor
Cc: freebsd-virtualization@freebsd.org
Subject: Re: Using OpenBSD guest as PF firewall
Date: Thu, 5 Nov 2020 12:40:27 +0000
Message-ID: <01000175986c2d21-4256d477-387f-4379-9dd3-8e60fc88b94a-000000@email.amazonses.com>
References: <01000175941a2783-79804ed8-eafa-4f80-92d4-3f500e9d7993-000000@email.amazonses.com>
List-Id: "Discussion of various virtualization techniques FreeBSD supports."

On 11/4/20 4:52 PM, Jason Tubnor wrote:
>
> I think you are getting a few things mixed up here.  If you pass through
> the adaptor to OpenBSD, then you'll address it by the real device name
> and not use the vio driver.  Once you pass it through, the host will not
> be able to communicate with the guest via the same path, it will be via
> some other physical connection back to a switch.  If you want the guest
> and host to communicate over the same wire, then you need to bridge the
> physical interface at the host level and then add a tap to that bridge
> that the guest will then use.
>
I am fairly sure that is not my case.  I have provided the FreeBSD NIC to
the OpenBSD client with pci-passthru.  This NIC will be internet facing and
I want to have the OpenBSD PF provide the firewall service to the FreeBSD
host like this forum link:

https://forums.freebsd.org/threads/howto-bhyve-using-openbsd-as-main-firewall-in-freebsd.50470/

My question to this list was how this can be done using vm-bhyve commands.
This 'how-to' showed the traditional scripting method and I would prefer
using the 'vm' commands.  The tap0 created as part of the 'vm switch'
utility is able to make the connection to the OpenBSD guest 'vio0'.  The
OpenBSD guest is also able to make the connection to 'tap0' on the FreeBSD
host.  The OpenBSD guest has normal internet connections to the world using
the NIC that was passed through.  The FreeBSD host is not able to make any
other connections anywhere other than to the OpenBSD guest.  This forum
article says it is possible.  I just need a handbook reference or a
'how-to' writeup for doing this using the vm-bhyve utility.

>
> We use the bridge/vio/tap configuration extensively.  Testing on -HEAD
> shows that two OpenBSD guests can communicate with each other and the
> rest of the network at 3.5Gb/s with bridge.  We see even faster with
> netmap/VALE (17Gb/s) but OpenBSD vio driver has checksum issues that I
> need to sort out.  We don't pass-thru any hardware as it exceeds the
> level of comfort that we are happy with, with deployed remote hosts.
>
This is not what I am trying to accomplish.

Tom

--
Public Keys:
PGP KeyID = 0x5F22FDC1
GnuPG KeyID = 0x620836CF
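The layout discussed in this thread, a guest with one virtio-net interface on the vm-bhyve switch (the bridge/tap path the host uses to reach the guest) plus one physical NIC handed to the guest by PCI pass-through, can be expressed as a vm-bhyve guest configuration. The script below is an added example and is not code from the thread, from vm-bhyve or from the linked how-to. It writes such a guest .conf and cross-checks it against the host's loader.conf: bhyve can only pass through a PCI device that was reserved at boot with pptdevs, and a mismatch between passthruN in the guest config and pptdevs on the host is the usual reason the guest never sees the NIC. The switch name "public", the device address "1/0/0", the guest name and the loader.conf contents are all assumed values constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the vm-bhyve project.
# Generates a vm-bhyve guest config for an OpenBSD firewall guest that has
#   - network0: virtio-net on the vm-bhyve switch (host <-> guest via bridge/tap)
#   - passthru0: a physical NIC given to the guest by PCI pass-through
# and checks that the pass-through device is reserved on the host via pptdevs.

GUEST=openbsd-fw      # assumed guest name
SWITCH=public         # assumed vm-bhyve switch ("vm switch create public")
PPT_DEV="1/0/0"       # assumed bus/slot/function of the internet-facing NIC

# Emit a vm-bhyve guest .conf using vm-bhyve's documented key names.
# The host talks to the guest only through the switch bridge; the
# pass-through NIC is invisible to the host once reserved with pptdevs.
gen_guest_conf() {
    cat <<EOF
loader="uefi"
cpu=1
memory=512M
network0_type="virtio-net"
network0_switch="$SWITCH"
passthru0="$PPT_DEV"
disk0_type="virtio-blk"
disk0_name="disk0.img"
EOF
}

# check_pptdevs GUEST_CONF LOADER_CONF
# Returns 0 when every passthruN="bus/slot/function" in the guest config is
# listed in the loader.conf line pptdevs="..." (space-separated), 1 otherwise.
check_pptdevs() {
    conf="$1"
    loader="$2"
    reserved=$(sed -n 's/^pptdevs="\(.*\)"$/\1/p' "$loader")
    for dev in $(sed -n 's/^passthru[0-9]*="\(.*\)"$/\1/p' "$conf"); do
        case " $reserved " in
            *" $dev "*) ;;   # reserved for bhyve at boot
            *)
                echo "passthru device $dev is not in pptdevs on the host" >&2
                return 1
                ;;
        esac
    done
    return 0
}

# Stand-alone demonstration on constructed files in a temporary directory.
WORK=$(mktemp -d)
gen_guest_conf > "$WORK/$GUEST.conf"
# Constructed host loader.conf: vmm(4) loaded and the NIC reserved for bhyve.
printf 'vmm_load="YES"\npptdevs="%s"\n' "$PPT_DEV" > "$WORK/loader.conf"
if check_pptdevs "$WORK/$GUEST.conf" "$WORK/loader.conf"; then
    echo "guest config and host pptdevs agree:"
    cat "$WORK/$GUEST.conf"
fi
rm -rf "$WORK"
```

On a real host the generated file would go to the guest's directory under the vm-bhyve datastore and loader.conf is /boot/loader.conf; the check is worth running before `vm start`, because a pptdevs change only takes effect after a reboot.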