From: Julian Elischer <julian@freebsd.org>
Date: Sun, 06 Apr 2014 00:20:56 +0800
To: Chris Smith, freebsd-net@freebsd.org
Subject: Re: Multihomed system with jails routing issues
Message-ID: <53402D68.4030500@freebsd.org>
In-Reply-To: <533F68EF.8060607@nevermind.co.nz>

On 4/5/14, 10:22 AM, Chris Smith wrote:
> Hi All,
>
> I have a system with 1 network interface with 2 extra VLANs off it
> and I'm having some trouble getting the routing working correctly
> with it and jails.
>
> bge0 - management - 10.71.100.0/24
> bge0.101 - LAN - 10.71.101.0/24
> bge0.103 - DMZ - 10.71.101.0/24
>
> Here's what I want to achieve...
>
> Host:
> I want the host system to only listen on one interface, bge0. I want
> NO ip addresses of the host on the vlan interfaces. The only service
> it will be exposing is its sshd. The management address for this
> system is 10.71.100.50.
>

Sounds to me that you want to use vimage jails. Check the vnet command to jail.

> Jails:
> The system will also host a variety of jails, each with an IP either
> on the LAN or DMZ. I am using ezjail to manage the jails.
>
> Router:
> There is a router at the .254 address of every subnet that can route
> between each network.
>
> I set up jail1 on bge0.101 with the IP 10.71.101.51. Since the host
> does not have an address configured on bge0.101, I configured the
> jail address as /24 instead of the default /32.
>
> My issues:
>
> * If I do not configure the jail as a /24 (e.g. /32), the LAN cannot
> communicate with the jail.
>
> * When the jail is up and 10.71.101.51/24 is active, SSHing from the
> LAN to the mgmt interface via the router fails, as the host tries to
> send return traffic via the bge0.101 interface, even though traffic
> arrived via the bge0 interface.
>
> So I did a whole lot of research for people having these apparent
> problems, and decided to try the multiple routing table/fib
> approach. So I recompiled my kernel, configured fib 1 with the LAN
> interface route (setfib route add 10.71.101.0/24 -iface bge0.101),
> set the jail fib and set the tunable net.addr_all_fibs = 0. I still
> can't get this working correctly. ezjail still seems to add the
> interface route to fib 0 by default (but it won't if I run ezjail
> with the setfib 1 command).
>
> Using FIB 1 and trying to ping hosts on the LAN gives an error like:
> sendto failed: invalid argument.
>
> Does anybody have any best practices for doing this, or anything
> else I can try? I'm happy to share/pastebin any configuration and
> I've tried most things I've found on the internet. I'm using FreeBSD
> 10.0 with a custom kernel for multiple routing tables.
>
> Thanks in advance!
> Chris.
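As an added example, not taken from the thread, here is one way to realise the vnet suggestion in jail.conf(5): jail1 gets its own network stack and is bridged onto bge0.101, so the host keeps no address on the VLAN and the jail's /24 and default route live in the jail's own routing table rather than in the host's fib 0. It assumes a kernel built with options VIMAGE, a bridge0 that already has bge0.101 as a member, and the epair names and jail path shown.

```conf
# /etc/jail.conf entry (added example; assumes a VIMAGE kernel and a
# pre-existing bridge, e.g. in rc.conf:
#   cloned_interfaces="bridge0"
#   ifconfig_bridge0="addm bge0.101 up"
# The host configures no address on bge0.101, so fib 0 never gains
# an interface route into the LAN VLAN.)

jail1 {
    # assumed ezjail-style path and placeholder hostname
    path = "/usr/jails/jail1";
    host.hostname = "jail1.example";
    mount.devfs;

    # own network stack instead of sharing the host's
    vnet;

    # create an epair on the host; side "a" joins the bridge,
    # side "b" is moved into the jail's vnet
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a up";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    vnet.interface = "epair0b";

    # runs inside the jail: address and default route are set in
    # the jail's routing table, the host's tables are untouched
    exec.start  = "ifconfig epair0b inet 10.71.101.51/24 up";
    exec.start += "route add default 10.71.101.254";
    exec.start += "/bin/sh /etc/rc";
    exec.stop   = "/bin/sh /etc/rc.shutdown";

    # tear the epair down with the jail
    exec.poststop = "ifconfig epair0a destroy";
}
```

Because the jail's 10.71.101.0/24 route exists only inside the jail's stack, the host's replies to management traffic arriving on bge0 cannot be steered out bge0.101, which is the asymmetric-return problem described above.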