From: Thomas Laus
Reply-To: lausts@acm.org
To: Jason Tubnor
Cc: freebsd-virtualization@freebsd.org
Subject: Re: Using OpenBSD guest as PF firewall
Date: Fri, 6 Nov 2020 19:25:37 +0000
On 11/5/20 9:24 PM, Jason Tubnor wrote:
>
> You could create a clone (lo) with an IP address, add that as an
> interface to a vm switch and then guest tap to that vm switch?
>
I ended up getting this all to function by removing the bridge 'public' created by the vm-bhyve utility and manually making the loader.conf and rc.conf changes listed in the forum article.

My loader.conf:

    vmm_load="YES"
    if_tap_load="YES"
    if_bridge_load="YES"
    pptdevs="2/0/0"          # host NIC at bus/slot/function 2/0/0 passed through to the guest

I edited my rc.conf and added:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="inet 172.16.1.2 netmask 255.255.255.0"
    defaultrouter="172.16.1.1"   # the OpenBSD guest's vio0 address on the bridge
    gateway_enable="YES"         # host forwards packets between its interfaces

The OpenBSD guest has a vio0 address set to 172.16.1.1 in hostname.vio0. The OpenBSD guest sees the host motherboard NIC that is passed through, and it is properly configured through DHCP.

The only hiccup is that I can't enable the tap0 interface in the host /etc/rc.conf, because OpenBSD takes 35 seconds to boot and vio0 on that end is not visible until the boot process has been completed. I made a script for /usr/local/etc/rc.d on the host to add tap0 to bridge0. It errors out during the host boot process, but runs fine when given a 'onestart' after the host is booted. I have already tried adding a 'sleep 40' to the start of the script without success.

I now have a 'mostly' operational OpenBSD PF guest for my FreeBSD host. Thanks for the help and a few pointers in the right direction.

Tom

--
Public Keys:
PGP KeyID = 0x5F22FDC1
GnuPG KeyID = 0x620836CF
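The tap-to-bridge step described in the mail, as an added example (my own code, not Tom's rc.d script and not part of vm-bhyve): instead of a fixed sleep, poll until the guest's host-side tap interface exists, then add it to the bridge only if it is not already a member. The interface names bridge0 and tap0 come from the mail; the attempt limit, the poll interval, the IFCONFIG override (present only so the logic can be exercised without real interfaces) and the rc.d wrapper sketched in the comments, including its REQUIRE ordering, are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original mail: wait for a tap interface to
# appear, then add it to a bridge idempotently.  Intended to be sourced by
# (or pasted into) an rc.d script on the bhyve host.
#
# Hypothetical rc.d wrapper (rc.subr boilerplate, shown here as a comment):
#   # PROVIDE: tapbridge
#   # REQUIRE: vm          <- assumption: vm-bhyve's own rc script is named "vm";
#   #                         ordering after it means the guest is already starting
#   . /etc/rc.subr
#   name=tapbridge
#   rcvar=tapbridge_enable
#   start_cmd="add_tap_to_bridge bridge0 tap0"
#   load_rc_config $name
#   run_rc_command "$1"

IFCONFIG=${IFCONFIG:-ifconfig}       # overridable so the logic can be tested offline
POLL_INTERVAL=${POLL_INTERVAL:-1}    # seconds between checks (assumed value)
MAX_ATTEMPTS=${MAX_ATTEMPTS:-120}    # give up after about two minutes (assumed value)

# iface_exists NAME: succeeds when ifconfig knows the interface.
iface_exists() {
    "$IFCONFIG" "$1" >/dev/null 2>&1
}

# wait_for_iface NAME ATTEMPTS: poll until NAME exists.
# Returns 0 as soon as it is seen, 1 after ATTEMPTS failed checks.
wait_for_iface() {
    _name=$1
    _left=$2
    while [ "$_left" -gt 0 ]; do
        if iface_exists "$_name"; then
            return 0
        fi
        _left=$((_left - 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# bridge_has_member BRIDGE MEMBER: succeeds when MEMBER is already in BRIDGE.
# ifconfig(8) lists bridge members as "member: tapN flags=...", so the
# trailing space keeps tap0 from matching tap00.
bridge_has_member() {
    "$IFCONFIG" "$1" 2>/dev/null | grep -q "member: $2 "
}

# add_tap_to_bridge BRIDGE TAP: wait for TAP, then add it to BRIDGE and bring
# it up.  Returns 0 when TAP is a member afterwards, 1 if TAP never appeared
# or ifconfig failed.  Safe to run repeatedly (e.g. 'onestart' after boot).
add_tap_to_bridge() {
    _bridge=$1
    _tap=$2
    if ! wait_for_iface "$_tap" "$MAX_ATTEMPTS"; then
        echo "$_tap did not appear after $MAX_ATTEMPTS attempts" >&2
        return 1
    fi
    if bridge_has_member "$_bridge" "$_tap"; then
        return 0
    fi
    "$IFCONFIG" "$_bridge" addm "$_tap" && "$IFCONFIG" "$_tap" up
}
```

One point worth checking before relying on a sleep at all: rc.d scripts run one after another in rcorder(8) order, so a sleep in a script that runs before whichever script starts the guest only delays the guest's start by the same amount and the tap still does not exist when the sleep ends. Ordering the script after the one that starts the guest (the REQUIRE line above, assuming vm-bhyve's rc script provides "vm") and polling for the interface removes that dependency on boot timing.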