Date: Thu, 29 Dec 2016 17:39:30 -0500
From: Vincent Olivier <vincent@up4.com>
To: "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>
Subject: Re: Multiple bhyve Guests, Single bridge/tap?
Message-ID: <B2390C22-4F3A-44FE-AFB4-151756024EA5@up4.com>
In-Reply-To: <CANV9Nzm36Uf1=DiWbOphQe4suQ9SrGjU=zgChWfLTp7FZWATfQ@mail.gmail.com>
References: <B0C8AC1D-340A-4EF9-A862-FEA3A2AE37E4@up4.com> <CAGBxaXmv1pD1Lib76jzU%2B7OntT7i50xmV6LmxYjjmOYYrmD8UA@mail.gmail.com> <EFADB4DF-5779-4228-8A22-2E336B4E46D4@up4.com> <CAGBxaXnEs9n1DMET3y58ZouRnizj5Xn8yW1r_qr7tBiL0DgaNg@mail.gmail.com> <CANV9Nzm36Uf1=DiWbOphQe4suQ9SrGjU=zgChWfLTp7FZWATfQ@mail.gmail.com>
Hi!

I made a little diagram of the situation that I posted on Twitter. If you are aggressive enough with the web interface you can see a full-size version where the labels are clear enough to read.

https://twitter.com/MUP4/status/814595352112283649

I had fun doing it. Hope it provides a little bit of joy to you helpful guys too! :)

> On Dec 29, 2016, at 1:09 PM, Matt Churchyard <churchers@gmail.com> wrote:
>
> As mentioned a bridge is the virtual equivalent of a switch. It only really makes sense to have more than one bridge if you have more than one interface on your guest(s), and want to connect those interfaces to separate networks. (Or you want some guests on a different network, possibly bridged to a different physical interface).

That is why I made the above diagram. There are multiple networks and multiple interfaces, etc.

> If you want to provide complete network separation between guests, it's much easier to just use the 'private' option to ifconfig when bridging the guest's tap interface. Any bridge member set to private cannot talk to any other private bridge member. Of course this is only really applicable in multi-tenant situations like Aryeh says. If they are all your own guests, the fact that they can see each other on the network should hopefully be a non-issue.

Got it. I think that the planned architecture illustrated in the diagram provides the adequate level of isolation.

Here is an explanation of the guest virtual machines and their intended uses:

CINQ: this is the bare-metal OS; it provides a Samba service on a ZFS pool to both the 1G and the 10G networks. It also contains all the other virtual machines.

PFSENSE: I guess this is the most sensitive network-wise. It has to provide a DHCP service for both the 1G and the 10G networks (with separate subnets). It provides NAT routing, bandwidth shaping, etc. to the ADSL MODEM for internet access on the 1G network only (not the 10G). Also only for the 1G network, there should be an HTTP/HTTPS proxy (probably squid, depending on what pfsense supports) that transparently further proxies *.onion and *.i2p routing to relevant HTTP/HTTPS/SOCKS proxy services on the ALTNET machine.

ALTNET: "dark web proxy" accessible explicitly or via PFSENSE traffic, uses the internet connection provided by PFSENSE. Requires access to the 1G network (for explicit access), and to the PFSENSE for the Squid transparent proxying and internet for software updates.

UNIFI: network device management for the 1000BASE-T SWITCH and the UNIFI 802.11 AP (access point). Requires access to the 1G network (where the devices are) and the internet for software updates.

CULTURED: modified forked-daapd service for the 1G network. Requires internet access via PFSENSE for software updates.

So I guess, my only question is: will that work?

Thank you all in advance. Maybe I'm getting too excited but with bhyve, FreeBSD makes a lot of sense for the always-on home appliance that I always dreamed of...

Take care,

Vincent
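As an added example (not code posted in this thread), the following sh script builds the bridge/tap layout the message describes: one bridge per physical network, one tap per guest NIC, and PFSENSE with a tap on each bridge. It also shows the `private` member option Matt mentions, as a separate variant. The uplink names (em0 for the 1G network, ix0 for the 10G network) and the tap numbering are assumptions; adjust them to the host. With DRY_RUN=1 (the default) it prints the ifconfig commands instead of executing them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the thread: wire up the bridges and taps for
# the topology described above (one 1G network, one 10G network, PFSENSE on
# both). Uplink names (em0 = 1G, ix0 = 10G) and the tap numbering are
# assumptions; adjust to the host. DRY_RUN=1 (the default) prints the
# ifconfig commands; run as root with DRY_RUN=0 to apply them.

: "${DRY_RUN:=1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_members BRIDGE UPLINK PRIVATE TAP...
#   Create BRIDGE, add the physical UPLINK, then create and add every TAP.
#   PRIVATE=yes marks each tap as a private bridge member: a private member
#   can still reach non-private members (the uplink, and so the physical LAN)
#   but not any other private member. PRIVATE=no leaves the guests free to
#   talk to one another through the bridge.
bridge_members() {
    bridge=$1; uplink=$2; private=$3; shift 3
    run ifconfig "$bridge" create
    run ifconfig "$bridge" addm "$uplink" up
    for tap in "$@"; do
        run ifconfig "$tap" create
        run ifconfig "$bridge" addm "$tap"
        if [ "$private" = "yes" ]; then
            run ifconfig "$bridge" private "$tap"
        fi
        run ifconfig "$tap" up
    done
}

# The thread's topology. PRIVATE is 'no' on purpose: ALTNET and CULTURED get
# their internet access through PFSENSE, and PFSENSE's transparent proxy
# hands *.onion/*.i2p traffic to ALTNET, so those guests' taps must be able
# to exchange frames with each other on bridge0.
setup_topology() {
    # 1G network: PFSENSE (tap0), ALTNET (tap1), UNIFI (tap2), CULTURED (tap3)
    bridge_members bridge0 em0 no tap0 tap1 tap2 tap3
    # 10G network: PFSENSE's second interface only (tap4)
    bridge_members bridge1 ix0 no tap4
}

# Multi-tenant variant: guests may reach the LAN via em0 but not each other.
setup_isolated() {
    bridge_members bridge0 em0 yes tap0 tap1 tap2 tap3
}

setup_topology
```

Each tap is then handed to its guest on the bhyve command line with a `-s <slot>,virtio-net,tapN` argument, and setting `net.link.tap.up_on_open=1` in sysctl.conf makes the tap come up when bhyve opens it. Note that `private` is a per-bridge forwarding rule: in this layout it would cut PFSENSE off from ALTNET and CULTURED, so it only fits the isolated variant, where every guest needs nothing but the uplink.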