From: Vincent Olivier
Subject: Re: Multiple bhyve Guests, Single bridge/tap?
Date: Thu, 29 Dec 2016 17:39:30 -0500
To: freebsd-virtualization@freebsd.org

Hi!
I made a little diagram of the situation that I posted on Twitter. If you are aggressive enough with the web interface you can see a full size version where the labels are clear enough to read.

https://twitter.com/MUP4/status/814595352112283649

I had fun doing it. Hope it provides a little bit of joy to you helpful guys too! :)

> On Dec 29, 2016, at 1:09 PM, Matt Churchyard wrote:
>
> As mentioned a bridge is the virtual equivalent of a switch. It only really makes sense to have more than one bridge if you have more than one interface on your guest(s), and want to connect those interfaces to separate networks. (Or you want some guests on a different network, possibly bridged to a different physical interface).

That is why I made the above diagram. There are multiple networks and multiple interfaces, etc.

> If you want to provide complete network separation between guests, it's much easier to just use the 'private' option to ifconfig when bridging the guest's tap interface. Any bridge member set to private can not talk to any other private bridge member. Of course this is only really applicable in multi-tenant situations like Aryeh says. If they are all your own guests, the fact that they can see each other on the network should hopefully be a non-issue.

Got it. I think that the planned architecture illustrated in the diagram provides the adequate level of isolation.

Here is an explanation of the guest virtual machines and their intended uses:

CINQ: this is the bare-metal OS; it provides a Samba service on a ZFS pool to both the 1G and the 10G networks. It also contains all the other virtual machines.

PFSENSE: I guess this is the most sensitive network-wise. It has to provide a DHCP service for both the 1G and the 10G networks (with separate subnets). It provides NAT routing, bandwidth shaping, etc. to the ADSL MODEM for internet access on the 1G network only (not the 10G). Also only for the 1G network, there should be an HTTP/HTTPS proxy (probably squid, depending on what pfsense supports) that transparently further proxies *.onion and *.i2p routing to relevant HTTP/HTTPS/SOCKS proxy services on the ALTNET machine.

ALTNET: "dark web proxy" accessible explicitly or via PFSENSE traffic, uses the internet connection provided by PFSENSE. Requires access to the 1G network (for explicit access), and to the PFSENSE for the Squid transparent proxying and internet for software updates.

UNIFI: network device management for the 1000BASE-T SWITCH and the UNIFI 802.11 AP (access point). Requires access to the 1G network (where the devices are) and the internet for software updates.

CULTURED: modified forked-daapd service for the 1G network. Requires internet access via PFSENSE for software updates.

So I guess, my only question is: will that work?

Thank you all in advance. Maybe I'm getting too excited but with bhyve, FreeBSD makes a lot of sense for the always-on home appliance that I always dreamed of...

Take care,

Vincent
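The 'private' bridge-member option Matt Churchyard mentions, as an added example that is not part of the original thread: a FreeBSD sh script that builds one bridge with the physical uplink as an ordinary member and each guest tap as a private member, plus an audit that reads `ifconfig bridge0` output and reports which members are (and are not) private. The interface names bridge0, igb0, tap0 and tap1 and the sample ifconfig output are assumptions constructed for the example; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Builds a bhyve bridge on
# FreeBSD where every guest tap is a 'private' bridge member: guests reach the
# uplink (and so DHCP/NAT on the router) but cannot exchange frames with each
# other. bridge0, igb0, tap0 and tap1 are assumed names, not from the thread.
# DRY_RUN=1 (the default) prints the ifconfig commands instead of running them,
# so the script is safe to execute anywhere; run with DRY_RUN=0 as root on the
# FreeBSD host to apply the configuration.

# run_cmd: print or execute a command depending on DRY_RUN.
run_cmd() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_setup BRIDGE UPLINK: create the bridge and attach the physical NIC as an
# ordinary (non-private) member so guests can still reach the rest of the LAN.
bridge_setup() {
    run_cmd ifconfig "$1" create
    run_cmd ifconfig "$1" addm "$2" up
}

# add_private_tap BRIDGE TAP: create the guest's tap, add it to the bridge and
# mark it private so the bridge never forwards its frames to another private member.
add_private_tap() {
    run_cmd ifconfig "$2" create
    run_cmd ifconfig "$1" addm "$2" private "$2"
    run_cmd ifconfig "$2" up
}

# isolate_guests BRIDGE UPLINK TAP...: the whole procedure for a set of guest taps.
isolate_guests() {
    br="$1"; up="$2"; shift 2
    bridge_setup "$br" "$up"
    for t in "$@"; do
        add_private_tap "$br" "$t"
    done
}

# Audit helpers: read `ifconfig <bridge>` output on stdin. Each member line looks
# like "member: tap0 flags=1c3<LEARNING,DISCOVER,PRIVATE,...>", so the third
# whitespace-separated field carries the PRIVATE flag when isolation is in effect.

# private_members: names of members that are private, one per line.
private_members() {
    awk '/^[[:space:]]*member:/ { if ($3 ~ /PRIVATE/) print $2 }'
}

# unprivate_members: names of members that are NOT private. A guest tap listed
# here can still talk to every other guest on the bridge; the uplink is expected.
unprivate_members() {
    awk '/^[[:space:]]*member:/ { if ($3 !~ /PRIVATE/) print $2 }'
}

# Constructed sample of `ifconfig bridge0` output (not captured from a real host).
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: tap0 flags=1c3<LEARNING,DISCOVER,PRIVATE,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000000
        member: tap1 flags=1c3<LEARNING,DISCOVER,PRIVATE,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# Stand-alone demo: show the commands, then audit the sample output.
isolate_guests bridge0 igb0 tap0 tap1
printf 'private members: %s\n' "$(printf '%s\n' "$SAMPLE_BRIDGE" | private_members | tr '\n' ' ')"
printf 'non-private members: %s\n' "$(printf '%s\n' "$SAMPLE_BRIDGE" | unprivate_members | tr '\n' ' ')"
```

The uplink is deliberately left non-private: the private flag only stops the bridge from forwarding between two private members, so each guest keeps its path to the physical network and the router while guest-to-guest frames are dropped. Piping the real `ifconfig bridge0` output through `unprivate_members` after boot is a quick way to confirm that no guest tap lost the flag, for instance when the bridge is rebuilt from rc.conf.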