Message-ID: <45C17032.4030807@mac.com>
Date: Wed, 31 Jan 2007 23:44:34 -0500
From: Chuck Swiger
To: Jeffrey Williams
Cc: freebsd-stable@freebsd.org
Subject: Re: jails and multple interfaces
In-Reply-To: <45C081E9.50509@sailorfej.net>
List-Id: Production branch of FreeBSD source code

Jeffrey Williams wrote:
[ ... ]
> My only concern, and what I was hoping to get more information on, is
> whether there are any potential problems with having two active ethernet
> interfaces on the same network segment, e.g. arp issues, etc.

The problem you are going to run into is that the default behavior of FreeBSD's routing table will cause it to favor only one of the interfaces if two or more NICs are configured onto the same subnet. You can probably override this behavior for jails by setting up some /32 routes for the jail IPs or use IPFW to fwd certain traffic via specific interfaces.

If your switch has port aggregation capabilities (aka "port trunking"), you could bind them together-- see "man ng_fec". Otherwise, the normal approach really is to put the two interfaces on two distinct subnets.

However, if you really want to isolate the traffic due to concern over security, you really ought to consider using two separate machines on two separate switches handling two distinct subnets.

-- 
-Chuck
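
A check for the situation this message describes, added here as an example and not part of the original post: it parses FreeBSD `ifconfig` output and reports subnets that more than one NIC is attached to, along with the addresses (including /32 jail aliases) that sit inside them. The `ifconfig` text is a constructed sample using documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of FreeBSD `ifconfig` output (not from the original post).
# em0 carries a /32 alias of the kind typically assigned to a jail.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.21 netmask 0xffffffff broadcast 192.0.2.21
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.0.2.11 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

def parse_ifconfig(text):
    """Return [(ifname, IPv4Interface)] for every inet line."""
    found, ifname = [], None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            ifname = m.group(1)
            continue
        m = re.match(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})", line)
        if m and ifname:
            # FreeBSD prints the mask in hex; the prefix length is its bit count.
            prefix = bin(int(m.group(2), 16)).count("1")
            found.append((ifname, ipaddress.ip_interface(f"{m.group(1)}/{prefix}")))
    return found

def shared_subnets(text):
    """Map each subnet to its interfaces when more than one NIC is attached."""
    by_net = defaultdict(set)
    for ifname, addr in parse_ifconfig(text):
        # /32 aliases do not define a connected subnet of their own.
        if addr.network.prefixlen < 32 and not addr.ip.is_loopback:
            by_net[addr.network].add(ifname)
    return {str(net): sorted(ifs) for net, ifs in by_net.items() if len(ifs) > 1}

def addresses_at_risk(text):
    """Addresses inside a shared subnet, paired with the NIC each is bound to."""
    nets = [ipaddress.ip_network(n) for n in shared_subnets(text)]
    return sorted((str(addr.ip), ifname) for ifname, addr in parse_ifconfig(text)
                  if any(addr.ip in net for net in nets))

if __name__ == "__main__":
    print(shared_subnets(SAMPLE_IFCONFIG))
    print(addresses_at_risk(SAMPLE_IFCONFIG))
```

Every address it lists is one whose outbound traffic may leave via a different NIC than the one it is configured on, so interface-based filtering or isolation assumptions for those jails should be verified.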