Subject: Re: VLANing between jails not segmenting traffic
From: Eugene Grosbein <eugen@grosbein.net>
To: Farhan Khan, freebsd-net@freebsd.org
Date: Tue, 31 Oct 2017 04:26:26 +0700
Message-ID: <59F79902.40408@grosbein.net>
In-Reply-To: <4d50ef1e-1cc2-aca2-d390-313ef824d524@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

On 31.10.2017 4:08, Farhan Khan wrote:
> Hi all,
>
> I am trying to experiment with setting up two jails on different VLANs, but have not been able to segment traffic.
>
> My configuration was to create vlan1 for jail1 and vlan2 for jail2.
>
> I did the following commands:
> ifconfig vlan1 create vlan 1 vlandev em0
> ifconfig vlan1 10.1.0.1/24
> ifconfig vlan2 create vlan 2 vlandev em0
> ifconfig vlan2 10.2.0.1/24
>
> Within each jail, I set the interface to be vlan1 and vlan2 and assigned them the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.
>
> I can still have connectivity between the two VLANs.
>
> Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route outbound at all. An `ifconfig` shows 0xffffff00 (/24), so my expected behavior would be to say "unable to route". It can even connect to the external interface's IP address. At a minimum it should not even know how to connect to the 10.2.0.0/24 network at all.
>
> I was advised that its connectivity is because jails use the base system's routing table. If so, how could one possibly separate network traffic? That's the entire purpose of VLANing.
>
> I have been advised to use pf to prevent that, but shouldn't VLANing provide that separation mechanism? I do not know what I might be doing wrong here.

It seems you are looking for isolated network stacks for jails, each having a distinct route table etc. You need options VIMAGE in your kernel and to create jails with the vnet option (man jail) to obtain this feature.
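A jail.conf fragment that implements the reply's suggestion, added here as an example and not written by either poster: two vnet jails, each handed one of the vlan interfaces from the original post. The /jails/ paths, the hostnames and the use of exec.start to address the interface inside the jail are assumptions.

```conf
# /etc/jail.conf (added example, not from the thread). Needs a kernel built
# with "options VIMAGE", as the reply states.
#
# Why the VLAN tags alone did not help: without vnet, both jails run on the
# host's single network stack, and that stack owns both vlan1 and vlan2, so it
# forwards between 10.1.0.0/24 and 10.2.0.0/24 itself. With vnet, each jail
# gets its own stack and route table and sees only the interface moved into it.

# Settings shared by both jails
path = "/jails/$name";              # assumed layout: /jails/jail1, /jails/jail2
host.hostname = "$name.example";    # assumed hostnames
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
vnet;                               # private network stack per jail

jail1 {
    # Host side: create the tagged interface (the original post's command);
    # jail(8) then moves it into the jail's vnet when the jail is created.
    exec.prestart = "ifconfig vlan1 create vlan 1 vlandev em0";
    vnet.interface = "vlan1";
    # Inside the jail: address the interface, then run the normal rc startup.
    # The host never configures 10.1.0.1/24, so the jail's route table only
    # contains entries belonging to vlan1 (and its own lo0).
    exec.start = "ifconfig vlan1 inet 10.1.0.2/24 up";
    exec.start += "/bin/sh /etc/rc";
    # Host side, after the jail is gone: the interface returns to the host's
    # vnet, so remove it there.
    exec.poststop = "ifconfig vlan1 destroy";
}

jail2 {
    exec.prestart = "ifconfig vlan2 create vlan 2 vlandev em0";
    vnet.interface = "vlan2";
    exec.start = "ifconfig vlan2 inet 10.2.0.2/24 up";
    exec.start += "/bin/sh /etc/rc";
    exec.poststop = "ifconfig vlan2 destroy";
}
```

After `jail -c jail1 jail2`, `jexec jail1 netstat -rn` shows only routes for the jail's own interfaces, and 10.2.0.0/24 is unreachable from jail1 unless something on the trunk side routes between the VLANs.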