Date: Thu, 2 Nov 2017 15:42:55 +0100
From: Michael Gmelin
To: Marko Cupać
Cc: freebsd-net@freebsd.org
Subject: Re: VLANing between jails not segmenting traffic
Message-ID: <20171102154255.12ca7e4d@bsd64.grem.de>

On Thu, 2 Nov 2017 13:19:31 +0100
Marko Cupać wrote:

> On Mon, 30 Oct 2017 22:46:35 +0100
> Michael Gmelin wrote:
>
> > You can use fibs with net.add_addr_allfibs=0 to get separate routing
> > tables (comes with its own set of complications though).
>
> I hoped to go this way, but the fact that host (in fib0) replies to
> icmp requests destined to jail with raw_sockets disabled (in fib 1)
> via host's default gateway, making really weird routing situation.

Shouldn't you be able to fix this using a pf pass rule with rtable?
Maybe you can share more of your setup, quite curious.

-m

> Had to go back to separate physical hosts for now. Will check VIMAGE.

-- 
Michael Gmelin