From owner-freebsd-net@freebsd.org Tue Dec 1 07:49:53 2015
Date: Tue, 1 Dec 2015 08:49:50 +0100
Subject: Re: vimage and jail networking
From: Ben Woods
To: Nathan Aherne
Cc: Julian Elischer, freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

On 1 December 2015 at 06:48, Nathan Aherne wrote:

> Thank you for helping me to understand vimage better Julian! I have read
> all three links you posted a number of times.
>
> I use iocage for jail management and it uses epair. From your comments it
> seems you recommend netgraph?
>
> This is the link to the iocage image instructions:
> https://iocage.readthedocs.org/en/latest/networking.html#configuring-a-vnet-jail
> It seems that iocage does a number of things automatically, or at least I am
> still confused on how to use iocage and vimage to have multiple jails share
> a single public (external) IP. I will continue to read the links you sent
> me in the hopes that the aha moment comes to me.
>
> Regards,
>
> Nathan

The public IP will be configured on whichever device you have connected to the internet. Normally that is a physically separate edge firewall/router. It has the public IP and performs NAT for any devices on the LAN that talk to the internet. This configuration has nothing to do with your jails - it is required for any computers on your LAN which talk to the internet.

The jails are then each configured with a LAN address (10.0.0.0/8 range if you like). When they need to talk to the internet, they will go via their default route, which is normally your edge firewall/router, and is often given a 10.0.0.1 address (but could be anything you like).

The router will perform the NAT, and if you want the jails to host services listening for internet traffic, you will also need to configure port forwarding on the router to send traffic on the relevant ports to your jails on their LAN IP address. Note that if your router happens to be the host running the jails, this doesn't change any of the above.

Regards,
Ben
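The setup Ben describes, written out as a pf.conf for the case where the FreeBSD host running the vnet jails is also the edge router. This is an added example, not part of the thread and not iocage's or FreeBSD's own configuration; the interface names (em0 for the public side, bridge0 as the LAN side the jails' epair ends are bridged onto), the 10.0.0.0/24 jail network with 10.0.0.1 on the host, and the web jail at 10.0.0.10 are all assumed values for illustration.

```pf
# Assumed names and addresses (not from the original thread):
ext_if   = "em0"          # interface holding the single public IP
jail_if  = "bridge0"      # host side of the jails' epair interfaces, 10.0.0.1/24
jail_net = "10.0.0.0/24"  # LAN range handed out to the jails
web_jail = "10.0.0.10"    # the one jail that serves HTTP to the internet

set skip on lo0
scrub in all

# Outbound: every jail leaves via its default route (10.0.0.1 on this host)
# and is source-NATed to the public IP, exactly as a separate router would do.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Inbound: port forwarding. Forward only the port a jail actually serves;
# everything else on the public IP stays blocked below.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_jail port 80

# Default deny on the public side, log what gets dropped.
block in log on $ext_if

# Jails may talk to the host and, via NAT above, to the internet.
pass in  on $jail_if inet from $jail_net to any keep state
pass out on $ext_if inet keep state

# rdr translates before filtering, so the pass rule matches the jail address.
pass in on $ext_if inet proto tcp from any to $web_jail port 80 flags S/SA keep state
```

For this to work the host must also forward packets between em0 and bridge0 (sysctl net.inet.ip.forwarding=1, or gateway_enable="YES" in rc.conf), and each jail's default route must point at 10.0.0.1. Keeping a single rdr line per exposed service, plus the default block, means a jail that is compromised still only has the ports you listed reachable from the internet, and the pf log shows any attempt to reach the others.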