Date: Thu, 29 Nov 2007 15:33:26 -0500
From: Félix Langelier <felix.langelier@notarius.com>
To: <freebsd-questions@freebsd.org>
Cc: Josh Paetzel <josh@tcbug.org>, "Philip M. Gollucci" <pgollucci@riderway.com>
Subject: RE: Network Configuration with Jails. [Resolved]
Message-ID: <A528456BFBC1394FB0C91228BD4BC31FD412C3@emilie.notarius.lan>
In-Reply-To: <200711281501.32594.josh@tcbug.org>
References: <A528456BFBC1394FB0C91228BD4BC31FD4110C@emilie.notarius.lan> <474D7759.2070200@riderway.com> <200711281501.32594.josh@tcbug.org>
> > Hello,
> >
> > I run a FreeBSD Jailer and I want to have multiple jails in 2
> > separate networks. The server has 2 network interfaces and each of
> > them is connected to a different network. Say vlan1 and vlan2.
> >
> > My problem is that all the network traffic is going through the
> > first interface (vlan1). What I need is that a jail in vlan1 can't
> > communicate with a jail in vlan2 (and vice-versa).
> >
> > Is it possible to split the network traffic onto the right interfaces
> > and use a different default gateway for each of them?
> >
> > Here is my /etc/rc.d configuration.
> >
> > defaultrouter="192.168.1.1"
> >
> > static_routes="vlan1 vlan2"
> > route_vlan1="-net 192.168.1.0/24 192.168.1.1"
> > route_vlan2="-net 192.168.2.0/24 192.168.2.1"
> >
> > # vlan1 interface config.
> > ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.0"
> > ifconfig_bge0_alias0="192.168.1.11 netmask 255.255.255.255"
> >
> > # vlan2 interface config.
> > ifconfig_bge1="inet 192.168.2.10 netmask 255.255.255.0"
> > ifconfig_bge1_alias0="inet 192.168.2.11 netmask 255.255.255.255"
> >
> > I tried to remove the default gateway but then the server was
> > unreachable. I am thinking of using pf to resolve my issue.
> >
>
> PF is probably the way to go. In particular using route-to to send
> traffic originating from 192.168.2.0/24 to 192.168.2.1
>
> I'm not totally sure what your static routes even accomplish. The
> kernel will establish routes for directly connected networks
> automatically.
>
> So probably some rules of interest....
>
> # keep jails from talking to each other
> block in on bge0 from 192.168.2.0/24 to 192.168.1.0/24
> block in on bge1 from 192.168.1.0/24 to 192.168.2.0/24
>
> # ignore the default route
> pass out route-to (bge1 192.168.2.1) from 192.168.2.0/24 to ! 192.168.2.0/24 \
>     keep state
>
> # redundant because of the default route
> # which actually does what we want
> pass out route-to (bge0 192.168.1.1) from 192.168.1.0/24 to ! 192.168.1.0/24 \
>     keep state

It's working perfectly. Thanks Josh!

--
Felix Langelier
Unix Sysadmin
felix.langelier@notarius.com
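An added example, not part of the thread and not Josh's or Felix's own configuration: the rules quoted above collected into one complete pf.conf. The interface names, networks and gateways are the ones from the thread; the macro names, the "quick" and "log" keywords on the block rules, and the assumption that pflog is enabled (pflog_enable="YES" in rc.conf) are additions made here. "quick" makes each block rule final regardless of where later pass rules land in the file, and "log" sends every blocked cross-network packet to pflog0 so that a jail trying to reach the other network shows up in the logs rather than silently timing out.

```pf
# Added example, not from the mailing-list thread.
# Interfaces, networks and gateways as described by Felix; macros are mine.
ext_if1 = "bge0"            # vlan1 side
ext_if2 = "bge1"            # vlan2 side
net1    = "192.168.1.0/24"
net2    = "192.168.2.0/24"
gw1     = "192.168.1.1"
gw2     = "192.168.2.1"

# Keep jails on one network from reaching jails on the other.
# "quick" stops evaluation here, so no later pass rule can override the block;
# "log" records each blocked packet on pflog0 (assumes pflog_enable="YES").
block in log quick on $ext_if1 from $net2 to $net1
block in log quick on $ext_if2 from $net1 to $net2

# Policy routing: anything sourced from a vlan2 address leaves through bge1
# and its own gateway instead of following the host's default route.
pass out route-to ($ext_if2 $gw2) from $net2 to ! $net2 keep state

# Symmetric rule for vlan1. Redundant while defaultrouter is 192.168.1.1,
# but it keeps the policy explicit if the default route ever changes.
pass out route-to ($ext_if1 $gw1) from $net1 to ! $net1 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, confirm the loaded rules with `pfctl -sr`, and watch for blocked packets with `tcpdump -n -e -ttt -i pflog0`. One check worth doing on the host itself: `netstat -rn` shows which interface carries traffic between two jail addresses. FreeBSD installs host routes for locally configured addresses via lo0, so packets between two jails on the same host can be delivered over lo0 without ever crossing bge0 or bge1; if that is the case on a given host, the isolation must also be expressed as rules on lo0 (and lo0 must not be excluded with "set skip") for the block to apply to local jail-to-jail traffic.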