Date: Thu, 2 Nov 2017 16:46:57 +0100
From: Michael Gmelin <grembo@freebsd.org>
To: Marko Cupać <marko.cupac@mimar.rs>
Cc: freebsd-net@freebsd.org
Subject: Re: VLANing between jails not segmenting traffic
Message-ID: <20171102164657.59074b14@bsd64.grem.de>
In-Reply-To: <20171102162101.4e334dfd@efreet-freebsd.kappastar.com>
References: <4d50ef1e-1cc2-aca2-d390-313ef824d524@gmail.com> <59F79902.40408@grosbein.net> <2A44422B-31A9-4ADC-8FCE-D1F8BC03623C@freebsd.org> <20171102131931.452f1106@efreet-freebsd.kappastar.com> <20171102154255.12ca7e4d@bsd64.grem.de> <20171102162101.4e334dfd@efreet-freebsd.kappastar.com>
On Thu, 2 Nov 2017 16:21:01 +0100
Marko Cupać <marko.cupac@mimar.rs> wrote:

> On Thu, 2 Nov 2017 15:42:55 +0100
> Michael Gmelin <grembo@freebsd.org> wrote:
>
> > On Thu, 2 Nov 2017 13:19:31 +0100
> > Marko Cupać <marko.cupac@mimar.rs> wrote:
> >
> > > On Mon, 30 Oct 2017 22:46:35 +0100
> > > Michael Gmelin <grembo@freebsd.org> wrote:
> > >
> > > > You can use fibs with net.add_addr_allfibs=0 to get separate
> > > > routing tables (comes with its own set of complications
> > > > though).
> > >
> > > I hoped to go this way, but the fact that the host (in fib0) replies
> > > to icmp requests destined to a jail with raw_sockets disabled (in
> > > fib 1) via the host's default gateway makes a really weird routing
> > > situation.
> >
> > Shouldn't you be able to fix this using a pf pass rule with
> > rtable?
>
> I am sure it could be fixed as you said, but I don't want to introduce
> more complexity with PF.

It would be something simple like "pass proto icmp to y rtable n"

If you're not already using pf you obviously don't want to introduce it
only to solve this problem.

> > Maybe you can share more of your setup, quite curious.
>
> I wrote about that here on the list, and on -jail as well (both are
> the same):
> [https://lists.freebsd.org/pipermail/freebsd-jail/2017-September/003442.html]
> [https://lists.freebsd.org/pipermail/freebsd-net/2017-October/049037.html]
>
> I also got an off-list reply from a guy who says this behaviour was
> introduced in 11.X, and not present in 10.X. Didn't have the time to
> test on 10.X.

I only use 10.x for complex networking in production right now :/

-m

> Regards,

-- 
Michael Gmelin
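The multi-FIB setup and the pf rule discussed in the thread, as an added example that is not code from the thread or from FreeBSD itself: the comments sketch the host-side commands, and the script builds the rtable rule and checks, from constructed `netstat -rnF` output, that FIB 0 and the jail FIB really resolve "default" to different gateways. Addresses, interface names and FIB numbers are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). On the FreeBSD host the corrected
# setup the thread describes would be (not executed here):
#   sysctl net.add_addr_allfibs=0          # new addresses/interface routes go
#                                          # only into the FIB of the process
#                                          # that configures them
#   setfib 1 route add default 192.0.2.1   # own default route for the jail FIB
#   jail ... exec.fib=1 ...                # jail processes use FIB 1
#   pf.conf: pass proto icmp to 192.0.2.10 rtable 1
#                                          # kernel ICMP replies to the jail
#                                          # address are routed via FIB 1, not
#                                          # via the host's FIB 0 default route

# Build the rule the thread proposes ("pass proto icmp to y rtable n").
pf_icmp_rtable_rule() {
    printf 'pass proto icmp to %s rtable %s\n' "$1" "$2"
}

# Print the default gateway from `netstat -rnF <fib>` output read on stdin;
# prints nothing when that FIB has no default route.
default_gw() {
    awk '$1 == "default" { print $2; exit }'
}

# Constructed sample outputs (assumed layout of `netstat -rnF 0` / `-rnF 1`).
FIB0_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
203.0.113.0/24     link#1             U           em0
127.0.0.1          link#2             UH          lo0'

FIB1_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS       vlan10
192.0.2.0/24       link#3             U         vlan10'

# Succeeds only when both FIBs have a default route and the gateways differ,
# i.e. jail traffic really has its own routing domain.
fibs_are_split() {
    gw0=$(printf '%s\n' "$FIB0_ROUTES" | default_gw)
    gw1=$(printf '%s\n' "$FIB1_ROUTES" | default_gw)
    [ -n "$gw0" ] && [ -n "$gw1" ] && [ "$gw0" != "$gw1" ]
}
```

On a real host, replace the constructed samples with `netstat -rnF 0` and `netstat -rnF 1` output.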
