Date: Wed, 31 Jan 2007 23:44:34 -0500
From: Chuck Swiger <cswiger@mac.com>
To: Jeffrey Williams <jeff@sailorfej.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: jails and multple interfaces
Message-ID: <45C17032.4030807@mac.com>
In-Reply-To: <45C081E9.50509@sailorfej.net>
References: <45C06A42.6000001@sailorfej.net> <200701311119.47888.freebsd-stable@dino.sk> <45C0722B.3060504@sailorfej.net> <200701311221.34003.freebsd-stable@dino.sk> <45C081E9.50509@sailorfej.net>
Jeffrey Williams wrote:
[ ... ]
> My only concern, and what I was hoping to get more information on, is
> whether there are any potential problems with having two active ethernet
> interfaces on the same network segment, e.g. arp issues, etc.

The problem you are going to run into is that the default behavior of FreeBSD's routing table will cause it to favor only one of the interfaces if two or more NICs are configured onto the same subnet. You can probably override this behavior for jails by setting up some /32 routes for the jail IPs or use IPFW to fwd certain traffic via specific interfaces.

If your switch has port aggregation capabilities (aka "port trunking"), you could bind them together-- see "man ng_fec". Otherwise, the normal approach really is to put the two interfaces on two distinct subnets.

However, if you really want to isolate the traffic due to concern over security, you really ought to consider using two separate machines on two separate switches handling two distinct subnets.

-- 
-Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45C17032.4030807>