Date:      Wed, 31 Jan 2007 23:44:34 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        Jeffrey Williams <jeff@sailorfej.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: jails and multple interfaces
Message-ID:  <45C17032.4030807@mac.com>
In-Reply-To: <45C081E9.50509@sailorfej.net>
References:  <45C06A42.6000001@sailorfej.net> <200701311119.47888.freebsd-stable@dino.sk> <45C0722B.3060504@sailorfej.net> <200701311221.34003.freebsd-stable@dino.sk> <45C081E9.50509@sailorfej.net>

Jeffrey Williams wrote:
[ ... ]
> My only concern, and what I was hoping to get more information on, is 
> whether there are any potential problems with having two active ethernet 
> interfaces on the same network segment, e.g. arp issues, etc.

The problem you are going to run into is that the default behavior of 
FreeBSD's routing table will cause it to favor only one of the interfaces if 
two or more NICs are configured onto the same subnet.  You can probably 
override this behavior for jails by setting up some /32 routes for the jail 
IPs or using IPFW to fwd certain traffic via specific interfaces.

If your switch has port aggregation capabilities (aka "port trunking"), you 
could bind them together-- see "man ng_fec".

Otherwise, the normal approach really is to put the two interfaces on two 
distinct subnets.  However, if you really want to isolate the traffic due to 
concern over security, you really ought to consider using two separate 
machines on two separate switches handling two distinct subnets.

-- 
-Chuck


