Date: Sun, 29 Jun 2025 22:55:49 -0400
From: Paul Procacci <pprocacci@gmail.com>
To: Mason Loring Bliss <mason@blisses.org>
Cc: freebsd-net@freebsd.org
Subject: Re: rp_filter equivalent?
Message-ID: <CAFbbPuhJm9ra5WAPUZCwOrGx5SKzEY0ecqM2VOEHEQ17T0h3uA@mail.gmail.com>
In-Reply-To: <aGH05-Sd25uFPEBf@blisses.org>
References: <aGHohWgtKxaPgdeR@blisses.org> <CAFbbPujxeDWotQROy9z4mSsxxr74d0hiQoiU%2Boj_GWgaS9z6hQ@mail.gmail.com> <aGH05-Sd25uFPEBf@blisses.org>

On Sun, Jun 29, 2025 at 10:22 PM Mason Loring Bliss <mason@blisses.org> wrote:
>
> On Sun, Jun 29, 2025 at 09:48:58PM -0400, Paul Procacci wrote:
>
> > To "fix" your problem ......
> > You need to create a bridge.
> > Add your main interface to the bridge.
> > You can assign your .10 to the bridge.
> > Then, you can create your epair.
> > Assign the a side to the bridge and the b side to your jail.
> > Add your .50 to the 'b' side, and add the default route of .1.
>
> Hrm, hrm. That's what I was doing first. I was basing it off what I use
> here:
>
> https://wiki.freebsd.org/MasonLoringBliss/JailsEpair
>
> In fact... I... am pretty sure I did exactly what you're suggesting, but
> the system told me I couldn't set a default route in the jail because it
> wasn't a legal address.
>
> So: NIC, epair0a in bridge0; epair0b in vnet jail. If epair0b had the
> correct (floating) address I couldn't set the default route, because the
> default route was in an unrelated /24. I had to set epair0a to something in
> the same /24 for me to get a default route set for epair0b, and I had to
> break epair0a out of the bridge.
>
> I'll mess with it again sometime soon because I feel like it really ought
> to have worked the way I set it up first. I'll report back here with more
> details. It's working now, but I really don't like *how* it's working.
>
> --
> Mason Loring Bliss  ((  If I have not seen as far as others, it is because
> mason@blisses.org    ))  giants were standing on my shoulders. - Hal Abelson

Ok, I misunderstood what you initially wrote because the language you're
using isn't exactly what I'd expect in the world of networking.

To clear up any confusion ... you have two ip addresses, each one being in
a different subnet. The ip assigned to the host and the gateway that the
host talks to are in one subnet while the other ip address assigned to the
jail/vnet is in an entirely different subnet.

The easiest solution here is asking the provider for a gateway you can use
with the ip address in the second subnet, assuming it's anything but a /32.

Without that, you'd have to forgo using VNET and instead first add the ip
address as an alias to the main interface, only then to be assigned to the
jail upon startup. It would share the system networking but there'd be no
confusion at that point how things get routed.

Using VNET, you can try the following within the jail but I've never tried:

    route add -net w.x.y.z/mask a.b.c.1
    route add default a.b.c.1

Not sure if that'd work but seems reasonable.

~Paul
--
__________________

:(){ :|:& };: