Date:      Mon, 16 Oct 2017 16:22:04 +0200
From:      Marko Cupać <marko.cupac@mimar.rs>
To:        freebsd-net@freebsd.org
Subject:   setfib (ez)jails and weird routing
Message-ID:  <20171016162204.5d01a1b1@efreet-freebsd.kappastar.com>

Hi,

I have already asked this on -jail two weeks ago, but perhaps this is a
better place to ask.

I notice weird routing in my setfib (ez)jails setup.

I have a server with multiple NICs. setfib should ensure that LAN jails
(setfib 1) can not talk to DMZ jails (setfib 2) over loopbacks, but
need to go through firewalls as though they were physical boxes.

pacija@warden3:~ % sudo setfib 1 netstat -rn
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.30.19.190       UGS        bce0
10.30.19.160/27    00:1c:c4:de:0a:86  US         bce0
127.0.0.1          lo0                UHS         lo0
127.0.1.0/24       lo1                US          lo1

pacija@warden3:~ % sudo setfib 2 netstat -rn
Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
default            193.53.106.254     UGS        bce1
127.0.0.1          lo0                UHS         lo0
127.0.2.0/24       lo2                US          lo2
193.53.106.0/24    00:1c:c4:de:0a:84  US         bce1

Host has the same default route as fib 1:

pacija@warden3:~ % sudo netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.30.19.190       UGS        bce0
...

If I ssh from the Internet into a DMZ jail, everything works as expected.
But if I ping a DMZ jail from the Internet, I see reply packets leaving
not on the interface they came in on (bce1, public address space, DMZ), but
on another one (bce0, private address space, LAN). This is kinda
understandable, because the jail on fib 2 does not have ICMP enabled, so
it is not the DMZ jail but the host (which is in fib 0) that replies to
the packets via its default gateway (a router on the private LAN).

Is there an easy and elegant way to solve this? Like binding an IP address
to a fib? I wouldn't like to have to fire up pf on the host and meddle with
reply-to rules in order to achieve this; I'd rather revert to the old setup
of separate physical servers for each network.

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
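The asymmetric reply described in the post can be checked offline from the routing tables it quotes. The script below is an added example, not part of the original message or of FreeBSD: it parses `setfib N netstat -rn` output, does a longest-prefix lookup in the chosen FIB, and flags a reply that would leave on a different interface than the request arrived on. The fib 1 and fib 2 tables are copied from the post; fib 0 is modelled with only the default route the post shows (the rest is elided there), and the Internet source address 198.51.100.7 is a constructed sample value.

```python
"""Offline check for asymmetric replies across FreeBSD FIBs.

Parses `setfib N netstat -rn` text, finds the longest-prefix route a reply
would take in a given FIB, and reports whether it leaves on the interface the
request came in on. Routing tables are constructed copies of those in the post.
"""
import ipaddress

NETSTAT_BY_FIB = {
    # fib 0 (host): the post shows only the default route, so only that is modelled
    0: """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.30.19.190       UGS        bce0
""",
    1: """\
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.30.19.190       UGS        bce0
10.30.19.160/27    00:1c:c4:de:0a:86  US         bce0
127.0.0.1          lo0                UHS         lo0
127.0.1.0/24       lo1                US          lo1
""",
    2: """\
Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
default            193.53.106.254     UGS        bce1
127.0.0.1          lo0                UHS         lo0
127.0.2.0/24       lo2                US          lo2
193.53.106.0/24    00:1c:c4:de:0a:84  US         bce1
""",
}


def parse_routes(text):
    """Return [(network, gateway, flags, netif)] parsed from `netstat -rn` text."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # skip blank lines, the "Routing tables" banner, section and column headers
        if len(parts) < 4 or parts[0] in ("Routing", "Destination"):
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            # host routes print without a prefix length ("127.0.0.1" -> /32)
            network = ipaddress.ip_network(dest, strict=False)
        routes.append((network, gateway, flags, netif))
    return routes


ROUTES_BY_FIB = {fib: parse_routes(text) for fib, text in NETSTAT_BY_FIB.items()}


def lookup(fib, dst):
    """Longest-prefix match for dst in the given FIB; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in ROUTES_BY_FIB[fib]:
        network = route[0]
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = route
    return best


def reply_interface(fib, src):
    """Interface a reply to `src` leaves on when the replying socket lives in `fib`."""
    route = lookup(fib, src)
    return route[3] if route else None


def is_asymmetric(ingress_iface, fib, src):
    """True when the reply to a packet from `src` that arrived on `ingress_iface`
    would leave on some other interface (or has no route at all) in `fib`."""
    return reply_interface(fib, src) != ingress_iface


if __name__ == "__main__":
    internet_src = "198.51.100.7"  # constructed sample address of the pinging host
    for fib in (0, 2):
        print(f"echo from {internet_src} in on bce1, replied from fib {fib}: "
              f"out via {reply_interface(fib, internet_src)}, "
              f"asymmetric={is_asymmetric('bce1', fib, internet_src)}")
```

Run it as-is: a reply sent from fib 2 (the DMZ jail's FIB) leaves on bce1, matching the ingress interface, while the same reply sent from fib 0 (the host, which answers ICMP here) is routed out bce0, which is the asymmetric path the post observes. Feeding the script real `setfib N netstat -rn` output in place of the constructed tables gives the same check for any host.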


