Date:      Mon, 30 Oct 2017 22:46:35 +0100
From:      Michael Gmelin <grembo@freebsd.org>
To:        Eugene Grosbein <eugen@grosbein.net>
Cc:        Farhan Khan <khanzf@gmail.com>, freebsd-net@freebsd.org
Subject:   Re: VLANing between jails not segmenting traffic
Message-ID:  <2A44422B-31A9-4ADC-8FCE-D1F8BC03623C@freebsd.org>
In-Reply-To: <59F79902.40408@grosbein.net>
References:  <4d50ef1e-1cc2-aca2-d390-313ef824d524@gmail.com> <59F79902.40408@grosbein.net>



> On 30. Oct 2017, at 22:26, Eugene Grosbein <eugen@grosbein.net> wrote:
>
> 31.10.2017 4:08, Farhan Khan writes:
>> Hi all,
>>
>> I am trying to experiment with setting up two jails on different VLANs, but have not been able to segment traffic.
>>
>> My configuration was to create vlan1 for jail1 and vlan2 for jail2.
>>
>> I did the following commands:
>> ifconfig vlan1 create vlan 1 vlandev em0
>> ifconfig vlan1 10.1.0.1/24
>> ifconfig vlan2 create vlan 2 vlandev em0
>> ifconfig vlan2 10.2.0.1/24
>>
>> Within each jail, I set the interface to be vlan1 and vlan2 and assigned them the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.
>>
>> I can still have connectivity between the two VLANs.
>>
>> Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route outbound at all. An `ifconfig` shows 0xffffff00 (/24) so my expected behavior would be to say "unable to route". It can even connect to the external interface's IP address. At a minimum it should not even know how to connect to the 10.2.0.0/24 network at all.
>>
>> I was advised that its connectivity is because Jails use the base system's routing table. If so, how could one possibly separate network traffic? That's the entire purpose of VLANing.
>>
>> I have been advised to use pf to prevent that, but shouldn't VLANing provide that separation mechanism? I do not know what I might be doing wrong here.
>
> It seems you are looking for isolated network stacks for jails each having distinct route table etc.
> You need options VIMAGE for your kernel and create jails with vnet option (man jail)
> to obtain this feature.

You can use fibs with net.add_addr_allfibs=0 to get separate routing tables (comes with its own set of complications though).

-m
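An added sh example (not code from the thread or from any of its posters) of the FIB approach mentioned above, applied to the two VLAN jails from the original question. It assumes FreeBSD with em0 as the trunk, jail roots under /jails, and that net.fibs was raised in /boot/loader.conf (for example net.fibs=3) so FIB 1 and FIB 2 exist; run it with DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD, trunk em0, jail
# roots under /jails, and net.fibs raised in /boot/loader.conf beforehand.
# DRY_RUN=1 prints each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Stop new addresses from being mirrored into every FIB. Without this the
# connected /24 of each vlan interface lands in FIB 0, 1 and 2 alike and the
# jails keep reaching each other through the host's shared routing table.
fib_isolate() {
    run sysctl net.add_addr_allfibs=0
}

# jail_vlan_fib <jail> <vlan-id> <trunk> <fib> <host-addr/len> <jail-addr/len>
# Creates vlan<id> on the trunk, binds the interface to its own FIB so its
# connected route only exists there, then starts a non-vnet jail whose
# processes are pinned to that FIB with exec.fib. The jail's address is an
# alias on the same vlan interface ("ifname|addr" form of ip4.addr).
# Note: the jail still shares the host's single network stack; only the
# routing table differs, which is the "complications" part of the FIB route.
jail_vlan_fib() {
    name=$1 vid=$2 trunk=$3 fib=$4 hostaddr=$5 jailaddr=$6
    ifn="vlan${vid}"
    run ifconfig "$ifn" create vlan "$vid" vlandev "$trunk"
    run ifconfig "$ifn" inet "$hostaddr" fib "$fib"
    run jail -c name="$name" path="/jails/$name" host.hostname="$name" \
        ip4.addr="${ifn}|${jailaddr}" exec.fib="$fib" persist
}

# The full plan for the two jails described in the question.
plan() {
    fib_isolate
    jail_vlan_fib jail1 1 em0 1 10.1.0.1/24 10.1.0.2/24
    jail_vlan_fib jail2 2 em0 2 10.2.0.1/24 10.2.0.2/24
}

# Number of interfaces the plan binds to a FIB (one per jail). # → 2
fib_binding_count() {
    ( DRY_RUN=1; plan ) | grep -c ' fib '
}
```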
