On 31/10/17 5:26 am, Eugene Grosbein wrote:
31.10.2017 4:08, Farhan Khan wrote:
Hi all,

I am trying to experiment with setting up two jails on different VLANs, but 
have not been able to segment traffic.

My configuration was to create vlan1 for jail1 and vlan2 for jail2.

I did the following commands:
ifconfig vlan1 create vlan 1 vlandev em0
ifconfig vlan1 10.1.0.1/24
ifconfig vlan2 create vlan 2 vlandev em0
ifconfig vlan2 10.2.0.1/24

Within each jail, I set the interface to be vlan1 and vlan2 and assigned them 
the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.

I can still have connectivity between the two VLANs.

Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route outbound at all. 
An `ifconfig` shows 0xffffff00 (/24) so my expected behavior would be to say "unable 
to route". It can even connect to the external interface's IP address. At a minimum 
it should not even know how to connect to the 10.2.0.0/24 network at all.

I was advised that its connectivity is because Jails use the base system's 
routing table. If so, how could one possibly separate network traffic? That's 
the entire purpose of VLANing.

I have been advised to use pf to prevent that, but shouldn't VLANing provide 
that separation mechanism? I do not know what I might be doing wrong here.

It seems you are looking for isolated network stacks for jails, each having 
a distinct route table etc.
You need options VIMAGE for your kernel and create jails with the vnet option 
(man jail) to obtain this feature.

so, a couple of months later, did you try out VIMAGE?
it's designed to give you EXACTLY what you are looking for.
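The vnet setup Eugene describes, applied to Farhan's vlan1/vlan2 layout, as an added example that is not from the thread: an /etc/jail.conf fragment that gives each jail its own network stack and routing table. It assumes a kernel built with options VIMAGE, jail roots under /jails/<name>, and em0 as the trunk interface; the jail names, paths and the $vid/$addr variables are placeholders chosen here.

```conf
# Added example (not from the thread): /etc/jail.conf for two vnet jails,
# each on its own VLAN. Assumes a VIMAGE kernel, jail roots under
# /jails/<name> and em0 as the trunk interface (all placeholders).

# Settings shared by every jail
path = "/jails/$name";
host.hostname = "$name.example";
exec.clean;
mount.devfs;
exec.stop = "/bin/sh /etc/rc.shutdown";

# Each jail gets its own virtual network stack. The vlan interface is
# created on the host before the jail starts, moved into the jail by
# vnet.interface, addressed from inside the jail, and destroyed on stop.
vnet;
vnet.interface = "vlan$vid";
exec.prestart = "ifconfig vlan$vid create vlan $vid vlandev em0";
exec.start = "ifconfig vlan$vid inet $addr/24";
exec.start += "/bin/sh /etc/rc";
exec.poststop = "ifconfig vlan$vid destroy";

jail1 {
    $vid = 1;
    $addr = "10.1.0.2";
}

jail2 {
    $vid = 2;
    $addr = "10.2.0.2";
}
```

After `jail -c jail1 jail2`, `jexec jail1 netstat -rn` lists only that jail's connected 10.1.0.0/24 route, so 10.2.0.0/24 and the host's em0 address are unreachable unless a route is deliberately added; the host's own `ifconfig` no longer shows vlan1 while the jail runs.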



_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"