On Wednesday 28 November 2007 08:12:41 am Philip M. Gollucci wrote:
> Félix Langelier wrote:
> > Hello,
> >
> > I run a FreeBSD Jailer and I want to have multiple jails in 2 separate
> > networks. The server has 2 network interfaces and each of them is
> > connected in a different network. Say vlan1 and vlan2.
> >
> > My problem is that all the network traffic is going through the first
> > interface (vlan1). What I need is that a jail in vlan1 can't communicate
> > with a jail in vlan2 (and vice-versa).
> >
> > Is it possible to split the network traffic in the right interfaces and
> > use a different default gateway for each of them?
> >
> > Here is my /etc/rc.d configuration.
> >
> > defaultrouter="192.168.1.1"
> >
> > static_routes="vlan1 vlan2"
> > route_vlan1="-net 192.168.1.0/24 192.168.1.1"
> > route_vlan2="-net 192.168.2.0/24 192.168.2.1"
> >
> > # vlan1 interface config.
> > ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.0"
> > ifconfig_bge0_alias0="192.168.1.11 netmask 255.255.255.255"
> >
> > # vlan2 interface config.
> > ifconfig_bge1="inet 192.168.2.10 netmask 255.255.255.0"
> > ifconfig_bge1_alias0="inet 192.168.2.11 netmask 255.255.255.255"
> >
> > I tried to remove the default gateway but then the server was
> > unreachable. I am thinking of using pf to resolve my issue.
>
> Removing the default gateway will work, but you have to add back
> _similar_ routes, you can't just remove it.
PF is probably the way to go. In particular, using route-to to send traffic
originating from 192.168.2.0/24 to 192.168.2.1.

I'm not totally sure what your static routes even accomplish. The kernel will
establish routes for directly connected networks automatically.

So probably some rules of interest....

# keep jails from talking to each other
block in on bge0 from 192.168.2.0/24 to 192.168.1.0/24
block in on bge1 from 192.168.1.0/24 to 192.168.2.0/24

# ignore the default route
pass out route-to (bge1 192.168.2.1) from 192.168.2.0/24 to ! 192.168.2.0/24 \
    keep state

# redundant because of the default route
# which actually does what we want
pass out route-to (bge0 192.168.1.1) from 192.168.1.0/24 to ! 192.168.1.0/24 \
    keep state

-- 
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
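A complete /etc/pf.conf assembled from the rules in the reply above, as an added example that is not part of the thread. The interface names, networks and gateways are the ones from the question; it assumes pf is enabled with pf_enable="YES" in rc.conf and that the jail addresses are the aliases shown there.

```pf
# /etc/pf.conf -- added example, not from the original thread.
# Interfaces, networks and gateways are those given in the question.
if_vlan1  = "bge0"
if_vlan2  = "bge1"
gw_vlan1  = "192.168.1.1"
gw_vlan2  = "192.168.2.1"
net_vlan1 = "192.168.1.0/24"
net_vlan2 = "192.168.2.0/24"

# Do NOT "set skip on lo0": packets between two addresses owned by this
# host (i.e. two jails) are delivered over lo0, never via bge0/bge1, so
# the jail-to-jail block rules below must be evaluated on lo0 as well.
# That is why they carry no "on <interface>" qualifier.

# Keep the two jail networks apart on every interface, and log the hits
# so "pfctl -vvsr" counters and pflog0 show whether isolation is working.
block in log quick from $net_vlan2 to $net_vlan1
block in log quick from $net_vlan1 to $net_vlan2

# Override the single defaultrouter for vlan2 sources: anything leaving
# 192.168.2.0/24 for a destination outside its own subnet is handed to
# the vlan2 gateway on bge1 instead of following the default route out
# of bge0.
pass out route-to ($if_vlan2 $gw_vlan2) from $net_vlan2 to ! $net_vlan2 \
    keep state

# vlan1 already follows the default route; stated explicitly so the
# policy reads symmetrically and still holds if defaultrouter changes.
pass out route-to ($if_vlan1 $gw_vlan1) from $net_vlan1 to ! $net_vlan1 \
    keep state

# There is deliberately no "block all": as in the reply above, everything
# not matched here (same-subnet and inbound traffic) is left untouched.
```

Syntax-check with pfctl -nf /etc/pf.conf before loading, then confirm with pfctl -vvsr that the two block rules accumulate packets when one jail tries to reach the other, and with netstat -rn that the host's own addresses are routed via lo0 as the comment assumes.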