From owner-freebsd-net@FreeBSD.ORG Tue Aug 28 23:13:55 2007
Date: Tue, 28 Aug 2007 17:43:14 -0500
From: Josh Paetzel <josh@tcbug.org>
To: Jeffrey Williams
Cc: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: Running jails on multiple subnets with multiple interfaces
Message-ID: <20070828224314.GB4446@tcbug.org>
In-Reply-To: <46D4983E.2050305@sailorfej.net>
References: <46D4983E.2050305@sailorfej.net>
List-Id: Networking and TCP/IP with FreeBSD

Jeffrey Williams wrote:
> I have a server with two interfaces. I want to run the host and a couple of
> jails using one interface on one subnet (internal interface, private IP,
> behind NAT/firewall) and some other jails using the other interface on
> another subnet (external interface, public IP, DMZ).
>
> Now my understanding of the challenge in doing this is that the network
> stack is not "virtualized" in the jails, so all the jails use the same
> routing table, and for obvious reasons only one default router. (Also, just
> for the sake of clarity, I don't want to enable routing between interfaces
> on the jail host.)
>
> Now if I understand all this correctly, then what will happen is, if I set
> the default router to the internal network's exit router (the NAT/firewall),
> then the jails listening on the external interface will only be able to talk
> to their local subnet, and because the internal subnet won't exist for them
> they won't be able to connect to the network at large.
>
> If I set the default router to the external network's exit router (the DMZ
> perimeter firewall), then the host and jails listening on the internal
> network won't be able to talk to the internet beyond the local nets: the
> jails because the external network doesn't exist for them, and the host
> because even though it can talk to both nets, the services are configured to
> only listen on the internal net, and it will be trying to send all outgoing
> traffic to the public net, thus not creating any NAT table entries on the
> NAT/firewall for the return connections.
>
> Is there any way to achieve what I am trying to do?
>
> Thanks
> Jeffrey Williams

PF makes a very effective workaround to this with its route-to option...effectively letting you bypass the routing table altogether and set up per-IP behavior. For instance, I use it in the following scenario, where a box has two interfaces with public IPs and I don't want answers to connections on the 'secondary' interface to go out the default route.

connection 1's router 192.168.1.1
em0 ip 192.168.1.2/24

connection 2's router 10.0.0.1
em1 ip 10.0.0.2/24

If connection 1 is the 'primary' link, then set the default route to 192.168.1.1 and put the following rule in pf.conf:

pass out route-to (em1 10.0.0.1) from 10.0.0.2 to ! 10.0.0.0/24

If you were to give more concrete examples of your config I could probably help you out with a workable pf solution.

--
Thanks,
Josh Paetzel
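The following pf.conf is an added example written for this archive page, not a configuration from either poster, applying the route-to approach above to the two-subnet jail host Jeffrey describes. Interface names (em0 internal, em1 DMZ), the 192.168.1.0/24 and 203.0.113.0/24 address ranges, the gateway addresses and the jail IPs are all assumptions chosen for illustration. It goes one step beyond the single rule in the reply: because pf is stateful, a reply packet to a connection that arrived on em1 matches the existing state and never reaches the `pass out route-to` rule, so the inbound rule for the DMZ jails carries a `reply-to` that pins replies to the DMZ gateway as well.

```pf
# Added example pf.conf for a jail host with two interfaces and one routing
# table (not from the original thread).  Names and addresses are assumptions.
#
#   em0  192.168.1.2/24   internal, behind NAT; system default route -> 192.168.1.1
#   em1  203.0.113.2/24   DMZ, public; perimeter firewall at 203.0.113.1
#
# Host and internal jails live on em0 and simply follow the routing table.
# DMZ jails live on em1 and must never send via the default route, so every
# packet to or from them is steered with route-to / reply-to.

int_if  = "em0"
int_net = "192.168.1.0/24"
int_gw  = "192.168.1.1"

ext_if  = "em1"
ext_net = "203.0.113.0/24"
ext_gw  = "203.0.113.1"

dmz_jails = "{ 203.0.113.10, 203.0.113.11 }"   # assumed DMZ jail addresses
dmz_ports = "{ 80, 443 }"                       # assumed services they expose

set skip on lo0
block log all

# --- DMZ jails ---------------------------------------------------------------
# Inbound connections to the DMZ jails.  reply-to records the gateway in the
# state entry, so reply packets are sent to $ext_gw through em1 instead of
# being routed through em0 by the default route.
pass in on $ext_if reply-to ($ext_if $ext_gw) proto tcp \
    from any to $dmz_jails port $dmz_ports flags S/SA keep state

# Connections the DMZ jails originate to hosts off their own subnet.  The
# kernel first routes these via the default route, i.e. out em0, so the rule
# deliberately has no "on" clause: it matches wherever the routing table put
# the packet and route-to re-sends it through em1 to the DMZ gateway.
pass out route-to ($ext_if $ext_gw) \
    from $dmz_jails to ! $ext_net keep state

# Traffic between DMZ jails and their own subnet needs no steering.
pass out on $ext_if from $dmz_jails to $ext_net keep state

# --- host and internal jails -------------------------------------------------
# These use the routing table as-is (default route via the NAT/firewall).
pass in  on $int_if from $int_net to $int_net keep state
pass out on $int_if from $int_net keep state

# Nothing is allowed to cross from one subnet to the other through this box;
# with "block log all" above and forwarding disabled, no rule permits it.
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf` and `pfctl -e`. To confirm the steering works, open a connection from a DMZ jail to an outside address and watch `tcpdump -ni em1` while checking `pfctl -ss` for the state entry; the packets should leave em1 even though `netstat -rn` still shows the default route pointing at the internal gateway. Since the requirement is that the host not route between the two interfaces, also confirm `sysctl net.inet.ip.forwarding` reports 0; route-to only re-sends locally generated or locally terminated packets and does not depend on forwarding being enabled.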