From: "Bjoern A. Zeeb"
Subject: Re: IPv6 routes leaking between FIBs?
Date: Mon, 29 Dec 2014 19:34:03 +0000
To: Julian Elischer
Cc: freebsd-net@freebsd.org, Jason Healy
In-Reply-To: <54A1A8D2.9080704@freebsd.org>
References: <54A0F4A7.5020502@freebsd.org> <54A1A8D2.9080704@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

> On 29 Dec 2014, at 19:17 , Julian Elischer wrote:
>
> On 12/30/14 1:59 AM, Jason Healy wrote:
>> On Dec 29, 2014, at 1:28 AM, Julian Elischer wrote:
>>
>>> to some extent this is what it was written for.. the fib code was written for Ironport/Cisco for separating the management port from the data ports on their appliances, however the VNET code that came later is an even cleaner way of doing it and FIBs were only used by Ironport because VNET was not yet available. Have you tried vnet jails for interface isolation?
>> I freely admit that I haven't. I'm just coming over to FreeBSD and while I'm aware of jails, I thought of them more as service isolation than for routing.
>>
>> I'm searching around for a moment, and I'm not 100% sure this is going to work for my use case. Can you confirm that jails would be the most appropriate way to solve my problem? These are the major requirements:
>>
>> - A router/firewall that will perform NAT from an internal RFC1918 space to public IPv4, as well as stateful firewalling of IPv6 packets passed to it.
>>
>> - 3 interfaces:
>> 1) Transit interface (10g, packets to/from PF are received/sent on this interface)
>> 2) PFsync (to connect to a second box for active-active PF)
>> 3) Management (LAN side only)
> the only hitch may be the pfsync stuff.. I have no idea about how virtualised that is and I never use pf..or pfsync.

pf and VNETs are a cause for panic at the moment; don't go that route (yet).

> Basically you can assign a completely separate network stack to the management interface, (or the other ones)
> and run whatever the application is in the jail.. it's still possible to communicate with the jailed processes using shared files or fifos, but they have a completely separate network stack and are therefore completely unaware of the management interface.
> Each jail (if enabled with vnet option) has its own interfaces, routing tables, firewall(s) etc.
>
>> - Separate routing tables for the transit and management interfaces, so that the transit interface can have a default route that is distinct from that of the management network.
>>
>> It sounds to me that if I ran this as a jail, I'd need to throw the 10g transit interface and the pfsync interface into the jail, and leave the management interface on the host. I'd probably need to run PF in the jail as well? Or are we just using the jail to isolate the routing tables, and I'd still run PF on the host?
>>
>> I'm happy to provide more details on the setup in case there's a better way to architect this. I'm a Debian/OpenBSD guy, so I'm sorry if I don't have all the terminology sorted out yet...
>>
>> I will still file a bug against the FIB code, as it sounds like that's not working as intended/designed.
>>
>> Thanks,
>>
>> Jason
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Bjoern A. Zeeb
Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend."
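The thread above discusses two ways to keep the management interface's routing apart from the transit interface on a FreeBSD firewall: per-interface FIBs on one host, or a vnet jail that owns the data-plane interfaces. The script below is an added example written for this page; it is not code from the thread, from Bjoern, Julian or Jason, or from the FreeBSD project. It sketches both approaches as shell functions and adds the check a practitioner would want after either one: that two routing tables really carry different default routes, which is exactly what Jason reports not seeing between FIBs. Interface names (ix0 transit, ix1 pfsync, igb0 management), all addresses, the jail path and the sample netstat output are assumptions constructed for illustration. Following Bjoern's warning that pf inside a vnet jail panicked at the time (December 2014), the jail stanza deliberately leaves firewalling out.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD project: the two
# isolation approaches the replies discuss (per-interface FIBs on one
# host, or a vnet jail that owns the data-plane interfaces), plus a
# small check that two routing tables carry different default routes.
# Interface names (ix0 transit, ix1 pfsync, igb0 management), addresses
# and the jail path are assumptions for illustration.

# ---- Approach 1: separate FIBs on the host --------------------------
# Needs net.fibs=2 in /boot/loader.conf and a reboot. Packets arriving
# on igb0 and sockets of processes started under "setfib 1" use FIB 1;
# the transit interface keeps using FIB 0. Run on FreeBSD as root.
fib_setup() {
    ifconfig igb0 fib 1
    setfib 1 route add default 10.0.0.1                  # management gateway
    setfib 1 route add -inet6 default 2001:db8:1::1
    route add default 203.0.113.1                        # transit gateway
    route add -inet6 default 2001:db8::1
}

# ---- Approach 2: a vnet jail owning the transit and pfsync interfaces
# Prints a /etc/jail.conf stanza. The management interface stays on the
# host, so the jailed stack cannot see it at all. pf is left out of the
# stanza on purpose: at the time of the thread pf inside a vnet jail
# was reported to panic.
vnet_jail_conf() {
    cat <<'EOF'
router {
    path = "/jails/router";
    host.hostname = "router";
    vnet;
    vnet.interface = "ix0", "ix1";
    exec.start  = "/sbin/ifconfig ix0 inet 203.0.113.2/24 up";
    exec.start += "/sbin/ifconfig ix0 inet6 2001:db8::2/64";
    exec.start += "/sbin/route add default 203.0.113.1";
    exec.start += "/sbin/route add -inet6 default 2001:db8::1";
    persist;
}
EOF
}

# ---- Check: does each table have its own default route? -------------
# default_gateway reads "netstat -rn" output on stdin and prints the
# gateway of the first "default" entry.
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# Exit status 0 when the two tables (passed as strings) have different
# default gateways, 1 when they share one, i.e. no separation.
fibs_separated() {
    [ "$(printf '%s\n' "$1" | default_gateway)" != \
      "$(printf '%s\n' "$2" | default_gateway)" ]
}

# On a FreeBSD host, one address family at a time:
#   fibs_separated "$(netstat -rn -f inet -F 0)" "$(netstat -rn -f inet -F 1)"
# (use -f inet6 to check the IPv6 tables the thread is about).

# Constructed sample tables in netstat -rn layout, not captured from a
# real host. The connected 203.0.113.0/24 and 10.0.0.0/24 routes appear
# in both tables: this assumes FreeBSD's net.add_addr_allfibs sysctl at
# its then-default of 1, which installs interface routes in every FIB,
# so only the default routes are expected to differ.
SAMPLE_FIB0='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         ix0
203.0.113.0/24     link#1             U           ix0
10.0.0.0/24        link#3             U          igb0'
SAMPLE_FIB1='Destination        Gateway            Flags     Netif Expire
default            10.0.0.1           UGS        igb0
203.0.113.0/24     link#1             U           ix0
10.0.0.0/24        link#3             U          igb0'

# Apply approach 1 only when explicitly asked for, and only on FreeBSD.
if [ "${1:-}" = apply ] && [ "$(uname -s)" = FreeBSD ]; then
    fib_setup
fi
```

On a live box, pipe `netstat -rn -f inet6 -F 1` into `default_gateway` and compare with FIB 0; if both print the same gateway, the tables are not separated for that family, which is the symptom to attach to the bug report Jason mentions. `vnet_jail_conf > /etc/jail.conf` followed by `service jail start router` brings up the jail variant; with `vnet.interface` the listed interfaces move into the jail, so they disappear from the host's `ifconfig` output while igb0 stays behind.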