Date: Sat, 15 Aug 2020 14:42:52 -0400 From: Jon Radel <jon@radel.com> To: freebsd-questions@freebsd.org Subject: Re: can a domain name config point to a vlan tag at the host Message-ID: <8986e63b-6c0a-58bb-f51e-ec9ad03e12cc@radel.com> In-Reply-To: <66b05a60-69f0-5634-1f1a-3f1f7d5a53d9@qeng-ho.org> References: <5F37E329.3000903@gmail.com> <9a027a2c-3575-25ac-6ccc-0f186a3d6820@qeng-ho.org> <5F37F4BD.5030301@gmail.com> <66b05a60-69f0-5634-1f1a-3f1f7d5a53d9@qeng-ho.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a cryptographically signed message in MIME format. --------------ms010404000106040502040301 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 8/15/20 13:19, Arthur Chance wrote: >> Now last month a guy posted on the questions list that he was using vl= an >> tags to separate his single dynamic public ip address into 4 vlan tags= =2E >> One for the host and 3 for vnet jails. He states he can ping the publi= c >> internet from inside of the vnet jails using this concept. > That is meaningless AFAIUI. IP addresses are at level 3 of the network > stack, vlans are at level 2, so they don't mix. (Dan Kaminsky can > probably do something weird with them, you do not want to go there for > business purposes. Or sanity.) Also, being able to ping out simply > requires NAT. Being able to receive incoming connections requires publi= c > IP addresses. Welll.....with some risk of muddying the waters further, I'll point out that inbound NAT does exist, especially the variant frequently referred to as "port forwarding."=C2=A0 However, if I remember umpteen messages ba= ck in this thread, one of Ernie's requirements is that he use the standard ports for everything, so this would not solve his problem.=C2=A0 I do, however, suspect, that earlier discussions revolving around making something like this work probably involved this technique. Ernie: By this I mean, it is generally possible (by which I mean it is a common, but not universal, feature), should one want to ssh from the outside world into 3 virtual devices for which one has only private IP addresses, to setup port forwarding, usually on your firewall or whatever device is doing the rest of your NAT, along the lines of: 17.17.17.17:2022 =3D=3D> 192.168.1.2:22 17.17.17.17:2023 =3D=3D> 192.168.2.2:22 17.17.17.17:2024 =3D=3D> 192.168.3.2:22 So you simply tell the remote ssh client to connect to port 2022, 2023, or 2024 depending on which virtual device you wish to connect to.=C2=A0 T= he NAT device on the edge of your network then knows how to mangle the address and port numbers in the headers and the packets can then be routed properly on the internal network using the RFC 1918 addresses. What is not available is to somehow map 17.17.17.17:22 =3D=3D> 192.168.1.2:22 or 192.168.2.2:22 or 192.168.3.2:22= mapping based on some value in DNS (layer 3 routing pays no attention to DNS) or the application data (layer 3 routing pays no attention to the contents of the payload).=C2=A0 Unless of course (and this is a huge unless--of the "this way lies madness" variety) you come up with your own variation on the ssh protocol, write your own custom clients to use the new protocol, write your own proxy to run at the edge of your network, etc., etc.=C2=A0 Hmmmm....just thought of a way to do it with only a custom client in order hide the different port numbers from the user.....=C2=A0=C2=A0 And = then repeat for every other protocol you wish to use. In any case, all the regular ssh clients connect to a fixed address:port combo.=C2=A0 The port defaults to 22.=C2=A0 A given address can have only= one thing listening on a given port.=C2=A0 Unless the protocol and server themselves have some mechanism for multiplexing (eg HTTP & HTTPS) or store & forward (SMTP), as has been discussed earlier in this thread, or there is some type of whizz-bang proxy server that looks at the contents of the application data and then establishes back-end network connections based on that data (say a layer 7, HTTP/HTTPS load balancer than assembles content from different back-end servers based on the contents of the request string), there's no support unless you write your own. --=20 --Jon Radel jon@radel.com --------------ms010404000106040502040301 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC C9owggXmMIIDzqADAgECAhBqm+E4O/8ra58B1dm4p1JWMA0GCSqGSIb3DQEBDAUAMIGFMQsw CQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxm b3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkGA1UEAxMiQ09NT0RPIFJTQSBD ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMzAxMTAwMDAwMDBaFw0yODAxMDkyMzU5NTla MIGXMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQH EwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE9MDsGA1UEAxM0Q09NT0RP IFJTQSBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6znlesKHZ1QBbHOAOY08YYdiFQ8yV5C0y1oNF9 Olg+nKcxLqf2NHbZhGra0D00SOTq9bus3/mxgUsg/Wh/eXQ0pnp8tZ8XZWAnlyKMpjL+qUBy RjXCA6RQyDMqVaVUkbIr5SU0RDX/kSsKwer3H1pT/HUrBN0X8sKtPTdGX8XAWt/VdMLBrZBl gvnkCos+KQWWCo63OTTqRvaq8aWccm+KOMjTcE6s2mj6RkalweyDI7X+7U5lNo6jzC8RTXtV V4/Vwdax720YpMPJQaDaElmOupyTf1Qib+cpukNJnQmwygjD8m046DQkLnpXNCAGjuJy1F5N ATksUsbfJAr7FLUCAwEAAaOCATwwggE4MB8GA1UdIwQYMBaAFLuvfgI9+qbxPISOre44mOzZ MjLUMB0GA1UdDgQWBBSCr2yM+MX+lmF86B89K3FIXsSLwDAOBgNVHQ8BAf8EBAMCAYYwEgYD VR0TAQH/BAgwBgEB/wIBADARBgNVHSAECjAIMAYGBFUdIAAwTAYDVR0fBEUwQzBBoD+gPYY7 aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPUlNBQ2VydGlmaWNhdGlvbkF1dGhvcml0 eS5jcmwwcQYIKwYBBQUHAQEEZTBjMDsGCCsGAQUFBzAChi9odHRwOi8vY3J0LmNvbW9kb2Nh LmNvbS9DT01PRE9SU0FBZGRUcnVzdENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Au Y29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQB4XLKBKDRPPO5fVs6fl1bsj6JrF/bz 9kkIBtTYLzXN30D+03Hj6OxCDBEaIeNmsBhrJmuubvyE7HtoSmR809AgcYboW+rcTNZ/8u/H v+GTrNI/AhqX2/kiQNxmgUPt/eJPs92Qclj0HnVyy9TnSvGkSDU7I5Px+TbO+88G4zipA2ps ZaWeEykgzClZlPz1FjTCkk77ZXp5cQYYexE6zeeN4/0OqqoAloFrjAF4o50YJafX8mnahjp3 I2Y2mkjhk0xQfhNqbzlLWPoT3m7j7U26u7zg6swjOq8hITYc3/np5tM5aVyu6t99p17bTbY7 +1RTWBviN9YJzK8HxzObXYWBf/L+VGOYNsQDTxAk0Hbvb1j6KjUhg7fO294F29QIhhmiNOr8 4JHoy+fNLpfvYc/Q9EtFOI5ISYgOxLk3nD/whbUe9rmEQXLp8MB933Ij474gwwCPUpwv9mj2 PMnXoc7mbrS22XUSeTwxCTP9bcmUdp4jmIoWfhQm7X9w/Zgddg+JZ/YnIHOwsGsaTUgj7fIv xqith7DoJC91WJ8Lce3CVJqb1XWeKIJ84F7YLXZN0oa7TktYgDdmQVxYkZo1c5noaDKH9Oq9 cbm/vOYRUM1cWcef20Wkyk5S/GFyyPJwG0fR1nRas3DqAf4cXxMiEKcff7PNa4M3RGTqH0pW R8p6EjCCBewwggTUoAMCAQICEHQDryTAYaEsgncP8aGW6o4wDQYJKoZIhvcNAQELBQAwgZcx CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1Nh bGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMT0wOwYDVQQDEzRDT01PRE8gUlNB IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMB4XDTE4MDMwNDAw MDAwMFoXDTIxMDMwMzIzNTk1OVowgfoxCzAJBgNVBAYTAlVTMQ4wDAYDVQQREwUyMjE1MDEL MAkGA1UECBMCVkExFDASBgNVBAcTC1NwcmluZ2ZpZWxkMRowGAYDVQQJExE2OTE3IFJpZGdl d2F5IERyLjEVMBMGA1UEChMMSm9uIFQuIFJhZGVsMTIwMAYDVQQLEylJc3N1ZWQgdGhyb3Vn aCBKb24gVC4gUmFkZWwgRS1QS0kgTWFuYWdlcjEfMB0GA1UECxMWQ29ycG9yYXRlIFNlY3Vy ZSBFbWFpbDESMBAGA1UEAxMJSm9uIFJhZGVsMRwwGgYJKoZIhvcNAQkBFg1qb25AcmFkZWwu Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtK/dFQxMTnVPcP1TI09m30v8 rSG/VWSFWfFvu/2jzPkNL+ivx6A4LNUbqw4CS73GIKcbp8IrpNQz2oQV6mTv+KVJzJMf8GjA y8EzZjhc2tAXL+Q57omCTuAc6cw2KDYFL0aNWX4CEe/LqfoBDKpJF7HCrwwus55+tTEkAY8j tRkQRMHf47YQVJjD/4pdC/h+7jjI0oSgh1npT7Q3K47g6IkVzjhiH8LCsCSVYaLzRZfgcl3s 0GLE858PV/84l5d/hUVD0u9J2EdKpf+hnFqZnA3qw9R0xFQIE6yOkUvhALw1zxXaiGj0047a gBE2Bhv2UIlj6Q0zPa5kRYDy9vBI6QIDAQABo4IBzTCCAckwHwYDVR0jBBgwFoAUgq9sjPjF /pZhfOgfPStxSF7Ei8AwHQYDVR0OBBYEFHS/Ewun4pYC9Lla5kkmj4zo7tKcMA4GA1UdDwEB /wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjBG BgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEDBTArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3Vy ZS5jb21vZG8ubmV0L0NQUzBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLmNvbW9kb2Nh LmNvbS9DT01PRE9SU0FDbGllbnRBdXRoZW50aWNhdGlvbmFuZFNlY3VyZUVtYWlsQ0EuY3Js MIGLBggrBgEFBQcBAQR/MH0wVQYIKwYBBQUHMAKGSWh0dHA6Ly9jcnQuY29tb2RvY2EuY29t L0NPTU9ET1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcnQwJAYI KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAYBgNVHREEETAPgQ1qb25AcmFk ZWwuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBUNLBptNFZRBkOUPOCI9TPM6QauLK6jojtbxZO XWvZfKvq8ukWUZTPtaDS5UjsMhlxLf/Crv8HkiVXSzC36cVQyjNjl1u+u/Sbl/6q/TfQk+aK 5jzDd4onQVzlfE33ymtZJgh+4dMPWKuXjRS0OyMLzv3mYCvFO83l1G9rBiaCEfFJHKgVGY1z 3ZU/gsPCQ2a0xf3908lwl5H3SPB3ZzLWDf41o5zV70HXfsgP862KzxU9t46XBGZ8TRl/5fl+ Xj2KQdpyWlNZUS00/UHznxeFO5+bkNaOg24BjwfBOWi0D47CE+6BRWvtrmgciWxefUuYeeIy Qr58KK8DlBCkVF06MYIENTCCBDECAQEwgawwgZcxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJH cmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBD QSBMaW1pdGVkMT0wOwYDVQQDEzRDT01PRE8gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBh bmQgU2VjdXJlIEVtYWlsIENBAhB0A68kwGGhLIJ3D/GhluqOMA0GCWCGSAFlAwQCAQUAoIIC WTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDA4MTUxODQy NTJaMC8GCSqGSIb3DQEJBDEiBCDtwrQAs14NBuQtkYK12Buz9tBChJGEoTWVtH6y2+xQwTBs BgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcw DgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEo MIG9BgkrBgEEAYI3EAQxga8wgawwgZcxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVy IE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1p dGVkMT0wOwYDVQQDEzRDT01PRE8gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2Vj dXJlIEVtYWlsIENBAhB0A68kwGGhLIJ3D/GhluqOMIG/BgsqhkiG9w0BCRACCzGBr6CBrDCB lzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMH U2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxPTA7BgNVBAMTNENPTU9ETyBS U0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0ECEHQDryTAYaEs gncP8aGW6o4wDQYJKoZIhvcNAQEBBQAEggEAZgoPzmf8jWPfeO+6Ss/D8Vf2IT9wTqNZ0ap4 yF7DCZLmGKKNmf+mpFDilWQByjonEls2hIOmz8LT12S+r67O78PbO5zBnAoVm7q24WbyM2zK +/6HJMxMv9vfLD+cis+iyO3MvodhPWLczLVFvnhXSJVUiqcASjJP+cbnaw73+EDEBvDB3+Hv G3uG3hV8O4LEN2+zICuEas1raMsQWKogMliR/NWKZ5x6uMnOExqBAxvC6Z2lNfI9w7y8b+me oG8X2Qxi/oYdrg0KQqLw/OzVNNNkh1Nf+zegr1AdQ6VupLgCRCm/mP57UlxMX6h2u1wnbRPT 2xdmyiEJoYqJfEMJ4AAAAAAAAA== --------------ms010404000106040502040301--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8986e63b-6c0a-58bb-f51e-ec9ad03e12cc>