Date:      Tue, 28 Aug 2007 17:43:14 -0500
From:      Josh Paetzel <josh@tcbug.org>
To:        Jeffrey Williams <jeff@sailorfej.net>
Cc:        freebsd-net@freebsd.org, freebsd-jail@freebsd.org
Subject:   Re: Running jails on multiple subnets with multiple interfaces
Message-ID:  <20070828224314.GB4446@tcbug.org>
In-Reply-To: <46D4983E.2050305@sailorfej.net>
References:  <46D4983E.2050305@sailorfej.net>

Jeffrey Williams wrote:
> I have a server with two interfaces. I want to run the host and a couple of
> jails using one interface on one subnet (internal interface, private IP, behind
> NAT/firewall) and some other jails using the other interface on another subnet
> (external interface, public IP, DMZ).
>
> Now my understanding of the challenge in doing this is that the network stack
> is not "virtualized" in the jails, so all the jails use the same routing table,
> and for obvious reasons only one default router. (Also, just for the sake of
> clarity, I don't want to enable routing between interfaces on the jail host.)
>
> Now if I understand all this correctly, then what will happen is: if I set the
> default router to the internal network's exit router (the NAT/firewall), then
> the jails listening on the external interface will only be able to talk to
> their local subnet, and because the internal subnet won't exist for them they
> won't be able to connect to the network at large.
>
> If I set the default router to the external network's exit router (the DMZ
> perimeter firewall), then the host and jails listening on the internal network
> won't be able to talk to the internet beyond the local nets: the jails because
> the external network doesn't exist for them, and the host because even though
> it can talk to both nets, the services are configured to only listen on the
> internal net, and it will be trying to send all outgoing traffic to the public
> net, thus not creating any NAT table entries on the NAT/firewall for the
> return connections.
>
> Is there any way to achieve what I am trying to do?
>
> Thanks
> Jeffrey Williams

PF makes a very effective workaround to this with its route-to
option...effectively letting you bypass the routing table altogether
and set up per-IP behavior.

For instance, I use it in the following scenario, where a box has two
interfaces with public IPs and I don't want answers to connections on
the 'secondary' interface to go out the default route.

connection 1's router 192.168.1.1
em0 ip 192.168.1.2/24

connection 2's router 10.0.0.1
em1 ip 10.0.0.2/24

If connection 1 is the 'primary' link then set the default route to
192.168.1.1 and put the following rule in pf.conf:

pass out route-to (em1 10.0.0.1) from 10.0.0.2 to ! 10.0.0.0/24

If you were to give more concrete examples of your config I could
probably help you out with a workable pf solution.

-- 
Thanks,

Josh Paetzel
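As an added example (not Josh's configuration or anything from the thread), here is how the route-to approach above maps onto Jeffrey's jail layout: host and internal jails on em0 behind the NAT/firewall, DMZ jails as aliases on em1, default route pointing at the internal side. Interface names, addresses and jail IPs are assumed placeholders; the reply-to rule for inbound connections goes beyond the single rule Josh quotes, and the comment explains why it is needed.

```pf
# Added example pf.conf fragment; all addresses below are constructed placeholders.
# Assumed layout:
#   em0 = internal interface 192.168.1.2/24, default route via 192.168.1.1 (NAT/firewall)
#   em1 = DMZ interface 10.0.0.2/24 carrying the DMZ jail aliases, DMZ router 10.0.0.1
int_if  = "em0"
ext_if  = "em1"
ext_gw  = "10.0.0.1"
ext_net = "10.0.0.0/24"

# Addresses of the jails bound to the DMZ interface (assumed values)
table <dmz_jails> { 10.0.0.10, 10.0.0.11 }

set skip on lo0

# Connections started by a DMZ jail towards anything outside the DMZ subnet
# would normally follow the shared default route out em0 through the internal
# NAT/firewall. route-to overrides that and hands the packet to em1 / the DMZ
# router, so the jail never depends on the internal side for its exit path.
pass out quick route-to ($ext_if $ext_gw) from <dmz_jails> to ! $ext_net keep state

# Connections arriving at a DMZ jail from outside create state on this rule, and
# the replies are matched by that state rather than by the pass out rule above,
# so they would still be routed via the default route. reply-to pins the answers
# to em1 / the DMZ router. Ports are assumed; list what the jails actually serve.
pass in quick on $ext_if reply-to ($ext_if $ext_gw) proto tcp \
    from ! $ext_net to <dmz_jails> port { 80, 443 } keep state

# Host services and internal jails are unaffected: they keep using the default
# route via the internal NAT/firewall, which then sees their outgoing traffic
# and builds its NAT table entries as before.
pass out on $int_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.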
