Date:      Wed, 28 Nov 2007 15:01:28 -0600
From:      Josh Paetzel <josh@tcbug.org>
To:        freebsd-questions@freebsd.org
Cc:        Félix Langelier <felix.langelier@notarius.com>, "Philip M. Gollucci" <pgollucci@riderway.com>
Subject:   Re: Network Configuration with Jails.
Message-ID:  <200711281501.32594.josh@tcbug.org>
In-Reply-To: <474D7759.2070200@riderway.com>
References:  <A528456BFBC1394FB0C91228BD4BC31FD4110C@emilie.notarius.lan> <474D7759.2070200@riderway.com>


On Wednesday 28 November 2007 08:12:41 am Philip M. Gollucci wrote:
> Félix Langelier wrote:
> > Hello,
> >
> > I run a FreeBSD Jailer and I want to have multiple jails in 2 separate
> > networks. The server has 2 network interfaces and each of them is
> > connected to a different network. Say vlan1 and vlan2.
> >
> > My problem is that all the network traffic is going through the first
> > interface (vlan1). What I need is that a jail in vlan1 can't communicate
> > with a jail in vlan2 (and vice-versa).
> >
> > Is it possible to split the network traffic to the right interfaces and
> > use a different default gateway for each of them?
> >
> > Here is my /etc/rc.d configuration.
> >
> > defaultrouter="192.168.1.1"
> >
> > static_routes="vlan1 vlan2"
> > route_vlan1="-net 192.168.1.0/24 192.168.1.1"
> > route_vlan2="-net 192.168.2.0/24 192.168.2.1"
> >
> > # vlan1 interface config.
> > ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.0"
> > ifconfig_bge0_alias0="192.168.1.11 netmask 255.255.255.255"
> >
> > # vlan2 interface config.
> > ifconfig_bge1="inet 192.168.2.10 netmask 255.255.255.0"
> > ifconfig_bge1_alias0="inet 192.168.2.11 netmask 255.255.255.255"
> >
> > I tried to remove the default gateway but then the server was
> > unreachable. I am thinking of using pf to resolve my issue.
>
> Removing the default gateway will work, but you have to add back
> _similar_ routes; you can't just remove it.

PF is probably the way to go.  In particular using route-to to send traffic
originating from 192.168.2.0/24 to 192.168.2.1

I'm not totally sure what your static routes even accomplish.  The kernel will
establish routes for directly connected networks automatically.

So probably some rules of interest....

# keep jails from talking to each other
block in on bge0 from 192.168.2.0/24 to 192.168.1.0/24
block in on bge1 from 192.168.1.0/24 to 192.168.2.0/24

# ignore the default route
pass out route-to (bge1 192.168.2.1) from 192.168.2.0/24 to ! 192.168.2.0/24 \
     keep state

# redundant because of the default route
# which actually does what we want
pass out route-to (bge0 192.168.1.1) from 192.168.1.0/24 to ! 192.168.1.0/24 \
      keep state

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
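
As an added example (not part of Josh's message or of FreeBSD itself), here is a complete /etc/pf.conf that assembles the rules above for the host described in the thread; the interface names, networks and gateways are taken from Félix's rc.conf, while the lo0 rules, the use of "quick" and the trailing catch-all pass rules are my assumptions about the rest of the host's policy. The lo0 rules matter because two jails on the same box talk to each other over the loopback route, never over bge0/bge1, so filtering only the physical interfaces does not isolate them from each other.

```pf
# /etc/pf.conf for the two-network jail host from the thread.
# Added example; interface names, networks and gateways come from the
# rc.conf in the question, the remaining policy is an assumption.

vlan1_if  = "bge0"
vlan1_net = "192.168.1.0/24"
vlan1_gw  = "192.168.1.1"

vlan2_if  = "bge1"
vlan2_net = "192.168.2.0/24"
vlan2_gw  = "192.168.2.1"

# Do NOT "set skip on lo0" here: jail-to-jail traffic on the same host is
# looped back over lo0, so lo0 has to be filtered for the isolation to hold.
# Note that the host's own addresses sit in these nets and are blocked too.
block in quick on lo0 from $vlan1_net to $vlan2_net
block in quick on lo0 from $vlan2_net to $vlan1_net

# Jails on other hosts of the peer network are blocked at the wire.
# "quick" ends rule evaluation, so a later broad "pass" cannot re-allow this
# (pf otherwise applies the last matching rule).
block in quick on $vlan1_if from $vlan2_net to $vlan1_net
block in quick on $vlan2_if from $vlan1_net to $vlan2_net

# Ignore the default route for vlan2 sources: whichever interface the
# routing table picked, hand the packet to the vlan2 gateway on bge1.
# Replies to this state return on bge1 and are matched by the state entry.
pass out quick route-to ($vlan2_if $vlan2_gw) from $vlan2_net \
    to ! $vlan2_net keep state

# vlan1 already follows the default route; kept for symmetry.
pass out quick route-to ($vlan1_if $vlan1_gw) from $vlan1_net \
    to ! $vlan1_net keep state

# Catch-all (assumption: otherwise permissive host); tighten to local policy.
pass out keep state
pass in keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`; rc.conf still needs `defaultrouter="192.168.1.1"` so the host itself stays reachable.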

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200711281501.32594.josh>