Date:      Sat, 15 Aug 2020 18:19:10 +0100
From:      Arthur Chance <freebsd@qeng-ho.org>
To:        Ernie Luzar <luzar722@gmail.com>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: can a domain name config point to a vlan tag at the host
Message-ID:  <66b05a60-69f0-5634-1f1a-3f1f7d5a53d9@qeng-ho.org>
In-Reply-To: <5F37F4BD.5030301@gmail.com>
References:  <5F37E329.3000903@gmail.com> <9a027a2c-3575-25ac-6ccc-0f186a3d6820@qeng-ho.org> <5F37F4BD.5030301@gmail.com>

On 15/08/2020 15:44, Ernie Luzar wrote:
> Arthur Chance wrote:
>> On 15/08/2020 14:29, Ernie Luzar wrote:
>>> I set up vlan for the host interface cabled to the public internet.
>>> How do I drive internet traffic to the desired vlan name on the host
>>> using a registered domain name?
>>>
>>> My rc.conf has this
>>>
>>> ifconfig_re0="DHCP"
>>> gateway_enable="YES"
>>>
>>> vlans_re0="1 2 3"
>>>
>>> # vlan_1  is for the host
>>> # vlan_2  is for vnet jailA
>>> # vlan_3  is for vnet jailB
>>>
>>> Final goal is to drive traffic from the public internet using a fqdn to
>>> the vnet jailA.
>>
>> I strongly suggest you read up more about networking because it's
>> obvious you don't really understand it. All network traffic goes to *IP
>> addresses* not domains. DNS says what addresses to use for a specific
>> domain, but *all* connection attempts, whatever the protocol, are to a
>> specific numeric IP address. Yes, protocols like HTTP then accept a host
>> specification for further "routing" but that happens *after* the initial
>> connection is made.
>>
>> If you want to run N jails with N different domains, all with their own
>> traffic to arbitrary ports, you are going to need at least N different
>> IP addresses.
>>
> 
> I agree with you that I am not a network guru, but I do have a general
> big picture understanding.

I'm really not sure you do, because many of the questions you're asking
are simply not meaningful. Especially when you talk about vlans.

> Problem with the network manuals I have read
> is they do not give real world examples showing how to implement the
> concepts talked about. They contain NO cross over reference to vnet
> jails. Also all the public literature on vnet jails never talk about how
> to drive public traffic to a vnet jail or that vnet jails are limited to
> requiring a virgin public ipv4 address for the vnet jails sole use.
> After all the reading and trial and error attempts I come here to ask
> questions to get the answers only someone with vnet experience can
> answer. Hoping that is you.

vnet jails are simply a particular FreeBSD virtualisation technology,
they are not magic. vnet jails are a virtual equivalent of having
multiple physical computers. Think of them as separate machines and you
might be less confused.

> As I understand it vnet jails have to have their own host interface
> device with a public ip address that is not already in use by the host.

No. They can have their own IP addresses, but you cannot use *public* IP
addresses without them being assigned to you. (Well you can, you can
even use google.com addresses if you want but nobody will route to them
so they will be useless.) Unless you have been assigned public addresses
you have to use RFC 1918 private addresses which are not visible to the
outside world. (On IPv4 of course. IPv6 has its own way of doing things.)

> This translates to a business type of ISP account to get 3 static ipv4
> public addresses. This is a very expensive setup just to do some concept
> testing to be able to write a business proposal for in house IT management.

Personally I've got a /29 assignment for no extra charge on a home
account, but I'm in the UK. If you're doing a purely in house proof of
concept just pretend one of the RFC 1918 address ranges is "public" for
the purpose of testing.

> Now last month a guy posted on the questions list that he was using vlan
> tags to separate his single dynamic public ip address into 4 vlan tags.
> One for the host and 3 for vnet jails. He states he can ping the public
> internet from inside of the vnet jails using this concept.

That is meaningless AFAIUI. IP addresses are at level 3 of the network
stack, vlans are at level 2, so they don't mix. (Dan Kaminsky can
probably do something weird with them, you do not want to go there for
business purposes. Or sanity.) Also, being able to ping out simply
requires NAT. Being able to receive incoming connections requires public
IP addresses.

I can imagine he might be using vlans to mix external and internal
networks onto the same physical wire with the help of a managed switch;
I've seen people use Raspberry Pis as router/firewalls that way. But all
internal vlans would be using RFC 1918 addresses.

> But the part missing is how to drive public traffic to the vlan tagged
> vnet jail.  So I ask the question to you again. Is there a way to
> configure a domain name setup to not only point to the hosts public ip
> address but also to its layer 2 vlan tag? The srv record looked like a
> good candidate but could not find any mention of vlan tags.

Because vlans are level 2, not level 3. They are not visible at the
TCP/IP level.

> Or could it be the "A" record ip address field with something like this
> x.x.x.x_2   Where in the host vlan_2 is a vnet jail.

No. A records contain 32 bit IPv4 addresses, end of story.

It's evening here in the UK. I'll be offline until tomorrow afternoon,
so don't expect further responses until at least after breakfast Eastern
time.

-- 
The number of people predicting the demise of Moore's Law doubles
every 18 months.
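The two points Arthur makes above (a vlan tag lives in the layer 2 Ethernet header and is gone before the IP layer ever sees the packet, and a DNS A record carries exactly four octets) are easy to check on the wire format. The following Python is an added example written for this archive page; it is not code from either correspondent or from FreeBSD. The MAC and IP addresses are constructed sample values, the IPv4 header is minimal (no options, checksum left at zero) and the 802.1Q/IPv4/RFC 1035 layouts are the standard ones.

```python
import struct
import ipaddress

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, l3_payload, vlan_id=None):
    """Ethernet II frame, optionally carrying an 802.1Q tag (PCP=0, DEI=0).

    The tag is four extra bytes between the source MAC and the EtherType;
    nothing inside the layer 3 payload changes."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 0..4094")
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + l3_payload


def strip_vlan(frame):
    """What the host's IP stack effectively does on receive: peel the layer 2
    header off and hand the rest upwards.  Returns (vlan_id or None, ethertype,
    layer 3 payload).  The VLAN ID never reaches layer 3."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, ethertype, frame[14:]


def build_ipv4_packet(src, dst, payload=b""):
    """Minimal 20-byte IPv4 header (constructed sample; checksum not computed)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len,      # version/IHL, DSCP/ECN, total length
                      0, 0,                    # identification, flags/fragment offset
                      64, 6, 0,                # TTL, protocol (TCP), header checksum (unset)
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv4_addresses(packet):
    """Source and destination address as seen by routing and by any daemon
    that accepts the connection."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def a_record_rdata(text):
    """RDATA of a DNS A record (RFC 1035 section 3.4.1): exactly four octets.
    Anything that is not a dotted-quad IPv4 address, such as "x.x.x.x_2",
    is rejected; there is no field in which a vlan tag could be carried."""
    return ipaddress.IPv4Address(text).packed


def vlan_is_invisible_to_ip(dst_addr, vlan_ids):
    """Send the same IPv4 packet on several vlans and report the destination
    address each copy decodes to.  Returns True when every vlan yields the
    identical layer 3 packet, i.e. when vlan tagging cannot select a jail."""
    pkt = build_ipv4_packet("203.0.113.5", dst_addr)        # constructed sample
    seen = set()
    for vid in vlan_ids:
        frame = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", pkt, vlan_id=vid)
        _vid, ethertype, l3 = strip_vlan(frame)
        assert ethertype == ETHERTYPE_IPV4
        seen.add((ipv4_addresses(l3), l3))
    return len(seen) == 1


if __name__ == "__main__":
    # vlans 1, 2 and 3 from the rc.conf in the thread all deliver the same packet
    print("vlan tag visible to IP layer:", not vlan_is_invisible_to_ip("198.51.100.7", [1, 2, 3]))
    print("A record RDATA:", a_record_rdata("198.51.100.7").hex())
    try:
        a_record_rdata("198.51.100.7_2")
    except ValueError as e:
        print("x.x.x.x_2 rejected:", e)
```

Run as a script it shows that frames tagged 1, 2 and 3 all decode to one and the same IP packet, so nothing at the DNS or TCP/IP level can distinguish them; the only way to give jailA its own reachable service on one public address is to forward a port from the host (NAT) or to proxy on the host after the connection is made, exactly as the reply describes.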
