Multiple Subnets/interfaces

Andrew Hotlab andrew.hotlab at hotmail.com
Thu Nov 25 23:07:20 UTC 2010


> From: danieljfaulknor at gmail.com
> Date: Wed, 24 Nov 2010 16:00:52 +1300
> To: freebsd-jail at freebsd.org
> Subject: Multiple Subnets/interfaces
>
> Hi,
>
> I have a FreeBSD server with two interfaces, both on different physical networks. I want to have some jails on each network.
>
> # This file now contains just the overrides from /etc/defaults/rc.conf.
> hostname="fs1.akl1.generatornz.com"
> ifconfig_bce0="inet 120.xxx.52.2/28"
> ifconfig_bce0_alias0="inet 120.xxx.52.3/32"
> ifconfig_bce0_alias1="inet 120.xxx.52.4/32"
> ifconfig_bce0_alias2="inet 120.xxx.52.6/32"
> ifconfig_bce1="inet 120.xxx.55.146/25"
> ifconfig_bce1_alias0="inet 120.xxx.55.147/25"
> defaultrouter="120.xxx.52.1"
>
> I have added this to my pf:
>
> pass out route-to ($ext_if 120.xxx.55.129) from 120.xxx.55.147 to ! 120.xxx.55.128/23
>

This rule seems correct if you want to allow only the IP 120.xxx.55.147 to be reachable by hosts outside the subnet,
even if the CIDR notation you wrote at the end of the line seems wrong to me. Shouldn't it be 120.xxx.55.128/25 ?
I think that it is a best practice to add the secondary IP address to the bge1 interface with a /32 netmask.

> I can ping 120.xxx.55.147, but I can't connect to any services that netstat is showing that is running:
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
> tcp4       0      0 ip-120-136-55-14.ssh   *.*                    LISTEN
> tcp4       0      0 ip-120-136-55-14.http  *.*                    LISTEN
> tcp4       0      0 ip-120-136-55-14.9000  *.*                    LISTEN
>

In the past I used such PF rules to enable several jails on the same host in different subnets to reach interconnected
networks, but I have been using the multiple FIB feature since FreeBSD 7.2.  Now I'm running RELENG_8_1
and I'm still very satisfied by this method, which I feel is more "solid" than the PF "hack".

I don't remember exactly why, but in my last functioning ruleset I've just noticed the "no state" command at the end
of each rule.  Hope this might help you.

Sincerely.

Andrew
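The CIDR question raised in the reply, worked through as an added example that is not part of the thread or of anyone's posted configuration: pf normalizes the address in a rule to its network, so the "128/23" written in the route-to rule does not mean "the /25 starting at .128" but the /23 starting two bits earlier. The functions below compute what a CIDR in a rule actually covers and whether a destination would be exempted from route-to. The 10.0.54.x/10.0.55.x addresses are constructed placeholders standing in for the poster's 120.xxx.5x.x ranges (same third and fourth octets, same prefix lengths).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Pure POSIX sh arithmetic
# on IPv4 addresses to check what a CIDR in a pf rule really matches.
# Addresses are constructed placeholders for the thread's 120.xxx.55.x subnet.

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_bits PREFIXLEN -> integer netmask (e.g. 25 -> 0xFFFFFF80)
mask_bits() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_network A.B.C.D/N -> the network pf would actually use for that CIDR.
# This is where "x.x.55.128/23" silently becomes "x.x.54.0/23".
cidr_network() {
    addr=${1%/*}
    plen=${1#*/}
    m=$(mask_bits "$plen")
    echo "$(int2ip $(( $(ip2int "$addr") & m )))/$plen"
}

# in_cidr IP A.B.C.D/N -> exit status 0 if IP lies inside the CIDR
in_cidr() {
    plen=${2#*/}
    m=$(mask_bits "$plen")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# needs_route_to RULE_SRC PKT_SRC PKT_DST LOCALNET
# Mirrors "pass out route-to (...) from RULE_SRC to ! LOCALNET":
# exit 0 when pf would send the packet via the route-to gateway.
needs_route_to() {
    [ "$1" = "$2" ] || return 1
    if in_cidr "$3" "$4"; then return 1; fi
    return 0
}

# Demonstration: the /23 from the thread versus the /25 that matches the
# interface's own netmask (constructed addresses).
echo "rule CIDR 10.0.55.128/23 is really $(cidr_network 10.0.55.128/23)"
echo "rule CIDR 10.0.55.128/25 is really $(cidr_network 10.0.55.128/25)"
if needs_route_to 10.0.55.147 10.0.55.147 10.0.54.10 10.0.55.128/23; then
    echo "with /23: traffic to 10.0.54.10 is routed via the second gateway"
else
    echo "with /23: traffic to 10.0.54.10 is NOT routed via the second gateway"
fi
if needs_route_to 10.0.55.147 10.0.55.147 10.0.54.10 10.0.55.128/25; then
    echo "with /25: traffic to 10.0.54.10 is routed via the second gateway"
else
    echo "with /25: traffic to 10.0.54.10 is NOT routed via the second gateway"
fi
```

With the /23 as written, every host in the neighbouring .54.0/24 is treated as "local" and never sent to the second gateway; with /25 only the hosts sharing the interface's own subnet are exempted, which is what the reply suggests. Note that pfctl will accept the /23 without complaint, so the only way to catch this is to check the normalized network, for example with `pfctl -sr` after loading the ruleset.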

