VLANing between jails not segmenting traffic

[Farhan Khan]

Hi all,

I am trying to experiment with setting up two jails on different VLANs, 
but have not been able to segment traffic.

My configuration was to create vlan1 for jail1 and vlan2 for jail2.

I did the following commands:
ifconfig vlan1 create vlan 1 vlandev em0
ifconfig vlan1 10.1.0.1/24
ifconfig vlan2 create vlan 2 vlandev em0
ifconfig vlan2 10.2.0.1/24

Within each jail, I set the interface to be vlan1 and vlan2 and assigned 
them the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.

I can still have connectivity between the two VLANs.

Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route 
outbound at all. An `ifconfig` shows 0xffffff00 (/24) so my expected 
behavior would be to say "unable to route". It can even connect to the 
external interface's IP address. At a minimum it should not even know 
how to connect to the 10.2.0.0/24 network at all.

I was advised that its connectivity is because Jails use the base 
system's routing table. If so, how could one possibly separate network 
traffic? That's the entire purpose of VLANing.

I have been advised to use pf to prevent that, but shouldn't VLANing 
provide that separation mechanism? I do not know what I might be doing 
wrong here.


Thank you
Farhan Khan