VLANing between jails not segmenting traffic

Michael Gmelin grembo at freebsd.org
Mon Oct 30 21:53:20 UTC 2017



> On 30. Oct 2017, at 22:26, Eugene Grosbein <eugen at grosbein.net> wrote:
> 
> 31.10.2017 4:08, Farhan Khan wrote:
>> Hi all,
>> 
>> I am trying to experiment with setting up two jails on different VLANs, but have not been able to segment traffic.
>> 
>> My configuration was to create vlan1 for jail1 and vlan2 for jail2.
>> 
>> I did the following commands:
>> ifconfig vlan1 create vlan 1 vlandev em0
>> ifconfig vlan1 10.1.0.1/24
>> ifconfig vlan2 create vlan 2 vlandev em0
>> ifconfig vlan2 10.2.0.1/24
>> 
>> Within each jail, I set the interface to be vlan1 and vlan2 and assigned them the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.
>> 
>> I can still have connectivity between the two VLANs.
>> 
>> Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route outbound at all. An `ifconfig` shows 0xffffff00 (/24) so my expected behavior would be to say "unable to route". It can even connect to the external interface's IP address. At a minimum it should not even know how to connect to the 10.2.0.0/24 network at all.
>> 
>> I was advised that its connectivity is because Jails use the base system's routing table. If so, how could one possibly separate network traffic? That's the entire purpose of VLANing.
>> 
>> I have been advised to use pf to prevent that, but shouldn't VLANing provide that separation mechanism? I do not know what I might be doing wrong here.
> 
> It seems you are looking for isolated network stacks for jails, each having a distinct route table etc.
> You need options VIMAGE for your kernel and create jails with vnet option (man jail)
> to obtain this feature.
> 

You can use fibs with net.add_addr_allfibs=0 to get separate routing tables (comes with its own set of complications though).

-m
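Both approaches from the thread side by side, as an added shell example that is not part of the exchange above: the reply's FIB route (net.add_addr_allfibs=0 plus a FIB per jail) and Eugene's VNET route (a private network stack per jail with the vlan interface moved into it). Everything beyond the thread's own names is constructed: the trunk NIC em0 and the vlan1/vlan2 names come from Farhan's commands, while the gateways 10.1.0.254/10.2.0.254, the jail roots under /jails and the per-jail FIB numbers are assumptions. The script only prints the generated commands and jail.conf stanzas unless invoked as `apply` on a FreeBSD host, so it can be read and checked anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the FreeBSD commands that
# give each VLAN-attached jail its own routing table, either with FIBs and
# net.add_addr_allfibs=0 (the reply above) or with VNET jails (Eugene's reply).
# Constructed assumptions: trunk NIC em0 (from the thread), gateways
# 10.1.0.254 and 10.2.0.254, jail roots under /jails. "apply" runs the FIB
# setup (as root on FreeBSD); anything else only prints what would be run.

# One jail per line: name  vlan_id  fib  jail_addr/prefix  gateway
JAILS='jail1 1 1 10.1.0.2/24 10.1.0.254
jail2 2 2 10.2.0.2/24 10.2.0.254'

# FIB 0 stays the host's own table, so the kernel needs max(fib)+1 tables.
required_fibs() {
    echo "$JAILS" | awk 'BEGIN { m = 0 } $3 > m { m = $3 } END { print m + 1 }'
}

# Two jails sharing a VLAN id or a FIB would end up on one segment/table again.
check_unique() {
    for col in 2 3; do
        if echo "$JAILS" | awk -v c="$col" '{ print $c }' | sort | uniq -d | grep -q .; then
            return 1
        fi
    done
    return 0
}

# Variant 1: shared network stack, but a separate FIB (routing table) per jail.
fib_commands() {
    cat <<EOF
# the extra routing tables must exist from boot
sysrc -f /boot/loader.conf net.fibs=$(required_fibs)
# connected routes of new addresses go only to the FIB of the configuring process
sysctl net.add_addr_allfibs=0
EOF
    echo "$JAILS" | while read -r name vid fib addr gw; do
        cat <<EOF
ifconfig vlan$vid create vlan $vid vlandev em0
# configure under setfib so the connected /24 lands in FIB $fib only, not in FIB 0
setfib $fib ifconfig vlan$vid inet $addr
setfib $fib route add default $gw
# /etc/jail.conf for $name: exec.fib = $fib; ip4.addr = ${addr%/*};
EOF
    done
}

# Variant 2: VNET jail with a fully private stack; the vlan interface moves into
# the jail (vnet.interface) and is returned to the host when the jail stops.
vnet_jail_conf() {
    echo "$JAILS" | while read -r name vid fib addr gw; do
        cat <<EOF
$name {
    path = "/jails/$name";
    host.hostname = "$name";
    mount.devfs;
    vnet;
    vnet.interface = "vlan$vid";
    exec.start = "ifconfig vlan$vid inet $addr && route add default $gw && /bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
    done
}

check_unique || { echo "duplicate VLAN id or FIB in JAILS" >&2; exit 1; }
case "${1:-}" in
    apply) fib_commands | sh -e ;;             # execute the FIB variant
    *)     fib_commands; echo; vnet_jail_conf ;;  # dry run: show both variants
esac
```

The FIB variant keeps one kernel stack, so the jail still shares the host's interfaces and firewall state; only route lookups for processes started with exec.fib differ, which is where the "complications" the reply mentions come from (local addresses on the host remain reachable, and anything started without setfib falls back to FIB 0). The VNET variant gives each jail its own routing table, interfaces and pf/ipfw state, which is the isolation the original question was actually after; it needs a VIMAGE kernel, as Eugene notes.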