Re: Tunnel interfaces and vnet boundary crossing
- In reply to: John-Mark Gurney : "Re: Tunnel interfaces and vnet boundary crossing"
Date: Wed, 17 Aug 2022 21:08:32 UTC
On Wed, 17 Aug 2022 13:12:14 -0700
John-Mark Gurney <jmg@funkthat.com> wrote:

> Milan Obuch wrote this message on Mon, Aug 15, 2022 at 08:53 +0200:
> > I tried to mimic this in FreeBSD with following commands:
> >
> > ifconfig gre1 create tunnel 172.16.1.1 172.16.0.1 vnet ov1
> > jexec ov1 ifconfig gre1 10.1.0.2/30 10.1.0.1
> >
> > This does not work. I found some older post which made me believe
> > this is caused by clearing whole tunnel configuration after moving
> > interface into different vnet. My (failed) tests indicate this is
> > most probably the cause.
> >
> > So, my question is, does anybody use tunnel interface similar way?
> > Is it possible to achieve what I am trying with netgraph? I am able
> > to create some inter-vnet link using epair interface, but this is
> > something different. Or ideally, is somebody using IPSEC with VNET
> > jails, processing encapsulating packets in base and raw content in
> > some child vnet?
>
> This doesn't work since the tunnel interface needs to see the
> interface with the IP to route it to, and since it's in another
> jail/vnet, it can't get there.
>
> The closest thing I can think of is putting an epair in w/ the tunnel
> interface, and routing the tunnel out of the vnet via the epair
> interface...
>
> Does this make sense?
>

Partially, but does not help. Problem is there could be two networks
somewhere run by two different entities, different admins, both using,
say, 192.168.1.0/24 for LAN segment. With your approach, I would need
two routes for the same destination address block via two tunnels.
Obviously, not good.

Regards,
Milan