Re: Tunnel interfaces and vnet boundary crossing

From: Milan Obuch <freebsd-net_at_dino.sk>
Date: Wed, 17 Aug 2022 21:08:32 UTC
On Wed, 17 Aug 2022 13:12:14 -0700
John-Mark Gurney <jmg@funkthat.com> wrote:

> Milan Obuch wrote this message on Mon, Aug 15, 2022 at 08:53 +0200:
> > I tried to mimic this in FreeBSD with following commands:
> > 
> > ifconfig gre1 create tunnel 172.16.1.1 172.16.0.1 vnet ov1
> > jexec ov1 ifconfig gre1 10.1.0.2/30 10.1.0.1
> > 
> > This does not work. I found some older post which made me believing
> > this is caused by clearing whole tunnel configuration after moving
> > interface into different vnet. My (failed) tests indicate this is
> > most probably the cause.
> > 
> > So, my question is, does anybody use tunnel interface similar way?
> > Is it possible to achieve what I am trying with netgraph? I am able
> > to create some inter-vnet link using epair interface, but this is
> > something different. Or ideally, is somebody using IPSEC with VNET
> > jails, processing encapsulating packets in base and raw content in
> > some child vnet?  
> 
> This doesn't work since the tunnel interface needs to see the
> interface with the IP to route it to, and since it's in another
> jail/vnet, it can't get there.
> 
> The closes thing I can think of is putting an epair in w/ the tunnel
> interface, and routing the tunnel out of the vnet via the epair
> interface...
> 
> Does this make sense?
> 

Partially, but does not help. Problem is there could be two networks
somewhere run by two different entities, different admins, both using,
say, 192.168.1.0/24 for LAN segment. With your approach, I would need
two routes for the same destination address block via two tunnels.
Obviously, not good.

Regards,
Milan