Running jails on multiple subnets with multiple interfaces

Jeffrey Williams
jeff at sailorfej.net
Tue Aug 28 15:10:33 PDT 2007

I have a server with two interfaces. I want to run the host and a couple of jails using one interface on one subnet (internal interface, private IP, behind NAT/firewall), and some other jails using the other interface on another subnet (external interface, public IP, DMZ).
Now, my understanding of the challenge in doing this is that the network stack is not "virtualized" in the jails, so all the jails use the same routing table and, for obvious reasons, only one default router. (Also, just for the sake of clarity, I don't want to enable routing between interfaces on the jail host.)
Now, if I understand all this correctly, then what will happen is: if I set the default router to the internal network's exit router (the NAT/firewall), then the jails listening on the external interface will only be able to talk to their local subnet, and because the internal subnet won't exist for them, they won't be able to connect to the network at large.
If I set the default router to the external network's exit router (the DMZ perimeter firewall), then the host and jails listening on the internal network won't be able to talk to the internet beyond the local nets: the jails because the external network doesn't exist for them, and the host because, even though it can talk to both nets, the services are configured to only listen on the internal net, and it will be trying to send all outgoing traffic to the public net, thus not creating any NAT table entries on the NAT/firewall for the return connections.
Is there any way to achieve what I am trying to do?
Thanks,
Jeffrey Williams
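The reasoning in the post (one shared kernel routing table, hence one default route for host and jails alike) can be checked mechanically. The following is an added example, not part of the original message or of FreeBSD itself: a small Python model of a two-interface jail host with a single routing table that does longest-prefix matching and then reports, for each sender and each destination, whether a usable path exists under either choice of default router. The subnets, addresses, interface names `em0`/`em1` and the rule that a sender may only use a route leaving through the interface that owns its source address (no forwarding between interfaces, as the post stipulates) are all constructed modeling assumptions.

```python
"""Model of one routing table shared by a jail host and its jails.

Added example (not from the mailing-list post). Models a host with two
interfaces, several senders bound to addresses on either subnet, and a
single kernel routing table with exactly one default route. All addresses
and interface names are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: str


# Constructed topology (assumed for the example; the post names no addresses).
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # private side, behind NAT/firewall, on em0
EXTERNAL = ipaddress.ip_network("203.0.113.0/24")  # public side, DMZ, on em1
INTERNAL_GW = ipaddress.ip_address("192.168.1.1")  # the NAT/firewall
EXTERNAL_GW = ipaddress.ip_address("203.0.113.1")  # the DMZ perimeter firewall
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def interface_of(addr: ipaddress.IPv4Address) -> str:
    """Interface that owns an address on this host (connected subnets only)."""
    if addr in INTERNAL:
        return "em0"
    if addr in EXTERNAL:
        return "em1"
    raise ValueError(f"{addr} is not on a connected subnet")


def routing_table(default_gw: ipaddress.IPv4Address) -> list:
    """The one table shared by host and jails: a connected route per
    interface plus exactly one default route."""
    return [
        Route(INTERNAL, None, "em0"),
        Route(EXTERNAL, None, "em1"),
        Route(DEFAULT, default_gw, interface_of(default_gw)),
    ]


def lookup(table, dst):
    """Longest-prefix match; the kernel does this identically for every sender."""
    candidates = [r for r in table if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def can_reach(table, src, dst):
    """Decide whether a packet from src to dst has a usable path.

    Modeling assumption: the host does not forward between its interfaces,
    and a packet must leave via the interface owning its source address.
    A default route pointing out the other interface is therefore useless
    to that sender (no NAT state gets built and replies have no way back).
    """
    route = lookup(table, dst)
    egress = interface_of(src)
    if route.interface != egress:
        return False, f"next hop is on {route.interface}, but {src} is on {egress}"
    via = route.gateway if route.gateway is not None else "link"
    return True, f"via {via} on {route.interface}"


def reachability(default_gw, sources, destinations):
    """Map (source, destination) -> bool for one choice of default router."""
    table = routing_table(default_gw)
    return {(str(s), str(d)): can_reach(table, s, d)[0]
            for s in sources for d in destinations}


# Constructed sample senders and destinations.
HOST_INTERNAL = ipaddress.ip_address("192.168.1.10")  # host's own service address
JAIL_INTERNAL = ipaddress.ip_address("192.168.1.11")  # jail on the private side
JAIL_DMZ = ipaddress.ip_address("203.0.113.11")       # jail on the DMZ side
INTERNET = ipaddress.ip_address("198.51.100.7")       # beyond both routers
SOURCES = [HOST_INTERNAL, JAIL_INTERNAL, JAIL_DMZ]
DESTS = [ipaddress.ip_address("192.168.1.50"),
         ipaddress.ip_address("203.0.113.50"), INTERNET]

if __name__ == "__main__":
    for gw in (INTERNAL_GW, EXTERNAL_GW):
        print(f"default router = {gw}")
        for (s, d), ok in reachability(gw, SOURCES, DESTS).items():
            print(f"  {s:>15} -> {d:<15} {'ok' if ok else 'unreachable'}")
```

Running it prints the two matrices the post argues about: with the NAT/firewall as default router, the DMZ jail reaches only its own subnet; with the perimeter firewall as default router, the host and the internal jail lose the internet while the DMZ jail gains it. Whichever default is chosen, one side is cut off, which is exactly the consequence of every sender sharing the same table.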