Best practices with network settings for virtualization

Miroslav Lachman 000.fbsd at
Tue May 13 17:44:22 UTC 2014

Julian Elischer wrote:
> On 5/13/14, 6:54 AM, Miroslav Lachman wrote:
>> I originaly posted this to virtualization@ list week ago. I didn't
>> recieved any answer, so maybe this list is better for questions like
>> the following.
>> I would like to ask some really experienced person - what is the best
>> way to run virtual guests connected to network with public IPs?
>> I think many people run unsecure setup with guests with simple bridged
>> network.
>> I know there are many options with tun, bridge, epair, VDE, Open
>> vSwitch etc., my main concern is the setup of network where each guest
>> can use only predefined MAC and predefined IP(s). If some malicious
>> user or malware in guest OS tried to change MAC od IP, I would like to
>> disallow that or do not allow any offending traffic to reach outside
>> network or any other guest running on the same machine.
>> Guests can be VirtualBox, Bhyve or anything else.
> Assuming you mean virtualization like bhyve and not virtualization like
> jails, ad that you can use private addresses for the VMs, you can still
> run each virtual machine inside a VNET jail, then using something like
> epair you can connect the jails to a central 'router' jail that runs
> ipfw and enforces what each jail sends out.
> If you want actual routable addresses on each jail (so that the jail
> sees the outside workd directly it's a bit more difficult because you
> can't act as a 'router' in the middle. Maybe others have more ideas.
> If you need to bridge a bunch of virtual machines so that they have
> addressable interfaces. you can run bhyve or VB inside a vnet jail as
> above but each jail would need to do its own enforcing by having its own
> ipfw, listenning on the virtual interface that is attaching to the
> bridge. I have not done htis but I'm sure it can be done. you'll need to
> experiment.
> just remember that each VNET jail can have it's own firewall and it's
> own interfaces. real or virtual.

Thank you for your answer.
I am mainly interested in to virtualization like Bhyve or VirtualBox 
with routable addresses in guest instances. So it is limited to some 
solutions with virtual network switch with IP+MAC ACL capability. But I 
didn't find any example of this setup on the internet.

Are VNET jails of production quality? And can be Bhyve / VirtualBox 
guest run inside of them? (each guest in separate vnet jail)

Miroslav Lachman

More information about the freebsd-net mailing list