VLANing between jails not segmenting traffic
Marko Cupać
marko.cupac at mimar.rs
Thu Nov  2 15:21:12 UTC 2017

On Thu, 2 Nov 2017 15:42:55 +0100
Michael Gmelin <grembo at freebsd.org> wrote:
> On Thu, 2 Nov 2017 13:19:31 +0100
> Marko Cupać <marko.cupac at mimar.rs> wrote:
> 
> > On Mon, 30 Oct 2017 22:46:35 +0100
> > Michael Gmelin <grembo at freebsd.org> wrote:
> >   
> > > You can use fibs with net.add_addr_allfibs=0 to get separate
> > > routing tables (comes with its own set of complications
> > > though).    
> > 
> > I hoped to go this way, but the fact that host (in fib0) replies to
> > icmp requests destined to jail with raw_sockets disabled (in fib 1)
> > via host's default gateway makes a really weird routing situation.
> 
> Shouldn't you be able to fix this using a pf pass rule with rtable?
I am sure it could be fixed as you said, but I don't want to introduce
more complexity with PF.
> Maybe you can share more of your setup, quite curious.
I wrote about that here on the list, and on -jail as well (both are
the same):
[https://lists.freebsd.org/pipermail/freebsd-jail/2017-September/003442.html]
[https://lists.freebsd.org/pipermail/freebsd-net/2017-October/049037.html]
I also got an off-list reply from a guy who says this behaviour was
introduced in 11.X and is not present in 10.X. I didn't have the time to
test on 10.X.
Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.
Marko Cupać
https://www.mimar.rs/
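As an added example, not part of the thread and not either poster's setup: one way to lay out the fib-per-jail arrangement the two replies discuss, with `net.add_addr_allfibs=0`, `raw_sockets` disabled in the jail, and the pf pass rule with `rtable` that Michael suggests for the host's ICMP replies. The interface name em0, VLAN id 10, the RFC 5737 addresses and both gateways are assumed placeholders.

```conf
# /boot/loader.conf
# net.fibs is a boot-time tunable; two tables: fib 0 for the host, fib 1 for the jail VLAN
net.fibs=2

# /etc/sysctl.conf
# the setting named in the thread: a new address is only added to its interface's fib
net.add_addr_allfibs=0

# /etc/rc.conf  (interface, VLAN id, addresses and gateways are assumed placeholders)
ifconfig_em0="inet 192.0.2.10/24"              # host side, fib 0
defaultrouter="192.0.2.1"                      # fib 0 default gateway
vlans_em0="10"
ifconfig_em0_10="inet 198.51.100.1/24 fib 1"   # jail VLAN lives in fib 1
static_routes="jailgw"
route_jailgw="-fib 1 default 198.51.100.254"   # fib 1 default gateway

# /etc/jail.conf
jail1 {
    path = "/jails/jail1";
    host.hostname = "jail1.example";
    ip4.addr = "em0.10|198.51.100.10/24";
    exec.fib = 1;            # commands started in the jail use routing table 1
    allow.raw_sockets = 0;   # as in the thread: the host, not the jail, answers ICMP
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
}

# /etc/pf.conf
# the rule suggested in the reply: ICMP aimed at the jail address is routed in
# fib 1 from the moment it arrives, so the host's echo reply leaves via
# 198.51.100.254 instead of the fib 0 default gateway. rtable only takes
# effect on inbound rules, i.e. before the route lookup has happened.
jail_if = "em0.10"
jail_ip = "198.51.100.10"
pass in quick on $jail_if inet proto icmp to $jail_ip rtable 1
```

Check the result with `setfib 1 netstat -rn` (the jail subnet and its default route should appear there and not in fib 0) and by watching the reply interface with `tcpdump -ni em0.10 icmp`.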