Network Configuration with Jails. [Resolved]

Félix Langelier felix.langelier at notarius.com
Thu Nov 29 12:33:30 PST 2007


> > Hello,
> >
> > I run a FreeBSD Jailer and I want to have multiple jails in 2 
> > separate networks. The server has 2 network interfaces and each of 
> > them is connected to a different network. Say vlan1 and vlan2.
> >
> > My problem is that all the network traffic is going through the 
> > first interface (vlan1). What I need is that a jail in vlan1 can't 
> > communicate with a jail in vlan2 (and vice-versa).
> >
> > Is it possible to split the network traffic to the right interfaces 
> > and use a different default gateway for each of them?
> >
> > Here is my /etc/rc.d configuration.
> >
> > defaultrouter="192.168.1.1"
> >
> > static_routes="vlan1 vlan2"
> > route_vlan1="-net 192.168.1.0/24 192.168.1.1"
> > route_vlan2="-net 192.168.2.0/24 192.168.2.1"
> >
> > # vlan1 interface config.
> > ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.0"
> > ifconfig_bge0_alias0="192.168.1.11 netmask 255.255.255.255"
> >
> > # vlan2 interface config.
> > ifconfig_bge1="inet 192.168.2.10 netmask 255.255.255.0"
> > ifconfig_bge1_alias0="inet 192.168.2.11 netmask 255.255.255.255"
> >
> > I tried to remove the default gateway but then the server was 
> > unreachable. I am thinking of using pf to resolve my issue.
> >
>
>PF is probably the way to go.  In particular using route-to to send traffic originating from 192.168.2.0/24 to 192.168.2.1
>
>I'm not totally sure what your static routes even accomplish.  The kernel will establish routes for directly connected networks automatically.
>
>So probably some rules of interest....
>
># keep jails from talking to each other
>block in on bge0 from 192.168.2.0/24 to 192.168.1.0/24
>block in on bge1 from 192.168.1.0/24 to 192.168.2.0/24
>
># ignore the default route
>pass out route-to (bge1 192.168.2.1) from 192.168.2.0/24 to ! 192.168.2.0/24 \
>     keep state
>
># redundant because of the default route
># which actually does what we want
>pass out route-to (bge0 192.168.1.1) from 192.168.1.0/24 to ! 192.168.1.0/24 \
>      keep state

It's working perfectly.

Thanks Josh !

--
Felix Langelier
Unix Sysadmin
felix.langelier at notarius.com
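For readers who want the rules from the thread as a complete, loadable ruleset: the /etc/pf.conf below is an added example, not the configuration posted by Félix or Josh. The interface names, networks and gateways are the ones from the original post; the macro names are my own. One assumption it makes beyond the thread: two jails on the same host reach each other over the loopback path rather than through bge0/bge1, so the isolation rules here are not bound to an interface and lo0 is deliberately not skipped.

```pf
# Added example /etc/pf.conf (not from the thread). Interfaces and
# addresses come from the original post; macro names are assumptions.
if_vlan1  = "bge0"
if_vlan2  = "bge1"
net_vlan1 = "192.168.1.0/24"
net_vlan2 = "192.168.2.0/24"
gw_vlan1  = "192.168.1.1"
gw_vlan2  = "192.168.2.1"

# Silently drop blocked packets instead of sending resets/ICMP errors.
set block-policy drop

# No "set skip on lo0": jail-to-jail traffic between addresses on the
# same host is delivered over loopback, so an interface-bound block rule
# on bge0/bge1 would never see it (assumption stated in the lead-in).

# Keep the two jail networks apart on whichever interface the packet
# appears. "quick" ends evaluation so no later pass rule can override it.
block in quick from $net_vlan1 to $net_vlan2
block in quick from $net_vlan2 to $net_vlan1

# Traffic from vlan2 jails would otherwise follow the host's single
# default route (192.168.1.1) out of bge0. route-to rewrites the
# next hop so it leaves via bge1 towards vlan2's own gateway.
pass out quick route-to ($if_vlan2 $gw_vlan2) \
    from $net_vlan2 to ! $net_vlan2 keep state

# vlan1 traffic already follows the default route; this rule only makes
# the two networks symmetric and explicit.
pass out quick route-to ($if_vlan1 $gw_vlan1) \
    from $net_vlan1 to ! $net_vlan1 keep state
```

pf passes any packet no rule matches, so this ruleset adds isolation and per-network routing without otherwise restricting the host. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, enable pf with `pf_enable="YES"` in /etc/rc.conf, and confirm the loaded rules with `pfctl -sr`. To verify the isolation, attempt a connection from a jail on 192.168.1.0/24 to a jail on 192.168.2.0/24 and watch it time out while `pfctl -si` shows the block counters increasing.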


More information about the freebsd-questions mailing list