Multiple bhyve Guests, Single bridge/tap?

Vincent Olivier vincent at up4.com
Thu Dec 29 22:46:41 UTC 2016


Hi!

I made a little diagram of the situation that I posted on Twitter. If you are aggressive enough with the web interface you can see a full-size version where the labels are clear enough to read.

https://twitter.com/MUP4/status/814595352112283649

I had fun doing it. Hope it provides a little bit of joy to you helpful guys too! :)

> On Dec 29, 2016, at 1:09 PM, Matt Churchyard <churchers at gmail.com> wrote:
> 
> As mentioned a bridge is the virtual equivalent of a switch. It only really makes sense to have more than one bridge if you have more than one interface on your guest(s), and want to connect those interfaces to separate networks. (Or you want some guests on a different network, possibly bridged to a different physical interface).


That is why I made the above diagram. There are multiple networks and multiple interfaces, etc.

> If you want to provide complete network separation between guests, it's much easier to just use the 'private' option to ifconfig when bridging the guest's tap interface. Any bridge member set to private can not talk to any other private bridge member. Of course this is only really applicable in multi-tenant situations like Aryeh says. If they are all your own guests, the fact that they can see each other on the network should hopefully be a non-issue.

Got it. I think that the planned architecture illustrated in the diagram provides the adequate level of isolation.

Here is an explanation of the guest virtual machines and their intended uses:

CINQ: this is the bare-metal OS; it provides a Samba service on a ZFS pool to both the 1G and the 10G networks. It also contains all the other virtual machines.

PFSENSE: I guess this is the most sensitive network-wise. It has to provide a DHCP service for both the 1G and the 10G networks (with separate subnets). It provides NAT routing, bandwidth shaping, etc. to the ADSL MODEM for internet access on the 1G network only (not the 10G). Also only for the 1G network, there should be an HTTP/HTTPS proxy (probably squid, depending on what pfsense supports) that transparently further proxies *.onion and *.i2p routing to relevant HTTP/HTTPS/SOCKS proxy services on the ALTNET machine.

ALTNET: “dark web proxy” accessible explicitly or via PFSENSE traffic, uses the internet connection provided by PFSENSE. Requires access to the 1G network (for explicit access), and to the PFSENSE for the Squid transparent proxying and internet for software updates.

UNIFI: network device management for the 1000BASE-T SWITCH and the UNIFI 802.11 AP (access point). Requires access to the 1G network (where the devices are) and the internet for software updates.

CULTURED: modified forked-daapd service for the 1G network. Requires internet access via PFSENSE for software updates.


So I guess my only question is: will that work?

Thank you all in advance. Maybe I’m getting too excited but with bhyve, FreeBSD makes a lot of sense for the always-on home appliance that I always dreamed of…

Take care,

Vincent
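The setup discussed in this thread (one bridge per physical network, guest tap interfaces as members, and the `private` member flag for the multi-tenant case) written out as a FreeBSD ifconfig script. This is an added example, not code from the thread or from bhyve; the uplink names (em0, ix0) and tap numbering are assumptions, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: one bridge per physical network,
# guest tap interfaces attached as members, with an optional "private" flag
# for the multi-tenant case Matt describes. Interface names are assumptions.
# With DRY_RUN=1 the ifconfig commands are printed instead of executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_bridge BRIDGE UPLINK: create the virtual switch and add the physical
# NIC as a member so guests on this bridge reach the wire.
make_bridge() {
    run ifconfig "$1" create
    run ifconfig "$1" addm "$2" up
}

# add_guest BRIDGE TAP [private]: create the guest's tap and attach it.
# A private member exchanges frames only with non-private members (the
# uplink here), never with other private members on the same bridge.
add_guest() {
    run ifconfig "$2" create
    run ifconfig "$1" addm "$2"
    if [ "${3:-}" = "private" ]; then
        run ifconfig "$1" private "$2"
    fi
}

# The layout from the diagram: PFSENSE on both networks, the rest on 1G only.
# All guests belong to one owner, so none of them are marked private.
plan_home_lab() {
    make_bridge bridge0 em0        # 1G network (em0 assumed)
    make_bridge bridge1 ix0        # 10G network (ix0 assumed)
    add_guest bridge0 tap0         # PFSENSE, 1G side
    add_guest bridge1 tap1         # PFSENSE, 10G side
    add_guest bridge0 tap2         # ALTNET
    add_guest bridge0 tap3         # UNIFI
    add_guest bridge0 tap4         # CULTURED
}

# Preview: DRY_RUN=1 sh bridges.sh apply    Apply (as root): sh bridges.sh apply
if [ "${1:-}" = "apply" ]; then
    plan_home_lab
fi
```

For a multi-tenant host, pass `private` as the third argument of `add_guest` for each tenant's tap; those guests still reach the uplink but not each other.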
