On 12/30/14 1:59 AM, Jason Healy wrote:
On Dec 29, 2014, at 1:28 AM, Julian Elischer <jul...@freebsd.org> wrote:
to some extent this is what it was written for.. teh fib code was written for
Ironport/Cisco for separating the management port from the data ports onn their
appliances, however the VNET code that came later is an even cleaner way of
doing it and FIBs were only used by Ironport because VNET was not yet
available. Have you tried vnet jails for interface isolation?
I freely admit that I haven’t. I’m just coming over to FreeBSD and while I’m
aware of jails, I thought of them more as service isolation than for routing.
I’m searching around for a moment, and I’m not 100% sure this is going to work
for my use case. Can you confirm that jails would be the most appropriate way
to solve my problem? These are the major requirements:
- A router/firewall that will perform NAT from an internal RFC1918 space to
public IPv4, as well as stateful firewalling of IPv6 packets passed to it.
- 3 interfaces:
1) Transit interface (10g, packets to/from PF are received/sent on this
interface)
2) PFsync (to connect to a second box for active-active PF)
3) Management (LAN side only)
the only hitch may be the pfsync stuff.. I have no idea about how
virtualised that is and I never use pf..or pfsync.
Basically you can assign a complatly separate network stack to teh
management interface, (or the other ones)
and run whatever the appliation is in the jail.. it's still possible
to communicate with the jailed processes using shared files or fifos,
but they have a completely separate network stack and are therefore
completely unaware of the management interface.
Each jail (if enabled with vnet option) has itsl own interfaces,
routing tables, firewall(s) etc.
- Separate routing tables for the transit and management interfaces, so that
the transit interface can have a default route that is distinct from that of
the management network.
It sounds to me that if I ran this as a jail, I’d need to throw the 10g transit
interface and the pfsync interface into the jail, and leave the management
interface on the host. I’d probably need to run PF in the jail as well? Or
are we just using the jail to isolate the routing tables, and I’d still run PF
on the host?
I’m happy to provide more details on the setup in case there’s a better way to
architect this. I’m a Debian/OpenBSD guy, so I’m sorry if I don’t have all the
terminology sorted out yet...
I will still file a bug against the FIB code, as it sounds like that’s not
working as intended/designed.
Thanks,
Jason
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
