> On 29 Dec 2014, at 19:17 , Julian Elischer <jul...@freebsd.org> wrote: > > On 12/30/14 1:59 AM, Jason Healy wrote: >> On Dec 29, 2014, at 1:28 AM, Julian Elischer <jul...@freebsd.org> wrote: >> >>> to some extent this is what it was written for.. teh fib code was written >>> for Ironport/Cisco for separating the management port from the data ports >>> onn their appliances, however the VNET code that came later is an even >>> cleaner way of doing it and FIBs were only used by Ironport because VNET >>> was not yet available. Have you tried vnet jails for interface isolation? >> I freely admit that I haven’t. I’m just coming over to FreeBSD and while >> I’m aware of jails, I thought of them more as service isolation than for >> routing. >> >> I’m searching around for a moment, and I’m not 100% sure this is going to >> work for my use case. Can you confirm that jails would be the most >> appropriate way to solve my problem? These are the major requirements: >> >> - A router/firewall that will perform NAT from an internal RFC1918 space to >> public IPv4, as well as stateful firewalling of IPv6 packets passed to it. >> >> - 3 interfaces: >> 1) Transit interface (10g, packets to/from PF are received/sent on this >> interface) >> 2) PFsync (to connect to a second box for active-active PF) >> 3) Management (LAN side only) > the only hitch may be the pfsync stuff.. I have no idea about how virtualised > that is and I never use pf..or pfsync.
pf and VNETs are a cause for panic at the moment; don’t go that route (yet). > Basically you can assign a complatly separate network stack to teh management > interface, (or the other ones) > and run whatever the appliation is in the jail.. it's still possible to > communicate with the jailed processes using shared files or fifos, but they > have a completely separate network stack and are therefore completely unaware > of the management interface. > Each jail (if enabled with vnet option) has itsl own interfaces, routing > tables, firewall(s) etc. > > > >> - Separate routing tables for the transit and management interfaces, so >> that the transit interface can have a default route that is distinct from >> that of the management network. >> >> It sounds to me that if I ran this as a jail, I’d need to throw the 10g >> transit interface and the pfsync interface into the jail, and leave the >> management interface on the host. I’d probably need to run PF in the jail >> as well? Or are we just using the jail to isolate the routing tables, and >> I’d still run PF on the host? >> >> I’m happy to provide more details on the setup in case there’s a better way >> to architect this. I’m a Debian/OpenBSD guy, so I’m sorry if I don’t have >> all the terminology sorted out yet... >> >> I will still file a bug against the FIB code, as it sounds like that’s not >> working as intended/designed. >> >> Thanks, >> >> Jason >> >> >> >> > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org" — Bjoern A. Zeeb Charles Haddon Spurgeon: "Friendship is one of the sweetest joys of life. Many might have failed beneath the bitterness of their trial had they not found a friend." _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
