> On 30. Oct 2017, at 22:26, Eugene Grosbein <eu...@grosbein.net> wrote:
>
> 31.10.2017 4:08, Farhan Khan wrote:
>> Hi all,
>>
>> I am trying to experiment with setting up two jails on different VLANs, but
>> have not been able to segment traffic.
>>
>> My configuration was to create vlan1 for jail1 and vlan2 for jail2.
>>
>> I did the following commands:
>> ifconfig vlan1 create vlan 1 vlandev em0
>> ifconfig vlan1 10.1.0.1/24
>> ifconfig vlan2 create vlan 2 vlandev em0
>> ifconfig vlan2 10.2.0.1/24
>>
>> Within each jail, I set the interface to be vlan1 and vlan2 and assigned
>> them the IP addresses 10.1.0.2/24 and 10.2.0.2/24, respectively.
>>
>> I can still have connectivity between the two VLANs.
>>
>> Oddly enough, jail1 with IP 10.1.0.2 does not even have a static route
>> outbound at all. An `ifconfig` shows 0xffffff00 (/24), so my expected
>> behavior would be to say "unable to route". It can even connect to the
>> external interface's IP address. At a minimum it should not even know how to
>> connect to the 10.2.0.0/24 network at all.
>>
>> I was advised that its connectivity is because jails use the base system's
>> routing table. If so, how could one possibly separate network traffic?
>> That's the entire purpose of VLANing.
>>
>> I have been advised to use pf to prevent that, but shouldn't VLANing provide
>> that separation mechanism? I do not know what I might be doing wrong here.
>
> It seems you are looking for isolated network stacks for jails, each having
> a distinct route table etc.
> You need options VIMAGE for your kernel and to create jails with the vnet option
> (man jail)
> to obtain this feature.
>
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
You can use fibs with net.add_addr_allfibs=0 to get separate routing tables
(comes with its own set of complications though).

-m
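The FIB approach -m mentions, worked through as an added example that is not part of the thread: each VLAN is bound to its own FIB before its address is set, so with net.add_addr_allfibs=0 the connected /24 lands only in that FIB, and a jail started with exec.fib in that FIB has no route to the other VLAN. It assumes em0 as the parent NIC, net.fibs=3 already in /boot/loader.conf, host-side addresses 10.1.0.1 and 10.2.0.1, and jail roots under /jails; the default mode only prints the plan for review, while "apply" runs it as root on FreeBSD.

```shell
#!/bin/sh
# Added example, not from the thread: give jail1/jail2 on vlan1/vlan2 their own
# routing tables with FIBs, the approach -m mentions.  Assumed: em0 is the
# parent NIC, /boot/loader.conf already has net.fibs=3 (FIB 0 host, 1 and 2
# for the jails), and the host-side VLAN addresses are 10.1.0.1 and 10.2.0.1.
set -eu

# Commands that bind one VLAN to its own FIB.  The fib is set before the
# address so that, with net.add_addr_allfibs=0, the connected /24 lands only
# in that FIB: FIB 1 never learns 10.2.0.0/24.  Complication: FIB 0 (the host)
# no longer sees the jail networks either, so host-to-jail traffic needs
# "setfib 1 ..." or an explicit route added to FIB 0.
fib_plan() {
    fib=$1 vid=$2 dev=$3 addr=$4
    printf 'sysctl net.add_addr_allfibs=0\n'
    printf 'ifconfig vlan%s create vlan %s vlandev %s\n' "$vid" "$vid" "$dev"
    printf 'ifconfig vlan%s fib %s\n' "$vid" "$fib"
    printf 'ifconfig vlan%s inet %s/24\n' "$vid" "$addr"
}

# jail.conf stanza: exec.fib makes every process started in the jail use that
# FIB, and "iface|addr" in ip4.addr puts the jail address on the VLAN at start.
# With a VIMAGE kernel, replace exec.fib by: vnet; vnet.interface = "vlan1";
jail_stanza() {
    name=$1 fib=$2 vid=$3 addr=$4
    printf '%s {\n' "$name"
    printf '    path = "/jails/%s"; exec.start = "/bin/sh /etc/rc";\n' "$name"
    printf '    exec.fib = %s;\n' "$fib"
    printf '    ip4.addr = "vlan%s|%s/24";\n' "$vid" "$addr"
    printf '}\n'
}

# Checks to run after applying: the jail's FIB must list only its own /24,
# and a ping from the jail to the other VLAN must fail (no route in its FIB).
check_plan() {
    printf 'setfib %s netstat -rn -f inet\n' "$1"
    printf 'jexec %s ping -c 1 %s && echo "FIB %s leaks to the other VLAN"\n' "$2" "$3" "$1"
}

case "${1:-plan}" in
    apply)  # run the plan for real and append the stanzas to jail.conf
        fib_plan 1 1 em0 10.1.0.1 | sh -ex
        fib_plan 2 2 em0 10.2.0.1 | sh -ex
        { jail_stanza jail1 1 1 10.1.0.2; jail_stanza jail2 2 2 10.2.0.2; } >>/etc/jail.conf ;;
    *)      # default: only print what would be done, for review
        fib_plan 1 1 em0 10.1.0.1; fib_plan 2 2 em0 10.2.0.1
        jail_stanza jail1 1 1 10.1.0.2; jail_stanza jail2 2 2 10.2.0.2
        check_plan 1 jail1 10.2.0.2; check_plan 2 jail2 10.1.0.2 ;;
esac
```

For traffic that must leave a VLAN, a per-FIB default route (setfib 1 route add default <gateway on vlan1>) is still needed, since nothing from FIB 0 is copied into the jail FIBs.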