Hi all,

> On 19.05.2025 at 19:28, Paul Vixie <p...@redbarn.org> wrote:
>
> If we move all member ifaddrs to the bridge itself, then will arp requests
> always have to be broadcast on all member interfaces? If so this is
> intolerable from a security perspective, a complete nonstarter.

I am not quite sure I follow. A bridge by definition creates a single broadcast domain, so any frame with a layer 2 broadcast destination address must necessarily be flooded to all member ports.

If you want separate broadcast domains for e.g. a dozen epairs, you place an IP address on the host side, another IP address in a matching prefix on the jail side, and use the host as the default gateway for the jail.

If you want a couple of jails to share a "virtual switch", you place no IP addresses on any of the host sides, only on the jail sides - all in the same prefix - and a single address on the bridge to again provide the default gateway to the jails.

You either place IP addresses on interfaces, but then you don't bridge but route. Or you bridge, but then you do not put IP addresses on the bridge members. This restriction has been in place since the introduction of if_bridge(4) in FreeBSD in 2005.

I insist on repeating this point although I am not participating in development of networking or any part of the kernel, mainly because - as some might know - I am a very active member of the FreeNAS/TrueNAS community providing a lot of free support. And during the years the main FreeNAS/TrueNAS platform was FreeBSD, the proper configuration of networking for jails was by far one of the most frequent support issues occurring. Mainly because iX had got their own implementation wrong in the first place, so you needed to manually work around FreeNAS' defaults.

Kind regards,
Patrick
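The rule stated in the message above ("you bridge, but then do not put IP addresses on the bridge members") is easy to violate by accident. The following script is an added example, not code from the thread or from FreeBSD: it parses ifconfig(8)-style output (a constructed sample is embedded; the interface names and addresses in it are made up) and reports every bridge member that carries an inet or inet6 address, so the misconfiguration can be caught in a health check. The function name check_bridge_members is mine.

```shell
#!/bin/sh
# Added example: flag bridge member interfaces that carry an IP address.
# Reads ifconfig(8)-style output on stdin, prints "bridge member addr..."
# for every offending member and returns 1 when at least one was found.

check_bridge_members() {
    awk '
        # Interface header line ("epair0a: flags=..."): remember the name.
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface); next }
        # "member:" lines only occur inside a bridge block; record them in
        # order so the report is deterministic.
        $1 == "member:" { members[++n] = $2; parent[$2] = iface; next }
        # Address lines are indented; note which interface carries one.
        /^[ \t]+inet6? / { addr[iface] = addr[iface] " " $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                m = members[i]
                if (m in addr) { print parent[m] " " m addr[m]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample: bridge0 with two epair host sides as members; epair0a
# wrongly has an address of its own while epair1a is configured correctly.
SAMPLE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:b4
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:c0:2a:5d:8e:0a
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:c0:2a:5d:8e:0b'

# Usage on the constructed sample; on a live host pipe `ifconfig` in instead.
printf '%s\n' "$SAMPLE" | check_bridge_members \
    || echo "bridge members with IP addresses found (see above)"
```

On a real system run `ifconfig | check_bridge_members` and treat a non-zero return as a configuration error. The check looks only at interfaces listed as members of a bridge, so addresses on the bridge itself or on routed epair host sides are, as the message describes, left alone.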