routing issue with Jail hosts :: suggestion requested
Devin Teske
devin.teske at fisglobal.com
Tue Jan 8 20:39:48 UTC 2013
Maybe giving each of the jails their own networking stack would help?
Do you know about VIMAGE?
I have a boot script that makes it easy to test out this new/experimental (yet very stable) feature:
http://druidbsd.sf.net/vimage.shtml
--
Devin
On Jan 8, 2013, at 12:07 PM, Free BSD wrote:
> Dear List Members
>
> I have a scenario where I have an unusual routing need. This is one server with two (or more) interfaces. One of the interfaces is connected to a public IP network; the other is connected to the LAN. This box is NOT a gateway machine, just a box serving on two sides of the network. Network diagram below:
>
> Interface em1
> Public IP Network
> Connected to Gateway a.b.c.1 <---+
>                                  |
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @                                |                                 @
> @               +----------------+----------------+                @
> @               |                                 |                @
> @   +-----------+------------+        +-----------+------------+   @
> @   |        Jail 01         |        |        Jail 02         |   @
> @   |   Public IP a.b.c.4    |        |   Public IP a.b.c.5    |   @
> @   |   Gateway a.b.c.1      |        |   Gateway a.b.c.1      |   @
> @   +------------------------+        +------------------------+   @
> @                                                                  @
> @                                                                  @
> @                                                                  @
> @   +------------------------+        +------------------------+   @
> @   |        Jail 03         |        |        Jail 04         |   @
> @   |  Private IP x.y.z.101  |        |  Private IP x.y.z.102  |   @
> @   |   Gateway x.y.z.1      |        |   Gateway x.y.z.1      |   @
> @   +-----------+------------+        +-----------+------------+   @
> @               |                                 |                @
> @               +----------------+----------------+                @
> @                                |                                 @
> @   Main Host Server             |                                 @
> @   Private IP x.y.z.100         |                                 @
> @   GW x.y.z.1                   |                                 @
> @                                |                                 @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>                                  |
> Interface em0                    |
> Local Area Network/Private IP    |
> Connected to GW x.y.z.1 <--------+
>
> Now, the problem is, jails 03 and 04 need to use the default route for the LAN, since the main firewall on the network does a NAT to these jails. At the same time, jails 01 and 02 need to use the default route for the public network, since there are port mappings on them. I will use pf for firewalling, so only certain traffic from certain directions is allowed. But some traffic is common and could be from any source (i.e., http/S, smtp/S). So, there is http running in jail 01 and jail 03 (two entirely different servers, serving different sites), or smtp/S on jail 02, which too could come from anywhere.
>
> Given that /by default/ all jails use the default route of the host system, I am looking into a possible work-around/solution and would appreciate your feedback on this matter. If there has been any discussion along similar lines, Google failed to find it for me (I have been looking for the last two days, but most of what I found deals with using ipfw and NAT on the same interface -- I am connecting different interfaces to different networks, and would prefer that isolation). If anyone is aware of any such discussion, I would appreciate links/pointers to it too.
>
> Thanks all.
>
> _______________________________________________
> freebsd-jail at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
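As an added illustration of Devin's VIMAGE suggestion (example config written for this page, not code from the thread or from his vimage boot script), a jail.conf fragment that gives jail01 and jail03 from the diagram their own network stacks, each with the default route it needs. It assumes a FreeBSD kernel built with "options VIMAGE", jail.conf support (FreeBSD 9.1 or later), /24 prefixes on both networks, and bridge0 over em0 and bridge1 over em1 already created on the host (rc.conf: cloned_interfaces="bridge0 bridge1", ifconfig_bridge0="addm em0 up", ifconfig_bridge1="addm em1 up").

```conf
# Added example (not from this thread): per-jail network stacks with VIMAGE.
# Assumptions: kernel with "options VIMAGE"; bridge0 on em0 (LAN, x.y.z.0/24)
# and bridge1 on em1 (public, a.b.c.0/24) already exist on the host.

# Settings shared by every jail
exec.clean;
mount.devfs;
path = "/jails/$name";
host.hostname = "$name";
vnet;                                   # own interfaces and own routing table
exec.stop = "/bin/sh /etc/rc.shutdown";

# Jail 01: public side only, default route to a.b.c.1 (top box in the diagram)
jail01 {
    vnet.interface = "epair1b";         # the b end moves into the jail
    exec.prestart  = "ifconfig epair1 create";
    exec.prestart += "ifconfig epair1a up";
    exec.prestart += "ifconfig bridge1 addm epair1a";   # public bridge only
    exec.start     = "ifconfig epair1b inet a.b.c.4/24 up";
    exec.start    += "route add default a.b.c.1";       # jail-local default route
    exec.start    += "/bin/sh /etc/rc";
    exec.poststop  = "ifconfig epair1a destroy";        # removes both ends
}

# Jail 03: LAN side only, default route to x.y.z.1 (lower box in the diagram)
jail03 {
    vnet.interface = "epair3b";
    exec.prestart  = "ifconfig epair3 create";
    exec.prestart += "ifconfig epair3a up";
    exec.prestart += "ifconfig bridge0 addm epair3a";   # LAN bridge only
    exec.start     = "ifconfig epair3b inet x.y.z.101/24 up";
    exec.start    += "route add default x.y.z.1";
    exec.start    += "/bin/sh /etc/rc";
    exec.poststop  = "ifconfig epair3a destroy";
}
```

Because routing and interface tables are per jail, jail03 has no route to a.b.c.0/24 at all and jail01 none to the LAN, which is the isolation the original post asks for. Host-side pf sees the bridged traffic only on member interfaces where net.link.bridge.pfil_member or net.link.bridge.pfil_bridge is enabled, so check those sysctls before relying on the host rules.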