vnet jails on VLAN subinterfaces

Julien Cigar julien at perdition.city
Thu Jun 4 13:44:15 UTC 2020


On Thu, Jun 04, 2020 at 01:38:32PM +0200, JÁKÓ András wrote:
>  Hello everyone,

Hello,

> 
> I've already asked this on forums.freebsd.org, but didn't get an answer
> yet. I hope someone can answer it here.
> 
> I'd like to use 802.1Q tagged VLANs on an Ethernet interface, one VLAN
> per jail. I assigned VLAN subinterfaces to the jail's network stacks:
> 
> em0 - em0.99 (host)
> em0 - em0.100 (jail0)
> em0 - em0.101 (jail1)
> 
> Here em0 and em0.99 belong to the base system while em0.10[01] belong to
> the jails' network stacks.
> 
> This works perfectly so far. But I didn't see this setup mentioned
> anywhere, that's why I'm curious whether this is a "valid" setup, do I use
> vnet correctly? Or does it only work by accident?
> 

In your case it's OK, but as VLAN ids are unique per interface you need
x different physical interfaces if x jails (VNET) need to be in the same
VLAN (and use the same interface).

The best option is to use SR-IOV (if your interface supports it) to have
multiple virtual NICs, or to use bridge + epair (which has a huge
performance impact due to a locking issue in if_bridge, although this is
fixed in -CURRENT by @kp).

> 
> I found vnet jail examples using one epair per jail, which is connected
> to the physical interface by a bridge. With tagged 802.1Q VLANs this
> could look something like the following:
> 
> em0 - em0.99 (host)
> em0 - em0.100 - bridge0 - epair0a - epair0b (jail0)
> em0 - em0.101 - bridge1 - epair1a - epair1b (jail1)
> 
> Here epair[01]b belong to the jails' network stacks, and all other
> interfaces to the base system. This works too, but is more complicated
> than the one without bridges and epairs.
> 
> András
> _______________________________________________
> freebsd-jail at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
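
Added example, not part of the original thread or written by either poster: a jail.conf sketch of the two layouts discussed above, the VLAN subinterface moved straight into the jail and the bridge + epair variant for jails that must share one VLAN. Jail names, paths, VLAN 102, bridge102 and the epair unit numbers are assumptions.

```conf
# Constructed example: jail names, paths, VLAN IDs and interface units are assumptions.
# Assumes em0 is up on the host and the switch port carries VLANs 100-102 tagged.

# Defaults shared by every jail below.
path = "/jails/$name";
host.hostname = "$name";
vnet;
mount.devfs;
exec.clean;
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";

# Layout 1 (one VLAN per jail): the VLAN subinterface is created on the host
# and moved into the jail's network stack; no bridge or epair is involved.
jail0 {
    vnet.interface = "em0.100";
    exec.prestart  = "ifconfig em0.100 create";
    exec.poststop  = "ifconfig em0.100 destroy";
}
jail1 {
    vnet.interface = "em0.101";
    exec.prestart  = "ifconfig em0.101 create";
    exec.poststop  = "ifconfig em0.101 destroy";
}

# Layout 2 (two jails in the same VLAN): em0.102 can exist only once, so it
# stays on the host as a bridge member and each jail gets one end of an epair.
# Assumed host-side setup, run once before these jails start:
#   ifconfig em0.102 create up
#   ifconfig bridge102 create addm em0.102 up
jail2 {
    vnet.interface = "epair2b";
    exec.prestart  = "ifconfig epair2 create";
    exec.prestart += "ifconfig epair2a up";
    exec.prestart += "ifconfig bridge102 addm epair2a";
    exec.poststop  = "ifconfig epair2a destroy";
}
jail3 {
    vnet.interface = "epair3b";
    exec.prestart  = "ifconfig epair3 create";
    exec.prestart += "ifconfig epair3a up";
    exec.prestart += "ifconfig bridge102 addm epair3a";
    exec.poststop  = "ifconfig epair3a destroy";
}
```

In layout 1 each jail sees only its own tagged VLAN and never the parent em0; in layout 2 the jails on bridge102 share one layer-2 segment and can reach each other directly.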

