VLANing between jails not segmenting traffic
Michael Gmelin
grembo at freebsd.org
Thu Nov 2 15:53:43 UTC 2017
On Thu, 2 Nov 2017 16:21:01 +0100
Marko Cupać <marko.cupac at mimar.rs> wrote:
> On Thu, 2 Nov 2017 15:42:55 +0100
> Michael Gmelin <grembo at freebsd.org> wrote:
>
> > On Thu, 2 Nov 2017 13:19:31 +0100
> > Marko Cupać <marko.cupac at mimar.rs> wrote:
> >
> > > On Mon, 30 Oct 2017 22:46:35 +0100
> > > Michael Gmelin <grembo at freebsd.org> wrote:
> > >
> > > > You can use fibs with net.add_addr_allfibs=0 to get separate
> > > > routing tables (comes with its own set of complications
> > > > though).
> > >
> > > I hoped to go this way, but the fact that host (in fib0) replies
> > > to icmp requests destined to jail with raw_sockets disabled (in
> > > fib 1) via host's default gateway, making a really weird routing
> > > situation.
> >
> > Shouldn't you be able to fix this using a pf pass rule with
> > rtable?
>
> I am sure it could be fixed as you said, but I don't want to introduce
> more complexity with PF.
It would be something simple like
"pass proto icmp to y rtable n"
If you're not already using pf you obviously don't want to introduce
it only to solve this problem.
>
> > Maybe you can share more of your setup, quite curious.
>
> I wrote about that here on the list, and on -jail as well (both are
> the same):
> [https://lists.freebsd.org/pipermail/freebsd-jail/2017-September/003442.html]
> [https://lists.freebsd.org/pipermail/freebsd-net/2017-October/049037.html]
>
> I also got an off-list reply from a guy who says this behaviour was
> introduced in 11.X, and not present in 10.X. Didn't have the time to
> test on 10.X.
I only use 10.x for complex networking in production right now :/
-m
>
> Regards,
--
Michael Gmelin
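The fib plus pf combination discussed in this thread, spelled out as a configuration example. This is added here and is not configuration from either poster; the interface name, the jail address (an RFC 5737 documentation address) and the choice of fib 1 for the jail are constructed assumptions, and the single `rtable` rule is the shape of the "pass proto icmp to y rtable n" suggestion above.

```conf
# /boot/loader.conf -- two routing tables: fib 0 for the host, fib 1 for the jail
net.fibs=2

# /etc/sysctl.conf -- do not copy every interface address/route into every fib,
# so fib 1 only sees what is explicitly configured for it
net.add_addr_allfibs=0

# /etc/pf.conf -- names and addresses below are assumptions for this example
ext_if  = "em0"            # assumed uplink interface
jail_ip = "192.0.2.10"     # assumed jail address, configured in fib 1

set skip on lo0

# ICMP aimed at the jail is matched on the way in and its route lookup is
# pinned to fib 1, so the reply generated by the host stack is routed from
# the jail's table rather than leaving via fib 0's default gateway.
pass in quick on $ext_if inet proto icmp to $jail_ip rtable 1

# remaining policy unchanged; keep whatever rules the host already had
pass all
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and compare the two tables with `netstat -rn` and `setfib 1 netstat -rn` to confirm fib 1 carries the jail's routes and nothing inherited from fib 0.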