Change default NIC used by Bhyve for VM Traffic

DrexLock

Dabbler
Joined
Aug 26, 2016
Messages
16
I have an existing FreeNAS 11 machine set up and running for some time now. The hardware itself is pretty overkill for what I'm using it for, at the moment only general shares and Plex with potential plans for Bacula down the road. I've been considering leveraging bhyve to run a couple of VMs as well, but I've been stuck on changing the network config. When I create a VM, its networking is bridged off of my internal network NIC (192.168.1.x); what I'd like to do is change that so that it uses another NIC that I plan to connect to my DMZ (10.10.0.x). That way I can keep my shares and internal plugins on my secure internal LAN NIC while isolating my VMs that are internet facing on my DMZ NIC.
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
I believe what you're asking for should be coming in the FreeNAS 11.1 release. My understanding is that it should be released mid to end November.
 

dlavigne

Guest
To add to what @m0nkey_ said, it is in BETA1 which was released on Monday.
 

DrexLock

Dabbler
Joined
Aug 26, 2016
Messages
16
That would be fantastic if it's coming right around the corner. I was a little disappointed with how limited the VM functionality feels in the current 11.0. Increased flexibility could make this a game changer, at least for my use case.
 

Crolya

Cadet
Joined
Mar 25, 2013
Messages
5
Hi Guys. I'm searching for some help on a similar thread as this one, but not finding current postings. Just in case, I'll post here to see if you can redirect me or add the concept, for those considering the same.
I am looking to set up bhyve VMs and have them communicate on a separate interface, on a separate subnet, to try and move towards a DMZ VM on the NAS. I've got the router set up to segregate the traffic on the subnets and prevent access, as you would in a DMZ setup (using pfSense).
My worry is that despite all of this subnet segregation, there are vulnerabilities, native to the bhyve VM being hosted on FreeNAS, that will prevent me from trusting this setup as a casual DMZ (port forwarding only). I'm hoping to learn more about whether or not the VM, on its own interface/subnet, has access to the NAS's services in a negative way.
I'm somewhere between noob and seasoned-intermediate on this stuff, so please excuse any obvious things I've missed or left out of my description.
Thanks to any who can add to this post.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
If you think that using another NIC which is also connected to the same FreeNAS box as the first one will change anything, you're likely to be disappointed.

A VM doesn't have any ability to access the FreeNAS host resources, but there are bound to be vulnerabilities in bhyve which could be exploited to gain some kind of unapproved access.

Playing with bhyve probably wins you top prize for not being attractive to anyone hacking, as it's not broadly used and isn't likely to be the first (ESXi), second (KVM/QEMU) or even third (VirtualBox) virtualization platform (and I could continue to list at least 3 more) somebody would try when attempting to gain access to your guest by IP address/port redirection.

What it sounds like you're really trying to do is pass a NIC through to the VM for access directly... also be ready for disappointment (for now) as the proper support for that isn't really there in bhyve (although you may be able to do it if you're really determined and the kind of person who is prepared to try a million different ways before success), so waiting for FreeNAS 12 (based on FreeBSD 12) is the best bet there if you really must.

It's probably as safe as it needs to be just running with one NIC and having your VMs bridging to it.

By all means put a proper firewall and reverse proxy with SSL termination and access control (like two factor auth) in front of it and you're unlikely to have a problem.
 

Crolya

Cadet
Joined
Mar 25, 2013
Messages
5
Thanks much for the feedback.
It sounds like a stout firewall with over-protective rules will help me keep things as safe as they can be. I had thought VLAN tagging might help, but realize penetration risk will likely be the same.
I'll keep my eyes open for progress in this area as I believe VMs on FreeNAS to be a welcome addition.
Thanks again
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
It sounds like a stout firewall with over-protective rules will help me keep things as safe as they can be
Agreed. Ingress control is the most important, to ensure SSL for password and data exchange. nginx reverse proxy and pfSense are two very helpful products.
 

JohnB

Cadet
Joined
Dec 9, 2018
Messages
5
Posting this in case it may be helpful...

I have two virtual machines:

FreeBSD 12.1-RELEASE

CentOS Linux 8.1.1911

that I originally set up on FreeNAS 11.2-U7. I wanted to configure the VMs to use the second NIC, but after reading several posts here and elsewhere I concluded it wasn't possible, so I configured them in the default manner to share the primary NIC with FreeNAS.

Last night I noticed that FreeNAS 11.3-RELEASE was available, and upon reading the documentation it appeared I could do what I originally wanted.

After upgrading to FreeNAS 11.3-RELEASE I cabled the unused second NIC to the switch, edited the configuration of both VMs to use the second NIC, and started them. Both are now using the second NIC as expected. I'll post a follow-up if I discover any issues.
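As an added illustration (not code from any poster here, nor FreeNAS's own), this is the FreeBSD-level mechanism that putting a VM on a second NIC relies on: a separate bridge over the DMZ NIC with the guest's tap as a member, plus a check that the tap is not also a member of the LAN bridge, which is what Crolya's isolation worry comes down to. Interface names (em1, bridge1, tap1) and the ifconfig dump are constructed; with DRY_RUN=1 (the default) the commands are only printed.

```shell
# Added example, not from this thread or from FreeNAS itself. Interface names
# are assumed. DRY_RUN=1 (default) prints commands; DRY_RUN=0 runs them as root.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# dmz_bridge_up NIC BRIDGE TAP: create BRIDGE with NIC and TAP as members.
# Deliberately assigns no IP address to NIC or BRIDGE, so the host has no
# layer-3 presence on the DMZ segment and its own services (SMB, web UI)
# stay reachable only through the LAN interface.
dmz_bridge_up() {
    nic=$1; br=$2; tap=$3
    run ifconfig "$br" create
    run ifconfig "$br" addm "$nic" addm "$tap" up
    run ifconfig "$nic" up
    run ifconfig "$tap" up
}

# bridge_has_member BRIDGE IFACE: read an ifconfig dump on stdin and
# return 0 if IFACE is listed as a member of BRIDGE, 1 otherwise.
bridge_has_member() {
    awk -v br="$1" -v m="$2" '
        /^[a-z0-9]+:/ { cur = $1; sub(":", "", cur) }
        cur == br && $1 == "member:" && $2 == m { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Constructed, abridged ifconfig dump: tap1 sits only on bridge1 (DMZ).
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING> metric 0 mtu 1500
    member: em0 flags=143<LEARNING,DISCOVER>
bridge1: flags=8843<UP,BROADCAST,RUNNING> metric 0 mtu 1500
    member: em1 flags=143<LEARNING,DISCOVER>
    member: tap1 flags=143<LEARNING,DISCOVER>'

# isolation_ok LAN_BRIDGE DMZ_BRIDGE TAP: 0 only if TAP is on the DMZ
# bridge and absent from the LAN bridge (dump read from stdin).
isolation_ok() {
    dump=$(cat)
    printf '%s\n' "$dump" | bridge_has_member "$2" "$3" || return 1
    if printf '%s\n' "$dump" | bridge_has_member "$1" "$3"; then return 1; fi
    return 0
}

dmz_bridge_up em1 bridge1 tap1
printf '%s\n' "$SAMPLE_IFCONFIG" | isolation_ok bridge0 bridge1 tap1 && echo "tap1 isolated on bridge1"
```

On a live host, feed `ifconfig | isolation_ok bridge0 bridge1 tap1` to check the running state after the VM starts.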
 