- Joined
- May 26, 2011
- Messages
- 654
RESOLVED - see post #4
Hi,
I am scratching my head over how to set up a separate VLAN for my Jail. Below is a diagram of the current setup with the desired Jail config. Basically I have two VLANs defined on the router. Each VLAN has its own network and DHCP server. The router is connected to my HP ProCurve switch and the port is set to TRUNK mode with both VLANs tagged. Aside from the other devices connected to the switch, my FreeNAS box is there as well. The port for FreeNAS has VLAN7 set as Untagged and VLAN3 as Tagged.
- The FreeNAS NIC has IP 10.0.7.13 assigned via DHCP because of the Untagged VLAN flag.
- The Jail is supposed to be on VLAN3 and should get an IP assigned from the 10.0.3.1 gateway because its traffic is supposed to be tagged as VLAN3 - this is where I am stuck ...
Scenario 1 - All OK but not desired
- No VLANs
- epair0b gets an IP from the 10.0.7.1 network as there is no tagging, so it falls under VLAN7
Scenario 2:
- Created a VLAN3 interface with VLAN ID "3" and parent NIC "igb0" and assigned some IP from the same subnet
I was thinking about simply assigning this virtual NIC to the jail but the "NIC" drop-down is greyed out if VIMAGE is enabled. If I disable VIMAGE I see only physical NICs, not the virtual VLAN one. I don't see any possibility in the GUI, so it looks like it has to be done manually.
I've added vlan3 to bridge0. After doing so I GOT an IP from the DHCP server on the VLAN3 network (cool!); unfortunately I am not able to access anything outside my local network. I am not even able to ping the gateway on the same network I got the IP from.
Host (FreeNAS) setup (other brX and lo0 excluded):
Code:
#Ifconfig:
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=a8<VLAN_MTU,JUMBO_MTU,VLAN_HWCSUM>
	ether 00:25:90:XX:XX:XX
	inet 10.0.7.13 netmask 0xffffff00 broadcast 10.0.7.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:25:90:XX:XX:XX
	inet 10.0.3.89 netmask 0xffffff80 broadcast 10.0.3.127
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 3 parent interface: igb0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 02:58:c0:c0:68:00
	nd6 options=1<PERFORMNUD>
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 6 priority 128 path cost 2000
	member: vlan3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 4 priority 128 path cost 20000
	member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 1 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ff:20:00:06:0a
	nd6 options=1<PERFORMNUD>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active

#Routing tables
Destination        Gateway            Flags     Netif Expire
default            10.0.7.1           UGS        igb0
10.0.3.0/25        link#4             U        vlan30
10.0.3.89          link#4             UHS         lo0
10.0.7.0/24        link#1             U          igb0
10.0.7.13          link#1             UHS         lo0
127.0.0.1          link#3             UH          lo0
Jail setup (lo0 excluded):
Code:
#Ifconfig:
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 32:5e:39:26:37:43
	inet 10.0.3.50 netmask 0xffffff00 broadcast 10.0.3.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
Basically I got an IP from DNS on the 10.0.3.1 gateway but I cannot reach it (can't even ping it) or anything else on the network. What I CAN ping is the IP of the VLAN3 interface (10.0.3.89). What am I missing there? Some static route on the host (NAS)? But which one?
Also I am not quite confident that this is the proper way from a security perspective - having everything in one bridge (where other jails will be added as well) doesn't look OK. An interface in a bridge is set into promiscuous mode so it can receive every packet on the network. I don't care if the host system (NAS) can inspect every single packet (well, it has to, as it is the host system with the physical NIC), but my concern is whether whatever is inside the Jail can get anything from the host system or another Jail (on a different subnet/VLAN). Consider the fact that the security on the Router does not allow that and the Jail is actively isolated by FW rules from the rest of the local networks.
I've searched a bit and found some crumbs but still haven't figured out how to really have a separate VLAN for the jail. Note that I want to keep Jail traffic isolated from the host NAS (for security purposes) so it has to be on a different VLAN/network.
Sources I worked with:
https://forums.freenas.org/index.php?threads/vm-networking-vlan-tagging.48716/ // Corral-related, not much usable as there is bhyve in play
https://forums.freenas.org/index.ph...s-multi-jails-freenas-routing-question.39047/ // This was the closest situation but I got lost in between as there is LACP in play. Also the OP mentioned that the issue is with FreeNAS itself and that it works on pure FreeBSD (?)
http://shawndebnath.com/articles/2016/03/27/freebsd-jails-with-vlan-howto.html // This is basically similar to my "Scenario 1": host and Jail on the same subnet/VLAN. This works straight out of the box but is not my desired case :/
http://www.freebsd.cz/doc/handbook/network-bridging.html
http://www.freebsd.cz/doc/handbook/network-vlan.html
https://gathering.tweakers.net/forum/list_messages/1693573 // The thread is in Dutch so I've used Google Translate for the whole page. Not sure if the content was translated properly.
++ A bunch of local threads regarding VLANs
Thank you in advance for help!
Alex
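The bridge0 membership shown in the host output above (epair0a, vlan3 and igb0 in one bridge) is the kind of thing a defender wants to catch automatically: a bridge that contains a vlan(4) interface together with that vlan's own parent NIC joins the parent's untagged VLAN and the tagged VLAN into a single layer-2 domain, so the separation the VLAN was meant to give the jail no longer holds on the host. The following sh script is an added example, not code from the post or from FreeNAS; it parses ifconfig-style text (the sample embedded below is constructed, modelled on the host output in the post) and reports every bridge in which a VLAN interface and its parent are both members.

```shell
#!/bin/sh
# Added example (not from the forum post): audit FreeBSD ifconfig output for a
# bridge that contains both a vlan(4) interface and that vlan's parent NIC.
# Such a bridge merges the parent's untagged VLAN with the tagged VLAN into one
# layer-2 domain, which defeats the host/jail separation the VLAN was meant to give.

# Constructed sample, modelled on the bridge0/vlan3/igb0 output in the post.
SAMPLE_IFCONFIG='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.7.13 netmask 0xffffff00 broadcast 10.0.7.255
vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.3.89 netmask 0xffffff80 broadcast 10.0.3.127
        vlan: 3 parent interface: igb0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: vlan3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500'

# Reads ifconfig-style text on stdin. Prints one line "<bridge> <vlan> <parent>"
# for every bridge whose members include a vlan interface and that vlan's parent.
find_vlan_parent_in_bridge() {
    awk '
        # An unindented "name: flags=" line starts a new interface section.
        /^[^ \t]+: flags=/ { cur = $1; sub(/:$/, "", cur) }
        # "vlan: N parent interface: X" records the parent of the current vlan.
        /^[ \t]+vlan: [0-9]+ parent interface: / { parent[cur] = $5 }
        # "member: X" records X as a member of the current bridge.
        /^[ \t]+member: / { members[cur SUBSEP $2] = 1 }
        END {
            for (k in members) {
                split(k, pair, SUBSEP); br = pair[1]; m = pair[2]
                # Flag the bridge if member m is a vlan whose parent is also a member.
                if ((m in parent) && ((br SUBSEP parent[m]) in members))
                    printf "%s %s %s\n", br, m, parent[m]
            }
        }'
}

# Wrapper: returns 0 when no bridge mixes a vlan with its parent, 1 otherwise
# (offending bridges are listed on stdout).
audit_bridges() {
    hits=$(find_vlan_parent_in_bridge)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone run on the constructed sample. On a real host use:  ifconfig | audit_bridges
printf '%s\n' "$SAMPLE_IFCONFIG" | audit_bridges \
    || echo "WARNING: a VLAN interface and its parent share a bridge"
```

On the sample this prints `bridge0 vlan3 igb0` followed by the warning; a bridge holding only epair0a and vlan3 would pass. The check is deliberately limited to what ifconfig itself reports (the `parent interface:` and `member:` lines), so it needs no extra tooling on the NAS.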