Vnet Question

[bigops]

I have been playing with VNETs and have successfully used VNET for multiple jails. In all these cases the jails were associated with a single interface and everything works fine.

The Trunas device has multiple NICS and there is now a requirement to run a Jails in a different network segment. Since this segment has a lower security posture I would like to dedicate a NIC to this segment. While trying to configure this with Vnet0 and the bridge associated with the NIC the Jail comes up but is unable to ping anywhere other than its own IP address. (So the network stack is working)

I was able to make this to work by assigning another VNET and associating the bridge (with the interface in it ) to the new VNET.

My question is does every NIC that needs to be used individually require the creation of a separate VNET? If so what is the max number of VNETs that can be created?

Or am i doing something wrong?

Thanks

 

[Patrick M. Hausen]

The vnetx.y interfaces are created automatically. What you need to do is create one bridge interface for every physical or VLAN that will connect jails.

vnetx.y are in fact renamed epair interfaces. An epair is a virtual patch cable that behaves like an ethernet inside the jail and like a switch port outside the jail. The artefacts you see outside are bridged with the suitable physical/VLAN to connect the jail to the latter. You will end up with as many epair/vnet as you have jails. Or even more - a jail can have two or more interfaces.

Don't worry, the system easily supports thousands of them.

 

[bigops]

Thanks Patrick But that is not what I observed. In the network configuration it wanted me to specify the VNET and bridge. When the new Jail is created it does not give me an option to input anything other than Vnet0 here

In the networking configuration I can only specify VNET:Bridge (if I put bridge there alone it creates and error)

If I put in VNET0:Bridge3 the jail is created but it is not able to ping anywhere else outside the netowrk. So to make it work I had to put in VNET1:Bridge3 here, then save the Jail and then go back to the basic properties and then select Vnet1 here

After that everything seems to work. I still need to work on VLANs in this new VNET stack so before that I wanted to make sure I am following the accepted configuration

Thanks & Regards

 

[Patrick M. Hausen]

vnet0 is the first vnet interface of a jail, vnet1 the second etc. This is all from the jail's point of view. I'll have another look tomorrow or possibly on new year's day. If the jail is supposed to have only one interface, then vnet0:bridgeX is supposed to work.

 

[victort]

Can you share a screenshot of your interface settings? In the GUI

 

[bigops]

These are the Interface Settings. The interface that I am currently working with is igb0

em0 is already associated with other VNET Jails and the Oce0 for non VNET jails and holds the default route.

 

[victort]

This may be a silly question but is the VLAN able to communicate with the LAN?

And is your incoming traffic tagged properly? On each NIC?

 

[bigops]

I am dedicating the NIC to the specific network segment & Jail. So the traffic is untagged.

 

[bigops]

vnet0 is the first vnet interface of a jail, vnet1 the second etc. This is all from the jail's point of view. I'll have another look tomorrow or possibly on new year's day. If the jail is supposed to have only one interface, then vnet0:bridgeX is supposed to work.

Thanks Patrick. Have a wonderful new year

 

[victort]

The only member of the bridge should be the NIC you want it to connect to. In the image there are multiple bridge members.

 

[bigops]

Bridge 3 has only one Interface

 

[victort]

Bridge 3 has only one Interface

I think I’ll have to defer to Patrick. He’s helped me a ton with this network stuff. @Patrick M. Hausen

 

[bigops]

I was about to put this into Production network as the setting of having a separate VNET number seems to work fine. Does anyone think this is a bad idea?