jails Network segregation using bridges, routing, pf, and vnet jails

Hi all,

First of all, I would like to mention that I am not very familiar with the networking aspect of FreeBSD using vnet jails.
I already have read mwl's FreeBSD Mastery Jails, but as he mentions, these cases are beyond the scope of the book.

I've an old home i7 with 32GB of RAM that I would like to use to learn more about using /etc/jail.conf, instead of using sysutils/iocage or sysutils/bastille.

I would like to ask whether my first approach, as per the attached diagram, makes any sense and whether it falls under the accepted good practices.

My idea would be to connect the FreeBSD host directly to my ISP router configured in a DMZ.
Force all traffic through a jail, working as a firewall, attached to bridge0.
And use bridge1 and bridge2 to segregate jails and virtualizations.

Has anyone seen a recent practical example of such a configuration?

In any case, I would be more than happy to review any books or articles that you might think would help me.

Thanks in advance
 

Attachment: Screenshot from 2023-06-07 07-23-56.png (41 KB)

> Force all traffic through a jail, working as a firewall, attached to bridge0.

What is the sense of a firewall inside a separate jail? As for me, I prefer to do it on the host itself. Firewalling is an in-kernel process, and all jails use the single host kernel.
 
This idea seems curious, but why not? You will have to use several epairs, one per bridge/segregation. I have never tried that and don't know if it's possible. I guess it won't be easy, at least.

What I use at home is nearly the same, but the DMZ is directed to an interface that is 'passthru' to a bhyve VM. I get the packets after the firewall of this VM from a tap, a member of a bridge that is connected to my LAN (the LAN physical interface is a member of this bridge).
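To make the diagram from the first post and the "one epair per bridge" remark above concrete, here is an added /etc/jail.conf sketch (not from anyone in this thread) of a vnet firewall jail with three epairs plus one segregated jail behind it. It assumes em0 is the NIC on the ISP router's DMZ, jails live under /usr/local/jails, and the internal networks are 10.10.1.0/24 (bridge1, jails) and 10.10.2.0/24 (bridge2, bhyve taps); check the devfs ruleset number against your /etc/defaults/devfs.rules.

```conf
# /etc/jail.conf (added example; em0, paths and addresses are assumptions)
# Host /etc/rc.conf creates the bridges and gives the host no IP on em0,
# so the only thing reachable from the ISP router's DMZ is the fw jail:
#   cloned_interfaces="bridge0 bridge1 bridge2"
#   ifconfig_em0="up"
#   ifconfig_bridge0="addm em0 up"
#   ifconfig_bridge1="up"
#   ifconfig_bridge2="up"

exec.start  = "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 5;        # stock devfsrules_jail_vnet: unhides /dev/pf and bpf in the jail
path = "/usr/local/jails/$name";
host.hostname = "$name.home.lan";
vnet;

# Firewall jail: three epairs, the 'a' ends plugged into one bridge each,
# the 'b' ends moved into the jail's own network stack.  Inside the jail,
# /etc/rc.conf sets pf_enable="YES", gateway_enable="YES" and
# ifconfig_epair100b="DHCP" so the ISP router hands it the DMZ address;
# the jail's own /etc/pf.conf then decides what may cross between segments.
fw {
    vnet.interface = "epair100b", "epair101b", "epair102b";
    exec.prestart  = "ifconfig epair100 create up; ifconfig bridge0 addm epair100a";
    exec.prestart += "ifconfig epair101 create up; ifconfig bridge1 addm epair101a";
    exec.prestart += "ifconfig epair102 create up; ifconfig bridge2 addm epair102a";
    exec.start    += "ifconfig epair101b 10.10.1.1/24 up";
    exec.start    += "ifconfig epair102b 10.10.2.1/24 up";
    exec.poststop  = "ifconfig bridge0 deletem epair100a; ifconfig epair100a destroy";
    exec.poststop += "ifconfig bridge1 deletem epair101a; ifconfig epair101a destroy";
    exec.poststop += "ifconfig bridge2 deletem epair102a; ifconfig epair102a destroy";
}

# A segregated jail on bridge1: its only route out is the fw jail's
# 10.10.1.1, so every packet to or from the DMZ passes pf in fw.
web {
    vnet.interface = "epair111b";
    exec.prestart  = "ifconfig epair111 create up; ifconfig bridge1 addm epair111a";
    exec.start    += "ifconfig epair111b 10.10.1.11/24 up";
    exec.start    += "route add default 10.10.1.1";
    exec.poststop  = "ifconfig bridge1 deletem epair111a; ifconfig epair111a destroy";
}
```

Start with `service jail start fw web` and verify on the host with `ifconfig bridge1` that only epair101a and epair111a are members, i.e. bridge1 has no physical interface and no path to the DMZ except through fw.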
 