bhyve Confused about setting up networking in bhyve

I am new to bhyve, and am trying to set it up. My end goal is to stand up an OPNsense VM, so I can use it to convert the configs from my pfSense box before migrating the physical box.

So I have looked at several sources, from the handbook, to Vermaden's blog, to a Klara article on the subject, as well as a few others, including the one . The problem I am having is with setting up the networking. Some of the sources use ifconfig to set up the tap devices and the network, like
Code:
# ifconfig tap0 create
# sysctl net.link.tap.up_on_open=1
net.link.tap.up_on_open: 0 -> 1
# ifconfig bridge0 create
# ifconfig bridge0 addm igb0 addm tap0
# ifconfig bridge0 up

while others use the vm switch commands:
Code:
# vm init
# vm switch create public
# vm switch add public em0

I have been trying to grok the difference between these two setups, but have not found anything that discusses which is better, or whether one is older and the other newer, and what the preferred method of the two would be to use.

Can someone provide me some insight?

Thanks.
 
It depends if you want to use vm-bhyve or not. It's more or less the same thing.

You connect a tap and your physical interface (the one you get internet thru) to a bridge and when you launch your vm, you specify this tap as virtio-net interface. vm-bhyve does these things for you.
 
Using vm-bhyve, when I've followed the steps in your vm switch command steps, a new VM is automatically on my LAN. That is, my LAN is 192.168.1.0/24. If I create a new VM and let it use DHCP, it will get an address in the 192.168.1.0/24 network.

Which, I think, is just a long way of saying, Yeah, what Emrion said.
 
Thank you both for your answers. Given that they are two different ways to do the same task, I plan to use the vm switch approach as suggested. However, now I have a best practices question, as I am unfamiliar with FreeBSD networking beyond the basics.

So my first task, as I said in my original post, is to stand up an OPNsense box. My current pfSense box has 3 interfaces (LAN, DMZ, and internet). So given this state of affairs, do I need to create 3 separate switches, one for each interface (the LAN interface in the OPNsense switch will live on the same switch with the host's interface)? Or can they all live on the same switch? Since the OPNsense will only exist while I migrate the configs, it is a temporary situation...But you know what they say about temporary solutions... :D
 
This time, it depends what you want to achieve and the precise network configuration. What is the exact purpose of this DMZ interface?

The purpose for the DMZ is for wifi and untrusted hosts that I don't necessarily want having access to the internal network, except certain clients via VPN.

At home, I use a pfsense VM. The interface that gets internet is a physical one that has been passed through to the VM. The LAN is served by a tap connected to a bridge. See: https://forums.freebsd.org/threads/a-freebsd-box-for-home.70451/#post-695571
And all I really want to achieve is to set OPNsense up temporarily, so I can convert the configs from pfSense, since apparently netgate has made it very...convoluted. So the OPNsense is not a permanent fixture in bhyve.

If I just need the interfaces and can stick them on a single switch, and then name them appropriately, I'm ok with that. Will it allow me to spit out a config?
 
The purpose for the DMZ is for wifi and untrusted hosts that I don't necessarily want having access to the internal network, except certain clients via VPN.
I mix wifi and lan without restriction as I consider that a lan is insecure nowadays. But, it's another subject.

I'm afraid I don't understand what you really want to achieve, what your network scheme is, and which machines are involved. So, I can't really answer. The devil is in the details, some say.

What is for sure: a bridge is like a switch, so all the interfaces you connect to it will freely communicate with each other. You can set up any number of taps and pass them to a VM; there will be as many available interfaces inside the VM (vtnetN). You can also set up as many bridges as you want and connect them to the interfaces you want. It's just that you can connect an interface to only one bridge.

You have many other network elements you can use for specific purposes, see ifconfig(8).

Note that I can't say what vm-bhyve is capable of in that regard, as I don't use it.
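The three-segment layout discussed above (one bridge per network, one tap per segment, an interface on only one bridge), as an added example that is not from the thread; the NIC names igb0/igb1, the bridge/tap numbering and the switch names are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout for the three-interface
# OPNsense VM: LAN bridge shares the host's igb0, WAN bridge gets a second NIC
# igb1, and the DMZ bridge carries only the VM's tap (the host stays off the
# untrusted segment). With DRY_RUN=1 (the default) commands are printed, not run.

run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi; }

# segment INDEX [PHYSIF]: bridge<INDEX> joins tap<INDEX> and, optionally, one
# physical NIC. An interface can be a member of only one bridge, hence one tap
# per segment rather than one tap on several bridges.
segment() {
    idx=$1; phys=$2
    run ifconfig "tap$idx" create
    run ifconfig "bridge$idx" create
    run ifconfig "bridge$idx" addm "tap$idx"
    [ -n "$phys" ] && run ifconfig "bridge$idx" addm "$phys"
    run ifconfig "bridge$idx" up
}

# ifconfig-style plan: three isolated segments for the VM.
plan_ifconfig() {
    run sysctl net.link.tap.up_on_open=1   # bring taps up when bhyve opens them
    segment 0 igb0      # LAN: host + VM
    segment 1           # DMZ: VM only, no host NIC
    segment 2 igb1      # WAN: VM + ISP-facing NIC
}

# Equivalent vm-bhyve plan: vm(8) creates the bridges and taps behind these names.
plan_vm_bhyve() {
    run vm switch create lan
    run vm switch add lan igb0
    run vm switch create dmz
    run vm switch create wan
    run vm switch add wan igb1
}

# vm-bhyve VM config fragment: each virtio-net device attaches to one switch,
# so the guest sees three vtnet interfaces, one per segment.
vm_conf() {
    printf '%s\n' 'network0_type="virtio-net"' 'network0_switch="wan"' \
                  'network1_type="virtio-net"' 'network1_switch="lan"' \
                  'network2_type="virtio-net"' 'network2_switch="dmz"'
}

plan_ifconfig
plan_vm_bhyve
vm_conf
```

Run with `DRY_RUN=0` as root to execute the ifconfig plan, or paste the vm_conf lines into the VM's configuration under vm-bhyve.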
 
I'm afraid I don't understand what you really want to achieve, what your network scheme is, and which machines are involved. So, I can't really answer. The devil is in the details, some say.

Basically, what I am trying to do is to temporarily stand up an OPNsense instance, with three interfaces, in bhyve. The only purpose of this vm is to convert the configuration of pfsense to opnsense. Once I am comfortable that the config will work on actual hardware, I will save said config, upgrade my existing firewall to opnsense. Once that is done, I plan to destroy the vm. This is in no way a permanent installation, and if I could, I would stand opnsense up in a jail, but that is not possible, since it needs to muck with kernel stuff.

That is the purpose of this exercise.

What is for sure: a bridge is like a switch, so all the interfaces you connect to it will freely communicate with each other. You can set up any number of taps and pass them to a VM; there will be as many available interfaces inside the VM (vtnetN). You can also set up as many bridges as you want and connect them to the interfaces you want. It's just that you can connect an interface to only one bridge.

You have many other network elements you can use for specific purposes, see ifconfig(8).
Okay, so from what you seem to be saying, I am going to need a separate switch/bridge for each interface, since they are on separate networks. For example the internal network is on the 172.20.15.0/24, the wifi network is on the 192.168.0.0/24, and the external is whatever my ISP gives me. I can't just create one bridge/switch and assign all three interfaces to it, and just name the interfaces and hope it "just works" based on the name. Now having said that, I do not have a physical interface for each switch...

Note that I can't say what vm-bhyve is capable of in that regard, as I don't use it.
From what I have been seeing, they are two different paths to the same goal.
 
I strongly suggest using "managed bridges" from the vm-bhyve package. It lets you keep your original networking and just automatically appends a bridge to it after the network is configured, reducing possible interference to a minimum. On the other hand, if you manually configure a bridge in /etc/rc.conf it will usually change behavior (I was unable to use a DHCP client with such a manual bridge configuration).

I wrote a step-by-step guide on how to use vm-bhyve at: https://github.com/hpaluch/freebsd-files/blob/master/VM-BHYVE.md
 