Hey folks -
I have a server with a lagg interface of two 10GigE interfaces, and it's VLAN'd as well. On VLAN, 200, is my private, RFC1918 addressed internal VLAN. The second, VLAN 50, is the public side. What I'm attempting to do is put interface lagg0.50 into fib 1, and start public-facing jails in that fib and on that interface. The server itself doesn't have an IP on lagg0.50, it only does on lagg0.200 (the internal).
The thing I'm seeing is that host routes for each jail cross-bleed into the opposing fib. Or, more accurately, they get put into both fibs for some reason. For instance, my public DNS server is scarecrow. When I start his jail, his /32 gets added to fib 1, and it also gets added to fib 0. The reverse happens when I start my nas file serving jail. When he starts, his /32 gets put into both fibs: 0 and 1.
I can go through and manually remove all of the incorrect fib routes, but I have to do that every time a jail restarts. Which is tedious. Basically, what I want to prevent is a public jail directly accessing a private jail without routing through my upstream router first. With the host routes in each fib, that's exactly what happens: the public jail tries to reach directly to the private via the interface. And if I don't have pf running on the server, the jail will be able to do that.
Scarecrow's jail.conf entry (with the IP removed) is:
Code:
# scarecrow (external, authoritative DNS)
scarecrow {
host.hostname = "scarecrow";
exec.fib=1;
ip4.addr += "lagg0.50|[REDACTED]/32";
}
The nas one is different of course:
Code:
# nas
nas {
host.hostname = "nas";
ip4.addr += "lagg0.200|192.168.10.2";
mount = "/local/export /local/jails/nas/export nullfs rw 0 0";
mount += "/local/timemachine /local/jails/nas/timemachine nullfs rw 0 0";
}
The appropriate bits in /etc/rc.conf:
Code:
vlans_lagg0="50 200"
ifconfig_lagg0_50="up fib 1"
# lagg1 (private)
ifconfig_lagg0_200="inet 192.168.10.1/24"
defaultrouter="192.168.10.254"
And lagg0.50 is actually in fib 1 as expected:
Code:
# ifconfig lagg0.50 | grep fib
fib: 1
Is there a way to accomplish what I want? In other words, force the jails to follow their fibs' default route to get to the jails in the other fib, without manually deleting the /32s?
Thanks.
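One way to at least spot the cross-bleed the post describes without eyeballing both routing tables: scan a FIB's `netstat -rn -F <fib>` output for /32 host routes whose address belongs to a prefix that is supposed to live in a different FIB. This is an added example, not code from the original post or from FreeBSD; the prefix-to-FIB map and the routing-table text are constructed sample data, and 203.0.113.0/24 stands in for the redacted public prefix.

```shell
#!/bin/sh
# Added example, not from the original post: find /32 host routes that a
# jail start has placed into the "wrong" FIB, i.e. routes in FIB N whose
# destination lies in a prefix that belongs to an interface in another FIB.
# The prefix-to-FIB map and the routing-table text below are constructed
# sample data; 203.0.113.0/24 stands in for the redacted public prefix.

# Constructed map: prefix:fib, mirroring the post's lagg0.200 (fib 0) and
# lagg0.50 (fib 1) layout.
NET_FIBS="192.168.10.0/24:0 203.0.113.0/24:1"

# leaked_host_routes FIB
#   Reads `netstat -rn -F FIB`-style output on stdin and prints every host
#   route (Flags contain H, destination has no prefix length) whose address
#   belongs to a prefix mapped to a different FIB.
leaked_host_routes() {
    awk -v fib="$1" -v map="$NET_FIBS" '
    function ip2n(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # true when ip falls inside cidr; integer division by 2^(32-bits)
    # compares the network part without needing bitwise operators
    function in_net(ip, cidr,   p, shift) {
        split(cidr, p, "/")
        shift = 2 ^ (32 - p[2])
        return int(ip2n(ip) / shift) == int(ip2n(p[1]) / shift)
    }
    BEGIN {
        n = split(map, ents, " ")
        for (k = 1; k <= n; k++) {
            split(ents[k], f, ":")
            pfx[k] = f[1]
            pfxfib[k] = f[2]
        }
    }
    # Routing-table rows look like: Destination Gateway Flags Netif [Expire]
    NF >= 4 && $3 ~ /^U/ && $3 ~ /H/ && $1 ~ /^[0-9.]+$/ {
        for (k = 1; k <= n; k++)
            if (pfxfib[k] != fib && in_net($1, pfx[k])) { print $1; break }
    }'
}

# Constructed sample of what FIB 1 might show after both jails have started:
# scarecrow's public /32 belongs here, nas's private /32 does not.
SAMPLE_FIB1='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.254      UGS    lagg0.50
192.168.10.2       link#5             UHS    lagg0.200
203.0.113.10       link#6             UHS    lagg0.50
203.0.113.0/24     link#6             U      lagg0.50'

# check_sample_fib1 -> the leaked host routes found in the sample above
check_sample_fib1() {
    printf '%s\n' "$SAMPLE_FIB1" | leaked_host_routes 1
}

# On a live host you would pipe the real table in instead:
#   netstat -rn -F 1 | leaked_host_routes 1
check_sample_fib1
```

Run against the sample it prints only `192.168.10.2`, the nas /32 that does not belong in fib 1. Running it for fib 0 with the other table (and the same map) flags the public /32 in the same way, which makes it usable as a quick check after a jail restart, or as a cron/monitoring hook, until the route placement itself is sorted out.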