FreeBSD 15 Bridges, VLANs and Jails - Nice!

With version 15's new VLAN aware bridges, we only need one bridge at the host level and one epair per jail to handle networking for every jail's needs.

Prior to version 15, when I was trying to build a vnet jailed gateway with a handful of VLANs I had to create an octopus of bridges (one per VLAN) and lots of dangling epairs. Version 15's new tech changed all that. Not only can all of the external VLANs collapse into one bridge, but now we can fold all private bridges into the one host bridge (add internal-only VLAN IDs to isolate communications).

With VLAN-aware bridges you only need one bridge on the host and one (possibly trunked) epair dropped into each jail. Configure each epair's bridge membership with just the subset of VLAN IDs that jail is allowed to use; the bridge then drops frames tagged with any other VLAN, which is what keeps the jails apart. For a private jail-to-jail network, pick a VLAN ID that is not carried on the physical trunk and add it to the tagged list of each participating jail's epair.

The key is getting the ifconfig settings right. Here is the host-side setup (jail configuration files omitted) for a host with one physical interface (igb0, carrying VLANs 10 and 20) and two jails using three VLANs in total (10, 20 and 2001, the last one internal only):

Code:
# One VLAN-aware bridge; igb0 is the trunk and may carry VLANs 10 and 20.
# 'tagged' takes the member name followed by its VLAN list.
ifconfig bridge0 create up
ifconfig bridge0 vlanfilter addm igb0 tagged igb0 10,20 up

# epair0: the 'a' side joins the bridge limited to VLANs 10 and 2001,
# the 'b' side goes to jail0.
ifconfig epair0  create -vlanhwfilter up
ifconfig epair0b -vlanhwfilter up
ifconfig bridge0 addm epair0a tagged epair0a 10,2001 up

# epair1: the 'a' side joins the bridge limited to VLANs 20 and 2001,
# the 'b' side goes to jail1.
ifconfig epair1  create -vlanhwfilter up
ifconfig epair1b -vlanhwfilter up
ifconfig bridge0 addm epair1a tagged epair1a 20,2001 up

# Pass epair0b into jail0 (vnet.interface = epair0b)
# Pass epair1b into jail1 (vnet.interface = epair1b)

With the above configuration, external packets arriving on VLAN 10 go to jail0 and those arriving on VLAN 20 go to jail1. Meanwhile, for jail0 and jail1 to communicate, they can use VLAN 2001.

Inside each jail, the individual VLANs can then be split off the trunked epair as vlan(4) interfaces (ifconfig -j runs the command inside the named jail):

Code:
ifconfig -j jail0 epair0b.10   create inet 192.168.10.55/24 up
ifconfig -j jail0 epair0b.2001 create inet 10.20.1.0/31 up
ifconfig -j jail1 epair1b.20   create inet 192.168.20.55/24 up
ifconfig -j jail1 epair1b.2001 create inet 10.20.1.1/31 up

jail0 communicates with the external network via epair0b.10.
jail1 communicates with the external network via epair1b.20.
Both jails communicate with each other using epair0b.2001 and epair1b.2001.
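The host-side and in-jail steps above, generalized to a small table of jails, as an added example that is not code from the original post. The bridge name, trunk port, jail names, VLAN IDs and addresses follow the post; the jail table format, the DRYRUN switch and the helper function names are assumptions made for this example. With DRYRUN=1 the ifconfig(8) commands are printed rather than executed, so the plan can be checked on any machine before it is applied on the FreeBSD 15 host, and each jail's VLAN list is validated so a typo cannot widen what its port is allowed to carry.

```sh
#!/bin/sh
# Added example, not code from the original post: build the single
# VLAN-aware bridge plus one epair per jail from a small jail table, and
# create the per-VLAN interfaces inside each jail.  With DRYRUN=1 the
# ifconfig(8) commands are printed instead of executed.
# Assumptions: the jail table, the DRYRUN switch and the helper names are
# made up for this example; bridge, trunk and VLAN IDs follow the post.

BRIDGE=${BRIDGE:-bridge0}
TRUNK=${TRUNK:-igb0}
TRUNK_VLANS=${TRUNK_VLANS:-10,20}

# Jail table (constructed for the example): name:epair-index:tagged VLAN list.
# VLAN 2001 is the private jail-to-jail link and is not carried on the trunk.
JAILS="jail0:0:10,2001
jail1:1:20,2001"

# Execute a command, or print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a comma-separated list of VLAN IDs in 1..4094.
valid_vlans() {
    case $1 in ''|,*|*,|*,,*) return 1;; esac
    for v in $(printf '%s' "$1" | tr ',' ' '); do
        case $v in *[!0-9]*) return 1;; esac
        [ "$v" -ge 1 ] && [ "$v" -le 4094 ] || return 1
    done
}

# One VLAN-aware bridge with the physical trunk as a tagged member.
setup_bridge() {
    run ifconfig "$BRIDGE" create up
    run ifconfig "$BRIDGE" vlanfilter addm "$TRUNK" tagged "$TRUNK" "$TRUNK_VLANS" up
}

# add_jail_port <epair-index> <vlan-list>: the 'a' side joins the bridge and
# may carry only <vlan-list>; the 'b' side is handed to the jail through
# vnet.interface.  -vlanhwfilter is kept as in the post.
add_jail_port() {
    run ifconfig "epair$1" create -vlanhwfilter up
    run ifconfig "epair${1}b" -vlanhwfilter up
    run ifconfig "$BRIDGE" addm "epair${1}a" tagged "epair${1}a" "$2" up
}

# jail_vlan_if <jail> <epair-b> <vlan> <cidr>: inside the jail, split one
# VLAN off the trunked epair and address it (ifconfig -j runs in the jail).
jail_vlan_if() {
    run ifconfig -j "$1" "$2.$3" create inet "$4" up
}

# Host side: bridge first, then one restricted port per jail in the table.
setup_all() {
    setup_bridge
    printf '%s\n' "$JAILS" | while IFS=: read -r name idx vlans; do
        valid_vlans "$vlans" || { echo "bad VLAN list for $name: $vlans" >&2; exit 1; }
        add_jail_port "$idx" "$vlans"
        echo "# $name: vnet.interface = epair${idx}b"
    done
}

# Jail side: the addressing from the post, run after the jails are started.
addr_all() {
    jail_vlan_if jail0 epair0b 10   192.168.10.55/24
    jail_vlan_if jail0 epair0b 2001 10.20.1.0/31
    jail_vlan_if jail1 epair1b 20   192.168.20.55/24
    jail_vlan_if jail1 epair1b 2001 10.20.1.1/31
}

# Usage: sh jailnet.sh plan   (print the commands)
#        sh jailnet.sh apply  (run them on the host, as root)
case ${1:-} in
    plan)  DRYRUN=1; setup_all; addr_all ;;
    apply) setup_all; addr_all ;;
esac
```

Run it with `plan` first and read the printed tagged lists: every epair port should list only the VLANs its jail is meant to see, and the private VLAN ID should appear on the jail ports but never on the trunk line.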

I built a complex test platform and watched ICMP packets zip around. I can share the code.
Hat tip to reddit user u/-iwantmy2dollars- for their post, which prompted my testing and this post.