Host IP address on bridge or epair?

Hi,

I created a bridge (bridge0) on my host, to which I have added the physical interface of the host. The documentation states: "If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces". I understand why setting an IP address on a member interface is nonsense: it would be like setting an IP address on a port of a network switch.

What I don't like about assigning the host IP address to the bridge is that it makes my host sort of merge with the bridge. I see the host as just another machine (with its own IP address) connected to a (dumb) network switch (which does not have any IP address) by a cable.

What I want to know is whether using an epair interface for the host would work as well, and if so, what the trade-offs in security and performance (in that order) are?

Here are the two configurations that I tested:
  • Assign the IP address of the host to bridge0:
Code:
...
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 SYNCDHCP"
ifconfig_em0="up"
...
  • Create an epair interface, add one end to bridge0, and assign the IP address of the host to the other end. Do not assign any IP address to the bridge:
Code:
...
cloned_interfaces="epair0 bridge0"
ifconfig_bridge0="addm em0 addm epair0a up"
ifconfig_em0="up"
ifconfig_epair0a="up"
ifconfig_epair0b="DHCP"
...

In both situations DNS look-up for and pinging of Internet hosts worked fine.

Also, I tried to find a book about FreeBSD (networking), but unfortunately most books are dated. Any book tips are welcome.

Thanks in advance for your help.
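As an added example (not code from the thread or from FreeBSD), a POSIX sh check that enforces the handbook rule quoted above: it reads `ifconfig -a` style output, maps every `member:` line to its bridge, and flags any member that still carries an inet/inet6 address. The sample output is constructed, and the `member:` line format is assumed to match what FreeBSD's ifconfig prints for a bridge.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `ifconfig -a` output (not real host data):
# em0 is a bridge0 member but still carries an inet address -> violation.
SAMPLE_BAD='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:00:00:01
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
epair0a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:0a:0a
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255'

# Same topology done like the second rc.conf above: the only address
# sits on epair0b, which is not a member of the bridge (constructed).
SAMPLE_OK='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:00:00:01
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255'

# check_bridge_members: read ifconfig output on stdin, print
# "<bridge> <member> <addr...>" for every member that has an inet/inet6
# address, and return 1 if any was found (0 if the topology is clean).
check_bridge_members() {
    awk '
        /^[^ \t]+:/ { cur = $1; sub(/:$/, "", cur); next }   # new interface
        $1 == "member:" { bridge_of[$2] = cur; next }        # bridge member
        $1 == "inet" || $1 == "inet6" { addr[cur] = addr[cur] " " $2; next }
        END {
            bad = 0
            for (m in bridge_of)
                if (m in addr) { printf "%s %s%s\n", bridge_of[m], m, addr[m]; bad = 1 }
            exit bad
        }'
}

# Stand-alone demo; on a live host run: ifconfig -a | check_bridge_members
if printf '%s\n' "$SAMPLE_BAD" | check_bridge_members; then
    echo "clean"
else
    echo "address on a bridge member (move it to the bridge or an epair)"
fi
```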
 
It's for running jails eventually. But I have only just started with the basic configuration of the jails host. This is the first bridge, and the physical network interface will be a member of it. Later on I want to create more (possibly dozens) of bridges, each with its own purpose, and with server jails needed for that purpose connected to it, i.e. I want to physically separate jails with different purposes. I will create router jails connected to two bridges, that route traffic from function-specific bridges to the bridge connected to the physical interface.

I am creating Ansible scripts to set everything up automatically, and I want to make sure I model the network connection(s) of the jails host correctly. In this case I got kind of stuck because the network interface of the host is a (virtual) bridge, instead of a network interface connected to the bridge using a network cable. As someone with basic knowledge of networking, this seems weird. It also makes the model a bit more complex.

If it makes no difference, I will do it as the handbook says. If there are (subtle) differences, I would like to know about them so I can make an informed decision about which one best fits my situation. Any pointers to more comprehensive documentation (online or offline) are fine. I don't mind putting in some effort to understand what is going on.

Note that this is for a home network, so only security is essential. Good performance would be nice to have.
 
Later on I want to create more (possibly dozens) of bridges, each with its own purpose, and with server jails needed for that purpose connected to it, i.e. I want to physically separate jails with different purposes.
Note that nothing will be physically separated when everything runs on the same host.
I will create router jails connected to two bridges, that route traffic from function-specific bridges to the bridge connected to the physical interface.
This will not be possible with regular jails (routing/networking is done on the host, not the jail). You can get something like this using VMs though.
 
Note that nothing will be physically separated when everything runs on the same host.

Yep, I know. I just don't know what to call it: virtual physical separation? I at least wanted to make it hard for, for example, public web servers to reach private servers by setting up the appropriate routing and firewalls.

This will not be possible with regular jails (routing/networking is done on the host, not the jail). You can get something like this using VMs though.

Ah, I see. I will dive deeper into the features and limitations, and adjust my thinking.

I kind of ruled VMs out because they are more heavyweight, but maybe I should reconsider. See my question below.

Use Bhyve as VMs will be completely separate from each other.

Like I said above: VMs are usually more heavyweight than OS-level virtualization. How does bhyve compare to jails in terms of overhead?

Sorry for all my beginner questions, but I have only used Linux for the last 10+ years. I tried to get this sort of set-up working on Linux. Unfortunately, I got stuck with the interpretation of router advertisements. It turned out systemd had not implemented this yet, and when I looked at the systemd code and read the systemd stories, I decided that I did not want to set up my system with immature software. Linux can probably do a wonderful job if you do not use systemd, but I did not want to fight an uphill battle.
 
Yep, I know. I just don't know how to call it: virtual physical separation? I at least wanted to make it hard for, for example, public web servers to reach private servers by setting up the appropriate routing and firewalls.

Someone asked similar questions before and it's not possible to do that on the same LAN card. If you want completely separate public and private networks then you'll need two LAN cards to do that and you will have two different subnets. The only way with a single LAN card is to set the private servers' configurations to only listen on certain IP addresses or ports and reject everything else.

Like I said above: VMs are usually more heavyweight than OS-level virtualization. How does bhyve compare to jails in terms of overhead?

It'll take more resources than OS-level virtualization and it's more beneficial to run non-FreeBSD OSes in Bhyve. Multiple instances of FreeBSD are better with Jail.
 