Jail Networking

Hi, I'm on FreeBSD 13.2, trying to set up a jail network. I'm not too sure on the proper terminology here, so do correct me, but I want it set up in a way that the host system doesn't exactly show that the jail exists, so when I do ifconfig, it doesn't show all the jails, just the stand-alone network interfaces and the other things on them. This is because in the long run there are going to be a lot of jails on here, like several hundred, so I don't want them all to show up when I do ifconfig. Anyway, here's my current setup:

ifconfig:
Code:
vmx0: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:50:56:91:12:76
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vmx1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:50:56:91:0f:63
        inet 10.8.0.31 netmask 0xffffff00 broadcast 10.8.0.255
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vmx2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:50:56:91:9a:25
        inet 10.1.0.148 netmask 0xffffff00 broadcast 10.1.0.255
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vmx3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
        ether 00:50:56:91:e1:c6
        inet 10.40.0.15 netmask 0xffffff00 broadcast 10.40.0.255
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
rc.conf:
Code:
ifconfig_vmx1="inet 10.8.0.31 netmask 255.255.255.0"
ifconfig_vmx2="inet 10.1.0.148 netmask 255.255.255.0"
ifconfig_vmx3="inet 10.40.0.15/24"

defaultrouter="10.8.0.1"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
jail_enable="YES"
ezjail_enable="YES"
And that's pretty much all I've done on here so far. I've tried to create a bridge between vmx3 and the jail I've made, but I just can't seem to get a connection on the jail. Does anyone know how I could achieve the functionality I'm after? Thanks.
 
Not possible. The host runs the jails, so it HAS to know about them.
Yeah, I know, and I'm fine with jails appearing when I run jls on the host. It's just under ifconfig; is there no way to just not have the jails show there? Maybe some sort of bridge or something, idk.
 
What interfaces are you talking about? The epair(4) ones from VNET jails? No, you can't 'hide' those from the host either.
 
What interfaces are you talking about? The epair(4) ones from VNET jails? No, you can't 'hide' those from the host either.
So, I don't think they need to be VNET jails. I think what I need is a type of bridge; do forgive me here, I'm not too great with names, but a netgraph bridge? Does that ring any bells? I'm sure there are other ways to go about it, but the whole point is that, long term, this host could possibly have 1000 jails on it, so when I do ifconfig on it, I really don't want to be seeing 1000 different jail IPs come up. However, it's fine to see them when I do jls, if you know what I mean.
 
If you're not going to use VNET jails then bind the jail directly to the interface. That interface is going to have a whole bunch of aliases attached to it. Nothing you can do about that, the system has to know where an IP address is.
 
If you're not going to use VNET jails then bind the jail directly to the interface. That interface is going to have a whole bunch of aliases attached to it. Nothing you can do about that, the system has to know where an IP address is.
Ok, I think I understand. So, are you saying VNET jails are what I should use for this then? I'll need to do some research on them.
 
Ok, I think I understand. So, are you saying VNET jails are what I should use for this then?
That's not what I said. Using VNET jails would create two epair(4) interfaces per jail, I thought you were worried about the number of interfaces.
 
Just 1 bridge that has every single jail on it, but just doesn't display the jails under the bridge when I run ifconfig.
You're only moving the problem from an actual interface (vmx0 for example) to a bridge(4) interface. No matter how you connect them those IP addresses are going to show up.
 
You're only moving the problem from an actual interface (vmx0 for example) to a bridge(4) interface. No matter how you connect them those IP addresses are going to show up.
Yeah, that makes sense; that's what I had in my last setup and yeah, it did exactly that. So, is there nothing you can think of then to achieve something like this? I am really lost, I've done so much research and it's always just led to nothing lol
 
is there no way to just not have the jails show there?
Use a group for your local interfaces as described in ifconfig(8), then you can simply do ifconfig <groupname> to only show interfaces belonging to that group.
Interfaces can have multiple groups attached to them and groups can be used in pf.conf, so especially on systems with many interfaces and/or jails this often comes in very handy.
I usually add interfaces that are used by the host to the "local" group. This way I can get a quick view of all locally used interfaces, even on virtualization hosts with dozens of epair and vlan interfaces.
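The interface-group approach from the post above, worked through as an added example (this is not code from the thread or from the FreeBSD project). It shows the rc.conf lines that put the thread's vmx1, vmx2 and vmx3 into a "local" group, the ifconfig(8) invocations that do the same on a running host, a pf.conf fragment that matches on the group name, and a small POSIX awk filter over ifconfig output that lists only the interfaces belonging to a given group. The ifconfig listing fed to the filter is constructed for the example (the epair0a/epair0b pair with its "groups: epair" line is what a VNET jail would add; it is not on the original page), so the filter can be run on any system without FreeBSD's ifconfig.

```shell
#!/bin/sh
# Added example, not from the thread: grouping host-facing interfaces so that
# ifconfig and pf can address them by group instead of by name.

# 1. Persistent assignment in /etc/rc.conf. The value of ifconfig_<if> is passed
#    to ifconfig(8) verbatim, so the "group local" keyword can ride along with
#    the address configuration. Addresses are the ones from the thread.
rc_conf_fragment() {
    cat <<'EOF'
ifconfig_vmx1="inet 10.8.0.31 netmask 255.255.255.0 group local"
ifconfig_vmx2="inet 10.1.0.148 netmask 255.255.255.0 group local"
ifconfig_vmx3="inet 10.40.0.15/24 group local"
EOF
}

# 2. The same thing on a running host, plus the listing command from the post
#    (ifconfig -g <group> is the documented long form). Printed, not executed,
#    so this script is safe to run anywhere.
live_commands() {
    for ifn in vmx1 vmx2 vmx3; do
        echo "ifconfig $ifn group local"
    done
    echo "ifconfig local"      # lists only group members, as SirDice describes
    echo "ifconfig -g local"   # equivalent documented form
}

# 3. pf.conf accepts a group name wherever an interface name is expected, so
#    rules for the host's own interfaces do not need to enumerate them.
pf_conf_fragment() {
    cat <<'EOF'
pass in on local proto tcp to port 22
EOF
}

# Filter: read ifconfig output on stdin and print the names of interfaces whose
# "groups:" line contains the group given as $1. Interface headers start in
# column 0 ("vmx1: flags=..."); the groups line is indented.
ifaces_in_group() {
    awk -v want="$1" '
        /^[^ \t]/ { name = $1; sub(/:.*/, "", name); cur = name }
        /^[ \t]+groups:/ {
            for (i = 2; i <= NF; i++) if ($i == want) print cur
        }
    '
}

# Constructed ifconfig -a output: the thread's interfaces after joining "local",
# lo0 as on the page, and one epair pair (constructed) as a VNET jail would add.
sample_ifconfig() {
    cat <<'EOF'
vmx0: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:50:56:91:12:76
vmx1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.8.0.31 netmask 0xffffff00 broadcast 10.8.0.255
        groups: local
vmx2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.1.0.148 netmask 0xffffff00 broadcast 10.1.0.255
        groups: local
vmx3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.40.0.15 netmask 0xffffff00 broadcast 10.40.0.255
        groups: local
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
epair0a: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: epair
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: epair
EOF
}

# Convenience wrapper: space-separated member list of a group in the sample.
members_of() {
    sample_ifconfig | ifaces_in_group "$1" | tr '\n' ' '
}

if [ "${1:-}" = "demo" ]; then
    echo "# rc.conf";  rc_conf_fragment
    echo "# live";     live_commands
    echo "# pf.conf";  pf_conf_fragment
    echo "# host interfaces:  $(members_of local)"
    echo "# jail epairs:      $(members_of epair)"
fi
```

Run with `sh script.sh demo` to see the fragments and the filtered lists. The jail-side epair interfaces still exist and are still visible in a plain `ifconfig`, exactly as the earlier replies say; the group only changes what you ask ifconfig and pf to look at.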
 