I'm creating a series of network gateway/tunnels with vnet and jails (FreeBSD 12.1p8). The topology looks something like this:
NICjail: Contains the physical NIC (igb0), bridge0, and epair members for connection to other tunnel jails (VPNs, Tor, I2P).
VPN1jail: Connects to NICjail via epair. Contains a bridge and epairs to connect to WORKjails for daily activities.
VPN2jail: Same as VPN1, but for different identity purposes.
... And so on ...
No problems creating the jails or interfaces. However, I'm a bit unsure about properly configuring the IP/netmask, whether I need to use NAT, or if I can just use my existing subnet address space. For example, I set up the following:
NICjail: igb0 has IP 192.168.1.11, and bridge0 has IP 192.168.1.12, with epair1a attached.
VPN1jail: epair1b has 192.168.1.13 and bridge1 has IP 192.168.14, with epair2a attached.
WORKjail: epair2b has 192.168.1.15. `traceroute 1.1.1.1` shows me hopping to 192.168.1.13 --> 192.168.1.11 --> 192.168.1.1 (my physical router) --> internet --> 1.1.1.1
Tentatively, it appears that I have accomplished gateway isolation for WORKjail, forcing traffic through VPN1 --> NICjail. Am I on the right track here? Is this a reasonable way to configure the jail network topology and proceed with configuring packet filtering and setting up the VPN? I'm not sure ... is it more secure to use NAT at each hop? Or maybe further subnet the address space by doing something like: NICjail: igb0 has IP 192.168.11/24, and bridge0 has IP 192.168.1.129/25. Or even assigning something like 10.0.0.1/24 to bridge0.
I have read through most of Michael Lucas's Networking for SysAdmins book (and his Jails/FreeBSD books). Still trying to get a handle on networking. Any help is greatly appreciated.
EDIT: I am actually completely unable thus far to even use a network like 10.0.0.1/24. Any downstream jails on the 10.0.0.0/24 network are only able to ping back to 192.168.1.11 (igb0), but I have utterly failed to get them to ping 192.168.1.1 (my router to the outside internet). gateway_enable, net.inet.ip.forwarding=1, and default route 192.168.1.1 are set in the NICjail. Do I have to set up NAT on the NICjail?
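As an added illustration (not part of the original post), this is what a minimal pf rule set for the NICjail looks like when the downstream 10.0.0.0/24 network is kept private behind it: the physical router at 192.168.1.1 has no route back to 10.0.0.0/24, so without NAT in NICjail (or a static route for 10.0.0.0/24 on that router) its replies can never return, which matches the symptom described. Interface and address names are taken from the post; the rule set itself is an assumed layout, and pf must be enabled in the jail's rc.conf (pf_enable="YES") alongside the gateway_enable setting already in place.

```pf
# /etc/pf.conf inside NICjail (added example, assumed layout)
ext_if  = "igb0"         # physical NIC, 192.168.1.11, default route via 192.168.1.1
int_if  = "bridge0"      # bridge holding the epair members of the tunnel jails
int_net = "10.0.0.0/24"  # private network used by downstream jails

set skip on lo0

# Rewrite downstream source addresses to igb0's own address on the way
# out; replies from 192.168.1.1 and beyond then have a valid return path.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny, then permit only the gateway role: downstream jails may
# initiate outbound connections, and only their replies come back in.
block all
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state
pass out on $int_if from any to $int_net keep state

# Replies to the jail's own outbound traffic are matched by state above;
# nothing unsolicited is accepted on igb0.
```

Load it with `pfctl -f /etc/pf.conf` inside NICjail and check the translation with `pfctl -s state` while a downstream jail pings 192.168.1.1; a management rule (for example ssh from the LAN to igb0) would need to be added explicitly because this set accepts nothing unsolicited.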