I have my FreeBSD router running 12.2-RELEASE, and it has six GigE interfaces, em0 to em5. Currently, em0 is the WAN port that connects to the internet, receiving an ISP-assigned IP address via dhclient. em1 connects to my internal network. The device also runs my wireless network on wlan0 on a different IP subnet than the wired network. An IPFW firewall handles filtering stuff coming in from the Internet and NAT, as well as allowing both the wired and wireless subnets to get out to the internet, and it also prevents those two networks from talking to each other.

I want to upend this configuration and compartmentalize things using jails somewhat. I envision putting the wired network routing functions into one jail that can see em0 via an epair(4) set, and I want to put the wireless LAN into another jail that runs hostapd and has its own epair(4) set, but set things so that they both see em0. Both jails will be VNET and run their own copies of an IPFW firewall to set up NAT in each for the requisite RFC1918 subnet ranges, forwarding out to em0 to reach the public internet.

The question is, can I do this easily by allowing both jails to see the em0 interface? My understanding of VNET jails is that if you give one a physical interface from the host, then that interface disappears from the host's point of view, meaning if I gave em0 to the router jail, the wlan jail would not be able to see it for its own purposes. I am thinking that you could put em0 onto a bridge(4) layer alongside epair0a (router) and epair1a (wlan), but how would the host OS know how to properly route traffic coming in from em0 to the correct epair(4) device so that wireless traffic goes to the wlan jail and wired traffic goes to the router jail? Or is this a case where VLANs might be useful?

I also want to somehow keep em0 accessible to the host, because it will run Snort in inline mode on em0 so that I can catch any nastiness and drop it before either of the jails can see things. I am open to moving the Snort piece into a third jail and only giving it a passive look at traffic, though, since I know there are some issues with Snort's inline mode on FreeBSD (mainly limited to IPv4 w/o using netgraph). If I went this route, then a third 'snort' jail would likely involve a similar setup as the above two jails.
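As an added illustration (not from the original poster), this is how the bridged layout described in the post is normally expressed in FreeBSD's rc.conf and jail.conf: em0 and the "a" ends of two epair(4) pairs are members of bridge0 on the host, and each "b" end is moved into its VNET jail with vnet.interface, after which the host no longer sees it. Jail names, paths and the epair unit numbers are assumptions chosen for the example; wlan0 handling for the hostapd jail and the Snort placement are left out, and nothing here settles the question of how traffic is steered between the two jails once both sit on the same bridge.

```conf
# /etc/rc.conf on the host (added example; names are assumptions)
# bridge0 carries em0 plus the host side of each epair; em0 itself keeps no address.
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 up"
ifconfig_em0="up"
jail_enable="YES"
jail_list="router wlan"

# /etc/jail.conf on the host (added example)
# Shared settings for both VNET jails.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
persist;
vnet;

router {
    host.hostname = "router.example.internal";   # assumed hostname
    path = "/usr/jails/router";                  # assumed path
    # Create epair0a/epair0b, attach the "a" end to bridge0, hand the "b" end to the jail.
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a up";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    vnet.interface = "epair0b";
    # Tear the pair down when the jail stops (destroying one end removes both).
    exec.poststop  = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";
}

wlan {
    host.hostname = "wlan.example.internal";     # assumed hostname
    path = "/usr/jails/wlan";                    # assumed path
    exec.prestart  = "ifconfig epair1 create";
    exec.prestart += "ifconfig epair1a up";
    exec.prestart += "ifconfig bridge0 addm epair1a";
    vnet.interface = "epair1b";
    exec.poststop  = "ifconfig bridge0 deletem epair1a";
    exec.poststop += "ifconfig epair1a destroy";
}

# /usr/jails/router/etc/rc.conf inside the router jail (added example)
# Each jail runs its own ipfw instance; the ipfw and ipfw_nat kernel modules
# must be loaded on the host, because jails share the host kernel.
ifconfig_epair0b="SYNCDHCP"          # WAN side, reached through bridge0 -> em0
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.rules"    # assumed path to the jail's own ruleset
gateway_enable="YES"
```

With this layout both jails see the WAN segment through bridge0, and the host keeps em0 as a bridge member rather than handing it to either jail, which is the part of the poster's requirement that a plain vnet.interface = "em0" would not satisfy. Whether wired and wireless traffic is then separated by bridge membership alone, or needs VLAN tagging as the post wonders, is exactly the open question and is not answered by the configuration above.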