Virtual MAC per jail IP

I have a Fritz!Box 7490 router which is unable to handle port forwarding and firewall ACL rules on IPv4 or IPv6 aliases, since the MAC address is the same for the alias IP addresses. See also the Knowledge-base item.

I am running jails on my system, as such I really need to be able to set ACLs and port forwardings on a per-IP basis. Since I am not able to change the Fritz!Box (and cannot disable the firewall) I have to fix it on the FreeBSD side.

I have been fiddling with creation of tun(4)/tap(4) devices to create virtual MAC addresses and combine them with a bridge(4) to the bge(4) interface, yet I do not think I am following the proper route, since the tun/tap interfaces need to be controlled in order to be marked 'up'/'active'.

Hints welcome on alternative software-based routes to follow
 
You could either use VIMAGE interfaces with your jails and directly bridge them to the external/physical interface, or connect the jails to an internal bridge and let the host (e.g. PF) handle NAT/forwarding to the jails. This way you can point all forwarding rules on the fritzbox to your jails-host IP.


In the long run, I'd try to get rid of that toy-router ASAP - they tend to constantly cause headaches; can't handle much more than average "home-user" loads without frequent hiccups/packet loss/panics and have proven enough times in the past to be massive security hazards... I'd never use one of these without a proper gateway/firewall between it and the local network (...one that can handle proper NAT/port forwarding).
 
The Fritz!box should be able to be put into "bridge" or "passthrough" mode. When I had xDSL I had the same modem. Once in bridge mode you can attach a "proper" firewall (another FreeBSD machine for example) to it and it will be directly connected to the internet.
 
You could either use VIMAGE interfaces with your jails and directly bridge them to the external/physical interface
VIMAGE or epair(4) together with if_bridge(4) seems to be the missing link, thanks! I will try to fiddle something together and post the results.

or connect the jails to an internal bridge and let the host (e.g. PF) handle NAT/forwarding to the jails. This way you can point all forwarding rules on the fritzbox to your jails-host IP.
I cannot create those forwarding rules, since the Fritz!Box does allow creating those, as (weirdly enough) it uses the MAC (internally) as key to store the rules.

In the long run, I'd try to get rid of that toy-router ASAP - they tend to constantly cause headaches; can't handle much more than average "home-user" loads without frequent hiccups/packet loss/panics and have proven enough times in the past to be massive security hazards... I'd never use one of these without a proper gateway/firewall between it and the local network (...one that can handle proper NAT/port forwarding).
I know, getting rid of the modem is unfortunately not possible. I tried using a FreeBSD-based router on an APU board (Thread 51213), yet there are too many special things to consider, like telephony, IP-TV and more, which makes it very hard.

The Fritz!box should be able to be put into "bridge" or "passthrough" mode. When I had xDSL I had the same modem. Once in bridge mode you can attach a "proper" firewall (another FreeBSD machine for example) to it and it will be directly connected to the internet.
Unfortunately the bridge mode means the above described functions no longer work, but it is a tempting idea indeed.
 
Using epair(4) seems to work as expected. Had to do some trickery with ether to assign a static MAC to the interface, else it might differ after a reboot.

Not so sure if I like the interface definitions in jail configurations, but it seems to do the trick for now.

/etc/rc.conf
Code:
# bridge0 joins the physical bge0 and, at jail start, every jail's epair<N>a side
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 up"

/etc/jails.conf
Code:
erwt {
   # ${if} is the jail number; it is reused as the last IPv4 octet, as an
   # IPv6 group and as one octet of the MAC, so it must also be a valid hex byte
   $if = "28";
   $ip_addr = "80.127.152.${if}";
   $mask = "255.255.255.0";
   $ip6_addr = "2001:984:ac89:1:1234:5678:${if}:1";
   $prefixlen = "64";

   host.hostname = "erwt.vanderzwet.net";
   path = "/local0/jails/erwt";
   ip4.addr += "$ip_addr";
   ip6.addr += "$ip6_addr";
   allow.raw_sockets = 1;
   exec.clean;
   exec.system_user = "root";
   exec.jail_user = "root";
   exec.consolelog = "/var/log/jail_erwt_console.log";
   exec.fib = "1";
   mount.devfs;
   allow.set_hostname = 0;
   allow.sysvipc = 1;

   # Commands to run on host before jail is created:
   # create the epair, give the b side the jail's addresses and a fixed,
   # locally administered MAC (02:...), and add the a side to bridge0 next to bge0
   exec.prestart += "/sbin/ifconfig epair${if} create up";
   exec.prestart += "/sbin/ifconfig epair${if}a up";
   exec.prestart += "/sbin/ifconfig epair${if}b ${ip_addr} netmask ${mask} up";
   exec.prestart += "/sbin/ifconfig epair${if}b inet6 ${ip6_addr} prefixlen ${prefixlen} up";
   exec.prestart += "/sbin/ifconfig epair${if}b ether 02:ff:40:00:${if}:0b";
   exec.prestart += "/sbin/ifconfig bridge0 addm epair${if}a up";

   exec.start += "/bin/sh /etc/rc";

   exec.stop = "/bin/sh /etc/rc.shutdown";
   # Tear the epair down again so a restart does not collide with a stale interface
   exec.poststop  += "/sbin/ifconfig bridge0 deletem epair${if}a";
   exec.poststop  += "/sbin/ifconfig epair${if}a destroy";
}
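As an added example that is not code from this thread (neither the reply suggesting VIMAGE/epair bridged to the physical interface, nor the jail.conf posted above): a small POSIX sh helper that derives one stable, locally administered MAC per jail epair from a decimal jail id, checks that the address has the bits a bridge should see (locally administered, unicast), checks that no two jails get the same MAC, and prints the ifconfig sequence the prestart hooks would run. The 02:ff:40:00 prefix is the one used in the config above; the function names, the decimal-to-hex id encoding (jail 28 becomes octet 1c, whereas the config above pastes "28" in as a hex byte), and the 2001:db8::28 sample address are assumptions of this example. It is a dry run and applies nothing unless its output is piped to sh on the FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread: deterministic per-jail MACs for
# epair(4) interfaces bridged onto the physical NIC. Dry run only.
# Assumptions: function names below, decimal id -> one hex octet, and the
# 02:ff:40:00 prefix taken from the thread's jail.conf.

set -eu

MAC_PREFIX="02:ff:40:00"   # first octet 0x02: locally administered, unicast

# jail_mac ID SIDE: print the MAC for epair<ID>a (SIDE=a) or epair<ID>b (SIDE=b).
# ID is decimal 0..255 (no leading zeros) and is encoded as one hex octet, so
# ids such as 29 or 100 still yield a valid address; pasting the id in as-is
# only works when it also happens to be a valid hex byte.
jail_mac() {
    id=$1; side=$2
    case "$id" in
        ''|*[!0-9]*|0?*) echo "jail_mac: id must be decimal 0..255" >&2; return 1 ;;
    esac
    [ "$id" -le 255 ] || { echo "jail_mac: id must be <= 255" >&2; return 1; }
    case "$side" in
        a) last=0a ;;
        b) last=0b ;;
        *) echo "jail_mac: side must be a or b" >&2; return 1 ;;
    esac
    printf '%s:%02x:%s\n' "$MAC_PREFIX" "$id" "$last"
}

# mac_is_local_unicast MAC: succeed only if MAC is six hex octets whose first
# octet has the locally administered bit (0x02) set and the multicast bit
# (0x01) clear, i.e. the shape every jail address on the bridge should have.
mac_is_local_unicast() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    first=$((0x${1%%:*}))
    [ $((first & 0x02)) -ne 0 ] && [ $((first & 0x01)) -eq 0 ]
}

# jail_macs_unique ID...: succeed only if every id maps to a different b-side
# MAC, so no two jails present the same address to the router upstream.
jail_macs_unique() {
    dups=$(for id in "$@"; do jail_mac "$id" b; done | sort | uniq -d)
    [ -z "$dups" ]
}

# jail_if_commands ID IP4 MASK IP6 PREFIXLEN: print the host-side ifconfig
# sequence for one jail, mirroring the exec.prestart lines from the thread but
# setting the MAC before the interface comes up and fixing both epair sides.
jail_if_commands() {
    id=$1; ip4=$2; mask=$3; ip6=$4; plen=$5
    mac_a=$(jail_mac "$id" a)
    mac_b=$(jail_mac "$id" b)
    cat <<EOF
/sbin/ifconfig epair${id} create
/sbin/ifconfig epair${id}a ether ${mac_a} up
/sbin/ifconfig epair${id}b ether ${mac_b}
/sbin/ifconfig epair${id}b inet ${ip4} netmask ${mask}
/sbin/ifconfig epair${id}b inet6 ${ip6} prefixlen ${plen} up
/sbin/ifconfig bridge0 addm epair${id}a up
EOF
}

# Stand-alone run: show the plan for jail 28 (sample IPv6 address constructed)
jail_if_commands 28 80.127.152.28 255.255.255.0 2001:db8::28 64
```

Run it as-is to see the plan for jail 28; on the host, `sh plan.sh | sh` would apply it, and `jail_macs_unique 28 29 30` is the check to run whenever a jail id is added so that two jails never share the MAC the Fritz!Box keys its rules on.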
 
yet there are too many special things to consider, like telephony, IP-TV and more, which makes it very hard.

Mostly these additional services are only on different VLANs, so nothing magical going on.
Telephony is mostly better done via proper SIP/VoIP anyways instead of the weird non-standards some/most ISPs are using, e.g. to force you to use the number only from your home connection. When using a proper SIP/VoIP provider you can use your local phone numbers from any Internet connection, even from mobile. (We're way into the 21st century - this should have been the norm for years....)

For IPTV it's often sufficient to use IGMPproxy and set some rules for multicast traffic.
For most (if not all) ISPs, all the information you might need is available. The pfSense forums are always a good first start for getting an idea of what configuration is necessary for any given ISP.

I've also been back on ancient copper lines for a few months and am using an ALLNET BM100VDSL2 modem. This modem can handle the VLAN tagging on outgoing connections and provide these VLANs to different tagged or untagged VLANs on the inside, or allocate a separate LAN connector (there are 4 available) to each of the external VLANs to completely separate your home network, telephone system and IPTV from each other.
 