Virtual network interface for a jail with no IP connectivity from the host

zirias@

Developer
I'm setting up a system with a router/firewall in a bhyve vm. This router will have exclusive access to the hardware NICs (using PCI passthru).

Now what I want to have is some virtual networks on bridges ... for example let's say my bridge0 is a "virtual switch" for my internal, protected network. This bridge should connect one tap interface used by the router/firewall vm with interfaces of the jails belonging to the internal network. Now, if I give these jails a tap interface as well, this interface is available on the host system, with IP connectivity -- that's not what I want. How could I set up the jails so they have an interface bridged on the host, but without IP connectivity to the host?
 
I achieved the setup I wanted by activating VIMAGE in the kernel and using epair(4) interfaces for the jails. Now I get this in dmesg:
Code:
WARNING: VIMAGE (virtualized network stack) is a highly experimental feature.
But at least I couldn't find any reports that it's still unstable on 11.1, so I'll give it a try.

The host's rc.conf has this network configuration:
Code:
cloned_interfaces="bridge0 bridge1 epair0 epair1"
ifconfig_bridge0="inet 192.168.17.101 netmask 255.255.255.0"
ifconfig_bridge1="addm epair0a addm epair1a"
ifconfig_epair0a="up"
ifconfig_epair1a="up"
defaultrouter="192.168.17.1"

Here, bridge0 is for the management network (192.168.17) containing the host machine, bridge1 for the internal network (192.168.42) with atm two jails. The bhyve router/firewall vm "plugs" into both bridges for routing between them and the outside world.

A jail's rc.conf then has for example this:
Code:
ifconfig_epair0b="inet 192.168.42.109 netmask 255.255.255.0"
defaultrouter="192.168.42.1"

and in jail.conf, I added a global vnet = new; and for the individual jail a vnet.interface = epair0b;. For now, this works like a charm.
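For reference, here is a complete jail.conf that matches the rc.conf fragments above. This is an added example, not a file from the post: the jail names (jail1, jail2), the jail path layout and the second jail's use of epair1b are assumptions; the global vnet = new; and the per-jail vnet.interface are exactly the settings the post describes.

```conf
# Added example jail.conf (not from the original post). Jail names, paths
# and the epair assigned to jail2 are assumed; the vnet settings are the
# ones described in the post.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";

# Global: every jail gets its own virtualized network stack (VIMAGE).
vnet = new;

# Per jail: move the "b" end of the epair into the jail. The "a" end stays
# on the host as a member of bridge1 only. bridge1 and epair0a/epair1a carry
# no inet address in the host's rc.conf, so the host has no layer-3 path
# into 192.168.42.0/24; only the bhyve router/firewall vm bridges it.
jail1 {
    vnet.interface = "epair0b";
}

jail2 {
    vnet.interface = "epair1b";
}
```

The epair0 and epair1 pairs are the ones created by cloned_interfaces in the host's rc.conf, so they exist before jail(8) starts. To confirm the isolation from the host side, ifconfig bridge1 and ifconfig epair0a should show no inet line, while jexec jail1 ifconfig epair0b shows 192.168.42.109; the jail's rc.conf for jail2 would configure epair1b the same way with its own address.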
 