PF vm-bhyve && dnsmasq

G

GogoFC

Other than read the THE BOOK OF PF, what is a proper way of doing this that doesn't involve vlans, if I was to get serious with this. The book is on my to do list, obviously I haven't finished it.

What is a proper way to over-complicate this network but to keep the two networks separate and not to be able to talk to each-other but still have dhcp etc. Someone mentioned running two instances of dnsmasq, but I still only have one physical interface. In FreeBSD would that be adding rules in pf.conf?

I created two virtual switches with 'supposedly' different subnets, using dnsmasq for dns and dhcp, pf for nat and gateway enabled. Everything works fine when it comes to VM guests, they receive dhcp in accordance to their switch name assigned, but they can all talk to each-other regardless of 'subnet', that doesn't really mean anything does it, it needs to be defined in pf?

/etc/pf.conf
Code: 
nat on wlan0 from {10.0.1.0/24} to any -> (wlan0)
nat on wlan0 from {10.0.2.0/24} to any -> (wlan0)
vm switch list
Code: 
NAME     TYPE      IFACE       ADDRESS      PRIVATE  MTU  VLAN  PORTS
public   standard  vm-public   10.0.1.1/24  no       -    -     -
public2  standard  vm-public2  10.0.2.1/24  no       -    -     -

/usr/local/etc/dnsmasq.conf
Code: 
domain-needed
except-interface=lo0
bind-interfaces
local-service
dhcp-authoritative
interface=vm-public
dhcp-range=10.0.1.100,10.0.1.200
interface=vm-public2
dhcp-range=10.0.2.100,10.0.2.200

Switching bind-interfaces on and off didn't do anything in terms of anyone can ping anyone, don't understand what that does but probably nothing regarding this.
 
Looks like your missing the dhcp-option line/s
Here is mine:
Code: 
domain-needed
bogus-priv
strict-order
no-resolv
interface=lagg0
interface=em1
#listen-address=::1,127.0.0.1,192.168.1.1
expand-hosts
server=1.1.1.1
server=8.8.4.4
dhcp-authoritative
dhcp-range=set:em1,192.168.2.10,192.168.2.20,72h
dhcp-range=set:lagg0,192.168.1.100,192.168.1.140,72h
dhcp-option=em1,option:router,192.168.2.1
dhcp-option=lagg0,option:router,192.168.1.1
 
GogoFC said:
but to keep the two networks separate and not to be able to talk to each-other but still have dhcp etc.
Click to expand...
Sorry I missed this part. Yes pf is defiantly one way to go.

dnsmasq can handle this and from your settings you need pf rules to do this:
Isolate 10.0.1.1 from 10.0.2.1 and vice-versa. Another approach could isolate via interface based rule.
 
Phishfry said:
Looking at some tutorials I noticed that vm-bhyve might not need the dhcp-option settings.
Click to expand...
Hey thanks man for all of it, and your conf file, it's nice to see other people's conf files.

I did have the option "port=0" which essentially disables the DNS, so after removing it DNS started to work :) , well I have to start somewhere :) copy paste.

dhcp option might be better, I will try it, to specify interfaces, I guess dnsmasq knew to lease dhcp from the same subnet as I didn't have to specify it.
 
You must log in or register to reply here.
Back
Top