Hi all,
In this case I have set up 2 totally separate sets of jails on 2 nics using 2 networks.
/etc/rc.conf
Code:
gateway_enable="YES"
# configure igb0 and igb1 with wan access
ifconfig_igb0_name="igb0wan"
ifconfig_igb1_name="igb1wan"
ifconfig_igb0wan="up"
ifconfig_igb1wan="up"
# define clones
cloned_interfaces="bridge0 bridge1 bridge2 bridge3"
# define igb0/1 wanbridges
ifconfig_bridge0_name="igb0wanbridge"
ifconfig_bridge1_name="igb1wanbridge"
# define private bridges for lo1 and lo2
ifconfig_bridge2_name="igb0pbridge"
ifconfig_bridge3_name="igb1pbridge"
# bring bridges online
ifconfig_igb0wanbridge="addm igb0wan up"
ifconfig_igb1wanbridge="addm igb1wan up"
This configuration renames igb0/1 to igb0wan and igb1wan. It binds them to the bridge and binds each network to its own epair, resulting in this:
Code:
+-----+------------------+-------+--------------+---------------------------+
| JID | NAME | STATE | RELEASE | IP4 |
+=====+==================+=======+==============+===========================+
| 6 | igb0-application | up | 13.0-RELEASE | 172.16.24.100 |
+-----+------------------+-------+--------------+---------------------------+
| 2 | igb0wan | up | 13.0-RELEASE | 10.100.10.144,172.16.24.1 |
+-----+------------------+-------+--------------+---------------------------+
| 7 | igb1-application | up | 13.0-RELEASE | 10.10.10.100 |
+-----+------------------+-------+--------------+---------------------------+
| 3 | igb1wan | up | 13.0-RELEASE | 10.100.10.143,10.10.10.1 |
+-----+------------------+-------+--------------+---------------------------+
As expected, the WAN jails can ping the internet and ping the .100 application jails, whereas the application jails can only ping other jails on the internal network; they cannot ping the internet or any other jails not on their network.
First question:
Is this the "best" approach?
Second question:
How do I make the application jails tag their traffic as, say, VLAN 10 and 20, so the output of said application servers can be easily routed by upstream switches?
Thanks
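For the second question, the usual FreeBSD answer is not to have the jails tag anything themselves: give each application network a vlan(4) child on the trunk NIC, put that vlan interface into its own bridge, and attach the application jails' epairs to that bridge instead of the private bridge. Frames leave the jail untagged, the bridge hands them to the vlan interface, and they go out of igb0wan with the 802.1Q tag, which is what the upstream switch wants to see. The fragment below is an added example and not part of the original post; it shows only the igb0wan side (igb1wan is the same with its own IDs), and the interface names vlan10/vlan20/bridge10/bridge20, the VLAN IDs 10 and 20, and the assumption that the switch port behind igb0wan is a trunk carrying both tags are all mine.

```sh
# Added example (not from the original post): rc.conf fragment giving each
# application network its own 802.1Q VLAN on the igb0wan trunk.
# Assumptions: VLAN IDs 10 and 20, names vlan10/vlan20/bridge10/bridge20,
# and a trunk port on the switch that carries both tags.
gateway_enable="YES"

# Physical NIC, renamed exactly as in the original rc.conf.  It is deliberately
# NOT a member of an untagged bridge here: in 13.0, if_bridge(4) claims frames
# arriving on a member interface before vlan(4) demux runs, so a tagged
# unicast frame for a jail behind bridge10 would be swallowed by igb0wanbridge
# and never reach vlan10.
ifconfig_igb0_name="igb0wan"
ifconfig_igb0wan="up"

# One vlan(4) child per VLAN ID and one bridge per VLAN.  The bridge is the
# jail-facing side; the vlan interface is its only uplink.
cloned_interfaces="vlan10 vlan20 bridge10 bridge20"

# Tag on egress / untag on ingress through igb0wan.  vlandev must be the name
# the NIC has when ifconfig_vlan10 is evaluated, which in rc.d/netif is after
# the rename step (clone_up, then ifnet_rename, then interface configuration).
ifconfig_vlan10="vlan 10 vlandev igb0wan up"
ifconfig_vlan20="vlan 20 vlandev igb0wan up"

# Everything a jail sends into bridge10 leaves igb0wan tagged 10, and only
# frames tagged 10 arriving on igb0wan are delivered into bridge10.  The host
# needs no address on the vlan or bridge interfaces; the vnet jails carry
# their own addresses and default route (the switch's VLAN interface, if the
# switch is doing the inter-VLAN routing).
ifconfig_bridge10="addm vlan10 up"
ifconfig_bridge20="addm vlan20 up"
```

Then point the application jail's vnet epair at bridge10 or bridge20 instead of igb0pbridge with whatever setting your jail manager uses to pick the bridge. To check it is doing what you expect: `ifconfig vlan10` should report `vlan: 10 vlanproto: 802.1q ... parent interface: igb0wan`, and `tcpdump -eni igb0wan vlan 10` on the host while pinging from the jail should show the jail's frames carrying tag 10 on the wire. Adding vlan10 to a bridge puts it into promiscuous mode, and vlan(4) propagates that to igb0wan, so frames addressed to the jails' epair MACs are picked up by the NIC even though it has no bridge of its own.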