Hello
I am migrating a complex Linux setup. It has policy routing and NATs over both BGP/bird and static routes, VLANs, a GRE tunnel, VPNs, packet filtering, local services on Xen domains (bridges), etc. Part of its setup is a pair of dummy interfaces, used as DMZs with IPs from routed ranges (no ARP).
My question is: What driver must be used in FreeBSD to get the same functionality as dummy interfaces in Linux? From what I have read so far, vtnet and tap seem to be possible choices; however, I can't figure out which one is better. Also, as I understand it, ng_eiface creates a virtual interface; however, I still can't figure out whether kernel routing works with netgraph when it is not bound to any physical interface (I have never used it before).
Just to note again: I am _not_ asking how to set up an alias/bridge/second MAC/VLAN/firewall forwarding/netgraph/etc. attached to one of the physical interfaces. What I need is a virtual interface, completely independent from the physical ones, with working routing to/from it. The possibility to bridge it to Xen domains may be useful, but if that's impossible there are ways to work around it.
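As an added example (not part of the original post), the following shell procedure sets up a cloned loopback interface, `lo1`, which is the closest FreeBSD analogue to a Linux dummy interface: it has no link layer, so there is no ARP, and the kernel installs a connected route for the assigned prefix exactly as it does for a physical interface. The interface name, the 192.0.2.0/24 prefix and the `--apply` flag are placeholders chosen for this example; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: FreeBSD counterpart of a Linux dummy interface.
# A cloned loopback (lo1) carries routed addresses without ARP; the kernel
# routes the connected prefix to it like any other interface.
# Interface name and prefix are placeholders.
set -eu

# DRY_RUN=1 (default) prints the commands; run as root with --apply to execute.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_dmz_if IFNAME CIDR: clone the interface and assign the DMZ address.
# Assigning the address is what installs the connected route for the prefix.
create_dmz_if() {
    ifname=$1 cidr=$2
    # 'ifconfig loN create' fails if the interface already exists, so skip it then
    if [ "$DRY_RUN" = "1" ] || ! ifconfig "$ifname" >/dev/null 2>&1; then
        run ifconfig "$ifname" create
    fi
    run ifconfig "$ifname" inet "$cidr" up
    # forwarding must be enabled for traffic to transit between lo1 and other interfaces
    run sysctl net.inet.ip.forwarding=1
}

# rc_conf_lines IFNAME CIDR: the same configuration in persistent /etc/rc.conf form
rc_conf_lines() {
    printf 'cloned_interfaces="%s"\n' "$1"
    printf 'ifconfig_%s="inet %s"\n' "$1" "$2"
    printf 'gateway_enable="YES"\n'
}

# verify_route ADDR: ask the kernel which interface it selects for ADDR;
# a host inside the DMZ prefix should resolve to the cloned interface
verify_route() {
    run route -n get "$1"
}

[ "${1:-}" = "--apply" ] && DRY_RUN=0
create_dmz_if lo1 192.0.2.1/24
verify_route 192.0.2.10
rc_conf_lines lo1 192.0.2.1/24
```

One caveat that matters for the Xen part of the setup: if_bridge only accepts Ethernet-type members, so `lo1` cannot be added to a bridge. Where a DMZ interface must be bridged to guest VIFs, an `epair` (one end on the host with the routed address, the other end added to the bridge) provides an independent virtual interface that is bridgeable, at the cost of the ARP-free behaviour of the loopback.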