> Phew -- nice writeup -- sometimes I get to the point I figure I've wasted so much time on this topic that once it's running I don't want to modify -- BUT

Hah yea I feel you. I've spent almost the whole day figuring out why the F$%# the host NIC (igb0) is being added to the bridge and screwing the jail subnet. I had a new bug report prepared with all the details but went to double-check again before submitting. I went through the whole jail config again and "just" tried "none" instead of "auto". The moment I saw the proper IP in the GUI I was like "Riiiiight, makes sense ... (FU$^#^ "auto" piece of CR#$)..."

> Just some clarification points for me so I can try when I have time
> 1. You're running untagged VLAN1 and tagged VLAN(s) into FreeNAS?

Nope, I've dropped the whole VLAN1 because of my paranoia level over 9000. VLAN-1 is default. I don't want any defaults :] So I have several non-default VLANs on my local network. They're marked as Un-Tagged on the switch ports for devices which are NOT VLAN aware (like Workstation, HTPC, TV, ...). Then I have two TRUNK ports with all of my VLAN TAGs included.
First one is for my "UniFi AC Lite" AP (as I have multiple SSIDs, each with a separate VLAN for isolation between personal devices/network and "Guests").
Second one is the NAS so I can isolate the Jails as described above.
Note that both of these switch ports have one VLAN marked as UnTagged. This ensures that both devices will be on the internal/secured subnet. FreeNAS itself could be on a tagged VLAN as well (your setup) but the UniFi AP can NOT be on a tagged VLAN, otherwise the UniFi controller won't connect to the AP. (Maybe Ubiquiti already fixed that, maybe not, no idea. I had this issue like 4 years ago, as well as a bunch of other ppl as I saw on their support forums. Or maybe there was VLAN-1 hard-coded in the AP firmware so that was the only one "working"? Not sure, but I've figured it out with an untagged port and no complaints since then.)

> 2. With your setup -- are you able to create a jail/VM that runs on this untagged network? I'm thinking for example of a bridge0, with untagged traffic on it? How would you set this up?

Yes, the first approach is a plain bridge between Jail and host NIC. Anyway I would NOT go that way with Jails exposed to the outside world because NAS and Jail (or more jails within the same bridge) would share the network stack. The iface gets into promiscuous mode so if any of the Jails gets compromised one could easily tcpdump and sniff whatever goes through not only the jail iface itself but the other jails AND the NAS itself as well. (I am not 100% sure here so correct me if I am wrong but this is how I understand the "bridge".)
So the second and "safe" approach is to drop VNET completely and go with NAT instead. In that case the network stack is separated from the HOST system. Packets get tagged with the untagged VLAN ID when they arrive on the switch port.
Or there is a third way if you have multiple NICs on the HOST system. In that case you could just pass the whole interface to the Jail and have it physically separated by a different cable/switchport (where you can TAG it with a different ID).
I saw your ifconfig output and I was scratching my head why you don't have the parent NIC as a member of the bridge and I had. I would say it is because even your parent NIC is on a VLAN. No idea how "auto" decides what the "default iface" is though.

> 3. The remainder of your setup for the tagged networks - bridge/vlan creation and vnet configuration looks great. Thanks for that tip to set to none rather than auto. Mine are all set at auto.

Hope this helps. Good luck if you're ever going to touch your working network. :D