docs: networking: update vlan

tschettervictor
2025-11-21 20:00:11 -07:00
committed by GitHub
parent 13345b6773
commit b7fe5a5be2


@@ -396,21 +396,29 @@ on your system is.
VLAN Configuration VLAN Configuration
------------------ ------------------
Jail VLAN Tagging
^^^^^^^^^^^^^^^^^
Bastille supports VLANs to some extent when creating jails. When creating a jail, Bastille supports VLANs to some extent when creating jails. When creating a jail,
use the ``--vlan ID`` options to specify a VLAN ID for your jail. This will set use the ``--vlan ID`` options to specify a VLAN ID for your jail. This will set
the proper variables inside the jails `rc.conf` to add the jail to the specified the proper variables inside the jails `rc.conf` to add the jail to the specified
VLAN. When using this method, the interface being assigned must carry tagged VLAN VLAN. The jail will then take care of tagging the traffic. Do not use ``-v|--vlan``
packets, e.g. you can bridge a VLAN trunk to the jail and in the jail you then can if you have already configured the host interface to tag the traffic. See limitations
access all VLANs. But be careful: This may have security implications. below.
You cannot use the ``-V|--vnet`` options with interfaces that have dots (.) in the When using this method, the interface being assigned must be a trunk interface.
name, which is the standard way of naming a VLAN interface. This is due to the This means that it passes all traffic, leaving any VLAN tags as they are.
limitations of the JIB script that Bastille uses to manage VNET jails.
Host VLAN Tagging
^^^^^^^^^^^^^^^^^
Another method is to configure a host interface to tag the traffic. This way, the
jail doesn't have to worry about it.
You can only use ``-B|--bridge`` with host VLAN interfaces, due to the limitation
mentioned below. With this method we create the bridge interfaces in ``rc.conf``
and configure them to tag the traffic by VLAD ID.
You can however use ``-B|--bridge`` with VLAN interfaces (even with dots in the
name). Using this method you create bridge interfaces in ``rc.conf`` and only
add VLANs that are needed for the jail. The jail only has access to these VLANs
and not to the whole trunk.
Below is an ``rc.conf`` snippet that was provided by a user who has such a Below is an ``rc.conf`` snippet that was provided by a user who has such a
configuration. configuration.
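Review bot: "VLAD ID" in the Host VLAN Tagging paragraph ("configure them to tag the traffic by VLAD ID") is a typo for "VLAN ID". Two smaller points in the same hunk: `rc.conf` in the Jail VLAN Tagging paragraph is in single backticks, which reStructuredText renders as interpreted text rather than a literal, while the rest of the section uses ``rc.conf``; and the rewrite drops the old caution "But be careful: This may have security implications" even though the new text still requires a trunk interface that "passes all traffic". Consider keeping one sentence stating that a jail attached to a trunk can reach every VLAN carried on it, since the Host VLAN Tagging paragraph draws its contrast from exactly that ("The jail only has access to these VLANs and not to the whole trunk").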
@@ -441,6 +449,17 @@ configuration.
Notice that the interfaces are bridge interfaces, and can be used with ``-B|--bridge`` Notice that the interfaces are bridge interfaces, and can be used with ``-B|--bridge``
without issue. without issue.
VLAN Limitations
^^^^^^^^^^^^^^^^
You cannot use the ``-V|--vnet`` options with interfaces that have dots (.) in the
name, which is the standard way of naming a VLAN interface. This is due to the
limitations of the JIB script that Bastille uses to manage VNET jails.
Do not attempt to configure both the host and the jail to tag VLAN traffic.
If you use the host method, do not use ``-v|--vlan`` when creating the jail.
Doing so will prevent the jail from having network access.
Regarding Routes Regarding Routes
---------------- ----------------
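Review bot: "Doing so will prevent the jail from having network access" states the symptom but not the cause; a short clause explaining that the jail's traffic would then carry two VLAN tags would help a reader recognise the misconfiguration when troubleshooting. Minor: "the ``-V|--vnet`` options" should be singular ("option", one flag with two spellings), and the ``-v|--vlan`` rule here repeats the one already given under Jail VLAN Tagging ("Do not use ``-v|--vlan`` if you have already configured the host interface to tag the traffic"); the repetition is fine as a cross-reference, but wording both identically would keep them from drifting apart in later edits.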