# VNET, regular jails, gateways and defaultrouters



## max21 (Nov 21, 2015)

I read http://www.ehow.com/about_6648327_difference-between-gateway-router.html


> if one router is congested or compromised, you can simply take out that router and the other routers will determine other possible paths to get data across the network. If you take a gateway out, you bring a whole network down.



Since I don’t a spare computer to run as a default router behind my ISP router I'll  do it with a jail and build a network of jails behind it.  If this makes any since I see two options.

If I was to use VNET jails, could the first jail run as the defaultrouter, and the next jail runs as the Gateway for other jails?  Maybe it`s like PF cleaning things up and routing to the router.  Is that one way  it can work?  What role would the host play? 
	
	



```
gateway_enable=”NO”
```
Or if I just use regular jails without VNET, would I make the host the defaultrouter and the first jail the gateway?   I guest this would be a bad idea based on Chris Loza article, but if this is the way it’s done what additional programs would be needed to help protect the host if running as defaultrouter?  Would packet filtering be enough?

I don’t want to throw things off by my intent of use, because there will be other things I will want to try, but for now, I want to use my FreeBSD desktop and laptop as the user to connect to a VPN provider, with as much added security on the host as possible, while at the same time learning as much as I can with my own networking model through the use of jails on a single machine.  I just want to catch up.


----------



## Savagedlight (Nov 22, 2015)

With VNET, you can create your own custom topology. This could include a jail working as gateway/router between an internal and external (to the host) network. All you need to do is set up bridges (bridgeN) interfaces and attach the correct interfaces to the correct bridges. Remember, if you're attaching a physical NIC to a bridge, move the hosts IP for that NIC to the bridge.

Without VNET, you'll probably bind jails to a private network range (say, 192.168.1.x/24) and do NAT between that and the external-to-host network on the host system.


----------



## max21 (Nov 22, 2015)

Thank you Savagedlight, if I had not read the ONLY six in the entire world … The six threads googled to this forum …  about OpenVPN in jail I would still not know how jails really work.  I thought you have to go into the jail if you need something done other than running a webservers, etc.  But for desktops, I now understand that the host application will interact with the device in _/dev_ that the jail is using.  Just when things are starting to get clear, I come to see that OpenVPN don’t even install.  I tried on 10.0 and 10.1-p4.   Now I got bigger problems than what comes first, the jail-router or the gateway. 

openvpn-2.3.4 _and_ openvpn-2.3.8 give the error 127 ... same as of over 6 _long_ years ago.  

https://forums.freebsd.org/threads/imagemagick-error-code-127.20121/

This was the solution many version ago that don’t work for what the port have today.  I’m going to have to start a new thread.  I got a feeling that others are using 8.2 to run openvpn.  Maybe someone will post the secrete receipt.

Anyway, thanks again Savagedlight for making vnet all so clear, especially about how to handle the host:


Savagedlight said:


> With VNET, you can create your own custom topology. This could include a jail working as gateway/router between an internal and external (to the host) network. All you need to do is set up bridges (bridgeN) interfaces and attach the correct interfaces to the correct bridges. Remember, if you're attaching a physical NIC to a bridge, move the hosts IP for that NIC to the bridge.
> 
> Without VNET, you'll probably bind jails to a private network range (say, 192.168.1.x/24) and do NAT between that and the external-to-host network on the host system.


----------

