Monthly archive: June 2014

FreeBSD 10: LACP failover, multiple bridges, in-kernel IPFW NAT and CARP in the jail

WARNING: VIMAGE (virtualized network stack) is a highly experimental feature.

The following functions are wanted:

Link aggregation and failover with Ethernet (primary) and WLAN (backup), without any packet loss when the LAN cable is unplugged
– LACP with Spanning Tree Protocol
– Multiple bridges:
-> bridge0 (vswitch0) with lagg0 (plus stp), tap0, tun0 and epair1a to epair50a
-> epair51a connects to bridge0
-> epair51b connects to bridge1
-> bridge1 (vswitch1) with epair52a to epair55a
-> bridge2 (vswitch2) with tap1 to tap5 for isolated VirtualBox traffic
-> the FreeBSD HOST uses IPFW with in-kernel NAT (without IPDIVERT and the userland natd)
-> one jail for IP forwarding between vswitch1 and vswitch0
-> two jails with CARP (for high availability)

Figure: plitc_vimage_multi_vswitch (FreeBSD Beastie: LACP failover, multiple bridges, in-kernel IPFW NAT and CARP)

Step 1: new kernel for VIMAGE, IPFW with in-kernel NAT, LACP, CARP, BRIDGE and further modules

Dummynet (QoS) does NOT work inside the jail; with special settings, however, you can filter directly on the bridge interface on the HOST!

Mind the if_epair patch!

$
cd /usr/ports/devel/subversion/ && make install clean
 
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/src zroot/usr/src
zfs create -o checksum=sha256 -o compression=lz4 -o mountpoint=/usr/obj zroot/usr/obj
 
cd /usr
chflags -R noschg /usr/obj/*
rm -rfv /usr/obj/*
rm -rfv /usr/src/*
rm -rfv /usr/src/.svn
 
cd /usr/src
svn checkout https://svn0.eu.FreeBSD.org/base/releng/10.0 /usr/src
svn up /usr/src
$
$
cd /usr/src/sys/amd64/conf
mkdir /root/kernels
cp GENERIC /root/kernels/MBRIDGE
ln -s /root/kernels/MBRIDGE
vi /root/kernels/MBRIDGE
$
$
### ### ### PLITC ### ### ###
#
cpu             HAMMER
ident           MBRIDGE

makeoptions     DEBUG=-g                        # Build kernel with gdb(1) debug symbols
makeoptions     WITH_CTF=1                      # Run ctfconvert(1) for DTrace support

### < --- --- --- > ###

options         IPFIREWALL                      # enables IPFW
options         IPFIREWALL_VERBOSE              # enables logging for rules with log keyword
options         IPFIREWALL_VERBOSE_LIMIT=256    # limits number of logged packets per-entry
options         IPFIREWALL_DEFAULT_TO_ACCEPT    # sets default policy to pass what is not explicitly denied
### options         IPDIVERT                        # enables NATd Support
options         IPFIREWALL_NAT                  # IPFW in-Kernel NAT support
options         LIBALIAS                        # required for in-Kernel NAT / replacement for NATd

options         DUMMYNET                        # traffic shaper, bandwidth manager and delay emulator
options         HZ=1000                         # strongly recommended

device          carp
device          lagg
device          enc
device          gre
options         XBONEHACK

options         TCP_SIGNATURE                   # include support for RFC 2385

options         VIMAGE                          # Network Stack Virtualization
options         NULLFS                          # NULL filesystem

### VIMAGE - if_bridge/epair virtualization // ###
device          if_bridge
device          epair
### // VIMAGE - if_bridge/epair virtualization ###

### VIMAGE - netgraph virtualization // ###
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_BRIDGE
options         NETGRAPH_EIFACE
options         NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###

device          tap                             # virtual link layer 2 device

options         VFS_AIO

### DEFAULT ### options         TCP_OFFLOAD     # TCP offload

options         RACCT                           # Resource accounting
options         RCTL                            # Controls resource limits

device          crypto                          # core crypto support
device          cryptodev                       # /dev/crypto for access to h/w

device          rndtest                         # FIPS 140-2 entropy tester

device          hifn                            # Hifn 7951, 7781, etc.
options         HIFN_DEBUG                      # enable debugging support: hw.hifn.debug
options         HIFN_RNDTEST                    # enable rndtest support

device          ubsec                           # Broadcom 5501, 5601, 58xx
options         UBSEC_DEBUG                     # enable debugging support: hw.ubsec.debug
options         UBSEC_RNDTEST                   # enable rndtest support

options         IPSEC                           # IP security (requires device crypto)
options         IPSEC_NAT_T                     # NAT-T support, UDP encap of ESP

options         FDESCFS                         # File descriptor filesystem

### NOT WITH VIMAGE ### device          pf
### NOT WITH VIMAGE ### device          pflog
### NOT WITH VIMAGE ### device          pfsync
### NOT WITH VIMAGE ### options         ALTQ
### NOT WITH VIMAGE ### options         KTR_ALQ
### NOT WITH VIMAGE ### options         ALTQ_CBQ       # Class Based Queueing
### NOT WITH VIMAGE ### options         ALTQ_RED       # Random Early Detection
### NOT WITH VIMAGE ### options         ALTQ_RIO       # RED In/Out
### NOT WITH VIMAGE ### options         ALTQ_HFSC      # Hierarchical Packet Scheduler
### NOT WITH VIMAGE ### options         ALTQ_CDNR      # Traffic conditioner
### NOT WITH VIMAGE ### options         ALTQ_PRIQ      # Priority Queueing
### NOT WITH VIMAGE ### options         ALTQ_NOPCC     # Required if the TSC is unusable
### NOT WITH VIMAGE ### options         ROUTETABLES=15 # max 16 FIB (Forward Information Base/multiple routing tables) support
### NOT WITH VIMAGE ### options         MROUTING       # multicast routing
#
### colors // ###
options     SC_PIXEL_MODE
options     SC_NORM_ATTR=(FG_CYAN|BG_BLACK) # The normal text will be cyan on black background
options     SC_KERNEL_CONS_ATTR=(FG_RED|BG_BLACK) # Kernel messages will be red on black background
### // colors ###
#
### ### ### PLITC ### ### ###
$

Step 2: build/install the kernel

$
cd /usr/src
time make buildkernel KERNCONF=MBRIDGE
time make installkernel KERNCONF=MBRIDGE

reboot
$

Step 3: /etc/rc.conf

$
vi /etc/rc.conf

### ### ### PLITC ### ### ###
#
### LACP failover // ###
ifconfig_bge0="up ether DE:AD:BE:EF:BA:BE"
wlans_wpi0="wlan0"
ifconfig_wlan0="WPA"
ifconfig_wpi0="ether DE:AD:BE:EF:BA:BE"
ifconfig_lagg0="laggproto failover laggport bge0 laggport wlan0 DHCP"
ifconfig_lagg0_ipv6="inet6 accept_rtadv"
ip6addrctl_policy="ipv6_prefer"
### // LACP failover ###
#
### interfaces // ###
cloned_interfaces="lagg0 bridge0 bridge1 bridge2 tap0 tap1 tap2 tap3 tap4 tap5 tun0 tun1 tun2 tun3 tun4 tun5 tun6 tun7 tun8 tun9 tun10 epair1 epair2 epair3 epair4 epair5 epair6 epair7 epair8 epair9 epair10 epair11 epair12 epair13 epair14 epair15 epair16 epair17 epair18 epair19 epair20 epair21 epair22 epair23 epair24 epair25 epair26 epair27 epair28 epair29 epair30 epair31 epair32 epair33 epair34 epair35 epair36 epair37 epair38 epair39 epair40 epair41 epair42 epair43 epair44 epair45 epair46 epair47 epair48 epair49 epair50 epair51 epair52 epair53 epair54 epair55"
#
ifconfig_tap0="up"
ifconfig_tap1="up"
ifconfig_tap2="up"
ifconfig_tap3="up"
ifconfig_tap4="up"
ifconfig_tap5="up"
#
ifconfig_tun0="up"
ifconfig_tun1="up"
ifconfig_tun2="up"
ifconfig_tun3="up"
ifconfig_tun4="up"
ifconfig_tun5="up"
ifconfig_tun6="up"
ifconfig_tun7="up"
ifconfig_tun8="up"
ifconfig_tun9="up"
ifconfig_tun10="up"
#
ifconfig_epair1a="up"
ifconfig_epair2a="up"
ifconfig_epair3a="up"
ifconfig_epair4a="up"
ifconfig_epair5a="up"
ifconfig_epair6a="up"
ifconfig_epair7a="up"
ifconfig_epair8a="up"
ifconfig_epair9a="up"
ifconfig_epair10a="up"
ifconfig_epair11a="up"
ifconfig_epair12a="up"
ifconfig_epair13a="up"
ifconfig_epair14a="up"
ifconfig_epair15a="up"
ifconfig_epair16a="up"
ifconfig_epair17a="up"
ifconfig_epair18a="up"
ifconfig_epair19a="up"
ifconfig_epair20a="up"
ifconfig_epair21a="up"
ifconfig_epair22a="up"
ifconfig_epair23a="up"
ifconfig_epair24a="up"
ifconfig_epair25a="up"
ifconfig_epair26a="up"
ifconfig_epair27a="up"
ifconfig_epair28a="up"
ifconfig_epair29a="up"
ifconfig_epair30a="up"
ifconfig_epair31a="up"
ifconfig_epair32a="up"
ifconfig_epair33a="up"
ifconfig_epair34a="up"
ifconfig_epair35a="up"
ifconfig_epair36a="up"
ifconfig_epair37a="up"
ifconfig_epair38a="up"
ifconfig_epair39a="up"
ifconfig_epair40a="up"
ifconfig_epair41a="up"
ifconfig_epair42a="up"
ifconfig_epair43a="up"
ifconfig_epair44a="up"
ifconfig_epair45a="up"
ifconfig_epair46a="up"
ifconfig_epair47a="up"
ifconfig_epair48a="up"
ifconfig_epair49a="up"
ifconfig_epair50a="up"
#
ifconfig_epair51a="up"
ifconfig_epair52a="up"
ifconfig_epair53a="up"
ifconfig_epair54a="up"
ifconfig_epair55a="up"
#
ifconfig_bridge0_name="vswitch0"
#
ifconfig_vswitch0="addm lagg0 stp lagg0 addm tap0 addm epair1a addm epair2a addm epair3a addm epair4a addm epair5a addm epair6a addm epair7a addm epair8a addm epair9a addm epair10a addm epair11a addm epair12a addm epair13a addm epair14a addm epair15a addm epair16a addm epair17a addm epair18a addm epair19a addm epair20a addm epair21a addm epair22a addm epair23a addm epair24a addm epair25a addm epair26a addm epair27a addm epair28a addm epair29a addm epair30a addm epair31a addm epair32a addm epair33a addm epair34a addm epair35a addm epair36a addm epair37a addm epair38a addm epair39a addm epair40a addm epair41a addm epair42a addm epair43a addm epair44a addm epair45a addm epair46a addm epair47a addm epair48a addm epair49a addm epair50a addm epair51a"
#
ifconfig_bridge1_name="vswitch1"
#
ifconfig_vswitch1="addm epair51b addm epair52a addm epair53a addm epair54a addm epair55a"
#
ifconfig_bridge2_name="vswitch2"
#
ifconfig_vswitch2="addm tap1 addm tap2 addm tap3 addm tap4 addm tap5"
### // interfaces ###
#
### Firewall // ###
firewall_enable="YES"
#firewall_type="open"
firewall_logging="YES"
firewall_type="/etc/firewall.rules"
firewall_script="/etc/rc.firewall.local"
#
pf_enable="NO"                  # enable PF (load the module if necessary)
pf_rules="/etc/pf.conf"         # file with the rule definitions for pf
pf_flags=""                     # additional parameters for starting pfctl
pflog_enable="NO"               # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the log file
pflog_flags=""                  # additional parameters for starting pflogd
### // Firewall ###
#
### ### ### PLITC ### ### ###
$

Under no circumstances may the option ipv6_activate_all_interfaces="YES" be used; it leads to a kernel crash!

lagg0: IPv6 address on bge0 have been removed before adding it as a member to prevent IPv6 address scope violation

If an IP address is configured directly on the bridge interface (e.g. for ipfw filtering for dummynet QoS), none of the bridge members may carry a direct IP address any more (this includes the IPv6 link-local addresses generated by ipv6_activate_all_interfaces)!

(If the bridge host needs an IP address, set it on the bridge interface, not on the member interfaces.)
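As an added check (not part of the original post), the following POSIX sh function lints an rc.conf for the three pitfalls of this step: a variable assigned twice (sh keeps only the last value, so an earlier "up" silently disappears), ipv6_activate_all_interfaces="YES", and an address on a bridge member while the bridge itself carries one. It assumes the ifconfig_bridgeN_name="vswitchN" naming used on this page and strips trailing "# comment" text before reading a value; the sample rc.conf is constructed for the demo.

```shell
#!/bin/sh
# Constructed sample rc.conf with all three pitfalls (not a real config).
RCCONF_SAMPLE='ifconfig_bge0="up"
ifconfig_bge0="ether DE:AD:BE:EF:BA:BE"
ipv6_activate_all_interfaces="YES"
ifconfig_lagg0="laggproto failover laggport bge0 laggport wlan0 DHCP"
cloned_interfaces="lagg0 bridge0 epair1"
ifconfig_epair1a="up"
ifconfig_bridge0_name="vswitch0"
ifconfig_vswitch0="addm lagg0 stp lagg0 addm epair1a inet 192.168.0.5/24"
pf_enable="NO"   # constructed trailing comment'

lint_rcconf() {
    # $1: path to an rc.conf; prints one line per finding, returns the count
    awk '
    # an ifconfig_* value counts as "has an address" if it configures
    # inet/inet6 or asks for DHCP
    function has_addr(v) {
        return (v ~ /(^|[ \t])(inet|inet6)[ \t]/ || v ~ /(^|[ \t])(DHCP|SYNCDHCP)([ \t]|$)/)
    }
    /^[A-Za-z_][A-Za-z0-9_]*=/ {
        line = $0
        sub(/[ \t]+#.*$/, "", line)              # drop a trailing comment
        eq = index(line, "=")
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/^"|"$/, "", val)                   # unquote the value
        if (key in first) {
            printf "duplicate assignment of %s: earlier value \"%s\" is silently lost\n", key, first[key]
            n++
        } else first[key] = val
        if (key == "ipv6_activate_all_interfaces" && toupper(val) == "YES") {
            print "ipv6_activate_all_interfaces=YES: known to crash the kernel with VIMAGE bridges"
            n++
        }
        # remember bridge names, whether renamed (ifconfig_bridge0_name) or not
        if (key ~ /^ifconfig_bridge[0-9]+_name$/) bridge[val] = 1
        else if (key ~ /^ifconfig_bridge[0-9]+$/) bridge[substr(key, 10)] = 1
        last[key] = val
    }
    END {
        for (b in bridge) {
            cfg = last["ifconfig_" b]
            if (!has_addr(cfg)) continue         # bridge without address: members may keep theirs
            m = split(cfg, t, /[ \t]+/)
            for (i = 1; i < m; i++) {
                mem = t[i + 1]
                if (t[i] == "addm" && (has_addr(last["ifconfig_" mem]) || ("ifconfig_" mem "_ipv6") in last)) {
                    printf "bridge %s carries an address, but member %s does too\n", b, mem
                    n++
                }
            }
        }
        exit n + 0
    }' "$1"
}

# stand-alone demo: run the lint over the constructed sample
tmp=$(mktemp); printf '%s\n' "$RCCONF_SAMPLE" > "$tmp"
lint_rcconf "$tmp" || echo "findings: $?"
rm -f "$tmp"
```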

Step 4: /etc/rc.firewall.local

$
vi /etc/rc.firewall.local

#!/bin/sh
### ### ### PLITC // ### ### ###
/sbin/ipfw -q flush
/sbin/ipfw -q pipe flush
/sbin/ipfw -q queue flush
/sbin/ipfw -q /etc/firewall.rules
### ### ### // PLITC ### ### ###
# EOF
$
$
chmod 755 /etc/rc.firewall.local
$

Step 5: /etc/firewall.rules

$
vi /etc/firewall.rules

### ### ### Firewall // ### ### ###
### default // ###
add 60100 allow ip from any to any via lo0
add 60200 deny ip from any to 127.0.0.0/8
add 60300 deny ip from 127.0.0.0/8 to any
add 60400 deny ip from any to ::1
add 60500 deny ip from ::1 to any
add 60600 allow ipv6-icmp from :: to ff02::/16
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
add 65000 allow ip from any to any
### // default ###
### ### ### // Firewall ### ### ###
# EOF
$

Step 6: Jail(1) – "local1" with CARP (master)

$
vi /usr/local/etc/ezjail/local1

### ### ### EZJAIL // ### ### ###
export jail_local1_hostname="local1"
#export jail_local1_ip="0.0.0.0"
export jail_local1_rootdir="/usr/jails/local1"
export jail_local1_exec_start="/bin/sh /etc/rc"
export jail_local1_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_local1_mount_enable="YES"
export jail_local1_devfs_enable="YES"
export jail_local1_devfs_ruleset="22"
export jail_local1_procfs_enable="YES"
export jail_local1_fdescfs_enable="YES"
export jail_local1_image=""
export jail_local1_imagetype="zfs"
export jail_local1_attachparams=""
export jail_local1_attachblocking=""
export jail_local1_forceblocking=""
export jail_local1_zfs_datasets=""
export jail_local1_cpuset=""
export jail_local1_fib=""
export jail_local1_parentzfs="zroot/ezjail"
export jail_local1_parameters="allow.raw_sockets=1 allow.sysvipc=1"
export jail_local1_post_start_script=""
### VIMAGE // ###
export jail_local1_exec_poststart0="ifconfig epair1b vnet local1"
export jail_local1_exec_poststart1="ifconfig tun1 vnet local1"
export jail_local1_exec_poststart2="jexec local1 /sbin/ifconfig epair1b 192.168.0.211/24"
export jail_local1_exec_poststart3="jexec local1 /sbin/route add default 192.168.0.249"
export jail_local1_exec_poststart4="jexec local1 /sbin/ifconfig epair1b vhid 1 pass testpass alias 192.168.0.220/24"
### // VIMAGE ###
### ### ### // EZJAIL ### ### ###
# EOF
$

The devfs_ruleset can be viewed here.

CARP was rewritten for FreeBSD 10; a pseudo-device is no longer needed.

Step 7: Jail(1) – "local1" sysctl

$
vi /etc/sysctl.conf

### CARP // ###
net.inet.carp.preempt=1
### // CARP ###
# EOF
$

Step 8: Jail(2) – "local2" with CARP (backup)

$
vi /usr/local/etc/ezjail/local2

### ### ### EZJAIL // ### ### ###
export jail_local2_hostname="local2"
#export jail_local2_ip="0.0.0.0"
export jail_local2_rootdir="/usr/jails/local2"
export jail_local2_exec_start="/bin/sh /etc/rc"
export jail_local2_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_local2_mount_enable="YES"
export jail_local2_devfs_enable="YES"
export jail_local2_devfs_ruleset="22"
export jail_local2_procfs_enable="YES"
export jail_local2_fdescfs_enable="YES"
export jail_local2_image=""
export jail_local2_imagetype="zfs"
export jail_local2_attachparams=""
export jail_local2_attachblocking=""
export jail_local2_forceblocking=""
export jail_local2_zfs_datasets=""
export jail_local2_cpuset=""
export jail_local2_fib=""
export jail_local2_parentzfs="zroot/ezjail"
export jail_local2_parameters="allow.raw_sockets=1 allow.sysvipc=1"
export jail_local2_post_start_script=""
### VIMAGE // ###
export jail_local2_exec_poststart0="ifconfig epair2b vnet local2"
export jail_local2_exec_poststart1="ifconfig tun2 vnet local2"
export jail_local2_exec_poststart2="jexec local2 /sbin/ifconfig epair2b 192.168.0.212/24"
export jail_local2_exec_poststart3="jexec local2 /sbin/route add default 192.168.0.249"
export jail_local2_exec_poststart4="jexec local2 /sbin/ifconfig epair2b vhid 1 advskew 100 pass testpass alias 192.168.0.220/24"
### // VIMAGE ###
### ### ### // EZJAIL ### ### ###
# EOF
$

Step 9: Jail(2) – "local2" sysctl

$
vi /etc/sysctl.conf

### CARP // ###
net.inet.carp.preempt=1
### // CARP ###
# EOF
$

Step 10: test CARP

Ping 192.168.0.220 from an external interface/jail

$
tcpdump -npi epair1b -T carp
$
$
tcpdump -npi epair2b -T carp
$

optionally take the interfaces down with ifconfig epair1b/2b down
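As an added helper (not from the original post), this POSIX sh function summarises the tcpdump -T carp output from the test above: it prints which host is advertising for each vhid and every change of advertiser, so the switch from local1 (advskew 0) to local2 (advskew 100) after epair1b goes down, and the takeover by local1 once it returns (net.inet.carp.preempt=1), is visible at a glance. A vhid whose advertiser changes on almost every line means two hosts both believe they are master (for instance because their passwords differ). It assumes tcpdump was run with -n and without -e; the sample lines are constructed in that format and are not a real capture.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -npi epair1b -T carp" output (not a real capture):
# local1 (.211, advskew 0) advertises, goes down, local2 (.212, advskew 100)
# takes over, then local1 returns and preempts.
CARP_SAMPLE='12:00:00.000000 IP 192.168.0.211 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1
12:00:01.000000 IP 192.168.0.211 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=2
12:00:05.000000 IP 192.168.0.212 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=3
12:00:06.000000 IP 192.168.0.212 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=4
12:00:09.000000 IP 192.168.0.211 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=5'

carp_watch() {
    # reads tcpdump -T carp lines on stdin; prints the first master per vhid,
    # each change of advertising host, and a per-vhid summary
    awk '
    /CARPv[0-9]+-advertise/ {
        ts = $1; src = $3                      # "<ts> IP <src> > <dst>: CARPv2-advertise ..."
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^vhid=/)    vhid = substr($i, 6)
            if ($i ~ /^advskew=/) skew = substr($i, 9)
        }
        adverts[vhid]++
        if (!(vhid in cur))
            printf "%s vhid=%s master %s (advskew %s)\n", ts, vhid, src, skew
        else if (cur[vhid] != src) {
            printf "%s vhid=%s master changed %s (advskew %s) -> %s (advskew %s)\n",
                   ts, vhid, cur[vhid], curskew[vhid], src, skew
            changes[vhid]++
        }
        cur[vhid] = src; curskew[vhid] = skew
    }
    END {
        for (v in cur)
            printf "summary vhid=%s adverts=%d changes=%d current=%s (advskew %s)\n",
                   v, adverts[v], changes[v] + 0, cur[v], curskew[v]
    }'
}

# stand-alone demo over the constructed sample
printf '%s\n' "$CARP_SAMPLE" | carp_watch
```

On the live system, pipe the real capture in instead: tcpdump -lnpi epair1b -T carp | carp_watch.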

Step 11: Jail(3) – "local3" for IP forwarding / NAT

$
vi /usr/local/etc/ezjail/local3

### ### ### EZJAIL // ### ### ###
export jail_local3_hostname="local3"
#export jail_local3_ip="0.0.0.0"
export jail_local3_rootdir="/usr/jails/local3"
export jail_local3_exec_start="/bin/sh /etc/rc"
export jail_local3_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_local3_mount_enable="YES"
export jail_local3_devfs_enable="YES"
export jail_local3_devfs_ruleset="22"
export jail_local3_procfs_enable="YES"
export jail_local3_fdescfs_enable="YES"
export jail_local3_image=""
export jail_local3_imagetype="zfs"
export jail_local3_attachparams=""
export jail_local3_attachblocking=""
export jail_local3_forceblocking=""
export jail_local3_zfs_datasets=""
export jail_local3_cpuset=""
export jail_local3_fib=""
export jail_local3_parentzfs="zroot/ezjail"
export jail_local3_parameters="allow.raw_sockets=1 allow.sysvipc=1"
export jail_local3_post_start_script=""
### VIMAGE // ###
export jail_local3_exec_poststart0="ifconfig epair3b vnet local3"
export jail_local3_exec_poststart1="ifconfig epair4b vnet local3"
export jail_local3_exec_poststart2="ifconfig tun3 vnet local3"
export jail_local3_exec_poststart3="jexec local3 /sbin/ifconfig epair3b 192.168.0.222/24"
export jail_local3_exec_poststart4="jexec local3 /sbin/route add default 192.168.0.249"
export jail_local3_exec_poststart5="jexec local3 /sbin/ifconfig epair4b 192.168.1.222/24"
### // VIMAGE ###
### ### ### // EZJAIL ### ### ###
# EOF
$

Step 12: Jail(3) – "local3" sysctl

$
vi /etc/sysctl.conf

### ### ### FORWARDING // ### ### ###
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=0
net.inet6.ip6.forwarding=1
### traffic shaping // ###
# Forces a single pass through the firewall. If set to 0,
# packets coming out of a pipe will be reinjected into the
# firewall starting with the rule after the matching one.
# NOTE: there is always one pass for bridged packets.
#
net.inet.ip.fw.one_pass=1
#
### // traffic shaping ###
### ### ### // FORWARDING ### ### ###
# EOF
$

Step 13: Jail(3) – "local3" /etc/rc.conf

$
vi /etc/rc.conf

### ### ### FORWARDING // ### ### ###
gateway_enable="YES"
firewall_enable="YES"
#firewall_type="open"
firewall_type="/etc/firewall.rules"
firewall_script="/etc/rc.firewall.local"
#natd_enable="YES"
#natd_interface="epair3b"
#natd_flags=""
#natd_flags="-f /etc/natd.conf"
### ### ### // FORWARDING ### ### ###
# EOF
$

Step 14: Jail(3) – "local3" /etc/rc.firewall.local

$
vi /etc/rc.firewall.local

#!/bin/sh
### ### ### FORWARDING // ### ### ###
/sbin/ipfw -q flush
/sbin/ipfw -q pipe flush
/sbin/ipfw -q queue flush
/sbin/ipfw -q /etc/firewall.rules
### ### ### // FORWARDING ### ### ###
# EOF

chmod 755 /etc/rc.firewall.local
$

Step 15: Jail(3) – "local3" /etc/firewall.rules

$
vi /etc/firewall.rules

### ### ### FORWARDING NAT // ### ### ###
### Start // ###
add 00100 check-state
### // Start ###
### nat // ###
# nat 1 config if epair3b reset log same_ports redirect_port tcp 192.168.1.10:10000-10001 10000-10001 redirect_port udp 192.168.1.10:10000-10001 10000-10001
# add 60000 nat 1 ip4 from any to any via epair3b
nat 1 config if epair3b reset
add 60001 nat 1 all from 192.168.1.0/24 to any out via epair3b
add 60002 nat 1 all from any to me in via epair3b
### // nat ###
### default // ###
add 60100 allow ip from any to any via lo0
add 60200 deny ip from any to 127.0.0.0/8
add 60300 deny ip from 127.0.0.0/8 to any
add 60400 deny ip from any to ::1
add 60500 deny ip from ::1 to any
add 60600 allow ipv6-icmp from :: to ff02::/16
add 60700 allow ipv6-icmp from fe80::/10 to fe80::/10
add 60800 allow ipv6-icmp from fe80::/10 to ff02::/16
add 60900 allow ipv6-icmp from any to any ip6 icmp6types 1
add 61000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
add 65000 allow ip from any to any
### // default ###
### ### ### // FORWARDING NAT ### ### ###
# EOF
$

Step 16: Jail(3) – "local3" restart / reload the ipfw rules

$
ezjail-admin onestop local3
ezjail-admin onestart local3
ezjail-admin console local3
/etc/rc.firewall.local
ipfw list
exit
$

Step 17: vswitch1 / epair51b – assign an IP from the NAT network

$
ifconfig epair51b inet 192.168.1.100 netmask 255.255.255.0
$

Step 18: Jail(4) – "local4" NAT client

$
vi /usr/local/etc/ezjail/local4

### ### ### EZJAIL // ### ### ###
export jail_local4_hostname="local4"
#export jail_local4_ip="0.0.0.0"
export jail_local4_rootdir="/usr/jails/local4"
export jail_local4_exec_start="/bin/sh /etc/rc"
export jail_local4_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_local4_mount_enable="YES"
export jail_local4_devfs_enable="YES"
export jail_local4_devfs_ruleset="22"
export jail_local4_procfs_enable="YES"
export jail_local4_fdescfs_enable="YES"
export jail_local4_image=""
export jail_local4_imagetype="zfs"
export jail_local4_attachparams=""
export jail_local4_attachblocking=""
export jail_local4_forceblocking=""
export jail_local4_zfs_datasets=""
export jail_local4_cpuset=""
export jail_local4_fib=""
export jail_local4_parentzfs="zroot/ezjail"
export jail_local4_parameters="allow.raw_sockets=1 allow.sysvipc=1"
export jail_local4_post_start_script=""
### VIMAGE // ###
export jail_local4_exec_poststart0="ifconfig epair52b vnet local4"
export jail_local4_exec_poststart1="ifconfig tun4 vnet local4"
export jail_local4_exec_poststart2="jexec local4 /sbin/ifconfig epair52b 192.168.1.50/24"
export jail_local4_exec_poststart3="jexec local4 /sbin/route add default 192.168.1.222"
### // VIMAGE ###
### ### ### // EZJAIL ### ### ###
# EOF
$

a ping from inside local4 should now work via vswitch1 -> vswitch0 -> local3 -> external gateway

Addenda:
23.06.2014 – the LACP failover applies only to the HOST; the bridge devices cannot benefit from it

That’s FreeBSD