no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.

@@ Line 1: / Line 1: @@
+====== Multi-tenant router or firewall ======
+{{description>Multi-tenant router and firewall example}}
+This lab shows how to create multi-tenant router or firewall using jail/vnet (available since BSDRP 1.80).
+===== Presentation =====
+==== Network diagram ====
+Lab build following [[documentation:examples:How to build a BSDRP router lab]]: 5 routers with full-meshed link and one shared LAN.
+Here is the logical and physical view:
+{{:documentation:examples:multi-tenant-router-firewall.png}}
+==== Setting-up a virtual lab ====
+=== Downloading BSD Router Project images ===
+Download BSDRP serial image (prevent to have to use an X display) on Sourceforge.
+=== Download Lab scripts ====
+More information on these BSDRP lab scripts available on [[documentation:examples:How to build a BSDRP router lab]].
+Start the lab with full-meshed 5 routers and one shared LAN, on this example using bhyve lab script on FreeBSD:
+<code>
+[root@FreeBSD]~# tools/BSDRP-lab-bhyve.sh -i BSDRP-1.71-full-amd64-serial.img.xz -n 5 -l 1
+BSD Router Project (http://bsdrp.net) - bhyve full-meshed lab script
+Setting-up a virtual lab with 5 VM(s):
+- Working directory: /tmp/BSDRP
+- Each VM have 1 core(s) and 256M RAM
+- Switch mode: bridge + tap
+- 1 LAN(s) between all VM
+- Full mesh Ethernet links between each VM
+VM 1 have the following NIC:
+- vtnet0 connected to VM 2
+- vtnet1 connected to VM 3
+- vtnet2 connected to VM 4
+- vtnet3 connected to VM 5
+- vtnet4 connected to LAN number 1
+VM 2 have the following NIC:
+- vtnet0 connected to VM 1
+- vtnet1 connected to VM 3
+- vtnet2 connected to VM 4
+- vtnet3 connected to VM 5
+- vtnet4 connected to LAN number 1
+VM 3 have the following NIC:
+- vtnet0 connected to VM 1
+- vtnet1 connected to VM 2
+- vtnet2 connected to VM 4
+- vtnet3 connected to VM 5
+- vtnet4 connected to LAN number 1
+VM 4 have the following NIC:
+- vtnet0 connected to VM 1
+- vtnet1 connected to VM 2
+- vtnet2 connected to VM 3
+- vtnet3 connected to VM 5
+- vtnet4 connected to LAN number 1
+VM 5 have the following NIC:
+- vtnet0 connected to VM 1
+- vtnet1 connected to VM 2
+- vtnet2 connected to VM 3
+- vtnet3 connected to VM 4
+- vtnet4 connected to LAN number 1
+For connecting to VM'serial console, you can use:
+- VM 1 : cu -l /dev/nmdm1B
+- VM 2 : cu -l /dev/nmdm2B
+- VM 3 : cu -l /dev/nmdm3B
+- VM 4 : cu -l /dev/nmdm4B
+- VM 5 : cu -l /dev/nmdm5B
+</code>
+===== Configuration =====
+  * Router 4 (R4) hosts the 3 routers/firewalls for each 3 customers.
+  * Router 1 (R1) belongs to customer 1, router 2 (R2) to customer 2 and router 3 (R3) to customer 3.
+  * Router 5 (R5) simulates a simple Internet host.
+==== Router 5: Simple Internet host ====
+R5 simulate a simple Internet host:
+<code>
+sysrc hostname=R5
+hostname R5
+sysrc ifconfig_vtnet3="inet 10.254.254.5/24"
+sysrc -x gateway_enable
+sysrc -x ipv6_gateway_enable
+service netif restart
+service routing restart
+config save
+</code>
+==== Router 1: Customer 1 workstation====
+R1 simulate customer 1's workstation, generate customer 1' SSH keys:
+<code>
+sysrc hostname=R1
+hostname R1
+sysrc ifconfig_vtnet4="up"
+sysrc vlans_vtnet4="1"
+sysrc ifconfig_vtnet4_1="inet 10.0.0.1/24"
+sysrc defaultrouter="10.0.0.254"
+sysrc -x gateway_enable
+sysrc -x ipv6_gateway_enable
+service netif restart
+service routing restart
+ssh-keygen -f /root/.ssh/id_rsa -N ''
+config save
+</code>
+Then display the public SSH key (need to declare it into the customer 1's firewall):
+<code>
+cat .ssh/id_rsa.pub
+ssh-rsa (...) root@R1
+</code>
+==== Router 2: Customer 2 workstation====
+R2 simulate customer 2's workstation, and host customer 2 SSH keys too.
+<code>
+sysrc hostname=R2
+hostname R2
+sysrc ifconfig_vtnet4="up"
+sysrc vlans_vtnet4="2"
+sysrc ifconfig_vtnet4_2="inet 10.0.0.1/24"
+sysrc defaultrouter="10.0.0.254"
+sysrc -x gateway_enable
+sysrc -x ipv6_gateway_enable
+service netif restart
+service routing restart
+ssh-keygen -f /root/.ssh/id_rsa -N ''
+config save
+</code>
+Then display the public SSH key (need to declare it into the customer 2's firewall):
+<code>
+cat .ssh/id_rsa.pub
+ssh-rsa (...) root@R2
+</code>
+==== Router 3: Customer 3 workstation====
+R3 simulate customer 3's workstation, and host customer 3 SSH keys too.
+<code>
+sysrc hostname=R3
+hostname R3
+sysrc ifconfig_vtnet4="up"
+sysrc vlans_vtnet4="3"
+sysrc ifconfig_vtnet4_3="inet 10.0.0.1/24"
+sysrc defaultrouter="10.0.0.254"
+sysrc -x gateway_enable
+sysrc -x ipv6_gateway_enable
+service netif restart
+service routing restart
+ssh-keygen -f /root/.ssh/id_rsa -N ''
+config save
+</code>
+Then display the public SSH key (need to declare it into the customer 3's firewall):
+<code>
+cat .ssh/id_rsa.pub
+ssh-rsa (...) root@R3
+</code>
+==== Router 4: multi-tenant ipfw firewall ====
+Router 4 is a multi-tenant ipfw firewall: It hosts 3 firewalls for each customer.
+Then we will configure:
+  * Bridge and VLAN interfaces
+  * Enable ipfw (firewall modules needs to be loaded on the host for being available into jails)
+<code>
+sysrc hostname=R4
+sysrc cloned_interfaces="bridge0"
+sysrc ifconfig_bridge0="inet 10.254.254.4/24 addm vtnet3"
+sysrc ifconfig_vtnet3="up"
+sysrc ifconfig_vtnet4="up"
+sysrc vlans_vtnet4="1 2 3"
+sysrc ifconfig_vtnet4_1="up"
+sysrc ifconfig_vtnet4_2="up"
+sysrc ifconfig_vtnet4_3="up"
+sysrc firewall_enable="YES"
+sysrc firewall_nat_enable="YES"
+sysrc firewall_type="open"
+service netif restart
+hostname R4
+service ipfw start
+config save
+</code>
+Then install the customers SSH public keys:
+<code>
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA... root@R1" > /tmp/cust1.ssh.pub
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA... root@R2" > /tmp/cust2.ssh.pub
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA... root@R3" > /tmp/cust3.ssh.pub
+</code>
+Create 3 jailed firewalls, one for each customers:
+<code>
+tenant -c -j customer1 -f /tmp/cust1.ssh.pub -i bridge0/10.254.254.1/24,vtnet4.1/10.0.0.254/24 -g 10.254.254.5
+tenant -c -j customer2 -f /tmp/cust2.ssh.pub -i bridge0/10.254.254.2/24,vtnet4.2/10.0.0.254/24 -g 10.254.254.5
+tenant -c -j customer3 -f /tmp/cust3.ssh.pub -i bridge0/10.254.254.3/24,vtnet4.3/10.0.0.254/24 -g 10.254.254.5
+</code>
+Last step, because they are virtual firewalls and not simple routers, we will enable firewall in open mode into their internal rc.conf for allowing customers to SSH into them:
+<code>
+sysrc -f /etc/jails/customer1/rc.conf firewall_enable="YES"
+sysrc -f /etc/jails/customer1/rc.conf firewall_nat_enable="YES"
+sysrc -f /etc/jails/customer1/rc.conf firewall_type="open"
+sysrc -f /etc/jails/customer2/rc.conf firewall_enable="YES"
+sysrc -f /etc/jails/customer2/rc.conf firewall_nat_enable="YES"
+sysrc -f /etc/jails/customer2/rc.conf firewall_type="open"
+sysrc -f /etc/jails/customer3/rc.conf firewall_enable="YES"
+sysrc -f /etc/jails/customer3/rc.conf firewall_nat_enable="YES"
+sysrc -f /etc/jails/customer3/rc.conf firewall_type="open"
+</code>
+Configuration will be now automatically saved when changed detected into /etc, then you do not need to use "config save" on the host once a jail is created.
+Then to start the jails:
+<code>
+service jail start
+</code>
+===== Customers firewalls configuration =====
+Each customer should be able to ssh into their new firewalls using their SSH keys.
+==== Customer 1 ====
+From customer 1's workstation R1:
+<code>
+[root@R1]~# ssh 10.0.0.254
+The authenticity of host '10.0.0.254 (10.0.0.254)' can't be established.
+ECDSA key fingerprint is SHA256:extHiTI3L94Ks1TPnMI66zq+4t+frkAnvRVSkYk3qak.
+No matching host key fingerprint found in DNS.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added '10.0.0.254' (ECDSA) to the list of known hosts.
+BSD Router project (BSDRP) (c) 2009-2017, The BSDRP Development Team
+All rights reserved.
+BSDRP is under the Simplified BSD license.
+Documentation: http://bsdrp.net
+Discover BSDRP tools with "help" command
+Keyboard layout can be changed with this command:
+kbdcontrol -l keymap_file (<TAB> for list available maps)
+root has logged on pts/0 from 10.0.0.1.
+[root@customer1]~#
+</code>
+Now connected to his firewall, this customer can configure its own firewall rules:
+<code>
+sysrc -x firewall_type
+sysrc firewall_script="/etc/ipfw.rules"
+cat > /etc/ipfw.rules <<'EOF'
+#!/bin/sh
+fwcmd="/sbin/ipfw -q"
+ext_if="epair1b"
+int_if="vtnet4.1"
+${fwcmd} -f flush
+${fwcmd} nat 1 config if ${ext_if} same_ports deny_in unreg_only reset
+${fwcmd} add pass ip from any to any via lo0
+${fwcmd} add pass ip from any to any via ${int_if}
+${fwcmd} add nat 1 ip from any to any via ${ext_if}
+'EOF'
+service ipfw restart
+config save
+</code>
+Check firewall rules:
+<code>
+[root@customer1]~# ipfw show
+  0    0 allow ip from any to any via lo0
+91 7756 allow ip from any to any via vtnet4.1
+  0    0 nat 1 ip from any to any via epair1b
+  0    0 deny ip from any to any
+</code>
+Now, from R1, try to reach public Internet server R5:
+<code>
+[root@R1]~# ping -c 3 10.254.254.5
+PING 10.254.254.5 (10.254.254.5): 56 data bytes
+bytes from 10.254.254.5: icmp_seq=0 ttl=63 time=0.211 ms
+bytes from 10.254.254.5: icmp_seq=1 ttl=63 time=0.186 ms
+bytes from 10.254.254.5: icmp_seq=2 ttl=63 time=0.181 ms
+--- 10.254.254.5 ping statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 0.181/0.193/0.211/0.013 ms
+</code>
+==== Customer 2 ====
+From customer 2's workstation R1:
+<code>
+[root@R2]~# ssh 10.0.0.254
+The authenticity of host '10.0.0.254 (10.0.0.254)' can't be established.
+ECDSA key fingerprint is SHA256:zC+ryVAd9v1lTvSb+THFj5i8aYfFi2I6VvayF1TIhVo.
+No matching host key fingerprint found in DNS.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added '10.0.0.254' (ECDSA) to the list of known hosts.
+BSD Router project (BSDRP) (c) 2009-2017, The BSDRP Development Team
+All rights reserved.
+BSDRP is under the Simplified BSD license.
+Documentation: http://bsdrp.net
+Discover BSDRP tools with "help" command
+Keyboard layout can be changed with this command:
+kbdcontrol -l keymap_file (<TAB> for list available maps)
+root has logged on pts/0 from 10.0.0.1.
+[root@customer2]~#
+</code>
+Now connected to his firewall, this customer can configure its own firewall rules:
+<code>
+sysrc -x firewall_type
+sysrc firewall_script="/etc/ipfw.rules"
+cat > /etc/ipfw.rules <<'EOF'
+#!/bin/sh
+fwcmd="/sbin/ipfw -q"
+ext_if="epair2b"
+int_if="vtnet4.2"
+${fwcmd} -f flush
+${fwcmd} nat 1 config if ${ext_if} same_ports deny_in unreg_only reset
+${fwcmd} add pass ip from any to any via lo0
+${fwcmd} add pass ip from any to any via ${int_if}
+${fwcmd} add nat 1 ip from any to any via ${ext_if}
+'EOF'
+service ipfw restart
+config save
+</code>
+Check firewall rules:
+<code>
+[root@customer2]~# ipfw show
+  0    0 allow ip from any to any via lo0
+91 7756 allow ip from any to any via vtnet4.2
+  0    0 nat 1 ip from any to any via epair2b
+  0    0 deny ip from any to any
+</code>
+Now, from R2, try to public Internet server R5:
+<code>
+[root@R2]~# ping -c 3 10.254.254.5
+PING 10.254.254.5 (10.254.254.5): 56 data bytes
+bytes from 10.254.254.5: icmp_seq=0 ttl=63 time=0.211 ms
+bytes from 10.254.254.5: icmp_seq=1 ttl=63 time=0.186 ms
+bytes from 10.254.254.5: icmp_seq=2 ttl=63 time=0.181 ms
+--- 10.254.254.5 ping statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 0.181/0.193/0.211/0.013 ms
+</code>
+==== Customer 3 ====
+From customer 3's workstation R1:
+<code>
+[root@R3]~# ssh 10.0.0.254
+The authenticity of host '10.0.0.254 (10.0.0.254)' can't be established.
+ECDSA key fingerprint is SHA256:iCkc1w5zzeQL+X3qyEwovuEAGNvD+rfftsitMAlK+Xk.
+No matching host key fingerprint found in DNS.
+Are you sure you want to continue connecting (yes/no)? yes
+Warning: Permanently added '10.0.0.254' (ECDSA) to the list of known hosts.
+BSD Router project (BSDRP) (c) 2009-2017, The BSDRP Development Team
+All rights reserved.
+BSDRP is under the Simplified BSD license.
+Documentation: http://bsdrp.net
+Discover BSDRP tools with "help" command
+Keyboard layout can be changed with this command:
+kbdcontrol -l keymap_file (<TAB> for list available maps)
+root has logged on pts/0 from 10.0.0.1.
+[root@customer3]~#
+</code>
+Now connected to his firewall, this customer can configure its own firewall rules:
+<code>
+sysrc -x firewall_type
+sysrc firewall_script="/etc/ipfw.rules"
+cat > /etc/ipfw.rules <<'EOF'
+#!/bin/sh
+fwcmd="/sbin/ipfw -q"
+ext_if="epair3b"
+int_if="vtnet4.3"
+${fwcmd} -f flush
+${fwcmd} nat 1 config if ${ext_if} same_ports deny_in unreg_only reset
+${fwcmd} add pass ip from any to any via lo0
+${fwcmd} add pass ip from any to any via ${int_if}
+${fwcmd} add nat 1 ip from any to any via ${ext_if}
+'EOF'
+service ipfw restart
+config save
+</code>
+Check firewall rules:
+<code>
+[root@customer3]~# ipfw show
+  0    0 allow ip from any to any via lo0
+91 7756 allow ip from any to any via vtnet4.3
+  0    0 nat 1 ip from any to any via epair3b
+  0    0 deny ip from any to any
+</code>
+Now, from R3, try to public Internet server R5:
+<code>
+[root@R3]~# ping -c 3 10.254.254.5
+PING 10.254.254.5 (10.254.254.5): 56 data bytes
+bytes from 10.254.254.5: icmp_seq=0 ttl=63 time=0.211 ms
+bytes from 10.254.254.5: icmp_seq=1 ttl=63 time=0.186 ms
+bytes from 10.254.254.5: icmp_seq=2 ttl=63 time=0.181 ms
+--- 10.254.254.5 ping statistics ---
+packets transmitted, 3 packets received, 0.0% packet loss
+round-trip min/avg/max/stddev = 0.181/0.193/0.211/0.013 ms
+</code>
+===== Using pf firewall in place of ipfw =====
+pf need a little more configuration because by default /dev/pf is hidden from jail.
+Then, on the host we need to:
+  - In place of loading the ipfw/ipfw-nat modules we need to load the pf module (but still disabling pf on our host for this example)
+  - Modify default devd rules for allowing jails to see /dev/pf (if you want to use tcpdump inside your jail, you should use bpf device too)
+  - Replacing nojail tag by nojailvnet tag into /etc/rc.d/pf ([[https://github.com/ocochard/BSDRP/blob/master/BSDRP/patches/freebsd.rc.jailvnet.patch|already done into BSDRP]] and into [[https://svnweb.freebsd.org/base?view=revision&revision=320802|FreeBSD -head]])
+Preparing configuration:
+<code>
+cat > /etc/devfs.rules <<'EOF'
+[devfsrules_jailpf=4]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path 'pf' unhide
+'EOF'
+pf_enable="YES"
+pf_flags="-d"
+echo "set skip on {lo1 vtnet4}" > /etc/pf.conf
+</code>
+Now reloading devd and loading pf module:
+<code>
+service pf start
+service devfs restart
+</code>
+You can now declare pf in place of ipfw into your jails rc.conf:
+<code>
+sysrc -f /etc/jails/customer1/rc.conf pf_enable="YES"
+echo "pass all" > /etc/jails/customer1/pf.conf
+sysrc -f /etc/jails/customer2/rc.conf pf_enable="YES"
+echo "pass all" > /etc/jails/customer2/pf.conf
+sysrc -f /etc/jails/customer3/rc.conf pf_enable="YES"
+echo "pass all" > /etc/jails/customer3/pf.conf
+</code>
+Now you can start customers jails, and let customers SSH into their firewalls and configure their own rules:
+<code>
+[root@customer2]~# pfctl -s rules
+pass all flags S/SA keep state
+</code>
+===== Under the hood: jails-on-nanobsd =====
+[[https://github.com/ocochard/BSDRP/blob/master/BSDRP/Files/usr/local/sbin/tenant|BSDRP's tenant shell script]] creates jail configuration compliant with a host running nanobsd.
+Then these jails need to be configured for a nanobsd:
+  - Being nullfs based for being hosted on a read-only root filesystem
+  - Have  their /etc and /var into tmpfs disks (then we need to populate these directory before each start)
+  - Configuration changes need to be saved with nanobsd configuration tools, like "config save" on BSDRP
+And on the host:
+  - [[https://github.com/ocochard/BSDRP/blob/master/BSDRP/Files/usr/local/sbin/autosave|autosave daemon]] need to be enabled: Each time a customer will issue a "config save" inside a jail, his configuration diffs will be save into host's /etc/jails/. And this directory is a RAM disk too, then we need to automatically save hosts configuration on changes.
+Here are examples of configuration files generated:
+host jail.conf:
+<code>
+customer1 {
+    jid = 1;
+    path          = "/var/jails/customer1";
+    # Because we are using jail on nanobsd, the jail directories are volatil (mounted into /var/jails)
+    # They didn't exist after a reboot, then we need to create jail directories with exec.prestart
+    # But mount.* instructions are called before exec.prestart, then we need to call mount manually
+    # into the exec.prestart
+    #mount.devfs;
+    #mount.fstab   = "/etc/fstab.customer1";
+    #devfs_ruleset = 4;
+    host.hostname = "customer1";
+    vnet new;
+    allow.chflags = 1;
+    exec.start    = "/bin/sh /etc/rc";
+    exec.stop     = "/bin/sh /etc/rc.shutdown";
+    exec.clean;
+    exec.consolelog = "/var/log/jail.customer1";
+    exec.poststop  = "logger poststop jail customer1";
+    # Commands to run on host before jail is created
+    exec.prestart  = "logger pre-starting jail customer1";
+    exec.prestart  += "mkdir -p /var/jails/customer1/dev";
+    exec.prestart  += "mkdir -p /var/jails/customer1/etc";
+    exec.prestart  += "mkdir -p /var/jails/customer1/var";
+    exec.prestart  += "mkdir -p /var/jails/customer1/cfg";
+    exec.prestart  += "mkdir -p /var/jails/customer1/root";
+    exec.prestart  += "mkdir -p /var/jails/customer1/bin";
+    exec.prestart  += "mkdir -p /var/jails/customer1/sbin";
+    exec.prestart  += "mkdir -p /var/jails/customer1/lib";
+    exec.prestart  += "mkdir -p /var/jails/customer1/libexec";
+    exec.prestart  += "mkdir -p /var/jails/customer1/usr";
+    exec.prestart  += "mkdir -p /var/jails/customer1/conf/base";
+    exec.prestart  += "test -L /var/jails/customer1/tmp || ln -s /var/tmp /var/jails/customer1/tmp";
+    exec.prestart  += "mount -F /etc/fstab.customer1 -a";
+    exec.prestart  += "mount -t devfs -o rw,ruleset=4 devfs /var/jails/customer1/dev";
+    # Copy reference and backuped files to /etc
+    exec.prestart  += "cp -a /conf/base/ /var/jails/customer1";
+    exec.prestart  += "cp -a /etc/jails/customer1/ /var/jails/customer1/etc/";
+    # Prevent diskless
+    exec.prestart  += "test -f /var/jails/customer1/etc/diskless && rm /var/jails/customer1/etc/diskless
+|| true";
+    vnet.interface  += "epair1b";
+    exec.prestart  += "ifconfig epair1 create up";
+    exec.prestart  += "ifconfig epair1a up";
+    exec.prestart  += "ifconfig bridge0 addm epair1a up";
+    # fix bug that assing same MAC to all epairXb interface
+    # TO DO: convert this id into hexa
+    exec.prestart  += "ifconfig epair1b ether 02:ff:00:00:ff:1";
+    exec.poststop  += "ifconfig bridge0 deletem epair1a";
+    exec.poststop  += "ifconfig epair1a destroy";
+    vnet.interface  += "vtnet4.1";
+    exec.poststop  += "ifconfig vtnet4.1 -vnet 1";
+    exec.prestart  += "logger jail customer1 pre-started";
+    exec.poststop  += "umount /var/jails/customer1/dev";
+    exec.poststop  += "umount -a -F /etc/fstab.customer1";
+    exec.poststop  += "logger jail customer1 post-stopped";
+}
+</code>
+/etc/fstab.customer1:
+<code>
+tmpfs /var/jails/customer1/etc tmpfs rw,size=16000000 0 0
+tmpfs /var/jails/customer1/var tmpfs rw,size=16000000 0 0
+/root /var/jails/customer1/root nullfs ro 0 0
+/bin /var/jails/customer1/bin nullfs ro 0 0
+/sbin /var/jails/customer1/sbin nullfs ro 0 0
+/lib /var/jails/customer1/lib nullfs ro 0 0
+/libexec /var/jails/customer1/libexec nullfs ro 0 0
+/usr /var/jails/customer1/usr nullfs ro 0 0
+/conf/base /var/jails/customer1/conf/base nullfs ro 0 0
+/etc/jails/customer1 /var/jails/customer1/cfg nullfs rw,noatime 0 0
+</code>