24.1 Production Series / Re: OPNsense in a jail on a FreeBSD host?
« Last post by nxg on April 26, 2024, 06:16:43 pm »
Yes, jails do typically share the kernel – that's what makes them lightweight. So running OPNsense as a complete OS would indeed require something like bhyve.
But OPNsense is to a substantial extent a layer on top of FreeBSD (someone will surely shout if I'm muddled about this), so given a suitable FreeBSD install, there will (?) be some set of installed userland software which would turn a FreeBSD install into an OPNsense install (this, as far as I understand it, is what opnsense-update does). And walling different userlands off from each other is to some extent what jails are for.
I'm guessing, though, that opnsense-update won't work in a jail, simply because the jail won't have the right degree of access to (inter alia) the pf firewall in the host.
(To be clear, I'm running FreeBSD anyway, and it looks like running a full OPNsense install virtualised under bhyve is the next thing to explore, but I'm just trying to confirm I should rule out opnsense-in-jail as a more lightweight alternative).