I made a little diagram of the situation that I posted on Twitter. If you are 
aggressive enough with the web interface you can see a full size version where 
the labels are clear enough to read.


I had fun doing it. Hope it provides a little bit of joy to you helpful guys 
too! :)

> On Dec 29, 2016, at 1:09 PM, Matt Churchyard <church...@gmail.com> wrote:
> As mentioned a bridge is the virtual equivalent of a switch. It only really 
> makes sense to have more than one bridge if you have more than one interface 
> on your guest(s), and want to connect those interfaces to separate networks. 
> (Or you want some guests on a different network, possibly bridged to a 
> different physical interface).

That is why I made the above diagram. There are multiple networks and multiple 
interfaces, etc.

> If you want to provide complete network separation between guests, it's much 
> easier to just use the 'private' option to ifconfig when bridging the guest's 
> tap interface. Any bridge member set to private can not talk to any other 
> private bridge member. Of course this is only really applicable in 
> multi-tenant situations like Aryeh says. If they are all your own guests, the 
> fact that they can see each other on the network should hopefully be a 
> non-issue.

Got it. I think that the planned architecture illustrated in the diagram 
provides the adequate level of isolation.

Here is an explanation of the guest virtual machines and their intended uses:

CINQ: this is the bare-metal OS; it provides a Samba service on a ZFS pool to 
both the 1G and the 10G networks. It also contains all the other virtual 

PFSENSE: I guess this is the most sensitive network-wise. It has to provide a 
DHCP service for both the 1G and the 10G networks (with separate subnets). It 
provides NAT routing, bandwidth shaping, etc. to the ADSL MODEM for internet 
access on the 1G network only (not the 10G). Also only for the 1G network, 
there should be an HTTP/HTTPS proxy (probably squid, depending on what pfsense 
supports) that transparently further proxies *.onion and *.i2p routing to 
relevant HTTP/HTTPS/SOCKS proxy services on the ALTNET machine.

ALTNET: “dark web proxy” accessible explicitly or via PFSENSE traffic, uses the 
internet connection provided by PFSENSE. Requires access to the 1G network (for 
explicit access), and to the PFSENSE for the Squid transparent proxying and 
internet for software updates.

UNIFI: network device management for the 1000BASE-T SWITCH and the UNIFI 802.11 
AP (access point). Requires access to the 1G network (where the devices are) 
and the internet for software updates.

CULTURED: modified forked-daapd service for the 1G network. Requires internet 
access via PFSENSE for software updates.

So I guess, my only question is: will that work?

Thank you all in advance. Maybe I’m getting too excited but with bhyve, FreeBSD 
makes a lot of sense for the always-on home appliance that I always dreamed of…

Take care,

freebsd-virtualization@freebsd.org mailing list
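As an added example (not from this thread or from any of its posters), a small shell audit of the bridge(4) `private` member setting discussed above: it parses a constructed `ifconfig bridge0` listing (the member names tap0, tap1 and igb0 are assumed) to report which guest tap members are not marked PRIVATE and can therefore still exchange frames with each other, and prints the `ifconfig` commands that would isolate them.

```shell
#!/bin/sh
# Constructed sample of `ifconfig bridge0` output in FreeBSD bridge(4) style.
# Member names (tap0, tap1 guests; igb0 physical uplink) are assumed.
SAMPLE_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:0a:0b:0c:0d:0e
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000000
        member: tap0 flags=147<LEARNING,DISCOVER,PRIVATE,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# Print every bridge member whose flag list lacks PRIVATE. Such members can
# forward frames to every other non-private member on the same bridge.
non_private_members() {
    printf '%s\n' "$1" | awk '
        $1 == "member:" {
            if ($3 !~ /PRIVATE/) print $2
        }'
}

# Keep only the guest tap interfaces from that list. The physical uplink is
# expected to stay non-private, otherwise private guests lose their path out.
unisolated_taps() {
    non_private_members "$1" | grep '^tap' || true
}

# Emit the ifconfig commands that would mark each given tap private on the
# bridge (the same "private" option mentioned in the thread).
isolate_cmds() {
    bridge="$1"; shift
    for t in "$@"; do
        printf 'ifconfig %s private %s\n' "$bridge" "$t"
    done
}

# Stand-alone run: report the taps that still see each other and how to fix it.
for t in $(unisolated_taps "$SAMPLE_BRIDGE"); do
    echo "guest member $t is not private"
    isolate_cmds bridge0 "$t"
done
```

On a live host, replace the constructed sample with `$(ifconfig bridge0)` to audit the real bridge.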