We're doing a similar thing, with many zones, each on its own vnic. After a lot of late-night experimentation, we've got a first model working. All zones are in a subnet different to our 'normal' internal machines...
Our first experiment has been to add additional granularity of control by using Crossbow - excellent! - and features of IPFilter to direct only specific ports to specific zones. We found we had to kill the nwam service, using network/physical only. We're then using NAT redirection to get traffic on specific ports into our 'ZoneWorld', where subnet '50' is the subnet in which the ZoneMachine lives, and all zones are in subnet '0'. All are exclusive-ip zones.

In our config below, rge0 is the physical interface; address ...50.100 is the externally-facing address, the only 'way out' for all the zones. Following is a snippet of a working /etc/ipf/ipnat.conf file, sending all web traffic to a discrete zone:

    # inbound web traffic arriving on rge0 at the external address is
    # redirected to the web zone at 192.168.0.200
    rdr rge0 192.168.50.100/32 port 80 -> 192.168.0.200 port 80
    rdr rge0 192.168.50.100/32 port 443 -> 192.168.0.200 port 443

A lot of good notes on these forums, and elsewhere - thanks, all! - but with varying levels of 'version accuracy'. Your mileage may vary. We found the Crossbow Community Group Testing Server recipe most helpful:

    # http://hub.opensolaris.org/bin/view/Community+Group+testing/crossbow

(Differing from this recipe, though, we have not needed to populate /etc/defaultrouter in each zone.)

Have fun!

Lou
--
This message posted from opensolaris.org
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
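The per-port redirection described in Lou's post, as an added example that is not part of the original message: a small POSIX shell script that generates a complete /etc/ipf/ipnat.conf from a port-to-zone table, adding the outbound 'map' rule the post implies but does not show (the zones' only way out is the external address), and a helper with the OpenSolaris steps to load it. The interface name rge0, the external address 192.168.50.100, the zone subnet 192.168.0.0/24 and the sample port table are assumptions taken from or modelled on the post, not tested values.

```shell
#!/bin/sh
# Added example, not Lou's configuration: generate ipnat.conf rules that
# forward selected inbound ports from the external address to individual
# exclusive-IP zones, plus outbound NAT so the zones can reach the outside.

EXT_IF=rge0                 # assumed physical interface (from the post)
EXT_ADDR=192.168.50.100     # assumed externally-facing address (from the post)
ZONE_NET=192.168.0.0/24     # assumed subnet '0' where the zones live

# Constructed sample table: "port zone_address", one mapping per line.
# 80/443 follow the post; 25 -> .201 is an assumed second zone.
PORTMAP='80 192.168.0.200
443 192.168.0.200
25 192.168.0.201'

# gen_rdr_rules: one 'rdr' rule per table line. The trailing 'tcp' keeps
# the redirect to TCP only, so a UDP probe on the same port is not forwarded.
gen_rdr_rules() {
  printf '%s\n' "$PORTMAP" | while read -r port addr; do
    [ -n "$port" ] || continue
    printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
      "$EXT_IF" "$EXT_ADDR" "$port" "$addr" "$port"
  done
}

# gen_map_rules: source-NAT the whole zone subnet behind the external
# address; the first rule handles TCP/UDP with port remapping, the second
# covers other protocols (ICMP etc.).
gen_map_rules() {
  printf 'map %s %s -> %s/32 portmap tcp/udp auto\n' "$EXT_IF" "$ZONE_NET" "$EXT_ADDR"
  printf 'map %s %s -> %s/32\n' "$EXT_IF" "$ZONE_NET" "$EXT_ADDR"
}

# gen_ipnat_conf: the full file body, redirects first, then outbound NAT.
gen_ipnat_conf() {
  gen_rdr_rules
  gen_map_rules
}

# apply_ipnat: the OpenSolaris steps from the post (drop nwam, use the
# static network/physical instance) and load the rules. Run this only on
# the zone host, as root; it is not called when the script is sourced.
apply_ipnat() {
  gen_ipnat_conf > /etc/ipf/ipnat.conf
  svcadm disable svc:/network/physical:nwam
  svcadm enable  svc:/network/physical:default
  svcadm enable  svc:/network/ipfilter:default
  ipnat -CF -f /etc/ipf/ipnat.conf   # flush old NAT rules, load the new file
  ipnat -l                           # list active rules to confirm the load
}

# When run directly, print the generated rules for review.
gen_ipnat_conf
```

Keep in mind that rdr rules only translate; they do not block what is not redirected. Pair the generated file with ipf.conf rules that pass only the translated destinations (for inbound packets IPFilter applies rdr before the filter rules, so filter on the zone address, e.g. 192.168.0.200 port 80) and block everything else arriving on rge0.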