Two firejail instances through two separate network interfaces - is it possible?

[transpetaflops]

I have two network interfaces on my host connected to two separate ISPs. The second one is a backup and normally not configured or used. Using firejail on the first interface, which is the default for the host, works perfectly as expected but I struggle to get a second firejail instance to run using the second interface.
In VirtualBox I can leave the second interface unconfigured, bridge it to a virtual interface in the guest and then use dhcp from the guest and it will happily use the second interface. Is a similar configuration possible with firejail?

[kris7t]

You can try the --net option to specify the network interface in conjunction with the --ip dhcp and possibly --ip6 dhcp options to configure the network inside the firejail sandbox. However, if you do this directly, I think your network interface will be (termporarily) moved into the sandbox. So if you want to continue using the network interface (e.g., for other sandboxes or virtual machines) you should instead pass a bridge interface to --net (while keeping --ip dhcp and --ip6 dhcp), which will add a new interface to the bridge for the sandbox.

Using --ip dhcp or --ip6 dhcp requires dhclient (the ISC DHCP client) to be installed. Alternatively, you can use simply omit the '--ipargument to automatically configure an unused IP address with ARP scanning, but that will likely conflict with the policy in use on the network. You may also specify a static IP address after--ip`.

If you want IPv6 support in the sandbox, you'll need to use --ip6 dhcp and your network should have stateful DHCPv6. Alternatively, you can specify a static IPv6 address after --ip6, but I can't recommend such configurations due to the nature of IPv6.

As for my setup, I run a DHCP server (dhcpd), DNS server (unbound), IPv6 router advertisemend daemon (radvd) locally on my bridge interfaces, and set up routing to my network interfaces with iptables. This is equivalent to what e.g., libvirt does if you use a NATed network, and offers more flexibility than bridging to your network interface directly. However, if you want to have IPv6 connectivity in multiple sandboxes/virtual machines, and you have a single (public) IPv6 address assigned to your network interface (this is probably not compliant with the IPv6 specification, but sadly common with ISPs), then you'll have to use NAT66, which is strongly frowned upon.