From: Jacques Foucry
To: freebsd-jail@freebsd.org
Date: Tue, 5 Jan 2021 12:04:40 +0100
Subject: Need help with VNET, Jail and IPv6

Hello all,

On my hosted machine I already have many "classical" jails. But I would like to switch to the modern schema with a bridge and VNET.

With IPv4 I have no problem. In fact it is almost like without the bridge/VNET:

    $ ifconfig em0bridge
    em0bridge: flags=8843 metric 0 mtu 1500
            ether 02:36:b3:c1:8a:00
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: em0 flags=143
                    ifmaxaddr 0 port 1 priority 128 path cost 20000
            groups: bridge
            nd6 options=9

And the jail.conf entry:

    myjail {
        host.hostname = "mywebite.fr";
        path = "/jails/mywebsite";
        allow.mount = true;
        allow.raw_sockets;
        vnet;
        # e0b_${name} is the jail side of the epair created by jib(8);
        # e0a_${name} is the host side, which jib adds to em0bridge
        vnet.interface = "e0b_${name}";
        exec.prestart += "jib addm ${name} em0";
        exec.poststop += "jib destroy ${name}";
        exec.start = "/sbin/ifconfig e0b_${name} 10.1.1.28/24";
        exec.start += "/sbin/route add default 10.1.1.254";
        exec.poststart += "/sbin/ifconfig e0a_${name} 10.1.1.254/24";
        exec.poststop += "/sbin/ifconfig e0b_${name} -vnet ${name}";
        # deletem needs the bridge name, and the bridge member is the a side
        exec.poststop += "/sbin/ifconfig em0bridge deletem e0a_${name}";
        exec.poststop += "sleep 2";
        exec.poststop += "/sbin/ifconfig e0b_${name} destroy";
        persist = true;
        mount.fstab = "/etc/fstab.${name}";
    }

With pf I could connect through ssh to my jail:

    jails_net = "{ 192.168.12.0/24 10.1.1.0/24 }"
    nat on $ext_if from $jails_net to any -> ($ext_if)

    myjail_v4 = "10.1.1.28"
    myjail_v6 = "2a01:4f9:4a:1fd8::28"
    myjail_ports = "2228"
    rdr on $ext_if inet  proto tcp from any to $ext_if port $myjail_ports -> $myjail_v4
    rdr on $ext_if inet6 proto tcp from any to $ext_if port $myjail_ports -> $myjail_v6
    pass in log quick on $ext_if proto tcp from any to $myjail_v4 port $myjail_ports
    pass in log quick on $ext_if proto tcp from any to $myjail_v6 port $myjail_ports

The old-fashioned way uses em0_alias entries for IPv6:

    em0: flags=8943 metric 0 mtu 1500
            options=81009b
            ether b4:2e:99:6a:80:9d
            inet6 2a01:4f9:4a:1fd8::2 prefixlen 64
            inet6 fe80::b62e:99ff:fe6a:809d%em0 prefixlen 64 scopeid 0x1
            inet6 2a01:4f9:4a:1fd8::5 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::16 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::14 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::15 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::21 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::25 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::29 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::17 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::11 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::12 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::18 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::22 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::19 prefixlen 64
            inet6 2a01:4f9:4a:1fd8::28 prefixlen 64
            inet 95.217.83.231 netmask 0xffffffc0 broadcast 95.217.83.255
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
            nd6 options=21

My goal is first to have one jail (myjail) working with IPv4 and IPv6, then slowly migrate the old jails to the new way.

So, I need help to configure myjail to have IPv6 working:

- Configuring an IPv6 address on e0b_myjail is easy, but which defaultrouter6 do I use?
- Does the bridge need an IPv6 address to be the defaultrouter6? I tried, with no luck.
- Do I need some configuration in pf?

Thanks for reading me (I'm sure I'm not really clear) and for your advice.

Btw, after I successfully configure myjail (and the other ones) I will write a how-to.

-- 
Jacques Foucry
From: Mina Galić
To: Jacques Foucry
Cc: freebsd-jail@freebsd.org
Date: Tue, 05 Jan 2021 21:39:27 +0000
Subject: Re: Need help with VNET, Jail and IPv6

> Hello all,

Hi Jacques,

> On my hosted machine I already have many "classical" jails.
>
> But I would like to switch to the modern schema with a bridge and VNET.
>
> With IPv4 I have no problem. In fact it is almost like without the bridge/VNET:

For:

    https://alpha.pkgbase.live/

instead of libioc I just used jail.conf. With:

    https://antranigv.am/weblog_en/posts/vnet-jail-howto/

as basis for the IPv4 setup.

> My goal is first to have one jail (myjail) working with IPv4 and IPv6, then
> slowly migrate the old jails to the new way.
>
> So, I need help to configure myjail to have IPv6 working:
>
> - Configuring an IPv6 address on e0b_myjail is easy, but which defaultrouter6 do I use?
> - Does the bridge need an IPv6 address to be the defaultrouter6? I tried, with no luck.
> - Do I need some configuration in pf?
>
> Thanks for reading me (I'm sure I'm not really clear) and for your advice.
>
> Btw, after I successfully configure myjail (and the other ones) I will write a how-to.

Okay, let's see if I can hit all beats:

Here's the paste of webserver.jail.conf, rc.conf (highlights) and pf.conf:

    https://gist.github.com/87ba10c1c5611ed32367d5d48ef5f402

I'll explain some of the important bits:

My ISP binds the IPv4 to the MAC, but not the IPv6, go figure.
That's why I leave the IPv4 address on the main interface, instead of fiddling with MAC addresses and moving it to the bridge.

On the bridge, we have the IPv6 and the IPv4 NAT; that's handy, as it also means we only need one interface for both IPv4 and IPv6.

    cloned_interfaces="bridge0"
    # jail NAT and Network access
    ifconfig_bridge0="inet 192.168.17.1/24"
    gateway_enable="YES"

Note that we explicitly enable link-local addresses, because, as per spec, they are needed to make IPv6 work:

    # working IPv6 setup needs link-local addresses (according to the spec)
    ipv6_activate_all_interfaces="YES"
    ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64 auto_linklocal"
    ipv6_defaultrouter="fe80::1%vtnet0"
    # enable IPv6 gateway
    ipv6_gateway_enable="YES"

And in the jail.conf it's really just about adding the IPv6 addresses to the interfaces, too!

    vnet.interface = "$jepair";

    exec.prestart = "ifconfig epair${id} create up";
    exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
    exec.prestart += "ifconfig $bridge addm epair${id}a up";

    exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start += "/sbin/ifconfig epair${id}b ${ipaddr}";
    exec.start += "/sbin/ifconfig epair${id}b inet6 ${ip6addr}";
    exec.start += "/sbin/route add default ${gw}";
    exec.start += "/sbin/route add -inet6 default ${gw6}";
    exec.start += "/bin/sh /etc/rc";

I also highly recommend adding IPv6 nameservers to your resolv.conf; that way, if you broke your IPv4 setup, you still have working IPv6!

Being NAT, IPv4 routing is obviously happening via the host.
Aaaaand, given that my ISP uses fe80::1 as the default gateway, the only way to make jails' IPv6 routing work was by routing it through the host.

As for pf, it's only used for NAT.
No firewalling, and I'm not doing anything to IPv6.

That's all from me, I hope it helps.

> --
>
> Jacques Foucry

best of luck,

Mina
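The host-side rc.conf knobs in the reply above are easy to get half right (forwarding on for IPv4 but not IPv6, a link-local default router without its zone, a bridge without auto_linklocal), and a jail's IPv6 then silently goes nowhere. The script below is an added example, not code from the thread, from the linked gist or from FreeBSD: since rc.conf is sh syntax, it sources an rc.conf fragment in a subshell and checks every prerequisite of the "jails on a bridge, IPv6 routed through the host" setup. The function names and temporary paths are assumptions of this example; the variable names are the real rc.conf(5) knobs quoted in the thread, and the "good" sample reuses the values from the reply.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): pre-flight check of the
# host rc.conf settings that routing a vnet jail's IPv6 via a bridge needs.
# rc.conf is sh syntax, so the file is sourced in a subshell and inspected.
# Function names and paths are assumptions; variable names are rc.conf(5) knobs.

check_ipv6_bridge_rcconf() {
    rcfile=$1              # rc.conf (or a fragment of it) to inspect
    bridge=${2:-bridge0}   # bridge the jails' epair a-sides are members of
    (
        set +e
        . "$rcfile"
        status=0
        fail() { echo "FAIL: $1"; status=1; }

        [ "$gateway_enable" = "YES" ] \
            || fail "gateway_enable must be YES for the jails' IPv4 NAT"
        [ "$ipv6_gateway_enable" = "YES" ] \
            || fail "ipv6_gateway_enable must be YES to route jail IPv6 via the host"
        [ "$ipv6_activate_all_interfaces" = "YES" ] \
            || fail "ipv6_activate_all_interfaces must be YES (link-local on every interface)"

        case " $cloned_interfaces " in
            *" $bridge "*) ;;
            *) fail "$bridge is not listed in cloned_interfaces" ;;
        esac

        # ifconfig_<bridge>_ipv6 must carry a global address with a prefix
        # length (this is the jails' gw6) and request a link-local address.
        eval "v6cfg=\${ifconfig_${bridge}_ipv6}"
        case "$v6cfg" in
            "inet6 "*/*) ;;
            *) fail "ifconfig_${bridge}_ipv6 lacks a global inet6 address/prefix" ;;
        esac
        case "$v6cfg" in
            *auto_linklocal*) ;;
            *) fail "ifconfig_${bridge}_ipv6 lacks auto_linklocal" ;;
        esac

        # A link-local default router (fe80::/10) is ambiguous without a
        # %zone suffix naming the uplink interface.
        case "$ipv6_defaultrouter" in
            "") fail "ipv6_defaultrouter is unset" ;;
            [Ff][Ee]80:*%*) ;;
            [Ff][Ee]80:*) fail "ipv6_defaultrouter is link-local but has no %interface zone" ;;
        esac
        exit "$status"
    )
}

# Constructed sample fragments: "good" mirrors the excerpt in the thread,
# "broken" drops the IPv6 gateway knobs and the zone on the router address.
write_sample_rcconf() {
    kind=$1; dest=$2
    if [ "$kind" = good ]; then
        cat > "$dest" <<'EOF'
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.17.1/24"
gateway_enable="YES"
ipv6_activate_all_interfaces="YES"
ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64 auto_linklocal"
ipv6_defaultrouter="fe80::1%vtnet0"
ipv6_gateway_enable="YES"
EOF
    else
        cat > "$dest" <<'EOF'
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.17.1/24"
gateway_enable="YES"
ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64"
ipv6_defaultrouter="fe80::1"
EOF
    fi
}

# Stand-alone demo: check both constructed samples.
demo_dir=$(mktemp -d)
write_sample_rcconf good "$demo_dir/rc.conf.good"
write_sample_rcconf broken "$demo_dir/rc.conf.broken"
check_ipv6_bridge_rcconf "$demo_dir/rc.conf.good" && echo "good sample: OK"
check_ipv6_bridge_rcconf "$demo_dir/rc.conf.broken" || echo "broken sample: rejected (expected)"
rm -rf "$demo_dir"
```

To check a live host, call check_ipv6_bridge_rcconf /etc/rc.conf with the bridge name used in jail.conf; each unmet prerequisite is reported and the function exits non-zero, so it drops straight into a deployment script. The check deliberately sources the file rather than grepping it, so values set through the same shell constructs rc(8) understands are seen exactly as rc(8) sees them.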
From: Jacques Foucry
To: freebsd-jail@freebsd.org
Date: Wed, 6 Jan 2021 12:07:23 +0100
Subject: Re: Need help with VNET, Jail and IPv6

On Tuesday, 5 Jan. 2021 at 21:39:27 (+0000), Mina Galić wrote:
> > Hello all,
>
> Hi Jacques,
>
> > On my hosted machine I already have many "classical" jails.
> >
> > But I would like to switch to the modern schema with a bridge and VNET.
> >
> > With IPv4 I have no problem. In fact it is almost like without the bridge/VNET:
>
> For:
>
>     https://alpha.pkgbase.live/
>
> instead of libioc I just used jail.conf. With:
>
>     https://antranigv.am/weblog_en/posts/vnet-jail-howto/

I already read this and successfully made an IPv4 jail with this tutorial.

> as basis for the IPv4 setup.
>
> > My goal is first to have one jail (myjail) working with IPv4 and IPv6, then
> > slowly migrate the old jails to the new way.
> >
> > So, I need help to configure myjail to have IPv6 working:
> >
> > - Configuring an IPv6 address on e0b_myjail is easy, but which defaultrouter6 do I use?
> > - Does the bridge need an IPv6 address to be the defaultrouter6? I tried, with no luck.
> > - Do I need some configuration in pf?
> >
> > Thanks for reading me (I'm sure I'm not really clear) and for your advice.
> >
> > Btw, after I successfully configure myjail (and the other ones) I will write a how-to.
>
> Okay, let's see if I can hit all beats:
>
> Here's the paste of webserver.jail.conf, rc.conf (highlights) and pf.conf:
>
>     https://gist.github.com/87ba10c1c5611ed32367d5d48ef5f402

Thanks, that's really clear.

> I'll explain some of the important bits:
>
> My ISP binds the IPv4 to the MAC, but not the IPv6, go figure.
> That's why I leave the IPv4 address on the main interface, instead of fiddling with MAC addresses and moving it to the bridge.
>
> On the bridge, we have the IPv6 and the IPv4 NAT; that's handy, as it also means we only need one interface for both IPv4 and IPv6.
>
>     cloned_interfaces="bridge0"
>     # jail NAT and Network access
>     ifconfig_bridge0="inet 192.168.17.1/24"
>     gateway_enable="YES"
>
> Note that we explicitly enable link-local addresses, because, as per spec, they are needed to make IPv6 work:
>
>     # working IPv6 setup needs link-local addresses (according to the spec)
>     ipv6_activate_all_interfaces="YES"
>     ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64 auto_linklocal"
>     ipv6_defaultrouter="fe80::1%vtnet0"

Why vtnet instead of vnet? Is there a difference that I didn't see?

>     # enable IPv6 gateway
>     ipv6_gateway_enable="YES"
>
> And in the jail.conf it's really just about adding the IPv6 addresses to the interfaces, too!
>
>     vnet.interface = "$jepair";
>
>     exec.prestart = "ifconfig epair${id} create up";
>     exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
>     exec.prestart += "ifconfig $bridge addm epair${id}a up";
>
>     exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
>     exec.start += "/sbin/ifconfig epair${id}b ${ipaddr}";
>     exec.start += "/sbin/ifconfig epair${id}b inet6 ${ip6addr}";
>     exec.start += "/sbin/route add default ${gw}";
>     exec.start += "/sbin/route add -inet6 default ${gw6}";
>     exec.start += "/bin/sh /etc/rc";
>
> I also highly recommend adding IPv6 nameservers to your resolv.conf; that way, if you broke your IPv4 setup, you still have working IPv6!

That's good advice too :-)

> Being NAT, IPv4 routing is obviously happening via the host.
> Aaaaand, given that my ISP uses fe80::1 as the default gateway, the only way to make jails' IPv6 routing work was by routing it through the host.
> As for pf, it's only used for NAT.
> No firewalling, and I'm not doing anything to IPv6.
>
> That's all from me, I hope it helps.

Sure it helps; thanks for your advice, your time and expertise.

-- 
Jacques Foucry