Subject: Re: Jails - IPv4 and IPv6
To: freebsd-questions@freebsd.org
From: Shamim Shahriar <shamim.shahriar@gmail.com>
Date: Tue, 7 Aug 2018 00:28:38 +0100
In-Reply-To: <5B6895CB.1070004@gmail.com>

On 06/08/2018 19:39, Ernie Luzar wrote:
> Philipp Vlassakakis wrote:
>> Hello, everybody,
>>
>> does anyone use IPv4 and IPv6 in production jails and can provide
>> feedback about the configuration and stability of VIMAGE/VNET in
>> FreeBSD 11.2?
>>
>> Currently I only use IPv4 in my jails (via NAT) and would like to
>> switch to VIMAGE and roll out IPv6.
>> How do you use IPv4 and IPv6 with jails?
>>
>> Thanks and greetings
>> Philipp
>>
>>
>
> I use VIMAGE/VNET jails with IPv4 & IPv6 addresses for public access.
> VIMAGE/VNET has been stable but only supports ipfw firewall which
> includes a bug where all the VNET jails' IPFW firewall log files write
> to the host's IPFW firewall log, intermingling the log records. I use
> qjail to create and manage my VIMAGE/VNET jails.
>

Hi Ernie

Not sure what your setup is like, but I manage the firewall for all my
jails from the host itself -- i.e., the main host.

I have all the epair devices created from the main host, along with a
bridge device, and initially add only the main interface to the bridge0:

cloned_interfaces="bridge0 epair0 epair1 epair2 epair3 "   # List of cloned network interfaces to create.
ifconfig_bridge0="addm bge0 up"

Then come the jails, where each jail is attached to one of the epair
devices via /etc/jail.conf, and each epair gets an IPv4 address from
there as well. When the jail starts up, the jail adds the IPv6 address
via its own rc.conf:

ifconfig_epair3b_ipv6="inet6 aaaa:bbbb:cccc:def0::4:2 prefixlen 64"
ipv6_defaultrouter="aaaa:bbbb:cccc:def0::1"

So the IPv6 gets set on the epair device when the jail starts, and all
the firewalling is done from the main host itself -- NOT the individual
jails.

In my mind, having the firewall at the main host made sense to start
with -- so I do not need to manage N number of firewalls on individual
jails or use up all the resources for all the large tables (bogons, for
example). So I used the pf from the main host, and so far it seems to
have held things together pretty well.

I do not use any additional layer to create the jails -- they are
created on the base without qjail, iocage or any other layer in-between.

Hope this helps.

Best regards
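A constructed example (not from Shamim's mail, nor from any FreeBSD documentation) of the host-side /etc/jail.conf that such a layout needs, showing the host/jail split the reply describes: the host owns the bridge and the "a" end of each epair, the jail only ever sees its "b" end. It assumes a jail named www, jail roots under /usr/jails, a made-up IPv4 address 192.0.2.42/24, and the epair3/bridge0/bge0 names from the rc.conf lines above.

```conf
# /etc/jail.conf on the host (constructed example; names and address assumed)

# Defaults shared by every jail.
path = "/usr/jails/$name";              # assumed jail root layout
host.hostname = "$name.example.net";    # assumed domain
mount.devfs;
exec.clean;
exec.stop = "/bin/sh /etc/rc.shutdown";

www {
    # Give the jail its own network stack and hand it the "b" end of
    # epair3 (epair3 itself is created by cloned_interfaces on the host).
    vnet;
    vnet.interface = "epair3b";

    # Host side, before the jail starts: bring up epair3a and make it a
    # member of bridge0 next to bge0. The host's pf sees the jail's traffic
    # on epair3a (bridge members are filtered while net.link.bridge.pfil_member
    # is 1, the default), so the ruleset lives on the host only.
    exec.prestart = "ifconfig epair3a up && ifconfig bridge0 addm epair3a";

    # Inside the jail: the epair's IPv4 address is set from here, as in the
    # mail; IPv6 comes from the jail's own rc.conf (ifconfig_epair3b_ipv6).
    exec.start = "ifconfig epair3b inet 192.0.2.42/24 && /bin/sh /etc/rc";

    # Host side, after the jail stops: take the member out of the bridge
    # so a stopped jail leaves no dangling path onto the LAN.
    exec.poststop = "ifconfig bridge0 deletem epair3a";
}
```

The jail's own rc.conf still carries the IPv6 lines quoted in the mail; nothing in this file references a firewall, which is the point of keeping pf on the host.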