Date: Wed, 6 Jan 2021 12:07:23 +0100
From: Jacques Foucry <jacques+freebsd@foucry.net>
To: freebsd-jail@freebsd.org
Subject: Re: Need help with VNET, Jail and IPv6
Message-ID: <X/WZ622kPxk5aGxe@mithril>
In-Reply-To: <PDZWZVhs6L8L5RMO0bOj_l8ZoHeRfN_NDZbTOZB5lclL8YInRJFSc9wPIzWtxlk252EsAST1VYEl9A6F7l3ni2Is4mDVkYdvVT6JZ7ATMYU=@igalic.co>
References: <X/RHyJhoGIwN7rkF@mithril> <PDZWZVhs6L8L5RMO0bOj_l8ZoHeRfN_NDZbTOZB5lclL8YInRJFSc9wPIzWtxlk252EsAST1VYEl9A6F7l3ni2Is4mDVkYdvVT6JZ7ATMYU=@igalic.co>
On Tuesday, 05 Jan 2021 at 21:39:27 (+0000), Mina Galić wrote:
> > Hello all,
>
> Hi Jacques,
>
> > On my hosted machine I already have many "classical" jails.
> >
> > But I would like to switch to a modern schema with Bridge and vnet.
> >
> > With IPv4 I have no problem. In fact it is almost like without Bridge/VNET:
>
> For:
>
> https://alpha.pkgbase.live/
>
> instead of libioc I just used jail.conf. With:
>
> https://antranigv.am/weblog_en/posts/vnet-jail-howto/

I already read this and successfully made an IPv4 jail with this tutorial.

> as basis for the IPv4 setup.
>
> > My goal is first to have one jail (myjail) working with IPv4 and IPv6, then
> >
> > slowly migrate the old jails to the new way.
> >
> > So, I need help to configure myjail to have IPv6 working:
> >
> > - configuring an IPv6 address on e0b_myjail is easy, but which defaultrouter6 do I use?
> > - does the bridge have an IPv6 address to be the defaultrouter6? I tried with no luck.
> > - do I need some configuration in PF?
> >
> > Thanks for reading me (I'm sure I'm not really clear) and for your advice.
> >
> > Btw, after I successfully configure myjail (and the other ones) I will write a how-to.
> >
>
> Okay, let's see if I can hit all beats:
>
> Here's the paste of webserver.jail.conf, rc.conf (highlights) and pf.conf
>
> https://gist.github.com/87ba10c1c5611ed32367d5d48ef5f402

Thanks, that's really clear.

> I'll explain some of the important bits:
>
> My ISP binds the IPv4 to the MAC, but not the IPv6, go figure.
> That's why I leave the IPv4 address on the main interface, instead of fiddling with MAC addresses and moving it to the bridge.
>
> On the bridge, we have the IPv6 and the IPv4 NAT; that's handy, as it also means we only need one interface for both IPv4 and IPv6.
>
> cloned_interfaces="bridge0"
> # jail NAT and Network access
> ifconfig_bridge0="inet 192.168.17.1/24"
> gateway_enable="YES"
>
> Note that we explicitly enable link-local addresses, because, as per spec, they are needed to make IPv6 work:
>
> # working IPv6 setup needs link-local addresses (according to the spec)
> ipv6_activate_all_interfaces="YES"
> ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64 auto_linklocal"
> ipv6_defaultrouter="fe80::1%vtnet0"

Why vtnet instead of vnet? Is there a difference that I didn't see?

> # enable IPv6 gateway
> ipv6_gateway_enable="YES"
>
> And in the jail.conf it's really just about adding the IPv6 addresses to the interfaces, too!
>
> vnet.interface = "$jepair";
>
> exec.prestart = "ifconfig epair${id} create up";
> exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
> exec.prestart += "ifconfig $bridge addm epair${id}a up";
>
> exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
> exec.start += "/sbin/ifconfig epair${id}b ${ipaddr}";
> exec.start += "/sbin/ifconfig epair${id}b inet6 ${ip6addr}";
> exec.start += "/sbin/route add default ${gw}";
> exec.start += "/sbin/route add -inet6 default ${gw6}";
> exec.start += "/bin/sh /etc/rc";
>
> I also highly recommend adding IPv6 nameservers to your resolv.conf; that way, if you broke your IPv4 setup, you still have working IPv6!

That's good advice too :-)

> Being NAT, IPv4 routing is obviously happening via the host.
> Aaaaand, given that my ISP uses fe80::1 as the default gateway, the only way to make jails' IPv6 routing work was by routing it through the host.
> As for pf, it's only used for NAT.
> No firewalling, and I'm not doing anything to IPv6.
>
> That's all from me, I hope it helps.

Sure, it helps. Thanks for your advice, your time and expertise.

-- 
Jacques Foucry
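Added example, not code from the thread or from either author: a small POSIX sh pre-flight script for the layout Mina describes (global IPv6 on bridge0 with a link-local address, a link-local default router with a zone on the uplink, host forwarding enabled, jail addresses handed out from the bridge's /64). It lints an rc.conf for the host-side knobs quoted above and checks that a jail's ip6addr actually falls inside the bridge prefix, which is what makes the bridge address usable as gw6. The rc.conf samples are constructed to mirror the thread; the jail address 2a01:4f9:c010:c64c::10 is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for a vnet jail
# with IPv4 NAT and IPv6 routed through the host. Interface names and the
# jail address are assumptions; the rc.conf samples are constructed.

# Expand an IPv6 address to eight zero-padded groups, dropping a "/prefix"
# suffix and a "%zone" suffix first (so "fe80::1%vtnet0" is accepted).
expand_ipv6() {
    printf '%s\n' "$1" | sed 's,/.*$,,; s,%.*$,,' | awk -F'::' '{
        n = split($1, l, ":"); m = (NF > 1) ? split($2, r, ":") : 0
        k = 0
        for (i = 1; i <= n; i++) g[++k] = l[i]
        for (i = 1; i <= 8 - n - m; i++) g[++k] = "0"   # groups elided by the double colon
        for (i = 1; i <= m; i++) g[++k] = r[i]
        s = ""
        for (i = 1; i <= 8; i++) {
            h = tolower(g[i]); while (length(h) < 4) h = "0" h
            s = s (i > 1 ? ":" : "") h
        }
        print s
    }'
}

# Succeed iff both addresses share their first 64 bits. With a /64 on bridge0,
# a jail address outside that prefix is not on-link for the bridge, so a
# default route pointing at the bridge address cannot resolve.
in_same_64() {
    [ "$(expand_ipv6 "$1" | cut -c1-19)" = "$(expand_ipv6 "$2" | cut -c1-19)" ]
}

# Report which host-side rc.conf settings from the thread are missing in FILE.
# Prints one line per missing item; returns 1 if anything is missing.
# The last pattern insists that a link-local default router carries a %zone,
# since fe80::1 alone does not say which interface it lives on.
check_rcconf() {
    f=$1; missing=0
    for want in \
        'gateway_enable="YES"' \
        'ipv6_gateway_enable="YES"' \
        'ipv6_activate_all_interfaces="YES"' \
        'cloned_interfaces=.*bridge0' \
        'ifconfig_bridge0_ipv6=.*auto_linklocal' \
        'ipv6_defaultrouter=.*%'
    do
        if ! grep -Eq "^[[:space:]]*$want" "$f"; then
            printf 'missing in %s: %s\n' "$f" "$want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed rc.conf fragment mirroring the host-side settings in the thread.
sample_rcconf_ok() {
    cat <<'EOF'
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.17.1/24"
gateway_enable="YES"
ipv6_activate_all_interfaces="YES"
ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64 auto_linklocal"
ipv6_defaultrouter="fe80::1%vtnet0"
ipv6_gateway_enable="YES"
EOF
}

# Constructed broken variant: IPv4 forwarding only, no link-local on the
# bridge, and a default router without the zone that names its interface.
sample_rcconf_broken() {
    cat <<'EOF'
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.17.1/24"
gateway_enable="YES"
ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64"
ipv6_defaultrouter="fe80::1"
EOF
}

# Stand-alone demo: lint both samples, then check an assumed jail address
# against the bridge prefix (the values jail.conf's ${ip6addr}/${gw6} would carry).
tmp=$(mktemp -d)
sample_rcconf_ok > "$tmp/rc.conf.ok"
sample_rcconf_broken > "$tmp/rc.conf.broken"
for f in "$tmp/rc.conf.ok" "$tmp/rc.conf.broken"; do
    if check_rcconf "$f"; then echo "$f: all host-side settings present"; fi
done
rm -rf "$tmp"
bridge6="2a01:4f9:c010:c64c::1/64"   # bridge0 address from the thread
jail6="2a01:4f9:c010:c64c::10"       # assumed jail address
if in_same_64 "$bridge6" "$jail6"; then
    echo "$jail6 is inside the bridge0 /64; gw6=${bridge6%/*} is on-link"
else
    echo "$jail6 is outside the bridge0 /64; fix ip6addr or the bridge prefix"
fi
```

Run it before starting the jail; the broken sample reports four missing items. Two points the thread implies but does not spell out: vtnet0 in ipv6_defaultrouter is the host's virtio uplink NIC (the vtnet(4) driver) and has nothing to do with the jail vnet feature, and because the host forwards IPv6 while pf only NATs IPv4, every jail IPv6 address is reachable from outside directly, so add pf rules for inet6 if a jail is not meant to be exposed.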