From: Jacques Foucry <jacques+freebsd@foucry.net>
To: freebsd-jail@freebsd.org
Date: Wed, 6 Jan 2021 12:07:23 +0100
Subject: Re: Need help with VNET, Jail and IPv6
On Tuesday 05 Jan 2021 at 21:39:27 (+0000), Mina Galić wrote:
> > Hello all,
>
> Hi Jacques,
>
> > On my hosted machine I already have many "classical" jails.
> >
> > But I would like to switch to the modern schema with Bridge and vnet.
> >
> > With IPv4 I have no problem. In fact it is almost like without Bridge/VNET:
>
> For:
> https://alpha.pkgbase.live/
> instead of libioc I just used jail.conf. With:
> https://antranigv.am/weblog_en/posts/vnet-jail-howto/

I already read this and successfully made an IPv4 jail with this tutorial.

> as basis for the IPv4 setup.
>
> > My goal is first to have one jail (myjail) working with IPv4 and IPv6, then
> > slowly migrate the old jail to the new way.
> >
> > So, I need help to configure myjail to have IPv6 working:
> >
> > - configuring an IPv6 address on e0b_myjail is easy, but which defaultrouter6 do I use?
> > - does the bridge have an IPv6 address to be the defaultrouter6? I tried with no luck.
> > - do I need some configuration on PF?
> >
> > Thanks for reading me (I'm sure I'm not really clear) and for your advice.
> >
> > Btw, after I successfully configure myjail (and the other one) I will write a how-to.
>
> Okay, let's see if I can hit all beats:
>
> Here's the paste of webserver.jail.conf, rc.conf (highlights) and pf.conf
>
> https://gist.github.com/87ba10c1c5611ed32367d5d48ef5f402

Thanks, that's really clear.

> I'll explain some of the important bits:
>
> my ISP binds the IPv4 to the MAC, but not the IPv6, go figure.
> That's why I leave the IPv4 address on the main interface, instead of fiddling with MAC addresses and moving it to the bridge.
> On the bridge, we have the IPv6 and the IPv4 NAT; that's handy, as it also means we only need one interface for both IPv4 and IPv6.
>
> cloned_interfaces="bridge0"
> # jail NAT and Network access
> ifconfig_bridge0="inet 192.168.17.1/24"
> gateway_enable="YES"
>
> note that we explicitly enable link-local addresses, because, as per spec, they are needed to make IPv6 work:
>
> # working IPv6 setup needs link-local addresses (according to the spec)
> ipv6_activate_all_interfaces="YES"
> ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64 auto_linklocal"
> ipv6_defaultrouter="fe80::1%vtnet0"

Why vtnet instead of vnet? Is there a difference that I didn't see?

> # enable IPv6 gateway
> ipv6_gateway_enable="YES"
>
> and in the jail.conf it's really just about adding the IPv6 addresses to the interfaces, too!
>
> vnet.interface = "$jepair";
>
> exec.prestart = "ifconfig epair${id} create up";
> exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
> exec.prestart += "ifconfig $bridge addm epair${id}a up";
>
> exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
> exec.start += "/sbin/ifconfig epair${id}b ${ipaddr}";
> exec.start += "/sbin/ifconfig epair${id}b inet6 ${ip6addr}";
> exec.start += "/sbin/route add default ${gw}";
> exec.start += "/sbin/route add -inet6 default ${gw6}";
> exec.start += "/bin/sh /etc/rc";
>
> I also highly recommend adding IPv6 nameservers to your resolv.conf; that way, if you broke your IPv4 setup, you still have working IPv6!

That's good advice too :-)

> Being NAT, IPv4 routing is obviously happening via the host.
> Aaaaand, given that my ISP uses fe80::1 as the default gateway, the only way to make jails' IPv6 routing work was by routing it thru the host.
> as for pf, it's only used for NAT.
> No firewalling, and I'm not doing anything to IPv6.
>
> That's all from me, I hope it helps.

Sure, it helps; thanks for your advice, your time and expertise.

-- 
Jacques Foucry
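As an added worked example (not Mina's gist and not part of the original thread), here is the full set of files that apply the setup quoted above to Jacques's jail, myjail: the host rc.conf fragment, the jail.conf entry, the pf.conf NAT rule and the jail's resolv.conf. The jail id 10, the path /usr/local/jails/myjail, the hostname, the jail addresses 192.168.17.10 and 2001:db8:0:1::10, and the 2001:db8:0:1::/64 documentation prefix on bridge0 are assumptions standing in for real values (Mina's real prefix appears in the quoted rc.conf). vtnet(4) is FreeBSD's VirtIO network driver, so vtnet0 in Mina's rc.conf is the host's uplink NIC, which is why the provider's link-local gateway is written fe80::1%vtnet0; it has nothing to do with vnet.

```conf
# ---- /etc/rc.conf on the host (fragment) ----
cloned_interfaces="bridge0"
# bridge0 carries both the jails' IPv4 NAT network and the routed IPv6 /64
ifconfig_bridge0="inet 192.168.17.1/24"
# 2001:db8:0:1::/64 is a documentation prefix (assumed) standing in for the
# /64 your provider routes to the host; auto_linklocal is required for IPv6
ifconfig_bridge0_ipv6="inet6 2001:db8:0:1::1/64 auto_linklocal"
ipv6_activate_all_interfaces="YES"
# the host forwards for the jails on both address families
gateway_enable="YES"
ipv6_gateway_enable="YES"
# vtnet0 is the host's uplink; the provider's gateway is its link-local fe80::1
ipv6_defaultrouter="fe80::1%vtnet0"
pf_enable="YES"
jail_enable="YES"
jail_list="myjail"

# ---- /etc/jail.conf ----
# defaults shared by every jail
exec.clean;
mount.devfs;
devfs_ruleset = 4;
exec.stop = "/bin/sh /etc/rc.shutdown";
# destroying the a side removes both ends of the epair
exec.poststop = "ifconfig epair${id}a destroy";
$bridge = "bridge0";
$gw = "192.168.17.1";          # bridge0's IPv4 address on the host
$gw6 = "2001:db8:0:1::1";      # bridge0's IPv6 address on the host (assumed)

myjail {
    $id = "10";                              # assumed; must be unique per jail
    $ipaddr = "192.168.17.10/24";            # assumed
    $ip6addr = "2001:db8:0:1::10/64";        # assumed
    $jepair = "epair${id}b";
    host.hostname = "myjail.example.org";    # assumed
    path = "/usr/local/jails/myjail";        # assumed

    vnet;
    vnet.interface = "$jepair";

    # host side: create the epair and plug the a end into the bridge
    exec.prestart = "ifconfig epair${id} create up";
    exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
    exec.prestart += "ifconfig $bridge addm epair${id}a up";

    # jail side: address the b end and point both default routes at bridge0
    exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start += "/sbin/ifconfig $jepair ${ipaddr}";
    exec.start += "/sbin/ifconfig $jepair inet6 ${ip6addr}";
    exec.start += "/sbin/route add default ${gw}";
    exec.start += "/sbin/route add -inet6 default ${gw6}";
    exec.start += "/bin/sh /etc/rc";
}

# ---- /etc/pf.conf on the host: IPv4 NAT only, nothing for IPv6 ----
ext_if = "vtnet0"
jail_net = "192.168.17.0/24"
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# ---- /usr/local/jails/myjail/etc/resolv.conf ----
# an IPv6 resolver first, so DNS keeps working if the IPv4 side breaks
nameserver <your provider's IPv6 resolver>
nameserver <your provider's IPv4 resolver>
```

After `service netif cloneup` (or a reboot) and `service jail start myjail`, `ifconfig bridge0` on the host should list epair10a as a member, and `jexec myjail ifconfig epair10b` should show both the inet and inet6 addresses. Two caveats worth knowing before copying this: it assumes, as in Mina's setup, that the provider routes the whole /64 to the host rather than expecting it on-link on vtnet0 (if it is only on-link, the bridge needs NDP proxying or a different prefix), and because pf here only does IPv4 NAT, every service listening in the jail on its global IPv6 address is reachable from the Internet directly, so add pf filter rules on the host if that is not what you want.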