To: freebsd-questions@freebsd.org
From: Niklaas Baudet von Gersdorff
Subject: IPv6 only Jails cannot connect to the outside world
Message-ID: <5611AFCA.4010909@kulturflatrate.net>
Date: Mon, 5 Oct 2015 01:01:30 +0200

Hi,

I successfully run a server with several jails configured with ezjail. Normally, each jail gets a private IPv4 on lo1 and another public IPv6 on re0, i.e. the external interface. These jails can connect to the outside world perfectly:

> $ telnet -4 google.com 80
> Trying 173.194.116.99...
> Connected to google.com.
> Escape character is '^]'.

> $ telnet -6 google.com 80
> Trying 2a00:1450:4001:80c::100e...
> Connected to google.com.
> Escape character is '^]'.

Today I created a jail that only has an IPv6. This jail cannot connect:

> root@ipv6only:~ # telnet google.com 80
> google.com: hostname nor servname provided, or not known

I don't know why. It has a public IPv6 registered on re0.

I use pf as firewall. What I realised is that, if I turn off the following nat rule, those jails that have both IPv4 and IPv6 cannot connect either, neither via IPv4 nor via IPv6.

> nat on $ext_if from ( $jail_net ) to any -> $ext_if

I would understand if they weren't able to connect via IPv4 anymore (because their private IPv4 aren't translated on the $ext_if), but I do not understand why IPv6 doesn't work on these jails then either. It seems as if my IPv6 connectivity only works if IPv4 connectivity is guaranteed, since IPv6 once also worked as shown above?!

Of course, in my pf.conf I have

> pass out on $ext_if proto { tcp udp } from ( $ext_net ) to any port { ssh domain http https }

to allow outgoing traffic from any jail with a public IP registered at the external interface.

On the jails' host I have

> gateway_enable="YES"
> ipv6_gateway_enable="YES"

Do I have to set something specifically in the jails so that they connect over IPv6 through the host?

I assume it's difficult to help me on this because I haven't stated my entire network (especially my firewall) setup yet. Nevertheless, I run into the same problem even with the firewall disabled. Thus, I guess it's rather a necessary step I missed when configuring an ezjail with IPv6 only.

I would very much appreciate it if someone could point me in a possible direction worth investigating. Key question: How to configure a jail with ezjail that only has an IPv6? I already spent days trying different configurations etc.

--
Niklaas