From: "Dries Michiels"
Subject: Configuring IPv6 on jails
Date: Mon, 29 Oct 2018 15:56:02 +0100
List-Id: Networking and TCP/IP with FreeBSD

Hello,

I'm converting everything in my network to dual stack. So far so good. I came to a stop when I started to think about my jails.

Right now my jails have a private IPv4 address and get NAT-ed by IPFW to reach the IPv4 internet.

My ISP gives me a /56 IPv6 prefix which I obtain by using DHCPv6 (net/dhcp6). net/dhcp6 puts a /64 prefix from that /56 range on my LAN interface and from there rtadvd takes over.

How can I assign a global address to my jails without too much scripting (using net/dhcp6 or other solutions, see below)?

I was thinking about a few solutions:

* Either use VIMAGE for the jails. Attach jails to the same bridge, use net/dhcp6 to put a /64 prefix on the bridge and let rtadvd run on it. This way I can use rtsold in the jails to obtain an IPv6 address from the prefix assigned to the bridge.

* Use IPFW IPv6 prefix translation for the jail /64 prefix; translate between the globally routable /64 prefix and fd00::1/64 (as example). The latter can be statically configured in jail.conf. My problem here is that the IPFW rule needs the external prefix as an argument. My prefix is dynamic so this might be tricky and indicates scripting to me. Isn't there a way to let IPFW determine what interface to use (and thus IPv6 prefix) for external translation? (For IPv4 NAT there is no need to specify the external IPv4 address.)

* Script everything .. put some IPv6 addresses on my jail interface (lo1 at the moment) and script it so that jail.conf picks an IPv6 address from that interface.

Right now my biggest question is how I can make my jails access the internet over IPv6 using a dynamic /64 prefix without scripting.

Can anyone give me some extra advice, help, or indicate another more elegant solution in deploying my setup?

Thanks.
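
The second option in the message relies on stateless prefix translation. As an added example (not part of the original message and not ipfw's own code), the Python below follows the checksum-neutral mapping of RFC 6296 (NPTv6) to show which global address a jail statically configured in fd00::/64 appears as for a given delegated /64. The function names, the jail address fd00::10 and the 2001:db8:… prefixes are constructed for illustration.

```python
import ipaddress

def _words(value):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def _oc_add(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def _oc_sum(net):
    """One's-complement sum of the words of a prefix (host bits are zero)."""
    total = 0
    for w in _words(int(net.network_address)):
        total = _oc_add(total, w)
    return total

def nptv6_translate(addr, from_prefix, to_prefix):
    """Map addr from from_prefix into to_prefix, checksum-neutrally (RFC 6296)."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix, strict=False)
    dst = ipaddress.IPv6Network(to_prefix, strict=False)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefixes must have the same length, at most /64")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    # adjustment = sum(from_prefix) - sum(to_prefix) in one's complement
    adjustment = _oc_add(_oc_sum(src), ~_oc_sum(dst) & 0xFFFF)
    # Overwrite the prefix bits, keep the host bits.
    w = _words(int(dst.network_address) | (int(addr) & int(src.hostmask)))
    # /48 or shorter: adjust the subnet word; longer: first IID word != 0xFFFF.
    candidates = [3] if src.prefixlen <= 48 else range(4, 8)
    idx = next((i for i in candidates if w[i] != 0xFFFF), None)
    if idx is None:
        raise ValueError("address cannot be translated (adjustable word is 0xFFFF)")
    w[idx] = _oc_add(w[idx], adjustment)
    if w[idx] == 0xFFFF:          # 0xFFFF and 0 both represent zero; use 0
        w[idx] = 0
    return ipaddress.IPv6Address(sum(x << (112 - 16 * i) for i, x in enumerate(w)))

# Constructed values: a jail statically configured in fd00::/64 and two
# successive delegated /64s taken from the documentation range.
JAIL = "fd00::10"

def external_view(delegated_prefix):
    return str(nptv6_translate(JAIL, "fd00::1/64", delegated_prefix))

if __name__ == "__main__":
    for prefix in ("2001:db8:aa:1::/64", "2001:db8:bb:1::/64"):
        print(prefix, "->", external_view(prefix))
```

With /64 prefixes the adjustment lands in the interface identifier, so the jail's external address is not simply the delegated prefix followed by ::10; inbound firewall rules and AAAA records have to use the translated address, which changes whenever the delegated prefix does.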