From nobody Wed Dec 22 10:02:31 2021 X-Original-To: freebsd-net@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id C5D721903AF4 for ; Wed, 22 Dec 2021 10:02:42 +0000 (UTC) (envelope-from meka@tilda.center) Received: from c3po.tilda.center (c3po.tilda.center [108.61.164.129]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4JJpm13QSlz4X5N for ; Wed, 22 Dec 2021 10:02:41 +0000 (UTC) (envelope-from meka@tilda.center) Received: from tilda.center (178-220-5-137.static.isp.telekom.rs [178.220.5.137]) by c3po.tilda.center (Postfix) with ESMTPSA id 29ABD3E8C0 for ; Wed, 22 Dec 2021 11:02:32 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tilda.center; s=c3po; t=1640167352; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=EOzGNhswUIsu8dvCLtpHzAzo+luhLX1DdZKxKZz7MRU=; b=lJS6JKPTHLrJZnwbIyXItBfO6O/i4emyVzbqJUTWYPRKzAJVMXNbSHx06BazbcND0bwVbE iD00ONI0ph7EIBKEATpK01U2bp12RQiNmwoE950kXUF/VaO8+5854yMoyypvC1SFuLMRvA AxYzWgiZTuj/761QLfc7b3i63JO12UQ= Date: Wed, 22 Dec 2021 11:02:31 +0100 From: Goran =?utf-8?B?TWVracSH?= To: freebsd-net@freebsd.org Subject: Re: IPv6 with VNET jails Message-ID: <20211222100231.qlxdxkdslohs6zn3@tilda.center> References: <20211221163015.l5axsxvpksbv7om5@tilda.center> List-Id: Networking and TCP/IP with FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-net List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-net@freebsd.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="bsotrfjydbl3xrl5" Content-Disposition: inline In-Reply-To: <20211221163015.l5axsxvpksbv7om5@tilda.center> X-Rspamd-Queue-Id: 4JJpm13QSlz4X5N X-Spamd-Bar: - Authentication-Results: mx1.freebsd.org; dkim=fail ("headers rsa verify failed") header.d=tilda.center header.s=c3po header.b=lJS6JKPT; dmarc=pass (policy=reject) header.from=tilda.center; spf=pass (mx1.freebsd.org: domain of meka@tilda.center designates 108.61.164.129 as permitted sender) smtp.mailfrom=meka@tilda.center X-Spamd-Result: default: False [-1.20 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; NEURAL_SPAM_SHORT(1.00)[0.999]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-net@freebsd.org]; NEURAL_SPAM_MEDIUM(0.99)[0.988]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_HAM_LONG(-1.00)[-1.000]; R_DKIM_REJECT(0.00)[tilda.center:s=c3po]; DKIM_TRACE(0.00)[tilda.center:-]; DMARC_POLICY_ALLOW(0.00)[tilda.center,reject]; DMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; R_MIXED_CHARSET(0.71)[subject]; ASN(0.00)[asn:20473, ipnet:108.61.164.0/22, country:US]; RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[] X-ThisMailContainsUnwantedMimeParts: N --bsotrfjydbl3xrl5 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Hello, To answer my own question, I was missing this line in PF: nat on $ext_if inet6 from cbsd0:network to any -> ($ext_if:0) There, "inet6" and "$ext_if:0" are important bits. Without :0 PF would load-balance IPv6 addresses and that's link-local one and one assigned by rtsold. I hope this helps someone in the future. Regards, meka --bsotrfjydbl3xrl5 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE1WIFkXy2ZeMKjjKEWj1TknovrLYFAmHC97QACgkQWj1Tknov rLbX/hAAoYzHBPakWqK5W8xNCz9huSc49ouAhyPfmJGdnN+8BbbL7ey8iXCbkBqm IghP/A9vdEokboEJxokYKcoZLKRhxo91c4RSP1TP1Zf/Zmtr2MK0L23lO3vP2PyB I9vT+aE1V5+KDhsczh9MKwYu9Hbu1pmWcafLcn2XyZ4THiJ+3aaRqdEOjfahFnPC TgdeDQpu9cjVxIpYMvKLNU1yTjIoaVgwo9BRaIgaq43nAFReA0EQ4PIQQlAScPCT DPWmmp6o+d224gZ/gzde4kong/T/i7JdPgRh7lb4g2XZZ7tQdSoVFQw30tTMb9qB EAhNYtDiXsxlldaajCDlBKwMR9xHgfgVvx/XmGNjdGrFbAVfw1F0dx1Sc8UqgA2P SzpBskD1/0DzNDp6PA+iMfrVY0kXzMjR6GL7PXG9K0fyhr5d6JSFINSnArvMbFJB g8mqUveWhCyVGgepUr1WDJNHxptzbOI45Q9tLGDM+iUI1BJMfz1iE85pwzAm4p8o SUcU2CztMLAVHTDv+F40QrvlewtwZxFYsB4ErJTQWPr5mkdLdR70qi6fAkf4V6xr g/22suhjTu431bu2VFWwkqRfwkRAA6q6w77Iy0b8X1Td3za6PMgYHtuFVNqnprpw 8gmMfGrbCMRPEywwEd+i4lVT2xKJcA1hJb9kpg74/RvgTt/sHig= =Rmob -----END PGP SIGNATURE----- --bsotrfjydbl3xrl5--