> Hello all,
Hi Jacques,
> On my hosted machine I already have many "classical" jails.
>
> But I would like to switch to modern schema with Bridge and vnet.
>
> With IPv4 I have no problem. In fact is almost like without Bridge/VNET:
For:
https://alpha.pkgbase.live/
instead of libioc I just used jail.conf. With:
https://antranigv.am/weblog_en/posts/vnet-jail-howto/
as basis for the IPv4 setup.
> My goal is first to have on jail (myjail) working with IPv4 and IPv6 then,
>
> slowly migrate the old jail to the new way.
>
> So, I need help to configure myjail to have IPv6 working:
>
> - configure a IPv6 on e0b_myjail is easy, but which defaultrouter6 did I
> use?
> - did the bridge have an IPv6 to be the defaultrouter6? I try with no luck.
> - did I need some configuration on PF?
>
> Thanks for reading me (I sure I not really clear) and for your advice.
>
> Btw, after I successfully configure myjail (and the other one) I will
> wrote a how-to.
>
Okay, let's see if I can hit all beats:
Here's the paste of webserver.jail.conf, rc.conf (highlights) and pf.conf
https://gist.github.com/87ba10c1c5611ed32367d5d48ef5f402
I'll explain some of the important bits:
my ISP binds the IPv4 to the MAC, but not the IPv6, go figure.
That's why I leave the IPv4 address on the main interface, instead of fiddling
with MAC addresses and moving it to the bridge.
On the bridge, we have the IPv6 and the IPv4 NAT; That's handy, as it also
means we only need one interface for both IPv4 and IPv6.
cloned_interfaces="bridge0"
# jail NAT and Network access
ifconfig_bridge0="inet 192.168.17.1/24"
gateway_enable="YES"
note that we explicitly enable link-local addresses, because, as per spec, they
are needed to make IPv6 work:
# working IPv6 setup needs link-local addresses (according to the spec)
ipv6_activate_all_interfaces="YES"
ifconfig_bridge0_ipv6="inet6 2a01:4f9:c010:c64c::1/64 auto_linklocal"
ipv6_defaultrouter="fe80::1%vtnet0"
# enable IPv6 gateway
ipv6_gateway_enable="YES"
and in the jail.conf it's really just about adding the IPv6 addresses to the
interfaces, too!
vnet.interface = "$jepair";
exec.prestart = "ifconfig epair${id} create up";
exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
exec.prestart += "ifconfig $bridge addm epair${id}a up";
exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
exec.start += "/sbin/ifconfig epair${id}b ${ipaddr}";
exec.start += "/sbin/ifconfig epair${id}b inet6 ${ip6addr}";
exec.start += "/sbin/route add default ${gw}";
exec.start += "/sbin/route add -inet6 default ${gw6}";
exec.start += "/bin/sh /etc/rc";
I also highly recommend adding IPv6 nameservers to your resolv.conf; that way,
if you broke your IPv4 setup, you still have working IPv6!
Being NAT, IPv4 routing is obviously happening via the host.
And, given that my ISP uses fe80::1 as the default gateway, the only way to
make jails' IPv6 routing work was by routing it thru the host.
as for pf, it's only used for NAT.
No firewalling, and I'm not doing anything to IPv6.
That's all from me, i hope it helps.
> --
>
> Jacques Foucry
best of luck,
Mina
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
