Hi,
I have Apache in a jail configured with IPv4 and IPv6. My setup was OK for some time (a year or so), but it's not working as expected after a HW and OS upgrade (9.0 to 9.1). Using the same configuration as before the upgrade, Apache is not responding to IPv6 queries.
The jail's IPs are configured on a custom loopback interface and NATed with PF. For the purpose of troubleshooting, IPv6 traffic is passed quick at the beginning of the filtering rules.
Configuration on the host:
Code:
PUB_IP IPv4 of the host on egress interface
PUB_IP6 IPv6 of the host on egress interface
WWW_PUB_IP6 IPv6 in the jail
/etc/rc.conf:
Code:
ifconfig_lo252_alias1="inet 192.168.252.2 netmask 255.255.255.255"
ifconfig_lo666_ipv6="inet6 <WWW_PUB_IP6> prefixlen 64"
# pfctl -snat
Code:
nat pass on em0 inet from 192.168.252.0/24 to any -> PUB_IP
rdr pass on em0 inet proto tcp from any to PUB_IP port = http -> 192.168.252.2
rdr pass on em0 inet proto tcp from any to PUB_IP port = https -> 192.168.252.2
rdr pass on em0 inet6 proto tcp from any to PUB_IP6 port = http -> WWW_PUB_IP6
rdr pass on em0 inet6 proto tcp from any to PUB_IP6 port = https -> WWW_PUB_IP6
/etc/sysctl.conf:
Code:
security.jail.allow_raw_sockets=1
/usr/local/etc/ezjail/webserver:
Code:
export jail_webserver_ip="192.168.252.2,WWW_PUB_IP6"
$JAIL/httpd.conf:
Code:
Listen 192.168.252.2:80
Listen [WWW_PUB_IP6]:80
Local tests (host) are OK - Apache is answering IPv6 queries. I can't ping my IPv6 gateway from the jail.
This very setup worked prior to the OS upgrade. The OS was reinstalled from scratch. Some configuration files were merged (rc.conf, sysctl.conf, etc.), some were reapplied (httpd.conf). I was not able to find what I did wrong or differently from what I had on 9.0-RELEASE.
I'd expect the problem is that I do rdr on the IPv6 address but I don't NAT, so traffic can't go back from the jail to outside of the network. But as this setup did work last time, I'm trying to figure out why.
I know putting WWW_PUB_IP6 on the egress interface would solve this problem, but I'd like to keep the jail IPs on the custom interface.
Thanks for any hints.
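The mismatch the post suspects (rdr rules for an address family on the egress interface with no nat rule for the same family) can be checked mechanically against `pfctl -snat` output. The script below is an added example, not part of the original post; the sample input is constructed from the rules quoted above, with the macro names left unexpanded as the post shows them.

```python
import re

# Constructed sample of `pfctl -snat` output, copied from the forum post.
# Real output would show the expanded addresses instead of the macro names.
SAMPLE_RULES = """\
nat pass on em0 inet from 192.168.252.0/24 to any -> PUB_IP
rdr pass on em0 inet proto tcp from any to PUB_IP port = http -> 192.168.252.2
rdr pass on em0 inet proto tcp from any to PUB_IP port = https -> 192.168.252.2
rdr pass on em0 inet6 proto tcp from any to PUB_IP6 port = http -> WWW_PUB_IP6
rdr pass on em0 inet6 proto tcp from any to PUB_IP6 port = https -> WWW_PUB_IP6
"""

# action, interface, address family and translation target of a nat/rdr rule
RULE_RE = re.compile(
    r"^(?P<action>nat|rdr)\s+(?:pass\s+)?on\s+(?P<iface>\S+)\s+"
    r"(?P<af>inet6?)\b.*?->\s+(?P<target>\S+)"
)


def parse_translation_rules(text):
    """Parse nat/rdr lines into dicts; other lines (binat, comments) are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def rdr_targets_without_nat(text):
    """Map (iface, af) -> sorted rdr targets that have no nat rule for that pair.

    Replies to redirected connections are reverse-translated by the rdr state,
    but connections the jail opens itself (e.g. a ping to the gateway) leave
    with the jail's own source address unless a nat rule covers that family.
    """
    rules = parse_translation_rules(text)
    nat_keys = {(r["iface"], r["af"]) for r in rules if r["action"] == "nat"}
    missing = {}
    for r in rules:
        key = (r["iface"], r["af"])
        if r["action"] == "rdr" and key not in nat_keys:
            missing.setdefault(key, set()).add(r["target"])
    return {k: sorted(v) for k, v in missing.items()}


if __name__ == "__main__":
    for (iface, af), targets in rdr_targets_without_nat(SAMPLE_RULES).items():
        print(f"{af} rdr on {iface} -> {', '.join(targets)}: no matching nat rule")
```

Run against the posted rule set it flags only the inet6 redirect to WWW_PUB_IP6; adding an inet6 nat rule on em0 for that source makes the report empty.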