Hello everyone...
I'm fairly new to FreeBSD and come from a Linux/Docker background, but I've been amazed and impressed with the jails functionality in this OS.
I've deployed a small DevOps/CI stack on a small Intel mini-PC in my home, using IPv4, if_bridge, and iocage. I'm trying to migrate that stack to a VPS host, but using only IPv6.
I have one virtual NIC from my VPS provider, vtnet0, and I've attached it to a bridge, bridge0, which iocage is configured to use for vnet jail interfaces.
I've set an inet6 address on the bridge, configured it to clone the MAC address of the first interface. When the bridge is cloned, it's created with `addm vtnet0` as an argument.
When my host boots, the bridge gets the VPS-assigned IPv6 address, and then the jailed host performs its own SLAAC process and finds the correct router. Everything is fine on that front.
What I'm struggling with is getting the jail hosts to listen on a TCP socket on their assigned IPv6 address. I can ping the host, the jail, and they can ping each other, as well as ipv6.google.com. The jail can also access the internet, and I've got DNS64 working, and can install things with pkg in the jail.
On the host, I can also open listening sockets and connect to them from the jail, but when I try to do so on the jailed guest, nothing gets through, either from the host or from the internet.
Basically, the jailed host can initiate connections just fine, but cannot listen.
I'm not running a firewall quite yet, because I want things to just work before I secure things, and restrict ports.
Here's my /etc/rc.conf:
Code:
hostname="alcatraz"
sshd_enable="YES"
ntpd_enable="YES"
static_routes="linklocal"
# Fix virtio random issue
devmatch_blacklist="virtio_random.ko"
# Disable sendmail
sendmail_enable="NONE"
#ifconfig_vtnet0="DHCP -rxcsum -tso"
#ifconfig_vtnet0_ipv6="inet6 accept_rtadv -rxcsum6 -tso6"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
rtsold_flags="-aF"
## End of VPS configuration
# bridge0 acts as the switch: vtnet0 is added as a member when the bridge
# is created, and iocage attaches each vnet jail's epair to it.
cloned_interfaces="bridge0"
create_args_bridge0="addm vtnet0 up"
autobridge_interfaces="bridge0"
autobridge_bridge0="vtnet0"
# The member interface carries no address of its own; the host's IPv6
# address (via SLAAC) lives on the bridge.
ifconfig_vtnet0="up"
ifconfig_bridge0_ipv6="inet6 accept_rtadv -rxcsum6 -tso6 auto_linklocal up"
gateway_enable="YES"
ipv6_gateway_enable="YES"
# RFC 6204 CPE mode: keeps accept_rtadv working on bridge0 even though
# IPv6 forwarding is enabled above.
ipv6_cpe_wanif="bridge0"
and /etc/sysctl.conf:
Code:
# $FreeBSD$
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
kern.ipc.maxsockbuf=67108864
net.inet.tcp.sendbuf_max=67108864
net.inet.tcp.recvbuf_max=67108864
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.sendbuf_inc=16384
#net.inet.tcp.recvbuf_inc=524288
#net.inet.tcp.cc.algorithm=htcp
# Let jails open raw sockets (ping from inside a jail)
security.jail.allow_raw_sockets=1
net.inet.tcp.tso=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
# Do not pass bridged frames through the packet filter, neither on
# bridge0 itself nor on its member interfaces (no firewall yet)
net.link.bridge.ipfw=0
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=0
# bridge0 takes the MAC address of its first member (vtnet0)
net.link.bridge.inherit_mac=1
I was hoping to avoid setting up NAT rules at this stage, and to use the if_bridge as a network switch, using my VPS's router.
Do I still have to set up NAT, to allow the jailed hosts to listen and respond to connections?
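A check worth running before touching NAT or the bridge, added here as an example and not part of the original post: confirm from the host what the jail's daemon has actually bound to. `jexec <jailname> sockstat -l` lists the jail's listening sockets (the jail name is a placeholder). A service bound to an IPv4-only socket (`tcp4`), to `::1`, or to a link-local `fe80::` address can never be reached by a remote IPv6 client no matter how the bridge behaves, whereas `*` on a `tcp6`/`tcp46` socket or a global address rules the socket layer out. The parser below runs on constructed sample output (labelled as such; the `USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS` column layout is an assumption) and reports the ports on which no socket is reachable.

```python
"""Flag jail listeners that a remote IPv6 client could never reach.

Added example (not from the original post): feed it the output of
`jexec <jailname> sockstat -l` run on the host to separate a socket-layer
problem (daemon bound IPv4-only, to loopback, or to a link-local address)
from the bridge/forwarding question. The jail name is a placeholder.
"""
import ipaddress

# Constructed sample of `sockstat -l` output, not a real capture. Assumed
# column layout: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp6   *:22                  *:*
root     sshd       612   5  tcp4   *:22                  *:*
www      nginx      701   6  tcp4   *:80                  *:*
git      gitea      745   7  tcp6   ::1:3000              *:*
root     ntpd       533   20 udp6   fe80::2%epair0b:123   *:*
root     syslogd    480   4  dgram  /var/run/log
"""

INET_PROTOS = ("tcp4", "tcp6", "tcp46", "udp4", "udp6", "udp46")


def split_local(local):
    """Split a LOCAL ADDRESS field into (address, port).

    The port follows the last ':'; the address part may be '*', an IPv4
    literal, or an IPv6 literal that itself contains ':' and may carry a
    '%scope' suffix (link-local addresses do).
    """
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def classify(proto, addr):
    """Return why a remote IPv6 client cannot reach this socket, or None."""
    if proto in ("tcp4", "udp4"):
        return "ipv4-only socket"
    if addr == "*":
        return None  # wildcard: every IPv6 address the jail has, now or later
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.is_loopback:
        return "bound to loopback only"
    if ip.is_link_local:
        return "bound to link-local address (never routed off-link)"
    return None


def parse_sockstat(text):
    """Return one dict per inet listener; the header and unix sockets are skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 6 or f[4] not in INET_PROTOS:
            continue
        addr, port = split_local(f[5])
        rows.append({"user": f[0], "command": f[1], "pid": f[2],
                     "proto": f[4], "addr": addr, "port": port})
    return rows


def find_unreachable(text, port=None):
    """List (command, l4proto, port, reason) for ports with no reachable socket.

    Sockets are grouped per (tcp|udp, port): sshd's tcp4 *:22 beside its
    tcp6 *:22 is fine, because one socket on that port is reachable.
    """
    groups = {}
    for r in parse_sockstat(text):
        if port is not None and r["port"] != port:
            continue
        groups.setdefault((r["proto"][:3], r["port"]), []).append(r)
    problems = []
    for (l4, prt), sockets in sorted(groups.items()):
        reasons = [classify(s["proto"], s["addr"]) for s in sockets]
        if all(reasons):  # no None: every socket on this port is unreachable
            problems.append((sockets[0]["command"], l4, prt,
                             "; ".join(sorted(set(reasons)))))
    return problems


if __name__ == "__main__":
    for command, l4, prt, reason in find_unreachable(SAMPLE):
        print(f"{command:8s} {l4}/{prt:<5d} {reason}")
```

On the constructed sample this reports nginx (IPv4-only), gitea (loopback) and ntpd (link-local) while leaving sshd alone, since its `tcp6 *:22` socket is reachable. Once a listener comes out clean here, the remaining suspects are on the wire rather than in the jail: whether neighbor discovery for the jail's address completes (`ndp -an` on the host shows what the host has resolved, but not what the VPS router has), and whether the provider's network passes frames from the extra MAC address that each jail's epair presents on vtnet0. Keep in mind that with forwarding enabled and no pf in place yet, every jail listener that does become reachable is reachable from the whole internet, not just from the host.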