Hi gang!
Now that I have most of my network migrated to FreeBSD I'm currently looking into securing and optimizing my network. In the meantime my hosting provider has launched a new private network feature. Meaning so much that you can hook up your VPS systems into a 'pool' after which they can communicate through internal channels. The best part is that this traffic isn't deducted from the monthly quota on data traffic, simply because you're not using public channels any more.
I'm using this setup to allow my servers to contact a backup VPS which I'm using to keep data "off server" (the next step is to copy the data off site).
And to secure things a little further I'm only allowing my servers to access the backup server through its jail, this time actually called central.dogma (finally a cool and suitable name).
Now, the IPv4 part was easy. I soon realized that the only reason I couldn't access my jail directly through the network was due to the netmask being set to 32 by default. Some people solve this by adding a new alias to the network device; I simply specified /24 as the netmask in /etc/jail.conf (and /etc/rc.conf). (Note that this also doesn't require net.inet.ip.forwarding to be set.)
So far so good. Basically I got all I need, but I want more
IPv6 turned out to be a little harder.
As expected the netmask, or prefixlen, is set to 128 by default which isn't very useful. Because I'm using a private range (fc00) I've set the prefixlen to 7. But despite this setting it remains impossible for me to connect to the jail through IPv6.
I can rule out issues with the firewall and setting net.inet6.ip6.forwarding made no difference either.
I'm sure it's something I'm overlooking here. Question is what?
I am aware of the several tools available (sysutils/ezjail for example) which might be able to set all of this up automatically. That's not an option for me at this time. My goal isn't so much to get a working solution; I already have one when using IPv4.
I'm merely trying to understand why it doesn't work as I expected it.