I've been using FreeBSD for a little over a year, but using only IPv4 until recently. I actually have two instances -- an OPNsense router, and a DMZ-style server that runs base-FreeBSD using jails to isolate each of the services -- DNS (BIND9), HTTP (nginx), DB (MariaDB), several Java and PHP web-apps each in their own jail and reverse-proxied via nginx, etc.
I've recently enabled IPv6 on my networks, which was fairly straightforward with the OPNsense router. Everything is working fine for the client devices on the LANs, but I'm running into some problems getting the DMZ server to work with IPv6. There are two issues I'm dealing with.
#1. Not getting default route from DHCP/router advertisement
Currently the main problem is that the server does not seem to be registering the IPv6 default route advertised by the router. It does accept the prefix and generate its own address based on the prefix, but to get any IPv6 routed outside of the DMZ I need to manually set the default route on the command line.
What am I missing or doing wrong? Here is the relevant part of my /etc/rc.conf:
Code:
ifconfig_em0="inet 169.254.0.0/32" # VLANS only. Not used untagged
vlans_em0="2 53 80"
ifconfig_em0_2="inet 172.30.2.1/30" # primary (host-system) address
ifconfig_em0_53="inet 172.30.53.1/30" # DNS server
ifconfig_em0_80="inet 172.30.80.1/30" # nginx Web-server
defaultrouter="172.30.2.2"
ipv6_gateway_enable="YES"
ipv6_network_interfaces="em0_2" # also tried this and the next line with 'em0.2' , but no luck ...
ipv6_default_interface="em0_2"
ifconfig_em0_2_ipv6="inet6 accept_rtadv"
#2. How to give each service/jail a separate IPv6 address without using a bunch of prefixes, or putting them on the same subnet/VLAN?
You'll note above that I use VLANs on the em0 interface to segregate the various DMZ services. This physical interface is a point-to-point connection with the router, and I use the VLANs to isolate the services/jails from each other. (There are actually several more VLANs than what I listed above, but for the sake of simplicity I left them out.) I use FIBs for each of the jails to route their traffic through their own VLAN interfaces and default gateways (the router takes the 172.30.xx.2 address on each VLAN). This is easy enough to do with IPv4 private IP space, since I'm using port forwards and it all gets NATed from/to the public address anyway. Therefore these addresses are never exposed to the public internet, or even to my LAN for that matter.
Also note that VLAN #2 on em0 is the "main" interface that the host system uses, and the one that is currently getting a dynamically-generated IPv6 address based on the router's advertisement.
(Side note: I don't want to put the host interface on em0 untagged for reasons having to do with the router's next-gen-firewall config/logging. And just generally being able to troubleshoot issues by isolating a service or application. For example, if I want to see all the traffic that is coming strictly from the host, and NOT from any of the jails/services, I'd rather just be able to put the listener on VLAN 2, instead of having to process all the traffic on the entire physical interface and then filter out any tagged VLAN traffic to just see the host-only traffic. But I digress...)
Problem is... I'm concerned that for IPv6, if I use a separate prefix delegation for each service, it feels pretty excessive. Do I really need to use a separate /64 prefix for ONE address? (two if you count the router...)
My thought is to re-use the same prefix that the primary interface uses, and just give each service a different suffix. The router for that service could have the same suffix but with the final bit different.
For example, if the primary interface takes the address:
2500:ae24:50:17af:645a:324:11fe:10a1
I could use the prefix to generate each of the jail/service's addresses:
2500:ae24:50:17af::53:0 (DNS) with router 2500:ae24:50:17af::53:1
2500:ae24:50:17af::80:0 (www) with router 2500:ae24:50:17af::80:1
etc.
(In other words, I've effectively created a series of /112 subnets.)
How realistic is this approach? Does anyone have a different suggestion? I haven't even attempted to implement this yet, because I want to get the default route working automatically first. Thoughts?
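The /112-per-service plan sketched above, worked through as an added example (not the poster's code): it derives each jail and router address from the /64 that SLAAC gave the host and checks that the carved-out /112s stay inside that /64 without overlapping each other or the host's own address. The service table and the ifconfig_em0_<vlan>_ipv6 line format are assumptions modelled on the config quoted in the post.

```python
"""Added example: plan and sanity-check the /112-per-VLAN IPv6 scheme from the post.
Assumption: each service's VLAN id, read as hex digits, is its suffix (VLAN 53 -> ::53:0),
mirroring the addresses the post writes out."""
import ipaddress

# Constructed inputs taken from the post: the host's SLAAC address and the
# service -> VLAN id table (assumed; the post lists only DNS and www).
HOST_ADDR = ipaddress.IPv6Address("2500:ae24:50:17af:645a:324:11fe:10a1")
SERVICES = {"dns": 53, "www": 80}


def slaac_prefix(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
    """The /64 on-link prefix the host learned from the router advertisement."""
    return ipaddress.IPv6Network((addr, 64), strict=False)


def plan_subnets(prefix: ipaddress.IPv6Network, services: dict) -> dict:
    """Carve one /112 per service out of the /64: ::<suffix>:0 is the jail,
    ::<suffix>:1 the router, as the post lays out."""
    plan = {}
    for name, vlan in services.items():
        suffix = int(str(vlan), 16)              # VLAN 53 -> 0x53, so the address reads ::53:0
        base = int(prefix.network_address) + (suffix << 16)
        net = ipaddress.IPv6Network((base, 112))  # low 16 bits are zero, so strict is fine
        plan[name] = {"vlan": vlan, "net": net, "jail": net[0], "router": net[1]}
    return plan


def check_plan(prefix: ipaddress.IPv6Network, plan: dict,
               host: ipaddress.IPv6Address) -> bool:
    """Every /112 must lie inside the advertised /64, the /112s must not overlap,
    and none may swallow the host's own SLAAC address."""
    nets = [p["net"] for p in plan.values()]
    if not all(n.subnet_of(prefix) for n in nets):
        return False
    if any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:]):
        return False
    return not any(host in n for n in nets)


def rc_conf_lines(plan: dict) -> list:
    """Assumed rc.conf rendering, following the ifconfig_em0_<vlan>_ipv6 naming
    used in the post's own config; routing per FIB is left to the reader."""
    return [f'ifconfig_em0_{p["vlan"]}_ipv6="inet6 {p["jail"]}/112"'
            for p in plan.values()]


if __name__ == "__main__":
    pfx = slaac_prefix(HOST_ADDR)
    subnets = plan_subnets(pfx, SERVICES)
    print("plan ok:", check_plan(pfx, subnets, HOST_ADDR))
    print("\n".join(rc_conf_lines(subnets)))
```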