Hi All.
My server's jail needs an outgoing internet connection for Let's Encrypt OCSP stapling, but there is a connection problem with IPv6 only.
Detail
ifconfig
Code:
wan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8000a<TXCSUM,VLAN_MTU,LINKSTATE>
        ether 00:1e:68:c4:e1:9e
        inet6 2001:b011:a480:592f:21e:68ff:fec4:e19e prefixlen 64
        inet6 fe80::21e:68ff:fec4:e19e%wan0 prefixlen 64 scopeid 0x1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 10.0.0.254 netmask 0xffffff00
        inet 10.0.0.2 netmask 0xffffffff
        inet 10.0.0.1 netmask 0xffffffff
        inet6 fe80::1%lo1 prefixlen 64 scopeid 0x5
        inet6 fd00::ffff:ffff:fffe prefixlen 96
        inet6 fd00::ffff:a00:2 prefixlen 128
        inet6 fd00::ffff:a00:1 prefixlen 128
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1460
        inet6 fe80::547:4b0e:4df6:1f7c%ng0 prefixlen 64 scopeid 0x6
        inet 122.117.86.253 --> 168.95.98.254 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Here:
- ng0: Virtual interface created by net/mpd5 (VDSL dial-up PPPoE).
- lo1: Virtual interface cloned from lo0; all jails are attached to it.
- wan0: Physical interface to the VDSL modem; its IPv6 address is assigned by net/dhcp6 and obtained through the interface 'ng0' above.
- 10.0.0.2 / fd00::ffff:a00:2: the HTTP server jail's address.
- 10.0.0.1 / fd00::ffff:a00:1: the DNS server jail's address.
/etc/pf.conf
Code:
ext_if = "ng0"
ext_inet6_if = "wan0"

set limit { states 10000, frags 5000 }
set loginterface $ext_if
set loginterface $ext_inet6_if
set skip on lo0
set skip on lo1
set optimization aggressive
set block-policy drop
set state-policy if-bound
set require-order yes

scrub in all fragment reassemble

nat log on $ext_if inet6 from fd00::ffff:a00:2 to any -> ($ext_inet6_if)
nat log on $ext_if inet from 10.0.0.2 to any -> ($ext_if)
rdr on $ext_if inet6 proto { udp, tcp } from any to ($ext_inet6_if) port domain -> fd00::ffff:a00:1
rdr on $ext_if inet proto { udp, tcp } from any to ($ext_if) port domain -> 10.0.0.1
rdr on $ext_if inet6 proto { tcp } from any to ($ext_inet6_if) port { http, https } -> fd00::ffff:a00:2
rdr on $ext_if inet proto { tcp } from any to ($ext_if) port { http, https } -> 10.0.0.2

block all
pass quick proto pfsync

# == UDP ==
pass out quick on $ext_if inet6 proto udp all
pass out quick on $ext_if inet proto udp all
pass in quick on $ext_if inet6 proto udp from any to fd00::ffff:a00:1 port domain
pass in quick on $ext_if inet proto udp from any to 10.0.0.1 port domain

# == TCP ==
pass out quick on $ext_if inet6 proto tcp all
pass out quick on $ext_if inet proto tcp all
pass in quick on $ext_if inet6 proto tcp from any to { fd00::ffff:a00:1, fd00::ffff:a00:2 } port { http, https, domain }
pass in quick on $ext_if inet proto tcp from any to { 10.0.0.1, 10.0.0.2 } port { http, https, domain }
/etc/jail.conf
Code:
allow.nomount;
allow.noraw_sockets;
allow.noset_hostname;
allow.nosysvipc;
exec.clean;
exec.jail_user = "root";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.system_user = "root";
host.hostname = "epopen.com";
interface = "lo1";
mount.devfs;
path = "/usr/jail/${name}";
persist;

domain {
    ip4.addr = "10.0.0.1";
    ip6.addr = "fd00::ffff:a00:1";
}

http {
    ip4.addr = "10.0.0.2";
    ip6.addr = "fd00::ffff:a00:2";
}
Short-interval test results are below, alternating NG/OK (total test time for 10 tries: less than 1 minute).
Code:
1st test: NG.
# curl http://[2404:6800:4008:c01::6a]
curl: (7) Failed to connect to 2404:6800:4008:c01::6a port 80: Operation timed out

2nd test: OK.
# curl http://[2404:6800:4008:c01::6a]
<!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/</code> was not found on this server. <ins>That’s all we know.</ins>

3rd test: NG.
4th test: OK.
5th test: NG.
.....
But if the interval between tests is long, a test that is NG is still NG on the next test.
I assumed a queue issue, but there is no queue in the PF rules.
IPv4 is 100% OK, as below.
Code:
# curl http://108.177.125.147
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
I tried turning on forwarding, but the problem is still there.
Code:
# sysctl net.inet.ip.forwarding=1
# sysctl net.inet6.ip6.forwarding=1
Connections pass 50% of the time, so I assume the outgoing rule path is complete.
Can anyone help me with a hint / troubleshooting / debugging, if possible?
Thanks all very much.
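As an added example (my own code, not from the original post or any FreeBSD tool), the script below cross-checks the interface each pf rule is bound to against the interfaces that actually hold a global address of that family in ifconfig output. It parses only the macro definitions and the "on <interface>" plus "inet"/"inet6" tokens of nat/rdr/pass/block rules, and treats a link-local fe80:: address as not usable for global traffic. The IFCONFIG and PF_CONF sample texts are condensed from the post above; the regexes and the "global address" heuristic are my assumptions. A flagged rule (for example an inet6 nat rule bound to an interface that only carries a link-local IPv6 address) is a thing to verify with pfctl -sr and the IPv6 routing table, not a confirmed cause.

```python
"""Cross-check pf.conf rule interfaces against ifconfig address families.

Added example, not the poster's code. Sample inputs are condensed from the
forum post; parsing is deliberately minimal (one rule per line).
"""
import re

# Constructed sample: condensed from the post's ifconfig output.
IFCONFIG = """\
wan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 2001:b011:a480:592f:21e:68ff:fec4:e19e prefixlen 64
\tinet6 fe80::21e:68ff:fec4:e19e%wan0 prefixlen 64 scopeid 0x1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 10.0.0.254 netmask 0xffffff00
\tinet6 fd00::ffff:a00:2 prefixlen 128
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1460
\tinet6 fe80::547:4b0e:4df6:1f7c%ng0 prefixlen 64 scopeid 0x6
\tinet 122.117.86.253 --> 168.95.98.254 netmask 0xffffffff
"""

# Constructed sample: the macro and egress lines from the post's pf.conf.
PF_CONF = """\
ext_if = "ng0"
ext_inet6_if = "wan0"
nat log on $ext_if inet6 from fd00::ffff:a00:2 to any -> ($ext_inet6_if)
nat log on $ext_if inet from 10.0.0.2 to any -> ($ext_if)
pass out quick on $ext_if inet6 proto tcp all
pass out quick on $ext_if inet proto tcp all
"""


def parse_ifconfig(text):
    """Return {ifname: set of families with a global address on it}."""
    fams = {}
    cur = None
    for line in text.splitlines():
        m = re.match(r'^(\S+): flags=', line)
        if m:
            cur = m.group(1)
            fams[cur] = set()
            continue
        m = re.match(r'^\s+(inet6?)\s+(\S+)', line)
        if m and cur:
            fam, addr = m.groups()
            if fam == 'inet6' and addr.lower().startswith('fe80:'):
                continue  # link-local only: cannot carry global IPv6 traffic
            fams[cur].add(fam)
    return fams


def parse_macros(text):
    """Collect name = "value" macro definitions."""
    return dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', text, re.M))


def expand(token, macros):
    """Resolve a $macro token to its value (assumption: simple string macros)."""
    return macros.get(token[1:], token) if token.startswith('$') else token


def parse_rules(text, macros):
    """Yield (kind, interface, family, line) for rules carrying 'on <if>'."""
    pat = re.compile(r'^(nat|rdr|pass|block)\b.*?\bon\s+(\S+).*?\b(inet6?)\b')
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            kind, ifname, fam = m.groups()
            yield kind, expand(ifname, macros), fam, line


def find_mismatches(ifconfig_text, pf_text):
    """List rules bound to an interface lacking a global address of that family."""
    fams = parse_ifconfig(ifconfig_text)
    macros = parse_macros(pf_text)
    problems = []
    for kind, ifname, fam, line in parse_rules(pf_text, macros):
        if fam not in fams.get(ifname, set()):
            problems.append(
                f"{kind} rule bound to {ifname} for {fam}, "
                f"but {ifname} has no global {fam} address: {line}")
    return problems


if __name__ == "__main__":
    for p in find_mismatches(IFCONFIG, PF_CONF):
        print(p)
```

On the sample above it flags the two inet6 rules bound to ng0, because ng0 only has a link-local IPv6 address while the global address sits on wan0. To check a live host, replace IFCONFIG and PF_CONF with the output of `ifconfig -a` and `pfctl -sr` (macros are already expanded there, so the macro parser simply finds nothing).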