Hello folks,
I run FreeBSD 14.0-RELEASE-p6 on a 4 disks HPE NAS.
I would like to have several jails with ipv4 and ipv6 connectivity.
On the host here is the network configuration (from
The jail definition:
Some common variables are defined in
Still on the host, the
The
Starting demojail.
From it I can ping
May be I am on the problem for to long and I can't see what's wrong. I must miss something essential, but I cannot figure what.
Could you please help me?
Thanks in advance for reading me, your help, advises and your time.
Best Regards,
Jacques
I run FreeBSD 14.0-RELEASE-p6 on a 4 disks HPE NAS.
I would like to have several jails with ipv4 and ipv6 connectivity.
On the host here is the network configuration (from
rc.conf):
Code:
ifconfig_bge0="inet 192.168.1.83 netmask 255.255.255.0"
defaultrouter="192.168.1.254"
ipv6_activate_all_interfaces="YES"
ifconfig_bge0_ipv6="inet6 2a01:e0a:434:44e0::83 prefixlen 64"
gateway_enable="YES"
ipv6_gateway_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.0.10.253 netmask 255.255.255.0"
ipv6_defaultrouter="fe80::72fc:8fff:fe69:3816%bge0
ifconfig_bridge0="addm bge0"The jail definition:
Code:
demojail {
host.hostname = "${name}"; # hostname
$id = "99";
path = "/jails/${name}"; # root directory
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
$ip_addr = "10.0.1.${id}"; # Jail ipv4 address
$ip_route = "10.0.1.253"; # Gateway or host's ipv4 address
$ip6_addr = "2a01:e0a:434:44e0::${id}"; # Jail ipv6 address
$ip6_route = "2a01:e0a:434:44e0::1"; # Gateway or host's ipv6 address
vnet;
vnet.interface = "epair${id}b";
exec.prestart = "/sbin/ifconfig epair${id} create up";
exec.prestart += "/sbin/ifconfig bridge0 addm epair${id}a";
exec.start = "/sbin/ifconfig epair${id}b inet ${ip_addr}/24 up";
exec.start += "/sbin/ifconfig epair${id}b inet6 ${ip6_addr} up";
exec.start += "/sbin/route add default -gateway ${ip_route}";
exec.start += "/sbin/route add -inet6 default -gateway ${ip6_route}";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.poststop = "ifconfig epair${id}a destroy";
persist;
}Some common variables are defined in
/etc/jail.conf.Still on the host, the
netstat -rn output:
Code:
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 192.168.1.254 UGS bge0
127.0.0.1 link#3 UH lo0
192.168.1.0/24 link#1 U bge0
192.168.1.83 link#3 UHS lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 link#3 URS lo0
default fe80::72fc:8fff:fe69:3816%bge0 UGS bge0
::1 link#3 UHS lo0
::ffff:0.0.0.0/96 link#3 URS lo0
2a01:e0a:434:44e0::/64 link#1 U bge0
2a01:e0a:434:44e0::83 link#3 UHS lo0
fe80::%lo0/10 link#3 URS lo0
fe80::%bge0/64 link#1 U bge0
fe80::9af2:b3ff:fef1:423e%lo0 link#3 UHS lo0
fe80::%lo0/64 link#3 U lo0
fe80::1%lo0 link#3 UHS lo0
ff02::/16 link#3 URS lo0The
pf.conf file:
Code:
ext_if="bge0"
jailnet="10.0.1.0/24"
dns_ports = "{53 953 8053}"
dns_v4 = "10.0.10.73"
dns_v6 = "2a01:e0a:434:44e0::73"
icmp_types = "{ echoreq, unreach, redir, timex }"
table <bruteforce> persist
nat pass on $ext_if inet from $jailnet to any -> ($ext_if)
rdr log on $ext_if inet proto {udp tcp} from any to $ext_if port $dns_ports -> $dns_v4
rdr log on $ext_if inet6 proto {udp tcp} from any to $ext_if port $dns_ports -> $dns_v6
## Set default policy ##
block in log all
block quick log from <brutforce>
block drop in log quick on $ext_if from <f2b> to any
block return in log all
# SSH
pass in on $ext_if proto tcp to port { ssh } \
keep state (max-src-conn 15, max-src-conn-rate 3/1, \
overload <brutforce> flush global)
pass in quick on $ext_if proto {udp tcp} from any to $dns_v6 port $dns_ports
pass in quick on $ext_if proto {udp tcp} from any to $dns_v4 port $dns_ports flags S/SA keep state
set skip on { lo0, bridge0 }
# Allow ICPM/ICMP6
pass inet proto icmp all icmp-type $icmp_types keep state
pass quick proto icmp6 all
# Allow out
pass out all keep stateStarting demojail.
From it I can ping
ipv6.google.com but I cannot ping google.comifconfig ouput:
Code:
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0 metric 0 mtu 33152
options=0
groups: pflog
epair99b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:8e:ad:d6:f1:0b
inet 10.0.1.99 netmask 0xffffff00 broadcast 10.0.1.255
inet6 2a01:e0a:434:44e0::99 prefixlen 64
inet6 fe80::8e:adff:fed6:f10b%epair99b prefixlen 64 scopeid 0x7
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>netstat -rn output:
Code:
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 10.0.1.253 UGS epair99b
10.0.1.0/24 link#7 U epair99b
10.0.1.99 link#8 UHS lo0
127.0.0.1 link#8 UH lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 link#8 URS lo0
default 2a01:e0a:434:44e0::1 UGS epair99b
::1 link#8 UHS lo0
::ffff:0.0.0.0/96 link#8 URS lo0
2a01:e0a:434:44e0::/64 link#7 U epair99b
2a01:e0a:434:44e0::99 link#8 UHS lo0
fe80::%lo0/10 link#8 URS lo0
fe80::%epair99b/64 link#7 U epair99b
fe80::8e:adff:fed6:f10b%lo0 link#8 UHS lo0
fe80::%lo0/64 link#8 U lo0
fe80::1%lo0 link#8 UHS lo0
ff02::/16 link#8 URS lo0May be I am on the problem for to long and I can't see what's wrong. I must miss something essential, but I cannot figure what.
Could you please help me?
Thanks in advance for reading me, your help, advises and your time.
Best Regards,
Jacques
