Jail with external IP

Hi

I'm pretty new to FreeBSD, but I want to consolidate my local services around FreeBSD. The way I am imagining that is: I have one FreeBSD host (currently in a VM on a Synology) and a number of jails for dedicated services, like DNS. I can create a jail and install what I want in it. I can also configure PF, so a port on the host is proxied to the jail.

But this is not perfect. Let's say I run AdBlock Home in one jail and ruTorrent in another. Both of those services expose web interfaces, so it would be best if they could all use port 80. The perfect scenario would be if I could have a dedicated external IP (so available for other devices on the network) for each of those jails. This way, I could add a dedicated entry in my DNS and "rtorrent.local" would open the interface.

Is it possible for a FreeBSD + Jails to use dedicated IPs? Please assume that I have close to no knowledge around networking.
 
Hey, this works without any problems! Thank you patmaddox

I have one extra question, as my understanding of how routing works breaks here :)

1. I can now ssh directly to the jail.
2. When scanning the network (network tools on iOS), all aliases are visible.

But my UniFi controller doesn't see them, just the host. I'd love for it to be able to identify traffic and count network usage. Is it possible? I have no idea why they are not visible there.

The last missing piece for me is having a dedicated MAC address for each jail :)
 
For jails with different services you can use a single primary external IP.
For a few jails which require the same ports, you can use different IPs specified on your interface.
It should be the best solution if your FreeBSD is located inside a LAN and you have enough IPs for every jail.

But if you want to have FreeBSD with a single external IP and have no possibility to buy more than one external IP:
My own simple choice for jails related to multiple sites/services on http port 80 is:
1) configure on the lo0 or lo1 interface a few IPs from some new local network like 192.168.xxx.yyy
2) configure the jails to use these local IPs
3) install and configure the http(s) server www/nginx on the host.
It listens on port 80 (and 443) on the external IP and acts as a reverse web proxy for the sites in the different jails.
Nginx accepts the external http(s) requests and forwards them to different local IPs (and ports) depending on the name of the site (the HTTP Host header).
Nginx can also forward raw TCP connections, like a TCP proxy. Search for "tcp streams" if you need it.
4) for jails on local IPs which require access to the internet, I have configured NAT for the IPs on the lo* interface.

I can provide config examples on request.

I have used this and similar configurations for my web servers for more than 10 years, with a separate jail per web site.

Nowadays FreeBSD offers a better solution, "vnet for jails", but it is not so easy for beginners.
 
I can also configure PF, so a port on the host is proxied to the jail.
This isn't a proxy. Please understand there's a difference. That said, a (reverse) proxy is the solution to your problem.

Both of those services expose web interfaces, so it would be best if they could all use port 80.
Run a reverse proxy like net/haproxy on the host. That receives the connections to port 80. The reverse proxy can then be configured to 'switch' to different backends (i.e. different jails) based on the HTTP 1.1 Host header.

The difference here is that a packet filter like PF (or any of the other firewalls), only act on layer 3 (IP). They translate the (destination) IP address to another address and forward the packet (this is what PF's rdr does). A proxy receives a full connection and will create a new connection to the backend. More or less like a "man-in-the-middle". That allows you to make decisions based on layer 7 information, like the host header of HTTP.
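The post above about nginx on the host, and this reply about layer 7 versus PF's rdr, describe the same mechanism. The following is an added example written for this page, not code from the thread, from nginx or from haproxy: a minimal reverse proxy that binds one listener and picks the backend jail from the HTTP/1.1 Host header. The backend table (rtorrent.local, adguard.local and the 192.168.100.x addresses) is a constructed assumption standing in for the lo1 aliases described above; a practitioner would load it from config. Note what it refuses: a request with no Host header, two Host headers (a request-smuggling classic) or an unknown name gets a 421 rather than a default jail.

```python
import socket
import threading
from typing import Optional, Tuple

# Constructed routing table: Host header -> (jail address, port).  The jail
# addresses are assumptions standing in for the 192.168.xxx.yyy lo1 aliases.
BACKENDS = {
    "rtorrent.local": ("192.168.100.11", 80),
    "adguard.local": ("192.168.100.12", 80),
}
MAX_HEAD = 8192  # cap on the header block; larger requests are refused


def pick_backend(head: bytes, table=BACKENDS) -> Optional[Tuple[str, int]]:
    """Choose a backend from the Host header (layer 7), or None to refuse.
    Exactly one Host header is required: a missing, duplicate or unknown
    host is refused rather than sent to a default jail."""
    hosts = []
    for line in head.split(b"\r\n")[1:]:            # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip().decode("ascii", "replace"))
    if len(hosts) != 1:
        return None
    return table.get(hosts[0].split(":")[0].lower())  # strip any :port


def read_head(conn: socket.socket) -> Tuple[bytes, bytes]:
    """Read through the blank line; return (header block, leftover bytes)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk or len(buf) + len(chunk) > MAX_HEAD:
            return b"", b""
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def relay(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle(client: socket.socket, table=BACKENDS) -> None:
    head, rest = read_head(client)
    backend = pick_backend(head, table)
    if backend is None:
        client.sendall(b"HTTP/1.1 421 Misdirected Request\r\n"
                       b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        client.close()
        return
    # The jail sees a *new* TCP connection from the proxy host, not the
    # client's packets with a rewritten destination (what rdr would do).
    upstream = socket.create_connection(backend, timeout=10)
    upstream.sendall(head + b"\r\n\r\n" + rest)
    threading.Thread(target=relay, args=(client, upstream), daemon=True).start()
    relay(upstream, client)
    client.close()
    upstream.close()


def serve(listen: Tuple[str, int], table=BACKENDS) -> socket.socket:
    """Bind the single front-door listener and dispatch connections."""
    srv = socket.create_server(listen)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            threading.Thread(target=handle, args=(conn, table), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv


def demo_roundtrip() -> bytes:
    """Offline check: a fake jail on 127.0.0.1 behind the proxy; returns the body."""
    jail = socket.create_server(("127.0.0.1", 0))

    def fake_jail():
        conn, _ = jail.accept()
        read_head(conn)
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n"
                     b"Connection: close\r\n\r\nrtorrent")
        conn.close()
    threading.Thread(target=fake_jail, daemon=True).start()
    srv = serve(("127.0.0.1", 0), {"rtorrent.local": jail.getsockname()})
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(b"GET / HTTP/1.1\r\nHost: rtorrent.local\r\n\r\n")
        data = b""
        while chunk := c.recv(4096):
            data += chunk
    srv.close()
    jail.close()
    return data.split(b"\r\n\r\n", 1)[1]
```

`serve(("0.0.0.0", 80))` on the host is the whole deployment; the jails only ever see connections from the host's address, which is exactly the property that lets several jails share port 80 behind one IP. The 10-second timeout on the upstream socket is deliberate: an idle backend drops the relay rather than pinning a thread forever.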
 
On the subject of PF, my tests between an NFS server (v4 only) in a jail (FreeBSD 14.0-RELEASE) and a client (FreeBSD and Debian) performing a 'mount' via IPv6 seem to show that PF's 'rdr' mechanism doesn't work: the call ends in a timeout.
 
my tests between an NFS server (v4 only) in a jail (FreeBSD 14.0-RELEASE) and a client (FreeBSD and Debian) performing a 'mount' via IPv6 seem to show that PF's 'rdr' mechanism doesn't work: the call ends in a timeout.
You can't redirect IPv4 to IPv6 or vice versa.
 
Excuse my English, SirDice: when I said 'NFS server (v4 only)', I spoke of the NFS version, not the IP version.
So there is no redirection from IPv4 to IPv6 or vice versa.
In my tests, 2 (real, not VM) machines in a LAN use IPv4 and IPv6: connections with NFS work via IPv4, but don't work via IPv6.
More precisely, the call 'mount -t nfs public_or_linklocal_IPv6_address_of_host:/NFS_share_resource ...' fails but the "same" call 'mount -t nfs public_or_linklocal_IPv6_address_of_NFSjail:/NFS_share_resource ...' works.
(The first call is supposed to be redirected by a "standard" PF rdr, the second not.)
Obviously, in IPv4, the 2 forms of connection (the first one with PF's rdr) do work too.
 
when i said 'NFS server (v4 only)', i spoke of the NFS version not the IP version.
Ah, a misunderstanding on my part.

More precisely, the call 'mount -t nfs public_or_linklocal_IPv6_address_of_host:/NFS_share_resource ...' fails but the "same" call 'mount -t nfs public_or_linklocal_IPv6_address_of_NFSjail:/NFS_share_resource ...' works.
Where are you making the connection from? A redirect on the external interface only applies to incoming packets on that interface. A connection from the host will not pass the interface, thus a redirect is never applied.
 
From a machine (Debian or FreeBSD) installed in the same LAN as the machine hosting the NFS server.
This host has only one hardware interface (re0) and the jail is bridged to it via VNET.
Here is the ifconfig of the host (there is a second jail in which a web server has to run):
Code:
re0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=82099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether b4:2e:99:ea:ce:76
    inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::b62e:99ff:feea:ce76%re0 prefixlen 64 scopeid 0x1
    inet6 2a01:xxxx:yyyy:zzzz:428d:5cff:feb4:9122 prefixlen 64
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=0
    ether 58:9c:fc:10:ff:fa
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 9 priority 128 path cost 2000
    member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000
    member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 55
    groups: bridge
    nd6 options=9<PERFORMNUD,IFDISABLED>
pflog0: flags=1000141<UP,RUNNING,PROMISC,LOWER_UP> metric 0 mtu 33152
    options=0
    groups: pflog
epair1a: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: VNET for nfs jail
    options=8<VLAN_MTU>
    ether 02:36:73:ef:58:0a
    inet6 fe80::36:73ff:feef:580a%epair1a prefixlen 64 scopeid 0x5
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair2a: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: VNET for webserver jail
    options=8<VLAN_MTU>
    ether 02:46:2e:df:96:0a
    inet6 fe80::46:2eff:fedf:960a%epair2a prefixlen 64 scopeid 0x9
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
The NFS jail's ifconfig -j 1:
Code:
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0 metric 0 mtu 33152
    options=0
    groups: pflog
epair1b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:36:73:ef:58:0b
    inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::36:73ff:feef:580b%epair1b prefixlen 64 scopeid 0x6
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Note: I removed the public IPv6 addresses of the 2 jails.

So from the Debian machine (in the same LAN as the host):
mount -v -t nfs -o vers=4.2 [2a01:xxxx:yyyy:zzzz:428d:5cff:feb4:9122]:/share /mnt/tmp fails.
Idem for:
mount -v -t nfs -o vers=4.2 [fe80::b62e:99ff:feea:ce76%enp1s0]:/share /mnt/tmp
They both end (after a certain time) with a timeout.

But the command mount -v -t nfs -o vers=4.2 [fe80::36:73ff:feef:580b%enp1s0]:/share /mnt/tmp works.
And a similar command with the public IPv6 address of the jail should work.

Of course the mounts via IPv4 (to 192.168.1.100 or 192.168.1.101) work.
 
cachou46260, there could be a few reasons: do you have packet forwarding enabled for IPv6? Also, do you have other rules to support your rdr? An rdr will literally rewrite the destination on a packet, but this alone won't work unless you have a way of correctly rewriting the packet on its way back to the client again; otherwise the client will drop the unknown packets (because the source on the packet won't match anything in its lookup).

Also, if you are connecting to your jail with a global (not link-local) address, then the jail, which is missing a global address, won't have a route to send the rdr packets back on.
 
Thanks for your response, junkyalleycat.
Yes: sysctl net.inet6.ip6.forwarding gives
Code:
net.inet6.ip6.forwarding: 1

In my pf.conf (written with pain) there are 2 rules concerning this problem: the rdr itself and a 'pass in ... keep state' (similar to the rules for IPv4).
tcpdump shows activity during the call but my knowledge is not sufficient to interpret it correctly.
I will try some other tests with a public IPv6 address in the jail (side a or b) to find a 'way back' (from the jail to the caller).
 
Can you show us the entire pf.conf?

With NAT (both source and destination NAT) your rules need to be set on the 'translated' address. NAT is done first, then the rules are evaluated.

Example:
Code:
rdr on $ext_if from any to ($ext_if) port 1234 -> $jail_ip port 1234

pass in on $ext_if from any to $jail_ip port 1234
Note how the pass rule allows the traffic to the $jail_ip address, not the address of $ext_if. Because the incoming packet is redirected first, then the rules are applied.
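The ordering just described (translate first, filter on the translated packet, and let the state entry undo the translation on the reply) is easy to get wrong in the head. The block below is an added illustration written for this page, not pf's code and not anything from the thread: a small model of that inbound path, run once with the pass rule written for the host address and once for the jail address. The IPv4 addresses are the thread's 192.168.1.100 (host) and 192.168.1.101 (NFS jail); the client address, and all IPv6 addresses, are constructed from the RFC 3849 documentation prefix 2001:db8::/32 and stand in for the masked 2a01:... addresses.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    @property
    def af(self) -> str:
        return "inet" if ip_address(self.src).version == 4 else "inet6"


@dataclass(frozen=True)
class Rdr:
    """rdr on $ext_if <af> proto <proto> from any to <to_addr> port <to_port>
    -> <target_addr> port <target_port>"""
    af: str
    proto: str
    to_addr: str
    to_port: int
    target_addr: str
    target_port: int

    def matches(self, p: Packet) -> bool:
        return (p.af == self.af and p.proto == self.proto
                and p.dst == self.to_addr and p.dport == self.to_port)


@dataclass(frozen=True)
class Rule:
    """pass|block in [af] [proto] [to dst port dport] [quick]; None = any."""
    action: str
    af: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.af is None or self.af == p.af)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class PF:
    def __init__(self, rdrs: List[Rdr], rules: List[Rule]) -> None:
        self.rdrs, self.rules = rdrs, rules
        # state key (proto, client, cport, jail, jport) -> (addr, port) the client used
        self.states: Dict[Tuple, Tuple[str, int]] = {}

    def inbound(self, p: Packet) -> Tuple[str, Packet]:
        """Packet arriving on $ext_if; returns (verdict, packet after translation)."""
        orig = (p.dst, p.dport)
        # 1. Translation: the first matching rdr rewrites the destination ...
        for r in self.rdrs:
            if r.matches(p):
                p = replace(p, dst=r.target_addr, dport=r.target_port)
                break
        # 2. ... and only then are the filter rules evaluated, against the
        #    translated packet.  Last match wins unless a matching rule is quick.
        verdict = "pass"                      # pf's default when nothing matches
        for rule in self.rules:
            if rule.matches(p):
                verdict = rule.action
                if rule.quick:
                    break
        # 3. A passing stateful rule records the state that replies will use.
        if verdict == "pass":
            self.states[(p.proto, p.src, p.sport, p.dst, p.dport)] = orig
        return verdict, p

    def outbound_reply(self, p: Packet) -> Tuple[str, Packet]:
        """Reply from the jail: match the state, restore what the client expects."""
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key not in self.states:
            return "no-state", p
        addr, port = self.states[key]
        return "pass", replace(p, src=addr, sport=port)


# IPv4 addresses are the thread's; IPv6 and client addresses are constructed
# from the 2001:db8::/32 documentation prefix (assumptions, not real hosts).
HOST = {"inet": "192.168.1.100", "inet6": "2001:db8::100"}
JAIL = {"inet": "192.168.1.101", "inet6": "2001:db8::101"}
CLIENT = {"inet": "192.168.1.50", "inet6": "2001:db8::50"}
NFSD = 2049


def demo(af: str, pass_to_jail: bool) -> Tuple[str, str, str, str]:
    """One NFS connection through rdr, with the pass rule written for the jail
    address (correct) or for the host address (the mistake described above).
    Returns (inbound verdict, dst after rdr, reply verdict, src the client sees)."""
    pf = PF([Rdr(af, "tcp", HOST[af], NFSD, JAIL[af], NFSD)],
            [Rule("block"),
             Rule("pass", af, "tcp", JAIL[af] if pass_to_jail else HOST[af], NFSD)])
    verdict, seen = pf.inbound(Packet(CLIENT[af], 40000, HOST[af], NFSD))
    rverdict, reply = pf.outbound_reply(Packet(JAIL[af], NFSD, CLIENT[af], 40000))
    return verdict, seen.dst, rverdict, reply.src
```

With the pass rule written for the host address, `demo("inet", False)` returns a block from `block in all`: by the time the filter rules run the destination is already the jail's, so nothing passes and no state exists for the reply. Written for the jail address, the packet passes and the reply's source is rewritten back to the host address the client connected to. The model treats `inet` and `inet6` identically, which is the point: rdr semantics do not change between address families, so a family-specific failure has to be looked for in what surrounds the rule (forwarding, routes, the reply path), not in the rdr line itself.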
 
Can you show us the entire pf.conf?
Of course (even if I've made so many attempts that I'm not sure if my file is correct any more).
Some lines have been grabbed from the left and the right...
(To preserve a little confidentiality, I mask the public addresses)
Code:
EXTERNAL_INTERFACE="re0"
INTERNAL_INTERFACE="re0"
LOCAL_NETWORK=$INTERNAL_INTERFACE:network
PRIVATE_ADDRESSES="{192.168.1.0/24}"
HOSTv4 = "192.168.1.100"
HOSTv6 = "2a01:xxxx:yyyy:zzzz:428d:5cff:feb4:9122"
MANDATORY_SERVICES = "{ ssh, domain,  ntp, auth, 22222 }"
NFS_SERVER6 = "2a01:xxxx:yyyy:zzzz:36:73ff:feef:580b"
NFS_SERVER="192.168.1.101"
NFS_SERVICES = "{ nfsd, rpcbind }"
WEB_SERVER6 = "2a01:xxxx:yyyy:zzzz:46:2eff:fedf:960b"
WEB_SERVER = "192.168.1.102"
WEB_SERVICES = "{ http, https }"

# Allowed ICMP types
# The additional ICMPv6 types are for neighbor discovery (RFC 4861)
# see also  icmp6(4).
ICMP4_TYPES  = "{ echoreq, unreach }"
ICMP6_TYPES = "{ echoreq, unreach, routeradv, neighbrsol, neighbradv }"

# For the hosts that exceed the limits
table <SERVICES_SPAMMERS> persist
table <NFS_SPAMMERS> persist
table <WEBSERVER_SPAMMERS> persist

## The reserved addresses defined in RFC 1918 are declared as non routable
NON_ROUTABLE = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4, 224.0.0.0/3}"

### Reassemble fragmented packets
scrub in on $EXTERNAL_INTERFACE all fragment reassemble
### NAT and redirection for incoming calls (from internet)
nat pass on $EXTERNAL_INTERFACE from $PRIVATE_ADDRESSES to any -> ($EXTERNAL_INTERFACE)
# rdr on $EXTERNAL_INTERFACE proto {udp, tcp} from any to any port $MANDATORY_SERVICES -> $HOSTv4
# rdr on $EXTERNAL_INTERFACE inet6 proto {udp, tcp} from any to any port $MANDATORY_SERVICES -> $HOSTv6
rdr on $EXTERNAL_INTERFACE inet proto {udp, tcp} from any to $HOSTv4 port $NFS_SERVICES -> $NFS_SERVER
rdr on $EXTERNAL_INTERFACE inet6 proto {udp, tcp} from any to $HOSTv6 port $NFS_SERVICES -> $NFS_SERVER6
rdr on $EXTERNAL_INTERFACE inet proto {udp, tcp} from any to $HOSTv4 port $WEB_SERVICES -> $WEB_SERVER
rdr on $EXTERNAL_INTERFACE inet6 proto {udp, tcp} from any to $HOSTv6 port $WEB_SERVICES -> $WEB_SERVER6
### Pass loopback
set skip on lo0
### Block spoofs
antispoof for lo0
antispoof for $EXTERNAL_INTERFACE
# Rules to block brute access
block in quick from <SERVICES_SPAMMERS>
block in quick from <NFS_SPAMMERS>
block in quick from <WEBSERVER_SPAMMERS>
# Rules to block non routable addresses
#block drop in quick on $LOCAL_NETWORK from $NON_ROUTABLE to any
#block drop out quick on $LOCAL_NETWORK from any to $NON_ROUTABLE

block in all

# Rules for outgoing traffic
pass out all keep state
# Rules for ingoing traffic
# - allow necessary protocols
pass in inet proto {udp, tcp} from any to $HOSTv4 port $MANDATORY_SERVICES keep state \
    (max-src-conn 15, max-src-conn-rate 3/1, overload <SERVICES_SPAMMERS> flush global)
pass in inet6 proto {udp, tcp} from any to any port $MANDATORY_SERVICES keep state \
    (max-src-conn 15, max-src-conn-rate 3/1, overload <SERVICES_SPAMMERS> flush global)
# - allow incoming traffic to services hosted in jails
pass in inet proto tcp from any to $NFS_SERVER port $NFS_SERVICES keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <NFS_SPAMMERS> flush global)
pass in inet6 proto tcp from any to $NFS_SERVER6 port $NFS_SERVICES keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <NFS_SPAMMERS> flush global)
pass in proto {udp, tcp} from any to $WEB_SERVER port $WEB_SERVICES keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <WEBSERVER_SPAMMERS> flush global)
pass in inet6 proto {udp, tcp} from any to $WEB_SERVER6 port $WEB_SERVICES keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <WEBSERVER_SPAMMERS> flush global)
# Allow ICMP
pass inet proto icmp icmp-type $ICMP4_TYPES
pass inet6 proto icmp6 icmp6-type $ICMP6_TYPES
# Allow all outgoing traffic
pass out quick on $EXTERNAL_INTERFACE
 
(To preserve a little confidentiality, I use xxxx:yyyy:zzzz in the public addresses)
That's fine. Just need to see your rules.

Code:
rdr on $EXTERNAL_INTERFACE inet6 proto {udp, tcp} from any to $HOSTv6 port $NFS_SERVICES -> $NFS_SERVER6
No need for NAT here. Your $NFS_SERVER6 is a global IPv6 address, so it's directly accessible. One of the major points of IPv6 is to stop the NAT kludges.
 
A remark: for an independent reason, the host needs access to an NFS resource (managed by the NFS jail).
It is done (in /etc/jail.conf) by a
Code:
exec.poststart "mount -o nfsv4 192.168.1.101:/share ...";
), a command that of course works.
 
Contrary to what I said earlier, I have another concern.
With the command (from a Debian machine in the same LAN)
Code:
mount -v -t nfs -o vers=4.2 [fe80::36:73ff:feef:580b%enp1s0]:/share /mnt/tmp
, the connection is apparently made, but:
Code:
ls -al /mnt/tmp
gives
Code:
ls: lecture du répertoire '/mnt/tmp': Erreur d'entrée/sortie
total 0
!
In English : read directory '/mnt/tmp': input/output error
 
The difference here is that a packet filter like PF (or any of the other firewalls), only act on layer 3 (IP). They translate the (destination) IP address to another address and forward the packet (this is what PF's rdr does). A proxy receives a full connection and will create a new connection to the backend. More or less like a "man-in-the-middle". That allows you to make decisions based on layer 7 information, like the host header of HTTP.
I am rereading your explanation above and I am thinking...
PF's rdr serves its purpose if and only if all the packets exchanged between the caller and callee are requests (from caller to callee) and replies (from callee to caller). Otherwise the path (from callee to caller) is perhaps undefined. Isn't this what happens in my case?
Clearly: is the address translation completely done in IPv4, but not in IPv6?
 
If you use a reverse proxy on the host (nginx, haproxy, etc) then you don't need to rdr anything. The incoming connection is terminated on the host, the reverse proxy creates a new connection to the backend servers. Your backend webservers will only see the requests coming from the host. In that case you don't need to mangle the source or destination addresses of a packet (which is basically what NAT does).

If your backends (jails or actual separate hosts) have a global IPv6 address you don't need to translate anything, those addresses only need to be correctly routed.
 
I'm laughing (a little) uneasily at your guess! I use nginx for the web server in the second jail. In fact, I've only just installed it: it's not working yet.
I don't doubt that a solution with a reverse proxy (but a question: in the host or in a jail?) solves the problem of access in IPv6.
How complex is it to configure this program, which will only serve as an intermediate stage?

But... it's a workaround. The basic question is: why can't I build my solution? Namely a host (empty, with SSH only, no GUI), 2 jails (1 for NFS, 1 for nginx) strictly secured (by ZFS). Apart from nginx, everything is pure FreeBSD (and mostly runs in kernel space).
Are you sure that rdr really fulfils its function in IPv6?

On the other hand, NAT is not a problem for me since the jails have to receive (and respond) and not send (to outside).
 
If your backends (jails or actual separate hosts) have a global IPv6 address you don't need to translate anything, those addresses only need to be correctly routed.
I don't see how 2 jails can share the same global address. So for my configuration, I need 3 global addresses: 1 for SSH, 1 for NFS and 1 for nginx, knowing that the last is really public whereas the first 2 are reserved to some persons for special actions.
 
The reverse proxy is A solution. It is what I use on my VPS. I only have 1 IP address there, but still wanted to split different web applications into separate jails. Let's see if we can fix your current setup.

Remove these:
Code:
### NAT and redirection for incoming calls (from internet)
nat pass on $EXTERNAL_INTERFACE from $PRIVATE_ADDRESSES to any -> ($EXTERNAL_INTERFACE)
# rdr on $EXTERNAL_INTERFACE proto {udp, tcp} from any to any port $MANDATORY_SERVICES -> $HOSTv4
# rdr on $EXTERNAL_INTERFACE inet6 proto {udp, tcp} from any to any port $MANDATORY_SERVICES -> $HOSTv6
rdr on $EXTERNAL_INTERFACE inet proto {udp, tcp} from any to $HOSTv4 port $NFS_SERVICES -> $NFS_SERVER
rdr on $EXTERNAL_INTERFACE inet6 proto {udp, tcp} from any to $HOSTv6 port $NFS_SERVICES -> $NFS_SERVER6
rdr on $EXTERNAL_INTERFACE inet proto {udp, tcp} from any to $HOSTv4 port $WEB_SERVICES -> $WEB_SERVER
rdr on $EXTERNAL_INTERFACE inet6 proto {udp, tcp} from any to $HOSTv6 port $WEB_SERVICES -> $WEB_SERVER6
There's no need for any NAT trickery, your jails are bridged (layer 2 connection). So they "live" on the same network as your re0 interface. And simply mount the NFS share or access to the website on their assigned IPv4 or IPv6 address.

So for my configuration, I need 3 global addresses: 1 for SSH, 1 for NFS and 1 for nginx, knowing that the last is really public whereas the first 2 are reserved to some persons for special actions.
Yes. And that's fine. All have a unique address (both IPv4 and IPv6) so there's really no need for any NAT trickery here. Treat a jail (or VM; same deal) as a separate computer on the network. Each computer on the network has a unique IP address. Having a host with 2 jails is no different from having 3 separate hosts.
 
Well: I will take your advice and remove all redirections.
Consequences:
  1. Each function needs a global IPv6 address: 1 for SSH, 1 for NFS and 1 for nginx (knowing that only the last is really public)
  2. These 3 addresses must be declared somewhere at an internet provider under symbolic names (until now, I have only 1)
  3. From outside (off the LAN containing the host), the only access is via IPv6 unless a 'symbolic addresses <-> IPv4 addresses' routing is redefined (in the host or an external box)
  4. From inside, IPv4 can eventually be used via a local DNS or definitions in /etc/hosts
Have I understood everything correctly?

I'm having a little difficulty: if I move my machine to another place (another internet provider), I have to change my 3 addresses (which are determined by the provider...)
 
1) similar to the IPv4 addresses, they need to have a unique IPv6 address in the same range as the rest of your LAN.
2) you're talking about DNS here. It really depends, you might already have a DNS server on the LAN? For internal use that's fine.
3) Access will need to be arranged on the edge router/firewall. By LAN do you mean the internal network? Because I fear you're not quite grasping what a LAN is.
4) Same thing can be done with IPv6. Same file and/or DNS server.
 