private jail network with packet forwarding and IPv6

Background

I host a FreeBSD jail host on Vultr, and everything has been working well for some time. Vultr gives me a single IPv4 address, which I attach to vtnet0. All of my jails connect to a bridge interface with its own private IP address (192.168.1.1/24). I use the Pf packet filter to NAT outbound traffic from my jails to the Internet and to redirect inbound traffic to the appropriate jail based on the destination port number.

Here is what it all looks like:
Code:
                                                  + webhost
+----------+     1.2.3.4 +------+ 192.168.1.1    /
| Internet | <--> vtnet0 | host | bridge0 <----> -+ mailhost
+----------+             +------+                \
                                                  + dns

Various guides suggest I could have added vtnet0 and all my public and private addresses to the bridge interface. I had trouble getting that to work, and in any case this configuration creates a nice separation between my public and private networks.

Problem

Now I would like to support IPv6, and am not certain how to best provide IPv6 connectivity to my jails. Vultr provides a single /64 subnet per server. If they provided something like a /48, then I would assign a /64 address on vtnet0 and a separate /64 on bridge0. Since there is only a single /64 to work with, I think I will need to adopt a less "clean" solution.

Which of these would be best, or is there something else I should be doing in this situation?

  1. Should I add vtnet0 to the existing bridge interface so that my host and all guests can connect over the /64? I tried to experiment with this, and have struggled to get it working correctly.
  2. Should I create a new /64 in the ULA address range (fd00::/8) for bridge0, and then use NPTv6 to translate addresses to the /64 range Vultr provides? I read that IPFW supports NPTv6. If that is true, then I would need to transition from using Pf to IPFW.
  3. Should I continue using the "bridge0" for IPv4 traffic, and create a separate bridge interface for IPv6 traffic? In this case I would connect vtnet0 to the new bridge and all guests. I like the way this would keep IPv4 and IPv6 traffic separated so I could experiment with one without disrupting the other.
  4. Does FreeBSD allow me to subdivide my /64 into smaller subnets? I know that most software out there assumes that IPv6 traffic uses /64 throughout. If FreeBSD is flexible in this regard, then I could perhaps assign separate /96 subnets to vtnet0 and bridge0, and then declare it to be /64 when it exits to the Internet.
 
Does FreeBSD allow me to subdivide my /64 into smaller subnets?
Yes. I went with /80 subnets in a similar scenario for quite some time. The only restriction I'm aware of is that you can't use SLAAC to auto-configure addresses, as this would require 64-bit host parts. But if you're fine with either completely manual configuration or using DHCPv6, I'd prefer this way.

That is, if you really can't obtain a /48 or at least /56 prefix from your provider.
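To make the /80 layout from the reply above concrete, here is an added example (not code from this thread or from either poster) that carves a provider /64 into two /80s, one for vtnet0 and one for bridge0, and renders the matching rc.conf, jail.conf and pf.conf fragments. Everything specific is an assumption: the prefix is the documentation prefix 2001:db8:1234:5678::/64, the upstream router is assumed to sit at fe80::1 on vtnet0, the MAC address and the per-jail port lists are placeholders. Two points a practitioner should check: with routed /80s there is no NAT, so every jail is directly reachable from the Internet and the pf ruleset must default-deny inbound IPv6; and if the provider treats the whole /64 as on-link (its router sends neighbor solicitations for each address rather than routing the /64 to the host), the host has to answer NDP for the jail addresses behind bridge0, which is what the `ndp -s ... proxy` lines are for.

```python
"""Split a provider /64 into /80s for vtnet0 and bridge0 and render the
FreeBSD configuration for that layout.

Added example, not code from the thread. Prefix, gateway, MAC and port lists
are constructed placeholders; replace them with the real values.
"""
import ipaddress
from itertools import islice

PROVIDER_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")  # constructed
UPSTREAM_GATEWAY = "fe80::1%vtnet0"   # assumption: provider router link-local
VTNET0_MAC = "52:54:00:12:34:56"      # placeholder: take it from `ifconfig vtnet0`
JAIL_PORTS = {"webhost": [80, 443], "mailhost": [25, 587], "dns": [53]}  # made up


def carve(prefix, new_prefixlen=80):
    """Return the first two /80s of the /64: vtnet0 gets subnet 0, bridge0
    subnet 1. Anything longer than /64 rules out SLAAC, because EUI-64
    interface identifiers need a 64-bit host part, so addresses below are
    assigned statically."""
    if prefix.prefixlen != 64 or not 64 < new_prefixlen < 128:
        raise ValueError("expected a /64 and a new prefix length longer than 64")
    first, second = islice(prefix.subnets(new_prefix=new_prefixlen), 2)
    return {"vtnet0": first, "bridge0": second}


def plan(prefix=PROVIDER_PREFIX):
    """Host takes ::1 in each /80; jails take ::a upward inside the bridge0 /80."""
    subs = carve(prefix)
    jails = {name: subs["bridge0"][10 + i] for i, name in enumerate(JAIL_PORTS)}
    return {
        "subnets": subs,
        "host": {"vtnet0": subs["vtnet0"][1], "bridge0": subs["bridge0"][1]},
        "jails": jails,
    }


def render_rc_conf(p):
    s = p["subnets"]
    return "\n".join([
        'ifconfig_vtnet0_ipv6="inet6 %s prefixlen %d"' % (p["host"]["vtnet0"], s["vtnet0"].prefixlen),
        'cloned_interfaces="bridge0"',
        'ifconfig_bridge0_ipv6="inet6 %s prefixlen %d"' % (p["host"]["bridge0"], s["bridge0"].prefixlen),
        'ipv6_defaultrouter="%s"' % UPSTREAM_GATEWAY,
        # turns on net.inet6.ip6.forwarding so the host routes bridge0 <-> vtnet0
        'ipv6_gateway_enable="YES"',
    ])


def render_jail_conf(p):
    """One stanza per jail using jail(8)'s interface|address/prefixlen form,
    which adds the alias to bridge0 when the jail starts."""
    plen = p["subnets"]["bridge0"].prefixlen
    return "\n".join(
        '%s {\n    ip6.addr = "bridge0|%s/%d";\n}' % (name, addr, plen)
        for name, addr in p["jails"].items()
    )


def render_pf_conf(p):
    """No NAT for IPv6: jails are globally reachable, so inbound is default-deny
    and only the listed ports per jail are opened. Neighbor discovery and router
    advertisements must be allowed or the host loses its upstream gateway."""
    lines = [
        'ext_if = "vtnet0"',
        'jail_net6 = "%s"' % p["subnets"]["bridge0"],
        "block in on $ext_if inet6",
        "pass in on $ext_if inet6 proto icmp6 all icmp6-type "
        "{ neighbrsol, neighbradv, routeradv, echoreq, toobig }",
        "pass out on $ext_if inet6 keep state",
    ]
    for name, addr in p["jails"].items():
        ports = ", ".join(str(x) for x in JAIL_PORTS[name])
        lines.append("pass in on $ext_if inet6 proto { tcp, udp } to %s port { %s } keep state"
                     % (addr, ports))
    return "\n".join(lines)


def render_ndp_proxy(p):
    """Needed only when the provider's router expects every address of the /64
    on-link: the host then answers neighbor solicitations for the jail
    addresses that actually live behind bridge0."""
    return "\n".join("ndp -s %s %s proxy" % (addr, VTNET0_MAC) for addr in p["jails"].values())


if __name__ == "__main__":
    p = plan()
    for title, text in [("rc.conf", render_rc_conf(p)), ("jail.conf", render_jail_conf(p)),
                        ("pf.conf", render_pf_conf(p)), ("ndp proxy", render_ndp_proxy(p))]:
        print("# %s\n%s\n" % (title, text))
```

Run it once to see the rendered fragments, then compare against what your provider actually does with the /64 (routed to the host, or on-link with per-address NDP) before deciding whether the proxy entries are needed.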
 