IPv6 only Jails cannot connect to the outside world

Niklaas Baudet von Gersdorff niklaas at kulturflatrate.net
Sun Oct 4 22:59:18 UTC 2015


I successfully run a server with several jails configured with ezjail.
Normally, each jail gets a private IPv4 on lo1 and another public IPv6
on re0, i.e. the external interface. These jails can connect to the
outside world perfectly:

> $ telnet -4 google.com 80
> Trying
> Connected to google.com.
> Escape character is '^]'.

> $ telnet -6 google.com 80
> Trying 2a00:1450:4001:80c::100e...
> Connected to google.com.
> Escape character is '^]'.

Today I created a jail that only has an IPv6. This jail cannot connect:

> root@ipv6only:~ # telnet google.com 80
> google.com: hostname nor servname provided, or not known

I don't know why. It has a public IPv6 registered on re0.

I use pf as firewall. What I realised is that, if I turn off the
following nat rule, those jails that have both IPv4 and IPv6 also cannot
connect via either IPv4 or IPv6.

> nat on $ext_if from ( $jail_net ) to any -> $ext_if

I would understand if they weren't able to connect via IPv4 anymore
(because their private IPv4 aren't translated on the $ext_if) but I do
not understand why IPv6 doesn't work on these jails then too. It seems
as if my IPv6 connectivity only works if IPv4 connectivity is guaranteed
since IPv6 once also worked as shown above?!

Of course, in my pf.conf I have

> pass out on $ext_if proto { tcp udp } from ( $ext_net ) to any port { ssh domain http https }

to allow outgoing traffic from any jail with a public IP registered at
the external interface.

On the jails' host I have

> gateway_enable="YES"
> ipv6_gateway_enable="YES"

Do I have to set something specifically in the jails so that they connect
over IPv6 through the host?

I assume it's difficult to help me on this because I haven't stated my
entire network (especially my firewall) setup yet. Nevertheless, I run
into the same problem even with the firewall disabled. Thus, I guess
it's rather a necessary step I missed when configuring an ezjail with
IPv6 only.

I would very much appreciate it if someone can point me in a possible
direction worth investigating. Key question: How to configure a jail
with ezjail that only has an IPv6? I already spent days trying different
configurations etc.

