Jails - IPv4 and IPv6

Shamim Shahriar shamim.shahriar at gmail.com
Mon Aug 6 23:28:42 UTC 2018 

On 06/08/2018 19:39, Ernie Luzar wrote:
> Philipp Vlassakakis wrote:
>> Hello, everybody,
>>
>> does anyone use IPv4 and IPv6 in production jails and can provide 
>> feedback about the configuration and stability of VIMAGE/VNET in 
>> FreeBSD 11.2?
>>
>> Currently I only use IPv4 in my jails (via NAT) and would like to 
>> switch to VIMAGE and roll out IPv6.
>> How do you use IPv4 and IPv6 with jails?
>>
>> Thanks and greetings
>> Philipp
>>
>>
>
> I use VIMAGE/VNET jails with IPv4 & IPv6 addresses for public access. 
> VIMAGE/VNET has been stable but only supports ipfw firewall which 
> includes a bug where all the VNET jails IPFW firewalls log files write 
> to the hosts IPFW firewall log intermingling the log records. I use 
> qjail to create and manage my VIMAGE/VNET jails.
>

Hi Ernie

Not sure how is your setup like, but I manage firewall for all my jails 
from the host itself -- i.e., the main host

I have all the epair devices created from the main host, along with the 
a bridge device, and initially add only the main interface to the bridge0

cloned_interfaces="bridge0 epair0 epair1 epair2 epair3 "           # 
List of cloned network interfaces to create.
ifconfig_bridge0="addm bge0 up"

Then comes the jails, where each jail is attached to one of the epair 
device via the /etc/jail.conf, and each epair gets an IPv4 address from 
there as well. when the jail starts up, the jails add the IPv6 address 
via its own rc.conf

ifconfig_epair3b_ipv6="inet6 aaaa:bbbb:cccc:def0::4:2 prefixlen 64"
ipv6_defaultrouter="aaaa:bbbb:cccc:def0::1"

so the IPv6 gets set on the epair device when the jail starts

and all the firewalling is done from the main host itself -- NOT the 
individual jails. In my mind, having the firewall at the main host made 
sense to start with -- so I do not need to manage N number of firewalls 
on individual jails and using up all the resources for all the large 
tables (bogons, for example). So I used the pf from the main host, and 
so far it seems to have held things together pretty well.

I do not use any additional layer to create the jails -- they are 
created on the base without qjail, iocage or any other layer in-between.

Hope this helps.

Best regards

More information about the freebsd-questions mailing list