Date: Tue, 7 Aug 2018 00:28:38 +0100
From: Shamim Shahriar <shamim.shahriar@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Jails - IPv4 and IPv6
Message-ID: <b0a0efbd-ae69-bacd-127b-66801a466713@gmail.com>
In-Reply-To: <5B6895CB.1070004@gmail.com>
References: <A7BCF1EF-7E21-4009-8C70-CA13F68B81FF@lists.vlassakakis.de> <5B6895CB.1070004@gmail.com>
On 06/08/2018 19:39, Ernie Luzar wrote:
> Philipp Vlassakakis wrote:
>> Hello, everybody,
>>
>> does anyone use IPv4 and IPv6 in production jails and can provide
>> feedback about the configuration and stability of VIMAGE/VNET in
>> FreeBSD 11.2?
>>
>> Currently I only use IPv4 in my jails (via NAT) and would like to
>> switch to VIMAGE and roll out IPv6.
>> How do you use IPv4 and IPv6 with jails?
>>
>> Thanks and greetings
>> Philipp
>>
>
> I use VIMAGE/VNET jails with IPv4 & IPv6 addresses for public access.
> VIMAGE/VNET has been stable but only supports the ipfw firewall, which
> includes a bug where all the VNET jails' IPFW firewall log files write
> to the host's IPFW firewall log, intermingling the log records. I use
> qjail to create and manage my VIMAGE/VNET jails.
>

Hi Ernie

Not sure what your setup is like, but I manage the firewall for all my jails from the host itself -- i.e., the main host.

I have all the epair devices created from the main host, along with a bridge device, and initially add only the main interface to the bridge0:

    cloned_interfaces="bridge0 epair0 epair1 epair2 epair3 " # List of cloned network interfaces to create.
    ifconfig_bridge0="addm bge0 up"

Then come the jails, where each jail is attached to one of the epair devices via /etc/jail.conf, and each epair gets an IPv4 address from there as well. When the jail starts up, the jail adds the IPv6 address via its own rc.conf:

    ifconfig_epair3b_ipv6="inet6 aaaa:bbbb:cccc:def0::4:2 prefixlen 64"
    ipv6_defaultrouter="aaaa:bbbb:cccc:def0::1"

so the IPv6 gets set on the epair device when the jail starts, and all the firewalling is done from the main host itself -- NOT the individual jails. In my mind, having the firewall at the main host made sense to start with -- so I do not need to manage N number of firewalls on individual jails and use up all the resources for all the large tables (bogons, for example).

So I used pf from the main host, and so far it seems to have held things together pretty well. I do not use any additional layer to create the jails -- they are created on the base without qjail, iocage or any other layer in-between.

Hope this helps.

Best regards
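A host-side pf.conf for the layout Shamim describes (one bridge, the host-side ends of the jail epairs, one shared bogons table, IPv4 and IPv6 on the jails), added here as an illustration and not the poster's actual configuration. The interface names, the 192.0.2.0/24 and aaaa:bbbb:cccc:def0::/64 addresses, the published ports and the bogons file path are assumptions.

```pf
# /etc/pf.conf on the jail host: constructed example, not the original
# poster's configuration. Interface names, addresses, ports and the
# bogons file path are assumptions; adjust them to the real layout.
ext_if   = "bge0"
jail_ifs = "{ epair0a epair1a epair2a epair3a }"   # host-side ends of the jail epairs

# Addresses the jails actually own (IPv4 from jail.conf, IPv6 from each
# jail's rc.conf). 192.0.2.0/24 is a documentation prefix used as a placeholder.
table <jails> const { 192.0.2.10 192.0.2.11 192.0.2.12 192.0.2.13 \
                      aaaa:bbbb:cccc:def0::1:2 aaaa:bbbb:cccc:def0::2:2 \
                      aaaa:bbbb:cccc:def0::3:2 aaaa:bbbb:cccc:def0::4:2 }

# One shared bogons table (v4 and v6 prefixes) instead of a copy in every jail.
table <bogons> persist file "/usr/local/etc/pf/bogons.txt"

set skip on lo0
set block-policy drop

# Drop bogon sources, and outside packets that claim a jail address, before
# any state lookup.
block in quick on $ext_if from <bogons> to any
block in quick on $ext_if from <jails> to any

# Default deny, logged; everything below is an explicit exception.
block log all

# Neighbour discovery must pass or the jails lose their IPv6 default
# router; only the ICMPv6 types that are needed are allowed through.
pass quick inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, \
    routersol, routeradv, echoreq, echorep, unreach, toobig, timex, paramprob }
pass quick inet proto icmp all icmp-type { echoreq, unreach }

# Jails may never reach the host's own management SSH, whatever else passes.
block in quick on $jail_ifs proto tcp from <jails> to self port 22

# The host's own traffic (management, updates) is out of scope here; one
# permissive rule keeps the example short.
pass out quick on $ext_if from self to any keep state

# Inbound from the Internet to published jail services. State is floating
# (the pf default), so the same packet leaving the bridge on epairNa matches
# the state created here on $ext_if instead of hitting the default block.
pass in on $ext_if proto tcp from any to <jails> port { 80 443 } \
    flags S/SA keep state

# Outbound from the jails: the source must be an address in <jails>, so a
# compromised jail cannot spoof other sources through the bridge.
# Jail-to-jail traffic also enters here (in on one epair, out on another).
pass in on $jail_ifs from <jails> to any keep state
```

pf on the host only sees bridged jail traffic on the epair*a members when net.link.bridge.pfil_member is set to 1; check sysctl net.link.bridge before relying on these rules.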