# How can I assign an IPv6 address to a jail on a cloned interface?



## japoc (Jun 18, 2019)

Hello,

I have some jails on my FreeBSD host. They have IPv4 addresses on a cloned interface lo2 I created. None of the jails has an ip address on the external interface of the host. They only use the cloned interface lo2 and I configured my pf firewall so that the host acts as a router and does NAT so that the jails can access the internet.

This is working, but now I'd like the jails to be able to access the IPv6 internet. I'd like that the jails don't face the internet directly, so that the host can decide which port to open and/or redirect to each jail.
Unfortunately I don't know how IPv6 is supposed to be configured. For example, I don't know what kind of IPv6 address I can assign to the lo2 interface, or to my jails and how to do that so this network of jails remains local.

Could you help me achieve this? Any help or pointer in the right direction would be appreciated.

I add the /etc/jail.conf and the /etc/rc.conf of the host below.


/etc/jail.conf

```
myjail {
    host.hostname = myjail;
    interface = lo2;
    ip4.addr = 10.240.0.3;
}
myotherjail {
    host.hostname = myotherjail;
    interface = lo2;
    ip4.addr = 10.240.0.4;
}
yetanotherjail {
    host.hostname = yetanotherjail;
    interface = lo2;
    ip4.addr = 10.240.0.5;
}
```

/etc/rc.conf

```
zfs_enable="YES"
### Added by OVH - block start
# Network configuration (IPv4)
ifconfig_em0="inet 111.222.3.4 netmask 255.255.255.0 broadcast 111.222.3.255"
defaultrouter="111.222.3.254"

# Network configuration (IPv6)
ifconfig_em0_ipv6="inet6 2001:xxxx:xxxx:xxxx::1 prefixlen 128 accept_rtadv no_radr"
ipv6_network_interfaces="em0"
ipv6_default_interface="em0"
ipv6_defaultrouter="2001:xxxx:xxxx:xxxx:ff:ff:ff:ff"
ipv6_route_ovhgw="2001:xxxx:xxxx:xxxx:ff:ff:ff:ff -prefixlen 128 -interface em0"
ipv6_static_routes="ovhgw"

# Various options
dumpdev="AUTO"
clear_tmp_enable="YES"
accounting_enable="YES"

# Daemons
ntpd_enable="YES"
sshd_enable="YES"
local_unbound_enable="YES"
### Added by OVH - block end
hostname="xxxxxxxxxxxxxx.eu"
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.conf"
ip6addrctl_policy="ipv4_prefer"
cloned_interfaces="lo2"
ifconfig_lo2="inet 10.240.0.1 netmask 255.240.0.0"
jail_enable="YES"
```


----------



## SirDice (Jun 18, 2019)

japoc said:


> Could you help me achieve this? Any help or pointer in the right direction would be appreciated.




```
ip6.addr, ip6.saddrsel, ip6
             A set of IPv6 options for the jail, the counterparts to ip4.addr,
             ip4.saddrsel and ip4 above.
```
See jail(8).



japoc said:


> For example, I don't know what kind of IPv6 address I can assign to the lo2 interface, or to my jails and how to do that so this network of jails remains local.








						Link-local address - Wikipedia
					






					en.wikipedia.org


----------



## japoc (Jun 18, 2019)

Thanks, actually, I had seen this, but what kind of value can I put in there? I don't know what would be a valid value for the ip6.addr field.
Edit: you edited your message and this wikipedia link might have the answer. I'm going to read it.


----------



## jasonvp (Jun 18, 2019)

japoc said:


> Thanks, actually, I had seen this, but what kind of value can I put in there? I don't know what would be a valid value for the ip6.addr field.



The IPv6 address that you want assigned to the jail.  Just like you do with the IPv4 line.


```
jail {
           ip6.addr = "<IPv6 address>/128";
}
```


----------



## SirDice (Jun 18, 2019)

Usually IPv6 link-local addresses are generated automatically. But you could also use "normal" IPv6 global addresses. The firewall on the host can easily be configured to block incoming direct access while still allowing outgoing traffic. I assume you have a firewall running anyway, as you need to do some NAT for the jail's outgoing IPv4 traffic.


----------



## japoc (Jun 18, 2019)

Thanks guys.
I'm reinstalling a test server now. What I'm planning to do when the server is ready is to add the lines:


```
ifconfig_lo2_ipv6="inet6 fe80::aaaa:aaaa:aaaa:aaaa prefixlen 128"
```

to the /etc/rc.conf. I mean, litterally adding those 16 'a's since it's my understanding that I can choose any value for the 64 last bits of the address of the interface (or would that break some established convention?). Also there is no way to distinguish between distinct local networks, right?

And in /etc/jail.conf I would add

```
myjail {
    ...
    ip6.addr: fe80::aaaa:aaaa:aaaa:aaab/128;
}

myotherjail {
    ...
    ip6.addr: fe80::aaaa:aaaa:aaaa:aaac/128;
}

...
```

Would that work? Is this the good way of doing this?


----------



## japoc (Jun 18, 2019)

Actually I think I'm going to use "local ipv6 unicast addresses" described here: https://tools.ietf.org/html/rfc4193.html
This seems to be the best choice. You can have a subnet of addresses that are not supposed to be routable on the internet.


----------



## SirDice (Jun 19, 2019)

With jails there's no  need to create the aliases on the interfaces beforehand. If configured correctly in jail.conf the IP addresses (both IPv4 and IPv6) will be added when the jail is started and removed when the jail is stopped.


----------



## japoc (Jun 19, 2019)

I'm starting to understand more about IPv6. I understand that it's going to be very impractical for my use.
For example, how would I redirect port 80 to a particular jail, port 800 to another jail, and say, listen to port 900 directly on the host? In IPv4 that's easy, I can do:


```
rdr pass on <ext_if> inet proto <proto> from any to (<ext_if>) port <host_port> -> <jail_ip4> port <jail_port>
```

Once I have an IP for my server I don't have to deal with with IP addresses or DNS records anymore in the web interface of OVH.
Now with IPv6? Each jail has its IPv6 and you can't redirect the traffic to it transparently.
That's very inconvenient if I can't have a host running a network of jails on the inside and looking like a single machine from the outside.


----------



## japoc (Jun 19, 2019)

Plus I don't think OVH assigned me a pool of IPs for that server to use. I just have one IPv4 address and one IPv6 address. If I want some jail to be able to listen to a port on the public internet, how am I supposed to do that? I can't just make up IPv6 addresses like that and set them as AAAA records for my domains.


----------

