# Jails, IPv6 and port blocking



## Moviuro (Aug 13, 2015)

Hi all,
So this time, I'll expose the whole issue with my setup (a bit tricky, so sit back).
I have a server that sits in an OVH datacenter (kimsufi) and that has one IPv4 address and an IPv6 /64 (which is pretty terrible, I know it). So, I sign up for a free IPv6 tunnel at HurricaneElectric and get an IPv6 /48. Yay!
However, bad news: this IPv6 tunnel blocks all IRC ports (in order to stall bots requesting tunnels and abusing IRC servers). So my idea is: create a jail for irc/znc that will connect to freenode using one address provided by OVH and perhaps listen on one address provided by HE.
Here is my server setup:

I use pf to do the firewalling
I'd like my ZNC jail to use one or both of the following two addresses:
2001:41d0:e:10a7::7a:6e63

2001:470:7a83:6f74::7a:6e63

I use loopback interfaces for my jails. Namely, the IPv6 addresses provided by HE go there. I give one IPv4 and one IPv6 to my jails, in general
```
lo3: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 10.10.30.1 netmask 0xffffff00
        inet6 2001:470:7a83:6f74::1 prefixlen 64 # the first two are aliases for the server
        inet 10.10.30.19 netmask 0xffffff00
        inet6 2001:470:7a83:6f74:0:73:616d:6261 prefixlen 64 # one jail
        inet 10.10.30.12 netmask 0xffffff00
        inet6 2001:470:7a83:6f74:0:6261:636b:7570 prefixlen 64 # an other one
        inet 10.10.30.77 netmask 0xffffff00
        inet6 2001:470:7a83:6f74:7465:7272:6172:6961 prefixlen 64 # an other one
        inet6 2001:470:7a83:6f74::7a:6e63 prefixlen 64 # This is the ZNC jail's address
        inet 10.10.30.18 netmask 0xffffff00
        inet6 2001:470:7a83:6f74:7379:6e63:7468:696e prefixlen 64 # ...
        inet 10.10.30.5 netmask 0xffffff00
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```


```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether ec:a8:6b:f1:c8:a3
        inet 151.80.YY.XX netmask 0xffffff00 broadcast 151.80.YY.XX
        inet6 fe80::eea8:6bff:fef1:c8a3%em0 prefixlen 64 scopeid 0x1
        inet6 2001:41d0:e:10a7::1 prefixlen 64 # OVH supplied address
        inet6 2001:41d0:e:10a7::7a:6e63 prefixlen 64 # ZNC
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

OVH IPv6 setup sucks, so I don't know what the real address of my OVH GW is:
2001:41d0:e:10ff:ff:ff:ff:ff (note that it is not in my /64)
fe80::1ee6:c7ff:fe52:740%em0

I hope I gave all relevant information. I have no preference for anything (I just want my jail to work and allow clients to connect to ZNC), so suggest anything that might work!

At the moment, I have my ZNC jail successfully connecting to freenode using its OVH address. However, my clients can't connect to ZNC using any of its 2 IPv6 addresses: I'm _positive_ it is not a firewalling issue: pflog0 stays quiet when trying to connect...
Here are the routing tables:
```
Routing tables

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
default                           2001:470:1f14:d41::1          UGS        gif0
::1                               link#2                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2001:470:1f14:d41::1              link#6                        UH         gif0
2001:470:1f14:d41::2              link#6                        UHS         lo0
2001:470:7a83:6261::/64           link#4                        U           lo2
2001:470:7a83:6261::1             link#4                        UHS         lo0
2001:470:7a83:6f74::/64           link#5                        U           lo3
2001:470:7a83:6f74::1             link#5                        UHS         lo0
2001:470:7a83:6f74::7a:6e63       link#5                        UHS         lo0
2001:470:7a83:6f74:0:73:616d:6261 link#5                        UHS         lo0
2001:470:7a83:6f74:0:6261:636b:7570 link#5                        UHS         lo0
2001:470:7a83:6f74:7379:6e63:7468:696e link#5                        UHS         lo0
2001:470:7a83:6f74:7465:7272:6172:6961 link#5                        UHS         lo0
2001:470:7a83:7670::/64           link#8                        U          tun0
2001:470:7a83:7670::1             link#8                        UHS         lo0
2001:470:7a83:7765::/64           link#3                        U           lo1
2001:470:7a83:7765::1             link#3                        UHS         lo0
2001:470:7a83:7765:706f:7068:6f62:65 link#3                        UHS         lo0
2001:470:7a83:dead::/64           tun0                          US         tun0
2001:41d0:e:10a7::/64             link#1                        U           em0
2001:41d0:e:10a7::1               link#1                        UHS         lo0
2001:41d0:e:10a7::7a:6e63         link#1                        UHS         lo0
2001:41d0:e:10ff:ff:ff:ff:ff      ec:a8:6b:f1:c8:a3             UHS         em0
fe80::/10                         ::1                           UGRS        lo0
fe80::%em0/64                     link#1                        U           em0
fe80::eea8:6bff:fef1:c8a3%em0     link#1                        UHS         lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
fe80::%gif0/64                    link#6                        U          gif0
fe80::eea8:6bff:fef1:c8a3%gif0    link#6                        UHS         lo0
fe80::%tun0/64                    link#8                        U          tun0
fe80::eea8:6bff:fef1:c8a3%tun0    link#8                        UHS         lo0
ff01::%em0/32                     fe80::eea8:6bff:fef1:c8a3%em0 U           em0
ff01::%lo0/32                     ::1                           U           lo0
ff01::%lo1/32                     2001:470:7a83:7765::1         U           lo1
ff01::%lo2/32                     2001:470:7a83:6261::1         U           lo2
ff01::%lo3/32                     2001:470:7a83:6f74::1         U           lo3
ff01::%gif0/32                    2001:470:1f14:d41::2          U          gif0
ff01::%tun0/32                    fe80::eea8:6bff:fef1:c8a3%tun0 U          tun0
ff02::/16                         ::1                           UGRS        lo0
ff02::%em0/32                     fe80::eea8:6bff:fef1:c8a3%em0 U           em0
ff02::%lo0/32                     ::1                           U           lo0
ff02::%lo1/32                     2001:470:7a83:7765::1         U           lo1
ff02::%lo2/32                     2001:470:7a83:6261::1         U           lo2
ff02::%lo3/32                     2001:470:7a83:6f74::1         U           lo3
ff02::%gif0/32                    2001:470:1f14:d41::2          U          gif0
ff02::%tun0/32                    fe80::eea8:6bff:fef1:c8a3%tun0 U          tun0
```
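When a jail's address is on a loopback interface while the provider's /64 is on em0 or gif0, the first thing to establish is which route (and therefore which interface) the kernel picks for a given destination. The following is an added example, not code from the original post: a small Python reader for the `netstat -rn` Internet6 table above that performs the same longest-prefix match the kernel does. The embedded sample is a hand-picked subset of the routes shown in the post; the function names are invented for this illustration.

```python
import ipaddress
import re

# Constructed sample: a subset of the Internet6 routing table posted above.
SAMPLE_ROUTES = """\
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
default                           2001:470:1f14:d41::1          UGS        gif0
2001:470:7a83:6f74::/64           link#5                        U           lo3
2001:470:7a83:6f74::1             link#5                        UHS         lo0
2001:470:7a83:6f74::7a:6e63       link#5                        UHS         lo0
2001:41d0:e:10a7::/64             link#1                        U           em0
2001:41d0:e:10a7::7a:6e63         link#1                        UHS         lo0
2001:41d0:e:10ff:ff:ff:ff:ff      ec:a8:6b:f1:c8:a3             UHS         em0
fe80::/10                         ::1                           UGRS        lo0
fe80::%em0/64                     link#1                        U           em0
"""


def parse_routes(text):
    """Parse netstat -rn Internet6 output into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # skip the header and anything that is not a route line
        dest, gateway, flags, netif = parts[0], parts[1], parts[2], parts[3]
        if dest == "default":
            net = ipaddress.IPv6Network("::/0")
        else:
            # Drop the zone id (fe80::%em0/64 -> fe80::/64); a bare address
            # such as 2001:41d0:e:10a7::1 becomes a /128 host route.
            dest = re.sub(r"%[^/]+", "", dest)
            net = ipaddress.IPv6Network(dest, strict=False)
        routes.append((net, gateway, flags, netif))
    return routes


def lookup(addr, routes):
    """Return the most specific matching route for addr (longest-prefix match)."""
    target = ipaddress.IPv6Address(addr)
    best = None
    for net, gateway, flags, netif in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, netif)
    return best


def egress_interface(addr, routes):
    """Interface the kernel would use for addr, or None if nothing matches."""
    route = lookup(addr, routes)
    return route[3] if route else None


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for a in ("2001:41d0:e:10a7::7a:6e63",   # ZNC's OVH address: a local host route on lo0
              "2001:41d0:e:10a7::42",        # another address in the OVH /64: on-link via em0
              "2001:41d0:e:10ff:ff:ff:ff:ff",  # OVH gateway candidate: host route on em0
              "2001:db8::1"):                # anything else: default route via the HE tunnel
        net, gw, flags, netif = lookup(a, table)
        print(f"{a:32} -> {str(net):32} {flags:5} {netif}")
```

Running it shows that both jail addresses resolve to `UHS` host routes on `lo0`, which is expected for locally configured addresses; what it does not show is the return path, so the next check on a box like this one is `tcpdump -ni em0 'ip6 and port 6697'` (or the tunnel interface) to confirm that client packets arrive at all before blaming the jail.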


----------



## SirDice (Aug 13, 2015)

Just use the /64 you already had. It may be just a "/64", but that's still way more addresses than you could possibly use.


----------



## Moviuro (Aug 13, 2015)

SirDice said:


> Just use the /64 you already had. It may be just a "/64", but that's still way more addresses than you could possibly use.


So I could put my jails in the /64 and keep the same addressing scheme? (say, first 80 bits fixed on each loopback interface lo1, lo2, lo3)

However, I do need the /48 because this server is also my default IPv6 router for my VPN and the IPv6 LAN that sits behind one VPN client, and the remote LAN requires a /64 to properly work (SLAAC).


----------

