# VPS, PF, EzJail and public IPs



## jbo (Feb 9, 2016)

I am new to jails and I need some guidance getting the following scenario working:

I have a VPS running FreeBSD 10.2 64-Bit. That VPS has one public IPv4 and one public IPv6 address. I can get additional IPv4 addresses for $2 per month and additional IPv6 addresses for free. So of course I would like to use IPv6 in the following setup.

Right now the FreeBSD 10.2 installation on the VPS is working fine. It is running a PF firewall that blocks all incoming traffic besides SSH and HTTP and allows all outgoing traffic.

I want to create a jail using EzJail. In that jail I would like to run a webserver (Nginx, PHP-FPM, MySQL). Note that currently there's already an Nginx installation running on the host itself.

The first thing I did was get an additional free IPv6 address. Now `ifconfig` on the host shows multiple IPs (the IPv4 and the two IPv6 but on the same interface).
Then I created the jail using EzJail. In the configuration I use the newly acquired IPv6 address and assign it to the interface _em0_ of the jail.

Now, my question is: How do I configure my host (namely PF) to pass everything on that new IPv6 address to the jail so from the outside the jail behaves like a dedicated host?
Do I want to set up some NAT/PAT on the host that passes everything on that IPv6 to the jail and run a dedicated PF instance on the jail?
Also, the host is accessible via SSH using port 22. As I am having a second public IP I guess I can make the jail become accessible via SSH using port 22 too, is that correct?

I hope that somebody understood what I'd like to ask.


----------



## SirDice (Feb 10, 2016)

If you have multiple Internet IP addresses you can bind the jail to the external interface directly and assign it the 'extra' IP address. If you only have one Internet address you would need to create a local interface (lo1 is commonly used) with a local network and bind the jail to that. For the 'internal' case you'd need to set up NAT, for the 'external' case this isn't needed.


----------
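The two layouts SirDice describes, as an added host-side `/etc/pf.conf` example that is not part of the original thread. It assumes a jail that shares the host's network stack (no VNET), so the host's PF does the filtering; all addresses (documentation ranges), the lo1 network, and the port choices are constructed placeholders.

```pf
# /etc/pf.conf on the host (constructed example; every address is a placeholder)
ext_if   = "em0"
host_ip4 = "192.0.2.10"       # host's single public IPv4
host_ip6 = "2001:db8::10"     # host's own public IPv6
jail_ip6 = "2001:db8::20"     # extra public IPv6, aliased on em0 and bound to the jail
jail_net = "10.0.0.0/24"      # 'internal' case only: private network on lo1
jail_lo  = "10.0.0.2"         # 'internal' case only: jail address on lo1

set skip on lo0
scrub in all

# --- 'internal' case (jail on lo1, one public IPv4): NAT is required ---
# Outbound traffic from the jail leaves with the host's address.
nat on $ext_if inet from $jail_net to any -> $host_ip4
# Inbound: the host already uses port 80, so a different public port is forwarded.
rdr on $ext_if inet proto tcp from any to $host_ip4 port 8080 -> $jail_lo port 80

# --- filter rules ---
block in log all
pass out all keep state

# IPv6 neighbour discovery runs over ICMPv6; if it is blocked, neither the
# host's nor the jail's IPv6 address is reachable from the router.
pass quick inet6 proto ipv6-icmp all icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# Services on the host itself.
pass in on $ext_if inet  proto tcp to $host_ip4 port { 22, 80 }
pass in on $ext_if inet6 proto tcp to $host_ip6 port { 22, 80 }

# --- 'external' case (jail owns a public address): no NAT, only pass rules ---
# The jail gets its own SSH and HTTP on the usual ports because the
# destination address differs from the host's.
pass in on $ext_if inet6 proto tcp to $jail_ip6 port { 22, 80 }

# 'internal' case: rdr rewrites the destination before filtering, so the
# pass rule has to match the jail's private address.
pass in on $ext_if inet proto tcp to $jail_lo port 80
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading the ruleset with `pfctl -f /etc/pf.conf`.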



## jbo (Feb 10, 2016)

Thank you very much for your answer.
The problem I have is that all external IPs are listed on the same interface when executing `ifconfig` on the host. I always thought that each interface must have exactly one IP address, not more and not less? It looks like this:

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether xx:xx:xx:xx:xx:xx
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx%em0 prefixlen 64 scopeid 0x1
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf
        inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast 84.22.111.255
        inet6 xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx prefixlen 128
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
```

I am obviously not a networking guru.


----------



## SirDice (Feb 10, 2016)

joel.bodenmann said:


> I always thought that each interface must have exactly one IP address, not more and not less?


Nope, interfaces can have multiple IP addresses. These are called IP aliases.


----------



## jbo (Feb 10, 2016)

Ah, thanks for that clarification!

So now I have *em0* on my host with one IPv4 and two IPv6 addresses and I created the jail and assigned one of the IPv6 addresses to its interface also named *em0*. Executing `ifconfig` in the jail shows that there's just one IPv6 assigned to the *em0* interface so in my opinion so far everything seems to work. However, I can't access "the internet" from the jail. I know that pings won't work but even if I try to install a package it can't resolve the names.
Things I did/checked:

- IPv6 support is enabled on the host. This setting is in /etc/rc.conf on the host: `ifconfig_em0_ipv6="inet6 accept_rtadv"`.
- I double-checked that I assigned the correct IPv6 to the jail.
- I copied the content of /etc/resolv.conf from the host to the jail. However, the listed IP addresses for the nameservers are IPv4 addresses. Is this a problem since I am only using an IPv6 address in the jail?

Thank you for your help!


----------



## SirDice (Feb 10, 2016)

joel.bodenmann said:


> I copied the content of /etc/resolv.conf from the host to the jail. However, the listed IP addresses for the nameservers are IPv4 addresses. Is this a problem since I am only using an IPv6 address in the jail?


Yes. You only have IPv6 access on the jail so obviously you can't connect to an IPv4 address[*]. I'm sure your provider also has IPv6 DNS servers, set those in /etc/resolv.conf and things should start to work. 

[*] Strictly speaking this isn't true as there are ways to "map" IPv4 to IPv6. But for simplicity's sake it's safe to remember you can only connect IPv6 to IPv6 and IPv4 to IPv4.


----------



## jbo (Feb 10, 2016)

Thanks! I contacted the VPS hoster to ask for IPv6 addresses of their DNS servers. After all they claim to be fully IPv6 ready.

When you say that I should think of it that I can only connect IPv6 to IPv6 and IPv4 to IPv4... When I am running a web server on an IPv6, and I use an AAA record on my DNS (for IPv6), does this mean that when a client wants to browse the website all his infrastructure (including his personal computer) needs to be IPv6 compatible?


----------



## SirDice (Feb 10, 2016)

joel.bodenmann said:


> When you say that I should think of it that I can only connect IPv6 to IPv6 and IPv4 to IPv4... When I am running a web server on an IPv6, and I use an AAA record on my DNS (for IPv6), does this mean that when a client wants to browse the website all his infrastructure (including his personal computer) needs to be IPv6 compatible?


Yes, that's correct.


----------



## jbo (Feb 11, 2016)

Thank you very much for your kind help, Sir. Very much appreciated!


----------

