# ezjail; apache ; ipv4 and ipv6



## _martin (Mar 14, 2013)

Hi, 

I've Apache in jail configured with IPv4 and IPv6. My setup was OK for some time (year or so), but it's not working as expected after HW and OS upgrade (9.0 to 9.1). Using the same configuration as before the upgrade Apache is not responding to IPv6 queries. 

Jail's IPs are configured on custom loopback interface and NATed with PF. For the purpose of the troubleshooting IPv6 traffic is passed quick in the beginning of the filtering rules. 

Configuration on host:

```
PUB_IP        IPv4 of the host on egress interface
PUB_IP6       IPv6 of the host on egress interface
WWW_PUB_IP6   IPv6 in the jail
```

/etc/rc.conf:


```
ifconfig_lo252_alias1="inet 192.168.252.2 netmask 255.255.255.255"
ifconfig_lo666_ipv6="inet6 <WWW_PUB_IP6> prefixlen 64"
```

`# pfctl -snat`

```
nat pass on em0 inet from 192.168.252.0/24 to any -> PUB_IP
rdr pass on em0 inet proto tcp from any to PUB_IP port = http -> 192.168.252.2
rdr pass on em0 inet proto tcp from any to PUB_IP port = https -> 192.168.252.2
rdr pass on em0 inet6 proto tcp from any to PUB_IP6 port = http -> WWW_PUB_IP6
rdr pass on em0 inet6 proto tcp from any to PUB_IP6 port = https -> WWW_PUB_IP6
```

/etc/sysctl.conf:

```
security.jail.allow_raw_sockets=1
```

/usr/local/etc/ezjail/webserver:


```
export jail_webserver_ip="192.168.252.2,WWW_PUB_IP6"
```

$JAIL/httpd.conf:


```
Listen 192.168.252.2:80
Listen [WWW_PUB_IP6]:80
```

Local test (host) are OK - Apache is answering to IPv6 queries. I can't ping my IPv6 gateway from jail. 

This very setup worked prior to OS upgrade. OS was reinstalled from scratch. Some configuration files were merged (rc.conf, sysctl.conf, etc.), some were reapplied (httpd.conf). I was not able to find what I did wrong or differently as I had on 9.0-RELEASE. 

I'd expect problem is that I do rdr on IPv6 address but I don't NAT, so traffic can't go back from jail to outside of the network. But as this setup did work last time, I'm trying to figure out why.

I know putting WWW_PUB_IP6 on egress interface would solve this problem, but I'd like to keep any jail IPs on custom interface.

Thanks for hints.


----------



## SirDice (Mar 15, 2013)

Did you enable IPv6 routing?


```
ipv6_gateway_enable="YES"
```


----------



## _martin (Mar 15, 2013)

SirDice said:
			
		

> Did you enable IPv6 routing?
> 
> 
> ```
> ...



I didn't have this in my original /etc/rc.conf, nor any special settings in /etc/sysctl.conf. I think that toggle mainly enables route advertisement on the system. But I have (by default):

`# sysctl net.inet6.ip6.forwarding`

```
net.inet6.ip6.forwarding: 1
```


----------



## SirDice (Mar 15, 2013)

matoatlantis said:
			
		

> I think that toggle mainly enables route advertisement on the system.


No, it does not. It enables routing. Without it no traffic will pass from one interface to another.


----------



## _martin (Mar 15, 2013)

SirDice said:
			
		

> No, it does not. It enables routing. Without it no traffic will pass from one interface to another.



Ok, but still I've 


```
net.inet6.ip6.forwarding: 1
```

which is set by this toggle.


----------



## SirDice (Mar 15, 2013)

Both do the same thing but it's more common to set gateway_enable and/or ipv6_gateway_enable.


----------



## _martin (Mar 15, 2013)

SirDice said:
			
		

> Both do the same thing but it's more common to set gateway_enable and/or ipv6_gateway_enable.



Right, I agree. 

As you mentioned gateway_enable, I don't have this set in /etc/rc.conf either. Nor in /etc/sysctl.conf. On the system though (I've not set this manually): 

`# sysctl -A | grep -i "ip.*\.forw"`

```
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1
```

If I have to guess I'd say this was done by PF ; something I should verify.

But I still can't find what is wrong with my setup :/


----------



## SirDice (Mar 15, 2013)

matoatlantis said:
			
		

> If I have to guess I'd say this was done by PF ; something I should verify.


No, I'm sure it wasn't PF. Have a look in /etc/sysctl.conf, it's likely set there.


----------



## _martin (Mar 15, 2013)

SirDice said:
			
		

> No, I'm sure it wasn't PF. Have a look in /etc/sysctl.conf, it's likely set there.



Me neither. I do have IPv4 forwarding set in the file, not the IPv6. But as I did too many tests during this troubleshooting I must admit that I /most likely/ had to set it manually. But again, my setup is still not working :/


----------



## _martin (Mar 18, 2013)

I finally had some time and made a test in VMware using 9.0-RELEASE. It seems there was some regression in 9.1 causing this issue; my setup works on 9.0, but fails on 9.1. 

My assumption of NAT/redirect was not correct - once it's redirected state is kept and traffic will have a path from/to jail.

The only thread close to my issue I found is this mailing list.

I've never opened PR before; I'll try to reply to that mailing list first. I've posted this here just in case somebody else has this issue.


----------

