# Accessing a jail directly through IPv6; what am I overlookin



## ShelLuser (Sep 30, 2013)

Hi gang!

Now that I have most of my network migrated to FreeBSD I'm currently looking into securing and optimizing my network. In the mean time my hosting provider has launched a new private network feature. Meaning so much that you can hookup your VPS systems into a 'pool' after which they can communicate though internal channels. The best part is that this traffic isn't deducted from the monthly quota on data traffic, simply because you're not using public channels any more.

I'm using this setup to allow my servers to contact a backup VPS which I'm using to keep data "off server" (the next step is to copy the data off site).

And to secure things a little further I'm only allowing my servers to access the backup server through it's jail, this time actually called central.dogma (finally a cool and suitable name ).

Now, the IPv4 part was easy. I soon realized that the only reason I couldn't access my jail directly through the network was due to the netmask being set to 32 by default. Some people solve this by adding a new alias to the network device, I simply specified /24 as the netmask in /etc/jail.conf (and /etc/rc.conf). (note that this also doesn't require net.inet.ip.forwarding to be set).

So far so good. Basically I got all I need, but I want more 

IPv6 turned out to be a little harder.

As expected the netmask, or prefixlen, is set to 128 by default which isn't very useful. Because I'm using a private range (fc00) I've set the prefixlen to 7. But despite this setting it remains impossible for me to connect to the jail through IPv6.

I can rule out issues with the firewall and setting net.inet6.ip6.forwarding made no difference either.

I'm sure it's something I'm overlooking here. Question is what?

I am aware of the several tools available (sysutils/ezjail for example) which might be able to set all of this up automatically. That's not an option for me at this time. My goal isn't so much to get a working solution; I already have one when using IPv4.

I'm merely trying to understand why it doesn't work as I expected it.


----------



## SirDice (Sep 30, 2013)

Either use the global IPv6 addresses or use the link-local (fe80::) addresses.


----------



## kpa (Sep 30, 2013)

I think it's best to use 64 prefixlen for IPv6 addresses. The alias rule for IPv4 addresses where you have to use a /32 if the address is in an already existing subnet does not apply to IPv6 addresses.


----------



## ShelLuser (Oct 6, 2013)

A late response, but thanks for the input. As it turns out I was a bit too hasty with "the IPv4 part was easy" because although it was easy to set up it turns out that there are some caveats I need to solve first.

I'm leaving this issue open ("unsolved") for now because I can't be sure yet if its caused by my configuration or also related to my current timeout issues.


----------

