Anybody here got mad skills with pf, NAT and IPv6 on ?

I have my jails on an extra loopback device (lo1) and have rules like this in my pf.conf to get traffic to them:

rdr pass on $ext_if proto tcp to port 80 -> 10.101.1.2 port 80

This is what I suspect to be the cause behind the jails not being reachable over IPv6.

First of all – is that really the case?

And secondly, how do I add IPv6 support to that?

10.101.1.0/24 being the subnet used for the jails on lo1 in case that wasn't clear.

I already tried adding the same rule with an IPv6 address, but that doesn't fix my issue:

rdr pass on $ext_if proto tcp to port 80 -> fe80::10.101.1.2%lo1 port 80

@phryk isn't tcp6 instead of tcp what you need? I don't have IPv6 anywhere, so I can't test it

@meka Weird. I thought the same but have no idea where I got that from because pfctl -nf /etc/pf.conf gave me a syntax error with that…

@meka Mhh, no syntax error, but no working NAT either, it seems…

@meka Oh, the jails don't even get v6 addresses assigned, even tho I specified ip6.addr… >:/

@meka On second try (after finally getting nmap going on a different host where I have working IPv6), I'm seeing that v6 NAT *does* work for SSH so I'm assuming this isn't the NAT after all but rather the nginx setup…

Thought it'd do v6 by default…

@meka Wait, I'm stupid, this is the host's ssh, got nothing to do with the jails. m)
