FreeNAS 11.1U4 & iocage : IPv6 not working

Status
Not open for further replies.

seedz

Dabbler
Joined
May 2, 2018
Messages
39
Hi !
I've been searching the forum and the internets for 3 days now without any success, so I'm opening this post.

I've been trying to set up IPv6 on my 11.1RELEASE iocage jails, but have failed.
The IPv6 addresses seem to work (they're here?), but if I ping or try to access the web server of the jail, it goes to the FreeNAS box: passthrough to the jail isn't there (?)
The same thing happens from across the internet, from another computer on my local network, or from the FreeNAS box itself (an ssh to the jail's IPv6 goes to the FreeNAS box).

my setup :
- on the freenas box
Code:
root@fnas:~ # ifconfig
nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=c2099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
		ether 00:24:1d:ea:fa:e6
		hwaddr 00:24:1d:ea:fa:e6
		inet 192.168.1.40 netmask 0xffffff00 broadcast 192.168.1.255
		inet 192.168.1.202 netmask 0xffffff00 broadcast 192.168.1.255
		inet6 fe80::224:1dff:feea:fae6%nfe0 prefixlen 64 scopeid 0x1
		inet6 XXXX:XXXX:XXXX:XX00:e8d2:56c8:846:1 prefixlen 56
		inet6 XXXX:XXXX:XXXX:XX00:e8d2:56c8:846:1000 prefixlen 56
		nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
		media: Ethernet autoselect (1000baseT <full-duplex>)
		status: active
nfe1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=c219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
		ether 00:24:1d:ea:fa:e7
		hwaddr 00:24:1d:ea:fa:e7
		inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
		nd6 options=9<PERFORMNUD,IFDISABLED>
		media: Ethernet autoselect (1000baseT <full-duplex>)
		status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
		options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
		inet6 ::1 prefixlen 128
		inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
		inet 127.0.0.1 netmask 0xff000000
		nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
		groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
		ether 02:df:85:dd:5a:00
		nd6 options=1<PERFORMNUD>
		groups: bridge
		id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
		maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
		root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
		member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
				ifmaxaddr 0 port 5 priority 128 path cost 2000
		member: nfe0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
				ifmaxaddr 0 port 1 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=8<VLAN_MTU>
		ether 02:79:90:00:05:0a
		hwaddr 02:79:90:00:05:0a
		nd6 options=1<PERFORMNUD>
		media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
		status: active
		groups: epair

root@fnas:~ # iocage get all NextCloud | grep ip
allow_sysvipc:0
ip4:new
ip4_addr:nfe0|192.168.1.202/24
ip4_saddrsel:1
ip6:new
ip6_addr:nfe0|XXXX:XXXX:XXXX:XX00:e8d2:56c8:846:1000/56
ip6_saddrsel:1
root@fnas:~ # iocage get all NextCloud | grep route
defaultrouter:none
defaultrouter6:none
root@fnas:~ # iocage get all NextCloud | grep vnet
interfaces:vnet0:bridge0
vnet:off
vnet0_mac:none
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_interfaces:none

The epair is for an old jail that I still have to migrate to iocage.


inside of the jail :
Code:
root@NextCloud:~ # cat /etc/rc.conf
host_hostname="NextCloud"
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# services
sshd_enable="YES"
apache24_enable="YES"
#redis_enable="YES"

# IPv6
ipv6_activate_all_interfaces="YES"
ifconfig_rl0_ipv6="inet6 accept_rtadv"
rtsold_enable="NO"
#rtsold_enable="YES"
ifconfig_nfe0_ipv6="XXXX:XXXX:XXX:XX00:e8d2:56c8:846:1000/56"
ipv6_defaultrouter="XXXX:XXXX:XXXX:XX00:e8d2:56c8:846:1"


root@NextCloud:~ # ifconfig
nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=c2099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
		ether 00:24:1d:ea:fa:e6
		hwaddr 00:24:1d:ea:fa:e6
		inet 192.168.1.202 netmask 0xffffff00 broadcast 192.168.1.255
		inet6 XXXX:XXXX:XXXX:XX00:e8d2:56c8:846:1000 prefixlen 56
		nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
		media: Ethernet autoselect (1000baseT <full-duplex>)
		status: active
nfe1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=c219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
		ether 00:24:1d:ea:fa:e7
		hwaddr 00:24:1d:ea:fa:e7
		nd6 options=9<PERFORMNUD,IFDISABLED>
		media: Ethernet autoselect (1000baseT <full-duplex>)
		status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
		options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
		nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
		groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
		ether 02:df:85:dd:5a:00
		nd6 options=1<PERFORMNUD>
		groups: bridge
		id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
		maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
		root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
		member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
				ifmaxaddr 0 port 5 priority 128 path cost 2000
		member: nfe0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
				ifmaxaddr 0 port 1 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=8<VLAN_MTU>
		ether 02:79:90:00:05:0a
		hwaddr 02:79:90:00:05:0a
		nd6 options=1<PERFORMNUD>
		media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
		status: active
		groups: epair


The box in itself:
old Gigabyte Mobo for dual AMD Opteron 2373 EE
32 GB DDR2 ECC
single pair of same brand on board GB NIC

The jail is perfectly accessible from IPv4.
But having the crappy ISP router I have, I need to use IPv6 to circumvent the lack of loopback or DNS setup functionalities, as well as the semi-dynamic IPv4 address (may or may not change upon a router reboot, purely random).

I could use some pointers, or some voodoo even.
 

seedz

Dabbler
Joined
May 2, 2018
Messages
39
so, IPv6 isn't working at all before 11.2 rolls out ?
how much would 'few weeks' be ?
 

seedz

Dabbler
Joined
May 2, 2018
Messages
39
So, I've upgraded to nightlies, and I'm now on 11.2.

I have the exact same problem:
the FreeNAS box answers in place of the jails even when I'm trying to reach the jails' IPv6.

this is driving me nuts :>
 

seedz

Dabbler
Joined
May 2, 2018
Messages
39
Edit: figured it out.

Using vnet, I could make IPv6 work fine.
I just had to find that you need to set a tunable to include the physical NIC you want the jails on to be able to access the internet, or it just stays a jail-only "network".

As a reference for future people having the problem and finding this post:

This is what you should include in your tunables, after adding the VirtIO capability to your jail and rebooting the FreeNAS box:
variable: ifconfig_vnetX, where X is the number of the vnet your jails are attaching to
value: addm NIC up, where NIC is the name of the physical NIC you want the jails to be able to access
type: rc.conf
 

marschal

Dabbler
Joined
Oct 18, 2018
Messages
10
@seedz. Tried adding the tunable, but unfortunately I still do not get any IPV6 address inside the jail. Any further suggestions?
 

seedz

Dabbler
Joined
May 2, 2018
Messages
39
I've lost IPv6 from the router, but!
I had it working for a while by making a script that would go on start up:
Code:
ifconfig epair0b inet6 auto_linklocal
ifconfig epair0b inet6 accept_rtadv
service rtsold start
/sbin/ping6 -c 10 google.com


Of course, you must add rtsold_enable="YES".
 

marschal

Dabbler
Joined
Oct 18, 2018
Messages
10
Thx, this seems to work and to assign the jail an IPv6 address. Anyway this seems to be a little bit hacky. Is there really no out-of-the-box way to do this?

Since 11.2-RC2 the UI (jail configuration) enabled "autoconfigure ipv6". But unfortunately this does exactly nothing :(
 

marschal

Dabbler
Joined
Oct 18, 2018
Messages
10
OK, I've managed to get this working now. I extended seedz's script to also let nginx (serving Nextcloud inside the jail) listen for IPv6 requests. This works for me.

Code:
#!/bin/sh
#
# Manually configure IPv6 in jail
# and let nginx also listen on ipv6
#
# /etc/rc.d/setup_ipv6
#

set -e
set -u

# Let jail get an IPv6 address from router
ifconfig epair0b inet6 auto_linklocal
ifconfig epair0b inet6 accept_rtadv
service rtsold start || true

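# check if the nginx config already listens on IPv6; add the directive and restart if not
if ! grep -Eq 'listen \[::\]' /usr/local/etc/nginx/conf.d/nextcloud.conf; then
  # FreeBSD sed: -i takes a backup suffix, so "-ie" would leave a stray "nextcloud.confe" copy;
  # -i '' edits the file in place without a backup
  sed -i '' -e "/listen 80;/a\\
  listen [::]:80;\\
" /usr/local/etc/nginx/conf.d/nextcloud.conf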
  service nginx restart
  echo "replaced nginx nextcloud config and restarted nginx"
else
  echo "nothing to do"
fi

Place this file in /etc/rc.d/ inside the jail. BTW I'm using the standard plugin jail in 11.2-RC2.

--marschal
 

wesgeorge

Cadet
Joined
Dec 14, 2018
Messages
1
This is still broken in 11.2 release.
The fix still works (I didn't need to do anything to my tunables), and I've added the script to my rc.d, but is there a bug filed on this yet?

root@plex:/ # uname -a
FreeBSD plex 11.2-STABLE FreeBSD 11.2-STABLE #0 r325575+fc3d65faae6(freenas/11.2-stable): Wed Dec 5 15:08:42 EST 2018 root@nemesis.tn.ixsystems.com:/freenas-11.2-releng/freenas/_BE/objs/freenas-11.2-releng/freenas/_BE/os/sys/FreeNAS.amd64 amd64

Despite the name, that's a bog standard iocage jail, not the prebuilt plex plugin jail.

root@plex:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ff:60:14:fa:0a
hwaddr 02:f9:d0:00:09:0b
inet 192.168.1.240 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=1<PERFORMNUD>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
root@plex:/ # ifconfig epair0b inet6 auto_linklocal
root@plex:/ # ifconfig epair0b inet6 accept_rtadv
root@plex:/ # service rtsold start
plexmediaserver_enable: YES -> YES
plexmediaserver_enable: YES -> YES
Starting rtsold.
root@plex:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ff:60:14:fa:0a
hwaddr 02:f9:d0:00:09:0b
inet 192.168.1.240 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::ff:60ff:fe14:fa0a%epair0b prefixlen 64 scopeid 0x2
inet6 2xxx:xxx:x:0:ff:60ff:fe14:fa0a prefixlen 64 autoconf
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
root@plex:/ # ping6 google.com
PING6(56=40+8+8 bytes) 2xxx:xxx:x:0:ff:60ff:fe14:fa0a --> 2607:f8b0:4004:80b::200e
16 bytes from 2607:f8b0:4004:80b::200e, icmp_seq=0 hlim=56 time=18.981 ms
16 bytes from 2607:f8b0:4004:80b::200e, icmp_seq=1 hlim=56 time=13.307 ms
16 bytes from 2607:f8b0:4004:80b::200e, icmp_seq=2 hlim=56 time=13.930 ms
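
The before/after `ifconfig` output above shows what the workaround changes on `epair0b`: a link-local address appears, `ACCEPT_RTADV` is set, and an `autoconf` address is assigned. As an added example (not part of the original posts), this shell function reads `ifconfig` output and reports which of those steps is still missing; the function name, state labels and sample text (using the 2001:db8::/32 documentation prefix) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify one interface's IPv6
# autoconfiguration state from FreeBSD `ifconfig` text read on stdin.
# Prints: missing | ifdisabled | no-linklocal | rtadv-off | no-slaac-address | ok
# On a jail: ifconfig | slaac_state epair0b
slaac_state() {
  awk -v ifc="$1" '
    # Header lines look like "epair0b: flags=..."; detail lines may or may not be indented.
    /^[A-Za-z0-9_.]+: flags=/ { cur = $1; sub(/:$/, "", cur); if (cur == ifc) seen = 1; next }
    cur != ifc { next }
    $1 == "inet6" && $2 ~ /^fe80:/ { ll = 1; next }      # link-local address present
    $1 == "inet6" && /autoconf/   { slaac = 1; next }    # address learned from a router advertisement
    $1 == "nd6" { if (/ACCEPT_RTADV/) rtadv = 1; if (/IFDISABLED/) off = 1 }
    END {
      if (!seen)       print "missing"
      else if (off)    print "ifdisabled"
      else if (!ll)    print "no-linklocal"
      else if (!rtadv) print "rtadv-off"
      else if (!slaac) print "no-slaac-address"
      else             print "ok"
    }'
}

# Constructed sample: interface before the workaround (IPv4 only, nd6 options=1).
sample_before() { cat <<'EOF'
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.240 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=1<PERFORMNUD>
EOF
}

# Constructed sample: interface after auto_linklocal, accept_rtadv and rtsold.
sample_after() { cat <<'EOF'
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.240 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::ff:60ff:fe14:fa0a%epair0b prefixlen 64 scopeid 0x2
    inet6 2001:db8:0:0:ff:60ff:fe14:fa0a prefixlen 64 autoconf
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
EOF
}

printf 'before: %s\nafter:  %s\n' \
  "$(sample_before | slaac_state epair0b)" "$(sample_after | slaac_state epair0b)"
```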
 

dlavigne

Guest
"This is still broken in 11.2 release."

To clarify: the output you posted is due to applying the script? As in, IPv6 wasn't working out of the box?

If so, please create a ticket at bugs.freenas.org as IPv6 should be working for 11.2-RELEASE.
 