Date:      Fri, 09 Nov 2018 13:14:53 -0500
From:      Ernie Luzar <luzar722@gmail.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>,  "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>
Subject:   12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf
Message-ID:  <5BE5CE9D.9030503@gmail.com>

Hello lists;

Testing a 12.0-beta3 vnet jail that is using the pf firewall.
net.inet.ip.forwarding=1 for the vnet jail.
The host is running the ipfilter firewall.
The kldload pf.ko pflog.ko command has been issued.
10.0.10.30 is the IP address assigned to the vnet jail in jail.conf.
Using this NAT rule:
Using this nat rule

nat on epair2b from 10.0.0.30/24 to any -> (vge0)

vge0 is the host's interface facing the public internet and a member of
bridge2 along with member epair2a.

When I do a ping 8.8.8.8 from the vnet jail console I get the message
"Time to live exceeded".

The vnet jail pflog shows in and out on epair2b 10.0.10.30 > 8.8.8.8

I'm thinking the NAT rule is incorrect because the pflog doesn't show the
NATed IP address assigned by the ISP, or maybe the NAT rule is not
functional in a vnet jail because I found a bug.

Am I missing something here? Help please.
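The pf.conf NAT fragment the post is working toward, as an added example that is not the poster's configuration or anything from the FreeBSD project: a small sh script that emits the pf.conf macros and the nat rule for the jail network, refuses a source network that does not contain the jail's own address (the post gives the jail 10.0.10.30 but the rule's source is 10.0.0.30/24, which pf reads as 10.0.0.0/24), and does a parse-only load with `pfctl -nf` where pfctl is installed. The interface names epair2b and vge0 and the address 10.0.10.30/24 are taken from the post; the macro names (jail_if, jail_net, ext_if) and the function names are this example's own. One caveat on where the rule can live: an interface belongs to exactly one vnet, so `(vge0)` can only be expanded by the system that owns vge0, which in the post's layout is the host rather than the jail, and the fragment is therefore written from the point of view of whichever side owns the external interface.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a pf.conf NAT fragment
# for a jail network and sanity-checks the addresses before loading it.
# Assumed from the post: jail interface epair2b, jail address 10.0.10.30/24,
# external interface vge0. Macro and function names are this example's own.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR: succeed when IP falls inside CIDR. Host bits of the
# CIDR's address are masked off, as pf does with a rule like 10.0.0.30/24.
in_net() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# gen_pf_conf JAIL_IF JAIL_NET EXT_IF: print the pf.conf fragment.
# The "on" interface is the one translated packets leave through, and the
# parentheses around ext_if make pf re-read that interface's address when
# it changes (DHCP renewal). Only meaningful on the system that owns EXT_IF.
gen_pf_conf() {
    cat <<EOF
jail_if  = "$1"
jail_net = "$2"
ext_if   = "$3"

# Rewrite the source of outbound jail traffic to ext_if's current address.
nat on \$ext_if from \$jail_net to any -> (\$ext_if)

# Log on both sides: on \$ext_if the packet is logged after translation,
# so pflog shows the public source address there.
pass log on \$jail_if all
pass log on \$ext_if all
EOF
}

# check_config JAIL_IP JAIL_NET: refuse a rule whose source network does not
# contain the jail's address (10.0.0.30/24 vs 10.0.10.30 is such a mismatch).
check_config() {
    if in_net "$1" "$2"; then
        return 0
    fi
    echo "jail address $1 is not inside nat source network $2" >&2
    return 1
}

# Parse-only load with pfctl -n where it is installed; a no-op elsewhere.
syntax_check() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found, skipping"; return 0; }
    tmp=$(mktemp) || return 1
    gen_pf_conf "$@" >"$tmp"
    pfctl -nf "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

main() {
    jail_ip=10.0.10.30
    jail_net=10.0.10.0/24
    check_config "$jail_ip" "$jail_net" || exit 1
    gen_pf_conf epair2b "$jail_net" vge0
    syntax_check epair2b "$jail_net" vge0
}

main
```

Run it as plain `sh` on the system that owns the external interface; the address check runs anywhere, the `pfctl -nf` pass only where pf is loaded, and it never loads rules into the running firewall.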
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5BE5CE9D.9030503>