Date: Thu, 06 Dec 2018 13:40:32 -0500
From: Ernie Luzar
To: FreeBSD current, "freebsd-jail@freebsd.org", "freebsd-questions@freebsd.org"
Subject: 12.0-RC3 vnet jail with pf firewall/NAT not working
List-Id: "Discussion about FreeBSD jail(8)"

Have gateway host (i.e., a host that is connected directly to the public internet) running a vnet jail that has pf firewall running inside of it. When I start the vnet jail I see a few dhclient tasks auto start for vge0, which is the interface added as member to the bridge. I take this to mean that the vnet jail's external network is configured correctly.

Cannot ping 8.8.8.8 from the vnet jail's console. I can see the pf rules are loaded. But the pf log shows no traffic at all. Think problem is with the nat rule syntax or the nat function of pf is non-functional.

Cannot reach the public internet using this nat rule:

    nat pass on epair2b inet from 10.0.20.10 to any -> xx.xx.xx.xx

10.0.20.10 is the IP address assigned to the vnet jail.
xx.xx.xx.xx is the IP address assigned to the host by the ISP.

Also tried this with no joy:

    nat pass on epair2b inet from 10.0.20.10 to any -> epair2b

Anyone been able to get pf NAT to work in a live vnet jail in this manner?