Message-ID: <5BE5CE9D.9030503@gmail.com>
Date: Fri, 09 Nov 2018 13:14:53 -0500
From: Ernie Luzar
To: "freebsd-questions@freebsd.org", "freebsd-jail@freebsd.org"
Subject: 12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf

Hello lists;

Testing 12.0-beta3 vnet jail that is using pf firewall.
net.inet.ip.forwarding=1 for the vnet jail.
Host is running ipfilter firewall.
The kldload pf.ko pflog.ko command has been issued.

10.0.10.30 is the IP address assigned to the vnet jail in the jail.conf.

Using this NAT rule:

    nat on epair2b from 10.0.0.30/24 to any -> (vge0)

vge0 is the host's interface facing the public internet and a member of bridge2 along with member epair2a.

When I do a ping 8.8.8.8 from the vnet jail console I get the message "Time to live exceeded".

The vnet jail pflog shows in and out on epair2b 10.0.10.30 > 8.8.8.8

Thinking the NAT rule is incorrect because the pflog doesn't show the NATed IP address assigned by the ISP. Or maybe the NAT rule is not functional in a vnet jail because I found a bug.

Am I missing something here?

Help please.