Date: Tue, 29 Oct 2019 12:40:23 +1100
From: Nathan Robertson <nathan@robertsonfamily.id.au>
To: MJ <mafsys1234@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Masquerading MAC addresses
Message-ID: <CAHMnXuSGyXoor8z7jNu-Ei2fp32gB5go3FugBLbpLL6A7GrWyw@mail.gmail.com>
In-Reply-To: <699b96b0-2259-10a0-52fd-9a6a75588515@gmail.com>
References: <CAHMnXuRstRXw7eWiB0yZPJ%2BKuhsLax6rFcD_nU2LvfrMk7fkqA@mail.gmail.com> <edf518bf-e895-a3f2-3481-4b9addacfdc5@gmail.com> <699b96b0-2259-10a0-52fd-9a6a75588515@gmail.com>

On Tue, 29 Oct 2019 at 12:06, MJ <mafsys1234@gmail.com> wrote:

> On 29/10/2019 11:31 am, MJ wrote:
> >
> > On 29/10/2019 10:57 am, Nathan Robertson wrote:
> >> [...]
> >> Any idea of where I should look or who I could ask about MAC NAT on FreeBSD?
> >
> > Sounds like you need some sort of ARP proxy?
>
> Something went wrong.
>
> Anyway, if that's what you need, look at
> https://www.freshports.org/net-mgmt/choparp

I don't think proxy ARP is quite enough. It's possibly half the answer, as it'll make ARP requests from servers on the VPS vendor's network work ok, and probably make inbound packets work ok (although possibly could confuse the jail server), but when the jail sends an ethernet frame (which goes over an ethernet bridge to the physical adapter, then out over the wire to the network), the source MAC address will still be the jail one, not the host one. The result is the VPS vendor will packet filter the outbound ethernet frame. The only way I can think of defeating this is SNAT / masquerade of the ethernet frame.

(I'm trying to avoid doing a TCP level port forward, as I'd prefer the jail host to not have an IP address on this interface).
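
Added example, not part of the thread and not a FreeBSD tool: a small Python model of what "SNAT / masquerade of the ethernet frame" has to do, showing that ARP carries the sender MAC inside its payload as well as in the Ethernet header, so both must be rewritten and an IP-to-MAC table kept for return traffic. The `MacNat` class, the `upstream_accepts` filter and all addresses are constructed for illustration.

```python
import socket
import struct

ARP, IPV4 = b"\x08\x06", b"\x08\x00"   # EtherType values as they appear on the wire

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def arp_body(op, sha, spa, tha, tpa):
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, opcode, then the four addresses
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def upstream_accepts(frame, allowed_mac):
    # Assumed vendor behaviour: only frames sourced from the host MAC are forwarded
    return frame[6:12] == allowed_mac

class MacNat:
    def __init__(self, host_mac):
        self.host_mac = host_mac
        self.inner = {}  # IPv4 address (4 bytes) -> real MAC behind the bridge

    def egress(self, frame):
        src, etype, body = frame[6:12], frame[12:14], bytearray(frame[14:])
        if etype == ARP and len(body) >= 28:
            self.inner[bytes(body[14:18])] = src    # learn sender IP -> MAC
            body[8:14] = self.host_mac              # ARP sender hardware address
        elif etype == IPV4 and len(body) >= 20:
            self.inner[bytes(body[12:16])] = src    # learn source IP -> MAC
        return frame[:6] + self.host_mac + etype + bytes(body)

    def ingress(self, frame):
        etype, body = frame[12:14], bytearray(frame[14:])
        if frame[:6] != self.host_mac:
            return frame                            # broadcast or other: untouched
        real = None
        if etype == ARP and len(body) >= 28:
            real = self.inner.get(bytes(body[24:28]))   # look up ARP target IP
            if real:
                body[18:24] = real                  # ARP target hardware address
        elif etype == IPV4 and len(body) >= 20:
            real = self.inner.get(bytes(body[16:20]))   # look up destination IP
        return real + frame[6:14] + bytes(body) if real else frame

# Constructed sample values (locally administered MACs, RFC 5737 addresses)
HOST, JAIL, GW = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:aa"), mac("02:00:00:00:00:fe")
JAIL_IP, GW_IP = socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.1")
REQUEST = b"\xff" * 6 + JAIL + ARP + arp_body(1, JAIL, JAIL_IP, bytes(6), GW_IP)
REPLY = HOST + GW + ARP + arp_body(2, GW, GW_IP, HOST, JAIL_IP)
```
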