From: Nathan Robertson
Date: Tue, 29 Oct 2019 12:40:23 +1100
Subject: Re: Masquerading MAC addresses
To: MJ, freebsd-questions@freebsd.org

On Tue, 29 Oct 2019 at 12:06, MJ wrote:

>
> On 29/10/2019 11:31 am, MJ wrote:
> >
> > On 29/10/2019 10:57 am, Nathan Robertson wrote:
> >> [...]
> >> Any idea of where I should look or who I could ask about MAC NAT on
> >> FreeBSD?
> >
> > Sounds like you need some sort of ARP proxy?
>
> Something went wrong.
>
> Anyway, if that's what you need, look at
> https://www.freshports.org/net-mgmt/choparp
>

I don't think proxy ARP is quite enough. It's possibly half the answer, as it'll make ARP requests from servers on the VPS vendor's network work ok, and probably make inbound packets work ok (although possibly could confuse the jail server), but when the jail sends an ethernet frame (which goes over an ethernet bridge to the physical adapter, then out over the wire to the network), the source MAC address will still be the jail one, not the host one. The result is the VPS vendor will packet filter the outbound ethernet frame. The only way I can think of defeating this is SNAT / masquerade of the ethernet frame. (I'm trying to avoid doing a TCP level port forward, as I'd prefer the jail host to not have an IP address on this interface).
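
Added example, not part of the original message and not taken from any FreeBSD tool: a Python model of the Ethernet-level source rewrite the post calls "SNAT / masquerade", next to a model of the vendor's source-MAC filter. The MAC and IP values and the filter rule are constructed assumptions; the ARP branch goes slightly beyond the post, because a source-MAC rewrite also has to patch the sender hardware address carried inside ARP payloads.

```python
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
BCAST = b"\xff" * 6

def mac(text):
    """'02:00:00:aa:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

HOST_MAC = mac("02:00:00:aa:00:01")  # constructed: MAC the vendor assigned to the VPS
JAIL_MAC = mac("02:00:00:bb:00:02")  # constructed: MAC of the jail's bridged interface

def vendor_filter_passes(frame, allowed_mac):
    """Assumed upstream rule: only frames sourced from the assigned MAC pass."""
    return frame[6:12] == allowed_mac

def mac_snat(frame, host_mac):
    """Rewrite the Ethernet source MAC of an outbound frame to host_mac.

    For Ethernet/IPv4 ARP the sender hardware address in the payload is
    rewritten too; otherwise peers cache the jail MAC from the ARP body
    and send replies to an address the vendor does not deliver to.
    """
    out = bytearray(frame)
    out[6:12] = host_mac
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_ARP and len(frame) >= 42:
        htype, ptype, hlen, plen = struct.unpack("!HHBB", frame[14:20])
        if (htype, ptype, hlen, plen) == (1, ETH_IPV4, 6, 4):
            out[22:28] = host_mac  # ARP sender hardware address
    return bytes(out)

def arp_sender_mac(frame):
    """Sender hardware address field of an Ethernet/IPv4 ARP frame."""
    return frame[22:28]

def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed sample input: broadcast ARP who-has for target_ip."""
    eth = BCAST + src_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)
    return eth + arp + src_mac + src_ip + b"\x00" * 6 + target_ip

def build_ipv4_frame(src_mac, dst_mac):
    """Constructed sample input: Ethernet header plus a dummy 20-byte IPv4 header."""
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    req = build_arp_request(JAIL_MAC, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    print("jail frame passes filter:", vendor_filter_passes(req, HOST_MAC))
    print("after MAC SNAT:", vendor_filter_passes(mac_snat(req, HOST_MAC), HOST_MAC))
```

Return traffic then arrives addressed to the host MAC, so the host also needs the reverse mapping (destination IP to jail MAC) before handing frames to the bridge.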