From: Dewayne Geraghty
To: Nathan Aherne
Cc: Julian Elischer, "freebsd-ipfw@freebsd.org", Ian Smith
Date: Sun, 29 Nov 2015 04:54:58 +1100
Subject: Re: Kernel NAT issues
List-Id: IPFW Technical Discussions

Nathan,

I've gone the same way that you have, i.e. a bunch of jails that are individually providing services & kernel NAT. It takes careful planning and the knowledge that the default route will be the first IP in your jail.conf list for each jail.

Getting jails to play nice means fiddling around with all interfaces. If you can, take ipfw out of the equation until you can see tcpdump traffic doing what you want; the challenge hasn't been ipfw in my experience. (& yes, initially I've had three tcpdumps going at once too, along with old friends: raw ip & ping)

Enjoy the fun of getting it to work, it's well worth the effort. (And be thankful that you aren't using pf, another level of complexity but suits my needs perfectly) ;)

Dewayne