PF Bumping my head against pf and networking and jails again

Plain FreeBSD jail, no ezjail or other magic.

Local network and wifi is on 192.168.0.0/24
Trying to bridge all jails to bridge0 with 192.168.1.0/24
epair#a is on bridge0, while epair#b is the jail interface.

If I set up the bridge:

bridge0
epair1a
epair2a
epair3a

epair2 and epair3 are the test jails, while epair1 is for the system.
epair1b is set up as 192.168.1.1/24, and routing is on between interfaces on this server.

A ping from jail test2 with 192.168.1.3 to 8.8.8.8 stops at the external interface and doesn't get translated by NAT according to tcpdump.
I can ping 192.168.0.1, 192.168.1.1 and the externally assigned IP just fine. If I launch other jails I can ping them. A ping just doesn't get NATed to the external internet. All other internal traffic is NATed just fine.

If I skip setting up bridge0 and set up a single epair, jail traffic from a test jail gets NATed properly.
epair2a gets 192.168.1.1/24 and 2b gets 192.168.1.2/24 in the jail. All is identical except for not going through a bridge.

pf.conf:
nat on $ext from 192.168.0.0/16 to any -> ($ext)

set skip on lo0
set skip on bridge0

block log all

pass from $ext to any keep state
pass from 192.168.0.0/16 to any keep state
 
You cannot bridge with a wireless network. The wireless interface essentially needs to 'spoof' the MAC addresses of the jails, and it's going to refuse to do this. Same problem with bridging a wireless and wired interface. So don't attach the wireless interface to the bridge.

And with different network segments (192.168.0.0/24 and 192.168.1.0/24) you don't need to NAT, but you have to make sure your routing is set up properly. The other hosts (and your router) need to know where 192.168.1.0/24 is.
 
> And with different network segments (192.168.0.0/24 and 192.168.1.0/24) you don't need to NAT, but you have to make sure your routing is set up properly. The other hosts (and your router) need to know where 192.168.1.0/24 is.
Is that possible with a home setup consisting of a plastic router, one PC as a host running one jail?
What would the syntax look like? A hint where to look is fine.
In my current setup I have connected the jail to the host via lo1. To feed a browser in the jail via HTTP I run a proxy on the host listening on lo1. That works. NAT works as well, but I do not use that option.
 
> Is that possible with a home setup consisting of a plastic router
Depends a bit on the router. Some allow you to add static routes, which is what you would need to do. If you can't add static routes, then you would need to resort to NAT on the FreeBSD host. Not using NAT here would be the preferred solution; NAT just adds another layer of potential misconfiguration and will make it more difficult to remotely access any of the services running in those jails.
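To make the two alternatives in this thread concrete, here is an added example (not posted by anyone in the thread, and not the original poster's setup): a small sh script that prints the host-side commands for the bridged VNET jail layout described in the first post (bridge0, epair1b as the 192.168.1.1 gateway, one epair per jail, the wireless interface never added to the bridge), plus a pf.conf in either "nat" mode, as in the first post, or "routed" mode, which needs the static route on the router that the last reply describes. The uplink name em0, the host's LAN address 192.168.0.10, the /jails path prefix and the per-jail addresses 192.168.1.N are assumptions; adjust them before running it with `sh jailnet.sh host`, `sh jailnet.sh pf routed` or `sh jailnet.sh router`.

```sh
#!/bin/sh
# Added example (not from the thread): print the FreeBSD host commands for a bridged
# VNET jail segment and a pf.conf for either NAT or plain routing. The interface name,
# host LAN address, jail path prefix and per-jail addresses below are assumptions.
EXT_IF="${EXT_IF:-em0}"                     # wired uplink to the 192.168.0.0/24 LAN (assumed)
HOST_LAN_IP="${HOST_LAN_IP:-192.168.0.10}"  # the host's address on that LAN (assumed)
LAN_NET="192.168.0.0/24"
JAIL_NET="192.168.1.0/24"
JAIL_GW="192.168.1.1"                       # lives on epair1b, the host side of the jail segment
JAIL_IDS="${JAIL_IDS:-2 3}"                 # epair2/epair3 -> jails test2/test3
JAIL_ROOT="${JAIL_ROOT:-/jails}"            # assumed jail path prefix

# Print the ifconfig/jail/jexec commands for bridge0, the host-side epair and one epair
# per jail. Only the "a" ends join bridge0; the wireless interface is never added,
# because a wlan interface will not forward frames carrying the jails' MAC addresses.
emit_host_setup() {
  cat <<EOF
sysctl net.inet.ip.forwarding=1
ifconfig bridge0 create
ifconfig epair1 create
ifconfig epair1a up
ifconfig bridge0 addm epair1a up
ifconfig epair1b inet ${JAIL_GW}/24 up
EOF
  for n in $JAIL_IDS; do
    cat <<EOF
ifconfig epair${n} create
ifconfig epair${n}a up
ifconfig bridge0 addm epair${n}a
jail -c name=test${n} host.hostname=test${n} path=${JAIL_ROOT}/test${n} vnet vnet.interface=epair${n}b persist
jexec test${n} ifconfig epair${n}b inet 192.168.1.${n}/24 up
jexec test${n} route add default ${JAIL_GW}
EOF
  done
}

# Print a pf.conf. "nat" hides the jail segment behind the host's external address;
# "routed" only filters, and relies on the home router having a static route for JAIL_NET.
emit_pf_conf() {
  mode="${1:-nat}"
  cat <<EOF
ext = "${EXT_IF}"
jails = "${JAIL_NET}"
lan = "${LAN_NET}"
set skip on lo0
set skip on bridge0
EOF
  if [ "$mode" = nat ]; then
    echo "nat on \$ext from \$jails to any -> (\$ext)"
  fi
  cat <<EOF
block log all
pass out on \$ext keep state
pass from \$jails to any keep state
EOF
  if [ "$mode" = routed ]; then
    cat <<EOF
# Without NAT every LAN host can reach the jails directly, so admit only intended services.
pass in on \$ext inet proto tcp from \$lan to \$jails port { 22 80 } keep state
EOF
  fi
}

# The one entry the router needs in routed mode (how to enter it depends on the router).
emit_router_route() {
  echo "static route: ${JAIL_NET} via ${HOST_LAN_IP}"
}

case "${1:-}" in
  host)   emit_host_setup ;;
  pf)     emit_pf_conf "${2:-nat}" ;;
  router) emit_router_route ;;
  *)      : ;;   # no argument (or sourced): only define the functions
esac
```

Both pf variants keep `set skip on bridge0` from the first post and leave `block log all` as the default, so in routed mode the only new exposure is the explicit `pass in` for the listed ports; in nat mode the jails stay unreachable from the LAN unless an rdr rule is added. Review the generated commands before applying them, since the script prints rather than executes.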
 