PF Jail pinging host public ip but not able to access the cloud - VNET

I have an issue forwarding the packets to the cloud from the jail.
I have tested Netgraph and epair with the same result.
I have enabled NAT in sysctl.conf: net.inet.ip.forwarding=1
I have also disabled PF entirely and tried with NAT enabled.

Code:
nat on $ext_if inet from $jail_if to any -> ($ext_if)

In the Jail rc.conf, I have defined the defaultroute to the router ip.

Any tip or guidance would be appreciated.
Thanks
 
I have enabled NAT in sysctl.conf: net.inet.ip.forwarding=1
This does NOT enable NAT. It has absolutely nothing to do with NAT actually. This enables routing between interfaces, nothing more, nothing less. Please use gateway_enable="YES" in rc.conf instead.
 
This does NOT enable NAT. It has absolutely nothing to do with NAT actually. This enables routing between interfaces, nothing more, nothing less. Please use gateway_enable="YES" in rc.conf instead.
I have tried it... Thanks for the clarification, well noted! But it is still not working — same result.
 
The routing is done by the host. The jail's traffic is routed through the host, the 'public' IP of the host is tied to that same host. No packet ever leaves the host this way. Run tcpdump(1) on your external interface and you can probably see the jail's packets leave the host. But you get no response because the source address is likely a private range (RFC 1918) address.
 
The routing is done by the host. The jail's traffic is routed through the host, the 'public' IP of the host is tied to that same host. No packet ever leaves the host this way. Run tcpdump(1) on your external interface and you can probably see the jail's packets leave the host. But you get no response because the source address is likely a private range (RFC 1918) address.
The ng0_xxx interface is configured with a public IP on the same subnet as the host's external interface.
If I understood correctly, I need to enable PF to route the packets back to the jail?

Thanks!
 
The ng0_xxx interface is configured with a public IP on the same subnet as the host's external interface.
If I understood correctly, I need to enable PF to route the packets back to the jail?
Explain exactly how you configured your jail. And what IP addresses are on what interfaces. Don't need the exact IP addresses (especially not your public ones), just need to get a better idea of how you configured things.
 
:)
Well, I had all my jails working perfectly without VNET until I was forced to use it by technical development requirements...
Jail.conf
Code:
# $FreeBSD$

fullbasejail {
        # Template applied per jail name; the jail root is $baseroot/<name>/base/.
        $baseroot="/jails/freebsd/13/";
        host.hostname = "${name}";              # hostname
        path = "$baseroot/${name}/base/";       # root directory

        # The host's resolv.conf is copied into the jail at start and removed at stop,
        # so the jail resolves through whatever the host's resolver configuration says.
        exec.prestart = "cp /etc/resolv.conf $path/etc";
        exec.poststop = "rm $path/etc/resolv.conf";

        exec.clean;
        exec.system_user = "root";
        exec.jail_user = "root";

        #
        # NB: Below 4-lines required
        #
        vnet;
        # netgraph
        # NOTE(review): ng0_xxx is bridged onto hn0, the host's hn(4) Hyper-V synthetic NIC,
        # presumably via the jng example script. The jail then sends frames with its own
        # MAC address (02:00:d2:... in the jail's ifconfig, different from hn0's) -- confirm
        # the hypervisor's virtual switch permits frames from additional MAC addresses,
        # otherwise the jail's traffic never leaves the VM even though tcpdump on hn0 shows it.
        vnet.interface = "ng0_xxx";                     # vnet interface(s)
        exec.prestart += "jng bridge xxx hn0";  # bridge interface(s)
        exec.poststop += "jng shutdown xxx";    # destroy interface(s)
        # if_bridge
        #vnet.interface = "e0b_xxx";            # vnet interface(s)
        #exec.prestart += "jib addm xxx em0";   # bridge interface(s)
        #exec.poststop += "jib destroy xxx";    # destroy interface(s)

        # Standard recipe
        exec.start += "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown jail";
        exec.consolelog = "$baseroot/${name}/.cfg/jail_${name}_console.log";
        mount.devfs;    # mount devfs


        # Optional (default off)
        # NOTE(review): ruleset 6 in the host's devfs.rules unhides not only bpf* but also
        # tun*, pf, pflog and zfs. With bpf visible, a root process inside the jail can
        # capture on the jail's own vnet interface; keep this ruleset to jails that need DHCP.
        devfs_ruleset = "6";            # rule to unhide bpf for DHCP
        allow.mount;                    # mount /etc/fstab.xxx
        allow.set_hostname = 1;         # Allow hostname to change
        allow.sysvipc = 1;              # Allow SysV Interprocess Comm.
        # raw sockets allow ping, but also any other raw IP socket from inside the jail.
        allow.raw_sockets = 1;          # Allow Ping from inside the jail
        allow.chflags;
        mount.fstab = "/jails/freebsd/13/${name}/.cfg/fstab";
}

jail rc.conf
Code:
# jail ip address and routing #
# NOTE(review): 192.168.2.111/24 is an RFC 1918 address on the same /24 as the host's
# hn0 (192.168.2.100). The jail does not route through the host at all -- it ARPs for
# 192.168.2.1 directly over the bridge. Replies from the Internet can only reach it if
# something upstream (the router at .1, or a NAT on the host) translates it; the host's
# PF, where the nat rule lives, is currently disabled in the host rc.conf.
ifconfig_ng0_xxx="inet 192.168.2.111 netmask 255.255.255.0"
defaultrouter="192.168.2.1"


# Start or stop services #
# -J 15: up to 15 s of jitter for root's cron jobs (cron(8)).
cron_flags="$cron_flags -J 15"
# sendmail fully disabled: no daemon, no submission, no outbound, no MSP queue runner.
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# -ss: syslogd opens no network socket (no remote logging in or out);
# -c: do not compress repeated messages.
syslogd_flags="-c -ss"
ipv6_activate_all_interfaces="NO"
sshd_enable="YES"

Host devfs.rules
Code:
# Base jail ruleset: hide everything, then expose the basic and login nodes plus fuse/zfs.
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path fuse unhide
add path zfs unhide

# VNET jails additionally get the pf device node (per-vnet pf can be managed from inside).
[devfsrules_jail_vnet=5]
add include $devfsrules_jail
add path pf unhide

# NOTE(review): jail.conf selects this set by number (devfs_ruleset = "6"), so the name is
# cosmetic; "defaultrules_jail_vpn" looks like a typo for devfsrules_jail_vpn.
# This set is wider than a DHCP client needs: tun* lets the jail create tunnel interfaces
# and bpf* lets it capture on its own interfaces. zfs is already unhidden by ruleset 4.
[defaultrules_jail_vpn=6]
add include $devfsrules_jail_vnet
add path 'tun*' unhide
add path zfs unhide
add path pflog unhide
# NOTE(review): 'pfsynv' -- confirm this is the intended node name (pfsync?); as written it
# matches nothing and is silently ignored.
add path pfsynv unhide
add path 'bpf*' unhide

Host rc.conf
Code:
# hn0 is the hn(4) Hyper-V synthetic NIC; 192.168.2.100/24 is RFC 1918, same /24 as the jail.
ifconfig_hn0="inet 192.168.2.100 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
# Sets net.inet.ip.forwarding=1 at boot: routing between interfaces only, not NAT.
gateway_enable="YES"
# PF is disabled here, so the "nat on $ext_if ..." rule from /etc/pf.conf is not loaded;
# nothing on the host translates the jail's private source address.
#pf_enable="YES"
pf_rules="/etc/pf.conf"
# pflog0 is still created (it shows up in the host's ifconfig), but presumably
# carries nothing while pf itself is disabled.
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
sshd_enable="YES"

ifconfig host
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
hn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8001b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,LINKSTATE>
        ether 00:15:5d:08:64:0a
        inet 192.168.2.100 netmask 0xffffff00 broadcast 192.168.2.255
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog

ifconfig Jail
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
ng0_xxx: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=28<VLAN_MTU,JUMBO_MTU>
        ether 02:00:d2:08:64:0a
        hwaddr 58:9c:fc:10:ff:d7
        inet 192.168.2.111 netmask 0xffffff00 broadcast 192.168.2.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Thanks a lot for your follow-up.
 