Vnet Jail communication with the host system

Hello,

Does anyone use vnet jails and can explain to me why communication from the host to the jail is not possible?

All jails are connected via bridge1; the bridge is connected to my real network.

The host and Jail1 know each other; I can see the ARP request and reply, and they have the correct IP and MAC address binding.

sharky@freebsd:~ $ sudo arp -a
? ( at 52:54:00:a6:e8:eb on vtnet0 permanent [ethernet]
? ( at 02:b5:98:56:4b:0b on vtnet0 expires in 1105 seconds [ethernet]

root@unbound:/ # ifconfig | grep 02:b5:98:56:4b:0b
ether 02:b5:98:56:4b:0b

root@unbound:/ # arp -a | grep 100
freebsd ( at 52:54:00:a6:e8:eb on eth0 expires in 855 seconds [ethernet]

My test was an SSH connection or a DNS request from the host to the jail. I can see the packet on the host system and also inside the jail (tcpdump).

But the "application layer", aka unbound or ssh, never receives the packet? It is weird... the unbound log does not get a DNS request...

What is also interesting is that SSH from jail to jail is possible. For me it looks like the internal layer 2 forwarding is broken.
I have created a drawing. It would even help if someone could double check my jail config. Thank you!

[attachment: Bildschirmfoto 2022-09-24 um 13.14.36.png]
I got some help.

I could solve the problem by using this rc.conf. Without create_args_bridge1 I could not get it working.

Sometimes the interface was added to the bridge but had no IP, or the interface was not added to the bridge at all...

create_args_bridge1="addm vtnet0"
ifconfig_bridge1="inet netmask"

# this command is necessary, without it the IP is not reachable.
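The two failure modes described above (uplink missing from the bridge, bridge without an address) can be checked from the host after boot. The following POSIX sh check is an added example, not part of the thread; it parses `ifconfig bridge1` output, and the two sample outputs, the interface names vtnet0 and epair0a, and the 192.0.2.x address are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `ifconfig bridge1` on a healthy host: the bridge has
# an inet address and both the uplink and the jail's epair end are members.
SAMPLE_OK='bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:a1
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: vtnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 2000
        groups: bridge'

# Constructed sample of the broken state from the thread: vtnet0 was never
# added to the bridge and the bridge carries no inet address.
SAMPLE_BROKEN='bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:ff:a1
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        groups: bridge'

# check_bridge OUTPUT IFACE...
# $1 is ifconfig output, the remaining arguments are interfaces that must be
# bridge members. Prints one line per problem and returns the number of
# problems found, so 0 means the bridge looks healthy.
check_bridge() {
    out=$1
    shift
    problems=0
    # Without an inet address on the bridge the host cannot reach the jails.
    if ! printf '%s\n' "$out" | grep -q '^[[:space:]]*inet '; then
        echo "bridge has no IPv4 address"
        problems=$((problems + 1))
    fi
    # Every expected interface must show up on a "member:" line.
    for want in "$@"; do
        if ! printf '%s\n' "$out" | grep -q "^[[:space:]]*member: $want "; then
            echo "$want is not a member of the bridge"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# On the real host the call would be:
#   check_bridge "$(ifconfig bridge1)" vtnet0 epair0a
```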