VNET Jails + ESX + Networking

Hello,

I am testing out vnet jails and I am having trouble inside the jail, as traffic cannot leave the host. Setup is as follows:

HOST (VM running on ESX 6.7, VLAN is in promiscuous mode 'Accept' in vCenter)
FreeBSD 12.1-RELEASE-p2 amd64
Hostname = jails-01
NIC interface = vmx0, 192.168.10.10

I have gateway enabled in my rc.conf on the host.

jail.conf

Code:
mount.devfs;
allow.raw_sockets;
exec.system_user = "root";
exec.jail_user = "root";
vnet;
path = "/usr/jails/$name";
exec.clean;

walnuts {
    host.hostname = "walnuts";
    vnet.interface="ng0_walnuts";
    exec.prestart += "jng bridge walnuts vmx0";
    exec.poststop += "jng shutdown walnuts";
}

rc.conf of my walnuts jail

Code:
hostname="walnuts"
ifconfig_ng0_walnuts="192.168.10.11/24"
defaultrouter="192.168.10.254"
cron_flags="$cron_flags -J 15"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
syslogd_flags="-c -ss"

The host, jails-01, can ping the jail walnuts and walnuts can ping the host. Walnuts can ping another vnet jail called tickets I have created.

The host, jails-01, can ping anything on the 192.168.10.x subnet.

The jails cannot ping past vmx0.

Most setups I have been viewing have jails in a different subnet, so some sort of NAT is required in PF. In my case, is PF needed if the jails and host are on the same network segment?

I have attached my netgraph show image so you can see the hooks.
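One check worth running on the host for the symptom described in the post (jail on the same /24, bridged onto vmx0 with jng, host reaches the LAN, jail does not). This is an added diagnostic script, not code from the thread or from jng; it assumes the usual line shapes of `tcpdump -n -i vmx0 arp` and `ifconfig vmx0`, and the capture and interface output it runs on are constructed samples.

```shell
#!/bin/sh
# On one segment the jail's first packet outward is an ARP request for the
# gateway, so compare ARP requests and replies as seen on the uplink:
#   tcpdump -n -i vmx0 arp | unanswered_arp 192.168.10.11
# Assumed line shapes (tcpdump's usual output):
#   "<ts> ARP, Request who-has A tell B, length N"
#   "<ts> ARP, Reply A is-at MAC, length N"

# unanswered_arp JAIL_IP  (tcpdump lines on stdin)
# Prints, sorted, every address the jail asked for that never got a reply.
unanswered_arp() {
    awk -v jail="$1" '
        $2 == "ARP," && $3 == "Request" && $4 == "who-has" {
            sender = $7; sub(/,$/, "", sender)
            if (sender == jail) asked[$5] = 1
        }
        $2 == "ARP," && $3 == "Reply" { replied[$4] = 1 }
        END { for (t in asked) if (!(t in replied)) print t }
    ' | sort
}

# uplink_promisc IFACE  (ifconfig output on stdin)
# Succeeds only if the interface line carries the PROMISC flag, which the
# bridge needs so frames addressed to the jail's own MAC are passed up.
uplink_promisc() {
    awk -v ifc="$1:" '$1 == ifc && $2 ~ /PROMISC/ { ok = 1 } END { exit !ok }'
}

# Constructed sample (not a real capture): the jail asks twice for the
# gateway and once for the host; only the host answers.
SAMPLE_CAPTURE='12:00:00.000000 ARP, Request who-has 192.168.10.254 tell 192.168.10.11, length 28
12:00:01.000000 ARP, Request who-has 192.168.10.254 tell 192.168.10.11, length 28
12:00:01.500000 ARP, Request who-has 192.168.10.10 tell 192.168.10.11, length 28
12:00:01.500100 ARP, Reply 192.168.10.10 is-at 00:0c:29:11:22:33, length 28'
SAMPLE_IFCONFIG='vmx0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500'

# Requests that reach vmx0 but never get a reply mean the break is beyond the
# host: on ESX the vSwitch security policy (Promiscuous mode, MAC address
# changes, Forged transmits) decides whether frames carrying the jail's MAC,
# which is not the VM's own vNIC MAC, are forwarded and delivered at all.
echo "unanswered ARP from 192.168.10.11:"
printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_arp 192.168.10.11
if printf '%s\n' "$SAMPLE_IFCONFIG" | uplink_promisc vmx0; then
    echo "vmx0 is in promiscuous mode"
else
    echo "vmx0 is NOT in promiscuous mode"
fi
```

Run it unchanged to see the sample result; on the host, feed the two functions live `tcpdump` and `ifconfig` output instead of the samples.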