[Bug 236523] No FQDN ping from a Jail with NAT and ipfw
bugzilla-noreply at freebsd.org
Thu Mar 14 10:10:50 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236523
Bug ID: 236523
Summary: No FQDN ping from a Jail with NAT and ipfw
Product: Base System
Version: 12.0-RELEASE
Hardware: arm64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: arm
Assignee: freebsd-arm at FreeBSD.org
Reporter: joneum at FreeBSD.org
Is there a bug / problem with NAT and ipfw on arm64?
This config works with amd64 on FreeBSD 12.0.
It does not work on a Raspberry Pi 3 with FreeBSD 12.0 and CURRENT / arm64.
Config:
/etc/rc.conf
hostname="rpi3project.local"
keymap=de
ifconfig_ue0="inet 192.168.2.90 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
sshd_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
jail_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
#IPFW
firewall_enable="YES"
#firewall_type="open"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.conf"
#NAT
cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.0"
gateway_enable="YES"
growfs_enable="YES"
######################
/etc/jail.conf:
exec.start="/bin/sh /etc/rc";
exec.stop="/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
interface="lo1";
jail1icinga {
host.hostname = "jail1icinga.local";
path = /usr/jails/jail1icinga;
ip4.addr = "10.0.0.1";
allow.raw_sockets=1;
allow.chflags;
allow.mount.procfs;
allow.mount.devfs;
}
#########################
/etc/ipfw.conf:
cmd="/sbin/ipfw -q"
lan_if="ue0"
ipaddr="192.168.2.30/24"
vm_net="10.0.0.0/28"
$cmd flush
$cmd queue flush
$cmd pipe flush
$cmd add 10 check-state
$cmd add 20 allow all from me to $vm_net setup keep-state
# NAT
$cmd nat 1 config if $lan_if
$cmd add 50 nat 1 all from $vm_net to not $vm_net
$cmd add 60 nat 1 all from any to $ipaddr
$cmd add 70 allow all from any to any
#####################
/etc/resolv.conf (main host + jail)
nameserver 192.168.2.1
#####################
# jls
JID IP Address Hostname Path
1 10.0.0.1 jail1icinga.local /usr/jails/jail1icinga
# jexec 1 csh
root at jail1icinga:/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=124 time=16.328 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=124 time=16.232 ms
root at jail1icinga:/ # ping www.google.de
ping: cannot resolve www.google.de: Host name lookup failure
#######################
On a FreeBSD 12.0 / amd64 with the same config copied into the jail:
ot # jexec 1 csh
root at jail1icinga:/ # ping www.google.de
PING www.google.de (172.217.16.131): 56 data bytes
64 bytes from 172.217.16.131: icmp_seq=0 ttl=57 time=17.520 ms
64 bytes from 172.217.16.131: icmp_seq=1 ttl=57 time=17.293 ms
^C
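Added example (not part of the bug report, and not FreeBSD's own code): an offline walk of the /etc/ipfw.conf ruleset quoted above, re-implementing only the subset of ipfw matching it uses ("any", "me", "not", host and CIDR addresses, "setup", first-match semantics) so a reader can trace which rule the jail's DNS query and the nameserver's reply would hit. The variable values are copied from the report; the set of addresses "me" expands to is an assumption built from the rc.conf (ue0, the lo1 alias, loopback), and the dynamic state created by rule 20's keep-state / rule 10's check-state is not modelled.

```python
"""Offline trace of the ipfw ruleset from the bug report (added example).

Only the address/option syntax the posted rules use is implemented; this is
a reading aid for the ruleset, not a reimplementation of ipfw.
"""
import ipaddress

# Variables from the posted /etc/ipfw.conf (values copied from the report).
LAN_IF = "ue0"
IPADDR = "192.168.2.30/24"
VM_NET = "10.0.0.0/28"
# Assumption: what "me" expands to on the host, taken from the posted rc.conf
# (ue0 address, lo1 alias that the jail uses, loopback).
LOCAL_ADDRS = {"192.168.2.90", "10.0.0.1", "127.0.0.1"}

# (number, action, proto, src, dst, options) in the order the report lists them.
RULES = [
    (10, "check-state", None, None, None, ()),
    (20, "allow", "all", "me", VM_NET, ("setup", "keep-state")),
    (50, "nat 1", "all", VM_NET, "not " + VM_NET, ()),
    (60, "nat 1", "all", "any", IPADDR, ()),
    (70, "allow", "all", "any", "any", ()),
]


def addr_matches(addr, spec):
    """Evaluate one ipfw address expression against a single IPv4 address."""
    if spec.startswith("not "):
        return not addr_matches(addr, spec[4:])
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    # ipfw masks the written address, so "192.168.2.30/24" means 192.168.2.0/24;
    # that is why the .30/.90 mismatch in the report does not stop rule 60 matching.
    net = ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule, pkt):
    """True if the packet dict (proto, src, dst, optional syn/ack) hits this rule."""
    num, action, proto, src, dst, opts = rule
    if action == "check-state":
        return False  # dynamic state table not modelled
    if not addr_matches(pkt["src"], src) or not addr_matches(pkt["dst"], dst):
        return False
    # "setup" matches only a TCP SYN without ACK; UDP and ICMP never satisfy it,
    # so rule 20 is irrelevant to the DNS traffic in the report.
    if "setup" in opts and not (
        pkt["proto"] == "tcp" and pkt.get("syn") and not pkt.get("ack")
    ):
        return False
    return True


def first_match(pkt, rules=RULES):
    """Return (rule number, action) of the first matching rule, else the default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0], rule[1]
    return 65535, "deny"  # ipfw's implicit default rule


def trace_dns_lookup():
    """Walk the jail's query to the nameserver and the reply coming back."""
    # Constructed packets: the jail (10.0.0.1) asks the resolv.conf nameserver.
    query = {"proto": "udp", "src": "10.0.0.1", "dst": "192.168.2.1", "dport": 53}
    # After rule 50 rewrites the source to the ue0 address, the reply is sent to it.
    reply = {"proto": "udp", "src": "192.168.2.1", "dst": "192.168.2.90", "sport": 53}
    return {"query": first_match(query), "reply": first_match(reply)}


if __name__ == "__main__":
    for name, (num, action) in trace_dns_lookup().items():
        print(f"{name}: rule {num} -> {action}")
    icmp = {"proto": "icmp", "src": "10.0.0.1", "dst": "8.8.8.8"}
    print("icmp echo to 8.8.8.8:", first_match(icmp))
```

Run as-is, the trace shows the query hitting rule 50 and the reply hitting rule 60, i.e. on paper the posted ruleset translates both directions of the UDP lookup just as it does the ICMP echo that works in the report, so the ruleset text alone does not explain the arm64 difference; comparing the output of `ipfw -d list` (dynamic rules) and the nat instance's state on the two machines is the natural next step for whoever picks the bug up.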