PF TAGged jail traffic fails pass rule on egress
Beeblebrox
zaphod at berentweb.com
Sun Dec 18 13:33:21 UTC 2016
Ian - thanks for the answer.
I already have pflog enabled on wan0 (egress), but nothing of value there.
After your idea re "no actual packets on lo2" I ran tcpdump on that interface; indeed no traffic shows up.
I moved the jails to a new vlan1 with /24 subnet, with x.x.0.1 empty and jails starting from x.x.0.2/32. This obviously facilitates NAT from pf in that NAT is now not needed for inter-jail communication.
However, nothing changes for the greater problem of packet tagging as "tcpdump -i vlan1" shows no packet traversal as was the case on lo2. I also realised that since pf.conf has:
nat on wan0 from !(wan0) to any -> wan0
Attempts to tag packets post-NAT are useless because the source IP (jail) has been replaced by the IP of wan0. This seems to leave me with limited choices:
1. NAT & TAG each jail separately (i.e.: nat pass on wan0 from $jdns to any tag TD -> wan0)
2. Use a single tag for all packets leaving vlan1 so as to simplify the nat rules
Neither of which offers a satisfactory configuration because of other complications each solution causes. As a reminder: the ultimate goal is to allow only pre-defined port traffic per jail. I can't find a simpler way than TAGGING to accomplish this.
PS I've also found that the OpenBSD syntax "!(tagged )" is not recognised on FreeBSD...
Thanks & Regards
--
FreeBSD_amd64_11-Stable_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
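A pf.conf sketch of option 1 above (tag per jail in the translation rule, then filter on the tag at egress), added here as an example and not part of the original message or the thread's own configuration; wan0 and vlan1 are the interfaces named in the post, while the jail addresses, macro names and JAIL_* tag names are assumptions:

```pf
# Added example, not from the original thread. wan0/vlan1 are from the post;
# jail addresses, macros and tag names below are constructed for illustration.
ext_if  = "wan0"
jail_if = "vlan1"
j_dns   = "192.0.2.2"    # constructed address of the DNS jail
j_web   = "192.0.2.3"    # constructed address of the web jail

# Translation rules are evaluated before filter rules, so tag here while the
# pre-NAT jail source address is still visible. Note: no "pass" keyword on the
# nat rule. A "nat pass" rule hands the packet through without consulting the
# filter rules, so a tag set there would never be checked against port limits.
nat on $ext_if from $j_dns to any tag JAIL_DNS -> ($ext_if)
nat on $ext_if from $j_web to any tag JAIL_WEB -> ($ext_if)

# Default deny on egress, logged to pflog for later inspection.
block out log on $ext_if

# Per-jail port allowances. The tag is carried with the packet through
# translation, so these match even though the source is now wan0's address.
pass out quick on $ext_if proto { tcp udp } to any port 53 tagged JAIL_DNS keep state
pass out quick on $ext_if proto tcp to any port { 80 443 } tagged JAIL_WEB keep state

# The host's own traffic already carries wan0's address and is never tagged by
# the nat rules above, so it needs its own explicit pass rule.
pass out quick on $ext_if from ($ext_if) to any keep state
```

Negated tag matching is deliberately avoided: with a default block on wan0, only positively tagged, port-restricted traffic leaves, and anything a jail sends outside its allowance shows up in pflog rather than silently slipping through.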