UDP connections from NAT'ed jails

[Peter Ludikovsky]

Hi,

With the adapdation on the VM:

    [peter at doctor ~]$ sudo service pf reload
    Reloading pf rules.
    [peter at doctor ~]$ cat /etc/pf.conf 
    IP_PUB="10.0.2.15"
    IP_JAIL="192.168.5.2"
    NET_JAIL="192.168.5.0/24"
    scrub in all
    #set skip on lo
    nat pass on em0 from $NET_JAIL to any -> $IP_PUB
    pass out keep state
    [peter at doctor ~]$ sudo pfctl -sn
    nat pass on em0 inet from 192.168.5.0/24 to any -> 10.0.2.15
    [peter at doctor ~]$ host pkg.freebsd.org
    pkg.freebsd.org is an alias for pkgmir.geo.freebsd.org.
    pkgmir.geo.freebsd.org has address 149.20.1.201
    pkgmir.geo.freebsd.org has IPv6 address 2001:4f8:1:11::50:1

No change in the jail.

tcpdump on the host shows resolution happening for the jail-host, but
nothing for the jail itself.

Regards,
/peter


Am 26. Februar 2018 13:58:23 MEZ schrieb Kristof Provost <kristof at sigsegv.be>:
>On 26 Feb 2018, at 18:11, Peter Ludikovsky wrote:
>> I'm experimenting with jails in preparation for moving my home server
>> from Linux to FreeBSD. I'm doing this from within a VirtualBox VM, 
>> since
>> it's easier to revert to a previous state in case I break something.
>>
>> My biggest issue ATM is that my first jail can't resolve any host.
>TCP
>> and ICMP packets pass without issue, but DNS requests time out. I
>> checked with tcpdump on both the outside interface of the VM and of 
>> the
>> host, neither show any DNS requests. Both hosts use 9.9.9.10 as the 
>> DNS
>> server in /etc/resolv.conf.
>>
>…
>> Anyone got a pointer on what's going wrong here?
>>
>Hmm. That’s interesting. Can you tcpdump on the host to see what’s 
>going on with your DNS packets?
>
>Also, I’d try to remove the ‘set skip on lo’ pf rule.
>
>Regards,
>Kristof
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to
>"freebsd-questions-unsubscribe at freebsd.org"