How does jail NAT port forwarding work?

LMCDZ

Cadet
Joined
Jan 2, 2021
Messages
8
I have lots of jails that are all configured the same way: on a NAT with ports forwarded to the host.
The host has the following two interfaces:
ix0 192.168.0.8 (physical interface)
wg0 10.0.0.8 (wireguard interface)

I can access the host's services such as ssh or the web UI at 192.168.0.2:22 or 10.0.0.8:22.
But the jail's forwarded ports are only accessible on 192.168.0.8:2222 and are blocked on 10.0.0.8:2222.

How is the port forwarding working? Does it only convert host subnet 192.168.0.x addresses to the jail's vnet address 172.16.0.x? Or is it meant to bind the interfaces?
I have never had issues like this when I bind ports on Docker containers. Something strange is happening here, and jail port forwarding is not working with WireGuard at all.

Code:
ifconfig
ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e13abb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO6,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
    ether d0:50:99:d1:12:76
    inet 192.168.0.8 netmask 0xffffff00 broadcast 192.168.0.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=9<PERFORMNUD,IFDISABLED>
ix1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether d0:50:99:d1:12:77
    media: Ethernet autoselect
    status: no carrier
    nd6 options=1<PERFORMNUD>
ix2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether d0:50:99:d1:12:78
    media: Ethernet autoselect
    status: no carrier
    nd6 options=1<PERFORMNUD>
ix3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether d0:50:99:d1:12:79
    media: Ethernet autoselect
    status: no carrier
    nd6 options=1<PERFORMNUD>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
    groups: pflog
wg0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1420
    options=80000<LINKSTATE>
    inet 10.0.0.8 --> 10.0.0.8 netmask 0xffffffff
    groups: tun
    nd6 options=101<PERFORMNUD,NO_DAD>
    Opened by PID 2152
vnet0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: associated with jail: test as nic: epair0b
    options=8<VLAN_MTU>
    ether d2:50:99:ae:1b:75
    hwaddr 02:f0:56:a2:ba:0a
    inet 172.16.0.1 netmask 0xfffffffc broadcast 172.16.0.3
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=1<PERFORMNUD>

LMCDZ

Host's routing table:
Code:
$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         ix0
10.0.0.0/24        wg0                US          wg0
10.0.0.8           link#7             UH          wg0
localhost          link#5             UH          lo0
172.16.0.0/30      link#8             U       vnet0.3
172.16.0.1         link#8             UHS         lo0
192.168.0.0/24     link#1             U           ix0
192.168.0.8        link#1             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              localhost          UGRS        lo0
localhost          link#5             UH          lo0
::ffff:0.0.0.0/96  localhost          UGRS        lo0
fe80::/10          localhost          UGRS        lo0
fe80::%lo0/64      link#5             U           lo0
fe80::1%lo0        link#5             UHS         lo0
ff02::/16          localhost          UGRS        lo0


Jail's routing table:
Code:
$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            172.16.0.1         UGS     epair0b
localhost          link#1             UH          lo0
172.16.0.0/30      link#3             U       epair0b
172.16.0.2         link#3             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              localhost          UGRS        lo0
localhost          link#1             UH          lo0
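The behaviour described in the two posts above (forward reachable on ix0's address but not on wg0's) is what an interface-bound pf redirect produces. The fragment below is an added illustration, not the poster's actual configuration or any jail manager's generated rules; it assumes the forwards are pf rdr rules (pflog0 is present on the host), that 172.16.0.2 is the jail address shown in the jail's routing table, and that 2222 maps to the jail's sshd on port 22.

```pf
# Added illustration (constructed, not the poster's real pf.conf): the shape of
# a redirect commonly generated for a NAT'd vnet jail, and why it only answers
# on one host address.
ext_if  = "ix0"
jail_ip = "172.16.0.2"

# Interface-bound redirect: only packets that arrive ON ix0 and are addressed
# to ix0's own address (the "(ix0)" macro expands to 192.168.0.8) are rewritten
# to the jail. A packet for 10.0.0.8:2222 arrives on wg0, so it never matches
# this rule and reaches the host itself, where nothing listens on 2222.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 2222 -> $jail_ip port 22

# A separate redirect is needed for the WireGuard side. Limiting the source to
# the tunnel network keeps the jail's sshd exposed only to VPN peers rather
# than to everything the host can see.
rdr pass on wg0 inet proto tcp from 10.0.0.0/24 to (wg0) port 2222 -> $jail_ip port 22

# Outbound NAT for the jail's own traffic (172.16.0.0/30 per the routing
# tables) is a different rule from the inbound redirects above; having it
# does not make the jail reachable from wg0.
nat on $ext_if inet from 172.16.0.0/30 to any -> ($ext_if)
```

`pfctl -s nat` on the host shows which interface each active rdr is bound to, which is the quickest way to confirm whether a wg0 redirect exists at all.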