diffusae:
I am running a Tor node in a FreeBSD jail with the following pf rules:
scrub in all
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL
That looks good.
There is no "pass out quick" or "pass out on" statement?
Sure, there is.
pass out on $ext_if proto { tcp udp icmp } all modulate state
Be sure to flush and reload the rules before testing, but you certainly did.
It passes the exit traffic to the public IP. The incoming traffic is passed to the different jail IPs according to the port.
Is the outgoing traffic routed, too?
Be careful with the cloned interface and the /etc/hosts configurations for your BSD and jails. Misconfiguration also often leads to network problems.
Yes, that's it. I've tested the known rules for Transparent Proxy on a FreeBSD11 (amd64) VM.
https://github.com/lattera/transtor/blob/master/pf.conf
It was no problem to configure it with a cloned interface. It works on the fly, but there was no jail.
I've tried the same configuration with FreeBSD11 for armv6 (RPI-B), with and without a jail, and it only works locally and also dropped all other network connections. I am not sure if something is missing in the RPI ISO image snapshots,
Would be surprising as not much is needed to make it work.
but the main problem should be the cloned interface.
It was hard to discover, but in the end I had a "connection timeout". Do you use any "special" configuration inside the jail?
Nothing more than an operational resolv.conf and an adapted /etc/hosts.
Like "defaultrouter=" or "gateway_enable=" on the host, etc?
Yes, both are configured/activated in /etc/rc.conf (like pf and pflog).
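For reference, here is a complete pf.conf that puts the rules quoted in this thread (scrub, nat pass, rdr pass, pass out with modulate state) together with the pieces a jailed Tor relay on a cloned loopback also needs. This is an added example, not the configuration of either poster: the interface names em0 and lo1, the addresses 203.0.113.10 (documentation range) and 10.0.0.0/24 / 10.0.0.2, and the ORPort 9001 are assumptions, to be replaced with the real values.

```pf
# Added example: pf.conf for a FreeBSD host running a Tor relay inside a jail.
# Not the poster's configuration; every value below is an assumption.
ext_if        = "em0"           # assumed public interface of the host
jail_if       = "lo1"           # assumed cloned loopback for the jails (cloned_interfaces="lo1")
IP_PUB        = "203.0.113.10"  # assumed public IPv4 address of the host
NET_JAIL      = "10.0.0.0/24"   # assumed private network of all jails on lo1
IP_JAIL_TOR   = "10.0.0.2"      # assumed address of the Tor jail
PORT_TOR_JAIL = "9001"          # assumed ORPort configured in the jail's torrc

# Host loopback is not filtered; everything else is normalized.
set skip on lo0
scrub in all

# Outbound: the jail's traffic (Tor circuits, directory fetches) leaves with the public address.
# "nat pass" translates and passes in one step, so no separate pass rule is needed for it.
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# Inbound: ORPort connections arriving at the public address are redirected into the jail.
# "rdr pass" likewise passes the redirected packets without further rule evaluation.
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL

# Default deny for everything not explicitly allowed; log it to pflog0.
block in log all

# Traffic between the host and its jails on the cloned loopback is not restricted.
pass on $jail_if all

# Outbound from the host and (after NAT) from the jails, with stateful replies allowed back in.
pass out on $ext_if proto { tcp udp icmp } all modulate state
```

Load it with `pfctl -f /etc/pf.conf`, then confirm the translation and filter rules with `pfctl -sn` and `pfctl -sr`. For the redirected traffic to reach the jail at all, the host must also forward packets: `gateway_enable="YES"` in /etc/rc.conf (which sets net.inet.ip.forwarding=1), together with `cloned_interfaces="lo1"`, an alias for the jail address on lo1, and `pf_enable="YES"` / `pflog_enable="YES"`. If the ORPort is reachable only locally, `pfctl -ss` (state table) and a `tcpdump -ni pflog0` against the `block ... log` rule show whether the inbound packets are being dropped or never arrive.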