My jail host is somehow allowing jails which are assigned their own interface parented to a VLAN to access management VLAN hosts. It's bypassing the router, and it looks like the FreeBSD jail hypervisor itself is forwarding packets to the management VLAN, despite never putting gateway_enable="YES" into rc.conf. traceroute is contradicting ifconfig, saying an IP address is not on an interface.

I'm using standard iocage stands. vnet is off.

My topology: the main hypervisor operating system's IP is on a lagg0 interface in failover mode across two Intel gigabit NICs, pointed to vlan1. The iocage jails are assigned to an alias interface 'jail', each jail with a unique IPv4 and IPv6 address. The jail interface is renamed lagg0_4 or vlan4 on interface lagg0. All those cluster physical links go into a layer 3 switch, which is trunked to an OpenWrt router which handles firewalling and cross-VLAN talk, NAT, etc.

On my computer, which is on the management VLAN (192.168.55.5), I ran nc -vkl 4000, which binds to 0.0.0.0 port 4000 TCP, and inside one of the jails (192.168.4.31) I ran nc -v 192.168.55.5 4000. The connection succeeded, and on my computer I see these lines:

Listening on 0.0.0.0 4000
Connection received on 192.168.4.31 12606
hello

That should not happen.

I thought my router was passing it through, so I connected my laptop to the switch on VLAN 4 and tried to repeat nc -v 192.168.55.5 4000. I was unable to replicate.

I then, on the jail hypervisor, ran traceroute -i jail -s 192.168.4.31 192.168.55.5. traceroute complained the jail interface didn't contain that IP address, which directly contradicts what ifconfig jail says. I removed -i jail and ran traceroute again, and it succeeded. That shouldn't happen either.

Interestingly, there was no router in between according to traceroute; it was direct. That led me to believe the jail hypervisor is forwarding the packets, which also should not be possible because sys.inet.forward=0, sys.inet.forwarding is 0.