On 2017 Jul 04 (Tue) at 16:24:53 +0200 (+0200), Claus Lensbøl wrote:
:Hi Peter,
:
:I'm getting:
:# route -T75 default ::1 -blackhole
:route: botched keyword: default
:usage: route [-dnqtv] [-T tableid] command [[modifiers] args]
:commands: add, change, delete, exec, flush, get, monitor, show
:

Sorry, I missed the -inet6 keyword:

route -n add -inet6 default ::1 -blackhole

:or:
:
:# route -T75 add default ::1 -blackhole
:route: ::1: bad address
:
:Am I missing something in your message?
:
:(Is this btw a general recommendation or a proposed solution?)
:

Over 90% of the rdomain problems I've seen in the past are related to
missing routes.  Always have a default in every rdomain, even if it is a
blackhole route.


:
:On 04-07-2017 16:11, Peter Hessler wrote:
:> Always Always ALWAYS ALWAYS create a default route in each routing domain.
:>
:> !/sbin/route -T XXX default ::1 -blackhole
:>
:>
:>
:> On 2017 Jul 04 (Tue) at 15:16:24 +0200 (+0200), Claus Lensbøl wrote:
:> :Hi misc,
:> :
:> :I'm having trouble with implementing rdomains and IPv6.
:> :
:> :I have followed this guide which might be a bit old but the best I could
:> :find:
:> :https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/
:> :
:> :I have made a set-up with two machines connected by an OpenBSD router.
:> :
:> :Machine: "internet"
:> :============
:> :# cat /etc/hostname.em1
:> :inet6 2a01:7e8:1:800::2fd/126
:> :!route add 2a01:7e8:35:fab::/64 2a01:7e8:1:800::2fe
:> :
:> :Machine: "router"
:> :============
:> :# cat /etc/hostname.em1
:> :inet6 2a01:7e8:1:800::2fe/126
:> :!route -T 0 add 2a01:7e8:35:fab::/64 ::1
:> :# cat /etc/hostname.em2
:> :rdomain 75
:> :!route -T75 exec /usr/sbin/sshd
:> :inet6 alias 2a01:7e8:35:fab::1/64
:> :# pfctl -sr
:> :block return all
:> :pass all flags S/SA
:> :block return in on ! lo0 proto tcp from any to any port 6000:6010
:> :pass in on em2 inet6 from 2a01:7e8:35:fab::/64 to 2a01:7e8:1:800::2fd
:> :flags S/SA rtable 0
:> :pass out on em1 all flags S/SA
:> :
:> :Machine: "client"
:> :============
:> :# sudo ip addr add 2a01:7e8:35:fab::2/64 dev vboxnet0
:> :# sudo ip -6 route add 2a01:7e8:1:800::2fc/126 via 2a01:7e8:35:fab::1
:> :
:> :I am able to ping between router<->internet, router<->client, but not
:> :between client<->internet.
:> :
:> :If pinging from client->internet, no replies are returned. Doing tcpdump
:> :on em1 on the router gives:
:> :16:56:42.017347 2a01:7e8:35:fab::2 > 2a01:7e8:1:800::2fd: icmp6: echo
:> :request [flowlabel 0xe1717]
:> :16:56:42.017811 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
:> :16:56:42.018114 2a01:7e8:1:800::2fe > 2a01:7e8:1:800::2fd: icmp6: time
:> :exceeded in-transit for 2a01:7e8:35:fab::2
:> :
:> :Removing the route (route -T 0 delete 2a01:7e8:35:fab::/64 ::1) gives no
:> :replies and tcpdump gives:
:> :16:58:59.565667 2a01:7e8:35:fab::2 > 2a01:7e8:1:800::2fd: icmp6: echo
:> :request [flowlabel 0xe1717]
:> :16:58:59.566298 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
:> :16:58:59.569637 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
:> :
:> :Adding a route on em1 (rtable 0) as:
:> :# route -T 0 add 2a01:7e8:35:fab::/64 2a01:7e8:1:800::2fe
:> :, yields the same results as with no route.
:> :
:> :I tried removing all routes to 2a01:7e8:35:fab::/64 on the router, and
:> :add to pf:
:> :pass in on em1 inet6 to 2a01:7e8:35:fab::/64 rtable 75
:> :
:> :I'm pretty sure that I'm missing some understanding of rtables.
:> :Can someone point me in the right direction?
:> :I'm guessing that I need a way to move packets from rtable 0 to rtable 75.
:> :
:> :Btw, this set-up is made with virtualbox, but I have an identical
:> :physical set-up with the same issue.
:> :
:> :-- 
:> :Med venlig hilsen/Best regards
:> :Claus Lensbøl
:> :
:> :Fab:IT ApS
:> :Vesterbrogade 37, 2. th
:> :DK-1620 København
:> :Tlf: +45 70 202 407
:> :Main Site: www.fab-it.dk
:> :VPS Product: vpsforce.eu
:> :
:> :
:>
:

-- 
"Gee, Toto, I don't think we are in Kansas anymore."
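The rule Peter gives above ("always have a default in every rdomain, even if it is a blackhole route") is easy to audit. The script below is an added example, not code from the thread or from OpenBSD: it checks a list of rtable ids for a `default` entry in their IPv6 routing table and prints the blackhole command (Peter's `-T`, `add -inet6 default ::1 -blackhole` form) for any rdomain that lacks one. The two routing-table listings it parses are constructed samples that imitate `route -T N -n show -inet6` output, so it runs offline; on a live OpenBSD system the `show_rtable` stand-in would be replaced by the real command as noted in the comment.

```shell
#!/bin/sh
# Added example (not from the thread): audit that every listed rdomain
# carries a default IPv6 route. Runs offline on constructed sample output.

# Constructed sample imitating `route -T 0 -n show -inet6`: has a default.
SAMPLE_RT0='Routing tables

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
default                            2a01:7e8:1:800::2fd            UGS        0        0     -     8 em1
2a01:7e8:1:800::2fc/126            2a01:7e8:1:800::2fe            UCn        0        0     -     4 em1
::1                                ::1                            UHl        0        0 32768     1 lo0'

# Constructed sample imitating rtable 75 before the fix: no default route.
SAMPLE_RT75='Routing tables

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
2a01:7e8:35:fab::/64               2a01:7e8:35:fab::1             UCn        0        0     -     4 em2
::1                                ::1                            UHl        0        0 32768     1 lo0'

# show_rtable ID: print the IPv6 routing table of rdomain ID.
# Offline stand-in returning the constructed samples; on OpenBSD replace
# the body with:   route -T "$1" -n show -inet6
show_rtable() {
    case "$1" in
        0)  printf '%s\n' "$SAMPLE_RT0" ;;
        75) printf '%s\n' "$SAMPLE_RT75" ;;
        *)  return 1 ;;
    esac
}

# has_default_route ID: exit 0 if rtable ID lists a 'default' destination,
# 1 otherwise. The header lines never have 'default' in column 1.
has_default_route() {
    show_rtable "$1" | awk '$1 == "default" { found = 1 } END { exit (found ? 0 : 1) }'
}

# check_rdomains ID...: report each rdomain lacking a default route and
# suggest the blackhole route from the thread; the exit status is the
# number of rdomains without a default (0 means all are fine).
check_rdomains() {
    missing=0
    for id in "$@"; do
        if has_default_route "$id"; then
            echo "rtable $id: default route present"
        else
            echo "rtable $id: NO default route; add one, e.g. a blackhole:"
            echo "    route -T $id -n add -inet6 default ::1 -blackhole"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: check rtables 0 and 75 (the two rdomains in the thread).
if check_rdomains 0 75; then
    echo "all rdomains have a default route"
else
    echo "some rdomains are missing a default route"
fi
```

To make the route permanent, the same command belongs in the rdomain's hostname.if file with a leading `!`, next to the `rdomain` line, so it is re-created at boot.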
