Hi Peter

On 04-07-2017 16:32, Peter Hessler wrote:
> On 2017 Jul 04 (Tue) at 16:24:53 +0200 (+0200), Claus Lensbøl wrote:
> :Hi Peter,
> :
> :I'm getting:
> :# route -T75 default ::1 -blackhole
> :route: botched keyword: default
> :usage: route [-dnqtv] [-T tableid] command [[modifiers] args]
> :commands: add, change, delete, exec, flush, get, monitor, show
> :
>
> Sorry, I missed the -inet6 keyword:
>
> route -n add -inet6 default ::1 -blackhole

Doing this in rtable 0 gives issues as I already have a default route to
the internet machine.

# route -T0 -n add -inet6 default ::1 -blackhole
add net default: gateway ::1: File exists

Doing this in rtable 75 unfortunately has no impact (the pings still get
out but not back) (though it might be a good idea to have it there).

> :or:
> :
> :# route -T75 add default ::1 -blackhole
> :route: ::1: bad address
> :
> :Am I missing something in your message?
> :
> :(Is this btw a general recommendation or a proposed solution?)
> :
>
> Over 90% of the rdomain problems I've seen in the past, are related to
> missing routes. Always have a default in every rdomain, even if it is a
> blackhole route.

I guess I'm the 10% then. Do you have other tricks?

> :
> :On 04-07-2017 16:11, Peter Hessler wrote:
> :> Always Always ALWAYS ALWAYS create a default route in each routing domain.
> :>
> :> !/sbin/route -T XXX default ::1 -blackhole
> :>
> :> On 2017 Jul 04 (Tue) at 15:16:24 +0200 (+0200), Claus Lensbøl wrote:
> :> :Hi misc,
> :> :
> :> :I'm having trouble with implementing rdomains and IPv6.
> :> :
> :> :I have followed this guide which might be a bit old but the best I could
> :> :find:
> :> :https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/
> :> :
> :> :I have made a set-up with two machines connected by an OpenBSD router.
> :> :
> :> :Machine: "internet"
> :> :============
> :> :# cat /etc/hostname.em1
> :> :inet6 2a01:7e8:1:800::2fd/126
> :> :!route add 2a01:7e8:35:fab::/64 2a01:7e8:1:800::2fe
> :> :
> :> :Machine: "router"
> :> :============
> :> :# cat /etc/hostname.em1
> :> :inet6 2a01:7e8:1:800::2fe/126
> :> :!route -T 0 add 2a01:7e8:35:fab::/64 ::1
> :> :# cat /etc/hostname.em2
> :> :rdomain 75
> :> :!route -T75 exec /usr/sbin/sshd
> :> :inet6 alias 2a01:7e8:35:fab::1/64
> :> :# pfctl -sr
> :> :block return all
> :> :pass all flags S/SA
> :> :block return in on ! lo0 proto tcp from any to any port 6000:6010
> :> :pass in on em2 inet6 from 2a01:7e8:35:fab::/64 to 2a01:7e8:1:800::2fd
> :> :flags S/SA rtable 0
> :> :pass out on em1 all flags S/SA
> :> :
> :> :Machine: "client"
> :> :============
> :> :# sudo ip addr add 2a01:7e8:35:fab::2/64 dev vboxnet0
> :> :# sudo ip -6 route add 2a01:7e8:1:800::2fc/126 via 2a01:7e8:35:fab::1
> :> :
> :> :I am able to ping between router<->internet, router<->client, but not
> :> :between client<->internet.
> :> :
> :> :If pinging from client->internet, no replies are returned. Doing tcpdump
> :> :on em1 on the router gives:
> :> :16:56:42.017347 2a01:7e8:35:fab::2 > 2a01:7e8:1:800::2fd: icmp6: echo
> :> :request [flowlabel 0xe1717]
> :> :16:56:42.017811 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo
> :> :reply
> :> :16:56:42.018114 2a01:7e8:1:800::2fe > 2a01:7e8:1:800::2fd: icmp6: time
> :> :exceeded in-transit for 2a01:7e8:35:fab::2
> :> :
> :> :Removing the route (route -T 0 delete 2a01:7e8:35:fab::/64 ::1) gives no
> :> :replies and tcpdump gives:
> :> :16:58:59.565667 2a01:7e8:35:fab::2 > 2a01:7e8:1:800::2fd: icmp6: echo
> :> :request [flowlabel 0xe1717]
> :> :16:58:59.566298 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo
> :> :reply
> :> :16:58:59.569637 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo
> :> :reply
> :> :
> :> :Adding a route on em1 (rtable 0) as:
> :> :# route -T 0 add 2a01:7e8:35:fab::/64 2a01:7e8:1:800::2fe
> :> :yields the same results as with no route.
> :> :
> :> :I tried removing all routes to 2a01:7e8:35:fab::/64 on the router, and
> :> :adding to pf:
> :> :pass in on em1 inet6 to 2a01:7e8:35:fab::/64 rtable 75
> :> :
> :> :I'm pretty sure that I'm missing some understanding of rtables.
> :> :Can someone point me in the right direction?
> :> :I'm guessing that I need a way to move packets from rtable 0 to rtable 75.
> :> :
> :> :Btw, this set-up is made with virtualbox, but I have an identical
> :> :physical set-up with the same issue.
> :> :

--
Med venlig hilsen/Best regards
Claus Lensbøl

Fab:IT ApS
Vesterbrogade 37, 2. th
DK-1620 København
Tlf: +45 70 202 407
Main Site: www.fab-it.dk
VPS Product: vpsforce.eu
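An added check, not part of the thread: a small sh script that applies Peter's rule (a default route in every rdomain) to the output of `route -T <id> -n show -inet6`, one rtable at a time. The sample outputs, the table ids 0 and 75 and the entries in them are constructed to mirror the set-up above; on a real router the command output would be passed in instead.

```shell
#!/bin/sh
# Added example (not from the thread): apply the rule "every rdomain needs a
# default route" by checking `route -T <id> -n show -inet6` output per rtable.
# Constructed sample output stands in for the real command so this runs offline;
# on a router, feed "$(route -T"$id" -n show -inet6)" to check_rtable instead.

# Constructed: rtable 0 has a default via the "internet" machine (columns
# trimmed; only Destination and Gateway matter to the check).
SAMPLE_RT0='Routing tables

Internet6:
Destination           Gateway              Flags  Refs  Use  Mtu  Prio  Iface
default               2a01:7e8:1:800::2fd  UG     0     0    -    8     em1
2a01:7e8:35:fab::/64  ::1                  UGB    0     0    -    8     lo0'

# Constructed: rtable 75 only knows its connected prefix, no default at all.
SAMPLE_RT75='Routing tables

Internet6:
Destination           Gateway              Flags  Refs  Use  Mtu  Prio  Iface
2a01:7e8:35:fab::/64  link#2               UC     0     0    -    4     em2'

# has_default6 TEXT: exit 0 if the Internet6 section lists a "default" entry.
has_default6() {
    printf '%s\n' "$1" | awk '
        /^Internet6:/ { in6 = 1; next }
        /^Internet:/  { in6 = 0; next }
        in6 && $1 == "default" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_rtable ID TEXT: report, and return 1 when the default route is missing.
check_rtable() {
    if has_default6 "$2"; then
        echo "rtable $1: IPv6 default route present"
        return 0
    fi
    echo "rtable $1: no IPv6 default route; a blackhole default would be:"
    echo "  route -T$1 -n add -inet6 default ::1 -blackhole"
    return 1
}

missing=0
check_rtable 0 "$SAMPLE_RT0" || missing=$((missing + 1))
check_rtable 75 "$SAMPLE_RT75" || missing=$((missing + 1))
echo "$missing rtable(s) without an IPv6 default route"
```

Run it against each rtable listed in the router's hostname.if files; an rtable reported as missing its default is the first thing to fix before chasing pf rules.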