Hello

You may need a direct route to the gateway as well.

Happy holidays,
Scott


On Dec 24, 2017 4:08 PM, "Paul B. Henson" <hen...@acm.org> wrote:

Thanks for the info. I don't want to move any interfaces to a
non-default routing domain, I just want to be able to run a process with
a different default route. I can make that work, via the route -T 10
exec you mention after setting a default route in that domain.

But I can't seem to get traffic for my local subnet sent out my
internal interface, even after I add a route to it in the non-default
routing domain. Dunno, maybe I'm missing something.

I set it up like:

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            24.x.x.x           UGS        0        2     -     8 umb0
10.0/16            10.128.0.20        UGS        0        0     -     8 em0

But 'ping 10.128.0.20' shows the packets going out umb0, not em0?

Thanks again.

On Sat, Dec 23, 2017 at 05:07:37PM +0100, Sebastian Benoit wrote:
>
> When you create a new routing domain, for example by adding an interface to
> a routing domain (e.g. ifconfig umb0 rdomain 10), you create a new routing
> table 10. It will be empty until you add an address on umb0 or, for example,
> add your default route.
>
> This routing table will be used to forward packets that are "in that routing
> domain" (the packet is marked with the rdomain or rather the rtable it will
> use). How does the packet get marked?
>
> Three ways:
>
> * with pf, as you have discovered. As the manpage documents, the
> mark needs to be set before route lookup is done.
>
> * when a packet comes in on an interface in rdomain 10, it will stay in
> rdomain 10 (unless pf changes it).
>
> * a packet is generated on the local machine by a process that "is in that
> routing domain". I.e. processes are also marked with a rdomain.
>
> To start a process in a specific rdomain (10), use "route -T 10 exec
> command", for example
>
>   route -T 10 exec ping -n ip
>
> or even
>
>   route -T 10 exec ksh
>
> Processes spawned by that shell will inherit the rdomain.
>
> Note that I used -n in the ping example. DNS resolving using the resolvers
> in resolv.conf might not work, as long as those resolvers are not reachable
> in rdomain 10.
>
> Hope this helps ...
