Thank you, that works fine.

Jiri


On Thu, Jan 31, 2019 at 11:26 PM Sebastian Benoit <benoit-li...@fb12.de> wrote:
>
> Jiri B(jiri...@gmail.com) on 2019.01.31 22:23:34 +0100:
> > Hello,
> >
> > I'm trying to isolate an app running on OpenBSD on network level and thus I
> > have started
> > the app in a specific rdomain.
> >
> > I can successfully make traffic from the rdomain to reach Internet:
> >
> > pass out quick on rdomain 1 to any nat-to (egress) rtable 0
>
> that rule is only evaluated when the packets pass through a network
> interface.
>
> > But I cannot figure out how to make the app in this rdomain 1 communicate
> > with daemons in the default rdomain (0).
> >
> > With above rule I would see something like this on lo0 (rdomain0):
> >
> > Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)
> >
> > Tested with route -T 1 exec dig @199.195.x.x  www.openbsd.org.
> > It seems it does not know how to send back replies?
>
> yes, because rdomain 0 does not have a route to what network you have in
> rdomain 1.
>
> Btw. it's hard to talk about this without you giving the actual networks and
> IPs used.
>
> > Without 'nat-to (egress)' the replies would just be sent via the default gw in
> > rdomain 0:
> >
> > mx1# tcpdump -i vio0 -n -e -ttt icmp
> > tcpdump: listening on vio0, link-type EN10MB
> > Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98:
> > 199.195.x.x > 172.16.1.2: icmp: echo reply
> >
> > (172.16.1.2 was the IP in rdomain 1)
> >
> > Any idea what PF rule would make this work, i.e. make an app in
> > rdomain X talk to daemons in rdomain 0?
> >
> > I also tried to use pair interfaces but I failed too.
>
> Try this:
>
> # set up two connected pair interfaces:
> ifconfig pair8 inet 192.168.2.8/24 rdomain 8
> ifconfig pair1 inet 192.168.2.1/24 rdomain 0
> ifconfig pair1 patch pair8
>
> # they now can ping each other:
> ping 192.168.2.8
> route -T 8 exec ping 192.168.2.1
>
> # my em0 interface in rdomain 0 has the IP 192.168.1.52:
> em0: flags=208847<UP,BROADCAST,DEBUG,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
>         lladdr 44:c6:86:5a:c2:f7
>         index 1 priority 0 llprio 3
>         groups: egress
>         media: Ethernet autoselect
>         status: active
>         inet 192.168.1.52 netmask 0xffffff00 broadcast 192.168.1.255
>
> # add a route to 192.168.1.52 to rdomain 8:
> route -T 8 add 192.168.1.52 192.168.2.1
> route -T 8 exec ping 192.168.1.52
>
> # the traffic back from rdomain 0 to rdomain 8 works now, because packets
> # are sent with source ip 192.168.2.8, and rdomain 0 has a route to that IP
> # through pair1.
>
> Now run your service on 192.168.1.52.
>
> /Benno
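The recipe Benno gives above, as an added example that is not part of the thread and not his or the OpenBSD project's code: a small POSIX sh script that applies the same pair(4) steps for any rdomain number, /24 link prefix and rdomain-0 service address, with input checks and a teardown. It assumes OpenBSD, root, and that the chosen /24 is unused on the host; the interface names (pairN for the isolated end, pairN0 for the rdomain-0 end) and the .1/.2 link addresses are conventions chosen here, not something the thread fixes. With DRY_RUN=1 the commands are printed instead of executed, so the generated ifconfig/route lines can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example (not code from the thread): parameterised pair(4) recipe for
# letting an app in rdomain N reach one service address in rdomain 0.
# Assumptions: OpenBSD, run as root, pair(4) available, PREFIX24 unused.
# Naming/addressing conventions chosen here: pairN (app end, .2) and
# pairN0 (rdomain-0 end, .1).
# DRY_RUN=1 prints each command instead of executing it.

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A usable non-default rdomain id is a small positive integer; 0 is the default.
is_rdomain_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ] && [ "$1" -lt 256 ]
}

# First three dotted octets of a /24, e.g. 192.168.2 (digits and dots only).
is_prefix24() {
    case "$1" in
        *[!0-9.]*|*.*.*.*|.*|*.) return 1 ;;
        *.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# rdomain_pair_setup RDOMAIN PREFIX24 SERVICE_IP
#   RDOMAIN     routing domain the isolated app runs in (e.g. 8)
#   PREFIX24    unused /24 for the pair link (e.g. 192.168.2)
#   SERVICE_IP  rdomain-0 address the app must reach (e.g. 192.168.1.52)
rdomain_pair_setup() {
    rd="$1"; net="$2"; svc="$3"
    is_rdomain_id "$rd" || { echo "bad rdomain id: $rd" >&2; return 1; }
    is_prefix24 "$net"  || { echo "bad /24 prefix: $net" >&2; return 1; }
    [ -n "$svc" ]       || { echo "service IP required" >&2; return 1; }
    app_if="pair${rd}"; host_if="pair${rd}0"
    # 1. one pair end inside the rdomain, one in rdomain 0, then patch them
    run ifconfig "$app_if"  inet "${net}.2/24" rdomain "$rd"
    run ifconfig "$host_if" inet "${net}.1/24" rdomain 0
    run ifconfig "$host_if" patch "$app_if"
    # 2. the isolated rdomain gets exactly one host route, via the pair link.
    #    Nothing is added in rdomain 0: the app's packets carry source
    #    ${net}.2, which rdomain 0 already reaches through $host_if, so the
    #    replies find their way back (the point Benno makes above).
    run route -T "$rd" add "$svc" "${net}.1"
}

# Reachability check from inside the rdomain (one echo request).
rdomain_pair_check() {
    run route -T "$1" exec ping -c 1 "$2"
}

# rdomain_pair_teardown RDOMAIN SERVICE_IP: remove the route, then both ends.
rdomain_pair_teardown() {
    rd="$1"; svc="$2"
    is_rdomain_id "$rd" || return 1
    run route -T "$rd" delete "$svc"
    run ifconfig "pair${rd}0" destroy
    run ifconfig "pair${rd}" destroy
}

# Script usage: rdomain-pair.sh RDOMAIN PREFIX24 SERVICE_IP
if [ "$#" -eq 3 ]; then
    rdomain_pair_setup "$1" "$2" "$3" && rdomain_pair_check "$1" "$3"
fi
```

Two practical notes. The daemons in rdomain 0 will see the isolated app connecting from the link address (.2 of the chosen /24), so any address-based access control on those daemons must allow that address. And because the only route added inside the rdomain is a single host route, the app's reach into rdomain 0 stays limited to that one service address unless further routes or PF rules (such as the nat-to rule from the original question) are added on purpose.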