Zach Nedwich (z...@znedw.com) on 2019.02.03 07:54:23 +1000:
> Apologies for hijacking but how can I redirect other hosts to a pair in
> PF? I've tried adding a route manually to the hosts via the gateway and
> adding a rdr-to in PF but I can't reach any hosts in the second rdomain,
> only the gateway.

Well, I guess you might be missing a route. But you are not giving any
details, just a vague description of your problem. If I want to read about
puzzles, I prefer reading Ready Player One, not openbsd-misc.

/B

> Cheers,
> Zach
>
> On February 3, 2019 7:20:28 AM GMT+10:00, Jiri B <jiri...@gmail.com> wrote:
> > Thank you, that works fine.
> >
> > Jiri
> >
> > On Thu, Jan 31, 2019 at 11:26 PM Sebastian Benoit <benoit-li...@fb12.de> wrote:
> >>
> >> Jiri B (jiri...@gmail.com) on 2019.01.31 22:23:34 +0100:
> >> > Hello,
> >> >
> >> > I'm trying to isolate an app running on OpenBSD on network level and thus I
> >> > have started the app in a specific rdomain.
> >> >
> >> > I can successfully make traffic from the rdomain to reach Internet:
> >> >
> >> > pass out quick on rdomain 1 to any nat-to (egress) rtable 0
> >>
> >> that rule is only evaluated when the packets pass through a network
> >> interface.
> >>
> >> > But I cannot figure out how to make the app in this rdomain 1 to communicate
> >> > with daemons in default rdomain (0).
> >> >
> >> > With above rule I would see something like this on lo0 (rdomain 0):
> >> >
> >> > Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)
> >> >
> >> > Tested with route -T 1 exec dig @199.195.x.x www.openbsd.org.
> >> > It seems it does not know how to send back replies?
> >>
> >> yes, because rdomain 0 does not have a route to what network you have in
> >> rdomain 1.
> >>
> >> Btw. it's hard to talk about this without you giving the actual networks and
> >> IPs used.
> >>
> >> > Without 'nat-to (egress)' the replies would be just sent via default gw in
> >> > rdomain 0:
> >> >
> >> > mx1# tcpdump -i vio0 -n -e -ttt icmp
> >> > tcpdump: listening on vio0, link-type EN10MB
> >> > Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98:
> >> > 199.195.x.x > 172.16.1.2: icmp: echo reply
> >> >
> >> > (172.16.1.2 was the IP in rdomain 1)
> >> >
> >> > Any idea what would be the PF rule to make this work, i.e. make an app in
> >> > rdomain X talk to daemons in rdomain 0.
> >> >
> >> > I also tried to use pair interfaces but I failed too.
> >>
> >> Try this:
> >>
> >> # set up two connected pair interfaces:
> >> ifconfig pair8 inet 192.168.2.8/24 rdomain 8
> >> ifconfig pair1 inet 192.168.2.1/24 rdomain 0
> >> ifconfig pair1 patch pair8
> >>
> >> # they now can ping each other:
> >> ping 192.168.2.8
> >> route -T 8 exec ping 192.168.2.1
> >>
> >> # my em0 interface in rdomain 0 has the IP 192.168.1.52:
> >> em0: flags=208847<UP,BROADCAST,DEBUG,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
> >>         lladdr 44:c6:86:5a:c2:f7
> >>         index 1 priority 0 llprio 3
> >>         groups: egress
> >>         media: Ethernet autoselect
> >>         status: active
> >>         inet 192.168.1.52 netmask 0xffffff00 broadcast 192.168.1.255
> >>
> >> # add a route to 192.168.1.52 to rdomain 8:
> >> route -T 8 add 192.168.1.52 192.168.2.1
> >> route -T 8 exec ping 192.168.1.52
> >>
> >> # the traffic back from rdomain 0 to rdomain 8 works now, because packets
> >> # are sent with source ip 192.168.2.8, and rdomain 0 has a route to that IP
> >> # through pair1.
> >>
> >> Now run your service on 192.168.1.52.
> >>
> >> /Benno
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
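As an added example (not code from the thread or from Benno), the steps above turned into a parametrised script, plus a pf ruleset so that the application in the isolated rdomain can reach exactly the one service in rdomain 0 and nothing else. The rdomain number, pair names and addresses are the ones from the thread; the service port (53) and the ACT dry-run switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a parametrised version of Benno's
# pair-interface setup plus a pf ruleset so that the application in the
# isolated rdomain can reach exactly one service in rdomain 0, nothing else.
# Names and addresses are the thread's; SERVICE_PORT and ACT are assumptions.
set -eu

RD=8                      # isolated routing domain for the application
PAIR_IN=pair8             # pair end that lives inside rdomain 8
PAIR_OUT=pair1            # pair end in rdomain 0
LINK=192.168.2            # /24 used on the pair link
SERVICE_IP=192.168.1.52   # rdomain 0 address the daemon listens on
SERVICE_PORT=53           # assumed: the daemon is a DNS resolver

# Print each command; run it only when ACT=1 (needs root on OpenBSD).
run() {
    echo "$*"
    if [ "${ACT:-0}" = 1 ]; then "$@"; fi
}

setup_link() {
    run ifconfig "$PAIR_IN" inet "$LINK.$RD/24" rdomain "$RD"
    run ifconfig "$PAIR_OUT" inet "$LINK.1/24" rdomain 0
    run ifconfig "$PAIR_OUT" patch "$PAIR_IN"
    # Host route only: rdomain 8 gets no default route over the link, so
    # the application can reach the service and nothing behind it.
    run route -T "$RD" add "$SERVICE_IP" "$LINK.1"
}

# pf rules for the rdomain 0 end of the link, to be added to pf.conf.
# pass keeps state, so the service's replies back to 192.168.2.8 match
# the state entry and need no rule; anything else on pair1 is dropped.
pf_rules() {
    cat <<EOF
block drop log on $PAIR_OUT
pass in on $PAIR_OUT inet proto icmp from $LINK.$RD to $SERVICE_IP icmp-type echoreq
pass in on $PAIR_OUT inet proto { tcp udp } from $LINK.$RD to $SERVICE_IP port $SERVICE_PORT
EOF
}

# Same connectivity check as in the thread, from inside the rdomain.
check() {
    run route -T "$RD" exec ping -c 1 "$SERVICE_IP"
}

setup_link
pf_rules
check
```

Without ACT=1 the script only prints the ifconfig/route commands and the pf rules, so it can be reviewed before being applied on the OpenBSD host.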