On 3/28/23 17:27, Stuart Henderson wrote:
> On 2023-03-28, Kaya Saman <kayasa...@gmail.com> wrote:
>> Anyway, what I am trying to figure out is how to NAT the rdomains?
>> At the moment from what I understand one has to put "rtable (n)" at the
>> end of the NAT rule...
>
> That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
> interface and $gnet_if) have been configured with "rdomain 2" then the
> route lookups will automatically use rtable 2 and you don't need to
> reset it in pf.
>
>> The rule in use is this one:
>> match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2
>
> If $vpn_net1 is the network associated with the g-networks connection
> then that, without the 'rtable 2', should probably do it, as long as
> those packets have not already been natted to a different address
> before they hit that rule.
>
> For debug you might like "match log(matches)" at the top of the ruleset
> and watch "tcpdump -neipflog0" to show which rules are actually matching
> (you get multiple lines of output per new connection as the ruleset
> is traversed; the rule numbers shown in the output can be looked up
> with pfctl -sr -R ##).
>
> It is definitely possible to do what you want with OpenBSD/PF, it's
> "just" a question of figuring out how ;)
I'm wondering for rdomains as I'm using a vlan as my egress interface,
do I need to use an svlan for Q-in-Q?
Just going through the man 4 vlan doc: https://man.openbsd.org/vlan.4
I rejigged things a bit and created a test vlan with an old laptop as
client that I'm trying to ping one of the Google addresses with. Both my
WAN vlan and internal vlan are on rdomain 2 but for some reason I'm not
able to activate NAT at all despite using a modified version of one of
my already existing match ... nat-to.... rules
So far tcpdump is showing LAN traffic on the external vlan instead of my
public IP which indicates that my NAT rules aren't working.... actually
I also have pftop -vr running too which isn't showing any packets
hitting the match rule for the G-NET default route.
Unfortunately till now I have not been able to get any traffic working
properly on rdomain 2 :-( and really stuck on what and how to do about
it....
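An added pf.conf fragment (constructed for this thread, not taken from either poster's config) that puts the quoted advice together: the nat-to rule without "rtable 2", with the "match log(matches)" debug rule at the top. It assumes $gnet_if, $wan_gnet and $vpn_net1 are defined as in the quoted rule and that both the internal vlan and the egress vlan already carry "rdomain 2" in their hostname.if files.

```pf
# Constructed example, not from the thread. Macro values are placeholders;
# both vlan interfaces are assumed to have "rdomain 2" set via ifconfig.
gnet_if  = "vlan3"           # egress vlan towards the G-NET uplink (assumed)
wan_gnet = "192.0.2.10"      # public address on $gnet_if (placeholder)
vpn_net1 = "10.20.0.0/24"    # internal vlan network in rdomain 2 (placeholder)

# Debug aid: log every rule a packet matches while the ruleset is walked.
# Watch with:   tcpdump -n -e -i pflog0
# Each line shows "rule N/(match) ..."; look N up with:  pfctl -sr -R N
# (pfctl -vvsr also prints the "@N" rule numbers inline.)
match log(matches)

# NAT for traffic leaving on the uplink. No "rtable 2" here: because the
# interfaces are in rdomain 2, pf's route lookup already uses rtable 2.
# Keep this rule ahead of any other nat-to that could translate the same
# packets first, otherwise the source address is no longer in $vpn_net1.
match out on $gnet_if from $vpn_net1 nat-to $wan_gnet

# match rules only set the translation; pass rules must still allow the flow.
pass in  on vlan10   from $vpn_net1
pass out on $gnet_if from $vpn_net1
```

If pftop or tcpdump on pflog0 never shows the nat-to rule matching, check that the client's vlan really is in rdomain 2 ("ifconfig vlan10" prints the rdomain) and that the packets still carry a $vpn_net1 source address when they reach the rule.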