On Mon, 15 Apr 2024, at 21:33, Thomas wrote:
> Hi all,
>
> I'm greatly enjoying OpenBSD and have it on most of my devices as I try 
> to set up my "perfect lab". I would like some feedback / thoughts about 
> one behaviour which I don't quite get. 
>
> I have a VM for the world facing side of my network. I have a wireguard 
> network to link it up to a home router and other devices. My wireguard 
> traffic is coming onto my VM through wg0. 
>
> On my home router, I'm redirecting all wifi traffic to wg0 using the 
> routing tables like so:
> default          192.168.0.1    wg0
> IP_VM            IP_Gateway     bse0
> 192.168.0.1      wg0            wg0
>
> And natting outbound traffic on wg0 like so:
> pass out on wg0 from $int_if:network nat-to wg0
>
> I wanted to try out using route-to on my VM instead of using different 
> rdomain or just to try something else. I have another wireguard tunnel, 
> wg1 to relay my internal traffic further. 
>
> I did not touch the routing tables at all and have something like:
> pass in on wg0 inet from wg0:network to !wg0:network route-to wg1
> pass out on wg1 nat-to wg1
>
> Works like a charm. Now what I don't get is that for troubleshooting 
> purposes, I needed to send some traffic to the world on my VM (instead 
> of onward through wg1) and I initially tried:
> pass in log on wg0 inet from wg0:network to !wg0:network route-to vio0
> pass out log on $vio0 nat-to $vio0
>
> Routing tables:
> default          IP_Gateway     vio0
> _Gateway         MAC_Gateway    vio0
>
> But this does not work. Removing "route-to vio0" does work, e.g.
> pass in log on wg0 inet from wg0:network to !wg0:network #route-to vio0
> pass out log on vio0 nat-to vio0

Never mind, I forgot to check this mailing list and read that I needed to put 
the source address on this line:
pass in log on wg0 inet from wg0:network to !wg0:network route-to IP_GATEWAY

I suppose that then the oddity is that this works with wg1 and may be a corner 
case of the wireguard interface as it's assigned xxx.xxx.xxx.xxx/32 by the VPN 
provider and so destination address = source address?

One side question as I consider using rdomain. man 4 rdomain gives as an 
example:
A pf.conf(5) snippet to block incoming port 80, and nat-to and move to
rtable 0 on interface em1:
       block in on rdomain 4 proto tcp to any port 80
       match out on rdomain 4 to !$internal_net nat-to (em1) rtable 0

Should it not be "match in" in the 2nd line? man 5 pf.conf reads:
rtable number
             Used to select an alternate routing table for the routing lookup.
             Only effective before the route lookup happened, i.e. when
             filtering inbound.
Or does it work because it's a match statement? 

Thanks all,
