Re: NAT Reflection rules for FreeBSD PF

2016-11-16 Thread Niklaas Baudet von Gersdorff
Oliver Peter [2016-11-16 12:05 +0100] : > The interesting thing here is that /all/ traffic happens on lo0 - even for > jail1 which sits on lo1 only - which I don't understand. I had been wondering about the same thing some while ago: http://marc.info/?l=freebsd-questions&m=147049889417893&w=2

Re: ARP table entries / ifconfig needs to be issued twice when moving IP

2016-06-21 Thread Niklaas Baudet von Gersdorff
Michael Gmelin [2016-06-21 11:25 +0200] : > As the packets came from host C, this is expected behaviour. Host C had > the ARP entry cached (or if it wasn't on the same network, some network > equipment had). Ok. Thanks a lot for clarifying this. > What I'm describing is the machine having the IP

Re: ARP table entries / ifconfig needs to be issued twice when moving IP

2016-06-20 Thread Niklaas Baudet von Gersdorff
Michael Gmelin [2016-06-21 02:27 +0200] : > I'm not sure if it's just me being tired, but I'm facing the following > problem on 10.3-RELEASE when moving an IPv4 alias from one host to > the other. This is an example of what I'm seeing: [...] > It's still in the arp table as a non-permanent entry,

Re: And what about ipv6_defaultrouter?

2016-06-10 Thread Niklaas Baudet von Gersdorff
Hiroki Sato [2016-06-11 06:00 +0900] : > "rfc6204w3" is only documented in the result of "sysctl -d > net.inet6.ip6.rfc6204w3". This is what I was looking for. Thanks a lot. Niklaas

Re: And what about ipv6_defaultrouter?

2016-06-10 Thread Niklaas Baudet von Gersdorff
Hiroki Sato [2016-06-11 05:37 +0900] : > Unfortunately there is no documentation other than manual page > because this is a bit tricky. rc.conf(5) explains as follows: > > >ipv6_cpe_wanif > > (str) If the variable is set to an interface name, the > ifconfig(8) options ``i

Re: And what about ipv6_defaultrouter?

2016-06-10 Thread Niklaas Baudet von Gersdorff
Hiroki Sato [2016-06-10 22:50 +0900] : > A router does not accept RAs (more strictly, default route > information in RA) because it is a sender of RAs. However, some > devices such as CPE need to behave like a host for the uplink and a > router for the LAN. In that case, an interface on the

Re: And what about ipv6_defaultrouter?

2016-06-10 Thread Niklaas Baudet von Gersdorff
krad [2016-06-10 11:23 +0100] : > No, you should only need the if you want to act as a router for some other > machines. > > gateway_enable="YES" > ipv6_gateway_enable="YES" I need these for jails that are connected on lo1 and a VPN tunnel on tap0. Sorry, in case that was essential information t

Re: And what about ipv6_defaultrouter?

2016-06-10 Thread Niklaas Baudet von Gersdorff
Niklaas Baudet von Gersdorff [2016-06-10 08:52 +0200] : > 8< > ifconfig_vtnet0="DHCP" > ifconfig_vtnet0_ipv6="inet6 accept_rtadv" > rtsold_enable="YES" > >

And what about ipv6_defaultrouter?

2016-06-09 Thread Niklaas Baudet von Gersdorff
Hello, according to my provider, both the IPv6 and the default gateway for my virtual server are sent via router advertisements. So, I have the following in rc.conf: 8< ifconfig_vtnet0="DHCP" ifconfig_vtnet0_ipv6="inet6 accept_rtadv" rtsold_enable="YES" ---

Re: Getting CARP to broadcast on a different interface

2016-06-09 Thread Niklaas Baudet von Gersdorff
I can't believe it but I managed to do this: Niklaas Baudet von Gersdorff [2016-06-08 18:30 +0200] : > Then, I could use devd to assign the public failover IP (that I actually > wanted to share with CARP on vtnet0) to the public interface vtnet0. > CARP(4) provides an example on h

Re: Getting CARP to broadcast on a different interface

2016-06-08 Thread Niklaas Baudet von Gersdorff
Niklaas Baudet von Gersdorff [2016-06-08 18:30 +0200] : > Then, I could use devd to assign the public failover IP (that I actually > wanted to share with CARP on vtnet0) to the public interface vtnet0. > CARP(4) provides an example on how to use carp status change events for >

Re: Getting CARP to broadcast on a different interface

2016-06-08 Thread Niklaas Baudet von Gersdorff
Matthew Grooms [2016-06-08 11:02 -0500] : > Rewriting the multicast destination would be a neat trick, but sadly no. > You can't rewrite a destination address on egress. Using a route-to rule > would only modify the destination MAC address. If you were using > OpenBSD, you would switch from mul

Re: Getting CARP to broadcast on a different interface

2016-06-08 Thread Niklaas Baudet von Gersdorff
Trond Endrestøl [2016-06-08 15:53 +0200] : > Although it sounds pretty bad, you could set up CARP on the internal > network and use those CARP events to control the main interfaces, e.g. > re-adjust their announcement intervals, or something equally awful. Thanks, Trond. As you said, not that it

Getting CARP to broadcast on a different interface

2016-06-08 Thread Niklaas Baudet von Gersdorff
Hello, is it possible to configure CARP in such a way that it sends its broadcasts on an interface different from the one that gets the shared IP address assigned? Unfortunately, my provider blocks broadcast and multicast on public interfaces of virtual machines. However, they offer to set up an

Re: IPv6, ULAs and FreeBSD

2016-05-28 Thread Niklaas Baudet von Gersdorff
Mark Tinka [2016-05-28 14:11 +0200] : > Why don't you have GUA IPv6 address space? > > Your ISP should be able to assign you a /48 or /56 prefix for you to > use on your LAN. That's more than plenty of space. As I wrote, I only got a /112 from my ISP. This still exceeds the amount of addresses t

Re: IPv6, ULAs and FreeBSD

2016-05-27 Thread Niklaas Baudet von Gersdorff
Mark Tinka [2016-05-27 23:57 +0200] : > On 27/May/16 21:02, Kevin Oberman wrote: > > > This is fine, but why not use link-local for the VPN links? That's > > the primary reason for them. > > That's really not good advice. > > I'd caution against using link-local addresses for any type of > serv

Re: IPv6, ULAs and FreeBSD

2016-05-27 Thread Niklaas Baudet von Gersdorff
Kevin Oberman [2016-05-27 12:02 -0700] : > This is fine, but why not use link-local for the VPN links? That's the > primary reason for them. (N.B. I am not aware of your architectural > details, and ULAs for the VPNs might be appropriate.) Is it? I didn't know that I can use link-local addresses

Re: IPv6, ULAs and FreeBSD

2016-05-27 Thread Niklaas Baudet von Gersdorff
sth...@nethelp.no [2016-05-27 08:53 +0200] : > I don't see any problem using ULA with for instance /124 netmask: [...] > 96 bit works too: [...] FreeBSD version? Mine is 10.3-RELEASE-p3. Dunno. Could be that I made some mistake but I also tried the setup with /96 and adding the route to the tap0

Re: IPv6, ULAs and FreeBSD

2016-05-27 Thread Niklaas Baudet von Gersdorff
Kevin Oberman [2016-05-26 21:11 -0700] : > There are a lot of excellent reasons to avoid ULAs. There are a very > few good, or even so-so reasons to use them. The most commonly cited > reason is security which is almost always wrong. In almost 20 years of > working with IPv6 I have yet to see any

Re: IPv6, ULAs and FreeBSD

2016-05-26 Thread Niklaas Baudet von Gersdorff
://www.tinc-vpn.org/pipermail/tinc/2016-May/004573.html Niklaas Baudet von Gersdorff [2016-05-24 08:17 +0200] : > I want to serve IPv4 subnets 10.1.0.0/16 (machine A) and 10.2.0.0/16 > (machine B), and IPv6 subnets fd16:dcc0:f4cc:0:0:1::/96 (machine A) and > fd16:dcc0:f4cc:0:0:2::/96 (

tinc and IPv6 routing, or: how to set up a local IPv6

2016-05-22 Thread Niklaas Baudet von Gersdorff
Hello, I already consulted freebsd-questions@ [1] but I have remained unsuccessful to solve the following issue. In case this is something obvious, please bear with me. I am not a professional, it's just my hobby to play around with computers. 1: http://docs.freebsd.org/cgi/mid.cgi?20160519124