Re: route gateway link#0 meaning

2025-01-19 Thread Janne Johansson
I'm trying to understand the output of > route -n show -inet6: > > fd00:1234:5678:9abc::1 link#0UHc0 2352456 - > 3 wg0 > fd00:1234:5678:9abc::2 wg0 UHl0 4290 - > 1 wg0 > fd00:1234:5678:9abc::4

route gateway link#0 meaning

2025-01-18 Thread Chris Narkiewicz
utput of route -n show -inet6: fd00:1234:5678:9abc::1 link#0UHc0 2352456 - 3 wg0 fd00:1234:5678:9abc::2 wg0 UHl0 4290 - 1 wg0 fd00:1234:5678:9abc::4 link#0UHc0 3936647 - 3 wg0 fd00:1234

pf route-to

2024-08-12 Thread 04-psyche . totter
Hi all, I am failing at a basic routing. I have included this rule in my pf.conf: pass out quick proto udp from any to any port 51820 route-to 192.168.1.254 I thought this would be force egress traffic with destination port 51820 to use 192.168.1.254 as a gateway, instead of the default

Re: default route for a subset of addresses

2024-07-18 Thread Kapetanakis Giannis
> wgkey > wgpeer wgaip 0.0.0.0/0 wgendpoint 51868 > !route -T4 -n add default 10.2.0.2 > wgrtable 0 > == > I started to realize that that wg interface had no clue how to get > back to the hosts on the vlan. Attempting to add routes did not work &

Re: default route for a subset of addresses

2024-07-17 Thread Sonic
On Wed, Jul 17, 2024 at 11:55 AM Sonic wrote: > The wg interface using an rdomain: Got it to work, although it seems a bit convoluted. The wg interface config: == rdomain 4 inet 10.2.0.2/32 wgkey wgpeer wgaip 0.0.0.0/0 wgendpoint 51868 !route -T4 -n add defa

Re: default route for a subset of addresses

2024-07-17 Thread Sonic
On Tue, Jul 16, 2024 at 3:23 PM Stuart Henderson wrote: > Your route-to should specify the IP to send packets to, not an interface > (which would expand to the _local_ address on that interface) Even then the problem exists. Tried today with an rdomain and the same issue. I'm thinki

Re: default route for a subset of addresses

2024-07-16 Thread Stuart Henderson
Your route-to should specify the IP to send packets to, not an interface (which would expand to the _local_ address on that interface) -- Sent from a phone, apologies for poor formatting. On 16 July 2024 20:17:08 Sonic wrote: On Mon, Jul 15, 2024 at 6:17 PM Stuart Henderson wrote: Your

Re: default route for a subset of addresses

2024-07-16 Thread Sonic
On Mon, Jul 15, 2024 at 6:17 PM Stuart Henderson wrote: > Your main options are to use PF route-to (config for this is reasonably > obvious, but make sure that wgaip is set to allow the relevant addresses), > > route-to is reasonably obvious. The problem I'm having with route-

Re: default route for a subset of addresses

2024-07-16 Thread Sonic
On Tue, Jul 16, 2024 at 4:41 AM Zé Loff wrote: > Apologies, I misread your question. Sorry for the noise. My query was not as clear as it could have been. My apologies and thank you for your input. Chris

Re: default route for a subset of addresses

2024-07-16 Thread Zé Loff
On Mon, Jul 15, 2024 at 09:20:49PM -0400, Sonic wrote: > On Mon, Jul 15, 2024 at 5:36 PM Zé Loff wrote: > > If it is specific for a subset of addresses, and not the default > > route then... it won't be the default. It'll be a specific route for > > those address

Re: default route for a subset of addresses

2024-07-15 Thread Sonic
On Mon, Jul 15, 2024 at 6:17 PM Stuart Henderson wrote: > Your main options are to use PF route-to (config for this is reasonably > obvious, but make sure that wgaip is set to allow the relevant addresses), > or use multiple rtables and use PF to adjust the rtable used for packets >

Re: default route for a subset of addresses

2024-07-15 Thread Sonic
On Mon, Jul 15, 2024 at 5:36 PM Zé Loff wrote: > If it is specific for a subset of addresses, and not the default > route then... it won't be the default. It'll be a specific route for > those addresses. I mean a default route from those specific addresses that is differe

Re: default route for a subset of addresses

2024-07-15 Thread Stuart Henderson
On 2024-07-15, Sonic wrote: > Hello, > > I'm trying to find the best way (although I haven't been successful at > finding any way currently) to have a default route for a subset of > addresses. > > I have several vlans, but no vlan interfaces on the OpenBSD router

Re: default route for a subset of addresses

2024-07-15 Thread Zé Loff
On Mon, Jul 15, 2024 at 05:26:03PM -0400, Sonic wrote: > Hello, > > I'm trying to find the best way (although I haven't been successful at > finding any way currently) to have a default route for a subset of > addresses. If it is specific for a subset of addresses, and n

default route for a subset of addresses

2024-07-15 Thread Sonic
Hello, I'm trying to find the best way (although I haven't been successful at finding any way currently) to have a default route for a subset of addresses. I have several vlans, but no vlan interfaces on the OpenBSD router as the routing between vlans is handled by a layer 3 switch. I

Re: route -n show blackhole routes

2024-06-25 Thread Claudio Jeker
On Tue, Jun 25, 2024 at 10:54:16AM +0200, Claudio Jeker wrote: > On Tue, Jun 25, 2024 at 08:35:18AM -, Stuart Henderson wrote: > > On 2024-06-24, Tom Smyth wrote: > > > Folks, > > > while reviewing nsh I was wondering how to improve show route > > >

Re: route -n show blackhole routes

2024-06-25 Thread Tom Smyth
so what is the alternative pardon my ignorance but is it like a views in a DB so we use a bit more memory so as the route (eg blackhole route is copied to a table of blackhole routes ? and an arp entry / host route is copied to an arp table that can be dumped on demand .. (with the necessary

Re: route -n show blackhole routes

2024-06-25 Thread Tom Smyth
Thanks Stuart, Ill take a look at how the prefix searches are done ... and see if I can re-use that for route(8) if people think that it would be useful to have in route(8) Thanks again, Tom Smyth On Tue, 25 Jun 2024 at 09:39, Stuart Henderson wrote: > > On 2024-06-24, Tom Smyth

Re: route -n show blackhole routes

2024-06-25 Thread Claudio Jeker
On Tue, Jun 25, 2024 at 08:35:18AM -, Stuart Henderson wrote: > On 2024-06-24, Tom Smyth wrote: > > Folks, > > while reviewing nsh I was wondering how to improve show route commands... > > reviewing the man route man page, > > > > there doesnt seem

Re: route -n show blackhole routes

2024-06-25 Thread Stuart Henderson
On 2024-06-24, Tom Smyth wrote: > Folks, > while reviewing nsh I was wondering how to improve show route commands... > reviewing the man route man page, > > there doesnt seem to be a straight forward way of displaying > blackhole routes without using > > route sh

route -n show blackhole routes

2024-06-24 Thread Tom Smyth
Folks, while reviewing nsh I was wondering how to improve show route commands... reviewing the man route man page, there doesnt seem to be a straight forward way of displaying blackhole routes without using route show |grep B for blackhole route show |grep R for Reject is there something

Re: Issue with pf route-to and routing tables

2024-04-16 Thread Thomas
ables like so: > default192.168.0.1 wg0 > IP_VM IP_Gatewaybse0 > 192.168.0.1 wg0 wg0 > > And natting outbound traffic on wg0 like so: > pass out on wg0 from $int_if:network nat-to wg0 > > I wanted to try out using

Issue with pf route-to and routing tables

2024-04-15 Thread Thomas
bse0 192.168.0.1 wg0 wg0 And natting outbound traffic on wg0 like so: pass out on wg0 from $int_if:network nat-to wg0 I wanted to try out using route-to on my VM instead of using different rdomain or just to try something else. I have another wireguard tunnel, wg1 to relay my inte

Re: Programmatically add default IPv6 route

2024-02-23 Thread Florian Obser
er >> when adding a default IPv6 route to PPP peer. >> >> Feb 23 17:26:45 rt-01 pppd[64071]: Couldn't add IPv6 default route: Network >> is unreachable >> >> Adding the default route from route(8) works when the connection is >> established. >&

Re: Programmatically add default IPv6 route

2024-02-23 Thread Denis Fondras
Le Fri, Feb 23, 2024 at 08:58:59PM +0100, Claudio Jeker a écrit : > > > > Should I also send the IFP, IFA and BRD sockaddrs from pppd(8) ? > > Don't think so. > > > How comes message sent from route(8) have more attributes when received by > > monitor ? >

Re: Programmatically add default IPv6 route

2024-02-23 Thread Claudio Jeker
On Fri, Feb 23, 2024 at 06:25:18PM +0100, Denis Fondras wrote: > Hello, > > I am trying to add IPv6 support for pppd(8) (IPv6CP) and I encounter a blocker > when adding a default IPv6 route to PPP peer. > > Feb 23 17:26:45 rt-01 pppd[64071]: Couldn't add IPv6 defau

Re: Programmatically add default IPv6 route

2024-02-23 Thread Denis Fondras
One more information, ENETUNREACH is issued on line 521 of net/route.c. Could this be some kind of race condition ? From route monitor, I get this after my RTM_ADD : ``` RTM_CHGADDRATTR: address attributes being changed: len 224, if# 7, name ppp0, metric 0, flags: sockad

Programmatically add default IPv6 route

2024-02-23 Thread Denis Fondras
Hello, I am trying to add IPv6 support for pppd(8) (IPv6CP) and I encounter a blocker when adding a default IPv6 route to PPP peer. Feb 23 17:26:45 rt-01 pppd[64071]: Couldn't add IPv6 default route: Network is unreachable Adding the default route from route(8) works when the connecti

Re: snmpd and route changes

2024-02-23 Thread Stuart Henderson
Not 100% sure but there's a chance that this will work how you expect in -current. https://github.com/openbsd/src/commit/029c661593e4bba8652393dbb912eaf3b5031eec On 2024-02-23, Marko Cupać wrote: > Hi, > > my OpenBSD firewall has static default route to the Internet over > e

snmpd and route changes

2024-02-23 Thread Marko Cupać
Hi, my OpenBSD firewall has static default route to the Internet over external interface, and gets routes to internal subnets by means of OSPF with Juniper switch over internal interface. Host on one of internal subnets queries snmpd listening on internal interface of OpenBSD firewall. When OSPF

Re: Using pf route-to to Route Network Traffic a tun interface and Replying from it

2023-06-05 Thread David Gwynne
On Tue, May 30, 2023 at 06:07:32PM +0300, Nick Andersen wrote: > Hi Folks, hi. > > I am writing to seek assistance regarding an issue I am experiencing in > trying to route my Personal Computer's network traffic to a TUN interface. > My objective is to modify som

Re: Route based IPsec

2023-05-31 Thread B. Atticus Grobe
On 5/31/23 05:03, Valdrin MUJA wrote: > Hi Claudio & David, > > Wireguard can work behind NAT. In that case maybe the solution is wireguard + BGP. I've been using OSPF over wireguard for several years now. It works quite well. You just have to add `wgaip 224.0.0.0/8' to allow multicast over

Re: Route based IPsec

2023-05-31 Thread Valdrin MUJA
g my work with the wireguard config.) From: owner-m...@openbsd.org on behalf of Claudio Jeker Sent: Wednesday, May 31, 2023 12:09 To: David Gwynne Cc: Misc Subject: Re: Route based IPsec On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote: > >

Re: Route based IPsec

2023-05-31 Thread Claudio Jeker
On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote: > > > > On 31 May 2023, at 18:33, Claudio Jeker wrote: > > > > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote: > >> > >> > >>> On 27 May 2023, at 21:40, Stuart Henderson > >>> wrote: > >>> > >>> On 2023-05-27, Vald

Re: Route based IPsec

2023-05-31 Thread David Gwynne
> On 31 May 2023, at 18:33, Claudio Jeker wrote: > > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote: >> >> >>> On 27 May 2023, at 21:40, Stuart Henderson >>> wrote: >>> >>> On 2023-05-27, Valdrin MUJA wrote: Does OpenBSD have routed based IPsec support? >>> >>> Not

Re: Route based IPsec

2023-05-31 Thread Claudio Jeker
On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote: > > > > On 27 May 2023, at 21:40, Stuart Henderson > > wrote: > > > > On 2023-05-27, Valdrin MUJA wrote: > >>Does OpenBSD have routed based IPsec support? > > > > Not yet. > > while you wait, it might be possible to configure

Re: Route based IPsec

2023-05-30 Thread Valdrin MUJA
Thanks David, I'll try it soon. From: owner-m...@openbsd.org on behalf of David Gwynne Sent: Wednesday, May 31, 2023 01:35 To: Stuart Henderson Cc: misc@openbsd.org Subject: Re: Route based IPsec > On 27 May 2023, at 21:40, Stuart Henderson wrote

Re: Route based IPsec

2023-05-30 Thread David Gwynne
> On 27 May 2023, at 21:40, Stuart Henderson wrote: > > On 2023-05-27, Valdrin MUJA wrote: >>Does OpenBSD have routed based IPsec support? > > Not yet. while you wait, it might be possible to configure a gif tunnel protected by ipsec transport mode. dlg

Using pf route-to to Route Network Traffic a tun interface and Replying from it

2023-05-30 Thread Nick Andersen
Hi Folks, I am writing to seek assistance regarding an issue I am experiencing in trying to route my Personal Computer's network traffic to a TUN interface. My objective is to modify some of its content and subsequently return the traffic back. So far, I have successfully created a TUN inte

Re: Route based IPsec

2023-05-27 Thread Hrvoje Popovski
On 27.5.2023. 9:24, Valdrin MUJA wrote: > Hello, > > I need Route based IPsec solution to set up between a firewall device and > my OpenBSD firewall. > However, I am a little confused about this: > I created more than one enc device, I did policy based routing with PF bu

Re: Route based IPsec

2023-05-27 Thread Stuart Henderson
On 2023-05-27, Valdrin MUJA wrote: > Does OpenBSD have routed based IPsec support? Not yet.

Route based IPsec

2023-05-27 Thread Valdrin MUJA
Hello, I need Route based IPsec solution to set up between a firewall device and my OpenBSD firewall. However, I am a little confused about this: I created more than one enc device, I did policy based routing with PF but no results. I guess this is not the intended use of interfaces like

Re: dhcpleased losing route

2023-05-11 Thread Peter Hessler
On 2023 May 12 (Fri) at 00:10:33 +1000 (+1000), David Diggles wrote: :Here's a longer tcpdump that should have a couple of rounds. :The ISP does offer ipv6 but I'm not ready to give up on dhcp yet. : You can run both in parallel, no problems with that. -- Expect the worst. It's the least you c

Re: dhcpleased losing route

2023-05-11 Thread David Diggles
Yes this is now fixed. Thanks everyone! Stuart's suggestion of "received-on" is indeed excellent and is what I've used. On Thu, May 11, 2023 at 04:13:34PM +0200, Florian Obser wrote: > On 2023-05-11 08:08 +10, David Diggles wrote: > > On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew w

Re: dhcpleased losing route

2023-05-11 Thread Florian Obser
On 2023-05-11 08:08 +10, David Diggles wrote: > On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew wrote: >> >> This looks like the thing I ran into a while ago where I had an overly >> broad nat-to rule for outgoing traffic that applied to traffic from the >> host as well as the networks

Re: dhcpleased losing route

2023-05-11 Thread David Diggles
Here's a longer tcpdump that should have a couple of rounds. The ISP does offer ipv6 but I'm not ready to give up on dhcp yet. tcpdump: WARNING: snaplen raised from 116 to 1500 22:54:27.011337 202.63.67.36.68 > 202.63.66.1.67: xid:0x10040a18 C:202.63.67.36 vend-rfc1048 DHCP:REQUEST LT:86400 HN:"

Re: dhcpleased losing route

2023-05-11 Thread Mike Fischer
You are still getting a 5 minute lease. So that seems to be normal for your provider? (Maybe they only have a very limited pool of IPv4 addresses and want to be able to reuse them ASAP? Might explain why the initial DHCP:OFFER took so long as well.) But you don’t show what happens when the leas

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
Ok here's the Apple pcap for a working implementation. tcpdump -r airport.dhcp.pcap tcpdump: WARNING: snaplen raised from 116 to 1500 12:26:04.010316 0.0.0.0.bootpc > 255.255.255.255.bootps:

Re: dhcpleased losing route

2023-05-10 Thread Stuart Henderson
On 2023-05-10, Jonathan Matthew wrote: > If there's a pf rule like 'match out on $iface nat-to ($iface)', making > that only apply to traffic received on another interface will probably > help. "received-on" is excellent for making rules only apply to packets coming from some specific interface.

Re: dhcpleased losing route

2023-05-10 Thread Sebastian Benoit
David Diggles(da...@elven.com.au) on 2023.05.11 08:09:54 +1000: > Thanks Florian, here's a tcpdump from the Apple (NetBSD) router. > This implementation isn't losing the default route. > > tcpdump -n -i mgi1 -s1500 -vv port 67 or 68 > tcpdump: listening on mgi1, l

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
Thanks Florian, here's a tcpdump from the Apple (NetBSD) router. This implementation isn't losing the default route. tcpdump -n -i mgi1 -s1500 -vv port 67 or 68 tcpdump: listening on mgi1, link-type EN10MB (Ethernet), capture size 1500 bytes 07:15:36.010329 IP (tos 0x10, ttl 128, id 0

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew wrote: > > This looks like the thing I ran into a while ago where I had an overly > broad nat-to rule for outgoing traffic that applied to traffic from the > host as well as the networks behind it. This meant dhcpleased's unicast > packet

Re: dhcpleased losing route

2023-05-10 Thread Jonathan Matthew
On Wed, May 10, 2023 at 04:38:25PM +0200, Florian Obser wrote: > ( this is a good dhcp state diagram to follow along at home: > https://commons.wikimedia.org/wiki/File:DHCP_Client_State_Diagram_-_en.png ) > > On 2023-05-10 23:07 +10, David Diggles wrote: > > I probably should have done numeric t

Re: dhcpleased losing route

2023-05-10 Thread Florian Obser
( this is a good dhcp state diagram to follow along at home: https://commons.wikimedia.org/wiki/File:DHCP_Client_State_Diagram_-_en.png ) On 2023-05-10 23:07 +10, David Diggles wrote: > I probably should have done numeric tcpdump output. Here's both again. > > tcpdump: WARNING: snaplen raised fr

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
I probably should have done numeric tcpdump output. Here's both again. tcpdump: WARNING: snaplen raised from 116 to 1500 22:36:40.276682 0.0.0.0.68 > 255.255.255.255.67: xid:0x74253f08 vend-rfc1048 DHCP:REQUEST HN:"sarah" CID:1.220.159.219.40.20.191 PR:SM+DG+NS+HN+DN+BR+119+121 RQ:202.63.67.36

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
On Wed, May 10, 2023 at 05:55:28AM -, Stuart Henderson wrote: > On 2023-05-10, David Diggles wrote: > > My ISP provides connection via DHCP. > > > > Every 5 minutes or so when dhcpleased is renewing the lease, > > my default route disappears for a few seconds.

Re: dhcpleased losing route

2023-05-10 Thread Otto Moerbeek
t to `# rcctl start dhcpleased` when > > you are done with the testing.) > > > > > > Does the interface go down and up for some reason every 5 minutes? That > > might cause dhcpleased(8) to renew the lease. > > > > > > HTH > > Mike > &

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
and up for some reason every 5 minutes? That might > cause dhcpleased(8) to renew the lease. > > > HTH > Mike > > > Am 10.05.2023 um 07:28 schrieb Otto Moerbeek : > > > > On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote: > > > >>

Re: dhcpleased losing route

2023-05-09 Thread Mike Fischer
to renew the lease. HTH Mike > Am 10.05.2023 um 07:28 schrieb Otto Moerbeek : > > On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote: > >> >> Just to update, I've added the following to dhclient.conf but >> it's still renewing every 5 minutes

Re: dhcpleased losing route

2023-05-09 Thread Stuart Henderson
On 2023-05-10, David Diggles wrote: > My ISP provides connection via DHCP. > > Every 5 minutes or so when dhcpleased is renewing the lease, > my default route disappears for a few seconds. That isn't supposed to happen. I just checked on a machine which has 10 minute leases and

Re: dhcpleased losing route

2023-05-09 Thread Otto Moerbeek
On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote: > > Just to update, I've added the following to dhclient.conf but > it's still renewing every 5 minutes (approximately) and the > default route is disappearing for a couple of seconds. :( > > send dhcp-l

Re: dhcpleased losing route

2023-05-09 Thread David Diggles
Just to update, I've added the following to dhclient.conf but it's still renewing every 5 minutes (approximately) and the default route is disappearing for a couple of seconds. :( send dhcp-lease-time 86400; On Wed, May 10, 2023 at 01:00:00PM +1000, David Diggles wrote: > My

dhcpleased losing route

2023-05-09 Thread David Diggles
My ISP provides connection via DHCP. Every 5 minutes or so when dhcpleased is renewing the lease, my default route disappears for a few seconds. Definitely I'll be looking at requesting a longer lease by putting a setting in /etc/dhclient.conf but is there any way I can stop the default

Re: Static default route for a subnet

2023-03-29 Thread Kaya Saman
the interfaces involved (the $vpn_net1 interface and $gnet_if) have been configured with "rdomain 2" then the route lookups will automatically use rtable 2 and you don't need to reset it in pf. The rule in use is this one: match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet}

Re: Static default route for a subnet

2023-03-29 Thread Kaya Saman
the interfaces involved (the $vpn_net1 interface and $gnet_if) have been configured with "rdomain 2" then the route lookups will automatically use rtable 2 and you don't need to reset it in pf. The rule in use is this one: match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet}

Re: Static default route for a subnet

2023-03-28 Thread Kaya Saman
the interfaces involved (the $vpn_net1 interface and $gnet_if) have been configured with "rdomain 2" then the route lookups will automatically use rtable 2 and you don't need to reset it in pf. I think I can confirm this. Certainly I don't see any difference between putting th

Re: Static default route for a subnet

2023-03-28 Thread Stuart Henderson
lved (the $vpn_net1 interface and $gnet_if) have been configured with "rdomain 2" then the route lookups will automatically use rtable 2 and you don't need to reset it in pf. > The rule in use is this one: > > match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rt

Re: Static default route for a subnet

2023-03-28 Thread Kaya Saman
h thing as "default gateway for a subnet". One way to do what you want is with PF "route-to" rules applying only to packets with a source address in the subnet of interest (and likewise for "reply-to" to handle incoming connections, maybe in conjunction with rdr-to).

Re: Static default route for a subnet

2023-03-28 Thread Stuart Henderson
et". One way to do what you want is with PF "route-to" rules applying only to packets with a source address in the subnet of interest (and likewise for "reply-to" to handle incoming connections, maybe in conjunction with rdr-to). This is a little messier config, but if th

Static default route for a subnet

2023-03-28 Thread Kaya Saman
it and found a similar yet I think different situation on the mailing lists: https://misc.openbsd.narkive.com/lCGUlP2Q/two-default-route I think the above was more to do with using 2x default routes in a multipath setup rather then simply trying to get one particular subnet to use another IS

Re: Route selected IP traffic across wg(4) tunnel

2023-03-10 Thread Zack Newman
Hey Zach It's actually "Zack". I thought I would try to use the pf routing option `route-to` to accomplish this as it seemed like it might be a simple solution. You might be able to, but I prefer using pf to only filter traffic when I can get away with it-obviously for things

Re: Route selected IP traffic across wg(4) tunnel

2023-03-10 Thread Chris Jones
se also suggested using rdomain and rtable but I thought I would try to use the pf routing option `route-to` to accomplish this as it seemed like it might be a simple solution. I guess I just don't quite understand how it works. If I was to use a new rdomain/rtable, how would I go about routi

Re: Route selected IP traffic across wg(4) tunnel

2023-03-09 Thread Zack Newman
Wondering if anyone has a "best practice" for pealing IP traffic off (in this case an AppleTV) and routing all the traffic across a Wireguard tunnel. Not sure what you mean by "pealing [sic] IP traffic off"; but when I need source-based routing, I prefer using rdomain(4)s and rtable(4)s. wg(4) i

Route selected IP traffic across wg(4) tunnel

2023-03-06 Thread Chris Jones
Good afternoon, Wondering if anyone has a "best practice" for pealing IP traffic off (in this case an AppleTV) and routing all the traffic across a Wireguard tunnel. I've looked at the pf(4) routing option **route-to** and tried setting this up to the best of my knowledg

Re: dhcpcd sometimes fails to route ipv6 /48

2022-08-18 Thread void
erlap. On the router, the /48 remains on the LAN interface, the ND /64 appears under pppoe0 in ifconfig. I've clearly made errors initially configuring the openbsd client machine. Other machines on the LAN get a /48 and route it fine. I'll try again with rad and slaacd rather than dhcpc

Re: dhcpcd sometimes fails to route ipv6 /48

2022-08-18 Thread Stefan Sperling
here is already in the dhcpcd package on OpenBSD 7.0 and up. But your case is different. In your case, the RB tree lookup might still be choosing the wrong prefix to delete, because your LAN is a using wider prefix than the WAN side. Assuming the final rt_cmp_netmask() call I added in rt_cmp_dest()

dhcpcd sometimes fails to route ipv6 /48

2022-08-18 Thread void
Hello misc@, I have an edgerouter lite 3 router running openbsd 7.1 octeon. The connection is via pppoe and has native ipv4 and ipv6. The router gets an ND /64 and PD /48. The /48 is served on the LAN-facing side. This setup works well, usually. What sometimes happens is that a LAN machine won

Re: route added with wg tunnel which breaks my internal network

2022-04-24 Thread Łukasz Moskała
Hi, > I have no idea where that failing route comes from. I'd say that it comes from hostname.wg0: > inet6 fd00:22:dec:e2::100 64 If I understand correctly, you have fd00:22:dec:e2::/64 on both wg0 and em0. Having two the same prefixes on two network interfaces will always cause pr

Re: route advertisement question

2021-12-27 Thread Florian Obser
On 2021-12-26 19:43 UTC, mgra...@brainfat.net wrote: > So my question is, is this expected behavior? When the router advertisement > does not have a router and > thus sets the router lifetime to 0 (as it should), should slaacd ignore > advertisement? Or should > it still configure an IP address

Re: route one port via a specific host (both directions)

2021-12-10 Thread Claus Assmann
On Fri, Dec 10, 2021, Michael Hekeler wrote: > Am 10.12.21 08:49 schrieb Claus Assmann: > > I am trying to run an SMTP server on a dynamic IP address > Running a smtp server on dynamic IP is just asking for troubles. That's why I want to run the server behind a static IP -- as my mail explained..

Re: route one port via a specific host (both directions)

2021-12-10 Thread Michael Hekeler
Am 10.12.21 08:49 schrieb Claus Assmann: > I am trying to run an SMTP server on a dynamic IP address Running a smtp server on dynamic IP is just asking for troubles.

Re: route one port via a specific host (both directions)

2021-12-10 Thread Crystal Kolipe
On Fri, Dec 10, 2021 at 08:49:08AM +, Claus Assmann wrote: > I am trying to run an SMTP server on a dynamic IP address > (and maybe other services later on, e.g., DNS or HTTP) We recently published a comprehensive guide for running inbound and outbound SMTP from a dynamic IP via an IPSEC tunne

Re: route one port via a specific host (both directions)

2021-12-10 Thread Stuart Henderson
t; want. Me too. For this case I would place the tunnel interface in an alternative rdomain, add a default route in that rdomain to the tunnel endpoint (route -T2 add default XX), and run the MTA in the route table matching that rdomain (rcctl set $daemon rtable 2). I have been happy with wg(4) for thi

Re: route one port via a specific host (both directions)

2021-12-10 Thread Łukasz Moskała
o/from the host (DYNAMIC) with the dynamic IP >address. > >To route the port incoming it seems I can use: >DYNAMIC$ ssh -o ExitOnForwardFailure=yes -N -R 25:localhost:25 STATIC > >This also has the advantage that the routing is only active >as long as DYNAMIC is up and running w

route one port via a specific host (both directions)

2021-12-10 Thread Claus Assmann
I am trying to run an SMTP server on a dynamic IP address (and maybe other services later on, e.g., DNS or HTTP) For this, I would like to redirect traffic via a host (STATIC) which has a static IP address to/from the host (DYNAMIC) with the dynamic IP address. To route the port incoming it

pf route-to reply-to ipv6 link local address does not work

2021-10-05 Thread Pierre-Edouard
Running openbsd 6.9 stable here I am not able to use a pf rule using route-to/reply-to with an ipv6 linklocal address. example: pass out inet6 route-to fe80::abcd%em0 The syntax is valid and therefore is accepted but the "%em0" is stripped out when config is pushed. The packe

Re: ipsec with default route and routing of internal networks

2021-10-05 Thread Hrvoje Popovski
On 14.9.2021. 13:12, Hrvoje Popovski wrote: > On 13.9.2021. 15:52, Stuart Henderson wrote: >> On 2021-09-13, Hrvoje Popovski wrote: >>> On 13.9.2021. 14:08, Tom Smyth wrote: Can you do  an exception for the ranges ...  so internet - private ips you dont want over the tunnel) ik

Re: ipsec with default route and routing of internal networks

2021-09-14 Thread Hrvoje Popovski
On 13.9.2021. 15:52, Stuart Henderson wrote: > On 2021-09-13, Hrvoje Popovski wrote: >> On 13.9.2021. 14:08, Tom Smyth wrote: >>> Can you do  an exception for the ranges ...  so internet - private ips >>> you dont want over the tunnel) >>> >>> ike esp from 10.90.0.0/24 to any

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Stuart Henderson
On 2021-09-13, Hrvoje Popovski wrote: > On 13.9.2021. 14:08, Tom Smyth wrote: >> Can you do  an exception for the ranges ...  so internet - private ips >> you dont want over the tunnel) >> >> ike esp from 10.90.0.0/24 to any encrypt   >> and  >> >>  10.90.0.0/24

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
On 13.9.2021. 14:08, Tom Smyth wrote: > Can you do  an exception for the ranges ...  so internet - private ips > you dont want over the tunnel) > > ike esp from 10.90.0.0/24 to any encrypt   > and  > >  10.90.0.0/24 to   NOT  [networks you dont want > o

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
Can you do an exception for the ranges ... so internet - private ips you dont want over the tunnel) ike esp from 10.90.0.0/24 to any encrypt and 10.90.0.0/24 to NOT [networks you dont want over the tunnel) ? On Mon, 13 Sept 2021 at 13:02, Hrvoje Popovski wrote: > Hi, > > On 13.9.2021. 1

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
Hi, On 13.9.2021. 12:58, Tom Smyth wrote: > Hi Hrvoje,  > > is 10.90.0.0/24 local to your firewall, and if I > understand your rule, > ike esp from 10.90.0.0/24  to any    you are saying   > encrypt all traffic comming from 10.90.0.0/24

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
Hi Hrvoje, is 10.90.0.0/24 local to your firewall, and if I understand your rule, ike esp from 10.90.0.0/24 to any you are saying encrypt all traffic coming from 10.90.0.0/24 should the tunnel be more specific ? like from 10.90.0.0/24 to another network across the tunnel ike esp from 10.90

ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
Hi all, I have a firewall that routes few internal networks, 10.90/24, 10.91/24, 10.92/24. And i have some static routes to other firewalls, but i don't think that is relevant to this problem. For network 10.90/24 i have ipsec tunnel, and i need to push any traffic from that network to the intern

Re: npppd - changing clients' route table

2021-09-13 Thread Stuart Henderson
On 2021-09-12, Radek wrote: > Sorry for the late reply, adding ":framed-ip-netmask=255.255.255.0:" doesn't > solve the problem. Tested on Win10. framed-ip-netmask controls addition of the route on the npppd machine, not the client. You only use it if you have multiple add

Re: npppd - changing clients' route table

2021-09-12 Thread Radek
t; > >> How about if you configure the npppd-users > >> > >> rdk: > >> :password=pasword:\ > >> :framed-ip-address=10.109.4.254:\ > >> :framed-ip-netmask=255.255.255.0: > >> > >> The server (npppd) will configure a r

Re: route -iface doesn't work

2021-03-08 Thread Paul de Weerd
Florian helped me off-list: # route add 10.1.1.13 -iface -cloning 10.2.2.13 does the trick (if you do the same on the other end, of course). I'm not really sure how this works, or what RTF_CLONING means other than this comment from the manpage: -cloning RTF_CLONING genera

route -iface doesn't work

2021-03-08 Thread Paul de Weerd
Hi all, I'm probably missing something rather obvious, but I can't get route -iface to work. According to the manpage: If the destination is directly reachable via an interface requiring no intermediary system to act as a gateway, the -iface modifier

Re: npppd - changing clients' route table

2021-02-21 Thread YASUOKA Masahiko
4" should have been "10.109.4.254". >> How about if you configure the npppd-users >> >> rdk: >> :password=pasword:\ >> :framed-ip-address=10.109.4.254:\ >> :framed-ip-netmask=255.255.255.0: >> >> The server (npppd) will conf

Fw: Re: npppd - changing clients' route table

2021-02-21 Thread Radek
ord:\ > :framed-ip-address=10.109.4.254:\ > :framed-ip-netmask=255.255.255.0: > > The server (npppd) will configure a route for 10.109.4.0/24 to the PPP > session authenticated by the above "rdk". I have tried to configure npppd-users with netmask /24, but it doesnt ma
