Hi misc (again),

After talking with the author of the article referenced (Joel Knight) I
will follow up with this.

First of all, I've created a version of this using IPv4 instead of IPv6,
with only the addresses changed. It works as it is supposed to.
I am running 6.1.

Creating a return route to 2a01:7e8:35:fab::/64 via ::1 (in rdomain 0)
makes the packets loop in lo0:

# tcpdump -i lo0
14:49:19.691833 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691842 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691855 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691866 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691875 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691893 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691899 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691906 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691912 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691919 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691925 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691932 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691938 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691945 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691951 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691958 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691964 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691971 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691977 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691984 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691990 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.691997 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692003 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692010 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692016 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692023 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692029 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692039 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692050 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692057 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692064 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692070 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692076 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692083 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692090 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692096 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692102 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692109 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692115 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692122 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692128 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692134 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692141 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692147 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692154 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692160 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692166 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692173 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692179 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692186 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692192 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692199 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692205 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692211 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692218 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692224 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692231 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692237 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692243 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692250 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692256 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692263 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
14:49:19.692269 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply [hlim 1]

Netstat of rdomain 0:
# route -T0 exec netstat -rnf inet6
Routing tables

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
default                            2a01:7e8:1:800::2fd            UGS        0       10     -     8 em1
::/96                              ::1                            UGRS       0        0 32768     8 lo0
::/104                             ::1                            UGRS       0        0 32768     8 lo0
::1                                ::1                            UHhl      15       30 32768     1 lo0
::127.0.0.0/104                    ::1                            UGRS       0        0 32768     8 lo0
::224.0.0.0/100                    ::1                            UGRS       0        0 32768     8 lo0
::255.0.0.0/104                    ::1                            UGRS       0        0 32768     8 lo0
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0 32768     8 lo0
2002::/24                          ::1                            UGRS       0        0 32768     8 lo0
2002:7f00::/24                     ::1                            UGRS       0        0 32768     8 lo0
2002:e000::/20                     ::1                            UGRS       0        0 32768     8 lo0
2002:ff00::/24                     ::1                            UGRS       0        0 32768     8 lo0
2a01:7e8:1:800::2fc/126            2a01:7e8:1:800::2fe            UCn        1        0     -     4 em1
2a01:7e8:1:800::2fd                08:00:27:09:c7:e2              UHLch      1   531327     -     3 em1
2a01:7e8:1:800::2fe                08:00:27:32:d8:87              UHLl       0      418     -     1 em1
2a01:7e8:35:fab::/64               ::1                            UGS        0   529555 32768     8 lo0
fe80::/10                          ::1                            UGRS       0        1 32768     8 lo0
fec0::/10                          ::1                            UGRS       0        0 32768     8 lo0
fe80::%em1/64                      fe80::a00:27ff:fe32:d887%em1   UCn        0        0     -     4 em1
fe80::a00:27ff:fe32:d887%em1       08:00:27:32:d8:87              UHLl       0        0     -     1 em1
fe80::1%lo0                        fe80::1%lo0                    UHl        0        0 32768     1 lo0
ff01::/16                          ::1                            UGRS       1        2 32768     8 lo0
ff01::%em1/32                      fe80::a00:27ff:fe32:d887%em1   Um         0        1     -     4 em1
ff01::%lo0/32                      ::1                            Um         0        1 32768     4 lo0
ff02::/16                          ::1                            UGRS       1        2 32768     8 lo0
ff02::%em1/32                      fe80::a00:27ff:fe32:d887%em1   Um         0        1     -     4 em1
ff02::%lo0/32                      ::1                            Um         0        1 32768     4 lo0

If this is a regression or an implementation problem (or perhaps some
documentation missing for v6 behaving differently), I don't know.

Just to add to the tests, I've syspatched my system with all the
errata patches for 6.1, but with the same results.

I'm posting this, hoping to bring some eyes to rdomains and IPv6.

/ Claus

On 04-07-2017 15:16, Claus Lensbøl wrote:
> Hi misc,
>
> I'm having trouble with implementing rdomains and IPv6.
>
> I have followed this guide which might be a bit old but the best I could
> find:
> https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/
>
> I have made a set-up with two machines connected by an OpenBSD router.
>
> Machine: "internet"
> ============
> # cat /etc/hostname.em1
> inet6 2a01:7e8:1:800::2fd/126
> !route add 2a01:7e8:35:fab::/64 2a01:7e8:1:800::2fe
>
> Machine: "router"
> ============
> # cat /etc/hostname.em1
> inet6 2a01:7e8:1:800::2fe/126
> !route -T 0 add 2a01:7e8:35:fab::/64 ::1
> # cat /etc/hostname.em2
> rdomain 75
> !route -T75 exec /usr/sbin/sshd
> inet6 alias 2a01:7e8:35:fab::1/64
> # pfctl -sr
> block return all
> pass all flags S/SA
> block return in on ! lo0 proto tcp from any to any port 6000:6010
> pass in on em2 inet6 from 2a01:7e8:35:fab::/64 to 2a01:7e8:1:800::2fd flags S/SA rtable 0
> pass out on em1 all flags S/SA
>
> Machine: "client"
> ============
> # sudo ip addr add 2a01:7e8:35:fab::2/64 dev vboxnet0
> # sudo ip -6 route add 2a01:7e8:1:800::2fc/126 via 2a01:7e8:35:fab::1
>
> I am able to ping between router<->internet, router<->client, but not
> between client<->internet.
>
> If pinging from client->internet, no replies are returned. Doing tcpdump
> on em1 on the router gives:
> 16:56:42.017347 2a01:7e8:35:fab::2 > 2a01:7e8:1:800::2fd: icmp6: echo request [flowlabel 0xe1717]
> 16:56:42.017811 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
> 16:56:42.018114 2a01:7e8:1:800::2fe > 2a01:7e8:1:800::2fd: icmp6: time exceeded in-transit for 2a01:7e8:35:fab::2
>
> Removing the route (route -T 0 delete 2a01:7e8:35:fab::/64 ::1) gives no
> replies and tcpdump gives:
> 16:58:59.565667 2a01:7e8:35:fab::2 > 2a01:7e8:1:800::2fd: icmp6: echo request [flowlabel 0xe1717]
> 16:58:59.566298 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
> 16:58:59.569637 2a01:7e8:1:800::2fd > 2a01:7e8:35:fab::2: icmp6: echo reply
>
> Adding a route on em1 (rtable 0) as:
> # route -T 0 add 2a01:7e8:35:fab::/64 2a01:7e8:1:800::2fe
> , yields the same results as with no route.
>
> I tried removing all routes to 2a01:7e8:35:fab::/64 on the router, and
> adding to pf:
> pass in on em1 inet6 to 2a01:7e8:35:fab::/64 rtable 75
>
> I'm pretty sure that I'm missing some understanding of rtables.
> Can someone point me in the right direction?
> I'm guessing that I need a way to move packets from rtable 0 to rtable 75.
>
> Btw, this set-up is made with virtualbox, but I have an identical
> physical set-up with the same issue.
>

-- 
Med venlig hilsen/Best regards
Claus Lensbøl

Fab:IT ApS
Vesterbrogade 37, 2. th
DK-1620 København
Tlf: +45 70 202 407
Main Site: www.fab-it.dk
VPS Product: vpsforce.eu
