Hello, I'm trying to isolate an app running on OpenBSD at the network level, and thus I have started the app in a specific rdomain.

I can successfully make traffic from the rdomain reach the Internet:

    pass out quick on rdomain 1 to any nat-to (egress) rtable 0

But I cannot figure out how to make the app in this rdomain 1 communicate with daemons in the default rdomain (0). With the above rule I would see something like this on lo0 (rdomain 0):

    Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)

Tested with:

    route -T 1 exec dig @199.195.x.x www.openbsd.org

It seems it does not know how to send back replies? Without 'nat-to (egress)' the replies would just be sent via the default gw in rdomain 0:

    mx1# tcpdump -i vio0 -n -e -ttt icmp
    tcpdump: listening on vio0, link-type EN10MB
    Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98: 199.195.x.x > 172.16.1.2: icmp: echo reply

(172.16.1.2 was the IP in rdomain 1)

Any idea what the PF rule would be to make this work, i.e. make an app in rdomain X talk to daemons in rdomain 0? I also tried to use pair interfaces but I failed too.

Jiri