Apologies for hijacking but how can I redirect other hosts to a pair in PF? 
I've tried adding a route manually to the hosts via the gateway and adding a 
rdr-to in PF but I can't reach any hosts in the second rdomain, only the 
gateway.

Cheers,
Zach

On February 3, 2019 7:20:28 AM GMT+10:00, Jiri B <jiri...@gmail.com> wrote:
>Thank you, that works fine.
>
>
>Jiri
>
>
>On Thu, Jan 31, 2019 at 11:26 PM Sebastian Benoit
><benoit-li...@fb12.de> wrote:
>>
>> Jiri B(jiri...@gmail.com) on 2019.01.31 22:23:34 +0100:
>> > Hello,
>> >
>> > I'm trying to isolate an app running on OpenBSD on network level and thus I
>> > have started the app in a specific rdomain.
>> >
>> > I can successfully make traffic from the rdomain to reach Internet:
>> >
>> > pass out quick on rdomain 1 to any nat-to (egress) rtable 0
>>
>> that rule is only evaluated when the packets pass through a network
>> interface.
>>
>> > But I cannot figure out how to make the app in this rdomain 1 communicate
>> > with daemons in default rdomain (0).
>> >
>> > With above rule I would see something like this on lo0 (rdomain0):
>> >
>> > Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)
>> >
>> > Tested with route -T 1 exec dig @199.195.x.x  www.openbsd.org.
>> > It seems it does not know how to send back replies ?
>>
>> yes, because rdomain 0 does not have a route to what network you have in
>> rdomain 1.
>>
>> Btw. it's hard to talk about this without you giving the actual networks and
>> IPs used.
>>
>> > Without 'nat-to (egress)' the replies would be just sent via default gw in
>> > rdomain 0:
>> >
>> > mx1# tcpdump -i vio0 -n -e -ttt icmp
>> > tcpdump: listening on vio0, link-type EN10MB
>> > Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98:
>> > 199.195.x.x > 172.16.1.2: icmp: echo reply
>> >
>> > (172.16.1.2 was the IP in rdomain 1)
>> >
>> > Any idea what the PF rule would be to make this work, i.e. make an app in
>> > rdomain X talk to daemons in rdomain 0.
>> >
>> > I also tried to use pair interfaces but I failed too.
>>
>> Try this:
>>
>> # set up two connected pair interfaces:
>> ifconfig pair8 inet 192.168.2.8/24 rdomain 8
>> ifconfig pair1 inet 192.168.2.1/24 rdomain 0
>> ifconfig pair1 patch pair8
>>
>> # they now can ping each other:
>> ping 192.168.2.8
>> route -T 8 exec ping 192.168.2.1
>>
>> # my em0 interface in rdomain 0 has the IP 192.168.1.52:
>> em0: flags=208847<UP,BROADCAST,DEBUG,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
>>         lladdr 44:c6:86:5a:c2:f7
>>         index 1 priority 0 llprio 3
>>         groups: egress
>>         media: Ethernet autoselect
>>         status: active
>>         inet 192.168.1.52 netmask 0xffffff00 broadcast 192.168.1.255
>>
>> # add a route to 192.168.1.52 to rdomain 8:
>> route -T 8 add 192.168.1.52 192.168.2.1
>> route -T 8 exec ping 192.168.1.52
>>
>> # the traffic back from rdomain 0 to rdomain 8 works now, because packets
>> # are sent with source ip 192.168.2.8, and rdomain 0 has a route to that IP
>> # through pair1.
>>
>> Now run your service on 192.168.1.52.
>>
>> /Benno

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
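As an added example that is not part of the thread: an sh script that turns the pair(4) layout from Benno's reply into a repeatable step, with a dry run that prints the commands, a connectivity check from inside the isolated rdomain, and a pf.conf fragment that limits that rdomain to the one daemon. The names and addresses default to the ones in his post (rdomain 8, pair8/pair1, 192.168.2.0/24, service 192.168.1.52); the pf.conf fragment, the explicit `-host` flag and port 53 (DNS, as in Jiri's dig test) are my assumptions, not something the thread shows.

```shell
#!/bin/sh
# Added example, not code from the thread: plumb an isolated rdomain to a
# daemon in rdomain 0 through a pair(4) link, the way Benno's reply does.
# Defaults mirror his post (rdomain 8, pair8/pair1, 192.168.2.0/24,
# service 192.168.1.52); the PF fragment and port 53 are assumptions.
# Must run as root on OpenBSD to apply; DRY_RUN=1 only prints the commands.

RDOMAIN=${RDOMAIN:-8}
PAIR_IN=${PAIR_IN:-pair8}         # end that lives in the isolated rdomain
PAIR_OUT=${PAIR_OUT:-pair1}       # end that lives in rdomain 0
ADDR_IN=${ADDR_IN:-192.168.2.8}   # isolated side of the link
ADDR_OUT=${ADDR_OUT:-192.168.2.1} # rdomain-0 side of the link
PREFIX=${PREFIX:-24}
SERVICE=${SERVICE:-192.168.1.52}  # address the daemon listens on in rdomain 0
PORT=${PORT:-53}                  # assumed daemon port (DNS, as in the thread)
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create both pair ends, patch them, and give the isolated rdomain a route to
# the single service address. rdomain 0 needs no extra route: the connected
# 192.168.2.0/24 route via $PAIR_OUT is what carries the replies back.
pair_setup() {
    run ifconfig "$PAIR_IN" inet "$ADDR_IN/$PREFIX" rdomain "$RDOMAIN"
    run ifconfig "$PAIR_OUT" inet "$ADDR_OUT/$PREFIX" rdomain 0
    run ifconfig "$PAIR_OUT" patch "$PAIR_IN"
    # -host: only the daemon's address becomes reachable from the isolated
    # rdomain, not the whole of rdomain 0's network.
    run route -T "$RDOMAIN" add -host "$SERVICE" "$ADDR_OUT"
}

# Same command list, printed instead of executed. Runs in a subshell so the
# DRY_RUN override does not leak into the caller.
pair_plan() (
    DRY_RUN=1
    pair_setup
)

# pf.conf fragment (assumed, not from the thread) for the rdomain-0 end of the
# link. PF's last matching rule wins, so the block comes first; the stateful
# "pass out" lets rdomain 0's own probes get their replies back through the
# block, and only echo requests and the daemon's port are accepted from the
# isolated address.
pf_fragment() {
    cat <<EOF
block in on $PAIR_OUT
pass out on $PAIR_OUT
pass in on $PAIR_OUT inet proto icmp icmp-type echoreq from $ADDR_IN
pass in on $PAIR_OUT inet proto { tcp udp } from $ADDR_IN to $SERVICE port $PORT
EOF
}

# Ping across the link in both directions, then the service from inside the
# isolated rdomain; returns non-zero as soon as a hop fails.
pair_check() {
    ping -c 1 -w 2 "$ADDR_IN" >/dev/null || return 1
    route -T "$RDOMAIN" exec ping -c 1 -w 2 "$ADDR_OUT" >/dev/null || return 1
    route -T "$RDOMAIN" exec ping -c 1 -w 2 "$SERVICE" >/dev/null
}

case "${1:-}" in
    plan)  pair_plan; pf_fragment ;;
    apply) pair_setup && pair_check ;;
esac
```

`sh pair-rdomain.sh plan` shows the commands and the PF fragment without touching anything; `apply` (as root) creates the link and runs the checks. The fragment is only printed, so merge it into pf.conf and load it with `pfctl -f` yourself. One caveat for combining this with Jiri's Internet rule: `pass out quick on rdomain 8 to any nat-to (egress) rtable 0` matches every interface in rdomain 8, pair8 included, so packets for the daemon would also be NATed and switched to rtable 0; narrowing that rule (for example `to ! 192.168.1.52`) keeps the pair path routed as above.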
