Re: Ask ospfd

2021-02-01 Thread Claudio Jeker
On Tue, Feb 02, 2021 at 12:06:37PM +0700, Adiwangsa Kusumah wrote:
> Dear All,
> 
> I have topology as below:
> 
>  UP1     UP2
>    \     /
>     \   /
>     OBSD6.6
>     /   \
>    /     \
> OSPF1   OSPF2
> 
> 
> I use openbgpd to upstream and openospfd to internal.
> I want my openbsd to send 0.0.0.0/0 to my ospf (single area).
> 
> At my bgpd.conf I add
> network 0.0.0.0/0
> 
> At my ospfd I try to add
> redistribute default
> and/or
> redistribute 0.0.0.0/0
> 
> When I check my ospf, there is no 0.0.0.0 sent to my internal network.
> 
> ospfctl sh database self-originated
> 
> Link ID          Adv Router       Age   Seq#    Checksum
> 10.xxx.xxx.248   103.xxx.xxx.11   1225  0x8048  0x2471
> 10.xxx.xxx.252   103.xxx.xxx.11   1225  0x804a  0xf797
> 103.xxx.xxx.72   103.xxx.xxx.11   1225  0x8048  0xe1c4
> 103.xxx.xxx.60   103.xxx.xxx.11   1225  0x804a  0x858d
> 103.xxx.xxx.12   103.xxx.xxx.11   1225  0x804a  0x3b05
> 
> Is there any additional configuration at my bgpd.conf or my ospfd.conf?
> Your advice will be appreciated.
> 

ospfd(4) redistribute requires that the corresponding route is present in
the routing table (route -n get default). This is not the case for
bgpd(8). So make sure that you have a default route in the kernel routing table.

-- 
:wq Claudio
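To turn Claudio's answer into a repeatable check, here is an added example (my own, not code from the thread or from OpenBSD). It parses the table format that `ospfctl show database self-originated` prints in the question and looks for a self-originated LSA with Link ID 0.0.0.0, then asks the kernel for a default route with `route -n get default` as Claudio suggests. The LSDB listing is a constructed sample using documentation addresses, and relying on the exit status of route(8) to tell whether the default route exists is an assumption of this example.

```python
"""Diagnose why ospfd is not originating a default route.

Added example for this thread, not code from the thread or from OpenBSD.
The sample LSDB text is constructed; the route(8) exit-status convention
is an assumption.
"""
import re
import subprocess

# One LSDB row in ospfctl column order: Link ID, Adv Router, Age, Seq#, Checksum
LSDB_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)$"
)

def parse_lsdb(text):
    """Return the LSA rows of an ospfctl database listing as dicts.
    Section titles and the column header do not match the row pattern."""
    rows = []
    for line in text.splitlines():
        m = LSDB_ROW.match(line.strip())
        if m:
            rows.append({"link_id": m[1], "adv_router": m[2],
                         "age": int(m[3]), "seq": m[4], "checksum": m[5]})
    return rows

def self_originates_default(text):
    """True if the router originates an LSA whose Link ID is 0.0.0.0,
    which is how a redistributed default route shows up in the LSDB."""
    return any(r["link_id"] == "0.0.0.0" for r in parse_lsdb(text))

def kernel_has_default_route():
    """'route -n get default' succeeds only when a default route exists
    (assumption of this example). None when route(8) is not available."""
    try:
        r = subprocess.run(["route", "-n", "get", "default"],
                           capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return r.returncode == 0

def diagnose(lsdb_text, have_default):
    """One-sentence verdict from the LSDB listing and the kernel route check."""
    if self_originates_default(lsdb_text):
        return "ospfd is originating the default route"
    if have_default is None:
        return "could not query the kernel routing table"
    if have_default is False:
        return ("no default route in the kernel table; "
                "'redistribute default' has nothing to redistribute "
                "(bgpd 'network 0.0.0.0/0' does not install one)")
    return "kernel has a default route but ospfd is not originating it; check ospfd.conf"

# Constructed sample modelled on the listing in the question (documentation addresses).
SAMPLE_NO_DEFAULT = """\
                Router Link States (Area 0.0.0.0)

Link ID         Adv Router      Age  Seq#       Checksum
10.0.0.248      198.51.100.11   1225 0x8048     0x2471
10.0.0.252      198.51.100.11   1225 0x804a     0xf797
"""

# Same router after a default route appeared in the kernel table (constructed).
SAMPLE_WITH_DEFAULT = SAMPLE_NO_DEFAULT + """
                Type-5 AS External Link States

Link ID         Adv Router      Age  Seq#       Checksum
0.0.0.0         198.51.100.11    12 0x8001     0x1a2b
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_NO_DEFAULT, kernel_has_default_route()))
```

On the router itself, pipe the real listing in instead of the sample: `ospfctl show database self-originated` output goes to `diagnose()` together with `kernel_has_default_route()`, and the verdict points at the kernel table rather than at ospfd.conf when the route is simply absent.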



Ask ospfd

2021-02-01 Thread Adiwangsa Kusumah
Dear All,

I have topology as below:

 UP1     UP2
   \     /
    \   /
    OBSD6.6
    /   \
   /     \
OSPF1   OSPF2


I use openbgpd to upstream and openospfd to internal.
I want my openbsd to send 0.0.0.0/0 to my ospf (single area).

At my bgpd.conf I add
network 0.0.0.0/0

At my ospfd I try to add
redistribute default
and/or
redistribute 0.0.0.0/0

When I check my ospf, there is no 0.0.0.0 sent to my internal network.

ospfctl sh database self-originated

Link ID          Adv Router       Age   Seq#    Checksum
10.xxx.xxx.248   103.xxx.xxx.11   1225  0x8048  0x2471
10.xxx.xxx.252   103.xxx.xxx.11   1225  0x804a  0xf797
103.xxx.xxx.72   103.xxx.xxx.11   1225  0x8048  0xe1c4
103.xxx.xxx.60   103.xxx.xxx.11   1225  0x804a  0x858d
103.xxx.xxx.12   103.xxx.xxx.11   1225  0x804a  0x3b05

Is there any additional configuration at my bgpd.conf or my ospfd.conf?
Your advice will be appreciated.

Thx & regards,


ps:
When I use frrouting, I got 0.0.0.0 to my ospf


Re: relayd + pfsync

2021-02-01 Thread Kapetanakis Giannis

On 02/02/2021 05:18, Jordan Geoghegan wrote:
> 
> Hello,
> 
> I had a question about using relayd with pfsync.
> 
> I have a small gateway/load-balancer set up with relayd, carp and pfsync plus
> BGPd for IP failover, and everything is working great. I was pleasantly
> surprised at how easy it was to get pfsync tunnelled over wireguard. Things
> failover perfectly, and I'm happy as a clam.
> 
> I however do have a question about some pfsync/relayd details that I'm not
> fully clear on:
> 
> With all the plumbing being done with relayd and all the associated
> TCP/TLS/HTTP(s) checks it's doing, it ends up setting up and tearing down a
> decent number of connections on a recurring basis. I know in PF you can use the
> "no-sync" keyword to prevent states created by certain rules from being synced
> across the wire, but I haven't found a way to do this with rules/states
> generated by relayd.
> 
> It's probably largely irrelevant in the grand scheme of things, but I found it
> slightly irritating having hundreds or thousands of state table entries
> experiencing constant churn while being synced over the wire. Having the noise
> from the relayd connectivity checks syncing back and forth makes using tcpdump
> on a pfsync interface much less convenient. All these state table entries will
> never be used should the machine fail-over, as all the connectivity checks are
> initiated from the local IP address, rather than the CARP address.
> 
> So I guess what I'm trying to ask is: Is there a way to have relayd not sync
> its TCP/TLS/etc connectivity checks via pfsync?
> 
> I was hoping to get a sanity check here so I can confirm whether or not I'm
> totally off base here.
> 
> I currently have "keep state (no-sync)" peppered throughout my config for rules
> I want excluded from pfsync, as the pf config is quite simple. Maybe I'm
> missing something obvious, but is there a "sync" option? i.e. the ability to
> manually specify exactly which rules/states you want synced?
> 
> Would some sort of rule like "pass out on $int_if proto tcp to any user _relayd
> keep state (no-sync)" do what I want, or would that also catch the traffic I'm
> trying to load balance as well?
> 
> Any insight or advice would be much appreciated.
> 
> P.S  Sorry for the wall of text
> 
> Regards,
> 
> Jordan


Hi,

As you said, you can use the no-sync.

Relayd checks don't create any pf rules. Only the listen creates rules
pfctl -sr -a'relayd/ldap'

pass in quick on rdomain 0 inet proto tcp from any to x.x.x.x port = 636 
flags S/SA keep state (tcp.established 4200) tag RELAYD_ldap rdr-to 
 port 1636 least-states sticky-address


local checks from LB to hosts can have the no-sync.
I have these in my config

# checks from LB
pass out quick on $ldap_if proto tcp from ($ldap_if) to 
($ldap_if:network) port {1389, 1636} keep state (no-sync)


Maybe you have another rule (out on $ldap_if) before, that allows the 
traffic?


I handle incoming traffic (to LB) with pftag on relayd.conf and I 
specifically allow them on out direction.


# client rules
pass out quick on $ldap_if tagged RELAYD_ldap keep state 
(tcp.established 4200)


G




relayd + pfsync

2021-02-01 Thread Jordan Geoghegan
Hello,

I had a question about using relayd with pfsync.

I have a small gateway/load-balancer set up with relayd, carp and pfsync plus 
BGPd for IP failover, and everything is working great. I was pleasantly 
surprised at how easy it was to get pfsync tunnelled over wireguard. Things 
failover perfectly, and I'm happy as a clam.

I however do have a question about some pfsync/relayd details that I'm not 
fully clear on:

With all the plumbing being done with relayd and all the associated 
TCP/TLS/HTTP(s) checks it's doing, it ends up setting up and tearing down a 
decent number of connections on a recurring basis. I know in PF you can use the 
"no-sync" keyword to prevent states created by certain rules from being synced 
across the wire, but I haven't found a way to do this with rules/states 
generated by relayd.

It's probably largely irrelevant in the grand scheme of things, but I found it 
slightly irritating having hundreds or thousands of state table entries 
experiencing constant churn while being synced over the wire. Having the noise 
from the relayd connectivity checks syncing back and forth makes using tcpdump 
on a pfsync interface much less convenient. All these state table entries will 
never be used should the machine fail-over, as all the connectivity checks are 
initiated from the local IP address, rather than the CARP address.

So I guess what I'm trying to ask is: Is there a way to have relayd not sync 
its TCP/TLS/etc connectivity checks via pfsync?

I was hoping to get a sanity check here so I can confirm whether or not I'm 
totally off base here.

I currently have "keep state (no-sync)" peppered throughout my config for rules 
I want excluded from pfsync, as the pf config is quite simple. Maybe I'm 
missing something obvious, but is there a "sync" option? i.e. the ability to 
manually specify exactly which rules/states you want synced?

Would some sort of rule like "pass out on $int_if proto tcp to any user _relayd 
keep state (no-sync)" do what I want, or would that also catch the traffic I'm 
trying to load balance as well?

Any insight or advice would be much appreciated.

P.S  Sorry for the wall of text

Regards,

Jordan






Re: rdsetroot and gzip'd bsd.rd

2021-02-01 Thread Daniel Jakots
On Mon, 01 Feb 2021 18:18:43 -0700, "Theo de Raadt" wrote:

> Should rdsetroot be able to edit gzip'd files?  I am not sure about
> that.

Yeah, I don't think so either. gzip(1) can be easily used to uncompress
it beforehand. 

But the result is still that rdsetroot on -current is not able to
extract a bsd.rd even when given an uncompressed bsd.rd (i.e. a "ELF
64-bit LSB executable, x86-64, version 1" bsd.rd).
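The two error messages Daniel hit correspond to two properties of the file: its leading bytes (gzip magic versus ELF magic) and, once it is an ELF, whether a SHT_SYMTAB section is still present in the section header table, which is exactly what stripping removes. The added example below is mine, not rdsetroot's code; it decodes only the ELF64 header fields it needs and runs against minimal ELF64 images constructed in memory (no real bsd.rd is required).

```python
"""Classify a bsd.rd-style image by the checks behind the two rdsetroot
errors in this thread ('not an elf' and 'symbol table not found').

Added example, not rdsetroot's code. The ELF64 images are constructed
in memory for illustration; only ELF64 little-endian is handled.
"""
import gzip
import struct

ELF_MAGIC = b"\x7fELF"
GZIP_MAGIC = b"\x1f\x8b"
SHT_SYMTAB = 2

def has_symtab(data):
    """Walk the section header table of an ELF64 LSB image and report
    whether any section has type SHT_SYMTAB (what strip(1) removes)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an elf")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian handled in this example")
    shoff, = struct.unpack_from("<Q", data, 0x28)          # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3a)  # e_shentsize, e_shnum
    for i in range(shnum):
        # sh_type is the second 4-byte field of each section header
        sh_type, = struct.unpack_from("<I", data, shoff + i * shentsize + 4)
        if sh_type == SHT_SYMTAB:
            return True
    return False

def classify(data):
    """Return the rdsetroot-style verdict for this image."""
    if data[:2] == GZIP_MAGIC:
        return "not an elf (gzip compressed; gunzip first)"
    if data[:4] != ELF_MAGIC:
        return "not an elf"
    return "ok" if has_symtab(data) else "symbol table not found"

def build_elf64(section_types):
    """Constructed minimal ELF64 (x86-64, LSB) whose section header table
    has one entry per type given; section bodies are empty because only
    the headers matter for this check."""
    ehdr_size, shentsize = 64, 64
    shoff = ehdr_size                      # headers follow the ELF header directly
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # class, data, version, OSABI
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0,
                                 ehdr_size, 0, 0, shentsize, len(section_types), 0)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", 0, t, 0, 0, 0, 0, 0, 0, 0, 0)
                     for t in section_types)
    return ehdr + shdrs

UNSTRIPPED = build_elf64([0, SHT_SYMTAB, 3])  # null, .symtab, .strtab
STRIPPED = build_elf64([0, 3])                 # .symtab gone after strip
GZIPPED = gzip.compress(UNSTRIPPED)            # what the fetched bsd.rd looked like

if __name__ == "__main__":
    for name, img in (("gzip'd", GZIPPED), ("stripped", STRIPPED), ("unstripped", UNSTRIPPED)):
        print(f"{name}: {classify(img)}")
```

Run against a real file with `classify(open("bsd.rd", "rb").read())`; the gzip branch reproduces the first error Daniel saw and the stripped branch the second, which is why gunzipping alone was not enough.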



Re: rdsetroot and gzip'd bsd.rd

2021-02-01 Thread Theo de Raadt
Should rdsetroot be able to edit gzip'd files?  I am not sure about
that.

BTW, at least one arch's bsd.rd has been gzip'd over the decades, so
this is simply an observation on a common architecture; it has been
with us forever.

Daniel Jakots wrote:

> Hi,
> 
> Running -current amd64, I fetched a -current amd64 bsd.rd, then run
> $ rdsetroot -x bsd.rd ramdisk
> rdsetroot: bsd.rd: not an elf
> 
> I didn't expect that, so I run file on it which said
> bsd.rd: gzip compressed data, max compression, from Unix
> 
> I naively tried to gunzip it:
> $ mv bsd.rd bsd.rd.gz && gunzip bsd.rd.gz
> $ file bsd.rd
> bsd.rd: ELF 64-bit LSB executable, x86-64, version 1
> 
> so I ran rdsetroot again
> $ rdsetroot -x bsd.rd ramdisk
> rdsetroot: symbol table not found
> 
> 
> I guess it's because of
> https://github.com/openbsd/src/commit/aa6c3ec2488169493ed4877eea65efb00c967050
> 
> 
> Is it because now bsd.rd is stripped and rdsetroot needs to be updated
> to not expect a symbol table? Or am I missing something?
> 
> 
> Cheers,
> Daniel
> 



rdsetroot and gzip'd bsd.rd

2021-02-01 Thread Daniel Jakots
Hi,

Running -current amd64, I fetched a -current amd64 bsd.rd, then run
$ rdsetroot -x bsd.rd ramdisk
rdsetroot: bsd.rd: not an elf

I didn't expect that, so I run file on it which said
bsd.rd: gzip compressed data, max compression, from Unix

I naively tried to gunzip it:
$ mv bsd.rd bsd.rd.gz && gunzip bsd.rd.gz
$ file bsd.rd
bsd.rd: ELF 64-bit LSB executable, x86-64, version 1

so I ran rdsetroot again
$ rdsetroot -x bsd.rd ramdisk
rdsetroot: symbol table not found


I guess it's because of
https://github.com/openbsd/src/commit/aa6c3ec2488169493ed4877eea65efb00c967050


Is it because now bsd.rd is stripped and rdsetroot needs to be updated
to not expect a symbol table? Or am I missing something?


Cheers,
Daniel



Re: amdgpu unstable atm

2021-02-01 Thread rgc
On Mon, Jan 25, 2021 at 05:33:22PM +0900, rgc wrote:
> misc@
> 
> pkg_add -u; sysupgrade -ks this morning
> i see firefox-esr pull a new gtk (iirc) build ... quirks-3.517
> on firefox is visualsource.net playing commit videos
> seems to be working good now ... and it seems firefox is snappier
> 
> i still see these on xconsole
> > [drm] *ERROR* Error in DP aux read transaction, not writing source specific 
> > data
> > [drm] *ERROR* Error in DP aux read transaction, not writing source specific 
> > data
> but no hangs or crashes at the moment.
> 
> ~ rgc
> 

misc@

it's been a few days
some crashes still occurred ..
one time i've already killed firefox-esr and was just using stterm when X 
crashed.

in the meantime, i've done a BIOS update. 
i have SVM (AMDs vmm support) enabled which automatically shares 1Gb to iGPU.
and running pkg_add -u and sysupgrade every other day.

kern.version=OpenBSD 6.8-current (GENERIC.MP) #302: Sat Jan 30 21:51:53 MST 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

running spyder3 and firefox-esr at the same time, no issues so far

~ rgc



Re: "No O/S" after drive replacement with / on raid1

2021-02-01 Thread Stefan Sperling
On Sun, Jan 31, 2021 at 09:47:22PM +0300, Serge wrote:
> Hello.
> 
> I use 2 disks in mirror with root partition on softraid.
> Say they are sd0a and sd1a and SR is sd2.
> For example sd0 fails. I shutdown system, replace failed drive, 
> boot from good one, copy layout, rebuild array, all disks online 
> and system is up and running.
> Then sd1 fails. I shutdown system, replace sd1, power on and...
> 
> Using drive 0, partition 3.
> No O/S
> _
> 
> 
> Reading manuals, faqs and mailing lists led me to the following:
> I reproduce the issue and after replacement first failed drive run
> # installboot -v sd2
> 
> After that I can boot successfully from both drives.
> 
> Unfortunately I cannot find this solution (is it a solution?) 

Yes, this is the right solution.

Installboot writes the bootloader to all chunks. If a chunk is replaced
with a fresh disk this disk won't carry a boot loader unless installboot
is run again.



Re: seeing carp interface state change for unknown reason ; cluestick hunting

2021-02-01 Thread David Gwynne



> On 1 Feb 2021, at 6:02 pm, Bryan Stenson wrote:
> 
> Hi all -
> 
> I'm trying to set up a pair of ERL3 octeon routers in master/standby
> mode via carp/pfsync to route traffic from my internal lan to the
> internet.  I've seen strange behavior wrt carp on these machines, so
> in an attempt to reduce the problem, I've removed one completely.
> 
> Even with only a single box (ERL3-01) on the network configured as a
> carp member, the carp interface state periodically changes (as seen
> from ifstated(8)).
> 
> I'm wondering if disconnecting the other ERL3 device is a valid isolated test.
> 1.  Will/might this cause issues with the carp device, as it cannot
> determine state from any other host?

If carp state flaps around while it is the only device on the network, that 
would imply the parent device is flapping around.

> 2.  Will/might this cause issues as it cannot send/receive pfsync
> updates (the other node is disconnected).

pfsync doesn't really care about carp state.

> 3.  Is there something else in my setup causing carp to fail here?

I'd be running "route monitor" and looking for link state changes on the carp 
parent interface.

> 4.  Could this be hardware/temperature related to this ERL3?  Wouldn't
> I see an additional error in dmesg if the physical device (cnmac2)
> failed periodically?
> 
> I'd appreciate any pointers here...I feel like I'm missing something dumb.

My first ideas are above. If it turns out the carp parent is stable we can try 
to come up with something else.

dlg

> 
> Thanks in advance.
> 
> Bryan
> 
> Here are some of my configs.  If I've missed including something
> critical to help describe my setup, please let me know and I'll add
> it.
> 
> ## Help me OBSD-Misc Kenobi.  You're my only hope. ##
> 
> erl3-01# uname -a
> OpenBSD erl3-01.siliconvortex.com 6.8 GENERIC#522 octeon
> 
> erl3-01# dmesg
> ...
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> 
> erl3-01# tail mbox
> Mon, 1 Feb 2021 06:49:26 + (UTC)
> From: Charlie Root 
> Date: Mon, 1 Feb 2021 06:49:25 + (UTC)
> To: root@localhost
> Subject: carp master changed
> Message-ID: <515eb74cff427...@erl3-01.siliconvortex.com>
> Status: RO
> 
> master is now erl3-01.siliconvortex.com
> 
> 
> erl3-01# sysctl -a | grep carp
> net.inet.carp.allow=1
> net.inet.carp.preempt=1
> net.inet.carp.log=2
> 
> erl3-01# cat /etc/hostname.carp1
> #carp for lan side
> 192.168.122.1/23 carpdev vlan100 vhid 1 pass somethinglongandsecret
> 
> erl3-01# cat /etc/hostname.vlan100
> vnetid 100 parent cnmac2
> up
> 
> erl3-01# cat /etc/hostname.cnmac2
> inet 192.168.1.253 255.255.254.0
> 
> erl3-01# cat /etc/hostname.pfsync0
> up syncdev cnmac1
> 
> erl3-01# cat /etc/hostname.cnmac1
> inet 10.10.200.1 255.255.255.252
> 
> erl3-01# cat /etc/ifstated.conf
> # Initial State
> init-state auto
> 
> # Macros
> if_carp_up="carp1.link.up"
> if_carp_down="!carp1.link.up"
> 
> state auto {
>   if $if_carp_up {
>     set-state master
>   }
> 
>   if $if_carp_down {
>     set-state backup
>   }
> }
> 
> state master {
>   init {
>     run "echo master is now `hostname` | mail -s 'carp master changed' root@localhost"
>   }
> 
>   if $if_carp_down {
>     set-state backup
>   }
> }
> 
> state backup {
>   init {
>     run "echo backup is now `hostname` | mail -s 'carp master changed' root@localhost"
>   }
> 
>   if $if_carp_up {
>     set-state master
>   }
> }
> 
> erl3-01# cat /etc/pf.conf
> # adopted from https://www.openbsd.org/faq/pf/example1.html
> wan_dev = cnmac0
> lan_dev = cnmac2
> carp_dev = vlan100
> pfsync_dev = cnmac1
> table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
>203.0.113.0/24 }
> 
> # carp
> pass quick on $lan_dev proto carp keep state (no-sync)
> 
> # pfsync
> pass quick on $pfsync_dev proto pfsync keep state (no-sync)
> 
> set block-policy drop
> set loginterface $wan_dev
> set skip on lo0
> 
> match in all scrub (no-df random-id max-mss 1440)
> 
> # redirect DNS queries to localhost
> pass in quick on { $carp_dev $lan_dev } proto { udp tcp } from any to any port domain rdr-to 192.168.1.253 port domain
> 
> # NAT to the world
> match out on $wan_dev inet from !($wan_dev:network) to any nat-to ($wan_dev:0)
> 
> antispoof quick for { $wan_dev }
> 
> # martians
> block in quick on $wan_dev from  to any
> block return out quick on $wan_dev from any to 
> 
> block all
> 
> # manage buffer bloat
> queue outq on $wan_dev flows 1024 bandwidth 3M max 3M qlimit 1024 default
> queue inq on $lan_dev flows 1024 bandwidth 45M max 45M qlimit 1024 default
> 
> pass out quick inet
> 
> pass in on { $carp_dev $lan_dev } inet
> 
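David's advice is to run `route monitor` and watch for link state changes on the carp parent. The added example below is mine, not OpenBSD code: it reads that stream and counts link transitions per interface, so a parent that flaps (here cnmac2, the physical interface under the vlan100 carpdev) stands out. The RTM_IFINFO line shape in `IFINFO_RE` and the sample lines are constructed from memory of route(8) output and are an assumption; adjust the regular expression if your release prints the fields differently.

```python
"""Count link transitions per interface in 'route monitor' output.

Added example for this thread, not OpenBSD code. The RTM_IFINFO line
format and the sample lines are constructed and are an assumption.
"""
import re
import sys
from collections import defaultdict

# Assumed shape: "RTM_IFINFO: iface status change: len 176, if# 4, name: cnmac2, link: down, ..."
IFINFO_RE = re.compile(r"RTM_IFINFO:.*?name:\s*(\S+?),\s*link:\s*(\S+?),")

def link_events(lines):
    """Yield (ifname, linkstate) for every RTM_IFINFO message seen."""
    for line in lines:
        m = IFINFO_RE.search(line)
        if m:
            yield m[1], m[2]

def count_transitions(lines):
    """Number of link state changes per interface: a change is a report
    whose state differs from the previous report for that interface."""
    last = {}
    changes = defaultdict(int)
    for ifname, state in link_events(lines):
        if ifname in last and last[ifname] != state:
            changes[ifname] += 1
        last[ifname] = state
    return dict(changes)

def suspect_parent(lines, carp_parent):
    """True when the carp parent (or the physical interface under a vlan
    parent) shows any link transition, the condition David points at as
    the likely cause of carp flapping on a lone node."""
    return count_transitions(lines).get(carp_parent, 0) > 0

# Constructed sample: cnmac2 goes down and comes back; cnmac1 and carp1 only report up.
SAMPLE = """\
got message of size 176 on Mon Feb  1 06:49:20 2021
RTM_IFINFO: iface status change: len 176, if# 4, name: cnmac2, link: down, mtu: 1500, flags:<UP,BROADCAST,SIMPLEX,MULTICAST>
got message of size 176 on Mon Feb  1 06:49:23 2021
RTM_IFINFO: iface status change: len 176, if# 4, name: cnmac2, link: up, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
got message of size 176 on Mon Feb  1 06:49:24 2021
RTM_IFINFO: iface status change: len 176, if# 3, name: cnmac1, link: up, mtu: 1500, flags:<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
got message of size 176 on Mon Feb  1 06:49:25 2021
RTM_IFINFO: iface status change: len 176, if# 6, name: carp1, link: up, mtu: 1500, flags:<UP,BROADCAST,RUNNING,MULTICAST>
""".splitlines()

if __name__ == "__main__":
    # Pipe live output in with: route monitor | python3 this.py ; falls back to the sample.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for ifname, n in sorted(count_transitions(src).items()):
        print(f"{ifname}: {n} link transition(s)")
```

Left running on the lone ERL3 for a while, a non-zero count for cnmac2 (or vlan100) alongside the carp1 transitions in dmesg points at the parent link rather than at carp itself, which is the split David wants to establish first.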



ospfd adv 0.0.0.0/0

2021-02-01 Thread kab4...@yahoo.com
Hi all, I get openbgpd and openospfd at same openbsd 6.6 server. I want my ospf
adv 0.0.0.0/0 to my network.
I put network 0.0.0.0/0 at bgpd.conf
I put redistribute default at ospfd.conf

ospfctl sh database self-originated

Link ID          Adv Router       Age   Seq#    Checksum
10.xxx.xxx.248   103.xxx.xxx.11   1225  0x8048  0x2471
10.xxx.xxx.252   103.xxx.xxx.11   1225  0x804a  0xf797
103.xxx.xxx.72   103.xxx.xxx.11   1225  0x8048  0xe1c4
103.xxx.xxx.60   103.xxx.xxx.11   1225  0x804a  0x858d
103.xxx.xxx.12   103.xxx.xxx.11   1225  0x804a  0x3b05
103.xxx.xxx.40   103.xxx.xxx.11   1225  0x804a  0x2a47
103.xxx.xxx.44   103.xxx.xxx.11   1225  0x8049  0x046a
103.xxx.xxx.48   103.xxx.xxx.11   1225  0x8049  0xdb8e
103.xxx.xxx.128  103.xxx.xxx.11   1785  0x806f  0x2aad

Just like in my frrouting: sh ip ospf database self-originate

       OSPF Router with ID (103.xxx.xxx.3)
                Router Link States (Area 0.0.0.0)

Link ID          ADV Router       Age   Seq#    CkSum   Route
0.0.0.0          103.xxx.xxx.3    1365  0x8020  0x9beb  E2 0.0.0.0/0 [0x0]
10.xxx.xxx.252   103.xxx.xxx.3     545  0x801f  0xc0cf  E2 10.xxx.xxx.252/30 [0x0]
103.xxx.xxx.216  103.xxx.xxx.3     515  0x801f  0x0114  E2 103.xxx.xxx.216/30 [0x0]
103.xxx.xxx.3    103.xxx.xxx.3     745  0x801f  0x9cad  E2 103.xxx.xxx.3/32 [0x0]

Regards


seeing carp interface state change for unknown reason ; cluestick hunting

2021-02-01 Thread Bryan Stenson
Hi all -

I'm trying to set up a pair of ERL3 octeon routers in master/standby
mode via carp/pfsync to route traffic from my internal lan to the
internet.  I've seen strange behavior wrt carp on these machines, so
in an attempt to reduce the problem, I've removed one completely.

Even with only a single box (ERL3-01) on the network configured as a
carp member, the carp interface state periodically changes (as seen
from ifstated(8)).

I'm wondering if disconnecting the other ERL3 device is a valid isolated test.
1.  Will/might this cause issues with the carp device, as it cannot
determine state from any other host?
2.  Will/might this cause issues as it cannot send/receive pfsync
updates (the other node is disconnected).
3.  Is there something else in my setup causing carp to fail here?
4.  Could this be hardware/temperature related to this ERL3?  Wouldn't
I see an additional error in dmesg if the physical device (cnmac2)
failed periodically?

I'd appreciate any pointers here...I feel like I'm missing something dumb.

Thanks in advance.

Bryan

Here are some of my configs.  If I've missed including something
critical to help describe my setup, please let me know and I'll add
it.

## Help me OBSD-Misc Kenobi.  You're my only hope. ##

erl3-01# uname -a
OpenBSD erl3-01.siliconvortex.com 6.8 GENERIC#522 octeon

erl3-01# dmesg
...
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER

erl3-01# tail mbox
Mon, 1 Feb 2021 06:49:26 + (UTC)
From: Charlie Root 
Date: Mon, 1 Feb 2021 06:49:25 + (UTC)
To: root@localhost
Subject: carp master changed
Message-ID: <515eb74cff427...@erl3-01.siliconvortex.com>
Status: RO

master is now erl3-01.siliconvortex.com


erl3-01# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2

erl3-01# cat /etc/hostname.carp1
#carp for lan side
192.168.122.1/23 carpdev vlan100 vhid 1 pass somethinglongandsecret

erl3-01# cat /etc/hostname.vlan100
vnetid 100 parent cnmac2
up

erl3-01# cat /etc/hostname.cnmac2
inet 192.168.1.253 255.255.254.0

erl3-01# cat /etc/hostname.pfsync0
up syncdev cnmac1

erl3-01# cat /etc/hostname.cnmac1
inet 10.10.200.1 255.255.255.252

erl3-01# cat /etc/ifstated.conf
# Initial State
init-state auto

# Macros
if_carp_up="carp1.link.up"
if_carp_down="!carp1.link.up"

state auto {
  if $if_carp_up {
    set-state master
  }

  if $if_carp_down {
    set-state backup
  }
}

state master {
  init {
    run "echo master is now `hostname` | mail -s 'carp master changed' root@localhost"
  }

  if $if_carp_down {
    set-state backup
  }
}

state backup {
  init {
    run "echo backup is now `hostname` | mail -s 'carp master changed' root@localhost"
  }

  if $if_carp_up {
    set-state master
  }
}

erl3-01# cat /etc/pf.conf
# adopted from https://www.openbsd.org/faq/pf/example1.html
wan_dev = cnmac0
lan_dev = cnmac2
carp_dev = vlan100
pfsync_dev = cnmac1
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
203.0.113.0/24 }

# carp
pass quick on $lan_dev proto carp keep state (no-sync)

# pfsync
pass quick on $pfsync_dev proto pfsync keep state (no-sync)

set block-policy drop
set loginterface $wan_dev
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# redirect DNS queries to localhost
pass in quick on { $carp_dev $lan_dev } proto { udp tcp } from any to any port domain rdr-to 192.168.1.253 port domain

# NAT to the world
match out on $wan_dev inet from !($wan_dev:network) to any nat-to ($wan_dev:0)

antispoof quick for { $wan_dev }

# martians
block in quick on $wan_dev from  to any
block return out quick on $wan_dev from any to 

block all

# manage buffer bloat
queue outq on $wan_dev flows 1024 bandwidth 3M max 3M qlimit 1024 default
queue inq on $lan_dev flows 1024 bandwidth 45M max 45M qlimit 1024 default

pass out quick inet

pass in on { $carp_dev $lan_dev } inet