Re: default route for a subset of addresses

2024-07-18 Thread Kapetanakis Giannis
> wgkey > wgpeer wgaip 0.0.0.0/0 wgendpoint 51868 > !route -T4 -n add default 10.2.0.2 > wgrtable 0 > == > I started to realize that that wg interface had no clue how to get > back to the hosts on the vlan. Attempting to add routes did not work &

Re: default route for a subset of addresses

2024-07-17 Thread Sonic
On Wed, Jul 17, 2024 at 11:55 AM Sonic wrote: > The wg interface using an rdomain: Got it to work, although it seems a bit convoluted. The wg interface config: == rdomain 4 inet 10.2.0.2/32 wgkey wgpeer wgaip 0.0.0.0/0 wgendpoint 51868 !route -T4 -n add defa

Re: default route for a subset of addresses

2024-07-17 Thread Sonic
On Tue, Jul 16, 2024 at 3:23 PM Stuart Henderson wrote: > Your route-to should specify the IP to send packets to, not an interface > (which would expand to the _local_ address on that interface) Even then the problem exists. Tried today with an rdomain and the same issue. I'm thinking it

Re: default route for a subset of addresses

2024-07-16 Thread Stuart Henderson
Your route-to should specify the IP to send packets to, not an interface (which would expand to the _local_ address on that interface) -- Sent from a phone, apologies for poor formatting. On 16 July 2024 20:17:08 Sonic wrote: On Mon, Jul 15, 2024 at 6:17 PM Stuart Henderson wrote: Your

Re: default route for a subset of addresses

2024-07-16 Thread Sonic
On Mon, Jul 15, 2024 at 6:17 PM Stuart Henderson wrote: > Your main options are to use PF route-to (config for this is reasonably > obvious, but make sure that wgaip is set to allow the relevant addresses), > > route-to is reasonably obvious. The problem I'm having with route-to is

Re: default route for a subset of addresses

2024-07-16 Thread Sonic
On Tue, Jul 16, 2024 at 4:41 AM Zé Loff wrote: > Apologies, I misread your question. Sorry for the noise. My query was not as clear as it could have been. My apologies and thank you for your input. Chris

Re: default route for a subset of addresses

2024-07-16 Thread Zé Loff
On Mon, Jul 15, 2024 at 09:20:49PM -0400, Sonic wrote: > On Mon, Jul 15, 2024 at 5:36 PM Zé Loff wrote: > > If it is specific for a subset of addresses, and not the default > > route then... it won't be the default. It'll be a specific route for > > those addresses. >

Re: default route for a subset of addresses

2024-07-15 Thread Sonic
On Mon, Jul 15, 2024 at 6:17 PM Stuart Henderson wrote: > Your main options are to use PF route-to (config for this is reasonably > obvious, but make sure that wgaip is set to allow the relevant addresses), > or use multiple rtables and use PF to adjust the rtable used for packets >

Re: default route for a subset of addresses

2024-07-15 Thread Sonic
On Mon, Jul 15, 2024 at 5:36 PM Zé Loff wrote: > If it is specific for a subset of addresses, and not the default > route then... it won't be the default. It'll be a specific route for > those addresses. I mean a default route from those specific addresses that is different from th

Re: default route for a subset of addresses

2024-07-15 Thread Stuart Henderson
On 2024-07-15, Sonic wrote: > Hello, > > I'm trying to find the best way (although I haven't been successful at > finding any way currently) to have a default route for a subset of > addresses. > > I have several vlans, but no vlan interfaces on the OpenBSD router as > t

Re: default route for a subset of addresses

2024-07-15 Thread Zé Loff
On Mon, Jul 15, 2024 at 05:26:03PM -0400, Sonic wrote: > Hello, > > I'm trying to find the best way (although I haven't been successful at > finding any way currently) to have a default route for a subset of > addresses. If it is specific for a subset of addresses, and not th

default route for a subset of addresses

2024-07-15 Thread Sonic
Hello, I'm trying to find the best way (although I haven't been successful at finding any way currently) to have a default route for a subset of addresses. I have several vlans, but no vlan interfaces on the OpenBSD router as the routing between vlans is handled by a layer 3 switch. I also have

Re: route -n show blackhole routes

2024-06-25 Thread Claudio Jeker
On Tue, Jun 25, 2024 at 10:54:16AM +0200, Claudio Jeker wrote: > On Tue, Jun 25, 2024 at 08:35:18AM -, Stuart Henderson wrote: > > On 2024-06-24, Tom Smyth wrote: > > > Folks, > > > while reviewing nsh I was wondering how to improve show route > > >

Re: route -n show blackhole routes

2024-06-25 Thread Tom Smyth
so what is the alternative? pardon my ignorance, but is it like a view in a DB so we use a bit more memory so as the route (eg blackhole route is copied to a table of blackhole routes ? and an arp entry / host route is copied to an arp table that can be dumped on demand .. (with the necessary

Re: route -n show blackhole routes

2024-06-25 Thread Tom Smyth
Thanks Stuart, I'll take a look at how the prefix searches are done ... and see if I can re-use that for route(8) if people think that it would be useful to have in route(8) Thanks again, Tom Smyth On Tue, 25 Jun 2024 at 09:39, Stuart Henderson wrote: > > On 2024-06-24, Tom Smyth

Re: route -n show blackhole routes

2024-06-25 Thread Claudio Jeker
On Tue, Jun 25, 2024 at 08:35:18AM -, Stuart Henderson wrote: > On 2024-06-24, Tom Smyth wrote: > > Folks, > > while reviewing nsh I was wondering how to improve show route commands... > > reviewing the man route man page, > > > > there doesn't s

Re: route -n show blackhole routes

2024-06-25 Thread Stuart Henderson
On 2024-06-24, Tom Smyth wrote: > Folks, > while reviewing nsh I was wondering how to improve show route commands... > reviewing the man route man page, > > there doesn't seem to be a straight forward way of displaying > blackhole routes without using > > route sh

route -n show blackhole routes

2024-06-24 Thread Tom Smyth
Folks, while reviewing nsh I was wondering how to improve show route commands... reviewing the man route man page, there doesn't seem to be a straight forward way of displaying blackhole routes without using route show |grep B for blackhole route show |grep R for Reject is there something

Re: Issue with pf route-to and routing tables

2024-04-16 Thread Thomas
> default192.168.0.1 wg0 > IP_VM IP_Gatewaybse0 > 192.168.0.1 wg0 wg0 > > And natting outbound traffic on wg0 like so: > pass out on wg0 from $int_if:network nat-to wg0 > > I wanted to try out using route-to on my

Issue with pf route-to and routing tables

2024-04-15 Thread Thomas
1 wg0 wg0 And natting outbound traffic on wg0 like so: pass out on wg0 from $int_if:network nat-to wg0 I wanted to try out using route-to on my VM instead of using different rdomain or just to try something else. I have another wireguard tunnel, wg1 to relay my internal traffic fu

Re: Programmatically add default IPv6 route

2024-02-23 Thread Florian Obser
er >> when adding a default IPv6 route to PPP peer. >> >> Feb 23 17:26:45 rt-01 pppd[64071]: Couldn't add IPv6 default route: Network >> is unreachable >> >> Adding the default route from route(8) works when the connection is >> established. >>

Re: Programmatically add default IPv6 route

2024-02-23 Thread Denis Fondras
On Fri, Feb 23, 2024 at 08:58:59PM +0100, Claudio Jeker wrote: > > > > Should I also send the IFP, IFA and BRD sockaddrs from pppd(8) ? > > Don't think so. > > > How come messages sent from route(8) have more attributes when received by > > monitor ? > &g

Re: Programmatically add default IPv6 route

2024-02-23 Thread Claudio Jeker
On Fri, Feb 23, 2024 at 06:25:18PM +0100, Denis Fondras wrote: > Hello, > > I am trying to add IPv6 support for pppd(8) (IPv6CP) and I encounter a blocker > when adding a default IPv6 route to PPP peer. > > Feb 23 17:26:45 rt-01 pppd[64071]: Couldn't add IPv6 defa

Re: Programmatically add default IPv6 route

2024-02-23 Thread Denis Fondras
One more piece of information: ENETUNREACH is issued on line 521 of net/route.c. Could this be some kind of race condition? From route monitor, I get this after my RTM_ADD : ``` RTM_CHGADDRATTR: address attributes being changed: len 224, if# 7, name ppp0, metric 0, flags: sockad

Programmatically add default IPv6 route

2024-02-23 Thread Denis Fondras
Hello, I am trying to add IPv6 support for pppd(8) (IPv6CP) and I encounter a blocker when adding a default IPv6 route to PPP peer. Feb 23 17:26:45 rt-01 pppd[64071]: Couldn't add IPv6 default route: Network is unreachable Adding the default route from route(8) works when the connection

Re: snmpd and route changes

2024-02-23 Thread Stuart Henderson
Not 100% sure but there's a chance that this will work how you expect in -current. https://github.com/openbsd/src/commit/029c661593e4bba8652393dbb912eaf3b5031eec On 2024-02-23, Marko Cupać wrote: > Hi, > > my OpenBSD firewall has static default route to the Internet over > extern

snmpd and route changes

2024-02-23 Thread Marko Cupać
Hi, my OpenBSD firewall has a static default route to the Internet over the external interface, and gets routes to internal subnets by means of OSPF with a Juniper switch over the internal interface. A host on one of the internal subnets queries snmpd listening on the internal interface of the OpenBSD firewall. When OSPF

Re: Using pf route-to to Route Network Traffic a tun interface and Replying from it

2023-06-05 Thread David Gwynne
On Tue, May 30, 2023 at 06:07:32PM +0300, Nick Andersen wrote: > Hi Folks, hi. > > I am writing to seek assistance regarding an issue I am experiencing in > trying to route my Personal Computer's network traffic to a TUN interface. > My objective is to modify some

Re: Route based IPsec

2023-05-31 Thread B. Atticus Grobe
On 5/31/23 05:03, Valdrin MUJA wrote: > Hi Claudio & David, > > Wireguard can work behind NAT. In that case maybe the solution is wireguard + BGP. I've been using OSPF over wireguard for several years now. It works quite well. You just have to add `wgaip 224.0.0.0/8' to allow multicast over

Re: Route based IPsec

2023-05-31 Thread Valdrin MUJA
g my work with the wireguard config.) From: owner-m...@openbsd.org on behalf of Claudio Jeker Sent: Wednesday, May 31, 2023 12:09 To: David Gwynne Cc: Misc Subject: Re: Route based IPsec On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote: > >

Re: Route based IPsec

2023-05-31 Thread Claudio Jeker
On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote: > > > > On 31 May 2023, at 18:33, Claudio Jeker wrote: > > > > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote: > >> > >> > >>> On 27 May 2023, at 21:40, Stuart Henderson > >>> wrote: > >>> > >>> On 2023-05-27,

Re: Route based IPsec

2023-05-31 Thread David Gwynne
> On 31 May 2023, at 18:33, Claudio Jeker wrote: > > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote: >> >> >>> On 27 May 2023, at 21:40, Stuart Henderson >>> wrote: >>> >>> On 2023-05-27, Valdrin MUJA wrote: Does OpenBSD have route based IPsec support? >>> >>> Not

Re: Route based IPsec

2023-05-31 Thread Claudio Jeker
On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote: > > > > On 27 May 2023, at 21:40, Stuart Henderson > > wrote: > > > > On 2023-05-27, Valdrin MUJA wrote: > >>Does OpenBSD have route based IPsec support? > > > > Not yet. > > while you wait, it might be possible to

Re: Route based IPsec

2023-05-31 Thread Valdrin MUJA
Thanks David, I'll try it soon. From: owner-m...@openbsd.org on behalf of David Gwynne Sent: Wednesday, May 31, 2023 01:35 To: Stuart Henderson Cc: misc@openbsd.org Subject: Re: Route based IPsec > On 27 May 2023, at 21:40, Stuart Henderson wr

Re: Route based IPsec

2023-05-30 Thread David Gwynne
> On 27 May 2023, at 21:40, Stuart Henderson wrote: > > On 2023-05-27, Valdrin MUJA wrote: >>Does OpenBSD have route based IPsec support? > > Not yet. while you wait, it might be possible to configure a gif tunnel protected by ipsec transport mode. dlg

Using pf route-to to Route Network Traffic a tun interface and Replying from it

2023-05-30 Thread Nick Andersen
Hi Folks, I am writing to seek assistance regarding an issue I am experiencing in trying to route my Personal Computer's network traffic to a TUN interface. My objective is to modify some of its content and subsequently return the traffic back. So far, I have successfully created a TUN interface

Re: Route based IPsec

2023-05-27 Thread Hrvoje Popovski
On 27.5.2023. 9:24, Valdrin MUJA wrote: > Hello, > > I need Route based IPsec solution to set up between a firewall device and > my OpenBSD firewall. > However, I am a little confused about this: > I created more than one enc device, I did policy based routing with PF bu

Re: Route based IPsec

2023-05-27 Thread Stuart Henderson
On 2023-05-27, Valdrin MUJA wrote: > Does OpenBSD have route based IPsec support? Not yet.

Route based IPsec

2023-05-27 Thread Valdrin MUJA
Hello, I need a route based IPsec solution to set up between a firewall device and my OpenBSD firewall. However, I am a little confused about this: I created more than one enc device, I did policy based routing with PF but no results. I guess this is not the intended use of interfaces like

Re: dhcpleased losing route

2023-05-11 Thread Peter Hessler
On 2023 May 12 (Fri) at 00:10:33 +1000 (+1000), David Diggles wrote: :Here's a longer tcpdump that should have a couple of rounds. :The ISP does offer ipv6 but I'm not ready to give up on dhcp yet. : You can run both in parallel, no problems with that. -- Expect the worst. It's the least you

Re: dhcpleased losing route

2023-05-11 Thread David Diggles
Yes this is now fixed. Thanks everyone! Stuart's suggestion of "received-on" is indeed excellent and is what I've used. On Thu, May 11, 2023 at 04:13:34PM +0200, Florian Obser wrote: > On 2023-05-11 08:08 +10, David Diggles wrote: > > On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew

Re: dhcpleased losing route

2023-05-11 Thread Florian Obser
On 2023-05-11 08:08 +10, David Diggles wrote: > On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew wrote: >> >> This looks like the thing I ran into a while ago where I had an overly >> broad nat-to rule for outgoing traffic that applied to traffic from the >> host as well as the

Re: dhcpleased losing route

2023-05-11 Thread David Diggles
Here's a longer tcpdump that should have a couple of rounds. The ISP does offer ipv6 but I'm not ready to give up on dhcp yet. tcpdump: WARNING: snaplen raised from 116 to 1500 22:54:27.011337 202.63.67.36.68 > 202.63.66.1.67: xid:0x10040a18 C:202.63.67.36 vend-rfc1048 DHCP:REQUEST LT:86400

Re: dhcpleased losing route

2023-05-11 Thread Mike Fischer
You are still getting a 5 minute lease. So that seems to be normal for your provider? (Maybe they only have a very limited pool of IPv4 addresses and want to be able to reuse them ASAP? Might explain why the initial DHCP:OFFER took so long as well.) But you don’t show what happens when the

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
Ok here's the Apple pcap for a working implementation. tcpdump -r airport.dhcp.pcap tcpdump: WARNING: snaplen raised from 116 to 1500 12:26:04.010316 0.0.0.0.bootpc >

Re: dhcpleased losing route

2023-05-10 Thread Stuart Henderson
On 2023-05-10, Jonathan Matthew wrote: > If there's a pf rule like 'match out on $iface nat-to ($iface)', making > that only apply to traffic received on another interface will probably > help. "received-on" is excellent for making rules only apply to packets coming from some specific interface.

Re: dhcpleased losing route

2023-05-10 Thread Sebastian Benoit
David Diggles(da...@elven.com.au) on 2023.05.11 08:09:54 +1000: > Thanks Florian, here's a tcpdump from the Apple (NetBSD) router. > This implementation isn't losing the default route. > > tcpdump -n -i mgi1 -s1500 -vv port 67 or 68 > tcpdump: listening on mgi1, link-type E

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
Thanks Florian, here's a tcpdump from the Apple (NetBSD) router. This implementation isn't losing the default route. tcpdump -n -i mgi1 -s1500 -vv port 67 or 68 tcpdump: listening on mgi1, link-type EN10MB (Ethernet), capture size 1500 bytes 07:15:36.010329 IP (tos 0x10, ttl 128, id 0, offset 0

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
On Thu, May 11, 2023 at 07:27:22AM +1000, Jonathan Matthew wrote: > > This looks like the thing I ran into a while ago where I had an overly > broad nat-to rule for outgoing traffic that applied to traffic from the > host as well as the networks behind it. This meant dhcpleased's unicast >

Re: dhcpleased losing route

2023-05-10 Thread Jonathan Matthew
On Wed, May 10, 2023 at 04:38:25PM +0200, Florian Obser wrote: > ( this is a good dhcp state diagram to follow along at home: > https://commons.wikimedia.org/wiki/File:DHCP_Client_State_Diagram_-_en.png ) > > On 2023-05-10 23:07 +10, David Diggles wrote: > > I probably should have done numeric

Re: dhcpleased losing route

2023-05-10 Thread Florian Obser
( this is a good dhcp state diagram to follow along at home: https://commons.wikimedia.org/wiki/File:DHCP_Client_State_Diagram_-_en.png ) On 2023-05-10 23:07 +10, David Diggles wrote: > I probably should have done numeric tcpdump output. Here's both again. > > tcpdump: WARNING: snaplen raised

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
I probably should have done numeric tcpdump output. Here's both again. tcpdump: WARNING: snaplen raised from 116 to 1500 22:36:40.276682 0.0.0.0.68 > 255.255.255.255.67: xid:0x74253f08 vend-rfc1048 DHCP:REQUEST HN:"sarah" CID:1.220.159.219.40.20.191 PR:SM+DG+NS+HN+DN+BR+119+121 RQ:202.63.67.36

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
On Wed, May 10, 2023 at 05:55:28AM -, Stuart Henderson wrote: > On 2023-05-10, David Diggles wrote: > > My ISP provides connection via DHCP. > > > > Every 5 minutes or so when dhcpleased is renewing the lease, > > my default route disappears for a few secon

Re: dhcpleased losing route

2023-05-10 Thread Otto Moerbeek
` when > > you are done with the testing.) > > > > > > Does the interface go down and up for some reason every 5 minutes? That > > might cause dhcpleased(8) to renew the lease. > > > > > > HTH > > Mike > > > > > Am 10.05.2

Re: dhcpleased losing route

2023-05-10 Thread David Diggles
ery 5 minutes? That might > cause dhcpleased(8) to renew the lease. > > > HTH > Mike > > > Am 10.05.2023 um 07:28 schrieb Otto Moerbeek : > > > > On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote: > > > >> > >> Just t

Re: dhcpleased losing route

2023-05-10 Thread Mike Fischer
d(8) to renew the lease. HTH Mike > Am 10.05.2023 um 07:28 schrieb Otto Moerbeek : > > On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote: > >> >> Just to update, I've added the following to dhclient.conf but >> it's still renewing every 5 minutes (approx

Re: dhcpleased losing route

2023-05-09 Thread Stuart Henderson
On 2023-05-10, David Diggles wrote: > My ISP provides connection via DHCP. > > Every 5 minutes or so when dhcpleased is renewing the lease, > my default route disappears for a few seconds. That isn't supposed to happen. I just checked on a machine which has 10 minute leases and

Re: dhcpleased losing route

2023-05-09 Thread Otto Moerbeek
On Wed, May 10, 2023 at 01:17:05PM +1000, David Diggles wrote: > > Just to update, I've added the following to dhclient.conf but > it's still renewing every 5 minutes (approximately) and the > default route is disappearing for a couple of seconds. :( > > send dhcp-lease-time

Re: dhcpleased losing route

2023-05-09 Thread David Diggles
Just to update, I've added the following to dhclient.conf but it's still renewing every 5 minutes (approximately) and the default route is disappearing for a couple of seconds. :( send dhcp-lease-time 86400; On Wed, May 10, 2023 at 01:00:00PM +1000, David Diggles wrote: > My ISP provi

dhcpleased losing route

2023-05-09 Thread David Diggles
My ISP provides connection via DHCP. Every 5 minutes or so when dhcpleased is renewing the lease, my default route disappears for a few seconds. Definitely I'll be looking at requesting a longer lease by putting a setting in /etc/dhclient.conf but is there any way I can stop the default route

Re: Static default route for a subnet

2023-03-29 Thread Kaya Saman
interfaces involved (the $vpn_net1 interface and $gnet_if) have been configured with "rdomain 2" then the route lookups will automatically use rtable 2 and you don't need to reset it in pf. The rule in use is this one: match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rt

Re: Static default route for a subnet

2023-03-29 Thread Kaya Saman
interfaces involved (the $vpn_net1 interface and $gnet_if) have been configured with "rdomain 2" then the route lookups will automatically use rtable 2 and you don't need to reset it in pf. The rule in use is this one: match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rt

Re: Static default route for a subnet

2023-03-28 Thread Kaya Saman
interfaces involved (the $vpn_net1 interface and $gnet_if) have been configured with "rdomain 2" then the route lookups will automatically use rtable 2 and you don't need to reset it in pf. I think I can confirm this. Certainly I don't see any difference between putting the 'rtabl

Re: Static default route for a subnet

2023-03-28 Thread Stuart Henderson
ved (the $vpn_net1 interface and $gnet_if) have been configured with "rdomain 2" then the route lookups will automatically use rtable 2 and you don't need to reset it in pf. > The rule in use is this one: > > match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2 If

Re: Static default route for a subnet

2023-03-28 Thread Kaya Saman
as "default gateway for a subnet". One way to do what you want is with PF "route-to" rules applying only to packets with a source address in the subnet of interest (and likewise for "reply-to" to handle incoming connections, maybe in conjunction with rdr-to). T

Re: Static default route for a subnet

2023-03-28 Thread Stuart Henderson
One way to do what you want is with PF "route-to" rules applying only to packets with a source address in the subnet of interest (and likewise for "reply-to" to handle incoming connections, maybe in conjunction with rdr-to). This is a little messier config, but if the old setu

Static default route for a subnet

2023-03-28 Thread Kaya Saman
think different situation on the mailing lists: https://misc.openbsd.narkive.com/lCGUlP2Q/two-default-route I think the above was more to do with using 2x default routes in a multipath setup rather than simply trying to get one particular subnet to use another ISP specifically. Currently I

Re: Route selected IP traffic across wg(4) tunnel

2023-03-10 Thread Zack Newman
Hey Zach It's actually "Zack". I thought I would try to use the pf routing option `route-to` to accomplish this as it seemed like it might be a simple solution. You might be able to, but I prefer using pf to only filter traffic when I can get away with it-obviously for things like

Re: Route selected IP traffic across wg(4) tunnel

2023-03-10 Thread Chris Jones
e also suggested using rdomain and rtable but I thought I would try to use the pf routing option `route-to` to accomplish this as it seemed like it might be a simple solution. I guess I just don't quite understand how it works. If I was to use a new rdomain/rtable, how would I go about routing a sing

Re: Route selected IP traffic across wg(4) tunnel

2023-03-09 Thread Zack Newman
Wondering if anyone has a "best practice" for pealing IP traffic off (in this case an AppleTV) and routing all the traffic across a Wireguard tunnel. Not sure what you mean by "pealing [sic] IP traffic off"; but when I need source-based routing, I prefer using rdomain(4)s and rtable(4)s. wg(4)

Route selected IP traffic across wg(4) tunnel

2023-03-06 Thread Chris Jones
Good afternoon, Wondering if anyone has a "best practice" for peeling IP traffic off (in this case an AppleTV) and routing all the traffic across a Wireguard tunnel. I've looked at the pf(4) routing option **route-to** and tried setting this up to the best of my knowled

Re: dhcpcd sometimes fails to route ipv6 /48

2022-08-18 Thread void
. On the router, the /48 remains on the LAN interface, the ND /64 appears under pppoe0 in ifconfig. I've clearly made errors initially configuring the openbsd client machine. Other machines on the LAN get a /48 and route it fine. I'll try again with rad and slaacd rather than dhcpcd on the client

Re: dhcpcd sometimes fails to route ipv6 /48

2022-08-18 Thread Stefan Sperling
e dhcpcd package on OpenBSD 7.0 and up. But your case is different. In your case, the RB tree lookup might still be choosing the wrong prefix to delete, because your LAN is using a wider prefix than the WAN side. Assuming the final rt_cmp_netmask() call I added in rt_cmp_dest() favours a /48 over

dhcpcd sometimes fails to route ipv6 /48

2022-08-18 Thread void
Hello misc@, I have an edgerouter lite 3 router running openbsd 7.1 octeon. The connection is via pppoe and has native ipv4 and ipv6. The router gets an ND /64 and PD /48. The /48 is served on the LAN-facing side. This setup works well, usually. What sometimes happens is that a LAN machine

Re: route added with wg tunnel which breaks my internal network

2022-04-25 Thread Łukasz Moskała
Hi, > I have no idea where that failing route comes from. I'd say that it comes from hostname.wg0: > inet6 fd00:22:dec:e2::100 64 If I understand correctly, you have fd00:22:dec:e2::/64 on both wg0 and em0. Having the same prefix on two network interfaces will always cause problem

Re: route advertisement question

2021-12-27 Thread Florian Obser
On 2021-12-26 19:43 UTC, mgra...@brainfat.net wrote: > So my question is, is this expected behavior? When the router advertisement > does not have a router and > thus sets the router lifetime to 0 (as it should), should slaacd ignore > advertisement? Or should > it still configure an IP

Re: route one port via a specific host (both directions)

2021-12-10 Thread Claus Assmann
On Fri, Dec 10, 2021, Michael Hekeler wrote: > Am 10.12.21 08:49 schrieb Claus Assmann: > > I am trying to run an SMTP server on a dynamic IP address > Running an SMTP server on a dynamic IP is just asking for trouble. That's why I want to run the server behind a static IP -- as my mail

Re: route one port via a specific host (both directions)

2021-12-10 Thread Michael Hekeler
On 10.12.21 08:49 Claus Assmann wrote: > I am trying to run an SMTP server on a dynamic IP address Running an SMTP server on a dynamic IP is just asking for trouble.

Re: route one port via a specific host (both directions)

2021-12-10 Thread Crystal Kolipe
On Fri, Dec 10, 2021 at 08:49:08AM +, Claus Assmann wrote: > I am trying to run an SMTP server on a dynamic IP address > (and maybe other services later on, e.g., DNS or HTTP) We recently published a comprehensive guide for running inbound and outbound SMTP from a dynamic IP via an IPSEC

Re: route one port via a specific host (both directions)

2021-12-10 Thread Stuart Henderson
nt. Me too. For this case I would place the tunnel interface in an alternative rdomain, add a default route in that rdomain to the tunnel endpoint (route -T2 add default XX), and run the MTA in the route table matching that rdomain (rcctl set $daemon rtable 2). I have been happy with wg(4) for this use

Re: route one port via a specific host (both directions)

2021-12-10 Thread Łukasz Moskała
o/from the host (DYNAMIC) with the dynamic IP >address. > >To route the port incoming it seems I can use: >DYNAMIC$ ssh -o ExitOnForwardFailure=yes -N -R 25:localhost:25 STATIC > >This also has the advantage that the routing is only active >as long as DYNAMIC is up and running w

route one port via a specific host (both directions)

2021-12-10 Thread Claus Assmann
I am trying to run an SMTP server on a dynamic IP address (and maybe other services later on, e.g., DNS or HTTP) For this, I would like to redirect traffic via a host (STATIC) which has a static IP address to/from the host (DYNAMIC) with the dynamic IP address. To route the port incoming

pf route-to reply-to ipv6 link local address does not work

2021-10-05 Thread Pierre-Edouard
Running openbsd 6.9 stable here I am not able to use a pf rule using route-to/reply-to with an ipv6 link-local address. example: pass out inet6 route-to fe80::abcd%em0 The syntax is valid and therefore is accepted but the "%em0" is stripped out when config is pushed. T

Re: ipsec with default route and routing of internal networks

2021-10-05 Thread Hrvoje Popovski
On 14.9.2021. 13:12, Hrvoje Popovski wrote: > On 13.9.2021. 15:52, Stuart Henderson wrote: >> On 2021-09-13, Hrvoje Popovski wrote: >>> On 13.9.2021. 14:08, Tom Smyth wrote: Can you do an exception for the ranges ... so internet - private ips you don't want over the tunnel)

Re: ipsec with default route and routing of internal networks

2021-09-14 Thread Hrvoje Popovski
On 13.9.2021. 15:52, Stuart Henderson wrote: > On 2021-09-13, Hrvoje Popovski wrote: >> On 13.9.2021. 14:08, Tom Smyth wrote: >>> Can you do an exception for the ranges ... so internet - private ips >>> you don't want over the tunnel) >>> >>> ike esp from 10.90.0.0/24 to

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Stuart Henderson
On 2021-09-13, Hrvoje Popovski wrote: > On 13.9.2021. 14:08, Tom Smyth wrote: >> Can you do an exception for the ranges ... so internet - private ips >> you don't want over the tunnel) >> >> ike esp from 10.90.0.0/24 to any encrypt >> and >> >> 10.90.0.0/24

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
On 13.9.2021. 14:08, Tom Smyth wrote: > Can you do an exception for the ranges ... so internet - private ips > you don't want over the tunnel) > > ike esp from 10.90.0.0/24 to any encrypt > and > > 10.90.0.0/24 to NOT [networks you don't want >

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
Can you do an exception for the ranges ... so internet - private ips you don't want over the tunnel) ike esp from 10.90.0.0/24 to any encrypt and 10.90.0.0/24 to NOT [networks you don't want over the tunnel) ? On Mon, 13 Sept 2021 at 13:02, Hrvoje Popovski wrote: > Hi, > > On 13.9.2021.

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
Hi, On 13.9.2021. 12:58, Tom Smyth wrote: > Hi Hrvoje, > > is 10.90.0.0/24 local to your firewall, and if I > understand your rule, > ike esp from 10.90.0.0/24 to any you are saying > encrypt all traffic coming from 10.90.0.0/24

Re: ipsec with default route and routing of internal networks

2021-09-13 Thread Tom Smyth
Hi Hrvoje, is 10.90.0.0/24 local to your firewall, and if I understand your rule, ike esp from 10.90.0.0/24 to any you are saying encrypt all traffic coming from 10.90.0.0/24 should the tunnel be more specific ? like from 10.90.0.0/24 to another network across the tunnel ike esp from

ipsec with default route and routing of internal networks

2021-09-13 Thread Hrvoje Popovski
Hi all, I have a firewall that routes a few internal networks, 10.90/24, 10.91/24, 10.92/24. And I have some static routes to other firewalls, but I don't think that is relevant to this problem. For network 10.90/24 I have an ipsec tunnel, and I need to push any traffic from that network to the

Re: npppd - changing clients' route table

2021-09-13 Thread Stuart Henderson
On 2021-09-12, Radek wrote: > Sorry for the late reply, adding ":framed-ip-netmask=255.255.255.0:" doesn't > solve the problem. Tested on Win10. framed-ip-netmask controls addition of the route on the npppd machine, not the client. You only use it if you have multiple addresse

Re: npppd - changing clients' route table

2021-09-12 Thread Radek
> >> How about if you configure the npppd-users > >> > >> rdk: > >> :password=pasword:\ > >> :framed-ip-address=10.109.4.254:\ > >> :framed-ip-netmask=255.255.255.0: > >> > >> The server (npppd) will configure a route

Re: route -iface doesn't work

2021-03-08 Thread Paul de Weerd
Florian helped me off-list: # route add 10.1.1.13 -iface -cloning 10.2.2.13 does the trick (if you do the same on the other end, of course). I'm not really sure how this works, or what RTF_CLONING means other than this comment from the manpage: -cloning RTF_CLONING generates

route -iface doesn't work

2021-03-08 Thread Paul de Weerd
Hi all, I'm probably missing something rather obvious, but I can't get route -iface to work. According to the manpage: If the destination is directly reachable via an interface requiring no intermediary system to act as a gateway, the -iface modifier should

Re: npppd - changing clients' route table

2021-02-21 Thread YASUOKA Masahiko
4" should have been "10.109.4.254". >> How about if you configure the npppd-users >> >> rdk: >> :password=pasword:\ >> :framed-ip-address=10.109.4.254:\ >> :framed-ip-netmask=255.255.255.0: >> >> The server (npppd) will conf

Fw: Re: npppd - changing clients' route table

2021-02-21 Thread Radek
ord:\ > :framed-ip-address=10.109.4.254:\ > :framed-ip-netmask=255.255.255.0: > > The server (npppd) will configure a route for 10.109.4.0/24 to the PPP > session authenticated by the above "rdk". I have tried to configure npppd-users with netmask /24, but it doesn't ma

Re: npppd - changing clients' route table

2021-02-21 Thread YASUOKA Masahiko
10.109.4.254 > > client> route print > Network Destination Netmask Gateway Interface Metric > 0.0.0.0 0.0.0.0 192.168.1.1192.168.1.101 > 20 > 10.0.0.0 255.0.0.0 10.109.4.254 10.109.4.1 >

npppd - changing clients' route table

2021-02-20 Thread Radek
Hi, I have a router with a VPN server (npppd). The LAN net is 10.109.3.0/24, gw 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254. If the client is connected to the VPN, all the client's traffic to 10.0.0.0/8 goes via 10.109.4.254 client> route print Network Destination Netmask Gate

PF route-to and divert-packet

2021-01-01 Thread Valdrin MUJA
Hi Misc, I'm trying to use policy based routing (route-to) with the divert-packet feature. I'm just using the example code written in divert's man page. (man divert) I've two WAN interfaces which are pppoe0(default gw) and pppoe. The pf rules below work: # pass in log quick on vether10 inet proto udp
