On 4/3/23 11:25, Claudio Jeker wrote:
On Mon, Apr 03, 2023 at 10:53:26AM +0100, Kaya Saman wrote:
Hey guys,

...

Taking an excerpt from the website I was following:

https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/

Citing:

Creating a loopback interface in rdomain 2 so that Host 1 can talk to Host 2
would look like:

ifconfig lo2 rdomain 2 127.0.0.1
route -T 2 add 192.168.1/24 127.0.0.1
Since lo2 is created inside rdomain 2, the IP address assigned to it doesn't
conflict with lo0 in rdomain 0.


Sure I can see traffic inside one of the loopbacks and tcpdump does claim
"pass out" but then nothing else happens. The other loopback interfaces have
no traffic in them and the destination network has no traffic either.
This is very much expected since you probably did not carefully read the
cited website.

You need a special pf.conf setup to make that work. One caveat
mentioned in the article is that the default pf.conf ruleset skips lo(4)
interfaces, so the traffic will just be dropped (since there is no
state lookup and so no way to bounce the reverse traffic back into the
other rdomain).

In general I would suggest using pair(4) to route traffic between rdomains.
Doing it in pf(4) gives you more control, but it requires careful handling
of the rulesets (as you noticed).


Hi Claudio,


thanks for the response and advice on pair(4), I will definitely read it.


Maybe you are correct in that I didn't carefully read, or perhaps I confused things badly... I have a mixture of ASD and most likely ADHD, and when the panic kicks in things become difficult, including communication and understanding.


I wish I had a spare system to test things properly and understand better; unfortunately I am having to adapt a live production system, and with a large number of lines in the PF rule set that is not easy.


The caveat you mention about skipping lo(4) I disabled (I think?) by changing the 'set skip' to this:

#set skip on { lo, enc0 }
set skip on { enc0 }


so the loopback should be active in PF, further down in my config I have a clause like this too:


#Allow Internal Communications


pass in on lo0
pass out on lo0

pass in on lo2
pass out on lo2

pass in on lo3
pass out on lo3


Maybe due to my existing PF things might not work properly in any case; I just wish I knew more about what I was doing to really have a handle on the situation.


I'm still eager to contribute with a write-up if you are interested, but due to my "circumstances" I may be the only one with these issues... :-( so writing things up in my case may be useless and will probably not be understood by anyone in general.


With PF the biggest handling issue is when mixing and matching using the 'quick' keyword as things get handled differently. Both the websites I cited do *not* contain the 'quick' keyword at all. My local pf ruleset contains many "pass in quick" or "block in quick" statements.


I would definitely be extremely happy to hear any more suggestions if there are any, but for now I will look at studying pair(4).


Thank you so much for chiming in! I really appreciate it :-D


Best regards,


Kaya
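The thread above names the three things that have to line up for the loopback-based rdomain trick to work: lo must not be in `set skip`, a pf rule must create state and switch the packet into the other routing table, and with a ruleset full of `quick` rules those loopback rules must be matched before a `block in quick` swallows the traffic. The fragment below is an added illustration of that combination, not a ruleset from the thread or from the cited article. The interface names lo2/lo0, the rdomain numbers 0 and 2, and the networks 10.2.0.0/24 (a constructed source network for rdomain 2) and 192.168.1.0/24 (the destination from the quoted excerpt) are assumptions; the `rtable` option on `pass` rules is the standard pf.conf(5) way to select an alternate routing table for matched packets.

```pf
# Added example pf.conf fragment (hypothetical; interface names, rdomains
# and networks are assumptions, not taken from the thread).

# 1. Loopback must be visible to pf, otherwise nothing below is evaluated
#    for lo traffic and no state exists to carry replies back.
#set skip on { lo, enc0 }      # default-style line: lo traffic never reaches the rules
set skip on { enc0 }           # corrected: only enc0 is skipped

# 2. Rules for the rdomain hop. Placed ABOVE any "block in quick" so that
#    first-match semantics cannot stop the packet before it gets here.
#    Traffic in rdomain 2 to 192.168.1.0/24 was pointed at lo2 with
#    "route -T 2 add 192.168.1/24 127.0.0.1" (from the cited excerpt).
#    "rtable 0" hands the matched packet to rdomain 0 for its routing
#    decision; the state pf creates here is what the reply matches later.
pass in quick on lo2 inet from 10.2.0.0/24 to 192.168.1.0/24 rtable 0

# 3. Let the packet leave rdomain 0 towards its real egress and allow the
#    answer back in. Because state was created in step 2, the reply is
#    matched by that state and returned into rdomain 2 on lo2.
pass out quick on lo0 inet from 10.2.0.0/24 to 192.168.1.0/24

# Everything else on loopback stays permitted as in the original ruleset.
pass in on lo0
pass out on lo0
pass in on lo2
pass out on lo2

# 4. Later in the file the usual first-match blocks may follow; with the
#    rules above carrying "quick" they no longer affect the rdomain hop.
block in quick on lo2
block in quick on lo0
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating, then watch both loopbacks with `tcpdump -ni lo2` and `tcpdump -ni lo0` while generating a single test flow: the packet should appear on lo2, then on lo0, and `pfctl -ss` should show one state whose reply direction points back to lo2. If the state never appears, the rule was matched after an earlier `quick` block or lo is still listed in `set skip`, which are exactly the two failure modes discussed in the thread.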

