From owner-freebsd-pf@freebsd.org Wed Mar 4 10:03:12 2020
From: "Kristof Provost"
To: "Sean Yeh"
Cc: freebsd-pf@freebsd.org
Subject: Re: ALTQ feature of PF in FreeBSD
Date: Wed, 04 Mar 2020 11:03:09 +0100
Message-ID: <82251045-98CE-4B08-8716-BD958714017C@FreeBSD.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 29 Feb 2020, at 0:35, Sean Yeh wrote:
> Hi FreeBSD-pf members,
>
> I hope you guys are enjoying your weekend!
>
> I was wondering if any of you happened to know if the code for the ALTQ
> feature of pf could be separated and used for NetBSD's pf function. I'm
> currently investigating methods to improve NetBSD's ALTQ feature, which
> hasn't been updated in 15+ years:
> https://wiki.netbsd.org/projects/project/altq/
>
> According to the man pages of FreeBSD's pf function, FreeBSD uses a
> modified pf of OpenBSD 4.5 pf function. Are there any complications that
> you foresee trying to port FreeBSD's current ALTQ code into NetBSD?
>
> Thank you for all your help,
>
It might be more interesting to look at dummynet.
Last year there was a GSoC proposal (in FreeBSD) to port dummynet to pf. Sadly the project wasn't selected, but I believe the student did spend some time on investigating it.

I'll ask them to get in touch with you.
Best regards,
Kristof

From owner-freebsd-pf@freebsd.org Wed Mar 4 12:20:17 2020
From: Goran Mekić
To: Kristof Provost
Cc: Sean Yeh, freebsd-pf@freebsd.org
Subject: Re: ALTQ feature of PF in FreeBSD
Date: Wed, 4 Mar 2020 13:20:06 +0100
Message-ID: <20200304122006.m464vyg3izrrrzkh@hal9000.home.meka.rs>
In-Reply-To: <82251045-98CE-4B08-8716-BD958714017C@FreeBSD.org>

On Wed, Mar 04, 2020 at 11:03:09AM +0100, Kristof Provost wrote:
> It might be more interesting to look at dummynet.
> Last year there was a GSoC proposal (in FreeBSD) to port dummynet to pf.
> Sadly the project wasn't selected, but I believe the student did spend some
> time on investigating it.
>
> I'll ask them to get in touch with you.
>
> Best regards,
> Kristof

The "student" is me (well, one of my juniors, to be exact, but I was co-mentoring). I started looking into dummynet+pf again a few days ago, so I don't have anything new, but if you do choose to use dummynet, please ping me.
Regards,
meka

From owner-freebsd-pf@freebsd.org Thu Mar 5 00:13:57 2020
From: kaycee gb
To: "freebsd-pf@freebsd.org"
Subject: Communication between routing domains and nat
Date: Thu, 5 Mar 2020 00:13:52 +0000

Hello,

I am experimenting with routing domains/fibs and I'm blocked by this situation.

The topology:

 ____________________
| Fbsd box / fib0    |
|  _10.91.0 __       |---ext link----------
| | j1 / fib1  |     |
| |            |     |
| |net 10.91.1 |     |
| |            |     |
| |__bridge1___|     |
| |                  |
|  ____________      |               _____|_____
| | j2 / fib2  |     |              |  tunnel   |
| | net 10.91.2|     |              |192.168.1  |
| |__bridge2___|     |--------------| service1  |
|____________________|              |___________|

fib0 has a default route to reach the world and a route to join service1 via the tunnel.
fib2 has restricted routing information and a default route via bridge2 (renamed to jsw2).

# netstat -rn4 -F 0
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            EXTGW              UGS      vtnet0
10.0.0.0/8         127.0.0.1          UR1         lo0
10.91.0.254        link#3             UHS         lo0
10.91.0.254/32     link#3             U          jsw0
10.91.100.0/24     tun0               US         tun0
10.91.100.1        link#10            UHS         lo0
10.91.110.0/24     tun1               US         tun1
10.91.110.1        link#11            UHS         lo0
10.255.1.1         link#6             UHS         lo0
10.255.1.2         link#6             UH         gre0
10.255.11.1        link#7             UHS         lo0
10.255.11.2        link#7             UH         gre1
10.255.255.1       link#8             UHS         lo0
10.255.255.2       link#8             UH         gre2
127.0.0.1          link#2             UH          lo0
169.254.0.0/16     127.0.0.1          UR1         lo0
172.16.0.0/12      127.0.0.1          UR1         lo0
EXTERNALNET/22     link#1             U        vtnet0
EXTERNALIP         link#1             UHS         lo0
192.168.0.0/16     127.0.0.1          UR1         lo0
192.168.1.0/24     10.255.1.2         UG1        gre0

# netstat -rn4 -F 2
Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.91.2.254        UGS        jsw2
10.91.0.254/32     lo0                US          lo0
10.91.2.1          link#5             UHS         lo0
10.91.2.1/32       link#5             U          jsw2
10.91.2.2          link#5             UHS         lo0
10.91.2.2/32       link#5             U          jsw2
10.91.2.3          link#5             UHS         lo0
10.91.2.3/32       link#5             U          jsw2
10.91.2.5          link#5             UHS         lo0
10.91.2.5/32       link#5             U          jsw2
10.91.2.254        link#5             UHS         lo0
10.91.2.254/32     link#5             U          jsw2
127.0.0.1          lo0                UHS         lo0

With the help of pf I am able to reach service1 (which is in fib0) from j2 (which is in fib2) via the tunnel.

pass out log quick on jsw2 proto udp from $j2 to $rsnns port 53 rtable 0

So it seems routing between domains works.

I am trying to reach the same service via the external net. The rule is based on the above one.

pass out log quick on jsw2 proto udp from $j2 to $rsnextns port 53 rtable 0

But that is not working. The connection hangs for a moment and times out.

If I add EXTERNALNET and change the default gateway via EXTERNALGW in fib2, I can reach service1 via the external link without changing anything in pf.

I do not really understand why this is blocking. I have been looking for some time and can't find an explanation for that.
Should I expect routing problems when NAT is involved with fibs? I don't know. After adding the EXTERNALs to fib2 it is working, and that uses NAT too.

I am for sure missing something. Anyone running something similar successfully?

Oh, because I forgot that: the host is running FreeBSD 11.3 amd64.

P.S. I hope my beautiful ascii art will stay intact :x

Kaycee,

From owner-freebsd-pf@freebsd.org Thu Mar 5 09:50:28 2020
From: kaycee gb
To: "freebsd-pf@freebsd.org"
Subject: Re: Communication between routing domains and nat
Date: Thu, 5 Mar 2020 09:50:24 +0000
Here is my pf.conf. I tried to slim it down as much as possible and at the same time preserve the important information, in my opinion. I can reproduce what I said before with those lines.

table { $private_nets }
table { $bcast_nets, $ext_if:broadcast }
table persist
table persist

nat on $ext_if inet from $j2 to any port 53 -> ( $ext_if )

pass quick on lo0 from 127.0.0.1 to 127.0.0.1
pass quick on lo0 from $j2 to $j2 rtable 2
block log quick on lo0

block log quick on jsw1

pass out log quick on jsw2 proto udp from $j2 to $service1 port 53 rtable 0
pass out log quick on jsw2 proto udp from $j2 to $service1ext port 53 rtable 0
block log quick on jsw2

pass in quick on tun0 proto udp from $tun0net to $vcns port 53 rtable 0
pass quick on { tun0, tun1 } proto gre
block log quick on tun0
block log quick on tun1

pass in quick on gre0 proto ospf from { $gre0vc, $gre0rsn }
pass in quick on gre1 proto ospf from { $gre1vc, $gre1rsn }
pass out quick on gre0 proto ospf from { $gre0vc, $gre0rsn }
pass out quick on gre1 proto ospf from { $gre1vc, $gre1rsn }
pass in quick on { gre0, gre1 } proto udp from $service1 to $vcns port 53 rtable 0
pass in quick on { gre0, gre1 } proto udp from $rsnnet2 to $vcns port 53 rtable 0
pass in quick on { gre0, gre1 } proto tcp from $service1 to $vcns port 53 rtable 0
pass in quick on { gre0, gre1 } proto tcp from $rsnnet2 to $vcns port 53 rtable 0
pass in quick on { gre0, gre1 } proto tcp from { $rsnnet1, $rsnnet2 } to $vcsrv port 22
pass quick on { gre0, gre1 } proto gre
block log quick on gre0
block log quick on gre1
block log quick on gre2

block in quick on $ext_if from
block in quick on $ext_if from
block in quick on $ext_if to
block in quick on $ext_if proto tcp from to $ext_ip port 22
pass in quick on $ext_if proto tcp from any to $ext_ip port 22
block in log quick on $ext_if to $ext_ip
pass out quick on $ext_if from $ext_ip
block out log quick on $ext_if from ! $ext_ip

block log quick

Maybe someone would see something I can't see myself.

kaycee,