Date: Fri, 31 Mar 2017 09:36:11 +0700
From: Victor Sudakov
To: Michael Sierchio
Cc: Andrea Venturoli, freebsd-net@freebsd.org
Subject: Re: OpenVPN and policy routing
Organization: AO "Svyaztransneft", SibPTUS
List-Id: Networking and TCP/IP with FreeBSD

Michael Sierchio wrote:

> I use different FIBs in the ipfw ruleset to accomplish policy based
> routing, including via a tun interface.

I've just found out that even when tun0 is in fib 0, you can use it as
a gateway from a different fib, and it works:

root@km:~ # netstat -rn -4 -F1
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.154.5      UGS        tun0
95.170.158.128/27  link#2             U           rl1
127.0.0.1          link#4             UH          lo0
192.168.11.0/24    link#3             U          ste0
192.168.14.0/24    link#1             U           rl0
192.168.154.5      link#5             UH         tun0
root@km:~ #
root@km:~ # ifconfig tun0
tun0: flags=8051 metric 0 mtu 1500
        options=80000
        inet6 fe80::2e0:4cff:feb0:6dd4%tun0 prefixlen 64 scopeid 0x5
        inet 192.168.154.6 --> 192.168.154.5 netmask 0xffffffff
        nd6 options=21
        Opened by PID 717
root@km:~ #

I.e. all directly connected networks are available from all fibs, not
just the default one. It probably depends on the net.add_addr_allfibs
sysctl setting.

So, my task would be best solved by "ifconfig fxp2 fib 1".

Thanks to all who replied.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
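
Added example, not part of the original message: a shell check that lists the routes in one FIB's table whose outgoing interface is not on an operator-supplied list, run here over the fib 1 table quoted above as constructed sample input. The function name foreign_routes and the allowed-interface list "tun0 lo0" are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample: the fib 1 routing table quoted in the message above.
SAMPLE_FIB1='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.154.5      UGS        tun0
95.170.158.128/27  link#2             U           rl1
127.0.0.1          link#4             UH          lo0
192.168.11.0/24    link#3             U          ste0
192.168.14.0/24    link#1             U           rl0
192.168.154.5      link#5             UH         tun0'

# foreign_routes "if1 if2 ..." < netstat-output   (hypothetical helper)
# Prints "destination netif" for every route whose outgoing interface is
# not in the list of interfaces the operator intends this FIB to use.
foreign_routes() {
    awk -v allowed="$1" '
        BEGIN {
            # Build a lookup set from the space-separated interface list.
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Route rows have at least four columns (Destination, Gateway,
        # Flags, Netif); skip the "Routing tables" and column header lines.
        NF >= 4 && $1 != "Destination" && $1 != "Routing" {
            if (!($4 in ok)) print $1, $4
        }'
}

# On a live FreeBSD host the input would come from:
#   netstat -rn -4 -F 1 | foreign_routes "tun0 lo0"
printf '%s\n' "$SAMPLE_FIB1" | foreign_routes "tun0 lo0"
```

Any line it prints is a connected network reachable from that FIB through an interface that was not meant to serve it, which is the behaviour the message attributes to net.add_addr_allfibs.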