Date: Thu, 5 Mar 2020 00:13:52 +0000 From: kaycee gb <kisscoolandthegangbang@hotmail.fr> To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org> Subject: Communication between routing domains and nat Message-ID: <VE1PR03MB562931A6CA1034C2C604288FA0E20@VE1PR03MB5629.eurprd03.prod.outlook.com>
Hello,

I am experimenting with routing domains/fibs and I'm blocked by this situation.

The topology

 ____________________
|  Fbsd box / fib0   |
|  _10.91.0 __       |---ext link----------
| | j1 / fib1  |     |                    |
| |net 10.91.1 |     |                    |
| |__bridge1___|     |                    |
|  ____________      |               _____|_____
| | j2 / fib2  |     |              |  tunnel   |
| | net 10.91.2|     |              | 192.168.1 |
| |__bridge2___|     |---------------| service1 |
|____________________|              |___________|

fib0 has a default route to reach the world and a route to join service1 via the tunnel. fib2 has restricted routing information and a default route via bridge2 (renamed to jsw2).

# netstat -rn4 -F 0
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            EXTGW              UGS      vtnet0
10.0.0.0/8         127.0.0.1          UR1         lo0
10.91.0.254        link#3             UHS         lo0
10.91.0.254/32     link#3             U          jsw0
10.91.100.0/24     tun0               US         tun0
10.91.100.1        link#10            UHS         lo0
10.91.110.0/24     tun1               US         tun1
10.91.110.1        link#11            UHS         lo0
10.255.1.1         link#6             UHS         lo0
10.255.1.2         link#6             UH         gre0
10.255.11.1        link#7             UHS         lo0
10.255.11.2        link#7             UH         gre1
10.255.255.1       link#8             UHS         lo0
10.255.255.2       link#8             UH         gre2
127.0.0.1          link#2             UH          lo0
169.254.0.0/16     127.0.0.1          UR1         lo0
172.16.0.0/12      127.0.0.1          UR1         lo0
EXTERNALNET/22     link#1             U        vtnet0
EXTERNALIP         link#1             UHS         lo0
192.168.0.0/16     127.0.0.1          UR1         lo0
192.168.1.0/24     10.255.1.2         UG1        gre0

# netstat -rn4 -F 2
Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.91.2.254        UGS        jsw2
10.91.0.254/32     lo0                US          lo0
10.91.2.1          link#5             UHS         lo0
10.91.2.1/32       link#5             U          jsw2
10.91.2.2          link#5             UHS         lo0
10.91.2.2/32       link#5             U          jsw2
10.91.2.3          link#5             UHS         lo0
10.91.2.3/32       link#5             U          jsw2
10.91.2.5          link#5             UHS         lo0
10.91.2.5/32       link#5             U          jsw2
10.91.2.254        link#5             UHS         lo0
10.91.2.254/32     link#5             U          jsw2
127.0.0.1          lo0                UHS         lo0

With the help of pf I am able to reach service1 (which is in fib0) from j2 (which is in fib2) via the tunnel.

pass out log quick on jsw2 proto udp from $j2 to $rsnns port 53 rtable 0

So it seems routing between domains works.

I am trying to reach the same service via the external net. The rule is based on the above one.

pass out log quick on jsw2 proto udp from $j2 to $rsnextns port 53 rtable 0

But that is not working. The connection hangs for a moment and times out.

If I add EXTERNALNET and change the default gateway to EXTERNALGW in fib2, I can reach service1 via the external link without changing anything in pf.

I do not really understand why this is blocking. I have been looking for some time and can't find an explanation for that. Should I expect routing problems when NAT is involved with fibs? I don't know. After adding the EXTERNALs to fib2 it is working, and that uses NAT too.

I am for sure missing something. Anyone running something similar successfully?

Oh, because I forgot that, the host is running FreeBSD 11.3 amd64.

P.S. I hope my beautiful ascii art will stay intact :x

Kaycee,
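A small added example (not part of the original post) that parses `netstat -rn4 -F <fib>` output and does a longest-prefix lookup, so the route a destination takes in fib 0 can be compared with the one it takes in fib 2; the two tables are constructed, abbreviated copies of those quoted above, and the destination addresses in the test are constructed stand-ins, since the post redacts its external addresses.

```python
import ipaddress

# Constructed, abbreviated copies of the two tables quoted in the post.
# EXTGW is the post's redacted gateway name, kept as an opaque string.
NETSTAT_FIB0 = """\
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default            EXTGW              UGS      vtnet0
10.91.100.0/24     tun0               US         tun0
192.168.1.0/24     10.255.1.2         UG1        gre0
"""
NETSTAT_FIB2 = """\
Routing tables (fib: 2)
Internet:
Destination        Gateway            Flags     Netif Expire
default            10.91.2.254        UGS        jsw2
10.91.0.254/32     lo0                US          lo0
10.91.2.1          link#5             UHS         lo0
10.91.2.254/32     link#5             U          jsw2
"""

def parse_routes(text):
    """Return [(network, gateway, flags, netif)] from netstat -rn4 output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gw, flags, netif = parts[:4]
        try:
            # bare host entries such as 10.91.2.1 become /32 networks
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        except ValueError:
            continue  # header lines ("Destination ... Expire", "Routing tables ...")
        routes.append((net, gw, flags, netif))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, gateway, flags, netif) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, netif)
    return None if best is None else (str(best[0]), best[1], best[2], best[3])

def compare(dst):
    """Which route fib 0 and fib 2 would each pick for dst."""
    return {0: lookup(parse_routes(NETSTAT_FIB0), dst),
            2: lookup(parse_routes(NETSTAT_FIB2), dst)}
```

Run against the full tables from `netstat -rn4 -F 0` and `-F 2`, this shows that fib 2 only ever reaches service1's network through its default on jsw2, which is why the `rtable 0` keyword on the pf rule is what moves the lookup into fib 0.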