From: kaycee gb <kisscoolandthegangbang@hotmail.fr>
To: freebsd-pf@freebsd.org
Subject: Communication between routing domains and nat
Date: Thu, 5 Mar 2020 00:13:52 +0000
List-Id: Technical discussion and general questions about packet filter (pf)
X-Mailer: Claws Mail 3.9.2 (GTK+ 2.24.20; x86_64-unknown-linux-gnu)

Hello,

I am experimenting with routing domains/fibs and I'm blocked by this situation.

The topology

 ____________________
| Fbsd box / fib0    |
|  _10.91.0 __       |---ext link----------
| | j1 / fib1  |     |                    |
| |net 10.91.1 |     |                    |
| |__bridge1___|     |                    |
|  ____________      |               _____|_____
| | j2 / fib2  |     |              | tunnel    |
| | net 10.91.2|     |              |192.168.1  |
| |__bridge2___|     |--------------| service1  |
|____________________|              |___________|

fib0 has a default route to reach the world and a route to join service1 via the tunnel.
fib2 has restricted routing information and a default route via bridge2 (renamed to jsw2).

# netstat -rn4 -F 0
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            EXTGW              UGS      vtnet0
10.0.0.0/8         127.0.0.1          UR1         lo0
10.91.0.254        link#3             UHS         lo0
10.91.0.254/32     link#3             U          jsw0
10.91.100.0/24     tun0               US         tun0
10.91.100.1        link#10            UHS         lo0
10.91.110.0/24     tun1               US         tun1
10.91.110.1        link#11            UHS         lo0
10.255.1.1         link#6             UHS         lo0
10.255.1.2         link#6             UH         gre0
10.255.11.1        link#7             UHS         lo0
10.255.11.2        link#7             UH         gre1
10.255.255.1       link#8             UHS         lo0
10.255.255.2       link#8             UH         gre2
127.0.0.1          link#2             UH          lo0
169.254.0.0/16     127.0.0.1          UR1         lo0
172.16.0.0/12      127.0.0.1          UR1         lo0
EXTERNALNET/22     link#1             U        vtnet0
EXTERNALIP         link#1             UHS         lo0
192.168.0.0/16     127.0.0.1          UR1         lo0
192.168.1.0/24     10.255.1.2         UG1        gre0

# netstat -rn4 -F 2
Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.91.2.254        UGS        jsw2
10.91.0.254/32     lo0                US          lo0
10.91.2.1          link#5             UHS         lo0
10.91.2.1/32       link#5             U          jsw2
10.91.2.2          link#5             UHS         lo0
10.91.2.2/32       link#5             U          jsw2
10.91.2.3          link#5             UHS         lo0
10.91.2.3/32       link#5             U          jsw2
10.91.2.5          link#5             UHS         lo0
10.91.2.5/32       link#5             U          jsw2
10.91.2.254        link#5             UHS         lo0
10.91.2.254/32     link#5             U          jsw2
127.0.0.1          lo0                UHS         lo0

With the help of pf I am able to reach service1 (which is in fib0) from j2 (which is in fib2) via the tunnel.

pass out log quick on jsw2 proto udp from $j2 to $rsnns port 53 rtable 0

So it seems routing between domains works.

I am trying to reach the same service via the external net. The rule is based on the above one.

pass out log quick on jsw2 proto udp from $j2 to $rsnextns port 53 rtable 0

But that is not working. The connection hangs for a moment and times out.

If I add EXTERNALNET and change the default gateway via EXTERNALGW in fib2, I can reach service1 via the external link without changing anything in pf.

I do not really understand why this is blocking. I have been looking for some time and can't find an explanation for that.
Should I expect routing problems when NAT is involved with fibs? I don't know. After adding the EXTERNALs to fib2 that is working, and that uses NAT too.

I am for sure missing something. Anyone running something similar successfully?

Oh, I forgot that: the host is running FreeBSD 11.3 amd64.

P.S. I hope my beautiful ascii art will stay intact :x

Kaycee,
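Added example (not from the post above and not FreeBSD or pf code): a small Python parser for the `netstat -rn4 -F N` tables quoted in the message, plus a longest-prefix-match lookup, so that the route each fib would choose for a given destination can be compared side by side. The embedded tables are a constructed, trimmed copy of the two tables above; the poster's EXTGW, EXTERNALNET and EXTERNALIP placeholders are replaced with RFC 5737 documentation addresses (198.51.100.0/22, 198.51.100.1, 198.51.100.10), which are assumptions for this example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: trimmed copies of the two "netstat -rn4 -F N"
# tables quoted in the post. EXTGW / EXTERNALNET / EXTERNALIP (the poster's
# placeholders) are replaced here by RFC 5737 documentation addresses.
NETSTAT_FIB0 = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS      vtnet0
10.0.0.0/8         127.0.0.1          UR1         lo0
10.91.0.254        link#3             UHS         lo0
10.91.0.254/32     link#3             U          jsw0
10.91.100.0/24     tun0               US         tun0
10.255.1.1         link#6             UHS         lo0
10.255.1.2         link#6             UH         gre0
127.0.0.1          link#2             UH          lo0
198.51.100.0/22    link#1             U        vtnet0
198.51.100.10      link#1             UHS         lo0
192.168.0.0/16     127.0.0.1          UR1         lo0
192.168.1.0/24     10.255.1.2         UG1        gre0
"""

NETSTAT_FIB2 = """\
Routing tables (fib: 2)

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.91.2.254        UGS        jsw2
10.91.0.254/32     lo0                US          lo0
10.91.2.5          link#5             UHS         lo0
10.91.2.5/32       link#5             U          jsw2
10.91.2.254        link#5             UHS         lo0
10.91.2.254/32     link#5             U          jsw2
127.0.0.1          lo0                UHS         lo0
"""


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str

    @property
    def reject(self) -> bool:
        # netstat(1) prints flag R for a reject route: matching packets are dropped
        return "R" in self.flags


def parse_netstat(text: str) -> List[Route]:
    """Parse the IPv4 section of `netstat -rn4` output into Route objects."""
    routes: List[Route] = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Destination":      # column header starts the table
            in_table = True
            continue
        if not in_table or len(fields) < 4:
            continue
        dest, gateway, flags, netif = fields[:4]
        if dest == "default":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif "/" in dest:
            net = ipaddress.IPv4Network(dest, strict=False)
        else:
            net = ipaddress.IPv4Network(dest + "/32")  # bare address = host route
        routes.append(Route(net, gateway, flags, netif))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the same selection the kernel makes per fib."""
    ip = ipaddress.IPv4Address(addr)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def compare(fibs: Dict[int, List[Route]], addr: str) -> Dict[int, Optional[Route]]:
    """Resolve one destination in every fib so the answers can be compared."""
    return {fib: lookup(routes, addr) for fib, routes in fibs.items()}


FIBS = {0: parse_netstat(NETSTAT_FIB0), 2: parse_netstat(NETSTAT_FIB2)}

if __name__ == "__main__":
    # 192.168.1.5 stands in for service1, 198.51.100.77 for an external host,
    # 10.91.2.5 for the j2 jail address (constructed values).
    for addr in ("192.168.1.5", "198.51.100.77", "10.91.2.5"):
        for fib, r in compare(FIBS, addr).items():
            tag = " (reject)" if r and r.reject else ""
            print(f"fib {fib}: {addr} -> {r.dest} via {r.gateway} on {r.netif}{tag}")
```

Running it shows what "restricted routing information" means in practice: 192.168.1.5 resolves to the gre0 tunnel in fib 0 but to the jail-side default gateway 10.91.2.254 on jsw2 in fib 2, and an external address resolves to vtnet0 in fib 0 but again to the jsw2 default in fib 2. It also makes visible that, in the quoted fib 0 table, the only entry covering the 10.91.2.0/24 jail network is the 10.0.0.0/8 reject route (flag R), which is worth checking whenever a reply has to be routed back in fib 0.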