Hi all,

I'm greatly enjoying OpenBSD and have it on most of my devices as I try to set 
up my "perfect lab". I would like some feedback / thoughts about one behaviour 
which I don't quite get. 

I have a VM for the world-facing side of my network. I have a WireGuard network 
to link it up to a home router and other devices. My WireGuard traffic is 
coming onto my VM through wg0. 

On my home router, I'm redirecting all wifi traffic to wg0 using the routing 
tables like so:
Destination        Gateway           Iface
default            192.168.0.1       wg0
IP_VM              IP_Gateway        bse0
192.168.0.1        wg0               wg0

And NATing outbound traffic on wg0 like so:
pass out on wg0 from $int_if:network nat-to wg0

I wanted to try out using route-to on my VM instead of using a different 
rdomain, or just to try something else. I have another WireGuard tunnel, wg1, 
to relay my internal traffic further. 

I did not touch the routing tables at all and have something like:
pass in on wg0 inet from wg0:network to !wg0:network route-to wg1
pass out on wg1 nat-to wg1

Works like a charm. Now, what I don't get is this: for troubleshooting purposes, 
I needed to send some traffic to the world on my VM (instead of onward through 
wg1), and I initially tried:
pass in log on wg0 inet from wg0:network to !wg0:network route-to vio0
pass out log on vio0 nat-to vio0

Routing tables:
Destination        Gateway           Iface
default            IP_Gateway        vio0
IP_Gateway         MAC_Gateway       vio0

But this does not work. Removing "route-to vio0" does work, e.g.:
pass in log on wg0 inet from wg0:network to !wg0:network #route-to vio0
pass out log on vio0 nat-to vio0

I'm guessing that this may be because it's routed "twice"? E.g. routed-to once, 
and a second time with the default route of the routing table? So I understand 
why route-to is not necessary in this case, but I would think route-to should 
still work, and that means I don't get how it's working. I've tried using 
pflog0 to check the above rules but cannot see any difference: in both cases, 
it's passing in on wg0 and out through vio0, and the src IP is rewritten to the 
VM's public IP.

I'm thinking of more complex rules to split traffic from wg0 between wg1 and 
vio0 based on ports, and using route-to vio0 seemed the easiest way to do so.

Thanks in advance,

Thomas
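Added example, not part of the original post: a pf.conf fragment for the 
port-based split Thomas describes. The likely reason "route-to vio0" fails 
while "route-to wg1" works is that route-to was given only an interface. On a 
point-to-point tunnel such as wg1 that is enough, because nothing has to be 
resolved at the link layer. vio0 is an Ethernet interface, and with no next hop 
named pf hands the packet to vio0 with the remote destination as the 
link-layer target, so ARP for an Internet address is attempted on the local 
segment and the packet never leaves. Naming the gateway's address as the next 
hop fixes that. The syntax below is the OpenBSD 6.9 and later form 
nexthop@interface; on earlier releases the equivalent is 
route-to (vio0 192.0.2.1). The address 192.0.2.1 (standing in for IP_Gateway) 
and the port list are assumptions, not from the post.

```pf
# Added example (not from the original post): split traffic arriving on wg0
# between the onward tunnel wg1 and the VM's own uplink vio0 by destination
# port. Assumptions: 192.0.2.1 stands for IP_Gateway, the next-hop router on
# vio0; the port list is illustrative.

ext_if = "vio0"
ext_gw = "192.0.2.1"
relay_if = "wg1"
direct_ports = "{ 80 443 }"

# Default for tunnel clients: relay onward through wg1. wg1 is a
# point-to-point tunnel, so naming the interface alone is sufficient.
pass in on wg0 inet from wg0:network to !wg0:network route-to $relay_if

# Exception: selected TCP ports leave directly via the VM's uplink. vio0 is
# an Ethernet interface, so pf needs a next-hop address it can resolve with
# ARP; "route-to vio0" alone would try to resolve the remote destination on
# the local segment. pf uses the last matching rule, so this rule comes last.
pass in log on wg0 inet proto tcp from wg0:network to !wg0:network \
    port $direct_ports route-to $ext_gw@$ext_if

# NAT each exit to the address of the interface it leaves on.
pass out on $ext_if from wg0:network nat-to ($ext_if)
pass out on $relay_if from wg0:network nat-to ($relay_if)
```

Check the file with pfctl -nf /etc/pf.conf before loading it. When debugging 
a route-to rule, watch the egress interface with tcpdump -ni vio0 rather than 
pflog0: pflog records the match when the rule is evaluated, which happens 
before pf tries to forward the packet, so a rule whose route-to later fails 
logs exactly like one that works, which matches the identical pflog output 
seen above.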
