Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-09-20 Thread Stuart Henderson
On 2019-09-20, radek  wrote:
> Hello Patrick,
> I am sorry for the late reply.
>
> I have replaced my ALIX/Soekris production routers with APU1C and with PC box 
> (cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04). 
> Both are running 6.5/amd64 and both are fully syspatched.

Please try a -current snapshot for starters; quite a number of iked bugs
have been fixed since then, including some which would cause connectivity
problems during rekeying. (If you *really* can't update the whole thing,
it should work to build -current iked on a 6.5 system, but no guarantees).




Re: Prometheus node_exporter on OpenBSD - anyone managed ?

2019-09-20 Thread Rachel Roch
Sep 20, 2019, 15:57 by k...@plek.org:

>> On Sep 20, 2019, at 01:38, Rachel Roch
>>
>> Regarding the other gmake suggestion, that possibility occurred to me after 
>> sending yesterday's email, but I guess I would have to edit various source 
>> files to make sure it's calling the right command.  Not rocket science I 
>> guess, but equally could be time consuming to make sure I've caught all the 
>> right spots in the code.
>>
>
> I tested it before sending the suggestion. I just ran gmake and it built fine.
>

I appreciate your beta testing of your suggestion !   ;-)

I shall run off to my nearest OpenBSD console forthwith.

Thank you.



ipsec pf queuing weirdness

2019-09-20 Thread Marko Cupać
Hi,

while trying to implement queuing by service inside ipsec tunnel, by
tagging traffic first (both in ipsec.conf or enc0 in pf.conf) and then
setting queue by tag on outbound physical interface, I noticed that all
traffic ends up in same queue - the first one which starts queuing (not
default one).

Anyone interested looking deeper into it? At this point I'm starting
to suspect it could be a bug, or at least undocumented caveat. I'll
reply with much more information if someone responds :)

Thank you in advance,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: Prometheus node_exporter on OpenBSD - anyone managed ?

2019-09-20 Thread Travis Cole


> On Sep 20, 2019, at 01:38, Rachel Roch
> 
> Regarding the other gmake suggestion, that possibility occurred to me after 
> sending yesterday's email, but I guess I would have to edit various source 
> files to make sure it's calling the right command.  Not rocket science I 
> guess, but equally could be time consuming to make sure I've caught all the 
> right spots in the code.

I tested it before sending the suggestion. I just ran gmake and it built fine.




Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-09-20 Thread radek
Hello Patrick,
I am sorry for the late reply.

I have replaced my ALIX/Soekris production routers with APU1C and with PC box 
(cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04). 
Both are running 6.5/amd64 and both are fully syspatched.

I also added "inet proto { tcp, udp, icmp }" to my match rule on both sides:
match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, 
$backup_local } nat-to $ext_if set prio (3, 7)

It does not make any changes. VPN still needs to be restarted with similar freq.
Date: Thu, 19 Sep 2019 23:15:39 +0200 (CEST)
Date: Fri, 20 Sep 2019 01:49:59 +0200 (CEST)
Date: Fri, 20 Sep 2019 03:37:15 +0200 (CEST)
Date: Fri, 20 Sep 2019 06:12:31 +0200 (CEST)
Date: Fri, 20 Sep 2019 08:46:45 +0200 (CEST)
Date: Fri, 20 Sep 2019 11:25:08 +0200 (CEST)
Date: Fri, 20 Sep 2019 13:59:06 +0200 (CEST)


> In my opinion upstream DNS & UDP issues can cause interrupts with some ISP's.
But at the time of the VPN issue both sides can ping each other on public IPs. Only 
the VPN tunnel does not work as expected, until restart of iked.

> It appears that you have ICMP allow rules which is a good idea in my opinion.
> Have you ever done any logging of these packets. Is there any legitimate 
> requests from your ISP?
No, there are not any ICMP requests from my ISP.
TCPDUMP shows only some pings from the world, mostly from Amazon's IPs.
The following was logged just before VPN traffic stalls:
13:38:09.194783 13.210.171.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:38:09.194845 A.A.A.A > 13.210.171.31: icmp: echo reply [tos 0x40]
13:39:51.130602 18.138.136.9 > A.A.A.A: icmp: echo request (DF)
13:39:51.130665 A.A.A.A > 18.138.136.9: icmp: echo reply
13:42:42.825866 3.105.202.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:42:42.825938 A.A.A.A > 3.105.202.31: icmp: echo reply [tos 0x40]
13:44:17.474364 18.136.167.37 > A.A.A.A: icmp: echo request (DF)
13:44:17.474434 A.A.A.A > 18.136.167.37: icmp: echo reply
13:47:55.225820 13.210.171.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:47:55.225883 A.A.A.A > 13.210.171.31: icmp: echo reply [tos 0x40]
13:49:30.624877 18.138.136.9 > A.A.A.A: icmp: echo request (DF)
13:49:30.624945 A.A.A.A > 18.138.136.9: icmp: echo reply
13:53:45.675943 3.105.202.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:53:45.676008 A.A.A.A > 3.105.202.31: icmp: echo reply [tos 0x40]
13:55:02.593285 18.136.167.37 > A.A.A.A: icmp: echo request (DF)
13:55:02.593347 A.A.A.A > 18.136.167.37: icmp: echo reply
13:55:31.703602 18.228.131.118 > A.A.A.A: icmp: echo request (DF)
13:55:31.703671 A.A.A.A > 18.228.131.118: icmp: echo reply

On the other side of VPN ICMP logs are similar.

> Do you have an alternate DNS server you can test against? Are you using your 
> ISP’s DNS?
On the one side I can use any DNS I want. I was using google's 8.8.8.8 and 
ISP's DNS. If I change to 1.1.1.1 and 1.0.0.1 my problem still occurs.
On the other side the ISP redirects all DNS requests to its own DNS. 

Any idea?

On Sun, 25 Aug 2019 20:28:27 -0500
Patrick Dohman  wrote:

> Radek
> In my opinion upstream DNS & UDP issues can cause interrupts with some ISP's.
> I also believe that defining specific proto's in your nat rule can decrease 
> interrupts. 
> You might consider the following modification to your nat rule to 
> specifically allow UDP & ICMP.
> 
> match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, 
> $backup_local } nat-to $ext_if set prio (3, 7)
> 
> It appears that you have ICMP allow rules which is a good idea in my opinion.
> Have you ever done any logging of these packets. Is there any legitimate 
> requests from your ISP?
> Do you have an alternate DNS server you can test against? Are you using your 
> ISP’s DNS?
> Perhaps the new OpenBSD unwind package is worth investigating ;)
> Regards
> Patrick
> 
> > On Aug 25, 2019, at 1:31 PM, Radek  wrote:
> > 
> > Hello Patrick, 
> > 
> >> In my opinion your net5501’s system calls per interval are relatively high.
> >> The (traps sys) column on my firewall hovers between 40 & 50 quite 
> >> consistently.
> >> My understanding is that system calls are things like program calls & 
> >> library access.
> > Is there any way to decrease these values?
> > 
> >> Many commercial routers run a customized kernel & rely on a stripped down 
> >> user-land.
> >> The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
> >> things like storage or virtualization.
> >> The OpenBSD O.S includes all the user-land tools such as ping & top in 
> >> addition to a standardized precompiled kernel. 
> > Ok, I get it.
> > 
> > 
> > On Fri, 23 Aug 2019 21:12:35 -0500
> > Patrick Dohman  wrote:
> > 
> >> In my opinion your net5501’s system calls per interval are relatively high.
> >> The (traps sys) column on my firewall hovers between 40 & 50 quite 
> >> consistently.
> >> My understanding is that system calls are things like program calls & 
> >> library access.
> >> 
> >> In addition your 
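Stuart's reply at the top of this digest points at rekeying bugs in 6.5's iked. One cheap way to test that hypothesis against the restart times radek lists above is to check whether the stalls are evenly spaced: a timer-driven cause (such as SA rekeying) produces a regular interval, random upstream loss does not. The following is an added example and not code from the thread or from OpenIKED; the Date lines are copied from radek's message, and both the "periodic" heuristic and the optional comparison against the ikelifetime/lifetime values from iked.conf(5) are assumptions of the example.

```python
import re
import statistics
from datetime import datetime

# Constructed from the "Date:" lines radek posted above (one per iked restart).
STALL_DATES = [
    "Date: Thu, 19 Sep 2019 23:15:39 +0200 (CEST)",
    "Date: Fri, 20 Sep 2019 01:49:59 +0200 (CEST)",
    "Date: Fri, 20 Sep 2019 03:37:15 +0200 (CEST)",
    "Date: Fri, 20 Sep 2019 06:12:31 +0200 (CEST)",
    "Date: Fri, 20 Sep 2019 08:46:45 +0200 (CEST)",
    "Date: Fri, 20 Sep 2019 11:25:08 +0200 (CEST)",
    "Date: Fri, 20 Sep 2019 13:59:06 +0200 (CEST)",
]


def parse_date(line: str) -> datetime:
    """Parse an RFC 2822 date with or without the 'Date:' prefix. The trailing
    '(CEST)' comment is dropped because strptime's %z only understands '+0200'."""
    body = line.partition("Date:")[2].strip() or line.strip()
    body = re.sub(r"\s*\([^)]*\)$", "", body)
    return datetime.strptime(body, "%a, %d %b %Y %H:%M:%S %z")


def stall_intervals(lines) -> list:
    """Seconds between consecutive stalls, oldest first."""
    times = sorted(parse_date(l) for l in lines)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def hms(seconds) -> str:
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return f"{h}h{m:02d}m{s:02d}s"


def summarize(intervals, tolerance=0.10, lifetime=None) -> dict:
    """Median interval and how many intervals fall within +/-tolerance of it.
    Mostly regular spacing suggests a timer-driven cause (SA rekeying is one),
    irregular spacing suggests something external. If an SA lifetime (seconds,
    as configured in iked.conf) is given, report the median as a fraction of it.
    The 2/3 threshold for 'periodic' is an assumption of this example."""
    med = statistics.median(intervals)
    regular = [i for i in intervals if abs(i - med) <= tolerance * med]
    out = {
        "median_s": med,
        "median_hms": hms(med),
        "regular": len(regular),
        "total": len(intervals),
        "periodic": 3 * len(regular) >= 2 * len(intervals),
    }
    if lifetime:
        out["median_over_lifetime"] = round(med / lifetime, 2)
    return out


if __name__ == "__main__":
    iv = stall_intervals(STALL_DATES)
    print("intervals:", ", ".join(hms(i) for i in iv))
    print(summarize(iv))
```

On the constructed sample, five of the six gaps cluster around 2h34m and one is shorter (1h47m), so the stalls look scheduled rather than random. The next step would be to compare that median against the lifetimes actually configured in iked.conf on both peers and to correlate the stall times with iked's log output, which is the kind of evidence that distinguishes a rekeying bug from an ISP problem.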

Re: alias vs inet alias in hostname.if

2019-09-20 Thread Hrvoje Popovski
On 20.9.2019. 13:12, Stuart Henderson wrote:
> On 2019-09-20, Hrvoje Popovski  wrote:
>> Hi all,
>>
>> if i have "alias" directive in hostname.if with dot-notation netmask and
>> networks are in 10/8 or 172.16/12 it seems i'm getting classless /8 or
>> /16 networks ...
> 
> hostname.if(5) format is weird and a bit annoying, the word "netmask"
> is added to the ifconfig command for "inet alias" but not for bare
> "alias" which is passed directly to ifconfig and results in it using the
> standard netmask for the class of address holding the network.
> 
>> but if i have "inet alias" or "alias" with cidr notation netmask in
>> hostname.if everything seems fine and classful :)
> 
> that's passed as a single argument to ifconfig which treats it as you'd
> expect.
> 
>> i'm not sure if this is intentional or not so i'm reporting it here on
>> misc@
> 
> mostly intentional I think, still annoying though!
> 
> 

Thank you for info...

yes, little annoying but it's fine :)



Re: alias vs inet alias in hostname.if

2019-09-20 Thread Stuart Henderson
On 2019-09-20, Hrvoje Popovski  wrote:
> Hi all,
>
> if i have "alias" directive in hostname.if with dot-notation netmask and
> networks are in 10/8 or 172.16/12 it seems i'm getting classless /8 or
> /16 networks ...

hostname.if(5) format is weird and a bit annoying, the word "netmask"
is added to the ifconfig command for "inet alias" but not for bare
"alias" which is passed directly to ifconfig and results in it using the
standard netmask for the class of address holding the network.

> but if i have "inet alias" or "alias" with cidr notation netmask in
> hostname.if everything seems fine and classful :)

that's passed as a single argument to ifconfig which treats it as you'd
expect.

> i'm not sure if this is intentional or not so i'm reporting it here on
> misc@

mostly intentional I think, still annoying though!




alias vs inet alias in hostname.if

2019-09-20 Thread Hrvoje Popovski
Hi all,

if i have "alias" directive in hostname.if with dot-notation netmask and
networks are in 10/8 or 172.16/12 it seems i'm getting classless /8 or
/16 networks ...


inet 192.168.42.1 255.255.255.0
alias 10.10.10.0 255.255.255.0

ix0: flags=8843 mtu 1500
inet 192.168.42.1 netmask 0xffffff00 broadcast 192.168.42.255
inet 10.10.10.0 netmask 0xff000000 broadcast 10.255.255.255

10/8   10.10.10.0 UCn   ix0
10.10.10.0 ec:f4:bb:da:f7:f8  UHLl  ix0
10.255.255.255 10.10.10.0 UHb   ix0



inet 10.10.10.0 255.255.255.0
alias 172.16.2.1 255.255.255.0

ix0: flags=8843 mtu 1500
inet 10.10.10.0 netmask 0xffffff00 broadcast 10.10.10.255
inet 172.16.2.1 netmask 0xffff0000 broadcast 172.16.255.255

172.16/16  172.16.2.1 UCn   ix0
172.16.2.1 ec:f4:bb:da:f7:f8  UHLl  ix0
172.16.255.255 172.16.2.1 UHb   ix0


but if i have "inet alias" or "alias" with cidr notation netmask in
hostname.if everything seems fine and classful :)

i'm not sure if this is intentional or not so i'm reporting it here on
misc@
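Stuart's explanation in his reply (a bare "alias" line is handed to ifconfig without the word "netmask", so the address gets the classful default, while "inet alias" and the CIDR form behave as written) can be turned into a pre-flight check for hostname.if files, which matters because a /8 or /16 that was meant to be a /24 silently widens what the box considers on-link. The following is an added example, not code from the thread or from OpenBSD's netstart; it implements only the rule described above, and the sample file is constructed from the two hostname.ix0 variants in this post plus a few control lines.

```python
import ipaddress
import sys


def classful_prefix(addr: str) -> int:
    """Prefix length ifconfig falls back to when it is given no netmask:
    /8 for a first octet below 128, /16 below 192, otherwise /24."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def mask_prefix(mask: str) -> int:
    """Prefix length of a dotted-quad netmask; rejects non-contiguous masks."""
    m = int(ipaddress.IPv4Address(mask))
    if (m | (m - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return bin(m).count("1")


def audit_hostname_if(text: str) -> list:
    """One finding per bare 'alias <addr> <dotted-mask>' line whose classful
    fallback differs from the mask that was written. 'inet alias ...' lines
    (netstart inserts 'netmask') and CIDR lines (a single address/prefix
    argument to ifconfig) are left alone."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if len(words) != 3 or words[0] != "alias":
            continue
        addr, mask = words[1], words[2]
        try:
            ipaddress.IPv4Address(addr)
            wanted = mask_prefix(mask)
        except ValueError:
            continue  # not an IPv4 address followed by a netmask
        got = classful_prefix(addr)
        if got != wanted:
            findings.append({
                "line": lineno,
                "text": raw,
                "intended": f"{addr}/{wanted}",
                "effective": f"{addr}/{got}",
                "fix": f"inet alias {addr} {mask}",
                "fix_cidr": f"alias {addr}/{wanted}",
            })
    return findings


# Constructed sample: the two hostname.ix0 variants from the post, plus an
# 'inet alias' line, a CIDR line, and a bare alias whose class happens to match.
SAMPLE = """inet 192.168.42.1 255.255.255.0
alias 10.10.10.0 255.255.255.0
alias 172.16.2.1 255.255.255.0
inet alias 192.168.43.1 255.255.255.0
alias 192.168.44.1/24
alias 192.168.45.1 255.255.255.0
"""


def main(paths) -> int:
    """Audit the given hostname.if files (or the built-in sample) and return
    the number of findings, so the exit status can gate a config deploy."""
    texts = [(p, open(p).read()) for p in paths] if paths else [("<sample>", SAMPLE)]
    bad = 0
    for name, text in texts:
        for f in audit_hostname_if(text):
            bad += 1
            print(f"{name}:{f['line']}: '{f['text']}' configures {f['effective']}, "
                  f"not {f['intended']}; use '{f['fix']}' or '{f['fix_cidr']}'")
    return bad


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it as `python3 audit.py /etc/hostname.*` before a reboot or `sh /etc/netstart`. On the constructed sample it flags lines 2 and 3 (the 10/8 and 172.16/16 results seen in the post) and stays quiet about the last line, which is the case that makes this easy to miss: a 192.168.x.y alias gets /24 by class, so the same mistake produces the right answer there.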



Re: Prometheus node_exporter on OpenBSD - anyone managed ?

2019-09-20 Thread Martin Schröder
Am Fr., 20. Sept. 2019 um 10:36 Uhr schrieb Rachel Roch :
> pkg_add node_exporter ?

It's in current so 6.6 will have it.

Best
   Martin



Re: 6.5 crashing on an old Thinkpad 600X

2019-09-20 Thread Jan Stary
On Sep 19 23:10:31, g...@gwennelson.co.uk wrote:
> Hi all, I've been trying to fix up an old Thinkpad, a 600X model with a
> Pentium III and 64mb RAM,

Is 64MB of RAM even workable for current?

> I get some errors in the AML code:
> https://imgur.com/gallery/IRrpgmk

The panic immediately follows a malloc() call.
I wouldn't be surprised if you just don't have enough memory.
You can also try disabling acpi* at boot(8).

> Unfortunately I can't obtain a dmesg as the machine has no networking and
> I've managed to kill the bootloader while trying to update.

Reinstall with current/i386 from a CD.
(How come the Thinkpad has no networking?)



Re: Prometheus node_exporter on OpenBSD - anyone managed ?

2019-09-20 Thread Rachel Roch
Claudio,

pkg_add node_exporter ?

I already had a good look at the package list on the FTP mirror and can't see 
any node_exporter there ?  pkg_add seems to agree with me, it says "can't find 
node_exporter" ?

Certainly pkg_add would be my preferred option, but it seems someone has forgotten 
poor old node_exporter for recent releases ?  

Regarding the other gmake suggestion, that possibility occurred to me after 
sending yesterday's email, but I guess I would have to edit various source 
files to make sure it's calling the right command.  Not rocket science I guess, 
but equally could be time consuming to make sure I've caught all the right 
spots in the code.


Sep 20, 2019, 05:29 by cje...@diehard.n-r-g.com:

> On Thu, Sep 19, 2019 at 10:13:23PM +, Travis Cole wrote:
>
>>
>> Looks like they are assuming GNU make.
>>
>>
>> Try doing the build with 'gmake'.
>>
>>
>> If you don't already have gmake installed:
>>
>>
>> # pkg_add gmake
>>
>
> Or just do `pkg_add node_exporter`. While prometheus does not provide
> a pre-compiled binary OpenBSD does.
>
>> On Thu, Sep 19, 2019 at 11:49:20PM +0200, Rachel Roch wrote:
>> > Hi,
>> > 
>> > The official Prometheus github repo 
>> > (https://github.com/prometheus/node_exporter) 
>> >  appears to suggest in 
>> > multiple places that node_exporter is capable of working on OpenBSD.
>> > 
>> > But although they provide pre-compiled binaries for multiple platforms 
>> > including NetBSD (https://github.com/prometheus/node_exporter/releases) 
>> >  they seemingly 
>> > don't provide a binary for OpenBSD.
>> > 
>> > So I tried downloading the source and compiling it, but I get a screenful 
>> > of nasty sounding messages, e.g.:
>> > Bad modifier: , ,$(shell $(GO) env GOPATH)))
>> > Bad modifier: , ,$(shell $(GO) env GOPATH)))
>> > No closing parenthesis in archive specification
>> > *** Parse error: Error in archive specification: "(, \.'))" (Makefile.common:41)
>> > *** Parse error: Need an operator in 'else' (Makefile.common:51)
>> > *** Parse error: Need an operator in '' (Makefile.common:54)
>> > *** Parse error: Need an operator in '' (Makefile.common:55)
>> > *** Parse error: Need an operator in 'endif' (Makefile.common:61)
>> > Bad modifier: , ,$(shell go env GOPATH)))
>> > Bad modifier: , ,$(shell go env GOPATH)))
>> > 
>> > 
>> > Given the popularity of Prometheus, I'm sure someone on-list must be 
>> > actively running it ?
>> > 
>> > Thanks !
>> > 
>> > Rachel
>> > 
>>
>
> -- 
> :wq Claudio
>



Re: Bad fonts in pdf

2019-09-20 Thread Stuart Henderson
On 2019-09-19, openbsd-misc-nos...@riseup.net  
wrote:
> Here is screenshot: https://screenshots.firefox.com/LyKbRyGMRT3sDHbu/null
>
> I had this problem in the past, but can't remember what font I should install?
>
> Thanks!
>
>

It might be helpful to explain what the problem is because it's not obvious.



Re: 6.5 crashing on an old Thinkpad 600X

2019-09-20 Thread Stuart Henderson
On 2019-09-19, Gwen Nelson  wrote:
> Hi all, I've been trying to fix up an old Thinkpad, a 600X model with a
> Pentium III and 64mb RAM, I get some errors in the AML code:
>
> https://imgur.com/gallery/IRrpgmk
>
> Unfortunately I can't obtain a dmesg as the machine has no networking and
> I've managed to kill the bootloader while trying to update.
>
> Any ideas?

First I'd try a snapshot, if that doesn't help then I'd try "boot -c"
and "disable acpitz". If you can get it booting, the acpi tables
generated in the report by running sendbug as root might help track
it down.

64MB is really pushing it for a useful system though.




Re: What is the 3rd column in the learned mac address list in ifconfig

2019-09-20 Thread Tom Smyth
Thanks Claudio :) appreciate it ...

On Fri, 20 Sep 2019 at 07:24, Claudio Jeker 
wrote:

> On Fri, Sep 20, 2019 at 07:16:15AM +0100, Tom Smyth wrote:
> > Hi all, hope those of you at eurobsdcon are enjoying yourselves
> > wish I was there
> > I was wondering what is the 3rd column in the learned mac address list in
> > the column is a number 0 or 1 after the interface name in
> >   ifconfig  bridge x
> >
> > I have highlighted with ** the value i'm interested in
> > Addresses (max cache: 100, timeout: 240):
> > 00:17:c8:3e:08:22 em2 *0* flags=0<>
>
> This would be the age of the entry.
>
> >
> > ifconfig  bridge x
> >
> >
> > bridge0: flags=41
> > index 7 llprio 3
> > groups: bridge
> > priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
> > rstp
> > em2 flags=3
> > port 4 ifpriority 0 ifcost 0
> > em1 flags=3
> > port 3 ifpriority 0 ifcost 0
> > vether0 flags=3
> > port 10 ifpriority 0 ifcost 0
> > Addresses (max cache: 100, timeout: 240):
> > 00:17:c8:3e:08:22 em2 0 flags=0<>
> > 1c:c3:eb:68:05:29 em1 0 flags=0<>
> > b8:bc:1b:1e:9d:9f em1 0 flags=0<>
> > 38:f9:d3:47:db:54 em1 1 flags=0<>
> > 48:bf:6b:e6:27:c2 em1 0 flags=0<>
> > 74:d4:35:80:51:91 em2 1 flags=0<>
> > 74:44:01:81:9b:7e em1 0 flags=0<>
> >
> > --
> > Kindest regards,
> > Tom Smyth.
>
> --
> :wq Claudio
>


-- 
Kindest regards,
Tom Smyth.


Re: What is the 3rd column in the learned mac address list in ifconfig

2019-09-20 Thread Claudio Jeker
On Fri, Sep 20, 2019 at 07:16:15AM +0100, Tom Smyth wrote:
> Hi all, hope those of you at eurobsdcon are enjoying yourselves
> wish I was there
> I was wondering what is the 3rd column in the learned mac address list in
> the column is a number 0 or 1 after the interface name in
>   ifconfig  bridge x
> 
> I have highlighted with ** the value i'm interested in
> Addresses (max cache: 100, timeout: 240):
> 00:17:c8:3e:08:22 em2 *0* flags=0<>

This would be the age of the entry.
 
> 
> ifconfig  bridge x
> 
> 
> bridge0: flags=41
> index 7 llprio 3
> groups: bridge
> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
> rstp
> em2 flags=3
> port 4 ifpriority 0 ifcost 0
> em1 flags=3
> port 3 ifpriority 0 ifcost 0
> vether0 flags=3
> port 10 ifpriority 0 ifcost 0
> Addresses (max cache: 100, timeout: 240):
> 00:17:c8:3e:08:22 em2 0 flags=0<>
> 1c:c3:eb:68:05:29 em1 0 flags=0<>
> b8:bc:1b:1e:9d:9f em1 0 flags=0<>
> 38:f9:d3:47:db:54 em1 1 flags=0<>
> 48:bf:6b:e6:27:c2 em1 0 flags=0<>
> 74:d4:35:80:51:91 em2 1 flags=0<>
> 74:44:01:81:9b:7e em1 0 flags=0<>
> 
> -- 
> Kindest regards,
> Tom Smyth.

-- 
:wq Claudio



What is the 3rd column in the learned mac address list in ifconfig

2019-09-20 Thread Tom Smyth
Hi all, hope those of you at eurobsdcon are enjoying yourselves
wish I was there
I was wondering what is the 3rd column in the learned mac address list in
the column is a number 0 or 1 after the interface name in
  ifconfig  bridge x

I have highlighted with ** the value i'm interested in
Addresses (max cache: 100, timeout: 240):
00:17:c8:3e:08:22 em2 *0* flags=0<>


ifconfig  bridge x


bridge0: flags=41
index 7 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
rstp
em2 flags=3
port 4 ifpriority 0 ifcost 0
em1 flags=3
port 3 ifpriority 0 ifcost 0
vether0 flags=3
port 10 ifpriority 0 ifcost 0
Addresses (max cache: 100, timeout: 240):
00:17:c8:3e:08:22 em2 0 flags=0<>
1c:c3:eb:68:05:29 em1 0 flags=0<>
b8:bc:1b:1e:9d:9f em1 0 flags=0<>
38:f9:d3:47:db:54 em1 1 flags=0<>
48:bf:6b:e6:27:c2 em1 0 flags=0<>
74:d4:35:80:51:91 em2 1 flags=0<>
74:44:01:81:9b:7e em1 0 flags=0<>

-- 
Kindest regards,
Tom Smyth.


Re: Incoming connection via VLAN

2019-09-20 Thread Felix Hanley
On Fri, Aug 30, 2019 at 11:32:02AM +1000, Felix Hanley wrote:
> Hello all,
> 
> My home internet connection (Internode Australia) has recently been
> "upgraded" and is now delivered via vlan ID 2. Previously had the
> following configuration which worked without issue:
> 
> # cat /etc/hostname.em0
> up
> 
> # cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE \
> pppoedev em0 authproto pap \
> authname 'x...@internode.on.net' \
> authkey '' up
> dest 0.0.0.1
> inet6 eui64
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
> !/etc/rc.d/dhcp6c restart
> !/sbin/pfctl -ef /etc/pf.conf
> 
> After working out the vlan stuff I now have the following:
> 
> # cat /etc/hostname.em0
> up
> 
> # cat /etc/hostname.vlan2
> vnetid 2 parent em0 txprio 1
> up
> 
> # cat /etc/hostname.pppoe0
> inet 0.0.0.0 255.255.255.255 NONE \
> llprio 1 mtu 1440 \
> pppoedev vlan2 authproto pap \
> authname 'x...@internode.on.net' \
> authkey '' up
> dest 0.0.0.1
> inet6 eui64
> !/sbin/route add default -ifp pppoe0 0.0.0.1
> !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
> !/etc/rc.d/dhcp6c restart
> !/sbin/pfctl -ef /etc/pf.conf
> 
> I am able to access the internet fine. My problem is incoming
> connections are unable to access the OBSD router but are able to be
> redirected to internal hosts just fine. There was no problems with this
> prior to the vlan stuff. My stripped down pf.conf is:
> 
> # cat /etc/pf.conf
> egress = "pppoe0"
> zappa = "10.0.1.2"
> 
> set skip on lo
> set skip on vlan2
> set block-policy drop
> set loginterface $egress
> 
> queue outq on $egress bandwidth 13M max 13M flows 1024 qlimit 1024 default
> 
> match in inet all scrub (no-df random-id)
> match on $egress inet scrub (max-mss 1440)
> # NAT all outbound IPv4 traffic from the rest of our network
> match out on $egress inet from !($egress:network) to any nat-to ($egress:0)
> 
> antispoof quick for lo
> 
> pass in on $egress proto { tcp udp } from any to ($egress) port { ssh
> http https }
> pass in on $egress proto tcp from any to ($egress) port 51022 rdr-to
> $zappa port ssh
> 
> Running tcpdump on pppoe0 shows ICMP packets but never any SSH (or other
> TCP) packets coming in on egress. I am confused that rdr-to works but
> connections to the router do not.
> 
> Any help would be greatly appreciated.
> 
> -felix

So it turns out that my configuration was fine.

Internode reinstated their default firewall when they set up my new
service. This was blocking incoming ports 80, 443 etc.

Thanks for your time.

-felix