Thanks, I've solved this issue by creating another bridge on my router (for LAN) - Tor uses another interface on the router in rdomain 2.
To make troubleshooting easier, I've installed Tor on an OpenBSD VM. The problem now is that I can ping my router from the VM and I can ping the VM from the router. But when I ping 8.8.8.8 from the VM, I get no response. route -T 2 exec ping 8.8.8.8 from the router works fine:

# route -T 2 exec ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=49 time=40.113 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=32.074 ms

And I've got in rtable 2:

192.168.12/24      192.168.12.1   UC    1   13   -   4 vether2
192.168.12.1       router_MAC     UHLl  0   66   -   1 vether2
192.168.12.13      VM_MAC         UHLc  0   15   -   4 vether2
192.168.12.255     192.168.12.1   UHb   0    0   -   1 vether2

Relevant pf.conf entries on the router:

pass in quick on vether2 inet from 192.168.12.13 to any rtable 2
pass out quick on vether2 rtable 2
pass in quick on vether1 from any to any rtable 2
pass out quick on vether1 from any to any rtable 2

Any ideas here?

On 05/15/16 12:10, Stefan Sperling wrote:
> On Sat, May 14, 2016 at 10:53:49PM +0200, Piotr Kubaj wrote:
>> Hi,
>>
>> I need help with multiple routing tables, because the tutorials on the
>> Internet are pretty much scarce. The router is Ubiquiti EdgeRouter Lite
>> running OpenBSD 5.9.
>>
>> I've got two public IP's attached by DHCP - since I don't want to use
>> multiple physical NIC's, I use two vether interfaces (with different
>> MAC's) in bridge with a physical NIC (cnmac0).
>>
>> Behind the router, I've got a home server with FreeBSD running multiple
>> jails. The server itself and all jails but one are to use the vether0
>> NIC on the router with its IP. One jail (running Tor exit node) is to
>> use the vether1 NIC with its IP.
>>
>> That's why two routing tables are necessary.
>>
>> The whole server is in 192.168.11.0/24 class with Tor jail using
>> 192.168.11.13 (other services use other IP's).
>> All outgoing and incoming traffic from 192.168.11.13 is to use vether1
>> NIC. Other IP's are to use vether0 for all the traffic.
>>
>> When I want to add 192.168.11/24 class to rdomain 2, I get:
>> # route -T 2 add 192.168.11/24 192.168.11.1
>> route: writing to routing socket: Network is unreachable
>> add net 192.168.11/24: gateway 192.168.11.1: Network is unreachable
> You cannot reach 192.168.11.1 in rdomain 2 because there is no
> interface in rdomain 2 which has an address from 192.168.11/24.
>
> The key point seems to be that you're trying to route between different
> rdomains. I believe you must use pf to route traffic coming from this
> IP (which is in rdomain 0) to vether1 (which is in rdomain 2).
>
> See the pf.conf man page and search for 'rdomain' and 'rtable'.
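As an added example, not the poster's configuration and not something the thread itself states: a minimal pf.conf fragment showing how the rtable action used in the post is normally paired with a nat-to rule on the uplink and a logging default deny, so that a ping that never gets an answer can be traced hop by hop instead of looking like a silent drop. Interface names and addresses are taken from the thread (vether1 as the Tor uplink in rdomain 2, vether2 as the LAN bridge carrying 192.168.12.0/24, 192.168.12.13 as the Tor VM); the nat-to rule, the default deny and the reply rule are assumptions about what a private source address needs before it can reach the Internet through a public uplink.

```pf
# Added example, not the configuration from the thread. Names follow the
# post: vether1 = Tor uplink in rdomain 2, vether2 = LAN bridge (also in
# rdomain 2 judging by the rtable 2 listing), 192.168.12.13 = the Tor VM.
# The nat-to rule, the default deny and the reply rule are assumptions.

tor_if = "vether1"
lan_if = "vether2"
tor_vm = "192.168.12.13"

# Default deny with logging: anything not matched by a rule below shows
# up on pflog0, which is the quickest way to see which hop drops a packet.
block log all

# Traffic entering from the LAN is kept in routing table 2. 'rtable 2' is
# an action (the table the packet is looked up in); to match only packets
# that are already in a given domain, pf offers 'on rdomain 2' instead of
# an interface name, but the two cannot be combined in one rule.
pass in quick on $lan_if inet from $tor_vm to any rtable 2

# Replies going back to the VM, e.g. the echo reply from 8.8.8.8. The state
# created by the rule above normally covers this already; the explicit rule
# keeps the reply path visible when reading the ruleset.
pass out quick on $lan_if inet to $tor_vm

# Leaving via the uplink: rewrite the private source to the uplink's own
# address. Without this, the far end answers to 192.168.12.13, which no
# upstream router can return, so the ping from the VM gets no response
# even though 'route -T 2 exec ping' from the router itself works.
match out on $tor_if inet from $tor_vm nat-to ($tor_if)
pass out quick on $tor_if inet from $tor_vm rtable 2
```

To check which leg loses the packet after loading this, watch the default deny with `tcpdump -n -e -ttt -i pflog0`, confirm the translated source with `tcpdump -n -i vether1 icmp` (the source should be vether1's public address, not 192.168.12.13), list the states with `pfctl -s states | grep 192.168.12.13`, and confirm that rtable 2 actually holds a default route with `route -T 2 -n show`.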
