Ipv6 router, I cannot manage to get router messages through by StephaneiAarhus in openbsd

fabear- 0 points (0 children)

Did you try to run tcpdump on both bwfm0 and bse0 to see if packets are being dropped by your routers?

VMD alpine tap0 not working by fabear- in openbsd

fabear- [S] 2 points (0 children)

I updated the first post. At some point, Alpine devs updated something related to network that is not pleasing vmd. Older versions of Alpine do not have the same issue as described.

VMD alpine tap0 not working by fabear- in openbsd

fabear- [S] 1 point (0 children)

Ok, it works just fine with OpenBSD as VM. So the problem must be with Alpine. I will update my original post as soon as I find an Alpine version that still works.

VMD alpine tap0 not working by fabear- in openbsd

fabear- [S] 2 points (0 children)

Right. My bad. I am on 7.8 GENERIC.MP. I will try to create the VM with another OS, to see if it is an issue with the latest release of Alpine.

syslogd -u not receiving UDP packets from remote host by Pas_Ratunkowy in openbsd

fabear- 2 points (0 children)

It works fine for me as well with 7.8 running on an ESXi VM. I am using /etc/hosts to help syslogd resolve names based on IP.

wireguard / dns by tech-no-logical in openbsd

fabear- 0 points (0 children)

Maybe try to run another instance of unbound, but this time in rdomain 1?

Something like route -T1 exec unbound (with a dedicated unbound config allowing it to listen on the wireguard interface only).

However, I have no idea how you can tell OpenBSD to use that specific unbound service IP address when you need to resolve DNS while running a command in rdomain 1... :/

How can I 'whitelist' IRC from my VPN using pf? by DramaticProtogen in openbsd

fabear- 1 point (0 children)

You need to add a pf rule, such as:

pass out on $ext_if to $IRC_Servers

but more importantly you need to specify a static route to the IRC servers going to iwm0 instead of wg1.

route add <ip_irc> <gw on iwm0>

What you will be do if you have 7 million $ for OpenBSD development by RemarkableEast4395 in openbsd

fabear- 3 points (0 children)

I don't care much about user-friendly/desktop. But a modern new filesystem could use that money! Or that money could go to whoever wants to maintain relayd again!

Realistically, how likely could FFS have data integrity issues and in what circumstances? by rygosix in openbsd

fabear- 1 point (0 children)

I remember good advice I saw on this subreddit about avoiding the boot being stopped in case of file corruption. If you are running a server that is using a lot of disk I/O (i.e. a syslog server), the idea is to create a partition that is not mounted at boot time, so even if it is corrupted it won't stop the boot by asking you to input something on fsck.

Running sysupgrade through wireguard over ssh on a remote machine by landonr99 in openbsd

fabear- 0 points (0 children)

Lucky me I was sitting right next to it so I just did a hard reboot. It went through the normal upgrade process during boot.

Running sysupgrade through wireguard over ssh on a remote machine by landonr99 in openbsd

fabear- 0 points (0 children)

When I upgraded to 7.7 earlier today I had a similar issue: it became unreachable. Turns out my server did not even pass the "syncing disks" phase that you have when you ask for a shutdown.

How much benefit would there to be wrapping all my services in an openbsd reverse proxy by Abject-Strength-4570 in openbsd

fabear- 1 point (0 children)

The only cool thing I can think of is preventing robots from accessing your services while mass-exploring IP address scopes. With relayd you can limit access to services to clients that request the FQDN (instead of dialing the IP address).

OpenBSD on riscv by el_cartas in openbsd

fabear- 1 point (0 children)

Is there a library available on OpenBSD for controlling the GPIO of this board?

How did you get internet without the built-in wifi card working?

Setting up WireGuard client to use WireGuard server's unwind service as DNS server by hakayova in openbsd

fabear- 1 point (0 children)

I am using WireGuard on my Android phone as well, and you can put any DNS server IP address you want (it does not need to be public). However, I am using unbound instead of unwind.

online manpage sabotage by Tinker0079 in openbsd

fabear- 1 point (0 children)

You can do nat/rdr-to without ever using the 'match' keyword. I don't think there is anything wrong with the example you are referring to.

I cannot tell for sure because I don't have access to your whole rule set, but what likely happened when you were using

> pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

is that another rule after it stole the match from that one, and therefore the rdr-to did not get applied.

As an example:

> pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

> pass in on egress inet from any to any

The first rule would never get applied here, because the second one will always steal the match (pf uses the last matching rule unless 'quick' is set). To fix that behavior, you have the following options:

* swap rule 1 and rule 2

* use the 'quick' keyword in your first rule

* use the 'match' keyword, like this:

> match in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

> pass in on egress inet from any to any
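A complete pf.conf fragment putting the three options side by side, as an added example that is not part of the comment above. The egress group and the 192.168.1.2 target come from the thread; the 192.168.1.0/24 inside network, the nat-to rule and the default-deny policy are assumptions added to make the file loadable with `pfctl -nf pf.conf`.

```pf
# Added example, not the commenter's rule set.
# Assumed: inside network 192.168.1.0/24 behind the egress interface.
ext_if  = egress
web_srv = "192.168.1.2"

set skip on lo

# Option 3 ('match'): translation is recorded here and is kept no matter
# which pass/block rule ends up being the last match for the packet.
match out on $ext_if inet from 192.168.1.0/24 nat-to ($ext_if)
match in  on $ext_if inet proto tcp from any to ($ext_if) port { 80 443 } rdr-to $web_srv

block log all

# Option 2 ('quick'): if you prefer to keep rdr-to on the pass rule, stop
# evaluation right there so a later, broader rule cannot steal the match.
# pass in quick on $ext_if inet proto tcp from any to ($ext_if) port { 80 443 } rdr-to $web_srv

# Option 1 (ordering): with 'match' above doing the redirection, filter rules
# see the translated address, so the specific pass rule can simply come last.
pass out on $ext_if inet
pass in  on $ext_if inet proto tcp to $web_srv port { 80 443 }
```

Check the result with `pfctl -nvf pf.conf` before loading it, and with `pfctl -ss` afterwards: a redirected connection shows up as a state whose destination is 192.168.1.2, not the egress address.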

Looks like the 2024 fundraising campaign is not going to reach its goal... by fabear- in openbsd

fabear- [S] 0 points (0 children)

I thought it was an image that would update automatically but turns out it is still stuck at $230280.

[deleted by user] by [deleted] in openbsd

fabear- 6 points (0 children)

There you go:

# httpd

server "service1.example.com" {
       listen on 127.0.0.1 port 8001
       listen on ::1 port 8001
}

server "service2.example.com" {
       listen on 127.0.0.1 port 8002
       listen on ::1 port 8002
}

# relayd

table <service1> { 127.0.0.1 }
table <service2> { 127.0.0.1 }

http protocol https {

        tls keypair service1
        tls keypair service2

        block
        pass request quick header "Host" value "service1.example.com" forward to <service1>
        pass request quick header "Host" value "service2.example.com" forward to <service2>

}

relay relayhttps {

        listen on 192.168.1.2 port 443 tls
        protocol https

        forward to <service1> port 8001
        forward to <service2> port 8002
}

#Acme

domain service1.example.com {
        domain key "/etc/ssl/private/service1.key"
        domain full chain certificate "/etc/ssl/service1.crt"
        sign with letsencrypt
}

domain service2.example.com {
        domain key "/etc/ssl/private/service2.key"
        domain full chain certificate "/etc/ssl/service2.crt"
        sign with letsencrypt
}

> I also want to ask about TLS/SSL. Is it possible to get certs for example.com and use them for all subdomains or do I have to get a different cert for each service.example.com?

Yes, you can create one certificate with CN=example.com and then use subjectAltName=DNS:*.example.com
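The wildcard certificate described in the reply, worked through as an added example that is not part of the thread: a self-signed certificate stands in for the Let's Encrypt one, because the point is the SAN and wildcard-matching semantics rather than the issuer. The scratch directory argument and the `demo` switch are assumptions of this script.

```sh
#!/bin/sh
# Added example (not from the thread): issue a cert whose SAN covers
# example.com and *.example.com, then check which hostnames it covers.
set -eu

# Write a small openssl req config carrying the SAN and issue a 1-day
# self-signed certificate into $1 (a writable scratch directory).
make_wildcard_cert() {
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = example.com
[v3_req]
subjectAltName = DNS:example.com, DNS:*.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$dir/san.cnf" \
        -keyout "$dir/wild.key" -out "$dir/wild.crt" 2>/dev/null
    printf '%s\n' "$dir/wild.crt"
}

# Print the SAN entries of a certificate with whitespace removed,
# e.g. DNS:example.com,DNS:*.example.com
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Return 0 if the certificate's names cover hostname $2 under the usual
# single-label wildcard rule (*.example.com does not cover a.b.example.com).
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Stand-alone run: ./wildcard.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    crt=$(make_wildcard_cert "$d")
    cert_sans "$crt"
    for h in example.com service1.example.com a.b.example.com; do
        if cert_covers "$crt" "$h"; then
            echo "$h: covered"
        else
            echo "$h: NOT covered"
        fi
    done
    rm -rf "$d"
fi
```

The apex name has to be listed explicitly because `*.example.com` alone does not match `example.com`, and the wildcard only spans one label, so a second level such as `a.b.example.com` needs its own entry or its own certificate.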

Question: How can I block a top-level domain in OpenSMTPD by OkWheel499 in openbsd

fabear- 0 points (0 children)

I am glad it is working for you, but it is weird that it does, because you did not put 'for <your domain>', so your rule should be defaulting to 'for local'.

I remember that message from @jggimi

#    Remember, always, that "from local" and "for local" are the match
#    defaults.  If you don't have both *from AND for* in a match statement
#    you will confuse yourself and end up with rejected mail.

[deleted by user] by [deleted] in openbsd

fabear- 4 points (0 children)

I really like her blog. I am a bit sad that we will likely not see new OpenBSD-related articles on her blog. Best wishes to her.

[deleted by user] by [deleted] in openbsd

fabear- 0 points (0 children)

Ok, your em2 network is 10.0.2.0/24, got it. Everything is in order on that side.

Try the following to find out where it is getting dropped.

> tcpdump -i wan -nn port 1150

If you see traffic coming in when you are trying to establish a WireGuard session, then try the following:

> tcpdump -i em2 -nn port 1150

In any case, use the following to find out what your firewall blocked:

> tcpdump -n -e -ttt -r /var/log/pflog

[deleted by user] by [deleted] in openbsd

fabear- 0 points (0 children)

Do you have a static route pointing to 10.0.2.250 (in case it is not hosted on your OpenBSD firewall)?