Hello,
> It means that your directly internet-accessible hosts have a way that
> they can reach your internal-network hosts without going through the
> firewall.
>
> Many network admins would consider this a problem.
I am not sure what you mean by this, but when you do allocation of
globally accessible addresses, I do not want the router to do any
filtering on them, I want the traffic to be completely controlled by
the container.
> that's fine, you have thought about how to arrange things for this
Yeah, it might look weird but I do not think it is specifically bad.
I would like to point out I am aware that NAT is not the drop-in
solution big ISPs make it sound. A lot of ISPs say "ah yeah you are
completely safe behind a NAT, that is why you should never port forward"
but this disinformation is mainly to stop people from self hosting, and
secondly, it gives a false sense of security.
However, NAT on the other hand does provide some security, without
redirecting the ports to internal addresses, none of the containers are
wan facing, which does add additional security, on top of the existing
firewall within the containers of course.
If anyone is wondering, I run both external and internal services,
therefore yes having a LAN is useful.
> fwiw, you're using an expensive ISP which has ample spare addresses,
> there's a fairly good chance they'll give you more if asked.
Although I get the /29 block free, and also could request another one if
I can justify my need for it, I can assure you the monthly bill
definitely makes up for the number of addresses I got.
Also I pay for A&A for a reason, they are the most reliable ISP in the
UK, and I do not think that is up for debate. Not only that, they have
supported dual stack addressing longer than any other ISP, and they are
still one of the only UK ISPs to give out IPv6, which in 2023 is getting
ridiculous, the UK needs to catch up with the rest of Europe!
But, just because I *can* ask for more IPv4s, doesn't mean I should. I
proactively try to make each address go a long way as I would like to
contribute as little as possible to the IPv4 exhaustion. The only time I
need the other /29 block is:
- Giving a container to a friend, it's hard to use server resources by
yourself, sharing is caring :)
- Redundancy, adding multiple A records and having backup webservers or
email servers require having more global addresses.
But apart from that, I do not mind doing port forwards through the NAT
and try to make that address go further.
> it's common to be able to use the network interface on which a packet
> is received as part of the decision whether to accept that packet.
> most example rulesets you'll find do that, so be aware if cribbing from
> other setups.
I am aware, but I am not aimlessly copying and pasting rules, they were
(mostly) all written by hand, the only thing which was not, is the
initial NAT lines which I used the configuration from the manpages so I
could get the router working initially, but since I learnt more about how pf
works, I have written everything myself.
Besides, I do not know if it is good or bad practice, but when I was
writing my rules I did not like using "any" and would prefer to specify
specific blocks. If something weird happens I would rather the packet be
dropped than go through an "any" filter.
> It's not a loopback, it's the network address.
Sorry my mistake, I keep typing these emails during the middle of the
night, this was one such embarrassing mistake :/
I am aware loopback is an interface which does exactly what it sounds like.
> there are other ways to do it but they are fiddly, more fragile
> (requiring changes on every host if the router hardware address is
> changed), and really not recommended to go down that route unless you
> have a solid grasp of the basics.
Even in enterprise they would sacrifice 1 address for each block, I just
was more curious if it was possible, not whether it would ever be a good
idea. In general, the simpler you keep it, the fewer problems you
will have.
> there's going to be some reason for this but it'll be easier to fix
> what's obviously a problem first and then go from there.
The only way I see this being possible is if the routing table routes
the entire /29 block to the router itself.
Maybe it could be caused by the use of alias over just plain inet? Is
there hidden logic behind the use of alias?
> yes, or you can leave off the broadcast address, it's set by default anyway.
This is where I get weird and say I would rather specify it anyway because I
like how it looks :P
> (remember to renumber the existing .57 host if you're going to use .57
> for the router)
I incremented to .58, however the same issue still exists.
Unless you have any other suggestions, I got a feeling the only logical
place this error is occurring is within the routing table. But as far as
I am aware, and as you highlighted in a previous email, OpenBSD should
take care of adding the routing rules, either by arp discovery or by
what is specified within hostname.if(5).
I have seen very little use of "alias", thus I am not too sure how it
behaves, I have seen its use within hostname.if(5), where it is used to
give additional addresses on a 192.168.0.0/16 block to the device, but
never trying to route said aliases.
Any suggestions as to what I can try?
I think it is pretty clear that attempting to route aliases is not going
to work, so is the next step trying to vlan? Because vlans increase
complexity by a lot, and the most simple solution (apart from another
physical interface, as that is not currently possible) would be preferable.
Thanks for the help,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev