<hexa-> thanks everyone!
<eyJhb> Am I doing something obvious wrong here? https://termbin.com/33c3 ifUplink is enp7s0, which is my public interface on my server. I just want to redirect traffic from port
<eyJhb> 9091, to the veth
<eyJhb> Which is inside a namespace :) I can curl from my server, but the DNAT does not seem to work
<NinjaTrappeur> Do you have a route in your netns pointing back to your server via
<NinjaTrappeur> Your dnat does not seem wrong to me. I'd not trust myself though, better try to tcpdump just to make sure the dnat indeed works ;)
<eyJhb> NinjaTrappeur: I hadn't enabled ip_forward... :/ So now I can get stuff INTO my namespace, but I cannot get it out again (curl on the root namespace works fine) - https://termbin.com/b3ot
<NinjaTrappeur> ip netns exec $yourns route get
<NinjaTrappeur> I think you're missing the route back home
<eyJhb> NinjaTrappeur: I have tried to add it, as can be seen here - https://termbin.com/w7qm and there is also the result of that command line :)
<NinjaTrappeur> I don't get it, sorry (I don't use ns that much, I might be missing something obvious).
<NinjaTrappeur> I assume you can't ping from the ns, even with the route right?
<eyJhb> Nope, not able to. And I am in the same boat, but only knowing even less about ns :p
<NinjaTrappeur> :)
<NinjaTrappeur> Please write the solution here when you find it, I'm hooked now :)
<eyJhb> NinjaTrappeur: I am so close to just doing an ssh local connection each time I need it :p
<NinjaTrappeur> I'm wondering how nftables is considering the return packet. Is it handled by an output chain type or a forward one?
<NinjaTrappeur> you're not setting any policy nor accepting anything on your forward chain.
<eyJhb> I could just do a policy accept and test?
<NinjaTrappeur> (since you're route seems to be alright, my gut feeling is that something along the way eats your delicious data. By elimination, it's either the firewall or some ns magic)
<NinjaTrappeur> yup
<NinjaTrappeur> *your route
<eyJhb> No dice :(
<eyJhb> Shouldn't I be able to combine DNAT/SNAT together? i.e. it would be ideal if it changes the ip from the incoming ip, to, and then goes into the veth, which will then know how to handle the route, etc.
<NinjaTrappeur> I guess you could. But conceptually, I don't understand what blocks us.
<NinjaTrappeur> Maybe something to do with the firewall config of your veth's ns?
<NinjaTrappeur> gotta go. Ping me if you find the solution :)
<eyJhb> Shouldn't be any firewall :/
<eyJhb> Will do NinjaTrappeur :p
<eyJhb> I got a little further, and now it will try to send it out to using route ` via dev wg0 `
<eyJhb> Is this cheating? socat tcp-listen:9091,reuseaddr,fork tcp-connect:
<eyJhb> NinjaTrappeur: `oifname veth0 masquerade`
