From: David Gwynne <david@gwynne.id.au>
Subject: Re: veb(4) link1 breaks vport(4) connectivity to igc(4) ports
To: Isaac Meerleo <spritskillshot@gmail.com>
Cc: tech@openbsd.org
Date: Tue, 17 Mar 2026 11:56:03 +1000

On Mon, Mar 16, 2026 at 07:51:40PM -0400, Isaac Meerleo wrote:
> I am trying to create a sort of managed switch out of my OpenBSD box.
> Effectively, my goal is to assign each IP to a NIC:
> 
> # Management
>         mang_if = "vport0"
>         mang_ip = "x.x.x.26"
> # Home Network
>         home_if = "igc0"
>         home_ip = "x.x.x.27"
> # Personal
>         fugu_if = "igc1"
>         fugu_ip = "x.x.x.28"
> # Production
>         prod_if = "igc2"
>         prod_ip = "x.x.x.29"
> # Buddy
>         andy_if = "igc3"
>         andy_ip = "x.x.x.30"
> 
> I did this with pf and veb(4). It works... sort of. With pf
> running my ruleset and `ifconfig veb0 link1`, all the downlink
> networks can reach the internet and are having a great time. But
> when I ping or ssh to x.x.x.26 I get nothing. In fact, the
> OpenBSD box doesn't have internet at all. Even if I `set skip on
> lo` and `pass all`, ssh and ping to .26 fail. But if I
> `ifconfig veb0 -link1`, all of a sudden I can touch the internet
> (even with the below pf.conf set). Is this a bug? Also, is there
> a better approach?
> 
> 
> edge# cat /etc/hostname.veb0
> description "WAN Bridge"
> add em0    # WAN
> add igc0   # Home Network
> add igc1   # Personal
> add igc2   # Production
> add igc3   # Buddy's Network
> add vport0 # Host Management
> link1
> up
> 
> edge# cat /etc/pf.conf
> # Home Network
>         home_if = "igc0"
>         home_ip = "x.x.x.27"
> # Fugu Farm
>         fugu_if = "igc1"
>         fugu_ip = "x.x.x.28"
> # Production
>         prod_if = "igc2"
>         prod_ip = "x.x.x.29"
> # Andrew
>         andy_if = "igc3"
>         andy_ip = "x.x.x.30"
> 
> 
> ### Options
> set skip on { lo vport0 }
> set limit table-entries 1000000
> 
> 
> # Normalize and de-fragment
> match in all scrub (no-df random-id max-mss 1440)
> 
> 
> ### Meat and Potatoes
> block log all
> 
> # Allow Traffic on WAN Uplink
> pass on em0
> 
> # Connect host stack to bridge
> pass on vport0
> 
> pass  in on $home_if from $home_ip
> pass out on $home_if to   $home_ip
> 
> pass  in on $fugu_if from $fugu_ip
> pass out on $fugu_if to   $fugu_ip
> 
> pass  in on $prod_if from $prod_ip
> pass out on $prod_if to   $prod_ip
> 
> pass  in on $andy_if from $andy_ip
> pass out on $andy_if to   $andy_ip
> 
> 
> edge# ls /etc/hostname.{em0,igc*} # All just contain "up"
> /etc/hostname.em0     /etc/hostname.igc1    /etc/hostname.igc3
> /etc/hostname.igc0    /etc/hostname.igc2
> 
> edge# cat /etc/hostname.vport0
> inet x.x.x.26 255.255.255.0
> up

it's not clear, but i assume em0 is also part of the veb?

are you using this exact ruleset when you're having trouble with link1
and connections to/from vport0? my best guess is that you've been
running with link1 set but without "set skip on vport0", and the
problem you're hitting is that pf runs twice for vport packets: once
on the vport interface and again on the physical veb ports.

if you connect from vport to the internet, your packet will go out
vport0, and then it will go out em0 again. because pf doesn't do
interface tracking or anything by default, it'll think the packet is
being replayed and block it.

set skip on vport0 should fix this though, which is why i'm confused.
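A config cross-check in the spirit of that guess, added here as an example and not taken from the thread or from OpenBSD: it parses a hostname.veb(4) file and a pf.conf, then lists every vport(4) member of the veb that `set skip on` does not cover, i.e. the ports on which pf would still get a second pass at the same packet. Both config samples are constructed, with an extra vport1 deliberately left out of the skip list.

```shell
#!/bin/sh
# Constructed samples modelled on the layout in the thread (not real files).
VEB_CONF='description "WAN Bridge"
add em0
add igc0
add vport0
add vport1
link1
up'
PF_CONF='set skip on { lo vport0 }
block log all
pass on vport0'
# Same ruleset with every vport member skipped, for comparison.
PF_OK='set skip on { lo vport0 vport1 }
block log all'

# Print the vport(4) members named by "add" lines in a hostname.veb file.
veb_vports() {
    printf '%s\n' "$1" | awk '$1 == "add" && $2 ~ /^vport[0-9]+$/ { print $2 }'
}

# Print the interfaces named on pf.conf "set skip on" lines, with or
# without a brace list.
pf_skipped() {
    printf '%s\n' "$1" | awk '
        $1 == "set" && $2 == "skip" && $3 == "on" {
            for (i = 4; i <= NF; i++) {
                gsub(/[{},]/, "", $i)
                if ($i != "") print $i
            }
        }'
}

# Print each vport member of the veb that pf does not skip.
# Exit status 0 when every vport is skipped, 1 when any is still filtered.
unskipped_vports() {
    _veb="$1"; _pf="$2"; _found=0
    for vp in $(veb_vports "$_veb"); do
        if ! pf_skipped "$_pf" | grep -qx "$vp"; then
            echo "$vp"; _found=1
        fi
    done
    return $_found
}

if unskipped_vports "$VEB_CONF" "$PF_CONF"; then
    echo "every vport member of the veb is covered by set skip"
else
    echo "pf still runs on the vport members listed above"
fi
```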