-
aru
I'm struggling a bit with ipna. The idea was I would have a zone running tailscale, that would redirect and map incoming packets over the internal network to other zones. I can see the packets coming in, I can see the NAT sessions being created for them, but I never see them leave through the internal interface. What am I missing?
-
aru
s/ipna/ipnat
-
ptribble
The first things I would check are (a) that IP forwarding is enabled, and (b) that anti-spoofing protection (i.e. allowed-address) is disabled
-
aru
allowed-address is set, so that could be it
-
aru
if I stop the zone, unset it with zonecfg and boot the zone, will it take effect?
-
ptribble
On the internal interface, that is.
-
aru
understood, will try
-
aru
well, IPv4 forwarding seems to be enabled according to routeadm, allowed-address is unset for the internal interface of the NAT zone
-
aru
but no luck
-
aru
is it enough if forwarding is enabled in the zone?
-
sommerfeld
how is the forwarding zone plumbed up to other zones?
-
aru
there's an internal0 etherstub in the global zone, the zones have interfaces plugged into it
-
aru
dunno, I might nuke it all and start over
-
aru
just to be extra sure, is "rdr ext0 from any to any port = 8000 -> 192.168.111.251 port 8000" the thing I'm looking for?
-
aru
when it comes to configuring ipnat
-
sommerfeld
i have 3 lines: map wan0 192.168.40.0/24 -> W.X.Y.Z portmap tcp 40000:60000
-
sommerfeld
map wan0 192.168.40.0/24 -> W.X.Y.Z portmap udp 40000:60000
-
sommerfeld
map wan0 192.168.40.0/24 -> W.X.Y.Z
-
sommerfeld
I also have "rdr wan0 W.X.Y.Z port A -> 192.168.40.202 port B udp age 7500" to map one specific port (for SIP)
-
sommerfeld
aru: ipnat.conf(5) doesn't document a "from any to any" syntax for rdr. I think you just specify the inbound-dst / outbound-src address and port.
-
sommerfeld
one other thing to look at is the routing table on the NAT zone - does it have default pointing at ext0 ?
-
aru
doesn't it? You can piece it together from the description of the grammar on top
-
aru
how does the first line work?
-
aru
so, the most simple case. In my global zone I'm running python -m http.server -b 0.0.0.0 8000, in my ipnat rules I have "rdr rge0 from any to any port = 8001 -> 192.168.0.150 port 8000 tcp". 192.168.0.150 is the machine's IP, with this I can hit it on either port 8000 (regular) or 8001 (redirected)
-
aru
If I switch the right hand side address to 127.0.0.1, it breaks
-
aru
almost sounds like I have forwarding disabled
-
aru
ok, not sure what I was doing wrong before
-
aru
everything, it seems
-
sommerfeld
aru: oops, misread the grammar (missed the "fromto" rule somehow); anyhow my known working config didn't use the fromto syntax
-
aru
now the thing I'm running into is, if I have an already existing zone, how to add an interface with allowed-address to it? I can add it with zonecfg, but then the interface appears inside the zone without an ip address and I can't set it from within the zone
-
nomad
Does anyone here have 2 (or more) OmniOS hosts with 10G links between them, with IPv6 configured, that can test something for me?
-
nomad
pastebin.com/089VtwXj shows some ... interesting ... differences between IPv4 and IPv6 speeds.
-
nomad
I'd really like to understand what's going on here.
-
nomad
(I should add, those numbers are for hosts that are directly cabled together, no switch involved.)
-
nomad
and the numbers are fairly consistent across multiple tests.