From: Kurt Hackenberg
To: questions@freebsd.org
Date: Thu, 7 Mar 2024 16:53:57 -0500
Subject: Re: Setting up a Wireguard router (with FreeBSD)
In-Reply-To: <5355beb513e7b1f3e975130886b14ade@airmail.cc>
References: <00f7b360407633f787f061b4d15740b9@airmail.cc> <17ae35e240ce2ec5cb414251e4fca43c@airmail.cc> <5355beb513e7b1f3e975130886b14ade@airmail.cc>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On Thu, Mar 07, 2024 at 05:36:28PM +0000, Christopher Waldbach wrote:

> This practice is so common in Germany and in other European countries,
> that I assumed my (rather brief) reference would be enough to let
> people know what I was going on about. I thought it was well known.
>
> In Germany just about all ISPs use this method - some better than
> others. The only ISP who still gives out public IPv4 addresses (that I
> know of) to consumers is Deutsche Telekom...

I see. It's news to me. I'm in the US, where home connections still get a single public IPv4 address (assigned through DHCP, so it could change).

> You are making it sound much more complicated than it is. :-)
>
> The CGN and everything my ISP does is completely transparent to me. It
> works fine.

Good, but that doesn't mean it's not complicated, or that it works when you add more complication.

Also, I seem to remember that carrier-grade NAT sometimes includes more than one level of NAT.

I don't have any new ideas about the problem. Debug, I guess, grind it out -- details of NATs and tunnels, and look around in the Pi, routing table and such. Maybe compare its routing table with and without the VPN. Look for log messages, do experiments.

A bug in FreeBSD's routing is not my first suspect. Maybe something in Wireguard specifically...it's relatively new, and Lexi told us about that panic on arm64 under load...I guess you could try some other VPN code...
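The "compare its routing table with and without the VPN" step above, written out as a small POSIX sh script. This is an added example, not code from the thread or from either poster: it takes two snapshots of a FreeBSD box's IPv4 routing table (one before, one after the tunnel comes up), prints the routes the VPN added or replaced, and reports which interface carries the default route, which is the usual first question when traffic stops flowing on a VPN router. snapshot_routes() assumes FreeBSD's `netstat -rn -4` column order (Destination, Gateway, Flags, Netif); the interface names wg0 and genet0 and every address in the embedded sample snapshots are constructed for illustration, so the script runs offline without touching a real routing table.

```shell
#!/bin/sh
# Added example, not part of the original thread: compare a FreeBSD box's
# IPv4 routing table with and without the WireGuard tunnel up, so that the
# routes the VPN adds or replaces stand out. Runs offline on the constructed
# snapshots below; snapshot_routes() is what you would run on the Pi itself.
# Assumptions: FreeBSD `netstat -rn -4` column order (Destination Gateway
# Flags Netif); interface names wg0/genet0 and all addresses are made up.

export LC_ALL=C   # stable sort/comm ordering regardless of the user's locale

# Capture the live IPv4 routing table as sorted "destination gateway flags netif"
# lines, dropping netstat's banner and column-header lines.
snapshot_routes() {
    netstat -rn -4 | awk '
        $1 == "Routing" || $1 == "Internet:" || $1 == "Destination" { next }
        NF >= 4 { print $1, $2, $3, $4 }' | sort
}

# Print routes only in the second snapshot (prefixed "+ ", added by the VPN)
# and routes only in the first (prefixed "- ", removed or replaced by it).
# Arguments are files holding snapshots in the format produced above.
diff_routes() {
    _before=$(mktemp); _after=$(mktemp)
    sort "$1" > "$_before"
    sort "$2" > "$_after"
    comm -13 "$_before" "$_after" | sed 's/^/+ /'
    comm -23 "$_before" "$_after" | sed 's/^/- /'
    rm -f "$_before" "$_after"
}

# Number of routes that differ between two snapshots (0 means the tunnel
# changed nothing in the table, which on a VPN router is itself a finding).
count_changed_routes() {
    diff_routes "$1" "$2" | wc -l | tr -d ' '
}

# Which interface carries the default route in a snapshot.
default_route_iface() {
    awk '$1 == "default" { print $4; exit }' "$1"
}

# Constructed sample snapshots (not real netstat output): the Pi's table
# before and after wg0 comes up. The tunnel adds its own /24 and takes over
# the default route from the LAN interface.
ROUTES_BEFORE=$(mktemp)
ROUTES_AFTER=$(mktemp)
trap 'rm -f "$ROUTES_BEFORE" "$ROUTES_AFTER"' EXIT
cat > "$ROUTES_BEFORE" <<'EOF'
default 192.168.1.1 UGS genet0
127.0.0.1 link#1 UH lo0
192.168.1.0/24 link#2 U genet0
192.168.1.5 link#2 UHS lo0
EOF
cat > "$ROUTES_AFTER" <<'EOF'
default 10.0.0.1 UGS wg0
10.0.0.0/24 link#3 U wg0
10.0.0.2 link#3 UHS lo0
127.0.0.1 link#1 UH lo0
192.168.1.0/24 link#2 U genet0
192.168.1.5 link#2 UHS lo0
EOF

# On the real machine: snapshot_routes > before.txt; bring the tunnel up;
# snapshot_routes > after.txt; then diff_routes before.txt after.txt.
echo "routes changed: $(count_changed_routes "$ROUTES_BEFORE" "$ROUTES_AFTER")"
echo "default route via: $(default_route_iface "$ROUTES_BEFORE") -> $(default_route_iface "$ROUTES_AFTER")"
diff_routes "$ROUTES_BEFORE" "$ROUTES_AFTER"
```

On the sample data the script reports four changed routes and a default route that moved from genet0 to wg0. Taking the "after" snapshot a minute or two after the tunnle comes up, and again after it has been under load, also catches routes that appear or disappear over time rather than at startup.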