#2, 17th September 2011
jggimi (More noise than signal)
Join Date: May 2008 | Location: USA | Posts: 7,975
It looks like your netmasks. It does not appear to be routing, and it is probably not PF.
Code:
arp who-has 192.168.2.24 tell 192.168.1.100
It looks like OpenBSD thinks these are on the same subnet. They are not; you have two NICs for local LANs, and these should be on separate subnets, with packets routing through your OpenBSD router. Check to make sure you have correct netmasks defined for em1 and ... re0, which I think you meant instead of "em2".

If the netmasks are correct, did you define a bridge(4) device?

---

Routing works the same on OpenBSD as on any other system with a TCP/IP protocol stack; it's just that mis-configurations (usually in PF) often look like routing problems, because systems can't reach each other.

Just to aid your understanding -- routing tables are only used when departing one's own subnet. Most commonly there is only one router on a subnet, so only a default route is added, which points to the "gateway" that then routes packets onward. On OpenBSD, the mygate(5) file is used by netstart(8) to set a single default route if DHCP is not used.

You need more than a default route only when there are at least two routers on a subnet. In those cases, a default route won't be sufficient. Here's a common example -- a tiered set of firewalls. The DMZ subnet here has two routers:

{internet} - [Firewall A] - DMZ Web servers 10.1.1/24 - [Firewall B] - DBs and Users 192.168.1/24

Systems on the DMZ have a default route of Firewall A, but they also need a route for the 192.168.1 subnet, pointing to Firewall B. With just a default route, they would point packets destined for the inner platforms through Firewall A, and that's the wrong direction.

For those behind Firewall B, they only need a single default route -- because all outgoing packets go through B.

---

A pf.conf(5) file is much easier to read than a pfctl(8) rule list. I would have preferred that, but here's what I see in your block and pass rules from pfctl:
  • All these rules are "quick". The first matching rule will apply to all packets.
Code:
block drop in log quick on ! em1 inet from 192.168.1.0/24 to any
This appears to be an antispoof for 192.168.1/24 on em1.
Code:
block drop in log quick inet from 192.168.1.1 to any
Any unsolicited packets from 192.168.1.1 will be blocked.
Code:
block drop in log quick on ! em0 from (em0:network) to any
This appears to be an antispoof for em0.
Code:
block drop in log quick from (em0) to any
Any unsolicited packets from em0, a dynamically addressed network, will be blocked.
Code:
block drop in log quick on re0 inet6 from fe80::e291:f5ff:fe20:3eb0 to any
Any unsolicited packets from that IPv6 address will be blocked.
Code:
pass out quick all flags S/SA keep state
pass in quick all flags S/SA keep state
Anything not blocked above will be passed; establish a state table entry if the protocol allows, with default timeouts for stateless protocols, eliminating further rule analysis while the state table entry exists.
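As an added illustration of the on-link versus routed decision the post describes (example code, not from the post or from OpenBSD), here is a small Python model of what a host does with a destination address: connected subnets are checked first (ARP), then the routing table by longest prefix. The configuration data is constructed for the example and assumes a mistaken /16 mask on em1, a default gateway of 192.168.1.1, and DMZ addresses 10.1.1.1 for Firewall A and 10.1.1.2 for Firewall B.

```python
import ipaddress

# Constructed sample data (assumed, not from the post).
# A host whose em1 mask is too wide: 255.255.0.0 instead of 255.255.255.0.
WRONG_IFACES = {"em1": ipaddress.ip_interface("192.168.1.100/16")}
# The same host with the mask corrected.
RIGHT_IFACES = {"em1": ipaddress.ip_interface("192.168.1.100/24")}
# A single default route to the OpenBSD router (mygate(5) style).
LAN_ROUTES = [("0.0.0.0/0", "192.168.1.1")]

# The tiered-firewall DMZ: default via Firewall A, inner LAN via Firewall B.
DMZ_IFACES = {"em0": ipaddress.ip_interface("10.1.1.50/24")}
DMZ_ROUTES = [
    ("0.0.0.0/0", "10.1.1.1"),        # Firewall A, towards the Internet
    ("192.168.1.0/24", "10.1.1.2"),   # Firewall B, towards DBs and users
]


def next_hop(dst, ifaces, routes):
    """Return how a host delivers a packet to dst.

    ("onlink", ifname)   dst lies inside a directly attached subnet, so the
                         host ARPs for it on that interface (the symptom in
                         the quoted 'arp who-has' line).
    ("route", gateway)   dst is off-subnet; the longest-prefix route wins.
    ("unreachable", None) no connected subnet and no matching route.
    """
    dst = ipaddress.ip_address(dst)
    for name, iface in ifaces.items():
        if dst in iface.network:
            return ("onlink", name)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return ("route", best[1]) if best else ("unreachable", None)


if __name__ == "__main__":
    # With the /16 mask the host ARPs for 192.168.2.24 instead of routing it.
    print("wrong mask:", next_hop("192.168.2.24", WRONG_IFACES, LAN_ROUTES))
    print("right mask:", next_hop("192.168.2.24", RIGHT_IFACES, LAN_ROUTES))
    # DMZ hosts need the extra route or inner traffic would go via Firewall A.
    print("DMZ -> inner:", next_hop("192.168.1.10", DMZ_IFACES, DMZ_ROUTES))
    print("DMZ -> internet:", next_hop("203.0.113.5", DMZ_IFACES, DMZ_ROUTES))
```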