14th June 2013
KintaroBC
New User
Join Date: Jul 2011
Posts: 7
Routing between two subnets, routes not working.

I am trying to get a wireless router running; it was already configured as a NAT with two interfaces, one for the Internet and one for the LAN. I added an Atheros-based wireless adapter and tried setting it up. I tried using a bridge of a virtual Ethernet device with the IP (vether0) and the devices for the local network (fxp0, athn0). This didn't work, and the vether device was stuck on a 10M type of media. I don't think that works when the media is different on the two other adapters. DHCP wasn't working on vether0 like it should, so something was wrong, probably the media thing.

So I decided on another strategy of having two subnets, so I set things up as follows...
Code:
menger:root # cat /etc/hostname.fxp0
inet 192.168.0.1 255.255.255.0 192.168.0.255
up
menger:root # cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255
up media autoselect mode 11g mediaopt hostap nwid KintaroABODE chan 11 wpa wpakey Nintendo64 wpaprotos wpa2
I set up dhcpd.conf to provide addresses for these subnets, with the right default route and a static route between them.

Code:
menger:root # cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#guide to this pf.conf...
# queues: 34, matches: 80, everything else: 88

#interfaces
int_if="fxp0"
wifi_if="athn0"
ext_if="pppoe0"

#networks
lan_net="192.168.0.0/24"
wifi_net="192.168.1.0/24"

#hosts
menger="{ 192.168.0.1, 192.168.1.1 }"
weiner="192.168.0.2"
wifiweiner="192.168.1.2"
fekete="192.168.0.3"
mises="10.0.0.10"

#host port forwarding
weiner_ports = "{ 8333 }"
wweiner_ports = "{ 54874 }"
fekete_ports = "{ 17001, 39191, 5938, 2022 }"
mises_ports = "{ 3022 }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"    

#queue ports
ssh_ports = "{ 22, 2022, 3022 }"
im_ports = "{ 1863, 5190, 5222, 8444 }"
game_ports = "{ 27000:27050, 4380 }"

altq on $ext_if cbq bandwidth 1080Kb queue { std, ssh_im, dns, game }
queue std on $ext_if bandwidth 500Kb cbq(default borrow)
queue ssh_im on $ext_if bandwidth 200Kb priority 3 cbq(red)
queue dns on $ext_if bandwidth 25Kb priority 4
queue game on $ext_if bandwidth 255Kb priority 5 cbq(red)

altq on $int_if cbq bandwidth 100Mb queue { lan, int }
queue lan on $int_if            bandwidth 92Mb cbq(default)
queue int on $int_if            bandwidth 7000Kb { std, ssh_im, dns, game }
 queue std on $int_if           bandwidth 6000Kb cbq(borrow)
 queue ssh_im on $int_if        bandwidth 200Kb priority 4
 queue dns on $int_if           bandwidth 200Kb priority 5
 queue game on $int_if          bandwidth 600Kb priority 6 cbq(red)

altq on $wifi_if cbq bandwidth 54Mb queue { lan, int }
queue lan on $wifi_if           bandwidth 46Mb cbq(default)
queue int on $wifi_if           bandwidth 500Kb { std, ssh_im, dns}
 queue std on $wifi_if          bandwidth 400Kb cbq(borrow)
 queue ssh_im on $wifi_if       bandwidth 50Kb priority 4
 queue dns on $wifi_if          bandwidth 50Kb priority 5

set skip on lo

# this is the squid proxy line
#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128
#pass in quick on $int_if inet proto tcp from !$mises to any port 80 rdr-to $mises port 3128
#pass out quick on $int_if inet proto tcp to $mises port 3128 \
# the continuation line of a commented-out rule must be commented out too,
# otherwise pfctl tries to parse it as a rule of its own
#        received-on $int_if nat-to $int_if

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in quick on $wifi_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)
#match out on egress inet from $int_if to any nat-to (egress:0)
#match out on egress inet from $wifi_if to any nat-to (egress:0)

pass            # to establish keep-state

block in quick from urpf-failed to any  # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match inet proto { tcp udp } queue(std)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im)
match inet proto udp to port $game_ports queue game
match inet from $menger queue lan
match inet to $menger queue lan

antispoof quick for { lo $int_if $wifi_if }

pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
pass in on egress inet proto { tcp udp } to (egress) port $weiner_ports rdr-to $weiner
pass in on egress inet proto { tcp udp } to (egress) port $wweiner_ports rdr-to $wifiweiner  # host macro is $wifiweiner, not $wweiner
pass in on egress inet proto { tcp udp } to (egress) port $fekete_ports rdr-to $fekete
pass in on egress inet proto { tcp udp } to (egress) port $mises_ports rdr-to $mises

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if
pass in on $wifi_if
I am aware some of the macros in my pf.conf are unused, but they might become handy.

Last edited by KintaroBC; 14th June 2013 at 10:38 AM.
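Added example, not part of the post above: a small Python model of how the router in this post decides what to do with a packet arriving on fxp0 or athn0, combining longest-prefix routing, the net.inet.ip.forwarding sysctl mentioned in the pf.conf header, and the reverse-path check that `block in quick from urpf-failed` and `antispoof` act on. The route table is an assumption reconstructed from the two hostname files, with the default route via pppoe0 taken from `ext_if`; the addresses used in the tests are constructed.

```python
import ipaddress

# Constructed route table for the two-subnet layout in the post.
# Assumption: the default route leaves via pppoe0 (the post's $ext_if).
ROUTES = {
    "192.168.0.0/24": "fxp0",    # wired LAN, from /etc/hostname.fxp0
    "192.168.1.0/24": "athn0",   # wireless LAN, from /etc/hostname.athn0
    "0.0.0.0/0": "pppoe0",       # default route via the PPPoE uplink
}


def best_route(dst):
    """Longest-prefix match: return (network, interface) for an address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_failed(in_iface, src):
    """True when the route back to src does not point at the ingress interface.

    This is the condition behind 'block in quick from urpf-failed'; the
    'antispoof' rules in the post reject the same kind of packet.
    """
    _, iface = best_route(src)
    return iface != in_iface


def forward(in_iface, src, dst, ip_forwarding=True):
    """Decide what the router does with a packet arriving on in_iface."""
    if urpf_failed(in_iface, src):
        return "blocked: urpf-failed"
    _, out_iface = best_route(dst)
    if out_iface == in_iface:
        return "local: same subnet, no routing needed"
    if not ip_forwarding:
        # Without net.inet.ip.forwarding=1 nothing crosses interfaces,
        # no matter what pf.conf says (see the comment in the pf.conf header).
        return "dropped: net.inet.ip.forwarding=0"
    return "forwarded: %s -> %s" % (in_iface, out_iface)
```

Run with `python3 -c 'import pfroute; print(pfroute.forward("athn0", "192.168.1.2", "192.168.0.2"))'` after saving the block as pfroute.py to see the wifi-to-LAN case.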