DaemonForums  

#1   31st December 2009
mayuka (Fdisk Soldier)
problems with wifi access point

Hello.

I'm trying to build an OpenBSD wifi access point for my home office but after some trying I still have some problems. Maybe you can help me here?

I have the following wifi usb adapter:
Quote:
Dec 31 11:06:12 router /bsd: rum0 at uhub0
Dec 31 11:06:12 router /bsd: port 2 "Ralink 802.11 bg WLAN" rev 2.00/0.01 addr 3
Dec 31 11:06:13 router /bsd: rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528, address 90:e6:ba:f0:0a:0f
First, I'm configuring the wifi network device with wpa2:
Quote:
# ifconfig rum0 192.168.2.254 255.255.255.0 media autoselect mode 11g mediaopt hostap nwid test wpa wpaprotos wpa2 wpaakms psk wpapsk `wpa-psk test password` up
ifconfig rum0 shows the following:
Quote:
# ifconfig rum0
rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 90:e6:ee:c0:ca:0f
priority: 4
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: active
ieee80211: nwid test chan 2 bssid 90:e6:ba:f0:0a:0f wpapsk 0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxx wpaprotos wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
inet 192.168.2.254 netmask 0xffffff00 broadcast 255.255.255.0
inet6 fe80::92e6:baff:fef0:a0f%rum0 prefixlen 64 scopeid 0x7
After that, the following kernel message appears; should I worry about that?
Quote:
Dec 31 11:36:55 router /bsd: ehci_idone: ex=0xe0328a00 is done!
Then, I'm starting dhcpd, which listens on rum0 with the following config:
Quote:
option subnet-mask 255.255.255.0;
default-lease-time 7200;
max-lease-time 14400;
authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
option broadcast-address 192.168.2.255;
option routers 192.168.2.254;
option domain-name-servers xxx.xxx.xxx.xxx;
range 192.168.2.101 192.168.2.105;
}
So far so good. I configured the pf firewall to pass all traffic from or to rum0 for the time being and change that later. I added NAT on rum0.

Do I need hostapd?
My firewall shows some igmp traffic. Is that necessary?

When I'm connecting a client (my iphone or an old apple laptop) to the wifi network it correctly connects and I can browse the web, but every 10 seconds the interface re-initializes (shuts down and connects immediately). Every 10 sec dhcp requests from the client and ACKs from my router will appear. There seems to be something wrong here...
Quote:
Dec 31 11:18:50 router dhcpd[19526]: DHCPREQUEST for 192.168.2.102 from 00:33:36:3f:dc:b2 via rum0
Dec 31 11:18:50 router dhcpd[19526]: DHCPACK on 192.168.2.102 to 00:33:36:3f:dc:b2 via rum0
Dec 31 11:19:01 router dhcpd[19526]: DHCPREQUEST for 192.168.2.102 from 00:33:36:3f:dc:b2 via rum0
Dec 31 11:19:01 router dhcpd[19526]: DHCPACK on 192.168.2.102 to 00:33:36:3f:dc:b2 via rum0
Dec 31 11:19:14 router dhcpd[19526]: DHCPREQUEST for 192.168.2.102 from 00:33:36:3f:dc:b2 via rum0
Dec 31 11:19:14 router dhcpd[19526]: DHCPACK on 192.168.2.102 to 00:33:36:3f:dc:b2 via rum0
Any help would be gladly appreciated.

And a happy new year to all of you!
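The dhcpd log above shows the symptom in its rawest form: a DHCPREQUEST/DHCPACK pair from the same MAC every ten-odd seconds. The following shell script is an added example, not code from any post in this thread. It reads dhcpd syslog lines in exactly the format quoted above and reports each client MAC whose consecutive DHCPREQUESTs arrive closer together than a threshold, which is a quick way to tell a flapping client apart from normal lease renewal. The sample lines are constructed: the first MAC repeats the timings from the post, the second is a well-behaved client added for contrast. The script assumes all lines fall on the same day.

```shell
#!/bin/sh
# Added example (not from the thread): flag DHCP clients that re-request
# their lease unusually often, as seen in the dhcpd syslog lines above.
# Assumption: all lines come from the same day. Times are compared as
# seconds since midnight, so a midnight rollover shows up as a negative
# gap and is simply not counted.

# Constructed sample in dhcpd's syslog format. The first MAC repeats the
# timings from the post; the second MAC renews at a normal interval.
SAMPLE_DHCPD='Dec 31 11:00:00 router dhcpd[19526]: DHCPREQUEST for 192.168.2.103 from 00:11:22:33:44:55 via rum0
Dec 31 11:00:00 router dhcpd[19526]: DHCPACK on 192.168.2.103 to 00:11:22:33:44:55 via rum0
Dec 31 11:18:50 router dhcpd[19526]: DHCPREQUEST for 192.168.2.102 from 00:33:36:3f:dc:b2 via rum0
Dec 31 11:18:50 router dhcpd[19526]: DHCPACK on 192.168.2.102 to 00:33:36:3f:dc:b2 via rum0
Dec 31 11:19:01 router dhcpd[19526]: DHCPREQUEST for 192.168.2.102 from 00:33:36:3f:dc:b2 via rum0
Dec 31 11:19:01 router dhcpd[19526]: DHCPACK on 192.168.2.102 to 00:33:36:3f:dc:b2 via rum0
Dec 31 11:19:14 router dhcpd[19526]: DHCPREQUEST for 192.168.2.102 from 00:33:36:3f:dc:b2 via rum0
Dec 31 11:19:14 router dhcpd[19526]: DHCPACK on 192.168.2.102 to 00:33:36:3f:dc:b2 via rum0
Dec 31 12:00:00 router dhcpd[19526]: DHCPREQUEST for 192.168.2.103 from 00:11:22:33:44:55 via rum0
Dec 31 12:00:00 router dhcpd[19526]: DHCPACK on 192.168.2.103 to 00:11:22:33:44:55 via rum0'

# dhcp_rapid_renewals [THRESHOLD_SECONDS]
# Reads dhcpd log lines on stdin and prints, for every client MAC that sent
# two DHCPREQUESTs within THRESHOLD_SECONDS of each other (default 60):
#   <mac> <number of rapid gaps> <shortest gap in seconds>
# Field layout of a request line: $3 is the time, $6 the message type,
# $10 the client MAC. A "Jan  1" double space is harmless to awk.
dhcp_rapid_renewals() {
    awk -v thr="${1:-60}" '
    $6 == "DHCPREQUEST" {
        mac = $10
        split($3, t, ":")
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        if (mac in last) {
            gap = secs - last[mac]
            if (gap >= 0 && gap <= thr) {
                rapid[mac]++
                if (!(mac in mingap) || gap < mingap[mac]) mingap[mac] = gap
            }
        }
        last[mac] = secs
    }
    END { for (m in rapid) print m, rapid[m], mingap[m] }' | sort
}

# Stand-alone run: report clients renewing faster than once a minute.
printf '%s\n' "$SAMPLE_DHCPD" | dhcp_rapid_renewals 60
```

On a live router the same function can be fed with `grep dhcpd /var/log/daemon | dhcp_rapid_renewals 60`; a client that appears in the output while its lease time is hours long is reassociating, not renewing.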
#2   1st January 2010
There0 (./dev/null)

I will be trying out something similar to this quite soon (bath and food first) and will post back on my results.
__________________
The more you learn, the more you realize how little you know ....
#3   1st January 2010
There0 (./dev/null)

Have you tried specifying a channel? chan 2 might cause problems, or perhaps some type of USB power/compatibility setting?

Just testing out configs, almost ready to post back on it.
__________________
The more you learn, the more you realize how little you know ....
#4   1st January 2010
There0 (./dev/null)

Hmm, oddly enough I am showing "status: no network" for some reason (on 2 different computers). Although I got everything else configured and am able to ping that IP address, I have "no network" ... as soon as I get past that I will try to post something helpful.

Update: I also tried an Atheros based Dlink PCMCIA card with exactly the same results, "status: no network", sheeeet already.....
__________________
The more you learn, the more you realize how little you know ....

Last edited by There0; 1st January 2010 at 09:42 AM.
#5   1st January 2010
There0 (./dev/null)

If anybody has any information regarding the "status: no network" problem I am experiencing please come forth. I have spent almost 3 hours on this googling my eyes off with no results, thx.
__________________
The more you learn, the more you realize how little you know ....
#6   1st January 2010
mayuka (Fdisk Soldier)

I switched the channels and played with the options a while (using 11b instead of 11g and other modes), but with every setting I've got the same results: host connects, after about 10 seconds it disconnects. Maybe something with the encryption? wpa2 not working properly? I also turned off dhcpd and gave the host manual IP addresses, no change either. This is the only thing that turns up in the logs:

Quote:
Jan 01 11:35:39.645899 rule 19/(ip-option) pass in on rum0: 192.168.2.102 > 224.0.0.2: igmp leave 224.0.0.251
Jan 01 11:35:39.652837 rule 19/(ip-option) pass in on rum0: 192.168.2.102 > 224.0.0.251: igmp nreport 224.0.0.251
Jan 01 11:35:40.856841 rule 19/(ip-option) pass in on rum0: 192.168.2.102 > 224.0.0.251: igmp nreport 224.0.0.251
Jan 01 11:35:56.385936 rule 19/(ip-option) pass in on rum0: 192.168.2.102 > 224.0.0.2: igmp leave 224.0.0.251
Jan 01 11:35:56.386263 rule 19/(ip-option) pass in on rum0: 192.168.2.102 > 224.0.0.251: igmp nreport 224.0.0.251
Jan 01 11:36:02.994187 rule 19/(ip-option) pass in on rum0: 192.168.2.102 > 224.0.0.251: igmp nreport 224.0.0.251
Jan 01 11:36:08.103319 rule 19/(ip-option) pass in on rum0: 192.168.2.102 > 224.0.0.2: igmp leave 224.0.0.251
And no, sorry, I can't explain why you're getting "no network". I'm using a plain OpenBSD 4.6 installed from scratch a few days ago. (Instead of just updating I decided to re-install the whole thing from 4.4.)
#7   1st January 2010
J65nko (Administrator, Budel - the Netherlands)

Insert as first rule a 'block log (all)'. Then run tcpdump on the pflog0 device. Make a connection and see whether you see any blocked traffic.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#8   1st January 2010
There0 (./dev/null)

Quote:
And no, sorry, I can't explain why you're getting "no network". I'm using a plain OpenBSD 4.6 installed from scratch a few days ago. (Instead of just updating I decided to re-install the whole thing from 4.4.)
Am I out of line in asking if you have tried this setup WITHOUT any type of encryption?

For some reason I just spent another hour or so scouring the mailing list for something, no luck yet, might post there and see what happens. Oddly enough these are all daily pieces of hardware that work fine, which leaves me a bit shocked as this is a fresh install as well ...
__________________
The more you learn, the more you realize how little you know ....
#9   1st January 2010
mayuka (Fdisk Soldier)

Ok. This seems to be all the kinds of traffic generated when I'm connecting my Apple notebook without any encryption:

Code:
Jan 01 12:27:14.995251 rule 19/(ip-option) pass in on rum0: 192.168.2.101 > 224.0.0.2: igmp leave 224.0.0.251
Jan 01 12:27:14.995492 rule 19/(ip-option) pass in on rum0: 192.168.2.101 > 224.0.0.251: igmp nreport 224.0.0.251
Jan 01 12:27:15.233747 rule 141/(match) block in on rum0: 192.168.2.101.63186 > 192.168.2.255.137: udp 50
Jan 01 12:27:15.503536 rule 141/(match) block in on rum0: 192.168.2.101.63186 > 192.168.2.255.137: udp 50
Jan 01 12:27:15.773348 rule 141/(match) block in on rum0: 192.168.2.101.63186 > 192.168.2.255.137: udp 50
Jan 01 12:27:16.005773 rule 141/(match) block in on rum0: 192.168.2.101.52465 > 192.168.2.254.192: udp 4
Jan 01 12:27:16.345618 rule 19/(ip-option) pass in on rum0: 192.168.2.101 > 224.0.0.251: igmp nreport 224.0.0.251
Jan 01 12:27:16.506266 rule 141/(match) block in on rum0: 192.168.2.101.63282 > 192.168.2.254.192: udp 4
Jan 01 12:27:18.007505 rule 141/(match) block in on rum0: 192.168.2.101.54894 > 192.168.2.254.192: udp 4
Jan 01 12:27:18.501488 rule 141/(match) block in on rum0: 192.168.2.101.51276 > 192.168.2.255.137: udp 50
Jan 01 12:27:18.501675 rule 141/(match) block in on rum0: 192.168.2.101.65155 > 192.168.2.254.192: udp 4
Jan 01 12:27:18.772553 rule 141/(match) block in on rum0: 192.168.2.101.51276 > 192.168.2.255.137: udp 50
Jan 01 12:27:19.040897 rule 141/(match) block in on rum0: 192.168.2.101.51276 > 192.168.2.255.137: udp 50
Jan 01 12:27:19.999965 rule 141/(match) block in on rum0: 192.168.2.101.57817 > 192.168.2.254.192: udp 4
Jan 01 12:27:20.498712 rule 141/(match) block in on rum0: 192.168.2.101.55357 > 192.168.2.254.192: udp 4
In the syslog-file, dhcpd reports the following:
Code:
Jan  1 12:26:48 router dhcpd[18319]: DHCPDISCOVER from 00:33:36:37:78:8e via rum0
Jan  1 12:26:48 router dhcpd[18319]: icmp_echorequest 192.168.2.101: No route to host
Jan  1 12:26:48 router dhcpd[18319]: DHCPOFFER on 192.168.2.101 to 00:33:36:37:78:8e via rum0
Jan  1 12:26:49 router dhcpd[18319]: DHCPREQUEST for 192.168.2.101 from 00:33:36:37:78:8e via rum0
Jan  1 12:26:49 router dhcpd[18319]: DHCPACK on 192.168.2.101 to 00:33:36:37:78:8e via rum0
Jan  1 12:27:12 router dhcpd[18319]: DHCPREQUEST for 192.168.2.101 from 00:33:36:37:78:8e via rum0
Jan  1 12:27:12 router dhcpd[18319]: DHCPACK on 192.168.2.101 to 00:33:36:37:78:8e via rum0
This is my current routing table (I blacked out the mac addresses and some provider-specific ip addresses):
Code:
# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            xxx.xxx.xxx.xxx    UGS       10   573911     -     8 axe0
192.168.1/24       link#2             UC         2        0     -     4 gem0
192.168.1.1        00:xx:xx:xx:xx:xx  UHLc       1      278     -     4 lo0
192.168.1.96       00:xx:xx:xx:xx:xx  UHLc       5   568082     - L   4 gem0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         4  2399870 33200     4 lo0
xxx.xxx.xx/21      link#5             UC         1        0     -     4 axe0
xxx.xxx.xxx.xxx    127.0.0.1          UGHS       0     1067 33200     8 lo0
xxx.xxx.xxx.xxx    00:xx:xx:xx:xx:xx  UHLc       1        0     -     4 axe0
192.168.2/24       link#7             C          2        0     -     4 rum0
192.168.2.101      00:xx:xx:xx:xx:xx  HLc        1        1     -     4 rum0
192.168.2.102      00:xx:xx:xx:xx:xx  HLc        0        7     -     4 rum0
224/4              127.0.0.1          URS        0      283 33200     8 lo0
Maybe there's a routing issue here? Why should dhcpd report "no route to host" then?

Last edited by J65nko; 1st January 2010 at 12:55 PM. Reason: s/quote/code/g tags
1st January 2010
mayuka (Fdisk Soldier)

O... I forgot to mention. I'm using a Mac mini for all this. So architecture is MacPPC.
1st January 2010
mayuka (Fdisk Soldier)

Ah... Maybe there is a wrong route here...

Quote:
# telnet 192.168.2.101 22
Trying 192.168.2.101...
telnet: connect to address 192.168.2.101: No route to host
and the firewall reports:
Quote:
Jan 01 12:43:13.616167 rule 141/(match) block out on rum0: 192.168.2.254.38531 > 192.168.2.101.22: S 2055694503:2055694503(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF) [tos 0x10]
1st January 2010
J65nko (Administrator, Budel - the Netherlands)

Code:
Jan 01 12:27:18.772553 rule 141/(match) block in on rum0: 192.168.2.101.51276 > 192.168.2.255.137: udp 50
Jan 01 12:27:19.040897 rule 141/(match) block in on rum0: 192.168.2.101.51276 > 192.168.2.255.137: udp 50
Jan 01 12:27:19.999965 rule 141/(match) block in on rum0: 192.168.2.101.57817 > 192.168.2.254.192: udp 4
Jan 01 12:27:20.498712 rule 141/(match) block in on rum0: 192.168.2.101.55357 > 192.168.2.254.192: udp 4
Your firewall is blocking port 137, which is OK.
Code:
$ grep 137 /etc/services
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
However port 192 seems to be used by Apple wireless stuff. See http://isc.sans.org/port.html?port=192.
Code:
Protocol	Service	Name
tcp	osu-nms	OSU Network Monitoring System
udp	osu-nms	OSU Network Monitoring System
And
Quote:
Port 192 UDP used by Apple AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant Reference: http://support.apple.com/kb/TS1629
So blocking this might not be such a good idea.
Add a rule to allow this port 192 traffic, and see whether that helps.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
1st January 2010
There0 (./dev/null)

Quote:
Ok. This seems to be all kind of traffic generated when I'm connecting my apple notebook without any encryption:
is apparently from when he was getting the "blocked to port 192" messages; later on he states:

Quote:
I'm allowing any traffic on rum0 (the wifi interface) and that's what happening.
Quote:
Jan 01 12:47:16.736765 rule 11/(match) pass in on rum0: 192.168.2.101.52823 > 192.168.2.254.192: udp 4
Which seems to be fine, he said he was passing all traffic through, and logging it. I could be tired and not processing (mentally) properly.
__________________
The more you learn, the more you realize how little you know ....
1st January 2010
BSDfan666 (Helpful companion, Ontario, Canada)

OpenBSD does not support 802.11 power saving features when in hostap mode, remember to disable power saving on all your clients.
1st January 2010
There0 (./dev/null)

Quote:
Maybe OpenBSD does not support hostap mode with your adapter properly or your adapter sets some strange hardware modes.
The hostap mode is supported on the Atheros (5212) chipset; it was both my iwi and iwn that do not support it.

Quote:
Oh maybe you have enable auto-power down or auto sleep? I've read somewhere that my adapter doesn't support that correctly.
Correct, those chipsets do not fare well with power savings at all. I was trying to connect from my iPod touch, and another notebook, both same HAL error.

I was researching the ral and rum and those both do support what I am after; unfortunately I do not have one of those chipsets. I have a Linksys wireless N (not supported by OpenBSD) that I am looking to trade off, also a couple other PCMCIA adaptors.

Quote:
It's more an issue what kind of traffic my firewall blocks or does not forward
Have you tried "set skip on rum0" in your pf.conf file? I use the following to NAT on all non-$EXT interfaces. Not sure what your pf.conf looks like, but those packets are being passed in:

Code:
nat on $EXT from !$EXT:network to any -> ($EXT)
I did not get past entering the password for the wifi network; it failed and dumped "ath0: unable to reset hardware; hal status 3633410968" to dmesg every time.
__________________
The more you learn, the more you realize how little you know ....
2nd January 2010
mayuka (Fdisk Soldier)

Thanks for the answers and sorry for the delay. I needed some sleep.

First I tried
Code:
set skip on rum0
but without any change. Both clients (the iPhone, the Apple notebook) disconnect after about a minute.

Then I tried your minimalistic firewall configuration, but without a change. However, I'm using tcpdump -n -e -ttt -i pflog0 for parsing the firewall rules. First I suspected that anti-spoof was still turned on, but I turned that one off and still no change. What I discovered is that now all incoming traffic from my clients to 224.0.0.0/8 is also passed through the firewall to the outside, and also these strange igmp packets are being logged from a rule that shouldn't log at all (pass in quick on rum0 inet from (rum0:network:*) to any flags S/SA keep state).

Could it also be possible that I have set up some strange timeouts via sysctl or in the pf.conf that could cause this behaviour? This is what I had earlier in my pf.conf. No changes in my sysctl.conf.

Code:
set timeout interval 10
set timeout frag 20
set timeout src.track 5
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 tcp.established 86400 }
set timeout { udp.first 10, udp.single 10, udp.multiple 10 }
I also enabled multicast routing in my sysctl but without any change (obviously):

Code:
sysctl net.inet.ip.mforwarding=1
sysctl net.inet.ip.multipath=1
So. Maybe wrong routes are the problem here? My internal ethernet network has a 10.x.x.x subnet, so there should be no conflicts at all.

Code:
# route -n show | grep rum0
192.168.2/24       link#7             UC         1        0     -     4 rum0
192.168.2.99       00:33:36:3f:dc:b2  UHLc       0      501     -     4 rum0
fe80::%rum0/64                     link#7                         UC         0        0     -     4 rum0
fe80::33e6:baff:fef0:a0f%rum0      33:33:33:f0:0a:0f              UHL        0        0     -     4 lo0
ff01::%rum0/32                     link#7                         UC         0        0     -     4 rum0
ff02::%rum0/32                     link#7                         UC         0        0     -     4 rum0
1st January 2010
J65nko (Administrator, Budel - the Netherlands)

Try the following pf.conf
Code:
# pf.conf

EXT="pppoe0"
INT="re1"
WLAN='rum0'

# used by J65nko only
EXT="fxp0"
INT="lo1"
WLAN='lo2'
# ------------------

TCP_PORTS = "www"
UDP_PORTS = 'domain'

set block-policy drop
set skip on lo0

# ---------- NAT/RDR section
nat on $EXT from $INT:network  -> ($EXT)
nat on $EXT from $WLAN:network  -> ($EXT)

# keep VISTA and XP happy
match on pppoe0 scrub (max-mss 1440)

# DEFAULT POLICY
block log (all)

# ---- OUTGOING TRAFFIC

# -- external interface
pass out quick on $EXT tagged OK

# -- internal interface

# --- INCOMING TRAFFIC

# - internal interface
pass in quick on $INT inet proto tcp from $INT:network to any port $TCP_PORTS tag OK
pass in quick on $INT inet proto udp from $INT:network to any port $UDP_PORTS tag OK

# -- internal wireless
pass in quick on $WLAN inet proto tcp from $WLAN:network to any port $TCP_PORTS tag OK
pass in quick on $WLAN inet proto udp from $WLAN:network to any port $UDP_PORTS tag OK
A test parse on my 1-NIC desktop box, where I had to spoof two interfaces, else pf chokes on stuff like $WLAN:network:
Code:
# pfctl -vvnf mayuka.pf  
EXT = "pppoe0"
INT = "re1"
WLAN = "rum0"
EXT = "fxp0"
INT = "lo1"
WLAN = "lo2"
TCP_PORTS = "www"
UDP_PORTS = "domain"
set block-policy drop
set skip on { lo0 }
@0 nat on fxp0 inet from 10.0.0.0/24 to any -> (fxp0) round-robin
@1 nat on fxp0 inet from 10.2.2.0/24 to any -> (fxp0) round-robin
@0 match on pppoe0 all scrub (max-mss 1440)
@1 block drop log (all) all
@2 pass out quick on fxp0 all flags S/SA keep state tagged OK
@3 pass in quick on lo1 inet proto tcp from 10.0.0.0/24 to any port = www flags S/SA keep state tag OK
@4 pass in quick on lo1 inet proto udp from 10.0.0.0/24 to any port = domain keep state tag OK
@5 pass in quick on lo2 inet proto tcp from 10.2.2.0/24 to any port = www flags S/SA keep state tag OK
@6 pass in quick on lo2 inet proto udp from 10.2.2.0/24 to any port = domain keep state tag OK
With a default policy of 'block log (all)', all blocked packets can be seen with tcpdump -eni pflog0. When no blocked packets are shown by this tcpdump, then in 99% of the cases you have a routing problem.

I hope that, just like me, you used a different subnet for the internal NIC and the WLAN. Even if I have to spoof interfaces I do this.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
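The post above turns pf into a diagnostic tool: with a default 'block log (all)' policy, tcpdump on pflog0 shows every dropped packet, and a failing connection that produces no blocked packets points at routing rather than the ruleset. The shell script below is an added example, not J65nko's or mayuka's code. It summarises tcpdump output from pflog0 in the format quoted throughout this thread: one line per action, direction, interface, protocol and destination port with a packet count, plus the number of blocked packets and the list of blocked destination ports. It needs only awk, sort and uniq. The sample lines are constructed to match the format seen earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "tcpdump -eni pflog0" output
# so that a "block log (all)" default policy can be read at a glance.
# Assumption: lines are in the pflog format quoted in this thread, i.e.
#   <Mon> <dd> <time> rule <n>/(<reason>) <pass|block> <in|out> on <if>: <src> > <dst>: <proto or TCP flags> ...

# Constructed sample in that format (addresses and ports as in the thread).
SAMPLE_PFLOG='Jan 01 12:27:14.995251 rule 19/(ip-option) pass in on rum0: 192.168.2.101 > 224.0.0.2: igmp leave 224.0.0.251
Jan 01 12:27:15.233747 rule 141/(match) block in on rum0: 192.168.2.101.63186 > 192.168.2.255.137: udp 50
Jan 01 12:27:15.503536 rule 141/(match) block in on rum0: 192.168.2.101.63186 > 192.168.2.255.137: udp 50
Jan 01 12:27:16.005773 rule 141/(match) block in on rum0: 192.168.2.101.52465 > 192.168.2.254.192: udp 4
Jan 01 12:27:18.007505 rule 141/(match) block in on rum0: 192.168.2.101.54894 > 192.168.2.254.192: udp 4
Jan 01 12:43:13.616167 rule 141/(match) block out on rum0: 192.168.2.254.38531 > 192.168.2.101.22: S 2055694503:2055694503(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF) [tos 0x10]'

# Shared parser: emits "<action> <dir> <iface> <proto> <dstport>" per pflog line.
# A destination written as five dotted numbers is ip.port; four numbers
# (IGMP, ICMP) carry no port and get "-". tcpdump prints TCP flags such as
# "S" or "P." instead of the word "tcp", so a flags field is mapped to tcp.
pflog_fields() {
    awk '
    $4 == "rule" {
        iface = $9; sub(/:$/, "", iface)
        dst = $12; sub(/:$/, "", dst)
        port = "-"
        if (dst ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
            n = split(dst, a, "."); port = a[n]
        }
        proto = $13; sub(/:$/, "", proto)
        if (proto ~ /^[SFRPUEW.]+$/) proto = "tcp"
        print $6, $7, iface, proto, port
    }'
}

# pflog_summary: one line per distinct tuple, prefixed with its packet count,
# most frequent first.
pflog_summary() {
    pflog_fields | sort | uniq -c | awk '{ $1 = $1; print }' | sort -rn
}

# count_blocked: number of packets the default policy dropped. Zero here
# while a connection still fails is the "look at routing" signal.
count_blocked() {
    pflog_fields | awk '$1 == "block" { n++ } END { print n + 0 }'
}

# blocked_ports: distinct destination ports of blocked packets, ascending,
# i.e. the candidates for an explicit pass rule (port 192 in this thread).
blocked_ports() {
    pflog_fields | awk '$1 == "block" && $5 != "-" { print $5 }' | sort -n | uniq
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

On the router itself the functions read straight from the wiretap, for example `tcpdump -eni pflog0 -l | pflog_fields`, or from a saved capture converted to text with the same tcpdump options; the summary makes it obvious whether the drops are the expected NetBIOS noise on port 137 or something the clients actually need.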
2nd January 2010
mayuka (Fdisk Soldier)

PS: The full routing table is in this post:

http://www.daemonforums.org/showpost...12&postcount=9
2nd January 2010
J65nko (Administrator, Budel - the Netherlands)

Let us really debug this thing?
  • Enable sshd on the OBSD router. Tell it to listen on the internal interface only (/etc/ssh/sshd_config)
  • Disable those multipath routing sysctls.
  • Load the minimalistic pf.conf I suggested, without any messing around with timeout values. I was assuming you used pppoe; if not, modify.
    Flush all existing pf rules and settings with 'pfctl'. Add ssh to the allowed TCP services to pass in.
  • From your OBSD box in the wired network open up 4 xterms to ssh in to your OBSD firewall.

    In all xterms, use ssh to log in in to your router and 'su - root' because
    you will be wiretapping all interfaces on your OpenBSD router.

    1. # tcpdump -eni $EXT
    2. # tcpdump -eni $INT 'not port ssh'
    3. # tcpdump -eni $WLAN
    4. # tcpdump -eni pflog0

    From this same box in yet another xterm do dig www.google.com
    You should see the DNS request arrive on your $INT and leave on $EXT, and
    the answer entering on $EXT and leaving on $INT to arrive on your box.

    Now make a connection on the wireless client and repeat the dig www.google.com.

    If it is a Windows wireless client which doesn't have 'dig', use 'nslookup'.
    Alternatively, you also could use 'ping', but then you first have to allow ICMP traffic in the pf.conf.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
2nd January 2010
J65nko (Administrator, Budel - the Netherlands)

BTW, your wireless clients need the IP address of your $WLAN NIC set as default gateway.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick