#1 - 16th January 2011
unixjingleman (Fdisk Soldier)
I.P addressing confusion

I'm wanting to set up a network. I'm still confused as to how to set it up. I think the easiest design is to have a switch on my border router. On this switch will be the servers. Also attached to this switch will be an OpenBSD box. This will be a dedicated firewall. On it will be another switch. And the machines on the internal network will be attached to this switch. In the book "Building Internet Firewalls" (O'Reilly) this set-up is described as a screened subnet architecture. However the external interface on the OpenBSD dedicated firewall will have to get its I.P via dhcp (192.168.1.*) from the border router. That or it can be a static I.P on the same subnet as the border router's dhcp range 192.168.1.* (but outside the dhcp range), but that would be trickier. The internal interface of this dedicated firewall would be static and on a different subnet from the external interface (192.168.2.*). Then this internal interface could give out I.Ps to the internal network that are on 192.168.2.*, if it did N.A.T for packets from the internal network. But then N.A.T would be being done twice; once by the OpenBSD dedicated firewall and once on the border router, before going off to the net.
Or is it a better approach to NOT do N.A.T on the OpenBSD firewall and have all I.Ps on the whole network assigned as static (outside of the border router's dhcp range, but all on the same subnet (192.168.1.*))?
Basically, is there any point in the OpenBSD box doing dhcp and N.A.T for hosts on the internal network? I guess the answer is no. But I just wanted to hear your opinions, if you have the time.
The border router is a home router. I wanted to have a normal triple-homed dedicated firewall and put it in the border router's DMZ but it proved unpredictable and tricky. So I just wondered what the best I.P addressing scheme would be for my newer way.
Thank you for your time. And fare ye well
#2 - 16th January 2011
J65nko (Administrator, Budel - the Netherlands)

I have the following setup
Code:
      I N T E R N E T
             |
             |
             |
-------------|---------------
       85.xxx.xxx.xxx
     external interface

    Speedtouch Router

     internal interface
         10.0.0.138
-------------|---------------
             |
             |
-------------|---------------
         10.0.0.200
     external interface

     OpenBSD   Firewall

     internal interface
       192.168.0.1/24
-------------|---------------
             |
             |
          ---|---
          switch
          ---|---
             |
             |
-------------|---------------
       192.168.0.10/24
           Desktop 
-----------------------------
And I don't do double NAT. The Speedtouch does NAT.
Because the Speedtouch router only knows the 10.0.0.0 network it has to be told that incoming packets (the replies) for the 192.168.0.0 network have to be sent to the 10.0.0.200 interface.

In other words, this 10.0.0.200 interface is the gateway for the 192.168.0.0 network. On the Speedtouch I added the following static route:
Code:
Destination      Source          Gateway      Intf
192.168.0.0/24   10.0.0.138/32   10.0.0.200   eth0
So if your router allows you to configure static routes, then you could do a similar setup.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
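The OpenBSD side of the setup J65nko draws above, as an added example that is not J65nko's own configuration: a pf.conf that routes and filters 192.168.0.0/24 with no nat-to rule at all, leaving NAT to the Speedtouch, which in turn needs the static route shown in the post. The interface names em0/em1 and the ssh rule are assumptions.

```pf
# Added example, not J65nko's file. OpenBSD firewall from the diagram above:
#   em0 = external, 10.0.0.200 (towards the Speedtouch at 10.0.0.138)
#   em1 = internal, 192.168.0.1/24 (towards the switch and the desktop)
# Requires net.inet.ip.forwarding=1 in /etc/sysctl.conf.
ext_if  = "em0"          # assumed interface name
int_if  = "em1"          # assumed interface name
int_net = "192.168.0.0/24"

set skip on lo

# Drop packets that arrive on the wrong interface for their source network.
antispoof quick for { $ext_if $int_if }

# Default deny, logged.
block log all

# Internal hosts may reach anything. The state created here also lets the
# packet leave on $ext_if and lets the reply come back in.
pass in on $int_if from $int_net to any

# Traffic the firewall itself originates (DNS, package updates, NTP ...).
pass out on $ext_if from ($ext_if) to any

# Management: ssh to the firewall from the inside only (assumed policy).
pass in on $int_if proto tcp from $int_net to ($int_if) port 22

# Deliberately no nat-to: packets leave with their 192.168.0.x source address
# and the Speedtouch's static route (192.168.0.0/24 -> 10.0.0.200) brings the
# replies back. NAT towards the Internet therefore happens exactly once.
```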
#3 - 16th January 2011
unixjingleman (Fdisk Soldier)

The border router is just a home router. It's not very configurable. Erm, why wouldn't just assigning a static internal I.P address for hosts on the internal network work, and having all interfaces on the same subnet (192.168.1.*), with only the OpenBSD dedicated firewall's external interface getting its I.P via dhcp from the border router? I think with the border router that I've got at the moment I have to either do this or hope that it does N.A.T and routing for hosts on another private subnet, i.e. 192.168.2.*. And either do N.A.T twice or just try using the different subnets anyhow. It's just a home router though.
Thank you very much for your reply.
#4 - 16th January 2011
ocicat (Administrator)

Quote (originally posted by unixjingleman):
    I'm still confused as to how to set it up. I think the easiest design is to have a switch on my border router. On this switch will be the servers. Also attached to this switch will be an OpenBSD box. This will be a dedicated firewall. On it will be another switch. And the machines on the internal network will be attached to this switch.
It is not altogether clear from the information presented that the services purchased from your ISP will support such a structure.
  • Customarily, ISPs hand out a single IP address which is assigned via DHCP. This address is not typically a public address which is accessible from the outside world (work, school, public library, etc.), although the IP address assigned may not be what is typically classified as a non-routable RFC1918 private address. Most of the public doesn't need anything more than a single address (nor understands it...), & they don't need a real public address, so this is most likely the cheapest & most prevalent plan many ISPs provide to customers. It also doesn't require that ISPs allocate a public address solely for your use either. From the ISP's perspective, having to assign a real publicly accessible address to a single user involves a resource with higher value, so they charge more.

    You mention having servers in front of the firewall. If all your ISP is providing is a single address, implementing a DMZ where multiple machines are exposed to the Internet, each with its own static IP address, goes into the domain of what ISPs classify as business accounts. Each server which is to be independently accessible from elsewhere on the Internet will need its own static IP address given the topology described. One option is to pay a monthly fee for each IP address, but this can quickly become costly. Publicly accessible IP addresses not yet allocated are dwindling in number. Expect to pay more for having them assigned to you.
  • The second flaw in what is described is that the firewall resides on the same switch as some number of servers & the connection to the ISP. These servers are getting no benefit from the firewall. For a firewall to have any effect, all traffic has to go through the firewall first. One possible way this can be done is to connect one interface of the firewall directly to the ISP connection, & another firewall interface to some internal switch. Assuming NAT has been configured, any number of clients & servers can sit on the internal side.
  • Otherwise, your message segues into questioning whether one should configure DHCP or simply assign internal addresses to the various hosts manually. This is a personal choice. Home environments don't typically have so many systems that DHCP saves a significant amount of administration & maintenance, however it can make life simpler -- somewhat. It's your decision.
  • As for NAT, it only needs to be done once. Home environments do not require complicated topologies.
  • Lastly, when asking network topology questions, provide a diagram of what you intend to implement. Having a picture will clarify in your own mind what is going on, & it will certainly help anyone else attempting to make a useful response. What was initially described was the following:
    Code:
         internal network --- switch --- firewall --- switch --- ISP
                                                         |
                                                      servers
    What I suspect you really want is the following:
    Code:
        internal network --- switch --- firewall ---  ISP
                                |
                             servers
    Not knowing the details of how you connect to your ISP, you may need some multiple-purpose device to be inserted between the firewall & ISP, but that detail is left for you to figure out. You may have already done so.
#5 - 16th January 2011
unixjingleman (Fdisk Soldier)

The border router has its own firewall. The OpenBSD box was going to be just the firewall for the internal network. So I have a firewall protecting the servers (on the border router) and a firewall protecting the internal network. The OpenBSD box would just separate the internal network from the perimeter network and control access between these two areas. Like I say, I tried to have the OpenBSD box as a triple-homed box that was in the border router's DMZ but this proved too tricky, due to the fact that the border router is just a home router.
What I needed to know is: Is it alright to have all interfaces apart from the OpenBSD dedicated firewall's external interface configured as static internal addresses that are all on the same subnet as the border router's internal interface (192.168.1.*) but are outside of the dhcp range (addresses that the border router gives out)? Or should I assign a static internal I.P address for the OpenBSD box's internal interface that is on a different subnet to its external interface (192.168.2.*) and then have this internal interface do dhcp and N.A.T for the internal network and give out addresses to the internal network that are on the 192.168.2.* subnet?
So should I do:
Code:
  internal host        OpenBSD firewall                        border router
  192.168.2.20   192.168.2.10        192.168.1.67             192.168.1.254
       |        (int interface)     (ext interface)        (internal interface)
       |              |                   |                         |
       +--------------+                   +------------+------------+
                                                       |
                                            servers on 192.168.1.*
Or should I just have all machines with static internal addresses (192.168.1.*) that are on the same subnet as the internal interface of the border router but outside of its dhcp range? Which is technically the best idea? I realise that if the OpenBSD box is doing dhcp for the internal network then the addresses it gives out will have to be on a different subnet than the addresses given out via dhcp by the border router.
The diagram is slightly simplified. Obviously switches are involved (the servers and the OpenBSD box are on a switch that is attached to the border router. The internal host(s) are on a switch that is attached to the OpenBSD firewall box). Also I'm very sorry to keep bothering you all. I really am very grateful for all the help I'm getting. I understand if you don't want to help me any further.
Thank you for your time and replies.
Regards unixjingleman
#6 - 16th January 2011
unixjingleman (Fdisk Soldier)

The diagram doesn't look anything like it did when I drew it. I'm sorry, I don't know why this is. It is meant to indicate that the border router's internal interface has an I.P of 192.168.1.254. The OpenBSD box is supposed to have an external I.P of 192.168.1.67. And an internal address of 192.168.2.10.
#7 - 16th January 2011
unixjingleman (Fdisk Soldier)

Right, so having all the interfaces in the whole network on 192.168.1.* and static/outside of the dhcp range of the border router is alright. O.K., please ignore my previous posts. That's all I wanted to know. Sorry to keep bothering you. Just ignore. I'll get on with building the network now. Unless there are any further points? Does pf do N.A.T by default?
Thank you so much for all the advice. It must be trying helping n00bs?
#8 - 16th January 2011
ocicat (Administrator)

Quote (originally posted by unixjingleman):
    Does pf do N.A.T by default?
Studying the PF User's Guide & the section on NAT will be highly worth your time.
Quote (originally posted by unixjingleman):
    The diagram doesn't look anything like it did when I drew it.
vBulletin does strange things with code blocks. This can be corrected by repeated editing & previewing. Spacing gets munged, so what appears correct during editing will not display as intended.

The alternative is to attach a diagram created by some other means, but attachments take more time of potential responders. If your goal is for people to respond, making sure that messages have all information clearly presented upon first viewing helps. Personally, I don't care for attachments.
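Answering the "does pf do N.A.T by default?" question with an added example that is not from the thread or from the PF User's Guide: pf translates nothing unless a rule says so, and for the 192.168.2.0/24 design in post #5 the whole of the NAT is the single match ... nat-to line below. The interface names em0/em1 and the ssh rule are assumptions.

```pf
# Added example, not from the thread. OpenBSD firewall for the post #5 design:
#   em0 = external, 192.168.1.67 (on the home router's 192.168.1.0/24)
#   em1 = internal, 192.168.2.10/24
# Requires net.inet.ip.forwarding=1 in /etc/sysctl.conf.
ext_if  = "em0"          # assumed interface name
int_if  = "em1"          # assumed interface name
int_net = "192.168.2.0/24"

set skip on lo
antispoof quick for { $ext_if $int_if }

# pf does no NAT by default; this one match rule is what switches it on.
# Source addresses of internal hosts are rewritten to em0's address as the
# packets leave, and the home router then translates them a second time
# (the double NAT discussed above).
match out on $ext_if from $int_net to any nat-to ($ext_if)

block log all
pass in on $int_if from $int_net to any         # the state carries the translation
pass out on $ext_if                             # anything leaving em0, firewall's own included
pass in on $int_if proto tcp from $int_net to ($int_if) port 22   # assumed policy

# To NAT only once instead: delete the match line and add a static route on the
# home router (192.168.2.0/24 via 192.168.1.67), exactly as J65nko describes.
```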