DaemonForums  

#1
Old 27th February 2011
unixjingleman
Fdisk Soldier
 
Join Date: Jan 2011
Posts: 70
Thanked 0 Times in 0 Posts
simple network questions

Hi there
I'm building a network with a topology illustrated below:
Code:
|internal system|---|switch|----|OpenBSD|------|switch|------|border router|
The OpenBSD box is a dedicated firewall that protects the internal network. Attached to the first switch (the switch that is attached to the border router) are my servers. So the servers are protected by the border router's firewall and their own firewalls, and access to the internal network, and between the servers and the internal network, is controlled by the OpenBSD box.
It took me a while to put dd-wrt on the border router so that this set-up is supported. The only questions i now have are:
1) Would it be best to just bring up the OpenBSD's internal interface statically and to bring up the interfaces of machines on the internal subnet statically also, so that the OpenBSD box isn't doing DHCP for the internal network, it is just a firewall for it?
2) In which case, should I have the border router as the DNS server for all the machines on the whole network?
3) Or would it be better for the machines on the internal network to get their IPs via DHCP from the OpenBSD box (bearing in mind that the servers already get their IPs via DHCP from the border router) and have the OpenBSD as the DNS server for the internal network also?

Thank you for your time and any replies you might send
regards unixjingleman
#2
Old 27th February 2011
ocicat
Administrator
 
Join Date: Apr 2008
Posts: 2,930
Thanked 190 Times in 160 Posts

Quote:
Originally Posted by unixjingleman
Would it be best to just bring up the OpenBSD's internal interface statically and to bring up the interfaces of machines on the internal subnet statically also, so that the OpenBSD box isn't doing DHCP for the internal network, it is just a firewall for it?
For such a small network, the benefits of separating the DHCP server from the firewall are negligible. This has been discussed before.
Quote:
In which case, should I have the border router as the DNS server for all the machines on the whole network?
I tend to doubt that your border router is acting as a DNS server. I suspect it is relaying DNS received from your ISP.
Quote:
Or would it be better for the machines on the internal network to get their IPs via DHCP from the OpenBSD box (bearing in mind that the servers already get their IPs via DHCP from the border router) and have the OpenBSD as the DNS server for the internal network also?
You are mixing two different subjects together. Separate them.
  • Whatever box serves DHCP is up to you.
  • Hosting DNS yourself only has value if you have your own unique domain. Otherwise, take advantage of whatever your ISP provides.
There are no magic or definitive answers to your questions. If this were a large corporate network, separation of functionality would have greater importance, but deciding what machine will serve what functionality in such a small network is all a matter of personal choice & opinion. Why don't you experiment & decide what is best for your environment?
#3
Old 27th February 2011
unixjingleman
Fdisk Soldier
 
Join Date: Jan 2011
Posts: 70
Thanked 0 Times in 0 Posts

Oh yeah, sorry, I meant that as far as the hosts are concerned it's the DNS server (the border router or the OpenBSD box). Thanks for your swift reply.
#4
Old 27th February 2011
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,245
Thanked 182 Times in 149 Posts

My OpenBSD box is behind an ADSL router. It also acts as a caching, resolving nameserver for the network. All network clients have the IP address of this box in "/etc/resolv.conf".

Another instance, actually Bernstein's tinydns, runs an authoritative nameserver for my local domain 'utp.xnet'.

Code:
 $ dig +norecurse hercules.utp.xnet @192.168.222.11

; <<>> DiG 9.4.2-P2 <<>> +norecurse hercules.utp.xnet @192.168.222.11
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63605
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;hercules.utp.xnet.             IN      A

;; ANSWER SECTION:
hercules.utp.xnet.      604800  IN      A       192.168.222.20

;; AUTHORITY SECTION:
utp.xnet.               259200  IN      NS      ns1.utp.xnet.

;; ADDITIONAL SECTION:
ns1.utp.xnet.           259200  IN      A       192.168.222.11

;; Query time: 1 msec
;; SERVER: 192.168.222.11#53(192.168.222.11)
;; WHEN: Sun Feb 27 23:12:05 2011
;; MSG SIZE  rcvd: 85
And it also acts as a DHCP server.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
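As an added example (not code from J65nko's post or from the dig/tinydns projects), here is a small Python parser for the dig reply shown above. It pulls out the status, the header flags and the records of each section, then classifies the reply: with +norecurse the "aa" flag shows the box answered from its own zone data, whereas an "ra" flag would mean a caching resolver answered on the client's behalf. The sample text is constructed to match the reply in the post.

```python
import re

# Constructed sample: the header and answer sections of the dig reply above.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63605
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
hercules.utp.xnet.      604800  IN      A       192.168.222.20

;; AUTHORITY SECTION:
utp.xnet.               259200  IN      NS      ns1.utp.xnet.

;; ADDITIONAL SECTION:
ns1.utp.xnet.           259200  IN      A       192.168.222.11
"""

def parse_dig(text):
    """Return status, header flags and the records of each answer section."""
    parsed = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            parsed["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            # the flag letters sit between "flags:" and the first ";"
            parsed["flags"] = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.endswith("SECTION:"):
            section = line.split()[1]          # ANSWER, AUTHORITY, ADDITIONAL
            parsed["sections"][section] = []
        elif section and line and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            parsed["sections"][section].append((name, int(ttl), rtype, rdata))
    return parsed

def answer_role(parsed):
    """What the reply says about the server's role for the queried name."""
    if parsed["status"] != "NOERROR":
        return "no-answer"
    if "aa" in parsed["flags"]:
        return "authoritative"   # served from its own zone, no recursion needed
    if "ra" in parsed["flags"]:
        return "recursive"       # a caching resolver answered on our behalf
    return "unknown"

def glue_for(parsed, nsname):
    """Address the server supplies for an NS name in the ADDITIONAL section."""
    for name, _ttl, rtype, rdata in parsed["sections"].get("ADDITIONAL", []):
        if name == nsname and rtype == "A":
            return rdata
    return None
```

For the reply above, glue_for() returns 192.168.222.11, the very address that was queried, confirming the box is both the listed nameserver ns1.utp.xnet and the host that answered.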
