DaemonForums, OpenBSD General forum
#1, 4th October 2011
domdurocher (Real Name: Dominic Durocher), New User
Subject: wired and wifi sharing but can't use bridging

Ok, here we go...

I'm working on my network; physically it looks like this:



|cable isp|------|openbsd|--(wired)
|
|
(wifi)

(Disregard the graph above; forum formatting messed it up)


What I want to do is share the network between the wired side and the wifi. I have considered bridging the OpenBSD wifi and wired NICs; it worked for a while, but it drove my wifi adapter FUBAR after a few hours. I had been digging into that problem before but had no luck on that side. So now here I am, asking around about alternatives for sharing between those two adapters without bridging.

Now what I have in mind is to put each adapter on a separate subnet and tweak the routing table, but so far it's beyond my knowledge.

re0 isp cable (dhcp auto)
ral0 wifi 192.168.2.1 255.255.255.0
sk0 wired 192.168.1.1 255.255.255.0

What I see so far is that pinging from a laptop on the 192.168.2 network (wifi) shows the ICMP request on the wired gateway and on the wired station, but no reply is sent back. Same thing if I ping from the wifi adapter to the wired network device: the request is received but there is no reply. It works fine from a wired station, or from the wired adapter on the OpenBSD box, to the wired network.

That being said, I would appreciate your suggestions on how I could get the wifi and the wired sides to talk to each other without using bridging on the wifi adapter, because of the problem mentioned above.

Thanks in advance.

Last edited by domdurocher; 4th October 2011 at 10:48 AM. Reason: (Disregard the graph above; forum formatting messed it up)
#2, 4th October 2011
ocicat, Administrator

First of all, welcome!
Quote (originally posted by domdurocher):
Now what I have in mind is to put each adapter on a separate subnet and tweak the routing table, but so far it's beyond my knowledge.
You will want to study:
Quote (originally posted by domdurocher):
What I see so far is that pinging from a laptop on the 192.168.2 network (wifi) shows the ICMP request on the wired gateway and on the wired station, but no reply is sent back. Same thing if I ping from the wifi adapter to the wired network device: the request is received but there is no reply. It works fine from a wired station, or from the wired adapter on the OpenBSD box, to the wired network.
It is not clear whether you have set net.inet.ip.forwarding which is required to pass packets from one interface to another. Details are covered in Section 6.2.7 referenced above.
#3, 4th October 2011
domdurocher (Real Name: Dominic Durocher), New User

Thanks for the reply ocicat,

Yes, I enabled net.inet.ip.forwarding. Both wired and wifi have access to the internet on my ISP cable, going through my OpenBSD box and a set of pf rules. That works perfectly.

As for the route man page, I already tried to add a route for 192.168.2.0/24 via the 192.168.1.1 gateway, but it didn't work. Still no reply to pings and no communication between wifi and wired.
#4, 4th October 2011
jggimi, More noise than signal

You will find it helpful to place diagrams between [code] and [/code] tags, so that the forum does not reformat your content.

Both subnets are managed by OpenBSD? And both can reach the Internet?

If your re0 subnet is supplied with an Internet address, then OpenBSD is conducting Network Address Translation. PF is required. Therefore:

It is my guess that PF is where your problem is located; I am guessing you have a default deny ruleset, and no pass rules between the two subnets defined.
#5, 5th October 2011
domdurocher (Real Name: Dominic Durocher), New User

OK, I guess I should provide more insight into my configs.

re0 isp cable (dhcp auto)
ral0 wifi 192.168.2.1 255.255.255.0 Subnet controlled by dhcpd
sk0 wired 192.168.1.1 255.255.255.0 Subnet controlled by dhcpd

dhcpd.conf
Code:
#	$OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:		192.168.1.0/255.255.255.0
# Domain name:		my.domain
# Name servers:		192.168.1.3 and 192.168.1.5
# Default router:	192.168.1.1
# Addresses:		192.168.1.32 - 192.168.1.127
#
option  domain-name "domain.com";
option  domain-name-servers 206.248.154.22, 206.248.154.170;

subnet 192.168.1.0 netmask 255.255.255.0
{
        option routers 192.168.1.1;

        range 192.168.1.50 192.168.1.100;

        host XPS {
                hardware ethernet 00:19:B9:3E:EF:05;
                fixed-address 192.168.1.10;
        }

        host Vault {
                hardware ethernet 00:14:FD:11:B2:94;
                fixed-address 192.168.1.11;
        }

        host Nano_wired {
                hardware ethernet 00:1e:68:c5:45:1f;
                fixed-address 192.168.1.14;
        }
}

subnet 192.168.2.0 netmask 255.255.255.0
{
        option routers 192.168.2.1;

        range 192.168.2.50 192.168.2.100;

        host Android {
                hardware ethernet 90:21:55:B4:35:BE;
                fixed-address 192.168.2.13;
        }

        host Nano_wifi {
                hardware ethernet 00:22:69:3D:8D:96;
                fixed-address 192.168.2.12;
        }
}
pf.conf
Code:
#PF config file

# macros

Ext_if = "re0"
Int_if = "{ sk0 ral0 }"
Wired = "sk0"
Wifi = "ral0"

# options
set block-policy return
set loginterface re0
set skip on lo

# match rules
match in all scrub (no-df)

# filter rules
block all
pass quick on $Int_if proto icmp
pass on $Int_if from 192.168.1.0/24
pass on $Int_if from 192.168.2.0/24
pass out on $Int_if to $Ext_if
pass in on $Ext_if from { 192.168.1.0/24 192.168.2.0/24 }
pass out on $Ext_if proto { tcp udp icmp } all modulate state
pass out on $Ext_if from { 192.168.1.0/24 192.168.2.0/24 } to any \
    nat-to (re0)
hostname.ral0
Code:
media DS2 mode 11g mediaopt hostap 
chan 3 
nwid infected2 wpakey youwish!!! wpaprotos wpa1,wpa2
inet 192.168.2.1 255.255.255.0 192.168.2.255
up
hostname.sk0
Code:
inet 192.168.1.1 255.255.255.0 192.168.1.255
up
hostname.re0
Code:
dhcp
sysctl.conf
Code:
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets

route show
Code:
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
69.165.210.16/29   link#1             UC         0        0     -     4 re0
localhost          localhost          UH         0       86 33200     4 lo0
192.168.1/24       link#2             UC         1        0     -     4 sk0
192.168.1.10       00:19:b9:3e:ef:05  UHLc       1       83     -     4 sk0
192.168.2/24       link#5             UC         1        0     -     4 ral0
192.168.2.13       link#5             UHLc       0        8     -     4 ral0

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
localhost          localhost          UH         0        0 33200     4 lo0
fe80::%re0/64      link#1             UC         0        0     -     4 re0
fe80::%sk0/64      link#2             UC         0        0     -     4 sk0
fe80::%lo0/64      fe80::1%lo0        U          0        0     -     4 lo0
fe80::%ral0/64     link#5             UC         0        0     -     4 ral0
ff01::%re0/32      link#1             UC         0        0     -     4 re0
ff01::%sk0/32      link#2             UC         0        0     -     4 sk0
ff01::%lo0/32      localhost          UC         0        0     -     4 lo0
ff01::%ral0/32     link#5             UC         0        0     -     4 ral0
ff02::%re0/32      link#1             UC         0        0     -     4 re0
ff02::%sk0/32      link#2             UC         0        0     -     4 sk0
ff02::%lo0/32      localhost          UC         0        0     -     4 lo0
ff02::%ral0/32     link#5             UC         0        0     -     4 ral0
That being said, follow me a little further here; I'll show you what gets me really confused.

First ping within the same subnet:

ping from gateway adapter sk0 192.168.1.1 to 192.168.1.11

tcpdump on gateway
Code:
# tcpdump -i sk0 icmp
tcpdump: listening on sk0, link-type EN10MB
20:10:32.388756 192.168.1.1 > 192.168.1.11: icmp: echo request
20:10:32.389051 192.168.1.11 > 192.168.1.1: icmp: echo reply

ping from gateway
Code:
$ ping 192.168.1.11
PING 192.168.1.11 (192.168.1.11): 56 data bytes
64 bytes from 192.168.1.11: icmp_seq=0 ttl=64 time=3.621 ms
--- 192.168.1.11 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 3.621/3.621/3.621/0.000 ms

now ping from wifi subnet to wired subnet

ping from gateway adapter ral0 192.168.2.1 to 192.168.1.11

tcpdump on gateway
Code:
# tcpdump -i sk0 icmp
tcpdump: listening on sk0, link-type EN10MB
20:15:12.994278 192.168.2.1 > 192.168.1.11: icmp: echo request
20:15:14.003019 192.168.2.1 > 192.168.1.11: icmp: echo request
20:15:15.013017 192.168.2.1 > 192.168.1.11: icmp: echo request

ping from gateway
Code:
$ ping -I 192.168.2.1 192.168.1.11
PING 192.168.1.11 (192.168.1.11): 56 data bytes
--- 192.168.1.11 ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss

Here it is: why don't I get a reply from 192.168.1.11 when pinging from 192.168.2.1? I have checked, and tcpdump on 192.168.1.11 does not show a reply either.

Any suggestions?
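As an added example (not code from the thread or from OpenBSD), here is a small Python script that does mechanically what the two captures above show by eye: it pairs ICMP echo requests with the echo replies flowing the other way in tcpdump output and reports the requester/target pairs that never get answered, grouped by the requester's /24. The sample input is the two tcpdump captures above combined into one list; the line format is the one OpenBSD's tcpdump prints in the post. The grouping by subnet generalizes the single case in the post to any number of hosts, which is what you want when checking whether only one side of a router is affected.

```python
import ipaddress
import re
from collections import defaultdict

# Line shape taken from the tcpdump captures quoted in the post, e.g.
#   20:15:12.994278 192.168.2.1 > 192.168.1.11: icmp: echo request
ICMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+icmp:\s+echo\s+(?P<kind>request|reply)\b"
)

# Sample capture: the two captures from the post, concatenated.
SAMPLE_CAPTURE = """\
tcpdump: listening on sk0, link-type EN10MB
20:10:32.388756 192.168.1.1 > 192.168.1.11: icmp: echo request
20:10:32.389051 192.168.1.11 > 192.168.1.1: icmp: echo reply
20:15:12.994278 192.168.2.1 > 192.168.1.11: icmp: echo request
20:15:14.003019 192.168.2.1 > 192.168.1.11: icmp: echo request
20:15:15.013017 192.168.2.1 > 192.168.1.11: icmp: echo request
""".splitlines()


def parse_icmp(lines):
    """Yield (src, dst, kind) for every ICMP echo line; other lines are skipped."""
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")


def echo_balance(lines):
    """Count requests and matching replies per (requester, target) pair.

    A reply is credited to (requester, target) when it flows target -> requester,
    i.e. the reverse of the request direction.
    """
    balance = defaultdict(lambda: {"requests": 0, "replies": 0})
    for src, dst, kind in parse_icmp(lines):
        if kind == "request":
            balance[(src, dst)]["requests"] += 1
        else:
            balance[(dst, src)]["replies"] += 1
    return dict(balance)


def unanswered(lines):
    """Return ((requester, target), requests, replies) for pairs with missing replies."""
    return sorted(
        (pair, c["requests"], c["replies"])
        for pair, c in echo_balance(lines).items()
        if c["replies"] < c["requests"]
    )


def unanswered_by_subnet(lines, prefixlen=24):
    """Total unanswered requests grouped by the requester's /prefixlen network."""
    out = defaultdict(int)
    for (src, _dst), req, rep in unanswered(lines):
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        out[str(net)] += req - rep
    return dict(out)


if __name__ == "__main__":
    for (src, dst), req, rep in unanswered(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}: {req} requests, {rep} replies")
    print("unanswered by source subnet:", unanswered_by_subnet(SAMPLE_CAPTURE))
```

Feed it `tcpdump -n -i sk0 icmp` output captured on the router; if every unanswered pair comes from one subnet, the fault is on the path taken by that subnet's replies (the target host's route back, or the router's forwarding of the reply), not on the request side.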
#6, 5th October 2011
jggimi, More noise than signal

I think I might see the problem. I believe it is possible that the only filter rule that matches non-ICMP traffic between your two internal networks is "block all".

You can confirm this by adding "log" to all of your pass/block rules, and running tcpdump with pflog0. It will show which rule applies to any packet being examined.

In particular your "pass on" multiple interfaces by $Int_if macro may not be producing the results you want. # pfctl -s rules will show you the ruleset with all expansions of macros and lists, and if you use # pfctl -vs rules you get the rule numbers that are used with the pflog tcpdump output.

----

A quick test is to change the block all rule to a pass all. If you can suddenly connect, you know that your PF configuration is the culprit.
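As an added example (not code from the post or from OpenBSD), this Python snippet parses the kind of output `tcpdump -n -e -ttt -i pflog0` produces once `log` has been added to the rules, and tallies which rule number, action, direction and interface matched each logged packet. The sample lines are constructed to look like that output; the exact pflog line shape (`rule N/(match) pass|block in|out on IFACE: ...`) is an assumption about the tcpdump version in use, so adjust the regex if your output differs. The rule numbers it extracts are the ones `pfctl -vs rules` prints, as the post above describes.

```python
import re
from collections import Counter

# Assumed line shape for `tcpdump -n -e -ttt -i pflog0` on OpenBSD:
#   Oct 05 20:15:12.994278 rule 0/(match) block in on ral0: 192.168.2.13 > 192.168.1.11: icmp: echo request
# TCP/UDP lines carry a port after the address ("192.168.2.13.51234").
PFLOG_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\)\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)

# Constructed sample: a forwarded ping passed on the inbound interface but
# blocked on the outbound one, a blocked SSH SYN, and a passed local ping.
SAMPLE_PFLOG = """\
Oct 05 20:15:12.994278 rule 5/(match) pass in on ral0: 192.168.2.13 > 192.168.1.11: icmp: echo request
Oct 05 20:15:12.994301 rule 0/(match) block out on sk0: 192.168.2.13 > 192.168.1.11: icmp: echo request
Oct 05 20:15:20.120000 rule 0/(match) block in on ral0: 192.168.2.13.51234 > 192.168.1.11.22: S 1:1(0) win 65535
Oct 05 20:15:30.000000 rule 6/(match) pass in on sk0: 192.168.1.10 > 192.168.1.1: icmp: echo request
""".splitlines()


def parse_pflog(lines):
    """Return one dict per line that matches the expected pflog shape."""
    records = []
    for line in lines:
        m = PFLOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            records.append(rec)
    return records


def hits_per_rule(lines):
    """Count how often each (rule number, action, direction, interface) matched."""
    return Counter(
        (r["rule"], r["action"], r["dir"], r["iface"]) for r in parse_pflog(lines)
    )


def blocked_flows(lines):
    """Distinct (interface, src, dst) triples that hit a block rule, sorted."""
    return sorted(
        {(r["iface"], r["src"], r["dst"]) for r in parse_pflog(lines) if r["action"] == "block"}
    )


if __name__ == "__main__":
    for key, n in sorted(hits_per_rule(SAMPLE_PFLOG).items()):
        rule, action, direction, iface = key
        print(f"rule {rule}: {action} {direction} on {iface}: {n} packet(s)")
    print("blocked flows:", blocked_flows(SAMPLE_PFLOG))
```

The point of the two-line pair at the top of the sample is the one the post makes about forwarded traffic: a packet that is passed on the interface it enters can still be dropped by `block all` on the interface it leaves, and only the pflog rule number tells you which rule did it.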
#7, 5th October 2011
domdurocher (Real Name: Dominic Durocher), New User

jggimi,

I did the test without the deny all in pf and it's still a no go. On my part, if pf were the problem, I am positive that the ICMP request wouldn't get to the 192.168.1.11 station. Now my problem is that the request gets to the station but no reply is sent back, and that only when it comes from 192.168.2.0/24. There is no firewall on that station, and I replicated the problem on several other stations with different OSes... The problem is still present when pf is disabled, so can we put pf out of the loop?
#8, 5th October 2011
jggimi, More noise than signal

Thank you for letting me know. Well, there goes that theory.

Unfortunately, nothing else seems obviously out-of-sorts. I note that in your routing table, only one device shows a MAC address. If that output was produced after you've run your tests and been communicating, I'd be concerned. (I'm guessing it was soon after a boot, though.)

You may want to edit that post to remove your actual Internet address.
#9, 6th October 2011
domdurocher (Real Name: Dominic Durocher), New User

Quote (originally posted by jggimi):
You may want to edit that post to remove your actual Internet address.
My provider gives dynamic IPs, and pf is doing a pretty good job of keeping everybody out. Thanks for the heads up anyway.

I'll keep scratching my head about this, will post when I find the solution.

Regards