DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 4th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default A Very Simple Wireless Access Point

Hello everyone.

I am trying to setup a basic wireless internet using wpa2 and a dhcpd server that will hand out clients.

I am following along in the book of PF and so far I am able to see the wireless adapter and connect to it. However I am not able to obtain an ip address on the client.

/etc/dhcpd.interfaces
Code:
athn0
Code:
up media autoselect mode 11g chan 1 nwid unwiredbsd nwkey 0x1deadbeef9
dhcp
After a reboot it appears that openbsd is looking to obtain a ip address via dhcp? I want the clients to get the ip address and openbsd to hand them out with dhcpd.

I even tried starting httpd athn0 but had no luck

What am I doing wrong here? Why can I not get a ip address on the client?
Reply With Quote
  #2   (View Single Post)  
Old 4th July 2014
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by EverydayDiesel View Post
After a reboot it appears that openbsd is looking to obtain a ip address via dhcp? I want the clients to get the ip address and openbsd to hand them out with dhcpd.
You have not mentioned how dhcpd(8) is configured on the access point.
  • Have you customized /etc/dhcpd.conf?
  • Is dhcpd(8) started through /etc/rc.conf.local?
DHCP configuration for both client & server is covered in Section 6.4 of the FAQ.
Reply With Quote
  #3   (View Single Post)  
Old 4th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

I have not done any customizations to dhcpd except what was listed above (and i did start it via 'dhcpd athn0'

I will read it and see what i can come up with
Reply With Quote
  #4   (View Single Post)  
Old 4th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Your /etc/hostname.athn0 file should have a static address. It is a DHCP server for a subnet; that subnet should be known to you.

Your /etc/dhcpd.conf configuration must describe that same subnet, and have a range of dynamic addresses. It can also provide additional information such as routers and domain name server addresses.

Picture, if you will, this network. It is attached to the Internet at some Internet address a.b.c.d. The GATEWAY device, OpenBSD, needs to have two NICs: a connection to the Internet, and a connection to a private network, containing addresses which are not permitted on the Internet itself, such as any address beginning with 192.168.*.* or 10.*. There are others. Google for RFC 1918.
Code:
{Internet} --- a.b.c.d [GATEWAY] 10.0.0.1 -- {Private Network}
Your Gateway needs to have two NICs: the athn0 NIC, and at least one additional NIC.

IPv4 forwarding must be enabled in /etc/sysctl.conf.

Network Address Translation must be used in PF, so that any communication from one of the devices on the 10.0.0.0/24 network destined for the Internet gets translated to a.b.c.d. (e.g., "match out on $external_nic from !($external_nic) nat-to ($external_nic)")

The dhcpd.conf file must define the 10.0.0.0/24 subnet ("subnet 10.0.0.0 netmask 255.255.255.0;"). A range within that subnet must be defined for dynamic address assignments ("range 10.0.0.10 10.0.0.100;"). If you want devices on that private network to reach the Internet, the configuration must also define 10.0.0.1 as a router ("option routers 10.0.0.1;"), and you will likely want to point them to a DNS server ("option domain-name-servers 4.4.4.4 8.8.8.8;").

---

I hope this helps.
Reply With Quote
  #5   (View Single Post)  
Old 4th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

That does help alot.

Here are the steps that i have done but it is still not working. dhcpd says (failed)
when cat /var/log/messages
i get
Code:
Cant listen on athn0 - dhcpd.conf has no subnet declaration for 10.2.0.1
/etc/hostname.athn0
Code:
up media autoselect mediaopt hostap mode 11g chan 7 nwid MY_SSID wpa wpakey MY_PWD_GOES_HERE
10.2.0.1
/etc/hostname.xl0
Code:
inet 10.1.0.1 255.0.10.0
/etc/dhcpd.conf
Code:
        option  domain-name "my.domain";
        option  domain-name-servers 4.4.4.4;

        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 10.1.0.1

                range 192.168.1.32 192.168.1.127;
        }
Code:
echo 'dhcpd_flags="athn0"' >>/etc/rc.conf.local
/etc/sysctl.conf was edited for
Code:
net.inet.ip.forwarding=1
/etc/pf.conf (this is really open for now)
Code:
EXT_IF = "xl0"
WRLS_IF = "athn0"

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass out on $EXT_IF from any to any
pass out on $WRLS_IF from any to any
pass in on $WRLS_IF from any to any
Can you tell me where my subnets are wrong please?
Reply With Quote
  #6   (View Single Post)  
Old 4th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

You might have missed a post containing an example of a dhcpd.conf in your PF-related thread. It would merely need to have the shared-network declaration removed, and the IP addresses changed to match your WiFi subnet.

For more on dhcpd configuration, you might find FAQ 6.4.2 helpful.

Edited to add:

Your netmasks need revision. in xl0, 255.0.10.0 isn't valid, and you have no netmask for athn0, and no "inet" declaration.
Reply With Quote
  #7   (View Single Post)  
Old 4th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

Thanks I changed the subnet and added a netmask to athn0 and it is handing out IP addresses.

I currently have a main firewall and then another machine(wireless server) that has a wireless card. The wireless server hands out an ip address to the client but no internet connection. on the wireless machine i have the following command to monitor pf

Code:
tcpdump -n -e -ttt- i pflog0
but there is no output. The client is my cell phone so i am not able to ping.

The wireless server is able to ping the main firewall.
The wireless server is able to return results from nslookup www.google.com
Reply With Quote
  #8   (View Single Post)  
Old 4th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

OK. Your atnh0's NIC uses the address 10.2.0.1, with some subnet which is now valid?

If so, your dhcpd.conf is using a different subnet. 192.168.1.0/24, and a range within for dynamic addresses.

No wonder your network isn't communicating.
Reply With Quote
  #9   (View Single Post)  
Old 5th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

they are both 255.255.255.0 but still no internet.

I changed my pf.conf to look like this so I could catch the blocks

Code:
EXT_IF = "xl0"
WRLS_IF = "athn0"

block log all

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass out on $EXT_IF from any to any
pass out on $WRLS_IF from any to any
pass in on $WRLS_IF from any to any
Reply With Quote
Old 5th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I'll try to be clearer. Please excuse me if you understood me previously, but from your last post I think you may still be confused.

Your dhcp.conf last posted above was pointing to the WRONG SUBNET. None of the 192.168 addresses referenced in that configuration file are valid. All of them must be in the range defined by your athn0 subnet, which is addressed at 10.2.0.1, and if it is a /24, then your dhcp.conf must point to addresses in 10.2.0.0/24. Here are the changes I would make, if I've understood your addressing.
Code:
     option  domain-name "my.domain";
     option  domain-name-servers 4.4.4.4;

        subnet 10.2.0.0 netmask 255.255.255.0 {
                option routers 10.2.0.1
                range 10.2.0.32 10.2.0.127;
        }
Reply With Quote
Old 5th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Adding:

Your router definition was also incorrect, which is why I've altered its address. Yes, you have a router at 10.1.0.1, but that is not a router in the 10.2.0.0/24 subnet.
Reply With Quote
Old 5th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

I will post my full config just in case i am not understanding.

/etc/hostname.athn0
Code:
up media autoselect mediaopt hostap mode 11g chan 7 nwid MY_SSID wpa wpakey MY_PWD_GOES_HERE
10.2.0.1 255.0.0.0
/etc/hostname.xl0
Code:
inet 10.1.0.1 255.0.0.0
/etc/dhcpd.conf
Code:
        option  domain-name "my.domain";
        option  domain-name-servers 4.4.4.4;

        subnet 10.2.0.0 netmask 255.0.0.0 {
                option routers 10.2.0.1

                range 10.2.0.32 10.2.0.99;
        }
Code:
echo 'dhcpd_flags="athn0"' >>/etc/rc.conf.local
/etc/sysctl.conf was edited for
Code:
net.inet.ip.forwarding=1
/etc/pf.conf (this is really open for now)
Code:
EXT_IF = "xl0"
WRLS_IF = "athn0"

block log all

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass out on $EXT_IF from any to any
pass out on $WRLS_IF from any to any
pass in on $WRLS_IF from any to any
I did go to 255.0.0.0 instead of 255.255.255.0 does this matter? Shouldnt i see the connection via tcp dump?
Reply With Quote
Old 5th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

I think my problem is in my nat.

ifconfig xl0:
groups: is not showing up

but

ifconfig athn0
groups: wlan egress

so how can i tell openbsd that xl0 is egress?
Reply With Quote
Old 5th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Each of your NICs must be in its own subnet. You seem to misunderstand IPv4 subnetting and netmasks. The mask defines the number of bits of the 32-bit address which make up the subnet. As an example, a CIDR of /24 and a netmask of 255.255.255.0 or 0xFFFFFF00 all mean the same thing:

11111111 11111111 11111111 00000000

24 bits of ones followed by 8 bits of zeros. The addresses in the zero portion make up the number of bits in the subnet.

And in a subnet, the lowest address is reserved for the subnet itself, and is used in routing, and the highest address is reserved for broadcasts to all devices in the subnet. You may recall in your PF thread I mentioned a /30, the smallest subnet available except for point to point networks?

A /30 netmask, in bits, looks like this:

11111111 11111111 11111111 11111100

There are two bits for addressing a /30, which is four values: 00, 01, 10, and 11. The first and last of those addresses are reserved, the remaining two are available for assignment to devices.

e.g.: 192.168.39.16/30:

192.168.39.16 - the network
192.168.39.17 - first device
192.168.39.18 - second device
192.168.39.19 - broadcast

Some of the tables in this Wikipedia article may help.
----

As shown in your latest post above:

1. Your hostname.athn0 is misconfigured.

1a) You have no "inet" declaration in front of the IPv4 address
1b) You have defined the netmask as 255.0.0.0. This is a /8, which has a range of 10.0.0.0 - 10.255.255.255. That is a subnet containing 16 million 177 thousand and 216 addresses, and it conflicts with your xl0 subnet. If you set this to a /24 instead, it will range from 10.2.0.0 - 10.2.0.255.

2. Your hostname.xl0 is misconfigured.

It is in the same /8 subnet as your athn0 NIC, which is incorrect. If you set this to a /24 instead, it will range from 10.1.0.0 - 10.1.0.255.

3. Your dhcpd.conf is misconfigured.

It is a /8, as your other NICs, and needs to match the athn0 subnet once you have corrected it.

---

(NAT is not strictly required, but I will recommend retaining it for now, as if you wish to route without NAT you must add to your routing table in your outermost network.)

Last edited by jggimi; 5th July 2014 at 01:50 AM. Reason: I chose the wrong base address for my /30 example.
Reply With Quote
Old 5th July 2014
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

One of the best (& classic...) explanations/tutorials on IPv4 addressing is the following:

http://tiszai.tricon.hu/PDF/3comip.pdf

Note that this 3Com whitepaper can found at numerous sources, but be aware that the formating is incorrect at some URL's -- in the translation to PDF, exponents may not be correctly superscripted. The link provided above is correct.

Reply With Quote
Old 5th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

Im a bit confused. First you said that the nics must be on seperate subnets 255.255.255.0 and then you said to make them both /24? I am assuming that /24 means 255.255.255.0 on both?
Reply With Quote
Old 5th July 2014
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by EverydayDiesel View Post
I am assuming that /24 means 255.255.255.0 on both?
Correct. 24 bits (or the first three octets in dotted decimal notation...) are used to define the network portion of the IPv4 address.
Quote:
First you said that the nics must be on seperate subnets 255.255.255.0 and then you said to make them both /24?
Subnets are defined by the network portion of the IPv4 address, & the network mask is needed to determine how many bits are in the network portion. It is perfectly acceptable that the subnets separated by a router all have the same network mask -- as long as the value of the network portion of the separate subnets are unique.

I highly recommend study of the IPv4 addressing whitepaper provided earlier. There appears to be a number of fundamental addressing rules you need to understand in order to implement routing correctly.

Last edited by ocicat; 5th July 2014 at 03:21 AM. Reason: clarity
Reply With Quote
Old 5th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

thank you for the reply. I did change all the subnets to 255.255.255.0 and rebooted but still no internet.
Reply With Quote
Old 5th July 2014
EverydayDiesel EverydayDiesel is offline
Shell Scout
 
Join Date: Jan 2009
Posts: 124
Default

it is working now. i want to thank everyone that helped with this mess.

I will read the doc so i can understand subnet masks better in the future.

Thanks again
Reply With Quote
Old 5th July 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Correct. The notation /24 means 24 bits of ones, followed by 8 bits of zeros.

The notation /24 is exactly the same as decimal 255.255.255.0 and is exactly the same as hexadecimal 0xFFFFFF00. All three of these mean the same thing: 24 bits of ones followed by 8 bits of zeros.

The way you had the NICs configured above, with a netmask of "255.0.0.0", means 8 bits of ones followed by 24 bits of zeros. Since the first 8 bits was the same: 00001010, or decimal 10, both NICs were in the same subnet. Or would have been, if you had configured the athn0 file with the keyword "inet".

This subnet begins at 10.0.0.0, the address of the network. It's broadcast address is 10.255.255.255, and between those two reserved addresses, there are 16,177,214 IP addresses which can be assigned to devices in this subnet.

---

With CIDR notation, any number of bits can be used to define the size of the netmask. But for we human beings, we define our IP address in terms of four 8-bit decimal octets (bytes) with periods in between them. So CIDRs of /8, /16, and /24 are the easiest for us to see and understand, because they set the number of bits of ones at 1, 2, or 3 octet boundaries,

A /24 is very handy for our small networks, for two reasons. 1) There are 256 addresses, 254 of them available for devices. 2) The three left bytes define the subnet, and the rightmost byte defines the devices within the subnet.

Example:

10.0.0.1/24 and 10.0.0.207/24 are obviously in the same subnet, because only the right most octet is different. No router is needed for these two devices to communicate. However, a device at10.0.5.13/24 is in a different subnet, because the first three octets are different. IP traffic would need to be routed between the two subnets.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD Access Point varung90 OpenBSD General 1 2nd July 2014 10:26 AM
Google details location services opt-out for Wi-Fi access point owners J65nko News 0 16th November 2011 09:53 AM
problems with wifi access point mayuka OpenBSD General 60 4th February 2010 10:29 AM
Wireless NIC for access point dewarrn1 FreeBSD General 1 15th September 2009 11:01 PM
Configuring a wireless access point Serge FreeBSD General 6 6th June 2008 04:07 PM


All times are GMT. The time now is 03:58 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick