home router + firewall behind ISP router
Hi,
I've been trying to set up an OpenBSD firewall inside my local network behind my ISP's router. I generally know what I should do and how. I've read the OpenBSD "Building a router" FAQ, Peter Hansen's "PF Guide" and a gazillion threads. The closest to what I need are these two threads:
http://daemonforums.org/showthread.php?t=7953
http://daemonforums.org/showthread.php?t=9782

My architecture is like this:

INTERNET <-> ISP router (public, dhcp) 192.168.1.1 <-> 192.168.1.254 (OPENBSD, two NICs) 10.0.0.1 <-> 10.0.0.2 SWITCH (soho router used as a switch) <- (dhcp - e.g. 10.0.0.100) LAN (home computers, linux)

Never mind the dhcp on the inside - it's just temporary.

From the OpenBSD router itself, I can ping every host in my network and the internet. From the machines in 10.0.0.0 I can ping the 10/8 and 192.168.1.0 networks, but I can't reach the internet.

jggimi said in http://daemonforums.org/showthread.php?t=7953:

1. What (static) routes should I add and where? I can't add any on my ISP's router.
or
2. What NAT rules should I have in my PF or, in general, how should my pf.conf look in order just to connect nodes in the network to the internet?
or
3. Should I use vether(4)?
jggimi, thank you for your, as always, thorough, clear and exhaustive answer. You are truly meant to be a guru.

As far as the merits are concerned, I have written what my problem is.

Unfortunately, it's the problem I thought it was - either add a route to the ISP gateway or double NAT. The problem with my ISP router is that it's a typical consumer product (S@GEM) given by the ISP. It has a web interface set up by the ISP with hardly any settings. And I know there's a Linux inside I could control if I was given access - but probably that's not gonna happen. I'm gonna call the ISP and talk about either me or them adding a route, but people on the phone mostly aren't technical. I could of course change the ISP gateway to something more commercial: D-Link, TP-Link etc., but that would require additional money I don't want to invest right now. I know it's not much, but still...

What would be the pf rules for a double NAT on the router?

Again, my problem is:

Another funny thing is that from the 10.0.0.0 network, when I ping external domains (e.g. daemonforums.org) the domain gets resolved to an IP, but the ping is dead. What the truck? Is this because my ISP router is also a DNS server to my local network?
Review the Network Address Translation section of the PF User's Guide. Your rule would likely be similar to:
Code:
match out on <your.external.NIC> from 10.0.0.0/24 to any nat-to 192.168.1.254

Last edited by jggimi; 16th March 2017 at 10:16 AM. Reason: typos, one thinko
Ok, I had this rule but instead of any I had sis0:network, so it didn't cross my ISP router. Stupid mistake... but! In my defence... I try not to eat from the bowl of copypasta and to understand the whole thing, so I write pf rules on my own.

Last edited by beiroot; 16th March 2017 at 11:45 AM. Reason: more explanation
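Added example, not code from any post in this thread: a complete pf.conf for the OpenBSD box in the topology from the first post, with the sis0:network rule from this reply kept as a comment next to the corrected nat-to rule from jggimi's answer. Only the external NIC name sis0 comes from the thread; the LAN NIC name re0 and the remaining rules are assumptions.

```pf
# Constructed pf.conf for the topology in this thread (not from any post here):
#   ISP router 192.168.1.1 <-> sis0 192.168.1.254 [OpenBSD] re0 10.0.0.1 <-> LAN 10.0.0.0/24
# sis0 is the external NIC named in the thread; "re0" for the LAN NIC is an assumption.
ext_if = "sis0"
int_if = "re0"
lan    = "10.0.0.0/24"

set skip on lo0
set block-policy drop
set loginterface $ext_if

# Normalise incoming packets.
match in all scrub (no-df random-id max-mss 1440)

# Second layer of NAT. The ISP router has no route back to 10.0.0.0/24, so
# LAN sources must leave sis0 rewritten to 192.168.1.254, an address the ISP
# router knows how to answer. The state created here carries replies back,
# including ICMP echo replies and DNS answers from 192.168.1.1.
#
# The mistake discussed above: with "to $ext_if:network" only traffic bound
# for 192.168.1.0/24 was translated, while internet-bound packets left with a
# 10.0.0.x source and their replies never came back.
#   match out on $ext_if inet from $lan to $ext_if:network nat-to ($ext_if)   # wrong
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Default deny; log blocked packets so failures show up on pflog0.
block log all

# Traffic the firewall itself originates, plus forwarded LAN traffic.
pass out quick inet

# LAN clients may go anywhere; state handles the return path.
pass in on $int_if inet from $lan to any

# On the ISP-router side accept only management SSH, and only from the
# ISP router's own network.
pass in on $ext_if inet proto tcp from $ext_if:network to ($ext_if) port 22
```

Load it with pfctl -nf to syntax-check before pfctl -f, and watch tcpdump on pflog0 for drops while testing a ping from a LAN host.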
If a device on the 10.0.0.0/24 network -- OTHER than your router -- is directed to use the nameserver running in the ISP gateway device at 192.168.1.1, it will not receive any domain resolution responses from the device. Let us pretend it is a workstation at address 10.0.0.5.
My ISP-supplied router doesn't have a user interface toggle for everything, but the telnet(1) interface does.
A "S@GEM" router may be a device from http://www.sagemcom.com. Their broadband gateway devices seem to be capable of adding static routes. http://setuprouter.com/router/sagem/...1416-large.htm

Most importantly, their web portal offers support. http://www.sagemcom.com/contact/
Guys,
Unfortunately it's not a typical consumer Sagemcom router. It's called Sagemcom Orange Funbox (how lame is that?) and it's 100% branded for Orange (inside and outside).

Btw... before I typed S@gem, but they have something called Sagemcom F@st - that's where the @ came from. It's a somewhat different type of ADSL modem. The Orange Funbox is probably based on something from this series. Sometimes wires in my brain do funny things.

jggimi, I know, every cheap router nowadays has an option to add static routes and I would do it if I had one. But this one is strongly branded and the normal router options are just not there. I guess I just need to invest some cash and switch to something normal. Is there any obsd-friendly hardware with a built-in ADSL modem? I don't mean a normal PC, but rather something like Alix, APU, Soekris etc. None of the mentioned have one - I've checked.

Last edited by beiroot; 17th March 2017 at 12:04 PM. Reason: added note about routing
To my understanding, there are ADSL modems with PCI and miniPCI connectors. But I doubt that any are supported by OpenBSD.

The most common practice is to configure an external ADSL modem in "bridge" mode, so that it operates as a pass-through device rather than as a router.
When my ISP-supplied modem died an early death, I replaced it with a simple, cheap Netis ADSL2 modem and flashed my old Linksys WRT54G v8 router with DD-WRT. When OpenBSD-current began to provide wireless "N" support, I bought a Trendnet TEW-732BR ($11 USD refurbished and still available) and flashed it with OpenWRT.

My ISP uses PPPoE and would either sell you a modem/router for about $100 or rent the same for $10/month. The modem came pre-configured and, from a security standpoint, was set up for remote management - hopefully by the ISP only. I was able to find/obtain my ISP settings along with the username/password for PPPoE. I bought a cheap $20 modem and had two options for setup. The first is described by @jggimi above - put the modem in bridge mode and enter the PPPoE settings in the router. Both the modem and router are on the same network. The second option was to enter the PPPoE settings in the modem and use the routing capabilities of the modem to create a subnet. Both worked for me and I settled on the subnet option. I'm happy with my setup and, now several months old, it has already paid for itself.

You have a myriad of options but many of them hinge on the protocol and settings that your ISP uses. From the standpoint of an OpenBSD router, one of the things I considered were the wired OpenBSD setups that you linked in the first post and then subnetting a cheap wireless access point to the router. There is also a nascent FreeBSD router project and NetBSD has early/incomplete support for some embedded MIPS devices.

Last edited by shep; 18th March 2017 at 02:15 AM.
I did find a website, with screenshots, that describes connecting a third-party modem/router combination to Orange here. This example suggests VCI=0, VPI=38 with the PPPoA protocol. The Netis BS4201 that I used had these options and I suspect that most third-party modems do also.

Note that the VCI, VPI and encapsulation settings are country- and ISP-specific. Netgear guide w/ table of ISP settings by provider and country.

Edit: The linked article notes that the MTU needs to be 1492 but gives the wrong rationale. The maximal packet size for PPPoE is 1492.

Last edited by shep; 18th March 2017 at 09:45 PM.
I am currently using OpenBSD 6.0 with pf as my router/firewall. I originally had it hooked up to an ADSL router, and it was NOT configured to use bridge mode. I have since switched to a cable modem, and it is also NOT configured for bridge mode. In fact, I made no changes at all to any of the config files when I changed from ADSL to cable. I just plugged my OpenBSD router into the new modem with the network cable and everything just worked. I am using an apu2c4 with a wle200nx. Everything works fine. I'll be more than happy to post any of my config files here so you can see how I have things set up.

Last edited by amphibious; 17th March 2017 at 08:57 PM.
Thanks for your replies, but what you suggest is buying something extra, and I promised myself I will not spend a single $ to get everything working. I'm trying to work with what I have.

So far I'm double NAT-ing, which jggimi confirmed can be problematic. My next experiment is an external ADSL router on USB - Orange gave them out way before the current Sagems. Anyway, this can be fun.

amphibious - I'd be more than happy to see your configs. Btw, I'm digging into "The Book of PF", so expect more questions.
Sure thing. Give me till tomorrow, and I will start posting them up for you. Please tell me specifically which files you are interested in.
ADSL Modem+router [192.168.1.1] <-> [192.168.1.254] OBSD router+firewall ... and later on routing the packets to different subnets. But that requires a double NAT as we discussed earlier.

Last edited by beiroot; 27th March 2017 at 09:08 PM.
Essentially yes. You can daisy-chain routers. On my setup I told my ADSL Modem+router (192.168.1.1) to offer a very narrow range of DHCP addresses on its single RJ-45 NIC: 192.168.2.1 to 192.168.2.1. I then set my SOHO wireless router to use a static IP address of 192.168.2.1. My workstation and network printer have static IPs 192.168.2.2 and 192.168.2.3 respectively. The SOHO hands out a limited number of DHCP addresses to my wireless devices starting at 192.168.2.5 and ending at 192.168.2.12.

I'm commenting without knowing how much flexibility your branded "Orange" modem router provides. If it is really limited, there are 3rd-party ADSL modems that are reported to work with your ISP. I understand wanting to use the hardware you have, but if it is too restrictive, there are low-cost options. I purchased a new ADSL modem for $20 USD + $7 shipping that has a very low current draw of 0.5 milliamps at 5 volts. My ISP rents modem/routers for $10/month; coming up on 5 months, I'm money ahead.

Edit: Clarified that my modem has a single NIC as described by jggimi's example that follows.

Last edited by shep; 28th March 2017 at 12:49 AM.
To be clear, I was thinking of a modem which has an Ethernet connection to serve the local network. Keep this in mind for my two examples below.

Let us pretend that your Internet IP address is 203.0.133.17. Let us also pretend that the gateway device is acting as a NAT router, and provides both DHCPd services and a local RFC 1918 network: 192.168.1/24. None of your devices in the local network are "on" the Internet directly; all of their traffic in and out to the Internet shares the single 203.0.133.17 address, which is actually assigned to the gateway device.

Now, let's switch that gateway device from being a router to being a bridge. The ISP's Internet connection is now directly available. In bridge mode, we would use a single Ethernet connection between the gateway device and a local router -- such as OpenBSD. The IP address on that externally facing NIC of the local router would be 203.0.113.17. Because, in bridge mode, the connection to the Internet does not go through NAT, it is the actual Internet address served by the ISP. The gateway device is no longer a router making any decisions -- it is merely passing packets along between the ISP's media and the local network media.
pf.conf
Sorry it took a while to reply. I have been away.
Here is my pf.conf file:
Code:
# Internal (LAN-side) interfaces: wireless plus two wired ports
int_if="{ athn0 em1 em2 }"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
# Rewrite the source of anything not already on the egress network to the egress address
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block all
pass out quick inet
pass in on $int_if inet
pass in quick on egress inet proto tcp from any to any port 22
pass in on egress inet proto tcp from any to (egress) port 22
pass in on egress inet proto tcp from any to (egress) port 80
pass in on egress inet proto tcp from any to (egress) port 443

Mine is not configured as NAT. It's configured as a router/firewall. I don't have another server; my apu2 is just hooked up to my cable modem. Take a look at the following link I found. It can be very helpful in setting things up: https://github.com/gonzalo-/apu2_openbsd

Let me know what other files you may want to see.

Last edited by amphibious; 30th March 2017 at 11:57 PM.
jggimi, thank you again for a clear explanation; you, Sir, are a hero! amphibious, thanks for the config and link, I'll analyze it and give feedback as soon as I can.

-----

I decided to play a little with my network architecture, so instead of the Orange ADSL+router I'll try an old USB ADSL modem - just to configure a USB network device and test bridge mode. Wonder how that'll work out. In the long run it seems that a little investment is inevitable, so what do you think would be the best shot? An ADSL modem with bridging capability?