DaemonForums - OpenBSD General
#1 - 17th April 2016 - Nivekg (Real Name: Kevin Guerra)
simple openbsd home router cable modem local lan

Hi,

I've been trying (for several weeks) to set up my home router after I upgraded from OpenBSD 5.4. The version I ran before for several years gave us years of trouble-free and safe internet use.

However, after the upgrade to 5.9, something awful happened. My router stopped working. Here are my topology and configuration:

INTERNET <-> (CABLE MODEM) <-> (OPENBSD two nic) <-> SWITCH <-* LAN (home computers, linux)

I used to run two subnets in OpenBSD, 192.168.0.0 and 192.168.1.0; after the upgrade, that no longer worked. Then, temporarily, I set up the network on both the em0 and em1 NICs as 192.168.0.2 and 192.168.0.10 respectively. The modem router has the address 192.168.0.1; it's a router because I use the wireless capabilities. Btw, I also upgraded the modem because my cable company said so.

I've tried so many different things and followed countless how-tos and other forums' advice. I just can't figure out what went wrong. Btw, the reason I want the two subnets back is that with one I was able to access ssh on my OpenBSD router from 'outside', and even though it's configured to only allow my user id, I would prefer that it be closed to the internet.

My configs:

OPENBSD:
Code:
# cat sysctl.conf
net.inet.ip.forwarding=1
Code:
# cat rc.conf.local
afs=YES                 # mount and run afs
check_quotas=NO
unbound_flags=
apmd_flags=YES
Code:
# cat hostname.bridge0
add em0
add em1
up
Code:
# cat hostname.em0
inet 192.168.0.2 255.255.255.0
!route add -net 192.168.1.0/24 192.168.0.1
Code:
# cat hostname.em1
inet 192.168.1.2 255.255.255.0
Code:
# cat networks
BASE-ADDRESS.MCAST.NET  224
loopback                127     loop
 # Your subnets follow...
Code:
# cat mygate
192.168.0.1
Btw, I was trying to use unbound on and off.
ON
Code:
# cat resolv.conf
nameserver 127.0.0.1
OFF
Code:
# cat resolv.conf
nameserver 75.75.75.75
nameserver 75.75.75.76
LINUX (Debian jessie)
Code:
/etc# cat networks
default         0.0.0.0
loopback        127.0.0.0
localnet        192.168.1.1
link-local      192.168.1.0
Code:
/etc# cat network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.1.21
        netmask 255.255.0.0
        gateway 192.168.1.1
        network 192.168.1.0
        broadcast 192.168.1.255
        post-up route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1
        pre-down route del -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.1.1
The system pings the internet and internally just fine.
The routing tables are:

OPENBSD
Code:
# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.0.1        UGS        3       36     -     8 em0  
loopback           localhost          UGRS       0        3 32768     8 lo0  
localhost          localhost          UHl        1      421 32768     1 lo0  
192.168.0/24       192.168.0.2        UC         2       43     -     4 em0  
192.168.0.1        d4:04:cd:fd:23:eb  UHLc       2       39     -     4 em0  
192.168.0.2        00:15:17:d7:81:52  UHLl       0       63     -     1 em0  
192.168.0.21       00:24:8c:7c:5f:53  UHLc       1       39     -     4 em0  
192.168.0.255      192.168.0.2        UHb        0        0     -     1 em0  
192.168.1/24       pterod             UCP        1       36     -     4 em1  
192.168.1/24       192.168.0.1        UGS        0        2     -     8 em0  
pterod             00:15:17:d7:81:53  UHLl       0      833     -     1 em1  
trex               00:24:8c:7c:5f:53  UHLc       0       31     - L   4 em1  
192.168.1.255      pterod             UHb        0        6     -     1 em1  
BASE-ADDRESS.MCAST localhost          URS        0     3708 32768     8 lo0
Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=18b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,MPSAFE> mtu 1500
        lladdr 00:15:17:d7:81:52
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
em1: flags=18b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,MPSAFE> mtu 1500
        lladdr 00:15:17:d7:81:53
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
bridge0: flags=41<UP,RUNNING>
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        em0 flags=3<LEARNING,DISCOVER>
                port 1 ifpriority 0 ifcost 0
        em1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
        priority: 0
        groups: pflog
LINUX
Code:
/etc# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
link-local      192.168.1.1     255.255.0.0     UG    0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
Code:
/etc# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:24:8c:7c:5f:53  
          inet addr:192.168.0.21  Bcast:192.168.0.255  Mask:255.255.0.0
          inet6 addr: fe80::224:8cff:fe7c:5f53/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:72277 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41263 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:85848730 (81.8 MiB)  TX bytes:6650915 (6.3 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:161 errors:0 dropped:0 overruns:0 frame:0
          TX packets:161 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:15772 (15.4 KiB)  TX bytes:15772 (15.4 KiB)
I also used pf on and off; some say you need it to do NAT, others that you don't because the bridge will do that. All very confusing. When do you need it? Does not needing it mean that your system will not use pf and not be firewalled? It needs to have a firewall; that's the whole purpose of having a dedicated OpenBSD router, otherwise I'd just use the modem's firewall, which I'd rather not.

So, the million dollar question might be, what do I have to do to get it to work as illustrated above?

First time post, long, long time lurker...

Thanks,

Last edited by ocicat; 17th April 2016 at 10:39 AM. Reason: Please use [code] & [/code] tags when posting file contents.
#2 - 17th April 2016 - jggimi

Hello, and welcome.

I'm not sure where to start. I see several configuration problems, and there is one key missing configuration file: pf.conf.

---

You have two subnets, 192.168.0/24 (outer), and 192.168.1/24 (inner), and packet forwarding enabled. That would be fine, if either 1 or 2 were true, but not both:

  1. Your ISP's router (your defined "cable modem") has a routing table that includes a route to the 192.168.1/24 network through 192.168.0.2, your OpenBSD device.
  2. Your OpenBSD router uses NAT. (If NAT is used, that would be provisioned in your missing pf.conf)
Here are three problems I can see at a glance. You may have more.

  • You have added an incorrect route. Your !route command in hostname.em0 routes traffic destined for your inner network 192.168.1/24, back at your ISP's gateway at 192.168.0.1. That's not where it is. Your 192.168.1/24 network is attached to em1. I recommend removing this incorrect route.
  • You bridged your NICs. Bridging puts the NICs into the same Ethernet. But they are still separate subnets. I recommend removing this incorrect bridge.
  • Your Linux workstation appears to have an unreachable default route: 192.168.1.1 is undefined. I recommend correcting your Linux default route.
Here's a slightly different diagram of the topology.

[ISP router] 192.168.0.1 - 192.168.0.2 [OpenBSD] 192.168.1.2 - 192.168.1.21 [Linux]

Either the ISP router needs a route added to reach 192.168.1/24 addresses, or you must use NAT. Your Linux system must route through its only gateway, the OpenBSD router at 192.168.1.2.

---

Lastly, I note a reference to AFS in your rc.conf.local. AFS goop was removed from rc(8) at OpenBSD 5.3. The configuration record does no harm; it is being ignored. You can safely remove it.

Last edited by jggimi; 17th April 2016 at 05:35 PM. Reason: clarity
#3 - 18th April 2016 - Nivekg

@jggimi,

Thanks for the help and quick reply. I think it was really helpful; I understand some of the concepts a bit better. I got really confused because most everybody seems to be configuring for a bridge. So after the update, when I saw it didn't work, I followed the rest of the herd, but in my case that didn't work and gave so much grief.

I removed the bridge0 interface and set up the pf.conf file; in it I have a very simple setup. However, after the changes, removing the bridge and with the new pf.conf, my OpenBSD router cannot even ping the internet. I've rebooted all machines several times.

Why does mostly everybody seem to be using a bridge instead of NAT? I figure that NAT is more secure because you can control it in the firewall, and apparently the bridge will pass all packets to/from both interfaces. So in bridge mode... can you still filter packets with pf? I'm really puzzled about this... if that's not the secure way, why do they advise using the bridge? What would be the purpose of that for a secure router?

I was also having a lot of trouble with my Linux machine after the changes; I can't use it when it's on the switch. I have it now directly connected to the cable modem so I can use the internet. The wife has been hysterical these last couple of weeks with the internet on and off, so I also had to put her on the cable modem diet.

I thought I was mildly adept at networking, and I can see that it's far from the truth; I need to go back to some basics, or perhaps something is wrong with my new modem or hardware, hard to tell.

Can you suggest a pf.conf that would achieve what I'm trying to do? Also, feel free to suggest even a whole new design, mine might be just wrong. For example, is the two subnet configuration something common?
Code:
pf.conf
set skip on lo
block return	# block stateless traffic
pass		# establish keep-state
pass out on em0 inet from em1:network to any nat-to em0

Last edited by ocicat; 18th April 2016 at 12:26 AM. Reason: Please use [code] & [/code] tags when posting pseudo-contents of configuration files.
#4 - 18th April 2016 - jggimi

Quote (Originally Posted by Nivekg):
.... I got really confused because most everybody seems to be configuring for a bridge.
I don't know who "most everybody" is, but what *you* need to do is configure *your* network topology to meet your requirements. And a bridge (combining physical Ethernets into a single Ethernet) with two distinct IP subnets adds no value, as you had depicted in your first post. If that's confusing, then step back, and consider what it is you want to accomplish by inserting OpenBSD between your Linux platform and your ISP's router. I assume it's to eventually build a full PF configuration, for packet filtering or bandwidth shaping, or both. But only you know what it is you want to accomplish.
For example, you were already using NAT in your environment - your ISP's router (which is apparently integrated with the cable modem) provides you with the 192.168.0/24 subnet.

This is a subnet within a range of addresses that can only be used for private networks, and cannot be routed over the Internet. (There are uncounted millions of private networks using addresses in the 192.168/16 address range, and using NAT to reach the Internet.)

All of your devices on all of your networks, once you get them working -- will share a single Internet facing IP address through the ISP's router. Whether you keep NAT provisioned in PF, or not. (And yes, with both the ISP's router and your OpenBSD router deploying NAT, you would have two address translations for every packet between the Linux system and the Internet.)
Quote:
So after the update, when I saw it didn't work, I followed the rest of the herd, but in my case that didn't work and gave so much grief.
You have been misinformed. Bridging, while sometimes used, is a relatively infrequently used tool. Packet forwarding is far more common. So, if you are reading 3rd party "how to" documents, and assuming these are common or best practices, that's often an incorrect assumption. Be very wary of anything you find on the Internet. Even things you find here on this forum. We're just users. Only official documentation (the OpenBSD FAQ, INSTALL.<arch> files, man pages, etc.) content is supported.

Most 3rd party how-to documents are written by newer users who may not have complete understanding of the process they are documenting, or the guides do not consider all possible use-cases, or the guides are out-of-date. Or some combination of the three.

I've written a few of these 3rd-party how-tos. One that I wrote for the OpenBSD Journal was reviewed by a half-dozen developer/editors before it was published, and yet it was out-of-date and no longer valid within a single year's time. OpenBSD evolves, and is a moving target.

Do 3rd party how-tos have value? Yes, *if* you read them with the understanding they may not be correct, clear, or applicable.

When Peter Hansteen presents his PF Tutorials, he starts with a slide titled "This is not a HOWTO", which contains a pledge. He asks everyone in the audience to recite the text of the pledge out loud. It's fun to see, but it's an important message.

So when it comes to networking, please try to stick with the OpenBSD FAQ chapter on Networking, if you can, and use it as your primary guide. This is still Chapter 6, though the current changes to implement CSS on the website have the chapters unnumbered on the index page. And within, you'll find a discussion of bridge use in FAQ 6.6, where an example shows a bridge between two types of Ethernets. I use bridges, yes, but to interconnect Ethernets when that is actually needed. And while bridging is used, it is not ubiquitous.

Generally, the only bridge use I have seen in 3rd-party "set up a router" how-tos is for computers with a string of NICs, and the authors usually do this to make the computers' string of NICs behave something like a router with an integrated switch, such as your ISP's router likely has. But that artificial "turn my computer with a string of NICs into a switch-like device" limits your ability to manage packet filtering or traffic shaping. This is because configuring packet filtering with bridged Ethernets is more complex than with separate networks.
Quote:
I removed the bridge0 interface and set up the pf.conf file; in it I have a very simple setup. However, after the changes, removing the bridge and with the new pf.conf, my OpenBSD router cannot even ping the internet. I've rebooted all machines several times.
In your first post, you assigned a static address to both NICs (em0: 192.168.0.2/24, em1: 192.168.1.2/24) and a gateway (default route) to the ISP's router at 192.168.0.1. That's three files: /etc/hostname.em0, /etc/hostname.em1, and /etc/mygate. If these configurations are unchanged, and if they were working before, then logic states these provisions are still correct. Since I don't see any obvious flaw with your PF configuration (other than a block rule that will never apply to any packets, because the subsequent pass rule applies to all traffic), I would test your network.

Can you ping(8) the ISP's router from OpenBSD? There's no routing involved, this is a ping on a single Ethernet segment and single IP subnet.

Can you ping(8) the Linux platform? Again, there is no routing involved.

If these fail, look to your ifconfig output. Are both em0 and em1 shown as active? If they are, did you accidentally swap cables?

Look to your routing table. Routing confused you, based on your first post. So here's a simple way of looking at routing of IP traffic.
  1. If a packet is destined for an address on the subnet, no routing applies.
  2. If a packet is destined for an address somewhere else, the sending computer needs to know the address of the router on the subnet to send the packet to for routing elsewhere.
  3. A routing table entry has two parts: a) the range of addresses the router manages, and b) the address of the router on the local subnet.
A default route -- the most common occurrence -- routes all packets headed elsewhere.

And all routing tables only need to have the range of applicable addresses, and the address of the next router.

So your Linux box only needs to have a single router entry, a default route of 192.168.1.2 -- the address of the OpenBSD router on its subnet.

Your OpenBSD box will have multiple routes: its default route, the address of the ISP's router at 192.168.0.1, and the MAC addresses of any devices it's talked to on the 192.168.1/24 subnet, which it knows it can reach directly through em1 due to the IP address and netmask setting for that NIC.

If you are still at a loss, post the output of $ ifconfig -A, which will be the provisioning and state of all NICs, and $ route -n show -inet which will be the state of the routing table. If you need to post them, or any other console output or configuration file info, please wrap each in [code] and [/code] tags for readability. You may not have noticed, but ocicat has edited both of your posts to add these for clarity.

Last edited by jggimi; 18th April 2016 at 02:26 AM. Reason: typos
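The routing rules jggimi lays out above, as an added example that is not code from the thread: a small Python route resolver (longest prefix match, ties broken by OpenBSD's route priority, where connected routes at 4 beat static routes at 8) run over the OpenBSD routing table from post #1, plus a check of a default gateway against rules 2 and 3 of the list. The tables, the list of hosts on the 192.168.1/24 segment and the public address 203.0.113.10 are constructed from what was posted.

```python
"""Route selection as described in post #4, run over the tables posted in this thread."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Route(NamedTuple):
    dest: str                 # prefix the entry covers, in CIDR form
    gateway: Optional[str]    # None: destination is directly attached (flag C)
    iface: str
    prio: int                 # OpenBSD route priority: connected 4, static 8; lower wins


# OpenBSD table from post #1, transcribed from the posted "route show -inet" output.
OPENBSD_ROUTES = [
    Route("0.0.0.0/0",      "192.168.0.1", "em0", 8),   # default             UGS
    Route("192.168.0.0/24", None,          "em0", 4),   # 192.168.0/24        UC
    Route("192.168.1.0/24", None,          "em1", 4),   # 192.168.1/24 pterod UCP
    Route("192.168.1.0/24", "192.168.0.1", "em0", 8),   # the !route add line UGS
]


def select_route(routes, dst):
    """Longest prefix wins; equal prefixes are decided by the lower priority number."""
    d = ip_address(dst)
    matching = [r for r in routes if d in ip_network(r.dest)]
    if not matching:
        return None
    return max(matching, key=lambda r: (ip_network(r.dest).prefixlen, -r.prio))


def next_hop(routes, dst):
    """(address the frame goes to, interface): dst itself when on-link, else the gateway."""
    r = select_route(routes, dst)
    if r is None:
        return None
    return (dst if r.gateway is None else r.gateway, r.iface)


def gateway_problem(routes, gateway, hosts_on_segment):
    """Check a gateway against rules 2 and 3 of post #4.

    The gateway must lie on a subnet this host is directly attached to, and
    some device on that segment must actually own the address. Returns a
    description of the problem, or None when the gateway is usable.
    """
    gw = ip_address(gateway)
    attached = [ip_network(r.dest) for r in routes if r.gateway is None]
    if not any(gw in net for net in attached):
        return f"{gateway} is not on any directly attached subnet"
    if gateway not in hosts_on_segment:
        return f"no device on the segment owns {gateway}"
    return None


# Linux box as provisioned in post #1: 192.168.1.21/16 with gateway 192.168.1.1.
LINUX_BEFORE = [Route("192.168.0.0/16", None, "eth0", 4),
                Route("0.0.0.0/0", "192.168.1.1", "eth0", 8)]
# Linux box as provisioned in post #7: 192.168.1.21/24 with gateway 192.168.1.2.
LINUX_AFTER = [Route("192.168.1.0/24", None, "eth0", 4),
               Route("0.0.0.0/0", "192.168.1.2", "eth0", 8)]
# Constructed: the addresses that exist on the em1/switch segment in this thread.
SEGMENT_HOSTS = ["192.168.1.2", "192.168.1.21"]

PUBLIC = "203.0.113.10"   # constructed stand-in for an Internet address


if __name__ == "__main__":
    print("OpenBSD -> Linux box:", next_hop(OPENBSD_ROUTES, "192.168.1.21"))
    print("OpenBSD -> Internet: ", next_hop(OPENBSD_ROUTES, PUBLIC))
    # With em1 down its connected route vanishes and the leftover static route
    # from hostname.em0 sends inner-network packets to the ISP router instead.
    em1_down = [r for r in OPENBSD_ROUTES if r.iface != "em1"]
    print("em1 down -> Linux box:", next_hop(em1_down, "192.168.1.21"))
    for name, table in (("post #1", LINUX_BEFORE), ("post #7", LINUX_AFTER)):
        gw = select_route(table, PUBLIC).gateway
        print(f"Linux {name} default gateway {gw}: {gateway_problem(table, gw, SEGMENT_HOSTS)}")
```

While em1 is up the connected route shadows the static one, so the bogus route does no visible harm; the em1-down case is where it silently sends inner-network traffic to the ISP router.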
#5 - 18th April 2016 - Nivekg

@jggimi,

Looks like, it's working. Your help was very valuable, I got to learn a few things... it turns out I was doing something not very smart. In the heat of battle, I was trying frantically different things, one of them was to switch the ethernet cables, so that em0 (the external interface) was going to the switch, and em1 (internal) to the internet.

After some adjustments and the removal of bridge0, it's now working the way I was expecting.

I still have to test a few more things, etc... I guess I was too lazy to take apart the computer to inspect the double nic lan card, but now I know why it wasn't working...

It's working plenty fast now...

Thanks again.
#6 - 18th April 2016 - jggimi

Cable swap. I understand. My favorite man page, scan_ffs(8), has a wonderful "how-to" included. Step 1 is why it's my favorite:
Quote:
  1. Panic. You usually do so anyways, so you might as well get it over with. Just don't do anything stupid. Panic away from your machine. Then relax, and see if the steps below won't help you out.
Glad to know you've got things working, again!
#7 - 18th April 2016 - Nivekg

Ok, things are back to normal, got all the computers behind the router. Just in case someone runs into this, here is a list of things that might be useful. I still have a bit of work to do as far as security and networking, etc..., but so far the network has:
1) openbsd router
2) NAT using pf
3) dns cache using unbound
4) web cache using squid

System Design:
[ISP router] 192.168.0.1 -[nic1/em0] 192.168.0.2 [OpenBSD] [nic2/em1] 192.168.1.2 - [Switch] - 192.168.1.21 [Linux] + other computers, printer, etc...

NOTE: make sure that the lan cable from em0 goes to the ISP router/cable modem, you might have to physically inspect the network cards, or in my case a dual lan nic.

OPENBSD

# cat sysctl.conf
Code:
net.inet.ip.forwarding=1
# cat rc.conf.local
Code:
check_quotas=NO
pf=YES
pf_rules=/etc/pf.conf
unbound=YES
unbound_flags=
apmd_flags=YES
# cat resolv.conf
Code:
nameserver 127.0.0.1
# cat rc.local
Code:
if [ -x /usr/local/sbin/squid ]; then
    echo -n ' squid'
    /usr/local/sbin/squid
fi
# cat mygate
Code:
192.168.0.1
# cat hosts
Code:
127.0.0.1       localhost
::1             localhost
192.168.1.2     bsdrouter bsdrouter.domain.net
192.168.0.2     bsdrouter bsdrouter.domain.net
192.168.1.21    linuxcomputer linuxcomputer.domain.net
# cat hostname.em0
Code:
inet 192.168.0.2 255.255.255.0
# cat hostname.em1
Code:
inet 192.168.1.2 255.255.255.0
# cat pf.conf
Code:
block return    # block stateless traffic
pass            # establish keep-state

ext_if="em0"
int_if="em1"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
match log on $int_if all scrub (random-id min-ttl 64 reassemble tcp max-mss 1440)

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

# Redirect www to our transparent squid proxy.
pass in quick on $int_if proto tcp from $ext_if to any port { www } divert-to 127.0.0.1 port 3129
pass out quick from 127.0.0.1 divert-reply

pass out on $ext_if inet from $int_if:network to any nat-to $ext_if
# route show -inet
Code:
Routing tables
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.0.1        UGS        1     4697     -     8 em0
loopback           localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl        1      202 32768     1 lo0
192.168.0/24       bsdrouter          UC         1       58     -     4 em0
192.168.0.1        d4:04:cd:fd:23:eb  UHLc       1      257     -     4 em0
bsdrouter          00:15:17:d7:81:52  UHLl       0     1487     -     1 em0
192.168.0.255      bsdrouter          UHb        0        0     -     1 em0
192.168.1/24       bsdrouter          UC         3       18     -     4 em1
bsdrouter          00:15:17:d7:81:53  UHLl       0      361     -     1 em1
linuxcomputer      00:24:8c:7c:5f:53  UHLc       2     1792     -     4 em1
192.168.1.255      bsdrouter          UHb        0        2     -     1 em1
base-address.mcast localhost          URS        0        0 32768     8 lo0
LINUX

linuxcomputer:/etc# cat network/interfaces
Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.1.21
        netmask 255.255.255.0
        gateway 192.168.1.2
linuxcomputer:/etc# cat resolv.conf
Code:
nameserver 192.168.1.2
linuxcomputer:/etc# route
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         bsdrouter       0.0.0.0         UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0

You might have to reboot all systems, including the cable modem, because some modems cache the connections, and that could be bad. Also, there's a chance that rebooting might not reset the routing tables for some reason; apparently it didn't in my case, so doing:
Code:
route flush
on the BSD router machine should get things as expected.

If something goes wrong you could run tcpdump to see what kind of activity is going on, or not.
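An added example, not from the thread, that shows which rule of the posted pf.conf files actually decides a packet: pf evaluates filter rules top to bottom, the last matching rule wins, and a matching rule marked quick ends evaluation at once. It runs that logic over the ruleset from post #3 (where jggimi notes the block rule can never apply) and over the filter rules of the post #7 pf.conf above. Translation (nat-to, divert-to), set skip and stateful tracking are not modelled; macros are expanded by hand (egress and $ext_if are em0, $int_if is em1, "from $ext_if" is em0's own address); the packets and the public address 8.8.8.8 are constructed.

```python
"""Which filter rule in pf.conf decides a packet: last match wins, unless quick."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple

# The <martians> table from the post #7 pf.conf.
MARTIANS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "224.0.0.0/3", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24")]
ANY = [ip_network("0.0.0.0/0")]


class Rule(NamedTuple):
    label: str                        # the pf.conf line it stands for
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None       # interface name, or None for any
    proto: Optional[str] = None
    src: list = ANY                   # list of ip_network; ANY matches everything
    dst: list = ANY
    dport: Optional[int] = None
    quick: bool = False


class Packet(NamedTuple):
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, p: Packet) -> bool:
    return ((rule.direction is None or rule.direction == p.direction)
            and (rule.iface is None or rule.iface == p.iface)
            and (rule.proto is None or rule.proto == p.proto)
            and any(ip_address(p.src) in n for n in rule.src)
            and any(ip_address(p.dst) in n for n in rule.dst)
            and (rule.dport is None or rule.dport == p.dport))


def decide(ruleset, p: Packet) -> Tuple[str, str]:
    """Return (action, label of the deciding rule). pf passes a packet no rule matches."""
    winner = None
    for rule in ruleset:
        if matches(rule, p):
            winner = rule
            if rule.quick:          # quick: evaluation stops, this rule is final
                break
    if winner is None:
        return ("pass", "no rule matched")
    return (winner.action, winner.label)


# Ruleset from post #3 ("set skip on lo" aside): the catch-all pass follows the
# catch-all block, so the block can never be the last match.
POST3 = [
    Rule("block return", "block"),
    Rule("pass", "pass"),
    Rule("pass out on em0 from em1:network nat-to", "pass", "out", "em0",
         src=[ip_network("192.168.1.0/24")]),
]

# Filter rules of the post #7 pf.conf, in file order, macros expanded.
POST7 = [
    Rule("block return", "block"),
    Rule("pass", "pass"),
    Rule("block in quick on egress from <martians>", "block", "in", "em0",
         src=MARTIANS, quick=True),
    Rule("block return out quick on egress to <martians>", "block", "out", "em0",
         dst=MARTIANS, quick=True),
    # "from $ext_if" names em0's own address, 192.168.0.2, not the LAN.
    Rule("pass in quick on $int_if ... divert-to", "pass", "in", "em1", "tcp",
         src=[ip_network("192.168.0.2/32")], dport=80, quick=True),
    Rule("pass out quick from 127.0.0.1 divert-reply", "pass", "out",
         src=[ip_network("127.0.0.1/32")], quick=True),
    Rule("pass out on $ext_if from $int_if:network nat-to", "pass", "out", "em0",
         src=[ip_network("192.168.1.0/24")]),
]


if __name__ == "__main__":
    print(decide(POST3, Packet("in", "em0", "tcp", "8.8.8.8", "192.168.0.2", 22)))
    print(decide(POST7, Packet("in", "em0", "tcp", "10.0.0.5", "192.168.0.2", 22)))
    print(decide(POST7, Packet("in", "em1", "tcp", "192.168.1.21", "8.8.8.8", 80)))
    # <martians> contains 192.168.0.0/16, which also covers the ISP router's own LAN.
    print(decide(POST7, Packet("in", "em0", "icmp", "192.168.0.1", "192.168.0.2")))
```

Two things the run makes visible: a LAN client's port-80 packet never reaches the divert rule (its source is not em0's address) and is passed by the catch-all pass instead, and because the copied <martians> table includes 192.168.0.0/16, packets sourced from the ISP router's 192.168.0.1 arriving on em0 are dropped by the martians rule.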
#8 - 18th April 2016 - Nivekg

Thanks for all your help... I'm glad that these systems are as reliable as they are, but security can sometimes be inconvenient, but that's the nature of it.
#9 - 18th April 2016 - Nivekg

Quote:
Originally Posted by jggimi View Post
I don't know who "most everybody" is, but what *you* need to do is configure *your* network topology to meet your requirements. And a bridge (combining physical Ethernets into a single Ethernet) with two distinct IP subnets adds no value, as you had depicted in your first post. If that's confusing, then step back, and consider what it is you want to accomplish by inserting OpenBSD between your Linux platform and your ISP's router. I assume its to eventually build a full PF configuration, for packet filtering or bandwidth shaping, or both. But only you know what it is you want to accomplish.
For example, you were already using NAT in your environment - your ISP's router (which is apparently integrated with the cable modem) provides you with the 192.168.0/24 subnet.

This is a subnet within a range of addresses that can only be used for private networks, and cannot be routed over the Internet. (There are uncounted millions of private networks using addresses in the 192.168/16 address range, and using NAT to reach the Internet.)

All of your devices on all of your networks, once you get them working -- will share a single Internet facing IP address through the ISP's router. Whether you keep NAT provisioned in PF, or not. (And yes, with both the ISP's router and your OpenBSD router deploying NAT, you would have two address translations for every packet between the Linux system and the Internet.)
You have been misinformed. Bridging, while sometimes used, is a relatively infrequently used tool. Packet forwarding is far more common. So, if you are reading 3rd party "how to" documents, and assuming these are common or best practices, that's often an incorrect assumption. Be very wary of anything you find on the Internet. Even things you find here on this forum. We're just users. Only official documentation (the OpenBSD FAQ, INSTALL.<arch> files, man pages, etc.) content is supported.

Most 3rd party how-to documents are written by newer users who may not have complete understanding of the process they are documenting, or the guides do not consider all possible use-cases, or the guides are out-of-date. Or some combination of the three.

I've written a few of these 3rd-party how-tos. One that I wrote for the OpenBSD Journal was reviewed by a half-dozen developer/editors before it was published, and yet it was out-of-date and no longer valid within a single year's time. OpenBSD evolves, and is a moving target.

Do 3rd party how-tos have value? Yes, *if* you read them with the understanding they may not be correct, clear, or applicable.

When Peter Hansteen presents his PF Tutorials, he starts with a slide titled, This is not a HOWTO which contains a pledge. He asks everyone in the audience to recite the text of the pledge out loud. It's fun to see, but its an important message.

So when it comes to networking, please try to stick with the OpenBSD FAQ chapter on Networking, if you can, and use it as your primary guide. This is still Chapter 6, though the current changes to implement CSS on the website have the chapters unnumbered on the index page. And within, you'll find a discussion of bridge use in FAQ 6.6, where an example shows a bridge between two types of Ethernets. I use bridges, yes, but to interconnect Ethernets when that is actually needed. And while bridging is used, it is not ubiquitous.

Generally, the only bridge use I have seen in 3rd-party "set up a router" how-tos are for computers with a string of NICs, and the authors usually do this to make to make the computers' string of NICs behave something like a router with an integrated switch, such as your ISP's router likely has. But that artificial "turn my computer with a string of NICs into a switch-like device" limits your ability to manage packet filtering or traffic shaping. Thiis is because configuring packet filtering with bridged Ethernets is more complex than with separate networks.
In your first post, you assigned a static address to both NICs (em0:192.168.0.2/24, em1:192.168.1.2/24) and a gateway (default route) to the ISP's router at 192.168.0.1. That's three files: /etc/hostname.em0, /etc/hostname.em1, and /etc/mygate. If these configurations are unchanged, and if they were working before, then logic states these provisions are still correct. Since I don't see any obvious flaw with your PF configuration (other than a block rule that will never apply to any packets, because the subsequent pass rule apples to all traffic), I would test your network.

Can you ping(8) the ISP's router from OpenBSD? There's no routing involved, this is a ping on a single Ethernet segment and single IP subnet.

Can you ping() the Linux platform? Again, there is no routing involved.

If these fail, look to your ifconfig output. Are both em0 and em1 shown as active? If they are, did you accidentally swap cables?

Look to your routing table. Routing confused you, based on your first post. So here's a simple way of looking at routing of IP traffic.
  1. If a packet is destined for an address on the subnet, no routing applies.
  2. If a packet is destined for an address somewhere else, the sending computer needs to know the address of the router on the subnet to send the packet to for routing elsewhere.
  3. A routing table entry has two parts: a) the range of addresses the router manages, and b) the address of the router on the local subnet.
A default route -- the most common occurrence -- routes all packets headed elsewhere.

And all routing tables only need to have the range of applicable addresses, and the address of the next router.

So your Linux box only needs to have a single router entry, a default route of 192.168.1.2 -- the address of the OpenBSD router on its subnet.

Your OpenBSD box will have multiple routes. Its default route, the address of the ISP's router at 192.168.0.1, and the MAC addresses of any devices it's talked to on the 192.168.1/24 subnet, which it knows it can reach directly through em1 due to the IP address and netmask setting for that NIC.

If you are still at a loss, post the output of $ ifconfig -A, which will be the provisioning and state of all NICs, and $ route -n show -inet which will be the state of the routing table. If you need to post them, or any other console output or configuration file info, please wrap each in [code] and [/code] tags for readability. You may not have noticed, but ocicat has edited both of your posts to add these for clarity.
Lesson learned (I hope for long): sometimes trying to save time, when you're in a hurry, can have these effects.
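The three routing rules in the post above, worked as code. This is an added example and not part of the thread; the tables are constructed from the addresses cited in the post (em0 192.168.0.2/24, em1 192.168.1.2/24, ISP router 192.168.0.1, /etc/mygate pointing at it). The Linux host's address 192.168.1.20 and interface name eth0 are assumptions. Besides longest-prefix lookup, it performs the two checks a practitioner would make on `route -n show -inet` output: every gateway must sit on a connected subnet reached through the same NIC, and no subnet may be connected on two NICs at once (the temporary single-subnet setup from the first post).

```python
"""Route lookup modelled on the three routing rules in the post above.

Added example; not code from the thread. Tables are constructed from the
addresses in the thread: em0 192.168.0.2/24 and em1 192.168.1.2/24 on the
OpenBSD box, ISP router 192.168.0.1, Linux hosts on 192.168.1/24. The Linux
host address (192.168.1.20) and its interface name (eth0) are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    dest: IPv4Network               # a) range of addresses this entry covers
    gateway: Optional[IPv4Address]  # b) router on the local subnet; None = connected
    iface: str


@dataclass
class Host:
    name: str
    table: List[Route]
    forwarding: bool = False        # net.inet.ip.forwarding=1 on the OpenBSD box


DEFAULT = IPv4Network("0.0.0.0/0")


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the most specific entry covering dst wins."""
    best = None
    for r in table:
        if dst in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def next_hop(table: List[Route], dst: str) -> Tuple[str, str, str]:
    """Rule 1: on-link -> deliver directly. Rule 2: otherwise hand it to the gateway."""
    addr = IPv4Address(dst)
    r = lookup(table, addr)
    if r is None:
        raise LookupError(f"no route to {dst}")
    if r.gateway is None:
        return ("direct", r.iface, str(addr))
    return ("via", r.iface, str(r.gateway))


def check_table(table: List[Route]) -> List[str]:
    """Sanity checks on a routing table as seen in ifconfig / route -n show output."""
    problems: List[str] = []
    connected = [r for r in table if r.gateway is None]
    # A gateway must be on a connected subnet, reached through that same interface.
    for r in table:
        if r.gateway is None:
            continue
        on_link = [c for c in connected if r.gateway in c.dest]
        if not on_link:
            problems.append(f"gateway {r.gateway} is not on any connected subnet")
        elif on_link[0].iface != r.iface:
            problems.append(f"gateway {r.gateway} is reached via {on_link[0].iface}, not {r.iface}")
    # Two NICs on the same subnet (the thread's temporary setup) make lookups ambiguous.
    for i, a in enumerate(connected):
        for b in connected[i + 1:]:
            if a.dest == b.dest and a.iface != b.iface:
                problems.append(f"{a.dest} is connected on both {a.iface} and {b.iface}")
    return problems


def trace(hosts: Dict[str, Host], owner: Dict[str, str], src: str, dst: str, limit: int = 8) -> List[str]:
    """Follow a packet host by host until it is delivered on-link or leaves the model."""
    path = [src]
    cur = src
    for _ in range(limit):
        if cur != src and not hosts[cur].forwarding:
            return path + ["dropped: forwarding disabled"]
        kind, _, hop = next_hop(hosts[cur].table, dst)
        if kind == "direct":
            return path + ["delivered"]
        cur = owner.get(hop, hop)   # gateway address -> host name, or the raw address if unmodelled
        path.append(cur)
        if cur not in hosts:
            return path             # left the modelled network (e.g. at the ISP router)
    return path + ["loop?"]


# Constructed tables (see module docstring for which values are assumptions).
OPENBSD = Host("openbsd", [
    Route(IPv4Network("192.168.0.0/24"), None, "em0"),
    Route(IPv4Network("192.168.1.0/24"), None, "em1"),
    Route(DEFAULT, IPv4Address("192.168.0.1"), "em0"),   # /etc/mygate
], forwarding=True)
LINUX = Host("linux", [
    Route(IPv4Network("192.168.1.0/24"), None, "eth0"),
    Route(DEFAULT, IPv4Address("192.168.1.2"), "eth0"),  # the OpenBSD router's em1 address
])
HOSTS = {h.name: h for h in (OPENBSD, LINUX)}
HOSTS_NOFWD = {"openbsd": Host("openbsd", OPENBSD.table, forwarding=False), "linux": LINUX}
OWNER = {"192.168.1.2": "openbsd", "192.168.0.2": "openbsd", "192.168.1.20": "linux"}

# Thread's temporary setup: em0 192.168.0.2 and em1 192.168.0.10 on one subnet.
FLAT = [
    Route(IPv4Network("192.168.0.0/24"), None, "em0"),
    Route(IPv4Network("192.168.0.0/24"), None, "em1"),
    Route(DEFAULT, IPv4Address("192.168.0.1"), "em0"),
]
# A mygate that is not on any connected subnet (hypothetical misconfiguration).
BAD_MYGATE = [
    Route(IPv4Network("192.168.1.0/24"), None, "em1"),
    Route(DEFAULT, IPv4Address("192.168.0.1"), "em0"),
]

if __name__ == "__main__":
    print(next_hop(OPENBSD.table, "8.8.8.8"))
    print(trace(HOSTS, OWNER, "linux", "192.168.0.1"))
    print(check_table(FLAT), check_table(BAD_MYGATE))
```

The trace from the Linux host to the ISP router shows why the OpenBSD box needs both a connected route on em1 and forwarding enabled: without the former the Linux host's default route has no on-link gateway, and without the latter the packet is dropped at the router.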
Old 18th April 2016
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,730

You're still eating from bowls of copypasta. Both in rc(8) provisioning, and in your pf.conf.

rc:

1. "unbound=YES" is meaningless and will be ignored
2. There is an rc.d(8) script for squid, you can start it from settings in /etc/rc.conf.local and you do not need an rc.local file at all. An additional advantage to using rc.d(8) scripts is that they are also used at shutdown, while rc.local is not.

Since the advent of the rcctl(8) utility, we no longer need to edit rc.conf.local manually. To add the squid daemon to rc.conf.local, all you need is # rcctl enable squid. To start it, without rebooting, all you need is # rcctl start squid. See the rcctl(8) man page, it's a very handy tool.

PF:

Just to pick on you some more ... Do you know why you are using a maximum TCP segment size of 1440? If you don't, please read Peter's Pledge out loud.
Old 18th April 2016
Nivekg Nivekg is offline
Real Name: Kevin Guerra
kevingnet
 
Join Date: Apr 2016
Location: Santa Clara
Posts: 8

Quote:
Originally Posted by jggimi View Post
You're still eating from bowls of copypasta. Both in rc(8) provisioning, and in your pf.conf.

rc:

1. "unbound=YES" is meaningless and will be ignored
2. There is an rc.d(8) script for squid, you can start it from settings in /etc/rc.conf.local and you do not need an rc.local file at all. An additional advantage to using rc.d(8) scripts is that they are also used at shutdown, while rc.local is not.

Since the advent of the rcctl(8) utility, we no longer need to edit rc.conf.local manually. To add the squid daemon to rc.conf.local, all you need is # rcctl enable squid. To start it, without rebooting, all you need is # rcctl start squid. See the rcctl(8) man page, it's a very handy tool.

PF:

Just to pick on you some more ... Do you know why you are using a maximum TCP segment size of 1440? If you don't, please read Peter's Pledge out loud.
It's cool... I actually did read the pledge, however, I still have quite a bit of confusion from all the sleep deprivation the last 3 weeks or so. I actually did read about the segment size and it did make sense while I was reading the whole article, but at the moment I don't really have an answer or even remember much.

I'm still working on revising the configuration, I'll make sure that what's in there is sound, as much as I'm able. After a while of use, a few weeks or so, the next plan would be to... wait for this.... harden the system....
Old 18th April 2016
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,730
No worries. And I mean that. With OpenBSD, there isn't anything to "harden." But if you do have questions in those areas, be sure to start a new thread. Daemonforums prefers one subject (or even one question) per thread, to simplify searching.