DaemonForums  

#1   7th April 2015
benky
Port Guard
Join Date: Dec 2014
Location: Croatia
Posts: 14

Soekris - home network

The problem is that I can't get Internet on the Debian PC or the WiFi clients.

Here is my setup:

Code:
# pfctl -d
pfctl: pf not enabled
Code:
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 1 -> 1
Code:
# cat dhcpd.conf
subnet 10.10.10.0 netmask 255.255.255.0 {
        # NB: this gateway is not inside 10.10.10.0/24; WLAN clients need the
        # router's own ath0 address on this subnet (10.10.10.1) as their default route.
        option routers 192.168.2.1;
        range 10.10.10.90 10.10.10.99;
}
Hostnames
vr0 is connected to the ADSL router with IP 192.168.1.1
Code:
# cat hostname.vr0
#inet 192.168.1.11 255.255.255.0 NONE
dhcp
Code:
# cat hostname.vr1
inet 192.168.2.1 255.255.255.0 NONE
Code:
# cat hostname.ath0
inet 10.10.10.1 255.255.255.0
mediaopt hostap
nwid benky
nwkey 12345
Debian PC
Code:
# eth0 settings
auto eth0
allow-hotplug eth0
iface eth0 inet static
	address 192.168.2.22
	netmask 255.255.255.0
	gateway 192.168.2.1
Routes and ifconfig
Code:
# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            sx763.sx76x.gigase UGS        0        5     -     8 vr0
10.10.10/24        link#5             UC         0        0     -     4 ath0
10.10.10.1         00:12:bf:60:80:32  UHLl       0        0     -     1 lo0
10.10.10.255       link#5             UHLb       0        0     -     1 ath0
loopback           localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl        1        0 32768     1 lo0
192.168.1/24       link#1             UC         1        0     -     4 vr0
sx763.sx76x.gigase c0:d0:44:66:bb:40  UHLc       3      119     -     4 vr0
00-00-24-cc-54-bc. 00:00:24:cc:54:bc  UHLl       0        0     -     1 lo0
192.168.1.255      link#1             UHLb       0        0     -     1 vr0
192.168.2/24       link#2             UC         1        0     -     4 vr1
192.168.2.1        00:00:24:cc:54:bd  HLl        0        0     -     1 lo0
192.168.2.22       bc:5f:f4:d9:95:d1  UHLc       0        2     -     4 vr1
192.168.2.255      link#2             UHLb       0        0     -     1 vr1
base-address.mcast localhost          URS        0        0 32768     8 lo0
Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        priority: 0
        groups: lo
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cc:54:bc
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.244 netmask 0xffffff00 broadcast 192.168.1.255
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cc:54:bd
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
vr2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cc:54:be
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
vr3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cc:54:bf
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
ath0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:12:bf:60:80:32
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
        status: active
        ieee80211: nwid benky chan 1 bssid 00:12:bf:60:80:32 nwkey 12345
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
        priority: 0
        groups: pflog

#2   7th April 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,292

I needed to look no further than this:
Quote:
Originally Posted by benky
Code:
# pfctl -d
pfctl: pf not enabled
Your home network shares a single "real" IP address on the Internet. Your router requires NAT - Network Address Translation. With OpenBSD, NAT is provisioned via PF.

See the Network Address Translation chapter of the PF User's Guide.

Last edited by jggimi; 7th April 2015 at 10:25 AM. Reason: clarity

#3   7th April 2015
benky
Port Guard
Join Date: Dec 2014
Location: Croatia
Posts: 14

Thank you. My intention was first to build the basic connections between all interfaces and from the local network to the Internet. Immediately after setting up the connections, my second step is configuring PF.

So to get it to work it needs to be done with PF NAT?
A simple rule:
Code:
pass out on vr0 inet from vr1:network to any nat-to vr0
I need to figure out a rule for ath0 wifi.

Is it possible to get it to work without it? Something like bridge or defining new route?

Last edited by benky; 7th April 2015 at 03:19 PM. Reason: Solved :)

#4   7th April 2015
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,295

Quote:
Originally Posted by benky
Is it possible to get it to work without it?
Your internal subnets are all using non-routable private network addresses. These subnets will not be able to communicate in the public namespace. This is the situation necessitating NAT, & was the reason it was implemented.

For more details, study RFC 1918.

#5   7th April 2015
benky
Port Guard
Join Date: Dec 2014
Location: Croatia
Posts: 14

Quote:
Originally Posted by jggimi
I needed to look no further than this: Your home network shares a single "real" IP address on the Internet. Your router requires NAT - Network Address Translation. With OpenBSD, NAT is provisioned via PF.

See the Network Address Translation chapter of the PF User's Guide.
Thank you!

#6   7th April 2015
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,292

Quote:
Originally Posted by benky
Is it possible to get it to work without it?
Maybe... but you are dependent on that ADSL modem and its capabilities. This is because your ADSL modem does NAT also. The subnet it provisions your OpenBSD system on, with DHCP, is also an RFC 1918 subnet: 192.168.1/24.

If you did not use NAT in OpenBSD, you would need to add one or more static routes (e.g: 10/8) to the modem, so that it "knows" that packets destined for your internal networks must be routed to your OpenBSD system. Its NAT capabilities would also need to encompass those subnets.

The best practice for these environments is to provision the ADSL modem in "bridge mode", so that your "real" Internet address is exposed and assigned to the OpenBSD router. In this way, only one layer of NAT is needed. How that is done depends on the make/model of device and its provisioning capabilities. My last VDSL modem had a "SuperDMZ" mode which was similar, but not equivalent, to a true bridged operation.

But you can always retain multiple NAT layers, and not touch the ADSL modem's provisioning.

Here is a two-line, pass-everything PF configuration that includes NAT for your configuration, where vr0 is your egress NIC. I haven't tested it.
Code:
match out on vr0 from !vr0:network to any nat-to (vr0)
pass
Any traffic directed outward on vr0 that does not originate from its subnet will be NATted. If the assigned address of the vr0 NIC changes due to the dynamic nature of DHCP, the rule will self modify. No packets will ever be blocked.

If these two rules work on the 192.168.1/24 subnet, they will work on a "real" Internet facing subnet also. However, this ruleset is NOT best practice, and is suitable for testing only. That is because it filters nothing.

Last edited by jggimi; 7th April 2015 at 04:39 PM. Reason: typo
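The two-line ruleset above deliberately filters nothing. The following pf.conf is an added example for the topology in this thread, not a ruleset posted by anyone here: it keeps jggimi's dynamic NAT rule and adds a default-deny policy, anti-spoofing, and separation of the wireless segment, using the interface names and subnets from benky's hostname.* files. One caveat worth noting for that segment: `nwkey` in hostname.ath0 configures a WEP key (OpenBSD uses `wpakey` for WPA), so the WLAN is treated here as untrusted.

```pf
# Added example for benky's Soekris router (not from the thread).
ext_if  = "vr0"          # egress, address assigned by the ADSL modem via DHCP
lan_if  = "vr1"          # wired LAN, 192.168.2.1/24 (the Debian PC lives here)
wifi_if = "ath0"         # hostap WLAN, 10.10.10.1/24
int_ifs = "{" $lan_if $wifi_if "}"

set skip on lo0
set block-policy drop

# Drop packets arriving on an internal interface whose source address
# belongs to a different interface's network.
antispoof quick for $int_ifs

# Outbound NAT: translate anything leaving vr0 that did not originate on
# vr0's own subnet. The parentheses make both the network test and the
# translation address follow DHCP address changes on vr0.
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if)

# Default deny, logged to pflog0 so that misconfigurations are visible.
block log all

# Wireless clients get Internet only: no wired LAN, no modem subnet.
block in quick on $wifi_if inet from any to { $lan_if:network $ext_if:network }

# DHCP requests arrive before the client has an address, so match them
# by port rather than by source network.
pass in quick on $int_ifs inet proto udp from any port 68 to any port 67

# Internal clients may reach the router and be forwarded out through vr0;
# the state created here also matches the packet when it leaves on vr0.
pass in on $lan_if  inet from $lan_if:network  to any
pass in on $wifi_if inet from $wifi_if:network to any

# Traffic the router itself originates may leave on any interface.
pass out inet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then enable and load with `pfctl -e` and `pfctl -f /etc/pf.conf`; blocked packets can be watched with `tcpdump -n -e -ttt -i pflog0`.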