OpenBSD General
routing and ARP questions
Hi there

I'm still trying to set up my network. The devices that concern me at this stage in the set-up that I want are:

Code:
    ---|LAN|---|switch|---|OpenBSD|---|switch|------|ADSL/router|

Here is the output of netstat -rn on OpenBSD:

Code:
    Internet:
    Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
    default            192.168.1.254      UGS        0        0     -     8 xl0
    127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
    127.0.0.1          127.0.0.1          UH         2        0 33200     4 lo0
    192.168.1/24       link#1             UC         1        0     -     4 xl0
    192.168.1.66       127.0.0.1          UGHS       0        0 33200     8 lo0
    192.168.1.254      00:24:17:f7:d5:88  UHLc       1       41     -     4 xl0
    192.168.2/24       link#2             UC         1        0     -     4 xl1
    192.168.2.77       34:15:9e:2e:0b:ac  UHLc       0       23     -     4 xl1
    224/4

What I'm trying to establish is whether the border router/ADSL box (which is a home router) won't allow anything from interfaces that are on different subnets to its internal interface, or whether I just haven't configured routing properly on OpenBSD.

A tcpdump sniff of the OpenBSD box's external interface, while I was trying to ping the border router from the LAN, just revealed that OpenBSD's external interface was sending the ICMP echo packets out. The only other thing mentioned in this sniffing session was that the ADSL/border router did an ARP request for the host on the LAN that pinged it. No reply was received.

I can ping either the external or internal interface on the OpenBSD box from hosts on the LAN. I just need to establish whether it's the ADSL box/border router that is refusing to deal with packets that have source IPs that are not on the same subnet as its internal interface/DHCP range, or whether there is anything I can do on OpenBSD to improve the situation.

BTW, when I did:

Code:
    #route add 192.168.2.77 192.168.2.12

Thank you for your time and any replies.
Sorry, I forgot to say. 192.168.2.77 is the IP of the ping host on the LAN. 192.168.2.12 is the internal interface on the OpenBSD box.
I just tried putting OpenBSD's internal interface and the LAN host's interface on 192.168.1.*. I don't think OpenBSD liked it. I couldn't ping OpenBSD's internal or external interface from the LAN. Is OpenBSD supposed to be able to have two interfaces on the same subnet and still route in this way?
Is there any way to get OpenBSD to route packets from 192.168.1.* when both its interfaces are on 192.168.1.*? I think that may be the only way to satisfy the ADSL box/router. When I did a tcpdump sniff of OpenBSD's internal interface while pinging from the LAN host (192.168.1.247), with both its interfaces on 192.168.1.*, an ARP request to tell the LAN host the MAC address of OpenBSD's internal interface was never answered. How do I get OpenBSD to be able to have both its interfaces on 192.168.1.*? This is not really OpenBSD's fault; I think it's the ADSL/border router forcing me into an unusual position.
Thank you for any suggestions
Just to be more helpful, here's how IP routing works, from a high-level perspective:
Your ISP will not route those packets to the Internet, of course, as they are part of the RFC 1918 address pool, used in private networks.
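The forwarding decisions that post sketches, traced through the thread's own topology, as an added example that is not part of the original thread and not OpenBSD code. It is a toy model: each host has interfaces on named links, a routing table consulted by longest-prefix match, and an ARP stand-in that only answers for addresses actually configured on the same link. The LAN addresses are the ones quoted in the thread (192.168.2.77 on the LAN host, 192.168.2.12 and 192.168.1.66 on the OpenBSD box, 192.168.1.254 on the ADSL box); the ISP-side addresses (203.0.113.x, documentation range) and an ISP that refuses RFC 1918 destinations are assumptions used to model the reply leaving via the ADSL box's default route. It traces an echo request and its reply for four constructed cases: the setup as posted, net.inet.ip.forwarding left off on the OpenBSD box, a static route for 192.168.2/24 added on the ADSL box, and source NAT on xl0.

```python
"""Toy model of hop-by-hop IP forwarding for the thread's topology (added example)."""
import ipaddress

# Private ranges the (assumed) ISP refuses to route, as the post above notes.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def topology(openbsd_forwarding=True, adsl_static_route=False, openbsd_nat=False):
    """Hosts keyed by name: interfaces {name: (ip, link)}, routes [(prefix, gateway|None, iface)].
    LAN addresses are the thread's; 203.0.113.x is an assumed placeholder for the ISP side."""
    hosts = {
        "lanhost": {"forwarding": False,
                    "ifaces": {"eth0": ("192.168.2.77", "inner")},
                    "routes": [("192.168.2.0/24", None, "eth0"),
                               ("0.0.0.0/0", "192.168.2.12", "eth0")]},
        "openbsd": {"forwarding": openbsd_forwarding,        # sysctl net.inet.ip.forwarding
                    "ifaces": {"xl0": ("192.168.1.66", "outer"),
                               "xl1": ("192.168.2.12", "inner")},
                    "routes": [("192.168.1.0/24", None, "xl0"),
                               ("192.168.2.0/24", None, "xl1"),
                               ("0.0.0.0/0", "192.168.1.254", "xl0")]},
        "adsl":    {"forwarding": True,
                    "ifaces": {"lan": ("192.168.1.254", "outer"),
                               "wan": ("203.0.113.5", "wan")},
                    "routes": [("192.168.1.0/24", None, "lan"),
                               ("0.0.0.0/0", "203.0.113.1", "wan")]},
        "isp":     {"forwarding": True, "deny": RFC1918,      # assumed: ISP drops private dsts
                    "ifaces": {"a": ("203.0.113.1", "wan")},
                    "routes": [("0.0.0.0/0", None, "a")]},
    }
    if adsl_static_route:   # tell the ADSL box that 192.168.2/24 lives behind the OpenBSD box
        hosts["adsl"]["routes"].append(("192.168.2.0/24", "192.168.1.66", "lan"))
    if openbsd_nat:         # source-NAT everything leaving xl0 to xl0's own address
        hosts["openbsd"]["nat"] = "xl0"
    return hosts


def lookup(routes, dst):
    """Longest-prefix match; returns (gateway, iface) or None."""
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best and best[1:]


def neighbour(hosts, link, ip):
    """ARP stand-in: the host owning `ip` on `link`, or None when nobody answers."""
    for name, h in hosts.items():
        if any(lnk == link and addr == ip for addr, lnk in h["ifaces"].values()):
            return name
    return None


def forward(hosts, at, src, dst, nat_state, max_hops=8):
    """Carry one packet hop by hop. Returns (hops, outcome, source address as last seen)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = [at]
    for _ in range(max_hops):
        h = hosts[at]
        if h.get("nat") and (str(dst), str(src)) in nat_state:   # reply to a translated flow
            dst = ipaddress.ip_address(nat_state[(str(dst), str(src))])
        if str(dst) in [addr for addr, _ in h["ifaces"].values()]:
            return hops, "delivered", str(src)
        if len(hops) > 1 and not h["forwarding"]:
            return hops, f"{at} does not forward (ip.forwarding=0)", str(src)
        if any(dst in net for net in h.get("deny", [])):
            return hops, f"{at} drops {dst}: RFC 1918 destination", str(src)
        route = lookup(h["routes"], dst)
        if route is None:
            return hops, f"{at}: no route to {dst}", str(src)
        gw, iface = route
        out_addr, link = h["ifaces"][iface]
        if h.get("nat") == iface and str(src) != out_addr:         # outbound NAT
            nat_state[(out_addr, str(dst))] = str(src)
            src = ipaddress.ip_address(out_addr)
        next_hop = gw or str(dst)                                   # gateway, or on-link dst
        nxt = neighbour(hosts, link, next_hop)
        if nxt is None:
            return hops, f"{at}: ARP for {next_hop} on {link} unanswered", str(src)
        at = nxt
        hops.append(at)
    return hops, "hop limit exceeded", str(src)


def ping(hosts, src_host, dst_ip):
    """Echo request from src_host to dst_ip, then the reply. Returns (request, reply, reply path)."""
    state = {}
    src_ip = next(iter(hosts[src_host]["ifaces"].values()))[0]
    req_hops, req, seen = forward(hosts, src_host, src_ip, dst_ip, state)
    if req != "delivered":
        return req, None, req_hops
    rep_hops, rep, _ = forward(hosts, req_hops[-1], dst_ip, seen, state)
    return req, rep, rep_hops


if __name__ == "__main__":
    for label, hosts in [("as posted", topology()),
                         ("forwarding off", topology(openbsd_forwarding=False)),
                         ("static route on ADSL box", topology(adsl_static_route=True)),
                         ("NAT on xl0", topology(openbsd_nat=True))]:
        print(f"{label}: {ping(hosts, 'lanhost', '192.168.1.254')}")
```

In the "as posted" case the request is delivered but the reply follows the ADSL box's default route upstream and dies there; the two working cases are the two real fixes: a static route for 192.168.2.0/24 via 192.168.1.66 on the ADSL box (if its firmware allows one), or, on the OpenBSD side, source NAT so the ADSL box only ever sees 192.168.1.66 (in current pf.conf syntax something like `match out on xl0 from 192.168.2.0/24 to any nat-to (xl0)`, an assumption here and not from the thread). The thread's tcpdump showed the ADSL box ARPing for 192.168.2.77 on its LAN side rather than sending the reply upstream; the model does not reproduce that firmware quirk, but the root cause is the same: the box has no path back to 192.168.2/24 through the OpenBSD box.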
Quite a lot of people use the NAT routers provided by their ISP, but that sort of makes OpenBSD redundant. For ADSL you should look into switching the modem to bridged mode and using one of OpenBSD's PPPoE clients instead; that way you get assigned a public address and control the topology in greater detail.
It's not entirely redundant, though. Even in the topology described by unixjingleman, the "outer" subnet could be used for "DMZ" servers, with very strict rules on inbound traffic (say, from an "outer" web server to an inner DB engine).
The OpenBSD platform can be used for traffic shaping in and out of the "inner" subnet. (No, I don't have an ADSL modem.)
But it is overkill for a simple network. It makes little sense to use it as a transparent filter like that; you might as well consolidate the NAT and firewall onto one system, preferably something more manageable than the ISP brick.
That's one reason I dislike DSL providers, though: they eliminated the PPP dialers and merged the modem with a SOHO router, effectively forcing NAT on people. My cable modem assigns public IPs using DHCP.
Last edited by BSDfan666; 19th January 2011 at 08:20 PM.
Perhaps. As I said, I don't have ADSL, and if I did, I would still want an exposed address and more complete control.
My VDSL modem (3-Wire, meh) provides a "SuperDMZ" mode to provide the exposed address to the inner router. It does not operate as a bridge, and offers a bunch of firewall-ish capabilities which I have disabled. I leave the outer subnet for IPTV traffic to the set-top boxes; the inner subnets are for servers, workstations, game consoles, mobile phones, and other family TCP/IP traffic.

Edited to add: To be clear, the VDSL box doesn't have a bridge mode available. In "SuperDMZ" mode, it remains a NAT router and forwards all packets that aren't associated with an existing state table entry to the DMZ host, which uses the exposed IP address. Since I don't have a bridge, I let the IPTV boxes have their own RFC 1918 subnet, sharing their switched Ethernet with the "outer" NIC of my bastion OpenBSD router, so that IPTV traffic doesn't transit any of my own systems; I did not want to have to shape it. The web server in my .sig is behind several NATs. From this ISP, IPTV and VoIP traffic come through a private IP network, not the Internet; that traffic comes from a nearby point of presence. The VoIP packets are converted to analog POTS twisted pair by the 3-Wire router, and go to household wired phones.
Last edited by jggimi; 19th January 2011 at 09:34 PM.