DaemonForums > OpenBSD > OpenBSD General
#1 - 26th October 2016 - psypro
NAT router

I am following the guide for setting up a router at: http://www.bsdnow.tv/tutorials/openbsd-router

I have an Intel 4-port NIC.
OpenBSD 6.0.
It gets a DHCP address on em0, and from the OpenBSD box I can ping the world.
But from other computers I can't ping the LAN side: 192.168.0.1

What can I change to make it work?

hostname.em0
Code:
dhcp
hostname.em1
Code:
up
hostname.vether0
Code:
inet 192.168.0.1 255.255.255.0 192.168.0.255
hostname.bridge0
Code:
add vether0
add em1
add em2
add em3
blocknonip vether0
blocknonip em1
blocknonip em2
blocknonip em3
up

Output of ifconfig:
Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 7 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:18
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.210 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:19
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
em2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:20
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
em3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:21
        index 4 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr c0:3f:d5:ee:9d:0b
        index 5 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<>
        index 6 priority 0 llprio 3
        groups: enc
        status: active
vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:80:cb
        index 8 priority 0 llprio 3
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
bridge0: flags=41<UP,RUNNING>
        index 9 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        vether0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 8 ifpriority 0 ifcost 0
        em1 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 2 ifpriority 0 ifcost 0
        em2 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 3 ifpriority 0 ifcost 0
        em3 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 4 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
        index 10 priority 0 llprio 3
        groups: pflog

/etc/dhcpd.conf
Code:
option domain-name-servers 192.168.0.1;
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    range 192.168.0.4 192.168.0.254;
    host meimei {
        fixed-address 192.168.0.2;
        hardware ethernet 00:00:00:00:00:00;
        }
    host suigintou {
        fixed-address 192.168.0.3;
        hardware ethernet 11:11:11:11:11:11;
        }
}
#2 - 26th October 2016 - TronDD

What does your pf.conf look like?

Are the clients getting the correct IP and gateway set by the DHCP server?
#3 - 27th October 2016 - psypro

pf.conf
Code:
# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if="{ vether0 em1 em2 em3 }"
broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
        10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
        198.51.100.0/24, 203.0.113.0/24, \
        169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for (egress)
block in quick on egress from { $broken no-route urpf-failed } to any
block in quick inet6 all
block return out quick inet6 all
block return out quick log on egress proto { tcp udp } from any to any port 53
block return out quick log on egress from any to { no-route $broken }
block in all
pass out quick inet keep state
pass in on $int_if inet
pass in on $int_if inet proto { tcp udp } from any to ! 192.168.0.1 port 53 rdr-to 192.168.0.1
pass in on egress inet proto tcp to (egress) port 222 rdr-to 192.168.0.2
pass in on egress inet proto tcp from any to (egress) port 2222
(Update: found a 192.168.1.1 address, removed it and changed it to 192.168.0.1)

LAN clients do not get a DHCP offer from the OpenBSD router box.

Last edited by psypro; 27th October 2016 at 03:15 PM.
#4 - 27th October 2016 - psypro

broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16

Does that break my 192.168.0.* network?
#5 - 27th October 2016 - psypro

Still does not work, trying something simpler. If I can get the simple version to work, I can get more advanced later. Please advise.

Will this simple pf allow NAT?

pf.conf
Code:
pass all
pass inet proto tcp from em1:network to any port $ports
(found a typo, still error)

Last edited by psypro; 27th October 2016 at 04:16 PM.
#6 - 27th October 2016 - jggimi

psypro, your internal LAN is on bridge0, and that is what your LAN rules should be using.

Your rules do not mention bridge0, instead, they combine the underlying em1-em3 and vether0.

You can prove this by running tcpdump(8) with the pflog0 pseudo-NIC. I expect you will see packets being blocked by your block in all rule, because these packets arrive on bridge0, so none of your pass rules match.
#7 - 27th October 2016 - psypro

Still does not work. My OpenBSD router can ping the internet through em0. My OpenBSD router can ping itself at 192.168.0.1 (em1), but a PC trying to reach em1 can't ping 192.168.0.1 when I set the PC to 192.168.0.3.

Thank you for your reply. Will post more right away.

/etc/hostname.bridge0
Code:
 cat /etc/hostname.bridge0

add em1
add em2
add em3
blocknonip vether0
blocknonip em1
blocknonip em2
blocknonip em3
up
Code:
# cat /etc/hostname.em0
dhcp
# cat /etc/hostname.em1
up
inet 192.168.0.1 255.255.255.0 192.168.0.255
Code:
# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:18
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.210 netmask 0xffffff00 broadcast 192.168.1.255
Code:
# ifconfig em1
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:19
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
Code:
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.redirect=0
kern.bufcachepercent=50
net.inet.ip.ifq.maxlen=1024
net.inet.tcp.mssdflt=1440
kern.securelevel=2

Last edited by psypro; 27th October 2016 at 04:42 PM.
#8 - 27th October 2016 - psypro

jggimi,

What would be the simplest thing to put in pf.conf to make it work?
I am now focusing only on getting em0 as the internet-facing port and em1 as the LAN-facing port to work.

Should I add em0 to the bridge? What are you trying to tell me?

I have read the Absolute OpenBSD handbook, although a month ago, and found several different OpenBSD tutorials.

https://home.nuug.no/~peter/pf/en/long-firewall.html
https://www.openbsd.org/faq/pf/config.html
http://www.bsdnow.tv/tutorials/openbsd-router

They are all slightly different.
#9 - 27th October 2016 - psypro

Would this work for NAT?
pass in all em1
pass out all em1
pass in all em0
pass out all em0

nat on em0 from em1

Last edited by psypro; 27th October 2016 at 04:45 PM.
27th October 2016 - jggimi

Do not assign multiple IP addresses to the NICs on your bridge.

The purpose of a bridge is to combine multiple physical Ethernet segments into a single logical Ethernet. Think of it this way ... when you bridge 3 of your NICs together, they will behave something like, but not completely like an Ethernet switch.

Here is a logical picture of an Ethernet switch. These six devices each have their own IP address assignments, and their Ethernet cables each connect to an individual port on the switch. The switch interconnects them. It does not have any IP addresses of its own:
Code:
{Device A} {Device B} {device C}
    |             |        |
  [Ethernet hub or Ethernet switch]
    |             |        |
{Device D} { Device E} {Device F}
When you bridge NICs together, the bridge acts like a switch.

The reason that you see "how to" guides include vether(4) pseudo devices is to use the vether device for a single permanent IP address assignment to the cluster of NICs, so that OpenBSD can act more like a real Ethernet switch, and still communicate with the Ethernet over a single IP.
Code:
{Device A} {Device B} {device C}
    |             |        |
  [OpenBSD bridge0 and bridged NICs.  ]
    |             |        |
{Device D} { Device E} {vether0 acting as device F}
This permits the NICs to act as if they are ports on a switch - they do not have IP address assignments, and can be moved from port to port. And it permits OpenBSD to have a permanent address on the Ethernet -- via the vether0 device.

Last edited by jggimi; 27th October 2016 at 04:51 PM. Reason: clarity
27th October 2016 - psypro

OK, so I should re-enable hostname.vether0 so that em1, em2 and em3 work as switch ports.
Done.
Removed the IP from em1.

Code:
# cat /etc/hostname.bridge0
add vether0
add em1
add em2
add em3
blocknonip vether0
blocknonip em1
blocknonip em2
blocknonip em3
up
# cat /etc/hostname.em0
dhcp
# cat /etc/hostname.em1
up
# cat /etc/hostname.em2
up
# cat /etc/hostname.em3
up
# cat /etc/hostname.vether0
inet 192.168.0.1 255.255.255.0 192.168.0.255
I use 192.168.1.1 for "production"; I want to use 192.168.0.1 for testing.
(Update: clarified that I meant I removed the IP from em1)

OK?

I rebooted.

I can ping 192.168.0.1 from inside an SSH session to the OpenBSD router. From a Windows PC connected to a switch, with the switch connected to em1 on the OpenBSD router, no ping. The Windows PC gets no response when pinging 192.168.0.1, and the OpenBSD router gets no ping response when pinging 192.168.0.3.

Trying a new pf.conf based on the bsdnow tutorial:

Code:
int_if="{ vether0 em1 em2 em3 }"
# $broken is referenced by the egress rules below; pfctl refuses to load the
# file while the macro is undefined (definition as in the earlier pf.conf)
broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
        10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
        198.51.100.0/24 203.0.113.0/24 \
        169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for (egress)
block in quick on egress from { $broken no-route urpf-failed } to any
block in quick inet6 all
block return out quick inet6 all
block return out quick log on egress proto { tcp udp } from any to any port 53
block return out quick log on egress from any to { no-route $broken }
block in all
pass out quick inet keep state
pass in on $int_if inet
pass in on $int_if inet proto { tcp udp } from any to ! 192.168.0.1 port 53 rdr-to 192.168.0.1

Last edited by psypro; 27th October 2016 at 05:19 PM.
27th October 2016 - jggimi

As you are, as we say, "building your airplane while flying it," it is difficult to know exactly what you are doing, or what state things might be in.
Quote:
Originally Posted by psypro View Post
....From a Windows PC connected to a switch, with the switch connected to em1 on the OpenBSD router, no ping.
??
Since you already have a switch, why are you attempting to turn your OpenBSD system into a switch, too?

Start small. Start simple. Use one NIC for your external network (em0), and use only a second NIC (em1) for your internal network.

1. Eliminate bridge(4) and vether(4) from your configuration.

2. Plug your switch into em1. Plug your workstations into the switch.

3. Assign em1 an IP address and netmask in /etc/hostname.em1:
Code:
inet 192.168.0.1/24
The topology would be something like this:

{internet} - [external gateway] - 192.168.1/24 network - [OpenBSD] - 192.168.0/24 network - [switch] - [one or more workstations]
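The "start small" router described in the post above, as an added example that is not part of the thread (it is neither jggimi's nor the bsdnow tutorial's configuration): one script that writes the whole minimal file set, a NAT-only pf.conf, hostname.if for both NICs, the forwarding sysctl, and a dhcpd.conf for the LAN. The interface names em0/em1 and the 192.168.0.0/24 LAN come from the thread; DESTDIR, the DNS knob and the helper names are this example's own assumptions. Setting DESTDIR to a scratch directory lets you inspect the output without touching a live system. It deliberately does not set kern.securelevel.

```shell
#!/bin/sh
# Added example (not from the thread): write the config files for the minimal
# OpenBSD NAT router jggimi describes: em0 external via DHCP, em1 internal
# with 192.168.0.1/24, pf doing NAT only, dhcpd serving the LAN.
# Assumptions: OpenBSD 6.x, run as root for a live install; DESTDIR (an
# invented knob) points at a scratch directory for a dry run.
set -eu

EXT_IF=${EXT_IF:-em0}
INT_IF=${INT_IF:-em1}
LAN=${LAN:-192.168.0}        # LAN is $LAN.0/24, the router takes $LAN.1
DNS=${DNS:-$LAN.1}           # assumes a resolver on the router; else set to an upstream one
DESTDIR=${DESTDIR:-}         # empty string = the live system

# pf_conf prints a NAT-only ruleset: nothing from the outside is allowed in,
# everything from the LAN may go out and is translated to the em0 address.
pf_conf() {
    cat <<EOF
# /etc/pf.conf (added example, not the thread's or bsdnow's ruleset)
ext_if = "$EXT_IF"
int_if = "$INT_IF"
set skip on lo0
set block-policy drop
match in all scrub (no-df random-id max-mss 1440)
# NAT: rewrite LAN sources to whatever address \$ext_if currently holds.
match out on \$ext_if inet from \$int_if:network to any nat-to (\$ext_if)
block all
# Drop packets on other interfaces that claim a LAN source address.
antispoof quick for \$int_if
# The router itself, and the LAN via NAT, may reach anything.
pass out quick inet
# The LAN may talk to the router (DHCP, SSH, ping) and through it.
pass in on \$int_if inet
EOF
}

# dhcpd_conf prints a lease pool for the LAN behind $INT_IF.
dhcpd_conf() {
    cat <<EOF
# /etc/dhcpd.conf (added example)
option domain-name-servers $DNS;
subnet $LAN.0 netmask 255.255.255.0 {
    option routers $LAN.1;
    range $LAN.100 $LAN.199;
}
EOF
}

# append_once FILE LINE: add LINE to FILE unless it is already there, so
# re-running the script does not duplicate settings.
append_once() {
    [ -f "$1" ] && grep -qxF -- "$2" "$1" && return 0
    printf '%s\n' "$2" >> "$1"
}

# write_configs writes everything under $DESTDIR/etc. hostname.if files get
# the 0640 mode OpenBSD installs them with; sysctl.conf and rc.conf.local are
# appended to rather than replaced so existing settings survive.
write_configs() {
    etc=$DESTDIR/etc
    mkdir -p "$etc"
    pf_conf    > "$etc/pf.conf"
    dhcpd_conf > "$etc/dhcpd.conf"
    printf 'dhcp\n'                > "$etc/hostname.$EXT_IF"
    printf 'inet %s.1/24\n' "$LAN" > "$etc/hostname.$INT_IF"
    chmod 0640 "$etc/hostname.$EXT_IF" "$etc/hostname.$INT_IF"
    # Do not add kern.securelevel=2 here: at level 2 pfctl can no longer load
    # /etc/pf.conf, which is what went wrong in this thread.
    append_once "$etc/sysctl.conf"   'net.inet.ip.forwarding=1'
    append_once "$etc/rc.conf.local" "dhcpd_flags=$INT_IF"
}

# main: write the files and, on a live OpenBSD system, check and apply them.
main() {
    write_configs
    if [ -z "$DESTDIR" ] && command -v pfctl >/dev/null 2>&1; then
        pfctl -nf /etc/pf.conf        # parse only; fails loudly on a typo
        sysctl net.inet.ip.forwarding=1
        sh /etc/netstart "$INT_IF"
        pfctl -f /etc/pf.conf
        rcctl start dhcpd
    else
        echo "wrote config files under $DESTDIR/etc"
    fi
}
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run it as `DESTDIR=/tmp/router sh mkrouter.sh` first and read the generated files; `RUN_MAIN=1 sh mkrouter.sh` as root then applies them. The ruleset has no rdr-to for DNS and no port forwards; those belong in a second step once NAT alone is confirmed working.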
27th October 2016 - psypro

Yes, back to starting simple. Good idea.

Code:
# rm /etc/hostname.bridge0
# rm /etc/hostname.vether0
Code:
# cat /etc/hostname.em1

up
inet 192.168.0.1/24
Trying to get different PCs on the switch to ping each other; will report back when I know more. So far I have Windows and Ubuntu talking: 192.168.0.3 and 192.168.0.5.

Last edited by psypro; 27th October 2016 at 05:58 PM.
27th October 2016 - psypro

Ping now works from

OpenBSD to Ubuntu
OpenBSD to windows.

But Windows and Ubuntu can't ping OpenBSD, I guess due to pf.

I got a DHCP offer from the OpenBSD router.

But NAT is still not working... I guess it has something to do with pf.conf.
I changed from em1 for the LAN side to re0 (mainboard NIC).
27th October 2016 - jggimi

You are testing. Start simple. Start small. Make a one line pf.conf file that just provides NAT. (Without any block rules, the default is pass all)

Last edited by jggimi; 27th October 2016 at 07:02 PM. Reason: typo
27th October 2016 - psypro

Nr1: pass all
It will not do NAT? So I will need something more as well.

Nr2: pfctl -sr
Code:
# pfctl -sr
block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)
This indicates that my rules are not loaded from /etc/pf.conf.

Nr3: pfctl -d

Code:
# pfctl -d
pfctl: DIOCSTOP: Operation not permitted
It seems something is wrong with pf?

This is my current pf.conf
Code:
# cat /etc/pf.conf
int_if="re0"
ext_if="em0"
localnet = $int_if:network
match out on $ext_if from $localnet nat-to ($ext_if)
pass all
pass inet proto tcp from { self, $localnet }
This setup is taken from the author of The Book of PF, Peter N. M. Hansteen, with block all modified to pass all as recommended for this test. https://home.nuug.no/~peter/pf/no/gwsimplesetup.html
(I had written a typo, nat to; changed now to nat-to. Still the same error.)

Last edited by psypro; 27th October 2016 at 08:05 PM.
27th October 2016 - psypro

Kernel security mode 2, from securelevel(7):

Code:
2 Highly secure mode
    all effects of securelevel 1
    raw disk devices are always read-only whether mounted or not
    settimeofday(2) and clock_settime(2) may not set the time backwards or close to overflow
    pf(4) filter and NAT rules may not be altered
27th October 2016 - jggimi

securelevel 2 is designed to make it difficult or impossible to make most provisioning changes without first shutting down the system. It is known as a "sysadmin prevention tool" more than an aid to security.
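The checks this thread turned on, jggimi's tcpdump on pflog0 (post #6) and psypro's discovery that pfctl -sr still shows the boot-time ruleset while pfctl -d is refused at securelevel 2, as an added example that is not part of the thread: a script whose functions take command output as text, so they can be exercised offline with the constructed sample shown, and whose main() feeds them the live commands on an OpenBSD router. The function names, the sample log lines and the rule numbers in them are this example's assumptions; the pflog line prefix is what OpenBSD's tcpdump prints for pflog0 with -e.

```shell
#!/bin/sh
# Added example (not from the thread): find out why /etc/pf.conf is not in
# effect. Each check parses text so it can be tested offline; main() runs the
# real commands. Sample input below is constructed, not captured from the thread.
set -eu

# securelevel_allows_pfctl LINE: LINE is the output of `sysctl kern.securelevel`.
# securelevel(7): at level 2 "pf(4) filter and NAT rules may not be altered",
# so pfctl -f and pfctl -d fail with "Operation not permitted" and whatever
# ruleset was loaded earlier stays in place until a reboot with a lower level.
securelevel_allows_pfctl() {
    case "$1" in
        kern.securelevel=*) [ "${1#kern.securelevel=}" -le 1 ] ;;
        *) echo "unexpected sysctl output: $1" >&2; return 2 ;;
    esac
}

# ruleset_is_bootstrap: reads `pfctl -sr` output on stdin. The ruleset /etc/rc
# installs before pf.conf is loaded begins with "block drop all" and has no
# match/nat-to/rdr-to rules; seeing it after boot means pf.conf never loaded.
ruleset_is_bootstrap() {
    awk 'NR == 1 && $0 == "block drop all" { first = 1 }
         /^match |nat-to|rdr-to/           { own = 1 }
         END { exit !(first && !own) }'
}

# pflog_summary: reads `tcpdump -n -e -i pflog0` output on stdin and prints
# "<rule> <action> <dir> <ifname> <count>", busiest rule first. The rule
# number is looked up with `pfctl -sr -vv` (numbering starts at 0).
pflog_summary() {
    awk '
        # tcpdump prefixes each pflog record with: rule N/(match) ACTION DIR on IF:
        match($0, /rule [0-9]+\/\([a-z]+\) [a-z]+ [a-z]+ on [a-z0-9]+:/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^rule /, "", s); sub(/:$/, "", s)
            split(s, f, " ")      # f[1]=N/(match) f[2]=action f[3]=dir f[5]=ifname
            sub(/\/.*/, "", f[1])
            count[f[1] " " f[2] " " f[3] " " f[5]]++
        }
        END { for (k in count) print k, count[k] }' | sort -k5,5nr -k1,1n
}

# Constructed sample (not from the thread): with the bootstrap ruleset loaded,
# rule 0 "block drop all" eats the LAN's pings and DHCP discovers on em1.
SAMPLE_PFLOG='Oct 27 17:01:22.100312 rule 0/(match) block in on em1: 192.168.0.3 > 192.168.0.1: icmp: echo request
Oct 27 17:01:23.100401 rule 0/(match) block in on em1: 192.168.0.3 > 192.168.0.1: icmp: echo request
Oct 27 17:01:24.223344 rule 0/(match) block in on em1: 0.0.0.0.68 > 255.255.255.255.67: xid:0x1a2b3c4d [|bootp]
Oct 27 17:01:25.000100 rule 0/(match) block in on em0: 203.0.113.9.40000 > 192.168.1.210.22: S 1:1(0) win 65535'

# main: run the checks against the live system (OpenBSD only).
main() {
    lvl=$(sysctl kern.securelevel)
    if securelevel_allows_pfctl "$lvl"; then
        echo "ok: $lvl"
    else
        echo "FAIL: $lvl; remove kern.securelevel=2 from /etc/sysctl.conf and reboot"
    fi
    pfctl -nf /etc/pf.conf && echo "ok: /etc/pf.conf parses"
    if pfctl -sr | ruleset_is_bootstrap; then
        echo "FAIL: the boot-time ruleset is loaded, /etc/pf.conf was never applied"
    fi
    echo "blocked packets per rule, from the next 50 pflog records:"
    tcpdump -n -e -i pflog0 -c 50 | pflog_summary
}
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run `RUN_MAIN=1 sh pfcheck.sh` as root on the router; a securelevel or bootstrap-ruleset FAIL line points at the same root cause this thread found, and the per-rule summary tells you which line of pfctl -sr -vv is dropping the LAN's traffic when the ruleset did load. Only logged rules appear on pflog0, so add `log` to your block rules (or use `block log all`) while debugging.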
27th October 2016 - psypro

Hehe, 5 hours of work. Now NAT is working.
Once I figured out that pf.conf was not taking effect, progress was fast.
Thanks for the help and motivation.