I am trying to get a wireless router running, it was already configured as a NAT with two interfaces one for the Internet and for the LAN. I added an atheros based wireless adapter, and tried setting it up. I tried using a bridge of a virtual ethernet device with the IP (vether0), and the devices for the local network (fxp0, athn0). This didn't work, and the vether device was stuck on a 10M type of media. I don't think that works when the media is different on the two other adapters. DHCP wasn't working on vether0 like it should, so something was wrong, probably the media thing.
So I decided another strategy of having two subnets, so I set things up as follows...
Code:
menger:root # cat /etc/hostname.fxp0
inet 192.168.0.1 255.255.255.0 192.168.0.255
up
menger:root # cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255
up media autoselect mode 11g mediaopt hostap nwid KintaroABODE chan 11 wpa wpakey Nintendo64 wpaprotos wpa2
I set up dhcpd.conf to provide addresses for these subnets, with the right default route and a static route between them.
Code:
menger:root # cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#guide to this pf.conf...
# queues: 34, matches: 80, everything else: 88
#interfaces
int_if="fxp0"
wifi_if="athn0"
ext_if="pppoe0"
#networks
lan_net="192.168.0.0/24"
wifi_net="192.168.1.0/24"
#hosts
menger="{ 192.168.0.1, 192.168.1.1 }"
weiner="192.168.0.2"
wifiweiner="192.168.1.2"
fekete="192.168.0.3"
mises="10.0.0.10"
#host port forwarding
weiner_ports = "{ 8333 }"
wweiner_ports = "{ 54874 }"
fekete_ports = "{ 17001, 39191, 5938, 2022 }"
mises_ports = "{ 3022 }"
#other
tcp_services="{ 22 }"
icmp_types="echoreq"
#queue ports
ssh_ports = "{ 22, 2022, 3022 }"
im_ports = "{ 1863, 5190, 5222, 8444 }"
game_ports = "{ 27000:27050, 4380 }"
altq on $ext_if cbq bandwidth 1080Kb queue { std, ssh_im, dns, game }
queue std on $ext_if bandwidth 500Kb cbq(default borrow)
queue ssh_im on $ext_if bandwidth 200Kb priority 3 cbq(red)
queue dns on $ext_if bandwidth 25Kb priority 4
queue game on $ext_if bandwidth 255Kb priority 5 cbq(red)
altq on $int_if cbq bandwidth 100Mb queue { lan, int }
queue lan on $int_if bandwidth 92Mb cbq(default)
queue int on $int_if bandwidth 7000Kb { std, ssh_im, dns, game }
queue std on $int_if bandwidth 6000Kb cbq(borrow)
queue ssh_im on $int_if bandwidth 200Kb priority 4
queue dns on $int_if bandwidth 200Kb priority 5
queue game on $int_if bandwidth 600Kb priority 6 cbq(red)
altq on $wifi_if cbq bandwidth 54Mb queue { lan, int }
queue lan on $wifi_if bandwidth 46Mb cbq(default)
queue int on $wifi_if bandwidth 500Kb { std, ssh_im, dns}
queue std on $wifi_if bandwidth 400Kb cbq(borrow)
queue ssh_im on $wifi_if bandwidth 50Kb priority 4
queue dns on $wifi_if bandwidth 50Kb priority 5
set skip on lo
# this is the squid proxy line
#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128
#pass in quick on $int_if inet proto tcp from !$mises to any port 80 rdr-to $mises port 3128
#pass out quick on $int_if inet proto tcp to $mises port 3128 \
received-on $int_if nat-to $int_if
# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in quick on $wifi_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
# anchor for relayd(8)
#anchor "relayd/*"
#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)
#match out on egress inet from $int_if to any nat-to (egress:0)
#match out on egress inet from $wifi_if to any nat-to (egress:0)
pass # to establish keep-state
block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
block in log
pass out quick
match inet proto { tcp udp } queue(std)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im)
match inet proto udp to port $game_ports queue game
match inet from $menger queue lan
match inet to $menger queue lan
antispoof quick for { lo $int_if $wifi_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151
#nat port redirects
pass in on egress inet proto { tcp udp } to (egress) port $weiner_ports rdr-to $weiner
pass in on egress inet proto { tcp udp } to (egress) port $wweiner_ports rdr-to $wweiner
pass in on egress inet proto { tcp udp } to (egress) port $fekete_ports rdr-to $fekete
pass in on egress inet proto { tcp udp } to (egress) port $mises_ports rdr-to $mises
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in on $wifi_if
I am aware some of the macros in my pf.conf are unused, but they might become handy.
14th June 2013
Routing between two subnets, routes not working.
Similar Threads
Threaded Mode