DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 14th June 2013
KintaroBC KintaroBC is offline
New User
 
Join Date: Jul 2011
Posts: 7
Default Routing between two subnets, routes not working.

I am trying to get a wireless router running, it was already configured as a NAT with two interfaces one for the Internet and for the LAN. I added an atheros based wireless adapter, and tried setting it up. I tried using a bridge of a virtual ethernet device with the IP (vether0), and the devices for the local network (fxp0, athn0). This didn't work, and the vether device was stuck on a 10M type of media. I don't think that works when the media is different on the two other adapters. DHCP wasn't working on vether0 like it should, so something was wrong, probably the media thing.

So I decided another strategy of having two subnets, so I set things up as follows...
Code:
menger:root # cat /etc/hostname.fxp0                                                                   
inet 192.168.0.1 255.255.255.0 192.168.0.255
up
menger:root # cat /etc/hostname.athn0                                                                  
inet 192.168.1.1 255.255.255.0 192.168.1.255
up media autoselect mode 11g mediaopt hostap nwid KintaroABODE chan 11 wpa wpakey Nintendo64 wpaprotos wpa2
I set up dhcpd.conf to provide addresses for these subnets, with the right default route and a static route between them.

Code:
  
menger:root # cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#guide to this pf.conf...
# queues: 34, matches: 80, everything else: 88

#interfaces
int_if="fxp0"
wifi_if="athn0"
ext_if="pppoe0"

#networks
lan_net="192.168.0.0/24"
wifi_net="192.168.1.0/24"

#hosts
menger="{ 192.168.0.1, 192.168.1.1 }"
weiner="192.168.0.2"
wifiweiner="192.168.1.2"
fekete="192.168.0.3"
mises="10.0.0.10"

#host port forwarding
weiner_ports = "{ 8333 }"
wweiner_ports = "{ 54874 }"
fekete_ports = "{ 17001, 39191, 5938, 2022 }"
mises_ports = "{ 3022 }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"    

#queue ports
ssh_ports = "{ 22, 2022, 3022 }"
im_ports = "{ 1863, 5190, 5222, 8444 }"
game_ports = "{ 27000:27050, 4380 }"

altq on $ext_if cbq bandwidth 1080Kb queue { std, ssh_im, dns, game }
queue std on $ext_if bandwidth 500Kb cbq(default borrow)
queue ssh_im on $ext_if bandwidth 200Kb priority 3 cbq(red)
queue dns on $ext_if bandwidth 25Kb priority 4
queue game on $ext_if bandwidth 255Kb priority 5 cbq(red)

altq on $int_if cbq bandwidth 100Mb queue { lan, int }
queue lan on $int_if            bandwidth 92Mb cbq(default)
queue int on $int_if            bandwidth 7000Kb { std, ssh_im, dns, game }
 queue std on $int_if           bandwidth 6000Kb cbq(borrow)
 queue ssh_im on $int_if        bandwidth 200Kb priority 4
 queue dns on $int_if           bandwidth 200Kb priority 5
 queue game on $int_if          bandwidth 600Kb priority 6 cbq(red)

altq on $wifi_if cbq bandwidth 54Mb queue { lan, int }
queue lan on $wifi_if           bandwidth 46Mb cbq(default)
queue int on $wifi_if           bandwidth 500Kb { std, ssh_im, dns}
 queue std on $wifi_if          bandwidth 400Kb cbq(borrow)
 queue ssh_im on $wifi_if       bandwidth 50Kb priority 4
 queue dns on $wifi_if          bandwidth 50Kb priority 5

set skip on lo

# this is the squid proxy line
#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128
#pass in quick on $int_if inet proto tcp from !$mises to any port 80 rdr-to $mises port 3128
#pass out quick on $int_if inet proto tcp to $mises port 3128 \
        received-on $int_if nat-to $int_if

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in quick on $wifi_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)
#match out on egress inet from $int_if to any nat-to (egress:0)
#match out on egress inet from $wifi_if to any nat-to (egress:0)

pass            # to establish keep-state

block in quick from urpf-failed to any  # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match inet proto { tcp udp } queue(std)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im)
match inet proto udp to port $game_ports queue game
match inet from $menger queue lan
match inet to $menger queue lan

antispoof quick for { lo $int_if $wifi_if }

pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
pass in on egress inet proto { tcp udp } to (egress) port $weiner_ports rdr-to $weiner
pass in on egress inet proto { tcp udp } to (egress) port $wweiner_ports rdr-to $wweiner
pass in on egress inet proto { tcp udp } to (egress) port $fekete_ports rdr-to $fekete
pass in on egress inet proto { tcp udp } to (egress) port $mises_ports rdr-to $mises

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if
pass in on $wifi_if
I am aware some of the macros in my pf.conf are unused, but they might become handy.

Last edited by KintaroBC; 14th June 2013 at 10:38 AM.
Reply With Quote
  #2   (View Single Post)  
Old 14th June 2013
KintaroBC KintaroBC is offline
New User
 
Join Date: Jul 2011
Posts: 7
Default

I just got the wifi subnet receiving the right default route by adding "option routers 192.168.0.1, 192.168.1.1" at the top of the file above and outside of the subnet blocks.

I still do not know how to forward packets with pf from 192.168.0.1/24 and 192.168.1.1/24 and visa-versa. I've been doing a lot of Googling and reading of the pf FAQ with no clues.
Reply With Quote
  #3   (View Single Post)  
Old 14th June 2013
thirdm thirdm is offline
Spam Deminer
 
Join Date: May 2009
Posts: 248
Default

Networking's not really my thing, but why are you talking about pf here? Don't you just have to let the kernel forward packets using normal routing? i.e. turn on some sysctrl to allow ip forwarding. Okay, let me look that up: net.inet.ip.forwarding.

I'd disable pf while you're trying to get this going, then turn it back on when you have packets moving, you know, to remove complicating factors.
Reply With Quote
  #4   (View Single Post)  
Old 14th June 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

You don't need pf to route packets between networks, you need the appropiate routes. Using the following simple network:
Code:
      10.2.2.100
          |
          |
+---------|---------+
|    10.2.2.1/24    |
|                   |
|       router      |
|                   |
|  192.168.44.1/24  |
+---------|---------+
          |
          |
          |
    192.168.44.100
  • If host 192.68.44.100 wants to communicate with host 10.2.2.100 it needs a route to the 10.2.2.0/24 network:

    Code:
    # route add -net 10.2.2.0/24 192.168.44.1
    add net 10.2.2.0/24: gateway 192.168.44.1
    Or # route add default 192.168.44.1 if there are not any other networks.
  • If host 10.2.2.100 wants to answer packets to host 192.168.44.100 it needs a route to the 192.168.44.0/24 network:

    Code:
    # route add -net 192.168.44.0/24 10.2.2.1
    add net 192.168.44.0/24: gatewary 10.2.2.1
    Or # route add default 10.2.2.1 if there are not any other networks

How do the routing tables on the hosts on your 192.168.1.0/24 and 192.168.0.0/24 network look like?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #5   (View Single Post)  
Old 14th June 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Hello, and welcome!
  1. The vether(4) driver was developed to solve a unique problem for one particular facility that required BGP peering. I believe it to be a needless complexity for your situation.
  2. I don't think you need anything more than a default route, which I explain below. I agree with thirdm that you may not have turned on packet forwarding, which is required to route packets between networks. You might also have tangled yourself up in a PF configuration that appears to have been originally copied/pasted from others. I especially like the comment "# use with care" embedded therein.
To route IP packets, all that a computer needs is the address of the next gateway. For a single subnet with only one router, such as in a residence or small business, every device on the subnet only needs to know the address of that single gateway router. The default route is the address of the router to use when there are no specific routes defined. For example, if I have a single network at 10.0.0/24 and a single router on that subnet at 10.0.0.1, I configure all the devices on that subnet with a default route of 10.0.0.1. Each computer's network stack will route anything destined for other subnets through that default route.

In your case, you have three subnets: 192.168.0/24 on fxp0, 192.168.1/24 on athn0, and whatever Internet subnet is used for pppoe0, for egress.

All three subnets share the same router, with three IP addresses: 192.168.0.1, 192.168.1.1, and your Internet address. Each subnet can reach anywhere: to/from the Internet, or the other local subnet, by routing through this single router. The 192.168.0 devices need a default route of 192.168.0.1, and the 192.168.1 devices need a default route of 192.168.1.1.

Additional routes would only be needed if you had additional routers. You don't.

Let's pretend for a moment that you had a different architecture, one with multiple routers, such as:

{Internet} - [Firewall A] - {DMZ servers} - [Firewall B] - {everything else}

The DMZ server subnet has two routers. Those servers need two routes: a default route through Firewall A to the Internet, and a specific route through Firewall B to that inner subnet. Firewall A also needs two routes -- a default route through the ISP, and a specific route to the inner subnet.

Without adding a specific (sometimes called static) route, those packets would be shipped to the default route, which would be to the wrong router.

---

I hope this helps.

Last edited by jggimi; 14th June 2013 at 04:59 PM. Reason: typo, clarity
Reply With Quote
  #6   (View Single Post)  
Old 14th June 2013
KintaroBC KintaroBC is offline
New User
 
Join Date: Jul 2011
Posts: 7
Default

I got it working.

The main problem was that Windows 8 does not do ICMP echo by default, thanks Microsoft. Windows ate my time. I should have noticed that I wasn't getting no route to host, but I had a big one the night before (I got smashingly drunk).
Reply With Quote
  #7   (View Single Post)  
Old 15th June 2013
vanGrimoire's Avatar
vanGrimoire vanGrimoire is offline
Port Guard
 
Join Date: Nov 2012
Posts: 43
Default

I don't know if everyone gets a cool avatar like jggimi, but I think you should get a dos equis meme. I don't always botch my network config, but when I do, I'm smashingly drunk.
Reply With Quote
  #8   (View Single Post)  
Old 19th June 2013
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Not many here have avatars...not sure why.

And the easiest way to deal with Windows is to assign each Windows box it's own private /30 on your network and be done with it =)
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #9   (View Single Post)  
Old 17th March 2014
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

Quote:
Originally Posted by J65nko View Post
You don't need pf to route packets between networks, you need the appropiate routes. Using the following simple network:
Code:
      10.2.2.100
          |
          |
+---------|---------+
|    10.2.2.1/24    |
|                   |
|       router      |
|                   |
|  192.168.44.1/24  |
+---------|---------+
          |
          |
          |
    192.168.44.100
  • If host 192.68.44.100 wants to communicate with host 10.2.2.100 it needs a route to the 10.2.2.0/24 network:

    Code:
    # route add -net 10.2.2.0/24 192.168.44.1
    add net 10.2.2.0/24: gateway 192.168.44.1
    Or # route add default 192.168.44.1 if there are not any other networks.
  • If host 10.2.2.100 wants to answer packets to host 192.168.44.100 it needs a route to the 192.168.44.0/24 network:

    Code:
    # route add -net 192.168.44.0/24 10.2.2.1
    add net 192.168.44.0/24: gatewary 10.2.2.1
    Or # route add default 10.2.2.1 if there are not any other networks

How do the routing tables on the hosts on your 192.168.1.0/24 and 192.168.0.0/24 network look like?
You just saved me from BS-ing with a PF rules on our VPN gateway for the past two hours. Very, very useful post. I took a clue from your post and added one line to /etc/openvpn/server.conf to make it work.

Code:
push "route 192.168.2.0 255.255.255.0"

Last edited by Oko; 18th March 2014 at 04:08 AM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Routing through subnets Pjoter OpenBSD Installation and Upgrading 5 5th October 2011 08:33 AM
HOWTO: multiple default routes vermaden Guides 2 14th April 2010 09:56 AM
Mouse:X (not-working) and tty-Console (working), in 8.0 ykt FreeBSD General 1 22nd December 2009 12:26 PM
dhcpd and multiple subnets vdubjunkie OpenBSD General 5 11th March 2009 11:02 PM
Routing and routing some more! Weaseal FreeBSD General 1 19th August 2008 01:39 PM


All times are GMT. The time now is 07:26 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick