Routing/NAT problem setting up home wireless router on Alix board
I'm trying to set up an alix 2d13 box as a wireless home router with openbsd to replace an off the shelf linksys box. I've been stuck for nearly a week trying to figure out why it won't do nat properly. I'm trying to nat all traffic coming through a (second) wireless interface (urtwn0) into a local bridge. urtwn0 can connect to the internet fine through a blackberry wifi hotspot, but the internal network cannot see the internet, nor the blackberry ip address (though it can ping the urtwn0 address fine).
The current set up is as follows (I'll paste ifconfig and other details to pastebin if anyone wants them):
Code:
##### CONF FILES ON ALIX BOARD #####

/etc/hostname.vether0
inet 192.168.1.1 255.255.255.0 192.168.1.255 up

/etc/hostname.bridge0
add vether0
add vr1
add vr2
add ath0
up

/etc/hostname.vr1
up

/etc/hostname.vr2
up

/etc/hostname.ath0
mediaopt hostap nwid alix wpakey xxxxxxxxxx up

/etc/sysctl.conf
net.inet.ip.forwarding=1
Code:
# note - I'm never entirely sure what to put for a domain name when I don't have one and am behind an adsl or other link
option domain-name "example.net";
# note - I'm not even bothering with dns yet, so these don't really count, but are set to the values the blackberry gives urtwn0 in resolv.conf
option domain-name-servers 10.0.0.2, 10.0.0.3;

subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        range 192.168.1.5 192.168.1.100;
        option subnet-mask 255.255.255.0;
}
# note - I've tried many different variations and suggestions. I don't think it's a pf problem, but I may be wrong.
Code:
set skip on lo
ext_if = "urtwn0"
int_if = "vether0"
localnet = $int_if:network

match out on $ext_if from $int_if nat-to ($ext_if)

block all
pass from { lo0, $localnet }
#############################
# From my laptop:
# From the alix board
Things I've tried:
##### DIAGNOSTICS ####
on alix board:
Code:
# route -n show -inet
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS        0        0     -    12 urtwn0
10.0.0/24          link#7             UC         3        0     -     4 urtwn0
10.0.0.1           48:9d:24:6b:41:4a  UHLc       1      225     -     4 urtwn0
10.0.0.2           48:9d:24:6b:41:4a  UHLc       0       11     -     4 urtwn0
10.0.0.3           48:9d:24:6b:41:4a  UHLc       0       12     -     4 urtwn0
10.0.0.100         127.0.0.1          UGS        0        1 33192     8 lo0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         2        1 33192     4 lo0
192.168/16         link#8             UC         3        0     -     4 vether0
192.168.1.7        00:1b:77:41:8e:75  UHLc       1      162     -     4 vether0
192.168.1.9        48:9d:24:6b:41:4a  UHLc       1        1     -     4 vether0
192.168.1.115      b8:27:eb:20:77:53  UHLc       0      142     -     4 vether0
224/4              127.0.0.1          URS        0        0 33192     8 lo0
on laptop:
Code:
# route -n show -inet
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS        0      250     -    12 wpi0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         2        0 33192     4 lo0
192.168.1/24       link#2             UC         1        0     -     4 wpi0
192.168.1.1        fe:e1:ba:d0:47:57  UHLc       2       82     -     4 wpi0
192.168.1.7        127.0.0.1          UGS        0        0 33192     8 lo0
224/4              127.0.0.1          URS        0        0 33192     8 lo0
# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
--- 10.0.0.1 ping statistics ---
69 packets transmitted, 0 packets received, 100.0% packet loss
Thanks

Last edited by J65nko; 17th November 2013 at 11:52 AM. Reason: [code] and [/code] tags ;)
My suggestion is to get rid of the bridge and just deal with 3 different networks
For example subnet the 10.0.0.0/8 network into 10.10.22.0/24 for the wired lan clients and 10.10.99/24 for the wireless ones.

Re: NAT
If you are changing or renumbering the internal network clients (wired and wireless) you can use the following match rule to perform foolproof Network Address Translation:
Code:
# ---- external/egress interface
match out inet from ! egress to any nat-to (egress)
Likewise you could assign the urtwn0 interface to the group wireless and the other NIC to group wired. A sample /etc/hostname.urtwn0
Code:
inet 10.10.99.1 255.255.255.0 NONE group wireless
In the beginning it is easier to filter just on the external interface. You can either use skip on .. or pass quick on .. Get things working first. Later on, when everything is working, you can always add filtering on the internal interfaces.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
Hello, and welcome to daemonforums, ritter_k.
This is the third or fourth time I've seen people attempting to bridge(4) with a vether(4) pseudo device, and reporting problems with them on this forum. I don't know the source "howto" you or they have been using, but as with J65nko, I recommend avoiding this because it is a needless complication. The vether(4) driver was developed to address a highly specific need: to operate a Border Gateway Protocol peer from a residence in Canada. If you're not doing this, you should be able to function without vether(4). I happen to operate a pair of Alix 2d13 platforms with OpenBSD. I have no bridge defined. My wired NAT rule looks like this -- the parentheses are used because the IP address is dynamic: Code:
match out on $external_nic from !($external_nic) nat-to ($external_nic)
Code:
match out on $tether_nic from !($tether_nic) nat-to ($tether_nic)
The urtwn(4) device is not normally installed and used in an Alix; the NAT rule and urtwn firmware are in place only in the event it is needed to circumvent an ISP outage. It is normally used with another platform.

Last edited by jggimi; 17th November 2013 at 03:05 PM. Reason: urtwn clarity
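An added example, not code from either poster, that models how pf expands the three kinds of `from` operand seen in this thread. It assumes the addresses from the original post (vether0 = 192.168.1.1/24, urtwn0 = 10.0.0.100/24) and shows why `from $int_if` only covers the router's own address, so a LAN client's packets leave urtwn0 untranslated, while `from $int_if:network` or jggimi's `from !($ext_if)` translate them:

```python
import ipaddress

# Constructed model of the Alix box in the thread: interface -> address/prefix.
IFACES = {
    "vether0": ipaddress.ip_interface("192.168.1.1/24"),  # int_if, LAN side
    "urtwn0":  ipaddress.ip_interface("10.0.0.100/24"),   # ext_if, tethered uplink
}


def expand(token):
    """Expand one pf 'from' operand into (negated, [networks]).

    Follows pf.conf semantics: 'ifname' -> the interface's own address,
    'ifname:network' -> its subnet, '(ifname)' -> same as 'ifname' but
    re-read at runtime, a leading '!' negates, 'any' matches everything.
    """
    negated = token.startswith("!")
    token = token.lstrip("!").strip().strip("()")
    if token == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    if token.endswith(":network"):
        return negated, [IFACES[token[: -len(":network")]].network]
    return negated, [ipaddress.ip_network(str(IFACES[token].ip))]


def nat_applies(from_token, src):
    """Would 'match out on $ext_if from <from_token> nat-to ($ext_if)' translate src?"""
    negated, nets = expand(from_token)
    hit = any(ipaddress.ip_address(src) in n for n in nets)
    return hit != negated


RULES = {
    "from $int_if":    "vether0",          # original post: only the router itself
    "from $localnet":  "vether0:network",  # the whole LAN subnet
    "from !($ext_if)": "!(urtwn0)",        # jggimi's rule: anything not the uplink
}


def nat_table(src="192.168.1.7"):
    """Which rule variants NAT a packet from a LAN client going out urtwn0."""
    return {name: nat_applies(tok, src) for name, tok in RULES.items()}


if __name__ == "__main__":
    for name, ok in nat_table().items():
        print(f"{name:18s} -> {'NAT' if ok else 'no NAT (192.168.1.x leaks out)'}")
```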
Wow, that's quite a specific origin for vether! I can't remember the exact source - I've read so much over the last week - but I think the initial suggestion to create a bridge came from irc. The motive was that I wanted to only have one ip address that spanned all interfaces, for ease of administration (and to emulate the off the shelf linksys router). Ifconfig allows you to assign the same ip to all interfaces, but only seems to use the first assigned, so I tried creating a trunk (I know, I know, I'm a complete beginner with networks and was clutching at straws). That didn't work, hence the bridge, which did exactly what I wanted - i.e. all devices talk to one host ip and are connected to each other through it.
I'm glad to see you've got yours all working through the urtwn link to a mobile phone - at least now I know it can be done. It's always disheartening when you're banging your head against a brick wall to do something you're not even sure is possible. Thanks for the warm welcome and quick assistance. I will try both your suggestions.
woohoo, I can finally ping the outside world from my laptop! I've disabled everything except the ath0 and urtwn0 and changed the pf nat rule to the suggested
Code:
match out on $tether_nic from !($tether_nic) nat-to ($tether_nic)
Now, with a working base, I can feel much more confident that I can work my way up to what I want from here. With regards to the single ip address for all interfaces, what would be the best way to achieve this? Before I even learned of bridges and trunks, I was going to implement it in pf, but it seems like it should be lower level than that. Also, jggimi, when you switch to urtwn, do you manually change the dns servers in dhcpd.conf? Doesn't matter too much at the minute as I'm planning to implement a dns caching server and learning all about dns once I've got my main setup correct. Thanks very much for all your help.
OK, so as I understand it, the bridge does what I want (I really would prefer a single ip for administrative tasks, though there's probably other ways of doing it). The problem with a bridge is that it needs an ip, and for that, you need vether. At least, that's what I got from the faqs, which is why I went down that path to begin with:
(can't post urls - but search for vether in faq6) ...and here was me thinking the faqs were gospel... The problem with my current set up (treating wireless and wired as separate subnets) is that while all devices connected to the ath0 interface can talk to each other and to the internet, they can't see the ethernet interfaces or anything connected to them. More work to do... Thanks again for your help |
Thank you for pointing me to the FAQ. It states, "...but we cannot use a physical interface as the link might be down, in which case the address would not be reachable." When I used bridges, this was never an issue; I just assigned an IP address to one of the NICs. This was also long before the availability of vether(4). And also, the individual segments were never expected to be down.
My pair of Alix 2d13s are configured without bridge(4), though I do have a bridge -- for WiFi.
Last edited by jggimi; 17th November 2013 at 08:03 PM. Reason: clarity for ifstated |
You asked,
Quote:
Thanks for posting that, I enjoy seeing others' setups. You have any general recommendations for good brands of switch (second hand is fine) for a home environment like this? As for the modem, I've bought a draytek vigor 120 adsl modem (the only true ethernet modem I could find) to connect my alix box up to the internet, but unfortunately with where I live I'll never have the connection speed required to do fun things like serving up images - my upload speed is appalling.
Anyway, the good news folks is that I've reimplemented the bridge and the vether device, and it now all works exactly as I'd hoped. For anyone from the future stumbling upon this post, the magic was in modifying the pf.conf, which is now:
Code:
set skip on lo
ext_if = "urtwn0"

match out on $ext_if from !($ext_if) nat-to ($ext_if)

pass all
Now, I'm chuffed to bits as I can get back to reading the Book of PF and learning how to secure this thing. Thanks so much for all your help.
As a preventative measure to counteract spam, we disable the posting of links for all newcomers with less than five posts. At the time of writing, you now have five messages posted, so you should now be able to post active URLs.