DaemonForums > OpenBSD > OpenBSD General
#1, 13th November 2008
zomo
Port Guard
Join Date: Sep 2008
Posts: 25

External IPs

Hello

I have an ADSL modem with 4 addresses for my own use. I am using OpenBSD and PF and I would like to assign these 4 addresses to some local hosts. I don't want to use binat. I want to assign public IPs to the hosts behind the server.

Thanks
#2, 13th November 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Configure your OBSD firewall as a transparent bridge, having no IP addresses. Let the hosts use DHCP to get the addresses from the ADSL modem.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
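What that bridge looks like on the firewall, as an added example that is not code from J65nko's post or from the OpenBSD project: a small sh(1) generator that writes the hostname.if(5) files and a pf.conf for an addressless bridge between two NICs. The interface names em0 and em1 and the output directory are assumptions; the generator writes into a directory you name so the files can be inspected before they are copied to /etc. On releases from the thread's era the member list lived in /etc/bridgename.bridge0 rather than /etc/hostname.bridge0, with the same contents.

```shell
#!/bin/sh
# Added example: generate a transparent-bridge configuration for an OpenBSD
# firewall that has no IP address of its own.  Interface names are assumed.
#
# usage: write_bridge_config DIR EXT_IF INT_IF
#   DIR    directory to write into (use /etc on the firewall itself)
#   EXT_IF NIC facing the ADSL modem (e.g. em0)
#   INT_IF NIC facing the hosts that get the public addresses (e.g. em1)

write_bridge_config() {
    dir=$1; ext_if=$2; int_if=$3

    # Refuse nonsense: bridging an interface to itself loops every frame.
    [ "$ext_if" != "$int_if" ] || { echo "member NICs must differ" >&2; return 1; }

    mkdir -p "$dir" || return 1

    # Members carry no address; they are only brought up.
    printf 'up\n' > "$dir/hostname.$ext_if"
    printf 'up\n' > "$dir/hostname.$int_if"

    # The bridge joins the two segments, so the hosts behind it and the
    # modem share one layer-2 network and the modem's DHCP reaches them.
    printf 'add %s\nadd %s\nup\n' "$ext_if" "$int_if" > "$dir/hostname.bridge0"

    # pf filters bridged packets on each member interface it crosses.
    # Skipping the internal member means every packet is filtered exactly
    # once, on EXT_IF, in the direction it crosses the bridge.
    cat > "$dir/pf.conf" <<EOF
ext_if = "$ext_if"
int_if = "$int_if"

set skip on { lo0 \$int_if }

# The hosts inside carry public addresses, so drop unsolicited traffic from
# the Internet by default; the bridge does not hide them the way NAT would.
block in on \$ext_if

# Inside hosts may open connections outwards; state admits the replies.
pass out on \$ext_if inet

# DHCP from the modem: the reply to a broadcast DISCOVER does not match the
# state of the request, so both directions are allowed explicitly.
pass out on \$ext_if inet proto udp from port 68 to port 67 no state
pass in  on \$ext_if inet proto udp from port 67 to port 68 no state

# Expose services one by one, e.g. a web server on one inside host:
# pass in on \$ext_if inet proto tcp to 203.0.113.4 port 80
EOF
}

# Number of member interfaces recorded in a generated bridge file, so the
# output can be checked on a machine without an OpenBSD kernel.
bridge_member_count() {
    grep -c '^add ' "$1/hostname.bridge0"
}
```

Because every host behind the bridge keeps a public address, the `block in on $ext_if` line is all that stands between them and the Internet; unlike the NAT router the poster already runs, nothing is hidden by default. pf does not filter ARP, so the hosts and the modem still see each other at layer 2, which is what lets the modem's DHCP server hand out the addresses.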
#3, 13th November 2008
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

There are several possible alternatives that don't use binat, such as:

  • Place your local hosts on a separate Ethernet and NIC, which you bridge with your external NIC:
    Code:
    [internet]---[external NIC]-[OpenBSD]-[NAT addressed private network]
                                      |
                                      |
                             [exposed NIC]
  • A classic dual firewall with DMZ, though typically, the DMZ is on a private subnet with exposed servers and/or ports:
    Code:
    [internet]---[FW1]---{DMZ servers}---[FW2]--{private net}
What's wrong with binat?
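What binat looks like for the original poster's case, as an added example that is not code from jggimi's post or from the OpenBSD FAQ. It assumes em0 faces the modem, em1 faces the LAN, the modem's block is 203.0.113.0/29 with the firewall on .2 (203.0.113.0/24 is the documentation range, used as a stand-in), and that the hosts to expose are given as private=public pairs. The firewall has to answer ARP for each public address on the modem side, so the generator also adds them as /32 aliases on the external interface. The rules use the match/binat-to syntax of current pf; on the 2008-era syntax the equivalent line was `binat on $ext_if from 192.168.1.10 to any -> 203.0.113.3`.

```shell
#!/bin/sh
# Added example: binat (1:1 NAT) for a few LAN hosts on an OpenBSD/pf router
# that keeps doing ordinary NAT for everyone else.  All names and addresses
# are assumed for illustration.
#
# usage: write_binat_config DIR EXT_IF INT_IF PRIV_NET "PRIV=PUB ..."
#   e.g. write_binat_config /tmp/fw em0 em1 192.168.1.0/24 \
#            "192.168.1.10=203.0.113.3 192.168.1.11=203.0.113.4"

write_binat_config() {
    dir=$1; ext_if=$2; int_if=$3; priv_net=$4; pairs=$5

    mkdir -p "$dir" || return 1

    # External NIC: the firewall's own /29 address plus one /32 alias per
    # binat address, so the kernel answers the modem's ARP requests for it.
    {
        printf 'inet 203.0.113.2 255.255.255.248\n'
        for p in $pairs; do
            printf 'inet alias %s 255.255.255.255\n' "${p#*=}"
        done
    } > "$dir/hostname.$ext_if"

    printf 'inet 192.168.1.1 255.255.255.0\n' > "$dir/hostname.$int_if"

    {
        cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
priv_net = "$priv_net"

set skip on lo0

# 1:1 mappings first.  A binat-to rule works in both directions: outbound
# packets from the private host get the public source address, inbound
# packets for the public address get the private destination.
EOF
        for p in $pairs; do
            printf 'match out on $ext_if inet from %s to any binat-to %s\n' \
                "${p%=*}" "${p#*=}"
        done
        cat <<EOF

# Everyone else shares the external address.  Hosts already handled by a
# binat-to rule are not matched again: their source was rewritten when that
# rule matched, so this rule sees a public address outside \$priv_net.
match out on \$ext_if inet from \$priv_net to any nat-to (\$ext_if)

block all
pass out on \$ext_if inet
pass in on \$int_if inet from \$priv_net

# Inbound services: the match rule has already translated the destination,
# so the filter rule names the private address (as with pre-4.7 pf, where
# translation ran before filtering).  Open only what each host serves.
EOF
        for p in $pairs; do
            printf 'pass in on $ext_if inet proto tcp to %s port { 22 80 }\n' \
                "${p%=*}"
        done
    } > "$dir/pf.conf"
}

# Number of 1:1 mappings present in a generated ruleset.
binat_rule_count() {
    grep -c '^match out .* binat-to ' "$1/pf.conf"
}
```

The alias lines are the part that is easy to forget: without them the modem ARPs for 203.0.113.3, nobody answers, and the binat rule never sees a packet. The `pass in` rules are deliberately narrow because a 1:1 mapping otherwise exposes every port the private host listens on.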
#4, 13th November 2008
zomo
Port Guard
Join Date: Sep 2008
Posts: 25

Hi

J65nko, but this router is also doing NAT, queueing and filtering traffic for other computers. Only for a few computers would I like to assign these external addresses... Is there any way? Proxy ARP or something?

PS: I can't add another NIC.


Thanks for help
#5, 14th November 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

There is an example of a proxy ARP configuration in the arp man page.

But I would advise getting another box that you can equip with 3 NICs (external, DMZ and internal).

If you have servers with a public address in your local LAN, those servers, if compromised, can be used to launch an attack against the complete local LAN.

By placing the servers/hosts inside a DMZ these servers could still be compromised, but not be used as a base for attacking your internal network.
#6, 14th November 2008
zomo
Port Guard
Join Date: Sep 2008
Posts: 25

Hi !

J65nko, so what if I change my ISP and get from him 2 class C networks, for example xx.xx.xx.1-254 and xx.xx.xy.1-254? Then if I want to assign addresses to my users, must I use binat?

Thanks
#7, 14th November 2008
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,318

Quote:
Originally Posted by zomo
...I get from him 2 class C networks, for example xx.xx.xx.1-254 and xx.xx.xy.1-254.
Entire Class C networks are no longer allocated due to address depletion, unless a significant amount of money is exchanged. For home usage, the price would be astronomical, & far from practical.
#8, 14th November 2008
zomo
Port Guard
Join Date: Sep 2008
Posts: 25

Ocicat, I am asking about a way to assign public IP addresses to users without binat; that was only an example.

thanks
#9, 14th November 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

If your users use OpenBSD and have a 'bge' NIC, you create a proper /etc/hostname.bge0 file.
Code:
$ cat /etc/hostname.bge0
#dhcp NONE NONE NONE
inet 192.168.222.20 255.255.255.0 NONE
!ifconfig bge0 media 100baseTX mediaopt full-duplex
See hostname.if(5).

Or you set up a local DHCP server.

But I still don't understand why you insist on using public IP addresses.
14th November 2008
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

And I don't understand what's wrong with binat, which seems to be a solution designed for this sort of problem.
19th November 2008
zomo
Port Guard
Join Date: Sep 2008
Posts: 25

OK

I tried to set up proxy ARP without any results. I got from my ISP a block with prefix /29; one address is reserved for the network, one for the modem and one for broadcast, so of the 8 addresses I have 5 for my own use. I divided my /29 into two /30s. One I left on the external interface for the NAT users behind the router and the second I assigned to the internal interface as an alias.
Like J65nko said, I looked in the manual for setting up proxy ARP and added:

Code:
arp -s 204.1.2.3 00:90:27:bb:cc:dd pub
The computer with an IP assigned from the second block was unable to connect outside...? Does someone have a similar situation to mine, or has someone tried to use proxy ARP on OpenBSD?
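A worked version of the split described in this post, as an added example that is not the poster's configuration and has not been run against his modem. It takes the /29 network address (203.0.113.0 from the documentation range stands in for his block), derives the two /30s, and writes the hostname.if(5) files, /etc/mygate, the sysctl line and a pf.conf that a routed, proxy-ARP layout needs. The interface names em0/em1, the private subnet and the MAC address are assumptions. The script makes explicit the three pieces this layout depends on: IP forwarding must be enabled, the `arp -s ... pub` entry must carry the external NIC's own MAC and be recreated at boot, and the NAT rule must be limited to the private subnet so the routed public host is not translated.

```shell
#!/bin/sh
# Added example: split an ISP /29 into two /30s and configure an OpenBSD
# router so that one /30 is the external link and the other is routed, via
# proxy ARP, to a host on the LAN.  Addresses, NICs and the MAC are assumed.

ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

int2ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# plan_29 NETWORK: print the addressing plan for a /29 split into two /30s
# as "role address" lines.  Fails if NETWORK is not /29-aligned (the low
# three bits of the last octet must be zero).
plan_29() {
    n=$(ip2int "$1")
    [ $(( n % 8 )) -eq 0 ] || { echo "$1 is not a /29 network address" >&2; return 1; }
    # First /30 (.0-.3): network, modem, firewall external address, broadcast.
    echo "modem   $(int2ip $(( n + 1 )))"
    echo "fw_ext  $(int2ip $(( n + 2 )))"
    # Second /30 (.4-.7): network, firewall internal alias, routed host, broadcast.
    echo "fw_int  $(int2ip $(( n + 5 )))"
    echo "host    $(int2ip $(( n + 6 )))"
}

# write_proxyarp_config DIR NETWORK EXT_IF INT_IF EXT_MAC PRIV_NET
write_proxyarp_config() {
    dir=$1; net=$2; ext_if=$3; int_if=$4; ext_mac=$5; priv_net=$6
    plan=$(plan_29 "$net") || return 1
    modem=$(echo "$plan" | awk '$1=="modem"{print $2}')
    fw_ext=$(echo "$plan" | awk '$1=="fw_ext"{print $2}')
    fw_int=$(echo "$plan" | awk '$1=="fw_int"{print $2}')
    host=$(echo "$plan" | awk '$1=="host"{print $2}')
    mkdir -p "$dir" || return 1

    # External NIC: first /30.  The modem believes the whole /29 is on this
    # wire, so it ARPs for the routed host here; the 'pub' entry makes the
    # router answer with its own MAC.  '!' lines are run by netstart, which
    # recreates the entry on every boot.
    cat > "$dir/hostname.$ext_if" <<EOF
inet $fw_ext 255.255.255.252
!arp -s $host $ext_mac pub
EOF
    echo "$modem" > "$dir/mygate"

    # Internal NIC: private subnet for the NAT users plus the second /30 as
    # an alias; the routed host uses $fw_int as its default gateway.
    cat > "$dir/hostname.$int_if" <<EOF
inet 192.168.222.1 255.255.255.0
inet alias $fw_int 255.255.255.252
EOF

    # Without forwarding the router answers ARP but drops the packets.
    echo 'net.inet.ip.forwarding=1' > "$dir/sysctl.conf"

    cat > "$dir/pf.conf" <<EOF
ext_if = "$ext_if"
int_if = "$int_if"
priv_net = "$priv_net"
pub_host = "$host"

set skip on lo0

# Only the private subnet is translated, so the routed host leaves with its
# own public address instead of being hidden behind $fw_ext.
match out on \$ext_if inet from \$priv_net to any nat-to (\$ext_if)

block all
pass in on \$int_if inet from { \$priv_net \$pub_host }
pass out on \$ext_if inet

# The routed host is reachable from the Internet untranslated, so expose
# only what it serves.
pass in on \$ext_if inet proto tcp to \$pub_host port 80
EOF
}
```

Run `plan_29 203.0.113.0` first to see the addresses the files will contain, then `write_proxyarp_config /tmp/fw 203.0.113.0 em0 em1 00:90:27:bb:cc:dd 192.168.222.0/24` and compare the output with the live /etc before copying anything. The alias on the internal NIC and the `pub` ARP entry are two halves of one thing: the alias makes the router route to the second /30, the ARP entry makes the modem send that traffic to the router in the first place.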
19th November 2008
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125

Unfortunately I am not able to try arp proxy.

My computer lab boxes, except one, are still unpacked in the garage. Buying a house and a garden, both unmaintained for more than 3 years, probably is something I shouldn't have done.
20th November 2008
zomo
Port Guard
Join Date: Sep 2008
Posts: 25

Ok, someone else try to set it
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick