DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Installation and Upgrading

OpenBSD Installation and Upgrading Installing and upgrading OpenBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 25th January 2009
Quaxo Quaxo is offline
Port Guard
 
Join Date: Jun 2008
Posts: 29
Default Need help with NAT setup

Hello!

Im having trouble getting internet access from a laptop to the internet. I can connect to the server (ie. my router) via WLAN with DHCP without any problem, but when I try to read a web page nothing happens.

The server handling this routing is using OpenBSD v4.4. The laptop is connecting to the server via the ral0 interface and the server should redirect the trafic to nfe0 (connected to the intenet).

At this point I have three things to verify before I try something else. So my questions are...

Question 1) Should this PF-rule work for me?:
Code:
nat pass log on nfe0 from ral0:network to any -> (nfe0)
Question 2) In order to do this NAT, is it required to also create a bridge? Like:
Code:
ifconfig bridge0 create
brconfig bridge0 add ral0 add nfe0 up
Question 3) Should the domain-name-servers setting in dhcpd.conf point to my DNS given by my ISP? I mean, I must change the default settings in dhcpd.conf to:
Code:
option domain-name-servers <MY-DNS1-IP>, <MY-DNS2-IP>;
...right?


-Cheers!
/Quaxo
Reply With Quote
  #2   (View Single Post)  
Old 25th January 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by Quaxo View Post
I can connect to the server (ie. my router) via WLAN with DHCP without any problem, but when I try to read a web page nothing happens.
Before examining PF rules in detail, check first to see if sysctl net.inet.ip.forwarding is set to 1. IPv4 packets will not be routed without this.
Quote:
Should this PF-rule work for me?
It looks fine, except that the "pass" may not do what you expect it to, and there may be additional filter rules needed. The NAT section of the PF User's Guide reminds us (highlight mine):
...since translation occurs before filtering, the filter engine will see the translated packet with the translated IP address and port...
Quote:
In order to do this NAT, is it required to also create a bridge?
No.
Quote:
Should the domain-name-servers setting in dhcpd.conf point to my DNS given by my ISP?
This is unrelated to NAT. You will want to provide DHCP users with the appropriate configuration. At minimum, this is an IP address, a netmask, a default route. While DNS servers may be optional in a private network with no Internet access, they aren't optional for Internet use.

I strongly recommend you add the log keyword to every PF rule that permits it, so that you can see exactly what rules pass and block. You do this with tcpdump(8) and the pflog(4) pseudo device.

Last edited by jggimi; 25th January 2009 at 05:31 PM.
Reply With Quote
  #3   (View Single Post)  
Old 25th January 2009
Quaxo Quaxo is offline
Port Guard
 
Join Date: Jun 2008
Posts: 29
Default

Thanks a lot for your help so far

Quote:
Originally Posted by jggimi View Post
Before examining PF rules in detail, check first to see if sysctl net.inet.ip.forwarding is set to 1. IPv4 packets will not be routed without this.
Oh right!, the sysctl. Sorry but I forgot to mention that I did set it to 1 using "sysctl net.inet.ip.forwarding=1" (or something like that) and the output from sysctl confirmed the change. I have also changed the configuration file in /etc/sysctl.conf.

Quote:
Originally Posted by jggimi View Post
It looks fine, except that the "pass" may not do what you expect it to, and there may be additional filter rules needed. ...
About the PF-rule. Hmm...then im not following here. I thought "pass" ment that I didnt need to set any other rules. For the case of testing I added "pass log quick all" but I got nothing in the log. Any ideas here?

Quote:
Originally Posted by jggimi View Post
No.
Ok, so I wont need a bridge here. Then ill remove it.

Quote:
Originally Posted by jggimi View Post
This is unrelated to NAT. You will want to provide DHCP users with the appropriate configuration. At minimum, this is an IP address, a netmask, a default route. While DNS servers may be optional in a private network with no Internet access, they aren't optional for Internet use.
Hehe, true. The reason I mentioned it was that I thought that maybe the server (router) must act like a "DNS proxy" or something. So my dhcpd should be ok as it is then.


(EDIT)
This is weird...When using "pass log quick all" and doing a ssh from the laptop to the server I get a connection but nothing is shown in the PF-log.


/Quaxo

Last edited by Quaxo; 25th January 2009 at 07:32 PM.
Reply With Quote
  #4   (View Single Post)  
Old 25th January 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Quote:
Originally Posted by Quaxo View Post
...I did set it to 1 using "sysctl net.inet.ip.forwarding=1" (or something like that) and the output from sysctl confirmed the change. I have also changed the configuration file in /etc/sysctl.conf.
You can confirm it, if you like, with something similar to:
  • $ sysctl -a | grep forward
Quote:
...I thought "pass" ment that I didnt need to set any other rules.
You won't know, for sure, what is happening, until you log all rules and test the results. Some people only log block rules, but when diagnosing PF, I prefer to log all rules, so I can determine which rules are effective in which circumstance.
Quote:
...I thought that maybe the server (router) must act like a "DNS proxy" or something...
Only if you set up a local DNS server on it. And then, you'd update your dhcpd.conf accordingly.
If you are interested in caching DNS locally, and managing your local hosts via DNS, note that BIND v9 is built-in to OpenBSD. The daemon is named(8). It has a fairly complex configuration. You will want more documentation than just the man page. (There are other DNS engines available, too.)
Quote:
This is weird...When using "pass log quick all" and doing a ssh from the laptop to the server I get a connection but nothing is shown in the PF-log.
"Sounds" like one of three things is happening:
  1. Perhaps an unlogged rule is in effect (such as your "nat pass") I'll guess this is the reaon. This is my third hint to LOG ALL RULES.
  2. Perhaps you are not using tcpdump correctly
  3. Perhaps pflog0 is not configured properly
Reply With Quote
  #5   (View Single Post)  
Old 26th January 2009
Quaxo Quaxo is offline
Port Guard
 
Join Date: Jun 2008
Posts: 29
Default

This is now my set up...
Code:
/root# pfctl -sn
nat on nfe0 from ! (nfe0) to any -> (nfe0) round-robin
/etc# pfctl -sr
block return log all
pass out log quick on nfe0 inet proto udp from 192.168.0.154 to <hidden-ip> port = ntp keep state
pass out log quick on nfe0 inet proto udp from 192.168.0.154 to <hidden-ip> port = ntp keep state
pass out log quick on nfe0 inet proto udp from 192.168.0.154 to <hidden-ip> port = ntp keep state
pass out log quick on nfe0 inet proto udp from 192.168.0.154 to <hidden-ip> port = domain keep state
pass in log quick on nfe0 inet proto udp from <hidden-ip> port = domain to 192.168.0.154 keep state
pass in log on nfe0 inet proto tcp from 192.168.0.102 to 192.168.0.154 port = ssh flags S/SA modulate state
If I try to open a web page on my laptop I see nothing in the log (tcpdump -n -e -ttt -i pflog0). "pfctl -ss" ouput shows only my three SSH connections from my workstation to the server and nothing about the laptop doing DNS or whatever. pflog0 seems to be working for other stuff anyway (I can see incomming connection attempts from random people).

Any more ideas? Would it help to see ifconfig and stuff?

/Quaxo
Reply With Quote
  #6   (View Single Post)  
Old 27th January 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I don't see any ral0 NIC/network rules. But then, you're showing output from pfctl, not pf.conf.

I can tell two things from this pfctl output:
  1. You are not logging your nat rules, so you are missing seeing that activity.
  2. All rules, except the block all, are nfe0 specific. I dont' see any rules for ral0. Your block all should kick in, unless you are still running an unseen nat pass. I don't know if pfctl -sn shows nat pass, as I do not run it and cannot test it at the moment.
Reply With Quote
  #7   (View Single Post)  
Old 27th January 2009
Quaxo Quaxo is offline
Port Guard
 
Join Date: Jun 2008
Posts: 29
Default

...I figured "block return log all" would add notes to the pflog no matter what so therefore no need for more PF-rules.

However I found the problem!

It was actually in dhcpd.conf. I didnt set the "option routers" correctly. It was still on the default setting (192.168.1.1) while the ral0 was on IP 192.168.1.34. So now it works great! This was ofcourse impossible for you to see since I have never posted these data


Thanks alot for your time anyway
/Quaxo
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
DJ Setup tad1214 FreeBSD General 8 21st July 2008 01:50 PM
problem on setup!! josue Other OS 6 24th June 2008 05:29 AM
How To Setup WPA? warriors OpenBSD General 8 15th June 2008 04:39 PM
postfix setup Demodog General software and network 12 11th June 2008 07:43 PM
IP Printer Setup kjemison FreeBSD General 4 2nd June 2008 02:35 PM


All times are GMT. The time now is 10:47 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick