OpenBSD General
I.P addressing confusion
I'm wanting to set up a network. I'm still confused as to how to set it up. I think the easiest design is to have a switch on my border router. On this switch will be the servers. Also attached to this switch will be an OpenBSD box. This will be a dedicated firewall. On it will be another switch, and the machines on the internal network will be attached to this switch. In the book "Building Internet Firewalls" (O'Reilly) this set-up is described as a screened subnet architecture. However, the external interface on the OpenBSD dedicated firewall will have to get its IP via DHCP (192.168.1.*) from the border router. That, or it can be a static IP on the same subnet as the border router's DHCP range, 192.168.1.* (but outside the DHCP range), but that would be trickier. The internal interface of this dedicated firewall would be static and on a different subnet from the external interface (192.168.2.*). Then this internal interface could give out IPs to the internal network that are on 192.168.2.*, if it did NAT for packets from the internal network. But then NAT would be being done twice: once by the OpenBSD dedicated firewall and once on the border router, before going off to the net.
Or is it a better approach to NOT do NAT on the OpenBSD firewall and have all IPs on the whole network assigned as static (outside of the border router's DHCP range, but all on the same subnet, 192.168.1.*)? Basically, is there any point in the OpenBSD box doing DHCP and NAT for hosts on the internal network? I guess the answer is no. But I just wanted to hear your opinions, if you have the time. The border router is a home router. I wanted to have a normal triple-homed dedicated firewall and put it in the border router's DMZ but it proved unpredictable and tricky. So I just wondered what the best IP addressing scheme would be for my newer way. Thank you for your time. And fare ye well.
I have the following setup
Code:
                 I N T E R N E T
                        |
                        |
          -------------|---------------
          85.xxx.xxx.xxx   external interface
               Speedtouch Router
          10.0.0.138       internal interface
          -------------|---------------
                        |
                        |
          -------------|---------------
          10.0.0.200       external interface
               OpenBSD Firewall
          192.168.0.1/24   internal interface
          -------------|---------------
                        |
                        |
                     ---|---
                     switch
                     ---|---
                        |
                        |
          -------------|---------------
          192.168.0.10/24  Desktop
          -----------------------------

Because the Speedtouch router only knows the 10.0.0.0 network, it has to be told that incoming packets (the replies) for the 192.168.0.0 network have to be sent to the 10.0.0.200 interface. In other words, this 10.0.0.200 interface is the gateway for the 192.168.0.0 network. On the Speedtouch I added the following static route:
Code:
Destination      Source          Gateway      Intf
192.168.0.0/24   10.0.0.138/32   10.0.0.200   eth0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

The border router is just a home router. It's not very configurable. Erm, why wouldn't just assigning a static internal IP address for hosts on the internal network work, and having all interfaces on the same subnet (192.168.1.*), with only the OpenBSD dedicated firewall's external interface getting its IP via DHCP from the border router? I think with the border router that I've got at the moment I have to either do this or hope that it does NAT and routing for hosts on another private subnet, i.e. 192.168.2.*, and either do NAT twice or just try using the different subnets anyhow. It's just a home router though.
Thank you very much for your reply.
The border router has its own firewall. The OpenBSD box was going to be just the firewall for the internal network. So I have a firewall protecting the servers (on the border router) and a firewall protecting the internal network. The OpenBSD box would just separate the internal network from the perimeter network and control access between these two areas. Like I say, I tried to have the OpenBSD box as a triple-homed box that was in the border router's DMZ but this proved too tricky, due to the fact that the border router is just a home router.
What I needed to know is: is it alright to have all interfaces apart from the OpenBSD dedicated firewall's external interface configured with static internal addresses that are all on the same subnet as the border router's internal interface (192.168.1.*) but are outside of the DHCP range (addresses that the border router gives out)? Or should I assign a static internal IP address for the OpenBSD box's internal interface that is on a different subnet from its external interface (192.168.2.*) and then have this internal interface do DHCP and NAT for the internal network and give out addresses to the internal network that are on the 192.168.2.* subnet? So should I do:
Code:
   192.168.2.10       192.168.1.67              192.168.1.254
  (int interface)    (ext interface)         (internal interface)
                                               |--------------|
       |--------------|                        |border router |
  -----|   OpenBSD    |------------------------|              |----------------|
  |    |--------------|                        |--------------|                |
  |                                                                            |
  192.168.2.20                                                    servers on 192.168.1.*
  internal host

The diagram is slightly simplified. Obviously switches are involved (the servers and the OpenBSD box are on a switch that is attached to the border router; the internal host(s) are on a switch that is attached to the OpenBSD firewall box). Also I'm very sorry to keep bothering you all. I really am very grateful for all the help I'm getting. I understand if you don't want to help me any further. Thank you for your time and replies. Regards, unixjingleman
The diagram doesn't look anything like it did when I drew it. I'm sorry, I don't know why this is. It is meant to indicate that the border router's internal interface has an IP of 192.168.1.254. The OpenBSD box is supposed to have an external IP of 192.168.1.67 and an internal address of 192.168.2.10.

Right, so having all the interfaces in the whole network on 192.168.1.* and static/outside of the DHCP range of the border router is alright. OK, please ignore my previous posts. That's all I wanted to know. Sorry to keep bothering you. Just ignore. I'll get on with building the network now. Unless there are any further points? Does pf do NAT by default?
Thank you so much for all the advice. It must be trying, helping n00bs?

Studying the PF User's Guide and the section on NAT will be highly worth your time.
The alternative is to attach a diagram created by some other means, but attachments take more time of potential responders. If your goal is for people to respond, making sure that messages have all information clearly presented upon first viewing helps. Personally, I don't care for attachments.
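pf applies no NAT unless a rule asks for it, which is why the PF User's Guide section on NAT is the place to look. The /etc/pf.conf below is an added example written for the layout discussed in this thread, not configuration posted by anyone in it: the OpenBSD box sits between the home border router (192.168.1.254) and an internal 192.168.2.0/24, and its external address (assumed to be 192.168.1.67) comes from the border router's DHCP. The interface names em0 and em1, the service ports, and the use of the border router as the DNS server are all assumptions. It is written in the OpenBSD 4.7 and later "match ... nat-to" syntax (earlier releases spell the same rule "nat on $ext_if from $int_net to any -> ($ext_if)"), and forwarding has to be switched on with net.inet.ip.forwarding=1 in /etc/sysctl.conf. It shows both designs the thread argues about: the "NAT twice" version, and the routed version that depends on the static route the Speedtouch post describes.

```pf
# /etc/pf.conf for the OpenBSD box in this thread: a screened-subnet
# firewall between a home border router (192.168.1.254) and the internal
# LAN (192.168.2.0/24). Added example, not config from any poster.
# Interface names, the 192.168.1.67 address and the ports are assumptions.
# Needs net.inet.ip.forwarding=1 in /etc/sysctl.conf and OpenBSD 4.7+.

ext_if = "em0"             # towards the border router; address from its DHCP
int_if = "em1"             # towards the internal switch; static 192.168.2.10
int_net = "192.168.2.0/24"
perimeter_net = "192.168.1.0/24"
border_router = "192.168.1.254"
perimeter_ports = "{ 22, 80, 443 }"   # what internal hosts may reach on the servers

# Both private networks, so "not local" can be expressed as a negated table.
table <local_nets> const { 192.168.1.0/24, 192.168.2.0/24 }

set skip on lo
antispoof quick for $int_if

# pf does no NAT by default. This single line is the "NAT twice" design:
# 192.168.2.x leaves $ext_if as 192.168.1.67, so the border router needs
# no extra configuration. The parentheses make pf re-read the address
# whenever the DHCP lease changes it.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# Routed alternative (no second NAT): delete the match line above and give
# the border router a static route, as in the Speedtouch post:
#   192.168.2.0/24  via  192.168.1.67
# Without that route, replies addressed to 192.168.2.x die at the border
# router. Many home routers cannot take static routes at all, in which
# case only the NAT design works.

# Default deny. pass rules keep state, so replies come back on their own.
block log all

# The firewall itself and anything it forwards may leave.
pass out inet all

# Internal hosts: DHCP to the firewall, DNS via the border router, chosen
# services on the perimeter servers, and anything that is not a local
# network (i.e. the Internet). Nothing else reaches the perimeter side.
pass in on $int_if inet proto udp from any port 68 to any port 67
pass in on $int_if inet proto { tcp, udp } from $int_net to $border_router port 53
pass in on $int_if inet proto tcp from $int_net to $perimeter_net port $perimeter_ports
pass in on $int_if inet from $int_net to ! <local_nets>

# Manage the firewall from the inside only. Nothing arriving on $ext_if
# is passed in, so the perimeter and the border router's DMZ cannot
# initiate connections into 192.168.2.0/24.
pass in on $int_if inet proto tcp from $int_net to ($int_if) port 22
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The internal hosts get their 192.168.2.x addresses from dhcpd(8) listening on the internal interface, handing out 192.168.2.10 as the router; on releases of the era of this thread that meant `dhcpd_flags=em1` in /etc/rc.conf.local, on current ones `rcctl enable dhcpd` and `rcctl set dhcpd flags em1`. Double NAT costs nothing for outbound client traffic; it only becomes a nuisance if something on the inside must accept inbound connections, because a port forward is then needed on both the border router and the OpenBSD box.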