OpenBSD General
Trying to understand routing with openbsd
Hi guys, I am looking for help understanding a couple of things.

My network: an OpenBSD box serving as a router/gateway to the internet, with the IPs below.

    +-----+
    | em0 |---> ISP
    +-----+
    +-----+
    | em1 |---> 192.168.1.1 (Wired LAN)
    +-----+
    +-----+
    | em2 |---> 192.168.2.1 (Wireless AP)
    +-----+

Code:

    root ~ # cat /etc/hostname.em1
    inet 192.168.1.1 255.255.255.0 NONE
    #!route add -net 192.168.1.0/24 192.168.1.1
    #!route add -net 192.168.2.0/24 192.168.2.1

    root ~ # cat /etc/hostname.ural0
    inet 192.168.2.1 255.255.255.0 NONE autoselect mode 11g mediaopt hostap nwid an0nym0us chan 11 wpa wpaprotos wpa2 wpaakms psk wpapsk lol

    root ~ # cat /etc/sysctl.conf |grep net.inet.ip.forwarding
    net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

    root ~ # pfctl -sr
    anchor "miniupnpd" all
    match out log on egress inet from ! (egress) to any nat-to (egress:0) round-robin
    block drop in log quick on ! em1 inet from 192.168.1.0/24 to any
    block drop in log quick inet from 192.168.1.1 to any
    block drop in log quick on ! em0 from (em0:network) to any
    block drop in log quick from (em0) to any
    block drop in log quick on re0 inet6 from fe80::e291:f5ff:fe20:3eb0 to any
    pass out quick all flags S/SA keep state
    pass in quick all flags S/SA keep state

Random client 192.168.2.24 (connected to the wireless AP) is unable to ping random client 192.168.1.100 (connected to the switch on em1). I added the commented static routes in hostname.em1 and still have the same problem. One thing I noticed when I did a tcpdump on the OpenBSD box is that I got this. Don't know if it is the reason.

Code:

    root ~ # tcpdump -n -vvv -i re0 host 192.168.1.100
    tcpdump: listening on re0, link-type EN10MB
    21:17:15.985288 192.168.2.24 > 192.168.1.100: icmp: echo request (id:c624 seq:10) (ttl 63, id 46271, len 84, bad cksum 0! differs by 421d)
    21:17:16.994790 192.168.2.24 > 192.168.1.100: icmp: echo request (id:c624 seq:11) (ttl 63, id 65157, len 84, bad cksum 0! differs by f856)
    21:17:16.995493 arp who-has 192.168.2.24 tell 192.168.1.100
    21:17:17.987041 192.168.2.24 > 192.168.1.100: icmp: echo request (id:c624 seq:12) (ttl 63, id 37534, len 84, bad cksum 0! differs by 643e)
    21:17:17.995391 arp who-has 192.168.2.24 tell 192.168.1.100
    21:17:18.995221 arp who-has 192.168.2.24 tell 192.168.1.100

Code:

    root ~ # tcpdump -vvvttt host 192.168.2.24
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    00:00:00.000000 IP (tos 0x0, ttl 63, id 27416, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.2.24 > 192.168.1.100: ICMP echo request, id 3621, seq 78, length 64
    00:00:00.003411 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.2.24 tell 192.168.1.100, length 28
    00:00:00.997995 IP (tos 0x0, ttl 63, id 36710, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.2.24 > 192.168.1.100: ICMP echo request, id 3621, seq 79, length 64

Can it be PF? Since I am still a noob with PF, I have allowed all in and out just to make sure it is not because of PF.

    pass out quick
    pass in quick

By the way, how would you check specific packets dropped by PF? Do a tcpdump on pflog?

Thanks in advance.

Last edited by badguy; 17th September 2011 at 01:45 AM.
More on routing:
    {internet} - [Firewall A] - DMZ Web servers 10.1.1/24 - [Firewall B] - DBs and Users 192.168.1/24

Firewall A also needs a route to the inner subnet, not just the DMZ servers. That's if Firewall B is not using NAT -- it typically would not be. If Firewall B is using NAT, however, then the inner subnet's traffic is all translated into Firewall B's address on the 10.1.1 network.

Isn't networking fun? There are so many things to misconfigure.
Secondly, from the router perspective, if Firewall A has 2 NIC cards that go to both gateways, will there be a need for static routes? In my scenario, for instance, my BSD router knows how to reach re0 (em1) and ural0 (em2), so there is no need for static routes on the router. If it had to reach a subnet that was not directly connected to it, it would then need a static route to that subnet. Also, the hosts on my wired and wireless subnets do not need static routes as long as they can reach their default gateway. Did I get this twisted up?
    # route add default <address of ISP's gateway router>
    # route add 192.168.1/24 <address of FW B on 10.1.1 net>

And we configure Firewall B with one default route:

    # route add default <address of FW A on 10.1.1 net>

Are you asking do we need to do anything with Firewall B if there is a change in the DMZ or in the ISP's addressing? Not so long as Firewall A's IP address doesn't change. For routing tables, the only addresses needed are the addresses of the adjacent router(s).

In the case of Firewall A, it needs two routes because the 192.168.1 subnet can't be reached through the default route, which goes to the ISP.
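As an added Python example (not from the thread) of the route lookups described above: a longest-prefix match over the first post's router, Firewall A from the DMZ example, and an ordinary client, with the ISP gateway and Firewall B's 10.1.1 address as placeholders. The final case assumes a client whose netmask is wider than /24, which would ARP for 192.168.2.24 directly instead of handing it to 192.168.1.1, the "arp who-has 192.168.2.24 tell 192.168.1.100" pattern the first post's captures show.

```python
import ipaddress

# Constructed routing tables modelling the thread's topology. Each entry is
# (prefix, next_hop); next_hop None means "directly connected", i.e. the sender
# ARPs for the destination itself. Longest matching prefix wins, as in the kernel.
ROUTER_TABLE = [                      # the OpenBSD box from the first post
    ("0.0.0.0/0", "ISP_GATEWAY"),     # placeholder for the ISP's gateway address
    ("192.168.1.0/24", None),         # em1, directly connected
    ("192.168.2.0/24", None),         # ural0/em2, directly connected
]

FIREWALL_A_TABLE = [                  # Firewall A from the DMZ example
    ("0.0.0.0/0", "ISP_GATEWAY"),
    ("10.1.1.0/24", None),            # DMZ, directly connected
    ("192.168.1.0/24", "10.1.1.2"),   # assumed address of Firewall B on the DMZ net
]

def host_table(addr_with_prefix, gateway):
    """Table of an ordinary host: its directly connected link plus a default route."""
    link = ipaddress.ip_interface(addr_with_prefix).network
    return [("0.0.0.0/0", gateway), (str(link), None)]

def lookup(table, dst):
    """Longest-prefix match for dst.

    Returns the address the sender will ARP for: the destination itself when the
    best route is directly connected, otherwise the next-hop router. None if no
    route matches (the packet is dropped with 'no route to host').
    """
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    if best_net is None:
        return None
    return str(dst) if best_hop is None else best_hop

if __name__ == "__main__":
    # The router needs no static route for its own subnets: em1 is on-link.
    print(lookup(ROUTER_TABLE, "192.168.1.100"))           # 192.168.1.100
    # Firewall A reaches the inner subnet only via the route pointing at FW B.
    print(lookup(FIREWALL_A_TABLE, "192.168.1.50"))        # 10.1.1.2
    # A correctly masked client hands off-subnet traffic to its gateway ...
    print(lookup(host_table("192.168.1.100/24", "192.168.1.1"), "192.168.2.24"))  # 192.168.1.1
    # ... but with a too-wide mask it ARPs for 192.168.2.24 directly, which is
    # the "arp who-has 192.168.2.24 tell 192.168.1.100" seen in the captures.
    print(lookup(host_table("192.168.1.100/16", "192.168.1.1"), "192.168.2.24"))  # 192.168.2.24
```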
Appreciate the explanation sir.