Obtaining multiple IPs from ISP via DHCP
I've been trying to do this for some time now.
So, from what I have gathered, what I need is virtual interfaces with different MAC addresses bridged to the physical interface. I think I have accomplished that much.
Code:
gateway# ifconfig nfe0
nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:14:2a:19:c4:a5
        inet 216.232.236.243 netmask 0xfffff000 broadcast 216.232.239.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gateway# ifconfig ngeth0
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:5c:16:10:dd:79
        inet 207.6.112.184 netmask 0xfffff000 broadcast 207.6.127.255
gateway#
Went something like this:
Code:
ngctl mkpeer . eiface hook ether
ifconfig ngeth0 up
ngctl mkpeer ngeth0: bridge lower link0
ngctl name ngeth0:lower mybridge
ngctl connect nfe0: mybridge: lower link1
ngctl connect nfe0: mybridge: upper link2
ngctl connect ngeth0: mybridge: upper link3
ngctl msg nfe0: setautosrc 0
ifconfig ngeth0 link 00:5c:16:10:dd:79
dhclient ngeth0
Here is my pf.conf:
Code:
ext1="nfe0"
ext2="ngeth0"
int1="rl0"
pc1="10.0.0.2"
pc2="10.0.0.3"

set skip on lo

# nat/rdr
binat on $ext1 from $pc1 to any -> $ext1
nat on $ext2 from !($ext2) -> ($ext2:0)
rdr-anchor "miniupnpd"

# Hamachi
rdr on $ext1 proto {tcp, udp} from any to any port 39004 -> $pc1

# Xbox Live
rdr on $ext1 proto {tcp, udp} from any to any port 3074 -> $pc2

anchor "miniupnpd"
Last edited by dextro; 19th December 2008 at 09:17 PM.

If your ISP gives you a netblock, they are usually fixed.
You can just assign the first IP as normal to the NIC; the remaining IPs you assign as aliases with a 255.255.255.255 netmask.
Code:
# ifconfig re0 11.1.1.1 netmask 255.255.255.248
# ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:db:47:b0:4c
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::219:dbff:fe47:b04c%re0 prefixlen 64 scopeid 0x2
        inet 11.1.1.1 netmask 0xfffffff8 broadcast 11.1.1.7
# ifconfig re0 alias 11.1.1.2 netmask 255.255.255.255
# ifconfig re0 alias 11.1.1.3 netmask 255.255.255.255
# ifconfig re0 alias 11.1.1.4 netmask 255.255.255.255
# ifconfig re0 alias 11.1.1.5 netmask 255.255.255.255
# ifconfig re0 alias 11.1.1.6 netmask 255.255.255.255
# ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:db:47:b0:4c
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::219:dbff:fe47:b04c%re0 prefixlen 64 scopeid 0x2
        inet 11.1.1.1 netmask 0xfffffff8 broadcast 11.1.1.7
        inet 11.1.1.2 netmask 0xffffffff broadcast 11.1.1.2
        inet 11.1.1.3 netmask 0xffffffff broadcast 11.1.1.3
        inet 11.1.1.4 netmask 0xffffffff broadcast 11.1.1.4
        inet 11.1.1.5 netmask 0xffffffff broadcast 11.1.1.5
        inet 11.1.1.6 netmask 0xffffffff broadcast 11.1.1.6
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

They're not static; they have to be obtained with DHCP.

Sorry J65nko, I have a cable modem like that, and like dextro, statically assigning addresses doesn't work as expected.
I've never worked with FreeBSD/netgraph before, but that appears to offer the necessary functionality: spoofing multiple MAC addresses on 1 interface. I would also be interested in alternate solutions to this problem, preferably something better than installing additional interfaces.

From man dhcpd.conf
Code:
     The fixed-address declaration

     fixed-address address [, address ... ];

     The fixed-address declaration is used to assign one or more fixed IP
     addresses to a client.  It should only appear in a host declaration.
     If more than one address is supplied, then when the client boots, it
     will be assigned the address that corresponds to the network on which
     it is booting.  If none of the addresses in the fixed-address statement
     are valid for the network to which the client is connected, that client
     will not match the host declaration containing that fixed-address
     declaration.  Each address in the fixed-address declaration should be
     either an IP address or a domain name that resolves to one or more IP
     addresses.
A bit earlier in the same man page
Code:
   SPAWNING CLASSES
     It is possible to declare a spawning class.  A spawning class is a class
     that automatically produces subclasses based on what the client sends.
     The reason that spawning classes were created was to make it possible
     to create lease-limited classes on the fly.  The envisioned application
     is a cable-modem environment where the ISP wishes to provide clients at
     a particular site with more than one IP address, but does not wish to
     provide such clients with their own subnet, nor give them an unlimited
     number of IP addresses from the network segment to which they are
     connected.

     Many cable modem head-end systems can be configured to add a Relay
     Agent Information option to DHCP packets when relaying them to the DHCP
     server.  These systems typically add a circuit ID or remote ID option
     that uniquely identifies the customer site.  To take advantage of this,
     you can write a class declaration as follows:

     class "customer" {
       spawn with option agent.circuit-id;
       lease limit 4;
     }

     Now whenever a request comes in from a customer site, the circuit ID
     option will be checked against the class's hash table.  If a subclass
     is found that matches the circuit ID, the client will be classified in
     that subclass and treated accordingly.  If no subclass is found
     matching the circuit ID, a new one will be created and logged in the
     dhcpd.leases file, and the client will be classified in this new class.
     Once the client has been classified, it will be treated according to
     the rules of the class, including, in this case, being subject to the
     per-site limit of four leases.

     The use of the subclass spawning mechanism is not restricted to relay
     agent options - this particular example is given only because it is a
     fairly straightforward one.
It could be interesting to use tcpdump to wiretap the DHCP traffic
Code:
# tcpdump -eni nfe0 -s1500 -w dhcp.dump
Read the dump with
Code:
# tcpdump -envv -s1500 -r dhcp.dump
BTW, what does your netstat -rn output look like after having received leases for nfe0 as well as ngeth0?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Code:
gateway# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.232.224.254    UGS         0   771074   nfe0
10.0.0.0/24        link#2             UC          0        0    rl0
10.0.0.2           00:17:31:b2:31:1d  UHLW        1 44602500    rl0    804
127.0.0.1          127.0.0.1          UH          0      295    lo0
207.6.112.0/20     link#5             UC          0        0 ngeth0
207.6.112.254      link#5             UHLW        1        0 ngeth0
216.232.224.0/20   link#1             UC          0        0   nfe0
216.232.224.254    00:90:1a:a0:3d:ce  UHLW        2        0   nfe0      6

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#4                        UHL         lo0
ff01:4::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
gateway# ifconfig nfe0
nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:14:2a:19:c4:a5
        inet 216.232.236.243 netmask 0xfffff000 broadcast 216.232.239.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gateway# ifconfig ngeth0
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:5c:16:10:dd:79
        inet 207.6.112.184 netmask 0xfffff000 broadcast 207.6.127.255
gateway# dhclient nfe0
DHCPREQUEST on nfe0 to 255.255.255.255 port 67
DHCPACK from 216.232.224.254
bound to 216.232.236.243 -- renewal in 3600 seconds.
gateway# dhclient ngeth0
DHCPREQUEST on ngeth0 to 255.255.255.255 port 67
DHCPACK from 207.6.112.254
bound to 207.6.112.184 -- renewal in 3600 seconds.
gateway# ping -S 216.232.236.243 72.14.207.104
PING 72.14.207.104 (72.14.207.104) from 216.232.236.243: 56 data bytes
64 bytes from 72.14.207.104: icmp_seq=0 ttl=244 time=119.186 ms
^C
--- 72.14.207.104 ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 119.186/119.186/119.186/0.000 ms
gateway# ping -S 207.6.112.184 72.14.207.104
PING 72.14.207.104 (72.14.207.104) from 207.6.112.184: 56 data bytes
64 bytes from 72.14.207.104: icmp_seq=0 ttl=244 time=121.193 ms
^C
--- 72.14.207.104 ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 121.193/121.193/121.193/0.000 ms
gateway#
Code:
nat on ngeth0 from !(ngeth0) -> (ngeth0:0)
Code:
nat on nfe0 from !(nfe0) -> (nfe0:0)
Last edited by dextro; 21st December 2008 at 05:12 AM.

Code:
<?php
// Fetch $url and return the body; $opts['bind'] selects the local source
// address or interface name curl should use (CURLOPT_INTERFACE accepts either).
function g($url, $opts = array()) {
    if ( !isset($opts['ua']) )
        $opts['ua'] = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_FAILONERROR, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // Disables TLS certificate checking; harmless here only because the test URL is plain http.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, $opts['ua']);
    if ( isset($opts['bind']) )
        curl_setopt($ch, CURLOPT_INTERFACE, $opts['bind']);
    if ( !($cr = curl_exec($ch)) )
        printf("<p>g() failed: url={$url}; curl_errno()=%d; curl_error()=%s;</p>", curl_errno($ch), curl_error($ch));
    curl_close($ch);
    return $cr;
}

// ip.php on the remote host echoes back the source address it saw.
echo '216.232.236.243 => ' . g('http://94.75.205.177/ip.php', array('bind' => '216.232.236.243')) . "\n";
echo '207.6.112.184 => '   . g('http://94.75.205.177/ip.php', array('bind' => '207.6.112.184')) . "\n";
echo 'nfe0 => '            . g('http://94.75.205.177/ip.php', array('bind' => 'nfe0')) . "\n";
echo 'ngeth0 => '          . g('http://94.75.205.177/ip.php', array('bind' => 'ngeth0')) . "\n";
?>
Code:
gateway# php w.php
216.232.236.243 => 216.232.236.243
207.6.112.184 => 216.232.236.243
nfe0 => 216.232.236.243
ngeth0 => 216.232.236.243
gateway#

What are you trying to accomplish with those multiple IP addresses? For what do you need those addresses, and how many IPs is your ISP giving you?
The big unknown is your network topology. What does that look like?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

My ISP allows me 2 dynamic IPs. As far as I can tell I have to obtain them via DHCP, so I have to use a different MAC in the DHCP request, which makes a problem when I am trying to do it on 1 NIC. One machine on my network needs full access over its own IP and the rest of the network will share the second.
nat on $ip2 from !($ip2) -> ($ip2:0)
binat on $ip1 from $pc1 to any -> $ip1
Someone actually recommended I go modem -> switch -> 2 cat5 -> router with 3 nic -> switch -> network; currently it looks like modem -> router -> switch -> network.

Code:
          INTERNET
             |
             |
           modem
             |
             |
      -------|------------
      |   external       |
      |                  |  DMZ
      |   FBSD router    |--------------- Server
      |                  |  nic
      |   internal       |
      -------|------------
             |
             |
          switch
             |
        internal LAN
The DMZ nic gets the second IP address through DHCP. The server nic can have a private 10.x.x.x address directly connected to the DMZ nic. This is possible; you only need to specify the -interface modifier when you add the default route on the server.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

I know how to set up my network; my problem is getting both IPs to work on the box at the same time so I can configure PF.
Code:
gateway# ifconfig nfe0 link 00:5c:16:10:dd:79
gateway# dhclient nfe0
DHCPREQUEST on nfe0 to 255.255.255.255 port 67
DHCPREQUEST on nfe0 to 255.255.255.255 port 67
DHCPDISCOVER on nfe0 to 255.255.255.255 port 67 interval 5
DHCPOFFER from 75.153.0.254
DHCPREQUEST on nfe0 to 255.255.255.255 port 67
DHCPACK from 75.153.0.254
bound to 75.153.5.9 -- renewal in 3600 seconds.
gateway# ifconfig nfe0 inet alias 216.232.236.243 netmask 255.255.255.255
gateway# ifconfig nfe0
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:5c:16:10:dd:79
        inet 75.153.5.9 netmask 0xfffff000 broadcast 75.153.15.255
        inet 216.232.236.243 netmask 0xffffffff broadcast 216.232.236.243
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gateway# ping -S 75.153.5.9 64.233.187.104
PING 64.233.187.104 (64.233.187.104) from 75.153.5.9: 56 data bytes
64 bytes from 64.233.187.104: icmp_seq=0 ttl=241 time=121.223 ms
64 bytes from 64.233.187.104: icmp_seq=1 ttl=241 time=121.596 ms
64 bytes from 64.233.187.104: icmp_seq=2 ttl=241 time=121.255 ms
64 bytes from 64.233.187.104: icmp_seq=3 ttl=241 time=121.421 ms
64 bytes from 64.233.187.104: icmp_seq=4 ttl=241 time=121.556 ms
64 bytes from 64.233.187.104: icmp_seq=5 ttl=241 time=121.732 ms
64 bytes from 64.233.187.104: icmp_seq=6 ttl=241 time=121.886 ms
^C
--- 64.233.187.104 ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 121.223/121.524/121.886/0.225 ms
gateway# ping -S 216.232.236.243 64.233.187.104
PING 64.233.187.104 (64.233.187.104) from 216.232.236.243: 56 data bytes
^C
--- 64.233.187.104 ping statistics ---
30 packets transmitted, 0 packets received, 100.0% packet loss
gateway#
Code:
01:00:56.994012 IP 75.153.5.9 > 64.233.187.104: ICMP echo request, id 49902, seq 0, length 64
01:00:57.115131 IP 64.233.187.104 > 75.153.5.9: ICMP echo reply, id 49902, seq 0, length 64
01:00:57.995022 IP 75.153.5.9 > 64.233.187.104: ICMP echo request, id 49902, seq 1, length 64
01:00:58.116580 IP 64.233.187.104 > 75.153.5.9: ICMP echo reply, id 49902, seq 1, length 64
01:00:58.996762 IP 75.153.5.9 > 64.233.187.104: ICMP echo request, id 49902, seq 2, length 64
01:01:39.388473 IP 216.232.236.243 > 64.233.187.104: ICMP echo request, id 50926, seq 28, length 64
01:01:39.507437 IP 64.233.187.104 > 216.232.236.243: ICMP echo reply, id 50926, seq 28, length 64
01:01:40.390209 IP 216.232.236.243 > 64.233.187.104: ICMP echo request, id 50926, seq 29, length 64
01:01:40.508135 IP 64.233.187.104 > 216.232.236.243: ICMP echo reply, id 50926, seq 29, length 64

Okay, the following creates a virtual interface named ngeth0 and bridges it with nfe0 (my modem nic)
Code:
ngctl mkpeer . eiface hook ether
ifconfig ngeth0 up
ngctl mkpeer ngeth0: bridge lower link0
ngctl name ngeth0:lower mybridge
ngctl connect nfe0: mybridge: lower link1
ngctl connect nfe0: mybridge: upper link2
ngctl connect ngeth0: mybridge: upper link3
ngctl msg nfe0: setautosrc 0
ngctl msg nfe0: setpromisc 1
ifconfig ngeth0 link 00:5c:16:10:dd:79
dhclient ngeth0
Moving on, everything seems to work great except when I try and use ngeth0 it just uses nfe0's IP.
Code:
gateway# ping -S 216.232.234.205 google.ca
PING google.ca (64.233.161.104) from 216.232.234.205: 56 data bytes
64 bytes from 64.233.161.104: icmp_seq=0 ttl=245 time=130.315 ms
64 bytes from 64.233.161.104: icmp_seq=1 ttl=245 time=129.767 ms
^C
--- google.ca ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 129.767/130.041/130.315/0.274 ms
gateway# ping -S 216.232.253.26 google.ca
PING google.ca (64.233.187.104) from 216.232.253.26: 56 data bytes
64 bytes from 64.233.187.104: icmp_seq=0 ttl=246 time=117.465 ms
64 bytes from 64.233.187.104: icmp_seq=1 ttl=246 time=118.204 ms
^C
--- google.ca ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 117.465/117.834/118.204/0.370 ms
gateway#
Code:
16:15:50.372500 IP d216-232-234-205.bchsia.telus.net > od-in-f104.google.com: ICMP echo request, id 36101, seq 0, length 64
16:15:50.502758 IP od-in-f104.google.com > d216-232-234-205.bchsia.telus.net: ICMP echo reply, id 36101, seq 0, length 64
16:15:51.374205 IP d216-232-234-205.bchsia.telus.net > od-in-f104.google.com: ICMP echo request, id 36101, seq 1, length 64
16:15:51.503924 IP od-in-f104.google.com > d216-232-234-205.bchsia.telus.net: ICMP echo reply, id 36101, seq 1, length 64
16:15:53.133567 IP d216-232-234-205.bchsia.telus.net > jc-in-f104.google.com: ICMP echo request, id 21409, seq 0, length 64
16:15:53.250960 IP jc-in-f104.google.com > d216-232-234-205.bchsia.telus.net: ICMP echo reply, id 21409, seq 0, length 64
16:15:54.135215 IP d216-232-234-205.bchsia.telus.net > jc-in-f104.google.com: ICMP echo request, id 21409, seq 1, length 64
16:15:54.253380 IP jc-in-f104.google.com > d216-232-234-205.bchsia.telus.net: ICMP echo reply, id 21409, seq 1, length 64
Code:
gateway# ifconfig nfe0
nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:14:2a:19:c4:a5
        inet 216.232.234.205 netmask 0xfffff000 broadcast 216.232.239.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gateway# ifconfig ngeth0
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:5c:16:10:dd:79
        inet 216.232.253.26 netmask 0xfffff000 broadcast 216.232.255.255
gateway#

Weren't you using NAT? And leaving out the command you used to get the tcpdump also doesn't help.
If you want to see what is going on with your pings: disable NAT, use a simple pf.conf with a default block log all and only passing out ICMP stateful, and for your tcpdump commands use -n to disable name lookups and -e to see the link level or MAC address.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

NAT will come when I can get both IPs working...
The problem is that it uses nfe0's main IP for all outgoing traffic; I need to stop this behavior...

I think the problem is that you only have one default gateway on this system, and that is on the first interface. So all traffic should be doing what it's doing: nothing's broken or misconfigured.
If this is the case, I would recommend PF NAT redirection outbound that sources the second interface's internal addressing to flow back out the second interface, if that hasn't been done already. In fact, if you still have it as
nat on $ext2 from !($ext2) -> ($ext2:0)
then perhaps binat or an rdr would help?
__________________
Network Firefighter
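The route-to/reply-to policy that the post above points towards, written out as an added pf.conf fragment that is not from the thread or any poster. It assumes the gateways 216.232.224.254 and 207.6.112.254 from the netstat -rn output earlier in the thread, the pc1/rl0 names from the original pf.conf, and port 22 as a stand-in for whatever service should be reachable on the second address; a single default route via nfe0 is exactly why the kernel alone cannot do this, so pf overrides the routing decision per rule.

```pf
# Added example (not from the thread): pin the second DHCP lease to ngeth0.
# Interface names in parentheses are re-read on every DHCP renewal, so no
# lease address is hard-coded anywhere below.
ext1 = "nfe0"
ext2 = "ngeth0"
int1 = "rl0"
gw1  = "216.232.224.254"   # next hop for nfe0, from the thread's netstat -rn
gw2  = "207.6.112.254"     # next hop for ngeth0, from the thread's netstat -rn
pc1  = "10.0.0.2"

set skip on lo

# Translation (evaluated before filtering): pc1 owns lease 1 one-to-one,
# the rest of the LAN shares lease 2.
binat on $ext1 from $pc1 to any -> $ext1
nat   on $ext2 from $int1:network to any -> ($ext2)

block log all

# LAN hosts other than pc1: send the packet out ngeth0 towards gw2 before the
# routing table (default via gw1 on nfe0) gets a say. pc1 matches first.
pass in quick on $int1 from $pc1 to any keep state
pass in quick on $int1 from $int1:network to any route-to ($ext2 $gw2) keep state

# Locally generated packets that already carry ngeth0's address (the ping -S
# and curl CURLOPT_INTERFACE tests in the thread) are routed to nfe0 by the
# kernel; catch them on the way out and hand them to gw2 instead.
pass out quick on $ext1 from ($ext2) to any route-to ($ext2 $gw2) keep state
pass out quick on $ext1 from ($ext1) to any keep state
pass out quick on $ext2 from ($ext2) to any keep state

# Inbound service on lease 2 (port 22 is an assumed placeholder): replies
# must leave via gw2 as well, otherwise they exit nfe0 with the wrong source.
pass in quick on $ext2 reply-to ($ext2 $gw2) proto tcp to ($ext2) port 22 keep state
```

Check the effect with the thread's own tools: `tcpdump -eni nfe0` and `tcpdump -eni ngeth0` should now show the 207.6.x traffic, and its MAC 00:5c:16:10:dd:79, only on ngeth0, and `pfctl -ss` lists the states with their route-to interface.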