Intel PRO/1000 Dual Port Server Adapter

[joker72]

Has anyone had any luck using the Intel PRO/1000 Dual Port Server Adapter for a SOHO router/firewall with OpenBSD or know if it should work?

I can ping the internet and internal network from the machine and ping the machine from the internal network but can't ping the internet from the internal network.

net.inet.ip.forwarding = 1 is set.

[TronDD]

Do you have NAT set up in pf?

What is the contents of your pf.conf?

[joker72]

I disabled PF in order to confirm the card worked. I was then going to move onto PF rules afterwards.

pfctl -d
pfctl -F

Could this still be my problem?

Thanks.

[TronDD]

Yeah. NAT is an active process. It doesn't just work. Pf has to be enabled to perform the address translations.

Get pf set up with something simple to verify it'll work. THen you can buld up your ruleset, or if there is still a problem, it'll be a minimal ruleset to debug.

[joker72]

Will do tonight and give an update.

Thanks for your help.

[jggimi]

Hello and welcome!

Private network addresses (192.168.x.x, 10.x..x.x, others ...) are not usable on the Internet.
There's no way for any Internet server to address your computer at 192.168.1.100, because there are millions of computers using that same address.

Network Address Translation ("NAT") is the mechanism we use to interconnect those private networks with the Internet.

For OpenBSD, NAT is provisioned with PF.

http://www.openbsd.org/faq/pf/nat.html

[LeFrettchen]

Welcome joker72

[joker72]

Thanks for the welcomes guys. Really glad to be with the group.

My pf.conf file is as follows:

Code:

Extif = "em0"
Intif = "em1"

PrivNet = "192.168.1.0/24"

match out log on $Extif from $PrivNet to any received on $Intif tag EGRESS nat-to ($Extif:0)

I admit this pf.conf file was pirated.

With this enabled I am able to ping em0 through em1 from the internal network but do not get a response when pinging 8.8.8.8 from within the internal network (as opposed to no route to destination). Pings from the router/FW machine work as expected.

Also tried below where XXX.XXX.XXX.XXX = External/Public IP per the link provided by jggimi with same results as above.

Code:

PrivNet = "192.168.1.0/24"

pass out on em0 from $PrivNet to any nat-to XXX.XXX.XXX.XXX

Thanks!

[joker72]

Gonna give this a read over the weekend.

http://home.nuug.no/~peter/pf/en/

I'll post my resolution if I am able to come up with one.

Thanks.

[jggimi]

The chapter of the PF User's Guide that I linked above will also be helpful. But Peter's tutorial (and his book) are wonderful, too. His Pledge of the Network Admin at the beginning of his tutorial is pointed right at your configuration.

[ibara]

Peter's a friend, he's great so definitely +1 on all his work.
However, if you're looking for a simple SOHO router setup, you kinda can't beat the OpenBSD FAQ: https://www.openbsd.org/faq/pf/example1.html

[joker72]

So the Intel PRO/1000 Dual Port Server Adapter does work with OpenBSD 6.1. Now I just need to get name resolution working for my clients. This post was executed through my new OpenBSD SOHO router/firewall. Just to get things moving I pirated from the example from the OpenBSD FAQ but I understand it for the most part.

Code:

int_if="em1"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
	 	   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
	 	   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
	 	   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on $int_if inet

I have not opened up any ports yet,

The issue I was having with the internal network not being able to successfully ping the internet (8.8.8.8) seems to have been caused by using the subnet mask provided by my ISP. They suggested to use 255.255.255.252 which worked on my Netgear router. When I changed it to 255.255.255.0 it works. I had these same results when playing with PFSense over the weekend.

Anyway, thanks for the encouragement.

Any hints on getting name resolution for the clients working would be greatly appreciated. I'm looking into unbound but get a syntax error when I change the config file by as little as deleting a #.

[ibara]

For completeness, there are several NICs named "Intel PRO/1000 Dual Port Server Adapter," all of which are explicitly named in the em(4) man page:

Code:

Intel PRO/1000MT Dual Port Server Adapter (PWLA8492MT)
Intel PRO/1000MF Dual Port Server Adapter (SX Fiber) (PWLA8492MF)
Intel PRO/1000PT Dual Port Server Adapter
Intel PRO/1000PF Dual Port Server Adapter (SX Fiber)
Intel PRO/1000ET Dual Port Server Adapter

FWIW, any Intel Gigabit adapter you can find ought to work (and if it's a 10/100 NIC, it'll work with fxp(4) and if it's a 10G NIC, it'll work with ix(4) or ixgb(4)).

As to name resolution, everything you need is on that page I posted earlier. Follow the DHCP and DNS instructions, or simply pirate them if you'd like. They work.

Mine looks like this:

Code:

# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
        interface: 10.0.0.1
        interface: 127.0.0.1
        access-control: 10.0.0.0/8 allow
        do-not-query-localhost: no
        hide-identity: yes
        hide-version: yes

forward-zone:
        name: "."
        forward-addr: 209.18.47.62      # Spectrum DNS
        forward-addr: 209.18.47.61      # Spectrum DNS
        forward-addr: 8.8.8.8           # Google DNS
        forward-addr: 8.8.4.4           # Google DNS

[joker72]

Thanks ibara. I'm going to spend some time studying the man pages from a high level now. Never would have guessed that that would have been in the man pages. You guys will have me up to speed in no time.

Thanks again.

[ibara]

All the section 4 pages have a list of hardware (often non-exhaustive but pretty good) that works with the driver to get people started.

There is also the NYC*BUG dmesgd service, where *BSD users submit their machine dmesgs. You can search dmesgs for anything you'd like.
http://dmesgd.nycbug.org/
(Usual disclaimer: I am one of the people who runs NYC*BUG.)