DaemonForums - OpenBSD General

Trying to understand routing with openbsd

#1 - 17th September 2011 - badguy (Fdisk Soldier; Join Date: Jul 2009; Location: MD, USA; Posts: 59)
Hi guys, I am looking for help understanding a couple of things.

My network:
OpenBSD box serving as a router/gateway to the internet with the IPs below
+-----+
| em0 |---> ISP
+-----+
+-----+
| em1 |---> 192.168.1.1 (Wired LAN)
+-----+
+-----+
| em2 |---> 192.168.2.1 (Wireless AP)
+-----+

Code:
root ~ # cat /etc/hostname.em1
inet 192.168.1.1 255.255.255.0 NONE
#!route add -net 192.168.1.0/24 192.168.1.1
#!route add -net 192.168.2.0/24 192.168.2.1

root ~ # cat /etc/hostname.ural0
inet 192.168.2.1 255.255.255.0 NONE autoselect mode 11g mediaopt hostap nwid an0nym0us chan 11 wpa wpaprotos wpa2 wpaakms psk wpapsk lol

root ~ # cat /etc/sysctl.conf |grep net.inet.ip.forwarding
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

root ~ # pfctl -sr
anchor "miniupnpd" all
match out log on egress inet from ! (egress) to any nat-to (egress:0) round-robin
block drop in log quick on ! em1 inet from 192.168.1.0/24 to any
block drop in log quick inet from 192.168.1.1 to any
block drop in log quick on ! em0 from (em0:network) to any
block drop in log quick from (em0) to any
block drop in log quick on re0 inet6 from fe80::e291:f5ff:fe20:3eb0 to any
pass out quick all flags S/SA keep state
pass in quick all flags S/SA keep state
The problem:
A random client, 192.168.2.24 (connected to the wireless AP), is unable to ping a random client, 192.168.1.100 (connected to the switch on em1). I added the commented static routes in hostname.em1 and still have the same problem.

One thing I noticed when I did a tcpdump on the OpenBSD box is that I got this. I don't know if it is the reason.

Code:
root ~ # tcpdump -n -vvv -i re0 host 192.168.1.100
tcpdump: listening on re0, link-type EN10MB
21:17:15.985288 192.168.2.24 > 192.168.1.100: icmp: echo request (id:c624 seq:10) (ttl 63, id 46271, len 84, bad cksum 0! differs by 421d)
21:17:16.994790 192.168.2.24 > 192.168.1.100: icmp: echo request (id:c624 seq:11) (ttl 63, id 65157, len 84, bad cksum 0! differs by f856)
21:17:16.995493 arp who-has 192.168.2.24 tell 192.168.1.100
21:17:17.987041 192.168.2.24 > 192.168.1.100: icmp: echo request (id:c624 seq:12) (ttl 63, id 37534, len 84, bad cksum 0! differs by 643e)
21:17:17.995391 arp who-has 192.168.2.24 tell 192.168.1.100
21:17:18.995221 arp who-has 192.168.2.24 tell 192.168.1.100
and on the 192.168.1.100 host I get

Code:
root ~ # tcpdump -vvvttt host 192.168.2.24
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.000000 IP (tos 0x0, ttl 63, id 27416, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.2.24 > 192.168.1.100: ICMP echo request, id 3621, seq 78, length 64
00:00:00.003411 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.2.24 tell 192.168.1.100, length 28
00:00:00.997995 IP (tos 0x0, ttl 63, id 36710, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.2.24 > 192.168.1.100: ICMP echo request, id 3621, seq 79, length 64

Can it be PF? Since I am still a noob with PF, I have allowed all in and out just to make sure it is not because of PF.

Code:
pass out quick
pass in quick

By the way, how would you check specific packets dropped by PF? Do a tcpdump on pflog?

Thanks in advance

#2 - 17th September 2011 - jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,975)

It looks like your netmasks. It does not appear to be routing, and it is probably not PF.
Code:
arp who-has 192.168.2.24 tell 192.168.1.100
It looks like OpenBSD thinks these are on the same subnet. They are not; you have two NICs for local LANs, and these should be on separate subnets, with packets routing through your OpenBSD router. Check to make sure you have correct netmasks defined for em1 and ... re0, which I think you meant instead of "em2".

If the netmasks are correct, did you define a bridge(4) device?

---

Routing works the same on OpenBSD as on any other system with a TCP/IP protocol stack; it's just that mis-configurations (usually in PF) often look like routing problems, because systems can't reach each other.

Just to aid your understanding -- routing tables are only used when departing one's own subnet. Most commonly there is only one router on a subnet, so only a default route is added, which points to the "gateway" that then routes packets onward. On OpenBSD, the mygate(5) file is used by netstart(8) to set a single default route if DHCP is not used.

You need more than a default route only when there are at least two routers on a subnet. In those cases, a default route won't be sufficient. Here's a common example -- a tiered set of firewalls. The DMZ subnet here has two routers:

{internet} - [Firewall A] - DMZ Web servers 10.1.1/24 - [Firewall B] - DBs and Users 192.168.1/24

Systems on the DMZ have a default route of Firewall A, but they also need a route for the 192.168.1 subnet, pointing to Firewall B. With just a default route, they would point packets destined for the inner platforms through Firewall A, and that's the wrong direction.

For those behind Firewall B, they only need a single default route -- because all outgoing packets go through B.

---

A pf.conf(5) file is much easier to read than a pfctl(8) rules list. I would have preferred that, but here's what I see in your block and pass rules from pfctl:
  • All these rules are "quick". The first matching rule will apply to all packets.
Code:
block drop in log quick on ! em1 inet from 192.168.1.0/24 to any
This appears to be an antispoof for 192.168.1/24 on em1.
Code:
block drop in log quick inet from 192.168.1.1 to any
Any unsolicited packets from 192.168.1.1 will be blocked.
Code:
block drop in log quick on ! em0 from (em0:network) to any
This appears to be an antispoof for em0.
Code:
block drop in log quick from (em0) to any
Any unsolicited packets from em0, a dynamically addressed network, will be blocked.
Code:
block drop in log quick on re0 inet6 from fe80::e291:f5ff:fe20:3eb0 to any
Any unsolicited packets from that IPv6 address will be blocked.
Code:
pass out quick all flags S/SA keep state
pass in quick all flags S/SA keep state
Anything not blocked above will be passed; establish a state table entry if the protocol allows, with default timeouts for stateless protocols, eliminating further rule analysis while the state table entry exists.
#3 - 17th September 2011 - jggimi

Quote:
by the way how will you check specific packets dropped by PF? do a tcpdump on pflog?
Absolutely. # tcpdump -neti pflog0 or # tcpdump -netr /var/log/pflog are typical. You are only logging your blocked packets, so you will not see passed packets establish state tables. I log both, so I can use action block or action pass as desired. The rule numbers in the output will match the numbers from # pfctl -vs rules output.
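As an added example, not part of jggimi's reply and not an OpenBSD tool: a small Python script that tallies the records printed by the tcpdump -n -e -t -i pflog0 command above by rule number, action, direction and interface, so that the rule numbers can be matched against pfctl -vs rules as the reply describes, and then counts blocked packets per source address. The sample records are constructed to mirror the pflog header format (rule N/(match) block in on IF: src > dst: ...); the rule numbers and addresses in them are made up.

```python
import re
from collections import Counter

# Constructed sample of what "tcpdump -n -e -t -i pflog0" prints on OpenBSD: a pflog
# header (rule number, reason, action, direction, interface) followed by the decoded
# packet. Rule numbers and addresses are made up for this example.
SAMPLE_PFLOG = """\
rule 2/(match) block in on em1: 192.168.2.24 > 192.168.1.100: icmp: echo request
rule 2/(match) block in on em1: 192.168.2.24 > 192.168.1.100: icmp: echo request
rule 4/(match) block in on em0: 203.0.113.9.40012 > 198.51.100.2.22: S 1:1(0) win 65535
rule 6/(match) pass out on em0: 192.168.1.100.51234 > 198.51.100.2.443: S 7:7(0) win 65535
rule 3/(match) block in on re0: fe80::e291:f5ff:fe20:3eb0 > ff02::1: icmp6: router advertisement
this line is not a pflog record and must be ignored
"""

PFLOG_RE = re.compile(
    r"^rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>block|pass|match|nat|rdr|binat|scrub) "
    r"(?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+?):\s(?P<proto>.*)$"
)


def parse_pflog_line(line):
    """Return the fields of one pflog record as a dict, or None for anything else."""
    m = PFLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def strip_port(addr):
    """tcpdump appends '.port' to IPv4 addresses; drop it (a.b.c.d.port has five parts).
    IPv6 addresses are returned unchanged."""
    parts = addr.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4])
    return addr


def summarize(text):
    """Count records per (rule number, action, direction, interface).

    The rule number is the one shown by "pfctl -vs rules", which is how a
    logged packet is traced back to the rule that matched it."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        counts[(int(rec["rule"]), rec["action"], rec["dir"], rec["iface"])] += 1
    return counts


def blocked_sources(text):
    """Count blocked records per source address, ports removed."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[strip_port(rec["src"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_PFLOG).items()):
        rule, action, direction, iface = key
        print(f"rule {rule:>3} {action:5} {direction:3} on {iface}: {n} packet(s)")
    for src, n in blocked_sources(SAMPLE_PFLOG).most_common():
        print(f"blocked from {src}: {n}")
```

To run it against a real log, replace SAMPLE_PFLOG with the output of tcpdump -n -e -t -r /var/log/pflog; since only block rules are logged in the poster's ruleset, the pass counters will stay at zero unless pass rules also carry the log keyword, as jggimi notes.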
#4 - 17th September 2011 - jggimi

More on routing:

{internet} - [Firewall A] - DMZ Web servers 10.1.1/24 - [Firewall B] - DBs and Users 192.168.1/24

Firewall A also needs a route to the inner subnet, not just the DMZ servers. That's if Firewall B is not using NAT -- it typically would not be. If Firewall B is using NAT, however, then the inner subnet's traffic is all translated into Firewall B's address on the 10.1.1 network.

Isn't networking fun? There are so many things to misconfigure.
#5 - 17th September 2011 - badguy

Quote:
It looks like your netmasks. It's does not appear to be routing, and it is probably not PF.
You my friend are very brilliant sir.

Quote:
Isn't networking fun? There are so many things to misconfigure.
Sure, once I get a good grip of this and do less trial and error, I am moving to RIPD(8).

Quote:
You need more than a default route only when there are at least two routers on a subnet. In those cases, a default route won't be sufficient. Here's a common example -- a tiered set of firewalls. The DMZ subnet here has two routers:

{internet} - [Firewall A] - DMZ Web servers 10.1.1/24 - [Firewall B] - DBs and Users 192.168.1/24

Systems on the DMZ have a default route of Firewall A, but they also need a route for the 192.168.1 subnet, pointing to Firewall B. With just a default route, they would point packets destined for the inner platforms through Firewall A, and that's the wrong direction.
Agreed, however I believe this is from the client perspective. What if Firewall A is a router that can forward packets and knows how to reach the 10.1.1/24 & 192.168.1/24 subnets? Will that change? After all, my gateway knows where to send that packet to, so why should I bother?

Secondly, from the router perspective, if Firewall A has 2 NIC cards that go to both gateways, will there be a need for static routes?

In my scenario, for instance, my BSD router knows how to reach re0 (em1) and ural0 (em2), so there is no need for static routes on the router. If it had to reach a subnet that was not directly connected to it, it would then need a static route to that subnet. Also, the hosts on my wired and wireless subnets do not need static routes as long as they can reach their default gateway. Did I get this twisted up?
#6 - 17th September 2011 - jggimi

Quote:
Originally Posted by badguy
What if Firewall A is a router that can forward packets and knows how to reach 10.1.1/24 & 192.168.1/24 subnet? will that change? after-all my gateway know where to send that packet to so why should i bother?
We configure Firewall A with two routes, a default to the Internet, and a route to the inner network:

# route add default <address of ISP's gateway router>
# route add 192.168.1/24 <address of FW B on 10.1.1 net>

And we configure Firewall B with one default route:

# route add default <address of FW A on 10.1.1 net>

Are you asking do we need to do anything with Firewall B if there is a change in the DMZ or in the ISP's addressing? Not so long as Firewall A's IP address doesn't change. For routing tables, the only addresses needed are the addresses of the adjacent router(s).
Quote:
Secondly from the router perspective, if Firewall A has 2 NIC cards, that go to both gateways, will there be a need for static routes?
Firewall A needs two routing table entries, whether static, or whether supplied by a routing service. It needs to know the addresses of both adjacent routers to itself.
Quote:
In my scenario for instance my BSD router knows how to reach re0(em1) and ural0(em2) so there is no need for static routes on the router.
You actually do have one route -- a default route, via your ISP. The router's address may be provided for you to provision manually (static), or, it may be provided by DHCP (dynamic). While DHCP can be used to change router IP addresses, it is not router configuration software.
Quote:
if it had to reach a subnet that was not directly connected to it, it will then need a static route to that subnet. also the hosts on my wired and wireless subnets do not need static routes as long as they can reach their default gateway. did i get this twisted up?
You are pretty close. Think of it this way, the default route is to EVERY address either not on the local subnet or not defined in its own route. So if the address you're trying to reach isn't on the local subnet, and also can't be reached through your default route -- you'll need to add another route.

In the case of Firewall A, it needs two routes because the 192.168.1 subnet can't be reached through the default route, which goes to the ISP.
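Added example, written for this thread and not taken from jggimi's or badguy's posts: a Python model of the forwarding decision a host makes, covering both the netmask diagnosis in post #2 (a client with a too-wide mask treats 192.168.2.24 as on-link and ARPs for it instead of handing it to 192.168.1.1) and the tiered-firewall routes given just above. Connected subnets are derived from the interface addresses, so the router itself needs no static route for em1 or em2, as discussed; the longest matching prefix wins, and 0.0.0.0/0 is the default route. The addresses 10.1.1.1 (FW A on the DMZ), 10.1.1.2 (FW B on the DMZ), 198.51.100.1 (ISP gateway) and the hosts 10.1.1.10, 192.168.1.50 and 203.0.113.7 are assumed for illustration; the posts do not give them.

```python
import ipaddress


class Host:
    """Minimal model of a host's forwarding decision.

    Connected subnets are taken from the interface addresses (no static route is
    needed for them), everything else comes from explicit routes, and the most
    specific matching prefix wins. 0.0.0.0/0 is the default route.
    """

    def __init__(self, name, interfaces, routes=()):
        # interfaces: {ifname: "address/prefixlen"}; routes: [("network/len", "gateway")]
        self.name = name
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.table = [(i.network, None, n) for n, i in self.ifaces.items()]
        for net, gw in routes:
            self.add_route(net, gw)

    def add_route(self, net, gw):
        """Add a route; the gateway must sit on a directly connected subnet,
        the same constraint route(8) enforces."""
        gw = ipaddress.ip_address(gw)
        for ifname, iface in self.ifaces.items():
            if gw in iface.network:
                self.table.append((ipaddress.ip_network(net), gw, ifname))
                return
        raise ValueError(f"{self.name}: gateway {gw} is not on a connected subnet")

    def lookup(self, dst):
        """Longest-prefix match; returns (network, gateway-or-None, ifname) or None."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw, ifname in self.table:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, ifname)
        return best

    def next_hop(self, dst):
        """('direct', dst, ifname): dst is on-link, so the host ARPs for dst itself;
        ('via', gateway, ifname): the packet is handed to that router;
        None: no route at all."""
        best = self.lookup(dst)
        if best is None:
            return None
        net, gw, ifname = best
        return ("direct", dst, ifname) if gw is None else ("via", str(gw), ifname)


def thread_scenarios():
    """The situations discussed in this thread, with assumed addresses where the
    posts give none (FW A = 10.1.1.1, FW B = 10.1.1.2, ISP gateway = 198.51.100.1)."""
    # badguy's wired client with the correct /24 mask ...
    client_ok = Host("client", {"eth0": "192.168.1.100/24"}, [("0.0.0.0/0", "192.168.1.1")])
    # ... and with a too-wide /16 mask, which makes 192.168.2.x look on-link
    client_bad = Host("client", {"eth0": "192.168.1.100/16"}, [("0.0.0.0/0", "192.168.1.1")])
    # jggimi's DMZ web server: default route only, then with the extra route to FW B
    dmz_default_only = Host("dmz", {"em0": "10.1.1.10/24"}, [("0.0.0.0/0", "10.1.1.1")])
    dmz_fixed = Host("dmz", {"em0": "10.1.1.10/24"},
                     [("0.0.0.0/0", "10.1.1.1"), ("192.168.1.0/24", "10.1.1.2")])
    # Firewall A itself: default to the ISP plus a route to the inner subnet via FW B
    fw_a = Host("fw-a", {"em0": "198.51.100.2/24", "em1": "10.1.1.1/24"},
                [("0.0.0.0/0", "198.51.100.1"), ("192.168.1.0/24", "10.1.1.2")])
    return {
        "right_mask": client_ok.next_hop("192.168.2.24"),
        "wrong_mask": client_bad.next_hop("192.168.2.24"),
        "dmz_default_only": dmz_default_only.next_hop("192.168.1.50"),
        "dmz_fixed": dmz_fixed.next_hop("192.168.1.50"),
        "fw_a_inner": fw_a.next_hop("192.168.1.50"),
        "fw_a_internet": fw_a.next_hop("203.0.113.7"),
    }


if __name__ == "__main__":
    for name, hop in thread_scenarios().items():
        print(f"{name:18} -> {hop}")
```

The wrong_mask case is the capture from the first post: with a /16 mask the 192.168.1.100 host decides 192.168.2.24 is on its own link and sends ARP requests for it rather than forwarding to 192.168.1.1, which is why the echo replies never go back through the router. The dmz_default_only case is the wrong-direction problem from post #2, and fw_a_inner is the extra route Firewall A needs from post #4.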
#7 - 17th September 2011 - jggimi

Quote:
i am moving to RIPD(8)
ripd(8), and its IPv6 counterpart route6d(8), are just two of the routing configuration daemons available with OpenBSD. Don't forget dvmrpd(8), ospfd(8), and bgpd(8). There are more in the ports tree.
#8 - 18th September 2011 - badguy

Appreciate the explanation sir.