DaemonForums > OpenBSD > OpenBSD General
#1 - 22nd August 2017 - hanzer (Real Name: Adam Jensen; Join Date: Oct 2013; Location: EST USA; Posts: 314)
Trunking your wireless adapter with a pf example

The title for this thread is a bit hopeful. I have a gateway machine that has a wired interface to an ISP, a wireless interface to a different ISP, and a wired interface to my LAN.
Code:
                         -ral0 --- {wireless ISP}
{LAN} --- em0-{machine}-|
                         -re0  --- {wired ISP}
Following "Trunking your wireless adapter", except using trunk(4) loadbalance rather than failover, seems fairly straightforward. However, I am a pf lightweight. I've been using the example in "Building a Router" as a basic configuration without the wireless card activated. What would an /etc/pf.conf look like in a setup that has the two external interfaces trunk0'ed? (This machine is also running dhcpd and unbound, if that matters.)
#2 - 22nd August 2017 - jggimi (Join Date: May 2008; Location: USA; Posts: 7,977)

You cannot trunk this connection. The two external interfaces are going to two different ISPs.

Trunks are used to combine multiple links between two end points.
#3 - 22nd August 2017 - hanzer

Quote (Originally Posted by jggimi):
You cannot trunk this connection. The two external interfaces are going to two different ISPs.

Trunks are used to combine multiple links between two end points.
That's important information, thanks. I didn't see any mention of that constraint in the FAQ or the manual page.

I suppose an alternative might be to try an Equal-cost multipath routing setup. Could someone describe what's happening in the example in the FAQ?
#4 - 22nd August 2017 - jggimi

Quote (Originally Posted by hanzer):
That's important information, thanks. I didn't see any mention of that constraint in the FAQ or the manual page.
I'm sorry you were confused. It's implied, but is not explicit, in the first sentence of the trunk(4) man page.
Quote:
The trunk interface allows aggregation of multiple network interfaces as one virtual trunk interface.
The key word is aggregation. All links in the trunk share the same IP address at each end. Both ends need to use the same trunking mechanism, too. As an analogy, consider each physical connection like a guitar string, and the trunk the guitar neck.
Quote:
I suppose an alternative might be to try an Equal-cost multipath routing setup.
Well, perhaps, but your "cost" will not be equal, as your wired service is likely to have significantly different bandwidth and latency than your wireless service.
Quote:
Could someone describe what's happening in the example in the FAQ?
  • Multipath routing is set in options by manually issuing route(8) commands.
  • Verification of multiple default routes is performed.
  • The route commands are added to the hostname.if(5) files and the single static default route set by mygate(5) is removed.
  • Multipath routing is enabled in the kernel by sysctl(8) and sysctl.conf(5), as the route commands shown above won't actually work until this is enabled.
If your two ISPs' bandwidth is significantly different, you might consider something simple, such as active/passive ISP connections with automatic failover and recovery using ifstated(8).
#5 - 22nd August 2017 - jggimi

I see what might have confused you: the failover trunk. This isn't actually an aggregation; no trunk is actually in use at both ends. Instead, the trunk(4) pseudo-NIC is used to transition one IP address between two interfaces, such as in the man page example where a workstation is configured with wired and wireless interfaces that share the same IP address, and switch back and forth on the same local network.

Your wired/wireless connections are not on a single network, so this mechanism cannot be used.
#6 - 22nd August 2017 - hanzer

It seems that simply enabling multipath is sufficient:
/etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
net.inet.ip.multipath=1
The hostname.if(5) file need not have an explicit "!route add -mpath default x.x.x.x" line. (I've realized x.x.x.x is the address of the gateway; that wasn't entirely clear to me in the example.) In my case, the gateway address for re0 is static and easy enough to discover, but the ral0 interface receives a dynamic address and its gateway isn't always the same. Conveniently, enabling multipath seems to be sufficient to automatically set up the routes with the dynamic addresses.

$ netstat -rn | grep default
Code:
default            10.0.0.1           UGS        5    54150     -     8 re0  
default            192.168.48.1       UGS        0        0     -    12 ral0
I am still a bit unsure of how to handle this situation in the firewall configuration.

$ doas cat /etc/pf.conf
Code:
int_if="em0"
table <martians> { 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on $int_if inet
pass in on egress inet proto tcp from any to (egress) port 55666 rdr-to 192.168.0.3 port 55666
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
While I get the semantic gist of "egress", I am unaware of the specific constraints and requirements on its use in the configuration file.

Last edited by hanzer; 22nd August 2017 at 02:00 PM.
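The pf.conf posted above was written for a single uplink, and two things in it change meaning once the egress group has two members. First, `(egress:0)` no longer names one address: it resolves to an address of each member interface, and `nat-to` given more than one address spreads translations over them, so a packet leaving re0 can be rewritten to carry ral0's address. Second, replies to connections that arrived on one uplink (the rdr'd port 55666 traffic, for example) are routed by the kernel's multipath choice, not by the interface they came in on, so an answer can leave via the other ISP with the wrong source address. The ruleset below is an added example, not from the thread or from the OpenBSD project, that pins NAT to the interface the packet actually leaves on and uses `reply-to` on the inbound rules. Interface names, the two gateway addresses and 192.168.0.3 are taken from the posts above; the macro names and the `( interface gateway )` spelling of `reply-to`, which is the form documented in pf.conf(5) for releases current when this thread was written, are assumptions, so check pf.conf(5) on the installed release before loading it.

```pf
# Added example for a gateway with two uplinks (re0 wired, ral0 wireless) and
# a LAN on em0, with net.inet.ip.forwarding=1, net.inet.ip.multipath=1 and two
# default routes already in place.  Not the thread author's config and not
# OpenBSD's own; addresses come from the thread, macro names are assumed.

int_if   = "em0"
wired    = "re0"
wired_gw = "10.0.0.1"       # static uplink; gateway from the netstat output above
wifi     = "ral0"
wifi_gw  = "192.168.48.1"   # DHCP uplink: the lease can change this value, so the
                            # macro has to be updated and the ruleset reloaded
server   = "192.168.0.3"    # LAN host behind the port 55666 redirect

# Kept as posted: 10.0.0.0/8 and 192.168.0.0/16 must stay out of this table,
# because both uplink gateways live in those ranges.
table <martians> { 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# NAT per uplink.  With two interfaces in egress, "(egress:0)" is a pool of
# two addresses rather than a single one; bind the translation address to the
# interface the packet is leaving on instead.
match out on $wired inet from !($wired:network) to any nat-to ($wired:0)
match out on $wifi  inet from !($wifi:network)  to any nat-to ($wifi:0)

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

block all
pass out quick inet
pass in on $int_if inet

# Inbound connections must be answered on the uplink they arrived on.
# Without reply-to, the kernel's multipath route selection decides which
# default route the answer takes, and it can leave through the other ISP.
pass in on $wired inet proto tcp from any to ($wired) port 55666 \
    reply-to ($wired $wired_gw) rdr-to $server port 55666
pass in on $wifi  inet proto tcp from any to ($wifi) port 55666 \
    reply-to ($wifi $wifi_gw) rdr-to $server port 55666

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
```

Outbound LAN connections need no `route-to`: the kernel picks one of the two default routes per flow, the `match out` rule on that interface translates the source address to match, and the return traffic arrives on the same interface. The open problem is the dynamic ral0 gateway: `$wifi_gw` is a literal in the file, so whatever renews the lease also has to rewrite the macro and run `pfctl -f /etc/pf.conf`, otherwise `reply-to` on that uplink silently points at a stale next hop.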
#7 - 22nd August 2017 - jggimi

Quote (Originally Posted by hanzer):
It seems that simply enabling multipath is sufficient...
I didn't know that; I've never used mpath in production, and my last testing of it was probably a decade ago.
Quote (Originally Posted by hanzer):
...While I get the semantic gist of "egress", I am unaware of the specific constraints and requirements on its use in the configuration file.
What I know comes from man page reading. The pf.conf(5) man page states that on interface applies to an interface or to an interface group. I expect that each time an "on egress" rule is evaluated, it will evaluate against the current members of the group. The group consists of NICs which participate in the default routes.