DaemonForums > OpenBSD > OpenBSD Installation and Upgrading

#1   7th November 2014
lars_d (New User; Join Date: Nov 2014; Posts: 3)
Bind NIC/MAC to interface name

Hello,

I'm new to OpenBSD (5.4). I have a little experience with Linux and want to make my new firewall with BSD and pf.

Under Linux it was possible to bind a MAC address to an interface name with /etc/udev/rules.d/70-persistent-net.rules.

Do you know where I can find this in openbsd or how I can do this?

Thank you

Kind regards

Lars

Last edited by J65nko; 11th November 2014 at 03:42 AM. Reason: changed inteface to interface :)
#2   10th November 2014
IdOp (Too dumb for a smartphone; Join Date: May 2008; Location: twisting on the daemon's fork(2); Posts: 1,027)

Hello and welcome to daemonforums!

While I'm anything but an expert on OpenBSD, to the best of my knowledge it's not possible to rename a network interface in the way you ask about. If this seems to be causing a significant difficulty for your application, perhaps if you provided more specific details someone could help you to solve the problem within the available capabilities.
#3   10th November 2014
ocicat (Administrator; Join Date: Apr 2008; Posts: 3,319)

Quote:
Originally Posted by lars_d View Post
Under Linux it was possible to bind a MAC address to an interface name with /etc/udev/rules.d/70-persistent-net.rules.
Welcome!

The lladdr option in ifconfig(8) may be what you are searching for...
Quote:
I'm new to OpenBSD (5.4)...
Recognize that OpenBSD 5.6 has recently been released 1 November, & with this release, public support for OpenBSD 5.4 has officially ended. You are free to continue using 5.4, but you should have a specific reason for doing so as the community no longer has any public obligation. If you are new to OpenBSD, updating or simply installing version 5.6 now may save you time & aggravation in the long run. More information on OpenBSD's release schedule can be found in Section 5.1 of the official FAQ.

Last edited by ocicat; 10th November 2014 at 06:21 AM. Reason: grammar
#4   10th November 2014
scottro (Real Name: Scott Robbins; ISO Quartermaster; Join Date: Apr 2008; Location: NYC; Posts: 653)

I will add that under Linux, this can be problematic when moving a drive to a new machine. For example, in FreeBSD (I realize you're discussing OpenBSD, but I think it's similar), the name depends upon the brand of NIC; for example, I think Broadcom is bge (I could be wrong, but let's say that's true). If I move the drive to new hardware, it should boot and any complex network configs should remain in place; if it's a non-Broadcom NIC, I'll rename it from bge0 to whatever.

In contrast, if you move a drive from a Red Hat based machine to a new machine, networking will have to be redone in udev and /etc/sysconfig/networking-scripts (or it will create new devices). The binding of the name to the MAC (and, these days, in CentOS and Fedora at least, a long UUID) is not an advantage to the sysadmin, in my less than humble opinion.
#5   10th November 2014
lars_d (New User; Join Date: Nov 2014; Posts: 3)

Hi,

Thank you for the answers and the welcome.

The lladdr option could be a solution; I will check this.

I have the following situation:
3 external interfaces (MAC/IP) and one to the DMZ. All interfaces are from the same manufacturer.
The rules are very different for each interface, so I have to be sure that, for example, fxp3 will always be fxp3.
But if I remove one of these cards, a renumbering will happen.
Example:
If I remove fxp2, then fxp3 will become fxp2, which is not good.

The rules for fxp2 will then be on the interface which should be fxp3 :-(

Maybe I configured something wrong, but in my OpenBSD installation the interface names are numbered by hardware order.
#6   10th November 2014
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983)

Hello, and welcome!
Quote:
Originally Posted by lars_d View Post
Maybe I configured something wrong, but in my OpenBSD installation the interface names are numbered by hardware order.
That is how the interfaces are assigned. If you remove one of the NICs in the hardware discovery sequence, renumbering will occur. The infrastructure support team (which, for a small infrastructure, may only be you) needs to be aware, and if physical restructuring is performed, adjustments to network provisioning files may be needed.

We manage this through awareness, through the use of the ifconfig(8) description option in hostname.if(5) files, and through the use of macros in pf.conf(5) and other network provisioning files.

Last edited by jggimi; 10th November 2014 at 01:56 PM. Reason: clarity
#7   10th November 2014
IdOp (Too dumb for a smartphone; Join Date: May 2008; Location: twisting on the daemon's fork(2); Posts: 1,027)

The lladdr option of ifconfig is for changing the MAC address. I don't think that's what the OP wanted to do, rather he wanted a given NIC (with a given MAC) to be assigned an interface name of his choice, without that assignment changing under certain hardware changes.

Last edited by IdOp; 10th November 2014 at 05:38 PM. Reason: clarity
#8   10th November 2014
ocicat (Administrator; Join Date: Apr 2008; Posts: 3,319)

Quote:
Originally Posted by IdOp View Post
...rather he wanted a given NIC (with a given MAC) to be assigned an interface name of his choice, without that assignment changing under certain hardware changes.
I agree with you IdOp, as this was borne out in subsequent responses. As jggimi has summarized, judicious use of interface groups & how these groups are managed in pf.conf(5) is likely what lars_d needs to investigate further.
#9   10th November 2014
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983)

But I didn't recommend interface groups. I should have, but I'd forgotten about them completely.
11th November 2014
random_seed (New User; Join Date: Nov 2014; Posts: 1)

Hi lars_d,

As ocicat suggested, I think that the best way to prevent issues with pf and interface renaming is to use the group feature offered by ifconfig(8). You will find all the details in the manpage.

But to summarize, this feature allows you to place each of your NICs in one or more groups (i.e. dmz, priv, etc.); then you just have to use this group name in your pf.conf ruleset instead of the regular interface name.

So it's not exactly the same thing as the Linux relation between the MAC address and the OS's interface name, but it's far more powerful!
I use it every day in order to easily export my ruleset onto different systems.
12th November 2014
lars_d (New User; Join Date: Nov 2014; Posts: 3)

Hi,

Thanks for the answers and the pointer to groups and ifconfig(8). What I have read so far is that "the group function" is meant to bundle interfaces of a specific type into a group.

Maybe not what I need, because to my shame I forgot to mention a few facts:

My ISP provides me static IPs through DHCP, in conjunction with the MAC address.

So I want to serve two external DNS nameservers with 2 different IPs and also my webserver to the internet with another IP.

All servers are in a DMZ, so my plan was to use as external firewall a BSD machine with 4 interfaces, 3 external and one internal (DMZ). But my latest guess is that I will need more internal interfaces in case of difficult routing or more firewall machines. Another point....

For interface groups:
For me it is still not clear how I can be sure that an interface (for example fxp2) is not exchanged with another MAC/IP due to renumbering, even if it belongs to a group.

So if MAC/IP 1 on fxp2 belongs to group DNS1 and MAC/IP 2 on fxp3 belongs to group DNS2, how can I be sure that if I remove fxp2 from the machine, fxp3 will not become fxp2 and then belong to group DNS1?

OK, not a problem if DNS1 and DNS2 provide the same namespace, but if not...

Is awareness or the lladdr option the only solution?

Maybe I missed the point in the manpage of ifconfig.

Kind regards
12th November 2014
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983)

Quote:
Originally Posted by lars_d View Post
So I want to serve two external DNS nameservers with 2 different IPs and also my webserver to the internet with another IP.
If I understand this, you plan to have at least three external-facing, unique IP addresses, using two NICs and DHCP services from your ISPs. I'm not sure how you would arrive at three IP addresses with two NICs running dhclient(8). Typically you assign multiple addresses to a NIC with the ifconfig(8) alias option, as part of assigning a static base address.
Quote:
All servers are in a DMZ, so my plan was to use as external firewall a bsd machine with 4 interfaces 3 external and one internal (DMZ). But my latest guess was that I will need more internal interface in case of difficult routing or more firewall machines.
Why aren't you deploying switches? You're building networks, you should not need a NIC on your router for every server or workstation attachment. If you happen to use switches that support VLANs (802.1Q), this would allow you to devise logical subnetworks as needed. They could have different quality of service requirements, such as for IPTV or VOIP.

Your idea of two firewalls is fairly common. Those solutions often look something like this:
Code:
{Internet} - [fw1] - [DMZ servers] - [fw2] - [inner servers/workstations]
I would deploy at minimum two switches in that example. 1) Interconnecting the DMZ servers and the two firewalls, and 2) interconnecting fw2 and the inner platforms. Each firewall requires only two NICs. Servers and workstations only require one.
And of course, fw1 would need a static route added to reach the inner subnet. The DMZ servers do not require the route added to their routing tables, but it would reduce traffic on the DMZ if they also had that route added, since they would otherwise have to route their traffic to the inner network through fw1 first.
Quote:
For me it is still not clear how I can be sure that an interface (for example fxp2) is not exchanged with another MAC/IP due to renumbering, even if it belongs to a group.
If you physically modify your fleet of NICs, causing renumbering, you would need to revise your group assignments. But in that case you would only need to modify your hostname files. All other provisioning would be by group, and those files could remain unchanged.

Last edited by jggimi; 12th November 2014 at 10:59 AM. Reason: clarity, structure, and two typos
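An added example, not code from the thread or from OpenBSD: the group approach random_seed describes above, combined with the point jggimi makes here that only the group assignments have to move when hardware changes, can be automated by keying the group on the NIC's link-layer address (the lladdr line ifconfig(8) prints) instead of on the fxpN name the kernel hands out in probe order. The MAC addresses, group names and ifconfig samples below are constructed for the example, and running a script like this from rc.local(8) to emit the ifconfig group commands, or pasting its output into the hostname.if(5) files, is an assumption about deployment, not something the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread): derive interface-group membership
# from each NIC's MAC address rather than from the kernel's probe order, so
# pf.conf rules written against groups keep following the physical card
# after a NIC is removed and the remaining fxp(4) devices are renumbered.
# All MACs, group names and ifconfig output below are constructed.

# Policy table, one "MAC group" pair per line (assumption: one MAC per group).
POLICY='
00:0e:0c:11:22:01 isp_dns1
00:0e:0c:11:22:02 isp_dns2
00:0e:0c:11:22:03 isp_web
00:0e:0c:11:22:04 dmz
'

# Constructed `ifconfig -a` output with all four cards present.
IFCONFIG_FULL='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
    inet 127.0.0.1 netmask 0xff000000
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:0e:0c:11:22:01
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:0e:0c:11:22:02
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:0e:0c:11:22:03
fxp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:0e:0c:11:22:04'

# Same box after the isp_web card was pulled: the old fxp3 is now fxp2.
IFCONFIG_AFTER_REMOVAL='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:0e:0c:11:22:01
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:0e:0c:11:22:02
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:0e:0c:11:22:04'

# Read ifconfig output on stdin; print "interface mac" for every interface
# that reports a link-layer address (lo0 and the like report none).
iface_macs() {
    awk '/^[a-z]+[0-9]+: / { ifc = $1; sub(":$", "", ifc) }
         $1 == "lladdr"     { print ifc, $2 }'
}

# Print the group POLICY assigns to a MAC; exit 1 if it has none.
group_for() {
    printf '%s\n' "$POLICY" |
        awk -v mac="$1" '$1 == mac { print $2; found = 1 } END { exit !found }'
}

# Turn ifconfig output (stdin) into the ifconfig(8) commands that realise
# the policy.  Exit 1 if a present NIC has no policy entry or a policy NIC
# is absent, so a caller can refuse to load the ruleset on a box whose
# hardware no longer matches what the rules were written for.
plan_groups() {
    status=0
    seen=" "
    for pair in $(iface_macs | awk '{ print $1 "=" $2 }'); do
        ifc=${pair%%=*}
        mac=${pair#*=}
        if grp=$(group_for "$mac"); then
            echo "ifconfig $ifc group $grp"
            seen="$seen$mac "
        else
            echo "# $ifc ($mac) has no policy entry; left ungrouped" >&2
            status=1
        fi
    done
    for mac in $(printf '%s\n' "$POLICY" | awk 'NF { print $1 }'); do
        case "$seen" in
            *" $mac "*) ;;
            *) echo "# policy NIC $mac is not present" >&2; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone demonstration: the healthy box plans cleanly; after the card
# is pulled, the surviving NICs still land in the right groups (fxp2 -> dmz,
# not isp_web) but the run reports the mismatch.
printf '%s\n' "$IFCONFIG_FULL" | plan_groups
printf '%s\n' "$IFCONFIG_AFTER_REMOVAL" | plan_groups ||
    echo "# hardware mismatch: do not load the ruleset" >&2
```

With groups assigned this way, pf.conf never names fxpN at all; a rule such as `pass in on isp_dns1 proto { tcp udp } to (isp_dns1) port domain` follows the card whose MAC is listed under isp_dns1, whatever number the kernel gives it this boot. The ifconfig(8) description option jggimi mentioned fits the same pattern (for example `ifconfig fxp0 description "ISP uplink, DNS1"`), since the script already knows which physical card each name currently points at. The caveat is that the MAC is the identity here, so a card whose lladdr has been changed with ifconfig, as ocicat's earlier suggestion would do, no longer matches its policy line; that is why the script fails rather than silently leaving an uplink ungrouped.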
12th November 2014
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983)
More on switches...

My home network has two firewalls and three switches, with a single ISP.

The ISP's gateway is connected to the outer switch:
Code:
{Internet} [DOCSIS 3.0 modem]- [outer switch]
Both firewalls are connected to the outer switch, to each other for heartbeat and synchronization, and to the inner switch; they are little Alix platforms with three NICs.
Code:
[outer switch] - {firewalls} - [inner switch]
There is a third switch providing services to a group of entertainment devices in the living room, with a single Ethernet cable connected to the inner switch.
Code:
[inner-switch] - {workstations and WiFi AP} - [living room switch] - {TV, media players}
The firewalls provide a high availability solution. carp(4) is used on the inner network, the outer network connection is master/slave managed by ifstated(8), and the two firewalls synchronize DHCP server and PF states with dhcpd(8) -Y/-y options and pfsync(4).