OpenBSD General
NAT router
I am following the guide for setting up a router at: http://www.bsdnow.tv/tutorials/openbsd-router
I have an Intel 4-port NIC. OpenBSD 6.0. It gets a DHCP address on em0, and from the OpenBSD box I can ping the world. But from other computers I can't ping the LAN side: 192.168.0.1. What can I change to make it work?

hostname.em0 Code:
dhcp

Code:
up

Code:
inet 192.168.0.1 255.255.255.0 192.168.0.255

Code:
add vether0
add em1
add em2
add em3
blocknonip vether0
blocknonip em1
blocknonip em2
blocknonip em3
up

ifconfig: Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 7 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:18
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.210 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:19
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
em2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:20
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
em3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:21
        index 4 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr c0:3f:d5:ee:9d:0b
        index 5 priority 0 llprio 3
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<>
        index 6 priority 0 llprio 3
        groups: enc
        status: active
vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:80:cb
        index 8 priority 0 llprio 3
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
bridge0: flags=41<UP,RUNNING>
        index 9 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        vether0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 8 ifpriority 0 ifcost 0
        em1 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 2 ifpriority 0 ifcost 0
        em2 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 3 ifpriority 0 ifcost 0
        em3 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                port 4 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
        index 10 priority 0 llprio 3
        groups: pflog

/etc/dhcpd.conf Code:
option domain-name-servers 192.168.0.1;

subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        range 192.168.0.4 192.168.0.254;

        host meimei {
                fixed-address 192.168.0.2;
                hardware ethernet 00:00:00:00:00:00;
        }
        host suigintou {
                fixed-address 192.168.0.3;
                hardware ethernet 11:11:11:11:11:11;
        }
}
|
|||
What does your pf.conf look like?
Are the clients getting the correct IP and gateway set by the DHCP server?
|
|||
pf.conf
Code:
# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if="{ vether0 em1 em2 em3 }"
broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
        10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
        198.51.100.0/24, 203.0.113.0/24, \
        169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
# NAT: LAN sources leaving on egress get the first egress address
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for (egress)

# inbound on egress only; state created by "pass out" below still lets replies in
block in quick on egress from { $broken no-route urpf-failed } to any
block in quick inet6 all
block return out quick inet6 all
block return out quick log on egress proto { tcp udp } from any to any port 53
block return out quick log on egress from any to { no-route $broken }
block in all

pass out quick inet keep state
pass in on $int_if inet
pass in on $int_if inet proto { tcp udp } from any to ! 192.168.0.1 port 53 rdr-to 192.168.0.1
pass in on egress inet proto tcp to (egress) port 222 rdr-to 192.168.0.2
pass in on egress inet proto tcp from any to (egress) port 2222

LAN clients do not get a DHCP offer from the OpenBSD router box.
Last edited by psypro; 27th October 2016 at 03:15 PM.
|
|||
Code:
broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16

Does that break my 192.168.0.* network?
|
|||
Still does not work, trying simpler. If I can get simple to work, I can get more advanced later. Please advise.
Will this simple pf allow NAT? pf.conf Code:
pass all
pass inet proto tcp from em1:network to any port $ports   # $ports is not defined anywhere in this fragment

Last edited by psypro; 27th October 2016 at 04:16 PM.
|
|||
Still does not work. My OpenBSD router can ping the internet through em0. My OpenBSD router can ping itself at 192.168.0.1 (em1) but the PC trying to reach em1 can't ping 192.168.0.1 when I set the PC to 192.168.0.3.
Thank you for your reply. Will post more right away.
/etc/hostname.bridge0 Code:
# cat /etc/hostname.bridge0
add em1
add em2
add em3
blocknonip vether0      # vether0 is not added to this bridge, so this line refers to a non-member
blocknonip em1
blocknonip em2
blocknonip em3
up

Code:
# cat /etc/hostname.em0
dhcp
# cat /etc/hostname.em1
up
inet 192.168.0.1 255.255.255.0 192.168.0.255

Code:
# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:18
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.210 netmask 0xffffff00 broadcast 192.168.1.255

Code:
# ifconfig em1
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:18:10:19
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255

Code:
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ip.redirect=0
kern.bufcachepercent=50
net.inet.ip.ifq.maxlen=1024
net.inet.tcp.mssdflt=1440
kern.securelevel=2

Last edited by psypro; 27th October 2016 at 04:42 PM.
|
|||
jggimi.
What would be the simplest thing to put inside pf.conf to make it work? I now focus only on getting em0 as the internet-facing port and em1 as the LAN-facing port to work. Should I add em0 to the bridge? What are you trying to tell me? I have read the Absolute OpenBSD handbook, although a month ago. And found several different OpenBSD tutorials. https://home.nuug.no/~peter/pf/en/long-firewall.html https://www.openbsd.org/faq/pf/config.html http://www.bsdnow.tv/tutorials/openbsd-router They are all slightly different.
|
|||
Would this work for NAT?
Code:
# As posted: "pass in all em1 pass out all em1 pass in all em0 pass out all em0 nat on em0 from em1"
# pf.conf wants "on <interface>" before "all", and "nat on" is pre-OpenBSD 4.7
# syntax; since 4.7 NAT is a match rule with nat-to. The same intent, as valid
# OpenBSD 6.0 syntax:
pass in on em1 all
pass out on em1 all
pass in on em0 all
pass out on em0 all
match out on em0 from em1:network to any nat-to (em0)

Last edited by psypro; 27th October 2016 at 04:45 PM.
|
||||
Do not assign multiple IP addresses to the NICs on your bridge.
The purpose of a bridge is to combine multiple physical Ethernet segments into a single logical Ethernet. Think of it this way ... when you bridge 3 of your NICs together, they will behave something like, but not completely like, an Ethernet switch. Here is a logical picture of an Ethernet switch. These six devices each have their own IP address assignments, and their Ethernet cables each connect to an individual port on the switch. The switch interconnects them. It does not have any IP addresses of its own: Code:
{Device A}   {Device B}   {device C}
    |            |            |
  [Ethernet hub or Ethernet switch]
    |            |            |
{Device D}   { Device E}   {Device F}

The reason that you see "how to" guides include vether(4) pseudo devices is to use the vether device for a single permanent IP address assignment to the cluster of NICs, so that OpenBSD can act more like a real Ethernet switch, and still communicate with the Ethernet over a single IP. Code:
{Device A}   {Device B}   {device C}
    |            |            |
  [OpenBSD bridge0 and bridged NICs.]
    |            |            |
{Device D}   { Device E}   {vether0 acting as device F}

Last edited by jggimi; 27th October 2016 at 04:51 PM. Reason: clarity
|
|||
Ok, so I should re-enable the hostname.vether0 so em1, em2, and em3 work as switch ports.
Done. Removed IP from em1 Code:
# cat /etc/hostname.bridge0
add vether0
add em1
add em2
add em3
blocknonip vether0
blocknonip em1
blocknonip em2
blocknonip em3
up
# cat /etc/hostname.em0
dhcp
# cat /etc/hostname.em1
up
# cat /etc/hostname.em2
up
# cat /etc/hostname.em3
up
# cat /etc/hostname.vether0
inet 192.168.0.1 255.255.255.0 192.168.0.255

(Updated: clarified I meant removed IP from em1) Ok? I reboot. I can ping 192.168.0.1 from inside an ssh session to the OpenBSD router. From a Windows PC, connected to a switch, and the switch connected to em1 at the OpenBSD router: no ping. The Windows PC gets no response pinging 192.168.0.1, the OpenBSD router gets no ping response pinging 192.168.0.3. Trying a new pf.conf based on the bsdnow tutorial: Code:
int_if="{ vether0 em1 em2 em3 }"
# NOTE: $broken is referenced below but never defined in this file;
# pfctl -nf rejects the whole ruleset with "macro 'broken' not defined"

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for (egress)

block in quick on egress from { $broken no-route urpf-failed } to any
block in quick inet6 all
block return out quick inet6 all
block return out quick log on egress proto { tcp udp } from any to any port 53
block return out quick log on egress from any to { no-route $broken }
block in all

pass out quick inet keep state
pass in on $int_if inet
pass in on $int_if inet proto { tcp udp } from any to ! 192.168.0.1 port 53 rdr-to 192.168.0.1

Last edited by psypro; 27th October 2016 at 05:19 PM.
|
||||
As you are, as we say, "building your airplane while flying it," it is difficult to know exactly what you are doing, or what state things might be in.
Since you already have a switch, why are you attempting to turn your OpenBSD system into a switch, too? Start small. Start simple. Use one NIC for your external network (em0), and use only a second NIC (em1) for your internal network.
1. Eliminate bridge(4) and vether(4) from your configuration.
2. Plug your switch into em1. Plug your workstations into the switch.
3. Assign em1 an IP address and netmask in /etc/hostname.em1: Code:
inet 192.168.0.1/24

Code:
{internet} - [external gateway] - 192.168.1/24 network - [OpenBSD] - 192.168.0/24 network - [switch] - [one or more workstations]
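Putting jggimi's three steps together, here is a complete two-NIC router configuration for OpenBSD 6.0. It is an added example, not from the thread or the bsdnow tutorial: em0/em1, the 192.168.0.0/24 LAN and the egress on the 192.168.1.0/24 upstream network are taken from this thread; the DHCP range, the 192.168.1.1 resolver address and the ssh rule on em0 are assumptions, and the check commands at the end are the ones to run before trusting a reboot.

```conf
# /etc/hostname.em0 - external side, address from the upstream router's DHCP
dhcp

# /etc/hostname.em1 - internal side; the switch and workstations hang off this
inet 192.168.0.1/24

# /etc/sysctl.conf - route between the two NICs. Do not add kern.securelevel=2
# here while the ruleset is still changing: at level 2 pf rules cannot be
# altered, so a pf.conf that failed to load can only be fixed by rebooting.
net.inet.ip.forwarding=1

# /etc/rc.conf.local - dhcpd(8) only answers on the interfaces it is given
dhcpd_flags="em1"

# /etc/dhcpd.conf - hand out LAN addresses and point clients at this router
subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.1.1;   # assumed upstream resolver; use yours
        range 192.168.0.100 192.168.0.199;
}

# /etc/pf.conf - smallest ruleset that forwards and NATs; tighten it later
ext_if = "em0"
int_if = "em1"
lan    = $int_if:network

set skip on lo0
match in all scrub (no-df random-id max-mss 1440)

# NAT: rewrite LAN sources to em0's first address; the parentheses make pf
# re-read the address whenever DHCP changes it
match out on $ext_if inet from $lan to any nat-to ($ext_if:0)

block in all
pass out quick inet keep state                              # router and forwarded traffic may leave
pass in on $int_if inet                                     # LAN may reach the router and be forwarded
pass in on $ext_if inet proto udp from port 67 to port 68   # DHCP replies for em0 itself
pass in on $ext_if inet proto tcp to ($ext_if) port 22      # optional: admin ssh from the upstream side

# Checks, run as root on the router:
#   pfctl -nf /etc/pf.conf          parse only; a syntax error here means /etc/rc
#                                   keeps its fallback ruleset at boot and nothing NATs
#   pfctl -f /etc/pf.conf           load it (fails with "Operation not permitted"
#                                   once kern.securelevel is 2)
#   pfctl -sr | grep nat-to         the NAT match rule must be in the live ruleset
#   sysctl net.inet.ip.forwarding   must print 1
#   pfctl -ss | grep 192.168.0.     states appear as soon as a LAN client talks out
```

With this layout the workstations only ever see 192.168.0.1; the upstream router only ever sees em0's 192.168.1.x address, because every LAN packet is rewritten by the nat-to rule before it leaves em0.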
|
|||
Yes, back to starting simple. Good idea.
Code:
# rm /etc/hostname.bridge0
# rm /etc/hostname.vether0

Code:
# cat /etc/hostname.em1
up
inet 192.168.0.1/24

Last edited by psypro; 27th October 2016 at 05:58 PM.
|
|||
Ping now works from
OpenBSD to Ubuntu, OpenBSD to Windows. But Windows and Ubuntu can't ping OpenBSD, I guess due to pf. I got a DHCP offer from the OpenBSD router. But NAT is still not working... I guess it has something to do with pf.conf. I changed from em1 for the LAN side to re0 (mainboard NIC).
|
|||
Nr1: pass all
It will not do NAT? So I will need some more as well.

Nr2: pfctl -sr Code:
# pfctl -sr
block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)

Nr3: pfctl -d Code:
# pfctl -d
pfctl: DIOCSTOP: Operation not permitted

This is my current pf.conf Code:
# cat /etc/pf.conf
int_if="re0"
ext_if="em0"
localnet = $int_if:network

match out on $ext_if from $localnet nat-to ($ext_if)
pass all
pass inet proto tcp from { self, $localnet }

(I had written a typo, "nat to", changed now to "nat-to.") Still the same error.
Last edited by psypro; 27th October 2016 at 08:05 PM.
|
|||
Kernel security mode 2
Code:
2    Highly secure mode
     - all effects of securelevel 1
     - raw disk devices are always read-only whether mounted or not
     - settimeofday(2) and clock_settime(2) may not set the time backwards or close to overflow
     - pf(4) filter and NAT rules may not be altered
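The rules in psypro's `pfctl -sr` listing two posts up are the fallback ruleset that /etc/rc installs before it tries to load /etc/pf.conf (the two carp rules and the bare `pass in proto tcp ... port = 22` are its fingerprint), so that router had been running without its own pf.conf at all, and with kern.securelevel=2 no later `pfctl -f` could replace it. The script below is an added example, not from the thread: it classifies a `pfctl -sr` listing plus the securelevel into one of four states and says what to do in each. The two sample listings are constructed; the first is trimmed from the post above, the second is what a loaded NAT ruleset looks like.

```sh
#!/bin/sh
# Added example: is the live pf ruleset still the fallback set that /etc/rc
# installs before /etc/pf.conf is loaded, and can pfctl -f still replace it?
# Assumption: the two carp rules checked below are treated as the fingerprint
# of the rc fallback ruleset; nat-to is the only NAT syntax on OpenBSD >= 4.7.

# Usage: pfctl -sr | is_rc_fallback_ruleset      exit 0 = still the rc fallback
is_rc_fallback_ruleset() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q 'pass in proto carp all keep state (no-sync)' &&
    printf '%s\n' "$listing" | grep -q 'pass out proto carp all !received-on any keep state (no-sync)'
}

# Usage: pfctl -sr | has_nat_rule                exit 0 = a nat-to rule is loaded
has_nat_rule() {
    grep -q 'nat-to'
}

# Usage: pf_alterable "$(sysctl -n kern.securelevel)"   exit 0 = pfctl -f/-d allowed
pf_alterable() {
    [ "$1" -lt 2 ]
}

# diagnose <securelevel> <pfctl -sr output>  prints one status word:
#   RC_FALLBACK_LOCKED  fallback ruleset and securelevel forbids replacing it:
#                       fix /etc/pf.conf, remove kern.securelevel=2, reboot
#   RC_FALLBACK         fallback ruleset: pfctl -nf /etc/pf.conf, then pfctl -f
#   NAT_LOADED          your ruleset is live and contains a nat-to rule
#   NO_NAT_RULE         your ruleset is live but nothing in it does NAT
diagnose() {
    level=$1
    rules=$2
    if printf '%s\n' "$rules" | is_rc_fallback_ruleset; then
        if pf_alterable "$level"; then
            echo RC_FALLBACK
        else
            echo RC_FALLBACK_LOCKED
        fi
    elif printf '%s\n' "$rules" | has_nat_rule; then
        echo NAT_LOADED
    else
        echo NO_NAT_RULE
    fi
}

# Constructed sample: the rc fallback set, trimmed from the listing in the thread
SAMPLE_FALLBACK='block drop all
pass out inet proto udp from any port = 68 to any port = 67
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)'

# Constructed sample: pfctl -sr once a user ruleset with NAT has been loaded
SAMPLE_NAT='match out on em0 inet from 192.168.0.0/24 to any nat-to (em0:0) round-robin
block drop in all
pass out quick inet all flags S/SA
pass in on em1 inet all flags S/SA'

# On the router itself, classify the live state (skipped where pfctl is absent)
if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    diagnose "$(sysctl -n kern.securelevel)" "$(pfctl -sr 2>/dev/null)"
fi
```

Run it as root on the router; RC_FALLBACK_LOCKED is exactly the state psypro was in, and the only way out is to fix the file, drop the securelevel line from /etc/sysctl.conf and reboot, checking the file first with `pfctl -nf` so the next boot does not fall back again.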
|
|||
hehe, 5 hours of work. Now NAT is working.
Once I figured out that pf.conf was not taking effect, progress was made fast. Thanks for the help and motivation.