DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 17th November 2013
ritter_k ritter_k is offline
New User
 
Join Date: Nov 2013
Posts: 5
Default Routing/NAT problem setting up home wireless router on Alix board

I'm trying to set up an alix 2d13 box as a wireless home router with openbsd to replace an off the shelf linksys box. I've been stuck for nearly a week trying to figure out why it won't do nat properly. I'm trying to nat all traffic coming through a (second) wireless interface (urtwn0) into a local bridge. urtwn0 can connect to the internet fine through a blackberry wifi hotspot, but the internal network cannot see the internet, nor the blackberry ip address (though it can ping the urtwn0 address fine).

The current set up is as follows (I'll paste ifconfig and other details to pastebin if anyone wants them):

Code:
##### CONF FILES ON ALIX BOARD #####
/etc/hostname.vether0
inet 192.168.1.1 255.255.255.0 192.168.1.255
up

/etc/hostname.bridge0
add vether0
add vr1
add vr2
add ath0
up

/etc/hostname.vr1
up

/etc/hostname.vr2
up

/etc/hostname.ath0
mediaopt hostap
nwid alix
wpakey xxxxxxxxxx
up

/etc/sysctl.conf
net.inet.ip.forwarding=1
/etc/dhcpd.conf
Code:
# note - I'm never entirely sure what to put for a domain name when I don't have one and am behind an adsl or other link
option domain-name "example.net";
# note - I'm not even bothering with dns yet, so these don't really count, but are set to the values the blackberry gives urtwn0 in resolv.conf
option domain-name-servers 10.0.0.2, 10.0.0.3;
subnet 192.168.1.0 netmask 255.255.255.0 {
 option routers 192.168.1.1;
 range 192.168.1.5 192.168.1.100;
 option subnet-mask 255.255.255.0;
}
/etc/pf.conf
# note - I've tried many different variations and sugggestions. I don't think it's a pf problem, but I may be wrong.
Code:
set skip on lo
ext_if = "urtwn0"
int_if = "vether0"
localnet = $int_if:network 
match out on $ext_if from $int_if nat-to ($ext_if)
block all
pass from { lo0, $localnet }

#############################
So, to summarise what happens when I turn it all on:
# From my laptop:
  • I can connect over wifi/ethernet to the alix board and get an ip via dhcp.
  • I can ping/ssh all connected devices on 192.168.1/24 - e.g. a raspberry pi connected via ethernet
  • I can ping the urtwn0 interface on the alix board at 10.0.0.100
  • I cannot ping the blackberry itself at 10.0.0.1, or any ip address on the internet.
    note here, ping doesn't give me a "no route to host" - it just hangs at e.g. PING 10.0.0.1 (10.0.0.1): 56 data bytes

# From the alix board
  • I can ping/ssh all connected devices on 192.168.1/24
  • I can also ping the blackberry itself at 10.0.0.1
  • I can access the internet completely normally

Things I've tried:
  • getting rid of the bridge and changing all config so there's just an ethernet connection and urtwn0, with pf changed accordingly. made no difference.
  • numerous pf changes, including getting rid of block statements and turning off entirely. made no difference
  • manually entering routes to the device. I only half guessed at this since I don't understand routing as well as I wish I did. made no difference

##### DIAGNOSTICS #### on alix board:
Code:
# route -n show -inet
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS        0        0     -    12 urtwn0
10.0.0/24          link#7             UC         3        0     -     4 urtwn0
10.0.0.1           48:9d:24:6b:41:4a  UHLc       1      225     -     4 urtwn0
10.0.0.2           48:9d:24:6b:41:4a  UHLc       0       11     -     4 urtwn0
10.0.0.3           48:9d:24:6b:41:4a  UHLc       0       12     -     4 urtwn0
10.0.0.100         127.0.0.1          UGS        0        1 33192     8 lo0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         2        1 33192     4 lo0
192.168/16         link#8             UC         3        0     -     4 vether0
192.168.1.7        00:1b:77:41:8e:75  UHLc       1      162     -     4 vether0
192.168.1.9        48:9d:24:6b:41:4a  UHLc       1        1     -     4 vether0
192.168.1.115      b8:27:eb:20:77:53  UHLc       0      142     -     4 vether0
224/4              127.0.0.1          URS        0        0 33192     8 lo0
on laptop:
Code:
# route -n show -inet
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.1        UGS        0      250     -    12 wpi0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         2        0 33192     4 lo0
192.168.1/24       link#2             UC         1        0     -     4 wpi0
192.168.1.1        fe:e1:ba:d0:47:57  UHLc       2       82     -     4 wpi0
192.168.1.7        127.0.0.1          UGS        0        0 33192     8 lo0
224/4              127.0.0.1          URS        0        0 33192     8 lo0

# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
--- 10.0.0.1 ping statistics ---
69 packets transmitted, 0 packets received, 100.0% packet loss
Hopefully this is enough that you can understand what I'm trying to do and help if possible. If any clarification is needed, let me know.
Thanks

Last edited by J65nko; 17th November 2013 at 11:52 AM. Reason: [code] and [/code] tags ;)
Reply With Quote
  #2   (View Single Post)  
Old 17th November 2013
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

My suggestion is to get rid of the bridge and just deal with 3 different networks
  • external interface network
  • wired interface network
  • wireless interface network

For example subnet the 10.0.0.0/8 network into 10.10.22.0/24 for the wired lan clients and 10.10.99/24 for the wireless ones.

Re: NAT
If you are changing or renumbering the internal network clients (wired and wireless) you can use the following match rule to perform foolproof Network Address Translation:
Code:
# ---- external/egress interface
match out inet from ! egress to any  nat-to (egress)
Note that I use the interface group egress here instead of the interface device name.

Likewise you could assign the urtwn0 interface to the group wireless and the other NIC to group wired.
A sample /etc/hostname/urtwn0
Code:
inet       10.10.99.1  255.255.255.0 NONE group wired
RE: pf.conf
In the beginning it is easier to filter just on the external interface. You can either use skip on .. or pass quick on .. Get things working first.
Later on, when everything is working, you always add filtering on the internal interfaces.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 17th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Hello, and welcome to daemonforums, ritter_k.

This is the third or fourth time I've seen people attempting to bridge(4) with a vether(4) pseudo device, and reporting problems with them on this forum. I don't know the source "howto" you or they have been using, but as with J65nko, I recommend avoiding this because it is a needless complication. The vether(4) driver was developed to address a highly specific need: to operate a Border Gateway Protocol peer from a residence in Canada. If you're not doing this, you should be able to function without vether(4).

I happen to operate a pair of Alix 2d13 platforms with OpenBSD. I have no bridge defined. My wired NAT rule looks like this -- the parentheses are used because the IP address is dynamic:
Code:
match out on $external_nic from !(external_nic) nat-to (external_nic)
I have a urtwn(4) USB-to-WiFi device which I can plug in and use as an egress device during those times when my primary wired ISP becomes inoperative, using a smartphone acting as a WiFi router. It's NAT rule looks like this:
Code:
match out on $tether_nic from !($tether_nic) nat_to ($tether_nic)
Edited to add:

The urtwn(4) device is not normally installed and used in an Alix; the NAT rule and urtwn firmware are in place only in the event it is needed to circumvent an ISP outage. It is normally used with another platform.

Last edited by jggimi; 17th November 2013 at 03:05 PM. Reason: urtwn clarity
Reply With Quote
  #4   (View Single Post)  
Old 17th November 2013
ritter_k ritter_k is offline
New User
 
Join Date: Nov 2013
Posts: 5
Default

Wow, that's quite a specific origin for vether! I can't remember the exact source - I've read so much over the last week - but I think the initial suggestion to create a bridge came from irc. The motive was that I wanted to only have one ip address that spanned all interfaces, for ease of administration (and to emulate the off the shelf linksys router). Ifconfig allows you to assign the same ip to all interfaces, but only seems to use the first assigned, so I tried creating a trunk (I know, I know, I'm a complete beginner with networks and was clutching at straws). That didn't work, hence the bridge, which did exactly what I wanted - i.e. all devices talk to one one host ip and are connected to each other through it.

I'm glad to see you've got yours all working through the urtwn link to a mobile phone - at least now I know it can be done. It's always disheartening when you're banging your head against a brick wall to do something you're not even sure is possible

Thanks for the warm welcome and quick assistance. I will try both your suggestions
Reply With Quote
  #5   (View Single Post)  
Old 17th November 2013
ritter_k ritter_k is offline
New User
 
Join Date: Nov 2013
Posts: 5
Default

woohoo, I can finally ping the outside world from my laptop! I've disabled everything except the ath0 and urtwn0 and changed the pf nat rule to the suggested
Code:
match out on $tether_nic from !($tether_nic) nat_to ($tether_nic)
and a reboot.
Now, with a working base, I can feel much more confident that I can work my way up to what I want from here.

With regards to the single ip address for all interfaces, what would be the best way to achieve this? Before I even learned of bridges and trunks, I was going to implement it in pf, but it seems like it should be lower level than that.

Also, jggimi, when you switch to urtwn, do you manually change the dns servers in dhcpd.conf? Doesn't matter too much at the minute as I'm planning to implement a dns caching server and learning all about dns once I've got my main setup correct

Thanks very much for all your help.
Reply With Quote
  #6   (View Single Post)  
Old 17th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

A bridge(4) iinterconnects different hardware media so that the attached segments can behave as if they were a single network segment. There are valid reasons to bridge multiple segments, and if you lack a switch you may have a valid reason to bridge your NICs.

My Alix boxes are connected to switches; so I have no need or desire to bridge.

As you have noted, only a single NIC's IP address is utilized when you bridge(4). As each NIC is on a separate network, all three will have unique MAC addresses. This is somewhat different from the Linksys box you replaced, which only had a single MAC address for the unshielded twisted pair segment. The Linksys platform contained an integrated switch.
Reply With Quote
  #7   (View Single Post)  
Old 17th November 2013
ritter_k ritter_k is offline
New User
 
Join Date: Nov 2013
Posts: 5
Default

OK, so as I understand it, the bridge does what I want (I really would prefer a single ip for administrative tasks, though there's probably other ways of doing it). The problem with a bridge is that it needs an ip, and for that, you need vether. At least, that's what I got from the faqs, which is why I went down that path to begin with:
(can't post urls - but search for vether in faq6)

...and here was me thinking the faqs were gospel...

The problem with my current set up (treating wireless and wired as separate subnets) is that while all devices connected to the ath0 interface can talk to each other and to the internet, they can't see the ethernet interfaces or anything connected to them.

More work to do...

Thanks again for your help
Reply With Quote
  #8   (View Single Post)  
Old 17th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Thank you for pointing me to the FAQ. It states, "...but we cannot use a physical interface as the link might be down, in which case the address would not be reachable." When I used bridges, this was never an issue; I just assigned an IP address to one of the NICs. This was also long before the availability of vether(4). And also, the individual segments were never expected to be down.

My pair of Alix 2d13s are configured without bridge(4), though I do have a bridge -- for WiFi.
  • The vr0 NICs are connected to a switch which is connected to a DOCSIS3 cable modem. The ISP requires a DHCP lease, which prevents the use of carp(4) on this network. The master firewall maintains the lease, and the master/slave switchover is via ifstated(8), which is driven by changes in state of carp(4) on vr1, and switches MAC addresses and reestablishes the lease on failure of the master.
  • The vr1 NICs are connected to a second switch, and use carp(4) for redundancy. This is the home network, and there is a WiFi bridge attached to this switch.
  • The vr2 NICs are directly interconnected, and are used for pfsync(4) and dhcpd(8) sync.
From left to right: switch, cable modem, Alixes, switch, WiFi Bridge. This image is being served to you from one of the two Alixes.

Last edited by jggimi; 17th November 2013 at 08:03 PM. Reason: clarity for ifstated
Reply With Quote
  #9   (View Single Post)  
Old 17th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

You asked,
Quote:
... when you switch to urtwn, do you manually change the dns servers in dhcpd.conf?
No, as I use net/unbound as a local and caching DNS server, and use Google's 8.8.8.8 and 4.4.4.4 domain servers as my forward zone. The unbound server(s) continue to operate in the Alix platforms.
Reply With Quote
Old 17th November 2013
ritter_k ritter_k is offline
New User
 
Join Date: Nov 2013
Posts: 5
Default

Thanks for posting that, I enjoy seeing others setups. You have any general recommendations for good brands of switch (second hand is fine) for a home environment like this? As for the modem, i've bought a draytek vigor 120 adsl modem (the only true ethernet modem I could fine) to connect my alix box up to the internet, but unfortunately with where I live I'll never have the connection speed required to do fun things like serving up images - my upload speed is appauling.

Anyway, the good news folks is that I've reimplemented the bridge and the vether device, and it now all works exactly as I'd hoped. For anyone from the future stumbling upon this post, the magic was in modifying the pf.conf, which is now:
Code:
set skip on lo
ext_if = "urtwn0"
match out on $ext_if from !($ext_if) nat-to ($ext_if)
pass all
So, it was a pf problem all along...
Now, I'm chuffed to bits as I can get back to reading the Book of PF and learning how to secure this thing.

Thanks so much for all your help
Reply With Quote
Old 17th November 2013
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

No specific recommendations on small unmanaged switches -- I'm using two different brands as they were what was available to me when I set the infrastructure up.
Reply With Quote
Old 17th November 2013
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by ritter_k View Post
(can't post urls - but search for vether in faq6)
As a preventative measure to counteract spam, we disable the posting of links for all newcomers with less than five posts. At the time of writing, you now have five messages posted, so you should now be able to post active URL's.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PC Engines Alix 2d13 board J65nko General Hardware 3 20th January 2013 12:43 AM
Problem setting up a multiport router!! npumcrisz OpenBSD General 2 1st April 2012 03:06 PM
How secure are wireless home networks? JMJ_coder General software and network 37 18th April 2011 04:04 PM
how to config PF as router and source based routing kivi_kmitl OpenBSD Security 0 4th May 2010 08:06 AM
getting and setting time from router michaelrmgreen General software and network 1 5th February 2009 01:58 PM


All times are GMT. The time now is 05:16 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick