OpenBSD General
Trouble after changing static IP to dynamic IP on OpenBSD gateway
Hello forum!
After several years of faithful service I had to change my OpenBSD 3.8 gateway from using a static IP to using a dynamic IP, since my ISP stopped providing static IPs. I didn't think much about it, and when the day of the changeover came I edited /etc/hostname.vr1 and made it contain "dhcp" instead of the IP and subnet mask used so far, expecting the transition to be smooth. (This should be enough to convince you that I'm too naive to run around without supervision ...)

To my great surprise the new setup didn't work. Now I have spent a couple of days trying to sort this out without success, while trying to cope with the mounting frustration of a wife, a teen daughter and a tween ditto. I really need assistance sorting this out...

Symptoms are: From the OpenBSD gateway I can ping the default gateway (and all other external addresses). From computers on the subnet I can ping the internal interface (192.168.1.1) and the external interface, but not the default gateway! I.e. no internet access for the Snapchat addicts...

Some (hopefully relevant) info:

Code:
$ ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:40:63:ef:9a:ef
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::240:63ff:feef:9aef%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:40:63:ef:9a:ee
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::240:63ff:feef:9aee%vr1 prefixlen 64 scopeid 0x2
        inet 85.224.177.158 netmask 0xfffffc00 broadcast 85.224.179.255
xl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:60:97:9f:f6:5d
        media: Ethernet autoselect (none)
        status: no carrier
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536

Code:
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs    Use    Mtu  Interface
default            85.224.176.1       UGS        6  28584      -  vr1
85.224.176/22      link#2             UC         1      0      -  vr1
85.224.176.1       00:26:cb:39:a3:00  UHLc       2     31      -  vr1
85.224.177.158     127.0.0.1          UGHS       0      0  33224  lo0
127/8              127.0.0.1          UGRS       0      0  33224  lo0
127.0.0.1          127.0.0.1          UH        25   2734  33224  lo0
192.168.1/24       link#1             UC         4      0      -  vr0
192.168.1.1        00:40:63:ef:9a:ef  UHLc       0    210      -  lo0
192.168.1.36       5c:f6:dc:2d:3b:e0  UHLc       1   2092      -  vr0
192.168.1.38       f0:b4:79:1f:45:47  UHLc       5   1465      -  vr0
192.168.1.56       00:12:ab:1b:c5:66  UHLc       0     14      -  vr0
224/4              127.0.0.1          URS        0    947  33224  lo0

Internet6:
Destination                    Gateway            Flags   Refs    Use    Mtu  Interface
::/104                         ::1                UGRS       0      0      -  lo0
::/96                          ::1                UGRS       0      0      -  lo0
::1                            ::1                UH        15      1  33224  lo0
::127.0.0.0/104                ::1                UGRS       0      0      -  lo0
::224.0.0.0/100                ::1                UGRS       0      0      -  lo0
::255.0.0.0/104                ::1                UGRS       0      0      -  lo0
::ffff:0.0.0.0/96              ::1                UGRS       0      0      -  lo0
2002::/24                      ::1                UGRS       0      0      -  lo0
2002:7f00::/24                 ::1                UGRS       0      0      -  lo0
2002:e000::/20                 ::1                UGRS       0      0      -  lo0
2002:ff00::/24                 ::1                UGRS       0      0      -  lo0
fe80::/10                      ::1                UGRS       0      0      -  lo0
fe80::%vr0/64                  link#1             UC         0      0      -  vr0
fe80::240:63ff:feef:9aef%vr0   00:40:63:ef:9a:ef  UHL        0      0      -  lo0
fe80::%vr1/64                  link#2             UC         0      0      -  vr1
fe80::240:63ff:feef:9aee%vr1   00:40:63:ef:9a:ee  UHL        0      0      -  lo0
fe80::%lo0/64                  fe80::1%lo0        U          0      0      -  lo0
fe80::1%lo0                    link#6             UHL        0      0      -  lo0
fec0::/10                      ::1                UGRS       0      0      -  lo0
ff01::/16                      ::1                UGRS       0      0      -  lo0
ff01::%vr0/32                  link#1             UC         0      0      -  vr0
ff01::%vr1/32                  link#2             UC         0      0      -  vr1
ff01::%lo0/32                  ::1                UC         0      0      -  lo0
ff02::/16                      ::1                UGRS       0      0      -  lo0
ff02::%vr0/32                  link#1             UC         0      0      -  vr0
ff02::%vr1/32                  link#2             UC         0      0      -  vr1
ff02::%lo0/32                  ::1                UC         0      0      -  lo0

Thanks in advance for any and all support with solving this before I get eaten alive!

// Magnus

Last edited by magrin; 4th April 2014 at 09:06 PM.
Thanks, I'll try your suggestion to surround the interface with parentheses. In the meantime, here is my pf.conf in its current state...

Code:
$ sudo cat /etc/pf.conf
# MACROS
ext_if="vr1"
int_if="vr0"
# 22 ssh
# 25 smtp
# 113 ident
# 443 https
# 587 smtp
# 993 imaps
tcp_services="{ 22, 25, 443, 587, 993 }"
icmp_types="echoreq"

# OPTIONS
set block-policy return
set loginterface $int_if
set skip on lo

# NORMALIZATION
scrub in

# NAT
nat on $ext_if from !$ext_if to any -> $ext_if
nat-anchor "ftp-proxy/*"

# REDIRECTION
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to $ext_if port 8080 -> 127.0.0.1 port 22
# utorrent
rdr on $ext_if proto tcp from any to any port 52007 -> 192.168.1.35 port 52007
rdr on $ext_if proto udp from any to any port 52007 -> 192.168.1.35 port 52007
pass in quick on $ext_if proto tcp from any to any port 52007 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 52007

# FILTER RULES
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to $ext_if \
    port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
Your PF configuration looks OK for a static egress, from a check by eye and with no real remaining knowledge of the particulars of the PF syntax from nine years ago. (This is my way of politely saying I may not have any real clue if there is something else wrong with it.)

If revising the NAT rule for dynamic egress does not solve the problem, I would double check your IP forwarding sysctl, which is the only other thing I can think of.

If you wish to stay with -release 3.8, you might benefit from keeping a local copy of the OpenBSD Project website as it existed when your OS was released:

Code:
$ cvs -d <pick your AnonCVS root> get -D 2005/11/02 www

or perhaps retain only the PF User's Guide web pages:

Code:
$ cvs -d <pick your AnonCVS root> get -D 2005/11/02 www/faq/pf

Last edited by jggimi; 4th April 2014 at 11:12 PM. Reason: typo
Changing the NAT rule as you suggested did the trick!

Code:
# NAT
nat on $ext_if from !$ext_if to any -> ($ext_if)

No doubt you saved me a weekend of hacking trying to sort the issue - thank you!!

// Magnus
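The fix above works because pf resolves an unparenthesised `$ext_if` to the interface's address once, when the ruleset is loaded, whereas `($ext_if)` makes pf look the address up on every packet, so the rule follows a DHCP lease. The script below is an added example, not anything posted in this thread or shipped with OpenBSD: it audits a copy of pf.conf, the hostname.* files and sysctl.conf for the two things raised in the replies, a translation rule whose target is a dhcp interface (or a macro defined as that interface) without parentheses, and net.inet.ip.forwarding not set. It also checks the newer `nat-to`/`rdr-to`/`binat-to` keywords that replaced the 3.8-era `->` syntax, which goes beyond the thread. The sample files it builds are constructed here and are not the poster's real configuration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenBSD gateway config for a
# translation rule bound to a dhcp interface without parentheses, and for
# IP forwarding left off in sysctl.conf.  Every path is a parameter so it can
# be run against copies of /etc; the sample tree at the bottom is constructed.

# Print interface names whose hostname.IF in the given directory says "dhcp".
list_dhcp_ifaces() {
    for f in "$1"/hostname.*; do
        [ -f "$f" ] || continue
        grep -qi '^[[:space:]]*dhcp' "$f" && printf '%s\n' "${f##*/hostname.}"
    done
    return 0
}

# Print pf.conf macro names assigned to an interface, e.g. ext_if for
# the line  ext_if="vr1"  (quotes optional).
macros_for_iface() {
    sed -n "s/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*\"\{0,1\}$2\"\{0,1\}[[:space:]]*$/\1/p" "$1"
}

# Print line-numbered pf.conf rules whose translation address names a dhcp
# interface or one of its macros without parentheses.  Matches the pre-4.7
# "... -> X" form used in the thread and the later nat-to/rdr-to/binat-to.
stale_address_rules() {
    conf="$1"; etc="$2"
    for ifc in $(list_dhcp_ifaces "$etc"); do
        names="$ifc"
        for m in $(macros_for_iface "$conf" "$ifc"); do
            names="$names \\\$$m"   # becomes \$macro so grep -E sees a literal $
        done
        for n in $names; do
            grep -nE "^[[:space:]]*[^#[:space:]].*(->|nat-to|rdr-to|binat-to)[[:space:]]*$n([[:space:]]|\$)" "$conf" || :
        done
    done
    return 0
}

# True when sysctl.conf enables forwarding.  On a live box the running value
# is "sysctl -n net.inet.ip.forwarding"; the file form keeps this offline.
forwarding_in_sysctl_conf() {
    grep -qE '^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*1' "$1"
}

# Constructed sample tree (not the poster's files) reproducing the bug.
make_sample() {
    d=$(mktemp -d) || exit 1
    printf 'dhcp\n' > "$d/hostname.vr1"
    printf 'inet 192.168.1.1 255.255.255.0 NONE\n' > "$d/hostname.vr0"
    printf 'net.inet.ip.forwarding=1\n' > "$d/sysctl.conf"
    cat > "$d/pf.conf" <<'EOF'
ext_if="vr1"
int_if="vr0"
# as originally posted: address fixed when the ruleset is loaded
nat on $ext_if from !$ext_if to any -> $ext_if
# corrected: address looked up per packet, follows the DHCP lease
#nat on $ext_if from !$ext_if to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 52007 -> 192.168.1.35 port 52007
EOF
    printf '%s\n' "$d"
}

# Run all checks against a directory laid out like /etc.
audit() {
    d="$1"
    echo "dhcp interfaces: $(list_dhcp_ifaces "$d" | tr '\n' ' ')"
    echo "translation rules that keep a stale address after a lease change:"
    stale_address_rules "$d/pf.conf" "$d"
    if forwarding_in_sysctl_conf "$d/sysctl.conf"; then
        echo "net.inet.ip.forwarding=1 is set in sysctl.conf"
    else
        echo "WARNING: net.inet.ip.forwarding not enabled in sysctl.conf"
    fi
    return 0
}

# Usage: audit the constructed sample; on a real gateway call  audit /etc
sample=$(make_sample)
audit "$sample"
rm -rf "$sample"
```

Against the sample it reports vr1 as the dhcp interface and flags only line 4, the unparenthesised `nat ... -> $ext_if`; the commented `($ext_if)` rule and the rdr to 192.168.1.35 are left alone. Run `audit /etc` on the gateway itself, or point it at a copy, to get the same report for a real ruleset.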
Great!
Now that your system is once again operational ... Please consider moving off of 3.8. OpenBSD 5.5 will be released in several weeks -- on or before May 1 of this year. You could upgrade, but I think it would be much easier to reinstall, because you've missed 17 releases. Much has changed. Much has been improved, and that includes security fixes that are not available for your release.