Routing between two subnets, routes not working.
I am trying to get a wireless router running. It was already configured as a NAT box with two interfaces, one for the Internet and one for the LAN. I added an Atheros-based wireless adapter and tried setting it up. I tried using a bridge of a virtual Ethernet device with the IP (vether0) and the devices for the local network (fxp0, athn0). This didn't work, and the vether device was stuck on a 10M type of media. I don't think that works when the media is different on the two other adapters. DHCP wasn't working on vether0 like it should, so something was wrong, probably the media thing.
So I decided on another strategy of having two subnets, so I set things up as follows...

Code:
menger:root # cat /etc/hostname.fxp0
inet 192.168.0.1 255.255.255.0 192.168.0.255 up

menger:root # cat /etc/hostname.athn0
inet 192.168.1.1 255.255.255.0 192.168.1.255
up media autoselect mode 11g mediaopt hostap nwid KintaroABODE chan 11
wpa wpakey Nintendo64 wpaprotos wpa2

Code:
menger:root # cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#guide to this pf.conf...
# queues: 34, matches: 80, everything else: 88

#interfaces
int_if="fxp0"
wifi_if="athn0"
ext_if="pppoe0"

#networks
lan_net="192.168.0.0/24"
wifi_net="192.168.1.0/24"

#hosts
menger="{ 192.168.0.1, 192.168.1.1 }"
weiner="192.168.0.2"
wifiweiner="192.168.1.2"
fekete="192.168.0.3"
mises="10.0.0.10"

#host port forwarding
weiner_ports = "{ 8333 }"
wweiner_ports = "{ 54874 }"
fekete_ports = "{ 17001, 39191, 5938, 2022 }"
mises_ports = "{ 3022 }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"

#queue ports
ssh_ports = "{ 22, 2022, 3022 }"
im_ports = "{ 1863, 5190, 5222, 8444 }"
game_ports = "{ 27000:27050, 4380 }"

altq on $ext_if cbq bandwidth 1080Kb queue { std, ssh_im, dns, game }
queue std on $ext_if bandwidth 500Kb cbq(default borrow)
queue ssh_im on $ext_if bandwidth 200Kb priority 3 cbq(red)
queue dns on $ext_if bandwidth 25Kb priority 4
queue game on $ext_if bandwidth 255Kb priority 5 cbq(red)

altq on $int_if cbq bandwidth 100Mb queue { lan, int }
queue lan on $int_if bandwidth 92Mb cbq(default)
queue int on $int_if bandwidth 7000Kb { std, ssh_im, dns, game }
queue std on $int_if bandwidth 6000Kb cbq(borrow)
queue ssh_im on $int_if bandwidth 200Kb priority 4
queue dns on $int_if bandwidth 200Kb priority 5
queue game on $int_if bandwidth 600Kb priority 6 cbq(red)

altq on $wifi_if cbq bandwidth 54Mb queue { lan, int }
queue lan on $wifi_if bandwidth 46Mb cbq(default)
queue int on $wifi_if bandwidth 500Kb { std, ssh_im, dns }
queue std on $wifi_if bandwidth 400Kb cbq(borrow)
queue ssh_im on $wifi_if bandwidth 50Kb priority 4
queue dns on $wifi_if bandwidth 50Kb priority 5

set skip on lo

# this is the squid proxy line
#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128
#pass in quick on $int_if inet proto tcp from !$mises to any port 80 rdr-to $mises port 3128
#pass out quick on $int_if inet proto tcp to $mises port 3128 \
#       received-on $int_if nat-to $int_if

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass in quick on $wifi_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)
#match out on egress inet from $int_if to any nat-to (egress:0)
#match out on egress inet from $wifi_if to any nat-to (egress:0)

pass            # to establish keep-state

block in quick from urpf-failed to any  # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log
pass out quick

match inet proto { tcp udp } queue(std)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im)
match inet proto udp to port $game_ports queue game
match inet from $menger queue lan
match inet to $menger queue lan

antispoof quick for { lo $int_if $wifi_if }

pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
pass in on egress inet proto { tcp udp } to (egress) port $weiner_ports rdr-to $weiner
# the host macro is defined above as "wifiweiner"; "$wweiner" would not load
pass in on egress inet proto { tcp udp } to (egress) port $wweiner_ports rdr-to $wifiweiner
pass in on egress inet proto { tcp udp } to (egress) port $fekete_ports rdr-to $fekete
pass in on egress inet proto { tcp udp } to (egress) port $mises_ports rdr-to $mises

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if
pass in on $wifi_if

Last edited by KintaroBC; 14th June 2013 at 10:38 AM.
I just got the wifi subnet receiving the right default route by adding "option routers 192.168.0.1, 192.168.1.1" at the top of the file above, outside of the subnet blocks.
I still do not know how to forward packets with pf from 192.168.0.1/24 to 192.168.1.1/24 and vice versa. I've been doing a lot of Googling and reading of the pf FAQ with no clues.
Networking's not really my thing, but why are you talking about pf here? Don't you just have to let the kernel forward packets using normal routing, i.e. turn on some sysctl to allow IP forwarding? Okay, let me look that up: net.inet.ip.forwarding.
I'd disable pf while you're trying to get this going, then turn it back on when you have packets moving, you know, to remove complicating factors.
You don't need pf to route packets between networks, you need the appropriate routes. Using the following simple network:
Code:
        10.2.2.100
            |
            |
  +---------|---------+
  |    10.2.2.1/24    |
  |                   |
  |      router       |
  |                   |
  |  192.168.44.1/24  |
  +---------|---------+
            |
            |
            |
       192.168.44.100

What do the routing tables on the hosts on your 192.168.1.0/24 and 192.168.0.0/24 networks look like?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
Hello, and welcome!
In your case, you have three subnets: 192.168.0/24 on fxp0, 192.168.1/24 on athn0, and whatever Internet subnet is used for pppoe0, for egress. All three subnets share the same router, with three IP addresses: 192.168.0.1, 192.168.1.1, and your Internet address. Each subnet can reach anywhere: to/from the Internet, or the other local subnet, by routing through this single router.

The 192.168.0 devices need a default route of 192.168.0.1, and the 192.168.1 devices need a default route of 192.168.1.1. Additional routes would only be needed if you had additional routers. You don't.

Let's pretend for a moment that you had a different architecture, one with multiple routers, such as:

{Internet} - [Firewall A] - {DMZ servers} - [Firewall B] - {everything else}

The DMZ server subnet has two routers. Those servers need two routes: a default route through Firewall A to the Internet, and a specific route through Firewall B to that inner subnet. Firewall A also needs two routes -- a default route through the ISP, and a specific route to the inner subnet. Without adding a specific (sometimes called static) route, those packets would be shipped to the default route, which would be to the wrong router.

---

I hope this helps.

Last edited by jggimi; 14th June 2013 at 04:59 PM. Reason: typo, clarity
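The routing argument in the post above, as an added worked example that is not code from anyone in the thread: a small longest-prefix-match model that walks a packet through per-node route tables, first through the poster's single-router layout and then through the two-firewall DMZ layout, with and without the specific route. The 192.168.0/24 and 192.168.1/24 addresses and the names menger, weiner and wifiweiner come from the thread; the ISP side (203.0.113.0/24), the Internet destination 198.51.100.7 and the DMZ addresses (10.0.1.0/24, 10.0.2.0/24, fwA, fwB, dmzsrv, inner) are assumed here for illustration, and the helpers `trace`, `thread_topology` and `dmz_topology` are written for this example only.

```python
"""Longest-prefix-match routing over small, constructed route tables.

Added example for this thread; not code from any of the posters. It shows
why a host on a subnet with one router only needs a default route, and why
a specific (static) route is needed as soon as a second router appears.
Thread addresses: 192.168.0/24, 192.168.1/24. Assumed for illustration:
203.0.113.0/24 (ISP side), 198.51.100.7 (Internet host), 10.0.1.0/24 and
10.0.2.0/24 (DMZ and inner subnets).
"""
import ipaddress

# A node owns some addresses and has a route table in "destination gateway"
# form (constructed to resemble `route -n show -inet`, not captured output).
# Gateway "direct" means the network is on-link; "edge" marks the node that
# hands packets off to the Internet.


def parse_routes(table):
    routes = []
    for line in table.strip().splitlines():
        dest, gw = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, gw))
    return routes


def lookup(routes, dst):
    """Return (network, gateway) of the most specific matching route, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def owner(nodes, ip):
    """Name of the node that owns address ip, or None."""
    return next((n for n, node in nodes.items() if ip in node["addrs"]), None)


def trace(nodes, src, dst, max_hops=8):
    """List the nodes a packet from src visits on the way to dst.

    Ends with the destination's owner on success, "internet" when the packet
    leaves through the edge node, "unreachable" when a node has no matching
    route, and "lost" when the chosen next hop is not on-link anywhere.
    """
    path, here = [src], src
    for _ in range(max_hops):
        node = nodes[here]
        hit = lookup(parse_routes(node["routes"]), dst)
        if hit is None:
            return path + ["unreachable"]
        net, gw = hit
        if gw == "direct":
            target = owner(nodes, dst)
            on_link = target is not None and any(
                ipaddress.ip_address(a) in net for a in nodes[target]["addrs"])
            return path + ([target] if on_link else ["lost"])
        nxt = owner(nodes, gw)
        if nxt is None:
            return path + (["internet"] if node.get("edge") else ["lost"])
        path.append(nxt)
        here = nxt
    return path + ["lost"]


ISP = {"addrs": ["203.0.113.1"], "edge": True,
       "routes": "203.0.113.0/24 direct\ndefault 198.51.100.1"}


def thread_topology():
    """The poster's setup: one router (menger) on both LANs and on pppoe0."""
    return {
        "weiner": {"addrs": ["192.168.0.2"],
                   "routes": "192.168.0.0/24 direct\ndefault 192.168.0.1"},
        "wifiweiner": {"addrs": ["192.168.1.2"],
                       "routes": "192.168.1.0/24 direct\ndefault 192.168.1.1"},
        "menger": {"addrs": ["192.168.0.1", "192.168.1.1", "203.0.113.20"],
                   "routes": "192.168.0.0/24 direct\n192.168.1.0/24 direct\n"
                             "203.0.113.0/24 direct\ndefault 203.0.113.1"},
        "isp": ISP,
    }


def dmz_topology(static_routes):
    """Two routers: fwA towards the Internet, fwB towards the inner subnet."""
    dmzsrv = "10.0.1.0/24 direct\ndefault 10.0.1.1"
    fwa = "10.0.1.0/24 direct\n203.0.113.0/24 direct\ndefault 203.0.113.1"
    if static_routes:  # the specific route the reply says both need
        dmzsrv += "\n10.0.2.0/24 10.0.1.2"
        fwa += "\n10.0.2.0/24 10.0.1.2"
    return {
        "dmzsrv": {"addrs": ["10.0.1.50"], "routes": dmzsrv},
        "fwA": {"addrs": ["203.0.113.10", "10.0.1.1"], "routes": fwa},
        "fwB": {"addrs": ["10.0.1.2", "10.0.2.1"],
                "routes": "10.0.1.0/24 direct\n10.0.2.0/24 direct\ndefault 10.0.1.1"},
        "inner": {"addrs": ["10.0.2.20"],
                  "routes": "10.0.2.0/24 direct\ndefault 10.0.2.1"},
        "isp": ISP,
    }


if __name__ == "__main__":
    print("one router:", trace(thread_topology(), "weiner", "192.168.1.2"))
    print("no static: ", trace(dmz_topology(False), "dmzsrv", "10.0.2.20"))
    print("static:    ", trace(dmz_topology(True), "dmzsrv", "10.0.2.20"))
```

With one router, weiner reaches wifiweiner through menger on default routes alone. In the DMZ layout without the specific route, a packet from the DMZ server to the inner host follows the default route to Firewall A and on to the ISP, which is the "wrong router" case; adding 10.0.2.0/24 via Firewall B on both the DMZ server and Firewall A sends it where it belongs. pf plays no part in any of these decisions, which is the point the thread arrives at.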
I got it working.
The main problem was that Windows 8 does not do ICMP echo by default, thanks Microsoft. Windows ate my time. I should have noticed that I wasn't getting "no route to host", but I had a big one the night before (I got smashingly drunk).
Not many here have avatars...not sure why.
And the easiest way to deal with Windows is to assign each Windows box its own private /30 on your network and be done with it =)
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. |