DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 7th May 2019
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,586
Default Virtual Machine

At this moment I am installing OpenBSD 6.5 in a VM on OpenBSD 6.4-stable. Just followed the directions in https://www.openbsd.org/faq/faq16.html

I was using bsd.rd only to boot the VM with. Initially the install program could not download the installation file sets because I forgot 2 things which are clearly described under :Option 2 - NAT for the VMs:
  1. Enable IP forwarding
    First manually to prevent rebooting ....:
    Code:
    hp_server# sysctl net.inet.ip.forwarding=1
    net.inet.ip.forwarding: 0 -> 1
    Then modify /etc/sysctl.conf
    Code:
    hp_server# cat /etc/sysctl.conf
    machdep.allowaperture=1
    net.inet.ip.forwarding=1
  2. Modify my workstation pf.conf to allow NAT for the 100.64.0.0/10 shared address space:
    Code:
    dns_server = '8.8.8.8'
    match out on egress from 100.64.0.0/10 to any nat-to (egress)
    pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
            rdr-to $dns_server port domain

In the mean time that I write this the sets have been downloaded and installed ....
Code:
Get/Verify SHA256.sig   100% |**************************|  2141       00:00    
Signature Verified
Get/Verify bsd          100% |**************************| 15163 KB    00:38    
Get/Verify bsd.rd       100% |**************************|  9984 KB    00:30    
Get/Verify base65.tgz   100% |**************************|   190 MB    10:34    
Get/Verify comp65.tgz   100% |**************************| 71916 KB    02:53    
Get/Verify man65.tgz    100% |**************************|  7385 KB    00:17    
Installing bsd          100% |**************************| 15163 KB    00:00    
Installing bsd.rd       100% |**************************|  9984 KB    00:00    
Installing base65.tgz   100% |**************************|   190 MB    00:30    
Extracting etc.tgz      100% |**************************|   260 KB    00:00    
Installing comp65.tgz   100% |**************************| 71916 KB    00:33    
Installing man65.tgz    100% |**************************|  7385 KB    00:03    
Location of sets? (disk http or 'done') [done]
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #2   (View Single Post)  
Old 7th May 2019
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Bloaty McBloatFace
 
Join Date: Dec 2015
Location: London
Posts: 154
Default

Quote:
Originally Posted by J65nko View Post
Code:
pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
        rdr-to $dns_server port domain
^ You don't need this line to let the VM use Google's DNS, it already has access to the interweb in general from the preceding line.

I have Arch & Debian VM's running that ask Quad9 for addresses and they work without that line (and connect with systemd-networkd, which is amusing).
__________________
Linux is for people who hate Windows. BSD is for people who love UNIX.
Reply With Quote
  #3   (View Single Post)  
Old 7th May 2019
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,586
Default

In my VM I have:
Code:
vm_j65# cat /etc/resolv.conf
# Generated by vio0 dhclient
nameserver 100.64.1.2
lookup file bind
To see whether you are right I commented out that second line, but after I reloaded the rules of my desktop hosting the VM, the VM could not resolve anymore:
Code:
vm_j65# dig www.google.com          

; <<>> DiG 9.4.2-P2 <<>> www.google.com
;; global options:  printcmd
;; connection timed out; no servers could be reached
However if I specify a name server it does:
Code:
vm_j65# dig www.google.com @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> www.google.com @8.8.8.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10672
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         6       IN      A       172.217.168.228

;; Query time: 10 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May  7 22:47:59 2019
;; MSG SIZE  rcvd: 48
So I think I really need that line .....
You may not need it because, I assume, you speifically configured your VMs to use the Quad9 name servers instead of the default OpenBSD VM on 100.64.1.2 that I have.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 7th May 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,868
Default

I use rebound(8) to provide DNS services to my guests. It makes for a very simple pf.conf:
Code:
# NAT any virtual machines
match out on egress from 100.64.0.0/10 to any nat-to (egress)

pass log all

# route domain requests from virtual machines to rebound(8)
pass in log proto udp from 100.64.0.0/10 to (self) port domain rdr-to localhost
Reply With Quote
  #5   (View Single Post)  
Old 8th May 2019
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Bloaty McBloatFace
 
Join Date: Dec 2015
Location: London
Posts: 154
Default

Quote:
Originally Posted by J65nko View Post
You may not need it because, I assume, you speifically configured your VMs to use the Quad9 name servers instead of the default OpenBSD VM on 100.64.1.2 that I have.
Yes, that's right.

But why not just configure your VM to use 8.8.8.8 directly?
Code:
# /etc/dhclient.conf
supersede domain-name-servers 8.8.8.8;
__________________
Linux is for people who hate Windows. BSD is for people who love UNIX.
Reply With Quote
  #6   (View Single Post)  
Old 8th May 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,868
Default

Quote:
Originally Posted by Head_on_a_Stick View Post
But why not just configure your VM to use 8.8.8.8 directly?
In my case, because I want the guests to be able to resolve local names from local unbound(8) nameservers.
Reply With Quote
  #7   (View Single Post)  
Old 8th May 2019
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,586
Default

This was my first attempt to run an OpenBSD VM. And I told it to boot the 6.5 bsd.rd installer. Because the install got stuck at downloading the installation file sets, exactly following the FAQ's suggestion to modify the firewall rules seemed to be the fastest was to get the install going again ;-)
Code:
# vmctl start "OpenBSD_65" -b /home/adriaan/Downloads/bsd.rd \
-m 1G -L -c -i1--d//home2/vm_disk
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #8   (View Single Post)  
Old 9th May 2019
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,586
Default

Quote:
Originally Posted by jggimi View Post
I use rebound(8) to provide DNS services to my guests. It makes for a very simple pf.conf:
Code:
[trim]
# route domain requests from virtual machines to rebound(8)
pass in log proto udp from 100.64.0.0/10 to (self) port domain rdr-to localhost
Name servers uses UDP by default but in some cases they switch to TCP. So IMHO your rule should be :
Code:
# route domain requests from virtual machines to rebound(8)
pass in log proto { udp, tcp} from 100.64.0.0/10 to (self) port domain \
           rdr-to localhost
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #9   (View Single Post)  
Old 9th May 2019
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,868
Default

You're right. I don't do zone transfers, so haven't had any trouble, but any request or response over 512 bytes will use TCP.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
KVM Virtual Machine network configuration J65nko Other BSD and UNIX/UNIX-like 3 2nd December 2014 06:00 AM
Networking on virtual machine satimis General software and network 4 29th November 2008 02:16 PM
USB support in virtual machine? Sunnz OpenBSD Packages and Ports 2 16th November 2008 04:00 AM
highly secure virtual machine uptonm OpenBSD Security 26 28th July 2008 10:10 PM
Extract ISO under OpenVZ virtual machine stukov Other BSD and UNIX/UNIX-like 1 14th May 2008 09:46 PM


All times are GMT. The time now is 01:46 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick