DaemonForums  

#1 - 18th January 2011 - unixjingleman
routing and ARP questions

Hi there
I'm still trying to set up my network. The devices that concern me at this stage in the set-up that i want are:

Code:
---|LAN|---|switch|---|OpenBSD|---|switch|------|ADSL/router|
So OpenBSD will hopefully be a firewall/router for the internal LAN.
Here is the output of netstat -rn on OpenBSD:
Code:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.1.254      UGS        0        0     -     8 xl0  
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0  
127.0.0.1          127.0.0.1          UH         2        0 33200     4 lo0  
192.168.1/24       link#1             UC         1        0     -     4 xl0  
192.168.1.66       127.0.0.1          UGHS       0        0 33200     8 lo0  
192.168.1.254      00:24:17:f7:d5:88  UHLc       1       41     -     4 xl0  
192.168.2/24       link#2             UC         1        0     -     4 xl1  
192.168.2.77       34:15:9e:2e:0b:ac  UHLc       0       23     -     4 xl1  
224/4
xl0 is the external interface. xl1 is the internal interface. I have routing turned on in /etc/sysctl.conf.
What I'm trying to establish is whether the border router/ADSL box (which is a home router) won't allow anything from interfaces that are on different subnets to its internal interface, or whether I just haven't configured routing properly on OpenBSD.
A tcpdump sniff of the OpenBSD box's external interface, while I'm trying to ping the border router from the LAN, just revealed that OpenBSD's external interface was sending the ICMP echo packets out. The only other thing mentioned in this sniffing session was that the ADSL/border router did an ARP request for the host on the LAN that pinged it. No reply was received. I can ping either the external or internal interface on the OpenBSD box from hosts on the LAN. I just need to establish whether it's the ADSL box/border router that is refusing to deal with packets that have source IPs that are not on the same subnet as its internal interface/DHCP range, or whether there is anything I can do on OpenBSD to improve the situation?
BTW, when I did:
Code:
#route add 192.168.2.77 192.168.2.12
the situation was the same. I couldn't ping the border router from the LAN.
Thank you for your time and any replies.
#2 - 18th January 2011 - unixjingleman

Sorry, I forgot to say. 192.168.2.77 is the IP of the ping host on the LAN. 192.168.2.12 is the internal interface on the OpenBSD box.
#3 - 18th January 2011 - unixjingleman

I just tried putting OpenBSD's internal interface and the LAN host's interface on 192.168.1.*. I don't think OpenBSD liked it. I couldn't ping OpenBSD's internal or external interface from the LAN. Is OpenBSD supposed to be able to have two interfaces on the same subnet and still route in this way?
#4 - 18th January 2011 - unixjingleman

Is there any way to get OpenBSD to route packets from 192.168.1.* when both its interfaces are on 192.168.1.*? I think that may be the only way to satisfy the ADSL box/router. When I did a tcpdump sniff of OpenBSD's internal interface, while pinging from the LAN host (192.168.1.247), when both its interfaces were on 192.168.1.*, an ARP request to tell the LAN host the MAC address of OpenBSD's internal interface was never answered. How do I get OpenBSD to be able to have both its interfaces on 192.168.1.*? This is not really OpenBSD's fault; I think it's the ADSL/border router forcing me into an unusual position.
Thank you for any suggestions
#5 - 18th January 2011 - jggimi

Sigh.

As far as your ADSL router is concerned, it doesn't know how to route to the inner network, 192.168.2/24. You will need to add a route to that device, using the OpenBSD as the router. Think: more than a point-to-point connection requires a routing table entry. The ADSL router doesn't know about the 192.168.2/24 network, yet.

1) Never put two NICs on the same subnet from a single host. It is weak topology, fraught with more problems than it can possibly solve.

2) With this configuration, you have three choices (at least):

Choice A) add a route on the ADSL box to the inner network, using the OpenBSD box as the router.

Choice B) Convert the OpenBSD box to a NAT router, so all inner devices will have their addresses translated to the OpenBSD's single network address.

Choice C) Run the OpenBSD box as a firewall bridge, with all devices on the same subnet.

---

I recommend Option A.
#6 - 19th January 2011 - jggimi

Just to be more helpful, here's how IP routing works, from a high level perspective:
  • All routes are defined as the path to the next address in the chain, no further.

    If the physical route from A to Z runs through the alphabet, A only needs to know that to get to Z, it sends packets to B. The routing table in B will point to C, and so on.
  • Any undefined route will use the "default" route, assuming one has been set up.

    For a typical Small Office / Home Office / Residential network (SOHO), the default route will point to a "gateway" router at the ISP, so that every possible subnet not defined locally -- all of the Internet -- gets routed outward.
With this as background, your ADSL router assumed that subnet 192.168.2/24 got routed through your ISP.
Your ISP will not route those packets to the Internet, of course, as they are part of the RFC 1918 address pool, used in private networks.
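As an added illustration of jggimi's two posts above (the ADSL box having no route to 192.168.2/24, and a lookup falling through to the default route when no more specific entry matches), here is a small Python model of the thread's topology. It is not code from the thread or from OpenBSD. The addresses come from the posts; the per-device routing tables, the "ISP" next hop on the ADSL box and the simplified NAT state table are constructed assumptions. It walks an echo request from the LAN host to the ADSL router and the reply back: first as posted, then with Choice B (NAT on the OpenBSD box), then with Choice A (a static route on the ADSL box via the OpenBSD box).

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (illustrative, not the poster's real config):
#   LAN host 192.168.2.77 --- xl1 192.168.2.12 [OpenBSD] xl0 192.168.1.66 --- ADSL router 192.168.1.254
# A next hop is "direct" (destination on a connected subnet), "ISP" (the ADSL box's
# upstream link) or the address of the next router.
OPENBSD_OUTER = "192.168.1.66"
INNER_NET = ip_network("192.168.2.0/24")
NODES = {
    "lan-host": {"addrs": {"192.168.2.77"}, "forward": False,
                 "routes": [("192.168.2.0/24", "direct"), ("0.0.0.0/0", "192.168.2.12")]},
    "openbsd":  {"addrs": {"192.168.2.12", OPENBSD_OUTER}, "forward": True,
                 "routes": [("192.168.2.0/24", "direct"), ("192.168.1.0/24", "direct"),
                            ("0.0.0.0/0", "192.168.1.254")]},
    "adsl":     {"addrs": {"192.168.1.254"}, "forward": True,
                 "routes": [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "ISP")]},
}
NAT_STATE = {}  # (translated src, dst) -> original src; only used when nat=True


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching prefix wins; 0.0.0.0/0 matches last."""
    best = None
    for prefix, nexthop in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def owner(addr):
    """Which node would answer ARP for this address (None = nobody on the wire has it)."""
    return next((name for name, n in NODES.items() if addr in n["addrs"]), None)


def forward(start, src, dst, nat=False, max_hops=8):
    """Walk one packet hop by hop. Returns (outcome, path, src as seen at the end)."""
    node, path = start, [start]
    for _ in range(max_hops):
        n = NODES[node]
        # Choice B, return direction: undo the translation for a known state entry
        if nat and node == "openbsd" and (dst, src) in NAT_STATE:
            dst = NAT_STATE[(dst, src)]
        if dst in n["addrs"]:
            return "delivered", path, src
        if node != start and not n["forward"]:
            return "dropped: host does not forward", path, src
        nexthop = lookup(n["routes"], dst)
        if nexthop is None:
            return "dropped: no route", path, src
        if nexthop == "ISP":
            return "dropped: sent to ISP, RFC 1918 destination", path, src
        # Choice B, outbound: inner sources leave xl0 as the OpenBSD box's own address
        if nat and node == "openbsd" and ip_address(src) in INNER_NET:
            NAT_STATE[(OPENBSD_OUTER, dst)] = src
            src = OPENBSD_OUTER
        node = owner(dst if nexthop == "direct" else nexthop)
        if node is None:
            return "dropped: ARP for next hop unanswered", path, src
        path.append(node)
    return "dropped: hop limit", path, src


def ping(src, dst, nat=False):
    """Echo request from src to dst, then the echo reply back; returns both outcomes."""
    req, req_path, seen_src = forward(owner(src), src, dst, nat)
    if req != "delivered":
        return {"request": req, "reply": "never sent"}
    rep, _, _ = forward(req_path[-1], dst, seen_src, nat)
    return {"request": req, "reply": rep}


def add_route_on_adsl(prefix, via):
    """Choice A: the static route the ADSL box is missing."""
    NODES["adsl"]["routes"].append((prefix, via))


if __name__ == "__main__":
    print("as posted:", ping("192.168.2.77", "192.168.1.254"))
    print("choice B: ", ping("192.168.2.77", "192.168.1.254", nat=True))
    add_route_on_adsl("192.168.2.0/24", OPENBSD_OUTER)
    print("choice A: ", ping("192.168.2.77", "192.168.1.254"))
```

In the "as posted" run the request is delivered and the reply is dropped at the ADSL box, because its only match for 192.168.2.77 is the default route; with either choice both directions complete. The model deliberately leaves out the ARP-for-the-LAN-host behaviour the original poster saw on the wire, since the thread does not say what netmask the ADSL box was using.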
#7 - 19th January 2011 - BSDfan666

Quite a lot of people use the NAT routers provided by their ISP, but that sort of makes OpenBSD redundant.. for ADSL you should look into switching the modem to bridged mode and use one of OpenBSD's PPPoE clients instead, that way you get assigned a public address and control the topology in greater detail.
#8 - 19th January 2011 - jggimi

It's not entirely redundant though. Even in the topology described by unixjingleman, the "outer" subnet could be used for "DMZ" servers, that have very strict rules on inbound traffic (say, from an "outer" web server to an inner DB engine).

The OpenBSD platform can be used for traffic shaping in and out of the "inner" subnet.

(No, I don't have an ADSL modem.)
#9 - 19th January 2011 - BSDfan666

But it is overkill for a simple network.. it makes little sense to use it as a transparent filter like that, you might as well consolidate the NAT and firewall onto one system, preferably something more manageable than the ISP brick.

That's one reason I dislike DSL providers though, they eliminated the PPP dialers and merged the modem with a SOHO router.. effectively forcing NAT on people.

My cable modem assigns public IPs using DHCP.

Last edited by BSDfan666; 19th January 2011 at 08:20 PM.
19th January 2011 - jggimi

Perhaps. As I said, I don't have ADSL, and if I did, would still want an exposed address and more complete control.

My VDSL modem (3-Wire, meh) provides a "SuperDMZ" mode to provide the exposed address to the inner router. It does not operate as a bridge, and offers a bunch of firewall-ish capabilities which I have disabled. I leave the outer subnet for IPTV traffic to the set top boxes, the inner subnets are for servers, workstations, game consoles, mobile phones, and other family TCP/IP traffic.

Edited to add:

To be clear, the VDSL box doesn't have a bridge mode available. In "SuperDMZ" mode, it remains a NAT router and forwards all packets that aren't associated with an existing state table entry to the DMZ host, which uses the exposed IP address.

Since I don't have a bridge, I let the IPTV boxes have their own RFC 1918 subnet, sharing their switched Ethernet with the "outer" NIC of my bastion OpenBSD router, so that IPTV traffic doesn't transit any of my own systems -- I did not want to have to shape it.

The webserver in my .sig is behind several NATs.
From this ISP, IPTV and VOIP traffic come through a private IP network, not the Internet, that traffic comes from a nearby point of presence. The VOIP packets are converted to analog POTS twisted pair by the 3-Wire router, and go to household wired phones.



Last edited by jggimi; 19th January 2011 at 09:34 PM.