DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 4th April 2014
magrin magrin is offline
Real Name: Magnus
New User
 
Join Date: Apr 2014
Location: Göteborg, Sweden
Posts: 3
Thanked 0 Times in 0 Posts
Default Trouble after changing static IP to dynamic IP on OpenBSD gateway

Hello forum!

After several years of faithful service I had to change my OpenBSD 3.8 gateway from using a static IP to using a dynamic IP since my ISP stopped providing static IPs.

I didn't think much about it and when the day of the changeover came I edited /etc/hostname.vr1 and made it contain "dhcp" instead of the ip and sub mask used so far expecting the transition to be smooth. (this should be enough to convince you that I'm too naive to run around without supervision ...)

To my great surprise the new setup didn't work.

Now I have spent a couple of days trying to sort this out without success while trying to cope with the mounting frustration of a wife, a teen daughter and a tween ditto. I really need assistance sorting this out…

Symptoms are:

From the OpenBSD gateway I can ping the default gateway (and all other external addresses).
From computers on the subnet I can ping the internal interface (192.168.1.1) and the external interface but not the default gateway! I.e. no internet access for the Snapchat addicts…

Some (hopefully relevant) info:

Code:
$ ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:40:63:ef:9a:ef
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::240:63ff:feef:9aef%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:40:63:ef:9a:ee
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::240:63ff:feef:9aee%vr1 prefixlen 64 scopeid 0x2
        inet 85.224.177.158 netmask 0xfffffc00 broadcast 85.224.179.255
xl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:60:97:9f:f6:5d
        media: Ethernet autoselect (none)
        status: no carrier
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
enc0: flags=0<> mtu 1536
Code:
$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            85.224.176.1       UGS         6    28584      -   vr1
85.224.176/22      link#2             UC          1        0      -   vr1
85.224.176.1       00:26:cb:39:a3:00  UHLc        2       31      -   vr1
85.224.177.158     127.0.0.1          UGHS        0        0  33224   lo0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH         25     2734  33224   lo0
192.168.1/24       link#1             UC          4        0      -   vr0
192.168.1.1        00:40:63:ef:9a:ef  UHLc        0      210      -   lo0
192.168.1.36       5c:f6:dc:2d:3b:e0  UHLc        1     2092      -   vr0
192.168.1.38       f0:b4:79:1f:45:47  UHLc        5     1465      -   vr0
192.168.1.56       00:12:ab:1b:c5:66  UHLc        0       14      -   vr0
224/4              127.0.0.1          URS         0      947  33224   lo0

Internet6:
Destination                        Gateway                        Flags    Refs      Use    Mtu  Interface
::/104                             ::1                            UGRS        0        0      -   lo0
::/96                              ::1                            UGRS        0        0      -   lo0
::1                                ::1                            UH         15        1  33224   lo0
::127.0.0.0/104                    ::1                            UGRS        0        0      -   lo0
::224.0.0.0/100                    ::1                            UGRS        0        0      -   lo0
::255.0.0.0/104                    ::1                            UGRS        0        0      -   lo0
::ffff:0.0.0.0/96                  ::1                            UGRS        0        0      -   lo0
2002::/24                          ::1                            UGRS        0        0      -   lo0
2002:7f00::/24                     ::1                            UGRS        0        0      -   lo0
2002:e000::/20                     ::1                            UGRS        0        0      -   lo0
2002:ff00::/24                     ::1                            UGRS        0        0      -   lo0
fe80::/10                          ::1                            UGRS        0        0      -   lo0
fe80::%vr0/64                      link#1                         UC          0        0      -   vr0
fe80::240:63ff:feef:9aef%vr0       00:40:63:ef:9a:ef              UHL         0        0      -   lo0
fe80::%vr1/64                      link#2                         UC          0        0      -   vr1
fe80::240:63ff:feef:9aee%vr1       00:40:63:ef:9a:ee              UHL         0        0      -   lo0
fe80::%lo0/64                      fe80::1%lo0                    U           0        0      -   lo0
fe80::1%lo0                        link#6                         UHL         0        0      -   lo0
fec0::/10                          ::1                            UGRS        0        0      -   lo0
ff01::/16                          ::1                            UGRS        0        0      -   lo0
ff01::%vr0/32                      link#1                         UC          0        0      -   vr0
ff01::%vr1/32                      link#2                         UC          0        0      -   vr1
ff01::%lo0/32                      ::1                            UC          0        0      -   lo0
ff02::/16                          ::1                            UGRS        0        0      -   lo0
ff02::%vr0/32                      link#1                         UC          0        0      -   vr0
ff02::%vr1/32                      link#2                         UC          0        0      -   vr1
ff02::%lo0/32                      ::1                            UC          0        0      -   lo0
Based on the symptoms I'd guess that there is a problem with routing as opposed to the PF setup but I simply can't figure out what to do about it. I'd be more than happy to provide PF configuration as well as shoe size to sort this issue, just let me know what I can do to help you help me!

Thanks in advance for any and all support with solving this before I get eaten alive!

// Magnus

Last edited by magrin; 4th April 2014 at 09:06 PM.
Reply With Quote
  #2   (View Single Post)  
Old 4th April 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,886
Thanked 214 Times in 189 Posts
Default

Hello, and welcome!

OpenBSD 3.8 support ended on November 1, 2006. It is doubtful you will be able to obtain a great deal of support for a system that is so old, but we will still try to help.

It is my assumption that your PF configuration needs to be revised. At your version of the OS, a typical NAT rule for static use might have looked something like:

nat on vr1 from vr0:network to any -> vr1

This will only work properly when the address has already been established at PF load time. Under DHCP, you need to modify the rule. Parentheses are needed to inform PF to revise the rule whenever the address is changed.

nat on vr1 from vr0:network to any -> (vr1)

---

I don't know if this will resolve your issue, since this is just a guess regarding your problem.
Reply With Quote
  #3   (View Single Post)  
Old 4th April 2014
magrin magrin is offline
Real Name: Magnus
New User
 
Join Date: Apr 2014
Location: Göteborg, Sweden
Posts: 3
Thanked 0 Times in 0 Posts
Default

Thanks, I'l try your suggestion to surround the interface with parenthesis. In the mean time, here is my pf.conf in its current state...

Code:
$ sudo cat /etc/pf.conf
# MACROS
ext_if="vr1"
int_if="vr0"

# 22  ssh
# 25  smtp
# 113 ident
# 443 https
# 587 smtp
# 993 imaps
tcp_services="{ 22, 25, 443, 587, 993 }"
icmp_types="echoreq"

# OPTIONS
set block-policy return
set loginterface $int_if
set skip on lo

# NORMALIZATION
scrub in

# NAT
nat on $ext_if from !$ext_if to any -> $ext_if
nat-anchor "ftp-proxy/*"

# REDIRECTION
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to $ext_if port 8080 -> 127.0.0.1 port 22

# utorrent
rdr on $ext_if proto tcp from any to any port 52007 -> 192.168.1.35 port 52007
rdr on $ext_if proto udp from any to any port 52007 -> 192.168.1.35 port 52007
pass in quick on $ext_if proto tcp from any to any port 52007 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 52007

# FILTER RULES
block in
pass out keep state

anchor "ftp-proxy/*"

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to $ext_if \
  port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
Reply With Quote
  #4   (View Single Post)  
Old 4th April 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,886
Thanked 214 Times in 189 Posts
Default

Your PF configuration looks OK for a static egress, from a check by eyes and with no real remaining knowledge of the particulars of the PF syntax from nine years ago. (This is my way of politely saying I may not have any real clue if there is something else wrong with it.)

If revising the NAT rule for dynamic egress does not solve the problem, I would double check your IP forwarding sysctl, which is the only other thing I can think of.

If you wish to stay with -release 3.8, you might benefit from keeping a local copy of the OpenBSD Project webite as it existed when your OS was released:

$ cvs -d <pick your AnonCVS root> get -D 2005/11/02 www

or perhaps retain only the PF Users Guide web pages:

$ cvs -d <pick your AnonCVS root> get -D 2005/11/02 www/faq/pf

Last edited by jggimi; 4th April 2014 at 11:12 PM. Reason: typo
Reply With Quote
  #5   (View Single Post)  
Old 5th April 2014
magrin magrin is offline
Real Name: Magnus
New User
 
Join Date: Apr 2014
Location: Göteborg, Sweden
Posts: 3
Thanked 0 Times in 0 Posts
Default

Changing the NAT rule as you suggested made the trick!

Code:
# NAT
nat on $ext_if from !$ext_if to any -> ($ext_if)
I actually initially ruled this out as the root cause to the issue since I remember reading that it would only make a difference when the lease expires and I'm assigned a new external IP. Reloading the PF ruleset would set things straight in that case but didn't make any difference for me.

No doubt you saved me a weekend of hacking trying to sort the issue - thank you!!

// Magnus
Reply With Quote
  #6   (View Single Post)  
Old 5th April 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,886
Thanked 214 Times in 189 Posts
Default

Great!

Now that your system is once again operational ...



Please consider moving off of 3.8. OpenBSD 5.5 will be released in several weeks -- on or before May 1 of this year. You could upgrade, but I think it would be much easier to reinstall, because you've missed 17 releases.

Much has changed. Much has been improved, and that includes security fixes that are not available for your release.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
How-To : Vpn IKEv2 between a Windows 7 Road Warrior Host and an OpenBSD gateway wesley Guides 1 15th July 2013 04:38 PM
Trouble changing the resolution in X EnigmaticFellow FreeBSD General 6 5th January 2013 05:18 PM
Setting up OpenBSD as a ssh gateway dbach OpenBSD General 6 12th January 2012 05:30 PM
openBSD IPSEC gateway w/WINDOWS XP roadwarrior s2scott OpenBSD Security 7 13th January 2009 11:01 AM
dhcpd problems... dynamic and static leases present edhunter FreeBSD General 7 16th May 2008 02:34 PM


All times are GMT. The time now is 12:12 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick