DaemonForums  

Posted 5th July 2014 by ocicat (Administrator)

For posterity, below is a link to another comprehensive paper on IPv4 addressing which is worth study:

http://www.cisco.com/web/about/ac123...addresses.html

Equally highly recommended.

Posted 6th July 2014 by frcc

Quote:
Originally Posted by EverydayDiesel
It is working now. I want to thank everyone that helped with this mess.

I will read the doc so I can understand subnet masks better in the future.

Thanks again

Yes, and besides the reference to the .pdf for subnetting above, an IP calculator is nice to use in your network planning to double-check your assumptions (something like sipcalc).

Last edited by frcc; 6th July 2014 at 01:53 PM. Reason: correct typo
Posted 6th July 2014 by jggimi
NAT and a routing tutorial

Quote:
Originally Posted by EverydayDiesel
I will read the doc so I can understand subnet masks better in the future.

Assuming your two subnets are now set to /24s...

Your exterior gateway uses NAT. All communication with the outside world shares a single IP address a.b.c.d:
Code:
{Internet} - a.b.c.d [gateway] private network 10.1.0.0/24
Your inner subnet is 10.2.0.0/24. It uses NAT also, so that all devices on that subnet appear to originate from the inner router. I don't know its address so I will use 10.1.0.x below.

Using NAT on the inner router is not required. However, to turn off NAT requires changing your routing tables on the 10.1.0.0/24 subnet.

Introduction to routing

In a simple one-router network, each device needs to know three things about their subnet:
  1. Their own IP address
  2. Their netmask, defining the size of their subnet
  3. The address of the gateway router on their subnet for packets that go outside the subnet.
Every time a device has an outbound IP packet, the network stack just compares its own IP address to the destination IP address, using the netmask to determine if the address is inside or outside the subnet.

  • If the destination is inside the subnet, the packet is sent to the destination directly, using the Address Resolution Protocol (ARP) to discover the MAC address of the destination IP device.
  • If the destination is outside the subnet, the packet is sent to the router for forwarding.
In a network with a single router, the routing table in our devices has a single entry, for a default route. Any destination IP address outside the subnet has its packets sent to the default router. Default routes (with a subnet of "everything" or 0.0.0.0/0) are all that are needed.

Now let's look at your network again, and consider the 10.2.0.0/24 network. I don't know the address of its router on the outer 10.1.0.0/24 network, so I have used 10.1.0.x as its address.
Code:
{Internet} - a.b.c.d [gateway] 10.1.0.1 - 10.1.0.x - [gateway] 10.2.0.1 - 10.2.0.33 [device]
If NAT is not used on the inner 10.2.0.0/24 subnet, the devices on the outer 10.1.0.0/24 subnet cannot reach the 10.2.0.0/24 devices unless we add an entry to our routing tables.

Let's look first at the router at 10.1.0.1:

This computer has only a default route, somewhere in the a.b.c.d/nn subnet. Its inner subnet it knows as 10.1.0.0/24. If it receives a packet destined for 10.2.0.33, it will forward that packet to its default route, in error, as it is somewhere in the a.b.c.d/nn subnet.
The ISP will drop that packet, since none of the IP addresses in RFC 1918 are permitted to be routed on the Internet. This is why we use RFC 1918 addresses on our networks. It prevents us from accidentally sending these packets out on the Internet by mistake.
Let's add a route on the 10.1.0.1 router, pointing to the inner network. I'm using 10.1.0.x because I don't know the address of the inner router on the 10.1.0.0/24 subnet. An entry in the routing table is added in the form <destination subnet> <gateway>:

Code:
# route add 10.2.0.0/24 10.1.0.x

Now, packets that come to the outer router for 10.2.0.0/24 addresses will be forwarded to 10.1.0.x for further transmission.

With this one additional entry in the outermost router's table, a device on the 10.1.0.0/24 subnet can reach devices on the 10.2.0.0/24 subnet. But it's inefficient. All packets will be sent to the outer router, which will forward them to the inner router. If you add routing table entries on the devices of the 10.1.0.0/24 network, they can reach the 10.1.0.x router directly, and will not need to involve the outer router at 10.1.0.1 at all.

The innermost network does not need anything added to its routing tables. Packets from 10.2.0.33 will be sent to 10.2.0.1 for further forwarding. If those packets are addressed to devices on the 10.1.0.0/24 subnet, it will send them to the device. If they are destined for the Internet, the inner router will use the address of the router in its default route: 10.1.0.1.

Last edited by jggimi; 6th July 2014 at 02:11 PM. Reason: typos, clarity
Posted 16th July 2014 by EverydayDiesel
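The forwarding decision and longest-prefix lookup described in the post above, as an added Python model (example code, not from the thread). It stands in the unknown values with assumed ones: 203.0.113.7/24 for the outer router's a.b.c.d side and 10.1.0.254 for the inner router's 10.1.0.x address.

```python
import ipaddress

# RFC 1918 private ranges; the ISP will not route packets addressed to these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def next_hop(connected, routes, dst):
    """connected: 'addr/prefix' interfaces of this device; routes: list of
    ('subnet', 'gateway') entries; dst: destination address as a string.
    Returns (kind, gateway, matched): ('direct', dst, 'connected') when dst
    is on-link (delivered directly, MAC found via ARP), ('via', gw, subnet)
    for the longest-prefix-matching route, or ('unreachable', None, None)."""
    addr = ipaddress.ip_address(dst)
    for iface in connected:
        if addr in ipaddress.ip_interface(iface).network:
            return ("direct", dst, "connected")
    best = None
    for subnet, gw in routes:
        net = ipaddress.ip_network(subnet)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return ("unreachable", None, None)
    return ("via", best[1], str(best[0]))

def dropped_by_isp(connected, routes, dst):
    """True when the packet would leave on the default route although its
    destination is RFC 1918 space: the mis-forwarding the post warns about."""
    kind, _gw, matched = next_hop(connected, routes, dst)
    private = any(ipaddress.ip_address(dst) in n for n in RFC1918)
    return kind == "via" and matched == "0.0.0.0/0" and private

# Constructed topology following the thread. Assumed stand-ins: 203.0.113.7/24
# for the outer router's a.b.c.d side, 10.1.0.254 for the inner router's 10.1.0.x.
INNER_ROUTER = "10.1.0.254"
OUTER_IFACES = ["203.0.113.7/24", "10.1.0.1/24"]
OUTER_BEFORE = [("0.0.0.0/0", "203.0.113.1")]                 # default route only
OUTER_AFTER = OUTER_BEFORE + [("10.2.0.0/24", INNER_ROUTER)]  # after 'route add'

if __name__ == "__main__":
    # Default route only: 10.2.0.33 is sent upstream and the ISP drops it.
    print(next_hop(OUTER_IFACES, OUTER_BEFORE, "10.2.0.33"),
          dropped_by_isp(OUTER_IFACES, OUTER_BEFORE, "10.2.0.33"))
    # With the added /24, the more specific entry beats 0.0.0.0/0.
    print(next_hop(OUTER_IFACES, OUTER_AFTER, "10.2.0.33"))
    # A 10.1.0.0/24 host with only a default route bounces via 10.1.0.1.
    print(next_hop(["10.1.0.20/24"], [("0.0.0.0/0", "10.1.0.1")], "10.2.0.33"))
```

Adding the same 10.2.0.0/24 entry on a 10.1.0.0/24 host makes it choose the inner router directly, which is the shortcut the post describes.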

Is openbsd.org down? I was trying to look up the example of how to redirect traffic of non-authpf-authenticated users to the httpd service running on the local machine.
Posted 16th July 2014 by jggimi

http://www.downforeveryoneorjustme.com/www.openbsd.org says:
Quote:
It's not just you! http://www.openbsd.org looks down from here.
Posted 16th July 2014 by jggimi

You can run traceroute(8), or even have network-tools.com run one for you.
Quote:
129.128.5.194 is from Canada(CA) in region North America

TraceRoute from Network-Tools.com to 129.128.5.194 [obsd3.srv.ualberta.ca]
Hop (ms) (ms) (ms) IP Address Host name
1 5 8 0 206.123.64.46 -
2 0 0 0 64.124.196.225 xe-4-2-0.er2.dfw2.us.above.net
3 0 0 0 64.125.20.233 ae7.cr2.dfw2.us.above.net
4 0 10 0 64.125.20.205 ae8.cr1.dfw2.us.above.net
5 43 43 43 64.125.20.202 ae10.cr1.ord2.us.above.net
6 48 43 43 64.125.28.50 ae4.er1.ord7.us.above.net
7 43 43 43 64.125.13.150 above-telus.ord7.us.above.net
8 77 77 77 96.1.222.41 -
9 Timed out Timed out Timed out -
10 77 77 77 129.128.0.20 core1-gsb-asr.backbone.ualberta.ca
11 76 76 76 129.128.0.25 echa-n7k-1-core1.backbone.ualberta.ca
12 Timed out Timed out Timed out -
13 Timed out Timed out Timed out -
14 Timed out Timed out Timed out -
15 Timed out Timed out Timed out -

Trace aborted.

Last edited by jggimi; 16th July 2014 at 02:03 AM.