Static and dynamic IP addresses and PF — SOLVED

[mefisto]

Greetings all,

when my OpenBSD laptop is at home, I have a static IP address set in /etc/hostname.if and a gateway in /etc/mygate I also have a local address set in the /etc/resove to enable unbound. In the /etc/pf.conf I define a variable for the interface

Code:

ext_if = if

When I will go on travel, I will have to switch to a DHCP, to be able to connect to the host network. How do I deal with the switch? Is there an automatic or semi-automatic manner of doing it, so that I do not have to load a different /etc/pf.conf and my /etc/resove is not rewritten by the DHCP server?

Kindest regard,

M

[jggimi]

The easiest way is to have a DHCP server on your home network. I use dhcpd(8), as it is built-in. Ethernet MAC addresses can be assigned static IP addresses, so my laptop can have an effective static address even though it is assigned with autoconfiguration.

[J65nko]

This is an example from my dhcpd configuration file, that shows how to assign a fixed IP address.

Code:

        host hercules {
                # Realtek re NIC on AMD64 box
                hardware ethernet 00:19:db:47:b0:4c ;
                fixed-address 192.168.222.20 ;
        }

The hardware ethernet address is displayed by ifconfig(1) as Link Level Address (lladr).
Example from another computer:

Code:

ifconfig bge0           
bge0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr a0:1d:48:97:5b:74
        index 1 priority 0 llprio 3
        groups: egress
        [snip]

[mefisto]

Hi jggimi, J65nko,

thank you very much, that is a very elegant solution.

Can you also advise on the remaining two question, i.e., how d I deal with the identification of the interface in /etc/pf.conf and the /etc.resolv?

Regarding the latter, would something like supersede command in/etc/dhclient.conf work?

Kindest regards,

M

[jggimi]

In PF, an interface that is subject to changing addresses is denoted by surrounding the interface in parentheses, as described in the PF User's Guide and the pf.conf(5) man page. You'll find an example of the egress interface group surrounded by parentheses in /etc/examples/pf.conf, also.

Your resolv.conf(5) configuration should be either fully or semi-automated through dhcpleased(8). I happen to use unwind(8) as a resolver in my laptop, so I only have 3 lines in the file:

Code:

nameserver 127.0.0.1 # resolvd: unwind
lookup file bind
family inet6 inet

The first line is inserted by dhcpleased(8). The second and third lines are my own provisioning. I prefer /etc/hosts to resolve some specific machine names rather than using nameservers for them, and I prefer IPv6 over IPv4 when resolving from nameservers.

[mefisto]

Hi jggimi,

I did not ask the question correctly. I understand how to deal with potentially changing IP address.

However, my question is as follows. In order to facilitate different, at this point, wired interfaces, I have defined a variable in /etc/pf.conf, e.g.,

Code:

ext_if = msk0

I know the name of the interface from the ifconfig command.

If I were to use a dhcp server, as you and J65nko suggested, and change from the static address configured by the dhcp server on the msk0 interface to a dynamic address assigned by the host dhcp server to the e.g., ath0, how do I make the /etc/pf.conf aware that the interface has changed?

Can I do something like

Code:

ext_if = "{ msk0, ath0 }"

Actually, this is not an acceptable solution, what if I waned to use the mks0 as an internal interface.

Thank you for pointing me to the dhcpleased(8) will read about it.

Kindest regards,

M

[jggimi]

There are two methods.

1. Use the egress interface group, mentioned above.
2. Use a trunk(4) pseudo device with the failover protocol, provisioning both your wired and wireless NICs as member interfaces. There is an example of provisioning active roaming between wired and wireless networks with the failover protocol in the trunk(4) man page. If provisioned with a trunk(4), you can define the trunk(4) interface in your filter rule set.

[mefisto]

Hi jggimi,

thank you very much for the suggestion.

I did read about the egress interface, but the definition is rather confusing. From: https://www.openbsd.org/faq/pf/filter.html

Quote:

The egress group, which contains the interface(s) that holds the default route(s).

Thus, let us assume that there are two interfaces. A dhcp server assignes IP address to both interfaces. Which one is "holding the default route"?

Maybe the fail-over is a better approach?

Kindest regards,

M

[jggimi]

If there are two interfaces with default routes -- both interfaces will be members of the egress group. if you create a trunk to manage both interfaces with a single IP address, only the trunk will be a member of the egress group.


Sometimes you can't readily use a failover trunk, such as when wired and wireless are on separate subnets.

[mefisto]

Hi jggimi,

thank you for clarifying the differences.

Kindest regards,

M

P.S. On a slightly different subject, is there a way to amend the thread title, e.g., to SOLVED?

[jggimi]

Edit the top post, then click on "Go Advanced" and you should be able to edit the title.

[mefisto]

Hi jggimi,

thank you, done.

Kindest regards,

M

[jggimi]

It changed the title of the top post...but it didn't change the thread title. I am unsure if we users have the authority to do that.