Problem pinging internal nic
Hi,
This is my first post here and my first install of OpenBSD, so please overlook my ignorance. I have set up an OpenBSD desktop with 2 NICs, internal and external. I have enabled pf and, in sysctl.conf, net.inet.ip.forwarding=1. After I SSH to this OpenBSD box from the internet, I can ping any IP on the internet, any IP on the internal LAN, and I can resolve by DNS. No problems. However, any PC on the internal LAN cannot ping the internal interface at all, even though I have set up a static IP with the default gateway pointing to the internal interface of the OpenBSD box. Thoughts?
http://openbsd.org/faq/faq6.html#Setup.if
Last edited by ocicat; 31st July 2008 at 06:47 PM.
Hi,
The internal NIC of the OpenBSD box is connected to the internal LAN on an HP ProCurve switch via a straight RJ45 Ethernet cable. The subnet is the same. Ping info attached. Here is the ifconfig; I have overwritten the public IPs with w.x.y.z. I have also included the ping from OpenBSD to an internal address as well as an external address. However, when someone from 192.168.101.50 tries to ping 192.168.101.7, the request times out. The default gateway on .50 points to .7. I have had the PC rebooted a few times. It is as if the OpenBSD connection is hidden: no MAC or ARP.
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:09:6b:c3:40:6b
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet w.x.y.z netmask 0xffffffe0 broadcast w.x.y.z
        inet6 fe80::209:6bff:fec3:406b%fxp0 prefixlen 64 scopeid 0x1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:bd:bb:24:e3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.101.7 netmask 0xffffff00 broadcast 192.168.101.255
        inet6 fe80::230:bdff:febb:24e3%rl0 prefixlen 64 scopeid 0x2
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:da:b1:29:4a
        media: Ethernet autoselect (none)
        status: no carrier
        inet 172.16.33.7 netmask 0xffffff00 broadcast 172.16.33.255
        inet6 fe80::250:daff:feb1:294a%xl0 prefixlen 64 scopeid 0x3
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog

PING 192.168.101.50 (192.168.101.50): 56 data bytes
64 bytes from 192.168.101.50: icmp_seq=0 ttl=128 time=0.296 ms
64 bytes from 192.168.101.50: icmp_seq=1 ttl=128 time=0.133 ms
64 bytes from 192.168.101.50: icmp_seq=2 ttl=128 time=0.131 ms

# ping www.cuil.com
PING www.cuil.com.akadns.net (67.218.99.201): 56 data bytes
64 bytes from 67.218.99.201: icmp_seq=0 ttl=228 time=107.052 ms
64 bytes from 67.218.99.201: icmp_seq=1 ttl=228 time=112.580 ms
64 bytes from 67.218.99.201: icmp_seq=2 ttl=228 time=122.374 ms
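As an added example (not from the thread, and not OpenBSD's own tooling), here is a small POSIX shell helper that reads the address and hex netmask pairs ifconfig prints and reports which interface, if any, a LAN host is on-link for. The ifconfig text embedded in it is a constructed sample built from the rl0 and xl0 lines above; the host addresses are the ones in the thread. If .50 turns out to be on-link for rl0 and still cannot reach .7, addressing is ruled out, and the next checks are the ARP table on both ends and the packet filter on the box.

```shell
#!/bin/sh
# Added example, not from the thread.  Given the address/netmask pairs that
# OpenBSD's ifconfig prints (hex netmask form, as in the output above), say
# which interface, if any, a LAN host is on-link for.

# Constructed sample: the rl0 and xl0 address lines from the thread together
# with the interface headers they belong to.
SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:bd:bb:24:e3
        inet 192.168.101.7 netmask 0xffffff00 broadcast 192.168.101.255
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 172.16.33.7 netmask 0xffffff00 broadcast 172.16.33.255'

# ip_to_int A.B.C.D -> the address as one unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# on_link HOST [IFCONFIG_TEXT]: print the first interface whose subnet
# contains HOST, or "none".  Defaults to the sample above; on the gateway
# itself pass "$(ifconfig)" as the second argument.
on_link() {
    host_int=$(ip_to_int "$1")
    text=${2:-$SAMPLE_IFCONFIG}
    found=$(printf '%s\n' "$text" |
        awk '/^[a-z]+[0-9]+:/ { ifn = $1; sub(":$", "", ifn) }
             /^[ \t]*inet / { print ifn, $2, $4 }' |
        while read -r ifn addr mask; do
            addr_int=$(ip_to_int "$addr")
            # mask arrives as 0xffffff00; shell arithmetic reads hex directly
            if [ $(( host_int & mask )) -eq $(( addr_int & mask )) ]; then
                echo "$ifn"
                break
            fi
        done)
    echo "${found:-none}"
}

on_link 192.168.101.50   # rl0: same subnet as the inside interface
on_link 10.0.0.1         # none: no directly connected interface
```

On the gateway itself, `on_link 192.168.101.50 "$(ifconfig)"` uses the live interface list instead of the sample.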
Various comments:
Last edited by ocicat; 31st July 2008 at 07:28 PM.
Hi,
Yes, I didn't realize the formatting and then it was too late. xl0 is supposed to be the DMZ but I haven't gotten that far, so it's not connected. rl0 is the internal interface. It's configured via hostname.rl0. The internal ping is via IP address only.
Code:
# less hostname.rl0
inet 192.168.101.7 255.255.255.0 NONE

Pinging 192.168.101.7 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.101.7:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Thank you very much for the 2 suggestions. I will turn off the PF first and see and if still no luck, look at the physical cabling/switch.
Will provide update when done.
To put a finer point on it: it can't be the cabling. If you can repeatedly successfully ping in one direction, you are still getting successful two-way communication, meaning the transmit/receive pairs on the cabling throughout the path are working properly. It might possibly be a switch issue, but I would consider that a very low probability on a managed switch (you'd have to have ACL filters on a managed switch that specifically blocked this communication) and close to impossible on an unmanaged switch (unless it's crashing, in which case reboot it.)
__________________
Network Firefighter
Last edited by ai-danno; 4th August 2008 at 02:29 PM. Reason: trying to be more accurate
Thank you for your advice.
I visited the site today and rebooted the box. Noticed in the startup script that it had errors in pf and pf wasn't loaded. Turned off the PF and everything worked. Now I can ping from the firewall as well as from the internal LAN and resolve by DNS. However, I can't browse the internet from the desktop. I use logmein on the desktop and that doesn't connect to its host on the internet either. Thank you in advance.
Sounds like you'll need NAT. If the public interface of the OBSD box is an actual public IP address, then something's going to need to translate the private IP address of your desktop, and that something is going to be the OBSD box.
This, of course, means a return to pf as that's where NAT translation is done in OBSD.
__________________
Network Firefighter
Ok, I will re-read the pf man pages and give it a try tomorrow.
One of the better tutorials on PF is Hansteen's which can be found at the following:
http://home.nuug.no/~peter/pf/
Hi,
I spent some time going through the tutorial. First I got confused in the single-machine setup, and then realized what I was doing was setting up a system with 2 network cards, so I went on to read the next segment with NAT. However, understanding the example as is, the config doesn't work. I can ping by IP and resolve DNS from any machine on the internal network but can't web browse. Then I stumbled upon another tutorial on the openbsd.org site and read a tiny statement which said, "simplify your life and choose to filter traffic in only one direction." Now I am quite muddled and not even sure what approach to take.
Hi, thank you again.
Here is the config:
Code:
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
outside = "fxp0"
inside = "rl0"
dmz = "xl0"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, auth, http, https }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
local_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"
localnet = $inside:network
client_out = "{ ftp-data, ftp, www, pop3s, ssh, domain, pop3, auth, nntp,\
 http, https, smtp, 3389 }"

# options

# scrub
scrub in all

# nat/rdr
nat on $outside from $localnet to any -> $outside
#rdr on $outside proto tcp from any to 198.133.219.25 port 3389 -> 192.168.101.11 port 5405

# filter rules
block all
pass quick inet proto { tcp, udp } to any port $udp_services
pass inet proto tcp from $localnet to any port $client_out keep state
#pass out proto tcp to any port $tcp_services keep state
#pass proto udp to any port $udp_services keep state
pass in inet proto tcp from any to any port ssh
pass inet proto icmp all icmp-type $icmp_types keep state
#pass from { lo0, $localnet } to any keep state
#pass inet proto icmp all icmp-type $icmp_types keep state
#pass inet proto icmp icmp-type $icmp_types from $localnet to any keep state
#pass inet proto icmp icmp-type $icmp_types from any to $outside keep state
#pass inet proto tcp from $localnet to any keep state
#pass inet proto udp from $localnet to any keep state
#pass in inet proto tcp from any to any port ssh
#pass quick inet proto { tcp, udp } to any port $udp_services
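ai-danno's point that the box needs NAT and the pf.conf posted just above come down to the same shape of ruleset, so here is one added example for both. It is written for this thread; it is not the poster's config, not Hansteen's tutorial and not OpenBSD's own file. It is a POSIX shell script that writes a minimal two-interface NAT gateway ruleset in the pre-4.7 syntax used in this thread and parse-checks it with pfctl -nf, the step that would have caught the load errors that showed up in the boot messages earlier in the thread. Interface names follow the thread (fxp0 outside, rl0 inside); the scratch file path and the function names are my own. One caveat from pf.conf(5) of that era matters for the posted config: translation is applied before filtering, so on the outside interface an outbound packet already carries the public source address, and a rule written "from $localnet" cannot match it there, whereas the DNS and ICMP rules in the posted file carry no "from" restriction. The example therefore decides what the LAN may do on the inside interface and lets state-tracked traffic out on every interface.

```shell
#!/bin/sh
# Added example, not from the thread.  Writes a minimal two-interface NAT
# gateway ruleset in pre-4.7 pf syntax and parse-checks it with "pfctl -nf"
# before it can be loaded.  Interface names follow the thread (fxp0 outside,
# rl0 inside); file path and function names are assumptions.

write_gateway_conf() {
    # $1: file to write (a scratch path while testing, /etc/pf.conf when happy)
    cat > "$1" <<'EOF'
# macros
ext_if = "fxp0"
int_if = "rl0"
localnet = $int_if:network
icmp_types = "{ echoreq, unreach }"

# normalisation
scrub in all

# nat: rewrite LAN source addresses to the outside address as packets leave
nat on $ext_if from $localnet to any -> ($ext_if)

# filtering: default deny, then open only what is needed
block all
pass quick on lo0 all

# inside: accept what the LAN sends us, including pings to the gateway itself
pass in on $int_if from $localnet to any keep state

# outbound on every interface.  Translation runs before filtering, so on
# $ext_if a forwarded packet already carries the public source address and
# "from $localnet" would not match it; what the LAN may reach was decided by
# the pass in rule on $int_if.  This rule also lets the gateway's own
# connections out.
pass out keep state

# outside: the only unsolicited inbound traffic accepted from the internet
pass in on $ext_if inet proto tcp from any to $ext_if port ssh keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
EOF
}

# Parse-only load: reports syntax errors without touching the running ruleset.
# Returns 0 (clean), 1 (errors), or 2 when pfctl is not on this machine.
check_conf() {
    command -v pfctl >/dev/null 2>&1 || return 2
    pfctl -nf "$1"
}

# Number of effective (non-comment, non-blank) lines; a quick way to confirm
# an edit did not comment out more than intended.
active_line_count() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

main() {
    conf=${1:-${TMPDIR:-/tmp}/pf.conf.candidate}
    write_gateway_conf "$conf"
    echo "wrote $conf ($(active_line_count "$conf") active lines)"
    rc=0
    check_conf "$conf" || rc=$?
    case $rc in
        0) echo "parses cleanly; enable with: pfctl -e -f $conf" ;;
        2) echo "pfctl not found here; on the gateway run: pfctl -nf $conf" ;;
        *) echo "fix the errors above before enabling pf" ;;
    esac
}

main "$@"
```

Run it on the gateway as root, or run it anywhere and copy the generated file over; the script itself never loads anything, it only writes the candidate file and asks pfctl to parse it.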