DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 31st July 2008
JustDoIt JustDoIt is offline
New User
 
Join Date: Jul 2008
Posts: 8
Default Problem pinging internal nic

Hi,

This is my first post here and my first install of openbsd so please overlook my ignorance.

I have setup openbsd desktop with 2 nics, internal and external.

I have enabled pf and in sysctl.conf, net.inet.ip.forwarding=1

After I SSH to this openbsd from internet, I can ping any IP on internet, any IP on the internal LAN, and I can resolve by DNS. No problems.

However, any PC on the internal LAN cannot ping the internal interface at all even though I have setup static IP with default gateway pointing to internal
interface of the openbsd.

Thoughts?
Reply With Quote
  #2   (View Single Post)  
Old 31st July 2008
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Default

Quote:
Originally Posted by JustDoIt View Post
However, any PC on the internal LAN cannot ping the internal interface at all even though I have setup static IP with default gateway pointing to internal
interface of the openbsd.
Various questions:
  • What kind of cable is being used to connect your gateway to the rest of your internal network? Straight or cross-over? How is the gateway connected to the internal network?
  • Is the internal NIC on the same subnet as the rest of the internal network?
  • What is the output of ifconfig(8)?
Given that you have two NIC's in your system, you will have to configure both. Be sure to have studied Section 6.2.1 of the FAQ:

http://openbsd.org/faq/faq6.html#Setup.if

Last edited by ocicat; 31st July 2008 at 06:47 PM.
Reply With Quote
  #3   (View Single Post)  
Old 31st July 2008
JustDoIt JustDoIt is offline
New User
 
Join Date: Jul 2008
Posts: 8
Default

Hi,

Internal nic from openbsd is connected to internal lan on an HP Procurve switch via ethernet RJ45 straight cable. The subnet is the same. Ping info attached.

Here is the ifconfig. I have overwritten the public ips with w.x.y.z

I have also included the ping from openbsd to internal address as well as external address. However, when someone from 192.168.101.50 tries to ping 192.168.101.7, request times out. The default gateway on .50 points to .7

I have had the PC rebooted few times.

It is as if connection of openbsd is hidden, no mac or arp.

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:09:6b:c3:40:6b
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet w.x.y.z netmask 0xffffffe0 broadcast w.x.y.z
inet6 fe80::209:6bff:fec3:406b%fxp0 prefixlen 64 scopeid 0x1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:30:bd:bb:24:e3
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.101.7 netmask 0xffffff00 broadcast 192.168.101.255
inet6 fe80::230:bdff:febb:24e3%rl0 prefixlen 64 scopeid 0x2
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:50:da:b1:29:4a
media: Ethernet autoselect (none)
status: no carrier
inet 172.16.33.7 netmask 0xffffff00 broadcast 172.16.33.255
inet6 fe80::250:daff:feb1:294a%xl0 prefixlen 64 scopeid 0x3
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
groups: pflog


PING 192.168.101.50 (192.168.101.50): 56 data bytes
64 bytes from 192.168.101.50: icmp_seq=0 ttl=128 time=0.296 ms
64 bytes from 192.168.101.50: icmp_seq=1 ttl=128 time=0.133 ms
64 bytes from 192.168.101.50: icmp_seq=2 ttl=128 time=0.131 ms

# ping www.cuil.com
PING www.cuil.com.akadns.net (67.218.99.201): 56 data bytes
64 bytes from 67.218.99.201: icmp_seq=0 ttl=228 time=107.052 ms
64 bytes from 67.218.99.201: icmp_seq=1 ttl=228 time=112.580 ms
64 bytes from 67.218.99.201: icmp_seq=2 ttl=228 time=122.374 ms
Reply With Quote
  #4   (View Single Post)  
Old 31st July 2008
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Default

Various comments:
  • Wrapping command output with code tags ([code] before, & [/code] afterwards...) preserves indentation. This makes life easier for your readers.
  • It appears that you have three interfaces, fxp0, rl0, & xl0. I'm guessing from your discourse that fxp0 is your external interface. rl0 appears to be on the same subnet as what you mention is your internal network. xl0 doesn't appear to be connected at all. Assuming rl0 is your intended internal interface, how are you configuring this interface? Through /etc/hostname.rl0? If so, post the contents of this file.
  • When you ping internally, are you pinging by IP address or by DNS name? If the latter, you may want to look at your DNS settings.
  • Post the results of pinging the internal interface from one of your internal hosts by IP address.

Last edited by ocicat; 31st July 2008 at 07:28 PM.
Reply With Quote
  #5   (View Single Post)  
Old 31st July 2008
JustDoIt JustDoIt is offline
New User
 
Join Date: Jul 2008
Posts: 8
Default

Hi,

Yes, I didn't realize the formatting and then it was too late.

xl0 is supposed to be DMZ but I haven't gotten that far and so its not connected.

rl0 is the internal interface. Its configured via hostname.rl0

The internal ping is via IP address only.

Code:
# less hostname.rl0
inet 192.168.101.7 255.255.255.0 NONE

Pinging 192.168.101.7 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.101.7:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Reply With Quote
  #6   (View Single Post)  
Old 31st July 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,020
Default

The interface appears to be up and active.

It is possible this is a routing problem. On your internal network, issue a "$ route -n show -inet" (or its equivalent on that OS) and see how you might reach the 192.168.101/24 subnet. On the OpenBSD host, issue that command and see what it tells you, too.

It is possibly a misconfigured subnet -- for example, inadvertantly plugging in a cable from the 100/24 subnet and thinking it was a cable belonging to the 101/24 subnet.

Why do I suggest these possibilities? The NIC shows "active" -- meaning the NIC is reporting Ethernet frames are going back and forth. But IP frames don't seem to be moving properly.
Reply With Quote
  #7   (View Single Post)  
Old 2nd August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Default

Turn off pf and try your test again.
__________________
Network Firefighter
Reply With Quote
  #8   (View Single Post)  
Old 2nd August 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 8,020
Default

/me slaps forehead; having missed the obvious.

Great idea, danno!
Reply With Quote
  #9   (View Single Post)  
Old 4th August 2008
JustDoIt JustDoIt is offline
New User
 
Join Date: Jul 2008
Posts: 8
Default

Thank you very much for the 2 suggestions. I will turn off the PF first and see and if still no luck, look at the physical cabling/switch.

Will provide update when done.
Reply With Quote
Old 4th August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Default

To put a finer point on it-it can't be the cabling. If you can repeatedly successfully ping in one direction, you are still getting a successful two-way communication, meaning the transmit/receive pairs on the cabling throughout the path are working properly. It might possibly be a switch issue, but I would consider that a very low probability on a managed switch (you'd have to have acl filters on a managed switch that specifically blocked this communication) and close to impossible on an unmanaged switch (unless it's crashing- in which case, reboot it. )
__________________
Network Firefighter

Last edited by ai-danno; 4th August 2008 at 02:29 PM. Reason: trying to be more accurate
Reply With Quote
Old 9th August 2008
JustDoIt JustDoIt is offline
New User
 
Join Date: Jul 2008
Posts: 8
Default

Thank you for your advice.

I visited the site today and rebooted the box. Noticed in the startup script that it had errors in pf and pf wasn't loaded. Turned off the PF and everything worked. Now I can ping from the firewall as well as from the internal LAN and resolve by DNS.

However, I can't browse the internet from the desktop. I use logmein on the desktop and that doesn't connect to its host on the internet either.

Thank you in advance.
Reply With Quote
Old 9th August 2008
ai-danno's Avatar
ai-danno ai-danno is offline
Spam Deminer
 
Join Date: May 2008
Location: Boca Raton, Florida
Posts: 284
Default

Sounds like you'll need NAT. If the public interface of the OBSD box is an actual public IP address, then something's going to need to translate the private IP address of your desktop, and that something is going to be the OBSD box.

This, of course, means a return to pf as that's where NAT translation is done in OBSD.
__________________
Network Firefighter
Reply With Quote
Old 9th August 2008
JustDoIt JustDoIt is offline
New User
 
Join Date: Jul 2008
Posts: 8
Default

Ok, I will re read the pf man pages and give it a try tomorrow.
Reply With Quote
Old 9th August 2008
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Default

Quote:
Originally Posted by JustDoIt View Post
Ok, I will re read the pf man pages...
One of the better tutorials on PF is Hansteen's which can be found at the following:

http://home.nuug.no/~peter/pf/
Reply With Quote
Old 18th August 2008
JustDoIt JustDoIt is offline
New User
 
Join Date: Jul 2008
Posts: 8
Default

Hi,

I spent some time going through the tutorial. First I got confused in the single machine setup and then realized what I was doing was setting up a system
with 2 network cards so went onto to read the next segment with NAT.

However, understanding the example as is, the config doesn't work.

I can ping by IP and resolve DNS from any machine on the internal network but can't web browse.

Then I stumbled upon another tutorial on the openbsd.org site and read a tiny statement which said, "simplify your life and choose to filter traffic in only
one direction."

Now I am quite muddled and not even sure what approach to take.
Reply With Quote
Old 18th August 2008
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,319
Default

Quote:
Originally Posted by JustDoIt View Post
I can ping by IP and resolve DNS from any machine on the internal network but can't web browse.
...which implies that you are filtering traffic destined for port 80. This assumes that you can browse when PF is disabled.
Quote:
Now I am quite muddled and not even sure what approach to take.
For us to be able to help, you will need to post your ruleset.
Reply With Quote
Old 19th August 2008
JustDoIt JustDoIt is offline
New User
 
Join Date: Jul 2008
Posts: 8
Default

Hi, thank you again.

Here is the config:

Code:
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
outside = "fxp0"
inside = "rl0"
dmz = "xl0"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s, auth, http, https }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
local_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 }"
localnet = $inside:network
client_out = "{ ftp-data, ftp, www, pop3s,  ssh, domain, pop3, auth, nntp,\
                 http, https, smtp, 3389 }"


# options

# scrub
scrub in all

# nat/rdr
nat on $outside from $localnet to any -> $outside
#rdr on $outside proto tcp from any to 198.133.219.25 port 3389 -> 192.168.101.11 port 5405

# filter rules
block all
pass quick inet proto { tcp, udp } to any port $udp_services
pass inet proto tcp from $localnet to any port $client_out keep state
#pass out proto tcp to any port $tcp_services keep state
#pass proto udp to any port $udp_services keep state
pass in inet proto tcp from any to any port ssh
pass inet proto icmp all icmp-type $icmp_types keep state

#pass from { lo0, $localnet } to any keep state
#pass inet proto icmp all icmp-type $icmp_types keep state

#pass inet proto icmp icmp-type $icmp_types from $localnet to any keep state
#pass inet proto icmp icmp-type $icmp_types from any to $outside keep state
#pass inet proto tcp from $localnet to any keep state
#pass inet proto udp from $localnet to any keep state
#pass in inet proto tcp from any to any port ssh
#pass quick inet proto { tcp, udp } to any port $udp_services
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Routing internal requests to external IPs jdude FreeBSD General 1 9th July 2009 07:25 AM
Redirect Internal Network to Internal Website plexter OpenBSD Security 12 12th February 2009 08:00 PM
fetchmail: POP3< -ERR internal server error graudeejs FreeBSD General 3 19th July 2008 02:02 PM
NIC with internal cable; how to remove? TerryP Off-Topic 9 14th July 2008 06:33 AM
2 external NIC + 1 internal NIC AlexV FreeBSD General 7 4th June 2008 08:18 AM


All times are GMT. The time now is 08:21 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick