Wifi with atheros chipset AR9280

[sws]

Hi,

I am trying to get a wifi access point running on my SOHO-server, OpenBSD 4.8, Netfinity 3000. The server acts as a gateway and firewall to a dsl-router. IP is 192.1687.0.20. Connection to the internet passes through OpenVPN (tun0). The intranet is configured with subnet 192.168.0.0. So nothing really strange there (I hope).

Card TP-Link TL-WN851N is recognized on system bootup:

Quote:

athn0 at pci0 dev 16 function 0 "Atheros AR9280" rev 0x01: irq 11, address 74:ea:3a:f3:05:39
athn0: AR9280 rev 2 (2T2R), ROM rev 16

Configuring device works as well in /etc/hostname.athn0:

Quote:

up media autoselect mediaopt hostap mode 11g chan 11 nwid FreiKINO wpa wpapsk $(wpa-psk FreiKINO password)
inet 192.168.0.50

Device can be seen up and running:
# ifconfig athn0:

Quote:

athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 74:ea:3a:f3:05:39
priority: 4
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: active
ieee80211: nwid FreiKINO chan 11 bssid 74:ea:3a:f3:05:39 wpapsk xxxxxxxxx wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
inet6 fe80::76ea:3aff:fef3:539%athn0 prefixlen 64 scopeid 0x2
inet 192.168.0.50 netmask 0xffffff00 broadcast 192.168.0.255

To connect devices coming in from the access point I configured a dhcpd server pointing on the wifi device athn0.

My /etc/dhcpd.conf:

Quote:

option domain-name "my.net";
option domain-name-servers xxx.xxx.xxx.xxx;
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.20;
range 192.168.0.100 192.168.0.150;
}

But now problems arise:

1. I cannot ping the wifi card. And it doesn't matter if dhcpd is running or not.

Quote:

ping: sendto: Host is down
ping: wrote 192.168.0.50 64 chars, ret=-1
--- 192.168.0.50 ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss

2. Every time I start dhcpd

# dhcpd athn0

it tries to give IP-Adresses to every network device on the net. Thus my openvpn connection breaks down and routing dies.

Where is the missing link? Any help appreciated.

Greets,
Sebastian

[sws]

Hi,

here are some logs that might help.

1. When I start dhcpd I get
# tail -f /var/log/messages

Quote:

Mar 10 14:18:03 serv /bsd: arp: attempt to add entry for 192.168.0.110 on ne3 by 2c:d2:e7:5d:ee:bd on athn0
Mar 10 14:18:34 serv last message repeated 5 times

I don't know what this means. Device "ne3" is the internal ethernet card of the SOHO server, the hardware adress belongs to my mobile. I start dhcpd with option athn0
# dhcpd athn0

2. When I try to connect my mobile with the wifi card and attempt to get into the internet:
# tcpdump -i athn0

Quote:

tcpdump: listening on athn0, link-type EN10MB
14:18:03.544506 arp who-has 192.168.0.50 tell 192.168.0.110
14:18:28.899839 74:ea:3a:f3:05:39 2c:d2:e7:5d:ee:bd 888e 113:
0103 005f 0200 8a00 1000 0000 0000 0000
0068 80c2 744e 6633 ab4b 91a3 7c4c 2f65
5f63 c4c0 7b89 4b61 3f43 937c dbcd 362e
a100 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 00
14:18:28.907297 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 888e 135:
0103 0075 0201 0a00 0000 0000 0000 0000
0051 5e26 a211 71f9 32e2 ccd6 ecaa 4853
aeb0 2736 b66d 927c 8d76 d284 c85f 4d8e
eb00 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
00e5 94a7 f59d b415 08f5 10c2 4df9 6633
4b00 1630 1401
14:18:28.907690 74:ea:3a:f3:05:39 2c:d2:e7:5d:ee:bd 888e 193:
0103 00af 0213 ca00 1000 0000 0000 0000
0168 80c2 744e 6633 ab4b 91a3 7c4c 2f65
5f63 c4c0 7b89 4b61 3f43 937c dbcd 362e
a100 0000 0000 0000 0000 0000 0000 0000
0044 0400 0000 0000 0000 0000 0000 0000
004e fb9a a385 6355 4265 a7df 57af 106c
0200 50b2 3ba8
14:18:28.913429 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 888e 113:
0103 005f 0203 0a00 0000 0000 0000 0000
0100 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
00a6 55f4 3f6d 9882 5bf0 dca1 b7a1 8422
9200 00
14:18:29.118715 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xa0977c1d [|bootp]
14:18:29.121130 192.168.0.50.bootps > 192.168.0.110.bootpc: xid:0xa0977c1d Y:192.168.0.110 S:192.168.0.50 [|bootp] [tos 0x10]
14:18:29.151718 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xa0977c1d [|bootp]
14:18:29.154352 192.168.0.50.bootps > 192.168.0.110.bootpc: xid:0xa0977c1d Y:192.168.0.110 S:192.168.0.50 [|bootp] [tos 0x10]
14:18:29.171301 arp who-has 192.168.0.110 tell 0.0.0.0
14:18:29.480352 :: > ff02::1:ff5d:eebd: icmp6: neighbor sol: who has fe80::2ed2:e7ff:fe5d:eebd
14:18:29.480427 :: > ff02::2: icmp6: router solicitation
14:18:30.709891 arp who-has soho.server tell 192.168.0.110
14:18:31.715291 arp who-has soho.server tell 192.168.0.110
14:18:32.715646 arp who-has soho.server tell 192.168.0.110
14:18:33.497189 fe80::2ed2:e7ff:fe5d:eebd > ff02::2: icmp6: router solicitation
14:18:33.732074 arp who-has soho.server tell 192.168.0.110
14:18:34.747433 arp who-has soho.server tell 192.168.0.110
14:18:35.748244 arp who-has soho.server tell 192.168.0.110
14:18:37.522659 fe80::2ed2:e7ff:fe5d:eebd > ff02::2: icmp6: router solicitation
14:18:38.756757 arp who-has soho.server tell 192.168.0.110
14:18:39.772456 arp who-has soho.server tell 192.168.0.110
14:18:40.782082 arp who-has soho.server tell 192.168.0.110
14:18:43.775666 arp who-has soho.server tell 192.168.0.110
14:18:44.076349 fe80::2ed2:e7ff:fe5d:eebd.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
14:18:44.791234 arp who-has soho.server tell 192.168.0.110
14:18:45.806167 arp who-has soho.server tell 192.168.0.110
14:18:48.662208 fe80::2ed2:e7ff:fe5d:eebd.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
14:18:48.796187 arp who-has soho.server tell 192.168.0.110
14:18:49.807932 arp who-has soho.server tell 192.168.0.110
14:18:50.826026 arp who-has soho.server tell 192.168.0.110
14:18:52.622211 fe80::2ed2:e7ff:fe5d:eebd.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
14:18:53.811382 arp who-has soho.server tell 192.168.0.110
14:18:54.829966 arp who-has soho.server tell 192.168.0.110
14:18:55.841922 arp who-has soho.server tell 192.168.0.110
14:18:58.832955 arp who-has soho.server tell 192.168.0.110
14:18:59.847190 arp who-has soho.server tell 192.168.0.110
14:19:00.853934 arp who-has soho.server tell 192.168.0.110
14:19:01.172546 fe80::2ed2:e7ff:fe5d:eebd.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
14:19:03.847744 arp who-has soho.server tell 192.168.0.110
14:19:04.863932 arp who-has soho.server tell 192.168.0.110
14:19:05.869064 arp who-has soho.server tell 192.168.0.110
14:19:13.855765 arp who-has soho.server tell 192.168.0.110
14:19:14.879309 arp who-has soho.server tell 192.168.0.110
14:19:15.893451 arp who-has soho.server tell 192.168.0.110
14:19:18.871098 arp who-has soho.server tell 192.168.0.110
14:19:19.891966 arp who-has soho.server tell 192.168.0.110
14:19:20.895981 arp who-has soho.server tell 192.168.0.110
14:19:26.071205 fe80::2ed2:e7ff:fe5d:eebd.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
14:20:39.091261 fe80::2ed2:e7ff:fe5d:eebd.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
14:20:46.081491 arp who-has 192.168.0.50 tell 192.168.0.110

Hope this helps a bit more.

Greets,
Sebastian

[J65nko]

Quote:

P is 192.1687.0.20. Connection to the internet passes through OpenVPN (tun0). The intranet is configured with subnet 192.168.0.0. So nothing really strange there (I hope).

I am not sure whether I understand you correctly,
But if you have both the external interface and internal interface on 192.168.0.0/24 then this is not correct for the BSDs. The external interface needs to be on another subnet than the internal one.

What is the output of

Code:

# ifconfig -A

on the firewall/server?

[sws]

Yes that's right:
the internal device is subnet 192.168.0.0,
the external device is subnet 192.168.178.0

Here are the complete network interfaces (sorry for the bad format):
# ifconfig -A

Code:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:06:29:12:fd:a4
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::206:29ff:fe12:fda4%fxp0 prefixlen 64 scopeid 0x1
        inet 192.168.178.21 netmask 0xffffff00 broadcast 192.168.178.255

athn0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 74:ea:3a:f3:05:39
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect mode 11g hostap
        status: active
        ieee80211: nwid FreiKINO chan 11 bssid 74:ea:3a:f3:05:39 wpapsk xxxxxxxx  wpaprotos
        wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip
        inet6 fe80::76ea:3aff:fef3:539%athn0 prefixlen 64 scopeid 0x2
        inet 192.168.0.50 netmask 0xffffff00 broadcast 192.168.0.255

ne3: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:20:18:3c:12:55
        priority: 0
        media: Ethernet autoselect (10baseT)
        inet 192.168.0.20 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::220:18ff:fe3c:1255%ne3 prefixlen 64 scopeid 0x3

enc0: flags=0<>
        priority: 0
        groups: enc
        status: active

pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: tun
        status: active
        inet 10.0.xx.xx --> 10.0.xx.xx netmask 0xffffffff

Oh and by the way: nat from wifi interface to external interface is activated in pf also (thanks for your hint in the signature )

Greets,
Sebastian

[BSDfan666]

The athn(4) driver has seen a lot of changes since 4.7/4.8, especially in the area of hostap support.

You should try a 4.9-current snapshot or wait for the 4.9 release.

[J65nko]

The ne3 and athn0 still share the same subnet.

Put the athn0 on a 10.0.0.0/24 subnet, adjust the dhcpd.conf accordingly and retry

[sws]

O.K., I changed the IP of athn0 interface to 10.0.0.1 . Now I can ping the interface, so there is some progress.
But the rest stays the same: no connection to the intranet or the internet. But maybe tcpdump gives a hint: the IP from the vpn interface shows up in the logs:

# tcpdump -i athn0

Code:

tcpdump: listening on athn0, link-type EN10MB
17:22:36.121158 arp who-has soho.server tell 10.0.0.10
17:22:36.121240 10.0.xx.xx > 10.0.0.10: icmp: echo request
17:22:37.132500 arp who-has soho.server tell 10.0.0.10
17:22:38.131048 arp who-has soho.server tell 10.0.0.10
17:22:39.146774 arp who-has soho.server tell 10.0.0.10
17:22:40.163006 arp who-has soho.server tell 10.0.0.10
17:22:41.179724 arp who-has soho.server tell 10.0.0.10
17:22:44.164080 arp who-has soho.server tell 10.0.0.10
17:22:45.180205 arp who-has soho.server tell 10.0.0.10
17:22:46.196245 arp who-has soho.server tell 10.0.0.10
17:22:49.184902 arp who-has soho.server tell 10.0.0.10

10.0.xx.xx. is the IP for tun0 interface dynamically given by the openvpn server. Default route of the SOHO server is the external interface towards the dsl box: 192.168.178.1 . IP for "soho.server" is assigned 192.168.0.20 . So maybe there is a routing problem?

@ BSDfan666
I am running 4.8-release. Would an upgrade with the lastest snapshot be sufficiant? Never did this before. Had a look at FAQ 5 already. Should work like an upgrade to the next release without upgrade hints from one release to the other, right? And where do I find info about changes from 4.8-release to 4.9-snapshot?

Greets,
Sebastian

[J65nko]

What is the output of

Code:

$ sysctl -a | grep ip.forward
net.inet.ip.forwarding=0

?

In my case it is off, which is OK for a workstation. For a router you need to turn this on, by uncommenting the following line from /etc/sysctl.conf and reboot:

Code:

#net.inet.ip.forwarding=1       # 1=Permit forwarding (routing) of IPv4 packets

To make things easier to debug you could turn of OpenVPN first, get things working without it first, and then add it again.

[sws]

net.inet.ip.forwarding=1, always was.
Turning off openvpn is an option but here it's 11 pm now so I will try tomorrow .

Till then,
Sebastian

[sws]

I deactivated openvpn but no progress. Smae results (none) and instead of IP from tun0 interface it just says "noname":

Code:

06:21:19.582009 arp who-has serv.kesslar.de tell 10.0.0.10
06:21:19.582089 noname > 10.0.0.10: icmp: echo request
06:21:20.591469 arp who-has serv.kesslar.de tell 10.0.0.10

While trying to connect mobile stops again with message "invalid server name".

I have no more clues so far. For me it seems as a driver problem indeed. Maybe I should try upgrading to newest snapshot.

Greets,
Sebastian

[J65nko]

Some tcpdump tips:

If you add the -e option like in tcpdump -eni re0 then the MAC addresses are shown:

Code:

10:00:07.092146 00:19:db:47:b0:4c ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.11 tell 192.168.222.20
10:00:07.092359 00:08:c7:05:ca:0b 00:19:db:47:b0:4c 0806 60: arp reply 192.168.222.11 is-at 00:08:c7:05:ca:0b

Usually that makes you understand the arp traffic better

By using the -n option you will prevent tcpdump from doing reverse DNS lookups (IP nr -> symbolic name), that will pollute tpcdump's output.
You can increase verbosity by using -vv and by setting the snap length with -s 1500 you can see the complete protocol info.
For example this from a (repeated, forgot the -s 1500 the first time) dhclient request:

Code:

10:25:34.948816 00:20:ed:25:f1:ac ff:ff:ff:ff:ff:ff 0800 342: 192.168.222.249.68 > 255.255.255.255.67: [udp sum ok] xid:0x85375eaa vend-rfc1048 RQ:192.168.222.249 DHCP:REQUEST PR:SM+BR+TZ+DG+DN+NS+HN [tos 0x10] (ttl 16, id 0, len 328)
10:25:34.988618 00:08:c7:05:ca:0b 00:20:ed:25:f1:ac 0800 342: 192.168.222.10.67 > 192.168.222.249.68: [udp sum ok] xid:0x85375eaa Y:192.168.222.249 S:192.168.222.10 vend-rfc1048 DHCP:ACK SID:192.168.222.10 LT:36000 SM:255.255.255.0 DG:192.168.222.10 DN:"utp.xnet" NS:192.168.222.10 [tos 0x10] (ttl 16, id 0, len 328)
10:25:34.995014 00:20:ed:25:f1:ac ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.249 tell 192.168.222.249

For the 10.0.0.0 network the address of you athn0 card,10.0.0.1, should be the default gateway(router). Did you specify that in your dhcpd.conf?
You can check the default route with netstat -rn -f inet

After a mobile client got an IP address through DHCP, it should be able to ping the gateway, and the internal IP address of your server.

[sws]

This is the output of
# tcpdump -eni athn0

Code:

14:34:20.800676 2c:d2:e7:5d:ee:bd ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: xid:0x77737a38 [|bootp]
14:34:20.802631 74:ea:3a:f3:05:39 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.0.0.10 tell 10.0.0.1
14:34:20.803306 74:ea:3a:f3:05:39 2c:d2:e7:5d:ee:bd 0800 344: 10.0.0.1.67 > 10.0.0.10.68: xid:0x77737a38 Y:10.0.0.10 S:10.0.0.1 [|bootp] [tos 0x10]
14:34:20.837111 2c:d2:e7:5d:ee:bd ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: xid:0x77737a38 [|bootp]
14:34:20.850466 74:ea:3a:f3:05:39 2c:d2:e7:5d:ee:bd 0800 344: 10.0.0.1.67 > 10.0.0.10.68: xid:0x77737a38 Y:10.0.0.10 S:10.0.0.1 [|bootp] [tos 0x10]
14:34:20.858804 2c:d2:e7:5d:ee:bd ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.0.0.10 tell 0.0.0.0
14:34:22.345803 2c:d2:e7:5d:ee:bd ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.0.0.1 tell 10.0.0.10
14:34:22.345883 74:ea:3a:f3:05:39 2c:d2:e7:5d:ee:bd 0800 62: 10.0.x.x > 10.0.0.10: icmp: echo request
14:34:22.345947 74:ea:3a:f3:05:39 2c:d2:e7:5d:ee:bd 0806 42: arp reply 10.0.0.1 is-at 74:ea:3a:f3:05:39
14:34:22.350676 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 62: 10.0.0.10 > 10.0.x.x: icmp: echo reply
14:34:23.348435 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 39871+ A? www.google.de. (31)
14:34:23.350165 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 8524+ A? www.google.de. (31)
14:34:27.373638 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 8524+ A? www.google.de. (31)
14:34:31.395775 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 39871+ A? www.google.de. (31)
14:34:31.396804 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 8524+ A? www.google.de. (31)
14:34:35.410839 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 57777+ AAAA? www.google.de. (31)
14:34:36.424462 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 39871+ A? www.google.de. (31)
14:34:36.425046 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 57777+ AAAA? www.google.de. (31)
14:34:40.444990 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 57777+ AAAA? www.google.de. (31)
14:34:44.462768 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 39871+ A? www.google.de. (31)
14:34:44.463526 2c:d2:e7:5d:ee:bd 74:ea:3a:f3:05:39 0800 73: 10.0.0.10.42911 > 195.x.x.x.53: 57777+ AAAA? www.google.de. (31)

10.0.x.x is the gateway via vpn on tun0.
195.x.x.x are dns server.

Quote:

For the 10.0.0.0 network the address of you athn0 card,10.0.0.1, should be the default gateway(router). Did you specify that in your dhcpd.conf?

Yes, did that.

This is the output of
# netstat -rn -f inet

Code:

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.0.x.x           UGS        0     2562     -     8 tun0 
default            192.168.178.1      UGS        0  1067455     -     8 fxp0 
10/8               link#2             UC         1        0     -     4 athn0
10.0.0.10          link#2             UHLc       1        1     -     4 athn0
10.0.x.x/32        10.0.x.x           UGS        0        0     -     8 tun0 
10.0.x.x           10.0.x.x           UH         3        0     -     4 tun0 
82.x.x.x/32        192.168.178.1      UGS        1     5447     -     8 fxp0 
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0  
127.0.0.1          127.0.0.1          UH         3      112 33200     4 lo0  
128/1              10.0.x.x           UGS        0     2049     -     8 tun0 
192.168.0/24       link#3             UC         1        0     -     4 ne3  
192.168.0.1        1c:6f:65:80:49:a6  UHLc       3   918289     -     4 ne3  
192.168.178/24     link#1             UC         1        0     -     4 fxp0 
192.168.178.1      00:1a:4f:c1:70:51  UHLc       2       15     -     4 fxp0 
192.168.178.21     127.0.0.1          UGHS       0        0 33200     8 lo0  
224/4              127.0.0.1          URS        0        0 33200     8 lo0

10.0.x.x/24 are the IPs for vpn.
82.x.x.x is the IP assigned by openvpn server.
192.168.178.1 is the IP of the dsl box.
192.178.178.21 is the IP of the external interface (via dhcp from dsl box).

Greets,
Sebastian

[J65nko]

So the client gets an IP, can ping the athn0 IP, but does not receive an answer from the nameserver at 195.x.x.x.53.

Try a ping from the wireless client to the 192.168.0.20 (internal net) IP.
Does a tcdpump on that interface (ne3) show the ICMP request? If it doesn't show an ICMP reply, then pf could be blocking it.
With a block log all policy you can see blocked packets with running tcpdump on the pflog0 interface (tcpdump -eni pflog0)

Something similar you can do for the DNS lookup. Follow the transport of the DNS request, by running tcpdump on every interface the packet should arrive on.


BTW If you keep insisting on using OpenVPN, you (and including me) will not be sure, whether we are trying to debug a network/pf issue or an OpenVPN problem. For OpenVPN see the OpenVPN revisited thread.

[sws]

So we have improvements here: I managed to connect to the intranet and the internet with my mobile!

First I took advice to add block log all and checked what was blocking all connections to athn0. I then added a pass in on athn0 in my pf.conf and had instant connection to my intranet.

Second I disabled my external openvpn connection. Like a miracle I had access to the internet as well.

@J65nko
Thanks for your very helpful hints so far.

But... How can I connect to the internet via athn0 AND OpenVPN? I have configured nat from athn0 to the external interface in pf.conf. Is there anything else that is missing?

And there is another problem: my mobile opens on connection with athn0 every website I want. But the following link or any next website I want to open doesn't really work. Either it doesn't open at all or I have to klick a dozen times or more until changes take effect. I don't have another wifi client at hand at the moment. So I cannot check if it is serverside or just my mobile that does not work properly.

Greets,
Sebastian

[J65nko]

Which type of mobile client you want to connect to the Net through OpenVPN? An OpenBSD box?
Do you want to use a VPN service provider like in http://www.daemonforums.org/showthread.php?t=5653 ? Or do you only want to encrypt the wireless traffic from the mobile client to the firewall/server?

Don't make us guess, please be specific

[sws]

1. Description of my intranet:
My SOHO net consisits of a OpenBSD server that serves as a gateway between the intranet and the internet. The internal interface is a ne3 and connects to a switch where all hosts connect from the other side. Internet connections of the hosts are managed by appropriate nat rules in pf. This is internal_interface_1 in pf rules.

The wifi interface is also configured to connect from within the intranet thus its IP is in the private address space with just another subnet. Again nat rules in pf for connections to the internet are established.

On the other side is a ethernet interface fxp0 which connects to a dsl box and from there to the internet. The IP for fxp0 is assigned via dhcp from the dsl box within a different subnet than ne3. This is internal_interface_2 in pf rules.

OpenVPN is realized through tun0 interface. This is the "external" interface in pf rules.

2. Reason to use OpenVPN:
Germans are known to be a bit paranoid about their private data. Despite this fact the german government plans to collect every data from everyone that uses the internet (and telecommunications as well) as a means of fighting terror, so they say. So the ISPs will be obliged to store every data of who was where and when on the internet. This is called "Vorratsdatenspeicherung", kind of data preservation. They have done this before but were stopped by the german Constitutionanl Court. But they will try again soon.

That's why all connections/services from my intranet to the internet are established via OpenVPN to a anonymisation service and are so anonymized and can not be backtraced. And this includes every host on my intranet be it a PC, netbook or cell phone.

I don't have anything to conceal nor am I member of Al Kaida . But these are MY data and belong to me exclusively. Nobody has to have special interest in them. Hope this does not sound too weird

3. Which mobile client:
At the moment I try to connect to the wifi interface with my cell phone, Nokia E52. But it's supposed to work with every device capable of wifi funtionality.

Greets,
Sebastian

[J65nko]

Quote:

On the other side is a ethernet interface fxp0 which connects to a dsl box and from there to the internet. The IP for fxp0 is assigned via dhcp from the dsl box within a different subnet than ne3. This is internal_interface_2 in pf rules.

OpenVPN is realized through tun0 interface. This is the "external" interface in pf rules.

This is confusing

Most people would call the fxp0 interface external, because it faces the public Internet. All interfaces connected to the the internal LAN, are called internal interfaces. In your case ne3 and athn0.

RE: OpenVPN
I only wanted to know whether you were using an OpenVPN service provider or running an OpenVPN server on your firewall.server.


If OpenVPN works for the clients on the wired LAN (those connected to the ne3 NIC), then I don't understand why the OpenVPN clients on the wireless LAN (athn0 interface) have problems connecting.

One possible issue could that both wireless and OpenVPN use the 10/? net
From your previously posted info:

Quote:

10.0.x.x/24 are the IPs for vpn.

and

Code:

$ grep tun0 netstat.sws 
                                       
0/1                10.0.x.x           UGS        0     2562     -     8 tun0 
10.0.x.x/32        10.0.x.x           UGS        0        0     -     8 tun0 
10.0.x.x           10.0.x.x           UH         3        0     -     4 tun0 
128/1              10.0.x.x           UGS        0     2049     -     8 tun0

So the question is which prefix size doest he 10.0.0.0 network have?
One simple way would be to use something like the10.88.0.0/16 network for athn0.

[sws]

Quote:

If OpenVPN works for the clients on the wired LAN (those connected to the ne3 NIC), then I don't understand why the OpenVPN clients on the wireless LAN (athn0 interface) have problems connecting.

This was my thought too. To me it could not be a matter of OpenVPN.

Quote:

One possible issue could that both wireless and OpenVPN use the 10/? net

This was the winning hint! The tun0 gets an IP in 10.0.xx.0 address space. I put athn0 in the 10.0.0.0 address space. Although both nics were in seperate subnets they interfered. So I changed athn0 to 192.168.1.0 and now I can connect to the internet from athn0!

Thanks again for your help!

Quote:

Quote:
On the other side is a ethernet interface fxp0 which connects to a dsl box and from there to the internet. The IP for fxp0 is assigned via dhcp from the dsl box within a different subnet than ne3. This is internal_interface_2 in pf rules.

OpenVPN is realized through tun0 interface. This is the "external" interface in pf rules.
This is confusing

Most people would call the fxp0 interface external, because it faces the public Internet. All interfaces connected to the the internal LAN, are called internal interfaces. In your case ne3 and athn0.

I thought so too. But, hey, it works. I won't touch it

Last thing on my mind: I connect to the wifi interface with my cell phone and the first request works. Every next request, be it a link or a new page, does not. I will search the forum, google a bit and maybe open another thread .

So long,
many thanks,
Sebastian