Hey guys, I need some help on a bridge issue.

Cable-modem---(sis1)(obsd3.1/ipf-3.4.28 Bridge)(sis0)---(xl1)obsd/ipf nat rtr

OK, the problem is my OpenBSD/ipf router, or any device for that matter, can't get a DHCP offer when it requests one through the bridge. If I take the bridge out and connect the obsd/nat box directly to the cable modem it gets one just fine, but for some reason it will not get one when going through the bridge. The sis1 & sis0 interfaces are the bridge, and on the other box, the ipf/nat rtr, the xl1 interface is the one sending out the DHCP bootp request. Here is the config for my bridge:

###Interfaces:(lo0="Loop-Back", sis0="Filtered-Inet", sis1="Dirty-INET",###
#
#
#
###LOOP-BACK###
##needs to be unrestricted for apps to run smoothly
pass out quick on lo0
pass in quick on lo0
#
#
#
###DIRTY-INET & Intrusion Detection
###don't filter if you want IDS to catch all Intrusion attempts###
pass in quick on sis1 all
pass out quick on sis1 all
#
################FILTERED-INET############
#
##############Block, Default Deny#########
#
block out on sis0 all
block in on sis0 all
#
##############BLOCKING NON-ROUTABLES (RFC-1918 & MISC.) *SPOOF PROTECTION*############
#
###Block Out###
###out=data from INET###
#
block out quick on sis0 from any to 192.168.0.0/16
block out quick on sis0 from any to 172.16.0.0/12
block out quick on sis0 from any to 127.0.0.0/8
block out quick on sis0 from any to 10.0.0.0/8
block out quick on sis0 from any to 0.0.0.0/8
block out quick on sis0 from any to 0.0.0.0/7
block out quick on sis0 from any to 169.254.0.0/16
block out quick on sis0 from any to 192.0.2.0/24
block out quick on sis0 from any to 204.152.64.0/23
block out quick on sis0 from any to 224.0.0.0/3
block out quick on sis0 from any to 20.20.20.0/32
block out quick on sis0 from any to 20.20.20.255/32
block out quick on sis0 from 192.168.0.0/16 to any
block out quick on sis0 from 172.16.0.0/12 to any
block out quick on sis0 from 10.0.0.0/8 to any
block out quick on sis0 from 127.0.0.0/8 to any
block out quick on sis0 from 0.0.0.0/8 to any
block out quick on sis0 from 0.0.0.0/7 to any
block out quick on sis0 from 169.254.0.0/16 to any
block out quick on sis0 from 192.0.2.0/24 to any
block out quick on sis0 from 204.152.64.0/23 to any
block out quick on sis0 from 224.0.0.0/3 to any
block out quick on sis0 from 20.20.20.0/24 to any
block out quick on sis0 from 20.20.20.0/32 to any
block out quick on sis0 from 20.20.20.255/32 to any
#
###Block In###
###In=data from LAN###
#
block in quick on sis0 from 192.168.0.0/16 to any
block in quick on sis0 from 172.16.0.0/12 to any
block in quick on sis0 from 10.0.0.0/8 to any
block in quick on sis0 from 127.0.0.0/8 to any
block in quick on sis0 from 0.0.0.0/8 to any
block in quick on sis0 from 0.0.0.0/7 to any
block in quick on sis0 from 169.254.0.0/16 to any
block in quick on sis0 from 192.0.2.0/24 to any
block in quick on sis0 from 204.152.64.0/23 to any
block in quick on sis0 from 224.0.0.0/3 to any
block in quick on sis0 from 20.20.20.0/24 to any
block in quick on sis0 from any to 20.20.20.0/32
block in quick on sis0 from any to 20.20.20.255/32
block in quick on sis0 from any to 192.168.0.0/16
block in quick on sis0 from any to 172.16.0.0/12
block in quick on sis0 from any to 127.0.0.0/8
block in quick on sis0 from any to 10.0.0.0/8
block in quick on sis0 from any to 0.0.0.0/8
block in quick on sis0 from any to 0.0.0.0/7
block in quick on sis0 from any to 169.254.0.0/16
block in quick on sis0 from any to 192.0.2.0/24
block in quick on sis0 from any to 204.152.64.0/23
block in quick on sis0 from any to 224.0.0.0/3
#
#
############Block Malformed packets and OS Fingerprinting############
#
###Block Malformed packets###
#OUT#
block out quick on sis0 all with short
block out quick on sis0 all with opt lsrr
block out quick on sis0 all with opt ssrr
block out quick on sis0 all with ipopts
block out quick on sis0 all with frags
#IN#
block in quick on sis0 all with short
block in quick on sis0 all with opt lsrr
block in quick on sis0 all with opt ssrr
block in quick on sis0 all with ipopts
block in quick on sis0 all with frags
#
###Block OS Fingerprinting###
#
####################################################################
# NMAP protection
####################################################################
block out quick on sis0 proto tcp from any to any flags FUP
block out quick on sis0 proto tcp from any to any flags SF/SFRA
block out quick on sis0 proto tcp from any to any flags /SFRA
#
################################################################
#
##############Standard Filters#################
#
###Pass OUT###
###note: Pass OUT is incoming from INET on this brdg###
#
###Pass IN###
###note: pass IN is incoming from INTERNAL "LAN" on this brdg###
pass in quick on sis0 proto tcp from any to any flags S keep state keep frags
pass in quick on sis0 proto udp from any to any keep state keep frags
pass in quick on sis0 proto icmp from any to any keep state keep frags
#
###Block Specific###
block out quick on sis0 proto tcp from any to any port = 22
block out quick on sis0 proto tcp from any to any port = 23

I have even tried flushing the rules on the bridge (ipf -Fa) and then trying to get a DHCP offer. There are no rules on the NAT box currently, and like I mentioned, it will get a DHCP offer and configure its xl1 interface via the DHCP request when it's plugged directly into the cable modem, but once it's plugged back into the bridge it just will not work.

Again the diagram:

Inet---sis1(bridge)sis0----xl1(nat box)----to lan

I don't think it would have anything to do with it, but the bridge does have the following options in its kernel:

option IPFILTER_DEFAULT_BLOCK
option RANDOM_IP_ID

As you can see above, I am allowing anything to pass as long as it's coming from the LAN.

###Pass IN###
###note: pass IN is incoming from INTERNAL "LAN" on this brdg###
pass in quick on sis0 proto tcp from any to any flags S keep state keep frags
pass in quick on sis0 proto udp from any to any keep state keep frags
pass in quick on sis0 proto icmp from any to any keep state keep frags

It did this with my small Nortel router too, and I had to plug it into the modem directly; once it got its DHCP offer and configured its interface I could reconnect it to the bridge and everything worked fine.

Thanks in advance for any help.
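The bridge ruleset above is worth replaying by hand for a DHCP exchange, because the filter sees the request and the reply in opposite directions on sis0: the DISCOVER from the NAT box's xl1 is "in" on sis0, and the OFFER that comes back from the cable side through the unfiltered sis1 is "out" on sis0. The script below is an added example, not code from the original post, and it is not ipf itself: it implements a deliberately simplified ipf-style evaluator (assumptions: rules are walked in order, the last match decides, a matching `quick` rule stops the walk, and `keep state` records a packet's exact 5-tuple plus its reverse) and pushes a broadcast DHCP DISCOVER/OFFER pair through a constructed subset of the post's sis0 rules, kept in the post's order. The DHCP server address 24.0.0.1 is made up, and the `STATE_ONLY` ruleset is a constructed variant that keeps only the default-deny lines and the stateful UDP pass rule.

```python
"""Replay a broadcast DHCP DISCOVER/OFFER through ipf-style rules.

Simplified ipf model (an assumption of this example, not the real ipf code):
rules are walked in order, the last matching rule decides, a matching "quick"
rule stops the walk, and "keep state" records the packet's 5-tuple so that the
exact reverse tuple passes later without a rule walk. A Packet carries no IP
options or TCP flags unless given, so "with ..." rules never match it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed subset of the post's sis0 rules, in the post's order.
RULESET = """\
block out on sis0 all
block in on sis0 all
block out quick on sis0 from any to 192.168.0.0/16
block out quick on sis0 from any to 10.0.0.0/8
block out quick on sis0 from any to 0.0.0.0/8
block out quick on sis0 from any to 224.0.0.0/3
block out quick on sis0 from 0.0.0.0/8 to any
block in quick on sis0 from 192.168.0.0/16 to any
block in quick on sis0 from 10.0.0.0/8 to any
block in quick on sis0 from 0.0.0.0/8 to any
block in quick on sis0 from any to 224.0.0.0/3
block out quick on sis0 all with short
block out quick on sis0 all with opt lsrr
block out quick on sis0 proto tcp from any to any flags SF/SFRA
pass in quick on sis0 proto tcp from any to any flags S keep state keep frags
pass in quick on sis0 proto udp from any to any keep state keep frags
block out quick on sis0 proto tcp from any to any port = 22
"""

# Constructed variant: default deny plus only the stateful UDP pass rule.
STATE_ONLY = """\
block out on sis0 all
block in on sis0 all
pass in quick on sis0 proto udp from any to any keep state keep frags
"""


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out" relative to the bridge interface
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flag letters, e.g. "S" or "SA"
    opts: frozenset = frozenset()   # IP-level attributes, e.g. {"short", "opt lsrr"}


@dataclass
class Rule:
    text: str
    action: str
    direction: str
    quick: bool
    iface: str
    proto: Optional[str]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    flags: Optional[str]
    opts: frozenset
    keep_state: bool


def net(s):
    return ANY if s == "any" else ipaddress.ip_network(s)


def parse_rule(line):
    """Parse the rule syntax used in the post (a subset of ipf.conf)."""
    t = line.split()
    action, direction, i = t[0], t[1], 2
    quick = t[i] == "quick"
    if quick:
        i += 1
    if t[i] != "on":
        raise ValueError(line)
    iface, i = t[i + 1], i + 2
    proto = None
    if t[i] == "proto":
        proto, i = t[i + 1], i + 2
    src = dst = ANY
    dport = None
    if t[i] == "all":
        i += 1
    else:                                   # from SRC to DST [port = N]
        src, dst, i = net(t[i + 1]), net(t[i + 3]), i + 4
        if i < len(t) and t[i] == "port":
            dport, i = int(t[i + 2]), i + 3
    flags, opts, keep_state = None, set(), False
    while i < len(t):
        if t[i] == "with":                  # "with opt lsrr" is two words
            n = 2 if t[i + 1] == "opt" else 1
            opts.add(" ".join(t[i + 1:i + 1 + n]))
            i += 1 + n
        elif t[i] == "flags":
            flags, i = t[i + 1], i + 2
        elif t[i] == "keep":                # keep state / keep frags
            keep_state |= t[i + 1] == "state"
            i += 2
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return Rule(line, action, direction, quick, iface, proto, src, dst,
                dport, flags, frozenset(opts), keep_state)


def matches(r, p):
    if (r.direction, r.iface) != (p.direction, p.iface):
        return False
    if r.proto and r.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in r.src or ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if not r.opts <= p.opts:                # every "with" attribute must be present
        return False
    if r.flags is not None:                 # ipf SET/MASK: of MASK, exactly SET is on
        want, _, mask = r.flags.partition("/")
        mask = mask or "FSRPAU"
        if {f for f in p.flags if f in mask} != set(want):
            return False
    return True


def evaluate(rules, pkt, state, default_block=False):
    """Return (verdict, reason); `state` is mutated by keep-state passes."""
    key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if key in state:
        return "pass", "existing state"
    verdict = "block" if default_block else "pass"
    reason, winner = "default policy", None
    for r in rules:
        if matches(r, pkt):
            verdict, reason, winner = r.action, r.text, r
            if r.quick:
                break
    if verdict == "pass" and winner is not None and winner.keep_state:
        state.add(key)
        state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))  # reply tuple
    return verdict, reason


def replay_dhcp(ruleset=RULESET, default_block=False):
    """DISCOVER enters sis0 from the NAT box; the OFFER leaves sis0 toward it.

    Both are broadcast as in a normal handshake; 24.0.0.1 is a made-up server.
    """
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
    state = set()
    discover = Packet("in", "sis0", "udp", "0.0.0.0", 68, "255.255.255.255", 67)
    offer = Packet("out", "sis0", "udp", "24.0.0.1", 67, "255.255.255.255", 68)
    return {"discover": evaluate(rules, discover, state, default_block),
            "offer": evaluate(rules, offer, state, default_block)}


if __name__ == "__main__":
    for name, rs, dflt in (("post rules", RULESET, False),
                           ("state only", STATE_ONLY, False),
                           ("flushed, IPFILTER_DEFAULT_BLOCK", "", True)):
        print(name, replay_dhcp(rs, dflt))
```

Three runs are worth comparing. With the post's rules the request is stopped by `block in quick on sis0 from 0.0.0.0/8 to any` (a DISCOVER has no address yet and sends from 0.0.0.0), and the broadcast reply by `block out quick on sis0 from any to 224.0.0.0/3`, since 255.255.255.255 lies inside 224.0.0.0/3. With `STATE_ONLY` the request passes and creates state, but the OFFER still hits `block out on sis0 all`, because its addresses (server:67 to 255.255.255.255:68) are not the reverse of the request's tuple, so a stateful pass-in rule alone does not carry a broadcast DHCP reply; that reply needs its own pass-out rule for UDP 67/68. With an empty ruleset and `default_block=True` everything is blocked, which is what IPFILTER_DEFAULT_BLOCK selects when no rule matches.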
