Hi there, if i disable pf, it will not work (except when trying from router itself via ssh). Here some output from hostname.ifs and mygate, my routing table. Would be most grateful for any tips that help solving this.
Best regards, D cndlne001'root(~)> cat /etc/hostname.sis0 inet 10.1.3.19 255.255.254.0 NONE cndlne001'root(~)> cat /etc/hostname.sis1 inet 192.168.1.1 255.255.255.0 NONE cndlne001'root(~)> cat /etc/mygate 10.1.3.1 cndlne001'root(~)> route -n show Routing tables Internet: Destination Gateway Flags Refs Use Mtu Prio Iface default 10.1.3.1 UGS 0 3 - 8 sis0 10.1.2/23 link#1 UC 4 0 - 4 sis0 10.1.3.1 00:18:4d:33:e3:df UHLc 1 0 - 4 sis0 10.1.3.7 f4:ce:46:b1:a6:26 UHLc 1 10 - 4 sis0 10.1.3.37 20:cf:30:56:15:80 UHLc 1 107 - 4 sis0 10.1.3.46 1c:af:f7:0e:17:20 UHLc 0 41 - 4 sis0 127/8 127.0.0.1 UGRS 0 0 33200 8 lo0 127.0.0.1 127.0.0.1 UH 1 0 33200 4 lo0 192.168.1/24 link#2 UC 1 0 - 4 sis1 192.168.1.2 00:14:97:02:2b:b2 UHLc 0 41 - 4 sis1 224/4 127.0.0.1 URS 0 0 33200 8 lo0 cndlne001'root(~)> sysctl net.inet.ip.forwarding net.inet.ip.forwarding=1 sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:00:24:ca:a9:f4 priority: 0 groups: egress media: Ethernet autoselect (100baseTX full-duplex) status: active inet 10.1.3.19 netmask 0xfffffe00 broadcast 10.1.3.255 inet6 fe80::200:24ff:feca:a9f4%sis0 prefixlen 64 scopeid 0x1 cndlne001'root(~)> ifconfig sis1 sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:00:24:ca:a9:f5 priority: 0 media: Ethernet autoselect (100baseTX full-duplex) status: active inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 inet6 fe80::200:24ff:feca:a9f5%sis1 prefixlen 64 scopeid 0x2 cndlne001'root(~)> On May 18, 2011, at 2:29 PM, Aaron Mason wrote: > If you've disabled pf and it doesn't, then yes, possibly. > > If the network is configured like this: > > 192.168.1.0/24]----192.168.1.1(em0)[Router]10.1.0.1(em1)----[10.1.0.0/21 > > Setting the default routes to the required interface on each side > should allow packets to flow freely from end to end. There should be > no need for PF trickery unless you wish to restrict access to certain > machines on either side. > > Your best test is a traceroute. Perform a traceroute from one side to > the other, and see what the last step is before you get a string of > timeouts. > > All said, I see rules in your PF that allow certain ICMP types, but > haven't included the echo response - that's probably why you can't > ping across the router. > > On Wed, May 18, 2011 at 3:29 PM, David Schulz > <mailingli...@ironwhale.com> wrote: >> Basically i am just trying to verify whether i actually do need the match > out >> statements in pf.conf in order for both Sides on each Network Cards to talk > to >> each other. Say i do not, and it should all just work, does the fact that > it >> does not work suggest that i most likely have a routing issue? >> >> best regards, >> D >> >> On May 17, 2011, at 9:29 PM, David Gwynne wrote: >> >>> hey david, >>> >>> pf is run twice on packets going through a box, once before the network >> stack >>> and again as it leaves it. this means you have to allow a packet in one >> side >>> as well as when it goes out the other. >>> >>> dlg >>> >>> On 17/05/2011, at 10:16 PM, David Schulz wrote: >>> >>>> Hi all, >>>> >>>> i have a LAN within a LAN and the setup is as follows: >>>> >>>> 192.168.1.0/24 <-- OpenBSD 4.9 Router with 2 NICS --> 10.1.0.0/21 >>>> >>>> My goal is to get both Sides talking to each other (lets start with > making >>>> them be able to ping each other). I got it working by using the following >>>> pf.conf, however i thought i should not need to have those match out >>>> statements, because OpenBSD routes packets between interfaces by default >> as >>>> long sysctl net.inet.ip.forwarding=1 is set. >>>> >>>> From inside my OpenBSD Box i can ping Devices on either Side just fine. >> From >>> a >>>> machine sitting on either Side, i can ping the OpenBSD Box just fine. But >> i >>>> simply cannot get Side A Machines to talk to Side B Machines unless i >>>> uncomment the two below match out statements inside my pf.conf. >>>> >>>> If someone could share some insight, id be most thankful. >>>> >>>> regards, >>>> D >>>> >>>> Here my simplified pf.conf which again does not work unless i uncomment >> the >>>> two match out Rules: >>>> ++++++++ pf.conf >>>> int_if="sis0" >>>> ext_if="sis1" >>>> >>>> icmp_types = "{ echoreq, unreach }" >>>> >>>> set require-order yes >>>> set block-policy return >>>> set optimization normal >>>> set loginterface $ext_if >>>> >>>> match in all scrub (no-df) >>>> >>>> set skip on lo >>>> >>>> #match out on $int_if from 192.168.1.0/24 to any nat-to ($int_if) >>>> #match out on $ext_if from 10.1.0.0/21 to any nat-to ($ext_if) >>>> >>>> block log all >>>> >>>> #Simplified for 'making it work purposes' >>>> pass out quick >>>> pass in quick >>>> >>>> antispoof quick for { lo0 $int_if $ext_if } inet >>>> >>>> # allow ICMP >>>> pass in quick on { $int_if $ext_if } inet proto icmp all icmp-type >>> $icmp_types >>>> keep state >>>> ++++++++ >>>> >>>> ++++++++ route -n >>>> cndlne001'root(~)> route -n show | grep default >>>> default 10.1.3.1 UGS 0 23106 - 8 >>> sis0 >>>> >>>> cndlne001'root(~)> route -n show | grep 192.168.1 >>>> 192.168.1/24 link#2 UC 2 0 - 4 >>> sis1 >> >> > > > > -- > Aaron Mason - Programmer, open source addict > I've taken my software vows - for beta or for worse