Put a route !?

2011/5/18 David Schulz <mailingli...@ironwhale.com>

> Hi there,
>
> if i disable pf, it will not work (except when trying from router itself via
> ssh). Here some output from hostname.ifs and mygate, my routing table. Would
> be most grateful for any tips that help solving this.
>
> Best regards,
> D
>
> cndlne001'root(~)> cat /etc/hostname.sis0
> inet 10.1.3.19 255.255.254.0 NONE
> cndlne001'root(~)> cat /etc/hostname.sis1
> inet 192.168.1.1 255.255.255.0 NONE
> cndlne001'root(~)> cat /etc/mygate
> 10.1.3.1
> cndlne001'root(~)> route -n show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            10.1.3.1           UGS        0        3     -     8 sis0
> 10.1.2/23          link#1             UC         4        0     -     4 sis0
> 10.1.3.1           00:18:4d:33:e3:df  UHLc       1        0     -     4 sis0
> 10.1.3.7           f4:ce:46:b1:a6:26  UHLc       1       10     -     4 sis0
> 10.1.3.37          20:cf:30:56:15:80  UHLc       1      107     -     4 sis0
> 10.1.3.46          1c:af:f7:0e:17:20  UHLc       0       41     -     4 sis0
> 127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
> 127.0.0.1          127.0.0.1          UH         1        0 33200     4 lo0
> 192.168.1/24       link#2             UC         1        0     -     4 sis1
> 192.168.1.2        00:14:97:02:2b:b2  UHLc       0       41     -     4 sis1
> 224/4              127.0.0.1          URS        0        0 33200     8 lo0
>
> cndlne001'root(~)> sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
>
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:00:24:ca:a9:f4
>        priority: 0
>        groups: egress
>        media: Ethernet autoselect (100baseTX full-duplex)
>        status: active
>        inet 10.1.3.19 netmask 0xfffffe00 broadcast 10.1.3.255
>        inet6 fe80::200:24ff:feca:a9f4%sis0 prefixlen 64 scopeid 0x1
> cndlne001'root(~)> ifconfig sis1
> sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:00:24:ca:a9:f5
>        priority: 0
>        media: Ethernet autoselect (100baseTX full-duplex)
>        status: active
>        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>        inet6 fe80::200:24ff:feca:a9f5%sis1 prefixlen 64 scopeid 0x2
> cndlne001'root(~)>
>
>
> On May 18, 2011, at 2:29 PM, Aaron Mason wrote:
>
> > If you've disabled pf and it doesn't, then yes, possibly.
> >
> > If the network is configured like this:
> >
> > 192.168.1.0/24]----192.168.1.1(em0)[Router]10.1.0.1(em1)----[10.1.0.0/21
> >
> > Setting the default routes to the required interface on each side
> > should allow packets to flow freely from end to end.  There should be
> > no need for PF trickery unless you wish to restrict access to certain
> > machines on either side.
> >
> > Your best test is a traceroute.  Perform a traceroute from one side to
> > the other, and see what the last step is before you get a string of
> > timeouts.
> >
> > All said, I see rules in your PF that allow certain ICMP types, but
> > haven't included the echo response - that's probably why you can't
> > ping across the router.
> >
> > On Wed, May 18, 2011 at 3:29 PM, David Schulz
> > <mailingli...@ironwhale.com> wrote:
> >> Basically i am just trying to verify whether i actually do need the match out
> >> statements in pf.conf in order for both Sides on each Network Cards to talk to
> >> each other. Say i do not, and it should all just work, does the fact that it
> >> does not work suggest that i most likely have a routing issue?
> >>
> >> best regards,
> >> D
> >>
> >> On May 17, 2011, at 9:29 PM, David Gwynne wrote:
> >>
> >>> hey david,
> >>>
> >>> pf is run twice on packets going through a box, once before the network stack
> >>> and again as it leaves it. this means you have to allow a packet in one side
> >>> as well as when it goes out the other.
> >>>
> >>> dlg
> >>>
> >>> On 17/05/2011, at 10:16 PM, David Schulz wrote:
> >>>
> >>>> Hi all,
> >>>>
> >>>> i have a LAN within a LAN and the setup is as follows:
> >>>>
> >>>> 192.168.1.0/24 <-- OpenBSD 4.9 Router with 2 NICS --> 10.1.0.0/21
> >>>>
> >>>> My goal is to get both Sides talking to each other (lets start with making
> >>>> them be able to ping each other). I got it working by using the following
> >>>> pf.conf, however i thought i should not need to have those match out
> >>>> statements, because OpenBSD routes packets between interfaces by default as
> >>>> long as sysctl net.inet.ip.forwarding=1 is set.
> >>>>
> >>>> From inside my OpenBSD Box i can ping Devices on either Side just fine. From
> >>>> a machine sitting on either Side, i can ping the OpenBSD Box just fine. But i
> >>>> simply cannot get Side A Machines to talk to Side B Machines unless i
> >>>> uncomment the two below match out statements inside my pf.conf.
> >>>>
> >>>> If someone could share some insight, id be most thankful.
> >>>>
> >>>> regards,
> >>>> D
> >>>>
> >>>> Here my simplified pf.conf which again does not work unless i uncomment the
> >>>> two match out Rules:
> >>>> ++++++++ pf.conf
> >>>> int_if="sis0"
> >>>> ext_if="sis1"
> >>>>
> >>>> icmp_types = "{ echoreq, unreach }"
> >>>>
> >>>> set require-order yes
> >>>> set block-policy return
> >>>> set optimization normal
> >>>> set loginterface $ext_if
> >>>>
> >>>> match in all scrub (no-df)
> >>>>
> >>>> set skip on lo
> >>>>
> >>>> #match out on $int_if from 192.168.1.0/24 to any nat-to ($int_if)
> >>>> #match out on $ext_if from 10.1.0.0/21 to any nat-to ($ext_if)
> >>>>
> >>>> block log all
> >>>>
> >>>> #Simplified for 'making it work purposes'
> >>>> pass out quick
> >>>> pass in quick
> >>>>
> >>>> antispoof quick for { lo0 $int_if $ext_if } inet
> >>>>
> >>>> # allow ICMP
> >>>> pass in quick on { $int_if $ext_if } inet proto icmp all icmp-type $icmp_types keep state
> >>>> ++++++++
> >>>>
> >>>> ++++++++ route -n
> >>>> cndlne001'root(~)> route -n show | grep default
> >>>> default            10.1.3.1           UGS        0    23106     -     8 sis0
> >>>>
> >>>> cndlne001'root(~)> route -n show | grep 192.168.1
> >>>> 192.168.1/24       link#2             UC         2        0     -     4 sis1
> >>
> >>
> >
> >
> >
> > --
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
