[[[ My apologies, I accidentally sent this before I'd finished it. ]]]

I have a Protectli box that is the router for my home network. The home network uses U-Verse to connect to the outside, and has separate Ethernet networks for servers, wired clients, and Wi-Fi IoT clients. U-Verse supplies its own box (a "Residential Gateway" or RG) that sits at the connection point. The RG throws a tantrum if it detects an internal router or multi-homed devices, so the OpenBSD box is set up as a transparent filtering bridge so the RG thinks all the devices are connected directly to it. The OpenBSD box has an Ethernet port for the U-Verse RG and one for each of the three internal networks, with pf filtering the packets. The /etc/hostname.if files provide an IP address for the interface for the server network and one for the Wi-Fi interface (these are on different networks). The /etc/hostname.if files for the U-Verse and wired-client Ethernet ports have just a description.

The Protectli was running (I think) OpenBSD 6.2, but suffered a disk failure and I couldn't find my backup, so I installed a fresh OpenBSD 7.2 on it and added the users and config files (I had current versions of those). The config files are pretty minimal: /etc/hostname.if files for the four Ethernet ports and the bridge, /etc/sysctl.conf to set net.inet.ip.forwarding=1, pf.conf for the rules. There aren't any other services running on the box (other boxes are used for DHCP, DNS, etc.).

Initially, the server and Wi-Fi Ethernet ports had traffic and packets were routed between them, but there was no traffic on the wired-client or U-Verse Ethernet ports, and no packets got between them. A client on Wi-Fi could ping a server and vice versa, and other servers could reach the OpenBSD box. But clients couldn't reach servers, and nothing could get outside. All interfaces looked right when viewed using ifconfig, and the bridge looked right (it was up and had the four interfaces). There were no errors during startup, nor when running netstart.

Changing the /etc/hostname.if files for the U-Verse and client ports to add an 'inet' line with a dummy IP address made it all start working. Before, they just had a line with "description" and text.

Questions:

(1) I'd like to understand why the interfaces worked without having IP addresses in OpenBSD 6 but not in OpenBSD 7. They showed as up and as part of the bridge, but no traffic.

(2) Also, I have several old machines that can no longer SSH into the OpenBSD 7 box. They get an error "no hostkey alg". Is there an easy way to get the OpenBSD box to accept connections from older clients? Presumably I need to enable older key algorithms, but after hunting through the OpenSSH manual I can't see what I need to do. The packet rules block access to the OpenBSD box from outside.

Thank you for any help,

--Randall

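The following is an added example, not part of Randall's post or the OpenBSD project's own scripts. It stages a set of hostname.if files for the four-port transparent bridge described above plus a one-line sshd_config fragment into a directory, and then checks that every interface listed as a bridge member has a line that will bring it up. Interface names (em0 to em3, bridge0), the addresses and the file contents are assumptions for illustration. Two further assumptions: that the `up` keyword of hostname.if(5) is an alternative to the dummy inet address the post used to get the uplink and client ports passing traffic, and that the "no hostkey alg" clients only know the ssh-rsa host-key signature scheme, which current OpenSSH servers do not offer by default.

```shell
#!/bin/sh
# Added example (not from the original post). Stages hostname.if files for a
# four-port transparent bridge and an sshd_config fragment into a directory,
# then checks that each bridge member will be brought up.
# Interface names, addresses and file contents are assumptions.

stage_configs() {
    dir=$1
    mkdir -p "$dir"

    # Uplink to the U-Verse RG and the wired-client port carry no address.
    # The 'up' keyword (hostname.if(5)) brings the port up as a bridge member;
    # this is an assumed alternative to the dummy 'inet' line from the post.
    printf 'description uplink\nup\n' > "$dir/hostname.em0"
    printf 'description clients\nup\n' > "$dir/hostname.em1"

    # Server and Wi-Fi ports carry the box's own addresses (placeholders);
    # configuring an inet address brings the interface up on its own.
    printf 'description servers\ninet 192.0.2.2 255.255.255.0\n' > "$dir/hostname.em2"
    printf 'description wifi\ninet 198.51.100.2 255.255.255.0\n' > "$dir/hostname.em3"

    # The bridge itself: add every member, then bring the bridge up.
    printf 'add em0\nadd em1\nadd em2\nadd em3\nup\n' > "$dir/hostname.bridge0"

    # Assumed fix for old clients failing with "no hostkey alg": re-enable the
    # ssh-rsa host-key signature scheme. Append this line to /etc/ssh/sshd_config.
    printf 'HostKeyAlgorithms +ssh-rsa\n' > "$dir/sshd_config.fragment"
}

# Return 0 if every member named in hostname.bridge0 has a hostname file
# containing an 'up' or 'inet' line, 1 otherwise (offenders listed on stderr).
check_bridge_members() {
    dir=$1
    rc=0
    for member in $(awk '$1 == "add" { print $2 }' "$dir/hostname.bridge0"); do
        f="$dir/hostname.$member"
        if [ ! -f "$f" ]; then
            echo "$member: no hostname file" >&2
            rc=1
            continue
        fi
        if ! grep -Eq '^(up|inet)([[:space:]]|$)' "$f"; then
            echo "$member: no 'up' or 'inet' line, member will stay down" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh this.sh /path/to/staging-dir
if [ -n "${1:-}" ]; then
    stage_configs "$1"
    check_bridge_members "$1" && echo "all bridge members configured to come up"
fi
```

The check is the one to run before rebooting a freshly installed box: a member file with only a description line is exactly the case the post describes, and the script reports it instead of leaving you to discover it from a silent bridge. To apply the staged files, copy the hostname.* files to /etc and run sh /etc/netstart; the sshd line goes into /etc/ssh/sshd_config, after which `rcctl restart sshd` and a test login from one of the old clients confirm whether the assumption about ssh-rsa was right.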