On 12 Dec 2022, at 2:31, Zé Loff wrote:
On Sun, Dec 11, 2022 at 04:20:53PM -0800, Randall Gellens wrote:
I have a Protectli box that is the router for my home network. The home network uses U-Verse to connect to the outside, and has separate Ethernet networks for servers, wired clients, and Wi-Fi IoT clients. U-Verse supplies their own box (a "Residential Gateway" or RG) that sits at the connection points. The RG throws a tantrum if it detects an internal router or multi-homed devices, so the OpenBSD box is set up as a transparent filtering bridge so the RG thinks all the devices are connected directly to it. The OpenBSD box has Ethernet ports for the U-Verse RG and one for the three internal networks, with pf filtering the packets. The /etc/hostname.if files provide an IP address for the interface for the server network and one for the Wi-Fi interface (these are on different networks). The /etc/hostname.if files for the U-Verse and wired client Ethernet ports have just a description.

The Protectli was running (I think) OpenBSD 6.2, but suffered a disk failure and I couldn't find my backup, so I installed a fresh OpenBSD 7.2 on it and added the users and config files (I had current versions of those). The config files are pretty minimal: /etc/hostname.if files for the four Ethernet ports and the bridge, /etc/sysctl.conf to set net.inet.ip.forwarding=1, pf.conf for the rules. There aren't any other services running on the box (other boxes are used for DHCP, DNS, etc.).

Initially, the server and Wi-Fi Ethernet ports had traffic and packets were routed between them, but there was no traffic on the wired clients nor U-Verse Ethernet ports, and no packets got between them. A client on Wi-Fi could ping a server and vice versa, and other servers could reach the OpenBSD box. But clients couldn't reach servers, and nothing could get outside. All interfaces looked right when viewed using ifconfig, and the bridge looked right (it was up and had the four interfaces). There were no errors during startup, nor when running netstart.

Changing the /etc/hostname.if files for the U-Verse and client ports to add an 'inet' line with a dummy IP address made it all start working. Before, they just had a line with "description" and text.
Questions:

(1) I'd like to understand why the interfaces worked without having IP addresses in OpenBSD 6 but not in OpenBSD 7. They showed as up and as part of the bridge, but no traffic.
Without *at least* the applicable /etc/hostname.* files it's hard to help you with this. FWIW, I have a 7.1 box with a similar setup that forwards packets adequately (bridging two vlan interfaces, with no IP addresses on the parent interfaces, the vlan interfaces or the bridge).
Below are the /etc/hostname.* files as they are now (working). Originally, /etc/hostname.em1 and /etc/hostname.em3 were:

/etc/hostname.em1 (originally):
description "U-Verse DSL"

/etc/hostname.em3 (originally):
description "Switch for clients"

/etc/hostname.em0 and /etc/hostname.em2 did not need changes.

Here are the files as they are now:
/etc/hostname.em0
inet 192.168.98.1 255.255.255.0 NONE description "to talk to AP"
inet alias 192.168.0.210 255.255.255.0 NONE description "factory
fallback wireless AP"
/etc/hostname.em1
inet 192.168.98.2 255.255.255.0 NONE description "U-Verse DSL"
/etc/hostname.em2
inet 99.111.97.160 255.255.255.240 NONE description "Switch for servers"
/etc/hostname.em3
inet 192.168.98.3 255.255.255.0 NONE description "Switch for clients"
-bash-5.1$ more /etc/hostname.bridge0
add em0
add em1
add em2
add em3
timeout 0
rule pass in on em1 src ac:5d:10:80:7d:11 tag outside
# pass on em0
# pass on em1
# pass on em2
# pass on em3
up
The "rule pass in" line in the bridge is to add a tag to packets from
the outside, because (at least in OpenBSD 6.2) the pf.conf rules saw the
packets as coming from a different interface, so they weren't treated as
coming from the outside.
(2) Also, I have several old machines that can no longer SSH into the OpenBSD 7 box. They get an error "no hostkey alg". Is there an easy way to get the OpenBSD box to accept connections from older clients? Presumably I need to enable older key algorithms, but after hunting through the OpenSSH manual I can't see what I need to do. The packet rules block access to the OpenBSD box from outside.
RSA was deprecated some time ago. Add
HostKeyAlgorithms=+ssh-rsa
PubkeyAcceptedAlgorithms=+ssh-rsa
to /etc/ssh/sshd_config, or, better yet, change the clients' config to
bring them up to speed (I understand it might not be feasible).
Thank you, that worked, I appreciate it. (I know I need to update
openssh on the old machines, but that's a big project, and the protectli
box isn't accessible from the outside.)
--Randall
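An added check, not code from the thread or from OpenBSD: it parses the hostname.if(5) line forms that appear above (inet, inet alias, description, add, rule, timeout, up) and reports bridge members whose own file carries only a description line, the state em1 and em3 were in before the dummy inet lines were added. The sample files are constructed from the ones posted in the thread and nothing is read from disk.

```python
"""Audit OpenBSD hostname.if files for bridge members that set no address.
Added example, not from the thread or OpenBSD: handles only the hostname.if(5)
lines seen in the mail (inet, inet alias, description, add, rule, timeout, up).
"""
import shlex

# Constructed sample modelled on the thread, with em1/em3 in their original
# description-only form; nothing is read from disk.
SAMPLE_FILES = {
    "hostname.em0": ('inet 192.168.98.1 255.255.255.0 NONE description "to talk to AP"\n'
                     'inet alias 192.168.0.210 255.255.255.0 NONE description "factory AP"\n'),
    "hostname.em1": 'description "U-Verse DSL"\n',
    "hostname.em2": 'inet 99.111.97.160 255.255.255.240 NONE description "Switch for servers"\n',
    "hostname.em3": 'description "Switch for clients"\n',
    "hostname.bridge0": ("add em0\nadd em1\nadd em2\nadd em3\ntimeout 0\n"
                         "rule pass in on em1 src ac:5d:10:80:7d:11 tag outside\n# pass on em0\nup\n"),
}


def parse_hostname_if(text):
    """Summarise one file: inet addresses, bridge members, rules, up flag, description."""
    info = {"inet": [], "members": [], "rules": [], "up": False, "description": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        words = shlex.split(line)                 # keeps the quoted description intact
        if words[0] == "inet":
            # "inet addr mask bcast ..." or "inet alias addr mask bcast ..."
            info["inet"].append(words[2] if words[1] == "alias" else words[1])
        elif words[0] == "add":
            info["members"].append(words[1])
        elif words[0] == "rule":
            info["rules"].append(line)
        elif words[0] == "up":
            info["up"] = True
        if "description" in words:
            info["description"] = words[words.index("description") + 1]
    return info


def bridge_members_without_address(files):
    """Return members of every bridge whose own file sets neither an address nor 'up'."""
    parsed = {name: parse_hostname_if(text) for name, text in files.items()}
    flagged = []
    for name, info in parsed.items():
        if name.startswith("hostname.bridge"):
            for member in info["members"]:
                m = parsed.get("hostname." + member)
                if m is None or (not m["inet"] and not m["up"]):
                    flagged.append(member)
    return flagged
```

Run against a copy of a real /etc, `bridge_members_without_address` returns the members to look at first when a bridge is up but silent, as in the thread.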