Forwarding to PF list as well.
--- Begin Message --- Title: RE: OpenBSD Bridge setup with OSPF routed networks behind it - W0ES-I disabled pf and then re-enabled it and now my config works fine - after
I ping the Bridge External Address from a host behind the /28I did notice this in the dmesg probably 50 times on the OpenBSD Bridge.
arplookup: unable to enter address for XXX.XXX.56.211
arpresolve: can't allocate llinfo## This was a result of my reply-to config though.
Everything will work great till a timeout expires. It seems i need to
ping XXX.XXX.43.114 before I can get it to be able to ssh. Any ideas why
arp is giving me a hard time or is this more a proxy-arp needed scenario?
hum - i think I may have just answered my own question.beast.some.net:/home/coldiso% route get XXX.XXX.56.211
route to: XXX.XXX.56.211
destination: XXX.XXX.56.211
gateway: xxx.xxx.43.116
interface: fxp0
flags: <UP,GATEWAY,HOST,DYNAMIC,DONE>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu
0 0 0 0 0 0 0
expire
0Is there a way for me to encourage traffic to the /28 to always use fxp1?
I realize this is a bridge but it is not learning the MAC because it is
separated by the 2514 router which would stop broadcasts of layer2.Interesting if i disable pf i don't have to ping the host first before I
can ssh to it. Now I am really confused.my pf.conf is available at http://www.comnetohio.com/~jasonh/
Thanks for any suggestions.
Jason
On Mon, 9 Jun 2003, Amir Seyavash Mesry wrote:
> I take it this is not a transparent Bridge, as well, I think it would help
> if you posted your pf.conf.
>
> Amir Seyavash Mesry
> [EMAIL PROTECTED]
> LSI Logic Corporation
> http://www.lsilogic.com/
> Raid Support Test Technician
> 6145-D Northbelt Parkway
> Norcross, GA 30071
> 678-728-1211
>
> NOTICE: This communication may contain privileged or other confidential
> information. If you are not the intended recipient, or believe that you have
> received this communication in error, please do not print, copy, retransmit,
> disseminate, or otherwise use the information. Also, please indicate to the
> sender that you have received this communication in error, and delete the
> copy you received. Thank you.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Jason Houx
> Sent: Monday, June 09, 2003 1:12 PM
> To: [EMAIL PROTECTED]
> Subject: OpenBSD Bridge setup with OSPF routed networks behind it - W0ES -
>
>
>
>
> {2600}---
> | --- /29
> | |
> ---- fxp0 { OpenBSD } fxp1 --|
> { Bridge } |
> eth0 { Cisco 2514 } eth1 --|
> |
> | /28
> More OpenBSD Units
>
>
>
> I am having a problem that I have been unable to fix. The scenario above is
> what my lab looks like. Essentially my workstation lives off the /29 behind
> the fxp1 interface. The OpenBSD Bridge is a 3.3 Generic with pf/altq
> protecting everything behind it. I can ssh to the OpenBSD bridge from my
> workstation because my IP address is on the same /29 as the External Int of
> the Bridge on fxp0, but none of my machines behind the Cisco 2514 on the
> eth1 network /28 can talk directly to the Bridge but can bridge out/in just
> fine. Mind you traffic from the /29 can talk to the
> bridge just fine. Just to clarify anything that comes in from the
> Internet and lands on fxp0 can talk to the Bridge as well.
>
> I see this in my tcpdumps
>
> ## XXX.XXX.56.211 = machine on /28 subnet
> ## xxx.xxx.43.114 = fxp0 IP on Bridge on /29
>
> Jun 09 11:09:48.142206 rule 20/0(match): pass in on fxp0:
> XXX.XXX.56.211.32214 > xxx.xxx.43.114.22: S Jun 09 11:09:48.146181 rule
> 6/0(match): block in on fxp0: xxx.xxx.43.114.22 > XXX.XXX.56.211.32214: S
>
> supporting icmp redirect dumps show this
> Jun 09 11:19:55.824378 : ROU.TER.IP.113 > xxx.xxx.43.114: icmp: redirect
> XXX.XXX.56.211 to net xxx.xxx.43.116
>
>
> This looks to me like a icmp redirect problem because I am seeing the
> External IP of my bridge send the packet right back at the interface with
> destination of the correct machine on the /29.
>
> I at first thought it was a problem with icmp route-redirects on the Bridge
> not being allowed to pass in to tell the Bridge external IP to redirect the
> traffic back out fxp1. After adding
>
> $gw_router = ip of bridge next hop --> Cisco 2600
>
> # ICMP router redirect for multiple networks
> pass in log quick on $br0_if inet proto icmp from $gw_router to any
> icmp-type 5 code 0 keep state queue man1 label "pass icmp redirects from
> gw_router" pass in log quick on $br0_if inet proto icmp from $gw_router to
> any icmp-type 5 code 1 keep state queue man1 label "pass icmp redirects from
> gw_router" pass in log quick on $br0_if inet proto icmp from $gw_router to
> any icmp-type 5 code 2 keep state queue man1 label "pass icmp redirects from
> gw_router" pass in log quick on $br0_if inet proto icmp from $gw_router to
> any icmp-type 5 code 3 keep state queue man1 label "pass icmp redirects from
> gw_router"
>
> This didn't work and I noticed that the block was on xxx.xxx.43.114 coming
> in the fxp0 interface so I put a statement for xxx.xxx.43.114 to allow in on
> fxp0 although this should never happen except in this situation. After
> doing this I see the following when trying to ssh to xxx.xxx.43.114 from a
> IP on the /28 network.
>
> Jun 09 12:09:24.680962 rule 20/0(match): pass in on fxp0:
> XXX.XX.56.211.32148 > xxx.xxx.43.114.22: S Jun 09 12:09:24.700588 rule
> 61/0(match): pass in on fxp0: xxx.xxx.43.114.22 > XXX.XXX.56.211.32148: S
> Jun 09 12:09:30.692264 rule 61/0(match): pass in on fxp0: xxx.xxx.43.114.22
> > XXX.XXX.56.211.32148: S Jun 09 12:09:36.679255 rule 61/0(match): pass in
> on fxp0: xxx.xxx.43.114.22 > XXX.XXX.56.211.32148: S
>
> but It never establishes the connection and I don't see any blocks on pflog0
>
> Seeing how this didn't work I again looked at what was happening and tried
> to add a route on the bridge using the interface as the direction to push
> the /28 network - I assumed this would work like a Cisco { ie static route a
> network out a interface }q
>
> route add XXX.XXX.56.208/28 -interface fxp1
> route: fxp1: bad value
>
> route add XXX.XXX.56.208 -netmask XXX.XXX.XXX.240 -interface fxp1
> route: fxp1: bad value
>
> I am confused now - do I have syntax wrong on this can I not influence a
> route out a interface
> that is just "up"
>
> fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> address: 00:02:b3:bf:e8:b6
> media: Ethernet 100baseTX full-duplex
> status: active
> inet6 fe80::202:b3ff:febf:e8b6%fxp1 prefixlen 64 scopeid 0x2
>
>
> I even tried this line in my pf.conf
> @13 pass in log quick on fxp0 reply-to fxp1 inet proto tcp from
> XXX.XXX.56.211 to xxx.xxx.43.114 port = ssh keep state
>
> and do see the action hiting that line
>
> Jun 09 12:59:01.243481 rule 13/0(match): pass in on fxp0:
> XXX.XXX.56.211.9681 > xxx.xxx.43.114.22: S
>
> but I still get no connection.
>
>
>
>
> The 2514 can talk directly to the bridge but it knows about both /29 and
> /28
>
> 2514_dual_eth>telnet XXX.XXX.43.114 22
> Trying XXX.XXX.43.114, 22 ... Open
> SSH-1.99-OpenSSH_3.6.1
>
> But a Unit on the other side of the 2514 can't
>
> some.host.name:/etc% telnet XXX.XXX.43.114 22
> Trying XXX.XXX.43.114...
>
>
>
> Any Ideas or anyone have a similar situation and they found a resolution?
>
> TIA
>
> Jason Houx
>
>
>
>
>
>
>
--- End Message ---
