Re: Web Traffic forwarding, PF and NC
Hello,

On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:

> Greetings
> ...snip...
> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
> ...snip
> I'm running OpenBSD 3.9 (i386) on both machines.

Why not rdr directly to your internal webserver instead of 127.0.0.1?
OpenBSD 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4

Regards
Stefan Kell
Re: Web Traffic forwarding, PF and NC
On 2008-02-23, Stefan Kell [EMAIL PROTECTED] wrote:
> Hello,
>
> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>
>> Greetings
>> ...snip...
>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>> ...snip
>> I'm running OpenBSD 3.9 (i386) on both machines.
>
> Why not rdr directly to your internal webserver instead of 127.0.0.1?
> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4

Because the return packets will go straight to the cable modem and won't get un-rdr'ed (i.e. have the original addresses put back on them).

You could do this if a) .126 is configured to use .121 as gateway rather than using the cable modem as gateway, and b) there aren't any ICMP redirects affecting things (either they aren't generated, or any which are generated are ignored).

It's a bit of a messy setup though, be sure to document it...

Other possibilities are to put the webserver on a different subnet and either double-NAT, or add a static route to this on the cable modem.

Or one could use a proxy which can write the original address into an HTTP header, and have the webserver log that rather than the packet's source address.
Re: Web Traffic forwarding, PF and NC
Stefan Kell wrote:
> Hello,
>
> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>
>> Greetings
>> ...snip...
>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>> ...snip
>> I'm running OpenBSD 3.9 (i386) on both machines.
>
> Why not rdr directly to your internal webserver instead of 127.0.0.1?
> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4
>
> Regards
> Stefan Kell

Hi

I've tried the following configuration but it yields no effect, i.e. when someone tries to view a web page from the outside the web page isn't served. Maybe something is wrong with the config:

#---
ext_if=rl1
rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80
pass out on $ext_if inet all keep state
pass in on $ext_if inet all keep state
#---
Re: Web Traffic forwarding, PF and NC
Hello,

On Sat, 23 Feb 2008, Stuart Henderson wrote:

> On 2008-02-23, Stefan Kell [EMAIL PROTECTED] wrote:
>> Hello,
>>
>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>
>>> Greetings
>>> ...snip...
>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>>> ...snip
>>> I'm running OpenBSD 3.9 (i386) on both machines.
>>
>> Why not rdr directly to your internal webserver instead of 127.0.0.1?
>> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4
>
> Because the return packets will go straight to the cable modem and won't get un-rdr'ed (i.e. have the original addresses put back on them).
>
> You could do this if a) .126 is configured to use .121 as gateway rather than using the cable modem as gateway, and b) there aren't any ICMP redirects affecting things (either they aren't generated, or any which are generated are ignored).
>
> It's a bit of a messy setup though, be sure to document it...
>
> Other possibilities are to put the webserver on a different subnet and either double-NAT, or add a static route to this on the cable modem.
>
> Or one could use a proxy which can write the original address into an HTTP header, and have the webserver log that rather than the packet's source address.

You are right, of course, but I assumed that the OpenBSD machine is acting as a router and has two interfaces so that no other machine is connected directly to the cable modem. If this assumption is wrong then it would not work.

Regards
Stefan Kell
Re: Web Traffic forwarding, PF and NC
Hello,

On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:

> Stefan Kell wrote:
>> Hello,
>>
>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>
>>> Greetings
>>> ...snip...
>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>>> ...snip
>>> I'm running OpenBSD 3.9 (i386) on both machines.
>>
>> Why not rdr directly to your internal webserver instead of 127.0.0.1?
>> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4
>>
>> Regards
>> Stefan Kell
>
> Hi
>
> I've tried the following configuration but it yields no effect, i.e. when someone tries to view a web page from the outside the web page isn't served. Maybe something is wrong with the config:
>
> #---
> ext_if=rl1
> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80
> pass out on $ext_if inet all keep state
> pass in on $ext_if inet all keep state
> #---

Is the OpenBSD machine acting as a router? Or is the webserver directly connected to the cable modem? Then it cannot work as Stuart Henderson has explained.

My setup would use the machine as a router and different subnets and also nat on the external interface.

Regards
Stefan Kell
Re: Web Traffic forwarding, PF and NC
Stefan Kell wrote:
> Hello,
>
> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>
>> Stefan Kell wrote:
>>> Hello,
>>>
>>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>>
>>>> Greetings
>>>> ...snip...
>>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>>>> ...snip
>>>> I'm running OpenBSD 3.9 (i386) on both machines.
>>>
>>> Why not rdr directly to your internal webserver instead of 127.0.0.1?
>>> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4
>>>
>>> Regards
>>> Stefan Kell
>>
>> Hi
>>
>> I've tried the following configuration but it yields no effect, i.e. when someone tries to view a web page from the outside the web page isn't served. Maybe something is wrong with the config:
>>
>> #---
>> ext_if=rl1
>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80
>> pass out on $ext_if inet all keep state
>> pass in on $ext_if inet all keep state
>> #---
>
> Is the OpenBSD machine acting as a router? Or is the webserver directly connected to the cable modem? Then it cannot work as Stuart Henderson has explained.
>
> My setup would use the machine as a router and different subnets and also nat on the external interface.
>
> Regards
> Stefan Kell

The webserver (192.168.1.126) is directly connected to the cable modem, as is the 192.168.1.121 server.

What service(s) would I need to run on 192.168.1.121 to make it usable as a gateway (router) to 192.168.1.126?

Would just:

# sysctl net.inet.ip.forwarding=1

enable it as a router? I would also need some other service, right?

Sorry for any noobness.
Re: Web Traffic forwarding, PF and NC
Hello,

Original Message
Date: Sat, 23 Feb 2008 21:29:06 +
From: elaconta.com Webmaster [EMAIL PROTECTED]
To: Stefan Kell [EMAIL PROTECTED]
CC: misc@openbsd.org
Subject: Re: Web Traffic forwarding, PF and NC

> Stefan Kell wrote:
>> Hello,
>>
>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>
>>> Stefan Kell wrote:
>>>> Hello,
>>>>
>>>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>>>
>>>>> Greetings
>>>>> ...snip...
>>>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>>>>> ...snip
>>>>> I'm running OpenBSD 3.9 (i386) on both machines.
>>>>
>>>> Why not rdr directly to your internal webserver instead of 127.0.0.1?
>>>> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4
>>>>
>>>> Regards
>>>> Stefan Kell
>>>
>>> Hi
>>>
>>> I've tried the following configuration but it yields no effect, i.e. when someone tries to view a web page from the outside the web page isn't served. Maybe something is wrong with the config:
>>>
>>> #---
>>> ext_if=rl1
>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80
>>> pass out on $ext_if inet all keep state
>>> pass in on $ext_if inet all keep state
>>> #---
>>
>> Is the OpenBSD machine acting as a router? Or is the webserver directly connected to the cable modem? Then it cannot work as Stuart Henderson has explained.
>>
>> My setup would use the machine as a router and different subnets and also nat on the external interface.
>>
>> Regards
>> Stefan Kell
>
> The webserver (192.168.1.126) is directly connected to the cable modem, as is the 192.168.1.121 server.
>
> What service(s) would I need to run on 192.168.1.121 to make it usable as a gateway (router) to 192.168.1.126?
>
> Would just:
>
> # sysctl net.inet.ip.forwarding=1
>
> enable it as a router? I would also need some other service, right?
>
> Sorry for any noobness.

You need two network interfaces on your OpenBSD machine, different subnets physically: one for cable modem and external interface on OpenBSD, one for your internal network. sysctl is necessary as you have written and you need a nat rule in pf.conf.

There are a lot of instructions flowing around in the internet which show you how to do it.

Regards
Stefan Kell
Re: Web Traffic forwarding, PF and NC
On 2008-02-23, elaconta.com Webmaster [EMAIL PROTECTED] wrote:
> What service(s) would I need to run on 192.168.1.121 to make it usable as a gateway (router) to 192.168.1.126?
>
> Would just:
>
> # sysctl net.inet.ip.forwarding=1
>
> enable it as a router?

Yes. But do be aware of the ICMP redirect thing... you can prevent them from being accepted by .126, but you should probably do your own research on this, it is likely to stick in your memory better that way. :-)
Re: Web Traffic forwarding, PF and NC
Stefan Kell wrote:
> Hello,
>
> Original Message
> Date: Sat, 23 Feb 2008 21:29:06 +
> From: elaconta.com Webmaster [EMAIL PROTECTED]
> To: Stefan Kell [EMAIL PROTECTED]
> CC: misc@openbsd.org
> Subject: Re: Web Traffic forwarding, PF and NC
>
>> Stefan Kell wrote:
>>> Hello,
>>>
>>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>>
>>>> Stefan Kell wrote:
>>>>> Hello,
>>>>>
>>>>> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>>>>>
>>>>>> Greetings
>>>>>> ...snip...
>>>>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>>>>>> ...snip
>>>>>> I'm running OpenBSD 3.9 (i386) on both machines.
>>>>>
>>>>> Why not rdr directly to your internal webserver instead of 127.0.0.1?
>>>>> OpenBSD 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4
>>>>>
>>>>> Regards
>>>>> Stefan Kell
>>>>
>>>> Hi
>>>>
>>>> I've tried the following configuration but it yields no effect, i.e. when someone tries to view a web page from the outside the web page isn't served. Maybe something is wrong with the config:
>>>>
>>>> #---
>>>> ext_if=rl1
>>>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 192.168.1.126 port 80
>>>> pass out on $ext_if inet all keep state
>>>> pass in on $ext_if inet all keep state
>>>> #---
>>>
>>> Is the OpenBSD machine acting as a router? Or is the webserver directly connected to the cable modem? Then it cannot work as Stuart Henderson has explained.
>>>
>>> My setup would use the machine as a router and different subnets and also nat on the external interface.
>>>
>>> Regards
>>> Stefan Kell
>>
>> The webserver (192.168.1.126) is directly connected to the cable modem, as is the 192.168.1.121 server.
>>
>> What service(s) would I need to run on 192.168.1.121 to make it usable as a gateway (router) to 192.168.1.126?
>>
>> Would just:
>>
>> # sysctl net.inet.ip.forwarding=1
>>
>> enable it as a router? I would also need some other service, right?
>>
>> Sorry for any noobness.
>
> You need two network interfaces on your OpenBSD machine, different subnets physically: one for cable modem and external interface on OpenBSD, one for your internal network. sysctl is necessary as you have written and you need a nat rule in pf.conf.
>
> There are a lot of instructions flowing around in the internet which show you how to do it.
>
> Regards
> Stefan Kell

Okay, I'm going to add a NIC to 192.168.1.121 (I've got some laying around) and do it that way then. Thanks!
Re: Web Traffic forwarding, PF and NC
On Sat, Feb 23, 2008 at 10:58:00PM +0100, Stefan Kell wrote:
>> The webserver (192.168.1.126) is directly connected to the cable modem, as is the 192.168.1.121 server.
>>
>> What service(s) would I need to run on 192.168.1.121 to make it usable as a gateway (router) to 192.168.1.126?
>>
>> Would just:
>>
>> # sysctl net.inet.ip.forwarding=1
>>
>> enable it as a router? I would also need some other service, right?
>>
>> Sorry for any noobness.
>
> You need two network interfaces on your OpenBSD machine, different subnets physically: one for cable modem and external interface on OpenBSD, one for your internal network. sysctl is necessary as you have written and you need a nat rule in pf.conf.
>
> There are a lot of instructions flowing around in the internet which show you how to do it.

It should work just fine if you enable forwarding on .121, keep the rdr rule as is and change .126's gateway to point at .121, which will then handle the translation of return packets and pass them through its default route to the cable modem.

Disclaimer: I'm tired and on GPRS.

-- 
Jussi Peltola
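The following is an added example, not code from the thread, from OpenBSD or from any of the posters. It is a small Python model of the return path that the thread argues about: Stuart's point that the web server's reply goes straight to the cable modem and is never un-rdr'ed, Jussi's fix of pointing .126's default gateway at .121 so the reply passes back through pf's state, and Stefan's variant of moving the web server onto a second NIC. Only 192.168.1.121, 192.168.1.126 and the rdr rule come from the thread; the modem address, the outside client, the 10.0.0.0/24 inside network and the `host_routes` argument (which stands in for an ICMP redirect the web server has accepted, Stuart's caveat b) are constructed for the model.

```python
"""Model of the rdr return-path problem discussed on misc@ (constructed example).

One HTTP SYN is pushed through the thread's rule on the .121 box
    rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> <web> port 80
and the web server's reply is routed the way a plain host would route it.
The client only accepts the reply if it comes from the address:port it
connected to, i.e. only if something un-rdr'ed it on the way back.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
PF_BOX = "192.168.1.121"        # from the thread: OpenBSD box running pf
WEBSERVER = "192.168.1.126"     # from the thread: web server on the same LAN
MODEM = "192.168.1.1"           # constructed: cable modem's LAN address
CLIENT = "203.0.113.10"         # constructed: outside client (TEST-NET-3)
INSIDE_NET = ip_network("10.0.0.0/24")  # constructed: net behind a 2nd NIC
PF_INSIDE = "10.0.0.1"          # constructed: .121's second NIC
WEB_INSIDE = "10.0.0.2"         # constructed: web server moved behind it
PF_ADDRESSES = {PF_BOX, PF_INSIDE}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def next_hop(host_net, gateway, dst):
    """Plain host routing: on-link destinations go direct, everything else
    goes to the gateway, which must itself be on-link (otherwise: no route)."""
    if ip_address(dst) in host_net:
        return dst
    return gateway if ip_address(gateway) in host_net else None


class PfBox:
    """The .121 box: the rdr rule plus the state entry pf keeps for it."""

    def __init__(self, rdr_target):
        self.rdr_target = rdr_target
        self.states = {}  # (client addr, client port) -> (orig dst, orig port)

    def forward_in(self, pkt):
        """Packet arriving on the external interface from the modem."""
        if pkt.dst == PF_BOX and pkt.dport == 80:
            self.states[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            pkt = replace(pkt, dst=self.rdr_target, dport=80)
        return pkt

    def forward_out(self, pkt):
        """A reply that reaches .121: un-rdr it from the state, i.e. put the
        original destination back as the source, then it leaves via the modem."""
        key = (pkt.dst, pkt.dport)
        if key in self.states and pkt.src == self.rdr_target:
            orig_dst, orig_port = self.states[key]
            pkt = replace(pkt, src=orig_dst, sport=orig_port)
        return pkt


def simulate(web_ip, web_net, web_gateway, host_routes=None):
    """Send one client SYN to .121:80 and follow the web server's reply.

    host_routes maps destination -> gateway for per-host routes the web
    server has learned, e.g. from an ICMP redirect (constructed stand-in).
    Returns (reply as the client sees it, or None; whether the client accepts it).
    """
    pf = PfBox(rdr_target=web_ip)
    host_routes = host_routes or {}

    syn = Packet(CLIENT, 40001, PF_BOX, 80)   # handed to .121 by the modem
    to_web = pf.forward_in(syn)               # now addressed to web_ip:80
    reply = Packet(to_web.dst, to_web.dport, to_web.src, to_web.sport)

    gateway = host_routes.get(reply.dst, web_gateway)
    hop = next_hop(web_net, gateway, reply.dst)
    if hop in PF_ADDRESSES:
        reply = pf.forward_out(reply)         # un-rdr'ed, then out via modem
    elif hop != MODEM:
        return None, False                    # web server has no usable route
    # hop == MODEM: the reply leaves untouched; pf's state never sees it
    return reply, (reply.src, reply.sport) == (PF_BOX, 80)


def scenarios():
    """The topologies discussed in the thread, in order of appearance."""
    return {
        "flat LAN, web server gateway = modem": simulate(WEBSERVER, LAN, MODEM),
        "flat LAN, web server gateway = .121": simulate(WEBSERVER, LAN, PF_BOX),
        "flat LAN, gateway = .121 but redirect to modem honoured":
            simulate(WEBSERVER, LAN, PF_BOX, {CLIENT: MODEM}),
        "web server on a second NIC behind .121":
            simulate(WEB_INSIDE, INSIDE_NET, PF_INSIDE),
    }


if __name__ == "__main__":
    for name, (reply, ok) in scenarios().items():
        seen = f"reply from {reply.src}:{reply.sport}" if reply else "no reply"
        print(f"{name:58} {seen:32} {'works' if ok else 'BROKEN'}")
```

Running it prints one line per topology: the flat LAN with the modem as gateway is broken (the client gets a packet from 192.168.1.126 instead of .121 and drops it), Jussi's gateway change and Stefan's second NIC both work, and the "redirect honoured" row is Stuart's caveat b: as long as .126 shares a segment with the modem, a redirect it accepts puts the reply back on the direct path. On OpenBSD the host-side knob for that is `net.inet.icmp.rediraccept`, and `net.inet.ip.redirect` controls whether a router generates them.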