Re: pf nat and routing question
Hi, We do exactly the same thing for our wifi network. Users on wifi can *only* use public IP addresses. The solution is easy, you just have to consider where you do your nat'ing; You can't do bin-at, so you will need nat-to and rdr-to rules to make it work. E.g. The following line translates the public IP to the internal IP regardless of whether to connection ingresses the firewall from the outside web, or from your internal wifi network match in proto tcp from any to { $ext_ip_rc5 } port { https } rdr-to $int_ip_lard But the nat-to is only needed on the outside interface match out on { $if_ext } from { $int_ip_lard } to any nat-to $ext_ip_rc5 And so you will need three rules.. Ingress pass rule on the external interface, another ingress pass rule on the wifi interface, and an egress pass rule on the DMZ interface where the server is. If the internal server is on the same LAN as the internal clients that *have to use the public IP address, then an extra nat-to rule is needed. Keep the same ingress rdr-to rule to translate the public to the private, but you will also need an extra nat-to rule as the packet egresses the firewall to make all connection look like they have come from the firewall. This ensure that when the server replies, it replies back to the firewall, who then replies back to the internal client. Without this rule the internal server would just reply to the internal client directly, meaning the firewall only sees the forward traffic and won't be able to update its states properly and things won't work. PS; Make sure to be carful about what internal firewall IP you NAT to, and you need to remember that this limits the number of connections to the internal server, as everyone (from internal) will appear to come from the firewall which has a limited number of source ports... EG; This ensure that if a firewall failover happens (with CARP) that all still works :) pass out on $if_lan from ($if_lan:network) to $server nat-to (carp1) Hope this helps. A On 24 Jun 2015, at 12:16, Marko CupaÄ marko.cu...@mimar.rs wrote: Hi, my setup is actually more complicated, but for purpose of this mail I am going to try and keep it simple. My firewall redirects requests to some service from the Internet to server on private network: pass in on $ext_if inet proto tcp from any to $srv-pub port $service rdr-to $srv-priv Internet hosts can access service without problem via its public IP address. Clients on internal network can access service without problem via its private IP address. Now, I have some clients on internal network who are forbidden communication with private address space, so they need to access service via its public IP address. Unfortunately this does not work. Hopefully someone already had this problem and will be able to point me in the right direction. Regards, -- Marko CupaÄ https://www.mimar.rs/
Re: pf nat and routing question
On Wed, 24 Jun 2015 08:17:15 -0400 Michel Blais mic...@targointernet.com wrote: The solution seem his explain on this link http://www.openbsd.org/faq/pf/rdr.html#reflect On Thu, 25 Jun 2015 14:50:42 +0100 Andy Lemin a...@brandwatch.com wrote: Hi, We do exactly the same thing for our wifi network. Users on wifi can *only* use public IP addresses. The solution is easy, you just have to consider where you do your nat'ing; Michel, Andy, thank you for your suggestions. I went for http://www.openbsd.org/faq/pf/rdr.html#tcpproxy I'm satisfied with result. Regards, -- Marko Cupać https://www.mimar.rs/
Re: pf nat and routing question
On 25 Jun 2015, at 15:46, Marko Cupać marko.cu...@mimar.rs wrote: On Wed, 24 Jun 2015 08:17:15 -0400 Michel Blais mic...@targointernet.com wrote: The solution seem his explain on this link http://www.openbsd.org/faq/pf/rdr.html#reflect On Thu, 25 Jun 2015 14:50:42 +0100 Andy Lemin a...@brandwatch.com wrote: Hi, We do exactly the same thing for our wifi network. Users on wifi can *only* use public IP addresses. The solution is easy, you just have to consider where you do your nat'ing; Michel, Andy, thank you for your suggestions. I went for http://www.openbsd.org/faq/pf/rdr.html#tcpproxy I'm satisfied with result. Cool, but you are using a big hammer (not a sledge ;) for a nut.. And your CPU knows the difference. If load is v.small, then irelevant. Regards, -- Marko Cupać https://www.mimar.rs/
pf nat and routing question
Hi, my setup is actually more complicated, but for purpose of this mail I am going to try and keep it simple. My firewall redirects requests to some service from the Internet to server on private network: pass in on $ext_if inet proto tcp from any to $srv-pub port $service rdr-to $srv-priv Internet hosts can access service without problem via its public IP address. Clients on internal network can access service without problem via its private IP address. Now, I have some clients on internal network who are forbidden communication with private address space, so they need to access service via its public IP address. Unfortunately this does not work. Hopefully someone already had this problem and will be able to point me in the right direction. Regards, -- Marko Cupać https://www.mimar.rs/
Re: pf nat and routing question
The solution seem his explain on this link http://www.openbsd.org/faq/pf/rdr.html#reflect Message d'origine De: Marko Cupać Envoyé: mercredi 24 juin 2015 07:21 À: misc@openbsd.org Objet: pf nat and routing question Hi, my setup is actually more complicated, but for purpose of this mail I am going to try and keep it simple. My firewall redirects requests to some service from the Internet to server on private network: pass in on $ext_if inet proto tcp from any to $srv-pub port $service rdr-to $srv-priv Internet hosts can access service without problem via its public IP address. Clients on internal network can access service without problem via its private IP address. Now, I have some clients on internal network who are forbidden communication with private address space, so they need to access service via its public IP address. Unfortunately this does not work. Hopefully someone already had this problem and will be able to point me in the right direction. Regards, -- Marko Cupać https://www.mimar.rs/
Re: Static routing question
On 11/10/14, 2:46 PM, Peter Hessler wrote: As I said before. _This_ _Is_ _Not_ _Possible_. Period. Wellif you're doing bridging on the Linux setup you're trying to replace, but don't realize it, forget to mention that the Cisco actually *does* have an address in the /29 the Free/OpenBSD box lives on twice, and then have a conceptual breakdown between layer 2 and layer 3, you might end up where the OP is. At least that's the conclusion I've tentatively come to given the parallel conversation on freebsd-questions. :-) I think he's trying to do a bump-on-the-wire firewall. Here's OP's network diagram from freebsd-questions, with one correction based on a later clarification: +---+ | Cisco | +-+-+ |if: 189.92.72.9/29 | |em0: 189.92.72.10/255.255.255.248 +-+---+ | FreeBSD | +-+---+ |em1: 189.92.72.11/255.255.255.248 | | +-+--+ | Switch |+-+ ++| MAIL | |---+-+ bnx0: 189.72.92.12/255.255.255.248 Looks like a stereotypical bump-on-the-wire bridging firewall to me. Dante: see http://www.openbsd.org/faq/faq6.html#Bridge And in OpenBSD I'd address only one of the interfaces (or none of them if you wish to increase security by forcing all management to be done from the console). And it's not routing. So don't try to use routes. --Jon Radel j...@radel.com [demime 1.01d removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
Re: Static routing question
Hi This is a part of the output containing the static routes related to *bnx0* , *bnx1 *, i was trying to make a static route for the 189.92.72.11 pointing to *bnx1* but without success, is it possible ? below the routes is the output of ifconfig these interfaces, i'm gonna try a bridge also. Thank all of you for the responses. Regards Dante F. B. Colò default189.92.72.9UGS 5746 674637542 - 8 bnx0 189.92.72.8/29 link#5 UC 30 - 4 bnx0 189.92.72.9f4:0f:1b:20:4b:20 UHLc 10 - 4 bnx0 189.92.72.10 00:10:18:9d:31:84 UHLc 0 42 - 4 lo0 189.92.72.11 link#5 UHLc 01 - 4 bnx0 204.31.112/24 link#2 C 00 - 4 bge1 204.31.112.24/29 link#2 C 10 - 4 bge1 204.31.112.26 00:25:64:3c:de:76 UHLc 0 34 - 4 lo0 224/4 127.0.0.1 URS00 33200 8 lo0 bnx1: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 mtu 1500 lladdr 00:10:18:9d:31:86 priority: 0 media: Ethernet autoselect (1000baseT full-duplex) status: active inet 189.92.72.11 netmask 0xfff8 broadcast 189.92.72.15 bnx0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1400 lladdr 00:10:18:9d:31:84 priority: 0 groups: egress media: Ethernet autoselect (1000baseT full-duplex) status: active inet6 fe80::210:18ff:fe9d:3184%bnx0 prefixlen 64 scopeid 0x5 inet 189.92.72.10 netmask 0xfff8 broadcast 189.92.72.15 On 11/7/14 4:18 AM, rjc wrote: On Thu, Nov 06, 2014 at 04:12:20PM EST, Dante F. B. Colò wrote: Hello everyone Hi Dante, I'm trying to setup some static routes on a openbsd 4.9 box for some public addresses , the machine has two ethernet cards *bnx0 ***and *bnx1 ***, *bnx0* is attached to a Cisco internet router and *bnx1*** is connected to a switch, both interfaces have public addresses of the same range , *bnx1 *appears has absolutely no communication , i took a look at the static routes and there is a route for the subnet that it goes to *bnx0* , i'm trying to add a static route for the ip address pointing to the***bnx1 *without pass gateway using *-iface* parameter but always returns Network unreachble, someone can help me or give some tips to fix this ? for many here this is probably a nooby question, we also have some firewall Linux boxes that i'm gonna migrate to openbsd but first i have to solve this. First and foremost, if you ask any questions regarding networking, you should include the content of: /etc/hostname.bnx{0,1} /etc/mygate # if it exists and you're not using DHCP Please also include the output of: router show and any commands exactly as you enter them. That would be a good place to start - BTW, this information should have been included in the first email. Regards, rjc P.S. 4.9? Isn't it time to upgrade? ;^)
Re: Static routing question
As I said before. _This_ _Is_ _Not_ _Possible_. Period. On 2014 Nov 10 (Mon) at 17:30:50 -0200 (-0200), Dante F. B. Col? wrote: :Hi : :This is a part of the output containing the static routes related to :*bnx0* , *bnx1 *, i was trying to make a static route for the :189.92.72.11 pointing to *bnx1* but without success, is it possible ? No. You CANNOT do that. :bnx1: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 mtu 1500 : lladdr 00:10:18:9d:31:86 : priority: 0 : media: Ethernet autoselect (1000baseT full-duplex) : status: active : inet 189.92.72.11 netmask 0xfff8 broadcast 189.92.72.15 : :bnx0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1400 : lladdr 00:10:18:9d:31:84 : priority: 0 : groups: egress : media: Ethernet autoselect (1000baseT full-duplex) : status: active : inet6 fe80::210:18ff:fe9d:3184%bnx0 prefixlen 64 scopeid 0x5 : inet 189.92.72.10 netmask 0xfff8 broadcast 189.92.72.15 : -- You have acquired a scroll entitled 'irk gleknow mizk'(n).--More-- This is an IBM Manual scroll.--More-- You are permanently confused. -- Dave Decot
Re: Static routing question
On Thu, Nov 06, 2014 at 07:12:20PM -0200, Dante F. B. Col?? wrote: I'm trying to setup some static routes on a openbsd 4.9 box for some public addresses This usually gets mentioned, so I'll go ahead and bring this to your attention. OpenBSD 4.9 is long unsupported. There have been many releases since then, so I'd highly suggest a fresh install of 5.6 if you are able.
Re: Static routing question
That is not supported. You MUST NOT have IPs in the same range on different interfaces. You can assign some /32s (or /128 if you are using IPv6) to a lo1 on the system, but that may not be what you want. On 2014 Nov 06 (Thu) at 19:12:20 -0200 (-0200), Dante F. B. Col?? wrote: :Hello everyone : :I'm trying to setup some static routes on a openbsd 4.9 box for some :public addresses , the machine has two ethernet cards *bnx0 ***and *bnx1 :***, *bnx0* is attached to a Cisco internet router and *bnx1*** is :connected to a switch, both interfaces have public addresses of the :same range , *bnx1 *appears has absolutely no communication , i took a :look at the static routes and there is a route for the subnet that it :goes to *bnx0* , i'm trying to add a static route for the ip address :pointing to the***bnx1 *without pass gateway using *-iface* parameter :but always returns Network unreachble, someone can help me or give :some tips to fix this ? for many here this is probably a nooby question, :we also have some firewall Linux boxes that i'm gonna migrate to openbsd :but first i have to solve this. : :Best Regards :Dante F. B. Col?? : -- Those who educate children well are more to be honored than parents, for these only gave life, those the art of living well. -- Aristotle
Re: Static routing question
On 2014-11-07, li...@ggp2.com li...@ggp2.com wrote: On Thu, Nov 06, 2014 at 07:12:20PM -0200, Dante F. B. Col?? wrote: I'm trying to setup some static routes on a openbsd 4.9 box for some public addresses This usually gets mentioned, so I'll go ahead and bring this to your attention. Yes, it usually does, and often by people who just pick up on that one point.. OpenBSD 4.9 is long unsupported. There have been many releases since then, so I'd highly suggest a fresh install of 5.6 if you are able. It is absolutely correct that 4.9 is long unsupported, but running 5.6 or -current is going to make no difference to the problem that Dante described. phessler has it right; I have one thing to add though, this might be a situation where a bridge(4) can help.
Re: Static routing question
On 2014-11-07, li...@ggp2.com li...@ggp2.com wrote: On Thu, Nov 06, 2014 at 07:12:20PM -0200, Dante F. B. Col?? wrote: I'm trying to setup some static routes on a openbsd 4.9 box for some public addresses This usually gets mentioned, so I'll go ahead and bring this to your attention. Yes, it usually does, and often by people who just pick up on that one point.. OpenBSD 4.9 is long unsupported. There have been many releases since then, so I'd highly suggest a fresh install of 5.6 if you are able. It is absolutely correct that 4.9 is long unsupported, but running 5.6 or -current is going to make no difference to the problem that Dante described. phessler has it right; I have one thing to add though, this might be a situation where a bridge(4) can help. When someone submits a bug report regarding an old release, we can go around and around in circles finding out if it is still valid. Or we can shotcut the problem, since there aren't enough people to verify things. Since I value my sanity, I saw that report, and I ignored it.
Static routing question
Hello everyone I'm trying to setup some static routes on a openbsd 4.9 box for some public addresses , the machine has two ethernet cards *bnx0 ***and *bnx1 ***, *bnx0* is attached to a Cisco internet router and *bnx1*** is connected to a switch, both interfaces have public addresses of the same range , *bnx1 *appears has absolutely no communication , i took a look at the static routes and there is a route for the subnet that it goes to *bnx0* , i'm trying to add a static route for the ip address pointing to the***bnx1 *without pass gateway using *-iface* parameter but always returns Network unreachble, someone can help me or give some tips to fix this ? for many here this is probably a nooby question, we also have some firewall Linux boxes that i'm gonna migrate to openbsd but first i have to solve this. Best Regards Dante F. B. Colò
Re: Static routing question
On Thu, Nov 06, 2014 at 04:12:20PM EST, Dante F. B. Colò wrote: Hello everyone Hi Dante, I'm trying to setup some static routes on a openbsd 4.9 box for some public addresses , the machine has two ethernet cards *bnx0 ***and *bnx1 ***, *bnx0* is attached to a Cisco internet router and *bnx1*** is connected to a switch, both interfaces have public addresses of the same range , *bnx1 *appears has absolutely no communication , i took a look at the static routes and there is a route for the subnet that it goes to *bnx0* , i'm trying to add a static route for the ip address pointing to the***bnx1 *without pass gateway using *-iface* parameter but always returns Network unreachble, someone can help me or give some tips to fix this ? for many here this is probably a nooby question, we also have some firewall Linux boxes that i'm gonna migrate to openbsd but first i have to solve this. First and foremost, if you ask any questions regarding networking, you should include the content of: /etc/hostname.bnx{0,1} /etc/mygate # if it exists and you're not using DHCP Please also include the output of: router show and any commands exactly as you enter them. That would be a good place to start - BTW, this information should have been included in the first email. Regards, rjc P.S. 4.9? Isn't it time to upgrade? ;^)
hostname.if routing question
I am having trouble figuring out how I should configure a physical interface and a carp virtual interface where the carp IP will serve as a default route for hosts on the network and also hold some aliases for server re-directs. From what I have seen the routes built at startup home the route for the network on the interface that is configured with the actual network mask so: /etc/hostname.em0 inet A.B.C.14 255.255.255.240 A.B.C.15 rdomain 2 /etc/hostname.carp0 vhid 9 pass rdomain 2 inet A.B.C.1 255.255.255.255 A.B.C.15 rdomain 2 inet alias A.B.C.3 255.255.255.255 A.B.C.15 rdomain 2 inet alias A.B.C.4 255.255.255.255 A.B.C.15 rdomain 2 Will put the A.B.C.0/28 entry in table 2 to: A.B.C.0/28 link#1 UC 0 0 - 4 em0 Changing the masks so carp0 has the open mask on its first ip and em0 is all 1s yields: A.B.C.0/28 link#9 UC 0 0 - 4 carp0 Is it better for that to be on carp0 instead of em0, given that carp0 will be the router for that network?
IPSEC/ISAKMPD routing question
Hello, I have an IPSEC VPNs in Tunnelmode, configured in ipsec.conf with a line like: ike active esp tunnel from my_internal_net to his_internal_net peer his_gateway_address main_mode_parameters quick_mode_parameters preshared_key My isakmpd.policy file is # cat /etc/isakmpd/isakmpd.policy Keynote-version: 2 Authorizer: POLICY Conditions: app_domain == IPsec policy esp_present == yes esp_enc_alg != null - true; Every thing works fine. But today, one of the remote_gateways was replaced by a misconfigured new one, leading to the following phase-2 packet: 13:29:01.098526 remote_gateway_ip.500 my_gateway_ip.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: 70de03ee348066c9-76aabe706bed52c2 msgid: 301c68c8 len: 300 payload: HASH len: 24 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xcb2d2b94 payload: TRANSFORM len: 32 transform: 1 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = TUNNEL attribute KEY_LENGTH = 128 attribute AUTHENTICATION_ALGORITHM = HMAC_SHA attribute GROUP_DESCRIPTION = 2 payload: NONCE len: 20 payload: KEY_EXCH len: 132 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0 [ttl 0] (id 1, len 328) Please note that both ID parameters in this packet are 0.0.0.0. This lead to a routing entry ( made by isakmpd, I suppose ): # netstat -rn | grep his_ip default0 default0 0 remote_gateway_ip/esp/use/in default0 default0 0 remote_gateway_ip/esp/require/out This route virtually disconnected my gateway from the external and from the internal network, no ping to any address was successful. I would like to ask: 1. Is it true, that isakmpd is supposed to accept any ID parameter of type IPV4_ADDR_SUBNET ) in quick mode and set up a corresponing route, even when it is the 'default' route? 2. What would I have to change to only accept those remote network Ids that are configured in ipsec.conf? Thanks
Re: IPSEC/ISAKMPD routing question
2011/1/10, Christoph Leser le...@sup-logistik.de: Hello, I have an IPSEC VPNs in Tunnelmode, configured in ipsec.conf with a line like: ike active esp tunnel from my_internal_net to his_internal_net peer his_gateway_address main_mode_parameters quick_mode_parameters preshared_key My isakmpd.policy file is # cat /etc/isakmpd/isakmpd.policy Keynote-version: 2 Authorizer: POLICY Conditions: app_domain == IPsec policy esp_present == yes esp_enc_alg != null - true; Every thing works fine. But today, one of the remote_gateways was replaced by a misconfigured new one, leading to the following phase-2 packet: 13:29:01.098526 remote_gateway_ip.500 my_gateway_ip.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE cookie: 70de03ee348066c9-76aabe706bed52c2 msgid: 301c68c8 len: 300 payload: HASH len: 24 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xcb2d2b94 payload: TRANSFORM len: 32 transform: 1 ID: AES attribute LIFE_TYPE = SECONDS attribute LIFE_DURATION = 28800 attribute ENCAPSULATION_MODE = TUNNEL attribute KEY_LENGTH = 128 attribute AUTHENTICATION_ALGORITHM = HMAC_SHA attribute GROUP_DESCRIPTION = 2 payload: NONCE len: 20 payload: KEY_EXCH len: 132 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0 [ttl 0] (id 1, len 328) Please note that both ID parameters in this packet are 0.0.0.0. This lead to a routing entry ( made by isakmpd, I suppose ): # netstat -rn | grep his_ip default0 default0 0 remote_gateway_ip/esp/use/in default0 default0 0 remote_gateway_ip/esp/require/out This route virtually disconnected my gateway from the external and from the internal network, no ping to any address was successful. I would like to ask: 1. Is it true, that isakmpd is supposed to accept any ID parameter of type IPV4_ADDR_SUBNET ) in quick mode and set up a corresponing route, even when it is the 'default' route? 2. What would I have to change to only accept those remote network Ids that are configured in ipsec.conf? Thanks -- Martin PelikC!n, Steadynet E-mail: martin.peli...@gmail.com, gpg key 0x7176E4C9 Tel: +420 724 818 573 Jabber: sztor...@jabber.cz web: http://cap.potazmo.cz/
Re: IPSEC/ISAKMPD routing question
2011/1/10, Christoph Leser le...@sup-logistik.de: I would like to ask: 1. Is it true, that isakmpd is supposed to accept any ID parameter of type IPV4_ADDR_SUBNET ) in quick mode and set up a corresponing route, even when it is the 'default' route? Yes, some people want all their traffic through encrypted tunnel. I used to bring IPv6 to places where people were ignoring it -- exactly this way. You might want to specify it in your policy file, like: remote_filter != 000.000.000.000-255.255.255.255 or remote_filter_type != IPv4 subnet 2. What would I have to change to only accept those remote network Ids that are configured in ipsec.conf? The above, or more specific. Sorry for the previous empty reply, I'll finally try to learn how to use an email client. -- Martin Pelikan
routing question: 2 mail servers sending from their own IPs
Hi folks, I'm running into a bit of a routing gotcha getting two mail servers to send mail out using their own respective IP addresses. (While this involves postfix, this is not a postfix support question, it's a routing question) What I'm trying to accomplish is this: - two autonomous domains, each with their own mail server instance (postfix in this case) so that one domain never 'mentions' the other domain. Using one instance of postfix to relay for the 2nd domain is not an option, as domain1.com will be shown in the headers when mail is from domain2.com. The reason is that 2nd domain is a business entity and should not be associated in any way with the first. The setup (which works fine): - the two domains have their own external IPs, dns-wise. - two instances of postfix listen on their respective external IPs taking mail for their domains (set in master.cf) - postfix acts as a mail gateway on the firewall, which shuffles mail to either of two instances of postfix on an internal mail server - 5 (non-contiguous) IPs are assigned to me by ADSL, so I have one physical connection, with 1 'main' IP and 4 aliases. That works fine and dandy: two independent domains. I should mention that (some) internal traffic, depending on its origin, is NAT'd out with pf on those aliases, appearing to come from independent networks. The problem: - mail sent out via either instance of postfix, regardless of the master.cf setting, go out on the 'main' IP, such that mail headers appear like such: Received: from mail.domain2.com (erratic.ca [75.119.251.119]) The goal: I'd prefer it to read .. from mail.domain2.com (domain2.com [a.b.c.d]) The untouched firewall routing table looks like this: Internet: DestinationGatewayFlags Refs Use Mtu Prio Iface default206.248.154.122UGS322803 56410450 - 8 tun0 127/8 127.0.0.1 UGRS 00 33200 8 lo0 (snipping a bunch of lo0 stuff) 192.168.0/24 link#1 UC 10 - 4 nfe0 192.168.0.200:0d:60:91:5d:a4 UHLc 143271 - 4 nfe0 192.168.1/24 link#5 UC 20 - 4 sk0 192.168.1.200:19:5b:68:91:20 UHLc 1 7177 - 4 sk0 192.168.1.300:10:c6:b5:c1:72 UHLc 4 136762 - 4 sk0 192.168.2/24 link#5 UC 10 - 4 sk0 192.168.2.1127.0.0.1 UGHS 00 33200 8 lo0 192.168.3/24 link#5 UC 00 - 4 sk0 192.168.3.1127.0.0.1 UGHS 00 33200 8 lo0 206.248.154.12275.119.251.119 UH 10 1492 4 tun0 224/4 127.0.0.1 URS00 33200 8 lo0 I've tried this: # route add 206.248.154.122 a.b.c.d but my routing-fu is not strong. That command gives all of the above, plus this: 206.248.154.122a.b.c.dUGHS 00 - 8 tun0 Of course, sending mails from domain2.com still appears from erratic.ca. Any suggestions? Clear as mud? The firewall does not have an /etc/mygate set, and is OpenBSD 4.6-current (GENERIC) #7: Sat Jan 23 16:34:02 EST 2010, but I don't think a dmesg is of much use here. Unrelated question: can smtpd handle this kind of funkiness? I'd like to switch to smtpd eventually if it can, but that's another project for another day. Thanks! -- - RSM www.erratic.ca
Re: routing question: 2 mail servers sending from their own IPs
On Sat, Mar 27, 2010 at 1:02 AM, Scott McEachern sc...@erratic.ca wrote: Hi folks, I'm running into a bit of a routing gotcha getting two mail servers to send mail out using their own respective IP addresses. (While this involves postfix, this is not a postfix support question, it's a routing question) I don't see anything about routing in your question. What I see is an issue involving the binding of the client-side of TCP connections. ... The setup (which works fine): - the two domains have their own external IPs, dns-wise. - two instances of postfix listen on their respective external IPs taking mail for their domains (set in master.cf) - postfix acts as a mail gateway on the firewall, which shuffles mail to either of two instances of postfix on an internal mail server - 5 (non-contiguous) IPs are assigned to me by ADSL, so I have one physical connection, with 1 'main' IP and 4 aliases. ... The problem: - mail sent out via either instance of postfix, regardless of the master.cf setting, go out on the 'main' IP, such that mail headers appear like such: Received: from mail.domain2.com (erratic.ca [75.119.251.119]) The goal: I'd prefer it to read .. from mail.domain2.com (domain2.com [a.b.c.d]) You need to configure the postfix for domain2.com to explicitly bind() to the IP address of a.b.c.d and not use the default for the host. (You might think but I've configured this postfix instance to only listen on IP A.B.C.D, why isn't it sending from that IP?. The answer is because, in general, such a restriction is *not* correct behavior for MTAs, and therefore is not the default for postfix.) Philip Guenther
Re: routing question: 2 mail servers sending from their own IPs
Check into smtp_bind_address in Postfix. If you're still having issues, binat rather than rdr to internal IPs so connections will originate properly. Without seeing your pf.conf or master.cf, this is a guess, but I think these tips should lead you in the right direction. ...master.cf: smtp ... smtp -o smtp_bind_address=11.22.33.44 On 3/27/10 3:02 AM, Scott McEachern wrote: Hi folks, I'm running into a bit of a routing gotcha getting two mail servers to send mail out using their own respective IP addresses. (While this involves postfix, this is not a postfix support question, it's a routing question) What I'm trying to accomplish is this: - two autonomous domains, each with their own mail server instance (postfix in this case) so that one domain never 'mentions' the other domain. Using one instance of postfix to relay for the 2nd domain is not an option, as domain1.com will be shown in the headers when mail is from domain2.com. The reason is that 2nd domain is a business entity and should not be associated in any way with the first. The setup (which works fine): - the two domains have their own external IPs, dns-wise. - two instances of postfix listen on their respective external IPs taking mail for their domains (set in master.cf) - postfix acts as a mail gateway on the firewall, which shuffles mail to either of two instances of postfix on an internal mail server - 5 (non-contiguous) IPs are assigned to me by ADSL, so I have one physical connection, with 1 'main' IP and 4 aliases. That works fine and dandy: two independent domains. I should mention that (some) internal traffic, depending on its origin, is NAT'd out with pf on those aliases, appearing to come from independent networks. The problem: - mail sent out via either instance of postfix, regardless of the master.cf setting, go out on the 'main' IP, such that mail headers appear like such: Received: from mail.domain2.com (erratic.ca [75.119.251.119]) The goal: I'd prefer it to read .. from mail.domain2.com (domain2.com [a.b.c.d]) The untouched firewall routing table looks like this: Internet: DestinationGatewayFlags Refs Use Mtu Prio Iface default206.248.154.122UGS322803 56410450 - 8 tun0 127/8 127.0.0.1 UGRS 00 33200 8 lo0 (snipping a bunch of lo0 stuff) 192.168.0/24 link#1 UC 10 - 4 nfe0 192.168.0.200:0d:60:91:5d:a4 UHLc 143271 - 4 nfe0 192.168.1/24 link#5 UC 20 - 4 sk0 192.168.1.200:19:5b:68:91:20 UHLc 1 7177 - 4 sk0 192.168.1.300:10:c6:b5:c1:72 UHLc 4 136762 - 4 sk0 192.168.2/24 link#5 UC 10 - 4 sk0 192.168.2.1127.0.0.1 UGHS 00 33200 8 lo0 192.168.3/24 link#5 UC 00 - 4 sk0 192.168.3.1127.0.0.1 UGHS 00 33200 8 lo0 206.248.154.12275.119.251.119 UH 10 1492 4 tun0 224/4 127.0.0.1 URS00 33200 8 lo0 I've tried this: # route add 206.248.154.122 a.b.c.d but my routing-fu is not strong. That command gives all of the above, plus this: 206.248.154.122a.b.c.dUGHS 00 - 8 tun0 Of course, sending mails from domain2.com still appears from erratic.ca. Any suggestions? Clear as mud? The firewall does not have an /etc/mygate set, and is OpenBSD 4.6-current (GENERIC) #7: Sat Jan 23 16:34:02 EST 2010, but I don't think a dmesg is of much use here. Unrelated question: can smtpd handle this kind of funkiness? I'd like to switch to smtpd eventually if it can, but that's another project for another day. Thanks! -- James M. Shupe shu...@gridexec.com RHCE Certified Plain text preferred 1.903.522.3425 This Email is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and is legally privileged. The information contained in this Email is intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by telephone 1.903.522.3425 and destroy the original message. [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: routing question: 2 mail servers sending from their own IPs
James Shupe wrote: Check into smtp_bind_address in Postfix. If you're still having issues, binat rather than rdr to internal IPs so connections will originate properly. Without seeing your pf.conf or master.cf, this is a guess, but I think these tips should lead you in the right direction. ...master.cf: smtp ... smtp -o smtp_bind_address=11.22.33.44 Thank-you James and Philip, problem solved! Between using inet_interfaces in main.cf and a.b.c.d:smtp... in master.cf, I figured it was covered, but I was wrong. The smtp_bind_address works like a charm, which I didn't see when searching for multiple instances of postfix. I did find it rather odd that I'd have to use routing. I thought it was like using a sledgehammer to solve a thumbtack problem, when it was just a leaky screwdriver. -- - RSM www.erratic.ca
Re: Routing question with 2 external lines.
On 2009-12-06, Alastair Johnson att...@googlemail.com wrote: rdr pass on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 - 10.0.0.50 port 443 rdr pass on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 - 10.0.0.50 port 443 This works like 'pass quick' without reply-to. Remove 'pass' and you'll get the other rules into play.. I have tried separating the pass rule and adding a reply-to but that doesnt seem to work either: pass in on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp from $supplierIP to $CARP_ip_line1 port 443 keep state pass in on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp from $supplierIP to $CARP_ip_line2 port 443 keep state These need to use the translated, not external, addresses. If you still have problems use 'pass in log' and check with tcpdump on pflog0 that the packets actually match the rules. route-to/reply-to were broken for a while, I *think* they were ok in 4.6 but not certain. They do definitely work in -current.
Routing question with 2 external lines.
We have 2 internet lines with 2 different and equally unreliable Internet providers. We have 2 PF firewalls running 4.6 RELEASE arranged in a failover configuration using CARP/pfsync. Each firewall is therefore connected to each router and to our internal network as well as a crossover cable between them for the pfsync. I would like one of our internal servers to be reachable by certain remote people. Given the unreliability of each line I would like a remote person to be able to target the CARP address of either external connection and RDR traffic through to the internal server. Sounds simple and it half works. It only works for whichever line the firewall's default route is pointing towards. Traffic always returns along the default route even if it originates from down the other external line, even if I use reply-to and even if I keep-state and even if I set policy if-bound Is this by design? do I ask the conceptually impossible? it doesnt seem unreasonable - not everyone has high quality lines. I have the following: rdr pass on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 - 10.0.0.50 port 443 rdr pass on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 - 10.0.0.50 port 443 The problem is that replies only get back down the line that is set as default gateway. if the default gateway is down line 1 then an incoming packet coming down line 2 will sucessfully get in to the fw, pass the fw, go to the internal server, come back to the fw but then try to go out down line 1. I have tried separating the pass rule and adding a reply-to but that doesnt seem to work either: pass in on $ext_if1 reply-to ($ext_if1 $isp_gw_ip_1) proto tcp from $supplierIP to $CARP_ip_line1 port 443 keep state pass in on $ext_if2 reply-to ($ext_if2 $isp_gw_ip_2) proto tcp from $supplierIP to $CARP_ip_line2 port 443 keep state I still cant get traffic to return down the interface it arrived on unless its the same as the default route. I have to set a default route because I NAT for internal workstations doing general web browsing. Happy to send a dmesg is it would be useful. Many thanks, Alastair Johnson
Re: nat,ipsec,pf,routing question
the lo1 hack is no longer needed here; read OUTGOING NETWORK ADDRESS TRANSLATION in ipsec.conf(5). On 2009-10-29, Christoph Leser le...@sup-logistik.de wrote: I'm sure I have seen the answer to my question here on the list some time ago, but I'm too stupid to find it again: In what order are the following operations performed on an IP packet a. IPSEC ( decides whether a packet matches an IPSEC flow ) b. normal kernel routing c. NAT d. packet filtering ( block/pass commands in pf.conf ) The reason I ask is that I failed to setup NAT for a IPSEC tunnel as described in http://marc.info/?l=openbsd-pfm=115875312200995w=2 As far as I understand, this can only work if NAT ( on lo1 ) is performed before IPSEC checks for matching flows. Has this order been changed in OBSD4 ( the above post from 2006 refers to OBSD 3.8 ). There is a newer posting on the same issue at http://archives.neohapsis.com/archives/openbsd/2008-12/1110.html, suggesting essentially the same procedure. Regards Christoph
nat,ipsec,pf,routing question
I'm sure I have seen the answer to my question here on the list some time ago, but I'm too stupid to find it again: In what order are the following operations performed on an IP packet a. IPSEC ( decides whether a packet matches an IPSEC flow ) b. normal kernel routing c. NAT d. packet filtering ( block/pass commands in pf.conf ) The reason I ask is that I failed to setup NAT for a IPSEC tunnel as described in http://marc.info/?l=openbsd-pfm=115875312200995w=2 As far as I understand, this can only work if NAT ( on lo1 ) is performed before IPSEC checks for matching flows. Has this order been changed in OBSD4 ( the above post from 2006 refers to OBSD 3.8 ). There is a newer posting on the same issue at http://archives.neohapsis.com/archives/openbsd/2008-12/1110.html, suggesting essentially the same procedure. Regards Christoph
Re: carp / routing question (multiple lines)
On 2008-06-26, openbsd misc [EMAIL PROTECTED] wrote: - how must I read the route-to / reply-to syntax? for example: pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any Outbound packet - normal routing table lookup based on the *destination* address - if the routing table says it should use $ext_if1, this rule will examine the *source* address, if the address is that of $ext_if2 it will not actually leave on $ext_if1 but will instead leave on $ext_if2 with the nexthop set to $ext_gw2. pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any Same as above with different addresses/interfaces. You also need NAT rules, such that traffic to certain ports is rewritten with the source address of one or other connection. This is where you do the classification, and this is what you need to change when one of the connections is down. - the other line should be used if one is down (how to do that with pf?) You need more than just PF for that; you could use ifstated to monitor the connections and use pfctl(8) to load the correct rules. One option is to maintain two complete pf.conf and switch between them, but it's inevitable that sometime they will get out of sync. It's better to use an anchor - search for the word anchor in pf.conf(5) and pfctl(8) to read about them. That way, you can use a single main ruleset, and use a separate file holding the NAT rules; using pfctl -a somename -f somefile you can switch between one and another file depending on which link is up.
carp / routing question (multiple lines)
Hello, I hope I can avoid try'n error this way ;-) I have two firewall systems with carp enabled (running obsd 4.3). These gateways have two internet connections (dsl 6000 and symmetric 4000 provided by a router with an /29 transport net). The symmetric line should be used for vpn and vor mail and http(s) if the dsl line is not available. I tried to google about this topic, but I didn't find much helpful. Someone mentioned http://marc.info/?l=openbsd-miscm=120665186412690w=2 yesterday. Looks like a good starting point because the pf.conf manpage doesn't say much about route-to and reply-to syntax. Every connect should find his way back the same way (same route, using the ip-address the SYN came to). Does someone have a link for me how to set the correct routes and pf-rules? The symmetric line should be set as default route with a higher metric but the source ip should be the carp ip if used. I think my biggest problem is carp, because I don't know how to set up pf corretly with carp in use. As you know pf uses the phisical interface, not the virtual interface, so I think I have to define the source ip, too? I hope someone understand my english ;-) and can give me some links / documentation / examples ... Thanks and regards Hagen Volpers
Re: carp / routing question (multiple lines)
On 2008-06-25, openbsd misc [EMAIL PROTECTED] wrote: I hope I can avoid try'n error this way ;-) I have two firewall systems with carp enabled (running obsd 4.3). These gateways have two internet connections (dsl 6000 and symmetric 4000 provided by a router with an /29 transport net). The symmetric line should be used for vpn and vor mail and http(s) if the dsl line is not available. I tried to google about this topic, but I didn't find much helpful. Someone mentioned http://marc.info/?l=openbsd-miscm=120665186412690w=2 yesterday. Looks like a good starting point because the pf.conf manpage doesn't say much about route-to and reply-to syntax. Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an introduction, the syntax of route-to and reply-to is given in the BNF section at the bottom of pf.conf(5) - everyone writing PF configuration files should learn how to read this section. Everyone copying-and-pasting PF configs from samples really should too... You should also get acquainted with running tcpdump on different interfaces, including pflog0 (with the relevant log in PF rules), it's very useful when you need to debug PF and in particular any complicated NAT/route-to configuration. Does someone have a link for me how to set the correct routes and pf-rules? The symmetric line should be set as default route with a higher metric but the source ip should be the carp ip if used. You set the source address of outgoing packets with NAT rules. You direct packets out the relevant interface with route-to. And you direct return packets for an *incoming* connection with reply-to. Forget metrics/route priority for now, that won't help you direct packets out of one or other connection based on port number, you need PF rules to classify traffic if you want that. I think my biggest problem is carp, because I don't know how to set up pf corretly with carp in use. As you know pf uses the phisical interface, not the virtual interface, so I think I have to define the source ip, too? Where you have to define an interface, use the physical interface (vlan/trunk count as physical interface for this purpose). Where you have to specify an address, use whichever is correct for what you're trying to do, carp/physical/both.
Re: carp / routing question (multiple lines)
Hello, I totally agree, that's why I wrote to mailing list and not copied the example ;-) It's not the first time I'm working with pf, but the first time with two external connections. Thanks for the link, I missed that because of the topic (I'm not looking for load balancing). But I didn't find out how to set this up correctly: - normaly the choosen link is rule (pf) based - the other line should be used if one is down (how to do that with pf?) - how must I read the route-to / reply-to syntax? for example: pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any Till now I wasn't able to get into that, still looking for the click-aha-effect ;-) Thanks for your help. Regards Hagen Volpers -Urspr|ngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Stuart Henderson Gesendet: Donnerstag, 26. Juni 2008 01:47 An: misc@openbsd.org Betreff: Re: carp / routing question (multiple lines) On 2008-06-25, openbsd misc [EMAIL PROTECTED] wrote: I hope I can avoid try'n error this way ;-) I have two firewall systems with carp enabled (running obsd 4.3). These gateways have two internet connections (dsl 6000 and symmetric 4000 provided by a router with an /29 transport net). The symmetric line should be used for vpn and vor mail and http(s) if the dsl line is not available. I tried to google about this topic, but I didn't find much helpful. Someone mentioned http://marc.info/?l=openbsd-miscm=120665186412690w=2 yesterday. Looks like a good starting point because the pf.conf manpage doesn't say much about route-to and reply-to syntax. Try http://www.openbsd.org/faq/pf/pools.html#outgoing for an introduction, the syntax of route-to and reply-to is given in the BNF section at the bottom of pf.conf(5) - everyone writing PF configuration files should learn how to read this section. Everyone copying-and-pasting PF configs from samples really should too... You should also get acquainted with running tcpdump on different interfaces, including pflog0 (with the relevant log in PF rules), it's very useful when you need to debug PF and in particular any complicated NAT/route-to configuration. Does someone have a link for me how to set the correct routes and pf-rules? The symmetric line should be set as default route with a higher metric but the source ip should be the carp ip if used. You set the source address of outgoing packets with NAT rules. You direct packets out the relevant interface with route-to. And you direct return packets for an *incoming* connection with reply-to. Forget metrics/route priority for now, that won't help you direct packets out of one or other connection based on port number, you need PF rules to classify traffic if you want that. I think my biggest problem is carp, because I don't know how to set up pf corretly with carp in use. As you know pf uses the phisical interface, not the virtual interface, so I think I have to define the source ip, too? Where you have to define an interface, use the physical interface (vlan/trunk count as physical interface for this purpose). Where you have to specify an address, use whichever is correct for what you're trying to do, carp/physical/both.
Re: bgp routing question
On 25/03/2008, Fridiric Pli [EMAIL PROTECTED] wrote: Hi, I have an openbsd router with two ebgp peers. I have serveral prefixes to announce but I would like to know how I could influence outcoming traffic from each of my prefix. I did not understand how to use weight, localpref and metric nor filter rules to do that. any clue or example ? many thanks, FP I believe you can use local pref to influence outbound traffic. http://www.cisco.com/en/US/docs/internetworking/technology/handbook/bgp.html# wp1020583 -- -Lawrence
Re: bgp routing question
On Tue, Mar 25, 2008 at 4:31 PM, Fridiric Pli [EMAIL PROTECTED] wrote: Hi, I have an openbsd router with two ebgp peers. I have serveral prefixes to announce but I would like to know how I could influence outcoming traffic from each of my prefix. I did not understand how to use weight, localpref and metric nor filter rules to do that. I dont think you can use BGP to direct traffic based on scr network. You might using virtual routing tables, pf route-to and/or tagging ?
bgp routing question
Hi, I have an openbsd router with two ebgp peers. I have serveral prefixes to announce but I would like to know how I could influence outcoming traffic from each of my prefix. I did not understand how to use weight, localpref and metric nor filter rules to do that. any clue or example ? many thanks, FP
Re: bgp routing question
another routing problem ist that now the ibpg routes get insertet but also announcend to the ebgp peer since its the same as and i announce self to the ebgp peers. problems is now that the network is somewhere else, but announced so i have created a routing loop. do i have to use static routes or is there a way to configure stuff like that in bgpd? thx in advance, erich. Erich schrieb: do i have to restart bgpd in order to get ipsec esp ike for a session / nei working or is a reload and nei up/down enough? i got Oct 20 13:21:23 router-mt-1 isakmpd[13070]: dropped message from xx.xx.xx.xx port 500 due to notification type NO_PROPOSAL_CHOSEN and responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 59caa34e: xxx.xxx.xxx.xxx, responder id 50be811a: xx.xx.xxx.xxx isakmpd is running with -Ka like suggested in man bgpd.conf and keys have been copied to each side. do i have anything forgotten? Erich schrieb: yes thx guys, it worked :) Claudio Jeker schrieb: On Thu, Feb 28, 2008 at 08:14:09AM +0100, Erich wrote: i now have a session i turned on update loging ob bpgd but the routes do not get inserted. any ideas? AS41412: update 123.123.123.0/24 via xxx..xx. ( the router where the network is, yes pingable) Make sure the nexthop is either reachable via a static route or have a look at nexthop qualify via erich
Re: bgp routing question
On Fri, Feb 29, 2008 at 02:10:09PM +0100, Erich wrote: another routing problem ist that now the ibpg routes get insertet but also announcend to the ebgp peer since its the same as and i announce self to the ebgp peers. problems is now that the network is somewhere else, but announced so i have created a routing loop. do i have to use static routes or is there a way to configure stuff like that in bgpd? You need a filter for that. Just deny the prefix on the other router. -- :wq Claudio
Re: bgp routing question
Claudio Jeker schrieb: On Fri, Feb 29, 2008 at 02:10:09PM +0100, Erich wrote: another routing problem ist that now the ibpg routes get insertet but also announcend to the ebgp peer since its the same as and i announce self to the ebgp peers. problems is now that the network is somewhere else, but announced so i have created a routing loop. do i have to use static routes or is there a way to configure stuff like that in bgpd? You need a filter for that. Just deny the prefix on the other router. the other router is not under my control, so i would have to ask them to adjust their filters, isnt there another way? erich
Re: bgp routing question
On Fri, Feb 29, 2008 at 03:23:27PM +0100, Erich wrote: Claudio Jeker schrieb: On Fri, Feb 29, 2008 at 02:10:09PM +0100, Erich wrote: another routing problem ist that now the ibpg routes get insertet but also announcend to the ebgp peer since its the same as and i announce self to the ebgp peers. problems is now that the network is somewhere else, but announced so i have created a routing loop. do i have to use static routes or is there a way to configure stuff like that in bgpd? You need a filter for that. Just deny the prefix on the other router. the other router is not under my control, so i would have to ask them to adjust their filters, isnt there another way? You can also deny incomming prefixes. Read the bgpd.conf man page section about filtering for more information. -- :wq Claudio
Re: bgp routing question
* Erich [EMAIL PROTECTED] [2008-02-28 08:20]: i now have a session i turned on update loging ob bpgd but the routes do not get inserted. any ideas? well, check nexthop validity... bgpctl show nexthop -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: bgp routing question
On Thu, Feb 28, 2008 at 08:14:09AM +0100, Erich wrote: i now have a session i turned on update loging ob bpgd but the routes do not get inserted. any ideas? AS41412: update 123.123.123.0/24 via xxx..xx. ( the router where the network is, yes pingable) Make sure the nexthop is either reachable via a static route or have a look at nexthop qualify via. -- :wq Claudio
Re: bgp routing question
yes thx guys, it worked :) Claudio Jeker schrieb: On Thu, Feb 28, 2008 at 08:14:09AM +0100, Erich wrote: i now have a session i turned on update loging ob bpgd but the routes do not get inserted. any ideas? AS41412: update 123.123.123.0/24 via xxx..xx. ( the router where the network is, yes pingable) Make sure the nexthop is either reachable via a static route or have a look at nexthop qualify via erich
Re: bgp routing question
do i have to restart bgpd in order to get ipsec esp ike for a session / nei working or is a reload and nei up/down enough? i got Oct 20 13:21:23 router-mt-1 isakmpd[13070]: dropped message from xx.xx.xx.xx port 500 due to notification type NO_PROPOSAL_CHOSEN and responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 59caa34e: xxx.xxx.xxx.xxx, responder id 50be811a: xx.xx.xxx.xxx isakmpd is running with -Ka like suggested in man bgpd.conf and keys have been copied to each side. do i have anything forgotten? Erich schrieb: yes thx guys, it worked :) Claudio Jeker schrieb: On Thu, Feb 28, 2008 at 08:14:09AM +0100, Erich wrote: i now have a session i turned on update loging ob bpgd but the routes do not get inserted. any ideas? AS41412: update 123.123.123.0/24 via xxx..xx. ( the router where the network is, yes pingable) Make sure the nexthop is either reachable via a static route or have a look at nexthop qualify via erich
Re: bgp routing question
* Erich [EMAIL PROTECTED] [2008-02-28 14:06]: do i have to restart bgpd in order to get ipsec esp ike for a session / nei working or is a reload and nei up/down enough? config reload and clearing the affected neighbor session is enough. I have done that in testing many times successfully. i got Oct 20 13:21:23 router-mt-1 isakmpd[13070]: dropped message from xx.xx.xx.xx port 500 due to notification type NO_PROPOSAL_CHOSEN and responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 59caa34e: xxx.xxx.xxx.xxx, responder id 50be811a: xx.xx.xxx.xxx isakmpd is running with -Ka like suggested in man bgpd.conf and keys have been copied to each side. now that is a problem for the isakmpd masochists ;) -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: bgp routing question
i now have a session i turned on update loging ob bpgd but the routes do not get inserted. any ideas? AS41412: update 123.123.123.0/24 via xxx..xx. ( the router where the network is, yes pingable) Erich schrieb: Claudio Jeker schrieb: On Tue, Feb 26, 2008 at 09:51:05AM +0100, Erich wrote: hi, is there a way to announce the same AS an different locations? lets say 123.123.123.0/23 is mine and i want to have 123.123.123.0/24 @location1 and 23.123.124.0/24 @location2, right now i have the problem that the bgpd seems to drop the routes to each other, means the networks are reachable from everywhere, so it seems to work, but they cannot reach each other.. You need an iBGP sessions between the two routers. This is the only way the two routers will accept the routes/as pathes of the other one. For eBGP sessions loop free AS pathes are enforced. ah ok, thx so far :) and it shouldnt be an issue if those ibgp sessions are going over serval hops? erich
bgp routing question
hi, is there a way to announce the same AS an different locations? lets say 123.123.123.0/23 is mine and i want to have 123.123.123.0/24 @location1 and 23.123.124.0/24 @location2, right now i have the problem that the bgpd seems to drop the routes to each other, means the networks are reachable from everywhere, so it seems to work, but they cannot reach each other.. erich
Re: bgp routing question
sure.. my fault, just assume the networks are right. and this is not my problem ;) Alexander Hall schrieb: Erich wrote: hi, is there a way to announce the same AS an different locations? lets say 123.123.123.0/23 is mine and i want to have 123.123.123.0/24 @location1 and 23.123.124.0/24 @location2, right now i have the problem that the bgpd seems to drop the routes to each other, means the networks are reachable from everywhere, so it seems to work, but they cannot reach each other.. 123.123.124.0/24 would not lie within the 123.123.123.0/23 network (and nor would 23.123.124.0/24, of course :). I guess this is not your problem, though. (And I am not in any position to help you with BGPD issues). /Alexander
Re: bgp routing question
On Tue, Feb 26, 2008 at 09:51:05AM +0100, Erich wrote: hi, is there a way to announce the same AS an different locations? lets say 123.123.123.0/23 is mine and i want to have 123.123.123.0/24 @location1 and 23.123.124.0/24 @location2, right now i have the problem that the bgpd seems to drop the routes to each other, means the networks are reachable from everywhere, so it seems to work, but they cannot reach each other.. You need an iBGP sessions between the two routers. This is the only way the two routers will accept the routes/as pathes of the other one. For eBGP sessions loop free AS pathes are enforced. -- :wq Claudio
Re: bgp routing question
Claudio Jeker schrieb: On Tue, Feb 26, 2008 at 09:51:05AM +0100, Erich wrote: hi, is there a way to announce the same AS an different locations? lets say 123.123.123.0/23 is mine and i want to have 123.123.123.0/24 @location1 and 23.123.124.0/24 @location2, right now i have the problem that the bgpd seems to drop the routes to each other, means the networks are reachable from everywhere, so it seems to work, but they cannot reach each other.. You need an iBGP sessions between the two routers. This is the only way the two routers will accept the routes/as pathes of the other one. For eBGP sessions loop free AS pathes are enforced. ah ok, thx so far :) and it shouldnt be an issue if those ibgp sessions are going over serval hops? erich
routing question
Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? TIA Paolo
Re: routing question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/3/07 2:15 PM, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? One possible issue is that the default config for OpenVPN uses unroutable addresses out of RFC 1918 space. I believe the default config file uses 172.16.111.0/29 or something like that. Routers should never forward packets to RFC 1918 addresses across the public Internet; it's a best practice to filter them. Remote OpenVPN traffic looks like it comes from from 172.16.111.something, and the main office router will quite properly drop traffic destined there. You're either going to need to NAT your VPN traffic or (far better, if you can) get enough public IPv4 or IPv6 addresses not to mess with NAT. dn iD8DBQFG3H+syPxGVjntI4IRAko7AJ9P7SamMasV+9hS/9f6jzPit00FywCgjfnb 9hQTU1zRm18kxf/K6vHpYv4= =4YME -END PGP SIGNATURE-
Re: routing question
On 2007/09/03 17:15, Paolo Supino wrote: I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? Probably, a route on the OpenVPN clients to the branch office network. You can push this from the central OpenVPN box.
Re: routing question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/3/07 3:28 PM, Paolo Supino wrote: Hi David It's true that all IP addresses are in the 10.x.x.x private address space that isn't supposed to be routed on the Internet, but in all the connections over the Internet the only visible addresses are the public ones (otherwise the VPNs wouldn't be working): Main and branch office public IP addresses and what ever the road warriors receive when connecting their laptops, either at home or at a client's site. The branch's firewall NATs the branch office 10.x.x.x address space on its external interface, but I don't see how that would cause routing problems between the 2 VPNs. Per Stuart's suggestion, check your VPN clients' routing tables with netstat -f inet -nr | more and determine whether they have a path to your main office. Same thing for servers at the main office trying to reach the VPN clients. traceroute might be helpful (or might not; lots of places filter ICMP). dn iD8DBQFG3IxEyPxGVjntI4IRAj6MAKD5KMLoU74rea9P8HyApe8hS5nHmgCeLbco +W9hUUKEAvhqCZM9ktKErd4= =h5aK -END PGP SIGNATURE-
Re: routing question
Hi David It's true that all IP addresses are in the 10.x.x.x private address space that isn't supposed to be routed on the Internet, but in all the connections over the Internet the only visible addresses are the public ones (otherwise the VPNs wouldn't be working): Main and branch office public IP addresses and what ever the road warriors receive when connecting their laptops, either at home or at a client's site. The branch's firewall NATs the branch office 10.x.x.x address space on its external interface, but I don't see how that would cause routing problems between the 2 VPNs. TIA Paolo David Newman wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/3/07 2:15 PM, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? One possible issue is that the default config for OpenVPN uses unroutable addresses out of RFC 1918 space. I believe the default config file uses 172.16.111.0/29 or something like that. Routers should never forward packets to RFC 1918 addresses across the public Internet; it's a best practice to filter them. Remote OpenVPN traffic looks like it comes from from 172.16.111.something, and the main office router will quite properly drop traffic destined there. You're either going to need to NAT your VPN traffic or (far better, if you can) get enough public IPv4 or IPv6 addresses not to mess with NAT. dn iD8DBQFG3H+syPxGVjntI4IRAko7AJ9P7SamMasV+9hS/9f6jzPit00FywCgjfnb 9hQTU1zRm18kxf/K6vHpYv4= =4YME -END PGP SIGNATURE-
Re: routing question
Hi David I do push the route to the OpenVPN clients and I do have the route back on the servers in the main office. To be sure I ran a sniffer on a server in the main office to see if any traffic reaches the server from the VPN client and the sniffer showed nothing reached the server. It's not a firewalling issue in either the main or branch offices as the same type of traffic (ping in this case) worked fine from a desktop in the branch office. TIA Paolo David Newman wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 9/3/07 3:28 PM, Paolo Supino wrote: Hi David It's true that all IP addresses are in the 10.x.x.x private address space that isn't supposed to be routed on the Internet, but in all the connections over the Internet the only visible addresses are the public ones (otherwise the VPNs wouldn't be working): Main and branch office public IP addresses and what ever the road warriors receive when connecting their laptops, either at home or at a client's site. The branch's firewall NATs the branch office 10.x.x.x address space on its external interface, but I don't see how that would cause routing problems between the 2 VPNs. Per Stuart's suggestion, check your VPN clients' routing tables with netstat -f inet -nr | more and determine whether they have a path to your main office. Same thing for servers at the main office trying to reach the VPN clients. traceroute might be helpful (or might not; lots of places filter ICMP). dn iD8DBQFG3IxEyPxGVjntI4IRAj6MAKD5KMLoU74rea9P8HyApe8hS5nHmgCeLbco +W9hUUKEAvhqCZM9ktKErd4= =h5aK -END PGP SIGNATURE-
Re: routing question
On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also login: ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 250.101.222.1 The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help? Please reply to the list. I am subscribed and don't need a cc, thanks. Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: routing question
Hi RW Except for the branch VPN to the main office subnet (line# 3) I have the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice versa on the main office VPN peer). Why do I need to setup a tunnel between the branch firewall and main office subnet? TIA Paolo RW wrote: On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also login: ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 250.101.222.1 The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help? Please reply to the list. I am subscribed and don't need a cc, thanks. Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: routing question
On Mon, 03 Sep 2007 20:26:14 -0400, Paolo Supino wrote: Hi RW Except for the branch VPN to the main office subnet (line# 3) I have the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice versa on the main office VPN peer). Why do I need to setup a tunnel between the branch firewall and main office subnet? TIA Paolo RW wrote: On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also login: ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 250.101.222.1 The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help? Please reply to the list. I am subscribed and don't need a cc, thanks. Rod/ I don't know your setup because you didn't explain it fully but what I showed you works for my client. Let's make a symbolic ipsec.conf out of what I have shown you: ike esp from $OpenVPNlan to $HOlan peer $HOfirewall ike esp from $Branchlan to $HOlan peer $HOfirewall ike esp from $BranchFW to $HOlan peer $HOfirewall ike esp from $BranchFW to $HOfirewall You cannot use macros like that but perhaps it makes it clearer. In our case we have servers on both office LANs and the roadies using OpenVPN need to be able to get to both. You will have to trim and tweak your rules to suit your own variation but think about this. Regular route table entries have no influence on what happens with IPsec and do not need to. IPsec configuration sets up flows and then the packets know how to get to their target. If they don't have a flow path, they won't know how and will be routed out to the cloud via the default gateway and then get lost. Rod/ Hint. Read this: A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: routing question (solved)
Hi RW I found the problem :-) My OpenVPN setup is OK. My ipsecctl.conf was almost perfect: I setup the flow from my OpenBSD box (the branch office) to be passive ... duh!!! ;-) Now that it has been converted to dynamic the tunnel gets setup if the OpenVPN client initiates traffic :-) TIA Paolo RW wrote: On Mon, 03 Sep 2007 20:26:14 -0400, Paolo Supino wrote: Hi RW Except for the branch VPN to the main office subnet (line# 3) I have the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice versa on the main office VPN peer). Why do I need to setup a tunnel between the branch firewall and main office subnet? TIA Paolo RW wrote: On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also login: ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 250.101.222.1 The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help? Please reply to the list. I am subscribed and don't need a cc, thanks. Rod/ I don't know your setup because you didn't explain it fully but what I showed you works for my client. Let's make a symbolic ipsec.conf out of what I have shown you: ike esp from $OpenVPNlan to $HOlan peer $HOfirewall ike esp from $Branchlan to $HOlan peer $HOfirewall ike esp from $BranchFW to $HOlan peer $HOfirewall ike esp from $BranchFW to $HOfirewall You cannot use macros like that but perhaps it makes it clearer. In our case we have servers on both office LANs and the roadies using OpenVPN need to be able to get to both. You will have to trim and tweak your rules to suit your own variation but think about this. Regular route table entries have no influence on what happens with IPsec and do not need to. IPsec configuration sets up flows and then the packets know how to get to their target. If they don't have a flow path, they won't know how and will be routed out to the cloud via the default gateway and then get lost. Rod/ Hint. Read this: A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
IP Routing Question.
Dear All. I have one simple question. If my ISP assign one point to point ip address and one full subnet mask address (/28), can i have those in one my ethernet interface ? If it's possible, is there any network routing problem ? FYI , i have one private network and DMZ . regards Beastie
routing question
Greets I have a scenario that is simple but I am having trouble getting my head around. Inside a 192.168.10/24 network there exists a 10.4.6/24 network for VOIP. Everthing works fine. The issue I have is setting up a route for a third party VOIP management company who wants to access the VOIP control center via an SSL interface from the Internet thru the firewall to the VOIP control center. All of the data traffic on the data LAN has the router address of 192.168.10.1. The data side of the vlan router is 192.168.10.16 and the VOIP side on the vlan router is 10.4.6.253. To access the VOIP network one must go thru the 192.168.10.16 interface of he vlan router. Adding a route to a workstation on the 192.168.10 network to the 10.4.6 network using the 192.168.10.16 interface as the gateway works fine, thus allowing access to the SSL web interface. Adding a route on the firewall to the 10.4.6 network thru the 192.168.10.16 interface allows internal workstations to access the SSL web interface. The root of the problem I have is getting traffic from the Internet to the 10.4.6 SSL web interface thru the 192.168.10.16 interface of the vlan router. Anyone have experiece on this one? Bob D
Re: routing question
Good day, I have seen similar problems before. You must be doing some sort of proxying or NAT to allow Internet sites to communicate with hosts on the 192.168.10/24 subnet, right? So the site on the Internet has to have a path back to a NAT'ed or Proxied service through the 192.168.10/24 subnet in order to get to the VoIP Control Center at 10.4.6.200/32 (or whatever happens to be the IP address of that host). Hope this helps, Vijay -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob DeBolt Sent: December 14, 2005 11:51 AM To: misc@openbsd.org Subject: routing question Greets I have a scenario that is simple but I am having trouble getting my head around. Inside a 192.168.10/24 network there exists a 10.4.6/24 network for VOIP. Everthing works fine. The issue I have is setting up a route for a third party VOIP management company who wants to access the VOIP control center via an SSL interface from the Internet thru the firewall to the VOIP control center. All of the data traffic on the data LAN has the router address of 192.168.10.1. The data side of the vlan router is 192.168.10.16 and the VOIP side on the vlan router is 10.4.6.253. To access the VOIP network one must go thru the 192.168.10.16 interface of he vlan router. Adding a route to a workstation on the 192.168.10 network to the 10.4.6 network using the 192.168.10.16 interface as the gateway works fine, thus allowing access to the SSL web interface. Adding a route on the firewall to the 10.4.6 network thru the 192.168.10.16 interface allows internal workstations to access the SSL web interface. The root of the problem I have is getting traffic from the Internet to the 10.4.6 SSL web interface thru the 192.168.10.16 interface of the vlan router. Anyone have experiece on this one? Bob D
Re: openvpn to ipsec routing question
Christoph Leser wrote: Hello, the question is about how to route traffic from an openvpn tunnel to an ipsec tunnel. This is my setup: The OpenBSD gateway has an internal (10.0.1.1/24 ) and external (x.x.x.x/30) interface. The internal net is NAT'ed to the external interface to provide internet access to hosts on the internal net. Through the external interface an ipsec SA ( security association ) is established ( tunnel mode ) between my internal net ( 10.0.1/24 ) and another local net of a remote site ( 10.0.2/24 ). So hosts on the internal net can reach hosts on the internet (being NAT'ed ) as well as hosts on the remote private net 10.0.2/24 ( not being NAT'ed ). Now I have setup an openvpn server on this box. This openvpn server gives out addresses from yet another net ( 10.0.3/24 ) to the connected clients. Connections from openvpn clients are NAT'Ed to the internal interface to make them appear as being directly attached to the local private net ( 10.0.1/24 ). So far, it works. Now I want the clients on the openvpn subnet ( 10.0.3/24 ) to get access to the remote side of the ipsec sa ( 10.0.2/24 ). Here is an excerpt of my ipconfig and routing table # ifconfig lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33224 inet 127.0.0.1 netmask 0xff00 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 fxp0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500 address: 00:a0:c9:43:07:20 media: Ethernet autoselect (100baseTX full-duplex) status: active inet 10.0.1.1 netmask 0xff00 broadcast 10.0.1.255 inet6 fe80::2a0:c9ff:fe43:720%fxp0 prefixlen 64 scopeid 0x1 fxp1: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500 address: 00:a0:c9:30:b3:34 media: Ethernet autoselect (10baseT) status: active inet x.x.x.254 netmask 0xfffc broadcast x.x.x.255 inet6 fe80::2a0:c9ff:fe30:b334%fxp1 prefixlen 64 scopeid 0x2 pflog0: flags=141UP,RUNNING,PROMISC mtu 33224 pfsync0: flags=0 mtu 2020 enc0: flags=0 mtu 1536 tun0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1500 inet 10.0.3.1 -- 10.0.3.2 netmask 0x # netstat -rn Routing tables Internet: DestinationGatewayFlags Refs UseMtu Interface defaultx.x.x.254 UGS11 1211734 - fxp1 10.0.3/24 10.0.3.2 UGS 031900 - tun0 10.0.3.2 10.0.3.1 UH 10 - tun0 x.x.x.x/30 link#2 UC 10 - fxp1 127/8 127.0.0.1 UGRS00 33224 lo0 127.0.0.1 127.0.0.1 UH 1 392 33224 lo0 10.0.1/24 link#1 UC 110 - fxp0 224/4 127.0.0.1 URS 00 33224 lo0 Encap: Source Port DestinationPort Proto SA(Address/Proto/Type/Direction) 10.0.2/24 0 10.0.1/24 0 0 y.y.y.y/50/use/in 10.0.1/24 0 10.0.2/24 0 0 y.y.y.y/50/require/out where x.x.x.x is the external address of my box, y.y.y.y is the external address of the remote side of the ipsec tunnel. I expected this to be sufficient for the routing from 10.0.3/24 to 10.0.2/24. But it is not. Using tcpdump I see that packets entering the gateway via the openvpn tun0 interface destined to some host on 10.0.2/24 do not get routed to the ipsec tunnel but are routed directly to the external interface, i.e. a packet with source ip = 10.0.3.10 and destination ip 10.0.2.1 is routed as is to the external interface. I assume that the route through the IPSEC SA is not taken into account, as the packet to be routed is not from the internal interface. If there were a way to source-nat the packet when it comes in via the tun interface, i.e. before the routing is done, maybe all would be fine. But I don't know a way to achieve this. The straight forward solution to setup another ipsec tunnel between 10.0.2/24 and 10.0.3/24 is out of reach due to weird administrative constraints. Any suggestions? Thanks Christoph Try something like... (This was goofy the first time I did it, at least it didn't quite make since to me..) route add -net 10.0.2.0/24 10.0.1.1 This will tell the local OS where to send traffic for the 10.0.2.0/24 network, where as isakmpd only will processes traffic inbound to match an SA. (as far as I can tell). Give it a shot, it should work... -Dave
Re: openvpn to ipsec routing question
On Tue, Nov 22, 2005 at 08:31:13PM +0100, Christoph Leser wrote: Hello, the question is about how to route traffic from an openvpn tunnel to an ipsec tunnel. This is my setup: The OpenBSD gateway has an internal (10.0.1.1/24 ) and external (x.x.x.x/30) interface. The internal net is NAT'ed to the external interface to provide internet access to hosts on the internal net. Through the external interface an ipsec SA ( security association ) is established ( tunnel mode ) between my internal net ( 10.0.1/24 ) and another local net of a remote site ( 10.0.2/24 ). So hosts on the internal net can reach hosts on the internet (being NAT'ed ) as well as hosts on the remote private net 10.0.2/24 ( not being NAT'ed ). Now I have setup an openvpn server on this box. This openvpn server gives out addresses from yet another net ( 10.0.3/24 ) to the connected clients. Connections from openvpn clients are NAT'Ed to the internal interface to make them appear as being directly attached to the local private net ( 10.0.1/24 ). So far, it works. Now I want the clients on the openvpn subnet ( 10.0.3/24 ) to get access to the remote side of the ipsec sa ( 10.0.2/24 ). Here is an excerpt of my ipconfig and routing table # ifconfig lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33224 inet 127.0.0.1 netmask 0xff00 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 fxp0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500 address: 00:a0:c9:43:07:20 media: Ethernet autoselect (100baseTX full-duplex) status: active inet 10.0.1.1 netmask 0xff00 broadcast 10.0.1.255 inet6 fe80::2a0:c9ff:fe43:720%fxp0 prefixlen 64 scopeid 0x1 fxp1: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500 address: 00:a0:c9:30:b3:34 media: Ethernet autoselect (10baseT) status: active inet x.x.x.254 netmask 0xfffc broadcast x.x.x.255 inet6 fe80::2a0:c9ff:fe30:b334%fxp1 prefixlen 64 scopeid 0x2 pflog0: flags=141UP,RUNNING,PROMISC mtu 33224 pfsync0: flags=0 mtu 2020 enc0: flags=0 mtu 1536 tun0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1500 inet 10.0.3.1 -- 10.0.3.2 netmask 0x # netstat -rn Routing tables Internet: DestinationGatewayFlags Refs UseMtu Interface defaultx.x.x.254 UGS11 1211734 - fxp1 10.0.3/24 10.0.3.2 UGS 031900 - tun0 10.0.3.2 10.0.3.1 UH 10 - tun0 x.x.x.x/30 link#2 UC 10 - fxp1 127/8 127.0.0.1 UGRS00 33224 lo0 127.0.0.1 127.0.0.1 UH 1 392 33224 lo0 10.0.1/24 link#1 UC 110 - fxp0 224/4 127.0.0.1 URS 00 33224 lo0 Encap: Source Port DestinationPort Proto SA(Address/Proto/Type/Direction) 10.0.2/24 0 10.0.1/24 0 0 y.y.y.y/50/use/in 10.0.1/24 0 10.0.2/24 0 0 y.y.y.y/50/require/out where x.x.x.x is the external address of my box, y.y.y.y is the external address of the remote side of the ipsec tunnel. I expected this to be sufficient for the routing from 10.0.3/24 to 10.0.2/24. But it is not. Using tcpdump I see that packets entering the gateway via the openvpn tun0 interface destined to some host on 10.0.2/24 do not get routed to the ipsec tunnel but are routed directly to the external interface, i.e. a packet with source ip = 10.0.3.10 and destination ip 10.0.2.1 is routed as is to the external interface. I assume that the route through the IPSEC SA is not taken into account, as the packet to be routed is not from the internal interface. If there were a way to source-nat the packet when it comes in via the tun interface, i.e. before the routing is done, maybe all would be fine. But I don't know a way to achieve this. The straight forward solution to setup another ipsec tunnel between 10.0.2/24 and 10.0.3/24 is out of reach due to weird administrative constraints. Any suggestions? I'm not certain about what to do about the routing, but I'm fairly certain that all your problems would be easily solved if you would just use 10.0.0.0/25 for your internal hosts, and 10.0.0.128/25 for your OpenVPN'ed hosts. Of course, this would require some reconfiguring on the clients/DHCP server/whatever, but it should work. Especially since anything but the router already expects to find OpenVPN clients on 10.0.0.0/24. Otherwise, I see a route-to option in pf.conf(5), which might be used for explicitly sending packets over encap0... of course, you'd still need to do NAT or weird stuff would happen, but this might at
openvpn to ipsec routing question
Hello, the question is about how to route traffic from an openvpn tunnel to an ipsec tunnel. This is my setup: The OpenBSD gateway has an internal (10.0.1.1/24 ) and external (x.x.x.x/30) interface. The internal net is NAT'ed to the external interface to provide internet access to hosts on the internal net. Through the external interface an ipsec SA ( security association ) is established ( tunnel mode ) between my internal net ( 10.0.1/24 ) and another local net of a remote site ( 10.0.2/24 ). So hosts on the internal net can reach hosts on the internet (being NAT'ed ) as well as hosts on the remote private net 10.0.2/24 ( not being NAT'ed ). Now I have setup an openvpn server on this box. This openvpn server gives out addresses from yet another net ( 10.0.3/24 ) to the connected clients. Connections from openvpn clients are NAT'Ed to the internal interface to make them appear as being directly attached to the local private net ( 10.0.1/24 ). So far, it works. Now I want the clients on the openvpn subnet ( 10.0.3/24 ) to get access to the remote side of the ipsec sa ( 10.0.2/24 ). Here is an excerpt of my ipconfig and routing table # ifconfig lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33224 inet 127.0.0.1 netmask 0xff00 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 fxp0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500 address: 00:a0:c9:43:07:20 media: Ethernet autoselect (100baseTX full-duplex) status: active inet 10.0.1.1 netmask 0xff00 broadcast 10.0.1.255 inet6 fe80::2a0:c9ff:fe43:720%fxp0 prefixlen 64 scopeid 0x1 fxp1: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500 address: 00:a0:c9:30:b3:34 media: Ethernet autoselect (10baseT) status: active inet x.x.x.254 netmask 0xfffc broadcast x.x.x.255 inet6 fe80::2a0:c9ff:fe30:b334%fxp1 prefixlen 64 scopeid 0x2 pflog0: flags=141UP,RUNNING,PROMISC mtu 33224 pfsync0: flags=0 mtu 2020 enc0: flags=0 mtu 1536 tun0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1500 inet 10.0.3.1 -- 10.0.3.2 netmask 0x # netstat -rn Routing tables Internet: DestinationGatewayFlags Refs UseMtu Interface defaultx.x.x.254 UGS11 1211734 - fxp1 10.0.3/24 10.0.3.2 UGS 031900 - tun0 10.0.3.2 10.0.3.1 UH 10 - tun0 x.x.x.x/30 link#2 UC 10 - fxp1 127/8 127.0.0.1 UGRS00 33224 lo0 127.0.0.1 127.0.0.1 UH 1 392 33224 lo0 10.0.1/24 link#1 UC 110 - fxp0 224/4 127.0.0.1 URS 00 33224 lo0 Encap: Source Port DestinationPort Proto SA(Address/Proto/Type/Direction) 10.0.2/24 0 10.0.1/24 0 0 y.y.y.y/50/use/in 10.0.1/24 0 10.0.2/24 0 0 y.y.y.y/50/require/out where x.x.x.x is the external address of my box, y.y.y.y is the external address of the remote side of the ipsec tunnel. I expected this to be sufficient for the routing from 10.0.3/24 to 10.0.2/24. But it is not. Using tcpdump I see that packets entering the gateway via the openvpn tun0 interface destined to some host on 10.0.2/24 do not get routed to the ipsec tunnel but are routed directly to the external interface, i.e. a packet with source ip = 10.0.3.10 and destination ip 10.0.2.1 is routed as is to the external interface. I assume that the route through the IPSEC SA is not taken into account, as the packet to be routed is not from the internal interface. If there were a way to source-nat the packet when it comes in via the tun interface, i.e. before the routing is done, maybe all would be fine. But I don't know a way to achieve this. The straight forward solution to setup another ipsec tunnel between 10.0.2/24 and 10.0.3/24 is out of reach due to weird administrative constraints. Any suggestions? Thanks Christoph
routing question
My office network has an adsl connection with a single static ip as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional ip's from my provider and they gave me 8 addresses at: 207.246.198.216/29 They are routing all 8 of these new addresses down my adsl 'pipe'. On my OBSD box I can alias any of these 8 addresses to the outward facing nic and reach them from the outside, so I know that they work. Now I want to set up another OBSD box to use one of these addresses (which are no longer aliased to the first box). (209.145.160.141) OBSD #1 - \ Switch DSL Modem ISP(209.145.160.1) / OBSD #2 - (207.246.198.220) I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 useable addresses. I don't want to NAT box #2 behind box #1. Are there some routing commands that would allow me to send traffic to the ISP from box #2 using these new IP's? Thanks, -- John Brooks [EMAIL PROTECTED]
Re: routing question
On Tuesday, September 06, John Brooks wrote: (209.145.160.141) OBSD #1 - \ Switch DSL Modem ISP(209.145.160.1) / OBSD #2 - (207.246.198.220) I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 useable addresses. In this case, you need to create (not your ISP) a default gateway for your new 207.246.198.216/29 network on your border router, so alias 207.246.198.217 on OBSD #1 This will leave you hosts 218-222 to use any way you see fit. --- Todd M. Boyer, CISSP President AutumnTECH, LLC [EMAIL PROTECTED] http://www.AutumnTECH.com AutumnTECH Manufactures Entire Network Protection Appliances that Identify Spam and Sanitize Dangerous E-mail Content ---
Re: routing question
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote: My office network has an adsl connection with a single static ip as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional ip's from my provider and they gave me 8 addresses at: 207.246.198.216/29 They are routing all 8 of these new addresses down my adsl 'pipe'. On my OBSD box I can alias any of these 8 addresses to the outward facing nic and reach them from the outside, so I know that they work. Now I want to set up another OBSD box to use one of these addresses (which are no longer aliased to the first box). (209.145.160.141) OBSD #1 - \ Switch DSL Modem ISP(209.145.160.1) / OBSD #2 - (207.246.198.220) I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 useable addresses. I don't want to NAT box #2 behind box #1. Are there some routing commands that would allow me to send traffic to the ISP from box #2 using these new IP's? Thanks, -- John Brooks [EMAIL PROTECTED] Hi John, I've been doing the ADSL with a routed /29 for servers in addition to having a NATted LAN behind the same firewall. You can probably use some of the tricks I get up to to conserve addresses. Let us know what modem you are using, whether you are doing PPPoE or PPPoA or whatever and I'll tailor my reply to suit. You can get into lots of frustration by taking obvious approaches to this problem, only to find that they result in more problems rather than solutions. I don't see why you need all of that pain. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: routing question
On Tuesday, September 06, John Brooks wrote: (209.145.160.141) OBSD #1 - \ Switch DSL Modem ISP(209.145.160.1) / OBSD #2 - (207.246.198.220) I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 useable addresses. In this case, you need to create (not your ISP) a default gateway for your new 207.246.198.216/29 network on your border router, so alias 207.246.198.217 on OBSD #1 This will leave you hosts 218-222 to use any way you see fit. Well that was simple enough, takes a couple extra rules in pf on OBSD #1, but otherwise works. Thanks.
Re: routing question
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote: My office network has an adsl connection with a single static ip as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional ip's from my provider and they gave me 8 addresses at: 207.246.198.216/29 They are routing all 8 of these new addresses down my adsl 'pipe'. On my OBSD box I can alias any of these 8 addresses to the outward facing nic and reach them from the outside, so I know that they work. Now I want to set up another OBSD box to use one of these addresses (which are no longer aliased to the first box). (209.145.160.141) OBSD #1 - \ Switch DSL Modem ISP(209.145.160.1) / OBSD #2 - (207.246.198.220) I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 useable addresses. I don't want to NAT box #2 behind box #1. Are there some routing commands that would allow me to send traffic to the ISP from box #2 using these new IP's? Thanks, -- John Brooks [EMAIL PROTECTED] Hi John, I've been doing the ADSL with a routed /29 for servers in addition to having a NATted LAN behind the same firewall. You can probably use some of the tricks I get up to to conserve addresses. JB: My thoughts were to not be behind the firewall with box #2, but 'next' to it. But I'm open to all alternative methods. Having multiple options is always a good thing. Let us know what modem you are using, whether you are doing PPPoE or PPPoA or whatever and I'll tailor my reply to suit. You can get into lots of frustration by taking obvious approaches to this problem, only to find that they result in more problems rather than solutions. JB: The dsl modem is a straight bridge. No PPPoE or PPPoA. What goes in the front comes out the back. I have a single static IP on a /24 network with a normal gateway address - plus these 8 additional IP's they are now sending down my wire. I don't see why you need all of that pain. JB: I appreciate that... (sometimes a little pain can be a good thing, especially if something new is learned) From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: routing question - why one way?
Sorry for the confusion... I will try to summarize... I have a machine on each side of a router I am building (3.7). One one side it is a firewall connected to the internet (192.168.0.2/24) On the other side it is a linux notebook (10.4.50.1/16) From linux I can ping any interface on the router But I cannot ping the firewall (packets just lost) From the firewall, I can ping any interface on the router and also the linux notebook. I have IP forwarding enabled, and do NOT have PF running. # sysctl -a | grep forward net.inet.ip.forwarding=1 The whole shebangs default gateway's head out through the firewall. I added the route into the firewall so it could find the 10.4.0.0 network. A traceroute from the firewall to the notebook shows 1 192.168.0.4 (192.168.0.4) 2.219 ms 0.320 ms 0.276 ms 2 10.4.50.1 (10.4.50.1) 0.429 ms 0.513 ms 0.376 ms A traceroute from the notebook to the firewall shows 1 10.4.0.1 (10.4.0.1) 0.136 ms 0.070 ms 0.061 ms 2 * * * 3 * * * 4 * * * etc, etc... What baffles me is that it seems as though the packets are not finding thier way back once they get to the router (10.4.0.1) but the machine I am pinging is along the default route, and that machine can find its way to the notebook. I can also ping the 192.168.0.4 from the notebook, so it knows how to get to that segment, it seems to be not forwarding though. This is the routers table: Internet: DestinationGatewayFlagsRefs UseMtu Interface default192.168.0.2UGS 0 841 - em0 10.2/16link#2 UC 00 - em1 10.3/16link#3 UC 00 - em2 10.4/16 link#4 UC 00 - em3 10.4.50.1 00:02:a5:6c:59:2f UHLc06 - em3 10.5/16link#5 UC 00 - em4 10.6/16link#7 UC 00 - em6 10.7/16link#8 UC 0 0 - em7 loopback localhost UGRS 00 33224 lo0 localhost localhost UH 0 604 33224 lo0 192.168.0/24 link#1 UC 00 - em0 192.168.0.2 00:60:97:5b:72:45 UHLc0 252 - em0 192.168.0.500:01:e6:81:c7:05 UHLc02 - em0 192.168.0.198 00:0b:cd:07:8f:45 UHLc0 1520 - em0 BASE-ADDRESS.MCAST localhost URS 00 33224 lo0 On Wed, 31 Aug 2005 22:50:26 -0700 Bryan Irvine [EMAIL PROTECTED] wrote: That was kind of hard to follow. Can you post traceroutes? --Bryan On 8/31/05, Bill [EMAIL PROTECTED] wrote: OBSD 3.7 - new install I am building a router. And I am having a routing problem. I am not doing any packet filtering, NAT or anything... its all strictly private address space nets I also most definately have ip forwarding set in sysctl Right now I have the router installed with two active interfaces... Segment A (192.168.0.4) interface on the router Segment B (10.3.0.1) interface on the router Now I have a machine on each segment also: 192.168.0.2 (Segment A) 10.3.50.1 (Segment B) Segment B has the default gateway set to 192.168.0.2 (192.168.0.2 then passes out to the internet ) From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic). I can ping any of the other interface cards on the router (there are a few) including the 192.168.0.4 interface on the router. But I cannot ping the 192.168.0.2 machine. * WAIT * I know what you are going to say... but I DO have the ip forwarding set # sysctl -a | grep forward net.inet.ip.forwarding=1 I checked many times since. Now, if I go to the 192.168.0.2 machine, I added a route so it knows where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no problem. I can also ping all the other nic's on the router. So the router is forwarding packets. So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping responses from 10.3.50.1 should be able to be returned from the 192.168.0.2 box back no problem. I am not sure where the pings are being lost... if the machine on segment A knows how to reach segment B and can ping it... doesn't that mean the segment B machine essentially can get pings back if it sends them to Segment A? Segment A is its default route. Confused... Any help would be greatly appreciated All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux -- Bill Chmura Director of Internet Technology Explosivo ITG Wolcott, CT p: 860.621.8693 e: [EMAIL PROTECTED] w. http://www.explosivo.com -- Bill Chmura Director of Internet Technology Explosivo ITG Wolcott, CT p: 860.621.8693 e: [EMAIL PROTECTED] w. http://www.explosivo.com
Re: routing question - why one way?
On Thu, 1 Sep 2005 01:01:08 -0400, Bill wrote: OBSD 3.7 - new install I am building a router. And I am having a routing problem. I am not doing any packet filtering, NAT or anything... its all strictly private address space nets I also most definately have ip forwarding set in sysctl Right now I have the router installed with two active interfaces... Segment A (192.168.0.4) interface on the router Segment B (10.3.0.1) interface on the router Now I have a machine on each segment also: 192.168.0.2 (Segment A) 10.3.50.1 (Segment B) Segment B has the default gateway set to 192.168.0.2 (192.168.0.2 then passes out to the internet ) From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic). I can ping any of the other interface cards on the router (there are a few) including the 192.168.0.4 interface on the router. But I cannot ping the 192.168.0.2 machine. * WAIT * I know what you are going to say... but I DO have the ip forwarding set # sysctl -a | grep forward net.inet.ip.forwarding=1 I checked many times since. Now, if I go to the 192.168.0.2 machine, I added a route so it knows where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no problem. I can also ping all the other nic's on the router. So the router is forwarding packets. So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping responses from 10.3.50.1 should be able to be returned from the 192.168.0.2 box back no problem. I am not sure where the pings are being lost... if the machine on segment A knows how to reach segment B and can ping it... doesn't that mean the segment B machine essentially can get pings back if it sends them to Segment A? Segment A is its default route. Confused... Any help would be greatly appreciated All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux -- Bill Chmura Director of Internet Technology Explosivo ITG Wolcott, CT p: 860.621.8693 e: [EMAIL PROTECTED] w. http://www.explosivo.com I'm sure that you know what you mean but what you have stated about the networks and host is ambiguous. Let's see if I guess correctly in phrasing it a little differently. If not you have a better chance to correct the impression. There are 2 private networks: 192.168.0.0/24 10.3.0.0/8 - maybe you use a /24 but /8 is the natural for a 10. network You have 3 hosts: A router with 2 NICs, 192.168.0.4 and 10.3.0.1 One with a NIC = 192.168.0.2 (connected to the router on its 192.168.0.4 NIC) It also has another NIC that connects to the internet (somehow) One with a NIC = 10.3.50.1 (connected to the router NIC 10.3.0.1) So far so good? Well really you have 2 routers there. The one you called a router plus the 192.168.0.2 host. The latter will need to have forwarding on as well as the one you called Router in your post. Your first router will need to have its default gateway set to 192.168.0.2 for traffic from the 10. network to get to the 'net. Looking at nststat -rnf inet on your Openbsd boxes might be enlightening and should be posted as a part of your question. The Linux box only needs netstat -rn as it defaults to the inet family. Forget the term segments. It is confusing where you have no segmentation. Make sure ALL machines on your 10. network have a netmask of 255.0.0.0 for purity because you need at least 255.255.192.0 (math done in head at end of day - please check!) to get that third octet (50) covered. Let's see where that gets you. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: routing question - why one way?
On Thu, 01 Sep 2005 02:01:44 -0400, Bill wrote: I will try to summarize... Is it this ?: firewallrouter=linux 192.168.0.2 192.168.0.4 10.4.0.1 10.4.50.1 In your FP it is 10.3.0.0, now it is 10.4.0.0, right ? This is the routers table: Internet: DestinationGatewayFlagsRefs UseMtu Interface default192.168.0.2UGS 0 841 - em0 10.2/16link#2 UC 00 - em1 10.3/16link#3 UC 00 - em2 10.4/16 link#4 UC 00 - em3 10.4.50.1 00:02:a5:6c:59:2f UHLc06 - em3 10.5/16link#5 UC 00 - em4 10.6/16link#7 UC 00 - em6 10.7/16link#8 UC 0 0 - em7 loopback localhost UGRS 00 33224 lo0 localhost localhost UH 0 604 33224 lo0 192.168.0/24 link#1 UC 00 - em0 192.168.0.2 00:60:97:5b:72:45 UHLc0 252 - em0 192.168.0.500:01:e6:81:c7:05 UHLc02 - em0 192.168.0.198 00:0b:cd:07:8f:45 UHLc0 1520 - em0 BASE-ADDRESS.MCAST localhost URS 00 33224 lo0 (This is badly wrapped here for me) This is unclear to me, so you have 7 interfaces. I am not clear on how you route incoming (192.168.0.0) to 10.3.0.0; for example. But maybe I simply don't understand your setup ... ! Uwe
Fw: Re: routing question - why one way?
Begin forwarded message: Date: Thu, 1 Sep 2005 08:09:24 -0400 From: Bill [EMAIL PROTECTED] To: Rod.. Whitworth [EMAIL PROTECTED] Subject: Re: routing question - why one way? On Thu, 01 Sep 2005 16:36:13 +1000 Rod.. Whitworth [EMAIL PROTECTED] wrote: On Thu, 1 Sep 2005 01:01:08 -0400, Bill wrote: OBSD 3.7 - new install I am building a router. And I am having a routing problem. I am not doing any packet filtering, NAT or anything... its all strictly private address space nets I also most definately have ip forwarding set in sysctl Right now I have the router installed with two active interfaces... Segment A (192.168.0.4) interface on the router Segment B (10.3.0.1) interface on the router Now I have a machine on each segment also: 192.168.0.2 (Segment A) 10.3.50.1 (Segment B) Segment B has the default gateway set to 192.168.0.2 (192.168.0.2 then passes out to the internet ) From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic). I can ping any of the other interface cards on the router (there are a few) including the 192.168.0.4 interface on the router. But I cannot ping the 192.168.0.2 machine. * WAIT * I know what you are going to say... but I DO have the ip forwarding set # sysctl -a | grep forward net.inet.ip.forwarding=1 I checked many times since. Now, if I go to the 192.168.0.2 machine, I added a route so it knows where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no problem. I can also ping all the other nic's on the router. So the router is forwarding packets. So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping responses from 10.3.50.1 should be able to be returned from the 192.168.0.2 box back no problem. I am not sure where the pings are being lost... if the machine on segment A knows how to reach segment B and can ping it... doesn't that mean the segment B machine essentially can get pings back if it sends them to Segment A? Segment A is its default route. Confused... Any help would be greatly appreciated All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux --- Bill Chmura Director of Internet Technology Explosivo ITG Wolcott, CT p: 860.621.8693 e: [EMAIL PROTECTED] w. http://www.explosivo.com I'm sure that you know what you mean but what you have stated about the networks and host is ambiguous. Let's see if I guess correctly in phrasing it a little differently. If not you have a better chance to correct the impression. There are 2 private networks: 192.168.0.0/24 10.3.0.0/8 - maybe you use a /24 but /8 is the natural for a 10. network You have 3 hosts: A router with 2 NICs, 192.168.0.4 and 10.3.0.1 One with a NIC = 192.168.0.2 (connected to the router on its 192.168.0.4 NIC) It also has another NIC that connects to the internet (somehow) One with a NIC = 10.3.50.1 (connected to the router NIC 10.3.0.1) So far so good? Well really you have 2 routers there. The one you called a router plus the 192.168.0.2 host. The latter will need to have forwarding on as well as the one you called Router in your post. Your first router will need to have its default gateway set to 192.168.0.2 for traffic from the 10. network to get to the 'net. Looking at nststat -rnf inet on your Openbsd boxes might be enlightening and should be posted as a part of your question. The Linux box only needs netstat -rn as it defaults to the inet family. Forget the term segments. It is confusing where you have no segmentation. Make sure ALL machines on your 10. network have a netmask of 255.0.0.0 for purity because you need at least 255.255.192.0 (math done in head at end of day - please check!) to get that third octet (50) covered. Let's see where that gets you. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server. Hi Rod, Your rephrasing of my layout is accurate. Routing on the 192.168.0.2 box is fine (the rest of the network on the 192.168.0.0/24 segment can get through there fine. Here is the netstat for the inner router... As you can see I have the default set (I think) to use the 192.168.0.2 Internet: DestinationGatewayFlags Refs UseMtu Interface default192.168.0.2UGS 9 1516 - em0 10.2/16link#2 UC 00 - em1 10.3/16link#3 UC 00 - em2 10.4/16 link#4 UC 10 - em3 10.4.50.1 link#4 UHLc2 30 - em3 10.5/16link#5 UC 00 - em4 10.6/16link#7 UC 00 - em6 10.7/16link#8 UC 0 0 - em7 127/8 127.0.0.1 UGRS 00 33224
Re: routing question - why one way?
On Thursday, September 01, 2005, Bill wrote: Right now I have the router installed with two active interfaces... Segment A (192.168.0.4) interface on the router Segment B (10.3.0.1) interface on the router Now I have a machine on each segment also: 192.168.0.2 (Segment A) 10.3.50.1 (Segment B) Segment B has the default gateway set to 192.168.0.2 (192.168.0.2 then passes out to the internet ) This doesn't make sense, Segment B's default gateway is 10.3.0.1 From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic). I can ping any of the other interface cards on the router (there are a few) including the 192.168.0.4 interface on the router. But I cannot ping the 192.168.0.2 machine. * WAIT * I know what you are going to say... but I DO have the ip forwarding set No, I believe ip forwarding is enabled. A diagram of your network is a follows (I believe) 0/0 route to Internet gateway | (Segment A)(Segment B) 192.168.0.2 192.168.0.4 - 10.3.0.1 10.3.50.1 Segment A gets 192.168.0.4 as their default gateway, Segment B gets 10.3.0.1 as their default gateway Now, if I go to the 192.168.0.2 machine, I added a route so it knows where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no problem. Not necessary (of course) if Segment A's default gateway is 192.168.0.4 and Segment B is set to 10.3.0.1 So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping responses from 10.3.50.1 should be able to be returned from the 192.168.0.2 box back no problem. Let the router do it's job here I am not sure where the pings are being lost... Probably lost in a 0/0 route, check your gateways. YOU'RE SURE there aren't any other players here in this simple network, correct? Example, is pf, iptables, or other firewall blocking enabled on any of the machines involved? ICMP could be getting lost in an ACL --- Todd M. Boyer, CISSP President AutumnTECH, LLC [EMAIL PROTECTED] http://www.AutumnTECH.com AutumnTECH Manufactures Entire Network Protection Appliances that Identify Spam and Sanitize Dangerous E-mail Content ---
Re: Fw: Re: routing question - why one way?
On Thu, 1 Sep 2005 08:11:28 -0400, Bill wrote: Date: Thu, 1 Sep 2005 08:09:24 -0400 From: Bill [EMAIL PROTECTED] To: Rod.. Whitworth [EMAIL PROTECTED] Subject: Re: routing question - why one way? On Thu, 01 Sep 2005 16:36:13 +1000 Rod.. Whitworth [EMAIL PROTECTED] wrote: On Thu, 1 Sep 2005 01:01:08 -0400, Bill wrote: OBSD 3.7 - new install I am building a router. And I am having a routing problem. I am not doing any packet filtering, NAT or anything... its all strictly private address space nets I also most definately have ip forwarding set in sysctl Right now I have the router installed with two active interfaces... Segment A (192.168.0.4) interface on the router Segment B (10.3.0.1) interface on the router Now I have a machine on each segment also: 192.168.0.2 (Segment A) 10.3.50.1 (Segment B) Segment B has the default gateway set to 192.168.0.2 (192.168.0.2 then passes out to the internet ) From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic). I can ping any of the other interface cards on the router (there are a few) including the 192.168.0.4 interface on the router. But I cannot ping the 192.168.0.2 machine. * WAIT * I know what you are going to say... but I DO have the ip forwarding set # sysctl -a | grep forward net.inet.ip.forwarding=1 I checked many times since. Now, if I go to the 192.168.0.2 machine, I added a route so it knows where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no problem. I can also ping all the other nic's on the router. So the router is forwarding packets. So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping responses from 10.3.50.1 should be able to be returned from the 192.168.0.2 box back no problem. I am not sure where the pings are being lost... if the machine on segment A knows how to reach segment B and can ping it... doesn't that mean the segment B machine essentially can get pings back if it sends them to Segment A? Segment A is its default route. Confused... Any help would be greatly appreciated All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux --- Bill Chmura Director of Internet Technology Explosivo ITG Wolcott, CT p: 860.621.8693 e: [EMAIL PROTECTED] w. http://www.explosivo.com I'm sure that you know what you mean but what you have stated about the networks and host is ambiguous. Let's see if I guess correctly in phrasing it a little differently. If not you have a better chance to correct the impression. There are 2 private networks: 192.168.0.0/24 10.3.0.0/8 - maybe you use a /24 but /8 is the natural for a 10. network You have 3 hosts: A router with 2 NICs, 192.168.0.4 and 10.3.0.1 One with a NIC = 192.168.0.2 (connected to the router on its 192.168.0.4 NIC) It also has another NIC that connects to the internet (somehow) One with a NIC = 10.3.50.1 (connected to the router NIC 10.3.0.1) So far so good? Well really you have 2 routers there. The one you called a router plus the 192.168.0.2 host. The latter will need to have forwarding on as well as the one you called Router in your post. Your first router will need to have its default gateway set to 192.168.0.2 for traffic from the 10. network to get to the 'net. Looking at nststat -rnf inet on your Openbsd boxes might be enlightening and should be posted as a part of your question. The Linux box only needs netstat -rn as it defaults to the inet family. Forget the term segments. It is confusing where you have no segmentation. Make sure ALL machines on your 10. network have a netmask of 255.0.0.0 for purity because you need at least 255.255.192.0 (math done in head at end of day - please check!) to get that third octet (50) covered. Let's see where that gets you. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server. Hi Rod, Your rephrasing of my layout is accurate. Routing on the 192.168.0.2 box is fine (the rest of the network on the 192.168.0.0/24 segment can get through there fine. Here is the netstat for the inner router... As you can see I have the default set (I think) to use the 192.168.0.2 Internet: DestinationGatewayFlags Refs UseMtu Interface default192.168.0.2UGS 9 1516 - em0 10.2/16link#2 UC 00 - em1 10.3/16link#3 UC 00 - em2 10.4/16 link#4 UC 10 - em3 10.4.50.1 link#4 UHLc2 30 - em3 10.5/16link#5 UC 00 - em4 10.6/16link#7 UC 00 - em6 10.7/16link#8 UC 0 0 - em7 127/8 127.0.0.1
Re: Fw: Re: routing question - why one way? - working
On Thu, 01 Sep 2005 23:03:44 +1000 Rod.. Whitworth [EMAIL PROTECTED] wrote: On Thu, 1 Sep 2005 08:11:28 -0400, Bill wrote: Date: Thu, 1 Sep 2005 08:09:24 -0400 From: Bill [EMAIL PROTECTED] To: Rod.. Whitworth [EMAIL PROTECTED] Subject: Re: routing question - why one way? On Thu, 01 Sep 2005 16:36:13 +1000 Rod.. Whitworth [EMAIL PROTECTED] wrote: On Thu, 1 Sep 2005 01:01:08 -0400, Bill wrote: OBSD 3.7 - new install I am building a router. And I am having a routing problem. I am not doing any packet filtering, NAT or anything... its all strictly private address space nets I also most definately have ip forwarding set in sysctl Right now I have the router installed with two active interfaces... Segment A (192.168.0.4) interface on the router Segment B (10.3.0.1) interface on the router Now I have a machine on each segment also: 192.168.0.2 (Segment A) 10.3.50.1 (Segment B) Segment B has the default gateway set to 192.168.0.2 (192.168.0.2 then passes out to the internet ) From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic). I can ping any of the other interface cards on the router (there are a few) including the 192.168.0.4 interface on the router. But I cannot ping the 192.168.0.2 machine. * WAIT * I know what you are going to say... but I DO have the ip forwarding set # sysctl -a | grep forward net.inet.ip.forwarding=1 I checked many times since. Now, if I go to the 192.168.0.2 machine, I added a route so it knows where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no problem. I can also ping all the other nic's on the router. So the router is forwarding packets. So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping responses from 10.3.50.1 should be able to be returned from the 192.168.0.2 box back no problem. I am not sure where the pings are being lost... if the machine on segment A knows how to reach segment B and can ping it... doesn't that mean the segment B machine essentially can get pings back if it sends them to Segment A? Segment A is its default route. Confused... Any help would be greatly appreciated All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux --- Bill Chmura Director of Internet Technology Explosivo ITG Wolcott, CT p: 860.621.8693 e: [EMAIL PROTECTED] w. http://www.explosivo.com I'm sure that you know what you mean but what you have stated about the networks and host is ambiguous. Let's see if I guess correctly in phrasing it a little differently. If not you have a better chance to correct the impression. There are 2 private networks: 192.168.0.0/24 10.3.0.0/8 - maybe you use a /24 but /8 is the natural for a 10. network You have 3 hosts: A router with 2 NICs, 192.168.0.4 and 10.3.0.1 One with a NIC = 192.168.0.2 (connected to the router on its 192.168.0.4 NIC) It also has another NIC that connects to the internet (somehow) One with a NIC = 10.3.50.1 (connected to the router NIC 10.3.0.1) So far so good? Well really you have 2 routers there. The one you called a router plus the 192.168.0.2 host. The latter will need to have forwarding on as well as the one you called Router in your post. Your first router will need to have its default gateway set to 192.168.0.2 for traffic from the 10. network to get to the 'net. Looking at nststat -rnf inet on your Openbsd boxes might be enlightening and should be posted as a part of your question. The Linux box only needs netstat -rn as it defaults to the inet family. Forget the term segments. It is confusing where you have no segmentation. Make sure ALL machines on your 10. network have a netmask of 255.0.0.0 for purity because you need at least 255.255.192.0 (math done in head at end of day - please check!) to get that third octet (50) covered. Let's see where that gets you. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server. Hi Rod, Your rephrasing of my layout is accurate. Routing on the 192.168.0.2 box is fine (the rest of the network on the 192.168.0.0/24 segment can get through there fine. Here is the netstat for the inner router... As you can see I have the default set (I think) to use the 192.168.0.2 Internet: DestinationGatewayFlags Refs UseMtu Interface default192.168.0.2UGS 9 1516 - em0 10.2/16link#2 UC 00 - em1 10.3/16link#3 UC 00 - em2 10.4/16 link#4 UC 10 - em3 10.4.50.1 link#4 UHLc2 30 - em3 10.5/16link#5
routing question - why one way?
OBSD 3.7 - new install I am building a router. And I am having a routing problem. I am not doing any packet filtering, NAT or anything... its all strictly private address space nets I also most definately have ip forwarding set in sysctl Right now I have the router installed with two active interfaces... Segment A (192.168.0.4) interface on the router Segment B (10.3.0.1) interface on the router Now I have a machine on each segment also: 192.168.0.2 (Segment A) 10.3.50.1 (Segment B) Segment B has the default gateway set to 192.168.0.2 (192.168.0.2 then passes out to the internet ) From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic). I can ping any of the other interface cards on the router (there are a few) including the 192.168.0.4 interface on the router. But I cannot ping the 192.168.0.2 machine. * WAIT * I know what you are going to say... but I DO have the ip forwarding set # sysctl -a | grep forward net.inet.ip.forwarding=1 I checked many times since. Now, if I go to the 192.168.0.2 machine, I added a route so it knows where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no problem. I can also ping all the other nic's on the router. So the router is forwarding packets. So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping responses from 10.3.50.1 should be able to be returned from the 192.168.0.2 box back no problem. I am not sure where the pings are being lost... if the machine on segment A knows how to reach segment B and can ping it... doesn't that mean the segment B machine essentially can get pings back if it sends them to Segment A? Segment A is its default route. Confused... Any help would be greatly appreciated All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux -- Bill Chmura Director of Internet Technology Explosivo ITG Wolcott, CT p: 860.621.8693 e: [EMAIL PROTECTED] w. http://www.explosivo.com
Re: routing question - why one way?
That was kind of hard to follow. Can you post traceroutes? --Bryan On 8/31/05, Bill [EMAIL PROTECTED] wrote: OBSD 3.7 - new install I am building a router. And I am having a routing problem. I am not doing any packet filtering, NAT or anything... its all strictly private address space nets I also most definately have ip forwarding set in sysctl Right now I have the router installed with two active interfaces... Segment A (192.168.0.4) interface on the router Segment B (10.3.0.1) interface on the router Now I have a machine on each segment also: 192.168.0.2 (Segment A) 10.3.50.1 (Segment B) Segment B has the default gateway set to 192.168.0.2 (192.168.0.2 then passes out to the internet ) From 10.3.50.1 my default gateway on is the 10.3.0.1 (router nic). I can ping any of the other interface cards on the router (there are a few) including the 192.168.0.4 interface on the router. But I cannot ping the 192.168.0.2 machine. * WAIT * I know what you are going to say... but I DO have the ip forwarding set # sysctl -a | grep forward net.inet.ip.forwarding=1 I checked many times since. Now, if I go to the 192.168.0.2 machine, I added a route so it knows where the 10.3.0.0 network is, and I can ping the 10.3.50.1 machine no problem. I can also ping all the other nic's on the router. So the router is forwarding packets. So if the pings can get from 192.168.0.2 to 10.3.50.1, the ping responses from 10.3.50.1 should be able to be returned from the 192.168.0.2 box back no problem. I am not sure where the pings are being lost... if the machine on segment A knows how to reach segment B and can ping it... doesn't that mean the segment B machine essentially can get pings back if it sends them to Segment A? Segment A is its default route. Confused... Any help would be greatly appreciated All the boxes are obsd 3.7 except for the 10.3.50.1 box which is linux -- Bill Chmura Director of Internet Technology Explosivo ITG Wolcott, CT p: 860.621.8693 e: [EMAIL PROTECTED] w. http://www.explosivo.com