Hi,
We do exactly the same thing for our wifi network. Users on wifi can *only*
use public IP addresses.
The solution is easy, you just have to consider where you do your nat'ing;
You can't do binat, so you will need nat-to and rdr-to rules to make it
work.
E.g. The following line translates
On Wed, 24 Jun 2015 08:17:15 -0400
Michel Blais mic...@targointernet.com wrote:
The solution seems to be explained at this link
http://www.openbsd.org/faq/pf/rdr.html#reflect
On Thu, 25 Jun 2015 14:50:42 +0100
Andy Lemin a...@brandwatch.com wrote:
Hi,
We do exactly the same thing for our
On 25 Jun 2015, at 15:46, Marko Cupać marko.cu...@mimar.rs wrote:
On Wed, 24 Jun 2015 08:17:15 -0400
Michel Blais mic...@targointernet.com wrote:
The solution seems to be explained at this link
http://www.openbsd.org/faq/pf/rdr.html#reflect
On Thu, 25 Jun 2015 14:50:42 +0100
Andy Lemin
Hi,
my setup is actually more complicated, but for purpose of this mail I
am going to try and keep it simple.
My firewall redirects requests to some service from the Internet to
server on private network:
pass in on $ext_if inet proto tcp from any to $srv-pub port $service rdr-to
$srv-priv
The solution seems to be explained at this link
http://www.openbsd.org/faq/pf/rdr.html#reflect
Original message
From: Marko Cupać
Sent: Wednesday, 24 June 2015 07:21
To: misc@openbsd.org
Subject: pf nat and routing question
Hi,
my setup is actually more complicated, but for purpose of this mail I
On 11/10/14, 2:46 PM, Peter Hessler wrote:
As I said before.
_This_ _Is_ _Not_ _Possible_.
Period.
Well, if you're doing bridging on the Linux setup you're trying to
replace, but don't realize it, forget to mention that the Cisco actually
*does* have an address in the /29 the Free/OpenBSD
Hi
This is a part of the output containing the static routes related to
*bnx0*, *bnx1*, i was trying to make a static route for the
189.92.72.11 pointing to *bnx1* but without success, is it possible ?
below the routes is the output of ifconfig these interfaces, i'm gonna
try a bridge
As I said before.
_This_ _Is_ _Not_ _Possible_.
Period.
On 2014 Nov 10 (Mon) at 17:30:50 -0200 (-0200), Dante F. B. Colò wrote:
:Hi
:
:This is a part of the output containing the static routes related to
:*bnx0*, *bnx1*, i was trying to make a static route for the
:189.92.72.11 pointing to
On Thu, Nov 06, 2014 at 07:12:20PM -0200, Dante F. B. Colò wrote:
I'm trying to setup some static routes on an openbsd 4.9 box for some
public addresses
This usually gets mentioned, so I'll go ahead and bring this to your
attention.
OpenBSD 4.9 is long unsupported. There have been many
That is not supported. You MUST NOT have IPs in the same range on
different interfaces.
You can assign some /32s (or /128 if you are using IPv6) to a lo1 on the
system, but that may not be what you want.
On 2014 Nov 06 (Thu) at 19:12:20 -0200 (-0200), Dante F. B. Colò wrote:
:Hello everyone
On 2014-11-07, li...@ggp2.com li...@ggp2.com wrote:
On Thu, Nov 06, 2014 at 07:12:20PM -0200, Dante F. B. Colò wrote:
I'm trying to setup some static routes on an openbsd 4.9 box for some
public addresses
This usually gets mentioned, so I'll go ahead and bring this to your
attention.
Yes,
On 2014-11-07, li...@ggp2.com li...@ggp2.com wrote:
On Thu, Nov 06, 2014 at 07:12:20PM -0200, Dante F. B. Colò wrote:
I'm trying to setup some static routes on an openbsd 4.9 box for some
public addresses
This usually gets mentioned, so I'll go ahead and bring this to your
attention.
Yes,
Hello everyone
I'm trying to setup some static routes on an openbsd 4.9 box for some
public addresses, the machine has two ethernet cards *bnx0* and *bnx1*,
*bnx0* is attached to a Cisco internet router and *bnx1* is
connected to a switch, both interfaces have public addresses of the
On Thu, Nov 06, 2014 at 04:12:20PM EST, Dante F. B. Colò wrote:
Hello everyone
Hi Dante,
I'm trying to setup some static routes on an openbsd 4.9 box for some
public addresses, the machine has two ethernet cards *bnx0* and *bnx1*,
*bnx0* is attached to a Cisco internet router and
I am having trouble figuring out how I should configure a physical
interface and a carp virtual interface where the carp IP will serve as
a default route for hosts on the network and also hold some aliases
for server re-directs. From what I have seen the routes built at
startup home the route for
Hello,
I have an IPSEC VPNs in Tunnelmode, configured in ipsec.conf with a line
like:
ike active esp tunnel from my_internal_net to his_internal_net peer
his_gateway_address main_mode_parameters quick_mode_parameters
preshared_key
My isakmpd.policy file is
# cat /etc/isakmpd/isakmpd.policy
2011/1/10, Christoph Leser le...@sup-logistik.de:
Hello,
I have an IPSEC VPNs in Tunnelmode, configured in ipsec.conf with a line
like:
ike active esp tunnel from my_internal_net to his_internal_net peer
his_gateway_address main_mode_parameters quick_mode_parameters
preshared_key
My
2011/1/10, Christoph Leser le...@sup-logistik.de:
I would like to ask:
1. Is it true, that isakmpd is supposed to accept any ID parameter of
type IPV4_ADDR_SUBNET ) in quick mode and set up a corresponding route,
even when it is the 'default' route?
Yes, some people want all their traffic
Hi folks, I'm running into a bit of a routing gotcha getting two mail
servers to send mail out using their own respective IP addresses.
(While this involves postfix, this is not a postfix support question,
it's a routing question)
What I'm trying to accomplish is this:
- two autonomous
On Sat, Mar 27, 2010 at 1:02 AM, Scott McEachern sc...@erratic.ca wrote:
Hi folks, I'm running into a bit of a routing gotcha getting two mail
servers to send mail out using their own respective IP addresses. (While
this involves postfix, this is not a postfix support question, it's a
routing
a routing question)
What I'm trying to accomplish is this:
- two autonomous domains, each with their own mail server instance
(postfix in this case) so that one domain never 'mentions' the other
domain. Using one instance of postfix to relay for the 2nd domain is
not an option, as domain1.com
James Shupe wrote:
Check into smtp_bind_address in Postfix. If you're still having issues,
binat rather than rdr to internal IPs so connections will originate
properly. Without seeing your pf.conf or master.cf, this is a guess, but
I think these tips should lead you in the right direction.
On 2009-12-06, Alastair Johnson att...@googlemail.com wrote:
rdr pass on $ext_if1 proto tcp from $supplierIP to $CARP_ip_line1 port 443 -> 10.0.0.50 port 443
rdr pass on $ext_if2 proto tcp from $supplierIP to $CARP_ip_line2 port 443 -> 10.0.0.50 port 443
This works like 'pass quick' without
We have 2 internet lines with 2 different and equally unreliable Internet
providers.
We have 2 PF firewalls running 4.6 RELEASE arranged in a failover
configuration
using CARP/pfsync. Each firewall is therefore connected to each router and
to our
internal network as well as a crossover cable
the lo1 hack is no longer needed here; read OUTGOING NETWORK
ADDRESS TRANSLATION in ipsec.conf(5).
On 2009-10-29, Christoph Leser le...@sup-logistik.de wrote:
I'm sure I have seen the answer to my question here on the list some
time ago, but I'm too stupid to find it again:
In what order are
I'm sure I have seen the answer to my question here on the list some
time ago, but I'm too stupid to find it again:
In what order are the following operations performed on an IP packet
a. IPSEC ( decides whether a packet matches an IPSEC flow )
b. normal kernel routing
c. NAT
d. packet filtering
On 2008-06-26, openbsd misc [EMAIL PROTECTED] wrote:
- how must I read the route-to / reply-to syntax?
for example:
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
Outbound packet - normal routing table lookup based on the
*destination* address - if the routing table
Hello,
I hope I can avoid try'n error this way ;-) I have two firewall systems
with carp enabled (running obsd 4.3). These gateways have two internet
connections (dsl 6000 and symmetric 4000 provided by a router with an
/29 transport net).
The symmetric line should be used for vpn and for mail
On 2008-06-25, openbsd misc [EMAIL PROTECTED] wrote:
I hope I can avoid try'n error this way ;-) I have two firewall systems
with carp enabled (running obsd 4.3). These gateways have two internet
connections (dsl 6000 and symmetric 4000 provided by a router with an
/29 transport net).
The
Henderson
Sent: Thursday, 26 June 2008 01:47
To: misc@openbsd.org
Subject: Re: carp / routing question (multiple lines)
On 2008-06-25, openbsd misc [EMAIL PROTECTED] wrote:
I hope I can avoid try'n error this way ;-) I have two
firewall systems
with carp enabled (running obsd 4.3
On 25/03/2008, Fridiric Pli [EMAIL PROTECTED] wrote:
Hi,
I have an openbsd router with two ebgp peers.
I have several prefixes to announce but I would like to know how I could
influence outcoming traffic from each of my prefix.
I did not understand how to use weight, localpref and
On Tue, Mar 25, 2008 at 4:31 PM, Fridiric Pli [EMAIL PROTECTED] wrote:
Hi,
I have an openbsd router with two ebgp peers.
I have several prefixes to announce but I would like to know how I could
influence outcoming traffic from each of my prefix.
I did not understand how to use weight,
Hi,
I have an openbsd router with two ebgp peers.
I have several prefixes to announce but I would like to know how I could
influence outcoming traffic from each of my prefix.
I did not understand how to use weight, localpref and metric nor filter
rules to do that.
any clue or example ?
many
another routing problem is that now the ibgp routes get inserted
but also announced to the ebgp peer since it's the same as and
i announce self to the ebgp peers. problem is now that the
network is somewhere else, but announced so i have created a
routing loop. do i have to use static routes or
On Fri, Feb 29, 2008 at 02:10:09PM +0100, Erich wrote:
another routing problem is that now the ibgp routes get inserted
but also announced to the ebgp peer since it's the same as and
i announce self to the ebgp peers. problem is now that the
network is somewhere else, but announced so i have
Claudio Jeker wrote:
On Fri, Feb 29, 2008 at 02:10:09PM +0100, Erich wrote:
another routing problem is that now the ibgp routes get inserted
but also announced to the ebgp peer since it's the same as and
i announce self to the ebgp peers. problem is now that the
network is somewhere
On Fri, Feb 29, 2008 at 03:23:27PM +0100, Erich wrote:
Claudio Jeker wrote:
On Fri, Feb 29, 2008 at 02:10:09PM +0100, Erich wrote:
another routing problem is that now the ibgp routes get inserted
but also announced to the ebgp peer since it's the same as and
i announce self to the ebgp
* Erich [EMAIL PROTECTED] [2008-02-28 08:20]:
i now have a session i turned on update logging on bgpd but the routes do not
get inserted. any ideas?
well, check nexthop validity...
bgpctl show nexthop
--
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
On Thu, Feb 28, 2008 at 08:14:09AM +0100, Erich wrote:
i now have a session i turned on update logging on bgpd but the routes do not
get inserted. any ideas?
AS41412: update 123.123.123.0/24 via xxx..xx. ( the router where
the network is, yes pingable)
Make sure the nexthop is
yes thx guys, it worked :)
Claudio Jeker wrote:
On Thu, Feb 28, 2008 at 08:14:09AM +0100, Erich wrote:
i now have a session i turned on update logging on bgpd but the routes do not
get inserted. any ideas?
AS41412: update 123.123.123.0/24 via xxx..xx. ( the router where
the
do i have to restart bgpd in order to get ipsec esp ike for a
session / nei working or is a reload and nei up/down enough?
i got
Oct 20 13:21:23 router-mt-1 isakmpd[13070]: dropped message from
xx.xx.xx.xx port 500 due to notification type NO_PROPOSAL_CHOSEN
and
* Erich [EMAIL PROTECTED] [2008-02-28 14:06]:
do i have to restart bgpd in order to get ipsec esp ike for a
session / nei working or is a reload and nei up/down enough?
config reload and clearing the affected neighbor session is enough. I
have done that in testing many times successfully.
i
i now have a session i turned on update logging on bgpd but the routes do not
get inserted. any ideas?
AS41412: update 123.123.123.0/24 via xxx..xx. ( the router where
the network is, yes pingable)
Erich wrote:
Claudio Jeker wrote:
On Tue, Feb 26, 2008 at 09:51:05AM +0100, Erich
hi,
is there a way to announce the same AS an different locations?
lets say 123.123.123.0/23 is mine and i want to have
123.123.123.0/24 @location1 and 23.123.124.0/24 @location2,
right now i have the problem that the bgpd seems to drop the routes to
each other, means the networks are
sure.. my fault, just assume the networks are right.
and this is not my problem ;)
Alexander Hall wrote:
Erich wrote:
hi,
is there a way to announce the same AS an different locations?
lets say 123.123.123.0/23 is mine and i want to have
123.123.123.0/24 @location1 and 23.123.124.0/24
On Tue, Feb 26, 2008 at 09:51:05AM +0100, Erich wrote:
hi,
is there a way to announce the same AS an different locations?
lets say 123.123.123.0/23 is mine and i want to have
123.123.123.0/24 @location1 and 23.123.124.0/24 @location2,
right now i have the problem that the bgpd seems to
Claudio Jeker wrote:
On Tue, Feb 26, 2008 at 09:51:05AM +0100, Erich wrote:
hi,
is there a way to announce the same AS an different locations?
lets say 123.123.123.0/23 is mine and i want to have
123.123.123.0/24 @location1 and 23.123.124.0/24 @location2,
right now i have the problem
Hi
I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I want to enable employees that connect
to the branch's
On 9/3/07 2:15 PM, Paolo Supino wrote:
Hi
I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
On 2007/09/03 17:15, Paolo Supino wrote:
I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I want to enable
On 9/3/07 3:28 PM, Paolo Supino wrote:
Hi David
It's true that all IP addresses are in the 10.x.x.x private address
space that isn't supposed to be routed on the Internet, but in all the
connections over the Internet the only visible addresses
Hi David
It's true that all IP addresses are in the 10.x.x.x private address
space that isn't supposed to be routed on the Internet, but in all the
connections over the Internet the only visible addresses are the
public ones (otherwise the VPNs wouldn't be working): Main and branch
office
Hi David
I do push the route to the OpenVPN clients and I do have the route
back on the servers in the main office. To be sure I ran a sniffer on
a server in the main office to see if any traffic reaches the server
from the VPN client and the sniffer showed nothing reached the server.
It's not
On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote:
Hi
I have a firewall that also acts as a VPN peer for 2 VPNs. One of
the VPNs is IPSEC that connects between the main office and a branch
office. The second VPN is OpenVPN that connects windows based road
warriors to the branch office. I
Hi RW
Except for the branch VPN to the main office subnet (line# 3) I have
the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice
versa on the main office VPN peer). Why do I need to setup a tunnel
between the branch firewall and main office subnet?
TIA
Paolo
RW wrote:
On
On Mon, 03 Sep 2007 20:26:14 -0400, Paolo Supino wrote:
Hi RW
Except for the branch VPN to the main office subnet (line# 3) I have
the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice
versa on the main office VPN peer). Why do I need to setup a tunnel
between the branch
Hi RW
I found the problem :-) My OpenVPN setup is OK. My ipsecctl.conf
was almost perfect: I setup the flow from my OpenBSD box (the branch
office) to be passive ... duh!!! ;-) Now that it has been converted
to dynamic the tunnel gets setup if the OpenVPN client initiates
traffic :-)
TIA
Dear All.
I have one simple question.
If my ISP assigns one point to point ip address and one full subnet
mask address (/28), can i have those in one of my ethernet interfaces?
If it's possible, is there any network routing problem ?
FYI , i have one private network and DMZ .
regards
Beastie
Greets
I have a scenario that is simple but I am having trouble getting my head
around. Inside a 192.168.10/24 network there exists a 10.4.6/24 network for
VOIP. Everything works fine.
The issue I have is setting up a route for a third party VOIP management
company who wants to access the
Subject: routing question
Greets
I have a scenario that is simple but I am having trouble getting my head
around. Inside a 192.168.10/24 network there exists a 10.4.6/24 network for
VOIP. Everything works fine.
The issue I have is setting up a route for a third party VOIP management
company
Christoph Leser wrote:
Hello,
the question is about how to route traffic from an openvpn tunnel
to an ipsec tunnel.
This is my setup:
The OpenBSD gateway has an internal (10.0.1.1/24 )
and external (x.x.x.x/30) interface.
The internal net is NAT'ed to the external interface to provide
On Tue, Nov 22, 2005 at 08:31:13PM +0100, Christoph Leser wrote:
Hello,
the question is about how to route traffic from an openvpn tunnel
to an ipsec tunnel.
This is my setup:
The OpenBSD gateway has an internal (10.0.1.1/24 )
and external (x.x.x.x/30) interface.
The internal net
Hello,
the question is about how to route traffic from an openvpn tunnel
to an ipsec tunnel.
This is my setup:
The OpenBSD gateway has an internal (10.0.1.1/24 )
and external (x.x.x.x/30) interface.
The internal net is NAT'ed to the external interface to provide
internet access to hosts on
My office network has an adsl connection with a single static
ip as follows:
209.145.160.141/24 (gw 209.145.160.1)
I requested additional ip's from my provider and they gave me
8 addresses at:
207.246.198.216/29
They are routing all 8 of these new addresses down my adsl
'pipe'. On my
On Tuesday, September 06, John Brooks wrote:
(209.145.160.141)
OBSD #1 -
\
Switch DSL Modem ISP(209.145.160.1)
/
OBSD #2 -
(207.246.198.220)
I was expecting that 207.246.198.217 would have been set up
as
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote:
My office network has an adsl connection with a single static
ip as follows:
209.145.160.141/24 (gw 209.145.160.1)
I requested additional ip's from my provider and they gave me
8 addresses at:
207.246.198.216/29
They are routing
On Tuesday, September 06, John Brooks wrote:
(209.145.160.141)
OBSD #1 -
\
Switch DSL Modem ISP(209.145.160.1)
/
OBSD #2 -
(207.246.198.220)
I was expecting that 207.246.198.217 would have been
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote:
My office network has an adsl connection with a single static
ip as follows:
209.145.160.141/24 (gw 209.145.160.1)
I requested additional ip's from my provider and they gave me
8 addresses at:
207.246.198.216/29
They
Sorry for the confusion...
I will try to summarize...
I have a machine on each side of a router I am building (3.7).
On one side it is a firewall connected to the internet (192.168.0.2/24)
On the other side it is a linux notebook (10.4.50.1/16)
From linux I can ping any interface on the
On Thu, 1 Sep 2005 01:01:08 -0400, Bill wrote:
OBSD 3.7 - new install
I am building a router. And I am having a routing problem. I am not
doing any packet filtering, NAT or anything... it's all strictly private
address space nets I also most definitely have ip forwarding set in
sysctl
Right
On Thu, 01 Sep 2005 02:01:44 -0400, Bill wrote:
I will try to summarize...
Is it this ?:
firewallrouter=linux
192.168.0.2 192.168.0.4 10.4.0.1 10.4.50.1
In your FP it is 10.3.0.0, now it is 10.4.0.0, right ?
This is the routers table:
Internet:
Destination
Begin forwarded message:
Date: Thu, 1 Sep 2005 08:09:24 -0400
From: Bill [EMAIL PROTECTED]
To: Rod.. Whitworth [EMAIL PROTECTED]
Subject: Re: routing question - why one way?
On Thu, 01 Sep 2005 16:36:13 +1000
Rod.. Whitworth [EMAIL PROTECTED] wrote:
On Thu, 1 Sep 2005 01:01:08 -0400, Bill
On Thursday, September 01, 2005, Bill wrote:
Right now I have the router installed with two active interfaces...
Segment A (192.168.0.4) interface on the router Segment B
(10.3.0.1) interface on the router
Now I have a machine on each segment also:
192.168.0.2 (Segment A)
10.3.50.1
On Thu, 1 Sep 2005 08:11:28 -0400, Bill wrote:
Date: Thu, 1 Sep 2005 08:09:24 -0400
From: Bill [EMAIL PROTECTED]
To: Rod.. Whitworth [EMAIL PROTECTED]
Subject: Re: routing question - why one way?
On Thu, 01 Sep 2005 16:36:13 +1000
Rod.. Whitworth [EMAIL PROTECTED] wrote:
On Thu, 1 Sep 2005 01
On Thu, 01 Sep 2005 23:03:44 +1000
Rod.. Whitworth [EMAIL PROTECTED] wrote:
On Thu, 1 Sep 2005 08:11:28 -0400, Bill wrote:
Date: Thu, 1 Sep 2005 08:09:24 -0400
From: Bill [EMAIL PROTECTED]
To: Rod.. Whitworth [EMAIL PROTECTED]
Subject: Re: routing question - why one way?
On Thu, 01
OBSD 3.7 - new install
I am building a router. And I am having a routing problem. I am not
doing any packet filtering, NAT or anything... it's all strictly private
address space nets I also most definitely have ip forwarding set in
sysctl
Right now I have the router installed with two active
That was kind of hard to follow.
Can you post traceroutes?
--Bryan
On 8/31/05, Bill [EMAIL PROTECTED] wrote:
OBSD 3.7 - new install
I am building a router. And I am having a routing problem. I am not
doing any packet filtering, NAT or anything... it's all strictly private
address space
77 matches