Hi,

I just replaced Linux with OpenBSD 3.3 on my home NAT server / firewall.
I'm having some difficulty getting a basic 2 NIC setup to work
properly. I've read through the docs and mailing list, but haven't been
able to figure this out. I just want to do a simple setup with one NIC
as the external (internet) interface and have a second internal
(LAN:192.168.1.x) interface to do address translation for the clients
behind the firewall.

I have 2 NICs, recognized by 'ifconfig -a':

dc0: flags=8d43<UP,BROADCAST,RUNNING,PROMISC,OACTIVE,SI MPLEX,MULTICAST>
mtu 1500
address: 00:a0:cc:61:d4:b8
media: Ethernet autoselect (100baseTX)
status: active
inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::2a0:ccff:fe61:d4b8%dc0 prefixlen 64 scopeid 0x1
ne3:
flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC ,ALLMULTI,SIMPLEX,MULTICAST>
mtu 1500
address: 00:e0:29:38:55:27
media: Ethernet autoselect (10baseT)
inet6 fe80::2e0:29ff:fe38:5527%ne3 prefixlen 64 scopeid 0x2
inet 12.234.89.65 netmask 0xfffffe00 broadcast 255.255.255.255

the hostname.if files:
hostname.dc0: inet 192.168.1.100 255.255.255.0 192.168.1.255
hostname.ne3: dhcp NONE NONE NONE

If I try to ping the OpenBSD firewall (192.168.1.100) from an internal
client, I get no return packets; if I try to ping an internal client
from the BSD box, I also receive no return packets. It doesn't appear
to be a hardware problem, since I receive no error messages and I can
see the NIC & hub lights flashing appropriately.

I tried setting up a bridge, also; /etc/bridgename.bridge0:
add dc0
add ne3
up

The output of 'netstat -r' (ipv6 is truncated):

Routing tables

Internet:
Destination Gateway Flags Refs Use Mtu
Interface
default 12-234-88-1.client UGS 2 25507 - ne3
12-234-88-0.client link#2 UC 0 0 - ne3
12-234-88-1.client 0:a:8b:6d:90:54 UHL 1 0 - ne3
12-234-89-65.clien localhost UGHS 0 0 33224 lo0
loopback localhost UGRS 0 0 33224 lo0
localhost localhost UH 6 11254 33224 lo0
192.168.1/24 link#1 UC 0 0 - dc0
BASE-ADDRESS.MCAST localhost URS 0 0 33224 lo0

/etc/hosts:
::1 localhost.attbi.com localhost
127.0.0.1 localhost.attbi.com localhost
::1 tanuki.attbi.com tanuki
127.0.0.1 tanuki.attbi.com tanuki
127.0.0.1 outside.attbi.com outside
192.168.1.100 inside.attbi.com inside

I have turned on pf, but the pf.conf file just lets everything through
("pass quick all").

Any ideas?

Thanks,
Mitch

On Tue, 02 Sep 2003 13:37:07 -0700, Mitch Zollinger
<ztanuki@netscape.net> said the following:

>Hi,
>
>I just replaced Linux with OpenBSD 3.3 on my home NAT server / firewall.
> I'm having some difficulty getting a basic 2 NIC setup to work
>properly. I've read through the docs and mailing list, but haven't been
>able to figure this out. I just want to do a simple setup with one NIC
>as the external (internet) interface and have a second internal
>(LAN:192.168.1.x) interface to do address translation for the clients
>behind the firewall.
>
>I have 2 NICs, recognized by 'ifconfig -a':
>
>dc0: flags=8d43<UP,BROADCAST,RUNNING,PROMISC,OACTIVE,SI MPLEX,MULTICAST>
>mtu 1500
> address: 00:a0:cc:61:d4:b8
> media: Ethernet autoselect (100baseTX)
> status: active
> inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
> inet6 fe80::2a0:ccff:fe61:d4b8%dc0 prefixlen 64 scopeid 0x1
>ne3:
>flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMIS C,ALLMULTI,SIMPLEX,MULTICAST>
>mtu 1500
> address: 00:e0:29:38:55:27
> media: Ethernet autoselect (10baseT)
> inet6 fe80::2e0:29ff:fe38:5527%ne3 prefixlen 64 scopeid 0x2
> inet 12.234.89.65 netmask 0xfffffe00 broadcast 255.255.255.255
>
>the hostname.if files:
> hostname.dc0: inet 192.168.1.100 255.255.255.0 192.168.1.255
> hostname.ne3: dhcp NONE NONE NONE
>
>If I try to ping the OpenBSD firewall (192.168.1.100) from an internal
>client, I get no return packets; if I try to ping an internal client
>from the BSD box, I also receive no return packets. It doesn't appear
>to be a hardware problem, since I receive no error messages and I can
>see the NIC & hub lights flashing appropriately.

My recommendation is to first solve the lan side (pinging dc0 from
internal client). Once that is done, try to connect just the OpenBSD
box to the internet with a very basic pf ruleset (no nat). Try to
ping ne3 from an internal client to check routing. Finally, you
should increase the ruleset complexity as well as include nat for
internal clients.

Note: You may want to rethink hostname.ne3. I assume you are using
pppoe? When I was doing such a thing all I had was "up" in this file.
I've also never seen "NONE" used more than once but I may be wrong.

mr_scary

In article <1062535426.233919@sj-nntpcache-5>, Mitch Zollinger wrote:
> I just replaced Linux with OpenBSD 3.3 on my home NAT server / firewall.
> I'm having some difficulty getting a basic 2 NIC setup to work
> properly.

The linux setup worked with the same hardware or did you change anything?
Did you change any network cable?

[snip]
> If I try to ping the OpenBSD firewall (192.168.1.100) from an internal
> client, I get no return packets; if I try to ping an internal client
> from the BSD box, I also receive no return packets.

Then it might be a firewall problem, that is, turn off all firewalling
(and NAT and whatnot) rules and see if you can make dc0 work with the
internal network first. Oh, and pull the ne3 plug for the time being.

Once you have a connection there, you can continue with bridges and whatever.

Also check with tcpdump if you can see any packets coming in or going out.
Something like

tcpdump -nes 1500 -i dc0

should tell you if there's anything going on. Try on both sides.


> It doesn't appear
> to be a hardware problem, since I receive no error messages and I can
> see the NIC & hub lights flashing appropriately.

You still might have a hardware problem: maybe one of the network interfaces
on either end of the cable has a broken tx or rx unit. Or maybe your cabling
is /slightly/ wrong. Check for correct wiring _for ethernet_. Using the wrong
pairs might get you lights but no connection. Or maybe a connection but lots
of late colisions or it just won't sync right on 100BaseTX. Just check. :-)


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .

In article <1062535426.233919@sj-nntpcache-5>, Mitch Zollinger wrote:
> I just replaced Linux with OpenBSD 3.3 on my home NAT server / firewall.
> I'm having some difficulty getting a basic 2 NIC setup to work
> properly.

The linux setup worked with the same hardware or did you change anything?
Did you change any network cabling?

[snip]
> If I try to ping the OpenBSD firewall (192.168.1.100) from an internal
> client, I get no return packets; if I try to ping an internal client
> from the BSD box, I also receive no return packets.

Then it might be a firewall problem, that is, turn off all firewalling
(and NAT and whatnot) rules and see if you can make dc0 work with the
internal network first. Oh, and pull the ne3 plug for the time being.

Once you have a connection there, you can continue with setting up NAT.

Also check with tcpdump if you can see any packets coming in or going out.
Something like

tcpdump -nes 1500 -i dc0

should tell you if there's anything going on. Try on both sides.


> It doesn't appear
> to be a hardware problem, since I receive no error messages and I can
> see the NIC & hub lights flashing appropriately.

You still might have a hardware problem: maybe one of the network interfaces
on either end of the cable has a broken tx or rx unit. Or maybe your cabling
is /slightly/ wrong. Check for correct wiring _for ethernet_. Using the wrong
pairs might get you lights but no connection. Or maybe a connection but lots
of late colisions or it just won't sync right on 100BaseTX. Just check. :-)


--
j p d (at) d s b (dot) t u d e l f t (dot) n l .

Hi,

Thanks for all the input.

>The linux setup worked with the same hardware or did you change >anything?
>Did you change any network cabling?

Yes, the linux setup worked with the exact same cabling & hardware.
Nothing has changed.

>Also check with tcpdump if you can see any packets coming in or going
>out.
>Something like
>
> tcpdump -nes 1500 -i dc0

If I do this from the server (I'm at work & can't access the internal
client right now), I do see packets:

$ tcpdump -nes 1500 -i dc0 &
$ ping 192.168.1.7
06:39:47.028301 0:a0:cc:61:d4:b8 ff:ff:ff:ff:ff:ff 0806 42: arp who-has
192.168.1.7 tell 192.168.1.100
06:39:48.030206 0:a0:cc:61:d4:b8 ff:ff:ff:ff:ff:ff 0806 42: arp who-has
192.168.1.7 tell 192.168.1.100
06:39:49.040159 0:a0:cc:61:d4:b8 ff:ff:ff:ff:ff:ff 0806 42: arp who-has
192.168.1.7 tell 192.168.1.100
--- 192.168.1.7 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

I've done as you both suggested and tried to isolate the problem. I've
completely turned off the packet filter in rc.conf and removed the
bridgename.bridge0 file. Now I just have two ethernet interfaces.

If I do a 'netstat -rnf inet' after rebooting the machine:
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 12.234.88.1 UGS 0 2 - ne3
12.234.88/23 link#2 UC 0 0 - ne3
12.234.88.1 0:a:8b:6d:90:54 UHL 1 0 - ne3
12.234.89.65 127.0.0.1 UGHS 0 0 33224 lo0
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 0 33224 lo0
192.168.1/24 link#1 UC 0 0 - dc0
224/4 127.0.0.1 URS 0 0 33224 lo0

There is no route information for the internal LAN NIC (192.168.1.100)
even though it's reported by ifconfig -a:

dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:a0:cc:61:d4:b8
media: Ethernet autoselect (100baseTX)
status: active
inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::2a0:ccff:fe61:d4b8%dc0 prefixlen 64 scopeid 0x1
ne3: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX ,MULTICAST> mtu 1500
address: 00:e0:29:38:55:27
media: Ethernet autoselect (10baseT)
inet6 fe80::2e0:29ff:fe38:5527%ne3 prefixlen 64 scopeid 0x2
inet 12.234.89.65 netmask 0xfffffe00 broadcast 255.255.255.255

Now, if I ping an internal host (192.168.1.7), the ping fails, but the
routing table changes to:

Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 12.234.88.1 UGS 0 2 - ne3
12.234.88/23 link#2 UC 0 0 - ne3
12.234.88.1 0:a:8b:6d:90:54 UHL 1 0 - ne3
12.234.89.65 127.0.0.1 UGHS 0 0 33224 lo0
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 0 33224 lo0
192.168.1/24 link#1 UC 0 0 - dc0
192.168.1.7 link#1 UHL 0 1 - dc0
224/4 127.0.0.1 URS 0 0 33224 lo0

(Note the entry for 192.168.1.7) I'm interpreting this to mean that
there is no layer2 problem, but there is a layer3 problem with
sending/receiving the ICMP packets.

I've also tried deleting the 192.168.1/24 route and adding the route
with 192.168.1.100 as the gateway, but when I ping I get an arpresolv error:

$ route delete -net 192.168.1
$ route add -net 192.168.1 192.168.1.100
$ ping 192.168.1.7
arpresolv: can't allocate llinfo (in blue reverse text)

And if I ping 192.168.1.100 (the OpenBSD server) from the linux client,
the server throws the following error on the console:

arplookup: unable to enter address for 192.168.1.7 (in blue reverse
text: one message for every ping packet)

I also checked out my /etc/hosts file:

::1 localhost.attbi.com localhost
127.0.0.1 localhost.attbi.com localhost
::1 tanuki.attbi.com tanuki
127.0.0.1 tanuki.attbi.com tanuki
127.0.0.1 outside.attbi.com outside
192.168.1.100 inside.attbi.com inside

I tried commenting out the last line, but that didn't change things.

Any additional ideas?

Thanks again,
zolli


jpd wrote:
> In article <1062535426.233919@sj-nntpcache-5>, Mitch Zollinger wrote:
>
>>I just replaced Linux with OpenBSD 3.3 on my home NAT server / firewall.
>> I'm having some difficulty getting a basic 2 NIC setup to work
>>properly.
>
>
> The linux setup worked with the same hardware or did you change anything?
> Did you change any network cabling?
>
> [snip]
>
>>If I try to ping the OpenBSD firewall (192.168.1.100) from an internal
>>client, I get no return packets; if I try to ping an internal client
>>from the BSD box, I also receive no return packets.
>
>
> Then it might be a firewall problem, that is, turn off all firewalling
> (and NAT and whatnot) rules and see if you can make dc0 work with the
> internal network first. Oh, and pull the ne3 plug for the time being.
>
> Once you have a connection there, you can continue with setting up NAT.
>
> Also check with tcpdump if you can see any packets coming in or going out.
> Something like
>
> tcpdump -nes 1500 -i dc0
>
> should tell you if there's anything going on. Try on both sides.
>
>
>
>> It doesn't appear
>>to be a hardware problem, since I receive no error messages and I can
>>see the NIC & hub lights flashing appropriately.
>
>
> You still might have a hardware problem: maybe one of the network interfaces
> on either end of the cable has a broken tx or rx unit. Or maybe your cabling
> is /slightly/ wrong. Check for correct wiring _for ethernet_. Using the wrong
> pairs might get you lights but no connection. Or maybe a connection but lots
> of late colisions or it just won't sync right on 100BaseTX. Just check. :-)
>
>

On Wed, 03 Sep 2003 11:25:25 -0700, Mitch Zollinger
<ztanuki@netscape.net> said the following:

>I've done as you both suggested and tried to isolate the problem. I've
>completely turned off the packet filter in rc.conf and removed the
>bridgename.bridge0 file. Now I just have two ethernet interfaces.

1. Flush the routing tables on both internal client and (obsd) server.

On obsd: # route flush

2. Use the ifconfig command to reconfigure ethernet settings (address,
netmask, etc) on both client and server.

3. Ping the server from the client and report back with the results.

Mitch Zollinger wrote:
> Hi,
>
> I just replaced Linux with OpenBSD 3.3 on my home NAT server / firewall.
> I'm having some difficulty getting a basic 2 NIC setup to work
> properly. I've read through the docs and mailing list, but haven't been
> able to figure this out. I just want to do a simple setup with one NIC
> as the external (internet) interface and have a second internal
> (LAN:192.168.1.x) interface to do address translation for the clients
> behind the firewall.
>
> I have 2 NICs, recognized by 'ifconfig -a':
>
> dc0: flags=8d43<UP,BROADCAST,RUNNING,PROMISC,OACTIVE,SI MPLEX,MULTICAST>
> mtu 1500
> address: 00:a0:cc:61:d4:b8
> media: Ethernet autoselect (100baseTX)
> status: active
> inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
> inet6 fe80::2a0:ccff:fe61:d4b8%dc0 prefixlen 64 scopeid 0x1
> ne3:
> flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC ,ALLMULTI,SIMPLEX,MULTICAST>
> mtu 1500
> address: 00:e0:29:38:55:27
> media: Ethernet autoselect (10baseT)
> inet6 fe80::2e0:29ff:fe38:5527%ne3 prefixlen 64 scopeid 0x2
> inet 12.234.89.65 netmask 0xfffffe00 broadcast 255.255.255.255
>
> the hostname.if files:
> hostname.dc0: inet 192.168.1.100 255.255.255.0 192.168.1.255
> hostname.ne3: dhcp NONE NONE NONE

Broadcast on ne3 does not agree with mask on ne3. Someone suggested you
leave only one 'NONE' in hotname.ne3. That could possibly fix it, but it
may be more the dhcp server.

Likewise, its better not so specify the broadcast entry in your
hostname.if files. The kernel knows how to figure it out correctly.

> If I try to ping the OpenBSD firewall (192.168.1.100) from an internal
> client, I get no return packets; if I try to ping an internal client
> from the BSD box, I also receive no return packets. It doesn't appear
> to be a hardware problem, since I receive no error messages and I can
> see the NIC & hub lights flashing appropriately.
>
> I tried setting up a bridge, also; /etc/bridgename.bridge0:
> add dc0
> add ne3
> up

Undo this, unless you're implementing an ip-free firewall which is not
what the rest of your configs indicate.

> The output of 'netstat -r' (ipv6 is truncated):
>
> Routing tables
>
> Internet:
> Destination Gateway Flags Refs Use Mtu
> Interface
> default 12-234-88-1.client UGS 2 25507 - ne3
> 12-234-88-0.client link#2 UC 0 0 - ne3
> 12-234-88-1.client 0:a:8b:6d:90:54 UHL 1 0 - ne3
> 12-234-89-65.clien localhost UGHS 0 0 33224 lo0
> loopback localhost UGRS 0 0 33224 lo0
> localhost localhost UH 6 11254 33224 lo0
> 192.168.1/24 link#1 UC 0 0 - dc0
> BASE-ADDRESS.MCAST localhost URS 0 0 33224 lo0
>
> /etc/hosts:
> ::1 localhost.attbi.com localhost
> 127.0.0.1 localhost.attbi.com localhost
> ::1 tanuki.attbi.com tanuki
> 127.0.0.1 tanuki.attbi.com tanuki
> 127.0.0.1 outside.attbi.com outside
> 192.168.1.100 inside.attbi.com inside
>

Tanuki does not have the right address.
Remove that entry. Put 'tanuki.attbi.com' in /etc/myname instead and let
the address come from dhcp. The same applies to 'outside'. Only
'localhost' makes sense in the 127 address space.

> I have turned on pf, but the pf.conf file just lets everything through
> ("pass quick all").
>
> Any ideas?
>
> Thanks,
> Mitch
>

do you have this sysctl configuration entry?
/etc/sysctl.conf:net.inet.ip.forwarding=1

Thanks for all the input. The problem is solved. After tweaking long
enough to exhaust all the obvious problems , I replaced the NIC &
everything works fine now.

The NIC (a Netgear) is in the supported database, but for some reason it
just did not want to work. I used the exact same cabling / hardware
that worked fine with a Debian installation, but had problems with OBSD.

I just set up packet filter / NAT, but I'm surprised by how small the
ruleset is: 15 lines. (My linux ipchains ruleset was hundreds of lines
long.) I was wondering: am I missing something, or is OpenBSD's
firewall rulesets that much easier to set up?

Thanks again,
zolli

zolli wrote:

> Thanks for all the input. The problem is solved. After tweaking long
> enough to exhaust all the obvious problems , I replaced the NIC &
> everything works fine now.
>
> The NIC (a Netgear) is in the supported database, but for some reason
> it
> just did not want to work. I used the exact same cabling / hardware
> that worked fine with a Debian installation, but had problems with
> OBSD.
>
> I just set up packet filter / NAT, but I'm surprised by how small the
> ruleset is: 15 lines. (My linux ipchains ruleset was hundreds of
> lines
> long.) I was wondering: am I missing something, or is OpenBSD's
> firewall rulesets that much easier to set up?

The latter. I think that the level of abstraction is higher, just like
when you use something like shorewall.

EJ
--
Remove the obvious part (including the dot) for my email address

did you
sysctl net.inet.ip.forwarding=1
and
configure nat in pf ?
instead of bridge-stuff?