Question

Setting up OpenBSD as a router/nat box to replace a Linksys BEFSR41

Asked by: krytical

I have been running my network off a cheap Linksys Router for a few months, and now with the long weekend I had some time to set up my own router/nat box.

The OS for the router/nat box is OpenBSD 3.7 with two network cards installed. I was able to get both installed and running, but I am having trouble "getting out" from the workstations when the Linksys router is removed.

When I have the setup going from the Cable Modem -> External NIC on the OpenBSD box (dc0), then from the Internal NIC (dc1) -> Switch -> Workstations, I cannot ping the dc1 IP from any workstation. I can SSH into that IP though (I don't understand why). The workstations can ping each other too.

When I change the setup to include the Linksys Router in between the Cable Modem and the dc0 NIC on the BSD box, it all works? I can ping anything internal and on the web. In this setup, ifconfig shows the default IP scheme used by the Linksys Router for the dc0 NIC, which is "192.168.1.100".

In both cases, I have the workstations pointing to the BSD box for the default gateway, manually entering the DNS numbers provided by the ISP (comcast.net in this case). Also, in both cases the OpenBSD box can ping all the workstations, and ping outside the network as well.

My pf.conf log has the following line in it:

nat on dc0 from dc1:network to any -> (dc0)

...which from my understanding, should allow everything to pass (just want to get it all working before I even try to "lock it down").

I am giving up on it tonight and will try some more tomorrow. Am I setting some of this up incorrectly perhaps (OK, I'm sure that I am, haha)? Any configurations that would help I can post, and any clarification needed, just ask.


Asked on: 2005-07-04 at 00:21:56 (ID: 21479344)
Tags: nat, openbsd, router
Topic: Unix Networking
Participating experts: 1
Points: 250
Comments: 10

Answers

by gheist, posted on 2005-07-04 at 01:37:40 (ID: 14360821)

sysctl -w net.inet.ip.forwarding=1 with a matching entry in /etc/sysctl.conf
is the first that comes to mind.

next is - enable logging on all block rules (if any)

this might be more accurate, but yours should be no problem for a normal TCP/IP setup.
nat on dc0 from dc1:network to !dc1:network -> (dc0)
no nat on dc0 from dc1 to !dc1:network

Do you need/use dhcp ???

by krytical, posted on 2005-07-04 at 10:04:19 (ID: 14363593)

I removed the Linksys Router, and ran "sysctl -w net.inet.ip.forwarding=1". The line in the sysctl.conf file for "net.inet.ip.forwarding=1" is uncommented.

I have no blocks set up right now.

I also tested with those rules you posted for the pf.conf file, and commented out the line I had.

I was still unable to get the workstations to connect out the internet, even though the OpenBSD box can. None of the workstations will ping the OpenBSD box in that configuration still.

But for some reason I could not get everything working again when I put the Linksys router back in between the Cable Modem and the OBSD box. So right now I am just hooked up straight to the Linksys Router.

I do have the dc0 interface using DHCP however. During boot up, when it's set up Cable Modem straight to the dc0 interface, it grabs an IP from a 10.x.x.x address. The IP that it grabs is not my public IP. I have a dynamic IP on the Cable Modem, but it's been the same IP for months now, and that number it finds for dc0 on boot up is not my public IP. But when it does this, I can still get out on the OBSD box.

The IP listed in "ifconfig dc0" when I do this is 68.32.210.146, whereas my public IP is really 69.244.xx.xx.

Should I not be running dhcp on dc0 when I am just going straight from the cable modem to the dc0 interface on the OBSD box?

by gheist, posted on 2005-07-04 at 10:25:19 (ID: 14363714)

What is found in /etc/ifconfig.dc0 and /etc/ifconfig.dc1 ???

by krytical, posted on 2005-07-04 at 10:33:18 (ID: 14363777)

I do not have /etc/ifconfig.dc0 or /etc/ifconfig.dc1 files.

When I am setup without the Linksys router, this is what my ifconfig looks like (after I "ifconfig dc1 172.18.84.1 netmask 255.255.255.0" and bring the dc1 interface up).

edoras# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:5a:43:e2:d0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::204:5aff:fe43:e2d0%dc0 prefixlen 64 scopeid 0x1
        inet 68.32.210.146 netmask 0xffffff00 broadcast 68.32.210.255
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:80:ad:7b:2c:50
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.18.84.1 netmask 0xffffff00 broadcast 172.18.84.255
        inet6 fe80::280:adff:fe7b:2c50%dc1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
edoras#

When I have the Linksys router included, the dc0 interface has "inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255" instead of "inet 68.32.210.146 netmask 0xffffff00 broadcast 68.32.210.255"

by gheist, posted on 2005-07-04 at 13:35:33 (ID: 14364405)

...
/etc/hostname.dc0 and so on ...
probably correct by your description.

Can you get it working via pfctl -f /etc/pf.conf ???



by krytical, posted on 2005-07-04 at 14:30:55 (ID: 14364598)

I set it back up with the Linksys Router completely removed again. Reconfigured my workstations from dhcp to static IPs.

Rebooted the OBSD box for the heck of it... added the needed "ifconfig dc1 172.18.84.1 netmask 255.255.255.0" and then brought both interfaces back up.

Ran "pfctl -f /etc/pf.conf" and walked back to one of my workstations, and "poof" it was logging onto a messenger service I forgot to turn off. (I love that silent "poof" sound. Greatest sound in the world)

All seems to be working and routing correctly without the Linksys router. I will now set up all the rest of the workstations again.

Can I ask you some followup questions about this?

1.) Am I supposed to run the pf.conf file manually like this, or is it supposed to be called into play by default on bootup?

2.) I have a /etc/hostname.dc0 but no /etc/hostname.dc1. I am assuming this is because I only had one network device installed during the reinstallation of the OS earlier this weekend. How do I setup the dc1 to have the correct configuration on bootup?

(from the OBSD box)

edoras# cat /etc/hostname.dc0
dhcp NONE NONE NONE
edoras#

(from one of the workstations - this one on windows)

C:\>tracert www.google.com

Tracing route to www.l.google.com [66.102.7.147]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.18.84.1
  2     8 ms    10 ms    12 ms  10.67.56.1
  3     7 ms     8 ms     7 ms  68.86.179.1
  4    12 ms    10 ms    12 ms  12.125.99.101

3.) Is that second hop on the 10.x.x.x IP my Cable Modem? It must be since it's non-routable, but I'm not certain.

Lastly, I do not spend as much time as I used to on this site years ago... how many points do you really feel this was worth? I will set it accordingly before accepting your answer. Thanks for your assistance.

by gheist, posted on 2005-07-04 at 14:45:11 (ID: 14364641)

I will answer in 10 hours ( have to sleep btw )

by gheist, posted on 2005-07-05 at 00:24:56 (ID: 14366309)

1) no, probably
nat on dc0 from (dc1:network) to any -> (dc0)
will accommodate ifconfig dc1
2) you have to add hostname.dc1
# media 10baseT
inet 172.18.84.1 255.255.255.0 NONE
to make the ifconfig change happen before pf is loaded (??)
3) likely, or somewhere at your provider, refer to cable modem/dsl docs

I guess 250 is more than enough - the problem is with normal configuration for personal use...
500 is appropriate if you ask for pf on a bridge with eleven gigabit cards ....

by krytical, posted on 2005-07-05 at 10:42:38 (ID: 14371330)

gheist: thanks. Looking closer at the boot up messages, pf does NOT load, since there is no IP configured for dc1. So when I manually added the IP and netmask, PF was still not running, hence why it worked when I ran (as you suggested) "pfctl -f /etc/pf.conf", I guess.

So if I add "inet 172.18.84.1 netmask 255.255.255.0" to a file for /etc/hostname.dc1, this will configure the dc1 interface during bootup automatically, allowing pf to run at boot up without error?

I will test this next weekend when I have some time to take the network down again (just in case I screw up and can't fix it again, ahaha)

by gheist, posted on 2005-07-05 at 12:39:02 (ID: 14372373)

probably in addition you must add pf=YES to /etc/rc.conf.local to make pf load automatically at boot
along with mentioned change hostname.dc1, and in /etc/sysctl.conf

for filters in pf.conf:
block log all
pass on lo0 all
pass in log on dc0 proto tcp modulate state
pass in log on dc0 proto udp keep state
pass in log on dc0 inet proto icmp keep state
pass out log on dc0 proto tcp modulate state
pass out log on dc0 proto udp keep state
pass out log on dc0 inet proto icmp keep state
....

and read "man ftp-proxy" to make older ftp clients and servers play nice
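The pieces gheist spreads over the last few posts (the forwarding sysctl, a hostname.dc1 so dc1 has an address before pf loads, pf=YES in rc.conf.local, and a pf.conf with nat and filter rules) gathered into one script, as an added example for this page rather than code from the thread or from OpenBSD. It assumes the 172.18.84.0/24 LAN on dc1 and DHCP on dc0 from the posts, uses the four-field hostname.if(5) layout ("family address netmask broadcast"), and the optional target-directory argument is this script's own convention for generating the files somewhere harmless first. Two points worth knowing behind the symptoms above: pfctl refuses to load a ruleset that names dc1:network while dc1 has no address, and the /etc/rc of that era starts pf with a minimal fallback ruleset (loopback, inbound ssh, outbound DNS and ping, everything else blocked) that stays in force when /etc/pf.conf fails, which matches being able to ssh to dc1 but not ping it or route through it. Unlike the filter sketch in the post above, this ruleset passes nothing in on dc0.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from OpenBSD.
# Installs the boot-time configuration the discussion arrives at for an
# OpenBSD 3.7 NAT router: dc0 toward the cable modem (DHCP), dc1 toward the
# LAN. Assumed from the posts: LAN 172.18.84.0/24, dc1 = 172.18.84.1.
# The optional target directory is this script's own convention so the
# files can be generated under a scratch directory and inspected first.

LAN_ADDR=172.18.84.1
LAN_MASK=255.255.255.0

# append_once FILE LINE: add LINE to FILE unless it is already there,
# so re-running the script does not stack duplicate entries.
append_once() {
    touch "$1"
    grep -Fqx -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# write_configs [DIR]: write hostname.dc1, sysctl.conf, rc.conf.local and
# pf.conf under DIR/etc (default: the real /etc).
write_configs() {
    ROOT=${1%/}
    mkdir -p "$ROOT/etc"

    # hostname.if(5) fields are: family address netmask broadcast [options].
    # dc1 gets its address from this file before rc loads pf, so the
    # dc1:network in pf.conf can be resolved at boot.
    printf 'inet %s %s NONE\n' "$LAN_ADDR" "$LAN_MASK" > "$ROOT/etc/hostname.dc1"

    # Persistent form of "sysctl -w net.inet.ip.forwarding=1".
    append_once "$ROOT/etc/sysctl.conf" 'net.inet.ip.forwarding=1'

    # Start pf and load /etc/pf.conf at boot.
    append_once "$ROOT/etc/rc.conf.local" 'pf=YES'

    # Ruleset in OpenBSD 3.7 syntax: translation rules, then filter rules.
    cat > "$ROOT/etc/pf.conf" <<'EOF'
ext_if="dc0"
int_if="dc1"

# Translate LAN traffic to whatever address dc0 holds right now; the
# parentheses make pf follow the address when the DHCP lease changes.
# $int_if:network is resolved when the file is loaded, which is why dc1
# must already be configured (hostname.dc1) at that point.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, logged to pflog0 while the setup is being debugged.
block log all

# Loopback first, with quick: the antispoof rule that follows would
# otherwise block the box's own traffic to its dc1 address.
pass quick on lo0 all
antispoof quick for $int_if

# LAN hosts may open connections anywhere, including ssh to this box;
# replies are matched by state. "to any" is the place to tighten later.
pass in on $int_if from $int_if:network to any keep state

# Outbound on the external side carries the translated LAN traffic and
# the router's own DNS lookups and pings. Nothing is passed in on dc0.
pass out on $ext_if proto tcp all modulate state
pass out on $ext_if proto { udp, icmp } all keep state
EOF
}

# check_ruleset [DIR]: parse pf.conf without loading it (-n), which is how a
# "no address on dc1" failure is caught before a reboot.
check_ruleset() {
    pfctl -nf "${1%/}/etc/pf.conf"
}

# activate: apply everything on the live box without rebooting.
activate() {
    sh /etc/netstart dc1                 # configure dc1 from hostname.dc1
    sysctl -w net.inet.ip.forwarding=1
    pfctl -e                             # enable pf (warns if already enabled)
    pfctl -f /etc/pf.conf                # load nat and filter rules
    pfctl -sn                            # show loaded nat rules
    pfctl -sr                            # show loaded filter rules
}

# Only act when a target is given: "sh setup.sh /" on the router itself,
# or "sh setup.sh /tmp/dryrun" to look at the generated files first.
if [ $# -gt 0 ]; then
    write_configs "$1"
    if [ "$1" = / ]; then
        check_ruleset / && activate
    else
        echo "configuration written under ${1%/}/etc"
    fi
fi
```

Run it against a scratch directory first and read the generated pf.conf; on the router itself the -n parse runs before anything is loaded, so a ruleset that would fail at boot fails here instead, with the interface still reachable over ssh.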

