Setting up OpenBSD as a router/nat box to replace a Linksys BEFSR41

I have been running my network off a cheap Linksys Router for a few months, and now with the long weekend I had some time to setup my own router/nat box.

The OS for the router/nat box is OpenBSD 3.7 with two network cards installed. I was able to get both installed and running but I am having trouble "getting out" from the workstations when the Linksys router is removed.

When I have the setup going from the Cable Modem -> External NIC on the OpenBSD box (dc0), then from the Internal NIC (dc1) -> Switch -> Workstations, I can not ping the dc1 IP from any workstation. I can SSH into that IP though (don't understand why). The workstations can ping each other too.

When I change the setup to include the Linksys Router inbetween the Cable Modem and the dc0 NIC on the BSD box, it all works? I can ping anything internal and on the web. In this setup, ifconfig shows the default IP scheme used by the Linksys Router for the dc0 NIC, which is "192.168.1.100".

In both cases, I have the workstations pointing to the BSD box for the default gateway. Manually entering the DNS numbers provided by the ISP (comcast.net in this case). Also, in both cases the OpenBSD box can ping all the workstations, and ping outside the network as well.

My pf.conf log has the following line in it:

nat on dc0 from dc1:network to any -> (dc0)

...which from my understanding, should allow everything to pass (just want to get it all working before I even try to "lock it down").

I am giving up on it tonight and will try some more tomorrow. Am I setting some of this up incorrectly perhaps (ok Im sure that I am, haha). Any configurations that would help I can post, and any clarification needed just ask.
LVL 1
kryticalAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
sysctl -w net.inet.ip.forwarding=1 with matching entry in /etc/sysctl.conf
is first that comes in mind.

next is - enable logging on all block rules (if any)

this might be more accurate, but yours should be of no problem for normal TCP/IP setup.
nat on dc0 from dc1:network to !dc1:network  -> (dc0)
no nat on dc0 from dc1 to !dc1:network  -> (dc0)

Do you need/use dhcp ???
kryticalAuthor Commented:
I removed the Linksys Router, and ran "sysctl -w net.inet.ip.forwarding=1". The line in the sysctl.conf file for "net.inet.ip.forwarding=1" is uncommented.

I have no blocks set up right now.

I also tested with those rules you posted for the pf.conf file, and commented out the line I had.

I was still unable to get the workstations to connect out the internet, even though the OpenBSD box can. None of the workstations will ping the OpenBSD box in that configuration still.

But for some reason I could not get everything working again when I put the Linksys router back inbetween the Cable Modem and the OBSD box. So right now I am just hooked up straight to the Linksys Router.

I do have the dc0 interface using DHCP however. During boot up, when its setup Cable Modem straight to the dc0 interface, it grabs an IP from a 10.x.x.x address. The IP that it grabs is not my public IP. I have dynamic IP ont he Cable Modem, but its been teh same IP for months now, and that number it finds for dc0 on boot up is not my public IP. But when it does this, I can still get out on the OBSD box.

The IP listed in "ipconfig dc0" when I do this, is 68.32.210.146 where as my public IP is really 69.244.xx.xx.

Should I not be running dchp on dc0 when I am just going straight from the cable modem to the dc0 interface on the OBSD box?
gheistCommented:
What is found in /etc/ifconfig.dc0 and /etc/ifconfig.dc1 ???
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

kryticalAuthor Commented:
I do not have /etc/ifconfig.dc0 or /etc/ifconfig.dc1 files.

When I am setup without the Linksys router, this is what my ifconfig looks like (after I "ifconfig dc1 172.18.84.1 netmask 255.255.255.0" and bring the dc1 interface up).

edoras# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:5a:43:e2:d0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::204:5aff:fe43:e2d0%dc0 prefixlen 64 scopeid 0x1
        inet 68.32.210.146 netmask 0xffffff00 broadcast 68.32.210.255
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:80:ad:7b:2c:50
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.18.84.1 netmask 0xffffff00 broadcast 172.18.84.255
        inet6 fe80::280:adff:fe7b:2c50%dc1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
edoras#

When I have the Linksys router included, the dc0 interface has "inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255" instead of "inet 68.32.210.146 netmask 0xffffff00 broadcast 68.32.210.255"
gheistCommented:
...
/etc/hostname.dc0 and so on ...
probably correct by your secription.

Can you get it working via pfctl -f /etc/pf.conf ???



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
kryticalAuthor Commented:
I set it back up with the Linksys Router completely removed again. Rconfigured my workstations from dhcp to static IPs.

Rebooted the OBSD box for the heck of it... added the needed "ifconfig dc1 172.18.84.1 netmask 255.255.255.0" and then brought both interfaces back up.

Ran "pfctl -f /etc/pf.conf" and walked back to one of my workstations, and "poof" it was logging onto a messenger service I forgot to turn off. (I love that silent "poof" sound. Greatest sound in the world)

All seems to be working and routing correctly without the Linksys router. I will now setup up all the rest of the workstations again.

Can I ask you some followup questions about this?

1.) Am I supposed to run the pf.conf file manually like this, or is it supposed to be called into play by default on bootup?

2.) I have a /etc/hostname.dc0 but no /etc/hostname.dc1. I am assuming this is because I only had one network device installed during the reinstallation of the OS earlier this weekend. How do I setup the dc1 to have the correct configuration on bootup?

(from the OBSD box)

edoras# cat /etc/hostname.dc0
dhcp NONE NONE NONE
edoras#

(from one of the workstations - this one on windows)

C:\>tracert www.google.com

Tracing route to www.l.google.com [66.102.7.147]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.18.84.1
  2     8 ms    10 ms    12 ms  10.67.56.1
  3     7 ms     8 ms     7 ms  68.86.179.1
  4    12 ms    10 ms    12 ms  12.125.99.101

3.) Is that second hop on the 10.x.x.x IP my Cable Modem? It must be since its non-routable, but I'm not certain.

Lastly, I do not spend as much time as I used to on this site years ago... how many points do you really feel this was worth? I will set it accordingly before accepting your answer. Thanks for your assistance.
gheistCommented:
I will answer in 10 hours ( have to sleep btw )
gheistCommented:
1) no, probably
nat on (dc0) from (dc1:network) to any -> (dc0)
will accomodate ifconfig dc1
2) you have to add hostname.dc1
# media 10baseT
inet 172.18.84.1 netmask 255.255.255.0
to make ifconfig change happen before pf is loaded (??)
3) likely, or somewhere at your provider, refer to cable modem/dsl docs

I guess 250 is more than enough - problem is with normal configuration for personal use...
500 is appropriate if you ask for pf on bridge with -leven gigabit cards ....

kryticalAuthor Commented:
gheist: thanks. Looking closer at the boot up messages, pf does NOT load, since there is no IP configured for dc1. So when I manually added the IP and netmask, PF was still not running, hence why it worked when I ran (as you suggested) "pfctl -f /etc/pf.conf"  I guess.

So if I add "inet 172.18.84.1 netmask 255.255.255.0" to a file for /etc/hostname.dc1, this will configure the dc1 interface during bootup automatically, allowing pf to run at boot up without error?

I will test this next weekend when I have some time to take the network down again (just in case I screw up and can't fix it again, ahaha)

gheistCommented:
probably in addition you must add pf=YES to /etc/rc.conf.local to make pf load automatically at boot
along with mentioned change hostname.dc1, and in /etc/sysctl.conf

for filters in pf.conf:
block log all
pass all on lo0
pass in log on dc0 proto tcp modulate state
.. proto udp
.. inet proto icmp

..out ..
....

and read "man ftp-proxy" to make older ftp clients&servers play nice
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.