
Setting up OpenBSD as a gateway...


toz69 (Technical User, GB), Mar 31, 2003
Hi,

I'm having some problems getting OpenBSD working as a gateway/firewall machine for my home LAN. The install went fine, I've got ADSL dialing up properly, and the OpenBSD box itself can ping the Internet, ssh, etc.

I've followed a combination of the half dozen tutorials on the Net for using oBSD as a firewall, and have set up a simple pf.conf. However, I can't get the other hosts on the network to access the Inet. It doesn't work, even when I disable PF, so it isn't that. I'm 99% sure that I'm setting up the client machines right: they were working before when pointing to a WinXP machine with the ADSL connection. Using static IPs, 192.168.0.1, specifying ISP DNS machines, etc.

Obviously, having followed these tutorials, I've toggled the ip.forwarding flag in sysctl.conf, and have double checked it's being set to 1 with the sysctl command. But it just doesn't work!! This is very frustrating, as I feel like I'm so close to having set up my first oBSD machine!

Surely someone out there has been in the same situation as me? Could those people just let me know what silly little thing it was that they (and I) missed...

Many thanks,

Tom.
 
Hi,

Can you check if your client is using the same subnet mask? And make sure your client gateway is set to your OpenBSD IP. Try pinging each other. And you need to set up your firewall (pf) for masquerade (NAT) or something. Example of pf for NAT:

nat on fxp0 from 192.168.0.0/24 to any -> external_ip

fxp0 = NIC
192.168.0.0/24 = network

restart your pf.


Refer to openbsd.org FAQ for more info.

Post here the result.

regards,
feroz
 
Thanks for replying guys!

Firstly, here are my .conf files, as requested:

### sysctl.conf

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0 # 0=disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol
#net.inet.ipcomp.enable=1 # 1=Enable the IPCOMP protocol
#net.inet.tcp.ecn=1 # 1=Enable the TCP ECN extension
#ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
#ddb.console=1 # 1=Permit entry of ddb from the console
#fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=1 # 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4 # number of nfsio kernel threads
#net.inet.ip.mtudisc=0 # 0=disable tcp mtu discovery
#kern.usercrypto=1 # 1=enable userland use of /dev/crypto
#kern.splassert=2 # 2=enable and verbose error messages.
#machdep.allowaperture=2 # See xf86(4)
#machdep.apmwarn=10 # battery % when apm status messages enabled
#machdep.apmhalt=0 # 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt



### pf.conf

#
# Tom's PF config file! 3/2003
#

# Variable declarations

INT="rl0"
EXT="tun0"
LAN="192.168.0.0/24"

BADIPS="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

scrub in all

nat on $INT from $LAN to any -> 62.49.28.89

pass in all
pass out all


This pf.conf file is after making the change to the nat line you suggested, dbase. Is this line right? 62.49.28.89 is the static IP address my ISP assigns to me. Unless I comment that line out, it will break my ssh connections, etc. I tried swapping it with $EXT, but it doesn't like that either.

What's wrong!?
 
Hi,

Yup, that looks alright for the nat line. Have you reloaded your pf.conf after making the changes? And try opening a browser from your client PC. Then on OpenBSD run pfstat -ss to check your NAT status.

Does it work? If not, try not to use a variable on the nat line. Make sure you reload the pf.conf rules.

Before I forget, in /etc/rc.conf, have you set pf=YES?

regards,
feroz
 
dbase: I'm reloading the pf rules like this:
pfctl -f /etc/pf.conf -e

Tried getting rid of the variables as well: No dice. I will double check the ISP's static IP later. Unfortunately, my ADSL dial-up script isn't even working right now! A bit of a nightmare. Using ppp -ddial adsl returns "using tun0", but when I ifconfig, it isn't showing 62.49.28.89, etc. anymore.

I will retry the pf.conf stuff when my ADSL is working, then repost! Thanks for your time so far!
 
Hi,

OK, no wonder nothing happens :) . Anyway, to reload pf.conf just run pfctl -f /etc/pf.conf. The -e option is to enable it, which I presume you already enable on system startup.

Keep in touch.

regards,
feroz
 
Right! My ADSL connection's starting up fine again, just a temporary glitch. I blame the ISP! ;) Still not having any luck with this blasted connection sharing though. Could someone please confirm that my pf.conf file (above) looks right for the following ifconfig info?

ifconfig gives:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:20:18:88:5e:9a
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::220:18ff:fe88:5e9a%rl0 prefixlen 64 scopeid 0x1
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1500
inet 62.49.28.89 --> 217.32.64.73 netmask 0xffffffff

I just can't understand why it's not working!! I don't need to have something like gated / routed enabled in my rc.conf file, do I?

--toz
 
Oh, PS:

mygate:
192.168.0.1

myname:
compaq.highland

I assume these are fine, but I figure it can't hurt to post them too! ;)

--toz
 
Hi,

You don't need to put mygate. Delete that file. You only put mygate if you act as a client.

Post back your result.

Oh yea, post me the result of "pfstat -ss", please?

And from the client try pinging an internet IP. See if you get a reply. Paste me the result as well.

regards,
feroz

 
Hi,

Wrong command. pfctl -ss is the right one. Paste me the result, will ya. Basic firewall script as below. Create firewall.sh and insert the lines below. chmod 700 firewall.sh.

pass in all
pass out all
nat on rl0 from 192.168.0.0/24 to any -> 62.49.28.89

Run the script and reload your pf.conf by running "pfctl -f /etc/pf.conf". From the client try ping and browse the www.

regards,
feroz
 
Sorry I've been slow to post back - I've been distracted recently! Right:

I wasn't quite sure what to make of your firewall script. Did you mean to create the file firewall.sh and put the lines "pass in all, pass out all, etc." inside it, then run it? That's what I did, but it didn't work, as I'd expect!

In case that's not what you meant, I tried loading a pf.conf file with just those three lines in it. (Actually, I had to move the NAT line above the other two, as otherwise it gave me bad-form errors.) The first time I did this, I was relieved that starting PF hadn't broken my SSH connection to the firewall. (The OpenBSD box sits under the stairs, and I do everything remotely.) However, later attempts to SSH into the firewall box were failing (until I took out that NAT line). This seems like a fundamental problem in itself!

With this three line PF ruleset, I tried pinging an Inet IP from a client machine. (Tried my ISP's DNS machine, 158.152.1.43.) Unfortunately, this still didn't work.

One thing that looked interesting: With the NAT config in place, pinging 192.168.0.1 from a client machine sent back replies from 62.49.28.89. I assume this is how it's meant to act when the gateway's working properly with NAT.

Just some extra config stuff, that I'm pretty sure is right. The TCP/IP config from a client (Win XP box):

IP: 192.168.0.1
Subnet Mask: 255.255.255.0
Default gateway: 192.168.0.1 ("Metric" of the gateway set to Automatic)

DNS servers: 158.152.1.43
158.152.1.58

That's about all of it! This is driving me insane! WTF doesn't it work?? Do you think I will need to resort to a complete reload of OpenBSD onto my firewall box?

Thanks,

--toz.
 
Hi,

My mistake, here is the basic firewall script for NAT. Edit your /etc/pf.conf and put in the lines below.

nat on rl0 from 192.168.0.0/24 to any -> 62.49.28.89
pass in all
pass out all


After that save and reload your pf.conf by issuing:

pfctl -f /etc/pf.conf


Let me know if you have any problem. Make sure your LAN is using the same netmask. Try pinging each other. Then on the client PC try browsing the internet. Make sure as well that on the client PC you put in your ISP DNS entry.

OK, it seems that you have the wrong IP address on the Win XP box. You cannot use the same IP on the same LAN. Change your WinXP IP to 192.168.0.2. IP 192.168.0.1 is your obsd box. No wonder it failed.

regards,
feroz
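For reference, a complete NAT ruleset for the rl0/tun0 layout shown in the ifconfig output earlier in the thread, added here as an example (it is not toz's or feroz's configuration). It assumes OpenBSD 3.x pf syntax of the time, rl0 as the LAN interface at 192.168.0.1, tun0 as the ppp/ADSL interface holding whatever address the ISP assigns, and clients on other 192.168.0.0/24 addresses with the gateway set to 192.168.0.1.

```pf
# /etc/pf.conf for the OpenBSD gateway (added example; assumes the
# rl0 = LAN, tun0 = ADSL layout from the ifconfig output in this thread).
int_if="rl0"                 # LAN side, 192.168.0.1
ext_if="tun0"                # ppp/ADSL side, address assigned by the ISP
lan="192.168.0.0/24"
badnets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Reassemble fragments before the rules below look at packets.
scrub in all

# Translation rules must come before filter rules in pf of this era,
# otherwise pfctl rejects the file.  NAT belongs on the interface the
# packets LEAVE by (tun0), not on the LAN interface: pf rewrites the
# source address as the packet exits towards the ISP.  ($ext_if) in
# parentheses makes pf look the address up at run time, so a ppp redial
# that hands out a new address does not silently break the rule.
nat on $ext_if from $lan to any -> ($ext_if)

# Default deny on the ADSL side, logging what is dropped.  Nothing
# unsolicited from the Internet is accepted, so ssh stays LAN-only.
block in log on $ext_if all

# Private and loopback source addresses never arrive legitimately from
# the Internet; drop them at once (classic anti-spoofing).
block in log quick on $ext_if from $badnets to any

# LAN hosts may reach the gateway itself (ssh on port 22) and everything
# beyond it.
pass in on $int_if from $lan to any

# Outbound traffic keeps state, so replies (ICMP echo replies for ping,
# DNS answers, web pages) are matched to the connection that caused
# them instead of hitting the 'block in' on tun0.
pass out all keep state
```

Load it with pfctl -f /etc/pf.conf (with pf=YES in /etc/rc.conf so pf is enabled at boot); pfctl -s state then lists each client connection alongside the translated address it is using on tun0.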
 