Following a few unfortunate power events (read: Kapow! Zap!), my
home gateway's disk and power supply gave up the ghost. Well, I
thought, the machine had been running Linux (Debian), and it
really was time to migrate to OpenBSD. It looked like a simple
plan, really:
The gateway machine "skapet"'s main purpose in life is to
enable the machines on the local net 192.168.103.0/24 to
communicate NAT'ed through skapet's inner interface xl1,
on through xl0 which is connected to a Zyxel ADSL 'modem'.
The ISP specified "set up your machine with IP address 194.54.107.19,
netmask 255.255.255.248, default gateway 194.54.107.17". That just
worked, on the previous incarnation.
Now, something has changed: the inside machines can reach "skapet"
(I can log on to 192.168.103.1 from 194.54.103.5 with "ssh 192.168.103.1"),
while "ssh bgnett.no" eventually times out. From "skapet", I am
able to log in to my ISP bgnett.no with "ssh bgnett.no" (that's
what I'm doing now, in fact).
Summing up: both network cards work, but packets do not get forwarded.
It appears that I have managed to forget something rather crucial
in order to get the gateway to actually act as a gateway. I hope
the solution is obvious to a fresh set of eyes.
My setup is listed below; the pfctl output at the end is the NAT status
as viewed with "pfctl -ss" a few moments after issuing "ssh bgnett.no"
from 192.168.103.5:
$ ifconfig xl0
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:04:76:22:e3:bc
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 194.54.107.19 netmask 0xfffffff8 broadcast 194.54.107.23
inet6 fe80::204:76ff:fe22:e3bc%xl0 prefixlen 64 scopeid 0x1
$ ifconfig xl1
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:10:5a:86:18:2c
media: Ethernet autoselect (10baseT)
status: active
inet 192.168.103.1 netmask 0xffffff00 broadcast 192.168.103.255
inet6 fe80::210:5aff:fe86:182c%xl1 prefixlen 64 scopeid 0x2
$ cat /etc/hostname.xl0
inet 194.54.107.19 255.255.255.248 NONE
$ cat /etc/hostname.xl1
inet 192.168.103.1 255.255.255.0 NONE
$ cat /etc/mygate
194.54.107.17
$ grep pf /etc/rc.conf
smtpfwdd_flags=NO # for normal use: ""; be sure to configure smtpd(8)
pf=YES # Packet filter / NAT
pf_rules=/etc/pf.conf # Packet filter rules file
pflogd_flags= # add more flags, ie. "-s 256"
$ grep forward /etc/sysctl.conf
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
$ grep -v '#' /etc/pf.conf
scrub in all
nat on xl0 from 192.168.103.0/24 to any -> 194.54.107.17
pass in all
pass out all
block in quick on xl0 inet from { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } to any
$ pfctl -ss
tcp 192.168.103.5:32769 -> 194.54.107.17:63438 -> 194.54.96.130:22 SYN_SENT:CLOSED
udp 192.168.103.5:32768 -> 194.54.107.17:63179 -> 198.41.0.4:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:63893 -> 192.112.36.4:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:65274 -> 198.41.0.10:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:55214 -> 192.203.230.10:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:52030 -> 192.33.4.12:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:52833 -> 198.32.64.12:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:65171 -> 192.36.148.17:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:58215 -> 202.12.27.33:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:58304 -> 128.63.2.53:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:60696 -> 128.8.10.90:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:32768 -> 194.54.107.17:62447 -> 192.5.5.241:53 SINGLE:NO TRAFFIC
- Peter (Am I an imbecile, blind, utterly dense, or something worse?)
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
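Added here as an example, not part of Peter's post: a small sh/awk check that pulls the translation address out of a classic-syntax "nat on IF ... -> ADDR" rule and compares it with the addresses configured on that interface and with the default gateway from /etc/mygate. The inputs are constructed inline from the values in the post (a real check would read /etc/pf.conf, ifconfig(8) output and /etc/mygate), and the function names nat_target and check_nat are my own. Run against the posted rule set it reports that the nat rule translates to 194.54.107.17, which is the default gateway's address, rather than 194.54.107.19, the address configured on xl0: replies to a source address of .17 are delivered to the ISP's router, not to skapet, so no return traffic ever reaches the NAT states, which is consistent with the SYN_SENT:CLOSED and NO TRAFFIC entries in the pfctl -ss output.

```shell
#!/bin/sh
# Added example (not the original poster's code): sanity-check the
# translation address of a classic pf "nat on IF ... -> ADDR" rule.

# Constructed input: the nat rule exactly as posted.
PF_CONF='scrub in all
nat on xl0 from 192.168.103.0/24 to any -> 194.54.107.17
pass in all
pass out all'

# Constructed input: the same rule translating to the address that is
# actually configured on xl0 (see the ifconfig xl0 output in the post).
PF_CONF_FIXED='scrub in all
nat on xl0 from 192.168.103.0/24 to any -> 194.54.107.19
pass in all
pass out all'

# Constructed input: inet address(es) on xl0, space separated,
# as a real check would extract them from "ifconfig xl0".
XL0_ADDRS='194.54.107.19'

# Constructed input: default gateway, as read from /etc/mygate.
MYGATE='194.54.107.17'

# nat_target IF CONF
#   Prints the translation address of the first "nat on IF" rule in CONF
#   (the word after "->"), or nothing if there is no such rule.
nat_target() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == "nat" && $2 == "on" && $3 == ifc {
            for (i = 1; i <= NF; i++)
                if ($i == "->") { print $(i + 1); exit }
        }'
}

# check_nat IF CONF ADDRS GATEWAY
#   Prints one of:
#     ok       - the rule translates to an address configured on IF
#     gateway  - the rule translates to the default gateway (replies go
#                to the router, never back to this host)
#     foreign  - the rule translates to some other address not on IF
#     missing  - no nat rule on IF was found
check_nat() {
    target=$(nat_target "$1" "$2")
    [ -n "$target" ] || { echo missing; return 0; }
    for a in $3; do
        [ "$target" = "$a" ] && { echo ok; return 0; }
    done
    [ "$target" = "$4" ] && { echo gateway; return 0; }
    echo foreign
    return 0
}

# Report on both the posted rule set and the corrected one.
for conf in "$PF_CONF" "$PF_CONF_FIXED"; do
    printf 'nat on xl0 -> %s: %s\n' \
        "$(nat_target xl0 "$conf")" \
        "$(check_nat xl0 "$conf" "$XL0_ADDRS" "$MYGATE")"
done
```

The corrected rule uses the address from the ifconfig output explicitly; the classic syntax also accepts the interface name in parentheses, "-> (xl0)", so the rule follows the address if the ISP changes it, and OpenBSD 4.7 and later write the same thing as "match out on xl0 from 192.168.103.0/24 nat-to (xl0)".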