
Beginner's routing problems


It's me again!  I reinstalled OpenBSD 2.7 from the CDs last
night and tried to set it up as an internet gateway again.
I still have the same problem, which is that the OpenBSD box
does not appear to be routing from my internal network to
machines on the internet. The basic network looks like this:

(FreeBSD client)      (OpenBSD 2.7 gateway)        (ISP Unix box)
  darwin                 servus   ---              zzzzzz.demon.co.uk       158.152.x.y        158.152.1.zzz
         de0--lan--dc0                   tun0--ppp--....

(note the .x.y is to protect my vulnerable system)

I have an ethernet network at home, and I'm using 10.x.x.x for
it, and my gateway box has a modem which I use with PPP to
dial my ISP.  I have a fixed IP address for the PPP interface on
my machine, and the ISP's gateway IP is also fixed.

At present, darwin can ping servus ( and can ping its
external interface (158.152.x.y) OK. servus can ping darwin,
and when the PPP link is up, can ping gate.demon.co.uk.  HTTP
and FTP are working fine from servus to the internet, as root
or as a normal user.

What I can't do is ping (or ftp or http) from darwin to a machine
on the internet, e.g. gate.demon.co.uk or beyond.

Here's what I did to set up servus (pretty much what's in the FAQ 6.x
and "Setting up OpenBSD 2.7 as a cable NAT system" on BSDToday.com):

Install OpenBSD 2.7

enable IP forwarding
 - /etc/sysctl.conf: uncomment the #net.inet.ip.forwarding=1 line

enable ipf (needed for ipnat)
 - /etc/rc.conf ipfilter=YES
 - /etc/ipf.rules:
pass in from any to any
pass out from any to any

set up ipnat rules:
 - /etc/ipnat.rules
map ppp0 -> ppp0/32 portmap tcp/udp 1025:60000
map ppp0 -> ppp0/32

set up /etc/ppp/ppp.conf


# ppp -auto demon

# ping gate.demon.co.uk
   -- that works ok!

# ipfstat -io
pass in from any to any
pass out from any to any
 -- so we know IPF is up
 -- now PPP is up, we can run ipnat

# ipnat -CF -f /etc/ipnat.rules

# ipnat -l
List of active MAP/Redirect filters:
map ppp0  -> 158.152.x.y/32  portmap tcp/udp 1025:65000
map ppp0  -> 158.152.x.y/32 

List of active sessions:

 -- so ipnat seems to have found my ppp interface IP ok
 -- and it should handle ICMP (ping) packets 'cause of the second line.

# netstat -rn
Routing tables

Destination    Gateway       Flags  Refs     Use    Mtu  Interface
default                      UGS      1      248   1500  tun0
10.0.0/24      link#1        UC       0        0   1500  dc0
                             UGHS     0        0  32972  lo0
               link#1        UHL      4       70   1500  dc0
127/8                        UGRS     0        0  32972  lo0
                             UH       3      190  32972  lo0
158.152.x.y                  UH       1        0   1500  tun0
224/4                        URS      0        0  32972  lo0

 -- looks OK to my untrained eye

 -- now switching to my client FreeBSD machine

# route add default servus

# ping servus 
  -- OK
# ping 158.152.x.y
  -- OK
# ping  (this is gate.demon.co.uk's IP address,
          as ascertained from the ping above)

  -- no reply, 100% packet loss.
  -- I can see a 'ping'-like flicker on the TX line of the modem,
  -- but no corresponding reply flicker on the RX line, like there
  -- is when ping works.

So there we are.  The ping ICMP packets seem to be being routed through
PPP and out to the modem (and I presume to the ISP's gateway machine) but
they don't seem to be acceptable to the machine being pinged - or if it
is replying, the replies are not reaching my modem...

It seems to me that I must have missed some vital detail in setting up
the 'router' part of my OpenBSD box, or perhaps something on the client.
Are there files in /etc/ that I'm missing?  I altered or added:

hostname.dc0  (do I need one for ppp0 or tun0?)

do I need a 'gateway' or 'ethers' file?

What tools could I use to see the packets that are going out over ppp?
Are there any diagnostic tools for ipnat beyond '-l'?

Any ideas or questions?
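
Added example, not part of the original message: a small Python script that parses the two command outputs quoted in the post (`ipnat -l` and `netstat -rn`) and runs the sanity checks a gateway admin wants before suspecting the ISP. The sample outputs below are constructed (documentation addresses 192.0.2.x stand in for the real ones); only their layout and interface names follow the post. One check compares the interface named in the `map` rules with the interface the default route leaves by: in the post the rules name ppp0 while `netstat -rn` shows the default route on tun0, which is the interface userland ppp(8) creates, so that comparison is worth making. The other check is the one the post itself relies on, that a plain `map` rule without `portmap` exists so ICMP (ping) is translated as well as TCP/UDP.

```python
"""Sanity-check an OpenBSD ipnat gateway from the text of `ipnat -l` and
`netstat -rn`.  Added example, not from the original post; the sample
outputs are constructed and use documentation addresses (192.0.2.0/24)."""
import re

# Constructed sample in the shape of `ipnat -l` on OpenBSD 2.7
IPNAT_L = """\
List of active MAP/Redirect filters:
map ppp0  -> 192.0.2.10/32  portmap tcp/udp 1025:65000
map ppp0  -> 192.0.2.10/32

List of active sessions:
"""

# Constructed sample in the shape of `netstat -rn`, default route on tun0
NETSTAT_RN = """\
Routing tables

Internet:
Destination    Gateway       Flags  Refs     Use    Mtu  Interface
default        192.0.2.1     UGS      1      248   1500  tun0
10.0.0/24      link#1        UC       0        0   1500  dc0
10.0.0.2       link#1        UHL      4       70   1500  dc0
127/8          127.0.0.1     UGRS     0        0  32972  lo0
127.0.0.1      127.0.0.1     UH       3      190  32972  lo0
192.0.2.1      192.0.2.10    UH       1        0   1500  tun0
224/4          127.0.0.1     URS      0        0  32972  lo0
"""

# "map <iface> -> <target>[ portmap <proto> <ports>]"
MAP_RE = re.compile(r"^map\s+(\S+)\s+->\s+(\S+)(?:\s+portmap\s+(\S+)\s+(\S+))?")


def parse_ipnat_maps(text):
    """Return the active `map` rules as dicts: iface, target, portmap."""
    maps = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            iface, target, proto, ports = m.groups()
            maps.append({"iface": iface, "target": target,
                         "portmap": (proto, ports) if proto else None})
    return maps


def parse_routes(text):
    """Return routing-table rows (dest, gateway, flags, iface) from netstat -rn."""
    routes = []
    in_table = False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["Destination", "Gateway"]:
            in_table = True          # column header: rows follow
            continue
        if in_table and len(fields) >= 7:
            routes.append({"dest": fields[0], "gateway": fields[1],
                           "flags": fields[2], "iface": fields[-1]})
    return routes


def check_gateway(routes, maps, lan_iface):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    default = [r for r in routes if r["dest"] == "default"]
    if not default:
        findings.append("no default route: forwarded packets have nowhere to go")
        return findings
    ext_iface = default[0]["iface"]
    if not any(r["iface"] == lan_iface for r in routes if "U" in r["flags"]):
        findings.append(f"no usable route via LAN interface {lan_iface}")
    if not maps:
        findings.append("no ipnat map rules loaded (ipnat -CF -f /etc/ipnat.rules)")
        return findings
    for m in maps:
        if m["iface"] != ext_iface:
            findings.append(
                f"map rule on {m['iface']} but default route leaves via {ext_iface}: "
                "private source addresses would go out untranslated")
    # portmap rules cover tcp/udp only; a bare map rule is needed for ICMP
    if not any(m["portmap"] is None for m in maps):
        findings.append("no plain (non-portmap) map rule: ICMP such as ping is not translated")
    return findings


if __name__ == "__main__":
    for f in check_gateway(parse_routes(NETSTAT_RN), parse_ipnat_maps(IPNAT_L), "dc0"):
        print("WARN:", f)
```

Run on the constructed sample it warns twice, once per map rule, that the rules are bound to ppp0 while the default route uses tun0; with the rules rewritten for tun0 it reports nothing. The script only reads command output, so it can be run on a copy of the text pasted from the gateway rather than on the gateway itself.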



