
2.9 router/firewall woes

Hi all,

Firstly, apologies if some of you are seeing this for the second time;
I posted it to comp.unix.bsd.openbsd.misc but the thread has fizzled.

I have a BT business ADSL account; this provides a 4-port Ethernet
router with a /29, and currently I have 2 machines hooked directly to
it (using Tiny Personal Firewall for safety's sake).

What I want is for my new OpenBSD 2.9 box to be the only machine
directly connected to the ADSL, with a second NIC connected to my
LinkSys switch. I want to use ipf and NAT so the windoze boxes sit
in a 10.0.0/8 subnet and can surf etc. from within it. The OpenBSD
box will run headless.

The 2.9 install went fine, I have it connected to the ADSL and the
but I still can't surf from within the 10/8. The 2.9 box has 2 SMC EZ
10/100 NICs in it.

Windows box config is from dhcp on the 2.9 box.

In my paranoia the first 3 octets of the IP address(es) below are
replaced by x.y.z and the domain is mydomain.com.

2.9 box files:


inet x.y.z.46 NONE 


inet NONE 


pass in from any to any
pass out from any to any


# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address

map rl1 -> x.y.z.46/32 portmap tcp/udp 10000:60000
map rl1 -> x.y.z.46/32


#!/bin/sh -
#	$OpenBSD: rc.conf,v 1.57 2001/04/19 04:00:15 deraadt Exp $

# set these to "NO" to turn them off.  otherwise, they're used as flags
routed_flags=NO		# for normal use: "-q"
mrouted_flags=NO	# for normal use: "", if activated
			# be sure to enable multicast_router below.
rarpd_flags=NO		# for normal use: "-a"
bootparamd_flags=NO	# for normal use: ""
rbootd_flags=NO		# for normal use: ""
sshd_flags=""		# for normal use: ""
sendmail_flags="-q30m"	# for normal use: "-bd -q30m"
smtpfwdd_flags=NO	# for normal use: "", and no "-bd" above.
named_flags=NO		# for normal use: ""
rdate_flags=NO		# for normal use: name of RFC868 timeserver
timed_flags=NO		# for normal use: ""
ntpdate_flags=NO	# for normal use: NTP server; run before ntpd starts
photurisd_flags=NO	# for normal use: ""
isakmpd_flags=NO	# for normal use: ""
mopd_flags=NO		# for normal use: "-a"
httpd_flags=NO		# for normal use: "" (or "-DSSL" after reading ssl(8))
apmd_flags=NO		# for normal use: ""
dhcpd_flags="-q"	# for normal use: "-q"
rtadvd_flags=NO		# for normal use: list of interfaces
			# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO	# for normal use: ""
			# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO		# for normal use: interface
			# be sure to set net.inet6.ip6.forwarding=0
			# be sure to set net.inet6.ip6.accept_rtadv=1

# Set to NO if ftpd is running out of inetd
ftpd_flags=NO		# for non-inetd use: "-D"

# Set to NO if identd is running out of inetd
identd_flags=NO		# for non-inetd use: "-b -u nobody -elo"

# On some architectures, you must also disable console getty in
xdm_flags=NO		# for normal use: ""

# For enabling console mouse support (i386 architecture only)
moused_flags=NO		# for ps/2 try: "-p /dev/psm0", serial: "-p /dev/cua00"

# set the following to "YES" to turn them on
nfs_server=NO		# see sysctl.conf for nfs client configuration
kerberos_server=NO	# kerberos server. run 'info kth-krb' for assistance.
kerberos_slave=NO	# kerberos slave server.
ipnat=YES		# for "YES" ipfilter must also be "YES"
portmap=YES		# almost always needed
inetd=YES		# almost always needed
lpd=NO			# printing daemons
check_quotas=YES	# NO may be desirable in some YP environments
ntpd=YES		# run ntpd if it exists
afs=NO			# mount and run afs

# Multicast routing configuration
# Please look at /etc/netstart for a detailed description if you change
multicast_host=NO	# Route all multicast packets to a single interface
multicast_router=NO	# A multicast routing daemon will be run, e.g.

# miscellaneous other flags
# only used if the appropriate server is marked YES above
ypserv_flags=			# E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=		# "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4"		# Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt		# AMD's mount directory
amd_master=/etc/amd/master	# AMD 'master' map
ipfilter_rules=/etc/ipf.rules	# Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules	# Rules for Network Address Translation
ipmon_flags=-Ds			# To disable logging, use ipmon_flags=NO
syslogd_flags=			# add more flags, ie. "-u -a /chroot/dev/log"
named_user=named		# Named should not run as root unless necessary
named_chroot=/var/named		# Where to chroot named if not empty
afs_mount_point=/afs		# Mountpoint for AFS
afs_device=/dev/xfs0		# Device used by afsd
afsd_flags=-z			# Flags passed to afsd
shlib_dirs=			# extra directories for ldconfig


[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line


#	$OpenBSD: sysctl.conf,v 1.21 2000/10/23 17:15:47 deraadt Exp $
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1	# 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0		# 0=disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.esp.enable=1		# 1=Enable the ESP IPSec protocol
#net.inet.ah.enable=1		# 1=Enable the AH IPSec protocol
#ddb.panic=0			# 0=Do not drop into ddb on a kernel panic
#ddb.console=1			# 1=Permit entry of ddb from the console
#fs.posix.setuid=0		# 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=1	# 1=Encrypt pages that go to swap
#vfs.nfs.iothreads=4		# number of nfsio kernel threads
#net.inet.ip.mtudisc=1		# 1=enable tcp mtu discovery
machdep.allowaperture=1		# 1=permit access to aperture driver
#machdep.apmwarn=10		# battery % when apm status messages enabled
#machdep.kbdreset=1		# permit console CTRL-ALT-DEL to do a nice halt


#	$OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.

# Network:
# Domain name:		my.domain
# Name servers: and
# Default router:
# Addresses: -
shared-network LOCAL-NET {
	option  domain-name "mydomain.com";
	option  domain-name-servers,;

	subnet netmask {
		option routers;


With this setup and the windoze laptop hooked up to the linksys

The windows box has got its IP etc from DHCP:

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : mydomain.com
        IP Address. . . . . . . . . . . . :
        Subnet Mask . . . . . . . . . . . :
        Default Gateway . . . . . . . . . :

From the Windows box:
I can ping *both* interfaces of the BSD box, but can't ping
www.google.com (Unknown host www.google.com.) or
(Google's IP address - Destination host unreachable). I can ssh into the
external NIC, but not the local one! Arghhhh!!

From the BSD box:
I can ping google. I can ping the windows box (on 
I can lynx www.uk.openbsd.org

netstat -nr -f inet shows:

Routing tables

Destination        Gateway            Flags     Refs     Use    Mtu 
default            x.y.z.41           UGS         1       98   1500  
10/8               link#2             UC          0        0   1500  
rl1           UGHS        0        0  32972  
lo0           0:e0:98:8d:d1:c1   UHL         3      160   1500  
127/8              UGRS        0        0  32972  
lo0          UH          3       24  32972  
x.y.z.40/29        link#1             UC          0        0   1500  
x.y.z.41           0:20:6f:8:ba:32    UHL         1        0   1500  
x.y.z.42           0:e0:98:8d:d1:c1   UHL         0        4   1500  
224/4              URS         0        0  32972  

route -n show -inet shows:

Routing tables

Destination      Gateway            Flags 
default          x.y.z.41           UG     
                 link#2             U      
                                    UGH    
                 0:e0:98:8d:d1:c1   UH     
                                    UG     
                                    UH     
x.y.z.40         link#1             U      
x.y.z.41         0:20:6f:8:ba:32    UH     
x.y.z.42         0:e0:98:8d:d1:c1   UH     
                                    U      

ifconfig -a inet shows:

lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
	inet netmask 0xff000000 
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 32972
	media: Ethernet autoselect (none)
	status: active
	inet x.y.z.46 netmask 0xfffffff8 broadcast x.y.z.47
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet netmask 0xff000000 broadcast
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
gre0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

What gives with rl0 and its media type from ifconfig?
Have I missed something that routes between the 2 nics? a route add?

Rich (frustrated)

Richard Parker

What rolls down T3s, boosts connect fees, and makes your throughput
Makes it tough to hack, won't get off your back. 
It's logs, logs, logs, logs, logs.

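The post's setup depends on four things agreeing with each other: rc.conf (ipnat=YES, which the file's own comment says needs ipfilter=YES too), sysctl.conf (net.inet.ip.forwarding=1), the ipnat map rules, and which NIC actually carries the default route. The following is an added example, not code from the post or from OpenBSD: a small Python audit that reads constructed copies of those files and reports where they disagree. It assumes x.y.z is 192.0.2 (TEST-NET-1), that the 10/8 side is 10.0.0.1/8 on rl1 and the /29 side x.y.z.46 on rl0 (inferred from the link#1 and link#2 routes in the post's netstat output), that the rc.conf switch the ipnat comment refers to is named `ipfilter`, and that an ipnat `map` rule names the interface packets leave through. The post's map rules show only the interface and the translation address; the internal network in the samples below is assumed.

```python
"""Audit the pieces an ipf/ipnat gateway must agree on: rc.conf, sysctl.conf,
ipnat.rules and the interface that actually carries the default route."""
import ipaddress
import re

# --- Constructed sample inputs, modelled on the 2.9 box in the post ---
# x.y.z is replaced by 192.0.2 (TEST-NET-1); the addresses the post elides
# are assumed: 10.0.0.1/8 on rl1, x.y.z.46 on the /29 on rl0.
INTERFACES = {"rl0": ("192.0.2.46", "255.255.255.248"),
              "rl1": ("10.0.0.1", "255.0.0.0")}
DEFAULT_GATEWAY = "192.0.2.41"

RC_CONF_SAMPLE = """\
ipfilter=YES		# assumed name of the switch the ipnat comment refers to
ipnat=YES		# for "YES" ipfilter must also be "YES"
ipfilter_rules=/etc/ipf.rules	# Rules for IP packet filtering
ipnat_rules=/etc/ipnat.rules	# Rules for Network Address Translation
"""
SYSCTL_SAMPLE = "net.inet.ip.forwarding=1\t# 1=Permit forwarding (routing) of packets\n"

# As posted: the map rules name rl1, the 10/8 side (internal network assumed).
IPNAT_AS_POSTED = """\
map rl1 10.0.0.0/8 -> 192.0.2.46/32 portmap tcp/udp 10000:60000
map rl1 10.0.0.0/8 -> 192.0.2.46/32
"""
# The same rules pointed at the interface the packets actually leave through.
IPNAT_CORRECTED = IPNAT_AS_POSTED.replace("map rl1", "map rl0")

MAP_RULE = re.compile(
    r"^map\s+(?P<iface>\S+)\s+(?:(?P<internal>\S+)\s+)?->\s+(?P<external>\S+)")


def parse_assignments(text):
    """Read KEY=VALUE lines (rc.conf / sysctl.conf style). '#' starts a comment,
    so a commented-out sysctl line is simply absent from the result."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip().strip('"')
    return result


def parse_map_rules(text):
    """Return (iface, internal_net_or_None, external) for each ipnat map rule."""
    rules = []
    for line in text.splitlines():
        m = MAP_RULE.match(line.strip())
        if m:
            rules.append((m["iface"], m["internal"], m["external"]))
    return rules


def external_interface(interfaces, default_gateway):
    """The outbound interface is the one whose attached subnet holds the default gateway."""
    gw = ipaddress.ip_address(default_gateway)
    for name, (addr, mask) in interfaces.items():
        if gw in ipaddress.ip_interface(f"{addr}/{mask}").network:
            return name
    return None


def audit(rc_conf, sysctl_conf, ipnat_rules, interfaces, default_gateway):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    rc = parse_assignments(rc_conf)
    if rc.get("ipnat") == "YES" and rc.get("ipfilter") != "YES":
        findings.append("rc.conf: ipnat=YES but ipfilter is not YES (the rc.conf comment requires both)")
    if parse_assignments(sysctl_conf).get("net.inet.ip.forwarding") != "1":
        findings.append("sysctl.conf: net.inet.ip.forwarding is not 1, so the kernel will not route between the NICs")
    ext = external_interface(interfaces, default_gateway)
    if ext is None:
        findings.append(f"no interface holds a subnet containing the default gateway {default_gateway}")
        return findings
    ext_addr = interfaces[ext][0]
    for iface, internal, external in parse_map_rules(ipnat_rules):
        if iface != ext:
            findings.append(f"ipnat.rules: map rule is on {iface}, but packets leave through {ext}; "
                            "ipnat map rules name the outbound interface")
        if str(ipaddress.ip_interface(external).ip) != ext_addr:
            findings.append(f"ipnat.rules: rule maps to {external}, which is not {ext}'s address {ext_addr}")
        if internal is None:
            findings.append(f"ipnat.rules: map rule on {iface} names no internal network "
                            "(map ifname internal/mask -> external/mask)")
    return findings


if __name__ == "__main__":
    for label, rules in (("as posted", IPNAT_AS_POSTED), ("corrected", IPNAT_CORRECTED)):
        result = audit(RC_CONF_SAMPLE, SYSCTL_SAMPLE, rules, INTERFACES, DEFAULT_GATEWAY)
        print(f"{label}: {result or 'consistent'}")
```

Run as a script it prints the findings for the "as posted" rules and "consistent" for the corrected ones. The external interface is derived from the default gateway rather than taken on trust, because the map rule's interface is the check most easily got backwards when two NICs of the same type are in the box.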