MyBSD™ Brag Less, Bite More. -- Forum / OpenBSD General / Openbsd 4.1 Strange PRoblem
Peter_APIIT
Hyena Member
# Posted: 26 Feb 2008 10:36


Hello all respected network administrators, I have set up an OpenBSD gateway, but the wireless connection (gateway) is not detected by the client, whereas before this it was OK. It could be seen in Windows but now it cannot. I don't know what is wrong with it.

I am sure my configuration is OK because I didn't edit it.

Another problem now is that when booting up, at the point of starting the network, previously I did not need to press Ctrl + C to proceed to the DHCP request for rl0, but now I need that. I also don't know what is wrong.

The third problem is that from OpenBSD I cannot ping the LAN client IP, but the client can ping OpenBSD.

I tried route add 176.16.10.11 (destination) 176.16.10.1 (gateway), which returned "file exists". If this route exists, then there should be no problem, but how come I cannot ping from OpenBSD to the client?

I hope you can help me out, because my hair has dropped until there is no more hair.

If you all need extra information or configuration, please let me know.

A billion thanks for your help.



drl
Hyena Master
# Posted: 26 Feb 2008 21:49


How is your setup ? Is it like this:

<Gateway> -> <OpenBSD box> -> <LAN> ?

For the ping problem, check that your firewall (PF) on OpenBSD is not blocking ICMP on the LAN interface. Also check that the client has its firewall turned off (I presume WinXP). Another possible problem might be the network cable, perhaps?

If all fails, the best guess is to set it up again from scratch, starting with one client at a time to try to narrow down the problem.


:w!
Peter_APIIT
Hyena Member
# Posted: 18 Mar 2008 14:24


My network connection is like this

Modem -> OpenBSD -> Client.



Peter_APIIT
Hyena Member
# Posted: 18 Mar 2008 14:26


Ping from OpenBSD -> client [ok];
Ping from client -> OpenBSD [ok];

This is a LAN connection using cable.



drl
Hyena Master
# Posted: 19 Mar 2008 11:13


How did you solve it ?


:w!
Peter_APIIT
Hyena Member
# Posted: 20 Mar 2008 07:19


I still cannot solve it, because I can ping but cannot browse using the LAN connection.

My AP cannot be configured. No idea why.

Previously, I configured the firewall and other services first rather than configuring DHCP first.

This is my mistake due to lack of experience.

I can pay you money if you can help.



drl
Hyena Master
# Posted: 22 Mar 2008 05:06


Don't worry about payment. If you are able to ping both sides but not able to surf the net, it might be because your OpenBSD is not able to forward packets. Did you turn on IP forwarding on the OpenBSD machine and set up NAT? Secondly, are the clients configured to use the proper nameservers?


:w!
eazam
Hyena Member
# Posted: 24 Mar 2008 01:20


Can you provide netstat -rn, your current pf rules and your ifconfig output?

It will be easier if you could attach a network diagram. :p



Peter_APIIT
Hyena Member
# Posted: 12 Apr 2008 09:09


Sorry for the delay.

Network diagram:
Modem -> (rl0) OpenBSD (rl1 && ral0) -> client

netstat -rn output:

Internet

Destination Gateway Flags Refs Use MTU Interface
default 219.93.218.177 UGS 0 343 - tun0
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 14 33224 lo0
172.16/12 link#2 UC 1 0 - rl1
172.16.10.5 H.A UHLc 1 71 - rl1
192.168.1/24 link#1 UC 1 0 - rl0
192.168.168.1.1 H.A UHLc 0 9 - rl0
192.168.1.2 127.0.0.1 UGRS 0 2 33224 lo0
219.93.218.177 60.48.176.167 UH 1 0 1492 tun0
224/4 127.0.0.1 URS 0 3 33224 lo0



ifconfig output:

rl0 - external interface
rl1 - internal interface
ral0 - wireless interface

rl0 - DHCP from the modem
/etc/hostname.rl0 : dhcp NONE NONE

/etc/hostname.rl1 : inet 172.16.10.1 255.240.0.0 NONE

/etc/hostname.ral0 : inet 192.168.5.1 255.255.0.0 NONE and some other config to be an AP



/etc/pf.conf

block in on ext_if log all

pass out on int_if and wl_if

scrub all

nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $wl_if:network to any -> ($ext_if)

Previously, OpenBSD could ping the client and the client could ping OpenBSD, but now I don't know why it cannot;

OpenBSD cannot ping the client anymore.

/etc/dhcpd.conf

subnet 172.16.0.0 netmask 255.240.0.0 {

option routers 172.16.10.1;
range 172.16.10.5.3 172.16.10.5.5;
}

subnet 192.168.0.0 netmask 255.255.0.0{
option routers 192.168.5.;
range 192.168.5.3 192.168.5.5;
}


If you need further information from me, please don't hesitate to tell me.

Thanks for your help.



Peter_APIIT
Hyena Member
# Posted: 12 Apr 2008 09:11


Did you turn on IP forwarding on the OpenBSD machine and setup NAT ? Secondly are the clients configured to use the proper nameservers ?


I double-checked the IP forwarding with this command:

sysctl inet.ip. = 1 shows up as on and true


I have set up NAT.

The client is set up using a proper DNS server, such as 202.188.0.133, in Internet Protocol.

Thanks for your help.



Peter_APIIT
Hyena Member
# Posted: 12 Apr 2008 18:10


I can ping both ways already, that is from OpenBSD to the client and from the client to OpenBSD.

I cannot ping my external gateway, which is 192.168.1.1, but I can ping the external interface 192.168.1.2.

Thanks for your help.



drl
Hyena Master
# Posted: 12 Apr 2008 20:30


netstat -rn output:

Internet

Destination Gateway Flags Refs Use MTU Interface
default 219.93.218.177 UGS 0 343 - tun0
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 14 33224 lo0
172.16/12 link#2 UC 1 0 - rl1
172.16.10.5 H.A UHLc 1 71 - rl1
192.168.1/24 link#1 UC 1 0 - rl0
192.168.168.1.1 H.A UHLc 0 9 - rl0
192.168.1.2 127.0.0.1 UGRS 0 2 33224 lo0
219.93.218.177 60.48.176.167 UH 1 0 1492 tun0
224/4 127.0.0.1 URS 0 3 33224 lo0


Hi, just wondering why 192.168.1.2 is attached to lo0 instead of rl0? If you want both 192.168.1.1 & 192.168.1.2 on rl0, configure IP aliasing on rl0, not on lo0.


/etc/pf.conf

block in on ext_if log all

pass out on int_if and wl_if


You should add a 'pass out' rule for ext_if as well.


:w!
eazam
Hyena Member
# Posted: 18 Apr 2008 16:10


Additionally, on the modem itself you can set the routes for 172.16.10.0 and
192.168.5.0 to point back to your rl0 interface.
Example: on the modem
route add -net 172.16.10.0 255.240.0.0 192.168.1.X << your rl0 ip


From what I see, you didn't NAT the connection to your ext_gw, and that's why on the modem itself you have to enable the route pointing back to your OpenBSD.



Peter_APIIT
Hyena Member
# Posted: 20 Apr 2008 11:10


Hi, just wondering why 192.168.1.2 is attached to lo0 instead of rl0? If you want both 192.168.1.1 & 192.168.1.2 on rl0, configure IP aliasing on rl0, not on lo0.

I don't know why this happened, because I just put dhcp NONE NONE in /etc/hostname.rl0.

192.168.1.1 is the gateway to the modem and 192.168.1.2 is my rl0 (external interface) address.

Which one is my loopback device?


Thanks for your concern. I have a pass out rule.

I have NAT from client to OpenBSD, and you mentioned that I don't have NAT from OpenBSD to modem.

Why is this required, since an ordinary router doesn't require it?

route add -net 172.16.10.0 255.240.0.0 192.168.1.X << your rl0 ip

My rl0 IP is 192.168.1.2.
That means route add -net 172.16.10.0 255.240.0.0 192.168.1.1

Since the syntax of this command is route add -net destination gateway.

Thanks for your help and clarification.



Peter_APIIT
Hyena Member
# Posted: 20 Apr 2008 11:20


I probably understand why eazam mentioned it, because I have a dynamic public IP. Therefore, I don't need /etc/mygate.

Any help is greatly appreciated by me and others.



drl
Hyena Master
# Posted: 20 Apr 2008 12:37


Hi,

Hi, just wondering why 192.168.1.2 is attached to lo0 instead of rl0? If you want both 192.168.1.1 & 192.168.1.2 on rl0, configure IP aliasing on rl0, not on lo0.

I don't know why this happened, because I just put dhcp NONE NONE in /etc/hostname.rl0.


Ok. I misread this part..

192.168.1.1 is the gateway to the modem and 192.168.1.2 is my rl0 (external interface) address.

Which one is my loopback device?


lo0


Thanks for your concern. I have a pass out rule.

I have NAT from client to OpenBSD, and you mentioned that I don't have NAT from OpenBSD to modem.

Why is this required, since an ordinary router doesn't require it?


Only 1 NAT setup is required. From your setup, you are running a double-NAT setup, which is bad and can break things. (Think end-to-end stuff..)

route add -net 172.16.10.0 255.240.0.0 192.168.1.X << your rl0 ip

My rl0 IP is 192.168.1.2.
That means route add -net 172.16.10.0 255.240.0.0 192.168.1.1


This would be optional, I guess. Might consider running 'routed' to manage routing automatically. Another symptom of your problem I can think of is ARP. Could you try 'arp -da' and then try to ping again? If this doesn't work, try turning your switch off and on again, run 'arp -da' and do the ping test..


:w!
eazam
Hyena Member
# Posted: 20 Apr 2008 16:42


The modem doesn't recognize your internal IP. What the modem recognizes is only 192.168.1.0/24. So in order for your network to ping the modem IP, your OpenBSD has to advertise the inside network to the modem.

192.168.1.1 is your modem, right? Or am I wrong?
And what I said about adding the route is done using the web UI on the modem :P
Correct me if I'm wrong.



Peter_APIIT
Hyena Member
# Posted: 21 Apr 2008 16:16


Only 1 NAT setup is required. From your setup, you are running a double-NAT setup, which is bad and can break things. (Think end-to-end stuff..)

Where do I have double NAT?

Route add Destination Gateway.

192.168.1.1 is my modem gateway.
rl0 IP address (external) 192.68.1.2

If I put route add 172.16.10.0 192.168.1.1, then a hacker can directly go into my internal interface already. Modem to internal interface.

As far as I know, even though a hacker can break my external interface, at least I still have two interfaces. I think I can filter from the internal interface.

I'm not showing off, but just sharing knowledge.


I think I just need to put 219.93.218.177 into /etc/mygate, but from netstat -rn and route show,

it shows that I have the correct default gateway to the Internet from OpenBSD.


I'm going to try arp -da and routed also.

Another symptom of your problem I can think of is ARP.

What is my problem?
What is the use of ARP?



Peter_APIIT
Hyena Member
# Posted: 21 Apr 2008 16:18


The modem doesn't recognize your internal IP

Why does the modem need to recognize my internal IP, since I have NAT from the internal interface to the external one? The modem just recognizes my external interface IP and subnet 192.168.0.0/24.


Please correct me if I'm wrong.

Thanks.



drl
Hyena Master
# Posted: 21 Apr 2008 18:21


Hi,

From your first post, you seem to be having two problems:

1) dhcp problem
2) AP problem

What used to work now doesn't. Have a look at the log files for anything weird about your setup. You mention it worked previously; what OS/version were you using then? When you upgraded/reinstalled, were there any issues you should be aware of? Maybe this link might help. Lastly, recheck your configs again, especially for your AP setup / DHCP server. Disable all firewall rules or use a default 'pass all' rule for now.

Regarding double-NAT, you are using double-NAT because:
1) Modem does NAT for OpenBSD
2) OpenBSD does NAT for LAN/AP clients

But of course, this is out of scope, so sorry about that. Regarding arp, what it does is flush the ARP table, which can sometimes 'solve' ping problems like the one you are having. Either that, or your client has a firewall blocking ping.

Hope this helps.


:w!
eazam
Hyena Member
# Posted: 21 Apr 2008 21:33


I don't think advertising your internal IP at the modem level will get you hacked by anyone, because they still have to go through the OpenBSD firewall. The routing table just says where to point when you want to access that network segment.



Peter_APIIT
Hyena Member
# Posted: 22 Apr 2008 11:12


The access point is working now. Previously I had put a space in the nwid, and we cannot put a space between words for the nwid. Therefore, after adding "" it works now.

Should I turn off NAT in the modem?

What should I do to diagnose the problem?

Thanks for your help.



Peter_APIIT
Hyena Member
# Posted: 22 Apr 2008 19:26


I don't think I have double NAT, since the modem is in bridge mode and not PPPoE dialing mode.

Before this, I forgot to turn on NAT, but after turning on NAT I can ping my modem gateway, which is 192.168.1.1, but I still cannot browse.

Before turning on NAT, I could not ping 192.168.1.1, but now I can.

What is wrong with it?

Is it related to the DNS server? But I don't have any DNS server set up yet.

Thanks for your help.



eazam
Hyena Member
# Posted: 22 Apr 2008 22:53


OK. Can you disable DHCP on the modem, configure rl0 using a static IP,
and then redial?



Peter_APIIT
Hyena Member
# Posted: 24 Apr 2008 15:31


What IP should I put in /etc/hostname.rl0 :

192.168.1.2 255.255.255.0 NONE NONE

Thanks for your help.



drl
Hyena Master
# Posted: 24 Apr 2008 17:11


What IP should I put in /etc/hostname.rl0 :

inet 192.168.1.2 255.255.255.0 NONE


:w!
Peter_APIIT
Hyena Member
# Posted: 25 Apr 2008 07:28


I have tried, but still the same result.

Any idea to solve this? I can browse from the OpenBSD box but not from the client.



drl
Hyena Master
# Posted: 25 Apr 2008 11:45 Edited by: drl


I don't think I have double NAT, since the modem is in bridge mode and not PPPoE dialing mode.

OK, this means your OpenBSD box is doing the PPPoE dialing. For your problem, try changing your Wi-Fi network address 192.168.0.0/16 to 10.10.10.0/24; change it also in dhcpd.conf and pf.conf and test again. Because I notice you have set up a 192.168.1/24 network to your modem and 192.168/16 for your wireless network. Avoid using a /16 network if it is not necessary.


:w!
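As an added example (not code from the thread), a small Python check of the addressing posted above: it flags the overlap between the wireless 192.168/16 and the modem's 192.168.1/24 that the renumbering to 10.10.10.0/24 removes, and sanity-checks dhcpd.conf scope values. The interface map is constructed from the posted /etc/hostname.* lines.

```python
import ipaddress

# Constructed from the /etc/hostname.* lines posted earlier in the thread.
POSTED_IFACES = {
    "rl0": "192.168.1.2/24",   # external, address handed out by the modem
    "rl1": "172.16.10.1/12",   # internal wired, netmask 255.240.0.0
    "ral0": "192.168.5.1/16",  # wireless AP, netmask 255.255.0.0
}
MODEM_GATEWAY = "192.168.1.1"


def overlapping_pairs(ifaces):
    """Pairs of interfaces whose directly connected networks overlap.
    Two connected routes covering the same destinations is the ambiguity
    the advice to move the wireless network to 10.10.10.0/24 removes."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def interfaces_claiming(ifaces, host):
    """Interfaces that treat `host` as directly connected; more than one
    means the address is reachable through two connected routes."""
    addr = ipaddress.ip_address(host)
    return sorted(n for n, c in ifaces.items()
                  if addr in ipaddress.ip_interface(c).network)


def dhcp_scope_problems(subnet, netmask, routers, first, last):
    """Check one dhcpd.conf subnet block: every address must parse and lie
    inside the declared subnet. Returns human-readable problems (empty = ok)."""
    problems = []
    try:
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=True)
    except ValueError as e:
        return [f"bad subnet: {e}"]
    for label, value in (("routers", routers), ("range start", first),
                         ("range end", last)):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{label} {value!r} is not a valid IPv4 address")
            continue
        if addr not in net:
            problems.append(f"{label} {value} lies outside {net}")
    return problems
```

Run against the posted dhcpd.conf, the checker rejects "172.16.10.5.3" and "192.168.5." as malformed addresses, which is the kind of typo that makes a scope silently hand out nothing.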
Peter_APIIT
Hyena Member
# Posted: 25 Apr 2008 18:06


OK. I will have a try and come back here.

I really appreciate all your help.

Why is there a need to avoid a /16 subnet mask network?

I thought my modem doesn't clash with the wireless network.
I am not ignoring your solution, but just need an explanation.

A billion thanks for your help.



drl
Hyena Master
# Posted: 25 Apr 2008 18:21


Why is there a need to avoid a /16 subnet mask network?

Because a /16 network is for when your network is really huge. In this case you are just serving Wi-Fi clients, therefore a /24 network is sufficient.


:w!