Bridge, routing and pf


Bridge, routing and pf

sheda
Hi,

I'm trying to set a bridge on my OpenBSD 3.8 box (seu). The
bridge is made of 2 interfaces: ural0 and vr0. Both ural0 and
vr0 have the same IP address. Here is the configuration:

# cat /etc/hostname.ural0
inet 172.16.199.56 255.240.0.0 NONE mediaopt hostap mode 11g
nwid helloworld chan 7
 #!ifconfig ural0 down
#cat /etc/hostname.vr0
inet 172.16.199.56 255.240.0.0
 #!route add blon blon -interface
# cat /etc/bridgename.bridge0
add vr0
add ural0
 #static vr0 0:d:b4:0:6b:5e
up
# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags Refs Use   Mtu  Interface
default            schiff             UGS      0  28     -  vr0
loopback           localhost          UGRS     0   0 33224  lo0
localhost          localhost          UG       0   0 33224  lo0
172.16/12          link#6             UC       0   0     -  ural0
blon               link#6             UHLc     0   2     -  ural0
schiff             00:0d:b4:00:6b:5e  UHLc     0   0     -  ural0
seu                00:08:d3:03:3e:06  UHLc     0  16     -  lo0
BASE-ADDRESS.MCAST localhost          URS      0   0 33224  lo0

When pf is disabled and I'm trying to ping blon, here is what
can be seen on vr0 after the bridge discovered that blon was on
vr0:

0:8:d3:3:3e:6 0:d:b4:0:6b:5e 0800 98: 172.16.199.256 > 172.16.27.55: icmp: echo request
0:d:b4:0:6b:5e 0:50:ba:c7:c3:59 0800 98: 172.16.27.55 > 172.16.199.256: icmp: echo reply

As you can see the source MAC of the echo request is ural0's
MAC address. Here is what brconfig, arp and route are saying:

# brconfig bridge0
bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                ural0 flags=3<LEARNING,DISCOVER>
                        port 6 ifpriority 128 ifcost 55
                vr0 flags=3<LEARNING,DISCOVER>
                        port 1 ifpriority 128 ifcost 55
        Addresses (max cache: 100, timeout: 240):
                00:0d:b4:00:6b:5e vr0 1 flags=0<>
# arp -a
blon (172.16.27.55) at 00:0d:b4:00:6b:5e on ural0
schiff (172.16.53.254) at 00:0d:b4:00:6b:5e on ural0
seu (172.16.199.56) at 00:08:d3:3e:06 on ural0 static
# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags Refs  Use   Mtu  Interface
default            schiff             UGS      0   93     -  vr0
loopback           localhost          UGRS     0    0 33224  lo0
localhost          localhost          UG       0    0 33224  lo0
172.16/12          link#6             UC       0    0     -  ural0
blon               00:0d:b4:00:6b:5e  UHLc     0  709     -  ural0
schiff             00:0d:b4:00:6b:5e  UHLc     0    0     -  ural0
seu                00:08:d3:03:3e:06  UHLc     0 1048     -  lo0
BASE-ADDRESS.MCAST localhost          URS      0    0 33224  lo0

Trying to add a route to blon doesn't solve it (route add blon
blon -interface), but using pf does (pass out on ural0 route-to
vr0).
So my question is: what is the best way to statically associate
blon with vr0?

thx,

sheda

P.S. If I missed some docs, don't waste your time with this
problem, just point them!

Access La Poste e-mail: www.laposte.net ;
3615 LAPOSTENET (0,34 /mn) ; tel: 08 92 68 13 50 (0,34/mn)


Re: Bridge, routing and pf

Claudio Jeker
On Fri, Mar 10, 2006 at 09:45:41AM +0100, uc.sheda wrote:

> Hi,
>
> I'm trying to set a bridge on my OpenBSD 3.8 box (seu). The
> bridge is made of 2 interfaces: ural0 and vr0. Both ural0 and
> vr0 have the same IP address. Here is the configuration:
>
> # cat /etc/hostname.ural0
> inet 172.16.199.56 255.240.0.0 NONE mediaopt hostap mode 11g
> nwid helloworld chan 7
>  #!ifconfig ural0 down
> #cat /etc/hostname.vr0
> inet 172.16.199.56 255.240.0.0
>  #!route add blon blon -interface
> # cat /etc/bridgename.bridge0
> add vr0
> add ural0
>  #static vr0 0:d:b4:0:6b:5e
> up
> # route show -inet
> Routing tables
>

Don't use the same IP for two interfaces; this calls for trouble.
It is enough to add the IP to one interface. I would change the
/etc/hostname.vr0 to just "up". Then only ural0 has an IP assigned in your
bridge setup, which is absolutely fine.

--
:wq Claudio


Re: Bridge, routing and pf

sheda
Just another little detail: I've found in the FAQ (6.6 - Setting up a network bridge
in OpenBSD, Filtering on a bridge) that pf rules have to be based only on one
interface of the bridge. How do I find which interface? Because the example shows a
'pass all' on both interfaces... I'm a bit lost about this point.

thx,

sheda.



Re: Bridge, routing and pf

Claudio Jeker
On Fri, Mar 10, 2006 at 01:33:52PM +0100, uc.sheda wrote:
> Just another little detail: I've found in the FAQ (6.6 - Setting up a network bridge
> in OpenBSD, Filtering on a bridge) that pf rules have to be based only on one
> interface of the bridge. How do I find which interface? Because the example show a
> 'pass all' on both interfaces... I'm a bit lost about this point.
>

I think the sentence is a bit confusing. The idea is that you only filter
on one interface but just pass the traffic on the other interface of the
bridge. You need to explicitly pass the traffic if you have a default
block rule.

Traffic flowing through a bridge hits both interfaces and so it is
necessary to add rules for both of them. In most cases you will just
pass all traffic on one interface so you could use "set skip on" to ignore
this interface completely.

--
:wq Claudio
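Putting Claudio's two answers together as an added example (not a ruleset from the thread or from the OpenBSD FAQ): the IP stays on ural0 only, /etc/hostname.vr0 holds just "up", and pf skips the wired port so that every bridged frame is filtered exactly once, on the wireless port. The 172.16.0.0/12 network is the one from the thread; the pass rules themselves are illustrative assumptions.

```pf
# /etc/pf.conf for the two-port bridge in the thread (example, not from the post)
# Assumed: /etc/hostname.vr0 contains only "up", the IP 172.16.199.56 is
# configured on ural0 alone, and the LAN is 172.16.0.0/12 as in the thread.
wired = "vr0"      # bridge port towards the wired LAN (blon, schiff)
wifi  = "ural0"    # hostap port; wireless clients arrive here
lan   = "172.16.0.0/12"

# A frame crossing the bridge is seen on both ports, so with a default
# block rule it would need a matching pass on each of them. Skipping the
# wired port means pf evaluates the ruleset once, on $wifi only.
set skip on { lo0 $wired }

# Default deny, logged, so anything not matched below shows up in pflog0.
block log all

# Wireless clients talking to the LAN: allow in on the wireless port and
# keep state so the replies are matched without a second rule.
pass in on $wifi inet from $lan to $lan keep state

# Traffic leaving towards the wireless clients (from the wired side or
# from seu itself); stateful for the same reason. "keep state" is spelled
# out because it is not the default on a 3.8-era pf.
pass out on $wifi inet from $lan to $lan keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it; with "set skip on vr0" in place, "pfctl -ss" will only ever show states created on ural0.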


Re: Bridge, routing and pf

sheda
Things are more clear for me now, thanks for your help.

sheda.
