OpenBSD 4.1 Generic Stable Gateway Strange Problem


peterwkc
Hello to all expert OpenBSD users and developers, I am a student from Malaysia.

I would like to set up OpenBSD as a gateway to my internal home network.

Below is the situation:

Recently, I edited some config inside /etc/pf.conf, and this lets my client ping my ISP's DNS server; at least it is better than before, when my client could not ping the ISP DNS server.

Below is the configuration before I did that:

Quote:
/etc/hostname.rl0 : dhcp NONE NONE - external Interface
/etc/hostname.rl1 : inet 172.16.10.1 255.255.255.0 - Internal Interface

/etc/dhcpd.conf :

max-lease-time 86400;
option domain-name-servers 202.188.0.133, 202.188.1.5;

subnet 172.16.0.0 netmask 255.240.0.0
{
option routers 172.16.10.1;
option broadcast-address 172.16.10.255;

max-lease-time 86400;
default-lease-time 18000;
range 172.16.10.5 172.16.10.8;
}

host nicholas_tse
{
hardware ethernet MAC;
fixed-address 172.16.10.10;
}

ifconfig shows the correct output from the hostname files. The pflog0, enc0 and tun0 IP is 124.13.124.167.


/etc/pf.conf

ext_if="rl0"
int_if="rl1"
wl_if="ral0"

set block-policy drop
set loginterface rl0
set state-policy floating
set fingerprints /etc/pf.os
set optimization aggressive
set skip on lo0

nat on $ext_if from !($ext_if) to any -> ($ext_if)
# macro names are case-sensitive: $wl_if and $int_if match the definitions above
pass quick on {lo0, $wl_if, $int_if} all keep state

I don't have an /etc/mygate file because I have a dynamic IP.


Routing table as below:

Destination        Gateway          Flags   Refs  Use   Mtu    Interface
default            219.93.218.177   UGS     9     190   -      tun0
127/8              127.0.0.1        UGRS    0     0     33224  lo0
127.0.0.1          127.0.0.1        UH      2     12    33224  lo0
172.16/12          link#2           UC      2     0     -      rl0
172.16.10.1        MAC              UHLc    0     6     -      lo0
172.16.10.10       MAC              UHLc    0     0     -      rl1
192.168.1/24       link#1           UC      1     0     -      rl0
192.168.1.1        127.0.0.1        UGHS    0     0     33224  lo0
219.93.218.177     124.13.127.167   UH      1     0     1472   tun0
224/4              127.0.0.1        URS     0     0     33224  lo0

This /etc/pf.conf does not allow my client to ping the DNS server, but after changing the configuration as below, my client is able to ping the ISP DNS server.

After changing /etc/pf.conf:

Quote:
ext_if="tun0"
int_if="rl1"
wl_if="ral0"

set block-policy drop
set loginterface rl0
set state-policy floating
set fingerprints /etc/pf.os
set optimization aggressive
set skip on lo0

nat on $ext_if from !($ext_if) to any -> ($ext_if)

#block drop in quick on {$ext_if} all
#block drop in quick on {$ext_if} inet6 all

pass in on $int_if from $int_if:network to any keep state

pass out on $int_if from any to $int_if:network keep state

pass quick on {$wl_if, $int_if} all keep state

I have disabled scrub and antispoof for the moment.

In another forum, someone suggested another configuration for /etc/pf.conf, as below:

What do you think of my pf configuration?

Suggested configuration by a helper from another forum:

Quote:
ext_if="tun0"
int_if="rl1"
wl_if="ral0"
dial_if="rl0"

set block-policy drop
set skip on lo0

nat on $ext_if from !($ext_if) to any -> ($ext_if)

pass quick on {$ext_if, $int_if, $wl_if, $dial_if} all keep state

pass in on $int_if from $int_if:network to any keep state

pass out on $int_if from any to $int_if:network keep state


I have tried the pf rules suggested on the other forum, but they still do not allow me to browse.

Ping OpenBSD to client [OK]
Ping client to OpenBSD [OK]
Ping client to OpenBSD external Internet IP [OK]
Ping client to ISP DNS server [OK] after changing ext_if to tun0
Ping client to WWW.google.com.my [OK]

The problem is that my client cannot browse.

The message from the Firefox browser is "Unable to Connect".

I really need your help.

Thanks for your help.

A billion thanks for your help.
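As an added example (not the poster's or OpenBSD's code): a small POSIX sh/awk linter for the two macro slips that are easy to make in rulesets like the ones above. A $name reference with no matching definition (pf macro names are case-sensitive, so $wl_If does not match wl_if=) is rejected by pfctl, while a (name) written without the $ is accepted by pf as a reference to an interface called name instead of expanding the macro, so the rule loads but does not mean what was intended. The sample ruleset inside is constructed for the demonstration, not taken from the post.

```shell
# Lint a pf.conf for macro slips: an undefined $name reference (with a hint when
# only the case differs) and a (name) that is a defined macro missing its $.
# Reads the file(s) given as arguments, or stdin; prints one line per finding
# and, as its last line, the number of findings.
lint_pf_macros() {
    awk '
    { sub(/#.*/, "") }                                   # drop comments
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {              # macro definition
        name = $0; sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*/, "", name)
        defined[name] = 1
        next
    }
    {
        line = $0
        while (match(line, /[$][A-Za-z_][A-Za-z0-9_]*/)) {  # each $ref must be defined
            ref = substr(line, RSTART + 1, RLENGTH - 1)
            if (!(ref in defined)) {
                hint = ""
                for (d in defined) if (tolower(d) == tolower(ref)) hint = " (did you mean $" d "?)"
                printf "line %d: macro $%s is not defined%s\n", NR, ref, hint; n++
            }
            line = substr(line, RSTART + RLENGTH)
        }
        line = $0
        while (match(line, /[(][A-Za-z_][A-Za-z0-9_]*[)]/)) {  # (ref) without the $
            ref = substr(line, RSTART + 1, RLENGTH - 2)
            if (ref in defined) { printf "line %d: (%s) is read as an interface; use ($%s)\n", NR, ref, ref; n++ }
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { print n + 0 }
    ' "$@"
}
# Constructed sample ruleset (not from the post) carrying both kinds of slip.
sample_pf_conf() {
cat <<'EOF'
ext_if="tun0"
int_if="rl1"
wl_if="ral0"
set skip on lo0
nat on $ext_if from !(ext_if) to any -> ($ext_if)
pass quick on {lo0, $wl_If, $int_if} all keep state
EOF
}
# Finding count for the sample, i.e. the linter's last output line (2 here).
sample_finding_count() { sample_pf_conf | lint_pf_macros | tail -n 1; }
sample_pf_conf | lint_pf_macros
```

Run it as lint_pf_macros /etc/pf.conf before loading; pfctl -nf /etc/pf.conf then checks the full syntax without loading the rules.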