Routing and forwarding: directly connected computers

Routing and forwarding: directly connected computers

Ernest Stewart
I have a local network with 5 computers:

computer1)
/etc/hostname.re0: 192.168.1.10 0xffffff00
/etc/hostname.re1: 192.168.2.11 0xffff0000
/etc/hostname.re2: 192.168.2.12 0xffff0000
/etc/hostname.re3: 192.168.2.13 0xffff0000
/etc/mygate:
192.168.1.1


computer2)
/etc/hostname.re0: 192.168.1.11 0xffff0000
/etc/hostname.re1: 192.168.2.14 0xffff0000
/etc/mygate:
192.168.2.11

computer3)
/etc/hostname.re0: 192.168.1.12 0xffff0000
/etc/mygate:
192.168.2.12

computer4)
/etc/hostname.re0: 192.168.1.13 0xffff0000
/etc/mygate:
192.168.2.13


computer5)
/etc/hostname.re0: 192.168.1.14 0xffff0000
/etc/mygate:
192.168.2.14


Computer1's physical connections are like this:
re0->ISP router(192.168.1.1)
re1->Computer2 re0
re2->Computer3 re0
re3->Computer4 re0

Computer2's re1 is connected to Computer5's re0.

I want to use static IP addresses (no DHCP) to allow the computers to communicate with each other and each of them with the Internet.

Before testing PF rules (pfctl -d on both) I do "ping 192.168.2.11" from Computer2, but all packets are lost. I use tcpdump on Computer1 and icmp.request is received but not replied. Then I execute on Computer1:

route add -inet 192.168.1.11/32 192.168.2.11

and tcpdump ON BOTH computers shows icmp.request and icmp.reply, but ping still says 100% packets lost.

1) Why is this little test not working?

2) How should I configure pf.conf (and maybe rc.conf.local with route commands) to allow the computers to communicate with each other (including Computer1 with Computer5, through Computer2)? In all the information I have found this is done automatically with DHCP, which I won't use, or with BGP-4, RIP, OSPF, etc., which I won't use either because these addresses and routes will be static.

Thank you.
Ernest Stewart.

Re: Routing and forwarding: directly connected computers

Janne Johansson-3
On Thu, 3 Sep 2020 at 11:39, Ernest Stewart <[hidden email]> wrote:

> I have a local network with 5 computers:
>
> computer1)
> /etc/hostname.re0: 192.168.1.10 0xffffff00
>

Different netmask here?


> /etc/hostname.re1: 192.168.2.11 0xffff0000
> /etc/hostname.re2: 192.168.2.12 0xffff0000
> /etc/hostname.re3: 192.168.2.13 0xffff0000
> /etc/mygate:
> 192.168.1.1
>
>
> computer2)
> /etc/hostname.re0: 192.168.1.11 0xffff0000
>

...compared to here.


> /etc/hostname.re1: 192.168.2.14 0xffff0000
> /etc/mygate:
> 192.168.2.11
>
> computer3)
> /etc/hostname.re0: 192.168.1.12 0xffff0000
> /etc/mygate:
> 192.168.2.12
>
> computer4)
> /etc/hostname.re0: 192.168.1.13 0xffff0000
> /etc/mygate:
> 192.168.2.13
>
>
> computer5)
> /etc/hostname.re0: 192.168.1.14 0xffff0000
> /etc/mygate:
> 192.168.2.14
>
>
> Computer1's physical connections are like this:
> re0->ISP router(192.168.1.1)
>

Seems like you chose overlapping networks for your "internal" things and
the ISP router network. Don't do that.


> re1->Computer2 re0
> re2->Computer3 re0
> re3->Computer4 re0
>
> Computer2's re1 is connected to Computer5's re0.
>
>
--
May the most significant bit of your life be positive.

Re: Routing and forwarding: directly connected computers

Ernest Stewart
I was actually wondering about using netmask 0xffffffff for the external interface. As you noted, they are different networks, I just wanted to be able to use any 192.168/16 ip address in the internal network and use nat-to and rdr-to in Computer1 so every packet going to or from the ISP router comes from or goes to 192.168.1.10 (and block everything else).

But still, that (external connections) is the last thing I am going to test. At the moment not even a ping from two directly connected computers that are actually sending and receiving the packets (according to tcpdump in both computers) seems to work...

Re: Routing and forwarding: directly connected computers

Rafael Possamai-2
In reply to this post by Ernest Stewart
>1) Why is this little test not working?
>
> 2) How should I configure pf.conf (and maybe rc.conf.local with route commands) to allow computers
> communicate with each other (including Computer1 with Computer5, thru Computer2)? In every information I
> have found this is automatically done with DHCP, which I won't use, or BGP-4, RIP,OSPF,etc., which I will neither
> use because these addresses and routes will be static.

You can assign a /30 between the router and each computer, they can be adjacent within a larger subnet, but not overlap. Enable forwarding of packets between interfaces, and instead of using NAT, you can have the upstream configure a static route pointing to your subnets, or to a single aggregated subnet that encompasses all of them. If you are manually configuring each device on the network you won't need DHCP.


Re: Routing and forwarding: directly connected computers

Ernest Stewart
I forgot to say, in every computer I have /etc/sysctl.conf with "net.inet.ip.forwarding=1".

And I insist, what shocks me the most is that tcpdump shows in both computers the right icmp packets but ping says 100% packets lost.

Re: Routing and forwarding: directly connected computers

Janne Johansson-3
In reply to this post by Ernest Stewart
On Thu, 3 Sep 2020 at 14:55, Ernest Stewart <[hidden email]> wrote:

> I was actually wondering about using netmask 0xffffffff for the external
> interface. As you noted, they are different networks, I just wanted to be
> able to use any 192.168/16 ip address in the internal network and use
> nat-to and rdr-to in Computer1 so every packet going to or from the ISP
> router comes from or goes to 192.168.1.10 (and block everything else).
>
> But still, that (external connections) is the last thing I am going to
> test. At the moment not even a ping from two directly connected computers
> that are actually sending and receiving the packets (according to tcpdump
> in both computers) seems to work...
>

The setup for computer01 is still weird, it thinks it has 4 interfaces on
the same identical network, because all the nets overlap, except it
doesn't overlap physically because they are on separate cards. Just grab
any "how to build networks guide" and start using separate network
numbering for separate networks and things will work out better. The fifth
network card which points to your ISP device is smaller, but still inside
those 4 others, which also is a bad choice.

The way comp01 is set up on your first mail makes it equally valid for it
to send out a packet on any of the 5 network cards to try to reach
192.168.1.254 for instance. This is of course not how you set up a box with
5 networks (even if "the network" is just a cable from comp1-re1 to
comp2-re0).

--
May the most significant bit of your life be positive.

Re: Routing and forwarding: directly connected computers

Janne Johansson-3
In reply to this post by Ernest Stewart
On Thu, 3 Sep 2020 at 17:01, Ernest Stewart <[hidden email]> wrote:

> I forgot to say, in every computer I have /etc/sysctl.conf with
> "net.inet.ip.forwarding=1".
>
> And I insist, what shocks me the most is that tcpdump shows in both
> computers the right icmp packets but ping says 100% packets lost.
>

This part has far too little detail to be relevant. Sorry.
We can not divine from remote which of the interfaces you listened to, and
what you saw.

--
May the most significant bit of your life be positive.

Re: Routing and forwarding: directly connected computers

Brian Brombacher
In reply to this post by Ernest Stewart


> On Sep 3, 2020, at 11:02 AM, Ernest Stewart <[hidden email]> wrote:
>
> I forgot to say, in every computer I have /etc/sysctl.conf with "net.inet.ip.forwarding=1".
>
> And I insist, what shocks me the most is that tcpdump shows in both computers the right icmp packets but ping says 100% packets lost.

You’ve really got to pay attention to the netmasks here.  You’re trying to use multi routing without doing it right.  Your setup is unnecessarily complex, and requires pf rules and additional routing tables to make this work.  Switch to bridged networking if it helps simplify things.

What is the insistence on re-using portions of 192.168.1 addresses on a network with a router of 192.168.2?

You should expand and use more subnets under 192.168.x.



Re: Routing and forwarding: directly connected computers

Ernest Stewart
On Sep 3, 2020, at 15:07 AM, Brian Brombacher  <[hidden email]> wrote:

"Your setup ... requires pf rules and additional routing tables to make this work."

And which pf rules and how to establish those routing tables are exactly what I'm asking.

But ok, let's say I reassign addresses so Comp1 re1= 192.168.3.2, Comp2 re0= 192.168.3.127, Comp2 re1 = 192.168.3.128 and Comp5 re0= 192.168.3.129, with all the proper netmasks. That still does not explain why Comp2 is receiving icmp.reply packets but not delivering them to "ping".

Re: Routing and forwarding: directly connected computers

Ernest Stewart
You guys are focusing on the netmasks. Let's consider my setup again BUT with all netmasks at 0xffffffff, so all the forwarding and routing need to be explicitly configured.

Re: Routing and forwarding: directly connected computers

Theo de Raadt-2
Ernest Stewart <[hidden email]> wrote:

> You guys are focusing on the netmasks. Let's consider my setup again
> BUT with all netmasks at 0xffffffff, so all the forwarding and routing
> need to be explicitly configured.

Oh my. Have you considered hiring a consultant?


Re: Routing and forwarding: directly connected computers

Markus Wernig
In reply to this post by Ernest Stewart
On 9/3/20 5:41 PM, Ernest Stewart wrote:

> And which pf rules and how to establish those routing tables are exactly what I'm asking.
Maybe if you share the output of the ping test from your original mail
we could see what is actually happening.
From your setup I would assume that the IP addresses the hosts are using
for the ping are not what you expect.

best /m


Re: Routing and forwarding: directly connected computers

Ernest Stewart
In reply to this post by Theo de Raadt-2
Theo de Raadt <[hidden email]> wrote:
Oh my. Have you considered hiring a consultant?

Of course. As you have already noticed, I have no idea about how to do what I'm trying to do. But a consultant is out of my budget.

Are you guys saying all I have to do is the following, and packets will automatically be routed correctly?:

computer1)
/etc/hostname.re0: 192.168.1.10 0xffffff00
/etc/hostname.re1: 192.168.2.10 0xffffff00
/etc/hostname.re2: 192.168.3.10 0xffffff00
/etc/hostname.re3: 192.168.4.10 0xffffff00
/etc/mygate:
192.168.1.1


computer2)
/etc/hostname.re0: 192.168.2.11 0xfffffff0
/etc/hostname.re1: 192.168.2.128 0xfffffff0
/etc/mygate:
192.168.2.10

computer3)
/etc/hostname.re0: 192.168.3.11 0xffffff00
/etc/mygate:
192.168.3.10

computer4)
/etc/hostname.re0: 192.168.4.11 0xffffff00
/etc/mygate:
192.168.4.10


computer5)
/etc/hostname.re0: 192.168.2.129 0xfffffff0
/etc/mygate:
192.168.2.128


Computer1's physical connections are like this:
re0->ISP router(192.168.1.1)
re1->Computer2 re0
re2->Computer3 re0
re3->Computer4 re0

Computer2's re1 is connected to Computer5's re0.


Re: Routing and forwarding: directly connected computers

Brian Brombacher
In reply to this post by Ernest Stewart


> On Sep 3, 2020, at 11:44 AM, Ernest Stewart <[hidden email]> wrote:
>
> On Sep 3, 2020, at 15:07 AM, Brian Brombacher  <[hidden email]> wrote:
>
> "Your setup ... requires pf rules and additional routing tables to make this work."
>
> And which pf rules and how to establish those routing tables are exactly what I'm asking.

Ernest,

You are not providing any justification for your ridiculous demands.

Again: Why are you trying to wire the network with the same and disjoint networks?  You are not getting to the root cause of the problem.  You want to solve a problem that everyone in the thread keeps telling you is not a problem to be solved without CLEAR JUSTIFICATION.

Hire a consultant, as Theo said.  Your request for help, without proper justification, is not amenable to this mailing list.

-Brian

>
> But ok, let's say I reassign addresses so Comp1 re1= 192.168.3.2, Comp2 re0= 192.168.3.127, Comp2 re1 = 192.168.3.128 and Comp5 re0= 192.168.3.129, with all the proper netmasks. That still does not explain why Comp2 is receiving icmp.reply packets but not delivering them to "ping".


Re: Routing and forwarding: directly connected computers

Brian Brombacher
In reply to this post by Ernest Stewart


>> On Sep 3, 2020, at 12:15 PM, Ernest Stewart <[hidden email]> wrote:
> Theo de Raadt <[hidden email]> wrote:
> Oh my. Have you considered hiring a consultant?
>
> Of course. As you have already noticed, I have no idea about how to do what I'm trying to do. But a consultant is out of my budget.
>
> Are you guys saying all I have to do is the following, and packets will automatically be routed correctly?:
>
> computer1)
> /etc/hostname.re0: 192.168.1.10 0xffffff00
> /etc/hostname.re1: 192.168.2.10 0xffffff00
> /etc/hostname.re2: 192.168.3.10 0xffffff00
> /etc/hostname.re3: 192.168.4.10 0xffffff00
> /etc/mygate:
> 192.168.1.1

Much better.

>
>
> computer2)
> /etc/hostname.re0: 192.168.2.11 0xfffffff0
> /etc/hostname.re1: 192.168.2.128 0xfffffff0
> /etc/mygate:
> 192.168.2.10

You’ll need a route rule on computer1 like this to make computer 5 talk to the rest of the computers:

route add -net 192.168.2.128/28 192.168.2.11

>
> computer3)
> /etc/hostname.re0: 192.168.3.11 0xffffff00
> /etc/mygate:
> 192.168.3.10
>
> computer4)
> /etc/hostname.re0: 192.168.4.11 0xffffff00
> /etc/mygate:
> 192.168.4.10
>
>
> computer5)
> /etc/hostname.re0: 192.168.2.129 0xfffffff0
> /etc/mygate:
> 192.168.2.128
>
>
> Computer1's physical connections are like this:
> re0->ISP router(192.168.1.1)
> re1->Computer2 re0
> re2->Computer3 re0
> re3->Computer4 re0
>
> Computer2's re1 is connected to Computer5's re0.


Re: Routing and forwarding: directly connected computers

Brian Brombacher


> On Sep 3, 2020, at 12:38 PM, Brian Brombacher <[hidden email]> wrote:
>
> 
>
>>>> On Sep 3, 2020, at 12:15 PM, Ernest Stewart <[hidden email]> wrote:
>>> Theo de Raadt <[hidden email]> wrote:
>>> Oh my. Have you considered hiring a consultant?
>>>
>>> Of course. As you have already noticed, I have no idea about how to do what I'm trying to do. But a consultant is out of my budget.
>>>
>>> Are you guys saying all I have to do is the following, and packets will automatically be routed correctly?:
>>>
>>> computer1)
>>> /etc/hostname.re0: 192.168.1.10 0xffffff00
>>> /etc/hostname.re1: 192.168.2.10 0xffffff00
>>> /etc/hostname.re2: 192.168.3.10 0xffffff00
>>> /etc/hostname.re3: 192.168.4.10 0xffffff00
>>> /etc/mygate:
>>> 192.168.1.1
>>
>> Much better.
>>
>>
>>
>> computer2)
>> /etc/hostname.re0: 192.168.2.11 0xfffffff0

One last thing: change Computer 2’s re0 netmask to 0xffffff00

>> /etc/hostname.re1: 192.168.2.128 0xfffffff0
>> /etc/mygate:
>> 192.168.2.10
>
> You’ll need a route rule on computer1 like this to make computer 5 talk to the rest of the computers:
>
> route add -net 192.168.2.128/28 192.168.2.11
>
>>
>> computer3)
>> /etc/hostname.re0: 192.168.3.11 0xffffff00
>> /etc/mygate:
>> 192.168.3.10
>>
>> computer4)
>> /etc/hostname.re0: 192.168.4.11 0xffffff00
>> /etc/mygate:
>> 192.168.4.10
>>
>>
>> computer5)
>> /etc/hostname.re0: 192.168.2.129 0xfffffff0
>> /etc/mygate:
>> 192.168.2.128
>>
>>
>> Computer1's physical connections are like this:
>> re0->ISP router(192.168.1.1)
>> re1->Computer2 re0
>> re2->Computer3 re0
>> re3->Computer4 re0
>>
>> Computer2's re1 is connected to Computer5's re0.
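As an added example, not code from anyone in this thread, the following Python script models the routing decisions behind two points made above: Janne's observation that in the first address plan "all the nets overlap", and Brian's revised plan with the computer2 re0 netmask change and the `route add -net 192.168.2.128/28 192.168.2.11` static route on computer1. It transcribes both plans from the posts, assumes the cabling Ernest described (with an assumed name, `isp-router`, for the far end of computer1's re0), and uses only the standard `ipaddress` module. Host names, interface names and addresses are the thread's own; the model itself, including the way it counts tied routes, is an assumption about how the kernel chooses and is not an OpenBSD implementation detail.

```python
"""Added example (not code from the thread): a model of the static routing
decisions for the address plans posted above. Each host gets a routing table
(connected routes from /etc/hostname.if, hand-added static routes, the default
route from /etc/mygate); a packet is then forwarded hop by hop over the cabling
the original poster described."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

def parse_hostname_if(line):
    """'192.168.1.10 0xffffff00' (hostname.if syntax) -> IPv4Interface."""
    addr, hexmask = line.split()
    return IPv4Interface(f"{addr}/{IPv4Address(int(hexmask, 16))}")

def host(mygate, routes=(), **ifs):
    """Interfaces as keyword args (re0=...); routes as (dest, gateway) pairs."""
    return {"ifs": ifs, "mygate": mygate, "routes": list(routes)}

# Cabling from the first post; "isp-router"/"eth" is an assumed name.
CABLES = [(("computer1", "re0"), ("isp-router", "eth")),
          (("computer1", "re1"), ("computer2", "re0")),
          (("computer1", "re2"), ("computer3", "re0")),
          (("computer1", "re3"), ("computer4", "re0")),
          (("computer2", "re1"), ("computer5", "re0"))]
PEER = {}
for _a, _b in CABLES:
    PEER[_a], PEER[_b] = _b, _a

# Address plan from the first post, as posted.
ORIGINAL = {
    "computer1": host("192.168.1.1", re0="192.168.1.10 0xffffff00",
                      re1="192.168.2.11 0xffff0000", re2="192.168.2.12 0xffff0000",
                      re3="192.168.2.13 0xffff0000"),
    "computer2": host("192.168.2.11", re0="192.168.1.11 0xffff0000",
                      re1="192.168.2.14 0xffff0000"),
    "computer3": host("192.168.2.12", re0="192.168.1.12 0xffff0000"),
    "computer4": host("192.168.2.13", re0="192.168.1.13 0xffff0000"),
    "computer5": host("192.168.2.14", re0="192.168.1.14 0xffff0000"),
}
# Revised plan from later in the thread with Brian's two changes applied:
# computer2 re0 netmask 0xffffff00 and the /28 static route on computer1.
REVISED = {
    "computer1": host("192.168.1.1", [("192.168.2.128/28", "192.168.2.11")],
                      re0="192.168.1.10 0xffffff00", re1="192.168.2.10 0xffffff00",
                      re2="192.168.3.10 0xffffff00", re3="192.168.4.10 0xffffff00"),
    "computer2": host("192.168.2.10", re0="192.168.2.11 0xffffff00",
                      re1="192.168.2.128 0xfffffff0"),
    "computer3": host("192.168.3.10", re0="192.168.3.11 0xffffff00"),
    "computer4": host("192.168.4.10", re0="192.168.4.11 0xffffff00"),
    "computer5": host("192.168.2.128", re0="192.168.2.129 0xfffffff0"),
}

def routing_table(h):
    """(network, gateway or None when on-link, interface or None) entries."""
    table = [(parse_hostname_if(l).network, None, i) for i, l in h["ifs"].items()]
    table += [(IPv4Network(d), IPv4Address(g), None) for d, g in h["routes"]]
    table.append((IPv4Network("0.0.0.0/0"), IPv4Address(h["mygate"]), None))
    return table

def on_link_ifs(h, addr):
    """Interfaces whose connected network contains addr."""
    return [i for i, l in h["ifs"].items()
            if IPv4Address(addr) in parse_hostname_if(l).network]

def lookup(h, dst):
    """Longest-prefix match. Returns (gateway, egress interface, ties); ties > 1
    means equally specific choices exist and the pick is arbitrary (modelled)."""
    cands = [e for e in routing_table(h) if IPv4Address(dst) in e[0]]
    top = max(e[0].prefixlen for e in cands)
    best = [e for e in cands if e[0].prefixlen == top]
    _net, gw, ifname = best[0]
    ties = len(best)
    if gw is not None:  # a gateway route egresses where the gateway is on-link
        via = on_link_ifs(h, gw)
        ifname = via[0] if via else None
        ties = max(ties, len(via))
    return gw, ifname, ties

def trace(plan, src, dst, max_hops=8):
    """Forward a packet from host src to address dst over CABLES.
    Returns (hops, status); hops is a list of (host, egress interface)."""
    owner = {str(parse_hostname_if(l).ip): (n, i)
             for n, h in plan.items() for i, l in h["ifs"].items()}
    hops, cur = [], src
    for _ in range(max_hops):
        if owner.get(dst, (None,))[0] == cur:
            return hops, "delivered"
        gw, ifname, ties = lookup(plan[cur], dst)
        if ifname is None:
            return hops, f"{cur}: gateway {gw} is on no connected network"
        hops.append((cur, ifname))
        if ties > 1:
            return hops, f"{cur}: {ties} equally specific routes, egress arbitrary"
        nexthop = dst if gw is None else str(gw)
        peer = PEER.get((cur, ifname))
        if peer is None or owner.get(nexthop) != peer:
            return hops, f"{cur}: sent out {ifname}, but {nexthop} is not on that cable"
        cur = peer[0]
    return hops, "hop limit exceeded"

if __name__ == "__main__":
    for plan, src, dst in [(ORIGINAL, "computer2", "192.168.2.11"),
                           (ORIGINAL, "computer1", "192.168.1.11"),
                           (REVISED, "computer5", "192.168.3.11")]:
        print(src, "->", dst, trace(plan, src, dst))
```

Running it shows the two failure modes the replies describe for the first plan: computer2 has two equally specific connected routes (both /16) for 192.168.2.11, and computer1's best route for 192.168.1.11 is its /24 on re0, the cable to the ISP router, which is consistent with the echo request arriving on re1 and no reply leaving on it. With the revised plan, `trace(REVISED, "computer1", "192.168.2.129")` reaches computer5 through computer2 only because of the /28 static route; remove it and computer1 believes 192.168.2.129 is on-link on re1. The model covers longest-prefix routing and cabling only; it does not model ARP, pf, or the tcpdump-versus-ping discrepancy that the thread leaves unexplained.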