On Tue, Jan 15, 2013 at 4:53 AM, Peter Hessler <[hidden email]> wrote:
> On 2013 Jan 14 (Mon) at 18:36:05 +0100 (+0100), Johan Helsingius wrote:
> :My firewall box has 3 net interfaces:
> :em0 (internal network):
> : inet 172.24.42.254 netmask 0xffffff00 broadcast 172.24.42.255
> :em2 (wifi sandbox):
> : inet 172.24.42.223 netmask 0xffffffc0 broadcast 172.24.42.255
> You can't do that. Make these separate networks, or bridge em0 and em2
> together (but at that point, simply plug wifi into the internal network
> If a listener nods his head when you're explaining your program, wake
> him up.
Another note, it would be prudent to put your ADSL modems onto each of
their own networks, or better yet (and if you can), run them in
bridge/modem mode and use pppoe(4) to fire up the connection. That
way the firewall is on the outside of the network.
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
> Another note, it would be prudent to put your ADSL modems onto each of
> their own networks, or better yet (and if you can), run them in
> bridge/modem mode and use pppoe(4) to fire up the connection. That
> way the firewall is on the outside of the network.
I did that for a long time, and it is a maintenance hassle
when switching ISPs, or when the ISP changes something.
I prefer to allow the ADSL modems/routers take care of NAT and
other nitty-gritty related to the specific network they connect
to, and use the firewall as a pure firewall.
Turns out the problem had nothing to do with OpenBSD.
For some reason one of the DSM routers (ZyXEL P-2601HN-F1)
needed an explicit static return route, while the other,
(FRITZ!Box Fon WLAN 7360) didn't.
Everything works fine after adding the return route.
Many thanks to everybody who responded!
On 14/01/13 18:36, Johan Helsingius wrote:
> My firewall box has 3 net interfaces:
> em0 (internal network):
> inet 172.24.42.254 netmask 0xffffff00 broadcast 172.24.42.255
> em1 (internet):
> inet 172.24.40.3 netmask 0xfffffc00 broadcast 172.24.43.255
> em2 (wifi sandbox):
> inet 172.24.42.223 netmask 0xffffffc0 broadcast 172.24.42.255
> Attached to em1 I have 2 ADSL modems, 172.24.40.1 and 172.24.40.2
> Default route (set through /etc/mygate) is 172.24.40.1
> The firewall itself can reach both ADSL modems, but machines on
> the internal network can only reach 172.24.40.1. Here are
> traceroutes from a host inside the em0 network:
> traceroute to 172.24.40.1 (172.24.40.1), 30 hops max, 60 byte packets
> 1 172.24.42.254 (172.24.42.254) 0.598 ms 0.685 ms 0.787 ms
> 2 172.24.40.1 (172.24.40.1) 1.568 ms 1.560 ms 1.719 ms
> traceroute to 172.24.40.2 (172.24.40.2), 30 hops max, 60 byte packets
> 1 172.24.42.254 (172.24.42.254) 1.251 ms 1.243 ms 1.235 ms
> 2 * * *
> This is with pf disabled.
> As the packets do reach the firewall on em0, shouldn't they be
> forwarded to em1? (yes, net.inet.ip.forwarding=1)
> Any advice/ideas/guidance appreciated...
The 172.24.42.254 address you have on em0 is *inside* the
172.24.42.192/26 network you have on em2.
You would need to move that to another address that is in the /24 but
outside the /26. Additionally you would need to add a static route on the
machines in em0's network so that 172.24.42.192/26 is routed to whatever
new address you have for em0 as you have to consider the return path as
well as the forward path.
Basically: supernetting is tricky, it's best avoided unless there's no
other choice - even if you are pretty familiar with networking it's easy
to get wrong.
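An added check, written for this thread and not code from any poster, that parses the ifconfig lines from Johan's post with Python's ipaddress module, flags every interface address or on-link network that sits inside another interface's network, and shows which interface longest-prefix match picks for a given destination; the interface names and addresses are the ones posted above.

```python
import ipaddress

# Interface lines as posted in the thread (ifconfig "inet ... netmask 0x..." form).
IFCONFIG_LINES = {
    "em0": "inet 172.24.42.254 netmask 0xffffff00 broadcast 172.24.42.255",
    "em1": "inet 172.24.40.3 netmask 0xfffffc00 broadcast 172.24.43.255",
    "em2": "inet 172.24.42.223 netmask 0xffffffc0 broadcast 172.24.42.255",
}


def parse_inet(line):
    """Turn an ifconfig inet line into (host address, on-link network)."""
    fields = line.split()
    addr = fields[fields.index("inet") + 1]
    mask = int(fields[fields.index("netmask") + 1], 16)   # hex netmask -> int
    iface = ipaddress.ip_interface(f"{addr}/{ipaddress.IPv4Address(mask)}")
    return iface.ip, iface.network


def find_conflicts(lines):
    """Report each interface whose address or on-link network lies inside
    another interface's on-link network (the supernetting trap above)."""
    parsed = {name: parse_inet(text) for name, text in lines.items()}
    problems = []
    for a, (ip_a, net_a) in parsed.items():
        for b, (ip_b, net_b) in parsed.items():
            if a == b:
                continue
            if ip_a in net_b:
                problems.append(f"{a} address {ip_a} is inside {b} network {net_b}")
            if net_a != net_b and net_a.subnet_of(net_b):
                problems.append(f"{a} network {net_a} is a subnet of {b} network {net_b}")
    return problems


def egress_interface(lines, destination):
    """Longest-prefix match over the connected routes only: the interface the
    firewall would use for a destination on one of its own networks."""
    dest = ipaddress.ip_address(destination)
    candidates = [(net.prefixlen, name)
                  for name, (_, net) in ((n, parse_inet(t)) for n, t in lines.items())
                  if dest in net]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    for problem in find_conflicts(IFCONFIG_LINES):
        print(problem)
    # Hosts in 172.24.42.192-255 are reached via em2, not em0, even when on em0's wire.
    print("172.24.42.200 leaves via", egress_interface(IFCONFIG_LINES, "172.24.42.200"))
```

Run against these three lines it also reports that em1's 172.24.40.0/22 covers both em0's /24 and em2's /26, which the thread does not point out.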