Trying to use OpenBSD as webserver, inside home network (ADSL internet connection)

Michel Behr
Hi - rookie question: I have ADSL internet at home, distributed to local
hosts via a cheap modem/router provided by the ISP. And connected as one of
the network nodes is an old laptop running OpenBSD. I want to use that
laptop as a webserver, ftp server, etc. I can connect to the laptop
internally, from within the local network (192.168.15.11) via http, ssh,
ftp, etc, but I can't see it from external hosts. I already tried different
configurations in the router/modem related to port forwarding, NAT, but
without success, so I'm starting to think that it might be something I'm
missing on OpenBSD network config (PF maybe?).

I tried enabling ip forwarding in sysctl but I still can't see it from
outside hosts.

Specifically, my question would be this: if I can see my laptop from within
the local network, would that be enough to guarantee that I should be able
to detect it externally? If not, what configuration should I be looking to
adjust?

httpd.conf is accepting connections from any IP address, as far as I
understand this:

# $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $

#
# Macros
#
ext_addr="*"

#
# Global Options
#
# prefork 3


#
# Servers
#

# A minimal default server
server "default" {
        listen on $ext_addr port 80
        listen on $ext_addr port 8080
        listen on $ext_addr port 50080
        root "/htdocs/"
                directory {
                        no index
                }

                location "*.php" {
                        fastcgi socket "/run/php-fpm.sock"
                }
}

As for ssh_config the only change I made to the default config file was to
include port 50022 (trying to avoid any blocking to port 22 that my ISP
might be enforcing).

Any pointing to the right direction would be appreciated...

Kind regards,

Michel

Re: Trying to use OpenBSD as webserver, inside home network (ADSL internet connection)

Oliver Marugg
hi

check: which device does NAT for you. On that device configure
port forwarding from external to internal, e.g. external ip:port to your
internal host:port. Test it from outside.

IP forwarding on your OpenBSD laptop isn't necessary here, your laptop
doesn't act as a router in your home setup.

-om


On 19 Jan 2018, at 15:55, Michel von Behr wrote:

> Hi - rookie question: I have ADSL internet at home, distributed to
> local
> hosts via a cheap modem/router provided by the ISP. And connected as
> one of
> the network nodes is an old laptop running OpenBSD. I want to use that
> laptop as a webserver, ftp server, etc. I can connect to the laptop
> internally, from within the local network (192.168.15.11) via http,
> ssh,
> ftp, etc, but I can't see it from external hosts. I already tried
> different
> configurations in the router/modem related to port forwarding, NAT,
> but
> without success, so I'm starting to think that it might be something
> I'm
> missing on OpenBSD network config (PF maybe?).
>
> I tried enabling ip forwarding in sysctl but I still can't see it from
> outside hosts.
>
> Specifically, my question would be this: if I can see my laptop from
> within
> the local network, would that be enough to guarantee that I should be
> able
> to detect it externally? If not, what configuration should I be
> looking to
> adjust?
>
> httpd.conf is accepting connections from any IP address, as far as I
> understand this:
>
> # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
>
> #
> # Macros
> #
> ext_addr="*"
>
> #
> # Global Options
> #
> # prefork 3
>
>
> #
> # Servers
> #
>
> # A minimal default server
> server "default" {
>         listen on $ext_addr port 80
>         listen on $ext_addr port 8080
>         listen on $ext_addr port 50080
>         root "/htdocs/"
>                 directory {
>                         no index
>                 }
>
>                 location "*.php" {
>                         fastcgi socket "/run/php-fpm.sock"
>                 }
> }
>
> As for ssh_config the only change I made to the default config file
> was to
> include port 50022 (trying to avoid any blocking to port 22 that my
> ISP
> might be enforcing).
>
> Any pointing to the right direction would be appreciated...
>
> Kind regards,
>
> Michel


Re: Trying to use OpenBSD as webserver, inside home network (ADSL internet connection)

Johan Mellberg


> On 19 Jan 2018, at 17:29, Oliver Marugg <[hidden email]> wrote:
>
> hi
>
> check: which device does NAT for you. On that device configure port forwarding from external to internal, e.g. external ip:port to your internal host:port. Test it from outside.
>
> IP forwarding on your OpenBSD laptop isn't necessary here, your laptop doesn't act as a router in your home setup.
>
> -om
>

And, check if your ISP is providing you with a public IP address. If your router’s external address is in one of the RFC1918-defined ranges you will not be able to reach it from the general internet.

>
>> On 19 Jan 2018, at 15:55, Michel von Behr wrote:
>>
>> Hi - rookie question: I have ADSL internet at home, distributed to local
>> hosts via a cheap modem/router provided by the ISP. And connected as one of
>> the network nodes is an old laptop running OpenBSD. I want to use that
>> laptop as a webserver, ftp server, etc. I can connect to the laptop
>> internally, from within the local network (192.168.15.11) via http, ssh,
>> ftp, etc, but I can't see it from external hosts. I already tried different
>> configurations in the router/modem related to port forwarding, NAT, but
>> without success, so I'm starting to think that it might be something I'm
>> missing on OpenBSD network config (PF maybe?).
>>
>> I tried enabling ip forwarding in sysctl but I still can't see it from
>> outside hosts.
>>
>> Specifically, my question would be this: if I can see my laptop from within
>> the local network, would that be enough to guarantee that I should be able
>> to detect it externally? If not, what configuration should I be looking to
>> adjust?
>>
>> httpd.conf is accepting connections from any IP address, as far as I
>> understand this:
>>
>> # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
>>
>> #
>> # Macros
>> #
>> ext_addr="*"
>>
>> #
>> # Global Options
>> #
>> # prefork 3
>>
>>
>> #
>> # Servers
>> #
>>
>> # A minimal default server
>> server "default" {
>>        listen on $ext_addr port 80
>>        listen on $ext_addr port 8080
>>        listen on $ext_addr port 50080
>>        root "/htdocs/"
>>                directory {
>>                        no index
>>                }
>>
>>                location "*.php" {
>>                        fastcgi socket "/run/php-fpm.sock"
>>                }
>> }
>>
>> As for ssh_config the only change I made to the default config file was to
>> include port 50022 (trying to avoid any blocking to port 22 that my ISP
>> might be enforcing).
>>
>> Any pointing to the right direction would be appreciated...
>>
>> Kind regards,
>>
>> Michel
>
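
Added example, not part of the original message: a shell check for the condition described in the reply above, classifying the router's WAN-side address and comparing it with the address an outside host sees. It goes beyond the reply by also flagging 100.64.0.0/10 (RFC 6598 shared address space used for carrier-grade NAT); the function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample addresses are constructed.

# Print the class of an IPv4 address: rfc1918, cgnat, special, public or invalid.
wan_addr_class() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        { [ ${#o} -le 3 ] && [ "$o" -le 255 ]; } || { echo invalid; return 1; }
    done
    a=$1 b=$2
    if [ "$a" -eq 10 ] ||
       { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } ||
       { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
        echo rfc1918                  # 10/8, 172.16/12, 192.168/16
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat                    # 100.64/10, RFC 6598 shared space
    elif [ "$a" -eq 0 ] || [ "$a" -eq 127 ] || [ "$a" -ge 224 ] ||
         { [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; }; then
        echo special                  # loopback, link-local, multicast, reserved
    else
        echo public
    fi
}

# $1 = WAN address shown on the router status page
# $2 = address an outside host sees for this connection
nat_verdict() {
    class=$(wan_addr_class "$1") || { echo bad-input; return 1; }
    case $class in
        # The ISP translates again upstream, so a forward on the
        # home router alone cannot make the LAN host reachable.
        rfc1918|cgnat) echo upstream-nat ;;
        public) [ "$1" = "$2" ] && echo direct || echo mismatch ;;
        *) echo bad-input; return 1 ;;
    esac
}

# Constructed sample: router reports a shared-space WAN address.
nat_verdict 100.72.13.5 203.0.113.40
```

A result of `direct` means the router holds the public address itself, so the remaining suspects are the router's port-forward rules and any ISP port filtering.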


Re: Trying to use OpenBSD as webserver, inside home network (ADSL internet connection)

Michael Hekeler
In reply to this post by Michel Behr
On Fri, 19 Jan 2018 12:55:20 -0200, Michel von Behr
<[hidden email]> wrote:

> Hi - rookie question: I have ADSL internet at home, distributed to
> local hosts via a cheap modem/router provided by the ISP. And
> connected as one of the network nodes is an old laptop running
> OpenBSD. I want to use that laptop as a webserver, ftp server, etc. I
> can connect to the laptop internally, from within the local network
> (192.168.15.11) via http, ssh, ftp, etc, but I can't see it from
> external hosts. I already tried different configurations in the
> router/modem related to port forwarding, NAT, but without success, so
> I'm starting to think that it might be something I'm missing on
> OpenBSD network config (PF maybe?).
>
> I tried enabling ip forwarding in sysctl but I still can't see it from
> outside hosts.
>
> Specifically, my question would be this: if I can see my laptop from
> within the local network, would that be enough to guarantee that I
> should be able to detect it externally?

No.

You have:
{ WAN (Internet) } <--> { Router } <--> { LAN (192.168.15.0) }

A host in WAN can only see your router.

You have to forward ports from {router} to {lan} but I wouldn't
recommend that.
Maybe read something about networking and NAT and such things to get a
deeper understanding? ;-)


Re: Trying to use OpenBSD as webserver, inside home network (ADSL internet connection)

Michel Behr
In reply to this post by Oliver Marugg
Thank you! I received several answers, mostly in private. I was able to
solve the issue, but it had nothing to do with the OpenBSD machine. Some
brief comments:

1) About DMZ (Demilitarised Zone), I tried configuring the router with and
without putting my OpenBSD laptop in DMZ (unfortunately it didn't change
the results).

2) I'm including PF config here - no change from defaults. I'm assuming for
now I shouldn't bother with PF config in this context, but please let me
know if I'm wrong.

3) What I did was to reset the cheap modem/router to factory settings
(because at a certain point the whole thing was a bit of a chaotic tweaked
mess!), put it in bridge mode, and disabled DHCP. I then connected the
cheap modem to the TP-Link WAN input, and configured PPPoE using the same
config that was being used in the cheap modem/router. It worked like a
charm! :-)

Thanks for the tips anyway!


On Fri, Jan 19, 2018 at 2:29 PM, Oliver Marugg <[hidden email]> wrote:

> hi
>
> check: which device does NAT for you. On that device configure
> port forwarding from external to internal, e.g. external ip:port to your
> internal host:port. Test it from outside.
>
> IP forwarding on your OpenBSD laptop isn't necessary here, your laptop
> doesn't act as a router in your home setup.
>
> -om
>
>
>
> On 19 Jan 2018, at 15:55, Michel von Behr wrote:
>
>> Hi - rookie question: I have ADSL internet at home, distributed to local
>> hosts via a cheap modem/router provided by the ISP. And connected as one
>> of
>> the network nodes is an old laptop running OpenBSD. I want to use that
>> laptop as a webserver, ftp server, etc. I can connect to the laptop
>> internally, from within the local network (192.168.15.11) via http, ssh,
>> ftp, etc, but I can't see it from external hosts. I already tried
>> different
>> configurations in the router/modem related to port forwarding, NAT, but
>> without success, so I'm starting to think that it might be something I'm
>> missing on OpenBSD network config (PF maybe?).
>>
>> I tried enabling ip forwarding in sysctl but I still can't see it from
>> outside hosts.
>>
>> Specifically, my question would be this: if I can see my laptop from
>> within
>> the local network, would that be enough to guarantee that I should be able
>> to detect it externally? If not, what configuration should I be looking to
>> adjust?
>>
>> httpd.conf is accepting connections from any IP address, as far as I
>> understand this:
>>
>> # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $
>>
>> #
>> # Macros
>> #
>> ext_addr="*"
>>
>> #
>> # Global Options
>> #
>> # prefork 3
>>
>>
>> #
>> # Servers
>> #
>>
>> # A minimal default server
>> server "default" {
>>         listen on $ext_addr port 80
>>         listen on $ext_addr port 8080
>>         listen on $ext_addr port 50080
>>         root "/htdocs/"
>>                 directory {
>>                         no index
>>                 }
>>
>>                 location "*.php" {
>>                         fastcgi socket "/run/php-fpm.sock"
>>                 }
>> }
>>
>> As for ssh_config the only change I made to the default config file was to
>> include port 50022 (trying to avoid any blocking to port 22 that my ISP
>> might be enforcing).
>>
>> Any pointing to the right direction would be appreciated...
>>
>> Kind regards,
>>
>> Michel
>>
>