That all looks fine.

Ping isn't really a great test of network connectivity outside of your own LAN anymore. Most sites tend to block ping nowadays as a matter of course.

What you can do is usually ping your ISP's router, and you can find this from a "traceroute www.google.com" command: the first hop past your ADSL router will tend to be your ISP's router. You can then use this as a ping test.

One of Google's IPs is 66.102.7.99 if you want to test a traceroute.

Can you test your DNS lookups now from your OpenBSD box please? I think it'll work as you're not getting the ntpd errors any longer. Just type "nslookup www.google.com" and see what response you get.

To get your machines behind the OpenBSD box routing through it we'll either need to use NAT'ing or get your ADSL router to static route all 192.168.1.x traffic through the OpenBSD server.

Can you see if you can add static routes on your ADSL router? There's usually a configuration page somewhere. This is ideally what you should do, as if you can't we'll be adding in more NAT'ing (i.e. your OpenBSD box will NAT once, then your ADSL router will NAT again; it'll work but it's not very elegant).
---NAT'ing on OpenBSD box section only: ignore if you can add the static route ----

If not we'll need to add NAT to your OpenBSD box too. Can you edit /etc/pf.conf and add:
EXT_IF="rl1"
nat on $EXT_IF from !($EXT_IF) to any -> ($EXT_IF)
pass all
This will set up the OpenBSD box to NAT all internal traffic to its 192.168.0.9 address. Then type "pfctl -ef /etc/pf.conf" to enable it.
At some stage once it's all working I'd suggest putting in some proper firewall rules, but for testing the pass all command will be ok.

----end of NAT'ing section -----
Your internal PCs will need to be configured with a 192.168.1.x address (255.255.255.0 subnet) and a gateway of 192.168.1.3, and DNS server IPs of 194.224.52.6 and 194.225.52.4. They should then be able to connect to the internet.
Let me know how you get on.
Ta - Nick
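An added example, not part of Nick's message or of any OpenBSD project file: the "proper firewall rules" the message defers to, written as a complete /etc/pf.conf in the pre-4.7 syntax OpenBSD 3.7 uses (explicit `nat on` and `keep state`). It keeps the NAT line from the message but narrows its source to the 192.168.1.0/24 LAN and replaces `pass all` with a default-deny stateful ruleset. The interface names rl1/rl0 and the addresses come from the thread; the macro names, the `set skip`/`antispoof` lines and the choice of allowed protocols are assumptions of this example.

```pf
# Added example pf.conf for the two-NIC OpenBSD box in the thread.
# rl1 = 192.168.0.9 toward the ADSL router, rl0 = 192.168.1.3 toward the hub.
# Macro names and rule choices below are assumptions, not from the original message.
ext_if  = "rl1"
int_if  = "rl0"
int_net = "192.168.1.0/24"

# Loopback traffic never needs filtering.
set skip on lo0

# Same idea as the original NAT line, but only LAN sources are rewritten,
# not "anything that is not rl1's own address".
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny in both directions; everything allowed is listed explicitly.
block in log all
block out log all

# Drop packets arriving on rl0 whose source is outside 192.168.1.0/24
# (catches spoofed clients and mis-addressed ones, e.g. a 192.169.x typo).
antispoof log for $int_if

# LAN clients may use the firewall as gateway for TCP, UDP and ICMP echo;
# "keep state" lets the replies back in without separate rules.
pass in on $int_if proto { tcp, udp } from $int_net to any keep state
pass in on $int_if inet proto icmp icmp-type echoreq from $int_net to any keep state

# After NAT the source is rl1's own address, so this also covers LAN traffic.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp icmp-type echoreq from ($ext_if) to any keep state

# Let the firewall itself talk to the LAN (e.g. "ping 192.168.1.20" from the box).
pass out on $int_if from ($int_if) to $int_net keep state
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without installing it, so a syntax slip does not leave the box with no ruleset; `pfctl -ef /etc/pf.conf` then enables it as in the message, and `pfctl -s nat`, `pfctl -s rules` and `pfctl -s state` show what was loaded and which connections are being translated. Nothing here permits inbound connections from the router side to the LAN, which is the point of putting the OpenBSD box between the two networks.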
Mike Henker wrote:
Ok Nick, checking all that you said step by step:
> Can you put your /etc/resolv.conf file back to the one with the ISP's
> dns servers in it first.
Changed to:
lookup file bind
name server 194.224.52.6
name server 194.224.52.4
> Can you confirm if you've got pf enabled or not and if you do can you
> send a copy of your pf.conf file.
I don't have pf enabled (every line in the pf.conf file has a "#" at the beginning).
> Can you confirm the contents of your /etc/mygate file.
192.168.0.1
> Can you confirm the contents of your /etc/hostname.rl1 and
> /etc/hostname.rl0 files.
hostname.rl0
inet 192.168.1.3 255.255.255.0 NONE
hostname.rl1
inet 192.168.0.9 255.255.255.0 NONE
> Can you also confirm the subnet mask on your adsl router's 192.168.0.1
> address ( it'll probably be something like 255.255.255.0)
Yes, I can confirm the subnet mask is 255.255.255.0.

From the firewall with these settings I can ping 192.168.0.1 but cannot ping, for example, http://www.google.com

If it can help, the message that appeared in the past days saying:
ntpd could not parse "pool.ntp.org"
doesn't appear now.

Please Nick, if you need more info let me know, thanks.
Salutes,
Mike
_________________________________________________________________________
Nick wrote:
It's definitely a DNS issue, although it should be working as your resolv.conf file looks good.
Can you check a few things please?
Can you put your /etc/resolv.conf file back to the one with the ISP's DNS servers in it first.

Can you confirm if you've got pf enabled or not and if you do can you send a copy of your pf.conf file.

Can you confirm the contents of your /etc/mygate file.

Can you confirm the contents of your /etc/hostname.rl1 and /etc/hostname.rl0 files.

Can you also confirm the subnet mask on your ADSL router's 192.168.0.1 address (it'll probably be something like 255.255.255.0).
What I'm trying to do is troubleshoot a few things, such as whether you've got firewall rules that will interfere with DNS lookups, and your network settings, to see if there's a mistype in there, as it should be working at the moment.

Once we've got the internet working properly on your OpenBSD box we'll then work on getting machines behind it to access through it properly.
Ta - Nick
Mike Henker wrote:
Hi Nick & Greg, I was testing all the steps but the problem (and remember I'm a newbie and perhaps I'm wrong) I think is because the firewall can't "see" the Internet (exactly the rl1 card with IP 192.168.0.9).

I tried different options in resolv.conf:

1) The one you said (192.168.0.1 is the gateway on the router)
lookup file bind
nameserver 192.168.0.1

Having that in resolv.conf I can ping 192.168.0.1, 192.168.0.9, and also 192.198.1.3, but DNS lookups or pings to machines on the Internet don't work:
lynx news.bbc.co.uk or nslookup news.bbc.co.uk (said "connection time out; no servers could be reached") or ping http://www.google.com (said "ping: unkown host http://www.google.com")

2) Another option I tried is to put the DNS of my ISP into resolv.conf (as I saw it in the FAQs)
lookup file bind
nameserver 194.224.52.6
nameserver 194.224.52.4

And the same happens: I can ping 192.168.0.1, 192.168.0.9, and also 192.198.1.3, but DNS lookups or pings to machines on the Internet don't work:
lynx news.bbc.co.uk or nslookup news.bbc.co.uk (said "connection time out; no servers could be reached") or ping http://www.google.com (said "ping: unkown host http://www.google.com")

I called my ISP, a nice girl answered the phone and at first said Open...what?? She said that to be connected to the Internet in any OS I'll always need 3 parameters:
The gateway: 192.1668.0.1
The primary DNS: 194.224.52.6
The secondary DNS: 194.224.52.4

If it can help, if I connect my wife's PC (with Windows) with the 3 parameters the ISP gave me (the gateway and the two DNS) she can surf the Internet without probs.

I hope all of this info can help you to detect what's the problem.
Regards,
Mike
_____________________________________________________________________________
Greg Thomas wrote:
It looks like Nick's reply has everything covered, most importantly the requirement of a new route on your router to your 192.168.1.x network.
Greg
On 8/15/05, Mike Henker <[EMAIL PROTECTED]> wrote:
You're right, I'm sorry, I wrote an error: instead of "192.169.1.x" I mean 192.168.1.x.

I know what I want to do, the problem is I don't know how to configure the firewall.

To illustrate better, the structure is:
Router - OpenBSD Firewall - Hub - Intranet LAN (with some machines connected)

Looking more closely:
Router (with gateway 192.168.0.1)
OpenBSD with 2 network cards:
One network card 192.168.0.9 (connected to the router)
One network card 192.168.1.3 (connected to a HUB). I want to connect my wife's computer and the rest of the machines (my home LAN) to the hub to be protected by the OpenBSD firewall, and all the traffic will pass through the OpenBSD firewall.

I suppose NAT is running on my 192.168.0.1 router because if I connect a machine directly to the router it just needs 3 parameters to "surf" the Internet (my ISP gave me that info):
The gateway 192.168.0.1
A primary DNS 194.224.52.6
A secondary DNS 194.224.52.4

Greg, the info you need:
My wife's computer is 192.168.1.20
My laptop 192.168.1.19
Another machine 192.168.1.18

mygate file has:
192.168.0.1
Results of netstat -rn:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            192.168.0.1        UGS         0        0      -  rl1
127/8              127.0.0.1          UGRS        0        0  33224  lo0
127.0.0.1          127.0.0.1          UH          1      104  33224  lo0
192.168.0/24       link#2             UC          1        0      -  rl1
192.168.0.1        0:4:76:95:70:bb    UHLc        1        0      -  rl1
192.168.1/24       link#1             UC          0        0      -  rl0
224/4              127.0.0.1          URS         0        0  33224  lo0
I suppose I must put 192.168.1.3 as the gateway on the machines connected to the hub (remember it is the network card of the OpenBSD firewall connected to the hub).
Salutes,
Mike
Greg Thomas wrote:
This is a basic networking problem. You need to post MUCH more info.

We'll assume NAT is running on your 192.168.0.1 router.

A little drawing of your network with IPs of your workstations, firewall, and router would help. Either you have a typo below or you don't understand TCP/IP, see my note below. Need contents of etc/mygate. Results of netstat -rn.
On 8/15/05, Mike Henker <[EMAIL PROTECTED]> wrote:
I checked the file you said and it is correct. I think the problem is what you said, because if I do a ping a message appears saying "ping: unknow host http://www.openbsd.org".

Perhaps giving the maximum info will help you understand better what I want to do.

I installed OpenBSD 3.7.

I have a router at home and want to put a firewall between the router and the LAN I have at home.

The gateway (on the router) is 192.168.0.1.
The OpenBSD firewall I installed has 2 network cards:
- 192.168.0.3
- 192.169.1.9

Like the man afterboot says, I enabled in /etc/sysctl.conf:
net.inet.ip.forwarding=1

But it seems not to work, because the machines in the intranet (my wife's machine has the IP 192.168.1.20 for example) can't get out to the Internet.
You have 192.168.1.x in that last sentence but 192.169.1.x up above. I assume you mean:
192.168.1.20 <-> 192.168.1.9/192.168.0.3 <-> 192.168.0.1 <-> internet
Greg