Something has begun to work! Nick, after adding the static route:
> 192.168.1.0 netmask 255.255.255.0 gateway 192.168.0.9

And setting up my wife's PC with the config you said:
> Your PC's 192.168.1.x addresses subnet 255.255.255.0
> DNS servers of 194.224.52.6 and 194.225.52.4
> Default gateway of 192.168.1.3

It works!!


I'm trying what Steve Williams said about trying nslookup from the firewall, but it doesn't work. I had an idea: I have a Linux machine and used 2 different IPs, and nslookup works without problems, so for this reason I suppose it must be a problem on the firewall. Exactly what I did was:

With the PC with Linux installed:

- I used the IP 192.168.0.50 (connecting the PC directly to the router)
- I used the IP 192.168.1.50 (connecting the PC directly to the hub, the internal LAN where my wife's PC is also connected)

And with both IPs nslookup works correctly. I can't understand why, if I do the nslookup from the firewall, it says all the time "connection timed out; no servers could be reached".

Regards,
Mike


Nick Ryan wrote:
The static route you'll need to add will be for your internal lan, eg: 192.168.1.0 netmask 255.255.255.0 gateway 192.168.0.9. This'll tell your adsl router that to get to the 192.168.1.x network it needs to go through the 192.168.0.9 interface of your openbsd box. Note this is the outside interface IP address.

A quick basic networking explanation - routers aren't too intelligent. They cannot find devices with IP addresses outside their IP and subnet mask range - eg your adsl router will automatically find devices with IP addresses 192.168.0.1 to 254, but to find any other devices with an IP address outside this range it needs help - this is where static routes and gateways come in. The gateway address is effectively a default place that the router can go to to find other IP addresses & devices, but it can be overridden by a static route.

In your case the router doesn't know where the 192.168.1.0/24 network is, so it goes to your ISP's router, but as it's a reserved internal range, plus the fact that your ISP doesn't know your lan, the packets just get timed out/dropped as the ISP's router doesn't know what to do with them. The static route will point the adsl router to your openbsd box which, as its internal interface is on the 192.168.1.0/24 network, knows where to route the packets.

(Hopefully that makes sense - for a proper in depth explanation, google terms like mac addresses, arp packets, broadcasts) If it doesn't make sense let me know and I'll explain it again.

This should allow your adsl router to return packets destined for your internal lan to the right place.

I've just seen your reply to Diana so we know that pf isn't used. Once you add this static route to your adsl router your internal PC's should be able to access the internet.

We've still got the dns resolving issue though. It's all a bit odd and I'm a bit stumped.

Try the static route on the adsl router & test with a machine on your internal lan while I try to think what to do next.

Your internal lan pc will need to have a gateway of the 192.168.1.3 address of your openbsd box. Note this is the internal ip address. The PC will need the DNS addresses from your ISP.

This is how I understand it should be:

ADSL Router
192.168.0.1 subnet 255.255.255.0 Static route 192.168.1.0 255.255.255.0 gateway 192.168.0.9
      |          |   DMZ
      |
OpenBSD box
external interface 192.168.0.9 subnet 255.255.255.0
Default gateway in /etc/mygate of 192.168.0.1
DNS servers in /etc/resolv.conf of 194.224.52.6 and 194.225.52.4
internal interface 192.168.1.3 subnet 255.255.255.0
      |
      |  INTERNAL LAN
      |
Your PC's 192.168.1.x addresses subnet 255.255.255.0
DNS servers of 194.224.52.6 and 194.225.52.4
Default gateway of 192.168.1.3


Cheers.
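As an added illustration of the longest-prefix-match behaviour Nick describes (example code, not from the thread): a small route lookup in Python over tables constructed from the addresses in this thread. "isp" is a placeholder label for the ADSL router's upstream hop, and "direct" marks an attached network.

```python
# Added example, not part of the thread: models why the ADSL router needs the
# static route. Tables are constructed from addresses quoted in the thread.
import ipaddress

def next_hop(routing_table, dst):
    """Return the gateway for dst using longest-prefix match.

    routing_table: list of (prefix, gateway) pairs such as
    ("192.168.1.0/24", "192.168.0.9"). A gateway of "direct" means the
    destination is on a directly attached network.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routing_table:
        net = ipaddress.ip_network(prefix)
        # A more specific (longer) prefix wins over the default route.
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

# The OpenBSD box's table, as shown by Mike's "netstat -rn" output.
OPENBSD_BOX = [
    ("0.0.0.0/0", "192.168.0.1"),   # default via the ADSL router (rl1)
    ("192.168.0.0/24", "direct"),   # rl1 network
    ("192.168.1.0/24", "direct"),   # rl0 network, the internal LAN
]

# The ADSL router before Nick's static route: it only knows 192.168.0.0/24,
# so anything else follows the default route to the ISP ("isp" is a label).
ROUTER_BEFORE = [
    ("0.0.0.0/0", "isp"),
    ("192.168.0.0/24", "direct"),
]

# After "192.168.1.0 netmask 255.255.255.0 gateway 192.168.0.9" is added.
ROUTER_AFTER = ROUTER_BEFORE + [("192.168.1.0/24", "192.168.0.9")]

def return_path(router_table, internal_pc="192.168.1.20"):
    """Where the ADSL router sends a reply destined for an internal PC."""
    return next_hop(router_table, internal_pc)

if __name__ == "__main__":
    print("before static route:", return_path(ROUTER_BEFORE))
    print("after static route: ", return_path(ROUTER_AFTER))
```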



Mike Henker wrote:

Answering all the points:
> Just type "nslookup www.google.com" and see what response you get.

connection timed out; no servers could be reached

> One of google's IPs is 66.102.7.99 if you want to test a traceroute.

Traceroute works fine with google's IP (66.102.7.99), but if I do a "traceroute www.google.com" it says connection timed out; no servers could be reached

> Just type "nslookup www.google.com" and see what response you get.
says: "connection timed out; no servers could be reached"

> Can you see if you can add static routes on your adsl router?

Yes, I can add static routes. I suppose then I must add 192.168.1.3?

> Your internal PC's will need to be configured with a 192.168.1.x
> address (255.255.255.0 subnet) and a gateway of 192.168.1.3, and dns
> server IP's of 194.224.52.6 and 194.225.52.4
> They should then be able to connect to the internet.

Actually it doesn't work. I suppose when I add the static route to the router (192.168.1.3) it will work, right?

Salutes,
Mike

Nick wrote:

That all looks fine.

Ping isn't really a great test of network connectivity outside of your own lan anymore. Most sites tend to block ping nowadays as a matter of course. What you can do is usually ping your ISP's router, and you can find this from a "traceroute www.google.com" command - the first hop past your adsl router will tend to be your ISP's router. You can then use this as a ping test.

One of google's IPs is 66.102.7.99 if you want to test a traceroute.

Can you test your dns lookups now from your openbsd box please? I think it'll work as you're not getting the ntpd errors any longer.

Just type "nslookup www.google.com" and see what response you get.

To get your machines behind the openbsd box routing through it we'll either need to use nat'ing or get your adsl router to static route all 192.168.1.x traffic through the openbsd server.

Can you see if you can add static routes on your adsl router? There's usually a configuration page somewhere. This is ideally what you should do, as if you can't we'll be adding in more nat'ing (ie your openbsd box will nat once, then your adsl router will nat again - it'll work but it's not very elegant).

---nat'ing on openbsd box section only: ignore if you can add the static route ---- If not we'll need to add nat to your openbsd box too. Can you edit /etc/pf.conf and add:

EXT_IF="rl1"                                          # interface facing the adsl router (192.168.0.9)
nat on $EXT_IF from !($EXT_IF) to any -> ($EXT_IF)   # rewrite the source of traffic leaving rl1 to rl1's address
pass all                                              # allow everything (for testing only)

This will set up the openbsd box to nat all internal traffic to its 192.168.0.9 address.

Then type "pfctl -ef /etc/pf.conf" to enable it.

At some stage once it's all working I'd suggest putting in some proper firewall rules, but for testing the pass all command will be ok.

----end of nat'ing section -----

Your internal PC's will need to be configured with a 192.168.1.x address (255.255.255.0 subnet) and a gateway of 192.168.1.3, and dns server IP's of 194.224.52.6 and 194.225.52.4

They should then be able to connect to the internet.

Let me know how you get on.

Ta - Nick


Mike Henker wrote:

Ok Nick, checking all that you said step by step:

> Can you put your /etc/resolv.conf file back to the one with the ISP's
> dns servers in it first.

Changed to:
lookup file bind
nameserver 194.224.52.6
nameserver 194.224.52.4

> Can you confirm if you've got pf enabled or not and if you do can you
> send a copy of your pf.conf file.

I don't have pf enabled (every line inside the pf.conf file has a "#" at the beginning).

> Can you confirm the contents of your /etc/mygate file.

192.168.0.1

> Can you confirm the contents of your /etc/hostname.rl1 and
> /etc/hostname.rl0  files.

hostname.rl0
inet 192.168.1.3 255.255.255.0 NONE

hostname.rl1
inet 192.168.0.9 255.255.255.0 NONE

> Can you also confirm the subnet mask on your adsl router's 192.168.0.1
> address ( it'll probably be something like 255.255.255.0)

Yes, I can confirm the subnet mask is 255.255.255.0.

With these settings, from the firewall I can ping 192.168.0.1 but cannot ping, for example, http://www.google.com

If it helps, the message that appeared in the past days saying: ntpd could not parse "pool.ntp.org" doesn't appear now.

Please Nick, if you need more info let me know, thanks.

Salutes,
Mike

_________________________________________________________________________
Nick wrote:

It's definitely a DNS issue, although it should be working as your resolv.conf file looks good.

Can you check a few things please?

Can you put your /etc/resolv.conf file back to the one with the ISP's dns servers in it first.

Can you confirm if you've got pf enabled or not and if you do can you send a copy of your pf.conf file.

Can you confirm the contents of your /etc/mygate file.

Can you confirm the contents of your /etc/hostname.rl1 and /etc/hostname.rl0 files.

Can you also confirm the subnet mask on your adsl router's 192.168.0.1 address (it'll probably be something like 255.255.255.0)


What I'm trying to do is troubleshoot a few things, such as whether you've got firewall rules that will interfere with dns lookups, and your network settings to see if there's a typo in there, as it should be working at the moment.

Once we've the internet working properly on your openbsd box we'll then work on getting machines behind it to access through it properly.

Ta - Nick
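Nick's checks above amount to looking for a typo in a handful of small files. As an added example (not code from the thread), here is a Python checker for the same files: it parses the text of /etc/resolv.conf, /etc/mygate and the /etc/hostname.<if> files and flags a misspelled "nameserver" keyword, an address that is not valid IPv4, and a default gateway that is not on any interface subnet. The sample file contents are constructed from values in the thread (including a deliberately misspelled keyword and the mistyped gateway).

```python
# Added example, not part of the thread: sanity-checks the OpenBSD files Nick
# asked about. Sample inputs below are constructed, not copied from a system.
import ipaddress

def check_config(resolv_conf, mygate, hostname_files):
    """Return a list of problem strings; an empty list means nothing found."""
    problems, nameservers, subnets = [], [], []
    for lineno, line in enumerate(resolv_conf.splitlines(), 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "nameserver" and len(words) == 2:
            nameservers.append(words[1])
        elif words[0] not in ("lookup", "search", "domain", "options"):
            # "name server" (two words) would land here as keyword "name".
            problems.append(f"resolv.conf line {lineno}: unknown keyword {words[0]!r}")
    if not nameservers:
        problems.append("resolv.conf: no usable nameserver lines")
    for ns in nameservers:
        try:
            ipaddress.IPv4Address(ns)
        except ValueError:
            problems.append(f"resolv.conf: {ns!r} is not a valid IPv4 address")
    # hostname.<if> lines look like "inet <address> <netmask> <broadcast>".
    for name, text in hostname_files.items():
        for line in text.splitlines():
            words = line.split()
            if len(words) >= 3 and words[0] == "inet":
                try:
                    subnets.append(ipaddress.IPv4Network((words[1], words[2]), strict=False))
                except ValueError:
                    problems.append(f"{name}: bad address/netmask {words[1]} {words[2]}")
    gw = mygate.strip()
    try:
        if not any(ipaddress.IPv4Address(gw) in net for net in subnets):
            problems.append(f"mygate: gateway {gw} is not on any interface subnet")
    except ValueError:
        problems.append(f"mygate: {gw!r} is not a valid IPv4 address")
    return problems

# Constructed sample input: Mike's hostname files as posted, a resolv.conf with
# a misspelled keyword, and the gateway exactly as he mistyped it to Greg.
SAMPLE_RESOLV = "lookup file bind\nname server 194.224.52.6\nnameserver 194.224.52.4\n"
SAMPLE_HOSTNAMES = {"hostname.rl0": "inet 192.168.1.3 255.255.255.0 NONE",
                    "hostname.rl1": "inet 192.168.0.9 255.255.255.0 NONE"}

if __name__ == "__main__":
    for problem in check_config(SAMPLE_RESOLV, "192.1668.0.1\n", SAMPLE_HOSTNAMES):
        print(problem)
```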



Mike Henker wrote:

Hi Nick & Greg, I was testing all the steps but the problem (and remember I'm a newbie and perhaps I'm wrong) I think is that the firewall can't "see" the Internet (exactly the rl1 card with IP 192.168.0.9).

I tried different options in resolv.conf:

1) The one you said (192.168.0.1 is the gateway on the router)
lookup file bind
nameserver 192.168.0.1

Having that in resolv.conf I can ping 192.168.0.1, 192.168.0.9, and also 192.198.1.3, but DNS lookups or pings to machines on the Internet don't work: lynx news.bbc.co.uk or nslookup news.bbc.co.uk (said "connection timed out; no servers could be reached") or ping http://www.google.com (said "ping: unknown host http://www.google.com")

2) Another option I tried is to put the DNS servers of my ISP into resolv.conf (as I saw in the FAQs)

lookup file bind
nameserver 194.224.52.6
nameserver 194.224.52.4

And the same happens: I can ping 192.168.0.1, 192.168.0.9, and also 192.198.1.3, but DNS lookups or pings to machines on the Internet don't work: lynx news.bbc.co.uk or nslookup news.bbc.co.uk (said "connection timed out; no servers could be reached") or ping http://www.google.com (said "ping: unknown host http://www.google.com")

I called my ISP; a nice girl answered the phone and at first said Open...what?? She said that to be connected to the Internet in any OS I will always need 3 parameters:
 The gateway: 192.168.0.1
 The primary DNS: 194.224.52.6
 The secondary DNS: 194.224.52.4

If it helps: if I connect my wife's PC (with Windows) with the 3 parameters the ISP gave me (the gateway and the two DNS) she can surf the Internet without problems.

I hope all of this info can help you detect what the problem is.

Regards,
Mike

_____________________________________________________________________________

Greg Thomas wrote:

It looks like Nick's reply has everything covered, most importantly
the requirement of a new route on your router to your 192.168.1.x
network.

Greg

On 8/15/05, Mike Henker <[EMAIL PROTECTED]> wrote:

You're right, I'm sorry, I made an error: instead of "192.169.1.x" I mean
192.168.1.x

I know what I want to do, the problem is I don't know how to configure
the firewall:

To illustrate the structure better, it is:

Router-OpenBSDFirewall-Hub-Intranet Lan (with some machines connected)

In more detail:

Router (with gateway 192.168.0.1)

OpenBSD with 2 network cards:
One network card 192.168.0.9 (connected to the router)
One network card 192.168.1.3 (connected to a hub). I want to connect my wife's computer and the rest of the machines (my home lan) to the hub so they
are protected by the OpenBSD firewall, and all the traffic will pass
through the OpenBSD firewall.

I suppose NAT is running on my 192.168.0.1 router, because if I connect a machine directly to the router it just needs 3 parameters to "surf" the
Internet (my ISP gave me that info):

The gateway 192.168.0.1
A Primary DNS 194.224.52.6
A secondary DNS 194.224.52.4

Greg, the info you need:

My wife's computer 192.168.1.20
My laptop 192.168.1.19
Another machine 192.168.1.18

mygate file has:
192.168.0.1

Results of netstat -rn

Routing tables
Internet:
Destination    Gateway         Flags  Refs  Use  Mtu     Interface
default        192.168.0.1     UGS     0     0    -       rl1
127/8          127.0.0.1       UGRS    0     0    33224   lo0
127.0.0.1      127.0.0.1       UH      1    104   33224   lo0
192.168.0/24   link#2          UC      1     0    -       rl1
192.168.0.1    0:4:76:95:70:bb UHLc    1     0    -       rl1
192.168.1/24   link#1          UC      0     0    -       rl0
224/4          127.0.0.1       URS     0     0    33224   lo0

I suppose I must set 192.168.1.3 as the gateway on the machines connected to the hub (remember it is the network card of the OpenBSD
firewall connected to the hub)

Salutes,
Mike

Greg Thomas wrote:

This is a basic networking problem. You need to post MUCH more info.
We'll assume NAT is running on your 192.168.0.1 router.

A little drawing of your network with IPs of your workstations,
firewall, and router would help. Either you have a typo below or you
don't understand TCP/IP, see my note below.  Need contents of
/etc/mygate.  Results of netstat -rn.

On 8/15/05, Mike Henker <[EMAIL PROTECTED]> wrote:


I checked the file you said and it is correct. I think the problem is what you said, because if I do a ping a message appears saying "ping:
unknown host http://www.openbsd.org"

Perhaps by giving the maximum info you will understand better what I want to do.

I installed OpenBSD 3.7

I have a router at home and want to put a firewall between the router
and the lan I have at home.

The gateway (on the router is 192.168.0.1)
The OpenBSD firewall I installed has 2 network cards
- 192.168.0.3
- 192.169.1.9

As the afterboot man page says, I enabled in /etc/sysctl.conf:

          net.inet.ip.forwarding=1

But it seems not to work, because the machines in the intranet (my wife's machine has the IP 192.168.1.20, for example) can't get out to the Internet.



You have 192.168.1.x in that last sentence but 192.169.1.x up above.
I assume you mean:

192.168.1.20 <-> 192.168.1.9/192.168.0.3 <-> 192.168.0.1 <-> internet

Greg
