Congratulations!!
I don't know what else we can try with getting dns lookups to work on
your openbsd box.
We've:
Checked /etc/resolv.conf <--this should have been the likely cause
Checked /etc/hostname.rl1 and rl0 <--subnets are ok
Checked /etc/mygate <--this is the adsl router IP
Checked that pf isn't running <--proved by running pfctl -vvsall
We've not looked in /etc/hosts but it's really unlikely this'd be a
problem as we've been testing with different hosts.
Is there anyone else on the mailing list with any suggestions?
We know that the network is routing properly and that the DNS servers
work, as other machines are working both through the openbsd box and without it.
Cheers - Nick
Mike Henker wrote:
Something has begun to work! Nick, after adding the static route:
> 192.168.1.0 netmask 255.255.255.0 gateway 192.168.0.9
And setting up my wife's PC with the config you said:
> Your PC's 192.168.1.x addresses subnet 255.255.255.0
> DNS servers of 194.224.52.6 and 194.225.52.4
> Default gateway of 192.168.1.3
It works!!
I'm trying what Steve Williams said about trying nslookup from the
firewall, but it doesn't work. I had an idea: I have a Linux machine and
used 2 different IPs, and the nslookup works without problems; for this
reason I suppose it must be a problem with the firewall. Exactly what
I did was:
With the PC with Linux installed:
- I used the IP 192.168.0.50 (connecting the PC directly to the router)
- I used the IP 192.168.1.50 (connecting the PC directly to the hub,
the internal LAN where my wife's PC is also connected)
And with both IPs the nslookup works correctly. I can't understand why,
if I do the nslookup from the firewall, it says all the time "connection
timed out; no servers could be reached".
Regards,
Mike
Nick Ryan wrote:
The static route you'll need to add will be for your internal lan eg:
192.168.1.0 netmask 255.255.255.0 gateway 192.168.0.9
This'll tell your adsl router that to get to the 192.168.1.x network
it needs to go through the 192.168.0.9 interface of your openbsd box.
Note this is the outside interface IP address. A quick basic networking
explanation - routers aren't too intelligent. They cannot find
devices with IP addresses outside their IP and subnet mask range - eg
your adsl router will automatically find devices with IP addresses
192.168.0.1 to 254, but to find any other devices with an IP address
outside this range it needs help - this is where static routes and
gateways come in. The gateway address is effectively a default place
that the router can go to to find other IP addresses & devices, but
it can be overridden by a static route. In your case the router
doesn't know where the 192.168.1.0/24 network is, so it goes to your
ISP's router, but as it's a reserved internal range, plus the fact
that your ISP doesn't know your lan, the packets just get
timed out/dropped as the ISP's router doesn't know what to do with
them. The static route will point the adsl router to your openbsd box
which, as its internal interface is on the 192.168.1.0/24 network,
knows where to route the packets.
(Hopefully that makes sense - for a proper in depth explanation,
google terms like mac addresses, arp packets, broadcasts) If it
doesn't make sense let me know and I'll explain it again.
This should allow your adsl router to return packets destined for
your internal lan to the right place.
I've just seen your reply to Diana so we know that pf isn't used.
Once you add this static route to your adsl router your internal PCs
should be able to access the internet.
We've still got the dns resolving issue though. It's all a bit odd
and I'm a bit stumped.
Try the static route on the adsl router & test with a machine on your
internal lan while I try to think what to do next.
Your internal lan pc will need to have a gateway of the 192.168.1.3
address of your openbsd box. Note this is the internal ip address.
The PC will need the DNS addresses from your ISP.
This is how I understand it should be:
ADSL Router
192.168.0.1 subnet 255.255.255.0 Static route 192.168.1.0
255.255.255.0 gateway 192.168.0.9
| | DMZ
|
OpenBSD box
external interface 192.168.0.9 subnet 255.255.255.0
Default gateway in /etc/mygate of 192.168.0.1
DNS servers in /etc/resolv.conf of 194.224.52.6 and 194.225.52.4
internal interface 192.168.1.3 subnet 255.255.255.0
|
| INTERNAL LAN
|
Your PC's 192.168.1.x addresses subnet 255.255.255.0
DNS servers of 194.224.52.6 and 194.225.52.4
Default gateway of 192.168.1.3
Cheers.
Mike Henker wrote:
Answering all the points:
> Just type "nslookup www.google.com" and see what response you get.
connection timed out; no servers could be reached
> One of google's IPs is 66.102.7.99 if you want to test a traceroute.
Traceroute works fine with google's IPs (66.102.7.99) but if I do a
"traceroute www.google.com" says connection timed out; no servers
could be reached
> Just type "nslookup www.google.com" and see what response you get.
says: "connection timed out; no servers could be reached"
> Can you see if you can add static routes on your adsl router?
Yes I can add static routes; I suppose then I must add 192.168.1.3?
> Your internal PC's will need to be configured with a 192.168.1.x
> address (255.255.255.0 subnet) and a gateway of 192.168.1.3, and
> dns server IP's of 194.224.52.6 and 194.225.52.4
> They should then be able to connect to the internet.
Actually it doesn't work. I suppose when I add the static route to the
router (192.168.1.3) it will work, right?
Salutes,
Mike
Nick wrote:
That all looks fine.
Ping isn't really a great test of network connectivity outside of
your own lan anymore. Most sites tend to block ping nowadays as a
matter of course.
What you can do is usually ping your ISP's router and you can find
this from a "traceroute www.google.com" command - the first hop
past your adsl router will tend to be your isps router. You can
then use this as a ping test.
One of google's IPs is 66.102.7.99 if you want to test a traceroute.
Can you test your dns lookups now from your openbsd box please? I
think it'll work as you're not getting the ntpd errors any longer.
Just type "nslookup www.google.com" and see what response you get.
To get your machines behind the openbsd box routing through it
we'll either need to use nat'ing or get your adsl router to static
route all 192.168.1.x traffic through the openbsd server.
Can you see if you can add static routes on your adsl router?
There's usually a configuration page somewhere. This is ideally
what you should do, as if you can't we'll be adding in more nat'ing
(ie your openbsd box will nat once, then your adsl router will nat
again - it'll work but it's not very elegant).
---nat'ing on openbsd box section only: ignore if you can add the
static route ----
If not we'll need to add nat to your openbsd box too. Can you edit
/etc/pf.conf and add:
EXT_IF="rl1"
nat on $EXT_IF from !($EXT_IF) to any -> ($EXT_IF)
pass all
This will set up the openbsd box to nat all internal traffic to
its 192.168.0.9 address.
Then type "pfctl -ef /etc/pf.conf" to enable it.
At some stage once it's all working I'd suggest putting in some
proper firewall rules, but for testing the pass all command will be
ok.
----end of nat'ing section -----
Your internal PCs will need to be configured with a 192.168.1.x
address (255.255.255.0 subnet) and a gateway of 192.168.1.3, and
DNS server IPs of 194.224.52.6 and 194.225.52.4.
They should then be able to connect to the internet.
Let me know how you get on.
Ta - Nick
Mike Henker wrote:
Ok Nick, checking all that you said step by step:
> Can you put your /etc/resolv.conf file back to the one with the
> ISP's dns servers in it first.
Changed to:
lookup file bind
name server 194.224.52.6
name server 194.224.52.4
> Can you confirm if you've got pf enabled or not and if you do can you
> send a copy of your pf.conf file.
I don't have pf enabled (every line inside the pf.conf file has a "#" at the
beginning).
> Can you confirm the contents of your /etc/mygate file.
192.168.0.1
> Can you confirm the contents of your /etc/hostname.rl1 and
> /etc/hostname.rl0 files.
hostname.rl0
inet 192.168.1.3 255.255.255.0 NONE
hostname.rl1
inet 192.168.0.9 255.255.255.0 NONE
> Can you also confirm the subnet mask on your adsl router's 192.168.0.1
> address ( it'll probably be something like 255.255.255.0)
Yes, I can confirm the subnet mask is 255.255.255.0.
From the firewall with these settings I can ping 192.168.0.1 but
cannot ping, for example, http://www.google.com
If it can help, the message that appeared the past days saying:
ntpd could not parse "pool.ntp.org" doesn't appear now.
Please Nick, if you need more info let me know, thanks.
Salutes,
Mike
_________________________________________________________________________
Nick wrote:
It's definitely a DNS issue, although it should be working as
your resolv.conf file looks good.
Can you check a few things please?
Can you put your /etc/resolv.conf file back to the one with the
ISP's dns servers in it first.
Can you confirm if you've got pf enabled or not and if you do can
you send a copy of your pf.conf file.
Can you confirm the contents of your /etc/mygate file.
Can you confirm the contents of your /etc/hostname.rl1 and
/etc/hostname.rl0 files.
Can you also confirm the subnet mask on your adsl router's
192.168.0.1 address ( it'll probably be something like
255.255.255.0)
What I'm trying to do is troubleshoot a few things, such as whether
you've got firewall rules that will interfere with dns lookups,
and your network settings to see if there's a typo in there,
as it should be working at the moment.
Once we've the internet working properly on your openbsd box
we'll then work on getting machines behind it to access through
it properly.
Ta - Nick
Mike Henker wrote:
Hi Nick & Greg, I was testing all the steps but the problem (and
remember I'm a newbie and perhaps I'm wrong) I think is that
the firewall can't "see" the Internet (exactly the rl1 card with IP
192.168.0.9).
I tried different options in resolv.conf:
1) The one you said (192.168.0.1 is the gateway on the router)
lookup file bind
nameserver 192.168.0.1
Having that in resolv.conf I can ping 192.168.0.1, 192.168.0.9,
and also 192.198.1.3, but DNS lookups or pings to machines on the
Internet don't work:
lynx news.bbc.co.uk or nslookup news.bbc.co.uk (said "connection
timed out; no servers could be reached") or ping
http://www.google.com (said "ping: unknown host
http://www.google.com")
2) Another option I tried is to put into resolv.conf the DNS servers of
my ISP (as I saw it in the faqs):
lookup file bind
nameserver 194.224.52.6
nameserver 194.224.52.4
And the same happens: I can ping 192.168.0.1, 192.168.0.9,
and also 192.198.1.3, but DNS lookups or pings to machines on the
Internet don't work:
lynx news.bbc.co.uk or nslookup news.bbc.co.uk (said "connection
timed out; no servers could be reached") or ping
http://www.google.com (said "ping: unknown host
http://www.google.com")
I called my ISP; a nice girl answered the phone and at first
said Open...what?? She said that to be connected to the Internet in
any OS I'll always need 3 parameters:
The gateway: 192.1668.0.1
The primary DNS: 194.224.52.6
The secondary DNS: 194.224.52.4
If it can help: if I connect my wife's PC (with Windows) with the
3 parameters the ISP gave me (the gateway and the two DNS servers), she
can surf the Internet without problems.
I hope all of this info can help you to detect what the
problem is.
Regards,
Mike
_____________________________________________________________________________
Greg Thomas wrote:
It looks like Nick's reply has everything covered, most importantly
the requirement of a new route on your router to your 192.168.1.x
network.
Greg
On 8/15/05, Mike Henker <[EMAIL PROTECTED]> wrote:
You're right, I'm sorry, I wrote an error: instead of "192.169.1.x" I mean
192.168.1.x
I know what I want to do; the problem is I don't know how to configure
the firewall.
To illustrate the structure better, it is:
Router-OpenBSDFirewall-Hub-Intranet Lan (with some machines connected)
Looking nearly:
Router (with gateway 192.168.0.1)
OpenBSD with 2 network cards:
One network card 192.168.0.9 (connected to the router)
One network card 192.168.1.3 (connected to a HUB). I want to
connect my wife's computer and the rest of the machines (my home lan) to the
hub so they are protected by the OpenBSD firewall, and all the traffic will
pass through the OpenBSD firewall.
I suppose NAT is running on my 192.168.0.1 router because if I
connect a machine directly to the router it just needs 3 parameters to
"surf" the Internet (my ISP gave me that info):
The gateway 192.168.0.1
A primary DNS 194.224.52.6
A secondary DNS 194.224.52.4
Greg the info you need:
My wife's computer 192.168.1.20
My laptop 192.168.1.19
Another machine 192.168.1.18
mygate file has:
192.168.0.1
Results of netstat -rn:
Routing tables
Internet:
Destination        Gateway            Flags  Refs  Use  Mtu    Interface
default            192.168.0.1        UGS    0     0    -      rl1
127/8              127.0.0.1          UGRS   0     0    33224  lo0
127.0.0.1          127.0.0.1          UH     1     104  33224  lo0
192.168.0/24       link#2             UC     1     0    -      rl1
192.168.0.1        0:4:76:95:70:bb    UHLc   1     0    -      rl1
192.168.1/24       link#1             UC     0     0    -      rl0
224/4              127.0.0.1          URS    0     0    33224  lo0
I suppose I must put as gateway in the machines connected to the hub
the gateway 192.168.1.3 (remember it is the network card of the OpenBSD
firewall connected to the Hub).
Salutes,
Mike
Greg Thomas wrote:
This is a basic networking problem. You need to post MUCH more info.
We'll assume NAT is running on your 192.168.0.1 router.
A little drawing of your network with IPs of your workstations,
firewall, and router would help. Either you have a typo below or you
don't understand TCP/IP, see my note below. Need contents of
/etc/mygate. Results of netstat -rn.
On 8/15/05, Mike Henker <[EMAIL PROTECTED]> wrote:
I checked the file you said and it is correct. I think the problem is what
you said, because if I do a ping a message appears saying "ping:
unknown host http://www.openbsd.org"
Perhaps giving the maximum info you will understand better what
I want to do.
I installed OpenBSD 3.7
I have a router at home and want to put a firewall between the router
and the lan I have at home.
The gateway (on the router) is 192.168.0.1
The OpenBSD firewall I installed has 2 network cards:
- 192.168.0.3
- 192.169.1.9
Like the man afterboot says I enabled in /etc/sysctl.conf:
net.inet.ip.forwarding=1
But it seems not to work, because the machines in the intranet
(my wife's machine has the IP 192.168.1.20 for example) can't get out to the
Internet.
You have 192.168.1.x in that last sentence but 192.169.1.x up above.
I assume you mean:
192.168.1.20 <-> 192.168.1.9/192.168.0.3 <-> 192.168.0.1 <-> internet
Greg
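The checks Nick lists at the top of the thread (resolv.conf, hostname.rl0/rl1, mygate) and the static-route reasoning in his later reply, written out as an added Python example that is not from the thread or from OpenBSD. The file contents are constructed samples modelled on the files quoted in the thread; the "name server" line with a space is included deliberately, as in one of the quoted resolv.conf files, to show that a resolver which does not recognise a keyword simply skips the line. Function names and the check logic are my own.

```python
# Added example (not from the thread): static sanity checks over the OpenBSD
# files the thread compares (/etc/hostname.if, /etc/mygate, /etc/resolv.conf)
# and derivation of the static route the upstream router needs.
import ipaddress

# Constructed sample inputs (hypothetical contents, not captured from a real box).
HOSTNAME_FILES = {
    "rl0": "inet 192.168.1.3 255.255.255.0 NONE\n",  # internal LAN side
    "rl1": "inet 192.168.0.9 255.255.255.0 NONE\n",  # ADSL router side
}
MYGATE = "192.168.0.1\n"
# Deliberately contains a "name server" line (keyword split by a space), as one
# of the files quoted in the thread does, to show how such a line is treated.
RESOLV_CONF = "lookup file bind\nname server 194.224.52.6\nnameserver 194.224.52.4\n"

# Keywords the BSD resolver understands; anything else is skipped silently.
RESOLV_KEYWORDS = {"nameserver", "lookup", "search", "domain", "family", "options"}


def parse_hostname_if(text):
    """Parse the 'inet ADDR MASK ...' line of an /etc/hostname.if file."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "inet":
            return ipaddress.ip_interface(f"{parts[1]}/{parts[2]}")
    raise ValueError("no 'inet ADDR MASK' line found")


def parse_resolv_conf(text):
    """Return (nameservers, problems) for an /etc/resolv.conf.

    A typo in a keyword does not raise an error in the resolver; the line is
    just ignored, so the server it names is never queried. Such lines are
    reported here instead of being dropped.
    """
    nameservers, problems = [], []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword not in RESOLV_KEYWORDS:
            problems.append(f"line {num}: unknown keyword {keyword!r}, line ignored by the resolver")
        elif keyword == "nameserver":
            try:
                nameservers.append(ipaddress.ip_address(args[0]))
            except (IndexError, ValueError):
                problems.append(f"line {num}: 'nameserver' needs exactly one IP address")
    if not nameservers:
        problems.append("no usable nameserver line: every lookup will time out")
    return nameservers, problems


def gateway_interface(interfaces, mygate):
    """Name of the interface whose subnet contains the /etc/mygate address, or None.

    A default gateway that is not on-link for any interface can never be
    reached; this is the subnet mismatch Nick asks Mike to rule out.
    """
    gw = ipaddress.ip_address(mygate.strip())
    for name, iface in interfaces.items():
        if gw in iface.network:
            return name
    return None


def router_static_routes(interfaces, mygate):
    """Static routes the upstream router needs, as (destination, next hop) pairs.

    Every subnet that is not the router's own must be reached through the
    OpenBSD address that sits on the router's subnet (the external interface).
    """
    ext_name = gateway_interface(interfaces, mygate)
    if ext_name is None:
        raise ValueError("mygate is not on the subnet of any interface")
    next_hop = interfaces[ext_name].ip
    return [(iface.network, next_hop) for name, iface in interfaces.items() if name != ext_name]


def run_checks(hostname_files, mygate, resolv_conf):
    """Run all checks over file contents and collect findings in one dict."""
    interfaces = {n: parse_hostname_if(t) for n, t in hostname_files.items()}
    nameservers, problems = parse_resolv_conf(resolv_conf)
    ext = gateway_interface(interfaces, mygate)
    if ext is None:
        problems.append("mygate is not on the subnet of any interface")
    return {
        "interfaces": interfaces,
        "gateway_interface": ext,
        "nameservers": nameservers,
        "router_static_routes": router_static_routes(interfaces, mygate) if ext else [],
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in run_checks(HOSTNAME_FILES, MYGATE, RESOLV_CONF).items():
        print(f"{key}: {value}")
```

On the constructed input the gateway is found on rl1, the only static route the router needs is 192.168.1.0/24 via 192.168.0.9 (matching the route Nick gives), and the "name server" line is reported as an ignored keyword, leaving a single usable nameserver. Running the same checks against the real files on the box is a quick way to catch a keyword or subnet typo before moving on to packet-level tests.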