On Wed, Apr 02, 2025 at 10:44:03AM +0000, otto.cooper wrote:
> Reading hostname.if(5) and ifconfig(8) again, I understand that commands in
> hostname.if are executed by ifconfig. Of interest here is the ifconfig
> command "group"; hostname.if(8) does not say a word about this command, but
> it should work. Of special interest here is the group "egress".
> hostname.if(5) does not say a word about "egress"; this is not a critique, it
> is just a note on the fact. In its turn, ifconfig(8) mentions "egress",
> twice, only in reference to the command "group":
>
> > a group could be used to create a hardware independent pf(4) ruleset (i.e.
> > not one based on the names of NICs) using existing (egress, carp, etc.) or
> > user-defined groups.
>
> > The interfaces the default routes point to are members of the "egress"
> > interface group.
>
> Does it work?
>
> In the following case study, /etc/hostname.ix0 contains the command
> "group lan", and ix0 is assigned to group "lan" as a consequence. This
> means that the command "group" works in hostname.if. The command does
> not work for group "egress" however. Since em0 is wired to the
> gateway, em0 is the interface the default route points to, and
> therefore it should be assigned to egress. What follows is evidence of
> the fact that this does not happen.
>
> Note that the interface ix0 is wired to the switch, its
> /etc/hostname.ix0 puts it in group "lan", it shows up in group "lan"
> correctly, but it also shows up in group "egress" all by itself. You
> may say that perhaps the gateway has a wire to the switch as well. You
> are correct. The wire is needed because this is how this network works
> at this time. The OpenBSD firewall needs to be configured on the
> existing network before entering production mode in the existing
> network: the only change allowed will be the detachment of the wire
> that currently joins the gateway to the switch.
You'll also have to tell all the machines in the LAN that their new gateway is
at 192.168.1.6 (or whatever is the address of the firewall's internal
interface). Otherwise they'll still be trying to reach 192.168.1.1 and won't
be able to do so. Also, note that if the hosts in the LAN are configured by
DHCP, you'll need to find a way to relay DHCP traffic between the gateway and
the LAN.

> -----------------------------------------------------
>
> 192.168.1.1/24 is the LAN
>
> 192.168.1.1: gateway
> 192.168.1.4: em0 wire connected to gateway
> 192.168.1.5: em1 down
> 192.168.1.6: ix0 wire connected to switch
> 192.168.1.7: ix1 down
>
> > ifconfig
> lo0: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST,LRO> mtu 32768
>         index 6 priority 0 llprio 3
>         groups: lo
>         inet 127.0.0.1 netmask 0xff000000
> ix0: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LRO> mtu 1500
>         lladdr ac:1f:6b:6d:1e:18
>         index 1 priority 0 llprio 3
>         groups: lan egress
>         media: Ethernet autoselect (10GSFP+Cu full-duplex,rxpause,txpause)
>         status: active
>         inet 192.168.1.6 netmask 0xffffff00 broadcast 192.168.1.255
> ix1: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LRO> mtu 1500
>         lladdr ac:1f:6b:6d:1e:19
>         index 2 priority 0 llprio 3
>         groups: lan
>         media: Ethernet autoselect
>         status: no carrier
>         inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr ac:1f:6b:6d:1c:88
>         index 3 priority 0 llprio 3
>         media: Ethernet autoselect (1000baseT full-duplex,rxpause)
>         status: active
>         inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
> em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>         lladdr ac:1f:6b:6d:1c:89
>         index 4 priority 0 llprio 3
>         media: Ethernet autoselect (none)
>         status: no carrier
>         inet 192.168.1.5 netmask 0xffffff00 broadcast 192.168.1.255
> enc0: flags=0<>
>         index 5 priority 0 llprio 3
>         groups: enc
>         status: active
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
>         index 7 priority 0 llprio 3
>         groups: pflog
>
> > netstat -r -n
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            192.168.1.1        UGS        4       74     -     8 ix0
> 224/4              127.0.0.1          URS        0        4 32768     8 lo0
> 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> 127.0.0.1          127.0.0.1          UHhl       3       85 32768     1 lo0
> 192.168.1/24       192.168.1.6        UCn        1       97     -     4 ix0
> 192.168.1/24       192.168.1.4        UCPn       0        2     -     4 em0
> 192.168.1/24       192.168.1.5        CPn        0        0     -     4 em1
> 192.168.1/24       192.168.1.7        CPn        0        0     -     4 ix1
> 192.168.1.1        14:49:bc:16:6c:a8  UHLch      1       39     -     3 ix0
> 192.168.1.4        ac:1f:6b:6d:1c:88  UHLl       0       43     -     1 em0
> 192.168.1.5        ac:1f:6b:6d:1c:89  UHLl       0        0     -     1 em1
> 192.168.1.6        ac:1f:6b:6d:1e:18  UHLl       0        7     -     1 ix0
> 192.168.1.7        ac:1f:6b:6d:1e:19  UHLl       0        0     -     1 ix1
> 192.168.1.255      192.168.1.6        UHb        0      642     -     1 ix0
> 192.168.1.255      192.168.1.4        UHPb       0        0     -     1 em0
> 192.168.1.255      192.168.1.5        HPb        0        0     -     1 em1
> 192.168.1.255      192.168.1.7        HPb        0        0     -     1 ix1
>
> > route -n get default
>
>    route to: 0.0.0.0
> destination: 0.0.0.0
>        mask: 0.0.0.0
>     gateway: 192.168.1.1
>   interface: ix0
>  if address: 192.168.1.6
>    priority: 8 (static)
>       flags: <UP,GATEWAY,DONE,STATIC>
>      use       mtu    expire
>       74         0         0
> --
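An added check, not from the thread, for the situation quoted above: pf(4) rules written against egress follow the kernel's group assignment, which tracks the interface the default route resolves to (ix0 here, since 192.168.1.1 is reached through ix0's connected route), not what hostname.if says. This POSIX sh script parses ifconfig(8) and `route -n get default` output and reports when the egress member differs from the intended uplink; the function names are mine, and the embedded input is abbreviated from the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example (not the thread's code): verify that the interface the kernel
# placed in the "egress" group is the one intended as the uplink.
# Function names are hypothetical; input is embedded so the script runs offline.

# Print every interface whose "groups:" line lists egress (ifconfig(8) on stdin).
egress_members() {
    awk '
        /^[a-z][a-z0-9]*: flags=/ { ifname = $1; sub(":$", "", ifname) }
        /^[ \t]+groups:/ { for (i = 2; i <= NF; i++) if ($i == "egress") print ifname }
    '
}

# Print the interface the default route resolves to (route -n get default on stdin).
default_route_iface() {
    awk '/^[ \t]*interface:/ { print $2 }'
}

# $1 = intended uplink, $2 = ifconfig output, $3 = route output.
# Returns 0 when egress sits only on the intended uplink, 1 otherwise.
check_egress() {
    intended=$1
    actual=$(printf '%s\n' "$3" | default_route_iface)
    members=$(printf '%s\n' "$2" | egress_members)   # one name per line
    if [ "$actual" = "$intended" ] && [ "$members" = "$intended" ]; then
        echo "ok: default route and egress both on $intended"
        return 0
    fi
    # $members is left unquoted so multiple names print space-separated
    echo "MISMATCH: default route via '$actual', egress members:" $members \
         "(intended uplink: $intended)"
    return 1
}

# Constructed input, abbreviated from the ifconfig/route output quoted above.
IFCONFIG_OUT='ix0: flags=2008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LRO> mtu 1500
        groups: lan egress
        inet 192.168.1.6 netmask 0xffffff00 broadcast 192.168.1.255
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255'
ROUTE_OUT='   route to: 0.0.0.0
     gateway: 192.168.1.1
   interface: ix0
  if address: 192.168.1.6'

# The thread's intended uplink is em0; on this box the check reports a mismatch.
check_egress em0 "$IFCONFIG_OUT" "$ROUTE_OUT" || echo "egress-based pf rules are bound to the wrong interface"
```

On a live firewall, replace the two embedded strings with `"$(ifconfig)"` and `"$(route -n get default)"`; a non-zero exit is the signal to fix routing before trusting any rule that names egress.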