On 2026-06-13 17:14, Kenneth Gober wrote:
> On Sat, Jun 13, 2026 at 4:44 PM Aric Gregson <[email protected]> wrote:
>> On 2026-06-13 09:34, Kenneth Gober wrote:
>>> On Fri, Jun 12, 2026 at 10:06 PM Aric Gregson <[email protected]> wrote:
>>>>
>>>> I am struggling to figure this out and do not know what to try next, so
>>>> am asking for help. I am missing something simple, no doubt.
>>>>
>>>> Setting up a network gateway at home. Ultimately, I want to have a
>>>> backup internet, with fiber first then cable as a back-up. This is to
>>>> replace a Unifi solution that I started to use during the pandemic,
>>>> which maybe is not a good idea given the issues I am already having. :)
>>>>
>>>> I am just able to assign addresses, which it is now doing. I can 'ping'
>>>> and 'host' and ssh into the gateway from the client Openbsd computer. I
>>>> can also ping and host on the gateway computer running Fuguita (Openbsd
>>>> 7.9 release). I am able to 'dig @9.9.9.9 openbsd.org' and traceroute -I
>>>> is working as well. However, I cannot load any web pages and
>>>> applications, like Profanity, cannot login as they seemingly cannot find
>>>> the hosting site (conversations.im). Disabling pf does not change this
>>>> behavior.
>>>>
>>>
>>> Did you enable IP forwarding?
>>
>> Yes.
>
> In that case I suggest enabling logging. Insert a "match log" rule at the
> top of your ruleset, then observe which rules are being applied to packets
> using the following command:
>
> # tcpdump -len -i pflog0

I ran this and then tried to load a webpage from the client, tried to do
a pkg_add from the client. I did the same from the gateway (after
installing links).
The pkg_add returns an error:
ftp: connect: No route to host
and links fails to load the page. Same errors on the client.
Stopping the tcpdump command I get this output:
0 packets received by filter
0 packets dropped by kernel

> If you need to see how your rules are numbered:
>
> # pfctl -vv -s rules
>
> If packets you expect to be forwarded (passed) are being blocked instead,
> it means your pass rules aren't matching for some reason.
> You may need to open up your ruleset to allow more destination ports. Or
> remove the "port $client_out" entirely. It may be too restrictive.

I think this is true. It turns out that if I disable pf on the gateway,
I can install links via pkg_add and links will load the openbsd webpage.
When I start pf again, pkg_add and links again fail on the gateway.
For whatever reason, turning on and off pf on the gateway does not
affect the behaviour on the client.
I will pare down the ruleset, removing the port $client_out when I have
some more time and report back. Hopefully that solves the issue for both
the gateway and the client.

> Also confirm that the IP addresses you expect are indeed showing up
> in the tables you expect:
>
> # pfctl -vv -t leased_ip_table -T show

It does show the client connected.
Thank you very much!
Aric
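
An added illustration of the advice in this thread, not either poster's actual ruleset (which is not shown): a minimal pf.conf with the "match log" rule at the top and the port-restricted pass rule next to its relaxed form. Only `$client_out` and `leased_ip_table` come from the thread; the interface names `em0`/`em1` and the port list are assumptions.

```conf
# Constructed example. em0 (WAN), em1 (LAN) and the port list are
# assumptions; $client_out and <leased_ip_table> are named in the thread.
wan = "em0"
lan = "em1"
client_out = "{ 53, 80, 123, 443 }"

table <leased_ip_table> persist

set skip on lo

# Diagnostic rule from the thread: placed first so packets are logged
# to pflog0 whatever later rule decides their fate.
match log

# Default deny, logged so blocked packets show their rule number.
block log

# NAT for leased clients leaving via the WAN interface.
match out on $wan inet from <leased_ip_table> to any nat-to ($wan)

# Restrictive form: only the listed destination ports are forwarded.
# Anything else (for example XMPP on 5222) falls through to "block log".
# pass in on $lan inet proto { tcp, udp } from <leased_ip_table> \
#     to any port $client_out

# Relaxed form: no destination port restriction for leased clients.
pass in on $lan inet from <leased_ip_table> to any

# Outbound on the WAN: covers forwarded traffic after NAT and the
# gateway's own connections (pkg_add, links).
pass out on $wan inet

# Load and inspect:
#   pfctl -nf /etc/pf.conf      (syntax check only)
#   pfctl -f /etc/pf.conf
#   pfctl -vv -s rules          (rule numbers, as seen in pflog output)
#   tcpdump -len -i pflog0
```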