I'm in the process of evaluating whether to transition from a DSL line
over to a cable modem, and until February I'll have both hooked up to
my OpenBSD 3.8 box, which acts as a mail/web/NAT server.
I've got the new cable modem hooked up, it has an IP, and I can ping
its gateway...but using that connection to talk to the rest of the
world is not yet functional. Basically, if I ping the cable modem's IP,
attempt to SSH to it, etc. from the outside world, the packets come
into that interface...and then attempt to go out the interface hooked
to my DSL modem. Since I'm not sure if this is a route table issue or a
PF issue, I'll give my full config here:
* dc0 -- Cable modem at 70.174.128.234, gateway = 70.174.128.1
* fxp0 -- DSL line at 66.92.172.3, gateway = 66.92.172.1
* xl0 -- Internal LAN (192.168.2.0/24)
schnarff.com:~$ route -n show
Routing tables
Internet:
Destination        Gateway            Flags  Refs     Use    Mtu  Interface
default            66.92.172.1        UGS       0  344118      -  fxp0
66.92.172/24       link#3             UC        0       0      -  fxp0
66.92.172.1        00:90:1a:40:90:1c  UHLc      0       0      -  fxp0
66.92.172.3        00:07:e9:82:98:4c  UHLc      0    9787      -  lo0
66.92.172.50       127.0.0.1          UGHS      0       0  33224  lo0
66.92.172.117      127.0.0.1          UGHS      0       0  33224  lo0
66.92.172.156      127.0.0.1          UGHS      0       2  33224  lo0
70.174.128/23      link#1             UC        0       0      -  dc0
70.174.128.1       00:50:57:01:e6:69  UHLc      0      24      -  dc0
70.174.128.234     127.0.0.1          UGHS      0     121  33224  lo0
127/8              127.0.0.1          UGRS      0       1  33224  lo0
127.0.0.1          127.0.0.1          UH        0    4892  33224  lo0
192.168.2/24       link#2             UC        0       0      -  xl0
192.168.2.5        00:10:dc:5c:8d:9e  UHLc      0   25989      -  L xl0
192.168.2.255      link#2             UHLc      0      98      -  xl0
224/4              127.0.0.1          URS       0       0  33224  lo0
========================================================================
schnarff.com:~$ sudo cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.3 2001/11/16 22:53:24 dhartmei Exp $
#
# See pf.conf(5) for syntax and examples
# pass all packets in and out (these are the implicit first two rules)
ext_if=fxp0
ext_if2=dc0
ext_gw2="70.174.128.1"
int_if=xl0
tcp_ok = "{ 22, 25, 80, 143, 443, 993, 3306 }"
icmp_ok = "{ 8, 11 }"
table <NoRouteForYou> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                        10.0.0.0/8, 0.0.0.0/8, 224.0.0.0/4, 255.0.0.0/8 }
set block-policy drop
scrub out all no-df
scrub in all
altq on $ext_if priq bandwidth 1000Kb queue {std_out, tcp_ack_out}
queue std_out priq(default)
queue tcp_ack_out priority 6
nat on $ext_if from $int_if:network to any -> 66.92.172.3
# Default Block
block all
# Allow IPv6 traffic
pass in log quick on gif0 inet6 all
pass out log quick on gif0 inet6 all
pass in quick on fxp0 proto 41 all
pass out quick on fxp0 proto 41 all
# Allow Loopback Adapter
pass quick on lo0 all
# Disallow all illegal (i.e. spoofed) packets
block drop in log quick on $ext_if from <NoRouteForYou> to any
block drop out log quick on $ext_if from any to <NoRouteForYou>
# Allow inbound TCP/IP connections to specified ports
pass in log on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_ok flags S/SA keep state
pass in log on $ext_if2 inet proto tcp from any to ($ext_if2) \
port $tcp_ok flags S/SA keep state
# Allow inbound ICMP connections to specified ports
pass in log inet proto icmp all icmp-type $icmp_ok keep state
# Allow traffic within the local network
pass in on $int_if from $int_if:network to any keep state
# Allow firewall to connect to machines on local network
pass out on $int_if from any to $int_if:network keep state
# Allow outbound traffic
pass out log on $ext_if proto tcp all modulate state flags S/SA \
    queue tcp_ack_out
pass out log on $ext_if2 proto tcp all modulate state flags S/SA \
    queue tcp_ack_out
pass out log on $ext_if proto { udp, icmp, icmp6 } all keep state
pass out log on $ext_if2 proto { udp, icmp, icmp6 } all keep state
pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
========================================================================
It seems to me like the issue is probably the fact that my default
gateway is set to the interface hooked to the DSL line (fxp0), and that
I need appropriate PF or routing table magic to make requests that come
in on the cable modem use its gateway to get back out. Any ideas on how
I can do this?
Thanks,
Alex Kirk
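Added example (editor's note, not part of Alex's post or his pf.conf): the symptom described above is exactly what the routing table predicts. A connection that arrives on dc0 creates state, but when the reply leaves the box the kernel looks up the destination, finds only the default route, and hands the packet to fxp0. Likewise anything the firewall originates with 70.174.128.234 as its source address is routed to fxp0 before PF ever sees an "out on dc0" rule, so the posted `pass out on $ext_if2 route-to ...` line never matches. The standard PF answer is `reply-to` on the rules that create state for inbound connections on the non-default interface, and `route-to` on an "out on $ext_if" rule (the interface the routing table actually picks) for locally originated traffic sourced from the cable address. The fragment below assumes the macros `$ext_if`, `$ext_if2`, `$ext_gw2`, `$tcp_ok` and `$icmp_ok` exactly as defined in the posted pf.conf, and is meant to replace the posted `pass in ... on $ext_if2`, the interface-less ICMP rule, and the final `route-to` line; the existing `pass out ... on $ext_if2` rules stay, because PF re-evaluates the packet on dc0 after `route-to` redirects it there.

```pf
# Added example, not from the original post. Assumes the macros ext_if
# (fxp0), ext_if2 (dc0), ext_gw2 (70.174.128.1), tcp_ok and icmp_ok from
# the posted pf.conf.

# Inbound TCP on the cable interface: replies would otherwise follow the
# default route out fxp0. reply-to pins the reply direction of the state
# to dc0 and the cable gateway.
pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to ($ext_if2) port $tcp_ok flags S/SA keep state

# Same for ICMP echo arriving on dc0. The posted ICMP rule has no
# interface, so echo replies for the cable address also leave via fxp0.
pass in log on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto icmp \
    from any to ($ext_if2) icmp-type $icmp_ok keep state

# Traffic the firewall itself originates with the cable address as source.
# The routing table delivers it to fxp0, so match "out on $ext_if" (where
# the packet actually appears) and redirect it to dc0 with route-to.
# After the redirect PF evaluates the packet again on dc0, where the
# posted "pass out ... on $ext_if2" rules allow it.
pass out log on $ext_if route-to ($ext_if2 $ext_gw2) inet proto tcp \
    from ($ext_if2) to any modulate state flags S/SA
pass out log on $ext_if route-to ($ext_if2 $ext_gw2) inet proto { udp, icmp } \
    from ($ext_if2) to any keep state
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, and `pfctl -vsr` shows the loaded rules with their `reply-to`/`route-to` targets. Then, from an outside host, ssh to 70.174.128.234 while running `tcpdump -n -i dc0 port 22` on the firewall; with the rules above the SYN/ACK leaves on dc0, whereas with the posted config it shows up only on `tcpdump -n -i fxp0 port 22`. `pfctl -ss` lists the states; each state created by the dc0 rules carries the reply-to target, which is what keeps the return path on the cable side even though the default route still points at the DSL line.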