> Original Message
> On 4/3/25 08:18, Janne Johansson wrote:
>
> > The default route is given by an ip, then the kernel looks up which
> > interface contains the network for which the box can reach this ip in a
> > single hop. If it can, the route is now shown to be over this
Hi,
Your use case is an outlier. Having both interfaces on the same network
is not a standard configuration.
Just quit using the magic word "egress" in your pf.conf and use the
specific interface names.
I went years (I started using OpenBSD 2.6) before I discovered the
"egress" magic word.
Original Message
On 4/3/25 08:52, otto.cooper wrote:
> Original Message
> On 4/3/25 08:18, Janne Johansson wrote:
>
> > The default route is given by an ip, then the kernel looks up which
> > interface contains the network for which the box can reach t
On Monday, March 31st, 2025 at 6:09 PM, Zé Loff wrote:
> Per this configuration, both interfaces are on 192.168.1.0/24: one is
> .11, the other is .12.
> Since routing seems to work properly, I am assuming this was a copy/paste
> error.
No copy/paste error. Perhaps a real error on my side.
Reading hostname.if(5) and ifconfig(8) again, I understand that commands in
hostname.if are executed by ifconfig. Of interest here is the ifconfig command
"group"; hostname.if(8) does not say a word about this command, but it should
work. Of special interest here is the group "egress". hostname.
> You'll also have to tell all the machines in the LAN that their new
> gateway is at 192.168.1.6 (or whatever is the address of the firewall's
> internal interface). Otherwise they'll still be trying to reach
> 192.168.1.1 and won't be able to do so.
> Also, note that if the hosts in the LAN are
On Mon, Mar 31, 2025 at 05:58:18PM +, otto.cooper wrote:
>
> On Monday, March 31st, 2025 at 5:21 PM, Zé Loff wrote:
>
> > Any particular reason for having two different interfaces on the same
> > subnet, with the same priority? Can you communicate with machines
> > connected to the LAN switc
Since hostname.if executes ifconfig commands, I thought that using the command
"priority" would solve this case study, as some of you suggested. No, it does
not.
```
priority n
Set the interface routing priority to n. n is in the
range of 0 to 15 with smaller numbers being better. The
default
```
> The easy solution then would be to stick
>
> 192.168.1.1
>
> in /etc/mygate, then run doas sh /etc/netstart or equivalent
Done. No joy.
This is a firewall; I need egress to be on the right interface.
> If you are trying to setup a firewall, Peter Hansteen's "Book of PF" will
> surely help. It is not an absolute requirement, and you can wing it
> just by reading the man pages and asking around for help, but it will
> surely save you some time.
The book is on my desk.
On Monday, March 31st, 2025 at 5:21 PM, Zé Loff wrote:
> Any particular reason for having two different interfaces on the same
> subnet, with the same priority? Can you communicate with machines
> connected to the LAN switch with this setup?
The gateway is on 192.168.1.1, the lan is on 192.168
On Tue, Apr 01, 2025 at 07:09:14AM +, otto.cooper wrote:
> > The gateway is on 192.168.1.1, the lan is on 192.168.0/24. It is just the
> > way it is.
>
> As I said, the above line contains a typing error:
> 192.168.0/24 is the typing error,
> 192.168.1.0/24 is the correct data.
Then all I
> [Apologies to the non-USA readers for the pedantic text.]
Not at all. Nice contrast to much of the bla-bla recently.
Did you set /etc/mygate correctly? AFAIK egress is determined by the default
route.
> This is the result, in the order given by ifconfig:
[...]
> OpenBSD puts ix0 ahead of em0
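The claim above, that egress follows the default route, can be checked directly on the box with `route -n get default` and `ifconfig`. What follows is an added example, not code from the thread or from OpenBSD: two small parsers over that output and a comparison against the interface you intend to be the WAN side. The sample outputs are constructed to mirror the setup described in the thread (ix0 toward the LAN switch, em0 toward the gateway at 192.168.1.1, both on 192.168.1.0/24 in the first sample); the exact layout of the route(8) and ifconfig(8) output is assumed from current OpenBSD releases.

```shell
#!/bin/sh
# Added example (not from the thread): find out which interface OpenBSD put in
# the "egress" group and whether that is the interface you meant as WAN.
# On a real box the two inputs come from `route -n get default` and `ifconfig`;
# the samples below are CONSTRUCTED, modelled on the thread's setup
# (ix0 = LAN switch, em0 = ISP gateway, both on 192.168.1.0/24).

# Interface the kernel resolved the default route through.
# $1: text of `route -n get default`
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "interface:" { print $2; exit }'
}

# Interfaces whose "groups:" line lists egress, one per line.
# $1: text of `ifconfig`
egress_members() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "groups:"  { for (i = 2; i <= NF; i++) if ($i == "egress") print iface }
    '
}

# Returns 0 if $3 is both the default route's interface and the only egress
# member, 1 otherwise (with a one-line diagnosis on stdout).
check_egress() {
    via=$(default_route_iface "$1")
    members=$(egress_members "$2" | tr '\n' ' ')
    if [ "$via" = "$3" ] && [ "$members" = "$3 " ]; then
        echo "ok: default route and egress both on $3"
        return 0
    fi
    echo "mismatch: default route via '$via', egress = [$members], wanted $3"
    return 1
}

# Constructed sample 1: the state the thread complains about. Both interfaces
# hold 192.168.1.0/24, the kernel resolved 192.168.1.1 over ix0 (index 1), so
# ix0 is egress although em0 is the cable to the gateway.
ROUTE_BAD='   route to: default
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: ix0
 if address: 192.168.1.12
   priority: 8 (static)
      flags: <UP,GATEWAY,DONE,STATIC>'
IFCONFIG_BAD='ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        index 1 priority 0 llprio 3
        groups: egress
        inet 192.168.1.12 netmask 0xffffff00 broadcast 192.168.1.255
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        index 2 priority 0 llprio 3
        inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255'

# Constructed sample 2: the LAN side moved to its own subnet, so 192.168.1.1
# is reachable only through em0 and egress follows the default route there.
ROUTE_GOOD='   route to: default
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: em0
 if address: 192.168.1.11
   priority: 8 (static)
      flags: <UP,GATEWAY,DONE,STATIC>'
IFCONFIG_GOOD='ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        index 1 priority 0 llprio 3
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        index 2 priority 0 llprio 3
        groups: egress
        inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255'

check_egress "$ROUTE_BAD"  "$IFCONFIG_BAD"  em0 || :   # reports the mismatch
check_egress "$ROUTE_GOOD" "$IFCONFIG_GOOD" em0        # reports ok
```

On a live firewall the same check is `check_egress "$(route -n get default)" "$(ifconfig)" em0`; a mismatch means the gateway address was resolved over a connected route on another interface, which is what happens when two interfaces carry the same subnet, and no hostname.if `group` or `priority` line changes which interface the kernel picked for that lookup.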
On Wed, Apr 02, 2025 at 10:44:03AM +, otto.cooper wrote:
> Reading hostname.if(5) and ifconfig(8) again, I understand that commands in
> hostname.if are executed by ifconfig. Of interest here is the ifconfig
> command "group"; hostname.if(8) does not say a word about this command, but
> it s
On Wednesday, April 2nd, 2025 at 5:50 PM, Claudio Jeker wrote:
> As long as the default route points to ix0 the egress will be in ix0.
This is what I want to understand. Physically, the default route is the
gateway. I am in the firewall, trying to configure a specific interface, to
point at
> I am still stuck with the basic case of one firewall for one ISP, because in
> the PCI bus the interface connecting with the LAN switch (ix0) sits before
> the interface connecting with the gateway (em0), causing obsd to assign ix0
> to egress. Attempts to correct this via hostname have failed
On Thu, Apr 03, 2025 at 06:52:32AM +, otto.cooper wrote:
>
> Original Message
> On 4/3/25 08:18, Janne Johansson wrote:
>
> > The default route is given by an ip, then the kernel looks up which
> > interface contains the network for which the box can reach this ip in a
I tried to avoid this thread by using some in-client muting techniques that
were not absolutely effective, unfortunately.
I think that at some point in the future, the original poster will
discover that displaying extremely limited knowledge of networking and
refusing to take advice, choosing ins
Original Message
On 4/3/25 08:18, Janne Johansson wrote:
> The default route is given by an ip, then the kernel looks up which
> interface contains the network for which the box can reach this ip in a
> single hop. If it can, the route is now shown to be over this interfac
Den ons 2 apr. 2025 kl 19:58 skrev otto.cooper :
> On Wednesday, April 2nd, 2025 at 5:50 PM, Claudio Jeker wrote:
> > As long as the default route points to ix0 the egress will be in ix0.
>
> This is what I want to understand. Physically, the default route is the
> gateway. I am in the firewal
Lessons learned are gold.
I am still stuck with the basic case of one firewall for one ISP, because in
the PCI bus the interface connecting with the LAN switch (ix0) sits before the
interface connecting with the gateway (em0), causing obsd to assign ix0 to
egress. Attempts to correct this via h
On Wednesday, April 2nd, 2025 at 5:50 PM, Claudio Jeker wrote:
> egress works. As long as the default route points to ix0 the egress will be
> in ix0.
egress works in the sense that it is singing it and dancing it all by itself,
because if I start the firewall, egress is the LAN which is su
> The problem is the conflict that occurs naturally when connecting any two
> ISPs.
In my not at all humble opinion, with this topology (each ISP presenting the
same subnet on its client side), I would use multiple firewalls. One per ISP.
Use carp if you want to failover or do fancy tricks
On Wed, Apr 02, 2025 at 07:31:50PM +0200, Janne Johansson wrote:
> Den ons 2 apr. 2025 kl 17:08 skrev otto.cooper :
> >
> > > The interfaces the default routes point to are members of the "egress"
> > > interface group. --- ifconfig(8)
> >
> > Note the plural.
> > If I connect all interfaces to th
I think I am reading it backwards. "The interfaces the default routes point to"
is different than "the interfaces pointing at the default route". The subject
in the sentence is "the default routes".
On Wednesday, April 2nd, 2025 at 5:31 PM, Janne Johansson wrote:
> Den ons 2 apr. 2025 kl 17:0
Den ons 2 apr. 2025 kl 17:08 skrev otto.cooper :
>
> > The interfaces the default routes point to are members of the "egress"
> > interface group. --- ifconfig(8)
>
> Note the plural.
> If I connect all interfaces to the gateway, only index 1 is promoted to
> egress.
The plural is because ipv4 a
The relevant piece of code seems to be src/sys/net/if.c lines 2912-2966: "add a
group to an interface". This code is for the initiated, as expected. The title
is counterintuitive, because an interface is a physical interface, to be added
to a logical group like egress. So, I am not sure this is
> The interfaces the default routes point to are members of the "egress"
> interface group. --- ifconfig(8)
Note the plural.
If I connect all interfaces to the gateway, only index 1 is promoted to egress.
On all OpenBSD systems around here, the interface with index 1 is the only one
in group egress. It seems that OpenBSD blindly does so, based on what interface
comes first at boot time (and its live connection), which depends on its
position on the PCI bus, which ultimately defines its ifconfig "
Have you looked at rdomains to deal with multiple ISPs providing conflicting
networks?
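Taking up the rdomain suggestion: the following is an added example, not configuration from the thread or from OpenBSD's own documentation. It stages one hostname.if per interface so that each ISP's 192.168.1.0/24 lives in its own routing domain, adds a pf.conf fragment that steers LAN traffic into one of those domains, and then checks the staged files for the conflict this thread is about (two interfaces in the same routing domain carrying the same prefix). Interface names em0/em1/ix0 and the gateway address 192.168.1.1 follow the thread; the LAN moving to 192.168.2.0/24, the rdomain numbers 1 and 2, and the pf rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): put each ISP-facing interface in its own
# routing domain so two ISPs handing out the same 192.168.1.0/24 stop clashing,
# and check a set of hostname.if files for same-rdomain subnet overlap before
# running netstart. em0/em1/ix0 and the 192.168.1.1 gateway follow the thread;
# the LAN subnet 192.168.2.0/24, rdomains 1 and 2 and the pf rules are assumed.

# Stage hostname.if files and a pf.conf fragment under $1 (a scratch directory
# here; on the firewall they would go to /etc, followed by `sh /etc/netstart`).
stage_config() {
    cat > "$1/hostname.em0" <<'EOF'
rdomain 1
inet 192.168.1.11 255.255.255.0
!route -T 1 add -inet default 192.168.1.1
EOF
    cat > "$1/hostname.em1" <<'EOF'
rdomain 2
inet 192.168.1.12 255.255.255.0
!route -T 2 add -inet default 192.168.1.1
EOF
    cat > "$1/hostname.ix0" <<'EOF'
inet 192.168.2.1 255.255.255.0
EOF
    # LAN traffic enters in rdomain 0 and is handed to ISP A's table (rtable 1);
    # change to rtable 2 for ISP B. Interfaces are named explicitly, not "egress".
    cat > "$1/pf.conf" <<'EOF'
lan_if  = "ix0"
lan_net = "192.168.2.0/24"
match out on em0 inet from $lan_net nat-to (em0)
match out on em1 inet from $lan_net nat-to (em1)
pass in on $lan_if inet from $lan_net to any rtable 1
pass out on { em0 em1 } inet
EOF
}

# Print "rdomain iface network/len" for every static inet line in $1/hostname.*
# (rdomain 0 when no rdomain line is present; autoconf/dhcp lines are skipped).
inet_prefixes() {
    for f in "$1"/hostname.*; do
        awk -v iface="${f##*/hostname.}" '
        function masklen(m,   p, i, x, n) {
            split(m, p, "."); n = 0
            for (i = 1; i <= 4; i++) { x = p[i] + 0
                while (x > 0) { if (x % 2 == 1) n++; x = int(x / 2) } }
            return n
        }
        function network(a, m,   pa, pm, i, blk, sep, out) {
            split(a, pa, "."); split(m, pm, "."); out = ""
            for (i = 1; i <= 4; i++) {
                blk = 256 - pm[i]; sep = (i > 1) ? "." : ""
                out = out sep (int(pa[i] / blk) * blk)
            }
            return out "/" masklen(m)
        }
        $1 == "rdomain" { rd = $2 }
        $1 == "inet" {
            a = $2; m = $3
            if (a == "alias") { a = $3; m = $4 }
            if (a ~ /^[0-9.]+$/ && m ~ /^[0-9.]+$/) {
                r = (rd == "") ? 0 : rd
                print r, iface, network(a, m)
            }
        }' "$f"
    done
}

# Exit 1 and name the pair when two interfaces in one rdomain share a prefix.
conflicting_subnets() {
    inet_prefixes "$1" | awk '
        { key = $1 " " $3
          if (key in seen) {
              print "conflict: rdomain " $1 ": " seen[key] " and " $2 " both on " $3
              bad = 1
          } else seen[key] = $2 }
        END { exit bad }'
}

STAGE=$(mktemp -d)
stage_config "$STAGE"
conflicting_subnets "$STAGE"          # silent: the overlap is split across rdomains 1 and 2

# For contrast, the thread's flat layout: everything in rdomain 0.
FLAT=$(mktemp -d)
printf 'inet 192.168.1.11 255.255.255.0\n' > "$FLAT/hostname.em0"
printf 'inet 192.168.1.12 255.255.255.0\n' > "$FLAT/hostname.ix0"
conflicting_subnets "$FLAT" || :     # conflict: rdomain 0: em0 and ix0 both on 192.168.1.0/24
rm -rf "$STAGE" "$FLAT"
```

On a live box `doas sh -c '. ./this.sh; conflicting_subnets /etc'` runs the same check against the real files (they are not world-readable). Because the ISP default routes then live in rtables 1 and 2, the pf.conf fragment names em0 and em1 explicitly instead of relying on the egress group, in line with the advice given earlier in the thread.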
On April 1, 2025 10:57:56 AM MDT, Brian Conway wrote:
>> If I put em0 and em1 on DHCP, and connect each to their own
>> gateway/router, they will get their respective configuration, but this
>> does not solve
> If I put em0 and em1 on DHCP, and connect each to their own
> gateway/router, they will get their respective configuration, but this
> does not solve the problem. Consider the case where both ISPs use
> 192.168.1.1/24: em0 and em1 will get two configurations for apparently
> the same network,
Thank you for the recommendations. I appreciate it.
> Your LAN does *not* have to be in the same network segment as your ISP
> gateway.
Agreed.
The problem is the conflict that occurs naturally when connecting any two ISPs.
> If your ISP changes the configuration of the gateway it provides, o
> Then all I and Peter Hansteen said stand true. Having both interfaces
> on the same subnetwork won't work easily without unnecessarily
> complicated routing "hacks". Simply move one of the sides of the
> network to a different subnet and go from there.
It has been working for 20+ years and n
On Tue, Apr 01, 2025 at 10:32:26AM +, otto.cooper wrote:
> It is only a coincidence that we have two gateways and the LAN
> apparently on the same sub-network. When opening an account with an
> ISP, their gateway/router comes as part of the contract, it is a
> hardware device, and it may have *
On Tue, Apr 01, 2025 at 07:47:09AM +, otto.cooper wrote:
>
> > Then all I and Peter Hansteen said stand true. Having both interfaces
> > on the same subnetwork won't work easily without unnecessarily
> > complicated routing "hacks". Simply move one of the sides of the
> > network to a differ
It is only a coincidence that we have two gateways and the LAN apparently on
the same sub-network. When opening an account with an ISP, their gateway/router
comes as part of the contract; it is a hardware device, and it may have *any*
*non-customizable* RFC-1918 address. One cannot and must not
I think this is the right direction.
On Tuesday, April 1st, 2025 at 8:42 AM, Claudio Jeker wrote:
> On Tue, Apr 01, 2025 at 07:47:09AM +, otto.cooper wrote:
>
> > > Then all I and Peter Hansteen said stand true. Having both interfaces
> > > on the same subnetwork won't work easily without
> > To be precise, I have all editions. The one on my desk is the third
> > edition, 2015.
>
> The book does not answer the question of how to add or remove an interface
> on egress using hostname.if.
> The book uses egress. If I were to use the book, I would have my LAN on the
> internet. So
> > > > If you are trying to setup a firewall, Peter Hansteen's "Book of PF"
> > > > will
> > > > surely help. It is not an absolute requirement, and you can wing it
> > > > just by reading the man pages and asking around for help, but it will
> > > > surely save you some time.
> > >
> > > The
On Tuesday, April 1st, 2025 at 7:54 AM, otto.cooper wrote:
> On Tuesday, April 1st, 2025 at 7:52 AM, otto.cooper otto.coo...@proton.me
> wrote:
>
> > > If you are trying to setup a firewall, Peter Hansteen's "Book of PF" will
> > > surely help. It is not an absolute requirement, and you can wi
> The gateway is on 192.168.1.1, the lan is on 192.168.0/24. It is just the way
> it is.
As I said, the above line contains a typing error:
192.168.0/24 is the typing error,
192.168.1.0/24 is the correct data.
This is the current setup.
Gateways
---
192.168.1.1 is the first gateway
On Tuesday, April 1st, 2025 at 7:52 AM, otto.cooper wrote:
> > If you are trying to setup a firewall, Peter Hansteen's "Book of PF" will
> > surely help. It is not an absolute requirement, and you can wing it
> > just by reading the man pages and asking around for help, but it will
> > surely sa
Sorry, when you mentioned a typo I thought you were referring to the content of
hostname.if.
The network is 192.168.1.1/24.
On Mon, Mar 31, 2025 at 06:19:08PM +, otto.cooper wrote:
>
> On Monday, March 31st, 2025 at 6:09 PM, Zé Loff wrote:
>
> > Per this configuration, both interfaces are on 192.168.1.0/24: one is
> > .11, the other is .12.
>
> > Since routing seems to work properly, I am assuming this was a co
On Monday, March 31st, 2025 at 5:21 PM, Zé Loff zel...@zeloff.org wrote:
> Can you communicate with machines connected to the LAN switch with this setup?
Yes.
On Mon, Mar 31, 2025 at 04:39:47PM +, otto.cooper wrote:
> [Apologies to the non-USA readers for the pedantic text.]
>
> Problem
> ---
>
> In a machine with 4 Ethernet interfaces, OpenBSD sets to egress the wrong
> interface.
>
> This is the initial configuration:
>
> ```
> > cat /etc/
> ```
[Apologies to the non-USA readers for the pedantic text.]
Problem
---
In a machine with 4 Ethernet interfaces, OpenBSD sets to egress the wrong
interface.
This is the initial configuration:
```
> cat /etc/hostname.em0
inet 192.168.1.11 255.255.255.0 192.168.1.255
up
> cat /etc/hostname.em
```