[Semibug] OpenBSD Firewall help needed

Mark Moellering markmoellering at psyberation.com
Tue Dec 8 17:02:20 EST 2020


Everyone,

I built my own OpenBSD firewall using an Ubiquiti EdgeRouter.

Here is the layout:

The internet comes into the firewall on cnmac1

The internet goes out on cnmac2 to a Netgear GS608 V2 router.

The router connects to a local server and PC on 192.168.1.xx, where xx is 3 or greater.

The router connects to a wireless router on 192.168.1.1. All devices on the wireless network are on 192.168.2.0/24.

In my sysctl.conf I have:

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets


If I try to ping my wireless printer from my PC, I get the following:

PING 192.168.2.115 (192.168.2.115) 56(84) bytes of data.
From 192.168.1.254 icmp_seq=1 Redirect Host(New nexthop: 1.1.168.192)

The firewall can't see anything on the 192.168.2.0/24 network, nor can it ping 192.168.1.1. I think I am missing something important but have no idea what.


I have included my hostname.cnmac2 file, dhcpd.conf file, the output of 
route show and my hosts file.


Any help is greatly appreciated


Thanks


Mark




Here are my files:

--- hostname.cnmac2 ---

inet 192.168.1.254 255.255.255.0

!route add -inet 192.168.2.0/24 192.168.1.1

--- END ---


--- dhcpd.conf ---

option  domain-name "psyberation.com";
option  domain-name-servers 192.195.36.253, 192.195.36.254, 208.67.222.222, 208.67.220.220;

subnet 192.168.1.0 netmask 255.255.255.0 {
         option routers 192.168.1.254;
         option domain-name-servers 192.168.1.254;
         range 192.168.1.3 192.168.1.127;

         host Linksys02868 {
                 hardware ethernet c0:56:27:c7:ba:de;
                 fixed-address 192.168.1.1;
                 option domain-name "psyberation.com";
         }

}

--- END ---


Output from: route show

Routing tables

Internet:
Destination         Gateway             Flags  Refs    Use   Mtu  Prio Iface
default             XXX.XX.XXX.X        UGS       5  43850     -     8 cnmac1
base-address.mcast  localhost           URS       0      0 32768     8 lo0
127/8               localhost           UGRS      0      0 32768     8 lo0
localhost           localhost           UHhl      1      2 32768     1 lo0
XXX.XX.XXX/24       XXX.XX.XXX.X        UCn       1   3014     -     4 cnmac1
XXX.XX.XXX.X        cc:4e:24:93:e7:00   UHLch     1   1513     -     3 cnmac1
XXX.XX.XXX.XXX      b4:fb:e4:8a:e4:5e   UHLl      0    259     -     1 cnmac1
XXX.XX.XXX.X        XXX.XX.XXX.XXX      UHb       0      0     -     1 cnmac1
192.168.1/24        firewall            UCn       6      0     -     4 cnmac2
192.168.1.1         c0:56:27:c7:ba:de   UHLc      1  25130     -     3 cnmac2
192.168.1.2         00:0e:08:f1:04:13   UHLc      0    223     -     3 cnmac2
192.168.1.3         ce0:d5:5e:6c:9f:b0  UHLc      1   8349     -     3 cnmac2
mercury             cc0:4a:00:02:c2:a3  UHLc      1   2185     -     3 cnmac2
mail                cc0:4a:00:02:c2:a3  UHLc      0    223     -     3 cnmac2
192.168.1.203       ccc0:4a:00:02:c2:a3 UHLc      0     15     -     3 cnmac2
firewall            cb4:fb:e4:8a:e4:5f  UHLl      0   1533     -     1 cnmac2
192.168.1.255       firewall            UHb       0      0     -     1 cnmac2
192.168.2/24        192.168.1.1         UGS       0      0     -     8 cnmac2



--- hosts file ---

127.0.0.1       localhost
::1             localhost
192.168.1.254   firewall.psyberation.com firewall

192.168.1.200   mercury.psyberation.com  mercury
192.168.1.202   mail.psyberation.com     mail

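As an added illustration (not part of Mark's post, nor OpenBSD code), the following Python models the firewall's forwarding decision from the route show output above and reproduces why the PC receives an ICMP host redirect: the route to 192.168.2/24 points back out cnmac2 at 192.168.1.1, the same segment the PC sits on, so the firewall tells the PC to send there directly (old iputils ping prints that nexthop byte-reversed, 1.1.168.192 being 192.168.1.1). The WAN addresses are masked in the post, so placeholders from 203.0.113.0/24 are assumed.

```python
import ipaddress
from typing import Optional, Tuple

# Routing table reconstructed from the route show output in the post:
# (destination, gateway or None when directly connected, interface).
# The WAN gateway is masked as XXX in the post, so a placeholder is used.
ROUTES = [
    ("0.0.0.0/0",      "203.0.113.1", "cnmac1"),  # default; placeholder gateway
    ("192.168.1.0/24", None,          "cnmac2"),  # LAN, directly connected
    ("192.168.2.0/24", "192.168.1.1", "cnmac2"),  # from !route add in hostname.cnmac2
]

# Address configured on each interface (cnmac2 from hostname.cnmac2; WAN is a placeholder).
IFACE_ADDR = {
    "cnmac2": ipaddress.ip_interface("192.168.1.254/24"),
    "cnmac1": ipaddress.ip_interface("203.0.113.2/24"),  # placeholder, masked in post
}


def lookup(dst: str) -> Tuple[ipaddress.IPv4Network, Optional[str], str]:
    """Longest-prefix match over ROUTES, as the kernel forwarding path does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best


def forward(src: str, dst: str, in_iface: str) -> Tuple[str, str, str]:
    """Decide what the firewall does with a packet it is asked to route.

    Returns ("redirect", next_hop, iface) when the RFC 1122 host-redirect
    conditions hold: the packet would leave on the interface it arrived on
    and the sender is on that interface's attached subnet, so it could reach
    the next hop itself. Otherwise returns ("forward", next_hop, iface).
    """
    _, gw, out_iface = lookup(dst)
    next_hop = gw if gw is not None else dst  # directly connected: deliver to dst
    sender = ipaddress.ip_address(src)
    if out_iface == in_iface and sender in IFACE_ADDR[in_iface].network:
        return ("redirect", next_hop, out_iface)
    return ("forward", next_hop, out_iface)
```

Running forward("192.168.1.3", "192.168.2.115", "cnmac2") yields the redirect to 192.168.1.1 seen in the ping output, while the reverse direction and traffic bound for the internet are forwarded normally.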

