[nycbug-talk] OpenBSD PF help
Barry Kominik
bkominik at gmail.com
Wed Jun 13 15:06:14 EDT 2007
> From what I see, you have some machines which don't use your router at
> all.. What interface is the 1.1.1.1 ip assigned to? Is that your
> router or the colo?
>
> -jesse
>
The handoff network is 1.1.1.232/29 connected to bge0.
The inside is 2.2.2.224/28 connected to bge1.
The networks do not overlap. The firewall machine can access the
internet fine. I get "ping: unknown host xxx.com". A tcpdump on the
south interface, bge1, shows the packets going to the dns server. A
dump on the north side, bge0, shows the request going out and the
response coming back. The response never traverses the router. I have
net.inet.ip.forwarding=1. pf is not running. Does bge0 need to be
in promiscuous mode in order to process the packets?
$ netstat -rn -f inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 1.1.1.233 UGS 9 311171 - bge0
10.1.1/24 link#1 UC 0 0 - nfe0
2.2.2.224/28 link#4 UC 4 0 - bge1
2.2.2.225 00:05:dc:93:38:00 UHLc 0 0 - bge1
2.2.2.226 00:1b:24:3d:73:5f UHLc 0 3543 - lo0
2.2.2.234 00:17:f2:c7:ef:15 UHLc 2 4828 - L bge1
2.2.2.237 00:14:4f:7d:a1:34 UHLc 1 334 - bge1
127/8 127.0.0.1 UGRS 0 0 33192 lo0
127.0.0.1 127.0.0.1 UH 1 210 33192 lo0
1.1.1.232/29 link#3 UC 1 0 - bge0
1.1.1.233 00:05:dc:93:38:00 UHLc 1 0 - bge0
224/4 127.0.0.1 URS 0 0 33192 lo0
$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1b:24:3d:73:60
media: Ethernet 1000baseT full-duplex (none)
status: no carrier
inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
inet6 fe80::21b:24ff:fe3d:7360%nfe0 prefixlen 64 scopeid 0x1
nfe1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1b:24:3d:73:61
media: Ethernet autoselect (none)
status: no carrier
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1b:24:3d:73:5e
groups: egress
media: Ethernet 100baseTX full-duplex
status: active
inet 1.1.1.235 netmask 0xfffffff8 broadcast 1.1.1.239
inet6 fe80::21b:24ff:fe3d:735e%bge0 prefixlen 64 scopeid 0x3
bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:1b:24:3d:73:5f
media: Ethernet 1000baseT full-duplex (1000baseT full-duplex,master)
status: active
inet 2.2.2.226 netmask 0xfffffff0 broadcast 2.2.2.239
inet6 fe80::21b:24ff:fe3d:735f%bge1 prefixlen 64 scopeid 0x4
pflog0: flags=0<> mtu 33192
enc0: flags=0<> mtu 1536
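To make the forwarding question concrete, here is an added Python walkthrough (not part of the original thread, and not OpenBSD code) that replays the kernel's route lookup over the routing table posted above. The table is a constructed copy of the `netstat -rn` output from the post; the `forwarding_decision` function and its return strings are an assumed model of the decision the router makes for a packet arriving on one interface, covering the two cases the post describes: the DNS reply arriving on bge0 for an inside host, and the query from an inside host leaving via the default route. With pf not running, no filter rule is consulted, so the routing lookup and the forwarding sysctl are the only two things that decide whether a reply crosses from bge0 to bge1.

```python
"""Replay the router's route lookup for the routing table in the post.

Added example, not from the original thread. The table below is a
constructed copy of the netstat -rn output shown in the post (header
lines omitted); the stray "L" token on one line is kept as posted and
skipped because the parser takes the interface from the last field.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway flags iface")

NETSTAT_OUTPUT = """\
default 1.1.1.233 UGS 9 311171 - bge0
10.1.1/24 link#1 UC 0 0 - nfe0
2.2.2.224/28 link#4 UC 4 0 - bge1
2.2.2.225 00:05:dc:93:38:00 UHLc 0 0 - bge1
2.2.2.226 00:1b:24:3d:73:5f UHLc 0 3543 - lo0
2.2.2.234 00:17:f2:c7:ef:15 UHLc 2 4828 - L bge1
2.2.2.237 00:14:4f:7d:a1:34 UHLc 1 334 - bge1
127/8 127.0.0.1 UGRS 0 0 33192 lo0
127.0.0.1 127.0.0.1 UH 1 210 33192 lo0
1.1.1.232/29 link#3 UC 1 0 - bge0
1.1.1.233 00:05:dc:93:38:00 UHLc 1 0 - bge0
224/4 127.0.0.1 URS 0 0 33192 lo0
"""


def parse_destination(dest):
    """Turn a BSD-style destination ("default", "10.1.1/24", "2.2.2.225")
    into an ip_network. BSD prints networks with trailing zero octets
    dropped, and a bare address is a host route (/32)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
    else:
        addr, plen = dest, "32"
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen)


def parse_routes(text):
    """Parse the body of netstat -rn -f inet into Route tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        routes.append(Route(parse_destination(fields[0]),
                            fields[1], fields[2], fields[-1]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the same rule the kernel's radix tree applies:
    a host route beats the connected network, which beats the default."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def forwarding_decision(routes, dst, in_iface, ip_forwarding):
    """Assumed model of what the router does with a packet for dst that
    arrived on in_iface. A route via lo0 means the address is the
    router's own; anything else needs net.inet.ip.forwarding=1."""
    route = lookup(routes, dst)
    if route is None:
        return "drop: no route"
    if route.iface == "lo0":
        return "deliver locally"
    if not ip_forwarding:
        return "drop: net.inet.ip.forwarding=0"
    if route.iface == in_iface:
        return "forward out %s (back out the ingress interface)" % route.iface
    return "forward out %s" % route.iface


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_OUTPUT)
    # DNS reply arriving on the north side for an inside host.
    print("reply to 2.2.2.234 on bge0:",
          forwarding_decision(routes, "2.2.2.234", "bge0", ip_forwarding=1))
    # Query from an inside host arriving on the south side.
    print("query to 8.8.8.8 on bge1:",
          forwarding_decision(routes, "8.8.8.8", "bge1", ip_forwarding=1))
    # Same reply with forwarding switched off.
    print("reply with forwarding=0:",
          forwarding_decision(routes, "2.2.2.234", "bge0", ip_forwarding=0))
```

If the lookup for the reply's destination lands on bge1 and forwarding is on, the kernel will forward it without the receiving interface being in promiscuous mode, since the frame is already addressed to bge0's own MAC; what remains to check at that point is whether the reply actually carries an inside address as its destination (a tcpdump on bge0 filtered on `dst net 2.2.2.224/28` shows that directly) and, once pf is enabled, whether the pass rules on both interfaces admit it.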