[nycbug-talk] OpenBSD PF help

Barry Kominik bkominik at gmail.com
Wed Jun 13 15:06:14 EDT 2007

> From what I see, you have some machines which don't use your router at
> all.. What interface is the IP assigned to? Is that your
> router or the colo?
> -jesse

The handoff network is connected to bge0.
The inside is connected to bge1.

The networks do not overlap. The firewall machine can access the
internet fine. I get "ping: unknown host xxx.com". A tcpdump on the
south interface, bge1, shows the packets going to the DNS server. A
dump on the north side, bge0, shows the request going out and the
response coming back. The response never traverses the router. I have
net.inet.ip.forwarding=1. pf is not running. Does bge0 need to be
in promiscuous mode in order to process the packets?

$ netstat -rn -f inet
Routing tables

Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default                               UGS         9   311171      -   bge0
10.1.1/24          link#1             UC          0        0      -   nfe0
                   link#4             UC          4        0      -   bge1
                   00:05:dc:93:38:00  UHLc        0        0      -   bge1
                   00:1b:24:3d:73:5f  UHLc        0     3543      -   lo0
                   00:17:f2:c7:ef:15  UHLc        2     4828      - L bge1
                   00:14:4f:7d:a1:34  UHLc        1      334      -   bge1
127/8                                 UGRS        0        0  33192   lo0
                                      UH          1      210  33192   lo0
                   link#3             UC          1        0      -   bge0
                   00:05:dc:93:38:00  UHLc        1        0      -   bge0
224/4              URS         0        0  33192   lo0

$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        groups: lo
         inet netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        lladdr 00:1b:24:3d:73:60
        media: Ethernet 1000baseT full-duplex (none)
        status: no carrier
        inet netmask 0xffffff00 broadcast
        inet6 fe80::21b:24ff:fe3d:7360%nfe0 prefixlen 64 scopeid 0x1
nfe1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:24:3d:73:61
        media: Ethernet autoselect (none)
        status: no carrier
        lladdr 00:1b:24:3d:73:5e
        groups: egress
        media: Ethernet 100baseTX full-duplex
        status: active
        inet netmask 0xfffffff8 broadcast
        inet6 fe80::21b:24ff:fe3d:735e%bge0 prefixlen 64 scopeid 0x3
        lladdr 00:1b:24:3d:73:5f
        media: Ethernet 1000baseT full-duplex (1000baseT full-duplex,master)
        status: active
        inet netmask 0xfffffff0 broadcast
        inet6 fe80::21b:24ff:fe3d:735f%bge1 prefixlen 64 scopeid 0x4
pflog0: flags=0<> mtu 33192
enc0: flags=0<> mtu 1536

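As an added worked example, not part of Barry's post or of any reply on the list, here is a small Python script that parses the kind of "netstat -rn -f inet" table quoted above and makes the forwarding question mechanical: which interface the default route uses, which networks are directly connected on which interface, which interface a packet for a given destination would be forwarded out of (longest-prefix match, the decision the kernel makes once net.inet.ip.forwarding=1), and whether one link-layer next hop appears on both sides of the router. The interface names, flags and MAC addresses follow the posted table; the IP addresses are assumptions (RFC 5737 documentation ranges: 192.0.2.0/29 for the handoff /29 on bge0, 198.51.100.0/28 for the inside /28 on bge1), because the archive stripped the real ones.

```python
"""Parse OpenBSD `netstat -rn -f inet` output and answer the questions a
route table can answer: default route, directly connected networks,
the outgoing interface for a given destination, and link-layer next hops
shared by two interfaces.  Added example; the table below is CONSTRUCTED
(interface names, flags and MACs follow the post, IP addresses are
hypothetical RFC 5737 documentation ranges)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the post's table.  192.0.2.0/29 stands in
# for the handoff /29 on bge0, 198.51.100.0/28 for the inside /28 on bge1.
SAMPLE = """\
Routing tables

Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            192.0.2.1          UGS         9   311171      -   bge0
10.1.1/24          link#1             UC          0        0      -   nfe0
127/8              127.0.0.1          UGRS        0        0  33192   lo0
127.0.0.1          127.0.0.1          UH          1      210  33192   lo0
192.0.2/29         link#3             UC          1        0      -   bge0
192.0.2.1          00:05:dc:93:38:00  UHLc        1        0      -   bge0
198.51.100/28      link#4             UC          4        0      -   bge1
198.51.100.1       00:05:dc:93:38:00  UHLc        0        0      -   bge1
198.51.100.2       00:1b:24:3d:73:5f  UHLc        0     3543      -   lo0
198.51.100.3       00:17:f2:c7:ef:15  UHLc        2     4828      -   bge1
198.51.100.4       00:14:4f:7d:a1:34  UHLc        1      334      -   bge1
224/4              127.0.0.1          URS         0        0  33192   lo0
"""

# dest gateway flags refs use mtu iface; header lines fail on the \d+ fields
ROUTE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+([A-Za-z]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_routes(text):
    """Return one dict per route line; header and blank lines do not match."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dest, gw, flags, _refs, _use, _mtu, iface = m.groups()
            routes.append({"dest": dest, "gw": gw, "flags": flags,
                           "iface": iface})
    return routes


def to_network(dest):
    """Expand netstat's short forms ('127/8', '10.1.1/24', bare host)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
        octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
        return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)
    return ipaddress.ip_network(f"{dest}/32")


def default_route(routes):
    """(gateway, interface) of the default route, or None if there is none."""
    for r in routes:
        if r["dest"] == "default":
            return r["gw"], r["iface"]
    return None


def connected_networks(routes):
    """Directly attached networks: cloning (C) routes whose gateway is link#N."""
    nets = defaultdict(list)
    for r in routes:
        if "C" in r["flags"] and r["gw"].startswith("link#"):
            nets[r["iface"]].append(r["dest"])
    return dict(nets)


def lookup(routes, ip):
    """Longest-prefix match: the route a packet to `ip` would be forwarded by."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in routes:
        net = to_network(r["dest"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def shared_next_hops(routes):
    """MACs that are a resolved next hop (L flag) on more than one real interface."""
    seen = defaultdict(set)
    for r in routes:
        if "L" in r["flags"] and MAC_RE.match(r["gw"]) and r["iface"] != "lo0":
            seen[r["gw"]].add(r["iface"])
    return {mac: ifs for mac, ifs in seen.items() if len(ifs) > 1}


if __name__ == "__main__":
    routes = parse_routes(SAMPLE)
    print("default route:", default_route(routes))
    print("connected:", connected_networks(routes))
    for ip in ("198.51.100.9", "198.51.100.3", "203.0.113.7"):
        r = lookup(routes, ip)
        print(f"{ip} -> {r['iface']} via {r['gw']} (matched {r['dest']})")
    print("next hop seen on two interfaces:", shared_next_hops(routes))
```

Run it as-is to see the decisions for the constructed table, or replace SAMPLE with the real output of "netstat -rn -f inet" from the router to apply the same checks. The last check is included because the posted table itself shows 00:05:dc:93:38:00 as the link-layer next hop on both bge0 and bge1; the script only reports that, it does not claim it is the cause of the lost DNS replies.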