pf, bridge and dhcrelay
From: keme (kemesixtwonullsix_at_start.no)
Date: 05/20/05
- Next message: unbending: "raid array comparison"
- Previous message: M.K.: "3.7 i386 iso torrent"
- Next in thread: Keme: "Re: pf, bridge and dhcrelay"
- Reply: Keme: "Re: pf, bridge and dhcrelay"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 20 May 2005 15:23:07 +0200
*Background*
I have a setup to limit network access for students during exams (students
use their own laptops). Bridge interface with packet filtering constitutes
our "filter". PF doesn't forward dhcp request/response, so I need dhcrelay.
I had this setup working OK last year, but after reinstall I can't get it to
work properly.
With the bridge up and pf disabled everything is OK. Everyone behind the
filter can access all resources.
With pf enabled everyone can access allowed resources (printserver), and
other resources are blocked. New clients cannot use anything because they
don't get IP. Assigning static IP helps, but I don't want the mess that
"wild" static IP assignment will create on our network.
Executing "dhcrelay <dhcpserver>" reports listening and sending on all
interfaces.
The "external" interface (server side of the filter) has an IP and netmask
belonging to the network.
The "internal" (filtered client side) interface has a private IP (10.0.0.x).
On the OpenBSD box I get ping response, http and name resolution from the
servers, and no other outside services are available.
A dhcp request from the internal side yields a "send_fallback: no route to
host" message on the OpenBSD console.
*Details*
NICs are 3Com EtherExpress ($int_if, xl0) and CNet ($ext_if, fxp0)
Running OpenBSD 3.5 (GENERIC)
PF rules:
--------
block return on $ext_if all
pass on $ext_if from <Baseservices> to any
pass on $ext_if from any to <Baseservices>
pass on $int_if all
--------
The <Baseservices> table contains the addresses to DHCP, DNS and print
servers.
I also tried limiting the dhcp relaying to one interface, with no
improvement:
dhcrelay -i $int_if <DHCPserver>
*Please help me*
Do I need to set up routes manually?
Is the promiscuous setting of the NICs causing trouble?
(Allowed services are available when working inside OpenBSD, and all traffic
passes OK when pf is disabled. To me this indicates that NICs do their job
and no additional route setup is needed.)
What am I missing?
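An added example, not the poster's own configuration: the ruleset above, written out as a complete pf.conf with the macros and table filled in, plus explicit, logged rules for the relay's DHCP traffic on $ext_if. The interface names come from the post; the server addresses are assumed placeholders. The point of the extra rules is diagnostic rather than a fix: with `log` on both the default block and the DHCP passes, `tcpdump -n -e -ttt -i pflog0` shows whether pf is the component dropping the relayed packets.

```pf
# Added example, not the original poster's pf.conf. Interface names are taken
# from the post; all addresses below are assumed placeholders.
ext_if = "fxp0"                  # server side of the filter (has a network IP)
int_if = "xl0"                   # filtered client side (private 10.0.0.x)
dhcp_server = "192.0.2.10"       # assumed address of the DHCP server

# DHCP, DNS and print servers, as in the post (members are assumed)
table <Baseservices> { $dhcp_server, 192.0.2.53, 192.0.2.80 }

# Default policy on the server side, now logged so every drop shows on pflog0
block return log on $ext_if all

# DHCP relay traffic. dhcrelay unicasts the client's request from this box's
# own address to the DHCP server on UDP 67, and the server answers the relay
# on the same port. Naming these flows explicitly, with their own log keyword,
# makes them easy to pick out of the pflog output.
pass out log on $ext_if proto udp from $ext_if to $dhcp_server port 67
pass in  log on $ext_if proto udp from $dhcp_server port 67 to $ext_if

# The poster's original allow rules for the base services
pass on $ext_if from <Baseservices> to any
pass on $ext_if from any to <Baseservices>

# Client side of the bridge stays unfiltered, as in the original ruleset.
# Client DHCP traffic here is broadcast (0.0.0.0 port 68 -> 255.255.255.255 port 67).
pass on $int_if all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then trigger a DHCP request from a client while watching `tcpdump -n -e -ttt -i pflog0`: a line with the default block rule number means pf dropped the packet, a line with a pass rule number means it left pf and the problem is elsewhere. The "send_fallback: no route to host" message names a routing failure, so `route -n get <DHCPserver>` on the bridge box is the matching check for whether the kernel has a route to the server from the interface dhcrelay sends on.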