On 12 Dec 2022, at 2:31, Zé Loff wrote:
> On Sun, Dec 11, 2022 at 04:20:53PM -0800, Randall Gellens wrote:
>> I have a Protectli box that is the router for my home network. The home
>> network uses U-Verse to connect to the outside, and has separate Ethernet
>> networks for servers, wired clients, and Wi-Fi IoT clients. U-Verse
>> supplies their own box (a "Residential Gateway" or RG) that sits at the
>> connection points. The RG throws a tantrum if it detects an internal
>> router or multi-homed devices, so the OpenBSD box is set up as a
>> transparent filtering bridge so the RG thinks all the devices are
>> connected directly to it. The OpenBSD box has Ethernet ports for the
>> U-Verse RG and one for the three internal networks, with pf filtering
>> the packets. The /etc/hostname.if files provide an IP address for the
>> interface for the server network and one for the Wi-Fi interface (these
>> are on different networks). The /etc/hostname.if files for the U-Verse
>> and wired client Ethernet ports have just a description.
>>
>> The Protectli was running (I think) OpenBSD 6.2, but suffered a disk
>> failure and I couldn't find my backup, so I installed a fresh OpenBSD 7.2
>> on it and added the users and config files (I had current versions of
>> those). The config files are pretty minimal: /etc/hostname.if files for
>> the four Ethernet ports and the bridge, /etc/sysctl.conf to set
>> net.inet.ip.forwarding=1, pf.conf for the rules. There aren't any other
>> services running on the box (other boxes are used for DHCP, DNS, etc.).
>>
>> Initially, the server and Wi-Fi Ethernet ports had traffic and packets
>> were routed between them, but there was no traffic on the wired clients
>> nor U-Verse Ethernet ports, and no packets got between them. A client on
>> Wi-Fi could ping a server and vice versa, and other servers could reach
>> the OpenBSD box. But clients couldn't reach servers, and nothing could
>> get outside. All interfaces looked right when viewed using ifconfig, and
>> the bridge looked right (it was up and had the four interfaces). There
>> were no errors during startup, nor when running netstart.
>>
>> Changing the /etc/hostname.if files for the U-Verse and client ports to
>> add an 'inet' line with a dummy IP address made it all start working.
>> Before, they just had a line with "description" and text.
>>
>> Questions:
>>
>> (1) I'd like to understand why the interfaces worked without having IP
>> addresses in OpenBSD 6 but not in OpenBSD 7. They showed as up and as
>> part of the bridge, but no traffic.
>
> Without *at least* the applicable /etc/hostname.* files it's hard to help
> you with this. FWIW, I have a 7.1 box with a similar setup that forwards
> packets adequately (bridging two vlan interfaces, with no IP addresses on
> the parent interfaces, the vlan interfaces or the bridge).
Below are the /etc/hostname.* files as they are now (working).
Originally, /etc/hostname.em1 and /etc/hostname.em3 were:

/etc/hostname.em1 (originally):
description "U-Verse DSL"

/etc/hostname.em3 (originally):
description "Switch for clients"

/etc/hostname.em0 and /etc/hostname.em2 did not need changes.

Here are the files as they are now:

/etc/hostname.em0:
inet 192.168.98.1 255.255.255.0 NONE description "to talk to AP"
inet alias 192.168.0.210 255.255.255.0 NONE description "factory fallback wireless AP"

/etc/hostname.em1:
inet 192.168.98.2 255.255.255.0 NONE description "U-Verse DSL"

/etc/hostname.em2:
inet 99.111.97.160 255.255.255.240 NONE description "Switch for servers"

/etc/hostname.em3:
inet 192.168.98.3 255.255.255.0 NONE description "Switch for clients"

-bash-5.1$ more /etc/hostname.bridge0
add em0
add em1
add em2
add em3
timeout 0
rule pass in on em1 src ac:5d:10:80:7d:11 tag outside
# pass on em0
# pass on em1
# pass on em2
# pass on em3
up

The "rule pass in" line in the bridge is to add a tag to packets from
the outside, because (at least in OpenBSD 6.2) the pf.conf rules saw the
packets as coming from a different interface, so they weren't treated as
coming from the outside.
>> (2) Also, I have several old machines that can no longer SSH into the
>> OpenBSD 7 box. They get an error "no hostkey alg". Is there an easy way
>> to get the OpenBSD box to accept connections from older clients?
>> Presumably I need to enable older key algorithms, but after hunting
>> through the OpenSSH manual I can't see what I need to do. The packet
>> rules block access to the OpenBSD box from outside.
>
> RSA was deprecated some time ago. Add
>
> HostKeyAlgorithms=+ssh-rsa
> PubkeyAcceptedAlgorithms=+ssh-rsa
>
> to /etc/ssh/sshd_config, or, better yet, change the clients' config to
> bring them up to speed (I understand it might not be feasible).
Thank you, that worked, I appreciate it. (I know I need to update
OpenSSH on the old machines, but that's a big project, and the Protectli
box isn't accessible from the outside.)
--Randall
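Added here as an example (not code from the thread or from OpenSSH): a Python check that parses an sshd_config excerpt and reports whether a HostKeyAlgorithms / PubkeyAcceptedAlgorithms setting like the one above leaves the SHA-1 ssh-rsa signature scheme enabled, modelling sshd's +/-/^ list syntax, the old PubkeyAcceptedKeyTypes alias and first-occurrence-wins handling. The default algorithm lists in it are an abbreviated stand-in, not OpenSSH's real defaults, and the config excerpt is constructed.

```python
import fnmatch
import re

# Abbreviated stand-in for sshd's built-in defaults (an assumption: the real
# lists are longer and version-specific).  ssh-rsa is the SHA-1 signature
# scheme; rsa-sha2-256/512 sign with the same RSA keys.
DEFAULTS = {
    "hostkeyalgorithms": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "pubkeyacceptedalgorithms": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
}
ALIASES = {"pubkeyacceptedkeytypes": "pubkeyacceptedalgorithms"}  # old name

def resolve(spec, default):
    """sshd list syntax: '+' appends to the default set, '-' removes
    (patterns allowed), '^' prepends, anything else replaces it."""
    items = [a for a in spec.lstrip("+-^").split(",") if a]
    if spec.startswith("+"):
        return default + [a for a in items if a not in default]
    if spec.startswith("-"):
        return [a for a in default if not any(fnmatch.fnmatch(a, p) for p in items)]
    if spec.startswith("^"):
        return items + [a for a in default if a not in items]
    return items

def audit(config_text):
    """Effective list per keyword: first occurrence wins (as in sshd),
    comment lines are skipped, and Match blocks are ignored because they
    only apply to the connections they match."""
    effective, seen, in_match = dict(DEFAULTS), set(), False
    for raw in config_text.splitlines():
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        in_match = in_match or key == "match"
        key = ALIASES.get(key, key)
        if in_match or key not in DEFAULTS or key in seen:
            continue
        seen.add(key)
        effective[key] = resolve(value, DEFAULTS[key])
    return effective

def sha1_rsa_enabled(config_text):
    """Map each keyword to True when ssh-rsa is in its effective list."""
    return {k: "ssh-rsa" in v for k, v in audit(config_text).items()}

# Constructed excerpt mirroring the fix from the thread; the third line is
# ignored because the alias on the second line already set that keyword.
SAMPLE = "HostKeyAlgorithms=+ssh-rsa\nPubkeyAcceptedKeyTypes +ssh-rsa\n" \
         "PubkeyAcceptedAlgorithms -ssh-rsa\n"
```

Running sha1_rsa_enabled over the real file is a quick way to confirm the setting is actually in effect, and later to confirm it has been removed once the old clients are updated.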