Hello,
Thank you all for the responses. I was starting to think nobody was
going to respond due to the lack of information I could find, so I thank
you all for giving me the time.
I would also like to point out this one thread has split into 3, which
is incredibly confusing, and I hope I have not missed any responses.
> It keeps things simplest to understand if you can use separate physical
> interfaces. If you are already familiar and happy with vlans then that's
> nearly as simple as separate physical interfaces, but if not, then that
> gives you two things to learn at once. Multiple subnets on a single
> network interface is by far more complex and less desirable.
I would go with separate interfaces, but I only have 2 physical
interfaces, and one is needed for WAN; I would be taking a severe hit to
performance if I used an adapter.
I would also like to point out that the OpenBSD router is attached to a
dumb switch, which is where the entire network branches off from.
I would like to highlight that I was recommended to use inet aliases,
which I was told would be far easier than vlan, although not easier than
different physical interfaces. I was hoping the user who told me this
would come forward, and I severely apologise for forgetting whoever told
me this, because they seemed to know how to get it working easily, but
because of my procrastination, the knowledge has been forgotten.
Also, I didn't choose OpenBSD because it was easy, I chose it for
security. If I slapped OpenWrt on, I could be done in seconds, but I want to
learn and I want to use OpenBSD for security, even at the cost of
performance, so I don't care about the complexity, only to know that it
is possible and to find out how to do it. I have attempted to find others
with a similar setup without any luck.
> It can be done, but 1) it means that it's possible for hosts on RFC1918
> addresses to reach the routable addresses directly without going via the
> router and vice-versa (which may or may not be a problem), 2) you'll
> need to think about how you want to arrange things if you use DHCP, and
> 3) it complicates things for firewall and nat rules.
1. I do not believe this should be a problem, as far as I am aware this
is routed based on MAC address (Layer 2), but IP addresses are a higher
layer (Layer 3).
2. DHCP is simple, it is only for the private block (192.168.2.1/24),
which devices will use by default; global addresses from the /29 block
are assigned manually. This is because most containers are internal,
and the NAT is just so they can still access the internet, but not
expose themselves fully (and before you say "why not use a global
address", IPv4 addresses are expensive and I am lucky to have a /29,
which I will only use on more important containers or virtual machines,
so I hope this makes my weird setup more understandable).
Yes I do have IPv6 as well, which I assign to everything, but
unfortunately the majority of the internet still uses IPv6, so having
global IPv4 is extremely useful.
3. I don't think so, because I specify the "from" address as either
192.168.2.1/24 or the static block, which clearly distinguishes between
them. Also the "quick" rules are above the NAT; these should pick up and
pass out the traffic respectively before it even gets to NAT. I doubt
this is the issue and I believe it lies within the routing table.
> 217.169.18.56 is a network address (mask it out against the netmask,
> the remaining "host bits" are all zeroes), you cannot use this (or the
> broadcast address) as a host address
>
> $ ipcalc 217.169.18.56/29
> address : 217.169.18.56
> netmask : 255.255.255.248 (0xfffffff8)
> network : 217.169.18.56 /29
> broadcast : 217.169.18.63
> host min : 217.169.18.57
> host max : 217.169.18.62
> hosts/net : 6
Ah, my mistake, I totally forgot about the loopback address, which would
be 217.169.18.56; this is from my own stupidity.
But in theory, can I assign IPs from the /29 without having a default
gateway from that block? Could I put the gateway as the /32 and keep all
6 of the usable IPv4s?
A router does not need 2 IPv4s, only one, so is it possible to keep one,
or is it a requirement to have an IPv4 from the block assigned to the
router?
> suggest changing to e.g. 217.169.18.62 (or .57 but then you'll need
> to renumber the other host as well) and changing the default route
> on the other host to the new address.
Yes I will need to fix this.
But the fact remains that I believe all the addresses are bound to by the
router; nmap'ing all the IPv4s in the block returns the ports open by the
router.
> I think you may need something to pass pppoe0's 81.187.86.85 address out as well
Don't worry, this already works fine. The NAT works just fine and
continues to work fine with the additional rules I attached to the
previous email.
I just need help with getting the /29 block working.
> Anyway if you have further problems after fixing the addresses, it would be
> helpful to post more (ideally all) of pf.conf. (btw a mail which is a bit
> large due to showing information direct from the system is usually fine, and
> much better than one which misses some relevant information - usual complaints
> against large mails are where the text is sprawling/incoherent which is
> not the case with your mail here 🙂
So it should be:
inet alias 217.169.18.57 255.255.255.248 217.169.18.63
correct?
> that's not something you should need to add yourself.
I did it for troubleshooting.
Thank you for the help,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
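The network/broadcast point raised in the quoted ipcalc output, and the "inet alias ... correct?" question at the end of the mail, both come down to one check: mask the candidate address against the prefix and make sure the host bits are neither all zeros nor all ones before you hand it to hostname.if(5). The script below is an added example for readers of this thread, not Polarian's configuration or anything from the list reply. It uses the block discussed on the list (217.169.18.56/29) and the .62 router address suggested in the reply; the private block it classifies for NAT (192.168.2.0/24) is from the mail, and treating the public block as the alias and the private one as the primary address is an assumption.

```python
"""Sanity-check a public block before adding it to an interface as an
inet alias, and build the hostname.if(5) line for it.

Added example for the OpenBSD misc thread above; not the poster's own
configuration. Addresses are the ones discussed on the list; the split
"primary = RFC1918, alias = routable /29" is an assumption.
"""

import ipaddress


def block_info(cidr):
    """Return the same fields ipcalc prints for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "host_min": str(hosts[0]),
        "host_max": str(hosts[-1]),
        "hosts": len(hosts),
    }


def usable_host(addr, cidr):
    """True if addr is inside cidr and is neither the network nor the
    broadcast address. For /31 and /32 (RFC 3021 point-to-point) every
    address in the block is usable, so only membership is checked."""
    net = ipaddress.ip_network(cidr, strict=False)
    a = ipaddress.ip_address(addr)
    if a not in net:
        return False
    if net.prefixlen >= net.max_prefixlen - 1:
        return True
    return a != net.network_address and a != net.broadcast_address


def alias_line(addr, cidr):
    """hostname.if(5) 'inet alias' line for addr, refusing the network
    and broadcast addresses so the mistake from the thread cannot be
    written into the config."""
    if not usable_host(addr, cidr):
        raise ValueError(
            f"{addr} is the network or broadcast address of {cidr}, "
            "not a host address"
        )
    net = ipaddress.ip_network(cidr, strict=False)
    return f"inet alias {addr} {net.netmask} {net.broadcast_address}"


def needs_nat(addr):
    """Only RFC1918 sources should be translated to the PPPoE address;
    hosts on the routable /29 are passed out untouched."""
    return ipaddress.ip_address(addr).is_private


if __name__ == "__main__":
    block = "217.169.18.56/29"
    for k, v in block_info(block).items():
        print(f"{k:10}: {v}")
    for candidate in ("217.169.18.56", "217.169.18.62", "217.169.18.63"):
        print(candidate, "usable" if usable_host(candidate, block) else "NOT usable")
    # Assumed choice: .62 on the router, as suggested in the list reply.
    print(alias_line("217.169.18.62", block))
    for src in ("192.168.2.10", "217.169.18.57"):
        print(src, "-> nat" if needs_nat(src) else "-> pass as-is")
```

The alias line it prints for .62 has the broadcast address .63 as the third field, which is the part of the question at the end of the mail; the mask and broadcast are derived from the prefix rather than typed by hand, so the only thing left to get wrong is the host address itself, and the function refuses the two values that are not host addresses.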