Hello,
It has been a good few months since I have posted here; I have been
procrastinating on the issue I would like help with.
Some may remember me speaking about OpenBSD routing back in January. I
did the first part of it, setting up IPv4 (NAT) and IPv6, but I also had a
/29 block of IPv4 addresses which I was also meant to route, but never
actually got around to it.
Someone recommended that I use inet aliases for the extra block instead
of messing with vlans. I do not remember who this was, but I think this
is the cause of the problem I am encountering.
So the explanation of the problem:
When I send outbound traffic, say if I curl ifconfig.me (or ifconfig.pro
for IPv6 support), I successfully get back the IP address assigned from
the /29 block (as per the usual setup, the first address is the gateway and
the last address is the broadcast). Outbound seems to work fine, but it
is inbound which is the problem. Internally it all works fine, I can ssh
into the address just fine, but externally it does not work, as the port
seemingly isn't bound.
I nmap'd the /32 address, the default gateway address from the /29
block, and the assigned /29 address using an external VPS, and they all
came back with the exact same ports open: the router's open ports.
So this obviously means there is a routing issue.
I will give some information which will be useful:
ifconfig -A:
bse0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr dc:a6:32:78:eb:b1
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::dea6:32ff:fe78:ebb1%bse0 prefixlen 64 scopeid 0x1
inet6 2001:8b0:57a:2385::1 prefixlen 64
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet 217.169.18.56 netmask 0xfffffff8 broadcast 217.169.18.63
(Lets hope people don't go probing or flooding the network now -_-)
pf firewall rules for the /29 block:
# Static v4 rules
pass in quick on $wan inet from $staticv4b1 to any keep state
pass in quick on $lan inet from $staticv4b1 to any keep state
pass out quick on $lan inet from any to $staticv4b1 keep state
pass out quick on $wan inet from $staticv4b1 to any keep state
(note: staticv4b1 is declared as 217.169.18.56/29)
(note: I believe it is possible to join the ins and outs using {$wan
$lan}, but optimisations can be done later; I just would like this to
work first)
hostname.if file for bse0:
# IPv4
inet 192.168.2.1 255.255.255.0 192.168.2.255
inet alias 217.169.18.56 255.255.255.248 217.169.18.63
(Note: IPv6 has not been shown as not related to this problem)
and the most important one, the routing table :P :
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 81.187.81.187 UGS 9 56083 - 8 pppoe0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
81.187.81.187 81.187.86.85 UHh 1 1 - 8 pppoe0
81.187.86.85 81.187.86.85 UHl 0 722 - 1 pppoe0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 1 2 32768 1 lo0
192.168.2/24 192.168.2.1 UCn 14 0 - 4 bse0
192.168.2.1 dc:a6:32:78:eb:b1 UHLl 0 5569 - 1 bse0
192.168.2.2 e2:1b:81:ac:c7:a1 UHLc 0 13555 - 3 bse0
192.168.2.3 a4:34:d9:78:c5:94 UHLc 0 20006 - 3 bse0
192.168.2.11 00:16:3e:38:e1:e0 UHLc 0 3338 - 3 bse0
192.168.2.15 00:16:3e:e7:6e:d8 UHLc 0 4288 - 3 bse0
192.168.2.17 52:54:00:d3:ec:64 UHLc 0 2476 - 3 bse0
192.168.2.18 00:16:3e:fd:34:cc UHLc 0 680 - 3 bse0
192.168.2.19 00:16:3e:22:c3:58 UHLc 0 1525 - 3 bse0
192.168.2.25 cc:2d:21:ba:fe:d0 UHLc 0 194 - 3 bse0
192.168.2.26 e8:65:d4:64:59:80 UHLc 1 3165 - 3 bse0
192.168.2.78 74:56:3c:67:bf:35 UHLc 0 6841 - 3 bse0
192.168.2.80 00:16:3e:62:88:54 UHLc 0 121 - 3 bse0
192.168.2.81 bc:60:a7:99:c6:05 UHLc 0 118 - 3 bse0
192.168.2.151 aa:01:c3:46:e7:88 UHLc 0 58 - 3 bse0
192.168.2.155 de:13:82:c0:c1:14 UHLc 0 138 - 3 bse0
192.168.2.255 192.168.2.1 UHb 0 0 - 1 bse0
192.168.3/24 192.168.3.1 UCn 0 0 - 8 bwfm0
192.168.3.1 dc:a6:32:78:eb:b2 UHLl 0 0 - 1 bwfm0
192.168.3.255 192.168.3.1 UHb 0 0 - 1 bwfm0
217.169.18.56/29 217.169.18.56 UCn 1 0 - 4 bse0
217.169.18.56 dc:a6:32:78:eb:b1 UHLl 0 1567 - 1 bse0
217.169.18.63 217.169.18.56 UHb 0 2 - 1 bse0
(note: -inet was used to not print inet6, as again this is not relevant
to the problem and would make a large email even larger, which I assume
a lot of people would be against.)
Now, I may suck at networking, but I am not a complete idiot, and have
noticed that there is no entry for the route of 217.169.18.57, which is
the allocated address, so I have attempted to add it following route(8),
and then if this fixed my issue I could add it into the hostname.if(5)
for bse0, but I wouldn't be emailing this mailing list if it worked, would I?
The command I attempted to use was:
route add -link 217.169.18.57 00:16:3e:bf:b5:92
(note: The mac address is assigned to an LXC container sitting on top of a
host bridge, so it should act as any physical device on the network)
(note: I have checked the mac address, it is correct!)
Executing this command yields the following error:
add host 217.169.18.57: gateway 00:16:3e:bf:b5:92: Network is unreachable
Now, route(8) does cover this error, stating "An attempt to add a route
failed because the gateway listed was not on a directly connected
network. The next-hop gateway must be given." However, this is a NAT
bridge; it SHOULD be directly accessible. As a note, all the other
192.168.2.1/24 allocations you see in the routing table are to other
containers on the host bridge, and I did check the mac addresses: they
are the mac addresses of the lxc containers, so they are in fact directly
addressable.
Anyways, the routing table after the command executed can be found below:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 81.187.81.187 UGS 9 56083 - 8 pppoe
224/4 127.0.0.1 URS 0 0 32768 8 lo0
81.187.81.187 81.187.86.85 UHh 1 1 - 8 pppoe
81.187.86.85 81.187.86.85 UHl 0 722 - 1 pppoe
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 1 2 32768 1 lo0
192.168.2/24 192.168.2.1 UCn 14 0 - 4 bse0
192.168.2.1 dc:a6:32:78:eb:b1 UHLl 0 5569 - 1 bse0
192.168.2.2 e2:1b:81:ac:c7:a1 UHLc 0 13555 - 3 bse0
192.168.2.3 a4:34:d9:78:c5:94 UHLc 0 20006 - 3 bse0
192.168.2.11 00:16:3e:38:e1:e0 UHLc 0 3338 - 3 bse0
192.168.2.15 00:16:3e:e7:6e:d8 UHLc 0 4288 - 3 bse0
192.168.2.17 52:54:00:d3:ec:64 UHLc 0 2476 - 3 bse0
192.168.2.18 00:16:3e:fd:34:cc UHLc 0 680 - 3 bse0
192.168.2.19 00:16:3e:22:c3:58 UHLc 0 1525 - 3 bse0
192.168.2.25 cc:2d:21:ba:fe:d0 UHLc 0 194 - 3 bse0
192.168.2.26 e8:65:d4:64:59:80 UHLc 1 3165 - 3 bse0
192.168.2.78 74:56:3c:67:bf:35 UHLc 0 6841 - 3 bse0
192.168.2.80 00:16:3e:62:88:54 UHLc 0 121 - 3 bse0
192.168.2.81 bc:60:a7:99:c6:05 UHLc 0 118 - 3 bse0
192.168.2.151 aa:01:c3:46:e7:88 UHLc 0 58 - 3 bse0
192.168.2.155 de:13:82:c0:c1:14 UHLc 0 138 - 3 bse0
192.168.2.255 192.168.2.1 UHb 0 0 - 1 bse0
192.168.3/24 192.168.3.1 UCn 0 0 - 8 bwfm0
192.168.3.1 dc:a6:32:78:eb:b2 UHLl 0 0 - 1 bwfm0
192.168.3.255 192.168.3.1 UHb 0 0 - 1 bwfm0
217.169.18.56/29 217.169.18.56 UCn 1 0 - 4 bse0
217.169.18.56 dc:a6:32:78:eb:b1 UHLl 0 1567 - 1 bse0
217.169.18.57 00:16:3e:bf:b5:92 UHLc 0 5 - 3 bse0
217.169.18.63 217.169.18.56 UHb 0 2 - 1 bse0
I am out of ideas, and have spent 3-4 hours desperately trying to find a
blog on anyone else who has attempted globally routable addresses along
with a NAT setup, and I couldn't find anything of use to diagnose the
problem.
I am pretty sure it's a very simple problem, and the "oh moment" will be
embarrassing and I will have publicly humiliated myself, but isn't that
the fun of learning?
Feel free to ask for any additional information which you deem will be
useful.
Maybe one day I might actually be half decent at networking, if some
miracle occurs (probably not).
Thank you in advance,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
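A mechanical version of the check the post does by eye, as an added example that is not part of the original email or of OpenBSD: it parses `route -n show -inet` output in the format shown above and reports, for one address, the longest connected (flag C) prefix covering it and whether a host (flag H) entry already exists. The sample rows are constructed from the post's two tables with the wrapped Iface column joined back onto each row.

```python
import ipaddress

# Constructed sample: a subset of the rows from the post's routing table.
SAMPLE_BEFORE = """\
Destination        Gateway            Flags   Refs   Use    Mtu   Prio Iface
default            81.187.81.187      UGS        9   56083  -     8    pppoe0
224/4              127.0.0.1          URS        0   0      32768 8    lo0
192.168.2/24       192.168.2.1        UCn       14   0      -     4    bse0
192.168.2.1        dc:a6:32:78:eb:b1  UHLl       0   5569   -     1    bse0
217.169.18.56/29   217.169.18.56      UCn        1   0      -     4    bse0
217.169.18.56      dc:a6:32:78:eb:b1  UHLl       0   1567   -     1    bse0
217.169.18.63      217.169.18.56      UHb        0   2      -     1    bse0
"""
# The same table after the post's "route add -link" created a host entry.
SAMPLE_AFTER = SAMPLE_BEFORE + \
    "217.169.18.57      00:16:3e:bf:b5:92  UHLc       0   5      -     3    bse0\n"

def to_network(dest):
    """Expand OpenBSD's abbreviated destinations ('127/8', '192.168.2/24', 'default')."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" not in dest:
        return ipaddress.ip_network(dest + "/32")
    addr, plen = dest.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_routes(text):
    """Yield (network, gateway, flags, iface) for each data row of the table."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0] != "Destination":
            yield to_network(cols[0]), cols[1], cols[2], cols[7]

def check_host(text, host):
    """Longest connected (C) prefix covering host, plus whether a host (H) entry exists.
    Being inside a connected prefix means the address is directly reachable at the
    IP layer; the H entry is the per-address link-layer (ARP) binding."""
    ip = ipaddress.ip_address(host)
    connected, host_entry = None, False
    for net, _gw, flags, iface in parse_routes(text):
        if "C" in flags and ip in net and \
                (connected is None or net.prefixlen > connected[0].prefixlen):
            connected = (net, iface)
        if "H" in flags and net.prefixlen == 32 and net.network_address == ip:
            host_entry = True
    return {"connected": (str(connected[0]), connected[1]) if connected else None,
            "host_entry": host_entry}
```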