Saturday, April 04, 2026

Re: Routing to locally connected off-subnet host address

You can configure a private address on the host's ethernet interfaces,
the public address on a loopback (e.g. lo1), and on the gateway route
the public address to the private address. ARP will work normally.
If the host uses "strong host model" you'll need to disable that so
it accepts traffic to an address via an interface that doesn't have
that address (currently on OpenBSD the only way to do this is enable
IP forwarding - might not have been the case in 5.9 though).


On 2026-04-03, Jacob Welsh <jacob@welshcomputing.com> wrote:
> For IPv4 scarcity reasons, I'm trying to squeeze every drop from a block
> of public addresses I've been allocated.
>
> There's a LAN consisting of hosts with mostly private IPs and some with
> public IPs. An OpenBSD gateway has a public IP on the uplink interface
> (cnmac0) for NAT purposes, but private only on the LAN interface (cnmac1,
> call it 10.0.0.1). Then I set specific routes to the hosts with LAN-side
> public IPs (say 1.2.3.4). The trouble is when the host is directly
> connected on the gateway's ethernet, i.e. gateway needs to send to an
> address outside its interface's subnet without a next hop.
>
> route(8) reads:
>
>> If the destination is directly reachable via an interface requiring no
>> intermediary system to act as a gateway, the -iface modifier should be
>> specified; the gateway given is the address of this host on the common
>> network, indicating the interface to be used for transmission.
>
> Thus, I tried:
>
> # route add -host 1.2.3.4 -iface 10.0.0.1
>
> The kernel reports "arp_rtrequest: bad gateway value: cnmac1" but adds the
> route:
>
> 1.2.3.4 10.0.0.1 UHS 0 0 - 8 cnmac1
>
> Testing:
>
> # ping 1.2.3.4
> ping: sendto: Invalid argument
>
> and the kernel reports "arpresolve: 1.2.3.4: route contains no arp
> information". If I disregard the manual and do as google tells me:
>
> # route add -host 1.2.3.4 -iface cnmac1
> route: cnmac1: bad address
>
> Or
>
> # route add -host 1.2.3.4 -iface -link cnmac1
> add host 1.2.3.4: gateway cnmac1
>
> which seems promising; the route shows as
>
> 1.2.3.4 link#2 UHLS 0 0 - 8 cnmac1
>
> and the ping initially works, but rather than adding a new cloned route
> after ARP resolution, the "static" route itself changes to
>
> 1.2.3.4 <target MAC> UHLS 0 2 - 8 cnmac1
>
> then expires from ARP cache after 20 minutes and stops working. If I add
> -cloning to the route, its flags show as UHCS and the ping goes back to
> Invalid argument / route contains no arp information. If I also add
> -llinfo, flags show as UHCLS, ping still gives Invalid argument, but the
> kernel now logs "arpresolve: 1.2.3.4: route without link local address".
>
> This is with OpenBSD 5.9. I'm aware that's a bit old now, but I'd think
> it's already well into the mature years of this basic networking code.
> I've had no problem with this configuration on Linux, and reportedly it
> worked in 2011 on FreeBSD and even OpenBSD 3.x:
> https://forums.freebsd.org/threads/problem-with-host-ip-and-gateway-are-on-different-networks.26945/#post-150463
>
> What am I missing here?
>
> Jacob


--
Please keep replies on the mailing list.
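The two kernel decisions the thread turns on, modelled in a few lines of Python as an added example (this is not code from either mail nor from OpenBSD; it is a simplified model, not the real routing code). It shows why a `-iface` route for an address outside the interface's prefix yields "route contains no arp information" (there is no on-link neighbour to ARP for), why the reply's design works (the gateway ARPs for the private next hop, which is on-link), and what the strong versus weak host model changes on the host side. Addresses 1.2.3.4, 10.0.0.1/24, cnmac0, cnmac1 and lo1 come from the thread; the host's private address 10.0.0.2, its interface name em0 and the uplink prefix 203.0.113.1/24 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network, ip_address, ip_interface, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    addrs: list[IPv4Interface]      # address/prefix pairs configured on the interface


@dataclass
class Route:
    dest: IPv4Network
    gateway: Optional[IPv4Address]  # None models a -iface route (destination directly connected)
    ifname: str


class Node:
    """A host or gateway: interfaces, static routes and a host-model switch."""

    def __init__(self, ifaces, routes, ip_forwarding=False):
        self.ifaces = {i.name: i for i in ifaces}
        self.ip_forwarding = ip_forwarding
        # Every configured prefix yields a connected route; static routes come after.
        self.routes = [Route(a.network, None, i.name) for i in ifaces for a in i.addrs]
        self.routes += routes

    def lookup(self, dst):
        # Longest-prefix match over all routes covering the destination.
        matches = [r for r in self.routes if dst in r.dest]
        return max(matches, key=lambda r: r.dest.prefixlen, default=None)

    def next_hop(self, dst):
        """Return (egress interface, neighbour to resolve) or raise like arpresolve would."""
        dst = ip_address(dst)
        r = self.lookup(dst)
        if r is None:
            raise LookupError(f"no route to {dst}")
        neigh = r.gateway if r.gateway is not None else dst
        egress = self.ifaces[r.ifname]
        # ARP can only resolve a neighbour that lies inside a prefix of the egress interface.
        if not any(neigh in a.network for a in egress.addrs):
            raise LookupError(f"arpresolve: {dst}: route contains no arp information")
        return egress.name, str(neigh)

    def accepts(self, dst, ingress):
        """Strong host model: dst must be configured on the ingress interface.
        Weak host model (the reply: enable IP forwarding): dst on any local interface."""
        dst = ip_address(dst)
        on_ingress = any(a.ip == dst for a in self.ifaces[ingress].addrs)
        anywhere = any(a.ip == dst for i in self.ifaces.values() for a in i.addrs)
        return anywhere if self.ip_forwarding else on_ingress


PUBLIC = "1.2.3.4"


def gateway(route):
    return Node(
        ifaces=[Interface("cnmac0", [ip_interface("203.0.113.1/24")]),  # uplink (constructed prefix)
                Interface("cnmac1", [ip_interface("10.0.0.1/24")])],    # LAN side, as in the thread
        routes=[route], ip_forwarding=True)


def gateway_iface_route():
    """The original attempt: route add -host 1.2.3.4 -iface 10.0.0.1"""
    gw = gateway(Route(ip_network("1.2.3.4/32"), None, "cnmac1"))
    try:
        return gw.next_hop(PUBLIC)
    except LookupError as e:
        return str(e)


def gateway_nexthop_route():
    """The reply's design: route add -host 1.2.3.4 10.0.0.2 (private next hop, on-link)"""
    gw = gateway(Route(ip_network("1.2.3.4/32"), ip_address("10.0.0.2"), "cnmac1"))
    return gw.next_hop(PUBLIC)


def host_accepts(ip_forwarding):
    """Host with the private address on em0 and the public address on lo1."""
    host = Node(ifaces=[Interface("em0", [ip_interface("10.0.0.2/24")]),
                        Interface("lo1", [ip_interface("1.2.3.4/32")])],
                routes=[Route(ip_network("0.0.0.0/0"), ip_address("10.0.0.1"), "em0")],
                ip_forwarding=ip_forwarding)
    return host.accepts(PUBLIC, "em0")


if __name__ == "__main__":
    print("iface route  :", gateway_iface_route())
    print("nexthop route:", gateway_nexthop_route())
    print("strong host  :", host_accepts(False), " weak host:", host_accepts(True))
```

The model reduces ARP eligibility to "is the neighbour inside a prefix of the egress interface", which is exactly what a `-iface` route to 1.2.3.4 over a 10.0.0.0/24 interface fails, and what routing 1.2.3.4 via 10.0.0.2 satisfies; the `accepts` check is where the strong-host setting bites on the host once the public address lives on lo1.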
