For IPv4 scarcity reasons, I'm trying to squeeze every drop from a block
of public addresses I've been allocated.
There's a LAN consisting of hosts with mostly private IPs and some with
public IPs. An OpenBSD gateway has a public IP on the uplink interface
(cnmac0) for NAT purposes, but private only on the LAN interface (cnmac1,
call it 10.0.0.1). Then I set specific routes to the hosts with LAN-side
public IPs (say 1.2.3.4). The trouble is when the host is directly
connected on the gateway's Ethernet, i.e. the gateway needs to send to an
address outside its interface's subnet without a next hop.
route(8) reads:
> If the destination is directly reachable via an interface requiring no
> intermediary system to act as a gateway, the -iface modifier should be
> specified; the gateway given is the address of this host on the common
> network, indicating the interface to be used for transmission.
Thus, I tried:
# route add -host 1.2.3.4 -iface 10.0.0.1
The kernel reports "arp_rtrequest: bad gateway value: cnmac1" but adds the
route:
1.2.3.4 10.0.0.1 UHS 0 0 - 8 cnmac1
Testing:
# ping 1.2.3.4
ping: sendto: Invalid argument
and the kernel reports "arpresolve: 1.2.3.4: route contains no arp
information". If I disregard the manual and do as Google tells me:
# route add -host 1.2.3.4 -iface cnmac1
route: cnmac1: bad address
Or
# route add -host 1.2.3.4 -iface -link cnmac1
add host 1.2.3.4: gateway cnmac1
which seems promising; the route shows as
1.2.3.4 link#2 UHLS 0 0 - 8 cnmac1
and the ping initially works, but rather than adding a new cloned route
after ARP resolution, the "static" route itself changes to
1.2.3.4 <target MAC> UHLS 0 2 - 8 cnmac1
then expires from ARP cache after 20 minutes and stops working. If I add
-cloning to the route, its flags show as UHCS and the ping goes back to
Invalid argument / route contains no arp information. If I also add
-llinfo, flags show as UHCLS, ping still gives Invalid argument, but the
kernel now logs "arpresolve: 1.2.3.4: route without link local address".
This is with OpenBSD 5.9. I'm aware that's a bit old now, but I'd think
it's already well into the mature years of this basic networking code.
I've had no problem with this configuration on Linux, and reportedly it
worked in 2011 on FreeBSD and even OpenBSD 3.x:
https://forums.freebsd.org/threads/problem-with-host-ip-and-gateway-are-on-different-networks.26945/#post-150463
What am I missing here?
Jacob