On Sun, Dec 11, 2022 at 04:20:53PM -0800, Randall Gellens wrote:
> I have a Protectli box that is the router for my home network. The home
> network uses U-Verse to connect to the outside, and has separate Ethernet
> networks for servers, wired clients, and Wi-Fi IoT clients. U-Verse supplies
> their own box (a "Residential Gateway" or RG) that sits at the connection
> points. The RG throws a tantrum if it detects an internal router or
> multi-homed devices, so the OpenBSD box is set up as a transparent filtering
> bridge so the RG thinks all the devices are connected directly to it. The
> OpenBSD box has Ethernet ports for the U-Verse RG and one for the three
> internal networks, with pf filtering the packets. The /etc/hostname.if files
> provide an IP address for the interface for the server network and one for
> the Wi-Fi interface (these are on different networks). The /etc/hostname.if
> files for the U-Verse and wired client Ethernet ports have just a
> description.
>
> The Protectli was running (I think) OpenBSD 6.2, but suffered a disk failure
> and I couldn't find my backup, so I installed a fresh OpenBSD 7.2 on it and
> added the users and config files (I had current versions of those). The
> config files are pretty minimal: /etc/hostname.if files for the four
> Ethernet ports and the bridge, /etc/sysctl.conf to set
> net.inet.ip.forwarding=1, pf.conf for the rules. There aren't any other
> services running on the box (other boxes are used for DHCP, DNS, etc.).
>
> Initially, the server and Wi-Fi Ethernet ports had traffic and packets were
> routed between them, but there was no traffic on the wired clients nor
> U-Verse Ethernet ports, and no packets got between them. A client on Wi-Fi
> could ping a server and vice versa, and other servers could reach the
> OpenBSD box. But clients couldn't reach servers, and nothing could get
> outside. All interfaces looked right when viewed using ifconfig, and the
> bridge looked right (it was up and had the four interfaces). There were no
> errors during startup, nor when running netstart.
>
> Changing the /etc/hostname.if files for the U-Verse and client ports to add
> an 'inet' line with a dummy IP address made it all start working. Before,
> they just had a line with "description" and text.
>
> Questions:
>
> (1) I'd like to understand why the interfaces worked without having IP
> addresses in OpenBSD 6 but not in OpenBSD 7. They showed as up and as part
> of the bridge, but no traffic.

Without *at least* the applicable /etc/hostname.* files it's hard to help
you with this. FWIW, I have a 7.1 box with a similar setup that forwards
packets adequately (bridging two vlan interfaces, with no IP addresses on
the parent interfaces, the vlan interfaces or the bridge).

> (2) Also, I have several old machines that can no longer SSH into the
> OpenBSD 7 box. They get an error "no hostkey alg". Is there an easy way to
> get the OpenBSD box to accept connections from older clients? Presumably I
> need to enable older key algorithms, but after hunting through the OpenSSH
> manual I can't see what I need to do. The packet rules block access to the
> OpenBSD box from outside.

RSA was deprecated some time ago. Add

    HostKeyAlgorithms=+ssh-rsa
    PubkeyAcceptedAlgorithms=+ssh-rsa

to /etc/ssh/sshd_config, or, better yet, change the clients' config to
bring them up to speed (I understand it might not be feasible).

> Thank you for any help,
>
> --Randall
> --
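Since the thread stalls on the missing hostname.* files, here is an added example (not from either poster) of what a minimal set for the four-port filtering bridge described above can look like, with a check that every bridge member is actually brought up. The interface names em0..em3, the addresses and the target directory are assumptions; hostname.if(5) brings an interface up either via an explicit "up" line or implicitly via an "inet" line, and a line carrying only a description does neither.

```shell
#!/bin/sh
# Added example, not the poster's own config. Interface names, addresses
# and the output directory are assumptions; write into a scratch directory
# first, then copy the files into /etc on the real box.
set -eu

write_bridge_config() {
    dir="$1"
    # Members with no address of their own: "description" alone does not
    # bring the link up, so an explicit "up" line is required.
    printf 'description "U-Verse RG"\nup\n'    > "$dir/hostname.em0"
    printf 'description "wired clients"\nup\n' > "$dir/hostname.em1"
    # Members that carry an address: the inet line implies up.
    printf 'description "servers"\ninet 192.0.2.1 255.255.255.0\n' \
        > "$dir/hostname.em2"
    printf 'description "wifi-iot"\ninet 198.51.100.1 255.255.255.0\n' \
        > "$dir/hostname.em3"
    # The bridge: add all four members, then bring the bridge itself up.
    printf 'add em0\nadd em1\nadd em2\nadd em3\nup\n' > "$dir/hostname.bridge0"
}

# Every member named by an "add" line in hostname.bridge0 must have its own
# hostname.if file containing an "up" or an address line; otherwise the
# member stays down and the bridge silently passes no traffic on it.
check_bridge_config() {
    dir="$1"
    for m in $(awk '$1 == "add" { print $2 }' "$dir/hostname.bridge0"); do
        f="$dir/hostname.$m"
        [ -f "$f" ] || { echo "missing $f"; return 1; }
        grep -qE '^(up|inet|inet6)( |$)' "$f" \
            || { echo "$m is never brought up in $f"; return 1; }
    done
    return 0
}
```

Run check_bridge_config against /etc after editing to catch a member that only has a description line; it prints the offending interface and returns non-zero.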