Hello,
I am struggling to figure this out and do not know what to try next, so
I am asking for help. I am missing something simple, no doubt.
I am setting up a network gateway at home. Ultimately, I want to have a
backup internet connection, with fiber first and then cable as a backup.
This is to replace a Unifi solution that I started to use during the
pandemic, which may not be a good idea given the issues I am already
having. :)
So far I am just able to assign addresses, which it is now doing. I can
'ping', 'host' and ssh into the gateway from the OpenBSD client computer.
I can also ping and host on the gateway computer running FuguIta
(OpenBSD 7.9 release). I am able to 'dig @9.9.9.9 openbsd.org', and
'traceroute -I' works as well. However, I cannot load any web pages, and
applications like Profanity cannot log in, as they seemingly cannot find
the hosting site (conversations.im). Disabling pf does not change this
behavior.
I have pasted my /etc/dhcpd.conf, pf.conf, rc.conf.local and resolv.conf
files below. Any pointers or suggestions are greatly appreciated.
Thanks, Aric
# $OpenBSD: dhcpd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network: 192.168.1.0/255.255.255.0
# Domain name: xochitlfilms.org
# Name servers: 192.168.1.1
# Default router: 192.168.1.1
# Addresses: 192.168.1.10 - 192.168.1.150
#
option domain-name "xochitlfilms";
option domain-name-servers 192.168.1.1;
# option domain-name-servers 208.67.222.222;
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
range 192.168.1.10 192.168.1.150;
}
pf.conf follows:
# macros
ext_if = "em0" # may be better to remove this macro and just use 'egress'
ext2_if = "em1"
int_if = "em2"
int2_if = "em3"
localnet = $int_if:network
# for tables from dhcpd, need the following in /etc/rc.conf.local
# dhcpd_flags="-L leased_ip_table -A abandoned_ip_table -C changed_ip_table em2"
table <abandoned_ip_table> persist counters
table <changed_ip_table> persist counters
table <leased_ip_table> persist counters
# see /etc/services. 8801/02 for zoom - May need more udp ports
# https://help.ui.com/hc/en-us/articles/218506997-Required-Ports-Reference.
# Need some more for the phone
client_out = "{ ssh, domain, imaps, imap, irc, telnet, nntp, www, presence, sip, \
               https, submission, submissions, xmpp-bosh, xmpp-client, xmpp-server, 8801, 8802 }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
# rulesets
# book keeps changing the wording, see page 84
# ext_if IPv4 address may be dynamic, hence ($ext_if)
match out on egress inet nat-to ($ext_if) # now another below
# match out on egress from $localnet nat-to ($ext_if)
block
pass quick proto udp to port $udp_services # taken care of below
pass inet proto icmp icmp-type $icmp_types
pass quick proto tcp to port domain # taken care of below
pass proto tcp from <leased_ip_table> to port $client_out
rc.conf.local follows:
dhcpd_flags="-L leased_ip_table -A abandoned_ip_table -C changed_ip_table em2"
resolv.conf follows:
nameserver 209.18.47.63 # resolvd: em0
nameserver 209.18.47.62 # resolvd: em0
nameserver 9.9.9.9
nameserver 84.200.69.80
nameserver 208.67.222.222
lookup file bind
family inet4 inet6
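An added diagnostic script for a setup like the one above; it is not part of Aric's message and not an OpenBSD tool. It checks the three things the posted configuration depends on for clients to get past the gateway: that IP forwarding is enabled, that a nat-to rule is actually loaded in pf, and that something answers DNS on the address dhcpd.conf advertises as name server (192.168.1.1 in the file above). It assumes the output formats of OpenBSD's sysctl, pfctl -sn and netstat -an -f inet; the check_* functions take that output as text, so they can also be run against constructed samples off the gateway.

```shell
#!/bin/sh
# Added diagnostic script; not part of the original post. Assumes an OpenBSD
# gateway running dhcpd and pf, and the output formats of OpenBSD's
# sysctl(8), pfctl(8) and netstat(1). It checks three things a gateway that
# hands out addresses but cannot get clients to the web commonly gets wrong:
#   1. IP forwarding is on         (sysctl net.inet.ip.forwarding=1)
#   2. the NAT rule is loaded      (pfctl -sn shows a nat-to rule)
#   3. a DNS server is listening on the address dhcpd advertises as name server
# The check_* functions work on text passed as arguments so they can be run
# against constructed samples; diagnose_live feeds them the real commands.

# 1. argument: output of `sysctl net.inet.ip.forwarding`
check_forwarding() {
    [ "$1" = "net.inet.ip.forwarding=1" ]
}

# 2. argument: output of `pfctl -sn`; true if any nat-to rule is loaded
check_nat_loaded() {
    printf '%s\n' "$1" | grep -q 'nat-to'
}

# 3a. argument: contents of dhcpd.conf; prints the first address of the first
#     uncommented "option domain-name-servers" line (empty if none)
dhcp_nameserver() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*option domain-name-servers[[:space:]]*\([0-9.]*\).*/\1/p' |
        head -n 1
}

# 3b. arguments: name server address, output of `netstat -an -f inet`;
#     true if a UDP socket is bound to that address (or the wildcard) on port 53
check_dns_listener() {
    printf '%s\n' "$2" | awk -v a="$1" '
        $1 == "udp" && ($4 == (a ".53") || $4 == "*.53") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Run all checks over supplied text. Prints one FAIL line per problem and
# returns the number of failures (0 means everything looks right).
diagnose() {
    fwd="$1"; nat="$2"; dhcpd_conf="$3"; sockets="$4"
    fails=0
    if ! check_forwarding "$fwd"; then
        echo "FAIL: forwarding is off; set net.inet.ip.forwarding=1 in /etc/sysctl.conf"
        fails=$((fails + 1))
    fi
    if ! check_nat_loaded "$nat"; then
        echo "FAIL: no nat-to rule loaded; check 'pfctl -sn' after 'pfctl -f /etc/pf.conf'"
        fails=$((fails + 1))
    fi
    ns=$(dhcp_nameserver "$dhcpd_conf")
    if [ -z "$ns" ]; then
        echo "FAIL: dhcpd.conf advertises no name server to clients"
        fails=$((fails + 1))
    elif ! check_dns_listener "$ns" "$sockets"; then
        echo "FAIL: clients are told to use $ns for DNS but nothing listens on $ns port 53"
        fails=$((fails + 1))
    fi
    return $fails
}

# Live run on the gateway itself (run as root so pfctl can read the ruleset).
diagnose_live() {
    diagnose "$(sysctl net.inet.ip.forwarding)" "$(pfctl -sn)" \
             "$(cat /etc/dhcpd.conf)" "$(netstat -an -f inet)"
}

if [ "${1:-}" = "live" ]; then
    diagnose_live
fi
```

Save it under any name (gateway-check.sh, say) and run `sh gateway-check.sh live` as root on the gateway; each failing check prints a FAIL line naming what to look at, and the exit status is the number of failures. The third check matters because the DHCP server hands clients 192.168.1.1 as their only name server: if no resolver is listening there, clients can still ping by address and the gateway itself can still dig @9.9.9.9, while browsers and XMPP clients fail exactly as described.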