On Sun, May 17, 2009 at 4:13 PM, Claudio Jeker <[email protected]> wrote:

> On Sun, May 17, 2009 at 11:39:43AM +0200, Felipe Alfaro Solana wrote:
> > On Sun, May 17, 2009 at 9:57 AM, Claudio Jeker <[email protected]> wrote:
> >
> > > On Sun, May 17, 2009 at 01:13:29AM +0200, Felipe Alfaro Solana wrote:
> > > > Hi misc,
> > > > route add allows one to specify a directly-connected route reachable
> > > > over an interface, using the -interface switch. However, I can't seem
> > > > to figure out if it's possible to specify just the interface name to
> > > > the -interface switch. According to the manual page, only an IP
> > > > address is allowed:
> > > >
> > > > """
> > > >      If the destination is directly reachable via an interface
> > > >      requiring no intermediary system to act as a gateway, the
> > > >      -interface modifier should be specified; the gateway given is
> > > >      the address of this host on the common network, indicating the
> > > >      interface to be used for transmission.
> > > > """
> > > >
> > > > The thing is the interface I want to use with the -interface switch
> > > > does not have a static IP address. I could script something to get
> > > > the current IP address of that interface but that looks hacky to me.
> > > > Is it possible to do something like this?
> > > >
> > > > # route add -net 128.0.0.0/16 -interface vr2
> > > >
> > > > instead in OpenBSD? I'm a little bit confused since adding the route
> > > > while using the IP address yields the following entry in the routing
> > > > table:
> > > >
> > > > 128.0/16           link#3             UCS        0        0     -     8 vr2
> > > >
> > > > So, why exactly is it that -interface wants an IP address but does
> > > > not like interface names?
> > > >
> > >
> > > ifconfig vr2 alias 128.0.0.1/16
> > >
> > > This will ensure that everything is correctly set up.
> > > Doing it with route will most probably cause issues because it will not
> > > setup everything correctly. You need an IP on that interface in that
> > > network or it will not work.
> >
> >
> > Thanks for your reply, Claudio.
> >
> > Initially, I tried setting up the alias directly on the vr2 interface.
> > However, I had problems because vr2 is an Internet-facing interface that
> > uses DHCP. I used to use a custom dhclient.conf configuration file as
> > described in [1] but, for some reason, when the lease is renewed, I start
> > to suffer packet loss. A tcpdump capture shows that some TCP connections
> > are being sourced with the IP alias address and not the public IP
> > address. That's why I tried using a loopback interface.
> >
> > This was my custom dhclient.conf:
> >
> > interface "vr2" {
> >         supersede domain-name "my.domain";
> >         supersede domain-name-servers 1.2.3.4;
> > }
> >
> > alias {
> >         interface "vr2";
> >         fixed-address 128.0.0.1;
> >         option subnet-mask 255.255.0.0;
> > }
> >
> > First time I invoke dhclient, everything seems to work fine:
> >
> > # dhclient vr2
> >
> > DHCPREQUEST on vr2 to 255.255.255.255 port 67
> > DHCPACK from 10.177.128.1
> > bound to A.B.C.D -- renewal in 2590 seconds.
> > # ifconfig vr2
> > vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:0d:b9:18:9b:fa
> >         priority: 0
> >         groups: egress
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
> >         inet A.B.C.D netmask 0xfffffe00 broadcast 255.255.255.255
> >         inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255
> >
> > However, if I call dhclient one more time, the martian IP address seems
> > to become the primary IP address and the public IP address the alias:
> >
> > # dhclient vr2
> > DHCPREQUEST on vr2 to 255.255.255.255 port 67
> > DHCPACK from 10.177.128.1
> > bound to A.B.C.D -- renewal in 2579 seconds.
> > # ifconfig vr2
> > vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:0d:b9:18:9b:fa
> >         priority: 0
> >         groups: egress
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
> >         inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255
> >         inet A.B.C.D netmask 0xfffffe00 broadcast 255.255.255.255
> >
> > Even more funny, if I want to entirely remove the martian IP address I
> > need to remove it twice:
> >
> > # ifconfig vr2
> > vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:0d:b9:18:9b:fa
> >         priority: 0
> >         groups: egress
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
> >         inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255
> >         inet A.B.C.D netmask 0xfffffe00 broadcast 255.255.255.255
> > # ifconfig vr2 delete 128.0.0.1
> > # ifconfig vr2
> > vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:0d:b9:18:9b:fa
> >         priority: 0
> >         groups: egress
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
> >         inet A.B.C.D netmask 0xfffffe00 broadcast 255.255.255.255
> >         inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255
> > # ifconfig vr2 delete 128.0.0.1
> > # ifconfig vr2
> > vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:0d:b9:18:9b:fa
> >         priority: 0
> >         groups: egress
> >         media: Ethernet autoselect (100baseTX full-duplex)
> >         status: active
> >         inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
> >         inet A.B.C.D netmask 0xfffffe00 broadcast 255.255.255.255
> >
> > Is this a bug in dhclient? A bug in the OpenBSD kernel?
> >
>
> What are you trying to do? Why do you think you can use 128.0/16 and why
> do you need it to be assigned on the external interface?
> I have the feeling you try something that should be done differently.


The explanation is bizarre, I know.

I have two machines connected to my ISP, using dynamic and public IP
addresses. One of the machines is the OpenBSD box all this thread is about,
which is a firewall and the default gateway for my internal network. The
other one is an old machine that I'm using as a BitTorrent client. For
various reasons, I don't want to put the BitTorrent machine inside the
internal network and punch holes in the firewall. For this reason, and
because the BitTorrent machine is effectively outside my internal network,
when I want to transfer files from the BitTorrent machine back into the
internal network I want the traffic to not hit the ISP/Internet. The thing
is that both the OpenBSD and BitTorrent machines get assigned dynamic and
public IP addresses that do not always belong to the same subnet.
Therefore, when I scp files from the BitTorrent machine, traffic exits my
OpenBSD gateway, goes upstream to my ISP, and from there downstream to the
BitTorrent machine. This is not optimal, so I'm short-circuiting that path by
having the OpenBSD gateway and BitTorrent machines live in the
128.0.0.0/16 network. Hence, I can scp files from the 128.0.0.0/16 network
and have them move from the BitTorrent machine back to the OpenBSD gateway,
bypassing the ISP.

Does it make sense?

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
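As an added example (not part of the thread), a small sh check for the symptom Felipe describes: after a dhclient renewal the 128.0.0.0/16 alias is listed before the DHCP address on vr2, which is when connections start being sourced from the alias. It parses constructed ifconfig output modelled on the thread; A.B.C.D stays a placeholder as on the page.

```shell
#!/bin/sh
# Detect whether the 128.0.0.0/16 alias has become the primary IPv4 address
# on an interface, i.e. the state shown in the thread after the second
# dhclient run. Samples below are constructed from the thread's output.

# Constructed sample: healthy order (DHCP address listed first).
GOOD='vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
        inet A.B.C.D netmask 0xfffffe00 broadcast 255.255.255.255
        inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255'

# Constructed sample: swapped order after renewal (alias listed first).
SWAPPED='vr2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20d:b9ff:fe18:9bfa%vr2 prefixlen 64 scopeid 0x3
        inet 128.0.0.1 netmask 0xffff0000 broadcast 128.0.255.255
        inet A.B.C.D netmask 0xfffffe00 broadcast 255.255.255.255'

# Print the first IPv4 address of the interface (ifconfig output on stdin).
# Only lines whose first field is exactly "inet" count, so inet6 is skipped.
primary_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# Return 0 (true) if the primary address is the 128.0.0.0/16 alias,
# 1 otherwise. $1 is the ifconfig output as a single string.
alias_is_primary() {
    primary=$(printf '%s\n' "$1" | primary_inet)
    case "$primary" in
        128.0.*) return 0 ;;   # alias has become primary: misconfigured
        *)       return 1 ;;
    esac
}

# Live use on the box (hypothetical invocation):
#   alias_is_primary "$(ifconfig vr2)" && echo "alias is primary on vr2"
```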
