ok so I solved the dhcpd ack issue by explicitly allowing pass any on
each of the bridge member interfaces and the bridge0 device itself.

Still having issues with clients unable to ping between themselves
when they're situated off the GPON node; back to the drawing board.

On 3 December 2010 19:40, Joel Wiramu Pauling <[email protected]> wrote:
> Kia ora,
>
> I am having a similar problem as discussed here:
>
> http://kerneltrap.org/mailarchive/openbsd-misc/2010/8/24/6489
>
> However I am running latest stable on sunfire v215
>
> OpenBSD ufb-fw.ufb.net.nz 4.8 GENERIC#86 sparc64
>
> I am running double NAT but unfortunately at this point it is the only
> option for this machine.
>
> My interfaces are configured:
>
> # cat /etc/hostname.bge0
> dhcp
> up
> rtsol
>
> # cat /etc/hostname.bge1
> up
>
> # cat /etc/hostname.bge2
> up
>
> # cat /etc/hostname.bge3
> up
>
> # cat /etc/hostname.vether0
> inet 192.168.1.1 255.255.255.0 NONE description "bridge port with ip"
>
> # cat /etc/hostname.bridge0
> description "bridge for internal"
> add vether0
> add bge1
> add bge2
> add bge3
> up
>
> # cat /etc/rc.conf.local
> ntpd_flags=                  # enabled during install
> dhcpd_flags="vether0"
>
>
> # ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
>         priority: 0
>         groups: lo
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:14:4f:b1:b4:62
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>         status: active
>         inet6 fe80::214:4fff:feb1:b462%bge0 prefixlen 64 scopeid 0x1
>         inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
> bge1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:14:4f:b1:b4:63
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>         status: active
>         inet6 fe80::214:4fff:feb1:b463%bge1 prefixlen 64 scopeid 0x2
> bge2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:14:4f:b1:b4:64
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>         status: active
>         inet6 fe80::214:4fff:feb1:b464%bge2 prefixlen 64 scopeid 0x3
> bge3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:14:4f:b1:b4:65
>         priority: 0
>         media: Ethernet autoselect (none)
>         status: no carrier
>         inet6 fe80::214:4fff:feb1:b465%bge3 prefixlen 64 scopeid 0x4
> enc0: flags=0<>
>         priority: 0
>         groups: enc
>         status: active
> vether0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d0:e5:34
>         description: bridge port with ip
>         priority: 0
>         groups: vether
>         media: Ethernet autoselect
>         status: active
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::fce1:baff:fed0:e534%vether0 prefixlen 64 scopeid 0x7
> bridge0: flags=41<UP,RUNNING>
>         description: bridge for internal
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         bge3 flags=3<LEARNING,DISCOVER>
>                 port 4 ifpriority 0 ifcost 0
>         bge2 flags=3<LEARNING,DISCOVER>
>                 port 3 ifpriority 0 ifcost 0
>         bge1 flags=3<LEARNING,DISCOVER>
>                 port 2 ifpriority 0 ifcost 0
>         vether0 flags=3<LEARNING,DISCOVER>
>                 port 7 ifpriority 0 ifcost 0
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
>         priority: 0
>         groups: pflog
> #
>
> Bridge is showing that it has learned the various mac addresses:
> # ifconfig bridge0
> bridge0: flags=41<UP,RUNNING>
>         description: bridge for internal
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         designated: id 00:00:00:00:00:00 priority 0
>         bge3 flags=3<LEARNING,DISCOVER>
>                 port 4 ifpriority 0 ifcost 0
>         bge2 flags=3<LEARNING,DISCOVER>
>                 port 3 ifpriority 0 ifcost 0
>         bge1 flags=3<LEARNING,DISCOVER>
>                 port 2 ifpriority 0 ifcost 0
>         vether0 flags=3<LEARNING,DISCOVER>
>                 port 7 ifpriority 0 ifcost 0
>         Addresses (max cache: 100, timeout: 240):
>                 00:27:13:64:e3:df bge2 0 flags=0<>
>                 08:00:27:5b:9d:b6 bge1 1 flags=0<>
>                 00:0e:86:15:81:bf bge1 0 flags=0<>
>                 00:0e:86:15:80:63 bge1 0 flags=0<>
>                 00:0e:86:16:39:c4 bge1 0 flags=0<>
>                 00:13:fa:04:ae:44 bge1 1 flags=0<>
>                 48:5b:39:b5:b4:63 bge1 1 flags=0<>
>                 d8:5d:4c:e1:d3:16 bge1 1 flags=0<>
>                 6c:62:6d:7b:c8:05 bge1 1 flags=0<>
>
> And the daemon log is showing that vether0 is receiving DHCPREQUESTs and
> sending ACKs, but the ACKs never reach the clients.
>
> I am able to statically add IPs on clients and get them to work (the
> .11 host in the routing table, for example):
>
> # route show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            SpeedTouch.lan     UGS       61     4163     -     8 bge0
> 10.0.0/24          link#1             UC         1        0     -     4 bge0
> ufb-fw.lan         localhost          UGHS       0        0 33160     8 lo0
> SpeedTouch.lan     00:90:d0:72:87:38  UHLc      15      481     -     4 bge0
> loopback           localhost          UGRS       0        0 33160     8 lo0
> localhost          localhost          UH         2        0 33160     4 lo0
> 192.168.1/24       link#7             UC         1        0     -     4 vether0
> 192.168.1.11       48:5b:39:b5:b4:63  UHLc       1     6493     - L   4 vether0
>
>
> And if I remove the bridge and use bge1 directly as the dhcpd
> interface, clients get IPs (although, strangely, they are unable to ping each
> other, but can ping the router and get to the internet).
>
>
> # cat /etc/dhcpd.conf
> option domain-name "ufb.net.nz";
> option domain-name-servers 10.0.0.138;
>
>
>
> default-lease-time 2400;
> max-lease-time 7200;
>
> #subnet 10.37.0.0 netmask 255.255.255.0 {
> #   range 10.37.0.50 10.37.0.254;
> #   option routers 10.37.0.1;
> #   option domain-name-servers 10.0.0.138;
> #}
>
> subnet 192.168.1.0 netmask 255.255.255.0 {
>     range 192.168.1.10 192.168.1.100;
>     option routers 192.168.1.1;
>     option domain-name-servers 10.0.0.138;
> }
> #
>
> I've tried this with both a minimal permissive pf set and my normal one
> (same results with both).
>
>
> # pfctl -s rules
> match out on bge0 inet proto tcp from 192.168.1.0/24 to !
> 192.168.1.0/24 nat-to (bge0) round-robin
> match out on bge0 inet proto udp from 192.168.1.0/24 to !
> 192.168.1.0/24 nat-to (bge0) round-robin
> match out on bge0 inet proto icmp from 192.168.1.0/24 to !
> 192.168.1.0/24 nat-to (bge0) round-robin
> pass in quick inet proto tcp from 0.0.0.0 to <tbl.r9998.d> port = ssh
> flags any keep state label "RULE 9998 -- ACCEPT "
> block drop in log quick on bge0 inet from <tbl.r9998.d> to any label
> "RULE 0 -- DROP "
> block drop in log quick on bge0 inet from 192.168.1.0/24 to any label
> "RULE 0 -- DROP "
> pass quick on lo inet all flags S/SA keep state label "RULE 1 -- ACCEPT "
> pass quick on vether0 inet from 192.168.1.0/24 to 192.168.1.0/24 flags
> S/SA keep state label "RULE 2 -- ACCEPT "
> pass in quick inet proto icmp from 192.168.1.0/24 to <tbl.r9998.d>
> keep state label "RULE 3 -- ACCEPT "
> pass in quick inet proto tcp from 192.168.1.0/24 to <tbl.r9998.d> port
> = ssh flags any keep state label "RULE 3 -- ACCEPT "
> pass in quick inet proto tcp from 192.168.1.0/24 to <tbl.r9998.d> port
> = domain flags any keep state label "RULE 3 -- ACCEPT "
> pass in quick inet proto udp from 192.168.1.0/24 to <tbl.r9998.d> port
> = domain keep state label "RULE 3 -- ACCEPT "
> pass in quick inet proto udp from <tbl.r4.s> to <tbl.r9998.d> port =
> bootpc keep state label "RULE 4 -- ACCEPT "
> pass in quick inet proto udp from <tbl.r4.s> to <tbl.r9998.d> port =
> bootps keep state label "RULE 4 -- ACCEPT "
> pass quick inet proto udp from <tbl.r4.sx> to 255.255.255.255 port =
> bootpc keep state label "RULE 4 -- ACCEPT "
> pass quick inet proto udp from <tbl.r4.sx> to 255.255.255.255 port =
> bootps keep state label "RULE 4 -- ACCEPT "
> pass out quick inet proto udp from <tbl.r9998.d> to 192.168.1.0/24
> port = bootpc keep state label "RULE 5 -- ACCEPT "
> pass out quick inet proto udp from <tbl.r9998.d> to 192.168.1.0/24
> port = bootps keep state label "RULE 5 -- ACCEPT "
> pass out quick inet proto icmp from <tbl.r9998.d> to any keep state
> label "RULE 6 -- ACCEPT "
> pass out quick inet proto tcp from <tbl.r9998.d> port = ftp-data to
> any port >= 1024 flags any keep state label "RULE 6 -- ACCEPT "
> pass out quick inet proto tcp from <tbl.r9998.d> to any port = domain
> flags any keep state label "RULE 6 -- ACCEPT "
> pass out quick inet proto tcp from <tbl.r9998.d> to any port = www
> flags any keep state label "RULE 6 -- ACCEPT "
> pass out quick inet proto tcp from <tbl.r9998.d> to any port = https
> flags any keep state label "RULE 6 -- ACCEPT "
> pass out quick inet proto tcp from <tbl.r9998.d> to any port = ssh
> flags any keep state label "RULE 6 -- ACCEPT "
> pass out quick inet proto tcp from <tbl.r9998.d> to any port = ftp
> flags any keep state label "RULE 6 -- ACCEPT "
> pass out quick inet proto tcp from <tbl.r9998.d> to any port =
> ftp-data flags any keep state label "RULE 6 -- ACCEPT "
> pass out quick inet proto udp from <tbl.r9998.d> to any port = domain
> keep state label "RULE 6 -- ACCEPT "
> block drop in log quick inet from any to <tbl.r9998.d> label "RULE 7 -- DROP "
> pass quick inet from 192.168.1.0/24 to any flags S/SA keep state label
> "RULE 8 -- ACCEPT "
> block drop log quick inet all label "RULE 9 -- DROP "
> block drop quick inet all label "RULE 10000 -- DROP "
> #
>
>
> I am really tearing my hair out on this one. As best I can understand,
> there appears to be some sort of ARP dropping/blocking somewhere.
>
> console is /e...@1f,464000/ser...@2,80
> Copyright (c) 1982, 1986, 1989, 1991, 1993
>         The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2010 OpenBSD. All rights reserved.  http://www.OpenBSD.org
>
> OpenBSD 4.8 (GENERIC) #86: Mon Aug 16 09:09:34 MDT 2010
>     [email protected]:/usr/src/sys/arch/sparc64/compile/GENERIC
> real mem = 1073741824 (1024MB)
> avail mem = 1044054016 (995MB)
> mainbus0 at root: Sun Fire V215
> cpu0 at mainbus0: SUNW,UltraSPARC-IIIi (rev 3.4) @ 1504 MHz
> cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K
> external (64 b/l)
> "memory-controller" at mainbus0 not configured
> pyro0 at mainbus0: "Fire", rev 3, ign 780, bus A 2 to 13
> pyro0: dvma map c0000000-ffffffff
> pci0 at pyro0
> ppb0 at pci0 dev 0 function 0 "PLX PEX 8532" rev 0xbb
> pci1 at ppb0 bus 3
> ppb1 at pci1 dev 1 function 0 "PLX PEX 8532" rev 0xbb
> pci2 at ppb1 bus 4
> ppb2 at pci2 dev 0 function 0 "Acer Labs M5249 PCI-PCI" rev 0x00
> pci3 at ppb2 bus 5
> ohci0 at pci3 dev 28 function 0 "Acer Labs M5237 USB" rev 0x03: ivec
> 0x780, version 1.0, legacy support
> ohci1 at pci3 dev 28 function 1 "Acer Labs M5237 USB" rev 0x03: ivec
> 0x780, version 1.0, legacy support
> ehci0 at pci3 dev 28 function 3 "Acer Labs M5239 USB2" rev 0x01: ivec 0x781
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "Acer Labs EHCI root hub" rev 2.00/1.00 addr 1
> ebus0 at pci3 dev 30 function 0 "Acer Labs M1575 ISA" rev 0x00
> rtc0 at ebus0 addr 70-73: m5823
> pciide0 at pci3 dev 31 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc8:
> DMA, channel 0 configured to native-PCI, channel 1 configured to
> native-PCI
> pciide0: using ivec 0x784 for native-PCI interrupt
> pciide0: channel 0 disabled (no drives)
> pciide0: channel 1 disabled (no drives)
> usb1 at ohci0: USB revision 1.0
> uhub1 at usb1 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1
> usb2 at ohci1: USB revision 1.0
> uhub2 at usb2 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1
> ppb3 at pci1 dev 2 function 0 "PLX PEX 8532" rev 0xbb: ivec 0x794
> pci4 at ppb3 bus 6
> ppb4 at pci1 dev 8 function 0 "PLX PEX 8532" rev 0xbb: ivec 0x794
> pci5 at ppb4 bus 7
> ppb5 at pci1 dev 9 function 0 "PLX PEX 8532" rev 0xbb
> pci6 at ppb5 bus 8
> ppb6 at pci6 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xb5
> pci7 at ppb6 bus 9
> bge0 at pci7 dev 4 function 0 "Broadcom BCM5714" rev 0xa3, BCM5715 A3
> (0x9003): ivec 0x795, address 00:14:4f:b1:b4:62
> brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
> bge1 at pci7 dev 4 function 1 "Broadcom BCM5714" rev 0xa3, BCM5715 A3
> (0x9003): ivec 0x796, address 00:14:4f:b1:b4:63
> brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
> ppb7 at pci7 dev 8 function 0 "ServerWorks HT-1000 PCIX" rev 0xb4
> pci8 at ppb7 bus 10
> ppb8 at pci1 dev 10 function 0 "PLX PEX 8532" rev 0xbb
> pci9 at ppb8 bus 11
> ppb9 at pci9 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xb5
> pci10 at ppb9 bus 12
> bge2 at pci10 dev 4 function 0 "Broadcom BCM5714" rev 0xa3, BCM5715 A3
> (0x9003): ivec 0x796, address 00:14:4f:b1:b4:64
> brgphy2 at bge2 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
> bge3 at pci10 dev 4 function 1 "Broadcom BCM5714" rev 0xa3, BCM5715 A3
> (0x9003): ivec 0x797, address 00:14:4f:b1:b4:65
> brgphy3 at bge3 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
> ppb10 at pci10 dev 8 function 0 "ServerWorks HT-1000 PCIX" rev 0xb4
> pci11 at ppb10 bus 13
> mpi0 at pci11 dev 1 function 0 "Symbios Logic SAS1064" rev 0x02: ivec 0x78f
> scsibus0 at mpi0: 63 targets
> sd0 at scsibus0 targ 0 lun 0: <SEAGATE, ST973402SSUN72G, 0603> SCSI3
> 0/direct fixed
> sd0: 70007MB, 512 bytes/sec, 143374738 sec total
> pyro1 at mainbus0: "Fire", rev 3, ign 7c0, bus B 2 to 255
> pyro1: dvma map c0000000-ffffffff
> pci12 at pyro1
> ebus1 at mainbus0: ign 7c0
> "flashprom" at ebus1 addr 0-1fffff not configured
> com0 at ebus1 addr 80-87 ivec 0x8: ns16550a, 16 byte fifo
> com0: console
> com1 at ebus1 addr 40-47 ivec 0x9: ns16550a, 16 byte fifo
> "rmc-comm" at ebus1 addr 0-7 ivec 0xa not configured
> "gpio" at ebus1 addr c0-c0 not configured
> led0 at ebus1 addr 0-80: rev 0x5a
> power0 at ebus1 addr 40-c1 ivec 0x3
> "i2c" at mainbus0 not configured
> softraid0 at root
> bootpath: 
> /p...@1e,600000/p...@0,0/p...@a,0/p...@0,0/p...@8,0/s...@1,0/d...@0,0
> root on sd0a swap on sd0b dump on sd0b
>
>
>
>
>
> Any help/suggestions, greatly appreciated.
>
> Kind regards
>
> -JoelW
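A pf.conf fragment, added here as an example and not taken from either message, that lets DHCP cross the bridge with rules narrowed to the BOOTP ports instead of the blanket pass on every member port and bridge0 that the follow-up settles on. Interface names and the 192.168.1.0/24 network are from the quoted configuration; the macro names are assumptions.

```pf
# Added example, not from the thread. Macro names are assumptions.
#
# Two facts this ruleset relies on:
#  1. On an OpenBSD bridge, pf evaluates IP packets on the member
#     interfaces (bge1..bge3) as frames enter and leave them, not only
#     on vether0, so rules scoped "on vether0" alone never see a client
#     frame that is still on its way in through bge1.
#  2. A DHCP DISCOVER/REQUEST is sent from 0.0.0.0 to 255.255.255.255,
#     so a rule written "from 192.168.1.0/24" does not match it.
# pf never filters ARP: non-IP traffic on the bridge is only subject to
# bridge(4) rules ("ifconfig bridge0 rule ..."), so a pf ruleset cannot
# be what drops ARP between bridge ports.

ext_if  = "bge0"
int_if  = "vether0"               # bridge port that carries the IP and runs dhcpd
members = "{ bge1, bge2, bge3 }"  # physical bridge ports
lan     = "192.168.1.0/24"

set skip on lo

# Double NAT out the upstream interface, as in the quoted rules.
match out on $ext_if inet from $lan to ! $lan nat-to ($ext_if) round-robin

# Anti-spoof: internal addresses must never arrive on the upstream side.
block drop in log quick on $ext_if inet from $lan to any

# DHCP, limited to the two BOOTP ports rather than "pass any" per member.
# Client -> server (broadcast, the client has no source address yet):
pass in  quick on $members inet proto udp from any port bootpc to any port bootps
pass in  quick on $int_if  inet proto udp from any port bootpc to any port bootps
# Server -> client (unicast to the offered address, or broadcast):
pass out quick on $int_if  inet proto udp from any port bootps to any port bootpc
pass out quick on $members inet proto udp from any port bootps to any port bootpc

# Client <-> client across bridge ports, and client <-> router on vether0.
pass quick on $members inet from $lan to $lan
pass quick on $members inet from any to $lan
pass quick on $int_if  inet from $lan to any
pass quick on $int_if  inet from any to $lan

# Clients out to the Internet through the NAT; nothing unsolicited back in.
pass in  quick on $members inet from $lan to any
pass out quick on $ext_if  inet from any to any
block drop log quick inet all
```

Load it with `pfctl -nf` first to syntax-check, and watch `tcpdump -n -e -i bge1 port bootps or port bootpc` on a member port to confirm the ACKs actually leave the bridge.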
