{2600}---/29---fxp0 { OpenBSD Bridge } fxp1---eth0 { Cisco 2514 } eth1---/28 More OpenBSD Units

I am having a problem that I have been unable to fix. The scenario above is what my lab looks like. Essentially my workstation lives off the /29 behind the fxp1 interface. The OpenBSD Bridge is a 3.3 Generic with pf/altq protecting everything behind it. I can ssh to the OpenBSD bridge from my workstation because my IP address is on the same /29 as the External Int of the Bridge on fxp0, but none of my machines behind the Cisco 2514 on the eth1 network /28 can talk directly to the Bridge, though they can bridge out/in just fine. Mind you, traffic from the /29 can talk to the bridge just fine. Just to clarify, anything that comes in from the Internet and lands on fxp0 can talk to the Bridge as well.

I see this in my tcpdumps:

## XXX.XXX.56.211 = machine on /28 subnet
## xxx.xxx.43.114 = fxp0 IP on Bridge on /29

Jun 09 11:09:48.142206 rule 20/0(match): pass in on fxp0: XXX.XXX.56.211.32214 > xxx.xxx.43.114.22: S
Jun 09 11:09:48.146181 rule 6/0(match): block in on fxp0: xxx.xxx.43.114.22 > XXX.XXX.56.211.32214: S

Supporting icmp redirect dumps show this:

Jun 09 11:19:55.824378 : ROU.TER.IP.113 > xxx.xxx.43.114: icmp: redirect XXX.XXX.56.211 to net xxx.xxx.43.116

This looks to me like an icmp redirect problem, because I am seeing the External IP of my bridge send the packet right back at the interface with the destination of the correct machine on the /29. I at first thought it was a problem with icmp route-redirects on the Bridge not being allowed to pass in to tell the Bridge external IP to redirect the traffic back out fxp1.

After adding:

$gw_router = ip of bridge next hop --> Cisco 2600

# ICMP router redirect for multiple networks
pass in log quick on $br0_if inet proto icmp from $gw_router to any icmp-type 5 code 0 keep state queue man1 label "pass icmp redirects from gw_router"
pass in log quick on $br0_if inet proto icmp from $gw_router to any icmp-type 5 code 1 keep state queue man1 label "pass icmp redirects from gw_router"
pass in log quick on $br0_if inet proto icmp from $gw_router to any icmp-type 5 code 2 keep state queue man1 label "pass icmp redirects from gw_router"
pass in log quick on $br0_if inet proto icmp from $gw_router to any icmp-type 5 code 3 keep state queue man1 label "pass icmp redirects from gw_router"

This didn't work, and I noticed that the block was on xxx.xxx.43.114 coming in the fxp0 interface, so I put in a statement for xxx.xxx.43.114 to allow in on fxp0, although this should never happen except in this situation. After doing this I see the following when trying to ssh to xxx.xxx.43.114 from an IP on the /28 network:

Jun 09 12:09:24.680962 rule 20/0(match): pass in on fxp0: XXX.XX.56.211.32148 > xxx.xxx.43.114.22: S
Jun 09 12:09:24.700588 rule 61/0(match): pass in on fxp0: xxx.xxx.43.114.22 > XXX.XXX.56.211.32148: S
Jun 09 12:09:30.692264 rule 61/0(match): pass in on fxp0: xxx.xxx.43.114.22 > XXX.XXX.56.211.32148: S
Jun 09 12:09:36.679255 rule 61/0(match): pass in on fxp0: xxx.xxx.43.114.22 > XXX.XXX.56.211.32148: S

but it never establishes the connection, and I don't see any blocks on pflog0.

Seeing how this didn't work, I again looked at what was happening and tried to add a route on the bridge using the interface as the direction to push the /28 network - I assumed this would work like a Cisco (i.e. static route a network out an interface):

route add XXX.XXX.56.208/28 -interface fxp1
route: fxp1: bad value
route add XXX.XXX.56.208 -netmask XXX.XXX.XXX.240 -interface fxp1
route: fxp1: bad value

I am confused now - do I have the syntax wrong on this? Can I not influence a route out an interface that is just "up"?

fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:02:b3:bf:e8:b6
        media: Ethernet 100baseTX full-duplex
        status: active
        inet6 fe80::202:b3ff:febf:e8b6%fxp1 prefixlen 64 scopeid 0x2

I even tried this line in my pf.conf @13:

pass in log quick on fxp0 reply-to fxp1 inet proto tcp from XXX.XXX.56.211 to xxx.xxx.43.114 port = ssh keep state

and do see the action hitting that line:

Jun 09 12:59:01.243481 rule 13/0(match): pass in on fxp0: XXX.XXX.56.211.9681 > xxx.xxx.43.114.22: S

but I still get no connection.

The 2514 can talk directly to the bridge, but it knows about both /29 and /28:

2514_dual_eth>telnet XXX.XXX.43.114 22
Trying XXX.XXX.43.114, 22 ... Open
SSH-1.99-OpenSSH_3.6.1

But a Unit on the other side of the 2514 can't:

some.host.name:/etc% telnet XXX.XXX.43.114 22
Trying XXX.XXX.43.114...

Any Ideas, or anyone have a similar situation and they found a resolution?

TIA
Jason Houx
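An added example to go with the post above (it is not Jason's code or config, and nothing in it comes from his lab). It does two things a reader debugging this kind of bridge setup would want: it parses pflog-style tcpdump lines like the ones quoted and flags the tell-tale pattern of the box's own address arriving inbound on an interface (the bridge's reply coming "right back at the interface"), and it models the bridge's routing decision for the reply with a plain longest-prefix-match table. With only a default route, the reply to a /28 host is handed to the 2600, which answers with the ICMP redirect seen in the capture; once a /28 route exists via a next-hop address on the /29, the reply goes straight to the 2514. The table deliberately takes gateway addresses, not interface names: route(8) expects an address for the gateway argument, and fxp1 in the post carries no IPv4 address, which is why the `-interface fxp1` attempts are refused. All addresses are constructed from documentation ranges, and the 2514's address on the /29 being the redirect target is an assumption.

```python
import ipaddress
import re

# Constructed sample addresses (documentation ranges) standing in for the
# redacted ones in the post: the /29 on the bridge's fxp0 side and the /28
# behind the Cisco 2514's eth1.
ROUTER_2600 = "198.51.100.113"       # bridge's default gateway on the /29
BRIDGE_FXP0_IP = "198.51.100.114"    # the bridge's only IPv4 address
CISCO_2514_ON_29 = "198.51.100.116"  # assumed: 2514's /29 address, the redirect target
INSIDE_28 = "192.0.2.208/28"         # network behind the 2514
INSIDE_HOST = "192.0.2.211"          # a host on that /28

# Constructed pflog lines in the same shape as the post's tcpdump output.
SAMPLE_PFLOG = """\
Jun 09 11:09:48.142206 rule 20/0(match): pass in on fxp0: 192.0.2.211.32214 > 198.51.100.114.22: S
Jun 09 11:09:48.146181 rule 6/0(match): block in on fxp0: 198.51.100.114.22 > 192.0.2.211.32214: S
Jun 09 11:10:02.000001 rule 20/0(match): pass in on fxp0: 203.0.113.7.40000 > 198.51.100.114.22: S
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>.*)$"
)


def parse_pflog(text):
    """Parse tcpdump-on-pflog0 lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_hairpins(records, own_ips):
    """Packets logged 'in' whose source is one of this box's own addresses.

    This is the pattern in the post: the bridge's own reply to the /28 host
    shows up arriving on fxp0 again (blocked by rule 6, later passed by rule
    61, and the handshake still never completes)."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    return [r for r in records
            if r["dir"] == "in" and ipaddress.ip_address(r["src"]) in own]


class RouteTable:
    """Minimal longest-prefix-match table keyed on next-hop addresses."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, gateway):
        # Gateway must be an address, mirroring what route(8) accepts here.
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(gateway)))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gw in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return str(best[1]) if best else None


def next_hop_for_reply(dst, static_28_via=None):
    """Where the bridge forwards a reply to dst: default route only, or with an
    added route for the /28 via a next-hop address on the /29."""
    rt = RouteTable()
    rt.add("0.0.0.0/0", ROUTER_2600)
    if static_28_via:
        rt.add(INSIDE_28, static_28_via)
    return rt.lookup(dst)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for r in find_hairpins(recs, [BRIDGE_FXP0_IP]):
        print("hairpin: rule %d %s %s on %s: %s -> %s"
              % (r["rule"], r["action"], r["dir"], r["iface"], r["src"], r["dst"]))
    print("reply to %s, default route only:   via %s"
          % (INSIDE_HOST, next_hop_for_reply(INSIDE_HOST)))
    print("reply to %s, /28 via 2514 address: via %s"
          % (INSIDE_HOST, next_hop_for_reply(INSIDE_HOST, CISCO_2514_ON_29)))
```

Run it as-is to see the one hairpin record (rule 6) and the two next-hop answers; feed `parse_pflog` real `tcpdump -n -e -ttt -i pflog0` output in the same format to look for the same pattern on a live bridge.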