Hi again,
Sorry about that last note -- that was the general question I had
written up for openbsd-misc.
I *do* have a more specific question, relevant to this list, now that
I've got the e-mail addresses straight. With the setup I outlined in my
last message, I did try bridging the internal interfaces, and managing
connections with authpf. It didn't work, however.
A repeat of the topology I tried:
wireless ap --- (qe0) --- [ss4/openbsd] --- (le0) --- external net
                                |
         hub #1 --- (qe1) ----- |
                                |
         hub #2 --- (qe2) ----- |
Because I want all internal clients to use 192.168.0.1 as their gateway,
qe0, qe1, qe2 are bridged; qe0 is 192.168.0.1; qe1 and qe2 are up, but
not assigned an address.
I tested with an internal client on one of the internal bridged
interfaces, which got an appropriate address from dhcpd, and could ssh
to 192.168.0.1 to authenticate with authpf. Only problem is, my traffic
made it through the openbsd box, NAT and all, whether or not I was
authenticated with authpf.
Here are the relevant rules in my pf.conf:
nat on { $extif } from 192.168.0.0/24 to any -> $external_ip
# because it's recommended to filter only on one bridged interface...
pass in quick on { qe1, qe2 } all
pass out quick on { qe1, qe2 } all
# for authpf
block in log on { qe0 } from any to any
# for ssh
pass in log quick on { qe0 } proto tcp from any to 192.168.0.1/32 \
port 22 flags S/SA keep state
# for dhcp
pass in log quick on { qe0 } proto { tcp, udp } from \
{ 0.0.0.0/8, 255.255.255.255/32, 127.0.0.0/8, 169.254.0.0/16 } \
port = 68 to 192.168.0.1/32 port = 67
anchor authpf
Any idea of what I might be missing? With this setup, all traffic gets
through the bridged interface, without being blocked by the block rule
for authpf. Alternatively, is there a better way to do this, other than
with a bridge? (I saw the recent thread here about authpf on a bridge,
but that seemed to be using vlans.)
Again, thanks, and sorry again about that somewhat off-topic post
earlier.
Marc
--
Marc Ozon Toronto, Ontario, Canada
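Added example, not part of Marc's post: a small Python model of how pf matches inbound rules, where a rule written `on { qe0 }` only ever sees packets that arrived on qe0, fed the two interface rules from the pf.conf above and a constructed packet from an unauthenticated client on each internal interface. The "block on every bridge member" variant is an assumption about one way the block rule could be extended, not something the post states.

```python
# Added example (not from the original post): a deliberately small model of
# pf's per-interface inbound rule evaluation. Only "in" rules, "on <ifaces>",
# "quick" and the implicit default are modelled; addresses are constructed.
from dataclasses import dataclass


@dataclass
class Rule:
    action: str          # "pass" or "block"
    ifaces: frozenset    # interfaces named after "on"
    quick: bool = False  # stop at first match when set


@dataclass
class Packet:
    iface: str           # interface the packet arrived on
    src: str
    dst: str


def evaluate_in(rules, pkt):
    """pf semantics: last matching rule wins unless a matching rule is 'quick'."""
    winner = "pass"      # pf passes traffic that matches no rule at all
    for r in rules:
        if pkt.iface not in r.ifaces:
            continue     # "on { qe0 }" never matches a packet that came in on qe1
        winner = r.action
        if r.quick:
            break
    return winner


# The poster's ruleset, reduced to the two rules that decide the outcome.
POSTED = [
    Rule("pass", frozenset({"qe1", "qe2"}), quick=True),
    Rule("block", frozenset({"qe0"})),
]
# Constructed variant: the authpf block rule applied to every bridge member.
ALL_MEMBERS = [
    Rule("block", frozenset({"qe0", "qe1", "qe2"})),
]


def outcomes(rules):
    """Verdict for an unauthenticated 192.168.0.0/24 client on each internal interface."""
    return {i: evaluate_in(rules, Packet(i, "192.168.0.50", "203.0.113.9"))
            for i in ("qe0", "qe1", "qe2")}


if __name__ == "__main__":
    print("posted ruleset:       ", outcomes(POSTED))
    print("block on all members: ", outcomes(ALL_MEMBERS))
```

With the posted rules, a client behind hub #1 or hub #2 is passed on qe1/qe2 and the qe0 block rule is never consulted, which matches the behaviour described in the post.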