Re: [OpenIKED] Is it impossible to differentiate the policies by dstid?
Thanks for the input, however, I think srcid defaults to the hostname when it’s omitted. Explicitly setting it didn’t give me any luck.

> On Nov 7, 2018, at 2:33 AM, J Evans <3...@startmail.com> wrote:
>
> I am by no means an expert, but for my setup, in order to get multiple
> policies working, I had to specify both srcid and dstid for each policy on
> the passive peer. And then I set srcid and dstid for the policies on the
> active peers.
>
Re: [OpenIKED] Is it impossible to differentiate the policies by dstid?
All incoming connections go to the “redheart” policy. “blackjack” users cannot connect. I’m using 6.4.

# iked -dv
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
ikev2 "blackjack" passive esp inet from 0.0.0.0/0 to 10.0.0.2 local 45.32.34.115 peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 0x7465737470736b31
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
ikev2 "redheart" passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 local 45.32.34.115 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 psk 0x7465737470736b32 config protected-subnet 0.0.0.0 config address 172.16.0.0 config netmask 255.255.255.0 config name-server 8.8.8.8
ikev2_recv: IKE_SA_INIT request from initiator 27.8.173.76:500 to 45.32.34.115:500 policy 'redheart' id 0, 230 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from 45.32.34.115:500 to 27.8.173.76:500 msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'redheart'

> On Nov 5, 2018, at 7:25 AM, Aaron Mason wrote:
>
> What happens when you remove quick from both policies?
>
> On Mon, Nov 5, 2018 at 7:00 AM 雷致强 wrote:
>>
>> OpenIKED is so great when I use one policy for all users. However, I’m
>> having trouble when I try to apply different policies to different users.
>> With the iked.conf that follows, iked seems to apply the “blackjack” policy to
>> incoming connections only, which keeps the users of “redheart” out.
>>
>> ikev2 "blackjack" quick passive ipcomp esp \
>>         from 0.0.0.0/0 to 10.0.0.2 \
>>         local egress \
>>         ikesa enc aes-256 prf hmac-sha2-256 group curve25519 \
>>         childsa enc chacha20-poly1305 group curve25519 \
>>         dstid "blackjack.local" \
>>         psk "testpsk1"
>>
>> ikev2 "redheart" quick passive ipcomp esp \
>>         from 0.0.0.0/0 to 172.16.0.0/24 \
>>         local egress \
>>         dstid "redheart.local" \
>>         psk "testpsk2" \
>>         config protected-subnet 0.0.0.0/0 \
>>         config address 172.16.0.0/24 \
>>         config netmask 255.255.255.0 \
>>         config name-server 8.8.8.8
>>
>> This is what happens when redheart.local connects to the responder. (I
>> replaced the IPs with redheart.local and asgard.local.)
>>
>> # iked -dv
>> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
>> ikev2 "blackjack" quick passive esp inet from 0.0.0.0/0 to 10.0.0.2 local asgard.local peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 0x7465737470736b31
>> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
>> ikev2 "redheart" quick passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 local asgard.local peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 psk 0x7465737470736b32 config protected-subnet 0.0.0.0 config address 172.16.0.0 config netmask 255.255.255.0 config name-server 8.8.8.8
>> ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to asgard.local:500 policy 'blackjack' id 0, 604 bytes
>> ikev2_sa_responder: no proposal chosen
>> ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to redheart.local:60970 msgid 0, 36 bytes
>> sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
>> ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to asgard.local:500 policy 'blackjack' id 0, 604 bytes
>> ikev2_sa_responder: no proposal chosen
>> ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to redheart.local:60970 msgid 0, 36 bytes
>> sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
>>
>> If I remove the “quick” option of the “blackjack” policy, all incoming
>> connections go to the “redheart” policy, which blocks “blackjack” users.
>>
>> Regarding all the examples I saw, I guess dstid is not a condition to
>> match the policies? Only “peer” matters?
>>
>
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
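The `iked -dv` output quoted in this message and in the original post can be checked mechanically. The following Python script is an added example and is not code from the thread or from OpenIKED: it parses the policy dump and the IKE_SA_INIT lines, pairs each request with the responder's verdict and the resulting SA state, and lists the policies that only say `peer any`. The point it illustrates is a protocol one (RFC 7296): identities travel in IKE_AUTH, so at IKE_SA_INIT the responder can only select on peer address and proposals, and a policy chosen there has to offer an IKE SA transform set the client accepts. The sample log is the thread's own output (with the poster's substituted hostnames), embedded as a constant so the script runs offline; the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the `iked -dv` lines quoted in the thread (hostnames as the
# poster substituted them), joined into one log so the example runs offline.
SAMPLE_LOG = """\
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
ikev2 "blackjack" quick passive esp inet from 0.0.0.0/0 to 10.0.0.2 local asgard.local peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 0x7465737470736b31
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
ikev2 "redheart" quick passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 local asgard.local peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 psk 0x7465737470736b32 config protected-subnet 0.0.0.0 config address 172.16.0.0 config netmask 255.255.255.0 config name-server 8.8.8.8
ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to asgard.local:500 policy 'blackjack' id 0, 604 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to redheart.local:60970 msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
"""

# Patterns for the line shapes visible in the thread's log (example's own).
POLICY_RE = re.compile(r'^ikev2 "(?P<name>[^"]+)"(?P<quick> quick)? .*?\bpeer (?P<peer>\S+)')
IKESA_RE = re.compile(r'\bikesa (?P<body>.*?) childsa ')
DSTID_RE = re.compile(r'\bdstid (?P<dstid>\S+)')
INIT_RE = re.compile(r"IKE_SA_INIT request from initiator (?P<initiator>\S+) to (?P<responder>\S+) policy '(?P<policy>[^']+)'")
STATE_RE = re.compile(r"^sa_state: (?P<old>\S+) -> (?P<new>\S+) .*policy '(?P<policy>[^']+)'")


def parse_policies(log: str) -> Dict[str, dict]:
    """Return the policies iked printed at startup, keyed by name, in print order."""
    policies: Dict[str, dict] = {}
    for line in log.splitlines():
        m = POLICY_RE.match(line)
        if not m:
            continue
        ikesa: Dict[str, List[str]] = {}
        im = IKESA_RE.search(line)
        if im:
            # "enc a,b prf c auth d group e" -> {"enc": [a, b], ...}
            for key, value in re.findall(r'\b(enc|prf|auth|group) (\S+)', im.group("body")):
                ikesa[key] = value.split(",")
        dm = DSTID_RE.search(line)
        policies[m.group("name")] = {
            "quick": m.group("quick") is not None,
            "peer": m.group("peer"),
            "dstid": dm.group("dstid") if dm else None,
            "ikesa": ikesa,
        }
    return policies


def parse_init_attempts(log: str) -> List[dict]:
    """Pair each IKE_SA_INIT request with the responder verdict and SA state that follow it."""
    attempts: List[dict] = []
    for line in log.splitlines():
        m = INIT_RE.search(line)
        if m:
            attempts.append({**m.groupdict(), "result": None, "state": None})
            continue
        if not attempts:
            continue
        if line.startswith("ikev2_sa_responder: "):
            attempts[-1]["result"] = line.split(": ", 1)[1]
            continue
        s = STATE_RE.match(line)
        if s and s.group("policy") == attempts[-1]["policy"]:
            attempts[-1]["state"] = s.group("new")
    return attempts


def peer_any_policies(policies: Dict[str, dict]) -> List[str]:
    """Policies whose only peer constraint is `peer any`. At IKE_SA_INIT the responder
    has the peer's address and proposals but not its ID (that arrives in IKE_AUTH),
    so these policies cannot be told apart by dstid at that stage."""
    return [name for name, p in policies.items() if p["peer"] == "any"]


def explain(log: str) -> List[str]:
    """One line per IKE_SA_INIT: the policy iked picked, its verdict, and the IKE SA
    transforms that policy offers (to compare against what the client proposed)."""
    policies = parse_policies(log)
    lines = []
    for a in parse_init_attempts(log):
        pol = policies.get(a["policy"], {})
        ikesa = pol.get("ikesa", {})
        lines.append(
            f"{a['initiator']} -> policy '{a['policy']}' "
            f"(quick={pol.get('quick')}, dstid={pol.get('dstid')}): "
            f"{a['result'] or 'accepted'}, state {a['state']}; "
            f"ikesa enc={','.join(ikesa.get('enc', []))} "
            f"group={','.join(ikesa.get('group', []))}"
        )
    return lines


if __name__ == "__main__":
    print("indistinguishable at IKE_SA_INIT:", peer_any_policies(parse_policies(SAMPLE_LOG)))
    for line in explain(SAMPLE_LOG):
        print(line)
```

Run against a live `iked -dv` capture (`python3 script.py < log`) after replacing the constant with `sys.stdin.read()`; the output shows, for each client, which policy's IKE SA transform set it was measured against, which is the first thing to compare with the client's configured proposals when the log says "no proposal chosen".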
[OpenIKED] Is it impossible to differentiate the policies by dstid?
OpenIKED is so great when I use one policy for all users. However, I’m having trouble when I try to apply different policies to different users. With the iked.conf that follows, iked seems to apply the “blackjack” policy to incoming connections only, which keeps the users of “redheart” out.

ikev2 "blackjack" quick passive ipcomp esp \
        from 0.0.0.0/0 to 10.0.0.2 \
        local egress \
        ikesa enc aes-256 prf hmac-sha2-256 group curve25519 \
        childsa enc chacha20-poly1305 group curve25519 \
        dstid "blackjack.local" \
        psk "testpsk1"

ikev2 "redheart" quick passive ipcomp esp \
        from 0.0.0.0/0 to 172.16.0.0/24 \
        local egress \
        dstid "redheart.local" \
        psk "testpsk2" \
        config protected-subnet 0.0.0.0/0 \
        config address 172.16.0.0/24 \
        config netmask 255.255.255.0 \
        config name-server 8.8.8.8

This is what happens when redheart.local connects to the responder. (I replaced the IPs with redheart.local and asgard.local.)

# iked -dv
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
ikev2 "blackjack" quick passive esp inet from 0.0.0.0/0 to 10.0.0.2 local asgard.local peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 0x7465737470736b31
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
ikev2 "redheart" quick passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 local asgard.local peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 psk 0x7465737470736b32 config protected-subnet 0.0.0.0 config address 172.16.0.0 config netmask 255.255.255.0 config name-server 8.8.8.8
ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to asgard.local:500 policy 'blackjack' id 0, 604 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to redheart.local:60970 msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to asgard.local:500 policy 'blackjack' id 0, 604 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to redheart.local:60970 msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'

If I remove the “quick” option of the “blackjack” policy, all incoming connections go to the “redheart” policy, which blocks “blackjack” users.

Regarding all the examples I saw, I guess dstid is not a condition to match the policies? Only “peer” matters?
Re: IP Forwarding is not working?
Hello,

It turns out this only happens when I assign IPs to em1, em2 and em3 directly. After I bridged them with different virtual ethernets, everything works fine. Can anybody tell me why?

Thanks!

> On 10 Dec 2016, at 2:21 PM, 雷致强 wrote:
>
> en0, en2 and en3 are on my Mac, which is ok; the IP it is assigned is 192.168.3.32 (en1). My problem is that I cannot ping 192.168.1.1 (em1) or 192.168.2.1 (em2), yet I can ping 192.168.3.1 (em3, the NIC my Mac is connecting to) and I can access the Internet. Moreover, none of the devices can access the devices on other LANs.
>
> This is what I got on the router:
>
> # route -inet
> route: unknown option -- i
> usage: route [-dnqtv] [-T tableid] command [[modifiers] args]
> commands: add, change, delete, exec, flush, get, monitor, show
> # route show -inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            27.9.20.1          UGS     2656 45894821     -     8 pppoe0
> BASE-ADDRESS.MCAST localhost          URS        0        0 32768     8 lo0
> 27.9.20.1          27.9.22.243        UH         1       48     -     8 pppoe0
> 27.9.22.243        27.9.22.243        UHl        0   112560     -     1 pppoe0
> loopback           localhost          UGRS       0        0 32768     8 lo0
> localhost          localhost          UHl        1      251 32768     1 lo0
> 192.168.1/24       192.168.1.1        UC         0  1302369     -     4 em1
> 192.168.1.1        1a:cc:00:12:b1:9d  UHLl       0    63715     -     1 em1
> 192.168.1.255      192.168.1.1        UHb        0   350100     -     1 em1
> 192.168.2/24       192.168.2.1        C          0        8     -     4 em2
> 192.168.2.1        1a:cc:00:12:b1:9e  UHLl       0     1951     -     1 em2
> 192.168.2.255      192.168.2.1        Hb         0        1     -     1 em2
> 192.168.3/24       192.168.3.1        UC         2       21     -     4 em3
> 192.168.3.1        1a:cc:00:12:b1:9f  UHLl       0    25515     -     1 em3
> 192.168.3.32       78:9f:70:79:b8:5a  UHLc       1  3399193     -     4 em3
> 192.168.3.33       f0:cb:a1:79:18:43  UHLc       0    67314     -     4 em3
> 192.168.3.255      192.168.3.1        UHb        0       75     -     1 em3
> 192.168.244/24     192.168.244.1      UC         0        0     -     4 em0
> 192.168.244.1      1a:cc:00:12:b1:9c  UHLl       0        0     -     1 em0
> 192.168.244.255    192.168.244.1      UHb        0        0     -     1 em0
>
>> On 10 Dec 2016, at 6:45 AM, Fred wrote:
>>
>> On 12/09/16 19:35, 雷致强 wrote:
>>> Sorry, I posted the wrong ifconfig configuration, this is the one on my Mac:
>>>
>>> $ ifconfig
>>> lo0: flags=8049 mtu 16384
>>>         options=1203
>>>         inet 127.0.0.1 netmask 0xff000000
>>>         inet6 ::1 prefixlen 128
>>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>>>         nd6 options=201
>>> gif0: flags=8010 mtu 1280
>>> stf0: flags=0<> mtu 1280
>>> en1: flags=8863 mtu 1500
>>>         ether 78:9f:70:79:b8:5a
>>>         inet6 fe80::1c73:268c:55f4:65ef%en1 prefixlen 64 secured scopeid 0x4
>>>         inet 192.168.3.32 netmask 0xffffff00 broadcast 192.168.3.255
>>>         nd6 options=201
>>>         media: autoselect
>>>         status: active
>>> en0: flags=8863 mtu 1500
>>>         options=10b
>>>         ether 38:c9:86:08:81:84
>>>         nd6 options=201
>>>         media: autoselect (none)
>>>         status: inactive
>>> en2: flags=963 mtu 1500
>>>         options=60
>>>         ether 2a:00:00:fa:2f:c0
>>>         media: autoselect
>>>         status: inactive
>>> en3: flags=963 mtu 1500
>>>         options=60
>>>         ether 2a:00:00:fa:2f:c1
>>>         media: autoselect
>>>         status: inactive
>>> p2p0: flags=8843 mtu 2304
>>>         ether 0a:9f:70:79:b8:5a
>>>         media: autoselect
>>>         status: inactive
>>> awdl0: flags=8943 mtu 1484
>>>         ether be:e7:72:f1:a8:96
>>>         inet6 fe80::bce7:72ff:fef1:a896%awdl0 prefixlen 64 scopeid 0x9
>>>         nd6 options=201
>>>         media: autoselect
>>>         status: active
>>> bridge0: flags=8863 mtu 1500
>>>         options=63
>>>         ether 2a:00:00:fa:2f:c0
>>>         Configuration:
>>>                 id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
>>>                 maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
>>>                 root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
>>>                 ipfilter disabled flags 0x2
>>>         member: en2 flags=3
>>>                 ifmaxaddr 0 port 6 priority 0 path c
Re: IP Forwarding is not working?
en0, en2 and en3 are on my Mac, which is ok; the IP it is assigned is 192.168.3.32 (en1). My problem is that I cannot ping 192.168.1.1 (em1) or 192.168.2.1 (em2), yet I can ping 192.168.3.1 (em3, the NIC my Mac is connecting to) and I can access the Internet. Moreover, none of the devices can access the devices on other LANs.

This is what I got on the router:

# route -inet
route: unknown option -- i
usage: route [-dnqtv] [-T tableid] command [[modifiers] args]
commands: add, change, delete, exec, flush, get, monitor, show
# route show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            27.9.20.1          UGS     2656 45894821     -     8 pppoe0
BASE-ADDRESS.MCAST localhost          URS        0        0 32768     8 lo0
27.9.20.1          27.9.22.243        UH         1       48     -     8 pppoe0
27.9.22.243        27.9.22.243        UHl        0   112560     -     1 pppoe0
loopback           localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl        1      251 32768     1 lo0
192.168.1/24       192.168.1.1        UC         0  1302369     -     4 em1
192.168.1.1        1a:cc:00:12:b1:9d  UHLl       0    63715     -     1 em1
192.168.1.255      192.168.1.1        UHb        0   350100     -     1 em1
192.168.2/24       192.168.2.1        C          0        8     -     4 em2
192.168.2.1        1a:cc:00:12:b1:9e  UHLl       0     1951     -     1 em2
192.168.2.255      192.168.2.1        Hb         0        1     -     1 em2
192.168.3/24       192.168.3.1        UC         2       21     -     4 em3
192.168.3.1        1a:cc:00:12:b1:9f  UHLl       0    25515     -     1 em3
192.168.3.32       78:9f:70:79:b8:5a  UHLc       1  3399193     -     4 em3
192.168.3.33       f0:cb:a1:79:18:43  UHLc       0    67314     -     4 em3
192.168.3.255      192.168.3.1        UHb        0       75     -     1 em3
192.168.244/24     192.168.244.1      UC         0        0     -     4 em0
192.168.244.1      1a:cc:00:12:b1:9c  UHLl       0        0     -     1 em0
192.168.244.255    192.168.244.1      UHb        0        0     -     1 em0

> On 10 Dec 2016, at 6:45 AM, Fred wrote:
>
> On 12/09/16 19:35, 雷致强 wrote:
>> Sorry, I posted the wrong ifconfig configuration, this is the one on my Mac:
>>
>> $ ifconfig
>> lo0: flags=8049 mtu 16384
>>         options=1203
>>         inet 127.0.0.1 netmask 0xff000000
>>         inet6 ::1 prefixlen 128
>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>>         nd6 options=201
>> gif0: flags=8010 mtu 1280
>> stf0: flags=0<> mtu 1280
>> en1: flags=8863 mtu 1500
>>         ether 78:9f:70:79:b8:5a
>>         inet6 fe80::1c73:268c:55f4:65ef%en1 prefixlen 64 secured scopeid 0x4
>>         inet 192.168.3.32 netmask 0xffffff00 broadcast 192.168.3.255
>>         nd6 options=201
>>         media: autoselect
>>         status: active
>> en0: flags=8863 mtu 1500
>>         options=10b
>>         ether 38:c9:86:08:81:84
>>         nd6 options=201
>>         media: autoselect (none)
>>         status: inactive
>> en2: flags=963 mtu 1500
>>         options=60
>>         ether 2a:00:00:fa:2f:c0
>>         media: autoselect
>>         status: inactive
>> en3: flags=963 mtu 1500
>>         options=60
>>         ether 2a:00:00:fa:2f:c1
>>         media: autoselect
>>         status: inactive
>> p2p0: flags=8843 mtu 2304
>>         ether 0a:9f:70:79:b8:5a
>>         media: autoselect
>>         status: inactive
>> awdl0: flags=8943 mtu 1484
>>         ether be:e7:72:f1:a8:96
>>         inet6 fe80::bce7:72ff:fef1:a896%awdl0 prefixlen 64 scopeid 0x9
>>         nd6 options=201
>>         media: autoselect
>>         status: active
>> bridge0: flags=8863 mtu 1500
>>         options=63
>>         ether 2a:00:00:fa:2f:c0
>>         Configuration:
>>                 id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
>>                 maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
>>                 root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
>>                 ipfilter disabled flags 0x2
>>         member: en2 flags=3
>>                 ifmaxaddr 0 port 6 priority 0 path cost 0
>>         member: en3 flags=3
>>                 ifmaxaddr 0 port 7 priority 0 path cost 0
>>         nd6 options=201
>>         media:
>>         status: inactive
>> utun0: flags=8051 mtu 2000
>>         inet6 fe80::98f7:b520:f58b:14dc%utun0 prefixlen 64 scopeid 0xb
>>         nd6 options=201
>> ppp0: flags=8051 mtu 1280
>>         inet 10.0.0.24 --> 10.0.0.1 netmask 0xff00
>>
>>> On 10 Dec 2016, at 3:16 AM, Mihai Popescu wrote:
>>>
>>> What is the ifconfig configuration of your PC?
>>> Do you run any pf configuration on your router?
>>>
>>> I really doubt ip forwarding is broken, even on a snapshot!
>>
> This is really confusing - en0 en2 and en3 are not active...
>
> but em1 and em2 are your issue?
>
> what does route show -inet say?
>
> hth
>
> Fred
>
> Thanks and best regards, Siegfried
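The `route show -inet` table in the message above is the kind of output worth reading mechanically when a forwarding problem is being triaged. The following Python script is an added example, not code from the thread or from OpenBSD: it parses the eight-column layout of the table (the poster's values, re-spaced into a constant so the script runs offline), answers "which entry would the router use for this destination?" with a longest-prefix match, and reports entries whose flags lack `U`. On the sample that last check surfaces the two em2 entries (`192.168.2/24` with flags `C`, `192.168.2.255` with `Hb`) that differ from their em1 and em3 counterparts; the thread does not say why, so the script only reports them. Function and type names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the `route show -inet` table from the message above,
# re-spaced into columns (the values are the poster's).
SAMPLE_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            27.9.20.1          UGS     2656 45894821     -     8 pppoe0
BASE-ADDRESS.MCAST localhost          URS        0        0 32768     8 lo0
27.9.20.1          27.9.22.243        UH         1       48     -     8 pppoe0
27.9.22.243        27.9.22.243        UHl        0   112560     -     1 pppoe0
loopback           localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl        1      251 32768     1 lo0
192.168.1/24       192.168.1.1        UC         0  1302369     -     4 em1
192.168.1.1        1a:cc:00:12:b1:9d  UHLl       0    63715     -     1 em1
192.168.1.255      192.168.1.1        UHb        0   350100     -     1 em1
192.168.2/24       192.168.2.1        C          0        8     -     4 em2
192.168.2.1        1a:cc:00:12:b1:9e  UHLl       0     1951     -     1 em2
192.168.2.255      192.168.2.1        Hb         0        1     -     1 em2
192.168.3/24       192.168.3.1        UC         2       21     -     4 em3
192.168.3.1        1a:cc:00:12:b1:9f  UHLl       0    25515     -     1 em3
192.168.3.32       78:9f:70:79:b8:5a  UHLc       1  3399193     -     4 em3
192.168.3.33       f0:cb:a1:79:18:43  UHLc       0    67314     -     4 em3
192.168.3.255      192.168.3.1        UHb        0       75     -     1 em3
192.168.244/24     192.168.244.1      UC         0        0     -     4 em0
192.168.244.1      1a:cc:00:12:b1:9c  UHLl       0        0     -     1 em0
192.168.244.255    192.168.244.1      UHb        0        0     -     1 em0
"""


@dataclass
class Route:
    dest: str
    gateway: str
    flags: str
    iface: str
    network: Optional[ipaddress.IPv4Network]  # None for symbolic entries (localhost, loopback, ...)


def to_network(dest: str) -> Optional[ipaddress.IPv4Network]:
    """Turn a route(8) destination into a network: 'default' is 0/0, '192.168.1/24'
    is the BSD short form of 192.168.1.0/24, and a bare address is a /32 host route."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not all(o.isdigit() for o in octets):
        return None
    octets += ["0"] * (4 - len(octets))          # pad the abbreviated form
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_route_table(text: str) -> List[Route]:
    """Parse the eight-column `route show -inet` layout; skip headers and blank lines."""
    routes: List[Route] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "Destination":
            continue
        dest, gateway, flags, _refs, _use, _mtu, _prio, iface = cols
        routes.append(Route(dest, gateway, flags, iface, to_network(dest)))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies when forwarding."""
    target = ipaddress.ip_address(address)
    candidates = [r for r in routes if r.network is not None and target in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def routes_without_up(routes: List[Route]) -> List[Route]:
    """Entries whose flags lack U; in the sample these are the two em2 entries."""
    return [r for r in routes if "U" not in r.flags]


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTES)
    for target in ("192.168.1.1", "192.168.2.1", "192.168.3.32", "8.8.8.8"):
        r = lookup(table, target)
        print(f"{target:>14} -> {r.dest:<16} {r.flags:<5} via {r.gateway} on {r.iface}")
    for r in routes_without_up(table):
        print(f"no U flag: {r.dest} ({r.flags}) on {r.iface}")
```

To use it on a live box, pipe the real table in (`route -n show -inet | python3 script.py` with `SAMPLE_ROUTES` replaced by `sys.stdin.read()`); the lookup tells you which entry, and hence which interface, a given ping target resolves to on the router, which is the first thing to settle before looking at pf or at the client's own routing.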
Re: IP Forwarding is not working?
Sorry, I posted the wrong ifconfig configuration, this is the one on my Mac:

$ ifconfig
lo0: flags=8049 mtu 16384
        options=1203
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        nd6 options=201
gif0: flags=8010 mtu 1280
stf0: flags=0<> mtu 1280
en1: flags=8863 mtu 1500
        ether 78:9f:70:79:b8:5a
        inet6 fe80::1c73:268c:55f4:65ef%en1 prefixlen 64 secured scopeid 0x4
        inet 192.168.3.32 netmask 0xffffff00 broadcast 192.168.3.255
        nd6 options=201
        media: autoselect
        status: active
en0: flags=8863 mtu 1500
        options=10b
        ether 38:c9:86:08:81:84
        nd6 options=201
        media: autoselect (none)
        status: inactive
en2: flags=963 mtu 1500
        options=60
        ether 2a:00:00:fa:2f:c0
        media: autoselect
        status: inactive
en3: flags=963 mtu 1500
        options=60
        ether 2a:00:00:fa:2f:c1
        media: autoselect
        status: inactive
p2p0: flags=8843 mtu 2304
        ether 0a:9f:70:79:b8:5a
        media: autoselect
        status: inactive
awdl0: flags=8943 mtu 1484
        ether be:e7:72:f1:a8:96
        inet6 fe80::bce7:72ff:fef1:a896%awdl0 prefixlen 64 scopeid 0x9
        nd6 options=201
        media: autoselect
        status: active
bridge0: flags=8863 mtu 1500
        options=63
        ether 2a:00:00:fa:2f:c0
        Configuration:
                id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
                maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
                root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
                ipfilter disabled flags 0x2
        member: en2 flags=3
                ifmaxaddr 0 port 6 priority 0 path cost 0
        member: en3 flags=3
                ifmaxaddr 0 port 7 priority 0 path cost 0
        nd6 options=201
        media:
        status: inactive
utun0: flags=8051 mtu 2000
        inet6 fe80::98f7:b520:f58b:14dc%utun0 prefixlen 64 scopeid 0xb
        nd6 options=201
ppp0: flags=8051 mtu 1280
        inet 10.0.0.24 --> 10.0.0.1 netmask 0xff00

> On 10 Dec 2016, at 3:16 AM, Mihai Popescu wrote:
>
> What is the ifconfig configuration of your PC?
> Do you run any pf configuration on your router?
>
> I really doubt ip forwarding is broken, even on a snapshot!
Re: IP Forwarding is not working?
Hi,

I don’t really think ip forwarding is broken either, as I can still access the Internet.

# ifconfig
lo0: flags=8049 mtu 32768
        index 6 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843 mtu 1500
        lladdr 1a:cc:00:12:b1:9c
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.244.1 netmask 0xffffff00 broadcast 192.168.244.255
em1: flags=8843 mtu 1500
        lladdr 1a:cc:00:12:b1:9d
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em2: flags=8843 mtu 1500
        lladdr 1a:cc:00:12:b1:9e
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
em3: flags=8843 mtu 1500
        lladdr 1a:cc:00:12:b1:9f
        index 4 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
enc0: flags=0<>
        index 5 priority 0 llprio 3
        groups: enc
        status: active
pppoe0: flags=8851 mtu 1492
        index 7 priority 0 llprio 3
        dev: em0 state: session sid: 0x69cc PADI retries: 15 PADR retries: 0 time: 4d 13:55:21
        sppp: phase network authproto pap authname "lan1201210025"
        groups: pppoe egress
        status: active
        inet 27.9.22.243 --> 27.9.20.1 netmask 0xffffffff
pflog0: flags=141 mtu 33144
        index 8 priority 0 llprio 3
        groups: pflog

# cat /etc/pf.conf
#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

pass out on egress from !(egress:network) to any nat-to (egress)

> On 10 Dec 2016, at 3:16 AM, Mihai Popescu wrote:
>
> What is the ifconfig configuration of your PC?
> Do you run any pf configuration on your router?
>
> I really doubt ip forwarding is broken, even on a snapshot!
Re: IP Forwarding is not working?
Sorry, I forgot to post this:

OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4182605824 (3988MB)
avail mem = 4051369984 (3863MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebea0 (51 entries)
bios0: vendor American Megatrends Inc. version "5.6.5" date 08/15/2016
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT SSDT SSDT UEFI
acpi0: wakeup devices XHC1(S4) EHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.47 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.01 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.01 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.01 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 87 pins
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PLPE
acpipwrres1 at acpi0: PLPE
acpipwrres2 at acpi0: USBC, resource for EHC1, OTG1
"DMA0F28" at acpi0 not configured
acpibtn0 at acpi0: SLPB
"INT33BD" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 2000 MHz: speeds: 1993, 1992, 1909, 1826, 1743, 1660, 1577, 1494, 1411, 1328 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Bay Trail Host" rev 0x0e
inteldrm0 at pci0 dev 2 function 0 "Intel Bay Trail Video" rev 0x0e
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1024x768
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
ahci0 at pci0 dev 19 function 0 "Intel Bay Trail AHCI" rev 0x0e: msi, AHCI 1.3
ahci0: port 0: 3.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed t10.ATA_JWX_16GB_MSATA_AA0003083363
sd0: 15104MB, 512 bytes/sector, 30932992 sectors, thin
"Intel Bay Trail TXE" rev 0x0e at pci0 dev 26 function 0 not configured
azalia0 at pci0 dev 27 function 0 "Intel Bay Trail HD Audio" rev 0x0e: msi
azalia0: no supported codecs
ppb0 at pci0 dev 28 function 0 "Intel Bay Trail I2C" rev 0x0e: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel 82583V" rev 0x00: msi, address 1a:cc:00:12:b1:9c
ppb1 at pci0 dev 28 function 1 "Intel Bay Trail PCIE" rev 0x0e: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel 82583V" rev 0x00: msi, address 1a:cc:00:12:b1:9d
ppb2 at pci0 dev 28 function 2 "Intel Bay Trail PCIE" rev 0x0e: msi
pci3 at ppb2 bus 3
e
IP Forwarding is not working?
Hi,

Thanks for making OpenBSD so great. It has been my first and only choice for routers. Recently I’ve just got a fanless PC with 4 NICs and have OpenBSD 6.0 installed on it as a router. Everything is working great except that the LANs are blind to each other.

em0: flags=8843 mtu 1500
        lladdr 1a:cc:00:12:b1:9c
        index 1 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.244.1 netmask 0xffffff00 broadcast 192.168.244.255
em1: flags=8843 mtu 1500
        lladdr 1a:cc:00:12:b1:9d
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em2: flags=8843 mtu 1500
        lladdr 1a:cc:00:12:b1:9e
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
em3: flags=8843 mtu 1500
        lladdr 1a:cc:00:12:b1:9f
        index 4 priority 0 llprio 3
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255

em0 has a pppoe, which is the NIC for WAN. My PC is connecting to the router via em3. The weird thing is my PC can access the Internet, yet it times out pinging devices on em1 and em2.

$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=255 time=2.114 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=255 time=2.045 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=255 time=2.419 ms
^C
--- 192.168.3.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
$ ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 192.168.2.1 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

IP forwarding has been enabled:

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

The NICs are 4 Intel 82583V. What goes wrong?

Thanks and best regards,
Siegfried