Re: Communication between hosts on different network interfaces

2024-01-30 Thread olp_76
 
Indeed, that is why I always added
0.0.0.0/0
Sorry for not mentioning it.

On Tuesday, January 30, 2024 at 08:56:19 p.m. GMT+9, Stuart Henderson wrote:

> On 2024-01-07, All wrote:
>> This is very much doable with a DHCP one-liner:
>> add the following to your dhcpd.conf ((!) inside the block of your
>> 192.168.2.0/24 network)
>> option classless-static-routes 192.168.3.0/24 192.168.2.1;
>>
>> This will install a static route on all machines in the 192.168.2.0/24 network.
>
> On clients that follow the spec properly, that will *override* the
> default routes so they will have a route to 192.168.3.0/24 but no
> default route.
>
> You need to include the default route too, for example (assuming that should go
> via 192.168.2.254),
>
> option classless-static-routes 192.168.3.0/24 192.168.2.1, 0.0.0.0/0 192.168.2.254;


  


Re: Communication between hosts on different network interfaces

2024-01-30 Thread Stuart Henderson
On 2024-01-07, All  wrote:
> This is very much doable with a DHCP one-liner:
> add the following to your dhcpd.conf ((!) inside the block of your
> 192.168.2.0/24 network)
> option classless-static-routes 192.168.3.0/24 192.168.2.1;
>
> This will install a static route on all machines in the 192.168.2.0/24 network.

On clients that follow the spec properly, that will *override* the
default routes so they will have a route to 192.168.3.0/24 but no
default route.

You need to include the default route too, for example (assuming that should go 
via 192.168.2.254),

option classless-static-routes 192.168.3.0/24 192.168.2.1, 0.0.0.0/0 192.168.2.254;

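The precedence rule Stuart describes comes from RFC 3442: a client that implements the Classless Static Route option (DHCP option 121) installs exactly the routes carried in that option and ignores the Router option (option 3) entirely, so a default route survives only if option 121 itself carries 0.0.0.0/0. The Python below is an added example for this thread, not code from the thread or from OpenBSD's dhcpd. It encodes and decodes the option 121 wire format and then does the longest-prefix lookup a client would do, using the thread's addresses (192.168.3.0/24 via 192.168.2.1, default via 192.168.2.254); the printer and Internet addresses looked up at the end are constructed. The lookup also illustrates Nick's point further down the thread: without an explicit route, traffic for 192.168.3.0/24 follows whatever default route the client has.

```python
"""Model of a DHCP client applying RFC 3442 classless static routes (option 121).
Added example for this thread, not code from the thread or from OpenBSD dhcpd.
Networks and routers are the thread's; the hosts looked up in demo() are constructed."""
from ipaddress import IPv4Address, IPv4Network

ROUTER_OPTION = 3      # DHCP "Router" option (the classic default gateway)
CSR_OPTION = 121       # RFC 3442 "Classless Static Route" option


def encode_classless_routes(routes):
    """Encode [(network, router), ...] as option 121 data.

    Each route is: 1 byte prefix length, ceil(len/8) significant bytes of the
    destination, 4 bytes of router.  0.0.0.0/0 therefore costs 5 bytes."""
    out = bytearray()
    for net, router in routes:
        n = IPv4Network(net)
        width = (n.prefixlen + 7) // 8
        out.append(n.prefixlen)
        out += n.network_address.packed[:width]
        out += IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; rejects malformed data rather than
    guessing, since whatever is decoded here ends up in the routing table."""
    routes, i = [], 0
    while i < len(data):
        prefixlen = data[i]
        i += 1
        if prefixlen > 32:
            raise ValueError("prefix length %d out of range" % prefixlen)
        width = (prefixlen + 7) // 8
        if i + width + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = data[i:i + width] + b"\x00" * (4 - width)
        router = data[i + width:i + width + 4]
        i += width + 4
        # strict=True (the default) refuses host bits set beyond the prefix
        net = IPv4Network((IPv4Address(dest), prefixlen))
        routes.append((str(net), str(IPv4Address(router))))
    return routes


def client_routes(options):
    """Routing table a spec-following client installs from its DHCP options.

    RFC 3442: if option 121 is present the client MUST ignore option 3, so a
    default route exists only if option 121 itself carries 0.0.0.0/0."""
    if CSR_OPTION in options:
        return decode_classless_routes(options[CSR_OPTION])
    if ROUTER_OPTION in options:
        return [("0.0.0.0/0", str(IPv4Address(options[ROUTER_OPTION][:4])))]
    return []


def next_hop(routes, dst):
    """Longest-prefix match over (network, router) pairs; None = unreachable."""
    best = None
    for net, router in routes:
        n = IPv4Network(net)
        if IPv4Address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, router)
    return best[1] if best else None


def demo():
    """Compare the one-route option from the thread with the corrected one."""
    router_opt = IPv4Address("192.168.2.254").packed
    only_static = {ROUTER_OPTION: router_opt,
                   CSR_OPTION: encode_classless_routes([("192.168.3.0/24", "192.168.2.1")])}
    with_default = {ROUTER_OPTION: router_opt,
                    CSR_OPTION: encode_classless_routes([("192.168.3.0/24", "192.168.2.1"),
                                                         ("0.0.0.0/0", "192.168.2.254")])}
    targets = ("192.168.3.20", "203.0.113.7")   # constructed: a printer, an Internet host
    return {name: {dst: next_hop(client_routes(opts), dst) for dst in targets}
            for name, opts in (("only_static", only_static), ("with_default", with_default))}


if __name__ == "__main__":
    for name, hops in demo().items():
        print(name, hops)
```

With only the 192.168.3.0/24 route in option 121 the client ends up with no default route at all, which is the symptom Stuart warns about; the Router option it also received is discarded by the spec. The decoder refuses over-long prefixes, truncated entries and host bits set beyond the prefix because the same option, offered by any DHCP server on the segment, rewrites a client's routing table as readily as the legitimate one does.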



Re: Communication between hosts on different network interfaces

2024-01-30 Thread Ibsen S Ripsbusker
Dear colleagues,

A printer doesn't need internet access, and that is why I can block
the internet access. The printer on the white network is a label printer
that just works. The other printer is a laser printer connected by USB
to an Ubuntu computer on the white network, because that was easier than
getting it working on OpenBSD; the same goes for the scanner. If only
I had the right plug for my matrix printer, then maybe I would not need
such complexity. Alas, they don't make matrix printers and parallel
ports like they used to.

Anyway, I return to my original inquiry.

My barrier machine is indeed my primary gateway/firewall.

I have configured it in the way Brian and Nick recommended, except
I added magic routes proposed by All, and it works as I want.

I remain curious as to why it was necessary. Could someone explain
my flaw in reasoning? Aside from setting those routes by DHCP, I am
using vanilla routes. In particular, the default route on the other
computers is the barrier machine.

With great humility,
Ibsen



Re: Communication between hosts on different network interfaces

2024-01-07 Thread All
This is very much doable with a DHCP one-liner:
add the following to your dhcpd.conf ((!) inside the block of your
192.168.2.0/24 network)
option classless-static-routes 192.168.3.0/24 192.168.2.1;

This will install a static route on all machines in the 192.168.2.0/24 network.
When they try to reach 192.168.3.0/24 machines they will send packets to
192.168.2.1.


On Sunday, January 7, 2024 at 02:03:10 p.m. GMT+9, Nick Holland wrote:

On 1/6/24 15:09, Ibsen S Ripsbusker wrote:
> Dear colleagues,
> 
> 
> 
> I have various network appliances that I don't really trust, like
> a printer. I have these plugged into an unmanaged switch and
> connected to network interface igc2.
> 
> I want to allow the igc1 network to make web requests to the igc2
> network, and I want the igc2 network to have very restricted access
> outside of igc2.

what does a printer need internet access for?
nevermind.  Don't answer that.  It's the 21st century.  Many people
think their bloomin' thermostats should have Internet access...(I'm
really close to replacing my non-internet connected digital
programmable thermostat with a 100% mechanical.  Because...they
don't suck)
  
> (My main computer is connected to network interface igc1.
> And the egress interface is igc0.)
> 
> MY QUESTION: What would be a normal way of achieving this?

let's abstract this a bit...
(in large part because a sequence of letters and numbers confuses
me quickly.)

So you have a trusted network, an untrusted network, and of course,
the Internet, which we will just call "The Evil".

While you can do it with a bridge, I don't want to think that
hard.  And it would be a lot of work.

[snip bridge stuff]

> I also tried setting different subnets.

yeah. that's the way I'd go.

trusted:
>    /etc/hostname.igc1:
>    inet 192.168.2.1/24

untrusted:

>    /etc/hostname.igc2:
>    inet 192.168.3.1/24
> 
> With this everything works as I want except that
> the only way I figured out to allow hosts on 192.168.2.1/24
> to access 192.168.3.1/24 was with NAT, and that can't be right.


yeah, the problem is, it sounds like your barrier machine is not
your primary gateway/firewall.  So when your trusted machine in
192.168.2/24 talks to an address in 192.168.3/24, it talks to your
primary gateway, and your gateway says, "whoa, dude.  wazzat?"

I'd fix this by making your main firewall the barrier machine.
This would require a three or more port firewall.

Pass in from trusted to anywhere.
block in quick on untrusted to trusted
Pass from untrusted to anywhere (but trusted is already blocked)


Failing that, with a separate barrier machine, you will need to
add a static route for the 192.168.3/24 subnet to point to the
"trusted" address of your barrier machine. That way, when your
trusted network machines try to access the untrusted network, they
know to route through your barrier machine.  Every single trusted
machine that wants to access something in that subnet will need
that extra route added.  Clumsy at best (probably doable with the
DHCP server.  I just glanced, looks kinda ugly).


I guess if there is only one untrusted device, you could just use
an inbound NAT tunnel for whatever ports need to access that
device, then just use the barrier's IP address to access the
device.  But I don't normally think in quantities of one, and
this doesn't scale well.  But if there's only one device, or several
devices, but they can all be hit on different ports, that's an
option.


Another way to do it is with two NATting firewalls:

Evil <--[NAT-FW] <- untrusted network [NAT-FW] <- trusted network.
(internet)        (192.168.3/24)                (192.168.2/24)

traffic flows unimpeded in the direction of the arrows, and is
blocked going backwards.  Your trusted machines can hit untrusted
machines or the internet, untrusted machines can hit the Internet,
but they can't dig through to your trusted network.  Yeah, the down
side is that the trusted network has to jump through two routers,
so the untrusted network potentially has better access than the
trusted network, and that's just not fair.  But ... it's easy.


I've done the opposite, what I call "portable DMZ"s, where untrusted
machines need access to the Internet but shouldn't be allowed to
touch the trusted machines, but unlike your situation, the untrusted
machines don't need to be accessed by the trusted.  Small machine,
two NICs.  One NIC is DHCP to the trusted network, NAT and DHCP server
on the untrusted side, maybe a logging DNS server.  Block all from
the untrusted to the trusted subnet, pass everything else (internet).
These don't need those inbound static routes.

Nick.




Re: Communication between hosts on different network interfaces

2024-01-06 Thread Nick Holland

On 1/6/24 15:09, Ibsen S Ripsbusker wrote:
> Dear colleagues,
>
> I have various network appliances that I don't really trust, like
> a printer. I have these plugged into an unmanaged switch and
> connected to network interface igc2.
>
> I want to allow the igc1 network to make web requests to the igc2
> network, and I want the igc2 network to have very restricted access
> outside of igc2.

what does a printer need internet access for?
nevermind.  Don't answer that.  It's the 21st century.  Many people
think their bloomin' thermostats should have Internet access...(I'm
really close to replacing my non-internet connected digital
programmable thermostat with a 100% mechanical.  Because...they
don't suck)

> (My main computer is connected to network interface igc1.
> And the egress interface is igc0.)
>
> MY QUESTION: What would be a normal way of achieving this?

let's abstract this a bit...
(in large part because a sequence of letters and numbers confuses
me quickly.)

So you have a trusted network, an untrusted network, and of course,
the Internet, which we will just call "The Evil".

While you can do it with a bridge, I don't want to think that
hard.  And it would be a lot of work.

[snip bridge stuff]

> I also tried setting different subnets.

yeah. that's the way I'd go.

trusted:
>    /etc/hostname.igc1:
>    inet 192.168.2.1/24

untrusted:
>    /etc/hostname.igc2:
>    inet 192.168.3.1/24
>
> With this everything works as I want except that
> the only way I figured out to allow hosts on 192.168.2.1/24
> to access 192.168.3.1/24 was with NAT, and that can't be right.


yeah, the problem is, it sounds like your barrier machine is not
your primary gateway/firewall.  So when your trusted machine in
192.168.2/24 talks to an address in 192.168.3/24, it talks to your
primary gateway, and your gateway says, "whoa, dude.  wazzat?"

I'd fix this by making your main firewall the barrier machine.
This would require a three or more port firewall.

Pass in from trusted to anywhere.
block in quick on untrusted to trusted
Pass from untrusted to anywhere (but trusted is already blocked)


Failing that, with a separate barrier machine, you will need to
add a static route for the 192.168.3/24 subnet to point to the
"trusted" address of your barrier machine. That way, when your
trusted network machines try to access the untrusted network, they
know to route through your barrier machine.  Every single trusted
machine that wants to access something in that subnet will need
that extra route added.  Clumsy at best (probably doable with the
DHCP server.  I just glanced, looks kinda ugly).


I guess if there is only one untrusted device, you could just use
an inbound NAT tunnel for whatever ports need to access that
device, then just use the barrier's IP address to access the
device.  But I don't normally think in quantities of one, and
this doesn't scale well.  But if there's only one device, or several
devices, but they can all be hit on different ports, that's an
option.


Another way to do it is with two NATting firewalls:

Evil <--[NAT-FW] <- untrusted network [NAT-FW] <- trusted network.
(internet)        (192.168.3/24)                (192.168.2/24)

traffic flows unimpeded in the direction of the arrows, and is
blocked going backwards.  Your trusted machines can hit untrusted
machines or the internet, untrusted machines can hit the Internet,
but they can't dig through to your trusted network.  Yeah, the down
side is that the trusted network has to jump through two routers,
so the untrusted network potentially has better access than the
trusted network, and that's just not fair.  But ... it's easy.


I've done the opposite, what I call "portable DMZ"s, where untrusted
machines need access to the Internet but shouldn't be allowed to
touch the trusted machines, but unlike your situation, the untrusted
machines don't need to be accessed by the trusted.  Small machine,
two NICs.  One NIC is DHCP to the trusted network, NAT and DHCP server
on the untrusted side, maybe a logging DNS server.  Block all from
the untrusted to the trusted subnet, pass everything else (internet).
These don't need those inbound static routes.

Nick.



Re: Communication between hosts on different network interfaces

2024-01-06 Thread Brian Conway
On Sat, Jan 6, 2024, at 2:09 PM, Ibsen S Ripsbusker wrote:
> I also tried setting different subnets.
>
>   /etc/hostname.igc1:
>   inet 192.168.2.1/24
>
>   /etc/hostname.igc2:
>   inet 192.168.3.1/24

This is what I have done, with a pf rule to block connections originating from 
my less-trusted network to my more-trusted network. With the IP forwarding 
sysctl set, no routing magic or NAT is required. It works well for both IPv4 
and IPv6.

Brian
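Nick's three-rule sketch above and Brian's single block rule both depend on two properties of pf once the router forwards (on OpenBSD, sysctl net.inet.ip.forwarding=1): the last matching rule wins unless a matching rule is marked `quick`, and a `pass` rule creates state, so replies to connections opened from the trusted side are admitted without any rule for them. The Python below is an added example for this thread, not pf's code and not a ruleset from the thread; the interfaces and networks are the thread's (igc1 = 192.168.2.0/24 trusted, igc2 = 192.168.3.0/24 untrusted), the host addresses and ports are constructed, and the pf.conf rendering of Nick's rules in the comment is an assumed form. It runs the same four flows through the ruleset with and without `quick` on the block rule.

```python
"""Model of how pf evaluates a ruleset: rules are walked top to bottom, the
last matching rule decides unless a matching rule says 'quick', and a 'pass'
rule creates state that admits the reply direction.  Added example for this
thread, not pf's code; interfaces and networks are the thread's, host
addresses and ports are constructed.  The state key is a simplification of
pf's real per-protocol state entries."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TRUSTED = "192.168.2.0/24"     # igc1
UNTRUSTED = "192.168.3.0/24"   # igc2


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrives on ("in on <iface>")
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    iface: str                  # "in on <iface>"
    src: Optional[str] = None   # "from <net>", None = any
    dst: Optional[str] = None   # "to <net>", None = any
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (pkt.iface == self.iface
                and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst)))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()   # flows admitted by a pass rule, keyed by 4-tuple

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reply in self.state:
            return "pass"            # state lookup happens before the ruleset
        verdict = "pass"             # pf's default when nothing matches
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                if rule.quick:
                    break            # quick: this rule is final
        if verdict == "pass":
            self.state.add(key)
        return verdict


# Nick's sketch in pf.conf terms (assumed rendering, not quoted from the thread):
#   pass in on igc1
#   block in quick on igc2 from 192.168.3.0/24 to 192.168.2.0/24
#   pass in on igc2
WITH_QUICK = [
    Rule("pass", "igc1"),
    Rule("block", "igc2", src=UNTRUSTED, dst=TRUSTED, quick=True),
    Rule("pass", "igc2"),
]
# Same ruleset with 'quick' forgotten: the final "pass in on igc2" is now the
# last match for printer-to-trusted traffic and silently overrides the block.
WITHOUT_QUICK = [r if not r.quick else Rule(r.action, r.iface, r.src, r.dst, False)
                 for r in WITH_QUICK]


def run(rules) -> dict:
    """Push four constructed flows through a fresh firewall, in this order."""
    fw = Firewall(rules)
    flows = [
        ("trusted_to_printer",  Packet("igc1", "192.168.2.10", 40000, "192.168.3.20", 80)),
        ("printer_reply",       Packet("igc2", "192.168.3.20", 80, "192.168.2.10", 40000)),
        ("printer_to_trusted",  Packet("igc2", "192.168.3.20", 50000, "192.168.2.10", 22)),
        ("printer_to_internet", Packet("igc2", "192.168.3.20", 50001, "203.0.113.7", 443)),
    ]
    return {name: fw.filter(pkt) for name, pkt in flows}


if __name__ == "__main__":
    print("with quick:   ", run(WITH_QUICK))
    print("without quick:", run(WITHOUT_QUICK))
```

The printer's reply to the web request passes in both variants because the trusted host's outbound packet created state; a new connection from the printer to a trusted host is blocked only when the block rule carries `quick`, since otherwise the later `pass in on igc2` is the last match and wins. Ordering the block rule after the pass rule, or using `block ... quick`, are the two ways to get the intended result in real pf.conf; the model checks neither direction "out" nor address family, which a real ruleset for both IPv4 and IPv6, as Brian describes, would need.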



Communication between hosts on different network interfaces

2024-01-06 Thread Ibsen S Ripsbusker
Dear colleagues,



I have various network appliances that I don't really trust, like
a printer. I have these plugged into an unmanaged switch and
connected to network interface igc2.

I want to allow the igc1 network to make web requests to the igc2
network, and I want the igc2 network to have very restricted access
outside of igc2.

(My main computer is connected to network interface igc1.
And the egress interface is igc0.)

MY QUESTION: What would be a normal way of achieving this?



For further clarification, I provide what I have tried so far that
did not turn out as I wanted.

I tried with bridging igc1 and igc2 and setting tags
in hostname.igc{1,2}. I configured the bridge as specified
in the FAQ except I also added lines like this
in /etc/hostname.bridge0.

  rule pass in on igc1 tag white
  rule pass in on igc2 tag yellow

(The tag names are the colors of the ethernet cables.)

The bridge worked exactly like I expected except that it seemed
tags weren't applied, based on what I saw in pfctl and tcpdump.
Since the tags weren't applied, I couldn't restrict
the communication as I wanted.

I also tried setting different subnets.

  /etc/hostname.igc1:
  inet 192.168.2.1/24

  /etc/hostname.igc2:
  inet 192.168.3.1/24

With this everything works as I want except that
the only way I figured out to allow hosts on 192.168.2.1/24
to access 192.168.3.1/24 was with NAT, and that can't be right.



With appreciation,
Ibsen