Re: Openbsd pf firewall ipv6 routing

2021-07-30 Thread Daniel Melameth
On Thu, Jul 29, 2021 at 10:10 PM Irshad  wrote:
> I have the following setup at home. I am sharing internet
> with a neighbour; our ISP provides IPv6
> with a 2001:16a2:cdd2:xx00::/56 prefix delegation. Until now I was only using
> IPv4 NAT with the following setup:
>
> ISP-Router -- OPENBSD/PF -- VLAN10—openWRT—Macbook
> |
> VLAN20__openWRT  some Devices
> |
> |
> Neighbour Access Point
>
> Recently I tried to enable IPv6 in OpenBSD.
> I can ping6 google.com from the OpenBSD firewall itself,
> but I cannot route IPv6 traffic from LAN-side devices.
> I can get IPv6 addresses assigned to my LAN devices.
>
> PS: the ISP provides only dynamic IPs, not static.
>
> /etc/hostname.iwn0
> inet6 autoconf -soii -temporary
> inet 192.168.100.177 255.255.255.0
>
> ifconfig iwn0
> inet 192.168.100.177 netmask 0xff00 broadcast 192.168.100.255
> inet6 2001:16a2:cdd2:xx00:xxx:faff:fe92:c7c6 prefixlen 64 autoconf pltime 
> 86081 vltime 86081
>
> This is connecting to the ISP router with an IPv4 LAN-side IP
>
> and NAT with the pf firewall.
>
> vlan10
> /etc/hostname.vlan10
> 192.168.10.1/24 192.168.10.255 parent em0 vnetid 10
> inet6 autoconf
>
> ifconfig vlan10
> inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
> inet6 fe80::5e26:aff:fe0e:d6ea%vlan10 prefixlen 64 scopeid 0x8
>
> IP forwarding for IPv6:
> sysctl net.inet6.ip6.forwarding=1
>
>  rad.conf(5)
> interface vlan10 {
> prefix 2001:16a2:cdd2:xx01::/64
> }
>
> OpenBSD netstat -nr
> Destination   Gateway         Flags   Refs    Use   Mtu  Prio Iface
> default       fe80::1%iwn0    UGS        0     90     -    12 iwn0
>
> macOS netstat -nr
> Internet6:
> Destination                               Gateway                         Flags  Netif Expire
> default                                   fe80::5e26:aff:fe0e:d6ea%en0    UGcg   en0
> 2001:16a2:cdd2:9500::/64                  link#4                          UC     en0
> 2001:16a2:cdd2:xx00:1c07:xxc4:1577:55e1   8:6d:41:de:6d:4a                UHL    lo0

You might want to consider using dhcpcd, in ports, to help you with
the PD and doling out /64s to your networks.
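An added example (not from the thread, dhcpcd or rad) of the check that tying rad to a dhcpcd-obtained delegation is meant to make unnecessary: does the /64 that rad.conf advertises on a LAN interface actually sit inside the prefix the ISP delegated, and is forwarding on? The delegated and advertised prefixes below are constructed documentation addresses, not the poster's; the rad.conf "prefix" keyword and the net.inet6.ip6.forwarding sysctl are the ones from Irshad's mail.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every prefix rad advertises
# lies inside the delegated prefix (the PD a dhcpcd client would obtain) and
# that IPv6 forwarding is enabled. Addresses used here are constructed.

# Expand an IPv6 address or prefix (without the /len) into 32 hex digits,
# so prefixes can be compared as plain strings.
ipv6_expand() {
    printf '%s\n' "$1" | awk -F: '{
        groups = 0
        for (i = 1; i <= NF; i++) if ($i != "") groups++
        out = ""; filled = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") {
                # "::" appears as one or more empty fields; pad with zero
                # groups exactly once
                if (!filled) { for (k = groups; k < 8; k++) out = out "0000"; filled = 1 }
            } else {
                h = tolower($i)
                while (length(h) < 4) h = "0" h
                out = out h
            }
        }
        print out
    }'
}

# prefix_contains delegated/len candidate/len: succeed when the candidate
# prefix is inside the delegated one. Prefix lengths are compared in whole
# nibbles, which is exact for the usual /48, /56 and /64 cases.
prefix_contains() {
    d_len=${1#*/}; c_len=${2#*/}
    [ "$c_len" -ge "$d_len" ] || return 1
    d_hex=$(ipv6_expand "${1%/*}")
    c_hex=$(ipv6_expand "${2%/*}")
    nibbles=$((d_len / 4))
    [ "$(printf '%s' "$d_hex" | cut -c1-"$nibbles")" = \
      "$(printf '%s' "$c_hex" | cut -c1-"$nibbles")" ]
}

# Pull every "prefix X" line out of rad.conf text read on stdin.
rad_prefixes() {
    awk '$1 == "prefix" { print $2 }'
}

# The sysctl from the original mail; true when forwarding is enabled.
ipv6_forwarding_on() {
    [ "$(sysctl -n net.inet6.ip6.forwarding 2>/dev/null)" = "1" ]
}

# check_site delegated/len [advertised/len ...]: report each advertised
# prefix that falls outside the delegation (the ISP will not route return
# traffic for such a prefix, so LAN hosts get an address that cannot be
# reached from outside).
check_site() {
    delegated=$1; shift
    ipv6_forwarding_on || echo "PROBLEM: net.inet6.ip6.forwarding is not 1"
    for adv in "$@"; do
        if prefix_contains "$delegated" "$adv"; then
            echo "ok: $adv is inside $delegated"
        else
            echo "PROBLEM: $adv is not inside $delegated"
        fi
    done
}

# Usage on the router (delegated prefix as handed out by the ISP):
#   sh radcheck.sh check 2001:db8:abcd::/56 $(rad_prefixes < /etc/rad.conf)
case "${1:-}" in
    check) shift; check_site "$@" ;;
esac
```

Feeding rad_prefixes with /etc/rad.conf and the delegation dhcpcd reports gives one line per advertised prefix; anything flagged PROBLEM explains LAN hosts that get addresses but cannot reach the outside.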



Re: WireGuard host crashes roughly every week

2021-07-30 Thread Todd C . Miller
On Thu, 29 Jul 2021 20:09:12 -0500, "Matt P." wrote:

> I have an OpenBSD box that breaks after a week or so of running. All network
> traffic stops reaching the box. If I look at the screen or serial output, I
> can get the "login:" prompt, and when I enter my name I get prompted for a
> password, but once I enter a password it hangs. Key presses and control codes
> still show on the screen, but the login never succeeds or fails. I thought
> control-C might cause it to go back to the login prompt, but it doesn't. I have
> to hard reboot the box to get it back.

This may be due to a memory leak.  You could monitor the output of
"netstat -m" and also "vmstat -m" and watch for memory use increasing
over time.  The number of mbufs in use reported by "netstat -m"
should be relatively stable.

 - todd
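A small watcher for the approach Todd describes, added here as an example rather than anything from the thread: it parses the "mbufs in use" and "Kbytes allocated to network" lines of netstat -m, keeps a sliding window of samples, and warns when the count rose on every sample in the window. The netstat -m text embedded below is constructed to exercise the parsers offline, and the default interval and window size are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sample "netstat -m" periodically and
# report when the mbuf count has only ever gone up across a window of
# samples, which is the pattern Todd's reply says to watch for.

# Constructed text in the shape of OpenBSD "netstat -m" output, used only to
# exercise the parsers offline; the numbers are made up.
SAMPLE_NETSTAT_M='221 mbufs in use:
        199 mbufs allocated to data
        22 mbufs allocated to packet headers
75/208/6144 mbuf 2048 byte clusters in use (current/peak/max)
1312 Kbytes allocated to network (46% in use)
0 requests for memory denied'

# Print the "N mbufs in use" figure from netstat -m text read on stdin.
mbufs_in_use() {
    awk '/mbufs in use/ { print $1; exit }'
}

# Print the "N Kbytes allocated to network" figure from the same text.
net_kbytes() {
    awk '/Kbytes allocated to network/ { print $1; exit }'
}

# is_growing "a b c ...": succeed when every sample is larger than the one
# before it; a single flat or falling step means the series is not a leak.
is_growing() {
    prev=""
    for cur in $1; do
        if [ -n "$prev" ] && [ "$cur" -le "$prev" ]; then
            return 1
        fi
        prev=$cur
    done
    return 0
}

# Take one sample every INTERVAL seconds, keep the last WINDOW of them, and
# print a warning each time the whole window is strictly increasing.
# Defaults (5 minutes, 12 samples = one hour) are assumptions; tune to taste.
monitor() {
    interval=${INTERVAL:-300}
    window=${WINDOW:-12}
    series=""
    count=0
    while :; do
        cur=$(netstat -m | mbufs_in_use)
        series="${series:+$series }$cur"
        count=$((count + 1))
        if [ "$count" -ge "$window" ]; then
            if is_growing "$series"; then
                echo "$(date) mbufs in use rose on every sample: $series" >&2
            fi
            series=${series#* }      # drop the oldest sample
            count=$((count - 1))
        fi
        sleep "$interval"
    done
}

# Run on the box as: sh mbufwatch.sh monitor   (Ctrl-C to stop)
case "${1:-}" in
    monitor) monitor ;;
esac
```

A steady climb over hours, with the "Kbytes allocated to network" figure rising alongside, is the leak signature to look for; a count that rises under load and falls back is normal. Pool statistics from vmstat -m can be sampled and compared the same way by hand.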



Re: Unexpected pf behavior for DHCP traffic?

2021-07-30 Thread Stefan Sperling
On Fri, Jul 30, 2021 at 04:59:03AM +, beebeet...@posteo.de wrote:
> Thanks Theo for the answer!
> 
> I'm still having difficulty wrapping my head around it.
> 
> I have two packets: DHCPREQUEST and DHCPACK
> {timestamp} {my_ip}.68 > {ip1}.67: xid:0xfe51c9a3 [|bootp]
> {timestamp} {ip2}.67 > {my_ip}.68: xid:0xfe51c9a3 Y:{my_ip} G:{ip1}[|bootp]
> 
> I get that tcpdump taps to bpf so it can see both packets.
> 
> And my understanding of your answer is that pf doesn't see the
> first packet (DHCPREQUEST) since it's being sent using bpf.
> 
> The second packet (DHCPACK) -- although dhcpleased has unfiltered
> access to -- is eventually visible to pf, thus will be blocked by
> pf and should show up on the pflog0 interface as per the following
> rule:
> 
> > block drop in log (all) on $ext_if inet proto udp \
> > from port 67 to port 68
> 
> However, it seems that nothing appears on pflog0 in my case, which
> is what I still can't comprehend.
> 
> Am I missing something here?

BPF filters have the ability to drop packets before pf sees them.
dhclient/dhcpleased make use of this feature, and they match any UDP
packets using DHCP-related ports.



Openbsd pf firewall ipv6 routing

2021-07-30 Thread Irshad
Hi 

I have the following setup at home. I am sharing internet
with a neighbour; our ISP provides IPv6
with a 2001:16a2:cdd2:xx00::/56 prefix delegation. Until now I was only using
IPv4 NAT with the following setup:


ISP-Router -- OPENBSD/PF -- VLAN10—openWRT—Macbook
|
VLAN20__openWRT  some Devices 
|   

|
Neighbour Access Point 

Recently I tried to enable IPv6 in OpenBSD.
I can ping6 google.com from the OpenBSD firewall itself,
but I cannot route IPv6 traffic from LAN-side devices.
I can get IPv6 addresses assigned to my LAN devices.

PS: the ISP provides only dynamic IPs, not static.


/etc/hostname.iwn0
inet6 autoconf -soii -temporary
inet 192.168.100.177 255.255.255.0

ifconfig iwn0
inet 192.168.100.177 netmask 0xff00 broadcast 192.168.100.255
inet6 2001:16a2:cdd2:xx00:xxx:faff:fe92:c7c6 prefixlen 64 autoconf pltime 86081 
vltime 86081

This is connecting to the ISP router with an IPv4 LAN-side IP

and NAT with the pf firewall.

vlan10 
/etc/hostname.vlan10
192.168.10.1/24 192.168.10.255 parent em0 vnetid 10
inet6 autoconf

ifconfig vlan10
inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
inet6 fe80::5e26:aff:fe0e:d6ea%vlan10 prefixlen 64 scopeid 0x8


IP forwarding for IPv6:
sysctl net.inet6.ip6.forwarding=1

 rad.conf(5) 
interface vlan10 {
prefix 2001:16a2:cdd2:xx01::/64
}

OpenBSD netstat -nr
Destination   Gateway         Flags   Refs    Use   Mtu  Prio Iface
default       fe80::1%iwn0    UGS        0     90     -    12 iwn0


macOS netstat -nr
Internet6:
Destination                               Gateway                         Flags  Netif Expire
default                                   fe80::5e26:aff:fe0e:d6ea%en0    UGcg   en0
2001:16a2:cdd2:9500::/64                  link#4                          UC     en0
2001:16a2:cdd2:xx00:1c07:xxc4:1577:55e1   8:6d:41:de:6d:4a                UHL    lo0



Thanks 
Irshad