Re: Shell for PF
* Fil DiNoto fdin...@gmail.com [2013-02-16 21:54]:
> I prefer rule processing order

kinda funny, that is what I consider the biggest (and unfixable) mistake in pf. but that's all history.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Shell for PF
2013/2/16 Matthew Weigel uni...@idempot.net:
> On Feb 16, 2013, at 5:28 AM, Vadim Zhukov persg...@gmail.com wrote:
>> 2013/2/16 Fil DiNoto fdin...@gmail.com:
>>> But this is all off-topic, I'm not slamming pf in any way, I love it. I was just saying it can't hurt to try to emulate what people know if at all possible. And the fact is that JunOS/IOS have the market share, so that's what people know.
>
> Sorry, Vadim, for responding to Fil through your email.
>
> I think there is a real risk to trying to present an interface that is reminiscent of other systems that behave differently and do less. People will begin to expect that pf does the same things - no more, no less. Power that is specific to pf over other systems will be ignored, because people will think that since they are familiar with the interface they know what they're doing.

Yes, there are people who want to know just enough to have the work done somehow - those don't care what to use and don't want to learn in general. Probably they aren't the OpenBSD audience, but they hurt other people, advanced enough to use OpenBSD, too. Those who don't care about the tools they are actually using WILL fuck up their use. And hell, yes, I'd prefer a netfilter-based solution built by a smart man over a PF-based one built by a stupid one. But when choosing between netfilter-based and PF-based firewalls built by the same lazy man (I'm NOT talking about the OP himself here)... who cares?

There is no point in caring about what tools others use, until this hurts you. If others just use netfilter, fine - it's their problem. :) If you have to use netfilter because others do use PF - it becomes your problem. A real problem.

Just an example: I had to spend the last few months building a virtualized environment based on CentOS 6. Well, I could not say it's full crap - just about 70% of it. :) I know that building the same using OpenBSD could take a few weeks (including detailed documentation of the whole process). But I had to use Linux, because other people here don't know anything about BSDs at all, and because they really need Sun JDK 1.6 for some stuff. It's really a pain in the ass: for example, I had to fight with udev, grub and LVM each time I cloned a virtual machine; I have to choose between old (CentOS/RHEL repos) and badly tested (EPEL) packages most of the time, or build stuff on my own; I have to debug PAM modules to allow logging in using 25-year-old technologies because official HOWTOs are not valid for the given OS and the tools provided with the distro fail silently, and even then it doesn't work the way I want... But people don't want a thing that Just Works(TM) if they could not fix it later themselves (though I suspect they could not fix this Linux-based infrastructure either). So many of us have to build Linux-based environments for others and use OpenBSD for ourselves. A bit frustrating, but it's better than nothing. :)

And let's see the problem from the other side. Remember school. At first you'd learn Newton's physics, where you could just accelerate and run as fast as light and even faster. And only then, a few years later, Einstein's theory comes. Don't think about a shell-like interface for PF as the right solution for the final product - such thinking IS wrong, I totally agree. But remember, when people _really_ want some more functionality, they _will_ learn. They just need an incentive. Straightforwardly making people around you learn the whole of PF at once is almost the same thing as trying to make a first grader learn relativity theory. I've made enough such mistakes already, trust me. :) And I don't want to say those people are stupid at all, they just could not apprehend as quickly as you or I may want them to.

> Presenting a different interface is a FANTASTIC way to communicate 'difference' to the user. It forces them to think about the difference sooner, rather than when things aren't working as expected (or after they've bought more equipment on top of the OpenBSD firewall because JunOS can't do that). If that means people don't learn pf because they realize very quickly that it's unlike anything they know... That is a SERVICE being provided. They knew they didn't have the time to figure it out before they got ass-deep into it.

Everyone makes mistakes. Everyone sometimes fucks things up. I do. :) If you want those to happen more rarely than often, set up the appropriate process: give people as much info as they can handle at the given moment, but not more - or they won't get any info at all. Let them know that there is a PF. Just a few words. Then show some things they use (or want to use) in netfilter/DamnSwitchOS/etc. that are easy in PF, so people get interested. Do this several times. Make them know that PF is easy. Then get them trying to do the same you're doing. If you've done that well, they'll like it, and they will want to try it in production. Just make people _want_ to learn and try. They will
Re: Shell for PF
2013/2/16 Fil DiNoto fdin...@gmail.com:
> Well in this case JunOS, IOS, and Brocade would be what people know and are accustomed to, because these are common brands. But I was speaking of my experiences working at an ISP and using vendors that most people haven't heard of. Alcatel, Atrica to name a couple, multi-service customer premise stuff or VPN. It's easy to hire people who know Juniper/Cisco/Brocade. It takes the new guys a few months to get used to the telco-specific stuff.
>
> But this is all off-topic, I'm not slamming pf in any way, I love it. I was just saying it can't hurt to try to emulate what people know if at all possible. And the fact is that JunOS/IOS have the market share, so that's what people know. As a user I'd love to see some attempt to make it happen, but I'll be using pf regardless.

Well, no one stops anyone here from writing such a shell and creating an OpenBSD port for this stuff. We already have a Firewall Builder port out there, for example... oh, wait, the developers went off the project recently. Will this happen to PFSH or whatever it will be called, too?..

> On Fri, Feb 15, 2013 at 9:05 PM, Daniel Ouellet dan...@presscom.net wrote:
>> Hi,
>>
>> I own an ISP and I see no problem using OpenBSD, or Cisco, as routers and I have no problem with the configuration of PF. I kind of find it much simpler than Cisco. Definitely a better man page for sure! (:
>>
>> Just know, you don't need every single feature of PF to have a great router. PF does offer you more than IOS or JunOS. The only place where it falls short is the hardware you can get on Cisco or Juniper for high-end traffic and all. But as is, it's far ahead of where it was a few years ago and you can run lots of stuff on that, I tell you! Nevertheless, the traffic you can pass through OpenBSD keeps increasing at each release and for any small business it provides way more than what's needed. Even Equinix has been using OpenBSD as a route reflector for years now and if you are an ISP, you know Equinix is way up there!
>>
>> So, I don't think you are really understanding what you are asking, I think.
>>
>> On 2/15/13 11:05 PM, Fil DiNoto wrote:
>>> I was drawing from situations where we implemented hardware from a less well known vendor that has a completely different configuration style than what most people are used to. We end up having more outages caused by human error to the point where the equipment gets a bad reputation.
>>
>> So, don't you have anyone that needed to learn the difference between JunOS and IOS? There is plenty there too. Your techs just need to learn it as they did. If you have errors with PF, then you will have the same techs making errors with IOS and JunOS because they are not paying any attention to what they are doing! It's just a third OS to learn to use, nothing more or less, but I tell you, neither IOS nor JunOS have all the information handy and exact as PF does, however! (:
>>
>> I don't see that as a valid argument really. Either you are a network engineer and learn what you work with, or you don't. Plus, just a side note, there is more than just Cisco and Juniper for routers as well. You want to have Brocade use IOS syntax too? Or Nortel Networks, well, they are bankrupt, so I guess yeah, you will not learn that one! (: But there is more too. Lucent has their own OS too. So, in all, it's just one more to learn, that's all.
>>
>>> Unfortunately I have never been able to convince management to use OpenBSD for anything outside the lab except for a VPN server for internal/vendor use so I can't provide any real examples involving OpenBSD.
>>
>> Management is focused on money most of the time. So, if they send all the money you want to get the gear you need, then you should be happy. When they run out, maybe they will give PF and OpenBSD a try. Just know that most if not all management are not innovative in nature; they all want outside support so they can blame someone else and wash their hands of the problem, but will be jumping up and down to promote their choice when all is good so they look good. There is way more politics than good old logic and innovation there, you know, right?
>>
>>> But I think with all the virtualization these days and the virtual network appliances for VMware and such devices like Raspberry Pi, the software router is going to become a more popular choice in a lot of situations. Like me personally, I have an ESXi server I lease; I'm not going to buy/lease a hardware router/firewall to sit in front of a single machine with a handful of VMs on it. I use an OpenBSD VM as a router to the other VMs and it works wonderfully. My provider had a hard time understanding why I wanted another /29 routed to one of my IP addresses; the sales guy kept saying it won't work that way, you need a router and all you have is one server, but eventually they made it happen.
>>
>> This I must say is why I decided to answer your message, as I can't imagine or understand why you would like to run a router inside
Re: Shell for PF
I work on Cisco ASA, Juniper ScreenOS, Junos commercial firewalls. Linux iptables on various systems. All because that is what they pay me to support. However, when I need to set up something in the lab that works, I use OpenBSD pf, which it does quite well. I've tried, without success, to get co-workers working on custom hardware to look at PF, but they go down the iptables route. Their loss, not mine.

g.day
diana

Past hissy-fits are not a predictor of future hissy-fits.
                                        Nick Holland (06 Dec 2005)

On Fri, 15 Feb 2013, Fil DiNoto wrote:
> Well in this case JunOS, IOS, and Brocade would be what people know and are accustomed to, because these are common brands. But I was speaking of my experiences working at an ISP and using vendors that most people haven't heard of. Alcatel, Atrica to name a couple, multi-service customer premise stuff or VPN. It's easy to hire people who know Juniper/Cisco/Brocade. It takes the new guys a few months to get used to the telco-specific stuff.
Re: Shell for PF
On Feb 16, 2013, at 5:28 AM, Vadim Zhukov persg...@gmail.com wrote:
> 2013/2/16 Fil DiNoto fdin...@gmail.com:
>> But this is all off-topic, I'm not slamming pf in any way, I love it. I was just saying it can't hurt to try to emulate what people know if at all possible. And the fact is that JunOS/IOS have the market share, so that's what people know.

Sorry, Vadim, for responding to Fil through your email.

I think there is a real risk to trying to present an interface that is reminiscent of other systems that behave differently and do less. People will begin to expect that pf does the same things - no more, no less. Power that is specific to pf over other systems will be ignored, because people will think that since they are familiar with the interface they know what they're doing.

Presenting a different interface is a FANTASTIC way to communicate 'difference' to the user. It forces them to think about the difference sooner, rather than when things aren't working as expected (or after they've bought more equipment on top of the OpenBSD firewall because JunOS can't do that). If that means people don't learn pf because they realize very quickly that it's unlike anything they know... That is a SERVICE being provided. They knew they didn't have the time to figure it out before they got ass-deep into it.

-- 
Matthew Weigel
hacker
unique idempot . ent
Re: Shell for PF
You've convinced me. Why try to emulate something, even if it is just cosmetic, that isn't as good? That's just going to obscure what pf really is.

I must be honest though, I wouldn't know how to answer someone if they asked me why pf is better than, say, an SRX or ASA firewall-router, or vice versa. I use OpenBSD/pf because it is Free and it does everything I can think of. Theo compared JunOS vs pf to shoes and a 737. That's pretty exciting, but why? pf has done what I need it to do without me needing to learn much about it, I suppose. I can point out things I like about each (I prefer the rule processing order and 'quick' of pf to anything else, for example) but I wouldn't be able to provide anything definitive, and that's only because of my own ignorance. Unless we are talking about things that are particularly interesting to developers, which I am not, but I understand the value of an open platform. I suppose that alone is enough to make the shoes vs 737 comparison, but I'm asking along the lines of things you can do simply through configuration.

On Sat, Feb 16, 2013 at 9:20 AM, Matthew Weigel uni...@idempot.net wrote:
> On Feb 16, 2013, at 5:28 AM, Vadim Zhukov persg...@gmail.com wrote:
>> 2013/2/16 Fil DiNoto fdin...@gmail.com:
>>> But this is all off-topic, I'm not slamming pf in any way, I love it. I was just saying it can't hurt to try to emulate what people know if at all possible. And the fact is that JunOS/IOS have the market share, so that's what people know.
>
> Sorry, Vadim, for responding to Fil through your email.
>
> I think there is a real risk to trying to present an interface that is reminiscent of other systems that behave differently and do less. People will begin to expect that pf does the same things - no more, no less. Power that is specific to pf over other systems will be ignored, because people will think that since they are familiar with the interface they know what they're doing.
>
> Presenting a different interface is a FANTASTIC way to communicate 'difference' to the user. It forces them to think about the difference sooner, rather than when things aren't working as expected (or after they've bought more equipment on top of the OpenBSD firewall because JunOS can't do that). If that means people don't learn pf because they realize very quickly that it's unlike anything they know... That is a SERVICE being provided. They knew they didn't have the time to figure it out before they got ass-deep into it.
>
> -- 
> Matthew Weigel
> hacker
> unique idempot . ent
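Fil's remark above about preferring pf's rule processing order and 'quick', and Henning's comment earlier in the thread on that same order, both refer to pf's last-matching-rule-wins evaluation. The Python toy evaluator below is an added illustration, not code from this thread or from pf itself: it runs one constructed ruleset (a simplified subset of pf's rule syntax, read by a hypothetical parse_rule helper) under pf's semantics and under first-match ACL semantics, to show where the verdicts of the same ordered rules diverge.

```python
"""Toy model of pf's rule evaluation order versus first-match (ACL-style) evaluation.

pf walks the ruleset top to bottom and the *last* matching rule decides the
verdict, unless a matching rule carries `quick`, which ends evaluation at
once. First-match engines such as IOS-style access lists stop at the first
hit and deny anything that matches nothing. The rule syntax handled here is a
constructed, simplified subset (action, optional `quick`, `proto`,
`from <cidr|any>`, `port <n>`); it is not pf's parser.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False          # stop evaluating on match (pf semantics)
    proto: Optional[str] = None  # None means any protocol
    src: Optional[str] = None    # source CIDR, None means any
    dport: Optional[int] = None  # destination port, None means any

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        return self.dport is None or self.dport == pkt.dport


def parse_rule(line: str) -> Rule:
    """Hypothetical parser for lines like 'block in quick proto tcp from 10.0.0.0/8 to any port 22'."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("pass", "block"):
        raise ValueError(f"unsupported rule: {line!r}")
    proto = src = None
    dport = None
    for i, tok in enumerate(tokens):
        if tok == "proto":
            proto = tokens[i + 1]
        elif tok == "from" and tokens[i + 1] != "any":
            src = tokens[i + 1]
        elif tok == "port":
            dport = int(tokens[i + 1])
    return Rule(tokens[0], "quick" in tokens, proto, src, dport)


def evaluate_pf(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """pf semantics: last match wins, a `quick` match ends the walk, default is pass."""
    verdict, winner = "pass", None
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            verdict, winner = rule.action, idx
            if rule.quick:
                break
    return verdict, winner


def evaluate_first_match(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """ACL semantics: first match wins, implicit deny when nothing matches."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "block", None


def divergences(rules: List[Rule], pkts: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Packets for which the two evaluation models reach different verdicts."""
    out = []
    for pkt in pkts:
        pf_verdict, _ = evaluate_pf(rules, pkt)
        acl_verdict, _ = evaluate_first_match(rules, pkt)
        if pf_verdict != acl_verdict:
            out.append((pkt, pf_verdict, acl_verdict))
    return out


# Constructed ruleset in pf's usual "block everything, then open up" style.
RULESET = """
block in all
pass in proto tcp from any to any port 22
block in quick proto tcp from 10.0.0.0/8 to any port 22
pass in proto tcp from 10.0.0.0/8 to any port 80
"""
RULES = [parse_rule(line) for line in RULESET.strip().splitlines()]

# Constructed sample traffic.
SAMPLES = [
    Packet("tcp", "192.0.2.5", 22),  # ssh from outside: pf passes (rule 1), first-match blocks (rule 0)
    Packet("tcp", "10.1.2.3", 22),   # ssh from 10/8: both block, but pf's winner is the quick rule 2
    Packet("tcp", "10.1.2.3", 80),   # http from 10/8: pf passes (rule 3), first-match blocks (rule 0)
    Packet("udp", "10.1.2.3", 53),   # only the catch-all block matches under either model
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "pf:", evaluate_pf(RULES, pkt), "first-match:", evaluate_first_match(RULES, pkt))
```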
Re: Shell for PF
On Sat, Feb 16, 2013 at 10:41 AM, Fil DiNoto fdin...@gmail.com wrote:
> with something vaguely familiar to what they would encounter in the other equipment like Cisco or Juniper, they would be far less likely to make a mistake that would result in an outage or security problem. So as superficial as this might seem to you, in practice I think it would have a large impact

God no, please. Turning pf into the stupidity that is IOS would be a nightmare. One of the many good things about PF (and OpenBSD) is that, as opposed to IOS/JunOS, it's actually managed in a way that isn't reminiscent of 1985.

---
Lars
Shell for PF
I was wondering why nobody has ever created a shell for pf so that you could manipulate it in a way similar to JunOS instead of editing pf.conf. Also show / monitor commands. Hierarchical edit mode, stuff like that.
Re: Shell for PF
> I was wondering why nobody has ever created a shell for pf so that you could manipulate it in a way similar to JunOS instead of editing pf.conf. Also show / monitor commands. Hierarchical edit mode, stuff like that.

Because pf does not follow the configuration model of a switch or router, or other such device, which have much simpler configuration. pf is capable of doing things *much much more complex*.

If you spent 1 hour trying to build what you wonder about, rather than writing such a mail, you would begin to understand the problem.
Re: Shell for PF
On Fri, Feb 15, 2013 at 8:42 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> I was wondering why nobody has ever created a shell for pf so that you could manipulate it in a way similar to JunOS instead of editing pf.conf. Also show / monitor commands. Hierarchical edit mode, stuff like that.
>
> Because pf does not follow the configuration model of a switch or router, or other such device, which have much simpler configuration. pf is capable of doing things *much much more complex*.
>
> If you spent 1 hour trying to build what you wonder about, rather than writing such a mail, you would begin to understand the problem.

and pfctl does a lot

-- 
- () ascii ribbon campaign - against html e-mail
  /\
Re: Shell for PF
Thanks for the reply Theo, big fan of OpenBSD.

Someone referred me to NSH which is exactly what I was thinking of. It even incorporates ifconfig so you can do all the layer 2 stuff, which is more than I was hoping for. Can't wait to play with it. I know exactly what you mean about the hardware differences and the challenges that would go into creating a true JunOS-style experience; I was just looking for a way to fake it. I'm not a coder at all, I'm a network guy, and OpenBSD has been my OS of choice for many years when I need a router for a lab or when hardware isn't available. pf rocks! I can't stand iptables. It's like they had a contest to see who could come up with the longest possible minimum command to block/open a port.

I would like to offer a suggestion though from my experience: simplifying the configuration of a device greatly increases its security, operationally. So if users (network IT staff) are presented with something vaguely familiar to what they would encounter in the other equipment like Cisco or Juniper, they would be far less likely to make a mistake that would result in an outage or security problem. So as superficial as this might seem to you, in practice I think it would have a large impact.

On Fri, Feb 15, 2013 at 5:42 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> I was wondering why nobody has ever created a shell for pf so that you could manipulate it in a way similar to JunOS instead of editing pf.conf. Also show / monitor commands. Hierarchical edit mode, stuff like that.
>
> Because pf does not follow the configuration model of a switch or router, or other such device, which have much simpler configuration. pf is capable of doing things *much much more complex*.
>
> If you spent 1 hour trying to build what you wonder about, rather than writing such a mail, you would begin to understand the problem.
Re: Shell for PF
> Someone referred me to NSH which is exactly what I was thinking of.

No, NSH is not what you are thinking of at all. You are asking for something which nests the *entire hierarchy* of command structure to control interfaces and stuff PLUS pf... but NSH cannot do that in the 'natural way' you ask for. pf is not designed to match that model.
Re: Shell for PF
> I would like to offer a suggestion though from my experience: simplifying the configuration of a device greatly increases its security, operationally. So if users (network IT staff) are presented with something vaguely familiar to what they would encounter in the other equipment like Cisco or Juniper, they would be far less likely to make a mistake that would result in an outage or security problem. So as superficial as this might seem to you, in practice I think it would have a large impact.

This is a grand delusion. Show me how you do the power and control that pf gives on a Cisco or Juniper. Your metaphor is like shoes vs 737. You have to prove that first; otherwise, your entire paragraph is based on false premises.
Re: Shell for PF
I was drawing from situations where we implemented hardware from a less well known vendor that has a completely different configuration style than what most people are used to. We end up having more outages caused by human error to the point where the equipment gets a bad reputation.

Unfortunately I have never been able to convince management to use OpenBSD for anything outside the lab except for a VPN server for internal/vendor use so I can't provide any real examples involving OpenBSD.

But I think with all the virtualization these days and the virtual network appliances for VMware and such devices like Raspberry Pi, the software router is going to become a more popular choice in a lot of situations. Like me personally, I have an ESXi server I lease; I'm not going to buy/lease a hardware router/firewall to sit in front of a single machine with a handful of VMs on it. I use an OpenBSD VM as a router to the other VMs and it works wonderfully. My provider had a hard time understanding why I wanted another /29 routed to one of my IP addresses; the sales guy kept saying it won't work that way, you need a router and all you have is one server, but eventually they made it happen.

On Fri, Feb 15, 2013 at 6:48 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
>> I would like to offer a suggestion though from my experience: simplifying the configuration of a device greatly increases its security, operationally. So if users (network IT staff) are presented with something vaguely familiar to what they would encounter in the other equipment like Cisco or Juniper, they would be far less likely to make a mistake that would result in an outage or security problem. So as superficial as this might seem to you, in practice I think it would have a large impact.
>
> This is a grand delusion. Show me how you do the power and control that pf gives on a Cisco or Juniper. Your metaphor is like shoes vs 737. You have to prove that first; otherwise, your entire paragraph is based on false premises.
Re: Shell for PF
Hi,

I own an ISP and I see no problem using OpenBSD, or Cisco, as routers and I have no problem with the configuration of PF. I kind of find it much simpler than Cisco. Definitely a better man page for sure! (:

Just know, you don't need every single feature of PF to have a great router. PF does offer you more than IOS or JunOS. The only place where it falls short is the hardware you can get on Cisco or Juniper for high-end traffic and all. But as is, it's far ahead of where it was a few years ago and you can run lots of stuff on that, I tell you! Nevertheless, the traffic you can pass through OpenBSD keeps increasing at each release and for any small business it provides way more than what's needed. Even Equinix has been using OpenBSD as a route reflector for years now and if you are an ISP, you know Equinix is way up there!

So, I don't think you are really understanding what you are asking, I think.

On 2/15/13 11:05 PM, Fil DiNoto wrote:
> I was drawing from situations where we implemented hardware from a less well known vendor that has a completely different configuration style than what most people are used to. We end up having more outages caused by human error to the point where the equipment gets a bad reputation.

So, don't you have anyone that needed to learn the difference between JunOS and IOS? There is plenty there too. Your techs just need to learn it as they did. If you have errors with PF, then you will have the same techs making errors with IOS and JunOS because they are not paying any attention to what they are doing! It's just a third OS to learn to use, nothing more or less, but I tell you, neither IOS nor JunOS have all the information handy and exact as PF does, however! (:

I don't see that as a valid argument really. Either you are a network engineer and learn what you work with, or you don't. Plus, just a side note, there is more than just Cisco and Juniper for routers as well. You want to have Brocade use IOS syntax too? Or Nortel Networks, well, they are bankrupt, so I guess yeah, you will not learn that one! (: But there is more too. Lucent has their own OS too. So, in all, it's just one more to learn, that's all.

> Unfortunately I have never been able to convince management to use OpenBSD for anything outside the lab except for a VPN server for internal/vendor use so I can't provide any real examples involving OpenBSD.

Management is focused on money most of the time. So, if they send all the money you want to get the gear you need, then you should be happy. When they run out, maybe they will give PF and OpenBSD a try. Just know that most if not all management are not innovative in nature; they all want outside support so they can blame someone else and wash their hands of the problem, but will be jumping up and down to promote their choice when all is good so they look good. There is way more politics than good old logic and innovation there, you know, right?

> But I think with all the virtualization these days and the virtual network appliances for VMware and such devices like Raspberry Pi, the software router is going to become a more popular choice in a lot of situations. Like me personally, I have an ESXi server I lease; I'm not going to buy/lease a hardware router/firewall to sit in front of a single machine with a handful of VMs on it. I use an OpenBSD VM as a router to the other VMs and it works wonderfully. My provider had a hard time understanding why I wanted another /29 routed to one of my IP addresses; the sales guy kept saying it won't work that way, you need a router and all you have is one server, but eventually they made it happen.

This I must say is why I decided to answer your message, as I can't imagine or understand why you would like to run a router inside VMware!?!?!??! And don't say that it is to make it more secure, please. You make everything more complex and you were talking about making things simpler!?!?! A real paradox there, don't you think? Forget that VMware will not run on OpenBSD as the host, and you know you will lose a lot of efficiency too? There is a very long list of reasons why you shouldn't run a router in VMware. Just think about it a little and you will see why it makes no sense really. Looks like everyone wants to run everything in VMware these days and thinks it's good for everything...

Maybe you would gain by playing with PF more and setting up routers for fun with it. Just give it a chance and then after a few weeks you will wonder why Cisco and JunOS don't do their syntax like PF, really. (:

Just my $0.02 worth for using both, and I see no need to have PF be like IOS. I would be way more in favor of seeing a company out there somewhere do custom hardware for PF and OpenBSD to compete with Cisco routers, for example. Some network cards are pretty good as is, but yes, it could be even better and faster. I think if such a company would see the light of day, sooner than you think Cisco would come and buy them flat out to avoid that competition.

I
Re: Shell for PF
Well in this case JunOS, IOS, and Brocade would be what people know and are accustomed to, because these are common brands. But I was speaking of my experiences working at an ISP and using vendors that most people haven't heard of. Alcatel, Atrica to name a couple, multi-service customer premise stuff or VPN. It's easy to hire people who know Juniper/Cisco/Brocade. It takes the new guys a few months to get used to the telco-specific stuff.

But this is all off-topic, I'm not slamming pf in any way, I love it. I was just saying it can't hurt to try to emulate what people know if at all possible. And the fact is that JunOS/IOS have the market share, so that's what people know. As a user I'd love to see some attempt to make it happen, but I'll be using pf regardless.

On Fri, Feb 15, 2013 at 9:05 PM, Daniel Ouellet dan...@presscom.net wrote:
> Hi,
>
> I own an ISP and I see no problem using OpenBSD, or Cisco, as routers and I have no problem with the configuration of PF. I kind of find it much simpler than Cisco. Definitely a better man page for sure! (:
>
> Just know, you don't need every single feature of PF to have a great router. PF does offer you more than IOS or JunOS. The only place where it falls short is the hardware you can get on Cisco or Juniper for high-end traffic and all. But as is, it's far ahead of where it was a few years ago and you can run lots of stuff on that, I tell you! Nevertheless, the traffic you can pass through OpenBSD keeps increasing at each release and for any small business it provides way more than what's needed. Even Equinix has been using OpenBSD as a route reflector for years now and if you are an ISP, you know Equinix is way up there!
>
> So, I don't think you are really understanding what you are asking, I think.
>
> On 2/15/13 11:05 PM, Fil DiNoto wrote:
>> I was drawing from situations where we implemented hardware from a less well known vendor that has a completely different configuration style than what most people are used to. We end up having more outages caused by human error to the point where the equipment gets a bad reputation.
>
> So, don't you have anyone that needed to learn the difference between JunOS and IOS? There is plenty there too. Your techs just need to learn it as they did. If you have errors with PF, then you will have the same techs making errors with IOS and JunOS because they are not paying any attention to what they are doing! It's just a third OS to learn to use, nothing more or less, but I tell you, neither IOS nor JunOS have all the information handy and exact as PF does, however! (:
>
> I don't see that as a valid argument really. Either you are a network engineer and learn what you work with, or you don't. Plus, just a side note, there is more than just Cisco and Juniper for routers as well. You want to have Brocade use IOS syntax too? Or Nortel Networks, well, they are bankrupt, so I guess yeah, you will not learn that one! (: But there is more too. Lucent has their own OS too. So, in all, it's just one more to learn, that's all.
>
>> Unfortunately I have never been able to convince management to use OpenBSD for anything outside the lab except for a VPN server for internal/vendor use so I can't provide any real examples involving OpenBSD.
>
> Management is focused on money most of the time. So, if they send all the money you want to get the gear you need, then you should be happy. When they run out, maybe they will give PF and OpenBSD a try. Just know that most if not all management are not innovative in nature; they all want outside support so they can blame someone else and wash their hands of the problem, but will be jumping up and down to promote their choice when all is good so they look good. There is way more politics than good old logic and innovation there, you know, right?
>
>> But I think with all the virtualization these days and the virtual network appliances for VMware and such devices like Raspberry Pi, the software router is going to become a more popular choice in a lot of situations. Like me personally, I have an ESXi server I lease; I'm not going to buy/lease a hardware router/firewall to sit in front of a single machine with a handful of VMs on it. I use an OpenBSD VM as a router to the other VMs and it works wonderfully. My provider had a hard time understanding why I wanted another /29 routed to one of my IP addresses; the sales guy kept saying it won't work that way, you need a router and all you have is one server, but eventually they made it happen.
>
> This I must say is why I decided to answer your message, as I can't imagine or understand why you would like to run a router inside VMware!?!?!??! And don't say that it is to make it more secure, please. You make everything more complex and you were talking about making things simpler!?!?! A real paradox there, don't you think? Forget that VMware will not run on OpenBSD as the host, and you know you will lose a lot of efficiency too? There is a very