Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Markus Wernig
On 9/3/20 5:41 PM, Ernest Stewart wrote:

> And which pf rules and how to establish those routing tables are exactly what 
> I'm asking.
Maybe if you share the output of the ping test from your original mail
we could see what is actually happening.
From your setup I would assume that the IP addresses the hosts are using
for the ping are not what you expect.

best /m



Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Brian Brombacher



> On Sep 3, 2020, at 12:38 PM, Brian Brombacher  wrote:
> 
> 
> 
>>> On Sep 3, 2020, at 12:15 PM, Ernest Stewart wrote:
>>> Theo de Raadt  wrote:
>>> Oh my. Have you considered hiring a consultant?
>>> 
>>> Of course. As you have already noticed, I have no idea about how to do what 
>>> I'm trying to do. But a consultant is out of my budget.
>>> 
>>> Are you guys saying all I have to do is the following, and packets will 
>>> automatically be routed correctly?:
>>> 
>>> computer1)
>>> /etc/hostname.re0: 192.168.1.10 0xff00
>>> /etc/hostname.re1: 192.168.2.10 0xff00
>>> /etc/hostname.re2: 192.168.3.10 0xff00
>>> /etc/hostname.re3: 192.168.4.10 0xff00
>>> /etc/mygate:
>>> 192.168.1.1
>> 
>> Much better.
>> 
>> 
>> 
>> computer2)
>> /etc/hostname.re0: 192.168.2.11 0xfff0

One last thing: change Computer 2’s re0 netmask to 0xff00

>> /etc/hostname.re1: 192.168.2.128 0xfff0
>> /etc/mygate:
>> 192.168.2.10
> 
> You’ll need a route rule on computer1 like this to make computer 5 talk to 
> the rest of the computers:
> 
> route add -net 192.168.2.128/28 192.168.2.11
> 
>> 
>> computer3)
>> /etc/hostname.re0: 192.168.3.11 0xff00
>> /etc/mygate:
>> 192.168.3.10
>> 
>> computer4)
>> /etc/hostname.re0: 192.168.4.11 0xff00
>> /etc/mygate:
>> 192.168.4.10
>> 
>> 
>> computer5)
>> /etc/hostname.re0: 192.168.2.129 0xfff0
>> /etc/mygate:
>> 192.168.2.128
>> 
>> 
>> Computer1's physical connections are like this:
>> re0->ISP router(192.168.1.1)
>> re1->Computer2 re0
>> re2->Computer3 re0
>> re3->Computer4 re0
>> 
>> Computer2's re1 is connected to Computer5's re0.



Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Brian Brombacher



>> On Sep 3, 2020, at 12:15 PM, Ernest Stewart  
>> wrote:
> Theo de Raadt  wrote:
> Oh my. Have you considered hiring a consultant?
> 
> Of course. As you have already noticed, I have no idea about how to do what 
> I'm trying to do. But a consultant is out of my budget.
> 
> Are you guys saying all I have to do is the following, and packets will 
> automatically be routed correctly?:
> 
> computer1)
> /etc/hostname.re0: 192.168.1.10 0xff00
> /etc/hostname.re1: 192.168.2.10 0xff00
> /etc/hostname.re2: 192.168.3.10 0xff00
> /etc/hostname.re3: 192.168.4.10 0xff00
> /etc/mygate:
> 192.168.1.1

Much better.

> 
> 
> computer2)
> /etc/hostname.re0: 192.168.2.11 0xfff0
> /etc/hostname.re1: 192.168.2.128 0xfff0
> /etc/mygate:
> 192.168.2.10

You’ll need a route rule on computer1 like this to make computer 5 talk to the 
rest of the computers:

route add -net 192.168.2.128/28 192.168.2.11

> 
> computer3)
> /etc/hostname.re0: 192.168.3.11 0xff00
> /etc/mygate:
> 192.168.3.10
> 
> computer4)
> /etc/hostname.re0: 192.168.4.11 0xff00
> /etc/mygate:
> 192.168.4.10
> 
> 
> computer5)
> /etc/hostname.re0: 192.168.2.129 0xfff0
> /etc/mygate:
> 192.168.2.128
> 
> 
> Computer1's physical connections are like this:
> re0->ISP router(192.168.1.1)
> re1->Computer2 re0
> re2->Computer3 re0
> re3->Computer4 re0
> 
> Computer2's re1 is connected to Computer5's re0.



Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Brian Brombacher



> On Sep 3, 2020, at 11:44 AM, Ernest Stewart  
> wrote:
> 
> On Sep 3, 2020, at 15:07 AM, Brian Brombacher   wrote:
> 
> "Your setup ... requires pf rules and additional routing tables to make this 
> work."
> 
> And which pf rules and how to establish those routing tables are exactly what 
> I'm asking.

Ernest,

You are not providing any justification for your ridiculous demands.

Again: Why are you trying to wire the network with the same and disjoint 
networks?  You are not getting to the root cause of the problem.  You want to 
solve a problem that everyone in the thread keeps telling you is not a problem 
to be solved without CLEAR JUSTIFICATION.

Hire a consultant, as Theo said.  Your request for help, without proper 
justification, is not amenable to this mailing list.

-Brian

> 
> But ok, let's say I reassign addresses so Comp1 re1= 192.168.3.2, Comp2 re0= 
> 192.168.3.127, Comp2 re1 = 192.168.3.128 and Comp5 re0= 192.168.3.129, with 
> all the proper netmasks. That still does not explain why Comp2 is receiving 
> icmp.reply packets but not delivering them to "ping".



Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Ernest Stewart
Theo de Raadt  wrote:
Oh my. Have you considered hiring a consultant?

Of course. As you have already noticed, I have no idea about how to do what I'm 
trying to do. But a consultant is out of my budget.

Are you guys saying all I have to do is the following, and packets will 
automatically be routed correctly?:

computer1)
/etc/hostname.re0: 192.168.1.10 0xff00
/etc/hostname.re1: 192.168.2.10 0xff00
/etc/hostname.re2: 192.168.3.10 0xff00
/etc/hostname.re3: 192.168.4.10 0xff00
/etc/mygate:
192.168.1.1


computer2)
/etc/hostname.re0: 192.168.2.11 0xfff0
/etc/hostname.re1: 192.168.2.128 0xfff0
/etc/mygate:
192.168.2.10

computer3)
/etc/hostname.re0: 192.168.3.11 0xff00
/etc/mygate:
192.168.3.10

computer4)
/etc/hostname.re0: 192.168.4.11 0xff00
/etc/mygate:
192.168.4.10


computer5)
/etc/hostname.re0: 192.168.2.129 0xfff0
/etc/mygate:
192.168.2.128


Computer1's physical connections are like this:
re0->ISP router(192.168.1.1)
re1->Computer2 re0
re2->Computer3 re0
re3->Computer4 re0

Computer2's re1 is connected to Computer5's re0.



Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Theo de Raadt
Ernest Stewart  wrote:

> You guys are focusing on the netmasks. Let's consider my setup again
> BUT with all netmasks at 0x, so all the forwarding and routing
> need to be explicitly configured.

Oh my. Have you considered hiring a consultant?



Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Ernest Stewart
You guys are focusing on the netmasks. Let's consider my setup again BUT with 
all netmasks at 0x, so all the forwarding and routing need to be 
explicitly configured.


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Ernest Stewart
On Sep 3, 2020, at 15:07 AM, Brian Brombacher   wrote:

"Your setup ... requires pf rules and additional routing tables to make this 
work."

And which pf rules and how to establish those routing tables are exactly what 
I'm asking.

But ok, let's say I reassign addresses so Comp1 re1= 192.168.3.2, Comp2 re0= 
192.168.3.127, Comp2 re1 = 192.168.3.128 and Comp5 re0= 192.168.3.129, with all 
the proper netmasks. That still does not explain why Comp2 is receiving 
icmp.reply packets but not delivering them to "ping".


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Brian Brombacher



> On Sep 3, 2020, at 11:02 AM, Ernest Stewart  
> wrote:
> 
> I forgot to say, in every computer I have /etc/sysctl.conf with 
> "net.inet.ip.forwarding=1".
> 
> And I insist, what shocks me the most is that tcpdump shows in both computers 
> the right icmp packets but ping says 100% packets lost.

You’ve really got to pay attention to the netmasks here.  You’re trying to use 
multi routing without doing it right.  Your setup is unnecessarily complex, and 
requires pf rules and additional routing tables to make this work.  Switch to 
bridged networking if it helps simplify things.

What is the insistence on re-using portions of 192.168.1 addresses on a network 
with a router of 192.168.2?

You should expand and use more subnets under 192.168.x.




Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
On Thu, 3 Sep 2020 at 17:01, Ernest Stewart <
erneststewar...@hotmail.com> wrote:

> I forgot to say, in every computer I have /etc/sysctl.conf with
> "net.inet.ip.forwarding=1".
>
> And I insist, what shocks me the most is that tcpdump shows in both
> computers the right icmp packets but ping says 100% packets lost.
>

This part has far too little detail to be relevant. Sorry.
We can not divine from remote which of the interfaces you listened to, and
what you saw.

-- 
May the most significant bit of your life be positive.


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
On Thu, 3 Sep 2020 at 14:55, Ernest Stewart <
erneststewar...@hotmail.com> wrote:

> I was actually wondering about using netmask 0x for the external
> interface. As you noted, they are different networks, I just wanted to be
> able to use any 192.168/16 ip address in the internal network and use
> nat-to and rdr-to in Computer1 so every packet going to or from the ISP
> router comes from or goes to 192.168.1.10 (and block everything else).
>
> But still, that (external connections) is the last thing I am going to
> test. At the moment not even a ping from two directly connected computers
> that are actually sending and receiving the packets (according to tcpdump
> in both computers) seems to work...
>

The setup for computer01 is still weird, it thinks it has 4 interfaces on
the same identical network, because all the nets overlap,  except it
doesn't overlap physically because they are on separate cards. Just grab
any "how to build networks guide" and start using separate network
numbering for separate networks and things will work out better. The fifth
network card which points to your ISP device is smaller, but still inside
those 4 others, which also is a bad choice.

The way comp01 is set up on your first mail makes it equally valid for it
to send out a packet on any of the 5 network cards to try to reach
192.168.1.254 for instance. This is of course not how you set up a box with
5 networks (even if "the network" is just a cable from comp1-re1 to
comp2-re0)

-- 
May the most significant bit of your life be positive.


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Ernest Stewart
I forgot to say, in every computer I have /etc/sysctl.conf with 
"net.inet.ip.forwarding=1".

And I insist, what shocks me the most is that tcpdump shows in both computers 
the right icmp packets but ping says 100% packets lost.


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Rafael Possamai
> 1) Why is this little test not working?
>
> 2) How should I configure pf.conf (and maybe rc.conf.local with route
> commands) to allow computers communicate with each other (including Computer1
> with Computer5, thru Computer2)? In every information I have found this is
> automatically done with DHCP, which I won't use, or BGP-4, RIP, OSPF, etc.,
> which I will neither use because these addresses and routes will be static.

You can assign a /30 between the router and each computer, they can be adjacent 
within a larger subnet, but not overlap. Enable forwarding of packets between 
interfaces, and instead of using NAT, you can have the upstream configure a 
static route pointing to your subnets, or to a single aggregated subnet that 
encompasses all of them. If you are manually configuring each device on the 
network you won't need DHCP.
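
An added example, not part of the post above or of anyone's mail in this thread: a small Python check for the overlapping-network problem raised in the replies, plus the one-/30-per-cable layout suggested above. The prefix lengths in `OVERLAPPING` and the aggregate `192.168.16.0/24` are constructed assumptions, since the archive shows the original netmasks truncated.

```python
import ipaddress
from itertools import combinations

# Constructed plan (prefix lengths are assumptions): four separate cables on
# one router, three of them numbered inside the same /16.
OVERLAPPING = {
    "re0": "192.168.1.10/24",
    "re1": "192.168.2.11/16",
    "re2": "192.168.2.12/16",
    "re3": "192.168.2.13/16",
}

def networks(plan):
    """Map interface name -> connected network derived from address/prefix."""
    return {ifname: ipaddress.ip_interface(addr).network
            for ifname, addr in plan.items()}

def find_overlaps(plan):
    """Return sorted pairs of interfaces whose connected networks overlap."""
    nets = networks(plan)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def connected_candidates(plan, dest):
    """Interfaces whose connected network claims dest at the longest prefix."""
    dest = ipaddress.ip_address(dest)
    hits = {i: n for i, n in networks(plan).items() if dest in n}
    if not hits:
        return []
    best = max(n.prefixlen for n in hits.values())
    return sorted(i for i, n in hits.items() if n.prefixlen == best)

def carve_links(aggregate, ifnames):
    """Give each point-to-point link its own /30 inside one aggregate."""
    subnets = ipaddress.ip_network(aggregate).subnets(new_prefix=30)
    plan = {}
    for ifname, net in zip(ifnames, subnets):
        router, peer = list(net.hosts())
        plan[ifname] = {"router": f"{router}/30", "peer": f"{peer}/30"}
    return plan

if __name__ == "__main__":
    print(find_overlaps(OVERLAPPING))
    print(connected_candidates(OVERLAPPING, "192.168.2.50"))
    links = carve_links("192.168.16.0/24", ["re1", "re2", "re3"])
    fixed = {i: v["router"] for i, v in links.items()}
    print(links, find_overlaps(fixed))
```

More than one name returned by `connected_candidates` means the router has several equally specific connected routes for that destination, which is the ambiguity the replies describe; after `carve_links` the upstream router needs only one static route for the aggregate.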



Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Ernest Stewart
I was actually wondering about using netmask 0x for the external 
interface. As you noted, they are different networks, I just wanted to be able 
to use any 192.168/16 ip address in the internal network and use nat-to and 
rdr-to in Computer1 so every packet going to or from the ISP router comes from 
or goes to 192.168.1.10 (and block everything else).

But still, that (external connections) is the last thing I am going to test. At 
the moment not even a ping from two directly connected computers that are 
actually sending and receiving the packets (according to tcpdump in both 
computers) seems to work...


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
Den tors 3 sep. 2020 kl 11:39 skrev Ernest Stewart <
erneststewar...@hotmail.com>:

> I have a local network with 5 computers:
>
> computer1)
> /etc/hostname.re0: 192.168.1.10 0xff00
>

Different netmask here?


> /etc/hostname.re1: 192.168.2.11 0x
> /etc/hostname.re2: 192.168.2.12 0x
> /etc/hostname.re3: 192.168.2.13 0x
> /etc/mygate:
> 192.168.1.1
>
>
> computer2)
> /etc/hostname.re0: 192.168.1.11 0x
>

..compared to here.


> /etc/hostname.re1: 192.168.2.14 0x
> /etc/mygate:
> 192.168.2.11
>
> computer3)
> /etc/hostname.re0: 192.168.1.12 0x
> /etc/mygate:
> 192.168.2.12
>
> computer4)
> /etc/hostname.re0: 192.168.1.13 0x
> /etc/mygate:
> 192.168.2.13
>
>
> computer5)
> /etc/hostname.re0: 192.168.1.14 0x
> /etc/mygate:
> 192.168.2.14
>
>
> Computer1's physical connections are like this:
> re0->ISP router(192.168.1.1)
>

Seems like you chose overlapping networks for your "internal" things and
the ISP router network. Don't do that.


> re1->Computer2 re0
> re2->Computer3 re0
> re3->Computer4 re0
>
> Computer2's re1 is connected to Computer5's re0.
>
>
-- 
May the most significant bit of your life be positive.