tarballed
August 14th, 2002, 21:21
Well, I got off work early today so I raced home in hopes of getting my firewall/gateway up and bringing my LAN online.
Firewall/gateway booted up no problems and received its IP via DHCP from my ISP.
I then proceeded to configure my Windows computer on my LAN. I edited the network information with the following info:
IP = 192.168.1.2
Mask = 255.255.255.0
Gate = 192.168.1.1
DNS = ISP DNS servers
Problem was my internal computer could not reach the internet. It could not even ping my Gateway!!
I tried to do some troubleshooting, but I could not narrow down the problem. So I came for help. :)
Anyone have any ideas of what could be the problem?
Let me post some infor:
----------------------PF.CONF-------------------------------------
# Define useful variables
ext_if="dc0" # External Interface
int_if="dc1" # Our internal network range 192.168.1.0/24
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255 }"
# Clean up fragmented and abnormal packets
scrub in all
# don't allow anyone to spoof non-routeable addresses
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs
# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ext_if all
# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out on $ext_if all
pass out on $Ext_if inet proto tcp all flags S/SA keep state
pass out on $Ext_if inet proto udp all keep state
pass out on $Ext_if inet proto icmp all keep state
--------------------NAT.CONF--------------------------------
ext_if = "dc0"
int_if = "dc1"
nat on $ext_if inet from 192.168.1.0/24 to any -> $ext_if
-------------------hostname files----------------
/etc/hostname.dc0
dhcp NONE NONE NONE
/etc/hostname.dc1
inet 192.168.1.1 255.255.255.0 NONE media autoselect
The basics to get started I believe.
I did notice one thing when I was trying to troubleshoot. Let me write down some things I noticed:
1. Internal PC on LAN could not ping gateway. I verfied TCP/IP was functioning and it was.
2. when I ran a ifconfig -a, dc0 showed status = active where as dc1 showed status (not active)...i believe.
4. When i tried to ping something on the internet, i would get back, request timed out.
Anyone have suggestions? I can grab more information and post in here asap.
Thanks for your help.
Tarballed
elmore
August 14th, 2002, 21:30
First let's make sure your routing packets, from your OpenBSD firewall
type the following
ping -I dc1 "dhcp IP From Cable Provider"
Basically you want to ping your external address (the one you just pulled from your ISP) from your internal interface (192.168.1.1). If you can't then what you need to do is simple,
edit the following:
/etc/sysctl.conf
and unremark the following line
net.inet.ip.forwarding=1
Just a little gotcha. reboot and try again.
tarballed
August 14th, 2002, 21:34
Ok...i think I narrowed down the problem. It seems to be a problem with my nat.conf file.
Here is a error I get when I run pfctl -R /etc/nat.conf (reloading nat rules)
/etc/nat.conf:18: syntax error
pfctl: syntax error in rule file: pf rules not loaded
Im guessing 18 refers to line 18? If so, thats my nat rules:
I verified that:
net.inet.ip.forwarding=1
is unmarked...
I need to teset to make sure pf is routing packets...
I will post more when I can.
Tarballed
elmore
August 14th, 2002, 21:39
looks like you might be reverse natting maybe. post your nat.conf and we'll get you straightened out in a gif.
You should have something like this in your nat.conf
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if
Drop the inet in you nat.conf file
tarballed
August 14th, 2002, 21:43
Alright, here is what is in my nat.conf:
nat on $ext_if inet from 192.168.1.0/24 to any -> $ext_if
i've been trying to find the error, but cant seem to find out what the issue is.
Maybe interfaces are confused/backwards?
Tarballed
elmore
August 14th, 2002, 21:44
drop inet, see the above post I edited it while you were posting, I forgot you had alrewady posted your nat.conf.
tarballed
August 14th, 2002, 21:52
Hmm, still no dice.
Took out the inet, reloaded the rules and it still came back with that same error message:
/etc/nat.conf:18: syntax error
pfctl: syntax error in rule file: pf rules not loaded
Possible confliction some where between my nat.conf and pf.conf?
Very interesting. :)
tarballed
elmore
August 14th, 2002, 21:55
I not sure about this but a while ago variable expanison was buggy in nat.conf. Thinking OBSD 3.0
Try just removeing your variables and replacing $ext_if with dc0
tarballed
August 14th, 2002, 21:58
I think nat likes giving me a hard time. I replaced the variables with dc0 and now I receive this error:
/etc/nat.conf:18: nat rule not permitted in filter mode
pfctl: syntax error in rule file: pf rules not loaded
Sheesh. This is making my head spin.
Do i have something else misconfigured? I verified in rc.conf that nat is pointing to /etc/nat.conf
Any ideas?
Tarballed
tarballed
August 14th, 2002, 22:05
Possible problem with my hostname files?
/etc/hostname.dc0
dhcp NONE NONE NONE
/etc/hostname.dc1
inet 192.168.1.1 255.255.255.0 NONE media autoselect
Tarballed
elmore
August 14th, 2002, 22:10
Hmmmm..... Don;t know why I didn;t see this before.
you have variables done like this.
Quoting tarball:
# Define useful variables
ext_if="dc0" # External Interface
int_if="dc1" # Our internal network range 192.168.1.0/24
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255 }"
I have variables done like this:
Quoting Elmore:
ext_if="{ dc0 }"
int_if="{ dc1 }"
NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/16, 10.0.0.0/8 }"
Also make sure your cAsInG is correct in your file, with regards to your variables. One last thing, when reloading pf or nat rules make sure to use the -v switch.
I.E.
pfctl -v -R /etc/pf.conf
post the output here, that'll help
tarballed
August 14th, 2002, 22:20
Ok...here is output of pfctl -v -R /etc/pf.conf
ext_if = { dc0 }
int_if = { dc1 }
NoRoute = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255 }
@0 scrub in all
@1 block in quick on dc0 inet from 255.255.255.255/32 to any
@2 block in quick on dc0 inet from 192.168.0.0/16 to any
@3 block in quick on dc0 inet from 172.16.0.0/12 to any
@4 block in quick on dc0 inet from 10.0.0.0/8 to any
@5 block out quick on dc0 inet from any to 255.255.255.255/32
@6 block out quick on dc0 inet from any to 192.168.0.0/16
@7 block out quick on dc0 inet from any to 172.16.0.0/12 to any
@8 block out quick on dc0 inet from any to 10.0.0.0/8 to any
@9 block in on dc0 all
@10 block out on dc0 all
@11 pass out on dc0 inet proto tcp all flags S/SA keep state
@12 pass out on dc0 inet proto udp all keep state
@13 pass out on dc0 inet proto icmp all keep state
Still getting error when reloading nat.conf.
Hope this helps.
Tarballed
bsdjunkie
August 14th, 2002, 22:24
above hes got quotes around the {dco} and you dont. "{ dc0 }"
elmore
August 14th, 2002, 22:24
print the output of your nat.conf
bsdjunkie,
I do that on mine, it works fine. I never have a problem, I do
ext_if="{ xl0 }"
I have never had a problem.
tarballed
August 14th, 2002, 22:27
Here is the output of nat.conf...its the error message
/etc/nat.conf:13: syntax error
pfctl: syntax error in rule file: pf rules not loaded
::scratches head vigorously::
I dont get it. You think I would have had problems with other things, not my nat rules. :)
Tarballed
bsdjunkie
August 14th, 2002, 22:27
did notice one thing when I was trying to troubleshoot. Let me write down some things I noticed:
1. Internal PC on LAN could not ping gateway. I verfied TCP/IP was functioning and it was.
2. when I ran a ifconfig -a, dc0 showed status = active where as dc1 showed status (not active)...i believe.
4. When i tried to ping something on the internet, i would get back, request timed out.
If your internal interface is not active, you got a bigger problem than NAT =P
tarballed
August 14th, 2002, 22:29
Ya, I thought of that.
Could this be the problem? My rules not loading due to my internal NIC issue?
tarballed
bsdjunkie
August 14th, 2002, 22:31
im willing to bet thats the main issue, yes/ 8)
elmore
August 14th, 2002, 22:31
Here's my ruleset for my home fw verbatim
# $OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
# Variable Expansion to keep things clean and neat
ExtIF="{ xl0 }"
NoRouteIPs="{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Clean up fragmented and abnormal packets
scrub in all
# don't allow anyone to spoof non-routeable addresses
block in quick on $ExtIF inet from $NoRouteIPs to any
block out quick on $ExtIF inet from any to $NoRouteIPs
# finally lock the rest down with a default deny
block in quick on $ExtIF from any to any
# and let out-going traffic out and maintain state on established #connections
pass out on $ExtIF from any to any keep state
Here's my nat.conf verbatim
# $OpenBSD: nat.conf,v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and examples
#
nat on xl0 from 10.26.1.0/24 to any -> xl0
elmore
August 14th, 2002, 22:36
Allow me to talk about myself in the third person here:
If elmore had paid a little closer attention he might of realized that the internal interface was not active.
elmore should know that it'll be hard to nat on an interface that has no connection.
elmore feels foolish. :oops:
tarballed
August 14th, 2002, 22:37
Well, I really do appreciate all your help. Really does mean a lot.
Now I need to figure out why, my internal NIC (dc1) is not active.
Anything jump out right away as to what possible could be the issue?
Thanks for all your help guys.
Tarballed
bsdjunkie
August 14th, 2002, 22:38
check your dmesg
tarballed
August 14th, 2002, 22:41
Let me give more information on my internal NIC.
status: no carrier
Thats what I see when I do a ifconfig -a
something wrong with the hostname.dc1 file correct?
dc0 = dhcp NONE NONE NONE
dc1 = inet 192.168.1.1 255.255.255.0 NONE media autoselect
Tarballed
elmore
August 14th, 2002, 22:45
I usually just put
inet xxx.xxx.xxx.xxx 255.255.255.0 NONE
in mine
try that, also no carrier, make sure your NIC, your cable and your hub port are in fact good. Also, take bsdjunkies advice and run a dmesg
dmesg | more
make your interface is being recognized properly.
tarballed
August 15th, 2002, 00:02
The saga continues. :)
Ok, so I did some hardware troubleshooting. I double checked to make sure the internal NIC works and it does. Have a light on now.
I also adjusted some wiring to the firewall and switch and then I had link lights on both NIC's in the box.
So I fired up the box and ran ifconfig -a
Woo hoo!
Both NIC's are 'active'
So I try and reload my rules and BOOM! error :(
I cant seem to figure this one out. I have no clue as to what it can be.
Every time I reload the rules, I still get that error saying their is some syntax problem with my nat rules.
oh well...guess I have to do some research, see what I can find.
Tarballed
elmore
August 15th, 2002, 00:21
Look at my examples, make sure there are no typos, etc. etc. Syntax can be a bitch, if both of your interfaces are now up and everything is is good then it's something simple, one of the things that I do to help trouble shoot is this:
I create a /etc/pf.open file that contains
pass in all
pass out all
this will help you in troubleshooting your nat.conf, with filter rules eliminated, you'll be sure that there's no problem with your nat rules.
Once that's verified, try adding your pf rules back in.[/quote]
|MiNi0n|
August 15th, 2002, 08:46
Woo hoo!
Both NIC's are 'active'
So I try and reload my rules and BOOM! error :(
It has nothing to do with the above. Here's a quote from one of your first messages:
Here is a error I get when I run pfctl -R /etc/nat.conf (reloading nat rules)
You're using the wrong command. To load your pf rules you use:
pfctl -R -f /etc/pf.conf
And to load your *nat* rules you use:
pfctl -N -f /etc/nat.conf
frisco
August 15th, 2002, 09:40
Here is the output of nat.conf...its the error message
/etc/nat.conf:13: syntax error
pfctl: syntax error in rule file: pf rules not loaded
You are running the wrong command. You are running something like:
pfctl -R /etc/nat.conf
but you should be running:
pfctl -N /etc/nat.conf
-R is for pf rules, -N is for nat rules (this is for 3.0 and 3.1, not -current, -current combines both nat and pf rules and runs as 'pfctl -f /etc/pf.conf').
That is why the error message is 'pf rules not loaded' and not 'nat rules not loaded'
However, before you can even think about nat'ing, your windows box needs to be able to reach the OpenBSD gateway. If dc1 is showing status not active then you have trouble and no nat/pf rules will help. Check the cabling from that ethernet device to your hub. If it's plugged directly into the windows box then remember you need a crossover cable to do that. If the cabling appears fine then try using ifconfig to set that device again - you need to reach a status: active state. The dc(4) manpage may help. If you are still having trouble getting dc1 active then report back with full ifconfig output, a description of your physical network setup and full dmesg (sometimes irq conflicts with other devices can be Bad)
tarballed
August 15th, 2002, 11:15
Ok...
So i've been able to get both NIC's up and running with status of 'active.'
I did realize I was using the wrong command to load my nat rules.
I started using pfctl -N /etc/nat.conf
However, i'm still getting the same error. :(
The error is pointing to the line. Here is some info:
---------------------------Nat.conf------------------------------------
# $OpenBSD: nat.conf, v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and samples
#
#Declare interface
ext_if = "dc0"
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if
Here is the output from two commands:
pfctl -N /etc/nat.conf
/etc/nat.conf:8: syntax error
pfctl: syntax error in file: nat rules not loaded
pfctl -R /etc/nat.conf
/etc/nat.conf:8: syntax error
pfctl: syntax error in rule file: pf rules not loaded
I'm starting to wonder if its a hardware issue, but I dont think so since i've troubleshooted just about everything.
Tarballed, who is still working on his firewall
frisco
August 15th, 2002, 11:51
On the off chance you're not the same person posting the exact same problem to misc@, be sure your nat.conf file has no strange unprintable characters in it. Daniel Hartmeier gives the following suggestion:
That looks fine and should load. The only explanation I can think of is
that you have some non-printable characters in there, like a trailing
carriage-return (introduced by editing with a foreign editor).
Run
head -n 8 /etc/nat.conf | tail -n 1 | hexdump -C
to verify.
Daniel
how are you editing /etc/nat.conf ? are you editing it on the system using vi/emacs/pico or are you editing it on a windows/mac box and then floppy'ing/scp'ing it over?
tarballed
August 15th, 2002, 13:30
Hmm, I wil have to give that command suggested by Daniel.
Also, im editing with vi. :)
Tarballed
tarballed
August 15th, 2002, 13:44
Here's a quick thought. Since my pf.conf file works fine, what about this:
What if I backup my current nat.conf and recreate a new nat.conf with the following info in the file:
#declare interfaces
ext_if = "dc0"
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if
I mean, fresh new file, simple nat.conf?
Thoughts?
Tarballed
frisco
August 15th, 2002, 13:59
What if I backup my current nat.conf and recreate a new nat.conf with the following info in the file:
good idea.
you might also want to just try commenting out the nat line, run pfctl, see if you get errors. if not, type it in again, run pfctl. if then you get errors, replace $ext_if with dc1, run pfctl and see if you get errors.
If you get errors at every step of the way, you might try
pfctl -N /dev/null
to see if pfctl is working right.
tarballed
August 15th, 2002, 15:02
you might also want to just try commenting out the nat line, run pfctl, see if you get errors. if not, type it in again, run pfctl.
It just so happens I happened to try this.
When I ran pfctl, I received no errors.
I'm going to try here backing up my nat.conf, recreating it. Then running the command that Daniel suggested.
I'll try what you suggested as well...i wont be able to get to it until this afternoon.
I will keep everyone posted. :)
On a side note, im not sure if this could be a problem. Lets just say for some stupid reason, their was a problem with the cable running from the internal NIC to the uplink port on the switch. Could this be a problem? Hypothetically speaking here.
I'm just wondering if their was a 'issue' from the internal NIC to the uplink port on the switch, if that could be causing a problem with NAT. NOt sure, just thought i'd ask.
Tarballed
frisco
August 15th, 2002, 15:52
On a side note, im not sure if this could be a problem. Lets just say for some stupid reason, their was a problem with the cable running from the internal NIC to the uplink port on the switch. Could this be a problem? Hypothetically speaking here.
I'm just wondering if their was a 'issue' from the internal NIC to the uplink port on the switch, if that could be causing a problem with NAT. NOt sure, just thought i'd ask.
It will cause an issue in that NAT will not work since your internal lan will not be able to reach the gateway.
it will not cause an issue for pfctl as long as the device has an ip associated with it. pfctl wants either an ip address or an ethernet device with an ip address associated with it. If that device is down or is "status: no carrier", that's ok, the pfctl command should still work and not give you a syntax error.
example:
puritan# uname -a
OpenBSD puritan 3.1 GENERIC#59 i386
# cat /etc/nat.conf
nat on xl0 from 10.0.0.0/8 to any -> xl0
# ifconfig xl0
xl0: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (none)
status: no carrier
inet6 fe80::260:97ff:fe9a:a419%xl0 prefixlen 64 scopeid 0x1
# pfctl -N /etc/nat.conf
/etc/nat.conf:1: nat ip versions must match
pfctl: syntax error in file: nat rules not loaded
# ifconfig xl0 192.168.10.10
# ifconfig xl0
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MU LTICAST> mtu 1500
media: Ethernet autoselect (none)
status: no carrier
inet6 fe80::260:97ff:fe9a:a419%xl0 prefixlen 64 scopeid 0x1
inet 192.168.10.10 netmask 0xffffff00 broadcast 192.168.10.255
# pfctl -N /etc/nat.conf
# ifconfig xl0 down
# pfctl -N /etc/nat.conf
#
the first time pfctl gets an error when there is no ip associated with xl0.
the second time we ifconfig an ip to xl0 and pfctl gives no error, despite there being no carrier on the dev.
the third time we down xl0 and still pfctl give no error.
of course, the nat is useless since there is no carrier but that is another issue.
tarballed
August 15th, 2002, 16:09
Thanks for the example. Good stuff.
I'm making a list here of stuff im going to try this afternoon.
It really is quite baffling to me that i'm having such odd issues with NAT.
Doesn't make a whole lof of sense here.
I'll go ahead and print some more output later this afternoon.
Thanks again.
Tarballed