-   *BSD (
-   -   OpenBSD routing problems (

c_rugby 06-21-2004 11:52 AM

OpenBSD routing problems
I am having some difficulty and I hope someone can lend a much appreciated hand.

I would like to set up an OpenBSD box to act as a router and a packet filter on a network. Currently the network connects to their gateway at The machines are in the same range as the gateway ( - I was wondering if it is possible to put the OpenBSD machine in between the network switch and the gateway? I would also like to serve dhcp to the internal network from the OpenBSd box.

The reason I am asking is that I heard that it might not be possible to do routing when their are addresses on both sides of the machine in the same subnet.

I have turned ip forwarding on. I have attempted to set it up as a bridge as well but that doesn't work either. I can ssh to the box from the internet but I cannot ssh to it from the internal network. The machine has as its default gateway, which is also the gateway of all the machines in the network.

The dhcp works fine, what else could be the problem. I also disabled packet filter in case it was a rule problem. That didn't help either. Anything you can think of would be great.


chort 06-21-2004 12:32 PM

You would need to use proxy-arp for that, since as you pointed out IPs on both sides of the machine are on the same subnet. You can't do it as a bridge since the DHCP daemon will need an IP to use (bridges don't have IPs).

c_rugby 06-21-2004 03:46 PM

So would the command

arp -s [MAC Address o fthe internal interface] pub


From what I can gather, my OpenBSD box would reply to the ARP requests on the internal network with its MAC address and then once it received the packets, it would forward them out its default gateway?

chort 06-21-2004 05:23 PM

In theory, yes ;) OpenBSD man pages are generally very accurate, so I would be very surprised if that doesn't work. You will of course need to enable IP forwarding if you have not done so already (it's in /etc/sysctl.conf, which is where you would make it enable on boot, then use sysctl -w to write it to kernel memory to change it now w/o rebooting).

Oh, and going back the other way (from the gateway router to the OpenBSD box) you will either need to have the OpenBSD box proxy-arp on it's external address for all the internal IPs, or put the external interface on a tiny subnet with the gateway router, then on the router make a static route to the rest of the subnet that is behind the OpenBSD box and designate the external interface IP on the OBSD box as the gateway.

Last edit, I swear... You'll need to put that arp -s command in your /etc/rc.local file so it will run at boot, otherwise you'll have to manually re-add it each time.

newpenguin 06-21-2004 06:06 PM

first decide what u want to do u have 2 options
1.make openbsd a bridge and do the filtering.
2.divide ur machines in two subnets give ur openbsd machine 2 ips.
one ip from one subnet and other one from second subnet.
on both subets make openbsd ips the gateway. enable ip forwarding.
then it will be a router.

by the way a bridge can have ip address.and openbsd bridge filters the traffic at layer 4.

chort 06-21-2004 11:18 PM

It should work fine with proxy-arp, that's the whole point of it's existence. Yes it would be better to re-subnet, but those look like public IPs to me and it would be a waste to use up 4 of them just for one link.

c_rugby 06-23-2004 11:23 AM

I have two questions still:
1) Proxy Arp doesn't seem to be working. I think the problem may lie in the arp table where the proxy entry for the gateway is

128.127.X.y at [MAC Address of Internal Interface] on rl0 static published

I think the problem is that rl0 is the external interface and not the internal interface. How do you change the interface named in the arp table. The MAC address is correct.

2) If the above problem isn't solved I will probabl have to try subnetting. But I am unsure as to how to proceed. Does anyone know how I woul devenn go about that or where there might be a good tutorial?

chort 06-23-2004 04:38 PM

Hmm, maybe I have it backwards and you need the MAC of the NIC the address can actually be reached by (i.e. you need to proxy the MAC of the NIC that's on the same network as that IP, not the MAC of the NIC on the same segment as the requestor).

I'll have to try this out at home, but it should be trivial for you to try.

All times are GMT -5. The time now is 04:36 AM.