OpenBSD router in VM: client can't ping external IPs

swapjim · 05-06-2022, 01:29 PM

I'm trying to setup an OpenBSD router in Virtual Box so that I can later set it up in the actual metal

The OpenBSD VM has three Eth cards and I'm using two right now. em0 is bridged to the actual Eth adapter and OpenBSD can ping 1.1.1.1 and google.com. em1 connects to Virtual Box's internal network.

There is a Linux VM with one Eth card and connects to Virtual Box's internal network. Linux gets a dhcp IP and can ping OpenBSD. Also, OpenBSD can ping Linux. But Linux can't ping 1.1.1.1 (or any other public IP). I haven't reach the point to set up DNS but I should be able to ping an external IP, right? What am I missing?

My /etc/sysctl.conf:

Code:

net.inet.ip.forwarding=1
net.inet6.ip6.forearding=1

My /etc/hostname.em0:

Code:

dhcp

My /etc/hostname.em1:

Code:

inet 10.8.0.1 255.255.255.0 10.8.0.255

ifconfig output on OpenBSD:

Code:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
        lladdr 08:00:27:00:41:3e
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 10.2.0.52 netmask 0xffffff00 broadcast 10.2.0.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:27:ff:65:ad
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 10.8.0.1 netmask 0xffffff00 broadcast 10.8.0.255
enc0: flags=0<>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 5 priority 0 llprio 3
        groups: pflog

I've read these:

https://www.openbsd.org/faq/pf/example1.html

https://www.openbsdhandbook.com/howto/simple_router/

jggimi · 05-06-2022, 05:57 PM

I'm guessing -- because I'm not sure which NIC connects where -- that you have some sort of routing problem. Look at the output of `$ netstat -rnf inet` or `$ route -n show -inet` and see how this OS reaches 1.1.1.1. Do you have a default route? If not, that's why.

jggimi · 05-06-2022, 06:08 PM

Quote:

Originally Posted by swapjim

My /etc/sysctl.conf:

Code:

net.inet.ip.forwarding=1
net.inet6.ip6.forearding=1

I hope that's a typo in your post, and not in the file.

jggimi · 05-06-2022, 06:10 PM

And, I see you've replicated your post on Reddit, where a couple of folks recommend looking at your NAT provisioning.

swapjim · 05-07-2022, 12:33 PM

Quote:

Originally Posted by jggimi

I hope that's a typo in your post, and not in the file.

Yes, it's a typo.

Quote:

Originally Posted by jggimi

And, I see you've replicated your post on Reddit, where a couple of folks recommend looking at your NAT provisioning.

Yes, and their responses made me look at the next section in the howto. I took this line:

Code:

pass out on em0 inet from em1:network to any nat-to em0

which solved the problem. I don't know yet what it does but I will. The next step is understanding pf and NAT.

Thank you, both!

jggimi · 05-07-2022, 07:27 PM

Quote:

Originally Posted by swapjim

The next step is understanding pf and NAT.

Network Address Translation (NAT) has been a standard Internet practice for decades. Briefly, it permits all of us to have our own private networks that can't be directly addressed on the Internet, and those private networks each have shared access to the Internet.

Let us know if you have any questions about it, or about provisioning it.