Hi, thanks for taking a look.

I have a Internet <> router <> OpenBSD system <> another router <> PC's

I want to set up my OpenBSD box as a gateway and firewall, as it already has 2 NICs.

However, I am unable to get it to work. I have enabled packet forwarding, and the two NIC's are called tl0 and dc0, having IP addresses of 192.168.1.3 and 192.168.1.4 respectively. tl0 is connected to the internet router, and dc0 is connected to the internal router. My default gateway is 192.168.1.1, the IP of the router.

The problem is, I can only ping the internal router and not the internet one from the OpenBSD system, and trying to use it as a gateway times out all the time.

Does anyone know why this might be? Do the border and internal routers need different subnet masks or something? If you need more info, please ask, this is driving me mad.

Thanks a lot.

Try using ip addresses on different subnets for each section of your network - it will make the routing much more automatic and save you having to add static routes.

Il do that, thanks.

What about the default gateway of the OpenBSD system? Should it be set to the IP of the internet router/modem, or something else? I don't unbderstand why I can't ping the internet router, but I can ping the internal router on the other side...

Thanks a lot if anyone can help.

I agree - give each card a different range of IPs to use. I would think that you'd need to get your bsd box to see the external router as a first step - check to see what IP it's using and give your bsd box an IP in the same range. Don't worry about the internal stuff until you can see the external router as it may well require changes based on what you do with the externally connected card.

Best of luck.

DOH! I type too slow.

Check to see if there's a firewall enabled on your external router as well and disable it if there is. (Be sure to unplug your 'net connection first.) It may be blocking the connection to the bsd box - if it is, you can go back and dig into the firewall settings.


The way I have my masquerading boxes set up is to have the default gateway of the card hooked to the internet set to that provided by my ISP and the gateway of the other card blank. (The iptables rules that I use can be seen in my other thread; although I discovered that they aren't 100% secure either, they work for masqing.)

Yay! My OpenBSD box can talk to systems either side of it, here how:

External router set to 10.0.0.1, and external NIC set to 10.0.0.2
Internal Router and systems set to 192.168.1.x, internal NIC set to 192.168.1.3.

I can see how this works, but now using Windows and Linux systems on the internal side of the bsd router I cannot access the internet. I have set their default gateways to that of the OpenBSD router.

Any ideas?

And thanks a lot for such quick replies

I went through the same thing recently so I hope I can talk you through it.
If the router is using 10.0.0.X numbers set the net card interfacing with it on the same subnet e.g. 10.0.0.4 and same mask. Then try to ping it from the router box.
Now a rule I shall never forget ethernet addresses relate to the card and not to the box. On that box (BSD) set the gateway to the interfacing ethernet ip i.e. 10.0.0.4.
The second ethernet card is assigned an address 192.168.1.4 and interfaces with the boxes on the network. All the boxes behind it should be given this ip number as the gateway i.e. 192.168.1.4
Hope this helps.