Special configuration of DHCP, NAT - BSD


Thread: Special configuration of DHCP, NAT

  1. Special configuration of DHCP, NAT

    Hi

    My ISP provides me with 5 dynamic ip addresses.
    I have 5+ computers connected today via a broadband router which means
    I am just using 1 of my addresses.

    I am now thinking about replacing the broadband router with my openbsd
    box, which is already handling my mail.
    My question is whether the following setup is possible.

    * I will have 2 NICs in my OpenBSD box, one connected to the DSL modem
    and one connected to the LAN
    * I want my openbsd box to trick my broadband modem that it is
    actually 5 computers, requesting from my ISPs DHCP server and
    reserving all 5 dynamic ip addresses I have available from my ISP.
    * I want my openbsd box to run dhcpd and provide my computers on the
    LAN with IP addresses. All computers should get addresses in the LAN
    ip address range 192.168.0.something. These addresses should connect
    the computers to the Internet via NAT.
    * I want certain (specified by hostname) computers on my LAN to get an
    additional external dynamic address (one of those previously reserved)
    and I want my openbsd box to route the traffic through.


    So what I want is something like the following with my server
    (whiterussian) and 5 computers connected (screwdriver, bloodymary,
    irishcoffe, pinkpanther, apfelkorn). I want it to be predecided that
    screwdriver, bloodymary, irishcoffe and pinkpanther should have
    external IP addresses; all other connecting computers will only get
    internal addresses (apfelkorn in this example).


    whiterussian (OpenBSD with dhcp and 2 NICs)
    192.168.0.1
    23.43.15.16
    (also reserved 23.43.34.4, 23.43.4.1, 23.43.19.20, 23.43.99.253)



    bloodymary
    192.168.0.4
    23.43.34.4

    apfelkorn
    192.168.0.6

    irishcoffe
    192.168.0.3
    23.43.4.1

    screwdriver
    192.168.0.2
    23.43.19.20

    pinkpanther
    192.168.0.5
    23.43.99.253


    Is it possible to configure this with OpenBSD without having to
    recompile things?

    Thankful for any advice
    Best Regards
    Jens


  2. Re: Special configuration of DHCP, NAT

    On 2007-10-23, jens@zekra.se wrote:
    > Hi
    >
    > My ISP provides me with 5 dynamic ip addresses.
    > I have 5+ computers connected today via a broadband router which means
    > I am just using 1 of my addresses.
    >
    > I am now thinking about replacing the broadband router with my openbsd
    > box, which is already handling my mail.


    This is what I do at home with OpenBSD 4.1. Standard install. Running my web
    site, mail server plus firewall to my LAN. OpenBSD DHCP's an address from the
    DSL modem and NAT's the LAN. I use a combination of static IP address for
    hosts plus bind and dhcpd.

    I also make sure my one windoze box doesn't emit anything too nasty to the
    Internet...

    My /etc/pf.conf:

    LAN = "fxp0"
    WAN = "xl0"

    icmp_types = "echoreq"

    tcp_services = "{ ssh, http, https, smtp, imaps }"

    MSports = "{ 135:139, 161, 389, 445, 593 }"

    set skip on lo

    scrub in on $WAN all
    scrub out on $WAN all random-id

    ## NAT
    nat on $WAN from $LAN:network to any -> ($WAN)

    ## FILTER RULES

    block drop in all
    block drop out all

    ## allow traffic out to Internet
    pass out on $WAN proto tcp from any to any modulate state flags S/SA
    pass out on $WAN proto { udp, icmp } from any to any

    ## allow pings
    pass in on $WAN inet proto icmp from any to any icmp-type $icmp_types keep state

    ## watch for address spoofing
    antispoof quick for { lo $LAN }

    ## allow LAN traffic
    pass on $LAN

    block on $LAN proto {udp, tcp} from any to any port $MSports

    ## allow specific server traffic, use TCP SYN Proxy
    pass in on $WAN inet proto tcp from any to any \
    port $tcp_services flags S/SA synproxy state


    I also start up named and dhcpd per their man pages.

    Hope this helps!



  3. Re: Special configuration of DHCP, NAT

    On Oct 23, 8:48 pm, Doug Carter wrote:

    > This is what I do at home with OpenBSD 4.1. Standard install. Running my web
    > site, mail server plus firewall to my LAN. OpenBSD DHCP's an address from the
    > DSL modem and NAT's the LAN. I use a combination of static IP address for
    > hosts plus bind and dhcpd.
    >
    > I also make sure my one windoze box doesn't emit anything too nasty to the
    > Internet...
    >
    > My /etc/pf.conf:
    >
    > LAN = "fxp0"
    > WAN = "xl0"
    >
    > icmp_types = "echoreq"
    >
    > tcp_services = "{ ssh, http, https, smtp, imaps }"
    >
    > MSports = "{ 135:139, 161, 389, 445, 593 }"
    >
    > set skip on lo
    >
    > scrub in on $WAN all
    > scrub out on $WAN all random-id
    >
    > ## NAT
    > nat on $WAN from $LAN:network to any -> ($WAN)
    >
    > ## FILTER RULES
    >
    > block drop in all
    > block drop out all
    >
    > ## allow traffic out to Internet
    > pass out on $WAN proto tcp from any to any modulate state flags S/SA
    > pass out on $WAN proto { udp, icmp } from any to any
    >
    > ## allow pings
    > pass in on $WAN inet proto icmp from any to any icmp-type $icmp_types keep state
    >
    > ## watch for address spoofing
    > antispoof quick for { lo $LAN }
    >
    > ## allow LAN traffic
    > pass on $LAN
    >
    > block on $LAN proto {udp, tcp} from any to any port $MSports
    >
    > ## allow specific server traffic, use TCP SYN Proxy
    > pass in on $WAN inet proto tcp from any to any \
    > port $tcp_services flags S/SA synproxy state
    >
    > I also start up named and dhcpd per their man pages.
    >
    > Hope this helps!


    First of all, many thanks for the reply.
    This made me understand more of how it should be done.
    There are however some parts I still don't understand.

    * nat on $WAN from $LAN:network to any -> ($WAN)
    Does this mean that pf will do the NAT packet translation for me? No
    NAT daemon that needs to be run?

    * I still don't know how to reserve 5 ip addresses from my ISP and how
    to pass 4 of them right through the openbsd box to computers on the
    other side. I think I now know enough to set up computers behind the
    firewall with NAT and internal addresses for all computers except the
    router.

    Thanks for all help so far
    Best Regards
    Jens



  4. Re: Special configuration of DHCP, NAT

    On 2007-10-24, jens@zekra.se wrote:
    > On Oct 23, 8:48 pm, Doug Carter wrote:
    >
    >> This is what I do at home with OpenBSD 4.1. Standard install. Running my web
    >> site, mail server plus firewall to my LAN. OpenBSD DHCP's an address from the
    >> DSL modem and NAT's the LAN. I use a combination of static IP address for
    >> hosts plus bind and dhcpd.

    > * nat on $WAN from $LAN:network to any -> ($WAN)
    > Does this mean that pf will make the NAT packet translation for me? no
    > NAT daemon that need to be runned?


    That is correct. PF is all you need. Do, however, make sure to enable
    IP forwarding if you have not done so already:


    > * I still dont know how to reserve 5 ip addresses from my ISP and how
    > to pass 4 of them right through the openbsd box to computers on the
    > other side.


    Got me on that one. Never tried it. The ifconfig "alias" function might
    be used to cause the WAN side interface to respond to all the addresses.

    Do you intend to put each LAN side host on a separate interface card?


  5. Re: Special configuration of DHCP, NAT

    wrote:

    > Hi
    >
    > My ISP provides me with 5 dynamic ip addresses.
    > I have 5+ computers connected today via a broadband router which means
    > I am just using 1 of my addresses.
    >
    > I am now thinking about replacing the broadband router with my openbsd
    > box, which is already handling my mail.
    > My question is whether the following setup is possible.
    >
    > * I will have 2 NICs in my OpenBSD box, one connected to the DSL modem
    > and one connected to the LAN
    > * I want my openbsd box to trick my broadband modem that it is
    > actually 5 computers, requesting from my ISPs DHCP server and
    > reserving all 5 dynamic ip addresses I have available from my ISP.
    > * I want my openbsd box to run dhcpd and provide my computers on the
    > LAN with IP addresses. All computers should get addresses in the LAN
    > ip address range 192.168.0.something. These addresses should connect
    > the computers to the Internet via NAT.
    > * I want certain (specified by hostname) computers on my LAN to get an
    > additional external dynamic address (one of those previously reserved)
    > and I want my openbsd box to route the traffic through.


    I don't think it is possible to get multiple DHCP leases on the same
    interface.

    Well, it used to be impossible. I believe you would need a way to assign
    an interface alias with a separate ethernet MAC to make it work.

    What is possible with dhclient is to get one lease and setup multiple
    static aliases.

    DHCP is meant to simplify automatic setup of workstations. Not provide
    complicated solutions.

    Good luck with your problem.

    (Either run whiterussian as a bridge, or try dhcrelay, both with
    192.168.0/24 statically set up.)

    (Or get a non-dhcp setup from your ISP. If you were in a static setup,
    it'd be really easy. It's the 5xDHCP leases that are your problem. That's not
    something an ISP provides for a client-side firewalled setup.)






  6. Re: Special configuration of DHCP, NAT

    Hugo Villeneuve wrote:
    > wrote:
    >
    >> Hi
    >>
    >> My ISP provides me with 5 dynamic ip addresses.
    >> I have 5+ computers connected today via a broadband router which means
    >> I am just using 1 of my addresses.
    >>
    >> I am now thinking about replacing the broadband router with my openbsd
    >> box, which is already handling my mail.
    >> My question is whether the following setup is possible.
    >>
    >> * I will have 2 NICs in my OpenBSD box, one connected to the DSL modem
    >> and one connected to the LAN
    >> * I want my openbsd box to trick my broadband modem that it is
    >> actually 5 computers, requesting from my ISPs DHCP server and
    >> reserving all 5 dynamic ip addresses I have available from my ISP.
    >> * I want my openbsd box to run dhcpd and provide my computers on the
    >> LAN with IP addresses. All computers should get addresses in the LAN
    >> ip address range 192.168.0.something. These addresses should connect
    >> the computers to the Internet via NAT.
    >> * I want certain (specified by hostname) computers on my LAN to get an
    >> additional external dynamic address (one of those previously reserved)
    >> and I want my openbsd box to route the traffic through.

    >
    > I don't think it is possible to get multiple DHCP leases on the same
    > interface.
    >
    > Well, it used to be impossible. I believe you would need a way to assign
    > an interface alias with a separate ethernet MAC to make it work.
    >
    > What is possible with dhclient is to get one lease and setup multiple
    > static aliases.
    >
    > DHCP is meant to simplify automatic setup of workstations. Not provide
    > complicated solutions.
    >
    > Good luck with your problem.
    >
    > (Either run whiterussian as a bridge, or try dhcrelay, both with
    > 192.168.0/24 statically set up.)
    >
    > (Or get a non-dhcp setup from your ISP. If you were in a static setup,
    > it'd be really easy. It's the 5xDHCP leases that are your problem. That's not
    > something an ISP provides for a client-side firewalled setup.)
    >

    Try turning off dhcp in your router so that all dhcp requests go to
    the isp.
  7. Re: Special configuration of DHCP, NAT

    On Oct 28, 1:54 pm, dave wrote:

    > Try turning off dhcp in your router so that all dhcp requests go to
    > the isp.


    Ok, I see, this is becoming very complicated.

    Could I have DHCP on whiterussian configure only some hosts on my
    network and let the others' requests through to my ISP's DHCP server?

    Then I could have whiterussian configure the local 192.168.0.*
    addresses, and the hosts that should have external ip addresses get
    them directly from the ISP?

    Thanks everyone for all help so far!

