Special configuration of DHCP, NAT - BSD
-
Special configuration of DHCP, NAT
Hi
My ISP provides me with 5 dynamic ip addresses.
I have 5+ computers connected today via a broadband router which means
I am just using 1 of my addresses.
I am now thinking about replacing the broadband router with my openbsd
box which is already handling my mail.
My question is if the following setup is possible.
* I will have 2 NICs in my OpenBSD box, one connected to the DSL modem
and one connected to the LAN
* I want my openbsd box to trick my broadband modem that it is
actually 5 computers, requesting from my ISPs DHCP server and
reserving all 5 dynamic ip addresses I have available from my ISP.
* I want my openbsd box to run dhcpd and provide my computers on the
LAN with IP addresses. All computers should get addresses in the LAN
ip address range 192.168.0.something. These addresses should connect
the computers to the Internet via NAT.
* I want certain (specified by hostname) computers on my LAN to get an
additional external dynamic address (one of those previously reserved)
and I want my openbsd box to route the traffic through.
So what I want is something like the following with my server
(whiterussian) and 5 computers connected (screwdriver, bloodymary,
irishcoffe, pinkpanther, apfelkorn). I want it to be pre-decided that
screwdriver, bloodymary, irishcoffe and pinkpanther should have
external IP addresses, all other connecting computers will only get
internal addresses (apfelkorn in this example).
host           internal       external
whiterussian   192.168.0.1    23.43.15.16   (OpenBSD with dhcp and 2 NICs;
                                             also reserved 23.43.34.4, 23.43.4.1,
                                             23.43.19.20, 23.43.99.253)
bloodymary     192.168.0.4    23.43.34.4
apfelkorn      192.168.0.6    -
irishcoffe     192.168.0.3    23.43.4.1
screwdriver    192.168.0.2    23.43.19.20
pinkpanther    192.168.0.5    23.43.99.253
Is this possible to configure this with OpenBSD without having to
recompile things?
Thankful for any advice
Best Regards
Jens
-
Re: Special configuration of DHCP, NAT
On 2007-10-23, jens@zekra.se wrote:
> Hi
>
> My ISP provides me with 5 dynamic ip addresses.
> I have 5+ computers connected today via a broadband router which means
> I am just using 1 of my addresses.
>
> I am now thinking about replacing the broadband router with my openbsd
> box which is already handling my mail.
This is what I do at home with OpenBSD 4.1. Standard install. Running my web
site, mail server plus firewall to my LAN. OpenBSD DHCP's an address from the
DSL modem and NAT's the LAN. I use a combination of static IP address for
hosts plus bind and dhcpd.
I also make sure my one windoze box doesn't emit anything too nasty to the
Internet...
My /etc/pf.conf:
LAN = "fxp0"
WAN = "xl0"
icmp_types = "echoreq"
tcp_services = "{ ssh, http, https, smtp, imaps }"
MSports = "{ 135:139, 161, 389, 445, 593 }"
set skip on lo
scrub in on $WAN all
scrub out on $WAN all random-id
## NAT
nat on $WAN from $LAN:network to any -> ($WAN)
## FILTER RULES
block drop in all
block drop out all
## allow traffic out to Internet
pass out on $WAN proto tcp from any to any modulate state flags S/SA
pass out on $WAN proto { udp, icmp } from any to any
## allow pings
pass in on $WAN inet proto icmp from any to any icmp-type $icmp_types keep state
## watch for address spoofing
antispoof quick for { lo $LAN }
## allow LAN traffic
pass on $LAN
block on $LAN proto {udp, tcp} from any to any port $MSports
## allow specific server traffic, use TCP SYN Proxy
pass in on $WAN inet proto tcp from any to any \
port $tcp_services flags S/SA synproxy state
I also start up named and dhcpd per their man pages.
Hope this helps!
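As an added example (not Doug's configuration and not from the thread): a dhcpd.conf for whiterussian that hands out the 192.168.0.x range and pins Jens' named hosts to the addresses in his table. The MAC addresses are constructed placeholders from the documentation range; the lease times are assumptions.

```conf
# /etc/dhcpd.conf on whiterussian (added example, not from the thread;
# MAC addresses are constructed placeholders from the documentation range).
# Start dhcpd on the LAN NIC only, e.g. "dhcpd fxp0", so the ISP-facing
# NIC never answers DHCP requests coming from the modem side.
option domain-name-servers 192.168.0.1;    # whiterussian runs named
default-lease-time 86400;
max-lease-time 604800;

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;

    # Pool for any host not reserved below (visitors, new machines).
    range 192.168.0.100 192.168.0.199;

    # Reservations. dhcpd keys on the client's hardware address, not on
    # the hostname the client announces (that string is client-controlled),
    # so each "named" host is pinned by its MAC.
    host screwdriver {
        hardware ethernet 00:00:5e:00:53:02;
        fixed-address 192.168.0.2;
    }
    host irishcoffe {
        hardware ethernet 00:00:5e:00:53:03;
        fixed-address 192.168.0.3;
    }
    host bloodymary {
        hardware ethernet 00:00:5e:00:53:04;
        fixed-address 192.168.0.4;
    }
    host pinkpanther {
        hardware ethernet 00:00:5e:00:53:05;
        fixed-address 192.168.0.5;
    }
    host apfelkorn {                         # internal address only
        hardware ethernet 00:00:5e:00:53:06;
        fixed-address 192.168.0.6;
    }
}
```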
-
Re: Special configuration of DHCP, NAT
On Oct 23, 8:48 pm, Doug Carter wrote:
> This is what I do at home with OpenBSD 4.1. Standard install. Running my web
> site, mail server plus firewall to my LAN. OpenBSD DHCP's an address from the
> DSL modem and NAT's the LAN. I use a combination of static IP address for
> hosts plus bind and dhcpd.
>
> I also make sure my one windoze box doesn't emit anything too nasty to the
> Internet...
>
> My /etc/pf.conf:
>
> LAN = "fxp0"
> WAN = "xl0"
>
> icmp_types = "echoreq"
>
> tcp_services = "{ ssh, http, https, smtp, imaps }"
>
> MSports = "{ 135:139, 161, 389, 445, 593 }"
>
> set skip on lo
>
> scrub in on $WAN all
> scrub out on $WAN all random-id
>
> ## NAT
> nat on $WAN from $LAN:network to any -> ($WAN)
>
> ## FILTER RULES
>
> block drop in all
> block drop out all
>
> ## allow traffic out to Internet
> pass out on $WAN proto tcp from any to any modulate state flags S/SA
> pass out on $WAN proto { udp, icmp } from any to any
>
> ## allow pings
> pass in on $WAN inet proto icmp from any to any icmp-type $icmp_types keep state
>
> ## watch for address spoofing
> antispoof quick for { lo $LAN }
>
> ## allow LAN traffic
> pass on $LAN
>
> block on $LAN proto {udp, tcp} from any to any port $MSports
>
> ## allow specific server traffic, use TCP SYN Proxy
> pass in on $WAN inet proto tcp from any to any \
> port $tcp_services flags S/SA synproxy state
>
> I also start up named and dhcpd per their man pages.
>
> Hope this helps!
First of all, many thanks for the reply
This made me understand more of how it should be done.
There are however some parts I still don't understand.
* nat on $WAN from $LAN:network to any -> ($WAN)
Does this mean that pf does the NAT packet translation for me, with no
NAT daemon that needs to be run?
* I still don't know how to reserve 5 ip addresses from my ISP and how
to pass 4 of them right through the openbsd box to computers on the
other side. I think I now know enough to set up computer behind the
firewall with NAT and internal addresses for all computers except the
router.
Thanks for all help so far
Best Regards
Jens
-
Re: Special configuration of DHCP, NAT
On 2007-10-24, jens@zekra.se wrote:
> On Oct 23, 8:48 pm, Doug Carter wrote:
>
>> This is what I do at home with OpenBSD 4.1. Standard install. Running my web
>> site, mail server plus firewall to my LAN. OpenBSD DHCP's an address from the
>> DSL modem and NAT's the LAN. I use a combination of static IP address for
>> hosts plus bind and dhcpd.
>>
>>
> * nat on $WAN from $LAN:network to any -> ($WAN)
> Does this mean that pf does the NAT packet translation for me, with no
> NAT daemon that needs to be run?
That is correct. PF is all you need. Do, however, make sure to enable
IP forwarding if you have not done so already:
> * I still don't know how to reserve 5 ip addresses from my ISP and how
> to pass 4 of them right through the openbsd box to computers on the
> other side.
Got me on that one. Never tried it. The ifconfig "alias" function might
be used to cause the WAN side interface to respond to all the addresses.
Do you intend to put each LAN side host on a separate interface card?
-
Re: Special configuration of DHCP, NAT
wrote:
> Hi
>
> My ISP provides me with 5 dynamic ip addresses.
> I have 5+ computers connected today via a broadband router which means
> I am just using 1 of my addresses.
>
> I am now thinking about replacing the broadband router with my openbsd
> box which is already handling my mail.
> My question is if the following setup is possible.
>
> * I will have 2 NICs in my OpenBSD box, one connected to the DSL modem
> and one connected to the LAN
> * I want my openbsd box to trick my broadband modem that it is
> actually 5 computers, requesting from my ISPs DHCP server and
> reserving all 5 dynamic ip addresses I have available from my ISP.
> * I want my openbsd box to run dhcpd and provide my computers on the
> LAN with IP addresses. All computers should get addresses in the LAN
> ip address range 192.168.0.something. These addresses should connect
> the computers to the Internet via NAT.
> * I want certain (specified by hostname) computers on my LAN to get an
> additional external dynamic address (one of those previously reserved)
> and I want my openbsd box to route the traffic through.
I don't think it is possible to get multiple DHCP leases on the same
interface.
Well, it used to be impossible. I believe you would need a way to assign
an interface alias with a separate ethernet MAC to make it work.
What is possible with dhclient is to get one lease and set up multiple
static aliases.
DHCP is meant to simplify automatic setup of workstations, not provide
complicated solutions.
Good luck with your problem.
(Either run whiterussian as a bridge, or try dhcrelay, both with
192.168.0/24 statically set up.)
(Or get a non-dhcp setup from your ISP. If you were in a static setup,
it'd be really easy. It's the 5xDHCP leases that are your problem. That's not
something an ISP provides for a client-side firewalled setup.)
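Added example, not Hugo's or anyone else's in the thread: if the four extra addresses are assigned statically (Hugo's "non-dhcp setup") they can be aliased on the WAN NIC and mapped one-to-one to the LAN hosts with pf's binat, while the primary address still comes from DHCP. It reuses Doug's $WAN/$LAN macros and Jens' addresses and assumes OpenBSD 4.x syntax (pre-4.7 nat/binat rules, hostname.if "dhcp" plus "inet alias" lines).

```conf
# Added example, not from the thread. Assumes the ISP assigns the four
# extra addresses statically; the primary WAN address may still be
# leased via DHCP. OpenBSD 4.x syntax (pre-4.7 pf translation rules).

# /etc/sysctl.conf : the box must forward packets between the two NICs.
net.inet.ip.forwarding=1

# /etc/hostname.xl0 : lease the primary address, add the others as
# aliases so the WAN NIC answers ARP for all five addresses.
dhcp
inet alias 23.43.34.4 255.255.255.255
inet alias 23.43.4.1 255.255.255.255
inet alias 23.43.19.20 255.255.255.255
inet alias 23.43.99.253 255.255.255.255

# /etc/pf.conf translation section, replacing Doug's single nat line.
# binat is a 1:1 two-way mapping: packets from 192.168.0.4 leave as
# 23.43.34.4 and packets arriving for 23.43.34.4 are delivered to
# 192.168.0.4. pf evaluates binat before nat, so the four hosts below
# use their own address and everything else (apfelkorn) still hides
# behind the dynamic ($WAN) address.
binat on $WAN from 192.168.0.2 to any -> 23.43.19.20   # screwdriver
binat on $WAN from 192.168.0.3 to any -> 23.43.4.1     # irishcoffe
binat on $WAN from 192.168.0.4 to any -> 23.43.34.4    # bloodymary
binat on $WAN from 192.168.0.5 to any -> 23.43.99.253  # pinkpanther
nat on $WAN from $LAN:network to any -> ($WAN)

# Translation does not bypass the filter: with "block drop in all" the
# mapped hosts stay unreachable from outside until a pass rule names
# them. Open only what each host actually serves, e.g. ssh on
# bloodymary. The destination is the internal address, because pf
# filters after inbound translation has been applied.
pass in on $WAN inet proto tcp from any to 192.168.0.4 \
    port ssh flags S/SA synproxy state
```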
-
Re: Special configuration of DHCP, NAT
Hugo Villeneuve wrote:
> wrote:
>
>> Hi
>>
>> My ISP provides me with 5 dynamic ip addresses.
>> I have 5+ computers connected today via a broadband router which means
>> I am just using 1 of my addresses.
>>
>> I am now thinking about replacing the broadband router with my openbsd
>> box which is already handling my mail.
>> My question is if the following setup is possible.
>>
>> * I will have 2 NICs in my OpenBSD box, one connected to the DSL modem
>> and one connected to the LAN
>> * I want my openbsd box to trick my broadband modem that it is
>> actually 5 computers, requesting from my ISPs DHCP server and
>> reserving all 5 dynamic ip addresses I have available from my ISP.
>> * I want my openbsd box to run dhcpd and provide my computers on the
>> LAN with IP addresses. All computers should get addresses in the LAN
>> ip address range 192.168.0.something. These addresses should connect
>> the computers to the Internet via NAT.
>> * I want certain (specified by hostname) computers on my LAN to get an
>> additional external dynamic address (one of those previously reserved)
>> and I want my openbsd box to route the traffic through.
>
> I don't think it is possible to get multiple DHCP leases on the same
> interface.
>
> Well, it used to be impossible. I believe you would need a way to assign
> an interface alias with a separate ethernet MAC to make it work.
>
> What is possible with dhclient is to get one lease and set up multiple
> static aliases.
>
> DHCP is meant to simplify automatic setup of workstations, not provide
> complicated solutions.
>
> Good luck with your problem.
>
> (Either run whiterussian as a bridge, or try dhcrelay, both with
> 192.168.0/24 statically set up.)
>
> (Or get a non-dhcp setup from your ISP. If you were in a static setup,
> it'd be really easy. It's the 5xDHCP leases that are your problem. That's not
> something an ISP provides for a client-side firewalled setup.)
>
Try turning off dhcp in your router so that all dhcp requests go to
the isp.
-
Re: Special configuration of DHCP, NAT
On Oct 28, 1:54 pm, dave wrote:
> Try turning off dhcp in your router so that all dhcp requests go to
> the isp.
Ok, I see, this is becoming very complicated.
Could I have DHCP on whiterussian configure only some hosts on my
network and let the others' requests through to my ISP's DHCP server?
Then I could have whiterussian configure the local 192.168.0.*
addresses, and the hosts that should have external ip addresses get
them directly from the ISP?
Thanks everyone for all help so far!