Re: pf, bridge and dhcrelay
> I have a setup to limit network access for students during exams (students
> use their own laptops). Bridge interface with packet filtering constitutes
> our "filter". PF doesn't forward dhcp request/response, so I need dhcrelay.
> I had this setup working OK last year, but after reinstall I can't get it to
> work properly.
> With the bridge up and pf disabled everything is OK. Everyone behind the
> filter can access all resources.
> With pf enabled everyone can access allowed resources (printserver), and
> other resources are blocked. New clients cannot use anything because they
> don't get IP. Assigning static IP helps, but I don't want the mess that
> "wild" static IP assignment will create on our network.
> Executing "dhcrelay <dhcpserver>" reports listening and sending on all
> The "external" interface (server side of the filter) has an IP and netmask
> belonging to the network.
> The "internal" (filtered client side) interface has a private IP (10.0.0.x).
> On the OpenBSD box I get ping response, http and name resolution from the
> servers, and no other outside services are available.
> A dhcp request from the internal side yields a "send_fallback: no route to
> host" message on the OpenBSD console.
> NICs are 3Com EtherExpress ($int_if, xl0) and CNet ($ext_if, fxp0)
> Running OpenBSD 3.5 (GENERIC)
> PF rules:
> block return on $ext_if all
> pass on $ext_if from <Baseservices> to any
> pass on $ext_if from any to <Baseservices>
> pass on $int_if all
> The <Baseservices> table contains the addresses to DHCP, DNS and print
> I also tried limiting the dhcp relaying to one interface, with no
> dhcrelay -i $int_if <DHCPserver>
> *Please help me*
> Do I need to set up routes manually?
> Is the promiscuous setting of the NICs causing trouble?
> (Allowed services are available when working inside OpenBSD, and all traffic
> passes OK when pf is disabled. To me this indicates that NICs do their job
> and no additional route setup is needed.)
> What am I missing?
Come to think of it, I have a 3Com EtherLink III (3c509, 10 Mb)
configured as a span interface on the bridge. On the previous (working)
setup the external interface was on a line that never would pass 10 Mb
of traffic. Now I have the box inside my network. Could the added
traffic (though filtered at both interfaces) be overloading the span
interface, causing some kind of network saturation?
Over the weekend I'll remove the span interface from the bridge and see.
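As an added example that is not part of this thread, here is the quoted ruleset extended with explicit rules for the DHCP client/server exchange crossing the bridge; the interface names come from the quoted message, while the table addresses are assumed placeholders from the RFC 5737 documentation range.

```pf
# Added example, not the poster's pf.conf. Macro values follow the quoted
# message; the table addresses are assumed placeholders (RFC 5737 range).
ext_if = "fxp0"      # server side of the filter
int_if = "xl0"       # filtered client side

# DHCP, DNS and print server (assumed placeholder addresses)
table <Baseservices> { 192.0.2.10, 192.0.2.11, 192.0.2.20 }

# Policy from the quoted message: only <Baseservices> is reachable from the
# client side; everything else is blocked (with a reject) on $ext_if.
block return on $ext_if all
pass on $ext_if from <Baseservices> to any
pass on $ext_if from any to <Baseservices>
pass on $int_if all

# A DHCP client has no address yet: DISCOVER/REQUEST go from 0.0.0.0 port 68
# to the broadcast address 255.255.255.255 port 67, so neither <Baseservices>
# rule above matches them and "block return" stops them on the server side.
# The server's OFFER/ACK may also be broadcast back to port 68.
# pf applies the last matching rule, so these pass rules, listed after the
# block rule, take precedence for the DHCP ports only. No "keep state" is
# used, so both directions are passed explicitly.
pass on $ext_if inet proto udp from any port 68 to any port 67
pass on $ext_if inet proto udp from any port 67 to any port 68

# Note: unicast traffic between the box's own dhcrelay and a DHCP server that
# is listed in <Baseservices> is already covered by the two table rules.
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it.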