pf, bridge and dhcrelay - BSD


  1. pf, bridge and dhcrelay

    *Background*

    I have a setup to limit network access for students during exams (students
    use their own laptops). Bridge interface with packet filtering constitutes
    our "filter". PF doesn't forward dhcp request/response, so I need dhcrelay.
    I had this setup working OK last year, but after reinstall I can't get it to
    work properly.

    With the bridge up and pf disabled everything is OK. Everyone behind the
    filter can access all resources.

    With pf enabled everyone can access allowed resources (print server), and
    other resources are blocked. New clients cannot use anything because they
    don't get an IP. Assigning static IPs helps, but I don't want the mess that
    "wild" static IP assignment will create on our network.

    Executing "dhcrelay " reports listening and sending on all
    interfaces.
    The "external" interface (server side of the filter) has an IP and netmask
    belonging to the network.

    The "internal" (filtered client side) interface has a private IP (10.0.0.x).

    On the OpenBSD box I get ping response, http and name resolution from the
    servers, and no other outside services are available.
    A DHCP request from the internal side yields a "send_fallback: no route to
    host" message on the OpenBSD console.

    *Details*

    NICs are 3Com EtherExpress ($int_if, xl0) and CNet ($ext_if, fxp0)

    Running OpenBSD 3.5 (GENERIC)

    PF rules:
    --------
    block return on $ext_if all
    pass on $ext_if from to any
    pass on $ext_if from any to
    pass on $int_if all
    --------

    The table contains the addresses to DHCP, DNS and print
    servers.

    I also tried limiting the dhcp relaying to one interface, with no
    improvement:
    dhcrelay -i $int_if

    *Please help me*
    Do I need to set up routes manually?
    Is the promiscuous setting of the NICs causing trouble?
    (Allowed services are available when working inside OpenBSD, and all traffic
    passes OK when pf is disabled. To me this indicates that NICs do their job
    and no additional route setup is needed.)

    What am I missing?
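    An added example, not the poster's own configuration: a complete pf.conf for
    this kind of bridge filter, with the table filled in, explicit rules for DHCP
    on UDP ports 67/68, and logging of blocked traffic so a client that gets no
    lease can be traced on pflog0. The table name <servers>, the server addresses
    and the OpenBSD 3.5-era syntax (no "set skip") are assumptions.

```pf
# Added example, not the poster's ruleset. Interface names follow the post;
# the table name and server addresses are constructed for illustration.
ext_if = "fxp0"
int_if = "xl0"

# Addresses of the DHCP, DNS and print servers (constructed sample values).
table <servers> { 192.0.2.10, 192.0.2.11, 192.0.2.20 }

# Default deny on the server side of the bridge. "log" sends every rejected
# packet to pflog0, so a client that never gets a lease can be traced with
#   tcpdump -n -e -ttt -i pflog0 port 67 or port 68
block return log on $ext_if all

# DHCP itself: client discover/request (68 -> 67, normally broadcast) and the
# server's offer/ack (67 -> 68). pf does not forward these on its own; whether
# dhcrelay or plain bridging carries them, the filter must let them through.
# dhcrelay also unicasts to the server from the box's own address, which the
# <servers> rules below cover as long as the DHCP server is in the table.
pass quick on $ext_if proto udp from any port 68 to any port 67
pass quick on $ext_if proto udp from any port 67 to any port 68

# Permitted services: traffic to and from the servers in the table, nothing else.
pass on $ext_if from <servers> to any
pass on $ext_if from any to <servers>

# No filtering on the student-facing side; the external interface decides.
pass on $int_if all
```

    Load with "pfctl -f /etc/pf.conf" and check the active rules with "pfctl -sr"
    and the table with "pfctl -t servers -T show".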



  2. Re: pf, bridge and dhcrelay

    keme wrote:
    > (quotes the original post above in full)


    Come to think of it, I have a 3Com EtherLink III (3c509, 10 Mb)
    configured as a span interface on the bridge. On the previous (working)
    setup the external interface was on a line that never would pass 10 Mb
    of traffic. Now I have the box inside my network. Could the added
    traffic (though filtered at both interfaces) be overloading the span
    interface, causing some kind of network saturation?

    Over the weekend I'll remove the span interface from the bridge and see.
