Bridging OpenBSD

I am connecting four hosts to the Internet via a net5501 running
OpenBSD.  I would like also to be able to ping and ssh between these
hosts directly rather than having each on a separate subnet.
Where should I be looking to set up such capabilities?

         +-----net5501------+
         |                  |
host1 ---+--vr0--?          |
         |                  |
host2 ---+--vr1--?          |
         |          ?--re0--+----isp dhcp
host3 ---+--vr2--?          |
         |                  |
host4 ---+--vr3--?          |
         |                  |
         +------------------+

My first guess was to add vr0 - vr3 to a bridge and try to assign an IP
number to the bridge, but that does not work.

Regards
/Lars
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On Apr 25, 2012, at 2:07 PM, Lars Noodén wrote:
I'll assume you've seen http://www.openbsd.org/faq/faq6.html#Bridge

Can you expand on "does not work"?  Do you mean host1-4 can't ping each other?  Or they can't ping the IP on the net5501 bridge interface?   Or they can't reach the Internet through the net5501 (assuming that is the ultimate goal)?

If hosts1-4 can't ping each other, do you still have /etc/hostname.vr0-3 with the "up"?  Can you post the output of "ifconfig -a"?  Any network related log entries from a reboot?

-Jed
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

         +-----net5501------+
         |                  |
host1 ---+--vr0--?          |
         |                  |
host2 ---+--vr1--?          |
         |          ?--re0--+----isp dhcp
host3 ---+--vr2--?          |
         |                  |
host4 ---+--vr3--?          |
         |                  |
         +------------------+

On 4/26/12 2:17 AM, Jed Clear wrote:
> I'll assume you've seen http://www.openbsd.org/faq/faq6.html#Bridge

Yes, that was the first place I looked, along with various web pages on
bridging.  It seems that bridging only two interfaces is what is covered.

> Can you expand on "does not work"?  Do you mean host1-4 can't ping
> each other?  Or they can't ping the IP on the net5501 bridge
> interface?   Or they can't reach the Internet through the net5501
> (assuming that is the ultimate goal)?

The middle one, I'm not getting as far as pinging the net5501 bridge
interface.

I've bridged vr0 - vr3 and they show up in the bridge.  I've assigned an
IP number to vr0 and serve DHCP to that ip range.  If I connect to vr0,
I can get an address via DHCP.  If I connect to the other ports, then I
cannot.   If I understand correctly, connections from vr1 - vr3 will be
bridged to vr0 and will get DHCP from vr0 via the bridge, but that is
not happening.

Regards
/Lars

> If hosts1-4 can't ping each other, do you still have
> /etc/hostname.vr0-3 with the "up"?  Can you post the output of
> "ifconfig -a"?  Any network related log entries from a reboot?
====

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
mtu 1500
        lladdr 00:00:24:cb:a9:24
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::200:24ff:fecb:a924%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
mtu 1500
        lladdr 00:00:24:cb:a9:25
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fecb:a925%vr1 prefixlen 64 scopeid 0x2
vr2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
mtu 1500
        lladdr 00:00:24:cb:a9:26
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::200:24ff:fecb:a926%vr2 prefixlen 64 scopeid 0x3
vr3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
mtu 1500
        lladdr 00:00:24:cb:a9:27
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::200:24ff:fecb:a927%vr3 prefixlen 64 scopeid 0x4
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0a:fa:20:03:79
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::20a:faff:fe20:379%re0 prefixlen 64 scopeid 0x5
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog
bridge0: flags=41<UP,RUNNING>
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
rstp
        vr3 flags=3<LEARNING,DISCOVER>
                port 4 ifpriority 0 ifcost 0
        vr2 flags=3<LEARNING,DISCOVER>
                port 3 ifpriority 0 ifcost 0
        vr1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        vr0 flags=3<LEARNING,DISCOVER>
                port 1 ifpriority 0 ifcost 0

===

>From /var/log/daemon,

Apr 26 09:45:24 net5501 dhcpd[2122]: Can't listen on vr3 - it has no IP
address.
Apr 26 09:45:24 net5501 dhcpd[2122]: Can't listen on vr2 - it has no IP
address.
Apr 26 09:45:24 net5501 dhcpd[2122]: Can't listen on vr1 - it has no IP
address.
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

Lars Noodén wrote:
> I've bridged vr0 - vr3 and they show up in the bridge.  I've assigned an
> IP number to vr0 and serve DHCP to that ip range.  If I connect to vr0,
> I can get an address via DHCP.  If I connect to the other ports, then I
> cannot.   If I understand correctly, connections from vr1 - vr3 will be
> bridged to vr0 and will get DHCP from vr0 via the bridge, but that is
> not happening.

I'm a Linux guy and know nothing about *BSD.

With Linux you need to assign the IP address to the bridge itself,
rather than to any of the interfaces that are part of it. Also the DHCP
server needs to be bound to the bridge.

HTH, Jan
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

  I've bridged vr0 - vr3 and they show up in the bridge.  I've assigned an
  IP number to vr0 and serve DHCP to that ip range.  If I connect to vr0,
  I can get an address via DHCP.  If I connect to the other ports, then I
  cannot.   If I understand correctly, connections from vr1 - vr3 will be
  bridged to vr0 and will get DHCP from vr0 via the bridge, but that is
  not happening.

I wonder if the issue is that dhcp is implemented by bpf, and bpf raw
frames are not bridged.



_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

You really should be posting this to misc@...



On Apr 26, 2012, at 8:02 AM, Jan Ceuleers <jan.ceuleers@...> wrote:
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

I have done similar on a NetBSD box but was hoping to be able to log
in and provide the details.  It's disconnected at the moment but should
be able to look at it sometime today.

Regards,
Malcolm

--
Malcolm Herbert                                This brain intentionally
mjch@...                                                left blank


_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On 4/26/12 6:02 PM, Jan Ceuleers wrote:
[snip]
> With Linux you need to assign the IP address to the bridge itself,
>  rather than to any of the interfaces that are part of it. Also
> the DHCP server needs to be bound to the bridge.

Yes.  That's what I did before on Debian Wheezy.  The way for OpenBSD
turns out to be to assign an IP number to one bridged interface.  It
is accessible to the others then via the bridge.

On 4/26/12 6:09 PM, Greg Troxel wrote:
> I wonder if the issue is that dhcp is implemented by bpf, and bpf
> raw frames are not bridged.

That seems to be the problem.  If I connect to the ethernet port with
the ip number and dhcpd, then I can move the cable over to one of the
bridged ports and it works fine.

On 4/26/12 6:12 PM, Bryan Irvine wrote:
> You really should be posting this to misc@...

I'll do that.

Thanks.
/Lars
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

Thanks to those who responded.  The hints helped.

A way to get DHCP over bridged interfaces in OpenBSD is to make the
bridge but assign an IP number to each interface anyway, not just the
first one.  dhcpd will squawk about interfaces sharing the same subnet,
but will bind to the first one if it is configured to do so.   The
bridge itself is not allowed an ip number of its own.

In that way each of the hosts plugged into the Soekris are available on
the same subnet.

/Lars
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On 2012-04-28 13:57:08 +0100 (+0100), Paul Lavender wrote:
> Debian Wheezy? I thought the Debian kernels did not have bridging.
> But perhaps that has changed recently, or perhaps you roll your
> own kernel.

   fungi@azathoth:~$ cat /etc/debian_version
   6.0.2
   fungi@azathoth:~$ uname -a
   Linux azathoth 2.6.32-5-xen-686 #1 SMP Mon Jun 13 09:07:50 UTC 2011 i686 GNU/Linux
   fungi@azathoth:~$ /usr/sbin/brctl show
   bridge name     bridge id               STP enabled     interfaces
   br0             8000.0002a5d9d399       no              vif1.0
                                                           vif2.0
                                                           vif3.0
                                                           vif7.0
                                                           vif8.0
                                                           vlan5
   br23            8000.0002a5d9d399       no              vlan23

--
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi@...); FINGER(fungi@...);
MUD(kinrui@...:6669); IRC(fungi@...#ccl); }
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On 4/28/12 3:57 PM, Paul Lavender wrote:
> I know the purists are grumbling that this is for other forums but it is
> more interesting than flame wars about capacitors on the pcb :)
>
> Debian Wheezy? I thought the Debian kernels did not have bridging. But
> perhaps that has changed recently, or perhaps you roll your own kernel.

I had it going in both squeeze and wheezy with minimal configuration:

/etc/network/interfaces
        auto lo
        iface lo inet loopback

        allow-hotplug eth4
        auto eth4
        iface eth4 inet dhcp

        allow-hotplug eth0
        iface eth0 inet manual
           pre-up   ifconfig $IFACE up
           pre-down ifconfig $IFACE down

        allow-hotplug eth1
        iface eth1 inet manual
           pre-up   ifconfig $IFACE up
           pre-down ifconfig $IFACE down

        allow-hotplug eth2
        iface eth2 inet manual
           pre-up   ifconfig $IFACE up
           pre-down ifconfig $IFACE down

        allow-hotplug eth3
        iface eth3 inet manual
           pre-up   ifconfig $IFACE up
           pre-down ifconfig $IFACE down

        auto br0
        iface br0 inet static
          bridge_ports eth0 eth1 eth2 eth3
          address 192.168.0.1
          broadcast 192.168.0.255
          netmask 255.255.255.0

/etc/rc.local
        iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE

/etc/sysctl.conf
        net.ipv4.ip_forward=1

regards,
/Lars
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On 2012-04-26, Greg Troxel <gdt@...> wrote:
> I wonder if the issue is that dhcp is implemented by bpf, and bpf raw
> frames are not bridged.

Yes, exactly. You would need to specify the list of network adapters
in dhcpd_flags in /etc/rc.conf.local, then /etc/rc.d/dhcpd restart.



_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On Sat, Apr 28, 2012 at 08:05:27PM +0000, Stuart Henderson wrote:
|On 2012-04-26, Greg Troxel <gdt@...> wrote:
|> I wonder if the issue is that dhcp is implemented by bpf, and bpf raw
|> frames are not bridged.
|
|Yes, exactly. You would need to specify the list of network adapters
|in dhcpd_flags in /etc/rc.conf.local, then /etc/rc.d/dhcpd restart.

wierd ... wonder why mine works on NetBSD then ...

Regards,
Malcolm

--
Malcolm Herbert                                This brain intentionally
mjch@...                                                left blank


_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On 2012/04/29 14:24, Malcolm Herbert wrote:
> On Sat, Apr 28, 2012 at 08:05:27PM +0000, Stuart Henderson wrote:
> |On 2012-04-26, Greg Troxel <gdt@...> wrote:
> |> I wonder if the issue is that dhcp is implemented by bpf, and bpf raw
> |> frames are not bridged.
> |
> |Yes, exactly. You would need to specify the list of network adapters
> |in dhcpd_flags in /etc/rc.conf.local, then /etc/rc.d/dhcpd restart.
>
> wierd ... wonder why mine works on NetBSD then ...

probably because because NetBSD is different to OpenBSD..
sounds like maybe it duplicates frames to bpf listeners on any member
interface of a bridge; this would simplify dhcpd configuration but I think
also makes it harder to use bpf to diagnose problems with the bridge,
it would prevent you checking on which physical port traffic is sent/
received on.

_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On Sun, Apr 29, 2012 at 10:24:31AM +0100, Stuart Henderson wrote:
|On 2012/04/29 14:24, Malcolm Herbert wrote:
|> wierd ... wonder why mine works on NetBSD then ...
|
|probably because because NetBSD is different to OpenBSD..
|sounds like maybe it duplicates frames to bpf listeners on any member
|interface of a bridge; this would simplify dhcpd configuration but I think
|also makes it harder to use bpf to diagnose problems with the bridge,
|it would prevent you checking on which physical port traffic is sent/
|received on.

I do recall that under NetBSD you can't assign an IP address to a
bridge - I tried this first and it didn't work at all ...

Regards,
Malcolm

--
Malcolm Herbert                                This brain intentionally
mjch@...                                                left blank


_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On Sat, Apr 28, 2012 at 9:57 PM, Paul Lavender <paul@...> wrote:
> I know the purists are grumbling that this is for other forums but it is
> more interesting than flame wars about capacitors on the pcb :)

Since this mailing list is about Soekris devices, I think a possible
solution for the net5501 miniPCI instability issues is much more
relevant than this.
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On 2012-04-27, Lars Noodén <lars.nooden@...> wrote:
You should not be assigning addresses to more than one interface.

Is there a problem with the method I suggested i.e. put the address
on *one* interface and list the interface names in dhcpd_flags?

I suggest following up on an openbsd list as this is not a soekris
issue.


_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

On 5/1/12 3:15 PM, Stuart Henderson wrote:
> You should not be assigning addresses to more than one interface.
>
> Is there a problem with the method I suggested i.e. put the address
> on *one* interface and list the interface names in dhcpd_flags?

Yes.  Thanks for the follow-up, Stuart.  Setting dhcpd_flags in
/etc/rc.conf.local did the trick and I was able to remove the
unnecessary addresses.

> I suggest following up on an openbsd list as this is not a soekris
issue.

I've subscribe to misc@ again.

Regards,
/Lars
_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech

So, I think my net5501 may have died this afternoon when it was
accidentally yanked from a shelf ... not normally a problem, however as
I was building a new system based on this board, the case was off and
the hard drive was floating free and they all ended up in the drawer
together whilst it was powered ...

I suspect in the confusion the HDD might have contacted something vital
as now it doesn't appear to light up at all, although I can hear the HDD
spin up, so _something_ might be recoverable ... what are my chances?

Also, I seem to recall somewhere that Soekris were willing to re-test
boards if they were faulty however I can't find this information on
their website to know whether this is true and what rates are offered -
does anyone know?

Failing that, I have a working net5501 Soekris box, 2500mA 12V power
supply and 2.5" SATA HDD mounting bracket. Rather than buy a replacement
net5501 board, it would be nice if the net6501 could just drop in - is
this the case? If not, which bits would I need to buy again?

Regards,
Malcolm

--
Malcolm Herbert                                This brain intentionally
mjch@...                                                left blank


_______________________________________________
Soekris-tech mailing list
Soekris-tech@...
http://lists.soekris.com/mailman/listinfo/soekris-tech