
List:       openbsd-misc
Subject:    Re: Possible to handle fiber WAN connection with OpenBSD using PCIe card?
From:       Kaya Saman <kayasaman () gmail ! com>
Date:       2023-03-25 10:32:39
Message-ID: 20735f82-42db-7c64-ef86-53dcc8043fb5 () gmail ! com


On 3/25/23 09:33, Stuart Henderson wrote:
> On 2023-03-24, Kaya Saman <kayasaman@gmail.com> wrote:
>> Just responding to this for completeness as I have some more information
>> on my side
>>
>> On 3/24/23 07:21, Stuart Henderson wrote:
>>> On 2023-03-23, Kaya Saman <kayasaman@gmail.com> wrote:
>>>> Unfortunately I haven't been well for a long time hence the delay in
>>>> upgrade and at first found it a little difficult but the way forward
>>>> after a bit of reading around was to go to 7.1-release then 7.2 and
>>>> finally jump back to Current which I believe is called Beta now? (unless
>>>> I missed something or am confusing)
>>> The main release cycle is -current, -beta, <no suffix>, -current - this
>>> hasn't changed. (The "no suffix" includes a few snapshots prior to an
>>> actual finished release, and that's the stage we are at right now).
>>
>> Ah ok I see, I also understand what has happened in the meantime... no
>> problem. I'll see if I really need to upgrade to current again as right
>> now Beta seems to be doing everything I need
> I suggest waiting until the actual 7.3 release and install that
> (sysupgrade -r) in order that you can install errata patches.
>
> It will be simpler if you do _not_ upgrade to a newer snapshot first -
> sysupgrade can't go from a snapshot labelled "7.3" (as they are now)
> to the actual release without modifying it.

Great advice, will wait in this case.


>
>> Just got off a lengthy phone call with Tier2 tech support at G-Net,
>> which was a lot of fun!! It's so rare to talk in technical terms with
>> someone and have them understand you.
> That's a good sign.

It's amazing how well this company is willing to deal with what they 
consider "vulnerable" people, as I explained about my condition: ASD 
(Autism/Asperger's Spectral Disorder - if after all these years you 
hadn't guessed already :-) ), and basically they do training to cater 
for people with ADD, ADHD, ASD etc....


>
>> Currently there is a little confusion in how to setup the block of IP
>> addresses as I have had to upgrade to a block of 16. Right now my
>> connection gets a single IPv4 address through ipcp with the rest of the
>> IP addresses being handled in PF through NAT/PAT mappings. I have
>> forgotten how it is handled but I am willing to bet that my current ISP
>> is forwarding those addresses in static routes??
>>
>> I am wondering if it will be similar except for the gateway IP address
>> which will need to be provisioned on the WAN facing ethernet interface
>> along with default 0 dot quaded route, or if I'm going to have to create
>> sub interfaces for the rest of the provisioned IP addresses?? I am told
>> that out of the 16 addresses I lose 3 - network, broadcast, gateway,
>> so I should have 13 addresses to play around with.
> Typically you have pppoe pick up its own address - see examples in
> pppoe(4) for this and setting the default route - and configure an
> address from the /28 on another network interface on the router.


Exactly how things are done currently as I'm using pppoe - interface 
hostname.pppoe0:


# /etc/hostname.pppoe0: PPPoE over em5, local address assigned by IPCP
inet 0.0.0.0 255.255.255.255 NONE mtu 1492 \
        pppoedev em5 authproto chap \
        authname '*****' authkey '****' \
        up
# placeholder destination; the default route points at it via pppoe0
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1


Then the rest of the IPs are handled like so:

match out on $ext_if from { IP or Macro } to any nat-to { IP or Macro } 
for outbound.

So if IPCP gets an (imaginary) IP address of 1.1.1.1, I can fit the next 
one in the block into the PF "match" rule so it becomes:

match out on $ext_if from { 10.10.10.100 } to any nat-to { 1.1.1.2 }

>
> If you will be addressing other machines directly from that /28 (easier)
> that would be a physical interface or vlan connected to those machines.
>
> If you're doing that via NAT/rdr-to then you might want to use a vether
> interface with one address configured as /28 and the others as /32
> aliases.
>

Not directly addressing. I will use "rdr-to" PF rules. Basically I want 
to keep my current configuration as much the same as possible but just 
adjust enough to handle the new connection.



I think right now what was said is that I don't get a subnet mask (if I 
understood correctly).... so I will need to provision each IP address 
with a /32 or 255.255.255.255, even though they will be providing the 
network and broadcast addresses.


Had a flick through vether as you suggested... currently I'm unsure to 
be honest. Do I need it? As I'm not using that currently for my current 
6x IP block...

To be honest my mindset right now is pointing towards the Cisco 
sub-interface way of doing things so I'm probably reading and confusing 
a lot :-(

I guess it will be needed judging by the description:

DESCRIPTION
      The vether interface simulates a normal Ethernet interface by
      encapsulating standard network frames with an Ethernet header,
      specifically for use as a member in a bridge(4).

      To use vether the administrator needs to configure an address onto the
      interface so that packets can be routed to it.  An Ethernet header will
      be prepended and, if the vether interface is a member of a bridge(4), the
      frame will show up there.


my understanding is that it gets bridged to the parent IF. Maybe it is 
similar in a way to the description from "man 4 vlan" particularly I am 
pointing out the example:

ifconfig vlan0 parent em0 vnetid 5

where you use the 'parent' clause to define the public facing or egress 
interface.


Right now I feel like everything is colliding with each other inside my 
head so I will need to take my time on Monday and play to see how to get 
this to work.


My actual intention (just to over complicate things), as I don't have 
any spare ethernet ports left on my OpenBSD machine is to use a VLAN and 
plug the ONT into a spare port on my Cisco 2970 switch, then use the 
vlan as the egress interface so that I can keep my current VDSL2 
connection alongside until I figure out the necessary config to migrate 
fully....


Maybe I'm being too opportunistic here... but it's worth a shot I 
guess.... or just buy another NIC :-/


Kaya
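As an added example (not from Kaya's or Stuart's posts), here is one way to wire up the setup discussed in this message: the ONT on a tagged VLAN through the 2970, pppoe0 riding on that vlan, the /28 on a vether interface with one /28 address and /32 aliases as Stuart suggested, and rdr-to/nat-to rules in pf.conf. The interface names em0 and em1, VLAN id 10, the 203.0.113.16/28 block (RFC 5737 documentation space), the web/mail roles and ports, and the internal host 10.10.10.101 are assumptions; 10.10.10.100 and the pppoe0 settings are from the post.

```conf
# /etc/hostname.vlan10  (assumed: VLAN 10 is the ONT's access VLAN on the
# Cisco 2970; em0 is the existing trunk port from the OpenBSD box to the switch)
parent em0 vnetid 10
up

# /etc/hostname.pppoe0  (the config from the post with pppoedev moved to vlan10;
# the pppoe session still picks up its own address via IPCP)
inet 0.0.0.0 255.255.255.255 NONE mtu 1492 \
        pppoedev vlan10 authproto chap \
        authname '*****' authkey '****' \
        up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

# /etc/hostname.vether0  (the ISP-routed /28 lives here: one address carries
# the /28 prefix, the other usable ones are /32 aliases; 203.0.113.16/28 is an
# assumed RFC 5737 documentation block)
inet 203.0.113.17 255.255.255.240
inet alias 203.0.113.18 255.255.255.255
inet alias 203.0.113.19 255.255.255.255
up

# /etc/pf.conf  (fragment; $int_if, the web/mail hosts and ports are assumptions,
# 10.10.10.100 is the internal host from the post)
ext_if   = "pppoe0"
int_if   = "em1"
web_pub  = "203.0.113.18"
web_int  = "10.10.10.100"
mail_pub = "203.0.113.19"
mail_int = "10.10.10.101"

set skip on lo
match in all scrub (no-df)
# MSS clamp for the 1492-byte pppoe MTU, as in pppoe(4)
match on $ext_if scrub (max-mss 1440)

# outbound: hosts with a dedicated public address leave with it, everything
# else with the dynamic pppoe address; ($ext_if:0) is re-read at runtime
match out on $ext_if from $web_int  to any nat-to $web_pub
match out on $ext_if from $mail_int to any nat-to $mail_pub
match out on $ext_if from $int_if:network to any nat-to ($ext_if:0)

# inbound: translate first, then filter on the translated (internal) address
match in on $ext_if inet proto tcp to $web_pub  port { 80 443 } rdr-to $web_int
match in on $ext_if inet proto tcp to $mail_pub port 25         rdr-to $mail_int

block return log      # default deny; also covers the unused /28 addresses
pass out on $ext_if
pass in on $ext_if inet proto tcp to $web_int  port { 80 443 } flags S/SA
pass in on $ext_if inet proto tcp to $mail_int port 25         flags S/SA
pass in on $int_if from $int_if:network
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it and bring the interfaces up with `sh /etc/netstart vlan10 pppoe0 vether0`. On the 2970 the ONT port should be an access port in VLAN 10 only, so the untrusted fibre side never shares a VLAN with the LAN. Note the ordering on the inbound side: PF filters on the post-translation address, so the pass rules name the internal hosts and specific ports rather than the public addresses, and anything arriving for the other /28 addresses falls through to the block rule. Keeping the VDSL session on em5 as a separate pppoe interface while testing is possible, but only one of the two should install the default route.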



