Obtaining multiple IPs from ISP via DHCP

[dextro]

I've been trying to do this for some time now.

So from what I have gathered what I need is virtual interfaces with different MAC addresses bridged to the physical interface. I think I have accomplished that much.

Code:

gateway# ifconfig nfe0
nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:14:2a:19:c4:a5
        inet 216.232.236.243 netmask 0xfffff000 broadcast 216.232.239.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gateway# ifconfig ngeth0
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:5c:16:10:dd:79
        inet 207.6.112.184 netmask 0xfffff000 broadcast 207.6.127.255
gateway#

I followed most of the steps on http://ezine.daemonnews.org/200406/netgraph.html

Went something like this:

Code:

ngctl mkpeer . eiface hook ether
ifconfig ngeth0 up
ngctl mkpeer ngeth0: bridge lower link0
ngctl name ngeth0:lower mybridge
ngctl connect nfe0: mybridge: lower link1
ngctl connect nfe0: mybridge: upper link2
ngctl connect ngeth0: mybridge: upper link3
ngctl msg nfe0: setautosrc 0
ifconfig ngeth0 link 00:5c:16:10:dd:79
dhclient ngeth0

Everything works great except when I try and use ngeth0 for something like my nat.

Here is my pf.conf:

Code:

ext1="nfe0"
ext2="ngeth0"
int1="rl0"

pc1="10.0.0.2"
pc2="10.0.0.3"

set skip on lo

# nat/rdr
binat on $ext1 from $pc1 to any -> $ext1
nat on $ext2 from !($ext2) -> ($ext2:0)
rdr-anchor "miniupnpd"

# Hamachi
rdr on $ext1 proto {tcp, udp} from any to any port 39004 -> $pc1

# Xbox Live
rdr on $ext1 proto {tcp, udp} from any to any port 3074 -> $pc2

anchor "miniupnpd"

10.0.0.2 works fine, can access the internet everything works. 10.0.0.3 does not work at all. I am guessing its not pf but its how I setup the virtual interface.

[J65nko]

If you ISP gives you a netblock, they are usually fixed.
You can just assign the first IP as normal to the NIC, the remaining IPs you assign as alias with a 255.255.255.255 netmask.

Code:

# ifconfig re0 11.1.1.1 netmask 255.255.255.248
# ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:db:47:b0:4c
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::219:dbff:fe47:b04c%re0 prefixlen 64 scopeid 0x2
        inet 11.1.1.1 netmask 0xfffffff8 broadcast 11.1.1.7
# ifconfig re0 alias 11.1.1.2 netmask 255.255.255.255
# ifconfig re0 alias 11.1.1.3 netmask 255.255.255.255 
# ifconfig re0 alias 11.1.1.4 netmask 255.255.255.255 
# ifconfig re0 alias 11.1.1.5 netmask 255.255.255.255 
# ifconfig re0 alias 11.1.1.6 netmask 255.255.255.255 
# ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:db:47:b0:4c
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::219:dbff:fe47:b04c%re0 prefixlen 64 scopeid 0x2
        inet 11.1.1.1 netmask 0xfffffff8 broadcast 11.1.1.7
        inet 11.1.1.2 netmask 0xffffffff broadcast 11.1.1.2
        inet 11.1.1.3 netmask 0xffffffff broadcast 11.1.1.3
        inet 11.1.1.4 netmask 0xffffffff broadcast 11.1.1.4
        inet 11.1.1.5 netmask 0xffffffff broadcast 11.1.1.5
        inet 11.1.1.6 netmask 0xffffffff broadcast 11.1.1.6

See rc.conf(5) how to do this in /etc/rc.conf.

[dextro]

They're not static, they have to be obtained with DHCP.

[BSDfan666]

Sorry J65nko, I have a cable modem like that.. and like dextro.. statically assigning addresses doesn't work as expected.

I've never worked with FreeBSD/netgraph before, but that appears to offer the necessary functionality.. spoofing multiple MAC addresses on 1 interface.

I would also be interested in alternate solutions to this problem.. preferably something better then installing additional interfaces.

[J65nko]

From man dhcpd.conf

Code:

The fixed-address declaration

	 fixed-address address [, address ... ];

	 The fixed-address declaration is used to assign one or more fixed  IP
	 addresses  to a client.  It should only appear in a host declaration.
	 If more than one address is supplied, then when the client boots,  it
	 will be assigned the address that corresponds to the network on which
	 it is booting.  If none of the addresses in the fixed-address	state-
	 ment are valid for the network to which the client is connected, that
	 client will not match the host  declaration  containing  that	fixed-
	 address  declaration.	 Each address in the fixed-address declaration
	 should be either an IP address or a domain name that resolves to  one
	 or more IP addresses.

So a client site can retrieve multiple IP addresses from a DHCP server.

A bit earlier in the same man page

Code:

SPAWNING CLASSES
       It is possible to declare a spawning class.   A	spawning  class  is  a
       class  that  automatically produces subclasses based on what the client
       sends.	The reason that spawning classes were created was to  make  it
       possible  to  create lease-limited classes on the fly.	The envisioned
       application is a cable-modem environment where the ISP wishes  to  pro-
       vide  clients  at  a particular site with more than one IP address, but
       does not wish to provide such clients with their own subnet,  nor  give
       them  an  unlimited  number of IP addresses from the network segment to
       which they are connected.

       Many cable modem head-end systems can be  configured  to  add  a  Relay
       Agent Information option to DHCP packets when relaying them to the DHCP
       server.	 These systems typically add a circuit ID or remote ID	option
       that  uniquely  identifies  the	customer  site.   To take advantage of
       this, you can write a class declaration as follows:

       class "customer" {
	 spawn with option agent.circuit-id;
	 lease limit 4;
       }

       Now whenever a request comes in from a customer site,  the  circuit  ID
       option  will be checked against the class's hash table.	 If a subclass
       is found that matches the circuit ID, the client will be classified  in
       that subclass and treated accordingly.	If no subclass is found match-
       ing the circuit ID, a new  one  will  be  created  and  logged  in  the
       dhcpd.leases file, and the client will be classified in this new class.
       Once the client has been classified, it will be	treated  according  to
       the  rules  of the class, including, in this case, being subject to the
       per-site limit of four leases.

       The use of the subclass spawning mechanism is not restricted  to  relay
       agent  options  - this particular example is given only because it is a
       fairly straightforward one.

So it looks like that the purpose of this all is to assign IP's to different machines behind one dhcp relay agent.

It could be interesting to use tcpdump to wiretap the DHCP traffic

Code:

# tcpdump -eni nfe0 -s1500 -w dhcp.dump

You then run dhclient from another xterm or console. After the IP address has been assigned, press CNTRL-C to stop the tcpdump capture.
Read the dump with

Code:

# tcpdump -envv -s1500 -r dhcpd.dump

In case you are using ssh to access the firewall append 'not port ssh' to the capture command. That will prevent ssh packet pollution of your dump.

BTW how does your netstat -rn output look like after having received leases for nfe as well as ngeth0?

[dextro]

Code:

gateway# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            216.232.224.254    UGS         0   771074   nfe0
10.0.0.0/24        link#2             UC          0        0    rl0
10.0.0.2           00:17:31:b2:31:1d  UHLW        1 44602500    rl0    804
127.0.0.1          127.0.0.1          UH          0      295    lo0
207.6.112.0/20     link#5             UC          0        0 ngeth0
207.6.112.254      link#5             UHLW        1        0 ngeth0
216.232.224.0/20   link#1             UC          0        0   nfe0
216.232.224.254    00:90:1a:a0:3d:ce  UHLW        2        0   nfe0      6

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#4                        UHL         lo0
ff01:4::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0

gateway# ifconfig nfe0
nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:14:2a:19:c4:a5
        inet 216.232.236.243 netmask 0xfffff000 broadcast 216.232.239.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

gateway# ifconfig ngeth0
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:5c:16:10:dd:79
        inet 207.6.112.184 netmask 0xfffff000 broadcast 207.6.127.255

gateway# dhclient nfe0
DHCPREQUEST on nfe0 to 255.255.255.255 port 67
DHCPACK from 216.232.224.254
bound to 216.232.236.243 -- renewal in 3600 seconds.

gateway# dhclient ngeth0
DHCPREQUEST on ngeth0 to 255.255.255.255 port 67
DHCPACK from 207.6.112.254
bound to 207.6.112.184 -- renewal in 3600 seconds.

gateway# ping -S 216.232.236.243 72.14.207.104
PING 72.14.207.104 (72.14.207.104) from 216.232.236.243: 56 data bytes
64 bytes from 72.14.207.104: icmp_seq=0 ttl=244 time=119.186 ms
^C
--- 72.14.207.104 ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 119.186/119.186/119.186/0.000 ms

gateway# ping -S 207.6.112.184 72.14.207.104
PING 72.14.207.104 (72.14.207.104) from 207.6.112.184: 56 data bytes
64 bytes from 72.14.207.104: icmp_seq=0 ttl=244 time=121.193 ms
^C
--- 72.14.207.104 ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 121.193/121.193/121.193/0.000 ms

gateway#

So from what I can tell both interfaces (nfe0, ngeth0) work fine. But when I try and do something like:

Code:

nat on ngeth0 from !(ngeth0) -> (ngeth0:0)

it doesn't work, but

Code:

nat on nfe0 from !(nfe0) -> (nfe0:0)

works just fine! wtf?

[dextro]

Code:

<?php

function g($url, $opts = array())
{
    if ( !isset($opts['ua']) )
        $opts['ua'] = 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_FAILONERROR, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, $opts['ua']);
    if ( isset($opts['bind']) )
        curl_setopt($ch, CURLOPT_INTERFACE, $opts['bind']);
    if ( !($cr = curl_exec($ch)) )
        printf("<p>g() failed: url={$url}; curl_errno()=%d; curl_eror()=%s;</p>", curl_errno($ch), curl_error($ch));
    curl_close($ch);
    return $cr;
}

echo '216.232.236.243 => ' . g('http://94.75.205.177/ip.php', array('bind' => '216.232.236.243')) . "\n";
echo '207.6.112.184 => ' . g('http://94.75.205.177/ip.php', array('bind' => '207.6.112.184')) . "\n";

echo 'nfe0 => ' . g('http://94.75.205.177/ip.php', array('bind' => 'nfe0')) . "\n";
echo 'ngeth0 => ' . g('http://94.75.205.177/ip.php', array('bind' => 'ngeth0')) . "\n";
?>

Wrote a script to bind to IP and interface

Code:

gateway# php w.php
216.232.236.243 => 216.232.236.243
207.6.112.184 => 216.232.236.243
nfe0 => 216.232.236.243
ngeth0 => 216.232.236.243
gateway#

The main IP is the only one making requests even when the virtual interface is used!

[J65nko]

What are you are trying to accomplish with those multiple IP addresses? For what do you need those addresses, and how many IPs is your ISP giving you?

The big unkown is your network topology. How does that look like?

[dextro]

/clear

My ISP allows me 2 dynamic IPs, as far as I can tell I have to obtain them via DHCP so I have to use a different MAC in the DHCP request which makes a problem when I am trying to do it on 1 NIC. One machine on my network needs full access over its own IP and the rest of the network will share second.

nat on $ip2 from !($ip2) -> ($ip2:0)
binat on $ip1 from $pc1 to any -> $ip1

Someone actually recommended I go
modem -> switch -> 2 cat5 -> router with 3 nic -> switch -> network
currently it looks like
modem -> router -> switch -> network

[J65nko]

Code:

   INTERNET
       |
       |
     modem
       |
       |
-------|------------
    external

                 D
                 M
     FBSD        Z--------------- Server   
    router       n
                 i
                 c
          
    internal
-------|------------
       |
       |
       |
    switch 
  internal Lan

Since you seem not to have any issue with getting DHCP leases for the real nfe0 as well as the virtual ngeth0, you could try the topology from this diagram.
The DMZ nic gets the second IP address through DHCP.

The server nic can have a private 10.x.x.x address directly connected to the DMZ nic. This is possible, you only need to specify the -interface modifier when you add the default route on the server.

[dextro]

I know how to setup my network, my problem is getting both IPs to work on the box as the same time so I can configure PF.

Code:

gateway# ifconfig nfe0 link 00:5c:16:10:dd:79
gateway# dhclient nfe0
DHCPREQUEST on nfe0 to 255.255.255.255 port 67
DHCPREQUEST on nfe0 to 255.255.255.255 port 67
DHCPDISCOVER on nfe0 to 255.255.255.255 port 67 interval 5
DHCPOFFER from 75.153.0.254
DHCPREQUEST on nfe0 to 255.255.255.255 port 67
DHCPACK from 75.153.0.254
bound to 75.153.5.9 -- renewal in 3600 seconds.
gateway# ifconfig nfe0 inet alias 216.232.236.243 netmask 255.255.255.255
gateway# ifconfig nfe0
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:5c:16:10:dd:79
        inet 75.153.5.9 netmask 0xfffff000 broadcast 75.153.15.255
        inet 216.232.236.243 netmask 0xffffffff broadcast 216.232.236.243
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
gateway# ping -S 75.153.5.9 64.233.187.104
PING 64.233.187.104 (64.233.187.104) from 75.153.5.9: 56 data bytes
64 bytes from 64.233.187.104: icmp_seq=0 ttl=241 time=121.223 ms
64 bytes from 64.233.187.104: icmp_seq=1 ttl=241 time=121.596 ms
64 bytes from 64.233.187.104: icmp_seq=2 ttl=241 time=121.255 ms
64 bytes from 64.233.187.104: icmp_seq=3 ttl=241 time=121.421 ms
64 bytes from 64.233.187.104: icmp_seq=4 ttl=241 time=121.556 ms
64 bytes from 64.233.187.104: icmp_seq=5 ttl=241 time=121.732 ms
64 bytes from 64.233.187.104: icmp_seq=6 ttl=241 time=121.886 ms
^C
--- 64.233.187.104 ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 121.223/121.524/121.886/0.225 ms
gateway# ping -S 216.232.236.243 64.233.187.104
PING 64.233.187.104 (64.233.187.104) from 216.232.236.243: 56 data bytes
^C
--- 64.233.187.104 ping statistics ---
30 packets transmitted, 0 packets received, 100.0% packet loss
gateway#

It would apear that only one IP is working, BUT I was tcpdumping and found:

Code:

01:00:56.994012 IP 75.153.5.9 > 64.233.187.104: ICMP echo request, id 49902, seq 0, length 64
01:00:57.115131 IP 64.233.187.104 > 75.153.5.9: ICMP echo reply, id 49902, seq 0, length 64
01:00:57.995022 IP 75.153.5.9 > 64.233.187.104: ICMP echo request, id 49902, seq 1, length 64
01:00:58.116580 IP 64.233.187.104 > 75.153.5.9: ICMP echo reply, id 49902, seq 1, length 64
01:00:58.996762 IP 75.153.5.9 > 64.233.187.104: ICMP echo request, id 49902, seq 2, length 64
01:01:39.388473 IP 216.232.236.243 > 64.233.187.104: ICMP echo request, id 50926, seq 28, length 64
01:01:39.507437 IP 64.233.187.104 > 216.232.236.243: ICMP echo reply, id 50926, seq 28, length 64
01:01:40.390209 IP 216.232.236.243 > 64.233.187.104: ICMP echo request, id 50926, seq 29, length 64
01:01:40.508135 IP 64.233.187.104 > 216.232.236.243: ICMP echo reply, id 50926, seq 29, length 64

They are both working but why does the second ping command not show me replies?

[dextro]

Okay, the following creates a virtual interface named ngeth0 and bridges it with nfe0 (my modem nic)

Code:

 ngctl mkpeer . eiface hook ether
 ifconfig ngeth0 up
 ngctl mkpeer ngeth0: bridge lower link0
 ngctl name ngeth0:lower mybridge
 ngctl connect nfe0: mybridge: lower link1
 ngctl connect nfe0: mybridge: upper link2
 ngctl connect ngeth0: mybridge: upper link3
 ngctl msg nfe0: setautosrc 0
 ngctl msg nfe0: setpromisc 1
 ifconfig ngeth0 link 00:5c:16:10:dd:79
 dhclient ngeth0

The point is so I can obtain a second IP via DHCP. At this point everyone seems to tell me about ifconfig alias... its not an option.
Moving on, everything seems to work great except when I try and use ngeth0 it just uses nfe0 IP.

Code:

gateway# ping -S 216.232.234.205 google.ca
PING google.ca (64.233.161.104) from 216.232.234.205: 56 data bytes
64 bytes from 64.233.161.104: icmp_seq=0 ttl=245 time=130.315 ms
64 bytes from 64.233.161.104: icmp_seq=1 ttl=245 time=129.767 ms
^C
--- google.ca ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 129.767/130.041/130.315/0.274 ms

gateway# ping -S 216.232.253.26 google.ca
PING google.ca (64.233.187.104) from 216.232.253.26: 56 data bytes
64 bytes from 64.233.187.104: icmp_seq=0 ttl=246 time=117.465 ms
64 bytes from 64.233.187.104: icmp_seq=1 ttl=246 time=118.204 ms
^C
--- google.ca ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 117.465/117.834/118.204/0.370 ms

gateway#

Looks good right? wrong! tcpdump:

Code:

16:15:50.372500 IP d216-232-234-205.bchsia.telus.net > od-in-f104.google.com: ICMP echo request, id 36101, seq 0, length 64
16:15:50.502758 IP od-in-f104.google.com > d216-232-234-205.bchsia.telus.net: ICMP echo reply, id 36101, seq 0, length 64
16:15:51.374205 IP d216-232-234-205.bchsia.telus.net > od-in-f104.google.com: ICMP echo request, id 36101, seq 1, length 64
16:15:51.503924 IP od-in-f104.google.com > d216-232-234-205.bchsia.telus.net: ICMP echo reply, id 36101, seq 1, length 64

16:15:53.133567 IP d216-232-234-205.bchsia.telus.net > jc-in-f104.google.com: ICMP echo request, id 21409, seq 0, length 64
16:15:53.250960 IP jc-in-f104.google.com > d216-232-234-205.bchsia.telus.net: ICMP echo reply, id 21409, seq 0, length 64
16:15:54.135215 IP d216-232-234-205.bchsia.telus.net > jc-in-f104.google.com: ICMP echo request, id 21409, seq 1, length 64
16:15:54.253380 IP jc-in-f104.google.com > d216-232-234-205.bchsia.telus.net: ICMP echo reply, id 21409, seq 1, length 64

also some ifconfig

Code:

gateway# ifconfig nfe0
nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:14:2a:19:c4:a5
        inet 216.232.234.205 netmask 0xfffff000 broadcast 216.232.239.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

gateway# ifconfig ngeth0
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:5c:16:10:dd:79
        inet 216.232.253.26 netmask 0xfffff000 broadcast 216.232.255.255

gateway#

[J65nko]

Weren't you using NAT? And leaving out the command you used to get the tcpdump also doesn't help.

If you want to see what is going on with your pings: disable NAT, use a simple pf.conf with a default block log all and only passing out ICMP stateful, and for your tcpdump commands use -n to disable name lookups and -e to see the link level or MAC address.

[dextro]

NAT will come when I can get both IPs working...

The problem is, it uses nfe0 main IP for all outgoing traffic, I need to stop this behavior...

[robbak]

So, what you are wanting to do is mess about with routing so that packets generated by the local machine are sent through one interface, but packets coming from remote machines are redirected to another? I fail to see the point, and I do not know if it is possible without hacking the routing code.

netstat -rn will tell you what your current routing tables are. With simple routing, the last dhclient to bind to an address will probably have set the default route to the gateway it was set to. Maybe dhclient is another place you could hack.

You are lucky that you have been given addresses in different subnets. If you are given addresses in the same subnet, you will have different problems (2 interfaces on the same subnet is logically wrong, even if most system handle it gracefully)
Another place to look is routed, the routing daemon. This uses things like RIP and SAP to determine the best interface to send packets on.

[ai-danno]

I think the problem is that you only have one default gateway on this system, and that is on the first interface. So all traffic should be doing what it's doing- nothing's broken or misconfigured.

If this is the case, I would recommend PF NAT redirection outbound that sources the second interface's internal addressing to flow back out the second interface, if that hasn't been done already. In fact, if you still have it as-

nat on $ext2 from !($ext2) -> ($ext2:0)

then perhaps binat or an rdr would help?