thedude
May 31st, 2003, 15:20
Here's my situation: landlord's cable modem--landlord's Linksys router running NAT--switch--my WAP Linksys router.
I am trying to put my OpenBSD 3.2 box between the switch and my WAP as a firewall to block all traffic except incoming web, mail (POP3, IMAP), DNS, and Unreal Tournament 2003 (it's like crack).
So here's the network I want: landlord's cable modem--landlord's Linksys router running NAT--switch--OpenBSD 3.2 firewall--my WAP.
The landlord's router is using the 192.168.1.x address space w/ 192.168.1.1 as the default gateway. I think the way to keep myself separate would be to let my OpenBSD box use DHCP to get an address off of the landlord's router and then I should assign the 192.168.2.x address space to my little LAN.
Any input? Will this work? Take a look at my post in the installing FreeBSD section if you're feeling especially generous w/ your knowledge!

|MiNi0n|
May 31st, 2003, 21:12
Yes, that will work just fine to DHCP the external interface of your OBSD firewall and use the internal to supply your own little subnet. Easy breezy ;)

You could also simplify (I think of this as simplifying, you may think the opposite!) by setting up your OBSD box as an invisible (IPless) bridge. It would then sit in between your boxes and the landlord's, provide firewalling, while still allowing you to just DHCP off his network.

Either way, should be no trouble at all. Shout back for more help. BTW - You'll enjoy OBSD, it's the shit.

As for your FBSD query, I'll reply to that too...

thedude
June 1st, 2003, 00:24
Well, I'm getting my address set up correctly through DHCP on my external interface but I can't actually use it for some reason. My DNS servers are set correctly in resolv.conf and I get an address but I can't ping, run dig, or anything else for that matter. This really sucks since I've spent the past 2 days fixing my pf.conf in accordance w/ a couple of threads on this site. BTW and completely off topic, this site rocks! I've tried BSDVault and Linuxquestions.org and this is the first site that explained pf so that I can completely understand it. Everybody here seems pretty cool w/ newbies, too, and that's just gravy. Any idea what I'm missing on my external interface problems? Shouldn't I be setting my gateway (mygate) as my landlord's router (192.168.1.1)? I may try the invisible bridge idea once I get the firewall up and pf.conf figured out completely. I'm just stoked I found this site and that OpenBSD installed on this: http://www.targetpc.com/hardware/barebones/cr51/

elmore
June 1st, 2003, 00:46
duder,

Welcome we're glad you found us too. One of the project goals is to provide a "fun" forum if you will, a place where people can go and ask questions without the fear of the response they might get.


On to your question, sounds like you might not have packet forwarding turned on. Edit your /etc/sysctl.conf and make sure the line

net.inet.ip.forwarding=1

is there and uncommented. Beyond that, post up your ruleset and we'll be happy to take a look.

Welcome to S.E.

|MiNi0n|
June 1st, 2003, 11:54
Also, if as you say, you've been structuring a ruleset based off of some of those that you've seen on here, you've likely set up a standard "norouteip" rule which blocks private addresses from communicating into or out of your pf firewall. By this I mean something like:

# Tables
table <NoRouteIPs> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

Obviously this will not work in your scenario cuz you're piggybacking off the landlord's 192.168.1.xxx subnet and the above type of rule will block that communication. What you'll need to do is add an entry at the end, something like:

table <NoRouteIPs> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, !192.168.2.0/24 }

You'll see I added "!192.168.2.0/24" to the rule, this means exclude the 192.168.2.xxx subnet from this list.

Post your ruleset for more input, good luck!!!

thedude
June 1st, 2003, 14:20
Whoah, people wanting to help out w/ my ruleset. Schweeet. Here goes:

#Interfaces
external = "vr0"
internal = "xl0"
loopback = "lo0"
private = "{172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 255.255.255.255/32}"

#Scrub
scrub in on vr0 all fragment reassemble
scrub out on vr0 all

#That which is not expressly permitted is denied
block in all
block out all

#Block non-routable addresses
block in log on $external from $private to any

#Block and reset connection on auth requests
block return-rst in on $external proto tcp from any to any port = auth flags S/S

#Allow web browsing and mail
pass in on $external proto tcp from any to $internal port 80 keep state
pass out on $internal proto { tcp, udp, icmp } keep state
pass in on $external proto tcp from any to any port = 25 keep state
pass in on $external proto tcp from any to any port = 110 keep state
pass in on $external proto udp from any to any port = 53 keep state
pass in on $external proto tcp from any to any port = 143 keep state

#Leave loopback alone
pass out quick on $loopback from any to any keep state
pass in quick on $loopback from any to any keep state

#Block ICMP & UDP
block in log quick on $external inet proto icmp from any to any icmp-type redir

bsdjunkie
June 1st, 2003, 14:40
Dont forget to pass out on your $external as well.

pass out on $external proto tcp all modulate state flags S/SAFR
pass out on $external proto { udp, icmp } all keep state

or however you want to do it.

thedude
June 1st, 2003, 15:10
I just tried adding the lines that bsdjunkie suggested since it was kind of obvious but for some reason when I run pfctl -f pf.conf, I get errors every time I have any type of flags set. Could this be because I'm running 3.2 unpatched?

thedude
June 1st, 2003, 15:32
First off, I'd like to thank everybody who helped me so far. Adding this :
pass out on $external proto tcp all modulate state
pass out on $external proto { udp, icmp } all keep state

got my connectivity up and running. I still haven't figured out why I can't add flags to my ruleset but I am concentrating on getting the firewall up and running instead of having to shut down the LAN to check and see if the firewall is working. Now my problem is that the internal interface isn't working. I have assigned it an address of 192.168.2.1 and plan to have my Linksys WAP use 192.168.2.1 as its default gateway and the Linksys will be a DHCP server for my LAN using 192.168.2.x addresses. I set 192.168.1.1 (landlord's router) as the gateway in /etc/mygate. Hostname.xl0 (my internal) is
192.68.2.1 255.255.255.0 NONE

What is this dumb jarhead missing now?

Maude."You can guess where it goes from here."
TheDude."He fixes the cable?"

bsdjunkie
June 1st, 2003, 16:13
in 3.2, try putting the flags before the keep state or modulate state instead of after.

pass out on $external proto tcp all flags S/SAFR modulate state

thedude
June 1st, 2003, 16:37
That worked just fine. Thanks! Any ideas on what I'm missing w/ my internal interface? It was recognized and installed properly and shows up during boot but I can't seem to bring it up.

bsdjunkie
June 1st, 2003, 20:19
can you post some info?

ifconfig -a
route show

Hostname.xl0 (my internal) is
192.68.2.1 255.255.255.0 NONE

is this correct in what you have? It should be 192.168.2.1, not 68.2.1...

thedude
June 1st, 2003, 20:54
Here we go. This may have a few errors since I have to type all of this in. You're right, that was a typo above, it should have been 192.168.2.1

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:40:63:c2:8e:f7
media: Ethernet autoselect (10baseTX full-duplex)
status: active
inet6 fe80::240:63ff:fec2:8ef7%vr0 prefixlen 64 scopeid 0x1
inet 192.168.1.108 netmask 0xffffff00 broadcast 192.168.1.255
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:10:4b:cd:2d:b4
status: no carrier
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::210:4bff:fecd:2db4%xl0 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

bsdjunkie
June 1st, 2003, 20:58
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:10:4b:cd:2d:b4
status: no carrier
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255

OK, you have no carrier.
try ifconfig xl0 192.168.2.1 up netmask 255.255.255.0

If that does not bring it up, double check your cables. This looks like a physical problem. OBSD identifies the interface, but if the cable is loose or bad you won't get the link.

thedude
June 1st, 2003, 21:04
I had to take off some stuff on the card to make it fit into my case, do you think the card might be bad? Wouldn't I see an error of some sort if the card wasn't working?

bsdjunkie
June 1st, 2003, 21:26
I had to take off some stuff on the card to make it fit into my case,

umm, :?

It could be the card for sure then. And what do you mean take stuff off of it?? :roll:

thedude
June 1st, 2003, 21:28
This is the case: http://www.targetpc.com/hardware/barebones/cr51/
I had to take off the metal backplate that you see on the back where the ethernet port is.

|MiNi0n|
June 1st, 2003, 22:27
You mean there's an onboard ethernet for your pc and you just had to remove the metal casing surrounding it?

thedude
June 1st, 2003, 22:43
No, sorry I wasn't clear enough. The onboard NIC is my external and my internal NIC is the PCI one that I removed the back off of. It is only staying in there by means of the PCI slot and a piece of foam rubber that keeps it remarkably stable. I posted a pic of my box to show you guys how small the box is and why I had to modify the NIC.
**Update** I tried switching around the CAT5 going from the internal NIC to the router and I get connectivity going to any of the open ports on the Linksys except for the "Uplink" and "WAN" ports. So the problem is not the NIC.
Here's my 2 guesses:
-I have no default route from internal to external?
-I need to reconfigure the router to go ahead and use the 192.168.2.x address space. I haven't done this because I'm trying to minimize downtime for my LAN. Would not having the router configured to seek the 192.168.2.1 gateway keep the link from being active between my internal and the router?

|MiNi0n|
June 1st, 2003, 22:54
The no carrier error junkie pointed out to you is always indicative of a "lack of physical connection" error. Regardless of config, the NIC should detect what it's plugged into (i.e. 10baseT, 100 full duplex, etc.).

When you see the no carrier, you're generally looking at some kind of physical problem with:

a) the cable
b) the NIC
c) the router the cable is plugged into

thedude
June 1st, 2003, 23:12
It only works so far when plugged into one of the switch ports which should still be broadcasting a DHCP offer from my own Linksys router. So either my internal NIC is not finding a route to my external NIC or maybe I need to use a crossover cable to the WAN port on my router? I know the NIC and cable are good now after getting a link. Sorry I'm being such a bonehead right now. Once my wife gets done sshing into her work's server and writing her scripts, I will try configuring the router to use 192.168.2.1 as its default gateway. I still appreciate everybody's help. My local BUG and BSDVault haven't been nearly as much help as the past 24 hours w/ you guys.

Strog
June 1st, 2003, 23:38
I would look at a cross-over cable first with what is being described and go from there if needed.

thedude
June 2nd, 2003, 00:11
I just tried a crossover cable and it worked but I can't get my internal address (192.168.2.1) to connect w/ my Linksys (192.168.2.2). The Linksys is my DHCP server and my WAP. I set it up to use my internal NIC (192.168.2.1) as the default gateway. However once all of this was set up, I couldn't ping the Linksys from my OpenBSD box and I couldn't ping the OpenBSD box from any computer behind the Linksys. I am verrry close, someone please tip me over the edge.

SolarfluX
June 2nd, 2003, 04:13
My local BUG and BSDVault haven't been nearly as much help as the past 24 hours w/ you guys.

Ouch. Sorry about that, the bsdvault.net forums are dead lately, and well I've been focusing on the pf-repository for the past 4 weeks. We're (myself, Strog, elmore, bsdjunkie, soup4you2, Plagued) usually around in #bsdvault, #pf and #screamingelectron on irc.freenode.net. BSDforums.org is another good place to get quick help if you prefer forums.

thedude
June 2nd, 2003, 10:18
Well, I'm a Marine so I can't IRC at work :( No worries, Solarflux! The last thing I want to do is badmouth someone's site. I am just SOOO close. I think all I'm missing is a route to the internal from external. Any ideas?

|MiNi0n|
June 2nd, 2003, 12:01
El Duderino, u r close indeed. But, I'm confused. Where exactly do you stand now in terms of connectivity?

Are you able to ping the loopback and both IP addresses from the OBSD box itself? Are you doing any NAT?

Here's a quick breakdown of how I interpret your setup:


<--->Internet<--->Landlord's Net (192.168.1.0/24)<--->thedude's Net (192.168.2.0/24)

Correct?

Another question is are you running any services yourself like http, email (pop, smtp) or DNS on your OpenBSD box, or do you merely intend to allow access to those services *out* to the Internet from your hosts behind the firewall?

thedude
June 2nd, 2003, 18:22
" &lt;---&gt;Internet&lt;---&gt;Landord's Net (192.168.1.0/24)&lt;---&gt;thedude's Net (192.168.2.0/24)"
That's right. I can ping my own loopback, the landlord's router (192.168.1.1), my external (DHCP assigned from the landlord), and my internal ( 192.168.2.1).
Using a crossover cable between my Linksys and my internal NIC got me this far. However, I am still using my Linsys router/WAP to assign DHCP addresses for my LAN. So when I bring up the OpenBSD box and setup the Linksys to use my internal NIC (192.168.2.1) as its default gateway, nothing happens.
I don't think my internal is routing traffic from the external to my Linksys. Here's a sorry little visual of what I think is happening
internet--landlord's router--switch--OpenBSD external--OpenBSD internal--STOP!!
Also I am running no services on my OpenBSD box.

bsdjunkie
June 2nd, 2003, 18:35
post your route tables: route show
Also, post traceroutes to diff parts of your network, both working and the broken one.

|MiNi0n|
June 2nd, 2003, 19:56
You're gonna need to NAT. Your 192.168.2.x subnet is unknown to the landlord's net, so anything destined for the internal side of your net (192.168.2.x) is not routable as far as the landlord's gateway is concerned.

nat on $ExtIF from 192.168.2.0/24 to any -> $ExtIF

Should get you up and running.

thedude
June 2nd, 2003, 21:44
You're right. I added your line in the right place in pf.conf and am trying to find out how to enable NAT.

elmore
June 2nd, 2003, 21:49
enable it in the rc.conf right below the line that says pf=YES

thedude
June 2nd, 2003, 21:51
That line below pf.conf is portmap on my box. Is that the right one?

elmore
June 2nd, 2003, 21:54
hmmm... what version of OpenBSD are your running again? 3.2?

thedude
June 2nd, 2003, 21:56
Yes, I'm running 3.2. I've already enabled inet forwarding in sysctl.conf. Should I join you in IRC? If so, where?

bsdjunkie
June 2nd, 2003, 21:58
irc.freenode.net

/j #screamingelectron

elmore
June 2nd, 2003, 22:01
Woops, sorry, I forgot there is no nat line in rc.conf after 3.1; pf is so rapidly developed I have a hard time keeping up on stuff. As long as pf is enabled then nat should be enabled. You can do the following to manually enable it:

pfctl -e

pfctl -s nat

shows currently loaded nat rules.

thedude
June 2nd, 2003, 22:51
#Interfaces
external = "vr0"
internal = "xl0"
loopback = "lo0"
private = "{172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 255.255.255.255/32}"

#Scrub
scrub in on vr0 all fragment reassemble
scrub out on vr0 all

#NAT
nat on $external from 192.168.2.0/24 to any -> $external

#That which is not expressly permitted is denied
block in all
block out all

#Block non-routable addresses
block in log on $external from $private to any

#Block and reset connection on auth requests
block return-rst in on $external proto tcp from any to any port = auth flags S/S

#Allow web browsing and mail
pass in on $external proto tcp from any to $internal port 80 keep state
pass out on $internal proto { tcp, udp, icmp } keep state
pass in on $external proto tcp from any to any port = 25 keep state
pass in on $external proto tcp from any to any port = 110 keep state
pass in on $external proto udp from any to any port = 53 keep state
pass in on $external proto tcp from any to any port = 143 keep state
pass out on $external proto tcp all flags S/SAFR modulate state
pass out on { $external, $internal } inet proto { tcp, udp, icmp } all keep state
pass in on { $external, $internal } inet proto icmp all keep state

#Leave loopback alone
pass out quick on $loopback from any to any keep state
pass in quick on $loopback from any to any keep state

|MiNi0n|
June 3rd, 2003, 00:20
Great, the nat looks about right. Made some notes on the rest of your rules though, have a look...

private = "{172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 255.255.255.255/32}"

You'll want to add 192.168.0.0/16 to the private area, else you'll leave yourself pretty wide open to some spoofing. As I mentioned before, you should just be able to add !192.168.1.0/24 to exclude blocking the packets incoming from the landlord's subnet!

#Allow web browsing and mail
pass in on $external proto tcp from any to $internal port 80 keep state
pass out on $internal proto { tcp, udp, icmp } keep state
pass in on $external proto tcp from any to any port = 25 keep state
pass in on $external proto tcp from any to any port = 110 keep state
pass in on $external proto udp from any to any port = 53 keep state
pass in on $external proto tcp from any to any port = 143 keep state


Are you running any of these services or are you trying to pass them out only? The above rules imply allowing traffic from the outside world (The Internet!!!) into your computer, not vice versa. If you're just wanting to allow hosts behind your firewall to have access to smtp, pop, dns and imap somewhere on the Net you don't need the above. Again, you're leaving yourself wide open for attack!

Here's how I'd clean up, simplify and secure your rules:

#Interfaces
external = "vr0"
internal = "xl0"
private = "{172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 255.255.255.255/32, 192.168.0.0/16, !192.168.1.0/24}"

#Scrub
scrub in all fragment reassemble
scrub out all

#NAT
nat on $external from 192.168.2.0/24 to any -> $external

#That which is not expressly permitted is denied
block in on $external all

#Block non-routable addresses
block in quick on $external from $private to any
block out quick on $internal from any to $private

#Block and reset connection on auth requests
block return-rst in on $external proto tcp from any to any port = auth flags S/S

# block all outgoing except traffic that we've initiated from behind
# the firewall and are keeping state on -> all legit traffic!
block out on $external all
pass out on $external inet proto tcp all flags S/SA keep state
pass out on $external inet proto udp all keep state
pass out on $external inet proto icmp all keep state

SolarfluX
June 3rd, 2003, 00:33
You'll want to add 192.168.0.0/16 to the private area, else you'll leave
yourself pretty wide open to some spoofing. As I mentioned before, you should
just be able to add !192.168.1.0/24 to exclude blocking the packets incoming from
the landlord's subnet!

Doesn't that still leave him open to spoofing from 192.168.1.0/24? I would leave
out the !192.168.1.0/24 and just add a pass quick rule from the specific
192.168.1.X IP (landlord's DHCP and/or default gateway) or IPs, and place the pass
rule(s) right above the 'private' block quick rules for non-routable networks.

Does that make sense?
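
The two anti-spoofing variants above (|MiNi0n|'s `$private` macro carrying `!192.168.1.0/24`, and SolarfluX's explicit pass for the landlord's gateway ahead of the private block) hinge on two pf behaviours worth seeing side by side: the last matching rule wins unless a rule is `quick`, and a `!` entry means different things in a table than in a `{ ... }` list. In a table, `!192.168.1.0/24` carves a hole out of the enclosing `192.168.0.0/16`; in a list, pf expands each element into its own rule, so the same entry becomes `block ... from !192.168.1.0/24`, a rule that matches every address outside the landlord's net. The model below is an added example written for this thread, not code from the thread or from pf itself; it reproduces those two behaviours in Python so the rulesets can be compared offline. The packet addresses (10.1.2.3, 192.168.1.50, 203.0.113.9, 192.168.2.10) are made up for the test, and the table variant assumes the `!192.168.2.0/24` exclusion from |MiNi0n|'s first reply so the firewall's own LAN is not blocked on the internal side.

```python
# Added example: a small model of pf rule evaluation, not pf itself.
# Models (1) last-match-wins unless `quick` and (2) table negation vs. list
# expansion, to compare the rulesets discussed in the thread.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Table:
    """pf table: longest-prefix lookup; if the best match is a negated entry, no match."""

    def __init__(self, *entries):
        self.entries = [(ip_network(e.lstrip("!")), e.startswith("!")) for e in entries]

    def __contains__(self, addr):
        best = None
        for net, negated in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, negated)
        return best is not None and not best[1]


class Net:
    """One address element of a rule, e.g. `from 10.0.0.0/8` or `from !10.0.0.0/8`."""

    def __init__(self, spec):
        self.negated = spec.startswith("!")
        self.net = ip_network(spec.lstrip("!"))

    def __contains__(self, addr):
        return (addr in self.net) != self.negated


class Rule(NamedTuple):
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    iface: str
    src: object = None          # Table, Net or None (= any)
    dst: object = None
    dport: Optional[int] = None
    quick: bool = False


def expand(action, direction, iface, specs, to=False, quick=False):
    """pf turns `from { a, b, !c }` (or `to { ... }`) into one rule per element."""
    return [Rule(action, direction, iface,
                 src=None if to else Net(s), dst=Net(s) if to else None, quick=quick)
            for s in specs]


def evaluate(rules, direction, iface, src, dst, dport=None):
    """Verdict for one packet: last match wins unless `quick`; no match means pass."""
    src, dst = ip_address(src), ip_address(dst)
    verdict = "pass"
    for r in rules:
        if (r.direction, r.iface) != (direction, iface):
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


BOGONS = ["172.16.0.0/12", "127.0.0.0/8", "10.0.0.0/8", "0.0.0.0/8", "255.255.255.255/32"]


def first_attempt():
    """thedude's first ruleset, reduced: the private block is not `quick`, and the
    later `pass in ... port = 25` rule wins for a spoofed 10.x source."""
    return ([Rule("block", "in", "vr0")]
            + expand("block", "in", "vr0", BOGONS)
            + [Rule("pass", "in", "vr0", dport=25)])


def list_negation():
    """`$private` with `!192.168.1.0/24` as a list element, expanded as pf would."""
    private = BOGONS + ["192.168.0.0/16", "!192.168.1.0/24"]
    return ([Rule("block", "in", "vr0")]
            + expand("block", "in", "vr0", private, quick=True)
            + expand("block", "out", "xl0", private, to=True, quick=True))


def table_with_gateway_pass():
    """SolarfluX's variant: pass the landlord's gateway explicitly, then block the
    whole 192.168.0.0/16 via a table, with our own /24 excluded (assumed)."""
    private = Table(*BOGONS, "192.168.0.0/16", "!192.168.2.0/24")
    return [Rule("block", "in", "vr0"),
            Rule("pass", "in", "vr0", src=Net("192.168.1.1/32"), quick=True),
            Rule("block", "in", "vr0", src=private, quick=True),
            Rule("block", "out", "xl0", dst=private, quick=True)]


def negation_compare(addr="203.0.113.9"):
    """Same `!192.168.1.0/24` written two ways: as a list element it matches any
    outside address; inside a table it only excludes that net from 192.168.0.0/16."""
    a = ip_address(addr)
    return (a in Net("!192.168.1.0/24"), a in Table("192.168.0.0/16", "!192.168.1.0/24"))


if __name__ == "__main__":
    print("spoofed 10.1.2.3 -> port 25, first attempt:",
          evaluate(first_attempt(), "in", "vr0", "10.1.2.3", "192.168.1.108", 25))
    print("reply to own LAN host, list negation:",
          evaluate(list_negation(), "out", "xl0", "192.168.2.1", "192.168.2.10"))
    print("192.168.1.50 inbound, gateway-pass variant:",
          evaluate(table_with_gateway_pass(), "in", "vr0", "192.168.1.50", "192.168.1.108"))
```

`pfctl -nf /etc/pf.conf` only checks syntax and will not flag either pitfall; `pfctl -s rules` prints the rules after list expansion, which is where a stray `from ! 192.168.1.0/24` rule shows up.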

|MiNi0n|
June 3rd, 2003, 00:47
Sure does!

For now though, maybe you can give the above a try thedude and let us know what happens, then we'll lock it down further as SolarfluX suggests.

thedude
June 3rd, 2003, 02:07
Man, I really appreciate the time you took to rewrite my pf.conf. Solar and elmore really had their patience tested w/ me today as well. I don't know what I've done to deserve such help but it's sincerely appreciated.

OK, starting off. I applied the pf.conf you wrote above but w/ one modification:
pass out on $external inet proto { icmp, udp } all keep state
instead of the last two lines. I think it worked just fine that way.
After running pfctl -v -f /etc/pf.conf and finding no errors, I ran the link from my landlord to the external and plugged the cable from my internal to my uplink on my Linksys WAP/router. I changed the default gateway on the router to 192.168.2.1 and changed the router's address to 192.168.2.2. I then checked each interface on the OpenBSD box to make sure they were good and they were both up. I then commenced to pinging back and forth but couldn't hit my internal 192.168.2.x network until I removed it from the private line in my pf.conf. Then I was able to ping the Linksys and ping the internal interface from my laptop behind the Linksys router. Still no connectivity. Can't browse at all.

|MiNi0n|
June 3rd, 2003, 08:45
After running pfctl -v -f /etc/pf.conf and finding no errors, I rant he link from my landlord to the external and plugged the cable from my internal to my uplink on my Linksys WAP/router.

Why the uplink? Should be no need for the uplink. All your hosts (internal address of the firewall, the linksys wap, laptop etc) don't require it, you're not connecting a hub to a hub. Unplug from the uplink spot and just use a regular one!!!!!!

thedude
June 3rd, 2003, 09:47
Well, I was using my Linksys as a DHCP server. Should I just go static on my boxes?
The problem looks like (at least to me) that traffic isn't flowing between my external and internal NICs. Well, I know for sure that traffic isn't flowing out from the internal.

elmore
June 3rd, 2003, 11:17
d00d ssh to your firewall and do the following


ping -I <internal firewall address> www.yahoo.com

so for me on my home net I have:

10.26.1.4 on my landlord's net and 192.168.2.1 on my own net:

I type ping -I 192.168.2.1 www.yahoo.com

Make sense? If you get replies then the problem is not the firewall. From what you've described |MiNi0n|'s ruleset is perfect, no reason that shouldn't work.

|MiNi0n|
June 3rd, 2003, 12:06
Well, I was using my Linksys as a DHCP server. Should I just go static on my boxes?
The problem looks like (at least to me) that traffic isn't flowing between my external and internal NICs. Well, I know for sure that traffic isn't flowing out from the internal.

Ok, here it is: *YOU DON'T NEED TO USE THE UPLINK*

I would venture to say that uplink is your entire problem. The ruleset I supplied should work just fine as elmore suggests. The uplink has *zero* bearing on your using the Linksys as the DHCP server. Using the uplink will break your connection and cause the problems you're having. Here's a diagram of how you should set things up:


[ COMP1 ]   [ Linksys ]
    |           |
----+-----------+------- xl0 [ OpenBSD ] vr0 -------- (LL's Net) ---> Internet
         |
     [ COMP2 ]

Breakdown:
1) Your external interface gets plugged into the LL's net (no uplink required)
2) Your internal interface gets plugged into the Linksys WAP/hub in a standard port (read *not* the uplink)
3) All other hosts behind the firewall also get plugged into a standard port on the Linksys hub

That should do it man! It's a simple and very common setup, as elmore described many of us have the same or similar setups and ours work fine.

thedude
June 4th, 2003, 00:10
<hangs head> Nothing worked. I can get connectivity from my internal by running ping -I 192.168.2.1 www.yahoo.com and that works fine. Cable is plugged in from internal to *regular not uplink port* on the Linksys. I'm going to excuse myself to pull my hair out and scream I'm not worthy of all of this advice!!!

elmore
June 4th, 2003, 00:22
If the ping works from your internal interface duder then your problem is not the firewall but the Linksys. Want my advice? Configure OpenBSD to run dhcp, that'll take you 5 minutes. Unplug the Linksys and throw it in the corner, go buy yourself a $10 hub at OfficeMax. Problem solved.

thedude
June 4th, 2003, 00:33
I would but I need the wireless :(

elmore
June 4th, 2003, 00:45
hmmm then reset your linksys back to the default settings. I can almost promise you your problem is with the linksys and some setting. You proved your firewall works by ping to the internet from the internal interface. Time to look at something else. The next logical thing is to check physical connections and then move to the switch/WAP/hub whatever. :)

Let us know how it turns out duder!

|MiNi0n|
June 4th, 2003, 01:52
keep at 'er man, you're almost there.

thedude
June 4th, 2003, 10:04
Well, I reset the router last night, tried changing from gateway to router mode, tried RIP 1 and 2, and nothing worked. For some reason anything forwarded from the router isn't getting past the internal interface. Also, I tried hooking a box up directly to the internal w/ a static IP and that didn't work either. I think I'm going to replace the internal NIC this afternoon and install 3.3 and retry Minion's pf.conf. Just a little while longer :)

elmore
June 4th, 2003, 11:49
hmmm why are you setting the Linksys up in router mode? Don't need to do that, the Linksys should be set up to operate as a hub and nothing more. The OpenBSD box does your routing and nat etc. all for you. The Linksys really doesn't need any config, other than an ssid and wep if you choose to run wireless. Other than that the Linksys should work as a hub only, no route information or anything is required.

Anyone here have a linksys at home that would be willing to share a config with the duder here?

I'd leave the firewall alone for the time being. Let's get this linksys worked out and get everything up and running then we'll start on an upgrade. :)

Keep in there duder you'll get it!

Just ask tarballed. He can tell you.

thedude
June 4th, 2003, 20:17
My gut feeling is that there is something blocking traffic out of that internal NIC. It's not the router since I hooked a box directly up to that NIC and got the same results. I tried the Linksys in router mode since it was by default in gateway mode so tried switching back and forth and mixing and matching. I'm getting ready to start the next round of troubleshooting right now. Thanks for the encouragement, guys :)

thedude
June 5th, 2003, 00:38
I think I need to setup that invisible bridge....

|MiNi0n|
June 5th, 2003, 10:19
My gut feeling is that there is something blocking traffic out of that internal NIC. It's not the router since I hooked a box directly up to that NIC and got the same results.

You mean you plugged a cable directly in between a PC and the internal nic on the firewall? In that case you *need* to use a cross-over cable... did you do that?

Truth is, the trouble is in the way you have things physically setup and not the firewall. The ping test elmore asked you to do proves that outright.

thedude
June 5th, 2003, 22:55
I had to set up OpenBSD as a DHCP server. Muddling through that was easy thanks to the man pages. For some reason, my Linksys router wouldn't forward requests to the internal NIC on the firewall when the Linksys was configured w/ a static IP. Once the Linksys is getting its address via DHCP, that seems to force it into switch/WAP mode. I used a straight-through cable to one of the regular ports. I guess I need to start updating/patching the box and I'll be doing some research on the easiest way but I need to hand out some props to everybody who helped me and put up w/ my stupidity. This community is incredible. I had gotten the impression that I would be told to RTFM endlessly in the BSD community. Instead people responded to my posts ASAP, offered to check my pf.conf, told me to meet them in IRC for live help. I owe this community a lot and I will try to help out by helping some other frustrated newbie. Thanks guys (posted from behind my new OpenBSD firewall)!

elmore
June 5th, 2003, 23:30
Awesome! Glad you got it working d00der! Thanks for the comments as well. Hopefully we can help you out with some other stuff here in the future.

thedude
June 6th, 2003, 00:09
OK, I decided to touch up my pf.conf and here it is. Am I screwing up w/ my rule for my landlord's router?

#Interfaces
external = "xl0"
internal = "vr0"
private = "{ 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8,192.168.1.0/24, 192.168.0.0/24, 255.255.255.255/32 }"

#Scrub
scrub in all fragment reassemble
scrub out all

#Nat
nat on $external from 192.168.2.0/24 to any -> $external

#That which is not expressly permitted is denied
block in on $external all

#Landlord's router
pass in quick on $external from 192.168.1.1 to any

#Block non-routable addresses
block in quick on $external from $private to any
block out quick on $internal from any to $private

#Block and reset connection on auth requests
block return-rst in on $external proto tcp from any to any port = auth flags S/S

#block all outgoing except traffic that we've initiated from behind
#the firewall and are keeping state on -> all legit traffic
block out on $external all
pass out on $external inet proto tcp all flags S/SA keep state
pass out on $external inet proto { udp, icmp } all keep state

Kernel_Killer
August 31st, 2003, 04:47
I don't know completely, but on the private line I think you might still want to add the ! in front of your landlord's private range. EDIT: Nevermind, I see what it's doing. :D

I'm having the exact same issue you were having, but I'm going to try to get it to work with static. If I can't, I'll switch to DHCP also.

At the same time Dude, you are helping me. Thank you. :D

thedude
August 31st, 2003, 13:00
Are you forwarding to the (for lack of a better term) border router, the router on the outside of your network? Are you using a Linksys router for your internal?

Kernel_Killer
September 1st, 2003, 00:53
You can check out my setup in the Networking/Routing forum. Got it working thanx to SE also. :D

In short, I am using the OpenBSD box as a gateway/NAT/Firewall for 2 other subnets.