snajd
June 19th, 2003, 05:31
Accidentally posted this in the OpenBSD security forum a minute ago :-P

Hi all
I have a little problem that I just can't figure out by myself.

Here is some background:
My ISP gives me 5 dynamic, public IP numbers via DHCP from an RJ45 in the wall. They also filter all Windows-specific ports in their net (NetBIOS, LDAP etc.).

My network layout home is like this:
ISP -- |openbsd3.3-bridge|-- switch -- two workstations and a server

The problem is:
When the computers on the switch try to communicate with each other using the Windows filesharing protocols (that are filtered in my ISP's net) it works, but not all the time. Sometimes the connections just fail, even though they are on the same, unfiltered switch.

I have run tcpdump on the obsd bridge and verified that packets sometimes are sent out on the ISP's net when they are not supposed to.

Does someone have a clue about what I can do to make the packets stay inside my own net without using NAT, VPN, a separate internal net, or another filesharing protocol? Please help.

I have tried changing the switch to a hub and it makes no difference.


//Robin :roll:

frisco
June 19th, 2003, 10:08
When the connections fail, check the IPs assigned to the machines in question. They could be giving you IPs on different subnets, which means that the packets would have to travel from the workstation -> switch -> bridge -> ISP's router -> bridge -> switch -> workstation... which doesn't happen since they get blocked at the ISP's router. This would explain why you see the packets travelling out the firewall when you think they shouldn't.

You ask for a solution w/o using a separate internal network, but b/c you need to use your ISP's DHCP the only course of action I see is to call up your ISP and ask if it's possible to always get IPs in the same subnet.
Otherwise, assign non-routable IPs to your computers in addition to the DHCP they already get, and have them communicate with each other via those IPs.

Good luck

snajd
June 19th, 2003, 11:29
I forgot to mention that I always get IPs on the same subnet.
A connection can work fine one second and a minute later the network share is unreachable.

:x

snajd
July 1st, 2003, 17:57
I've got it working now. Seems like a problem with ARP, so when I set up the ARP table statically on both of the communicating machines, everything is fine.
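As an added example (not code from anyone in this thread), a small script that checks the two things discussed above: whether the DHCP leases really fall in one subnet, as frisco suggested, and whether the ARP replies tcpdump saw on the bridge map one IP to more than one MAC, which is the kind of inconsistency that sends LAN traffic the wrong way until the entry is pinned statically. The capture lines are constructed in the text format `tcpdump -n arp` prints; the addresses are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of tcpdump -n arp output as it might look on the bridge.
SAMPLE_CAPTURE = """\
12:01:03.100000 ARP, Request who-has 10.0.0.12 tell 10.0.0.10, length 28
12:01:03.100500 ARP, Reply 10.0.0.12 is-at 00:aa:bb:cc:dd:12, length 28
12:01:41.220000 ARP, Request who-has 10.0.0.12 tell 10.0.0.10, length 28
12:01:41.220900 ARP, Reply 10.0.0.12 is-at 00:11:22:33:44:55, length 28
12:02:05.000000 ARP, Reply 10.0.0.11 is-at 00:aa:bb:cc:dd:11, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)


def arp_replies(capture: str):
    """Yield (ip, mac) for every ARP reply line in a tcpdump text capture."""
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def find_flapping_ips(capture: str) -> dict:
    """Return {ip: [mac, ...]} for IPs answered by more than one MAC.

    Hosts cache whichever reply arrived last, so frames for that IP go to
    the wrong station (possibly out through the bridge) until it changes again.
    """
    seen = defaultdict(list)
    for ip, mac in arp_replies(capture):
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def same_subnet(addresses: list, prefix_len: int) -> bool:
    """True if all DHCP-assigned addresses fall in one /prefix_len network."""
    nets = {ipaddress.ip_interface(f"{a}/{prefix_len}").network for a in addresses}
    return len(nets) == 1


if __name__ == "__main__":
    print("same subnet:", same_subnet(["10.0.0.10", "10.0.0.11", "10.0.0.12"], 24))
    for ip, macs in find_flapping_ips(SAMPLE_CAPTURE).items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
```

Run it against a real `tcpdump -n -l arp` capture saved to a file by passing the file contents to `find_flapping_ips`; an IP that shows up with two MACs is the entry worth pinning with a static ARP entry on both hosts.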