Backstory (or skip this section and go to the diagram)
My home setup relies on a MikroTik router and a switch (a repurposed old ADSL-modem).
I also run an OpenBSD-powered ASRock QC6000M-based fanless computer 24/7 for torrenting and backups.
Since the QC6000M is always on, I'd like to ditch the switch.
I read that for production sites, you shouldn't put all your eggs in one basket - let servers serve, switches switch and routers route and don't combine devices.
But this is a home setup where I suppose it'll be fine.
I installed a 4-port PCIe ethernet card into the QC6000M and followed "PF - Building a Router" https://www.openbsd.design/faq/pf/example1.html, which is the only pf example in the FAQ.
Diagram
old:

    ISP modem
    |
    MikroTik router @room1
    |  |
    |  *--- computer
    |
    switch @room2
    |  |  |
    |  |  *- laptop
    |  *--- laptop
    *----- QC6000M OpenBSD computer

new:

    ISP modem
    |
    MikroTik router @room1
    |  |
    |  *- computer
    |
    QC6000M OpenBSD router @room2
    |  |
    |  *- laptop
    *--- laptop
Good
This setup works - I can access the internet from laptops.
Problem
Before, I could access MikroTik from my laptop directly at 192.168.88.1 as switches don't mangle addresses.
Now, I can't. Worse, I can't access it even from QC6000M, neither via browser, nor ssh, nor even ping:
root@QC6000M# ping 192.168.88.1
PING 192.168.88.1 (192.168.88.1): 56 data bytes
ping: sendmsg: Permission denied
ping: wrote 192.168.88.1 64 chars, ret=-1
ping: sendmsg: Permission denied
ping: wrote 192.168.88.1 64 chars, ret=-1
^C
--- 192.168.88.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
re0 - the QC6000M interface connecting it to MikroTik
ifconfig re0
re0: flags=808843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF4> mtu 1500
lladdr a8:a1:59:8d:13:64
index 5 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.88.227 netmask 0xffffff00 broadcast 192.168.88.255
re0 is 192.168.88.227 - same net as 192.168.88.1
I didn't configure re0 in /etc/dhcpd.conf and /etc/pf.conf as per "PF - Building a Router".
Although there is a group "egress", which I don't understand. The sentence "The interfaces the default routes point to are members of the “egress” interface group." from https://man.openbsd.org/ifconfig#group is not meaningful to me.
cat /etc/hostname.re0
inet autoconf
Questions
Minimum - What blocks MikroTik 192.168.88.1 from QC6000M OpenBSD router and how do I make 192.168.88.1 accessible via browser, ssh and ping?
Desirable - How could I make MikroTik accessible from a laptop directly, without ssh-ing to QC6000M?
Thanks