New developments here, and not all of them are good.
To begin with, in the first part, I made a mistake (I was at work when writing it, just like now): my OpenBSD box isn’t connected to the “Internet” port in the Linksys, but to one of the “normal” ports. If I connect it to the former, it doesn’t work.
Second, it still isn’t working perfectly. I’m still trying out stuff; however, it’s like this: if I haven’t gone online with the DS for a while, and I try to do so, it doesn’t work. I simply have to go to the OpenBSD server and ping the router’s internal address… and it works afterwards. It’s as if the server “forgets” that the DS is behind the router (as they’re in the same network - otherwise, the router would have to do NAT), and has to find it for itself first - if it’s “forgotten” about it, then connections from the DS go out, but the return packets aren’t routed to it.
I’m going to try a static ARP for it later tonight. I really, really don’t want to use a crontab to ping the router every 5 minutes.
I’ve also tried another possibility, which was to connect the switch’s “Internet” port to the server, and connect one of the ports to the switch for my old network, 192.168.0.0/24. I have to enable NAT in the Linksys between the 192.168.0 and 192.168.1. This way allows the router to update its clock using NTP, which it does every time it’s turned on, but then the DS can only connect while I’m pinging it from the server (!).
This is weird. This Linksys model isn’t exactly great - for instance, it basically “reboots” itself for every configuration change, unlike the Linux models (which I’ve seen at my father’s place).
I know, I know - I could have avoided all of this by just connecting the Linksys to the Internet, doing NAT there, and redirecting ports 22, 80 and 443 to the OpenBSD server. But I’m stubborn, and I trust OpenBSD to be “in the front lines” much more than I do the Linksys. Besides, pf (the OpenBSD firewall) is great.
I have a Linux model. Was quite cheap too.
Do you think you could post your pf.conf (or at least the relevant sections of it) that you’re using? Also whatever you’ve done for the static ARP?
I have a similar situation. I have an OpenBSD box running at the front, as my firewall. I have a D-Link wireless router essentially operating as a wireless switch (I have one NIC on the OpenBSD box plugged into port 1 on the D-Link, i.e. one of the “normal” ports, and another NIC on the OpenBSD box connected to the “internet”).
I’m having horrible connection problems with the DS. I can usually connect to the WFC, but getting it to match me up with players almost never works. I’m currently using the dhcpd on the OpenBSD machine to assign a static IP to the DS, and I’m letting everything pass, when it’s destined for the DS. I’ve even tried rdr’ing all UDP traffic coming in to the DS.
If I try taking the OpenBSD machine out of the equation, and plug my cable modem directly into the D-Link, things seem to work better.
Any thoughts? Thus far, you’re the only other person I know of that is using an OpenBSD firewall with a DS.
Jay P.
I’ve just gotten one of these routers as well in the hope that it would work with my new DS (it’s replacing an el-cheapo Edimax 802.11b AP which the DS could only see if I forced it to 2Mb/s link speed…). The AP is hooked up to one side of a Linux box that’s acting as a firewall to keep random wardrivers off my LAN.
It seems to be behaving rather strangely, to say the least. If the router has just reset itself (after any config change), the DS will generally connect quite happily. On subsequent attempts it seems to sit there sending repeated ARP requests asking for the Linksys’ MAC before finally giving up. (If I see one more packet trace today I swear my eyes will start to bleed.) Giving the DS a static IP address unsurprisingly doesn’t help things.
So far I’m 0 for 3 (I borrowed a different Edimax 11g AP too) in terms of AP compatibility with the DS. Everything else I have that talks WiFi has been perfectly happy on every occasion, of course.
Let’s see…
I ended up not using static ARP; it gave me other problems. I still don’t know whether the fault is with the router, or the DS.
As for pf rules, there’s nothing special there at the moment. The only rules that affect this are:
pass in all keep state queue(q_def, q_pri)
pass out all keep state queue(q_def, q_pri)
(the queue(q_def, q_pri) parts are there because I prioritize ACKs, but that isn’t relevant here.) I’m also doing NAT for the wireless network:
nat on $ext_if from 192.168.1.0/24 -> ($ext_if)
and have a fixed IP on the DS.
And now the dumb part: I have a cron to ping the router’s internal IP every minute… it was the only way I could find; otherwise, it would only work, as Adam says, just after a configuration change - not a couple of hours later. This way, it works. As I said, I tried static ARP, and it didn’t work then.
While I’ve neither a Linksys wrk54g nor a Nintendo DS, I do have an OpenBSD edge router and enjoy online gaming through an old Netgear 11-Mbit router that I essentially use as a bridge by connecting it to my OpenBSD machine via a regular port and not the Internet port. One pf behavior worth noting is the way it “translates” the port numbers of packets originating from the internal network to different port numbers for packets meant for the Internet. This can be disabled by adding “static-port” to the end of the nat line for your gaming network in your pf.conf. It’s important that you don’t static-port more than one nat line, as it will result in a kernel panic should two internal hosts decide to use the same port to connect to an Internet host.
Using “static-port” in your pf.conf nat line resolves most issues with connecting to online games, as Jay P seems to have. As for having to periodically ping your router, this shouldn’t be necessary at all. I would investigate this from the OpenBSD machine with tcpdump or ethereal (if you’ve got X11 handy) and pay particular attention to ARP requests.
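The two things worth checking in that tcpdump session are whether the DS’s ARP requests for the router ever get a reply (the “repeated ARP requests … before finally giving up” symptom described above) and which side stops answering. Below is an added example, not code from the post or any of the commenters, that reads `tcpdump -n arp` style output and lists the asker/target pairs whose requests were never answered. The capture lines and all addresses are constructed for the example; the parsing assumes tcpdump’s usual “who-has X tell Y” / “X is-at MAC” wording.

```python
"""Find ARP requests that never got a reply in a tcpdump capture.

Constructed example: the capture below imitates `tcpdump -n -i <if> arp`
output; none of the addresses are real.
"""
import re
from collections import defaultdict

SAMPLE_CAPTURE = """\
21:03:01.100 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
21:03:01.101 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
21:03:05.200 ARP, Request who-has 192.168.1.1 tell 192.168.1.60, length 28
21:03:06.200 ARP, Request who-has 192.168.1.1 tell 192.168.1.60, length 28
21:03:07.200 ARP, Request who-has 192.168.1.1 tell 192.168.1.60, length 28
21:03:09.000 ARP, Request who-has 192.168.1.10 tell 192.168.1.1, length 28
21:03:09.001 ARP, Reply 192.168.1.10 is-at 00:aa:bb:cc:dd:ee, length 28
"""

REQUEST_RE = re.compile(r"ARP, Request who-has ([\d.]+) tell ([\d.]+)")
REPLY_RE = re.compile(r"ARP, Reply ([\d.]+) is-at ([0-9a-fA-F:]+)")


def arp_stats(capture):
    """Count requests and answered requests per (asker, target) pair.

    A reply for target T is credited to whoever most recently asked for T,
    since the tcpdump ARP line does not show the reply's destination.
    """
    stats = defaultdict(lambda: {"requests": 0, "answered": 0})
    pending = {}  # target -> last host that asked for it

    for line in capture.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            target, asker = m.group(1), m.group(2)
            stats[(asker, target)]["requests"] += 1
            pending[target] = asker
            continue
        m = REPLY_RE.search(line)
        if m:
            target = m.group(1)
            asker = pending.pop(target, None)
            if asker is not None:
                stats[(asker, target)]["answered"] += 1
    return dict(stats)


def unanswered_arp(capture):
    """Return {(asker, target): request_count} for pairs with zero replies."""
    return {
        pair: s["requests"]
        for pair, s in arp_stats(capture).items()
        if s["answered"] == 0
    }


if __name__ == "__main__":
    # On a real box: tcpdump -n -i <if> arp > arp.log, then read that file.
    for (asker, target), n in unanswered_arp(SAMPLE_CAPTURE).items():
        print(f"{asker} asked for {target} {n} time(s) and never got a reply")
```

In the constructed capture, 192.168.1.60 asks for 192.168.1.1 three times without a reply, which is the pattern to look for when the DS stops connecting; if the router never answers the DS’s ARP but does answer the OpenBSD box, the fault is on the router/AP side rather than in pf.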