Re: nat or routing problem?

2006-12-08 Thread Mitja
Andreas Bihlmaier wrote:
 On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
 Hello,

 I am trying to configure nat from internal network 192.168.1.0/24 to
 external nat gateway address 193.189.180.193. The problem is that
 packets are not passing from nat gateway to the interface 193.77.12.154
 to the internet.

 ISP - 193.77.12.154 -- hostA -- 192.168.1.1
                                    |
                          193.189.180.193 (em1)
                                    |
                               /27 network

 All hosts on 193.189.180.192/27 are routed correctly through
 193.77.12.154 to internet. My pf.conf is practically empty:

 # pfctl -s all
 TRANSLATION RULES:
 nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
 rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

 FILTER RULES:
 pass in all keep state
 pass out all keep state
 No queue in use

 What I am doing wrong? Any suggestions?
 
 #grep forwarding /etc/sysctl.conf

Enabled...

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1      # 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet6.ip6.forwarding=1     # 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.accept_rtadv=1   # 1=Permit IPv6 autoconf (forwarding must be 0)

For additional info:

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use    Mtu  Interface
default193.77.12.153  UGS 963486  -   bge0
127/8  127.0.0.1  UGRS00  33224   lo0
127.0.0.1  127.0.0.1  UH  1   92  33224   lo0
172.16.15.4/30 link#4 UC  10  -   bge1
172.16.15.5    00:05:85:86:84:7e  UHLc10  -   bge1
172.16.16.6172.16.15.5UGHS218739  -   bge1
192.168.1/24   link#1 UC  20  -   em0
192.168.1.20   00:0f:1f:02:44:1f  UHLc0   10  -   em0
192.168.1.111  00:60:97:82:73:ce  UHLc00  -   em0
193.77.12.152/30   link#3 UC  10  -   bge0
193.77.12.153  00:05:85:86:84:7e  UHLc10  -   bge0
193.189.180.192/27 link#2 UC  50  -   em1
224/4  127.0.0.1  URS 00  33224   lo0

Encap:
Source              Port  Destination         Port  Proto  SA(Address/Proto/Type/Direction)
10.1.1/24           0     192.168.1/24        0     0      172.16.16.6/esp/use/in
192.168.1/24        0     10.1.1/24           0     0      172.16.16.6/esp/require/out
172.16.16.6/32      0     172.16.15.6/32      0     0      172.16.16.6/esp/use/in
172.16.15.6/32      0     172.16.16.6/32      0     0      172.16.16.6/esp/require/out
193.189.180.128/27  0     default             0     0      172.16.16.6/esp/use/in
default             0     193.189.180.128/27  0     0      172.16.16.6/esp/require/out


Regards,
Mitja



problem to chroot ftp users

2006-12-08 Thread Sebastian Reitenbach
Hi all,

I try to set up the ftpd and to have chrooted users.

1. according to the ftpd man page, the users are in the password database, have a password and ksh as shell
2. their login name is not in /etc/ftpusers
3. their login name is in /etc/ftpchroot


when I start the ftpd with -US
the users can log in but they are not chrooted

when I start the ftpd with -A
then only anonymous ftp works, the ftpd states:
530 Sorry, only anonymous ftp allowed.
ftp: Login failed.

when I start the ftpd with -An login access is denied:
530 User ftp_user access denied.
ftp: Login failed.

I do not have the ftp-chroot variable set in login.conf, the man page of login.conf has nothing about the ftp-chroot variable, I guess I have to add it for the ftp_user, but do not know how.

how do I define the ftp-chroot variable in login.conf, or am I missing something else?

kind regards
Sebastian



Re: problem to chroot ftp users

2006-12-08 Thread Joel Goguen
Add the usernames to /etc/ftpchroot and the user will be chrooted when
they login with FTP.  If you don't want them to have shell access, add
/usr/bin/false to /etc/shells and change the users' shell to
/usr/bin/false.  That will allow chrooted FTP access and deny shell access.

You could also set ftp-chroot in login.conf(5) but I'm not sure exactly
how that works since I haven't RTFM for that :)

Sebastian Reitenbach wrote:
 Hi all,
 
 I try to set up the ftpd and to have chrooted users.
 
 1. according to the ftpd man page, the users are in the password database, have a password and ksh as shell
 2. their login name is not in /etc/ftpusers
 3. their login name is in /etc/ftpchroot
 
 
 when I start the ftpd with -US
 the users can log in but they are not chrooted
 
 when I start the ftpd with -A
 then only anonymous ftp works, the ftpd states:
 530 Sorry, only anonymous ftp allowed.
 ftp: Login failed.
 
 when I start the ftpd with -An login access is denied:
 530 User ftp_user access denied.
 ftp: Login failed.
 
 I do not have the ftp-chroot variable set in login.conf, the man page of
 login.conf has 
 nothing about the ftp-chroot variable, I guess I have to add it for the
 ftp_user, but do 
 not know how.
 
 how do I define the ftp-chroot variable in login.conf, or am I missing 
 something
 else?
 
 kind regards
 Sebastian
 


-- 
Joel Goguen
Bachelor of Computer Science III
University of New Brunswick
http://iapetus.dyndns.org/



Re: problem to chroot ftp users

2006-12-08 Thread Otto Moerbeek
On Fri, 8 Dec 2006, Sebastian Reitenbach wrote:

 Hi all,
 
 I try to set up the ftpd and to have chrooted users.
 
 1. according to the ftpd man page, the users are in the password database, have a password and ksh as shell
 2. their login name is not in /etc/ftpusers
 3. their login name is in /etc/ftpchroot
 
 
 when I start the ftpd with -US
 the users can log in but they are not chrooted

What is the user's home dir? How do you test if the user is chrooted or not?

 
 when I start the ftpd with -A
 then only anonymous ftp works, the ftpd states:
 530 Sorry, only anonymous ftp allowed.
 ftp: Login failed.
 
 when I start the ftpd with -An login access is denied:
 530 User ftp_user access denied.
 ftp: Login failed.
 
 I do not have the ftp-chroot variable set in login.conf, the man page of
 login.conf has 
 nothing about the ftp-chroot variable, I guess I have to add it for the
 ftp_user, but do 
 not know how.
 
 how do I define the ftp-chroot variable in login.conf, or am I missing 
 something
 else?

If the user is in /etc/ftpchroot, there's no need to set ftp-chroot.

-Otto



Re: Fintek F71805 driver for test

2006-12-08 Thread openbsd
hi,

Geoff Steckel ([EMAIL PROTECTED]) wrote:

 I've mangled the lm78 driver into a Fintek F71805 sensor driver.
 If anyone else has a board using this chip I'd appreciate a test of it.

i've built a kernel using your drivers. sensor output and dmesg (attached
below) look okay (the third temp sensor isn't connected in my case).

i've looked at your files, and at the one existing driver for another fintek
sensor that's in 4.0, which uses iic instead of isa. the sensor part looks
pretty easy to rewrite (mostly different offsets and more sensors), but i'm
quite mystified by the initialization part. can anybody shed some light? i'm
quite willing to experiment, but i'm not a kernel-level quality programmer...



OpenBSD 4.0 (GENERIC) #0: Tue Dec  5 22:21:45 CET 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Esther processor 1500MHz (CentaurHauls 686-class) 1.72 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
real mem  = 468152320 (457180K)
avail mem = 418967552 (409148K)
using 4256 buffers containing 23511040 bytes (22960K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(d9) BIOS, date 09/15/06, BIOS32 rev. 0 @ 0xfa960, SMBIOS rev. 2.3 @ 0xf (33 entries)
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xcce4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfcc20/192 (10 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 10 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11 15
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8237 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xfc00 0xd/0x5000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA CN700 Host rev 0x00
pchb1 at pci0 dev 0 function 1 VIA CN700 Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA CN700 Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA PT890 Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA CN700 Host rev 0x00
pchb5 at pci0 dev 0 function 7 VIA CN700 Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA VT8377 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 VIA S3 Unichrome PRO IGP rev 0x01: aperture at 0xf400, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
re0 at pci0 dev 9 function 0 Realtek 8169SC rev 0x10: irq 11, address 00:30:18:b0:26:ef
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
re1 at pci0 dev 11 function 0 Realtek 8169SC rev 0x10: irq 10, address 00:30:18:b0:26:f0
rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 2
pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA
pciide0: using irq 15 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: ST3320620AS
wd0: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide0 channel 1 drive 0: ST3320620AS
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
viapm0 at pci0 dev 17 function 0 VIA VT8237 ISA rev 0x00
iic0 at viapm0
unknown at iic0 addr 0x18 not configured
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
fins1 at isa0 port 0x4e/2
npx0 at isa0 port 0xf0/16: using exception 16
biomask f3fd netmask fffd ttymask 
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
wd1: no disk label
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



hw.sensors.0=fins1, +3.3V, 3.34 V DC
hw.sensors.1=fins1, Vtt, 1.08 V DC
hw.sensors.2=fins1, Vram, 1.50 V DC
hw.sensors.3=fins1, Vchips, 1.63 V DC
hw.sensors.4=fins1, +5V, 5.00 V DC
hw.sensors.5=fins1, +12V, 12.06 V DC
hw.sensors.6=fins1, Vcc 1.5V, 1.10 V DC
hw.sensors.7=fins1, VCore, 1.08 V DC
hw.sensors.8=fins1, Vsb, 5.05 V DC
hw.sensors.11=fins1, Temp1, 30.00 degC
hw.sensors.12=fins1, Temp2, 22.00 degC
hw.sensors.13=fins1, Temp3, 107.00 degC
hw.sensors.14=fins1, Fan1, 5791 RPM
hw.sensors.15=fins1, Fan2, 4424 RPM
hw.sensors.16=fins1, Fan3, 3496 RPM

-- 
CUL8R, Peter.



Re: problem to chroot ftp users

2006-12-08 Thread Sebastian Reitenbach
Hi,

Otto Moerbeek [EMAIL PROTECTED] wrote: 
 On Fri, 8 Dec 2006, Sebastian Reitenbach wrote:
 
  Hi all,
  
  I try to set up the ftpd and to have chrooted users.
  
  1. according to the ftpd man page, the users are in the password database, have a password and ksh as shell
  2. their login name is not in /etc/ftpusers
  3. their login name is in /etc/ftpchroot
  
  
  when I start the ftpd with -US
  the users can log in but they are not chrooted
 
 What is the user's home dir? How do you test if the user is chrooted or not?
the home directory of the user is /home/ftp_user

I test the chroot by just ftp'ing to the host: I am then in my home directory, and when I cd .. I am in /home, therefore not chrooted.


  
  how do I define the ftp-chroot variable in login.conf, or am I missing
something
  else?
 
 If the user is in /etc/ftpchroot, there's no need to set ftp-chroot.
I thought that, after reading ftpd(8), and therefore I have the user in
/etc/ftpchroot.

I have the same problem on two servers, OpenBSD 4.0 and 3.9.

I prevent the ftp users from logging in via ssh via the ssh config: the ftp users are all in group _ftp, and this group is disallowed in /etc/ssh/sshd_config for login, but I doubt that this will interfere with the ftpd.

kind regards
Sebastian



Re: links in the OpenBSD FAQs

2006-12-08 Thread Igor Sobrado
An important note: I missed one of Tom Cosgrove's pieces of advice...
I would replace the "OpenBSD's Flavors" link in the patch with
something like "section 5" (as Tom suggests) or "FAQ 5, flavors"
as found in other parts of the FAQ.  Tom's suggestion is more readable,
though.  Of course, there are other alternatives, such as "section 5, flavors".

By the way, these "FAQ X, word" entries are sometimes typed "FAQ X - word";
I don't know if that is what the maintainers are looking for, or just a minor
mistake.  I suppose that using a hyphen can make these entries in the
FAQ look nice in a browser or PDF reader (links have different colors
than standard text) but more difficult to read as text.

On the other hand, I suppose that sometimes using lowercase
(e.g., replacing "Upgrade Guide" with "upgrade guide") is advisable.
Lowercase letters will probably follow the BSD style better.

At last, I want to say again that this patch is only a draft.  I am
awaiting all the changes recommended by the maintainers and
certainly do not expect the final patch to be like this one.  I am not
proposing this patch, but only providing a draft to work on.

Cheers,
Igor.



Re: links in the OpenBSD FAQs

2006-12-08 Thread Igor Sobrado
D'oh!  Of course, the SIMH entry in FAQ 12 should read
"Instructions can be found _at the_ OpenBSD/vax on SIMH page".

Well... there are people with more appropriate English skills who
will probably suggest a lot of changes like this one.

Igor.



Re: One new Soekris net4801-50 available in Moscow

2006-12-08 Thread Andrew Pantyukhin

Sold. Sorry for the noise.



Problem configuring vlan interfaces on startup

2006-12-08 Thread Brian Candler
I'm running OpenBSD 4.0. My external interface, fxp0, is a tagged trunk.

I've configured it as follows:

# head /etc/hostname.fxp* /etc/hostname.vlan*
==> /etc/hostname.fxp0 <==
up

==> /etc/hostname.vlan0 <==
dhcp vlan 853 vlandev fxp0

==> /etc/hostname.vlan1 <==
inet 10.69.255.254 netmask 255.255.255.224 vlan 841 vlandev fxp0

==> /etc/hostname.vlan2 <==
inet 10.70.207.142 netmask 255.255.255.240 vlan 842 vlandev fxp0

==> /etc/hostname.vlan3 <==
inet 192.168.0.250 netmask 255.255.255.0 vlan 843 vlandev fxp0
inet alias 192.168.1.250 netmask 255.255.255.0
inet alias 192.168.2.250 netmask 255.255.255.0
inet alias 192.168.168.250 netmask 255.255.255.0

However, what I find is that on power-up, my vlan0 interface is configured
correctly (it picks up an IP address via DHCP), but interfaces vlan1-vlan3
are not configured. So I end up configuring them by hand, for example by

  # ifconfig vlan1 $(cat /etc/hostname.vlan1)
  # ifconfig vlan2 $(cat /etc/hostname.vlan2)
  # sed 's/^/ifconfig vlan3 /' /etc/hostname.vlan3 | sh

which works fine.

So I was just wondering, is there something I've missed which is needed to
get them to self-configure at startup?

Thanks,

Brian.



Re: Openldap

2006-12-08 Thread Marc Balmer

Dr. Harry Knitter wrote:

On Monday, 4 December 2006 20:23, Bryan Irvine wrote:

I have installed the following binaries:
openldap-server-2.3.24
openldap-client-2.3.24
db-4.2.52p8
OS is OpenBSD 4.0

You need to install openldap-server-2.3.24-bdb

If installed from ports use env FLAVOR=bdb make install to get it, or if
you used packages then use the bdb version.

--Bryan



I installed the package. However, on the mirror I used I don't find any bdb version.


On a side note, some people observed data corruption or even data loss
when using the bdb backend.  The gdbm backend, on the other hand, is stable.




Re: Problem configuring vlan interfaces on startup

2006-12-08 Thread Mathieu Sauve-Frankel
 So I was just wondering, is there something I've missed which is needed to
 get them to self-configure at startup?

you could start by reading the man page. 

pay attention to the examples in hostname.if(5), it should be pretty obvious
what you've done wrong. 

-- 
Mathieu Sauve-Frankel



Re: problem to chroot ftp users

2006-12-08 Thread Joel Goguen
On Fri, 08 Dec 2006 12:24:48 +0100, Sebastian Reitenbach [EMAIL PROTECTED] 
wrote:
 I thought that, after reading ftpd(8), and therefore I have the user in
 /etc/ftpchroot.
 
 I have the same problem on two servers, OpenBSD 4.0 and 3.9.
I think I misunderstand you.  Are you saying that you have users in 
/etc/ftpchroot and they're still not chrooted after logging in?  Did you 
restart ftpd?  Assuming you're not running it from inetd of course.

--
Joel Goguen
http://iapetus.dyndns.org/



Re: mounting an svnd device on /var

2006-12-08 Thread Jacob Yocom-Piatt
 Original message 
Date: Fri, 8 Dec 2006 02:32:01 -0500 (EST)
From: Woodchuck [EMAIL PROTECTED]  
Subject: Re: mounting an svnd device on /var  
To: misc@openbsd.org

On Thu, 7 Dec 2006, Jacob Yocom-Piatt wrote:

 it's not clear to me where the best place to mount a disk image is using
 vnconfig for the whole /var partition. this should obviously happen after
 mounting /usr.
 
 advice appreciated.
 
 cheers,
 jake

For a start, I'd *guess* it could be mounted immediately after the
file-system containing its regular file (and of course /usr) is
mounted.  If this file-system is not nfs, then that is at the first
occurrences of mount in /etc/rc.  (Around line 203 in 4.0).  You
would add your vnconfig and mount command there.  You now have a 
non-standard /etc/rc.


dave,

thanks for your input! this is essentially where i was thinking about adding it.
specifically, between lines 260 and 261:

mount -s /usr >/dev/null 2>&1
mount -s /var >/dev/null 2>&1

i'll give this a shot.

You want it mounted before logging and any other process or daemon
that uses /var is run, including daemons that chroot to /var, notably
named.  You probably want them running on the svnd, not underneath
it on whatever /var was before mounting the svnd.


correct

Note that if you plan on encryption, the vnconfig command will hang
waiting for the key.  It uses a call to getpass(3) for the key,
which will read from /dev/tty.  Usually /etc/rc executes with a
/dev/tty so I think that if you use vnconfig -k or -K in /etc/rc, a
human will have to intervene at boot time to enter the key.  (I
don't know a cute, simple way (i.e. a shell trick) to execute
vnconfig without a controlling terminal, so it could read from its
stdin (presumably a disk file or maybe from some dongle-like Sekrit
Krypto Device) or if that would be a good idea anyway.)  You could
hack vnconfig to read the key from a file, but that's kinda insecure.
I don't know your threat model.  See man getpass(3).


i am aware that it will hang at the passphrase prompt, as i have a netbsd
machine (ugh!) with cgd as my mailserver and it does just this on boot.  using a
dongle is a possibility, but i would rather enter a password over a serial
console and/or use a salt file.

the threat model is physical theft of the mailserver while i am not on-site and
that the machine is running netbsd ;).

cheers,
jake

Hoping for further comments,

Dave
-- 
  [In] all human groups at all times there are the few who rule
   and the many who are ruled.
-- A. Livingston



Re: Problem configuring vlan interfaces on startup

2006-12-08 Thread Brian Candler
On Fri, Dec 08, 2006 at 10:06:23PM +0900, Mathieu Sauve-Frankel wrote:
  So I was just wondering, is there something I've missed which is needed to
  get them to self-configure at startup?
 
 you could start by reading the man page. 
 
 pay attention to the examples in hostname.if(5), it should be pretty obvious
 what you've done wrong. 

Hmm. That's what happens when two syntaxes are almost the same, but not
quite.

I did read that page previously, and what entered my brain was that these
lines just contained arguments to ifconfig. But they're not.

Thanks for pointing me to what I needed.

Regards,

Brian.
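As an added example (not from the thread and not the real /etc/netstart script), a small Python model of the positional field layout that hostname.if(5) documents ("family [alias] address netmask broadcast options"), which is why Brian's lines, written as ifconfig arguments, fail: the third word is always taken as the netmask value, so the literal word "netmask" ends up being passed as one. The handling of a bare "up" line and of "!" lines is an assumption of this model.

```python
import ipaddress
from typing import List, Optional

# Line types handled positionally by the boot script; anything else is
# treated below as bare ifconfig options (an assumption of this model).
ADDRESS_FAMILIES = {"inet", "inet6"}


def split_fields(line: str) -> List[str]:
    """Mimic the shell 'read af name mask bcaddr ext1 ext2': six fields, the
    last one keeping the remainder of the line."""
    fields = line.split(None, 5)
    return fields + [""] * (6 - len(fields))


def netstart_command(ifname: str, line: str) -> Optional[str]:
    """Model of how one /etc/hostname.<if> line becomes a command at boot.

    Assumption: simplified from the positional layout hostname.if(5)
    documents ('family [alias] address netmask broadcast options').
    """
    af, name, mask, bcaddr, ext1, ext2 = split_fields(line)
    if af == "" or af.startswith("#"):
        return None                                    # blank line or comment
    if af.startswith("!"):                             # '!cmd args' runs cmd verbatim
        return " ".join(x for x in [af[1:], name, mask, bcaddr, ext1, ext2] if x)
    if af == "dhcp":
        # Every remaining word goes straight to ifconfig, then dhclient runs.
        opts = [x for x in (name, mask, bcaddr, ext1, ext2) if x and x != "NONE"]
        return " ".join(["ifconfig", ifname, *opts, "down"]) + f"; dhclient {ifname}"
    if af not in ADDRESS_FAMILIES:
        # Assumption: e.g. a bare 'up' is handed to ifconfig unchanged.
        return " ".join(["ifconfig", ifname, *[x for x in split_fields(line) if x]])
    cmd = ["ifconfig", ifname, af]
    if name == "alias":                                # shift the fields left by one
        cmd.append("alias")
        name, mask, bcaddr, ext1, ext2 = mask, bcaddr, ext1, ext2, ""
    if not name:
        raise ValueError(f"/etc/hostname.{ifname}: invalid network configuration line: {line}")
    cmd.append(name)
    if mask and mask != "NONE":
        cmd += ["netmask", mask]       # the 3rd field is always taken as the netmask value
    if bcaddr and bcaddr != "NONE":
        cmd += ["broadcast", bcaddr]   # the 4th field is always taken as the broadcast value
    cmd += [x for x in (ext1, ext2) if x]
    return " ".join(cmd)


def lint_line(ifname: str, line: str) -> List[str]:
    """Flag inet lines whose positional address fields are not IPv4 addresses,
    which is exactly what typing the ifconfig keyword 'netmask' produces."""
    fields = split_fields(line)
    if fields[0] != "inet":
        return []
    if fields[1] == "alias":
        fields = [fields[0]] + fields[2:] + [""]
    problems = []
    for label, value in zip(("address", "netmask", "broadcast"), fields[1:4]):
        if not value or value == "NONE":
            continue
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"/etc/hostname.{ifname}: {label} field is '{value}', not an address")
    return problems


if __name__ == "__main__":
    # Brian's vlan0 and vlan1 lines as posted, then vlan1 in positional form.
    for ifname, line in [
        ("vlan0", "dhcp vlan 853 vlandev fxp0"),
        ("vlan1", "inet 10.69.255.254 netmask 255.255.255.224 vlan 841 vlandev fxp0"),
        ("vlan1", "inet 10.69.255.254 255.255.255.224 NONE vlan 841 vlandev fxp0"),
    ]:
        print(f"{line!r}\n  -> {netstart_command(ifname, line)}")
        for problem in lint_line(ifname, line):
            print(f"  !! {problem}")
```

The dhcp line survives because every word after "dhcp" is passed through untouched, which is why only vlan0 came up at boot.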



Re: nat or routing problem?

2006-12-08 Thread Mitja
Mitja wrote:
 Andreas Bihlmaier wrote:
 On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:
 Hello,

 I am trying to configure nat from internal network 192.168.1.0/24 to
 external nat gateway address 193.189.180.193. The problem is that
 packets are not passing from nat gateway to the interface 193.77.12.154
 to the internet.

 ISP - 193.77.12.154 -- hostA -- 192.168.1.1
                                    |
                          193.189.180.193 (em1)
                                    |
                               /27 network

More testing:
I changed my pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

Now I am doing translation from 192.168.1.0/24 to bge0 (193.77.12.154),
the closest interface to my ISP. Test:

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
64 bytes from 209.85.129.147: icmp_seq=0 ttl=242 time=45.439 ms
64 bytes from 209.85.129.147: icmp_seq=1 ttl=242 time=45.307 ms
--- 209.85.129.147 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 45.307/45.373/45.439/0.066 ms

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:46:10.614558 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:10.659932 209.85.129.147 > 193.77.12.154: icmp: echo reply
14:46:11.624513 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:11.669838 209.85.129.147 > 193.77.12.154: icmp: echo reply

It looks like NAT is working. The same test with changed configuration
in pf.conf to:
# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

The same test, with tcpdump on the last interface (bge0;193.77.12.154).

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
--- 209.85.129.147 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request

icmp packets are going out, but it looks like NAT is not working (it
should change my source IP address).

I checked with Google, http://www.openbsd.org/faq/pf/nat.html,
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+4.0
and did not find anything useful.

I'm stuck. Any ideas?


Regards,
Mitja



Re: VPN Howto

2006-12-08 Thread Brian Candler
On Thu, Dec 07, 2006 at 11:08:40PM +0100, misc(at)openbsd.org wrote:
 I want to replace my linux firewall/vpn-server with an openbsd 4.0
 installation. My problem is, that the linux server is a vpn-endpoint
 with two draytek vigor 2900. At the moment I'm looking for a
 vpn-documentation (or a howto) for ipsec and openbsd 4.0.
 Does somebody have a link for me? The man-pages didn't help me out (I'm
 using strongswan at the moment, it looks like there are many
 differences).

OpenBSD 4.0 includes the ipsecctl interface, which makes life much easier
for the majority of cases, such as basic IPSEC tunnel mode setups.

Try this as a starting point (*):
http://www.securityfocus.com/infocus/1859

One difference to note between Linux and OpenBSD is the handling of policy.
OpenBSD's approach is IMO a lot simpler and cleaner. If you want to enforce
that certain traffic is (or is not) encrypted you just do this using pf
rules, since encrypted traffic appears to go in and out of the 'enc0'
pseudo-interface.

So whereas Linux has both a Security Policy Database and a Security
Association Database in the kernel, I believe (and someone please correct me
if I'm wrong) that OpenBSD kernel has only an SAD. You put your policy into
ipsecctl, which passes it onto isakmpd, and isakmpd negotiates keys and
sticks them in the SAD.

For a typical VPN setup which says everything which comes in via IPSEC is
trusted then the pf policy is very simple.

Regards,

Brian.

(*) There are a few errors in this article. What you actually need in
/etc/rc.conf or /etc/rc.conf.local is

isakmpd_flags=-K  # I use -K -4 to disable IPv6
ipsec=YES
pf=YES

There's no need to stick anything in /etc/rc.local



Re: nat or routing problem?

2006-12-08 Thread Joel Goguen
On Fri, 08 Dec 2006 15:16:50 +0100, Mitja [EMAIL PROTECTED] wrote:
[snip]
 # pfctl -s all
 TRANSLATION RULES:
 nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
If em1 is only serving the one IP address, try changing em1:0 to em1 and see if 
that works.

--
Joel Goguen
http://iapetus.dyndns.org/



Re: nat or routing problem?

2006-12-08 Thread Mitja
Joel Goguen wrote:
 On Fri, 08 Dec 2006 15:16:50 +0100, Mitja [EMAIL PROTECTED] wrote:
 [snip]
 # pfctl -s all
 TRANSLATION RULES:
 nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
 If em1 is only serving the one IP address, try changing em1:0 to em1 and see 
 if that works.

Checked that option. It is the same...not working.

Regards,
Mitja



OpenBSD - Vlans - CISCO

2006-12-08 Thread michel bédard

Hi,

I have connected my OpenBSD box to a CISCO switch model 2924.  I decided 
to setup vlans and I did the configuration on the CISCO. There is one 
port where all the trafic goes on the CISCO switch. This is what I did 
on the firewall:


# ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0

# ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0

# ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0

# ...

All the configs on the CISCO device have been done. All the hosts on the 
vlan 2 are able to ping each other and to surf. However, the remaining 
vlans aren't working. I have tried to ping the ip's of the vlans but 
that doesn't work. I've created an alias on the interface for a specific 
vlan but that doesn't work either. I have the same rules in /etc/pf.conf 
for all the vlans. Is there something I'm missing? The vlans have been 
done using 802.1q.


Thanks,


Mik



Re: OpenBSD - Vlans - CISCO

2006-12-08 Thread Aleksandar Milosevic

# ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0

# ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0

# ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0

 ^

cisco switch port is set as trunk?




Re: OpenBSD - Vlans - CISCO

2006-12-08 Thread Henning Brauer
* michel bédard [EMAIL PROTECTED] [2006-12-08 17:48]:
 Hi,
 
 I have connected my OpenBSD box to a CISCO switch model 2924.

my condolences.

 I decided 
 to setup vlans and I did the configuration on the CISCO. There is one 
 port where all the trafic goes on the CISCO switch. This is what I did 
 on the firewall:
 
 # ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0
 
 # ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0
 
 # ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0

so, let's see.
vlan0 is in 10/8.
vlan1 is in 10/8.
vlan2 is in 10/8.

 vlan 2 are able to ping each other and to surf. However, the remaining 
 vlans aren't working. I have tried to ping the ip's of the vlans but 
 that doesn't work. 

no surprise with overlapping address space.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: OpenBSD - Vlans - CISCO

2006-12-08 Thread Karsten McMinn

On 12/8/06, michel bédard [EMAIL PROTECTED] wrote:

All the configs on the CISCO device have been done. All the hosts on the
vlan 2 are able to ping each other and to surf. However, the remaining
vlans aren't working.


things to check that haven't been mentioned:
-set switch vtp mode to transparent
-set your native (non-tagged vlan) right on dot1q link on the switch
-set allowed vlans correctly on the dot1q link on the switch

post your results when you figure it out.



Re: Toshiba Notebook Display Brightness/Power Saving

2006-12-08 Thread Michael
Hi,

Alexey Vatchenko schrieb:
 Why not to make it available for the public?

I am/was not even sure that this is the right list. So before I get
flamed for posting at the wrong list I wanted to be sure and not add any
attachments to make it even worse.

 - Michael
The screen brightness control in accordance with the battery power
by BIOS can be cancelled by executing the following function.

Application existence setting of power save utility:

AH = 44h
AL = FFh
BX = 0025h
CX = 0002h (power save utility)
DX = 0001h
INT 15h

With this change, the following BIOS functions will be restricted.

* ClockRun (GatedClock) will be disabled.
* System Auto Off will be disabled.
* HDD Auto Off will be disabled.
* Display Auto Off will be disabled.
* Throttle Control by the amount of battery charge will be disabled.
* Cooling Method will not be switchable.
* C3 Control will be disabled.

i.e. every power-saving control in BIOS will be prohibited.
This might cause some problems in the state of power-saving
but this will not cause any problem in PC operation.
2-2.35  Reading brightness level
 [2.35]

2-2.35-1   Function

Reads the brightness level.

2-2.35-2   I/O register specifications

(1)  Input registers 
AH =44h
AL =FEh
BX =002Ah  brightness level

(2)  Output registers
 When the function ends normally
AH =00h
CX =brightness level
DX =possible bit
CF =0

 When an error is encountered
AH =80h  Subfunction error, or function not supported by the system.
CF =1

2-2.35-3  Function details

This function reads the level of the LCD brightness from SM-RAM. 
For example, if a system uses 3 bits to control its brightness (000:Level 0  
111:level 7) and the current setting is the Level 3, this function returns 
6000h to CX register and E000h to DX register (indicates bit15-13 are valid).




2-2.36  Setting brightness level
[2.35]

2-2.36-1   Function

Sets the brightness level.

2-2.36-2   I/O register specifications

(1)  Input registers 
AH =44h
AL =FFh
BX =002Ah  brightness level
CX =brightness level

(2)  Output registers
 When the function ends normally
AH =00h
CF =0

 When an error is encountered
AH =80h  Subfunction error, or function not supported by the system.
CF =1

2-2.36-3  Function details

This function sets the LCD brightness.
The level of the brightness is set in the CX register. If a system uses 3 bits to 
control the brightness, the valid bits of
CX are bits 15, 14 and 13, and the other bits of CX are don't-care (so CX=E000h and 
CX=h are the same settings).

If a system supports SCI function to set LCD brightness (0115h:LCD Brightness), 
the LCD brightness is controlled by the SCI function until this HCI function is 
called.
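As an added worked example (not from the thread and not from the Toshiba document), Python helpers that turn the CX/DX convention above into code: DX says which bits of CX carry the level, so level 3 in a 3-bit system is 6000h under mask E000h, and bits outside the mask are ignored on read and on set. The register dictionaries only collect the input registers listed above for the read (AL=FEh) and set (AL=FFh) subfunctions; issuing INT 15h itself is outside the example.

```python
from typing import Dict, Tuple

HCI_FUNC = 0x44          # AH for the HCI functions in the document
READ_SUBFN = 0xFE        # AL: reading brightness level (2-2.35)
WRITE_SUBFN = 0xFF       # AL: setting brightness level (2-2.36)
BRIGHTNESS_REG = 0x2A    # BX: brightness level
ERR_SUBFUNCTION = 0x80   # AH returned on subfunction error / not supported


def valid_bit_span(dx: int) -> Tuple[int, int]:
    """(shift, width) of the contiguous run of 1 bits in DX, the 'possible bit' mask."""
    if not 0 < dx <= 0xFFFF:
        raise ValueError("DX must be a non-zero 16-bit mask")
    shift = (dx & -dx).bit_length() - 1            # index of the lowest set bit
    run = dx >> shift
    width = run.bit_length()
    if run != (1 << width) - 1:
        raise ValueError("DX mask is not one contiguous run of bits")
    return shift, width


def max_level(dx: int) -> int:
    """Highest level the mask can express: 7 for a 3-bit system."""
    _, width = valid_bit_span(dx)
    return (1 << width) - 1


def fits(level: int, dx: int) -> bool:
    return 0 <= level <= max_level(dx)


def decode_brightness(cx: int, dx: int) -> int:
    """Level from the CX/DX pair the read subfunction returns; bits outside DX are ignored."""
    shift, _ = valid_bit_span(dx)
    return (cx & dx) >> shift


def encode_brightness(level: int, dx: int) -> int:
    """CX value to hand to the set subfunction for 'level' under mask DX."""
    shift, _ = valid_bit_span(dx)
    if not fits(level, dx):
        raise ValueError(f"level {level} does not fit in mask {dx:#06x}")
    return (level << shift) & 0xFFFF


def read_brightness_regs() -> Dict[str, int]:
    """Input registers for 2-2.35 (reading brightness level)."""
    return {"AH": HCI_FUNC, "AL": READ_SUBFN, "BX": BRIGHTNESS_REG}


def set_brightness_regs(level: int, dx: int) -> Dict[str, int]:
    """Input registers for 2-2.36 (setting brightness level); DX is the mask
    obtained from a previous read."""
    return {"AH": HCI_FUNC, "AL": WRITE_SUBFN, "BX": BRIGHTNESS_REG,
            "CX": encode_brightness(level, dx)}


def check_status(ah: int, cf: int) -> None:
    """Raise on the documented error return (AH=80h, CF=1)."""
    if cf or ah == ERR_SUBFUNCTION:
        raise RuntimeError("subfunction error, or function not supported by the system")


if __name__ == "__main__":
    dx = 0xE000   # constructed: 3-bit system, bits 15-13 valid (the document's example)
    cx = 0x6000   # constructed: what a read returns at level 3
    print(f"read  -> level {decode_brightness(cx, dx)} of {max_level(dx)}")
    print(f"set 5 -> {set_brightness_regs(5, dx)}")
```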



Re: nat or routing problem?

2006-12-08 Thread Aleksandar Milosevic

Mitja wrote:

Mitja wrote:

Andreas Bihlmaier wrote:

On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:

Hello,

I am trying to configure nat from internal network 192.168.1.0/24 to
external nat gateway address 193.189.180.193. The problem is that
packets are not passing from nat gateway to the interface 193.77.12.154
to the internet.

ISP - 193.77.12.154 -- hostA -- 192.168.1.1
                                   |
                         193.189.180.193 (em1)
                                   |
                              /27 network


More testing:
I changed my pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

Now I am doing translation from 192.168.1.0/24 to bge0 (193.77.12.154),
the closest interface to my ISP. Test:

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
64 bytes from 209.85.129.147: icmp_seq=0 ttl=242 time=45.439 ms
64 bytes from 209.85.129.147: icmp_seq=1 ttl=242 time=45.307 ms
--- 209.85.129.147 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 45.307/45.373/45.439/0.066 ms

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:46:10.614558 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:10.659932 209.85.129.147 > 193.77.12.154: icmp: echo reply
14:46:11.624513 193.77.12.154 > 209.85.129.147: icmp: echo request
14:46:11.669838 209.85.129.147 > 193.77.12.154: icmp: echo reply

It looks like NAT is working. The same test with changed configuration
in pf.conf to:
# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 ->
192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

The same test, with tcpdump on the last interface (bge0;193.77.12.154).

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
--- 209.85.129.147 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request

icmp packets are going out, but it looks like NAT is not working (it
should change my source IP address).



Maybe, you should try something like this.

nat on bge0 inet from 192.168.1.0/24 to any -> (em1:0)
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)

rdr ...

It might work.

Pozdrav,
Aleksandar



Re: Openldap

2006-12-08 Thread Bryan Irvine

 I installed the package. However, on the mirror I used I don't find any bdb
 version.

On a side note, some people observed data corruption or even data loss
when using the bdb backend.  The gdbm backend, on the other hand, is stable.



I don't remember the specific details, but there was a version of
openldap where that happened a lot. I was having to restore from
backups about once a week. IIRC it was 2.2.24 (and earlier?).

I've been running 2.2.27 (with db4 FWIW) since august-ish of last year
with zero corruption problems.

YMMV though.  I only have a few tens-of-thousands of lookups a day and
roughly 5 writes.  So my server may not be the best comparison.

--Bryan



Re: nat or routing problem?

2006-12-08 Thread Mikael Fridh

Mitja wrote:

Mitja wrote:


Andreas Bihlmaier wrote:


On Thu, Dec 07, 2006 at 11:27:11PM +0100, Mitja wrote:


Hello,

I am trying to configure nat from internal network 192.168.1.0/24 to
external nat gateway address 193.189.180.193. The problem is that
packets are not passing from nat gateway to the interface 193.77.12.154
to the internet.

ISP - 193.77.12.154 -- hostA -- 192.168.1.1
  |
193.189.180.193 (em1)
  |
  /27 network



More testing:
I changed my pf.conf to:

# pfctl -s all
TRANSLATION RULES:
nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 ->
192.168.1.111 port 5900


If bge0 is your external interface that nat line now looks correct.
If your internal hosts on the 192.168.1.0/24 net have default gateway 
192.168.1.1 it should be nating properly.


Sounds like you want traffic to traverse:
192.168.1.0/24 -> 192.168.1.1 -> 193.189.180.193 -> 193.77.12.154 -> 0/0

I don't yet fully get what you're trying to accomplish.


# pfctl -s all
TRANSLATION RULES:
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 ->
192.168.1.111 port 5900

FILTER RULES:
pass in all keep state
pass out all keep state
No queue in use

The same test, with tcpdump on the last interface (bge0;193.77.12.154).

# ping -I 192.168.1.95 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes
--- 209.85.129.147 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -i bge0 icmp
tcpdump: listening on bge0, link-type EN10MB
14:49:16.377482 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:17.387437 192.168.1.95 > 209.85.129.147: icmp: echo request
14:49:18.397398 192.168.1.95 > 209.85.129.147: icmp: echo request

icmp packets are going out, but it looks like NAT is not working (it
should change my source IP address).


That's because now you are dumping traffic on the internal interface 
where the packets haven't traversed the NAT yet.
The nat rule you made above has the internal interface where it should 
have the external:

nat on em1:0 from int_net to -> em1:0.


# This is a proper simple nat example (that works):
ext_if=rl0 # (or whatever is your external interface)
nat on $ext_if inet from ! ($ext_if) -> ($ext_if:0)

--
Fridh


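The point both replies turn on is where pf applies a nat rule: as the packet is sent out of the interface named after "on". A rule anchored on an interface that internet-bound packets never exit through translates nothing, which is exactly what an untranslated source address in tcpdump on the egress interface looks like. The following Python check is an added example and is not code from anyone in this thread; it parses the "nat on IF ... from SRC to DST -> TARGET" form shown above, finds the default-route interface in netstat -rn output, and reports rules that sit on a different interface. Both inputs are constructed samples with documentation addresses, not the poster's real output.

```python
"""Check that pf 'nat on <if>' rules sit on the interface the traffic leaves.

pf applies a nat rule as a packet goes out of the interface named after
'on'.  A rule anchored on an interface that internet-bound packets never
exit through translates nothing.
"""
import re

# Constructed sample of 'pfctl -s nat' output (not copied from the thread):
# the first rule is on a secondary interface, the second on the interface
# that carries the default route.
SAMPLE_PF = """\
nat on em1 inet from 192.168.1.0/24 to any -> (em1:0)
nat on bge0 inet from 192.168.1.0/24 to any -> (bge0:0)
rdr pass on em1 inet proto tcp from any to any port = 5900 -> 192.168.1.111 port 5900
"""

# Constructed sample of 'netstat -rn' using documentation address ranges.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs     Use   Mtu  Interface
default            198.51.100.1       UGS        9   63486     -  bge0
192.168.1/24       link#1             UC         2       0     -  em0
198.51.100.0/30    link#3             UC         1       0     -  bge0
203.0.113.192/27   link#2             UC         5       0     -  em1
"""

# Matches the 'nat on IF [inet] from SRC to DST -> TARGET' form used above;
# rdr rules and filter rules do not match and are skipped.
NAT_RULE = re.compile(
    r"^nat\s+on\s+(?P<iface>\S+)(?:\s+inet6?)?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"\s+->\s+\(?(?P<target>[^)\s]+)\)?"
)


def parse_nat_rules(pf_text):
    """Return one dict (iface, src, dst, target) per nat rule."""
    rules = []
    for line in pf_text.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def default_route_iface(netstat_text):
    """Interface of the 'default' entry in the routing table, or None."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "default":
            return fields[-1]  # the Interface column is printed last
    return None


def check_nat_rules(rules, egress_if):
    """Flag nat rules whose 'on' interface is not the default-route egress."""
    findings = []
    for r in rules:
        on_egress = r["iface"] == egress_if
        if on_egress:
            msg = (f"nat on {r['iface']}: ok, internet-bound packets from "
                   f"{r['src']} are translated to {r['target']} on the way out")
        else:
            msg = (f"nat on {r['iface']}: internet-bound packets from {r['src']} "
                   f"leave via {egress_if}, so this rule never sees them and "
                   f"they go out with their private source address")
        findings.append({"iface": r["iface"], "on_egress": on_egress, "message": msg})
    return findings


def lint(pf_text, netstat_text):
    """Run the check over pfctl and netstat output; raises if no default route."""
    egress = default_route_iface(netstat_text)
    if egress is None:
        raise ValueError("no default route found in routing table")
    return check_nat_rules(parse_nat_rules(pf_text), egress)


if __name__ == "__main__":
    for f in lint(SAMPLE_PF, SAMPLE_NETSTAT):
        print(f["message"])
```

On the sample the em1 rule is reported as never matching internet-bound traffic and the bge0 rule as fine. The check only looks at the default route; a "to any" rule on a secondary interface still translates packets that leave through that interface towards its own subnet, which is why a tcpdump on the egress interface, not the rule text alone, is the right place to confirm translation.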

Re: OpenBSD - Vlans - CISCO

2006-12-08 Thread [EMAIL PROTECTED]
you need on openbsd

ifconfig vlan0 create
ifconfig vlan0 vlan 2 vlandev rl0 up

Thomas


On Friday 08 December 2006 15:25, you wrote:
 Hi,

 I have connected my OpenBSD box to a CISCO switch model 2924.  I decided
 to setup vlans and I did the configuration on the CISCO. There is one
 port where all the traffic goes on the CISCO switch. This is what I did
 on the firewall:

 # ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0

 # ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0

 # ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0

 # ...

 All the configs on the CISCO device have been done. All the hosts on the
 vlan 2 are able to ping each other and to surf. However, the remaining
 vlans aren't working. I have tried to ping the ip's of the vlans but
 that doesn't work. I've created an alias on the interface for a specific
 vlan but that doesn't work either. I have the same rules in /etc/pf.conf
 for all the vlans. Is there something I'm missing? The vlans have been
 done using 802.1q.

 Thanks,


 Mik



Re: OpenBSD - Vlans - CISCO

2006-12-08 Thread Jeffrey C. Ollie
On Fri, 2006-12-08 at 09:25 -0500, michel bédard wrote:
 Hi,

 I have connected my OpenBSD box to a CISCO switch model 2924.  I decided
 to setup vlans and I did the configuration on the CISCO. There is one
 port where all the traffic goes on the CISCO switch. This is what I did
 on the firewall:

 # ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0

 # ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0

 # ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0

 # ...

 All the configs on the CISCO device have been done. All the hosts on the
 vlan 2 are able to ping each other and to surf. However, the remaining
 vlans aren't working. I have tried to ping the ip's of the vlans but
 that doesn't work. I've created an alias on the interface for a specific
 vlan but that doesn't work either. I have the same rules in /etc/pf.conf
 for all the vlans. Is there something I'm missing? The vlans have been
 done using 802.1q.

Turn off spanning tree on the other VLANs:

no spanning-tree vlan 3
no spanning-tree vlan 4

etc.

Jeff




Re: OpenBSD - Vlans - CISCO

2006-12-08 Thread Michael Lockhart
Here is a working configuration for one of our switches running OpenBSD 3.2 
with 4 vlans on Cisco devices:

!
config-register 0xF
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ***_***
!
enable secret 5 **
!
ip subnet-zero
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 4
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 5
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 11
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 12
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 150
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 150
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/15
switchport access vlan 150
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 150
 spanning-tree portfast
!
interface FastEthernet0/17
switchport access vlan 150
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/18
switchport access vlan 150
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode trunk
 switchport protected
 spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 150
!
interface FastEthernet0/21
switchport access vlan 150
!
interface FastEthernet0/22
switchport access vlan 150
!
interface FastEthernet0/23
switchport access vlan 150
 speed 100
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/24
switchport mode trunk
 speed 100
 duplex full
 spanning-tree portfast
!
interface Vlan1
 ip address 10.***.***.*** 255.255.255.192
 no ip route-cache
!
ip default-gateway 10.***.***.***
ip http server
snmp-server community *** RW
!
line con 0
line vty 0 4
 password *
 login
line vty 5 15
 password *
 login

Regards,
Mike Lockhart
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Lockhart[Systems Engineering  Operations]
StayOnline, Inc
http://www.stayonline.net/
mailto: [EMAIL PROTECTED]
GPG: 8714 6F73 3FC8 E0A4 0663  3AFF 9F5C 888D 0767 1550
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




Prospective hardware angels

2006-12-08 Thread Bret Lambert

Good afternoon misc@ -

A gentleman in the UK and I have decided
to pool our resources, and start semi-regularly
trolling want.html for items that we can get for
the devs. I'm able to do something like $50 US
each month (I have no idea how much he's in
for; he keeps talking about quid, which, as
far as I can tell, is some sort of telepathic
space crab).

If there are fellow-travelers who are interested
in going in with us on this, please don't hesitate
to let me know.

Please reply only to my email, so that we don't
clutter the list with chatter.

- Bert



Re: firefox + flash

2006-12-08 Thread Nick Guenther

On 12/8/06, Vim Visual [EMAIL PROTECTED] wrote:

yes, I was aware of gnash... it sounds indeed very promising

http://blogs.zdnet.com/Stewart/index.php?p=177

in principle they should have something working with youtube and
similar format videos by next summer, even if their main goal is much
more ambitious...

thanks for the port hint... I'm installing it right now

ps... something went wrong...

Error: bad shared lib version /usr/local/lib/libcurl.so.3.4 (curl.=4)
Fatal error
*** Error code 1

Stop in /usr/ports/www/gnash (line 1523 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/gnash (line 1787 of
/usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/gnash (line 1326 of
/usr/ports/infrastructure/mk/bsd.port.mk).


mmmh... now what?

I start to understand why they encourage you to only use the package
binaries and not the ports tree...



Are you running -CURRENT? I'm very interested in this port too, but
I'm just going to wait 4 months for 4.1 to come out and for gnash to
be in packages.

-Nick



Re: OpenBSD - Vlans - CISCO

2006-12-08 Thread Michael Lockhart
Also, here's the ifconfig output.  And I didn't mean a switch running
OpenBSD, we have a gateway system running 3.2 connected to a cisco
switch ;)

vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:02:a5:13:8f:3b
vlan: 12 parent interface: fxp1
inet 172.16.4.1 netmask 0xfe00 broadcast 172.16.5.255
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:02:a5:13:8f:3b
vlan: 3 parent interface: fxp1
inet 172.16.6.1 netmask 0xfe00 broadcast 172.16.7.255
vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:02:a5:13:8f:3b
vlan: 4 parent interface: fxp1
inet 172.16.8.1 netmask 0xfe00 broadcast 172.16.9.255
vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:02:a5:13:8f:3b
vlan: 5 parent interface: fxp1
inet 172.16.10.1 netmask 0xfe00 broadcast 172.16.11.255
vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:02:a5:13:8f:3b
vlan: 11 parent interface: fxp1
inet 172.16.12.1 netmask 0xfe00 broadcast 172.16.13.255


our dhcpd.conf is like this:

-- snip --
shared-network vlan2 {
option domain-name ***.net;
option domain-name-servers 172.16.4.1;
subnet 172.16.4.0 netmask 255.255.254.0 {
option routers 172.16.4.1;
range 172.16.4.15 172.16.5.254;
}
}
shared-network vlan3 {
option domain-name ***.net;
option domain-name-servers 172.16.6.1;
subnet 172.16.6.0 netmask 255.255.254.0 {
option routers 172.16.6.1;
range 172.16.6.15 172.16.7.254;
}
}
shared-network vlan4 {
option domain-name ***.net;
option domain-name-servers 172.16.8.1;
subnet 172.16.8.0 netmask 255.255.254.0 {
option routers 172.16.8.1;
range 172.16.8.15 172.16.9.254;
}
}
shared-network vlan5 {
option domain-name ***.net;
option domain-name-servers 172.16.10.1;
subnet 172.16.10.0 netmask 255.255.254.0 {
option routers 172.16.10.1;
range 172.16.10.15 172.16.11.254;
}
}
shared-network vlan6 {
option domain-name ***.net;
option domain-name-servers 172.16.12.1;
subnet 172.16.12.0 netmask 255.255.254.0 {
option routers 172.16.12.1;
range 172.16.12.15 172.16.13.254;
}
}
-- snip --


So you can see that with the switch config, the proper vlan setup on the
interfaces, and a good dhcpd.conf, you shouldn't have any issue no
matter what version of OBSD you're running.  Just make sure your kernel
has a correct number of vlan dev's, not sure what the default limit is
on a vanilla kernel, all ours are custom built. 


Regards,
Mike Lockhart
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mike Lockhart[Systems Engineering  Operations]
StayOnline, Inc
http://www.stayonline.net/
mailto: [EMAIL PROTECTED]
GPG: 8714 6F73 3FC8 E0A4 0663  3AFF 9F5C 888D 0767 1550
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


[Fwd: [EMAIL PROTECTED] alias live]

2006-12-08 Thread Craig Skinner
- Forwarded message from Craig Skinner - Sun Remote Support Centre [EMAIL 
PROTECTED] -

From: Craig Skinner - Sun Remote Support Centre [EMAIL PROTECTED]
Subject: [Fwd: [EMAIL PROTECTED] alias live]
To: [EMAIL PROTECTED]


Hi there,

I have created a new alias/mailing list: [EMAIL PROTECTED]

This list is open to the public.

There is also an internal only [EMAIL PROTECTED] alias that is
cc'd here.

I hope that all Sun staff that follow the fish may be able to assist the
OpenBSD crew in some way, and a first step is to subscribe via
http://netadmin

External people can also be subscribed, just send the list an email and ask.

Unfortunately non-Sun addresses can only post, they do not get any
internal traffic from the list.






I work as a Tier 2 remote sys admin in one of Sun's largest factories,
in Scotland: http://www.sun.com/aboutsun/coinfo/history.html#1990

I support customers globally, eg: Alberta Uni, Sydney Uni, NY Stock
Exchange, NASA, Honda, NZ Telecom, Air Canada, Chrysler,.

Tools sets I support are patching and monitoring: Update Connection,
NetConnect, Configuration and Service Tracker, Explorer, etc, etc. -
which is probably not much help to OpenBSD related issues, other than
having a voice on the inside.

Regards,
-- 

Craig Skinner   [EMAIL PROTECTED]

Phone +44 (0) 1506 673024   5-digit shortdial:x73024

Sun Remote Support Centre, Linlithgow, Scotland, UK




Picasso Events Team

2006-12-08 Thread Picasso Middle East | Events Team
Take the Lead with Us!
www.picassome.com



Re: OpenBSD - Vlans - CISCO

2006-12-08 Thread michel bédard

Henning Brauer wrote:

* [EMAIL PROTECTED] [EMAIL PROTECTED] [2006-12-08 20:15]:
  

you need on openbsd

ifconfig vlan0 create
ifconfig vlan0 vlan 2 vlandev rl0 up



no. create is implicit.

  
This is what I already did and tried for each port configured on the 
switch:


1- interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-8
 switchport mode trunk
 spanning-tree portfast
 no cdp enable

2- And then the ports for the vlans ...
  interface FastEthernet0/2
 switchport access vlan 2
 spanning-tree portfast
 no cdp enable

I did the same for all the ports on the switch and then .. write memory.

3- This is what I have in my /etc/hostname.vlan0
  10.0.0.1 255.255.255.0 vlan 2 vlandev rl0

And the same for all the vlans ...

4- Finally the config in /etc/pf.conf for natting ...
  nat on tun0 from 10.0.0.0/24 to any -> tun0
 And again the same for all the vlans ...

So I'm using a Class C mask ... maybe I should change that? Is there 
something I should add in /etc/pf.conf?



Thank you very much for your answers,

Mik
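Debugging a trunk like this usually comes down to three things lining up: each vlan(4) interface carries exactly one 802.1Q tag and one parent device, no tag is claimed by two interfaces, and every tag is actually allowed on the switch trunk. The following Python check is an added example, not code from anyone in this thread; it parses OpenBSD ifconfig vlan commands and a Cisco trunk-port stanza and reports the mismatches. The sample inputs are constructed to mirror the commands quoted in this thread (including the vlan0 interface being given two tags); the hostname.vlanN form carries the same fields and can be fed in by prefixing the interface name.

```python
"""Cross-check OpenBSD vlan(4) ifconfig commands against a Cisco trunk port.

Reports: a vlanN name given more than one tag, a tag given to more than one
interface, vlans spread over different parent devices, and tags the trunk's
'switchport trunk allowed vlan' list does not carry.
"""
import re

# Constructed sample in the shape of the ifconfig commands posted in the
# thread; vlan0 is given two tags on purpose so the check has something to find.
SAMPLE_IFCONFIG = """\
ifconfig vlan0 10.0.0.1 vlan 2 vlandev rl0
ifconfig vlan1 10.0.1.1 vlan 3 vlandev rl0
ifconfig vlan0 10.0.2.1 vlan 4 vlandev rl0
"""

# Constructed trunk-port stanza in the form used on the Cisco side.
SAMPLE_TRUNK = """\
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2-8
 switchport mode trunk
"""

VLAN_CMD = re.compile(
    r"ifconfig\s+(?P<ifname>vlan\d+)\s+(?P<addr>\S+)\s+vlan\s+(?P<tag>\d+)"
    r"\s+vlandev\s+(?P<parent>\S+)"
)
ALLOWED = re.compile(r"switchport\s+trunk\s+allowed\s+vlan\s+(?P<spec>[\d,\-]+)")


def parse_vlan_cmds(text):
    """One dict (ifname, addr, tag, parent) per ifconfig vlan command."""
    cmds = []
    for line in text.splitlines():
        m = VLAN_CMD.search(line)
        if m:
            d = m.groupdict()
            d["tag"] = int(d["tag"])
            cmds.append(d)
    return cmds


def allowed_vlans(cisco_text):
    """Set of tags the trunk carries, e.g. '2-4,10' -> {2,3,4,10}.
    Returns None when no allowed list is configured (Cisco default: all VLANs)."""
    m = ALLOWED.search(cisco_text)
    if not m:
        return None
    tags = set()
    for part in m["spec"].split(","):
        lo, _, hi = part.partition("-")
        tags.update(range(int(lo), int(hi or lo) + 1))
    return tags


def check_vlans(cmds, allowed):
    """Return a list of human-readable findings (empty when everything lines up)."""
    findings = []
    by_name, by_tag = {}, {}
    for c in cmds:
        by_name.setdefault(c["ifname"], []).append(c["tag"])
        by_tag.setdefault(c["tag"], []).append(c["ifname"])
    for name, tags in by_name.items():
        if len(tags) > 1:
            findings.append(
                f"{name} is configured {len(tags)} times (tags "
                f"{', '.join(map(str, tags))}); only one tag can be in effect "
                f"on a vlan interface, so use a separate vlanN per tag")
    for tag, names in by_tag.items():
        if len(names) > 1:
            findings.append(f"tag {tag} is assigned to {', '.join(names)}")
    parents = {c["parent"] for c in cmds}
    if len(parents) > 1:
        findings.append(
            f"vlans spread over several parent devices: {', '.join(sorted(parents))}")
    if allowed is not None:
        for c in cmds:
            if c["tag"] not in allowed:
                findings.append(
                    f"{c['ifname']} uses tag {c['tag']}, which the trunk does not allow")
    return findings


def lint_vlans(ifconfig_text, cisco_text):
    """Parse both sides and run the checks."""
    return check_vlans(parse_vlan_cmds(ifconfig_text), allowed_vlans(cisco_text))


if __name__ == "__main__":
    for line in lint_vlans(SAMPLE_IFCONFIG, SAMPLE_TRUNK) or ["no mismatches"]:
        print(line)
```

On the sample the only finding is that vlan0 is configured twice (tags 2 and 4); tags 2, 3 and 4 are all within the trunk's allowed range 2-8 and share the parent rl0. Feeding the check a tag outside the allowed list (say tag 9 against the same trunk) produces a "trunk does not allow" finding instead.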