Re: Same NIC name to MAC mapping on FreeBSD
On my production systems, I've never seen it deviate without hardware changes. Are you seeing otherwise?

On 6/29/2015 04:23 PM, Wei Hu wrote:
> Hi,
>
> On a FreeBSD system with multiple NICs, i.e., multiple MAC addresses, is there a way to keep the same network interface name to MAC address mapping across reboot? It seems on Linux udev rule can help achieve this. Anything similar on FreeBSD?
>
> Thanks,
> Wei
> ___
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: net.inet.ip.forwarding is mysteriously set to 0
Can confirm that anything to do with netif restart on a forwarding interface also creates the same problem.

On 4/25/2015 01:46 AM, Nikos Vassiliadis wrote:
> Hi,
>
> Just saw this. Can somebody re-produce this?
>
> root@m4fh2:~ # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
> root@m4fh2:~ # ifconfig bridge0 create
> root@m4fh2:~ # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 0
>
> That's on GENERIC 10-STABLE from the day before yesterday.
>
> Thanks,
> Nikos
Re: ng_netgraph and BGP
Additionally, pmacct doesn't seem to really work in FreeBSD -- as far as the latest versions go. Their use of 'return' (with no args) on functions that are meant to return an int flat out makes it unable to compile on FreeBSD. If you fix those by hand, it compiles, but just seems to segfault -- I didn't get the time to look into it further with GDB.

There's another option that claims to be able to do the same thing (introduce BGP accounting data to normal flows - ntop's nprobe (www.ntop.org/products/nprobe/), but it's not free. I don't know if it works in FreeBSD well either.)

As to the ng_netflow hook, +1, excellent idea.

On 4/2/2015 03:08 AM, Nikolay Denev wrote:
> On Wed, Apr 1, 2015 at 12:50 PM, William Waites wrote:
>> I run a small network composed of even smaller networks each encapsulated in an autonomous system. I'd like to do traffic accounting using netflow aggregated by ASN. My border routers run FreeBSD and BIRD.
>>
>> Right now, and this is mentioned in ng_netflow(4), we do not fill in the source and destination ASN because there is no information to get this from the routing daemon's RIB. Probably if we come up with such a way it should be generic so it could be used by Quagga, BIRD or OpenBGPD.
>>
>> I've done a little bit of thinking about how this could be done, and come up with two main strategies:
>>
>> 1. A new kind of netgraph node inserted before ng_netflow knows how to query the routing daemon and decorates the packet with the result, which ng_netflow then puts into the flow packet if present. This entails either a copy (tee) or putting the lookup in the data path which may be suboptimal.
>>
>> 2. A new hook added to the ng_netflow node that allows it to query the routing daemon through a different new kind of netgraph node. This is probably better but may be slightly more complicated to implement.
>>
>> Is anyone working on this or has given this thought? I wasn't able to find much by searching the list archives.
>>
>> It may be that I will soon have some students that I can set on this task but would not like to unnecessarily duplicate effort.
>>
>> Cheers,
>> -w
>>
>> --
>> William Waites | School of Informatics
>> http://tardis.ed.ac.uk/~wwaites/ | University of Edinburgh
>> http://www.hubs.net.uk/| HUBS AS60241
>> The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
>
> Hi,
>
> It's not ng_netflow, but if you need this today you can take a look at http://www.pmacct.net ? (there is a package/port too). It comes with BGP daemon (stripped down quagga) and can export this data.
>
> --Nikolay
Re: Unremovable ARP entry and 'address already in use'
Guess was right on the money, thank you!

It turns out that there was a route for that entire /23 on another interface for some unfathomable reason. I had to turn that iface down too to remove it, but once I did so, everything is once again peachy!

Thank you!

On 3/20/2015 12:58 AM, Eric van Gyzen wrote:
> On 3/19/2015 11:20 AM, Paul S. wrote:
>> root@ipfw-0:~ # arp -d 110.62..211.87
>> arp: writing to routing socket: Invalid argument
>
> I have a vague memory of similar behavior when I had a misconfigured route. I think there was a route for a local interface address with an off-box gateway. (Don't ask. Long story. Not my fault! :) )
>
> Eric
Re: Unremovable ARP entry and 'address already in use'
I just noticed that when obfuscating the IP, I added two dots. Please excuse them, the IP is proper (110.62.211.87 for the purposes of this thread)

On 3/19/2015 11:20 AM, Paul S. wrote:
> Hi,
>
> Seeing this on 10.1-release p5.
>
> FreeBSD ipfw-0.syd.fqdn.tld 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0 r278455: Mon Feb 9 07:18:21 UTC 2015 r...@ipfw-0.syd.fqdn.tld:/usr/obj/usr/src/sys/qfkern amd64
>
> Basically, I have a static arp entry that I cannot remove. This in itself is not a problem. Problem is, when trying to assign that IP address to the same interface, it says the 'address is in use' (which it is not)
>
> ? (110.62..211.87) at 00:12:c0:88:03:8f on ix1 permanent [ethernet]
>
> Attempting to remove the entry produces an invalid argument error.
>
> root@ipfw-0:~ # arp -d 110.62..211.87
> arp: writing to routing socket: Invalid argument
>
> ix1 does not have this IP configured anymore either.
>
> ix1: flags=8843 metric 0 mtu 1500
>     description: FW Upstream 0
>     options=8400bb
>     ether 00:12:c0:88:03:8f
>     inet6 fe80::212:c0ff:fe88:38f%ix1 prefixlen 64 scopeid 0x2
>     nd6 options=21
>     media: Ethernet autoselect (10Gbase-LR )
>     status: active
>
> When I try to assign it back to ix1, I get this
>
> root@ipfw-0:~ # ifconfig ix1 inet 110.62..211.87 netmask 255.255.254.0
> ifconfig: ioctl (SIOCAIFADDR): Address already in use
>
> I've verified with the provider that there isn't an arp entry at present for this IP address, so the issue seems local to freebsd.
>
> Anyone ever see anything like this? I'm aware rebooting will fix it, but this is a live firewall and I'd rather not do that.
Unremovable ARP entry and 'address already in use'
Hi,

Seeing this on 10.1-release p5.

FreeBSD ipfw-0.syd.fqdn.tld 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0 r278455: Mon Feb 9 07:18:21 UTC 2015 r...@ipfw-0.syd.fqdn.tld:/usr/obj/usr/src/sys/qfkern amd64

Basically, I have a static arp entry that I cannot remove. This in itself is not a problem. Problem is, when trying to assign that IP address to the same interface, it says the 'address is in use' (which it is not)

? (110.62..211.87) at 00:12:c0:88:03:8f on ix1 permanent [ethernet]

Attempting to remove the entry produces an invalid argument error.

root@ipfw-0:~ # arp -d 110.62..211.87
arp: writing to routing socket: Invalid argument

ix1 does not have this IP configured anymore either.

ix1: flags=8843 metric 0 mtu 1500
    description: FW Upstream 0
    options=8400bb
    ether 00:12:c0:88:03:8f
    inet6 fe80::212:c0ff:fe88:38f%ix1 prefixlen 64 scopeid 0x2
    nd6 options=21
    media: Ethernet autoselect (10Gbase-LR )
    status: active

When I try to assign it back to ix1, I get this

root@ipfw-0:~ # ifconfig ix1 inet 110.62..211.87 netmask 255.255.254.0
ifconfig: ioctl (SIOCAIFADDR): Address already in use

I've verified with the provider that there isn't an arp entry at present for this IP address, so the issue seems local to freebsd.

Anyone ever see anything like this? I'm aware rebooting will fix it, but this is a live firewall and I'd rather not do that.
Re: FreeBSD responding with wrong receiving interface IP
Joe,

That was it, thank you! I looked over net.inet.ip and ip6, icmp never crossed my mind.

George, thank you as well.

On 3/10/2015 11:40 PM, Joe Holden wrote:
> On 10/03/2015 13:16, George Neville-Neil wrote:
>> On 10 Mar 2015, at 11:26, Paul S. wrote:
>>> Hi,
>>>
>>> I've been deploying FreeBSD as customer edge routers for customers with sites that do not require high throughput (>1g/s). Each site has two ISPs (Mostly Telstra + Verizon/Optus), and take full routes via OpenBGPd and BIRD. I use next-hop self on all received routes.
>>>
>>> The FreeBSD boxes have static routes delegating the announced IP blocks to a L3 switch down the road. i.e: route add -net 10.100.1.0/24 10.0.0.1, and then that /24 is originated via BGP to both upstreams.
>>>
>>> Things in general work fine, but I've been receiving reports of 'weird traceroute results' from my customers. Examples of this would be,
>>>
>>> 1 some.random.isp (...) (...)
>>> 2 gigabitethernet3-3.exi1.melbourne.telstra.net (203.50.77.49) 0.309 ms 0.284 ms 0.227 ms
>>> 3 bundle-ether3-100.exi-core10.melbourne.telstra.net (203.50.80.1) 1.966 ms 1.675 ms 1.852 ms
>>> 4 bundle-ether12.chw-core10.sydney.telstra.net (203.50.11.124) 16.707 ms 15.917 ms 16.360 ms
>>> 5 customer-gw.syd.ALTER.net (...) (...)
>>>
>>> This traceroute seems to claim that the packet was received over the Verizon gateway, which in reality it was not -- it was received directly over the Telstra interface, but my outbound AS-PATH towards some.random.isp uses Verizon. So FreeBSD replies back with the Verizon address.
>>>
>>> Another person having the same issue (mostly, but on OpenBSD) can be found at http://openbsd.7691.n7.nabble.com/BGP-responding-with-wrong-IP-address-td90264.html
>>>
>>> I would love to know if there's a way to fix this, or if I've missed something, or if there's something wrong in the way I set it up.
>>>
>>> Thank you for taking the time to read.
>>
>> I wonder if we could see some routing tables? That might help.
>>
>> Best,
>> George
>
> sysctl net.inet.icmp.reply_from_interface=1 will probably do what you expect.
FreeBSD responding with wrong receiving interface IP
Hi,

I've been deploying FreeBSD as customer edge routers for customers with sites that do not require high throughput (>1g/s). Each site has two ISPs (Mostly Telstra + Verizon/Optus), and take full routes via OpenBGPd and BIRD. I use next-hop self on all received routes.

The FreeBSD boxes have static routes delegating the announced IP blocks to a L3 switch down the road. i.e: route add -net 10.100.1.0/24 10.0.0.1, and then that /24 is originated via BGP to both upstreams.

Things in general work fine, but I've been receiving reports of 'weird traceroute results' from my customers. Examples of this would be,

1 some.random.isp (...) (...)
2 gigabitethernet3-3.exi1.melbourne.telstra.net (203.50.77.49) 0.309 ms 0.284 ms 0.227 ms
3 bundle-ether3-100.exi-core10.melbourne.telstra.net (203.50.80.1) 1.966 ms 1.675 ms 1.852 ms
4 bundle-ether12.chw-core10.sydney.telstra.net (203.50.11.124) 16.707 ms 15.917 ms 16.360 ms
5 customer-gw.syd.ALTER.net (...) (...)

This traceroute seems to claim that the packet was received over the Verizon gateway, which in reality it was not -- it was received directly over the Telstra interface, but my outbound AS-PATH towards some.random.isp uses Verizon. So FreeBSD replies back with the Verizon address.

Another person having the same issue (mostly, but on OpenBSD) can be found at http://openbsd.7691.n7.nabble.com/BGP-responding-with-wrong-IP-address-td90264.html

I would love to know if there's a way to fix this, or if I've missed something, or if there's something wrong in the way I set it up.

Thank you for taking the time to read.
[Solved] Re: IP fast forwarding and setkey
So, just to notify -- I got a copy of the pfsense port of OpenBGPD (available from the pfsense-tools repository -- see https://forum.pfsense.org/index.php?topic=76132.0) and TCP-MD5 indeed does work in the build.

Configuring local-address per peer is mandatory, however. I think it uses that to configure the SPDs.

Cheers!

On 9/21/2014 07:35 PM, Ermal Luçi wrote:
> On Sun, Sep 21, 2014 at 12:31 PM, Paul S. <cont...@winterei.se> wrote:
>> Ermal,
>>
>> I'd prefer a raw BSD installation (Call it a comfort thing, if you will). Has the pfSense project actually managed to patch OpenBGPD to remove its dependency on OpenBSD specific bindings for TCP_MD5? It might be worth it to just try to build their fork, if that's the case.
>>
>> Thank you for responding!
>
> Yeah OpenBGPd port of pfSense has the support for installing SPDs without setkey.
>
>> On 9/21/2014 07:26 PM, Ermal Luçi wrote:
>>> If it is an option for you, pfSense has all the hard work done for you and you can use it for such installations.
>>>
>>> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <cont...@winterei.se> wrote:
>>>> Hi folks,
>>>>
>>>> I plan to make an edge router out of a freebsd system with OpenBGPD + FreeBSD 10, or such. I've been reading up, and noticed that the net.inet.ip.fastforwarding flag provides rather nice performance benefits.
>>>>
>>>> My issue is, my upstream networks insist on using TCP MD5 authentication on their BGP sessions. This is fine, except on FreeBSD -- I'm going to have to use the setkey utility to set those since native PF_KEY support for OpenBGPD does not seem available.
>>>>
>>>> Now, since setkey is part of IPSec, and there are countless warnings about using IPSec and fastforwarding together in the manpage, am I correct in assuming that this will not work if I have fastforwarding enabled? Is there any way to make it work?
>>>>
>>>> Quagga, from what I've read, seems to also be in the same boat (Usage of setkey required for TCP MD5). I tried searching the manpages, but couldn't locate anything concrete on this.
>>>>
>>>> Any assistance/replies are welcome.
>>>>
>>>> Thank you!
>>>
>>> --
>>> Ermal
>
> --
> Ermal
Re: IP fast forwarding and setkey
Interesting. Would you happen to know where I could obtain sources to their version of OpenBGPD, then?

Thanks!

On 9/21/2014 07:35 PM, Ermal Luçi wrote:
> On Sun, Sep 21, 2014 at 12:31 PM, Paul S. <cont...@winterei.se> wrote:
>> Ermal,
>>
>> I'd prefer a raw BSD installation (Call it a comfort thing, if you will). Has the pfSense project actually managed to patch OpenBGPD to remove its dependency on OpenBSD specific bindings for TCP_MD5? It might be worth it to just try to build their fork, if that's the case.
>>
>> Thank you for responding!
>
> Yeah OpenBGPd port of pfSense has the support for installing SPDs without setkey.
>
>> On 9/21/2014 07:26 PM, Ermal Luçi wrote:
>>> If it is an option for you, pfSense has all the hard work done for you and you can use it for such installations.
>>>
>>> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <cont...@winterei.se> wrote:
>>>> Hi folks,
>>>>
>>>> I plan to make an edge router out of a freebsd system with OpenBGPD + FreeBSD 10, or such. I've been reading up, and noticed that the net.inet.ip.fastforwarding flag provides rather nice performance benefits.
>>>>
>>>> My issue is, my upstream networks insist on using TCP MD5 authentication on their BGP sessions. This is fine, except on FreeBSD -- I'm going to have to use the setkey utility to set those since native PF_KEY support for OpenBGPD does not seem available.
>>>>
>>>> Now, since setkey is part of IPSec, and there are countless warnings about using IPSec and fastforwarding together in the manpage, am I correct in assuming that this will not work if I have fastforwarding enabled? Is there any way to make it work?
>>>>
>>>> Quagga, from what I've read, seems to also be in the same boat (Usage of setkey required for TCP MD5). I tried searching the manpages, but couldn't locate anything concrete on this.
>>>>
>>>> Any assistance/replies are welcome.
>>>>
>>>> Thank you!
>>>
>>> --
>>> Ermal
>
> --
> Ermal
Re: IP fast forwarding and setkey
Ermal,

I'd prefer a raw BSD installation (Call it a comfort thing, if you will). Has the pfSense project actually managed to patch OpenBGPD to remove its dependency on OpenBSD specific bindings for TCP_MD5? It might be worth it to just try to build their fork, if that's the case.

Thank you for responding!

On 9/21/2014 07:26 PM, Ermal Luçi wrote:
> If it is an option for you, pfSense has all the hard work done for you and you can use it for such installations.
>
> On Sun, Sep 21, 2014 at 12:08 PM, Paul S. <cont...@winterei.se> wrote:
>> Hi folks,
>>
>> I plan to make an edge router out of a freebsd system with OpenBGPD + FreeBSD 10, or such. I've been reading up, and noticed that the net.inet.ip.fastforwarding flag provides rather nice performance benefits.
>>
>> My issue is, my upstream networks insist on using TCP MD5 authentication on their BGP sessions. This is fine, except on FreeBSD -- I'm going to have to use the setkey utility to set those since native PF_KEY support for OpenBGPD does not seem available.
>>
>> Now, since setkey is part of IPSec, and there are countless warnings about using IPSec and fastforwarding together in the manpage, am I correct in assuming that this will not work if I have fastforwarding enabled? Is there any way to make it work?
>>
>> Quagga, from what I've read, seems to also be in the same boat (Usage of setkey required for TCP MD5). I tried searching the manpages, but couldn't locate anything concrete on this.
>>
>> Any assistance/replies are welcome.
>>
>> Thank you!
>
> --
> Ermal
IP fast forwarding and setkey
Hi folks,

I plan to make an edge router out of a freebsd system with OpenBGPD + FreeBSD 10, or such. I've been reading up, and noticed that the net.inet.ip.fastforwarding flag provides rather nice performance benefits.

My issue is, my upstream networks insist on using TCP MD5 authentication on their BGP sessions. This is fine, except on FreeBSD -- I'm going to have to use the setkey utility to set those since native PF_KEY support for OpenBGPD does not seem available.

Now, since setkey is part of IPSec, and there are countless warnings about using IPSec and fastforwarding together in the manpage, am I correct in assuming that this will not work if I have fastforwarding enabled? Is there any way to make it work?

Quagga, from what I've read, seems to also be in the same boat (Usage of setkey required for TCP MD5). I tried searching the manpages, but couldn't locate anything concrete on this.

Any assistance/replies are welcome.

Thank you!
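
[Added example, not part of the original thread and not code from OpenBGPD or pfSense] The setkey route described in the message above needs one TCP-MD5 security association per direction for every BGP peer; this sketch generates that setkey(8) input from a peer list. The function name gen_tcpmd5_sas, the RFC 5737 addresses and the placeholder keys are assumptions; the SPI 0x1000 follows the tcp-md5 example in setkey(8).

```shell
#!/bin/sh
# Added example: build setkey(8) input for TCP-MD5 (RFC 2385) BGP sessions.
# Input format (one session per line): <local-addr> <peer-addr> <key>
# Addresses below are RFC 5737 documentation addresses, keys are placeholders.

SPI=0x1000   # SPI used by the tcp-md5 example in setkey(8)

gen_tcpmd5_sas() {
    # Reads session definitions on stdin, writes setkey "add" commands on stdout.
    # Returns non-zero if any line was rejected, so a partly broken peer list
    # is noticed before the output is loaded into the kernel.
    rc=0
    while read -r laddr peer key extra; do
        # Skip blank lines and comments.
        case "$laddr" in ''|'#'*) continue ;; esac
        # Exactly three fields are required; a key containing whitespace
        # shows up as a fourth field and is rejected here as well.
        if [ -z "$peer" ] || [ -z "$key" ] || [ -n "$extra" ]; then
            echo "rejected: malformed line starting with '$laddr'" >&2
            rc=1
            continue
        fi
        # A quote or semicolon in the key would break out of the quoted
        # string in the generated setkey command.
        case "$key" in
            *'"'*|*';'*)
                echo "rejected: key for peer $peer contains a quote or semicolon" >&2
                rc=1
                continue ;;
        esac
        # One SA per direction: the first covers segments we send to the peer,
        # the second covers segments the peer sends to us.
        printf 'add %s %s tcp %s -A tcp-md5 "%s" ;\n' "$laddr" "$peer" "$SPI" "$key"
        printf 'add %s %s tcp %s -A tcp-md5 "%s" ;\n' "$peer" "$laddr" "$SPI" "$key"
    done
    return "$rc"
}

# Constructed sample input: two upstream sessions.
gen_tcpmd5_sas <<'EOF'
# local-addr   peer-addr      key
192.0.2.1      192.0.2.2      PLACEHOLDER_KEY_A
198.51.100.1   198.51.100.2   PLACEHOLDER_KEY_B
EOF
```

The generated lines can be piped to `setkey -c` or saved to a file for `setkey -f`; keep that file readable by root only, since it holds the session keys in clear text.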