Re: silence logging of dhcpd deny unknown-clients
> Is there any way to silence these logs? I only want to hand out a
> small number of IPv4 addresses on my IPv6 network to those machines
> that won't function properly without them. That leaves many machines
> on my network constantly requesting IPv4 addresses, and dhcpd is
> clogging my /var/log/daemon file:
>
>> ... dhcpd[13399]: DHCPDISCOVER from xx:xx:xx:xx:xx:xx via igc3
>> ... dhcpd[13399]: no free leases on subnet 192.168.3.0
>
> ... over and over and over again.
>
> I didn't see any logging options in dhcpd(8) or dhcpd.conf(5).

I wasn't able to figure out how to silence specific messages from a given daemon at a specific level. I read up on syslog.conf(5) and saw that I could silence all warnings from dhcpd, but I don't want to do that, just those for this specific directive.

In the meantime, I realized that my list of machines that need IPv4 addresses is so small I'm probably better off statically assigning those machines their addresses instead of running dhcpd at all, so I've done that.

If there is a way to silence a log message from a "facility" at a given "level" without affecting other messages at the same "facility" and "level," I'd be curious to know, as I'm sure I'll run into this issue again with something else.
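One way to keep the repeated pairs out of the way without touching syslog.conf is to post-filter the daemon log and tally the hosts that are never served. This is an added example, not code from the thread; the log lines are constructed to match the two dhcpd message formats quoted above, and the hostname, timestamps and the ntpd line are made up.

```python
"""Collapse repeated DHCPDISCOVER / "no free leases" pairs from dhcpd so the
rest of /var/log/daemon stays readable, and count how often each unserved
host keeps asking.  Added example; the sample log is constructed to match
the two message formats quoted in the thread."""
import re
from collections import Counter

DISCOVER_RE = re.compile(r"dhcpd\[\d+\]: DHCPDISCOVER from ([0-9a-f:]{17}) via (\S+)")
NO_LEASE_RE = re.compile(r"dhcpd\[\d+\]: no free leases on subnet (\S+)")

# Constructed sample: one host nobody serves (asks three times), one host that
# does get an offer, and an unrelated ntpd line that must survive untouched.
SAMPLE_LOG = """\
Mar 18 12:00:01 cerberus dhcpd[13399]: DHCPDISCOVER from 00:11:22:33:44:55 via igc3
Mar 18 12:00:01 cerberus dhcpd[13399]: no free leases on subnet 192.168.3.0
Mar 18 12:00:03 cerberus ntpd[4242]: adjusting local clock by 0.012s
Mar 18 12:00:09 cerberus dhcpd[13399]: DHCPDISCOVER from 00:11:22:33:44:55 via igc3
Mar 18 12:00:09 cerberus dhcpd[13399]: no free leases on subnet 192.168.3.0
Mar 18 12:00:10 cerberus dhcpd[13399]: DHCPDISCOVER from 66:77:88:99:aa:bb via igc3
Mar 18 12:00:10 cerberus dhcpd[13399]: DHCPOFFER on 192.168.3.20 to 66:77:88:99:aa:bb via igc3
Mar 18 12:00:17 cerberus dhcpd[13399]: DHCPDISCOVER from 00:11:22:33:44:55 via igc3
Mar 18 12:00:17 cerberus dhcpd[13399]: no free leases on subnet 192.168.3.0
""".splitlines()


def squelch_dhcpd(lines):
    """Return (kept_lines, asks).

    A DHCPDISCOVER directly followed by "no free leases" is one unserved
    request: the first pair per (mac, subnet) is kept so the event stays on
    record, later repeats are dropped and tallied in `asks`.  Every other
    line, including DISCOVERs that do get an offer, passes through.
    """
    kept, seen, asks = [], set(), Counter()
    pending = None  # (line, mac, iface) of a DISCOVER awaiting its verdict
    for line in lines:
        m = DISCOVER_RE.search(line)
        if m:
            if pending:  # previous DISCOVER had no verdict: keep it as-is
                kept.append(pending[0])
            pending = (line, m.group(1), m.group(2))
            continue
        m = NO_LEASE_RE.search(line)
        if m and pending:
            key = (pending[1], m.group(1))
            asks[key] += 1
            if key not in seen:
                seen.add(key)
                kept.extend([pending[0], line])
            pending = None
            continue
        if pending:  # DISCOVER answered by something else (e.g. an OFFER)
            kept.append(pending[0])
            pending = None
        kept.append(line)
    if pending:
        kept.append(pending[0])
    return kept, asks


if __name__ == "__main__":  # on a router: feed it the lines of /var/log/daemon
    kept, asks = squelch_dhcpd(SAMPLE_LOG)
    print("\n".join(kept), dict(asks), sep="\n")
```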
Re: configure rad for ULA addresses
Ok, think I figured it out. My core problem was that I was assigning prefixes manually in rad.conf, then assigning each interface an address *in the same prefix*. This created some kind of conflict, the nature of which I still don't fully understand. This was the key line I missed in rad.conf(5):

> The default is to discover prefixes to announce by inspecting the IPv6
> addresses configured on an interface.

So as long as my interface has both addresses assigned in their respective prefixes, rad can serve those without any extra configuration.

Here's my final /etc/hostname.igc1:

```
inet 192.168.1.1 255.255.255.0 NONE
inet6 autoconf
inet6 alias fdd0:c720:85fa:100::1 64
```

And my final /etc/rad.conf:

```
interface igc1 {
	dns {
		nameserver {
			fdd0:c720:85fa:100::1
		}
	}
}
```

Now devices on my network are getting both GUA and ULA addresses assigned automatically through SLAAC.
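A quick cross-check that would have caught the misplaced alias earlier in the thread: list the static prefixes rad will discover on each interface it serves, and flag a ULA that sits on an interface rad does not serve or a prefix that is not a /64. This is an added example, not part of the thread; the hostname.if and rad.conf contents are constructed from the ones posted, and the check only sees static aliases, not prefixes that arrive through autoconf.

```python
"""Cross-check rad.conf against hostname.if files: rad announces the prefixes
of the IPv6 addresses configured on an interface, so a ULA alias on the wrong
interface is never announced.  Added example, not part of the thread; only
static addresses are visible here, autoconf/PD prefixes are not."""
import ipaddress
import re

INTERFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*\{", re.M)

# Constructed from the configs posted in the thread.
RAD_CONF = "interface igc1 {\n\tdns {\n\t\tnameserver {\n\t\t\tfdd0:c720:85fa:100::1\n\t\t}\n\t}\n}\n"
BEFORE = {  # ULA alias on the ISP-facing igc0 while rad serves igc1
    "igc0": "inet autoconf\ninet6 autoconf\ninet6 alias fdd0:c720:85fa:100::1 64\n",
    "igc1": "inet 192.168.1.1 255.255.255.0 NONE\ninet6 autoconf\n",
}
AFTER = {  # the working layout: alias on the LAN interface rad serves
    "igc0": "inet autoconf\ninet6 autoconf\n",
    "igc1": "inet 192.168.1.1 255.255.255.0 NONE\ninet6 autoconf\n"
            "inet6 alias fdd0:c720:85fa:100::1 64\n",
}


def static_inet6_prefixes(hostname_if):
    """Networks of the static inet6 addresses in one hostname.if file."""
    prefixes = set()
    for line in hostname_if.splitlines():
        parts = line.split()
        # "inet6 [alias] ADDR PREFIXLEN"; "inet6 autoconf" carries no address
        if len(parts) >= 3 and parts[0] == "inet6" and parts[1] != "autoconf":
            net = ipaddress.ip_interface(f"{parts[-2]}/{parts[-1]}").network
            if not net.is_link_local:
                prefixes.add(net)
    return prefixes


def check_rad(rad_conf, hostname_files):
    """Return (plan, problems): prefixes rad will announce per interface, and
    layouts that cannot work the way the thread expected."""
    rad_ifaces = INTERFACE_RE.findall(rad_conf)
    plan, problems = {}, []
    for ifname in rad_ifaces:
        plan[ifname] = static_inet6_prefixes(hostname_files.get(ifname, ""))
        if not plan[ifname]:
            problems.append(f"{ifname}: served by rad but has no static IPv6 "
                            "address, so only autoconf prefixes (if any) can "
                            "be announced")
    for ifname, text in hostname_files.items():
        for net in static_inet6_prefixes(text):
            if net.is_private and ifname not in rad_ifaces:
                problems.append(f"{ifname}: ULA {net} lives here, but rad "
                                "does not serve this interface")
            if net.prefixlen != 64:
                problems.append(f"{ifname}: {net} is not a /64; many clients "
                                "will not form SLAAC addresses from it")
    return plan, problems


if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        plan, problems = check_rad(RAD_CONF, files)
        print(label, {k: sorted(map(str, v)) for k, v in plan.items()}, problems)
```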
silence logging of dhcpd deny unknown-clients
Is there any way to silence these logs? I only want to hand out a small number of IPv4 addresses on my IPv6 network to those machines that won't function properly without them. That leaves many machines on my network constantly requesting IPv4 addresses, and dhcpd is clogging my /var/log/daemon file:

> ... dhcpd[13399]: DHCPDISCOVER from xx:xx:xx:xx:xx:xx via igc3
> ... dhcpd[13399]: no free leases on subnet 192.168.3.0

... over and over and over again.

I didn't see any logging options in dhcpd(8) or dhcpd.conf(5).
Re: How to exit cu?
Before I learned about the tilde sequences, I just unplugged the USB adapter. That quits cu. Worked in my case since my device was under its own power. FYI.
Re: configure rad for ULA addresses
> To reach the internet from ULA addresses you'll need NAT.
> Alternatively use *both* global and ULA prefixes in rad.conf (or I
> think you can use auto prefix). But I don't think you've got that far
> yet.

I was planning on using the ULAs for internal addressing only, and doing port-forwarding from pf for external services. I'd like all devices to have both GUA and ULA addresses, but devices on the network would refer to each other using ULA to safeguard against my ISP changing my prefix delegation (which has already happened once in the past few days).

> Better to show what's actually configured (ifconfig -A, rad.conf,
> netstat -rnfinet6, etc).

For context, my OpenBSD router (cerberus) has four interfaces: igc0 (connected to ISP #1), igc1, igc2 (unused), & igc3. My test client is another laptop running OpenBSD (vulpes) that has a hardwired connection to the igc3 interface. Public-facing IPs & ports have been redacted.

```
cerberus# cat /etc/hostname.igc0
inet autoconf
inet6 autoconf
inet6 alias fdd0:c720:85fa:100::1 64

cerberus# cat /etc/hostname.igc1
inet 192.168.1.1 255.255.255.0 NONE
inet6 autoconf

cerberus# cat /etc/hostname.igc2
inet autoconf
inet6 autoconf

cerberus# cat /etc/hostname.igc3
inet6 autoconf

cerberus# netstat -rnfinet6
Routing tables

Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
default fe80::ee7c:5cff:fe1c:3bce%igc0 UGS1 724 - 8 igc0
::/96 ::1 UGRS 00 32768 8 lo0
::1 ::1 UHhl 11 22 32768 1 lo0
:::0.0.0.0/96 ::1 UGRS 00 32768 8 lo0
gua1::601:15::c1f a8:b8:e0:01:d0:51 UHLl 03 - 1 igc0
gua1::454e:cf00::/56 ::1 UGR02 3276856 lo0
gua1::454e:cf00::/64 gua1::454e:cf00::1 UCn47 - 4 igc1
gua1::454e:cf00::1 a8:b8:e0:01:d0:52 UHLl 0 38 - 1 igc1
gua1::454e:cf00:1155:d278:71b7:acf7 00:e0:4c:11:22:b5 UHLc 0 331 - 3 igc1
gua1::454e:cf00:265e:beff:fe68:5f61 24:5e:be:68:5f:61 UHLc 0 200 - 3 igc1
gua1::454e:cf00:28df:b561:3fea:f448 5c:1b:f4:7c:c0:6a UHLc 1 284 - 3 igc1
gua1::454e:cf00:50af:f07a:55d9:61ff 5c:1b:f4:7c:c0:6a UHLc 0 15 - 3 igc1
gua1::454e:cf02::/64 gua1::454e:cf02::1 UCn00 - 4 igc3
gua1::454e:cf02::1 a8:b8:e0:01:d0:54 UHLl 00 - 1 igc3
2002::/24 ::1 UGRS 00 32768 8 lo0
2002:7f00::/24 ::1 UGRS 00 32768 8 lo0
2002:e000::/20 ::1 UGRS 00 32768 8 lo0
2002:ff00::/24 ::1 UGRS 00 32768 8 lo0
fdd0:c720:85fa:100::/64 fdd0:c720:85fa:100::1 UCn00 - 4 igc0
fdd0:c720:85fa:100::1 a8:b8:e0:01:d0:51 UHLl 0 1063 - 1 igc0
fe80::/10 ::1 UGRS 04 32768 8 lo0
fec0::/10 ::1 UGRS 00 32768 8 lo0
fe80::%igc0/64 fe80::aab8:e0ff:fe01:d051%igc0 UCn11 - 4 igc0
fe80::aab8:e0ff:fe01:d051%igc0 a8:b8:e0:01:d0:51 UHLl 0 16 - 1 igc0
fe80::ee7c:5cff:fe1c:3bce%igc0 ec:7c:5c:1c:3b:ce UHLch 1 50 - 3 igc0
fe80::%igc1/64 fe80::aab8:e0ff:fe01:d052%igc1 UCn36 - 4 igc1
fe80::2e:233a:e1fc:f8b0%igc1 5c:1b:f4:7c:c0:6a UHLc 0 95 - 3 igc1
fe80::1836:c7a0:e2cb:777%igc1 00:e0:4c:11:22:b5 UHLc 0 60 - 3 igc1
fe80::265e:beff:fe68:5f61%igc1 24:5e:be:68:5f:61
```
Re: configure rad for ULA addresses
> I can ping6 back to my router using the IPv6 address in the prefix
> delegation from my ISP, but I cannot seem to do the same for the
> addresses in my ULA prefix.

I can see neighbor solicitation requests from my clients for the ULA gateway address, but I see no neighbor advertisements sent in response:

```
tcpdump -i igc3 ether host xx:xx:xx:xx:xx:xx and ip6
```

I see neighbor advertisements sent in response for GUA addresses. I strongly suspect I'm missing some key piece of configuration or information, but I can't see what. :(
Re: configure rad for ULA addresses
>> interface igc1 {
>> 	prefix fdbf:e79a:8e3e::/48
>
> lesser operating systems will refuse to form autoconf addresses if the
> prefix length is not 64.

Thanks, this was helpful. I got addresses allocated on client machines, but they don't seem routable. I can ping6 back to my router using the IPv6 address in the prefix delegation from my ISP, but I cannot seem to do the same for the addresses in my ULA prefix.

I was following this guide: https://www.kuon.ch/post/2022-03-15-openbsd-dhcp-pd/

I modified my /etc/dhcpcd_up.sh to read

```
route sourceaddr -ifp igc0
```

... where igc0 is my ISP-facing interface. I assigned a static ULA to the same interface as an alias. Not sure if that's relevant, but it felt relevant to mention.

On the router, netstat -rn shows a route to my client in the ISP prefix, but no route in my ULA prefix. Is there something additional I need to do to enable communication over addresses in my ULA prefix?
configure rad for ULA addresses
I'm not sure how to configure rad (or if rad is the right program) to help my devices autoconfigure ULA addresses in a given prefix (generated from https://www.unique-local-ipv6.com). I am debugging a new ISP and need to switch between two ISPs without disrupting communication between my network devices.

I didn't see anything in rad.conf(5) that would help, other than setting a prefix option in my interface configuration. I tried

```
interface igc1 {
	prefix fdbf:e79a:8e3e::/48
}
```

... and restarted rad but devices that connect don't seem to get addresses in that prefix. Would appreciate any help and guidance I could get. Thanks!
Re: unbound signature expired
> ... however I'm getting different errors now for the Slack-group
> specific URLs:
>
> ...
>
> validation failure : signatures from unknown keys
> from 2620:fe::fe

Was able to fix this by running `unbound-anchor` after fixing my system clock. I think everything is working normally now. Thanks!
Re: unbound signature expired
> You can use rdate to jump the clock instead.

That updated my system clock to the correct time. dig queries against Slack now work as expected, however I'm getting different errors now for the Slack-group specific URLs:

```
# dig @::1 kubernetes.slack.com

; <<>> DiG 9.10.6 <<>> kubernetes.slack.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50998
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 09 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 6b 75 62 65 72 6e 65 74 65 73 2e 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e 61 74 75 72 65 73 20 66 72 6f 6d 20 75 6e 6b 6e 6f 77 6e 20 6b 65 79 73 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("..validation failure : signatures from unknown keys from 2620:fe::fe")
;; QUESTION SECTION:
;kubernetes.slack.com. IN A

;; Query time: 20 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Mar 18 13:46:54 PDT 2024
;; MSG SIZE rcvd: 149
```

Again, querying directly from Quad9 works. Any idea what's going on here?
Re: unbound signature expired
> Wild guess, your time is off.

Huh, I think you're right. `date` shows me 7 hours ahead of my timezone. I restarted ntpd and I see no errors in /var/log/daemon, but the time is still off. I should be 1200 PDT but it's showing me as 1900 PDT (not UTC). What do I do to fix this? Pretty sure I had set my timezone to America/Los_Angeles when I installed OpenBSD.
unbound signature expired
I have an unbound server using Quad9 as an upstream DNS provider. I have been unable to resolve records from slack.com recently using my local unbound. On the server:

```
# dig @::1 slack.com

; <<>> dig 9.10.8-P1 <<>> @::1 slack.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54174
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e 61 74 75 72 65 20 65 78 70 69 72 65 64 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("validation failure : signature expired from 2620:fe::fe")
;; QUESTION SECTION:
;slack.com. IN A

;; Query time: 26 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon Mar 18 18:02:25 PDT 2024
;; MSG SIZE rcvd: 116
```

But when I try to query Quad9 directly, it works:

```
# dig @2620:fe::fe slack.com

; <<>> dig 9.10.8-P1 <<>> slack.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2705
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;slack.com. IN A

;; ANSWER SECTION:
slack.com. 10 IN A 35.81.85.251
slack.com. 10 IN A 44.234.235.93
slack.com. 10 IN A 54.70.179.16
slack.com. 10 IN A 44.237.180.172
slack.com. 10 IN A 52.89.90.67
slack.com. 10 IN A 54.245.50.245
slack.com. 10 IN A 54.188.33.22
slack.com. 10 IN A 54.71.95.193
slack.com. 10 IN A 35.82.91.193

;; Query time: 2 msec
;; SERVER: 2620:fe::fe#53(2620:fe::fe)
;; WHEN: Mon Mar 18 18:05:05 PDT 2024
;; MSG SIZE rcvd: 182
```

I've tried

- `unbound-control reload`
- `unbound-control flush slack.com`
- `unbound-anchor`

... and there's no change. All other domains I've tried work.

I am using one of StevenBlack's block lists and I changed that recently (from one list to another one), if that's relevant. I tried removing the block list entirely and saw no change.

Here's my unbound.conf:

```
server:
	interface: ::1
	interface: :::::
	do-ip6: yes
	ede: yes
	do-nat64: yes
	access-control: ::0/0 refuse
	access-control: ::1 allow
	access-control: ::::: allow
	access-control: 192.168.1.0/32 allow
	access-control: :::5700::/64 allow
	access-control: :::5702::/64 allow
	do-not-query-localhost: no
	hide-identity: yes
	hide-version: yes
	auto-trust-anchor-file: "/var/unbound/db/root.key"
	val-log-level: 2
	aggressive-nsec: yes
	private-address: ::1/128
	private-address: :::0:0/96
	private-address: fd00::/8
	private-address: fe80::/10
	module-config: "dns64 validator iterator"
	include: /etc/unwind.conf.deny

remote-control:
	control-enable: yes
	control-interface: /var/run/unbound.sock

forward-zone:
	name: "."
	forward-addr: 2620:fe::fe
```

This feels like a caching issue to me, but I don't know what to do to resolve it. Unbound logs show the same error from the failing dig command. Would appreciate any help.
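The two SERVFAILs in this thread carry different Extended DNS Errors (RFC 8914): the original post's dig decodes it as EDE 7, the later reply's older dig prints the raw option as OPT=15 with the 2-byte code in front of the text. Reading the code first tells you whether to look at the clock or at the trust anchor before flushing anything. Added example, not code from the thread; it embeds the relevant lines of the two dig outputs quoted in these messages, and the hint table is this example's own summary.

```python
"""Decode the Extended DNS Error (EDE, RFC 8914) that dig prints in the OPT
pseudosection of a SERVFAIL, so a DNSSEC failure can be classified before
anything is flushed or restarted.  Added example, not from the thread; the
dig excerpts are copied from the messages above (older dig prints the raw
option as OPT=15 with the 2-byte INFO-CODE in front, newer dig decodes it)."""
import re
from typing import Optional

# RFC 8914 INFO-CODE registry, the subset relevant to validation failures.
EDE_NAMES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate",
    6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
    9: "DNSKEY Missing", 10: "RRSIGs Missing", 11: "No Zone Key Bit Set",
    12: "NSEC Missing", 13: "Cached Error", 22: "No Reachable Authority",
}
# First thing to check on the resolver host for each validation code.
HINTS = {
    7: "resolver clock ahead of real time (or a stale cached RRSIG)",
    8: "resolver clock behind real time",
    9: "trust anchor / DNSKEY chain problem; refresh the root key",
    6: "answer failed validation; compare with a direct upstream query",
}
# newer dig: code already decoded, hex is EXTRA-TEXT only
_EDE_RE = re.compile(r"^; EDE: (\d+) \([^)]*\):\s*([0-9a-f ]+?)\s*(?:\(|$)", re.M)
# older dig: raw option 15, hex is INFO-CODE + EXTRA-TEXT
_OPT15_RE = re.compile(r"^; OPT=15:\s*([0-9a-f ]+?)\s*(?:\(|$)", re.M)

# Relevant lines of the two dig outputs quoted in the thread.
DIG_SIGNATURE_EXPIRED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54174
; EDNS: version: 0, flags:; udp: 1232
; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e 61 74 75 72 65 20 65 78 70 69 72 65 64 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("validation failure ...")
"""
DIG_UNKNOWN_KEYS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50998
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 09 76 61 6c 69 64 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 20 3c 6b 75 62 65 72 6e 65 74 65 73 2e 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e 3a 20 73 69 67 6e 61 74 75 72 65 73 20 66 72 6f 6d 20 75 6e 6b 6e 6f 77 6e 20 6b 65 79 73 20 66 72 6f 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("..validation failure ...")
"""


def decode_ede_option(raw: bytes):
    """Split a raw EDE option body into (INFO-CODE, EXTRA-TEXT)."""
    if len(raw) < 2:
        raise ValueError("EDE option shorter than its 2-byte INFO-CODE")
    return int.from_bytes(raw[:2], "big"), raw[2:].decode("utf-8", "replace")


def ede_from_dig(output: str) -> Optional[dict]:
    """Find the EDE in dig output (either rendering) and classify it."""
    m = _EDE_RE.search(output)
    if m:
        code = int(m.group(1))
        text = bytes.fromhex(m.group(2)).decode("utf-8", "replace")
    else:
        m = _OPT15_RE.search(output)
        if not m:
            return None  # no EDE present: not a validator-reported failure
        code, text = decode_ede_option(bytes.fromhex(m.group(1)))
    return {"code": code, "name": EDE_NAMES.get(code, "Unassigned"),
            "text": text, "hint": HINTS.get(code, "see RFC 8914")}
```

Paste the full output of a failing `dig @::1 name` into `ede_from_dig` and the returned `code`/`hint` separate the clock problem from the trust-anchor problem without guessing.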
Re: pf nat64 rule not matching
> I don't think there is at present. There are no "only use v4" or "only
> use v6" addresses modifiers, and pf isn't figuring out for itself that
> it only makes sense to use addresses from the relevant family for
> af-to translation addresses (although it _does_ do this for nat-to).

Good to know. I was able to get this working by using ($wan) instead of ($wan:0), fwiw.

> Ah I meant that the router should not use the local unbound dns64
> resolver for its own traffic - otherwise it won't be able to reach v4
> hosts because there won't be anything to handle the translation.
> Either point it off-machine (ISP or public resolver) or run another
> local resolver for its own traffic.

Ah, that makes sense. I was totally doing this. *facepalm* I've changed it to use Quad9. Thanks for the follow-up!

> Please keep replies on the mailing list.

My bad! Still getting used to the `mail` client and how this mailing list operates in general, and I see now the default behavior is to do a reply-all that includes your personal email in addition to the mailing list. Apologies!
Re: pf nat64 rule not matching
> Try changing ($wan:0) to $(wan) and see what happens.

Huh, that worked! Thanks!
Re: replying to mailing list message after subscribing
> you should be able to reply to the copy in your "sent" folder

Good to know.

> I just re-sent the original messages to your new address so you should
> now have a copy to reply to.

Thanks! Is that something you can do because you're a list administrator or something? Still wondering if there is a way to do this without asking someone to resend an email.
Re: pf nat64 rule not matching
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
> af-to inet from "actual IP on igc0"/32

This worked! Specifically, I think the ($wan:0) was the problem. I could've sworn I tried this with the actual IP and it wasn't working before, but I might've deleted the inet6 at that point, so maybe I created a new problem then... which you also pointed out:

> I am suspecting that the missing inet6 may lead to some confusion.

Is there a way to configure this without hard-coding my IPv4 address? I do not think my IPv4 address from my ISP is static, thus my original interest in the ($wan:0) form.

> Alternatively, remove the block rules; URPF may be an issue here, if
> you lack a route for the /96.

I had tried commenting out all of the block rules and saw no change. Tcpdump also showed no blocks, fwiw.

> Regarding the other rules and tests, the ::1 rule is wrong, packets
> outgoing on the network won't have a ::1 address, try "!received-on
> any", and packets sourced from the router itself won't hit the af-to
> rule so tests need to be from another machine (and probably best use
> different DNS servers not doing dns64 on the router).

Thanks for this follow-up. You're right that I was trying to only target traffic that originated from the router itself with this rule. I had figured out that the tests needed to be from another machine, though that did take me a while. What are the reasons for doing dns64 on a different machine?
replying to mailing list message after subscribing
Apologies for the newbie question: I'm new to mailing lists. ;D

I sent a message to this list earlier from a ProtonMail account, and none of the replies have arrived (not even in Junk), even though I see there are replies via the web archive... so I don't have a message to reply to. I've since subscribed to this mailing list on a different email account where I can author messages on the command line instead of through a web interface, but there have been no new replies on my original message since I subscribed, so I still don't have a message to reply to.

How do I send a reply to a thread I have no messages from in my inbox? I'm using the `mail` command. I couldn't find anything that seemed helpful from the majordomo help commands, nor through online searching. I see there are "In-Reply-To" headers on other messages I've received from the mailing list, but they seem like generated values, and as I don't have any messages from the thread I want to reply to I don't know what to set for that.

The thread I want to reply to is titled (started in the last 24 hours):

Re: pf nat64 rule not matching

I know someone could reply to that thread and I'd get it in my inbox and could reply from there, but I am curious how I would do this without that kind of intervention, in case there are other messages that predate my subscription that I'd want to reply to. Thanks for the help!
pf nat64 rule not matching
Hello,

I'm trying to get a basic OpenBSD NAT64 router setup. I'm following along with these instructions:

- https://blog.obtusenet.com/dns64-nat64-on-openbsd/

My unbound instance looks like it's correctly configured and returning correct IPv6 addresses, so that's good.

```
# dig ipv4.google.com +short
ipv4.l.google.com.
64:ff9b::8efa:bc0e
```

However, the pf rule using af-to does not appear to do anything and I haven't been able to figure out why. When I try to ping6, I get 100% packet loss. I inspected packets through tcpdump (after adding "log" to everything in pf.conf) and nothing seems to be getting blocked, though it also appears the 64:ff9b::/96 addresses are not being translated either; I think the packets are passing through pf unchanged (the rule doesn't apply, but I don't know why).

Here is my entire pf.conf:

```
wan = "igc0"
trusted = "igc1"
untrusted = "igc2"
iot = "igc3"
cerberus_ssh = "36285"

table <martians> persist file "/etc/martians"

set block-policy drop
set loginterface egress
set skip on lo0

block in log quick from urpf-failed
block in log quick on egress from <martians> to any
block return out log quick on egress from any to <martians>
block return log all
pass

# allow IPv6 PD from ISP
pass in inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/10 port dhcpv6-client no state

# allow ICMPv6 traffic (necessary for IPv6 to work)
pass inet6 proto icmp6 all

# perform nat64 (NOT WORKING)
pass in to 64:ff9b::/96 af-to inet from ($wan:0)

# allow outbound queries from local unbound and NTP
pass out inet6 proto { tcp, udp } from ::1 to port { domain, ntp }

# allow DNS & NTP queries from the iot network
pass in on $iot proto { tcp, udp } from $iot:network to port { domain, ntp }

# allow ssh, http, & https
pass inet6 proto tcp to port { ssh, http, https, $cerberus_ssh }
```

I have IP forwarding turned on:

```
# sysctl | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=1
```

I have an IPv4 and IPv6 address for igc0 via autoconf.
Here's a rough sketch of my network topology:

```
        +-----------+
        | ISP modem |
        +-----------+
              |
              | igc0
    +---------------------------+
    | cerberus (OpenBSD router) |
    +---------------------------+
      igc1      igc2      igc3
       |         |         |
      ...       ...        |
                +-------------------------+
                | vulpes (OpenBSD client) |
                +-------------------------+
```

From both vulpes and cerberus, ping6 ipv4.google.com hangs and never returns.

I tried substituting ($wan:0) for my actual IPv4 address assigned to igc0, but I got no change in behavior. I read in the man page that :0 does not include aliases when used on an interface. When I print the rules out using pfctl -vvsr, it gets expanded to (igc0:0:1), which looks weird and I don't understand why. My understanding is that it should be "... af-to inet from IPV4_ADDRESS_OF_WAN_IF", but I don't know if (igc0:0:1) is the IPv4 address of igc0, and I can't figure out how to verify if that's right... or even if that's the problem in the first place and I'm chasing a red herring.

I feel like I'm missing something, but I can't see it. The Book of PF doesn't have any information on NAT64 that I could see, and the man page for pf.conf shows an example of what I'm already doing with no additional instructions. I've found maybe 3 articles about NAT64 on OpenBSD through searching, but none give me any more context or clues beyond the one I mentioned earlier.

I'd appreciate any help I could get!

Evan

Here's my dmesg:

```
OpenBSD 7.4 (GENERIC.MP) #1397: Tue Oct 10 09:02:37 MDT 2023
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8332189696 (7946MB)
avail mem = 8059916288 (7686MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.5 @ 0x75d9f000 (122 entries)
bios0: vendor American Megatrends International, LLC.
```