Backup ISP
I now have two ISPs: a primary on vmx2 and a backup (4G) on vmx4. Both need to initiate the connection with a DHCP request, so I have:

inet autoconf description Internet

in hostname.vmx2 and

inet autoconf description Internet4Gbackup

in hostname.vmx4.

My idea is to have an active/passive setup, being able to ssh from the internet to both vmx2 and vmx4. It seems that I am only able to access vmx2 from the internet.

vmx2: flags=808843 mtu 1500
        lladdr 00:0c:29:e0:88:a6
        description: Internet
        index 3 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (10GbaseT)
        status: active

vmx4: flags=808843 mtu 1500
        lladdr 00:0c:29:e0:88:7e
        description: Internet4Gbackup
        index 5 priority 0 llprio 3
        media: Ethernet autoselect (10GbaseT)
        status: active

I cannot see "egress" under vmx4 - I guess this is part of the problem.

How do I get incoming traffic via vmx2 to return out via vmx2 and, vice versa, incoming traffic via vmx4 to return out via vmx4?

Regards, Lars.
Re: Two parent NICs for VLAN
Ah, ok... and then you assign the IP address to that vport... thanks... will try that out later.

On Tue, Dec 19, 2023 at 2:42 PM Zé Loff wrote:
> On Tue, Dec 19, 2023 at 02:25:01PM +0100, Lars Bonnesen wrote:
> > That is exactly what I want.
> >
> > Ah, veb... although I cannot make it work. I see a lot of arp'ing not getting any replies. So devices that were working before try to arp for the gateway and do not get any replies, even though they are on the same layer 2 net:
> >
> > 12:28:54.101968 arp who-has 172.18.14.1 tell 172.18.14.201
> > 12:28:54.573677 arp who-has 172.18.14.1 tell 172.18.14.101
> > 12:28:55.101913 arp who-has 172.18.14.1 tell 172.18.14.201
> > 12:28:55.597716 arp who-has 172.18.14.1 tell 172.18.14.101
> > 12:28:56.101910 arp who-has 172.18.14.1 tell 172.18.14.201
>
> Apologies, there was a missing detail in my suggestion: it is meant to completely bypass the router, which plays no part in that VLAN's traffic (more details below, if needed).
>
> If you want the router/gateway to be connected to that VLAN, you need to create a vport interface and add it to the veb, as noted on veb's man page.
>
> Unnecessary details:
> I get three VLANs from my ISP on the same wire: internet, VoIP and IPTV. I need to manage the internet connection, but not the rest, so I used the veb to simply forward all traffic (DHCP, etc.) on the VoIP VLAN directly to the VoIP phone. This means that the firewall/gateway plays no part in it, other than blindly forwarding at L2. I could do this simply by putting the managed switch before the firewall, but the idea of having a managed switch directly connected to the internet makes me itchy.
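The layout Zé Loff describes above (one vlan(4) per parent NIC with a shared vnetid, both members of a veb(4), plus the vport(4) that carries the gateway address) written out as a set of hostname.if(5) files; this is an added example, not code from the thread. vmx1, vmx3 and vnetid 860 come from the thread, while the interface names vlan8600/vlan8601/vport860/veb860 and the use of 172.18.14.1/24 as the router's address on that segment are assumptions.

```shell
#!/bin/sh
# Added example: generate hostname.if(5) files that share one VLAN between two
# parent NICs via veb(4), with a vport(4) holding the router's own address so
# the gateway answers ARP on that segment. Names and the gateway address are
# assumptions for this example.

VNETID=${VNETID:-860}
PARENTS=${PARENTS:-"vmx1 vmx3"}
GATEWAY=${GATEWAY:-172.18.14.1/24}   # assumed: gateway the clients ARP for
DESCR=${DESCR:-IoT}

# gen_veb_config <dir>: writes hostname.vlan<vnetid>N (one per parent),
# hostname.vport<vnetid> and hostname.veb<vnetid> into <dir>.
gen_veb_config() {
  dir=$1
  members=""
  i=0
  for parent in $PARENTS; do
    # One vlan(4) per parent, all with the same vnetid. -inet6 stops the
    # member from autoconfiguring a link-local address: a veb member should
    # carry no addresses of its own.
    ifname="vlan${VNETID}${i}"
    printf 'description %s\nvnetid %s parent %s\n-inet6\nup\n' \
      "$DESCR" "$VNETID" "$parent" > "$dir/hostname.$ifname"
    members="$members $ifname"
    i=$((i + 1))
  done

  # The L3 address lives on the vport, not on the veb or on its members.
  printf 'description %s\ninet %s\nup\n' "$DESCR" "$GATEWAY" \
    > "$dir/hostname.vport${VNETID}"

  # Only the vlan interfaces and the vport are bridged. The parent NICs are
  # deliberately not added, so every other VLAN on vmx1 and vmx3 stays apart.
  {
    for m in $members "vport${VNETID}"; do
      echo "add $m"
    done
    echo up
  } > "$dir/hostname.veb${VNETID}"
}

# Set OUT (for example OUT=/etc) to write the files; `sh /etc/netstart`
# then brings the interfaces up.
if [ -n "${OUT:-}" ]; then
  gen_veb_config "$OUT" && echo "wrote hostname.if files to $OUT"
fi
```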
Re: Two parent NICs for VLAN
That is exactly what I want.

Ah, veb... although I cannot make it work. I see a lot of arp'ing not getting any replies. So devices that were working before try to arp for the gateway and do not get any replies, even though they are on the same layer 2 net:

12:28:54.101968 arp who-has 172.18.14.1 tell 172.18.14.201
12:28:54.573677 arp who-has 172.18.14.1 tell 172.18.14.101
12:28:55.101913 arp who-has 172.18.14.1 tell 172.18.14.201
12:28:55.597716 arp who-has 172.18.14.1 tell 172.18.14.101
12:28:56.101910 arp who-has 172.18.14.1 tell 172.18.14.201

On Tue, Dec 19, 2023 at 10:09 AM Zé Loff wrote:
> On Tue, Dec 19, 2023 at 09:33:18AM +0100, Lars Bonnesen wrote:
> > I have a physical switch with a number of VLANs and a NIC connected to a wireless setup. I want to have those two separated except for one particular VLAN that I want on the physical switch as well as on the APs.
> >
> > So I have vmx1 connected to the APs and vmx3 to the switch.
> >
> > Then some vlans that each have one of these as parent.
> >
> > But then for VLAN 860, I want both vmx1 and vmx3 as parent... Can't they have joint custody?
> >
> > I could of course bridge vmx1 and vmx3 - but I only want vmx1 and vmx3 bridged for vlan 860. Does it make sense?
> >
> > How to achieve this? Something similar to:
> >
> > vlan860: flags=8943 mtu 1500
> >         lladdr 00:0c:29:e0:88:9c
> >         description: IoT
> >         index 27 priority 0 llprio 3
> >         encap: vnetid 860 parent vmx3 AND VMX1 txprio packet rxprio outer
> >         groups: vlan
> >         media: Ethernet autoselect (10GbaseT)
> >         status: active
> >
> > ... which of course does not work.
> >
> > Regards, Lars.
>
> I'm not entirely sure if this is what you are asking, but I achieved something like this by
>
> - Creating one vlan interface on each physical interface with the same vnetid, but with different names (obviously):
> - veb-ing the two vlan interfaces:
>
> I.e.:
>
> $ cat /etc/hostname.vlan1010
> description "VoIP WAN"
> vnetid 101 parent re1
> -inet6
> up
>
> $ cat /etc/hostname.vlan1011
> description "VoIP DMZ"
> vnetid 101 parent re2
> -inet6
> up
>
> $ cat /etc/hostname.veb1
> add vlan1010
> add vlan1011
> up
>
> Hope this helps
>
> --
Two parent NICs for VLAN
I have a physical switch with a number of VLANs and a NIC connected to a wireless setup. I want to have those two separated except for one particular VLAN that I want on the physical switch as well as on the APs.

So I have vmx1 connected to the APs and vmx3 to the switch.

Then some vlans that each have one of these as parent.

But then for VLAN 860, I want both vmx1 and vmx3 as parent... Can't they have joint custody?

I could of course bridge vmx1 and vmx3 - but I only want vmx1 and vmx3 bridged for vlan 860. Does it make sense?

How to achieve this? Something similar to:

vlan860: flags=8943 mtu 1500
        lladdr 00:0c:29:e0:88:9c
        description: IoT
        index 27 priority 0 llprio 3
        encap: vnetid 860 parent vmx3 AND VMX1 txprio packet rxprio outer
        groups: vlan
        media: Ethernet autoselect (10GbaseT)
        status: active

... which of course does not work.

Regards, Lars.
Re: Performance optimizing OpenBSD 7.2
systat tells me

One box:
89450 IPKTS
19438 OPKTS

The other:
68814 IPKTS
87939 OPKTS

As the boxes are doing L2VPN, the NICs for the VLANs that are being stretched are in promiscuous mode - thus all traffic on the networks is hitting this box. I have a default block saying

block drop

I guess this causes the box to care as little as possible about packages it really shouldn't care about.

On Wed, Feb 15, 2023 at 5:52 PM Stuart Henderson wrote:
> On 2023-02-15, Lars Bonnesen wrote:
> > lbo@PLOSLOL2VPN:/etc$ pfctl -s info
> > Status: Enabled for 0 days 00:06:49           Debug: err
> >
> > State Table                          Total             Rate
> >   current entries                   149331
> >   half-open tcp                       5333
> >   searches                      4462647255         1098.0/s
> >   inserts                         78143904       191060.9/s
> >   removals                        77994573       190695.8/s
> > Counters
> >   match                          250452866       612354.2/s
> >   bad-offset                             0            0.0/s
> >   fragment                               1            0.0/s
> >   short                                  0            0.0/s
> >   normalize                              1            0.0/s
> >   memory                           5247954        12831.2/s
> >   bad-timestamp                          0            0.0/s
> >   congestion                          1469            3.6/s
> >   ip-option                              3            0.0/s
> >   proto-cksum                         3012            7.4/s
> >   state-mismatch                 145502864       355752.7/s
> >   state-insert                         305            0.7/s
> >   state-limit                            0            0.0/s
> >   src-limit                              0            0.0/s
> >   synproxy                               0            0.0/s
> >   translate                              0            0.0/s
> >   no-route                               0            0.0/s
>
> oof, how many packets/sec is the machine doing? ("systat ifs", IPKT/OPKT columns)
>
> mismatches are still really high.
>
> does this machine see packets in both directions of the traffic that it's passing? no active/active setup where the traffic is getting split, or asymmetric routing where it only sees traffic in one direction?
Re: Performance optimizing OpenBSD 7.2
I think that I am now hitting a bottleneck somewhere else. Thanks for the help so far... I might come back thirsty for more later... (-:

Regards, Lars.

On Wed, Feb 15, 2023 at 4:13 PM Lars Bonnesen wrote:
> lbo@PLOSLOL2VPN:/etc$ pfctl -s info
> Status: Enabled for 0 days 00:06:49           Debug: err
>
> State Table                          Total             Rate
>   current entries                   149331
>   half-open tcp                       5333
>   searches                      4462647255         1098.0/s
>   inserts                         78143904       191060.9/s
>   removals                        77994573       190695.8/s
> Counters
>   match                          250452866       612354.2/s
>   bad-offset                             0            0.0/s
>   fragment                               1            0.0/s
>   short                                  0            0.0/s
>   normalize                              1            0.0/s
>   memory                           5247954        12831.2/s
>   bad-timestamp                          0            0.0/s
>   congestion                          1469            3.6/s
>   ip-option                              3            0.0/s
>   proto-cksum                         3012            7.4/s
>   state-mismatch                 145502864       355752.7/s
>   state-insert                         305            0.7/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>   translate                              0            0.0/s
>   no-route                               0            0.0/s
>
> On Wed, Feb 15, 2023 at 2:15 PM Claudio Jeker wrote:
>
>> On Wed, Feb 15, 2023 at 01:01:10PM -, Stuart Henderson wrote:
>> > On 2023-02-15, Lars Bonnesen wrote:
>> > > One says:
>> > >
>> > > # pfctl -s info
>> > > Status: Enabled for 0 days 10:56:43           Debug: err
>> > >
>> > > State Table                          Total             Rate
>> > >   current entries                    91680
>> >
>> > Lots of entries, close to the default:
>> >
>> > $ doas pfctl -sm
>> > states        hard limit   10
>> > src-nodes     hard limit   1
>> > frags         hard limit   65536
>> > tables        hard limit   1000
>> > table-entries hard limit   20
>> > pktdelay-pkts hard limit   1
>> > anchors       hard limit   512
>> >
>> > >   half-open tcp                       4032
>> > >   searches                      3132304294        79494.1/s
>> > >   inserts                         60916552         1546.0/s
>> > >   removals                        60824872         1543.7/s
>> > > Counters
>> > >   match                           79164265         2009.1/s
>> > >   bad-offset                             0            0.0/s
>> > >   fragment                               1            0.0/s
>> > >   short                                  0            0.0/s
>> > >   normalize                              0            0.0/s
>> > >   memory                           1768012           44.9/s
>> >
>> > And this most likely means that you've been bumping into the state limit plenty of times already.
>> >
>> > >   bad-timestamp                          0            0.0/s
>> > >   congestion                          1201            0.0/s
>> > >   ip-option                              0            0.0/s
>> > >   proto-cksum                          387            0.0/s
>> > >   state-mismatch                  82794949         2101.2/s
>> >
>> > Loads of state mismatches and, looking at the rate, this is probably on an ongoing basis.
>> >
>> > Check to make sure that all packets match either a "pass" or "block" rule (the easiest way to do this is usually to have a simple "block" or "block log" as the first rule) - if you don't have any matching rule in the config, there is an implicit default which passes traffic *without* creating state.
>> >
>> > (One particularly common result of this is that TCP window scaling isn't handled properly such that longer lived or fast TCP connections are likely to slow down or stall.)
>> >
>> > You might also need to bump the state limit, but I'd check the above first because the high number of states might be caused because of mismatches.
>>
>> I think the state-mismatch is a result of hitting the state limit and not the other way around. At over 90'000 states the default timeouts are reduced by more than 50% and so states are removed too soon resulting in a state-mismatch.
>>
>> So first bump the limit up and then look at the counters again.
>>
>> --
>> :wq Claudio
Re: Performance optimizing OpenBSD 7.2
lbo@PLOSLOL2VPN:/etc$ pfctl -s info
Status: Enabled for 0 days 00:06:49           Debug: err

State Table                          Total             Rate
  current entries                   149331
  half-open tcp                       5333
  searches                      4462647255         1098.0/s
  inserts                         78143904       191060.9/s
  removals                        77994573       190695.8/s
Counters
  match                          250452866       612354.2/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                           5247954        12831.2/s
  bad-timestamp                          0            0.0/s
  congestion                          1469            3.6/s
  ip-option                              3            0.0/s
  proto-cksum                         3012            7.4/s
  state-mismatch                 145502864       355752.7/s
  state-insert                         305            0.7/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

On Wed, Feb 15, 2023 at 2:15 PM Claudio Jeker wrote:
> On Wed, Feb 15, 2023 at 01:01:10PM -, Stuart Henderson wrote:
> > On 2023-02-15, Lars Bonnesen wrote:
> > > One says:
> > >
> > > # pfctl -s info
> > > Status: Enabled for 0 days 10:56:43           Debug: err
> > >
> > > State Table                          Total             Rate
> > >   current entries                    91680
> >
> > Lots of entries, close to the default:
> >
> > $ doas pfctl -sm
> > states        hard limit   10
> > src-nodes     hard limit   1
> > frags         hard limit   65536
> > tables        hard limit   1000
> > table-entries hard limit   20
> > pktdelay-pkts hard limit   1
> > anchors       hard limit   512
> >
> > >   half-open tcp                       4032
> > >   searches                      3132304294        79494.1/s
> > >   inserts                         60916552         1546.0/s
> > >   removals                        60824872         1543.7/s
> > > Counters
> > >   match                           79164265         2009.1/s
> > >   bad-offset                             0            0.0/s
> > >   fragment                               1            0.0/s
> > >   short                                  0            0.0/s
> > >   normalize                              0            0.0/s
> > >   memory                           1768012           44.9/s
> >
> > And this most likely means that you've been bumping into the state limit plenty of times already.
> >
> > >   bad-timestamp                          0            0.0/s
> > >   congestion                          1201            0.0/s
> > >   ip-option                              0            0.0/s
> > >   proto-cksum                          387            0.0/s
> > >   state-mismatch                  82794949         2101.2/s
> >
> > Loads of state mismatches and, looking at the rate, this is probably on an ongoing basis.
> >
> > Check to make sure that all packets match either a "pass" or "block" rule (the easiest way to do this is usually to have a simple "block" or "block log" as the first rule) - if you don't have any matching rule in the config, there is an implicit default which passes traffic *without* creating state.
> >
> > (One particularly common result of this is that TCP window scaling isn't handled properly such that longer lived or fast TCP connections are likely to slow down or stall.)
> >
> > You might also need to bump the state limit, but I'd check the above first because the high number of states might be caused because of mismatches.
>
> I think the state-mismatch is a result of hitting the state limit and not the other way around. At over 90'000 states the default timeouts are reduced by more than 50% and so states are removed too soon resulting in a state-mismatch.
>
> So first bump the limit up and then look at the counters again.
>
> --
> :wq Claudio
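An added example (not code from the thread) that applies Stuart's and Claudio's reading of the counters to the figures posted in this thread: it pulls current entries and the match and state-mismatch rates out of saved `pfctl -s info` output and works out how far pf's adaptive timeouts have already shrunk, which is the mechanism behind Claudio's "over 90'000 states" remark. It assumes a stock pf.conf, where the state hard limit is 100000 and adaptive.start/adaptive.end default to 60% and 120% of that limit; the column layout of the embedded sample is reconstructed from the numbers posted for the first box.

```shell
#!/bin/sh
# Added example: quantify what the pf counters in this thread say.
# Timeouts scale linearly from adaptive.start (60% of the state limit by
# default) down to zero at adaptive.end (120% of the limit), so a table that is
# "over 90000 states" against the default 100000 limit already runs with less
# than half of the configured timeouts, and states expire early.

# Constructed sample built from the figures posted for the first box.
PF_INFO='Status: Enabled for 0 days 10:56:43           Debug: err

State Table                          Total             Rate
  current entries                    91680
  half-open tcp                       4032
  searches                      3132304294        79494.1/s
  inserts                         60916552         1546.0/s
  removals                        60824872         1543.7/s
Counters
  match                           79164265         2009.1/s
  state-mismatch                  82794949         2101.2/s'

# Constructed: a stock pf.conf has a 100000-state hard limit (assumption).
PF_MEMORY='states        hard limit   100000'

# pf_total <counter> <pfctl -s info text>: the Total column for that counter.
pf_total() {
  printf '%s\n' "$2" | awk -v f="$1" '$0 ~ "^[ \t]*" f "[ \t]" {
    sub("^[ \t]*" f "[ \t]+", ""); print $1; exit }'
}

# pf_rate <counter> <pfctl -s info text>: the Rate column without the "/s".
pf_rate() {
  printf '%s\n' "$2" | awk -v f="$1" '$0 ~ "^[ \t]*" f "[ \t]" {
    sub("^[ \t]*" f "[ \t]+", ""); sub("/s$", "", $2); print $2; exit }'
}

# pf_limit <pool> <pfctl -sm text>: the hard limit of a memory pool.
pf_limit() {
  printf '%s\n' "$2" | awk -v f="$1" '$1 == f && $2 == "hard" { print $4; exit }'
}

# adaptive_timeout_pct <states> <limit>: percentage of the configured timeout
# pf still applies, with adaptive.start/end at the default 60%/120% of limit.
adaptive_timeout_pct() {
  awk -v s="$1" -v lim="$2" 'BEGIN {
    lo = lim * 0.6; hi = lim * 1.2
    if (s <= lo) pct = 100
    else if (s >= hi) pct = 0
    else pct = (hi - s) / (hi - lo) * 100
    printf "%d\n", pct + 0.5 }'
}

# mismatch_ratio <pfctl -s info text>: state-mismatch rate divided by match
# rate; anything near or above 1 means most packets miss their state.
mismatch_ratio() {
  awk -v m="$(pf_rate state-mismatch "$1")" -v a="$(pf_rate match "$1")" \
    'BEGIN { printf "%.2f\n", m / a }'
}

pf_report() {
  states=$(pf_total "current entries" "$PF_INFO")
  limit=$(pf_limit states "$PF_MEMORY")
  pct=$(adaptive_timeout_pct "$states" "$limit")
  echo "states: $states of $limit; timeouts at ${pct}% of configured values"
  echo "state-mismatch/match ratio: $(mismatch_ratio "$PF_INFO")"
  if [ "$pct" -lt 100 ]; then
    echo "-> past adaptive.start: raise 'set limit states' and re-read the counters"
  fi
}

pf_report
```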
Re: Performance optimizing OpenBSD 7.2
One says:

# pfctl -s info
Status: Enabled for 0 days 10:56:43           Debug: err

State Table                          Total             Rate
  current entries                    91680
  half-open tcp                       4032
  searches                      3132304294        79494.1/s
  inserts                         60916552         1546.0/s
  removals                        60824872         1543.7/s
Counters
  match                           79164265         2009.1/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                           1768012           44.9/s
  bad-timestamp                          0            0.0/s
  congestion                          1201            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          387            0.0/s
  state-mismatch                  82794949         2101.2/s
  state-insert                         230            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

The other says:

# pfctl -s info
Status: Enabled for 0 days 10:39:38           Debug: err

State Table                          Total             Rate
  current entries                    93847
  half-open tcp                       8441
  searches                      3900545422       101634.9/s
  inserts                         69463584         1810.0/s
  removals                        69369737         1807.5/s
Counters
  match                          752203697        19599.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              2            0.0/s
  memory                            212454            5.5/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                  33380332          869.8/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

What does that tell us?

Regards, Lars.

On Wed, Feb 15, 2023 at 9:16 AM Otto Moerbeek wrote:
> On Tue, Feb 14, 2023 at 11:04:57PM +0100, Lars Bonnesen wrote:
>
> > What can be done to optimize obsd 7.2 running on top of ESXi 7 with
> >
> > 7 vmx "phys" ifs
> > 3 em "phys" ifs
> > 22 virtual ifs
> >
> > Very simple pf ruleset - the box is only running a VPN solution between two sites up against a similarly configured obsd 7.2
> >
> > I came across https://calomel.org/network_performance.html which has a section concerning obsd 5.1 "and later" - is this also valid for 7.2? I did implement the suggestions adapted to the setup, but I can't really see any noticeable difference.
>
> This site is generally regarded as garbage. Do not use it.
>
> > I configured the box with 8 vCPUs and 8 gig RAM and after running for some time, getting more and more load, I started to face massive package loss, both for packages between the two sites but also from the obsd to the rest of the world. CPU was far from reaching any critical level and there was loads of memory left.
> >
> > I downscaled from 8 to 4 vCPUs and from 8 to 4 gig RAM - and the two obsd now seem to hold the packages decently. But for instance when pinging 1.1.1.1, I sometimes get:
> >
> > # ping 1.1.1.1
> > PING 1.1.1.1 (1.1.1.1): 56 data bytes
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > 64 bytes from 1.1.1.1: icmp_seq=3 ttl=61 time=0.826 ms
> > 64 bytes from 1.1.1.1: icmp_seq=4 ttl=61 time=0.797 ms
> > 64 bytes from 1.1.1.1: icmp_seq=5 ttl=61 time=0.799 ms
> >
> > Some permissions denied and then it continues
Performance optimizing OpenBSD 7.2
What can be done to optimize obsd 7.2 running on top of ESXi 7 with

7 vmx "phys" ifs
3 em "phys" ifs
22 virtual ifs

Very simple pf ruleset - the box is only running a VPN solution between two sites up against a similarly configured obsd 7.2.

I came across https://calomel.org/network_performance.html which has a section concerning obsd 5.1 "and later" - is this also valid for 7.2? I did implement the suggestions adapted to the setup, but I can't really see any noticeable difference.

I configured the box with 8 vCPUs and 8 gig RAM and after running for some time, getting more and more load, I started to face massive package loss, both for packages between the two sites but also from the obsd to the rest of the world. CPU was far from reaching any critical level and there was loads of memory left.

I downscaled from 8 to 4 vCPUs and from 8 to 4 gig RAM - and the two obsd now seem to hold the packages decently. But for instance when pinging 1.1.1.1, I sometimes get:

# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendmsg: Permission denied
ping: wrote 1.1.1.1 64 chars, ret=-1
ping: sendmsg: Permission denied
ping: wrote 1.1.1.1 64 chars, ret=-1
ping: sendmsg: Permission denied
ping: wrote 1.1.1.1 64 chars, ret=-1
64 bytes from 1.1.1.1: icmp_seq=3 ttl=61 time=0.826 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=61 time=0.797 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=61 time=0.799 ms

Some permissions denied and then it continues to ping.

Sometimes when trying to ping a FQDN, I get:

ping: no address associated with name

as it cannot resolve the name. The name is of course registered correctly in DNS.

We are planning to put even more load on the setup, but I am not sure that it is a good idea.

The ESX server has hyperthreading enabled. There are many discussions about this, and what I can summarize is that apart from a security perspective, hyperthreading should be left enabled.

How to get better performance?

Regards, Lars.
Zabbix: Support for PSK was not compiled in
Installed zabbix-agent but when doing "./zabbix_agentd -d start", I get:

ERROR: value of parameter "TLSConnect" requires support of encrypted connection with PSK but support for PSK was not compiled in

How do I add support for Preshared key?

Regards, Lars.
Max number of NICs
How many physical NICs can you add to an OpenBSD host (vmx)?

I am asking because I am running an OpenBSD on a VMware host but apparently OpenBSD can only see 8 of them. Can I raise the limit somehow?

Regards, Lars.
Re: Stretch/L2VPN between two datacenters
I have been fighting with this for a while now, trying to make it work reading man pages... But it does not work as I want it to work.

tcpdump can see a lot of arp requests on bridge0, egre0, vlan172 - but nothing seems to get to wg0.

This is my ifconfig filtered for public IPs:

lo0: flags=8049 mtu 32768
        index 5 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff00
vmx0: flags=8843 mtu 1500
        lladdr 00:50:56:b4:a5:ab
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (10GbaseT)
        status: active
        inet qq.ww.ee.rr netmask 0xff00 broadcast ee.rr.tt.yy
vmx1: flags=8802 mtu 1500
        lladdr 00:50:56:b4:0d:26
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (10GbaseT)
        status: active
vmx2: flags=8b43 mtu 1600
        lladdr 00:50:56:b4:ef:b4
        description: corp
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (10GbaseT)
        status: active
enc0: flags=0<>
        index 4 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141 mtu 33136
        index 6 priority 0 llprio 3
        groups: pflog
lo1: flags=8008 rdomain 1 mtu 32768
        index 8 priority 0 llprio 3
        groups: lo
wg0: flags=80c3 mtu 1420
        index 9 priority 0 llprio 3
        wgport 51820
        wgpubkey GIWFxfaaxt1VmURRvEtJkG/mZQgVLNtHuEtPa6vt/kM=
        wgpeer MSS4DjJjPtp9DsTpMbNQ1ict6jEx07DICfipOpnOUR4=
                wgendpoint aa.bb.cc.dd 51820
                tx: 1690108800, rx: 2934539600
                last handshake: x seconds ago
                wgaip 192.168.5.1/32
        groups: wg
        inet 192.168.5.2 netmask 0xff00 broadcast 192.168.5.255
egre0: flags=8943 mtu 1500
        lladdr fe:e1:ba:d0:31:5b
        index 14 priority 0 llprio 3
        encap: vnetid 172 txprio 0 rxprio packet
        groups: egre
        tunnel: inet 172.24.90.92 --> 172.24.90.91 ttl 64 nodf
vlan172: flags=8943 mtu 1500
        lladdr 00:50:56:b4:ef:b4
        index 24 priority 0 llprio 3
        encap: vnetid 172 parent vmx2 txprio packet rxprio outer
        groups: vlan
        media: Ethernet autoselect (10GbaseT)
        status: active
        inet 172.24.90.94 netmask 0xff00 broadcast 172.24.90.255
bridge0: flags=41 mtu 1500
        index 25 llprio 3
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        vlan172 flags=3
                port 24 ifpriority 0 ifcost 0
        egre0 flags=3
                port 14 ifpriority 0 ifcost 0
        vmx2 flags=3
                port 3 ifpriority 0 ifcost 0

On the other end the ifconfig is similar.

wg0 is working. I can ping 192.168.5.1 from 192.168.5.2 and vice versa.

172.24.90.0/24 (vlan172) is the network that I want to stretch... and it is presented to the obsd as vmx2 connected to an access port on a switch.

Can anyone guide me in the right direction, thx?

Regards, Lars.

On Wed, Jan 4, 2023 at 7:24 AM Lars Bonnesen wrote:
> Thanks for your replies. It has been Xmas and I have been delayed, but I have now read up on it. I am going for the tpmr(4). We are going to replicate a lot of live data from Site1 to Site2, and my experience with OpenVPN is that it is great, but not high performing. So I have established a WireGuard connection with one OBSD on each site, and I am planning to tunnel tpmr through this - I guess that tpmr itself is not encrypted in any way?
>
> Regards, Lars.
>
> On Fri, Dec 16, 2022 at 4:30 PM deich...@placebonol.com <deich...@placebonol.com> wrote:
>
>> I've run L2 over an IPsec tunnel using egre (gre(4)) and bridge (bridge(4)) to connect systems in different locations together.
>>
>> This was done before David Gwynne created tpmr(4). I've been too lazy to reimplement my current configuration.
>>
>> 73
>> diana
Best USB NIC for obsd7.2
Which 1Gbit USB 3.0A NIC is performing best with obsd 7.2? I am aware of the hardware list, but I am asking for personal experience from users in here.

Regards, Lars.
Re: Stretch/L2VPN between two datacenters
Thanks for your replies. It has been Xmas and I have been delayed, but I have now read up on it. I am going for the tpmr(4). We are going to replicate a lot of live data from Site1 to Site2, and my experience with OpenVPN is that it is great, but not high performing. So I have established a WireGuard connection with one OBSD on each site, and I am planning to tunnel tpmr through this - I guess that tpmr itself is not encrypted in any way?

Regards, Lars.

On Fri, Dec 16, 2022 at 4:30 PM deich...@placebonol.com <deich...@placebonol.com> wrote:
> I've run L2 over an IPsec tunnel using egre (gre(4)) and bridge (bridge(4)) to connect systems in different locations together.
>
> This was done before David Gwynne created tpmr(4). I've been too lazy to reimplement my current configuration.
>
> 73
> diana
Stretch/L2VPN between two datacenters
We are about to migrate VMs from one datacenter to another, and the VMware L2VPN we are using for this is simply not stable, for some reason we cannot figure out. I have used GRE tunneling before on a software router that I actually cannot remember the name of now, but if OpenBSD can do the same, I would rather deploy one OpenBSD on each site and have that task handled by OpenBSD.

Each site should be able to use the other site's gateway over an L2 network, and VMs on each site should be able to see each other as if they are on the same LAN.

Where to start reading?

Regards, Lars.
axen0 sometimes "lost"
sh /etc/netstart sometimes just ends in a hanging network state... I need to boot from console, and then we are fine again. Sometimes, I get:

ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured

and the ifconfig doesn't report anything about axen0.

ifconfig axen0 up

doesn't change anything... if I reboot, maybe we are fine again.

It seems to me that the axen0 is very unstable. It is a USB NIC. Any ideas to make it more stable? Can I disable power management or similar on this USB port?

Regards, Lars.
Re: No Authen::PAM for perl?
Ok, I am sorry... I found the port openvpn_bsdauth. via-env never worked, but using via-file and tmp-dir, I am now able to auth.

Does a similar solution exist for additional MFA solutions? Google Auth?

Regards, Lars.

On Mon, Aug 15, 2022 at 7:47 PM Lars Bonnesen wrote:
> Setting up an OpenVPN box in a network with no central user database, and I would like an extra layer of security than just the certificate.
>
> As I can't use LDAP (unless I install this), I found the auth-pam.pl script, but using this OpenVPN complains:
>
> Can't locate Authen/PAM.pm in @INC (you may need to install the Authen::PAM module) (@INC contains: /usr/at /etc/openvpn/auth-pam.pl line 30.
>
> Googled some non-OpenBSD ways to install the Authen::PAM module, but they all failed. Anyone has succeeded in this?
>
> Regards, Lars
Trunking two usb-nics
Yeah, I agree... any other solution than USB is better for this, but this is what I have. Startech - they are on the supported HCL list.

Running tagged VLANs on top of one of these goes well, but if I create a trunk against a Cisco Catalyst switch, I get random USB IOERRORs and similar. The trunk comes up, but no data passes.

Cisco has this:

interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 51
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 51
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/3
 switchport access vlan 51
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport trunk allowed vlan 51
 switchport mode trunk
!

Trunk comes up:

Switch#sh etherchannel detail
                Channel-group listing:
                ----------------------

Group: 1
----------
Group state = L2
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP
Minimum Links: 0

                Ports in the group:
                -------------------
Port: Gi1/0/1
------------

Port state    = Up Mstr Assoc Not-in-Bndl
Channel group = 1           Mode = Active          Gcchange = -
Port-channel  = Po1         GC   = -               Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi1/0/1   SA      bndl      32768         0x1       0x1     0x102       0xD

Partner's information:
                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi1/0/1   SA      32768     0024.9b76.24c7  29s    0x0    0x403C 0x5     0x75

Age of the port in the current state: 0d:00h:00m:27s

Port: Gi1/0/2
------------

Port state    = Up Mstr Assoc Not-in-Bndl
Channel group = 1           Mode = Active          Gcchange = -
Port-channel  = Po1         GC   = -               Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi1/0/2   SA      bndl      32768         0x1       0x1     0x103       0xD

Partner's information:
                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi1/0/2   SA      32768     0024.9b76.24c7  28s    0x0    0x403C 0x6     0x75

Age of the port in the current state: 0d:00h:00m:26s

                Port-channels in the group:
                ---------------------------
Port-channel: Po1    (Primary Aggregator)
------------

Age of the Port-channel   = 0d:02h:01m:52s
Logical slot/port   = 12/1          Number of ports = 2
HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP
Port security       = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi1/0/1  Active             0
  0     00     Gi1/0/2  Active             0

Time since last port bundled:    0d:00h:00m:26s    Gi1/0/2
Time since last port Un-bundled: 0d:00h:00m:28s    Gi1/0/2

On the OpenBSD, I have:

trunkproto lacp
trunkport axen0
trunkport axen1
up

And the trunk0 comes up. Then I do:

parent trunk0 vnetid 51 descr unifimgmt inet 10.45.51.252/24

Does not work... but if I destroy trunk0, remove one of the USBs, and instead do like this:

ifconfig axnt0 up

and

parent axen0 vnetid 51 descr unifimgmt inet 10.45.51.252/24

Then vlan51 passes data as it should. Am I doing something wrong?

Regards, Lars.
No Authen::PAM for perl?
Setting up an OpenVPN box in a network with no central user database, and I would like an extra layer of security than just the certificate.

As I can't use LDAP (unless I install this), I found the auth-pam.pl script, but using this OpenVPN complains:

Can't locate Authen/PAM.pm in @INC (you may need to install the Authen::PAM module) (@INC contains: /usr/at /etc/openvpn/auth-pam.pl line 30.

Googled some non-OpenBSD ways to install the Authen::PAM module, but they all failed. Anyone has succeeded in this?

Regards, Lars
Are relayd and httpd my future buddy?
I have been using a combination of Apache, mod_proxy and letsencrypt to set up different loadbalancing/https offload solutions like this:

https://URL1                                                [Apache http_1] ---|
https://URL2 [Apache https, mod_proxy, and letsencrypt] --- [Apache http_2] ---|-- SQL
https://URL3                                                [Apache http_3] ---|

Of course running on OpenBSD.

The URLs are typically sharing one IP and in theory the https offload could also be load balanced.

Even though the above setup works, I would like to use as much of obsd base as possible and fewer packages. Thinking of httpd, letsencrypt and relayd - but can it accomplish my goals about sharing IPs and loadbalancing while also doing SSL offload? Or do I need to stick with Apache or maybe look at another solution like haproxy?

If I can use relayd for this, could someone please share a relayd.conf example for me?

Regards, Lars.
Optimizing pf.conf
Is it no longer important to group block/pass in/out for speed optimization? I see many "modern" pf.conf where everything is mixed more or less randomly.

Regards, Lars.
Re: VLAN syntax in hostname.vlanxxx
That did it... thanks!

On Wed, Apr 29, 2020 at 10:42 PM Sebastian Benoit wrote:
> Lars Bonnesen(lars.bonne...@gmail.com) on 2020.04.29 21:58:27 +0200:
> > In earlier obsd versions I have been having success with this in hostname.vlan703
> > inet 172.18.11.9 255.255.255.252 NONE vlandev em5 description VLAN703
> >
> > On an obsd 6.6, I use the vmx device, but the syntax:
> > inet 172.18.11.9 255.255.255.252 NONE vlandev vmx2 description VLAN703
> > does not work as expected. If I do a tcpdump, I can find the packages reaching vmx2, but they are never passed on to vlan703
> >
> > How do I do it if I have configured a trunk on a switch and I want to configure, say, VLAN id 703 on a vmx device?
>
> Between OpenBSD 6.1 and 6.2 the syntax for configuring VLAN interfaces was changed.
>
> You now have to use the 'vnetid' and 'parent' options, as well as 'up'.
>
> # cat /etc/hostname.vlan7
> vnetid 7 parent em0
> up
> lladdr random
> # ifconfig vlan7
> vlan7: flags=8843 mtu 1500
>         lladdr 60:e8:d7:0d:10:6d
>         index 7 priority 0 llprio 3
>         encap: vnetid 7 parent: em0
>         groups: vlan
>         status: active
VLAN syntax in hostname.vlanxxx
In earlier obsd versions I have been having success with this in hostname.vlan703:

inet 172.18.11.9 255.255.255.252 NONE vlandev em5 description VLAN703

On an obsd 6.6, I use the vmx device, but the syntax:

inet 172.18.11.9 255.255.255.252 NONE vlandev vmx2 description VLAN703

does not work as expected. If I do a tcpdump, I can find the packages reaching vmx2, but they are never passed on to vlan703.

How do I do it if I have configured a trunk on a switch and I want to configure, say, VLAN id 703 on a vmx device?

And while we are at it, what if the switch is an access port?

Regards, Lars.
Re: Samba on obsd
It seems that Debian is also recommended as an AD replacement.

On Wed, Mar 25, 2020 at 12:13 PM David Sastre wrote:
> Depending on your requirements, e.g. Windows machines in your setup, you can also try https://www.freeipa.org
> I would use Fedora, not CentOS.
> It is an umbrella project for LDAP, Kerberos, DNS, NTP and some added functionality on top you might or might not need/use.
> It can also establish trust relationships with existing AD forests.
> Worth checking out.
> Regarding support for OpenBSD clients, I haven't tried, but you could hook up direct LDAP access, for example.
>
> On Wed, Mar 25, 2020 at 7:48 AM kasak wrote:
>>
>> 25.03.2020 02:06, Lars Bonnesen writes:
>> > Hi. I am having a project on setting up Samba to work as a replacement for MS AD.
>> >
>> > I would prefer to do it on OpenBSD, but how is the implementation of Samba on OpenBSD? Is it enhanced in a way that will cause any known problems that would not be on say... CentOS?
>> >
>> > Regards, Lars.
>>
>> samba ad is not working on OpenBSD because ffs has no ea support.
>>
>> centos is a bad choice too, because of permanently outdated version of samba.
>>
>> You should try arch linux or freebsd for this project, both of them have nearly latest version of samba.
Samba on obsd
Hi. I am having a project on setting up Samba to work as a replacement for MS AD. I would prefer to do it on OpenBSD, but how is the implementation of Samba on OpenBSD? Is it enhanced in a way that will cause any known problems that would not be on say... CentOS? Regards, Lars.
Adding an additional IP on a NIC getting DHCP address
The NIC hostname file contains:

dhcp

and it configures the nic with a DHCP address and configures mygate according to this. Now I need to add an additional static IP on top of this and use the static IP address gateway address (thus not configuring myname from DHCP). Can I just add

inet x.x.x.x b.b.b.b

to myname so that it reads:

dhcp
inet x.x.x.x b.b.b.b

and if so, how do I make sure that mygate does not get overwritten from dhcp? Regards, Lars.
SSH disconnects right after accepting
OpenBSD 6.4

Putty just reports "Authenticating with public key "XXX" from agent" and then I am disconnected. If I run sshd with -ddd, I get the following output. I can't seem to get any error, and therefore I can't tell what is wrong. Anyone has any idea? Thanks

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 204
debug2: parse_server_config: config /etc/ssh/sshd_config len 204
debug3: /etc/ssh/sshd_config:25 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:30 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:39 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:86 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_7.9, LibreSSL 2.8.2
debug1: private host key #0: ssh-rsa SHA256:XXX
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:XXX
debug1: private host key #2: ssh-ed25519 SHA256:XXX
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 204
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 172.17.4.3 port 63721 on 172.17.1.2 port 22 rdomain "0"
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.70
debug1: no match: PuTTY_Release_0.70
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing pledge sandbox
debug2: Network child is on pid 89382
debug3: preauth child monitor started
debug3: privsep user:group 27:27 [preauth]
debug1: permanently_set_uid: 27/27 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com [preauth]
debug2: MACs ctos: umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,z...@openssh.com [preauth]
debug2: compression stoc: none,z...@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
debug2: ciphers ctos: aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1...@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
debug2: ciphers stoc: aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1...@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-...@openssh.com [preauth]
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-...@openssh.com [preauth]
d
Access old PPTP behind OpenBSD 6.1
Yes... I know... Don't run MS PPTP and that is why I am implementing OpenBSD. Until OpenVPN is fully installed on every client, I need to provide access to PPTP during the transition. I don't know what to use in pf.conf though. I have tried everything that I find logical. In sysctl.conf I have added:

net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1

Let's say that the OpenBSD public IP is 1.2.3.4, local IP 10.77.1.2 and LAN is 10.77.1.0/24 - PPTP server is 10.77.1.106. How would my PPTP lines look in pf.conf? Help is greatly appreciated. Regards, Lars.
Heartbleed and OpenSSL 1.0.1c
Just want to make sure I get this right. Patches 007 and 008 (OpenSSL-fix) for 5.4 have been run. OpenBSD 5.5 install, source code patch branch run and compiled. On both setups I get this:

# openssl version -a
OpenSSL 1.0.1c 10 May 2012
built on: date not available
platform: information not available
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: information not available
OPENSSLDIR: "/etc/ssl"

As far as I understand, OpenSSL 1.0.1g is needed in order to be home safe reg. heartbleed. I know that OpenBSD's OpenSSL is a fork, and this is maybe where the confusion comes in... but can someone clarify the above for me? Regards, Lars.
Keeping OpenBSD up2date
I like OpenBSD for its easiness, straightforwardness and simpleness in daily usage. Unfortunately with the last releases, I find keeping OpenBSD up2date between releases to be confusing. Please help me on this one:

Well... I have been quite happy using cvsup to keep my src and ports up2date, but it seems that this is getting quite impossible to use lately, as the servers I normally use to pull from seem to block cvsup. )-:

Then I read that cvsync seems to be the way to go... although I can't get it to work properly. I follow http://www.openbsd.org/cvsync.html and I am able to pull a repository (size 5.2G). Then I am going to pull the patch branch (well, using cvsup, I normally go for current), and I do:

# cd /usr
# cvs -d/cvs checkout -P src

It works... I am getting what look to be updated source files. I find the changes of http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/002_sshgcm.patch in monitor_wrap.c

Then I am going to compile from source (system is i386) by doing:

# cd /usr/src/sys/arch/i386/conf
# config GENERIC
# cd ../compile/GENERIC
# make clean && make
# make install

Well... it looks to be going fine... not noticing any errors at least, and I can find the new kernel /bsd. But... Rebooting... and the system ends in limbo-mode. I have to boot doing "b /obsd". I can't figure out where the process goes wrong. Anyone? Regards, Lars.