Re: Request for a package & a feature

2015-11-28 Thread Loïc BLOT
Hi Franck,
Thanks, it works perfectly with your feedback :) I can now remove
isc-dhcp-client and use the native dhclient!

Now I need a good native IPv6 option (or pkg option), if there is
something that works as well as dibbler.
-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Saturday 28 November 2015 at 14:18 +0100, Frank Groeneveld wrote:
> On 11/28/15 12:47, Loïc BLOT wrote:
> > As I see, OpenBSD's dhclient has user-class (option 77), but I
> > also need vendor-class-identifier (named as such in
> > isc-dhcp-client) and authentication (option 90,
> > https://www.ietf.org/rfc/rfc3118.txt). I didn't find those options.
> 
> I use option 60 (vendor-class-identifier) in OpenBSD with dhclient like
> this:
> 
> interface "vlan4" {
>    send dhcp-class-identifier "IPTV_RG";
> }
> 
> I found that in /usr/src/sbin/dhclient/tables.c and it includes all 
> other dhcp options. For you, these entries seem interesting:
> 
>  /*  60 */ { "dhcp-class-identifier", "t" },
>  /*  77 */ { "user-class", "t" },
>  /*  90 */ { "option-90", "X" },
> 
> If you use something like this you will be able to use the base system
> dhclient:
> 
> interface "your_interface" {
>    send dhcp-class-identifier "your_value";
>    send user-class "your_second_value";
>    send option-90 "your_third_value";
> }
> 
> Good luck!
> 
> Frank
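
An added example (Python, not code from the thread or from OpenBSD's dhclient) of what the three `send` statements above put on the wire. A DHCP options field is a sequence of code/length/value triples, so the `t` options are sent as text, while option 90, which tables.c marks `X`, is raw octets laid out as RFC 3118 describes: protocol, algorithm, replay-detection method, an 8-byte replay-detection value, then protocol-specific authentication information. The encoder, the bounds-checked decoder and the sample values below are mine and constructed for illustration; `to_hex_octets` produces the colon-separated hex form in which an `X` option value can be written in dhclient.conf.

```python
# Added example, not code from the thread or from OpenBSD: build the DHCP
# option bytes that the dhclient.conf "send" statements above produce, and
# parse them back. Options use the RFC 2132 TLV layout (code, length,
# value). Option 90 is the RFC 3118 authentication option, whose fixed
# header is protocol (1) | algorithm (1) | RDM (1) | replay detection (8),
# followed by protocol-specific authentication information.
# All sample values are constructed for illustration.
import struct

OPT_CLASS_ID = 60    # dhcp-class-identifier, format "t" (text)
OPT_USER_CLASS = 77  # user-class, format "t" (text)
OPT_AUTH = 90        # authentication, format "X" (raw octets)
OPT_END = 255
OPT_PAD = 0

AUTH_HEADER = struct.Struct("!BBBQ")  # protocol, algorithm, RDM, replay detection


def encode_options(options):
    """Return the options field for a list of (code, bytes), terminated by END."""
    out = bytearray()
    for code, value in options:
        if not 0 < len(value) < 256:
            raise ValueError(f"option {code}: {len(value)} bytes cannot fit one TLV")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Parse a TLV options field into {code: bytes}; bounds-checked so a
    short buffer or a lying length byte raises instead of reading past it."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declares {length} bytes, {len(value)} present")
        # RFC 3396: a code that appears more than once is concatenated
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field has no END marker")


def build_auth_option(protocol, algorithm, rdm, replay, auth_info):
    """Assemble an RFC 3118 option 90 value from its fields."""
    return AUTH_HEADER.pack(protocol, algorithm, rdm, replay) + auth_info


def decode_auth_option(value):
    """Split an option 90 value into its header fields and authentication info."""
    if len(value) < AUTH_HEADER.size:
        raise ValueError("authentication option shorter than its 11-byte header")
    protocol, algorithm, rdm, replay = AUTH_HEADER.unpack_from(value)
    return {"protocol": protocol, "algorithm": algorithm, "rdm": rdm,
            "replay_detection": replay, "auth_info": value[AUTH_HEADER.size:]}


def to_hex_octets(value):
    """Colon-separated hex octets, one way an 'X' value is written in dhclient.conf."""
    return ":".join(f"{b:02x}" for b in value)


# Constructed sample: delayed authentication (protocol 1) with HMAC-MD5
# (algorithm 1), RDM 0 (monotonically increasing counter), a 4-byte secret
# ID and a 16-byte placeholder in place of the real MAC.
SAMPLE_AUTH = build_auth_option(1, 1, 0, 0x0102030405060708,
                                bytes.fromhex("00000001") + bytes(16))
SAMPLE_OPTIONS = encode_options([
    (OPT_CLASS_ID, b"IPTV_RG"),
    (OPT_USER_CLASS, b"your_second_value"),
    (OPT_AUTH, SAMPLE_AUTH),
])

if __name__ == "__main__":
    for code, value in decode_options(SAMPLE_OPTIONS).items():
        print(code, to_hex_octets(value))
    print(decode_auth_option(decode_options(SAMPLE_OPTIONS)[OPT_AUTH]))
```

The decoder is deliberately strict: a length byte that runs past the buffer, or a field with no END marker, is rejected rather than silently truncated, which is the check you want on anything parsing option bytes received from the network.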



Re: Request for a package & a feature

2015-11-28 Thread Loïc BLOT
Hi,
thanks Stuart & Michael for your replies.
For the PPPoE I have done a similar thing on my installation to make it
work, and that solves the problem.
As I see, OpenBSD's dhclient has user-class (option 77), but I also
need vendor-class-identifier (named as such in isc-dhcp-client) and
authentication (option 90, https://www.ietf.org/rfc/rfc3118.txt). I
didn't find those options.
I haven't tested wide-dhcpv6, I didn't know about it; I will test it.
-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Saturday 28 November 2015 at 09:05, Stuart Henderson wrote:
> On 2015-11-27, Loïc BLOT  wrote:
> > Hello @misc,
> > this evening I would like to thank the whole OpenBSD team for their
> > great OS for Security & Networking. I'm using OpenBSD as a router at
> > home on my Orange FTTH link and it works great.
> > 
> > As an improvement I would request three features from the
> > developers/ports maintainers:
> > 
> > 1. On every OpenBSD I need to make a kernel patch to set the VLAN
> > priority on my PPPoE packets (because of Orange restrictions, using a
> > custom priority on PPPoE instead of the standard one). I looked at the
> > code and pf.prio is only used on ICMP & TCP as I see. Is it possible
> > to extend this to PPPoE? This would be great.
> 
> It's not possible with PF. I sent a diff to move the various places
> that set prio in pppoe under a single #define that would make it
> easier
> to modify (and having them in one place would make it easier to add a
> sysctl or ioctl later), but didn't get any feedback yet.
> 
> https://marc.info/?l=openbsd-tech&m=144361652011039&w=2
> 
> > Orange now has PPPoE but provides a DHCPv4 + DHCPv6/PD feature to
> > connect to their network as a replacement (it's in test ATM but
> > available now for some who use a custom router instead of the
> > Livebox). I see two missing things in OpenBSD's embedded tools:
> > 2. The isc-dhcp-client package provides the feature permitting you to
> > add custom options when using dhclient. Is it possible to have such a
> > feature in the base dhclient instead of having only some restricted
> > features?
> 
> What option do you need? If it's not in dhcp-options(5) it can be set
> by number, but if it's something common that we're missing, we could
> add it.
> 
> > 3. OpenBSD doesn't have a DHCPv6/PD client and it's commonly used by
> > operators. Also, dibbler is not available in ports, whereas it works
> > perfectly if you add a little portability patch to fix some paths
> > (/var/lib => /var/db). Is it possible to import dibbler into the ports
> > tree for the next OpenBSD release, or, if you get some time, to have a
> > DHCPv6/PD OpenBSD tool (with custom options :D)?
> 
> dhcpcd is in ports and works, there are simple instructions in the
> pkg-readme for the common case.
> 
> Some people use the old wide DHCPv6 client.
> 
> I have a port for dibbler but I didn't want to import it in the shape
> it's in because it doesn't work with OpenBSD's normal libtool, only
> the GNU one, and there are already several alternatives.



Request for a package & a feature

2015-11-27 Thread Loïc BLOT
Hello @misc,
this evening I would like to thank the whole OpenBSD team for their
great OS for Security & Networking. I'm using OpenBSD as a router at
home on my Orange FTTH link and it works great.

As an improvement I would request three features from the
developers/ports maintainers:

1. On every OpenBSD I need to make a kernel patch to set the VLAN
priority on my PPPoE packets (because of Orange restrictions, using a
custom priority on PPPoE instead of the standard one). I looked at the
code and pf.prio is only used on ICMP & TCP as I see. Is it possible
to extend this to PPPoE? This would be great.

Orange now has PPPoE but provides a DHCPv4 + DHCPv6/PD feature to
connect to their network as a replacement (it's in test ATM but
available now for some who use a custom router instead of the
Livebox). I see two missing things in OpenBSD's embedded tools:
2. The isc-dhcp-client package provides the feature permitting you to
add custom options when using dhclient. Is it possible to have such a
feature in the base dhclient instead of having only some restricted
features?

3. OpenBSD doesn't have a DHCPv6/PD client and it's commonly used by
operators. Also, dibbler is not available in ports, whereas it works
perfectly if you add a little portability patch to fix some paths
(/var/lib => /var/db). Is it possible to import dibbler into the ports
tree for the next OpenBSD release, or, if you get some time, to have a
DHCPv6/PD OpenBSD tool (with custom options :D)?

Thanks for reading
-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr



Re: pf to read protocol information from /etc/services ?

2015-02-27 Thread Loïc Blot
Hello,
in the first example you don't specify proto tcp.


Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr

On 27 February 2015 at 09:50, "Harald Dunkel" wrote:
> Hi folks,
> 
> /etc/services provides protocol information as well, so I wonder
> if a pf line like
> 
> pass in from any to (self) port telnet
> 
> could be read as
> 
> pass in proto tcp from any to (self) port 23
> 
> ?
> 
> Currently (5.6 stable) there is an error message, e.g.
> 
> /etc/pf_gate5.conf:351: port only applies to tcp/udp
> /etc/pf_gate5.conf:351: skipping rule due to errors
> /etc/pf_gate5.conf:351: rule expands to no valid combination
> 
> I cannot follow the "no valid combination".
> 
> Just a suggestion, of course. Keep on your good work
> 
> Harri



Re: pf queuing not limiting bandwidth

2014-08-12 Thread Loïc Blot
Hi Raimundo,

please use max directive:

queue root on alc0 bandwidth 600M, max 500M
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Tuesday 12 August 2014 at 02:11 -0300, Raimundo Santos wrote:
> Hello misc!
> 
> I am seeing very unexpected behaviour. With this simple pf.conf
> 
> # pfctl -vnf /etc/pf.conf
> set skip on { lo }
> queue root on alc0 bandwidth 600M default
> pass out on alc0 all flags S/SA set ( queue root )
> 
> I got this queue output when running tcpbench in client mode
> 
> # pfctl -vvvsq
>   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
> queue root on alc0 bandwidth 600M default qlimit 50
>   [ pkts:6099167  bytes: 9233990662  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
> 
>   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue root on alc0 bandwidth 600M default qlimit 50
>   [ pkts:6500911  bytes: 9842225822  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
>   [ measured: 80348.8 packets/s, 973.18Mb/s ]
> 
>   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue root on alc0 bandwidth 600M default qlimit 50
>   [ pkts:6902593  bytes: 10450369962  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
>   [ measured: 80342.6 packets/s, 973.10Mb/s ]
> 
> # pfctl -vsr
> pass out on alc0 all flags S/SA set ( queue root )
>   [ Evaluations: 493   Packets: 14082601  Bytes: 13949048492  States: 1 ]
>   [ Inserted: uid 0 pid 3493 State Creations: 1 ]
> 
> I've tried with 100M, 200M and 400M, all not shaping.
> 
> I've also tried to set up a root queue with 200M and two children: a default
> with 1M and the other, referred to in the rule, with 100M, also not working.
> 
> I am playing with tcpbench and this is the only traffic I really care about
> on this machine. I restarted the tcpbench client on this machine every time
> I reloaded the testing rule and queue, and even deleted the related states
> (or states, in cases where I ran tcpbench -b ), but nothing
> leads me to the desired bandwidth shaping.
> 
> I am experiencing the same behaviour in a virtual machine under KVM with
> PCI passthrough of an Intel NIC. These are the conf and results from the
> virtual machine:
> 
> # pfctl -vf /etc/pf.conf
> set skip on { lo }
> queue std on em0 bandwidth 100M default
> pass out on em0 all flags S/SA set ( queue std )
> 
> # pfctl -vvvsq
>   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
> queue std on em0 bandwidth 100M default qlimit 50
>   [ pkts: 1195513815  bytes: 87858084628  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
> 
>   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue std on em0 bandwidth 100M default qlimit 50
>   [ pkts: 1195734870  bytes: 88192747866  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
>   [ measured: 44211.0 packets/s, 535.46Mb/s ]
> 
>   [ pkts:  0  bytes:  0  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue std on em0 bandwidth 100M default qlimit 50
>   [ pkts: 1195960995  bytes: 88535089028  dropped pkts:  0 bytes:  0 ]
>   [ qlength:   0/ 50 ]
>   [ measured: 44718.0 packets/s, 541.60Mb/s ]
> 
> # pfctl -vsr
> pass out on em0 all flags S/SA set ( queue std )
>   [ Evaluations: 2 Packets: 1853414   Bytes: 1708817040  States: 2 ]
>   [ Inserted: uid 0 pid 19622 State Creations: 2 ]
> 
> The traffic passes through a Linux box where I have per-IP bandwidth
> control (justifying tcpbench -b ), an in-house bandwidth controller
> (poor man's 'net equalizer'). My intent was to not put a very high load
> over this machine by getting close to my real pps and bps and so make my
> capacity planning.
> 
> What am I doing wrong with these queues?
> 
> Thank you all,
> Raimundo Santos
> 
> Here is my dmesgs, first from the physica
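
An added illustration of the `max` point in the reply above, not part of the thread (interface name, rates and queue names are assumed). In OpenBSD's queueing, `bandwidth` is the share a queue is allotted from its parent, while `max` is the ceiling the scheduler enforces; a root queue with only `bandwidth` on a link faster than that figure does not shape anything, which is what the 973 Mb/s measurements above show.

```conf
# /etc/pf.conf excerpt (added example; interface, rates and queue names assumed)

# Not limiting: bandwidth alone is the queue's share, not a cap.
# queue root on alc0 bandwidth 600M default

# Limiting: max is the hard ceiling; the default queue becomes a leaf
# under the capped root, so everything inherits the cap.
queue root on alc0 bandwidth 600M, max 500M
queue std  parent root bandwidth 400M, max 400M default
queue bulk parent root bandwidth 100M, max 100M

# pf is last-match-wins, so the catch-all comes first and the specific
# rule after it.
pass out on alc0 set queue bulk
pass out on alc0 proto tcp to port 22 set queue std
```

Check the result with `pfctl -nvf /etc/pf.conf` before loading, and confirm with `pfctl -vvsq` that the `measured:` rate no longer exceeds the `max` figure.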

Re: pfctl: DIOCADDQUEUE: No such process

2014-08-04 Thread Loïc Blot
Hi Henning,
you are right, I found the problem 1 week ago: a "hidden" interface in my
3000-rule pf.conf :)


-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Saturday 2 August 2014 at 12:17 +0200, Henning Brauer wrote:
> * Loïc Blot  [2014-07-23 17:12]:
> > pfctl: DIOCADDQUEUE: No such process
> 
> that most likely means you're trying to create a queue on a nonexistent
> interface. 



Re: CARP cluster: howto keep pf.conf in sync?

2014-07-28 Thread Loïc Blot
Hi Christoph,
here is my script to sync via rsync.

Please note I split pf.conf into 3 files because each router has local
specifics (some macros).

/etc/pf.conf: not synced
/etc/pf.sync.conf: filter rules
/etc/pf-nat.sync.conf: NAT rules

=


#! /bin/sh

# Pull the shared rule files from the master router, then reload PF only
# when a file actually changed and only if the merged ruleset parses.

# reload_if_changed SYNCED_FILE TRACE_FILE
#   TRACE_FILE holds the SHA-256 of SYNCED_FILE as of the last reload.
reload_if_changed() {
    SYNC_FILE=$1
    SYNCTRACE_FILE=$2

    SYNCTRACE=$(/bin/sha256 < "$SYNC_FILE")

    OLDTRACE=""
    if [ -f "$SYNCTRACE_FILE" ]; then
        OLDTRACE=$(/bin/cat "$SYNCTRACE_FILE")
    fi

    if [ "$SYNCTRACE" != "$OLDTRACE" ]; then
        echo "$SYNC_FILE modified"
        # parse-only load first, so a broken file never replaces the live ruleset
        if /sbin/pfctl -nf /etc/pf.conf; then
            /sbin/pfctl -f /etc/pf.conf
            echo "PF Reloaded"
            echo "$SYNCTRACE" > "$SYNCTRACE_FILE"
        fi
    else
        echo "No PF modification"
    fi
}

# filter rules
/usr/local/bin/rsync -Hauro minir...@odyssee.institutoptique.fr:/etc/pf.sync.conf /etc/
reload_if_changed /etc/pf.sync.conf /tmp/pf.sync.trace

# NAT rules
/usr/local/bin/rsync -Hauro th...@secondrouter2.lan:/etc/pf-nat.sync.conf /etc/
reload_if_changed /etc/pf-nat.sync.conf /tmp/pf-nat.sync.trace

===

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Monday 28 July 2014 at 13:50 +0200, Peus, Christoph wrote:
> Hi all,
> 
> 
> 
> is there a standard or recommended way to keep the pf.conf on the CARP cluster
> members in sync?
> 
> Thanks!
> 
> Regards
> Christoph
> 
> --
> Christoph Peus
> Universität Witten/Herdecke
> Information Technology Department
> Tel:  +49 2302 926-212
> Fax: +49 2302 926-44857
> mailto:christoph.p...@uni-wh.de
> 
> Private Universität Witten/Herdecke gGmbH
> Alfred-Herrhausen-Straße 50
> D - 58448 Witten
> 
> Homepage: http://www.uni-wh.de
> Twitter: http://twitter.com/UniWH
> Facebook: http://www.facebook.com/UniWH
> 
> Management: Prof. Dr. Martin Butzlaff (President), Dipl. oec. Jan Peter
> Nonnenkamp (Chancellor)
> 
> Registered office: Witten
> Commercial register of the Bochum district court, no. HRB 8671



Re: pfctl: DIOCADDQUEUE: No such process

2014-07-25 Thread Loïc Blot
Erf...
I found the error.
An admin had configured a queue on a nonexistent interface...

Maybe pfctl could tell us the interface doesn't exist?

Sorry for the inconvenience
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Friday 25 July 2014 at 09:25 +0200, Loïc Blot wrote:
> Hello
> after the reboot the problem persists...
> 
> pfctl: DIOCADDQUEUE: No such process
> 
> The default ruleset has been loaded:
> 
> block drop all
> pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass out inet6 proto ipv6-icmp all icmp6-type routersol
> pass out inet6 proto udp from any port = 546 to any port = 547
> pass out inet proto icmp all icmp-type echoreq
> pass out inet proto udp from any port = 68 to any port = 67
> pass out proto tcp from any to any port = 53 flags S/SA
> pass out proto udp from any to any port = 53
> pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto tcp from any to any port = 22 flags S/SA
> pass in inet proto udp from any port = 67 to any port = 68
> pass on lo0 all flags S/SA
> pass proto carp all keep state (no-sync)



Re: pfctl: DIOCADDQUEUE: No such process

2014-07-25 Thread Loïc Blot
Hello,
after the reboot the problem persists...

pfctl: DIOCADDQUEUE: No such process

The default ruleset has been loaded:

block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass proto carp all keep state (no-sync)
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Thursday 24 July 2014 at 17:44 +0200, Loïc Blot wrote:
> Hi David,
> in fact no, now the ruleset is empty and everything is allowed, erf. 
> Now I have no choice, I need to reboot this critical router :(.
> 
> I think there is a bug somewhere, I'll try to find out why this is
> happening before rebooting (maybe a patch if I can)



Re: pfctl: DIOCADDQUEUE: No such process

2014-07-24 Thread Loïc Blot
Hi David,
in fact no, now the ruleset is empty and everything is allowed, erf. 
Now I have no choice, I need to reboot this critical router :(.

I think there is a bug somewhere, I'll try to find out why this is
happening before rebooting (maybe a patch if I can)
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Thursday 24 July 2014 at 12:09, Dahlberg, David wrote:
> On Wednesday, 23.07.2014, 17:10 +0200, Loïc Blot wrote:
> > Hi @misc,
> > This afternoon i got a very strange issue on a router/firewall. I
> > added
> > a rule and then the following error appears:
> > 
> > > pfctl -nf /etc/pf.conf
> > > pfctl -f /etc/pf.conf
> > pfctl: DIOCADDQUEUE: No such process
> > 
> > I don't have any queue configured on the firewall.
> > 
> > I also tried pfctl -d; pfctl -e; pfctl -f /etc/pf.conf
> 
> I have seen this a few times. If it happens, then usually not
> during/right after bootup, but on a running system, and it won't
> accept even an empty pf.conf.
> 
> A reboot usually helps, but this is not really a solution. Does "pfctl
> -Fa" help?
> 
> Cheers



Re: pfctl: DIOCADDQUEUE: No such process

2014-07-23 Thread Loïc Blot
c (class system subclass
miscellaneous, rev 0x07) at pci13 dev 15 function 4 not configured
vendor "Intel", unknown product 0x3cad (class system subclass
miscellaneous, rev 0x07) at pci13 dev 15 function 5 not configured
vendor "Intel", unknown product 0x3cae (class system subclass
miscellaneous, rev 0x07) at pci13 dev 15 function 6 not configured
vendor "Intel", unknown product 0x3cb0 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 16 function 0 not configured
vendor "Intel", unknown product 0x3cb1 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 16 function 1 not configured
vendor "Intel", unknown product 0x3cb2 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 16 function 2 not configured
vendor "Intel", unknown product 0x3cb3 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 16 function 3 not configured
vendor "Intel", unknown product 0x3cb5 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 16 function 5 not configured
vendor "Intel", unknown product 0x3cb6 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 16 function 6 not configured
vendor "Intel", unknown product 0x3cb7 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 16 function 7 not configured
vendor "Intel", unknown product 0x3cb8 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 17 function 0 not configured
vendor "Intel", unknown product 0x3ce4 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 19 function 0 not configured
vendor "Intel", unknown product 0x3c43 (class DASP subclass Time and
Frequency, rev 0x07) at pci13 dev 19 function 1 not configured
vendor "Intel", unknown product 0x3ce6 (class DASP subclass Time and
Frequency, rev 0x07) at pci13 dev 19 function 4 not configured
vendor "Intel", unknown product 0x3c44 (class DASP subclass Time and
Frequency, rev 0x07) at pci13 dev 19 function 5 not configured
vendor "Intel", unknown product 0x3c45 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 19 function 6 not configured
pci14 at mainbus0 bus 127
uhub2 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
uhub3 at uhub2 port 6 "no manufacturer Gadget USB HUB" rev 2.00/0.00
addr 3
uhidev0 at uhub3 port 1 configuration 1 interface 0 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 4
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub3 port 1 configuration 1 interface 1 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 4
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
uhidev2 at uhub3 port 1 configuration 1 interface 2 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 4
uhidev2: iclass 3/1
ums1 at uhidev2: 3 buttons, Z dir
wsmouse1 at ums1 mux 0
uhub4 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
uhidev3 at uhub4 port 2 configuration 1 interface 0 "Avocent Dell
03R874" rev 1.10/1.00 addr 3
uhidev3: iclass 3/1
ukbd1 at uhidev3: 8 variable keys, 6 key codes, country code 33
wskbd1 at ukbd1 mux 1
wskbd1: connecting to wsdisplay0
uhidev4 at uhub4 port 2 configuration 1 interface 1 "Avocent Dell
03R874" rev 1.10/1.00 addr 3
uhidev4: iclass 3/1, 3 report ids
ums2 at uhidev4 reportid 1: 5 buttons, Z dir
wsmouse2 at ums2 mux 0
uhid0 at uhidev4 reportid 2: input=2, output=0, feature=0
uhid1 at uhidev4 reportid 3: input=1, output=0, feature=0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (12e8aef544eec09e.a) swap on sd0b dump on sd0b
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Wednesday 23 July 2014 at 22:36 -0700, Eric Lalonde wrote:
> > 
> > I cannot give you the dmesg output of the machine because the uptime
> > (dmesg was polluted by some carp messages :p), i cannot reboot it at
> > this time, it's a BGP router and the redundancy is in maintenance.
> 
> 
> try 'cat /var/run/dmesg.boot'



pfctl: DIOCADDQUEUE: No such process

2014-07-23 Thread Loïc Blot
Hi @misc,
This afternoon I got a very strange issue on a router/firewall. I added
a rule and then the following error appeared:

> pfctl -nf /etc/pf.conf
> pfctl -f /etc/pf.conf
pfctl: DIOCADDQUEUE: No such process

I don't have any queue configured on the firewall.

I also tried pfctl -d; pfctl -e; pfctl -f /etc/pf.conf

On my second router firewall (which has exactly the same ruleset), there
isn't any error.

Here is the uname -a:
OpenBSD saumur.institutoptique.fr 5.5 GENERIC.MP#315 amd64

I cannot give you the dmesg output of the machine because of the uptime
(dmesg was polluted by some carp messages :p); I cannot reboot it at
this time, it's a BGP router and the redundancy is in maintenance.

Please also note I modified rules 2 hours ago and I wasn't affected by
this issue.

Have you got an idea?

Thanks in advance

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr



Re: Dragonflybsd's pf concurrent instead of single-threaded

2014-07-10 Thread Loïc BLOT
Thanks for the clarifications :).
And no problem if you laugh because of me :p
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Tuesday 8 July 2014 at 11:03 +0200, Henning Brauer wrote:
> * InterNetX - Robert Garrett [2014-07-08 09:42]:
> > Uprading pf with [dfly's] set of changes to support [dfly's] locking
> > mechanisms, is a seriously non trivial exercise.
>
> and 100% wasted as done.
>
> starting off an old, ancient, pf, which is roughly 4 times slower than
> todays (but hey, you can throw cores at it, make intel & the power
> companies even richer, increase pollution, and whatnot), and making
> sure we can never take these changes back even if we wanted to.
>
> how bright!




Re: Dragonflybsd's pf concurrent instead of single-threaded

2014-07-07 Thread Loïc Blot
It's a very interesting diff.

If I have time I'll test it on -CURRENT in the next two weeks.

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Thursday 3 July 2014 at 11:35 -0500, patric conant wrote:
> This seems relevant to a lot of interest.
> 
> commit 3a0038bfb239dd522057809c52d7d23dd2134c38
> 
> Author: Matthew Dillon  <http://lists.dragonflybsd.org/mailman/listinfo/commits>>
> Date:   Thu Jun 26 20:40:32 2014 -0700
> 
> pf - make the bulk of PF concurrent under normal operation
> 
> * state and ip fragment tables are now per-cpu.
> 
> * packet paths acquire pf_token shared instead of exclusive.  Packet
>   processing runs concurrently.
> 
> * Any dynamic rules updates will run synchronously for now.
> 
> * State expiration from the pfpurge thread runs synchronously for now.
>   More work can be done here.
> 
> * ioctl (and also pfsync) paths acquire pf_token exclusively.  That is,
>   primarily pfctl commands.  This includes rules updates and state scans.
>   More work can be done here.
> 
> Summary of changes:
>  sys/net/pf/Makefile|   2 +
>  sys/net/pf/if_pfsync.c |  85 +++---
>  sys/net/pf/if_pfsync.h |   2 +
>  sys/net/pf/pf.c| 260 --
>  sys/net/pf/pf_ioctl.c  | 427 
> +++--
>  sys/net/pf/pf_norm.c   | 118 --
>  sys/net/pf/pfvar.h |  17 +-
>  7 files changed, 588 insertions(+), 323 deletions(-)
> http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/3a0038bfb239dd522057809c52d7d23dd2134c38



Re: Dell PE R210 won't boot from install54.iso CD

2014-04-23 Thread Loïc Blot
Hello,
I experienced some issues booting a Dell R210 when using a CD.
Use an external CD drive; I think this will resolve the problem (I got
problems with OpenBSD and FreeBSD after the bootloader too, and it's a
CD drive problem).
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Tuesday 22 April 2014 at 19:59 +0200, David Vasek wrote:
> On Tue, 22 Apr 2014, Mike Grau wrote:
> 
> >> Not necessarily but possibly related, FreeBSD also cannot currently boot 
> >> or run on many Dell R-series systems.  It's an ongoing issue over there.
> >> -Adam
> >>
> >
> > I see ...
> >
> > Yes, it will not boot a FreeBSD 10.0 either. Guess I'm out of luck for now.
> 
> You are giving up too early. I have a P4 Optiplex where I was never able 
> to boot OpenBSD from a flash drive. But PXE for the kernel together with 
> the filesystem from the flash drive always worked.
> 
> Regards,
> David



poor performance with GRE

2014-03-28 Thread Loïc Blot
Hi,
I'm using GRE to connect to remote sites.

GRE is on my border routers and PF is enabled on those routers. BGP is
enabled for WAN connectivity and OSPF is enabled for local routing and
OSPF-over-GRE routing.

I have poor performance on the GRE tunnel (2 MBps instead of 500 MBps
without the GRE encapsulation). PF is also scrubbing the GRE packets
(no-df scrubbing, and fragments are allowed).
What can I check to improve the GRE performance?

Thanks in advance.

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr



Re: pf and nat

2014-03-21 Thread Loïc BLOT
Hello,
you are right, you need both rules.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Tuesday 18 March 2014 at 15:19 -0300, Friedrich Locke wrote:
> Hi folks,
>
> i am studying pf and a doubt arose!
>
> Since my state policy is if-bound (set state-policy if-bound) i need two
> rules for each traffic i want to pass. Is that understanding right ?
>
> For instance, for nat i could :
>
> pass out on tl0 from dc0:network to any nat-to tl0
>
> pass in on dc0 from dc0:network to any
>
> Is this understanding correct ? Or only the first rule is ok?
>
> Thanks.




Re: Packet Filter nat-to issue

2014-02-28 Thread Loïc Blot
Thanks all, I will be careful in the future, and I won't forget to
specify the "inet" keyword :)
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Friday 28 February 2014 at 11:54 +0100, Mike Belopuhov wrote:
> On 28 February 2014 10:15, Loïc Blot  wrote:
> > Hello,
> > I encountered a strange problem today on PF. I don't know if this is
> > normal, but the result is illogical.
> >
> > I have this rule:
> >
> > pass out quick proto tcp from  to port { smtp smtps 587
> > imap imaps pop3 pop3s } nat-to $natto_iface
> >
> > Tables contain IPv4 addresses only.
> >
> > After applying this rule (I added IPv6 support yesterday), those
> > protocols weren't NAT-ed by PF.
> >
> > By investigating, I found this:
> >
> > pfctl -sr | grep nat-to
> >
> > pass out quick inet6 proto tcp from  to any port = 465
> > flags S/SA nat-to <__automatic_d309aaac_0> round-robin
> >
> > Then I looked at __automatic_d309aaac_0, because inet6 was strange!
> >
> > pfctl -t __automatic_d309aaac_1 -T show
> >2001:660:3bbb:::2
> >fe80::92b1:1cad:fe18:ea18
> >
> > To resolve this problem I added the inet keyword to my rule.
> >
> > Is this normal?
> 
> yes, you've got what you've asked for.  you should say "pass out quick inet"
> if you don't want inet6.
> 
> > Maybe a fix was required on pf parser?
> >
> > Have a nice day
> >
> >
> > --
> > Best regards,
> >
> > Loïc BLOT, Engineering
> > UNIX Systems, Security and Network Engineer
> > http://www.unix-experience.fr



Packet Filter nat-to issue

2014-02-28 Thread Loïc Blot
Hello,
I encountered a strange problem today on PF. I don't know if this is
normal, but the result is illogical.

I have this rule:

pass out quick proto tcp from  to port { smtp smtps 587
imap imaps pop3 pop3s } nat-to $natto_iface

Tables contain IPv4 addresses only.

After applying this rule (I added IPv6 support yesterday), those
protocols weren't NAT-ed by PF.

By investigating, I found this:

pfctl -sr | grep nat-to

pass out quick inet6 proto tcp from  to any port = 465
flags S/SA nat-to <__automatic_d309aaac_0> round-robin

Then I looked at __automatic_d309aaac_0, because inet6 was strange!

pfctl -t __automatic_d309aaac_1 -T show
   2001:660:3bbb:::2
   fe80::92b1:1cad:fe18:ea18

To resolve this problem I added the inet keyword to my rule.

Is this normal? Maybe a fix is required in the pf parser?

Have a nice day


-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr
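
An added example, not from the thread (interface names, the table name and the network are assumptions). The rule as posted names no address family, so pfctl expands it into an inet and an inet6 copy, and the inet6 copy is given an automatic round-robin nat-to table built from the interface's IPv6 addresses, which is exactly what the `pfctl -sr` output above shows. Adding `inet` keeps the NAT rule on IPv4. The last rule covers the if-bound question earlier on this page: with `set state-policy if-bound`, the same connection also needs a pass rule on the inside interface where it enters, not only the one on the NAT interface.

```conf
# /etc/pf.conf excerpt (added example; interface names, table and network assumed)
ext_if = "em0"
int_if = "em1"
mail_ports = "{ smtp smtps 587 imap imaps pop3 pop3s }"
table <mailclients> { 192.0.2.0/24 }

set state-policy if-bound

# Before: no address family, so this becomes two rules, and the inet6 one
# gets an automatic round-robin nat-to table from $ext_if's IPv6 addresses.
# pass out quick on $ext_if proto tcp from <mailclients> to port $mail_ports nat-to $ext_if

# After: IPv4 only, so NAT applies to the addresses the table actually holds.
pass out quick on $ext_if inet proto tcp from <mailclients> to port $mail_ports nat-to $ext_if

# With if-bound states the connection must also be passed where it enters.
pass in on $int_if inet proto tcp from <mailclients> to port $mail_ports
```

`pfctl -nvf /etc/pf.conf` prints the expanded ruleset without loading it; run it after any rule that omits `inet`/`inet6` and look for an unexpected inet6 twin before the rules go live.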



Dell R320 crash

2014-01-08 Thread Loïc Blot
at pci13 dev 16 function 6 not configured
vendor "Intel", unknown product 0x3cb7 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 16 function 7 not configured
vendor "Intel", unknown product 0x3cb8 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 17 function 0 not configured
vendor "Intel", unknown product 0x3ce4 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 19 function 0 not configured
vendor "Intel", unknown product 0x3c43 (class DASP subclass Time and
Frequency, rev 0x07) at pci13 dev 19 function 1 not configured
vendor "Intel", unknown product 0x3ce6 (class DASP subclass Time and
Frequency, rev 0x07) at pci13 dev 19 function 4 not configured
vendor "Intel", unknown product 0x3c44 (class DASP subclass Time and
Frequency, rev 0x07) at pci13 dev 19 function 5 not configured
vendor "Intel", unknown product 0x3c45 (class system subclass
miscellaneous, rev 0x07) at pci13 dev 19 function 6 not configured
pci14 at mainbus0 bus 127
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
uhidev0 at uhub2 port 2 configuration 1 interface 0 "D-Link KVM-221" rev
1.00/0.01 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0 mux 1
wskbd0: connecting to wsdisplay0
uhidev1 at uhub2 port 2 configuration 1 interface 1 "D-Link KVM-221" rev
1.00/0.01 addr 3
uhidev1: iclass 3/1
ums0 at uhidev1: 5 buttons, Z dir
wsmouse0 at ums0 mux 0
uhub3 at uhub2 port 6 "no manufacturer Gadget USB HUB" rev 2.00/0.00
addr 4
uhidev2 at uhub3 port 1 configuration 1 interface 0 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 5
uhidev2: iclass 3/1
ukbd1 at uhidev2: 8 variable keys, 6 key codes
wskbd1 at ukbd1 mux 1
wskbd1: connecting to wsdisplay0
uhidev3 at uhub3 port 1 configuration 1 interface 1 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 5
uhidev3: iclass 3/1
ums1 at uhidev3: 3 buttons, Z dir
wsmouse1 at ums1 mux 0
uhidev4 at uhub3 port 1 configuration 1 interface 2 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 5
uhidev4: iclass 3/1
ums2 at uhidev4: 3 buttons, Z dir
wsmouse2 at ums2 mux 0
uhub4 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (c3d13a6a4ff0f34c.a) swap on sd0b dump on sd0b

How can I help you to resolve it, or can I fix the bug?
Thanks in advance.

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr



BCM5720, Dell R320 and OpenBSD 5.4

2013-11-06 Thread Loïc BLOT
Hi all,
congrats to the OpenBSD team, it seems the BCM5720 on Dell R320 is working
fine since the many recent changes to the bge driver!

A testing R320 has been running for 8 hours at 560MB up + 560MB down with
LACP trunks (on 5.3, LACP trunks with BCM froze the server, and without
them, freezes were still there but less frequent).

My bench is composed of two dd if=/dev/random | ssh user@server "dd
of=/dev/null" (one on the Dell R320 and one from another server).

Are there any network stress benchmarks I can run on OpenBSD to test the
hardware configuration a little more?


--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: RJ11 on Alix 2d13 with OpenBSD

2013-11-05 Thread Loïc BLOT
Hi,
thanks for your replies, I'll try an ADSL 2+ bridge modem later.
Sorry noah but I'm not familiar with DSL tech, I prefer LAN tech, it's
simpler. I thought modern RJ45 network cards could understand the
RJ11/ADSL protocol but this is wrong.
Good evening!
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le mardi 05 novembre 2013 à 15:49 -0800, noah pugsley a écrit :
> On Tue, Nov 5, 2013 at 3:30 PM, Loïc BLOT
> wrote:
>
> > Hi,
> > I'm trying to replace and remove my ADSL box with an Alix 2d13 (OpenBSD runs very
> > well on it and with athn, congrats!)
> > I would like to test plugging the RJ11 cable (from my ADSL line, behind the ADSL
> > filter) into the RJ45 plug but it seems this doesn't work (no carrier).
> >
>
> You plugged a phone line into an ethernet port. Why would it know what an
> ADSL carrier looks like?
>
>
> > Is this possible? If yes, how can I do it?
> > Otherwise, I may use modems, but are USB modems good for ADSL 2+ (PPPoE) or
> > must I use an ADSL <-> Ethernet modem (like
> > http://www.netgear.fr/home/products/wired-routers-and-modems/wired-modems/dm111p.aspx)?
> >
>
>  What is your existing 'ADSL box'? A typical setup should look something
> like this:
>
> pstn local loop <--pots line--> ADSL modem/bridge/router <--ethernet-->
> Your router/network.
>
> Just plug the ethernet port from your 'ADSL box' into your Alix and
> configure it for pppoe/a, dhcp or whatever your provider requires.
>
> The modem is still a point of failure whether or not it is a card internal
> to the Alix, a usb adapter (which I don't think any are supported on
> OpenBSD), or an external device. I prefer an external device as it is
> easier to replace.
>
> Just use what you got.
>
>
> >
> > Thanks in advance !
> > --
> > Best regards,
> > Loïc BLOT,
> > UNIX systems, security and network engineer
> > http://www.unix-experience.fr
> >
> > [demime 1.01d removed an attachment of type application/pgp-signature
> > which had a name of signature.asc]




RJ11 on Alix 2d13 with OpenBSD

2013-11-05 Thread Loïc BLOT
Hi,
I'm trying to replace and remove my ADSL box with an Alix 2d13 (OpenBSD runs very
well on it and with athn, congrats!)
I would like to test plugging the RJ11 cable (from my ADSL line, behind the ADSL
filter) into the RJ45 plug but it seems this doesn't work (no carrier).
Is this possible? If yes, how can I do it?
Otherwise, I may use modems, but are USB modems good for ADSL 2+ (PPPoE) or
must I use an ADSL <-> Ethernet modem (like
http://www.netgear.fr/home/products/wired-routers-and-modems/wired-modems/dm111p.aspx)?

Thanks in advance !
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr




Re: Strange icmp6 issue

2013-11-01 Thread Loïc BLOT
Hem, bad copy/paste, here is the end of the previous message:

pcidump:
Domain /dev/pci0:
 0:0:0: Intel E5 Host
 0:1:0: Intel E5 PCIE
 0:3:0: Intel E5 PCIE
 0:5:0: Intel E5 Address Map
 0:5:2: Intel E5 Error Reporting
 0:17:0: Intel C600 Virtual PCIE
 0:22:0: Intel C600 MEI
 0:22:1: Intel C600 MEI
 0:26:0: Intel C600 USB
 0:28:0: Intel C600 PCIE
 0:28:4: Intel C600 PCIE
 0:28:7: Intel C600 PCIE
 0:29:0: Intel C600 USB
 0:30:0: Intel 82801BA Hub-to-PCI
 0:31:0: Intel C600 LPC
 0:31:2: Intel C600 AHCI
 1:0:0: Symbios Logic MegaRAID SAS2008
 2:0:0: Broadcom BCM5720
 2:0:1: Broadcom BCM5720
 3:0:0: Renesas SH7757 PCIE Switch
 4:0:0: Renesas SH7757 PCIE Switch
 4:1:0: Renesas SH7757 PCIE Switch
 5:0:0: Renesas SH7757 PCIE-PCI
 6:0:0: Matrox MGA G200eR
 8:0:0: Intel I350
 8:0:1: Intel I350
 10:0:0: Intel I350
 10:0:1: Intel I350

Have you got an idea?

Thanks in advance

PS: it's 5.2 because 5.3 doesn't work very well on Dell R320, and I
cannot update this router to OpenBSD 5.4 before testing it on a
non-production testing server.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le samedi 02 novembre 2013 à 00:27 +0100, Loïc BLOT a écrit :
> Hello @misc
> for 1 week I have had a strange issue on one of my dual stack routers. The
> router doesn't answer icmp6 on one of its interfaces (but on all
> others, it works very well).
>
> tcpdump -nni vlan851
> 00:08:07.204986 2001:660::ff::2:1 > 2001:660::ff::2:2: icmp6:
> neighbor sol: who has 2001:660:2012:ff::2:2 [class 0xe0]
> 00:08:08.205047 2001:660::ff::2:1 > 2001:660::ff::2:2: icmp6:
> neighbor sol: who has 2001:660:2012:ff::2:2 [class 0xe0]
>
> ifconfig vlan851
> vlan851: flags=8843 mtu 1500
> lladdr a0:36:9f:10:4a:a7
> priority: 0
> vlan: 851 parent interface: trunk0
> groups: vlan
> status: active
> inet6 fe80::a236:9fff:fe10:4aa7%vlan851 prefixlen 64 scopeid 0xe
> inet6 2001:660::ff::2:2 prefixlen 126
>
> I tried to down/up the interface, destroy it and netstart it, but it
> refuses to work.
> If I try a ping6, it works:
> PING6(56=40+8+8 bytes) 2001:660::ff::2:2 --> 2001:660::ff::2:1
> 16 bytes from 2001:660::ff::2:1, icmp_seq=0 hlim=64 time=32.154 ms
> 16 bytes from 2001:660::ff::2:1, icmp_seq=1 hlim=64 time=0.971 ms
> 16 bytes from 2001:660::ff::2:1, icmp_seq=2 hlim=64 time=0.884 ms
>
> My pf rules are common for all icmp and work on all interfaces:
> pass quick inet proto icmp all no state
> pass quick inet6 proto ipv6-icmp all no state
>
> uname -a
> OpenBSD 5.2 GENERIC.MP#368 amd64
>
> pcidump
>
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network engineer
> http://www.unix-experience.fr
>
> [demime 1.01d removed an attachment of type application/pgp-signature which
had a name of signature.asc]




Strange icmp6 issue

2013-11-01 Thread Loïc BLOT
Hello @misc
for 1 week I have had a strange issue on one of my dual stack routers. The
router doesn't answer icmp6 on one of its interfaces (but on all
others, it works very well).

tcpdump -nni vlan851
00:08:07.204986 2001:660::ff::2:1 > 2001:660::ff::2:2: icmp6:
neighbor sol: who has 2001:660:2012:ff::2:2 [class 0xe0]
00:08:08.205047 2001:660::ff::2:1 > 2001:660::ff::2:2: icmp6:
neighbor sol: who has 2001:660:2012:ff::2:2 [class 0xe0]

ifconfig vlan851
vlan851: flags=8843 mtu 1500
lladdr a0:36:9f:10:4a:a7
priority: 0
vlan: 851 parent interface: trunk0
groups: vlan
status: active
inet6 fe80::a236:9fff:fe10:4aa7%vlan851 prefixlen 64 scopeid 0xe
inet6 2001:660::ff::2:2 prefixlen 126

I tried to down/up the interface, destroy it and netstart it, but it
refuses to work.
If I try a ping6, it works:
PING6(56=40+8+8 bytes) 2001:660::ff::2:2 --> 2001:660::ff::2:1
16 bytes from 2001:660::ff::2:1, icmp_seq=0 hlim=64 time=32.154 ms
16 bytes from 2001:660::ff::2:1, icmp_seq=1 hlim=64 time=0.971 ms
16 bytes from 2001:660::ff::2:1, icmp_seq=2 hlim=64 time=0.884 ms

My pf rules are common for all icmp and work on all interfaces:
pass quick inet proto icmp all no state
pass quick inet6 proto ipv6-icmp all no state

uname -a
OpenBSD 5.2 GENERIC.MP#368 amd64

pcidump

--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr




Re: General question about openbgpd and PF

2013-10-29 Thread Loïc BLOT
Hi,
I use PF on some OpenBSD BGP+OSPF routers on Renater (IPv4 + IPv6); it
works like a charm.
Why this question?

pf rules are simple:

pass in quick proto tcp from $bgp_neighbor_1 to $self_peering_1 port 179
pass out quick proto tcp from $self_peering_1 to $bgp_neighbor_1 port
179


--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le mardi 29 octobre 2013 à 18:27 +0100, OCEANET - Cédric BASSAGET a
écrit :
> Hi,
> Simple and general question :
> Is it a good thing to run PF on an openbgpd server (for security
> reasons), or should I de-activate PF ?
>
> Regards,
> Cédric




Re: Best OpenBSD cloud hosting?

2013-10-21 Thread Loïc BLOT
Hi Antoine.
I also have a hang problem when I use a cold stop on libvirt. No problem
on VMware ESX when I click on the "shutdown" button.

On libvirt, when I click on this button the VM hangs and then I need to
kill the VM.

(Archlinux kernel 3.11, but the problem was also present before. OpenBSD
5.3 VMs)
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le dimanche 20 octobre 2013 à 23:13 +0200, Antoine Jacoutot a écrit :
> On Sun, Oct 20, 2013 at 12:36:14PM -0700, Bryan Vyhmeister wrote:
> > On Wed, Oct 09, 2013 at 08:45:37PM +0200, Antoine Jacoutot wrote:
> > > I personally use SmartOS and while it is an awesome system, OpenBSD
> > > does not always behave perfectly well under Solaris KVM.  I've had
> > > several vdisk related issues.  In my experience, Linux KVM is a better
> > > container for our OS.
> >
> > Could you elaborate on this? I've run OpenBSD under SmartOS briefly a
> > few months ago and it seemed to run just fine on my own test box. Were
> > you using the virtio(4) drivers? I did have network troubles when I
> > tried them but that was early this year and using the non-virtio network
> > setup seemed to work fine. I don't remember what I did for disk
> > settings. I'll have to look at my backups.
>
> I am often unable to properly shutdown OpenBSD VMs, disks hang.
> Using virtio or not does not change that.
> I did not look into it very deeply yet so ... But I never saw this issue in
Linux KVM.




Re: Blocking facebook.com: PF or squid?

2013-10-19 Thread Loïc BLOT
Hello Stefan,
at home, I blocked facebook by creating an empty DNS zone "facebook.com"
on my local bind server. It works like a charm.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le samedi 19 octobre 2013 à 00:27 +0200, Stefan Wollny a écrit :
> Hi there,
>
> having a personal dislike of Facebook (and the MeeToo-systems alike)
> for their impertinent sniffing for private data I tried on my laptop to
> block facebook.com via hosts-file. Interestingly this failed: Calling
> "http://www.facebook.com" always resulted in a lookup for
> "httpS://www.facebook.com" and the respective site showed up in the
> browser (tried firefox and xombrero).
>
> Well: Beside excepting the fact that those facebook engineers did a
> fine job circumventing the entries in /etc/hosts I felt immediately
> insecure: The reports on this company's attitude towards even
> non-customers privacy are legendary. Their respective track record
> earns them the honorable title of "NSA's fittest supporter"...
>
> Anyway: I think I finally managed to block all their IPs via PF and on
> this laptop I now feel a little less 'observed'. [Yes, I know - this is
> just today's snapshot of IPs!]
>
> My question is on the squid-server I have running at home: What
> would make more sense - blocking facebook.com via pf.conf alike or are
> there reasons to use squid's ACL instead? Performance? Being
> ultra-paranoid and implementing both (or even additionally the
> hosts-file-block?)? From my understanding squid should not be able to
> block https-traffic as it is encrypted - or am I wrong here?
>
> Curious if there is a particular (Open)BSD solution or simply how you
> 'guys and gals' would do it.
>
> Thank you for sharing your thoughts.
>
> Cheers,
> STEFAN




Re: Dell servers

2013-10-10 Thread Loïc BLOT
I have no problem on multiple pairs of R320, except the BCM5720 which
causes my OpenBSD to freeze. Waiting for 5.4 improvements :)
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le jeudi 10 octobre 2013 à 20:54 -0700, Chris Cappuccio a écrit :
> If they have PCI-Express slots, 10G ethernet isn't a problem.
>
> If they have supported SATA or SCSI controllers, storage isn't an issue.
>
> Dell's RAID controllers tend to be well supported under OpenBSD
>
> Friedrich Locke [friedrich.lo...@gmail.com] wrote:
> > Is anyone running OBSD 5.3 on Dell R*** series servers ?
> > What about 10G ethernet devices ? And Storage ?
> > Is there any concern when buying these machines ?
> >
> > Thanks in advance.




Re: pfsync too slow ?

2013-10-07 Thread Loïc BLOT
Hello Stuart,
thanks for your precisions.
I have tried to download a big matlab.deb from our repositories and it
works like a charm (3GB file). By removing 'in' I also notice a little
more reactivity on the network and in the latency.
Now I'll wait until tomorrow when my 500 users go to work to see if the
router works well with this configuration, and then I'll deploy this new
type of rule on all rules and firewalls.
For the cable, I can't. I haven't any more RJ45 slots available (4/4
ports used, LACP trunks).
Thanks for your tips. If the issue comes back when the load increases
I'll try it!

Good evening.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le lundi 07 octobre 2013 à 21:30 +, Stuart Henderson a écrit :
> On 2013-10-07, Loïc BLOT  wrote:
> > Now with pfsync state are synchronized but late, then client must launch
> > 2 or 3 TCP connections and when it works it's very slow.
> > I also have tried defer mode and increasing maxupd but no changes
> > appear. I also add Is there anything more to do ?
>
> defer helps, but if your typical scenario is to have a path split
> between two routers (rather than just having this happen
> occasionally) you may well be better off just using sloppy states.
>
>
> On 2013-10-07, Loïc BLOT  wrote:
> > Hmmm
> > I solved it by removing 'in' from pass in quick <...>
>
> test that longer connections work ok (or verify that you get wscale
> information in all states associated with a connection, pfctl -ss -v
> shows this)
>
> > Here is a pfsync configuration example:
> > up syncdev vlanXX5 syncpeer 10.XX.X.129
> >
> > The latency between the two host is very light, because they are on the
> > same switch, with a dedicated VLAN
>
> have you tried a direct cable? I find latency significantly lower
> that way..

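The split-path setup discussed in this thread, written out with the sloppy state tracking Stuart suggests and the pfsync defer option the thread mentions. This is an added example, not configuration from the thread; the tables, their addresses, the sync interface and the peer address are placeholders, not the poster's values.

```pf
# Added example, not from the thread. Placeholder tables and addresses.
table <webservers_v4> { 192.0.2.10 192.0.2.11 }
table <webservers_v6> { 2001:db8::10 2001:db8::11 }

# Request and reply cross different routers, so each router sees only one
# direction of every TCP connection. A state created from a SYN/ACK alone
# carries no window-scaling information (the wscale column of
# "pfctl -ss -v"), and strict sequence tracking then drops later segments
# of long transfers. "sloppy" disables the sequence-number checks for the
# states these rules create.
pass in quick inet proto tcp to <webservers_v4> port { http https } \
    keep state (sloppy)
pass in quick inet6 proto tcp to <webservers_v6> port { http https } \
    keep state (sloppy)
# Reply direction, for the router that only sees traffic leaving the servers.
pass in quick inet proto tcp from <webservers_v4> port { http https } \
    keep state (sloppy)
pass in quick inet6 proto tcp from <webservers_v6> port { http https } \
    keep state (sloppy)

# /etc/hostname.pfsync0 (placeholder interface and peer). "defer" holds
# the packet that creates a state until the peer has acknowledged the
# state insert, so the reply cannot reach the other router before the
# state does.
# up syncdev vlan5 syncpeer 10.0.0.129 defer
```

Sloppy tracking does not check sequence numbers at all, which is exactly why it tolerates a missing SYN but also weakens the tracker against injected segments; keep it on the rules that really carry asymmetric traffic rather than on the whole ruleset. After loading, pfctl -ss -v shows each state with its wscale and sequence windows, which is the check Stuart describes for confirming that long connections are tracked correctly on both routers.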



Re: pfsync too slow ?

2013-10-07 Thread Loïc BLOT
Hmm, to clarify the last message:
after the "pass out all" there is only:
block return out log quick on { $interco_polytech_v4 $interco_hec_v4 }
inet from 
block return out log quick on { $interco_polytech_v6 $interco_hec_v6 }
inet6 from 

and no other out-related rule.
 and  contain my private IP addresses. And
$interco_xxx are my physical WAN interconnections, so those IP
addresses mustn't be there.
In my first problem this is an incoming HTTP connection, so a public
IP to another public IP.


--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le lundi 07 octobre 2013 à 22:30 +0200, Loïc BLOT a écrit :
> Hmmm
> I solved it by removing 'in' from pass in quick <...>
>
> But my PF are configured with the first default rule: pass out all and
> there isn't any block out rule... Is this a normal situation ?
> On another router (which also do NAT), i use only pass in and pass out
> for NAT, and all PF is stateful.
> Is there anything i miss ?
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network engineer
> http://www.unix-experience.fr
>
>
>
> Le lundi 07 octobre 2013 à 21:51 +0200, Loïc BLOT a écrit :
> > Hello,
> >
> > today i was configuring pfsync on a dual routers (BGP on WAN and CARP on
> > LAN). Before i run in a stateless mode and it works like a charm.
> >
> > Now with pfsync state are synchronized but late, then client must launch
> > 2 or 3 TCP connections and when it works it's very slow.
> > I also have tried defer mode and increasing maxupd but no changes
> > appear. I also add Is there anything more to do ?
> >
> > Because of BGP incoming request, and CARP regular configuration, traffic
> > follows this path:
> >
> > WAN > Router 2 (BGP related) > HTTP server > Router 1 (CARP related) >
> > WAN
> >
> > It seems all WAN incoming requests are blocked on Router 1 when HTTP
> > server SYN/ACK the request, but they are allowed by Router 2 and pfsync
> > is working very well.
> >
> > Here is a pflog on this router (it runs on a block in log all default
> > rule)
> >
> > 21:16:28.564254 194.XX.XX.196.80 > 92.151.191.92.49189: S
> > 1348056791:1348056791(0) ack 2684884151 win 65535  > 6,sackOK,eol> (DF)
> > 21:16:28.569211 194.XX.XX.196.80 > 92.151.191.92.49190: S
> > 274610014:274610014(0) ack 3399288798 win 65535  > 6,sackOK,eol> (DF)
> > 21:16:28.417129 194.XX.XX.197.443 > 92.141.20.30.52927: S
> > 3247839828:3247839828(0) ack 2174711713 win 65535  > 6,sackOK,timestamp 2749057892 407092137> (DF)
> > 21:16:28.417784 194.XX.XX.197.443 > 92.141.20.30.52928: S
> > 3719844564:3719844564(0) ack 524653966 win 65535  > 6,sackOK,timestamp 2971980508 407092137> (DF)
> > 21:16:28.431525 194.XX.XX.196.443 > 46.193.1.103.61043: S
> > 2792740841:2792740841(0) ack 3070150005 win 65535  > 6,sackOK,eol> (DF)
> >
> > Here is an extract of my PF rules:
> > pass in quick inet proto tcp to  port { http https }
> > pass in quick inet6 proto tcp to  port { http https }
> >
> > In stateless configuration this works, here is the working
> > configuration:
> > pass in quick inet proto tcp to  port { http https } no
> > state
> > pass in quick inet proto tcp from  port { http https }
> > no state
> > pass in quick inet6 proto tcp to  port { http https }
> > no state
> > pass in quick inet6 proto tcp from  port { http https }
> > no state
> >
> > Here is a pfsync configuration example:
> > up syncdev vlanXX5 syncpeer 10.XX.X.129
> >
> > The latency between the two host is very light, because they are on the
> > same switch, with a dedicated VLAN
> >
> > 64 bytes from 10.XX.XX.130: icmp_seq=2 ttl=255 time=0.146 ms
> >
> > For more informations, here is a little extract when i do a tcpdump on
> > vlanXX5 (each host see the pfsync updated)
> >
> > 21:37:25.031271 10.117.1.129: PFSYNCv6 len 108
> > act UPD ST COMP count 1
> > ...
> >  (DF)
> > 21:37:25.036625 10.117.1.130: PFSYNCv6 len 192
> > act UPD ST COMP count 2
> > ...
> >  (DF) [tos 0x10]
> > 21:37:25.036753 10.117.1.129: PFSYNCv6 len 108
> > act UPD ST COMP count 1
> > ...
> >  (DF)
> > 21:37:25.041298 10.117.1.129: PFSYNCv6 len 108
> > act UPD ST COMP count 1
> > ...
> >  (DF)
> > 21:37:25.046578 10.117.1.130: PFSYNCv6 len 192
> > act UPD ST COMP count 2
> > ...
> >  (DF) [tos 0x10]
> > 21:37:25.046706 10.117.1.129: PFSYNCv6 len 108
> > act UPD ST COMP count 1
> > ...
> >  (DF)
> > 21:37:25.051269 10.117.1.129: PFSYNCv6 len 108
> > act UPD ST COMP count 1
> > ...
> >  (DF)
> > 21:37:25.056562 10.117.1.130: PFSYNCv6 len 192
> > act UPD ST COMP count 2
> > ...
> >
> > Have you got ideas ?
> > Thanks in advance
> >
> > --
> > Best regards,
> > Loïc BLOT,
> > UNIX systems, security and network engineer
> > http://www.unix-experience.fr
> >
> > [demime 1.01d removed an attachment of type application/pgp-signature
which
> had a name of signature.asc]
>
> [demime 1.01d removed an attachment of type application/pgp-signature which
had a name of s

Re: pfsync too slow ?

2013-10-07 Thread Loïc BLOT
Hmmm
I solved it by removing 'in' from pass in quick <...>

But my PF is configured with the first default rule: pass out all, and
there isn't any block out rule... Is this a normal situation?
On another router (which also does NAT), I use only pass in and pass out
for NAT, and all PF is stateful.
Is there anything I missed?
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le lundi 07 octobre 2013 à 21:51 +0200, Loïc BLOT a écrit :
> Hello,
>
> today i was configuring pfsync on a dual routers (BGP on WAN and CARP on
> LAN). Before i run in a stateless mode and it works like a charm.
>
> Now with pfsync state are synchronized but late, then client must launch
> 2 or 3 TCP connections and when it works it's very slow.
> I also have tried defer mode and increasing maxupd but no changes
> appear. I also add Is there anything more to do ?
>
> Because of BGP incoming request, and CARP regular configuration, traffic
> follows this path:
>
> WAN > Router 2 (BGP related) > HTTP server > Router 1 (CARP related) >
> WAN
>
> It seems all WAN incoming requests are blocked on Router 1 when HTTP
> server SYN/ACK the request, but they are allowed by Router 2 and pfsync
> is working very well.
>
> Here is a pflog on this router (it runs on a block in log all default
> rule)
>
> 21:16:28.564254 194.XX.XX.196.80 > 92.151.191.92.49189: S
> 1348056791:1348056791(0) ack 2684884151 win 65535  6,sackOK,eol> (DF)
> 21:16:28.569211 194.XX.XX.196.80 > 92.151.191.92.49190: S
> 274610014:274610014(0) ack 3399288798 win 65535  6,sackOK,eol> (DF)
> 21:16:28.417129 194.XX.XX.197.443 > 92.141.20.30.52927: S
> 3247839828:3247839828(0) ack 2174711713 win 65535  6,sackOK,timestamp 2749057892 407092137> (DF)
> 21:16:28.417784 194.XX.XX.197.443 > 92.141.20.30.52928: S
> 3719844564:3719844564(0) ack 524653966 win 65535  6,sackOK,timestamp 2971980508 407092137> (DF)
> 21:16:28.431525 194.XX.XX.196.443 > 46.193.1.103.61043: S
> 2792740841:2792740841(0) ack 3070150005 win 65535  6,sackOK,eol> (DF)
>
> Here is an extract of my PF rules:
> pass in quick inet proto tcp to  port { http https }
> pass in quick inet6 proto tcp to  port { http https }
>
> In stateless configuration this works, here is the working
> configuration:
> pass in quick inet proto tcp to  port { http https } no
> state
> pass in quick inet proto tcp from  port { http https }
> no state
> pass in quick inet6 proto tcp to  port { http https }
> no state
> pass in quick inet6 proto tcp from  port { http https }
> no state
>
> Here is a pfsync configuration example:
> up syncdev vlanXX5 syncpeer 10.XX.X.129
>
> The latency between the two host is very light, because they are on the
> same switch, with a dedicated VLAN
>
> 64 bytes from 10.XX.XX.130: icmp_seq=2 ttl=255 time=0.146 ms
>
> For more informations, here is a little extract when i do a tcpdump on
> vlanXX5 (each host see the pfsync updated)
>
> 21:37:25.031271 10.117.1.129: PFSYNCv6 len 108
> act UPD ST COMP count 1
> ...
>  (DF)
> 21:37:25.036625 10.117.1.130: PFSYNCv6 len 192
> act UPD ST COMP count 2
> ...
>  (DF) [tos 0x10]
> 21:37:25.036753 10.117.1.129: PFSYNCv6 len 108
> act UPD ST COMP count 1
> ...
>  (DF)
> 21:37:25.041298 10.117.1.129: PFSYNCv6 len 108
> act UPD ST COMP count 1
> ...
>  (DF)
> 21:37:25.046578 10.117.1.130: PFSYNCv6 len 192
> act UPD ST COMP count 2
> ...
>  (DF) [tos 0x10]
> 21:37:25.046706 10.117.1.129: PFSYNCv6 len 108
> act UPD ST COMP count 1
> ...
>  (DF)
> 21:37:25.051269 10.117.1.129: PFSYNCv6 len 108
> act UPD ST COMP count 1
> ...
>  (DF)
> 21:37:25.056562 10.117.1.130: PFSYNCv6 len 192
> act UPD ST COMP count 2
> ...
>
> Have you got ideas ?
> Thanks in advance
>
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network engineer
> http://www.unix-experience.fr
>
> [demime 1.01d removed an attachment of type application/pgp-signature which
had a name of signature.asc]




pfsync too slow ?

2013-10-07 Thread Loïc BLOT
Hello,

today I was configuring pfsync on a pair of routers (BGP on WAN and CARP on
LAN). Before, I ran in stateless mode and it worked like a charm.

Now with pfsync, states are synchronized but late, so the client must launch
2 or 3 TCP connections and when it works it's very slow.
I also tried defer mode and increasing maxupd but no change
appears. I also add: is there anything more to do?

Because of BGP incoming requests and the regular CARP configuration, traffic
follows this path:

WAN > Router 2 (BGP related) > HTTP server > Router 1 (CARP related) >
WAN

It seems all WAN incoming requests are blocked on Router 1 when the HTTP
server SYN/ACKs the request, but they are allowed by Router 2 and pfsync
is working very well.

Here is a pflog on this router (it runs on a "block in log all" default
rule)

21:16:28.564254 194.XX.XX.196.80 > 92.151.191.92.49189: S
1348056791:1348056791(0) ack 2684884151 win 65535  (DF)
21:16:28.569211 194.XX.XX.196.80 > 92.151.191.92.49190: S
274610014:274610014(0) ack 3399288798 win 65535  (DF)
21:16:28.417129 194.XX.XX.197.443 > 92.141.20.30.52927: S
3247839828:3247839828(0) ack 2174711713 win 65535  (DF)
21:16:28.417784 194.XX.XX.197.443 > 92.141.20.30.52928: S
3719844564:3719844564(0) ack 524653966 win 65535  (DF)
21:16:28.431525 194.XX.XX.196.443 > 46.193.1.103.61043: S
2792740841:2792740841(0) ack 3070150005 win 65535  (DF)

Here is an extract of my PF rules:
pass in quick inet proto tcp to  port { http https }
pass in quick inet6 proto tcp to  port { http https }

In stateless configuration this works; here is the working
configuration:
pass in quick inet proto tcp to  port { http https } no state
pass in quick inet proto tcp from  port { http https } no state
pass in quick inet6 proto tcp to  port { http https } no state
pass in quick inet6 proto tcp from  port { http https } no state

Here is a pfsync configuration example:
up syncdev vlanXX5 syncpeer 10.XX.X.129

The latency between the two hosts is very low, because they are on the
same switch, with a dedicated VLAN

64 bytes from 10.XX.XX.130: icmp_seq=2 ttl=255 time=0.146 ms

For more information, here is a little extract when I do a tcpdump on
vlanXX5 (each host sees the pfsync updates)

21:37:25.031271 10.117.1.129: PFSYNCv6 len 108
act UPD ST COMP count 1
...
 (DF)
21:37:25.036625 10.117.1.130: PFSYNCv6 len 192
act UPD ST COMP count 2
...
 (DF) [tos 0x10]
21:37:25.036753 10.117.1.129: PFSYNCv6 len 108
act UPD ST COMP count 1
...
 (DF)
21:37:25.041298 10.117.1.129: PFSYNCv6 len 108
act UPD ST COMP count 1
...
 (DF)
21:37:25.046578 10.117.1.130: PFSYNCv6 len 192
act UPD ST COMP count 2
...
 (DF) [tos 0x10]
21:37:25.046706 10.117.1.129: PFSYNCv6 len 108
act UPD ST COMP count 1
...
 (DF)
21:37:25.051269 10.117.1.129: PFSYNCv6 len 108
act UPD ST COMP count 1
...
 (DF)
21:37:25.056562 10.117.1.130: PFSYNCv6 len 192
act UPD ST COMP count 2
...

Have you got ideas?
Thanks in advance

--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr




Re: (5.3) load problem on em(4) MSI / interrupt ?

2013-10-07 Thread Loïc BLOT
Hello.

Stuart, I have 8 OpenBSD routers with em(4) and OpenBSD 5.2 (MSI
enabled). It seems some of our SMTP(S) connections (with attachments)
are unstable but it's very, very random (~1/500). Other protocols are
more stable but a little slower due to errors.

Here are my stats on Intel I350 servers (with LACP trunks and without):

remote BGP router 1

Name  Mtu   Network  Address            Ipkts       Ierrs   Opkts       Oerrs  Colls
em0   1500           a0:36:9f:XX:XX:ac  1333571     0       12169009    0      0
em1   1500           a0:36:9f:XX:XX:14  145522555   127     170665528   0      0
em2   1500           a0:36:9f:XX:XX:14  279931109   214     213998835   0      0
em3   1500           a0:36:9f:XX:XX:ac  92556655    201     130725384   0      0

remote BGP router 2

Name  Mtu   Network  Address            Ipkts       Ierrs   Opkts       Oerrs  Colls
em0   1500           a0:36:9f:XX:XX:1e  666924511   188865  0  0
em1   1500           a0:36:9f:XX:XX:cc  46412467    0       36851370    0      0
em2   1500           a0:36:9f:XX:XX:cc  46853863    0       99470829    0      0
em3   1500           a0:36:9f:XX:XX:1e  78433193    294     3776291     0      0

remote client router 1

Name  Mtu   Network  Address            Ipkts       Ierrs   Opkts       Oerrs  Colls
em0   1500           a0:36:9f:XX:XX:32  57014143    0       44354406    0      0
em1   1500           a0:36:9f:XX:XX:6c  34387984    142510  89895370    0      0
em2   1500           a0:36:9f:XX:XX:6c  45645663    0       65272767    0      0
em3   1500           a0:36:9f:XX:XX:32  48745525    0       33779694    0      0

local client router 1

Name  Mtu   Network  Address            Ipkts       Ierrs   Opkts       Oerrs  Colls
em0   1500           68:05:ca:XX:XX:e0  1679516672  35681   1572183435  0      0
em1   1500           68:05:ca:XX:XX:e1  1908150361  121884  2196221765  0      0

Here is a dmesg example (same on all servers, all are Dell R320 with bge
disabled in the BIOS and OpenBSD)

em0 at pci2 dev 0 function 0 "Intel I350" rev 0x01: msi, address
a0:36:9f:XX:XX:1e
em1 at pci2 dev 0 function 1 "Intel I350" rev 0x01: msi, address
a0:36:9f:XX:XX:1f

If it can help the OpenBSD team.

Please note I cannot update to 5.3 because of big problems with OpenBSD on
my Dell R320 (system freezes). I'm waiting for OpenBSD 5.4 and fewer
clients to test it on a slave server.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le mardi 01 octobre 2013 à 08:37 +, Stuart Henderson a écrit :
> On 2013-10-01, Patrick Lamaiziere  wrote:
> > Hello,
> >
> > With OpenBSD 5.3, our firewall does not handle our network load well.
> > We lose around 5% of packets and netstat shows a lot of Ierr.
> >
> > That worked much better with 5.1. There was a change to not enable MSI
> > on 82572 chipset on our Intel card ( "Intel PRO/1000 QP (82571EB)" rev
0x06) in 5.2 :
> >
> >
http://freshbsd.org/commit/openbsd/a47ca448720823019bc6c618bf178a47fd1af73a
> >
> > My question is: could it be the cause of our load problem ?
> >
> > 5.1:
> > em0 at pci5 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi,
address 00:15:17:ed:98:9d
> > em1 at pci5 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi,
address 00:15:17:ed:98:9c
> > em2 at pci6 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi,
address 00:15:17:ed:98:9f
> > em3 at pci6 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi,
address 00:15:17:ed:98:9e
> >
> > 5.3 (on another box with the same hardware):
> > em0 at pci5 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic
1 int 13, address 00:15:17:ed:98:65
> > em1 at pci5 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic
1 int 6, address 00:15:17:ed:98:64
> > em2 at pci6 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic
1 int 15, address 00:15:17:ed:98:67
> > em3 at pci6 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic
1 int 13, address 00:15:17:ed:98:66
> >
> > We don't have any problem with this card, how can we re-enable MSI
(without reverting this change)?
>
> Simplest way to test is to just revert that change in your source tree..
> That will identify whether this issue is due to disabling MSI, or whether
> it's due to one of the many other changes between 5.1 and 5.3..




Re: open bsd router

2013-10-05 Thread Loïc BLOT
Thanks for your replies :)
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Friday 04 October 2013 at 22:27 -0700, Sean Kamath wrote:
> On Oct 4, 2013, at 3:11 PM, Comète  wrote:
>
> > Yes, we have used a lot of ALIX 2D13 as routers on many sites for 2 or 3 years
(nearly 20 ALIX boxes now). It works like a charm with a good compact flash
card, no problem at all! And I've recently discovered they even included a
watchdog ;)
> >
> > Morgan
>
> Ditto
>
> I got all of mine with the cool red case. ;-)  All 2d13.
>
> The P/S can have a wide voltage range, too.  I got my CF cards from PC
Engines, they've all been great.
>
> Sean
>
> > On 04/10/2013 23:45, Loïc BLOT wrote:
> >> Hello,
> >> I have also been looking at ALIX boards for a long time.
> >> Is there anybody using the Alix 2d13 with OpenBSD?
> >> Thanks in advance.
> >> --
> >> Best regards,
> >> Loïc BLOT,
> >> UNIX systems, security and network engineer
> >> http://www.unix-experience.fr
> >> On Friday 04 October 2013 at 15:05 +0200, Jan Stary wrote:
> >> On Oct 04 07:16:57, inform...@gmx.net wrote:
> >> > >http://www.pcengines.ch/product.htm
> >> > >http://en.wikipedia.org/wiki/Raspberry_Pi
> >> > No, I'm not working for PC Engines. But I'm a huge fan of their
> >> > products :-)
> >> Just to praise PC Engines a little bit more:
> >> when my ALIX.1C stopped working for some reason,
> >> I sent it to PC Engines, who found that the board
> >> is completely OK - it was my power supply
> >> that was faulty (which I could then confirm).
> >> Before sending it back, they kindly suggested
> >> that ALIX.1E is a newer model that replaces
> >> the ALIX.1C, so if I don't object ...
> >> which I didn't.
> >> The shipping didn't even cost me anything,
> >> and they just replaced my old 1C with a new 1E.
> >> Not to mention the chocolate.
> >> In short, their customer service
> >> is as good as the boards.




Re: open bsd router

2013-10-04 Thread Loïc BLOT
Hello,
I have also been looking at ALIX boards for a long time.
Is there anybody using the Alix 2d13 with OpenBSD?

Thanks in advance.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Friday 04 October 2013 at 15:05 +0200, Jan Stary wrote:
> On Oct 04 07:16:57, inform...@gmx.net wrote:
> > >http://www.pcengines.ch/product.htm
> > >http://en.wikipedia.org/wiki/Raspberry_Pi
> > No, I'm not working for PC Engines. But I'm a huge fan of their
> > products :-)
>
> Just to praise PC Engines a little bit more:
> when my ALIX.1C stopped working for some reason,
> I sent it to PC Engines, who found that the board
> is completely OK - it was my power supply
> that was faulty (which I could then confirm).
>
> Before sending it back, they kindly suggested
> that ALIX.1E is a newer model that replaces
> the ALIX.1C, so if I don't object ...
> which I didn't.
>
> The shipping didn't even cost me anything,
> and they just replaced my old 1C with a new 1E.
> Not to mention the chocolate.
>
> In short, their customer service
> is as good as the boards.




Re: Strange packets lost

2013-09-25 Thread Loïc BLOT
Hello,
you are totally right! I hadn't thought about layer 2 problems.
But the problem is only partially resolved; I see strange things with DF.
Port 80 is no-df but not port 411 (Avaya cfg).

Here is a fragment of my pf config:

set skip on lo

set block-policy drop
set limit { states 10, src-nodes 8, table-entries 60 }

match in scrub (no-df)

block in log all
pass out all

<...>

pass in quick inet from  to  scrub (no-df)
no state


Is something wrong?

-- 
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr



On Wednesday 25 September 2013 at 14:23 +0200, Mike Belopuhov wrote:
> On 25 September 2013 11:03, Loïc BLOT  wrote:
> > Hello all,
> > I have searched many options but I haven't any new ideas.
> >
> > I have 4 OpenBSD routers (2 on each site). Each router creates a GRE
> > tunnel with its peer.
> >
> > Here is the configuration:
> >
> > | S1R1 --- gre + ospf --- S2R1 |
> > LAN S1 (OSPF & RIP) |  | LAN S2 (OSPF & RIP)
> > | S1R2 --- gre + ospf --- S2R2 |
> >
> > The routing rules are correct; ssh, http(s), smtp, ntp, ldap and many
> > other protocols work as expected between the two sites.
> >
> > But I have a problem with my Avaya phones on S2 which need to contact
> > the S1 gatekeeper. Some packets are lost, and (by sniffing every
> > interface) I can't find where the packets go.
> >
> > If I capture the LAN S1 link, I get this capture:
> >
> > 10:06:24.003479 192.168.238.121.56641 > 192.168.106.38.411: S
> > 2621611805:2621611805(0) win 5840  > 0,nop,wscale 4> (DF)
> > 10:06:24.003607 192.168.106.38.411 > 192.168.238.121.56641: S
> > 3090220105:3090220105(0) ack 2621611806 win 5840 
> > (DF)
> > 10:06:24.018842 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win
> > 365 (DF)
> > 10:06:24.023582 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73)
> > ack 1 win 365 (DF)
> > 10:06:24.023710 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win
> > 46 (DF)
> > 10:06:24.024086 192.168.106.38.411 > 192.168.238.121.56641: .
> > 1:1461(1460) ack 74 win 46 (DF)
> > 10:06:24.024329 192.168.106.38.411 > 192.168.238.121.56641: .
> > 1461:2921(1460) ack 74 win 46 (DF)
> > 10:06:27.017704 192.168.106.38.411 > 192.168.238.121.56641: .
> > 1:1461(1460) ack 74 win 46 (DF)
> > 10:06:33.017772 192.168.106.38.411 > 192.168.238.121.56641: .
> > 1:1461(1460) ack 74 win 46 (DF)
> > 10:06:45.017907 192.168.106.38.411 > 192.168.238.121.56641: .
> > 1:1461(1460) ack 74 win 46 (DF)
> > 10:07:09.018198 192.168.106.38.411 > 192.168.238.121.56641: .
> > 1:1461(1460) ack 74 win 46 (DF)
> > 10:07:57.018732 192.168.106.38.411 > 192.168.238.121.56641: .
> > 1:1461(1460) ack 74 win 46 (DF)
> > 10:08:24.019074 192.168.106.38.411 > 192.168.238.121.56641: FP
> > 2921:4273(1352) ack 74 win 46 (DF)
> > 10:08:24.034803 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win
> > 365 (DF)
> >
> > If I capture the GRE tunnel I get this capture:
> >
> > 10:06:23.987975 192.168.238.121.56641 > 192.168.106.38.411: S
> > 2621611805:2621611805(0) win 5840  > 0,nop,wscale 4> (DF)
> > 10:06:24.003614 192.168.106.38.411 > 192.168.238.121.56641: S
> > 3090220105:3090220105(0) ack 2621611806 win 5840 
> > (DF)
> > 10:06:24.018833 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win
> > 365 (DF)
> > 10:06:24.023573 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73)
> > ack 1 win 365 (DF)
> > 10:06:24.023716 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win
> > 46 (DF)
> > 10:08:24.019083 192.168.106.38.411 > 192.168.238.121.56641: FP
> > 2921:4273(1352) ack 74 win 46 (DF)
> > 10:08:24.034793 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win
> > 365 (DF)
> >
> > Part of the TCP transaction disappears and I don't know why.
> > Have you got any ideas???
> >
> 
> this looks like a classical mtu problem.  gre tunnel lowers the mtu
> and your tcp traffic uses mss of 1460 bytes and sets DF.  therefore
> it gets dropped once the router figures out it can't send that much
> data over the gre link.
> 
> possible solutions are using path mtu discovery on clients or making
> sure their mtu is less than 1500 or doing forced fragmentation and
> defragmentation on the router or configuring the application to use
> smaller mss value (setsockopt TCP_MAXSEG).
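Mike's diagnosis above can be checked against the LAN-side capture: the following is an added example (not code from the thread) that parses tcpdump lines like the ones quoted, computes each segment's on-the-wire size and predicts which DF-marked segments a plain GRE tunnel on a 1500-byte link cannot carry, plus the MSS a client would have to be clamped to. The header sizes, the 4-byte GRE header, the function names and the single-line capture sample are assumptions of this example, not values stated in the thread.

```python
import re

# Assumed sizes: the thread only states the 1500-byte link MTU and the 1460-byte MSS;
# the header sizes below are the standard minimum values (no IP/TCP options, bare GRE).
LINK_MTU = 1500   # MTU of the physical em(4)/LAN interfaces
IP_HDR = 20       # IPv4 header without options
TCP_HDR = 20      # TCP header without options (the data segments here carry none)
GRE_HDR = 4       # GRE header without key/checksum/sequence fields
# Largest inner IP packet the tunnel can carry: outer IP + GRE must also fit the link.
GRE_MTU = LINK_MTU - IP_HDR - GRE_HDR   # 1476

# One tcpdump TCP line: timestamp, src > dst: flags [first:last(len)] ... [(DF)]
SEG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>[^\s:]+)\s+>\s+(?P<dst>[^\s:]+):\s+(?P<flags>\S+)'
    r'(?:\s+(?P<first>\d+):(?P<last>\d+)\((?P<len>\d+)\))?'
)


def parse_line(line):
    """Parse one tcpdump TCP line into a dict; raises ValueError on anything else."""
    m = SEG_RE.match(line)
    if m is None:
        raise ValueError('not a tcpdump TCP line: %r' % line)
    payload = int(m.group('len') or 0)
    return {
        'ts': m.group('ts'),
        'src': m.group('src'),
        'dst': m.group('dst'),
        'flags': m.group('flags'),
        'first': int(m.group('first')) if m.group('first') else None,
        'last': int(m.group('last')) if m.group('last') else None,
        'payload': payload,
        'df': '(DF)' in line,
        # size of the inner IP packet; TCP options (present on the SYNs only) are ignored
        'wire_size': IP_HDR + TCP_HDR + payload,
    }


def classify(seg, tunnel_mtu=GRE_MTU):
    """'pass' if the inner packet fits the tunnel; otherwise 'drop' when DF is set
    (the router must discard it and answer with ICMP fragmentation-needed) or
    'fragment' when DF is clear (the router may fragment it, which is what a
    pf scrub (no-df) rule arranges)."""
    if seg['wire_size'] <= tunnel_mtu:
        return 'pass'
    return 'drop' if seg['df'] else 'fragment'


def segments_lost_in_tunnel(lan_lines, tunnel_mtu=GRE_MTU):
    """Return (timestamp, first, last) of the LAN-side segments the tunnel drops."""
    lost = []
    for line in lan_lines:
        seg = parse_line(line)
        if classify(seg, tunnel_mtu) == 'drop':
            lost.append((seg['ts'], seg['first'], seg['last']))
    return lost


def tunnel_view(lan_lines, tunnel_mtu=GRE_MTU):
    """The LAN-side lines one would expect to see again in a capture on the gre(4) side."""
    return [l for l in lan_lines if classify(parse_line(l), tunnel_mtu) != 'drop']


def max_safe_mss(tunnel_mtu=GRE_MTU):
    """Largest MSS a client may use so that a full, DF-marked segment still fits the
    tunnel (the value to clamp to on the router if the clients cannot be changed)."""
    return tunnel_mtu - IP_HDR - TCP_HDR   # 1436


# Constructed sample: single-line versions of the LAN S1 capture quoted in the thread.
LAN_CAPTURE = [
    '10:06:24.003479 192.168.238.121.56641 > 192.168.106.38.411: S 2621611805:2621611805(0) win 5840 <mss 1460,nop,wscale 4> (DF)',
    '10:06:24.003607 192.168.106.38.411 > 192.168.238.121.56641: S 3090220105:3090220105(0) ack 2621611806 win 5840 <mss 1460> (DF)',
    '10:06:24.018842 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win 365 (DF)',
    '10:06:24.023582 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73) ack 1 win 365 (DF)',
    '10:06:24.023710 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win 46 (DF)',
    '10:06:24.024086 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)',
    '10:06:24.024329 192.168.106.38.411 > 192.168.238.121.56641: . 1461:2921(1460) ack 74 win 46 (DF)',
    '10:06:27.017704 192.168.106.38.411 > 192.168.238.121.56641: . 1:1461(1460) ack 74 win 46 (DF)',
    '10:08:24.019074 192.168.106.38.411 > 192.168.238.121.56641: FP 2921:4273(1352) ack 74 win 46 (DF)',
    '10:08:24.034803 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win 365 (DF)',
]

if __name__ == '__main__':
    for line in LAN_CAPTURE:
        seg = parse_line(line)
        print('%-8s %4d bytes  %s' % (classify(seg), seg['wire_size'], line[:70]))
    print('segments the tunnel drops:', segments_lost_in_tunnel(LAN_CAPTURE))
    print('clamp client MSS to %d bytes to avoid the drops' % max_safe_mss())
```

The three full 1460-byte segments (1500 bytes on the wire) are the only ones that do not fit the 1476-byte tunnel, which is exactly the part of the transaction missing from the GRE capture; the 1352-byte FIN/PUSH segment fits and is seen on both sides.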



Strange packets lost

2013-09-25 Thread Loïc BLOT
Hello all,
I have searched many options but I haven't any new ideas.

I have 4 OpenBSD routers (2 on each site). Each router creates a GRE
tunnel with its peer.

Here is the configuration:

| S1R1 --- gre + ospf --- S2R1 |
LAN S1 (OSPF & RIP) |  | LAN S2 (OSPF & RIP)
| S1R2 --- gre + ospf --- S2R2 |

The routing rules are correct; ssh, http(s), smtp, ntp, ldap and many
other protocols work as expected between the two sites.

But I have a problem with my Avaya phones on S2 which need to contact
the S1 gatekeeper. Some packets are lost, and (by sniffing every
interface) I can't find where the packets go.

If I capture the LAN S1 link, I get this capture:

10:06:24.003479 192.168.238.121.56641 > 192.168.106.38.411: S
2621611805:2621611805(0) win 5840  (DF)
10:06:24.003607 192.168.106.38.411 > 192.168.238.121.56641: S
3090220105:3090220105(0) ack 2621611806 win 5840 
(DF)
10:06:24.018842 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win
365 (DF)
10:06:24.023582 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73)
ack 1 win 365 (DF)
10:06:24.023710 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win
46 (DF)
10:06:24.024086 192.168.106.38.411 > 192.168.238.121.56641: .
1:1461(1460) ack 74 win 46 (DF)
10:06:24.024329 192.168.106.38.411 > 192.168.238.121.56641: .
1461:2921(1460) ack 74 win 46 (DF)
10:06:27.017704 192.168.106.38.411 > 192.168.238.121.56641: .
1:1461(1460) ack 74 win 46 (DF)
10:06:33.017772 192.168.106.38.411 > 192.168.238.121.56641: .
1:1461(1460) ack 74 win 46 (DF)
10:06:45.017907 192.168.106.38.411 > 192.168.238.121.56641: .
1:1461(1460) ack 74 win 46 (DF)
10:07:09.018198 192.168.106.38.411 > 192.168.238.121.56641: .
1:1461(1460) ack 74 win 46 (DF)
10:07:57.018732 192.168.106.38.411 > 192.168.238.121.56641: .
1:1461(1460) ack 74 win 46 (DF)
10:08:24.019074 192.168.106.38.411 > 192.168.238.121.56641: FP
2921:4273(1352) ack 74 win 46 (DF)
10:08:24.034803 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win
365 (DF)

If I capture the GRE tunnel I get this capture:

10:06:23.987975 192.168.238.121.56641 > 192.168.106.38.411: S
2621611805:2621611805(0) win 5840  (DF)
10:06:24.003614 192.168.106.38.411 > 192.168.238.121.56641: S
3090220105:3090220105(0) ack 2621611806 win 5840 
(DF)
10:06:24.018833 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win
365 (DF)
10:06:24.023573 192.168.238.121.56641 > 192.168.106.38.411: P 1:74(73)
ack 1 win 365 (DF)
10:06:24.023716 192.168.106.38.411 > 192.168.238.121.56641: . ack 74 win
46 (DF)
10:08:24.019083 192.168.106.38.411 > 192.168.238.121.56641: FP
2921:4273(1352) ack 74 win 46 (DF)
10:08:24.034793 192.168.238.121.56641 > 192.168.106.38.411: . ack 1 win
365 (DF)

Part of the TCP transaction disappears and I don't know why.
Have you got any ideas???

-- 
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr



Re: 5.3 Installer Hangs After Entering Netmask (Broadcom NIC)

2013-09-02 Thread Loïc BLOT
Hmm, this problem looks similar to the issues I got on bge (BCM5720) with
OpenBSD 5.3. I hope the many bge fixes in 5.4/-current will fix it.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Monday 02 September 2013 at 07:59 -0400, Kenneth R Westerback wrote:
> On Sun, Sep 01, 2013 at 10:45:50PM -0700, andrew fabbro wrote:
> > I have a Shuttle SD11G5, which is a small Celeron-based PC (1.5Ghz
Celeron,
> > 2GB RAM, a couple SATA drives).
> >
> > The OpenBSD 5.3 installer consistently hangs after I enter the Netmask
for
> > the onboard NIC.
> >
> > I'm booting the 32-bit x86 install53.iso.  I start configuring bge0
(which
> > is a BCM5789) and after "IPv4 address for bge0", the installer asks for
> > Netmask and after I enter it (255.255.255.0), the installer sits there
> > forever.
> >
> > Same thing if I DHCP - after "Issuing hostname-associated DHCP request
for
> > bge0" the installer hangs.
> >
> > I also have an Intel Pro/1000 gig-E card (82574L) in the PCI Express
slot,
> > which shows up on em0.  Unfortunately dmesg says "couldn't map interrupt"
> > and I'm not offered the chance to configure it.  I haven't found anything
> > useful via searching for fixing this.
> >
> > This box previously ran Debian Linux with no problems, so I'm skeptical
> > it's a hardware problem.  The BMC578x series is listed as supported on
the
> > bge(4) man page.
> >
> > Any advice?
> >
>
> Read http://openbsd.org/report.html.
>
> Try 5.4 snapshot or -current.
>
>  Ken




Re: OpenBSD 5.3, CARP and IPv6

2013-08-29 Thread Loïc Blot
Hello Andy,
here is one of my working configurations (OpenBSD 5.2)

inet 194.199.X.28 255.255.255.240 NONE
inet6 2001:660:abcd:1234::1:1 64
description "CARP server"
carpdev vlan603 vhid 62 advskew 1 carppeer 194.199.X.29 pass x

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Thursday 29 August 2013 at 16:54 +0100, Andy wrote:
> PS; I don't have MLD capable switches in all locations if that is a 
> factor here regarding CARP messages being via IPv6 Multicast.
> 
> 
> 
> On Thu 29 Aug 2013 15:57:29 BST, Andy wrote:
> > Hi everyone,
> >
> > I'm hoping someone can help me as I'm not having much luck with adding
> > IPv6 to the mix of our already working IPv4 setup.
> >
> > What should /etc/hostname.carpX look like for an IPv6 setup? Is this
> > correct?
> >
> > inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3
> > advskew 0
> > inet6 2a00:7e0:0:a::1 64
> >
> > Or should I have a separate carpX interface for the IPv6?
> >
> > When I do a tcpdump on the master I see;
> > Aug 29 14:36:56.416723 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> > CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
> > Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> > fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
> > advbase=3 advskew=0 demote=33
> > Aug 29 14:36:56.420823 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
> > fe80::1 > ff02::1: icmp6: neighbor adv: tgt is fe80::200:5eff:fe00:101
> > Aug 29 14:36:56.420835 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
> > fe80::1 > ff02::1: icmp6: neighbor adv: tgt is 2a00:77e0:0:a::1
> > Aug 29 14:36:57.638468 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> > CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
> > Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> > fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
> > advbase=3 advskew=100 demote=0
> > Aug 29 14:37:01.049324 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> > CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
> > Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> > fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
> > advbase=3 advskew=100 demote=0
> > Aug 29 14:37:04.458514 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> > CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
> > Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> > fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
> > advbase=3 advskew=100 demote=0
> > Aug 29 14:37:06.648983 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> > CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
> > Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> > fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
> > advbase=3 advskew=0 demote=33
> >
> > I can see that the IPv6 CARP messages are using the link local address
> > and not the global IPv6 addresses I have configured? Why?? :(
> > This makes it really hard to write PF files as I would have to write
> > filter rules considering each physical host's MAC address :(
> >
> > I'm also seeing errors stating that the inet6 carp address I have
> > configured is a duplicate address! Although this could be due to the
> > fact the firewalls are flapping between backup and master and there are
> > going to be multi master periods.
> >
> > net.inet.carp.allow=1
> > net.inet.carp.preempt=1
> > net.inet.carp.log=3
> > net.inet6.ip6.forwarding=1
> > net.inet6.ip6.redirect=0
> > net.inet6.ip6.accept_rtadv=0
> >
> > I am also starting to read "Firewalling IPv6 with OpenBSD's pf (packet
> > filter)".
> >
> > Thanks for your time, Andy.



Re: OpenBSD problems on Dell R320 (not BCM 5720 related)

2013-08-27 Thread Loïc BLOT
Hello,
it's 5.3 related in fact :). In 5.2 I haven't any problem at this time; I
have 10 OpenBSD systems on Dell R320 with em cards. Maybe 5.4 will fix our
problems.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Tuesday 27 August 2013 at 18:06 +0100, Rodolfo Gouveia wrote:
> Any update on this?
> Did you try 5.3?
>
> cheers,
> --rodolfo




Re: Patch for a little install.sub bug

2013-08-24 Thread Loïc BLOT
In fact I'm not tired, it's logical :)

Here is my patched question:
ask_which "speed" "should $_d use" \
"9600 19200 38400 57600 115200" $CSPEED $pxe_console_speed

Shows:
[auto] instead of [9600] (auto is the value of pxe_console_speed).

If I do an echo "speed: $CSPEED" before ask_which, CSPEED is empty; the
default argument is the first argument of the list.

A better patch could be:

ask_which "speed" "should $_d use" \
"9600 19200 38400 57600 115200" ${CSPEED:-""}

but this patch is useless without my PXE autoinstall patch, I think.


--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Sunday 25 August 2013 at 01:19 +0200, Loïc BLOT wrote:
> Hmm, you are right, I think I'm tired :)
>
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
>
>
> On Saturday 24 August 2013 at 23:03 +, Christian Weisgerber wrote:
> > Loïc BLOT  wrote:
> >
> > > if [[ $resp == y ]]; then
> > > ask_which "speed" "should $_d use" \
> > > "9600 19200 38400 57600 115200" $CSPEED
> > > case $resp in
> > > done)   defcons=n ;;
> > > *)  CSPEED=$resp ;;
> > > esac
> > > fi
> > >
> > > By adding a 5th argument to ask_which, I have seen that $CSPEED isn't
> > > found, and in fact it's right. Before this ask_which CSPEED isn't set;
> > > it's set after.
> >
> > That analysis can't be right.  When I install OpenBSD on a Soekris
> > with the comBIOS default serial speed of 19200, the installer prompt
> > offers 19200 as default.
> >
> > And a quick look at install.sub shows that the call to questions()
> > is preceded by this:
> >
> > --->
> > CONSOLE=$(scan_dmesg '/^\([^ ]*\).*: console$/s//\1/p')
> > CONSOLE=${CONSOLE% }
> > [[ -n $CONSOLE ]] && CSPEED=$(stty speed)
> >
> > # Look for the serial device matching the console. If we are not
installing
> > # from a serial console, just find the first serial device that could be
> used
> > # as a console. If a suitable device is found, set CDEV, CTTY, CSPEED,
> CPROM.
> > md_consoleinfo
> > <---
>




Re: Patch for a little install.sub bug

2013-08-24 Thread Loïc BLOT
Hmm, you are right, I think I'm tired :)

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Saturday 24 August 2013 at 23:03 +, Christian Weisgerber wrote:
> Loïc BLOT  wrote:
>
> > if [[ $resp == y ]]; then
> > ask_which "speed" "should $_d use" \
> > "9600 19200 38400 57600 115200" $CSPEED
> > case $resp in
> > done)   defcons=n ;;
> > *)  CSPEED=$resp ;;
> > esac
> > fi
> >
> > By adding a 5th argument to ask_which, I have seen that $CSPEED isn't
> > found, and in fact it's right. Before this ask_which CSPEED isn't set;
> > it's set after.
>
> That analysis can't be right.  When I install OpenBSD on a Soekris
> with the comBIOS default serial speed of 19200, the installer prompt
> offers 19200 as default.
>
> And a quick look at install.sub shows that the call to questions()
> is preceded by this:
>
> --->
> CONSOLE=$(scan_dmesg '/^\([^ ]*\).*: console$/s//\1/p')
> CONSOLE=${CONSOLE% }
> [[ -n $CONSOLE ]] && CSPEED=$(stty speed)
>
> # Look for the serial device matching the console. If we are not installing
> # from a serial console, just find the first serial device that could be
used
> # as a console. If a suitable device is found, set CDEV, CTTY, CSPEED,
CPROM.
> md_consoleinfo
> <---




Patch for a little install.sub bug

2013-08-24 Thread Loïc BLOT
Hello,
this evening I was writing PXE automated install modifications for
install.sh and install.sub when I found a bug in the installer, when the
console speed is asked.

Original (5.3):
if [[ -n $CDEV ]]; then
_d=${CPROM:-$CDEV}
ask_yn "Change the default console to $_d?" no
$pxe_change_default_console
defcons=$resp
if [[ $resp == y ]]; then
ask_which "speed" "should $_d use" \
"9600 19200 38400 57600 115200" $CSPEED
case $resp in
done)   defcons=n ;;
*)  CSPEED=$resp ;;
esac
fi
fi

By adding a 5th argument to ask_which, I have seen that $CSPEED isn't
found, and in fact it's right. Before this ask_which CSPEED isn't set;
it's set after.

Patched:

if [[ -n $CDEV ]]; then
_d=${CPROM:-$CDEV}
ask_yn "Change the default console to $_d?" no
$pxe_change_default_console
defcons=$resp
if [[ $resp == y ]]; then
ask_which "speed" "should $_d use" \
"9600 19200 38400 57600 115200" "9600"
case $resp in
done)   defcons=n ;;
*)  CSPEED=$resp ;;
esac
fi
fi

Have a nice day.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




Re: OpenBSD pxe automated install

2013-08-13 Thread Loïc BLOT
Hello James,
you are right, users may have a choice.
I'm working on building a distribution for PXE booting (pxeboot + bsd.rd
generation). After that I will try to implement those patches, which are very
interesting for OpenBSD:
http://nbender.com/install.netboot/netboot.diff
I only think we mustn't download a script and execute what is in it.
We must use variables to pass to the already existing install script.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Tuesday 13 August 2013 at 14:16 -0700, James A. Peltier wrote:
> - Original Message -
> | On Tue, Aug 13, 2013 at 9:48 AM, Marian Hettwer 
> | wrote:
> | > Hi Loic,
> | >
> | >
> | > On 13.08.13 15:43, Loïc Blot wrote:
> | >
> | >> Hello Marian,
> | >> i think you are right, because bsd.rd is required for last chance
> | >> to
> | >> repair system, among others.
> | >>
> | >
> | > right. And I'd like to leave it untouched. This hopefully also
> | > increases the
> | > possibility that whatever we come up with might get added
> | > upstream... ;)
> |
> | There's nothing preventing you from building your own installer
> | within
> | the RAMDISK kernel. I've done it in the past to handle some
> | personalized extensions.
>
> This isn't the point though.  Debian, RedHat, Suse, all of these OSs include
support for network installs by default, no customization of the installer
required.  OpenBSD does not, but it would be VERY nice if it did, even if it
was just noting that it was PXE booting and should look at the location where
it PXE booted (a mirror) and then looked for install.netboot for network boot
instructions, fetched it and ran it.  This wouldn't require any changes on
behalf of an end user to make this process happen.  If install.netboot doesn't
exist, carry on with an interactive install, else fetch it and run it.  No
building of a custom RAMDISK required.
>
> | > I agree that the most pressing point is automatic network
> | > configuration in
> | > order to be able to download additional configs, like disk config,
> | > package
> | > config, ...
> |
> | It's doable within the base tools, if you assemble things correctly.
> | No reason to not have this stuff off of NFS or TFTP to pull in the
> | config.
>
> There is reason not to do this.  HTTP based booting being one of them.  VMs
without NFS access being another.  The complete inability to use NFS due to
policy being another.
>
> I think the point is that the end user shouldn't have to build/modify the
base installer to get this functionality.  The diffs presented show that it
could be possible and other OSs already offer this.  Maybe not on the floppy
disk versions but certainly the CD version should offer it.




Re: OpenBSD pxe automated install

2013-08-13 Thread Loïc BLOT
Hello Don,
I haven't any problem with iPXE (used on my libvirt/KVM hypervisor).
Yesterday I booted a pxelinux which chainloads an OpenBSD pxeboot.0
(because I have made a menu for tests to choose between an automated
Debian install and OpenBSD).

I will look at Nick's work tonight, but I think it's one very good way
to do this.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Tuesday 13 August 2013 at 10:05 -0700, Don Jackson wrote:
> On Aug 13, 2013, at 9:48 AM, Marian Hettwer  wrote:
> >
> > I believe it's safe to assume that a DHCP server is around, since this
one
> is needed anyways to pxeboot the box.
> > So after the boot of our netboot.rd kernel, we need to figure out which
> interface was used for pxe config and then do a dhclient on this interface.
>
> I thought Nick's work did much/all of this.
>
> > If we got an IP address, dhcp should probably give extra options, like
the
> config server url where we then can find and download the additional
configs.
>
> > We could and probably should use DHCP options, since as stated above,
dhcp
> servers are available for the pxeboot anyways.
>
> Nick's work definitely did this.
>
> > Should we take this discussion off the list now?
> > If so, who would like to be part of the next emails?
> > I'd guess Loic, me, phessler (?), Nick Bender (?) and I will also add a
> colleague some might know (Uwe Stuehler ).
>
> I would like to be included in any further discussion either at this email
> address or don dot jackson at gmail
>
> Here are two additional links that provide historical context, and links to
> past work:
>
>
https://groups.google.com/d/topic/mailing.openbsd.tech/X01IcFJ0MVU/discussion
>
>
https://groups.google.com/d/topic/mailing.openbsd.tech/h1-jrS36lqo/discussion
>
> And lastly, IMHO, optionally, it would be nice if the eventual solution was
> capable of being pxebooted via
>
>   iPXE - open source boot firmware [start]
>
> At present, I have not been able to get bsd.rd or any sort of OpenBSD
> installer to run via ipxe
>
> Best regards,
>
> Don




Re: OpenBSD pxe automated install

2013-08-13 Thread Loïc Blot
Hello Marian,
I think you are right, because bsd.rd is required as a last chance to
repair the system, among other things.

My vision is to have a system like we have in Debian; I think it's
proper. In fact, the problem is not modifying the installer to use the
configuration file, it's setting up the network automatically to get this file.

On Debian, the URL is passed by a kernel variable on pxelinux
(url=http/ftp/tftp://...). If we can pass this variable to the OpenBSD
boot.conf file (used for PXE), and set up the URL + network method (we need
to set the config URL and the network method (iface + dhcp/static) to get
this file), we can modify the install script to use the obtained variables,
loaded from this file.

Many people want this function; I think we must think together to see
what everybody wants. What do you think about my proposed method?

We can also pass the config file by DHCP (string record?) or DNS (special
TXT record?) but it's not really automated because it doesn't resolve
the network connection problem.

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Tuesday 13 August 2013 at 13:09 +0200, Marian Hettwer wrote:
> Hi Loic,
> 
> 
> Sorry for top posting. 
> I need exactly the same for OpenBSD. Maybe we could work together...
> In my example all I need on top of it is some same network config and
> a first puppet run after reboot...
> But I hesitated to modify bsd.rd...
> Maybe it's more wise to create a "netboot.rd" and let bsd.rd alone.
> 
> 
> A starting point could be http://www.hiqu.biz/redux
> 
> 
> PM me if you have interest to work together with me :-)
> 
> 
> Cheers
> Marian
> 
> -- 
> sent via my mobile C64
> 
> On 13.08.2013 at 08:37, Loïc BLOT
> wrote:
> 
> 
> > Hello Tito,
> > thanks for giving me the FAQ one more time, which you think I have
> > never read.
> > This boot process is okay for me but the problem is NOT the PXE boot
> > process. The problem is automating the installation.
> > My OpenBSD pxeboot is chained after a pxelinux which already serves
> > automated Debian installs. Now the goal is to serve automated
> > OpenBSD installs.
> > 
> > I don't know if I didn't choose the right words to explain my need,
> > or if nobody reads all my answers to already answered questions... but
> > I give a list of clarifications for future answers:
> > 
> > 1. My problem is NOT PXE boot
> > (http://www.openbsd.org/faq/faq6.html#PXE
> > => NO)
> > 2. My problem is NOT siteXX.tgz and customized installations by this
> > means (http://openbsd.org/faq/faq4.html#site => NO)
> > 3. What I want is something like this:
> > https://wiki.debian.org/DebianInstaller/Preseed or this
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5
> > /html/Installation_Guide/ch-kickstart2.html
> > 
> > So I asked @misc to know if an existing process exists, but now I
> > think this doesn't exist and I must create a special bsd.rd for PXE to
> > do this (and share it with the OpenBSD community; it will be great for
> > deploying OpenBSD on several machines without doing anything).
> > 
> > Have a nice day :)
> > 
> > --
> > Best regards,
> > Loïc BLOT,
> > UNIX systems, security and network expert
> > http://www.unix-experience.fr
> > 
> > 
> > On Tuesday 13 August 2013 at 06:29 +0800, Tito Mari Francis Escaño
> > wrote:
> > > Please read http://www.openbsd.org/faq/faq6.html#PXE and hope this
> > > helps. You'd have been told with deliberately unpleasant choice of
> > > words if next time you don't research well before asking in the
> > > list.
> > > 
> > > 
> > > 
> > > On Tue, Aug 13, 2013 at 4:57 AM, Loïc BLOT
> > >  wrote:
> > > Thanks for the precision James, you confirmed what i have
> > > understood.
> > > I will search tomorrow.
> > > --
> > > Best regards,
> > > Loïc BLOT,
> > > UNIX systems, security and network expert
> > > http://www.unix-experience.fr
> > > 
> > > 
> > > 
> > > On Monday 12 August 2013 at 12:23 -0700, James A. Peltier wrote:
> > > > - Original Message -
> > > > | read the FAQ, Loic.
> > > > |
> > > > | http://openbsd.org/faq/faq4.html#site
> > > > |
> > > > | Site*.tgz, install.site and upgrade.site are a good
> > > > | starting point.
> > > > |
> > > 

Re: OpenBSD pxe automated install

2013-08-12 Thread Loïc BLOT
Hello Tito,
thanks for giving me the FAQ another time, which you think I have never read.
This boot process is okay for me but the problem is NOT the PXE boot
process. The problem is to automate the installation.
My OpenBSD pxeboot is chained after a pxelinux which already serves
automated Debian installs. Now the goal is to serve automated
OpenBSD installs.

I don't know if I didn't choose the right words to explain my need, or
if nobody read all my answers to already answered questions... but I
give a list of precisions for future answers:

1. My problem is NOT PXE boot (http://www.openbsd.org/faq/faq6.html#PXE
=> NO)
2. My problem is NOT siteXX.tgz and customized installations by this
means (http://openbsd.org/faq/faq4.html#site => NO)
3. What I want is something like this:
https://wiki.debian.org/DebianInstaller/Preseed or this
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch-kickstart2.html

Then I asked @misc to know if an existing process exists, but now I think
this doesn't exist and I must create a special bsd.rd PXE to do this
(and share it with the OpenBSD community; it will be great for deploying
OpenBSD on several machines without doing anything).

Have a nice day :)

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Tuesday 13 August 2013 at 06:29 +0800, Tito Mari Francis Escaño wrote:
> Please read http://www.openbsd.org/faq/faq6.html#PXE and hope this
> helps. You'd have been told with deliberately unpleasant choice of
> words if next time you don't research well before asking in the list.
>
>
>
> On Tue, Aug 13, 2013 at 4:57 AM, Loïc BLOT
>  wrote:
> Thanks for the precision James, you confirmed what i have
> understood.
> I will search tomorrow.
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
>
>
>
> On Monday 12 August 2013 at 12:23 -0700, James A. Peltier wrote:
> > - Original Message -
> > | read the FAQ, Loic.
> > |
> > | http://openbsd.org/faq/faq4.html#site
> > |
> > | Site*.tgz, install.site and upgrade.site are a good starting point.
> > |
> > | On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT
> > |  wrote:
> > | > Hello @misc.
> > | >
> > | > Today i'm working on automated deploy with PXE. I have
> successful
> > | > found
> > | > and made automated PXE install on Debian with pxelinux.
> > | >
> > | > I know OpenBSD have a pxe boot image to netinstall the
> system
> > | >
> > | > http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
> > | >
> > | > Is there any options to automate the installation ?
> > | > I want a machine to boot on bsd.rd, read a configuration
> file (url
> > | > passed by etc/boot.conf, for example) and install with
> the read
> > | > parameters.
> > | > Is there any issue to do this or i do it myself ?
> > | >
> > | > Thanks for advance
> > | > --
> > | > Best regards,
> > | > Loïc BLOT,
> > | > UNIX systems, security and network expert
> > | > http://www.unix-experience.fr
> > | >
> >
> > If you are looking for automated partitioning and the like
> the site.install
> and site.upgrade don't apply whatsoever.  In order to fully
> automate the
> installation you will need to modify the bsd.rd file contents
> in order to do
> that.  site.install and site.upgrade can be used to do other
> things like
> install packages or upgrade the OS as necessary.
>




Re: OpenBSD pxe automated install

2013-08-12 Thread Loïc BLOT
Thanks for the precision James, you confirmed what I have understood.
I will search tomorrow.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Monday 12 August 2013 at 12:23 -0700, James A. Peltier wrote:
> - Original Message -
> | read the FAQ, Loic.
> |
> | http://openbsd.org/faq/faq4.html#site
> |
> | Site*.tgz, install.site and upgrade.site are a good starting point.
> |
> | On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT
> |  wrote:
> | > Hello @misc.
> | >
> | > Today i'm working on automated deploy with PXE. I have successful
> | > found
> | > and made automated PXE install on Debian with pxelinux.
> | >
> | > I know OpenBSD have a pxe boot image to netinstall the system
> | >
> | > http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
> | >
> | > Is there any options to automate the installation ?
> | > I want a machine to boot on bsd.rd, read a configuration file (url
> | > passed by etc/boot.conf, for example) and install with the read
> | > parameters.
> | > Is there any issue to do this or i do it myself ?
> | >
> | > Thanks for advance
> | > --
> | > Best regards,
> | > Loïc BLOT,
> | > UNIX systems, security and network expert
> | > http://www.unix-experience.fr
> | >
>
> If you are looking for automated partitioning and the like the site.install
and site.upgrade don't apply whatsoever.  In order to fully automate the
installation you will need to modify the bsd.rd file contents in order to do
that.  site.install and site.upgrade can be used to do other things like
install packages or upgrade the OS as necessary.




Re: OpenBSD pxe automated install

2013-08-12 Thread Loïc BLOT
It's exactly that: Kickstart for Redhat and preseed.cfg for Debian.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Monday 12 August 2013 at 22:20 +0200, Francois Pussault wrote:
> like kickstart for devil redhat ?
>
> > 
> > From: Loïc BLOT 
> > Sent: Mon Aug 12 21:52:05 CEST 2013
> > To: 
> > Subject: Re: OpenBSD pxe automated install
> >
> >
> > Hello,
> > thanks for your reply Johan, but this is not why i want. site.tgz
> > contain a set of preconfigured files to deploy with other sets to deploy
> > similar machines.
> >
> > My need is to install a clean OpenBSD with an automated mean:
> > The server boot in PXE and install OpenBSD, configure network, hostname,
> > disk, install sets by network and reboots without any human
> > intervention. After, the server can use siteXX.tgz, yes, but this is not
> > the main problem here
> >
> > --
> > Best regards,
> > Loïc BLOT,
> > UNIX systems, security and network expert
> > http://www.unix-experience.fr
> >
> >
> > On Monday 12 August 2013 at 12:09 -0700, Johan Beisser wrote:
> > > read the FAQ, Loic.
> > >
> > > http://openbsd.org/faq/faq4.html#site
> > >
> > > Site*.tgz, install.site and upgrade.site are a good starting point.
> > >
> > > On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT
> > >  wrote:
> > > > Hello @misc.
> > > >
> > > > Today i'm working on automated deploy with PXE. I have successful found
> > > > and made automated PXE install on Debian with pxelinux.
> > > >
> > > > I know OpenBSD have a pxe boot image to netinstall the system
> > > >
> > > > http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
> > > >
> > > > Is there any options to automate the installation ?
> > > > I want a machine to boot on bsd.rd, read a configuration file (url
> > > > passed by etc/boot.conf, for example) and install with the read
> > > > parameters.
> > > > Is there any issue to do this or i do it myself ?
> > > >
> > > > Thanks for advance
> > > > --
> > > > Best regards,
> > > > Loïc BLOT,
> > > > UNIX systems, security and network expert
> > > > http://www.unix-experience.fr
> > > >
> >
>
>
> Regards
> Francois Pussault
> 3701 - 8 rue Marcel Pagnol
> 31100 Toulouse
> France
> +33 6 17 230 820   +33 5 34 365 269
> fpussa...@contactoffice.fr




Re: OpenBSD pxe automated install

2013-08-12 Thread Loïc BLOT
Sorry if I misunderstood the goal of install.site.
I'll look at this more closely to see if it's the solution I'm searching for.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Monday 12 August 2013 at 13:07 -0700, Johan Beisser wrote:
> Please read the FAQ entry I sent you, pay close attention to install.site
> and upgrade.site.
>
> Both of those are scripts that are executed by the installer.
>
> Fully automatic installs have been done, usually by modifying the installer
> script or root's .profile.
>
> Basically: automatic, unattended installation of openbsd is possible, but
> you have to build the glue for it.
>
> Sent form my iFoe.
>
> On Aug 12, 2013, at 12:52, Loïc BLOT  wrote:
>
> > Hello,
> > thanks for your reply Johan, but this is not why i want. site.tgz
> > contain a set of preconfigured files to deploy with other sets to deploy
> > similar machines.
> >
> > My need is to install a clean OpenBSD with an automated mean:
> > The server boot in PXE and install OpenBSD, configure network, hostname,
> > disk, install sets by network and reboots without any human
> > intervention. After, the server can use siteXX.tgz, yes, but this is not
> > the main problem here
> >
> > --
> > Best regards,
> > Loïc BLOT,
> > UNIX systems, security and network expert
> > http://www.unix-experience.fr
> >
> >
> > On Monday 12 August 2013 at 12:09 -0700, Johan Beisser wrote:
> >> read the FAQ, Loic.
> >>
> >> http://openbsd.org/faq/faq4.html#site
> >>
> >> Site*.tgz, install.site and upgrade.site are a good starting point.
> >>
> >> On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT
> >>  wrote:
> >>> Hello @misc.
> >>>
> >>> Today i'm working on automated deploy with PXE. I have successful found
> >>> and made automated PXE install on Debian with pxelinux.
> >>>
> >>> I know OpenBSD have a pxe boot image to netinstall the system
> >>> http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
> >>>
> >>> Is there any options to automate the installation ?
> >>> I want a machine to boot on bsd.rd, read a configuration file (url
> >>> passed by etc/boot.conf, for example) and install with the read
> >>> parameters.
> >>> Is there any issue to do this or i do it myself ?
> >>>
> >>> Thanks for advance
> >>> --
> >>> Best regards,
> >>> Loïc BLOT,
> >>> UNIX systems, security and network expert
> >>> http://www.unix-experience.fr
> >>>




Re: OpenBSD pxe automated install

2013-08-12 Thread Loïc BLOT
Hello,
thanks for your reply Johan, but this is not what I want. site.tgz
contains a set of preconfigured files to deploy, with other sets to deploy
similar machines.

My need is to install a clean OpenBSD by an automated means:
the server boots in PXE and installs OpenBSD, configures network, hostname,
disk, installs sets over the network and reboots without any human
intervention. Afterwards, the server can use siteXX.tgz, yes, but this is not
the main problem here.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Monday 12 August 2013 at 12:09 -0700, Johan Beisser wrote:
> read the FAQ, Loic.
>
> http://openbsd.org/faq/faq4.html#site
>
> Site*.tgz, install.site and upgrade.site are a good starting point.
>
> On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT
>  wrote:
> > Hello @misc.
> >
> > Today i'm working on automated deploy with PXE. I have successful found
> > and made automated PXE install on Debian with pxelinux.
> >
> > I know OpenBSD have a pxe boot image to netinstall the system
> > http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
> >
> > Is there any options to automate the installation ?
> > I want a machine to boot on bsd.rd, read a configuration file (url
> > passed by etc/boot.conf, for example) and install with the read
> > parameters.
> > Is there any issue to do this or i do it myself ?
> >
> > Thanks for advance
> > --
> > Best regards,
> > Loïc BLOT,
> > UNIX systems, security and network expert
> > http://www.unix-experience.fr
> >




OpenBSD pxe automated install

2013-08-12 Thread Loïc BLOT
Hello @misc.

Today I'm working on automated deployment with PXE. I have successfully found
and made an automated PXE install on Debian with pxelinux.

I know OpenBSD has a PXE boot image to netinstall the system:
http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/

Are there any options to automate the installation?
I want a machine to boot on bsd.rd, read a configuration file (URL
passed by etc/boot.conf, for example) and install with the read
parameters.
Is there any issue with doing this, or should I do it myself?

Thanks in advance
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




Re: poptop on OpenBSD 5.3

2013-08-04 Thread Loïc BLOT
I agree with Wesley:
if you use OpenBSD 5.3 you should use npppd; it's simpler than poptop and
has nearly the same functionality.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Monday 05 August 2013 at 08:46 +0400, Wesley MOUEDINE ASSABY wrote:
> Hi,
>
> Why not use the embedded package in OpenBSD 5.3 : npppd ??
> conf files : /etc/npppd/npppd.conf and npppd-users
>
> Below a link that will help you on :
> http://fr.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
>
>
> Cheers,
>
> Wesley
>
> On 2013-08-05 4:48, Alvaro Mantilla Gimenez wrote:
> > Hi,
> >
> >   I am trying to configure poptop on OpenBSD 5.3 without success.
> > I've
> > installed the package and configured the files as
> > the /usr/local/share/doc/pkg-readmes/poptop-1.3.4p4 says but didn't
> > work so
> > I started to change things here and there without success. These are
> > the
> > facts:
> >
> >   /etc/pptpd.conf:
> >
> >stimeout 10
> >noipparam
> >logwtmp
> >localip 5.5.5.1
> >remoteip 5.5.5.2-102
> >
> >
> >   /etc/ppp/options:
> >
> >lock
> >auth
> >usehostname
> >proxyarp
> >+MSChap-V2 mppe-128 mppe-stateless
> >
> >
> >   /etc/ppp/ppp.conf:
> >
> >default:
> >  set log Phase Chat LCP IPCP CCP tun command
> >  set speed 115200
> >
> >pptp:
> >  set log phase tun
> >  enable proxy
> >  set dns 8.8.8.8 8.8.4.4
> >  set ifaddr 5.5.5.1 5.5.5.0/0 255.255.255.0
> >  set timeout 0
> >  enable chap
> >  enable MSChapV2
> >
> >
> > And here the error:
> >
> >pptpd[25764]: CTRL: Starting call (launching pppd, opening GRE)
> >ppp[14716]: Phase: Using interface: tun0
> >ppp[14716]: Phase: deflink: Created in closed state
> >ppp[14716]: tun0: Command: default: set speed 115200
> >ppp[14716]: tun0: Command: pptp: set log phase tun
> >ppp[14716]: tun0: Phase: PPP Started (direct mode).
> >ppp[14716]: tun0: Phase: bundle: Establish
> >ppp[14716]: tun0: Phase: deflink: closed -> opening
> >ppp[14716]: tun0: Phase: deflink: Connected!
> >ppp[14716]: tun0: Phase: deflink: opening -> carrier
> >ppp[14716]: tun0: Phase: deflink: carrier -> lcp
> >ppp[14716]: tun0: Phase: bundle: Authenticate
> >ppp[14716]: tun0: Phase: deflink: his = none, mine = CHAP 0x81
> >ppp[14716]: tun0: Phase: Chap Output: CHALLENGE
> >ppp[14716]: tun0: Phase: Chap Input: RESPONSE (49 bytes from
> > testuser)
> >ppp[14716]: tun0: Phase: Chap Output: SUCCESS
> >ppp[14716]: tun0: Phase: deflink: lcp -> open
> >ppp[14716]: tun0: Phase: bundle: Network
> >ppp[14716]: tun0: Phase: deflink: open -> lcp
> >ppp[14716]: tun0: Warning: ff01:4::: Change route failed: errno:
> > Network
> > is unreachable
> >ppp[14716]: tun0: Warning: ff02:4::: Change route failed: errno:
> > Network
> > is unreachable
> >ppp[14716]: tun0: Warning: ff02:4::: Change route failed: errno:
> > Network
> > is unreachable
> >ppp[14716]: tun0: Phase: bundle: Terminate
> >pptpd[25764]: CTRL: EOF or bad error reading ctrl packet length.
> >pptpd[25764]: CTRL: couldn't read packet header (exit)
> >pptpd[25764]: CTRL: CTRL read failed
> >ppp[14716]: tun0: Phase: deflink: read (0): Got zero bytes
> >ppp[14716]: tun0: Phase: deflink: Disconnected!
> >ppp[14716]: tun0: Phase: deflink: Connect time: 1 secs: 354 octets
> > in,
> > 364 octets out
> >ppp[14716]: tun0: Phase: deflink: 7 packets in, 11 packets out
> >ppp[14716]: tun0: Phase:  total 718 bytes/sec, peak 0 bytes/sec on
> > Sun
> > Aug  4 18:23:07 2013
> >ppp[14716]: tun0: Phase: deflink: lcp -> closed
> >ppp[14716]: tun0: Phase: bundle: Dead
> >ppp[14716]: tun0: Phase: PPP Terminated (normal).
> >pptpd[25764]: CTRL: Client  control connection
> > finished
> >
> >
> > So far I think is not an authentication problem (the authentication
> > process
> > seems to be "success") and it is a network related issue. However, I
> > do not
> > how to fix it according to the three lines on the output:
> >
> >   ppp[14716]: tun0: Warning: ff01:4::: Change route failed: errno:
> > Network
> > is unreachable
> >   ppp[14716]: tun0: Warning: ff02:4::: Change route failed: errno:
> > Network
> > is unreachable
> >   ppp[14716]: tun0: Warning: ff02:4::: Change route failed: errno:
> > Network
> > is unreachable
> >
> >  I enabled and applied on sysctl.conf:
> >
> >   net.inet.gre.allow=1
> >   net.inet.gre.wccp=1
> >
> > Also, I added the pf.conf lines needed to allow traffic from 1723 and
> > GRE
> > connections and, to be sure, let all traffic from 5.5.5.0 network
> > pass
> > through the firewall on tun0.
> >
> >  Any help? What I am missing?
> >
> >  Thanks in advance,
> >
> >  Alvaro




Re: "route get" syntax fror ipv6 ?

2013-07-30 Thread Loïc BLOT
Hello,

I think it's route get -inet6 

Like when you do route add -inet6 default 
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Wednesday 31 July 2013 at 10:19 +0600, Илья Шипицин wrote:
> Hello!
>
> # ping6 www.ripe.net
> PING6(56=40+8+8 bytes) 2001:1bb0:e000:d::2 --> 2001:67c:2e8:22::c100:68b
> ^C
> --- www.ripe.net ping6 statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
>
> # route get 2001:67c:2e8:22::c100:68b
> route: 2001:67c:2e8:22::c100:68b: bad address
> #
>
>
>
> is there "route get" equivalent for ipv6 ?
>
> Cheers,
> Ilya Shipitsin




Re: PF sync doesn't not work very well

2013-07-04 Thread Loïc BLOT
Hello all,
thanks for this interesting debate about pf syncing.
To recall my initial question:

pfsync seems to sync states, but not correctly on my BGP+OSPF routers.
Because each BGP router is master/standby to 2 neighbors (full-meshed
BGP), packets which go out by one router can come in by the other
router, so if I want to use pf as a stateful firewall I must use
pfsync to sync created states from router A to router B.

If you tell me it's not possible, then I will use pf as a stateless
firewall.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Thursday 04 July 2013 at 13:17 -0500, Mark Felder wrote:
> My apologies for just being noise; I missed his first full post with
> much more detail. I was picturing him trying to run redundant servers
> without CARP and running into issues of states disappearing.




Re: PF sync doesn't not work very well

2013-07-03 Thread Loïc Blot
The connection is not made by my routers themselves but by DMZ servers
behind them!
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Wednesday 03 July 2013 at 17:32 +0200, mxb wrote:
> States ARE synced. 
> IPs are not the same on node1 and node2 for external. The you initiated 
> connection to ftp.fr, you done it via node1 with its external IP. On node2 
> those packets will be DROPPED as those do not belong to external NIC on node2 
> (IP)
> 
> 
> 
> On 3 jul 2013, at 17:16, Loïc Blot  wrote:
> 
> > I don't understand why they can't be synced because if i have this
> > scheme:
> > 
> > server 1 - | Router 1 + Router 2 | remote
> > 
> > server 1 contact remote, outgoing by Router 1 and the return traffic
> > comes from Router 2.
> > 
> > The state may have "server 1 port A to remote port B", then the virtual
> > IP is useless in this configuration, no ?
> > -- 
> > Best regards, 
> > 
> > Loïc BLOT, Engineering
> > UNIX Systems, Security and Networks
> > http://www.unix-experience.fr
> > 
> > 
> > On Wednesday 03 July 2013 at 09:36 -0500, Mark Felder wrote:
> >> On Wed, 03 Jul 2013 09:24:54 -0500, Loïc Blot  
> >>  wrote:
> >> 
> >>> For me pf table is (sorry for the missing precisions) the pf state
> >>> table for stateful operations
> >> 
> >> First of all, the states of node 1 being synced to node 2 and vice versa  
> >> is worthless because they have different IP addresses; the states won't  
> >> match anything.
> >> 
> >> Secondly, you'll probably end up dealing with the nodes fighting each  
> >> other as they sync back and forth. If a state from node1 is synced to  
> >> node2 and node2 decides to expire that session because it hasn't been used 
> >> it will tell node1 to remove that session as well. Now your session that  
> >> was working on node1 has stopped functioning. This is probably the  
> >> hanging/stalling behavior you were experiencing before. I've never even  
> >> attempted to set this up in a lab and I know nothing of the pfsync/pf  
> >> code, but I assume this is what is happening to you. I'm actually quite  
> >> surprised it will even accept any changes to states for IPs that don't  
> >> exist on the server, but I suppose it doesn't seem worthwhile to put such  
> >> strict validation on it.



Re: PF sync doesn't not work very well

2013-07-03 Thread Loïc Blot
I don't understand why they can't be synced, because if I have this
scheme:

server 1 - | Router 1 + Router 2 | remote

server 1 contacts remote, going out by Router 1, and the return traffic
comes from Router 2.

The state may have "server 1 port A to remote port B", so the virtual
IP is useless in this configuration, no?
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Wednesday 03 July 2013 at 09:36 -0500, Mark Felder wrote:
> On Wed, 03 Jul 2013 09:24:54 -0500, Loïc Blot  
>  wrote:
> 
> > For me pf table is (sorry for the missing precisions) the pf state
> > table for stateful operations
> 
> First of all, the states of node 1 being synced to node 2 and vice versa  
> is worthless because they have different IP addresses; the states won't  
> match anything.
> 
> Secondly, you'll probably end up dealing with the nodes fighting each  
> other as they sync back and forth. If a state from node1 is synced to  
> node2 and node2 decides to expire that session because it hasn't been used  
> it will tell node1 to remove that session as well. Now your session that  
> was working on node1 has stopped functioning. This is probably the  
> hanging/stalling behavior you were experiencing before. I've never even  
> attempted to set this up in a lab and I know nothing of the pfsync/pf  
> code, but I assume this is what is happening to you. I'm actually quite  
> surprised it will even accept any changes to states for IPs that don't  
> exist on the server, but I suppose it doesn't seem worthwhile to put such  
> strict validation on it.



Re: PF sync doesn't not work very well

2013-07-03 Thread Loïc Blot
For me the pf table is (sorry for the missing precision) the pf state
table for stateful operations
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Wednesday 03 July 2013 at 08:22 -0500, Mark Felder wrote:
> On Wed, 03 Jul 2013 07:40:08 -0500, Loïc Blot  
>  wrote:
> 
> > It's not possible to sync pf table without CARP ?
> 
> In order to answer that I'll need to understand what you believe the "pf  
> table" is.



Re: PF sync doesn't not work very well

2013-07-03 Thread Loïc Blot
It's not possible to sync the pf table without CARP?

I must use it in some cases, so those cases will be fixed, but the other
(OSPFd routing) may fail, I think?

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Wednesday 03 July 2013 at 07:11 -0500, Mark Felder wrote:
> On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot  
>  wrote:
> 
> > Hello,
> > no carp is used at this time.
> 
> pfsync needs to be used with carp... without it you're just playing  
> whack-a-mole with your session table.



Re: PF sync doesn't not work very well

2013-07-03 Thread Loïc Blot
Hello,
no CARP is used at this time.

My configuration on each router is simple:

em0 + em3 = trunk0
em1 + em2 = trunk1

4 interconnect VLANs (at this time, only 2 are active, 1 for a BGP neighbor
IPv4, 1 for a BGP neighbor IPv6) on trunk0
vlan 50 + vlan 90 + vlan995 on trunk1
pfsync on vlan 995
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Wednesday 03 July 2013 at 12:47 +0200, mxb wrote:
> How does your CARP setup looks like. On both machines?
> Can you send your ifconfig output?
> 
> What is your environment/setup for this 2-node CARP?
> How interfaces (ext/int) are connected? What switches do you use?
> 
> 
> On 3 jul 2013, at 10:23, Loïc Blot  wrote:
> 
> > Okay, defer is now enabled on pfsync interface (sorry for my last idea,
> > i haven't the man on me :) ).
> > It seems the problem isn't resolved.
> > The transfer starts but blocked at random time.
> > -- 
> > Best regards, 
> > 
> > Loïc BLOT, Engineering
> > UNIX Systems, Security and Networks
> > http://www.unix-experience.fr
> > 
> > 
> > On Wednesday 03 July 2013 at 08:12 +0200, Loïc BLOT wrote:
> >> Hi,
> >> Thanks for your reply. I wasn't careful about this section.
> >> If i understand i must add defer option to my WAN iface (or i'm wrong i
> >> must add it to my vlan995 iface ?) ?
> >> 
> >> I will test it this morning, and i return back to misc :)
> >> --
> >> Best regards,
> >> Loïc BLOT,
> >> UNIX systems, security and network expert
> >> http://www.unix-experience.fr
> >> 
> >> 
> >> On Wednesday 03 July 2013 at 02:02 +0200, mxb wrote:
> >>> pfsync(4) explains this:
> >>> 
> >>> " The pfsync interface will attempt to collapse multiple state updates
> >> into
> >>> a single packet where possible.  The maximum number of times a single
> >>> state can be updated before a pfsync packet will be sent out is
> >>> controlled by the maxupd parameter
> >>> "
> >>> 
> >>> 
> >>> and
> >>> 
> >>> " Where more than one firewall might actively handle packets, e.g. with
> >>> certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial
> >> to
> >>> defer transmission of the initial packet of a connection.  The pfsync
> >>> state insert message is sent immediately; the packet is queued until
> >>> either this message is acknowledged by another system, or a timeout
> >> has
> >>> expired.  This behaviour is enabled with the defer parameter to
> >>> ifconfig(8).
> >>> "
> >>> 
> >>> 
> >>> Eg. "defer: on", yours is "off".
> >>> 
> >>> //mxb
> >>> 
> >>> 
> >>> On 2 jul 2013, at 21:54, Loïc BLOT  wrote:
> >>> 
> >>>> Hi all
> >>>> I have a strange issue (or i haven't read pfsync correctly but i don't
> >>>> think this is the problem :D)
> >>>> 
> >>>> I'm using 2 OpenBSD as BGP+OSPF routers at the border of one site.
> >>>> 
> >>>> Those BGP routers are secure with strong PF in stateful mode, and the
> >>>> stateful is working very well on each router. Because of my full mesh
> >>>> BGP configuration, the outgoing layer 7 sessions can leave my network by
> >>>> one router and responses can income by the other.
> >>>> 
> >>>> To resolve this issue, i have created a dedidated VLAN for the pfsync
> >>>> traffic and attached pfsync to this VLAN.
> >>>> 
> >>>> Here is a sample output of ifconfig on my first router:
> >>>> 
> >>>> vlan995: flags=8843 mtu 1500
> >>>>   lladdr a0:36:9f:10:4a:a6
> >>>>   priority: 0
> >>>>   vlan: 995 parent interface: trunk1
> >>>>   groups: vlan
> >>>>   status: active
> >>>>   inet6 fe80::a236:9fff:fe10:4aa6%vlan995 prefixlen 64 scopeid
> >>>> 0x10
> >>>>   inet 10.117.1.129 netmask 0xfff8 broadcast 10.117.1.135
> >>>> pfsync0: flags=41 mtu 1500
> >>>>   priority: 0
> >>>>   pfsync: syncdev: vlan995 maxupd: 255 defer: off
> >>>>   groups: carp pfsync
> >>>> 
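The pfsync(4) excerpt quoted above says that with ospfd(8)/bgpd(8) setups the interface should run with defer enabled, while both ifconfig outputs in this thread show "defer: off". As an added example (not code from the thread or from OpenBSD), this sh script reads ifconfig(8) output for a pfsync interface, as pasted above, and reports whether a syncdev is set and defer is on; the sample outputs are constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit a pfsync(4) interface from its
# ifconfig(8) output. The thread's pfsync(4) excerpt recommends "defer" when
# ospfd/bgpd can make both routers forward packets of the same connection.

# Constructed sample, taken from the pfsync0 block quoted in the thread.
SAMPLE_PFSYNC_OFF='pfsync0: flags=41 mtu 1500
        priority: 0
        pfsync: syncdev: vlan995 maxupd: 255 defer: off
        groups: carp pfsync'

# Constructed sample of the same interface once defer has been turned on.
SAMPLE_PFSYNC_ON='pfsync0: flags=41 mtu 1500
        priority: 0
        pfsync: syncdev: vlan995 maxupd: 255 defer: on
        groups: carp pfsync'

# pfsync_param OUTPUT KEY: print the value that follows "KEY:" on the
# "pfsync:" line of the ifconfig output (e.g. syncdev, maxupd, defer).
pfsync_param() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        $1 == "pfsync:" {
            for (i = 2; i <= NF; i++) if ($i == key) { print $(i + 1); exit }
        }'
}

# pfsync_findings OUTPUT: print one finding per line; prints nothing when
# a syncdev is configured and defer is on.
pfsync_findings() {
    syncdev=$(pfsync_param "$1" syncdev)
    defer=$(pfsync_param "$1" defer)
    [ -n "$syncdev" ] || echo "no syncdev configured"
    [ "$defer" = "on" ] ||
        echo "defer is ${defer:-unset}; enable it with: ifconfig pfsync0 defer"
}

# pfsync_status OUTPUT: print "ok" or "needs-attention"; exit status matches.
pfsync_status() {
    if [ -z "$(pfsync_findings "$1")" ]; then
        echo ok
        return 0
    fi
    pfsync_findings "$1" >&2
    echo needs-attention
    return 1
}

# On a live router run: pfsync_status "$(ifconfig pfsync0)"
```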

Re: PF sync doesn't not work very well

2013-07-03 Thread Loïc Blot
Okay, defer is now enabled on the pfsync interface (sorry for my last idea,
I didn't have the man page on me :) ).
It seems the problem isn't resolved.
The transfer starts but blocks at a random time.
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Wednesday 03 July 2013 at 08:12 +0200, Loïc BLOT wrote:
> Hi,
> Thanks for your reply. I wasn't careful about this section.
> If i understand i must add defer option to my WAN iface (or i'm wrong i
> must add it to my vlan995 iface ?) ?
> 
> I will test it this morning, and i return back to misc :)
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
> 
> 
> On Wednesday 03 July 2013 at 02:02 +0200, mxb wrote:
> > pfsync(4) explains this:
> >
> > " The pfsync interface will attempt to collapse multiple state updates
> > into
> >  a single packet where possible.  The maximum number of times a single
> >  state can be updated before a pfsync packet will be sent out is
> >  controlled by the maxupd parameter
> > "
> >
> >
> > and
> >
> > " Where more than one firewall might actively handle packets, e.g. with
> >  certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial
> > to
> >  defer transmission of the initial packet of a connection.  The pfsync
> >  state insert message is sent immediately; the packet is queued until
> >  either this message is acknowledged by another system, or a timeout
> > has
> >  expired.  This behaviour is enabled with the defer parameter to
> >  ifconfig(8).
> > "
> >
> >
> > E.g. "defer: on", yours is "off".
> >
> > //mxb
> >
> >
> > On 2 jul 2013, at 21:54, Loïc BLOT  wrote:
> >
> > > Hi all
> > > I have a strange issue (or I haven't read pfsync correctly, but I don't
> > > think this is the problem :D)
> > >
> > > I'm using 2 OpenBSD machines as BGP+OSPF routers at the border of one site.
> > >
> > > Those BGP routers are secured with strong PF in stateful mode, and the
> > > stateful filtering is working very well on each router. Because of my full
> > > mesh BGP configuration, the outgoing layer 7 sessions can leave my network
> > > by one router and responses can come in by the other.
> > >
> > > To resolve this issue, I have created a dedicated VLAN for the pfsync
> > > traffic and attached pfsync to this VLAN.
> > >
> > > Here is a sample output of ifconfig on my first router:
> > >
> > > vlan995: flags=8843 mtu 1500
> > >lladdr a0:36:9f:10:4a:a6
> > >priority: 0
> > >vlan: 995 parent interface: trunk1
> > >groups: vlan
> > >status: active
> > >inet6 fe80::a236:9fff:fe10:4aa6%vlan995 prefixlen 64 scopeid 0x10
> > >inet 10.117.1.129 netmask 0xfff8 broadcast 10.117.1.135
> > > pfsync0: flags=41 mtu 1500
> > >priority: 0
> > >pfsync: syncdev: vlan995 maxupd: 255 defer: off
> > >groups: carp pfsync
> > >
> > > And here on my second router:
> > >
> > > vlan995: flags=8843 mtu 1500
> > >lladdr a0:36:9f:17:e2:1e
> > >priority: 0
> > >vlan: 995 parent interface: trunk1
> > >groups: vlan
> > >status: active
> > >inet6 fe80::a236:9fff:fe17:e21e%vlan995 prefixlen 64 scopeid 0x10
> > >inet 10.117.1.130 netmask 0xfff8 broadcast 10.117.1.135
> > > pfsync0: flags=41 mtu 1500
> > >priority: 0
> > >pfsync: syncdev: vlan995 maxupd: 255 defer: off
> > >groups: carp pfsync
> > >
> > > As you see in the next tcpdump capture, there is some discussion between
> > > the two routers:
> > >
> > > # tcpdump -nni vlan995
> > > tcpdump: listening on vlan995, link-type EN10MB
> > > tcpdump: WARNING: compensating for unaligned libpcap packets
> > > 23:41:13.699617 10.117.1.130: PFSYNCv6 len 108
> > >act UPD ST COMP count 1
> > >...
> > > (DF) [tos 0x10]
> > > 23:41:14.158500 10.117.1.129: PFSYNCv6 len 108
> > >act UPD ST COMP count 1
> > >...
> > > (DF) [tos 0x10]
> > > 23:41:14.941396 SSTP STP config root=83e3.0:a:b8:7b:27:80 rootcost=3
> > > bridge=c3e3.0:17:e:2e:f:80 port=142 ifcost=1

Re: PF sync doesn't work very well

2013-07-02 Thread Loïc BLOT
Hi,
Thanks for your reply. I wasn't careful about this section.
If I understand correctly, I must add the defer option to my WAN iface (or
am I wrong and I must add it to my vlan995 iface?)

I will test it this morning, and I'll get back to misc :)
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Wednesday 3 July 2013 at 02:02 +0200, mxb wrote:
> pfsync(4) explains this:
>
> "… The pfsync interface will attempt to collapse multiple state updates
>  into a single packet where possible.  The maximum number of times a
>  single state can be updated before a pfsync packet will be sent out is
>  controlled by the maxupd parameter
> …"
>
>
> and
>
> "… Where more than one firewall might actively handle packets, e.g. with
>  certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial
>  to defer transmission of the initial packet of a connection.  The pfsync
>  state insert message is sent immediately; the packet is queued until
>  either this message is acknowledged by another system, or a timeout
>  has expired.  This behaviour is enabled with the defer parameter to
>  ifconfig(8).
> …"
>
>
> E.g. "defer: on", yours is "off".
>
> //mxb
>
>
> On 2 jul 2013, at 21:54, Loïc BLOT  wrote:
>
> > Hi all
> > I have a strange issue (or I haven't read pfsync correctly, but I don't
> > think this is the problem :D)
> >
> > I'm using 2 OpenBSD machines as BGP+OSPF routers at the border of one site.
> >
> > Those BGP routers are secured with strong PF in stateful mode, and the
> > stateful filtering is working very well on each router. Because of my full
> > mesh BGP configuration, the outgoing layer 7 sessions can leave my network
> > by one router and responses can come in by the other.
> >
> > To resolve this issue, I have created a dedicated VLAN for the pfsync
> > traffic and attached pfsync to this VLAN.
> >
> > Here is a sample output of ifconfig on my first router:
> >
> > vlan995: flags=8843 mtu 1500
> >lladdr a0:36:9f:10:4a:a6
> >priority: 0
> >vlan: 995 parent interface: trunk1
> >groups: vlan
> >status: active
> >inet6 fe80::a236:9fff:fe10:4aa6%vlan995 prefixlen 64 scopeid 0x10
> >inet 10.117.1.129 netmask 0xfff8 broadcast 10.117.1.135
> > pfsync0: flags=41 mtu 1500
> >priority: 0
> >pfsync: syncdev: vlan995 maxupd: 255 defer: off
> >groups: carp pfsync
> >
> > And here on my second router:
> >
> > vlan995: flags=8843 mtu 1500
> >lladdr a0:36:9f:17:e2:1e
> >priority: 0
> >vlan: 995 parent interface: trunk1
> >groups: vlan
> >status: active
> >inet6 fe80::a236:9fff:fe17:e21e%vlan995 prefixlen 64 scopeid 0x10
> >inet 10.117.1.130 netmask 0xfff8 broadcast 10.117.1.135
> > pfsync0: flags=41 mtu 1500
> >priority: 0
> >pfsync: syncdev: vlan995 maxupd: 255 defer: off
> >groups: carp pfsync
> >
> > As you see in the next tcpdump capture, there is some discussion between
> > the two routers:
> >
> > # tcpdump -nni vlan995
> > tcpdump: listening on vlan995, link-type EN10MB
> > tcpdump: WARNING: compensating for unaligned libpcap packets
> > 23:41:13.699617 10.117.1.130: PFSYNCv6 len 108
> >act UPD ST COMP count 1
> >...
> > (DF) [tos 0x10]
> > 23:41:14.158500 10.117.1.129: PFSYNCv6 len 108
> >act UPD ST COMP count 1
> >...
> > (DF) [tos 0x10]
> > 23:41:14.941396 SSTP STP config root=83e3.0:a:b8:7b:27:80 rootcost=3
> > bridge=c3e3.0:17:e:2e:f:80 port=142 ifcost=130 age=1/0 max=20/0
> > hello=2/0 fwdelay=15/0 pvid=995
> > 23:41:14.949617 10.117.1.130: PFSYNCv6 len 108
> >act UPD ST COMP count 1
> >...
> > (DF) [tos 0x10]
> > 23:41:15.237655 10.117.1.129: PFSYNCv6 len 640
> >act UPD ST COMP count 1
> >...
> > (DF) [tos 0x10]
> > 23:41:15.949617 10.117.1.130: PFSYNCv6 len 124
> >act UPD ST COMP count 1
> >...
> > (DF) [tos 0x10]
> > 23:41:16.255230 10.117.1.129: PFSYNCv6 len 36
> >act DEL ST COMP count 1
> >id: 51d16a356c33 creatorid: a10bbd21
> > (DF) [tos 0x10]
> > 23:41:16.946454 SSTP STP config root=83e3.0:a:b8:7b:27:80 rootcost=3
> > bridge=c3e3.0:17:e:2e:f:80 port=142 ifcost=130 age=1/0 max=20/0
> > hello=2/0 fwdelay=15/0 pvid=995
> > 23:41:16.949619 10.117.1.130: PFSYNCv6 len 1116
> >act UPD ST COMP count 13
> >...
> > (DF) [tos 0x10]
> >
> >
> > The problem is simple: when I initiate a stateful connection from one
> > server, the return (by the second router) is blocked by PF (I see the return
> > with pflog0)
> >
> > To be precise here is an example (and tested path):
> >
> > OBSD NTP -> OBSD router 1 -> WAN...ftp.fr.openbsd.org...WAN -> OBSD
> > router 2 || blocked
> >
> > PF allows in/out routing traffic from this server but incoming from WAN
> > is blocked by default
> >
> > Can you confirm to me that pfsync may add a state for an outgoing tcp
> > connection in the second router when the first router adds it?
>

PF sync doesn't work very well

2013-07-02 Thread Loïc BLOT
Hi all
I have a strange issue (or I haven't read pfsync correctly, but I don't
think this is the problem :D)

I'm using 2 OpenBSD machines as BGP+OSPF routers at the border of one site.

Those BGP routers are secured with strong PF in stateful mode, and the
stateful filtering is working very well on each router. Because of my full
mesh BGP configuration, the outgoing layer 7 sessions can leave my network
by one router and responses can come in by the other.

To resolve this issue, I have created a dedicated VLAN for the pfsync
traffic and attached pfsync to this VLAN.

Here is a sample output of ifconfig on my first router:

vlan995: flags=8843 mtu 1500
lladdr a0:36:9f:10:4a:a6
priority: 0
vlan: 995 parent interface: trunk1
groups: vlan
status: active
inet6 fe80::a236:9fff:fe10:4aa6%vlan995 prefixlen 64 scopeid 0x10
inet 10.117.1.129 netmask 0xfff8 broadcast 10.117.1.135
pfsync0: flags=41 mtu 1500
priority: 0
pfsync: syncdev: vlan995 maxupd: 255 defer: off
groups: carp pfsync

And here on my second router:

vlan995: flags=8843 mtu 1500
lladdr a0:36:9f:17:e2:1e
priority: 0
vlan: 995 parent interface: trunk1
groups: vlan
status: active
inet6 fe80::a236:9fff:fe17:e21e%vlan995 prefixlen 64 scopeid 0x10
inet 10.117.1.130 netmask 0xfff8 broadcast 10.117.1.135
pfsync0: flags=41 mtu 1500
priority: 0
pfsync: syncdev: vlan995 maxupd: 255 defer: off
groups: carp pfsync

As you see in the next tcpdump capture, there is some discussion between
the two routers:

# tcpdump -nni vlan995
tcpdump: listening on vlan995, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
23:41:13.699617 10.117.1.130: PFSYNCv6 len 108
act UPD ST COMP count 1
...
 (DF) [tos 0x10]
23:41:14.158500 10.117.1.129: PFSYNCv6 len 108
act UPD ST COMP count 1
...
 (DF) [tos 0x10]
23:41:14.941396 SSTP STP config root=83e3.0:a:b8:7b:27:80 rootcost=3
bridge=c3e3.0:17:e:2e:f:80 port=142 ifcost=130 age=1/0 max=20/0
hello=2/0 fwdelay=15/0 pvid=995
23:41:14.949617 10.117.1.130: PFSYNCv6 len 108
act UPD ST COMP count 1
...
 (DF) [tos 0x10]
23:41:15.237655 10.117.1.129: PFSYNCv6 len 640
act UPD ST COMP count 1
...
 (DF) [tos 0x10]
23:41:15.949617 10.117.1.130: PFSYNCv6 len 124
act UPD ST COMP count 1
...
 (DF) [tos 0x10]
23:41:16.255230 10.117.1.129: PFSYNCv6 len 36
act DEL ST COMP count 1
id: 51d16a356c33 creatorid: a10bbd21
 (DF) [tos 0x10]
23:41:16.946454 SSTP STP config root=83e3.0:a:b8:7b:27:80 rootcost=3
bridge=c3e3.0:17:e:2e:f:80 port=142 ifcost=130 age=1/0 max=20/0
hello=2/0 fwdelay=15/0 pvid=995
23:41:16.949619 10.117.1.130: PFSYNCv6 len 1116
act UPD ST COMP count 13
...
 (DF) [tos 0x10]


The problem is simple: when I initiate a stateful connection from one
server, the return (by the second router) is blocked by PF (I see the return
with pflog0)

To be precise here is an example (and tested path):

OBSD NTP -> OBSD router 1 -> WAN...ftp.fr.openbsd.org...WAN -> OBSD
router 2 || blocked

PF allows in/out routing traffic from this server but incoming from WAN
is blocked by default

Can you confirm to me that pfsync may add a state for an outgoing tcp
connection in the second router when the first router adds it?
Have you got any idea on this issue?

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




Re: Internet access on openvpn with PF and NAT

2013-06-29 Thread Loïc BLOT
Hello Mike

You are blocking traffic after matching the nat rule.
Because you don't use the quick keyword, your PF matches the first rule, then
the second, then the third, and so on.

In your firewall configuration you block nothing and you nat nothing.

A better way is to write this:

set skip on lo
block in log
pass out
pass in quick on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x

This allows outgoing traffic and incoming traffic from tun0 (+nat).
Because PF is stateful, you don't have to allow return traffic from tun0
NATed clients.
If you want to allow some more incoming traffic, add new rules after the
previous rules.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr


On Friday 28 June 2013 at 23:50 -0500, Mike Parker wrote:
> pf.conf
> set skip on lo
> pass in on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x
> block log
> pass
> block in on ! lo0 proto tcp to port 6000:6010

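To make the rule-ordering point of this exchange concrete, here is a small model of PF's evaluation (last matching rule wins, `quick` stops evaluation, `nat-to` on a pass rule only applies when that rule wins) run over both rulesets. This is an added example, not code from the thread; it models only the keywords these two rulesets use, keeps the thread's `37.x.x.x` placeholder as the NAT address, and constructs its own sample packets with an assumed WAN interface `em0`.

```python
"""Tiny model of PF rule evaluation for the two rulesets discussed above.

Added example, not code from the thread.  Only the keywords those rulesets
need are modelled: pass/block, in/out, `on iface` (with `!`), `from` CIDR,
`proto`, `to port a:b`, `nat-to`, `quick`.  `set skip on lo` is modelled
by never feeding lo packets to the evaluator."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    iface: str          # interface the packet is seen on
    src: str            # source IPv4 address
    proto: str = "udp"  # "udp" or "tcp"
    dport: int = 0      # destination port


@dataclass
class Rule:
    text: str                        # rule as written in pf.conf, for reports
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches any interface
    negate_iface: bool = False       # "on ! lo0"
    src: Optional[str] = None        # CIDR; None matches any source
    proto: Optional[str] = None      # None matches any protocol
    dports: Optional[range] = None   # None matches any destination port
    nat_to: Optional[str] = None     # address given to "nat-to"
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        # "on ! lo0": the rule matches exactly when the interface differs
        if self.iface is not None and (self.iface == p.iface) == self.negate_iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


def evaluate(rules, p):
    """Return (action, nat_address) the way PF would decide it.

    Every rule is tried in order and the *last* matching rule wins, unless a
    matching rule carries `quick`, which stops evaluation there.  `nat-to` on
    a pass rule only takes effect when that rule is the winner, so a later
    plain `pass` silently discards it.  With no match at all PF passes."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    if winner is None:
        return "pass", None
    return winner.action, (winner.nat_to if winner.action == "pass" else None)


NAT_ADDR = "37.x.x.x"  # placeholder exactly as written in the thread

# Mike's original pf.conf (quoted above), minus `set skip on lo`.
MIKE_RULES = [
    Rule("pass in on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x",
         "pass", "in", "tun0", src="10.8.0.0/24", nat_to=NAT_ADDR),
    Rule("block log", "block"),
    Rule("pass", "pass"),
    Rule("block in on ! lo0 proto tcp to port 6000:6010",
         "block", "in", "lo0", negate_iface=True, proto="tcp",
         dports=range(6000, 6011)),
]

# The replacement suggested in the reply, minus `set skip on lo`.
LOIC_RULES = [
    Rule("block in log", "block", "in"),
    Rule("pass out", "pass", "out"),
    Rule("pass in quick on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x",
         "pass", "in", "tun0", src="10.8.0.0/24", nat_to=NAT_ADDR, quick=True),
]

# Constructed sample packets: a VPN client doing a DNS lookup, and an
# unsolicited SSH attempt arriving on an assumed WAN interface em0.
VPN_DNS = Packet("in", "tun0", "10.8.0.6", "udp", 53)
WAN_SSH = Packet("in", "em0", "203.0.113.9", "tcp", 22)
WAN_X11 = Packet("in", "em0", "203.0.113.9", "tcp", 6001)

if __name__ == "__main__":
    for name, rules in (("original", MIKE_RULES), ("suggested", LOIC_RULES)):
        for pkt in (VPN_DNS, WAN_SSH, WAN_X11):
            print(name, pkt.iface, pkt.proto, pkt.dport, "->", evaluate(rules, pkt))
```

With the original ruleset the plain `pass` is the last match for both the VPN and the WAN packet, so nothing is blocked and the `nat-to` is never applied; with the suggested ruleset the VPN packet hits the `quick` rule (NAT applied) and the WAN packet is left with `block in log` as its last match.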



Re: OpenBSD problems on Dell R320 (not BCM 5720 related)

2013-06-10 Thread Loïc Blot
face 0 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 4
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0 mux 1
wskbd0: connecting to wsdisplay0
uhidev1 at uhub3 port 1 configuration 1 interface 1 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 4
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
uhidev2 at uhub3 port 1 configuration 1 interface 2 "Avocent
Keyboard/Mouse Function" rev 2.00/0.00 addr 4
uhidev2: iclass 3/1
ums1 at uhidev2: 3 buttons, Z dir
wsmouse1 at ums1 mux 0
uhub4 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr



Re: pf filtering encapsulated icmpv6

2013-06-07 Thread Loïc BLOT
I think:
pass in on enc0 proto ipv6-icmp


Loic Blot

On 7 June 2013 at 19:29, Christopher Zimmermann wrote:

> Hi,
> 
> simple problem: how do I allow this packet to pass?
> 
> 18:59:44.768197 rule 0/(match) [uid 0, pid 1051] block in on enc0: 
> 172.26.153.7 > 172.26.153.1: 2001:4dd0:fbdf:0:f8b8:dafc:cff0:ae3b > 
> 2a00:1450:4001:808::101f: [|icmp6] (len 16, hlim 255) (ttl 64, id 2105, len 
> 76)
> 
> Christopher



OpenBSD problems on Dell R320 (not BCM 5720 related)

2013-06-07 Thread Loïc BLOT
Hello misc,
I have serious problems with my Dell R320 servers (6 servers, but I use
Intel em i350 cards). Before, I was under OpenBSD 5.3, but the problem also
occurs on 5.2 (today it occurred).
Sometimes (too often) they totally freeze. Nothing responds (but ICMP
ping works...)

For 1 month I have been trying to resolve this problem but I haven't found
where the problem is. I have tried all you mentioned about DDB without
success.

* Four systems handle 700 clients, and two have squid 3.2.5 compiled
with small options (pf-transparent, ssl), and also use named, dhcpd and
openOSPFd
* The last two systems use only PF+openBGPd+openOSPFd.

Before, I thought it was related to LACP aggregates, but two of the squid
systems don't use aggregates.
I also thought it was related to CARP, but only four use CARP...

On each system, only 10% of bw is used (10-50Mbps), RAM is fine (each
system has more than enough RAM, 16Gbit, and uses only 8G for squid servers
and 200M for other servers).

One month ago I had this network problem every 30 minutes on one server.
I thought about too many connections on my proxy.
In UNIX logic, a network connection is a file. So I increased
kern.maxfiles to 16K, openfiles-cur to 8k and openfiles-max to 16k.

Since then, I hadn't had a crash until today. So I have
increased all of them to 36K. Is this the right way? Is there anything else to
check?? Must I set openfiles to infinity??

At this time, here is the current number of open files on the main squid
router in production:
kern.nfiles=4701.

Thanks in advance. If you need more details please tell me.

-- 
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr



Re: ospfd filtering

2013-06-02 Thread Loïc BLOT
Hi
Sorry for the double post, but I had forgotten kroute.c in my diff, so
it cannot work :)

Have a nice day

--- old/usr.sbin/ospfd/kroute.c 2011-11-15 05:17:46.0 +0100
+++ OpenBSD/usr.sbin/ospfd/kroute.c 2013-05-31 22:37:59.434032287 +0200
@@ -1,6 +1,7 @@
-/* $OpenBSD: kroute.c,v 1.91 2011/09/16 18:24:57 sthen Exp $ */
+/* $OpenBSD: kroute.c,v 1.92 2013/05/31 22:37:13 sthen Exp $ */
 
 /*
+ * Copyright (c) 2013 Loic Blot 
  * Copyright (c) 2004 Esben Norby 
  * Copyright (c) 2003, 2004 Henning Brauer 
  *
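Review bot: the `$OpenBSD: kroute.c,v 1.92 2013/05/31 ... sthen Exp $` line should not be hand-edited in a submitted diff; CVS rewrites that keyword on commit, and a diff that touches it stops applying as soon as the tree moves on. Drop the `-`/`+` pair on the RCS id and keep only the copyright addition.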
@@ -580,7 +581,7 @@
struct kroute_node  *kn;
struct krouterr;
int  redistribute = 0;
-
+   
/* only the highest prio route can be redistributed */
if (kroute_find(kh->r.prefix.s_addr, kh->r.prefixlen, RTP_ANY) != kh)
return;
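Review bot: this hunk has no functional change; it only turns an empty line into one carrying trailing whitespace (the `+   ` line), which OpenBSD style rejects. Drop the hunk.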
@@ -1137,6 +1138,9 @@
 
if (kr_state.fib_sync == 0)
return (0);
+   
+   if (kr_filter_do(kroute) != 0)
+   return (0);
 
/* initialize header */
bzero(&hdr, sizeof(hdr));
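Review bot: `kr_filter_do()` is called here from kroute.c but defined in ospfd.c, so kroute.c needs a prototype visible to it (presumably in ospfd.h, whose hunk is cut off below); the added blank line also carries trailing whitespace. Since this check sits in the routine that emits RTM_ADD, RTM_CHANGE and RTM_DELETE alike, a filter added at reload time for a prefix already in the FIB leaves that route installed with no way to withdraw it through ospfd; either document that filters must exist before the route is learned, or skip the filter for deletions.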
@@ -1581,3 +1585,43 @@
 
return (offset);
 }
+
+struct kroute_filter *
+kr_filter_new(struct in_addr nexthop, struct in_addr prefix,
+u_int8_t prefixlen)
+{
+   struct kroute_filter*kroute_filter;
+   
+   if ((kroute_filter = calloc(1, sizeof(*kroute_filter))) == NULL)
+   err(1, "kr_filter_new: calloc");
+   
+   kroute_filter->prefix = prefix;
+   kroute_filter->nexthop = nexthop;
+   kroute_filter->prefixlen = prefixlen;
+
+   return (kroute_filter); 
+}
+
+void
+kr_filter_del(struct kroute_filter *kroute_filter)
+{
+   LIST_REMOVE(kroute_filter, entry);
+   
+   free(kroute_filter);
+}
+
+struct kroute_filter *
+kr_filter_find(struct ospfd_conf *ospfd_conf, struct in_addr nexthop, 
+struct in_addr prefix, u_int8_t prefixlen)
+{
+   struct kroute_filter *kroute_filter;
+   
+   LIST_FOREACH(kroute_filter, &ospfd_conf->kroute_filter_list, entry) {
+   if (kroute_filter->nexthop.s_addr == nexthop.s_addr &&
+   kroute_filter->prefix.s_addr == prefix.s_addr &&
+   kroute_filter->prefixlen == prefixlen) {
+   return (kroute_filter);
+   }
+   }
+   return (NULL);
+}
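Review bot: `kr_filter_new()` bails out with `err(1, ...)`, but this daemon reports fatal errors through its own `fatal()`/`log_warn()` so they reach syslog when ospfd runs detached; use `fatal("kr_filter_new: calloc")`. `kr_filter_find()` takes `ospfd_conf` as a parameter while `kr_filter_do()` in ospfd.c reads the global, and it compares `nexthop` exactly while `kr_filter_do()` also treats `INADDR_ANY` as a wildcard; settle on one convention for both. Several added lines (`struct kroute_filter*kroute_filter;`, `return (kroute_filter); `, the blank lines) carry trailing whitespace.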
--- old/usr.sbin/ospfd/ospfd.c  2011-11-15 05:17:46.0 +0100
+++ OpenBSD/usr.sbin/ospfd/ospfd.c  2013-05-31 22:38:22.202030731 +0200
@@ -1,6 +1,7 @@
-/* $OpenBSD: ospfd.c,v 1.78 2011/08/20 11:16:09 sthen Exp $ */
+/* $OpenBSD: ospfd.c,v 1.79 2013/05/31 22:35:17 sthen Exp $ */
 
 /*
+ * Copyright (c) 2013 Loic Blot 
  * Copyright (c) 2005 Claudio Jeker 
  * Copyright (c) 2004 Esben Norby 
  * Copyright (c) 2003, 2004 Henning Brauer 
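Review bot: as in kroute.c, the `$OpenBSD: ospfd.c,v 1.79 ...$` keyword line must not be edited by hand; only the copyright line belongs in this hunk.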
@@ -680,6 +681,7 @@
struct area *a, *xa, *na;
struct iface*iface;
struct redistribute *r;
+   struct kroute_filter *rf, *nrf;
int  rchange = 0;
 
/* change of rtr_id needs a restart */
@@ -701,6 +703,14 @@
SIMPLEQ_REMOVE_HEAD(&xconf->redist_list, entry);
SIMPLEQ_INSERT_TAIL(&conf->redist_list, r, entry);
}
+   for (rf = LIST_FIRST(&conf->kroute_filter_list); rf != NULL; rf 
=
nrf) {
+   nrf = LIST_NEXT(rf, entry);
+   kr_filter_del(rf);
+   }
+   for (rf = LIST_FIRST(&xconf->kroute_filter_list); rf != NULL; 
rf =
nrf) {
+   nrf = LIST_NEXT(rf, entry);
+   LIST_INSERT_HEAD(&conf->kroute_filter_list, rf, entry);
+   }
goto done;
}
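Review bot: both `for` loops are broken across lines by the mail client (`rf \n=\nnrf) {`), so this hunk will not apply as posted; resend with line wrapping disabled or as an attachment. Logically, entries are moved out of `xconf->kroute_filter_list` with `LIST_INSERT_HEAD()` without a preceding `LIST_REMOVE()`, which leaves the old list head pointing into `conf`'s list; mirror the `redist_list` code just above (remove from one list, then insert into the other). Inserting at the head also reverses the configured order, which is harmless today because any match filters, but worth a comment.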
 
@@ -891,3 +901,26 @@
return (i);
return (NULL);
 }
+
+int
+kr_filter_do(struct kroute *kr)
+{
+   struct kroute_filter*i;
+   
+   LIST_FOREACH(i, &ospfd_conf->kroute_filter_list, entry) {
+   /*
+* TODO: filter all routes for one nexthop
+*/
+   if (i->prefix.s_addr == kr->prefix.s_addr &&
+   i->prefixlen == kr->prefixlen &&
+   (i->nexthop.s_addr == kr->nexthop.s_addr ||
+   i->nexthop.s_addr == INADDR_ANY)) {
+   log_info("ospfd_filternexthop: filtering route 
%s/%u",
+   inet_ntoa(i->prefix), i->prefixlen);
+   log_info("ospfd_filternexthop: nexthop is %s",
+   inet_ntoa(i->nexthop));
+   return (1);
+   }
+   }
+   return (0);
+}
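Review bot: `kr_filter_do()` only touches `struct kroute` and the filter list, so it belongs in kroute.c beside `kr_filter_new()`/`kr_filter_find()` rather than in ospfd.c. The log prefix `ospfd_filternexthop:` does not match the function name, and `log_info()` fires on every route message for a filtered prefix, which gets noisy on a busy router; `log_debug()` fits better. The `INADDR_ANY` nexthop wildcard is undocumented here and the `TODO` suggests a prefix wildcard is still missing; state in the config grammar which fields may be left at 0.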
--- old/usr.sbin/ospfd/ospfd.h  2013-02-16 04:03:42.0 +0100
+++ OpenBSD/usr.sbin/ospfd/ospfd.h  2013-05-31 22:38:44.768029188 +0200
@@ -1,6 +1,7 @@
-/* $OpenBSD: ospfd.h,v 1.91 2013/01/17 10:07:56 markus Exp $ */
+/* $OpenBSD: ospfd

Re: A tricky pf + ecmp routing + squid question [Disregard - SOLVED]

2013-06-02 Thread Loïc BLOT
Hello Rob,
mine is a forward proxy; it's used by my clients to go to all websites
(except those blacklisted by squidguard).

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




On Sunday 2 June 2013 at 12:33 -0700, Rob Sheldon wrote:

> On 2013-06-02 2:35, Loïc BLOT wrote:
> > Hello Rob,
> > I've been using squid since 3.1 on OpenBSD 5.2 with compiled sources (squid
> > 3.2.5-9 and 3.3.4 at this time). I don't use an IP but the http_port
> > 3129 as my configuration suggests:
> >
> > http_port 3128
> > http_port 3129 intercept
> >
> > And I have these rules in my PF
> >
> > pass in quick proto tcp to { 10.X.1.1 10.X.1.2, 10.X.1.3 } port
> > { $squid_port $squid_intercept_port http }
> > pass in quick inet proto tcp from {   }
> > to any port { 80 8080 } rdr-to 10.X.1.1 port $squid_intercept_port
> >
> > And all works perfectly :). I haven't tested on 5.3 because the BCM5720s
> > which are disabled on 5.2 are enabled and cause problems on my second
> > squid server... but I don't think this causes a problem.
>
> As a forward proxy or a reverse proxy? There's no way a Squid 3.2+
> installation should work with rdr-to, unless:
>
> - the sources were modified to disable the security check described by
> Amos in
> http://www.squid-cache.org/mail-archive/squid-users/201208/0374.html;
>
> - or the destination IP of the requests matches the IP of the requested
> web server (reverse proxy, internal web server, or something).
>
> Amos spelled out the code change in 3.2+ in the mail post above. rdr-to
> rewrites the destination IP in the request. If Squid receives a request
> for a host (e.g. a get request for / on www.google.com), and the DNS
> lookup for the requested host does not match the destination IP of the
> request (e.g. the request was rdr-to'd 10.5.1.1), then Squid will refuse
> to forward the request to www.google.com.
>
> I can accept that maybe there's something going on that I still don't
> understand that's causing my particular configuration to require the
> listening IP in the http_port setting -- although I doubt it, I'm very
> very close to the configuration in the official Squid documentation at
> this point -- but I understand the rdr-to problem well enough now to
> assert that it won't work as intended except in a few specific cases.
>
> - R.




Re: A tricky pf + ecmp routing + squid question [Disregard - SOLVED]

2013-06-02 Thread Loïc BLOT
Hello Rob,
I've been using squid since 3.1 on OpenBSD 5.2 with compiled sources (squid
3.2.5-9 and 3.3.4 at this time). I don't use an IP but the http_port
3129 as my configuration suggests:

http_port 3128
http_port 3129 intercept

And I have these rules in my PF

pass in quick proto tcp to { 10.X.1.1 10.X.1.2, 10.X.1.3 } port
{ $squid_port $squid_intercept_port http }
pass in quick inet proto tcp from {   }
to any port { 80 8080 } rdr-to 10.X.1.1 port $squid_intercept_port

And all works perfectly :). I haven't tested on 5.3 because the BCM5720s
which are disabled on 5.2 are enabled and cause problems on my second
squid server... but I don't think this causes a problem.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr



On Sunday 2 June 2013 at 02:17 -0700, Rob Sheldon wrote:
> Sorry for the noise.
>
> OpenBSD 5.3 introduced Squid 3.2, which now checks the destination IP
> of inbound packets against the Host: header in interception mode. This
> breaks rdr-to, which makes nearly every howto online incorrect (joy).
> There was a minor error in the Squid docs which confused me (http_port
> must have IP-of-interface-to-listen on:port, e.g., "http_port
> 127.0.0.1:3129 intercept", instead of just "http_port 3129 intercept" as
> in the current docs), which caused the connection refused errors, which
> I stupidly misinterpreted.
>
> FWIW, the Squid docs link to
> http://www.openbsd.org/cgi-bin/cvsweb/ports/www/squid/pkg/README-main?rev=1.1;content-type=text%2Fplain,
> which have "http_port 127.0.0.1:3129 transparent" as the example, but
> as of Squid 3.1, "transparent" was deprecated in favor of "intercept":
> http://www.squid-cache.org/Doc/config/http_port/
>
> - R.




Re: ospfd filtering

2013-05-31 Thread Loïc BLOT
er, &conf->kroute_filter_list, entry) {
+   printf("kroute-ignore-insert %s prefixlen %u",
+   
inet_ntoa(kroute_filter->prefix),kroute_filter->prefixlen);
+   printf(" nexthop %s\n",
+   inet_ntoa(kroute_filter->nexthop));
+   }
+}
+
+void
 print_iface(struct iface *iface)
 {
struct auth_md  *md;
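Review bot: the `printf()` for the prefix is split by mail wrapping (`+   ` on one line, `inet_ntoa(kroute_filter->prefix),kroute_filter->prefixlen);` on the next), so this hunk will not apply cleanly as posted. Calling `inet_ntoa()` for prefix and nexthop from two separate `printf()` calls is correct since it returns a static buffer, but the keyword printed (`kroute-ignore-insert`) must match what the config parser accepts so that the printed configuration can be fed back in.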


Have a nice day !
-- 
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr
On Wednesday 1 May 2013 at 23:45 +0200, Loïc BLOT wrote:
> My border routers obtain a default route in fact, and OSPF must
> redistribute this route to LAN Routers. Here is a scheme
> 
> 
>   |-- R1 site 1 R3 Site 1
>   |  BGP AS 650XX  |  OSPF a3|
>   |-- R2 site 1 R4 Site 1
>   | |
> WAN | GRE (OSPF a3)
>   | |
>   |-- R1 site 2  R3 Site 2
>   |  BGP AS 650YY  |  OSPF a3|
>   |-- R2 site 2- R4 Site 2
> 
> Each BGP AS redistributes a default route.
> You are right, OSPF should redistribute the default route (it's the case)
> for R3/R4 routers on each site. The problem is between the two
> border routers and on GRE.
> Please note R1 and R2 are full mesh GRE (R1S1 -> R1S2 / R1S1 -> R2S2 /
> R2S1 -> R2S1 -> R2S1 / R2S1 -> R2S2).
> When I said priority it's not route priority but protocol priority (BGP:
> 48/OSPF: 40)
> 
> Any idea? I think the only and the best solution is to filter installed
> routes
> 
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
> 
> 
> 
> 
> On Wednesday 1 May 2013 at 23:26 +0200, Claudio Jeker wrote:
> > On Wed, May 01, 2013 at 10:00:55PM +0200, Loïc BLOT wrote:
> > > In fact, this isn't really an interarea problem but an inter-protocol
> > > problem.
> > >
> > > Next month I'll have two border routers which are connected to the MAN by
> > > BGP. In my LAN and on my tunnels I'm in a "LAN backbone" area.
> > >
> > > Because of the priority of OSPF and the default route redistribution,
> > > the default route will be redistributed on my GRE tunnel and also
> > > between the two border routers, and those routes take priority over BGP routes.
> > > A problem is also that redistribute default is a global function, so the
> > > default route will be redistributed (and also taken) everywhere.
> > > If we could configure redistribute default/static/connected per area, I
> > > could split my "LAN backbone" area into 3 areas (1 per site + 1 for
> > > GRE), and not redistribute the default route on GRE, but the
> > > redistribution between the two border routers is not fixed. So the
> > > only way to resolve this issue is to filter entries to the kernel routing
> > > table, you are right.
> > >
> >
> > Hmm. I don't know your network setup but you should redistribute the
> > default route from your border routers. Also the routing priority only
> > matters for equal prefixes so the more specific bgp routes from a full feed
> > will still be considered. Last but not least on border routers I also
> > normally install a default blackhole route which again would prevent the
> > ospf default route to take precedence (if the prio is set right of course).
> >
> > --
> > :wq Claudio
> 



Re: BCM5720 and LACP

2013-05-22 Thread Loïc Blot
Hello all,
At this time, I have recompiled a fresh kernel (from the ftp 5.3 sources).
The problem persists. I have recompiled with makeoptions DEBUG=-g, can
this help??
If I use option DEBUG my kernel hangs after the OpenBSD boot banner :s.

I can say bge1 doesn't want to be in the trunk, never. For now I have
em0-1 and bge0,2-3 in trunks
(http://www.hostingpics.net/viewer.php?id=705980photo.jpg )

At this time the system works but there are some system freezes for 10-15sec
and after that it comes back.

Any ideas?
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Thursday 9 May 2013 at 10:02 +0200, Loïc BLOT wrote:
> No, it's a Dell R320, so a 64bit CPU, so amd64 architecture :)
> 
> Loic Blot
> 
> On 8 May 2013 at 23:54, Joerg Goltermann wrote:
> 
> > Hi,
> > 
> > On 04.05.2013 20:11, Loïc Blot wrote:
> >> Today, I wanted to upgrade exactly the same model (Dell R320 with PCI Intel
> >> card and BCM5720 on the motherboard plus PCI BCM5720), and I have some very
> >> problematic issues. The OpenBSD upgrade works like a charm, but when I use
> >> LACP with the Broadcom cards, after a moment the system totally freezes and
> >> nothing responds (on ssh connect but also on the server screen and
> >> keyboard).
> > 
> > let me guess, you have upgraded from <= 5.1 to 5.3 on i386 platform?
> > 
> > - Joerg



Re: BCM5720, LACP and CARP serious problem

2013-05-22 Thread Loïc Blot
I have disabled the motherboard BCM5720 and plugged in the external one.
I have understood the problem.
If I have two BCM5720s the server freezes. If you have only one, no
problem. The only remaining problem is bge1 stays in active mode (on each
card) and doesn't go into distributing mode


-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Wednesday 22 May 2013 at 11:03 +0200, Loïc Blot wrote:
> Ok, I have another piece of news on this problem.
> 
> I have unplugged the external BCM5720 card, and now there is only the
> motherboard BCM5720 + the Intel Pro 1000.
> I created two LACP trunks with 2 ports (1 for each card).
> The servers don't freeze anymore !! (but there is a problem,
> motherboard bge1 stays active but doesn't collect and distribute. The
> switch doesn't aggregate the port; this problem was present when the 4
> bge ports were on the server).
> 
> The next test is to disable the motherboard BCM 5720 and retry with the
> external BCM5720, to see if the same behaviour is present.



Re: BCM5720, LACP and CARP serious problem

2013-05-22 Thread Loïc Blot
Hi all,
I have plugged a serial cable into the server and started a tty on it.
In fact my server has com0 and com1 ports but it seems com1 is the real
console port. I have also set ddb.console=1 in sysctl.conf but when I
send break or ctrl+alt+escape in the console terminal nothing happens.
I am connected on another switch (before I thought it was a cisco 2960
communication problem, but it seems not, I'm on a dell powerconnect
6224).
Why doesn't break have any effect on com1?
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Monday 6 May 2013 at 14:59 +1000, David Gwynne wrote:
> do you have a real serial console hooked up to the machines? more 
> specifically, can you break into ddb when the machine breaks and get a trace?
> 
> i use carp on vlans on lacp trunks on top of myx(4) and em(4) "quite a lot" 
> without trouble, so it's likely to be bge(4) if you ask me. unfortunately that 
> means it's my fault or responsibility.
> 
> if you could get a trace to verify, that would be much appreciated.
> 
> cheers,
> dlg
> 
> On 05/05/2013, at 4:11 AM, Loïc Blot  wrote:
> 
> > Hello misc.
> > On Thursday I upgraded one of our BGP border routers to OpenBSD 5.3,
> > and I was pleased to get the BCM5720 working. I have added it to the
> > existing LACP trunk for LAN (2 LACP, 2 ports on WAN, 4 on LAN now).
> > There is no problem on this router.
> > 
> > Today, I wanted to upgrade exactly the same model (Dell R320 with PCI Intel
> > card and BCM5720 on the motherboard plus PCI BCM5720), and I have some very
> > problematic issues. The OpenBSD upgrade works like a charm, but when I use
> > LACP with the Broadcom cards, after a moment the system totally freezes and
> > nothing responds (on ssh connect but also on the server screen and
> > keyboard).
> > On this router ports must be aggregated by 3 (3 for LAN, 3 for DMZ), so
> > each trunk has 1 Intel port and 2 Broadcom ports.
> > I have tried two configurations, same BCM5720 card in the trunk and 1
> > port from each card. The same problem appears.
> > To finish, I have disabled all ports except the working Intel card, but the
> > problem also occurs. The only solution I have found to get the server
> > working is to up bge1 and bge2 and down the other interfaces (on the CISCO
> > 2960G switch, ios 12.2(55)SE3); it's the only case when the server doesn't
> > freeze.
> > Each time I tried and thought it was a success, I waited 5 min and the
> > problem occurred, or the problem occurred when I rebooted the machine.
> > 
> > Other detail, the working router with BCM 5720 is between an Alcatel
> > 6850 and a CISCO 4507 (Supervisor IV, ios 12.2(54)SG)
> > 
> > OpenBSD mustn't freeze totally; I think something is missing in the BCM
> > driver or in LACP handling, or maybe BCM + LACP + CARP isn't a good idea,
> > but I haven't any choice :s
> > 
> > Thanks in advance.
> > -- 
> > Best regards, 
> > 
> > Loïc BLOT, Engineering
> > UNIX Systems, Security and Networks
> > http://www.unix-experience.fr



Re: BCM5720, LACP and CARP serious problem

2013-05-22 Thread Loïc Blot
Ok, I have some more news on this problem.

I have unplugged the external BCM5720 card, and now there is only the
motherboard BCM5720 + the Intel Pro 1000.
I created two LACP trunks with 2 ports (1 for each card).
The server doesn't freeze anymore!! (But there is a problem: the
motherboard bge1 stays active but doesn't collect and distribute. The
switch doesn't aggregate the port; this problem was present when the 4
bge ports were on the server.)

The next test is to disable the motherboard BCM5720 and retry with the
external BCM5720, to see if the same behaviour is present.
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Monday, 6 May 2013 at 14:59 +1000, David Gwynne wrote:
> do you have a real serial console hooked up to the machines? more 
> specifically, can you break into ddb when the machine breaks and get a trace?
> 
> i use carp on vlans on lacp trunks on top of myx(4) and em(4) "quite a lot" 
> without trouble, so its likely to be bge(4) if you ask me. unfortunately that 
> means its my fault or responsibility.
> 
> if you could get a trace to verify, that would be much appreciated.
> 
> cheers,
> dlg
> 
> On 05/05/2013, at 4:11 AM, Loïc Blot  wrote:
> 
> > Hello misc.
> > On Thursday I upgraded one of our BGP border routers to OpenBSD 5.3,
> > and I was pleased to get the BCM5720 working. I have added it to the
> > existing LACP trunk for LAN (2 LACP, 2 ports on WAN, 4 on LAN now).
> > There is no problem on this router.
> >
> > Today I want to upgrade exactly the same model (Dell R320 with a PCI Intel
> > card and a BCM5720 on the motherboard plus a PCI BCM5720), and I have some very
> > problematic issues. The OpenBSD upgrade works like a charm, but when I use
> > LACP with the Broadcom cards, after a moment the system totally freezes and
> > nothing responds (on ssh connect but also on the server screen and
> > keyboard).
> > On this router ports must be aggregated by 3 (3 for LAN, 3 for DMZ), so
> > each trunk has 1 Intel port and 2 Broadcom ports.
> > I have tried two configurations, the same BCM5720 card in the trunk and 1
> > port from each card. The same problem appears.
> > To finish, I have disabled all ports except the working Intel card, but the
> > problem still occurs. The only solution I have found to get the server
> > working is to up bge1 and bge2 and down the other interfaces (on the Cisco
> > 2960G switch, IOS 12.2(55)SE3); it's the only case where the server doesn't
> > freeze.
> > On each try, when I think it was a success, I waited 5 min and the
> > problem occurs, or the problem occurs when I reboot the machine.
> >
> > Another detail: the working router with BCM5720 is between an Alcatel
> > 6850 and a Cisco 4507 (Supervisor IV, IOS 12.2(54)SG).
> >
> > OpenBSD mustn't freeze totally; I think something is missing in the BCM
> > driver or in the LACP handling, or maybe BCM + LACP + CARP isn't a good idea,
> > but I haven't any choice :s
> >
> > Thanks in advance.
> > -- 
> > Best regards, 
> > 
> > Loïc BLOT, Engineering
> > UNIX Systems, Security and Networks
> > http://www.unix-experience.fr



Re: openospfd vs bird vs quagga etc on OpenBSD for OSPF interoperating with IOS XE (v4 & v6)

2013-05-16 Thread Loïc BLOT
OpenBSD and openbgpd are working like a charm with Cisco and Alcatel routers.
With the OpenBSD routing daemon you can also back up the OSPF configurations and
create different versions. Also, debugging is simpler.

Loic Blot

On 16 May 2013 at 17:45, mxb wrote:

> Quagga might have more features (which you probably don't need at all),
> but I find it more difficult to work with than OpenOSPFD.
> 
> 1. Configuration in at least two files
> 2. In order to reload config or to check out state you have to telnet to 
> quagga. E.g. no ospfctl 
> 
> //mxb
> 
> On 16 May 2013, at 17:16, andy wrote:
> 
>> Hello,
>> I would like to appeal to the knowledge and experience of this mailing
>> list to offer any opinions/preferences for which routing daemon would be
>> best to use (openospfd or bird or quagga) on OpenBSD when interoperating
>> with Cisco IOS XE routers for redistributing IPv4 and IPv6 routes?
>> 
>> I am planning to install 2 Cisco ASR 1002 routers as POPs to interconnect
>> our many OpenBSD firewalls at our data centres, and would like OSPF to
>> redistribute all the prefixes.
>> 
>> I like BIRD and have used it before to a basic extent, but wonder if the
>> OpenOSPFd daemon would be better seeing as it seems to be more closely
>> coupled with OpenBSD development?
>> 
>> Thank you in advance for your time.
>> Kind regards, Andy.



Re: BCM5719C/BCM5720 partially working

2013-05-10 Thread Loïc BLOT
Thanks for the precision, I will test your issue to verify if my BCM5720 issue
is linked with yours.

Loic Blot

On 10 May 2013 at 14:12, David Imhoff wrote:

> Hi,
> 
> I'm having problems with a 4-port BCM5719C based PCI-E network card
> and the 2-port BCM5720 network interfaces built into a Dell R320
> server. The first network port functions fine but the other ports do
> not, partially (only receive) or only sometimes function. The most
> common situation is that a port only receives packets but does not
> transmit packets. Forcing packets to be sent on one of these broken
> interfaces, by creating a static arp entry and flood pinging that
> address, always results in the following error:
> "ping: sendto: No buffer space available"
> Currently I have the second port of the BCM5719C based card working,
> only if I bring up all ports of the interface in the order from 0 to 4.
> 
> I tested with two different R320 servers, two different BCM5719C cards,
> and two different firmware versions for the BCM5719C cards. All with
> the same results.
> 
> I'm sorry that I can't be more specific, but i'm available for
> questions or running tests/debugging.
> 
> Kind Regards,
> 
> David
> 
> dmesg of server with BCM5719C cards:
> OpenBSD 5.3-current (GENERIC.MP) #108: Tue Apr 30 11:35:41 MDT 2013
>t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4273274880 (4075MB)
> avail mem = 4151812096 (3959MB)
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xcfb9c000 (67 entries)
> bios0: vendor Dell Inc. version "2.5.0" date 10/13/2008
> bios0: Dell Inc. PowerEdge 1950
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S4 S5
> acpi0: tables DSDT FACP APIC SPCR HPET MCFG WD__ SLIC ERST HEST BERT EINJ TCPA
> acpi0: wakeup devices PCI0(S5)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2494.10 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF
> cpu0: 6MB 64b/line 16-way L2 cache
> cpu0: apic clock running at 332MHz
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2493.78 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF
> cpu1: 6MB 64b/line 16-way L2 cache
> cpu2 at mainbus0: apid 1 (application processor)
> cpu2: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2493.78 MHz
> cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF
> cpu2: 6MB 64b/line 16-way L2 cache
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2493.78 MHz
> cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF
> cpu3: 6MB 64b/line 16-way L2 cache
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 4
> acpihpet0 at acpi0: 14318179 Hz
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 4 (PEX2)
> acpiprt2 at acpi0: bus 5 (UPST)
> acpiprt3 at acpi0: bus 6 (DWN1)
> acpiprt4 at acpi0: bus 8 (DWN2)
> acpiprt5 at acpi0: bus 1 (PEX3)
> acpiprt6 at acpi0: bus -1 (PE2P)
> acpiprt7 at acpi0: bus 10 (PEX4)
> acpiprt8 at acpi0: bus 12 (PEX6)
> acpiprt9 at acpi0: bus 2 (SBEX)
> acpiprt10 at acpi0: bus 14 (COMP)
> acpicpu0 at acpi0: C3
> acpicpu1 at acpi0: C3
> acpicpu2 at acpi0: C3
> acpicpu3 at acpi0: C3
> ipmi at mainbus0 not configured
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 5000X Host" rev 0x12
> ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE" rev 0x12
> pci1 at ppb0 bus 4
> ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
> pci2 at ppb1 bus 5
> ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
> pci3 at ppb2 bus 6
> ppb3 at pci3 dev 0 function 0 "ServerWorks PCIE-PCIX" rev 0xc3
> pci4 at ppb3 bus 7
> bnx0 at pci4 dev 0 function 0 "Broadcom BCM5708" rev 0x12: apic 4 int 16
> ppb4 at pci2 dev 1 function 0 "Intel 6321ESB PCIE" rev 0x01
> pci5 at ppb4 bus 8
> ppb5 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
> pci6 at ppb5 bus 9
> ppb6 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0x12
> pci7 at ppb6 bus 1
> mfi0 at pci7 dev 0 function 0 "Symbios Logic SAS1078" rev 0x04: apic 4 int 16
> mfi0: "PERC 6/i Integrated", firmware 6.2.0-0013, 256MB cache
> 

Re: ospfd filtering

2013-05-10 Thread Loïc BLOT
Perfect Claudio, if you need some tests, tell me.
I will need this fix before mid-June, so I can help you.
I cannot get /1 from the MAN routers, sorry, so I'm blocked with one
router for now (and I hope the default route won't be sent to the GRE
tunnel :p).

If you want, I would help you implement filtering if you tell me how
to do it.
-- 
Best regards,
Loïc BLOT,
UNIX Systems, Security and Networks Expertise
http://www.unix-experience.fr 

On Thursday, 9 May 2013 at 14:50 +0200, Claudio Jeker wrote:
> On Wed, May 01, 2013 at 11:45:04PM +0200, Loïc BLOT wrote:
> > My border routers obtain a default route in fact, and OSPF must
> > redistribute this route to LAN Routers. Here is a scheme
> > 
> > 
> >   |-- R1 site 1 R3 Site 1
> >   |  BGP AS 650XX  |  OSPF a3|
> >   |-- R2 site 1 R4 Site 1
> >   | |
> > WAN | GRE (OSPF a3)
> >   | |
> >   |-- R1 site 2  R3 Site 2
> >   |  BGP AS 650YY  |  OSPF a3|
> >   |-- R2 site 2- R4 Site 2
> > 
> > Each BGP AS redistributes a default route.
> > You are right, OSPF should redistribute the default route (it's the case)
> > for the R3/R4 routers on each site. The problem is between the two
> > border routers and on GRE.
> > Please note R1 and R2 are full mesh GRE (R1S1 -> R1S2 / R1S1 -> R2S2 /
> > R2S1 -> R2S1 -> R2S1 / R2S1 -> R2S2).
> > When I said priority it's not route priority but protocol priority (BGP:
> > 48/OSPF: 40)
> > 
> > Any idea? I think the only and the best solution is to filter installed
> > routes
> > 
> 
> OK I see your problem now. The BGP feeds are not sending you a full view
> but just a default route and so you clash on the default routes.
> For now the only hack that I know which would work is to have BGP
> distribute two /1 (0/1 and 128/1) networks instead of the default route
> because those will be more specific and win over the OSPF default route.
> I know this is an ugly hack.
> 
> My plan is to make the routing priority configurable per daemon and I
> will also look into an Ext-LSA filter option for ospfd. Ext-LSAs are strict
> leaf nodes in the LS graph and can be pruned without risk. This will take
> some time so don't hold your breath.
> 
> -- 
> :wq Claudio
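The /1 hack Claudio describes in the quoted reply, modelled as an added example (my code, not from the thread and not OpenBSD's route selection code). It assumes the kernel picks a route by longest prefix first and only then by daemon priority, with a lower value winning; the values 48 (bgpd) and 40 (ospfd) are the ones quoted in the thread, the static priority 8, the "blackhole" label and the prefix 203.0.113.0/24 are constructed sample values. The third scenario goes beyond the thread's own case and also shows Claudio's earlier suggestion of a static default blackhole route.

```python
"""
Toy FIB showing why two daemons installing 0.0.0.0/0 clash, why splitting
the BGP default into 0/1 and 128/1 wins regardless of priority, and how a
static blackhole default at a low priority value masks the OSPF default.

Assumed selection rule (mine): longest prefix match first, then lowest
priority value among equal-length prefixes.
"""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, priority, source daemon); priority values as quoted in the thread
Route = Tuple[ipaddress.IPv4Network, int, str]


def route(prefix: str, prio: int, src: str) -> Route:
    return (ipaddress.ip_network(prefix), prio, src)


def lookup(fib: List[Route], dst: str) -> Optional[Route]:
    """Return the winning route for dst, or None if nothing covers it."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in fib if addr in r[0]]
    if not candidates:
        return None
    # most specific prefix first; among equal prefix lengths the lowest
    # priority value (most preferred daemon) wins
    candidates.sort(key=lambda r: (-r[0].prefixlen, r[1]))
    return candidates[0]


def winner(fib: List[Route], dst: str) -> str:
    r = lookup(fib, dst)
    return r[2] if r else "unreachable"


# Scenario 1 (the clash from the thread): both daemons install 0.0.0.0/0,
# so the tie is broken purely by priority and OSPF (40) beats BGP (48).
def clash_fib() -> List[Route]:
    return [route("0.0.0.0/0", 48, "bgp"),
            route("0.0.0.0/0", 40, "ospf")]


# Scenario 2 (Claudio's /1 hack): BGP installs 0/1 and 128/1 instead of /0.
# Every destination matches one of them, and a /1 is more specific than /0,
# so BGP wins before priority is even considered.
def split_fib() -> List[Route]:
    return [route("0.0.0.0/1", 48, "bgp"),
            route("128.0.0.0/1", 48, "bgp"),
            route("0.0.0.0/0", 40, "ospf")]


# Scenario 3 (static blackhole default, constructed): a static default at
# priority 8 masks the OSPF default for the same prefix, while a more
# specific BGP prefix still wins by prefix length.
def blackhole_fib() -> List[Route]:
    return [route("0.0.0.0/0", 8, "static-blackhole"),
            route("0.0.0.0/0", 40, "ospf"),
            route("203.0.113.0/24", 48, "bgp")]


if __name__ == "__main__":
    scenarios = (("clash", clash_fib()),
                 ("split", split_fib()),
                 ("blackhole", blackhole_fib()))
    for name, fib in scenarios:
        for dst in ("10.0.0.1", "203.0.113.5", "198.51.100.7"):
            print(f"{name:9s} {dst:15s} -> {winner(fib, dst)}")
```

Run it and compare the "clash" and "split" rows: the only change between them is the prefix length of the BGP entries, which is exactly why the hack works without touching any priority.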



Re: BCM5720, LACP and CARP serious problem

2013-05-09 Thread Loïc BLOT
No, it's a Dell R320, so a 64-bit CPU, so amd64 architecture :)

Loic Blot

On 8 May 2013 at 23:54, Joerg Goltermann wrote:

> Hi,
> 
> On 04.05.2013 20:11, Loïc Blot wrote:
>> Today I want to upgrade exactly the same model (Dell R320 with a PCI Intel
>> card and a BCM5720 on the motherboard plus a PCI BCM5720), and I have some very
>> problematic issues. The OpenBSD upgrade works like a charm, but when I use
>> LACP with the Broadcom cards, after a moment the system totally freezes and
>> nothing responds (on ssh connect but also on the server screen and
>> keyboard).
> 
> let me guess, you have upgraded from <= 5.1 to 5.3 on i386 platform?
> 
> - Joerg



Re: BCM5720, LACP and CARP serious problem

2013-05-07 Thread Loïc BLOT
Hello Stuart, ok for the console (I should have said I use the keyboard and
screen on the server directly, sorry for the mistake :s).
I can't test this week, because of production (and so I have shut
down the server because it interferes with the CARP master and takes
over when it mustn't...).
Can I access this ddb console when the server is totally frozen? And can
I access the ddb console via a directly connected keyboard?

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




On Tuesday, 7 May 2013 at 13:28 +, Stuart Henderson wrote:
> On 2013-05-06, Loïc BLOT  wrote:
> > Hello,
> > I use the same stack:
> > Carp on vlan on trunk on physical,
> > There is no backtrace, it's a complete server freeze (I'm on a serial), I
> > would prefer a ddb but there isn't
>
> Can you get into ddb if you send BREAK over serial?
>
> You will need to reboot with ddb.console=1 in sysctl.conf if you don't
> already have it set.




Re: BCM5720, LACP and CARP serious problem

2013-05-06 Thread Loïc BLOT
A little more precision:
my server has network, but sometimes it also loses network for 1
second and CARP goes to master on this backup server and generates
instability. I think there is a problem somewhere, but I don't know why.
To compare, I have two Dell R320 with BCM5720 and EM; one works perfectly
and has only Trunk+VLAN.
The other has Trunk+VLAN+CARP/pfsync and has networking problems.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




On Monday, 6 May 2013 at 14:59 +1000, David Gwynne wrote:
> do you have a real serial console hooked up to the machines? more
> specifically, can you break into ddb when the machine breaks and get a trace?
>
> i use carp on vlans on lacp trunks on top of myx(4) and em(4) "quite a lot"
> without trouble, so its likely to be bge(4) if you ask me. unfortunately that
> means its my fault or responsibility.
>
> if you could get a trace to verify, that would be much appreciated.
>
> cheers,
> dlg
>
> On 05/05/2013, at 4:11 AM, Loïc Blot  wrote:
>
> > Hello misc.
> > On Thursday I upgraded one of our BGP border routers to OpenBSD 5.3,
> > and I was pleased to get the BCM5720 working. I have added it to the
> > existing LACP trunk for LAN (2 LACP, 2 ports on WAN, 4 on LAN now).
> > There is no problem on this router.
> >
> > Today I want to upgrade exactly the same model (Dell R320 with a PCI Intel
> > card and a BCM5720 on the motherboard plus a PCI BCM5720), and I have some very
> > problematic issues. The OpenBSD upgrade works like a charm, but when I use
> > LACP with the Broadcom cards, after a moment the system totally freezes and
> > nothing responds (on ssh connect but also on the server screen and
> > keyboard).
> > On this router ports must be aggregated by 3 (3 for LAN, 3 for DMZ), so
> > each trunk has 1 Intel port and 2 Broadcom ports.
> > I have tried two configurations, the same BCM5720 card in the trunk and 1
> > port from each card. The same problem appears.
> > To finish, I have disabled all ports except the working Intel card, but the
> > problem still occurs. The only solution I have found to get the server
> > working is to up bge1 and bge2 and down the other interfaces (on the Cisco
> > 2960G switch, IOS 12.2(55)SE3); it's the only case where the server doesn't
> > freeze.
> > On each try, when I think it was a success, I waited 5 min and the
> > problem occurs, or the problem occurs when I reboot the machine.
> >
> > Another detail: the working router with BCM5720 is between an Alcatel
> > 6850 and a Cisco 4507 (Supervisor IV, IOS 12.2(54)SG).
> >
> > OpenBSD mustn't freeze totally; I think something is missing in the BCM
> > driver or in the LACP handling, or maybe BCM + LACP + CARP isn't a good idea,
> > but I haven't any choice :s
> >
> > Thanks in advance.
> > --
> > Best regards,
> >
> > Loïc BLOT, Engineering
> > UNIX Systems, Security and Networks
> > http://www.unix-experience.fr




Re: BCM5720, LACP and CARP serious problem

2013-05-06 Thread Loïc BLOT
Hello,
I use the same stack:
Carp on vlan on trunk on physical,
There is no backtrace, it's a complete server freeze (I'm on a serial), I would 
prefer a ddb but there isn't

Loic Blot

On 6 May 2013 at 06:59, David Gwynne wrote:

> do you have a real serial console hooked up to the machines? more 
> specifically, can you break into ddb when the machine breaks and get a trace?
> 
> i use carp on vlans on lacp trunks on top of myx(4) and em(4) "quite a lot" 
> without trouble, so its likely to be bge(4) if you ask me. unfortunately that 
> means its my fault or responsibility.
> 
> if you could get a trace to verify, that would be much appreciated.
> 
> cheers,
> dlg
> 
> On 05/05/2013, at 4:11 AM, Loïc Blot  wrote:
> 
>> Hello misc.
>> On Thursday I upgraded one of our BGP border routers to OpenBSD 5.3,
>> and I was pleased to get the BCM5720 working. I have added it to the
>> existing LACP trunk for LAN (2 LACP, 2 ports on WAN, 4 on LAN now).
>> There is no problem on this router.
>> 
>> Today I want to upgrade exactly the same model (Dell R320 with a PCI Intel
>> card and a BCM5720 on the motherboard plus a PCI BCM5720), and I have some very
>> problematic issues. The OpenBSD upgrade works like a charm, but when I use
>> LACP with the Broadcom cards, after a moment the system totally freezes and
>> nothing responds (on ssh connect but also on the server screen and
>> keyboard).
>> On this router ports must be aggregated by 3 (3 for LAN, 3 for DMZ), so
>> each trunk has 1 Intel port and 2 Broadcom ports.
>> I have tried two configurations, the same BCM5720 card in the trunk and 1
>> port from each card. The same problem appears.
>> To finish, I have disabled all ports except the working Intel card, but the
>> problem still occurs. The only solution I have found to get the server
>> working is to up bge1 and bge2 and down the other interfaces (on the Cisco
>> 2960G switch, IOS 12.2(55)SE3); it's the only case where the server doesn't
>> freeze.
>> On each try, when I think it was a success, I waited 5 min and the
>> problem occurs, or the problem occurs when I reboot the machine.
>> 
>> Another detail: the working router with BCM5720 is between an Alcatel
>> 6850 and a Cisco 4507 (Supervisor IV, IOS 12.2(54)SG).
>> 
>> OpenBSD mustn't freeze totally; I think something is missing in the BCM
>> driver or in the LACP handling, or maybe BCM + LACP + CARP isn't a good idea,
>> but I haven't any choice :s
>> 
>> Thanks in advance.
>> -- 
>> Best regards, 
>> 
>> Loïc BLOT, Engineering
>> UNIX Systems, Security and Networks
>> http://www.unix-experience.fr



BCM5720, LACP and CARP serious problem

2013-05-04 Thread Loïc Blot
Hello misc.
On Thursday I upgraded one of our BGP border routers to OpenBSD 5.3,
and I was pleased to get the BCM5720 working. I have added it to the
existing LACP trunk for LAN (2 LACP, 2 ports on WAN, 4 on LAN now).
There is no problem on this router.

Today I want to upgrade exactly the same model (Dell R320 with a PCI Intel
card and a BCM5720 on the motherboard plus a PCI BCM5720), and I have some very
problematic issues. The OpenBSD upgrade works like a charm, but when I use
LACP with the Broadcom cards, after a moment the system totally freezes and
nothing responds (on ssh connect but also on the server screen and
keyboard).
On this router ports must be aggregated by 3 (3 for LAN, 3 for DMZ), so
each trunk has 1 Intel port and 2 Broadcom ports.
I have tried two configurations, the same BCM5720 card in the trunk and 1
port from each card. The same problem appears.
To finish, I have disabled all ports except the working Intel card, but the
problem still occurs. The only solution I have found to get the server
working is to up bge1 and bge2 and down the other interfaces (on the Cisco
2960G switch, IOS 12.2(55)SE3); it's the only case where the server doesn't
freeze.
On each try, when I think it was a success, I waited 5 min and the
problem occurs, or the problem occurs when I reboot the machine.

Another detail: the working router with BCM5720 is between an Alcatel
6850 and a Cisco 4507 (Supervisor IV, IOS 12.2(54)SG).

OpenBSD mustn't freeze totally; I think something is missing in the BCM
driver or in the LACP handling, or maybe BCM + LACP + CARP isn't a good idea,
but I haven't any choice :s

Thanks in advance.
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr



Re: ospfd filtering

2013-05-01 Thread Loïc BLOT
My border routers obtain a default route in fact, and OSPF must
redistribute this route to LAN Routers. Here is a scheme


  |-- R1 site 1 R3 Site 1
  |  BGP AS 650XX  |  OSPF a3|
  |-- R2 site 1 R4 Site 1
  | |
WAN | GRE (OSPF a3)
  | |
  |-- R1 site 2  R3 Site 2
  |  BGP AS 650YY  |  OSPF a3|
  |-- R2 site 2- R4 Site 2

Each BGP AS redistributes a default route.
You are right, OSPF should redistribute the default route (it's the case)
for the R3/R4 routers on each site. The problem is between the two
border routers and on GRE.
Please note R1 and R2 are full mesh GRE (R1S1 -> R1S2 / R1S1 -> R2S2 /
R2S1 -> R2S1 -> R2S1 / R2S1 -> R2S2).
When I said priority it's not route priority but protocol priority (BGP:
48/OSPF: 40)

Any idea? I think the only and the best solution is to filter installed
routes

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




On Wednesday, 1 May 2013 at 23:26 +0200, Claudio Jeker wrote:
> On Wed, May 01, 2013 at 10:00:55PM +0200, Loïc BLOT wrote:
> > In fact, this isn't really an inter-area problem but an inter-protocol
> > problem.
> >
> > Next month I'll have two border routers which are connected to the MAN by
> > BGP. In my LAN and on my tunnels I'm in a "LAN backbone" area.
> >
> > Because of the priority of OSPF and the default route redistribution,
> > the default route will be redistributed on my GRE tunnel and also
> > between the two border routers, and those routes take precedence over BGP routes.
> > A problem is also that redistribute default is a global function, so the
> > default route will be redistributed (and also taken) everywhere.
> > If we could configure redistribute default/static/connected per area, I
> > could split my "LAN backbone" area into 3 areas (1 per site + 1 for
> > GRE), and not redistribute the default route on GRE, but the
> > redistribution between the two border routers is not fixed. So the
> > only way to resolve this issue is to filter entries to the kernel routing
> > table, you are right.
> >
>
> Hmm. I don't know your network setup but you should redistribute the
> default route from your border routers. Also the routing priority only
> matters for equal prefixes so the more specific bgp routes from a full feed
> will still be considered. Last but not least on border routers I also
> normally install a default blackhole route which again would prevent the
> ospf default route to take precedence (if the prio is set right of course).
>
> --
> :wq Claudio




Re: ospfd filtering

2013-05-01 Thread Loïc BLOT
In fact, this isn't really an inter-area problem but an inter-protocol
problem.

Next month I'll have two border routers which are connected to the MAN by
BGP. In my LAN and on my tunnels I'm in a "LAN backbone" area.

Because of the priority of OSPF and the default route redistribution,
the default route will be redistributed on my GRE tunnel and also
between the two border routers, and those routes take precedence over BGP routes.
A problem is also that redistribute default is a global function, so the
default route will be redistributed (and also taken) everywhere.
If we could configure redistribute default/static/connected per area, I
could split my "LAN backbone" area into 3 areas (1 per site + 1 for
GRE), and not redistribute the default route on GRE, but the
redistribution between the two border routers is not fixed. So the
only way to resolve this issue is to filter entries to the kernel routing
table, you are right.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




On Wednesday, 1 May 2013 at 21:35 +0200, Claudio Jeker wrote:
> On Wed, May 01, 2013 at 08:56:32PM +0300, Dan Shechter wrote:
> > You can't filter OSPF routes inside an area. It will break the OSPF
> > shortest path tree.
> >
> > I don't know about ospfd, but on Cisco IOS you can filter routes
> > (LSAs) between areas and you can also prevent prefixes from being
> > inserted to the routing table of the router where the filtering
> > commands are entered (you can't influence other routers' decisions for
> > intra area routes) .
> >
>
> Not having routes from the LSDB (RIB) in the routing table (FIB) is a good
> way to melt down your network with routing loops.
> In OSPF there is the assumption that if there is a path in the link-state
> DB passing router A-B-C that the traffic will also flow that way. This is
> only possible if the FIB and the RIB are in sync. You can't use a
> link-state routing protocol with a distributed DB when you want to filter.
>
> Sure we could add inter-area filtering but even there you may end up with
> some strange behaviours. The somewhat big hammer is to use a stub area in
> that case. Until now I never saw a good reason for complex filter logic
> and so I never implemented it.
>
> --
> :wq Claudio




Re: ospfd filtering

2013-05-01 Thread Loïc BLOT
OK for the tree, but refusing to insert routes in the kernel is useful.
It would be a great function to refuse inserting kernel routes from some
routers.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




On Wednesday, 1 May 2013 at 20:56 +0300, Dan Shechter wrote:
> You can't filter OSPF routes inside an area. It will break the OSPF
> shortest path tree.
>
> I don't know about ospfd, but on Cisco IOS you can filter routes
> (LSAs) between areas and you can also prevent prefixes from being
> inserted to the routing table of the router where the filtering
> commands are entered (you can't influence other routers' decisions for
> intra area routes) .
>
> HTH
>
>
>
> Best regards,
> Dan




ospfd filtering

2013-05-01 Thread Loïc BLOT
Hello all,
to begin, thanks to the OpenBSD team & contributors for this very good
release.

I have a question about ospfd. Why doesn't ospfd have capabilities to
filter some routes, or filter by source? (OK, by source it can be filtered
by PF, but if I want to refuse routes from specific hosts, or some
routes from some hosts :) )

Is this limitation a standard specification? Or is it only because the
code isn't written?

Thanks in advance

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




Re: ospfd default route problem

2013-03-26 Thread Loïc Blot
Hi Stuart,
I agree, but that means I must use area 0 on the LAN ifaces. And if I have
another area on that iface (my extended LAN area), I can't use the backbone
area.
Now I have replaced area 12 with area 0, but the problem still persists.
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


On Monday, 25 March 2013 at 22:52 +, Stuart Henderson wrote:
> On 2013-03-25, Loïc BLOT  wrote:
> > Hi Robert and misc@openbsd,
> > thanks for your reply, but what if I don't want to connect area 12 to area
> > 0? My area 12 is reserved for LAN to LAN only, I don't want to publish
> > its routes on the backbone area, and the backbone area is not in stub mode.
> 
> It sounds like you are trying to get a default route from area 3 into area
> 12 though, you would need to do that via the backbone (area 0).
> 
> > On Monday, 25 March 2013 at 14:23 +0100, Robert Blacquiere wrote:
> >
> >> See also:
> >>
> >> http://www.netcraftsmen.net/resources/archived-articles/434-introducing-ospf.html
> 
> yes, there are a bunch of pretty decent OSPF articles on that site.



Re: ospfd default route problem

2013-03-25 Thread Loïc BLOT
Hi Robert and misc@openbsd,
thanks for your reply, but what if I don't want to connect area 12 to area
0? My area 12 is reserved for LAN to LAN only, I don't want to publish
its routes on the backbone area, and the backbone area is not in stub mode.

Also, I thought about stub areas to not publish routes. I think I must
apply stub to area 3 but not to area 12, right? Stub is on the area
in which we don't want to obtain routes from other areas, isn't it?

Thank you in advance,

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




On Monday, 25 March 2013 at 14:23 +0100, Robert Blacquiere wrote:

> On Mon, Mar 25, 2013 at 11:24:56AM +0100, Loïc Blot wrote:
> > Hi all,
> > I am updating my last mail about OSPF to give you more details.
> >
> > I have 2 LAN OBSD routers, which are on a local VLAN, and 1 MAN OBSD
> > router, connected to the local VLAN and with an interconnection to the MAN router
> > - my 3 OpenBSD routers use area 12 to exchange local routes
> > - my MAN router uses area 12 over GRE+IPsec with a remote site
> > - my MAN router uses area 3 to get routes from the MAN (the default route
> > especially)
> >
> > A little scheme network scheme
> >
> >
> >Area 3Area 12
> > WAN --| MAN Router || My OBSD MAN Router || My OBSD LAN1
> >  |  ||| My OBSD LAN2
> >  |  |
> >  |  |
> >  |  Gre + IPSec | Area 12
> >  |  |
> >  |  |
> >  |  |
> >  |--| Remote OBSD Router || Remote LAN
> >
>
> 
>
> Every OSPF area needs to connect to area 0 (Backbone area). If you don't
> you need to use virtual interface tunnel (CISCO specific) to attach Area 12
to Area 0.
> It seems this can cause the issue you are seeing.
>
> See also:
>
> http://www.netcraftsmen.net/resources/archived-articles/434-introducing-ospf.html
>
> Regards
>
> Robert




ospfd default route problem

2013-03-25 Thread Loïc Blot
Hi all,
I am updating my last mail about OSPF to give you more details.

I have 2 LAN OBSD routers, which are on a local VLAN, and 1 MAN OBSD
router, connected to the local VLAN and with an interconnection to the MAN router
- my 3 OpenBSD routers use area 12 to exchange local routes
- my MAN router uses area 12 over GRE+IPsec with a remote site
- my MAN router uses area 3 to get routes from the MAN (the default route
especially)

A little scheme network scheme


   Area 3Area 12 
WAN --| MAN Router || My OBSD MAN Router || My OBSD LAN1
 |  ||| My OBSD LAN2
 |  |
 |  |
 |  Gre + IPSec | Area 12
 |  |
 |  |
 |  |
 |--| Remote OBSD Router || Remote LAN

The problem is when my MAN router learn routes from area 12, the default
route, learnt from area 3, disapears (same problem if area 3 is loaded
after area 12).
I have tryied combinaison of stub/non stub areas, but in each case the
problem is present.

here is my configuration for the man router:
router-id A.B.C.D
auth-md 1 "pwd1"
auth-md 3 "pwd2"

area 12 {
auth-type crypt
auth-md-keyid 1
interface gre0
interface trunk1
}

area 3 {
auth-type crypt
auth-md-keyid 3
interface trunk0
}

and my configuration from one LAN router:

router-id A.B.C.D
no redistribute default
auth-md 1 "pwd1"
area 12 {
auth-type crypt
auth-md-keyid 1
interface trunk0
interface trunk1 { passive }
interface vlan994 { passive }
}

Has anyone an idea? I'm stuck :s.

Thanks in advance

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr
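The reply at the top of this page and the post above turn on the same point, that a non-backbone area only gets inter-area routes through an ABR that also sits in area 0. As an added example (not code from the thread, nor from OpenBSD's ospfd), here is a small Python checker that reads the area blocks of ospfd.conf-style text and applies that rule, both per router (a router in two non-backbone areas and no area 0 cannot be an ABR) and across a set of routers (each non-backbone area needs at least one router that is also in area 0). The two configuration texts are constructed copies of the fragments posted above, with the poster's own "A.B.C.D" placeholders; only `area { interface }` blocks are parsed, and area ids may be written as a plain number or as a dotted quad.

```python
import re

# Constructed copies of the two ospfd.conf fragments posted in the thread
# (the MAN router and one LAN router); "A.B.C.D" is the poster's placeholder.
MAN_ROUTER_CONF = """\
router-id A.B.C.D
auth-md 1 "pwd1"
auth-md 3 "pwd2"

area 12 {
    auth-type crypt
    auth-md-keyid 1
    interface gre0
    interface trunk1
}

area 3 {
    auth-type crypt
    auth-md-keyid 3
    interface trunk0
}
"""

LAN_ROUTER_CONF = """\
router-id A.B.C.D
no redistribute default
auth-md 1 "pwd1"
area 12 {
    auth-type crypt
    auth-md-keyid 1
    interface trunk0
    interface trunk1 { passive }
    interface vlan994 { passive }
}
"""


def area_number(area_id):
    """Map an area id to an integer so "0", "0.0.0.0" and "12"/"0.0.0.12" compare."""
    parts = area_id.split(".")
    if len(parts) == 4:
        return int.from_bytes(bytes(int(p) for p in parts), "big")
    return int(area_id)


def parse_areas(conf):
    """Return {area_id: [interface, ...]} from ospfd.conf-style text.

    Only 'area X { ... }' blocks and the 'interface' lines inside them are
    read; router-id and auth settings are ignored.
    """
    areas = {}
    current = None
    depth = 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if current is None:
            m = re.match(r"area\s+(\S+)\s*\{", line)
            if m:
                current, depth = m.group(1), 1
                areas[current] = []
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            areas[current].append(m.group(1))
        depth += line.count("{") - line.count("}")  # nested { passive } etc.
        if depth == 0:
            current = None
    return areas


def router_warnings(areas):
    """One router: attached to several areas but none of them is the backbone."""
    nums = {area_number(a) for a in areas}
    if len(nums) > 1 and 0 not in nums:
        return [f"router attaches areas {sorted(nums)} but not area 0: it cannot "
                "act as an ABR, so inter-area routes (including a default route "
                "learned in one area) are not exchanged between them"]
    return []


def network_warnings(routers):
    """All routers: every non-backbone area needs a router that is also in area 0."""
    attached = {name: {area_number(a) for a in areas} for name, areas in routers.items()}
    all_areas = set().union(*attached.values()) if attached else set()
    warnings = []
    for area in sorted(all_areas - {0}):
        abrs = [n for n, nums in attached.items() if area in nums and 0 in nums]
        if not abrs:
            warnings.append(f"area {area} has no router that is also in area 0 "
                            "(no ABR): routes from other areas will not reach it")
    return warnings


if __name__ == "__main__":
    configs = {"man": parse_areas(MAN_ROUTER_CONF), "lan1": parse_areas(LAN_ROUTER_CONF)}
    for name, areas in configs.items():
        print(name, areas)
        for w in router_warnings(areas):
            print("  ", w)
    for w in network_warnings(configs):
        print(w)
```

Run against the two posted fragments, the MAN router is flagged for sitting in areas 3 and 12 without area 0, and both areas are flagged as having no ABR, which is the situation the thread's reply points at.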



OSPF and default route problem

2013-03-22 Thread Loïc BLOT
Hello misc,
I am installing a WAN router under OpenBSD but I have a strange problem
with OSPF and OpenBSD.
I use two OSPF areas. One area is stub and the other isn't (and I have
tried to make it stub too).

We can say area 1 is the stub area and area 5 is the LAN area.
When the router learns routes from area 1 it learns the link route and
the default route, that's good BUT when it learns routes from area 5 (or
if area 5 is loaded before area 1) the default route disappears from the routing
table (and also FIB & RIB).
I have tried stub and stub redistribute default for area 1.

Here is a little draft

WAN -- (BGP) MAN Router (OSPF 1) -- (OSPF 1) My border Router (OSPF 5)
-- LAN

Has anyone any ideas?
--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr




Re: AES/3DES problem with isakmpd and IPSec

2013-03-04 Thread Loïc Blot
Hi Stuart,
you are right, and I was tired :p, I hadn't seen the source was wrong
in tcpdump.
In fact, the negotiation used the WAN src IP instead of the LAN src IP. I forced
the src with local A.B.C.D and then it works!
Thanks for your advice, I need to clean my eyes ^^
Have a nice day
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr


Le vendredi 01 mars 2013 à 19:34 +, Stuart Henderson a écrit :
> On 2013/03/01 20:16, Loïc BLOT wrote:
> > Thanks for the reply Stuart, but:
> > - It's a test network, with an offline switch
> > - only the two routers are on the switch, with the right VLAN connected
> > by one LACP trunk (for each device)
> > - isakmp negotiation is from the expected hosts
> > - the certificates are the default certificates, generated by OpenBSD
> > 
> > What's wrong? I think it's another problem, but the configuration is
> > trivial. Two months ago I tested it under two KVM hosts and I
> > didn't have this problem. Now with servers I have this problem, and many
> > guys have this problem but nobody has an answer.
> > 
> > Does someone know how I can switch to AES instead of 3DES?
> > Thanks in advance
> 
> Your ipsec.conf lines are already set up for AES; to see the isakmpd
> config sections used, try this:
> 
> echo 'ike esp transport from 10.0.0.1 to 10.0.0.2' | ipsecctl -nvf -
> 
> The fact that the log shows it expecting 3DES means that the connection
> attempt isn't matching any of the configuration sections which ipsecctl
> added to isakmpd, so isakmpd falls back to its built-in default
> (3DES-SHA-RSA_SIG) and fails because the other side *is* using AES.
> 
> Mismatching IP addresses is usually the most common reason on
> multihomed hosts but there are other possibilities. Sometimes it
> helps to tcpdump -vvs1500 -nienc0, sometimes it helps to use
> "isakmpd -L" to generate a decrypted /var/run/isakmpd.pcap file
> and examine that with tcpdump -r.. but whatever the cause,
> the 3DES thing means it is not using your configuration section.
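As an added example (not code from the thread, from isakmpd or from ipsecctl), here is a Python triage script for the failure mode Stuart describes and the poster then confirmed: it parses the `ike` rules of ipsec.conf text, recognises the `attribute_unacceptable ... expected 3DES_CBC` line in isakmpd's log as the sign that no ipsecctl-loaded section matched and the built-in default (3DES-SHA-RSA_SIG) was used, and warns when a rule on a multihomed host has no `local`, which is what let the negotiation go out from the WAN address. The rule text is the one posted in the thread; the `local 10.0.0.1` fix (the thread wrote it as A.B.C.D), the host address list, the syslog prefix and the unrelated log line are constructed assumptions.

```python
import re

# Built-in isakmpd default named in the thread; it is what gets negotiated
# when no section loaded by ipsecctl matches the incoming proposal.
ISAKMPD_DEFAULT = "3DES-SHA-RSA_SIG"

# Constructed samples: the ipsec.conf rule posted for host A, and the same
# rule pinned with 'local' (the poster's fix; the thread wrote the address as
# A.B.C.D, the LAN address 10.0.0.1 is assumed here).
HOST_A_BEFORE = "ike esp transport from 10.0.0.1 to 10.0.0.2\n"
HOST_A_AFTER = "ike esp transport from 10.0.0.1 to 10.0.0.2 local 10.0.0.1\n"

# Constructed addresses of a multihomed router (LAN side + WAN side).
HOST_A_ADDRS = ["10.0.0.1", "198.51.100.10"]

# Constructed log excerpt: the isakmpd message is the one quoted in the
# thread; the syslog prefix, PID and the unrelated first line are made up.
SAMPLE_LOG = [
    "Mar  1 19:19:59 hosta syslogd: restart",
    "Mar  1 19:20:01 hosta isakmpd[8412]: attribute_unacceptable: "
    "ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC",
]

# ike [active|passive|dynamic] [esp|ah] [tunnel|transport] from X to Y [options]
IKE_RULE = re.compile(
    r"^ike(?:\s+(?:active|passive|dynamic))?(?:\s+(?:esp|ah))?"
    r"(?:\s+(transport|tunnel))?\s+from\s+(\S+)\s+to\s+(\S+)(.*)$")
FALLBACK = re.compile(
    r"attribute_unacceptable:\s+(\w+):\s+got\s+(\w+),\s+expected\s+(\w+)")


def parse_ike_rules(conf):
    """Parse 'ike ... from X to Y [local L] [peer P]' lines of ipsec.conf text."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = IKE_RULE.match(line)
        if not m:
            continue
        tmode, src, dst, rest = m.groups()
        opts = dict(re.findall(r"\b(local|peer)\s+(\S+)", rest))
        rules.append({
            "mode": tmode or "tunnel",      # ipsec.conf(5): tunnel is the default
            "from": src,
            "to": dst,
            "local": opts.get("local"),
            "peer": opts.get("peer"),
        })
    return rules


def find_default_fallbacks(loglines):
    """(attribute, got, expected) for each attribute_unacceptable log line."""
    return [m.groups() for m in map(FALLBACK.search, loglines) if m]


def diagnose(rules, local_addrs, loglines):
    """Explain the log symptom and point at rules that can mis-source IKE."""
    warnings = []
    for attr, got, expected in find_default_fallbacks(loglines):
        warnings.append(
            f"{attr}: got {got}, expected {expected}: the proposal matched no "
            f"section loaded by ipsecctl, so isakmpd fell back to its built-in "
            f"default ({ISAKMPD_DEFAULT}); check which addresses the IKE "
            f"exchange really uses (tcpdump on the peer)")
    multihomed = len(set(local_addrs)) > 1
    for r in rules:
        rule = f"ike from {r['from']} to {r['to']}"
        if r["local"] is None and multihomed:
            warnings.append(
                f"{rule}: no 'local' on a multihomed host, so isakmpd may "
                f"negotiate from an address other than {r['from']} and the "
                f"peer's section for that rule will not match; add 'local'")
        elif r["local"] is not None and r["local"] not in local_addrs:
            warnings.append(
                f"{rule}: 'local {r['local']}' is not an address of this host")
    return warnings


if __name__ == "__main__":
    for label, conf in (("before", HOST_A_BEFORE), ("after", HOST_A_AFTER)):
        print(f"== {label} ==")
        for w in diagnose(parse_ike_rules(conf), HOST_A_ADDRS, SAMPLE_LOG):
            print(" -", w)
```

The log check only explains the symptom; the rule check is what tells the two hosts apart. To see the sections isakmpd actually received for a rule, the `ipsecctl -nvf -` form quoted above does that from the real configuration.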



Re: AES/3DES problem with isakmpd and IPSec

2013-03-01 Thread Loïc BLOT
Thanks for the reply Stuart, but:
- It's a test network, with an offline switch
- only the two routers are on the switch, with the right VLAN connected
by one LACP trunk (for each device)
- isakmp negotiation is from the expected hosts
- the certificates are the default certificates, generated by OpenBSD

What's wrong? I think it's another problem, but the configuration is
trivial. Two months ago I tested it under two KVM hosts and I
didn't have this problem. Now with servers I have this problem, and many
guys have this problem but nobody has an answer.

Does someone know how I can switch to AES instead of 3DES?
Thanks in advance

-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network expert
http://www.unix-experience.fr




Le vendredi 01 mars 2013 à 17:42 +, Stuart Henderson a écrit :

> On 2013-03-01, Loïc Blot  wrote:
> > Hello Misc !
> > I have a strange problem, and Google doesn't help me.
> > I want to make an IPSec+GRE tunnel with OSPF. For now, OSPF over GRE is
> > perfectly working (ipv4+ipv6).
> > I have a problem with IPSec, and I can't find how to resolve it.
> >
> > It's a fresh OpenBSD 5.2 image.
> >
> > The error is the following:
> > attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected
> > 3DES_CBC 
> >
> > My ipsec.conf is very simple for now:
> >
> > on host A
> >
> > ike esp transport from 10.0.0.1 to 10.0.0.2
> >
> > and on host B
> >
> > ike esp transport from 10.0.0.2 to 10.0.0.1
> >
> > Any idea?
> 
> 
> The default settings in isakmpd are for 3DES_CBC so this indicates
> that the packets did not match the configuration added by ipsecctl and
> instead matched the default in isakmpd.
> 
> Are the packets coming from the expected IP addresses? Check with
> tcpdump if in doubt.



AES/3DES problem with isakmpd and IPSec

2013-03-01 Thread Loïc Blot
Hello Misc !
I have a strange problem, and Google doesn't help me.
I want to make an IPSec+GRE tunnel with OSPF. For now, OSPF over GRE is
perfectly working (ipv4+ipv6).
I have a problem with IPSec, and I can't find how to resolve it.

It's a fresh OpenBSD 5.2 image.

The error is the following:
attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected
3DES_CBC 

My ipsec.conf is very simple for now:

on host A

ike esp transport from 10.0.0.1 to 10.0.0.2

and on host B

ike esp transport from 10.0.0.2 to 10.0.0.1

Any idea?

Thanks in advance
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr



Re: dhcp and dns

2013-02-03 Thread Loïc BLOT
I confirm dynamic DNS updates work with OpenBSD named, but you must
replace OpenBSD dhcpd with isc-dhcpd from packages; failover and dynamic
DNS updates work with it
-- 
Best regards,
Loïc BLOT, UNIX systems, security and network expert
http://www.unix-experience.fr



Le dimanche 03 février 2013 à 12:42 +0100, Bruno Flückiger a écrit :

> On 02/03/13 05:56, bofh wrote:
> > I'm running 5.2.  And starting to have more and more things that need
> > IP addresses pop in and out of the house.  Rather than hardcoding
> > everything into dhcpd.conf, I thought I'd check with you guys to see
> > what you use to have new devices register into DNS?  I'm using
> > unbound, but will go back to bind if need be.
> > 
> > Thanks!
> > 
> 
> Dynamic DNS works fine here. I use BIND from the base system together
> with ISC DHCPD 4.2.4 from the packages on OpenBSD 5.2. There are plenty
> of docs about how to set up dynamic DNS using BIND and ISC DHCPD.
> 
> Regards,
> Bruno



Re: OpenSMTPD - thank you!

2013-02-02 Thread Loïc BLOT
Also look at: http://www.openbsd.org/plus.html

-- 
Best regards,
Loïc BLOT, UNIX systems, security and network expert
http://www.unix-experience.fr



Le samedi 02 février 2013 à 18:08 -0500, bofh a écrit :

> On Sat, Feb 2, 2013 at 6:02 PM, bofh  wrote:
> > On Sat, Feb 2, 2013 at 6:00 PM, Gilles Chehade  wrote:
> >> Oh, and if you liked what's in 5.2, you will love what's in -current !
> >
> > Don't be a tease!!  What's in -current?  And I see 5.3-beta is tagged
> > already...  Are you talking about 5.3 or post 5.3...? :)
> 
> I'm reading http://undeadly.org/cgi?action=article&sid=20130130081741
> 
> Oh wow!



Re: CARP compatibility between 5.1 and 5.2

2013-01-15 Thread Loïc BLOT
Hi !
There is no problem as far as I know, and I use it.

Loic Blot

Le 15 janv. 2013 à 12:50, "R0me0 ***"  a écrit :

> Hello misc,
> 
> I've a OpenBSD 5.1 in production and I will put another OpenBSD 5.2 and
> then configure CARP.
> will I have some compatibility issue ?
> 
> Thanks in advance



Re: dhcrelay Can't find free bpf: No such file or directory

2013-01-08 Thread Loïc BLOT
If I'm not mistaken, it's the Berkeley Packet Filter.
I have to do the same for dhcpd when I use many vlan interfaces and
PF :)
-- 
Cordialement,
Loïc BLOT, UNIX systems, security and network expert
http://www.unix-experience.fr 

Le mardi 08 janvier 2013 à 20:39 +0100, Ulrich Drolshagen a écrit :

> Am 08.01.2013 19:48, schrieb Janne Johansson:
> > cd /dev
> > for i in $(jot 20 10); do ./MAKEDEV bpf${i} ; done
> > to make 20 more bpfs. Each tcpdump and dhcrelay will want one of their
> > own so you may need more dev-entries.
> Thank you, this did the trick. I really didn't know what "bpf" are and 
> didn't think of devices.
> >
> >
> > 2013/1/8 Ulrich Drolshagen :
> >> Hi,
> >>
> >> I am running an openbsd router attached to several vlans. On one of them
> >> there is running a box with an isc-dhcp server.
> >> For one of the vlans I have started a dhcrelay  to forward the dhcp
> >> broadcasts of the respective subnet to the server
> >>
> >> dhcrelay -i vlan5 172.16.1.4
> >>
> >> This is working fine for some time now. If I try to start it a second time,
> >> I get this:
> >>
> >> root:42# dhcrelay -d -i vlan6  172.16.1.4
> >> Can't find free bpf: No such file or directory
> >> Jan  8 18:33:05 router dhcrelay: Can't find free bpf: No such file or
> >> directory
> >> exiting.
> >>
> >> To my understanding dhcrelay should support whatever vlan requires
> >> forwarding the broadcasts. For me it does not make sense to only support
> >> just one subnet. Or am I missing something here?
> >>
> >> Thank you for looking into this
> >>
> >> Ulrich
> >>
> >> --
> >> http://www.ulrich-drolshagen.de


