Re: OpenSMTP lmtp without unix users
On Sat Apr 27, 2024 at 5:31 PM CEST, Nicolas Goy wrote:
>
> How can I make it work with a single vmail unix user? Without losing the
> catchall?

Ok, I finally figured it out with the answer I got.

I tried to use the rcpt-to flag in deliver in the smtpd.conf, but I always
ended with non-existing users.

The thing is, in vusers, there must be aliases to emails AND at the end, an
alias to the virtual user, like:

    a...@example.com   a...@example.com
    @                  m...@example.com
    m...@example.com   vmail
    a...@example.com   vmail

Then, rcpt-to must be added in the smtpd.conf, like so

    action deliver lmtp "/var/dovecot/lmtp" rcpt-to virtual <vusers>

Then dovecot will get emails with the full email address as username, but
that can easily be mapped to the correct folder with

    mail_home=/srv/mail/%Ln # (%Ln instead of %Lu)

Of course, the vusers table above will need to have different local parts
for all users, but that's ok in my case.

-- 
Nicolas Goy
Developer and electronic engineer
Goyman SA
https://kuon.ch
https://goyman.com
OpenSMTP lmtp without unix users
Hello,

I have my OpenSMTP server configured as follows:

    pki mx-pki cert "xxx"
    pki mx-pki key "xxx"

    filter "rdns" phase connect match !rdns disconnect "550 DNS error"
    filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
    filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"
    filter "rspamd-dkim" proc-exec "/usr/local/libexec/smtpd/filter-rspamd -settings-id dkim"

    srs key "xxx"

    table creds file:/etc/mail/creds
    table vdoms file:/etc/mail/vdoms
    table vusers file:/etc/mail/vusers
    table aliases file:/etc/mail/aliases

    # Inbound from external
    listen on re0 tls pki mx-pki filter { "rdns", "fcrdns", "rspamd" }
    # Run rspamd on outgoing for DKIM
    listen on re0 port 587 tls pki mx-pki auth-optional <creds> filter "rspamd-dkim"

    action expand expand-only alias <aliases>
    action deliver lmtp "/var/dovecot/lmtp" virtual <vusers>
    action send relay helo srs

    match from local for local action expand
    match from local !for domain <vdoms> action send
    match from any for domain <vdoms> action deliver
    match from auth for any action send
    match from src 10.0.0.0/8 for any action send

Now, in vdoms, I have a list of domains that I accept email for:

    a.com
    b.com
    ...

And in vusers, I have something like this:

    exter...@a.com   someth...@gmail.com
    foo...@a.com     foobar
    @                kuon

Now this works, emails received for exter...@a.com are relayed back to
someth...@gmail.com and foo...@a.com is delivered to the foobar user and
the rest to my user kuon.

The problem is that this requires the local users kuon and foobar.

How can I make it work with a single vmail unix user? Without losing the
catchall?

Thanks

-- 
Nicolas Goy
Developer and electronic engineer
Goyman SA
https://kuon.ch
https://goyman.com
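A checker for the shape of vusers table this thread arrives at (the question above and the follow-up at the top of the page): every alias chain must end in the single vmail unix user, and because Dovecot's mail_home uses %Ln, which drops the domain, no two mailboxes may share a local part. This is an added Python example, not code from the thread; the table contents, the LOCAL_DOMAINS set and the VMAIL_USER name are constructed for illustration.

```python
"""Sanity-check an OpenSMTPD virtual-users table for the single-vmail-user
LMTP setup discussed in the thread.  Added example, not from the thread.

Checked properties:
  1. every alias chain ends in the configured unix user (vmail), so no
     delivery needs a real system account such as kuon or foobar;
  2. local parts of the final mailbox addresses are unique, because
     mail_home=/srv/mail/%Ln keeps only the local part and two mailboxes
     with the same local part in different domains would share a home.
"""
from collections import defaultdict

VMAIL_USER = "vmail"               # the single delivery account (constructed)
LOCAL_DOMAINS = {"example.com"}    # stands in for the vdoms table (constructed)

# Constructed sample in the thread's format: "<key> <target>" per line,
# "@" being the domain catch-all and the unix user closing each chain.
VUSERS = """\
alice@example.com   alice@example.com
@                   mail@example.com
mail@example.com    vmail
alice@example.com   vmail
"""


def parse_vusers(text):
    """Return {key: [targets]}; a key may appear on several lines."""
    table = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed vusers line: %r" % line)
        table[parts[0]].append(parts[1].strip())
    return table


def is_address(value):
    return "@" in value and value != "@"


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def resolve(table, key, local_domains, path=()):
    """Follow the alias chain from key; return a set of (kind, name) endpoints."""
    if key in path:
        return {("loop", key)}
    if key not in table:
        return {("unknown", key)}
    ends = set()
    for target in table[key]:
        if target == key:                       # self mapping, as in the thread
            continue
        if not is_address(target):
            ends.add(("user", target))          # unix account: delivery endpoint
        elif domain_of(target) not in local_domains:
            ends.add(("relay", target))         # forwarded off-site, acceptable
        else:
            ends |= resolve(table, target, local_domains, path + (key,))
    return ends


def check_vusers(text, local_domains=LOCAL_DOMAINS, unix_user=VMAIL_USER):
    """Return a list of problems; an empty list means the table is consistent."""
    table = parse_vusers(text)
    problems = []
    homes = defaultdict(list)                   # %Ln value -> mailboxes using it
    if "@" not in table:
        problems.append("no catch-all (@) entry")
    for key in table:
        for kind, name in sorted(resolve(table, key, local_domains)):
            if kind == "user" and name != unix_user:
                problems.append("%s delivers to unix user %s, not %s"
                                % (key, name, unix_user))
            elif kind in ("unknown", "loop"):
                problems.append("%s: %s alias %s" % (key, kind, name))
        if is_address(key) and unix_user in table[key]:
            homes[key.split("@", 1)[0].lower()].append(key)
    for local, boxes in sorted(homes.items()):
        if len(boxes) > 1:
            problems.append("%%Ln collision on %r: %s"
                            % (local, ", ".join(sorted(boxes))))
    return problems


if __name__ == "__main__":
    print(check_vusers(VUSERS) or "vusers table is consistent")
```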
Re: snmpd dies
On 07.01.24 09:37, Martijn van Duren wrote:
> On Sat, 2024-01-06 at 16:12 +0100, Nicolas Goy wrote:
>
> Unfortunately this isn't enough to give me a hint where the issue might
> be... Let's keep an eye out and hope that we can gather some more context
> next time, or that I can find something during normal development.

Yeah, I took a glimpse at the logs and I thought it wouldn't help that much,
but I still sent them because maybe it might help later. I kept the agent in
verbose mode and I will send the logs again if it crashes again.

Thanks for your time.

Have a great day

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
snmpd dies
Hello,

I am on OpenBSD 7.4 amd64 and today snmpd died with the following error message:

    snmpd[44109]: AgentX(1207475061): Protocol error
    <27>snmpd_metrics[52600]: [fd:0 sess:3150713266 ctx:]: unsupported call: agentx-Close-PDU
    snmpd[44109]: AgentX(1207475061/3150713266): Closed by snmpd (shutting down)
    <26>snmpd[44109]: snmpe: AgentX(1207475061): disappeared unexpected

My snmpd.conf

    listen on :::1 snmpv2c
    listen on xxx.xxx.xxx.1 snmpv2c
    filter-pf-addresses yes
    filter-routes yes
    read-only community public

Any idea if there is something wrong or if it is just an snmpd bug?

Regards

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Smtpd is not adding message-id
On 09.10.23 22:56, Todd C. Miller wrote:
> I just committed the fix but I don't think there is a workaround. You
> will need to patch and recompile smtpd.

Thank you very much.

Have a great day

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Smtpd is not adding message-id
Hello,

I am hitting this issue with some go based process that sends emails:

https://github.com/OpenSMTPD/OpenSMTPD/issues/1068

Basically the client is not putting any Message-Id header and smtpd is not
adding it when sending the email.

Do you have an idea how to work around it? Or do I need to patch and
recompile smtpd?

Regards

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: IPv4 to IPv6 mapping
On Wed, 2023-04-12 at 21:42 +, Stuart Henderson wrote:
> On 2023-04-12, Gabor LENCSE wrote:
> >
>
> That's for the opposite translation (v6 connection to "fake" addresses
> mapped to v4).
>
> Nicolas wants the other direction. af-to can do that as well, to a fixed
> address, but doesn't currently have a way to extract the v4 address and
> embed it in a fake v6 address.
>

Yeah, I don't see a problem technically, but af-to does not support it.
I'll see if I can find a solution with some kind of proxy outside pf.

-- 
Nicolas Goy
Developer & Engineer
https://kuon.ch
https://goyman.com
Re: IPv4 to IPv6 mapping
On Fri, 2023-04-07 at 10:30 +, Stuart Henderson wrote:
> On 2023-04-04, Nicolas Goy wrote:
> >
>
> Looking at pf.conf(5) for syntax I just tried something fairly obvious:
>
> pass in quick log proto tcp from any to $v4_address port 8383 af-to
> inet6 from $dummy_v6_address to $listening_v6_address
>

Yeah, but as you said, you lose the source address. I was trying to get the
effect that the source address would be changed in a predictable way. For
example, instead of dummy_v6_address, you give a /96 subnet, and the source
ipv4 would be put in the last 32 bits. But af-to seems to be only able to
do that with the destination.

-- 
Nicolas Goy
Developer & Engineer
https://kuon.ch
https://goyman.com
Re: IPv4 to IPv6 mapping
On Sun, 2023-04-02 at 15:49 +, Stuart Henderson wrote:
> On 2023-04-02, Jared Harper wrote:
> > On Sun, Apr 2, 2023, at 6:56 AM, Nicolas Goy wrote:
> > > Hello,
> > >
> > > Is it possible, with pf, to expose an ipv6 server on an ipv4
> > > port?
> > >
> > > Something like this:
> > >
> > > -req on 1.2.3.4:80->pf->[1:2:3:4::1]:80
> > >
> > > I know this doesn't work:
> > >
> > > pass in on any proto {tcp, udp} to $wan_ip port {80, 443} rdr-to
> > > $some_ipv6
> > >
> > > I know af-to can map between families, but I don't know if I can
> > > couple
> > > it with rdr-to in some way.
> >
> > This seems like a job for relayd.
>
> Or af-to.
>

How would you use af-to this configuration?

-- 
Nicolas Goy
Developer & Engineer
https://kuon.ch
https://goyman.com
IPv4 to IPv6 mapping
Hello,

Is it possible, with pf, to expose an ipv6 server on an ipv4 port?

Something like this:

    -req on 1.2.3.4:80->pf->[1:2:3:4::1]:80

I know this doesn't work:

    pass in on any proto {tcp, udp} to $wan_ip port {80, 443} rdr-to $some_ipv6

I know af-to can map between families, but I don't know if I can couple it
with rdr-to in some way.

Thanks

-- 
Nicolas Goy
Developer & Engineer
https://kuon.ch
https://goyman.com
Re: Selecting a 10G NIC
On 17.02.23 19:28, Hrvoje Popovski wrote:
> long time ago i've stopped worrying about performance and start learning
> about features that pf and openbsd gave me

This is also my general mood, pf and openbsd provide an ecosystem we can
rely on, keeping this is very valuable to us.

I'll go with the fastest ryzen and an intel NIC.

Thanks

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Selecting a 10G NIC
I know this question has been answered multiple times, but I wonder if
things changed with 7.2.

Which NIC would provide the best performance with a 10G physical layer
with OpenBSD?

I have a choice between intel e810, x710, x550, x520, broadcom
BCM957414A4142CC or maybe even something else.

It will be forwarding through pf.

Thanks

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
On 2022 Sat 06 Aug - 09:51, Zack Newman wrote:
> Correction. Apparently even though it is not explicitly stated,
> Section 2.4 merely allocates fe80::/10 for link-local addresses while
> Section 2.5.6 defines what range, fe80::/64, from that allocation is
> currently valid, so it is not a contradiction; just poorly worded.
>
> Source:
> https://community.cisco.com/t5/ipv6/ipv6-link-local-address-space/td-p/3411919
>

As a follow up, I was able to get my ISP to change the link local address
of their cisco and now everything works.

I realize I've been a bit vague in this thread as I was debugging the
issue. And I am very grateful that regardless you were able to guide me to
the solution.

Best regards

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
On 2022 Fri 29 Jul - 14:08, Stuart Henderson wrote:
> On 2022-07-28, Nicolas Goy wrote:
> >
> > Ok, I think I found the issue.
> >
> > The cisco is using the address fe80:b2b:11fe:161::2 but for some
> > reason, openbsd doesn't link this.
> >
> > I cannot ping fe80:b2b:11fe:161::2%vport0
> >
> > The system is adding fe80::%vport0/64 to the routing table.
> >
> > I am not sure, but I think that's the cause.
> >
> > I tried to add it to the routing table but it says "file exists".
>
> I suggest you send output from the commands which show the current
> actual state of the system, i.e. netstat -rnfinet6, ifconfig -A, etc.
> And instead of e.g. "I cannot ping X", show the actual command you
> typed and what happened.
>
> For anyone who might have an idea what's up, it's a lot easier to read
> these than it is to interpret information from english descriptions,
> and might give some clues from things which you didn't describe.
> Also it's much easier to compare this with how things look on a working
> system.
>
> I don't think there's a dmesg in the information scattered in the
> thread either, sometimes that is useful, which is why it's always
> requested.
>

Well, yes, maybe I missed some info. But hopefully someone figured it out,
my ISP is using a link local address that does not follow RFC 4291 which
states that there must be 54 zeros before the interface id.

https://www.rfc-editor.org/rfc/rfc4291.html#section-2.5.6

I asked my ISP to change the link local address, but no answer yet, they
are "working on it".

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
On 2022 Thu 28 Jul - 12:20, Kevin Wallace wrote:
> On 2022-07-28 11:32 AM, Nicolas Goy wrote:
> > I found something weird that might be a bug.
> >
> > ping6 fe80:b2b:11fe:161::2%vport0
>
> The KAME IPv6 code uses the second word of link-local addresses for
> internal bookkeeping, and clears it before sending the packet over the
> wire. Addresses within fe80::/10 but outside of fe80::/32 will cause
> weirdness like this. See
> https://github.com/kame/kame/blob/master/IMPLEMENTATION, section 1.3.1

Is there a workaround? It seems those link local addresses are common with
cisco routers.

Thanks

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
I found something weird that might be a bug.

If I do

    doas ifconfig vport0 inet6 fe80::2/10

Then

    ping6 fe80:b2b:11fe:161::2%vport0

On the tcpdump output, I see a different address

    20:31:15.816576 fe80::fce1:baff:fed1:b34 > ff02::1:ff00:2: icmp6: neighbor sol: who has fe80:0:11fe:161::2

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
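The two facts this thread turns on, the fe80::/64 format required by RFC 4291 section 2.5.6 and the KAME stack clearing the second 16-bit word of a link-local address before transmission (the mangling visible in the tcpdump line above), as an added Python example that is not from the thread; it only models the behaviour Kevin Wallace describes, using the ISP router address quoted in the thread as input.

```python
"""Why a link-local address outside fe80::/64 breaks NDP on a KAME-derived
stack such as OpenBSD's.  Added example, not from the thread.

Modelled facts (both stated in the thread):
  - RFC 4291 2.5.6: link-local addresses are fe80::/64, i.e. the 54 bits
    between the 10-bit prefix and the 64-bit interface id must be zero;
  - KAME keeps the interface index in the second 16-bit word of link-local
    addresses and clears that word before the packet is sent, which is how
    fe80:b2b:11fe:161::2 leaves the box as fe80:0:11fe:161::2.
"""
import ipaddress

LINK_LOCAL_ALLOC = ipaddress.IPv6Network("fe80::/10")   # RFC 4291 2.4
LINK_LOCAL_VALID = ipaddress.IPv6Network("fe80::/64")   # RFC 4291 2.5.6

ISP_ROUTER = "fe80:b2b:11fe:161::2"     # address quoted in the thread
OWN_ADDRESS = "fe80::2"                  # the author's test address


def reserved_bits(addr):
    """Return the 54-bit field between the fe80 prefix and the interface id;
    RFC 4291 2.5.6 requires it to be zero."""
    top64 = int(ipaddress.IPv6Address(addr)) >> 64
    return top64 & ((1 << 54) - 1)


def classify_link_local(addr):
    """'valid', 'reserved-bits-set', or 'not-link-local'."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in LINK_LOCAL_ALLOC:
        return "not-link-local"
    return "valid" if ip in LINK_LOCAL_VALID else "reserved-bits-set"


def kame_on_wire(addr, ifindex=0):
    """Model KAME's scope embedding: the second 16-bit word (bits 16..31 of
    the address) carries the interface index in-kernel; on transmit it is
    cleared, i.e. the same operation with ifindex=0."""
    value = int(ipaddress.IPv6Address(addr))
    mask = ((1 << 128) - 1) ^ (0xFFFF << 96)    # clear the second hextet
    value = (value & mask) | ((ifindex & 0xFFFF) << 96)
    return str(ipaddress.IPv6Address(value))


def ndp_reachable(neighbour):
    """True if the address the kernel puts on the wire equals the neighbour's
    real address, so a neighbour solicitation can actually target it."""
    return kame_on_wire(neighbour) == str(ipaddress.IPv6Address(neighbour))


def report(addr):
    """One-line diagnosis for an address seen on the link."""
    state = classify_link_local(addr)
    if state != "reserved-bits-set":
        return "%s: %s" % (addr, state)
    return ("%s: reserved bits 0x%x are non-zero; on the wire it becomes %s, "
            "so neighbour solicitation targets the wrong address"
            % (addr, reserved_bits(addr), kame_on_wire(addr)))


if __name__ == "__main__":
    for a in (ISP_ROUTER, OWN_ADDRESS, "2001:db8::1"):
        print(report(a))
```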
Re: Configuration of static ipv6 router
Ok, I think I found the issue.

The cisco is using the address fe80:b2b:11fe:161::2 but for some reason,
openbsd doesn't link this.

I cannot ping fe80:b2b:11fe:161::2%vport0

The system is adding fe80::%vport0/64 to the routing table.

I am not sure, but I think that's the cause.

I tried to add it to the routing table but it says "file exists".

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
I added this as my first line in pf.conf

    pass quick log on vport0 proto icmp6

When I do

    tcpdump -i vport0

I do see the packets

    19:21:09.846069 fe80:b2b:11fe:161::2 > ff02::1:ff01:1: icmp6: neighbor sol: who has [class 0xe0]

But there is nothing on

    tcpdump -i pflog0

It seems those packets disappear somewhere. I tried on a regular interface
(without veb) but same behaviour.

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
As additional info, here are my sysctl

    net.inet6.ip6.forwarding=1
    net.inet6.ip6.redirect=1
    net.inet6.ip6.hlim=64
    net.inet6.ip6.mrtproto=0
    net.inet6.ip6.maxfragpackets=200
    net.inet6.ip6.log_interval=5
    net.inet6.ip6.hdrnestlimit=10
    net.inet6.ip6.dad_count=1
    net.inet6.ip6.auto_flowlabel=1
    net.inet6.ip6.defmcasthlim=1
    net.inet6.ip6.use_deprecated=1
    net.inet6.ip6.maxfrags=200
    net.inet6.ip6.mforwarding=0
    net.inet6.ip6.multipath=0
    net.inet6.ip6.multicast_mtudisc=0
    net.inet6.ip6.neighborgcthresh=2048
    net.inet6.ip6.maxdynroutes=4096
    net.inet6.ip6.dad_pending=0
    net.inet6.ip6.mtudisctimeout=600
    net.inet6.icmp6.redirtimeout=600
    net.inet6.icmp6.nd6_delay=5
    net.inet6.icmp6.nd6_umaxtries=3
    net.inet6.icmp6.nd6_mmaxtries=3
    net.inet6.icmp6.errppslimit=100
    net.inet6.icmp6.nd6_maxnudhint=0
    net.inet6.icmp6.mtudisc_hiwat=1280
    net.inet6.icmp6.mtudisc_lowat=256
    net.inet6.icmp6.nd6_debug=0
    net.inet6.divert.recvspace=65636
    net.inet6.divert.sendspace=65636

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
Ok, actually the ISP router is also trying the multicast after failing the
unicast:

Here are two packets, the first one works, the router responds (openbsd
box), but the second one is ignored.

first one (works, is responded to):

    Frame 12012: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface vport0, id 0
    Ethernet II, Src: ASUSTekC_42:5c:dc (7c:10:c9:42:5c:dc), Dst: IPv6mcast_ff:01:00:01 (33:33:ff:01:00:01)
    Internet Protocol Version 6, Src: fe80::7e10:c9ff:fe42:5cdc, Dst: ff02::1:ff01:1
        0110 = Version: 6
        = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        1110 0100 0001 0010 = Flow Label: 0xe41f2
        Payload Length: 32
        Next Header: ICMPv6 (58)
        Hop Limit: 255
        Source Address: fe80::7e10:c9ff:fe42:5cdc
        Destination Address: ff02::1:ff01:1
        Source SLAAC MAC: ASUSTekC_42:5c:dc (7c:10:c9:42:5c:dc)
    Internet Control Message Protocol v6
        Type: Neighbor Solicitation (135)
        Code: 0
        Checksum: 0xd6ae [correct]
        Checksum Status: Good
        Reserved:
        Target Address: 2a02:aa08::::1:1 # redacted
        ICMPv6 Option (Source link-layer address : 7c:10:c9:42:5c:dc)
            Type: Source link-layer address (1)
            Length: 1 (8 bytes)
            Link-layer address: ASUSTekC_42:5c:dc (7c:10:c9:42:5c:dc)

second one (doesn't work, is ignored):

    Frame 10611: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface vport0, id 0
    Ethernet II, Src: Cisco_4e:41:74 (00:df:1d:4e:41:74), Dst: IPv6mcast_ff:01:00:01 (33:33:ff:01:00:01)
    Internet Protocol Version 6, Src: fe80:b2b:11fe:161::2, Dst: ff02::1:ff01:1
        0110 = Version: 6
        1110 = Traffic Class: 0xe0 (DSCP: CS7, ECN: Not-ECT)
        = Flow Label: 0x0
        Payload Length: 32
        Next Header: ICMPv6 (58)
        Hop Limit: 255
        Source Address: fe80:b2b:11fe:161::2
        Destination Address: ff02::1:ff01:1
    Internet Control Message Protocol v6
        Type: Neighbor Solicitation (135)
        Code: 0
        Checksum: 0x9de0 [correct]
        Checksum Status: Good
        Reserved:
        Target Address: 2a02:aa08::::1:1 # redacted
        ICMPv6 Option (Source link-layer address : 00:df:1d:4e:41:74)
            Type: Source link-layer address (1)
            Length: 1 (8 bytes)
            Link-layer address: Cisco_4e:41:74 (00:df:1d:4e:41:74)

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
On 2022 Thu 28 Jul - 16:14, Nicolas Goy wrote:
> On 2022 Thu 28 Jul - 15:52, Nicolas Goy wrote:
> > On 2022 Thu 28 Jul - 13:18, Nicolas Goy wrote:
> > >
> > > - I can ping internet from my router, but it cuts every 10 seconds or
> > > so. If I inspect the traffic, I see that the ISP router is sending
> > > neighbor discovery with my router address, and that my router does not
> > > respond.
> > >
> >
> > This seems to be the main issue, (I'll figure out the second one after
> > that, using nd proxy or other method), I watched the network for some time
> > now, and the openbsd router is never responding to neighbor solicitation
> > on the wan interface.
> >
> > When I use tcpdump, I see that on the wan interface, neighbor
> > solicitation has an added [class 0xe0] at the end of the line which is
> > not present on working solicitations.
> >
>

After more analysis, I realized that the dst of the ISP/Cisco neighbor
solicitation is the actual IP, while usually it's ff02::1:ff01:1; it seems
to do unicast solicitation.

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
On 2022 Thu 28 Jul - 15:52, Nicolas Goy wrote:
> On 2022 Thu 28 Jul - 13:18, Nicolas Goy wrote:
> >
> > - I can ping internet from my router, but it cuts every 10 seconds or
> > so. If I inspect the traffic, I see that the ISP router is sending
> > neighbor discovery with my router address, and that my router does not
> > respond.
> >
>
> This seems to be the main issue, (I'll figure out the second one after
> that, using nd proxy or other method), I watched the network for some time
> now, and the openbsd router is never responding to neighbor solicitation
> on the wan interface.
>
> When I use tcpdump, I see that on the wan interface, neighbor
> solicitation has an added [class 0xe0] at the end of the line which is
> not present on working solicitations.
>

I forgot to mention that the WAN port is a vport with veb, I don't know if
that can affect the ndp protocol.

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Re: Configuration of static ipv6 router
On 2022 Thu 28 Jul - 13:18, Nicolas Goy wrote:
>
> - I can ping internet from my router, but it cuts every 10 seconds or
> so. If I inspect the traffic, I see that the ISP router is sending
> neighbor discovery with my router address, and that my router does not
> respond.
>

This seems to be the main issue, (I'll figure out the second one after
that, using nd proxy or other method), I watched the network for some time
now, and the openbsd router is never responding to neighbor solicitation
on the wan interface.

When I use tcpdump, I see that on the wan interface, neighbor solicitation
has an added [class 0xe0] at the end of the line which is not present on
working solicitations.

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
Configuration of static ipv6 router
Hello,

My ISP gave me a /56 and told me it was statically routed (no DHCPv6-PD).

Let's say this prefix 2a02:aa08::YY00::/56 is now x00::/56

What I want to do, is to split this prefix into /64 and use the /64 for my
vlans.

So what I did is on my interfaces I have the following ips:

    wan    x00::1:1/64
    vlan1  x01::1:1/64
    vlan2  x02::1:1/64
    ...

The ISP router is at x00::1 so I did

    route add -inet6 default x00::1

In pf.conf I have a pass all for icmpv6

From this point I have two issues:

- I can ping internet from my router, but it cuts every 10 seconds or so.
  If I inspect the traffic, I see that the ISP router is sending neighbor
  discovery with my router address, and that my router does not respond.

  So on my wan interface I see tons of neighbor advertisement from the ISP
  router at x00::1 with flags router/solicited/override set, I also see
  neighbor solicitation from the ISP router to my router. There is also
  neighbor solicitation from my router to the ISP router, but what I don't
  see is the neighbor advertisement from my router TO the ISP router.

  So I guess the ISP router is removing the NDP entry of my router after
  some time, and puts it back when it sees the neighbor solicitation again.

  How can I make so that my openbsd router will respond to the neighbor
  solicitation from the ISP router?

- The second issue is how do I tell the ISP (cisco) router that I am the
  router for the /64 in the /56?

  If I ping from an inside host, the packet gets routed into the WAN
  interface, and I see that the ISP router is doing neighbor solicitation
  for the source address, like this:

      ping from x01::10:1 to external ip E
      packet reaches x01::1:1, is routed by the openbsd router, and is visible on wan
      ISP router sees the packet on the WAN interface and sends a neighbor
      solicitation for x01::1:1 which is not answered because x01::1:1 is on
      another subnet behind the openbsd router.

Any idea for those two issues?

-- 
Nicolas Goy
Engineer & Developer
https://www.kuon.ch
https://www.goyman.com
pf nat64 interface reference
In my pf.conf, I have a line like this:

    wan = "re2"
    pass in quick on $priv inet6 from any to 64:ff9b::/96 af-to inet from $wan

It used to work, but now it doesn't, I suspect that's because the order of
the ip addresses has changed when I type "ifconfig". Now I have some ipv6
addresses before the ipv4 one.

I have this error:

    /etc/pf.conf:74: translation spec contains addresses that don't match target address family

If instead of $wan, I put the ip, it works.

My $wan interface has only 1 ipv4 address, is there a way to reference it?

-- 
Nicolas Goy
https://www.kuon.ch
https://www.goyman.com
OpenBSD benchmarks
Hello,

I'd like to make some 10gbit/s benchmarks for an OpenBSD based router.

I was wondering if there was some "standard" pf ruleset I could use to have
a meaningful metric.

Also, I'm curious if anybody is aware of such existing benchmarks.

Regards

-- 
Nicolas Goy
https://www.kuon.ch
https://www.goyman.com
Re: Hardware for OpenBSD based access point
On Mon, Mar 14, 2022 at 02:31:13PM -, Stuart Henderson wrote:
>
> Roaming decisions are client-side though there are some things an AP can
> do to influence them.

At present, with non communicating AP, the android clients are holding to
their AP for way too long.

For example if I enable wifi in the garden, it pairs with the garden AP to
get a strong signal, but as I move in the house to the basement, it holds
to the garden AP with like 1% signal even if the basement AP is literally
next to it, and I have to disable-enable wifi on the phone to force it to
change, otherwise it doesn't.

I heard that controller based AP "fleet" can mitigate that by kicking
devices that are on the "wrong" AP. But I am not sure how it works in
practice as I only read about it and it is not any standard.

-- 
Nicolas Goy
https://www.kuon.ch
https://www.goyman.com
Re: Hardware for OpenBSD based access point
On Mon, Mar 14, 2022 at 01:32:35PM -, Stuart Henderson wrote:
> There's no chance of meeting all of these requirements with OpenBSD.
>
> For AP-side 11ac there are some bwfm(4) devices which _might_ do but they
> are not common. Really at this point the emphasis for wifi on OpenBSD
> is for client-side not AP-side. There are some options but they are limited,
> and bwfm is the only one with 11ac.
>
> Ignoring trying to run it on OpenBSD, for setups with more than a couple
> of APs I would probably get either TP-Link Omada or Ubiquiti Unifi with
> an on-site controller. Omada is a Unifi clone and so far they haven't
> made quite such annoying/questionable decisions as Ubiquiti have been
> doing recently.
>
> They both use java 8+mongodb for the controllers. Unifi runs on
> amd64 OpenBSD (you need to install it from ports as we can't distribute
> packages - you can't run distributions direct from upstream as some
> binary part in one of the .jar files isn't built for OpenBSD).
> I haven't tried running omada on OpenBSD recently; last time I tried
> it didn't work but that may have changed. There are fairly cheap small
> "hardware" controllers which might not be a bad idea.
>

Thanks. I had many issues with devices not being able to roam properly, so I
guess having a managed setup would help, as it would allow me to not have to
turn off/on wifi on my devices when moving around the house.

I should have a Raspberry pi to spare, I can put the controller on it and
jail that.

Thanks for all your feedback.

Regards

-- 
Nicolas Goy
https://www.kuon.ch
https://www.goyman.com
Re: Hardware for OpenBSD based access point
On Mon, Mar 14, 2022 at 01:45:09PM +1000, Stuart Longland wrote:
> On Mon, 14 Mar 2022 03:43:01 +0100
> Nicolas Goy wrote:
>
> > I looked at the hardware that was supported, but I forgot to check
> > the wifi controller, I took that for granted, my bad.
> >
> > Thanks for the pcengine suggestion, but I have already a dedicated
> > OpenBSD box as router/firewall. I just want to replace my access
> > points.
> >
> > Last time I installed an access point (netgear) for my aunt, I had to
> > create a cloud account to be able to access the config UI, this
> > enraged me quite a bit, that's why I am scared to buy a WAP that I do
> > not control. I live in an old farm with very thick stone walls and I
> > currently have 8 WAP to cover all rooms.
>
> Yeah, that seems to be the latest fashion, "let's require a
> cloud-hosted server to control a device on your network critical for
> security of said network". Given how well consumer routers' firmware
> seems to be written, I don't hold a lot of faith for security when they
> decide to host that rubbish publicly.

Yeah, this is literally a gift to DDoS botnets. I must be seeing an article
about a remote control exploit on consumer routers at least once a month.

>
> If you don't mind having a small Linux machine running Java 8 (yes, I
> know), Ubiquiti UniFI APs aren't bad, but I can well understand the
> desire to avoid such a dependency. The silver lining I guess is the
> Linux machine could be a virtual machine running atop an OpenBSD host
> on-premise and "powered off" unless configuration settings need to be
> made.

Aren't unifi AP notorious for phoning home? Well, I can deny them outside
access.

I actually have a linux server with java for my kids' minecraft world, so I
can use that.

The controller is only required to be running for configuration changes? I
guess that could work.

>
> The other approach would be to look for something that runs OpenWRT,
> either as an after-market OS or out-of-the-box. Yes it's still Linux,
> but the source code is available (like OpenBSD) and the user interfaces
> are all _local_.

I actually have an OpenWRT box (LTE SMS gateway, the LTE modem wasn't
compatible with OpenBSD when I installed it), and yeah, it is very decent.
I guess that would be a viable alternative.

Thanks for the suggestions.

-- 
Nicolas Goy
https://www.kuon.ch
https://www.goyman.com
Re: Hardware for OpenBSD based access point
On 14.03.22 03:28, Atticus wrote:
> AFAIK, OpenBSD doesn't support .11ac or .11ax at all, with only a very
> limited number of cards supporting Host AP mode. The only .11n ones I
> found being athn(4), bwfm(4), and ral(4). The (few) others that support
> Host AP mode only do so in .11g or .11b. In the future, I would take a
> look through section 4 of the manual pages, and search the mailing list
> archives, which could have told you this within a few minutes.
>
> I use (and I believe there are others on here who do as well) an
> external WAP, that handles only the wireless connections, with DHCP,
> routing, firewalling, etc., handled by a separate OpenBSD box, the WAP
> being used only as a bridge.
>
> For the OpenBSD hardware portion, you could try https://pcengines.ch
> APU models, which run from around $130-$180 USD price point, and are
> well supported by OpenBSD. Unfortunately, they don't have any current
> stocking information other than "expected ~ 2022."

I looked at the hardware that was supported, but I forgot to check the
wifi controller, I took that for granted, my bad.

Thanks for the pcengine suggestion, but I have already a dedicated OpenBSD
box as router/firewall. I just want to replace my access points.

Last time I installed an access point (netgear) for my aunt, I had to
create a cloud account to be able to access the config UI, this enraged me
quite a bit, that's why I am scared to buy a WAP that I do not control. I
live in an old farm with very thick stone walls and I currently have 8 WAP
to cover all rooms.

Anyway, thanks for your reply, I'll try to find a decent WAP.

-- 
Nicolas Goy
https://www.kuon.ch
https://www.goyman.com
Hardware for OpenBSD based access point
Hello,

I use OpenBSD for all my network gear except wireless access points.

My current access points are getting old and I'd like to replace them.

I did a bit of research and there are quite some boards supported by
OpenBSD, but I cannot find one that ticks all my boxes.

Here are my requirements:

- OpenBSD compatible without proprietary binary blob (coreboot...)
- Wifi .11ax or way to update to it in the future (mini PCI), I can manage
  without it for now with .11ac, my current APs are .11n
- SMA/i-pex... connector
- 1 gigabit ethernet
- Bonus: PoE but I don't mind if it doesn't, I'll manage
- can be a board, a full computer... I'll manage.
- the form factor doesn't really matter as long as I don't have to hang a
  midi tower to my wall.
- must be available in europe (switzerland)
- < 200$

If you have any suggestion, I would be delighted.

Regards

-- 
Nicolas Goy
https://www.kuon.ch
https://www.goyman.com