Re: Join two overlapping subnets with two way NAT/BINAT

2013-09-07 Thread Simon Slaytor

On 07/09/2013 23:22, Florian Obser wrote:

On 09/07/13 21:32, Simon Slaytor wrote:

Hi Folks,

I've been trying to wrap my head around a problem for a little while and
I'm getting nowhere fast so thought I'd ask the experts:

Due to a company takeover I have two networks, NetA and NetB, that I
need to link together for bidirectional data sharing etc. Unfortunately
both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and
neither can be changed within the timespan available to me.

So I need to set up a PF box which links to both networks and translates
between the two. Conceptually I want it so that from NetA's
perspective NetB is 172.16.20.0/24 and from NetB's perspective NetA is
172.16.30.0/24.

NetA > NetB-NAT (172.16.20.0/24) -> NIC1 (172.16.10.254/24) PF
Firewall/Route NIC2 (172.16.10.254/24) < NetA-NAT (172.16.30.0)
<- NetB

I've read about bitmask on NAT/BINAT etc. and all this looks good; the
problem however is that this is done on the outgoing interface, and
given that both the outbound and inbound interfaces share an IP/subnet
the packets never get to the outbound interface to be translated.

I'm sure there's something completely obvious I'm missing, any help
would be much appreciated.

Simon


So you have 172.16.10.254 on two interfaces on the same box? I don't
think that will end well. I would go with two firewalls, one nats NetA,
the other nats NetB and put a link net in between.








Cheers Florian,

Yes I was thinking this myself, just wondering if I could do something
with VRFs and PF's route-to as a way to avoid this?
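As an added illustration (not part of the thread), the two-firewall design Florian suggests and the one-box problem Simon describes, modelled in Python: bitmask-style BINAT on two firewalls joined by a link net, and the route lookup that is ambiguous on a single box carrying 172.16.10.0/24 on both NICs. The link net, interface names and host addresses are assumptions; only the three 172.16.x.0/24 ranges come from the thread.

```python
from ipaddress import IPv4Address, ip_network

# Constructed example. The three 172.16.x.0/24 ranges are the ones from the
# thread; the link net, interface names and host addresses are assumptions.
NET_REAL = ip_network("172.16.10.0/24")           # what BOTH NetA and NetB really use
NET_B_SEEN_FROM_A = ip_network("172.16.20.0/24")  # NetB as presented to NetA
NET_A_SEEN_FROM_B = ip_network("172.16.30.0/24")  # NetA as presented to NetB
LINK_NET = ip_network("10.255.255.0/30")          # assumed transit net between the firewalls


def bitmask_translate(addr, from_net, to_net):
    """PF 'bitmask' pool semantics: keep the host bits of addr, swap the network bits."""
    addr = IPv4Address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("bitmask translation needs equal-length prefixes")
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) & ~int(from_net.netmask)
    return IPv4Address(int(to_net.network_address) | host_bits)


def route_lookup(table, dst):
    """Longest-prefix match returning every interface tied for the best route.
    More than one interface means the box has no single egress for dst."""
    best, winners = -1, set()
    for net, iface in table:
        if dst in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, {iface}
            elif net.prefixlen == best:
                winners.add(iface)
    return winners


def single_box_lookup(dst):
    """The original one-box idea: 172.16.10.0/24 connected on both NICs.
    Every NetA/NetB address then matches two connected routes at once."""
    return route_lookup([(NET_REAL, "nic1"), (NET_REAL, "nic2")], IPv4Address(dst))


class NatFirewall:
    """One firewall of the two-firewall design: its LAN on one side, the link net on
    the other, presenting its LAN to the far side under mapped_net (binat both ways).
    Simplified model: translation is keyed on address ranges, not on interfaces."""

    def __init__(self, name, mapped_net, routes):
        self.name, self.mapped_net, self.routes = name, mapped_net, routes

    def forward(self, src, dst):
        src, dst = IPv4Address(src), IPv4Address(dst)
        if src in NET_REAL:                     # LAN -> far side: rewrite our source
            src = bitmask_translate(src, NET_REAL, self.mapped_net)
        if dst in self.mapped_net:              # far side -> LAN: rewrite mapped destination
            dst = bitmask_translate(dst, self.mapped_net, NET_REAL)
        egress = route_lookup(self.routes, dst)
        if len(egress) != 1:
            raise RuntimeError(f"{self.name}: no unique route for {dst}: {sorted(egress)}")
        return str(src), str(dst), egress.pop()


def build_pair():
    """fw-a fronts NetA and shows it to NetB as 172.16.30.0/24; fw-b the reverse."""
    fw_a = NatFirewall("fw-a", NET_A_SEEN_FROM_B,
                       [(NET_REAL, "lan_a"), (LINK_NET, "link"), (NET_B_SEEN_FROM_A, "link")])
    fw_b = NatFirewall("fw-b", NET_B_SEEN_FROM_A,
                       [(NET_REAL, "lan_b"), (LINK_NET, "link"), (NET_A_SEEN_FROM_B, "link")])
    return fw_a, fw_b


def round_trip(host_a, host_b_as_seen_from_a):
    """Trace a NetA host talking to a NetB host (by its 172.16.20.x alias) and the
    reply coming back. Returns the src/dst/egress seen on each LAN."""
    fw_a, fw_b = build_pair()
    s1, d1, _ = fw_a.forward(host_a, host_b_as_seen_from_a)  # out of fw-a over the link
    s2, d2, e2 = fw_b.forward(s1, d1)                         # delivered into NetB
    r1, rd1, _ = fw_b.forward(d2, s2)                         # reply leaves NetB
    r2, rd2, e4 = fw_a.forward(r1, rd1)                       # reply delivered into NetA
    return {"netb_sees": (s2, d2, e2), "neta_sees": (r2, rd2, e4)}


if __name__ == "__main__":
    print("one box, route for 172.16.10.7:", sorted(single_box_lookup("172.16.10.7")))
    for side, hop in round_trip("172.16.10.5", "172.16.20.7").items():
        print(side, hop)
```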




Join two overlapping subnets with two way NAT/BINAT

2013-09-07 Thread Simon Slaytor

Hi Folks,

I've been trying to wrap my head around a problem for a little while and 
I'm getting nowhere fast so thought I'd ask the experts:


Due to a company takeover I have two networks, NetA and NetB, that I
need to link together for bidirectional data sharing etc. Unfortunately
both networks use the same IP addressing scheme, i.e. 172.16.10.0/24, and
neither can be changed within the timespan available to me.


So I need to set up a PF box which links to both networks and translates
between the two. Conceptually I want it so that from NetA's
perspective NetB is 172.16.20.0/24 and from NetB's perspective NetA is
172.16.30.0/24.


NetA > NetB-NAT (172.16.20.0/24) -> NIC1 (172.16.10.254/24) PF
Firewall/Route NIC2 (172.16.10.254/24) < NetA-NAT (172.16.30.0)
<- NetB


I've read about bitmask on NAT/BINAT etc. and all this looks good; the
problem however is that this is done on the outgoing interface, and
given that both the outbound and inbound interfaces share an IP/subnet
the packets never get to the outbound interface to be translated.


I'm sure there's something completely obvious I'm missing, any help 
would be much appreciated.


Simon



Re: VLAN Tagging problem Intel D945GCLF / Realtek 8101E - UPDATE

2010-11-20 Thread Simon Slaytor
 UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

On 16/11/2010 18:52, Simon Slaytor wrote:
Thanks for the reply, no I'm not saying anything 'broke' or 'did or
didn't' work, I'm just reporting what I'm observing just in case anyone
goes 'ah yes' that's a problem with X. To summarise my original e-mail:


4.7 AMD64 RE(4) does 'not' function with tagging enabled, the nic
works fine otherwise.


4.8 i386 DC(4) tagging works fine with the same port on the switch
with 'no' changes to the switch configuration.


The OpenBSD vlan configuration is consistent between the two, albeit
with a change from re(4) to dc(4).


I will perform a 4.8 AMD64 upgrade on the 4.7 box tonight and attempt
again the vlan configuration to see if this solves the problem. I also
have an 8169 based adapter to hand, I'll try installing that and moving
the vlan config over.


Cheers for the patch, if all else fails I'll try this against the
re(4) driver.




On 16/11/2010 13:53, Claudio Jeker wrote:

On Mon, Nov 15, 2010 at 11:46:25PM +, Simon Slaytor wrote:

Hey Folks,

I've been pulling my hair out on this one for a little while now, I
have a 4.7 AMD64 release firewall based around an Intel D945GCLF
using the on-board 8101E based Realtek Nic which is connected to a
Netgear FSM726v1 L2 Managed switch.

I've been trying to configure the Firewall/Switch to run multiple
.1q vlans over the single interface without any luck. Configs listed
below. So in a fit of desperation I pulled out an old Nokia IP440,
installed 4.8 i386 release and configured up the 'same' vlan
interface, the Nokia uses the dc nic driver. In this configuration
with this device the tagging works!

Both devices were plugged into the same port on the switch, the
configuration of which wasn't changed.

So my question is this, is the problem with 4.7 AMD64 the Realtek Nic
or the Intel D945GCLF board? Given the teething problems of BSD on
the Intel board I suspect it's this but thought I'd try and save
myself the time in re-installing etc. if someone in the know could
point out what's fubar'd.

Cheers guys, 4.8 yet another fantastic release ;)

Hmm. If I read this correctly you claim that VLAN support started to fail
between OpenBSD 4.7 and 4.8. Did you ever try to attach another system
directly to the re(4) and do a tcpdump of the packets sent out/received by
re(4)? It would be interesting if TX or RX is affected.

The following diff disabled HW VLAN tagging support, maybe do a test with
this and see if this solves your problems.




Re: geode

2010-11-16 Thread Simon Slaytor
I've had ver 3.7 onwards running on a Nokia IP120 performing site-to-site
IPSec VPNs (3DES+PFS) without any problems.


Performance isn't huge, sadly no figures to hand, but had no issues
running VOIP/ICA/MS SMB traffic etc.


On 16/11/2010 16:12, Claudiu Pruna wrote:

Hi there,

Could anyone provide some personal experience about OpenBSD and AMD
Geode based boards?

I am thinking of doing some piece of IPSEC router for a friend and I
can't appreciate correctly what I should expect from it in matters of
max bandwidth, pps, etc.

Thanks,
Claudiu




Re: VLAN Tagging problem Intel D945GCLF / Realtek 8101E

2010-11-16 Thread Simon Slaytor
Thanks for the reply, no I'm not saying anything 'broke' or 'did or
didn't' work, I'm just reporting what I'm observing just in case anyone
goes 'ah yes' that's a problem with X. To summarise my original e-mail:


4.7 AMD64 RE(4) does 'not' function with tagging enabled, the nic works
fine otherwise.


4.8 i386 DC(4) tagging works fine with the same port on the switch with
'no' changes to the switch configuration.


The OpenBSD vlan configuration is consistent between the two, albeit
with a change from re(4) to dc(4).


I will perform a 4.8 AMD64 upgrade on the 4.7 box tonight and attempt
again the vlan configuration to see if this solves the problem. I also
have an 8169 based adapter to hand, I'll try installing that and moving
the vlan config over.


Cheers for the patch, if all else fails I'll try this against the re(4)
driver.




On 16/11/2010 13:53, Claudio Jeker wrote:

On Mon, Nov 15, 2010 at 11:46:25PM +, Simon Slaytor wrote:

Hey Folks,

I've been pulling my hair out on this one for a little while now, I
have a 4.7 AMD64 release firewall based around an Intel D945GCLF
using the on-board 8101E based Realtek Nic which is connected to a
Netgear FSM726v1 L2 Managed switch.

I've been trying to configure the Firewall/Switch to run multiple
.1q vlans over the single interface without any luck. Configs listed
below. So in a fit of desperation I pulled out an old Nokia IP440,
installed 4.8 i386 release and configured up the 'same' vlan
interface, the Nokia uses the dc nic driver. In this configuration
with this device the tagging works!

Both devices were plugged into the same port on the switch, the
configuration of which wasn't changed.

So my question is this, is the problem with 4.7 AMD64 the Realtek Nic
or the Intel D945GCLF board? Given the teething problems of BSD on
the Intel board I suspect it's this but thought I'd try and save
myself the time in re-installing etc. if someone in the know could
point out what's fubar'd.

Cheers guys, 4.8 yet another fantastic release ;)


Hmm. If I read this correctly you claim that VLAN support started to fail
between OpenBSD 4.7 and 4.8. Did you ever try to attach another system
directly to the re(4) and do a tcpdump of the packets sent out/received by
re(4)? It would be interesting if TX or RX is affected.

The following diff disabled HW VLAN tagging support, maybe do a test with
this and see if this solves your problems.




VLAN Tagging problem Intel D945GCLF / Realtek 8101E

2010-11-15 Thread Simon Slaytor

Hey Folks,

I've been pulling my hair out on this one for a little while now, I have 
a 4.7 AMD64 release firewall based around an Intel D945GCLF using the 
on-board 8101E based Realtek Nic which is connected to a Netgear 
FSM726v1 L2 Managed switch.


I've been trying to configure the Firewall/Switch to run multiple .1q 
vlans over the single interface without any luck. Configs listed below. 
So in a fit of desperation I pulled out an old Nokia IP440, installed 
4.8 i386 release and configured up the 'same' vlan interface, the Nokia 
uses the dc nic driver. In this configuration with this device the 
tagging works!


Both devices were plugged into the same port on the switch, the
configuration of which wasn't changed.


So my question is this, is the problem with 4.7 AMD64 the Realtek Nic or
the Intel D945GCLF board? Given the teething problems of BSD on the
Intel board I suspect it's this but thought I'd try and save myself the
time in re-installing etc. if someone in the know could point out what's
fubar'd.


Cheers guys, 4.8 yet another fantastic release ;)

Simon

Non working D945GCLF

# cat /etc/hostname.re0
up

# cat /etc/hostname.vlan11
inet 11.0.0.199 255.255.255.0 11.0.0.255 vlan 11 vlandev re0

Working Nokia IP440

# cat /etc/hostname.dc0
up

# cat /etc/hostname.vlan11
inet 11.0.0.199 255.255.255.0 11.0.0.255 vlan 11 vlandev dc0

Switch Config (FSM726 firmware 2.6.5):

interface Ethernet 1/1
 cos normal
 description Not Defined
 no shutdown
 speed 100
 duplex full
 flow-ctrl
 negotiation auto
 broadcast-rate 3000
 dot1x port-control authorized
 no mac-lockdown
 no switchport access vlan 1
 switchport access vlan tagged 11
 switchport access native 11
 no mirror
 spanning-tree port-priority 128
 spanning-tree cost 19
 spanning-tree fastlink
 exit

Intel Board:

OpenBSD 4.7 (GENERIC) #112: Wed Mar 17 20:43:49 MDT 2010
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2135109632 (2036MB)
avail mem = 2068836352 (1972MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe3590 (23 entries)
bios0: vendor Intel Corp. version "LF94510J.86A.0038.2008.0427.2223" date 04/27/2008
bios0: Intel Corporation D945GCLF
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC WDDT MCFG ASF!
acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S4) UAR2(S4) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) PEX5(S4) UHC1(S3) UHC2(S3) UHC3(S3) UHC4(S3) EHCI(S3) AC9M(S4) AZAL(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU 230 @ 1.60GHz, 1596.34 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR,NXE,LONG
cpu0: 512KB 64b/line 16-way L2 cache
cpu0: apic clock running at 133MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P32_)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus -1 (PEX1)
acpiprt4 at acpi0: bus 2 (PEX2)
acpiprt5 at acpi0: bus 3 (PEX3)
acpiprt6 at acpi0: bus -1 (PEX4)
acpiprt7 at acpi0: bus -1 (PEX5)
acpicpu0 at acpi0
acpibtn0 at acpi0: SLPB
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0x8000, size 0x1000
inteldrm0 at vga1: apic 2 int 16 (irq 11)
drm0 at inteldrm0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 2 int 17 (irq 255)
pci1 at ppb0 bus 1
re0 at pci1 dev 0 function 0 "Realtek 8101E" rev 0x02: RTL8102EL (0x2480), apic 2 int 16 (irq 11), address 00:1c:c0:45:3e:65
rlphy0 at re0 phy 7: RTL8201L 10/100 PHY, rev. 1
ppb1 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x01: apic 2 int 18 (irq 255)
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x01: apic 2 int 19 (irq 255)
pci3 at ppb2 bus 3
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23 (irq 9)
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 19 (irq 10)
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 18 (irq 11)
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int 16 (irq 11)
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23 (irq 9)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci4 at ppb3 bus 4
pcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01
pciide0 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 2 int 19 (irq 10

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor

True, although in this scenario would soft reconfig not be an answer?

As each router has two copies of the full table, one via the eBGP peer
and another from the iBGP peer, if the eBGP peer dropped all the iBGP
learned routes would remain and be used. When the eBGP peer came back up
soft reconfig would allow for a seamless move back to the preferred peer?


Ideally what is needed is BFD to detect the link failure between the 
host and the external peer, that way the BGP timers could be set to 
something more conservative. Also some means of reliable flap control 
would be good to save restoring a session to an unreliable host.


Good point well taken though.

Stuart Henderson wrote:

On 2008-10-08, Simon Slaytor <[EMAIL PROTECTED]> wrote:
  

It's also important to tune the BGP dead timers as low as you can



if you do this, do it with care, it's a double-edged sword.

sure you pick up a dead session sooner, but, it greatly increases
the chance of killing a session when your or more likely your peer's
routers are working ok, forwarding ok, but a bit busy to handle
control plane traffic in a timely fashion.

when that happens, dropping the session and forcing them to feed
you full table is about the last thing you want to do...






Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor
One way to do this is to have both client fw/routers running in their
own right, i.e. no carp failover.


Each router peers with one of the ISP routers via eBGP and then peers
with its partner via iBGP.


On each router use the 'weight' option to make each router believe its
learned routes are the best.


Each router will now install its best route in the kernel routing table
and, believing it has the best route, will also redistribute its routes
to the iBGP partner.


The result: each router will have two routes to any network in its BGP
table, one via its eBGP which it regards as 'best' and another with a
higher weight via its partner router.


It's also important to tune the BGP dead timers as low as you can so
that if a link to an upstream is lost the BGP session is cleared as soon as
possible, minimizing the amount of black-holed traffic. Once the BGP
session is down the alternate route learned from the partner router will
be used to replace the failed route in the actual routing table.


To control which route is used for outbound traffic CARP can be set up on
the 'internal' interfaces. Whichever router is the master will be used
as the egress point for the network. Padding the announcement to the
secondary provider could also help with controlling incoming traffic,
although in my experience the results are mixed.


Now I've never tried it on OpenBGP but on Cisco this works like a charm.

e.g.

  [ISP1]            [ISP2]
     |                 |
    ebgp              ebgp
     |                 |
  [PRIV1]---iBGP---[PRIV2]
     |                 |
     M                 S
     |                 |
  ---|-----------------|---

All traffic would flow out of PRIV1 / ISP1, if PRIV1 or ISP1 failed
traffic would flow out of PRIV2 / ISP2.






BARDOU Pierre wrote:
 
Hello,


Failover already works with BGP on my test conf, the problem is that BGP 
only selects ONE route to a destination, so there is no load balancing.


The easiest for me would be to tell BGP to keep TWO routes to each
destination, and use them in a round-robin way.

That's what Cisco does with BGP multipath
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

But AFAIK there is no way to setup this with openBGP.

Am I right ?

--
Regards,
Pierre BARDOU

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday 8 October 2008 09:05
To: BARDOU Pierre
Cc: Frans Haarman; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

BARDOU Pierre wrote:
  

Hello,
 
I can load balance on the firewalls with pf, but the problem of that
solution is that there is no failover AFAIK.

If I lose a link between an ISP and me half of the packets will be lost.

And not losing packets is more important to me than load balancing...

--

Regards,
Pierre BARDOU
 




From: Frans Haarman [mailto:[EMAIL PROTECTED]
Sent: Tuesday 7 October 2008 18:54
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)



2008/10/7 BARDOU Pierre <[EMAIL PROTECTED]>


Hello,

I am trying to set up a configuration like this :

+---------+   +---------+
|  ISP1   |   |  ISP2   | Cisco
| ROUTER  |   | ROUTER  |
| AS3215  |   | AS12670 |
+---------+   +---------+
     |             |
     |             |
+---------+   +---------+
|   BGP   |   |   BGP   |
| ROUTER  |   | ROUTER  | OpenBSD 4.3
| AS47818 |   | AS45818 |
+---------+   +---------+
     |             |
     |             |
+-------------------------+
|   217.109.108.240/28    |
+-------------------------+
     |             |
     |             |
+--------+--------+-------+
|   FW   |        |  FW   |   OpenBSD 4.3
| MASTER | pfsync | SLAVE |
+--------+--------+-------+
     |             |
     |             |
+-------------------------+
|    PRIVATE NETWORKS     |
+-------------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP
solution.
Some people speak about it but I have never seen it.

I made a test conf where fail

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread Simon Slaytor

Hi,

First off let's clear up two things:

OSPF is an IGP protocol, you would use it to share routes between your
own routers, not a transit provider's.
iBGP is again an IGP, this time BGP will automatically talk iBGP when
talking to routers within the same AS. Your BGP sessions will
automatically talk eBGP to your transits.


Ok so let's look at the way it will need to work. BGP works by
propagating the routes you announce to your upstream 'transit' peers,
via eBGP. In turn these transit providers announce your routes to the
larger internet. Remote ASes will choose a path back to you based on
several factors inc. AS path length, local preference, weighting etc.


You can control to some extent the provider your inbound traffic arrives 
on by padding your announcement to one provider over another, outbound 
traffic is much easier as you can use various methods of setting local 
preferences based on inbound communities etc.


Now this is all great in theory, however to do this with two providers
you will need your OWN AS; this is necessary as the transit will simply
filter out any private ASes (65xxx).


You will also need your own reasonably large IP allocation. From your
diagram I see you are using a /28, how did you come by this? If this was
given to you by a provider e.g. ISP1 they will already be announcing
this as part of a summarised route to their transits, as such they
probably won't let you re-announce their allocation to ISP2. Even if
this IP space has been allocated to you e.g. by RIPE, many transit
providers are now filtering out smaller routes such as /24 routes, let
alone /28, in an effort to keep their routing tables to a minimum. See
below, we're now at about 260k routes! So in this case even if ISP1 & 2
re-transmit your routes their upstreams will filter you out so you won't
get connectivity.


Now I'm no BGP expert by any means so please forgive me if any of this 
is wrong or misleading.


Out of pure 'play' factor I do maintain a BGP peering session with one
of my ISPs from an OpenBSD 4.3 box, I usually use Cisco so wanted to
play with OpenBGP.


# bgpctl sh sum
Neighbor             AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
MT Peering        13122     183343       3245     0 2d06h03m     263451
#

I would suggest your best bet is to follow the good advice of others and 
look at the multi homed solutions suggested.


Hope that helps

Simon





BARDOU Pierre wrote:

Hello,
 
I am trying to set up a configuration like this :

+---------+   +---------+
|  ISP1   |   |  ISP2   | Cisco
| ROUTER  |   | ROUTER  |
| AS3215  |   | AS12670 |
+---------+   +---------+
     |             |
     |             |
+---------+   +---------+
|   BGP   |   |   BGP   |
| ROUTER  |   | ROUTER  | OpenBSD 4.3
| AS47818 |   | AS45818 |
+---------+   +---------+
     |             |
     |             |
+-------------------------+
|   217.109.108.240/28    |
+-------------------------+
     |             |
     |             |
+--------+--------+-------+
|   FW   |        |  FW   |   OpenBSD 4.3
| MASTER | pfsync | SLAVE |
+--------+--------+-------+
     |             |
     |             |
+-------------------------+
|    PRIVATE NETWORKS     |
+-------------------------+
 
I'd like to load balance outgoing connections to the internet,

but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with cisco, but I have never found an openBGP solution.

Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the 
FW's with 'set nexhop self' on BGP routers), but when both connections 
are active only one is used.


Would it be possible to help me please ?
Is setting up iBGP sessions between FW's and BGP routers a good idea ?
Should I rather use OSPF for this ?
And in that case how to configure it to loadbalance/failover ?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but I 
understood it was much more difficult.


--
Regards,
Pierre BARDOU




OPENVAS on OpenBSD [was Re: PCI Compliant Vulnerability Scanner]

2008-10-04 Thread Simon Slaytor

Dorian Büttner wrote:

Looking for openvas?
http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2005-11/0067.html




I've been looking at OpenVAS has anyone got it working under OpenBSD?



Re: HPING or equiv

2008-10-01 Thread Simon Slaytor

Hi Geoff,

Thanks for the reply, no I don't think it's the box, DMESG below. 

Ok some test output where the IP pinged is the far end of a /30 subnet 
on a dedicated 1G line rate router port of a 7609 cisco, sup 720 etc..


If I do a flood PING

# time ping -c 1000 -f 80.65.xxx.xxx 
PING 80.65.xxx.xxx (80.65.xxx.xxx): 56 data bytes

--- 80.65.xxx.xxx ping statistics ---
1000 packets transmitted, 1000 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.241/0.279/10.349/0.344 ms
   0m0.32s real 0m0.00s user 0m0.06s system
#

# time ping -f 80.65.xxx.xxx
PING 80.65.xxx.xxx (80.65.xxx.xxx): 56 data bytes
--- 80.65.xxx.xxx ping statistics ---
26221 packets transmitted, 26218 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.236/0.389/23.944/0.465 ms
   0m5.89s real 0m0.04s user 0m1.59s system
#

   3 users    Load  0.56  0.46  0.46                  Wed Oct  1 20:14:27 2008

Iface    State    Ibytes   Ipkts  Ierrs    Obytes   Opkts  Oerrs  Colls
re0      up:U          0    5585      0    798202    5670      0      0
re1      up:U          0       0      0         0       0      0      0
nfe0     dn            0       0      0         0       0      0      0
enc0     dn            0       0      0         0       0      0      0
lo0      up            0       0      0         0       0      0      0
pflog0   up            0       0      0         0       0      0      0
trunk0   up:U     544226    5585      0    877582    5670      0      0
trunk1   up:U          0       0      0         0       0      0      0
Totals            544226   11170      0   1675784   11340      0      0


Packets are going out through trunk0 (1 member re0) i.e. 5k+ pps

Doing a HPING to the same host

# time hping -c 1000 -i u100 -1 80.65.xxx.xxx

len=46 ip=80.65.xxx.xxx ttl=255 id=34206 icmp_seq=0 rtt=0.3 ms
len=46 ip=80.65.xxx.xxx ttl=255 id=59587 icmp_seq=1 rtt=0.3 ms
.
.
.
len=46 ip=80.65.xxx.xxx ttl=255 id=59542 icmp_seq=999 rtt=0.3 ms

--- 80.65.xxx.xxx hping statistic ---
1000 packets tramitted, 1000 packets received, 0% packet loss
round-trip min/avg/max = 0.3/4.6/193.9 ms
   0m20.18s real 0m0.02s user 0m0.07s system
# time hping -c 1000 -i u100 -1 80.65.xxx.xxx

   3 users    Load  0.33  0.25  0.34                  Wed Oct  1 20:20:07 2008

Iface    State    Ibytes   Ipkts  Ierrs    Obytes   Opkts  Oerrs  Colls
re0      up:U          0     102      0     11406     103      0      0
re1      up:U          0       1      0         0       0      0      0
nfe0     dn            0       0      0         0       0      0      0
enc0     dn            0       0      0         0       0      0      0
lo0      up            0       0      0         0       0      0      0
pflog0   up            0       0      0         0       0      0      0
trunk0   up:U       6432     102      0     12848     103      0      0
trunk1   up:U         60       1      0         0       0      0      0
Totals              6492     206      0     24254     206      0      0


Sorry, I fibbed, it manages 100pps.

# dmesg
OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 Processor 3000+ ("AuthenticAMD" 686-class, 512KB L2 cache) 1.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16
real mem  = 1039364096 (991MB)
avail mem = 996900864 (950MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/31/07, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0xf06e0 (67 entries)
bios0: vendor American Megatrends Inc. version "0201" date 10/31/2007
bios0: ASUSTeK Computer INC. M2N-VM HDMI
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 3.0 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf56b0/240 (13 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x10de product 0x0548
pcibios0: PCI bus #8 is the last bus
bios0: ROM list: 0xc/0xea00
cpu0 at mainbus0
cpu0: PowerNow! K8 1801 MHz: speeds: 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
vendor "NVIDIA", unknown product 0x0547 (class memory subclass RAM, rev 0xa2) at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 vendor "NVIDIA", unknown product 0x0548 rev 0xa2
nviic0 at pci0 dev 1 function 1 "NVIDIA MCP67 SMBus" rev 0xa2
iic0 at nviic0
spdmem0 at iic0 addr 0x50: 512MB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x51: 512MB DDR2 SDRAM non-parity PC2-5300CL5
iic1 at nviic0
ohci0 at pci0 dev 2 function 0 vendor "NVIDIA", unknown product 0x055e rev 0xa2: irq 7, version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 vendor "NVIDIA", unkn

Re: Intel Atom and D945GCLF2

2008-09-27 Thread Simon Slaytor

Not yet, but will be by the end of today. I will post a DMESG later.

Steve B wrote:

Is anyone running OpenBSD on one of these boards? The supported platform
page does not list either the chipset or the CPU so I'm guessing it is not
supported at this time.

Steve






Re: Monitoring Bandwidth Usage, based on ports, service, client, etc.

2008-02-16 Thread Simon Slaytor
Sorry Richard, should have mentioned the RRD voodoo, hopefully Peter has 
set you on the right track.


I never really liked the 'rough' graphs produced by the version of RRD
Graph available from the packages collection. I've downloaded the latest
1.2.6 port version from openports.se and compiled and built this. I then
tweaked nfsen adding the RRD 'slope' and anti-alias features, not exactly
accurate but very pretty!



Peter Haag wrote:



--On February 16, 2008 2:36:33 AM -0500 Richard Daemon <[EMAIL PROTECTED]> wrote:


| How did you get --enable-nfprofile working?
|
| I tried with --with-rrdpath=/usr/local where /usr/local/lib/ has:
|
| /usr/local/lib/librrd.a
| /usr/local/lib/librrd.la
| /usr/local/lib/librrd.so.0.0

RRD is a bit picky especially under OpenBSD. So
In your shell (C-shell ex.) set:

setenv LDFLAGS '-L/usr/local/lib -L/usr/X11R6/lib'

rerun ./configure

Enjoy

   - Peter

|
| Yet I get this error:
| configure: error: Can not link librrd. Please specify --with-rrdpath=..
| configure failed!
| ...
| Using nfsen 1.3 (latest -stable) and nfdump 1.5.6.
|
| I'm not sure what else to try.
|
| Now if only someone could make this BSD licensed software as a port. :-)



It's on my todo list, as soon as time allows.


|
| On Fri, Feb 15, 2008 at 5:07 PM, Simon Slaytor <[EMAIL PROTECTED]> wrote:

|
| > Yes I have four high availability 4.2 firewalls, 8 boxes in total all
| > sending data to a single nfsen backend which is running on a dedicated
| > OBSD 4.2 box. All dependent apps/tools are available from ports, simply
| > enable apache in non chroot mode then just compile up the two apps from
| > src.
| >
| > Richard Daemon wrote:
| > >
| > >
| > > On Fri, Feb 15, 2008 at 11:17 AM, Simon Slaytor <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
| > >
| > > It would take a bit more setting up but what about pfflowd from
| > > ports/packages and nfdump/nfsen?
| > >
| > > I use this at work for tracking exactly what's flowing through our
| > > firewalls i.e. which protocols by whom to where etc.
| > >
| > > Sounds like exactly what you're after.
| > >
| > > http://nfsen.sourceforge.net/
| > >
| > >
| > > Wow, now this looks good!
| > >
| > > You have it working with OpenBSD firewalls using pfflowd for
| > > nfdump/nfsen or are you using nfdump/nfsen with netflows from other
| > > infrastructure systems?
|



--
Peter Haag





Re: Monitoring Bandwidth Usage, based on ports, service, client, etc.

2008-02-15 Thread Simon Slaytor
Yes I have four high availability 4.2 firewalls, 8 boxes in total all
sending data to a single nfsen backend which is running on a dedicated
OBSD 4.2 box. All dependent apps/tools are available from ports, simply
enable apache in non-chroot mode then just compile up the two apps from src.


Richard Daemon wrote:



On Fri, Feb 15, 2008 at 11:17 AM, Simon Slaytor <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:


It would take a bit more setting up but what about pfflowd from
ports/packages and nfdump/nfsen?

I use this at work for tracking exactly what's flowing through our
firewalls i.e. which protocols by whom to where etc.

Sounds like exactly what you're after.

http://nfsen.sourceforge.net/


Wow, now this looks good!

You have it working with OpenBSD firewalls using pfflowd for 
nfdump/nfsen or are you using nfdump/nfsen with netflows from other 
infrastructure systems?




Re: Monitoring Bandwidth Usage, based on ports, service, client, etc.

2008-02-15 Thread Simon Slaytor
It would take a bit more setting up but what about pfflowd from 
ports/packages and nfdump/nfsen?


I use this at work for tracking exactly what's flowing through our
firewalls i.e. which protocols by whom to where etc.


Sounds like exactly what you're after.

http://nfsen.sourceforge.net/


Richard Daemon wrote:

Hi all,

Does anyone know how I can go about monitoring bandwidth usage based on
ports (or service) and maybe client as well?
I have checked and tried both pfstat and symon and they're both great at
what they do, but not fully what I'm looking to do.

As for Cacti, I will be trying to get working this weekend in the chroot as
there's no port yet, unfortunately, but I don't think it will quite do what
I'm seeking either.

In other words, what I'm looking to do is mainly to monitor and graph the
average (baseline) bandwidth usage for a few systems and to know what ports
are mostly used (ftp, http, https, ssh, etc.) and how much bandwidth they
consume or need, on average.

By doing this, I can also better adjust my ALTQ rules accordingly.

TIA.
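
The questions Richard asks (which ports carry the traffic, which clients, what the average rate is) are exactly what nfdump answers over a pfflowd export. As an added example, not code from this thread or from pfflowd/nfdump/nfsen, here is the same aggregation done by hand over constructed NetFlow-style records, so the logic behind "top services / top talkers / baseline" is visible:

```python
"""Per-service and per-client byte totals from NetFlow-style flow records.

Added example, not code from the thread or from pfflowd/nfdump/nfsen. The
records are constructed here; in the setup Simon describes, pfflowd exports
pf state changes as NetFlow to nfcapd and nfdump/nfsen answer the same
questions (top ports, top talkers, average rate) over the real data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Service names for well-known server ports; anything else is shown as proto/port.
SERVICES = {21: "ftp", 22: "ssh", 53: "dns", 80: "http", 123: "ntp", 443: "https"}


@dataclass(frozen=True)
class Flow:
    start: float  # seconds since epoch at first packet
    end: float    # seconds since epoch at last packet
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    octets: int   # bytes carried by this unidirectional flow


def service_of(flow: Flow) -> str:
    """The lower of the two ports is the server (service) port in nearly
    every client/server exchange; ephemeral client ports are high."""
    port = min(flow.sport, flow.dport)
    return SERVICES.get(port, f"{flow.proto}/{port}")


def client_of(flow: Flow) -> str:
    """The endpoint using the ephemeral (higher) port is the client, whichever
    direction this particular flow record was exported in."""
    return flow.src if flow.sport > flow.dport else flow.dst


def bytes_by_service(flows: Iterable[Flow]) -> dict:
    totals = defaultdict(int)
    for f in flows:
        totals[service_of(f)] += f.octets
    return dict(totals)


def bytes_by_client(flows: Iterable[Flow]) -> dict:
    totals = defaultdict(int)
    for f in flows:
        totals[client_of(f)] += f.octets
    return dict(totals)


def average_kbps(flows: Iterable[Flow], service: Optional[str] = None) -> float:
    """Baseline rate in kbit/s: total bytes over the wall-clock span covered
    by the (optionally service-filtered) flows. 0.0 if nothing matches."""
    chosen = [f for f in flows if service is None or service_of(f) == service]
    if not chosen:
        return 0.0
    span = max(f.end for f in chosen) - min(f.start for f in chosen)
    return 0.0 if span <= 0 else sum(f.octets for f in chosen) * 8 / span / 1000


def top_n(totals: dict, n: int = 5) -> list:
    """(key, bytes) pairs, largest first: the 'which ports matter' view."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample export: two minutes of traffic from three internal hosts.
FLOWS = [
    Flow(0, 60, "tcp", "172.16.10.5", 51000, "203.0.113.10", 443, 600_000),
    Flow(0, 60, "tcp", "172.16.10.5", 51001, "203.0.113.10", 80, 300_000),
    Flow(10, 70, "tcp", "172.16.10.7", 40022, "203.0.113.20", 22, 120_000),
    # Reverse-direction record: the server side is the source here.
    Flow(30, 90, "tcp", "203.0.113.30", 21, "172.16.10.7", 52000, 900_000),
    Flow(0, 120, "udp", "172.16.10.9", 34000, "203.0.113.40", 53, 12_000),
]

if __name__ == "__main__":
    for svc, octets in top_n(bytes_by_service(FLOWS)):
        print(f"{svc:10s} {octets:>10d} bytes  {average_kbps(FLOWS, svc):7.1f} kbit/s")
    for client, octets in top_n(bytes_by_client(FLOWS)):
        print(f"{client:15s} {octets:>10d} bytes")
```

The client/server heuristic (lower port is the service) is the same simplification nfdump's port aggregation relies on; for ALTQ planning the per-service kbit/s figure is the one to carry into the queue definitions.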




Re: Move to 4.2 where has all my memory gone?

2007-12-18 Thread Simon Slaytor

Ahhh, that will be me caught with my pants down!

That will teach me; I usually keep up to date with patches as well, 
obviously too giddy getting the new code on the boxes!


Thanks for the reply.

Stuart Henderson wrote:

On 2007/12/18 11:56, Simon Slaytor wrote:
Apologies if this appears a simple question but I'm a bit baffled. We have a 
pair of firewalls, each with two units running as a HA pair via CARP/PFSYNC 
etc.



Have you patched for errata 004?
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/004_pf.patch




Move to 4.2 where has all my memory gone?

2007-12-18 Thread Simon Slaytor

Hi Folks,

Apologies if this appears a simple question but I'm a bit baffled. We 
have a pair of firewalls, each with two units running as a HA pair via 
CARP/PFSYNC etc.


All nodes use identical hardware, Nokia IP440's (Intel BX boards, 
PIII6333Mhz CPU's, 256Mb RAM)


I have recently rebuilt one pair using 4.2, the others remaining at 4.1 
for the moment.  When I compare TOP on the primary nodes of the two 
systems the amount of free memory shown is hugely different, see below:


Top From - 4.1

load averages:  0.29,  0.14,  0.10                                   11:34:33
26 processes:  25 idle, 1 on processor
CPU states:  0.0% user,  0.0% nice,  0.6% system,  0.6% interrupt, 98.8% idle
Memory: Real: 13M/51M act/tot  Free: 194M  Swap: 0K/2048M used/tot


Top From - 4.2

load averages:  1.37,  0.65,  0.41                                   11:40:29
25 processes:  24 idle, 1 on processor
CPU states:  0.1% user,  0.0% nice,  0.7% system,  0.1% interrupt, 99.1% idle
Memory: Real: 1632K/244M act/tot  Free: 704K  Swap: 7908K/2048M used/tot

PS list from the 4.2 box

USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED    TIME COMMAND
root         1  0.0  0.0   340     4 ??  Is    Fri09AM 0:00.27 /sbin/init
root     28306  0.0  0.0   404     4 ??  Is    Fri09AM 0:00.23 syslogd: [priv] (syslogd)
_syslogd 11455  0.0  0.1   456   300 ??  S     Fri09AM 0:09.50 syslogd -a /var/empty/dev/log
_ntp     13162  0.0  0.0   448     4 ??  Is    Fri09AM 0:00.94 ntpd: ntp engine (ntpd)
root      5108  0.0  0.0   496     4 ??  Is    Fri09AM 0:00.06 ntpd: [priv] (ntpd)
root      9819  0.0  0.0   328     4 ??  Is    Fri09AM 0:01.69 inetd
root     14047  0.0  0.0   536     4 ??  Is    Fri09AM 0:00.07 /usr/sbin/sshd
root      2085  0.0  0.1  1208   196 ??  Ss    Fri09AM 0:19.17 sendmail: accepting connections (sendmail)
root      5713  0.0  0.1  2400   212 ??  S     Fri09AM 0:43.33 /usr/local/sbin/snmpd -c /etc/snmp/snmpd.conf
root      8195  0.0  0.0   39232     ??  Ss    Fri09AM 0:02.16 ifstated
root     22154  0.0  0.0   648     4 ??  Is    Fri09AM 0:01.29 pflogd: [priv] (pflogd)
root     21896  0.0  0.0   508     4 ??  Is    Fri09AM 0:04.17 cron
_pflogd  30509  0.0  0.0   716     4 ??  S     Fri09AM 0:09.62 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)
root     16894  0.0  0.1   220   160 ??  Ss    11:30AM 0:00.08 comsat
root     24371  0.0  0.2  3264   564 ??  Ss    11:40AM 0:00.29 sshd: [EMAIL PROTECTED] (sshd)
root     11570  0.0  0.2   508   460 p1  Ss    11:40AM 0:00.07 -ksh (ksh)
root     18971  0.0  0.1   332   220 p1  R+    11:43AM 0:00.00 ps -aux
root     26501  0.0  0.0   220     4 00  Is+   Fri09AM 0:00.01 /usr/libexec/getty std.9600 tty00
root      5258  0.0  0.0   348     4 C0  Is+   Fri09AM 0:00.01 /usr/libexec/getty Pc ttyC0
root     16841  0.0  0.0   316     4 C1  Is+   Fri09AM 0:00.01 /usr/libexec/getty Pc ttyC1
root      8020  0.0  0.0   324     4 C2  Is+   Fri09AM 0:00.01 /usr/libexec/getty Pc ttyC2
root      2680  0.0  0.0   240     4 C3  Is+   Fri09AM 0:00.01 /usr/libexec/getty Pc ttyC3
root     13756  0.0  0.0   352     4 C5  Is+   Fri09AM 0:00.01 /usr/libexec/getty Pc ttyC5


When SSH'ing onto the 4.2 box it seems sluggish compared to the 4.1, 
might be me though. Does the TOP output from the 4.2 box look OK and if 
so where has the other 193Mb gone?


Thanks

Simon



Lost my Sensors (or should be senses!) with 4.2

2007-11-09 Thread Simon Slaytor

Hi Folks,

I've just been upgrading some of our old war horses (Nokia IP440) to 
4.2. They run Intel made BX PIII chipset motherboards, dmesg below.


Whilst not extensive the boards do have some sensor data that we grab to 
check on the health of the old girls. After a fresh install of 4.2 I 
noticed we had lost the FAN readout from the list of sensors, see output 
below (taken from different boxes but I've confirmed the loss using the 
same box switching between 4.1 and 4.2).


Whilst this isn't critical for us on these units, whatever is causing the 
omission may have bigger problems for other people so I thought I'd 
bring it to the list's attention.


Many thanks to all the developers for yet another excellent release in 
4.2, the bulk CD order is going through soon!


Sensor Output from 4.1 i386 (sysctl -a hw)

hw.machine=i386
hw.model=Intel Pentium III ("GenuineIntel" 686-class)
hw.ncpu=1
hw.byteorder=1234
hw.physmem=267993088
hw.usermem=267988992
hw.pagesize=4096
hw.disknames=wd0,cd0,fd0
hw.diskcount=3
hw.sensors.lmenv0.temp1=23.00 degC (Internal)
hw.sensors.lmenv0.fan0=2647 RPM    *** MISSING in 4.2 ***
hw.sensors.lmenv0.fan1=3970 RPM    *** MISSING in 4.2 ***
hw.sensors.lmenv0.volt0=1.52 VDC (+2.5Vin)
hw.sensors.lmenv0.volt1=1.66 VDC (Vccp)
hw.sensors.lmenv0.volt2=3.30 VDC (+Vcc)
hw.sensors.lmenv0.volt3=5.08 VDC (+5Vin/Vcc)
hw.sensors.lmenv0.volt4=12.38 VDC (+12Vin)
hw.sensors.lmenv0.volt5=2.43 VDC (Vccp)
hw.cpuspeed=599
hw.vendor=Intel Corporation
hw.product=SE440BX-2
hw.uuid=ebf758f0-b47b-11d4-af0d-0030d3006ea4

Sensor Output from 4.2 i386 (sysctl -a hw)

hw.machine=i386
hw.model=Intel Pentium III ("GenuineIntel" 686-class)
hw.ncpu=1
hw.byteorder=1234
hw.physmem=267993088
hw.usermem=267984896
hw.pagesize=4096
hw.disknames=wd0,cd0,fd0
hw.diskcount=3
hw.sensors.lmenv0.temp1=28.00 degC (Internal)
hw.sensors.lmenv0.volt0=1.50 VDC (+2.5Vin)
hw.sensors.lmenv0.volt1=1.69 VDC (Vccp)
hw.sensors.lmenv0.volt2=3.27 VDC (+Vcc)
hw.sensors.lmenv0.volt3=5.05 VDC (+5Vin/Vcc)
hw.sensors.lmenv0.volt4=12.00 VDC (+12Vin)
hw.sensors.lmenv0.volt5=2.40 VDC (Vccp)
hw.sensors.lmenv0.volt6=2.48 VDC (AIN1)
hw.sensors.lmenv0.volt7=1.66 VDC (AIN2)
hw.cpuspeed=599
hw.vendor=Intel Corporation
hw.product=SE440BX-2
hw.uuid=82947f19-b652-11d4-b074-0030d3001e5e

DMESG's

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 599 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE

real mem  = 267993088 (261712K)
avail mem = 236847104 (231296K)
using 3302 buffers containing 13524992 bytes (13208K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 02/23/00, BIOS32 rev. 0 @ 0xfd7a0, SMBIOS rev. 2.1 @ 0xefbe0 (42 entries)

bios0: Intel Corporation SE440BX-2
pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xe/0x4000! 0xe4000/0xc000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Mach64 GM" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 19623MB, 40188960 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
lmenv0 at iic0 addr 0x2d: adm9240 rev 2, starting scan
ppb1 at pci0 dev 13 function 0 "DEC 21152 PCI-PCI" rev 0x03
pci2 at ppb1 bus 2
dc0 at pci2 dev 4 function 0 "DEC 21142/3" rev 0x41: irq 11, address 00:c0:95:e0:9d:1c
dcphy0 at dc0 phy 31: internal PHY
dc1 at pci2 dev 5 function 0 "DEC 21142/3" rev 0x41: irq 10, address 00:c0:95:e0:9d:1d
dcphy1 at dc1 phy 31: internal PHY
dc2 at pci2 dev 6 function 0 "DEC 21142/3" rev 0x41: irq 7, address 00:c0:95:e0:9d:1e
dcphy2 at dc2 phy 31: internal PHY
dc3 at pci2 dev 7 function 0 "DEC 21142/3" rev 0x41: irq 9, address 00:c0:95:e0:9d:1f
dcphy3 at dc3 phy 31: internal PHY
isa0 at pc
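
The comparison Simon did by eye (same box, 4.1 then 4.2, which sensors are gone) is worth automating when a fleet of firewalls is upgraded, because a vanished fan or a drifting voltage is the sort of thing that gets noticed only once the hardware fails. The following is an added example, not code from this post: it parses `sysctl hw` output in the `hw.sensors.<dev>.<name>=<value> <unit> (<label>)` layout shown above and reports sensors that disappeared, appeared or moved by more than a chosen fraction. The two embedded dumps are the sensor lines from the post with the "MISSING" markers removed; the 10% drift threshold is this example's own choice.

```python
"""Compare two `sysctl hw` dumps and report sensors that vanished, appeared
or drifted between them.

Added example, not from the post. The two dumps below are the sensor lines
Simon posted for 4.1 and 4.2 (values copied from the post, "MISSING"
markers dropped); the regex follows the
`hw.sensors.<dev>.<name>=<value> <unit> (<label>)` layout of those lines.
"""
import re

SENSOR_RE = re.compile(
    r"^hw\.sensors\.(?P<dev>[^.]+)\.(?P<name>\w+)=(?P<value>-?[\d.]+)\s+(?P<unit>\S+)"
    r"(?:\s+\((?P<label>[^)]*)\))?\s*$"
)


def parse_sensors(text: str) -> dict:
    """Map (device, sensor) -> (value, unit, label); non-sensor lines are ignored."""
    sensors = {}
    for line in text.splitlines():
        m = SENSOR_RE.match(line.strip())
        if m:
            key = (m["dev"], m["name"])
            sensors[key] = (float(m["value"]), m["unit"], m["label"] or "")
    return sensors


def compare_sensors(before: dict, after: dict, drift: float = 0.10):
    """Return (missing, new, drifted). A sensor has drifted when it exists in
    both dumps with the same unit and its value moved by more than `drift`
    (a fraction of the old value); the threshold is this example's choice."""
    missing = sorted(k for k in before if k not in after)
    new = sorted(k for k in after if k not in before)
    drifted = []
    for key in sorted(before):
        if key not in after or before[key][1] != after[key][1]:
            continue
        old, now = before[key][0], after[key][0]
        if old != 0 and abs(now - old) / abs(old) > drift:
            drifted.append((key, old, now))
    return missing, new, drifted


SYSCTL_41 = """\
hw.machine=i386
hw.sensors.lmenv0.temp1=23.00 degC (Internal)
hw.sensors.lmenv0.fan0=2647 RPM
hw.sensors.lmenv0.fan1=3970 RPM
hw.sensors.lmenv0.volt0=1.52 VDC (+2.5Vin)
hw.sensors.lmenv0.volt1=1.66 VDC (Vccp)
hw.sensors.lmenv0.volt2=3.30 VDC (+Vcc)
hw.sensors.lmenv0.volt3=5.08 VDC (+5Vin/Vcc)
hw.sensors.lmenv0.volt4=12.38 VDC (+12Vin)
hw.sensors.lmenv0.volt5=2.43 VDC (Vccp)
hw.cpuspeed=599
"""

SYSCTL_42 = """\
hw.machine=i386
hw.sensors.lmenv0.temp1=28.00 degC (Internal)
hw.sensors.lmenv0.volt0=1.50 VDC (+2.5Vin)
hw.sensors.lmenv0.volt1=1.69 VDC (Vccp)
hw.sensors.lmenv0.volt2=3.27 VDC (+Vcc)
hw.sensors.lmenv0.volt3=5.05 VDC (+5Vin/Vcc)
hw.sensors.lmenv0.volt4=12.00 VDC (+12Vin)
hw.sensors.lmenv0.volt5=2.40 VDC (Vccp)
hw.sensors.lmenv0.volt6=2.48 VDC (AIN1)
hw.sensors.lmenv0.volt7=1.66 VDC (AIN2)
hw.cpuspeed=599
"""


def report(old_text: str = SYSCTL_41, new_text: str = SYSCTL_42) -> list:
    """Human-readable lines for the post-upgrade check."""
    missing, new, drifted = compare_sensors(parse_sensors(old_text), parse_sensors(new_text))
    lines = [f"missing: {dev}.{name}" for dev, name in missing]
    lines += [f"new:     {dev}.{name}" for dev, name in new]
    lines += [f"drifted: {dev}.{name} {old:g} -> {now:g}" for (dev, name), old, now in drifted]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the post's own data the check reports fan0 and fan1 missing, volt6 and volt7 new, and temp1 drifting from 23 to 28 degC (the two dumps came from different boxes, so the drift is expected here; on the same box it would be worth a look).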

Re: nokia IP120 problem

2006-10-19 Thread Simon Slaytor
I've got three 120's and six 330's all running OBSD not a problem with 
any of them.


In each case I removed checkpoint and moved to OpenBSD. Saved a shed 
load of money, got better performance, security and features.


'Checkpoint Rocks', only if you're selling the damn thing and taking your cut!

It may not be much but in each case I have bought a full copy of OpenBSD 
for each platform, I'm just about to order up another 10 copies of 4.0. 
Even after all this it's going to cost me way less than a grand. Now 
compare that to the single High Availability license I just bought for 
an existing Checkpoint box, £5k! and that didn't include the primary fw 
license!



[EMAIL PROTECTED] wrote:

I've had some experience with the IP120. They're all bad.
The IP330 however, had no problems at all. In my opinion, the IP120 has
bad hardware. Nokia replaced our IP120's with other IP120's. That didn't
solve anything. It kept locking up randomly.

I don't know how their IP130 are, but the 120's sucked big time.

Checkpoint rocks however.

Nils

-Original Message-
From: Denis Doroshenko [mailto:[EMAIL PROTECTED] 
Sent: Wednesday 18 October 2006 23:58

To: misc@openbsd.org
Subject: nokia IP120 problem

hello guys,

have seen a few mails recently on the list about these routers.
i have got my hands on one (sticker at the bottom says it is
"IP110", sticker at the top says it is "IP120").

i saw the mails recently WRT software reboot, but that's the
least problem with mine. the poor beast locks solid after a random
period of time (that's why it came to me). have thrown out that bloody
early-fbsd-hacked-into-ipso and put on the latest snapshots. well
it locks still, even at the boot prompt! ethernet leds go off and
the box rests endlessly.

no documentation is available and i didn't find much via
googling either. maybe somebody can help me with
information for these? there is some kind of BIOS there,
is it accessible via console or otherwise? are there any other
settings (switches etc.) that can be causing the locking,
maybe it can be debugged somehow?

thanks in any case...




Re: nokia IP120 problem

2006-10-19 Thread Simon Slaytor

Hi Denis,

First off, an IP120 and OBSD combination is a beauty; there are a couple 
of gotchas. The first, and recently discussed, being the reboot, or lack 
of. The second being the non-standard ROM location for the on-board 
NICs, resulting in the fxp driver not being able to read the actual 
MAC addresses.


Both of these are easily worked around and once done the units are 100% 
solid.


The units have a 'traditional' PC BIOS, however you will need a full 
handshaking null modem cable to access it. A standard null modem will 
only work for output following the POST.


From what you've said it sounds like a hardware problem not a software 
one. Things to check are the brick power supply, the hard drive and the 
passive heatsink on the CPU, obvious I know but.


They're worth the effort but are never going to be the most powerful device.

Regards

Simon


Denis Doroshenko wrote:

hello guys,

have seen a few mails recently on the list about these routers.
i have got my hands on one (sticker at the bottom says it is
"IP110", sticker at the top says it is "IP120").

i saw the mails recently WRT software reboot, but that's the
least problem with mine. the poor beast locks solid after a random
period of time (that's why it came to me). have thrown out that bloody
early-fbsd-hacked-into-ipso and put on the latest snapshots. well
it locks still, even at the boot prompt! ethernet leds go off and
the box rests endlessly.

no documentation is available and i didn't find much via
googling either. maybe somebody can help me with
information for these? there is some kind of BIOS there,
is it accessible via console or otherwise? are there any other
settings (switches etc.) that can be causing the locking,
maybe it can be debugged somehow?

thanks in any case...




Re: chrooted sftponly - how ?

2006-09-18 Thread Simon Slaytor

I'm sure the people behind

http://chrootssh.sourceforge.net/index.php

would argue about it being impossible.

Before I saw the light and went OpenBSD I used these patches on an FC1 
box and it worked like a charm, doing exactly what you're after.


I've not tried to replace the OpenSSH install on OpenBSD with a patched 
version always assuming it would break horribly.


If you get it working let me know as I'd love to be able to chroot 
SSH/SFTP again.



Bambero wrote:

You can create a systrace policy for a sshd instance dedicated to sftp
service


This seems to be a better way.
Whatever, it would be nice to have a builtin chroot in sftp-server, such
as in ftpd. But I suppose it's technically impossible.

Thanks for help
Bambero




Re: SMS from OpenBSD

2006-08-18 Thread Simon Slaytor

Tomas wrote:

Hi list,

I was wondering is there any way to send SMS messages from OpenBSD OS? 
May be there is any program to do such task?




I use QPAGE on 3.6 (yes I know) and it works very well, although it uses 
an older style TAP gateway via a modem as its transport, so if you're 
looking for 'internet' SMS it's not for you.




Re: dynamic dns update

2006-06-02 Thread Simon Slaytor

DDCLIENT works well for me on 3.7


riwanlky wrote:


Hi,

I would like to know if OpenBSD has the capability to update my 
dynamic IP at www.dyndns.org.


I am currently running myDYNIPPRO on Windows to update my dynamic IP. 
I want to move to OpenBSD. I currently have sendmail, popa3d, mrtg and mySQL 
running on the machine.

Thanks and best regards,
Riwan




Re: aliases with carp

2006-04-10 Thread Simon Slaytor

I'm running 3.8-release with a pair of CARP'd firewalls, carp0 has two 
additional aliases and everything's working well.

The only difference is that in my hostname.carp0 I don't specify the VHID/PASS 
etc on the alias lines.

i.e. your file is 


inet 1.2.3.2 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 0
inet alias 1.2.3.6 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 127


My equivalent is

inet 1.2.3.2 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0
inet alias 1.2.3.6 255.255.255.0 1.2.3.255

Try trimming down your alias lines and see if that helps. Might be a shot in the 
dark but you never know.
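
The trimmed file above (CARP parameters on the primary address line only, aliases carrying nothing but address, netmask and broadcast) is easy to enforce mechanically before the file is pushed to both nodes of a pair. The following is an added example, not code from this post or from OpenBSD: it scans the two line shapes shown above rather than implementing all of hostname.if(5), rewrites alias lines to the trimmed form, refuses a primary line that lacks the parameters CARP cannot run without, and warns when a stripped alias keyword disagreed with the primary (the original poster's `advskew 127` against `advskew 0` is exactly that case).

```python
"""Trim a hostname.carp0 so the CARP parameters live only on the primary
address line, the layout Simon's working file uses.

Added example, not from the post; it scans the two line shapes shown there
(`inet addr mask bcast [keyword value]...` and `inet alias ...`) rather than
implementing all of hostname.if(5).
"""
# CARP keywords that take one argument (ifconfig(8)); an alias line that
# repeats them is at best redundant and at worst disagrees with the primary.
CARP_KEYWORDS = ("vhid", "pass", "carpdev", "advskew", "advbase")


def parse_line(line: str):
    """Split an inet line into (is_alias, [addr, mask, bcast], {keyword: value});
    None for anything that is not an inet line."""
    tokens = line.split()
    if not tokens or tokens[0] != "inet":
        return None
    is_alias = len(tokens) > 1 and tokens[1] == "alias"
    rest = tokens[2:] if is_alias else tokens[1:]
    positional, params = [], {}
    i = 0
    while i < len(rest):
        if rest[i] in CARP_KEYWORDS and i + 1 < len(rest):
            params[rest[i]] = rest[i + 1]
            i += 2
        else:
            positional.append(rest[i])
            i += 1
    return is_alias, positional, params


def normalize(text: str):
    """Return (lines, warnings): alias lines with their CARP keywords
    stripped, plus a warning for each stripped keyword whose value differed
    from the primary line. Raises ValueError if the primary line lacks the
    parameters CARP cannot run without."""
    out, warnings, primary = [], [], None
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            out.append(raw)  # comments, other families: passed through untouched
            continue
        is_alias, positional, params = parsed
        if not is_alias:
            for needed in ("vhid", "pass", "carpdev"):
                if needed not in params:
                    raise ValueError(f"primary line missing '{needed}': {raw}")
            primary = params
            out.append(raw)
            continue
        for k, v in params.items():
            if primary is not None and primary.get(k, v) != v:
                warnings.append(f"alias {positional[0]}: {k} {v} differs from primary {k} {primary[k]}")
        out.append(" ".join(["inet", "alias", *positional]))
    return out, warnings


# The file from the post, as the original poster had it.
ORIGINAL = """\
inet 1.2.3.2 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 0
inet alias 1.2.3.6 255.255.255.0 1.2.3.255 vhid 1 pass foo carpdev em0 advskew 127
"""

if __name__ == "__main__":
    lines, warnings = normalize(ORIGINAL)
    print("\n".join(lines))
    for w in warnings:
        print("warning:", w)
```

Running it on the original poster's file yields Simon's trimmed layout plus one warning about the conflicting advskew, which is the kind of silent disagreement that makes two CARP nodes behave differently for the same vhid.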



Re: ADSL with pppoa (over ATM)

2006-03-22 Thread Simon Slaytor
My understanding is that to operate in 'full bridge mode' requires pppoe 
support from the provider. Which is where this thread started.


Donald J. Ankney wrote:

Has anybody done this through a full bridge? My Actiontech isn't 
nearly as friendly with its options...


Simon Slaytor wrote:


Half Bridge mode is your friend here.

Not sure if the D-Link supports this mode however, Google is less 
than helpful. Essentially in half bridge mode the modem handles the 
PPPoA authentication with the ISP, as in NAT mode obtaining an IP 
address from the remote provider as normal. Unlike NAT mode however 
the modem then leases out this exact same IP address to the connected 
ethernet host, thereby presenting the external IP directly to your 
external ethernet port. Finally the modem begins to transparently 
bridge the ADSL/Ethernet connections.


I can vouch for Zoom X3/4 and ADSL Nation X-Modems working in this 
mode without issue.




Re: ADSL with pppoa (over ATM)

2006-03-21 Thread Simon Slaytor

Half Bridge mode is your friend here.

Not sure if the D-Link supports this mode however, Google is less than 
helpful. Essentially in half bridge mode the modem handles the PPPoA 
authentication with the ISP, as in NAT mode obtaining an IP address from 
the remote provider as normal. Unlike NAT mode however the modem then 
leases out this exact same IP address to the connected ethernet host, 
thereby presenting the external IP directly to your external ethernet 
port. Finally the modem begins to transparently bridge the ADSL/Ethernet 
connections.


I can vouch for Zoom X3/4 and ADSL Nation X-Modems working in this mode 
without issue.




Re: Carp, isakmpd & sasyncd

2006-03-17 Thread Simon Slaytor

Theo's e-mail wasn't too encouraging, but I have VPN's with both a Cisco PIX
and another OpenBSD 3.8 box.  The OpenBSD box is the one I'm getting the
most logs for.

-Steve S.
 

Odd, I rechecked my HA pair connecting to the GNAT / OBSD boxes defo no 
entries in the logs.


Yes Theo's note gave me pause for thought, however for me at least 
SASYNCD is doing what I need and appears 'stable enough'


I'm eagerly waiting to see how the devs move this forward, elegant fail 
over back to a recovered primary would be nirvana.




Re: Carp, isakmpd & sasyncd

2006-03-16 Thread Simon Slaytor

Hey Steve,

I have two logical external firewalls, each configured as 3.8-stable HA 
pairs using PFSync, CARP, SASync etc.


On my first firewall I see exactly this with 1 VPN terminating to a 
Checkpoint R60 (NGX) HA Cluster. However the VPN is 100% stable and VPN 
fail over works 9 out of 10 times; on the 10th occasion failover appears 
to work but no traffic flows.


On my second firewall I see no such entries, 3 x VPNs, 2 terminating on 
GNAT1000 boxes (FreeSwan?) the other a single 3.8-stable box. 100% 
stable, VPN failover works every time.


I have used the traditional isakmpd.conf method of configuring the 
VPN's. In both cases the OBSD boxes replaced Checkpoint R55 boxes, 
during my extensive testing with a R55 box at one end, non HA and OBSD 
at the other I again saw no such entries. I therefore wonder if it could 
be a R60 thing or a CP HA thing?


What IPSec device(s) are at the other end of your VPN(s)?

Steven S wrote:


Are these messages "normal" for a carped pair of firewalls running isakmpd
with sasyncd (3.8-stable)?

FW1/master - /var/log/message:
Mar 16 01:37:40 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:40 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port
500 due to notification type INVALID_COOKIE
Mar 16 01:37:45 fw1 isakmpd[32692]: message_recv: invalid cookie(s)
222729dc227c8f28 a0d29ef92ee65243
Mar 16 01:37:45 fw1 isakmpd[32692]: dropped message from x1.x2.x3.178 port
500 due to notification type INVALID_COOKIE

FW2/backup - /var/log/message:
Mar 16 01:35:49 fw2 isakmpd[5980]: transport_send_messages: giving up on
exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500
Mar 16 01:37:49 fw2 isakmpd[5980]: transport_send_messages: giving up on
exchange ISAKMP-peer, no response from peer x1.x2.x3.178:500

-Steve S.




Re: openbsd 3.8 on a nokia ip110 and the reboot problems (it hangs after a soft reboot)

2006-02-20 Thread Simon Slaytor
Same deal on an IP120, thankfully for me my IP120 is local, as such on 
the rare occasion that I need to reboot it I simply 'halt' it then hit 
the reset switch.




Re: Need advice about VPN

2006-01-19 Thread Simon Slaytor
Stuart Henderson wrote:

>On 2006/01/19 09:38, Simon Slaytor wrote:
>
>>When comparing the two vpn solutions for speed, subjectively the OpenVPN 
>>feels slightly faster
>
>If you're using compression on OpenVPN but not on IPSEC, that would
>probably explain the speed difference.
>
Agreed, any idea on how the cyphers compare, i.e. 3DES v Blowfish, in 
regard to CPU overhead?

I was not trying to suggest that this was a like for like comparison. I 
was merely trying to get the point across that OpenVPN is a viable 
alternative.



Re: Need advice about VPN

2006-01-19 Thread Simon Slaytor

Going to go against the flow here and say go for OpenVPN.

This recommendation is based on the following observations:

It's easy to implement
It's secure
It's stable
By using the tls-auth option the fact that your firewall is acting as a 
vpn endpoint becomes invisible to the 'net'

It easily handles NAT'ing firewalls with no special NAT requirements
Will easily work with dynamic DNS clients as end points.
Works well with OpenBSD

In your scenario you could set up a single central OpenVPN/CA server to 
act as a VPN concentrator; your 2nd site and your two colo servers could 
then act as 'clients', making admin and setup very straightforward.


With regard to the speed of IPSec v OpenVPN (SSL/TLS), we use IPSec for 
site to site VPN's (3DES+PFS) where each end has a static IP and OpenVPN 
(Blowfish) for our 'road warriors'


The IPSec VPN's terminate onto a 3.8 box with a 450Mhz CPU (K62)
OpenVPN runs on a separate 3.8 box behind the firewall and uses a PII 
450Mhz CPU


When comparing the two vpn solutions for speed, subjectively the OpenVPN 
feels slightly faster, but there's not much in it and the different 
encryption schemes may well account for the speed variance. We don't push 
a lot of traffic through the VPNs hence I can get away with low power 
hardware. However what I'm trying to say is that running OpenVPN doesn't 
require a large amount of horsepower and is no disadvantage over IPSec.


Regards

Simon
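
The tls-auth point above is the one most worth understanding: with a shared static key in play, every control-channel packet carries an HMAC that is checked before any TLS state is created, and a packet without a valid tag is dropped without any reply, so the VPN port is indistinguishable from a closed one to anyone who lacks the key. The following is an added example, not OpenVPN code and not its wire format: real tls-auth covers the packet header plus a packet-id and timestamp for replay protection and uses direction-specific halves of ta.key, none of which is modelled here. The key bytes and packet names are constructed stand-ins; the opcode names follow OpenVPN's but the payloads are not real handshake messages.

```python
"""What OpenVPN's tls-auth buys you, modelled in a few lines.

Added example, not OpenVPN code and not OpenVPN's wire format: real tls-auth
keys an HMAC (SHA1 by default) over each control-channel packet together
with a packet-id and timestamp for replay protection, using direction-specific
halves of the static ta.key. The model keeps only the property Simon points
at: a packet that does not carry a valid HMAC is discarded before any TLS
handshake state is touched, and nothing is sent back.
"""
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes

# Constructed stand-in for the shared ta.key; a real one is generated once
# with `openvpn --genkey` and copied to every peer out of band.
TA_KEY = bytes.fromhex("0f" * 64)


def tag_packet(key: bytes, payload: bytes) -> bytes:
    """Prefix the payload with HMAC-SHA1(key, payload)."""
    return hmac.new(key, payload, hashlib.sha1).digest() + payload


def verify_packet(key: bytes, packet: bytes):
    """Return the payload if the tag checks out, else None. compare_digest
    keeps the comparison constant-time so a tag cannot be guessed byte by byte."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(tag, expected) else None


class ControlChannel:
    """One endpoint's receive side. Only authenticated packets produce a reply
    (or, in the real daemon, reach the TLS layer); everything else is dropped."""

    def __init__(self, key: bytes):
        self.key = key
        self.dropped = 0
        self.accepted = 0

    def receive(self, packet: bytes):
        payload = verify_packet(self.key, packet)
        if payload is None:
            self.dropped += 1
            return None  # silent drop: no reply, no TLS alert, no state allocated
        self.accepted += 1
        return tag_packet(self.key, b"P_CONTROL_HARD_RESET_SERVER_V2:" + payload)


def simulate() -> dict:
    """Feed one keyed packet and two unauthenticated ones to a server."""
    server = ControlChannel(TA_KEY)
    good = server.receive(tag_packet(TA_KEY, b"P_CONTROL_HARD_RESET_CLIENT_V2"))
    bare = server.receive(b"P_CONTROL_HARD_RESET_CLIENT_V2")  # no tag at all
    wrong = server.receive(tag_packet(os.urandom(64), b"P_CONTROL_HARD_RESET_CLIENT_V2"))  # wrong key
    return {
        "good_replied": good is not None and verify_packet(TA_KEY, good) is not None,
        "bare_replied": bare is not None,
        "wrong_key_replied": wrong is not None,
        "dropped": server.dropped,
        "accepted": server.accepted,
    }


if __name__ == "__main__":
    print(simulate())
```

The same property is why tls-auth also cheaply absorbs junk sent at the port: each packet costs one HMAC to reject, never a TLS handshake or a heap allocation for session state.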



GNOME PANEL unexpectedly quits

2005-12-14 Thread Simon Slaytor

Hi Folks,

I've Googled until I'm blue in the face and checked the bug reporting 
system and cannot find an answer to my problem.


I have just completed two 3.8 release installs on two different hardware 
platforms, both i386 but one a Celeron D / 75xx chipset box (Gigabyte 
SR147S server chassis) and the other a PIII / 815 chipset box.


On both platforms I've also installed GNOME from the release packages.

The problem I'm having is that on both installs when running in a GNOME 
session the GNOME-PANEL quits at various random times and during 
different operations, although only when interacting with the panel.


As this occurs on both platforms I can discount a hardware problem but 
Google only shows one other post on the problem, which appears to have 
been dismissed due to lack of information.


Does anyone else have this issue and if so is there a workaround?

Thanks for any replies

Simon


DMESG from SR147S (Gigabyte Server)

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,CNXT-ID
real mem  = 535859200 (523300K)
avail mem = 482045952 (470748K)
using 4278 buffers containing 26894336 bytes (26264K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(dc) BIOS, date 12/13/04, BIOS32 rev. 0 @ 0xfd5e6
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd550/0xab0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdeb0/304 (17 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 3 function 0 "Intel 82875P PCI-CSA" rev 0x02
pci1 at ppb0 bus 1
em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq 10, address: 00:0d:61:7c:2c:ca
ppb1 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci2 at ppb1 bus 2
uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 5300ESB USB" rev 0x02: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 7
usb2 at ehci0: USB revision 2.0
uhub2 at usb2
uhub2: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
ppb2 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a
pci3 at ppb2 bus 3
vga1 at pci3 dev 5 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em1 at pci3 dev 10 function 0 "Intel PRO/1000MT (82541GI)" rev 0x00: irq 5, address: 00:0d:61:7c:2c:cb
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
pciide0 at pci0 dev 31 function 2 "Intel 6300ESB SATA" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
"Intel 6300ESB SMBus" rev 0x02 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
sysbeep0 at pcppi0
it0 at isa0 port 0x290/8: IT87
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ebe5 netmask efe5 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



Re: Help with lpd and XP

2005-12-05 Thread Simon Slaytor
Same issue when using the CUPS LPD daemon so it's not an LPD thing, 
surprise surprise it looks like a Windows thing.


Greg Thomas wrote:


On 12/4/05, Steve Murdoch <[EMAIL PROTECTED]> wrote:


Any issues I had printing from XP went away when I enabled LPR Byte
counting in the LPR port settings.




Any ideas why that is?

Greg




Re: Help with lpd and XP

2005-12-02 Thread Simon Slaytor
Why not use CUPS? With the CUPS LPD daemon it works like a charm for us. 
Just enable RAW and LPR Byte accounting on your Windows XP hosts. When 
configuring the CUPS printer again choose a RAW device to ensure 
straight pass through from your Windows PC to the printer.


I seem to remember a problem when I was setting up the same scenario as 
you using FreeBSD. When trying to print from a Windows host using 
LPR/LPD the FBSD LPD daemon expects connections from a certain TCP/IP 
port on the connecting host, but Windows doesn't use the said port for 
its LPR connections. Hence the connections are being rejected. This may 
not apply to OBSD's LPD implementation but you never know.


Sorry I can't remember more, it was a long time ago before CUPS became 
really useful.


Try googling.

Greg Thomas wrote:


On 12/2/05, Fred Crowson <[EMAIL PROTECTED]> wrote:


Greg Thomas wrote:


Ok, I decided to switch from using a little Linksys 802.11b parallel
print server to using my OpenBSD box for printing to my one printer.
Printing locally works fine but I'm having trouble printing from XP.

[EMAIL PROTECTED]:/home/ethant# cat /etc/printcap
#   $OpenBSD: printcap,v 1.4 2003/03/28 21:32:30 jmc Exp $
#
lp|:\
:sh:sf:lp=/dev/lpt0:sd=/var/spool/output:lf=/var/log/lpd-errs:

[EMAIL PROTECTED]:/home/ethant# lpq
Warning: no daemon present
Rank   Owner  Job  Files Total Size
1stethant 9Test Page 0 bytes

[EMAIL PROTECTED]:/home/ethant# ps waux |grep lpd
daemon7435  0.0  0.9   180   556 ??  Ss10:22PM0:00.03 /usr/sbin/lpd

[EMAIL PROTECTED]:/home/ethant# sudo lprm 9
cannot dequeue dfA009LOCUST
cfA009locust.2fortheroad.net dequeued

And I get a bunch of these in /var/log/lpd-errs until I rm everything
in /var/spool/output:

Dec  1 22:31:06 grits lpd[15269]: locust.2fortheroad.net
Dec  1 22:31:06 grits lpd[15269]: link tfA009locust.2fortheroad.net
cfA009locust.2fortheroad.net: File exists
Dec  1 22:31:14 grits lpd[5050]: locust.2fortheroad.net
Dec  1 22:31:14 grits lpd[5050]: link tfA009locust.2fortheroad.net
cfA009locust.2fortheroad.net: File exists
Dec  1 22:31:22 grits lpd[21910]: locust.2fortheroad.net
Dec  1 22:31:22 grits lpd[21910]: link tfA009locust.2fortheroad.net
cfA009locust.2fortheroad.net: File exists
Dec  1 22:31:30 grits lpd[17060]: locust.2fortheroad.net
Dec  1 22:31:30 grits lpd[17060]: link tfA009locust.2fortheroad.net
cfA009locust.2fortheroad.net: File exists
Dec  1 22:31:38 grits lpd[23270]: locust.2fortheroad.net
Dec  1 22:31:38 grits lpd[23270]: link tfA009locust.2fortheroad.net
cfA009locust.2fortheroad.net: File exists

I saw a similar message on misc back in August but no resolution.
What am I doing wrong?

Thanks,
Greg



Hi

Have you tried using samba to share the printer with XP?




No, I'll just go back to running the wireless print server before I
bother with samba.  I just wanted to reduce the number of devices
here.  The little print server runs lpd so I don't know why I'm having
problems with XP and OpenBSD's lpd.

Thanks,
Greg




ISAKMPD / SASYNCD

2005-11-25 Thread Simon Slaytor

Hi Folks,

Sorry but I need to ask what some will see as an obvious and stupid 
question, so feel free to shoot me down in flames but please answer the 
question :-)


I have a pair of 3.8 boxes, each with 3 interfaces xl0,xl1 and rl0 
configured as a redundant firewall using CARP, PFSYNC and SASYNCD (for 
my ipsec VPN's configured with isakmpd.conf & .policy)


Carp0 (Internet) is bound to XL0 on both firewalls, CARP1 (Internal) is 
bound to XL1 with rl0 being used for PFSYNC and SASYNCD traffic, with me 
so far?


Ok the pair work like a charm, fail over and recovery work, SA & SPD's 
are synced on both boxes, I couldn't be happier.


Now for the silly question:

I know SASYNCD doesn't do any fail over so by default I have ISAKMPD 
started on both machines.


Now looking at the message log on the 'secondary' box I see ISAKMPD 
logging lots of messages about no response from the remote peer, which 
sounds right as the VPN's established with the ISAKMPD daemon running 
on the primary box.


Looking at the primary box I get a lot of 'bad cookie' errors which seem 
to correspond to the secondary's attempts to connect to the remote peer. 
Although the VPN is running sweetly.


Is this right or should I instead use ifstated to monitor the CARP0 
interface and start ISAKMPD on the secondary box only when the primary 
fails?


During my testing phase using only OBSD boxes for local and remote peers 
IPSec fail over worked, now in the 'live' config where the remote peer 
is a Checkpoint R56 HA pair the primary VPN works but fail over doesn't 
appear to.


Many thanks, asbestos undies at the ready ;-)

Simon



Re: Anyone tried this hardware raid solution?

2005-10-12 Thread Simon Slaytor
Not that particular solution but I have used several of these without 
problem.


http://www.arcoide.com/disk_raidcase.php

Not tried their SATA solutions, they currently don't do one with 'hot 
plug' cages but do have the following:


http://www.arcoide.com/ezraid_3.5_dd4_baymount.php

Regards

Simon


Jean-Daniel Beaubien wrote:


Hi everyone,


I am wondering if anyone tried this 
(http://www.allmediait.com/html/araid.html) hardware raid solution.  
It seems to only support PATA.  Anyways I was just wondering if anyone 
had any experiences with this box.  Anyone ever compared it to an 
Accusys 7500?


On a side note, does anyone know of a hardware raid solution similar to this or 
to Accusys's 7500 solution but SATA?



Jd


http://www.allmediait.com/html/araid.html




Re: OpenBSD on Nokia IP3300?

2005-10-05 Thread Simon Slaytor

Not an IP330 but I am currently running 3.6 on an IP120.

Install was done on a surrogate PC and the hard drive transferred over to 
the 120 after install.


Whilst the AMD processors aren't the most sprightly, my little 120 is 
running a 3DES VPN with PSK between it and a Checkpoint NG box and 
achieving quite respectable throughput.


Don't forget to redirect the serial console!





Mattias R. Lindgren wrote:


Hello everyone.

Has anyone tried running openbsd on a Nokia IP3300?  It is a 1U unit with an
AMD processor, 256mb ram and a 20gb hdd.  It has 2 serial interfaces and 3
intel pro 100's.  They are very inexpensive to pick up on ebay, so I was
wondering if anyone has attempted an install?  I would think it should work
pretty easily?

Thanks,

Mattias




Re: stupid litte "speaker beep" that doesn't stop

2005-09-28 Thread Simon Slaytor

Hi Didier,

This is not much help I know, but I also suffered from the same problem 
with 3.8 and interestingly enough it was also a Foxconn board, this time 
however sporting an Athlon XP.


The only solution I found was to disconnect the speaker.

Unfortunately the box is currently doing firewall / WiFi Access Point 
duties in an International Chess tournament's competitors' LAN so I can't 
provide a dmesg or model number.


Regards

Simon



Re: [OT] Question about vpn and athorization between OpenBSD and Windows clients

2005-09-07 Thread Simon Slaytor
Why not give OpenVPN a try? It works well with OpenBSD and Windows XP and 
has various options for password protection along with a nice 'stealth' 
mechanism preventing it from appearing to non-authorised clients.


http://openvpn.net


Tomas wrote:


Hello,

Please, can someone give me a clue how to setup a vpn with authentication.
I've set up a vpn between Windows clients and OpenBSD server, everything
works fine. But since most of our clients are using ADSL lines and their
IP's aren't static I had to allow the whole world to connect to my vpn
server and my internal network. There are a lot of PCs with Windows XP with
firewalls enabled in my internal network, so when a client comes with a
different IP each time he can't connect to Windows PCs because their IPs
aren't listed in windows firewalls. So I decided to somehow authenticate
those users and give them one of the internal IPs. But I don't even have a
clue how to do that. First thing I thought of was authpf, but it only works
with ssh clients. So maybe can someone help me? 




Re: BSD PPPoA Hardware

2005-09-01 Thread Simon Slaytor
Currently using a Zoom X4 modem in half bridge mode with 3.6 stable and 
haven't had any problems with dhclient obtaining a lease from the modem, 
so maybe it's a 3.7 thing?

I'm just about to move to 3.7 current so this is worthwhile knowing.

Many thanks.

Nathan Gould wrote:

>Just for interest, I've set this up successfully using a Zoom X4 (about #45)
>using half bridge but originally ran into problems getting the OBSD box to
>collect the address via DHCP on the external interface when in this mode (no 
>such
>problems without half-bridge).
>
>Eventually, narrowed it down to the default route being allocated.  A slighltly
>modified dhclient-script later, specified in dhclient.conf, and all works 
>perfectly.
>
><
>81c80
><   route add default -iface $new_ip_address >/dev/null 
>2>&1
>---
>  
>
>>  route add default $router >/dev/null 2>&1
>>
>>
>85d83
><
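Review bot: the `route add default -iface $new_ip_address` line in the `81c80` hunk replaces the router-based default route unconditionally, so the modified script no longer honours a `$router` handed out by any ordinary DHCP server the box is later attached to; guard the `-iface` form on the half-bridge case (for example only when no routers option is offered or it equals the leased address) and otherwise keep `route add default $router`. The `85d83` hunk deletes a line that is not visible in the quote, so a unified diff (`diff -u`) of dhclient-script would make that part reviewable.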
>
> Msg sent via @Mail - http://www.advance-internet.com



Re: raid kernel

2005-08-24 Thread Simon Slaytor
One point in favour of a GENERIC RAID Kernel(s), consider when a user 
posts the following request for help:


'I've compiled my own kernel and Xyz is broken'

Now after being on the mailing list for quite a while I know the stock 
answer always seems to be 'drop back to GENERIC and stop playing with 
custom kernels if you want help from this list'. Now if the user is 
using RAID and has APPS/Data etc on a raid volume this isn't exactly 
going to be easy.


Now I 100% understand this thinking and won't raise a complaint against 
it, but as you're now advocating that in order to use a key feature of 
OBSD a custom kernel is 'the way', where does that leave the sys admins 
such as myself when it comes to support from the lists?


Having a GENERIC RAID kernel, with or without various options, would 
at least allow for some alternate yet supported systems, albeit at an 
increased workload for the team.


I'm not currently using any kernel based system so have no axe to grind, 
I'm just making an observation.


just my 2 pence anyway.



Re: PPTP GRE NAT & PF!

2005-08-19 Thread Simon Slaytor

Sorry folks being stupid!

change:

nat on xl1 proto {tcp udp icmp} from 10.190.0.0/16 to any -> 11.11.0.1

to

nat on xl1 proto {tcp udp icmp gre} from 10.190.0.0/16 to any -> 11.11.0.1

of FW1 and

nat on ste0 proto {tcp udp icmp} from 12.12.0.2 to any -> 11.11.0.10

to

nat on ste0 proto {tcp udp icmp gre} from 12.12.0.2 to any -> 11.11.0.10

Solves it.

Foot, mouth, idiot!



PPTP GRE NAT & PF!

2005-08-19 Thread Simon Slaytor
Ok, first off sorry if this is old ground or posted to the wrong list. 
I've come across something a bit odd and I'd like someone who actually 
knows what he's doing, not me, to shed some light on what's going on.


I'm trying to connect a Windows XP Sp2 (yes I know) box to a Win2k 
Server using PPTP across two firewalls. i.e.


Logical layout
[Win XP]  IP/1723 GRE(47) > [Firewall 1] - Internet  
[Firewall 2]--> [Win2k PPTP endpoint]


Subnets:
|---IP 10.190/16 |   [FW]   |--- IP 11.11/16 ---|   [FW]|--- IP 
12.12/16---|


IP

XP-10.190.70.70
FW1 - 10.190.70.66 & 11.11.0.1
FW2 - 11.11.0.2 & 12.12.0.1
Win2k - 12.12.0.2

Win2k Static NAT'd as 11.11.0.10 on FW2 for GRE and IP/1723

Now for my first test Firewall 1 was a Linux 2.6.10 (ubuntu 5.04) box, 
and Firewall 2 was 3.7-current from last month.


Rules on the Linux box are (generalised)

Local LAN -> ANY using IP 1723 / GRE - accept

NAT Local LAN using any ---> WAN Interface

Rules on the OpenBSD box

Any -> Win2k Server using IP 1723 / GRE - accept

NAT Any -> Win2k NAT Address [11.11.0.10] using GRE -- as -- Any 
-> Win2k Internal Address [12.12.0.2] using GRE
NAT Any -> Win2k NAT address [11.11.0.10] using PPTP -- as -- 
Any -> Win2k Internal Address [12.12.0.2] using PPTP
NAT Win2k -> Any using Any  as - Win2k NAT'd address 
[11.11.0.10] -> any using any


ok, hope that makes sense.

In this configuration everything works!

PFLOG on the OBSD box shows PPTP and GRE passing in through NAT and out etc.

PFLOG on FW2:

Aug 19 13:04:47.751613 rule 12/(match) pass in on ste0: 11.11.0.1.57976 
> 12.12.0.2.1723: S 3537467063:3537467063(0) win 64512 1460,nop,nop,sackOK>
Aug 19 13:04:47.751671 rule 14/(match) pass out on ste1: 11.11.0.1.57976 
> 12.12.0.2.1723: S 3537467063:3537467063(0) win 64512 1460,nop,nop,sackOK>
Aug 19 13:04:47.764918 rule 13/(match) pass in on ste0: call 33767 seq 0 
gre-ppp-payload (gre encap)
Aug 19 13:04:47.764952 rule 15/(match) pass out on ste1: call 33767 seq 
0 gre-ppp-payload (gre encap)


no further log entries are generated and the VPN is up and running.

Now if I change FW1 to OBSD 3.7 current, i.e. same as FW2, and create the 
equivalent rule base I get the following on FW2 (yes, 2 not 1):


Aug 19 13:10:03.780470 rule 12/(match) pass in on ste0: 11.11.0.1.56938 
> 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 1460,nop,nop,sackOK>
Aug 19 13:10:03.780529 rule 14/(match) pass out on ste1: 11.11.0.1.56938 
> 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 1460,nop,nop,sackOK>
Aug 19 13:10:03.793545 rule 13/(match) pass in on ste0: call 33767 seq 0 
gre-ppp-payload (gre encap)
Aug 19 13:10:03.793579 rule 15/(match) pass out on ste1: call 33767 seq 
0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795089 rule 16/(match) block in on ste1: call 16384 seq 
0 ack 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795142 rule 16/(match) block in on ste1: call 16384 seq 
1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.794048 rule 16/(match) block in on ste1: call 16384 seq 
2 ack 1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.797300 rule 16/(match) block in on ste1: call 16384 seq 
3 gre-ppp-payload (gre encap)
Aug 19 13:10:06.575114 rule 16/(match) block in on ste1: call 16384 seq 
4 ack 2 gre-ppp-payload (gre encap)


As you can see the newly OBSD FW1 is allowing the same traffic out as 
the Linux box however for some reason FW2 no longer correctly tracks the 
state of the GRE service instead seeing it as a new connection and 
dropping the packets.


Just to confirm, the PF rules on FW2 were not changed; simply changing 
FW1 breaks FW2.


Has anyone any clue why this is happening?

Many thanks in advance.

Simon


PF Rules from FW1:


set optimization Normal

scrub in all fragment reassemble no-df
scrub out all random-id max-mss 1460

nat on xl1 proto {tcp udp icmp} from 10.190.0.0/16 to any -> 11.11.0.1

table  { 10.190.70.66 , 11.11.0.1 }
table  { 10.190.70.66 , 11.11.0.1 , 127.0.0.1 }
table  { 11.11.0.2 , 11.11.0.10 , 12.12.0.1 }

pass out  quick on xl0 inet  from   to any keep state  
label "RULE 0 -- ACCEPT " 

block in   log  quick on xl1 inet  from   to any  label 
"RULE 0 -- DROP " 
block in   log  quick on xl1 inet  from 10.190.0.0/16  to any  label 
"RULE 0 -- DROP " 

pass out  log  quick on xl1 inet  from   to any keep 
state  label "RULE 1 -- ACCEPT " 

pass in   quick on lo inet  from   to any keep state  
label "RULE 0 -- ACCEPT " 
pass out  quick on lo inet  from   to any keep state  
label "RULE 0 -- ACCEPT " 

pass in   log  quick inet proto tcp  from 10.190.0.0/16  to 
 port 22 flags S/SA keep state  label "RULE 0 -- ACCEPT " 
pass in   log  quick inet proto tcp  from 10.190.0.0/16  to 
 port 22 flags S/SA keep state  label "RULE 0 -- ACCEPT " 
pass out  log  quick inet proto tcp  from 10.190.0.0/16  to 
 port 22 flags S/SA keep state  label "RULE 0 -- ACCEPT " 

block in   quick inet  from any  to   label "RULE 1 -- 
DROP " 

pass in   log  quick inet proto 47  from 1
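The pattern in the FW2 log above (PPTP control SYN passed, then GRE return packets for a call id pf never accepted getting blocked moments later) is easy to spot mechanically. This is an added example, not code from the thread: a small pflog analyser that correlates TCP/1723 control connections with GRE pass/block decisions; the sample log is constructed to mirror the quoted lines (wrapped lines rejoined, the mss option restored).

```python
import re
from datetime import datetime

# Parses tcpdump-style pflog output as quoted in the thread; sample below is
# constructed to mirror those lines (wrapped lines rejoined, mss option restored).
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>\w+): (?P<rest>.*)$"
)
GRE_RE = re.compile(r"^call (?P<call>\d+) seq (?P<seq>\d+)")
PPTP_SYN_RE = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > [\d.]+\.1723: S ")


def _parse_ts(ts):
    # syslog-style stamps carry no year; a fixed one keeps the arithmetic consistent
    return datetime.strptime("2005 " + ts, "%Y %b %d %H:%M:%S.%f")


def analyse_pptp_pflog(lines, window_s=10.0):
    """Correlate PPTP control SYNs (TCP/1723) with GRE pass/block decisions.
    "state_failure" is True when GRE is blocked within window_s of a control
    connection pf already passed: GRE is not being translated/tracked with it."""
    control = {}          # (src, sport) -> time the SYN was first passed
    gre_passed = set()    # GRE call ids pf accepted
    gre_blocked = {}      # GRE call id -> number of blocked packets
    state_failure = False
    for line in lines:
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue                      # not a pflog line
        ts, rest = _parse_ts(m.group("ts")), m.group("rest")
        syn = PPTP_SYN_RE.match(rest)
        if syn and m.group("action") == "pass":
            control.setdefault((syn.group("src"), syn.group("sport")), ts)
            continue
        g = GRE_RE.match(rest)
        if not g:
            continue                      # neither PPTP control nor GRE
        call = int(g.group("call"))
        if m.group("action") == "pass":
            gre_passed.add(call)
            continue
        gre_blocked[call] = gre_blocked.get(call, 0) + 1
        if any(0 <= (ts - t).total_seconds() <= window_s for t in control.values()):
            state_failure = True
    return {"pptp_control": len(control), "gre_passed": gre_passed,
            "gre_blocked": gre_blocked, "state_failure": state_failure}


# Constructed sample in the same format as the FW2 log quoted above.
BROKEN_LOG = """\
Aug 19 13:10:03.780470 rule 12/(match) pass in on ste0: 11.11.0.1.56938 > 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:10:03.780529 rule 14/(match) pass out on ste1: 11.11.0.1.56938 > 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:10:03.793545 rule 13/(match) pass in on ste0: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.793579 rule 15/(match) pass out on ste1: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795089 rule 16/(match) block in on ste1: call 16384 seq 0 ack 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795142 rule 16/(match) block in on ste1: call 16384 seq 1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.794048 rule 16/(match) block in on ste1: call 16384 seq 2 ack 1 gre-ppp-payload (gre encap)
""".splitlines()
```

Run over the working log from the Linux-FW1 test (the first four lines only) the same function reports no state failure, which is the quick check to make after adding gre to the nat rule's proto list.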

Re: BSD PPPoA Hardware

2005-08-16 Thread Simon Slaytor

Stuart Henderson wrote:


--On 16 August 2005 16:49 +0100, Simon Slaytor wrote:


There's a nice little racket on ebay.co.uk at the moment with someone
selling 'Nortel E20B ethernet modems' and advertising them as
operating in RFC1483 bridge mode i.e. PPPoE which they do. The seller
does not however tell people that the units won't easily work with
PPPoA connections as found in the UK.



fwiw, PPPoE should work in UK too, it's been in the relevant BT SIN 
for a while now.



FWIW not all of us have BT as our ADSL line provider; I say line as 
obviously the circuit and Internet connectivity aspects of an ADSL 
service can be provided by different companies.


Also, because many of you unfortunates DO have BT and they are rather 
tardy in their replacement schedule for the older PPPoA DSLAMs, the 
statement, whilst slightly generalised, still holds true.




Re: BSD PPPoA Hardware

2005-08-16 Thread Simon Slaytor

J.C. Roberts wrote:


You seem to be confused on your terms. The term "PPPoA" means
Point-to-Point Protocol over ATM (Asynchronous Transfer Mode). I
seriously doubt you're running ADSL over ATM. ;-)

 

He could be right; in the UK PPPoE is very rare, most providers instead 
prefer to present their ADSL connections as pure ATM circuits requiring 
PPPoA.


There's a nice little racket on ebay.co.uk at the moment with someone 
selling 'Nortel E20B ethernet modems' and advertising them as operating 
in RFC1483 bridge mode i.e. PPPoE which they do. The seller does not 
however tell people that the units won't easily work with PPPoA 
connections as found in the UK.


Money for old rope!



Re: BSD PPPoA Hardware

2005-08-16 Thread Simon Slaytor
Another solution is to buy an ethernet modem that supports 'Half Bridge 
Mode'. I have two such units, an ADSL Nation X-Modem and a Zoom X4.


When operating in half bridge the modem does all the PPPoA negotiation 
with the DSL provider to login and obtain an IP address. Once done it 
acts as a DHCP server and leases out the IP address just obtained to the 
connected host.



-Private LAN>(1st Eth Card)[OBSD FIREWALL](2nd Eth 
Card)-->[ADSL Modem]---PPPoA connection-> Internet



Once the link is setup the modem becomes 'transparent' and the OBSD 
sees all traffic from the NET, no reverse NAT, port forwarding or 
anything, and to make life even better the OBSD only needs an Ethernet 
card with DHCP enabled!


I've got a little Nokia IP120 running 3.6 and an EPIAM9000 running 3.7, 
both running in this manner. The Nokia does IPsec with a Checkpoint box 
and the EPIA runs OpenVPN, sweet!





Simon Morgan wrote:


Hi,

I have a PPPoA ADSL connection and would like to use FreeBSD or OpenBSD
as a gateway/server and am looking for compatible hardware that would
facilitate this. I'm specifically looking to avoid combination modem
+ routers and NAT and port forwarding in particular. This will be
a pure routed IP setup. Obviously stability is very important (So
far I've been using a SpeedTouch 330 with Linux which hasn't been
fun).

Does anyone have any suggestions? Any advice is welcome.

Thanks.

Simon




Re: VPN behind a router

2005-08-02 Thread Simon Slaytor
Do you really need to use IPsec? If not try OpenVPN (www.openvpn.org); 
it's an SSL/TLS VPN, it's VERY easy to setup, works like a charm on OBSD 
and is quite happy sitting behind a NAT'd Internet connection. All you 
need to do is reverse PAT UDP 1194 from your router's/Firewall's external 
interfaces to their respective OBSD partners.


It can do Client -> Firewall and Firewall -> Firewall VPNs and any mix 
in between.


And interestingly enough seems quicker than my 3.6->Checkpoint IPsec VPN.

Just a suggestion.

Helio Santana wrote:


Hi,
first excuse my english, please.

I'm trying to make a VPN between 2 computers with OpenBSD behind a
router that connected to internet (See schema)

Private LAN4 -- OBSD_4  Router_4  Internet  Router_5
- OBSD_5  Private LAN5

Every OBSD has 2 net cards 1 connected to router, and the other to the
hub in private lan.

I have made all steps explained in "man vpn".
My private Lan's are 192.168.4.0/24 and 192.168.5.0/24. The Lan
between OBSD and router's are 192.168.41.0/24 and 192.168.51.0/24.

Routers redirect all incoming traffic to their respective OBSD and have
their Firewalls disabled.

External IP Router_4 is A.B.C.D, External IP Router_5 is W.X.Y.Z

All computers in LAN4 have access to internet and can make a ping to W.X.Y.Z...

I can make an ssh connection from OBSD_4 to OBSD_5... even from a
connection from Internet I can make a ping, etc.

The only way I have made it possible to connect the VPN is configuring
routers as modems (I don't know what's the name of this in english, in
spanish 'monopuesto').

But I need to do configuring both routers as routers (in spanish 'multipuesto').

Thanks in advance,
Helio.




Re: OpenBSD in commercial firewalls?

2005-06-15 Thread Simon Slaytor

Ray Percival wrote:


If it is the latter there is strong evidence that IPSO (The OS on Nokia
and Checkpoint based firewalls) is derived from OpenBSD. 


Nokia say that IPSO is based on FreeBSD



PKG_ADD Gnome on 3.7 PPC

2005-06-07 Thread Simon Slaytor

Hi Folks,

Just a quick one as I think I'm going mad.

I've just installed 3.7 on my G4 PowerMac, smooth install, no problems!

Now I've started adding GNOME 2.8 from the packages collection, however 
when I try and add GNOME-SESSION-2.8.1 pkg_add complains about the 
missing package GNOME-APPLETS2-2.8.2p0, and quite rightly too as I don't 
have it.


Now comes the problem: neither do any of the FTP sites I've checked. It 
exists in the 3.6 ppc packages, albeit in an older 2.6 form.


Can anyone shed any light on where the missing package has gone?

Will gladly supply a very big stick however if I've missed something 
obvious.


Thanks

Simon