Re: 5.0 kernel won't compile on 4.9 i386 system
Thanks David, I tried different settings for the type of VM and in the end the random results I got seem to have been caused by my Alcor CF card reader. Whenever that device was plugged into the vm OpenBSD would find it very hard to boot. Sometimes hanging at mtrr, other times at fdc0. Seemingly random sometimes.

Either way, I've got my alix router set up now and mostly thanks to the support of the community, thank you all.

P.S. I did end up compiling my own kernel after all, I realize there was probably no need for this. I didn't use the github link I pasted because that config was outdated and in fact produced a kernel binary of 50MB in size while the GENERIC one is 8MB. So I ended up with a kernel binary of 5MB with no optimizations at all other than removing devices I wouldn't need on an embedded board. So clearly there's little to gain from compiling your own kernel, as the community so gladly will remind me of.

2012/1/28 David Higgs hig...@gmail.com
> On Sat, Jan 28, 2012 at 12:42 PM, Stefan Midjich sweh...@gmail.com wrote:
>> Thanks everyone for the info, I clearly didn't read the whole FAQ but only the parts I needed. The reason I was using 4.9 was because 5.0 i386 didn't boot in vmware fusion 3, it hangs at mtrr. And since I was formatting a CF card from the vm I thought I had to use the same arch as the kernel that will run from it, so I ended up trying on a 4.9.
>
> I do exactly the same thing: use VMWare Fusion 3 to build release(8) whenever there's changes to -stable that I need (otherwise I just install -release directly). I've been doing this since 4.8 and have never had a problem using stock i386 GENERIC. You might try changing the VM type to Other or disabling some peripheral emulation. FWIW, amd64 works like a champ too using Other 64-bit. I haven't tried running i386 on Other 64-bit.
>
>> Also the reason I wanted to compile is something I should have stated, there's a kernel config online for pcengines alix boards so I wanted to use it on mine thinking it was better optimized for the tiny board with very few peripherals.
>> https://raw.github.com/openbsd/flashboot/master/PCENGINES
>
> Keep reading the FAQ: http://www.openbsd.org/faq/faq5.html#Why
>
> I run i386 GENERIC on my ALIX 2D13, no custom anything required. I included my dmesg below for posterity. Everything I need fits more than comfortably on a 16GB CF card.
>
> I performed the initial install using the VM as well. I gave my OpenBSD VM access to the CF via USB card reader, booted the VM into bsd.rd, did a fresh install to the CF card, added tty items to /etc/boot.conf, and tweaked /etc/fstab. Then I installed the CF card into the ALIX board and from there just configured everything else over serial / network.
>
> Good luck,
> --david
>
> OpenBSD 5.0-stable (GENERIC) #1: Tue Nov 8 02:05:22 EST 2011
>     root@vm.localdomain:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
> real mem = 267976704 (255MB)
> avail mem = 253542400 (241MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> pcibios0: pcibios_get_intr_routing - function not supported
> pcibios0: PCI IRQ Routing information unavailable.
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xe/0xa800
> cpu0 at mainbus0: (uniprocessor)
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:1e:60:7c
> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
> vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:1e:60:7d
> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
> vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:1e:60:7e
> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
> glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio
> gpio0 at glxpcib0: 32 pins
> pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: <TS16GCF133>
> wd0: 1-sector PIO, LBA, 15296MB, 31326208 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, legacy support
> ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
> isa0 at glxpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8
5.0 kernel won't compile on 4.9 i386 system
: excess elements in struct initializer
ioconf.c:230: warning: (near initialization for 'cfdata[6]')

The last ones continue for many more lines for 68 members of the array before the make process exits.

Now this has happened twice, on brand new systems, also I've found other list posts describing the same errors but no solutions applying to my situation.

So what do I do to get 5.0 compiled?

-- 
Hälsningar / Greetings
Stefan Midjich
[De omnibus dubitandum]
Re: 5.0 kernel won't compile on 4.9 i386 system
Thanks everyone for the info, I clearly didn't read the whole FAQ but only the parts I needed. The reason I was using 4.9 was because 5.0 i386 didn't boot in vmware fusion 3, it hangs at mtrr. And since I was formatting a CF card from the vm I thought I had to use the same arch as the kernel that will run from it, so I ended up trying on a 4.9.

Also the reason I wanted to compile is something I should have stated, there's a kernel config online for pcengines alix boards so I wanted to use it on mine thinking it was better optimized for the tiny board with very few peripherals.
https://raw.github.com/openbsd/flashboot/master/PCENGINES

I wanted to do a kernel compile from the 5.0 generic system I installed on the CF at first, but I ran out of space before the cvs was even done. So my only option now is to find a machine that can run 5.0 i386, do the compile from there. Alternatively be satisfied with a binary install and generic kernel.

2012/1/28 Christer Solskogen christer.solsko...@gmail.com
> On Sat, Jan 28, 2012 at 5:25 PM, Stefan Midjich sweh...@gmail.com wrote:
>> So what do I do to get 5.0 compiled?
>
> You upgrade to 5.0 first.
>
> --
> chs,

-- 
Hälsningar / Greetings
Stefan Midjich
[De omnibus dubitandum]
Perplexed by PF rules in NAT
Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 3940 State Creations: 0 ]
@39 pass out log on vic2 inet proto tcp from 10.221.182.0/24 to any flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 3940 State Creations: 0 ]
@40 anchor "ftp-proxy/*" all
  [ Evaluations: 337 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 3940 State Creations: 0 ]
@41 pass in log on vic3 inet proto tcp from any to any port = ftp flags S/SA keep state label "CUST-PassInRDRFTP" rdr-to 127.0.0.1 port 8021
  [ Evaluations: 337 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 3940 State Creations: 0 ]

My real issue is with connections going out from the LAN to remote destinations on the internet. From a LAN server I do

nc -vv 212.211.132.250 80 # (this is security.debian.org)

and get the following on pflog0.

Oct 17 07:47:30.793687 rule 34/(match) pass in on vic3: 10.221.181.21.45667 > 212.211.132.250.80: S 3729652686:3729652686(0) win 5840 <mss 1460,sackOK,timestamp 85822017 0,nop,wscale 7> (DF)
Oct 17 07:47:30.793786 rule 28/(match) match out on vic2: XX.XX.XX.59.57433 > 212.211.132.250.80: S 3729652686:3729652686(0) win 5840 <mss 1460,sackOK,timestamp 85822017 0,nop,wscale 7> (DF)
Oct 17 07:47:30.793800 rule 29/(match) pass out on vic2: XX.XX.XX.59.57433 > 212.211.132.250.80: S 3729652686:3729652686(0) win 5840 <mss 1460,sackOK,timestamp 85822017 0,nop,wscale 7> (DF)

So this tells me that NAT is being done, and it is even sending packets out on the external carpdev (vic2) to the remote destination. But nothing comes back and the connection times out. I am not a networking guy but TCP is a streaming protocol, I know that much, am I to allow packets coming back through that stream? Or even packets coming back to establish the stream? Even removing 'tcp' from that tcpdump command doesn't give me any new clues as to what is happening to the rest of the stream.

If I do nc -vv 212.211.132.250 80 from the shell on the gateway it works fine. Strangely enough the same command from lb02 does not work, it triggers rule 29 in tcpdump of pflog0 on both systems but on lb02 no connection is established.

lb01 $
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:01
        description: Customer External Public Loadbalancer
        priority: 0
        carp: carpdev vic2 advbase 1 balancing ip
                state MASTER vhid 1 advskew 0
                state MASTER vhid 2 advskew 100
        groups: carp egress
        status: master
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x8
        inet XX.XX.XX.59 netmask 0xff00 broadcast XX.XX.XX.255
vic2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:56:8e:00:63
        description: Customer External
        priority: 0
        media: Ethernet autoselect
        status: active
        inet6 fe80::250:56ff:fe8e:63%vic2 prefixlen 64 scopeid 0x3

lb02 $
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 01:00:5e:00:01:01
        description: Customer External Public Loadbalancer
        priority: 0
        carp: carpdev vic2 advbase 1 balancing ip
                state MASTER vhid 1 advskew 100
                state MASTER vhid 2 advskew 0
        groups: carp egress
        status: master
        inet6 fe80::200:5eff:fe00:102%carp0 prefixlen 64 scopeid 0x8
Connection to 10.220.100.53 closed.
        inet XX.XX.XX.59 netmask 0xff00 broadcast XX.XX.XX.255
vic2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:56:8e:00:5e
        description: Customer External
        priority: 0
        media: Ethernet autoselect
        status: active
Connection to 10.220.100.53 closed.
        inet6 fe80::250:56ff:fe8e:5e%vic2 prefixlen 64 scopeid 0x3

Now there is actually another issue here that is of lower priority, the fact that I can ping the external IP of the gateway without issue but I can't have my LAN servers ping their gateways, meaning the IP-addresses of carp1 and carp2. In that case I can see packets going in on the physical interface behind carp1, but no reply comes back.

Oct 17 07:45:48.710962 rule 16/(match) pass in on vic3: 10.221.181.21 > 10.221.181.10: icmp: echo request (DF)

This is strange to me as the rule to allow ICMP on the external interface is nearly identical to the ones to allow on the internal interfaces.

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Perplexed by PF rules in NAT
I must add to this that I have seen a clear pattern now but I can't explain it. Like I said, round-robin redirection for certain ports to certain hosts. It's very predictable, if netcat worked, next connect won't. But I'm less sure this is because of the LAN machines now, because of this tcpdump output here.

lb01 $ tcpdump -nettti pflog0 'tcp'
Oct 17 09:58:44.006881 rule 30/(match) pass in on vic2: XX.XX.XX.234.52143 > 10.221.181.22.25: S 3081755618:3081755618(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 421950519 0,[|tcp]> (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
Oct 17 09:58:44.006909 rule 38/(match) pass out on vic3: XX.XX.XX.234.52143 > 10.221.181.22.25: S 3081755618:3081755618(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 421950519 0,[|tcp]> (DF)
Oct 17 09:58:45.261752 rule 30/(match) pass in on vic2: XX.XX.XX.234.52144 > 10.221.181.21.25: S 523320814:523320814(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 421950532 0,[|tcp]> (DF)
Oct 17 09:58:45.261786 rule 38/(match) pass out on vic3: XX.XX.XX.234.52144 > 10.221.181.21.25: S 523320814:523320814(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 421950532 0,[|tcp]> (DF)

This is when it works, then CARP makes the packets come in on lb02 the next connection attempt and I get this.

lb02 $ tcpdump -nettti pflog0 'tcp'
Oct 17 09:59:03.349586 rule 12/(match) block in on vic3: 10.221.181.21.25 > XX.XX.XX.234.52144: S 3675863197:3675863197(0) ack 523320815 win 5792 <mss 1460,sackOK,timestamp 87795141 421950532,nop,wscale 7> (DF)

And this always happens on lb02, so after adding multiple variations of pass in on vic3 from 10.221.181.0/24 to any I of course made sure to check the configurations themselves and they're identical. I have this script set up now to regularly check that they're identical but so far they have been without fail.

$ cat bin/compare
#!/bin/sh
ssh lb02 sudo pfctl -sr > /tmp/pf.compare.lb02
sudo pfctl -sr > /tmp/pf.compare.lb01
diff /tmp/pf.compare.lb01 /tmp/pf.compare.lb02

The remote source I'm testing from has been censored by the EPA. ;)

2011/10/17 Stefan Midjich sweh...@gmail.com:
> I had this gateway with NAT working fine until I added another for load balancing using carp. So now I've been slowly discovering the ins and outs of carp in PF rules. Namely that packets seem to be going in and out of the physical interfaces, but in on the carp interfaces at the same time. Only a detail I've noted with tcpdump.
>
> vic0 is management only, works fine.
> vic1 is pfsync only, set skip
> vic2 is external public ipv4 address, seen here below as XX.XX.XX.59.
> vic3 is the first internal network 10.221.181.0/24
> vic4 is the second internal network 10.221.182.0/24
>
> carp0 is vic2 on both machines, there is no IP-information on the physical carpdev's, only on the carps.
> carp1 is vic3
> carp2 is vic4
>
> There are no pfsync update errors in syslog, I can see carp traffic pass between the carpdevs using proto carp. Both loadbalancers are identical in configuration and I use git, public ssh keys and bash scripts to update the configuration on the git-server, update it on both loadbalancers and then run pfctl -vf /etc/pf.conf on both.
>
> Here is output of pfctl -vvsr, please excuse the mail formatting. I'm hoping this will shed light on my ruleset.
>
> @0 block drop on vic0 all
>   [ Evaluations: 353 Packets: 0 Bytes: 0 States: 0 ]
>   [ Inserted: uid 0 pid 3940 State Creations: 0 ]
> @1 pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = 1022 flags S/SA keep state label "PassInMGMTSSH"
>   [ Evaluations: 347 Packets: 0 Bytes: 0 States: 0 ]
>   [ Inserted: uid 0 pid 3940 State Creations: 0 ]
> @2 pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = ssh flags S/SA keep state label "PassInMGMTSSH"
>   [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
>   [ Inserted: uid 0 pid 3940 State Creations: 0 ]
> @3 pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = 1022 flags S/SA keep state label "PassOutMGMTSSH"
>   [ Evaluations: 16 Packets: 136 Bytes: 19978 States: 0 ]
>   [ Inserted: uid 0 pid 3940 State Creations: 1 ]
> @4 pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = ssh flags S/SA keep state label "PassOutMGMTSSH"
>   [ Evaluations: 15 Packets: 1020 Bytes: 441024 States: 4 ]
>   [ Inserted: uid 0 pid 3940 State Creations: 30 ]
> @5 pass on vic0 proto udp from any to any port = domain keep state label "PassMGMTDNS"
>   [ Evaluations: 331 Packets: 0 Bytes: 0 States: 0 ]
>   [ Inserted: uid 0 pid 3940 State Creations: 0 ]
> @6 pass on vic0 inet proto icmp all icmp-type echorep keep state label "PassMGMTICMP"
>   [ Evaluations: 331 Packets: 0 Bytes: 0 States: 0 ]
>   [ Inserted: uid 0 pid 3940 State Creations: 0 ]
> @7 pass on vic0 inet proto icmp all icmp
Re: Dennis Ritchie
So many lives touched, so many that don't even know about it. That saddens me the most, that so many are using products of his achievements daily to make their lives comfortable and only a small minority know what it took to get here.

2011/10/13 Marc Smith marc_sm...@gmx.com:
> #include <stdio.h>
>
> int main()
> {
>     printf("goodbye, dad\n");
>     return 0;
> }

That was really touching. Rest in peace, Dennis Ritchie.

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
I must say that thanks to your help on this list I've finally managed to get it working. I have bought FreeBSD CD sets in the past as a means to donate and I intend to buy 5.0 sets now because I believe strongly in open source software.

Well it was also thanks to some pf.conf samples I found online from 4.7 and 4.8.
http://mouedine.net/ruleset49.aspx
http://serverfault.com/questions/175405/help-me-upgrade-my-pf-conf-for-openbsd-4-7

The only thing I have yet to solve is the ftp-proxy redirection. Here is my current ruleset. Here's my current pfctl -vf output.

block drop all
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = 1022 flags S/SA keep state label "PassInMGMTSSH"
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = ssh flags S/SA keep state label "PassInMGMTSSH"
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = 1022 flags S/SA keep state label "PassOutMGMTSSH"
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = ssh flags S/SA keep state label "PassOutMGMTSSH"
pass on vic0 proto udp from any to any port = domain keep state label "PassMGMTDNS"
pass on vic0 inet proto icmp all icmp-type echorep keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type echoreq keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type unreach keep state label "PassMGMTICMP"
pass quick on vic2 proto carp all keep state label "CUST-PassCarp"
pass quick on vic3 proto carp all keep state label "CUST-PassCarp"
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type echoreq keep state label "CUST-PingOut"
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type echorep keep state label "CUST-PingOut"
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type unreach keep state label "CUST-PingOut"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echoreq keep state label "CUST-PingIn"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echorep keep state label "CUST-PingIn"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type unreach keep state label "CUST-PingIn"
match out on vic2 inet from 10.221.181.10 to any nat-to (vic2) round-robin
match in on vic2 proto tcp from any to any port = smtp rdr-to <CUST_FrontendPool> round-robin
match in on vic2 proto tcp from any to any port = www rdr-to <CUST_FrontendPool> round-robin
match in on vic2 proto tcp from any to any port = ssh rdr-to <CUST_FrontendPool> round-robin
match in on vic2 proto tcp from any to any port = 5222 rdr-to <CUST_FrontendPool> round-robin
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = smtp flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = www flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = ssh flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = 5222 flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = smtp flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = www flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = ssh flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = 5222 flags S/SA keep state
pass out on vic2 all flags S/SA keep state
pass on vic3 all flags S/SA keep state
anchor "ftp-proxy/*" all
pass in quick inet proto tcp from any to any port = ftp flags S/SA keep state rdr-to 127.0.0.1 port 8021
pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state

All of this works sans the ftp-proxy, it is listening on 8021 and I get no errors in the syslog. Just a message that it started. If I tcpdump -i lo0 I get no packets at all. I do see packets coming in on the internal interface.
Re: Help setting up a PF NAT gateway
After all that I was still doing NAT wrong, I thank you Norman! It works perfectly now and it makes much more sense as NAT must be done from the lo0 too out on the external IF.

2011/10/13 Norman Golisz li...@zcat.de:
> Hi Stefan,
>
> On Wed Oct 12 2011 14:59, Stefan Midjich wrote:
>> I must say that thanks to your help on this list I've finally managed to get it working. I have bought FreeBSD CD sets in the past as a means to donate and I intend to buy 5.0 sets now because I believe strongly in open source software.
>
> really fine!
>
>> The only thing I have yet to solve is the ftp-proxy redirection. Here is my current ruleset.
>
> Well, you defined this match for outgoing packets of vic2:
>
> match out on vic2 inet from 10.221.181.10 to any nat-to (vic2) round-robin
>
> but allow the ftp-proxy to send packets from 127.0.0.1:
>
> pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state
>
> Hence, change the match rule to:
>
> match out on vic2 inet all nat-to (vic2) round-robin
>
> Good luck,
> Norman

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
It works now that I started over from scratch, I have a block in all and a pass out all by default and NAT is working. I can see packets on both in and out-interfaces with tcpdump. Of course ICMP response is not being sent back since I have a block in all but at least NAT is working and it is forwarding packets. I think what I was missing, a crucial step and basic knowledge to any networking tech, was the ins and the outs of gateways. I didn't understand what Out or In was in the eyes of the gateway. I now understand that Out is where the default gateway points, /etc/mygate, in other words egress group in ifconfig. And In is of course the opposite. This is a very subtle detail but it made a WORLD of difference. Thank you all for your support. :)
Help setting up a PF NAT gateway
Simplest of things but I'm failing miserably.

$ sudo cat /etc/hostname.vic2
# External NIC with static public IPv4 address
inet 50.50.50.59 255.255.255.0 50.50.50.255

$ sudo cat /etc/hostname.vic3
# Internal NIC used as gateway by two machines on same network
inet 10.221.181.10 255.255.255.0 10.221.181.255

For troubleshooting I have removed the block all rule, to confirm that it is in fact my NAT related rules that don't work. These are my first and only NAT rules. The other rules work fine and are just to allow SSH to my management interface and ICMP response from the external IP and from the internal gateway IP. Besides I've removed the block all so the other rules don't matter much now.

match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state

With tcpdump I can see packets going to vic3, but no further. With block all commented out I can fully test the network around and everything is working just fine, I can nc -kl 50.50.50.59 65535 and connect to that port from anywhere on the internet. I just can't connect out from the private network through the gateway. The systems in the private network have 10.221.181.10 as their default gateway.

I even have the Book of PF 2nd edition here but it's of no use, the rules are mostly from there. Just for troubleshooting I can also nc -kl 10.221.181.10 65535 on the gateway and connect to that port from the private network machines without issues.

So please tell me, what am I missing in this nat-to rule?

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far.

2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
> Hi Stefan,
>
> On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:
>> Simplest of things but I'm failing miserably.
>> ...
>> With tcpdump I can see packets going to vic3, but no further.
>
> Do you definitely have forwarding enabled?
>
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
>
> If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf to enable forwarding if you haven't.
>
> Regards,
> Mark

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example.

2011/10/10 pavel pocheptsov lilit-aibo...@mail.ru:
>> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
>
> in what reason you paste round-robin?
> also you need
> pass in on $local_if from $localnet to any
> pass out on $ext_if from $localnet to any
>
> 10 October 2011, 19:42, from Stefan Midjich sweh...@gmail.com:
>> Simplest of things but I'm failing miserably.
>>
>> $ sudo cat /etc/hostname.vic2
>> # External NIC with static public IPv4 address
>> inet 50.50.50.59 255.255.255.0 50.50.50.255
>>
>> $ sudo cat /etc/hostname.vic3
>> # Internal NIC used as gateway by two machines on same network
>> inet 10.221.181.10 255.255.255.0 10.221.181.255
>>
>> For troubleshooting I have removed the block all rule, to confirm that it is in fact my NAT related rules that don't work. These are my first and only NAT rules. The other rules work fine and are just to allow SSH to my management interface and ICMP response from the external IP and from the internal gateway IP. Besides I've removed the block all so the other rules don't matter much now.
>>
>> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
>> pass inet from 10.221.181.0/24 to any flags S/SA keep state
>>
>> With tcpdump I can see packets going to vic3, but no further. With block all commented out I can fully test the network around and everything is working just fine, I can nc -kl 50.50.50.59 65535 and connect to that port from anywhere on the internet. I just can't connect out from the private network through the gateway. The systems in the private network have 10.221.181.10 as their default gateway.
>>
>> I even have the Book of PF 2nd edition here but it's of no use, the rules are mostly from there. Just for troubleshooting I can also nc -kl 10.221.181.10 65535 on the gateway and connect to that port from the private network machines without issues.
>>
>> So please tell me, what am I missing in this nat-to rule?
>>
>> --
>> Med vänliga hälsningar / With kind regards
>> Stefan Midjich

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
ManagementIF = "vic0"
PFsyncIF = "vic1"
LocalIF = "lo0"
ManagementPorts = "{ 1022, 22 }"
UDPManagementPorts = "{ domain }"
ICMPTypes = "{ echorep, echoreq, unreach }"
set skip on { lo0 vic1 }
OutIF = "vic2"
InIF = "vic3"
pass quick on vic0 inet proto tcp from any to any port = 1022 flags S/SA keep state label "PassMGMTSSH"
pass quick on vic0 inet proto tcp from any to any port = ssh flags S/SA keep state label "PassMGMTSSH"
pass on vic0 proto udp from any to any port = domain keep state label "PassMGMTDNS"
pass on vic0 inet proto icmp all icmp-type echorep keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type echoreq keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type unreach keep state label "PassMGMTICMP"
pass quick on vic2 proto carp all keep state label "PassCarp"
pass quick on vic3 proto carp all keep state label "PassCarp"
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type echoreq keep state label "PingOut"
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type echorep keep state label "PingOut"
pass quick inet proto icmp from any to 50.50.50.0/24 icmp-type unreach keep state label "PingOut"
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echoreq keep state label "PingIn"
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echorep keep state label "PingIn"
pass quick inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type unreach keep state label "PingIn"
match in on vic3 inet from 10.221.181.0/24 to any label "NATOut" nat-to (vic2) round-robin
pass inet from 10.221.181.0/24 to any flags S/SA keep state

vic2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50X
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 50.50.50.59 netmask 0xff00 broadcast 50.50.50.255
        inet6 fe80::250:56ff:fe8e:63%vic2 prefixlen 64 scopeid 0x3
vic3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:X
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 10.221.181.10 netmask 0xff00 broadcast 10.221.181.255
        inet6 fe80::250:56ff:fe8e:64%vic3 prefixlen 64 scopeid 0x4

Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            50.50.50.1         UGS        0       80     -     8 vic2
10/8               10.220.100.1       UGS        2     2869     -     8 vic0
10.90.100/24       link#2             UC         1        0     -     4 vic1
10.90.100.10       X:00:62            UHLc       0        2     -     4 lo0
10.220.100/24      link#1             UC         3        0     -     4 vic0
10.220.100.1       X07:ac:00          UHLc       1        0     -     4 vic0
10.220.100.10      X:49:16            UHLc       0      489     -     4 vic0
10.220.100.209     X:26:05            UHLc       1     5010     -     4 vic0
10.221.181/24      link#4             UC         0        0     -     4 vic3
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         1        0 33160     4 lo0
50.50.50/24        link#3             UC         3        0     -     4 vic2
50.50.50.1         Xf:d4:20           UHLc       1        0     -     4 vic2
50.50.50.6         X81:86:b6          UHLc       0        0     -     4 vic2
50.50.50.7         XX:50:87:14        UHLc       0        0     -     4 vic2
224/4              127.0.0.1          URS        0        0 33160     8 lo0

Please note that I have removed public ip-address and other private details.

2011/10/10 Christiano F. Haesbaert haesba...@haesbaert.org:
> On 10 October 2011 12:38, Stefan Midjich sweh...@gmail.com wrote:
>> Simplest of things but I'm failing miserably.
>>
>> $ sudo cat /etc/hostname.vic2
>> # External NIC with static public IPv4 address
>> inet 50.50.50.59 255.255.255.0 50.50.50.255
>>
>> $ sudo cat /etc/hostname.vic3
>> # Internal NIC used as gateway by two machines on same network
>> inet 10.221.181.10 255.255.255.0 10.221.181.255
>>
>> For troubleshooting I have removed the block all rule, to confirm that it is in fact my NAT related rules that don't work. These are my first and only NAT rules. The other rules work fine and are just to allow SSH to my management interface and ICMP response from the external IP and from the internal gateway IP. Besides I've removed the block all so the other rules don't matter much now.
>>
>> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
>> pass inet from 10.221.181.0/24 to any flags S/SA keep state
>>
>> With tcpdump I can see packets going to vic3, but no further. With block all commented out I can fully test the network around and everything is working just fine, I can nc -kl 50.50.50.59 65535 and connect to that port from anywhere on the internet. I just can't connect out from the private network through the gateway. The systems in the private network have 10.221.181.10 as their default gateway
Re: Help setting up a PF NAT gateway
$ sudo pfctl -sr |grep nat-to
match in on vic3 inet from 10.221.181.0/24 to any label "NATOut" nat-to (vic2) round-robin

pfctl -vsl shows only evaluated packets for all my rules, which worries me, it never increments the counter of packets gone through any of the nat rules. Only the first rules for management network and of course the block rule when it was in place.

2011/10/10 James Shupe jsh...@osre.org:
> What does `pfctl -sr | grep nat-to` say?
>
> On 10/10/11 10:38 AM, Stefan Midjich wrote:
>> Simplest of things but I'm failing miserably.
>>
>> $ sudo cat /etc/hostname.vic2
>> # External NIC with static public IPv4 address
>> inet 50.50.50.59 255.255.255.0 50.50.50.255
>>
>> $ sudo cat /etc/hostname.vic3
>> # Internal NIC used as gateway by two machines on same network
>> inet 10.221.181.10 255.255.255.0 10.221.181.255
>>
>> For troubleshooting I have removed the block all rule, to confirm that it is in fact my NAT related rules that don't work. These are my first and only NAT rules. The other rules work fine and are just to allow SSH to my management interface and ICMP response from the external IP and from the internal gateway IP. Besides I've removed the block all so the other rules don't matter much now.
>>
>> match out on vic2 inet from 10.221.181.0/24 to any nat-to (vic2) round-robin
>> pass inet from 10.221.181.0/24 to any flags S/SA keep state
>>
>> With tcpdump I can see packets going to vic3, but no further. With block all commented out I can fully test the network around and everything is working just fine, I can nc -kl 50.50.50.59 65535 and connect to that port from anywhere on the internet. I just can't connect out from the private network through the gateway. The systems in the private network have 10.221.181.10 as their default gateway.
>>
>> I even have the Book of PF 2nd edition here but it's of no use, the rules are mostly from there. Just for troubleshooting I can also nc -kl 10.221.181.10 65535 on the gateway and connect to that port from the private network machines without issues.
>>
>> So please tell me, what am I missing in this nat-to rule?
>>
>> --
>> Med vänliga hälsningar / With kind regards
>> Stefan Midjich
>
> --
> James Shupe, OSRE developer/ engineer
> jsh...@osre.org | 866.235.1288
> BSD/ Linux Support | Metro Ethernet | Hosting
> check out our site at www.osre.org

-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
Not sure what you mean but they're both in switched vlans, two different vlans. Point to Point is a crossover cable, right? I'm not sure what it means in English. This is all a virtual environment I use for training so there are no cables as such.

2011/10/10 Peter N. M. Hansteen pe...@bsdly.net:
> Stefan Midjich sweh...@gmail.com writes:
>> $ sudo cat /etc/hostname.vic2
>> # External NIC with static public IPv4 address
>> inet 50.50.50.59 255.255.255.0 50.50.50.255
>>
>> $ sudo cat /etc/hostname.vic3
>> # Internal NIC used as gateway by two machines on same network
>> inet 10.221.181.10 255.255.255.0 10.221.181.255
>
> Are both of those point to point links? I have a feeling this is the source of your problem, see man ifconfig
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> Remember to set the evil bit on all malicious network traffic
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
match out on egress inet from vic3:network nat-to (egress:0)

This is the new rule then, as it appears in pfctl -v:

match out on egress inet from 10.221.181.0/24 to any nat-to (egress:0) round-robin

vic2 is the only NIC in the egress group in ifconfig. nc -vv cvs.openbsd.org 25 from 10.221.181.20 does not connect even though there is no block rule now.

2011/10/10 Christiano F. Haesbaert haesba...@haesbaert.org:
> On 10 October 2011 15:05, Stefan Midjich sweh...@gmail.com wrote:
>> That was from the output of pfctl -vf /etc/pf.conf so it expands the rules and adds all that is implied, like keep state for example.
>
> I think that is not what you want:
>
> match in on vic3 inet from 10.221.181.0/24 to any label NATOut nat-to (vic2) round-robin
>
> You want to match packets going out your external interface, and then nat-to the external interface address, so try something like:
>
> match out on vic2 inet from 10.221.181.0/24 nat-to (vic2)
>
> Considering vic2 as your external interface.

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
I have taken away the block all rule, but pfctl -d makes no difference. The gateway itself behaves just like any server connected to multiple vlans. You can reach the world around it; through its default gateway you can reach the internet. The servers connected to its private vlan, vic3, cannot connect to anything but themselves and the gateway ip 10.221.181.10. They cannot go further. The gateway can ping them and connect to them just like on a vlan.

2011/10/10 Peter N. M. Hansteen pe...@bsdly.net:
> Stefan Midjich sweh...@gmail.com writes:
>> Not sure what you mean but they're both in switched vlans, two different vlans. Point to Point is a crossover cable, right? I'm not sure what it means in English. This is all a virtual environment I use for training so there are no cables as such.
>
> take a step back. with PF disabled (pfctl -d), do you have connectivity, does traffic pass where you want it to?
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> Remember to set the evil bit on all malicious network traffic
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
Re: Help setting up a PF NAT gateway
No I was not aware of this. Could you please explain the meaning of an alias address on the external interface for NAT? There is no mention of using an alias for NAT in this document for example: http://www.openbsd.org/faq/pf/nat.html

Just to be clear, I already have an external and internal physical interface to work with, so I am unclear as to why I need an alias.

2011/10/11 Stefan N stefanbsd...@yahoo.com:
> Hi Stefan,
>
> As you mentioned that the IP forwarding is already enabled on your system. Have you configured the IP alias on the network interface for the NAT purpose? If the NAT is done on external interface then you'll need to add in the IP alias on /etc/hostname.vic2
>
> Please read the guide from openbsd url below:
> http://www.openbsd.org/cgi-bin/man.cgi?query=hostname.if&apropos=0&sektion=0&manpath=OpenBSD+4.9&arch=i386&format=html
>
> Sample of hostname.if config with IP alias:
>
> A typical file contains only one line, but more extensive files are possible, for example:
>
> inet 10.0.1.12 255.255.255.0 10.0.1.255 media 100baseTX description Uplink
> inet alias 10.0.1.13 255.255.255.255 10.0.1.13
> inet alias 10.0.1.14 255.255.255.255 NONE
> inet alias 10.0.1.15 255.255.255.255
> inet alias 10.0.1.16 0x
> # This is an example comment line.
> inet6 alias fec0::1 64
> inet6 alias fec0::2 64 anycast
> !route add 65.65.65.65 10.0.1.13
> up
>
> I hope it helps.
>
> Regards,
> Stefan
>
> From: Stefan Midjich sweh...@gmail.com
> To: Mark (obsd) openbsd-l...@nerdish.us
> Cc: misc@openbsd.org
> Sent: Tuesday, October 11, 2011 2:06 AM
> Subject: Re: Help setting up a PF NAT gateway
>
> Yes forwarding is enabled. I have followed the Book of PF 2nd Edition so far.
>
> 2011/10/10 Mark (obsd) openbsd-l...@nerdish.us:
>> Hi Stefan,
>>
>> On Mon, Oct 10, 2011 at 10:38 AM, Stefan Midjich sweh...@gmail.com wrote:
>>> Simplest of things but I'm failing miserably.
>>> ...
>>> With tcpdump I can see packets going to vic3, but no further.
>>
>> Do you definitely have forwarding enabled?
>>
>> # sysctl net.inet.ip.forwarding
>> net.inet.ip.forwarding=1
>>
>> If that were 0 instead of 1, you'd get your symptoms. Edit /etc/sysctl.conf to enable forwarding if you haven't.
>>
>> Regards,
>> Mark
>
> --
> Med vänliga hälsningar / With kind regards
> Stefan Midjich

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
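Three checks come up across this thread: the `pfctl -vsr` counters that never increment on the nat rule (first post), the advice that a nat-to rule should be bound to the outbound direction on the external interface (Christiano's reply), and Mark's `sysctl net.inet.ip.forwarding` test. The script below runs all three over saved command output; it is an added example, not code from anyone in the thread, and the sample `pfctl -vsr` output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `pfctl -vsr` output, modelled on the rules quoted in
# this thread; it is not output captured from the poster's gateway.
SAMPLE_PFCTL_VSR = """\
pass in on vic2 inet proto tcp from any to 50.50.50.59 port = 22 flags S/SA keep state
  [ Evaluations: 1510      Packets: 812       Bytes: 99140       States: 3     ]
  [ Inserted: uid 0 pid 4711 State Creations: 41    ]
match in on vic3 inet from 10.221.181.0/24 to any label "NATOut" nat-to (vic2) round-robin
  [ Evaluations: 1510      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4711 State Creations: 0     ]
pass inet from 10.221.181.0/24 to any flags S/SA keep state
  [ Evaluations: 1510      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4711 State Creations: 0     ]
"""

# Direction must be a whole word so "pass inet ..." is not read as direction "in".
RULE_RE = re.compile(r"^(pass|match|block)\s+(?:(in|out)\b)?")
COUNTER_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)")

def parse_rules(text):
    """Return [(rule_text, evaluations, packets)] from `pfctl -vsr` output."""
    rules = []
    for line in text.splitlines():
        if line and not line.startswith(" "):      # rule lines start at column 0
            rules.append([line.strip(), 0, 0])
        elif rules:                                  # indented counter lines follow
            m = COUNTER_RE.search(line)
            if m:
                rules[-1][1], rules[-1][2] = int(m.group(1)), int(m.group(2))
    return [tuple(r) for r in rules]

def audit_nat_rules(text):
    """Flag nat-to rules not matched on the outbound direction (the thread's fix is
    `match out on egress ... nat-to (egress:0)`) and rules evaluated but never hit."""
    findings = []
    for rule, evals, pkts in parse_rules(text):
        m = RULE_RE.match(rule)
        direction = m.group(2) if m else None
        if "nat-to" in rule and direction != "out":
            findings.append(("nat-to-not-out", rule))
        if evals > 0 and pkts == 0:
            findings.append(("never-matched", rule))
    return findings

def forwarding_enabled(sysctl_output):
    """True when `sysctl net.inet.ip.forwarding` reports 1 (Mark's check)."""
    m = re.search(r"net\.inet\.ip\.forwarding=(\d)", sysctl_output)
    return bool(m) and m.group(1) == "1"
```

Feed it the real output with `audit_nat_rules(open("pfctl-vsr.txt").read())`; a `never-matched` finding on the nat rule with a non-`out` direction is exactly the symptom reported in the first post.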
Can I use carp with just one public IP?
Everything I read about CARP, including my Book on PF 2nd edition, says you're supposed to have two different ip-addresses set for each carp device, for two hosts that is. And one third ip-address in the same network on the pseudo carp0 interface you create.

Since I'm aiming to load balance on the first hop of a network this means I need to allocate three external static IPs for my system of two OpenBSD gateway hosts.

Is there a less wasteful way of doing load balancing with carp using IPv4?

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
http://swehack.se
Re: Can I use carp with just one public IP?
I assume you mean balancing? I wanted to go for balancing ip but that's only because I read about it in the carp(4) manual; now I think I'll go with just vhid, carpdev and pass set to see if I can get the load balancing working with just one ip-address on the carp interface, first and foremost. But maybe you have something to add about that.

2011/10/9 Johan Ryberg jo...@securit.se:
> 2011/10/9 Stefan Midjich sweh...@gmail.com:
>> Everything I read about CARP, including my Book on PF 2nd edition, says you're supposed to have two different ip-addresses set for each carp device, for two hosts that is. And one third ip-address in the same network on the pseudo carp0 interface you create.
>>
>> Since I'm aiming to load balance on the first hop of a network this means I need to allocate three external static IPs for my system of two OpenBSD gateway hosts.
>>
>> Is there a less wasteful way of doing load balancing with carp using IPv4?
>
> In what way are you trying to load balance?
>
> // Johan

--
Med vänliga hälsningar / With kind regards
Stefan Midjich
http://swehack.se
Re: Can I use carp with just one public IP?
It's for a gateway with one external address on the outside interface and an internal network on the inside, with servers on the internal network that need to receive load balanced traffic.

So the aim is to have a carp0 on the outside between two systems, and one carp1 on the inside between the same two systems. Each system has one carpdev interface for each carp pseudo-if.

Right now it only does NAT between the external and the internal networks, but I was hoping to use rdr-to with a table of server ip's and the round-robin method to distribute out traffic to them.

Unless you see an issue with this setup?

2011/10/9 Johan Ryberg jo...@securit.se:
> 2011/10/9 Stefan Midjich sweh...@gmail.com:
>> I assume you mean balancing? I wanted to go for balancing ip but that's only because I read about it in the carp(4) manual; now I think I'll go with just vhid, carpdev and pass set to see if I can get the load balancing working with just one ip-address on the carp interface, first and foremost.
>
> No, you wrote that you were aiming to load balance and I just wonder what your goal was =)
>
> Do you have web servers that need load balancing, or do you want to use torrents on one internet connection and other protocols on another, or do you just want round robin on all outgoing traffic (probably not).
>
> // Johan

--
Med vänliga hälsningar / With kind regards
Stefan Midjich