relayd(8) doesn't listen
Hi misc,

I am trying to set up relayd(8) as a load balancer for two Python 3.6 based
aiohttp web servers on -stable. Right now I'm just playing around to get into
it, so everything runs inside a VirtualBox instance. For every aiohttp instance
I created one vether(4), assigned 10.0.0.x/24 to it and start each aiohttp
server manually with its own host IP on port 8080. Mostly I followed the
examples in "Relayd and Httpd Mastery" by Marcus W. Lucas.

There is no problem with these aiohttp servers and vether(4), because relayd(8)
successfully does the health check with 'check http "/" code 200'.

Right now the main problem is that relayd(8) doesn't listen (on 0.0.0.0:80),
as httpd does for example. What am I missing here?

Thanks for your support! Here are my configs and some further info that should
be helpful:

$ doas cat /etc/sysctl.conf
net.inet.ip.forwarding=1

$ doas ifconfig vether
vether0: flags=8843 mtu 1500
        lladdr fe:e1:ba:d0:f5:6f
        index 5 priority 0 llprio 3
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
vether1: flags=8843 mtu 1500
        lladdr fe:e1:ba:d1:22:b2
        index 6 priority 0 llprio 3
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 10.0.0.2 netmask 0xff00 broadcast 10.0.0.255

---
[start two aiohttp servers]
# python3.6 -m aiohttp.web -H 10.0.0.1 -P 8080 main:init &
[1] 53857
# python3.6 -m aiohttp.web -H 10.0.0.2 -P 8080 main:init &
[2] 39992

$ curl -I 10.0.0.1:8080
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 14
Date: Tue, 20 Jun 2017 21:03:41 GMT
Server: Python/3.6 aiohttp/2.1.0

$ curl -I 10.0.0.2:8080
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 14
Date: Tue, 20 Jun 2017 21:03:50 GMT
Server: Python/3.6 aiohttp/2.1.0

$ doas cat /etc/pf.conf
set block-policy return
set loginterface egress
set skip on lo

match in all scrub (no-df random-id max-mss 1440)
anchor "relayd/*"
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block all
pass out quick inet

$ doas cat /etc/relayd.conf
ext_if="0.0.0.0"
aio1="10.0.0.1"
aio2="10.0.0.2"

table <www> { $aio1, $aio2 }

# interval 10
# timeout 1000
# prefork 1

redirect www {
        listen on $ext_if tcp port 80
        forward to <www> port 8080 check http "/" code 200
}

$ doas relayd -n
configuration OK

$ doas relayd -dvv
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
pfe: filter init done
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relayd_tls_ticket_rekey: rekeying tickets
init_tables: created 1 tables
hce_notify_done: 10.0.0.1 (http code ok)
host 10.0.0.1, check http code (17ms,http code ok), state unknown -> up, availability 100.00%
hce_notify_done: 10.0.0.2 (http code ok)
host 10.0.0.2, check http code (21ms,http code ok), state unknown -> up, availability 100.00%
pfe_dispatch_hce: state 1 for host 1 10.0.0.1
pfe_dispatch_hce: state 1 for host 2 10.0.0.2
table www: 2 added, 0 deleted, 0 changed, 0 killed
pfe_sync: enabling ruleset
sync_ruleset: rule added to anchor "relayd/www"
hce_notify_done: 10.0.0.1 (http code ok)
hce_notify_done: 10.0.0.2 (http code ok)
[...]

---
$ netstat -na -f inet | grep LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  10.0.0.2.8080          *.*                    LISTEN
tcp          0      0  10.0.0.1.8080          *.*                    LISTEN

---
$ doas dmesg
OpenBSD 6.1 (GENERIC) #9: Mon Jun 12 20:33:41 CEST 2017
    rob...@syspatch-61-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2130640896 (2031MB)
avail mem = 2061524992 (1966MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz, 2214.92 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,MWAIT,SSSE3,NXE,LONG,LAHF
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 1000MHz
cpu0: mwait min=64, max=64
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"PNP0303" at acpi0 not configured
"PNP0F03" at acpi0 not configured
acpibat0 at acpi0: BAT0 model "1" serial 0 type VBOX oem "innotek"
acpiac0 at acpi0: AC unit online
acpivideo0 at acpi0: GFX0
pci0 at mainbus0 b
Re: relayd(8) doesn't listen
Hi Stuart,

thanks for your hints and pushing me in the right direction.

Thomas

2017-06-21 2:49 GMT+02:00 Stuart Henderson:
> On 2017-06-20, miraculli . wrote:
> > For every aiohttp instance I created one vether(4) and assigned 10.0.0.x/24
> > to it
>
> Don't put addresses from the same /24 onto a bunch of different
> interfaces. Use one /24 and the others should be /32 aliases, all on a
> single interface.
>
> > Right now the main problem is that relayd(8) doesn't listen (on 0.0.0.0:80),
> > as httpd does for example. What am I missing here?
>
> Your expectations don't match your current config. You would get that
> behaviour with a "relay" but you use "redirect" so relayd isn't supposed
> to bind to a port itself, instead it adds a PF rdr-to rule to the relayd
> anchor to forward traffic to the relevant backend.
>
> - from relayd.conf(5) :-
>
>      Redirections
>          Redirections are translated to pf(4) rdr-to rules for stateful
>          forwarding to a target host from a health-checked table on layer 3.
>
>      Relays
>          Relays allow application layer load balancing, TLS acceleration,
>          and general purpose TCP proxying on layer 7.
>

--
+49.179.1448024
Karl-Kunger-Straße 68
D - 12435 Berlin
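An added example that is not part of the thread: the same two-backend setup written as a layer-7 "relay", which is what makes relayd itself bind 0.0.0.0:80 the way Thomas expected. The table name <www>, the protocol name httpfilter, the tcp options and the forwarded-header lines are my choices for this example, not taken from the original mail.

```conf
# Added example (not the thread's relayd.conf): a layer-7 relay instead of
# a layer-3 redirect. relayd accepts the client connection itself and proxies
# it to a health-checked backend, so no pf rdr-to rule is involved.
ext_if="0.0.0.0"
aio1="10.0.0.1"
aio2="10.0.0.2"

table <www> { $aio1, $aio2 }

http protocol httpfilter {
        # The backends only ever see relayd's own address; record the real
        # client so the aiohttp access logs and any per-client limits stay
        # meaningful. Only trust these headers on a network nothing else reaches.
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

relay www {
        # Unlike a redirect, this listen statement really opens the socket.
        listen on $ext_if port 80
        protocol httpfilter
        forward to <www> port 8080 check http "/" code 200
}
```

A relay needs no "relayd/*" anchor, but with `block all` in pf.conf the listening port still has to be opened with a rule such as `pass in on egress proto tcp to port 80`; after `relayd -n` reports `configuration OK` and the daemon is started, `netstat -na -f inet | grep LISTEN` should show a `*.80` entry that the redirect setup never produced.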
OpenBSD as Open Networking OS
Hi misc,

I just read about a trending topic: SDN and Open Networking. The principal idea
behind Open Networking is to allow the customer to install a custom OS on
switch hardware. The main software player in this business seems to be a
penguin OS called Cumulus. There is also an overview of devices that are able
to run a custom OS:

https://cumulusnetworks.com/products/hardware-compatibility-list/

Is there any experience using OpenBSD in this domain and with this kind of
hardware?

Thanks
Thomas
Re: OpenBSD as Open Networking OS
Thanks for your input. I get the point with the closed ASICs. I wasn't aware of
that, and it explains why there is no OpenWRT, pfSense etc. support for these
devices either. Sad.

best
Thomas

2017-07-17 11:45 GMT+02:00 Reyk Floeter:
> Yes, I'm very interested in this but there is no "open" hardware.
>
> As Mischa mentioned, all of the platforms need vendor drivers
> and AFAIK all of them are gigantic and non-free *.
>
> OpenFlow is an alternative to control switches in a standard way
> without direct access to the switch chipsets, but it is a long way to
> get switchd(8) to this point. And it has limitations, of course.
>
> *) let me know if I'm wrong.
>
> Reyk
>
>> On 17.07.2017, at 11:00, miraculli . wrote:
>>
>> Hi misc,
>>
>> I just read about a trending topic: SDN and Open Networking.
>> The principal idea behind Open Networking is to allow the customer
>> to install a custom OS on switch hardware.
>> The main software player in this business seems to be a penguin OS
>> called: Cumulus
>> There is also an overview of devices that are able to run a custom OS:
>>
>> https://cumulusnetworks.com/products/hardware-compatibility-list/
>>
>> Is there any experience using OpenBSD in this domain and with this
>> kind of hardware?
>>
>> Thanks
>> Thomas
>>
>

--
+49.179.1448024
Karl-Kunger-Straße 68
D - 12435 Berlin
Re: Bad network performance on apu2c4
Hi,

I also have an APU2 as a router. The uplink connection (16Mbit/s) is via
pppoe(4) on em0, and I couldn't manage to measure the throughput of this
interface:

- iftop doesn't work on pppoe and shows nothing on em0.
- iperf also calculates some strange numbers (14669317741 Gbits/sec) when
  trying to connect to one of the public iperf servers from
  https://iperf.fr/iperf-servers.php

How do you measure the performance?

2017-11-04 18:24 GMT+01:00 Peter Faiman:
>
> > On Nov 4, 2017, at 09:53, Chris Cappuccio wrote:
> >
> > Rupert Gallagher [r...@protonmail.com] wrote:
> >>
> >> You seem to say that handling larger packets is a feature of having
> >> limited CPU. I disagree.
> >>
> >
> > Rupert, I'm saying that a slower CPU can process less packets per second.
> >
> > The important measurement is packets-per-second. The APU has plenty of
> > memory bandwidth to handle large volumes of data. For adequate CPU power,
> > you have to either lower the cost of processing (make software better/more
> > efficient) or you have to distribute the cost across the 4 cores of the APU2
> > (make software execution parallel).
> >
> >>> The same traffic level, with 1500 byte packets generates 6 times more
> >>> packets per second than that traffic level with 9000 bytes packets.
> >>
> >> You divided 9000 by 1500 without mistakes. Congratulations.
> >>
> >
> > The point was clearly lost on you.
> >
> >>> There is ongoing work to improve the network stack performance on
> >>> boxes like the APU2 (which have 4 cores). You will see improvements. If you
> >>> want it better today, you need a faster box. Chris
> >>
> >> The apu2c4 is fast enough to saturate its Intel 1Gbits/sec link. It has
> >> three of those. If you connect all three to the switch, you get 3Gbps shy.
> >> No need for a faster box. You rather need a faster switch, class 7 S-FTP
> >> wires (better than class 6), and 2.5Gbps lan cards for clients.
> >
> > No, you don't need any of that. You have no idea what you are talking about.
> >
> > The APU requires software crafted to evenly distribute PER-PACKET PROCESSING
> > cost across multiple cores. That is what is happening in OpenBSD today. It has
> > been happening for years, and it is getting closer to becoming a reality with
> > OpenBSD + APU2, as well as other chipsets/platforms.
> >
> > For a couple years now, we've had interrupts processed by one core, PF on
> > another, and other parts of the kernel on a third core. But to accelerate
> > packet processing alone, we need interrupts handled on multiple cores,
> > PF processing handled on multiple cores. This is hard work.
> >
> > By the way, what I'm describing is the general-purpose OS approach towards
> > this problem. If you want to turn computer hardware into routers with little
> > other concern, the go-to platform is DPDK + VPP. It is something like an
> > order of magnitude faster than any general purpose OS (OpenBSD, Linux) at
> > packet pushing.
> >
> > https://www.reddit.com/r/networking/comments/6upchy/can_a_bsd_system_replicate_the_performance_of/dlvdq2e/
> >
> > Chris
>
> Thank you for this explanation. My uplink is only 240mbit and my APU2
> handles that perfectly, so I'm not having any of these problems. But the
> insight into the current state of networking was great! :)
>
> Peter
>

--
+49.179.1448024
Karl-Kunger-Straße 68
D - 12435 Berlin
Install to MacBookPro mid 2007 fails
Hello misc,

I have been trying to install OpenBSD on my Apple MacBook Pro mid 2007 (or
MacBookPro3,1) for some time now with different -release and the latest
-snapshot versions, with no success. The bootloader shows up and tries to
launch bsd.rd:

probing: pc0 mem [572K 64K 3053M 13M 60K 24K 76K 1024M]
disk: hd0 hd1* hd2*
>> OpenBSD/amd64 BOOTX64 3.30
boot>
cannot boot hd0a:/etc/random.seed: No such file or directory
booting hd0a:/bsd: 3356852+1412368+2413568+0+598016=0x76d238
entry point at 0xf001000 [7205c766, 3404, 24448b12, f4c0a304]

After printing these lines it takes several seconds and then it reboots.

FreeBSD 11 boots well on this device, so I attached the dmesg output from
there, maybe it is helpful.

Thanks in advance
Thomas

Copyright (c) 1992-2016 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.0-RELEASE-p1 #0 r306420: Thu Sep 29 01:43:23 UTC 2016
    r...@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on LLVM 3.8.0)
VT(efifb): resolution 1440x900
CPU: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz (2194.55-MHz K8-class CPU)
  Origin="GenuineIntel" Id=0x6fa Family=0x6 Model=0xf Stepping=10
  Features=0xbfebfbff
  Features2=0xe3bd
  AMD Features=0x20100800
  AMD Features2=0x1
  VT-x: HLT,PAUSE
  TSC: P-state invariant, performance statistics
real memory = 4294967296 (4096 MB)
avail memory = 4087091200 (3897 MB)
Event timer "LAPIC" quality 400
ACPI APIC Table:
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
random: unblocking device.
ioapic0: Changing APIC ID to 1
ioapic0 irqs 0-23 on motherboard
random: entropy device external interface
kbd0 at kbdmux0
netmap: loaded module
module_register_init: MOD_LOAD (vesa, 0x8101c950, 0) error 19
cryptosoft0: on motherboard
acpi0: on motherboard
acpi_ec0: port 0x62,0x66 on acpi0
acpi0: Power Button (fixed)
hpet0: iomem 0xfed0-0xfed003ff irq 0,8 on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 950
Event timer "HPET" frequency 14318180 Hz quality 450
Event timer "HPET1" frequency 14318180 Hz quality 440
Event timer "HPET2" frequency 14318180 Hz quality 440
cpu0: on acpi0
cpu1: on acpi0
atrtc0: port 0x70-0x77 on acpi0
atrtc0: Warning: Couldn't map I/O.
Event timer "RTC" frequency 32768 Hz quality 0
attimer0: port 0x40-0x43,0x50-0x53 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
acpi_acad0: on acpi0
acpi_lid0: on acpi0
acpi_button0: on acpi0
acpi_button1: on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pcib0: _OSC returned error 0x10
pcib0: could not evaluate _ADR - AE_NOT_FOUND
pci0: on pcib0
CPU0: local APIC error 0x80
CPU0: local APIC error 0x80
CPU0: local APIC error 0x80
CPU0: local APIC error 0x80
CPU0: local APIC error 0x80
CPU0: local APIC error 0x80
pcib1: at device 1.0 on pci0
pcib1: [GIANT-LOCKED]
pci1: on pcib1
vgapci0: port 0x5000-0x507f mem 0xd200-0xd2ff,0xc000-0xcfff,0xd000-0xd1ff at device 0.0 on pci1
uhci0: port 0x60c0-0x60df at device 26.0 on pci0
uhci0: LegSup = 0x3000
usbus0 on uhci0
uhci1: port 0x60a0-0x60bf at device 26.1 on pci0
usbus1 on uhci1
ehci0: mem 0xdb504c00-0xdb504fff at device 26.7 on pci0
usbus2: EHCI version 1.0
usbus2 on ehci0
hdac0: mem 0xdb50-0xdb503fff at device 27.0 on pci0
pcib2: at device 28.0 on pci0
pcib2: [GIANT-LOCKED]
pcib3: at device 28.2 on pci0
pcib3: [GIANT-LOCKED]
pcib4: at device 28.4 on pci0
pcib4: [GIANT-LOCKED]
pci2: on pcib4
ath0: mem 0xd730-0xd730 at device 0.0 on pci2
ath0: [HT] enabling HT modes
ath0: [HT] RTS aggregates limited to 8 KiB
ath0: [HT] 2 RX streams; 2 TX streams
ath0: AR5418 mac 12.10 RF5133 phy 8.1
ath0: 2GHz radio: 0x; 5GHz radio: 0x00c0
pcib5: at device 28.5 on pci0
pcib5: [GIANT-LOCKED]
pci3: on pcib5
mskc0: port 0x3000-0x30ff mem 0xd720-0xd7203fff at device 0.0 on pci3
msk0: on mskc0
msk0: Using defaults for TSO: 65518/35/2048
msk0: Ethernet address: 00:1b:63:9f:dc:af
miibus0: on msk0
e1000phy0: PHY 0 on miibus0
e1000phy0:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, auto, auto-flow
uhci2: port 0x6080-0x609f at device 29.0 on pci0
usbus3 on uhci2
uhci3: port 0x6060-0x607f at device 29.1 on pci0
usbus4 on uhci3
uhci4: port 0x6040-0x605f at device 29.2 on pci0
usbus5 on uhci4
ehci1: mem 0xdb504800-0xdb504bff at device 29.7 on pci0
usbus6: EHCI version 1.0
usbus6 on ehci1
pcib6: at device 30.0 on pci0
pci4: on pcib6
pci4: at device 3.0 (no driver attached)
isab0: at device 31.0 on pci0
isa0: on isab0
Re: Install to MacBookPro mid 2007 fails
Yes, I boot from USB and want to use the whole disk. But I don't even get to
the installer or into a shell. The problem occurs during boot from install60.fs.

2016-11-17 23:42 GMT+01:00 emtee:
> Try this:
>
> Assuming you are installing from a USB drive and assuming further the
> whole disk will be used for OpenBSD.
>
> Boot from the USB,
>
> Choose (s)hell option, we'll prepare the disk with a EFI system partition.
>
>     fdisk -i -b 960 sd0
>
> Step 2
>
> - Run the install all the way to the OpenBSD option at the fdisk question.
>
> - in the disklabel editor partition the disk as usual, but leave the i
>   partition untouched.
>
> Step 3
>
> Finish the installation but don't reboot.
>
> Step 4
>
> format the partition and copy the uefi bootloader in place.
>
>     /mnt/sbin/newfs_msdos sd0i
>     mount /dev/sd0i /mnt2
>     mkdir -p /mnt2/efi/boot
>     cp /mnt/usr/mdec/BOOTX64.EFI /mnt2/efi/boot
>
> ---
>
> reboot, and restart.
>
>
> On 11/17/16 15:16, miraculli . wrote:
>> Hello misc,
>>
>> I have been trying to install OpenBSD on my Apple MacBook Pro mid 2007 (or
>> MacBookPro3,1) for some time now with different -release and the
>> latest -snapshot versions, with no success. The bootloader shows up and
>> tries to launch bsd.rd:
>>
>> probing: pc0 mem [572K 64K 3053M 13M 60K 24K 76K 1024M]
>> disk: hd0 hd1* hd2*
>> >> OpenBSD/amd64 BOOTX64 3.30
>> boot>
>> cannot boot hd0a:/etc/random.seed: No such file or directory
>> booting hd0a:/bsd: 3356852+1412368+2413568+0+598016=0x76d238
>> entry point at 0xf001000 [7205c766, 3404, 24448b12, f4c0a304]
>>
>> After printing these lines it takes several seconds and then it reboots.
>>
>> FreeBSD 11 boots well on this device, so I attached the dmesg
>> output from there, maybe it is helpful.
>>
>> Thanks in advance
>> Thomas
>>
>> Copyright (c) 1992-2016 The FreeBSD Project.
>> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
>>         The Regents of the University of California. All rights reserved.
Re: macbook EFI bootloader
I have been trying this for a while too
(https://marc.info/?l=openbsd-misc&m=147945720728652&w=2). Interesting that it
works when installing from CD. But if I get you right, you are stuck in the
reboot loop too when trying to boot from USB (install##.fs / miniroot##.fs).

I removed my super-drive and put a second SSD in, on which I want to install
OpenBSD.

I also recognised something similar when installing OpenBSD on a PC Engines
APU2 board. On the APU2 you only have to set the correct serial output device
at boot> and everything works fine. Maybe it is also needed to set some kind of
efi-device?!? I didn't find the time to investigate further in this direction,
but maybe someone on the list can help?

--
best
mirac

2016-12-28 3:24 GMT+01:00 Byron Klippert:
> Hello Misc,
>
> Recently tried to get my intel macbook (circa '08) dual-booting with
> -current amd64 (December 26 snapshot).
>
> Within OSX I repartitioned the RootDisk and added a MS-DOS (FAT)
> partition for the OpenBSD install/disklabel. I booted from CD and
> installed to wd0 (using the OpenBSD fdisk partition). At this stage if I
> want to boot from wd0, I have to boot from CD and select hd0a:/bsd at
> the second stage boot loader. This works well enough, dmesg of the
> system below.
>
> When trying to boot directly from wd0 using the native EFI bootloader I
> placed BOOTIA32.EFI and BOOTX64.EFI in the EFI partition of the RootDisk
> so that I can select "EFI Partition" when booting (by holding option
> key).
>
> /dev/disk0
>    #:                       TYPE NAME                    SIZE       IDENTIFIER
>    0:      GUID_partition_scheme                        *120.0 GB   disk0
>    1:                        EFI                         209.7 MB   disk0s1
>    2:                  Apple_HFS RootDisk                118.6 GB   disk0s2
>    3:       Microsoft Basic Data                         1.1 GB     disk0s3
>
>
> This setup gets as far as shown below and then stops...
>
> probing: pc0 mem[572K 64K 3039M 11M 60K 48K]
> disk: hd0
> >> OpenBSD/amd64 BOOTIA32 3.32
> boot>
> booting hd0a:/bsd: 6979304+2212872+258624+0+765952
> [72+710280+477696]=0xae2350
> entry point at 0xf001000 [7205c766, 3404, 24448b12, 1240a304]
>
>
> I've tried booting with `boot> hd0a:/bsd.rd'. Also tried writing
> install60.tgz and miniroot60.tgz to USB and got similar results there as
> well.
>
>
> Curious to know if the native EFI bootloader is designed to work with
> this hardware?
>
> Thanks,
>
> dmesg output:
>
> OpenBSD 6.0-current (GENERIC.MP) #73: Mon Dec 26 23:25:48 MST 2016
>     bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 3171909632 (3024MB)
> avail mem = 3071180800 (2928MB)
> warning: no entropy supplied by boot loader
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe (37 entries)
> bios0: vendor Apple Inc. version "MB21.88Z.00A5.B07.0706270922" date 06/27/07
> bios0: Apple Inc. MacBook2,1
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT
> acpi0: wakeup devices ADP1(S3) LID0(S3) PXS1(S4) PXS2(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB7(S3) EC__(S3)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM)2 CPU T7400 @ 2.16GHz, 2161.65 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF,SENSOR
> cpu0: 4MB 64b/line 16-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 166MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM)2 CPU T7400 @ 2.16GHz, 2161.25 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF,SENSOR
> cpu1: 4MB 64b/line 16-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0xf000, bus 0-255
> acpiec0 at acpi0
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (RP01)
> acpiprt2 at acpi0: bus 2 (RP02)
> acpiprt3 at acpi0: bus 3 (PCIB)
> acpicpu0 at acpi0: !C3(100@55 mwait@0x31), !C2(500@1 mwait@0x10), C1(1000@1 mwait), PSS
> acpicpu1 at acpi0: !C3(100@55 mwait@0x31), !C2(500@1 mwait@0x10), C1(1000@1 mwait), PSS
> acpiac0 at acpi0: AC unit online
> acpibtn0 at acpi0: LID0
> "APP0002" at acpi0 not configured
> acpibtn1 at acpi0: PWRB
> acpibtn2 at acpi0: SLPB
> "APP0001" at acpi0 not configured
> "APP0003" at acpi0 not configured
> "ACPI0002" at acpi0 not
Re: macbook EFI bootloader
According to Paul Ammann's mail:

> From my experience, models released after 2008 (MacBook5 and higher) should
> have GOP.

My MacBookPro (3,1) from mid 2007 utilizes UGA.

2016-12-29 15:50 GMT+01:00 YASUOKA Masahiko:
> On Tue, 27 Dec 2016 18:24:38 -0800
> Byron Klippert wrote:
> > This setup gets as far as shown below and then stops...
> >
> > probing: pc0 mem[572K 64K 3039M 11M 60K 48K]
> > disk: hd0
> > >> OpenBSD/amd64 BOOTIA32 3.32
> > boot>
> > booting hd0a:/bsd: 6979304+2212872+258624+0+765952
> > [72+710280+477696]=0xae2350
> > entry point at 0xf001000 [7205c766, 3404, 24448b12, 1240a304]
> >
> >
> > I've tried booting with `boot> hd0a:/bsd.rd'. Also tried writing
> > install60.tgz and miniroot60.tgz to USB and got similar results there as
> > well.
> >
> >
> > Curious to know if the native EFI bootloader is designed to work with
> > this hardware?
>
> I'm not sure. OpenBSD efiboot supports GOP for the graphic protocol
> but it doesn't support UGA. FreeBSD supports both.
>
> Is there anyone who is sure whether the macbook is using UGA?
>
> --yasuoka
>

--
+49.179.1448024
Karl-Kunger-Straße 68
D - 12435 Berlin
NAT for dual-WAN with public and private LAN
Hi misc,

I just got a second ADSL uplink installed and now I try to reconfigure my
pf.conf to load-balance NAT over both connections.

Just to be more concrete: it is a hotel setup with a guest-accessible public
Wifi LAN (Ubiquiti UniFi devices) and a private LAN for office devices. I use a
PC Engines APU2c4 with OpenBSD -stable (syspatched) as router, which has two
ADSL modems in bridge mode attached:

* em0 -> pppoe0 (dynamic IP)
* em1 -> pppoe1 (fixed IP)

Both connections seem to be fine:

$ ifconfig pppoe
pppoe0: flags=8851 mtu 1492
        index 8 priority 0 llprio 3
        dev: em0 state: session
        sid: 0x219f PADI retries: 1 PADR retries: 0 time: 708d 10:27:47
        sppp: phase network authproto pap
        groups: pppoe egress
        status: active
        inet6 fe80::20d:b9ff:fe43:43b4%pppoe0 -> prefixlen 64 scopeid 0x8
        inet 87.174.xxx.xxx --> 87.186.xxx.xxx netmask 0x
pppoe1: flags=8851 mtu 1492
        index 10 priority 0 llprio 3
        dev: em1 state: session
        sid: 0x1dd7 PADI retries: 3 PADR retries: 0 time: 03:01:57
        sppp: phase network authproto pap
        groups: pppoe
        status: active
        inet6 fe80::20d:b9ff:fe43:43b4%pppoe1 -> prefixlen 64 scopeid 0xa
        inet 217.86.xxx.xxx --> 217.5.xxx.xxx netmask 0x

Further I created two vlans over em2, one for the public wifi (vlan64) and one
for the private LAN (vlan32):

$ cat /etc/hostname.vlan32
inet 10.10.10.1 255.255.255.0 10.10.10.255 vlan 32 vlandev em2

$ cat /etc/hostname.vlan64
inet 10.64.0.1 255.192.0.0 10.127.255.255 vlan 64 vlandev em2

My pf.conf for the single WAN uplink looks like this. I outlined the parts
where I try to do the dual-WAN NAT, without success so far. My idea is to add
pppoe1 to the group egress. But even without that I lose the internet
connection for all my network clients.

# cat /etc/pf.conf
#	$OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if="{ vlan32 vlan64 }"
ext_if="{ pppoe0 pppoe1 }"
icmp_types="{ echoreq }"
icmp6_types="{ echoreq }"

table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
	172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
	192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
	203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress from !(egress:network) to any nat-to (egress)

block in quick on egress from to any
block return out quick on egress from any to

block all
pass out quick inet
pass in on $int_if inet

# START: here I'm playing around to get NAT working
pass in on vlan inet route-to (egress egress:network) round-robin
pass in on vlan proto tcp from vlan:network to port https route-to (egress egress:network)
# END

# START: here I want to block wifi-guests to have access to office-lan but doesn't seem to work too.
block return out from vlan64:network to vlan32:network
#END

pass in on egress inet proto icmp icmp-type $icmp_types
pass in on egress inet6 proto icmp6 all
pass in on egress inet proto tcp from any to (egress) port 22
pass in on egress inet6 proto tcp from any to (egress) port 22

# pfctl -nf /etc/pf.conf

seems to be fine too.

I want to achieve three things:

1.) proper load balancing over both WAN uplinks
2.) reject access from the public wifi (vlan64) to the office LAN (vlan32)
3.) always prefer packets from vlan32 over vlan64
4.) general advice for this setup if you spot some problems I'm not aware of. ;-)

Thanks in advance, I hope someone can help!

best,
Thomas

# dmesg
OpenBSD 6.2 (GENERIC.MP) #5: Fri Feb 2 23:02:19 CET 2018
    r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4261076992 (4063MB)
avail mem = 4124921856 (3933MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdffb7020 (7 entries)
bios0: vendor coreboot version "88a4f96" date 03/11/2016
bios0: PC Engines apu2
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S2 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HEST SSDT SSDT HPET
acpi0: wakeup devices PWRB(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) UOH1(S3) UOH3(S3) UOH5(S3) XHC0(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD GX-412TC SOC, 998.26 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fu
Re: NAT for dual-WAN with public and private LAN
On 17 February 2018 at 23:07, Richard Procter wrote:
>
> > On 18/02/2018, at 8:39 AM, Richard Procter wrote:
> >
> > Hi,
> >
> > I've never attempted such a setup so the following are general pointers
> > which may be mistaken.
> >
> > On 18/02/2018, at 3:08 AM, miraculli . wrote:
> > [...]
> > I would attempt a simpler config first. I suspect you're following
> > the advice in https://www.openbsd.org/faq/pf/pools.html - which is
> >
> >     pass in on $int_if from $lan_net \
> >         route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
> >         round-robin
> >
> > Only once this is working attempt to use the egress group as a short-hand.
> >
> >> # START: here I want to block wifi-guests to have access to office-lan but
> >> doesn't seem to work too.
> >> block return out from vlan64:network to vlan32:network
> >> #END
> >
> > I would block this on the input side -- IIRC by the time the packet
> > has reached the output side it has already had its source address
> > rewritten by NAT. e.g.
> >
> >     block in on $wifi_if to $office_if:network
> >     block in on $office_if to $wifi_if:network # probably also want this converse
>
> actually a simpler way to achieve this would be to preface the rules with
>
>     block
>
> and then explicitly allow the traffic you want to pass, e.g.
>
>     pass out inet
>     pass in on ${int_if}
>
> (these rules apply only to new flows; e.g. if you make an outbound
> TCP connection, and the rules allow it, pf will then create a state that
> allows traffic in the reverse direction through; there's no need to
> specify this explicitly in the rules, and in fact the rules won't be
> consulted if a matching state already exists for a packet. One way to
> inspect existing states is via # systat state).
>
> >> pass in on egress inet proto icmp icmp-type $icmp_types
> >
> > the icmp_types are probably too restrictive. e.g. TCP relies on
> > ICMP fragmentation-needed messages to implement MTU path discovery
> > over IPv4. OpenBSD implements secure defaults in its own handling
> > of ICMP so far as I know. e.g. it ignores ICMP redirects by default.
> >
> >     $ sysctl net.inet.icmp.rediraccept
> >     net.inet.icmp.rediraccept=0
> >
> > I myself am comfortable with
> >
> >     pass inet proto icmp
> >
> > at the end of my pf.conf. (but I do not consider myself an
> > authority on pf configuration!)
> >
> >
> > good luck!
> >
> > Richard.
>

Hi Richard, and misc,

thanks for your advice and the motivation to tinker a little bit more! I think
I got it working... at least tcpdump and pftop show something is going on on
both pppoe links.

Just for the record, here is my new pf.conf, which is also simplified and made
more explicit. It seems to work with interface groups like vlan and pppoe.
Maybe I misunderstand what egress is meant for, but anyway, I could achieve
the same with pppoe.

table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
	172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
	192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
	203.0.113.0/24 }

set block-policy drop
#set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on pppoe0 from vlan:network nat-to (pppoe0)
match out on pppoe1 from vlan:network nat-to (pppoe1)

block in quick on pppoe from to any
block return out quick on pppoe from any to

block all

pass out on vlan to vlan:network
pass in quick on vlan from vlan:network to vlan
pass in on vlan route-to {(pppoe0 pppoe0:network), (pppoe1 pppoe1:network)} round-robin
pass out on pppoe

block return in on vlan from vlan64:network to vlan32:network

pass in on egress inet proto icmp all
pass in on egress inet proto tcp from any to (egress) port 22

Still one thing to achieve: prefer vlan32 packets over vlan64.

Thanks a lot so far
Thomas
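An added example, not Thomas's or Richard's config, that writes goals 1 to 3 from Thomas's list in the explicit form Richard pointed to (one (interface gateway) pair per uplink in route-to, blocking on the input side, default deny with explicit pass rules) and adds an output priority for the office VLAN, which the thread left open. Assumptions are mine: the interface names from the thread, the table name <martians> as used by the stock /etc/examples/pf.conf, and that the router offers no services to the guest VLAN beyond what the "to vlan" rule below allows.

```conf
# Added example (not the thread's pf.conf). Interface names come from the
# thread; <martians> is the table name of the stock example pf.conf.
office_if = "vlan32"
guest_if  = "vlan64"
wan_ifs   = "{ pppoe0 pppoe1 }"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3  \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24         \
                   203.0.113.0/24 }

set block-policy drop
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# NAT per uplink: the source must become the address of the link the packet
# really leaves on, otherwise the ISP discards it as spoofed.
match out on pppoe0 inet from vlan:network nat-to (pppoe0)
match out on pppoe1 inet from vlan:network nat-to (pppoe1)

# Goal 3: office packets get a higher output priority than guest packets
# (default is 3, range 0-7). This only takes effect when the router's own
# interface is the bottleneck; behind a bridged ADSL modem the real bottleneck
# is upstream, so a bandwidth-limited queue on each pppoe interface would be
# needed to make the preference bite.
match in on $office_if set prio 6
match in on $guest_if  set prio 2

# Default deny, then allow explicitly.
block all
block in quick on $wan_ifs from <martians>
block return out quick on $wan_ifs to <martians>

# Goal 2 on the input side, before NAT rewrites the source address and before
# the route-to rule below could pass it; "quick" makes these rules final.
block return in quick on $guest_if  from $guest_if:network  to $office_if:network
block return in quick on $office_if from $office_if:network to $guest_if:network

# Traffic for the router itself must not be caught by route-to. Narrow
# "to vlan" to the services the router really offers (DNS, DHCP, ...).
pass in quick on vlan from vlan:network to vlan

# Goal 1: new outbound flows alternate between the two uplinks. :peer is the
# remote end of the point-to-point pppoe link, i.e. the per-uplink gateway.
pass in on { $office_if $guest_if } inet \
    route-to { (pppoe0 pppoe0:peer), (pppoe1 pppoe1:peer) } round-robin

pass out inet

# ICMP is needed for path MTU discovery on a 1492-byte pppoe link.
pass in on $wan_ifs inet proto icmp

# Admin access only on the fixed-IP uplink; reply-to keeps the replies on the
# link the connection arrived on even when the default route is pppoe0.
pass in on pppoe1 inet proto tcp to (pppoe1) port 22 \
    reply-to (pppoe1 pppoe1:peer)
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then watch `systat states` while a guest client tries to reach an office address: the attempt should appear only as a dropped or returned packet on vlan64, never as a state, while ordinary outbound flows should show up alternating between pppoe0 and pppoe1. Because states are created when the first packet passes in, the second block rule also covers the reverse direction without any output-side rule.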