Re: OpenBSD on VMware ESXi

2019-05-22 Thread mxb
I think FreeBSD or any Linux template will work just fine and add vmxnet3. However, last I checked (1 year ago) vmxnet3 was less stable than e1000 under pressure. Sent from my iDevice > On 22 May 2019, at 13:47, Reyk Floeter wrote: > >> On Wed, May 22, 2019 at 01:43:35PM +0200, Janne Joha

Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-31 Thread mxb
With -stable kernel and modded syspatch I was able to pull down all the patches I needed to have this machine to be fully up to date. Sent from my iDevice > On 30 May 2018, at 18:59, Stuart Henderson wrote: > >> On 2018-05-30, Maxim Bourmistrov wrote: >> I ended up with a -stable kernel a

Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-30 Thread mxb
Reverting if_ix.c to rev 1.139 brought ix back to life. Sent from my iDevice > On 29 May 2018, at 21:36, Maxim Bourmistrov > wrote: > > Diff, discussed in the thread, seems to follow all the way to 6.3. > Sure I probably can try out 6.3, but I have a feeling that this will not help. > > d

Re: 6.0-stable panic

2016-12-08 Thread mxb
can be applied to -stable to dump more info and hopefully resolve this long standing bug? Sorry, but -current is not an option anymore to run there. I’m happy to pull those in, apply and trigger. br //mxb > On 21 sep. 2016, at 10:44, mxb wrote: > > Panic is very similar to >

Re: IPSec

2016-11-28 Thread mxb
-vs 1440 -r /var/run/isakmpd.pcap All this info actually came from Stuart originally. //mxb

Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-25 Thread mxb
Looks nice. Like a Soekris x2 + Kerberos case. What I miss on all those boards is dedicated IPMI. Else, with IPMI, those are perfect products for remote small office. //mxb > On 25 nov. 2016, at 15:01, Bob Jones wrote: > > Try the NetBoard A-10 and any of the products built on

Re: IPSec

2016-11-24 Thread mxb
You should be able to. As far as I understand ipsec.conf gets “translated” to isakmpd.conf. I use both. What I have in isakmpd.conf is: [General] DPD-check-interval = 60 Works fine. //mxb > On 24 nov. 2016, at 22:58, Damian McGuckin wrote: > > Can you mix the use of 'isa

Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread mxb
As far as I know, Halon cuts the number of IPSec tunnels on free version. > On 24 nov. 2016, at 21:21, Joe Crivello wrote: > >> Can somebody please recommend me a firewall appliance that can run OpenBSD > and >> pf, and can be upgradeable to the latest version? It would be a great plus > if >>

relayd with multiple pools

2016-11-23 Thread mxb
this parent table. As in the test above, disabling child table should override status of hosts within the table and those should become UNKNOWN, which should prevent usage of this child table. Any clarification regarding this scenario is appreciated. P.S. This is 6.0-stable Br //mxb

Re: Allow FTP through Openbsd firewall

2016-10-28 Thread mxb
Depending on the clients software, but you should be able to use Passive mode. man 1 ftp: -p Enable passive mode operation for use behind connection filtering firewalls. This option has been deprecated as ftp now tries to use passive mode by default, falling back to act

OpenBSD 6.0-stable: uvm_mapent_alloc: out of static map entries

2016-10-26 Thread mxb
Hey, seeing following in dmesg: uvm_mapent_alloc: out of static map entries Wasn’t it fixed so system dynamically adjusted this or do I still need to increase and re-compile kernel ? P.S. Have plenty of RAM (15G free) on this box. //mxb

Re: what all touches the carp demote counter?

2016-10-11 Thread mxb
e which took over master role will stay master until it goes down. All default recommendations/“best practice” are in man pages. //mxb

Re: Failure to get unbound to talk to nsd on the same server

2016-10-10 Thread mxb
Try to use forward-zone instead of stub-zone in unbound.conf forward-zone: name: "abc.com" forward-addr: 127.0.0.1 > On 10 okt. 2016, at 23:42, Johan Mellberg wrote: > > Hi all, > > I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my > home network with DNS. I hav

Re: what all touches the carp demote counter?

2016-10-10 Thread mxb
wait. //mxb > On 11 okt. 2016, at 03:58, Paul B. Henson wrote: > > On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote: > >> Did you adjust advskew value on the machine you want to be Backup ? > > Yes, the backup has an advskew of 5 and the primary an advskew of 1.

Re: 6.0-stable panic

2016-09-30 Thread mxb
Thanks for the tip, Stuart. I’ll take a look at it. > On 30 sep. 2016, at 03:40, Stuart Henderson wrote: > > On 2016-09-29, mxb wrote: >> Unfortunately, this is a remote, IPMI machine - no kbd while it is in ddb > > Many machines with IPMI do give you keyboard in

Re: unbound and truly multihomed setup

2016-09-29 Thread mxb
Tried to play around with ports nsd/unbound listens on? //Мэксб > On 29 sep. 2016, at 09:48, Gregory Edigarov wrote: > > Hi, > > Need an advice. > > I have a bgp router with 3 interfaces: > > em0 (xxx.yyy,zzz.1/24), > em1, em2 - looking at uplinks > > bgp is up and running, packets are forwarded

Re: 6.0-stable panic

2016-09-29 Thread mxb
seen it to overwrite /var/crash . Should it? //mxb > On 21 sep. 2016, at 11:00, Martin Pieuchot wrote: > > On 21/09/16(Wed) 10:44, mxb wrote: >> Panic is very similar to > > So far no developer have a clue how to reproduce this panic. It's a > long standing

Re: 6.0-stable panic

2016-09-21 Thread mxb
Where do you see word “solution” in the thread pointed out by URL? > On 21 sep. 2016, at 10:50, Mihai Popescu wrote: > >> Panic is very similar to > > So the solution must be very similar to ... too!

6.0-stable panic

2016-09-21 Thread mxb
Panic is very similar to https://www.mail-archive.com/tech@openbsd.org/msg32608.html Panic happened during restart of relayd. System is up to date with errata up to 004. Runs relayd, ospfd, bgpd. no Tor, no transparent stuff. OpenBSD

Re: 5.9: vmx0: device timeout

2016-08-13 Thread mxb
Hey, it would be nice to define “network load”. I have several VMs running 5.8-stable/5.9-stable/current without seeing this. //mxb > On 11 aug. 2016, at 21:44, Kurt Mosiejczuk wrote: > > I've noticed that for 5.9, any VMs (in VMware) using vmx(4), end up putting > "vmx0

Re: tmpfs

2016-07-31 Thread mxb
d any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they are > addressed. If > you have received this email in error please notify the system manager."""

Re: tmpfs

2016-07-31 Thread mxb
Mine is sane. Yours just couple of thousands years after. Fix yours. > On 31 juli 2016, at 21:46, Consus wrote: > > On 20:53 Sun 31 Jul, mxb wrote: >> ?? ?? ?? ??, ?? . >> ?? ?? ?? ???

Re: tmpfs

2016-07-31 Thread mxb
Else it is just a discussion. > On 31 juli 2016, at 20:48, Consus wrote: > > drama

Re: tmpfs

2016-07-31 Thread mxb
Good one. But private messages are not appreciated So misc is in loop. Sorry to pollute your private space. > On 31 juli 2016, at 20:38, Karel Gardas wrote: > > Could you be so kind and move this conversation out of misc@ > > Thanks! Karel > > On Sun, Jul 31, 2016 at 7:54 P

Re: tmpfs

2016-07-31 Thread mxb
As we say, you have to answer for your words. In Sweden he will get the chance to. > On 31 juli 2016, at 20:47, mxb wrote: > > I am Russian, so what? > >> On 31 juli 2016, at 20:37, Aioi Yuuko mailto:yu.

Re: tmpfs

2016-07-31 Thread mxb
I am Russian, so what? > On 31 juli 2016, at 20:37, Aioi Yuuko wrote: > > Stop making Russians look bad. Some of us like OpenBSD

Re: tmpfs

2016-07-31 Thread mxb
He didn’t answer about mirrors. I asked. So this one you can send to /dev/null. > On 31 juli 2016, at 20:37, Aioi Yuuko wrote: > > See your previous message re: mirrors.

Re: tmpfs

2016-07-31 Thread mxb
, buy pulling off DARPA feed. > On 31 juli 2016, at 16:51, ludovic coues wrote: > > Guess which one of you and theo have it's name all over the CVS tree ? > > 2016-07-31 16:37 GMT+02:00 mxb : >> While looking at the mirror, read your last email once again. >>

Re: tmpfs

2016-07-31 Thread mxb
While looking at the mirror, read your last email once again. > On 30 juli 2016, at 19:58, Theo de Raadt wrote: > > Yeah, you sure are the cool dude. > > Despite the existance of people like you, OpenBSD has been > progressing as working code for 20 years. > > > And what have you added. Jus

Re: tmpfs

2016-07-30 Thread mxb
I don't appreciate the private reply. Adding misc back in. > On 30 juli 2016, at 16:29, Theo de Raadt wrote: > > Just shut up.

Re: tmpfs

2016-07-30 Thread mxb
Missed "CC all" last time. You or any other actually answered my questions. Your “jumps” are as usual. I understand that best way to defend is to actually attack. This kind of answer I received is expected. I could add more to this mail, but I’d rather not. > On 29 juli 2016, at 23:04, Theo de

Re: tmpfs

2016-07-29 Thread mxb
Are there any “gatekeepers” around the code? I thought “tech” was the best place to release questionable code? //mxb > On 29 juli 2016, at 18:14, Theo de Raadt wrote: > > Because the code quality is crap.

Re: ipsec routing issues

2016-06-15 Thread mxb
Hey, to begin with, it would be nice to see output from ‘netstat -rn’ before you started adding/deleting routes. //mxb > On 15 juni 2016, at 22:56, rizz2pro wrote: > > Hi, im not sure if this is some kind of bug or by design but I thought > i would ask. > > Firstly check

dhcp-class-identifier in dhclient

2016-04-16 Thread mxb
Hey, is there any reason for not setting dhcp-class-identifier by default in dhclient? My guess is that this is probably not mandatory? //mxb

relayd: high CPU usage by one or two proc. of many

2016-02-24 Thread mxb
: Question if there is anything else can be done to trace this down? Br //mxb

Re: bgpd in snapshot from 4 feb.

2016-02-07 Thread mxb
I actually run sysmerge. It added new users/groups, updated certs. Rest of configs I merged. Seen nothing about rc-scripts. > On 7 feb. 2016, at 22:01, Claudio Jeker wrote: > > On Sun, Feb 07, 2016 at 07:53:01PM +0100, mxb wrote: >> Hey, >> bgpd from snap of 4 feb. fails t

bgpd in snapshot from 4 feb.

2016-02-07 Thread mxb
Hey, bgpd from snap of 4 feb. fails to start (according to rc): shell# /etc/rc.d/bgpd start bgpd(failed) shell# ps aux|grep bgp _bgpd11880 0.0 0.0 1220 1804 ?? Sp 7:46PM0:00.02 bgpd: session engine (bgpd) _bgpd11350 0.0 0.0 920 1816 ?? Sp 7:46PM0:00.02 bgpd: rou

Re: panic: mtx_enter: locking against myself

2016-02-06 Thread mxb
I was unable to trigger this with OpenBSD 5.9 (GENERIC.MP) #1869: Thu Feb 4 09:50:59 MST 2016 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP //mxb > On 5 feb. 2016, at 19:12, mxb wrote: > > > Any one from @devs have time to pick it up? > > This is

Re: panic: mtx_enter: locking against myself

2016-02-05 Thread mxb
Any one from @devs have time to pick it up? This is a new env. , so I have time to investigate. Access can be provided on need bases. //mxb > On 4 feb. 2016, at 15:46, mxb wrote: > > Found it in dmesg buffer: > > Stopped at Debugger+0x9: leave > RUN AT LEAST 'trac

Re: panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
ftnet 4749 0 0 0 3 0x14200 bored systqmp 16058 0 0 0 3 0x14200 bored systq 15954 0 0 0 3 0x40014200idle0 1 0 1 0 30x82 wait init 0 -1 0 0 3 0x10200 schedu

Re: panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
I was able to re-produce this panic with similar stack trace. Unfortunately 'trace/show regs/ps' are not in txt format, but are screenshots. //mxb > On 4 feb. 2016, at 12:42, mxb wrote: > > > Hey, > see those again on 5.8-STABLE. > > This is a 2-node CARP

panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
Hey, see those again on 5.8-STABLE. This is a 2-node CARP setup within VMWare ESX. Both machines are rebooting after this and it happens quite often. Any ideas? panic: mtx_enter: locking against myself Starting stack trace... panic() at panic+0x10b mtx_enter() at mtx_enter+0x60 sofree() at sofre

Re: ipsec between three networks

2016-01-27 Thread mxb
OSPF is not right protocol if you scale to more than 3 sites and want influence routing. BGP will do a better job in this situation. > On 27 jan. 2016, at 03:39, Dewey Hylton wrote: > > my current working configuration has 3 sites; each site is connected to the > others, and routing is handled vi

Re: Downgrade from 5.8-current to 5.8 release

2015-11-01 Thread mxb
-current. Also it depends on how far from -release your -current is. As far you are then more is not compatible any more and more problems you’ll get while reverting. Most easiest way is to collect all configs and to install from scratch. //mxb > On 1 nov. 2015, at 14:38, Adam Wysocki wrote: >

Re: iked ikev2 x509 authentication problem - no valid local certificate found

2015-10-01 Thread mxb
http://marc.info/?l=openbsd-tech&m=144362542514318&w=2 > On 1 okt. 2015, at 21:25, Rob wrote: > > Hi, > > I’m a little stuck getting two different clients connected to my OpenBSD > 5.7 (i386) VPN ikev2 server. I suspect the clients are a

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-23 Thread mxb
Looks like I found the root cause. At least it is stable as it is supposed to be. I need to reproduce this in lab before making next move. //mxb > On 17 sep. 2015, at 10:35, mxb wrote: > > > Hey, > getting panics with 5.8-STABLE kernel. > > panic: mix_enter: locking agai

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
> On 2015-09-17, mxb wrote: >> Hey, >> getting panics with 5.8-STABLE kernel. >> >> panic: mix_enter: locking against myself >> Starting stack trace… >> panic() at panic+0x10b >> mtx_enter() at mtx_enter+0x60 >> sofree() at sofree+0xa0 >> in_pc

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
rev 0x02 at pci10 dev 5 function 1 not configured "Intel E5 v3 Error Reporting" rev 0x02 at pci10 dev 5 function 2 not configured "Intel E5 v3 I/O APIC" rev 0x02 at pci10 dev 5 function 4 not configured uhub3 at uhub0 port 14 "vendor 0x product 0x0001" rev 2.00/0.00 addr 2 uhub3: device problem, disabling port 1 uhub4 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.05 addr 2 uhub5 at uhub2 port 1 "Intel Rate Matching Hub" rev 2.00/0.05 addr 2 vscsi0 at root scsibus3 at vscsi0: 256 targets softraid0 at root scsibus4 at softraid0: 256 targets root on sd0a (a6bfac843655c015.a) swap on sd0b dump on sd0b carp: pfsync0 demoted group carp by 32 to 160 (pfsync init) carp: pfsync0 demoted group pfsync by 32 to 32 (pfsync init) carp: pfsync0 demoted group carp by 1 to 161 (pfsync bulk start) carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start) carp1: state transition: BACKUP -> MASTER carp302: state transition (vhid 40): BACKUP -> MASTER carp0: state transition: BACKUP -> MASTER carp302: state transition (vhid 30): BACKUP -> MASTER carp1: state transition: MASTER -> BACKUP carp302: state transition (vhid 40): MASTER -> BACKUP carp0: state transition: MASTER -> BACKUP carp302: state transition (vhid 30): MASTER -> BACKUP carp: pfsync0 demoted group carp by -1 to 32 (pfsync bulk done) carp: pfsync0 demoted group pfsync by -1 to 32 (pfsync bulk done) carp: pfsync0 demoted group carp by -32 to 0 (pfsync init) carp: pfsync0 demoted group pfsync by -32 to 0 (pfsync init) carp1: state transition: BACKUP -> MASTER carp302: state transition (vhid 40): BACKUP -> MASTER > On 17 sep. 2015, at 10:56, k...@kurawa.no-ip.org wrote: > > On Thu, 17 Sep 2015 10:35:46 +0200 > mxb wrote: > >> getting panics with 5.8-STABLE kernel. >> > 5.8-STABLE not released yet. you mean 5.8-CURRENT?

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
?? () #2 0x0005 in ?? () #3 0x8135e990 in sd_flush () Previous frame inner to this frame (corrupt stack?) Any ideas? > On 17 sep. 2015, at 10:35, mxb wrote: > > > Hey, > getting panics with 5.8-STABLE kernel. > > panic: mix_enter: locking against my

5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
Hey, getting panics with 5.8-STABLE kernel. panic: mix_enter: locking against myself Starting stack trace… panic() at panic+0x10b mtx_enter() at mtx_enter+0x60 sofree() at sofree+0xa0 in_pcbdetach() at in_pcbdetach+0x40 tcp_close() at tcp_close+0xad tcp_timer_2msl() at tcp_timer_2msl+0x90 softcloc

Re: nsd configuration problem

2015-06-25 Thread mxb
Good that you solved your problem. I've done same work as you by converting from bind to nsd+unbound. "The hard way" via digging Google and trying out. You got lucky with shortcut ;) //mxb On 2015-06-25 21:22, Andrew Daugherity wrote: On Wed, Jun 24, 2015 at 1:06 PM, Graham

ifconfig carp30 state backup

2015-06-23 Thread mxb
is 100 on the second node. Question is if it is expected behavior? According to man I can force it to become BACKUP on the first node. Br //mxb

Re: AMD64 Snapshot Issues

2015-06-17 Thread mxb
This is how it goes with snaps. You should not complain. If team managed to build it, it does not mean that it IS stable. I've been in this situation several times. There is no one to blame. You should either stay away from snaps or be prepared to fix problems by yourself. Br //mxb Sent fr

Re: tls with relayd (on 5.7) and key without password

2015-05-03 Thread mxb
Try to create symlink in /etc/ssl/private. ln -s mydomain.org.key 1.2.3.4.key, where “1.2.3.4” is your address in $ext_addr. //mxb > On 3 maj 2015, at 13:04, Comète wrote: > > Hi, > > my tls key has no password and i already use it for other stuf

Re: relayd crashes often

2015-04-29 Thread mxb
itting this problem as well. So diff is applied on top of -current on a backup node. Let’s see how it runs from now on. I was running old, post 5.6 snapshot. //mxb

Re: IPSec and Cisco peers

2015-04-07 Thread mxb
Run isakmpd with ‘-L’ and then tcpdump -n -vs 1440 -r /var/run/isakmpd.pcap and see what is going on. //mxb > On 7 apr 2015, at 19:29, jean-yves boisiaud > wrote: > > Hello Alexander, > > Thank you for your help. > > The problem is that I do not have any access to

Re: l2pt traffic forwarding

2015-04-01 Thread mxb
You done the routing on the client side? Client, after connecting to L2TP, should know how to reach your internal network where web3 lives. //mxb > On 31 mar 2015, at 23:17, Predrag Punosevac wrote: > > Hi Misc, > > Thanks to several kind fox I got L2PT server to work like a ch

Re: can't ping CARP interfaces

2015-03-29 Thread mxb
Probably your PF rules. put in ‘pass quick proto icmp’. > On 28 mar 2015, at 00:59, David Newman wrote: > > Greetings. In preparation for upgrading two CARP+pfsync boxes to > 5.6/i386, I put together a lab network to test new firewall rules. > > Topology is pretty simple: > > outside box (vic

Re: httpd tls - what am i missing?

2015-03-26 Thread mxb
> On 25 mar 2015, at 23:44, Theodore Wynnychenko wrote: > > Thank you for the suggestion. I was not aware of "pound." I’d rather go for relayd. Which is out of the box. No need to install “yet another port and make sure it is up2date”. //mxb

Re: OpenBSD 5.5 ISAKMPD

2015-01-16 Thread mxb
Hey, You probably want to start with ipsec.conf(5). isakmpd.conf is generated out of ipsec.conf. I think people running 5.4+ don’t even use it any more. Br //mxb > On 16 jan 2015, at 21:22, Motty Cruz wrote: > > Hello All, > > I'm trying to setup IPSec Tunnel using the

Re: Dell R630 high interrupts on acpi0

2014-12-17 Thread mxb
> On 16 dec 2014, at 06:40, David Gwynne wrote: > > others have hit this on r620s as well I don’t see it on mine. interrupt total rate irq0/clock 9587998940 1599 irq0/ipi136166514 22 irq144/acpi02

Re: OpenSMTPD: SMTP_LIMIT_MAIL and SMTP_LIMIT_RCPT

2014-12-08 Thread mxb
We do a lot of bulk mails and not via local smtp, eg. PHP-code talks directly to opensmtpd. opensmtpd used as internal relay/smart host. I had to higher limits for those two in order to escape "452 4.5.3 Too many recipients: Too many messages sent “ //mxb > On 8 dec 2014, at 11:14

Re: OpenBSD 5.6/current on Soekris 6501-70

2014-12-08 Thread mxb
We have exactly this model. tcpbench from base gave only around 340Mbit/s on those. So CPU is probably one problem on those boards. tcpbench done against 1U machines with better CPU and doing almost line rate on 1G NIC. //mxb > On 8 dec 2014, at 00:53, Martin Hanson wrote: >

OpenSMTPD: SMTP_LIMIT_MAIL and SMTP_LIMIT_RCPT

2014-12-08 Thread mxb
Hello @list, are there any plans for those constants to be configurable via smtpd.conf? //mxb

Re: Squid configuration

2014-12-03 Thread mxb
echo "max_filedescriptors 4096" >> /etc/squid/squid.conf > On 3 dec 2014, at 04:07, Einfach Jemand wrote: > > Am 03.12.2014 03:55, schrieb Steve Shockley: >> On 12/2/2014 8:49 PM, Einfach Jemand wrote: >> >>> Hmm, I checked on one of my boxen and there /etc/passwd has >>> >>> _squid >>> ^-

Re: Keyboard through IPMI lag/skipping keys

2014-10-12 Thread mxb
Tried upgrade to a newer IPMI firmware? > On 13 okt 2014, at 02:11, Justin Winch wrote: > > I have a very irritating problem with the keyboard lag through IPMI on a > supermicro X9DRT. If i install centos I do not have the lag/missed keystrokes > and also I do not have this problem with any of

Re: amd64 snapshot from Sep 17 - isakmpd drops fifo

2014-09-25 Thread mxb
Looks like an old OpenBSD 5.0 install caused this problem. isakmpd is stable as soon as 5.0 -> 5.6 . //mxb > On 22 sep 2014, at 23:23, mxb wrote: > > Hey, > isakmpd seems to lose its FIFO-file in the snapshot from Sep17 > > [fw1]-[23:16:35]# ipsecctl -f /etc/

amd64 snapshot from Sep 17 - isakmpd drops fifo

2014-09-22 Thread mxb
? OpenBSD fw1 5.6 GENERIC.MP#383 amd64 //mxb

Re: Sponsorship offer

2014-09-22 Thread mxb
Hey, all relevant info can be found at http://www.openbsd.org/ or at http://www.openbsd.org/donations.html or at http://www.openbsdfoundation.org/ //mxb > On 20 sep 2

Re: Can OpenBSD access BBC Iplayer?

2014-09-05 Thread mxb
BBC is propaganda, any way. Why should you watch this?! On 4 sep 2014, at 13:49, Anthony Campbell wrote: > On 04 Sep 2014, Anthony Campbell wrote: >> On 03 Sep 2014, David Coppa wrote: >> >> Thanks. I'm not using -current at the moment (I'm too new to OpenBSD) so >> I'd better wait until the n

Re: troubleshooting carp

2014-08-14 Thread mxb
You should show configuration from the other side too. You’ll have to start your troubleshooting from the base, eg. can you ping node2 from node1? //mxb On 14 aug 2014, at 20:36, Stefan Olsson wrote: > > > From: stur...@hotmail.com > To: m...@alumni.chalmers.se > CC: misc@openbs

Re: troubleshooting carp

2014-08-14 Thread mxb
What switch do you have? "advbase 20” and "advskew 100” means that you’ll have to wait 20+ sec in order to see announcement in tcpdump. Are you sure you have waited enough? //mxb On 14 aug 2014, at 16:37, Stefan Olsson wrote: > Hi Misc, > I am having problems with sett

Re: l2tp / ipsec follow up

2014-07-28 Thread mxb
your cable modem. Nor services (ex. dhcpd) running inside. And then you get connection problems, you’ll look for a problem and will end up in resetting/rebooting several devices(modem, openbsd-box). //mxb On 27 jul 2014, at 22:58, Gordon Turner wrote: > The OpenBSD ip (192.168.2.232)

Re: l2tp / ipsec issue

2014-07-25 Thread mxb
Probably, but you can play with ipsec-config and send your results over here. On 24 jul 2014, at 13:23, Stefan Krueger wrote: > In mailing.openbsd.misc, you wrote: >> the public_ip in your ipsec.conf should be the external ip of your router, >> not the openbsd box. >> >> other setup checks can

Re: l2tp / ipsec issue

2014-07-22 Thread mxb
pool-address in the same subnet may not work as you expect it. proxyarp needed. at least I’ve seen a discussion regarding this, so I have separate network for vpn-clients. This might have changed. framed-ip-address - yes, it should be within subnet range used for l2tp-clients //mxb On 22 jul

Re: l2tp / ipsec issue

2014-07-22 Thread mxb
main auth "hmac-sha1" enc "3des" group modp1024 \ quick auth "hmac-sha1" enc "aes" \ psk "P4SSWORD" \ tag rwarrior This setup is on 5.4-current //mxb On 22 jul 2014, at 13:05, chenghan tv wrote: > OpenBSD L2TP/IPSec w

Re: l2tp / ipsec issue

2014-07-21 Thread mxb
I’d made cable modem act as bridge and let OpenBSD handle public IP/firewall (guessing it is DHCP). In this setup you’d eliminate this extra device with forwarding ports and simplified debugging. //mxb On 21 jul 2014, at 02:35, Gordon Turner wrote: > Hey List, > > I am trying to us

Re: Poor CARP Interface Performance with NAT

2014-01-21 Thread mxb
You PF rules are needed too for this. On 22 jan 2014, at 00:51, Gabriel Kuri wrote: > I am running obsd 5.4 as my NAT router. I decided to setup a second obsd > box and run carp between the two for the external NATed interface (facing > the ISP). After I setup everything and switched pf to NAT u

Re: Is it possible to track bandwidth usage of different VPN accounts using PF?

2014-01-10 Thread mxb
You can setup RADIUS, make users authenticate against it and assign IP stored in RADIUS srv. Then use pflow(4) to account. This is just theory. On 10 jan 2014, at 16:33, Some Developer wrote: > I have a VPN server configured using L2TP and IPSec. Clients authenticate > using x509 certificates b

Re: BCM5719/20 or I350

2014-01-07 Thread mxb
Mbps: 926.569 On 6 jan 2014, at 22:44, Hrvoje Popovski wrote: > On 5.1.2014. 17:10, mxb wrote: >> >> I have I350 on several machines and haven’t seen any problems. >> > > > Do you have vlans or trunk on I350? Could you share some numbers like > bps or pps? > > Tnx for info.

Re: BCM5719/20 or I350

2014-01-05 Thread mxb
I have I350 on several machines and haven’t seen any problems. On 5 jan 2014, at 12:18, Hrvoje Popovski wrote: > Hello, > > I need to upgrade my OpenBSD firewalls and have chance to buy HP DL360p > G8 or Supermicro 5017R-WRF. Which card is better or more stable for > firewalling BCM5719/20 or

Re: VPN Between OpenBSD and iOS

2014-01-04 Thread mxb
cret" } } bind tunnel from L2TP authenticated by RADIUS to tun0 //mxb On 4 jan 2014, at 02:09, Matt Carlson wrote: > mxb, > > I tried that and I'm getting the same results. Any other ideas? What does your npppd.conf look like? > > Thanks, > > Matt

Re: VPN Between OpenBSD and iOS

2014-01-03 Thread mxb
I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release). My ipsec.conf for L2TP is this: ike passive esp transport \ proto udp from $local_gw to any port 1701 \ main auth "hmac-sha1" enc "3des" group modp1024 \ quick auth "hmac-sha1" enc "aes" \

Re: relayd - sporadic high CPU usage

2013-11-27 Thread mxb
Could you point to the right commit in cvs? //mxb On 26 nov 2013, at 20:42, Chris Cappuccio wrote: > There was a bug fixed in 5.4-current which may cause behavior like this i > believe > > mxb [m...@alumni.chalmers.se] wrote: >> Hello list, >> >> I have a pa

relayd - sporadic high CPU usage

2013-11-25 Thread mxb
start to consume CPU as well. Notable thing is that I’ve seen this on 5.3 as well. Any ideas where to dig? //mxb

Re: carp+pfsync+relayd question

2013-11-18 Thread mxb
Output for 'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.inet.ip.ifq’ would be hie to see. //mxb On 18 nov 2013, at 04:20, Leonardo Santagostini wrote: > Sorry, looking more detailed at the logs i found this: > > /var/log/daemon > Nov 17 18:36:12 v

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
No, it is number of currently active sessions for this particular relay. Eg. 502 “users". On 14 nov 2013, at 21:59, Andy Lemin wrote: > Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds like > an error return from nginx/apache etc. could be a direct server return issue > c

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
Put all of those into the same "relay { }” as they are going to the same forward table. relay { listen on addr1 port 80 listen on addr2 port 80 etc…. } or you’ll end up doing “check http” several times. and I’d do just simple "check tcp” - faster. On 14 nov 2013, at 16

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
15 sites and only 9? I’d put around 50 (and have). You might need even more. On 14 nov 2013, at 16:21, Leonardo Santagostini wrote: > set limit states 9

Re: Dell servers

2013-10-11 Thread mxb
I have couple of R620 in production with ix(4) as 10G NICs. You might want to disable cores you don't need and HTT (I've done it half way). No problems so far. Below is an old dmesg with HTT disabled (else it shows up 16 cores). OpenBSD 5.3 (GENERIC.MP) #55: Fri Mar 1 09:13:04 MST 2013 dera.

Re: Sorry OpenBSD people, been a bit busy

2013-10-07 Thread mxb
I'd turn this to police and tried to make Twitter to shut down this account. On 7 okt 2013, at 02:48, dera...@cvs.openbsd.org wrote: > Well, at the end > of 2007 someone decided to open an impersonation account on twitter in > my name, and start sending a mix of things I have said (see wikiquote

Broken IPSec tunnels with latest snapshot

2013-10-01 Thread mxb
00) 141945.887028 Timr 10 timer_handle_expirations: event message_send_expire(0x20ec11a00) 141945.887225 Timr 10 timer_handle_expirations: event message_send_expire(0x20ec11800) //mxb

Re: how to compare ipsec.conf and isakmpd.conf settings?

2013-09-26 Thread mxb
As naddy@ answered this already for "ipsec outgoing address translation question" on this list, 'ipsecctl -nv' is the right way to go. //mxb On 26 sep 2013, at 18:04, Daniel Polak wrote: > On a computer running OpenBSD 5.3 system I am migrating from an isakmpd.conf &

Re: OSPF ABR/ASBR issue

2013-09-24 Thread mxb
As you can see, this setup works without any patch. I tested to remove lo1 and see if routes to carped nets disappear. No luck. Routes are there. //mxb On 24 sep 2013, at 11:08, Kapetanakis Giannis wrote: > On 24/09/13 12:02, Kapetanakis Giannis wrote: >> Without this patch, route

Re: ipsec outgoing address translation question

2013-09-16 Thread mxb
It is possible to achieve this via pf.conf. Sorry, no example, as this was done long time ago and for testing only. On 16 sep 2013, at 12:55, Christoph Leser wrote: > Hello, > > with ipsecctl I can configure outgoing address translation in ipsec.conf > like this: > > ike esp from 10.

Re: relayd: Is it safe to rise RELAY_MAX* limits

2013-09-10 Thread mxb
Discarded. :) On 10 sep 2013, at 12:13, mxb wrote: > > Hello list, > > how safe is it to rise limits in relayd.h? > > #define RELAY_MAX_SESSIONS1024 > #define RELAY_MAXPROC 32 > #define RELAY_MAXHOSTS32

relayd: Is it safe to rise RELAY_MAX* limits

2013-09-10 Thread mxb
Hello list, how safe is it to rise limits in relayd.h? #define RELAY_MAX_SESSIONS 1024 #define RELAY_MAXPROC 32 #define RELAY_MAXHOSTS 32

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread mxb
n use, then you'll have to divide this number with 2(avrg. and not precise number). So, per port on X540-T2, you have maximum 3Gbit/s. in theory, if both ports used and have avrg. the same amount of traffic. if not both - 6Gbit/s Correct me if I'm wrong. //mxb On 9 aug 2013, at 03

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-07 Thread mxb
You might want to pull in 5.4-current instead. One you have is not that current any more. :) On 7 aug 2013, at 16:26, Maxim Khitrov wrote: > Hi all, > > I'm looking for performance measuring and tuning advice for 10 gigabit > Ethernet. I have a pair of Lanner FW-8865 systems that will be used a

Re: PF sync doesn't not work very well

2013-07-04 Thread mxb
one to fix this - I take simpler approach to donate my hw and test time. But there are bug to be FIXED //mxb On 4 jul 2013, at 20:07, Henning Brauer wrote: > * mxb [2013-07-03 17:33]: >> States ARE synced. >> IPs are not the same on node1 and node2 for external. The you >
