Re: Multiple NICs on the same subnet
Hi Scott,

Scott Ullrich wrote on Thu, May 09, 2002 at 05:41:24PM -0400:
> Are you using a fairly recent version of 4.5?  I have had much better luck
> with maxusers 0?

It's recent enough to allow to set it to 0, but I did not try it. I've talked to Mike Silbersack about this a while ago, and the 'autosizing' just picks a reasonable value, according to your RAM. I've even bumped maxusers to 768 which should be the same value as chosen by the autosizing.

I don't run into any problems now, but I don't use the Gigabit link at the moment. I first need to find a way to test it reliably, before I put all services on that one.

> I'm sure you've covered all the tracks...  Just thinking out loud.  ;)
>
> > -Original Message-
> > From: Daniel Lang [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 09, 2002 5:39 PM
> > To: Scott Ullrich
> > Subject: Re: Multiple NICs on the same subnet
> >
> > Dear Scott,
> >
> > Scott Ullrich wrote on Thu, May 09, 2002 at 04:41:42PM -0400:
> > > Hey, can you post your kernel config file?  It sounds like you're
> > > running out of resources.
> > [..]
> > > > I want to use multiple NICs on the same subnet.
> > > > That's my setup:
> >
> > Well, depends on what you are referring to. The problems with
> > the lge0 gigabit NIC may be due to lack of resources. I can
> > post my kernel config, but I would not like to SPAM a whole
> > lot of people with lots of useless information. So
> > if you have some specific parameter in mind, I would prefer
> > to tell you those, instead of a whole lot of drivers and
> > stuff which is not so interesting.
> >
> > FYI:
> > maxusers is set to 512, nmbclusters is set to 32768.
> > the box has 1.5GB RAM.
> >
> > Thanks already.
> >
> > Best regards,
> >  Daniel
> > --
> > IRCnet: Mr-Spock - Agartim billiard bumba m'abdul in papejim twista -
> > - rumba rock n rolla. Leik'ab mai. Spirzon Heroin se'osit gaula. -
> > - Marijuana esit gaula. Haschisch. Opis. -
> > *Daniel Lang * [EMAIL PROTECTED] * +49 89 289 25735 * http://www.leo.org/~dl/*

--
IRCnet: Mr-Spock - All your .sigs are belong to us -
Daniel Lang * [EMAIL PROTECTED] * +49 89 289 25735 * http://www.leo.org/~dl/

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
Re: Multiple NICs on the same subnet
Hi Nick,

Nick Rogness wrote on Thu, May 09, 2002 at 05:28:13PM -0500:
[..]
> The problem you are having is not an alias problem but a routing
> one.  Packets come in to your alias on the proper interface but
> when the reply packet gets sent it uses the default route which
> goes out your default route.
                        ^ interface I assume.

Yes, true, that is probably the case. Looking at my routing tables, this makes sense.

> In other words, packets that arrive inbound on an interface will
> not necessarily leave that same interface on the outbound reply,
> if it doesn't have a route to that network via that
> interface.  Instead, it leaves through the default gateway
> interface (because of the default route).

I see.

> The best way to handle this is with ipfw fwd.  Basically you
> forward packets trying to leave the default gateway with the
> aliased address of a different interface out the right interface.
>
> For example:
>
>   xl0 --> alias= 1.1.1.1/32 , (default gateway out this interface)
>   xl1 --> alias= 1.1.1.2/32
>   lge0 --> alias= 1.1.1.3/32
>
> ipfw ruleset:
>
>   # Forward packets properly
>   ipfw fwd $IP_OF_NEXT_HOP_xl1 ip from 1.1.1.2/32 to any out via xl0
>   ipfw fwd $IP_OF_NEXT_HOP_lge0 ip from 1.1.1.3/32 to any out via xl0
>   . . . [rest of firewall] . . .

Hmmm hm hm hm :-) May work. I can try it... I hope the additional forwarding code does not slow things down too much, but I guess not.

> You will need your kernel built with 'options IPFIREWALL_FORWARD'.

Ok thanks. Is that option set on building the ipfw.ko ? Anyway I try it. Maybe ipfilter works alike.

> > This would not be that much of a problem so far. The problem really
> > showed up, when it seemed like the Gigabit interface did not seem to
> > work as expected. A couple of possible problems may be the cause,
> > symptoms being "lge0: watchdog timeout" messages (which may be due to
> > hardware/cabling problems), "sendto: no buffer space availble"
> > messages (no idea where this comes from, any hints appreciated,
> > kern.ipc.nmbclusters and kern.maxusers etc, are bumped enough and did
> > not max out (according to netstat -m)).
>
> This is another problem altogether.

Yes. Any hints or suggestions? I've got kern.maxusers=768 and kern.ipc.nmbclusters=32768 now. Maybe that solves it...

[..]

Thanks a lot for your help.

Best regards,
 Daniel
--
IRCnet: Mr-Spock - signs of absurd developments in the net community: #42: -
- "In my opinion, a sausage sandwich belongs to Cartoon's breakfast botnet" -
*Daniel Lang * [EMAIL PROTECTED] * +49 89 289 25735 * http://www.leo.org/~dl/*
Re: UDLR
Emmanuel Duros already left INRIA. (So, there may be some old links from our pages, sorry.) Now, he is working at UDcast. Namely, this company is selling/providing UDLR functions. If you are interested in their services, you may want to mail to [EMAIL PROTECTED]

--
Hitoshi Asaeda
Re: Multiple NICs on the same subnet
Hi all,

I guess I've found a solution. I'll post it here:

Nick Rogness wrote on Thu, May 09, 2002 at 05:28:13PM -0500:
[..]
> The best way to handle this is with ipfw fwd.  Basically you
> forward packets trying to leave the default gateway with the
> aliased address of a different interface out the right interface.
>
> For example:
>
>   xl0 --> alias= 1.1.1.1/32 , (default gateway out this interface)
>   xl1 --> alias= 1.1.1.2/32
>   lge0 --> alias= 1.1.1.3/32
>
> ipfw ruleset:
>
>   # Forward packets properly
>   ipfw fwd $IP_OF_NEXT_HOP_xl1 ip from 1.1.1.2/32 to any out via xl0
>   ipfw fwd $IP_OF_NEXT_HOP_lge0 ip from 1.1.1.3/32 to any out via xl0
>   . . . [rest of firewall] . . .
[..]

This did not work, because you cannot specify in the rule which interface to use for the forwarded packet. This is determined by the routing table, as described in ipfw(8). As the $IP_OF_NEXT_HOP_lge0 would be the same for $IP_OF_NEXT_HOP_xl0.

So I've used ipfilter instead of ipfw with the following rule:

  [..]
  pass out on xl0 fastroute lge0 from 1.1.1.3 to any
  [..]

This matches any packet from 1.1.1.3 which attempts to leave via xl0 but is then stuffed into the outgoing queue of lge0.

Again, thanks for your help.

Best regards,
 Daniel
--
IRCnet: Mr-Spock - All your .sigs are belong to us -
Daniel Lang * [EMAIL PROTECTED] * +49 89 289 25735 * http://www.leo.org/~dl/
mpd-netgraph as VPN client to Cisco 2500 REDUX
Well thanks to Archie, I had mpd connecting me to my work's 2500 quite successfully. 'Had' being the operative word :-)

Unfortunately, the 2500 recently had some configuration changes. Specifically related to the MTU settings. This fixed some other clients, but broke me :-(

Symptoms, the connection is initiated and established fine. Some traffic can pass; web access works, but slowly. All pings fail, I quickly get:

  From gw.everard.bogus (192.168.0.1): Source Quench
  From gw.everard.bogus (192.168.0.1): Source Quench
  From gw.everard.bogus (192.168.0.1): Source Quench
  From gw.everard.bogus (192.168.0.1): Source Quench

for pings. mpd is telling me:

  [vpn] LCP: no reply to 1 echo request(s)
  [vpn] LCP: no reply to 2 echo request(s)
  [vpn] LCP: no reply to 3 echo request(s)
  [vpn] LCP: no reply to 4 echo request(s)
  [vpn] LCP: no reply to 5 echo request(s)

I'm positive that some traffic does get through - the web accesses I can do would be utterly impossible if it were not for a VPN tunnel (blocked by firewall). The link is effectively unusable though.

The cisco config has an MTU of 1524 specified. After I had mpd bring the tunnel up, I manually changed the MTU on ng0 with:

  ifconfig ng0 mtu 1524

Initially I had limited success with this, pings started working, but web access was worse (non existent). Now I can't even get that. I've tried lower MTUs, to no visible effect.

Part of me thinks that if MTU were really a problem, a low MTU (like 300) would fix it, but make performance suck. Perhaps that's not the case. Or perhaps I've misdiagnosed this problem :-)

I still have my host route to the cisco via my normal default gateway (because the cisco has an IP on the tunnelled network), and I've upgraded mpd to version 3.8.

Any ideas?

- Justin
--
[EMAIL PROTECTED]                | "Don't sweat it --
http://hawkins.dropbear.id.au    |  it's only 1's and 0's"
Re: mpd-netgraph as VPN client to Cisco 2500 REDUX (doh)
On Fri, 10 May 2002, Justin Hawkins wrote:
> Well thanks to Archie, I had mpd connecting me to my work's 2500 quite
> successfully. 'Had' being the operative word :-)

In the way that only a cry for help on a large mailing list can do, I found the problem myself.

It seems that lowering the MTU on the ng0 interface DOES help. I forgot to take NAT out of the equation. There is definitely a problem with NAT+VPN, but for the moment I can deal with accessing the VPN networks from only my gateway machine.

I actually thought I was bypassing NAT in my web tests. Though the browser is on a NAT'ted machine, it uses a proxy on the gateway to get access... must be something to do with the transparent proxying + NAT + VPN :-)

Anyway, now I have a legitimate question, how can I setup mpd to change the MTU on the ng0 interface when it brings it up?

- Justin
--
[EMAIL PROTECTED]                | "Don't sweat it --
http://hawkins.dropbear.id.au    |  it's only 1's and 0's"
RE: mpd-netgraph as VPN client to Cisco 2500 REDUX (doh)
> Anyway, now I have a legitimate question, how can I setup mpd
> to change the MTU on the ng0 interface when it brings it up?

I do this via mpd's "set iface up-script", using a manually chosen MTU.

It'd be nice if mpd would do this automatically, based on the MTU of the underlying interface and the length of the encapsulation header...

Lars
--
Lars Eggert <[EMAIL PROTECTED]>
Information Sciences Institute
Re: mpd-netgraph as VPN client to Cisco 2500 REDUX (doh)
Lars Eggert writes:
> > Anyway, now I have a legitimate question, how can I setup mpd
> > to change the MTU on the ng0 interface when it brings it up?
>
> I do this via mpd's "set iface up-script", using a manually chosen MTU.
>
> It'd be nice if mpd would do this automatically, based on the MTU of the
> underlying interface and the length of the encapsulation header...

Mpd is "supposed" to do this automatically, but it only does it for the PPP headers, not the device headers (such as PPTP/IP/Ethernet).

In other words, there is a 'hard' MTU which is the maximum size of a packet you are allowed to send -- which by the way is dictated by (a) the transport layer for your PPP frames (in the case of PPTP, this would be on the order of 65,000 bytes -- because with PPTP the transport for the PPP frame is an IP packet) and (b) what the remote peer asks for (typically 1500 or less), and there is also a 'soft' MTU which is the largest MTU that will not cause any packets to get fragmented at any level along the chain.

Mpd only adjusts the interface MTU to handle the 'hard' MTU part. If time permits I'll have it try to be a little smarter.

On a related note, you can avoid these problems altogether if you enable multi-link PPP (and the remote PPTP device supports it). With multi-link, PPP packets themselves can be fragmented transparently so the higher layer MTU can be much larger without any ill effects.

-Archie

__
Archie Cobbs * Packet Design * http://www.packetdesign.com
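The up-script approach from this sub-thread, sketched as an added example (not code from the posters or from mpd): it derives the 'soft' MTU from the underlying interface MTU minus the encapsulation headers and caps it at the 'hard' MTU. Assumptions: a 40-byte PPTP overhead, the argument order mpd passes to the script, the hypothetical settings `UNDERLYING_IF` and `PEER_MRU`, and `xl0` as the default underlying interface.

```shell
#!/bin/sh
# Added example: an mpd "set iface up-script" helper that applies a 'soft' MTU.
# Assumption (not from the thread): per-packet PPTP overhead in bytes is
# outer IP 20 + enhanced GRE with seq/ack 16 + PPP header 4 = 40.
PPTP_OVERHEAD=40
MIN_MTU=68   # sanity floor chosen for this example

# True if $1 is a non-empty string of decimal digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# soft_mtu UNDERLYING_MTU HARD_MTU
# Prints the largest tunnel MTU that fits in one underlying frame after
# encapsulation, capped at the 'hard' MTU the peer asked for.
soft_mtu() {
    is_uint "$1" && is_uint "$2" || return 1
    soft=$(( $1 - $PPTP_OVERHEAD ))
    if [ "$soft" -gt "$2" ]; then soft=$2; fi
    [ "$soft" -ge "$MIN_MTU" ] || return 1
    echo "$soft"
}

# Reads ifconfig output on stdin and prints the first "mtu N" value.
if_mtu() { sed -n 's/.* mtu \([0-9][0-9]*\).*/\1/p' | head -n 1; }

# Assumed invocation by mpd: script interface proto local-ip remote-ip authname
# UNDERLYING_IF and PEER_MRU are hypothetical settings for this example.
if [ "$#" -ge 1 ]; then
    under=$(ifconfig "${UNDERLYING_IF:-xl0}" | if_mtu)
    mtu=$(soft_mtu "$under" "${PEER_MRU:-1500}") || {
        echo "up-script: cannot derive MTU for $1" >&2
        exit 1
    }
    exec ifconfig "$1" mtu "$mtu"
fi
```

Run without arguments the script only defines its functions; when given an interface name as its first argument it sets that interface's MTU and exits non-zero if no sane value can be derived.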