vbox + bce == sporadic ethernet hangs
I am running FreeBSD 9-STABLE (updated yesterday: FreeBSD 9.1-STABLE #15: Mon Apr 22 07:45:07 UTC 2013) with VirtualBox 4.2.6 from ports … the hardware is using a Broadcom ethernet:

    bce0: mem 0xf400-0xf5ff irq 16 at device 0.0 on pci7
    miibus0: on bce0
    bce0: Ethernet address: 00:22:19:5b:20:bd
    bce0: ASIC (0x57081020); Rev (B2); Bus (PCI-X, 64-bit, 133MHz); B/C (4.4.1); Bufs (RX:2;TX:2;PG:8); Flags (SPLT|MSI|MFW); MFW (UMP 1.1.9)
    bce0: bce_pulse(): Warning: bootcode thinks driver is absent! (bc_state = 0x4006)

Running with simple jails on it, the server runs flawlessly until reboot … but as soon as I start running VirtualBox on it, I get sporadic server 'hangs' … never the same time, usually can be triggered by heavier than normal load on the virtual box (ie. running an rsync session from the base server into the vbox environment) …

When it happens, I can *usually* connect via the DRAC / remote console and login … but doing an 'ifconfig down' on the device and then back up makes no difference … if I send a ctl-alt-del through the remote console, more often than not, it will free up whatever is going on, so that pinging works again, but, of course, I've already hit ctl-alt-del, so it's rebooting even though now I don't need it to …

Based on a page on the wiki about tuning for vbox, I have set:

    net.graph.maxdata=65536

but I've seen this happen even with that set, so not sure if I'm just still triggering it, or it's something else I'm experiencing …

So, two questions:

1. is there something I can run to see if I *am* in fact hitting that limit?
2. is there something I can do, like ctl-alt-del, but without the reboot, to 'free' the ethernet?

Thx

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
VirtualBox + FreeBSD 9-STABLE == Frozen Ethernet
I'm having an odd issue with FreeBSD that I'm not sure how to trace / where to look …

I have 6 servers, all identical RAM / CPU / Ethernet / etc … 4 of them are running VirtualBox, 2 are running Jails … one of the 4 I just switched from Jail -> VirtualBox …

When running jail(s), the servers are rock solid … as soon as I switch to VirtualBox (the one I just switched is running one Vbox with a FreeBSD Guest) … nothing else is running on the server … but I will get sporadic freezes of the Ethernet. One ran 46 days before it froze, then after a reboot, it happened a few hours later, now it's been running several hours again without any issues …

The machine itself is not frozen … I can connect via remote console, login, do ps, etc … so it's as if the Ethernet (bce device) just went offline.

I was pointed to a wiki about VirtualBox, and my current loader.conf looks like:

===
aio_load="YES"
kern.ipc.shm_use_phys=1
accf_http_load="YES"
if_bridge_load="YES"
if_tap_load="YES"
hw.pci.enable_msix=0
vboxdrv_load="YES"
net.graph.maxdata=65536
===

I'm running the latest version of 9-STABLE as well as the latest version of vBox available in ports … the bce device is an older version of Broadcom, so not dealing with a new one with new features:

    bce0:

And as I say, these work great with jail'd environments ALIASed onto them …

The vBox environments are all configured for network using:

    --nic1 bridged --bridgeadapter1 bce1

Maybe I'm setting up the network wrong? But, it does work for awhile …

I'm not seeing any errors on the console when the ethernet stops working … nothing to indicate a buffer overflowing or something like that … but, again, I can login and run commands, so if there is something I can run to get more useful details … ?
Re: VirtualBox + FreeBSD 9-STABLE == Frozen Ethernet
On 2013-05-06 2:49 PM, Norbert Beckmann wrote:
> To Marc G. Fournier
>
> I do not think it's an issue with VirtualBox. I am running VirtualBox
> under Solaris. And I never had problems with it.
> Guests: ubuntu, Windows 7, Linux Mint, FreeBSD, Chrome OS.
> But the people of VirtualBox themselves state that Windows is somewhat
> delicate (don't remember whether they meant as guest or as host, I
> think both).
> Which would be comprehensible, because Windows has never become a real
> multi user / multi process system as Unix was by birth (nearly).
> I can neither help concerning the freezing Ethernet nor did I encounter
> similar things (as far as I remember).

My first thought is that it's something in the vboxnet kernel module when using a bridge ... I think the problem has been getting progressively worse, with each upgrade, but since I upgrade both vBox and the kernel in tandem, I'm currently working on going 'back in time' with the code, see if I can find some 'stable point' ...

If anyone with more knowledge can suggest any commands I can run to provide debug info, or such ... ? I don't mind debugging, just don't know what to provide that is useful ...
Re: VirtualBox + FreeBSD 9-STABLE == Frozen Ethernet
Do you happen to know of a HowTO for doing this? figure there are a few extra steps than simply:

    ifconfig tapX plumb
    --bridgeadapter tapX

Thx ..

On 2013-05-08, at 03:09 , Nicolas de Bari Embriz Garcia Rojas wrote:

> When using bridge mode, use tap interfaces otherwise you will get
> problems when using more than one VM.
>
> regards
>
> On 05/08/2013 03:49, Marc G. Fournier wrote:
>> On 2013-05-06 2:49 PM, Norbert Beckmann wrote:
>>> To Marc G. Fournier
>>>
>>> I do not think it's an issue with VirtualBox. I am running VirtualBox
>>> under Solaris. And I never had problems with it.
>>> Guests: ubuntu, Windows 7, Linux Mint, FreeBSD, Chrome OS.
>>> But the people of VirtualBox themselves state that Windows is somewhat
>>> delicate (don't remember whether they meant as guest or as host, I
>>> think both).
>>> Which would be comprehensible, because Windows has never become a real
>>> multi user / multi process system as Unix was by birth (nearly).
>>> I can neither help concerning the freezing Ethernet nor did I encounter
>>> similar things (as far as I remember).
>> My first thought is that it's something in the vboxnet kernel module
>> when using a bridge ... I think the problem has been getting
>> progressively worse, with each upgrade, but since I upgrade both vBox
>> and the kernel in tandem, I'm currently working on going 'back in
>> time' with the code, see if I can find some 'stable point' ...
>>
>> If anyone with more knowledge can suggest any commands I can run to
>> provide debug info, or such ... ? I don't mind debugging, just don't
>> know what to provide that is useful ...
status of a tap device ...
Quick question ... is there a command I can run that will tell me if a tap device is open? I know I can do 'ifconfig tap0' and see the 'Opened by' line, but I want to do this within a perl script, for instance, akin to how I can use the fstat function to get information about a file ...

Rather avoid re-creating the wheel, so to say, if it's already been created ...

Thx
Re: status of a tap device ...
Ended up finding the perl module: p5-Net-Ifconfig-Wrapper that does the trick ...

Although your suggestions are much appreciated below, the problem is that I have the tap devices, and bridge 'addm's happening on server reboot, but need to know which one is in use before starting up / using them for vBox ...

Thank you for the response though ...

On 2013-05-09 10:19 PM, Jason Hellenthal wrote:
> Ifconfig -v tap0 ?
>
> Does this work for you ?
>
> Also upon opening a tap...
>
>     ifconfig tap create
>
> Will return the numeric portion of the tap that was created with $?
>
> So scripting it out it would be similar to...
>
>     ifconfig tap create && export MYTAPIS="$?"
>     echo "tap$MYTAPIS"
>
> --
> Jason Hellenthal
> IS&T Services Professional
> Inbox: jhellent...@dataix.net
> JJH48-ARIN
>
> On May 10, 2013, at 1:03, "Marc G. Fournier" <scra...@hub.org> wrote:
>
>> Quick question ... is there a command I can run that will tell me if
>> a tap device is open? I know I can do 'ifconfig tap0' and see the
>> 'Opened by' line, but I want to do this within a perl script, for
>> instance, akin to how I can use the fstat function to get information
>> about a file ...
>>
>> Rather avoid re-creating the wheel, so to say, if it's already been
>> created ...
>>
>> Thx
nfs error: No route to host when starting apache ...
I just setup an nfs mount between two servers ...

ServerA, nfsd on 192.168.1.8
ServerB, nfs client on 192.168.1.7

I have a jail, ServerC, running on 192.168.1.7 ... most operations appear to work, but it looks like 'special files' of a sort aren't working, for when I try and startup Apache, I get:

    [Fri Apr 01 19:42:02 2011] [emerg] (65)No route to host: couldn't grab the accept mutex

When I try and do a 'newaliases', I get:

    # newaliases
    postalias: fatal: lock /etc/aliases.db: No route to host

Yet, for instance, both MySQL and PostgreSQL are running without any issues ...

So, the mount is there, it is readable, it is working ... I can ssh into the jail, I can create files, etc ...

I do have rpc.lockd and rpc.statd running on both client / server sides ...

I'm not seeing anything in either the man page for mount_nfs *or* nfsd that might account / correct for something like this, but since I'm not sure what "this" is exactly, not sure exactly what I should be looking for :(

Note that this behaviour happens at the *physical* server level as well, having tested with using postalias to generate the same 'lock' issue above ...

Now, I do have mountd/nfsd started with the -h to bind them to 192.168.1.8 ... *but*, the servers themselves, although on same switch do have different default gateways ... I'm not seeing anything within the man page for, say, rpc.statd/rpc.lockd that allows me to bind it to the 192.168.1.0/24 IP, so is it binding to my public IP instead of my private? So nfsd / mount_nfs can talk fine, as they go through 192.168.1.0/24 as desired, but rpc.statd/rpc.lockd are the public IPs and not able to talk to each other?

Thx ...
Re: nfs error: No route to host when starting apache ...
I've succeeded in getting a bit further ... by the time I got to the bottom of my original, I started to think in terms of rpc more, and had overlooked looking at the rpcbind man page, which *does* have a -h option ... setting that fixes things perfectly *almost* ...

The last issue I seem to be hitting *might* be a 6.x NFS client against a 7.x server issue ... ?

Postfix generates:

    postfix/showq[65261]: fatal: select lock: Permission denied

The only post I found about this was:

http://lists.freebsd.org/pipermail/freebsd-questions/2010-April/215284.html

But there didn't appear to be any responses ... so either all responses were private to Robert, or ... ?

This is my last 6.x box, so it is not overly critical, but would be nice if I could get it to work properly ...

On Fri, 1 Apr 2011, Marc G. Fournier wrote:

> I just setup an nfs mount between two servers ...
>
> ServerA, nfsd on 192.168.1.8
> ServerB, nfs client on 192.168.1.7
>
> I have a jail, ServerC, running on 192.168.1.7 ... most operations appear
> to work, but it looks like 'special files' of a sort aren't working, for
> when I try and startup Apache, I get:
>
>     [Fri Apr 01 19:42:02 2011] [emerg] (65)No route to host: couldn't grab the accept mutex
>
> When I try and do a 'newaliases', I get:
>
>     # newaliases
>     postalias: fatal: lock /etc/aliases.db: No route to host
>
> Yet, for instance, both MySQL and PostgreSQL are running without any
> issues ...
>
> So, the mount is there, it is readable, it is working ... I can ssh into
> the jail, I can create files, etc ...
>
> I do have rpc.lockd and rpc.statd running on both client / server sides ...
>
> I'm not seeing anything in either the man page for mount_nfs *or* nfsd that
> might account / correct for something like this, but since I'm not sure
> what "this" is exactly, not sure exactly what I should be looking for :(
>
> Note that this behaviour happens at the *physical* server level as well,
> having tested with using postalias to generate the same 'lock' issue
> above ...
>
> Now, I do have mountd/nfsd started with the -h to bind them to
> 192.168.1.8 ... *but*, the servers themselves, although on same switch do
> have different default gateways ... I'm not seeing anything within the man
> page for, say, rpc.statd/rpc.lockd that allows me to bind it to the
> 192.168.1.0/24 IP, so is it binding to my public IP instead of my private?
> So nfsd / mount_nfs can talk fine, as they go through 192.168.1.0/24 as
> desired, but rpc.statd/rpc.lockd are the public IPs and not able to talk
> to each other?
>
> Thx ...

Marc G. Fournier    Hub.Org Hosting Solutions S.A.
scra...@hub.org    http://www.hub.org
Yahoo: yscrappy    Skype: hub.org    ICQ: 7615664    MSN: scra...@hub.org
Re: nfs error: No route to host when starting apache ...
On Fri, 1 Apr 2011, Rick Macklem wrote:

> Since rpc.lockd and rpc.statd expect to be able to do IP broadcast (same
> goes for rpcbind), I suspect that might be a problem w.r.t. jails,
> although I know nothing about how jails work?
>
> Oh, and you can use the "nolock" mount option to avoid use of rpc.lockd
> and rpc.statd.

based on the mount_nfs man page, as well as trying it just in case, this option no longer appears to be available in the 7.x nfs code ... :(
7-STABLE NFS: fatal: "select lock: Permission denied"
I'm trying to simulate a diskless boot of FreeBSD, as am looking at moving to a more 'thin client' environment, using a Netapp as a filer to provide the file systems for FreeBSD front ends ...

To simulate this, I have two servers, both running 7-STABLE, one acting as the nfs server (ie. simulated netapp), and the other the client ...

Both servers have a private and a public IP ... the nfs traffic is over the private network ...

Initially, had issues with lockd that I got resolved ...

Settings in /etc/rc.conf on server are:

    rpcbind_enable="YES"
    rpcbind_flags="-h 192.168.1.9"
    nfs_server_enable="YES"
    mountd_enable="YES"
    mountd_flags="-r -h 192.168.1.9"
    nfs_server_flags="-u -n 8 -h 192.168.1.9"
    rpc_statd_enable="YES"
    rpc_lockd_enable="YES"

Settings in /etc/rc.conf on the client are:

    rpcbind_enable="YES"
    rpcbind_flags="-h 192.168.1.1"
    rpc_lockd_enable="YES"
    rpc_statd_enable="YES"

===

/etc/fstab on the client has:

    192.168.1.9:/vm /vm nfs rw,noauto,intr 0 0

/etc/exports on the server has:

    /vm -network 192.168.1.0/24 -maproot=0 -alldirs

===

Now, to simulate the diskless, I built a jail on top of the mounted /vm ... that worked fine ...

I have several applications built and installed on it ... primarily, apache 2.2 and postfix 2.7.x ...

Apache 2.2 + mod_fcgi + php 5.3.6 *appears* to work fine ...

Postfix, on the other hand, generates the error message in the subject line when I try and run 'mailq':

    postfix/showq[19805]: fatal: select lock: Permission denied

Since the handbook has a section on diskless boot in Chapter 31:

http://www.freebsd.org/doc/handbook/network-diskless.html

I assumed / hoped that things would run just fine ... am I wrong in that assumption? Or have I just overlooked a key setting in getting the nfs to work?

Any suggestions / pointers are most welcome ...
Re: 7-STABLE NFS: fatal: "select lock: Permission denied"
'k, based on someone else's recommendation, I add 'nolockd' to the mount entry, and postfix now appears to work ... since I can safely guarantee that only the one host will have access to these files, that doesn't pose a problem for me, but still find it a weird issue all things considered :(

On Sun, 3 Apr 2011, Marc G. Fournier wrote:

> I'm trying to simulate a diskless boot of FreeBSD, as am looking at
> moving to a more 'thin client' environment, using a Netapp as a filer to
> provide the file systems for FreeBSD front ends ...
>
> To simulate this, I have two servers, both running 7-STABLE, one acting
> as the nfs server (ie. simulated netapp), and the other the client ...
>
> Both servers have a private and a public IP ... the nfs traffic is over
> the private network ...
>
> Initially, had issues with lockd that I got resolved ...
>
> Settings in /etc/rc.conf on server are:
>
>     rpcbind_enable="YES"
>     rpcbind_flags="-h 192.168.1.9"
>     nfs_server_enable="YES"
>     mountd_enable="YES"
>     mountd_flags="-r -h 192.168.1.9"
>     nfs_server_flags="-u -n 8 -h 192.168.1.9"
>     rpc_statd_enable="YES"
>     rpc_lockd_enable="YES"
>
> Settings in /etc/rc.conf on the client are:
>
>     rpcbind_enable="YES"
>     rpcbind_flags="-h 192.168.1.1"
>     rpc_lockd_enable="YES"
>     rpc_statd_enable="YES"
>
> ===
>
> /etc/fstab on the client has:
>
>     192.168.1.9:/vm /vm nfs rw,noauto,intr 0 0
>
> /etc/exports on the server has:
>
>     /vm -network 192.168.1.0/24 -maproot=0 -alldirs
>
> ===
>
> Now, to simulate the diskless, I built a jail on top of the mounted
> /vm ... that worked fine ...
>
> I have several applications built and installed on it ... primarily,
> apache 2.2 and postfix 2.7.x ...
>
> Apache 2.2 + mod_fcgi + php 5.3.6 *appears* to work fine ...
>
> Postfix, on the other hand, generates the error message in the subject
> line when I try and run 'mailq':
>
>     postfix/showq[19805]: fatal: select lock: Permission denied
>
> Since the handbook has a section on diskless boot in Chapter 31:
>
> http://www.freebsd.org/doc/handbook/network-diskless.html
>
> I assumed / hoped that things would run just fine ... am I wrong in that
> assumption? Or have I just overlooked a key setting in getting the nfs
> to work?
>
> Any suggestions / pointers are most welcome ...
Re: 7-STABLE NFS: fatal: "select lock: Permission denied"
On Mon, 4 Apr 2011, Chuck Swiger wrote:

> On Apr 4, 2011, at 11:09 AM, Marc G. Fournier wrote:
>> 'k, based on someone else's recommendation, I add 'nolockd' to the
>> mount entry, and postfix now appears to work ... since I can safely
>> guarantee that only the one host will have access to these files, that
>> doesn't pose a problem for me, but still find it a weird issue all
>> things considered :(
>
> Be careful; multiple access from different processes even on a single
> host can still run into locking issues against NFS filesystems, or data
> corruption if locking isn't available. You're most at risk with local
> delivery to an mbox-style INBOX; delivery to maildir-style INBOX is much
> safer even on NFS without locking.

In my case, I have postfix+cyrus-imapd ...
Re: 7-STABLE NFS: fatal: "select lock: Permission denied"
On Mon, 4 Apr 2011, Chuck Swiger wrote:

> On Apr 4, 2011, at 11:58 AM, Marc G. Fournier wrote:
>>> Be careful; multiple access from different processes even on a single
>>> host can still run into locking issues against NFS filesystems, or
>>> data corruption if locking isn't available. You're most at risk with
>>> local delivery to an mbox-style INBOX; delivery to maildir-style INBOX
>>> is much safer even on NFS without locking.
>>
>> In my case, I have postfix+cyrus-imapd ...
>
> OK-- Cyrus IMAP uses a variant of maildir, so you're relatively safe
> even if locking is not available.

So, just to get this clear ... If I were to boot a diskless station using an NFS backend, then that instance would be prone to corruption since lockd wouldn't work, even though the only processes handling the files on that mount?

And this may be where I'm mis-understanding things: Does rpc.lockd work at the process level or file system? For instance, in my test case, I'm trying to operate within a jail ... does the rpc.lockd running at the primary OS level handle communications between client<->server, irrelevant of whether the process is running in a jail or not?
Re: 7-STABLE NFS: fatal: "select lock: Permission denied"
On Mon, 4 Apr 2011, Chuck Swiger wrote:

> On Apr 4, 2011, at 12:14 PM, Marc G. Fournier wrote:
>>> OK-- Cyrus IMAP uses a variant of maildir, so you're relatively safe
>>> even if locking is not available.
>>
>> So, just to get this clear ... If I were to boot a diskless station
>> using an NFS backend, then that instance would be prone to corruption
>> since lockd wouldn't work, even though the only processes handling the
>> files on that mount?
>
> If you're running a diskless system using NFS filesystem for storage,
> and you run stuff that wants to do fcntl/lockf/flock locking, and
> rpc.lockd isn't available, then yes, there is risk of data corruption.
>
> However, Postfix can use .dotfile locking, even if fcntl (etc) locking
> is broken, and maildir is designed to avoid needing locking the way mbox
> does:
>
> http://www.postfix.org/NFS_README.html
>
> rpc.lockd provides locking at the filesystem level. Locks are performed
> against file descriptors either for entire files or record-level
> locking; they are not specific to a single process (indeed, locking
> would be mostly useless if it was only visible within a single process).

Okay, next question ... if lockd is running, should fcntl locks work? My read of the NFS_README.html above indicates to me that they should ... but if that is the case, then it comes back to why doesn't it?
Re: 7-STABLE NFS: fatal: "select lock: Permission denied"
Thank you, this answers things perfectly ...

On Mon, 4 Apr 2011, Chuck Swiger wrote:

> On Apr 4, 2011, at 12:37 PM, Marc G. Fournier wrote:
>> Okay, next question ... if lockd is running, should fcntl locks work?
>> My read of the NFS_README.html above indicates to me that they should
>> ... but if that is the case, then it comes back to why doesn't it?
>
> If rpc.lockd was bug-free and didn't suffer from an inherent design
> mismatch between NFS being stateless (prior to NFSv4, anyway) and
> locking being stateful, then sure, fcntl locking should work as well on
> an NFS filesystem as it does on a local UFS filesystem.
>
> In practice, rpc.lockd is infamously buggy. For that matter,
> fcntl-style locking is also fairly broken per SysV/POSIX mandate:
>
> "This interface follows the completely stupid semantics of System V and
> IEEE Std 1003.1-1988 (``POSIX.1'') that require that all locks
> associated with a file for a given process are removed when any file
> descriptor for that file is closed by that process. This semantic means
> that applications must be aware of any files that a subroutine library
> may access. For example if an application for updating the password
> file locks the password file database while making the update, and then
> calls getpwname(3) to retrieve a record, the lock will be lost because
> getpwname(3) opens, reads, and closes the password database. The
> database close will release all locks that the process has associated
> with the database, even if the library routine never requested a lock
> on the database.
>
> Another minor semantic problem with this interface is that locks are not
> inherited by a child process created using the fork(2) function. The
> flock(2) interface has much more rational last close semantics and
> allows locks to be inherited by child processes. Flock(2) is
> recommended for applications that want to ensure the integrity of their
> locks when using library routines or wish to pass locks to their
> children. Note that flock(2) and fcntl(2) locks may be safely used
> concurrently."
>
> Regards,
> --
> -Chuck
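The close semantics quoted from the man page in the message above, as an added example that is not part of the original thread: it takes an exclusive lock first with fcntl(2) and then with flock(2), lets a stand-in "library routine" open and close the same file, and probes from a child process whether the lock is still held. It runs against a local temporary file, not NFS or rpc.lockd; the /tmp path and all function names are assumptions made for the example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

enum lock_kind { KIND_FCNTL, KIND_FLOCK };

/* Probe on a fresh descriptor: 1 = someone else holds the lock,
 * 0 = file is free, -1 = error. */
static int probe_locked(const char *path, enum lock_kind kind)
{
    int held, fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    if (kind == KIND_FCNTL) {
        struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
        /* F_GETLK reports the conflicting lock, or F_UNLCK if none. */
        held = fcntl(fd, F_GETLK, &fl) < 0 ? -1 : (fl.l_type != F_UNLCK);
    } else if (flock(fd, LOCK_EX | LOCK_NB) == 0) {
        flock(fd, LOCK_UN);
        held = 0;
    } else {
        held = (errno == EWOULDBLOCK) ? 1 : -1;
    }
    close(fd);
    return held;
}

/* Run the probe in a child process, because a process never conflicts
 * with its own fcntl locks. */
static int probe_from_child(const char *path, enum lock_kind kind)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int r = probe_locked(path, kind);
        _exit(r < 0 ? 2 : r);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 2 ? -1 : WEXITSTATUS(status);
}

/* Returns 1 if the lock is still held after an unrelated descriptor on
 * the same file was closed, 0 if it was silently dropped, -1 on error. */
int lock_survives_library_close(enum lock_kind kind)
{
    char path[] = "/tmp/lockdemo.XXXXXX";   /* constructed scratch file */
    int result = -1, ok, lock_fd = mkstemp(path);
    if (lock_fd < 0)
        return -1;

    if (kind == KIND_FCNTL) {
        struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET };
        ok = fcntl(lock_fd, F_SETLK, &fl) == 0;
    } else {
        ok = flock(lock_fd, LOCK_EX | LOCK_NB) == 0;
    }

    /* Sanity check: the lock must be visible before the experiment. */
    if (ok && probe_from_child(path, kind) == 1) {
        /* Stand-in for a library call that opens, reads and closes the
         * same file without ever asking for a lock. */
        int lib_fd = open(path, O_RDONLY);
        if (lib_fd >= 0) {
            char buf[1];
            if (read(lib_fd, buf, sizeof buf) < 0) { /* empty file is fine */ }
            close(lib_fd);
            result = probe_from_child(path, kind);
        }
    }
    close(lock_fd);
    unlink(path);
    return result;
}

int main(void)
{
    printf("fcntl lock survives library close: %d\n",
           lock_survives_library_close(KIND_FCNTL));
    printf("flock lock survives library close: %d\n",
           lock_survives_library_close(KIND_FLOCK));
    return 0;
}
```
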
mounting nfs: what options available for /etc/fstab?
Part of the recent thread I had about mounting nfs point to using nolockd to disable locking ... checking the mount_nfs man page, it lists 'lockd' as a deprecated option, but doesn't list 'nolockd' anywhere ...

So, my question is: what options *are* currently supported? For instance, I'm doing, right now:

    rw,noauto,intr,nolockd

which isn't generating any errors, but intr is classified in the man page as deprecated, so what *should* I be using instead?

Also, the man page has a '-4' option for nfsv4 ... two questions on that front:

1. how do I know what version *is* being used? showmount doesn't seem to show that sort of info, nor does the mount command ...
2. what would I use in /etc/fstab to force it *if* I needed to?

Thx ...
Re: mounting nfs: what options available for /etc/fstab?
On Thu, 7 Apr 2011, Chuck Swiger wrote:

> On Apr 7, 2011, at 8:02 AM, Marc G. Fournier wrote:
>> Part of the recent thread I had about mounting nfs point to using
>> nolockd to disable locking ... checking the mount_nfs man page, it
>> lists 'lockd' as a deprecated option, but doesn't list 'nolockd'
>> anywhere ...
>
> Much as with gcc, if mount command option "foo" exists which can be
> inverted, then there will be a "nofoo" option. Also, I am unsure where
> you find mention that "lockd" is deprecated, and I see an entry for
> "nolockd" here:
>
> http://www.freebsd.org/cgi/man.cgi?query=mount_nfs&sektion=8

Thanks this helps a lot ... but definitely not what I'm seeing in 'man mount_nfs' in 7-STABLE :(

From the 7-STABLE mount_nfs man page, last updated on Feb 4th, 2011:

==
Historic -o Options

Use of these options is deprecated, they are only mentioned here for compatibility with historic versions of mount_nfs.

    bg          Same as -b.
    fg          Same as not specifying -b.
    conn        Same as not specifying -c.
    dumbtimer   Same as -d.
    intr        Same as -i.
    lockd       Same as not specifying -L.
    nfsv2       Same as -2.
    nfsv3       Same as -3.
    rdirplus    Same as -l.
    mntudp      Same as -U.
    resvport    Same as -P.
    soft        Same as -s.
    hard        Same as not specifying -s.
    tcp         Same as -T.
==

Thx ...
One final question about NFS ... or so I hope ...
It used to be that if you did a 'mount' on the client server, it would tell you what options existed on the mount ... but now, it just shows (nfs) ... my fstab entry looks like:

    192.168.1.8:/vm/neptune.hub.org /vm/neptune.hub.org nfs rw,noauto,intr,tcp,nolockd 0 0

Mounts fine, no errors, and postfix works, so that I know that nolockd option is working as expected ... but when I type 'mount', I get:

    192.168.1.8:/vm/neptune.hub.org on /vm/neptune.hub.org (nfs)

If I do 'mount -p' (fstab output), I get:

    # mount -p | grep 192.168
    192.168.1.8:/vm/neptune.hub.org /vm/neptune.hub.org nfs rw 0 0

So, how do I view what options are present on a FreeBSD nfs mount?

I checked our Linux boxes at the office, and they definitely do show the mount options:

    3.165:/vol/prd_db_logs/filer_log2 on /filer_log02 type nfs (rw,bg,hard,nointr,rsize=32768,wsize=32768,tcp,actimeo=0,nfsvers=3,timeo=600,addr=10.1.13.165)

I've checked the 'SEE ALSO' in both the 7.x and 8.x man page, to make sure it wasn't some other command I should be running, and nadda ...

So, do we *really* hide this information, or am I missing a command?
SNMP Network Auto Discovery software ... ?
Would like to find something that runs on FreeBSD that I can use to map our network, preferably dumping to a database, and grabbing information like:

interface / ip / cpus / hostname, etc ...

Server needs to run on FreeBSD ... needs to be able to communicate, via SNMP, with Windows, Cisco, Linux, FreeBSD, NetApp Filers, etc ...

Would like it to be able to generate an overall map of our network, but, also, be able to use it as a basis for keeping stuff like nagios / cacti up to date ...

Web based interface into the database would be nice ...

Is there anything like this available that runs on FreeBSD that ppl are happily using?

Thx ...
Re: SNMP Network Auto Discovery software ... ?
Nailed it, thank you ... I've used this one in the past, and it was fantastic then ... couldn't recall the name, and when I did a 'grep -i snmp' in the descr files under net-mgmt, wasn't finding that one :(

Thx ...

On Mon, 2 May 2011, Gary Palmer wrote:

> On Wed, Apr 27, 2011 at 03:55:11PM -0300, Marc G. Fournier wrote:
>> Would like to find something that runs on FreeBSD that I can use to map
>> our network, preferably dumping to a database, and grabbing information
>> like:
>>
>> interface / ip / cpus / hostname, etc ...
>>
>> Server needs to run on FreeBSD ... needs to be able to communicate, via
>> SNMP, with Windows, Cisco, Linux, FreeBSD, NetApp Filers, etc ...
>>
>> Would like it to be able to generate an overall map of our network,
>> but, also, be able to use it as a basis for keeping stuff like nagios /
>> cacti up to date ...
>>
>> Web based interface into the database would be nice ...
>>
>> Is there anything like this available that runs on FreeBSD that ppl are
>> happily using?
>
> net-mgmt/scotty3 in ports used to have a network discovery mode.
> Haven't used it in years but it may be worth a look.
>
> Gary
quagga:zebra errors on FreeBSD 6.x ...
In order to deal with a lack of layer 3 switch, last week I installed Quagga on all of my servers, and got it configured. Works *great* on my 7.x servers, but, using the same config (and port), my 6-STABLE boxes all generate the same error when I try and start up zebra:

2010/05/01 01:44:18 ZEBRA: Can't bind to stream socket: Can't assign requested address
2010/05/01 01:44:18 ZEBRA: zebra can't provice full functionality due to above error
2010/05/01 01:44:18 ZEBRA: Zebra 0.99.15 starting: v...@2601

So ospfd isn't able to announce / receive routes ...

My zebra.conf file looks like:

!
interface em0
 no shutdown
 ip address 200.46.204.60/24
!
interface em1
!
interface lo0
!
ip route 0.0.0.0/0 200.46.208.1
!
ip forwarding
!
line vty

The top bit of ifconfig shows:

ifconfig em0 | less
em0: flags=8943 mtu 1500
        options=1b
        inet 200.46.204.60 netmask 0xff00 broadcast 200.46.204.255
        inet 200.46.208.60 netmask 0xff00 broadcast 200.46.208.255
        inet 192.168.1.7 netmask 0xff00 broadcast 192.168.1.255
        inet 200.46.204.183 netmask 0x broadcast 200.46.204.183

Other than appropriate interface/IP on the 7-STABLE boxes, the 7-STABLE boxes all work fine ... is there an issue with em/fxp devices and zebra? Or am I overlooking something in my config?

Thx ...

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
6-STABLE + zebra == Can't bind to stream socket
In order to deal with a lack of layer 3 switch, last week I installed Quagga/OSPF on all of my servers, and got it configured. Works *great* on my 7.x servers, but, using the same config (and port), my 6-STABLE boxes all generate the same error when I try and start up zebra:

2010/05/01 01:44:18 ZEBRA: Can't bind to stream socket: Can't assign requested address
2010/05/01 01:44:18 ZEBRA: zebra can't provice full functionality due to above error
2010/05/01 01:44:18 ZEBRA: Zebra 0.99.15 starting: v...@2601

So ospfd isn't able to announce / receive routes ...

My zebra.conf file looks like:

!
interface em0
 no shutdown
 ip address 200.46.204.60/24
!
interface em1
!
interface lo0
!
ip route 0.0.0.0/0 200.46.208.1
!
ip forwarding
!
line vty

The top bit of ifconfig shows:

ifconfig em0 | less
em0: flags=8943 mtu 1500
        options=1b
        inet 200.46.204.60 netmask 0xff00 broadcast 200.46.204.255
        inet 200.46.208.60 netmask 0xff00 broadcast 200.46.208.255
        inet 192.168.1.7 netmask 0xff00 broadcast 192.168.1.255
        inet 200.46.204.183 netmask 0x broadcast 200.46.204.183

Other than appropriate interface/IP on the 7-STABLE boxes, the 7-STABLE boxes all work fine ... is there an issue with em/fxp devices and zebra on 6-STABLE/i386? Or am I overlooking something in my config?

Thx ...
Re: [quagga-users 11570] Re: quagga:zebra errors on FreeBSD 6.x ...
[+freebsd-net,+quagga port maintainer]

Two questions ...

1. Is 8.x any better at this?
2. Any idea where the 'gross patch' is?

On Tue, 1 Jun 2010, Joe Greco wrote:

>> Other than appropriate interface/IP on the 7-STABLE boxes, the 7-STABLE
>> boxes all work fine ... is there an issue with em/fxp devices and zebra?
>> Or am I overlooking something in my config?
>
> It doesn't "work fine" on 7-STABLE, be warned. It's just more subtly
> busted.
>
> I spent a little time trying to figure out whether it was FreeBSD or
> Quagga that was busted, and my conclusion that it was a little bit of
> both. Changes made to the multicast code in FreeBSD seem to be the root
> cause; the multicast maintainer for FreeBSD doesn't seem to have much
> interest in this, or at least that was my impression, and queries on the
> Quagga list haven't had much result either. There's a patch floating
> around that everyone agrees is a gross hack and "isn't correct but seems
> to work."
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
tap devices ... restricting IP?
Is it possible to assign an IP to a tap device, used by something like QEMU, such that someone *inside* the QEMU environment can't modify? Or, if they do modify their own IP, the network inside of QEMU will break, as the internal IP doesn't match what is attached to tap?

I'm not seeing anything to that effect in the tap manual, but the part talking about 'control' seems to indicate that you can do this ...

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
tap+bridge -> ethernet with an alias ...
On my desktop here, I have a qemu-img of Win XP that is using bridging to connect to the Internet ... everything works great, even have remote desktop working so that I can login from another windows box into the VM ... and very responsive ...

... but this is on a private network where the ethernet doesn't have any aliases attached to it ...

I've tried uploading the image (after changing the IP) to one of my servers with a public interface on it, but now can't seem to get networking working ...

my ifconfig -a looks like:

bge0: flags=8943 metric 0 mtu 1500
        options=98
        ether 00:14:c2:3f:2e:86
        inet xxx.xxx.xxx.xxx netmask 0xff00 broadcast xxx.xxx.xxx.255
        inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
        inet xxx.xxx.xxx.xxx netmask 0x broadcast xxx.xxx.xxx.xxx
        media: Ethernet 100baseTX
        status: active
bge1: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:14:c2:3f:2e:85
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff00
bridge0: flags=8843 metric 0 mtu 1500
        ether ce:44:c7:1b:47:40
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: bge0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20
        member: tap0 flags=143
                ifmaxaddr 0 port 5 priority 128 path cost 200
tap0: flags=8942 metric 0 mtu 1500
        ether 00:bd:96:ae:67:00

the 192.168.1.x is used for 'internal routing' ...

when I startup qemu, I use:

qemu winxp.img -net nic -net tap -vnc :1

and I can connect via VNC, but the IP assigned to the image isn't pingable, like it is on my desktop ...

Is there something with 'pre-aliased' interfaces that can't be used with a bridge/tap device? Or have I just missed something?

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Re: tap+bridge -> ethernet with an alias ...
As an addendum, I have the following kernel modules loaded:

41 0xaf49c000 5066 if_bridge.ko
51 0xaf483000 35c5 bridgestp.ko
61 0xaf493000 2506 if_tap.ko

same as on my desktop ...

--On Monday, October 27, 2008 19:46:02 -0300 "Marc G. Fournier" <[EMAIL PROTECTED]> wrote:

> On my desktop here, I have a qemu-img of Win XP that is using bridging to
> connect to the Internet ... everything works great, even have remote desktop
> working so that I can login from another windows box into the VM ... and very
> responsive ...
>
> ... but this is on a private network where the ethernet doesn't have any
> aliases attached to it ...
>
> I've tried uploading the image (after changing the IP) to one of my servers
> with a public interface on it, but now can't seem to get networking working
> ...
>
> my ifconfig -a looks like:
>
> bge0: flags=8943 metric 0 mtu 1500
>         options=98
>         ether 00:14:c2:3f:2e:86
>         inet xxx.xxx.xxx.xxx netmask 0xff00 broadcast xxx.xxx.xxx.255
>         inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
>         inet xxx.xxx.xxx.xxx netmask 0x broadcast xxx.xxx.xxx.xxx
>         media: Ethernet 100baseTX
>         status: active
> bge1: flags=8802 metric 0 mtu 1500
>         options=9b
>         ether 00:14:c2:3f:2e:85
>         media: Ethernet autoselect (none)
>         status: no carrier
> lo0: flags=8049 metric 0 mtu 16384
>         inet 127.0.0.1 netmask 0xff00
> bridge0: flags=8843 metric 0 mtu 1500
>         ether ce:44:c7:1b:47:40
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: bge0 flags=143
>                 ifmaxaddr 0 port 1 priority 128 path cost 20
>         member: tap0 flags=143
>                 ifmaxaddr 0 port 5 priority 128 path cost 200
> tap0: flags=8942 metric 0 mtu 1500
>         ether 00:bd:96:ae:67:00
>
> the 192.168.1.x is used for 'internal routing' ...
>
> when I startup qemu, I use:
>
> qemu winxp.img -net nic -net tap -vnc :1
>
> and I can connect via VNC, but the IP assigned to the image isn't pingable,
> like it is on my desktop ...
>
> Is there something with 'pre-aliased' interfaces that can't be used with a
> bridge/tap device? Or have I just missed something?
>
> Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Problem with Bridging ... and bge devices under FreeBSD 7.x?
I'm trying to run a QEMU VM on top of a FreeBSD 7.x server ... I've tried the exact same setup on my desktop, using 192.168.1.x and an fxp device, and it all works perfectly, but as soon as I do this on another machine on a public IP, I'm not getting any routing, I can't even ping it from the same machine ...

My first thought was that there was an issue with IP aliases already on the bge device, but tried doing the following:

ifconfig bridge0 destroy
ifconfig tap0 destroy
ifconfig fxp0 -alias 192.168.1.101
ifconfig fxp0 alias 192.168.1.101 netmask 255.255.255.255
ifconfig bridge0 create
ifconfig tap0 create
ifconfig bridge0 addm fxp0 addm tap0 up

on my desktop here and then starting up the qemu image, and all worked as expected, so having an alias on the interface, before or after, doesn't make a difference ... at least with the fxp device ...

Using VNC to connect to the VM, I can look at the interface, and it says it is connected ... and the IP/Gateway are all set right for the network I'm on, netmask is set to 255.255.255.0, same as on the 'private network' ...

Please note that when I say "it works" on my private network / desktop, I'm using it to connect to my work computer, across the Internet, via Windows RDP, and it works flawlessly ...

Looking at /var/log/messages, you can see the bridge being setup:

Oct 27 18:53:21 io kernel: bridge0: Ethernet address: ce:44:c7:1b:47:40

as well as the tap device:

Oct 27 18:53:25 io kernel: tap0: Ethernet address: 00:bd:96:ae:67:00
Oct 27 18:53:41 io kernel: tap0: promiscuous mode enabled

and the ethernet going promiscuous:

Oct 26 20:53:56 ganymede kernel: fxp0: promiscuous mode enabled

So, all I have left is that everything is being setup okay, but there is something I'm missing here ... something with bridge<->bge, maybe? I've even tried to compare the output of 'ifconfig -a' as far as the bridge0 and tap0 devices are concerned, and other than the mac address, they look identical also ...

So, pointers to what I may be missing here? a sysctl value that I need to set for this interface?

Thanks ...

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Re: Problem with Bridging ... and bge devices under FreeBSD 7.x?
--On Tuesday, October 28, 2008 22:08:18 -0400 Michael Proto <[EMAIL PROTECTED]> wrote:

> On Tue, Oct 28, 2008 at 7:56 PM, Marc G. Fournier <[EMAIL PROTECTED]> wrote:
>
> I'm trying to run a QEMU VM on top of a FreeBSD 7.x server ... I've tried the
> exact same setup on my desktop, using 192.168.1.x and an fxp device, and it
> all works perfectly, but as soon as I do this on another machine on a public
> IP, I'm not getting any routing, I can't even ping it from the same machine ...
>
> My first thought was that there was an issue with IP aliases already on the
> bge device, but tried doing the following:
>
> ifconfig bridge0 destroy
> ifconfig tap0 destroy
> ifconfig fxp0 -alias 192.168.1.101
> ifconfig fxp0 alias 192.168.1.101 netmask 255.255.255.255
> ifconfig bridge0 create
> ifconfig tap0 create
> ifconfig bridge0 addm fxp0 addm tap0 up
>
> on my desktop here and then starting up the qemu image, and all worked as
> expected, so having an alias on the interface, before or after, doesn't make a
> difference ... at least with the fxp device ...
>
> Using VNC to connect to the VM, I can look at the interface, and it says it is
> connected ... and the IP/Gateway are all set right for the network I'm on,
> netmask is set to 255.255.255.0, same as on the 'private network' ...
>
> Please note that when I say "it works" on my private network / desktop, I'm
> using it to connect to my work computer, across the Internet, via Windows RDP,
> and it works flawlessly ...
>
> Looking at /var/log/messages, you can see the bridge being setup:
>
> Oct 27 18:53:21 io kernel: bridge0: Ethernet address: ce:44:c7:1b:47:40
>
> as well as the tap device:
>
> Oct 27 18:53:25 io kernel: tap0: Ethernet address: 00:bd:96:ae:67:00
> Oct 27 18:53:41 io kernel: tap0: promiscuous mode enabled
>
> and the ethernet going promiscuous:
>
> Oct 26 20:53:56 ganymede kernel: fxp0: promiscuous mode enabled
>
> So, all I have left is that everything is being setup okay, but there is
> something I'm missing here ... something with bridge<->bge, maybe? I've even
> tried to compare the output of 'ifconfig -a' as far as the bridge0 and tap0
> devices are concerned, and other than the mac address, they look identical
> also ...
>
> So, pointers to what I may be missing here? a sysctl value that I need to set
> for this interface?
>
> I'm having a little trouble understanding the setup you have. In your test
> case, is the IP of your VM 192.168.1.101? If so, then I don't think you want
> that IP aliased on the physical interface of your bridge. The VM NIC will
> answer for packets destined on your local segment, which the bridge would
> forward to the physical interface. If you assign the VM's IP to that physical
> interface, then your host would think that traffic is destined for itself and
> not pass it to the bridge.
>
> If I'm misunderstanding and the 192.168.1.101 alias (or whatever the equiv in
> your production setup) isn't being used by your VM then I would start looking
> at the ARP traffic crossing both the tap0, lo0, and physical interfaces.
>
> What does an 'ifconfig -a' look like on both systems? netstat -rn? Any packet
> filtering?

I always fear I'm going to send more info than I should, and generate chaos and confusion :)

On my test box, the VM is set to 192.168.1.100 ... the alias I added to fxp0 was to simulate what I have on the "public server", where there is a bge0 device with n aliases attached to it ... in no case is the IP assigned to the VM actually aliased onto any interface on the network itself

Now, to try and answer your other questions ...

netstat -nr on the 192 server shows the IP to be at:

> netstat -nr | grep 168.1.100
192.168.1.100 52:54:00:12:34:56 UHLW11 fxp0 1128

which is very odd, as that MAC address is not found via ifconfig -a:

> ifconfig -a | grep 52
>

while arp -a also shows the 52:54 MAC, although MACs for the ifconfig -a are, in fact:

> ifconfig -a | grep ether
        ether 00:02:b3:ee:da:3e
        ether 5e:d1:e6:8b:55:50
        ether 00:bd:25:18:6d:00

On the server, I'm getting nothing in arp or netstat for the IP in question:

io# arp -a | grep 204.213
io# netstat -nr | grep 204.213
io#

I've even tried doing a ping *from* the VM (logged in with VNC) to see if it will broadcast itself out, and nothing ...

I'm starting QEMU on both servers with the same options as well:

qemu -m 512M -net nic -net tap winxp.img

just to confir
Re: Problem with Bridging ... and bge devices under FreeBSD 7.x?
I only have one VM running on one server ...

--On Tuesday, October 28, 2008 21:14:28 -0700 Bakul Shah <[EMAIL PROTECTED]> wrote:

> On Wed, 29 Oct 2008 00:35:35 -0300 "Marc G. Fournier" <[EMAIL PROTECTED]> wrote:
>> netstat -nr on the 192 server shows the IP to be at:
>>
>> > netstat -nr | grep 168.1.100
>> 192.168.1.100 52:54:00:12:34:56 UHLW11 fxp0 1128
>>
>> which is very odd, as that MAC address is not found via ifconfig -a:
>>
>> > ifconfig -a | grep 52
>> >
>>
>> while arp -a also shows the 52:54 MAC, although MACs for the ifconfig -a are,
>> in fact:
>>
>> > ifconfig -a | grep ether
>>         ether 00:02:b3:ee:da:3e
>>         ether 5e:d1:e6:8b:55:50
>>         ether 00:bd:25:18:6d:00
>
> The setup you get with a tap device talking to qemu is this:
>
>     [host]-tap0qemu---ed0-[VM]
>
> Each end has its own mac address. The VM's NIC (ed0 or rl0
> or whatever) gets addresses like 52:54:00:12:34:56. The host
> will have an arp entry for it once the VM sends an arp
> packet. But tap0 will have an address assigned by the tap
> driver, something like 00:bd:xx:xx:xx.
>
> If you have two VMs running at the same time on two different
> machines and they both have identical MAC addresses, that
> could be part of your problem.
>
> But your network topology is still not clear. What would help
> is something like this:
>
> You have:
>     machine A (runs VM A1).
>     machine B (runs VM B1).
>     machine C (runs windows).
>
> Can you ping from A to C?
> Can you ping from B to C?
> Can you ping from A to A1?
> Can you ping from B to B1?
> Can you ping from A1 to C?
> Can you ping from B1 to C?
> Can you ping from C to A1?
> Can you ping from C to B1?
>
> All of the above should work. Next you can try tcpdump on
> tap devices to see what is going on. If you are still
> stumped provide ifconfig -a output on A, B, C, A1 and B1. On
> windows machine you can do ipconfig/all to get at this
> information (IIRC).

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
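The MAC bookkeeping described in the quoted reply above, as an added example that is not part of the original thread: it labels each ARP entry as a host interface, a QEMU guest NIC or some other station, and reports any MAC that answers for more than one IP. The inputs are constructed from the values quoted in the thread; the `arp -an` line layout and the second guest at 192.168.1.101 are assumptions made for illustration.

```python
import re
from collections import defaultdict

# MAC every QEMU guest gets when no macaddr= is given (the value seen in the thread).
QEMU_DEFAULT_MAC = "52:54:00:12:34:56"

# Constructed input: host MACs as printed by `ifconfig -a | grep ether` in the thread.
IFCONFIG_ETHER = """\
        ether 00:02:b3:ee:da:3e
        ether 5e:d1:e6:8b:55:50
        ether 00:bd:25:18:6d:00
"""

# Constructed input in the style of `arp -an`; the .101 guest is hypothetical.
ARP_TABLE = """\
? (192.168.1.1) at 02:00:00:aa:bb:01 on fxp0 [ethernet]
? (192.168.1.100) at 52:54:00:12:34:56 on fxp0 [ethernet]
? (192.168.1.101) at 52:54:00:12:34:56 on fxp0 [ethernet]
? (192.168.1.5) at 00:02:b3:ee:da:3e on fxp0 permanent [ethernet]
? (192.168.1.9) at (incomplete) on fxp0 [ethernet]
"""

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17}) on (\S+)", re.I)


def host_macs(ifconfig_text):
    """MAC addresses that belong to the host's own interfaces (incl. tap/bridge)."""
    return {mac.lower() for mac in MAC_RE.findall(ifconfig_text)}


def classify(mac, local):
    """Explain where a MAC seen in the ARP table comes from."""
    if mac in local:
        return "host interface"
    if mac == QEMU_DEFAULT_MAC:
        return "qemu guest NIC (default MAC)"
    if mac.startswith("52:54:00:"):
        return "qemu guest NIC"
    return "other station"


def audit(arp_text, ifconfig_text):
    """Return (rows, shared): labelled ARP entries and MACs claimed by several IPs."""
    local = host_macs(ifconfig_text)
    by_mac = defaultdict(list)
    rows = []
    for ip, mac, ifname in ARP_RE.findall(arp_text):  # incomplete entries do not match
        mac = mac.lower()
        rows.append((ip, mac, ifname, classify(mac, local)))
        by_mac[mac].append(ip)
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return rows, shared


if __name__ == "__main__":
    rows, shared = audit(ARP_TABLE, IFCONFIG_ETHER)
    for ip, mac, ifname, label in rows:
        print(f"{ip:15} {mac} {ifname:5} {label}")
    for mac, ips in shared.items():
        print(f"WARNING: {mac} answers for {', '.join(ips)}")
```

A guest MAC that never shows up in `ifconfig -a` is expected; the same guest MAC behind two IPs is the collision case worth chasing.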
Re: Problem with Bridging ... and bge devices under FreeBSD 7.x?
You nailed it ... I was missing the 'tap.up_on_open=1' ... once I put that in place, it works like a charm ...

Thanks ...

--On Tuesday, October 28, 2008 22:37:58 -0700 Bakul Shah <[EMAIL PROTECTED]> wrote:

> On Wed, 29 Oct 2008 01:38:38 -0300 "Marc G. Fournier" <[EMAIL PROTECTED]> wrote:
>>
>> I only have one VM running on one server ...
>
> Ok.
>
> Here are some debugging suggestions.
> - /etc/sysctl.conf should have the following;
>       net.link.tap.user_open=1
>       net.link.tap.up_on_open=1
>   run sysctl manually to set these.
>
> - if you are running qemu as user foo (and not root) you will need
>       own tap0 foo:foo
>   in /etc/devfs.conf and do /etc/rc.d/devfs restart.
>
> - start qemu with -monitor stdio as this will give you a
>   command line interface to qemu. Now you can type
>       info network
>   to see what qemu sees. You should see something like
>       VLAN 0 devices:
>         tap: ifname=tap0 setup_script=/usr/local/etc/qemu-ifup
>         rtl8139 pci macaddr=52:54:00:d2:56:03
>
> - I no longer remember if qemu-ifup is needed but without it
>   you may need to manually bring up tap0.
>
> - tcpdump on tap0 to see if ping packets (sent from the VM)
>   get through. Next tcpdump on bridge0. Next tcpdump on bge0.
>
> I'd still like to see the topology and ip addresses on
> various interfaces.

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
bridged networking disappears ...
I'm playing with bridges right now, under FreeBSD 7.x, to connect a QEMU env to the internet ... works like a charm, except periodically the network just becomes unpingable ... I've setup a cron within the QEMU environment to ping once a minute, which seems to 'fix' it, but that sounds more a bandaid than a fix ...

Is this normal (I can't see how) or am I missing something with setting up the bridge?

Marc G. Fournier, Hub.Org Hosting Solutions S.A. (http://www.hub.org)
DDoS attacks ... identifying destination ...
Today, I got hit by an attack, but haven't been able to easily determine who was being attacked ... I run ipaudit to monitor bandwidth usage, so I have 'source / destination' information, but I'm not finding any particularly easy way to narrow down who was being attacked ...

I run mrtg on the switch so that I know which *server* is being attacked, so I need some method of being able to see who is being attacked so that I can put appropriate blocks in place ...

Is there either a command line command, or ports tool, that I can use similar to top, or systat -iostat, that will help identify the IP that is being attacked?

Thank you ...

Marc G. Fournier, Hub.Org Networking Services (http://www.hub.org)
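One way to get that answer from flow records already being collected, as an added example (not part of the original post, and not ipaudit's own code): rank local addresses by inbound packets and count the distinct remote sources hitting each. The nine-column layout (ip1 ip2 proto port1 port2 bytes-to-ip1 bytes-to-ip2 packets-to-ip1 packets-to-ip2) is an assumption about ipaudit's text output, and the sample flows and the 192.0.2.0/24 local network are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample, not real traffic. Assumed columns:
# ip1 ip2 proto port1 port2 bytes_to_ip1 bytes_to_ip2 pkts_to_ip1 pkts_to_ip2
SAMPLE_FLOWS = """\
# constructed sample flows
192.000.002.010 198.051.100.007 6 80 40112 1200 52000 14 40
192.000.002.025 203.000.113.009 17 53 1025 90000 0 1500 0
192.000.002.025 203.000.113.044 17 53 2048 84000 0 1400 0
192.000.002.025 198.051.100.130 17 53 4096 120000 0 2000 0
192.000.002.025 198.051.100.201 17 53 1111 60000 0 1000 0
192.000.002.031 198.051.100.007 6 25 51000 3000 800 20 12
192.000.002.010 192.000.002.031 6 22 50022 500 700 5 6
203.000.113.044 192.000.002.031 6 45000 443 900 2600 9 11
truncated line 1 2 3
"""


def normalize_ip(text):
    """Strip zero padding (192.000.002.010) before parsing; the ipaddress
    module rejects octets with leading zeros on current Python versions."""
    return ipaddress.ip_address(".".join(str(int(octet)) for octet in text.split(".")))


def parse_flows(text):
    """Yield (ip1, ip2, bytes1, bytes2, pkts1, pkts2); skip anything malformed."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        try:
            ip1, ip2 = normalize_ip(fields[0]), normalize_ip(fields[1])
            bytes1, bytes2, pkts1, pkts2 = (int(value) for value in fields[5:9])
        except ValueError:
            continue
        yield ip1, ip2, bytes1, bytes2, pkts1, pkts2


def rank_targets(text, local_net, top=10):
    """Rank local hosts by packets received from outside local_net.

    Returns [(ip, packets_in, bytes_in, distinct_remote_sources), ...].
    Flows between two local hosts, or between two remote hosts, are ignored.
    """
    net = ipaddress.ip_network(local_net)
    packets, octets, sources = Counter(), Counter(), defaultdict(set)
    for ip1, ip2, bytes1, bytes2, pkts1, pkts2 in parse_flows(text):
        # Either end of a flow record can be the local one, so check both.
        for host, peer, b_in, p_in in ((ip1, ip2, bytes1, pkts1),
                                       (ip2, ip1, bytes2, pkts2)):
            if host in net and peer not in net:
                packets[host] += p_in
                octets[host] += b_in
                sources[host].add(peer)
    ranked = sorted(packets, key=lambda h: (packets[h], len(sources[h])), reverse=True)
    return [(str(h), packets[h], octets[h], len(sources[h])) for h in ranked[:top]]


if __name__ == "__main__":
    print(f"{'local ip':15} {'pkts in':>8} {'bytes in':>9} {'sources':>7}")
    for ip, pkts, nbytes, nsrc in rank_targets(SAMPLE_FLOWS, "192.0.2.0/24"):
        print(f"{ip:15} {pkts:>8} {nbytes:>9} {nsrc:>7}")
```

Fed the text of one decompressed interval file in place of `SAMPLE_FLOWS`, the top row is the address to look at first; a high source count next to a high packet count is what separates a distributed flood from one busy client.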
wireless recommendations ...
I'm looking to do some consulting on a project that will involve wireless networks ... since, if it goes forward, I'm going to be the "Unix person", so, of course, the unix side will be FreeBSD ...

... but, I haven't used wireless at all under FreeBSD ... what do we support *well*? The machine(s) are going to be remote, so I'd like to go with something that is generally felt to be 'consistently reliable' vs 'cheap' ... or, at least, somewhere in the middle ground would be nice :)

Marc G. Fournier, Hub.Org Networking Services (http://www.hub.org)
Secure Wireless Router using FreeBSD ...
Within my Linksys, I can restrict wireless to MAC addresses, as well as using stuff like WPA ... quick search on google, and I found:

<http://www.howtoforge.com/setting_up_a_freebsd_wlan_access_point>

Which talks about setting up a WPA based wireless network ... but, some way of doing MAC based restrictions as well? I'm suspecting that I can, using pf, deny all MAC then allow specific ones ...

What I would like to find, if it exists, is an application that I can run on FreeBSD so that there is a "user friendly" interface to this, vs having someone have to muddle with flat files and reload rules ...

Now, I just found 'Chillispot' in ports ... has anyone used this? Is there something else that is better that runs under FreeBSD?

Thanks ...

Marc G. Fournier, Hub.Org Networking Services (http://www.hub.org)
IPv6 <-> NAT <-> IPv4 ... possible?
Could I hide an IPv6 network behind NAT? I don't know if that is even possible ... the IPv6 IPs would be private (equiv to 192.168.x.x) ... basically, none of the hosts behind NAT need a public IP, *but* I may end up with more than 256 hosts, so was wondering if using IPv6 behind the NAT would be 'simpler' ...

If possible, pointers to docs to read would be appreciated ...

Thanks ...

Marc G. Fournier, Hub.Org Networking Services (http://www.hub.org)
snmpwalk from jail -> snmp server ...
Have a jail setup that I want to be able to do a snmpwalk from to another server ... but, for some reason, I get a 'sendto' error:

zabbix# snmpwalk -v 1 -c public jupiter.hub.org system
SNMPv2-MIB::sysDescr.0 = STRING: FreeBSD jupiter.hub.org 4.10-STABLE FreeBSD 4.10-STABLE #8: Fri Jun i386
snmpwalk: Failure in sendto (Invalid argument)
zabbix#

jupiter is a different machine than zabbix, and I have an rocommunity set in the snmpd.conf file ... the rest is pretty much defaults ...

If I run the same command on neptune (zabbix's base server), I get the full MIB as expected ... it's only from the jail that it doesn't appear to work ...

thoughts?

Marc G. Fournier, Hub.Org Networking Services (http://www.hub.org)
em driver worse than fxp driver ... why?
I have 5 servers sitting on a Linksys 10/100 switch ... 4 of the 5 are running fxp0 ethernet, while the 5th is running em ... and the 5th performs atrociously:

neptune# netstat -ni | head
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
em0 1500 00:07:e9:05:1b:2e 36915965 10306 2840 1 10858513

I've tried in both half and full duplex mode ... full duplex, Ierrs climbs, half-duplex, Collisions climb ... the fxp devices are all running at full-duplex, and perform quite well:

pluto# netstat -ni | head
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
fxp0 1500 00:03:47:bd:67:66 105856025 0 97330263 2 0

jupiter# netstat -ni | head
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
fxp0 1500 00:03:47:30:a7:1b 28832141 0 29437148 0 0

mars# netstat -ni | head
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
fxp0 1500 00:e0:81:21:d7:f6 34195201 0 29871571 0 0

venus# netstat -ni | head
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
fxp0 1500 00:e0:81:29:56:5b 95579278 1 87014732 1 0

Originally, it was explained that unmanaged switches tended to be problematic, but I'd expect some sort of uniformity in problems, but 'just the server with the em device' ...

So, is there a bug in the em device driver that doesn't exist on the fxp0 devices?

Marc G. Fournier, Hub.Org Networking Services (http://www.hub.org)
Re: em driver worse than fxp driver ... why?
'k, did someone fix something with the em driver? :( Figuring it couldn't hurt to try auto-neg once more, and so far, 0 Ierrs :( So either someone fixed the em problem, or the em problem was transient ... but it was originally the default (autoselect), and I only moved it to a hard coded *after* playing with all three *sigh*

Thanks ...

On Tue, 10 Aug 2004, Charles Swiger wrote:

> [ ...crossposting between stable and freebsd-net trimmed... ]
>
> On Aug 10, 2004, at 4:37 PM, Marc G. Fournier wrote:
>> I've tried in both half and full duplex mode ... full duplex, Ierrs
>> climbs, half-duplex, Collisions climb ...
>
> You should expect to see some collisions (1% or so) when working in
> half-duplex mode: that's the nature of the beast.
>
> Is your Linksys switch managed or unmanaged? If you can set both it and
> the em to manually configured 100/FD, that would be worth trying. I'd
> also try swapping a cable plugged into a working fxp box with the machine
> using the em, and see whether the problems follow, or whether the fxp
> system starts having issues.
>
> A bad cable or a flaky port on the switch could also be causing your
> problems, but ethernet autonegotiation failing seems to be more likely
> given the description.
>
> --
> -Chuck

Marc G. Fournier, Hub.Org Networking Services (http://www.hub.org)
Reduce effects of DDoS attack ...
I've got 5 servers sitting on a 10/100 unmanaged switch right now ... last night, a DDoS attack against a network "beside us" caused 70+% packet loss on our network, and I'm trying to figure out if there is anything I can do from my side to "compensate" for this ...

I run ipaudit on all our servers, and a normal 30 minute period looks like:

neptune# gzcat 2004-10-06-22:00.txt.gz | grep 200.046.204 | wc -l
12107
neptune# gzcat 2004-10-06-22:00.txt.gz | grep -v 200.046.204 | wc -l
112
neptune# gzcat 2004-10-06-22:00.txt.gz | wc -l
12219

where 200.046.204 is our C-class ...

Now, when the DDoS attack is running, those stats change to:

neptune# gzcat 2004-10-06-17:30.txt.gz | grep 200.046.204 | wc -l
5815
neptune# gzcat 2004-10-06-17:30.txt.gz | grep -v 200.046.204 | wc -l
594189
neptune# gzcat 2004-10-06-17:30.txt.gz | wc -l
64

We're getting *a lot* of traffic on our network that just is not ours ...

Now, I can login to the servers, and load is negligible ... but packet loss is anywhere from 50->90%, so pretty much unusable ...

Now, the shared 'switch' between our networks is a Cisco Catalyst 2900xl ... is there something that should be set on that so that I don't see that network traffic? Basically, the only network traffic that I should/want to see is that for my network .. in this case, 200.46.204?

Barring that ... is there anything that I can do on the FreeBSD side of things to reduce the impact of the "extra packets"? Some way of "absorbing them"? For instance, if the packet is coming in, and it isn't for that server, then I imagine it has to 'bounce' it back out again, compounding the problem, no?

Also ... since the FreeBSD servers do seem to be handling the load, is it possible that the unmanaged switch that I have in place between the FreeBSD box and the Cisco switch is 'buckling under the load'? Not able to handle the packets fast enough, and therefore just drop'ng them? The unmanaged switch is a 10/100 Linksys Switch ...

Thanks for any responses ...
"bug" with ifconfig ... ?
I just made one of my 4.x remote servers inaccessible and just tested it on my 5.x laptop, and it does the same thing ... not sure if this is considered a 'desirable' effect, or a bug ... but ... 'ifconfig -alias' will wipe out all IPs on the device:

mobile# ifconfig -a
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff00
rl0: flags=8843 mtu 1500
        options=8
        inet 192.168.0.5 netmask 0xff00 broadcast 192.168.0.255
        ether 00:0d:88:22:78:e4
        media: Ethernet 10baseT/UTP
        status: active
mobile# ifconfig rl0 -alias
mobile# ifconfig -a
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff00
rl0: flags=8843 mtu 1500
        options=8
        ether 00:0d:88:22:78:e4
        media: Ethernet 10baseT/UTP
        status: active

I was running a script that happened to pick up a 'zero length' IP (and I hadn't properly tested for it), so erased all the IPs configured on that device, instead of generating an error ...

Checking the man page, if this *is* desired effect, a bit of a warning might be in order:

" -alias Remove the network address specified. This would be used if you incorrectly specified an alias, or it was no longer needed. If you have incorrectly set an NS address having the side effect of specifying the host portion, removing all NS addresses will allow you to respecify the host portion."

"Remove the network address specified.", to me, means that if one isn't specified, nothing should/would happen :(
High ping latency using two ethernet under FreeBSD 4.11 ...
Testing my network, I just noticed the following:

--- 200.46.204.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 399.664/407.119/420.315/8.267 ms

--- 200.46.208.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 373.045/409.266/453.402/33.280 ms

400ms to my default router seems a wee bit high ...

I'm suspecting that it has to do with:

Mar 15 01:13:28 neptune last message repeated 10 times
Mar 15 01:13:28 neptune /kernel: arp: 200.46.204.1 is on em0 but got reply from 00:0b:bf:42:a8:06 on em1
Mar 15 01:13:28 neptune /kernel: arp: 200.46.208.1 is on em1 but got reply from 00:0b:bf:42:a8:06 on em0

In order to provide network redundancy, and simplify our scripting, we have one network bound to one ethernet port, and the other network bound to the second one on the same machine ...

I'm plugging everything into a Cisco 2924 ... is there some way, either on the FreeBSD side, or Cisco, of 'cleaning this up'?
Re: High ping latency using two ethernet under FreeBSD 4.11 ...
On Tue, 15 Mar 2005, dima wrote:

>> I'm plugging everything into a Cisco 2924 ... is there some way, either on
>> the FreeBSD side, or Cisco, of 'cleaning this up'?
>
> Try ng_fec. It works ok with 2950, not sure about 2924 though.

man page is a bit short ... what exactly is ng_fec, and how does it affect things? For instance, do I start configuring an 'ifconfig fec0' device instead of my usual fxp0? or, does everything pretty much stay the same except running that extra daemon/command?

any docs other than the man pages that I should read through?
Re[2]: High ping latency using two ethernet under FreeBSD 4.11 ...
On Tue, 15 Mar 2005, dima wrote:

> This actually means you have 1 virtual interface fec0 representing 2 or
> more physical interfaces. The load balancing scheme can be assigned by a
> Catalyst, but low-end models like 2950 and 3550 can only balance traffic
> based on the least significant bit(s) of MAC-address.

'k, definitely not what I'm looking for then ... unless I'm missing something with how alias's work?

Right now, I have 2 C-classes, but they are assigned to the interface 'on the fly' ... so, I could have something like:

200.46.204.10
200.46.208.254
200.46.208.251
200.46.204.5

and then, after being up 15 days, might need to add yet another:

200.46.208.244

now, my understanding (which may be wrong) is that when aliasing the IPs onto the interface, they pretty much need to be 'bundled' ... if:

ifconfig fxp0 inet 200.46.204.2 netmask 255.255.255.0 (base server)
ifconfig fxp0 alias 200.46.204.10 netmask 255.255.255.255
ifconfig fxp0 alias 200.46.204.5 netmask 255.255.255.255
ifconfig fxp0 alias 200.46.208.254 netmask 255.255.255.0
ifconfig fxp0 alias 200.46.208.251 netmask 255.255.255.255
ifconfig fxp0 alias 200.46.208.244 netmask 255.255.255.255

so, I could add another 200.46.208.* to the interface, but wouldn't be able to add another 200.46.204.* to it, at least not without erasing all IPs and rebuilding the list ...

If this isn't correct, please feel free to correct me ... what I'd love to be able to do is:

ifconfig fxp0 inet 200.46.204.2 netmask 255.255.255.0 (base server)
ifconfig fxp1 alias 200.46.208.2 netmask 255.255.255.0 (base server again)
ifconfig fxp0 alias 200.46.204.10 netmask 255.255.255.255
ifconfig fxp0 alias 200.46.204.5 netmask 255.255.255.255
ifconfig fxp0 alias 200.46.208.254 netmask 255.255.255.255
ifconfig fxp0 alias 200.46.208.251 netmask 255.255.255.255
ifconfig fxp0 alias 200.46.208.244 netmask 255.255.255.255

but didn't think this was doable ...

So, right now, I'm using both fxp0 and fxp1, with fxp0 handling the 200.46.204.* C-class, and fxp1 handling the 200.46.208.* C-class, so that I can easily add/remove as required ...
Re: High ping latency using two ethernet under FreeBSD 4.11 ...
On Tue, 15 Mar 2005, Nikolay Kryukov wrote:

> It's the case of incorrect configuration. Equal mac addresses must not
> exist in different ports on the same vlan on catalyst switches. They may
> cause problems like:

'k, now I'm confused ... I hadn't noticed that, but how is it that they are 'equal'? I take it that 00:0b:bf:42:a8:06 is the MAC on the switch itself, since that machine's MAC addresses are:

ether 00:07:e9:05:1b:2e
ether 00:07:e9:05:1b:2f

does the cisco switch 'share' a mac across all ports?

> http://www.ciscotaccc.com/lanswitching/showcase?case=K19174025
>
> and, consequently, high latency.
>
> MGF> Testing my network, I just noticed the following:
> MGF> --- 200.46.204.1 ping statistics ---
> MGF> 4 packets transmitted, 4 packets received, 0% packet loss
> MGF> round-trip min/avg/max/stddev = 399.664/407.119/420.315/8.267 ms
> MGF> --- 200.46.208.1 ping statistics ---
> MGF> 3 packets transmitted, 3 packets received, 0% packet loss
> MGF> round-trip min/avg/max/stddev = 373.045/409.266/453.402/33.280 ms
> MGF> 400ms to my default router seems a wee bit high ...
> MGF> I'm suspecting that it has to do with:
> MGF> Mar 15 01:13:28 neptune last message repeated 10 times
> MGF> Mar 15 01:13:28 neptune /kernel: arp: 200.46.204.1 is on
> MGF> em0 but got reply from 00:0b:bf:42:a8:06 on em1
> MGF> Mar 15 01:13:28 neptune /kernel: arp: 200.46.208.1 is on
> MGF> em1 but got reply from 00:0b:bf:42:a8:06 on em0
> MGF> In order to provide network redundancy, and simplify our scripting, we
> MGF> have one network bound to one ethernet port, and the other network bound
> MGF> to the second one on the same machine ...
> MGF> I'm plugging everything into a Cisco 2924 ... is there some way, either on
> MGF> the FreeBSD side, or Cisco, of 'cleaning this up'?
Re: Re[2]: High ping latency using two ethernet under FreeBSD 4.11 ...
On Tue, 15 Mar 2005 [EMAIL PROTECTED] wrote:

>> but didn't think this was doable ...
>
> Why not:
>
> ifconfig fxp0 inet 200.46.204.2/24
> ifconfig fxp0 inet 200.46.208.2/24 alias
> ifconfig fxp0 inet 200.46.204.10/32 alias
> ifconfig fxp0 inet 200.46.204.5/32 alias
> ifconfig fxp0 inet 200.46.208.254/32 alias
> ifconfig fxp0 inet 200.46.208.251/32 alias
> ifconfig fxp0 inet 200.46.208.244/32 alias
>
> so on ? With the only fxp0 interface

Great ... I have a new server going down next week that I'll try out the ng_fec stuff with, and the above, then ... thanks ...

> You can freely add or delete all /32 addresses while not 200.46.204.2 and
> 200.46.208.2

That's cool, since those IPs are just for the base server itself, and never get removed ...

Thanks ...
Re[2]: High ping latency using two ethernet under FreeBSD 4.11 ...
On Tue, 15 Mar 2005, dima wrote:

> ng_fec is the NetGraph module which implements Cisco FastEtherChannel
> technology. This actually means you have 1 virtual interface fec0
> representing 2 or more physical interfaces. The load balancing scheme can
> be assigned by a Catalyst, but low-end models like 2950 and 3550 can only
> balance traffic based on the least significant bit(s) of MAC-address.

And this means ... ?

Also, how do I confirm that my 2950 *does*, in fact, support netgraph? I see nothing in 'show version' to indicate it ... but:

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 12-Jul-04 08:18 by madison
Image text-base: 0x8001, data-base: 0x8055C000

Thanks ...
use of ng_fec ...
After reading up on the Cisco stuff that ng_fec is meant for, I'm curious as to whether there is a way of determining if it's needed ... in my case, I have one server, two ethernets but all attaching to the same switch ... is there some way of determining if the interface(s) (on either the FreeBSD box, or the Cisco switch) is "overly busy", that load balancing would be beneficial?
Re: Re[2]: High ping latency using two ethernet under FreeBSD 4.11 ...
On Wed, 16 Mar 2005 [EMAIL PROTECTED] wrote:

> On Tue, 15 Mar 2005 [EMAIL PROTECTED] wrote:
>>>> but didn't think this was doable ...
>>>
>>> Why not:
>>>
>>> ifconfig fxp0 inet 200.46.204.2/24
>>> ifconfig fxp0 inet 200.46.208.2/24 alias
>>> ifconfig fxp0 inet 200.46.204.10/32 alias
>>> ifconfig fxp0 inet 200.46.204.5/32 alias
>>> ifconfig fxp0 inet 200.46.208.254/32 alias
>>> ifconfig fxp0 inet 200.46.208.251/32 alias
>>> ifconfig fxp0 inet 200.46.208.244/32 alias
>>>
>>> so on ? With the only fxp0 interface
>>
>> Great ... I have a new server going down next week that I'll try out the
>> ng_fec stuff with, and the above, then ... thanks ...
>
> If addresses and not bandwidth is reason, no need for ng_fec.

'k, I don't think bandwidth is an issue ... just started to use mrtg on the switch, to see what is going on ...

I might go with ng_fec anyway, so that both ports are used semi-balanced, since I do have them attached ...

Since the servers are remote, can I configure one interface as a fec device, assign its IPs over to it, then "add" the second device?

Also, where do you put your start up? Same as a regular interface, just throw it into a startup.if_fec file or something like that?
Too many IPs assigned to an interface?
Since talking about ng_fec, and the cisco switch, I started to play with it a bit, and one of the things I've finally setup is snmp/mrtg, so that I can monitor bw activity ... one thing that I've noticed is that two of my machines are doing a lot of bandwidth, while the other two are doing significantly less ...

The thing is, the ones that are doing significantly less are the ones that have the most IPs assigned to their interfaces ... based on 5 minute averages:

neptune - 68kb/s In, 119kb/s Out, 92 IPs assigned, Dual Xeon
mars - 289kb/s In, 320kb/s Out, 35 IPs assigned, Dual PIII

vmstat 5 on neptune:

102 3 0 1722316 206436 258 0 1 0 465 0 4 49 511 3885 2398 3 86 12
102 3 0 1681208 205624 74 0 0 0 63 0 1 0 305 3293 1233 2 57 41
96 3 0 1702012 189492 69 0 0 0 845 0 6 6 342 3606 2066 6 53 41
91 3 0 1699380 151064 85 0 0 0 2072 0 12 12 418 2752 3239 9 23 69
90 3 0 1681276 148584 53 0 0 0 463 0 1 3 325 2554 2266 6 23 72

vmstat 5 on mars:

11 5 0 4071268 211624 2329 1 2 1 1348 486 0 0 710 378 1049 6 24 70
14 5 0 4059324 198648 597648 0 0 0 920 0 18 157 933 7267 12086 4 56 40
15 5 0 4070128 189200 652140 1 0 0 853 0 4 122 931 6188 9166 5 52 44
16 5 0 4056332 211964 693722 0 2 0 1690 1558 1 167 1276 5614 4517 9 49 42
16 5 0 4012580 208272 722681 0 0 0 1133 0 3 137 909 3839 5456 6 48 46

the other one that seems 'low' for traffic is a Dual Athlon (85 IPs) ... the other that is high for traffic is another Dual PIII (21) ...

So, is network performance that greatly affected by # of IPs assigned to the interface itself? Or is there maybe another factor involved?
Re: ipfw problems ...
I recently setup a box on our network, running FreeBSD 4.4-PRERELEASE, with ipfw and dummynet to do bandwidth shaping as well as firewalling ...

The machine is a Dual PIII 733 w/1gig of RAM and 2xfxp0 devices ...

I've got an /etc/fw.rules file that has ~1200 rules in it so far, and still have more that I want to put in, but today the machine locked up solid ... I ended up re-starting the machine with fw set to open, and loaded a few rules at a time ... got up to 747 rules before the machine pretty much ground to a halt, with the occasional keystroke going through ...

~900 or so of the rules are purely 'pass thru' rules ... we have two connections to the internet ... one that costs us nothing, and one that costs us quite dearly ... we want to allow all traffic that goes to sites on the 'costs us nothing' network to go through unimpeded, while that which goes through the 'costs us quite dearly' to be 'shaped' ... the ~900 rules are the ones that define those b-class networks that are on the 'costs us nothing' network ...

I'm not seeing any errors on the console to indicate a problem, it just slowly grinds to a halt ... is there a setting in the kernel, or somewhere, that I should be setting to allow for such a high number of rules, or is it just not possible to do more than a few hundred? :(

Thanks

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
Re: ipfw problems ...
On Wed, 19 Sep 2001, Krzysztof Zaraska wrote:

> First, is there any specific reason for allowing only specific 900 subnets
> instead of the whole 'cost nothing' network? How big is this network? How
> would this increase the risk?

CA*Net3 vs "commercial net" traffic ...

> Second, with that number of networks, it is probable that at least some of
> them have the same prefix; for example
> 10.10.0.0/16
> 10.11.0.0/16
> can be matched with 10.10.0.0/15. This may bring down the number of rules.
> Continuing from previous point, if all class B networks are on the same
> network block (having, say 1024 class B networks) you may allow whole
> block and disallow only 124 subnets. That would bring the number of
> relevant rules down to 125.

Actually, I've already done that :( Some areas, I've been able to get her down to /12 ... so imagine the number of rules if I *hadn't* done that ...

> Third, take into account that since ipfw takes 'first matching rule
> wins' approach, you will get performance boost by moving more
> frequently used and more general rules "up" in the ruleset. For
> example, if you move the rule from position 700 to 200 packet will be
> matched only against 200 rules instead of 700.

Thought about, but not possible ... unless I'm mis-understanding something ... these rules are the exceptions ... "if none of these b-class networks isn't matched, *then* shape the bandwidth for anything not in there" ...

Is there some way of creating a 'group', similar to /etc/networks, where it's one rule with many addresses in it?

> Fourth, if you have any "keep-state" rules, each of them effectively
> generates new "dynamic" rules. In order to improve performance with
> TCP connections you may try to switch to TCP flag-based approach
> (keywords "setup" and "established"). This will save you from
> additional growth of ruleset, but may open you to the TCP ACK scan (I
> haven't verified it) which exposes inside network topology.

Not using any 'keep-state' rules ...
ipfw: skipto changing value of where I want to skipto?
psychopompus# ipfw add 00661 skipto 00708 ip from any to 136.0.0.0/5
00661 skipto 56 ip from any to 136.0.0.0/5

why is the 00708 changing to 56? :(
Re: ipfw problems ...
Our network layout is such that our ipfw box is purely a pass-thru between our router and our network providers router:

[our router] <--> [freebsd box running ipfw] <--> [network provider]
                                                     /          \
                                              [CA*Net3]    [Commercial]

Our CA*Net3 link is something like 50Mb/s, while Commercial is only 12, so we don't want to restrict the traffic to CA*Net3 ...

I spent all day yesterday going through the rules, and have it working with:

psychopompus# ipfw show | grep skipto | wc -l
248
psychopompus# ipfw show | grep deny | wc -l
31
psychopompus# ipfw show | grep allow | wc -l
1043
psychopompus#

And it works ... so now instead of processing >1k rules, it works out to be <100 or so ...

On Wed, 19 Sep 2001, Leif Neland wrote:

> >
> > > Third, take into account that since ipfw takes 'first matching rule
> > > wins' approach, you will get performance boost by moving more
> > > frequently used and more general rules "up" in the ruleset. For
> > > example, if you move the rule from position 700 to 200 packet will be
> > > matched only against 200 rules instead of 700.
> >
> > Thought about, but not possible ... unless I'm mis-understanding something
> > ... these rules are the exceptions ... "if none of these b-class networks
> > isn't matched, *then* shape the bandwidth for anything not in there" ...
> >
> Is the machine dying when *adding* the rules or when *using* the rules?
>
> If your first rule is "ipfw add 100 skipto 32768 ip from any to 1/1"
> you will have divided your rules, so networks from 0.0.0.0 to
> 127.255.255.255 will be handled by half of the rules, and the rest by the
> other half. So instead of traversing 700 rules, an unmatched packet will
> only traverse 350.
>
> Perhaps you could write a (perl?)script, which you feed a list of all the
> networks (B's?) and generates the proper rules.
>
> You could post that as a challenge to your local group of nerds, if you
> can find them...
>
> Also remember that the mask does not need to be "without holes", a mask of
> 255.127.255.0 is ok.
> But I guess you must either be a computer or autistic to be able to spot
> those masks...
>
> Another idea: is the routing mechanism better to sort by ip than ipfw?
> If so, you could route the expensive traffic to the shaper-machine.
>
> On top of that: is the routing information available from your uplinks?
> Perhaps you could get BGP or OSPF-routing information, saving you the
> trouble of maintaining the table.
>
> Also, what happens if you send "expensive" packets to the free uplink?
>
> Could that be used to having two default gateways with different metric?
> Or can this only shift the entire stream between the two gateways?
>
>
> Or you could patch ipfw to be able to use a hash-db :-)
>
>
> Leif
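The two ideas raised in this thread, merging adjacent prefixes (10.10.0.0/16 + 10.11.0.0/16 into 10.10.0.0/15) and using skipto so that a packet only walks part of the ruleset, can be combined in a small generator script. The following is an added example, not code from any poster: it dispatches per /8 rather than halving the address space, and the network list, rule numbers and pipe number are constructed (pipe 1 is assumed to be configured separately).

```python
import ipaddress

# Constructed sample list of destinations on the unmetered link.
FREE_NETS = """
10.10.0.0/16
10.11.0.0/16
10.12.0.0/16
136.0.0.0/5
136.159.0.0/16
172.16.0.0/16
172.17.0.0/16
192.168.4.0/24
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def collapse(text):
    """Parse one CIDR per line; merge adjacent and drop already-covered prefixes."""
    nets = [ipaddress.ip_network(line.strip())
            for line in text.splitlines() if line.strip()]
    return list(ipaddress.collapse_addresses(nets))


def build_rules(nets, first=1000, shape_rule=60000, pipe=1):
    """Return [(number, action, argument, destination)] for a two-level ruleset.

    Level 1 is a dispatch table with one skipto per /8 that contains free
    networks; level 2 is that /8's block of allow rules. Anything that falls
    out of the table or out of a block jumps to the shaping rule.
    """
    wide = [n for n in nets if n.prefixlen < 8]   # spans several /8s: test up front
    buckets = {}
    for n in nets:
        if n.prefixlen >= 8:
            slash8 = ipaddress.ip_network((int(n.network_address) & 0xFF000000, 8))
            buckets.setdefault(slash8, []).append(n)
    keys = sorted(buckets)

    # skipto only jumps forward, so lay the blocks out after the dispatch table.
    block_start, nxt = {}, first + len(wide) + len(keys) + 1
    for k in keys:
        block_start[k] = nxt
        nxt += len(buckets[k]) + 1                # +1 for the block's exit rule
    if nxt > shape_rule:
        raise ValueError("rule numbers would run into the shaping rule")

    body = [("allow", None, n) for n in wide]
    body += [("skipto", block_start[k], k) for k in keys]
    body.append(("skipto", shape_rule, ANY))      # not in any listed /8: shape it
    for k in keys:
        body += [("allow", None, n) for n in buckets[k]]
        body.append(("skipto", shape_rule, ANY))  # in the /8 but not a free net
    rules = [(first + i, *r) for i, r in enumerate(body)]
    rules.append((shape_rule, "pipe", pipe, ANY))
    return rules


def render(rules):
    """Turn the rule tuples into ipfw command lines."""
    out = []
    for num, action, arg, net in rules:
        verb = action if arg is None else f"{action} {arg}"
        dst = "any" if net == ANY else str(net)
        out.append(f"ipfw add {num} {verb} ip from any to {dst}")
    return out


def evaluate(rules, dst):
    """First-match walk of the ruleset: (final action, rules examined)."""
    addr = ipaddress.ip_address(dst)
    examined, floor = 0, 0
    for num, action, arg, net in rules:
        if num < floor:
            continue                              # skipped over by a skipto
        examined += 1
        if addr in net:
            if action == "skipto":
                floor = arg
            else:
                return action, examined
    return "default", examined


if __name__ == "__main__":
    ruleset = build_rules(collapse(FREE_NETS))
    print("\n".join(render(ruleset)))
    for ip in ("10.11.5.5", "192.168.4.9", "8.8.8.8"):
        print(ip, evaluate(ruleset, ip))
```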
using natd to proxy through a jail ... ?
Looking at the man page, I'm wondering if it's possible to use natd to proxy port X coming into a jail to an IP:port that is sitting behind that jail ...

For instance, I have two machines ... one holds the jail, the other holds a database server ... jail is accessible from the 'Net, but the database server is only accessible to the jail, so I want to proxy a connection *through* the jail to the database itself ...

Would this work?

Thanks ...
dest vs source ports ...
Just a quick question ... how does the OS determine the 'source port' when connecting to a remote site? is it reasonably safe to assume that the lower of the two ports is the dest port?

for instance, if I try to telnet to a remote site where the remote site is running a service on port 6667, is it a pretty safe bet that FreeBSD will pick a port >6667 to go out on? or is there an equal chance of it being lower?
determining "originator/source" of connection ...
I've got FreeBSD setup as a firewall to our campus network, and it's doing a great job of it, but we want to be able to log statistics on traffic going in and out ...

I have trafd running on the server, with it dumping its data to a PostgreSQL database, but for every ~8min "segment", it is logging ~12 000 records ... so ~90k/hr, or 2.16 million per day ...

Now, I'm figuring that if I could determine direction of flow (did we originate the connection, or did someone off campus originate it), I could shrink that greatly, as right now I have stuff like:

216.158.133.24280 131.162.158.24 3914 6 2356 4
216.158.133.24280 131.162.158.24 3915 6 4776734
216.158.133.24280 131.162.158.24 3916 6 7896256
216.158.133.24280 131.162.158.24 3917 6330141 224
216.158.133.24280 131.162.158.24 3918 611886289
216.158.133.24280 131.162.158.24 3919 6264139 185
216.158.133.24280 131.162.158.24 3920 6259543 179
216.158.133.24280 131.162.158.24 3921 6 9801473
216.158.133.24280 131.162.158.24 3922 6267772 186
216.158.133.24280 131.162.158.24 3923 6148879 109
216.158.133.24280 131.162.158.24 3924 6 6406 8
216.158.133.24280 131.162.158.24 3925 6 2486 5
216.158.133.24280 131.162.158.24 3928 610958475
216.158.133.24280 131.162.158.24 3929 6 9243562
216.158.133.24280 131.162.158.24 3936 6 13059 9
216.158.133.24280 131.162.158.24 3937 6 2264117

where I don't care about the source port, only the dest port ... except, in the above, trafd is writing it as 'source port == 80' and 'dest port' is arbitrary ...

while later in the results, I'll get something like:

130.94.4.7 40072 131.162.138.19325 6 297610
130.94.4.7 58562 131.162.138.19325 6 524916

which does make sense (ie. source port -> dest port) ...

is there something that I can do with libpcap that will give me better information than trafd does? is there a 'tag' in the IP headers that can be used to determine the originator of the connection?

thanks ...
Re: determining "originator/source" of connection ...
On Tue, 22 Oct 2002, Luigi Rizzo wrote:

> let me understand, you basically want something that puts flow statistics
> in the bucket identified by the of the first SYN
> packet you see (the assumption being that connections are
> initiated by clients towards a well known port, which appears
> as dst-port in the first syn packet ?
>
> Or if you are just happy to aggregate by IP, one solution i often
> use is the following (based on dummynet's dynamic pipes):
>
> # do not expire pipes even if they have no pending traffic
> sysctl net.inet.ip.dummynet.expire=0
>
> # create separate pipes for src and dst masks
> ipfw pipe 20 config mask src-ip 0x buckets 256
> ipfw pipe 21 config mask dst-ip 0x buckets 256
>
> ipfw add pipe 20 ip from $my_subnet to any
> ipfw add pipe 21 ip from any to $my_subnet

I don't believe I could do this with ipfw ... $my_subnet == 131.162.0.0 :( I fear the machine would start to smoke, no? :(

>
> cheers
> luigi
>
>
> On Tue, Oct 22, 2002 at 02:47:36PM -0300, Marc G. Fournier wrote:
> >
> > I've got FreeBSD setup as a firewall to our campus network, and it's doing
> > a great job of it, but we want to be able to log statistics on traffic going
> > in and out ...
> >
> > I have trafd running on the server, with it dumping its data to a
> > PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
> > records ... so ~90k/hr, or 2.16 million per day ...
> >
> > Now, I'm figuring that if I could determine direction of flow (did we
> > originate the connection, or did someone off campus originate it), I could
> > shrink that greatly, as right now I have stuff like:
> >
> > 216.158.133.24280 131.162.158.24 3914 6 2356 4
> > 216.158.133.24280 131.162.158.24 3915 6 4776734
> > 216.158.133.24280 131.162.158.24 3916 6 7896256
> > 216.158.133.24280 131.162.158.24 3917 6330141 224
> > 216.158.133.24280 131.162.158.24 3918 611886289
> > 216.158.133.24280 131.162.158.24 3919 6264139 185
> > 216.158.133.24280 131.162.158.24 3920 6259543 179
> > 216.158.133.24280 131.162.158.24 3921 6 9801473
> > 216.158.133.24280 131.162.158.24 3922 6267772 186
> > 216.158.133.24280 131.162.158.24 3923 6148879 109
> > 216.158.133.24280 131.162.158.24 3924 6 6406 8
> > 216.158.133.24280 131.162.158.24 3925 6 2486 5
> > 216.158.133.24280 131.162.158.24 3928 610958475
> > 216.158.133.24280 131.162.158.24 3929 6 9243562
> > 216.158.133.24280 131.162.158.24 3936 6 13059 9
> > 216.158.133.24280 131.162.158.24 3937 6 2264117
> >
> > where I don't care about the source port, only the dest port ... except,
> > in the above, trafd is writing it as 'source port == 80' and 'dest port'
> > is arbitrary ...
> >
> > while later in the results, I'll get something like:
> >
> > 130.94.4.7 40072 131.162.138.19325 6 297610
> > 130.94.4.7 58562 131.162.138.19325 6 524916
> >
> > which does make sense (ie. source port -> dest port) ...
> >
> > is there something that I can do with libpcap that will give me better
> > information than trafd does? is there a 'tag' in the IP headers that can
> > be used to determine the originator of the connection?
> >
> > thanks ...
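The approach discussed in this thread, bucketing each flow by the destination of its first SYN so that the per-connection client port disappears from the statistics, can be sketched as follows. This is an added example, not trafd's or any poster's code: the packets are constructed IPv4/TCP headers using documentation addresses, and the "lower port is the service" fallback for flows whose SYN was never captured is only a guess, as the 6667 sample flow shows.

```python
import socket
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def parse(pkt):
    """Decode an IPv4/TCP packet -> (src, sport, dst, dport, flags, ip_length)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None                               # too short, not IPv4, or not TCP
    ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
    if len(pkt) < ihl + 14:
        return None                               # TCP flags byte not captured
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, sport, dst, dport, pkt[ihl + 13], total_len


def summarise(packets):
    """Return {(client_ip, server_ip, server_port): (packets, bytes)}."""
    server_of = {}                                # flow key -> (server ip, port)
    totals = defaultdict(lambda: [0, 0])
    for raw in packets:
        rec = parse(raw)
        if rec is None:
            continue
        src, sport, dst, dport, flags, length = rec
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)        # same key for both directions
        if flags & SYN and not flags & ACK:
            server_of[key] = b                    # bare SYN: sender originated it
        elif key not in server_of:
            # Opening SYN not captured. A SYN+ACK can only come from the
            # server; otherwise guess that the lower port is the service.
            server_of[key] = a if (flags & SYN or sport < dport) else b
        server = server_of[key]
        client = b if server == a else a
        row = totals[(client[0], server[0], server[1])]
        row[0] += 1
        row[1] += length
    return {k: tuple(v) for k, v in totals.items()}


def mk(src, sport, dst, dport, flags, payload=0):
    """Build constructed sample headers (checksums zero, payload bytes omitted
    as with a short capture snaplen; the IP length field still counts them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return ip + tcp


# Constructed capture: 192.0.2.0/24 plays the role of the campus network.
SAMPLE = [
    # two outbound web connections from one campus host, handshake captured
    mk("192.0.2.24", 3914, "198.51.100.80", 80, SYN),
    mk("198.51.100.80", 80, "192.0.2.24", 3914, SYN | ACK),
    mk("192.0.2.24", 3914, "198.51.100.80", 80, ACK),
    mk("198.51.100.80", 80, "192.0.2.24", 3914, ACK, 1000),
    mk("192.0.2.24", 3915, "198.51.100.80", 80, SYN),
    mk("198.51.100.80", 80, "192.0.2.24", 3915, SYN | ACK),
    mk("198.51.100.80", 80, "192.0.2.24", 3915, ACK, 500),
    # connection already open when capture began: port-number fallback
    mk("198.51.100.80", 80, "192.0.2.24", 3916, ACK, 200),
    # inbound mail connection originated off campus
    mk("203.0.113.7", 40072, "192.0.2.19", 25, SYN),
    mk("203.0.113.7", 40072, "192.0.2.19", 25, ACK, 300),
    # client port lower than the service port: only the SYN gets this right
    mk("192.0.2.24", 1030, "198.51.100.9", 6667, SYN),
    mk("198.51.100.9", 6667, "192.0.2.24", 1030, ACK, 100),
]

if __name__ == "__main__":
    for (client, server, port), (pkts, nbytes) in sorted(summarise(SAMPLE).items()):
        print(f"{client} -> {server}:{port}  packets={pkts} bytes={nbytes}")
```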
if_ef doesn't work with if_fxp?
Morning ...

Been trying to get ncp* to work with FreeBSD 4.7-STABLE, and finally found some docs that refer to the if_ef device for doing this ... but when I try to do:

ifconfig fxp0f2 ipx 0x

and it gives me back an 'interface does not exist' message ... I have ef configured into the kernel, as well as fxp, so kernel modules aren't involved here ...

Help?

Thanks ...
Re: if_ef doesn't work with if_fxp?
'K, will try that out ...

On Wed, 13 Nov 2002, John Hay wrote:

> >
> > Been trying to get ncp* to work with FreeBSD 4.7-STABLE, and finally
> > found some docs that refer to the if_ef device for doing this ... but when
> > I try to do:
> >
> > ifconfig fxp0f2 ipx 0x
> >
> > and it gives me back an 'interface does not exist' message ... I have ef
> > configured into the kernel, as well as fxp, so kernel modules aren't
> > involved here ...
> >
>
> I don't know if it will help, but I have never been able to get if_ef
> working when it is compiled into the kernel. I just kldload it. And
> I do use it with fxp devices.
>
> John
> --
> John Hay -- [EMAIL PROTECTED] / [EMAIL PROTECTED]
Re: if_ef doesn't work with if_fxp?
On Wed, 13 Nov 2002, John Hay wrote:

> >
> > Been trying to get ncp* to work with FreeBSD 4.7-STABLE, and finally
> > found some docs that refer to the if_ef device for doing this ... but when
> > I try to do:
> >
> > ifconfig fxp0f2 ipx 0x
> >
> > and it gives me back an 'interface does not exist' message ... I have ef
> > configured into the kernel, as well as fxp, so kernel modules aren't
> > involved here ...
> >
>
> I don't know if it will help, but I have never been able to get if_ef
> working when it is compiled into the kernel. I just kldload it. And
> I do use it with fxp devices.

Woo hoo ... okay, now we are slowly getting somewhere ...

I checked with our network/netware guy, and he's told me that we're running "0 interface with an Ethernet_II frame", so I've got fxp0f0 configured with our network number, which he's given me as 0x83a2c800 ... *but* ... and here is where I'm potentially getting things screwed up ...

Our network is a B-Class, with from x.x.128.x up being divided into subnets of 8 C-classes each ... so subnet 128, 136, 144, etc ... our netware server is on subnet 200, which is the 83a2c800 that he's given me ... the computer I'm working on is a laptop, so will be on several different subnets, but never on subnet 200 ... is 83a2c800 the netnum I want to use, or is there something else I should be using?

With everything apparently configured right, if I do:

ncplogin -T DOMAIN -U user -S server

it comes back with:

Warning: no cfg files found.
ncplogin: can't find server SERVER: syserr = Network is down

IP wise, I can ping the server no problem, so I'm missing one step here for the IPX stuff ... ?

Thanks ...
Re: Traffic analysis ports?
best I've found so far is ipaudit ...

On Thu, 18 Sep 2003, Josef Karthauser wrote:

> Dear all,
>
> I'm looking for some software to basically analyse the traffic I've got
> going over a particular pipe so that I can work out whether or what to
> traffic shape. Can anyone recommend anything?
>
> Joe
> --
> Josef Karthauser ([EMAIL PROTECTED]) http://www.josef-k.net/
> FreeBSD (cvs meister, admin and hacker) http://www.uk.FreeBSD.org/
> Physics Particle Theory (student) http://www.pact.cpes.sussex.ac.uk/
> An eclectic mix of fact and theory.
Odd behaviour on em0 device in -stable ... I think ...
I'm having some odd behaviour with one of my servers ... it is the only one of 4 that I have that has an em device, and, from what I can tell, the problem doesn't exist on any of the other 3 ...

The problem is that I want to move an IP from one of the other servers (all with fxp interfaces) over to the 4th, with the em device ... I -alias the IP from the fxp device, and alias it over to the em device, and I can no longer access it remotely ...

If I alias it onto any of the other two fxp based servers, it works fine.

If I ping from the old server, on the same network, it pings fine ... its only remote pings that don't work ... and all other IPs currently on the em server are pingable too, so its not like I have ICMP blocked at any one point ...

All 4 servers are plug'd into a Linksys 10/100 Switch, which is then plug'd into a Cisco Switch ...

If I add an unused IP to the em device, it is pingable ... its as if somewhere isn't seeing the routing change from the old fxp based server over to the new em based one, but if I put it onto a different fxp based server, it works ...

Trying to do a 'ping -S ns.uunet.ca' doesn't work either, but using an existing, pingable IP, does ... netmask is set identical to all the other IPs on the machine, and arp -a shows the IP as 'permanent' ...

I'm not sure what to look at ... the only 'odd man out' here is the em device itself, but by the fact that I can add an unassigned IP to it, I'm not hitting a limit on # of aliased IPs (currently only 21) ... and I've tried with another assigned IP (unalias from fxp device, move it to em device) and it too becomes unpingable, but works fine if I move it to another fxp device on a different server ...

Am I missing something obvious here?

Thanks ...

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Re: Odd behaviour on em0 device in -stable ... I think ...
On Sun, 4 Jan 2004, Barney Wolff wrote:

> On Sun, Jan 04, 2004 at 04:31:41PM -0400, Marc G. Fournier wrote:
> >
> > The problem is that I want to move an IP from one of the other servers
> > (all with fxp interfaces) over to the 4th, with the em device ... I -alias
> > the IP from the fxp device, and alias it over to the em device, and I can
> > no longer access it remotely ...
> >
> > If I alias it onto any of the other two fxp based servers, it works fine.
>
> Something, either the switch or the router, has a stale arp table entry.
> It's a little curious that this ever works, without resetting whatever
> it is. Perhaps the fxp's manage to send a gratuitous arp when taking
> on a new alias.

re: gratuitous arp ... I was wondering if the nics do anything like this, but, shouldn't be 'ping -S ' not "force" something? Like, I could see remote pings not being able to find their way, but sourcing one of the IP in question to go out, I would have thought it would have found its way ...

Would the arp thing be nic based, or does the OS itself do it?

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Re: Odd behaviour on em0 device in -stable ... I think ...
On Sun, 4 Jan 2004, Luigi Rizzo wrote:

> i am partly lost on the details of your specific question, but
> the symptoms do seem to suggest a stale ARP entry, which must be
> in the router (if the switch had a stale entry in its MAC forwarding
> table, you would have problems even with local pings, not only
> remote ones).
>
> It is the OS that generates a gratuitous ARP every time you assign
> an IP address (or alias) to a card, though i am not sure if it
> sends one for each address assigned to the card, or just one for the
> newly configured address -- the latter would not solve your problem.

One of the odd things I'm finding with the em0 device, over the fxp0 device on the other machines, is that if/when I do alias (or -alias), the network hangs for a couple of seconds, and the following gets generated in /var/log/messages:

Jan 4 16:09:17 neptune /kernel: em0: Link is up 100 Mbps Full Duplex

as if it brought the device down, and then back up again ... is that normal?

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
RE: Odd behaviour on em0 device in -stable ... I think ...
On Mon, 5 Jan 2004, Sreekanth wrote:

> The "Link is up" message can be explained by the fact the device is
> reset every time an alias is added or removed. Network hanging is
> explained by the spanning tree protocol working (It prevents the port
> from going into Forward state for around 20 seconds)

is there a reason why the em driver does this, and the fxp doesn't? or, at least, why the em driver takes longer? it only appears to be the server with em devices that does it ...

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Re: Odd behaviour on em0 device in -stable ... I think ...
On Sun, 4 Jan 2004, Luigi Rizzo wrote:

> It is the OS that generates a gratuitous ARP every time you assign an IP
> address (or alias) to a card, though i am not sure if it sends one for
> each address assigned to the card, or just one for the newly configured
> address -- the latter would not solve your problem.

Is there a way of doing this manually? man arp doesn't seem to indicate any way using that ...

One thing I should note is that it *used* to do this ... the server has been up for 84 days now, but when first booted, I could add/remove pre-aliased IPs without this problem ... is there anything that maybe I should be checking before a reboot that may indicate an underlying problem?

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Re: Odd behaviour on em0 device in -stable ... I think ...
Just a quick follow up note on this ... this morning, we upgraded the server in question to latest stable, and rebooted, to see if that would clear up the problem ...

The problem persisted, but, based on comments about auto-negotiation made in this thread, I figured I'd see if maybe 'forcing' to 'media 100baseTX mediaopt full-duplex' would make any difference, and it appears to ... I can now move IPs back and forth from server to server, including this one, without any apparent problems ...

So, problem with aliasing/unaliasing code where autoselect is enabled, maybe?

On Sun, 4 Jan 2004, Marc G. Fournier wrote:

>
> I'm having some odd behaviour with one of my servers ... it is the only
> one of 4 that I have that has an em device, and, from what I can tell, the
> problem doesn't exist on any of the other 3 ...
>
> The problem is that I want to move an IP from one of the other servers
> (all with fxp interfaces) over to the 4th, with the em device ... I -alias
> the IP from the fxp device, and alias it over to the em device, and I can
> no longer access it remotely ...
>
> If I alias it onto any of the other two fxp based servers, it works fine.
>
> If I ping from the old server, on the same network, it pings fine ... its
> only remote pings that don't work ... and all other IPs currently on the
> em server are pingable too, so its not like I have ICMP blocked at any one
> point ...
>
> All 4 servers are plug'd into a Linksys 10/100 Switch, which is then
> plug'd into a Cisco Switch ...
>
> If I add an unused IP to the em device, it is pingable ... its as if
> somewhere isn't seeing the routing change from the old fxp based server
> over to the new em based one, but if I put it onto a different fxp based
> server, it works ...
>
> Trying to do a 'ping -S ns.uunet.ca' doesn't work either, but using
> an existing, pingable IP, does ... netmask is set identical to all the
> other IPs on the machine, and arp -a shows the IP as 'permanent' ...
>
> I'm not sure what to look at ... the only 'odd man out' here is the em
> device itself, but by the fact that I can add an unassigned IP to it, I'm
> not hitting a limit on # of aliased IPs (currently only 21) ... and I've
> tried with another assigned IP (unalias from fxp device, move it to em
> device) and it too becomes unpingable, but works fine if I move it to
> another fxp device on a different server ...
>
> Am I missing something obvious here?
>
> Thanks ...
>
> Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
> Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
>

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Odd network issue ... *very* slow scp between two servers
I have two servers on the same network switch, sitting one on top of the other ... one is running an em (Dual-Xeon 2.4Ghz) device, the other an fxp (Dual-PIII 1.3Ghz) device ...

Doing a straight (not sftp/scp) ftp between the two servers, of a 1Meg file, shows:

1038785 bytes received in 85.91 seconds (11.81 KB/s)

Going between two servers, same switch, both running fxp devices, for the exact same file, shows:

1038785 bytes received in 0.09 seconds (10.64 MB/s)

Now, I have ipaudit running on all the servers, to monitor bandwidth ... the server with the fxp device on it, that I just downloaded to from another fxp server @ 10.64MB/s, did 11535.73M of traffic total yesterday ... the one with the em device did 11766.46M ...

Now, in my /var/log/messages file, I am getting the RST lines:

Mar 6 12:35:38 neptune /kernel: Limiting open port RST response from 700 to 200 packets per second
Mar 6 12:35:39 neptune /kernel: Limiting open port RST response from 636 to 200 packets per second
Mar 6 12:35:41 neptune /kernel: Limiting open port RST response from 523 to 200 packets per second
Mar 6 12:35:46 neptune /kernel: Limiting open port RST response from 386 to 200 packets per second
Mar 6 12:35:55 neptune /kernel: Limiting open port RST response from 238 to 200 packets per second
Mar 6 13:34:25 neptune /kernel: Limiting open port RST response from 799 to 200 packets per second
Mar 6 13:34:27 neptune /kernel: Limiting open port RST response from 637 to 200 packets per second
Mar 6 13:34:28 neptune /kernel: Limiting open port RST response from 503 to 200 packets per second
Mar 6 13:34:32 neptune /kernel: Limiting open port RST response from 343 to 200 packets per second
Mar 6 13:34:42 neptune /kernel: Limiting open port RST response from 206 to 200 packets per second

And seems to be quite regular:

neptune# gzcat /var/log/messages.0.gz | grep RST | wc -l
95

where 0.gz is from Mar 5 14:47:28 -> Mar 6 11:30:52

but, shouldn't:

net.inet.tcp.blackhole: 0 -> 2

help? or did I read the man page wrong?

If it should, I'm still only getting ~13k/s on that same file ... there is nothing else in messages to indicate a problem, either with processes, or drives, or anything, and load on the machine, right now, is only 1.3 ...

vmstat -i shows a high rate of interrupts for the em device:

neptune# uptime
1:43PM up 57 days, 3:08, 5 users, load averages: 1.38, 1.32, 0.97
neptune# vmstat -i
interrupt      total       rate
ahd0 irq16     15          0
ahd1 irq17     932228686   188
em0 irq18      1205773331  244
clk irq0       493596903   99
rtc irq8       631819522   128
Total          3263418457  661

vs

mars# uptime
1:43PM up 77 days, 9:50, 3 users, load averages: 7.44, 7.73, 6.28
mars# vmstat -i
interrupt      total       rate
fxp0 irq5      499794285   74
ahc0 irq11     15          0
ahc1 irq15     915710622   136
fdc0 irq6      4           0
clk irq0       668800403   99
rtc irq8       856196939   128
Total          2940502268  439

the fxp device is running:

media: Ethernet autoselect (100baseTX )

the em device is running:

media: Ethernet 100baseTX

and, finally, the em server was last upgraded:

4.9-STABLE #4: Tue Jan 6 00:59:37 AST 2004

while the fxp server is almost ancient:

4.9-PRERELEASE #2: Sat Sep 20 14:42:25 ADT 2003

I'm going to do a reboot on the server Monday, when a tech is easily accessible in case of a problem ... but, before I do that, is there anything I can do to possibly debug this? Maybe something I can look at that would show a 'leak', maybe?

Thanks ...

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
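The "Limiting ... response" lines in the post above are written by the kernel's response rate limiter, one line per interval in which more replies were due than the limit allows, so grouping them into bursts shows when and how hard the host was being hit. The following is an added example, not part of the original post: it parses those lines and summarises each burst. The function names, the 60-second grouping gap and the year (syslog lines carry none) are assumptions, and the sample input is the log excerpt from the post.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Sample input: the rate-limit lines quoted in the post.
SAMPLE_LOG = """\
Mar 6 12:35:38 neptune /kernel: Limiting open port RST response from 700 to 200 packets per second
Mar 6 12:35:39 neptune /kernel: Limiting open port RST response from 636 to 200 packets per second
Mar 6 12:35:41 neptune /kernel: Limiting open port RST response from 523 to 200 packets per second
Mar 6 12:35:46 neptune /kernel: Limiting open port RST response from 386 to 200 packets per second
Mar 6 12:35:55 neptune /kernel: Limiting open port RST response from 238 to 200 packets per second
Mar 6 13:34:25 neptune /kernel: Limiting open port RST response from 799 to 200 packets per second
Mar 6 13:34:27 neptune /kernel: Limiting open port RST response from 637 to 200 packets per second
Mar 6 13:34:28 neptune /kernel: Limiting open port RST response from 503 to 200 packets per second
Mar 6 13:34:32 neptune /kernel: Limiting open port RST response from 343 to 200 packets per second
Mar 6 13:34:42 neptune /kernel: Limiting open port RST response from 206 to 200 packets per second
"""

Event = namedtuple("Event", "when host kind seen limit")
Burst = namedtuple("Burst", "host kind start end events peak over_limit")

# Accepts both "packets per second" (as in the post) and "packets/sec".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+/?kernel:\s+"
    r"Limiting (?P<kind>.+?) response from (?P<seen>\d+) to (?P<limit>\d+) "
    r"packets(?: per second|/sec)"
)


def parse_events(text, year=2004):
    """Extract rate-limit events; `year` is assumed because syslog omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = " ".join(m.group("ts").split())  # collapse syslog's padded day field
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append(Event(when, m.group("host"), m.group("kind"),
                            int(m.group("seen")), int(m.group("limit"))))
    return events


def _summarise(evs):
    return Burst(evs[0].host, evs[0].kind, evs[0].when, evs[-1].when, len(evs),
                 max(e.seen for e in evs),
                 sum(e.seen - e.limit for e in evs))  # replies dropped in logged intervals


def find_bursts(events, max_gap=timedelta(seconds=60)):
    """Group events per (host, kind) into bursts separated by more than max_gap."""
    bursts, open_bursts = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.host, ev.kind)
        current = open_bursts.get(key)
        if current and ev.when - current[-1].when <= max_gap:
            current.append(ev)
        else:
            if current:
                bursts.append(_summarise(current))
            open_bursts[key] = [ev]
    bursts.extend(_summarise(evs) for evs in open_bursts.values())
    return sorted(bursts, key=lambda b: b.start)


if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"{b.host} {b.kind}: {b.start:%b %d %H:%M:%S} to {b.end:%H:%M:%S}, "
              f"{b.events} lines, peak {b.peak}/s, {b.over_limit} over limit")
```

On the excerpt from the post this reports two bursts of about 17 seconds each, roughly an hour apart, which is the kind of regularity worth correlating with cron jobs, monitoring probes or scan traffic seen by ipaudit.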
Re: Odd network issue ... *very* slow scp between two servers
On Sat, 6 Mar 2004, Tim Wilde wrote:

> On Sat, 6 Mar 2004, Marc G. Fournier wrote:
>
> > I have two servers on the same network switch, sitting one on top of the
> > other ... one is running an em (Dual-Xeon 2.4Ghz) device, the other an fxp
> > (Dual-PIII 1.3Ghz) device ...
>
> Is it a Cisco Catalyst switch? If so, you need to switch the em's to
> autoselect, on both the server and switch end. For some reason, the em
> driver will not properly lock down its rate when talking to a Cisco
> Catalyst switch. At least, I had an identical problem with em's talking
> to a Catalyst 2950 and that was the fix I came up with. Give it a try and
> see how your results go.

Actually, just a simple Linksys 10/100 Switch ... I *have* to upgrade it to something managed :(

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Re: Odd network issue ... *very* slow scp between two servers
On Sat, 6 Mar 2004, Tim Wilde wrote:

> On Sat, 6 Mar 2004, Marc G. Fournier wrote:
>
> > I have two servers on the same network switch, sitting one on top of the
> > other ... one is running an em (Dual-Xeon 2.4Ghz) device, the other an fxp
> > (Dual-PIII 1.3Ghz) device ...
>
> Is it a Cisco Catalyst switch? If so, you need to switch the em's to
> autoselect, on both the server and switch end. For some reason, the em
> driver will not properly lock down its rate when talking to a Cisco
> Catalyst switch. At least, I had an identical problem with em's talking
> to a Catalyst 2950 and that was the fix I came up with. Give it a try and
> see how your results go.

Note that forcing it to 100baseT half-duplex (or 10baseT/UTP half-duplex) corrects the problem ... turns out it is only in full-duplex mode that its hosed ...

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Simple question, what is an inOctet ... ?
Just setup net-snmp, and zabbix to monitor it ... what exactly is an Octet? 1 byte?

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Looking for switch recommendations ...
I'm looking at replacing my el'cheapo switch with something better that will allow me to fix my issues with the em/full-duplex problem ...

I'm looking for something managed, as well as SNMP aware so that I can tie it into Zabbix for monitoring ... something 8 or 12 port preferred.

Cisco, of course, is always a big name ... but also expensive ... one recommendation is the xl 1900, but I can't find any specs on her at cisco's site, so discontinued product?

What about Netgear, which I have easy access to? Or Alcatel?

models to stay away from?

Thanks ...

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Re: Looking for switch recommendations ...
One thing I hate about comparison shopping for computers ... there are so many options :(

What is the difference between Layer2 and Layer3, and what does that affect?

I see the HP Procurve 2626 (I don't need 50 ports yet) for ~$600 on the web ... while I can pick up the Dell PowerConnect 3324 is ~$500 ...

How do I compare the two? They seem to both use different terminologies for what I'd guess are the same thing:

HP:
  Throughput:         2650 - 10.1 mpps (64-byte packets)
                      2626 - 6.6 mpps (64-byte packets)
  Switching capacity: 2650 - 13.6 Gbps
                      2626 - 9.6 Gbps

Dell:
  Switch Fabric Capacity 8.8 Gb/s
  Forwarding Rate        6.5 Mpps

So, in both cases, the HP is faster, but ... is that 6.6mpps "per port" (ie. the pp?) ... right now, I'm seeing max of around 3Mps going out a server, with average being well below 1 ... so I can't see hitting that high any time soon ...

Based on the #s for throughput, I can't see a big advantage of HP over Dell to warrant the extra cost, but I see nothing on Dell about the Layer2/3 stuff ... but not sure what that gives either ...

Price wise, both the HP and Dell versions look reasonable, and I think the Dell is easier for me to get in Panama (I know there is a local office for them there) ... I've had one + for Dell ... does anyone have any caveats against them? Or kudos too?

On Fri, 26 Mar 2004, Per Engelbrecht wrote:

> Hi,
> Don't know your budget, but HP Procurve 2650 (layer2/layer3 hybrid)
> works just fine. Full managed, snmp et al.
>
> respectfully
> /per
> [EMAIL PROTECTED]
>
> >
> > I'm looking at replacing my el'cheapo switch with something better
> > that will allow me to fix my issues with the em/full-duplex problem
> > ...
> >
> > I'm looking for something managed, as well as SNMP aware so that I
> > can tie it into Zabbix for monitoring ... something 8 or 12 port
> > preferred.
> >
> > Cisco, of course, is always a big name ... but also expensive ...
> > one recommendation is the xl 1900, but I can't find any specs on
> > her at cisco's site, so discontinued product?
> >
> > What about Netgear, which I have easy access to? Or Alcatel?
> >
> > models to stay away from?
> >
> > Thanks ...
> >
> > Marc G. Fournier Hub.Org Networking Services
> > (http://www.hub.org) Email: [EMAIL PROTECTED] Yahoo!:
> > yscrappy ICQ: 7615664

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Re: Looking for switch recommendations ...
On Fri, 26 Mar 2004, Bakul Shah wrote:

> For 100Mbps ports, the max packet rate in one direction is 10^8/672 ==
> 148809 pps (packets per sec) per port. So for 24 port full duplex ports
> you get an aggregate maximum throughput of 148809*24*2 = 7738068 =
> 7.14Mpps (Million pps). For a 48 port switch it is 14.29Mpps.

so, the closer the Mpps gets to that 7.1Mpps, the better the switch overall? I take it that has to do with the CPU driving the switch itself, or is there other factors that help drive that # up?

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
Stupid question about managed switches
Please excuse this, but my experience with them is zilch ... am going with the HP Procurve 2826(?) Layer2/Layer3 switch, as was suggested, but I'm curious as to how they work ...

For instance, I know when I setup a router, I have an IN IP and an OUT IP configured ... but, with a managed switch, what do I have?

For instance, right now, I have a default gateway on the providers switch of 200.46.204.1 ... and my servers are .2, .3, .4 and .5 ... if I put a managed switch, vs the unmanaged we have now, between the providers switch and the servers, does my default route then change to be the switch itself? Or is the 'login part' of the switch thought of the same way as adding just another server to the network, for connectivity purposes?

As I said, stupid question, but for someone who's never played with a managed switch before ... :(

Thanks ..

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664
RE: Stupid question about managed switches
On Thu, 8 Apr 2004, Don Bowman wrote:

> From: Marc G. Fournier [mailto:[EMAIL PROTECTED]
> >
> > Please excuse this, but my experience with them is zilch ...
> > am going with
> > the HP Procurve 2826(?) Layer2/Layer3 switch, as was
> > suggested, but I'm
> > curious as to how they work ...
> >
> > For instance, I know when I setup a router, I have an IN IP
> > and an OUT IP
> > configured ... but, with a managed switch, what do I have?
> >
> > For instance, right now, I have a default gateway on the
> > providers switch
> > of 200.46.204.1 ... and my servers are .2, .3, .4 and .5 ...
> > if I put a
> > managed switch, vs the unmanaged we have now, between the
> > providers switch
> > and the servers, does my default route then change to be the switch
> > itself? Or is the 'login part' of the switch thought of the
> > same way as
> > adding just another server to the network, for connectivity purposes?
> >
> > As I said, stupid question, but for someone who's never played with a
> > managed switch before ... :(
> >
> > Thanks ..
>
> In layer-2 mode, its nothing but a hub. It doesn't change your
> default route or anything. Pretend its not there.
>
> you will need a router connected to this switch, and its
> IP will remain your default route (likely).

'k, but I want to use the managed aspect of it to be able to hard code the port rates (ie. to fix this full-duplex issue initially) as well as be able to access SNMP so that I can do bandwidth monitoring of external traffic ... I have SNMP setup on the FreeBSD boxes right now so that I can see network load per server, but I want to be able to isolate the 'external' traffic from 'internal', by monitoring the specific port that is connected to the providers switch ...

So, in both cases, I need to assign an IP somewhere, correct?

Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED] Yahoo!: yscrappy ICQ: 7615664