xntp mlockall issue patched yet?
Hi, found this posting back from 2013 and wondering if there was ever a commit on the proposed patch? http://openbsd-archive.7691.n7.nabble.com/PATCH-mlockall-problem-in-OpenBSD-5-2-td166000.html I'm running current (6.1 GENERIC.MP#99 amd64) and keep getting this message when trying to start ntp from @ports: ntpd 4.2.8p10@1.3728-o Fri Jun 2 02:18:56 UTC 2017 (1): Starting mlockall(): Cannot allocate memory fatal out of memory (32 bytes) "top" is showing that I have 5.6GB memory Free so it definitely isn't a memory issue as I'm sure unless there was a leak that ntpd wouldn't use 'that' much. As writing I managed to start the daemon manually by issuing /usr/local/sbin/ntpd from the cli; checking /var/log/messages these are the errors coming up: ntpd 4.2.8p10@1.3728-o Fri Jun 2 02:18:56 UTC 2017 (1): Starting mlockall(): Cannot allocate memory ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error: getting interface addresses: getifaddrs: Cannot allocate memory If this is an interface issue, I just killed the process and tried to issue the command: /usr/local/sbin/ntpd -I vlan(num) and unfortunately again it is bombing out with the above error :-( Can anyone offer any inspiration on this? Many thanks. Kaya ntpd 4.2.8p10@1.3728-o Fri Jun 2 02:18:56 UTC 2017 (1): Starting fatal out of memory (32 bytes) fatal out of memory (32 bytes)
Re: xntp mlockall issue patched yet?
On 07/08/2017 12:11 AM, Christian Weisgerber wrote: On 2017-07-07, Kaya Saman wrote: I'm running current (6.1 GENERIC.MP#99 amd64) and keep getting this message when trying to start ntp from @ports: ntpd 4.2.8p10@1.3728-o Fri Jun 2 02:18:56 UTC 2017 (1): Starting mlockall(): Cannot allocate memory fatal out of memory (32 bytes) What exactly is your problem? The ntpd from the net/ntp port runs fine. It logs a harmless error "mlockall(): Cannot allocate memory", but this doesn't affect its operation. The exact problem is that the service doesn't start... I have disabled the ntpd from base in rc.conf then execute the rc.d script and no service?? - just the error above. The service is added in rc.conf.local as such: xntpd=YES xntpd_flags="" so it should just kick in as expected but it doesn't :-(
Re: xntp mlockall issue patched yet?
On 07/07/2017 10:11 PM, Allan Streib wrote: Kaya Saman writes: I'm running current (6.1 GENERIC.MP#99 amd64) and keep getting this message when trying to start ntp from @ports: ntpd 4.2.8p10@1.3728-o Fri Jun 2 02:18:56 UTC 2017 (1): Starting mlockall(): Cannot allocate memory fatal out of memory (32 bytes) Why not use ntpd(8), provided in the base install? Allan Yes, that would be fine however, I am running some scripts which need the output of the ntpq command which is part of xntp.
Using queueing on asynchronous interface
Hi,
I'm trying to setup packet queueing on a WAN interface with 80Mb/s
downstream bandwidth and 20Mb/s upstream bandwidth.
The first point of call of course is the PF manual:
https://man.openbsd.org/pf.conf.5
Then had a look to see what others had issues with and solutions suggested:
http://openbsd-archive.7691.n7.nabble.com/Debugging-queues-on-pf-td290829.html
http://misc.openbsd.narkive.com/lWIShFZi/per-vlan-traffic-control
My goal is to use a different queue for up/down were I can change the
max bandwidth accordingly.
So far I created a default queue outbound on the ext_if which works fine:
queue rootq_out on $ext_if bandwidth 20M
queue mail_out parent rootq_out bandwidth 2M min 1M max 20M
queue http_out parent rootq_out bandwidth 2M min 1M max 20M
queue voice_out parent rootq_out bandwidth 10M min 2M max 20M
queue dns_out parent rootq_out bandwidth 1M min 512K max 20M
queue else_out parent rootq_out bandwidth 5M max 20M default
match out on $ext_if proto tcp from to any port { 80, 443 } set
queue http_out set prio 5
match out on $ext_if proto tcp from to any port { 25, 465, 587,
993 } set queue mail_out set prio 4
match out on $ext_if proto udp from to any port 5060 set queue
voice_out set prio 7
queue rootq_out on $ext_if bandwidth 20M
queue mail_out parent rootq_out bandwidth 2M min 1M max 20M
queue http_out parent rootq_out bandwidth 2M min 1M max 20M
queue voice_out parent rootq_out bandwidth 10M min 2M max 20M
queue dns_out parent rootq_out bandwidth 1M min 512K max 20M
I have a block of IPv4 addresses hence the IP1 and IP2.
But for the downstream I am struggling to get the inbound packets to add
to the appropriate queue.
I created a list of vlan interfaces called q_if though in one of the
links above Stuart Henderson doesn't advise it but the vlans are bound
to an lacp trunk with a group of physical interfaces
queue rootq_in on $q_if bandwidth 80M
queue mail_in parent rootq_in bandwidth 10M min 1M max 80M
queue http_in parent rootq_in bandwidth 10M min 1M max 80M
queue else_in parent rootq_in bandwidth 5M max 80M default
So then tying those to the interface I used:
match out on $q_if proto tcp from any port { 80, 443 } to any set queue
http_in set prio 5 received-on pppoe0
match out on $q_if proto tcp from any port { 25, 465, 587, 993 } to any
set queue mail_in set prio 5 received-on pppoe0
I probably am approaching this in the wrong way as the state-table as
pointed out by Stuart to check, only shows packets travelling outbound
towards the public net and not back again.
So basically how would one assign queueing to this type of interface?
There is NAT involved which is why I added the "received-on pppoe0"
option but even with it off it doesn't function meaning that I am
confused and doing something wrong :-(
Regards,
Kaya
Re: Using queueing on asynchronous interface
Many thanks Stuart! On 07/26/2017 11:37 AM, Stuart Henderson wrote: On 2017-07-25, Kaya Saman wrote: My goal is to use a different queue for up/down were I can change the max bandwidth accordingly. Queuing is done outbound, your "in" queues actually need to be on the outbound interfaces. The trick is that "queue foo on em0" and "queue foo on em1" are separate queues but traffic assignment is done using the "foo" part. Don't try to split traffic between _in and _out queues. The queue is stored with the PF state; the PF state covers traffic in both directions. So you just want "somequeue", not "somequeue_in" and "somequeue_out", and get rid of the received-on. I have revised my queueing statements as you suggested and will definitely look further into adjusting them via your input. I created a list of vlan interfaces called q_if though in one of the links above Stuart Henderson doesn't advise it but the vlans are bound to an lacp trunk with a group of physical interfaces Generally I prefer simple failover for trunk, then this would be easy (a separate queue on each physical interface - the interfaces don't need to interact with each other, only one is used at a time). If you must have load-balancing you could play with queueing on the trunk interface rather than the physical ones, though I haven't tried this. It's not really load-balancing that is needed but rather a solution to allow for extra throughput-bandwidth when needed. I find the trunk does go up to and over 2Gbps at times. I'm finding that I don't really need much in the way of "downstream" queueing though. It might be needed in special cases but using mikeb's shiny new fq-codel code in -current, one single queue definition on the upstream interface is keeping traffic flowing nicely. queue hfsq-em1 on em1 flows 1024 bandwidth $BW_ZEN max $BW_ZEN quantum 400 qlimit 1000 default Fantastic! I will take a look at flows, quantum and qlimit and try to understand how these options affect the traffic. (I am also throttling wifi per-user. OpenBSD's queueing isn't geared up for that - with v4 you can sort-of do it with loads of separate per-IP queues but it's horribly ugly, and no good at all for v6 - so I'm doing that in the APs instead.) Yeah... wifi is one of those connection types that can be a pain to get to function well. I'm going to have to revise my 802.11 setup at some point to go from "Standalone" AP's to a controller based solution for device handover etc... Best Regards, Kaya
Re: Using queueing on asynchronous interface
[snip] I'm finding that I don't really need much in the way of "downstream" queueing though. It might be needed in special cases but using mikeb's shiny new fq-codel code in -current, one single queue definition on the upstream interface is keeping traffic flowing nicely. queue hfsq-em1 on em1 flows 1024 bandwidth $BW_ZEN max $BW_ZEN quantum 400 qlimit 1000 default Is fq_codel already implemented in -current yet? I just grabbed the latest snapshot but can't find the files in the sys/net directory?? https://github.com/openbsd/src/tree/master/sys/net Kaya
Re: Using queueing on asynchronous interface
On 07/27/2017 05:30 PM, Stuart Henderson wrote: On 2017-07-26, Kaya Saman wrote: [snip] I'm finding that I don't really need much in the way of "downstream" queueing though. It might be needed in special cases but using mikeb's shiny new fq-codel code in -current, one single queue definition on the upstream interface is keeping traffic flowing nicely. queue hfsq-em1 on em1 flows 1024 bandwidth $BW_ZEN max $BW_ZEN quantum 400 qlimit 1000 default Is fq_codel already implemented in -current yet? Yes. I just grabbed the latest snapshot but can't find the files in the sys/net directory?? https://github.com/openbsd/src/tree/master/sys/net https://github.com/openbsd/src/commits/master/sys/net/fq_codel.c (and other files). Sorry if I wasn't clear... I was trying to say that I don't have those files: fq_codel.c fq_codel.h in my sys/net directory: # ls |sort CVS bpf.c bpf.h bpf_filter.c bpfdesc.h bridgestp.c bsd-comp.c ethertypes.h hfsc.c hfsc.h if.c if.h if_aoe.c if_aoe.h if_arp.h if_bridge.c if_bridge.h if_dl.h if_enc.c if_enc.h if_ethersubr.c if_gif.c if_gif.h if_gre.c if_gre.h if_llc.h if_loop.c if_media.c if_media.h if_mpe.c if_pflog.c if_pflog.h if_pflow.c if_pflow.h if_pfsync.c if_pfsync.h if_ppp.c if_ppp.h if_pppoe.c if_pppoe.h if_pppvar.h if_pppx.c if_sl.c if_slvar.h if_sppp.h if_spppsubr.c if_trunk.c if_trunk.h if_tun.c if_tun.h if_types.h if_var.h if_vether.c if_vlan.c if_vlan_var.h if_vxlan.c if_vxlan.h netisr.c netisr.h pf.c pf_if.c pf_ioctl.c pf_lb.c pf_norm.c pf_osfp.c pf_ruleset.c pf_table.c pfkey.c pfkeyv2.c pfkeyv2.h pfkeyv2_convert.c pfkeyv2_parsemessage.c pfvar.h pipex.c pipex.h pipex_local.h ppp-comp.h ppp-deflate.c ppp_defs.h ppp_tty.c radix.c radix.h radix_mpath.c radix_mpath.h raw_cb.c raw_cb.h raw_usrreq.c route.c route.h rtsock.c slcompress.c slcompress.h slip.h trunklacp.c trunklacp.h which is odd - maybe I updated from a mirror which hadn't been sync'ed yet with the latest. Just checked the "snapshots" directory and looks like it got updated today so will try again now :-) Thanks again Stuart for all your help! Regards, Kaya
Dansguardian port
Hi, I've got the Dansguardian port installed and it still seems to be part of the packages list too. https://ftp.openbsd.org/pub/OpenBSD/6.1/packa ges/amd64/ However, I think that the actual software isn't maintained anymore as it's original home: http://dansguardian.org/ has vanished. There is however, a content filter replacement which is based on DG called called e2guardian. http://e2guardian.org/cms/index.php https://github.com/e2guardian/e2guardian I have tried to compile all the versions for testing purposes and seems that v3.4 and v3.5 do compile though when doing a ./configure one has to set the CC value as /usr/local/bin/x86_64-unknown-openbsd6.1-gcc- 4.9.4 and CXX value to /usr/local/bin/x86_64-unknown-openbsd6.1-eg++ as it requires gcc version 4.7 or later to build. I was unable to get the v4.x line to build however, so I may need to ask on github for some assistance on that one; but I'm not sure who is maintaining the DG port, if they would consider switching to e2g?? Currently testing with e2g as it does run unlike the current DG port as I think the libraries that it was built with are probably too old now. I'm hoping it should work as a sort of 'inplace' replacement but able to do more - hopefully?! Regards, Kaya
Re: New laptop recommendations
I couldn't say for the compatibility with OpenBSD though I have read other people running on them, but how about Lenovo?? I've got an X220 which I run a Linux distro on which I'm really happy with though the i7 CPU does seem to overheat for some reason, though I seem to have this issue with all laptops I've gone through?? Must be me :-S - only system that never overheated was my old PowerBook G3 Firewire running Mac OS 9 I might be remembering wrong but I'm sure I've seen people on the list running OBSD on X-series Lenovo's so it might be worth a shot unless anyone else has better suggestions :-) Regards, Kaya On 06/19/18 11:37, Rupert Gallagher wrote: I'm done with my 10 years old 1200EUR MacBookPro. It served me well, every day, but is now falling apart, finally. I would buy a new one if only Steve Jobs would be alive and keeping Apple inspired. The new models are meticulously designed to make you suffer: expensive, slow cpu, soldered ram, soldered disk, small disk, bad keyboard keys, wifi only, must pay extra for standard connectors. I have 1500EUR for a new laptop. What would you buy with it?
Re: Running your own mail server
I agree here! Basically you would need a few components: MTA / MDA / MUA https://en.wikipedia.org/wiki/Message_transfer_agent One way to do it would be something like: Postfix / Courier IMAP / Then bolt something like SquirrelMail on top for web UI client There are many ways to achieve the same goal as in you don't have to use Postfix you could go for Sendmail or any other However for you it might be a better option to go with Linux as @Jay suggested and then whack something like Scalix or Zimbra on top.. http://www.scalix.com/en/ https://www.zimbra.com/ That way you have a fully managed mail system right out of the box with granular control of what users can and can't do. Regards, Kaya On 9/8/18 4:32 PM, Jay Hart wrote: Ken, I've run my own email server for 15 years now I think. I stick with Linux for email server, OpenBSD for routing/firewall. I personally find this is the best of both worlds... Just my 35 cents... Jay Just curious how many of you use openbsd to run your own personal email server? Do you find it a hassle to manage in any way? I know openbsd is perfectly fine for a mail server, don't get me wrong the question is more about is it worth it to do yourself. Specifically I will probably be doing it through a guest on vultr. Back story my family all has email addresses through the domain I have. Which basically will forward to a gmail account. The kids accounts don't really forward anywhere, they are place holders I guess. But they are getting old enough to use their own accounts for things and not just through the school which sets them up with google accounts to use through their chromebook. So my wife really doesn't like the idea of setting them loose on their own email accounts, and I don't necessarily disagree with her, but I disagree on the way to do it. In a gmail point of view all I can think of is shared passwords for for the kids. I don't like that because first of all they could change it, second of all monitoring their email means literally reading their email. My wife and I have different views on privacy as well. I was thinking I could run my own email server to give them accounts there, and at the same time instead of reading their email be able to more specifically block certain senders, but also to scan the email for troubling words. In my mind that is things like suicide, kill, etc. So I guess the end question, is for protecting the email of minors is running my own email server, when I have never done it before on any OS, worth it over some other solution. And yes I am very open to other suggestions for a solution, even if it is something I have to pay for, to avoid sharing passwords or grotesque privacy infringement of literally reading all their emails. Welcome to differences of opinion as well. Thank you. Ken
Re: Running your own mail server
On 9/8/18 6:01 PM, Chris Bennett wrote: [snip] IMHO, I would skip using partially insecure OS's like Linux. These are your kids! Of course security at the OS level is important but also a lot of work must be done around in the infrastructure area too for security... running a good IDS for example: OpenBSD with Snort totally rocks in this area going through a web proxy... again OpenBSD with Squid and Clamd. Additionally perhaps a VPN to whatever mail solution the OP chooses if 'in house' like OpenVPN running on an OBSD gateway for example then lock down the mail system to just have port 25 open inbound in PF maybe even with queueing enabled. Encryption of the storage medium can also be suggested so wherever the maildir store is located the FS becomes encrypted as added layer of security. There's a lot one can do even just by sticking to a few OpenBSD based boxes but it really is a matter of locking things down as opposed to doing something silly even OpenBSD will become insecure if port 22 (ssh) is opened up with root account available and password something easily guessed like 'root' or 'admin'. It's not really a short topic that has one specific answer but I will state that OpenBSD for router/gateways and servers is an excellent solution as unlike other OS's is not resource intensive and overall pretty secure right out of the box. --K
Re: Running your own mail server
On 9/9/18 5:42 PM, Ken M wrote: On Sun, Sep 09, 2018 at 11:24:38AM -0500, Ed Ahlsen-Girard wrote: While you should not take technical advice on mail servers from me, I've raised two kids to adulthood with a 17 year old to go, and had almost 200 foster children. The impedance mismatch you have with the missus is more important than the mail. Yeah, I know, and maybe I am exaggerating it in this discourse. Her words are, "they can have all the privacy they want when they are 18" and I don't feel that is a completely practical stand point. And in fact her own experience should tell her that might not be the best approach. I think what I want is something that I could monitor if need be, but would rather not. I am starting to lean more towards either paying for email service or paying for something that is a stronger parental control for all of their devices. My bigger concern is the link jacking porn sites can do. I recall once in the 90's mistyping msnbc.com at work and the carnage from a site called cafe flesh that came out. Ken Maybe your ISP has option for "Parental Control"?? I know these days it is a big concern so many do offer this type of service Just a thought?? --K
Re: Running your own mail server
On 9/9/18 5:54 PM, Ken M wrote: On Sun, Sep 09, 2018 at 05:49:31PM +0100, Stuart Henderson wrote: In a nutshell, monitoring email is concentrating on what is really likely to be one of the less problematic areas. The others, which IMO are MUCH more likely to be involved if any problems do occur, are less amenable to this sort of treatment. (For my children, 12-16, email is pretty much a last resort if other methods aren't available, I think that's pretty common nowadays). It's funny how things change per generation in tech. Even though I have a smart phone if I really have to compose a message I want a keyboard. And for communication I so prefer email because it can truly work on all connected devices where chat, and texts and other apps I am more at the mercy of an app or proprietary api, meanwhile with email I sync my mutt config and I have the terminal and vi style interface to work with that can be the same everywhere. I am now the fuddy duddy... Ken Lol... :-) Perhaps showing the kids a DEC VT100 style terminal might get their attention (though in good way or bad??) as through serial port text based mail will work great on those; Mutt or Alpine etc... Though this is completely off-topic now! ;-)
Re: Running your own mail server
Oh is it dead?? It used to be THE thing mind you it was the turn of the century that we are talking about! looks like I'm a little out of date lol Personally I haven't played around with Mail Web clients for a while; yeah there is Roundcube or Horde which was quite cool when I ran it in the day. Like many others have said IMAPssl is the way to go, though I wouldn't expose it to the web. Use a nice VPN system instead. Either a dedicated machine running OpenVPN as an example or a second hand Cisco ASA or any other enterprise equivalent firewall/VPN concentrator that you can pick up for cheap. Even OpenBSD has L2TP vpn built in which works well with Android clients. Regards, Kaya On 9/18/18 11:18 PM, Duncan Guthrie wrote: Hi, Please do not recommend SquirrelMail. It is unmaintained. Its last release was 5 years ago. User interfaces like Roundcube and Rainloop work well enough and still are actively maintained. I do not know how well those other ones you listed work. Alternatively, direct your users to some clear and well-written instructions that would allow them to configure a mail client of their choice. Best wishes, Duncan On 09/08/18 16:39, Kaya Saman wrote: I agree here! Basically you would need a few components: MTA / MDA / MUA https://en.wikipedia.org/wiki/Message_transfer_agent One way to do it would be something like: Postfix / Courier IMAP / Then bolt something like SquirrelMail on top for web UI client There are many ways to achieve the same goal as in you don't have to use Postfix you could go for Sendmail or any other However for you it might be a better option to go with Linux as @Jay suggested and then whack something like Scalix or Zimbra on top.. http://www.scalix.com/en/ https://www.zimbra.com/ That way you have a fully managed mail system right out of the box with granular control of what users can and can't do. Regards, Kaya
Routing stops after ipsec/gre tunnel activates
Hi, I've got an issue where something strange is happening with the routing table after establishing an ipsec connection it's quite hard to describe but what happens is that the tunnel establishes then routing goes down completely. The netstat -r command when run on the router just hangs and doesn't complete (show any routes). What I'm doing is this: start isakmp: isakmpd -Kv run ipsecctl: ipsecctl -f /etc/ipsec.conf my gre0 interface is setup like so: hostname.gre0 -> netmask 0x up tunnel inside ipsec.conf I have: ike esp transport \ from 0.0.0.0/0 to 0.0.0.0/0 peer main auth hmac-md5 enc \ 3des group modp1536 quick auth hmac-md5 enc 3des psk "mykey" (I need to have the 0.0.0.0/0 address in the "to" and "from" field otherwise the connection doesn't establish with the other end - non OpenBSD box) I can see the connection fine using ipsecctl -sa and icmp packets are able traverse the tunnel, but routing completely goes down?? I'm not sure what else I can provide in terms of information as the messages log doesn't show anything useful outside of "phase 1 done" followed by "quick mode done"; the system version is CURRENT: 6.4 GENERIC.MP#290 amd64 Any assistance would be appreciated. Kaya
Re: Routing stops after ipsec/gre tunnel activates
On 10/1/18 4:12 PM, Janne Johansson wrote: Den mån 1 okt. 2018 kl 16:56 skrev Kaya Saman <mailto:kayasa...@gmail.com>>: Hi, I've got an issue where something strange is happening with the routing table after establishing an ipsec connection it's quite hard to describe but what happens is that the tunnel establishes then routing goes down completely. The netstat -r command when run on the router just hangs and doesn't complete (show any routes). Perhaps you can't reach your resolver, try running "netstat -rn" to prevent netstat from trying to resolve all ips and networks it lists. -- May the most significant bit of your life be positive. The resolver is local. However, the issue is deeper as inter-subnet communications go down and these are ipv4 -> ipv4 If I kill the isakmpd process then communication resumes, as in all layer3+ services start functioning again: icmp, nfs, ssh etc
Re: Routing stops after ipsec/gre tunnel activates
On 10/1/18 4:36 PM, Claudio Jeker wrote: On Mon, Oct 01, 2018 at 04:16:48PM +0100, Kaya Saman wrote: On 10/1/18 4:12 PM, Janne Johansson wrote: Den mån 1 okt. 2018 kl 16:56 skrev Kaya Saman mailto:kayasa...@gmail.com>>: Hi, I've got an issue where something strange is happening with the routing table after establishing an ipsec connection it's quite hard to describe but what happens is that the tunnel establishes then routing goes down completely. The netstat -r command when run on the router just hangs and doesn't complete (show any routes). Perhaps you can't reach your resolver, try running "netstat -rn" to prevent netstat from trying to resolve all ips and networks it lists. -- May the most significant bit of your life be positive. The resolver is local. However, the issue is deeper as inter-subnet communications go down and these are ipv4 -> ipv4 If I kill the isakmpd process then communication resumes, as in all layer3+ services start functioning again: icmp, nfs, ssh etc Since your policy is from 0.0.0.0/0 to 0.0.0.0/0 all traffic will end up in the ipsec tunnel. I doubt this is what you want. IPsec flows steal the traffic before routing happens. I think you need to refine your policy also check with tcpdump what happens on enc0, etc. pp. I had a hunch that was the case!! So I will try to make the other end work now without the "default route" style policy.
Re: Routing stops after ipsec/gre tunnel activates
On 10/1/18 4:36 PM, Claudio Jeker wrote:
On Mon, Oct 01, 2018 at 04:16:48PM +0100, Kaya Saman wrote:
On 10/1/18 4:12 PM, Janne Johansson wrote:
Den mån 1 okt. 2018 kl 16:56 skrev Kaya Saman mailto:kayasa...@gmail.com>>:
Hi,
I've got an issue where something strange is happening with the
routing
table after establishing an ipsec connection it's quite hard to
describe but what happens is that the tunnel establishes then routing
goes down completely. The netstat -r command when run on the
router just
hangs and doesn't complete (show any routes).
Perhaps you can't reach your resolver, try running "netstat -rn" to
prevent netstat
from trying to resolve all ips and networks it lists.
--
May the most significant bit of your life be positive.
The resolver is local. However, the issue is deeper as inter-subnet
communications go down and these are ipv4 -> ipv4
If I kill the isakmpd process then communication resumes, as in all layer3+
services start functioning again: icmp, nfs, ssh etc
Since your policy is from 0.0.0.0/0 to 0.0.0.0/0 all traffic will end up
in the ipsec tunnel. I doubt this is what you want. IPsec flows steal the
traffic before routing happens. I think you need to refine your policy
also check with tcpdump what happens on enc0, etc. pp.
I changed the policy to this:
ike esp transport \
from IP_local to IP_remote main auth hmac-md5 enc \
3des group modp1536 quick auth hmac-md5 enc 3des group none
lifetime 3600 psk "mykey"
Now phase 1 establishes fine but there seems to be an issue negotiating
phase 2 I have exactly the same thing configured on the other end:
"auth hmac-md5 enc 3des"
When I look at the debug output from the remote box, it uses a "byte
lifetime" attribute in phase 2 when connecting to machines of the same
make - Cisco. Additionally there seems to be some sort of 'proxy'
connection too: 0.0.0.0 to remote / remote to 0.0.0.0
That would probably explain why the "from 0.0.0.0/0 to 0.0.0.0/0" worked
but nothing else does
On the OpenBSD side in the logs I get this:
isakmpd[93469]: responder_recv_HASH_SA_NONCE: peer proposed invalid
phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0
isakmpd[93469]: dropped message from port 500 due to
notification type INVALID_ID_INFORMATION
I have gone through the ipsec.conf man page thoroughly but can't seem to
find any type of setting that would allow for this.
Doing something like:
from 0.0.0.0/0 to 0.0.0.0/0 local {IP} peer {IP} doesn't work either; or
putting the '0.0.0.0/0.0.0.0' field into the srcid and dstid doesn't
work either.
Checking back years ago, I managed to make it work with the global
0.0.0.0/0 from/to setting but it looks like things have changed since
then maybe?
Perhaps it simply isn't possible to get the two devices to establish
phase 2 due to incompatibility?
Re: With all this CPU/hardware mess, any advice on what to use for an organization?
On 11/20/18 8:11 PM, Chris Bennett wrote: On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote: On 11/20/18 11:43, Chris Bennett wrote: Unfortunately, if you have performance requirements, your choices are AMD and Intel. Older Intel and AMD chips aren't getting any support to deal with these problems, so your choices are incredibly old chips which are probably not in the most reliable hardware, and a whole bunch of other old, unreliable, and slow hardware platforms. But be realistic. Your bosses will probably mandate a VM on someone else's hw, a wordpress website, one box for everything, and that you give him the root password which he'll e-mail to himself to keep it "secure". Your most likely breach points will be an easily guessed password (usually, a manager's), a bug in a web content management system, or someone believing that "secure e-mail" is a thing. In other words, Same Old Shit. It probably won't be breached by a Spectre or Meltdown-like attack. But it MIGHT be. Obsessing about them is generally missing the real day-to-day risks. Does no one at all use OpenBSD for anything but making money or looking cool? Does no one at all do any kind of work for charity? Is there some virus going around that makes everyone so hostile? Why assume that I have some idiotic boss that wants to fuck things up? Did it ever occur to you that I might be doing this work for free? Did it ever occur to you that the organization might be doing major disaster relief from all of the recent hurricanes devastating the Southern US. That they might be helping to protect first responders doing wellness checks on homes? That they might be stopping homes and businesses from being looted? That the primary members of the organization are law enforcement, paramedics and veterans? But hey, if I can't fill up my bank account, I guess the usage of OpenBSD is discouraged. I don't think the response was assumed as such. It just is that there are so many issues with corporate politics and higher ups thinking they know things that gives OpenSource software a bad rep! Even once people didn't understand what OpenSource was and asked me what I did while 'working at OpenSource' lol As to different H/W yes there are still some different systems around... like IBM PowerPC P-series based systems, Oracle SPARC, I think HP's own UX capable machines are dead now; though my info could be several years out of date as I haven't dealt with this type of system in a long time. Agreed that Cloud is a lot of corporate hype in many aspects as to lower expenditure. Will you be building just the mail server or the whole infrastructure?? Virtually what you want to do is a good firewall protecting everything. OpenBSD excels at security so definitely recommended. As to mail server, I really think you need to research the different components first that make up the system. Firstly for power reasons what type of usage do you estimate? Will you be needing a separate external mail gateway? Does your ISP offer Reverse DNS? After that the best thing to do would be to setup a small lab with a test machine and try different setups out. Like say using Sendmail, Postfix etc for SMTP. Many people here have different opinions and takes on this but really it is up to you to decide what you like best and also what you need it to do - you can only find that out by testing out different things. Then how your users will connect... IMAP, POP, HTTP?? In todays day and age IMAP is the preferred protocol but there of course are others - please do not ever mention M$ Exchange as it should be obliterated! Once you understand the core components necessary then you will start to formulate specific questions of how/why is (x) needed etc... then answers can be more specific too but for now read a lot and test out different things to see which one fits you best :-) Regards, Kaya
Re: Networking/pf question, I am not sure ?
On 5/10/20 2:04 PM, Tom Smyth wrote: Hello Clarence, you would need to provide some more information about your setup, ip addresses on interfaces , what is your pf.conf etc... In your experia ( I believe they are android) you can download the hurricane electric network tools (HE network tools) (a free app to run rudimentary network diagnostic commands, such as ping traceroute dns lookup tests to identify the problem associated with your connection when using openBSD.. that would help you diagnose the source of the connectivity problems you are having... Hope this helps Tom Smyth On Sun, 10 May 2020 at 13:09, man Chan wrote: Hello, I recently setup a home network as followings (Just for fun): ISP <> openbsd router (version 6.6 Stable) <---> gigabits switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless) everything works except that I can't use my sony xperia tablet to access internet using the wireless function provide by the linksys-ea8300. When I replace the openbsd-router and switch with another wireless router, I can use my sony xperia to access the internet. Does any one try this before ? If yes, please let me to know how you do it. Thanks. Clarence I totally agree with the suggestion by @Tom above! Another good tool for Android is 'fing', it will give you access to Traceroute and Ping functions on your Xperia. The first thing to try would be to see if the Xperia can communicate with the gateway (OpenBSD router) then if that is successful public IP addresses. If something strange is going on you can further run Traceroute to narrow down where the issue is occurring. On the OpenBSD side, it could be a number of things like PF rules, routing, NAT but without further information it is basically a guess as to what it could be. Regards, Kaya
Re: Networking/pf question, I am not sure ?
On 5/10/20 2:12 PM, Kaya Saman wrote: On 5/10/20 2:04 PM, Tom Smyth wrote: Hello Clarence, you would need to provide some more information about your setup, ip addresses on interfaces , what is your pf.conf etc... In your experia ( I believe they are android) you can download the hurricane electric network tools (HE network tools) (a free app to run rudimentary network diagnostic commands, such as ping traceroute dns lookup tests to identify the problem associated with your connection when using openBSD.. that would help you diagnose the source of the connectivity problems you are having... Hope this helps Tom Smyth On Sun, 10 May 2020 at 13:09, man Chan wrote: Hello, I recently setup a home network as followings (Just for fun): ISP <> openbsd router (version 6.6 Stable) <---> gigabits switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless) everything works except that I can't use my sony xperia tablet to access internet using the wireless function provide by the linksys-ea8300. When I replace the openbsd-router and switch with another wireless router, I can use my sony xperia to access the internet. Does any one try this before ? If yes, please let me to know how you do it. Thanks. Clarence I totally agree with the suggestion by @Tom above! Another good tool for Android is 'fing', it will give you access to Traceroute and Ping functions on your Xperia. The first thing to try would be to see if the Xperia can communicate with the gateway (OpenBSD router) then if that is successful public IP addresses. If something strange is going on you can further run Traceroute to narrow down where the issue is occurring. On the OpenBSD side, it could be a number of things like PF rules, routing, NAT but without further information it is basically a guess as to what it could be. Just to elaborate here a little; you can run the 'tcpdump' program on OpenBSD to give you more information. To get started: man tcpdump If you want to see where the packets from the Xperia are traveling then something like: tcpdump -eni (inside_interface) host (ip_of_Xperia) For debugging PF rules a good start is to use: tcpdump -eni pflog0 <- you can further narrow things down by using the 'action' option eg. 'block' / 'allow' Hope this helps a little more :-)
npppd docs for tun change to pppac
Hi, I just updated my system from 6.6 (old current) to 6.7 (current) which went through fine. I realized that the npppd setup I had stopped working. Something that threw me off in the man pages was the lingering reference to the old tun interface which has since been reworked to pppac. man npppd: SEE ALSO gre(4), pipex(4), pppx(4), tun(4), npppd.conf(5), npppctl(8), sysctl(8) Of course the actual code has been changed based on the mail threads here: openbsd-archive.7691.n7.nabble.com/move-PIPEX-from-tun-4-into-pppac-4-a-dedicated-PPP-access-concentrator-td382139.html https://bsdsec.net/articles/openbsd-6-7-released-may-19-2020 I guess the tun(4) reference needs to be removed? Currently the pppac manual command is an alias to pppx(4) so I'm not entirely sure if pppac(4) needs to be added in place of tun(4) or a dedicated manual page specifically for pppac needs to be written (as it would kind of duplicate the existing pppx(4)), or just a simple removal of tun as it has been already done with npppd.conf(5)?? Regards, Kaya
Re: Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?
Hi, I totally understand the position you're in and sympathize. I've never heard of Cisco routers being able to run OpenBSD though IOS is based on BSD as far as I'm aware. Not a direct solution to your use case but you could always run a small mini-itx or SBC system behind the Cisco router. You could put it as a firewall solution and have the OBSD box doing all the major routing, vlans, firewall (pf) etc... while the Cisco could just simply forward information between the private and public IP ranges. Or if using dial-in then you can bridge the OBSD and Cisco then use OBSD as the PPPoE device It is one suggestion in any case though it might not be the most ideal. Regards, Kaya On Tue, Jun 23, 2020 at 5:03 PM Daniel Ouellet wrote: > > Hi, > > This might be a bit weird question, but I saw the wireguard being put in > the kernel in the last few days and I am very existed abut it oppose to > use the package on it and even today there was more on it. > > Many thanks for this!!! > > I also know there was effort and some Cisco router can run OpenBSD very > well, however I have no clue as to any of this stand now. > > I don't have a problem to use APU type or other Ubiquit for small > OpenBSD router, but I wonder about using Cisco instead. The only reason > is for may be more stability, most likely less performance for sure, but > less change to have corrupted reboot on power lost, etc. > > And sadly for some customers having what they see as computer as router > don't make them fell good, but seeing a Cisco box kind of wipe out the > impression. I am not saying it's justify, but perception is sometime > everything, but if I have my say in it I want all my routers to be > OpenBSD as much as I can where the needs is not to multiple Gb in speed. > > So, any suggestion or updates as to what's now available and hopefully > in use now. > > I really don't care for any special model, or even Juniper, as long as I > can put OpenBSD on it. > > So any feedback as to where it's stand now and what's usable in a > reliable way would be greatly appreciated. > > And yes I know I may well get better performance in some cases with a > small APU device then a Cisco one, but that's for what we all know may > not be logical to be used, but for sadly how some clients may fell, not > knowing any better. > > I guess you can see that as some people do security by obstruction, but > we al know it's not more secure, this is routing by obstruction I guess > and may be less performant, but achieve comfort obstruction confidence. > > I just have no clue if wireguard needs to be run, what can be achieve as > the CPU in all Cisco device is always under power, we all know that. > > This may not go anywhere, however I liked to look even if for nothing > else then just being fun to do if that can't even be usable. > > Many thanks for your time and feedback. > > Daniel > > PS; And yes, that's most likely stupid I know. Sometime what's used is > not always what make sense for other reason that are stupid. >
Re: Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?
Actually you reminded me about the Cisco Voice appliances which are basically PC servers. If I recall correctly they ran a Linux kernel too. Unfortunately I never got to play around with the capabilities of one but you might have some luck with something like that. Of course it wouldn't be running Call Manager ;-) - hang on... my memory is slowly coming back (it's been over 10 years lol), CCM used to also be available as a VM which could be run on VMware. Maybe the dedicated appliance would be a good choice of hardware to run OpenBSD on? The ASA appliances may also be x86 based which could make them a candidate but with large price tags for new ones I'm not sure if anyone has tried doing anything crazy with them. A quick google for the Unified Communication System came up with this: https://www.google.com/search?q=cisco+call+manager+server&sxsrf=ALeKk03xeYq4NLgIyiUGtaNmoUnR3iaXnQ:1592950661912&source=lnms&tbm=isch&sa=X&ved=2ahUKEwi_7OPS-5jqAhUpTxUIHRbnCOkQ_AUoAXoECA0QAw&biw=1918&bih=955#imgrc=yRjG43cRTHU1nM You might be really lucky with one of those devices! Hopefully someone with more experience will chime in and confirm. Regards, Kaya On 2020-06-23 23:03, Daniel Ouellet wrote: OpenBSD does run on some old Cisco routers, it's been done before. Sure it's not officially supported nor does it support all the various interfaces but it's known to work on some. I am trying to dig up a dmesg showing it too. Plus Cisco have some firewall type of device that are over price PC that can run OpenBSD. Here is an example using the4 old Cisco IDS-4215 https://komlositech.wordpress.com/2018/12/30/revive-a-cisco-ids-into-a-capable-openbsd-firewall/ I was just curious as to what stage it might be now. I am not saying it make sense to do really power wise for sure. May be Juniper instead as Juniper is based on FreeBSD anyway and it's an over price PC with specialize network cards. (; Ok more then that, but you get the picture I think. I was just curious as to what it may be running on these days? Could be Cisco routers, Cisco IDS, Cisco firewall, unless I am mistaken they also have servers or used too anyway, and why not Juniper gear? In short any box that appear to be Cisco or Juniper but that have something different under the hood. And yes, this is stupid if you look only at what you get compare to other better choices. I am not doing it for best performance, but for fell comfortable. Call it marketing bullshit, because that's exactly what it is! (; Daniel On 6/23/20 12:37 PM, Kaya Saman wrote: Hi, I totally understand the position you're in and sympathize. I've never heard of Cisco routers being able to run OpenBSD though IOS is based on BSD as far as I'm aware. Not a direct solution to your use case but you could always run a small mini-itx or SBC system behind the Cisco router. You could put it as a firewall solution and have the OBSD box doing all the major routing, vlans, firewall (pf) etc... while the Cisco could just simply forward information between the private and public IP ranges. Or if using dial-in then you can bridge the OBSD and Cisco then use OBSD as the PPPoE device It is one suggestion in any case though it might not be the most ideal. Regards, Kaya On Tue, Jun 23, 2020 at 5:03 PM Daniel Ouellet wrote: Hi, This might be a bit weird question, but I saw the wireguard being put in the kernel in the last few days and I am very existed abut it oppose to use the package on it and even today there was more on it. Many thanks for this!!! I also know there was effort and some Cisco router can run OpenBSD very well, however I have no clue as to any of this stand now. I don't have a problem to use APU type or other Ubiquit for small OpenBSD router, but I wonder about using Cisco instead. The only reason is for may be more stability, most likely less performance for sure, but less change to have corrupted reboot on power lost, etc. And sadly for some customers having what they see as computer as router don't make them fell good, but seeing a Cisco box kind of wipe out the impression. I am not saying it's justify, but perception is sometime everything, but if I have my say in it I want all my routers to be OpenBSD as much as I can where the needs is not to multiple Gb in speed. So, any suggestion or updates as to what's now available and hopefully in use now. I really don't care for any special model, or even Juniper, as long as I can put OpenBSD on it. So any feedback as to where it's stand now and what's usable in a reliable way would be greatly appreciated. And yes I know I may well get better performance in some cases with a small APU device then a Cisco one, but that's for what we all know may not be logical to be used, but for sadly how some clients may fell, not knowing any better. I guess you can see that as some peo
Re: Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?
On 6/24/20 11:58 AM, Stuart Henderson wrote: On 2020-06-23, Daniel Ouellet wrote: Have a look through https://www.supermicro.com/en/products/embedded/servers / https://www.supermicro.com/en/products/embedded/rackmount and you'll find quite a few things that give the perception "solid custom network device" rather than either "repurposed server" or "cisco junk, well past it's sell-by date, <$100 on ebay" - things like these https://www.supermicro.com/en/products/system/1U/1019/SYS-1019D-FRN8TP.cfm https://www.supermicro.com/en/products/system/1U/5019/SYS-5019D-4C-FN8TP.cfm (some equipment from other vendors will fit the bill too, but supermicro is a lot easier to buy from than portwell etc). I agree totally here with Stuart! In the past I have built a router using a SuperMicro 4U chassis with Xeon E5 cpu. https://www.supermicro.com/en/products/chassis/4U/842/SC842TQC-668B Originally OpenBSD didn't support the RAID controller so I used the root backup cron dd script. Everything else was fine however, and it's performance has been incredible with the only downtime being during maintenance periods -> transitioning to new version of 'Current'. Consequently it is tied to a Cisco router :-) That is really only to bridge the VDSL2 line to Ethernet - https://tools.ietf.org/html/rfc1483 Another option depending on availability could be Jetway - http://www.jetwayipc.com/product-category/emb-board-en/embedded-x86-en/mini-itx-en/ https://www.jetwaycomputer.com/ Example (yes they do look like vendor based network equipment and not rack mount servers): https://www.jetwaycomputer.com/1U-Rackmount-Barebones.html One common place for their availability is the Mini-ITX store: https://www.mini-itx.com/store/category?type=motherboard&jetway=1&maxram=4GB-or-more&lan-ports=from-1&storage-ports=from-1&sortby=price&page=1 I don't have experience with them in general but if OpenBSD works well on them they could become a really big game changer. Regards, Kaya
Re: pfstat not generating graphs after upgrading to -current
On 02/15/2018 06:39 AM, Glenn Faustino wrote: On Thu, Feb 15, 2018 at 1:48 PM, Sebastien Marie wrote: On Thu, Feb 15, 2018 at 12:29:23AM +, Stuart Henderson wrote: On 2018-02-14, Glenn Faustino wrote: Hi, Did you upgrade your packages after upgrading to -current? Can you share your /etc/pfstat.conf? Every time I upgrade to -current I also update packages. Try forcing pfstat to update (pkg_delete and pkg_add maybe, if that doesn't help then build it yourself from ports). If that helps then let me know because we need to figure out what change necessitated this and track down which ports need REVISION bumps to force updates.. I had a similar problem with pftop (pftop-0.7p16). $ doas pftop pftop: DIOCGETSTATUS: Permission denied After forcing a reinstall (pkg_delete + pkg_add) it works again. From my /var/log/messages, the previous reinstall (done using pkg_ad -u) was from Jan 20: $ grep pftop /var/log/messages Dec 30 10:10:58 alf pkg_add: Added pftop-0.7p16->0.7p16 Jan 20 11:20:49 alf pkg_add: Added pftop-0.7p16->0.7p16 Feb 15 06:40:54 alf pkg_delete: Removed pftop-0.7p16 Feb 15 06:41:03 alf pkg_add: Added pftop-0.7p16 Thanks. -- Sebastien Marie After deleting and installing pfstat it now works, thanks guys! Feb 15 14:26:37 OpenBSD pkg_delete: Removed pfstat-2.5p1 Feb 15 14:27:02 OpenBSD pkg_add: Added pfstat-2.5p1 $ doas pfstat -q -d /var/db/pfstat.db $ Regards, Glenn Hi, I'm experiencing the exact same issues for both pfstat and pftop however, running pkg_delete / pkg_add doesn't seem to work for me as a fix :-( pfstat -q -p ioctl: DIOCGETSTATUS: Permission denied pf_query: query_counters() failed pftop: DIOCGETSTATUS: Permission denied uname -a : 6.2 GENERIC.MP#408 amd64 <- also CURRENT updated a few days ago Regards, Kaya
pfstat and queueing
Hi, does queueing still function with pfstat? As far as I'm aware it still uses the old altq method which has long been abandoned. It would be great if pfstat would graph queues again but the config example in: /usr/local/share/examples/pfstat/pfstat.conf still has the old altq style? Whenever I try to run it, the output is "queueing not supported". As I'm on -current the last os update broke it as referenced in the @list previously so will wait on the fix before testing again. Regards, Kaya
Re: pfstat and queueing
On 02/15/2018 12:13 PM, Stuart Henderson wrote: On 2018-02-15, Kaya Saman wrote: does queueing still function with pfstat? As far as I'm aware it still uses the old altq method which has long been abandoned. you're correct, pfstat hasn't been updated to follow changes in PF for a long time. the only change in pfstat since 2007 has been adding the -f flag to copy/clean the database. Thanks Stuart for the confirmation. Hmm looks like this might be a feature request to Daniel then. or someone who's working on pfstat :-) Regards, Kaya
Re: pfstat and queueing
On 02/15/2018 01:34 PM, Stuart Henderson wrote: On 2018/02/15 13:27, Kaya Saman wrote: On 02/15/2018 12:13 PM, Stuart Henderson wrote: On 2018-02-15, Kaya Saman wrote: does queueing still function with pfstat? As far as I'm aware it still uses the old altq method which has long been abandoned. you're correct, pfstat hasn't been updated to follow changes in PF for a long time. the only change in pfstat since 2007 has been adding the -f flag to copy/clean the database. Thanks Stuart for the confirmation. Hmm looks like this might be a feature request to Daniel then. or someone who's working on pfstat :-) Nobody is visibly working on pfstat. If anyone did want to work on queue monitoring I'd encourage them to look at adding to snmpd instead (it will need a custom MIB). There are plenty of things that can monitor SNMP stats, and as it's in base, there are no real worries about ABI getting out of sync. Interesting! I think I agree with SNMP. It would be great if pf could be monitored through net-snmp or the built in snmp. To be able to see what PF is doing in something like Observium, Zabbix, Cacti or any other SNMP based monitoring software would be a really nice asset. Regards, Kaya
Re: pfstat not generating graphs after upgrading to -current
On 02/15/18 07:48, Glenn Faustino wrote:
After deleting and installing pfstat it now works, thanks guys!
Feb 15 14:26:37 OpenBSD pkg_delete: Removed pfstat-2.5p1
Feb 15 14:27:02 OpenBSD pkg_add: Added pfstat-2.5p1
$ doas pfstat -q -d /var/db/pfstat.db
$
Regards,
Glenn
Hi,
I'm experiencing the exact same issues for both pfstat and pftop however,
running pkg_delete / pkg_add doesn't seem to work for me as a fix :-(
pfstat -q -p
ioctl: DIOCGETSTATUS: Permission denied
pf_query: query_counters() failed
pftop: DIOCGETSTATUS: Permission denied
uname -a : 6.2 GENERIC.MP#408 amd64 <- also CURRENT updated a few days ago
Regards,
Kaya
Mine is OpenBSD 6.2-current (GENERIC) #6: Tue Feb 13 20:12:04 MST 2018
Can you try installing the latest snapshot?
Regards,
Glenn
Hi Glenn,
just updated now and ran pkg_delete / pkg_install again for pftop /
pfstat but unfortunately they still come up with the same error.
Probably because I have a few tunnel interfaces and pppoe interfaces ??
{wild guess}
Also it seems that at boot pf doesn't seem to read or like my pf.conf.
After the system has booted I can manually get pf to read the file using
pfctl -f /etc/pf.conf but it should be automatic.
Regards,
Kaya
Re: Bandwidth Queuing on Asymmetrical Connections?
Hi Jordan,
I ask this a while back too and many thanks to Stuart Henderson who
might chime in? Basically the queuing is done on the outbound interface.
So when you make your rules if you have 15Mbs upstream bandwidth then
that is where you do the queuing. See the OBSD and PF manual for how to
set queues up in PF. You can then monitor them through 'systat q' or
'pfctl -sq'.
Something like eg. pass out quick on $ext_if proto tcp from
{WAN_ADDRESS} to any port 80 modulate state set queue http_out set prio 4
Regards,
Kaya
On 02/17/18 20:30, Jordan Geoghegan wrote:
Hi folks, I was wondering how one goes about maintaining separate
upload and download queues in pf. I have been playing with various
combinations and I can't seem to get both queues to apply simultaneously.
For example, I have a 150 down 15 up connection. I want to limit a
specific device on the network to 100 down and 10 up. I can't for the
life of me figure out how to make this apply. I either end up setting
a 10 megabit limit or 100. How do the pf gurus manage their
asymmetrical connections?
NIC Port L2 Switching capability
Hi, I'm wondering if it's possible to get OpenBSD to make the NIC ports act like a layer 2 switch? I made a quick test in VirtualBox (unfortunately I don't have any bare bones systems free to test with) and tried the following: create two systems, one called router , the other called client create vlans: vlan1, vlan2, vlan3 create trunk interfaces on 3x virtual NIC's: trunk0 (em0), trunk1 (em1), trunk2 (em2) I then added the vlans to trunk0 by setting the vlandev to trunk0 in the hostname.if files. Of course a basic router-on-a-stick method like the above works fine but if I wanted the 3 vlans to also be on the trunk1 interface in a similar way to provisioning an L2 switch how would I go about it? I attempted to bridge trunk0 and trunk1. The result I got was that dhcp worked and the client was able to get an IPv4 address, I also had multicast traffic working when dynamically sending the client routes through OpenOSPF, as in I could see OSPFv2-hello and OSPFv2-dd packets being sent to 224.0.0.5 . What didn't work was ICMP packets were not being seen on the router systems NIC when I tried to use the ping command and in addition the OSPF routes would not propagate either. If I changed the virtual configuration back to trunk0 then everything worked as expected. It may just be a limitation of Vbox? In the meantime I have been looking at the docs: https://www.openbsd.org/papers/bsdcan2016-switchd.pdf https://man.openbsd.org/switch for the switch interface but is this really what I need here? Has anyone tried and succeeded with this kind of config? My main reason for wanting to use something like this is that I want to add a 10GbE NIC and switch into my production router platform while still keeping the same setup going to the 1GbE switch which is running in a 4-port LACP trunk. Of course an alternate would be to link the 1GbE switch to the 10GbE switch and do things that way, but the above would be more practical from a cabling sense. Has anyone got any ideas? Thanks a lot! Kaya
Re: NIC Port L2 Switching capability
Thanks a lot Tom for your response. Perhaps I wasn't quite clear in what I am trying to achieve? When I say trunk, I meant from a switch perspective as in a 802.1Q trunk port on a switch. I think I got mixed up with the OpenBSD terminology since it is slightly different: TRUNK(4) Device Drivers Manual TRUNK(4) NAME trunk - link aggregation and link failover interface Of course different vendors call this differently and would be more like EtherChannel in Cisco terminology. So now I just need to find out how the switch interface works in OpenBSD and see if I can get it working with 802.1q tagging and the rest of the L2 networking protocols. Regards, Kaya On 1/25/21 10:51 PM, Tom Smyth wrote: Hi Kaya you need to create a bridge interface and add the interfaces you want to switch packets between into the bridge, man bridge man switch man ifconfig will give you the information you need, trunk is a bonding / team / fail over interface and not for switching because you are using a virtualisation platform you need to be wary of hypervisor / virtualisation network stack Security features / hacks / shortcuts some hypervisors filter traffic comming from a vm which has a different source mac to the mac assigned to the vm network card by the hyper-visor and somehypervispors will only switch traffic to a vm if the destination mac is the same as the mac of the virtual machine network card all the best On Mon, 25 Jan 2021 at 22:06, Kaya Saman <mailto:kayasa...@gmail.com>> wrote: Hi, I'm wondering if it's possible to get OpenBSD to make the NIC ports act like a layer 2 switch? I made a quick test in VirtualBox (unfortunately I don't have any bare bones systems free to test with) and tried the following: create two systems, one called router , the other called client create vlans: vlan1, vlan2, vlan3 create trunk interfaces on 3x virtual NIC's: trunk0 (em0), trunk1 (em1), trunk2 (em2) I then added the vlans to trunk0 by setting the vlandev to trunk0 in the hostname.if files. Of course a basic router-on-a-stick method like the above works fine but if I wanted the 3 vlans to also be on the trunk1 interface in a similar way to provisioning an L2 switch how would I go about it? I attempted to bridge trunk0 and trunk1. The result I got was that dhcp worked and the client was able to get an IPv4 address, I also had multicast traffic working when dynamically sending the client routes through OpenOSPF, as in I could see OSPFv2-hello and OSPFv2-dd packets being sent to 224.0.0.5 . What didn't work was ICMP packets were not being seen on the router systems NIC when I tried to use the ping command and in addition the OSPF routes would not propagate either. If I changed the virtual configuration back to trunk0 then everything worked as expected. It may just be a limitation of Vbox? In the meantime I have been looking at the docs: https://www.openbsd.org/papers/bsdcan2016-switchd.pdf <https://www.openbsd.org/papers/bsdcan2016-switchd.pdf> https://man.openbsd.org/switch <https://man.openbsd.org/switch> for the switch interface but is this really what I need here? Has anyone tried and succeeded with this kind of config? My main reason for wanting to use something like this is that I want to add a 10GbE NIC and switch into my production router platform while still keeping the same setup going to the 1GbE switch which is running in a 4-port LACP trunk. Of course an alternate would be to link the 1GbE switch to the 10GbE switch and do things that way, but the above would be more practical from a cabling sense. Has anyone got any ideas? Thanks a lot! Kaya -- Kindest regards, Tom Smyth.
Re: NIC Port L2 Switching capability
Thanks Stuart! On 1/26/21 11:36 AM, Stuart Henderson wrote: On 2021-01-25, Kaya Saman wrote: Thanks a lot Tom for your response. Perhaps I wasn't quite clear in what I am trying to achieve? When I say trunk, I meant from a switch perspective as in a 802.1Q trunk port on a switch. I think I got mixed up with the OpenBSD terminology since it is slightly different: yes. So now I just need to find out how the switch interface works in OpenBSD and see if I can get it working with 802.1q tagging and the rest of the L2 networking protocols. You do not want the "switch" interface type. "bridge" is the one you need for what you're asking to do, but... I figured this one out in my VM setup which was basically that I needed to activate 'promiscuous mode' on the NIC's. Afterwards, bridging the Trunks worked fine. I haven't tested anything other then basic connectivity yet though so I do not know how the setup will behave. Of course an alternate would be to link the 1GbE switch to the 10GbE switch and do things that way, but the above would be more practical from a cabling sense. ...that alternative is the real answer. Using bridge for this will be a mess (you haven't mentioned PF yet but configuring that will be a pain) and won't perform particularly well. With bridge, I *think* you will want to bridge the vlan interfaces together, not the trunk interfaces. Hmm. this is the exact area that I'm trying to explore currently. Currently what I have in place is this: Router (4 port lacp trunk - multiple vlans , no bridging , PF rules for vlans and NAT ) -> <- Switch1 (lacp trunk to router) -> Switch1 (lacp trunk to Switch2) Switch1 (lacp trunk to Switch3) Switch1 (lacp trunk to Switch4) Switch2 (lacp trunk to Switch5) So basically Switch1 is being used as an aggregation switch to link to multiple other switches. If I changed things around by adding a new higher performance (10GbE) switch above Switch1 then I would need to re-cable and change my main trunk interface over from using the 1GbE NICs to 10GbE NICs. Outside of this nothing much else would need to change as PF would stay the same. However, if I created a new 2 port lacp trunk using the 10GbE interfaces then bridged the new trunk with the existing trunk will that mean that all the sub-interfaces will be bridged additionally? For example if data is sent on vlan1 then will all the vlans see this? I will verify this in my VM setup additionally but I'm curious as to how PF would be affected by this? It would be really nice if there was a mechanism to just do something like which is perfectly fine on a switch then have PF working as normal on top: switchport g0/1 trunk lagg-group 1 switchport g0/2 trunk lagg-group 2 But of course in OpenBSD vlans are bound to an interface which makes the configuration a little different. Regards, Kaya
Possible to handle fiber WAN connection with OpenBSD using PCIe card?
Hi everyone, it's been a long time since I've posted here and in the meantime I have just upgraded from 7.0-current to 7.3-beta through sysupgrade which is amazing! Thanks so much for all the hard work and effort put in to the tool!! Unfortunately I haven't been well for a long time hence the delay in upgrade and at first found it a little difficult but the way forward after a bit of reading around was to go to 7.1-release then 7.2 and finally jump back to Current which I believe is called Beta now? (unless I missed something or am confusing) I'm about to jump onto the full fiber band wagon with my WAN connection and was wondering what advice or recommendations I could get for the hardware in this. Unfortunately right now I'm a little panicked because my (new) ISP will provide me with either a Huwei or Nokia device which seem to be very basic in functionality and don't seem to support RFC 1483 bridging which I'm using currently for my VDSL2 connection. I've read the manual for the Nokia which I was suggested that they "thought" would be able to do what I want it to do, but it doesn't seem possible. I found the manual here: https://www.manualslib.com/manual/2084440/Nokia-7368-Intelligent-Services-Access-Manager-Ont.html Model: Nokia G-2425G-B Currently I am using transparent bridging between a Cisco 887VA VDSL2 router/modem and my OpenBSD installation which I let OBSD take care of everything from Layer3 and above using the kernel PPP module and PF. I'm wondering if anyone knows if one can get a PCIe card... possibly Intel chipset will be best that can take an SFP or SFP+ module to accommodate what I assume currently is an SC/APC LR connection which I can feed directly to OpenBSD? - again I'm just basing this according to the manual as I don't have any fiber experience at all. As the OpenBSD machine in question runs SuperMicro hardware I will have a look on their website as well as they do have their own brand of cards which might be more easily obtainable then any other type..?? The ISP has not given me any information on connection type or even settings yet so I'm still quite in the dark with this and I'm still trying to get a hold of someone who actually can provide that information. Right now I'm basing what I have read in the Nokia models manual. Like with *DSL if such a system doesn't exist for PC hardware then it might be possible to look at getting something like a Cisco 11xx series with the correct SFP module and again just bridging as I'm doing now. Right now I just want to run it by here in case someone has experience with this type of setup and can suggest a better or alternative method to achieve what I'm trying to do. For me right now what's a little frustrating is that I don't know if they are using PPP dialup style connection or simply DHCP on their end. It also doesn't seem to be written down anywhere either like it used to be done with ADSL/VDSL providers. As a side note the unfortunate part is my current ISP is ceasing operations on their business services, and there are only a handful of ISP's left servicing my area. It seems like the trend has shifted towards mobile and wireless technologies with LTE being really popular :-( Many thanks, Kaya
Re: Possible to handle fiber WAN connection with OpenBSD using PCIe card?
Just responding to this for completeness as I have some more information on my side On 3/24/23 07:21, Stuart Henderson wrote: On 2023-03-23, Kaya Saman wrote: Unfortunately I haven't been well for a long time hence the delay in upgrade and at first found it a little difficult but the way forward after a bit of reading around was to go to 7.1-release then 7.2 and finally jump back to Current which I believe is called Beta now? (unless I missed something or am confusing) The main release cycle is -current, -beta, , -current - this hasn't changed. (The "no suffix" includes a few snapshots prior to an actual finished release, and that's the stage we are at right now). Ah ok I see, I also understand what has happened in the meantime... no problem. I'll see if I really need to upgrade to current again as right now Beta seems to be doing everything I need Unfortunately right now I'm a little panicked because my (new) ISP will provide me with either a Huwei or Nokia device which seem to be very basic in functionality and don't seem to support RFC 1483 bridging which I'm using currently for my VDSL2 connection. I've read the manual for the Nokia which I was suggested that they "thought" would be able to do what I want it to do, but it doesn't seem possible. IIRC you're UK based aren't you? Which ISP? If the ISP is using Openreach's FTTP you will need to use their ONT which will act as a bridge, then you use your own or an ISP-provided router connected over ethernet. Typically it's PPPoE though the backhaul supports plain ethernet and some ISPs (notably Sky) use it, normally with DHCP. The ONT is not user-configurable and you have to use it. Non-Openreach-based vary. If you're lucky you might get pppoe out of the ONT and be able to connect your own router (likely with at least some of the ISPs selling CityFibre-based lines). Some others are often much more locked down - if you're lucky you might get to put their kit in bridge mode, if not you might be behind a NAT router and can't do anything about it. (Some don't even let you make changes to even things as simple as wifi SSID yourself and you need to get them to do it for you). I haven't seen any that will let you connect to the incoming fibre directly. I'm wondering if anyone knows if one can get a PCIe card... possibly Intel chipset will be best that can take an SFP or SFP+ module to accommodate what I assume currently is an SC/APC LR connection which I can feed directly to OpenBSD? - again I'm just basing this according to the manual as I don't have any fiber experience at all. You can get various cards that will take SFP/SFP+. You can get GPON SFPs. But you can't enrol a custom router in the provider's provisioning system that sets up crypto keys etc (GPON is a shared medium; other subscribers will get the same light carrying your connection and encryption is used so they can't see your packets). As far as your connection is concerned the demarc is pretty much always the ethernet port on either the provider's ONT or their supplied router. Just got off a lengthy phone call with Tier2 tech support at G-Net, which was a lot of fun!! It's so rare to talk in technical terms with someone and have them understand you. Apparently their take is that everything up to and including 1Gb/s must be handled by their own ONT... which is in fact a transparent RFC 1483 network bridge. The only difference comes for 10Gb/s customers which get a dedicated Cisco WAN switch with SFP+ module. I'm not sure if they service speeds up to 100Gb/s but I can only imagine high throughput data centers (especially those with high bit rate streaming services) will need them. In terms of connection to their network: it is not handled by PPPoE or even DHCP. DHCP is used for dynamically allocated customers such as those on residential packages only, so no static IP reservation system in place. I am told no credentials either Currently there is a little confusion in how to setup the block of IP addresses as I have had to upgrade to a block of 16. Right now my connection gets a single IPv4 address through ipcp with the rest of the IP addresses being handled in PF through NAT/PAT mappings. I have forgotten how it is handled but I am willing to bet that my current ISP is forwarding those addresses in static routes?? I am wondering if it will be similar except for the gateway IP address which will need to be provisioned on the WAN facing ethernet interface along with default 0 dot quaded route, or if I'm going to have to create sub interfaces for the rest of the provisioned IP addresses?? I am told that out of the 16 addresses I loose 3 - network, broadcast, gateway , so I should have 13 addresses to play around with. I guess I'll have to figure things out on Monday once the installation is complete. You could say right now I'm excited but nervous at the same time :-S Kaya
Re: Possible to handle fiber WAN connection with OpenBSD using PCIe card?
On 3/25/23 09:33, Stuart Henderson wrote:
On 2023-03-24, Kaya Saman wrote:
Just responding to this for completeness as I have some more information
on my side
On 3/24/23 07:21, Stuart Henderson wrote:
On 2023-03-23, Kaya Saman wrote:
Unfortunately I haven't been well for a long time hence the delay in
upgrade and at first found it a little difficult but the way forward
after a bit of reading around was to go to 7.1-release then 7.2 and
finally jump back to Current which I believe is called Beta now? (unless
I missed something or am confusing)
The main release cycle is -current, -beta, , -current - this
hasn't changed. (The "no suffix" includes a few snapshots prior to an
actual finished release, and that's the stage we are at right now).
Ah ok I see, I also understand what has happened in the meantime... no
problem. I'll see if I really need to upgrade to current again as right
now Beta seems to be doing everything I need
I suggest waiting until the actual 7.3 release and install that
(sysupgrade -r) n order that you can install errata patches.
It will be simpler if you do _not_ upgrade to a newer snapshot first -
sysupgrade can't go from a snapshot labelled "7.3" (as they are now)
to the actual release without modifying it.
Great advice, will wait in this case.
Just got off a lengthy phone call with Tier2 tech support at G-Net,
which was a lot of fun!! It's so rare to talk in technical terms with
someone and have them understand you.
That's a good sign.
It's amazing how well this company is willing to deal with what they
consider "vulnerable" people, as I explained about my condition: ASD
(Autism/Asperger's Spectral Disorder - if after all these years you
hadn't guessed already :-) ), and basically they do training to cater
for people with ADD, ADHD, ASD etc
Currently there is a little confusion in how to setup the block of IP
addresses as I have had to upgrade to a block of 16. Right now my
connection gets a single IPv4 address through ipcp with the rest of the
IP addresses being handled in PF through NAT/PAT mappings. I have
forgotten how it is handled but I am willing to bet that my current ISP
is forwarding those addresses in static routes??
I am wondering if it will be similar except for the gateway IP address
which will need to be provisioned on the WAN facing ethernet interface
along with default 0 dot quaded route, or if I'm going to have to create
sub interfaces for the rest of the provisioned IP addresses?? I am told
that out of the 16 addresses I loose 3 - network, broadcast, gateway ,
so I should have 13 addresses to play around with.
Typically you have pppoe pick up its own address - see examples in
pppoe(4) for this and setting the default route - and configure an
address from the /28 on another network interface on the router.
Exactly how things are done currently as I'm using pppoe - interface
hostname.pppoe0:
inet 0.0.0.0 255.255.255.255 NONE mtu 1492 \
pppoedev em5 authproto chap \
authname '*' authkey '' \
up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
Then the rest of the IP's are handled like so:
match out on $ext_if from { IP or Macro } to any nat-to { IP or Macro }
for outbound.
So if ipcp gets (imaginary) ip address of 1.1.1.1, I can fit the next
one in the block into the PF "match" rule so it becomes:
match out on $ext_if from { 10.10.10.100 } to any nat-to { 1.1.1.2 }
If you will be addressing other machines directly from that /28 (easier)
that would be a physical interface or vlan connected to those machines.
If you're doing that via NAT/rdr-to then you might want to use a vether
interface with one address configured as /28 and the others as /32
aliases.
Not directly addressing. I will use "rdr-to" PF rules. Basically I want
to keep my current configuration as much the same as possible but just
adjust enough to handle the new connection.
I think right now what was said is that I don't get a subnet mask (if I
understood correctly) so I will need to provision each IP address
with a /32 or 255.255.255.255, even though they will be providing the
network and broadcast addresses.
Had a flick through vether as you suggested... currently I'm unsure to
be honest. Do I need it? As I'm not using that currently for my current
6x IP block...
To be honest my mindset right now is pointing towards the Cisco
sub-interface way of doing things so I'm probably reading and confusing
a lot :-(
I guess it will be needed judging by the description:
DESCRIPTION
The vether interface simulates a normal Ethernet interface by
encapsulating standard network frames with an Ethernet header,
specifically for use as a member in a bridge(4).
To use vether the administrator needs to configure an addres
Static default route for a subnet
Hi again, so my shiny new fiber has been installed yesterday and currently I can ping the gateway IP address but not much more. It was interesting as they gave me this whole subnet and told me I get a gateway address. What they should have said to eliminate my confusion was that there is a gateway address within the subnet that they have to provision on their end that would have stopped me from trying to provision the vlan that I'm using with an IP address used by them :-S uh - the problem here was wording and terminology used that threw me off. It seems to happen too much currently either it's my medical condition or perhaps they could just create a page on their web portal to show with a diagram the general setup uh :-( Now here again I'm confusing like hell and it's frustrating :-( On my WAN vlan for what I am going to call ISP-B, as ISP-A is existing for a long time. What I'm trying to do right now is set this as a default gateway for a particular subnet. As I have already got many mappings with ISP-A, I don't want to break those just yet and migrate them across then have them not work. I tried searching around for it and found a similar yet I think different situation on the mailing lists: https://misc.openbsd.narkive.com/lCGUlP2Q/two-default-route I think the above was more to do with using 2x default routes in a multipath setup rather then simply trying to get one particular subnet to use another ISP specifically. Currently I have provisioned the vlan like so and created these routes on the interface: inet A.A.A.2 255.255.255.240 A.A.A.15 vlan VLAN_ID vlandev trunk0 description "G-NET VLAN" dest 0.0.0.1 !/sbin/route add -mpath A.A.A.0/28 A.A.A.1 !/sbin/route add -mpath x.x.x.1/24 A.A.A.1 Note... that I'm calling my ISP-B subnet: A.A.A.A and my local subnet: x.x.x.x Unfortunately, the above "route add" mappings don't seem to work. Adding this route map does allow me to ping the ISP-B gateway address of A.A.A.1: route add x.x.x.6 A.A.A.1 Do I actually need the 'gateway of last resort' set for this internal subnet and if so where do I provision it? If I provision it system wide then everything will try to go over this way which is not what I want yet I'm pretty sure that what I've hit is a routing problem and not much more, it's just a matter of trying to sort out the confusion about provisioning the system correctly. Also one last note: I'm not using the /etc/mygate at all it was my understanding that when building a router you didn't need it and certainly for now I have never needed it with the VSDL2 link from ISP-A. In the meantime I'm going to try reading the man pages again to see if I can figure anything out ;-) Many thanks. Kaya
Re: Static default route for a subnet
Thanks Stuart!
On 3/28/23 16:19, Stuart Henderson wrote:
On 2023-03-28, Kaya Saman wrote:
On my WAN vlan for what I am going to call ISP-B, as ISP-A is existing
for a long time. What I'm trying to do right now is set this as a
default gateway for a particular subnet.
There's no such thing as "default gateway for a subnet".
One way to do what you want is with PF "route-to" rules applying only
to packets with a source address in the subnet of interest (and likewise
for "reply-to" to handle incoming connections, maybe in conjunction with
rdr-to). This is a little messier config, but if the old setup will be
going away after not too long, it might be easier to handle.
Another way is to use multiple route tables (put the relevant interfaces
in a different rdomain, e.g. "rdomain 2" in the hostname.if files), and
use "-T 2" when adding routes relating to that), this is cleaner/simpler
in some ways, though it can also be more tricky if you're running any
services on the router itself (you may need to run a second instance
bound to the second rdomain).
My mind has Cisco Route-Map pre-programmed in I think :-(
I am looking at rdomains now, which might be the solution.
In addition to the OpenBSD FAQ and MAN pages I found this website too:
https://unfriendlygrinch.info/posts/openbsd-routing-tables-and-routing-domains/
of course taking it with a pinch of salt as the content hosted on
openbsd.org is the correct one ;-)
Also going through this:
https://www.openbsd.org/papers/bsdcan2015-rdomains.pdf - I know an old
paper and probably much has changed in the meantime.
Anyway, what I am trying to figure out is how to NAT the rdomain's?
At the moment from what I understand one has to put "rtable (n)" at the
end of the NAT rule... checking with pfctl -ss |grep x.x.x.x does not
show any NAT translations unfortunately.
The rule in use is this one:
match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2
I'm a little bit stuck here. I even tried replacing the $gnet_if with
"rdomain 2" but that didn't seem to work either.
Guess I've got more reading to do
https://misc.openbsd.narkive.com/lCGUlP2Q/two-default-route
I think the above was more to do with using 2x default routes in a
multipath setup rather then simply trying to get one particular subnet
to use another ISP specifically.
multipath is not what you're looking for here
Also one last note: I'm not using the /etc/mygate at all it was my
understanding that when building a router you didn't need it and
certainly for now I have never needed it with the VSDL2 link from ISP-A.
that's ok, your default route is over pppoe which you can't do via /etc/mygate.
Re: Static default route for a subnet
On 3/28/23 17:27, Stuart Henderson wrote:
On 2023-03-28, Kaya Saman wrote:
Anyway, what I am trying to figure out is how to NAT the rdomain's?
At the moment from what I understand one has to put "rtable (n)" at the
end of the NAT rule...
That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
interface and $gnet_if) have been configured with "rdomain 2" then the
route lookups will automatically use rtable 2 and you don't need to
reset it in pf.
I think I can confirm this. Certainly I don't see any difference between
putting the 'rtable' clause at the end of the 'match' statement
The rule in use is this one:
match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2
If $vpn_net1 is the network associated with the g-networks connection
then that, without the 'rtable 2', should probably do it, as long as
those packets have not already been natted to a different address
before they hit that rule.
For debug you might like "match log(matches)" at the top of the ruleset
and watch "tcpdump -neipflog0" to show which rules are actually matching
(you get multiple lines of output per new connection as the ruleset
is traversed; the rule numbers shown in the output can be looked up
with pfctl -sr -R ##).
It is definitely possible to do what you want with OpenBSD/PF, it's
"just" a question of figuring out how ;)
Stu you were there many years ago when I turned this same box into a
point-of-presence server and used it in conjunction with a DSLAM and
RADIUS backend. I'm sure you've forgotten as you help many people and
have many better things to do *but* your last sentence should be
turned into doctrine :-)
Of course though I plowed through things and managed to get the setup
done, I wasn't aware of my ASD at the time. So that means that we didn't
know or understand that when tuning into FM signals my brain also picks
up iHeart radio hahaha uh
Somehow I'm going in reverse order here lol I added the
'match(log)' entry and it is really helping a lot!!
So far I can definitely hit the NAT. The weird thing is unlike my pppoe0
interface I need to define ACL's (aka PF rules) to be able to access the
NAT in the first place. Right now I'll probably have to re-order the
rules to make the 'match' NAT rule come towards the bottom. Large PF
subsets can become very complicated very quickly and when you've defined
many lines in your fw then things can get a little messy right now
I'm at around ~1000 give or take :-S
Just in case this will help another reader, the current temporary
ruleset I have defined looks like this:
pass out on $gnet_if from $wan_gnet
pass in quick on $vpn_if1
match out on $gnet_if from $vpn_net1 nat-to ($gnet_if)
I'm still trying to figure out what is what as tcpdump is giving me a
few 'block' alarms still, judging from things I think my NAT is
translating forwards but not the other way around yet. So essentially
Internal-IP -> Public-IP -> INTERNET works but what isn't working is the
reverse. Packet responses from INTERNET -> Public-IP -> Internal-IP are
either getting blocked or not translated at all
ps. Quick Note: both interfaces need to be on rdomain 2. I tried what
you suggested to keep my internal IF in rdomain 0 but then it hits the
other NAT rules and gets blocked as the 'match' statement has been
disabled. I could try reordering but for now I just want to get the
basics setup before moving further ahead.
This is what I'm currently seeing from tcpdump:
18:28:58.627858 rule 2/(match) block out on vlan_EXT: 8.8.8.8 > x.x.x.x:
icmp: echo reply
Of course on the external if itself I'm getting:
A.A.A.2 > 8.8.8.8: icmp: x.x.x.x protocol 1 port 34560 unreachable
(again A.A.A.A is public while x.x.x.x is private)
I don't think I want to see my private IP on the external interface
cross comparing with tcpdump -eni pppoe0 , there are no private
addresses to be seen here
Re: Static default route for a subnet
On 3/28/23 17:27, Stuart Henderson wrote:
On 2023-03-28, Kaya Saman wrote:
Anyway, what I am trying to figure out is how to NAT the rdomain's?
At the moment from what I understand one has to put "rtable (n)" at the
end of the NAT rule...
That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
interface and $gnet_if) have been configured with "rdomain 2" then the
route lookups will automatically use rtable 2 and you don't need to
reset it in pf.
The rule in use is this one:
match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2
If $vpn_net1 is the network associated with the g-networks connection
then that, without the 'rtable 2', should probably do it, as long as
those packets have not already been natted to a different address
before they hit that rule.
For debug you might like "match log(matches)" at the top of the ruleset
and watch "tcpdump -neipflog0" to show which rules are actually matching
(you get multiple lines of output per new connection as the ruleset
is traversed; the rule numbers shown in the output can be looked up
with pfctl -sr -R ##).
It is definitely possible to do what you want with OpenBSD/PF, it's
"just" a question of figuring out how ;)
I'm wondering for rdomains as I'm using a vlan as my egress interface,
do I need to use an svlan for Q-in-Q?
Just going through the man 4 vlan doc: https://man.openbsd.org/vlan.4
I rejigged things a bit and created a test vlan with an old laptop as
client that I'm trying to ping one of the Goolge addresses with. Both my
WAN vlan and internal vlan are on rdomain 2 but for some reason I'm not
able to activate NAT at all despite using a modified version of one of
my already existing match ... nat-to rules
So far tcpdump is showing LAN traffic on the external vlan instead of my
public IP which indicates that my NAT rules aren't working actually
I also have pftop -vr running too which isn't showing any packets
hitting the match rule for the G-NET default route.
Unfortunately till now I have not been able to get any traffic working
properly on rdomain 2 :-( and really stuck on what and how to do about
it
Re: Static default route for a subnet
On 3/28/23 17:27, Stuart Henderson wrote:
On 2023-03-28, Kaya Saman wrote:
Anyway, what I am trying to figure out is how to NAT the rdomain's?
At the moment from what I understand one has to put "rtable (n)" at the
end of the NAT rule...
That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
interface and $gnet_if) have been configured with "rdomain 2" then the
route lookups will automatically use rtable 2 and you don't need to
reset it in pf.
The rule in use is this one:
match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2
If $vpn_net1 is the network associated with the g-networks connection
then that, without the 'rtable 2', should probably do it, as long as
those packets have not already been natted to a different address
before they hit that rule.
For debug you might like "match log(matches)" at the top of the ruleset
and watch "tcpdump -neipflog0" to show which rules are actually matching
(you get multiple lines of output per new connection as the ruleset
is traversed; the rule numbers shown in the output can be looked up
with pfctl -sr -R ##).
It is definitely possible to do what you want with OpenBSD/PF, it's
"just" a question of figuring out how ;)
Sorry for the noise just updating everyone here... I have
communication finally!! icmp echo requests are being responded to by the
8.8.8.8 address. Really super happy about this :-D
It's basically a case of a few things that I screwed up duh :-S
PF rules are these:
match on $gnet_if scrub (max-mss 1440)
pass out quick on $gnet_if from $wan_gnet
pass in quick on vlan_if from subnet to !
match out on $gnet_if from subnet to ! nat-to {$wan_gnet}
pass out on $gnet_if from subnet to any nat-to {$wan_gnet} modulate state
pass out on $gnet_if
(do I need to scrub with a max-mss? isn't that for *DSL connections?)
In the meantime I moved the interface across from a vlan over to em2
which was part of a 4 port trunk (lagg) interface provisioned with LACP.
Also I was using a broadcast address in the hostname file which was
incorrect! I was shown a sample recently where the bcast was set to NONE
but because I was given the bcast address my understanding was to use
it, well turned out to be a misunderstanding ;-)
hostname.em2 looks like this now:
inet public_ip 255.255.255.240 NONE description "G-NET"
dest 0.0.0.1
!/sbin/route -T2 add public_subnet/28 public_subnet_gateway
!/sbin/route -T2 add default public_subnet_gateway
Now I just need to figure out how to communicate with the traffic on the
default rdomain then I can start looking further ahead.
Been up all night working on this plus a radius issue, got a bad
headache now... yup I stressed a lot and panicked so now am gona go get
some rest.
Thanks to everyone for your help - you all get a big virtual hug :-) :-)
hopefully there won't be anything more now that I'm gona need - cross
fingers ;-)
Kaya
Understanding PF behavior
Hi guys, So far I have spent a week on this and I feel like I'm not progressing, now I just feel like I'm banging against a brick wall. To start with, I managed to send icmp echos over my WAN link through ISP-B within the same routing domain rdomain 2. I then started looking at inter-Rdomain communication. The only reference material I have got outside of the man pages are a few outdated websites and other material which at least have gotten me in the right direction. From here on I have two issues. The first issue is that my WAN communication for rdomain 2 broke. I haven't adjusted any rules at all so the original working ruleset is still in place. Currently what I can see is tcpdump telling me that I have icmp echo-reply packets on my test vlan for rdomain 2. I have checked pflog0 and the external IF for ISP-B using tcpdump and all seem normal too with lots of "pass" statements and of course NAT is being hit. Unfortunately the machine sending the icmp requests is claiming that there is 100% packet loss. I don't see any relevant "Block" information in tcpdump when initiating "tcpdump -enipflog0 host x.x.x.2" - where x.x.x.2 is my test machine address. What could be going on here? I have considered the fact that it maybe a rule blocking on the outbound side of the interface (local test vlan), but I tried adding a generic: pass out quick on $test_vlan rule which didn't seem to do anything at all :-( The second issue I have is to do with the routing domains. At the moment I have a ruleset which allows me to get from my test vlan to one of the internal vlans on rdomain0. I can verify with tcpdump that the pinged machine can see the icmp packets and respond to them. What I am seeing however in pflog0 is the lo0 is blocking traffic outbound. As this is the reference guide I'm following: https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/ I'm using y.y.y.y/24 subnet for the icmp destination in rd0 I created routes to the loopback addresses: route -T 0 add y.y.y/24 127.0.0.1 route -T 2 add y.y.y/24 127.0.0.1 I found that if I didn't add this rule, information to the source of the icmp echos would be routed to my egress interface on ISP-A (existing ISP): route -T 0 add x.x.x/24 127.0.0.1 Now, the unfortunate part is that I am seeing: rule 2/(match) block out on lo0: y.y.y.N > x.x.x.2 icmp: echo reply The thing I don't understand is that adding: pass out log quick on lo0 unfortunately doesn't seem to do anything?? Just to confirm that "set skip on lo" is disabled additionally. If anyone could help in suggesting ideas of what to look at because I have tried many things up till now and none have worked so I'm probably approaching the problem in the wrong way. Another quick question regarding the output of tcpdump. When it says "rule 2" which rule is it referring to and how to tell this information? In the past I recall the rule numbers given by tcpdump where the actual rule line numbers as were written in pf.conf. Now I am completely confused of what this means... If I use "pfctl -sr" to show the rules, the second rule inline is actually: "match in all scrub (no-df)" ??? Many thanks. Kaya
Fwd: Understanding PF behavior
Well... somehow I managed to get inter rdomain forwarding. I have no idea how...? I think things started to work when I changed this statement in PF: block log on rdomain 0 from "block log" Right now I can only communicate between rdomain 2 and rdomain 0. I moved my ISP-B interface onto rdomain 3 and now can't ping the public IP address either from domain 2 or domain 0 I did take a snapshot of the routing tables for each domain and of course pf.conf is unaltered but I should back it up and transfer it locally. Like I wrote previously about using 'tcpdump enipflog'... the rule numbers don't make any sense at all to me. I don't understand why I keep seeing "rule 1" for just about all traffic. - It's definitely strange?? Perhaps my pf.conf file is totally messed up as far as rules go? I am not sure. It would be really nice to see the matched evaluation numbers from: pfctl -vv -sr so something like 'rule 1183' or so Currently I am seriously thinking about just spending $$$ and buying a Cisco router with 3x interfaces to use as a multi WAN gateway, though it's probably more out of frustration then anything else. I'm sure it is possible to get working in OpenBSD as Stu has said already but not making any headway or little headway after so long is well gr lol I guess right now my goal is just to be able to ping the ISP-B interface from rdomain 2. If I can managed that I should have a better path forward. Really what I do need is a test box... something with 2x or 3x physical interfaces that won't cause my whole system to stop working by starting with a clean pf.conf file. That said I the SuperMicro uATX box I have doesn't work either :-( as it's started clicking so no idea where the fault is? M/B or PSU?? More headache :-( Too much crap on my shoulders right now also with 5x HDD failures and a 15 year old Cisco WLC system which is flaky to connect to meaning that more often then not 802.11 devices are not connected. I really wish I could just upgrade to a nice Gen6 system sigh. What a frustrating way to spend a Saturday evening but I guess it won't get any better so bla :-( Anyway will keep trying to solve this darn riddle
rdomains finally working!!
Hey guys, I can't spend too much time right now in writing up what I have done right now as I'm just about to head out of town to a local nature reserve in order to clear my head, but basically things are working!! At this stage with such limited documentation on the topic I wonder if I should do some kind of a writeup of it to share my own experiences? Hopefully later in the week and I'll pop it up on my GDrive maybe it can be turned into part of the doc or faq or an example page on the OBSD website? What I can gloss over right now is that the setup is very sensitive with minute changes having drastic effects. To be honest I don't even know how or when things started working but I checked my laptop test machine and icmp packet responses were being received properly. Running tcpdump on pflog does lie sometimes. It will often suggest "block" when in fact the problem is routing. Another issue that I came across is that the loopback addresses don't inter-route. I don't know how to make that one work at all? Taking an excerpt from the website I was following: https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/ Citing: Creating a loopback interface in rdomain 2 so that Host 1 can talk to Host 2 would look like: ifconfig lo2 rdomain 2 127.0.0.1 route -T 2 add 192.168.1/24 127.0.0.1 Since lo2 is created inside rdomain 2, the IP address assigned to it doesn't conflict with lo0 in rdomain 0. Sure I can see traffic inside one of the loopbacks and tcpdump does claim "pass out" but then nothing else happens. The other loopback interfaces have no traffic in them and the destination network has no traffic either. Over the weekend having gotten completely fedup I decided to try to use one of the rdomains as a transit system and connected my Cisco 2801 BGP/IPSec/GRE test bed to the vlan in question and attempted to use it as a simple WAN Edge gateway. At first I managed to ping the interface of the Cisco, as I set OSPF up so that I didn't need to bother with static routes. As soon as I moved the rdomain of the vlan from 0 over to 3, everything stopped working and I couldn't find a way to use OSPF within two separate routing tables. The man page does have a setting for this in the config but there is no mention if you can use 2x instances between rdomains. After that I fought with static routes and of course the strange behavior kicked in where sending icmp packets between the Cisco and OpenBSD machines just wasn't working. I really didn't understand this at all as they are Next-Hop connected devices. No specific PF rule and a default route was set to be the interface of the Cisco routers internal IP address. I ended up moving the setup back to what I had originally with 3x rdomains and again I could not communicate between rdomain 2 and rdomain 3, though I did have communication to rdomain 0 from rdomain 2. Having done some more thinking about it and looking at the Cisco setup I decided to try creating an extra vlan in rdomain 3 with the intention of using it as a transit vlan. I already had success in pinging the internal IP address of the OpenBSD machine from domain 2 to domain 3, so I figured what the heck I'll give it a try. It did work but I still couldn't ping the public address. I then moved the test machine from rdomain 2 to rdomain 3 to see if that would help with internal communication between the machine and the public IP address. Oddly enough it did work and local traffic sent to rdomain 0 was still working too.. though I was still unable to get any response from public address. This is a bit of a black hole for me because I left the system for a while and came back to find that it actually started to work?? It isn't logical of course but I can't recall if I made changes in the meantime and simply wasn't aware of anything happening. After testing a bit and confirming that in fact things were working and I was *not* sending traffic over my existing PlusNET WAN link, I proceeded to migrate my OpenVPN tunnel across. This proved to be tricky as I kept running into dreaded "tcpdump -enipflog" "block in on tun0" issues in fact that turned out to be a routing problem instead of a PF issue. Currently this is working too but with some strange adjustments to PF. The current 'pass' per port rulesets don't seem to work even with the 'rtable (x)' clause added. What does seem to work however is a generic 'pass to rtable (x)' ruleset I'll probably need to study my rules further in order to try to understand the behavior here Anyway, am gona shoot over to the Warburg Nature Reserve now and continue with my photography to hopefully share more images with the BBOWT later. Oh and of course to try to get rid of my headache too ;-) Thanks to everyone for trying to help on a subject that contains very limited documentation and examples. Like I said hopefully if I can do some
Re: rdomains finally working!!
On 4/3/23 11:25, Claudio Jeker wrote:
On Mon, Apr 03, 2023 at 10:53:26AM +0100, Kaya Saman wrote:
Hey guys,
...
Taking an excerpt from the website I was following:
https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/
Citing:
Creating a loopback interface in rdomain 2 so that Host 1 can talk to Host 2
would look like:
ifconfig lo2 rdomain 2 127.0.0.1
route -T 2 add 192.168.1/24 127.0.0.1
Since lo2 is created inside rdomain 2, the IP address assigned to it doesn't
conflict with lo0 in rdomain 0.
Sure I can see traffic inside one of the loopbacks and tcpdump does claim
"pass out" but then nothing else happens. The other loopback interfaces have
no traffic in them and the destination network has no traffic either.
This is very much expected since you probably did not carefully read the
cited website.
You need a special pf.conf setup to make that work. As one caveat
mentioned in the article is that the default pf.conf rulesets skips lo(4)
interfaces and so the traffic will just be dropped (since there is no
state lookup and so no way to bounce the reverse traffic back into the
other rdomain).
In general I would suggest use pair(4) to route traffic between rdomains.
Doing it in pf(4) gives you more control but it requires careful handling
of the rulesets (as you noticed).
Hi Claudio,
thanks for the response and advice on pair (4), I will definitely read it.
Maybe you are correct in that I didn't carefully read or perhaps I
confused things badly I have a mixture of ASD and most likely ADHD
and when the panic kicks in things become difficult including
communication and understanding.
I wish I had a spare system to test things properly and understand
better, unfortunately I am having to adapt a live production system and
with a large number of lines in the PF rule set is not easy.
The caveat you mention about skipping lo (4) I disabled (I think?) as
per changing the 'set skip' to this:
#set skip on { lo, enc0 }
set skip on { enc0 }
so the loopback should be active in PF, further down in my config I have
a clause like this too:
#Allow Internal Communications
pass in on lo0
pass out on lo0
pass in on lo2
pass out on lo2
pass in on lo3
pass out on lo3
Maybe due to my existing PF things might not work properly in anycase, I
just wish I knew more about what I was doing to really have a handle on
the situation.
I'm still eager to contribute with a write up if you are interested but
due to my "circumstances" I maybe the only one with these issues :-(
so maybe writing things up in my case maybe useless and will probably
not be understood by anyone in general.
With PF the biggest handling issue is when mixing and matching using the
'quick' keyword as things get handled differently. Both the websites I
cited do *not* contain the 'quick' keyword at all. My local pf ruleset
contains many "pass in quick" or "block in quick" statements.
I would definitely be extremely happy to hear any more suggestions if
there are any but for now I will look at studying "pair (4)".
Thank you so much for chiming in! I really appreciate it :-D
Best regards,
Kaya
dns priority from different network connections - or disabling?
Hi, I'll ask the second question first as it might be easier to implement... Currently I have found that the dns servers specified in the resolv.conf file are not being used. Instead my machine is prioritizing the ISP obtained servers from the ipcp protocol through the kernel ppp service. Within the hostname.pppoe(x) file is there a way to disable the dns portion of the negotiation? If not, then this leads to my second question of how do I override OpenBSD's behavior to explicitly not use the dns servers obtained through ipcp but instead use the ones form the resolv.conf file? I'm not sure when the behavior changed but it is a recent thing either done by an update or by adding my secondary ISP. Right now my system can't send emails because it's using the wrong dns. Thanks for any ideas. Kaya
Re: dns priority from different network connections - or disabling?
On 4/10/23 11:40, Jonathan Gray wrote: On Mon, Apr 10, 2023 at 11:26:22AM +0100, Kaya Saman wrote: Hi, I'll ask the second question first as it might be easier to implement... Currently I have found that the dns servers specified in the resolv.conf file are not being used. Instead my machine is prioritizing the ISP obtained servers from the ipcp protocol through the kernel ppp service. Within the hostname.pppoe(x) file is there a way to disable the dns portion of the negotiation? If not, then this leads to my second question of how do I override OpenBSD's behavior to explicitly not use the dns servers obtained through ipcp but instead use the ones form the resolv.conf file? in /etc/rc.conf.local resolvd_flags=NO Ok strange! This is already set and before emailing I checked that the resolvd, unbound, unwind, and even nsd services were not running using 'ps'. Just attempted to stop resolvd using: /etc/rc.d/resolvd stop (incase it was running and I missed something) , it said "OK". nslookup still shows the dns servers from ipcp and not the locally defined ones in resolv.conf I'm not sure when the behavior changed but it is a recent thing either done by an update or by adding my secondary ISP. Right now my system can't send emails because it's using the wrong dns. changed in sys/net/if_spppsubr.c rev 1.188 first release with that was OpenBSD 7.1 No no this odd behavior started recently?? I'm on: 7.3 GENERIC.MP#1125 amd64 Maybe I ran: sh /etc/netstart pppoe0 which decided to override the resolv.conf file, I really am not sure but still...
Re: dns priority from different network connections - or disabling?
On 4/10/23 16:24, Daniele B. wrote: Apr 10, 2023 12:52:22 Kaya Saman : how do I override OpenBSD's behavior to explicitly not use the dns servers obtained through ipcp but instead use the ones form the resolv.conf file? My solution both for security reasons (I'm using unbound) for for practical reasons (as per your concerns) is to set immutable resolv.conf by chflags. Not the Solution but a very good workaround. Please investigate also when you can take off the immutable flag too. I take this time to wish you all an Happy Easter and obviously lots of compliments for the 54th release of the ball fish system! Do you mean setting resolv.conf as ReadOnly? My resolv.conf file is fine and has the correct dns servers inside. The issue is that pppoe negotiates the dns servers through ipcp. The dns servers therefor do *not* get loaded into the resolv.conf file but instead show up under: ifconfig pppoe0 This somehow is overriding my resolv.conf file; another words the information is *not* being used from resolv.conf and is instead being used from the ipcp negotiation as part of the pppoe kernel module. The question is how to disable this behavior?
Re: dns priority from different network connections - or disabling?
Thanks Stu, and everyone else who responded :-)
On 4/11/23 09:01, Stuart Henderson wrote:
On 2023-04-10, Kaya Saman wrote:
On 4/10/23 16:24, Daniele B. wrote:
Apr 10, 2023 12:52:22 Kaya Saman :
how do I override OpenBSD's
behavior to explicitly not use the dns servers obtained through ipcp but
instead use the ones form the resolv.conf file?
My solution both for security reasons (I'm using unbound)
for for practical reasons (as per your concerns) is to set immutable
resolv.conf by chflags.
Not the Solution but a very good workaround. Please investigate also
when you can take off the immutable flag too.
I take this time to wish you all an Happy Easter and obviously
lots of compliments for the 54th release of the ball fish system!
Do you mean setting resolv.conf as ReadOnly?
immutable is different, see chflags(1) schg. Used to be popular with
FreeBSD users to make it harder to change the kernel. Can only be
reset if sysctl kern.securelevel is at a low level (usually by booting
single user). I wouldn't recommend it here.
Oh ok... I'll check it out - I understood file permissions?
My resolv.conf file is fine and has the correct dns servers inside.
The issue is that pppoe negotiates the dns servers through ipcp. The dns
servers therefor do *not* get loaded into the resolv.conf file but
instead show up under: ifconfig pppoe0
This somehow is overriding my resolv.conf file; another words the
information is *not* being used from resolv.conf and is instead being
used from the ipcp negotiation as part of the pppoe kernel module.
The question is how to disable this behavior?
If resolvd is running (on by default) and unwind is running (off by
default), resolv.conf will point to 127.0.0.1 for unwind (with some
commented-out entries for other learned nameservers), and unwind
will normally learn forwarders from various sources including a pppoe
connection.
If resolvd is running and unwind is not running, resolvd will rewrite
resolvd.conf while it's running to include nameservers learnt from
pppoe etc.
The only place most of the rest of the system looks for resolvers
is in resolv.conf so what you describe ("rssolv.conf is fine") seems
unlikely. Double check what's actually in resolv.conf while pppoe is
connected?
To override learned nameservers, it depends whether you want to run
unwind on the system (used for resolution on localhost only) - if so,
use unwind.conf to set specific forwarders. If not, disable resolvd.
Check resolvd and unwind manpages for more info about what each does.
Perhaps I wasn't clear and confused everyone?
In the meantime I read both manpages of resolv.conf and unwind.
As far as I can understand unwind points to a remote resolver unless
something goes wrong where it then looks for one defined locally.
In my resolv.conf I have 3x local dns servers (same subnet I know I
know) defined:
x.x.x.1
x.x.x.2
x.x.x.3
*but* my system was using:
A.A.A.1
A.A.A.2
from my ISP which it acquired through ipcp from pppoe.
Possibly this behavior started while I messed with things and performed
a: sh /etc/netstart pppoe0
Nothing got written to resolv.conf but the system was using the isp
acquired servers.
I ran a quick test of unwind and popped: x.x.x.1 into it. Nothing seemed
to have changed as the resolution was still being carried out on the isp
dns machines.
Re-checking resolv.conf it seemed that the isp entries had actually been
written there in the end? Does unwind do this?
I just simply deleted them and now the system works as before using my
locally defined systems.
Strange issue and behavior but solved for now. Just reconfirmed using
nslookup right now on the obsd box and all is fine :-D
Many thanks.
Kaya
Re: dns priority from different network connections - or disabling?
On 4/12/23 20:20, Theo de Raadt wrote: Stuart Henderson wrote: On 2023-04-11, Theo de Raadt wrote: Kaya Saman wrote: This somehow is overriding my resolv.conf file; another words the information is *not* being used from resolv.conf and is instead being used from the ipcp negotiation as part of the pppoe kernel module. then the pppoe code should submit a RTM_PROPOSAL route message ... it does. i still don't see how this information can *override* resolv.conf But I do not understand what "override" means. resolvd intentionally has NO MECHANISM to allow choice, the list of addresses is chosen by a fixed internal heuristic, INTENTIONALLY without configuration knobs. There is one knob: If one doesn't want resolvd semantics, stop the daemon. So easy. But by default, the system runs with it, because that means 99% of users get the semantics which satisfy 99% of users without having to handle a configuration file. What I don't understand from the complaint is why that ppooe dynamic address doesn't rise to the top of the file, because dynamic requests of that kind always rise to the top. Therefore they get used. So if it isn't in the file, then something else has been broken, probably by the user, right? But it is probably best to ignore this entire discussion because some piece of configuration has been done to BREAK the default behaviour, and then the user owns all the pieces. Hi Theo, I apologize if it sounded like a complaint?? It was not meant to be. honestly. Like I mentioned previously, it may have had something to do with me running: sh /etc/netstart pppoe0 a few times after the system had been booted. I was at the time trying to make use of 2 isp's and route accordingly per subnet or even ip address. It might have even been triggered by my altering of the pf.conf file... they are the only two things that I have been touching. What I meant by *override* is that the default behavior that I had set the machine up for was not being seen. The information which I have input into /etc/resolv.conf has not changed for years. I accept maybe i fiddled with things and caused unwanted behavior... it can happen. All I was trying to figure out is why the resolv.conf file was not being used and instead the information obtained through ipcp was being used for dns lookups. If I had caused it that's fine but I didn't understand what I did to have caused it and was just seeking help and advice that maybe someone might suggest things to try. But as it is, the system is back to how I want it to be so for sure please feel free to ignore the thread. There is no more problem ;-) Thanks for chiming in by the way, it is appreciated. Potentially, would it be a good idea to have setting to disable the dns or other information obtained by ipcp within the kernel ppp codeset? I just might be in the minority here so please feel free to ignore it's fine, I'm just thinking out loud Regards, Kaya
Re: hardware
On 4/20/23 17:12, Katherine Mcmillan wrote: According to ChatGPT, unfortunately, it doesn't work on plants. Me to ChatGPT: Can I run OpenBSD on my ficus? ChatGPT: No, it is not possible to run OpenBSD on a ficus plant. OpenBSD is an operating system designed to run on computer hardware, not on plants. Plants do not have the necessary hardware components or architecture to support an operating system. Additionally, attempting to install an operating system on a plant would be considered nonsensical and impossible. It is important to respect the natural world and not attempt to impose technology on living organisms that are not designed to use it. Bummer, I guess that wasn't the secret behind Audrey 2. Back to the drawing board. Plants have their own OS... it's bio chemical! Just like us though add bio electrical to the mix. To run OpenBSD on a plant you would need one hell of a recompiler to convert digital impulses into chemical ones. I agree in this case with ChatGPT... why bother? Plants are fine as they are - not touched by human hands (at least in the wild)
Re: Network appliance recomendation.
On 08/10/2013 06:01 PM, Francisco Valladolid H. wrote: > On Sat, Aug 10, 2013 at 2:51 AM, Maurice Janssen wrote: >> On 08/09/13 17:05, Francisco Valladolid H. wrote: >>> Hi folks. >>> >>> Currently I have a Wireless network serving in my town using a small >>> form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache. >>> >>> I need recommendations for a network appliance in rack mode with flash >>> storage and five rj45 ports. >>> >>> Can anyone recommended a solution for my needs ? >> >> Axiomtek NA-320R might be an alternative. Rack mount, 6 gbit ports, >> CF-storage and Atom 1.6 GHz CPU. > Thank you Maurice, excellente recomendation. > >> Maurice > > I know you say "appliance" however, how about an embedded system? Since you already run OpenBSD on a Mini-ITX system, a 1U rack chassis for Mini-ITX plus Intel based Network card should also give up to 6-7GbE ports plus SSD or other flash drive alternative.. e.g. http://www.steatite-embedded.co.uk/ as examples for chassis and systemboard. It might not be what you want since you did say "appliance" but still it is a thought :-) Regards, Kaya
Re: [OT?] I have 4 IPs. How is outbound IP selected, say run lynx URL on server?
On 11/30/18 8:31 PM, Chris Bennett wrote:
I'm just curious. Is there a default method to select on this? Random?
Can I control this somehow?
It's clear how everything else selects IP, but I just wanted to know in
case that ever mattered, say one of my IPs were blocked.
And I wanted to be sure which IP outbound is or is not used for running
something like lynx, etc.
Not terribly important, but at least interesting question for me.
Thanks,
Chris Bennett
If you say 'outbound IP' I am guessing you WAN facing public address.
There are several ways to do this
The first would be to use a NAT Pool. This would effectively pop all
your public addresses a selectable group:
eg. { 1.1.1.1 , 2.2.2.2 , 3.3.3.3 , 4.4.4.4 }
Depending on the pool configuration ie. if there was any weighting put
on for IP selection or it would simply use a round-robbin type of selection.
https://www.openbsd.org/faq/pf/nat.html
https://www.openbsd.org/faq/pf/example1.html
Another method would be to setup a static route. So in the above example
with NAT pool you could simply say something like:
IP 172.16.40.52 -> 1.1.1.1
So your PF rule would then be something like:
match out on $ext_if from 172.16.40.52 to any nat-to {1.1.1.1}
The weighted option or a load balanced option would have something like
this:
https://www.openbsd.org/faq/pf/pools.html
Regards,
Kaya
Re: setup authoritative DNS for myself with nsd + unbound
It really depends on what you want/need. If you would like to host your own DNS servers, then multi location is a good idea: Example: Master NS1 in LA and Slave NS2 in Miami. I have no idea about GoDiddy but my US based domain hosting company let's me specify my own ns servers, as their DNS hosting is a little limited for what I need. Just whack Bind9 onto both systems in master/slave setup, and away you go. DNS isn't really complicated so you should be up and running in no time. ;-) Once that's done a good online tool for checking certain parts of the domain is: https://mxtoolbox.com/ but then don't forget your local tools such as nslookup and dig!! Regards, Kaya On 1/18/19 6:38 PM, Chris Bennett wrote: I have had problems with setting up DNS for myself and I need it to be authoritative. I have my domains registered with Godaddy and they do not support for domains not hosted on their servers. I have been using their DNS without big problems, except that I'm not getting proper results with regards to email. I've got a pretty bad problem with spam. I now have two servers, each with a different company. Will that then solve the problems with PTR, DKIM and DMARC? I also particularly hate the web GUI that Godaddy uses and it's SOA record is much too long timewise. Should I set it up with just one of my servers or both? One is in Los Angeles and the other is in Miami. Do I need to use a different one to cover the other server or can I just use the same one to cover the email stuff like DKIM and DMARC? Since I'm having problems from the ground up, this seems like a good idea to start at. I'm also seeing conflicting advice on whether I should use multiple A records for subdomains, like www. smtp. etc. or CNAME. Plus it's not clear to me whether to use records like _smtp.tcp or not bother with those. I have spent a lot of time reading pages on all of these subjects but I have yet to find a complete example of all DNS records for a site. Would anyone care to share one with me? Thanks, Chris Bennett
FTP proxy not listing certain directories?
Hi, as I have now managed to get back into my OBSD system I have tested ftp again from clients yet still even with the recent upgrade I seem to be unable to list certain directories?? I have checked the option flags for ftpproxy (man ftpproxy) however, couldn't find anything of help. An example is the Shrubbery ftp site: this directory lists fine: ftp://ftp.shrubbery.net/pub/astraceroute/ while this one doesn't list at all?? ftp://ftp.shrubbery.net/pub/rancid/ tcpdump -eni doesn't show anythng specific: 16:01:40.755991 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54958 > 129.250.47.99.21: . ack 2344340832 win 229 3015288354> (DF) 16:01:40.756004 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 66: 129.250.47.99.21 > <***>.54958: . ack 1 win 271 3015288444 0> 16:01:42.938689 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 74: <***>.54962 > 129.250.47.99.21: S 3566867037:3566867037(0) win 29200 1460,sackOK,timestamp 1071558 0,nop,wscale 7> (DF) 16:01:42.938725 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 78: 129.250.47.99.21 > <***>.54962: S 3753545844:3753545844(0) ack 3566867038 win 16384 6,nop,nop,timestamp 2390749407 1071558> 16:02:04.356644 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 120: 129.250.47.99.21 > <***>.54974: P 401:455(54) ack 112 win 271 16:02:04.357548 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54974 > 129.250.47.99.21: . ack 455 win 229 2400821070> (DF) --> then the report waits I'm just wondering as the last statement is (DF) - the Do Not Fragment flag, could this be an MTU issue?? Though the odd thing is that this was working fine until two upgrades ago which are still quite recent 2017 dated. In PF I have the standard rule: # Proxy rules anchor "ftp-proxy/*" pass in quick on $int_if inet proto tcp to any port ftp \ divert-to 127.0.0.1 port 8021 And as I'm on a VDSL2 line I have: net.inet.tcp.mssdflt=1452 in sysctl.conf and the MTU set on the PPPoE interface as: mtu 1492 All other web based traffic operates fine apart from certain ftp transactions?? Would anyone be able to suggest anything? Many Thanks. Kaya
Re: FTP proxy not listing certain directories?
This is interesting! I have diagnosed the issue thus far: ftpproxy has issues with some directories. that are large from FTP servers. I thought I had run into one of these: CAVEATS pf(4) does not allow the ruleset to be modified if the system is running at a securelevel(7) higher than 1. At that level ftp-proxy cannot add rules to the anchors and FTP data connections may get blocked. Negotiated data connection ports below 1024 are not allowed. The negotiated IP address for active modes is ignored for security reasons. This makes third party file transfers impossible. Since ftp-proxy acts as a man-in-the-middle it breaks explicit FTP TLS connections (RFC 4217). however, it doesn't seem to be the case; I think it is something to do with a timeout somewhere in that the server closes the connection early before the client has a chance to list the directory: -t timeout Number of seconds that the control connection can be idle, before the proxy will disconnect. The maximum is 86400 seconds, which is also the default. Do not set this too low, because the control connection is usually idle when large data transfers are taking place. -> though it seems not the ftp-proxy timeout as that is set to 86400 by default. Not using the proxy is completely possible as PF seems to handle outbound client FTP sessions fine, however, tracking the port usage, it looks as though even if port 21 is opened within the firewall the FTP connection can be made but if other ports are being negotiated in the background eg: # tcpdump -eni pflog0 net 129.250.47.99 tcpdump: WARNING: snaplen raised from 116 to 160 tcpdump: listening on pflog0, link-type PFLOG 11:13:23.613052 rule 823/(match) pass out on pppoe0: <***>.52444 > 129.250.47.99.21: S 1808394633:1808394633(0) win 29200 1460,sackOK,timestamp 21801766 0,nop,wscale 7> 11:13:25.026958 rule 823/(match) pass out on pppoe0: <***>.56190 > 129.250.47.99.1070: S 1729383519:1729383519(0) win 29200 1460,sackOK,timestamp 21802190 0,nop,wscale 7> of course the dynamic port allocation won't work if everything else is being blocked. This leads to the question: is there a way to handle opening up extra ports in PF after the condition of "pass in quick to port 21" has been met?? passive [on | off] Toggle passive mode. If passive mode is turned on (default is on), ftp will send a EPSV command for all data connections instead of the usual PORT command. The PASV command requests that the remote server open a port for the data connection and return the address of that port. The remote server listens on that port and the client connects to it. When using the more traditional PORT command, the client listens on a port and sends that address to the remote server, who connects back to it. Passive mode is useful when using ftp through a gateway router or host that controls the directionality of traffic. (Note that though FTP servers are required to support the PASV command by RFC 1123, some do not.) Or simply attempt to use Active ftp on port 20 - though this seems to be now legacy.... ---K On 01/29/2017 04:14 PM, Kaya Saman wrote: Hi, as I have now managed to get back into my OBSD system I have tested ftp again from clients yet still even with the recent upgrade I seem to be unable to list certain directories?? I have checked the option flags for ftpproxy (man ftpproxy) however, couldn't find anything of help. An example is the Shrubbery ftp site: this directory lists fine: ftp://ftp.shrubbery.net/pub/astraceroute/ while this one doesn't list at all?? ftp://ftp.shrubbery.net/pub/rancid/ tcpdump -eni doesn't show anythng specific: 16:01:40.755991 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54958 > 129.250.47.99.21: . ack 2344340832 win 229 (DF) 16:01:40.756004 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 66: 129.250.47.99.21 > <***>.54958: . ack 1 win 271 3015288444 0> 16:01:42.938689 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 74: <***>.54962 > 129.250.47.99.21: S 3566867037:3566867037(0) win 29200 (DF) 16:01:42.938725 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 78: 129.250.47.99.21 > <***>.54962: S 3753545844:3753545844(0) ack 3566867038 win 16384 6,nop,nop,timestamp 2390749407 1071558> 16:02:04.356644 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 120: 129.250.47.99.21 > <***>.54974: P 401:455(54) ack 112 win 271 16:02:04.357548 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54974 > 129.250.47.99.21: . ack 455 win 229 1077984 2400821070> (D
isakmpd quits out after running ipsec on CURRENT
Hi, for some reason, this seems to have been for a while now; isakmpd will simply quit running after initiating: ipsecctl -f /etc/ipsec.conf Starting isakmpd manually with flags -Kdv doesn't give any indication as to what might be causing the service to crash or segfault and nothing is reported in the logs - I checked both daemon and messages. ipsec.conf consists of standard config: ike passive esp transport \ proto udp from 212.159.80.17 to any port 1701 \ main auth "hmac-sha" enc "aes" group modp1024 \ quick auth "hmac-sha" enc "aes" \ psk "Sclr11XP99" ike passive esp transport \ proto udp from to any port 1701 \ main auth "hmac-sha" enc "aes" group modp1024 \ quick auth "hmac-sha" enc "aes" \ psk "" Basically the setup used to work fine a few upgrades ago while I was on 5.5 but then something seems to have changed and it stopped. Along with the above I'm running npppd for ipsec/l2tp so I can run the native Android VPN client. I do run OpenVPN in addition but their seems to be some issue with routing on some apps so to get round that the choice is either: add default route manually when using OpenVPN / or use native client. I managed to find this thread from the list: http://comments.gmane.org/gmane.os.openbsd.misc/209636 and managed to pretty much validate my config in comparison but for some reason I cannot work this one out. System is up to date as per last night and build is: 5.6 GENERIC.MP#633 amd64 5.6 GENERIC.MP#633 amd64 Would anyone be able to suggest anything? Thanks. Kaya
Re: isakmpd quits out after running ipsec on CURRENT
On 12/03/2014 07:39 PM, Christian Weisgerber wrote: > On 2014-12-03, Josh Grosse wrote: > >>> This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56. >>> Check your system logs for "isakmpd: backwards memcpy". >> It may not be that change, since it was only committed two days ago. >> I've >> seen the same symptoms in i386 snapshots from Nov 26 and 30. > Exactly, that change _fixes_ it. In recent snapshots, memcpy() > checks for overlap and aborts. > > For some background, see > http://www.tedunangst.com/flak/post/memcpy-vs-memmove > When you mention the change **fixes** the bug, is there something in addition that needs to be done in order to get isakmpd and ipsec working together? I am seeing this in the logs: Dec 4 09:35:33 Gamma-Ray isakmpd: backwards memcpy Dec 4 09:35:33 isakmpd: backwards memcpy which is what was stated earlier. Or does the **fix** exaggerate another bug in the code? Regards, Kaya
Re: isakmpd quits out after running ipsec on CURRENT
On 12/04/2014 04:28 PM, Ted Unangst wrote: On Thu, Dec 04, 2014 at 12:29, Kaya Saman wrote: On 12/03/2014 07:39 PM, Christian Weisgerber wrote: On 2014-12-03, Josh Grosse wrote: This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56. Check your system logs for "isakmpd: backwards memcpy". It may not be that change, since it was only committed two days ago. I've seen the same symptoms in i386 snapshots from Nov 26 and 30. Exactly, that change _fixes_ it. In recent snapshots, memcpy() checks for overlap and aborts. For some background, see http://www.tedunangst.com/flak/post/memcpy-vs-memmove When you mention the change **fixes** the bug, is there something in addition that needs to be done in order to get isakmpd and ipsec working together? I am seeing this in the logs: Dec 4 09:35:33 Gamma-Ray isakmpd: backwards memcpy Dec 4 09:35:33 isakmpd: backwards memcpy which is what was stated earlier. Or does the **fix** exaggerate another bug in the code? There was *one* fix to isakmpd for *one* bug. There may be more than one bug. There's certainly a lot more than one memcpy in it. Thanks everyone for the responses sorry for the "cross-wires" in understanding the situation at present. Will wait for a fix :-) Regards, Kaya
pppoe(4) slow for Annex M DSL connection
Hi, I've just got my dsl line reprovisioned for Annex M compatibility and the line speed showing currently on the modem is 20Mbps downstream with 2Mbps upstream. Upon the reprovisioning I got ask to do a speed test by my ISP and only ~>5Mbps was shown for downstream while upstream was shown as ~700kbps. The system in place is VDSL2+/ADSL2+(Annex M) router running in RFC2684 ATM to Ethernet bridge mode, linked to a Sun Microsystems Netra T105 - 440MHz, 360MB RAM box. With the Netra I have tested various routing capacities including inter-vlan and dynamic running OSPF and it managed between 80-90Mbps transfer rates for large files. I'm using pppoe(4) with config pretty much taken from the man page: inet 0.0.0.0 255.255.255.255 NONE mtu 1492 \ pppoedev hme0 authproto chap \ authname authkey \ up dest 0.0.0.1 !/sbin/route add default -ifp pppoe0 0.0.0.1 running over the hme0 interface: up mtu 1500 Everything is working fine and I have internet connectivity. Packet Filter is of course taking care of the NAT/PAT side of things and the firewalling. Doing a bit of research on the net I came across a few postings: http://forums.whirlpool.net.au/archive/481579 http://forums.whirlpool.net.au/forum-replies.cfm?t=116165 http://comments.gmane.org/gmane.os.openbsd.misc/196051 which suggested to edit the /etc/sysctl.conf file with some values that aren't available in OBSD5.1 as they are now allocated dynamically. This is what I've got towards the bottom of my sysctl.conf file: net.inet.tcp.mssdflt=1452 #net.inet.tcp.recvspace=131072 #net.inet.tcp.sendspace=131072 net.inet.udp.recvspace=139264 net.inet.udp.sendspace=139264 net.inet.ip.mforwarding=1 ddb.panic=0 kern.bufcachepercent=60 net.inet.ip.ifq.maxlen=512 net.inet.tcp.rfc3390=1 I have also made the necessary adjustments to the pf.conf file: match on $ext_if scrub (max-mss 1440) however, my speeds are still really low :-( The router/modem I'm using is a Cisco 887VA which should be pretty high-performance but I don't trust Cisco's with NAT as they keep running out of memory on me when the number of connections starts going up; then they crash! Is there anything else I can do to get better performance or this simply it for the Netra? I've tried checking with all kinds of tools like nload and darkstat for bandwidth which confirms what the speed-test site claimed. Running netstat -m I get: # netstat -m 111 mbufs in use: 20 mbufs allocated to data 62 mbufs allocated to packet headers 29 mbufs allocated to socket names and addresses 19/88/4096 mbuf 2048 byte clusters in use (current/peak/max) 0/8/4096 mbuf 4096 byte clusters in use (current/peak/max) 0/8/4096 mbuf 8192 byte clusters in use (current/peak/max) 0/14/4102 mbuf 9216 byte clusters in use (current/peak/max) 0/8/4096 mbuf 12288 byte clusters in use (current/peak/max) 0/8/4096 mbuf 16384 byte clusters in use (current/peak/max) 0/8/4096 mbuf 65536 byte clusters in use (current/peak/max) 536 Kbytes allocated to network (12% in use) 0 requests for memory denied 0 requests for memory delayed 0 calls to protocol drain routines vmstat -i shows: # vmstat -i interrupt total rate com0 49881 hme082113 19 siop090262 hme186683 21 clock 412347 99 Total 595157 144 Netstat -i doesn't come up with any errors on any interfaces either... and finally top doesn't show much cpu usage at all either. Surely the Netra must be able to do more then 4.5Mbps down with 0.7Mbps up??? What about my LAN routing test which got 80-90Mbps? Can anyone suggest anything? Thanks.
Re: pppoe(4) slow for Annex M DSL connection
On 11/01/2012 11:12 PM, Sevan / Venture37 wrote: On 31/10/2012 18:49, Kaya Saman wrote: I've just got my dsl line reprovisioned for Annex M compatibility and the line speed showing currently on the modem is 20Mbps downstream with 2Mbps upstream. Upon the reprovisioning I got ask to do a speed test by my ISP and only ~>5Mbps was shown for downstream while upstream was shown as ~700kbps. The system in place is VDSL2+/ADSL2+(Annex M) router running in RFC2684 ATM to Ethernet bridge mode, linked to a Sun Microsystems Netra T105 - 440MHz, 360MB RAM box. With the Netra I have tested various routing capacities including inter-vlan and dynamic running OSPF and it managed between 80-90Mbps transfer rates for large files. I don't think this is an OpenBSD issue From http://www.cisco.com/en/US/products/ps9565/index.html "ADSl2/2+ over POTS, with annex M support for increased upstream throughput through Cisco 887M models" Sevan / Venture37 Thanks for the response! That's the router I have; connecting directly to the router with it configured as NAT/Gateway produces good results. In addition to that I created a test where I used Packet Filter as a firewall then ran OSPF between the routers, so basically we had: (LAN) Cisco 1801 <-> OpenBSD <-> Cisco 887VA (WAN) Again I had the same speeds. However, hooking the Cisco's together Cisco 1801 <-> Cisco 887VA I now have 18Mbps downstream with 2Mbps upstream. It looks like the throughput on the Sun Netra isn't high for whatever reason?? Or that Packet Filter is simply slow to process? I have a spare Sun Fire V210 so I will try with that and see if the increased CPU power coupled with more memory increases speeds at all. Outside of that I'm slightly puzzled :-S
Dansguardian not working after updating OBSD Current
Hi, I'm not sure what happened but after updating OpenBSD today, then updating the installed packages Dansguardian seems to not be working. My OpenBSD version is: 5.6 GENERIC.MP#376 amd64 as stated just been updated today. then used: pkg_add -vui to update the packages. Just checking one of the mirrors, it seems all packages were "synced" recently, so not sure if that actually refers to being updated. The version available seems to be 2.12.0.3, though checking the Sourceforge page: http://sourceforge.net/projects/dansguardian/files/ it seems that the code hasn't been updated since 2012 The only error in the logs that I can see is: dansguardian[11832]: Error polling child process sockets: Invalid argument dansguardian[11832]: Error polling child process sockets: Invalid argument Upon researching the error I found: http://comments.gmane.org/gmane.comp.web.dansguardian.general/1342 which is way out of date! Changing the settings stated using sysctl didn't help either: kern.shminfo.shmmni=512 kern.shminfo.shmseg=512 I also attempted to compile directly from source incase something went amiss somewhere with my setup. That also didn't seem to work. The port won't build as it throws this error: *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:1876 '/var/db/pkg/dansguardian-2.12.0.3/+CONTENTS': @ /usr/bin/env -i PKG_TMPDIR=...) *** Error 1 in /usr/ports/www/dansguardian (/usr/ports/infrastructure/mk/bsd.port.mk:2388 'install') Though checking around previously there was something about the port not being "signed"? Would anyone be able to suggest a fix or help out? Even an 'alternative' more upto date solution would be fine. I'm running it in conjunction with Squid, c-icap, and clamav. So as well as simply filtering websites it also hooks into clam with a virus scan and then the Squid proxy to get to the web. Thanks. Kaya 5.6 GENERIC.MP#376 amd64
Re: Dansguardian not working after updating OBSD Current
On 09/17/2014 03:55 AM, Philip Guenther wrote: On Tue, Sep 16, 2014 at 4:27 PM, Kaya Saman wrote: I'm not sure what happened but after updating OpenBSD today, then updating the installed packages Dansguardian seems to not be working. ... The only error in the logs that I can see is: dansguardian[11832]: Error polling child process sockets: Invalid argument dansguardian[11832]: Error polling child process sockets: Invalid argument So the error means that poll() is being passed an nfds argument too large, larger than the process could have open as fds. It looks like the code, for some reason I cannot understand, passes poll() a pollfd structure for each child process...with fd=-1, so that it will be ignored. Uh, why? Why is it passing pollfd structures to the kernel that it *wants* the kernel to ignore? It seems that the code could simply skip over allocating and filling in those pollfd structures and have the exact same effect. As for what changed, well, something changed the number of child processes you're experiencing (load?), or the process fd limit (RLIMIT_NOFILE) for dansguardian changed. Philip Guenther Thanks Philip for the response. It wouldn't be load that's causing this issue as I'm monitoring the machine using multiple monitoring tools. As to the process limit, I've got infinity set for the daemon under login.conf though "root" user is at defaults. Since Dansguardian is being run as it's own user the "root" portion shouldn't apply. The kernel maxproc value is set to 1310 (default??). Outside of modifying the source code is there anything I can try within the system to allow Dansgaurdian to run? I'm not sure if the upgrade changed any default values that may have effected this as the last update went through fine?? Weird! Regards, Kaya
Re: Dansguardian not working after updating OBSD Current
Ok, so this is just a quick follow up. Squid started dying too, checking the logs showed "not enough file descriptors". After looking at both /etc/login.conf "openfiles-cur" and the sysctl kern.maxfiles limits which were set extremely high to begin with turns out that the: ulimit -n was only showing as 64. Changing that over to a value of 1 (overkill but better safe then sorry), Dansguardian managed to start and now both DG and Squid seem to be online and stable! I wonder if it has something to do with the: openfiles parameter in /etc/login.conf? A response by Philip suggests this: http://openbsd.7691.n7.nabble.com/setting-resource-limits-login-conf-and-ulimit-td223656.html Just a quick observation, not sure if by design or other but ulimit doesn't seem to have a man page? man ulimit man: no entry for ulimit in the manual. man ulimit man: no entry for ulimit in the manual. Though I did find a copy here: http://ss64.com/bash/ulimit.html :-) So thanks Philip, looks like you saved my day twice! Regards, Kaya On 09/17/2014 03:55 AM, Philip Guenther wrote: > On Tue, Sep 16, 2014 at 4:27 PM, Kaya Saman wrote: >> I'm not sure what happened but after updating OpenBSD today, then >> updating the installed packages Dansguardian seems to not be working. > ... >> The only error in the logs that I can see is: >> >> dansguardian[11832]: Error polling child process sockets: Invalid argument >> dansguardian[11832]: Error polling child process sockets: Invalid argument > So the error means that poll() is being passed an nfds argument too > large, larger than the process could have open as fds. It looks like > the code, for some reason I cannot understand, passes poll() a pollfd > structure for each child process...with fd=-1, so that it will be > ignored. Uh, why? Why is it passing pollfd structures to the kernel > that it *wants* the kernel to ignore? It seems that the code could > simply skip over allocating and filling in those pollfd structures and > have the exact same effect. > > As for what changed, well, something changed the number of child > processes you're experiencing (load?), or the process fd limit > (RLIMIT_NOFILE) for dansguardian changed. > > > Philip Guenther
Re: Dansguardian not working after updating OBSD Current
On 09/17/2014 03:32 PM, Stefan Olsson wrote: Date: Wed, 17 Sep 2014 15:08:48 +0100 From: kayasa...@gmail.com Just a quick observation, not sure if by design or other but ulimit doesn't seem to have a man page? -It is a ksh builtin. man ksh -It would be nice to have it show up when doing apropos though... Thanks for the clarification :-)
Re: Dansguardian not working after updating OBSD Current
On 09/17/2014 03:34 PM, Alexander Hall wrote: On September 17, 2014 4:08:48 PM CEST, Kaya Saman wrote: Ok, so this is just a quick follow up. Squid started dying too, checking the logs showed "not enough file descriptors". After looking at both /etc/login.conf "openfiles-cur" and the sysctl kern.maxfiles limits which were set extremely high to begin with turns out that the: ulimit -n was only showing as 64. Changing that over to a value of 1 (overkill but better safe then For some definition of safe. The limits exists for a reason. ;-) But sure, one size does not fit all. sorry), Dansguardian managed to start and now both DG and Squid seem to be online and stable! I wonder if it has something to do with the: openfiles parameter in /etc/login.conf? A response by Philip suggests this: http://openbsd.7691.n7.nabble.com/setting-resource-limits-login-conf-and-ulimit-td223656.html Just a quick observation, not sure if by design or other but ulimit doesn't seem to have a man page? man ulimit man: no entry for ulimit in the manual. man ulimit man: no entry for ulimit in the manual. Though I did find a copy here: http://ss64.com/bash/ulimit.html Hint is in the url: "bash". ulimit is a shell command, not a binary. man $SHELL /Alexander Yep I see that now :-) Next time will understand better! :-) So thanks Philip, looks like you saved my day twice! Regards, Kaya On 09/17/2014 03:55 AM, Philip Guenther wrote: On Tue, Sep 16, 2014 at 4:27 PM, Kaya Saman wrote: I'm not sure what happened but after updating OpenBSD today, then updating the installed packages Dansguardian seems to not be working. ... The only error in the logs that I can see is: dansguardian[11832]: Error polling child process sockets: Invalid argument dansguardian[11832]: Error polling child process sockets: Invalid argument So the error means that poll() is being passed an nfds argument too large, larger than the process could have open as fds. It looks like the code, for some reason I cannot understand, passes poll() a pollfd structure for each child process...with fd=-1, so that it will be ignored. Uh, why? Why is it passing pollfd structures to the kernel that it *wants* the kernel to ignore? It seems that the code could simply skip over allocating and filling in those pollfd structures and have the exact same effect. As for what changed, well, something changed the number of child processes you're experiencing (load?), or the process fd limit (RLIMIT_NOFILE) for dansguardian changed. Philip Guenther
Android 4.4 and L2TP/IPSEC VPN
Hi,
I'm wondering if anyone has had any experience with VPN and Android 4.4??
I used to use OpenVPN with versions 4.1 through 4.3 however, 4.4
apparently broke the tun interface so the app doesn't work now.
As I need vpn access I configured ipsec and npppd however, I keep
getting these errors when trying to establish connection:
responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs:
initiator id 2.2.2.2, responder id 1.1.1.1
dropped message from 2.2.2.2 port 500 due to notification type
INVALID_ID_INFORMATION
On the Droid I setup L2TP/IPsec PSK
with server address and IPSec PSK; and my npppd credentials.
The config I have is standard:
ipsec.conf:
ike passive esp transport \
proto udp from any to any port 1701 \
main auth "hmac-sha1" enc "aes" group modp1024 \
quick auth "hmac-sha1" enc "aes" \
psk "some_key"
npppd.conf:
# $OpenBSD: npppd.conf,v 1.2 2014/03/22 04:32:39 yasuoka Exp $
# sample npppd configuration file. see npppd.conf(5)
authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
#authentication RADIUS type radius {
# authentication-server {
# address 192.168.0.1 secret "hogehoge"
# }
# accounting-server {
# address 192.168.0.1 secret "hogehoge"
# }
#}
tunnel L2TP protocol l2tp {
listen on 0.0.0.0
listen on ::
}
ipcp IPCP {
pool-address
dns-servers
}
# I elected to go with Tun interface over Pipex
# use tun(4) interface. multiple ppp sessions concentrate one interface.
interface tun1 address ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun1
/etc/hostname.tun1
up
Looking through the @Misc archive I found a similar issue:
http://permalink.gmane.org/gmane.os.openbsd.misc/202338
which also incorporates (I assume) working config; very similar to my own.
My version of OpenBSD is: 5.5 GENERIC.MP#50 amd64 (Current as of a few
days ago)
The Phase 2 ID issues usually happen when the devices remote and local
IP addresses aren't what the system is expecting however, I have
configured this to "any".
I do recall a separate issue I had when configuring IPSEC/GRE
site-to-site tunnel with Cisco's where I had to specifically set:
ike esp from 0.0.0.0/0 to 0.0.0.0/0 peer
and then configure hostname.greX accordingly.
Even using the Pipex interface:
#interface pppx0 address ipcp IPCP
#bind tunnel from L2TP authenticated by LOCAL to pppx0
as a test I still get the same error of Invalid Phase 2 ID's.
I have analyzed /var/log/messages which gives above output, and in
addition done a tcpdump -eni (IF) -vvv host (IP) to see what was going
on but found nothing substantial
npppd output:
npppd[10593]: l2tpd ctrl=9 logtype=Started RecvSCCRQ
from=2.2.2.2:46783/udp tunnel_id=9/30318 protocol=1.0 winsize=1
hostname=anonymous vendor=(no vendorname) firm=
npppd[10593]: l2tpd ctrl=9 timeout waiting ack for ctrl packets.
npppd[10593]: l2tpd ctrl=9 logtype=Finished
Could this be a bug with Android 4.4 or is it simply something
misconfigured on my behalf?
...oh and my handset is rooted so I don't know if that makes a difference?
Thanks.
Kaya
High Fan Speed in Current 5.5
Hi, I hope someone can help me with this... For some reason my fans are spinning up at 3000RPM and making a lot of noise. I have a similar chassis m/b combo running FreeBSD 10 which runs almost silent. The processor usage on this machine isn't very high at all and is even being throttled. Here is what I've done so far: Enable APMD with the -C option; taken from the man page - -C Start apmd in cool running performance adjustment mode. In this mode, when CPU idle time falls below 10%, apmd raises hw.setperf as much as necessary. Otherwise when CPU idle time is above 30%, apmd lowers hw.setperf as much as possible to reduce heat, noise, and power consumption. and also enable SENSORSD sysctl output: hw.sensors.cpu0.temp0=51.00 degC hw.sensors.cpu1.temp0=51.00 degC hw.sensors.cpu2.temp0=51.00 degC hw.sensors.cpu3.temp0=51.00 degC hw.sensors.lm1.temp0=34.00 degC hw.sensors.lm1.temp1=57.00 degC hw.sensors.lm1.temp2=33.50 degC hw.sensors.lm1.volt0=1.08 VDC (VCore) hw.sensors.lm1.volt1=12.04 VDC (+12V) hw.sensors.lm1.volt2=3.36 VDC (+3.3V) hw.sensors.lm1.volt3=3.36 VDC (+3.3V) hw.sensors.lm1.volt4=-10.92 VDC (-12V) hw.sensors.lm1.volt5=1.26 VDC hw.sensors.lm1.volt6=1.06 VDC hw.sensors.lm1.volt7=3.33 VDC (3.3VSB) hw.sensors.lm1.volt8=1.60 VDC (VBAT) hw.sensors.lm2.temp0=34.00 degC hw.sensors.lm2.temp1=57.00 degC hw.sensors.lm2.temp2=33.50 degC hw.sensors.lm2.fan0=1622 RPM hw.sensors.lm2.fan1=164 RPM hw.sensors.lm2.fan2=3013 RPM hw.sensors.lm2.fan3=2986 RPM hw.sensors.lm2.fan4=164 RPM hw.sensors.lm2.volt0=1.08 VDC (VCore) hw.sensors.lm2.volt1=12.04 VDC (+12V) hw.sensors.lm2.volt2=3.36 VDC (+3.3V) hw.sensors.lm2.volt3=3.36 VDC (+3.3V) hw.sensors.lm2.volt4=-10.92 VDC (-12V) hw.sensors.lm2.volt5=1.26 VDC hw.sensors.lm2.volt6=1.06 VDC hw.sensors.lm2.volt7=3.33 VDC (3.3VSB) hw.sensors.lm2.volt8=1.60 VDC (VBAT) hw.cpuspeed=1200 hw.setperf=0 hw.vendor=Supermicro hw.product=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F The CPU is a Xeon E5 which the above output tells me it's been downclocked to 1.2GHz (is rated at 3.7GHz) hooked up to a SuperMicro system board and 4U chassis with 80mm?? fans. More output: # apropos fan | grep 4 adl (4) - Andigilog aSC7621 temperature, voltage, and fan sensor adt (4) - Analog Devices ADT7460 temperature, voltage, and fan sensor adtfsm (4) - Analog Devices ADT7462 temperature, voltage, and fan sensor aibs (4) - ASUSTeK AI Booster ACPI ATK0110 temperature, voltage, and fan sensor andl (4) - Andigilog aSC7611 temperature, voltage, and fan sensor fcu (4/macppc) - Apple Fan Control Unit sensor device glenv (4) - Genesys Logic GL518SM temperature, voltage, and fan sensor it (4) - ITE IT87xxF and SiS SiS950 temperature, voltage, and fan sensor with watchdog timer lm (4) - National Semiconductor LM78/79/81 temperature, voltage, and fan sensor lmenv (4) - National Semiconductor LM87 temperature, voltage, and fan sensor lmn (4) - National Semiconductor LM93 temperature, voltage, and fan sensor nvt (4) - Nuvoton W83795G/ADG temperature, voltage, and fan sensor tda (4/sparc64) - Philips TDA8444 fan controller uguru (4) - ABIT temperature, voltage and fan sensors wbenv (4) - Winbond W83L784R/W83L785R/W83L785TS-L temperature, voltage, and fan sensor wbng (4) - Winbond W83793G temperature, voltage, and fan sensor DMESG: OpenBSD 5.5-current (GENERIC.MP) #50: Thu Apr 3 12:37:31 MDT 2014 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 8537219072 (8141MB) avail mem = 8301203456 (7916MB) warning: no entropy supplied by boot loader mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec640 (117 entries) bios0: vendor American Megatrends Inc. version "3.0" date 07/05/2013 bios0: Supermicro X9SRE/X9SRE-3F/X9SRi/X9SRi-3F acpi0 at bios0: rev 2 acpi0: sleep states S0 S1 S4 S5 acpi0: tables DSDT FACP APIC FPDT HPET PRAD SSDT SPCR EINJ ERST HEST BERT DMAR MCFG acpi0: wakeup devices PS2K(S4) PS2M(S4) P0P9(S1) EUSB(S4) USBE(S4) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) PEX5(S4) PEX6(S4) NPE2(S4) NPE4(S4) NPE5(S4) PXHA(S4) [...] acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Xeon(R) CPU E5-1620 0 @ 3.60GHz, 3600.43 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges cpu0: apic clock running at 99MHz cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Xeon(R) CPU E5-1620 0 @ 3.60GHz, 3599.99 MHz cpu1: FPU
Re: High Fan Speed in Current 5.5
On 04/20/2014 11:52 AM, Stuart Henderson wrote: On 2014-04-19, Kaya Saman wrote: I hope someone can help me with this... For some reason my fans are spinning up at 3000RPM and making a lot of noise. I have a similar chassis m/b combo running FreeBSD 10 which runs almost silent. The processor usage on this machine isn't very high at all and is even being throttled. I had some machines with a problem like this that was introduced between 5.4 and 5.5 which was tracked down to the mwait idle loop. Do you need to run MP on it? If not, and if mwait is the problem, switching to GENERIC is probably the easiest workaround. Many thanks Stuart for the response. What's the difference between GENERIC and MP I'm guessing MP stands for MultiProcessor? Basically the machine is a router/firewall. Routing is only done on the first core in OpenBSD but things like MySQL and Apache are multi-threaded so I'd like to keep the multi-threading support if possible. Not sure. what would you suggest? Regards, Kaya
Re: High Fan Speed in Current 5.5
On 04/20/2014 03:16 PM, Stuart Henderson wrote: > On 2014/04/20 15:11, Kaya Saman wrote: >> On 04/20/2014 11:52 AM, Stuart Henderson wrote: >>> On 2014-04-19, Kaya Saman wrote: >>>> I hope someone can help me with this... >>>> >>>> For some reason my fans are spinning up at 3000RPM and making a lot of >>>> noise. I have a similar chassis m/b combo running FreeBSD 10 which runs >>>> almost silent. >>>> >>>> The processor usage on this machine isn't very high at all and is even >>>> being throttled. >>> I had some machines with a problem like this that was introduced between >>> 5.4 and 5.5 which was tracked down to the mwait idle loop. >>> >>> Do you need to run MP on it? If not, and if mwait is the problem, >>> switching to GENERIC is probably the easiest workaround. >>> >> Many thanks Stuart for the response. >> >> What's the difference between GENERIC and MP I'm guessing MP stands for >> MultiProcessor? > Yes, right. > >> Basically the machine is a router/firewall. Routing is only done on the >> first core in OpenBSD but things like MySQL and Apache are multi-threaded so >> I'd like to keep the multi-threading support if possible. >> Not sure. what would you suggest? > Well this may (if it works) be a quick easy fix to quieten down the > machine and reduce power consumption if you can live with it.. anything > better than this is probably going to involve digging in to cpu power- > saving states. > > So really it depends what's more important to you. > Hmm. I'll give it a whirl and see what happens. Just read this in the meantime: http://www.openbsd.org/faq/faq4.html and this: http://www.openbsd.org/faq/faq8.html so I am going to try the /bsd image however my system doesn't have a /etc/boot.conf file so if I wanted to make it permanent do I just simply do this (taken from from boot man page): *EXAMPLES* <http://www.openbsd.org/cgi-bin/man.cgi?query=boot&sektion=8&arch=i386#end> Boot the default kernel: boot> boot Remove the 5 second pause at boot-time permanently, causing*boot* to load the kernel immediately without prompting: # echo "boot" > /etc/boot.conf Regards, Kaya
Re: High Fan Speed in Current 5.5
On 04/20/2014 03:16 PM, Stuart Henderson wrote: On 2014/04/20 15:11, Kaya Saman wrote: On 04/20/2014 11:52 AM, Stuart Henderson wrote: On 2014-04-19, Kaya Saman wrote: I hope someone can help me with this... For some reason my fans are spinning up at 3000RPM and making a lot of noise. I have a similar chassis m/b combo running FreeBSD 10 which runs almost silent. The processor usage on this machine isn't very high at all and is even being throttled. I had some machines with a problem like this that was introduced between 5.4 and 5.5 which was tracked down to the mwait idle loop. Do you need to run MP on it? If not, and if mwait is the problem, switching to GENERIC is probably the easiest workaround. Many thanks Stuart for the response. What's the difference between GENERIC and MP I'm guessing MP stands for MultiProcessor? Yes, right. Basically the machine is a router/firewall. Routing is only done on the first core in OpenBSD but things like MySQL and Apache are multi-threaded so I'd like to keep the multi-threading support if possible. Not sure. what would you suggest? Well this may (if it works) be a quick easy fix to quieten down the machine and reduce power consumption if you can live with it.. anything better than this is probably going to involve digging in to cpu power- saving states. So really it depends what's more important to you. Just did the switch: hw.sensors.lm2.fan2=3835 RPM hw.sensors.lm2.fan3=3781 RPM 5.5 GENERIC#46 amd64 The fans have got even noisier?
Re: High Fan Speed in Current 5.5
On 04/20/2014 03:56 PM, Stuart Henderson wrote: On 2014/04/20 15:49, Kaya Saman wrote: On 04/20/2014 03:16 PM, Stuart Henderson wrote: On 2014/04/20 15:11, Kaya Saman wrote: On 04/20/2014 11:52 AM, Stuart Henderson wrote: On 2014-04-19, Kaya Saman wrote: I hope someone can help me with this... For some reason my fans are spinning up at 3000RPM and making a lot of noise. I have a similar chassis m/b combo running FreeBSD 10 which runs almost silent. The processor usage on this machine isn't very high at all and is even being throttled. I had some machines with a problem like this that was introduced between 5.4 and 5.5 which was tracked down to the mwait idle loop. Do you need to run MP on it? If not, and if mwait is the problem, switching to GENERIC is probably the easiest workaround. Many thanks Stuart for the response. What's the difference between GENERIC and MP I'm guessing MP stands for MultiProcessor? Yes, right. Basically the machine is a router/firewall. Routing is only done on the first core in OpenBSD but things like MySQL and Apache are multi-threaded so I'd like to keep the multi-threading support if possible. Not sure. what would you suggest? Well this may (if it works) be a quick easy fix to quieten down the machine and reduce power consumption if you can live with it.. anything better than this is probably going to involve digging in to cpu power- saving states. So really it depends what's more important to you. Just did the switch: hw.sensors.lm2.fan2=3835 RPM hw.sensors.lm2.fan3=3781 RPM 5.5 GENERIC#46 amd64 The fans have got even noisier? I guess it's a different problem then :) My best and easiest solution was to find a 5.25" Fan Controller like they do for 'modified/gamer' chassis but unfortunately none are available for PWM fans. I guess I'm just gona have to look for an acoustic rack enclosure to muffle out the sound. Thanks in any case for all the help! Regards, Kaya
Re: adsl card advice
On 04/25/2014 11:32 AM, Stuart Henderson wrote: [...] About separate adsl router I think they are pretty unsafe and very easy download the firmware from the vendor site, hack it and flash the device. And all the home adsl router u can find are linux based with all security problems that linux has. For these reasons I want make my own obsd router but what other choice I have to connect it to an adsl ?? it's very strange to have so many problems to make a router under openbsd when it should born for it. Personally I use an external router configured as a bridge, and configure pppoe on the OpenBSD side (with baby jumbos and RFC4638 where possible to avoid getting a restricted MTU). That way the router doesn't have external IP connectivity thus avoiding many of the problems you might run into, and meaning that any complex configuration is done on the OpenBSD box; it's then also pretty easy to swap out a spare router in case of hardware failure (which in my experience is more likely to occur for something that connects to a phone line). Even with something like the Solos you still have hardware running some proprietary firmware/dsp code on a processor with potential for bugs. Mind you, it's even the same for a lot of ethernet NICs... I agree with Stuart on this one. Before building my router I considered using an ADSL PCI card. To be honest it's probably a better and easier practice to use ATM-to-Ethernet bridging. That way the OpenBSD box does everything including firewall and NAT so really how secure you make the system is up to you. p.s. am just butting in here as Stuart helped me a lot with that too so am just offering my take :-) Regards, Kaya
Router project on OpenBSD questions
Hi, this is my first posting here :-) I have currently only used OpenBSD as a test vector setup on VirtualBox and 2x Sun Fire V240's as a DNS server (master/slave) using Bind9. So basically in short am an OpenBSD newbee :-) Ok so here goes; I've been using FreeBSD for around 3+ years now and really enjoy it, in comparing OpenBSD to FreeBSD I first would like to get some user experience of the major advantages over it. From my reading it's meant to be more secure, from my (vastly) limited experience it's quite different to work with then FreeBSD. -Could anyone give me any summarized answers to compare the two? Now here comes the major project For the last past 4 years or so I've been hosting various OpenSource projects from home and have a setup similar to the OpenBSD rack pics on the openbsd.org site :-) To fill the role of router I have used till now, a Cisco 857, 877, and 1801 all of who's power I've managed to max out!! :-( As a qualified Cisco engineer but also budding UNIX engineer/enthusiast I've come to understand that Cisco boxes are underpowered and overpriced Graphing the Cisco's using SNMP and RRD tools using Cacti, the CPU's tend to max-out after the TCP/IP flows start reaching 1000+ and so goes the memory too. Then I loose all kind of connectivity as the router either crashes or becomes unstable. So I would like to build a router out of a Quad Core Xeon system. I've selected the hardware for it already and the software barring the base OS. The hardware will run a socket 1366 Xeon using a Supermicro system board. (I'm sure this will be 100% compatible with OpenBSD or FreeBSD whichever I chose) http://www.supermicro.nl/products/motherboard/Xeon3000/X58/X8SAX.cfm Additionally I would like to run a 5.25" LCD in the chassis front to monitor on the fly system output using Lcdproc - this is available on FreeBSD using ports but not sure about OpenBSD though I'm sure can be easily compiled if necessary. Something like the PicoLCD from Mini-Box or Matrix-Orbital displays or similar. --actually I think VFD's are kinda cool but need to find a 5.25" one :-) I also would like to know if anyone knows of any ADSL2+ Annex M standard PCI (/x/) based modem card that I can use to connect to my ISP with instead of using an external device? So far in my search I came across this: http://linitx.com/viewcategory.php?catid=47 Of which manufacturers seem to be: http://www.rocksolidelectronics.com/pages/products.php Are these going to be OpenBSD compatible or are there others??? Does anyone know of a VDSL2 solution like this also? For software I plan to use Quagga/Zebra which should be in the ports or compatible easily coupled with NAT, ACL's, Firewall using PF or so In this case comparing FreeBSD, what's OpenBSD's performance like for Firewall/IDS/IPS systems?? Is OpenBSD compatible with Cisco VTP and STP to trunk VLANs to Cisco switches? I did discover this already: http://fengnet.com/book/icuna/ch05lev1sec5.html so it would seem so, however I do not know if link-aggregation would work?? As in Cisco Etherchannel to multiple ports on the router. There are many more questions I have but will refrain from asking at this phase as most of them can be got round by researching; like Cisco IPSEC/GRE VPN compatibility et el. i think am just worried about the ADSL2 modem card mainly as most of the above can be got over with testing and trying things out :-) It's just a pain that a Cisco 2901 for example as claimed by Cisco can only route at 75Mbps (ok routing uses PPS but wirespeed is not available unless going carrier grade). Especially now that companies are slowly starting to release Residential Fiber networks upto 1Gbps... would render the Cisco's maxed-out power wise. I know there are a lot of questions here but am hoping that some of them can be answered or at least advise given pre-testing :-) Many thanks and best regards, Kaya
Re: Router project on OpenBSD questions
Good luck Many thanks Christiano for such a quick and comprehensive response :-) Regards, Kaya
Re: Router project on OpenBSD questions
So I would like to build a router out of a Quad Core Xeon system. I've selected the hardware for it already and the software barring the base OS. You want the highest cache and highest frequency cpu you can find. MP will not help you with routing performance at all. Something like this: http://ark.intel.com/products/53580/Intel-Xeon-Processor-E7-8870-%2830M-Cache-2_40-GHz-6_40-GTs-Intel-QPI%29 30MB cache @ 2.4GHz However this does raise the question, 32bit or 64bit??? And what would be the benefit for having multi CPU sockets or cores??? --I mean for an integrated Firewall/router yes one can offload processes and threads per core or socket With this though I'm betting that a Core2Quad Q8400s CPU (which I currently run on a FreeBSD based Mini-NAS mainframe) will be more powerful then any Cisco SMB based router? - I can see it being more powerful then my 8xx or 18xx series in anycase! Most DIY/Linux router boxes all seem to run Mini-ITX hardware on Intel ATOMs or VIA processors or Vyatta running standard x86 Multi-core architecture for their appliances; how does this relate to the equation? --K
Re: Router project on OpenBSD questions
With this though I'm betting that a Core2Quad Q8400s CPU (which I currently run on a FreeBSD based Mini-NAS mainframe) will be more powerful then any Cisco SMB based router? - I can see it being more powerful then my 8xx or 18xx series in anycase! I don't know cisco, it's all about how much data you need to route. But if you were concerned about 75mbps, even my sun ultra 5 400mhz can do more than that. Do the math, I'd guess you can do *at least* 300mpps with any fairly modern cpu. Now do 300mpps * 1500bytes, that's your throughput for full sized packets. Hmm I think I OD'd and got a bit excited on the CPU mentioned as I don't even think it's out yet at least not in consumer land Something like this: Intel XeonX3680 Six Core 3.33GHz 12MB Cache might be more cost effective and better suited to my needs :-) Sun Ultra 5... you should have said something earlier ;-P I could then just whack OpenBSD onto my E420r lol - to be honest I was considering going for a used Sun Fire V210 but I don't think there are **any** ADSL modem cards available for SPARC! :-( otherwise that would have been an awsome box!! You may want to read this: http://www.undeadly.org/cgi?action=article&sid=2011101406 Thanks, that was interesting. Ok I know now that I'm going down the right road :-) Most DIY/Linux router boxes all seem to run Mini-ITX hardware on Intel ATOMs or VIA processors or Vyatta running standard x86 Multi-core architecture for their appliances; how does this relate to the equation? Those are very weak processors, again, it's all about how much pps you need. for SOHO's not engineers then :-) Thanks for all the support!!! Best regards, Kaya
Re: Router project on OpenBSD questions
On 02/28/2012 01:57 PM, Stuart Henderson wrote: I also would like to know if anyone knows of any ADSL2+ Annex M standard PCI (/x/) based modem card that I can use to connect to my ISP with instead of using an external device? So far in my search I came across this: http://linitx.com/viewcategory.php?catid=47 This is basically an ADSL router on a PCI card presenting as an ethernet interface. iirc, you configure it with telnet/http. In a normal config then this card will be actively routing packets. Personally I prefer to have a separate router/modem that can be swapped out without powering down the machine, and usually connected by a better quality network interface than an rl(4) Main advantage I see with these particular carsd is that if you have a dual-PSU machine you can get some power protection. If you want to terminate ppp in OpenBSD then you can do that just as well with an external box as you can with one of these (configure in bridge mode, run pppoe(4) in OpenBSD). Thanks a lot Stuart for the response!! I think that particular interface isn't around any more as the company that builds them have gone here: http://www.rocksolidelectronics.com/pages/products/v1.php This makes more sense to me personally as I've had Cisco router experience as discussed; unfortunately while 'maxing' out connections Cisco's tend to blow up!!! They crash, get slow and start acting funny What I'm trying to do is replace my Cisco 857, 877, and 1801 as the performance is **not** there for me :-( CPU driven into 100% on all boxes and memory used up also. I was planning on getting a 2901 with VDSL2/ADSL2/2+ Annex M card and 8 port Gb switch card. But after careful consideration I decided against it as it would issue the same problems for me and be more expensive then going down the OpenBSD route as discussed previously. Also 75Mbps is mentioned by Cisco for the 2900 series: http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html which is pathetic as in the UK fiber networks are slowly becoming more available to the masses - in terms of offerings of up to 1Gbps are available for round #50/month ($75/month (US)). Even a VDSL2 solution offers up to 100Mbps - depending on distance between local loop and CPE but I'm sure that the 2900 series or 800 series VDSL provisioned ISR would struggle to meet those speeds. Couple that with 1000+ TCP/IP flows through UDP or TCP packet transactions and any **standard** branch based ISR wouldn't be able to cope :-( Are these going to be OpenBSD compatible or are there others??? Yes should be compatible, it just looks like a nic. On the site even mentions xBSD compatibility as post read now :-) Does anyone know of a VDSL2 solution like this also? Don't know of one. My same comments would apply about preferring a separate box. See my comments above - otherwise wouldn't spend hassle on this design and would have gone directly to a 2901 with VDSL2 card. Other option is this: http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78-613481.html and link to OpenBSD based router design... but if telco chipset (modem) of router gets maxed then the whole box will become saturated :-( For software I plan to use Quagga/Zebra which should be in the ports or compatible easily coupled with NAT, ACL's, Firewall using PF or so In OpenBSD there are actually usable routing daemons, OpenBGPD, OpenRIPD and OpenOSPFD. Ugh quagga. Maybe when someone pulls together all the various internally-maintained forks of it it'll be a bit more usable.. The OpenBSD routing daemons are pretty good. Other than that for open-source routing there are some circumstances where BIRD running on Linux might be useful (personally I can't stand the config but I'd rather run this than Quagga..). Coming from FreeBSD background I didn't know of the OpenBSD integration with routing etc... so thanks for the 'wake up call' :-) Is OpenBSD compatible with Cisco VTP and STP to trunk VLANs to Cisco switches? I'm not familiar with VTP, the rest will be fine. Standard 802.1q works fine - vlan(4) and we also do QinQ (ethertype 0x88a8 only) with svlan(4). We don't do VTP (or GVRP), you need to configure vlans separately. Personally I don't see that as a disadvantage :) STP is for bridging not for vlan support, we do support STP/RSTP but not MSTP though switches should fallback to RSTP in that case. (I try and leave bridging to switches though). I see where you're headed with this! Leave spanning-tree to the switches to block redundant ports and prevent loops but trunk everything to OpenBSD and inter-Vlan route/switch from there. Rather then link aggregation using Etherchannel et el Get a multi port NIC on the OpenBSD box then according to b/w requirements can trunk on different port if needed. I did discover this already: http://fengnet.com/book/icuna/ch05lev1sec5.html so it would seem so, howe
Monitoring PF rules on egress interface not showing pass definitions
Hi,
I created a virtual instance of OpenBSD 5.0 x64 RELEASE edition using
VirtualBox and set it up to be used as router/gateway with NAT.
Taking this:
http://www.openbsd.org/faq/pf/example1.html
as an example for practically getting to know packet filter which I've
never used before and get more familiar with OpenBSD in itself.
Through reading the FAQ on PF and trying to understand the way it works
can someone clarify that the rule weightings are in bottom-up order.
what I'm trying to clarify is that if I use a pseudo Cisco ACL statement:
deny any any
permit ip 1.1.1.1 any ip 2.2.2.2 80
line 2 with permit will **never** get matched because there is an
implicit deny statement before which has full weighting. Therefor one
must first specify the permit then the deny in order for the ACL to have
relevance.
In Pack Filter this seems to be the reverse according to the example
page shown above or the FAQ:
http://www.openbsd.org/faq/pf/filter.html
meaning that using PF syntax, something like:
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
will block everything from the statement: "block in log" but if a "pass"
statement is put after the filter's "block" statement the weighting will
be on the "pass" line and hence a match will try to be determined.
In accordance to the above I activated RIPD, took down packet filter
using: pfctl -d and setup a connection to my router/gateway.
Once everything was working, I activated packet filter again using:
pfctl -e and restarted RIPD for good measure: /etc/rc.d/ripd restart
All was good and RIPD wasn't able to send or receive any updates -
actually due to the customization of Exmaple1 from the FAQ, I think RIP
updates were being sent but not able to be received! --please correct me
if wrong.
So adding the line:
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
#-->
pass in on egress inet proto udp from any to (egress) \
port $udp_services
in the mix, RIP information was now being passed internally **to**
OpenBSD (but not through to the other side of the NAT).
The major issue I'm having with all of this is that I can't see anything!
Even SSH'ing into the OBSD instance using tcpdump, from the example
shown here:
http://www.openbsd.org/faq/pf/logging.html
[quote]
>
> # tcpdump -n -e -ttt -r /var/log/pflog port 80
>
> This can be further refined by limiting the display of packets to a
> certain host and port combination:
>
> # tcpdump -n -e -ttt -r /var/log/pflog port 80 and host 192.168.1.3
>
> The same idea can be applied when reading from the pflog0 interface:
>
> # tcpdump -n -e -ttt -i pflog0 host 192.168.4.2
>
[/quote]
I get lines stating:
Mar 02 16:38:38.875426 rule 3/(match) block in on em0: 192.168.0.1.520 >
255.255.255.255.520: RIPv2-resp [items 3]: {0.0.0.0}(1)[|rip] [tos 0xc0]
which means that information is being matched by rule 3 and being blocked!
However, running tcpdump without as many restrictions directly on
interface em0 (external interface):
tcpdump port 520 (automatically defaults to int. em0)
16:41:18.563311 OpenBSD.optiplex-networks.com.route >
rip2-routers.mcast.net.route: RIPv2-resp [items 2]:
{88.88.88.0/255.255.254.0}(1) {192.168.0.0/255.255.255.0}(16) [tos 0xc0]
[ttl 1]
16:41:24.354945 192.168.0.1.route > 255.255.255.255.route: RIPv2-resp
[items 3]: {0.0.0.0}(1) {192.168.1.0/255.255.255.0}(1)
{192.168.2.0/255.255.255.0}(1) [tos 0xc0]
Which also doesn't make sense as the router seems to be using Broadcast
for RIP while OpenBSD is sending the updates to a multicast address
located at 224.0.0.9:520.
Neither of which however, tells me what the system is doing in terms
of diagnostic or verbose output of if packet filter is accepting or
rejecting this information.
Taken from: ripctl:
> # ripctl show fib
> flags: * = valid, R = RIP, C = Connected, S = Static
> Flags Destination Nexthop
> *S 0.0.0.0/0192.168.0.1
> *R 0.0.0.0/0192.168.0.1
> *C 88.88.88.0/23link#2
> *S 127.0.0.0/8 127.0.0.1
> *C 127.0.0.1/8 link#0
> * 127.0.0.1/32 127.0.0.1
> *C 192.168.0.0/24 link#1
> *S 192.168.0.55/32 127.0.0.1
> *R 192.168.1.0/24 192.168.0.1
> *R 192.168.2.0/24 192.168.0.1
> *S 224.0.0.0/4 127.0.0.1
> # ripctl show neighbor
> ID State Address Iface Uptime
> 192.168.0.1 ACTIVE/ACTIVE 192.168.0.1 em0 00:00:38
> # ripctl show fib rip
> flags: * = valid, R = RIP, C = Connected, S = Static
> Flags Destination Nexthop
> *R 0.0.0.0/0192.168.0.1
> *R 192.168.1.0/24 192.168.0.1
> *R 192.168.2.0/24 192.168.0.1
Which shows from the rip side of things that everything's fine.
or using:
> # pfctl -ss
> all t
ISAKMP Phase-2 not completing with Cisco ISR - IPSEC over GRE
Hi,
I am trying to create a VPN between my OpenBSD test box running in a
Virtual Box instance, with bridged interface to my NIC and my Cisco 857
router.
I am getting these error messages in /var/log/messages:
Mar 5 21:24:31 OpenBSD isakmpd[27722]: dropped message from 192.168.0.1
port 500 due to notification type INVALID_ID_INFORMATION
Mar 5 21:25:14 OpenBSD isakmpd[27722]: transport_send_messages: giving
up on exchange peer-192.168.0.2, no response from peer 192.168.0.2:500
Mar 5 21:26:41 OpenBSD isakmpd[27722]: responder_recv_HASH_SA_NONCE:
peer proposed invalid phase 2 IDs: initiator id 0.0.0.0/0.0.0.0,
responder id 0.0.0.0/0.0.0.0
Running; debug crypto isakmp on the Cisco I get this:
010554: Mar 5 21:45:03.871: ISAKMP:(0): beginning Main Mode exchange
Cisco857W#
010555: Mar 5 21:45:03.871: ISAKMP:(0): sending packet to 192.168.0.2
my_port 500 peer_port 500 (I) MM_NO_STATE
010556: Mar 5 21:45:03.875: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco857W#
010557: Mar 5 21:45:13.875: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
010558: Mar 5 21:45:13.875: ISAKMP (0:0): incrementing error counter on
sa, attempt 1 of 5: retransmit phase 1
010559: Mar 5 21:45:13.875: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
010560: Mar 5 21:45:13.875: ISAKMP:(0): sending packet to 192.168.0.2
my_port 500 peer_port 500 (I) MM_NO_STATE
010561: Mar 5 21:45:13.875: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco857W#
010562: Mar 5 21:45:23.874: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
010563: Mar 5 21:45:23.874: ISAKMP (0:0): incrementing error counter on
sa, attempt 2 of 5: retransmit phase 1
010564: Mar 5 21:45:23.874: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
010565: Mar 5 21:45:23.874: ISAKMP:(0): sending packet to 192.168.0.2
my_port 500 peer_port 500 (I) MM_NO_STATE
010566: Mar 5 21:45:23.874: ISAKMP:(0):Sending an IKE IPv4 Packet.
So far after lots of research and reading I have got this config:
OpenBSD 5.0-RELEASE-x64:
{ipsec.conf}
ike esp transport from 192.168.0.2 to 192.168.0.1 main auth hmac-md5 enc
3des group modp1536 quick auth hmac-md5 enc 3des psk "secret"
ike esp transport from 10.255.255.101 to 10.255.255.102 peer 192.168.0.2
{gre1 interface}
10.255.255.101 10.255.255.102 netmask 0x link0 up
tunnel 192.168.0.2 192.168.0.1
Cisco 857:
{Crypto information}
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
lifetime 60
crypto isakmp key secret address 192.168.0.2
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set geo-sync-set-01 esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile geo-sync-profile-01
set transform-set geo-sync-set-01
!
!
crypto map geo-sync-01 10 ipsec-isakmp
set peer 192.168.0.2
set transform-set geo-sync-set-01
match address 101
{Tunnel interface}
interface Tunnel0
bandwidth 100
ip address 10.255.255.102 255.255.255.252
ip accounting output-packets
ip accounting access-violations
ip rip send version 2
ip rip receive version 2
tunnel source BVI2
tunnel destination 192.168.0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile geo-sync-profile-01
{BVI2}
interface BVI2
description Bridge between Vlan2 and Dot11Radio0.2 for wireless network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip rip send version 2
ip rip receive version 2
no ip virtual-reassembly
no ip route-cache
crypto map geo-sync-01
{Access-list 101}
access-list 101 permit udp any host 192.168.0.2 eq isakmp
access-list 101 permit esp any host 192.168.0.1
access-list 101 permit gre host 10.255.255.101 host 10.255.255.102
access-list 101 permit gre any host 192.168.0.1
I'm quite puzzled by where the problem lies as the above Cisco config
was working fine using Cisco<->Cisco between 3 separate gateways.
Could anyone help me identify what the issue could be and define a
resolution??
I do realize that am using internal IP addresses. but this is only a
test bed in preparation for production use later!
Regards,
Kaya
Re: Snappy Answers to Stupid Questions - WTF?
On 03/09/2012 10:35 PM, Ingo Schwarze wrote: Brett wrote on Sat, Mar 10, 2012 at 09:12:11AM +1100: I noticed and think its a great title, because it would never be approved by a marketing department. See, Nick *is* the honorary marketing department. Er... well... among other functions. (He is a bit into support as well, kind of.) And the title *was* approved by the CTO - smilingly, no doubt :). Sorry guys am confused what are you on about? What's OpenBSD? How do I install an OS? My computer doesn't start after I posted on this list? Does OpenBSD have a marketing department, I thought it was opensource free software not a product and end users where supposed to be intelligent? I typed in man but nothing happened How do I connect OpenBSD to the internet? Is OpenBSD the inernet? Installed X11 now firefox doesn't start? Added send/receive RIPv1 to my router, now running ripctl show fib doesn't show my subnets? Why do these types of questions make regular list users swear (sometimes even in their graves)? .et al. ok I feel less stressed! Back to watching Grey's Anatomy :-) Regards, Kaya
Re: Snappy Answers to Stupid Questions - WTF?
On 03/10/2012 08:27 AM, Lars wrote: Kaya Saman wrote: On 03/09/2012 10:35 PM, Ingo Schwarze wrote: Brett wrote on Sat, Mar 10, 2012 at 09:12:11AM +1100: I noticed and think its a great title, because it would never be approved by a marketing department. See, Nick *is* the honorary marketing department. Er... well... among other functions. (He is a bit into support as well, kind of.) And the title *was* approved by the CTO - smilingly, no doubt :). Sorry guys am confused what are you on about? What's OpenBSD? How do I install an OS? My computer doesn't start after I posted on this list? Does OpenBSD have a marketing department, I thought it was opensource free software not a product and end users where supposed to be intelligent? I typed in man but nothing happened Type in woman at your unix terminal or on google images. Problem solved. I typed in woman and plural but each time the machine crashes and turns off??? Is it possible that my kernel maybe gay? touch /usr/bin/woman vi #!/sbin/sh halt -p :-P How do I connect OpenBSD to the internet? Not sure, possibly you mean teh internets and not the internet. Everybody called it the web so I decided to seek out an arachnologist, although she laughed at me at the next thing I knew I was in a white room with no windows and doors :-( Is OpenBSD the inernet? You mean teh internets? Spider Webs! Tried catching fish once but our pond was dry :-( Installed X11 now firefox doesn't start? Not sure what your pet animal has to do with anything, you mean your cat? or an actual fox? Did you set your cat on fire? Or your fox? Hmm. when I moved in the council told us that there would be city foxes living in the garden and cats roaming around wild too. Just didn't expect to see any on X11?? I still can't!
Re: Request for a new list: trolling
On 03/10/2012 01:33 PM, 0xAAA wrote: It is quite interesting that any trolling message gets more attention than a real, OpenBSD related problem (view the threads of the stupid guy which cant read installation instructions...) It could be just that people need to let off steam once in a while and have some fun rather then being all serious. Basically creating an OpenBSD "playground" and "letting the animals out of the zoo for a while" so to speak would be a good idea. My suggestion: We create a new list, eg. "trolling" or "smalltalk" where other users can discuss about senseless questions. misc (miscellaneous) sounds perfect for this: might be better to create a legitimate questi...@openbsd.org list - like we do on FreeBSD, that way people could kinda separate things more clearly Actually as a FreeBSD user for round 3+ years now I'm pretty much signed up to all non-devel based FBSD lists as they all come in useful for legitimate problems and issues. And misc should be about real problems/discussions (like it was before stupid linus-nerds arrived on this list...) Never knew being a nerd was associated with stupidity thought they were spectrally at opposite ends :-P Or is this just an OpenBSD superiority thing?? Hmm. the BSD Daemon insignia. didn't they do that back in 1939??? Look where they got! :-P :-P :-P :-P (sorry for that non-misc related message) P.s. just because am new to OpenBSD and posting back with my thoughts and opinions it doesn't mean that I'm trolling!!! :-) To be honest from what I've seen with OpenBSD to this date: gateway/NAT/router/firewall/VPN concentrator (yep done all this), I really like it and will continue to use it for many years to come and hopefully contribute myself, to help the community. OS wars aside OpenBSD is really cool and as router and network appliance capable OS kicks Cisco right in their ASCII. P.p.s. no lynching me please Regards, Kaya
Which automake and autoconfig versions to compile NTOP v4?
Hi, I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD RELEASE 5.0 x64 but am running into issues regarding automake and autoconfig. Basically I installed: automake-1.11.1p2 autoconf-2.67 The install script comes up saying this: # ./autogen.sh Starting ntop automatic configuration system v.0.2.3 Please be patient, there is a lot to do... 1. Testing gnu tools You must have automake installed to compile ntop. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/automake We recommend version 1.6.3 or higher You must have autoconf installed to compile autogen.sh. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf We recommend version 2.53 or higher It's weird because both packages are installed and have confirmed that running: find / -name auto(conf and make). Can anyone suggest anything? I'm actually puzzled as to why the Ntop version on the public FTP servers are s old and out of date, I mean v1.x? With that there's no Web GUI and actually works more like some of the other cli packet sniffers am used to such as trafshow, jnettop, iptraf-ng etc.. It would be so awsome to see these on the FTP servers so that all one needs to do is just pkg_add them but am stuck now compiling and not sure if it's even gona work Regards, Kaya
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/11/2012 08:10 PM, Remco wrote: Kaya Saman wrote: Hi, I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD RELEASE 5.0 x64 but am running into issues regarding automake and autoconfig. Basically I installed: automake-1.11.1p2 autoconf-2.67 The install script comes up saying this: # ./autogen.sh Starting ntop automatic configuration system v.0.2.3 Please be patient, there is a lot to do... 1. Testing gnu tools You must have automake installed to compile ntop. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/automake We recommend version 1.6.3 or higher You must have autoconf installed to compile autogen.sh. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf We recommend version 2.53 or higher It's weird because both packages are installed and have confirmed that running: find / -name auto(conf and make). Can anyone suggest anything? try: automake --version autoconf --version The messages should be self-explanatory if you didn't define certain environment variables, e.g., I have this in my environment: $ set |grep AUTO AUTOCONF_VERSION=2.65 AUTOMAKE_VERSION=1.11 automake --version autoconf --version come up with this # automake --version Provide an AUTOMAKE_VERSION environment variable, please # autoconf --version Provide an AUTOCONF_VERSION environment variable, please ?? set |grep AUTO also doesn't display anything??? However, the packages are installed in /usr/local/bin which is confirmed using **find** actually just seeing this now it turns out that automake is proceeded by a version number. So it works then I guess but why can't Ntop install script pick it out?
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/11/2012 08:20 PM, Marc Espie wrote: On Sun, Mar 11, 2012 at 07:42:43PM +, Kaya Saman wrote: Hi, I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD RELEASE 5.0 x64 but am running into issues regarding automake and autoconfig. Basically I installed: automake-1.11.1p2 autoconf-2.67 The install script comes up saying this: # ./autogen.sh Starting ntop automatic configuration system v.0.2.3 Please be patient, there is a lot to do... 1. Testing gnu tools You must have automake installed to compile ntop. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/automake We recommend version 1.6.3 or higher You must have autoconf installed to compile autogen.sh. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf We recommend version 2.53 or higher See how the metaauto port works. autoconf and automake are actually scripts that depend on AUTOCONF_VERSION and AUTOMAKE_VERSION to select the right ones. Ok thankyou! .this makes sense now to me. But how to set AUTOCONF_VERSION and AUTOMAKE_VERSION??? You say metaauto port but I thought that in OpenBSD one was not supposed to used ports unlike FreeBSD which I'm used to? hmm # man metaauto man: no entry for metaauto in the manual. looks like I need to do some further Google'ing! Regards, Kaya
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/11/2012 08:20 PM, Marc Espie wrote: On Sun, Mar 11, 2012 at 07:42:43PM +, Kaya Saman wrote: Hi, I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD RELEASE 5.0 x64 but am running into issues regarding automake and autoconfig. Basically I installed: automake-1.11.1p2 autoconf-2.67 The install script comes up saying this: # ./autogen.sh Starting ntop automatic configuration system v.0.2.3 Please be patient, there is a lot to do... 1. Testing gnu tools You must have automake installed to compile ntop. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/automake We recommend version 1.6.3 or higher You must have autoconf installed to compile autogen.sh. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf We recommend version 2.53 or higher See how the metaauto port works. autoconf and automake are actually scripts that depend on AUTOCONF_VERSION and AUTOMAKE_VERSION to select the right ones. Well in mean time I found this: http://openports.se/devel/metaauto although I don't think it's installed as **find** didn't come up with anything. Does this mean that without the metaauto port that the **system** or **any** install script will not know how to handle a basic compile? Am really confused now as I don't understand anything of what's going on! This might be an easier to answer question then: how do I tell the system to use one particular version of autoconf and automake...??? Which files do I need to edit to do that? Am so sorry for being slow but am just so used to running: cd /usr/ports/*/portname make install clean and everything being done in the background for me! Regards, Kaya
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/11/2012 08:20 PM, Marc Espie wrote: On Sun, Mar 11, 2012 at 07:42:43PM +, Kaya Saman wrote: Hi, I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD RELEASE 5.0 x64 but am running into issues regarding automake and autoconfig. Basically I installed: automake-1.11.1p2 autoconf-2.67 The install script comes up saying this: # ./autogen.sh Starting ntop automatic configuration system v.0.2.3 Please be patient, there is a lot to do... 1. Testing gnu tools You must have automake installed to compile ntop. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/automake We recommend version 1.6.3 or higher You must have autoconf installed to compile autogen.sh. Download the appropriate package for your distribution, or get the source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf We recommend version 2.53 or higher See how the metaauto port works. autoconf and automake are actually scripts that depend on AUTOCONF_VERSION and AUTOMAKE_VERSION to select the right ones. Well I actually sort-of figured this out but turned out to be a very messy hack and probably have broken other things. meaning am totally not sure of the implications of my actions! I basically moved the autoconf and automake "scripts" to files called auto*.scr, then symlinked the highest versions of each software to automake and autoconf respectively. i have no idea down-the-line if this will break anything but for now it works :-) Regards, Kaya
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/11/2012 10:34 PM, Ted Unangst wrote:
On Sun, Mar 11, 2012, Kaya Saman wrote:
try: automake --version
autoconf --version
The messages should be self-explanatory if you didn't define certain
environment variables, e.g., I have this in my environment:
automake --version
autoconf --version
come up with this
# automake --version
Provide an AUTOMAKE_VERSION environment variable, please
# autoconf --version
Provide an AUTOCONF_VERSION environment variable, please
How are those messages not self explanatory? Did you read them?
Sure I read them it's a bit difficult not to!
I also managed to get round them by providing the versions:
eg. automake-1.11 --version
my issue was how to get the Ntop config script to understand that
automake and autoconf **are** installed on the system!!!
Luckily a friendly person did explain that I should first **export** the
versions then run the config gen script which indeed worked!!!
export AUTOMAKE_VERSION=1.11 AUTOCONF_VERSION=2.67
However, please note that am still learning OpenBSD after coming over
from Linux and FreeBSD and additionally I am NOT a programmer or even
good at programming
My main base in fact is network engineering so forgive me if I don't
know the intricate details of the OpenBSD OS
Using FreeBSD I would just do this:
cd /usr/ports/*/ntop
make install clean
and providing my **ports** tree is uptodate it will work flawlessly.
Additionally on Linux for RPM based would be yum install ntop or DEB
based would be apt-get install ntop
Now I do know these without even needing to read the documentation...
however even **IF** I tried to compile on one of those platforms which I
do all the time I never need to adjust system variables or tell the
configure script what compiler or other I'm using as it is intelligent
enough to autodetect it.
I understand OpenBSD is different and I'm trying to get used to it but
please cut new users some slack as not everyone is God's gift to
computing... {I don't say this as an attack or with any bad
intentions just frustration at how unforgiving this list is sometimes}
Regards,
Kaya
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/12/2012 12:21 AM, hex wrote:
On Sun, Mar 11, 2012 at 10:48:24PM +, Kaya Saman wrote:
On 03/11/2012 10:34 PM, Ted Unangst wrote:
On Sun, Mar 11, 2012, Kaya Saman wrote:
try: automake --version
autoconf --version
The messages should be self-explanatory if you didn't define certain
environment variables, e.g., I have this in my environment:
automake --version
autoconf --version
come up with this
# automake --version
Provide an AUTOMAKE_VERSION environment variable, please
# autoconf --version
Provide an AUTOCONF_VERSION environment variable, please
How are those messages not self explanatory? Did you read them?
Sure I read them it's a bit difficult not to!
I also managed to get round them by providing the versions:
eg. automake-1.11 --version
my issue was how to get the Ntop config script to understand that
automake and autoconf **are** installed on the system!!!
Luckily a friendly person did explain that I should first **export** the
versions then run the config gen script which indeed worked!!!
That's what providing the environment variable means.
I didn't know that so thanks for pointing that out.
export AUTOMAKE_VERSION=1.11 AUTOCONF_VERSION=2.67
However, please note that am still learning OpenBSD after coming over
from Linux and FreeBSD and additionally I am NOT a programmer or even
good at programming
One exclamation point is enough.
Sorry frustration got the better of me!
My main base in fact is network engineering so forgive me if I don't
know the intricate details of the OpenBSD OS
Those are not intricate details. Environment variables exist in virtually every
operating system available.
I do understand that compiling software is part of UNIX and I accept
that I don't know enough about it but the other types of OS's stated all
work without issues which ok is not the OS fault, rather that
software is mostly being designed for Linux and a really great effort to
**port** the stuff is being done by FreeBSD. But without knowing the
characteristics of an OS it's very difficult to debug issues if one
doesn't understand how it handles certain things.
Using FreeBSD I would just do this:
cd /usr/ports/*/ntop
make install clean
and providing my **ports** tree is uptodate it will work flawlessly.
Additionally on Linux for RPM based would be yum install ntop or DEB
based would be apt-get install ntop
Great story.
Uh sorry was just trying to stress or rather emphasize my point. I
think eventually the only thing that got stressed was me :-(
Now I do know these without even needing to read the documentation...
however even **IF** I tried to compile on one of those platforms which I
do all the time I never need to adjust system variables or tell the
configure script what compiler or other I'm using as it is intelligent
enough to autodetect it.
The configure script is not part of the operating system, it is part of the
package/tarball, if you're using something that needs automake/autoconf you're
probably checking out development versions of software and then complaining to
the OS developers who have nothing to do with it.
Erm I wasn't complaining. I just needed a hand to figure out how to
get the script to interact with the OS. Now it's time to take my case to
the Ntop team as the script is blocking me claiming "unsupported OS".
True though it maybe I would still like to get Ntop (the current
version) working on OpenBSD as unfortunately it's not available natively.
I understand OpenBSD is different and I'm trying to get used to it but
please cut new users some slack as not everyone is God's gift to
computing... {I don't say this as an attack or with any bad
intentions just frustration at how unforgiving this list is sometimes}
I love this list for that.
Uh! :-(
Would it not just be easier and cleaner to create a new list for
newbies? That way the more advanced stuff could be taken care of on this
list and only people willing to help others could post useful comments
and help on the other list.
.actually this list may become really quiet then??? As in all of my
1 week being here not much help goes on just arguments and flames.
Regards
Hektor Oksenberg
Regards,
--K
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/12/2012 09:59 AM, Peter Hessler wrote: On 2012 Mar 12 (Mon) at 00:44:15 + (+), Kaya Saman wrote: :Would it not just be easier and cleaner to create a new list for :newbies? That way the more advanced stuff could be taken care of on :this list and only people willing to help others could post useful :comments and help on the other list. This mailing list does exist. I've been running it (in a very lazy fasion) since 2002. You can sign up for it at http://mailman.theapt.org/listinfo/openbsd-newbies Thanks :-) And additionally I am sorry for annoying almost the whole of this list :-( I didn't mean to rant or to tick anybody off! Using OpenBSD for a bit I really do like but hence need to learn it. Regards, Kaya
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/12/2012 10:50 AM, Stuart Henderson wrote: On 2012-03-11, Kaya Saman wrote: Now I do know these without even needing to read the documentation... however even **IF** I tried to compile on one of those platforms which I do all the time I never need to adjust system variables or tell the configure script what compiler or other I'm using as it is intelligent enough to autodetect it. You don't usually need to run autoconf to regenerate the configure script unless you edit configure.in or other m4 files. The software authors are supposed to do that for you as part of their release process I eventually figured that one out by reading the scripts themselves, but it seems that a lot of software is unsupported on OpenBSD and the devels don't want to know either as other OS's have larger user bases. Pretty sure there is some selection mechanism for different autoconf versions on FreeBSD as well but maybe they picked a default version (at least by making it an explicit requirement OpenBSD users are less likely to be affected by incompatible autoconf versions). I will keep searching and studying this as it might be just the config scripts as you mentioned above. Regards, Kaya
Re: Which automake and autoconfig versions to compile NTOP v4?
On 03/12/2012 11:21 AM, Stuart Henderson wrote: On 2012-03-11, Kaya Saman wrote: Well in mean time I found this: http://openports.se/devel/metaauto although I don't think it's installed as **find** didn't come up with anything. pkg_info | grep metaauto Also look at locate(1) which uses a database generated weekly(8) to speed up filename searches, and the pkglocate package (a locate database of files from *all* packages, not just the installed ones, also showing the package names). Oh locate is available in OpenBSD? That's good news! ntop is in ports but horribly out of date. Newer versions had some problems, I suspect many of these relating to how our old thread library worked - I might take a look at updating the port sometime now we're using rthreads. If you're looking at building it yourself I would suggest waiting for base and package snapshots to start up again, then upgrade everything to -current, before spending more time on ntop. I'll do just that :-) Regards, Kaya
Re: question_about_OpenBSD_on_ADSL_modems/routers
I think this is what you might be looking for: http://www.rocksolidelectronics.com/pages/products.php Not sure where you are based but if in Europe then Linitx can help you is in the UK however. http://linitx.com/viewcategory.php?catid=148 Regards, Kaya On Mon, Jun 25, 2012 at 9:47 AM, soko.tica wrote: > Hallo list, > > I ask for information about ADSL modems/routers (preferably low-cost) > on which OpenBSD can run. > > I know there was a possibility to get Traverse Technologies Viking PCI > ADSL card on any box, but I have learned recently it is out of > production. > > Thanking you in advance.
