Re: Best way to serve files to Windows?

2018-07-18 Thread Radek
I have a Samba/OpenBSD server at the university's labs (VLANs, ~100 
workstations [win7, win10], ~1k users). 
There are a few read-only shares that are automatically mounted at Windows 
startup. Users can mount/umount their /homes by a "net use..." script 
(user/pass). They can also access their files over the internet via SFTP.
It has just worked fine since ~2011.

On Wed, 18 Jul 2018 15:22:59 +0200
Solene Rapenne  wrote:

> 
> John Long writes:
> 
> > Hi,
> >
> > I have minidlna working fine on OpenBSD. However this doesn't help with
> > Roon media software since they don't have anything for OpenBSD,
> > unsurprisingly. Roon doesn't want to support dlna.
> >
> > I have my Windows foobar2000 appliance roped-off from my LAN because I
> > don't trust Windows boxes on my network. So I would like to set up some
> > way to serve the files to Windows from OpenBSD. I guess that is
> > CIFS/SAMBA?
> >
> > Is this secure over the network? I have not done this before and I
> > don't know what's involved. Is there an approved CIFS implementation to
> > use?
> >
> > Thanks,
> >
> > /jl
> 
> Hello,
> 
> I would recommend samba. You can also try using NFS, I've heard that
> Windows can mount NFS shares.
> 
> About the security thing, I don't know if the protocol used by samba is
> secure between clients, but you can still run a VPN between your openbsd
> box and the Windows client to allow connecting to the samba share
> securely.
> 
> regards
> 


-- 
radek



Re: ikev2 and road warriors setup

2018-10-28 Thread Radek
payload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from A.B.C.77:500 to 1.2.3.119:500 msgid 
0, 329 bytes
config_free_proposals: free 0x7fcc4880
config_free_proposals: free 0x85753900
config_free_proposals: free 0x7fcc03c0
config_free_proposals: free 0x7fcc4080
config_free_proposals: free 0x7fcc4580
config_free_proposals: free 0x825a0a00

Then I get 809 Error.

On Wed, 7 Feb 2018 22:01:16 +0100
Radek  wrote:

> Hi again,
> 
> I'm still trying to make it work for roadwarriors. 
> VPN server has IP address A.B.9.73/23. It is OpenBSD6.1.
> 
> I generated certs:
> 
> # hostname
> serv73
> 
> # ikectl ca vpn create (CN = serv73)
> # ikectl ca vpn install
> 
> # ikectl ca vpn certificate A.B.9.73 create
> # ikectl ca vpn certificate A.B.9.73 install
> 
> # ikectl ca vpn certificate A.B.9.76 create #(CN = A.B.9.76)
> # ikectl ca vpn certificate A.B.9.76 export 
> 
> After installing A.B.9.76.zip in Win7 I can connect to the VPN server from any IP 
> address that is in the range A.B.9.0/23. 
> 
> I can't connect from an IP that is NOT from A.B.9.0/23. 
> I tried to connect from many IPs (public and behind NAT) but every time I got 
> "809 error". 
> 
> Can anyone please help me with solving that problem?
> 
> # cat /etc/iked.conf
> [snip]
> ikev2 "roadWarrior" passive esp \
> from 10.0.73.0/24 to 0.0.0.0/0 local A.B.9.73 peer any \
> srcid A.B.9.73 \
> config address 10.0.70.128 \
> tag "$name-$id"
> 
> # iked -n
> configuration OK
> 
> # cat /etc.pf.conf 
> ext_if  = "vr0"
> lan_if  = "vr1"# vr1
> lan_local   = $lan_if:network  # 10.0.73.0/24
> ext_ip  = "A.B.9.73"
> bud = "A.B.9.0/25"
> rdkhome_wy  = "YY.YY.YY.YY"
> rdkhome_mon = "XX.XX.XX.XX"
> ssh_port= "1071"
> icmp_types  = "{ echoreq, unreach }"
> table  const { A.B.9.74, A.B.C.75 }
> set skip on { lo, enc0 }
> block return on $ext_if # block stateless traffic
> 
> match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
> 
> pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to 
> $ext_if port $ssh_port \
> set prio (1, 6) keep state
> 
> pass out quick on egress proto esp from (egress:0) to  
>  keep state
> pass out quick on egress proto udp from (egress:0) to  port {500, 
> 4500} keep state
> pass  in quick on egress proto esp from  to (egress:0) 
>  keep state
> pass  in quick on egress proto udp from  to (egress:0) port {500, 
> 4500} keep state
> pass out quick on trust received-on enc0 keep state
> pass out log proto tcp set prio (1, 6) keep state
> pass log proto udp set prio (1, 6) keep state
> 
> pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
> pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep 
> state
> 
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> 
> 
> # iked -dvv
> ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500 
> policy 'roadWarrior' id 0, 528 bytes
> ikev2_recv: ispi 0x35e2e7f614678913 rspi 0x
> ikev2_policy2id: srcid IPV4/A.B.9.73 length 8
> ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 
> 528 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
> ikev2_pld_sa: more than one proposal specified
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
> ikev2

Re: ikev2 and road warriors setup

2018-11-02 Thread Radek
 initiator auth data length 574
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 574
sa_stateok: SA_INIT flags 0x, require 0x0009 cert,auth
config_free_proposals: free 0x79d91600
ca_getreq: found CA 
/C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_getreq: found local certificate 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com
ca_setauth: auth length 272
ikev2_getimsgdata: imsg 20 rspi 0x84af2c52dcbc294d ispi 0x64068214f68d9422 
initiator 1 sa valid type 4 data length 961
ikev2_dispatch_cert: cert type X509_CERT length 961, ok
sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
ikev2_getimsgdata: imsg 25 rspi 0x84af2c52dcbc294d ispi 0x64068214f68d9422 
initiator 1 sa valid type 14 data length 272
ikev2_dispatch_cert: AUTH type 14 len 272
sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
ikev2_next_payload: length 127 nextpayload CERT
ikev2_next_payload: length 966 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload AUTH
ikev2_next_payload: length 280 nextpayload SA
pfkey_sa_getspi: spi 0xda769508
pfkey_sa_init: new spi 0xda769508
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1530
ikev2_msg_encrypt: padded length 1536
ikev2_msg_encrypt: length 1531, padding 5, output length 1568
ikev2_next_payload: length 1572 nextpayload IDi
ikev2_msg_integr: message length 1600
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1600 
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1572
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1536
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1536/1536 padding 5
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 
127
ikev2_pld_id: id 
ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com 
length 123
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 
length 966
ikev2_pld_cert: type X509_CERT length 961
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 
length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
280
ikev2_pld_auth: method SIG length 272
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 
xforms 7 spi 0xda769508
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 1.2.3.119 end 1.2.3.119
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.16.0.0 end 172.16.0.255
ikev2_msg_send: IKE_AUTH request from 1.2.3.119:500 to A.B.C.77:500 msgid 1, 
1600 bytes
ikev2_init_ike_sa: "home" is already active

$ ipsecctl -sa
FLOWS:
flow esp out from ::/0 to ::/0 type deny

SAD:

I really do not know what I am doing wrong.



On Wed, 31 Oct 2018 11:50:25 +0100
Kim Zeitler  wrote:

> On 10/28/18 3:04 PM, Radek wrote:
> > Hello,
> > I really need your help.
> > I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road 
> > warriors clients (Windows).
> > The problem is that it works ONLY if clients are in the same subnet as VPN 
> > Gateway (A.B.C.0/23).
> > Clients from out of the gateway's subnet (!A.B.C.0/23) can not establish 
> > the connection (809 Error). It does not matter if they are behind NAT or 
> > not, tried different IS

Fw: Re: ikev2 and road warriors setup

2018-11-05 Thread Radek
Hello Kim, 

> Could you post your pf.conf?
My VPN_server's(A.B.C.77/23) pf.conf is:

(1)
$ cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)

match out on egress from lan:network to any nat-to egress
#match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types  = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

I also tested my setup with this:
(2)
$ pfctl -s rules
pass all flags S/SA

and this:
(3)
$ pfctl -d
pfctl: pf not enabled

For (1), (2) and (3) the VPN is working just fine with Win7_warrior and 
puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if 
the warrior has a public IP or is behind NAT). The rest of the world fails to 
connect to the VPN_server.

> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?

By !A.B.C.0/23 I mean:
A.B.F.0/24 - tested both: public IP and behind router/NAT, warrior: Win7_warrior
1.2.3.119 - tested both: public IP and behind router/NAT, warrior: Win7_warrior 
and puffy_warrior
GSM network - only NATed connections, warrior: Win7_warrior

Some tcpdumps of attempts to connect to VPN_server(pass all flags S/SA):

### Win7_warrior, behind NAT:
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65-> msgid:  len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid:  len: 329
^C
811 packets received by filter
0 packets dropped by kernel

### Win7_warrior, public IP
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:51:25.446238 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 06d0dd81ba2f129d-> msgid:  len: 528
18:51:25.654428 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 06d0dd81ba2f129d->3e3cf1b1a7a5a3b8 msgid:  len: 329
^C
292 packets received by filter
0 packets dropped by kernel

### puffy_warrior (pfctl -d), behind NAT
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:45:33.600661 A.B.C.77.22 > 1.2.3.119.49486: . ack 2747766535 win 273 (DF)
18:45:40.562967 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 64755be010cd32d2-> msgid:  len: 510
18:45:41.927874 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 64755be010cd32d2->2a0fe33c6b9afff8 msgid:  len: 471

Thanks!

On Mon, 5 Nov 2018 09:27:25 +0100
Kim Zeitler  wrote:

> Hello Radek,
> 
> 
> On 11/2/18 10:16 PM, Radek wrote:
> > Thank you for your response,
> > 
> > Following your suggestion I removed IP from enc0 and changed iked.conf as 
> > below:
> > 
> > $ cat /etc/iked.conf
> > dns1 = "8.8.8.8"
> > dns2 = "8.8.4.4"
> > ikev2 "roadWarrior" ipcomp esp \
> >   from 0.0.0.0/0 to 0.0.0.0/0 \
> >   local A.B.C.77 peer any \
> >   srcid 
> > "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
> >   config address 10.0.1.0/24 \
> >   config netmask 255.255.255.0 \
> >   config name-server $dns1 \
> >   config name-server $dns2 \
> >   config access-server A.B.C.77 \
> >   config protected-subnet 0.0.0.0/0 \
> >   tag "$id"
> > 
> > It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
> I know this set-up to be working, as it is currently running here in 
> production.
> 
> 
> > 
> > I also tried another scenario: puffy_server <-> puffy_warrior
> > The same. My warrior also can not connect if it is !A.B.C.0/23, and the VPN 
> > works fine for clients from A.B.C.0/23.
> > Both machines are 6.3/i386.
> Your set-up is still a bit 'unclear', I would rather say you have a 
> firewall/routing problem than an IPSec problem. Error 809 means no data 
> received.
> 
> Could you post your pf.conf?
> How do you connect to networks !A.B.C.0/23
> Is your IPSec connection NATed?
> 
> Cheers
> Kim
> 


-- 
radek
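
The captures above all stop at the same point: A.B.C.77 answers IKE_SA_INIT, and no IKE_AUTH ever follows. As an added example that is not part of the thread, the script below reads tcpdump output in that two-line layout and reports, per initiator SPI, how far each handshake got; the capture text is constructed (A.B.D.9 and X.Y.Z.11 are made-up peers) and the IKE_AUTH line is written in the same style, the parser keying only on the "exchange" token and the cookie line.

```python
import re
from typing import Dict, List

# Constructed capture in the two-line layout of the tcpdump output above
# (OpenBSD tcpdump -n). 1.2.3.119 and A.B.C.77 are the peers from the thread;
# A.B.D.9 and X.Y.Z.11 are made-up peers. The IKE_AUTH line is written in
# the same style on purpose: the parser keys only on the "exchange" token and
# the cookie line, so whatever prefix tcpdump prints for port 4500 traffic
# does not matter. On an initiator's first packet the responder cookie is
# all zeros; the archive rendering of the thread dropped those zeros ("->"
# followed by nothing), and both forms are accepted.
SAMPLE_CAPTURE = """\
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65->0000000000000000 msgid: 00000000 len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid: 00000000 len: 329
18:40:01.100000 A.B.D.9.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 11aa22bb33cc44dd-> msgid:  len: 510
18:40:01.300000 A.B.C.77.500 > A.B.D.9.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 11aa22bb33cc44dd->99ee88ff77aa66bb msgid: 00000000 len: 471
18:40:01.600000 A.B.D.9.4500 > A.B.C.77.4500: isakmp v2.0 exchange IKE_AUTH
cookie: 11aa22bb33cc44dd->99ee88ff77aa66bb msgid: 00000001 len: 1600
18:45:40.562967 X.Y.Z.11.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 5a5a5a5a5a5a5a5a->0000000000000000 msgid: 00000000 len: 510
"""

# First line of a packet: timestamp, "src > dst:" and the exchange name.
HEADER_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+):"
                       r".*exchange (?P<exch>\S+)")
# Second line: the IKE SPI pair ("cookie"), message id and length.
COOKIE_RE = re.compile(r"cookie:\s*(?P<ispi>[0-9a-f]*)->(?P<rspi>[0-9a-f]*)"
                       r"\s+msgid:\s*[0-9a-f]*\s+len:\s*(?P<len>\d+)")


def _seconds(ts: str) -> float:
    """HH:MM:SS.ffffff -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _host(addr: str) -> str:
    """tcpdump -n appends the port as a last dotted component ("1.2.3.119.500")."""
    return addr.rsplit(".", 1)[0]


def parse_capture(text: str) -> List[dict]:
    """Pair each header line with its cookie line and return one dict per packet."""
    packets: List[dict] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        c = COOKIE_RE.search(line)
        if c and pending is not None:
            pkt = dict(pending)
            pkt["ispi"] = c.group("ispi")
            # An all-zero or missing responder SPI means "no responder yet".
            pkt["rspi"] = c.group("rspi") if c.group("rspi").strip("0") else ""
            pkt["len"] = int(c.group("len"))
            packets.append(pkt)
            pending = None
    return packets


def handshake_state(packets: List[dict], server: str) -> Dict[str, dict]:
    """Group packets by initiator SPI and record how far each handshake got."""
    sas: Dict[str, dict] = {}
    for p in packets:
        sa = sas.setdefault(p["ispi"], {"peer": None, "requests": 0,
                                         "init_req": None, "init_resp": None,
                                         "auth": False})
        if p["exch"] == "IKE_SA_INIT":
            if _host(p["dst"]) == server:          # request (or retransmit) from peer
                sa["requests"] += 1
                if sa["init_req"] is None:
                    sa["peer"] = _host(p["src"])
                    sa["init_req"] = _seconds(p["ts"])
            elif _host(p["src"]) == server and p["rspi"]:   # our reply, SPI assigned
                sa["init_resp"] = _seconds(p["ts"])
        elif p["exch"] == "IKE_AUTH":
            sa["auth"] = True
    for sa in sas.values():
        if sa["auth"]:
            sa["state"] = "AUTH_SEEN"
        elif sa["init_resp"] is not None:
            sa["state"] = "STALLED_AFTER_SA_INIT"   # reply left, nothing came back
        else:
            sa["state"] = "NO_SA_INIT_RESPONSE"
        if sa["init_req"] is not None and sa["init_resp"] is not None:
            sa["init_rtt_ms"] = round((sa["init_resp"] - sa["init_req"]) * 1000)
    return sas


def stalled_peers(text: str, server: str):
    """Peers that got an IKE_SA_INIT reply from `server` but never reached IKE_AUTH."""
    sas = handshake_state(parse_capture(text), server)
    return sorted((sa["peer"] or "?", ispi) for ispi, sa in sas.items()
                  if sa["state"] == "STALLED_AFTER_SA_INIT")


if __name__ == "__main__":
    for ispi, sa in handshake_state(parse_capture(SAMPLE_CAPTURE), "A.B.C.77").items():
        print(ispi, sa["peer"], sa["state"], sa.get("init_rtt_ms", "-"), "ms")
```

Run it on `tcpdump -n -i vr0 udp port 500 or udp port 4500` output saved to a file; every peer listed as STALLED_AFTER_SA_INIT is a client that will report error 809.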



Re: ikev2 and road warriors setup

2018-11-06 Thread Radek
Hello Kim,

> My question was concerning the VPN_server, is the server NATed?
A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.

> How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
I only have switches in my building.
All routers/firewalls of my network are in another building, I do not know the 
whole network structure, devices, security policies... but I have never noticed 
that any ports were blocked.

I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works 
like a charm.
https://community.riocities.com/openike_openbsd.html
But I can not set up a VPN_server for road warriors.

I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect my 
Win7_warrior from !A.B.C.0/23 (currently testing on the GSM network).
L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that it is 
not a Router/FW problem. 

On Tue, 6 Nov 2018 07:48:37 +0100
Kim Zeitler  wrote:

> Good morning Radek,
> 
> I have a suspicion ...
> 
> > For (1), (2) and (3) the VPN is working just fine with Win7_warrior and 
> > puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if 
> > the warrior has a public IP or is behind NAT). The rest of the world fails to 
> > connect to the VPN_server.
> My question was concerning the VPN_server, is the server NATed?
> How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> 
> Cheers,
> Kim
> 
> 


-- 
radek



Re: ikev2 and road warriors setup

2018-11-07 Thread Radek
Yesterday I tried this scenario:

Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
VPN_IKEv2 - A.B.C.77/23, not NATed

I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had two 
active VPN connections at the same time.
Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and working fine. 

When I disconnected VPN_IKEv2 and tried to connect to VPN_IKEv2 without 
VPN_L2TP, I got 809.

Removing the home_router which is between Win7_warrior and 1.2.3.119 does not 
change anything.
 
Another thing:
I installed the VPN_IKEv2 OS via PXE boot and got a private IP from the DHCP server. Then I 
moved it to the public A.B.C.77/23 by editing /etc/hostname, mygate, resolv.conf. Maybe I 
missed something in the network conf that is important for OpenIKED?

Any idea?


On Tue, 6 Nov 2018 11:21:52 +0100
Radek  wrote:

> Hello Kim,
> 
> > My question was concerning the VPN_server, is the server NATed?
> A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
> 
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> I only have switches in my building.
> All routers/firewalls of my network are in another building, I do not know 
> the whole network structure, devices, security policies... but I have never 
> noticed that any ports were blocked.
> 
> I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works 
> like a charm.
> https://community.riocities.com/openike_openbsd.html
> But I can not set up a VPN_server for road warriors.
> 
> I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect 
> my Win7_warrior from !A.B.C.0/23 (currently testing on the GSM network).
> L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that it 
> is not a Router/FW problem. 
> 
> On Tue, 6 Nov 2018 07:48:37 +0100
> Kim Zeitler  wrote:
> 
> > Good morning Radek,
> > 
> > I have a suspicion ...
> > 
> > > For (1), (2) and (3) the VPN is working just fine with Win7_warrior and 
> > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter 
> > > if the warrior has a public IP or is behind NAT). The rest of the world 
> > > fails to connect to the VPN_server.
> > My question was concerning the VPN_server, is the server NATed?
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> > 
> > Cheers,
> > Kim
> > 
> > 
> 
> 
> -- 
> radek


-- 
radek



Re: ikev2 and road warriors setup

2018-11-08 Thread Radek
I've been playing around with netcat. 
I noticed that the netcat process on my VPN_server does not show any "X" on 
stdout for ports 4500 and 1701.

Might this be relevant to my VPN issue?

VPN_serv is A.B.C.77/23 (it is not behind NAT):

$ pfctl -s rules
pass all flags S/SA

$ nc -u -l 500


X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
A.B.C.69/23$ nc -vuz A.B.C.77 4500
$ nc -u -l 4500
NOTHING IS HERE

$ nc -u -l 4499


$ nc -u -l 4501


X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
A.B.C.69/23$ nc -vuz A.B.C.77 1701
$ nc -u -l 1701
NOTHING IS HERE

$ nc -u -l 22


$ nc -u -l 1234


On Wed, 7 Nov 2018 12:17:09 +0100
Radek  wrote:

> Yesterday I tried this scenario:
> 
> Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> VPN_IKEv2 - A.B.C.77/23, not NATed
> 
> I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had two 
> active VPN connections at the same time.
> Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and working 
> fine. 
> 
> When I disconnected VPN_IKEv2 and tried to connect to VPN_IKEv2 without 
> VPN_L2TP, I got 809.
> 
> Removing the home_router which is between Win7_warrior and 1.2.3.119 does not 
> change anything.
>  
> Another thing:
> I installed the VPN_IKEv2 OS via PXE boot and got a private IP from the DHCP server. Then 
> I moved it to the public A.B.C.77/23 by editing /etc/hostname, mygate, resolv.conf. 
> Maybe I missed something in the network conf that is important for OpenIKED?
> 
> Any idea?
> 
> 
> On Tue, 6 Nov 2018 11:21:52 +0100
> Radek  wrote:
> 
> > Hello Kim,
> > 
> > > My question was concerning the VPN_server, is the server NATed?
> > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
> > 
> > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall 
> > > ...
> > I only have switches in my building.
> > All routers/firewalls of my network are in another building, I do not know 
> > the whole network structure, devices, security policies... but I have never 
> > noticed that any ports were blocked.
> > 
> > I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it 
> > works like a charm.
> > https://community.riocities.com/openike_openbsd.html
> > But I can not set up a VPN_server for road warriors.
> > 
> > I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect 
> > my Win7_warrior from !A.B.C.0/23 (currently testing on the GSM network).
> > L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that 
> > it is not a Router/FW problem. 
> > 
> > On Tue, 6 Nov 2018 07:48:37 +0100
> > Kim Zeitler  wrote:
> > 
> > > Good morning Radek,
> > > 
> > > I have a suspicion ...
> > > 
> > > > For (1), (2) and (3) the VPN is working just fine with Win7_warrior and 
> > > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not 
> > > > matter if the warrior has a public IP or is behind NAT). The rest of the 
> > > > world fails to connect to the VPN_server.
> > > My question was concerning the VPN_server, is the server NATed?
> > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall 
> > > ...
> > > 
> > > Cheers,
> > > Kim
> > > 
> > > 
> > 
> > 
> > -- 
> > radek
> 
> 
> -- 
> radek


-- 
radek



Supermicro X7SPA-HF D510 and OpenBSD

2018-11-22 Thread Radek
Hello, 
does anybody run OpenBSD 6.3/amd64 or 6.4/amd64 on a SUPERMICRO X7SPA-HF D510? 
Do they work well together?

I need to build a backup server (rsync only) with 2-3x 4TB HDDs in a 3U/4U rack case 
for better cooling. RAID is not needed. 
It must be as silent as possible. Low power consumption is also welcome.

Thanks!
-- 
radek



Re: Supermicro X7SPA-HF D510 and OpenBSD

2018-11-23 Thread Radek
Thanks for your answers. Probably I will buy one and check it out.

> Everything seems to work just fine, only problems are that it can't 
> support a lot of graphical modes (xenocara will run, just not very well, 
> since the gpu only has 8 MB of memory and it comes from the main pool of 
> memory anyway).
It does not matter to me. 8MB is OK for OS installation. I am not gonna use X; 
a serial console and ssh are all I need. 

On Thu, 22 Nov 2018 12:01:36 -0800
Misc User  wrote:

> On 11/22/2018 6:13 AM, Stuart Henderson wrote:
> > On 2018-11-22, Radek  wrote:
> >> Hello,
> >> does anybody run OpenBSD 6.3/amd64 or 6.4/amd64 on a SUPERMICRO X7SPA-HF 
> >> D510?
> >> Do they work well together?
> >>
> >> I need to build a backup server (rsync only) with 2-3x 4TB HDDs in a 3U/4U rack 
> >> case for better cooling. RAID is not needed.
> >> It must be as silent as possible. Low power consumption is also welcome.
> >>
> >> Thanks!
> > 
> > Not sure if I have that *exact* board but I have something very similar,
> > I wouldn't expect any problems with this.
> > 
> >
> 
> I am running the X7SPA-HF-D525 version (Same board, different chip.  The 
> D525 and D510 are really just the same chip anyway, just that the D510 
> has a slightly different set of bits burned into the configuration fuses).
> 
> Everything seems to work just fine, only problems are that it can't 
> support a lot of graphical modes (xenocara will run, just not very well, 
> since the gpu only has 8 MB of memory and it comes from the main pool of 
> memory anyway).  That and you can't communicate with the IPMI interface 
> from within the OS (But doesn't prevent you from using the IPMI 
> interface, you'd just need to do any configuration of it via BIOS or the 
> IPMI's web interface).
> 
> dmesg from my system is below
> 
> 
> OpenBSD 6.4 (GENERIC.MP) #0: Sat Nov 17 22:15:46 CET 2018
>  
> r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4277665792 (4079MB)
> avail mem = 4138745856 (3947MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9ac00 (19 entries)
> bios0: vendor American Megatrends Inc. version "1.2" date 09/14/11
> bios0: Supermicro X7SPA-HF
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP APIC MCFG OEMB HPET EINJ BERT ERST HEST
> acpi0: wakeup devices P0P1(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4) 
> EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) P0P6(S4) 
> P0P7(S4) P0P8(S4) P0P9(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.30 MHz, 06-1c-0a
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu0: 512KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 207MHz
> cpu0: mwait min=64, max=64, C-substates=0.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1872.00 MHz, 06-1c-0a
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu1: 512KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 3 pa 0xfec0, version 20, 24 pins, remapped
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xe000, bus 0-255
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 4 (P0P1)
> acpiprt2 at acpi0: bus 1 (P0P4)
> acpiprt3 at acpi0: bus -1 (P0P5)
> acpiprt4 at acpi0: bus -1 (P0P6)
> acpiprt5 at acpi0: bus -1 (P0P7)
> acpiprt6 at acpi0: bus 2 (P0P8)
> acpiprt7 at acpi0: bus 3 (P0P9)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> acpicmos0 at acpi0
> acpibtn0 at acpi0: PWRB
> ipmi at mainbus0 not configured
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
> ppb0 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: msi
> pci1 at ppb0 bus 1
> ppb1 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: msi
> pci2 at ppb1 bus 2
> em0 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 
> 00:25

[OpenIKED] current session list

2020-04-01 Thread Radek
Hi @misc,
is there any equivalent of "npppctl sessions all/brief" for iked(8)?
How can I get the list of currently connected roadwarriors? They use CA.
"ipsecctl -sa" shows IPs only, but I need to know who is who.

-- 
Radek



Re: [OpenIKED] current session list

2020-04-01 Thread Radek
On Wed, 1 Apr 2020 08:50:41 - (UTC)
Stuart Henderson  wrote:

> On 2020-04-01, Radek  wrote:
> > Hi @misc,
> > is there any equivalent of "npppctl sessions all/brief" for iked(8)?
> > How can I get the list of currently connected roadwarriors? They use CA.
> > "ipsecctl -sa" shows IPs only, but I need to know who is who.
> 
> If you're not running recent -current, update (either the whole OS or
> just iked+ikectl), something changed recently (possibly "Copy EAP ID to
> new SA when rekeying IKE SA") that resulted in me seeing EAP-MSCHAPv2
> usernames in a typical ipsecctl -sa, hopefully it will help for CA client
> certs too. (Perhaps not surprisingly there have been quite a lot of
> recent improvements to iked in -current).
> 
> 
Thank you Stuart. I'm running 6.6. Unfortunately, the VPN box became quite 
important because of the recent remote work policy and I don't want to "touch" it 
now as it works as expected. I manage this box remotely and I can't take the 
risk that something goes wrong with the update.

This box has recently seen an increase in the number of iked(8) users and I just 
wanted to have a better view of them. That was the reason for my question. 
I will wait for the next release and replace the box in - hopefully - better 
circumstances.
It is good to see that iked(8) improves regularly from one release to another.

-- 
Radek



Re: Adjust or set OpenIKED renegotiation timeout manually if remote ISP reset connections

2020-04-02 Thread Radek
On Thu, 02 Apr 2020 13:16:13 +
Martin  wrote:

> The remote VPS hoster resets connections after some amount of data has been 
> transferred to/from the remote VPS.
> 
> May I adjust the OpenIKED renegotiation timeout down to 1-2s in some way? 
> Currently it takes ~3-4m to reconnect.
> Right after each 'connection reset' issued by the VPS hoster I can restart iked 
> manually by "rcctl restart iked" and iked renegotiates the link immediately 
> after it.
> 
> The question is how to automate it to have minimal connection loss?
> 
> Martin
Hi Martin, 
maybe that is not exactly what you asked, but I used to fight with that problem:
http://openbsd-archive.7691.n7.nabble.com/OpenIKED-Network-traffic-over-VPN-site-to-site-tunnel-stalls-few-times-a-day-td372267.html

I used ping to monitor the other side of the VPN:
#!/bin/sh
# 10.0.17.254 - local LAN gateway 
# 172.16.1.254 - remote LAN gateway
# Each ping gives "3 packets transmitted, N packets received, ..."; field 4 is N.
# If ping prints nothing at all (e.g. no route), treat that as 0 replies.
while true
do
    vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F " " '{print $4}'`
    vpn=${vpn:-0}

    if [ "${vpn}" -eq 0 ] ; then
        # Tunnel is silent: check the peer's WAN address and general internet
        # reachability so we only restart iked when the tunnel itself is at fault.
        mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " " '{print $4}'`
        wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`
        mon=${mon:-0}
        wan=${wan:-0}

        if [ "${mon}" -gt 0 ] && [ "${wan}" -gt 0 ] ; then
            echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through VPN RACTEST-MON! restarting iked!" em...@example.com
            rcctl restart iked
        fi
    fi
    sleep 32
done

You can trim the sleep time as you need, but remember to give some time for 
restart/renegotiation/resync...
I hope it helps.

-- 
Radek



Re: Wine for OpenBSD?

2020-04-12 Thread Radek
On Sun, 12 Apr 2020 07:24:09 +
slackwaree  wrote:

> You don't want wine anyway. That is the shining example of badly written 
> software which sucked 15 years ago the same way it does today. They tried to 
> make it better with cedega, crossover office and what not and failed 
> miserably. All you could get out of it is to run basic apps like notepad or 
> calc, even those with tons of bugs like borders, frames missing, broken fonts, 
> crashes etc. They claimed it can run game X,Y,Z but who cares about it when 
> Windows can run all games perfectly. This ain't the 90's man, everyone can 
> afford to have 2-3 or more PCs at home and with all these virtualization 
> products like vmware, virtualbox around which just run windows 
> applications in windows perfectly I even ask the question why wine still exists, 
> probably it's someone's pet project who doesn't want to let it go...
> 
> 
> 
> ‐‐‐ Original Message ‐‐‐
> On Saturday, April 11, 2020 12:15 PM, Nikita Stepanov 
>  wrote:
> 
> > Wine for OpenBSD?
> 
> 

> All you could get out of it is to run basic apps like notepad or calc even 
> those with tons of bugs like borders, frames missing, broken fonts, crashes 
> etc.
I used to have FreeBSD on my old office desktop till 2018; WINE was the only 
way to run MT4 [1] on it. MT4 worked flawlessly with WINE: no frames missing, 
no broken fonts, not even one crash in a few years... 

> This ain't the 90's man, everyone can afford to have 2-3 or more PCs at 
> home 
But sometimes you have to be outside the home.

[1] https://www.metatrader4.com/

Cheers!
-- 
Radek



[OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-18 Thread Radek
Hello,

I have two testing gateways (6.5/i386) with a site-to-site VPN between their LANs 
(OpenIKED).
Both gws are fully syspatched, have public IPs and the same iked/pf 
configuration.

Unfortunately, the network traffic over the VPN tunnel stalls a few times a day. 

On one side I use a script to monitor the VPN tunnel with ping; it restarts 
iked and emails me if there is no ping over the VPN tunnel.
Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)


In 6.3/i386 I have the same problem, but more frequently.
Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)

Do I have any bugs/deficiencies in my configs, or did I miss something? 
Is there any way to make it work uninterruptedly?
I would be very grateful if you could help me with this case.

$cat /etc/hostname.enc0
up

$cat /etc/hostname.vr3
inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
group trust

$cat /etc/iked.conf
local_gw_RAC17  = "10.0.17.254" # lan_RAC
local_lan_RAC17 = "10.0.17.0/24"
remote_gw_MON   = "1.2.3.5" # fw_MON
remote_lan_MON  = "172.16.1.0/24"
ikev2 quick active esp \
from $local_gw_RAC17 to $remote_gw_MON \
from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
childsa enc chacha20-poly1305 \
psk "psk"

$cat /etc/pf.conf
# RAC-fwTEST
ext_if  = "vr0"
lan_rac_if  = "vr3" # vr3 -
lan_rac_local   = $lan_rac_if:network # 10.0.17.0/24
backup_if   = "vr2" # vr2 - lewy port
backup_local= $backup_if:network # 10.0.117/24

bud = "1.2.3.0/25"
rdk_wy  = "1.2.3.4"
rdk_mon = "1.2.3.5"
panac_krz   = "1.2.3.6"
panac_rac   = "1.2.3.7"

set fingerprints "/dev/null"
set skip on { lo, enc0 }
set block-policy drop
set optimization normal
set ruleset-optimization basic

antispoof quick for {lo0, $lan_rac_if, $backup_if }

match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)

block all

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
pass out on egress keep state

pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state

ssh_port= "1071"
table  const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
table  persist counters
block from 
pass in log quick inet proto tcp from  to $ext_if port $ssh_port flags S/SA \
    set prio (7, 7) keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload  flush global)

icmp_types  = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types \
set prio (7, 7) keep state

table  const { $rdk_mon, $panac_rac, $panac_krz }
pass out quick on egress proto esp from (egress:0) to  set prio (6, 7) keep state
pass out quick on egress proto udp from (egress:0) to  port {500, 4500} set prio (6, 7) keep state
pass  in quick on egress proto esp from  to (egress:0) set prio (6, 7) keep state
pass  in quick on egress proto udp from  to (egress:0) port {500, 4500} set prio (6, 7) keep state
pass out quick on trust received-on enc0 set prio (6, 7) keep state

pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
pass in on egress proto {ah,esp} set prio (6,7) keep state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

$cat iked_monitor.sh
#!/bin/sh
# 10.0.17.254 - local LAN gateway, 172.16.1.254 - remote LAN gateway
while true
do
    # replies received through the tunnel (4th field of ping's summary line)
    vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F " " '{print $4}'`

    # an empty result (ping produced no summary) is treated as 0 replies
    if [ "${vpn:-0}" -eq 0 ] ; then
        # tunnel is down: check whether the peer's WAN address and the internet still answer
        mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " " '{print $4}'`
        wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`

        # only restart iked when the tunnel itself is the problem, not the uplink
        if [ "${mon:-0}" -gt 0 ] && [ "${wan:-0}" -gt 0 ] ; then
            echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through VPN RACTEST-MON! restarting iked!" em...@example.com
            rcctl restart iked
        fi
    fi
    sleep 32
done


-- 
Radek
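The watchdog above (the same script as in the earlier "ikev2 and road warriors" reply) decides to restart iked from three ping probes. As an added example, not Radek's script, here is a variant with the decision logic in a testable function, a fix for the empty-ping-output case, and a rate limit on restarts; REMOTE_WAN, MAILTO and STATE_FILE are placeholders, the other addresses are the thread's.

```shell
#!/bin/sh
# Added example, not Radek's script: a more defensive version of the
# ping-based iked watchdog from the thread.
#  - an empty ping summary (no route, bad -I address) counts as 0 replies
#    instead of breaking the -eq test;
#  - the verdict is a named function, so the logic is testable offline;
#  - restarts are rate-limited, so a lasting outage does not become a loop
#    that keeps tearing down a tunnel mid-renegotiation;
#  - every check is logged to syslog, restart or not.

LOCAL_GW="10.0.17.254"        # local LAN gateway, source of the tunnel probe (thread)
REMOTE_GW="172.16.1.254"      # remote LAN gateway, reachable only via the tunnel (thread)
REMOTE_WAN="192.0.2.1"        # placeholder: the peer's public IP
REF_HOST="8.8.8.8"            # reference host outside the tunnel (thread)
MAILTO="root"                 # placeholder recipient
STATE_FILE="/var/run/iked_monitor.last"   # placeholder: epoch time of last restart
MIN_RESTART_INTERVAL=600      # seconds between two iked restarts

# received_count: replies received according to ping's summary line
# ("3 packets transmitted, 1 packets received, ..." -> 1); no summary -> 0.
received_count() {
    n=$(printf '%s\n' "$1" | awk '/packets transmitted/ { print $4 }')
    case "$n" in
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$n" ;;
    esac
}

# probe: ping a host (optionally from a given source address) and print the
# number of replies; -I forces the probe through the tunnel's flow policy.
probe() {
    if [ -n "${2:-}" ]; then
        out=$(ping -c 3 -w 1 -I "$2" "$1" 2>/dev/null || true)
    else
        out=$(ping -c 3 -w 1 "$1" 2>/dev/null || true)
    fi
    received_count "$out"
}

# classify: turn the three probe results (tunnel, peer WAN, reference) into
#   ok        tunnel answers
#   wan-down  our own uplink is dead, nothing to restart
#   peer-down peer's public IP unreachable, restarting iked will not help
#   restart   tunnel dead while peer and internet answer: the SA is the problem
classify() {
    if [ "$1" -gt 0 ]; then
        echo ok
    elif [ "$3" -eq 0 ]; then
        echo wan-down
    elif [ "$2" -eq 0 ]; then
        echo peer-down
    else
        echo restart
    fi
}

# restart_allowed: true if no restart happened in the last MIN_RESTART_INTERVAL
# seconds ($1 = now, $2 = epoch of the last restart, or empty).
restart_allowed() {
    [ -z "$2" ] && return 0
    [ $(( $1 - $2 )) -ge "$MIN_RESTART_INTERVAL" ]
}

monitor_once() {
    vpn=$(probe "$REMOTE_GW" "$LOCAL_GW")
    mon=0
    wan=0
    if [ "$vpn" -eq 0 ]; then
        mon=$(probe "$REMOTE_WAN")
        wan=$(probe "$REF_HOST")
    fi
    verdict=$(classify "$vpn" "$mon" "$wan")
    logger -t iked_monitor "vpn=$vpn peer=$mon wan=$wan verdict=$verdict"
    [ "$verdict" = restart ] || return 0

    now=$(date +%s)
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    if restart_allowed "$now" "$last"; then
        printf '%s\n' "$now" > "$STATE_FILE"
        echo "vpn: $vpn, mon: $mon, wan: $wan" |
            mail -s "no ping through VPN, restarting iked" "$MAILTO"
        rcctl restart iked
    else
        logger -t iked_monitor "restart suppressed, last one at $last"
    fi
}

# Constructed sample of an OpenBSD ping summary, for the offline self-check.
SAMPLE_PING='--- 172.16.1.254 ping statistics ---
3 packets transmitted, 1 packets received, 66.7% packet loss'

selfcheck() {
    [ "$(received_count "$SAMPLE_PING")" = 1 ] &&
    [ "$(received_count '')" = 0 ] &&
    [ "$(classify 0 3 3)" = restart ] &&
    [ "$(classify 0 0 3)" = peer-down ]
}

# "run" starts the loop (the thread's 32 s interval); anything else only self-checks.
if [ "${1:-}" = run ]; then
    while true; do monitor_once; sleep 32; done
else
    selfcheck
fi
```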



Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-19 Thread radek
Hello Patrick,

> Does your ISP implement authoritative DNS?
> Do you suspect a UDP issue?
My VPN is configured with IPs, not with domain names. Does DNS and/or UDP 
matter anyway?

> Is a managed (switch) involved?
No, it is not. I do not use any switches in my testing setup.
GW1--ISP1_modem--.--ISP2_modem--GW2

> Has duplex ever been an issue?
I have never noticed any duplex issue.


On Sun, 18 Aug 2019 16:07:14 -0500
Patrick Dohman  wrote:

> Does your ISP implement authoritative DNS?
> Do you suspect a UDP issue?
> Is a managed (switch) involved? Has duplex ever been an issue?
> Regards
> Patrick  
> 
> > On Aug 18, 2019, at 1:03 PM, Radek  wrote:
> > 
> > Hello,
> > 
> > I have two testing gateways (6.5/i386) with site-to-side VPN between its 
> > LANs (OpenIKED).
> > Both gws are fully syspatched, have public IPs and the same iked/pf 
> > configuration.
> > 
> > Unfortunately, the network traffic over the VPN tunnel stalls few times a 
> > day. 
> > 
> > On the one side I use a script to monitor VPN tunnel with ping, it restarts 
> > iked and emails me if there is no ping over the VPN tunnel.
> > Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
> > 
> > 
> > In 6.3/i386 I have the same problem, but more frequently.
> > Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
> > 
> > Do I have any bugs/deficiencies in my configs, missed something? 
> > Is there any way to make it work uninterruptedly?
> > I would be very greatful if you could help me with this case.
> > 
> > $cat /etc/hostname.enc0
> > up
> > 
> > $cat /etc/hostname.vr3
> > inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
> > group trust
> > 
> > $cat /etc/iked.conf
> > local_gw_RAC17  = "10.0.17.254" # lan_RAC
> > local_lan_RAC17 = "10.0.17.0/24"
> > remote_gw_MON   = "1.2.3.5" # fw_MON
> > remote_lan_MON  = "172.16.1.0/24"
> > ikev2 quick active esp \
> > from $local_gw_RAC17 to $remote_gw_MON \
> > from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
> > childsa enc chacha20-poly1305 \
> > psk "psk"
> > 
> > $cat /etc/pf.conf
> > # RAC-fwTEST
> > ext_if  = "vr0"
> > lan_rac_if  = "vr3" # vr3 -
> > lan_rac_local   = $lan_rac_if:network # 10.0.17.0/24
> > backup_if   = "vr2" # vr2 - lewy port
> > backup_local= $backup_if:network # 10.0.117/24
> > 
> > bud = "1.2.3.0/25"
> > rdk_wy  = "1.2.3.4"
> > rdk_mon = "1.2.3.5"
> > panac_krz   = "1.2.3.6"
> > panac_rac   = "1.2.3.7"
> > 
> > set fingerprints "/dev/null"
> > set skip on { lo, enc0 }
> > set block-policy drop
> > set optimization normal
> > set ruleset-optimization basic
> > 
> > antispoof quick for {lo0, $lan_rac_if, $backup_if }
> > 
> > match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to 
> > $ext_if set prio (3, 7)
> > 
> > block all
> > 
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > pass out on egress keep state
> > 
> > pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio 
> > (3, 7) keep state
> > 
> > ssh_port= "1071"
> > table  const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, 
> > 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
> > table  persist counters
> > block from 
> > pass in log quick inet proto tcp from  to $ext_if port $ssh_port 
> > flags S/SA \
> >set prio (7, 7) keep state \
> >(max-src-conn 15, max-src-conn-rate 2/10, overload  
> > flush global)
> > 
> > icmp_types  = "{ echoreq, unreach }"
> > pass inet proto icmp all icmp-type $icmp_types \
> >set prio (7, 7) keep state
> > 
> > table  const { $rdk_mon, $panac_rac, $panac_krz }

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-20 Thread radek
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 
MHz, 05-0a-02
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
mtrr: K6-family MTRR support (2 registers)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 
00:0d:b9:1e:85:8c
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 
00:0d:b9:1e:85:8d
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 
00:0d:b9:1e:85:8e
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 
3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
maxtmp0 at iic0 addr 0x4c: lm86
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, 
legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
nvram: invalid checksum
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (83b335c3c86bb80c.a) swap on wd0b dump on wd0b
clock: unknown CMOS layout

On Mon, 19 Aug 2019 18:17:48 -0500
Patrick Dohman  wrote:

> Do you consider memory an issue?
> What is the speed of your memory?
> Unix load average can occasionally be deceiving.
> What make of Ethernets are you running?
> Regards
> Patrick
> 
> > On Aug 19, 2019, at 5:28 AM, radek  wrote:
> > 
> > Hello Patrick,
> > 
> >> Does your ISP implement authoritative DNS?
> >> Do you suspect a UDP issue?
> > My VPN is configured with IPs, not with domain names. Does DNS and/or UDP 
> > matter anyway?
> > 
> >> Is a managed (switch) involved?
> > No, it is not. I do not use any switches in my testing setup.
> > GW1--ISP1_modem--.--ISP2_modem--GW2
> > 
> > Has duplex ever been an issue?
> > I have never noticed any duplex issue.
> > 
> > 
> > On Sun, 18 Aug 2019 16:07:14 -0500
> > Patrick Dohman  wrote:
> > 
> >> Does your ISP implement authoritative DNS?
> >> Do you suspect a UDP issue?
> >> Is a managed (switch) involved? Has duplex ever been an issue?
> >> Regards
> >> Patrick  
> >> 
> >>> On Aug 18, 2019, at 1:03 PM, Radek  wrote:
> >>> 
> >>> Hello,
> >>> 
> >>> I have two testing gateways (6.5/i386) with site-to-side VPN between its 
> >>> LANs (OpenIKED).
> >>> Both gws are fully syspatched, have public IPs and the same iked/pf 
> >>> configuration.
> >>> 
> >>> Unfortunately, the network traffic over the VPN tunnel stalls few times a 
> >>> day. 
> >>> 
> >>> On the one side I use a script to monitor VPN tunnel with ping, it 
> >>> restarts iked and emails me if there is no ping over the VPN tunnel.
> >>> Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
> >>> Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
> >>> Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
> >>> Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
> >>> 

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-23 Thread radek
ask16  24803 1 0 1 1 0 80
nchpl 88   2969920 3895   115288787 0 80
ffsino   184   2807560 6231   34662   284   284 0 80
dino1pl  128   2807560 6231   23641   195   195 0 80
dirhash 1024 13970  22080512929 0 80
art_node   8  1030   29 1 0 1 1 0 80
art_table 24  1170  105 1 0 1 1 0 80
art_heap4128  1160  104 4 0 4 4 0 80
art_heap8   2048101 1 0 1 1 0 80
pfrule  1212  7000   3815 9 6 7 0 80
pfsrctr  124   20021211 1 1 0 80
pfsnitem   8   23021211 1 1 0 80
pfstate  2361453804   622   621 1 2 0 80
pfstkey   801484904   611   610 1 1 0 80
pfstitem  121484904   611   610 1 1 0 80
pfruleitem 84835804   861   860 1 1 0 80
pftag 80500 3 3 0 1 0 80
pfrktable   1288   7305 1 0 1 1 0 80
pfrke_plain   96  2220   12 1 0 1 1 0 80
pfosfpen 1081570800   414   414 020 0 80
pfosfp28 9306006363 0 3 0 80
pffrent   24   16704400   304   303 1 1 0 81
pffrnode  648352200   304   303 1 1 0 81
pffrag   1328352200   304   303 1 1 0341
cryptop  276   22471300 13859 13858 1 3 0 81
rttmr 40200 2 2 0 1 0 80
tcpcb396  7860   10 4 2 2 2 0 80
tcpqe 16 2749001918 1 1 0 81
syncache 196   29002928 1 1 0 81
rtentry   76  1030   29 1 0 1 1 0 80
plimitpl 148  4290   23 1 0 1 1 0 80
inpcbpl  200225750   25 5 3 2 2 0 80
arp   36   7705 1 0 1 1 0 80
ipsec policy 252 211005   280   279 1 2 0 80

In use 5679K, total allocated 6336K; utilization 89.6%






On Thu, 22 Aug 2019 19:12:55 -0500
Patrick Dohman  wrote:

> Radek
> 
> I’ve found that fast networking is actually CPU & memory intensive. 
> Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in my 
> opinion.
> Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio with a 
> commercial router.
> 
> What are your context switches & interrupts doing while the VPN is up & 
> traffic is flowing?
> 
> vmstat -w 4
> 
> What is your memory high water mark during a peak traffic?
> 
> vmstat -m
> 
> Regards
> Patrick
> 
> > On Aug 21, 2019, at 12:34 AM, radek  wrote:
> > 
> > Hello Patrick,
> > I am sorry for the late reply.
> > 
> >> Do you consider memory an issue?
> > No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3, 
> > that I use for VPN testing.
> > Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3
> > Production set (6.3/i386) is net5501-70 <-> ALIX2d2
> > Also have tried net5501-70 <-> net5501-70 - the same VPN problem occurs
> > It is unlikely that every box has any hardware issue.
> > 
> >> Unix load average can occasionally be deceiving.
> > I did not know.
> > 
> >  net5501-70 
> > $top -d1 | head -n 4
> > load averages:  0.05,  0.01,  0.00RAC-fw65-test.PRAC 10:58:14
> > 38 processes: 1 running, 35 idle, 1 dead, 1 on processor  up 3 days, 18:02
> > CPU states:  0.5% user,  0.0% nice,  0.4% sys,  0.0% spin,  0.2% intr, 
> > 98.8% idle
> > Memory: Real: 18M/267M act/tot Free: 222M Cache: 97M Swap: 0K/256M
> > 
> >  ALIX2d3 
> > $top -d1 | head -n 4
> > load averages:  0.00,  0.00,  0.00mon65.home 07:30:05
> > 37 processes: 1 running, 35 idle, 1 on processor  up 13:46
> > CPU states:  0.3% user,  0.0% nice,  1.1% sys,  0.0% spin,  0.4% intr, 
> > 98.3% idle
> > Memory: Real: 125M/223M act/tot Free: 14M Cache: 47M Swap: 73M/256M
> > 
> > 
> > 

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-08-25 Thread Radek
Hello Patrick, 

> In my opinion your net5501’s system calls per interval are relatively high.
> The (traps sys) column on my firewall hovers between 40 & 50 quite 
> consistently.
> My understanding is that system calls are things like program calls & library 
> access.
Is there any way to decrease these values?
 
> Many commercial routers run a customized kernel & rely on a stripped down 
> user-land.
> The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
> things like storage or virtualization.
> The OpenBSD O.S includes all the user-land tools such as ping & top in 
> addition to a standardized precompiled kernel. 
Ok, I get it.


On Fri, 23 Aug 2019 21:12:35 -0500
Patrick Dohman  wrote:

> In my opinion your net5501’s system calls per interval are relatively high.
> The (traps sys) column on my firewall hovers between 40 & 50 quite 
> consistently.
> My understanding is that system calls are things like program calls & library 
> access.
> 
> In addition your net5501’s memory requests per second seem heavy.
> You have fifty eight million 1024 bucket requests per second.
> My firewall has a max of one hundred thousand 128 bucket requests per second.
> 
> Many commercial routers run a customized kernel & rely on a stripped down 
> user-land.
> The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
> things like storage or virtualization.
> The OpenBSD O.S includes all the user-land tools such as ping & top in 
> addition to a standardized precompiled kernel. 
> Regards
> Patrick
> .
> > 
> > 
> > On Thu, 22 Aug 2019 19:12:55 -0500
> > Patrick Dohman  wrote:
> > 
> >> Radek
> >> 
> >> I’ve found that fast networking is actually CPU & memory intensive. 
> >> Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in 
> >> my opinion.
> >> Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio 
> >> with a commercial router.
> >> 
> >> What are your context switches & interrupts doing while the VPN is up & 
> >> traffic is flowing?
> >> 
> >> vmstat -w 4
> >> 
> >> What is your memory high water mark during a peak traffic?
> >> 
> >> vmstat -m
> >> 
> >> Regards
> >> Patrick
> >> 
> >>> On Aug 21, 2019, at 12:34 AM, radek  wrote:
> >>> 
> >>> Hello Patrick,
> >>> I am sorry for the late reply.
> >>> 
> >>>> Do you consider memory an issue?
> >>> No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3, 
> >>> that I use for VPN testing.
> >>> Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3
> >>> Production set (6.3/i386) is net5501-70 <-> ALIX2d2
> >>> Also have tried net5501-70 <-> net5501-70 - the same VPN problem occurs
> >>> It is unlikely that every box has any hardware issue.
> >>> 
> >>>> Unix load average can occasionally be deceiving.
> >>> I did not know.
> >>> 
> >>>  net5501-70 
> >>> $top -d1 | head -n 4
> >>> load averages:  0.05,  0.01,  0.00RAC-fw65-test.PRAC 10:58:14
> >>> 38 processes: 1 running, 35 idle, 1 dead, 1 on processor  up 3 days, 18:02
> >>> CPU states:  0.5% user,  0.0% nice,  0.4% sys,  0.0% spin,  0.2% intr, 
> >>> 98.8% idle
> >>> Memory: Real: 18M/267M act/tot Free: 222M Cache: 97M Swap: 0K/256M
> >>> 
> >>>  ALIX2d3 
> >>> $top -d1 | head -n 4
> >>> load averages:  0.00,  0.00,  0.00mon65.home 07:30:05
> >>> 37 processes: 1 running, 35 idle, 1 on processor  up 13:46
> >>> CPU states:  0.3% user,  0.0% nice,  1.1% sys,  0.0% spin,  0.4% intr, 
> >>> 98.3% idle
> >>> Memory: Real: 125M/223M act/tot Free: 14M Cache: 47M Swap: 73M/256M
> >>> 
> >>> 
> >>> 
> >>>> What is the speed of your memory?
> >>>> What make of Ethernets are you running?
> >>> Dmesgs below
> >>> 
> >>>  net5501-70 
> >>> OpenBSD 6.5 (GENERIC) #2: Tue Jul 23 23:08:46 CEST 2019
> >>>   r...@syspatch-65-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> >>> real mem  = 536363008 (511MB)
> >>> avail mem = 511311872 (487MB)
> >>> mpath0 at root
> >>> scsibus0 at mpath0: 256 targets
> >>> mainbus0 at root
> >>> bios0 at mainbus0: d

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-09-20 Thread radek
Hello Patrick,
I am sorry for the late reply.

I have replaced my ALIX/Soekris production routers with APU1C and with PC box 
(cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04). 
Both are running 6.5/amd64 and both are fully syspatched.

I also added "inet proto { tcp, udp, icmp }" to my match rule on both sides:
match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)

It does not make any difference. The VPN still needs to be restarted with similar frequency.
Date: Thu, 19 Sep 2019 23:15:39 +0200 (CEST)
Date: Fri, 20 Sep 2019 01:49:59 +0200 (CEST)
Date: Fri, 20 Sep 2019 03:37:15 +0200 (CEST)
Date: Fri, 20 Sep 2019 06:12:31 +0200 (CEST)
Date: Fri, 20 Sep 2019 08:46:45 +0200 (CEST)
Date: Fri, 20 Sep 2019 11:25:08 +0200 (CEST)
Date: Fri, 20 Sep 2019 13:59:06 +0200 (CEST)


> In my opinion upstream DNS & UDP issues can cause interrupts with some ISP's.
But at the time of the VPN issue both sides can ping each other on their public IPs. Only 
the VPN tunnel does not work as expected, until iked is restarted.

> It appears that you have ICMP allow rules which is a good idea in my opinion.
> Have you ever done any logging of these packets. Is there any legitimate 
> requests from your ISP?
No, there are not any ICMP requests from my ISP.
TCPDUMP shows only some pings from the world, mostly from Amazon's IPs.
The following was logged just before VPN traffic stalls:
13:38:09.194783 13.210.171.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:38:09.194845 A.A.A.A > 13.210.171.31: icmp: echo reply [tos 0x40]
13:39:51.130602 18.138.136.9 > A.A.A.A: icmp: echo request (DF)
13:39:51.130665 A.A.A.A > 18.138.136.9: icmp: echo reply
13:42:42.825866 3.105.202.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:42:42.825938 A.A.A.A > 3.105.202.31: icmp: echo reply [tos 0x40]
13:44:17.474364 18.136.167.37 > A.A.A.A: icmp: echo request (DF)
13:44:17.474434 A.A.A.A > 18.136.167.37: icmp: echo reply
13:47:55.225820 13.210.171.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:47:55.225883 A.A.A.A > 13.210.171.31: icmp: echo reply [tos 0x40]
13:49:30.624877 18.138.136.9 > A.A.A.A: icmp: echo request (DF)
13:49:30.624945 A.A.A.A > 18.138.136.9: icmp: echo reply
13:53:45.675943 3.105.202.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:53:45.676008 A.A.A.A > 3.105.202.31: icmp: echo reply [tos 0x40]
13:55:02.593285 18.136.167.37 > A.A.A.A: icmp: echo request (DF)
13:55:02.593347 A.A.A.A > 18.136.167.37: icmp: echo reply
13:55:31.703602 18.228.131.118 > A.A.A.A: icmp: echo request (DF)
13:55:31.703671 A.A.A.A > 18.228.131.118: icmp: echo reply

On the other side of VPN ICMP logs are similar.

> Do you have an alternate DNS server you can test against? Are you using your 
> ISP’s DNS?
On the one side I can use any DNS I want. I was using google's 8.8.8.8 and 
ISP's DNS. If I change to 1.1.1.1 and 1.0.0.1 my problem still occurs.
On the other side the ISP redirects all DNS requests to its own DNS. 

Any idea?

On Sun, 25 Aug 2019 20:28:27 -0500
Patrick Dohman  wrote:

> Radek
> In my opinion upstream DNS & UDP issues can cause interrupts with some ISP's.
> I also believe that defining specific proto's in your nat rule can decrease 
> interrupts. 
> You might consider the following to modification to your nat rule to 
> specificity allow UDP & ICMP.
> 
> match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)
> 
> It appears that you have ICMP allow rules which is a good idea in my opinion.
> Have you ever done any logging of these packets. Is there any legitimate 
> requests from your ISP?
> Do you have an alternate DNS server you can test against? Are you using your 
> ISP’s DNS?
> Perhaps the new OpenBSD unwind package is worth investigating ;)
> Regards
> Patrick
> 
> > On Aug 25, 2019, at 1:31 PM, Radek  wrote:
> > 
> > Hello Patrick, 
> > 
> >> In my opinion your net5501’s system calls per interval are relatively high.
> >> The (traps sys) column on my firewall hovers between 40 & 50 quite 
> >> consistently.
> >> My understanding is that system calls are things like program calls & 
> >> library access.
> > Is there any way to decrease these values?
> > 
> >> Many commercial routers run a customized kernel & rely on a striped down 
> >> user-land.
> >> The kernel is also recompiled to run TCP/IP4 only & can no longer execute 
> >> things like storage or virtualization.
> >> The OpenBSD O.S includes all the user-land tools such as ping & top in 
> >> addition to a standardized precompiled kernel. 
> > Ok, I get it.
> > 
> > 
> > On F

Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-09-22 Thread Radek
Thank you Stuart.
I can't touch/upgrade these routers, but I have a bunch of Soekris/net5501 that 
I can use for testing -current. Unfortunately, they are i386. I hope the arch 
doesn't matter in this case.
I'll try -current asap.

Am I the only one @misc who's facing this kind of iked issue? Nobody else 
reports having the same issue here...

On Fri, 20 Sep 2019 16:55:02 -0000 (UTC)
Stuart Henderson  wrote:

> On 2019-09-20, radek  wrote:
> > Hello Patrick,
> > I am sorry for the late reply.
> >
> > I have replaced my ALIX/Soekris production routers with APU1C and with PC 
> > box (cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04). 
> > Both are running 6.5/amd64 and both are fully syspatched.
> 
> Please try a -current snapshot for starters, quite a number of iked bugs
> have been fixed since then including some which would cause connectivity
> problems during rekeying. (If you *really* can't update the whole thing,
> it should work to build -current iked on a 6.5 system, but no guarantees).
> 
> 


-- 
Radek



Moving IKED certificates between routers

2019-11-08 Thread radek
Hello, 

I'm going to replace a 6.5 router with a new 6.6 box. Is it necessary to generate 
new iked certificates in every new installation, or is there a way to move and 
use the "old" certificates in the new install? Road warriors would be happy with that.

Thank you for guiding me on this journey.

-- 
Radek



Re: Moving IKED certificates between routers

2019-11-10 Thread Radek
Hi Stuart, 
I have played around with copying them across but no luck (I get error 13801 in 
win7). I don't know what I'm doing wrong.

Do I need to set the same hostname (/etc/myname) in the new box to make the old certs 
work?

In my *old* box certs were created as below:
[1]ikectl ca vpn create #(CN = hostname)
[2]ikectl ca vpn install
[3]ikectl ca vpn certificate 1.2.3.4 create
[4]ikectl ca vpn certificate 1.2.3.4 install
[5]ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
[6]ikectl ca vpn certificate rdk.6501.rac export

What steps do I need to re-run and which files exactly should be copied/edited 
(/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac work in the new box?


On Fri, 8 Nov 2019 11:59:56 -0000 (UTC)
Stuart Henderson  wrote:

> On 2019-11-08, radek  wrote:
> > Hello, 
> >
> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to 
> > generate new iked certificates in every new installation or there is a way 
> > to move and use "old" certificates in new install? Road warriors would be 
> > happy with that.
> >
> > Thank you for guiding me on this journey.
> >
> 
> Just copy them across.
> 
> 


-- 
Radek



Re: Moving IKED certificates between routers

2019-11-10 Thread Radek
My new box has the same /etc/myname.

I copied:
/etc/iked/ca/ca.crt
/etc/iked/certs/1.2.3.4.crt
/etc/iked/crls/ca.crl
/etc/ssl/vpn/*

What did I do wrong/miss?

Windows shows error 13826: Failed to verify signature.

On Sun, 10 Nov 2019 13:30:24 -0000 (UTC)
Stuart Henderson  wrote:

> On 2019-11-10, Radek  wrote:
> > Hi Stuart, 
> > I have played around with copying them across but no luck (I get error 
> > 13801 in win7). I don't know what I'm doing wrong.
> >
> > Do I need to set the same hostname (/etc/myname) in new box to make old 
> > certs working?
> >
> > In my *old* box certs were created as below:
> > [1]ikectl ca vpn create #(CN = hostname)
> > [2]ikectl ca vpn install
> > [3]ikectl ca vpn certificate 1.2.3.4 create
> > [4]ikectl ca vpn certificate 1.2.3.4 install
> > [5]ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
> > [6]ikectl ca vpn certificate rdk.6501.rac export
> >
> > What steps do I need to re-run and what exactly files should be 
> > copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in 
> > new box?
> 
> Oh, I understood from your email that you were just replacing it 
> like-for-like.
> If you change the hostname then yes you'll need to a certificate with the
> new hostname, but then of course you will need to change clients to connect
> to the new name.
> 
> 
> >
> > On Fri, 8 Nov 2019 11:59:56 - (UTC)
> > Stuart Henderson  wrote:
> >
> >> On 2019-11-08, radek  wrote:
> >> > Hello, 
> >> >
> >> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to 
> >> > generate new iked certificates in every new installation or there is a 
> >> > way to move and use "old" certificates in new install? Road warriors 
> >> > would be happy with that.
> >> >
> >> > Thank you for guiding me on this journey.
> >> >
> >> 
> >> Just copy them across.
> >> 
> >> 
> >
> >
> 


-- 
Radek



Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day

2019-11-13 Thread radek
After upgrading my two endpoints to i386/6.6 it started to work flawlessly. 
There wasn't even one IKED restart within first two days of running.
Thank you Patrick, Stuart and everyone involved in making IKED work as 
expected. I really appreciate it.

# vmstat -m | head -n 17 
Memory statistics by bucket size
Size   In Use   Free   Requests  HighWater  Couldfree
  16  528752 1253321280  0
  32 1470 66 105757 640  5
  64  6001682554483 320  0
 128  124 36  42106 160  0
 256  446 18  51276  80  0
 512  108  4 166303  40  0
1024   46  6  48352  20  0
2048   13  3 74  10  0
4096   16  2  84574   5  0
8192   21  1 44   5  0
   163846  0505   5  0
   327686  0 11   5  0
   655362  0  12333   5  0
  5242881  0  1   5  0

# vmstat -w 4
 procsmemory   pagedisk traps  cpu
 r   s   avm fre  flt  re  pi  po  fr  sr wd0  int   sys   cs us sy id
 2  53   29M313M   54   0   0   0   0   0   0  27560  109  0  2 98
 0  57   30M312M  140   0   0   0   0   0   0  378   131  470  0  4 96
 0  55   29M313M   30   0   0   0   0   0   0  38343  547  0  3 97
 0  55   29M313M2   0   0   0   0   0   0  38017  529  0  3 97
 0  57   30M312M  140   0   0   0   0   0   0  374   124  512  0  5 94


On Sun, 22 Sep 2019 17:11:20 +0200
Radek  wrote:

> Thank you Stuart.
> I can't touch/upgrade these routers, but I have a bunch of Soekris/net5501 
> that I can use for testing -current. Unfortunately, they are i386. I hope the 
> arch doesn't matter in this case.
> I'll try -current asap.
> 
> Am I the only one @misc who's facing this kind of iked issue? Nobody else 
> reports having the same issue here...
> 
> On Fri, 20 Sep 2019 16:55:02 - (UTC)
> Stuart Henderson  wrote:
> 
> > On 2019-09-20, radek  wrote:
> > > Hello Patrick,
> > > I am sorry for the late reply.
> > >
> > > I have replaced my ALIX/Soekris production routers with APU1C and with PC 
> > > box (cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04). 
> > > Both are running 6.5/amd64 and both are fully syspatched.
> > 
> > Please try a -current snapshot for starters, quite a number of iked bugs
> > have been fixed since then including some which would cause connectivity
> > problems during rekeying. (If you *really* can't update the whole thing,
> > it should work to build -current iked on a 6.5 system, but no guarantees).
> > 
> > 
> 
> 
> -- 
> Radek
> 


-- 
Radek



Re: Moving IKED certificates between routers

2019-11-17 Thread Radek
So.. finally I made it work.

Files to copy:
/etc/iked/ca/ca.crt
/etc/iked/certs/1.2.3.4.crt
/etc/iked/crls/ca.crl
/etc/ssl/vpn/*
/etc/iked/local.pub
/etc/iked/private/local.key

> > If you change the hostname then yes you'll need to a certificate with the
> > new hostname, but then of course you will need to change clients to connect
> > to the new name.
Just for test I changed the hostname to some_new_hostname in /etc/myname and 
rebooted the box. I can still connect to *new* box with my *old* rdk.6501.rac 
certificate.

Tested on Win7 and Win10. 
New box is 6.6/i386.

On Sun, 10 Nov 2019 15:00:58 +0100
Radek  wrote:

> My new box has the same /etc/myname.
> 
> I copied:
> /etc/iked/ca/ca.crt
> /etc/iked/certs/1.2.3.4.crt
> /etc/iked/crls/ca.crl
> /etc/ssl/vpn/*
> 
> What did I do wrong/miss?
> 
> Windows shows error 13826: Failed to verify signature.
> 
> On Sun, 10 Nov 2019 13:30:24 -0000 (UTC)
> Stuart Henderson  wrote:
> 
> > On 2019-11-10, Radek  wrote:
> > > Hi Stuart, 
> > > I have played around with copying them across but no luck (I get error 
> > > 13801 in win7). I don't know what I'm doing wrong.
> > >
> > > Do I need to set the same hostname (/etc/myname) in new box to make old 
> > > certs working?
> > >
> > > In my *old* box certs were created as below:
> > > [1]ikectl ca vpn create #(CN = hostname)
> > > [2]ikectl ca vpn install
> > > [3]ikectl ca vpn certificate 1.2.3.4 create
> > > [4]ikectl ca vpn certificate 1.2.3.4 install
> > > [5]ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
> > > [6]ikectl ca vpn certificate rdk.6501.rac export
> > >
> > > What steps do I need to re-run and what exactly files should be 
> > > copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in 
> > > new box?
> > 
> > Oh, I understood from your email that you were just replacing it 
> > like-for-like.
> > If you change the hostname then yes you'll need to a certificate with the
> > new hostname, but then of course you will need to change clients to connect
> > to the new name.
> > 
> > 
> > >
> > > On Fri, 8 Nov 2019 11:59:56 - (UTC)
> > > Stuart Henderson  wrote:
> > >
> > >> On 2019-11-08, radek  wrote:
> > >> > Hello, 
> > >> >
> > >> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to 
> > >> > generate new iked certificates in every new installation or there is a 
> > >> > way to move and use "old" certificates in new install? Road warriors 
> > >> > would be happy with that.
> > >> >
> > >> > Thank you for guiding me on this journey.
> > >> >
> > >> 
> > >> Just copy them across.
> > >> 
> > >> 
> > >
> > >
> > 
> 
> 
> -- 
> Radek


-- 
Radek





Disabling ACPI permanently

2019-12-23 Thread Radek
Hello,
I'm trying to permanently disable acpi doing the following steps[1].
After the first reboot OS boots fine.
After the second reboot acpi seems to be re-enabled at boot - I get [2].
What am I doing wrong?

[1]
boot -c
UKC>disable acpi
444 acpi0 disabled
UKC>quit
Continuing...
[...]
mv /bsd /bsd.old
config -e -o /bsd /bsd.old
OpenBSD 6.6 (GENERIC) #3: Thu Nov 21 01:58:46 MST 2019
r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
Enter 'help' for information
ukc> disable acpi
444 acpi0 disabled
ukc> quit
Saving modified kernel.

[2]
OpenBSD 6.6 (GENERIC) #3: Thu Nov 21 01:58:46 MST 2019
r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1047724032 (999MB)
avail mem = 1003417600 (956MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xfcd70 (77 entries)
bios0: vendor Intel Corp. version "BA72210A.86B.0228.2005.1122.2349" date 
11/22/2005
bios0: MAXDATA PLATINUM 100 I M5
acpi0 at bios0: ACPI 2.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG ASF! WDDT
acpi0: wakeup devices PEGP(S4) P0P2(S4) AC97(S4) USB0(S1) USB1(S1) USB2(S1) 
USB3(S1) USB7(S1) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) AZAL(S4) PWRB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU 3.06GHz, 3067.28 MHz, 0f-04-09
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,CNXT-ID,CX16,xTPR,NXE,LONG,LAHF,MELTDOWN
cpu0: 256KB 64b/line 4-way L2 cache
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEGP)
acpiprt2 at acpi0: bus 6 (P0P2)
acpiprt3 at acpi0: bus 5 (PEX1)
acpiprt4 at acpi0: bus 4 (PEX2)
acpiprt5 at acpi0: bus 3 (PEX3)
acpicpu0 at acpi0: C1(@1 halt!)
acpipwrres0 at acpi0: URP1
acpipwrres1 at acpi0: FDDP
acpipwrres2 at acpi0: LPTP
acpipwrres3 at acpi0: URP2
acpipci0 at acpi0 PCI0panic: malloc: allocation too large, type = 33, size = 292057776136

Stopped at  db_enter+0x10:  popq%rbp
TIDPIDUID PRFLAGS PFLAGS  CPU  COMMAND
* 0  0  0 0x1  0x2000  swapper
db_enter(10,82281280,202,8,812c2e00,82281280) at db_enter+0x10
panic(81c2af40,81c2af40,8007a088,21,0,440008) at panic+0x128
malloc(440008,21,9,440008,8642e84c095b2331,8007a088) at malloc+0x6d9
aml_parse(8007a088,74,0,8007a088,e233b61729a271c4,8007a088) at aml_parse+0x1734
aml_parse(8007a088,54,c,8007a088,e233b61729a286b7,8007a088) at aml_parse+0x54c
aml_eval(0,80072608,74,82281700,82281700,0) at aml_eval+0x33f
aml_evalnode(800725ac,80072588,4,82281700,82281820,800725ac) at aml_evalnode+0xb5
acpipci_attach(80021400,80079d80,82281970,80021400,f736340b0bc20316,80021400) at acpipci_attach+0xf7
config_attach(80021400,81f06328,82281970,81aa8a50,472b3934561bab9a,80041708) at config_attach+0x1ee
acpi_foundhid(80041708,80021400,c02f249ab5605f64,81aabcc0,80021400,80041188) at acpi_foundhid+0x2dc
aml_find_node(80041188,81c413d0,81aabcc0,80021400,c1874c1cd841fb5c,81aabcc0) at aml_find_node+0x84
aml_find_node(80023a88,81c413d0,81aabcc0,80021400,c1874c1cd841fb5c,81aabcc0) at aml_find_node+0xb1
aml_find_node(81f90200,81c413d0,81aabcc0,80021400,c1874c1cd8e35490,82281b50) at aml_find_node+0xb1
acpi_attach_common(80021400,f5600,f55897af781bc332,80023180,ffff82281c58,81f31230) at acpi_attach_common+0x7ad
end trace frame: 0x82281c40, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.
ddb>

-- 
Radek



Re: Disabling ACPI permanently

2019-12-27 Thread Radek
Hello Philip,

This box has installed the newest BIOS firmware. 

Following your suggestion I sent a bug report to b...@openbsd.org
https://marc.info/?l=openbsd-bugs&m=157747038309405&w=2


On Mon, 23 Dec 2019 08:25:13 -0800
Philip Guenther  wrote:

> On Mon, Dec 23, 2019 at 5:10 AM Radek  wrote:
> 
> > I'm trying to permanently disable acpi doing the following steps[1].
> > After the first reboot OS boots fine.
> > After the second reboot acpi seems to be re-enabled at boot - I get [2].
> > What am I doing wrong?
> >
> 
> First, you should also check whether there's a newer BIOS firmware for this
> box, as there's a good chance Intel has fixed issues and issued a new one.
> If so, installing that may totally resolve the issue.
> 
> If not, or if upgrading the firmware doesn't resolve this, then you should
> next send a bug report to b...@openbsd.org using sendbug.  To get the most
> data when you do so, disable _just_ the acpipci device (using boot -c)
> instead of all of acpi and then run sendbug as root on that system.  The
> bug report will then include the data from the ACPI tables, so that the
> driver can be fixed to deal with this.
> 
> ...
> 
> > acpipci0 at acpi0 PCI0panic: malloc: allocation too large, type = 33, size
> > = 292057776136
> >
> 
> 
> Philip Guenther


-- 
Radek



Traffic prioritization inside VPN

2020-01-02 Thread radek
Hello,

I have the following scenario:
[box_rac][fw_rac] <--iked site-to-site--> [fw_krz]--[box_krz]

[box_rac] pulls (rsync) "big data" from [box_krz] through VPN.
I need to put this traffic to the total background, making way for any other 
packets going through VPN, NICs, from/to any other boxes on both sides.

I tried to do it by "catching" this traffic on [fw_rac]/[fw_krz] by specific 
rules [1] and setting the lowest priority for it. 
Unfortunately it doesn't seem to work as expected. Bandwidth seems to be shared 
roughly equally with other traffic (tested with pushing data (netcat) through 
VPN at the same time).

I would appreciate your advice or any clues on what I have done wrong. Thank 
you.

[fw_rac] and [fw_krz] have analogous rulesets [2].

[1]
[fw_rac]:
pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state

[fw_krz]:
pass out quick on enc0 from $box_krz to $box_rac set prio (0, 0) keep state

[2] pf.conf [fw_rac]:
ext_if  = "vr0"
lan_rac_if  = "vr2" #
lan_rac_local   = $lan_rac_if:network # 10.0.15.0/24
backup_if   = "vr3" #
backup_local= $backup_if:network # 10.0.115/24

box_rac = "10.0.115.151"
box_krz = "10.0.100.151"

set fingerprints "/dev/null"
set skip on { lo, enc0 }
set block-policy drop
set optimization normal
set ruleset-optimization basic
antispoof quick for {lo0, $lan_rac_if, $backup_if }
match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, 
$backup_local } nat-to $ext_if set prio (3, 7)
block all 
match out all scrub (no-df random-id)
pass out on egress keep state

pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
pass out quick on $ext_if from $box_rac to $box_krz set prio (0, 0) keep state

pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 
7) keep state

ssh_port= "1071"
table  const { $bud, $rdk_wy, $rdk_mon, $krz_wan, 10.0.2.0/24, 
10.0.15.0/24, 10.0.100.0/24 } 
table  persist counters
block from 
pass in log quick inet proto tcp from  to $ext_if port $ssh_port 
flags S/SA \
set prio (7, 7) keep state \
(max-src-conn 15, max-src-conn-rate 2/10, overload  flush 
global)

icmp_types  = "{ echoreq, unreach }" 
pass inet proto icmp all icmp-type $icmp_types \
set prio (7, 7) keep state

table  const { $krz_wan }
pass out quick on egress proto esp from (egress:0) to
   set prio (6, 7) keep state
pass out quick on egress proto udp from (egress:0) to  port {500, 
4500} set prio (6, 7) keep state
pass  in quick on egress proto esp from  to (egress:0)   
   set prio (6, 7) keep state
pass  in quick on egress proto udp from  to (egress:0) port {500, 
4500} set prio (6, 7) keep state

pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} 
set prio (6,7) keep state
pass in on egress proto {ah,esp} set prio (6,7) keep state
block return in on ! lo0 proto tcp to port 6000:6010


-- 
Radek



Re: Traffic prioritization inside VPN

2020-01-02 Thread Radek
> what about working directly on rsync side, specifying the maximum
> transfer rate? (--bwlimit option)

Setting the hard transfer rate/limit on the rsync side is not what I need. I 
want my boxes to be able to use whole available bandwidth anytime. I mean if 
other services need some bandwidth they just get it with higher priority and my 
boxes can always use *the rest*. If the network is quiet, my boxes 
can use the whole highway.

On Thu, 2 Jan 2020 17:57:19 +0100
fRANz  wrote:

> On Thu, Jan 2, 2020 at 3:51 PM radek  wrote:
> 
> > I tried to do it by "catching" this traffic on [fw_rac]/[fw_krz] by 
> > specific rules [1] and setting the lowest priority for it.
> > Unfortunately it doesn't seem to work as expected. Bandwidth seems to be 
> > shared roughly equally with other traffic (tested with pushing data 
> > (netcat) through VPN at the same time).
> > I would appreciate your advice or any clues on what I have done wrong. 
> > Thank you.
> 
> what about working directly on rsync side, specifying the maximum
> transfer rate? (--bwlimit option)
> -f
> 


-- 
Radek



ikev2 and road warriors setup

2018-01-27 Thread Radek
Hello,

I have configured OpenIKED Site-to-Site VPN between two gateways:
serv73 - OBSD6.1, IP A.B.C.73,
serv75 - OBSD6.2, IP A.B.C.75.
It seems to work fine.

I'm trying to set up VPN for a few road warriors in one of these gateways. As 
much as possible, authorisation should be independent of the user's IP. If I get 
it right, a certificate is always bound to a certain IP, so I need to use login and 
password authentication.
After spending some time playing around with that I can not find the proper 
configuration.
I know the reason for that is a lack of certificate (I don't have any idea what 
cert it is) but maybe something else that I have missed or did it wrong.
I have read manuals but not everything is clear for me.

On win7 I got 809 error.
Client is configured as below:
https://hide.me/en/vpnsetup/windows7/ikev2/

Any help appreciated :)

My configs:

[root@@serv75/home/rdk:]iked -dv
ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 
policy 'roadwarrior' id 0, 528 bytes
ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 0, 
325 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
policy 'roadwarrior' id 1, 764 bytes
ca_getreq: no valid local certificate found
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
policy 'roadwarrior' id 1, 764 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
policy 'roadwarrior' id 1, 764 bytes


[root@@serv75/home/rdk:]cat /etc/iked.conf
remote_gw73 = "A.B.C.73" # serv33
remote_lan73= "10.0.73.0/24"
local_gw= "10.0.75.254" # serv75
local_lan   = "10.0.75.0/24"
dns1= "8.8.8.8"

ikev2 active esp from $local_gw to $remote_gw73 \
from $local_lan to $remote_lan73 peer $remote_gw73 \
psk "test123"

user "test" "pass1234"
ikev2 "roadwarrior" passive esp \
from 0.0.0.0/0 to 10.0.75.0/24 \
local any peer any \
eap "mschap-v2" \
config address 10.0.75.123 \
config name-server 8.8.8.8 \
tag "$name-$id"

[root@@serv75/home/rdk:]cat /etc/pf.conf
ext_if  = "vr0"
lan_if  = "vr1"# vr1
lan_local   = $lan_if:network  # 10.0.75.0/24
ext_ip  = "A.B.C.75"
bud = "A.B.C.0/25"
rdkhome_wy  = "YY.YY.YY.YY"
rdkhome_mon = "XX.XX.XX.XX"
ssh_port= "1071"
icmp_types  = "{ echoreq, unreach }"
table  const { A.B.C.73, A.B.C.74 }
set skip on { lo, enc0 }
block return on $ext_if # block stateless traffic
match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to 
$ext_if port $ssh_port \
set prio (1, 6) keep state
pass out quick on egress proto esp from (egress:0) to
   keep state
pass out quick on egress proto udp from (egress:0) to  port {500, 
4500} keep state
pass  in quick on egress proto esp from  to (egress:0)   
   keep state
pass  in quick on egress proto udp from  to (egress:0) port {500, 
4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state
pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep 
state
block return in on ! lo0 proto tcp to port 6000:6010

[root@@serv75/home/rdk:]cat /etc/hostname.vr0
inet A.B.C.75 255.255.254.0 NONE description "WAN75"
group trust

[root@@serv75/home/rdk:]cat /etc/hostname.vr1
inet 10.0.75.254 255.255.255.0 NONE description "LAN75"
group trust

[root@@serv75/home/rdk:]cat /etc/hostname.enc0
up

[root@@serv75/home/rdk:]cat /etc/rc.conf.local
iked_flags=YES
ntpd_flags="-s"
dhcpd_flags="vr1 vr2 vr3"

[root@@serv75/home/rdk:]cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1


-- 
radek



Re: ikev2 and road warriors setup

2018-02-07 Thread Radek
77a4400d017d93f 
A.B.9.73:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x35e2e7f614678913 0x177a4400d017d93f 
E.F.G.H:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x177a4400d017d93f 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from A.B.9.73:500 to E.F.G.H:500 msgid 0, 
325 bytes
config_free_proposals: free 0x8134e000

Generating and installing certificate for E.F.G.H doesn't make any change.


On Sat, 27 Jan 2018 19:55:46 +0100
Radek  wrote:

> Hello,
> 
> I have configured OpenIKED Site-to-Site VPN between two gateways:
> serv73 - OBSD6.1, IP A.B.C.73,
> serv75 - OBSD6.2, IP A.B.C.75.
> It seems to work fine.
> 
> I'm trying to set up VPN for a few road warriors in one of these gateways. As 
> much as possible, authorisation should be independent of the user's IP. If I 
> get it right, a certificate is always bound to a certain IP, so I need to use 
> login and password authentication.
> After spending some time playing around with that I can not find the proper 
> configuration.
> I know the reason for that is a lack of certificate (I don't have any idea 
> what cert it is) but maybe something else that I have missed or did it wrong.
> I have read manuals but not everything is clear for me.
> 
> On win7 I got 809 error.
> Client is configured as below:
> https://hide.me/en/vpnsetup/windows7/ikev2/
> 
> Any help appreciated :)
> 
> My configs:
> 
> [root@@serv75/home/rdk:]iked -dv
> ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 
> policy 'roadwarrior' id 0, 528 bytes
> ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 
> 0, 325 bytes
> ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
> policy 'roadwarrior' id 1, 764 bytes
> ca_getreq: no valid local certificate found
> ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
> policy 'roadwarrior' id 1, 764 bytes
> ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
> policy 'roadwarrior' id 1, 764 bytes
> 
> 
> [root@@serv75/home/rdk:]cat /etc/iked.conf
> remote_gw73 = "A.B.C.73" # serv33
> remote_lan73= "10.0.73.0/24"
> local_gw= "10.0.75.254" # serv75
> local_lan   = "10.0.75.0/24"
> dns1  = "8.8.8.8"
> 
> ikev2 active esp from $local_gw to $remote_gw73 \
> from $local_lan to $remote_lan73 peer $remote_gw73 \
> psk "test123"
> 
> user "test" "pass1234"
> ikev2 "roadwarrior" passive esp \
> from 0.0.0.0/0 to 10.0.75.0/24 \
> local any peer any \
> eap "mschap-v2" \
> config address 10.0.75.123 \
> config name-server 8.8.8.8 \
> tag "$name-$id"
> 
> [root@@serv75/home/rdk:]cat /etc/pf.conf
> ext_if  = "vr0"
> lan_if  = "vr1"# vr1
> lan_local   = $lan_if:network  # 10.0.75.0/24
> ext_ip  = "A.B.C.75"
> bud = "A.B.C.0/25"
> rdkhome_wy  = "YY.YY.YY.YY"
> rdkhome_mon = "XX.XX.XX.XX"
> ssh_port= "1071"
> icmp_types  = "{ echoreq, unreach }"
> table  const { A.B.C.73, A.B.C.74 }
> set skip on { lo, enc0 }
> block return on $ext_if # block stateless traffic
> match out log on $ext_if from $lan_local nat-to $ext_if set prio (1

[6.2] Forwarding root mails to user+al...@gmail.com

2018-03-24 Thread Radek
Hello misc,

I'm trying to forward root mails to user+al...@gmail.com and then label them in 
gmail and move to alias_folder, but all mails are delivered to gmail with 
header "To: root@RAC_fw.PRAC" and go to main inbox of u...@gmail.com instead.

I think mails need to have "To: user+al...@gmail.com" if I want gmail to label 
them correctly. 

How can I make it work the way I want it?

# grep -C1 Well /etc/mail/aliases

# Well-known aliases -- these should be filled in!
root:user+al...@gmail.com


# grep "^[^#;]" /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases
listen on lo0
accept for local alias  #deliver to mbox
accept from local for any relay as user+al...@gmail.com

Thanks for help!

-- 
radek



OpenBSD + Firebird Server

2020-11-24 Thread Radek
Hi,
is it possible to install Firebird Server in OpenBSD? I can't find any info 
about that anywhere. 
Thanks! 

-- 
Radek



Re: OpenBSD + Firebird Server

2020-11-25 Thread Radek
> Assuming you mean the SQL database,
Yes, I mean Firebird SQL db.

> Firebird required pthread_condattr_setpshared
> and pthread_mutexattr_setpshared, which OpenBSD doesn't implement.
Does anybody know if there is a plan to implement it?

On Tue, 24 Nov 2020 21:37:51 -0800
Jeremy Evans  wrote:

> On Tue, Nov 24, 2020 at 9:27 PM Radek  wrote:
> 
> > Hi,
> > is it possible to install Firebird Server in OpenBSD? I can't find any
> > info about that anywhere.
> > Thanks!
> 
> 
> Assuming you mean the SQL database, when last I looked into this years ago,
> Firebird required pthread_condattr_setpshared
> and pthread_mutexattr_setpshared, which OpenBSD doesn't implement.
> 
> Thanks,
> Jeremy


-- 
Radek



npppd - problem with simultaneous sessions

2021-01-06 Thread Radek
Microsoft firm=0601
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendSCCRP
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvSCCN
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendZLB
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 RecvICRQ session_id=1
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 SendICRP 
session_id=11788
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 RecvICCN 
session_id=1 calling_number= tx_conn_speed=1 framing=sync
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 logtype=PPPBind ppp=1
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=Started 
tunnel=L2TP(A.B.C.D:1701)
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 SendZLB
Jan  6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp logtype=Opened 
mru=1360/1400 auth=MS-CHAP-V2 magic=9699e1a6/244d01eb
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb 
text=MSRASV5.20
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb 
text=MSRAS-0-X
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb 
text=.*.(...N.Z68
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=chap proto=mschap_v2 
logtype=Success username="rdk-test" realm=LOCAL
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe mismatch 
our=40bit,128bit,56bit,stateless peer=stateless
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp IP Address peer=0.0.0.0 
our=10.109.4.11.
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp logtype=Opened 
ip=10.109.4.11 assignType=dynamic
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART 
user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 
auth=MS-CHAP-V2  ip=10.109.4.11 iface=pppx0
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe logtype=Opened 
our=128bit,stateless peer=128bit,stateless
Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base Using pipex=yes

-- 
Radek



Re: npppd - problem with simultaneous sessions

2021-01-07 Thread radek
Hi, 

> It seems that only last person can use the tunnel.  This reminds me 
> problems through NAT.
True. Can it be caused by wrong PF rules?

> Both sessions seem to be connected from A.B.C.D.  Are the clients 
> behind a NAT?
Yes, both clients are behind the same router/NAT.
I have a 66/i386 box running npppd in production and my two clients can be 
connected at the same time flawlessly.

> How about the npppd side?  Does the client directly connect to
> 
> > tunnel L2TP protocol l2tp {
> > listen on X.Y.Z.13
> > }
> 
> X.Y.Z.13 ?  Or a NAT is there?
It is directly connected to X.Y.Z.13, no NAT.

On Thu, 07 Jan 2021 16:27:57 +0900 (JST)
YASUOKA Masahiko  wrote:

> Hi,
> 
> On Wed, 6 Jan 2021 21:33:49 +0100
> Radek  wrote:
> > I have a box with relatively fresh install of 68/amd64, fully 
> > syspatched. There is a npppd server running on it. The problem is 
> > that I can have only one nppp session at one time. If the second 
> > vpn user connects the box, the first nppp session hangs/drops. I 
> > probably have missed something obvious in my setup but I really 
> > can't find what it is.
> 
> It seems that only last person can use the tunnel.  This reminds me 
> problems through NAT.
> 
> > Jan  6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base 
> > logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP 
> > layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.1 iface=pppx0
> 
> > Jan  6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base 
> > logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP 
> > layer2from=A.B.C.D:1701 auth=MS-CHAP-V2  ip=10.109.4.11 iface=pppx0
> 
> Both sessions seem to be connected from A.B.C.D.  Are the clients 
> behind a NAT?
> 
> How about the npppd side?  Does the client directly connect to
> 
> > tunnel L2TP protocol l2tp {
> > listen on X.Y.Z.13
> > }
> 
> X.Y.Z.13 ?  Or a NAT is there?
> 
> On Wed, 6 Jan 2021 21:33:49 +0100
> Radek  wrote:
> > Hi @misc,
> >
> > I have a box with relatively fresh install of 68/amd64, fully 
> > syspatched. There is a npppd server running on it. The problem is 
> > that I can have only one nppp session at one time. If the second 
> > vpn user connects the box, the first nppp session hangs/drops. I 
> > probably have missed something obvious in my setup but I really 
> > can't find what it is.
> >
> > Please help me to solve the problem.
> > Thank you.
> >
> > $cat /etc/npppd/npppd.conf
> > authentication LOCAL type local {
> > users-file "/etc/npppd/npppd-users"
> > }
> > tunnel L2TP protocol l2tp {
> > listen on X.Y.Z.13
> > }
> > ipcp IPCP {
> > pool-address 10.109.4.1-10.109.4.32
> > dns-servers 1.1.1.1
> > }
> > # use pppx(4) interface.  use an interface per a ppp session.
> > interface pppx0 address 10.109.4.254 ipcp IPCP
> > bind tunnel from L2TP authenticated by LOCAL to pppx0
> >
> > $cat /etc/hostname.enc0
> > up
> >
> >
> > $cat /etc/sysctl.conf
> > net.inet.ip.forwarding=1
> > net.inet.ipcomp.enable=1
> > net.inet.esp.enable=1
> > net.inet.gre.allow=1
> > net.pipex.enable=1
> >
> > $cat /etc/rc.conf.local
> > ipsec=YES
> > ipsec_rules=/etc/ipsec.conf
> > isakmpd_flags="-K"
> > npppd_flags=""
> >
> > $cat /etc/ipsec.conf
> > wan_ipv4 = X.Y.Z.13
> > ike passive esp transport \
> >  proto udp from $wan_ipv4 to any port 1701 \
> >  main auth "hmac-sha1" enc "3des" group modp1024 \
> >  quick auth "hmac-sha1" enc "aes" group modp1024 \
> >  psk "pskpskpsk"
> >
> > $cat /etc/pf.conf
> > [...]
> > vpn_if = "pppx"
> > vpn_local  = "10.109.4.0/24"
> >
> > pass in on $ext_if proto udp from any to (egress:0) port 
> > {isakmp,ipsec-nat-t,l2tp}
> > pass in on $ext_if proto {ah,esp}
> > pass log proto { gre } from any to any keep state
> >
> > # filter all IPSec traffic on the enc interface
> > pass on enc0 keep state (if-bound)
> >
> > # allow all trafic in on and out to the VPN network
> > pass on $vpn_if from $vpn_local
> > pass on $vpn_if to $vpn_local
> >
> > # NAT VPN traffic going out on the public interface with the public 
> > IP
> > match out log on $ext_if inet proto { tcp, udp, icmp } from 
> > $vpn_local nat-to ($ext_if) set prio (3,7)
> >
> > some logs...
> >
> > Jan  6 20:53:14 fw-u last message re

Re: npppd - problem with simultaneous sessions

2021-01-08 Thread Radek
Hi,

> When the problem is happening, is the counter "dropped due to missing 
> IPsec protection" incremented?
Yes, it is.

No VPN session:
$ netstat -sp udp
udp:
360413 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
39898 with no checksum
108780 input packets software-checksummed
135430 output packets software-checksummed
187992 dropped due to no socket
50819 broadcast/multicast datagrams dropped due to no socket
970 dropped due to missing IPsec protection
0 dropped due to full socket buffers
121602 delivered
222326 datagrams output
285255 missed PCB cache

First VPN session:
$ netstat -sp udp
udp:
360863 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
40104 with no checksum
108780 input packets software-checksummed
135518 output packets software-checksummed
188056 dropped due to no socket
50885 broadcast/multicast datagrams dropped due to no socket
970 dropped due to missing IPsec protection
0 dropped due to full socket buffers
121922 delivered
222532 datagrams output
285534 missed PCB cache

Second VPN session (the first ses. was disconnected)
[root@@fw-u/home/rdk:]netstat -sp udp
udp:
361306 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
40446 with no checksum
108780 input packets software-checksummed
135660 output packets software-checksummed
188109 dropped due to no socket
50888 broadcast/multicast datagrams dropped due to no socket
977 dropped due to missing IPsec protection
0 dropped due to full socket buffers
122309 delivered
222708 datagrams output
285800 missed PCB cache

and after ~2 minutes:
[root@@fw-u/home/rdk:]netstat -sp udp
udp:
361814 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
40862 with no checksum
108780 input packets software-checksummed
135837 output packets software-checksummed
188150 dropped due to no socket
50900 broadcast/multicast datagrams dropped due to no socket
1005 dropped due to missing IPsec protection
0 dropped due to full socket buffers
122764 delivered
222912 datagrams output
286078 missed PCB cache

On Fri, 08 Jan 2021 18:15:37 +0900 (JST)
YASUOKA Masahiko  wrote:

> Hi,
> 
> >> It seems that only last person can use the tunnel.  This reminds me
> >> problems through NAT.
> > True. Can it be caused by wrong PF rules?
> 
> No, I don't think so.
> 
> I suppose I could repeat the problem.
> 
> When the problem is happening, is the counter "dropped due to missing 
> IPsec protection" incremented?
> 
>% netstat -sp udp
>udp:
>655 datagrams received
>0 with incomplete header
>0 with bad data length field
>0 with bad checksum
>297 with no checksum
>356 input packets software-checksummed
>236 output packets software-checksummed
>46 dropped due to no socket
>0 broadcast/multicast datagrams dropped due to no socket
>3 dropped due to missing IPsec protection
>0 dropped due to full socket buffers
>609 delivered
>236 datagrams output
>354 missed PCB cache
> 
> I started looking into this problem.
> 
> On Thu, 7 Jan 2021 09:45:07 +0100
> radek  wrote:
> > Hi,
> >
> >> It seems that only last person can use the tunnel.  This reminds me
> >> problems through NAT.
> > True. Can it be caused by wrong PF rules?
> >
> >> Both sessions seem to be connected from A.B.C.D.  Are the clients
> >> behind a NAT?
> > Yes, both client are behind the same router/NAT.
> > I have a 66/i386 box running npppd on production and my two clients 
> > can be connected at the same time flawlessly.
> >
> >> How about the npppd side?  Does the client directly connect to
> >>
> >> > tunnel L2TP protocol l2tp {
> >> > listen on X.Y.Z.13
> >> > }
> >>
> >> X.Y.Z.13 ?  Or a NAT is there?
> > It is directly connected to X.Y.Z.13, no NAT.
> >
> > On Thu, 07 Jan 2021 16:27:57 +0900 (JST)
> > YASUOKA Masahiko  wrote:
> >
> >> Hi,
> >>
> >> On Wed, 6 Jan 2021 21:33:49 +0100
> >> Radek  wrote:
> >> > I have a box with relatively fresh install
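
The counter comparison YASUOKA asks for above, as an added example that is not part of the thread: it parses two `netstat -sp udp` snapshots (the second-session and two-minutes-later ones from the post, embedded as sample input) and reports which counters moved, flagging "dropped due to missing IPsec protection". The parsing and reporting code is my own assumption about how to automate that check, not a tool from the thread or from OpenBSD.

```python
"""Diff two snapshots of `netstat -sp udp` and flag the IPsec drop counter.

Added example, not from the thread. The two snapshots below are the ones
Radek posted (second VPN session, then ~2 minutes later); the parsing and
diffing logic is an assumption about how to automate the check YASUOKA
suggested, not a tool from the thread or from OpenBSD.
"""
import re
from typing import Dict, List

# Counters whose growth points at the L2TP/IPsec-through-NAT problem.
WATCH = ("dropped due to missing IPsec protection",)

# Accepts plain lines and lines quoted in a mail reply ("> 3 dropped ...").
_LINE = re.compile(r"^[>\s]*(\d+)\s+(\S.*?)\s*$")

SNAPSHOT_SESSION2 = """\
udp:
361306 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
40446 with no checksum
108780 input packets software-checksummed
135660 output packets software-checksummed
188109 dropped due to no socket
50888 broadcast/multicast datagrams dropped due to no socket
977 dropped due to missing IPsec protection
0 dropped due to full socket buffers
122309 delivered
222708 datagrams output
285800 missed PCB cache
"""

SNAPSHOT_2MIN_LATER = """\
udp:
361814 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
40862 with no checksum
108780 input packets software-checksummed
135837 output packets software-checksummed
188150 dropped due to no socket
50900 broadcast/multicast datagrams dropped due to no socket
1005 dropped due to missing IPsec protection
0 dropped due to full socket buffers
122764 delivered
222912 datagrams output
286078 missed PCB cache
"""


def parse_udp_stats(text: str) -> Dict[str, int]:
    """Map each counter description to its value; non-counter lines are skipped."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def diff_stats(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Return only the counters that changed, with their delta (after - before)."""
    return {
        name: after[name] - before[name]
        for name in after
        if name in before and after[name] != before[name]
    }


def ipsec_drops_increased(before: Dict[str, int], after: Dict[str, int]) -> bool:
    """True when any watched counter grew between the two snapshots."""
    delta = diff_stats(before, after)
    return any(delta.get(name, 0) > 0 for name in WATCH)


def report(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Human-readable lines, largest delta first, watched counters marked '!!'."""
    lines = []
    for name, delta in sorted(diff_stats(before, after).items(), key=lambda kv: -kv[1]):
        mark = "!!" if name in WATCH else "  "
        lines.append(f"{mark} {delta:+8d}  {name}")
    return lines


if __name__ == "__main__":
    a = parse_udp_stats(SNAPSHOT_SESSION2)
    b = parse_udp_stats(SNAPSHOT_2MIN_LATER)
    print("\n".join(report(a, b)))
    print("IPsec drop counter increased:", ipsec_drops_increased(a, b))
```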

How to request a specific IP address from DHCP server

2021-01-19 Thread Radek
Hi,
I can't manage to request a specific IP address from the DHCP server.  It is just a 
testing lab, the requested IP address (.104) isn't used by any other client. 
What am I doing wrong?

$ cat /etc/hostname.vr0
-inet
dhcp

$ cat /etc/dhclient.conf
send dhcp-requested-address 192.168.1.104;

$ sh /etc/netstart vr0
vr0: 192.168.1.103 lease accepted from 192.168.1.1 (b0:48:7a:a5:86:15)

$ dhclient -v vr0
vr0: DHCPREQUEST to 255.255.255.255
vr0: DHCPACK from 192.168.1.1 (b0:48:7a:a5:86:15)
vr0: 192.168.1.103 lease accepted from 192.168.1.1 (b0:48:7a:a5:86:15)

Thanks for any help.

-- 
Radek



Re: How to request a specific IP address from DHCP server

2021-01-19 Thread Radek
> You're using the wrong tool for the job, use an address reservation
> bound to the client MAC on the DHCP server instead.
I don't have access to the DHCP server side. That's the problem and I'm 
trying to find a way to have the same IP address at any time. The client is 
permanently connected to the network. 

> configuration changes at the server end.
Nobody touches the server end.

On Tue, 19 Jan 2021 21:05:21 +
Peter Kay  wrote:

> On Tue, 19 Jan 2021 at 20:57, Radek  wrote:
> >
> > Hi,
> > I can't manage to request a specific IP address from the DHCP server.  It is 
> > just a testing lab, the requested IP address (.104) isn't used by any 
> > other client. What am I doing wrong?
> You're using the wrong tool for the job, use an address reservation
> bound to the client MAC on the DHCP server instead.
> 
> Whether or not requesting an address client side works, at any time it
> could fail due to a change in leases allocated to other clients, or
> configuration changes at the server end. If a specific IP is needed,
> use reservations instead.
> 
> PK
> 


-- 
Radek



Re: How to request a specific IP address from DHCP server

2021-01-22 Thread Radek
> Instead of requesting a specific address, have you tried to supersede
> the given one with your address in /etc/dhclient.conf?
Yes, I have tried, but it doesn't work as expected. 
$ cat /etc/dhclient.conf
supersede dhcp-requested-address 192.168.1.104;

$ dhclient -v vr0
vr0: DHCPREQUEST to 255.255.255.255
vr0: DHCPACK from 192.168.1.1 (b0:48:7a:a5:86:15)
vr0: 192.168.1.103 lease accepted from 192.168.1.1 (b0:48:7a:a5:86:15)

Even if the "supersede" option changes the given IP address to my_address, I'm 
afraid it's not what I need because the given IP address is in 
/var/db/dhcpd.leases (instead of my_address) and DHCPD can give my_address 
to another client. Am I right?


On Wed, 20 Jan 2021 09:38:13 +0100
Marco Scholz  wrote:

> On Tue, Jan 19, 2021 at 08:56:39PM +0100, Radek wrote:
> > I can't manage to request a specific IP address from DHCP server.
> [...]
> 
> Instead of requesting a specific address, have you tried to supersede
> the given one with your address in /etc/dhclient.conf?
> 
> man dhclient.conf
> 
> 
> Marco.
> 


-- 
Radek



Fw: Re: How to request a specific IP address from DHCP server

2021-01-22 Thread Radek
Forward.

Begin forwarded message:

Date: Thu, 21 Jan 2021 16:32:55 +0100
From: Radek 
To: Allan Streib 
Subject: Re: How to request a specific IP address from DHCP server


> Can you configure a permanent IP address in the client configuration
> (hostname.if file) that is outside the range that DHCP allocates, but
> still on the same network?
I'm trying to find a way to use a permanent IP address that is inside the 
dynamic DHCP range and I want to configure it on the client side. I just want 
to know if there is any way to do it.


On Tue, 19 Jan 2021 23:25:29 -0500
Allan Streib  wrote:

> Radek  writes:
> 
> > I don't have an access to the DHCP server side. That's the problem and
> > I'm trying to find a way to have the same IP address at any time. The
> > client is permanently connected to the network.
> 
> Can you configure a permanent IP address in the client configuration
> (hostname.if file) that is outside the range that DHCP allocates, but
> still on the same network?
> 
> Allan


-- 
Radek


-- 
Radek



Re: OpenSMTPD is not sending e-mail.

2021-01-28 Thread Radek
Hi, 
a few days ago all my boxes using the same ISP stopped sending me emails from 
local users and daemons (daily outputs and any other cronjob reports) to 
@gmail.com.
I have tried to send email to a few not_gmail mailboxes - the same problem. 
If I send emails from other boxes (using another ISP), they are received 
correctly.

The telnet test doesn't show the "220 mx.google." line. Does it mean that port 
25 is blocked by the ISP?

$ telnet gmail-smtp-in.l.google.com 25
Trying 173.194.220.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
Connection closed by foreign host.


$ smtpctl remove all
14 envelopes removed
$ echo test-123 | mail -s test-123 a...@gmail.com
$ tail -n 30 /var/log/maillog
Jan 28 20:06:43 fw66-krz smtpd[69953]: 717b813accae5132 smtp connected 
address=local host=fw66-krz.krz
Jan 28 20:06:43 fw66-krz smtpd[69953]: 717b813accae5132 smtp message 
msgid=ba93721b size=331 nrcpt=1 proto=ESMTP
Jan 28 20:06:43 fw66-krz smtpd[69953]: 717b813accae5132 smtp envelope 
evpid=ba93721b7de7a76f from= to=
Jan 28 20:06:43 fw66-krz smtpd[69953]: 717b813accae5132 smtp disconnected 
reason=quit
Jan 28 20:06:57 fw66-krz smtpd[69953]: 717b8138ac37b4db mta error 
reason=Connection closed unexpectedly
Jan 28 20:06:57 fw66-krz smtpd[69953]: smtp-out: Disabling route [] <-> 
142.250.96.27 (142.250.96.27) for 15s
Jan 28 20:07:12 fw66-krz smtpd[69953]: smtp-out: Enabling route [] <-> 
142.250.96.27 (142.250.96.27)
Jan 28 20:07:14 fw66-krz smtpd[69953]: 717b8139462f1927 mta error 
reason=Connection closed unexpectedly
Jan 28 20:07:14 fw66-krz smtpd[69953]: smtp-out: Disabling route [] <-> 
108.177.112.27 (108.177.112.27) for 15s
Jan 28 20:07:14 fw66-krz smtpd[69953]: 717b813c3c64b02d mta connecting 
address=smtp://142.250.96.27:25 host=142.250.96.27
Jan 28 20:07:14 fw66-krz smtpd[69953]: 717b813c3c64b02d mta connected
Jan 28 20:07:29 fw66-krz smtpd[69953]: smtp-out: Enabling route [] <-> 
108.177.112.27 (108.177.112.27)
Jan 28 20:07:30 fw66-krz smtpd[69953]: 717b813ddb20a2c5 mta connecting 
address=smtp://108.177.112.27:25 host=108.177.112.27
Jan 28 20:07:30 fw66-krz smtpd[69953]: 717b813ddb20a2c5 mta connected




On Tue, 26 Jan 2021 11:26:17 - (UTC)
Stuart Henderson  wrote:

> On 2021-01-25, latincom  wrote:
> > It had worked for many years; but this time OpenBSD 6.8; server and 
> > Laptop, are not working as the man page says.
> >
> > I did an empiric test, because i am not qualified for a real test.
> >
> > Both are not able to send messages (e-mails), to other machines.
> > The message at maillog is the same:
> >
> > result="TempFail" stat="Network error on destination MXs"
> 
> Perhaps your ISP blocks port 25. What do you get if you type
> "telnet gmail-smtp-in.l.google.com 25"? It should go something
> like this:
> 
> $ telnet gmail-smtp-in.l.google.com 25
> Trying 66.102.1.27...
> Connected to gmail-smtp-in.l.google.com.
> Escape character is '^]'.
> 220 mx.google.com ESMTP k2si3832128wrm.242 - gsmtp
> quit
> 221 2.0.0 closing connection k2si3832128wrm.242 - gsmtp
> Connection closed by foreign host.
> 
> 



-- 
Radek
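
The telnet banner test Stuart suggests above, as an added example that is not part of the thread: it connects to a mail exchanger and classifies the result as a proper "220" greeting, a connection closed before any banner (the symptom in Radek's post), refused, or timed out. The two loopback fake servers and the check function are my own construction so the example runs offline; the only real host name is the gmail MX from the thread, used only in the commented-out line.

```python
"""Automated version of the `telnet gmail-smtp-in.l.google.com 25` test.

Added example, not from the thread. It classifies what happens after the
TCP connect: a proper "220" greeting, a connection that is closed before any
banner arrives (the symptom in Radek's post, typical of an ISP blocking or
intercepting outbound port 25), a refused connection, or a timeout. The two
local fake servers are constructed here so the check runs offline.
"""
import socket
import socketserver
import threading
from typing import Dict, Tuple


def smtp_banner_check(host: str, port: int = 25, timeout: float = 5.0) -> Tuple[str, str]:
    """Connect and read the first line; return (verdict, text).

    verdict is one of: "banner", "unexpected", "closed", "refused",
    "timeout", "error".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            buf = b""
            while b"\n" not in buf and len(buf) < 4096:
                chunk = sock.recv(512)
                if not chunk:  # peer closed (FIN) before a full banner line
                    return "closed", buf.decode(errors="replace")
                buf += chunk
    except ConnectionRefusedError:
        return "refused", ""
    except ConnectionResetError:
        return "closed", ""
    except socket.timeout:
        return "timeout", ""
    except OSError:
        return "error", ""
    line = buf.decode(errors="replace").splitlines()[0].strip()
    if line.startswith("220"):
        return "banner", line
    return "unexpected", line


class _GreetingHandler(socketserver.BaseRequestHandler):
    """Behaves like a reachable MX: sends a greeting, then hangs up."""

    def handle(self) -> None:
        self.request.sendall(b"220 mx.example.test ESMTP constructed-banner\r\n")


class _SilentCloseHandler(socketserver.BaseRequestHandler):
    """Accepts the TCP connection and closes it without saying anything."""

    def handle(self) -> None:
        return


def start_fake_server(handler) -> Tuple[socketserver.TCPServer, int]:
    """Bind a fake server on an ephemeral loopback port; caller must shut it down."""
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> Dict[str, str]:
    """Run the check against both fake servers; returns {name: verdict}."""
    verdicts: Dict[str, str] = {}
    for name, handler in (("greeting", _GreetingHandler), ("silent-close", _SilentCloseHandler)):
        server, port = start_fake_server(handler)
        try:
            verdicts[name] = smtp_banner_check("127.0.0.1", port, timeout=3.0)[0]
        finally:
            server.shutdown()
            server.server_close()
    return verdicts


if __name__ == "__main__":
    print(demo())
    # The real check from the thread (needs network access):
    # print(smtp_banner_check("gmail-smtp-in.l.google.com", 25))
```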



npppd - changing clients' route table

2021-02-20 Thread Radek
Hi, 
I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw 
10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
If the client is connected to the VPN, all the client's traffic to 10.0.0.0/8 goes via 
10.109.4.254

client> route print 
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  192.168.1.101      20
         10.0.0.0        255.0.0.0     10.109.4.254     10.109.4.1      21
       10.109.4.1  255.255.255.255          On-link      10.109.4.1     276
[...]

I need to redirect the traffic to 10.109.4.254 only if it goes to the remote 
LAN (10.109.3.0/24), the rest should go via def gw.
How can I configure it on the router/server side ?

$ cat /etc/npppd/npppd.conf
# $OpenBSD: npppd.conf,v 1.3 2020/01/23 03:01:22 dlg Exp $
# sample npppd configuration file.  see npppd.conf(5)

set max-session 200
set user-max-session 4

authentication LOCAL type local {
users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
listen on X.X.X.X
}

ipcp IPCP {
pool-address 10.109.4.1-10.109.4.32
dns-servers 1.1.1.1
}

# use pppx(4) interface.  use an interface per a ppp session.
interface pppx0 address 10.109.4.254 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

$ cat /etc/npppd/npppd-users
rdk:\
:password=pasword:\
:framed-ip-address=10.109.4.1:
#:framed-ip-netmask=255.255.255.0:

$ dmesg | head
OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021

r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

-- 
Radek



Fw: Re: npppd - changing clients' route table

2021-02-21 Thread Radek
Hello,

> The interface which terminate the tunnel has "192.168.4.254".
> Right?
Do you mean the other end of the tunnel? It is 10.109.4.254
interface pppx0 address 10.109.4.254 ipcp IPCP

> How about if you configure the npppd-users
> 
> rdk:
>   :password=pasword:\
>   :framed-ip-address=10.109.4.254:\
>   :framed-ip-netmask=255.255.255.0:
> 
> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
> session authenticated by the above "rdk".
I have tried to configure npppd-users with netmask /24, but it doesn't make any 
changes. I still have all traffic to 10.0.0.0/8 going across the tunnel to 
10.109.4.254 (VPN), but I need to push the traffic to 10.109.3.0/24 through the 
tunnel (via 10.109.4.254) and the rest of 10.0.0.0/8 through the default gw, or 
sometimes some traffic to 10.0.0.0/8 through another tunnel at the same time. 
Now, if the PPP tunnel is established, the VPN catches all the 10.0.0.0/8 traffic.
The VPN client (Windows 7/10) is configured NOT to use the VPN as the remote gw.

Example:
I have a public, static IP. There is a route configured to 10.55.0.0/24 at the 
ISP's side and I don't need any VPN tunnel to access 10.55.. Somewhere over 
the rainbow is a router with LAN 10.109.3.0/24 and npppd.
If I use the PPP tunnel I can access 10.109.3.0/24 but at the same time I can't 
access 10.55.0.0/24 because all of 10.0.0.0/8 goes across the tunnel.


On Sun, 21 Feb 2021 23:18:19 +0900 (JST)
YASUOKA Masahiko  wrote:

> Hello,
> 
> On Sat, 20 Feb 2021 21:14:24 +0100
> Radek  wrote:
> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw 
> > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
> > If the client is connected to VPN all client's traffic to 10.0.0.0/8 goes 
> > via 10.109.4.254
> > 
> > client> route print 
> > Network Destination        Netmask          Gateway       Interface  Metric
> >           0.0.0.0          0.0.0.0      192.168.1.1  192.168.1.101      20
> >          10.0.0.0        255.0.0.0     10.109.4.254     10.109.4.1      21
> >        10.109.4.1  255.255.255.255          On-link      10.109.4.1     276
> > [...]
> 
> The interface which terminate the tunnel has "192.168.4.254".
> Right?
> 
> > $ cat /etc/npppd/npppd-users
> > rdk:\
> > :password=pasword:\
> > :framed-ip-address=10.109.4.1:
> > #:framed-ip-netmask=255.255.255.0:
> 
> How about if you configure the npppd-users
> 
> rdk:
>   :password=pasword:\
>   :framed-ip-address=10.109.4.254:\
>   :framed-ip-netmask=255.255.255.0:
> 
> ?
> 
> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP
> session authenticated by the above "rdk".
> 
> 
> On Sat, 20 Feb 2021 21:14:24 +0100
> Radek  wrote:
> > Hi, 
> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw 
> > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
> > If the client is connected to VPN all client's traffic to 10.0.0.0/8 goes 
> > via 10.109.4.254
> > 
> > client> route print 
> > Network Destination        Netmask          Gateway       Interface  Metric
> >           0.0.0.0          0.0.0.0      192.168.1.1  192.168.1.101      20
> >          10.0.0.0        255.0.0.0     10.109.4.254     10.109.4.1      21
> >        10.109.4.1  255.255.255.255          On-link      10.109.4.1     276
> > [...]
> > 
> > I need to redirect the traffic to 10.109.4.254 only if it goes to the 
> > remote LAN (10.109.3.0/24), the rest should go via def gw.
> > How can I configure it on the router/server side ?
> > 
> > $ cat /etc/npppd/npppd.conf
> > # $OpenBSD: npppd.conf,v 1.3 2020/01/23 03:01:22 dlg Exp $
> > # sample npppd configuration file.  see npppd.conf(5)
> > 
> > set max-session 200
> > set user-max-session 4
> > 
> > authentication LOCAL type local {
> > users-file "/etc/npppd/npppd-users"
> > }
> > tunnel L2TP protocol l2tp {
> > listen on X.X.X.X
> > }
> > 
> > ipcp IPCP {
> > pool-address 10.109.4.1-10.109.4.32
> > dns-servers 1.1.1.1
> > }
> > 
> > # use pppx(4) interface.  use an interface per a ppp session.
> > interface pppx0 address 10.109.4.254 ipcp IPCP
> > bind tunnel from L2TP authenticated by LOCAL to pppx0
> > 
> > $ cat /etc/npppd/npppd-users
> > rdk:\
> > :password=pasword:\
> > :framed-ip-address=10.109.4.1:
> > #:framed-ip-netmask=255.255.255.0:
> > 
> > $ dmesg | head
> > OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021
> > 
> > r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > 
> > -- 
> > Radek
> > 
> 
-- 
Radek



DHCPd - option capwap (code 138)

2021-05-06 Thread Radek
Hello,
I want to use dhcpd server to push Wireless Controller's IP address to the APs.

According to this:
http://systemnetworksecurity.blogspot.com/2013/02/adding-custom-options-in-isc-dhcpds.html
https://www.secuvera.de/blog/capwap-dhcp-option-138-auf-isc-dhcpd-server-einrichten/
I need to add *option capwap* to /etc/dhcpd.conf

option capwap code 138 = ip-address; #Custom Option capwap
option capwap 192.168.1.110; #WLAN-Controller-IP

I can't find the capwap option in dhcp-options(5) in OpenBSD.
How can I do what I need using other options/configuration? 
Thanks!

-- 
Radek



Re: DHCPd - option capwap (code 138)

2021-05-10 Thread Radek
Thank you Denis, Stu,

I added option-138, the syntax is correct now but the AP doesn't connect to the 
Controller. 
Did I miss any other option(s) in my dhcpd.conf or should I look for the 
reason at the Controller side?

subnet 10.109.3.0 netmask 255.255.255.0 {
option routers 10.109.3.254;
range 10.109.3.201 10.109.3.220;
#option option-138 10.109.3.100;
option option-138 A:6D:3:64;

host [...]

On Thu, 6 May 2021 11:45:43 +0200
Denis Fondras  wrote:

> Le Thu, May 06, 2021 at 10:48:55AM +0200, Radek a écrit :
> > Hello,
> > I want to use dhcpd server to push Wireless Controller's IP address to the 
> > APs.
> > 
> > According to this:
> > http://systemnetworksecurity.blogspot.com/2013/02/adding-custom-options-in-isc-dhcpds.html
> > https://www.secuvera.de/blog/capwap-dhcp-option-138-auf-isc-dhcpd-server-einrichten/
> > I need to add *option capwap* to /etc/dhcpd.conf
> > 
> > option capwap code 138 = ip-address; #Custom Option capwap
> > option capwap 192.168.1.110; #WLAN-Controller-IP
> > 
> 
> Have you tried something like :
> 
> option option-138 C0:A8:01:6E;
> 
> ?
> 


-- 
Radek



Re: DHCPd - option capwap (code 138)

2021-05-11 Thread Radek
Update.
My conf seems to work as expected, but it took a few hours for the APs to find the 
controller. Since then even new APs find the controller in a few minutes.
Controller: Alcatel-Lucent OmniVista 2500
APs: OAW-AP1321-RW

Thanks for your help!

On Mon, 10 May 2021 15:30:01 +0200
Radek  wrote:

> Thank you Denis, Stu,
> 
> I added option-138, the syntax is correct now but the AP doesn't connect to 
> the Controller. 
> Did I miss any other option(s) in my dhcpd.conf or should I look for the 
> reason at the Controller side?
> 
> subnet 10.109.3.0 netmask 255.255.255.0 {
> option routers 10.109.3.254;
> range 10.109.3.201 10.109.3.220;
> #option option-138 10.109.3.100;
> option option-138 A:6D:3:64;
> 
> host [...]
> 
> On Thu, 6 May 2021 11:45:43 +0200
> Denis Fondras  wrote:
> 
> > Le Thu, May 06, 2021 at 10:48:55AM +0200, Radek a écrit :
> > > Hello,
> > > I want to use dhcpd server to push Wireless Controller's IP address to 
> > > the APs.
> > > 
> > > According to this:
> > > http://systemnetworksecurity.blogspot.com/2013/02/adding-custom-options-in-isc-dhcpds.html
> > > https://www.secuvera.de/blog/capwap-dhcp-option-138-auf-isc-dhcpd-server-einrichten/
> > > I need to add *option capwap* to /etc/dhcpd.conf
> > > 
> > > option capwap code 138 = ip-address; #Custom Option capwap
> > > option capwap 192.168.1.110; #WLAN-Controller-IP
> > > 
> > 
> > Have you tried something like :
> > 
> > option option-138 C0:A8:01:6E;
> > 
> > ?
> > 
> 
> 
> -- 
> Radek
> 


-- 
Radek
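
The option-138 encoding used in the two messages above (Denis's `C0:A8:01:6E` for 192.168.1.110 and Radek's working `A:6D:3:64` for 10.109.3.100), as an added example that is not part of the thread: helpers that turn controller addresses into the colon-hex form OpenBSD dhcpd accepts for a raw option number, decode a value back, and list what a dhcpd.conf actually hands out. The functions and the multi-controller generalisation (option 138 carries a list of IPv4 addresses) are my own; the conf fragment is the subnet block from the thread.

```python
"""Build and check OpenBSD dhcpd `option option-138` values for CAPWAP controllers.

Added example, not from the thread. OpenBSD's dhcpd has no named "capwap"
option, so the thread writes the raw option number with colon-separated hex
bytes (option option-138 A:6D:3:64; for 10.109.3.100). These helpers encode
one or more controller addresses that way (option 138, RFC 5417, carries a
list of IPv4 addresses), decode a value back, and extract what a dhcpd.conf
actually hands out so the setting can be audited. The conf fragment below is
the subnet block from the thread.
"""
import ipaddress
import re
from typing import List

CAPWAP_AC_V4 = 138  # DHCP option code: CAPWAP Access Controller IPv4 addresses

# Matches an uncommented option-138 line; the value is colon-separated hex bytes.
_OPT138 = re.compile(
    rf"^\s*option\s+option-{CAPWAP_AC_V4}\s+([0-9A-Fa-f]{{1,2}}(?::[0-9A-Fa-f]{{1,2}})*)\s*;",
    re.MULTILINE,
)

DHCPD_CONF_FRAGMENT = """\
subnet 10.109.3.0 netmask 255.255.255.0 {
option routers 10.109.3.254;
range 10.109.3.201 10.109.3.220;
#option option-138 10.109.3.100;
option option-138 A:6D:3:64;
"""


def encode_option_138(controllers: List[str]) -> str:
    """Dotted-quad controller addresses -> zero-padded colon-hex (C0:A8:01:6E)."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    raw = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return ":".join(f"{b:02X}" for b in raw)


def dhcpd_option_line(controllers: List[str]) -> str:
    """The complete dhcpd.conf statement for the given controllers."""
    return f"option option-{CAPWAP_AC_V4} {encode_option_138(controllers)};"


def decode_option_138(value: str) -> List[str]:
    """Colon-hex (padded or not, e.g. A:6D:3:64) -> list of dotted quads."""
    raw = bytes(int(part, 16) for part in value.strip().rstrip(";").split(":"))
    if not raw or len(raw) % 4:
        raise ValueError(f"option 138 payload must be a multiple of 4 bytes, got {len(raw)}")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def capwap_controllers_in_conf(conf: str) -> List[str]:
    """Controller addresses from every uncommented option-138 line in a dhcpd.conf."""
    found: List[str] = []
    for m in _OPT138.finditer(conf):
        found.extend(decode_option_138(m.group(1)))
    return found


if __name__ == "__main__":
    print(dhcpd_option_line(["10.109.3.100"]))
    print(capwap_controllers_in_conf(DHCPD_CONF_FRAGMENT))
```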



VLANs isolation

2021-07-13 Thread Radek
Hello,
I'm going to build a router with +40 vlans.
I need to block access from every vlan to each other (and then enable traffic 
between certain vlans as needed).

How can I do this? Is there any one liner pf block rule to do this?  
-- 
Radek



Re: VLANs isolation

2021-07-14 Thread Radek
Thank you Claudio for pointing me in the right direction.

My testing pf.conf seems to work as expected:
- vlan1002:network can ping vlan1003:network only
- vlan1003:network can't ping vlan1002:network
- there is no routing between other vlans

set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress vlan }
block all
pass in on egress inet proto tcp to egress port 22
pass out quick on egress inet
pass on vlan inet to !vlan
pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
block out on vlan received-on vlan

Any other pf tweaks and suggestions would be appreciated.

On Tue, 13 Jul 2021 12:25:32 +0200
Claudio Jeker  wrote:

> On Tue, Jul 13, 2021 at 11:34:28AM +0200, Radek wrote:
> > Hello,
> > I'm going to build a router with +40 vlans.
> > I need to block access from every vlan to each other (and then enable 
> > traffic between certain vlans as needed).
> > 
> > How can I do this? Is there any one liner pf block rule to do this?  
> 
> Not really but you can try:
> 
> block out on vlan received-on vlan
> 
> It really matters in how you want to build your filters (outbound or
> inbound filtering). Maybe it is better to just start with a block all rule
> and slowly allow traffic back. You can use interface groups and pf tags to
> help with rule writing.
> 
> -- 
> :wq Claudio
> 


-- 
Radek



NAT on CARP interface

2024-04-24 Thread Radek
Hi everyone,
it's a lab, the goal is redundant firewalls with CARP and PFSYNC, and I'm trying 
to configure the master box. On the LAN side I have created carp2 on the vlan2 
interface and it works as expected.
On the WAN side I can't figure out how to make NAT work on the carp0 interface.
Can someone tell me where I have the wrong or missing configuration?

OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# cat /etc/hostname.em1
-inet
up

# cat /etc/hostname.vlan2
-inet
vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up

# cat /etc/hostname.carp2
-inet
inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev vlan2 
pass test54321


# cat /etc/hostname.em0
-inet
up

# cat /etc/hostname.carp0
-inet
inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 
advskew 0 carpdev em0 pass test678


# cat /etc/pf.conf
ext_if = "carp0"
lan_if = "carp2"
pfsync_if = "em3"
internal_if = "vlan1010"
set skip on { lo0 vlan em3}
# pfsync and carp
pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
pass on { $internal_if } proto carp keep state (no-sync)
# nat
match out on $ext_if from $lan_if:network to any nat-to $ext_if
pass out

# pfctl -s rules
pass quick on em3 proto pfsync all
pass on vlan1010 proto carp all keep state (no-sync)
match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
pass out all flags S/SA

# route -n show
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
224/4  127.0.0.1  URS0   72 32768 8 lo0
10.0.2/24  10.0.2.254 UCn10 -19 carp2
10.0.2.201 18:03:73:b4:fa:c1  UHLc   011815 -18 carp2
10.0.2.254 00:00:5e:00:01:02  UHLl   0   36 - 1 carp2
10.0.2.255     10.0.2.254 UHb04 - 1 carp2
[snip]

Radek



Re: NAT on CARP interface

2024-04-25 Thread Radek
Thank you for all your hints.
 
> match out on egress from $lan_if:network to any nat-to (egress:0)
This rule doesn't work.

> ext_if=em0
> int_if=vlan2
> ext_carpIf=carp0
> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
This rule works as expected.


On Wed, 24 Apr 2024 17:14:49 -0400
Mike  wrote:

> This command should help but you may need to add some "log" to your rules:
> 
> tcpdump -nettti pflog0 will probably tell you.
> 
> I don't have a bsd VM around to test but your int_if and ext_if should
> still refer to the underlying interface, not the carp.
> 
> I'd change:
> 
> ext_if=em0
> int_if=vlan2
> ext_carpIf=carp0
> 
> match out on $ext_if inet from 10.0.2.0/24 to any nat-to $ext_carpIf
> 
> 
> 
> 
> 
> 
> On Wed, Apr 24, 2024, 4:50 PM Radek  wrote:
> 
> > Hi everyone,
> > it's a lab, the goal is a redundant firewalls with CARP and PFSYNC, I'm
> > trying to configure the master box. On the LAN side I have created carp2 on
> > vlan2 interface and it works as expected.
> > On the WAN side I can't figure out how to make NAT work on carp0 interface.
> > Can someone tell me where I have the wrong or missing configuration?
> >
> > OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > # cat /etc/hostname.em1
> > -inet
> > up
> >
> > # cat /etc/hostname.vlan2
> > -inet
> > vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up
> >
> > # cat /etc/hostname.carp2
> > -inet
> > inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev
> > vlan2 pass test54321
> >
> >
> > # cat /etc/hostname.em0
> > -inet
> > up
> >
> > # cat /etc/hostname.carp0
> > -inet
> > inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1
> > advskew 0 carpdev em0 pass test678
> >
> >
> > # cat /etc/pf.conf
> > ext_if = "carp0"
> > lan_if = "carp2"
> > pfsync_if = "em3"
> > internal_if = "vlan1010"
> > set skip on { lo0 vlan em3}
> > # pfsync and carp
> > pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
> > pass on { $internal_if } proto carp keep state (no-sync)
> > # nat
> > match out on $ext_if from $lan_if:network to any nat-to $ext_if
> > pass out
> >
> > # pfctl -s rules
> > pass quick on em3 proto pfsync all
> > pass on vlan1010 proto carp all keep state (no-sync)
> > match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
> > pass out all flags S/SA
> >
> > # route -n show
> > Routing tables
> >
> > Internet:
> > Destination    GatewayFlags   Refs  Use   Mtu  Prio
> > Iface
> > 224/4  127.0.0.1  URS0   72 32768 8 lo0
> > 10.0.2/24  10.0.2.254 UCn10 -19
> > carp2
> > 10.0.2.201 18:03:73:b4:fa:c1  UHLc   011815 -18
> > carp2
> > 10.0.2.254 00:00:5e:00:01:02  UHLl   0   36 - 1
> > carp2
> > 10.0.2.255 10.0.2.254 UHb04 - 1
> > carp2
> > [snip]
> >
> > Radek
> >
> >


Radek



Re: NAT on CARP interface

2024-04-28 Thread Radek
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work 
> as the rule you say works.
I made minor changes and tested the egress version.

ext_if = "em0"
ext_carpif = "carp0"
int_if = "carp2"
This rule works for me:
match out log on $ext_if from $int_if:network to any nat-to $ext_carpif

It seems it should work fine as well but it doesn't:
match out log on egress from $int_if:network to any nat-to $ext_carpif


On Thu, 25 Apr 2024 13:53:32 -0700
obs...@loopw.com wrote:

> 
> 
> > On Apr 25, 2024, at 10:36 AM, Radek  wrote:
> > 
> > Thank you for all your hints.
> > 
> >> match out on egress from $lan_if:network to any nat-to (egress:0)
> > This rule doesn't work.
> 
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work 
> as the rule you say works.
> 
> 
> fwiw, the $lan_if came from your configs existing “match”
> 
> https://www.openbsd.org/faq/pf/filter.html#syntax  - under “interface” you 
> can find out about “egress”.  I definitely prefer it to hard coding an 
> interface in yet another line of a pf.conf
> 
> I was presuming you didnt mind matching to $ext_if’s ip for new sessions 
> outbound, hence (egress:0).  Matching to the carp ip works.  (this is 
> basically a source nat rule in commercial-network-vendor speak)
> 
> 
> > 
> >> ext_if=em0
> >> int_if=vlan2
> >> ext_carpIf=carp0
> 
> >> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> > This rule works as expected.
> 


Radek



Re: NAT on CARP interface

2024-04-28 Thread Radek
> Nevertheless, writing egress or $ext_If, what difference does it really
> make? You're just repeating a different word. Lol
It doesn't make any difference for me. 

Being curious, I added em0 to the egress group and restarted all interfaces. However, 
em0 seems not to be in the egress group and the rule with egress still doesn't 
work: 
match out log on egress from $int_if:network to any nat-to $ext_carpif

# cat /etc/hostname.em0
-inet
group egress
up

# ifconfig em0
em0: flags=8b43 mtu 1500
lladdr 00:0d:b9:59:e0:90
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

# ifconfig egress
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
description: WAN_KRZ
index 7 priority 15 llprio 3
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
groups: carp egress
status: master
inet 10.0.15.216 netmask 0xff00 broadcast 10.0.15.255

# ifconfig carp0
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
description: WAN_KRZ
index 7 priority 15 llprio 3
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
groups: carp egress
status: master
inet 10.0.15.216 netmask 0xff00 broadcast 10.0.15.255

> Does that rule you posted error out or are you just seeing blocks with it?
Just seeing blocks.

> https://www.openbsd.org/faq/pf/filter.html#syntax
> 
> "The egress group, which contains the interface(s) that holds the default 
> route(s)."
So.. carp0 contains default route, carp0 is in egress group.
carp0 refers to em0.
But...
match out log on carp0... - doesn't work
match out log on egress... - doesn't work
match out log on em0... - works!
I don't know...

On Sun, 28 Apr 2024 13:44:05 -0400
Mike  wrote:

> Oh now I remember, you might need to add it to the egress interface group.
> 
> Does that rule you posted error out or are you just seeing blocks with it?
> 
> 
> On Sun, Apr 28, 2024, 12:49 PM Mike  wrote:
> 
> > If I remember right, you can run 'ifconfig' and see if that interface is
> > marked as an egress interface or not. I can't remember how OBSD determines
> > what interfaces are egress or not but your em0 seems to be in a private
> > network so it might not be classifying itself as egress.
> >
> > Nevertheless, writing egress or $ext_If, what difference does it really
> > make? You're just repeating a different word. Lol
> >
> > On Sun, Apr 28, 2024, 12:08 PM Radek  wrote:
> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> I made minor changes and tested the egress version.
> >>
> >> ext_if = "em0"
> >> ext_carpif = "carp0"
> >> int_if = "carp2"
> >> This rule works for me:
> >> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
> >>
> >> It seems it should work fine as well but it doesn't:
> >> match out log on egress from $int_if:network to any nat-to $ext_carpif
> >>
> >>
> >> On Thu, 25 Apr 2024 13:53:32 -0700
> >> obs...@loopw.com wrote:
> >>
> >> >
> >> >
> >> > > On Apr 25, 2024, at 10:36 AM, Radek  wrote:
> >> > >
> >> > > Thank you for all your hints.
> >> > >
> >> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
> >> > > This rule doesn't work.
> >> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> >
> >> >
> >> > fwiw, the $lan_if came from your configs existing “match”
> >> >
> >> > https://www.openbsd.org/faq/pf/filter.html#syntax  - under “interface”
> >> you can find out about “egress”.  I definitely prefer it to hard coding an
> >> interface in yet another line of a pf.conf
> >> >
> >> > I was presuming you didnt mind matching to $ext_if’s ip for new
> >> sessions outbound, hence (egress:0).  Matching to the carp ip works.  (this
> >> is basically a source nat rule in commercial-network-vendor speak)
> >> >
> >> >
> >> > >
> >> > >> ext_if=em0
> >> > >> int_if=vlan2
> >> > >> ext_carpIf=carp0
> >> >
> >> > >> match out on $ext_if inet from $int_if:network to any nat-to
> >> $ext_carpIf
> >> > > This rule works as expected.
> >> >
> >>
> >>
> >> Radek
> >>
> >>


Radek



How to announce over OSPF only one IP address

2023-02-04 Thread Radek
Hello,
is it possible to announce over OSPF only one (or a few specific) IP address 
instead of the whole subnet?
If yes.. an ospfd.conf example would be appreciated.

$ cat /etc/hostname.vr3
inet 10.1.111.1 255.255.255.0

$ cat /etc/ospfd.conf
router-id 10.109.3.15
redistribute connected

area 0.0.0.0 {
interface vr0
interface vr3
}

Thanks, 
Radek



Re: How to announce over OSPF only one IP address

2023-02-05 Thread Radek
Hello Diederik, hello Tom,
this is a simple lab/testing configuration, that's why there is no "passive" 
and other...
The purpose of this configuration is to allow access to certain IP address and 
restrict access to the rest of the subnet.
I can use PF to block/pass what I need... but I'm trying to make sure whether I can do 
it by announcing "not more than needed" over OSPF.

"redistribute 10.1.111.11/32" seems to be what I need, but probably I missed 
something, because this option doesn't work for me as expected.

$ cat /etc/ospfd.conf
router-id 10.109.3.15
redistribute 10.1.111.11/32

area 0.0.0.0 {
interface vr0
interface vr3
}

Then, I can still see/ping other IPs in 10.1.111.0/24 from the far end network.

On the far router I can see the whole subnet instead of something like 
"*O   32 10.1.111.11/24   10.109.3.15".

$ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*S        8 0.0.0.0/0            10.109.3.254
*O       32 10.1.111.0/24        10.109.3.15

Any clues?

On Sat, 4 Feb 2023 23:16:57 +
Tom Smyth  wrote:

> Hi Radek,
> 
> it is better practice to add ospf network statements to ospfd.conf
> (if you don't want to send / receive ospf messages on an interface set the
> interface to passive in ospfd.conf)
> avoid redistribute connected
> (add the network you want to be added to your ospf network) and leave the
> other network omitted from your ospfd.conf
> 
> 
> I hope this helps,
> 
> 
> On Sat, 4 Feb 2023 at 20:02, Radek  wrote:
> 
> > Hello,
> > is it possible to announce over OSPF only one (or a few specific) IP
> > address instead of the whole subnet?
> > If yes.. an ospfd.conf example would be appreciated.
> >
> > $ cat /etc/hostname.vr3
> > inet 10.1.111.1 255.255.255.0
> >
> > $ cat /etc/ospfd.conf
> > router-id 10.109.3.15
> > redistribute connected
> >
> > area 0.0.0.0 {
> > interface vr0
> > interface vr3
> > }
> >
> > Thanks,
> > Radek
> >
> >
> 
> -- 
> Kindest regards,
> Tom Smyth.


Radek



Re: How to announce over OSPF only one IP address

2023-02-06 Thread Radek
Hello,
> I’d check the databases on both sides.
> And flush/reload the config and fibs.
I reloaded and restarted OSPFd on both sides - nothing changes. Then, I 
rebooted routers on both sides - nothing changes.
I still can see/ping the whole 10.1.111.0/24 subnet from the far end.

[10.109.3.15]$ ospfctl show database router

Router Link States (Area 0.0.0.0)

LS age: 238
Options: -|-|-|-|-|-|E|-
LS Type: Router
Link State ID: 10.109.3.15
Advertising Router: 10.109.3.15
LS Seq Number: 0x8016
Checksum: 0x6d0a
Length: 48
Flags: *|*|*|*|*|-|E|-
Number of Links: 2

Link connected to: Stub Network
Link ID (Network ID): 10.1.111.0
Link Data (Network Mask): 255.255.255.0
Metric: 10

Link connected to: Transit Network
Link ID (Designated Router address): 10.109.3.16
Link Data (Router Interface address): 10.109.3.15
Metric: 10

LS age: 239
Options: -|-|-|-|-|-|E|-
LS Type: Router
Link State ID: 10.109.3.16
Advertising Router: 10.109.3.16
LS Seq Number: 0x8016
Checksum: 0xb058
Length: 36
Flags: *|*|*|*|*|-|E|-
Number of Links: 1

Link connected to: Transit Network
Link ID (Designated Router address): 10.109.3.16
Link Data (Router Interface address): 10.109.3.16
Metric: 10


[10.109.3.16]$ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination  Nexthop
*S        8 0.0.0.0/0        10.109.3.254
*O       32 10.1.111.0/24    10.109.3.15


On Sun, 5 Feb 2023 22:20:07 +0100
Diederik Schouten  wrote:

> Hello,
> 
> I’d check the databases on both sides.
> And flush/reload the config and fibs.
> Then check again which link state advertisements are in the database.
> To make sure you now get the /32 advertised.
> 
> Sent from my iPhone
> 
> > On 5 Feb 2023, at 21:15, Radek  wrote:
> > 
> > Hello Diederik, hello Tom,
> > this is a simple lab/testing configuration, that's why there is no 
> > "passive" and other...
> > The purpose of this configuration is to allow access to certain IP address 
> > and restrict access to the rest of the subnet.
> > I can use PF to block/pass what I need... but I'm trying to make sure I can 
> > do it by announcing "not more than needed" over OSPF.
> > 
> > "redistribute 10.1.111.11/32" seems to be what I need, but probably I 
> > missed something, because this option doesn't work for me as expected.
> > 
> > $ cat /etc/ospfd.conf
> > router-id 10.109.3.15
> > redistribute 10.1.111.11/32
> > 
> > area 0.0.0.0 {
> >interface vr0
> >interface vr3
> > }
> > 
> > Then, I can still see/ping other IPs in 10.1.111.0/24 from the far end 
> > network.
> > 
> > On the far router I can see the whole subnet instead of something like
> > "*O   32 10.1.111.11/24   10.109.3.15".
> > 
> > $ ospfctl show fib
> > flags: * = valid, O = OSPF, C = Connected, S = Static
> > Flags  Prio Destination  Nexthop
> > *S        8 0.0.0.0/0        10.109.3.254
> > *O       32 10.1.111.0/24    10.109.3.15
> > 
> > Any clues?
> > 
> >> On Sat, 4 Feb 2023 23:16:57 +
> >> Tom Smyth  wrote:
> >> 
> >> Hi Radek,
> >> 
> >> it is better practice to add ospf network statements to ospfd.conf
> >> (if you don't want to send / receive ospf messages on an interface set the
> >> interface to passive in ospfd.conf)
> >> avoid redistribute connected
> >> (add the network you want to be added to your ospf network) and leave the
> >> other network omitted from your ospfd.conf
> >> 
> >> 
> >> I hope this helps,
> >> 
> >> 
> >>> On Sat, 4 Feb 2023 at 20:02, Radek  wrote:
> >>> 
> >>> Hello,
> >>> is it possible to announce over OSPF only one (or a few specific) IP
> >>> address instead of the whole subnet?
> >>> If yes.. an ospfd.conf example would be appreciated.
> >>> 
> >>> $ cat /etc/hostname.vr3
> >>> inet 10.1.111.1 255.255.255.0
> >>> 
> >>> $ cat /etc/ospfd.conf
> >>> router-id 10.109.3.15
> >>> redistribute connected
> >>> 
> >>> area 0.0.0.0 {
> >>>interface vr0
> >>>interface vr3
> >>> }
> >>> 
> >>> Thanks,
> >>> Radek
> >>> 
> >>> 
> >> 
> >> -- 
> >> Kindest regards,
> >> Tom Smyth.
> > 
> > 
> > Radek
> > 
> 


Radek



Re: How to announce over OSPF only one IP address

2023-02-08 Thread Radek
Hello Bradley,
thank you, your setup works the way I need.

I can't manage to add the static route permanently. I have to add the static 
route by hand (route add 10.1.111.11/32 10.1.111.1) after reboot. 
Did I miss something?

[10.109.3.15] $ cat /etc/hostname.vr0
-inet
dhcp
#inet 10.109.3.15 255.255.255.0
!sleep 60
!route add 10.1.111.11/32 10.1.111.1

After reboot it looks like this:

[10.109.3.15] $ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.109.3.254       UGS        5       15     -     8 vr0
224/4              127.0.0.1          URS        0       59 32768     8 lo0
10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
10.1.111/24        10.1.111.1         UCn        1        0     -     4 vr3
10.1.111.1         00:00:24:cb:4f:cf  UHLl       0        3     -     1 vr3
10.1.111.11        00:00:24:cb:4f:d0  UHLc       0        2     -     3 vr3
10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
10.1.222/24        10.109.3.16        UG         0        0     -    32 vr0
10.109.3/24        10.109.3.15        UCn        3       40     -     4 vr0
10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       29     -     3 vr0
10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       13     -     1 vr0
10.109.3.16        00:00:24:cd:90:10  UHLch      1       26     -     3 vr0
10.109.3.254       00:0d:b9:35:39:29  UHLch      1       31     -     3 vr0
10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0


On Tue, 7 Feb 2023 17:54:27 +1100
Bradley Latus  wrote:

> Hi all,
> 
> I have done an experiment.
> 
> If your interface is part of an area, it will be advertised always.
> 
> If you wanted to advertise only /32 this is how I got mine to work.
> Ensure your interface vr3 is not in your ospf area
> 
> Add a static route to the one you wish to advertise, it appears that unless
> a route exists on the machine you cannot redistribute a random ip.
> 
> So  route add 10.1.111.11/32 10.1.111.1
> 
> Then you can redistribute your /32
> 
> 
> 
> router-id 10.109.3.15
> redistribute 10.1.111.11/32
> 
> area 0.0.0.0 {
>   interface vr0
> }
> 
> 
> 
> On Tue, 7 Feb 2023, 02:46 Radek,  wrote:
> 
> > Hello,
> > > I’d check the databases on both sides.
> > > And flush/reload the config and fibs.
> > I reloaded and restarted OSPFd on both sides - nothing changes. Then, I
> > rebooted routers on both sides - nothing changes.
> > I still can see/ping the whole 10.1.111.0/24 subnet from the far end.
> >
> > [10.109.3.15]$ ospfctl show database router
> >
> > Router Link States (Area 0.0.0.0)
> >
> > LS age: 238
> > Options: -|-|-|-|-|-|E|-
> > LS Type: Router
> > Link State ID: 10.109.3.15
> > Advertising Router: 10.109.3.15
> > LS Seq Number: 0x8016
> > Checksum: 0x6d0a
> > Length: 48
> > Flags: *|*|*|*|*|-|E|-
> > Number of Links: 2
> >
> > Link connected to: Stub Network
> > Link ID (Network ID): 10.1.111.0
> > Link Data (Network Mask): 255.255.255.0
> > Metric: 10
> >
> > Link connected to: Transit Network
> > Link ID (Designated Router address): 10.109.3.16
> > Link Data (Router Interface address): 10.109.3.15
> > Metric: 10
> >
> > LS age: 239
> > Options: -|-|-|-|-|-|E|-
> > LS Type: Router
> > Link State ID: 10.109.3.16
> > Advertising Router: 10.109.3.16
> > LS Seq Number: 0x8016
> > Checksum: 0xb058
> > Length: 36
> > Flags: *|*|*|*|*|-|E|-
> > Number of Links: 1
> >
> > Link connected to: Transit Network
> > Link ID (Designated Router address): 10.109.3.16
> > Link Data (Router Interface address): 10.109.3.16
> > Metric: 10
> >
> >
> > [10.109.3.16]$ ospfctl show fib
> > flags: * = valid, O = OSPF, C = Connected, S = Static
> > Flags  Prio Destination  Nexthop
> > *S        8 0.0.0.0/0        10.109.3.254
> > *O       32 10.1.111.0/24    10.109.3.15
> >
> >
> > On Sun, 5 Feb 2023 22:20:07 +0100
> > Diederik Schouten  wrote:
> >
> > > Hello,
> > >
> > > I’d check the databases on both sides.
> > > And flush/reload the config and fibs.
> > > Then check again which link state a

Re: How to announce over OSPF only one IP address

2023-02-09 Thread Radek
Hello Bradley,
if I add that route to /etc/hostname.vr3 I have no access to 10.1.111.11, even 
from the local router.
After reboot I have to delete and add that route again by hand to make 
everything work (sometimes I have to repeat delete/add a few times to make it 
work). It's 7.2/i386.
Any idea?

[10.109.3.15] $ cat /etc/hostname.vr3
inet 10.1.111.1 255.255.255.0
!sleep 60
!route add 10.1.111.11 10.1.111.1 

[10.109.3.15] $ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.109.3.254       UGS        5       10     -     8 vr0
224/4              127.0.0.1          URS        0       56 32768     8 lo0
10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
10.1.111/24        10.1.111.1         UCn        0        0     -     4 vr3
10.1.111.1         00:00:24:cb:4f:cf  UHLhl      1        2     -     1 vr3
10.1.111.11        10.1.111.1         UGHS       0      104     -     8 vr3
10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
10.1.222/24        10.109.3.16        UG         0        0     -    32 vr0
10.109.3/24        10.109.3.15        UCn        3       18     -     4 vr0
10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       11     -     3 vr0
10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       13     -     1 vr0
10.109.3.16        00:00:24:cd:90:10  UHLch      1       11     -     3 vr0
10.109.3.254       00:0d:b9:35:39:29  UHLch      1       16     -     3 vr0
10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0

then...
[10.109.3.15] $ route delete 10.1.111.11 10.1.111.1
delete host 10.1.111.11: gateway 10.1.111.1
[10.109.3.15] $ route add 10.1.111.11 10.1.111.1
add host 10.1.111.11: gateway 10.1.111.1

[10.109.3.15] $ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.109.3.254       UGS        5       11     -     8 vr0
224/4              127.0.0.1          URS        0      137 32768     8 lo0
10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
10.1.111/24        10.1.111.1         UCn        1        0     -     4 vr3
10.1.111.1         00:00:24:cb:4f:cf  UHLhl      1       15     -     1 vr3
10.1.111.11        00:00:24:cb:4f:d0  UHLc       0      172     -     3 vr3
10.1.111.11        10.1.111.1         UGHS       0        0     -     8 vr3
10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
10.1.222/24        10.109.3.16        UG         0      170     -    32 vr0
10.109.3/24        10.109.3.15        UCn        3       28     -     4 vr0
10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       22     -     3 vr0
10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       24     -     1 vr0
10.109.3.16        00:00:24:cd:90:10  UHLch      1       33     -     3 vr0
10.109.3.254       00:0d:b9:35:39:29  UHLch      1       24     -     3 vr0
10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0



On Thu, 9 Feb 2023 07:47:33 +1100
Bradley Latus  wrote:

> Hi,
> I see a small mistake
> 
> You need to add that route to vr3 interface when you bring it up,  vr0 will
> most likely be up before vr3 so that is why your route adding in the
> hostname.vr0 is wrong.
> 
> Cheers
> 
> On Thu, 9 Feb 2023, 01:36 Radek,  wrote:
> 
> > Hello Bradley,
> > thank you, your setup works the way I need.
> >
> > I can't deal with adding the static route permanently. I have to add the
> > static route by hand (route add 10.1.111.11/32 10.1.111.1) after reboot.
> > Did I missed something?
> >
> > [10.109.3.15] $ cat /etc/hostname.vr0
> > -inet
> > dhcp
> > #inet 10.109.3.15 255.255.255.0
> > !sleep 60
> > !route add 10.1.111.11/32 10.1.111.1
> >
> > After reboot it looks like this:
> >
> > [10.109.3.15] $ route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > default            10.109.3.254       UGS        5       15     -     8 vr0
> > 224/4              127.0.0.1          URS        0       59 32768     8 lo0
> > 10.1.10

Re: How to announce over OSPF only one IP address

2023-02-17 Thread Radek
Hello Bradley,

> It will look silly but maybe it works?
It looks silly, but it works well, thank you.

[10.109.3.15] $ cat /etc/hostname.vr0
-inet
inet 10.109.3.15 255.255.255.0

[10.109.3.15] $ cat /etc/hostname.vr3
inet 10.1.111.1 255.255.255.0
!route add 10.1.111.11 10.1.111.11
!route add 10.1.111.16 10.1.111.16

[10.109.3.15] $ cat /etc/ospfd.conf
router-id 10.109.3.15
#redistribute connected
redistribute 10.1.111.11/32
redistribute 10.1.111.16/32

area 0.0.0.0 {
interface vr0
}

At the far end it looks as follows.

[10.109.3.16] $ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination  Nexthop
*S        8 0.0.0.0/0        10.109.3.254
*O       32 10.1.111.11/32   10.109.3.15
*O       32 10.1.111.16/32   10.109.3.15
 C        4 10.1.200.0/24    10.1.200.1
 C        4 10.1.222.0/24    10.1.222.1
*C        4 10.109.3.0/24    10.109.3.16
*C        0 127.0.0.0/8      link#0
*S        8 127.0.0.0/8      127.0.0.1
*         1 127.0.0.1/32     127.0.0.1
*S        8 224.0.0.0/4      127.0.0.1


On Fri, 10 Feb 2023 11:24:50 +1100
Bradley Latus  wrote:

> Hello
> 
> Maybe try doing the IP of the host you want to go to?
> 
> It will look silly but maybe it works?
> 
> Aka
> !route add 10.1.111.11 10.1.111.11
> 
> That worked on my attempt even without sleeping
> 
> See if that helps.
> 
> 
> 
> 
> On Thu, 9 Feb 2023, 22:59 Radek,  wrote:
> 
> > Hello Bradley,
> > if I add that route to /etc/hostname.vr3 I have no access to 10.1.111.11,
> > even from the local router.
> > After reboot I have to delete and add that route again by hand to make
> > everything work (sometimes I have to repeat delete/add few times to make it
> > work). It's 7.2/i386.
> > Any idea?
> >
> > [10.109.3.15] $ cat /etc/hostname.vr3
> > inet 10.1.111.1 255.255.255.0
> > !sleep 60
> > !route add 10.1.111.11 10.1.111.1
> >
> > [10.109.3.15] $ route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > default            10.109.3.254       UGS        5       10     -     8 vr0
> > 224/4              127.0.0.1          URS        0       56 32768     8 lo0
> > 10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
> > 10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
> > 10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
> > 10.1.111/24        10.1.111.1         UCn        0        0     -     4 vr3
> > 10.1.111.1         00:00:24:cb:4f:cf  UHLhl      1        2     -     1 vr3
> > 10.1.111.11        10.1.111.1         UGHS       0      104     -     8 vr3
> > 10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
> > 10.1.222/24        10.109.3.16        UG         0        0     -    32 vr0
> > 10.109.3/24        10.109.3.15        UCn        3       18     -     4 vr0
> > 10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       11     -     3 vr0
> > 10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       13     -     1 vr0
> > 10.109.3.16        00:00:24:cd:90:10  UHLch      1       11     -     3 vr0
> > 10.109.3.254       00:0d:b9:35:39:29  UHLch      1       16     -     3 vr0
> > 10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
> > 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> > 127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0
> >
> > then...
> > [10.109.3.15] $ route delete 10.1.111.11 10.1.111.1
> > delete host 10.1.111.11: gateway 10.1.111.1
> > [10.109.3.15] $ route add 10.1.111.11 10.1.111.1
> > add host 10.1.111.11: gateway 10.1.111.1
> >
> > [10.109.3.15] $ route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > default            10.109.3.254       UGS        5       11     -     8 vr0
> > 224/4              127.0.0.1          URS        0      137 32768     8 lo0
> > 10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
> > 10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
> > 10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
> > 10.1.111/24        10.1.111.1         UCn        1        0     -     4 vr3
> > 10.1.111.1         00:00:24:cb:4f:cf  UHLhl      1       15     -     1 vr3
> > 10.1.111.11        00:00:24:cb:4f:d0  UHLc       0      172     -     3 vr3
> > 10.1.111.11        10.1.111.1         UGHS 
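
An added check for the outcome of this thread (my code, not from the thread or from OpenBSD): it parses the far-end "ospfctl show fib" text, verifies that only the intended /32 hosts were learned from the router, and renders the hostname.if and ospfd.conf fragments the thread ended up with. The sample fib text is constructed from the values in the thread; render_config and its arguments are my own helper, not an ospfd feature.

```python
"""Verify that an OpenBSD ospfd router announces only the intended /32 hosts.

Added example, not code from the misc@ thread.  It parses "ospfctl show fib"
output in the format shown in the thread, lists what the far-end router
learned via OSPF from a given next hop, and compares that with an allowlist
of host addresses, so the "whole /24 leaked" case is caught.  It also renders
the hostname.if / ospfd.conf lines the thread settled on.  All sample output
below is constructed from the thread's values.
"""
import ipaddress
import re
from dataclasses import dataclass

# One fib row: 2-char flags column (valid marker + protocol letter), prio,
# destination prefix, next hop.  The legend and header lines do not match.
FIB_LINE = re.compile(
    r"^(?P<valid>[* ])(?P<proto>[OCS ])\s*(?P<prio>\d+)\s+"
    r"(?P<dest>\S+)\s+(?P<nexthop>\S+)\s*$"
)


@dataclass(frozen=True)
class FibEntry:
    valid: bool
    proto: str  # "O" = OSPF, "C" = connected, "S" = static, "" = other
    prio: int
    dest: ipaddress.IPv4Network
    nexthop: str


def parse_fib(text: str) -> list[FibEntry]:
    """Parse "ospfctl show fib" output into FibEntry records."""
    entries = []
    for line in text.splitlines():
        m = FIB_LINE.match(line)
        if not m:
            continue
        entries.append(FibEntry(
            valid=m.group("valid") == "*",
            proto=m.group("proto").strip(),
            prio=int(m.group("prio")),
            dest=ipaddress.ip_network(m.group("dest"), strict=False),
            nexthop=m.group("nexthop"),
        ))
    return entries


def _sorted(nets):
    return sorted(nets, key=lambda n: (n.network_address, n.prefixlen))


def ospf_learned_from(entries, nexthop):
    """Valid OSPF prefixes whose next hop is the router under test."""
    return _sorted(e.dest for e in entries
                   if e.valid and e.proto == "O" and e.nexthop == nexthop)


def check_announcements(fib_text, nexthop, allowed_hosts):
    """Compare what was learned from `nexthop` with the allowed /32 hosts.

    Returns (ok, unexpected, missing).  A leaked /24 lands in `unexpected`
    because prefixes are compared exactly, not by containment.
    """
    allowed = {ipaddress.ip_network(f"{h}/32") for h in allowed_hosts}
    learned = set(ospf_learned_from(parse_fib(fib_text), nexthop))
    unexpected = _sorted(learned - allowed)
    missing = _sorted(allowed - learned)
    return (not unexpected and not missing, unexpected, missing)


def render_config(router_id, wan_if, lan_if, lan_addr, lan_mask, hosts):
    """Render the two files from the thread's working setup (helper of mine).

    The LAN interface is left out of the area (an interface in the area is
    always advertised as a whole), each host gets a static route via itself
    so ospfd has a route to redistribute, and only /32s are redistributed.
    """
    hostname_if = [f"inet {lan_addr} {lan_mask}"]
    hostname_if += [f"!route add {h} {h}" for h in hosts]
    ospfd = [f"router-id {router_id}"]
    ospfd += [f"redistribute {h}/32" for h in hosts]
    ospfd += ["", "area 0.0.0.0 {", f"\tinterface {wan_if}", "}"]
    return {f"/etc/hostname.{lan_if}": "\n".join(hostname_if) + "\n",
            "/etc/ospfd.conf": "\n".join(ospfd) + "\n"}


# Constructed far-end fib before the fix: the whole 10.1.111.0/24 is learned.
FIB_BEFORE = """\
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination  Nexthop
*S        8 0.0.0.0/0        10.109.3.254
*O       32 10.1.111.0/24    10.109.3.15
"""

# Constructed far-end fib after the fix: only the two /32 hosts are learned.
FIB_AFTER = """\
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination  Nexthop
*S        8 0.0.0.0/0        10.109.3.254
*O       32 10.1.111.11/32   10.109.3.15
*O       32 10.1.111.16/32   10.109.3.15
 C        4 10.1.200.0/24    10.1.200.1
*C        4 10.109.3.0/24    10.109.3.16
*         1 127.0.0.1/32     127.0.0.1
"""

if __name__ == "__main__":
    hosts = ["10.1.111.11", "10.1.111.16"]
    for name, text in (("before", FIB_BEFORE), ("after", FIB_AFTER)):
        ok, extra, missing = check_announcements(text, "10.109.3.15", hosts)
        print(f"{name}: ok={ok} unexpected={extra} missing={missing}")
    for path, body in render_config("10.109.3.15", "vr0", "vr3",
                                    "10.1.111.1", "255.255.255.0", hosts).items():
        print(f"--- {path}\n{body}")
```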

[7.3/i386] pf-badhost - Illegal instruction (core dumped)

2023-05-25 Thread Radek
Hello,
I am getting the following error message when I try to run pf-badhost script 
[1] at fresh install 7.3/i386. Have I missed something?

1. https://www.geoghegan.ca/pub/pf-badhost/latest/install/openbsd.txt

test73# doas -u _pfbadhost pf-badhost -O openbsd
doas (r...@test73.my.domain) password:
Illegal instruction
Illegal instruction
Illegal instruction
Illegal instruction
Illegal instruction
Illegal instruction
Illegal instruction (core dumped)
Illegal instruction (core dumped)
Illegal instruction (core dumped)
Illegal instruction (core dumped)

No blocklist changes...
Illegal instruction (core dumped)

pf-badhost:
IPv4 addresses in table:  0


Radek



Re: [7.3/i386] pf-badhost - Illegal instruction (core dumped)

2023-05-30 Thread Radek
Hello and sorry for the late reply,

> Did you contact the individual who provides the pf-badhost script?  He has always 
> responded to me when I contacted him.
No, I didn't. Jordan shared his scripts here, I hope he reads misc@. 

> what program dumped core?
Some parts of [1]. How can I determine which lines do it?

> dmesg?
OpenBSD 7.3 (GENERIC) #0: Wed May 24 13:42:36 CEST 2023
r...@test73.my.domain:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 536363008 (511MB)
avail mem = 509431808 (485MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz, 05-0a-02
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:00:24:cb:4f:c8
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 00:00:24:cb:4f:c9
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 00:00:24:cb:4f:ca
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:00:24:cb:4f:cb
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbc0: unable to establish interrupt for irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (660c82c04771c00d.a) swap on wd0b dump on wd0b



On Thu, 25 May 2023 18:17:49 - (UTC)
Stuart Henderson  wrote:

> On 2023-05-25, Radek  wrote:
> > Hello,
> > I am getting the following error message when I try to run pf-badhost 
> > script [1] at fresh install 7.3/i386. Have I missed something?
> >
> > 1. https://www.geoghegan.ca/pub/pf-badhost/latest/install/openbsd.txt
> >
> > test73# doas -u _pfbadhost pf-badhost -O openbsd
> > doas (r...@test73.my.domain) password:
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction (core dumped)
> > Illegal instruction (core dumped)
> > Illegal instruction (core dumped)
> > Illegal instruction (core dumped)
> >
> > No blocklist changes...
> > Illegal instruction (core dumped)
> 
> dmesg?
> 
> what program dumped core?
> 
> 


Radek



Re: [7.3/i386] pf-badhost - Illegal instruction (core dumped)

2023-06-01 Thread Radek
Hello Diana,
> I realize he shared it here, but this is an OpenBSD mailing list.  I strongly 
> suggest you contact the author, don't just "hope" he regularly monitors this 
> list.
> 
> I've contacted him before at his email address and he was very prompt in 
> reply.

If I don't solve the problem here (public list) I'll contact Jordan.


On Tue, 30 May 2023 19:29:33 -0600
"deich...@placebonol.com"  wrote:

> I realize he shared it here, but this is an OpenBSD mailing list.  I strongly 
> suggest you contact the author, don't just "hope" he regularly monitors this 
> list.
> 
> I've contacted him before at his email address and he was very prompt in 
> reply.
> 
> 73
> diana 
> KI5PGJ 
> 
> On May 30, 2023 8:05:04 AM MDT, Radek  wrote:
> >Hello and sorry for the late reply,
> >
> >> Did you contact the individual who provides the pf-badhost script?  He has 
> >> always responded to me when I contacted him.
> >No, I didn't. Jordan shared his scripts here, I hope he reads misc@. 
> >
> 


Radek



Re: [7.3/i386] pf-badhost - Illegal instruction (core dumped)

2023-06-01 Thread Radek
Hello Stuart,

> What is the name of the core dump file?
Actually there isn't any .core file.
test73# find / -name '*.core'
test73#


On Tue, 30 May 2023 14:41:37 - (UTC)
Stuart Henderson  wrote:

> On 2023-05-30, Radek  wrote:
> > Hello and sorry for the late reply,
> >
> >> Did you contact the individual who provides the pf-badhost script?  He has 
> >> always responded to me when I contacted him.
> > No, I didn't. Jordan shared his scripts here, I hope he reads misc@. 
> >
> >> what program dumped core?
> > Some parts of [1]. How can I determine which lines do it?
> 
> pf-badhost is a fairly large ksh script which calls a bunch of various
> other programs depending on what's present (3 different awks, 4
> different file fetching tools, 3 search tools, etc).
> 
> It isn't likely to be the script itself which is SIGILLing but one of those
> other programs.
> 
> What is the name of the core dump file?
> 
> >> dmesg?
> > cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz, 05-0a-02
> > cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> 
> so no SSE, etc.
> 
> 


Radek



Re: [7.3/i386] pf-badhost - Illegal instruction (core dumped)

2023-06-05 Thread Radek
Just realized that if I edit the subject it will create a new thread in 
marc.info.
So.. closing the thread, the solution is here:
https://marc.info/?l=openbsd-misc&m=168594789107213&w=2
Sorry for the mess.

On Sat, 3 Jun 2023 17:37:08 -0500
Andrew Daugherity  wrote:

> Unfortunately it looks like sh -x does not trace into functions, and
> it is something inside "main" which is crashing:
> 
> > > set -x or something.
> > Sorry, I should have started with that.
> >
> > test73# doas -u _pfbadhost pf-badhost -O openbsd
> > [ ... ]
> > + command -v typeset
> > + > /dev/null
> > + 2>&1
> > + main -O openbsd
> > Illegal instruction
> > [ ... ]
> > Illegal instruction (core dumped)
> >
> > No blocklist changes...
> > Illegal instruction (core dumped)
> 
> Both sh and ksh seem to behave that way, but bash will trace inside
> functions.  Try calling the script with 'bash -x' and hopefully you
> can pinpoint which binary called by main() is crashing.
> 
> -Andrew
> 


Radek



Re: SOLVED [7.3/i386] pf-badhost - Illegal instruction (core dumped)

2023-06-12 Thread Radek
Hello,
> Either build from ports with the MODCARGO_RUSTFLAGS line changed to this:
> 
> MODCARGO_RUSTFLAGS =  -C debuginfo=0 -C target-cpu=i586
I get some errors trying to build it from ports: 
===>  Configuring for ripgrep-13.0.0p3
Illegal instruction (core dumped)
*** Error 132 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2921 'do-configure': @mkdir -p /usr/ports/pobj/ripgrep-13.0.0/.cargo;   echo "[...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2941 '/usr/ports/pobj/ripgrep-13.0.0/build-i386/.configure_done': @cd /usr/ports/...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2132 '/usr/ports/packages/i386/all/ripgrep-13.0.0p3.tgz': @cd /usr/ports/textproc...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2621 '_internal-package': @case X${_DEPENDS_CACHE} in  X) _DEPENDS_CACHE=$( mktem...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2600 'package': @:; cd /usr/ports/textproc/ripgrep && PKGPATH=textproc/ripgrep ma...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2153 '/var/db/pkg/ripgrep-13.0.0p3/+CONTENTS': @cd /usr/ports/textproc/ripgrep &&...)
*** Error 2 in /usr/ports/textproc/ripgrep (/usr/ports/infrastructure/mk/bsd.port.mk:2600 'install': @lock=ripgrep-13.0.0p3;  export _LOCKS_...)
test73#


> or try the binary at https://junkpile.org/rg
This binary causes core dumps too.

On Mon, 5 Jun 2023 12:43:53 - (UTC)
Stuart Henderson  wrote:

> On 2023-06-05, Radek  wrote:
> > RipGrep caused my issue. When I replaced ripgrep with ggrep the script 
> > started to work fine.
> 
> Can you try a new ripgrep binary built with a different target-cpu type
> for me please? The default for the rust compiler is to use SSE instructions
> which aren't present on your Alix.
> 
> Either build from ports with the MODCARGO_RUSTFLAGS line changed to this:
> 
> MODCARGO_RUSTFLAGS =  -C debuginfo=0 -C target-cpu=i586
> 
> or try the binary at https://junkpile.org/rg
> 
> If this helps then it might be a good idea to change the default in
> lang/rust/patches/patch-compiler_rustc_target_src_spec_i686_unknown_openbsd_rs
> so that other rust programs are compiled that way (currently it uses
> "pentiumpro" which I understand disables SSE2 but not SSE).
> 
> 


Radek



npppd sessions log

2013-08-13 Thread Radek
Hi @misc, 

I can't find any way/option to log npppd sessions on a VPN gateway. 
What I need to log: 
- username
- user's source_IP
- user's VPN_internal_IP
- session start_time
- session end_time

Current npppd sessions I can see via "npppctl session all/brief" but I need a 
history log.

Thanks for help,
Radek 



Re: npppd sessions log

2013-08-13 Thread Radek
It was my fault. 
I started "npppd -d" (for test only), so logs went to stdout and there was 
nothing in /var/log/*. 
If I start it as a daemon, session logs go to /var/log/daemon and 
/var/log/messages.

>I do accounting, as well as authentication, by help of radius server.
VPN with RADIUS  - it's in my TODO list.
Thanks!

On Tue, 13 Aug 2013 07:33:20 -0500
Vijay Sankar  wrote:

> Quoting Radek :
> 
> > Hi @misc,
> >
> > I can't find any way/option to log npppd sessions on a VPN gateway.
> > What I need to log:
> > - username
> > - user's source_IP
> > - user's VPN_internal_IP
> > - session start_time
> > - session end_time
> >
> > Current npppd sessions I can see via "npppctl session all/brief" but  
> > I need a history log.
> >
> > Thanks for help,
> > Radek
> >
> >
> 
> /var/log/messages or /var/log/daemon has all those details.
> 
> 
> 
> Vijay Sankar, M.Eng., P.Eng.
> ForeTell Technologies Limited
> vsan...@foretell.ca
> 
> -
> This message was sent using ForeTell-POST 4.9
> 
> 
Radek



Re: ikev2 and road warriors setup

2018-11-30 Thread Radek
Hello, 

Thank you all for your time and your help in this matter!
I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates. 
I have moved the VPN server and clients out of A.B.C.0/23. They can connect pretty 
fine using CA now. Clients from A.B.C.0/23 still can NOT connect to the VPN serv.
Site-to-Site VPN is doing its job.

The road_warriors (Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use 
default gateway on remote network" is set. 
I need to make road_warriors:
- reach GW88_LAN_machines 192.168.2.254/24 
- reach GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
- use their own gateway for the rest of the traffic - unticked 
"use default gateway on remote network".
 
I was playing around with iked.conf and pf.conf but I did not find a way to 
make it work.
I would be grateful if anyone could help me with that.

My network diagram and configs of GW88:

GW88$ cat /etc/hostname.enc0 
inet 10.0.1.254 255.255.255.0

GW88$ cat /etc/iked.conf
#
ikev2 "roadWarrior" passive esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.0/24 
#
#
remote_gw_GW119 = "1.2.3.119" # fw_GW119   
remote_lan_GW119_1  = "172.16.1.0/24"
remote_lan_GW119_2  = "172.16.2.0/24"

local_gw_GW88_2  = "192.168.2.254"
local_lan_GW88_2 = "192.168.2.0/24"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
psk "pkspass"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
psk "pskpass"


GW88$ cat /etc/pf.conf
set skip on {lo, enc}

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)

match out on egress from lan:network to any nat-to egress

block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

table  persist counters
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags 
S/SA \
 set prio (6, 7) keep state \
 (max-src-conn 15, max-src-conn-rate 2/10, overload  flush 
global)

icmp_types  = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types



                 +-----------------+
                 | road_warrior    |
             +---+ 10.0.1.0/24     |
             |   +-----------------+
             |
           ikev2
             |
             v
       4.5.6.88                                  1.2.3.119
    +-----------+                             +-----------+
    |   GW88    | <--- site-to-site VPN --->  |   GW119   |
    +-----+-----+                             +-----+-----+
          |                                         |
          +---- 192.168.1.254/24                    |
          |                                         |
          |                        172.16.1.254/24 -+
          |                                         |
          +-----+---- 192.168.2.254/24              |
          |     |                                   |
          |     |   +-------------+                 |
          |     +---+ 192.168.2.1 | 172.16.2.254/24 -+
          |         +-------------+
          |
          +---- 192.168.3.254/24

Thanks!

On Thu, 8 Nov 2018 14:04:23 +0100
Radek  wrote:

> I've been playing around with netcat. 
> I noticed that the netcat process on my VPN_server does not show any "X" on 
> stdout for ports 4500 and 1701.
> 
> May it be relevant to my VPN issue?
> 
> VPN_serv is A.B.C.77/23 (it is not behind NAT):
> 
> $ pfctl -s rules
> pass all flags S/SA
> 
> $ nc -u -l 500
> 
> 
> X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> A.B.C.69/23$ nc -vuz A.B.C.77 4500
> $ nc -u -l 4500
> NOTHING IS HERE
> 
> $ nc -u -l 4499
> 
> 
> $ nc -u -l 4501
> 
> 
> X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> A.B.C.69/23$ nc -vuz A.B.C.77 1701
> $ nc -u -l 1701
> NOTHING IS HERE
> 
> $ nc -u -l 22
> 
> 
> $ nc -u -l 1234
> 
> 
> On Wed, 7 Nov 2018 12:17:09 +0100
> Radek  wrote:
> 
> > Yesterday I tried this scenario:
> > 
> > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > VPN_IKEv2 - A.B.C.77/23, not NATed
> > 
> > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was having 
> > two active VPN conn in one time.
> > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working 
> > fine. 
> > 
> > When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting 
> > VPN_L2TP - I got 809.
> > 
> > Removing home_router which is between Win7_warrior and 1.2.3.119 does not 
> > 

Re: iked : pf.conf rule for outgoing traffic

2018-12-07 Thread Radek
> I'm confused how to replace "$some_address". Isn't it "(egress)" ?
"(egress)" or your_WAN_IP

On Fri, 7 Dec 2018 10:00:07 +0100
Thuban  wrote:

> * Stuart Henderson  le [06-12-2018 13:44:50 +]:
> > On 2018-12-06, Thuban  wrote:
> > > * Thuban  le [02-12-2018 19:16:09 +0100]:
> > >> Hi,
> > >> I need help to write a correct rule in pf.conf.
> > >> 
> > >> I want : 
> > >> 
> > >> A ->  B --> web
> > >> 
> > >> The appearing IP of A is the B's one on the web.
> > >> 
> > >> I managed to configure iked on A and B using default pubkeys according
> > >> to Stuart Henderson advices.
> > >> 
> > >> iked.conf on A : 
> > >> 
> > >>  ikev2 active ipcomp esp \
> > >>  from 192.168.100.0/16 to 0.0.0.0/0 \
> > >>  peer "xx.xx.xx.xx" \
> > >>  srcid "m...@moria.lan" \
> > >>  dstid "B-hostname.tld" \
> > >>  tag IKED
> > >> 
> > >> iked.conf on B : 
> > >> 
> > >>  ikev2 "warrior" passive esp \
> > >>  from 0.0.0.0/0 to 0.0.0.0/0 \
> > >>  local xx.xx.xx.xx peer any \
> > >>  srcid "B-hostname.tld" \
> > >>  tag IKED
> > >> 
> > >> Auth works as expected : 
> > >> 
> > >> # iked -vvd
> > >> ..
> > >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 
> > >> 192.168.100.122:4500 policy 'policy1'
> > >> ..
> > >> 
> > >> 
> > >> But I can't reach internet from A through B.
> > >> 
> > >> Here is the pf.conf on B (at least a small part of it)
> > >> 
> > >> pass out on egress \
> > >> from any to any tagged IKED \
> > >> nat-to (egress)
> > >> 
> > >> 
> > >
> > > I'm still stuck at the same point.
> > > Can someone give me an example of a working configuration natting ot
> > > Internet?
> > 
> > I used this,
> > 
> > pass in on enc0 inet from $some_net
> > pass out quick on egress inet received-on enc0 nat-to $some_address
> > 
> > Also I don't remember what you've already said you checked, but
> > make sure you have sysctl net.inet.ip.forwarding=1.
> > 
> 
> Thank you.
> Yes, I do have ip.forwarding=1.
> 
> I'm confused how to replace "$some_address". Isn't it "(egress)" ?
> 
> Regards.
> 


-- 
radek



Re: ikev2 and road warriors setup

2018-12-07 Thread Radek
Hello,

I am still almost at the same point. 
If I want to reach my GW88_LAN I have to check the "use default gateway on remote 
network" box (Windows roadwarrior), but this option makes me reach the 
internet through GW88.

I want to use VPN GW88 to access 192.168.2.0/24 ONLY and the roadwarrior's "local" 
gateway for the rest of the traffic - the "use default gateway on 
remote network" box unchecked. 
If the box is unchecked I am not able to access 192.168.2.0/24.

What should I change in my confs to get it working in this manner?

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass out quick on egress inet received-on enc0 nat-to (egress)
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
 

GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive esp \
from 0.0.0.0/0 to 10.0.1.0/24 \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server 8.8.8.8

On Fri, 30 Nov 2018 15:06:28 +0100
Radek  wrote:

> Hello, 
> 
> Thank all of you for your time and your help in this matter!
> I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates. 
> I have moved VPN server and clients out of A.B.C.0/23. They can connect 
> pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to 
> VPN serv.
> Site-to-Site VPN is doing its job.
> 
> The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if 
> "use default gateway on remote network" is set. 
> I need to make road_warriors:
> - reaching GW88_LAN_machines 192.168.2.254/24 
> - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> - force road_warriors to use its own gateway for the rest of traffic - 
> unticked "use default gateway on remote network".
>  
> I was playing around with iked.conf and pf.conf but I did not find the way to 
> make it work.
> I will be grateful if anyone could help me with that.
> 
> My network diagram and configs of GW88:
> 
> GW88$ cat /etc/hostname.enc0 
> inet 10.0.1.254 255.255.255.0
> 
> GW88$ cat /etc/iked.conf
> #
> ikev2 "roadWarrior" passive esp \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.0/24 
> #
> #
> remote_gw_GW119 = "1.2.3.119" # fw_GW119   
> remote_lan_GW119_1  = "172.16.1.0/24"
> remote_lan_GW119_2  = "172.16.2.0/24"
> 
> local_gw_GW88_2  = "192.168.2.254"
> local_lan_GW88_2 = "192.168.2.0/24"
> 
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> psk "pkspass"
> 
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> psk "pskpass"
> 
> 
> GW88$ cat /etc/pf.conf
> set skip on {lo, enc}
> 
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> 
> match out on egress from lan:network to any nat-to egress
> 
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
> 
> table  persist counters
> pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags 
> S/SA \
>  set prio (6, 7) keep state \
>  (max-src-conn 15, max-src-conn-rate 2/10, overload  
> flush global)
> 
> icmp_types  = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types
> 
> 
> 
>                     +------------+
>                     |road_warrior|
>           +---------+10.0.1.0/24 |
>           |         +------------+
>           |
>         ikev2
>           |
>           v
>        4.5.6.88                                  1.2.3.119
>      +---------+                               +----------+
>      |  GW88   | <--+site-to-site VPN+-->      |  GW119   |
>      +----+----+                               +----+-----+
>           |                                         |
>           +-----192.168.1.254/24                    |
>           |                               172.16.1.254/24---+
>           +-----+-----192.168.2.254/24 

Re: sh /etc/netstart interface counter intuitive behaviour with multiple inet aliases 6.4 and 6.3

2018-12-07 Thread Radek
10.134.91.235
> >>> inet 10.134.91.237 netmask 0xfffc broadcast 10.134.91.239
> >>> inet 10.134.91.241 netmask 0xfffc broadcast 10.134.91.243
> >>> inet 10.134.91.245 netmask 0xfffc broadcast 10.134.91.247
> >>> inet 10.134.91.249 netmask 0xfffc broadcast 10.134.91.251
> >>> inet 10.134.91.253 netmask 0xfffc broadcast 10.134.91.255
> >>> 
> >>>
> >>> after commenting out the last 2 inet aliases , and running sh 
> >>> /etc/netstart vio4
> >>>
> >>> the ifconfig output is as follows  (i have highlighted with ***  the 
> >>> addresses
> >>> which I think should have been removed
> >>>
> >>> vio4: flags=8843 mtu 1500
> >>> lladdr 16:2c:a4:f2:b4:e3
> >>> index 5 priority 0 llprio 3
> >>> media: Ethernet autoselect
> >>> status: active
> >>> ** inet 10.134.91.249 netmask 0xfffc broadcast 10.134.91.251
> >>> ** inet 10.134.91.253 netmask 0xfffc broadcast 10.134.91.255
> >>> inet 10.94.0.1 netmask 0x broadcast 10.94.255.255
> >>> inet 10.134.91.65 netmask 0xfffc broadcast 10.134.91.67
> >>> inet 10.134.91.69 netmask 0xfffc broadcast 10.134.91.71
> >>> inet 10.134.91.73 netmask 0xfffc broadcast 10.134.91.75
> >>> inet 10.134.91.85 netmask 0xfffc broadcast 10.134.91.87
> >>> inet 10.134.91.89 netmask 0xfffc broadcast 10.134.91.91
> >>> inet 10.134.91.93 netmask 0xfffc broadcast 10.134.91.95
> >>> inet 10.134.91.161 netmask 0xfffc broadcast 10.134.91.163
> >>> inet 10.134.91.165 netmask 0xfffc broadcast 10.134.91.167
> >>> inet 10.134.91.169 netmask 0xfffc broadcast 10.134.91.171
> >>> inet 10.134.91.173 netmask 0xfffc broadcast 10.134.91.175
> >>> inet 10.134.91.193 netmask 0xfffc broadcast 10.134.91.195
> >>> inet 10.134.91.197 netmask 0xfffc broadcast 10.134.91.199
> >>> inet 10.134.91.201 netmask 0xfffc broadcast 10.134.91.203
> >>> inet 10.134.91.205 netmask 0xfffc broadcast 10.134.91.207
> >>> inet 10.134.91.209 netmask 0xfffc broadcast 10.134.91.211
> >>> inet 10.134.91.213 netmask 0xfffc broadcast 10.134.91.215
> >>> inet 10.134.91.217 netmask 0xfffc broadcast 10.134.91.219
> >>> inet 10.134.91.221 netmask 0xfffc broadcast 10.134.91.223
> >>> inet 10.134.91.225 netmask 0xfffc broadcast 10.134.91.227
> >>> inet 10.134.91.229 netmask 0xfffc broadcast 10.134.91.231
> >>> inet 10.134.91.233 netmask 0xfffc broadcast 10.134.91.235
> >>> inet 10.134.91.237 netmask 0xfffc broadcast 10.134.91.239
> >>> inet 10.134.91.241 netmask 0xfffc broadcast 10.134.91.243
> >>> inet 10.134.91.245 netmask 0xfffc broadcast 10.134.91.247
> >>>
> >>> This behaviour is counter intuitive  as it is different to sh 
> >>> /etc/netstart
> >>> behaviour on the configuration of  inet addresses
> >>> im wondiring is this a feature or a bug ...  or me misunderstanding the
> >>> use of netstart script to reset / reload the configuration of an interface
> >>>
> >>> Thanks
> >>>
> >>> Tom Smyth
> >>>
> >>
> >> --
> >> I'm not entirely sure you are real.
> > 
> > 
> > 
> 


-- 
radek



Re: ikev2 and road warriors setup

2018-12-12 Thread Radek
Hello again, 

I am using PPTP VPN (npppd) and it works as expected on windows clients - 
traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The 
"rest" is going through clients' gateway - DO NOT "use default gateway on 
remote network".

I have been playing around with iked.conf, pf.conf and ipsec.conf - still 
cannot get it working in this manner. 
I do not want to use OpenIKED as an internet gateway, the VPN is needed only to 
access the "LAN behind that VPNgateway".

Could someone please help me with this problem? Christmas is coming...

Many thanks!

On Fri, 7 Dec 2018 20:20:21 +0100
Radek  wrote:

> Hello,
> 
> I am still almost in the same point. 
> If I want to reach my GW88_LAN I have to check "use default gateway on remote 
> network" box (Windows roadwarrior), but this option makes me reaching the 
> internet through GW88.
> 
> I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's 
> "local" gateway for the rest of the traffic - unchecked box "use default 
> gateway on remote network". 
> If the box is unchecked I am not able to access 192.168.2.0/24.
> 
> What should I change in my confs to get it working in this manner?
> 
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass out quick on egress inet received-on enc0 nat-to (egress)
> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>  
> 
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive esp \
> from 0.0.0.0/0 to 10.0.1.0/24 \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.0/24 \
> config netmask 255.255.255.0 \
> config name-server 8.8.8.8
> 
> On Fri, 30 Nov 2018 15:06:28 +0100
> Radek  wrote:
> 
> > Hello, 
> > 
> > Thank all of you for your time and your help in this matter!
> > I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates. 
> > I have moved VPN server and clients out of A.B.C.0/23. They can connect 
> > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to 
> > VPN serv.
> > Site-to-Site VPN is doing its job.
> > 
> > The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if 
> > "use default gateway on remote network" is set. 
> > I need to make road_warriors:
> > - reaching GW88_LAN_machines 192.168.2.254/24 
> > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > - force road_warriors to use its own gateway for the rest of traffic - 
> > unticked "use default gateway on remote network".
> >  
> > I was playing around with iked.conf and pf.conf but I did not find the way 
> > to make it work.
> > I will be grateful if anyone could help me with that.
> > 
> > My network diagram and configs of GW88:
> > 
> > GW88$ cat /etc/hostname.enc0 
> > inet 10.0.1.254 255.255.255.0
> > 
> > GW88$ cat /etc/iked.conf
> > #
> > ikev2 "roadWarrior" passive esp \
> > from 192.168.2.0/24 to 10.0.1.0/24 \
> > local 4.5.6.88 peer any \
> > srcid 4.5.6.88 \
> > config address 10.0.1.0/24 
> > #
> > #
> > remote_gw_GW119 = "1.2.3.119" # fw_GW119   
> > remote_lan_GW119_1  = "172.16.1.0/24"
> > remote_lan_GW119_2  = "172.16.2.0/24"
> > 
> > local_gw_GW88_2  = "192.168.2.254"
> > local_lan_GW88_2 = "192.168.2.0/24"
> > 
> > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> > psk "pkspass"
> > 
> > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> > psk "pskpass"
> > 
> > 
> > GW88$ cat /etc/pf.conf
> > set skip on {lo, enc}
> > 
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > 
> > match out on egress from lan:network to any nat-to egress
> > 
> > block log all
> > pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> >

Cheaper alternatives for APC UPS

2018-12-17 Thread Radek
Hello,

could you recommend any UPS brands *cheaper* than APC that are fully 
supported in OpenBSD?
I always use APC, managing them via USB and apcupsd (both servers and clients) 
and PowerChute (Windows clients). It works like a charm. APC is quite an expensive 
brand so I am looking for any cheaper alternatives.

Thanks!

-- 
radek



Re: Cheaper alternatives for APC UPS

2018-12-19 Thread Radek
Thank you for all your comprehensive technical references. I just wanted to 
know if there is any way to save some money buying other brands than APC. 
After reading your posts I will definitely stay with APC.

Salicru, OpenUPS - I have never heard about these brands/solutions. Thanks.

> I am not sure about "supported",
I wanted to say that you can manage it smoothly using OpenBSD. 

BTW, do you have any experience with small 12V DC UPSes that can be smoothly used 
with routers only (PCEngines/Soekris)? I am looking for an "out of the box" 
small, silent and low power consumption device that can shut down my home 
OpenBSD router when the power is lost.
I would prefer not to use a 230V device for that purpose, which consumes more power 
compared to 12V devices.


On Tue, 18 Dec 2018 20:19:20 +0100
Juan Francisco Cantero Hurtado  wrote:

> On Mon, Dec 17, 2018 at 09:47:25PM +0100, Radek wrote:
> > Hello,
> > 
> > could you recommend me any UPS brands *cheaper* than APC that are fully 
> > supported in OpenBSD?
> > I always use APC, managing them via USB and apcupsd(both servers and 
> > clients) and PowerChute(windows clients). It works like a charm.  APC is 
> > quite expensive brand so I am looking for any cheaper alternatives.
> 
> Salicru is a good brand. The home models use a third party protocol
> supported by one of our ports (I don't remember the names). The
> professional product lines have support for USB HID.
> 
> I've used a couple of basic models. The batteries lasted for 3 years and
> I never had a leak.
> 
> The windows software is the biggest crap ever done. Use a third party
> application.
> 
> 
> -- 
> Juan Francisco Cantero Hurtado http://juanfra.info


-- 
radek



Re: ikev2 and road warriors setup

2018-12-28 Thread Radek
Hello,

finally I solved my problem as follows:
1. Uncheck "use default gateway on remote network" in the warrior (Windows)
2. Create a route192.bat file: route add 192.168.2.0 mask 255.255.255.0 10.0.1.123
3. Run route192.bat as administrator (when the VPN connection is established)
It works as expected, traffic to 192.168.2.0 goes through the VPN, the rest through 
the warrior's local gateway.
# When using PPTP (npppd) I do not need to add an extra route to the "LAN behind 
VPNgateway" (2.) - it works by default. Why?

GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive ipcomp esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.123 \
tag "$id" tap enc0

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan



On Wed, 12 Dec 2018 21:45:25 +0100
Radek  wrote:

> Hello again, 
> 
> I am using PPTP VPN (npppd) and it works as expected on windows clients - 
> traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The 
> "rest" is going through clients' gateway - DO NOT "use default gateway on 
> remote network".
> 
> I have been playing around with iked.conf, pf.conf and ipsec.conf - still 
> cannot get it working in this manner. 
> I do not want to use OpenIKED as a internet gateway, VPN is needed only to 
> access "LAN behind that VPNgateway".
> 
> Could someone please help me with this problem? Christmas is coming...
> 
> Many thanks!
> 
> On Fri, 7 Dec 2018 20:20:21 +0100
> Radek  wrote:
> 
> > Hello,
> > 
> > I am still almost in the same point. 
> > If I want to reach my GW88_LAN I have to check "use default gateway on 
> > remote network" box (Windows roadwarrior), but this option makes me 
> > reaching the internet through GW88.
> > 
> > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's 
> > "local" gateway for the rest of the traffic - unchecked box "use default 
> > gateway on remote network". 
> > If the box is unchecked I am not able to access 192.168.2.0/24.
> > 
> > What should I change in my confs to get it working in this manner?
> > 
> > GW88# grep "^[^#;]" /etc/pf.conf
> > set skip on {lo, enc}
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > match out on egress from lan:network to any nat-to egress
> > block log all
> > pass out quick on egress inet received-on enc0 nat-to (egress)
> > pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> > pass in on egress proto {ah,esp}
> > pass out on egress
> > pass on lan
> >  
> > 
> > GW88# grep "^[^#;]" /etc/iked.conf
> > ikev2 "roadWarrior" passive esp \
> > from 0.0.0.0/0 to 10.0.1.0/24 \
> > from 192.168.2.0/24 to 10.0.1.0/24 \
> > local 4.5.6.88 peer any \
> > srcid 4.5.6.88 \
> > config address 10.0.1.0/24 \
> > config netmask 255.255.255.0 \
> > config name-server 8.8.8.8
> > 
> > On Fri, 30 Nov 2018 15:06:28 +0100
> > Radek  wrote:
> > 
> > > Hello, 
> > > 
> > > Thank all of you for your time and your help in this matter!
> > > I think that the ISP of A.B.C.0/23 is filtering/blocking some 
> > > certificates. 
> > > I have moved VPN server and clients out of A.B.C.0/23. They can connect 
> > > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect 
> > > to VPN serv.
> > > Site-to-Site VPN is doing its job.
> > > 
> > > The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY 
> > > if "use default gateway on remote network" is set. 
> > > I need to make road_warriors:
> > > - reaching GW88_LAN_machines 192.168.2.254/24 
> > > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > > - force road_warriors to use its own gateway for the rest of traffic - 
> > > unticked "use default gateway on remote network".
> > >  
> > > I was playing around with iked.conf and pf.conf but I did not find the 
> > > way to make it work.
> > > I will be grateful if anyone could help me with that.
> > > 
> > > My network diagram and configs of GW88:
> > > 
> > > GW88$ cat /etc/hostnam

Re: Cheaper alternatives for APC UPS

2018-12-28 Thread Radek
Thanks for your hints, Stuart.
I hope to get one OpenUPS soon and give it a try.

On Sun, 23 Dec 2018 12:13:12 + (UTC)
Stuart Henderson  wrote:

> On 2018-12-19, Radek  wrote:
> > Thank you for all your comprehensive technical references. I just wanted to 
> > know if there is any way to save some money buying other brands than APC. 
> > After reading your posts I will definitely stay with APC.
> 
> I have had APCs that required a crowbar to remove the batteries before ;)
> Whatever brand, it's probably a good idea to schedule a battery inspection
> from time to time.
> 
> > Salicru, OpenUPS - I have never heard about these brands/solutions. Thanks.
> >
> >> I am not sure about "supported",
> > I wanted to say that you can manage it smoothly using OpenBSD. 
> >
> > BTW, do you have any experience with 12V DC small UPS that can be smoothly 
> > use with routers only (PCEngines/Soekris). I am looking for an "out of the 
> > box" small, silent and low power consumption device that can shutdown my 
> > home OpenBSD router when the power is loss.
> > I would like not to use 230V device fot that purpose, which consumes more 
> > power when compare to 12V devices.
> 
> OpenUPS is perfect for this. Or there are cheap chinese boxes that
> work with 18650 batteries and are meant for this sort of use too (but
> no monitoring with those like you get with OpenUPS).
> 
> 


-- 
radek



Re: ikev2 and road warriors setup

2018-12-28 Thread Radek
Another question arose in my random walk: How can I assign static IPs to more 
than one client?

I played around with DSTID but when I add DSTID to my policy then auth stops 
working.
ikev2 "roadWarrior" passive ipcomp esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
dstid "/C.../CN=win7/emailAddress=r...@123.com" \
config address 10.0.1.123 \
tag "$id" tap enc0

The only working way I have found is to assign a static IP to a specific peer (IP 
or network)
local 4.5.6.88 peer 1.2.3.4/32
or 
local 4.5.6.88 peer 1.2.3.0/24
but this is NOT what I need.

I need to do something like this:
policy1, peer any, warrior1/CA1/ASN11, config address IP1
policy2, peer any, warrior2/CA2,ASN12, config address IP2
policy3, peer any, warrior3/CA3,ASN13, config address IP3
...
policyN "catch the rest"  config address 10.0.11/24 \

Any help appreciated!


On Fri, 28 Dec 2018 10:41:22 +0100
Radek  wrote:

> Hello,
> 
> finally I solved my problem as follows:
> 1. Uncheck "use default gateway on remote network" in warrior (Windows)
> 2. Create route192.bat file: route add 192.168.2.0 mask 255.255.255.0 
> 10.0.1.123
> 3. Run route192.bat as administrator (when vpn connection is established)
> It works as expected, traffic to 192.168.2.0 goes through VPN, the rest 
> through warrior's local gateway.
> # When using PPTP (npppd) I do not need to add extra route to "LAN behind 
> VPNgateway" (2.) - it works by default. Why?
> 
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive ipcomp esp \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.123 \
> tag "$id" tap enc0
> 
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
> 
> 
> 
> On Wed, 12 Dec 2018 21:45:25 +0100
> Radek  wrote:
> 
> > Hello again, 
> > 
> > I am using PPTP VPN (npppd) and it works as expected on windows clients - 
> > traffic to the "LAN behind that VPNgateway" is going through VPNgateway. 
> > The "rest" is going through clients' gateway - DO NOT "use default gateway 
> > on remote network".
> > 
> > I have been playing around with iked.conf, pf.conf and ipsec.conf - still 
> > cannot get it working in this manner. 
> > I do not want to use OpenIKED as a internet gateway, VPN is needed only to 
> > access "LAN behind that VPNgateway".
> > 
> > Could someone please help me with this problem? Christmas is coming...
> > 
> > Many thanks!
> > 
> > On Fri, 7 Dec 2018 20:20:21 +0100
> > Radek  wrote:
> > 
> > > Hello,
> > > 
> > > I am still almost in the same point. 
> > > If I want to reach my GW88_LAN I have to check "use default gateway on 
> > > remote network" box (Windows roadwarrior), but this option makes me 
> > > reaching the internet through GW88.
> > > 
> > > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's 
> > > "local" gateway for the rest of the traffic - unchecked box "use default 
> > > gateway on remote network". 
> > > If the box is unchecked I am not able to access 192.168.2.0/24.
> > > 
> > > What should I change in my confs to get it working in this manner?
> > > 
> > > GW88# grep "^[^#;]" /etc/pf.conf
> > > set skip on {lo, enc}
> > > match in all scrub (no-df random-id)
> > > match out all scrub (no-df random-id)
> > > match out on egress from lan:network to any nat-to egress
> > > block log all
> > > pass out quick on egress inet received-on enc0 nat-to (egress)
> > > pass in on egress proto udp from any to (egress:0) port 
> > > {isakmp,ipsec-nat-t}
> > > pass in on egress proto {ah,esp}
> > > pass out on egress
> > > pass on lan
> > >  
> > > 
> > > GW88# grep "^[^#;]" /etc/iked.conf
> > > ikev2 "roadWarrior" passive esp \
> > > from 0.0.0.0/0 to 10.0.1.0/24 \
> > > from 192.168.2.0/24 to 10.0.1.0/24 \
> > > local 4.5.6.88 peer any \
> > > srcid 4.5.6.88 \
> > > config address 10.0.1.0/24 \
> > > config netmask 255.255.255.0 \
> > > config 

Re: Blocking "shodan.io" - What are my options?

2019-01-03 Thread Radek
> A little ncat, sed, pfctl, and a dash of cron are able to do 
> the job just fine.  cron is just there to start the ncat processes at 
> boot and run an hourly script to do a pfctl -T expire  86400 to 
> keep the table clean of old attackers.
Sounds good. Could you share your script here?

On Thu, 3 Jan 2019 15:20:44 -0800
Misc User  wrote:

> On 1/3/2019 3:06 PM, Jordan Geoghegan wrote:
> > Hello,
> > 
> > I wrote a small script called 'pf-badhost' to block shodan and other 
> > annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html 
> > to see the script.
> > 
> > pf-badhost also blocks ssh bruteforcers and other annoyances by loading 
> > a list of regularly updated badhost lists from trusted sources. If you 
> > only want to block shodan specifically, just comment out the few lines 
> > that download the other blocklists, and you should be good to go. I've 
> > had a number of people give good feedback on it, and they've reported it 
> > blocking the scanners and baddies quite effectively; BSDNow also did a 
> > piece about it, so it seems to work alright.
> > 
> > 
> > Cheers,
> > 
> > Jordan
> > 
> > 
> > On 01/02/19 22:15, Antonino Sidoti wrote:
> >> Hi,
> >>
> >> I wish to block all attempts by "shodan.io". Basically I run an 
> >> OpenBSD (6.4) mail server using OpenSMTPD and notice quite bit of 
> >> traffic all stemming from "shodan.io". I have PF configured so I was 
> >> wondering how to block such a domain from making any attempts to 
> >> connect to my server. There is little information about Public IP 
> >> addresses being used by "shodan.io" scanner, so making an IP list for 
> >> PF may be futile.
> >>
> >> Could someone suggest a possible option? I was thinking along the 
> >> lines of "relayd" or "squid proxy". My server is hosted at Vultr and 
> >> has a single WAN interface with Public IP. There is no internal LAN 
> >> interface.
> >>
> >> For those who do not know about "shodan.io", please do a search and 
> >> you will discover what it does.
> >>
> >> Regards
> >>
> >> Nino
> >>
> > 
> 
> 
> I've always been a fan of just setting up a simple script to open a 
> couple ports with ncat, then when a client connects to the port, it gets 
> shoved into pf table that has a `drop' rule attached to it.  No messing 
> about with blocklists or proxies or anything else.
> 
> ncat listens on various low-number ports that nothing is using on my 
> servers.  A little ncat, sed, pfctl, and a dash of cron are able to do 
> the job just fine.  cron is just there to start the ncat processes at 
> boot and run an hourly script to do a pfctl -T expire  86400 to 
> keep the table clean of old attackers.
> 
> Shodan isn't the only scanner out there, so there is no point in just 
> blocking it.  And I figure if someone is trying to connect to unused 
> ports on my system, they probably aren't up to any good.  If you aren't 
> aware that my machine isn't legitimately listening on 22 or 23, or 443, 
> I don't want to talk to you.
> 
> I usually just run on port 22 and move sshd to a different port, that 
> seems to stop >95% of attackers.
> 
> 


-- 
radek
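The ncat-plus-pfctl trap that Misc User sketches in the quoted post, written out as an added example (it is not his script, which was never posted): unused TCP ports are held open with nc(1), every peer that connects is added to a pf table, and an hourly run expires stale entries. Assumed, not from the thread: OpenBSD nc(1) with -k, a table named <badguys> with a "block drop quick" rule in pf.conf, connection-report lines in the shape printed by OpenBSD nc -v or nmap's ncat, and the trap ports and allowlist, which are constructed values.

```shell
#!/bin/sh
# Added example (not the list poster's script): a port trap for OpenBSD that
# listens on unused TCP ports with nc(1) and adds every connecting peer to a pf
# table, plus the hourly expire step the poster describes.
#
# Assumed pf.conf lines (table name and trap ports are constructed values):
#   table <badguys> persist counters
#   block drop quick from <badguys>
#   pass in on egress proto tcp to port { 23 2323 8080 }
# "block drop quick" has to sit above the pass rules so that a listed peer is
# dropped whatever it asks for next.

TABLE=${TABLE:-badguys}
TRAP_PORTS=${TRAP_PORTS:-"23 2323 8080"}  # ports nothing real listens on
TTL=${TTL:-86400}                         # seconds before a table entry expires
IDLE=${IDLE:-5}                           # nc -w: drop idle trap connections

# Never list our own networks or VPN peers. Entries ending in "." are prefix
# matches, others are exact hosts. Constructed: RFC 1918 ranges plus the
# 1.2.3.119 site-to-site peer that appears in the ikev2 thread.
ALLOW=${ALLOW:-"127. 10. 192.168. 172.16. 1.2.3.119"}

# extract_peer LINE: print the IPv4 address from a connection report such as
# "Connection from 203.0.113.5 54321 received!" (OpenBSD nc -v) or
# "Ncat: Connection from 203.0.113.5." (ncat). Returns 1 for any other line,
# so a "Listening on 0.0.0.0 23" status line never yields an address.
extract_peer() {
    case $1 in
        *Connection*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1 | grep -E .
}

# should_block ADDR: 0 if ADDR may go into the table, 1 if it is allowlisted.
should_block() {
    for p in $ALLOW; do
        case $p in
            *.) case $1 in "$p"*) return 1 ;; esac ;;
            *)  [ "$1" = "$p" ] && return 1 ;;
        esac
    done
    return 0
}

# block_peer ADDR PORT: pfctl -T add is idempotent, so repeat hits are harmless.
block_peer() {
    pfctl -t "$TABLE" -T add "$1" >/dev/null 2>&1 &&
        logger -t porttrap "added $1 to <$TABLE> after it connected to port $2"
}

# trap_port PORT: one nc listener that keeps accepting (-k). Its peer reports
# go to stderr, which is what we read; whatever the scanner sends is discarded.
trap_port() {
    port=$1
    nc -k -l -v -w "$IDLE" "$port" 2>&1 >/dev/null </dev/null |
    while IFS= read -r line; do
        peer=$(extract_peer "$line") || continue
        should_block "$peer" && block_peer "$peer" "$port"
    done
}

# expire_old: the hourly cron job, e.g. in root's crontab:
#   0 * * * * /usr/local/sbin/porttrap.sh expire
# Entries older than TTL seconds are removed so the table does not grow forever.
expire_old() {
    pfctl -t "$TABLE" -T expire "$TTL"
}

case ${1:-} in
    expire) expire_old ;;
    run)    for p in $TRAP_PORTS; do trap_port "$p" & done; wait ;;
esac
```

Start the listeners from rc.local or a cron @reboot entry with "porttrap.sh run"; keep the real sshd port out of TRAP_PORTS, or a legitimate connection from an allowlisted-free address would land in the table.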



Polish localization

2019-01-08 Thread Radek
Hello,

I'm trying to set Polish locales in my new desktop (6.4/amd64, xenodm, 
WindowMaker).

$ cat /etc/kbdtype 
pl

$ cat /etc/wsconsctl.conf 
keyboard.encoding=pl

$ grep LC ~/.xsession
export LC_CTYPE="pl_PL.UTF-8"

$ grep LC ~/.profile 
export LC_CTYPE="pl_PL.UTF-8"

It doesn't work as expected. I can't type Polish characters anywhere (console, 
X). I have English menu bars in Firefox and in claws-mail.

Then I changed LC_CTYPE to LC_ALL.
I still can't type Polish characters anywhere but now I have Polish menu bar in 
claws-mail.
Did I miss something?

$ locale
LANG=
LC_COLLATE="C"
LC_CTYPE="C"
LC_MONETARY="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_MESSAGES="C"
LC_ALL=

Any help appreciated. Thanks!

-- 
radek



Re: Polish localization

2019-01-09 Thread Radek
> Don't know about the console, 
Sorry, I meant XTERM.

>but to set (default) Polish keyboard in X 
>you need to run "setxkbmap pl", eg. in your .xsession file.
Thank you, that is exactly what I need! 
I just want to be able to type and display Polish characters in X. Polish 
interfaces are not strictly needed.

On Tue, 8 Jan 2019 17:29:22 +0200
Dumitru Moldovan  wrote:

> On Tue, Jan 08, 2019 at 02:52:21PM +, Radek wrote:
> >Hello,
> >
> >I'm trying to set Polish locales in my new desktop (6.4/amd64, xenodm, 
> >WindowMaker).
> >
> > […]
> 
> Don't know about the console, but to set (default) Polish keyboard in X 
> you need to run "setxkbmap pl", eg. in your .xsession file.
> 
> To have Polish interface displayed (when available) you need to set LANG 
> and LC_MESSAGES as pl_PL.UTF-8 (not sure if both or only one of it).  
> Setting LC_ALL will do that too (and more).
> 
> For Firefox there is a separate package for the Polish localization: 
> firefox-i18n-pl.  For the other program, I don't know…  Maybe nobody 
> localized it or the translation was removed?
> 
> HTH!
> 


-- 
radek



Re: Blocking "shodan.io" - What are my options?

2019-01-13 Thread Radek
Hi,

I would gladly play with your script. Would you please share it @misc? Maybe 
our community could develop it further...

On Sun, 13 Jan 2019 12:43:15 -0600
ed...@pettijohn-web.com wrote:

> On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > suspicion that you'd need something to listen on that port.  Is there
> > a way to achieve what we seek, in that case, without userland tools?
> > 
> > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson  
> > wrote:
> > >
> > > On 2019-01-09, Aaron Mason  wrote:
> > > > Hi Jordan
> > > >
> > > > I've set it up to try it, but I'm not having much luck.  Even when I
> > > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > > even again when I extend the rate period to 86400 seconds.  I've added
> > > > logging so I know the rule is triggering.  See below.
> > >
> > > max-src-conn-rate is only triggered when a TCP connection is
> > > established, you need to have something listening (and it will only
> > > trigger on the *second* connection).
> > >
> > >
> > 
> > 
> > -- 
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
> >
> 
> I wrote a little daemon to do what we're looking for. It listens on
> specified ports, accepts the connection and executes a script so you can
> either use something like logger or pfctl, etc to do what you want with
> the address it connected from. If anyone wants to play with it let me
> know and I'll send you the tarball.
> 
> Edgar
> 


-- 
radek



Re: Blocking "shodan.io" - What are my options?

2019-01-18 Thread Radek
Sorry, I haven't tried it yet. I'll do it ASAP. 

On Tue, 15 Jan 2019 21:05:32 -0600
ed...@pettijohn-web.com wrote:

> On Sun, Jan 13, 2019 at 01:39:13PM -0600, ed...@pettijohn-web.com wrote:
> > On Sun, Jan 13, 2019 at 08:04:32PM +0100, Radek wrote:
> > > Hi,
> > > 
> > > I would gladly play with your script. Would you please share it @misc? 
> > > Maybe our community could develop it further...
> 
> Just curious if anyone has tried it out. I've been running it for about
> 48 hours now and it doesn't appear to be having any issues. Plus my pf
> table is growing.
> 
> $ doas pfctl -t badguys -T show | wc -l
>  697
> 
> I have it running on about 10 ports. Obviously the majority of the scans
> are on 22, but I was surprised to see so many on 23.
> 
> $ egrep "23$" /var/log/messages | wc -l
>  247
> 
> Edgar
> 
> > > 
> > > On Sun, 13 Jan 2019 12:43:15 -0600
> > > ed...@pettijohn-web.com wrote:
> > > 
> > > > On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > > > > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > > > > suspicion that you'd need something to listen on that port.  Is there
> > > > > a way to achieve what we seek, in that case, without userland tools?
> > > > > 
> > > > > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson 
> > > > >  wrote:
> > > > > >
> > > > > > On 2019-01-09, Aaron Mason  wrote:
> > > > > > > Hi Jordan
> > > > > > >
> > > > > > > I've set it up to try it, but I'm not having much luck.  Even 
> > > > > > > when I
> > > > > > > trigger more than one, it still doesn't populate the bad_hosts 
> > > > > > > table,
> > > > > > > even again when I extend the rate period to 86400 seconds.  I've 
> > > > > > > added
> > > > > > > logging so I know the rule is triggering.  See below.
> > > > > >
> > > > > > max-src-conn-rate is only triggered when a TCP connection is
> > > > > > established, you need to have something listening (and it will only
> > > > > > trigger on the *second* connection).
> > > > > >
> > > > > >
> > > > > 
> > > > > 
> > > > > -- 
> > > > > Aaron Mason - Programmer, open source addict
> > > > > I've taken my software vows - for beta or for worse
> > > > >
> > > > 
> > > > I wrote a little daemon to do what we're looking for. It listens on
> > > > specified ports, accepts the connection and executes a script so you can
> > > > either use something like logger or pfctl, etc to do what you want with
> > > > the address it connected from. If anyone wants to play with it let me
> > > > know and I'll send you the tarball.
> > > > 
> > > > Edgar
> > > > 
> > > 
> > > 
> > > -- 
> > > radek
> > 
> > It can be obtained at http://www.pettijohn-web.com/void-1.0.0.tar.gz
> > 
> > The manual isn't quite complete. The supplied script could really use
> > some help as well as an rc script. The makefile is also cobbled
> > together. It is pledged and unveiled. I think it can have a few of the
> > pledges removed, but I haven't gotten that far. I think it is unveiled
> > correctly, but this was my first time playing with it.
> > 
> > The only requirement is libevent2 to aid in portability, which was the
> > driving force behind executing a script so that it could tie into
> > whatever packet filter is in use. Any constructive suggestions and
> > patches are more than welcome.
> > 
> > Enjoy.
> > 
> > Edgar
> > 


-- 
radek
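
Edgar's tarball is not on the page, so here is an added example, written for this page and not taken from void or from OpenBSD, of the same idea in Python: listen on ports nothing legitimate uses, let the TCP handshake complete, close, and add the peer to a pf table with pfctl. Completing the handshake is the same condition max-src-conn-rate needs before it fires, and it is what protects you from banning a spoofed source: a forged SYN never finishes the handshake. Assumptions, all mine: the table is named badguys and is declared in pf.conf (`table <badguys> persist` plus a `block in quick on egress from <badguys>` rule), the honey ports are 23, 445 and 3389, and the allowlist stands in for your own address space.

```python
"""Accept-and-ban listener feeding a pf table. Added example for this thread, not Edgar's void."""
import ipaddress
import logging
import socket
import subprocess
import threading

# Assumed names: pf table <badguys> and ports that nothing legitimate listens on.
TABLE = "badguys"
HONEY_PORTS = (23, 445, 3389)
# Never ban these (assumed: loopback and the site's own RFC1918 space). Adjust to your LANs.
ALLOWLIST = tuple(ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8"))

log = logging.getLogger("honeyban")


def should_block(addr, allowlist=ALLOWLIST):
    """True when addr is a valid IP address that is not covered by the allowlist."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in allowlist)


def pfctl_add(addr, table=TABLE):
    """argv that adds addr to the pf table; 'pfctl -T add' is idempotent."""
    return ["pfctl", "-t", table, "-T", "add", addr]


class Banner:
    """Decides and executes bans; the runner is injectable so the logic can be tested offline."""

    def __init__(self, runner=subprocess.run, table=TABLE, allowlist=ALLOWLIST):
        self.runner, self.table, self.allowlist = runner, table, allowlist
        self.banned = set()

    def handle(self, addr, port):
        """Ban addr once; returns the pfctl argv that ran, or None when the peer was skipped."""
        if addr in self.banned or not should_block(addr, self.allowlist):
            return None
        cmd = pfctl_add(addr, self.table)
        self.runner(cmd, check=False)
        self.banned.add(addr)
        log.warning("port %d probe from %s, added to <%s>", port, addr, self.table)
        return cmd


def listen(port, banner, bind="0.0.0.0"):
    """Accept, close, ban: only a peer that completed the handshake reaches banner.handle()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        conn.close()
        banner.handle(peer[0], port)


def serve(ports=HONEY_PORTS, banner=None):
    """One listener thread per port; returns the threads so a caller can join them."""
    banner = banner or Banner()
    threads = [threading.Thread(target=listen, args=(p, banner), daemon=True) for p in ports]
    for t in threads:
        t.start()
    return threads


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for t in serve():
        t.join()
```

It has to run as root (or via doas) for pfctl to work. Entries never age out on their own; a cron job running `pfctl -t badguys -T expire 86400` drops addresses that have not been seen for a day, which keeps the table from growing without bound the way Edgar's count above suggests it will.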



Re: Slow VPN Performance

2019-01-18 Thread Radek
I have configured a site-to-site IKEv2 VPN between two routers (Soekris 
net5501-70).
Over the internet my transfer speed between these machines is up to 5000KB/s 
(it is OK).
Over the VPN it is up to 400KB/s only.

Is there any way to squeeze more performance out of this hardware and speed 
up the VPN?

Tested with netcat:
$ nc 10.0.15.254 1234 < 49MB.test
$ nc -l 1234 > 49MB.test

$ cat /etc/iked.conf
ikev2 quick active esp from $local_gw to $remote_gw \
from $local_lan to $remote_lan peer $remote_gw \
psk "pass"

$ dmesg | head
OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem  = 536363008 (511MB)
avail mem = 512651264 (488MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40


On Wed, 24 Oct 2012 10:28:43 + (UTC)
Stuart Henderson  wrote:

> On 2012-10-24, Michael Sideris  wrote:
> > Also, OpenBSD 5.2 is around the corner and you never know what that might 
> > bring.
> 
> There's a commit from just after 5.2 which is relevant to some
> packet forwarding setups, which might be of interest..
> 
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_input.c?r1=1.197;f=h#rev1.197
> 


-- 
radek



Re: Slow VPN Performance

2019-01-18 Thread Radek
To be more precise:
I use net/ifstat for current bw testing.
If I push data by netcat over public IPs, it is up to 5MB/s. 
If I push data by netcat through VPN, it is up to 400KB/s.
Endusers in LANs also complain about VPN bw.

> You should use curl + nginx (with tmpfs) or iperf for bw testing.
I do not need to get very exact bw. My "netcat test" shows that data transfer 
over VPN is ~10 times slower.

> Have you tried your NC on the loopback as a reference ?
$ time nc -N 127.0.0.1 1234 < 50MB.test
0.054u 1.476s 0:10.54 14.4% 0+0k 1281+1io 0pf+0w

> is the HEADER compression activated ?
I do not know. How can I check it out?

> just drop the all sendbug data if you actually want to help.
OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem  = 536363008 (511MB)
avail mem = 512651264 (488MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 
00:00:24:cd:90:10
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 
00:00:24:cd:90:11
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 
00:00:24:cd:90:12
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 
00:00:24:cd:90:13
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, 
model 0x0034
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 
3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, 
legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbc0: unable to establish interrupt for irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
ugen0 at uhub1 port 1 "American Power Conversion Smart-UPS C 1500 FW:UPS 10.0 / 
ID=1005" rev 2.00/1.06 addr 2
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (3f37e17802c01339.a) swap on wd0b dump on wd0b

> You should use curl + nginx (with tmpfs) or iperf for bw testing.
> 
> don't  drop data, maybe the driver of the ethernet card is crappy ?
> 
> just drop the all sendbug data if you actually want to help.
> 
> Have you tried your NC on the loopback as a reference ?
> is the HEADER compression activated ?


On Fri, 18 Jan 2019 09:28:45 -0500
sven falempin  wrote:

> On Fri, Jan 18, 2019 at 8:58 AM Radek  wrote:
> 
> > I have configured Site-to-Site ikev2 VPN between two routers (Soekris
> > net5501-70).
> > Over the internet my transfer speed between these machines is up to
> > 5000KB/s (it is OK).
> > Over t

Re: Slow VPN Performance

2019-01-21 Thread Radek
I changed the default crypto to:

ikev2 quick active esp from $local_gw to $remote_gw \
from $local_lan to $remote_lan peer $remote_gw \
ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
childsa enc aes-128-ctr \
psk "pass"

That increased VPN throughput up to 750KB/s but it is still too slow.
Maybe some sysctl tweaks would also help with this? 

Any hint would be appreciated. Thank you.


$ ifstat -i vr0 
           vr0
   KB/s in  KB/s out
      4.48    100.64
     24.14    503.63
     15.32    237.62
      0.33      6.32
     27.37    516.81
     25.92    548.57
     25.36    516.66
     23.49    514.80
     30.79    594.94
     37.45    583.15
     34.16    621.32
     31.54    653.58
     31.40    659.72
     33.00    667.91
     40.15    753.08
     34.54    738.35
     32.15    639.13
     35.11    621.26
     34.78    733.43
     34.59    728.21

On Fri, 18 Jan 2019 18:25:11 +0100
Radek  wrote:

> To be more precise:
> I use net/ifstat for current bw testing.
> If I push data by netcat over public IPs, it is up to 5MB/s. 
> If I push data by netcat through VPN, it is up to 400KB/s.
> Endusers in LANs also complain about VPN bw.
> 
> > You should use curl + nginx (with tmpfs) or iperf for bw testing.
> I do not need to get very exact bw. My "netcat test" shows that data transfer 
> over VPN is ~10 times slower.
> 
> > Have you tried your NC on the loopback as a reference ?
> $ time nc -N 127.0.0.1 1234 < 50MB.test
> 0.054u 1.476s 0:10.54 14.4% 0+0k 1281+1io 0pf+0w
> 
> > is the HEADER compression activated ?
> I do not know. How can I check it out?
> 
> > just drop the all sendbug data if you actually want to help.
> OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
> rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 
> 500 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> real mem  = 536363008 (511MB)
> avail mem = 512651264 (488MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
> pcibios0 at bios0: rev 2.0 @ 0xf/0x1
> pcibios0: pcibios_get_intr_routing - function not supported
> pcibios0: PCI IRQ Routing information unavailable.
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xc8000/0xa800
> cpu0 at mainbus0: (uniprocessor)
> mtrr: K6-family MTRR support (2 registers)
> amdmsr0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> 0:20:0: io address conflict 0x6100/0x100
> 0:20:0: io address conflict 0x6200/0x200
> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 
> 00:00:24:cd:90:10
> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 
> 00:00:24:cd:90:11
> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 
> 00:00:24:cd:90:12
> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 
> 00:00:24:cd:90:13
> ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 
> 3579545Hz timer, watchdog, gpio, i2c
> gpio0 at glxpcib0: 32 pins
> iic0 at glxpcib0
> pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 
> wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 
> 1.0, legacy support
> ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
> addr 1
> isa0 at glxpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbc0: unable to establish interrupt for irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: 

Re: Slow VPN Performance

2019-01-21 Thread Radek
Thank you Stuart and Christian.
> In short, I'd use "childsa enc aes-128 auth hmac-md5" for maximum
> throughput on this hardware.
It gives me up to 700KB/s.

> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
"childsa enc chacha20-poly1305" does the trick. It gives me up to 3MB/s. I 
think it is the throughput I need, but what about security with CHACHA vs AES? 
Should I buy new routers ASAP and change enc to AES, or stay calm with CHACHA?

> Do you have any other hardware you can use? If buying new, apu2/apu4
> would be good/easy options for running OpenBSD on, but if you have
> anything with enough NICs and AES (or at least PCLMUL) showing in
> the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
> suitable ciphers (try "quick enc aes-128-gcm"), it should be
> way better than the 5501.
No, I don't have any - that's the problem. I'm trying *not* to buy new APUs 
because they seem to be quite expensive (very small company, only 3 endusers at 
the remote location). I think 3MB/s over VPN is sufficient. If not - I (they) 
will have no choice. 
Will the APU.2D2 be OK for that purpose, or another board, considering 
price/performance?
https://www.pcengines.ch/apu2d2.htm

> The best test would be run between LAN machines rather than the routers.
> Generating traffic on the router itself means it's constantly switching
> between kernel and userland which won't be helping. Still, your test is
> good enough to show that things are much slower with IPsec enabled.
True. I use a LAN machine on one side in my netcat tests, but I don't have 
any on the other side, so I have to use the router.

On Mon, 21 Jan 2019 13:52:41 + (UTC)
Stuart Henderson  wrote:

> On 2019-01-21, Radek  wrote:
> > I changed default crypto to:
> >
> > ikev2 quick active esp from $local_gw to $remote_gw \
> > from $local_lan to $remote_lan peer $remote_gw \
> > ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> > childsa enc aes-128-ctr \
> > psk "pass"
> >
> > That increased VPN throughput up to 750KB/s but it is still too slow.
> > Mayba some sysctl tweaks would also help with this? 
> 
> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
> I don't think any sysctl is likely to help.
> 
> 750KB/s is maybe a bit slower than I'd expect but that 10+ year old
> net5501 is *not* a fast machine. You might be able to squeeze a bit more
> from it but probably not a lot, it won't be getting anywhere near your
> line speed even with larger packets, and will be terribly overloaded
> for small packets e.g. voip.
> 
> Do you have any other hardware you can use? If buying new, apu2/apu4
> would be good/easy options for running OpenBSD on, but if you have
> anything with enough NICs and AES (or at least PCLMUL) showing in
> the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
> suitable ciphers (try "quick enc aes-128-gcm"), it should be
> way better than the 5501.
> 
> >> To be more precise:
> >> I use net/ifstat for current bw testing.
> >> If I push data by netcat over public IPs, it is up to 5MB/s. 
> >> If I push data by netcat through VPN, it is up to 400KB/s.
> >> Endusers in LANs also complain about VPN bw.
> 
> The best test would be run between LAN machines rather than the routers.
> Generating traffic on the router itself means it's constantly switching
> between kernel and userland which won't be helping. Still, your test is
> good enough to show that things are much slower with IPsec enabled.
> 
> >> > is the HEADER compression activated ?
> >> I do not know. How can I check it out?
> 
> I don't know what compression that would be. There is ROHCoIPsec (RFC5856)
> but OpenBSD doesn't support that.
> 
> There is ipcomp (packet compression) which can be configured in iked,
> but the last thing you want to do on this hardware is add more cpu load
> by compressing. (it is not configured in the sample you sent).
> 


-- 
radek



Re: Printing problem

2019-01-23 Thread Radek
Hello, 

I can print from LibreOffice without any problems, but I canNOT print from 
textproc/xpdf 

If I print from textproc/xpdf (command: /usr/bin/lpr -P Kyocera_Mita_FS-6020) I 
get error:
lpr: connect: No such file or directory
jobs queued, but cannot start daemon.

It worked for me in FreeBSD, but maybe I have missed something in my new 
desktop.

This is a network printer. 
$ lpstat -d -p
system default destination: Kyocera_Mita_FS-6020
printer Kyocera_Mita_FS-6020 is idle.  enabled since Wed Jan 23 08:55:43 2019

$ cat /etc/printcap 
Kyocera_Mita_FS-6020|:rm=desk.pk:rp=Kyocera_Mita_FS-6020:

$ cat .cups/lpoptions 
Default Kyocera_Mita_FS-6020

$ rcctl check cupsd
cupsd(ok)

OpenBSD 6.4 (GENERIC.MP) #0: Thu Jan 10 13:55:24 CET 2019
r...@desk.pk:/usr/src/sys/arch/amd64/compile/GENERIC.MP


Thanks for help. 


On Fri, 21 Feb 2014 07:47:28 -0800
Jeremy Evans  wrote:

> On Fri, Feb 21, 2014 at 3:54 AM, Jan Stary  wrote:
> 
> > On Feb 19 13:20:07, chrisbenn...@bennettconstruction.us wrote:
> > > I don't print from my laptop often, but all was fine until recently.
> > > I did not have any problems previously.
> > > I haven't made any changes either.
> > > I am using commands of
> > > lpr -Plp estimate_details_for_customer
> > > or
> > > lpr -Paps1 estimate_details_for_customer
> >
> > On Feb 19 12:32:36, jeremyeva...@gmail.com wrote:
> > > Known issue with that snapshot.  Already fixed in -current.
> >
> > Indeed. Out of curiosity, what was it? I couldn't find anything under
> > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/
> > that would break and fix this.
> >
> 
> Remote printing with lpd was broken from January 20 to February 7.
> 
> usr.sbin/lpr/lpd/printjob.c (broken by r1.50, fixed by r1.52)
> 
> Thanks,
> Jeremy
> 


-- 
radek



Re: Printing problem

2019-01-25 Thread Radek
Thank you Stuart.
If I use /usr/local/bin/lpr printing works as expected.

$ grep Kyocera /etc/xpdfrc 
psFile  "|/usr/local/bin/lpr -P Kyocera_Mita_FS-6020"



On Wed, 23 Jan 2019 14:33:15 - (UTC)
Stuart Henderson  wrote:

> On 2019-01-23, Radek  wrote:
> > Hello, 
> >
> > I can print from LibreOffice without any problems, but I canNOT print from 
> > textproc/xpdf 
> >
> > If I print from textproc/xpdf (command: /usr/bin/lpr -P 
> > Kyocera_Mita_FS-6020) I get error:
> > lpr: connect: No such file or directory
> > jobs queued, but cannot start daemon.
> 
> /usr/bin/lpr is lpr from the base OS. Since you are using CUPS you need
> to use /usr/local/bin/lpr instead, you can either set this in xpdf (e.g.
> /etc/xpdfrc), or you could adjust your PATH so that /usr/local/bin comes
> before /usr/bin.
> >
> 


-- 
radek



Re: vlan problem

2019-01-28 Thread Radek
This works for me:
$cat /etc/hostname.vr1
up

$cat /etc/hostname.vlan2
inet 10.0.2.254 255.255.255.0 NONE vlan 2 vlandev vr1

$cat /etc/hostname.vlan100
inet 10.0.100.254 255.255.255.0 NONE vlan 100 vlandev vr1

OpenBSD 6.3 (GENERIC) #3: Thu Dec 20 09:35:15 MST 2018
t...@syspatch-63-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

As Josh mentioned, you also need an 802.1Q managed switch. Then you have to 
configure your VLANs on your switch.
Example:
let's take any 16-port switch:
port 16 - configure as uplink for vlan2 and vlan100
ports 1-10 - configure as ports of vlan2
ports 11-15 - configure as ports of vlan100

Then connect port 16 to the VLAN NIC of your OpenBSD box.

On Mon, 28 Jan 2019 20:02:19 +0800
johnw  wrote:

> My system is:
> 
> OpenBSD 6.4-current (GENERIC.MP) #639: Sun Jan 27 14:27:05 MST 2019 
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> Thanks.
> 
> On 2019年1月28日 19:57:01 [GMT+08:00], johnw  wrote:
> >hi, I want create vlan network, I create two files
> >
> >hostname.vio0
> >up
> >
> >hostname.vlan0
> >inet 10.10.10.101 255.255.255.0 10.10.10.255 parent vio0 vnetid 10
> >
> >then reboot
> >
> >I can not ping 10.10.10.1
> >
> >If I create bridge0, and add vio0 and vlan0 to bridge0, then I can ping
> >10.10.10.1
> >
> >Or if I just use vio0 without vlan,
> >hostname.vio0
> >inet 10.10.10.101 255.255.255.0 10.10.10.255
> >I can also ping 10.10.10.1.
> >
> >Why vlan0 not linked vio0(parent) without create bridge?
> >
> >Is this normal? AM I miss understand vlan?
> >
> >(eg: I also tried on real machine with hostname.em0 card, same result)
> >
> >Thanks.
> >
> >
> >
> >
> >
> >Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC
> 
> 
> Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC


-- 
radek



problem with site-to-site VPN between local machine and remote LAN (OpenIKED)

2019-03-09 Thread Radek
Hello,
 
I have a local_machine and a test remote_gateway/NAT with one 
remoteLAN_machine behind it. All the boxes are running OpenBSD. I can log in 
(ssh) to remoteLAN_machine through a port forwarded on remote_gateway/NAT.

I'm trying to set up a site-to-site VPN between local_machine and the remote LAN.
When I set it up (iked) the local_machine can ping (only ping) 
remoteLAN_machine through the VPN tunnel. 
I CANNOT log in (ssh) to remoteLAN_machine from local_machine, either through 
the VPN or from outside (on the gateway's public IP and forwarded port). 
I need to have two-way access to the behind-NAT services/boxes. I don't know 
what I'm doing wrong.

Could you shed some light on my problem/configs please?
Thank you!


local_machine# cat /etc/iked.conf | grep "^[^#;]"
remote_gw_FW70 = "240.240.10.70"
remote_lan_FW70= "10.0.100.0/24"
ikev2 quick active esp from egress to $remote_lan_FW70 \
peer $remote_gw_FW70 \
psk "aaa"



local_machine# cat /etc/pf.conf | grep "^[^#;]"
set skip on lo
block all
table  const {240.240.10.96, 240.240.10.70 }
pass out quick on egress proto esp from (egress:0) to  keep state
pass out quick on egress proto udp from (egress:0) to  port {500, 4500} keep state
pass  in quick on egress proto esp from  to (egress:0) keep state
pass  in quick on egress proto udp from  to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild


local_machine# ipsecctl -sa
FLOWS:
flow esp in from 10.0.100.0/24 to 240.240.10.69 peer 240.240.10.70 srcid FQDN/desk.pk dstid FQDN/fw63 type use
flow esp out from 240.240.10.69 to 10.0.100.0/24 peer 240.240.10.70 srcid FQDN/desk.pk dstid FQDN/fw63 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256



remote_gateway/NAT# cat /etc/iked.conf | grep "^[^#;]"
local_lan_FW70 = "10.0.100.0/24"
remote_desk_RDK= "240.240.10.69"
ikev2 quick active esp \
from $local_lan_FW70 to $remote_desk_RDK peer $remote_desk_RDK \
psk "aaa"


remote_gateway/NAT# cat /etc/pf.conf | grep "^[^#;]"
sql_soe = "10.0.100.123"
ssh_port= "1071"
icmp_types  = "{ echoreq, unreach }"
ssh_soe_int = "1071"
ssh_soe_ext = "22123"
set block-policy drop   
set optimization normal 
set ruleset-optimization basic  
set skip on lo
set fingerprints "/dev/null"
antispoof quick for lo0
block all
match out log on egress from vr3:network nat-to egress:0
match in all scrub (no-df random-id)
match out all scrub (no-df random-id) 
table  const {240.240.10.96, 240.240.10.69 }
pass out quick on egress proto esp from (egress:0) to  keep state
pass out quick on egress proto udp from (egress:0) to  port {500, 4500} keep state
pass  in quick on egress proto esp from  to (egress:0) keep state
pass  in quick on egress proto udp from  to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp keep state
pass log proto udp keep state
pass in log quick inet proto tcp from any to egress port $ssh_port flags S/SA keep state
pass in log quick on egress inet proto tcp from any to egress port $ssh_soe_ext rdr-to $sql_soe port $ssh_soe_int keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass log inet proto { tcp, udp, esp } from vr3:network to any keep state
block in log on ! lo0 proto tcp to port 6000:6010


remote_gateway/NAT# ipsecctl -sa
FLOWS:
flow esp in from 240.240.10.69 to 10.0.100.0/24 peer 240.240.10.69 srcid FQDN/fw63 dstid FQDN/desk.pk type use
flow esp out from 10.0.100.0/24 to 240.240.10.69 peer 240.240.10.69 srcid FQDN/fw63 dstid FQDN/desk.pk type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x09952f16 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x216a3871 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x62c0615a auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x97cc9e5f auth hmac-sha2-256 enc aes-256



remoteLAN_machine# cat /etc/pf.conf | grep "^[^#;]"
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
pass all




-- 
radek



Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2

2019-05-04 Thread Radek
> There is a longstanding bug there that causes the ikeds to lose 
> synchronization.
Is this bug fixed or not in 6.5?


On Wed, 9 Nov 2016 15:19:49 + (UTC)
Christian Weisgerber  wrote:

> On 2016-11-09, "Comète"  wrote:
> 
> > I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C
> > boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get 
> > a
> > maximum bandwidth of 66 Avg Mbps when IPSEC is enable which is, I think, 
> > very
> > low for an AES-NI enabled processor.
> 
> Well, it still is a slow processor.  For best performance, I'd add
> "childsa enc aes-128-gcm" to the iked configuration.  The default
> cipher is aes-256-cbc with hmac-sha2-256, and the latter has a
> noticeable performance impact.
> 
> > And about 30 seconds after the test is
> > started, I don't know why, the connection is lost and I have restart IKED
> > daemon on the "passive" host.
> 
> Every half gigabyte of transferred data, iked rekeys.  There is a
> longstanding bug there that causes the ikeds to lose synchronization.
> They will eventually resync on their own, but it takes several
> minutes.
> 
> -- 
> Christian "naddy" Weisgerber  na...@mips.inka.de
> 


-- 
Radek
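
Three things in the VPN threads above come together in one check: the suggestion to run `auth hmac-md5` for throughput, the switch to `chacha20-poly1305` (an AEAD does encryption and integrity in one pass and ChaCha20 is built for CPUs without AES instructions, which is consistent with the 4x gain reported; it is not a downgrade from AES in security terms, whereas hmac-md5 and group modp1024 are the weak choices in those configs), and the remote_gateway SAD in the site-to-site post, which shows three SAs per direction, the footprint of the rekey desynchronisation naddy describes. The added Python below, written for this page and not part of OpenBSD, parses `ipsecctl -sa` output in the line format shown in that post (an assumption for AEAD SAs, which print no `auth` field) and flags weak algorithms, unauthenticated ESP, and stale SA generations.

```python
"""Audit 'ipsecctl -sa' output: stale SA generations and weak ESP algorithms. Added example."""
import re
from collections import defaultdict

SA_RE = re.compile(
    r"^esp (?P<mode>tunnel|transport) from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-f]+)"
    r"(?: auth (?P<auth>\S+))?(?: enc (?P<enc>\S+))?"
)

AEAD_MARKERS = ("gcm", "chacha20-poly1305")
AUTH_ADVICE = {
    "hmac-md5": "MD5 is broken; use hmac-sha2-256 or an AEAD cipher",
    "hmac-sha1": "legacy; prefer hmac-sha2-256 or an AEAD cipher",
}
WEAK_ENC_PREFIXES = ("des", "3des", "blowfish", "cast", "null")


def parse_sad(text):
    """Return one dict per ESP SA line; FLOWS and unrelated lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            sas.append(m.groupdict())
    return sas


def audit(sas, max_per_direction=2):
    """Findings as (kind, message). A rekey briefly leaves two SAs per direction; more is stale."""
    findings = []
    per_direction = defaultdict(list)
    for sa in sas:
        per_direction[(sa["src"], sa["dst"])].append(sa["spi"])
        enc = sa["enc"] or ""
        if sa["auth"] in AUTH_ADVICE:
            findings.append(("weak", f"{sa['spi']}: auth {sa['auth']}: {AUTH_ADVICE[sa['auth']]}"))
        if enc.startswith(WEAK_ENC_PREFIXES):
            findings.append(("weak", f"{sa['spi']}: enc {enc} is obsolete"))
        if sa["auth"] is None and not any(m in enc for m in AEAD_MARKERS):
            findings.append(("unauth", f"{sa['spi']}: enc {enc} without auth gives no integrity protection"))
    for (src, dst), spis in per_direction.items():
        if len(spis) > max_per_direction:
            findings.append(("stale", f"{len(spis)} SAs from {src} to {dst} ({', '.join(spis)}): "
                                      "old rekey generations still installed, peers likely out of sync"))
    return findings


# SAD of remote_gateway/NAT as posted in the site-to-site thread above.
POSTED_SAD = """
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x09952f16 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x216a3871 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x62c0615a auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x97cc9e5f auth hmac-sha2-256 enc aes-256
"""

# Constructed lines (not from the page) covering the throughput-motivated choices discussed.
CONSTRUCTED_SAD = """
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x00000001 auth hmac-md5 enc aes-128
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x00000002 enc aes-128-ctr
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x00000003 enc chacha20-poly1305
"""

if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["ipsecctl", "-sa"], capture_output=True, text=True, check=False).stdout
    for kind, msg in audit(parse_sad(out)):
        print(kind, msg)
```

Run it on the gateway (`doas python3 sadaudit.py`) after the tunnel has been up for a while; if the stale finding keeps coming back, compare SPIs on both peers, since an SA present on one side only is traffic that will be dropped until the next rekey.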



Multiple web servers behind NAT

2016-09-30 Thread Radek
Hi, 
I have one web_serwer_1 behind an OpenBSD 5.9 router/NAT with a single IP. 

web_serwer_1 -apache,virtualhosts- (10.0.8.11):
1.domain.com
2.domain.com
3.domain.com

pf.conf:
pass in log quick on $ext_if inet proto tcp from any to $ext_if port 80 rdr-to $web_serwer_1 port 80 set prio (1, 6) keep state
pass in log quick on $ext_if inet proto tcp from any to $ext_if port 443 rdr-to $web_serwer_1 port 443 set prio (1, 6) keep state

Everything works fine.

Now, I need to add another web_serwer_2. It would be the "main" web server.
 
web_serwer_2 - native httpd,virtualhosts- (10.0.8.22):
4.domain.com
5.domain.com
6.domain.com

How can I make it work?
Any help appreciated.

-- 
radek



Re: Multiple web servers behind NAT

2016-10-05 Thread Radek
Yes, my servers share the same ext IP. 
It is 5.9. I am trying to configure relayd. I commented out the previous "rdr-to" 
rules in /etc/pf.conf and added the configuration below.
10.0.30.101, 10.0.30.201 - it is not a mistake (10.0.8.11, 10.0.8.22 were 
just example IPs).
All websites are unreachable now.

#grep relayd /etc/pf.conf
anchor "relayd/*"

#relayd -n
configuration OK

#cat /etc/relayd.conf
ext_addr="msk0" 
host1="10.0.30.101" 
host2="10.0.30.201" 

table  { $host1 } 
table  { $host2 } 

http protocol "web_one" { 
   return error
   pass
   match request header "Host" value "1.domain.com" forward to  
} 

http protocol "web_two" { 
   return error
   pass
   match request header "Host" value "4.domain.com" forward to  
} 

relay relay_one { 
   listen on $ext_addr port 80 
   protocol "web_one" 
   forward to  check tcp port 80 
} 

relay relay_two { 
   listen on $ext_addr port 80 
   protocol "web_two" 
   forward to  check tcp port 80
}

#/etc/rc.d/relayd -df restart
doing _rc_parse_conf
doing _rc_quirks
relayd_flags empty, using default ><
doing _rc_read_runfile
doing _rc_parse_conf
doing _rc_quirks
relayd_flags empty, using default ><
doing _rc_read_runfile
doing rc_check
relayd
doing rc_stop
doing _rc_wait stop
doing rc_check
doing rc_check
doing _rc_rm_runfile
(ok)
doing _rc_parse_conf
doing _rc_quirks
relayd_flags empty, using default ><
doing _rc_read_runfile
doing rc_check
relayd
doing rc_pre
configuration OK
doing rc_start
doing _rc_wait start
doing rc_check
doing _rc_write_runfile
(ok)


On Fri, 30 Sep 2016 07:26:22 -0400
Josh Grosse  wrote:

> On Fri, Sep 30, 2016 at 11:42:11AM +0200, Radek wrote:
> > Hi, 
> > I have one web_serwer_1 behind OpenBSD 5.9 router/NAT with single IP. 
> > 
> > web_serwer_1 -apache,virtualhosts- (10.0.8.11):
> > 1.domain.com
> > 2.domain.com
> > 3.domain.com
> > 
> > pf.conf:
> > pass in log quick on $ext_if inet proto tcp from any to $ext_if port 80 
> > rdr-to $web_serwer_1 port 80 set prio (1, 6) keep state
> > pass in log quick on $ext_if inet proto tcp from any to $ext_if port 443 
> > rdr-to $web_serwer_1 port 443 set prio (1, 6) keep state
> > 
> > Everything works fine.
> > 
> > Now, I need to add another web_serwer_2. It would be the "main" web server.
> >  
> > web_serwer_2 - native httpd,virtualhosts- (10.0.8.22):
> > 4.domain.com
> > 5.domain.com
> > 6.domain.com
> > 
> > How can I make it work?
> > Any help appreciated.
> 
> If the two web servers share the same external IP address, use relayd(8),
> as it is designed to inspect HTTP URLs.
> 


-- 
radek



Re: Multiple web servers behind NAT

2016-10-10 Thread Radek
relay_tls   active
3   table   www_101:443 active (1 hosts)
3   host10.0.30.101 100.00% up
4   table   www_201:443 active (1 hosts)
4   host10.0.30.201 100.00% up

Websites (https://4.domain, https://5.domain, https://6.domain) started to show 
the content of 1.domain.com.

If I change the order of the "forward" lines, the websites (https://1.domain, 
https://2.domain, https://3.domain) start to show the content of 4.domain.com 
instead.

relay relay_tls { 
   listen on 127.0.0.1 port 8443 tls
   protocol "web_tls" 
   forward with tls to  check tcp port 443
   forward with tls to  check tcp port 443
}

All domains use relay_machine's certificate instead of the specific domain's 
cert.

What am I doing wrong?

On Wed, 5 Oct 2016 09:57:49 -0400
"trondd"  wrote:

> On Wed, October 5, 2016 8:43 am, Radek wrote:
> > Yes, my servers share the same ext IP.
> > It is 5.9. I am trying to configure relayd. I commented out previous
> > "rdr-to" rules from /etc/pf.conf and added as below.
> > 10.0.30.101, 10.0.30.201 - it is not a mistake - ( 10.0.8.11, 10.0.8.22
> > was just an exemplary IP)
> > All websites are unreachable now.
> >
> > #grep relayd /etc/pf.conf
> > anchor "relayd/*"
> >
> > #relayd -n
> > configuration OK
> >
> > #cat /etc/relayd.conf
> > ext_addr="msk0"
> > host1="10.0.30.101"
> > host2="10.0.30.201"
> >
> > table  { $host1 }
> > table  { $host2 }
> >
> > http protocol "web_one" {
> >return error
> >pass
> >match request header "Host" value "1.domain.com" forward to 
> 
> I think you need "pass request header..."
> 
> > }
> >
> > http protocol "web_two" {
> >return error
> >pass
> >match request header "Host" value "4.domain.com" forward to 
> > }
> 
> You should combine the two protocols into one.  You can have multiple pass
> lines.  Last match wins, unless you use "quick".  You can define a default
> that way.
> 
> >
> > relay relay_one {
> >listen on $ext_addr port 80
> >protocol "web_one"
> >forward to  check tcp port 80
> > }
> >
> > relay relay_two {
> >listen on $ext_addr port 80
> >protocol "web_two"
> >forward to  check tcp port 80
> > }
> 
> You should have only one relay defined, you can't have two things
> listening on the same port.  Just put the two "forward to" lines in the
> same relay block.
> 
> 
> >
> > #/etc/rc.d/relayd -df restart
> > doing _rc_parse_conf
> > doing _rc_quirks
> > relayd_flags empty, using default ><
> > doing _rc_read_runfile
> > doing _rc_parse_conf
> > doing _rc_quirks
> > relayd_flags empty, using default ><
> > doing _rc_read_runfile
> > doing rc_check
> > relayd
> > doing rc_stop
> > doing _rc_wait stop
> > doing rc_check
> > doing rc_check
> > doing _rc_rm_runfile
> > (ok)
> > doing _rc_parse_conf
> > doing _rc_quirks
> > relayd_flags empty, using default ><
> > doing _rc_read_runfile
> > doing rc_check
> > relayd
> > doing rc_pre
> > configuration OK
> > doing rc_start
> > doing _rc_wait start
> > doing rc_check
> > doing _rc_write_runfile
> > (ok)
> >
> 
> relayctl is your friend here.  See if the relays are actually up:
> 'relayctl show relays' and 'relayctl show summary'
> 
> 


-- 
radek
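Editor's addition to this archive page, not part of Radek's or trondd's messages: the relayd.conf below applies trondd's advice from the 2016-10-05 reply (one protocol, one relay per port, "pass request header ... forward to", "quick" for first-match semantics) to the setup in both posts above: 1-3.domain.com on 10.0.30.101 and 4-6.domain.com on 10.0.30.201 behind one external address. It is example configuration, not the file from the thread. Assumptions: the external address is written as a literal (203.0.113.10, a documentation range); the table names <www_101> and <www_201> are taken from the relayctl output in the 2016-10-10 post; and the HTTPS relay uses "tls keypair", which selects a certificate by the SNI name the client sends on relayd releases whose relayd.conf(5) documents it. Older releases take a single certificate named after the listening address, which is exactly the symptom reported in the 2016-10-10 post, so check the man page for your release before relying on that part.

```conf
# Example relayd.conf: two HTTP(S) backends behind one external address.
# Addresses, names and certificate names are assumptions for this example.
ext_addr="203.0.113.10"          # assumed external address (documentation range)
host1="10.0.30.101"              # apache, serves 1-3.domain.com
host2="10.0.30.201"              # httpd, serves 4-6.domain.com

table <www_101> { $host1 }
table <www_201> { $host2 }

# One protocol for both backends: the Host header decides where a request goes.
http protocol "web" {
    # Answer blocked requests with an HTML error page instead of a reset.
    return error

    # Default: refuse anything no pass rule below claims, so a request with an
    # unknown Host header never silently lands on whichever backend came first.
    block

    # "quick" makes the first matching rule final; without it the last match wins.
    pass request quick header "Host" value "1.domain.com" forward to <www_101>
    pass request quick header "Host" value "2.domain.com" forward to <www_101>
    pass request quick header "Host" value "3.domain.com" forward to <www_101>
    pass request quick header "Host" value "4.domain.com" forward to <www_201>
    pass request quick header "Host" value "5.domain.com" forward to <www_201>
    pass request quick header "Host" value "6.domain.com" forward to <www_201>

    # Let the backends log the real client address rather than relayd's.
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
}

# Exactly one relay per listening port. Both backends appear as "forward to"
# entries; the protocol's rules pick between them per request.
relay "web_http" {
    listen on $ext_addr port 80
    protocol "web"
    forward to <www_101> check http "/" host "1.domain.com" code 200
    forward to <www_201> check http "/" host "4.domain.com" code 200
}

# relayd terminates TLS itself, so the certificate the client sees is the one
# configured here, never the backend's. One "tls keypair" per hostname
# (/etc/ssl/private/<name>.key and /etc/ssl/<name>.crt) lets relayd answer with
# the right certificate for the SNI name the client sends. Assumption: your
# relayd.conf(5) documents "tls keypair"; if it does not, the release uses a
# single certificate named after the listen address.
relay "web_https" {
    listen on $ext_addr port 443 tls
    protocol "web"
    tls keypair "1.domain.com"
    tls keypair "2.domain.com"
    tls keypair "3.domain.com"
    tls keypair "4.domain.com"
    tls keypair "5.domain.com"
    tls keypair "6.domain.com"
    forward with tls to <www_101> check tcp port 443
    forward with tls to <www_201> check tcp port 443
}
```

Check it with `relayd -n -f /etc/relayd.conf` before restarting, then confirm the relays and tables are really up with `relayctl show relays` and `relayctl show summary` (every host should read "up", every table "active"), as trondd suggests. In pf.conf keep the `anchor "relayd/*"` line and a plain `pass in on $ext_if proto tcp to $ext_if port { 80 443 }` rule; the old `rdr-to` rules pointing straight at the backends must stay removed, otherwise pf redirects the connection before relayd ever sees it.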



Serial console on Sunix 40XX (PCI)

2015-02-16 Thread Radek
kbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
it0 at isa0 port 0x2e/2: IT8720F rev 8, EC port 0x290
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (89317412504155d9.a) swap on sd0b dump on sd0b
bnx0: address 00:0a:f7:3a:63:fc
brgphy0 at bnx0 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8
bnx1: address 00:0a:f7:3a:63:fe
brgphy1 at bnx1 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8

# pcidump -v 
[...]
 4:0:0: Sunix 40XX
0x: Vendor ID: 1409 Product ID: 7168
0x0004: Command: 0081 Status: 0280
0x0008: Class: 07 Subclass: 00 Interface: 02 Revision: 01
0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 00
0x0010: BAR io addr: 0xdf00/0x0020
0x0014: BAR empty ()
0x0018: BAR empty ()
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 1409 Product ID: 4025
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0c Min Gnt: 00 Max Lat: 00



-- 
radek



Re: Serial console on Sunix 40XX (PCI)

2015-02-18 Thread Radek
I set comaddr: 

machine comaddr 0xdf00/0x0020
set tty com4 

but I only got some kind of garbage on my console output 
(ŃuBÓZ6ÁÂ$őďNŚO%âăÔkşľŚÚĄy). 

I replaced my PCI card with another one: 

# pcidump -v
4:0:0: NetMos Nm9835
0x: Vendor ID: 9710 Product ID: 9835
0x0004: Command: 0001 Status: 0280
0x0008: Class: 07 Subclass: 80 Interface: 00 Revision: 01
0x000c: BIST: 00 Header Type: 00 Latency Timer: 20 Cache Line Size: 10
0x0010: BAR io addr: 0xdf00/0x0008
0x0014: BAR io addr: 0xde00/0x0008
0x0018: BAR io addr: 0xdd00/0x0008
0x001c: BAR io addr: 0xdc00/0x0008
0x0020: BAR io addr: 0xdb00/0x0008
0x0024: BAR io addr: 0xda00/0x0010
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 1000 Product ID: 0012
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0c Min Gnt: 00 Max Lat: 00

# cat /etc/boot.conf
machine comaddr 0xdf00/0x0008
set tty com4

# dmesg
pci4 at ppb3 bus 4
puc0 at pci4 dev 0 function 0 "NetMos Nm9835" rev 0x01: ports: 2 com, 1 lpt
com4 at puc0 port 0 apic 2 int 16: ns16550a, 16 byte fifo
com4: console
com5 at puc0 port 1 apic 2 int 16: ns16550a, 16 byte fifo
lpt3 at puc0 port 2 apic 2 int 16

My serial console works well now. Thanks!


On Mon, 16 Feb 2015 10:23:25 -0800
Mike Larkin  wrote:

> man boot
> 
> search for 'comaddr'. You probably need to set that up.
> 
> Also, the bootloader may not understand the 16750.
> 
> -ml
> 
> 
> On Mon, Feb 16, 2015 at 10:50:35AM +0100, Radek wrote:
> > I'm trying to set up a serial console. My RS-232 is an old PCI card. 
> > 
> > I tried this way:
> > boot> set tty com4
> > 
> > /etc/ttys:
> > tty00   "/usr/libexec/getty std.9600"   vt220   on secure
> > tty04   "/usr/libexec/getty std.9600"   vt220   on secure
> > 
> > but can't connect to console and the system doesn't boot. 
> > What am I doing wrong?
> > 
> > 
> > # dmesg 
> > OpenBSD 5.6 (GENERIC.MP) #1: Wed Feb 11 11:23:16 CET 2015
> > r...@samba56.prac:/usr/src/sys/arch/i386/compile/GENERIC.MP
> > cpu0: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz ("GenuineIntel" 686-class) 
> > 3.38 GHz
> > cpu0: 
> > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,LAHF,PERF,ITSC
> > real mem  = 3487911936 (3326MB)
> > avail mem = 3418468352 (3260MB)
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root
> > bios0 at mainbus0: AT/286+ BIOS, date 08/24/10, BIOS32 rev. 0 @ 0xfa810, 
> > SMBIOS rev. 2.4 @ 0xf0100 (39 entries)
> > bios0: vendor Award Software International, Inc. version "F2" date 
> > 08/24/2010
> > bios0: Gigabyte Technology Co., Ltd. X58-USB3
> > acpi0 at bios0: rev 0
> > acpi0: sleep states S0 S3 S4 S5
> > acpi0: tables DSDT FACP MCFG EUDS MATS TAMG APIC SSDT
> > acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5) 
> > HUB0(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USBE(S3) 
> > USE2(S3) AZAL(S5) [...]
> > acpitimer0 at acpi0: 3579545 Hz, 24 bits
> > acpimcfg0 at acpi0 addr 0xf000, bus 0-63
> > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> > cpu0 at mainbus0: apid 0 (boot processor)
> > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> > cpu0: apic clock running at 134MHz
> > cpu0: mwait min=64, max=64, C-substates=0.2.1.1.0, IBE
> > cpu1 at mainbus0: apid 2 (application processor)
> > cpu1: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz ("GenuineIntel" 686-class) 
> > 3.24 GHz
> > cpu1: 
> > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,LAHF,PERF,ITSC
> > cpu2 at mainbus0: apid 4 (application processor)
> > cpu2: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz ("GenuineIntel" 686-class) 
> > 3.24 GHz
> > cpu2: 
> > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,LAHF,PERF,ITSC
> > cpu3 at mainbus0: apid 6 (application processor)
> > cpu3: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz ("GenuineIntel" 686-class) 
> > 3.24 GHz
> > cpu3: 
> > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,M

VLAN in 5.9 - NAT problem

2016-04-18 Thread Radek
c 1 int 16
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci1 at ppb0 bus 1
1:3:0: mem address conflict 0xfffc/0x4
em0 at pci1 dev 3 function 0 "Intel 82546EB" rev 0x01: apic 1 int 20, address 
00:11:0a:62:f3:42
em1 at pci1 dev 3 function 1 "Intel 82546EB" rev 0x01: apic 1 int 21, address 
00:11:0a:62:f3:43
rl0 at pci1 dev 5 function 0 "Realtek 8139" rev 0x10: apic 1 int 22, address 
00:0b:6a:cf:6f:2d
rlphy0 at rl0 phy 0: RTL internal PHY
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 
0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom 
removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: apic 1 int 
17
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC3200CL3.0
auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: apic 1 int 
17, ICH5 AC97
ac97: codec id 0x434d4983 (C-Media Electronics CMI9761A+)
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x41
lm1 at wbsio0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (e8a3ba715d004629.a) swap on wd0b dump on wd0b

-- 
radek



Re: VLAN in 5.9 - NAT problem

2016-04-19 Thread Radek
 88 fixed ranges
> cpu0: apic clock running at 133MHz
> cpu0: mwait min=64, max=64
> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
> ioapic0: misconfigured as apic 0, remapped to apid 1
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (P0P4)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpibtn0 at acpi0: PWRB
> acpibtn1 at acpi0: SLPB
> bios0: ROM list: 0xc/0xa000!
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82865G Host" rev 0x02
> inteldrm0 at pci0 dev 2 function 0 "Intel 82865G Video" rev 0x02
> drm0 at inteldrm0
> intagp0 at inteldrm0
> agp0 at intagp0: aperture at 0xf000, size 0x800
> inteldrm0: apic 1 int 16
> inteldrm0: 1920x1080
> wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 16
> uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 19
> uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 18
> uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 16
> ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: apic 1 int 
> 23
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
> ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
> pci1 at ppb0 bus 1
> 1:3:0: mem address conflict 0xfffc/0x4
> em0 at pci1 dev 3 function 0 "Intel 82546EB" rev 0x01: apic 1 int 20, address 
> 00:11:0a:62:f3:42
> em1 at pci1 dev 3 function 1 "Intel 82546EB" rev 0x01: apic 1 int 21, address 
> 00:11:0a:62:f3:43
> rl0 at pci1 dev 5 function 0 "Realtek 8139" rev 0x10: apic 1 int 22, address 
> 00:0b:6a:cf:6f:2d
> rlphy0 at rl0 phy 0: RTL internal PHY
> ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
> pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, 
> channel 0 configured to compatibility, channel 1 configured to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
> atapiscsi0 at pciide0 channel 0 drive 1
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0:  ATAPI 
> 5/cdrom removable
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
> pciide0: channel 1 disabled (no drives)
> ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: apic 1 
> int 17
> iic0 at ichiic0
> spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
> spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC3200CL3.0
> auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: apic 1 int 
> 17, ICH5 AC97
> ac97: codec id 0x434d4983 (C-Media Electronics CMI9761A+)
> audio0 at auich0
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb2 at uhci1: USB revision 1.0
> uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb3 at uhci2: USB revision 1.0
> uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> usb4 at uhci3: USB revision 1.0
> uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
> isa0 at ichpcib0
> isadma0 at isa0
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x41
> lm1 at wbsio0 port 0x290/8: W83627HF
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> root on wd0a (e8a3ba715d004629.a) swap on wd0b dump on wd0b
> 
> --
> radek

-- 
radek



Re: VLAN in 5.9 - NAT problem

2016-04-21 Thread Radek
SOLVED!
The problem was in /etc/hostname.vlan* (not in /etc/pf.conf) 
I removed VLAN's MAC addresses and NAT started to work. 

BEFORE (5.4):
#cat /etc/hostname.trunk0 
trunkproto lacp trunkport em0 trunkport em1 lladdr 00:01:02:03:11:11
up
#cat /etc/hostname.vlan*
inet 10.0.30.254 255.255.255.0 NONE vlan 300 vlandev trunk0 lladdr 
00:01:02:03:03:00 description "Interface VLAN-SERV"
inet 10.0.8.254 255.255.255.0 NONE vlan 308 vlandev trunk0 lladdr 
00:01:02:03:03:08  description "Interface VLAN-308I"
inet 10.0.9.254 255.255.255.0 NONE vlan 309 vlandev trunk0 lladdr 
00:01:02:03:03:09 description "Interface VLAN-309I"
inet 10.0.10.254 255.255.255.0 NONE vlan 310 vlandev trunk0 lladdr 
00:01:02:03:03:10 description "Interface VLAN-310I"
inet 10.0.11.254 255.255.255.0 NONE vlan 311 vlandev trunk0 lladdr 
00:01:02:03:03:11 description "Interface VLAN-311I"
inet 10.0.40.254 255.255.255.0 NONE vlan 400 vlandev trunk0 lladdr 
00:01:02:03:04:00 description "Interface VLAN-PRAC"

AFTER (5.9):
#cat /etc/hostname.trunk0 
trunkproto lacp trunkport em0 trunkport em1 lladdr 00:01:02:03:11:11
up
#cat /etc/hostname.vlan*
inet 10.0.30.254 255.255.255.0 NONE vlan 300 vlandev trunk0 description 
"Interface VLAN-SERV"
inet 10.0.8.254 255.255.255.0 NONE vlan 308 vlandev trunk0 description 
"Interface VLAN-308I"
inet 10.0.9.254 255.255.255.0 NONE vlan 309 vlandev trunk0 description 
"Interface VLAN-309I"
inet 10.0.10.254 255.255.255.0 NONE vlan 310 vlandev trunk0 description 
"Interface VLAN-310I"
inet 10.0.11.254 255.255.255.0 NONE vlan 311 vlandev trunk0 description 
"Interface VLAN-311I"
inet 10.0.40.254 255.255.255.0 NONE vlan 400 vlandev trunk0 description 
"Interface VLAN-PRAC"

All vlan* interfaces have trunk0's MAC now (all the same). I hope it is not a 
problem.


On Tue, 19 Apr 2016 15:27:21 +0200
Radek  wrote:

> Thanks for all your replies.
> 
> > I think dhcpd.interfaces is a relic?  For the longest time I've simply
> > been specifying my interfaces in dhcpd_flags.
> Good idea, but deleting /etc/dhcpd.interfaces does not make any change.
> 
> > Since you did not submit a full pf.conf, I have no chance of knowing if you 
> > do a later pass that changes the NAT state.
> This is my full /etc/pf.conf now:
> pass out on rl0 inet from vlan309:network to any nat-to rl0
> 
> I have noticed that my NAT is working if there is running #tcpdump -i vlan309
> NAT works with:
> pass out on rl0 inet from vlan309:network to any nat-to rl0
> or with:
> match out on rl0 inet from vlan309:network nat-to rl0
> pass out on rl0
> 
> If I terminate #tcpdump -i vlan309, NAT stops working too.
> 
> Any idea?
> 
> 
> On Mon, 18 Apr 2016 16:42:00 -0400
> "Brian S. Vangsgaard"  wrote:
> 
> > pass out on rl0 inet from vlan309:network to any nat-to rl0
> > 
> > match out on rl0 inet from vlan:309:network nat-to rl0
> > pass out on rl0
> > 
> > Since you did not submit a full pf.conf, I have no chance of knowing if you 
> > do a later pass that changes the NAT state.
> > 
> > You could use tags for more fine-grained control.
> > 
> > 
> > #cat /etc/rc.conf.local
> > dhcpd_flags="vlan300 vlan308 vlan309 vlan310 vlan311 vlan400"
> > pf_rules=/etc/pf.conf
> > 
> > #cat /etc/dhcpd.interfaces
> > vlan300
> > vlan308
> > vlan309
> > vlan310
> > vlan311
> > vlan400
> > 
> > #cat /etc/hostname.em0
> > up
> > 
> > #cat /etc/hostname.em1
> > up
> > 
> > #cat /etc/hostname.trunk0
> > trunkproto lacp trunkport em0 trunkport em1 lladdr 00:01:02:03:11:11
> > up
> > 
> > #cat /etc/hostname.vlan300
> > inet 10.0.30.254 255.255.255.0 NONE vlan 300 vlandev trunk0 lladdr 
> > 00:01:02:03:03:00 description "Interface VLAN-SERV"
> > 
> > #cat /etc/hostname.vlan308
> > inet 10.0.8.254 255.255.255.0 NONE vlan 308 vlandev trunk0 lladdr 
> > 00:01:02:03:03:08 description "Interface VLAN-308I"
> > 
> > #cat /etc/hostname.vlan309
> > inet 10.0.9.254 255.255.255.0 NONE vlan 309 vlandev trunk0 lladdr 
> > 00:01:02:03:03:09 description "Interface VLAN-309I"
> > [...]
> > 
> > 
> > 
> > @2. Then I removed trunk0. DHCPserver works, clients get IP. NAT does not 
> > work still.
> > 
> > #cat /etc/pf.conf [changed to very short and simple for tests]
> > pass out on rl0 inet from vlan309:network to any nat-to rl0
> > 
> > #cat /etc/rc.conf.local
> > dhcpd_flags="vlan300 vlan308 vlan309 vlan310 vlan311 vlan400"
> > pf_rules=/etc/pf.conf

Unable to open UPS device. [apcupsd]

2016-07-14 Thread Radek
 rev 0x02
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xf000, size 0x800
inteldrm0: apic 1 int 16
inteldrm0: 1024x768
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 16
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: apic 1 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci1 at ppb0 bus 1
1:3:0: mem address conflict 0xfffc/0x4
em0 at pci1 dev 3 function 0 "Intel 82546EB" rev 0x01: apic 1 int 20, address 
00:11:0a:62:f3:42
em1 at pci1 dev 3 function 1 "Intel 82546EB" rev 0x01: apic 1 int 21, address 
00:11:0a:62:f3:43
rl0 at pci1 dev 5 function 0 "Realtek 8139" rev 0x10: apic 1 int 22, address 
00:0b:6a:cf:6f:2d
rlphy0 at rl0 phy 0: RTL internal PHY
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 
0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom 
removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: apic 1 int 
17
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC3200CL3.0
auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: apic 1 int 
17, ICH5 AC97
ac97: codec id 0x434d4983 (C-Media Electronics CMI9761A+)
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x41
lm1 at wbsio0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
uhidev0 at uhub2 port 1 configuration 1 interface 0 "American Power Conversion 
Smart-UPS 2200 FW:UPS 09.3 / ID=18" rev 2.00/1.06 addr 2
uhidev0: iclass 3/0, 146 report ids
upd0 at uhidev0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (e8a3ba715d004629.a) swap on wd0b dump on wd0b
upd0 detached
uhidev0 detached
uhidev0 at uhub1 port 2 configuration 1 interface 0 "American Power Conversion 
Smart-UPS 2200 FW:UPS 09.3 / ID=18" rev 2.00/1.06 addr 2
uhidev0: iclass 3/0, 146 report ids
upd0 at uhidev0

-- 
radek


