RE: Getting CARP to broadcast on a different interface

2016-06-08 Thread David DeSimone
One of the purposes of the CARP announcements is to announce the location of the virtual mac address to the upstream switch fabric. Since CARP uses a virtual mac that floats between multiple ports, you need to have the CARP master continually assert that its particular port is the target that s

Blank Emails (example: D6689: tcp/lro: Implement hash table for LRO entries.)

2016-06-02 Thread David DeSimone
I keep receiving blank emails like this one. Is everyone else? Is there something wrong with the bug tracking system? -Original Message- From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-...@freebsd.org] On Behalf Of sepherosa_gmail.com (Sepherosa Ziehau) Sent: Thursday, June 0

RE: ifconfig creates a bogus(?) route

2016-05-28 Thread David DeSimone
ance, the route would be called a "connected" route, showing that not only do you have an IP on the subnet, but by virtue of the netmask, you are "connected" to every other IP in the same subnet range, through that interface. It will cause your system to send ARP requests thro

RE: ssh over WAN: TCP window too small

2015-08-26 Thread David DeSimone
On 8/26/15 1:24 AM, John-Mark Gurney wrote: > > 94146 ssh 6.686140 CALL read(0x4,0x7fff6c70,0x4000) > > 94146 ssh 6.686154 GIO fd 4 read 4096 bytes > >[ read of stdin (/dev/zero) snipped) > > It would be interesting to know how long from the read of stdin (and is > it reall

RE: Netmap problem with e1000e driver

2015-05-27 Thread David DeSimone
Actually, Luigi has specifically requested that all users of netmap (Linux or BSD) use this list to field all of their questions. -Original Message- From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-...@freebsd.org] On Behalf Of Jack Vogel Sent: Wednesday, May 27, 2015 11:22 AM

RE: Problems with DNSSEC -- answer in fragmented UDP doesn't work

2015-01-30 Thread David DeSimone
o forward the later fragments based on port number. You can only see the Src/Dest IP and Protocol number in the fragment. -- David DeSimone == f...@verio.net == Network Admin "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate i

RE: igb Could not setup receive structures (again)

2014-11-21 Thread David DeSimone
Would it be possible for the driver to report how many clusters it calculated that it needs, whenever it runs into this memory shortage during attach? That way an administrator might have some idea how much to increase their tunables in order to meet the driver's requirements. As it is, it's m

RE: FreeBSD 10.0-R connected to Cisco switch (in 'trunk' mode with native VLAN) - doesn't work?

2014-07-29 Thread David DeSimone
We use exactly the sort of configuration you showed, and it works perfectly with our FreeBSD systems. It is possible you are running afoul of spanning-tree behavior on the port. Access ports are treated as "edge" ports and can activate right away, while trunk ports must go through the full lis

RE: Say me, please, how I can transfer between servers ZFS-partitions larger than 20Gb.

2014-07-27 Thread David DeSimone
Mark Martinec just reported this problem a few days ago, and he found a work-around. See the following: http://lists.freebsd.org/pipermail/freebsd-net/2014-July/039347.html -Original Message- From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-...@freebsd.org] On Behalf Of V

Re: Question regarding security run output

2013-09-03 Thread David DeSimone
ces in memory on these devices, or some other data leak propagating through the stack on them? It is probably worth capturing the odd packets and analyzing them further to see why they look the way they do. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, a

Re: ARP: Error Message in if_ether.c "arprequest: cannot find matching address"

2013-04-22 Thread David DeSimone
omeone is inserting hosts with wrong IP's on your network, and they start trying to ARP for one another. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it.

Re: if_vr(4) and DFE520-TX

2013-01-14 Thread David DeSimone
found online > claimed the CD contains drivers for Linux. Those might be useful for > determining which chipset these adapters use. On D-Link's web site there is a link to a Linux driver, which appears to be Donald Becker's driver: /* rtl8139.c: A RealTek RTL8129/8139 Fast Eth

Re: Issue with igb and lagg (was Re: Problem with link aggregation + sshd)

2012-09-18 Thread David DeSimone
an0" > ifconfig_lagg0_alias0="inet 10.0.0.4 netmask 0xff00" > > I use aliasX to add the address and netmask. > > -- > DE -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I

Re: Problem with link aggregation + sshd

2012-08-29 Thread David DeSimone
cross two 3560 switches. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for the use of the person to whom i

Re: [stable-9]

2012-05-15 Thread David DeSimone
o pointing to igb1, I can't see how the system would ever forward traffic out igb1, unless it was directed to the local /25. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I j

Re: invalid MAC addresses?

2012-03-17 Thread David DeSimone
se, (such as 22:44:66:11:22:33) and then other systems will believe that the mac is acceptable for unicast. However, it's clear that your NIC's eeprom has been programmed with an incorrect mac setting, which it sounds like you are already trying to fix. -- David DeSimone == Network Adm

Re: Filtering on IPSEC

2012-01-11 Thread David DeSimone
e was invented, so I can't speak to how the traffic flow works exactly, but it still seems to me that using gif is needlessly complicating your setup, so you may want to simplify it. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don

Re: FreeBSD 9 and ARP multicast source address error messages

2011-11-10 Thread David DeSimone
ement is the reason why multicast ARP replies are problematic, and why Microsoft's NLB implementation often causes heartburn within the network. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I

Re: IPFW shows me Strangeness in fresh 8.2-RELEASE system

2011-10-23 Thread David DeSimone
eiving these packets. Ethernet cards filter their traffic based on MAC address, not based on IP address. Use tcpdump -e to examine the destination MAC of the packets you are receiving, in order to determine whether you should receive them. -- David DeSimone == Network Admin == f...@verio.net

Re: Carp vhid with vlan id's alignment

2011-06-20 Thread David DeSimone
he VHID is there to help differentiate multiple CARP implementations on the same broadcast domain. If you are only going to have one CARP instance on each vlan, they can all use the same VHID in every vlan, without conflicting. -- David DeSimone == Network Admin == f...@verio.net "I don

Re: IPSec Routing

2011-05-22 Thread David DeSimone
all depends on the networking in between. If you were using tunnel mode, the encrypted packet would change its source and destination IP's, specifying your gateway as the source, and your vendor's gateway as the destination, so intervening routers would have no difficulty delivering the p

Re: tcp/ip stack sending icmp "ttl exceeded in traffic" back through gre \w ipsec-esp encryption tunnels.

2011-03-21 Thread David DeSimone
f it back, unencrypted. This could potentially provide an attacker with some known plaintext with which to attack your VPN's encryption keys. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I

Re: CARP Failover

2011-01-28 Thread David DeSimone
firewalls cannot hear each other's CARP announcements. Test with tcpdump; do you see the CARP packets coming from the other firewall? If not, you have a switching problem, like the two firewalls are not in the same VLAN together. If you do see the packets arriving, it probably means that

Re: Strange FreeBSD behavior when trying to forward beetween ipsec crypted gif's. May be a problem with ICMP unreach packets at all

2010-09-16 Thread David DeSimone
mpting to guess session keys, among other information exposed. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intend

Re: Kernel (7.3) crash due to mbuf leak?

2010-08-02 Thread David DeSimone
lt-in means of tracking which other subsystems are requesting memory, so that perhaps a clever gdb script can build a histogram of which subsystems are consuming large amounts of mbuf's? This would give me a pointer in the right direction to start investigating the cause of the leak. David DeSim

Re: Kernel (7.3) crash due to mbuf leak?

2010-07-30 Thread David DeSimone
Steve Polyack wrote: > > On 07/30/10 14:10, David DeSimone wrote: > >After upgrading a couple of our systems from 7.2-RELEASE to 7.3-RELEASE, > >we have started to see them running out of mbuf's and crashing every > >month or so. The panic string is: > ... >

Kernel (7.3) crash due to mbuf leak?

2010-07-30 Thread David DeSimone
XX:XX:XX inet XXX.XXX.XXX.XX netmask 0xfff8 broadcast XXX.XXX.XXX.XX media: Ethernet autoselect (1000baseTX ) status: active What can I do to troubleshoot this problem? Is there any accounting system built into the mbuf subsystem to help me with this? -- David DeSim

Re: vpn trouble

2010-06-22 Thread David DeSimone
set up the tunnel first - check whether both 10. are accessible > from both sides, then you "cover" communication between them with IPSEC. Will this sort of GIF tunnel interoperate with Cisco and/or Checkpoint VPN equipment? In our tests we were able to use pure IPSEC tunnel encapsulati

Re: vpn trouble

2010-06-22 Thread David DeSimone
om your peer is generally very difficult. I would suggest that your peer access his Cisco device logs and tell you if he sees any error messages related to your IP. He might easily be blocking your IP by failing to enter it into an access list somewhere, and you will not be able to tell, from your

Re: vpn trouble

2010-06-22 Thread David DeSimone
p: phase 1 I > ident > 15:57:39.067765 IP 78.x.x.x.isakmp > 95.x.x.x.isakmp: isakmp: phase 1 I > ident My first thought was that your IPSEC policy attempts to encrypt all traffic between you and your peers, but the IKE traffic is also traffic between you and your peers, so doesn'

Re: How does rpc.lockd know where to send a request

2010-02-07 Thread David DeSimone
ing to swap. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for the use of the person to whom it has bee

Re: GIF MTU parmeter is needed

2009-12-28 Thread David DeSimone
ig gif0 up I wonder if the problem you're seeing is due to the MTU attached to the static route that you're adding rather than the MTU of the interface. Try different command sequences and perform a "route get" to find out what MTU is being applied to the routes, to see if t

Re: Racoon site-to site

2009-12-11 Thread David DeSimone
imetime3600 sec; > encryption_algorithmdes; > authentication_algorithmhmac_md5,hmac_sha1; > compression_algorithm deflate; > } My hunch is that you have a PFS mismatch, so that the first tunnel negotiates, but the second SA negotiation fails, then the third succee

Re: question regarding IPSEC Setup

2009-07-16 Thread David DeSimone
0.10.30.40 0.0.0.255 permit ip 10.20.50.70 0.0.0.255 10.10.30.50 0.0.0.255 -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email

Re: question regarding IPSEC Setup

2009-07-14 Thread David DeSimone
go when I set up my IPSEC. What you probably want is the security/ipsec-tools port, which contains the original racoon IKE daemon. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I

Re: question regarding IPSEC Setup

2009-07-14 Thread David DeSimone
ep. Never assume that your peer has configured everything right. :) Make sure your ipsec.keys file is not readable by anyone but root, or racoon will silently ignore it. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, becaus

Re: [PATCH] SYN issue

2009-05-21 Thread David DeSimone
f a SYN from your IP and source port and force your connection to be torn down? -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This emai

Re: Can pfsync be used over router or WAN?

2009-05-08 Thread David DeSimone
rovide routing for a firewalled connection. A device far across a WAN doesn't seem like it would be able to provide redundant service. But that's up to your design, I suppose. Syncing across a LAN could make sense, but you will want to take steps to secure the traffic. -- David

Re: MTU or Fragmentation Problems on 7.0?

2009-01-28 Thread David DeSimone
ld snoop on your BSD1 box to see if they are sending larger frames and whether your BSD1 box is sending ICMP responses back to them. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, a

Re: MTU or Fragmentation Problems on 7.0?

2009-01-26 Thread David DeSimone
essage make it through the firewalls that are surely guarding the remote server? Let's hope so! This is something that is not really under your control, so it's difficult to say. Your best method of troubleshooting this might be to test from a host outside your network to see if the ICMP pack

Re: +ipsec_common_input: no key association found for SA

2008-12-30 Thread David DeSimone
's it thinks are supposed to be in use. They appear to be getting out of sync. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This

Re: +ipsec_common_input: no key association found for SA

2008-12-29 Thread David DeSimone
". Though this may just be an information-hiding typo on your part. -- David DeSimone == Network Admin == f...@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email messag

Re: [help]strange problem about gethostbyname/getaddrinfo

2008-12-09 Thread David DeSimone
descriptors larger than 1024. -- David DeSimone == Network Admin == [EMAIL PROTECTED] "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for the use of the person to

Re: FreeBSD 6.3 gre and tracerouteo

2008-11-18 Thread David DeSimone
Stephen Clark <[EMAIL PROTECTED]> wrote: > > switch (proto) { > case IPPROTO_GRE: > hlen += sizeof(struct gre_h); > + > + m->m_flags &= ~(M_DECRYPTED); > + Are there security implications from removing this flag? -

Re: Closing connection from an accept_filter(9)

2008-10-18 Thread David DeSimone
quest body without first accepting the connection? -- David DeSimone == Network Admin == [EMAIL PROTECTED] "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for

Re: permissions on /etc/namedb

2008-08-03 Thread David DeSimone
't you just modify /etc/mtree/BIND.chroot.dist so that it sets the permissions you desire? - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally pr

Re: arplookup x.x.x.x failed: host is not on local network

2008-07-03 Thread David DeSimone
out. I don't know why the box feels moved to complain about this, however. I would think it should not care. In this case, however, the user claims that the box is indeed a member of the 192.168.169 subnet, and therefore it should not be complaining. - -- David DeSimone == Network Admin == [EM

Re: arplookup x.x.x.x failed: host is not on local network

2008-07-03 Thread David DeSimone
ply. Have not tested it though. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have rec

Re: IP-forwarding (help)

2008-06-04 Thread David DeSimone
192.168 network even when they go to the 172.16 network? Perhaps the box you reach does not know how to route back to you when you source from that IP. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been s

Re: Dual stack with multiple addresses in rc.conf

2008-05-27 Thread David DeSimone
, it is more correct to put IPV6 settings in a separate entry. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are

Re: carp and vlan interfaces recovery issue

2008-05-09 Thread David DeSimone
net.inet.carp.preempt=1 ? - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have re

Re: Problems with netgraph

2008-05-06 Thread David DeSimone
defense, the only symptom that started this was this info from ps: PID USERNAME THR PRI NICE SIZERES STATE C TIME WCPU COMMAND 29 root1 -68- 0K16K CPU5 5 196:41 100.00% em0 taskq So tracking it down to mpd has been a process of elimination in figuri

Re: problems interacting on TCP level with K5JB

2008-04-19 Thread David DeSimone
t was 1217851052). The RST shows that FreeBSD doesn't know what your system is talking about. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential

Re: Frequent pauses with Linux-based router

2008-03-19 Thread David DeSimone
link must use the same settings, either both forced, or both auto. It turns out that speed settings can be reliably detected by the other end of the link, but duplex can NOT. A duplex mismatch is thus a very common condition, and is usually only detected by "slow network response" bei

Re: Frequent pauses with Linux-based router

2008-03-18 Thread David DeSimone
errors. > The pause always seemed to be for packets from the router to the > computer. Yep, whenever the router would try to send, if your end happened to be sending a frame, the router's NIC would stop to avoid the collision, leading to packet loss. This is a classic duplex-mismatch sc

Re: RELENG-7 tcp connectivity problems with certain clients

2008-03-07 Thread David DeSimone
is pointing out some bad checksums in your outgoing packets. Maybe you should try ifconfig -txcsum? - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confiden

Re: Path MTU Problem

2008-03-06 Thread David DeSimone
and src/dest port numbers, as tcpdump shows you. But tcpdump cannot decode past the end of the returned frame, so it shows an error. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been sent, and may contain i

Re: help

2008-01-21 Thread David DeSimone
5.255) > > instead of the usual netmask. > > Surely this configuration will cause all the reply's to be routed out > of re0 without some form of pfil layer manipulation? If both nic's are connected to the same broadcast domain, what difference does it make which nic sends the tra

Re: NATD problem

2008-01-09 Thread David DeSimone
eBSD tools. There is no reason the kernel could not do it; it is just a missing feature in the toolset. Many people argue that Host B should "know" that it should not contact Host A using the external IP. Either a host file, or special internal DNS server, or some other such mechani

Re: Interface address sourced packets go thru default gateway on another interface

2007-11-15 Thread David DeSimone
's not how it works. In the absence of policy-routing options, packets are always routed ONLY by destination address. Binding to a particular interface only sets the source IP that will be attached to the packet, and will influence routing on the *return* trip of any replies. - -- Dav

Re: tcp analysis tool?

2007-10-18 Thread David DeSimone
It will point out (and colorize) tcp packets with bad checksums, as well as retransmitted frames. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential

Re: ftp daemon fails

2007-09-12 Thread David DeSimone
pd): > Socket operation on non-socket Your ftpd is thinking it was launched from inetd, and expected to get a socket on standard input. I think you need to add the -D flag to get a stand-alone daemon. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifte

Re: IPSEC connection drops and doesn't recover

2007-08-01 Thread David DeSimone
rted, you may have some IKE session lifetime discrepancies that you need to work out. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famou

Re: 6.2 mtu now limits size of incomming packet

2007-07-21 Thread David DeSimone
g the problem by getting someone else to fix their network is generally too hard. If MTU == MRU was forced behavior, the viability of this workaround would be removed, one less tool in the toolbag, so to speak. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifteen

Re: 6.2 mtu now limits size of incomming packet

2007-07-20 Thread David DeSimone
why do you want this feature? - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous. -- Robert Benchley -BEGIN PGP SIGNATURE

Re: 6.2 mtu now limits size of incomming packet

2007-07-13 Thread David DeSimone
s not mean "limit what someone else can transmit to me." - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous. -- Robert Ben

Re: kern/112710: [re] if_re driver detects incorrect b243a405a405 MAC address on SMC9452TX-1 pci gigabit cards

2007-07-03 Thread David DeSimone
_eewidth = RL_9346_ADDR_LEN; /* 9346 EEPROM commands */ +#define RL_9346_ADDR_LEN 6 /* 93C46 1K: 128x16 */ +#define RL_9356_ADDR_LEN 8 /* 93C56 2K: 256x16 */ It looks to me like 6 was replaced with 8, and vice versa. In other words, a real bug fix. :) - -- Da

Re: fxp(4) not responding to arp requests (aliases)

2007-07-02 Thread David DeSimone
problem with host2, instead of host1. Also where did this 200.X.Y.7 IP come from? I thought there were only two hosts here. Maybe you could present a more complete description of which host is attempting to send where, and what both hosts see, at the exact same time. - -- David DeSimone == Networ

Re: VLANs and routing

2007-06-15 Thread David DeSimone
case. But a forwarded packet already has a source address, which can be left unchanged. As long as routing is working (ARP is not needed, destination is clear, etc), the intermediate interface need not have an IP. - -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifte

Status of sasyncd for IPSEC?

2007-04-05 Thread David DeSimone
ine that racoon(8) would have to take on that role, and I am curious if any work has been done to facilitate this. If there is any further work needed, I would like to look into completing it, but I don't want to start from scratch unless I have to. Please let me know what info is available.

Re: VPN with FAST_IPSEC and ipsec tools

2006-06-25 Thread David DeSimone
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David DeSimone <[EMAIL PROTECTED]> wrote: > > Hmm... In examining my kernel configuration I found these options: > > options IPSEC > options IPSEC_ESP > options IPSEC_DEBUG > # options IPSE

Re: VPN with FAST_IPSEC and ipsec tools

2006-06-25 Thread David DeSimone
sion of FreeBSD are you using? Hmm... In examining my kernel configuration I found these options: options IPSEC options IPSEC_ESP options IPSEC_DEBUG # options IPSEC_FILTERGIF # options FAST_IPSEC So it appears that I am NOT using FAST_IPSEC. For some reason

Re: VPN with FAST_IPSEC and ipsec tools

2006-06-22 Thread David DeSimone
nel, then magically appears decrypted on the internal interface for the first time. Your firewall will not understand this and will block the traffic unless you add a rule like this: # VPN traffic appears here...? pass out quick on { $INT } to $INT:network keep state So, traffic appear

Re: VPN with FAST_IPSEC and ipsec tools

2006-06-16 Thread David DeSimone
> use GIF running on top of IPSEC _transport_ mode (e.g. those running > routing protocols like OSPF over tunnels) The main reason to use IPSEC tunnel mode and avoid GIF is that such a config is interoperable with other IPSEC implementations (Cisco, Checkpoint, etc), and thus is much more useful

Re: How to force full sync using pfsync?

2006-05-31 Thread David DeSimone
David DeSimone <[EMAIL PROTECTED]> wrote: > > When I reboot one of the cluster members, the state tables do > synchronize and populate with some of the same connection states, but > not all of them. I still have not figured out why this condition comes about. > In particula

How to force full sync using pfsync?

2006-05-26 Thread David DeSimone
ion updates are being sent between the cluster members. There is no "full sync" done at startup. Do I misunderstand? Is there a misconfiguration that can lead to this strange behavior? -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifteen years to discov

Re: IPSEC Interop problem with Cisco using multiple SA's

2006-05-08 Thread David DeSimone
utiple tunnels are now fully operational. Thank you for the help with this! -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous. -- Robert

IPSEC Interop problem with Cisco using multiple SA's

2006-05-08 Thread David DeSimone
nd how the ipsec modules interrelate to the rest of the networking code. Thanks for any assistance you can give. -- David DeSimone == Network Admin == [EMAIL PROTECTED] "It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that