On 2025-01-29, louise9...@gmail.com wrote:
> I have IGMP Snooping enabled on both my access points and my switch. Should I
> disable them or keep them enabled?
IGMP snooping is to reduce the forwarding of multicast frames by
listening to group membership requests and _only_ forwarding mcast
to
I have IGMP Snooping enabled on both my access points and my switch. Should I
disable them or keep them enabled?
Thank you,
Lewis Ingraham
On Sat, Jan 25, 2025 at 10:15:59PM -0800, louise9...@gmail.com wrote:
> Hi thank you for answering! Thanks to your advice I was able to get
> airplay working successfully! However SSDP discovery on the Roku app
> doesn’t seem to be working despite me having enabled it as well as
> communication fro
Hi thank you for answering! Thanks to your advice I was able to get airplay
working successfully! However SSDP discovery on the Roku app doesn’t seem to be
working despite me having enabled it as well as communication from the networks
on the needed ports for the Rokus to be recognized in the Ro
louise9...@gmail.com wrote:
> Hi I have a firewall that I’m trying to get working with mdns across
> different vlans. Chrome on the main network(ix0:network) doesn’t even pick up
> the chromecast and I have tried to allow MDNS as well as setting up openmdns
> but it still doesn’t
Hi I have a firewall that I’m trying to get working with mdns across different
vlans. Chrome on the main network(ix0:network) doesn’t even pick up the
chromecast and I have tried to allow MDNS as well as setting up openmdns but it
still doesn’t work. On the IOS Devices(vlan2) AirPlay correctly
On 24/11/11 10:13AM, Peter N. M. Hansteen wrote:
> or with G's trackers
That's where ungoogled-chromium (thankfully available as an official
package in OpenBSD) with uMatrix[1] addon come in handy.
[1]: https://github.com/gorhill/uMatrix
On Mon, Nov 11, 2024 at 08:37:13AM +, Richard Bostrom wrote:
> I would like to build a music server using samba, minidlna, navidrome, maybe
> jellyfin.
> I need to know the simple firewall rules to open up the firewall for inbound
> traffic for samba, jellyfin etc.
>
> I
Sirs and ladies.
I would like to build a music server using samba, minidlna, navidrome, maybe
jellyfin.
I need to know the simple firewall rules to open up the firewall for inbound
traffic for samba, jellyfin etc.
I am used to ufw. I don't know the pf commands. Grateful for any help.
I was able to configure /32 for ipv4.
in the example below, I use vlan10 and a private address for testing.
Each host is separated using PVLAN.
On the openbsd (router) side, I just do
ifconfig vlan10 inet 172.16.216.1/32
route add -inet 172.16.216.0/24 -llinfo -link -static -iface vlan10
On
On Sat, Sep 28, 2024 at 01:24:46PM -, Stuart Henderson wrote:
> On 2024-09-28, Nicolas Goy wrote:
> > On Fri Sep 27, 2024 at 5:45 AM CEST, David Gwynne wrote:
> >>
> >> using a /32 on each host with a single shared gateway ip for the
> >> subnet should work too. the config on the protected hos
On 2024-09-28, Nicolas Goy wrote:
> On Fri Sep 27, 2024 at 5:45 AM CEST, David Gwynne wrote:
>>
>> using a /32 on each host with a single shared gateway ip for the
>> subnet should work too. the config on the protected host side sounded
>> fiddly though, especially if you have multiple hosts on pr
ver) and set up carp on it, and it works.
>
> the only problem is if you want the hosts to be able to talk to
> each other. in that situation you'll want to steer all the traffic to
> the firewalls.
Yes, I'd like to apply the "normal" firewall rules to this traffic
On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> Hello,
>
> I want to use OpenBSD as firewall for a configuration where every host is
> isolated.
cool.
> For example, let's say I have 1.0.0.0/24 subnet and 2000::/56 subnet.
>
> I want each host to have
er host) and allow firewall rules between hosts. The Ipv6 part is easier to
> manage as I can spawn as many subnet as I want.
>
> And the reason is that the hosts are untrusted and must be firewalled between
> them, so I need layer 2 isolation.
If the total number of hosts (virtual or
On 9/26/24 15:44, Nicolas Goy wrote:
[trimmed]
I might not have been clear enough, the 1.0.0.0/24 example is a public /24
routable network, not a 10.0.0.0/8 network.
What I want is to be able to use as much of this network as possible (here 2 ip
per host) and allow firewall rules between hosts
On Thu Sep 26, 2024 at 8:57 PM CEST, Peter N. M. Hansteen wrote:
> On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> > Hello,
> >
> > I want to use OpenBSD as firewall for a configuration where every host is
> > isolated.
> >
> > For example,
On Thu, Sep 26, 2024 at 07:21:38PM +0200, Nicolas Goy wrote:
> Hello,
>
> I want to use OpenBSD as firewall for a configuration where every host is
> isolated.
>
> For example, let's say I have 1.0.0.0/24 subnet and 2000::/56 subnet.
>
> I want each host to have a
Hello,
I want to use OpenBSD as firewall for a configuration where every host is
isolated.
For example, let's say I have 1.0.0.0/24 subnet and 2000::/56 subnet.
I want each host to have a single ip for ipv4, and a /64 for ipv6.
On the layer 2 side, I can configure a single VLAN for each
the woods, and apparently I can get
10 Gbit/s there. My good old APU4 firewall is barely keeping up with
100 Mbit/s so I need to look for an alternative.
It won't do 10Gbps but you should be able to do significantly better
than 100Mbps
My APU4C4 seems to have no trouble routing/filtering
> On 24 Aug 2024, at 10:23, jslee wrote:
>
> Hi,
>
> On Sat, 24 Aug 2024, at 09:15, Anders Andersson wrote:
>> I bought an 85 year old house in the woods, and apparently I can get 10
>> Gbit/s there. My good old APU4 firewall is barely keeping up with 100 Mbit/s
On Sat, 24 Aug 2024 01:15:53 +0200
Anders Andersson wrote:
> I bought an 85 year old house in the woods, and apparently I can get
> 10 Gbit/s there. My good old APU4 firewall is barely keeping up with
> 100 Mbit/s so I need to look for an alternative.
>
> My goal is an OpenBSD
Hi,
On Sat, 24 Aug 2024, at 09:15, Anders Andersson wrote:
> I bought an 85 year old house in the woods, and apparently I can get 10
> Gbit/s there. My good old APU4 firewall is barely keeping up with 100 Mbit/s
> so I need to look for an alternative.
It won't do 10Gbps but you
I bought an 85 year old house in the woods, and apparently I can get 10
Gbit/s there. My good old APU4 firewall is barely keeping up with 100
Mbit/s so I need to look for an alternative.
My goal is an OpenBSD firewall/router that can do the packet filtering and
some VLAN and routing without
u want and FORGET ABOUT interface 1,
> and then 2 for admin, and 3 for nas, etc.
>
> What is it that you want to do and go from there.
>
> Define your needs and then address them ONE by ONE.
>
> Fix one, test and then go to the next one.
>
> And FORGET ABOUT BRIDGE SETUP
en go to the next one.
And FORGET ABOUT BRIDGE SETUP PLEASE!!!
You have absolutely NO need for this with what you say so far in any of
your communications.
Example of thinking.
I see you try to use MANY macros, do you really need that? It's supposed
to be to make things simpler
This is my dmesg, if anyone is interested:
OpenBSD 7.4 (GENERIC.MP) #3: Wed Feb 28 06:23:33 MST 2024
r...@syspatch-74-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4047122432 (3859MB)
avail mem = 3904729088 (3723MB)
random: good seed from bootblocks
mpath0 at root
scs
want
to hurt anyone.
Second, the firewall. This is set up as a bridge with the following
hardware:
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
The Ethernet connections ETH1 ... ETH4 are translated by OpenBSD to igc0
... igc3. Connection igc0 is the input that goe
; status: no carrier
>
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip igc2
> up
>
> /etc/hostname.igc0:
> up
>
> /etc/hostname.igc1:
> up
>
> /etc/hostname.igc2:
> up
>
Either Stuart is right, and
I give up.
The obviously incomplete, hand edited ifconfig output shows three
interfaces that are (or appear to be, judging from the excerpts that
we are given) not configured with IP addresses, two of which
have a link, while the last does not.
For reasons unknown these three are joined in a thre
On 2024-04-15, Karel Lucas wrote:
> /etc/hostname.bridge0:
> add igc0 add igc1 add igc2 blocknonip igc0 blocknonip igc1 blocknonip
> igc2 up
bridging with PF is an advanced topic, please get familiar with PF on a standard
routed firewall first
--
Please keep replies on the mailing list.
On 15-04-2024 at 22:20, Peter N. M. Hansteen wrote:
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
That's a possibility I hadn't thought of yet. But how do I do that, and
on which page can I find that in your book?
On 15-04-2024 at 22:17, Peter N. M. Hansteen wrote:
The other option - if your network layout is such that it makes
sense to treat them to the same rule criteria - would be to ma
On 14-04-2024 at 21:57, Jens Kaiser wrote:
Hello Karel,
if you want to start simply, then I would recommend to remove all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are sy
On Mon, Apr 15, 2024 at 10:09:31PM +0200, Karel Lucas wrote:
> This gives the following error messages when booting:
> no IP address found for igc1:network
> /etc/pf.conf:41: could not parse host specification
> no IP address found for igc2:network
> /etc/pf.conf:42: could not parse host specificat
On Mon, Apr 15, 2024 at 10:01:59PM +0200, Karel Lucas wrote:
> They both give a syntax error by booting.
>
> On 14-04-2024 at 17:45, Zé Loff wrote:
> > pass in on $int_if proto udp to port 53
> > pass in on $int_if proto udp to $nameservers port 53
You're not giving us a lot to work wi
This gives the following error messages when booting:
no IP address found for igc1:network
/etc/pf.conf:41: could not parse host specification
no IP address found for igc2:network
/etc/pf.conf:42: could not parse host specification
On 14-04-2024 at 19:59, Peter N. M. Hansteen wrote:
On Sun, Ap
They both give a syntax error by booting.
On 14-04-2024 at 17:45, Zé Loff wrote:
pass in on $int_if proto udp to port 53
pass in on $int_if proto udp to $nameservers port 53
I'm a long time network engineer/firewall admin/make things work on our network
when it is broken.
First, ICMP Echo Request ( "ping" ) works, you proved that when you sent an
Echo Request to a host using its IP address. The fact that DNS host
resolution fails has nothing
> On Apr 14, 2024, at 08:09, Karel Lucas wrote:
>
> Hi all,
Hi.
> So let's start simple and then proceed step by step. I want to continue with
> ping so that I can test the connection to the internet. This works: ping -c
> 10 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. A
Hello Karel,
if you want to start simply, then I would recommend to remove all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loade
On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the inter
There is a typo on the second line of the martians definition (spurious comma
and space).
Michael
> On Apr 14, 2024, at 11:09, Karel Lucas wrote:
>
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is
> appreciated. So let's start simple and then procee
o do that. What else do I need to get ping
> to work correctly?
You are blocking everything by default, with the "block log all" on top
of your ruleset. This means that _everything_ needs to be explicitly
allowed in and out of your firewall.
If you want to resolve hostnames, you
53.207: icmp: echo
> request
> ...
>
> output from "pfctl -sr -R 4":
> pass log inet proto icmp all icmp-type echoreq
CAVEAT: I assume that 17.253.53.207 is NOT the address of igc0, and that
you are trying to ping a host on the internet. If this is not true
(i.e. if you are ping
Hi all,
Everything about PF is all very confusing to me at the moment, so any
help is appreciated. So let's start simple and then proceed step by
step. I want to continue with ping so that I can test the connection to
the internet. This works: ping -c 10 195.121.1.34. But this doesn't
work: p
# for IPv4
pass in on $ext_if inet6 proto udp to port 33433:33626 # for IPv6
pass log out on $ext_if inet6 proto udp to port 33433:33626 # for IPv6
Your final four rules (for traceroute) only apply to the $ext_if, so I
am assuming you are trying to traceroute _from_ the firewall itself to
some
This makes no difference.
On 13-04-2024 at 22:06, Peter J. Philipp wrote:
On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:
What should I add then, considering my PF ruleset? To be honest, all of this
is very unclear to me at the moment, so any help is appreciated.
How about:
pass
What should I add to get it working?
On 13-04-2024 at 02:39, Alexis wrote:
Karel Lucas writes:
Ping only works partially. For example, this works: ping -c 10
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I
suspect this has to do with DNS servers, but I don't know where to
On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:
> What should I add then, considering my PF ruleset? To be honest, all of this
> is very unclear to me at the moment, so any help is appreciated.
How about:
pass out inet proto { tcp, udp } from any to any port { 53, 853 } keep state
What should I add then, considering my PF ruleset? To be honest, all of
this is very unclear to me at the moment, so any help is appreciated.
On 13-04-2024 at 02:39, Alexis wrote:
Karel Lucas writes:
Ping only works partially. For example, this works: ping -c 10
195.121.1.34. But this doe
w.apple.com. I suspect
> > this has to do with DNS servers, but I don't know where to start
> > troubleshooting. Can someone help me?
>
> If the below pf.conf is your total firewall config, then you are only
> letting icmp through, and not DNS queries.
> Perhaps you mea
lp) and see which rule the traceroute packets hit.
> Adapt and extend your pf.conf accordingly to allow the traffic you
> want to let through.
"match log(matches)", perhaps with an ip/proto/port restriction if the
other traffic is too noisy, is good for diagnosing firewall rules
On Fri, 12 Apr 2024 at 20:22, Karel Lucas wrote:
> Traceroute still won't work.
> Can
> anyone give me some starting points here?
Put "log" on all your block/pass rules, read the logs (man pflog for
help) and see which rule the traceroute packets hit.
Adapt and extend your pf.conf accordingly to
start
> troubleshooting. Can someone help me?
If the below pf.conf is your total firewall config, then you are only
letting icmp through, and not DNS queries.
Perhaps you meant to use the "client_out" macro for a pass rule and forgot it?
> /etc/pf.conf:
>
> ext_if = igc0
Karel Lucas writes:
Ping only works partially. For example, this works: ping -c 10
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I
suspect this has to do with DNS servers, but I don't know where
to start troubleshooting.
Indeed, you appear to have no rules allowing outgoi
On 2024-04-12 13:04, Karel Lucas wrote:
Hi all,
Traceroute still won't work. I'm playing around with the rules and
wondering what's right and what's wrong with the traceroute rules. Can
anyone give me some starting points here?
Start with: tcpdump -nettti pflog0. Adjust to suit your needs
pass in on $ext_if inet proto udp to port 33433:33626 # for IPv4
> pass log out on $ext_if inet proto udp to port 33433:33626 # for IPv4
> pass in on $ext_if inet6 proto udp to port 33433:33626 # for IPv6
> pass log out on $ext_if inet6 proto udp to port 33433:33626 # for IPv
Hi all,
Traceroute still won't work. I'm playing around with the rules and
wondering what's right and what's wrong with the traceroute rules. Can
anyone give me some starting points here?
/etc/pf.conf:
ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }" # Intern i
Hi all,
Ping only works partially. For example, this works: ping -c 10
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect
this has to do with DNS servers, but I don't know where to start
troubleshooting. Can someone help me?
/etc/pf.conf:
ext_if = igc0
On Thu, Apr 11, 2024 at 07:45:18PM +0200, Karel Lucas wrote:
> The typos have been fixed, and PF's ruleset will be put under a magnifying
> glass.
This is a bit of a personal preference, but (assuming you trust any
traffic generated on the firewall itself), I find it helpful to
PF's ruleset will be put under a magnifying glass.
On 11-04-2024 at 11:09, Peter N. M. Hansteen wrote:
On Thu, Apr 11, 2024 at 09:34:15AM +0100, Zé Loff wrote:
pass log out on egress inet proto udp to port 33433:33626 # for IPv4
pass log out on egress inet6 proto udp to port 33433:33626 # for
The typos have been fixed, and PF's ruleset will be put under a
magnifying glass.
On 11-04-2024 at 10:34, Zé Loff wrote:
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
Hi all,
With the new firewall I am setting up I cannot connect to the internet. That
starts with trace
I do get the following error message: sysctl: toplevel name net/inet6 in
net/inet6.ip6.forwarding is invalid
On 11-04-2024 at 09:49, Peter N. M. Hansteen wrote:
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
With the new firewall I am setting up I cannot connect to the internet
ved. I'm going to apply a "step by step"
approach to the rules in pf.conf.
On 11-04-2024 at 09:49, Peter N. M. Hansteen wrote:
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
With the new firewall I am setting up I cannot connect to the internet. That
starts wit
On Thu, Apr 11, 2024 at 09:34:15AM +0100, Zé Loff wrote:
> > pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> > pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> >
> > pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
> > to port $
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> Hi all,
>
> With the new firewall I am setting up I cannot connect to the internet. That
> starts with traceroute, so let's start there. Ping works fine. Below I have
> listed my pf.conf file.
>
>
>
On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
>
> With the new firewall I am setting up I cannot connect to the internet. That
> starts with traceroute, so let's start there. Ping works fine. Below I have
> listed my pf.conf file.
This sounds like you have a link
Hi all,
With the new firewall I am setting up I cannot connect to the internet.
That starts with traceroute, so let's start there. Ping works fine.
Below I have listed my pf.conf file.
/etc/pf.conf:
ext_if = igc0 # Extern interface
int_if = "{ igc1, igc2 }"
On Wed, Apr 10, 2024 at 11:01:18PM +0200, Peter N. M. Hansteen wrote:
> Another gentle introduction can be found in the latest PF tutorial,
> the slides for the AsiaBSDCon 2024 version can be found as
> https://nxdomain.no/~peter/pf_asiabsdcon2024.pdf which in turn has
> references to various usefu
ant to make my own BSD/PF firewall/router.
The Book of PF was meant to be accessible to people with only basic
networking knowledge, but anyway -
I'd start with the official PF user guide at
https://www.openbsd.org/faq/pf/index.html
and look up the relevant man pages.
Another gentle intro
loaded.
>> How about showing what you did, showing the actual error messages so
>> people here can actually help you? Just saying "it does not work" does
>> not get you anywhere.
>>
>> -Otto
>>> On 09-04-2024 at 08:53, Peter N. M. Hansteen wrote:
08:39:08AM +0200, Karel Lucas
wrote:
Hi all, For the first time I tested my new
firewall with ping, and it is blocked. I don't
know what the reason is, you can find the
information b
In /etc/pf.conf:
table <martians> persist file "/etc/martians"
In /etc/martians:
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
169.254.0.0/16
192.0.2.0/24
0.0.0.0/8
240.0.0.0/4
On 09-04-2024 at 16:06, Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
I defin
The example I'm referring to is how to define a table (page 42), and I
applied that to the martians example (page 91).
On 09-04-2024 at 16:06, Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
I defined the table as stated in your book (3rd edition, page
On Apr 09 08:39, Karel Lucas wrote:
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4,
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46,
I can assure you that I did not use capital letters in the macro names,
and used the '<' and '>'.
On 09-04-2024 at 11:58, Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
I defined the table as stated in your book (3rd edition, page 42). However,
that g
I managed to get ping through. The error was the "log" words in the
lines. But this is just the beginning. Now I have another problem with
traceroute, as well as with all the normal internet traffic that has to
go through it. In the traceroute rules I replaced "$ext_if" with
"egress", but that
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46,
howing the actual error messages so
people here can actually help you? Just saying "it does not work" does
not get you anywhere.
-Otto
On 09-04-2024 at 08:53, Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
Hi all,
For the first time I
M. Hansteen:
> > On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> > > Hi all,
> > >
> > > For the first time I tested my new firewall with ping, and it is blocked.
> > > I
> > > don't know what the reason is, you can find the
4 at 08:53, Peter N. M. Hansteen wrote:
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
Hi all,
For the first time I tested my new firewall with ping, and it is blocked. I
don't know what the reason is, you can find the information below. I have a
network with only regular
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
>
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no serv
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
>
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no serv
Hi all,
For the first time I tested my new firewall with ping, and it is
blocked. I don't know what the reason is, you can find the information
below. I have a network with only regular clients, so no servers. I'm
still using OpenBSD V7.4, and will upgrade once the firewall is up an
On 4/3/24 18:19, Karel Lucas wrote:
I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Furthermore, I
would like to use ETH4 for the update/upgrade of the firewall. Remove
the connection from ETH1, plug it into ETH4, and update/upgrade. Then
the
On 4/3/24 12:19, Karel Lucas wrote:
Hi all,
I am creating a bridging firewall with OpenBSD and the following
hardware:
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
OpenBSD is already installed. I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for
On Wed, Apr 03, 2024 at 06:19:29PM +0200, Karel Lucas wrote:
> Hi all,
>
> I am creating a bridging firewall with OpenBSD and the following hardware:
> https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
> OpenBSD is already installed. I want to use ETH1 fo
Hi all,
I am creating a bridging firewall with OpenBSD and the following
hardware:
https://www.amazon.nl/dp/B0B6J89MXJ?ref=ppx_pop_dt_b_asin_image&th=1.
OpenBSD is already installed. I want to use ETH1 for the input from my
ADSL modem, ETH2 and ETH3 for the output to my network. Further
r and slightly
> > varying results. guess i should go back and test ix with LRO off on
> > the pf box.
>
> Sorry, I don't get your problem. You changed your firewall NICs from
> ix(4) to mcx(4) and the throughput got slower? Or, the speed is varying
> between 0.9 gbps
> the pf box.
Sorry, I don't get your problem. You changed your firewall NICs from
ix(4) to mcx(4) and the throughput got slower? Or, the speed is varying
between 0.9 gbps and 1.0 gbps?
huh, after i migrated nat fw from 82599 (ix) with LRO on (default) to
a CX4121A (mcx) flashed to latest nvidia firmware and now i'm getting
900mbps on single tcp throughput (endpoints still using lro on
em and ix) and very consistently getting close to the full 1gbps
throughput on single tcp conne
On Wed, Dec 20, 2023 at 12:23:31AM +0100, Karel Lucas wrote:
>Dear Mr. Henderson,
>
>From your answer I understand that to use the ntp daemon the interfaces still
>need an IP address. Unfortunately, a GPS unit is not available or desirable,
>so it seems to me that I will have to do it without a cal
On Tue, 19 Dec 2023 at 23:57, Karel Lucas wrote:
>
> Hi all,
>
> I am creating a bridging firewall, and am wondering if it is possible to
> use the ntp daemon to ensure that all log files are timed correctly. Is
> there a way to achieve that despite the fact that the network
at 00:04, Stuart Henderson wrote:
On 2023-12-19, Karel Lucas wrote:
Hi all,
I am creating a bridging firewall, and am wondering if it is possible to
use the ntp daemon to ensure that all log files are timed correctly. Is
there a way to achieve that despite the fact that the network
connections
On 2023-12-19, Karel Lucas wrote:
>
> Hi all,
>
> I am creating a bridging firewall, and am wondering if it is possible to
> use the ntp daemon to ensure that all log files are timed correctly. Is
> there a way to achieve that despite the fact that the network
> connecti
Hi all,
I am creating a bridging firewall, and am wondering if it is possible to
use the ntp daemon to ensure that all log files are timed correctly. Is
there a way to achieve that despite the fact that the network
connections do not have an IP address?
Hello!
Please advise me hardware for an OpenBSD firewall:
- 8 gigabit ethernet interfaces,
- >= 4 Gbps throughput.
Thanks,
Alexei
> 2. You also pointed out that ICMPv4 wasn’t getting through. In my case ICMPv6
> won’t get out either from my internal networks. Literally nothing from
> internal networks gets out except icmpv4 to gateway, icmp from internal lan
> to internal lan, icmp from internal lan t