forts (believe me I
would if I could!)..
Thanks for your time and a great community. Andy.
understand there are some huge technical challenges
associated with developing an SMP kernel without undermining the security,
but how is progress coming along?
Andy (An OBSD fanboy! ;)
On Wed, 15 May 2013 11:53:18 +0200, Peter Hessler
wrote:
> On 2013 May 15 (Wed) at 10:29:24 +0100 (+0100), andy wr
OBSD :)
Humbly yours, Andy.
On Wed, 15 May 2013 12:01:08 +0200, Peter Hessler
wrote:
> On 2013 May 15 (Wed) at 10:29:24 +0100 (+0100), andy wrote:
> :I run 12 OpenBSD firewalls, and I have an issue on my highest throughput
> :boxes. I have HP DL160 G6 boxes with Intel ET2 4 port NIC
be more closely
coupled with OpenBSD development?
Thank you in advance for your time.
Kind regards, Andy.
te a BGP domain in BIRD on those primary
DC firewalls.
Thank you for reading this far, I hope this all clear. And thanks again
for your thoughts and ideas, they are greatly appreciated.
Humbly yours, Andrew Lemin
On Thu, 16 May 2013 22:15:40 +0000 (UTC), Stuart Henderson
wrote:
> On 2013-05-16,
me luck and thank you everyone for all your comments! :)
Andrew Lemin
On Sat, 18 May 2013 22:33:21 +0100, Stuart Henderson
wrote:
> On 2013/05/18 18:10, andy wrote:
>> Hi,
>> Sorry for the slow reply, have just got back home from the RIPE 66
>> conference in Dublin. Which
I had a similar problem when writing my own rc.d start script for Snort
(compiled instead of package version), and it turned out to be because
the rc.d script did not implicitly include the variables in
'rc.conf.local' and 'rc.conf' any more.
So I just added the following to the top of the rc.d s
Hi,
We're really looking forward to improvements in ALTQ too.
And we are /really/ hoping that the queues can either be shared across
interfaces (so your WAN downstream bandwidth doesn't have to be sliced
up and divided up across all the internal interfaces), or that you can
create queues on th
to say
more about HFSC best practices or anything else if anyone is interested.
Thanks for your time and reading this far, Andrew Lemin
On 03/06/13 17:43, Chris Cappuccio wrote:
Andy [a...@brandwatch.com] wrote:
Hi,
We're really looking forward to improvements in ALTQ too.
And we are
Hi Stuart,
On 04/06/13 09:32, Stuart Henderson wrote:
On 2013-06-03, Chris Cappuccio wrote:
Andy [a...@brandwatch.com] wrote:
Hi,
We're really looking forward to improvements in ALTQ too.
And we are /really/ hoping that the queues can either be shared across
interfaces (so you
does
'ifconfig' and 'route show' provide during the problem?
These might help give you clues.
Andy
On 10/06/13 22:20, Jason Wong wrote:
Been having some strange issues with a system recently upgraded to 5.3.
Previously this computer was running OpenBSD 5.1, and was rock soli
Sounds like a BGP issue somewhere maybe if some can and some can't ;)
From the UK (which works);
host www.openbsd.org => 129.128.5.194
whois 129.128.5.194 => ASN 3359
A quick check on http://visibility.it.uc3m.es shows ASN 3359 does have
some limited visibility prefixes, but not one including
rtion 0 0.00
limit counter overload flush states 0 0.00
Thanks for your time and reading this far :)
Kind regards, Andrew Lemin
On Wed 26 Jun 2013 11:32:18 BST, Henning Brauer wrote:
> * andy [2013-05-15 11:31]:
>> I run 12 OpenBSD firewalls, and I have a
Thank you, this clarification is important to know that it is nothing I
am doing that is damaging performance.
Bigger hardware it is then :)
Andy.
On Fri 28 Jun 2013 07:55:21 BST, Peter Hessler wrote:
On 2013 Jun 26 (Wed) at 17:06:09 +0100 (+0100), Andy wrote:
:Someone did previously (and
Hi misc,
We have what should be a simple VPN routing issue but I can't figure out
what to do with the IPSec config. We have many remote office firewalls
with IPSec tunnels linking to our head office (hub and spoke topology),
each defining Phase 2 policies mapping the remote internal networks t
Hi, Yes that does work and is the problem as mentioned, but I don't
know how to change the source address for the 'netcat' command payload?
Ping was just a test to see what is going on..
Cheers, Andy.
On Thu 04 Jul 2013 14:08:41 BST, Anders Berggren wrote:
When I try
PS; It's also not limited to netcat (if it were I would just use the -s
switch on netcat)..
I have other daemons on the remote firewalls that I need to also 'phone
home', and so I believe I need to do it by either changing/adding the
VPN policies or packet mangling with PF..
I'd rather not ha
oint encryption. It would probably work, because unlike IPsec
flows, it's not "source routed".
Ah ha!!! Of course!! Thank you :D
Andy.
I don't know why, but for some reason it just didn't occur to me that
doing that would set the source IP but of course it would. Hand -> Face
slap! ;)
Thanks :)
On Fri 05 Jul 2013 11:51:39 BST, Todd T. Fries wrote:
Penned by Andy on 20130704 9:25.40, we have:
| On Thu 04 Jul
Hi,
I use 'puppet' for this to manage over 20 OpenBSD firewalls now.
I don't know how I would manage without it to be honest ;)
Puppet manages all my pf's (by simply defining multiple files, each
containing different common parts for different zones/roles etc, and
then site specific files etc.
mate tests on them.
>>
>> That works fine at work (PF + cisco + checkpoint), but there are some
>> limitations (see the doc...)
>>
>> My next step is a tool to managed security policies. I mean if someone
>> asks to open a port, we should be able to track this
e which is
screwing with our VoIP traffic :(
Does anyone know of how I can view the pflow or even just the states for
/all/ traffic in just one queue?
Thanks in advance, Andy.
I remember..
Thanks, Andy.
On Tue 16 Jul 2013 16:43:44 BST, Stuart Henderson wrote:
On 2013-07-16, Peter N. M. Hansteen wrote:
Andy writes:
I have an issue where one of my 'real-time' queues is much busier than
it should be. I suspect that someone is running something on the
network
Hi,
Others have discussed our problem but I cannot see that this has been
implemented (I cannot find a man page referring to this).
http://openbsd.7691.n7.nabble.com/carp-init-delay-td226187.html
I.e. When a firewall boots up, the connected switch port starts STP and
is initially blocked, causing
at), plugging it back in
results in double master and thus it takes over! :(
A CARP INIT pause seems like the obvious solution..
Thanks for your thoughts :)
Andy.
On Thu 18 Jul 2013 12:34:11 BST, Andy wrote:
Hi,
Others have discussed our problem but I cannot see that this has been
implemen
If you happen to have the code base nearby I would really appreciate so
much if you could throw a sleep in after CARP moves to INIT.
Thanks everyone,
Andy.
On Thu 18 Jul 2013 13:04:01 BST, Andy wrote:
Ok, sadly adding the !sleep 5 is not helping and made it even worse :(
E.g. the reboot
Hi,
I hope this is helpful to someone else and maybe a dev could add this
solution (or an improvement thereof) into the code as standard.
- I found an issue with IPSec and OpenBSD with CARP during fail-over,
whereby a fail over with the default recommended set-up results in
broken IPSec tunn
nly a problem in
some locations) where they won't enable port fast/configure as static
access ports.
Andy.
On Mon 22 Jul 2013 12:44:08 BST, Marko Cupać wrote:
On Mon, 22 Jul 2013 12:12:30 +0100
Andy wrote:
I.e. When a firewall boots up, the connected switch port starts STP and
is initially bl
ather than have an unstable set-up.
Thanks for letting me know.
Andy.
On Mon 22 Jul 2013 13:46:35 BST, Camiel Dobbelaar wrote:
On 7/22/13 1:12 PM, Andy wrote:
I messed up and added '!sleep 5' to the hostname.carp instead of the
physical interface..
None the less I'm surprised
ce 'hostname.if', and then adding
sleep 120
ifconfig -g carp -carpdemote 3
ifconfig -g pfsync -carpdemote 3
NB; There are 3 physical interfaces (INT, EXT, and PFSYNC's physical
interface).
Completely stabilises a flapping pfsync interface during reboots :)
Cheers, Andy.
On 22/07/13
l
taking over when a cable is plugged back in/WAN provider
resets/kills/asserts/misconfigures one of their WAN switches (we have
redundant connections across their switch fabric).
Cheers, Andy.
On 23/07/13 10:34, Henning Brauer wrote:
* Andy [2013-07-22 13:14]:
None the less I'm surprised t
That would be really useful :)
One of the things that made it hard to debug was logging. I tried all
the net.inet.carp.log levels ;)
Andy.
On Tue 23 Jul 2013 17:00:58 BST, Theo de Raadt wrote:
I agree, that's why I spent a long time trying to get all the switches
configured correctly
kernel lock, and reworking ALTQ and PF to name our worst and most
serious pain points than have them work on stuff that we can easily
'work around'.. :)
Andy
On Tue 13 Aug 2013 12:52:02 BST, Nick Holland wrote:
On 08/13/13 07:13, Marian Hettwer wrote:
...
This is sad :-/ For any mass
On Mon, 26 Aug 2013 14:24:12 -0400, Andres Chavez
wrote:
> Hi, can anyone tell me the best or at least the most used real time
> bandwidth monitoring tool, when using the PF+ALTQ solution please?
>
> thanks in advance.
We use Graphite for the display of data received by statsd, we then run
the fo
This is a question with many solutions, each with their own benefits and
disadvantages and is a subject of some history.
If you are connecting two servers directly together without using a switch
in-between them, then round-robin is for you.
However if you need to have switches in the mix there a
ng IPv6 with OpenBSD's pf (packet
filter)".
Thanks for your time, Andy.
PS; I don't have MLD capable switches in all locations if that is a
factor here regarding CARP messages being via IPv6 Multicast.
On Thu 29 Aug 2013 15:57:29 BST, Andy wrote:
Hi everyone,
I'm hoping someone can help me as I'm not having much luck with adding
IPv6 to the mix
Thanks, I'll give that a try.
I have got it working with separate CARP interfaces for v4 and v6 but
was hoping to have it working under one interface.
Cheers, Andy.
On Thu 29 Aug 2013 17:13:37 BST, Loïc Blot wrote:
Hello Andy,
here is one of my working configuration (OpenBSD 5.2)
On Thu 29 Aug 2013 18:37:53 BST, Todd T. Fries wrote:
Penned by Andy on 20130829 9:57.29, we have:
| Hi everyone,
|
| I'm hoping someone can help me as I'm not having much luck with adding
| IPv6 to the mix of our already working IPv4 setup.
|
| What should /etc/hostname.carpX look l
On 29/08/13 18:37, Todd T. Fries wrote:
Penned by Andy on 20130829 9:57.29, we have:
| Hi everyone,
|
| I'm hoping someone can help me as I'm not having much luck with adding
| IPv6 to the mix of our already working IPv4 setup.
|
| What should /etc/hostname.carpX look like for an IPv6
on Cisco;
interface GigabitEthernet0/0/1
ip address 18.2.32.1 255.255.255.0
ipv6 address a00:7e0::1/64
ipv6 unicast-routing
Cheers, Andy.
On 30/08/13 11:18, Stefan Sperling wrote:
On Fri, Aug 30, 2013 at 10:08:56AM +0100, Andy wrote:
Hi guys,
Adding the inet6 as an alias didn't work fo
and
speed(does it improve the speed of CARP setup/detection etc)?
Thanks for your help :) Andy
On Sat 31 Aug 2013 23:25:12 BST, Stuart Henderson wrote:
On 2013-08-30, Andy wrote:
cat /etc/hostname.carp0
inet 18.2.32.10 255.255.255.0 18.2.32.255
inet6 a00:7e0::a 64
carpdev em0 carppeer 18.2.32.1
e has had some great success with for a reasonable price
(~2,000 GBP)?
Thanks for your time and I'm sorry for bringing this question up again,
but hardware changes regularly and I greatly value the opinions of
others on this list.
Regards, Andy.
as chatting to
Theo briefly a few weeks back and he said I should ask for the code but
I cannot remember who in the team he said I should message for this?
I'm not a coder but I'm happy to contribute as and where I can :)
Andy.
On Mon 02 Sep 2013 13:02:42 BST, Kenneth R Westerback wrote:
will be our WAN edge), and so to add active-active CARP load
balancing could prove very problematic??? Anyone with any experience on BGP
and OSPF with active-active?
Cheers, andy.
>
> On 09/02/2013 09:53 AM, Andy wrote:
>> If only you could 'buy' more time or make days
6) up stream, OSPFv4 up,
OSPFv6 up and down, and CARP (v4 and v6) up and down.. (I.e, RFC1918
internally so v4 with NAT, but v6 fully routed).
All this considered I think we should stick with active-backup.
Andy
>
>
> 2013/9/4 andy
>
>> On Mon, 02 Sep 2013 09:56:46 -0400,
should the first inet6 have an 'alias'
when it is not an alias address to the v4 address?
Sorry to obsess about the details on this but want to get this completely
correct in the eyes of the developers?
Cheers, Andy.
On Sun, 01 Sep 2013 13:55:27 +0100, Andy wrote:
> Hi Stuart, yea I rea
On 04/09/13 21:33, Todd T. Fries wrote:
Penned by andy on 20130904 15:21.22, we have:
| Hi, one last question.
|
| I am reading through lots of examples and documentation on OpenBSD and v6
| and most seem to refer to adding the v6 address to /etc/hostname.X as an
| 'alias', e.g.;
| ine
paper/bh-usa-07-ortega-WP.pdf
Cheers, Andy.
rg/errata40.html
On Sat, Sep 7, 2013 at 8:13 AM, andy wrote:
Hi everyone,
I have a feeling that I may get some strong opinions on this question, so
please don't flame me or anything, I'm asking because I don't know.
Does this document still hold any truth with current OpenBSD;
I love Henning's slides ;)
On Tue 10 Sep 2013 08:29:12 BST, Peter N. M. Hansteen wrote:
On Tue, Sep 10, 2013 at 11:17:58AM +0400, ?? ?? wrote:
where can I read more about "set prio" in pf?
man pf.conf tends to be the best source, you could also browse
http://home.nuug.no/~peter/pf/ne
PS; Thanks for your great work Henning (and others of course). Hoping
and keeping fingers crossed the new subsystem will make it into 5.4 :)
Andy
On 10/09/13 08:29, Peter N. M. Hansteen wrote:
On Tue, Sep 10, 2013 at 11:17:58AM +0400, ?? ?? wrote:
where can I read more about "
Ah I feared as much as it's so close to the 5.4 release date.
"Good things come to those who wait"
Thanks, Andy
On Tue 10 Sep 2013 10:47:18 BST, Peter N. M. Hansteen wrote:
On Tue, Sep 10, 2013 at 10:37:17AM +0100, Andy wrote:
PS; Thanks for your great work Henning (and others
use
the
local hostname as the identity of the local peer, if not
specified
by the srcid parameter."
Dynamic is required to negotiate PFS with the other side I believe.
Cheers, Andy
On Thu 12 Sep 2013 08:07:55 BST, Janne Johansson wrote:
You are going to see (if you
g cards which have the '82599ES' controller.
Quite excited at the thought of building a 3.5GHz Ivy Bridge-EP based
10GBit OpenBSD firewall with DDR3-1866MHz RAM :)
Planning to test Henning's new ALTQ subsystem diff on OpenBSD 5.4 with
this hardware :D
Thanks, Andy.
On Tue 17 Sep 2013 08:58:12 BST, Peter Hessler wrote:
On 2013 Sep 16 (Mon) at 16:42:26 +0100 (+0100), Andy wrote:
:I know that OpenBSD runs on any CPU which is based on the AMD64
:architecture, however someone has worried me and said that this CPU and
:chipset is different somehow and might not
On Tue 17 Sep 2013 13:48:45 BST, Stuart Henderson wrote:
On 2013-09-16, Andy wrote:
Planning to test Henning's new ALTQ subsystem diff on OpenBSD 5.4 with
this hardware :D
pardon the pedantry, but it's not altq..
Lol, yes sorry ;)
*ALTQ's replacement..
Does it have a name y
Oh yea, just look at the slides.. Dohh ;)
On Tue 17 Sep 2013 14:54:12 BST, Jiri B wrote:
On Tue, Sep 17, 2013 at 02:35:48PM +0100, Andy wrote:
On Tue 17 Sep 2013 13:48:45 BST, Stuart Henderson wrote:
On 2013-09-16, Andy wrote:
Planning to test Henning's new ALTQ subsystem diff on OpenBSD 5.4
On Tue 17 Sep 2013 18:09:15 BST, Michael Chen wrote:
I'm considering bidding on this 48-core box:
http://www.ebay.com/itm/Supermicro-A-Server-1042G-TF-1U-H8QG6-4-CPUS-48-cores-2-2Ghz-128GB-RAM-/151119828428?pt=COMP_EN_Servers&hash=item232f7195cc
Does anyone have experience with it and can I us
My vote -> *HENQ
Chickens lined up..
On Thu 19 Sep 2013 11:34:03 BST, MERIGHI Marcus wrote:
pkesh...@gmail.com (patrick keshishian), 2013.09.19 (Thu) 09:39 (CEST):
On Thursday, September 19, 2013, Ted Unangst wrote:
On Thu, Sep 19, 2013 at 09:14, Henning Brauer wrote:
*ALTQ's replacement..
D
and OpenBGPD', but
this only shows an example where the internal LAN connection is a CARP.
I have no choice but to run these as both firewalls and routers and I
must have CARP for redundancy etc.
Any advice or good URLs would be greatly appreciated.
Thanks, Andy.
, and back-haul).
Thanks :)
Andy
On Tue 01 Oct 2013 09:19:20 BST, Andy wrote:
Hello,
I have started deploying OSPF in our test environment before deploying
it out to the production network.
We have two Cisco ASR 1002 IOS XE routers in the middle of our Area 0
which have the Transit connections
On 01/10/13 14:32, Brian Hechinger wrote:
On Tue, Oct 01, 2013 at 09:19:20AM +0100, Andy wrote:
Also is there no way to have the CARP IP be the IP which is advertised
as the neighbor ensuring that traffic is always sent to the CARP IP
instead (I would MUCH prefer this!).
I spent an enormous
On Tue 01 Oct 2013 15:01:32 BST, Andy wrote:
On 01/10/13 14:32, Brian Hechinger wrote:
On Tue, Oct 01, 2013 at 09:19:20AM +0100, Andy wrote:
Also is there no way to have the CARP IP be the IP which is advertised
as the neighbor ensuring that traffic is always sent to the CARP IP
instead (I
In their tests the devs managed to get a single TCP connection to run
at up to 53Gbit across 6 10Gbit links.
The patch is very simple to apply.
Andy.
On Wed 02 Oct 2013 09:58:02 BST, Stuart Henderson wrote:
On 2013/10/01 23:02, Abel Abraham Camarillo Ojeda wrote:
On Fri, 23 Aug 2013 18:39:29
ly what I'm after :) (assuming that
the carp backup announces with a higher cost..)
Thanks for your thoughts everyone, would spend a lot more time walking
around in the dark if it wasn't for people's insights on this list :)
Cheers, Andy.
On Tue 01 Oct 2013 22:42:15 BST, Stuart Hende
On 02/10/13 12:31, Stuart Henderson wrote:
> On 2013/10/02 12:26, Andy wrote:
>> "No, but does it matter anyway?" - Good point.. What I should have
>> really asked is how can I ensure that the route with the lowest
>> metric/cost is the one pointing to the master..
>
h only one rule.
NB; I use '_local_kernel' for local CARP traffic etc, and '_local_data'
for traffic which is not destined for the WAN link but other local
networks and so can run at wire speed.
And _wan_* for the wan based traffic..
Hope this helps,
Andy.
On 09/10/13 07:47
On Wed 09 Oct 2013 12:29:48 BST, Leonardo Lombardo wrote:
Thanks for your reply Andy.
What if I have:
- multiple VLANs on an internal IF
Just have a different set of queues for each 'on vlanX' etc.
- have a limited bandwidth on external (say 10/10Mbit/s)
Do as was suggest
Hi,
It seems that OSPF starts quite early in the boot process before other
things have finished booting.
Is there a way to delay the start so that it only starts announcing once
all the start up scripts have run etc?
Cheers, Andy.
d be a better solution and
stop any loops.
I appreciate this problem is being born out of the fact that I am
trying to run the boxes as both firewalls /and/ routers.
Does this make sense, and does anyone have an idea of how to cope with
this dual-stack scenario?
Cheers, Andy.
PS; ignore all t
On Wed 09 Oct 2013 13:53:06 BST, Andy wrote:
On Wed 09 Oct 2013 12:29:48 BST, Leonardo Lombardo wrote:
Thanks for your reply Andy.
What if I have:
- multiple VLANs on an internal IF
Just have a different set of queues for each 'on vlanX' etc.
- have a limited bandwidth on extern
get my
new hardware in November.
Cheers, Andy.
On 09/10/13 16:14, Andy wrote:
On Wed 09 Oct 2013 13:53:06 BST, Andy wrote:
On Wed 09 Oct 2013 12:29:48 BST, Leonardo Lombardo wrote:
Thanks for your reply Andy.
What if I have:
- multiple VLANs on an internal IF
Just have a different set of
which matches one of the queues on that interface the
queue will be used.
So you look ok to me. Try adding the 'upperlimit' property to your hfsc
properties.
NB; I haven't tested Henning's new queuing subsystem yet so just guessing.
Cheers, Andy.
On Tue, 15 Oct 2013 16:32:16 +0400,
On Mon 21 Oct 2013 10:45:41 BST, Henning Brauer wrote:
* Andy [2013-10-09 17:14]:
After-all the packets egress the physical underlying interface so I
wonder if it's possible to 'queue' on the physical interface 'on emX'
for example underneath the 802.1Q tagging, such that
this the right tool for this? and if so
could someone throw me an example if you have one?
Thanks, Andy.
while
OSPF is 100. This means that it would prefer the eBGP path, rather than use
the OSPF learnt routes.
How can I change this in OpenBGPD and OpenOSPFD?
Cheers, Andy.
can be torn down etc thus allowing for sub-second
re-convergence of i/eBGP!
I can only offer a crate of beer to anyone who has the skills and is
willing :)
'+1's welcome from others who would be interested to show signs of
support/interest..
Cheers, Andy.
>
> Sincerely,
>
> Dan Farrell
>
>
> On Mon, Oct 28, 2013 at 12:54 PM, Andy <a...@brandwatch.com> wrote:
>
> Hi all,
>
> Would any of the esteemed OpenBSD developers be interested in
> adding support for BFD (Bidirectional Forward De
Code snippets can be seen on;
http://sourceforge.net/projects/kbfd/
http://sourceforge.net/projects/bfdd/
Editing these to compile and work on OpenBSD and run 'bgpctl neighbor
$bfdpeer down' etc is beyond my skills..
Thanks for reading, Andy.
On Tue 29 Oct 2013 11:16:20 GMT,
Thanks for ideas and examples guys :)
Cheers, Andy.
On 24/10/13 14:18, Comète wrote:
I use ifstated for that. This is my config file:
init-state auto
carp_up = "carp3.link.up && carp10.link.up && carp101.link.up &&
carp100.link.up && carp254.link
On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:
On 13-10-28 11:54 AM, Andy wrote:
Would any of the esteemed OpenBSD developers be interested in adding
support for BFD (Bidirectional Forward Detection) to OpenBSD.
[...]
'+1's welcome from others who would be interested to sho
So this is an ICMP ping with some authentication (on the gateway of a
> route) ??
>
> Why is this not overkill ?
>
>
> On Tue, Oct 29, 2013 at 11:01 AM, Andy wrote:
>
>> On Tue 29 Oct 2013 14:55:05 GMT, Adam Thompson wrote:
>>
>>> On 13-10-28 11:54 AM, A
ep you going now the cold months
are here.. :)
Cheers, Andy.
Will be testing in the next week or two.
On Tue 05 Nov 2013 00:42:44 GMT, Chris Cappuccio wrote:
Pedro Federico [pedfre...@gmail.com] wrote:
Andy, did you finally get that server? If so, is OpenBSD running fine?
I am interested in that server too.
I have some Xeon 55xx with intel C6xx chi
Hi back in the office now.
On Thu 07 Nov 2013 20:54:20 GMT, Chris Cappuccio wrote:
Andy Lemin [a...@brandwatch.com] wrote:
Hi, sadly OpenBSD does not boot with the latest Ivy Bridge EP (E5-2637v2) with
'Power Technology' in the supermicro BIOS set to 'Max Performance',
On Fri 08 Nov 2013 10:42:52 GMT, Peter Hessler wrote:
On 2013 Nov 08 (Fri) at 10:31:56 + (+), Andy wrote:
:On Thu 07 Nov 2013 20:54:20 GMT, Chris Cappuccio wrote:
:>Andy Lemin [a...@brandwatch.com] wrote:
:>>Hi, sadly OpenBSD does not boot with the latest Ivy Bridge EP (E5-2637
if you could define every BGP
attribute which you can already set now with values according to CARP state.
Cheers, Andy.
ather this than risk insecurity..
Thanks for reading :)
On Fri 08 Nov 2013 11:44:58 GMT, Andy wrote:
Hi,
We have upgraded to 5.4 in production and now have our OSPF routes
being announced from our CARP 'backup' with a max value metric, and
the CARP 'master' announcing with the
OpenBSD I was really hoping that Turbo+ would
work as that gives me a few hundred extra MHz on top of the default
3.5GHz Ivy clock in a single core etc.
Please let me know if a commit for this is done and I will test using a
snapshot :)
Thanks for your time, Andy.
On Fri 08 Nov 2013 17:05:33
On Fri 08 Nov 2013 18:28:38 GMT, Chris Cappuccio wrote:
Andy [a...@brandwatch.com] wrote:
Hi Chris,
Yea that makes sense, as you say it's pretty trivial and a divide by zero
check is a common coding practice...
I will try again as I only tried 'Max Performance' but it might mean unt
On Sat 09 Nov 2013 15:57:14 GMT, athom...@athompso.net wrote:
PS; We are against 'sloppy state' so much because we cannot sanitize
the sessions anywhere else (these firewalls connect to raw Transit).
In the meantime I think we're going to be forced to use ifstated to
shutdown OpenBGPd on the bac
;
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
>
> }
>
> ## Relay definitions
>
> #relay site1 {
> #listen on $address2 port 80
> #protocol "httpSite1"
> #forward to port 80 mode roundrobin ch
Sent from a teeny tiny keyboard, so please excuse typos
> On 23 Sep 2016, at 20:24, Jeremie Courreges-Anglas wrote:
>
> Andy Lemin writes:
>
>> Hi,
>>
>> TLDR; Is there a way of fixing the "source address" that SNMPD should use?
>>
>>
>>
t,
OPENBSD-CARP-MIB.txt, OPENBSD-MEM-MIB.txt, OPENBSD-RELAYD-MIB (pending
5.7), and OPENBSD-SENSORS-MIB.txt.
What do we need to do to enable these? Or is snmpwalk just missing them?
I'm being dumb?
Cheers, Andy.
/happy birthday Theo,
You share the same bday as my mum ;) haha
Andy
On Mon, 19 May 2014 12:58:46 +, Артур Истомин
wrote:
> On Mon, May 19, 2014 at 12:03:37PM +0200, Marcus MERIGHI wrote:
>> Happy Birthday, Theo. Thanks for doing your thing.
>>
>> Others: please r
I think you might have to try softflowd instead of the built-in sflowd..
These guys had the same problem and moved to softflowd to allow them to
analyse DDOS traffic with netflow..
https://ripe68.ripe.net/presentations/276-DDoS.pdf
Cheers, Andy.
On Mon 02 Jun 2014 14:38:33 BST, BARDOU
side during egress.
Theoretically the packets dropped due to CPU thrashing would be limited
to the lower prio packets..?!?
Thoughts/abuse/suggestions :)
Cheers, Andy.
On Sat 31 May 2014 00:39:21 BST, Adam Thompson wrote:
On 14-05-30 05:07 PM, sven falempin wrote:
Just curious. Because TCP
On 12/05/14 21:11, Alexander Hall wrote:
On 05/12/14 13:11, andy wrote:
NB; My 'patches' are not really patches as they are not code diffs.
They are just suggested changes I've posted on the lists. When I get more time
(I'm a one man band at the mo for my com
On Tue, 2014-03-25 at 12:46 +0100, Stefan Sperling wrote:
> On Mon, Mar 24, 2014 at 06:35:29PM -0700, andy wrote:
[description of ral-related hangs on 5.4]
> The diff below backs out my changes for ral from 5.3->5.4.
> Can you test this? I doubt it will have any effect but if i
1 - 100 of 427 matches