Re: ACK filtering?

2023-07-25 Thread Rozhuk Ivan 
On Tue, 18 Jul 2023 00:03:59 -0400
Mason Loring Bliss  wrote:

> I'm likely going to have to move to an Internet connection with
> asymmetric bandwidth soon, and I want to be proactive with the
> firewalling to avoid the connection choking on itself.
> 
> There's a fair amount of documentation out there for bumping the
> priority on acks with pf and altq, and that seems reasonable, but is
> there anything equivalent I can do with ipfw? I'd prefer ipfw if
> possible, but I'll switch if I need to.
> 

You can use ng_bpf for matching TCP ACK (if ipfw can not, I have no idea about 
ipfw).
https://reviews.freebsd.org/D30175
http://netlab.dhis.org/wiki/software:freebsd:igmpproxy_on_netgraph

ipfw can work with netgraph so you may adop these samples from raw ethernet
frames to ip packets.

Next step is put all non TCP ACKs to dumminet with limit to 90% of upstream 
bandwith
and pass TCP ACKs to upstream directly.


Also DNS, ICMP good to have high prio.
For links > 10mbps probably you will not see diff.
I stop play with that years ago )

Re: Bug in MAC filter on IGB/if_vlan?

2021-11-09 Thread Rozhuk Ivan 
On Tue, 9 Nov 2021 13:30:46 -0500
Ryan Stone  wrote:

> You're trying to use different MACs with each vlan.  I don't believe
> that this is really a support configuration in our stack, although
> putting the interface into promiscuous I guess works.

I try to look into if_vlan code and if I understand correct it try to set
MAC to parent adapter and read parent adapter MAC change.

But it must add/remove MAC addr to/from H/W MAC filter, not change only one.
It done for multicast join/leave, but not done for if_vlan and probably some 
other cases.

Re: Bug in MAC filter on IGB/if_vlan?

2021-11-09 Thread Rozhuk Ivan 
On Tue, 9 Nov 2021 08:39:12 -0600
Kevin Bowling  wrote:

> > I have in rc.conf:
> >
> > =
> > vlans_igb0="vlan77 vlan86 vlan87"
> > create_args_vlan87="vlan 87"
> > create_args_vlan86="vlan 86"
> > create_args_vlan77="vlan 77"
> > ifconfig_vlan87="inet 185.44.68.92 netmask 255.255.252.0 mtu 1500
> > down up" ifconfig_vlan87_alias0="link 00:aa:fa:dd:44:55"
> > ifconfig_vlan86="DHCP mtu 1500"
> > ifconfig_vlan86_alias0="link 00:ff:fa:dd:44:55"
> > ifconfig_vlan77="inet 192.168.0.254 netmask 255.255.255.0"
> > ifconfig_vlan77_alias0="link 00:0f:43:48:67:fe"
> > ifconfig_vlan77_ipv6="inet6 2001:470:2345:555::1/64 prefixlen 64
> > auto_linklocal"
> > ifconfig_igb0="-lro -tso -vlanhwtso mtu 9000 down up"
> >
> > =
> >
> > There is 4 different MAC addresses.
> > System is unavailable after boot until: ifconfig igb0 promisc down
> > up
> >
> > FreeBSD 13 build from fresh sources.
> >
> >
> > Is this a bug or this is normal?  
> 
> 
> Which chip?  Please post uname -a or git rev.

igb0@pci0:8:0:0:class=0x02 rev=0x03 hdr=0x00 vendor=0x8086 
device=0x1539 subvendor=0x1849 subdevice=0x1539
vendor = 'Intel Corporation'
device = 'I211 Gigabit Network Connection'
class  = network
subclass   = ethernet

514a095250b178ad81319bf8c30938c3f08dd16f
few days old build from 13 branch.


> Why do you have “down up” in the stateful config, please remove
> “down” and the MTU change and report back findings

It from some posts that recomend to use
ifconfig em0 mtu 2345 down up
to force mtu apply.

if_vlan allow to set incorrect mtu

2021-11-07 Thread Rozhuk Ivan 
Hi!


Why if_vlan allow to set same MTU size or bigger as on parrent nic?


Setup:
- workstation with MTU 9000 and IPv4 on h/w nic
- server with MTU 9000 on h/w nic and IPv4 on vlan nic with MTU 9000 (set by 
defauil on iface creation)

This setup have issue:
- big packets from server->wks - OK
- big packets from wks->server - FAIL.

Server init sequence:
1. Create vlans
2. Set MTU lower than default on parent nic

Result: vlan have bigger or same MTU as parrent nic, but parrent nic reports 
IFCAP_VLAN_MTU.
Probably this is if_em driver issue or iflib.



This is rc.conf, vlan77 - where I got MTU 9000 and fail to receive packets:
=
vlans_igb0="vlan77 vlan86 vlan87"
create_args_vlan87="vlan 87"
create_args_vlan86="vlan 86"
create_args_vlan77="vlan 77"
ifconfig_vlan87="inet 15.44.77.2 netmask 255.255.252.0 mtu 1500 down up"
ifconfig_vlan87_alias0="link 00:aa:fa:dd:44:55"
ifconfig_vlan86="DHCP mtu 1500"
ifconfig_vlan86_alias0="link 00:ff:fa:dd:44:55"
ifconfig_vlan77="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_vlan77_alias0="link 00:0f:43:48:67:fe"
ifconfig_vlan77_ipv6="inet6 2001:470:2345:555::1/64 prefixlen 64 auto_linklocal"
ifconfig_igb0="-lro -tso -vlanhwtso mtu 9000 down up"
=

Bug in MAC filter on IGB/if_vlan?

2021-11-06 Thread Rozhuk Ivan 
Hi!

I have in rc.conf:
=
vlans_igb0="vlan77 vlan86 vlan87"
create_args_vlan87="vlan 87"
create_args_vlan86="vlan 86"
create_args_vlan77="vlan 77"
ifconfig_vlan87="inet 185.44.68.92 netmask 255.255.252.0 mtu 1500 down up"
ifconfig_vlan87_alias0="link 00:aa:fa:dd:44:55"
ifconfig_vlan86="DHCP mtu 1500"
ifconfig_vlan86_alias0="link 00:ff:fa:dd:44:55"
ifconfig_vlan77="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_vlan77_alias0="link 00:0f:43:48:67:fe"
ifconfig_vlan77_ipv6="inet6 2001:470:2345:555::1/64 prefixlen 64 auto_linklocal"
ifconfig_igb0="-lro -tso -vlanhwtso mtu 9000 down up"
=

There is 4 different MAC addresses.
System is unavailable after boot until: ifconfig igb0 promisc down up

FreeBSD 13 build from fresh sources.


Is this a bug or this is normal?

Re: TCP connection ignore RST

2021-09-07 Thread Rozhuk Ivan 
On Tue, 7 Sep 2021 10:47:01 +0200
Michael Tuexen  wrote:

> >>> I have strange case: FreeBSD 12.2 ignore TCP RST from windows host
> >>> and continue retransmitting packets. sockstat show that socket
> >>> connected even after many tcp rst packets received.
> >>> 
> >>> Any ideas how to fix it?
> >> Where is the trace taken? On the Windows side or on the FreeBSD
> >> side or somewhere else? Could you provide the .pcap file?
> >>   
> > 
> > From FreeBSD side.
> > 
> > https://reviews.freebsd.org/D28142
> > e82353f84c58da9a5c38bd471a09936c16a5b6ea
> > https://reviews.freebsd.org/D28143
> > d05d908d6d3c85479c84c707f931148439ae826b sysctl
> > net.inet.tcp.tolerate_missing_ts=1 this fixes issue for me.  
> That was my first guess, but after double checking, this code is not
> present in FreeBSD 12.2. However, it is present in stable/12.
> So could it be that you are using stable/12 and not 12.2?
> 

System build from:
commit 8c01699f9194cfa3805ac734ae912529a10c063a
CommitDate: Wed Jan 20 14:40:13 2021 +0100
Add some examples to script.1...

It is not "clean" 12.2, and it is a bit early than commits with fixes.

Re: TCP connection ignore RST

2021-09-06 Thread Rozhuk Ivan 
On Sat, 4 Sep 2021 13:19:52 +0200
Michael Tuexen  wrote:

> > On 4. Sep 2021, at 01:37, Rozhuk Ivan  wrote:
> > 
> > Hi!
> > 
> > 
> > I have strange case: FreeBSD 12.2 ignore TCP RST from windows host
> > and continue retransmitting packets. sockstat show that socket
> > connected even after many tcp rst packets received.
> > 
> > Any ideas how to fix it?  
> Where is the trace taken? On the Windows side or on the FreeBSD side
> or somewhere else? Could you provide the .pcap file?
> 

From FreeBSD side.

https://reviews.freebsd.org/D28142 e82353f84c58da9a5c38bd471a09936c16a5b6ea
https://reviews.freebsd.org/D28143 d05d908d6d3c85479c84c707f931148439ae826b
sysctl net.inet.tcp.tolerate_missing_ts=1
this fixes issue for me.

TCP connection ignore RST

2021-09-03 Thread Rozhuk Ivan 
Hi!


I have strange case: FreeBSD 12.2 ignore TCP RST from windows host and continue 
retransmitting packets.
sockstat show that socket connected even after many tcp rst packets received.

Any ideas how to fix it?


System build from:
commit 8c01699f9194cfa3805ac734ae912529a10c063a
CommitDate: Wed Jan 20 14:40:13 2021 +0100
Add some examples to script.1...


root@sa# sockstat -P tcp -v -s -S -p 389
USER COMMANDPID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS   
PATH STATE   CONN STATE   STACK   
as  2583  35 tcp4   192.168.33.89:62284   192.168.33.200:389
 ESTABLISHED  freebsd



root@sa# tcpdump -n - -i vmx0 tcp port 389
tcpdump: listening on vmx0, link-type EN10MB (Ethernet), capture size 262144 
bytes
01:32:19.128521 IP (tos 0x0, ttl 128, id 40117, offset 0, flags [none], proto 
TCP (6), length 60)
192.168.33.89.62284 > 192.168.33.200.389: Flags [S], cksum 0xc4a0 
(incorrect -> 0x4ba5), seq 3223907587, win 65535, options [mss 1460,nop,wscale 
10,sackOK,TS val 3640114415 ecr 0], length 0
01:32:19.128918 IP (tos 0x0, ttl 128, id 0, offset 0, flags [DF], proto TCP 
(6), length 60)
192.168.33.200.389 > 192.168.33.89.62284: Flags [S.], cksum 0xca32 
(correct), seq 1489249264, ack 3223907588, win 8192, options [mss 
1460,nop,wscale 8,sackOK,TS val 124116297 ecr 3640114415], length 0
01:32:19.128949 IP (tos 0x0, ttl 128, id 42613, offset 0, flags [none], proto 
TCP (6), length 52)
192.168.33.89.62284 > 192.168.33.200.389: Flags [.], cksum 0xc498 
(incorrect -> 0x10ff), seq 1, ack 1, win 2049, options [nop,nop,TS val 
3640114415 ecr 124116297], length 0
01:32:19.129431 IP (tos 0x0, ttl 128, id 24596, offset 0, flags [none], proto 
TCP (6), length 86)
192.168.33.89.62284 > 192.168.33.200.389: Flags [P.], cksum 0xc4ba 
(incorrect -> 0xe4b3), seq 1:35, ack 1, win 2049, options [nop,nop,TS val 
3640114415 ecr 124116297], length 34
01:32:19.130310 IP (tos 0x0, ttl 128, id 1, offset 0, flags [DF], proto TCP 
(6), length 74)
192.168.33.200.389 > 192.168.33.89.62284: Flags [P.], cksum 0x35bb 
(correct), seq 1:23, ack 35, win 260, options [nop,nop,TS val 124116297 ecr 
3640114415], length 22
01:32:19.131230 IP (tos 0x0, ttl 128, id 54687, offset 0, flags [none], proto 
TCP (6), length 163)
192.168.33.89.62284 > 192.168.33.200.389: Flags [P.], cksum 0xc507 
(incorrect -> 0x37f8), seq 35:146, ack 23, win 2049, options [nop,nop,TS val 
3640114415 ecr 124116297], length 111
01:32:19.131560 IP (tos 0x0, ttl 128, id 2, offset 0, flags [DF], proto TCP 
(6), length 585)
192.168.33.200.389 > 192.168.33.89.62284: Flags [P.], cksum 0x943d 
(correct), seq 23:556, ack 146, win 259, options [nop,nop,TS val 124116297 ecr 
3640114415], length 533
01:32:19.133323 IP (tos 0x0, ttl 128, id 50714, offset 0, flags [none], proto 
TCP (6), length 198)
192.168.33.89.62284 > 192.168.33.200.389: Flags [P.], cksum 0xc52a 
(incorrect -> 0x0ba5), seq 146:292, ack 556, win 2049, options [nop,nop,TS val 
3640114415 ecr 124116297], length 146
01:32:19.133861 IP (tos 0x0, ttl 128, id 3, offset 0, flags [DF], proto TCP 
(6), length 471)
192.168.33.200.389 > 192.168.33.89.62284: Flags [P.], cksum 0x3b5d 
(correct), seq 556:975, ack 292, win 259, options [nop,nop,TS val 124116298 ecr 
3640114415], length 419
01:32:19.135305 IP (tos 0x0, ttl 128, id 43284, offset 0, flags [none], proto 
TCP (6), length 115)
192.168.33.89.62284 > 192.168.33.200.389: Flags [P.], cksum 0xc4d7 
(incorrect -> 0xac6a), seq 292:355, ack 975, win 2049, options [nop,nop,TS val 
3640114415 ecr 124116298], length 63
01:32:19.135900 IP (tos 0x0, ttl 128, id 4, offset 0, flags [DF], proto TCP 
(6), length 1500)
192.168.33.200.389 > 192.168.33.89.62284: Flags [.], cksum 0x5ffb 
(correct), seq 975:2423, ack 355, win 258, options [nop,nop,TS val 124116298 
ecr 3640114415], length 1448
01:32:19.135913 IP (tos 0x0, ttl 128, id 5, offset 0, flags [DF], proto TCP 
(6), length 299)
192.168.33.200.389 > 192.168.33.89.62284: Flags [P.], cksum 0x7cb3 
(correct), seq 2423:2670, ack 355, win 258, options [nop,nop,TS val 124116298 
ecr 3640114415], length 247
01:32:19.135935 IP (tos 0x0, ttl 128, id 32903, offset 0, flags [none], proto 
TCP (6), length 52)
192.168.33.89.62284 > 192.168.33.200.389: Flags [.], cksum 0xc498 
(incorrect -> 0x0530), seq 355, ack 2670, win 2048, options [nop,nop,TS val 
3640114415 ecr 124116298], length 0
01:32:19.139239 IP (tos 0x0, ttl 128, id 64896, offset 0, flags [none], proto 
TCP (6), length 148)
192.168.33.89.62284 > 192.168.33.200.389: Flags [P.], cksum 0xc4f8 
(incorrect -> 0xd163), seq 355:451, ack 2670, win 2049, options [nop,nop,TS val 
3640114425 ecr 124116298], length 96
01:32:19.139753 IP (tos 0x0, ttl 128, id 6, offset 0, flags [DF], proto TCP 
(6), length 1218)
192.168.33.200.389 > 192.168.33.89.62284: Flags [P.], cksum 0x1c85 
(correct), seq 2670:3836, ack 451, win 258, options

Re: How to run script on network address change?

2021-06-22 Thread Rozhuk Ivan 
On Tue, 22 Jun 2021 09:52:18 -0600
Warner Losh  wrote:

> These two patches appear to be good (I’ll need to do a little testing)
> 
> But, can you update devd.conf(5) man page to include these new events
> in the IFNET section? If so, I’ll land this in the tree...
> 

This is updated version, they add param name for last arg, so:
"!system=IFNET subsystem=lan0 type=RENAME lan1" -> "!system=IFNET 
subsystem=lan0 type=RENAME name=lan1"
"!system=IFNET subsystem=lan0 type=ADDR_ADD 192.168.1.1" -> "!system=IFNET 
subsystem=lan0 type=ADDR_ADD address=192.168.1.1"

https://reviews.freebsd.org/D30839
https://reviews.freebsd.org/D30840

Re: How to run script on network address change?

2021-06-20 Thread Rozhuk Ivan 
On Sun, 20 Jun 2021 08:42:46 -0600
Ian Lepore  wrote:

> > I have FreeBSD 13@amd64 router with DHCP client on uplink.
> > 
> > How to run script on IP address change?
> > 
> > 
> > I do not see events from devd, only:
> > !system=IFNET subsystem=em3 type=LINK_DOWN
> > !system=IFNET subsystem=em3 type=LINK_UP
> > 
> >   
> 
> You could use /etc/dhclient-exit-hooks script to take action after an
> IP address is bound.  See the manpage for dhclient-script for more
> info.


Thanks, I see some forum posts with this.

Re: How to run script on network address change?

2021-06-20 Thread Rozhuk Ivan 
On Sun, 20 Jun 2021 16:23:38 +0200
"dmilith ."  wrote:

> Have you tried `route monitor`?
 
No, and I do not want keep running some daemon that will parse output.

But thanks, I found good place to add devctl_notify() calls.
Now devd have new events.


run:
ifconfig lan0 alias 192.168.1.1/24
ifconfig lan0 -alias 192.168.1.1
ifconfig lan0 inet6 ::

devd output:
!system=IFNET subsystem=lan0 type=ADDR_ADD 192.168.1.1
!system=IFNET subsystem=lan0 type=ADDR_DEL 192.168.1.1
!system=IFNET subsystem=lan0 type=ADDR_ADD ::


And even for netif rename:
ifconfig lan0 name lan1
ifconfig lan1 name lan0

devd output:
!system=IFNET subsystem=lan0 type=RENAME lan1
!system=IFNET subsystem=lan1 type=RENAME lan0
>From 18a08c5f17d3b54f029a4e8c9ffbcd1370dbf3b1 Mon Sep 17 00:00:00 2001
From: Rozhuk Ivan 
Date: Sun, 20 Jun 2021 19:10:36 +0300
Subject: [PATCH] sys/net/if.c: add RENAME devctl event

!system=IFNET subsystem=lan0 type=RENAME lan1
!system=IFNET subsystem=lan1 type=RENAME lan0
---
 sys/net/if.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/net/if.c b/sys/net/if.c
index f6926c43ef9..8c8a7f6f4f0 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -2681,6 +2681,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
 		EVENTHANDLER_INVOKE(ifnet_departure_event, ifp);
 
 		if_printf(ifp, "changing name to '%s'\n", new_name);
+		devctl_notify("IFNET", ifp->if_xname, "RENAME", new_name);
 
 		IF_ADDR_WLOCK(ifp);
 		strlcpy(ifp->if_xname, new_name, sizeof(ifp->if_xname));
>From ece5aba37afe51e7ffa1ec14b4cf9b3430a608b4 Mon Sep 17 00:00:00 2001
From: Rozhuk Ivan 
Date: Sun, 20 Jun 2021 19:22:55 +0300
Subject: [PATCH] sys/net/route.c: add devctl event handler

ifconfig lan0 alias 192.168.1.1/24
ifconfig lan0 -alias 192.168.1.1

output:
!system=IFNET subsystem=lan0 type=ADDR_ADD 192.168.1.1
!system=IFNET subsystem=lan0 type=ADDR_DEL 192.168.1.1
---
 sys/net/route.c | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/sys/net/route.c b/sys/net/route.c
index f07cb3f6581..4c1fed90caa 100644
--- a/sys/net/route.c
+++ b/sys/net/route.c
@@ -50,6 +50,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -67,6 +68,7 @@
 
 #include 
 #include 
+#include 
 
 VNET_PCPUSTAT_DEFINE(struct rtstat, rtstat);
 
@@ -693,6 +695,8 @@ rt_maskedcopy(struct sockaddr *src, struct sockaddr *dst, struct sockaddr *netma
 int
 rt_addrmsg(int cmd, struct ifaddr *ifa, int fibnum)
 {
+	struct sockaddr *sa = ifa->ifa_addr;
+	struct ifnet *ifp = ifa->ifa_ifp;
 
 	KASSERT(cmd == RTM_ADD || cmd == RTM_DELETE,
 	("unexpected cmd %d", cmd));
@@ -701,6 +705,24 @@ rt_addrmsg(int cmd, struct ifaddr *ifa, int fibnum)
 
 	EVENTHANDLER_DIRECT_INVOKE(rt_addrmsg, ifa, cmd);
 
+#ifdef INET
+	if (sa->sa_family == AF_INET) {
+		char addrstr[INET_ADDRSTRLEN];
+		inet_ntoa_rstruct sockaddr_in*)sa)->sin_addr),
+		addrstr);
+		devctl_notify("IFNET", ifp->if_xname,
+		(cmd == RTM_ADD) ? "ADDR_ADD" : "ADDR_DEL", addrstr);
+	}
+#endif
+#ifdef INET6
+	if (sa->sa_family == AF_INET6) {
+		char addrstr[INET6_ADDRSTRLEN];
+		ip6_sprintf(addrstr, IFA_IN6(ifa));
+		devctl_notify("IFNET", ifp->if_xname,
+		(cmd == RTM_ADD) ? "ADDR_ADD" : "ADDR_DEL", addrstr);
+	}
+#endif
+
 	if (V_rt_add_addr_allfibs)
 		fibnum = RT_ALL_FIBS;
 	return (rtsock_addrmsg(cmd, ifa, fibnum));

How to run script on network address change?

2021-06-20 Thread Rozhuk Ivan 
Hi!


I have FreeBSD 13@amd64 router with DHCP client on uplink.

How to run script on IP address change?


I do not see events from devd, only:
!system=IFNET subsystem=em3 type=LINK_DOWN
!system=IFNET subsystem=em3 type=LINK_UP

Re: TCP Connection hang - MSS again

2021-04-05 Thread Rozhuk Ivan 
On Mon, 5 Apr 2021 13:04:19 +0200
tue...@freebsd.org wrote:

> > As I understand, in some cases remote host does not reply with MSS
> > option, and host behind router continue use mss 8960, that dropped
> > by router.  
> If the peer does not provide an MSS option, your local FreeBSD based
> host should use an MSS of net.inet.tcp.mssdflt bytes. The default is
> 536. So I don't think this should be a problem.

Thats it!
Thanks, it was ~64k in mine config.

___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: TCP Connection hang - MSS again

2021-04-05 Thread Rozhuk Ivan 
On Mon, 5 Apr 2021 17:23:39 +0700
Eugene Grosbein  wrote:

> > Is any other other options to work around this?  
> 
> Yes. Each entry in the routing table has "mtu" attribute limiting TCP
> MSS, too. You should use default route with -mtu 1500 attribute. For
> example, in /etc/rc.conf:
> 
> defaultroute="X.X.X.X -mtu 1500"
> 

This help only if I do this on all hosts in network, this is to many management.


___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: TCP Connection hang - MSS again

2021-04-05 Thread Rozhuk Ivan 
On Mon, 5 Apr 2021 12:44:50 +0300
Rozhuk Ivan  wrote:


> FreeBSD 13 desktop have no known problems with other websites.
> Only with one remonte FreeBSD 12 with same sysctl.conf and mtu 9k.

Forgot.
FreeBSD 12 reply with MSS 8960, and I fix it in PF:
> scrub in on $ext_v4_if0 all max-mss 1400

so only https://online.sberbank.ru/CSAFront/index.do#/
time to time reply without mss option.
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

TCP Connection hang - MSS again

2021-04-05 Thread Rozhuk Ivan 
Hi!


TCP Connection hang then I try to open 
https://online.sberbank.ru/CSAFront/index.do#/

FreeBSD 13 desktop + FreeBSD 13 router (pf).
http://www.netlab.linkpc.net/download/software/os_cfg/FBSD/13/base/etc/sysctl.conf
FreeBSD 13 desktop have no known problems with other websites.
Only with one remonte FreeBSD 12 with same sysctl.conf and mtu 9k.
If I set mtu to 1500 on desktop - issue is gone.

Router pf.conf contain:
scrub out on $ext_v4_if0 all random-id min-ttl 128 max-mss 1400
scrub in on $ext_v4_if0 all max-mss 1400


Android 9 and FreeBSD 12.2 have no this issue (both @WiFi).


As I understand, in some cases remote host does not reply with MSS option, and 
host behind
router continue use mss 8960, that dropped by router.

(pf scrub rules disabled for this log), tcpdump | grep mss:
176.99.179.102.60903 > 194.54.14.131.443: Flags [S], cksum 0xd0a2 
(correct), seq 3696980106, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 3763275954 ecr 0], length 0
176.99.179.102.60719 > 194.54.14.131.443: Flags [S], cksum 0xd796 
(correct), seq 232307963, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 1963519951 ecr 0], length 0
176.99.179.102.50146 > 194.54.14.131.443: Flags [S], cksum 0x1aa9 
(correct), seq 3968469659, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 3417199378 ecr 0], length 0
176.99.179.102.50646 > 194.54.14.131.443: Flags [S], cksum 0xb3ba 
(correct), seq 3774081696, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 1089629786 ecr 0], length 0
176.99.179.102.56843 > 194.54.14.131.443: Flags [S], cksum 0xc4dd 
(correct), seq 647662718, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 4054756545 ecr 0], length 0
194.54.14.131.443 > 176.99.179.102.56843: Flags [S.], cksum 0x35dd 
(correct), seq 186241788, ack 647662719, win 65535, options [mss 
1380,nop,wscale 3,nop,nop,sackOK,nop,nop,TS val 2541298941 ecr 4054756545], 
length 0
176.99.179.102.65364 > 194.54.14.131.443: Flags [S], cksum 0x17a0 
(correct), seq 1603248650, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 1794142451 ecr 0], length 0
176.99.179.102.59862 > 194.54.14.131.443: Flags [S], cksum 0x2736 
(correct), seq 4000339086, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 4084903147 ecr 0], length 0
176.99.179.102.60915 > 194.54.14.131.443: Flags [S], cksum 0xd964 
(correct), seq 95236311, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 1297197380 ecr 0], length 0
176.99.179.102.58717 > 194.54.14.131.443: Flags [S], cksum 0xf92e 
(correct), seq 1785704794, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 1392944917 ecr 0], length 0
194.54.14.131.443 > 176.99.179.102.58717: Flags [S.], cksum 0xe020 
(correct), seq 2800465814, ack 1785704795, win 65535, options [mss 
1380,nop,wscale 3,nop,nop,sackOK,nop,nop,TS val 2541366941 ecr 1392944917], 
length 0
176.99.179.102.53377 > 194.54.14.131.443: Flags [S], cksum 0x8fdd 
(correct), seq 3235103847, win 65535, options [mss 8960,nop,wscale 10,sackOK,TS 
val 1359134165 ecr 0], length 0


Is it possible to force FreeBSD always ask with tcp mss option?
Is any other other options to work around this?






Full connections log:

12:06:44.205766 70:85:c2:43:67:5b > 78:da:6e:28:c9:c0, ethertype IPv4 (0x0800), 
length 74: (tos 0x0, ttl 128, id 0, offset 0, flags [DF], proto TCP (6), length 
60)
176.99.179.102.54064 > 194.54.14.131.443: Flags [S], cksum 0xca3f 
(correct), seq 980200339, win 65535, options [mss 1400,nop,wscale 10,sackOK,TS 
val 1268859625 ecr 0], length 0
12:06:44.206997 78:da:6e:28:c9:c0 > 70:85:c2:43:67:5b, ethertype IPv4 (0x0800), 
length 60: (tos 0x0, ttl 59, id 57535, offset 0, flags [none], proto TCP (6), 
length 40)
194.54.14.131.443 > 176.99.179.102.54064: Flags [S.], cksum 0x5d05 
(correct), seq 2754330417, ack 980200340, win 0, length 0
12:06:44.207126 70:85:c2:43:67:5b > 78:da:6e:28:c9:c0, ethertype IPv4 (0x0800), 
length 54: (tos 0x0, ttl 128, id 0, offset 0, flags [DF], proto TCP (6), length 
40)
176.99.179.102.54064 > 194.54.14.131.443: Flags [.], cksum 0x5d06 
(correct), seq 1, ack 1, win 65535, length 0
12:06:44.210824 78:da:6e:28:c9:c0 > 70:85:c2:43:67:5b, ethertype IPv4 (0x0800), 
length 60: (tos 0x0, ttl 59, id 45037, offset 0, flags [DF], proto TCP (6), 
length 40)
194.54.14.131.443 > 176.99.179.102.54064: Flags [.], cksum 0x5d06 
(correct), seq 1, ack 1, win 65535, length 0
12:06:44.211130 70:85:c2:43:67:5b > 78:da:6e:28:c9:c0, ethertype IPv4 (0x0800), 
length 571: (tos 0x0, ttl 128, id 0, offset 0, flags [DF], proto TCP (6), 
length 557)
176.99.179.102.54064 > 194.54.14.131.443: Flags [P.], cksum 0x7667 
(correct), seq 1:518, ack 1, win 65535, length 517
12:06:44.214366 78:da:6e:28:c9:c0 > 70:85:c2:43:67:5b, ethertype IPv4 (0x0800), 
length 60: (tos 0x0, ttl 53, id 45320, offset 0, flags [DF], proto TCP (6), 
length 40)
194.54.14.131.443 > 176.99.179.102.54064: Flags [.], cksum 0x5d06 
(correct), seq 1,

Re: Multicast issue, interface not leaving Mutlicast Group

2021-04-02 Thread Rozhuk Ivan 
On Fri, 7 Aug 2020 15:25:25 +0200
Abelenda Diego  wrote:

> Hello,
> 
> I have discovered that I had a multicast issue for years I did not
> know about. I use a FreeBSD (opnsense) setup as router for my home
> network and have igmpproxy for IPTV. Somehow everything seems to
> work, until I realized that my ISP was making a DoS with multicast.
> It is pretty much what was described years ago here:
> https://forum.netgate.com/topic/62591/igmp-issues-causing-isp-to-perform-multicast-dos-on-my-pfsense/7.
> But the solution of not using FreeBSD seem weird. So dug a lot
> learning about Multicast IGMPv{2,3} etc in the process. Here is an
> abstract of what I found:
> 
> 
> igmpproxy is performing "correctly" in that it will act upon to
> IGMPv2 Join request from the TV box by joining the multicast groups
> correctly. When the TV Box sends an IGMPv2 Leave request, igmpproxy
> will remove the source IP from the multicast table on the interface
> (the code is here
> https://github.com/pali/igmpproxy/blob/b7940fc75b36d5bcc3a07654fc1af76f179302a9/src/mcgroup.c#L58-L60
> this same call is used for joining and leaving).
> 

You can drop all this and just forward (bridge) all multicast:
http://netlab.dhis.org/wiki/ru:software:freebsd:igmpproxy_on_netgraph
https://lists.freebsd.org/pipermail/freebsd-net/2011-December/030643.html
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

WiFi with AC on FreeBSD

2020-06-09 Thread Rozhuk Ivan 
Hi!

For peoples who want to use linux WiFi drivers on FreeBSD with minimum support 
overhead :)

This "how-to" (draft) describes how to use OpenWRT as driver with web GUI for 
WiFi adapters.
No more pain with slow speed, no strange wpa_supplicant gui tools :)

This upgrades WiFi speed from
media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11a
to 866Mbps on my notebook with intel 8265.


Resourses required:
- 256 Mb ram
- 128 Mb on hard drive
- IOMMU support
- FreeBSD AMD64


1. Download EFI based build.
WWW: https://openwrt.org/docs/guide-developer/uefi-bootable-image
cd /root/
fetch 
https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-x86-64-generic-squashfs-combined-efi.img.gz
gunzip openwrt-x86-64-generic-squashfs-combined-efi.img.gz


2. Install sysutils/bhyve-firmware from ports.
CSM not required.
Patch required to build port (last attached):
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211074


3. Configure system:
WWW:
https://www.freebsd.org/doc/handbook/virtualization-host-bhyve.html
https://wiki.freebsd.org/bhyve/pci_passthru

echo 'net.link.tap.up_on_open=1' >> /etc/sysctl.conf


/etc/rc.conf:
kld_list="nmdm vmm"
cloned_interfaces="tap0"
ifconfig_tap0_name="wifi0"
ifconfig_wifi0="DHCP up"
ifconfig_wifi0_ipv6="inet6 accept_rtadv auto_linklocal -ifdisabled"


/boot/loader.conf
# bhyve PCI device passthru.
# "1/0/0" - PCI dev ident, see: pciconf -lv
pptdevs="1/0/0"

# For AMD systems
hw.vmm.amdvi.enable="1"


4. Start OpenWRT

/usr/sbin/bhyvectl --destroy --vm=owrt
/usr/sbin/bhyve \
-A \
-H \
-c 2 \
-m 256M \
-S \
-s 0:0,hostbridge \
-s 1:0,lpc -l com1,stdio \
-s 3:0,ahci-hd,openwrt-x86-64-generic-squashfs-combined-efi.img \
-s 5:0,e1000,tap0,mac=00:be:fa:76:45:01 \
-s 7,passthru,1/0/0 \
-l bootrom,/usr/local/share/uefi-firmware/BHYVE_UEFI.fd \
owrt

To disable output remove: "-l com1,stdio"
"1/0/0" - PCI dev ident, same as in loader.conf.


5. Configure OpenWRT:
uci set network.lan.ipaddr='172.16.0.49'
uci set network.lan.netmask='255.255.255.0'
uci set network.lan.gateway='172.16.0.254'
uci add_list network.lan.dns='172.16.0.254'
uci commit network
/etc/init.d/network restart

opkg update
opkg install luci

Now web GUI can be used to install wpad*, hostapd*, WiFi driver and other staff.

If you want use OpenWRT as bridge - read this: 
https://openwrt.org/docs/guide-user/network/wifi/relay_configuration
Better to start with simple rourer+nat mode.



___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: Multicast/SSDP not working (on VLAN interface)

2018-03-19 Thread Rozhuk Ivan 
On Mon, 19 Mar 2018 16:11:05 -0700 (PDT)
"Rodney W. Grimes"  wrote:

> Are you running with "firewall_type="simple""?
> If so it is set to block all 224/4 packets, see this part
> of /etc/rc.firewall:
> # And stop draft-manning-dsua-03.txt (1 May 2000) nets
> (includes RESERVED-1, # DHCP auto-configuration, NET-TEST, MULTICAST
> (class D), and class E) # on the outside interface
> ${fwcmd} table ${BAD_ADDR_TBL} add 0.0.0.0/8
> ${fwcmd} table ${BAD_ADDR_TBL} add 169.254.0.0/16
> ${fwcmd} table ${BAD_ADDR_TBL} add 192.0.2.0/24
> ${fwcmd} table ${BAD_ADDR_TBL} add 224.0.0.0/4
> ${fwcmd} table ${BAD_ADDR_TBL} add 240.0.0.0/4
> 
>   ${fwcmd} add deny all from any to "table($BAD_ADDR_TBL)" via
> ${oif}
> 
> Your route effected this as your packets are no longer trying to
> use an all interfaces path, but a specific interface, and that is
> probably not ${oif} of your firewall.
> 

One more fw tip: pf by default drops all IP packets with options, so IGMP does 
not work.
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: Multicast/SSDP not working (on VLAN interface)

2018-03-19 Thread Rozhuk Ivan 
On Mon, 19 Mar 2018 22:29:12 +0100
Andreas Scherrer  wrote:

> Now, if I (manually) add a static route for 224.0.0.0/4 via the 
> interface the M-SEARCH messages are coming in, everything starts to
> work!
> 
> route add -net 224.0.0.0/4 -iface re1.32
> 
> The (main) problem here is that I have multiple networks with clients
> in them. So a static route does not REALLY solve my problem.
> 
> Also I do not (yet?) understand why the route should be required.
> 
> What I see is that ifmcstat -f inet -i re1.32 does not list a
> membership for 239.255.255.250 when it is not working, but does list
> the membership when it is working...

That is because many software use old dumb multicast socket api.
It requres that use add route to mc net via one net iface.
If no mc route present then OS will send all mc packets to default gw, using 
unicast gw mac addr instead of specific mc mac addr.
On linux all same.

Mine https://github.com/rozhuk-im/ssdpd can send and receive mc packet via many 
net ifaces.
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: upnp/dlna

2016-01-15 Thread Rozhuk Ivan 
On Fri, 15 Jan 2016 14:52:25 +0100
Gerrit Kühn  wrote:

> So I have the strange feeling that my FreeBSD boxes ignore multicast
> packages on the receiving end. The only thing that works is sending a
> multicast package from the box. I did not change the default
> configuration of the network devices in any way, and actually they
> appear to be ok (I think):

...
You can also try my SSDP announcer: 
http://www.netlab.linkpc.net/wiki/en:software:ssdpd:index
It can announce any server, but you need to download xml from mediatomb with 
services description and pass in to config file.

At my home SSDPd + nginx + php = DLNA server works fine.


___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: upnp/dlna

2016-01-15 Thread Rozhuk Ivan 
On Fri, 15 Jan 2016 14:52:25 +0100
Gerrit Kühn  wrote:

> I have two FreeBSD boxes running mediatomb and minidlna. I also have a
> couple of clients, mostly internet radios by different manufacturers
> (Sangean, Philips, Renkforce...).
> I have the (weird) issue that neither mediatomb nor minidlna appears
> to see the multicasts discovery messages (not even with tcpdump!)
> sent by the clients. Subsequently they never answer them and are not
> found by the client devices.

PF by default drop all ip packets with options.
IGMP use ip options -> pf drop all igmp.


pass in quick inet6 proto icmp6 no state allow-opts # mld (igmp6) also here
pass out quick inet6 proto icmp6 no state allow-opts # mld (igmp6) also here

pass out quick inet proto udp to 224.0.0.0/4 no state allow-opts
pass out quick inet proto igmp to 224.0.0.0/4 no state allow-opts
pass out quick inet proto icmp no state allow-opts
pass out quick inet6 proto udp to ff00::/8 no state allow-opts # Allow send 
multicast
pass out quick inet6 proto icmp6 no state allow-opts # mld (igmp6) also here
pass out quick flags S/SA allow-opts

## Rules exception
pass in quick inet proto udp to 224.0.0.0/4 no state # Allow receive multicast
pass in quick inet proto igmp to 224.0.0.0/4 no state allow-opts
pass in quick inet proto icmp no state
pass in quick inet6 proto udp to ff00::/8 no state # Allow receive multicast
pass in quick inet6 proto icmp6 no state allow-opts # mld (igmp6) also here

___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

LAGG on netgraph + rc.d script

2015-07-21 Thread Rozhuk Ivan 
Hi!


if_lagg together with two multicast igb at more than 100 megabits led
to 100% CPU interrupts one of the igb.
The problem is not reproduced on other systems without igb adapters.
So I gathered on lagg netgraph and with him there is no problem.


Manual on russian: 
http://netlab.dhis.org/wiki/ru:software:freebsd:lagg_on_netgraph


ng_lagg script
http://netlab.linkpc.net/download/software/FreeBSD/ng_lagg/ng_lagg.sh

Example
Create: ng_lagg.sh start xxxLAGG em0 em1 igb0
Destroy: ng_lagg.sh stop ngeth0
Add network adapter: ng_lagg.sh if_add xxxLAGG igb1
Remove network adapter: ng_lagg.sh if_del em0


rc.d script
http://netlab.linkpc.net/download/software/FreeBSD/ng_lagg/ng_lagg

Example:
ng_lagg_enable=YES
ng_lagg_interfaces=lagg0 xyzlagg
ng_lagg_lagg0=em0 em1
ng_lagg_xyzlagg=xl0 igb1
ifconfig_lagg0=inet 192.168.11.77 netmask 255.255.255.0
ifconfig_xyzlagg=inet 192.168.22.77 netmask 255.255.255.0

vlans_lagg0=vlan1234
create_args_vlan1234=vlan 1234
ifconfig_vlan1234=inet 192.168.0.77 netmask 255.255.255.0

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

ng_vlan improvements

2011-06-24 Thread Rozhuk Ivan 

Diffs

 
--
Rozhuk Ivan
  




ng_vlan.h.orig.patch
Description: Binary data


ng_vlan.c.orig.patch
Description: Binary data
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

kern/152141: [vlan] encapsulate vlan in ng_ether before output to if

2010-12-02 Thread Rozhuk Ivan 
Hi!


This is a patch for ng_ether_rcv_lower function in ng_ether.c to encapsulate
vlan before send to net.

 
--
Rozhuk Ivan
  



ng_ether.patch
Description: Binary data
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

struct sockaddr_in6 ia_net - unused

2010-11-22 Thread Rozhuk Ivan 
Hi!

/usr/src/sys/netinet6/in6_var.h:struct  sockaddr_in6 ia_net;/*
network number of interface */

Looks like unused in inet6: defined but never used in code.



firewall# grep -r ia_net /usr/src/sys

grep: warning: /usr/src/sys/modules/netgraph/viface/@: recursive directory
loop
/usr/src/sys/netinet/in.c:  if ((i  ia-ia_netmask) ==
ia-ia_net) {
/usr/src/sys/netinet/in.c:  ia-ia_netmask = IN_CLASSA_NET;
/usr/src/sys/netinet/in.c:  ia-ia_netmask = IN_CLASSB_NET;
/usr/src/sys/netinet/in.c:  ia-ia_netmask = IN_CLASSC_NET;
/usr/src/sys/netinet/in.c:  ia-ia_subnetmask = ia-ia_netmask;
/usr/src/sys/netinet/in.c:  ia-ia_netmask = ia-ia_subnetmask;
/usr/src/sys/netinet/in.c:  ia-ia_net = i  ia-ia_netmask;
/usr/src/sys/netinet/in.c:  ia-ia_netbroadcast.s_addr =
/usr/src/sys/netinet/in.c:  htonl(ia-ia_net | ~
ia-ia_netmask);
/usr/src/sys/netinet/in.c:   in.s_addr ==
ia-ia_netbroadcast.s_addr ||
/usr/src/sys/netinet/in.c:   t == ia-ia_subnet || t ==
ia-ia_net) 
/usr/src/sys/netinet/in_debug.c:IA_DB_RPINTF(0x%08lx, ia_net);
/usr/src/sys/netinet/in_debug.c:IA_DB_RPINTF(0x%08lx, ia_netmask);
/usr/src/sys/netinet/in_debug.c:IA_DB_RPINTF(0x%08x,
ia_netbroadcast.s_addr);
/usr/src/sys/netinet/in_var.h:  u_long  ia_net; /* network
number of interface */
/usr/src/sys/netinet/in_var.h:  u_long  ia_netmask; /* mask of
net part */
/usr/src/sys/netinet/in_var.h:  struct  in_addr ia_netbroadcast; /* to
recognize net broadcasts */
/usr/src/sys/netinet/ip_input.c:if
(ia-ia_netbroadcast.s_addr == ip-ip_dst.s_addr) {
/usr/src/sys/netinet6/in6_var.h:struct  sockaddr_in6 ia_net;/*
network number of interface */
/usr/src/sys/netipx/ipx_if.h:   struct  sockaddr_ipx ia_netmask;/*
space for my network mask */

 
--
Rozhuk Ivan
  



___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

kern/152141: [vlan] encapsulate vlan in ng_ether before output to if

2010-11-14 Thread Rozhuk Ivan 
This is a patched version of original function

code
/*
 * If underlying interface can not do VLAN tag insertion itself
 * then attach a packet tag that holds it.
 */
if ((m-m_flags  M_VLANTAG) 
(ifp-if_capenable  IFCAP_VLAN_HWTAGGING) == 0) {
m = ether_vlanencap(m, m-m_pkthdr.ether_vtag);
if (m == NULL) {
ifp-if_oerrors++;
return (ENOBUFS);
}
m-m_flags = ~M_VLANTAG;
}


was added

 
--
Rozhuk Ivan
  



___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org