Re: IP "routing" issue

2020-09-16 Thread John-Mark Gurney 
Abelenda Diego wrote this message on Wed, Sep 16, 2020 at 18:21 +0200:
> Thank you for your input.
> 
> Due to how convoluted the change in the configuration of FreeBSD would have
> been I had to completely change my infrastructure to match the vision my
> datacenter unilaterally imposed on me... So now I don't have this need 
> anymore.

Ok.  Glad you were able to solve your problem, though obviously not the way you
wanted to.

Just for the archives, this style of routing should work fine in FreeBSD.

> On Tue, 15 Sep 2020 12:10:52 -0700
> John-Mark Gurney  wrote:
> 
> > Abelenda Diego wrote this message on Thu, Sep 10, 2020 at 18:54 +0200:
> > > Hello,
> > > 
> > > Thank you for pointing route "-iface" however I can't seem to manage what 
> > > I
> > > want.
> > > 
> > > When I use:
> > > "route add -host $IP_NOT_IN_SUBNET -iface bce0"
> > > 
> > > I get "netstat -rn" to say someting like:
> > > 
> > > Internet:
> > > DestinationGateway   Flags Netif Expire
> > > default$UPSTREAM_GW  UGSbce0
> > > 10.0.0.1   link#7UHS lo0
> > > $IP_NO_IN_SUBNET   $MAC_ADDRESS_OF_BCE0  UHSbce0
> > > 
> > > 
> > > Which seem somehow appropriate, so I try to ping $IP_NOT_IN_SUBNET and I
> > > get:
> > > 
> > > root@opnsense2:~ # ping $IP_NOT_IN_SUBNET
> > > PING $IP_NOT_IN_SUBNET ($IP_NOT_IN_SUBNET): 56 data bytes
> > > 36 bytes from $UPSTREAM_GW: Redirect Host(New addr: $PUBLIC_IP_OF_BCE0).
> > > 
> > > Which doesn't seem appropriate at all wrt the routing table...
> > > 
> > > Did I use "route add" wrong?
> > > 
> > > Also I want to keep the setup simple, going through private IPs on the
> > > public VLAN of the datacenter might get me in trouble with them, and using
> > > other VLANs for that will be a pain.  
> > 
> > Can you provide a diagram of the network layout, and where the
> > configuration needs to go?  Because if it's just the opnsense box that
> > needs the IP addresses, adding them as an alias to bce is enough to
> > make it work.
> > 
> > If you're trying to do something else, like have boxes behind the
> > opnsense box have those IP addresses, then:
> > route add $IP_NO_IN_SUBNET $IP_OF_BOX_WITH_IP_NO_IN_SUBNET
> > 
> > would just work.
> > 
> > I just noticed the 10.0.0.1 IP on lo0, and that's a bit odd to have...
> > 
> > > On Wed, 9 Sep 2020 17:35:45 +0200
> > > kaycee gb  wrote:
> > >   
> > > > Le Wed, 9 Sep 2020 16:42:54 +0200,
> > > > Abelenda Diego  a écrit :
> > > >   
> > > > > Hello,
> > > > > 
> > > > > I've got a FreeBSD installation in a DataCenter that provided me with 
> > > > > a
> > > > > single address IPv4 with an upstream gateway (cidr is fine the 
> > > > > upstream
> > > > > gateway works everything is nice and running). I use this machine for
> > > > > Masquerading an private infrastructure.
> > > > > 
> > > > > Now I need other machines with public IPv4 and when I requested the
> > > > > additional IPv4 to the DataCenter, they gave me a bunch of /32 
> > > > > addresses
> > > > > saying that my previous IPv4 MUST be configured as next-hop on their
> > > > > side. From my understanding in FreeBSD the route command is unable to
> > > > > perform this kind of configuration where you tell that the IPv4 /32 is
> > > > > available without next-hop (no via) on a specific link. I know the
> > > > > linux "ip route add $IP dev $LINK" configures this, but I cannot seem
> > > > > to map this knowledge to FreeBSD.
> > > > > 
> > > > > Is it possible to perform this very special setup with any command on
> > > > > FreeBSD? If yes what is that command?
> > > > > 
> > > > > Best regards,
> > > > > Diego Abelenda
> > > > 
> > > > Hi,
> > > > 
> > > > Do the other machines have a private address ? Is it a problem if they
> > > > have one ? 
> > > > If it is possible, you can route via this private address on your 
> > > > FreeBSD
> > > > installation to the new one and assign a public/32 to the last.
> > > > 
> > > > Alternatively to doing routing like above, if you have a firewall 
> > > > enabled
> > > > on the first machine, you can do address forwarding between the first 
> > > > and
> > > > the new one. 
> > > > 
> > > > And last, maybe with something like -iface from "route" you can achieve
> > > > what you want.   


-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."


signature.asc
Description: PGP signature

Re: IP "routing" issue

2020-09-16 Thread Abelenda Diego 
Hello,

Thank you for your input.

Due to how convoluted the change in the configuration of FreeBSD would have
been I had to completely change my infrastructure to match the vision my
datacenter unilaterally imposed on me... So now I don't have this need anymore.

Best regards,
Diego Abelenda

On Tue, 15 Sep 2020 12:10:52 -0700
John-Mark Gurney  wrote:

> Abelenda Diego wrote this message on Thu, Sep 10, 2020 at 18:54 +0200:
> > Hello,
> > 
> > Thank you for pointing route "-iface" however I can't seem to manage what I
> > want.
> > 
> > When I use:
> > "route add -host $IP_NOT_IN_SUBNET -iface bce0"
> > 
> > I get "netstat -rn" to say someting like:
> > 
> > Internet:
> > DestinationGateway   Flags Netif Expire
> > default$UPSTREAM_GW  UGSbce0
> > 10.0.0.1   link#7UHS lo0
> > $IP_NO_IN_SUBNET   $MAC_ADDRESS_OF_BCE0  UHSbce0
> > 
> > 
> > Which seem somehow appropriate, so I try to ping $IP_NOT_IN_SUBNET and I
> > get:
> > 
> > root@opnsense2:~ # ping $IP_NOT_IN_SUBNET
> > PING $IP_NOT_IN_SUBNET ($IP_NOT_IN_SUBNET): 56 data bytes
> > 36 bytes from $UPSTREAM_GW: Redirect Host(New addr: $PUBLIC_IP_OF_BCE0).
> > 
> > Which doesn't seem appropriate at all wrt the routing table...
> > 
> > Did I use "route add" wrong?
> > 
> > Also I want to keep the setup simple, going through private IPs on the
> > public VLAN of the datacenter might get me in trouble with them, and using
> > other VLANs for that will be a pain.  
> 
> Can you provide a diagram of the network layout, and where the
> configuration needs to go?  Because if it's just the opnsense box that
> needs the IP addresses, adding them as an alias to bce is enough to
> make it work.
> 
> If you're trying to do something else, like have boxes behind the
> opnsense box have those IP addresses, then:
> route add $IP_NO_IN_SUBNET $IP_OF_BOX_WITH_IP_NO_IN_SUBNET
> 
> would just work.
> 
> I just noticed the 10.0.0.1 IP on lo0, and that's a bit odd to have...
> 
> > On Wed, 9 Sep 2020 17:35:45 +0200
> > kaycee gb  wrote:
> >   
> > > Le Wed, 9 Sep 2020 16:42:54 +0200,
> > > Abelenda Diego  a écrit :
> > >   
> > > > Hello,
> > > > 
> > > > I've got a FreeBSD installation in a DataCenter that provided me with a
> > > > single address IPv4 with an upstream gateway (cidr is fine the upstream
> > > > gateway works everything is nice and running). I use this machine for
> > > > Masquerading an private infrastructure.
> > > > 
> > > > Now I need other machines with public IPv4 and when I requested the
> > > > additional IPv4 to the DataCenter, they gave me a bunch of /32 addresses
> > > > saying that my previous IPv4 MUST be configured as next-hop on their
> > > > side. From my understanding in FreeBSD the route command is unable to
> > > > perform this kind of configuration where you tell that the IPv4 /32 is
> > > > available without next-hop (no via) on a specific link. I know the
> > > > linux "ip route add $IP dev $LINK" configures this, but I cannot seem
> > > > to map this knowledge to FreeBSD.
> > > > 
> > > > Is it possible to perform this very special setup with any command on
> > > > FreeBSD? If yes what is that command?
> > > > 
> > > > Best regards,
> > > > Diego Abelenda
> > > 
> > > Hi,
> > > 
> > > Do the other machines have a private address ? Is it a problem if they
> > > have one ? 
> > > If it is possible, you can route via this private address on your FreeBSD
> > > installation to the new one and assign a public/32 to the last.
> > > 
> > > Alternatively to doing routing like above, if you have a firewall enabled
> > > on the first machine, you can do address forwarding between the first and
> > > the new one. 
> > > 
> > > And last, maybe with something like -iface from "route" you can achieve
> > > what you want.   
> 



pgpIydq97MXm0.pgp
Description: OpenPGP digital signature

Re: IP "routing" issue

2020-09-15 Thread John-Mark Gurney 
Abelenda Diego wrote this message on Thu, Sep 10, 2020 at 18:54 +0200:
> Hello,
> 
> Thank you for pointing route "-iface" however I can't seem to manage what I
> want.
> 
> When I use:
> "route add -host $IP_NOT_IN_SUBNET -iface bce0"
> 
> I get "netstat -rn" to say someting like:
> 
> Internet:
> DestinationGateway   Flags Netif Expire
> default$UPSTREAM_GW  UGSbce0
> 10.0.0.1   link#7UHS lo0
> $IP_NO_IN_SUBNET   $MAC_ADDRESS_OF_BCE0  UHSbce0
> 
> 
> Which seem somehow appropriate, so I try to ping $IP_NOT_IN_SUBNET and I get:
> 
> root@opnsense2:~ # ping $IP_NOT_IN_SUBNET
> PING $IP_NOT_IN_SUBNET ($IP_NOT_IN_SUBNET): 56 data bytes
> 36 bytes from $UPSTREAM_GW: Redirect Host(New addr: $PUBLIC_IP_OF_BCE0).
> 
> Which doesn't seem appropriate at all wrt the routing table...
> 
> Did I use "route add" wrong?
> 
> Also I want to keep the setup simple, going through private IPs on the public 
> VLAN of the datacenter might get me in trouble with them, and using other 
> VLANs for that will be a pain.

Can you provide a diagram of the network layout, and where the
configuration needs to go?  Because if it's just the opnsense box that
needs the IP addresses, adding them as an alias to bce is enough to
make it work.

If you're trying to do something else, like have boxes behind the
opnsense box have those IP addresses, then:
route add $IP_NO_IN_SUBNET $IP_OF_BOX_WITH_IP_NO_IN_SUBNET

would just work.

I just noticed the 10.0.0.1 IP on lo0, and that's a bit odd to have...

> On Wed, 9 Sep 2020 17:35:45 +0200
> kaycee gb  wrote:
> 
> > Le Wed, 9 Sep 2020 16:42:54 +0200,
> > Abelenda Diego  a écrit :
> > 
> > > Hello,
> > > 
> > > I've got a FreeBSD installation in a DataCenter that provided me with a
> > > single address IPv4 with an upstream gateway (cidr is fine the upstream
> > > gateway works everything is nice and running). I use this machine for
> > > Masquerading an private infrastructure.
> > > 
> > > Now I need other machines with public IPv4 and when I requested the
> > > additional IPv4 to the DataCenter, they gave me a bunch of /32 addresses
> > > saying that my previous IPv4 MUST be configured as next-hop on their side.
> > > From my understanding in FreeBSD the route command is unable to perform 
> > > this
> > > kind of configuration where you tell that the IPv4 /32 is available 
> > > without
> > > next-hop (no via) on a specific link. I know the linux "ip route add $IP 
> > > dev
> > > $LINK" configures this, but I cannot seem to map this knowledge to 
> > > FreeBSD.
> > > 
> > > Is it possible to perform this very special setup with any command on
> > > FreeBSD? If yes what is that command?
> > > 
> > > Best regards,
> > > Diego Abelenda  
> > 
> > Hi,
> > 
> > Do the other machines have a private address ? Is it a problem if they have
> > one ? 
> > If it is possible, you can route via this private address on your FreeBSD
> > installation to the new one and assign a public/32 to the last.
> > 
> > Alternatively to doing routing like above, if you have a firewall enabled on
> > the first machine, you can do address forwarding between the first and the
> > new one. 
> > 
> > And last, maybe with something like -iface from "route" you can achieve what
> > you want. 

-- 
  John-Mark Gurney  Voice: +1 415 225 5579

 "All that I will do, has been done, All that I have, has not."


signature.asc
Description: PGP signature

Re: IP "routing" issue

2020-09-10 Thread Eugene Grosbein 
10.09.2020 23:54, Abelenda Diego wrote:

> Thank you for pointing route "-iface" however I can't seem to manage what I
> want.
> 
> When I use:
> "route add -host $IP_NOT_IN_SUBNET -iface bce0"
> 
> I get "netstat -rn" to say someting like:
> 
> Internet:
> DestinationGateway   Flags Netif Expire
> default$UPSTREAM_GW  UGSbce0
> 10.0.0.1   link#7UHS lo0
> $IP_NO_IN_SUBNET   $MAC_ADDRESS_OF_BCE0  UHSbce0
> 
> 
> Which seem somehow appropriate, so I try to ping $IP_NOT_IN_SUBNET and I get:
> 
> root@opnsense2:~ # ping $IP_NOT_IN_SUBNET
> PING $IP_NOT_IN_SUBNET ($IP_NOT_IN_SUBNET): 56 data bytes
> 36 bytes from $UPSTREAM_GW: Redirect Host(New addr: $PUBLIC_IP_OF_BCE0).
> 
> Which doesn't seem appropriate at all wrt the routing table...

Such route means that an attempt to send any packet to the IP in question
results in broadcast ARP query for destination IP sent out of bce0.

It seems your upstream has arp proxy enabled, so it sends ARP reply with its 
MAC address
making your host send IP packet to $UPSTREAM_GW, but its routing table points 
back
to your $PUBLIC_IP_OF_BCE0, hence redirection is generated.

You should not use "-iface bce0" but right interface name pointing to host 
having target IP address.
And if your own host has it, you do not need to add any route at all,
but assign additional IP as alias to bce0.
 
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: IP "routing" issue

2020-09-10 Thread Abelenda Diego 
Hello,

Thank you for pointing route "-iface" however I can't seem to manage what I
want.

When I use:
"route add -host $IP_NOT_IN_SUBNET -iface bce0"

I get "netstat -rn" to say someting like:

Internet:
DestinationGateway   Flags Netif Expire
default$UPSTREAM_GW  UGSbce0
10.0.0.1   link#7UHS lo0
$IP_NO_IN_SUBNET   $MAC_ADDRESS_OF_BCE0  UHSbce0


Which seem somehow appropriate, so I try to ping $IP_NOT_IN_SUBNET and I get:

root@opnsense2:~ # ping $IP_NOT_IN_SUBNET
PING $IP_NOT_IN_SUBNET ($IP_NOT_IN_SUBNET): 56 data bytes
36 bytes from $UPSTREAM_GW: Redirect Host(New addr: $PUBLIC_IP_OF_BCE0).

Which doesn't seem appropriate at all wrt the routing table...

Did I use "route add" wrong?

Also I want to keep the setup simple, going through private IPs on the public 
VLAN of the datacenter might get me in trouble with them, and using other VLANs 
for that will be a pain.

Best regards,
Diego Abelenda


On Wed, 9 Sep 2020 17:35:45 +0200
kaycee gb  wrote:

> Le Wed, 9 Sep 2020 16:42:54 +0200,
> Abelenda Diego  a écrit :
> 
> > Hello,
> > 
> > I've got a FreeBSD installation in a DataCenter that provided me with a
> > single address IPv4 with an upstream gateway (cidr is fine the upstream
> > gateway works everything is nice and running). I use this machine for
> > Masquerading an private infrastructure.
> > 
> > Now I need other machines with public IPv4 and when I requested the
> > additional IPv4 to the DataCenter, they gave me a bunch of /32 addresses
> > saying that my previous IPv4 MUST be configured as next-hop on their side.
> > From my understanding in FreeBSD the route command is unable to perform this
> > kind of configuration where you tell that the IPv4 /32 is available without
> > next-hop (no via) on a specific link. I know the linux "ip route add $IP dev
> > $LINK" configures this, but I cannot seem to map this knowledge to FreeBSD.
> > 
> > Is it possible to perform this very special setup with any command on
> > FreeBSD? If yes what is that command?
> > 
> > Best regards,
> > Diego Abelenda  
> 
> Hi,
> 
> Do the other machines have a private address ? Is it a problem if they have
> one ? 
> If it is possible, you can route via this private address on your FreeBSD
> installation to the new one and assign a public/32 to the last.
> 
> Alternatively to doing routing like above, if you have a firewall enabled on
> the first machine, you can do address forwarding between the first and the
> new one. 
> 
> And last, maybe with something like -iface from "route" you can achieve what
> you want. 
> 
> K.
> ___
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"



pgp160I9Yaio2.pgp
Description: OpenPGP digital signature

Re: IP "routing" issue

2020-09-09 Thread Eugene Grosbein 
09.09.2020 21:42, Abelenda Diego wrote:

> I've got a FreeBSD installation in a DataCenter that provided me with a single
> address IPv4 with an upstream gateway (cidr is fine the upstream gateway works
> everything is nice and running). I use this machine for Masquerading an 
> private
> infrastructure.
> 
> Now I need other machines with public IPv4 and when I requested the additional
> IPv4 to the DataCenter, they gave me a bunch of /32 addresses saying that
> my previous IPv4 MUST be configured as next-hop on their side.
> From my understanding in FreeBSD the route command is unable to perform this
> kind of configuration where you tell that the IPv4 /32 is available without
> next-hop (no via) on a specific link. I know the linux "ip route add $IP dev
> $LINK" configures this, but I cannot seem to map this knowledge to FreeBSD.
> 
> Is it possible to perform this very special setup with any command on FreeBSD?
> If yes what is that command?

This setup is not special and FreeBSD can do it, of course.

route add 1.1.1.1/32 2.2.2.2
route add 1.1.2.1/32 -iface vtnet0

In this example 2.2.2.2 plays role of your old public IP and 1.1.X.X are for 
new addresses
routed via 2.2.2.2 or directly to interface vtnet0. And there is rc.conf 
settings "static_routes" to create such setup:

static_routes="host1 host2 host3"
route_host1="1.1.1.1/32 2.2.2.2"
route_host2="1.1.2.1/32 -iface vtnet0"

This is documented with route(8) and rc.conf(5) manual pages.

In case of P2P interface such variants have no real difference other than
used way to specify outgoing interface: by next-hop address or by interface 
name.
P2P interface may have no address assigned for remote side.

In case of Ethernet-link interface the difference is related to underlying ARP 
protocol cache,
will it be asked for MAC address of specified next-hop or directly for MAC 
address of target like 1.1.2.1.


___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: IP "routing" issue

2020-09-09 Thread kaycee gb 
Le Wed, 9 Sep 2020 16:42:54 +0200,
Abelenda Diego  a écrit :

> Hello,
> 
> I've got a FreeBSD installation in a DataCenter that provided me with a single
> address IPv4 with an upstream gateway (cidr is fine the upstream gateway works
> everything is nice and running). I use this machine for Masquerading an
> private infrastructure.
> 
> Now I need other machines with public IPv4 and when I requested the additional
> IPv4 to the DataCenter, they gave me a bunch of /32 addresses saying that
> my previous IPv4 MUST be configured as next-hop on their side.
> From my understanding in FreeBSD the route command is unable to perform this
> kind of configuration where you tell that the IPv4 /32 is available without
> next-hop (no via) on a specific link. I know the linux "ip route add $IP dev
> $LINK" configures this, but I cannot seem to map this knowledge to FreeBSD.
> 
> Is it possible to perform this very special setup with any command on FreeBSD?
> If yes what is that command?
> 
> Best regards,
> Diego Abelenda

Hi,

Do the other machines have a private address ? Is it a problem if they have one
? 
If it is possible, you can route via this private address on your FreeBSD
installation to the new one and assign a public/32 to the last.

Alternatively to doing routing like above, if you have a firewall enabled on the
first machine, you can do address forwarding between the first and the new one. 

And last, maybe with something like -iface from "route" you can achieve what
you want. 

K.
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: IP "routing" issue

2020-09-09 Thread Abelenda Diego 
Hello Cristian,

Thank you for your pointer, however if I quote part of my question:
> From my understanding in FreeBSD the route command is unable to perform this
> kind of configuration where you tell that the IPv4 /32 is available without
> next-hop (no via) on a specific link.

I imply there that I read the man, tried quite a few things with the
"route" command and could not get anything out of it.

Best regards,
Diego Abelenda


On Wed, 9 Sep 2020 11:48:58 -0300
Cristian Cardoso  wrote:

> Hi
> The equivalent command in FreeBSD for the ip route is the route,
> follow manpage https://www.freebsd.org/cgi/man.cgi?route
> 
> Em qua., 9 de set. de 2020 às 11:43, Abelenda Diego
>  escreveu:
> >
> > Hello,
> >
> > I've got a FreeBSD installation in a DataCenter that provided me with a
> > single address IPv4 with an upstream gateway (cidr is fine the upstream
> > gateway works everything is nice and running). I use this machine for
> > Masquerading an private infrastructure.
> >
> > Now I need other machines with public IPv4 and when I requested the
> > additional IPv4 to the DataCenter, they gave me a bunch of /32 addresses
> > saying that my previous IPv4 MUST be configured as next-hop on their side.
> > From my understanding in FreeBSD the route command is unable to perform this
> > kind of configuration where you tell that the IPv4 /32 is available without
> > next-hop (no via) on a specific link. I know the linux "ip route add $IP dev
> > $LINK" configures this, but I cannot seem to map this knowledge to FreeBSD.
> >
> > Is it possible to perform this very special setup with any command on
> > FreeBSD? If yes what is that command?
> >
> > Best regards,
> > Diego Abelenda  



pgp1IPXqHWPpk.pgp
Description: OpenPGP digital signature

Re: IP "routing" issue

2020-09-09 Thread Cristian Cardoso 
Hi
The equivalent command in FreeBSD for the ip route is the route,
follow manpage https://www.freebsd.org/cgi/man.cgi?route

Em qua., 9 de set. de 2020 às 11:43, Abelenda Diego
 escreveu:
>
> Hello,
>
> I've got a FreeBSD installation in a DataCenter that provided me with a single
> address IPv4 with an upstream gateway (cidr is fine the upstream gateway works
> everything is nice and running). I use this machine for Masquerading an 
> private
> infrastructure.
>
> Now I need other machines with public IPv4 and when I requested the additional
> IPv4 to the DataCenter, they gave me a bunch of /32 addresses saying that
> my previous IPv4 MUST be configured as next-hop on their side.
> From my understanding in FreeBSD the route command is unable to perform this
> kind of configuration where you tell that the IPv4 /32 is available without
> next-hop (no via) on a specific link. I know the linux "ip route add $IP dev
> $LINK" configures this, but I cannot seem to map this knowledge to FreeBSD.
>
> Is it possible to perform this very special setup with any command on FreeBSD?
> If yes what is that command?
>
> Best regards,
> Diego Abelenda
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

IP "routing" issue

2020-09-09 Thread Abelenda Diego 
Hello,

I've got a FreeBSD installation in a DataCenter that provided me with a single
address IPv4 with an upstream gateway (cidr is fine the upstream gateway works
everything is nice and running). I use this machine for Masquerading an private
infrastructure.

Now I need other machines with public IPv4 and when I requested the additional
IPv4 to the DataCenter, they gave me a bunch of /32 addresses saying that
my previous IPv4 MUST be configured as next-hop on their side.
From my understanding in FreeBSD the route command is unable to perform this
kind of configuration where you tell that the IPv4 /32 is available without
next-hop (no via) on a specific link. I know the linux "ip route add $IP dev
$LINK" configures this, but I cannot seem to map this knowledge to FreeBSD.

Is it possible to perform this very special setup with any command on FreeBSD?
If yes what is that command?

Best regards,
Diego Abelenda


pgpE8UJnpiooh.pgp
Description: OpenPGP digital signature

[Differential] D8904: inet: Fix routing issue by calling if_up()

2017-01-05 Thread sepherosa_gmail.com (Sepherosa Ziehau) 
sepherosa_gmail.com abandoned this revision.

REVISION DETAIL
  https://reviews.freebsd.org/D8904

EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: sepherosa_gmail.com, delphij, royger, decui_microsoft.com, 
honzhan_microsoft.com, howard0su_gmail.com, adrian, bz, gnn, hiren, rwatson, 
karels, glebius
Cc: hrs, freebsd-net-list
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

[Differential] D8904: inet: Fix routing issue by calling if_up()

2017-01-05 Thread glebius (Gleb Smirnoff) 
glebius added a comment.


  I don't think that the patch is in the right direction. The problem comes 
from historical behavior that assigning an address is implicit UP. For a modern 
networking equipment it is a normal administrative situation that sysadmin 
wants to assign an address or an alias and at the same time don't implicitly 
bring the interface up. The problem get worse when you add CARP into the mix.
  
  For the sake of historical behavior preservation, I would prefer to see hacks 
to ifconfig(8) rather than to in_control(). Ifconfig could issue SIOCSIFFLAGS 
after SIOCAIFADDR for the sake of compatibility.
  
  In the projects/ifnet branch this all is somewhat resolved. The only place 
that writes IFF_UP is if_up() and drivers aren't allowed to do that. The 
if_init method disappears and logic of initing and assigning address is split. 
You may look into that branch.

REVISION DETAIL
  https://reviews.freebsd.org/D8904

EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: sepherosa_gmail.com, delphij, royger, decui_microsoft.com, 
honzhan_microsoft.com, howard0su_gmail.com, adrian, bz, gnn, hiren, rwatson, 
karels, glebius
Cc: hrs, freebsd-net-list
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

[Differential] D8904: inet: Fix routing issue by calling if_up()

2017-01-05 Thread sepherosa_gmail.com (Sepherosa Ziehau) 
sepherosa_gmail.com added a comment.


  In https://reviews.freebsd.org/D8904#185970, @karels wrote:
  
  > I think the change is a step in the right direction.  Certainly, "ifconfig 
xxN down" followed by an implicit UP should not cause any change to the routing 
table.  Does anyone know why the "down" is removing the route?  That seems 
wrong to me.
  
  
  IMHO, it's mainly because the radix tree only uses the target address to do 
the search.  So if you don't remove the prefix routes when bringing down the 
interface, radix search will end up w/ the route w/ a stopped interface; 
callers of the radix search don't have options to change this behaviour.
  
  If we don't delete the prefix routes if the interface is down, the following 
senario will not work:
  
GW --- NET_A --- if0 HOST1
 |if1
 | |
 + NET_B --+
  
  Given HOST1's default gwy is GW.  If if1 is brought down, but the NET_B's 
prefix route is not deleted, HOST1 will not be able to reach NET_B anymore, 
since the radix search always ends up w/ the route backed by if1.

REVISION DETAIL
  https://reviews.freebsd.org/D8904

EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: sepherosa_gmail.com, delphij, royger, decui_microsoft.com, 
honzhan_microsoft.com, howard0su_gmail.com, adrian, bz, gnn, hiren, glebius, 
rwatson, karels
Cc: hrs, freebsd-net-list
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

[Differential] D8904: inet: Fix routing issue by calling if_up()

2016-12-31 Thread karels (Mike Karels) 
karels added a comment.


  I think the change is a step in the right direction.  Certainly, "ifconfig 
xxN down" followed by an implicit UP should not cause any change to the routing 
table.  Does anyone know why the "down" is removing the route?  That seems 
wrong to me.

REVISION DETAIL
  https://reviews.freebsd.org/D8904

EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: sepherosa_gmail.com, delphij, royger, decui_microsoft.com, 
honzhan_microsoft.com, howard0su_gmail.com, adrian, bz, gnn, hiren, glebius, 
rwatson, karels
Cc: hrs, freebsd-net-list
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

[SOLVED] IPSec tunnel, VNET jail and routing issue

2016-12-27 Thread Michael Grimm 
Michael Grimm  wrote:

Nevermind, I solved my issue. I has been a minor typo with major consequences.

> Configuration (shown for hostA, only):
> 
>   setkey.conf
>   #  hostA  hostB 
>   hostA   hostB 
>   spdadd 10.1.1.0/2410.2.2.0/24 any -P out ipsec 
> esp/tunnel/1.2.3.4-10.20.30.40/require;

Contrarily to this example line above, my real setkey.conf has had an "in" 
instead of "out" :-( 

> Achieved sofar:
> 
>   #) Allowing arpproxy_all="YES" will satisfy ARP (MACs from opposite 
> VNET jails will become assigned). 
>I do not know if that is needed, but now ping from jails to the 
> opposite jails will at least start to send ICMP packages.

Now I have to state: yes, ARP proxying is mandatory in my setup.

Hmm, I need to learn more about ARP. Because now I do observe a lot of lines 
like …

|  mike kernel: arp: proxy: ignoring request from 10.1.1.1 
via epair1a

… and I do not know if I do have to be concerned about those. Do I?


Sorry for the noise!

Regards,
Michael

___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

IPSec tunnel, VNET jail and routing issue

2016-12-26 Thread Michael Grimm 
Hi --

I am referring to the following (simplified) setup:

[hostA /ix0 / 2001:dead::1 / 1.2.3.4] <= IPsec tunnel => [hostB / ix0 / 
2001:beef::10 / 10.20.30.40]
   || 
   ||
[jail1 / bridge0 / fd00:a::1 / 10.1.1.1] [jail1 / 
bridge0 / fd00:b::2 / 10.2.2.2]

All my jails are VNET jails, that use the bridge0 (epair) device. Thus, all 
IPv4 and IPv6 addresses of my local networks an A and B are bound to the 
bridge0 interface! But, the IPsec tunnel (via racoon) is anchored at public 
IPv4 addresses on ix0 at both hosts.

Task:
route all local traffic from hostA to hostB via the tunnel.

Working:
IPv6 traffic is running fine, meaning, that I can reach every jail from 
every host. That has been working for years.

Issue:
I recently wanted to extend my setup to local IPv4 addresses of my 
jails, and failed miserably.

Configuration (shown for hostA, only):

setkey.conf
#  hostA  hostB 
  hostA   hostB 
spdadd fd00:a::/64fd00:b::/64 any -P out ipsec 
esp/tunnel/1.2.3.4-10.20.30.40/require;
spdadd fd00:a::/642001:beef::/56  any -P out ipsec 
esp/tunnel/1.2.3.4-10.20.30.40/require;
spdadd 2001:dead::/56 fd00:b::/64 any -P out ipsec 
esp/tunnel/1.2.3.4-10.20.30.40/require;
#  hostB  hostA 
  hostB   hostA 
spdadd fd00:b::/64fd00:a::/64 any -P in  ipsec 
esp/tunnel/10.20.30.40-1.2.3.4/require;
spdadd fd00:b::/642001:dead::/56  any -P in  ipsec 
esp/tunnel/10.20.30.40-1.2.3.4/require;
spdadd 2001:beef::/56 fd00:a::/64 any -P in  ipsec 
esp/tunnel/10.20.30.40-1.2.3.4/require;
#  hostA  hostB 
  hostA   hostB 
spdadd 10.1.1.0/2410.2.2.0/24 any -P out ipsec 
esp/tunnel/1.2.3.4-10.20.30.40/require;
spdadd 10.1.1.0/2410.20.30.40 any -P out ipsec 
esp/tunnel/1.2.3.4-10.20.30.40/require;
spdadd 1.2.3.410.2.2.0/24 any -P out ipsec 
esp/tunnel/1.2.3.4-10.20.30.40/require;
#  hostB  hostA 
  hostB   hostA 
spdadd 10.2.2.0/2410.1.1.0/24 any -P in  ipsec 
esp/tunnel/10.20.30.40-1.2.3.4/require;
spdadd 10.2.2.0/241.2.3.4 any -P in  ipsec 
esp/tunnel/10.20.30.40-1.2.3.4/require;
spdadd 10.20.30.4010.1.1.0/24 any -P in  ipsec 
esp/tunnel/10.20.30.40-1.2.3.4/require;

There is no specific routing regarding the tunnel defined. All should 
be done by this spdadd's.

Achieved sofar:

#) I can reach each jail at the other site from the host.

#) Allowing arpproxy_all="YES" will satisfy ARP (MACs from opposite 
VNET jails will become assigned). 
   I do not know if that is needed, but now ping from jails to the 
opposite jails will at least start to send ICMP packages.

Unsolved issue:

I cannot reach opposite jails from another host's jail; e.g.: ping 
10.20.30.40 in jail1@hostA will not work.

Observations so far:

#) tcpdump shows for "ping 10.2.2.2 in jail1@hostA" ICMP traffic at the 
bridge0 at hostA:
IP 10.1.1.1 > 10.2.2.2: ICMP echo request, id 20099, seq 0, 
length 64 
   and at bridge0 at hostB:
IP 10.1.1.1 > 10.2.2.2: ICMP echo request, id 15233, seq 6, 
length 64 
IP 10.2.2.2 > 10.1.1.1: ICMP echo reply, id 15233, seq 6, 
length 64 

Hmm: hostA doesn't get an echo replay, although hostB did send one. 

#) tcpdump shows for "ping 10.2.2.2 at hostA" *no* ICMP traffic at 
hostA@bridge0 or hostA@ix0 but ICMP traffic at hostB@bridge0:
IP 1.2.3.4 > 10.2.2.2: ICMP echo request, id 60543, seq 0, 
length 64 
IP 10.2.2.2 > 1.2.3.4: ICMP echo reply, id 60543, seq 0, length 
64 

Hmm: it's working.

#) It looks to me as if the tunnel does not recognise "spdadd 
10.1.1.0/24 10.2.2.0/24" and vice versa settings because those IPs are bound to 
the bridge.

#) Whenever an IP bound to ix0 is involved (host to jail) the 
corresponding spdadd parts are recognised.

#) adding static routes like "add route 10.2.2.0/24 1.2.3.4" and alike 
do not solve my issue. 

Questions:

    #) Is this an issue with IPsec/racoon?
#) Is this a routing issue?
#) Why does IPv6 address space work (identical configuration regarding 
jails, firewalling, routing, et al.)
#) Any other idea?

S

[Differential] D8904: inet: Fix routing issue by calling if_up()

2016-12-25 Thread sepherosa_gmail.com (Sepherosa Ziehau) 
sepherosa_gmail.com added a comment.


  In https://reviews.freebsd.org/D8904#184430, @hrs wrote:
  
  > The cause is that the prefix route was removed by in_scrubprefix() in the 
PRC_IFDOWN handler and never reinstalled upon PRC_IFUP because the 
reinstallation  is done only for ifa passed to SIOCAIFADDR.  Just calling 
if_up(ifp) looks too heavy to me because it causes extra pr_ctlinput() calls of 
each protocol, not only inetdomain, in order to recover the routes.  What do 
you think about adding reinstalltion of the prefix routes in the protocol 
specific PRC_IFUP handler instead?
  
  
  Well, I believe it mirrors the behavior of 'ifconfig iface0 up'; w/o the 
if_up(), we just bring the interface up w/o notifying any domains, which 
probably is not intended.

REVISION DETAIL
  https://reviews.freebsd.org/D8904

EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: sepherosa_gmail.com, delphij, royger, decui_microsoft.com, 
honzhan_microsoft.com, howard0su_gmail.com, adrian, bz, gnn, hiren, glebius, 
rwatson, karels
Cc: hrs, freebsd-net-list
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

[Differential] D8904: inet: Fix routing issue by calling if_up()

2016-12-25 Thread hrs (Hiroki Sato) 
hrs added a comment.


  The cause is that the prefix route was removed by in_scrubprefix() in the 
PRC_IFDOWN handler and never reinstalled upon PRC_IFUP because the 
reinstallation  is done only for ifa passed to SIOCAIFADDR.  Just calling 
if_up(ifp) looks too heavy to me because it causes extra pr_ctlinput() calls of 
each protocol, not only inetdomain, in order to recover the routes.  What do 
you think about adding reinstalltion of the prefix routes in the protocol 
specific PRC_IFUP handler instead?

REVISION DETAIL
  https://reviews.freebsd.org/D8904

EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: sepherosa_gmail.com, delphij, royger, decui_microsoft.com, 
honzhan_microsoft.com, howard0su_gmail.com, adrian, bz, gnn, hiren, glebius, 
rwatson, karels
Cc: hrs, freebsd-net-list
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

[Differential] D8904: inet: Fix routing issue by calling if_up()

2016-12-25 Thread sepherosa_gmail.com (Sepherosa Ziehau) 
sepherosa_gmail.com created this revision.
sepherosa_gmail.com added reviewers: delphij, royger, decui_microsoft.com, 
honzhan_microsoft.com, howard0su_gmail.com, adrian, bz, gnn, hiren, glebius, 
rwatson, karels.
sepherosa_gmail.com added a subscriber: freebsd-net-list.

REVISION SUMMARY
This is mainly intended to fix the following case at least:

ifconfig iface0 192.168.5.1
ifconfig iface0 down
ifconfig iface0 alias 192.168.6.1

Before this commit, the related part of the routing table is:
192.168.5.1link#3 UHS lo0
192.168.6.0/24 link#3 U   hn1
192.168.6.1link#3 UHS lo0

The 192.168.5.0/24 can't be reached.

After this fix, the related part of the routing table is:
192.168.5.0/24 link#3 U   hn1
192.168.5.1link#3 UHS lo0
192.168.6.0/24 link#3 U   hn1
192.168.6.1link#3 UHS lo0

Everything works as expected.

REVISION DETAIL
  https://reviews.freebsd.org/D8904

AFFECTED FILES
  sys/netinet/in.c

CHANGE DETAILS

diff --git a/sys/netinet/in.c b/sys/netinet/in.c
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@@ -228,7 +228,7 @@
struct sockaddr_in *addr = (struct sockaddr_in *)>ifr_addr;
struct ifaddr *ifa;
struct in_ifaddr *ia;
-   int error;
+   int error, was_up = 0;
 
if (ifp == NULL)
return (EADDRNOTAVAIL);
@@ -250,9 +250,13 @@
return (error);
case OSIOCAIFADDR:  /* 9.x compat */
case SIOCAIFADDR:
+   if (ifp->if_flags & IFF_UP)
+   was_up = 1;
sx_xlock(_control_sx);
error = in_aifaddr_ioctl(cmd, data, ifp, td);
sx_xunlock(_control_sx);
+   if (!was_up && (ifp->if_flags & IFF_UP))
+   if_up(ifp);
return (error);
case SIOCSIFADDR:
case SIOCSIFBRDADDR:



EMAIL PREFERENCES
  https://reviews.freebsd.org/settings/panel/emailpreferences/

To: sepherosa_gmail.com, delphij, royger, decui_microsoft.com, 
honzhan_microsoft.com, howard0su_gmail.com, adrian, bz, gnn, hiren, glebius, 
rwatson, karels
Cc: freebsd-net-list
diff --git a/sys/netinet/in.c b/sys/netinet/in.c
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@@ -228,7 +228,7 @@
 	struct sockaddr_in *addr = (struct sockaddr_in *)>ifr_addr;
 	struct ifaddr *ifa;
 	struct in_ifaddr *ia;
-	int error;
+	int error, was_up = 0;
 
 	if (ifp == NULL)
 		return (EADDRNOTAVAIL);
@@ -250,9 +250,13 @@
 		return (error);
 	case OSIOCAIFADDR:	/* 9.x compat */
 	case SIOCAIFADDR:
+		if (ifp->if_flags & IFF_UP)
+			was_up = 1;
 		sx_xlock(_control_sx);
 		error = in_aifaddr_ioctl(cmd, data, ifp, td);
 		sx_xunlock(_control_sx);
+		if (!was_up && (ifp->if_flags & IFF_UP))
+			if_up(ifp);
 		return (error);
 	case SIOCSIFADDR:
 	case SIOCSIFBRDADDR:

___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

[Bug 207877] routing issue (some routes seem to stop being effective after some period)

2016-04-04 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207877

Mark Linimon  changed:

   What|Removed |Added

   Assignee|freebsd-b...@freebsd.org|freebsd-net@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: routing issue

2016-03-04 Thread Pakhom Golynga 



04.03.2016 22:16, Julian Elischer пишет:

On 3/03/2016 2:38 AM, Pakhom Golynga wrote:

Hello all!

Please help me to investigate this issue.
I have problem on 10.2-RELEASE-p12 with multiple network interfaces 
and PF (rules, NAT)

# ifconfig
<--cut-->
em0: flags=8843 metric 0 mtu 
1500
options=4209b 


ether 00:25:90:64:14:50
inet 172.27.27.254 netmask 0xff00 broadcast 172.27.27.255
inet 172.27.27.240 netmask 0x broadcast 172.27.27.240
inet 172.27.27.252 netmask 0x broadcast 172.27.27.252
inet 172.27.27.251 netmask 0x broadcast 172.27.27.251
inet 172.27.27.250 netmask 0x broadcast 172.27.27.250
inet 172.27.27.249 netmask 0x broadcast 172.27.27.249
inet 172.27.27.248 netmask 0x broadcast 172.27.27.248
inet 172.27.27.247 netmask 0x broadcast 172.27.27.247
inet 172.27.27.246 netmask 0x broadcast 172.27.27.246
inet 172.27.27.245 netmask 0x broadcast 172.27.27.245
inet 172.27.27.244 netmask 0x broadcast 172.27.27.244
inet 172.27.27.243 netmask 0x broadcast 172.27.27.243
inet 172.27.27.242 netmask 0x broadcast 172.27.27.242
inet 172.27.27.241 netmask 0x broadcast 172.27.27.241
inet 172.27.27.239 netmask 0x broadcast 172.27.27.239
inet 172.27.27.238 netmask 0x broadcast 172.27.27.238
inet 172.27.27.237 netmask 0x broadcast 172.27.27.237
inet 172.27.27.236 netmask 0x broadcast 172.27.27.236
inet 172.27.27.235 netmask 0x broadcast 172.27.27.235
media: Ethernet autoselect (1000baseT )
status: active
em1: flags=8943 
metric 0 mtu 1500
options=4209b 


ether 00:25:90:64:14:51
inet 10.24.44.50 netmask 0xfc00 broadcast 10.24.47.255
media: Ethernet autoselect (100baseTX )
status: active
<--cut-->

em0 - local network. Aliases on em0 for Jail's
em1 - connected to ISP

This configuration successfully operate a long time but recently (for 
no apparent reason) suddenly became manifest bug with routing.
Regardless from uptime (sometimes 12 hours, and maybe a couple of 
days) after a certain time the traffic running between jails begins 
to route via em1 (instead lo0 (net.link.ether.inet.useloopback=1)):


this sounds much like another report we have seen.
you may be able to fix it by re-adding your routes..

The report  I have seen suggested that some routes seem to stop being 
effective after some period.

It's  still not understood.



Can I help with it? The issue is often reproduce on my system.



# tcpdump -n -e -ttt -i em1 host 172.27.27.252 or host 172.27.27.247 
or host 172.27.27.248
00:00:00.054989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags 
[S], seq 2075254199, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161568673 ecr 0], length 0
00:00:00.318036 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.60176: Flags 
[.], ack 772660872, win 1275, options [nop,nop,TS val 1737287913 ecr 
161568991], length 0
00:00:00.036971 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.33080: Flags 
[.], ack 1, win 1275, options [nop,nop,TS val 1701623130 ecr 
161568238], length 0
00:00:00.050001 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.40200: Flags 
[.], ack 1, win 1275, options [nop,nop,TS val 1477098721 ecr 
161568288], length 0
00:00:02.794992 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags 
[S], seq 2075254199, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161571873 ecr 0], length 0
00:00:03.312026 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: Flags 
[S], seq 1217253021, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161575185 ecr 0], length 0
00:00:02.887982 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags 
[S], seq 2075254199, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161578073 ecr 0], length 0
00:00:00.111989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: Flags 
[S], seq 1217253021, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161578185 ecr 0], length 0
00:00:03.471007 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length

Re: routing issue

2016-03-04 Thread Julian Elischer 

On 3/03/2016 2:38 AM, Pakhom Golynga wrote:

Hello all!

Please help me to investigate this issue.
I have problem on 10.2-RELEASE-p12 with multiple network interfaces 
and PF (rules, NAT)

# ifconfig
<--cut-->
em0: flags=8843 metric 0 mtu 
1500
options=4209b 


ether 00:25:90:64:14:50
inet 172.27.27.254 netmask 0xff00 broadcast 172.27.27.255
inet 172.27.27.240 netmask 0x broadcast 172.27.27.240
inet 172.27.27.252 netmask 0x broadcast 172.27.27.252
inet 172.27.27.251 netmask 0x broadcast 172.27.27.251
inet 172.27.27.250 netmask 0x broadcast 172.27.27.250
inet 172.27.27.249 netmask 0x broadcast 172.27.27.249
inet 172.27.27.248 netmask 0x broadcast 172.27.27.248
inet 172.27.27.247 netmask 0x broadcast 172.27.27.247
inet 172.27.27.246 netmask 0x broadcast 172.27.27.246
inet 172.27.27.245 netmask 0x broadcast 172.27.27.245
inet 172.27.27.244 netmask 0x broadcast 172.27.27.244
inet 172.27.27.243 netmask 0x broadcast 172.27.27.243
inet 172.27.27.242 netmask 0x broadcast 172.27.27.242
inet 172.27.27.241 netmask 0x broadcast 172.27.27.241
inet 172.27.27.239 netmask 0x broadcast 172.27.27.239
inet 172.27.27.238 netmask 0x broadcast 172.27.27.238
inet 172.27.27.237 netmask 0x broadcast 172.27.27.237
inet 172.27.27.236 netmask 0x broadcast 172.27.27.236
inet 172.27.27.235 netmask 0x broadcast 172.27.27.235
media: Ethernet autoselect (1000baseT )
status: active
em1: flags=8943 
metric 0 mtu 1500
options=4209b 


ether 00:25:90:64:14:51
inet 10.24.44.50 netmask 0xfc00 broadcast 10.24.47.255
media: Ethernet autoselect (100baseTX )
status: active
<--cut-->

em0 - local network. Aliases on em0 for Jail's
em1 - connected to ISP

This configuration successfully operate a long time but recently 
(for no apparent reason) suddenly became manifest bug with routing.
Regardless from uptime (sometimes 12 hours, and maybe a couple of 
days) after a certain time the traffic running between jails begins 
to route via em1 (instead lo0 (net.link.ether.inet.useloopback=1)):


this sounds much like another report we have seen.
you may be able to fix it by re-adding your routes..

The report  I have seen suggested that some routes seem to stop being 
effective after some period.

It's  still not understood.


# tcpdump -n -e -ttt -i em1 host 172.27.27.252 or host 172.27.27.247 
or host 172.27.27.248
00:00:00.054989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: 
Flags [S], seq 2075254199, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161568673 ecr 0], length 0
00:00:00.318036 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.60176: 
Flags [.], ack 772660872, win 1275, options [nop,nop,TS val 
1737287913 ecr 161568991], length 0
00:00:00.036971 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.33080: 
Flags [.], ack 1, win 1275, options [nop,nop,TS val 1701623130 ecr 
161568238], length 0
00:00:00.050001 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.40200: 
Flags [.], ack 1, win 1275, options [nop,nop,TS val 1477098721 ecr 
161568288], length 0
00:00:02.794992 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: 
Flags [S], seq 2075254199, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161571873 ecr 0], length 0
00:00:03.312026 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: 
Flags [S], seq 1217253021, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161575185 ecr 0], length 0
00:00:02.887982 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: 
Flags [S], seq 2075254199, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161578073 ecr 0], length 0
00:00:00.111989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: 
Flags [S], seq 1217253021, win 65535, options [mss 16344,nop,wscale 
6,sackOK,TS val 161578185 ecr 0], length 0
00:00:03.471007 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype 
IPv4 (0x0800), length 108: 172.27.27.247.80 > 172.27.27.248.26056: 
Flags [FP.], seq 1448:1490, ack 1, win 1275, options [nop,nop,TS

routing issue

2016-03-03 Thread Pakhom Golynga 

Hello all!

Please help me to investigate this issue.
I have problem on 10.2-RELEASE-p12 with multiple network interfaces and 
PF (rules, NAT)

# ifconfig
<--cut-->
em0: flags=8843 metric 0 mtu 1500
options=4209b 


ether 00:25:90:64:14:50
inet 172.27.27.254 netmask 0xff00 broadcast 172.27.27.255
inet 172.27.27.240 netmask 0x broadcast 172.27.27.240
inet 172.27.27.252 netmask 0x broadcast 172.27.27.252
inet 172.27.27.251 netmask 0x broadcast 172.27.27.251
inet 172.27.27.250 netmask 0x broadcast 172.27.27.250
inet 172.27.27.249 netmask 0x broadcast 172.27.27.249
inet 172.27.27.248 netmask 0x broadcast 172.27.27.248
inet 172.27.27.247 netmask 0x broadcast 172.27.27.247
inet 172.27.27.246 netmask 0x broadcast 172.27.27.246
inet 172.27.27.245 netmask 0x broadcast 172.27.27.245
inet 172.27.27.244 netmask 0x broadcast 172.27.27.244
inet 172.27.27.243 netmask 0x broadcast 172.27.27.243
inet 172.27.27.242 netmask 0x broadcast 172.27.27.242
inet 172.27.27.241 netmask 0x broadcast 172.27.27.241
inet 172.27.27.239 netmask 0x broadcast 172.27.27.239
inet 172.27.27.238 netmask 0x broadcast 172.27.27.238
inet 172.27.27.237 netmask 0x broadcast 172.27.27.237
inet 172.27.27.236 netmask 0x broadcast 172.27.27.236
inet 172.27.27.235 netmask 0x broadcast 172.27.27.235
media: Ethernet autoselect (1000baseT )
status: active
em1: flags=8943 metric 0 
mtu 1500
options=4209b 


ether 00:25:90:64:14:51
inet 10.24.44.50 netmask 0xfc00 broadcast 10.24.47.255
media: Ethernet autoselect (100baseTX )
status: active
<--cut-->

em0 - local network. Aliases on em0 for Jail's
em1 - connected to ISP

This configuration successfully operate a long time but recently (for no 
apparent reason) suddenly became manifest bug with routing.
Regardless from uptime (sometimes 12 hours, and maybe a couple of days) 
after a certain time the traffic running between jails begins to route 
via em1 (instead lo0 (net.link.ether.inet.useloopback=1)):
# tcpdump -n -e -ttt -i em1 host 172.27.27.252 or host 172.27.27.247 or 
host 172.27.27.248
00:00:00.054989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161568673 ecr 0], length 0
00:00:00.318036 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.60176: Flags [.], 
ack 772660872, win 1275, options [nop,nop,TS val 1737287913 ecr 
161568991], length 0
00:00:00.036971 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.33080: Flags [.], 
ack 1, win 1275, options [nop,nop,TS val 1701623130 ecr 161568238], length 0
00:00:00.050001 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.40200: Flags [.], 
ack 1, win 1275, options [nop,nop,TS val 1477098721 ecr 161568288], length 0
00:00:02.794992 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161571873 ecr 0], length 0
00:00:03.312026 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: Flags [S], 
seq 1217253021, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161575185 ecr 0], length 0
00:00:02.887982 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161578073 ecr 0], length 0
00:00:00.111989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: Flags [S], 
seq 1217253021, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161578185 ecr 0], length 0
00:00:03.471007 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 108: 172.27.27.247.80 > 172.27.27.248.26056: Flags 
[FP.], seq 1448:1490, ack 1, win 1275, options [nop,nop,TS val 
2142270801 ecr 161575507], length 42


In the same time:
# route -vn get -host
RTA_DST: inet 172.27.27.247; RTA_IFP: link ; RTM_GET: Report Metrics: 
len 224, pid: 0, seq 1, errno 0, flags:

locks:  inits:
sockaddrs: 
 172.27.27.247 link#0
   route

routing issue

2016-03-03 Thread Pakhom Golynga 

Hello all!

Please help me to investigate this issue.
I have problem on 10.2-RELEASE-p12 with multiple network interfaces and 
PF (rules, NAT)

# ifconfig
<--cut-->
em0: flags=8843 metric 0 mtu 1500
options=4209b 


ether 00:25:90:64:14:50
inet 172.27.27.254 netmask 0xff00 broadcast 172.27.27.255
inet 172.27.27.240 netmask 0x broadcast 172.27.27.240
inet 172.27.27.252 netmask 0x broadcast 172.27.27.252
inet 172.27.27.251 netmask 0x broadcast 172.27.27.251
inet 172.27.27.250 netmask 0x broadcast 172.27.27.250
inet 172.27.27.249 netmask 0x broadcast 172.27.27.249
inet 172.27.27.248 netmask 0x broadcast 172.27.27.248
inet 172.27.27.247 netmask 0x broadcast 172.27.27.247
inet 172.27.27.246 netmask 0x broadcast 172.27.27.246
inet 172.27.27.245 netmask 0x broadcast 172.27.27.245
inet 172.27.27.244 netmask 0x broadcast 172.27.27.244
inet 172.27.27.243 netmask 0x broadcast 172.27.27.243
inet 172.27.27.242 netmask 0x broadcast 172.27.27.242
inet 172.27.27.241 netmask 0x broadcast 172.27.27.241
inet 172.27.27.239 netmask 0x broadcast 172.27.27.239
inet 172.27.27.238 netmask 0x broadcast 172.27.27.238
inet 172.27.27.237 netmask 0x broadcast 172.27.27.237
inet 172.27.27.236 netmask 0x broadcast 172.27.27.236
inet 172.27.27.235 netmask 0x broadcast 172.27.27.235
media: Ethernet autoselect (1000baseT )
status: active
em1: flags=8943 metric 0 
mtu 1500
options=4209b 


ether 00:25:90:64:14:51
inet 10.24.44.50 netmask 0xfc00 broadcast 10.24.47.255
media: Ethernet autoselect (100baseTX )
status: active
<--cut-->

em0 - local network. Aliases on em0 for Jail's
em1 - connected to ISP

This configuration successfully operate a long time but recently (for no 
apparent reason) suddenly became manifest bug with routing.
Regardless from uptime (sometimes 12 hours, and maybe a couple of days) 
after a certain time the traffic running between jails begins to route 
via em1 (instead lo0 (net.link.ether.inet.useloopback=1)):
# tcpdump -n -e -ttt -i em1 host 172.27.27.252 or host 172.27.27.247 or 
host 172.27.27.248
00:00:00.054989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161568673 ecr 0], length 0
00:00:00.318036 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.60176: Flags [.], 
ack 772660872, win 1275, options [nop,nop,TS val 1737287913 ecr 
161568991], length 0
00:00:00.036971 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.33080: Flags [.], 
ack 1, win 1275, options [nop,nop,TS val 1701623130 ecr 161568238], length 0
00:00:00.050001 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.40200: Flags [.], 
ack 1, win 1275, options [nop,nop,TS val 1477098721 ecr 161568288], length 0
00:00:02.794992 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161571873 ecr 0], length 0
00:00:03.312026 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: Flags [S], 
seq 1217253021, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161575185 ecr 0], length 0
00:00:02.887982 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161578073 ecr 0], length 0
00:00:00.111989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: Flags [S], 
seq 1217253021, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161578185 ecr 0], length 0
00:00:03.471007 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 108: 172.27.27.247.80 > 172.27.27.248.26056: Flags 
[FP.], seq 1448:1490, ack 1, win 1275, options [nop,nop,TS val 
2142270801 ecr 161575507], length 42


In the same time:
# route -vn get -host
RTA_DST: inet 172.27.27.247; RTA_IFP: link ; RTM_GET: Report Metrics: 
len 224, pid: 0, seq 1, errno 0, flags:

locks:  inits:
sockaddrs: 
 172.27.27.247 link#0
   route

routing issue

2016-03-03 Thread Pakhom Golynga 

Hello all!

Please help me to investigate this issue.
I have problem on 10.2-RELEASE-p12 with multiple network interfaces and 
PF (rules, NAT)

# ifconfig
<--cut-->
em0: flags=8843 metric 0 mtu 1500
options=4209b 


ether 00:25:90:64:14:50
inet 172.27.27.254 netmask 0xff00 broadcast 172.27.27.255
inet 172.27.27.240 netmask 0x broadcast 172.27.27.240
inet 172.27.27.252 netmask 0x broadcast 172.27.27.252
inet 172.27.27.251 netmask 0x broadcast 172.27.27.251
inet 172.27.27.250 netmask 0x broadcast 172.27.27.250
inet 172.27.27.249 netmask 0x broadcast 172.27.27.249
inet 172.27.27.248 netmask 0x broadcast 172.27.27.248
inet 172.27.27.247 netmask 0x broadcast 172.27.27.247
inet 172.27.27.246 netmask 0x broadcast 172.27.27.246
inet 172.27.27.245 netmask 0x broadcast 172.27.27.245
inet 172.27.27.244 netmask 0x broadcast 172.27.27.244
inet 172.27.27.243 netmask 0x broadcast 172.27.27.243
inet 172.27.27.242 netmask 0x broadcast 172.27.27.242
inet 172.27.27.241 netmask 0x broadcast 172.27.27.241
inet 172.27.27.239 netmask 0x broadcast 172.27.27.239
inet 172.27.27.238 netmask 0x broadcast 172.27.27.238
inet 172.27.27.237 netmask 0x broadcast 172.27.27.237
inet 172.27.27.236 netmask 0x broadcast 172.27.27.236
inet 172.27.27.235 netmask 0x broadcast 172.27.27.235
media: Ethernet autoselect (1000baseT )
status: active
em1: flags=8943 metric 0 
mtu 1500
options=4209b 


ether 00:25:90:64:14:51
inet 10.24.44.50 netmask 0xfc00 broadcast 10.24.47.255
media: Ethernet autoselect (100baseTX )
status: active
<--cut-->

em0 - local network. Aliases on em0 for Jail's
em1 - connected to ISP

This configuration successfully operate a long time but recently (for no 
apparent reason) suddenly became manifest bug with routing.
Regardless from uptime (sometimes 12 hours, and maybe a couple of days) 
after a certain time the traffic running between jails begins to route 
via em1 (instead lo0 (net.link.ether.inet.useloopback=1)):
# tcpdump -n -e -ttt -i em1 host 172.27.27.252 or host 172.27.27.247 or 
host 172.27.27.248
00:00:00.054989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161568673 ecr 0], length 0
00:00:00.318036 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.60176: Flags [.], 
ack 772660872, win 1275, options [nop,nop,TS val 1737287913 ecr 
161568991], length 0
00:00:00.036971 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.33080: Flags [.], 
ack 1, win 1275, options [nop,nop,TS val 1701623130 ecr 161568238], 
length 0
00:00:00.050001 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 66: 172.27.27.247.80 > 172.27.27.248.40200: Flags [.], 
ack 1, win 1275, options [nop,nop,TS val 1477098721 ecr 161568288], 
length 0
00:00:02.794992 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161571873 ecr 0], length 0
00:00:03.312026 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: Flags [S], 
seq 1217253021, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161575185 ecr 0], length 0
00:00:02.887982 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.24868 > 172.27.27.252.25: Flags [S], 
seq 2075254199, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161578073 ecr 0], length 0
00:00:00.111989 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 74: 172.27.27.247.29581 > 172.27.27.252.25: Flags [S], 
seq 1217253021, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 
161578185 ecr 0], length 0
00:00:03.471007 00:25:90:64:14:51 > 68:bd:ab:5f:ea:d8, ethertype IPv4 
(0x0800), length 108: 172.27.27.247.80 > 172.27.27.248.26056: Flags 
[FP.], seq 1448:1490, ack 1, win 1275, options [nop,nop,TS val 
2142270801 ecr 161575507], length 42


In the same time:
# route -vn get -host
RTA_DST: inet 172.27.27.247; RTA_IFP: link ; RTM_GET: Report Metrics: 
len 224, pid: 0, seq 1, errno 0, flags:

locks:  inits:
sockaddrs: 
 172.27.27.247 link#0

Re: IPSEC MTU routing issue

2015-01-23 Thread VANHULLEBUS Yvan 
Hi.

On Wed, Jan 21, 2015 at 03:16:21PM +0100, Andrei Brezan wrote:
 Weird subject, maybe.
 
 I'm running FreeBSD-10.0-RELEASE with PF as firewall and racoon for
 IPSEC. The IPSEC tunnel is between the FreeBSD box and a Fortinet
 appliance.
 
 The IPSEC tunnel comes up and on a quick test it seems to be
 working, icmp between networks is ok, you can successfully telnet on
 services on the other side. However when you need to transfer some
 data strange things happen. I'm really trying to wrap my head around
 it and I still don't understand why it happens
 (http://pastebin.com/NAspcM9w). The packets smaller than 1260 and
 larger than 1417 are delivered to vlan103, the ones in between are
 not.

I'm not sure why do you have this strange issue.
Having a look at your IPsec/ESP related kernel stats may give a first
idea.


But I know that, even if you find a fix for this, you'll have very
poor performances as soon as packets start to be fragmented, and your
data transferts may just stall forever.

So, the usual way of solving that is to change the TCPMSS low enough
on the fly for all IPsec related trafic.
1300 is a common value, low enough to avoid fragmentation, and high
enough to keep good throughput.

Of course, this will only works for TCP, but most big packets / long
flows are done on TCP.


Yvan.

 If anyone has any idea why this might happen please shed some light.
 
 # tcpdump -nttti gif0
 
 00:00:00.00 IP a.b.c.d  e.f.g.h: ICMP echo request, id
 21034, seq 1, length 1108
 00:00:43.603248 IP a.b.c.d  e.f.g.h: ICMP echo request, id
 22826, seq 1, length 1308
 
 # tcpdump -nttti enc0
 
 00:00:00.00 (authentic,confidential): SPI 0x0d06e35d: IP
 109.235.79.81  193.239.202.174: IP a.b.c.d  e.f.g.h: ICMP echo
 request, id 21034, seq 1, length 1108 (ipip-proto-4)
 00:00:00.000139 (authentic,confidential): SPI 0x86741d6b: IP
 e.f.g.h  a.b.c.d: ICMP echo reply, id 21034, seq 1, length 1108
 00:00:00.06 (authentic,confidential): SPI 0x86741d6b: IP
 193.239.202.174  109.235.79.81: IP e.f.g.h  a.b.c.d: ICMP echo
 reply, id 21034, seq 1, length 1108 (ipip-proto-4)
 00:00:43.603102 (authentic,confidential): SPI 0x0d06e35d: IP
 109.235.79.81  193.239.202.174: IP a.b.c.d  e.f.g.h: ICMP echo
 request, id 22826, seq 1, length 1308 (ipip-proto-4)
 
 # tcpdump -nttti vlan103 host a.b.c.d
 
 00:00:00.00 IP a.b.c.d  e.f.g.h: ICMP echo request, id
 21034, seq 1, length 1108
 00:00:00.000109 IP e.f.g.h  a.b.c.d: ICMP echo reply, id 21034,
 seq 1, length 1108
 
 Thanks,
 
 -- 
 Andrei
 ___
 freebsd-net@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-net
 To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

IPSEC MTU routing issue

2015-01-21 Thread Andrei Brezan 

Weird subject, maybe.

I'm running FreeBSD-10.0-RELEASE with PF as firewall and racoon for 
IPSEC. The IPSEC tunnel is between the FreeBSD box and a Fortinet appliance.


The IPSEC tunnel comes up and on a quick test it seems to be working, 
icmp between networks is ok, you can successfully telnet on services on 
the other side. However when you need to transfer some data strange 
things happen. I'm really trying to wrap my head around it and I still 
don't understand why it happens (http://pastebin.com/NAspcM9w). The 
packets smaller than 1260 and larger than 1417 are delivered to vlan103, 
the ones in between are not.


If anyone has any idea why this might happen please shed some light.

# tcpdump -nttti gif0

00:00:00.00 IP a.b.c.d  e.f.g.h: ICMP echo request, id 21034, 
seq 1, length 1108
00:00:43.603248 IP a.b.c.d  e.f.g.h: ICMP echo request, id 22826, 
seq 1, length 1308


# tcpdump -nttti enc0

00:00:00.00 (authentic,confidential): SPI 0x0d06e35d: IP 
109.235.79.81  193.239.202.174: IP a.b.c.d  e.f.g.h: ICMP echo 
request, id 21034, seq 1, length 1108 (ipip-proto-4)
00:00:00.000139 (authentic,confidential): SPI 0x86741d6b: IP e.f.g.h  
a.b.c.d: ICMP echo reply, id 21034, seq 1, length 1108
00:00:00.06 (authentic,confidential): SPI 0x86741d6b: IP 
193.239.202.174  109.235.79.81: IP e.f.g.h  a.b.c.d: ICMP echo 
reply, id 21034, seq 1, length 1108 (ipip-proto-4)
00:00:43.603102 (authentic,confidential): SPI 0x0d06e35d: IP 
109.235.79.81  193.239.202.174: IP a.b.c.d  e.f.g.h: ICMP echo 
request, id 22826, seq 1, length 1308 (ipip-proto-4)


# tcpdump -nttti vlan103 host a.b.c.d

00:00:00.00 IP a.b.c.d  e.f.g.h: ICMP echo request, id 21034, 
seq 1, length 1108
00:00:00.000109 IP e.f.g.h  a.b.c.d: ICMP echo reply, id 21034, seq 
1, length 1108


Thanks,

--
Andrei
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-04-07 Thread Andreas Nilsson 
On Wed, Mar 26, 2014 at 5:42 PM, Andreas Nilsson andrn...@gmail.com wrote:

  ... snip ...


 I'm wondering what's happening on the outbound path, most of your rules
 handle inbound (to kernel) and it seems that rule 65535 deals with most
 outbound, except those specifically acting on both paths.

 So do I :)


 Maybe try adding to the above:
 ipfw add 63510 count log ip from table(1) to any out recv table(8)
 and
 ipfw add 64510 count log ip from table(1) to any out recv table(8)

 which should catch them on the outbound path before the default rule;
 outbound packets have both receive and transmit interfaces available.

 They never get that far :( Those rules log nothing. So I see the packet
 coming in, triggering the skipto, triggering the count log ... in recv but
 not the count log ... out.


 I guess you're sure that these packets are actually going out to some
 external address, not a localhost or alias address (which of course are
 received and not sent out anywhere)?

 Yes, when the go through they go to external address, which is in the
 routing table.


 I guess the above new log lines should show the interface (if any)
 these packets are leaving on, after routing (maybe a routing issue?)

 Good luck hunting.  If in doubt, throw ever more logging at it! :)  And
 please let the list know if you solve it - or not!

 cheers, Ian


 To make it even more interesting, it tested this on another machine,
 where I'm unable to reproduce this problem. I'm thinking that a reboot
 might help, but this is kind of fascinating so I would like to actually
 find the cause. I will investigate further.

 Best regards
 Andreas


 And now it happened on another machine, but different type of traffic.
 Traffic triggering the divert rule work fine, some traffic not triggering
 the divert rule does not. After everything works as expected.

 Before reboot I flushed the firewall so that only default rule was in play
 ( allow all from any to any ), and then *no* traffic for that destination
 went out of the box.

 There are something like ~1000 routes in the routing table. Routes are
 added and removed according to some triggers, so during uptime of the
 machine there is a bit of messing with the routing table. At this stage I'm
 at a loss on how to continue investigating this, so I'll just implement the
 forwarding via fwd rules in ipfw and altogether ignore the routing table.

 Best regards
 Andreas


Ok, found the culprit:

-# $FreeBSD: releng/9.1/etc/rc.d/netif 212579 2010-09-13 19:55:40Z hrs $

+# $FreeBSD: releng/9.2/etc/rc.d/netif 253238 2013-07-12 01:34:24Z hrs $

+ if [ -f /etc/rc.d/routing -a -n $cmdifn ] ; then

+ for _if in $cmdifn; do

+  /etc/rc.d/routing start any $_if

+ done
+ fi

etc/rc.d/routing enforces gateway_enable setting in rc.conf which does not
play well with setting net.inet.ip.forwarding=1 in sysctl.conf directly.
Very annoying.

I can find nothing i UPDATING on the subject. Even more annoying.

Best regards
Andreas
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-03-26 Thread Andreas Nilsson 
 ... snip ...


 I'm wondering what's happening on the outbound path, most of your rules
 handle inbound (to kernel) and it seems that rule 65535 deals with most
 outbound, except those specifically acting on both paths.

 So do I :)


 Maybe try adding to the above:
 ipfw add 63510 count log ip from table(1) to any out recv table(8)
 and
 ipfw add 64510 count log ip from table(1) to any out recv table(8)

 which should catch them on the outbound path before the default rule;
 outbound packets have both receive and transmit interfaces available.

 They never get that far :( Those rules log nothing. So I see the packet
 coming in, triggering the skipto, triggering the count log ... in recv but
 not the count log ... out.


 I guess you're sure that these packets are actually going out to some
 external address, not a localhost or alias address (which of course are
 received and not sent out anywhere)?

 Yes, when the go through they go to external address, which is in the
 routing table.


 I guess the above new log lines should show the interface (if any)
 these packets are leaving on, after routing (maybe a routing issue?)

 Good luck hunting.  If in doubt, throw ever more logging at it! :)  And
 please let the list know if you solve it - or not!

 cheers, Ian


 To make it even more interesting, it tested this on another machine, where
 I'm unable to reproduce this problem. I'm thinking that a reboot might
 help, but this is kind of fascinating so I would like to actually find the
 cause. I will investigate further.

 Best regards
 Andreas


And now it happened on another machine, but different type of traffic.
Traffic triggering the divert rule work fine, some traffic not triggering
the divert rule does not. After everything works as expected.

Before reboot I flushed the firewall so that only default rule was in play
( allow all from any to any ), and then *no* traffic for that destination
went out of the box.

There are something like ~1000 routes in the routing table. Routes are
added and removed according to some triggers, so during uptime of the
machine there is a bit of messing with the routing table. At this stage I'm
at a loss on how to continue investigating this, so I'll just implement the
forwarding via fwd rules in ipfw and altogether ignore the routing table.

Best regards
Andreas
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-03-14 Thread Andreas Nilsson 
... snip ...


 Ah.  Well it was good to see the rules listed anyway, always helps.

   Was the count rules something like:
  
   1 901  46132 skipto 63000 ip from table(1) to any in recv
   table(8)
  
   ... same as before ...
  
   63500 895  45844 count log logamount 100 ip from table(1) to
 any in
   recv table(8)
  
   64000   0  0 fwd tablearg ip from table(12) to any
  
   64500 895  45844 count log logamount 100 ip from table(1) to
 any in
   recv table(8)
   65535 3849164 1234591611 allow ip from any to any
  
   So everything looks nice enough, but still no go. Interestingly enough,
   since this is a production machine I can't fool around to much ( that's
 why
   it took a while to get the above results ) I tried to reproduce this on
   another machine. Lo and behold, I couldn't. There it worked with the
   skipto-version. I'll investigate this and see if I can find any
 differences.

 I'm wondering what's happening on the outbound path, most of your rules
 handle inbound (to kernel) and it seems that rule 65535 deals with most
 outbound, except those specifically acting on both paths.

So do I :)


 Maybe try adding to the above:
 ipfw add 63510 count log ip from table(1) to any out recv table(8)
 and
 ipfw add 64510 count log ip from table(1) to any out recv table(8)

 which should catch them on the outbound path before the default rule;
 outbound packets have both receive and transmit interfaces available.

 They never get that far :( Those rules log nothing. So I see the packet
coming in, triggering the skipto, triggering the count log ... in recv but
not the count log ... out.


 I guess you're sure that these packets are actually going out to some
 external address, not a localhost or alias address (which of course are
 received and not sent out anywhere)?

Yes, when the go through they go to external address, which is in the
routing table.


 I guess the above new log lines should show the interface (if any)
 these packets are leaving on, after routing (maybe a routing issue?)

 Good luck hunting.  If in doubt, throw ever more logging at it! :)  And
 please let the list know if you solve it - or not!

 cheers, Ian


To make it even more interesting, it tested this on another machine, where
I'm unable to reproduce this problem. I'm thinking that a reboot might
help, but this is kind of fascinating so I would like to actually find the
cause. I will investigate further.

Best regards
Andreas
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-03-05 Thread Raimundo Santos 
Hello, Andreas.

If table(12) is empty, how will fwd know where to send the packets that
hits it?

Best regards,
Raimundo


On 4 March 2014 02:58, Andreas Nilsson andrn...@gmail.com wrote:

 Hello,

 I'm having a strange problem with ipfw and/or routing. I've only tested
 this on 9.2-RELEASE-p3, amd64. The machine is sort of acting as router. The
 ruleset is like (ipfw defaults to accept):

 $cmd=ipfw -fq 

 $cmd add 1 skipto 65534 log all from table(1) to any in recv table(8)

 ...

 $cmd add 65534 fwd tablearg all from table(12) to any

 Table 1 contains prefixes that should skip the normal rules and just pass
 through the box.

 Table 8 contains interface names.

 Table 12 is empty (so far).

 What happens is that packets that trigger the first rule never get to their
 destination. After looking at /var/log/security is see that packets trigger
 the rule, never to be seen again. There is a route (ie not default) for
 the destination, but a tcpdump on the corresponding interface shows
 nothing.


 On changing the ruleset to
 $cmd=ipfw -fq 

 $cmd add 1 skipto 65533 log all from table(1) to any in recv table(8)

 ...

 $cmd add 65533 fwd x.y.z.w ip from table(1) to any in recv table(8)

 $cmd add 65534 fwd tablearg all from table(12) to any

 packets get to where they should.


 Why do I need the explict fwd rule? As far as I can see the ipfw man page
 says nothing about skipto changing the packets, and since the 65533 rule in
 the second ruleset triggers on the same thing as the skipto rule it would
 seem like packets are intact. Why does the kernel not forward those
 packets?


 Best regards

 Andreas Nilsson
 ___
 freebsd-net@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-net
 To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-03-05 Thread Andreas Nilsson 
Hello Raimundo

On Wed, Mar 5, 2014 at 2:26 PM, Raimundo Santos rait...@gmail.com wrote:

 Hello, Andreas.

 If table(12) is empty, how will fwd know where to send the packets that
 hits it?

My understanding is that the rule should not be triggered, as the ... from
table(12) will not match any packets. Other packets on the box that
traverse the ruleset goes out just fine.


 Best regards,
 Raimundo




___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-03-05 Thread Andrey V. Elsukov 
On 04.03.2014 09:58, Andreas Nilsson wrote:
 Why do I need the explict fwd rule? As far as I can see the ipfw man page
 says nothing about skipto changing the packets, and since the 65533 rule in
 the second ruleset triggers on the same thing as the skipto rule it would
 seem like packets are intact. Why does the kernel not forward those
 packets?

What is the last rule? I suspect it is deny all?

-- 
WBR, Andrey V. Elsukov
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-03-05 Thread Andreas Nilsson 
On Wed, Mar 5, 2014 at 7:49 PM, Andrey V. Elsukov bu7c...@yandex.ru wrote:

 On 04.03.2014 09:58, Andreas Nilsson wrote:
  Why do I need the explict fwd rule? As far as I can see the ipfw man page
  says nothing about skipto changing the packets, and since the 65533 rule
 in
  the second ruleset triggers on the same thing as the skipto rule it would
  seem like packets are intact. Why does the kernel not forward those
  packets?

 What is the last rule? I suspect it is deny all?


No, last rule is allow any from any set via loader tunable
net.inet.ip.fw.default_to_accept=1

For clarity :

10  0 skipto 65534 log all from table(1) to any in recv
table(8)

2  6331546  601809038 skipto 13 ip from any to any in recv table(8)

3   821402  247261846 allow ip from table(2) to any

40  0 allow ip from table(3) to me dst-port 2121

50  0 allow ip from table(4) to me dst-port 161

60  0 allow ip from me to table(4) dst-port 162

70  0 allow ip from me to table(5) dst-port 514

8208657823308 allow ip from table(6) to any dst-port 179

9  6331564  753767359 allow { gre or ipencap } from table(6) to any

00010 3270 294972 allow icmp from table(7) to any

000114617 allow icmp from any to me icmptypes 3

00012 5075 323759 deny ip from any to me

000131656214  123067475 divert tablearg tcp from any to any in recv
table(8)

655340  0 fwd tablearg ip from table(12) to any

65535 11389470 1158795869 allow ip from any to any

With the above ruleset a packet
1) triggering the first rule ( ie skipto no-op and the allow from any to
any ) is lost.
2) triggering the second rule (ie skipto divert rule which returns it to
the stack ) is forwarded.

Best regards
Andreas


 --
 WBR, Andrey V. Elsukov

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-03-05 Thread Andrey V. Elsukov 
On 05.03.2014 23:44, Andreas Nilsson wrote:
 With the above ruleset a packet
 1) triggering the first rule ( ie skipto no-op and the allow from any to
 any ) is lost.
 2) triggering the second rule (ie skipto divert rule which returns it to
 the stack ) is forwarded.

So, I don't see in the code how it can affect routing.
Make sure:
1. net.inet.ip.forwarding=1 (gateway_enable=YES in rc.conf)
2. you have route and gateway is reachable (route get/arp -n).

-- 
WBR, Andrey V. Elsukov
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: ipfw / routing issue on 9.2-RELEASE

2014-03-05 Thread Ian Smith 
On Wed, 5 Mar 2014 20:44:51 +0100, Andreas Nilsson wrote:
  On Wed, Mar 5, 2014 at 7:49 PM, Andrey V. Elsukov bu7c...@yandex.ru wrote:
  
   On 04.03.2014 09:58, Andreas Nilsson wrote:
Why do I need the explict fwd rule? As far as I can see the ipfw man page
says nothing about skipto changing the packets, and since the 65533 rule
   in
the second ruleset triggers on the same thing as the skipto rule it would
seem like packets are intact. Why does the kernel not forward those
packets?
  
   What is the last rule? I suspect it is deny all?
  
  
  No, last rule is allow any from any set via loader tunable
  net.inet.ip.fw.default_to_accept=1
  
  For clarity :
  
  10  0 skipto 65534 log all from table(1) to any in recv
  table(8)
  
  2  6331546  601809038 skipto 13 ip from any to any in recv table(8)
  
  3   821402  247261846 allow ip from table(2) to any
  
  40  0 allow ip from table(3) to me dst-port 2121
  
  50  0 allow ip from table(4) to me dst-port 161
  
  60  0 allow ip from me to table(4) dst-port 162
  
  70  0 allow ip from me to table(5) dst-port 514
  
  8208657823308 allow ip from table(6) to any dst-port 179
  
  9  6331564  753767359 allow { gre or ipencap } from table(6) to any
  
  00010 3270 294972 allow icmp from table(7) to any
  
  000114617 allow icmp from any to me icmptypes 3
  
  00012 5075 323759 deny ip from any to me
  
  000131656214  123067475 divert tablearg tcp from any to any in recv
  table(8)
  
  655340  0 fwd tablearg ip from table(12) to any
  
  65535 11389470 1158795869 allow ip from any to any
  
  With the above ruleset a packet
  1) triggering the first rule ( ie skipto no-op and the allow from any to
  any ) is lost.

The count on rule 1 is zero, so no packets matched it, not were 'lost'?

  2) triggering the second rule (ie skipto divert rule which returns it to
  the stack ) is forwarded.
  
  Best regards
  Andreas
  
  
   --
   WBR, Andrey V. Elsukov

If at some other times rule 1 IS matched, I suggest some renumbering so 
you can put 'count log' rules both before and after the 'fwd tablearg' 
rule; then if they 'disappear' you can see exactly where.

cheers, Ian
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

ipfw / routing issue on 9.2-RELEASE

2014-03-03 Thread Andreas Nilsson 
Hello,

I'm having a strange problem with ipfw and/or routing. I've only tested
this on 9.2-RELEASE-p3, amd64. The machine is sort of acting as router. The
ruleset is like (ipfw defaults to accept):

$cmd=ipfw -fq 

$cmd add 1 skipto 65534 log all from table(1) to any in recv table(8)

...

$cmd add 65534 fwd tablearg all from table(12) to any

Table 1 contains prefixes that should skip the normal rules and just pass
through the box.

Table 8 contains interface names.

Table 12 is empty (so far).

What happens is that packets that trigger the first rule never get to their
destination. After looking at /var/log/security is see that packets trigger
the rule, never to be seen again. There is a route (ie not default) for
the destination, but a tcpdump on the corresponding interface shows nothing.


On changing the ruleset to
$cmd=ipfw -fq 

$cmd add 1 skipto 65533 log all from table(1) to any in recv table(8)

...

$cmd add 65533 fwd x.y.z.w ip from table(1) to any in recv table(8)

$cmd add 65534 fwd tablearg all from table(12) to any

packets get to where they should.


Why do I need the explict fwd rule? As far as I can see the ipfw man page
says nothing about skipto changing the packets, and since the 65533 rule in
the second ruleset triggers on the same thing as the skipto rule it would
seem like packets are intact. Why does the kernel not forward those
packets?


Best regards

Andreas Nilsson
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

tun setup (routing?) issue in head

2010-01-25 Thread Andriy Gapon 

I've updated my HEAD amd64 system from December's sources to something more 
recent
and I've got problems with security/vpnc. To be precise vpnc itself seems to 
work
as good as before but its post-connect script is now failing:

$ ifconfig tun0 inet 10.99.15.144 10.99.15.144 netmask 255.255.255.255 mtu 1412 
up
ifconfig: ioctl (SIOCAIFADDR): File exists

Where tun0 is an interface created by vpnc.
ktrace gives this:
ifconfig CALL  socket(PF_INET,SOCK_DGRAM,IPPROTO_IP)
ifconfig RET   socket 3
ifconfig CALL  ioctl(0x3,SIOCSIFMTU,0x525a60)
ifconfig RET   ioctl 0
ifconfig CALL  ioctl(0x3,SIOCGIFFLAGS,0x7fffda30)
ifconfig RET   ioctl 0
ifconfig CALL  ioctl(0x3,SIOCSIFFLAGS,0x7fffda30)
ifconfig RET   ioctl 0
ifconfig CALL  ioctl(0x3,SIOCDIFADDR,0x525380)
ifconfig RET   ioctl -1 errno 49 Can't assign requested address
ifconfig CALL  ioctl(0x3,SIOCAIFADDR,0x525340)
ifconfig RET   ioctl -1 errno 17 File exists
ifconfig CALL  write(0x2,0x7fffd2d0,0xa)

So, what's happening?
Do you I have to update the ifconfig command?
Or is there some issue in the networking code?

BTW, I also get the following messages in the system log when vpnc is started:
kernel: tun0: link state changed to UP
kernel: ifa_add_loopback_route: insertion failed
I have net.link.tap.up_on_open=1 in sysctl.conf if that matters.

-- 
Andriy Gapon
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: tun setup (routing?) issue in head

2010-01-25 Thread Andriy Gapon 
on 25/01/2010 17:52 Li, Qing said the following:
 Yes, the failure is due to route installation. To make a long story short, 
 many of the
 scripts that worked before not necessary because of the right reasons. 
  
 I have been very busy at work, but I do have a patch and I will try to get it 
 finalized shortly.

I see, cool!
Perhaps there is some interim work-around for this issue?
I can not access my work VPN because of this and I don't like having to roll 
back
my kernel.

 From: owner-freebsd-curr...@freebsd.org on behalf of Andriy Gapon
 Sent: Mon 1/25/2010 4:47 AM
 To: freebsd-net@freebsd.org; freebsd-curr...@freebsd.org
 Subject: tun setup (routing?) issue in head
 
 
 
 
 I've updated my HEAD amd64 system from December's sources to something more 
 recent
 and I've got problems with security/vpnc. To be precise vpnc itself seems to 
 work
 as good as before but its post-connect script is now failing:
 
 $ ifconfig tun0 inet 10.99.15.144 10.99.15.144 netmask 255.255.255.255 mtu 
 1412 up
 ifconfig: ioctl (SIOCAIFADDR): File exists
 
 Where tun0 is an interface created by vpnc.
 ktrace gives this:
 ifconfig CALL  socket(PF_INET,SOCK_DGRAM,IPPROTO_IP)
 ifconfig RET   socket 3
 ifconfig CALL  ioctl(0x3,SIOCSIFMTU,0x525a60)
 ifconfig RET   ioctl 0
 ifconfig CALL  ioctl(0x3,SIOCGIFFLAGS,0x7fffda30)
 ifconfig RET   ioctl 0
 ifconfig CALL  ioctl(0x3,SIOCSIFFLAGS,0x7fffda30)
 ifconfig RET   ioctl 0
 ifconfig CALL  ioctl(0x3,SIOCDIFADDR,0x525380)
 ifconfig RET   ioctl -1 errno 49 Can't assign requested address
 ifconfig CALL  ioctl(0x3,SIOCAIFADDR,0x525340)
 ifconfig RET   ioctl -1 errno 17 File exists
 ifconfig CALL  write(0x2,0x7fffd2d0,0xa)
 
 So, what's happening?
 Do you I have to update the ifconfig command?
 Or is there some issue in the networking code?
 
 BTW, I also get the following messages in the system log when vpnc is started:
 kernel: tun0: link state changed to UP
 kernel: ifa_add_loopback_route: insertion failed
 I have net.link.tap.up_on_open=1 in sysctl.conf if that matters.
 
 --
 Andriy Gapon
 ___
 freebsd-curr...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-current
 To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
 
 


-- 
Andriy Gapon
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Strange Routing issue

2005-08-01 Thread Hendry 
Hello networkers,

  We have a strange issue that currently happened at our router.


  information:
  OS : FreeBSD 4.11-STABLE #1: Tue Jun  7 19:21:04 WIT 2005
  Routing Software : quagga-0.98.3 (compiling from ports)
  Network: Running eBGP (with full international route 16k prefix)
   1 Neighbor, route about 6-8 Mbps traffic.

  here's the issue:
--
from quagga BGPD
--
BGPD-gw-int-2 sh ip bgp 216.136.204.117
BGP routing table entry for 216.136.204.0/24
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  202.69.98.3
  18059 7473 10310 26085, (aggregated by 26085 66.163.160.248)
202.43.160.77 from 202.78.192.161 (64.110.188.178)
  Origin IGP, localpref 100, valid, external, best
  Last update: Tue Aug  2 05:18:56 2005

--
from zebra daemon
--
ZEBRA-gw-int-2# sh ip route 216.136.204.117
Routing entry for 216.136.204.0/24
  Known via bgp, distance 20, metric 0, best
  Last update 00:58:07 ago
  * 202.43.160.77, via fxp0

--
From the command line
--
ro-gw-int-2# route -n get 216.136.204.117
route: writing to routing socket: No such process

--
results from another terminal while run above command,
--

ro-gw-int-2# route -nv monitor
got message of size 164 on Tue Aug  2 06:12:58 2005
RTM_GET: Report Metrics: len 164, pid: 68487, seq 1, errno 3, 
flags:UP,GATEWAY, HOST,STATIC
locks:  inits:
sockaddrs: DST,IFP
 216.136.204.117

 ro-gw-int-2# netstat -nrfinet | grep 216.136.204 (null result)

 --
 unmatched result
 --
 
BGPD-gw-int-2#sh ip bgp sum
BGP router identifier 202.69.96.214, local AS number 9785
27551 BGP AS-PATH entries
0 BGP community entries

NeighborVAS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
202.78.192.161  4   215377  61070   0  0   04d05h38m   165166

ro-gw-int-2#netstat -nrfinet | wc -l
  148886

ro-gw-int-2#netstat -m
899/1424/131072 mbufs in use (current/peak/max):
899 mbufs allocated to data
896/1024/32768 mbuf clusters in use (current/peak/max)
2404 Kbytes allocated to network (2% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
  

is there any suggestion? we're just having a plan to increased the
the amount of memory tomorrow night from 512Mb to 1G.
but for sure this router have been quite stable for about half year
without any problem. not sure though whether its quagga or freebsd
issue.



--
cheers
hendry

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to [EMAIL PROTECTED]