Re: iwi firmware error on snapshot

2007-04-08 Thread Jason Beaudoin

On 4/7/07, James Turner [EMAIL PROTECTED] wrote:

I'm running OpenBSD -current from the snapshot dated 04-06.  Every time I bring
my thinkpad x40 out of sleep I get "iwi0: fatal firmware error".  I'm running
the generic kernel and have an Intel 2200bg card.


Yep..the card sucks.  I have the same issues on 4.0.
~J

--
IEEE Student Branch President
Wentworth Institute of Technology
550 Huntington Ave.
Boston, MA. 02115
401.837.8417
[EMAIL PROTECTED]



tcp fast retrans for high packet loss network

2007-04-08 Thread Walter Haidinger
Hi list!

Simple(?) question:
How do I enable tcp fast retransmissions?

I've got a wireless network with a lot of interference
which results in about 30% packet loss. Fast retransmission
should help here, right? 

However:
* Counter for fast retrans in 'netstat -s' is always zero.
* Nothing appropriate in 'sysctl -a'

Is TCP_FACK (commented out in conf/GENERIC) what I'm looking for? 
But I've got the suspicion that TCP_FACK is outdated (dead?) code:
* TCP_FACK was re-enabled in plus26.html but this is obviously
outdated and not accurate anymore.
* Google lists references to TCP_FACK in 3.2, 3.3 and 3.4 FAQs
but nothing in recent FAQs.

Are there any other network settings to tweak for networks
with high packet loss? 

Regards, Walter



Re: fileserver lockups: no ddb

2007-04-08 Thread Jacob Yocom-Piatt
[EMAIL PROTECTED] wrote:
 have had this machine, with bioctl and dmesg posted below, lockup on me
 both this saturday and last weekend as well. its console is com0 by
 default and there is no serial console output (e.g. ddb). when viewing it
 over KVM (/dev/ttyC0) the cursor keeps blinking but it won't receive any
 kb input.

   

best guess right now is that it'll be fixed by a 4.1 upgrade based on
this 4.0 - 4.1 change:

Revert PAE pmap for now, stops freezes commonly seen on amd64 machines
running in i386 mode.

any other guesses are welcome.

 none of the logs contain useful clues. the machine runs samba-3.0.21bp4,
 nrpe-2.5.2 and is a kerberos KDC. have not yet tried upgrading to current
 and would prefer to go release-to-release on this machine. any guesses as
 to what happened or how to prepare for next time to find out more would be
 appreciated.

 cheers,
 jake



problem on setting up ntpd

2007-04-08 Thread Reza Muhammad
Hi all,

I was just trying to set up an ntpd server for my home network so it could sync 
with each other.  So here's what I have in my /etc/ntpd.conf:

# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
listen on 192.168.1.1

# sync to a single server
#server ntp.example.org

# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
servers asia.pool.ntp.org

and here's the log from /var/log/daemon after I run the service:
Apr  8 21:09:32 blowfish ntpd[14921]: listening on 192.168.1.1
Apr  8 21:09:32 blowfish ntpd[14921]: ntp engine ready
Apr  8 21:09:51 blowfish ntpd[14921]: peer 203.123.49.3 now valid
Apr  8 21:09:51 blowfish ntpd[14921]: peer 202.155.248.218 now valid
Apr  8 21:09:51 blowfish ntpd[14921]: peer 61.129.66.79 now valid
Apr  8 21:09:53 blowfish ntpd[14921]: peer 202.71.97.92 now valid
Apr  8 21:09:53 blowfish ntpd[14921]: peer 60.56.119.79 now valid
Apr  8 21:09:55 blowfish ntpd[14921]: peer 218.75.4.130 now valid
Apr  8 21:09:56 blowfish ntpd[14921]: peer 61.129.90.164 now valid

Even though it seems to be working, I still can't get the date to sync from 
clients.  When I try to telnet to 192.168.1.1 on port 123, it says Connection 
Refused.  But the daemon is running on the server:
% ps auxw | grep ntpd
root 24933  0.0  0.2   428   600 ??  Is     9:09PM    0:00.00 ntpd: [priv] (ntpd)
_ntp 14921  0.0  0.2   388   648 ??  S      9:09PM    0:00.02 ntpd: ntp engine (ntpd)

Can anyone please help me out? 
Thanks in advance.



Re: problem on setting up ntpd

2007-04-08 Thread Mispunt

It will take some time before ntpd begins syncing. Don't ask me
why, but it took a day before my ntpd began syncing.

On 4/8/07, Reza Muhammad [EMAIL PROTECTED] wrote:

Hi all,

I was just trying to set up an ntpd server for my home network so it could sync 
with each other.  So here's what I have in my /etc/ntpd.conf:

# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
listen on 192.168.1.1

# sync to a single server
#server ntp.example.org

# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
servers asia.pool.ntp.org

and here's the log from /var/log/daemon after I run the service:
Apr  8 21:09:32 blowfish ntpd[14921]: listening on 192.168.1.1
Apr  8 21:09:32 blowfish ntpd[14921]: ntp engine ready
Apr  8 21:09:51 blowfish ntpd[14921]: peer 203.123.49.3 now valid
Apr  8 21:09:51 blowfish ntpd[14921]: peer 202.155.248.218 now valid
Apr  8 21:09:51 blowfish ntpd[14921]: peer 61.129.66.79 now valid
Apr  8 21:09:53 blowfish ntpd[14921]: peer 202.71.97.92 now valid
Apr  8 21:09:53 blowfish ntpd[14921]: peer 60.56.119.79 now valid
Apr  8 21:09:55 blowfish ntpd[14921]: peer 218.75.4.130 now valid
Apr  8 21:09:56 blowfish ntpd[14921]: peer 61.129.90.164 now valid

Even though it seems to be working, I still can't get the date to sync from clients.  
When I try to telnet to 192.168.1.1 on port 123, it says Connection Refused.  
But the daemon is running on the server:
% ps auxw | grep ntpd
root 24933  0.0  0.2   428   600 ??  Is     9:09PM    0:00.00 ntpd: [priv] (ntpd)
_ntp 14921  0.0  0.2   388   648 ??  S      9:09PM    0:00.02 ntpd: ntp engine (ntpd)

Can anyone please help me out?
Thanks in advance.




Re: problem on setting up ntpd

2007-04-08 Thread Philip Guenther

On 4/8/07, Reza Muhammad [EMAIL PROTECTED] wrote:
...

Even though it seems to be working, I still can't get the date to sync from 
clients.


You're running ntpd or ntpdate on the clients with 192.168.1.1 as their server?



When I try to telnet to 192.168.1.1 on port 123, it says Connection Refused.


The NTP protocol is only used with UDP and not with TCP.  As such, you
can't connect to it with telnet.  To see whether the server is
listening for UDP packets on port 123, use
"netstat -f inet -na | grep 'udp.*\.123'".  If it is indeed listening
and yet ntpdate doesn't work on the clients, then check your PF rules
to verify that the packets are being let through in both directions.


Philip Guenther



snort any interface and 2.6.1.4 mysql problem

2007-04-08 Thread Soner Tari
Hi All,

I have more than one interface I need to monitor with snort. I've read
http://www.snort.org/docs/faq/1Q05/node35.html. To do that, I've created
bridge0 and added both interfaces. Since I need to assign IP addresses
to each interface, I could not just up the interfaces and add them to
the bridge. Perhaps that's the reason, but I don't see alarms triggered
with -i bridge0 (snort warns that no IP is assigned to bridge0 anyway).
Do I need to do anything else?

Using 0.0.0.0 or 'any' as HOME_NET (as mentioned somewhere) doesn't help
at all.

Perhaps http://www.monkey.org/openbsd/archive/misc/0203/msg01194.html
could be helpful, but I can't see how.

I couldn't find how to create an 'any' interface on OpenBSD; I would
appreciate any links/comments. Otherwise, what I do is run multiple
instances of snort, one per interface, which wastes my shared memory.

Also, I've compiled 2.6.1.4 mysql enabled, but for some reason snort
complains that it cannot connect to mysql via mysql.sock file. But on
the same system I don't have any problem connecting to mysql using
mysql-enabled 2.4.5 package, so I don't believe there is any problem
with my mysql settings or file permissions (I cannot use 2.4.5-mysql due
to timestamp problems I mentioned on another post). To make sure I'm not
doing anything wrong, I've modified the ports Makefile and compiled
using ports, but I have the same problem.

Isn't it enough to configure snort with --with-mysql? And if the build
is successful, what can be wrong?

I'm sorry if I'm asking too many snort related questions.
Thanks,



Re: problem on setting up ntpd

2007-04-08 Thread Darrin Chandler
On Sun, Apr 08, 2007 at 04:38:49PM +0200, Mispunt wrote:
 It will take some time before ntpd begins syncing. Don't ask me
 why, but it took a day before my ntpd began syncing.

I think this is different, because it's reporting Connection Refused
rather than allowing connections but reporting as not synced.

 On 4/8/07, Reza Muhammad [EMAIL PROTECTED] wrote:
 # Addresses to listen on (ntpd does not listen by default)
 listen on 192.168.1.1
snip
 and here's the log from /var/log/daemon after I run the service:
 Apr  8 21:09:32 blowfish ntpd[14921]: listening on 192.168.1.1
 Apr  8 21:09:32 blowfish ntpd[14921]: ntp engine ready
 Apr  8 21:09:51 blowfish ntpd[14921]: peer 203.123.49.3 now valid
snip
 Even though it seems to be working, I still can't get the date to sync 
 from clients.  When I try to telnet to 192.168.1.1 on port 123, it says 
 Connection Refused.  But the daemon is running on the server:

Have you enabled pf on the machine running ntpd? From your configuration
and logs it does seem that ntpd is configured and running correctly.
Best guess is that you have "block return" for that port, or as the
default. The easiest test would be to temporarily disable pf (pfctl -d)
and try your telnet test again. If that works then it's your pf rules...

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: fileserver lockups: no ddb

2007-04-08 Thread Stephen Takacs
 cpu0: AMD Sempron(tm) Processor 3000+ (AuthenticAMD 686-class, 256KB L2 
 cache) 1.60 GHz

That's interesting.  How long have you been running OBSD 4.0 on that
machine?  I have the mobile version of this cpu, and my laptop started
locking up erratically (also w/o ddb) shortly after upgrading from 3.9
to 4.0.  After about a week of that craziness and no way to troubleshoot
further (short of running memtest86 and 'make build', neither of which
revealed any hardware issues), I went back to 3.9, and it's been as
rock-solid as it used to be.

-- 
Stephen Takacs   [EMAIL PROTECTED]   http://perlguru.net/
4149 FD56 D078 C988 9027  1EB4 04CC F80F 72CB 09DA



Re: problem on setting up ntpd

2007-04-08 Thread Steven Harms
His problem was not about ntpd not syncing.  At any rate, Reza, do you have
any firewalls that could be blocking the port?  If you switch "listen on
192.168.1.1" to "listen on *" does that change your situation?

On 4/8/07, Mispunt [EMAIL PROTECTED] wrote:

 It will take some time before ntpd begins syncing. Don't ask me
 why, but it took a day before my ntpd began syncing.

 On 4/8/07, Reza Muhammad [EMAIL PROTECTED] wrote:
  Hi all,
 
  I was just trying to set up an ntpd server for my home network so it
 could sync with each other.  So here's what I have in my /etc/ntpd.conf:
 
  # $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
  # sample ntpd configuration file, see ntpd.conf(5)
 
  # Addresses to listen on (ntpd does not listen by default)
  listen on 192.168.1.1
 
  # sync to a single server
  #server ntp.example.org
 
  # use a random selection of 8 public stratum 2 servers
  # see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
  servers asia.pool.ntp.org
 
  and here's the log from /var/log/daemon after I run the service:
  Apr  8 21:09:32 blowfish ntpd[14921]: listening on 192.168.1.1
  Apr  8 21:09:32 blowfish ntpd[14921]: ntp engine ready
  Apr  8 21:09:51 blowfish ntpd[14921]: peer 203.123.49.3 now valid
  Apr  8 21:09:51 blowfish ntpd[14921]: peer 202.155.248.218 now valid
  Apr  8 21:09:51 blowfish ntpd[14921]: peer 61.129.66.79 now valid
  Apr  8 21:09:53 blowfish ntpd[14921]: peer 202.71.97.92 now valid
  Apr  8 21:09:53 blowfish ntpd[14921]: peer 60.56.119.79 now valid
  Apr  8 21:09:55 blowfish ntpd[14921]: peer 218.75.4.130 now valid
  Apr  8 21:09:56 blowfish ntpd[14921]: peer 61.129.90.164 now valid
 
  Even though it seems to be working, I still can't get the date to sync
 from clients.  When I try to telnet to 192.168.1.1 on port 123, it says
 Connection Refused.  But the daemon is running on the server:
  % ps auxw | grep ntpd
  root 24933  0.0  0.2   428   600 ??  Is     9:09PM    0:00.00 ntpd: [priv] (ntpd)
  _ntp 14921  0.0  0.2   388   648 ??  S      9:09PM    0:00.02 ntpd: ntp engine (ntpd)
 
  Can anyone please help me out?
  Thanks in advance.



Re: problem on setting up ntpd

2007-04-08 Thread Joachim Schipper
On Sun, Apr 08, 2007 at 09:14:04PM +0700, Reza Muhammad wrote:
 Hi all,
 
 I was just trying to set up an ntpd server for my home network so it
 could sync with each other.  So here's what I have in my
 /etc/ntpd.conf:
 
 # $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
 # sample ntpd configuration file, see ntpd.conf(5)
 
 # Addresses to listen on (ntpd does not listen by default)
 listen on 192.168.1.1
 
 # sync to a single server
 #server ntp.example.org
 
 # use a random selection of 8 public stratum 2 servers
 # see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
 servers asia.pool.ntp.org
 
 and here's the log from /var/log/daemon after I run the service:
 Apr  8 21:09:32 blowfish ntpd[14921]: listening on 192.168.1.1
 Apr  8 21:09:32 blowfish ntpd[14921]: ntp engine ready
 Apr  8 21:09:51 blowfish ntpd[14921]: peer 203.123.49.3 now valid
 Apr  8 21:09:51 blowfish ntpd[14921]: peer 202.155.248.218 now valid
 Apr  8 21:09:51 blowfish ntpd[14921]: peer 61.129.66.79 now valid
 Apr  8 21:09:53 blowfish ntpd[14921]: peer 202.71.97.92 now valid
 Apr  8 21:09:53 blowfish ntpd[14921]: peer 60.56.119.79 now valid
 Apr  8 21:09:55 blowfish ntpd[14921]: peer 218.75.4.130 now valid
 Apr  8 21:09:56 blowfish ntpd[14921]: peer 61.129.90.164 now valid
 
 Even though it seems to be working, I still can't get the date to sync
 from clients.  When I try to telnet to 192.168.1.1 on port 123, it
 says Connection Refused.  But the daemon is running on the server:
 % ps auxw | grep ntpd
 root 24933  0.0  0.2   428   600 ??  Is     9:09PM    0:00.00 ntpd: [priv] (ntpd)
 _ntp 14921  0.0  0.2   388   648 ??  S      9:09PM    0:00.02 ntpd: ntp engine (ntpd)
 
 Can anyone please help me out? 
 Thanks in advance.

[Fix your mail client, please: 72 columns or less, at least on normal
text.]

ntpd uses UDP, telnet uses TCP, so telnet isn't the proper tool for
testing if the server actually receives packets.

In addition, ntpd will only sync to a server that is itself
synchronized; this would be the delay Mispunt mentioned. If this is the
case, you should see something to that effect in the clients' logs.

You might want to investigate -s and/or one of the external time sensors
(nmea(4) and co).

Joachim

-- 
PotD: x11/xmbdfed - Motif tool for editing X11 bitmap fonts

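Since the thread keeps coming back to two points (Philip: NTP is UDP, so a TCP telnet proves nothing; Joachim: a client only syncs to a server that is itself synchronized), here is an added Python probe that is not from any poster in the thread. It sends a real NTP mode 3 request over UDP and reads the leap indicator and stratum out of the reply, so "nothing heard", "refused" and "answering but not yet synced" become distinguishable. The 192.168.1.1 address is the listen address from Reza's ntpd.conf; the sample replies are constructed for offline testing, not captures.

```python
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
# 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, then eleven 32-bit
# words: root delay, root dispersion, reference id, and four 64-bit timestamps
# (reference, origin, receive, transmit) as seconds/fraction pairs.
NTP_HEADER = struct.Struct("!BBbb11I")


def build_client_request(version=4):
    """Build an NTP mode 3 (client) request with only the transmit timestamp filled in."""
    first_byte = (0 << 6) | (version << 3) | 3       # LI=0, VN=version, Mode=3 (client)
    now = time.time() + NTP_EPOCH_OFFSET
    tx_secs = int(now)
    tx_frac = int((now - tx_secs) * (1 << 32)) & 0xFFFFFFFF
    return NTP_HEADER.pack(first_byte, 0, 0, 0,
                           0, 0, 0,                  # root delay, root dispersion, reference id
                           0, 0, 0, 0, 0, 0,         # reference, origin, receive timestamps
                           tx_secs, tx_frac)


def parse_server_reply(data):
    """Decode a server reply and judge whether a client could sync to it.

    Per RFC 5905, LI=3 is the "alarm" state: the server's own clock is not
    synchronized, which is exactly the case Joachim describes (clients hear
    the server but will not sync to it). Stratum 0 is a kiss-o'-death or
    otherwise invalid reply, and a usable answer must be mode 4 (server).
    """
    if len(data) < NTP_HEADER.size:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    f = NTP_HEADER.unpack(data[:NTP_HEADER.size])
    leap, version, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    stratum = f[1]
    tx_secs, tx_frac = f[13], f[14]                  # transmit timestamp, seconds and fraction
    return {
        "leap": leap,
        "version": version,
        "mode": mode,
        "stratum": stratum,
        "transmit_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / (1 << 32),
        "usable": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }


def probe_ntp_server(host, port=NTP_PORT, timeout=2.0):
    """Send one UDP request on a connected socket and classify what came back.

    ("reply", parsed)   an NTP answer arrived and was decoded
    ("refused", None)   the kernel reported ICMP port unreachable: nothing bound
                        to udp/123, or a pf "block return" rule on the server
    ("timeout", None)   the datagram or its reply was silently dropped: pf
                        "block drop" in either direction, which is why Philip
                        says to check the rules both ways
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))   # connected UDP so ICMP errors surface as exceptions
        try:
            sock.send(build_client_request())
            data = sock.recv(512)
        except socket.timeout:
            return ("timeout", None)
        except ConnectionRefusedError:
            return ("refused", None)
    return ("reply", parse_server_reply(data))


def make_sample_reply(leap, stratum, unix_time):
    """Construct a mode 4 server reply for offline testing (constructed data, not a capture)."""
    first_byte = (leap << 6) | (4 << 3) | 4          # LI=leap, VN=4, Mode=4 (server)
    tx_secs = int(unix_time) + NTP_EPOCH_OFFSET
    return NTP_HEADER.pack(first_byte, stratum, 6, -20,
                           0, 0, 0, 0, 0, 0, 0, 0, 0, tx_secs, 0)


if __name__ == "__main__":
    # Offline: a healthy stratum-2 reply next to an "alarm" reply from a server not yet synced.
    for reply in (make_sample_reply(0, 2, 1175980800), make_sample_reply(3, 0, 1175980800)):
        print(parse_server_reply(reply))
    # On the wire: the listen address from Reza's ntpd.conf (needs network access).
    print(probe_ntp_server("192.168.1.1"))
```

A "reply" whose "usable" field is False but whose mode is 4 means the daemon is reachable and the pf rules are fine; the remaining wait is the server acquiring its own peers.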


Re: fileserver lockups: no ddb

2007-04-08 Thread Joachim Schipper
On Sat, Apr 07, 2007 at 10:49:00PM -0500, [EMAIL PROTECTED] wrote:
 have had this machine, with bioctl and dmesg posted below, lockup on me
 both this saturday and last weekend as well. its console is com0 by
 default and there is no serial console output (e.g. ddb). when viewing it
 over KVM (/dev/ttyC0) the cursor keeps blinking but it won't receive any
 kb input.
 
 none of the logs contain useful clues. the machine runs samba-3.0.21bp4,
 nrpe-2.5.2 and is a kerberos KDC. have not yet tried upgrading to current
 and would prefer to go release-to-release on this machine. any guesses as
 to what happened or how to prepare for next time to find out more would be
 appreciated.
 
 cheers,
 jake

No idea, can anything interesting be found in /var/log/*?

-- 
TFMotD: malloc (9) - kernel memory allocator


xenocara via cvsup

2007-04-08 Thread Didier Wiroth
hello,
does anyone know if it is possible to get the cvsup sources via cvsup, if so, 
which server?

thanks a lot!

didier



Re: fileserver lockups: no ddb

2007-04-08 Thread Nick Holland
Stephen Takacs wrote:
 cpu0: AMD Sempron(tm) Processor 3000+ (AuthenticAMD 686-class, 256KB L2 
 cache) 1.60 GHz
 
 That's interesting.  How long have you been running OBSD 4.0 on that
 machine?  I have the mobile version of this cpu, and my laptop started
 locking up erratically (also w/o ddb) shortly after upgrading from 3.9
 to 4.0.  After about a week of that craziness and no way to troubleshoot
 further (short of running memtest86 and 'make build', neither of which
 revealed any hardware issues), I went back to 3.9, and it's been as
 rock-solid as it used to be.
 

What you are describing is almost certainly the i386-on-amd64 problem.

Solution is to do one of the following (in my order of preference, your
criteria may be different than mine, of course!) :
  * run OpenBSD/amd64 (where this problem doesn't exist)
  * wait for 4.1 (where it is fixed)
  * run -current (where it is fixed)

"fixed" is probably not quite the right word; several people suspect
the PAE support was PROVOKING a real problem elsewhere, but backing
out the PAE support seems to have either quit provoking it or pushed
it down to unseen levels.  But then, it's an amd64; if you have no
reason to run i386 code on it, I'd recommend running amd64 on it...

Nick.



Re: GRE over IPsec

2007-04-08 Thread Chris Jones
I may have been mistaken. I just pulled this information from this document
which Gregory Lebovitz from Netscreen co-authored back in 2003. On page 46
he talks about using GRE to create virtual routing interfaces, AKA tunnel
interfaces. I have configured route-based VPNs between a Netscreen and
FortiGate which interop just fine, which leads me to believe that they are
using the same approach to tunnel interfaces.

I have yet to get this to work between an OpenBSD box and a
FortiGate/Netscreen. I will look into the gif option to see if this will
work.

-Chris

On 4/7/07, Stephen J. Bevan [EMAIL PROTECTED] wrote:

 Chris Jones writes:
   Fortigates and Netscreens both use GRE interfaces as
  tunnel interfaces when creating route-based VPN tunnels.

 FortiGates do not use GRE interfaces when creating route-based VPN tunnels.
 The route-based VPN on a FortiGate creates packets that are identical
 to IPsec tunnel mode i.e. IP|ESP|IP.  As far as I'm aware, Netscreen do
 the same.  Are you sure you don't have any Ciscos in your network?
 They use GRE for IPsec unless you've got a fairly recent version of
 IOS that supports the virtual interface approach.


   Right now I have a hub-and-spoke VPN network using static routes to route
   traffic across the VPN. Each spoke endpoint has a static destination route
   of 10.1.0.0/16 which is sent over GRE interface. The only exception to the
   hub-and-spoke VPN is my OpenBSD firewall which I have to create VPN tunnels
   to every spoke network I need access to (quite painful). On my OpenBSD box
   I would like to be able to use a single static destination route of
   10.1.0.0/16 to send this traffic over a GRE interface to get to the rest of
   the VPN network.

 Since the FortiGate doesn't use GRE for IPsec (unless you configured
 it for some reason) then there is no need to use GRE on OpenBSD.  Just
 define a normal tunnel based IPsec connection (as if the other end was
 another OpenBSD box).  If you really want an interface so that you can
 route over it, then you'd have better luck with a gif interface.  In
 that case if you can get the tunnel to come up you could run
 RIP/OSPF/iBGP on the OpenBSD gif interface and on the FortiGate IPsec
 interface and not use static routing at all.



Re: GRE over IPsec

2007-04-08 Thread Chris Jones
This link would probably help ;)

http://www.isi.edu/div7/presentation_files/dynamic_routing.pdf

On 4/8/07, Chris Jones [EMAIL PROTECTED] wrote:

 I may have been mistaken. I just pulled this information from this
 document which Gregory Lebovitz from Netscreen co-authored back in 2003. On
 page 46 he talks about using GRE to create virtual routing interfaces, AKA
 tunnel interfaces. I have configured route-based VPNs between a Netscreen and
 FortiGate which interop just fine, which leads me to believe that they are
 using the same approach to tunnel interfaces.

 I have yet to get this to work between an OpenBSD box and a
 FortiGate/Netscreen. I will look into the gif option to see if this will
 work.

 -Chris

 On 4/7/07, Stephen J. Bevan [EMAIL PROTECTED] wrote:
 
  Chris Jones writes:
    Fortigates and Netscreens both use GRE interfaces as
   tunnel interfaces when creating route-based VPN tunnels.
 
  FortiGates do not use GRE interfaces when creating route-based VPN
  tunnels.
  The route-based VPN on a FortiGate creates packets that are identical
  to IPsec tunnel mode i.e. IP|ESP|IP.  As far as I'm aware, Netscreen do
  the same.  Are you sure you don't have any Ciscos in your network?
  They use GRE for IPsec unless you've got a fairly recent version of
  IOS that supports the virtual interface approach.
 
 
    Right now I have a hub-and-spoke VPN network using static routes to route
    traffic across the VPN. Each spoke endpoint has a static destination route
    of 10.1.0.0/16 which is sent over GRE interface. The only exception to the
    hub-and-spoke VPN is my OpenBSD firewall which I have to create VPN tunnels
    to every spoke network I need access to (quite painful). On my OpenBSD box
    I would like to be able to use a single static destination route of
    10.1.0.0/16 to send this traffic over a GRE interface to get to the rest of
    the VPN network.
 
  Since the FortiGate doesn't use GRE for IPsec (unless you configured
  it for some reason) then there is no need to use GRE on OpenBSD.  Just
  define a normal tunnel based IPsec connection (as if the other end was
  another OpenBSD box).  If you really want an interface so that you can
  route over it, then you'd have better luck with a gif interface.  In
  that case if you can get the tunnel to come up you could run
  RIP/OSPF/iBGP on the OpenBSD gif interface and on the FortiGate IPsec
  interface and not use static routing at all.



Re: carp, ospf can't see carp state

2007-04-08 Thread Chris Black
François Rousseau wrote:
  But how am I supposed to announce the route for the right carp interface?
  Right now my servers can always reach the router because of the CARP
  interface but the router can't always reach the servers...
 
  If I unplug the cable of my CARP interface (bge2 for example), all
  traffic from this router (directly from it or from my upstream
  provider) can't reach the servers because the router still has only 1
  route going directly to its bge2 interface (the interface with carp)
  and it has no clue about the MASTER interface.
 
  Maybe I'm wrong and OSPF is not the solution.
 
  What I'm trying to do is to have a redundant gateway for my servers (CARP)
  and I want to have 2 upstream providers with BGP (multihoming).
 
  I need a way for these 2 routers to talk to each other and share their
  internal routes to know how to reach both of the exit points (route
  to both upstream providers) and how to reach the MASTER interface of
  every CARP group.
 
  Any idea?
 

Your situation is different from mine, I am new to OSPF, and my
information may not help you any, but here it is:
I have a setup with two external routers and two internal routers. Both
external routers uplink to the same ISP, unlike in your situation. They
share a carp'd external/inet IP, and the status of this carp interface
(and other path/interface failures) determines which external router is
used as the main uplink. My main problem setting this up is somewhat
similar to yours in terms of getting the internal routers to know which
external router to use for default route/external ISP access. The key
for me was to have the ospf directives "redistribute connected" and
"redistribute default" in the external routers' ospf.conf. Then I made
sure that the internal routers did NOT have a statically assigned
default route by removing /etc/mygate (since static routes take
precedence over ospf-learned routes). This enabled me to have failover
of my external/uplink routers.

External router ospf.conf:
primaryInlink=bge0
backupInlink=bge1
inet=carp0
dmz=carp1

# global configuration
router-id 0.0.0.40
fib-update yes
redistribute connected
redistribute default

auth-type crypt
auth-md 1 scrubbedForPosting
auth-md-keyid 1

# areas
area 0 {
	interface $primaryInlink {
	}
	interface $backupInlink {
		metric 100
	}
	interface $inet {
		passive
	}
	interface $dmz {
		passive
	}
}

The dual Inlinks are because my setup is fully connected via dedicated
links, all inter-router traffic only goes through these dedicated pair
links, not through a switch.

Hope this helps,
Chris



Re: xenocara via cvsup

2007-04-08 Thread Christian Weisgerber
Didier Wiroth [EMAIL PROTECTED] wrote:

 does anyone know if it is possible to get the cvsup sources via cvsup,
 if so, which server?

Yes, it is.  Any server offering OpenBSD via CVSup should include
xenocara.  If a particular server doesn't, poke the admin.  They
probably forgot to add the collection.

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]



Re: GRE over IPsec

2007-04-08 Thread Stephen J. Bevan
Chris Jones writes:
  I may have been mistaken. I just pulled this information from this document
  which Gregory Lebovitz from Netscreen co-authored back in 2003.

No FortiGate model supported GRE in 2003, it wasn't added until 2006.

  On page 46 he talks about using GRE to create virtual routing
  interfaces, AKA tunnel interfaces. I have configured route-based VPNs
  between a Netscreen and FortiGate which interop just fine, which
  leads me to believe that they are using the same approach to tunnel
  interfaces. 

They are using the same approach, it just isn't GRE based.  Both
FortiGate and Netscreen allow you to define an IPsec interface which has
the routing benefits described in
http://www.isi.edu/div7/presentation_files/dynamic_routing.pdf 
but which is also compatible with anything that supports tunnel mode
IPsec.


  I have yet to get this to work between an OpenBSD box and a
  FortiGate/Netscreen. I will look into the gif option to see if this will
  work.

It isn't clear to me why you don't just use tunnel mode IPsec on
OpenBSD, it is compatible with both FortiGate and Netscreen.  The gif
approach is going to be a problem unless you have an IKE daemon that
can negotiate tunnel mode (because that's what the FortiGate will
expect) but actually use transport+IPIP as per the RFC draft referenced
in the above.



Re: GRE over IPsec

2007-04-08 Thread Stuart Henderson
On 2007/04/08 14:43, Stephen J. Bevan wrote:
 
   On page 46 he talks about using GRE to create virtual routing
   interfaces, AKA tunnel interfaces. I have configured route-based VPNs
   between a Netscreen and FortiGate which interop just fine, which
   leads me to believe that they are using the same approach to tunnel
   interfaces. 
 
 They are using the same approach, it just isn't GRE based.  Both
 FortiGate and Netscreen allow you to define an IPsec interface which has
 the routing benefits described in
 http://www.isi.edu/div7/presentation_files/dynamic_routing.pdf 
 but which is also compatible with anything that supports tunnel mode
 IPsec.

interesting; if my understanding of this and the RFC that the referenced
'touch' draft was published as (rfc3884) is right, at one end you can
configure one side in *transport* mode carrying ipip encapsulated packets -
gif(4) with net.inet.ipip.allow=1, afaict - and the other side in tunnel
mode as usual.

this could be useful for either running routing protocols over IPsec, or
for redistributing IPsec routes into an IGP (the latter being something
I've been wondering about how to handle in some way that's a little more
flexible than "configure all of concentrator X's tunnels within 10.X/16
and all of concentrator Y's tunnels within 10.Y/16"...)



Re: GRE over IPsec

2007-04-08 Thread Stephen J. Bevan
Stuart Henderson writes:
  interesting; if my understanding of this and the RFC that the referenced
  'touch' draft was published as (rfc3884) is correct, at one end you can
  configure one side in *transport* mode carrying ipip encapsulated packets -
  gif(4) with net.inet.ipip.allow=1, afaict - and the other side in tunnel
  mode as usual.

That's the idea, though the IKE daemon on the transport+IPIP side has
to actually offer tunnel mode or the other end will typically reject
the negotiation.


  this could be useful for either running routing protocols over IPsec, or
  for redistributing IPsec routes into an IGP (the latter being something
  I've been wondering about how to handle in some way that's a little more
  flexible than "configure all of concentrator X's tunnels within 10.X/16
  and all of concentrator Y's tunnels within 10.Y/16"...)

It is useful for all of the above.



Re: fileserver lockups: no ddb

2007-04-08 Thread Stephen Takacs
On Sun, Apr 08, 2007 at 12:11:37PM -0400, Nick Holland wrote:
 What you are describing is almost certainly the i386-on-amd64 problem.
 
 Solution is to do one of the following (in my order of preference, your
 criteria may be different than mine, of course!) :
   * run OpenBSD/amd64 (where this problem doesn't exist)
   * wait for 4.1 (where it is fixed)
   * run -current (where it is fixed)

Unfortunately, my cpu is one of the lame Sempron chips which isn't a
true AMD64.  It can be pretty hard to tell them apart, given all the
revisions: http://en.wikipedia.org/wiki/Sempron

I'll definitely give 4.1 a shot and see though...

-- 
Stephen Takacs   [EMAIL PROTECTED]   http://perlguru.net/
4149 FD56 D078 C988 9027  1EB4 04CC F80F 72CB 09DA



Re: fileserver lockups: no ddb

2007-04-08 Thread Nick Holland
Stephen Takacs wrote:
 On Sun, Apr 08, 2007 at 12:11:37PM -0400, Nick Holland wrote:
 What you are describing is almost certainly the i386-on-amd64 problem.
 
 Solution is to do one of the following (in my order of preference, your
 criteria may be different than mine, of course!) :
   * run OpenBSD/amd64 (where this problem doesn't exist)
   * wait for 4.1 (where it is fixed)
   * run -current (where it is fixed)
 
 Unfortunately, my cpu is one of the lame Sempron chips which isn't a
 true AMD64.  It can be pretty hard to tell them apart, given all the
 revisions: http://en.wikipedia.org/wiki/Sempron
 
 I'll definitely give 4.1 a shot and see though...
 

In that case, could you provide a full dmesg on the thing?  This sounds
interesting, I'd really love to know what -current does on it, though
I guess we can wait a few weeks for 4.1-release. :)
(not like I'm the guy who has the knowledge to troubleshoot what's going
on here...)

Did you actually try amd64 on it?

Nick.



Kernel tuning on routers

2007-04-08 Thread Jon Morby
A quick google hasn't been very helpful ... are there any guides to tuning 
the OpenBSD kernel in 4.x for optimum performance on routers?


We're starting to see some bizarre behaviour and memory issues on some of 
our busier border routers


Things such as

(note the minus 59% usage)

[EMAIL PROTECTED] netstat -m
9637 mbufs in use:
9557 mbufs allocated to data
74 mbufs allocated to packet headers
6 mbufs allocated to socket names and addresses
9546/15752/32768 mbuf clusters in use (current/peak/max)
34148 Kbytes allocated to network (-59% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
[EMAIL PROTECTED] netstat -m
7336 mbufs in use:
7256 mbufs allocated to data
74 mbufs allocated to packet headers
6 mbufs allocated to socket names and addresses
7242/15752/32768 mbuf clusters in use (current/peak/max)
34036 Kbytes allocated to network (47% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

and also things like this appear in dmesg

WARNING: mclpool limit reached; increase kern.maxclusters

(which we've done)

These boxes tend to have 3 or 4 full copies of the routing table as well as 
150-200 peering sessions with an average of 20 prefixes on each.


[EMAIL PROTECTED] bgpctl s r me
RDE memory statistics
217634 IPv4 network entries using 6.6M of memory
 1 IPv6 network entries using 44B of memory
   1951183 prefix entries using 59.5M of memory
363941 BGP path attribute entries using 26.4M of memory
118297 BGP AS-PATH attribute entries using 3.5M of memory,
   and holding 363941 references
 12390 BGP attributes entries using 290K of memory
   and holding 408122 references
 12389 BGP attributes using 444K of memory
RIB using 96.8M of memory

[EMAIL PROTECTED] bgpctl s r me
RDE memory statistics
217589 IPv4 network entries using 6.6M of memory
   671 IPv6 network entries using 28.8K of memory
672388 prefix entries using 20.5M of memory
128149 BGP path attribute entries using 9.3M of memory
 48874 BGP AS-PATH attribute entries using 1.4M of memory,
   and holding 128149 references
  4066 BGP attributes entries using 95.3K of memory
   and holding 126566 references
  4065 BGP attributes using 25.0K of memory
RIB using 38.0M of memory

--
Jon Morby
fido.net - the internet made simple!
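The two netstat -m listings above show the kind of check a router operator wants automated: parse the counters, compare cluster usage against the kern.maxclusters ceiling, and treat an impossible "in use" percentage (the -59% Jon points out) as a signal to recompute usage from the raw counts rather than trust the printed figure. The following is an added example, not code from the thread or from OpenBSD; the sample input is the output quoted in the post, and the mbuf and cluster sizes (MSIZE=256, MCLBYTES=2048) and the alert thresholds are assumptions.

```python
"""Parse OpenBSD `netstat -m` output and flag mbuf cluster pressure.

Added example for the thread above; not part of the original post or of
OpenBSD.  The sample listings are the ones quoted in the post.
"""
import re

# Constructed sample: the two `netstat -m` listings from the post.
SAMPLE_A = """\
9637 mbufs in use:
9557 mbufs allocated to data
74 mbufs allocated to packet headers
6 mbufs allocated to socket names and addresses
9546/15752/32768 mbuf clusters in use (current/peak/max)
34148 Kbytes allocated to network (-59% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

SAMPLE_B = """\
7336 mbufs in use:
7256 mbufs allocated to data
74 mbufs allocated to packet headers
6 mbufs allocated to socket names and addresses
7242/15752/32768 mbuf clusters in use (current/peak/max)
34036 Kbytes allocated to network (47% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

# Assumed sizes (not stated on the page): one mbuf header and one
# mbuf cluster on OpenBSD of that era.
MSIZE = 256
MCLBYTES = 2048

PATTERNS = {
    "mbufs": re.compile(r"^(\d+) mbufs in use"),
    "clusters": re.compile(r"^(\d+)/(\d+)/(\d+) mbuf clusters in use"),
    "kbytes": re.compile(r"^(\d+) Kbytes allocated to network \((-?\d+)% in use\)"),
    "denied": re.compile(r"^(\d+) requests for memory denied"),
    "delayed": re.compile(r"^(\d+) requests for memory delayed"),
    "drains": re.compile(r"^(\d+) calls to protocol drain routines"),
}


def parse_netstat_m(text):
    """Return the counters of one `netstat -m` listing as a dict of ints."""
    stats = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PATTERNS["mbufs"].match(line)
        if m:
            stats["mbufs"] = int(m.group(1))
            continue
        m = PATTERNS["clusters"].match(line)
        if m:
            cur, peak, mx = (int(g) for g in m.groups())
            stats.update(clusters_cur=cur, clusters_peak=peak, clusters_max=mx)
            continue
        m = PATTERNS["kbytes"].match(line)
        if m:
            stats["kbytes"] = int(m.group(1))
            stats["pct_reported"] = int(m.group(2))
            continue
        for key in ("denied", "delayed", "drains"):
            m = PATTERNS[key].match(line)
            if m:
                stats[key] = int(m.group(1))
                break
    return stats


def recompute_pct(stats):
    """Estimate the share of the network allocation in use from the raw
    mbuf and cluster counts, independent of the percentage netstat printed."""
    used_kb = (stats["clusters_cur"] * MCLBYTES + stats["mbufs"] * MSIZE) / 1024
    return 100.0 * used_kb / stats["kbytes"]


def assess(stats, warn_ratio=0.8):
    """Return a list of findings; an empty list means no pressure detected."""
    findings = []
    cur, peak, mx = stats["clusters_cur"], stats["clusters_peak"], stats["clusters_max"]
    if cur >= warn_ratio * mx:
        findings.append(f"clusters in use {cur}/{mx}: approaching kern.maxclusters")
    if peak >= mx:
        findings.append(f"peak {peak} hit kern.maxclusters={mx}: "
                        "expect 'mclpool limit reached' in dmesg")
    if stats.get("denied", 0) or stats.get("drains", 0):
        findings.append("allocation failures: denied=%d drain calls=%d"
                        % (stats.get("denied", 0), stats.get("drains", 0)))
    pct = stats.get("pct_reported", 0)
    if not 0 <= pct <= 100:
        # The printed figure cannot be right; fall back to the raw counts.
        findings.append(f"netstat reported {pct}% in use, which is not a valid "
                        f"percentage; recomputed {recompute_pct(stats):.0f}%")
    return findings


if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        s = parse_netstat_m(sample)
        print(name, f"{recompute_pct(s):.1f}% (recomputed)", assess(s) or "ok")
```

Run against the second listing the recomputed figure lands on the 47% netstat itself printed, which is a useful sanity check on the assumed sizes; against the first it replaces the -59% with roughly 63%. On a live router the same functions can be fed `subprocess.run(["netstat", "-m"], ...)` output from cron and the findings shipped to whatever alerting is in use.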



Re: fileserver lockups: no ddb

2007-04-08 Thread Stephen Takacs
Nick Holland wrote:
 In that case, could you provide a full dmesg on the thing?  This sounds
 interesting, I'd really love to know what -current does on it, though
 I guess we can wait a few weeks for 4.1-release. :)
 (not like I'm the guy who has the knowledge to troubleshoot what's going
 on here...)

Here's an old 4.0 dmesg from back in November:
http://archives.neohapsis.com/archives/openbsd/2006-11/0385.html
 
 Did you actually try amd64 on it?

I hadn't tried it before, so today I burned the amd64 cd40.iso, just in
case...  It didn't get very far though.  The second-stage bootloader ran
okay:

OpenBSD/amd64 CDBOOT 1.06
booting cd0a:/4.0/amd64/bsd.rd [0xblahblah etc.]
entry point at 0x1001e0 [0xblahblah etc.]
_

But that's where it stopped (imagine the _ above is a blinking cursor).
No blue kernel messages ever appeared on the console.

-- 
Stephen Takacs   [EMAIL PROTECTED]   http://perlguru.net/
4149 FD56 D078 C988 9027  1EB4 04CC F80F 72CB 09DA