Re: Detailed statistics on em(4) driver

[Bernd]

Hi,

I've got problems with increasing Ierrs on several machines with
several em(4) interfaces. Is there a way to get *detailed* information
on these?

# netstat -I em3 -d
NameMtu   Network Address  Ipkts IerrsOpkts
Oerrs Colls Drop
em3 1500  Link  de:ad:be:ef  95655063 435896
63427593 0 00
em3 1500  fe80::%em3/ fe80::xx:ff:ffe  95655063 435896
63427593 0 00

is not that verbose.


We hacked the kernel. The interface(s) just miss packets, see 
screenshot:


http://imageshack.us/f/96/fkad.png/

Customer urged to move from OpenBSD to Ubuntu for BGP routing.


Thanks in advance,

Bernd

Re: trunk-ing + carp-ing

[Ganguin Michel]

Hi again,

Thanks for your responses.

I found a setup that satisfies me:

* SRV: trunk in failover mode
* O1, O2: trunk in broadcast mode

As only one link at a time is active on SRV, I don't get duplicates. And as it 
is the only one being in failover mode, no need of ifstated.

Best Regards
Michel

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Ganguin Michel
Sent: mercredi, 19. juin 2013 11:45
To: misc@openbsd.org
Subject: trunk-ing + carp-ing

Hi misc,

I have the following setup:

* O1 and O2: two openbsd firewall/routers with:

  * carp-ed client side interface
  * trunked server side interfaces + carp-ed trunk device

* SRV: server with trunked interfaces (for testing I'm using one server, but 
there will be 2 servers cross connected to the switches)

* s: two switches with no inter switch link capability

 ++ +---+
  +--+ O1 +-+ s +--+
  |  |+--\   /--+   |  |  +-+
+-+   |  ++   \ /   +---+  +--+ SRV |
| CLI +---+X   +--+ |
+-+   |  ++   / \   +---+  |  +-+
  |  | O2 +--/   \--+ s |  |
  +--++-+   +--+
 ++ +---+

So SRV uses carp ip address as route and CLI uses the external carp ip address 
as route to reach SRV. And my high availability setup is transparent for the 
client. Each hardware (cables, routers, switches) may fail and my service is 
still reachable.

My questions are:

* what trunk to use? Without inter switch aggregation support I tried failover 
and broadcast

  * failover works fine, but active/failover interfaces needs to be switched 
manually in case of failure to select to correct active path, if think it could 
be automated with ifstated but I didn't test it yet.
  * broadcast works fine too, but the client receives packets duplicated 4 
times, I don't know if it is normal behavior, shouldn't duplicates be filtered 
by the trunk device? Or is there a way to filter them?

* Is my design correct, or did I miss something? Is there another (simpler) way 
to achieve my high availability goal?

Config:

O1 ifconfig  
lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33196
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff00
vr0: flags=8b43UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST mtu 
1500
lladdr 00:0d:b9:2d:0f:54
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20d:b9ff:fe2d:f54%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8b43UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST mtu 
1500
lladdr 00:0d:b9:2d:0f:55
priority: 0
trunk: trunkdev trunk0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20d:b9ff:fe2d:f54%vr1 prefixlen 64 scopeid 0x2
vr2: flags=8b43UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST mtu 
1500
lladdr 00:0d:b9:2d:0f:55
priority: 0
trunk: trunkdev trunk0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::20d:b9ff:fe2d:f54%vr2 prefixlen 64 scopeid 0x3
enc0: flags=0
priority: 0
groups: enc
status: active
pflog0: flags=141UP,RUNNING,PROMISC mtu 33196
priority: 0
groups: pflog
trunk0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST mtu 1500
lladdr 00:0d:b9:2d:0f:55
priority: 0
trunk: trunkproto broadcast
trunkport vr2 active
trunkport vr1 master,active
groups: trunk
media: Ethernet autoselect
status: active
inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255
inet6 fe80::20d:b9ff:fe2d:f55%trunk0 prefixlen 64 scopeid 0x7
carp0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: BACKUP carpdev trunk0 vhid 1 advbase 1 advskew 0
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x8
inet 192.168.10.10 netmask 0xff00 broadcast 192.168.10.255
carp1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:00:5e:00:01:02
priority: 0
carp: BACKUP carpdev vr0 vhid 2 advbase 1 advskew 0
groups: carp
status: backup
inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x9
inet 10.0.0.10 netmask 0xff00 broadcast 10.0.0.255

O1 netstat -rn -f inet
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
default10.0.0.1   UGS02 - 8 vr0 
10.0.0/24  link#1 UC 00 

Re: Detailed statistics on em(4) driver

[Philip Guenther]

On Wed, Jun 19, 2013 at 11:38 PM, Bernd be...@kroenchenstadt.de wrote:
 I've got problems with increasing Ierrs on several machines with
 several em(4) interfaces. Is there a way to get *detailed* information
 on these?

 # netstat -I em3 -d
 NameMtu   Network Address  Ipkts IerrsOpkts
 Oerrs Colls Drop
 em3 1500  Link  de:ad:be:ef  95655063 435896
 63427593 0 00
 em3 1500  fe80::%em3/ fe80::xx:ff:ffe  95655063 435896
 63427593 0 00

 is not that verbose.

 We hacked the kernel. The interface(s) just miss packets, see screenshot:

 http://imageshack.us/f/96/fkad.png/

No dmesg (which would have included the output of your printfs, in
text form!), fail to describe your kernel hacks, and then you *upload
a picture of your console*?!?


 Customer urged to move from OpenBSD to Ubuntu for BGP routing.

Good luck with that!


Philip Guenther

Re: Detailed statistics on em(4) driver

[Otto Moerbeek]

On Thu, Jun 20, 2013 at 08:38:11AM +0200, Bernd wrote:

 Hi,
 
 I've got problems with increasing Ierrs on several machines with
 several em(4) interfaces. Is there a way to get *detailed* information
 on these?
 
 # netstat -I em3 -d
 NameMtu   Network Address  Ipkts IerrsOpkts
 Oerrs Colls Drop
 em3 1500  Link  de:ad:be:ef  95655063 435896
 63427593 0 00
 em3 1500  fe80::%em3/ fe80::xx:ff:ffe  95655063 435896
 63427593 0 00
 
 is not that verbose.
 
 We hacked the kernel. The interface(s) just miss packets, see
 screenshot:
 
 http://imageshack.us/f/96/fkad.png/
 
 Customer urged to move from OpenBSD to Ubuntu for BGP routing.
 
 Thanks in advance,
 
 Bernd

What does 

sysctl net.inet.ip.ifq 

say?

On a side note: you are not sharing *any* details, so expect your
emails to be ignored by most people here. And with good reason.

-Otto

Re: Detailed statistics on em(4) driver

[Christiano F. Haesbaert]

On 20 June 2013 08:38, Bernd be...@kroenchenstadt.de wrote:
 Hi,

 I've got problems with increasing Ierrs on several machines with
 several em(4) interfaces. Is there a way to get *detailed* information
 on these?

 # netstat -I em3 -d
 NameMtu   Network Address  Ipkts IerrsOpkts
 Oerrs Colls Drop
 em3 1500  Link  de:ad:be:ef  95655063 435896
 63427593 0 00
 em3 1500  fe80::%em3/ fe80::xx:ff:ffe  95655063 435896
 63427593 0 00

 is not that verbose.


 We hacked the kernel. The interface(s) just miss packets, see screenshot:

 http://imageshack.us/f/96/fkad.png/

 Customer urged to move from OpenBSD to Ubuntu for BGP routing.


Missed packets means the ring buffer is full and the card has to drop
the packet.
In other words, you're not fast enough.

Send a dmesg, and we need an idea of the packet rate you're pushing,
chances are you're hitting our stack limit.

Re: setting ttl

[Henning Brauer]

* Chris Smith obsd_m...@chrissmith.org [2013-06-19 16:20]:
 On Wed, Jun 19, 2013 at 6:43 AM, Henning Brauer lists-open...@bsws.de wrote:
  no
 Thanks.
 Any plans to implement this?

no.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

Re: Squid3 in intercept mode

[Stuart Henderson]

On 2013-06-19, Lars Nooden lars.noo...@gmail.com wrote:
 On Wed, 19 Jun 2013, Reyk Floeter wrote:
 Anyway, you should make sure to use divert-to instead of rdr-to in
 your pf.conf.  rdr-to is considered to be obsolete for userland
 proxies (except for spamd).

 That solved it exactly.  I had not seen the change and had been trying 
 rdr-to instead of divert-to.  

Did you find any official instructions with out-of-date information?
I have made sure that the pkg-readme and also Squid's wiki have correct
information for interception proxies.

Re: USB temperature sensors

[Stuart Henderson]

On 2013-06-19, rafaello konfekte peleekaiskardina...@gmail.com wrote:
 Hello,

 Thanks Barry, this was exactly what I was looking for. Been using it now
 for a couple of days with TEMPer sensor on both 5.3 stable and current by
 using this patch written by SASANO Takayoshi:
   http://www2192ue.sakura.ne.jp/~uaa/gomitext/2013/20130331/20130331.diff

 Any ideas when this could go into source tree?



 http://marc.info/?l=openbsd-techm=136472023131435w=2
 http://marc.info/?l=openbsd-techm=136762807930749w=2



There is a newer version here,
http://www.uaa.org.uk/gomitext/2013/20130513/20130513.diff

mpi found a few more issues to fix, I have an additional diff to
go over the top of the above which fixes some but not all of these:
http://junkpile.org/ugold-20130513-patches.diff

Though even with the issues it is still more reliable than uthum.

Re: pf looses skip on tun0 after OpenVPN startup

[Stuart Henderson]

On 2013-06-19, Ryan Slack r...@evine.ca wrote:
 In pf.conf I've got skip on {lo,tun0}, however after openvpn starts,
 skip is removed from tun0. Is there a way to avoid this?
 In the mean time I've added pass quick on tun0 to pf.conf.

You will probably need to reload pf.conf, I believe openvpn re-creates
the tun interface.

Re: Squid3 in intercept mode

[Lars Nooden]

On Thu, 20 Jun 2013, Stuart Henderson wrote:
 On 2013-06-19, Lars Nooden lars.noo...@gmail.com wrote:
  On Wed, 19 Jun 2013, Reyk Floeter wrote:
  Anyway, you should make sure to use divert-to instead of rdr-to in
  your pf.conf.  rdr-to is considered to be obsolete for userland
  proxies (except for spamd).
 
  That solved it exactly.  I had not seen the change and had been trying 
  rdr-to instead of divert-to.  
 
 Did you find any official instructions with out-of-date information?
 I have made sure that the pkg-readme and also Squid's wiki have correct
 information for interception proxies.

No. It was my fault for going through the README but not catching 
'divert-to' I had gotten the two confused with what I had once (last) set 
up with 4.2 or 4.1.  I did notice that pf.conf(5) has several examples for 
rdr-to which seem on the surface to do what I was aiming for, but none for 
divert-to.

Regards,
/Lars

Re: CWM crash

[Rodrigo Mosconi]

Thanks Okan,

I use the selfont config,   Just removed it, and worked! I will wait the
next snapshot.

Att,


2013/6/19 Okan Demirmen o...@demirmen.com

 On Wed 2013.06.19 at 22:04 -0400, Okan Demirmen wrote:
  On Wed 2013.06.19 at 22:34 -0300, Rodrigo Mosconi wrote:
   Hello Misc,
  
   The Jun18/19 snapshot have a break version of CWM
  
   It`s always crash when I try to resize a window (just click M-M1, and
 then
   its segfaults).
  
   Follow dmesg and GDB
  
   Thanks
  
  
   tales:mosconi {102} gdb cwm
   GNU gdb 6.3
   Copyright 2004 Free Software Foundation, Inc.
   GDB is free software, covered by the GNU General Public License, and
 you are
   welcome to change it and/or distribute copies of it under certain
   conditions.
   Type show copying to see the conditions.
   There is absolutely no warranty for GDB.  Type show warranty for
 details.
   This GDB was configured as i386-unknown-openbsd5.3...
   (no debugging symbols found)
  
   (gdb) run
   Starting program: /usr/X11R6/bin/cwm
   (no debugging symbols found)
   (no debugging symbols found)
   (no debugging symbols found)
  
   Program received signal SIGSEGV, Segmentation fault.
   0x097a2574 in XftDrawStringUtf8 () from /usr/X11R6/lib/libXft.so.8.0
   (gdb)
 
  gah - do you have 'color selfont some color' defined in your .cwmrc?

 fix just committed; thanks for the report.  if you can't build -current,
 just comment out color selfont until then.

 thanks,
 okan

carp hung at INIT after update to current snapshot--followup #2

[Jeff Ross]

Followup #2.

I tried booting the older kernels available to me to see if I could 
narrow down the range of the time this problem began.


The kernel from June 9 boots as expected and carp moves to master status 
as it should.


The kernel from June 13 boots but carp stays stuck in INIT.

The most recent snapshot also boots with carp staying in INIT.

I hope that narrows the range down enough to provide a clue.

Thanks again.

Jeff


Followup:

When running sh -x /etc/netstart, I get the following on the firewall 
stuck in INIT:


+ ifmstart trunk svlan vlan carp
ifconfig: SIOCAIFADDR: No buffer space available
ifconfig: SIOCAIFADDR: No buffer space available

The normally backup firewall running /etc/netstart from
OpenBSD 5.3-current (GENERIC.MP) #148: Tue Apr 30 11:41:58 MDT 2013
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
shows this instead

+ ifmstart  trunk svlan vlan carp gif gre pfsync pppoe tun bridge

Hope that helps!

Jeff


Hi all,

Tonight I updated to the June 17 snapshot on my primary firewall. Before 
updating carp has been working flawlessly, with this server the primary 
and its twin the secondary.  When I'd reboot the primary the secondary 
would become master but only until the primary had finished rebooting. 
After updating and reboot the primary's carp0 and carp1 interfaces 
remain in INIT.


I did run sysmerge and don't see anything apropos in the Running 
-current section of the FAQ.


My secondary firewall took over as carp master on reboot but I'm a 
little leery of updating or even rebooting it to see if the primary will 
take over--I'm 650 miles from the server room :-)


dmesg, ifconfig -a and /etc/hostname* follow.

Thanks,

Jeff Ross

OpenBSD 5.3-current (GENERIC.MP) #7: Mon Jun 17 12:17:04 MDT 2013
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.21 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,LONG,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR,LAHF,PERF

real mem  = 3757490176 (3583MB)
avail mem = 3684646912 (3513MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/29/05, BIOS32 rev. 0 @ 0xf0010, 
SMBIOS rev. 2.3 @ 0xfa380 (61 entries)

bios0: vendor American Megatrends Inc. version 080010 date 03/29/2005
bios0: SiMech R200
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC OEMB
acpi0: wakeup devices PXHA(S4) PXHB(S4) EPA0(S4) EPA1(S4) EPB0(S4) 
EPB1(S4) EPC0(S4) P0P1(S4) MC97(S4) USB1(S1) USB2(S1) EUSB(S4) PS2K(S4) 
PS2M(S4) P0PC(S4) SLPB(S4)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.21 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,LONG,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR,LAHF,PERF

cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.21 GHz
cpu2: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,LONG,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR,LAHF,PERF

cpu3 at mainbus0: apid 7 (application processor)
cpu3: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.21 GHz
cpu3: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,LONG,SSE3,DTES64,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR,LAHF,PERF

ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 11 pa 0xfec1, version 20, 24 pins
ioapic1: misconfigured as apic 9, remapped to apid 11
ioapic2 at mainbus0: apid 9 pa 0xfec8, version 20, 24 pins
ioapic2: misconfigured as apic 10, remapped to apid 9
ioapic3 at mainbus0: apid 10 pa 0xfec80400, version 20, 24 pins
ioapic3: misconfigured as apic 11, remapped to apid 10
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (EPA0)
acpiprt2 at acpi0: bus 3 (PXHA)
acpiprt3 at acpi0: bus 2 (PXHB)
acpiprt4 at acpi0: bus 4 (EPA1)
acpiprt5 at acpi0: bus 6 (P0P1)
acpiprt6 at acpi0: bus 5 (P0PC)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: SLPB
bios0: ROM list: 0xc/0x8000 0xc8000/0x800 0xc8800/0x1000 0xc9800/0x1000
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel E7320 Host rev 0x0c
ppb0 at pci0 dev 2 function 0 Intel E7520 PCIE rev 0x0c
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel 6700PXH PCIE-PCIX rev 0x09
pci2 at ppb1 bus 3
mpi0 at pci2 dev 5 function 0 Symbios Logic 53c1030 rev 0xc1: msi
scsibus0 at mpi0: 16 targets, initiator 7
ppb2 at pci1 dev 0 function 2 

xl2tpd lost packets

[Михаил Швецов]

help me. What i'm doing wrong?

pkg_add xl2tpd (OK)

pf - disabled

vi /etc/xl2tpd/xl2tpd.conf

[lac beeline]

lns = vpn.dzer.b2b.local

redial = yes

autodial = yes

vi /etc/ppp/options

name user

vi /etc/ppp/chap-secrets

user * password

vi /etc/ppp/pap-secrets

user * password

vi /etc/rc.conf.local

pkg_scripts=xl2tpd

route -n show -inet

Routing tables

Internet:

Destination Gateway Flags Refs Use Mtu Prio Iface

default 195.98.58.194 UGS 10 1509230 - 6 ppp0

default 10.55.254.65 UGS 1 1514844 - 8 em0

10.55.254.64/26 link#1 UC 1 0 - 4 em0

10.55.254.65 00:22:b0:2f:eb:34 UHLc 2 3109 - 4 em0

10.55.254.126 127.0.0.1 UG 0 0 33152 56 lo0

127/8 127.0.0.1 UGRS 0 0 33152 8 lo0

127.0.0.1 127.0.0.1 UH 3 2177215 33152 4 lo0

172.18.255.15 10.55.254.65 UGHS 0 2950 - 8 em0

192.168.10/24 link#2 UC 3 0 - 4 em1

192.168.10.50 f4:6d:04:dd:45:9a UHLc 3 11486133 - 4 em1

192.168.10.62 link#2 UHLc 1 94544 - 4 em1

192.168.10.255 link#2 UHLc 2 247 - 4 em1

195.98.58.194 XXX.XXX.XXX.XXX UH 1 3177 - 4 ppp0

224/4 127.0.0.1 URS 0 0 33152 8 lo0

# ifconfig

em0: flags=8b43UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST mtu
1500

lladdr 00:1e:8c:f2:13:7a

priority: 0

media: Ethernet autoselect (100baseTX full-duplex)

status: active

inet6 fe80::21e:8cff:fef2:137a%em0 prefixlen 64 scopeid 0x1

inet 10.55.254.126 netmask 0xffc0 broadcast 10.55.254.127

em1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500

lladdr 00:1b:21:39:84:fb

priority: 0

media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)

status: active

inet 192.168.10.1 netmask 0xff00 broadcast 192.168.10.255

inet6 fe80::21b:21ff:fe39:84fb%em1 prefixlen 64 scopeid 0x2

ppp0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1464

priority: 0

groups: ppp egress

inet XXX.XXX.XXX.XXX -- 195.98.58.194 netmask 0xff00
Check link to gateway ISP(em0) and to vpn.dzer.b2b.local (172.18.255.15) -
GOOD

mtu (1472+28=1500)

and when

# ping -D -s 1472 10.55.254.65

PING 10.55.254.65 (10.55.254.65): 1472 data bytes

1480 bytes from 10.55.254.65: icmp_seq=0 ttl=255 time=2.028 ms

1480 bytes from 10.55.254.65: icmp_seq=1 ttl=255 time=2.225 ms

1480 bytes from 10.55.254.65: icmp_seq=2 ttl=255 time=2.060 ms

1480 bytes from 10.55.254.65: icmp_seq=3 ttl=255 time=2.073 ms

# ping -D -s 1472 172.18.255.15

PING 172.18.255.15 (172.18.255.15): 1472 data bytes

1480 bytes from 172.18.255.15: icmp_seq=0 ttl=252 time=0.982 ms

1480 bytes from 172.18.255.15: icmp_seq=1 ttl=252 time=0.944 ms

1480 bytes from 172.18.255.15: icmp_seq=2 ttl=252 time=0.936 ms

1480 bytes from 172.18.255.15: icmp_seq=3 ttl=252 time=0.936 ms

# tcpdump -i em0 icmp

tcpdump: listening on em0, link-type EN10MB

tcpdump: WARNING: compensating for unaligned libpcap packets

21:15:57.299040 10.55.254.126  10.55.254.65: icmp: echo request (DF)

21:15:57.301029 10.55.254.65  10.55.254.126: icmp: echo reply (DF) [tos
0x28]

21:15:58.303589 10.55.254.126  10.55.254.65: icmp: echo request (DF)

21:15:58.305759 10.55.254.65  10.55.254.126: icmp: echo reply (DF) [tos
0x28]

21:15:59.313555 10.55.254.126  10.55.254.65: icmp: echo request (DF)

21:15:59.315579 10.55.254.65  10.55.254.126: icmp: echo reply (DF) [tos
0x28]

21:16:00.323548 10.55.254.126  10.55.254.65: icmp: echo request (DF)

21:16:00.325562 10.55.254.65  10.55.254.126: icmp: echo reply (DF) [tos
0x28]

21:25:00.365887 10.55.254.126  172.18.255.15: icmp: echo request (DF)

21:25:00.366809 172.18.255.15  10.55.254.126: icmp: echo reply (DF) [tos
0x28]

21:25:01.368684 10.55.254.126  172.18.255.15: icmp: echo request (DF)

21:25:01.369586 172.18.255.15  10.55.254.126: icmp: echo reply (DF) [tos
0x28]

21:25:02.378666 10.55.254.126  172.18.255.15: icmp: echo request (DF)

21:25:02.379578 172.18.255.15  10.55.254.126: icmp: echo reply (DF) [tos
0x28]

21:25:03.388677 10.55.254.126  172.18.255.15: icmp: echo request (DF)

21:25:03.389563 172.18.255.15  10.55.254.126: icmp: echo reply (DF) [tos
0x28]

===

Check link to gateway ISP(ppp0) - BAD

mtu (1436+28=1464)

mtu (972+28=1000) but some sites does not open or slow open.

mtu (548+28=576) site open (which in mtu 1000 does not). But internet slow
and
some pockets lost(i think so)

and when

# ping -D -s 1436 195.98.58.194

PING 195.98.58.194 (195.98.58.194): 1436 data bytes

# tcpdump -i ppp0 icmp

tcpdump: listening on ppp0, link-type PPP

21:29:54.656277 XXX.XXX.XXX.XXX  195.98.58.194: icmp: echo request (DF)

21:29:55.666047 XXX.XXX.XXX.XXX  195.98.58.194: icmp: echo request (DF)

21:29:56.676027 XXX.XXX.XXX.XXX  195.98.58.194: icmp: echo request (DF)

21:29:57.686021 XXX.XXX.XXX.XXX  195.98.58.194: icmp: echo request (DF)

# ping -D -s 972 195.98.58.194

PING 195.98.58.194 (195.98.58.194): 972 data bytes

980 bytes from 195.98.58.194: icmp_seq=0 ttl=255 time=0.907 ms

980 bytes from 195.98.58.194: icmp_seq=1 ttl=255 time=0.910 ms

980 bytes from 195.98.58.194: icmp_seq=2 ttl=255 time=0.837 ms

980 bytes from 

Re: Problem with icmp state creation on 5.3 PF

[Stuart Henderson]

On 2013-06-18, Wiesław Herr hers...@makhleb.net wrote:
 Hi misc@!

 After deploying a new OpenBSD 5.3 firewall today I ran into a strange
 problem. The first rule in my ruleset is one NAT-ing ICMP packets from my
 host to Google's DNS IP (8.8.8.8):

 fw1a-spt # pfctl -sr -R0
 pass out log quick inet proto icmp from 192.168.5.96 to 8.8.8.8 nat-to
 195.182.23.4

I suspect you may have an issue where state is not being created where
you expect it.

It's now recommended (and we've changed the sample pf.conf to match)
to start your ruleset with an explicit block (or block log) rule to
ensure that you don't accidentally allow any traffic to pass without
keeping state.

Re: pf looses skip on tun0 after OpenVPN startup

[Aner Perez]

On 06/20/2013 09:03 AM, Stuart Henderson wrote:

On 2013-06-19, Ryan Slack r...@evine.ca wrote:

In pf.conf I've got skip on {lo,tun0}, however after openvpn starts,
skip is removed from tun0. Is there a way to avoid this?
In the mean time I've added pass quick on tun0 to pf.conf.


You will probably need to reload pf.conf, I believe openvpn re-creates
the tun interface.



I believe the persist-tun option in server.conf can help in this case.

- Aner

Re: smtpd aliases

[Denis]

Hi William,

I would suggest trying these things first:

- have you checked smtpd main page to Modify the current mailwrapper(8)
  settings?
- stop smtpd and run it in foreground smtpd -d -v, so all the info will go
  to stderr
- try to exclude dovecot and check that smtpd can deliver messages to local
  user's mbox first.

This should give you enough info to find the root cause of your error, if not
- I would be interested to see the output of above.

I am using OpenSMTPD for almost a 6 months now, it rocks - nice powerful and
simple program!

Thank you and good luck with your mail setup,

-- 
Sincerely yours,
Denis
=
The Bible for command line people.
http://www.read-and-think.org/kjv.html
=

Re: Problem with icmp state creation on 5.3 PF

[Raimundo Santos]

On 20 June 2013 16:53, Stuart Henderson s...@spacehopper.org wrote:

 On 2013-06-18, Wiesław Herr hers...@makhleb.net wrote:

 I suspect you may have an issue where state is not being created where
 you expect it.

 It's now recommended (and we've changed the sample pf.conf to match)
 to start your ruleset with an explicit block (or block log) rule to
 ensure that you don't accidentally allow any traffic to pass without
 keeping state.


In case of a tproxy, which does no-evil and necessary IP spoofing, how will
states be treated?

My PF is in production, so I can not test now, but I had same issue
(packets that bypass nat)  with route-to from an interface to another and
nat-to in the later. I have disabled states to test, and well... nat-to
does not work without it... so I leave everything without states, only
nat-to, but the same problem ocurred.

By now in our ISP we have made a choice for the felxibility of FreeBSD
IPFW, but I really like OpenBSD correctness and the shinny match PF rules,
and ALTQ being removed/reconstructed in a new way.

Re: xl2tpd lost packets

[Михаил Швецов]

and in /var/log/messages
Jun 20 10:26:33 main pppd[19445]: Protocol-Reject for unsupported protocol 
0xbe6b
Jun 20 10:26:42 main last message repeated 2 times
Jun 20 11:01:33 main pppd[19445]: Protocol-Reject for unsupported protocol 
0xd0d2
Jun 20 11:27:51 main pppd[19445]: Protocol-Reject for unsupported protocol 
0xba44
Jun 20 13:29:10 main pppd[19445]: Protocol-Reject for unsupported protocol 
0xb694
Jun 20 13:29:16 main pppd[19445]: Protocol-Reject for unsupported protocol 
0xb694
Jun 21 05:47:45 main pppd[19445]: Protocol-Reject for unsupported protocol 
0x9e07