Re: Low throughput with 1 GigE interface

[livio]

Thank you @Noth.

You are right. The OpenBSD PF FAQ also says:
> PF will only use one processor, so multiple processors (or multiple cores)
WILL NOT improve PF performance.

For PC Engines APU users, I can highly recommend to update the BIOS. It improved
my networking performance quite a bit:
https://pcengines.github.io/

When testing with iperf3 I now get 450Mbit/s instead of 200Mbit/s (with pf
enabled). With pf disabled, I get ~750Mbit/s. Copying files from one to another
machine (same physical NIC on APU, with VLANs and PF enabled) gave me around
930Mbit/s.

Again, many thanks for all your help and inputs!

On 2/5/2020 12:56 AM, Noth wrote:
> According to the manufacturer of the APU2, the problem is with OpenBSD not
> using all cores for network traffic management:
> https://teklager.se/en/knowledge-base/apu2c0-ipfire-throughput-test-much-faster-pfsense/

Kibana/Elasticsearch fail

[Eric Zylstra]

I’ve installed the ELK packages (Elasticsearch, Logstash, Kibana) using 
pkg_add.  Installs went fine.  I checked out the pkg documentation (pkg_reames) 
and followed the steps for those that had documentation to follow.

When I boot, Logstash and Kibana fail.  I can use rcctl to start Logstash with 
no problem.  When I try to start Kibana, the following is what I see:

# rcctl -d start kibana
doing _rc_parse_conf
doing _rc_quirks
kibana_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/kibana
doing _rc_quirks
doing rc_check
kibana
doing rc_start
doing _rc_wait start
doing rc_check
No home directory /nonexistent!
Logging in with home = "/".
Kibana does not support the current Node.js version v10.16.3. Please use 
Node.js v>=10.15.0 <10.16.
doing _rc_rm_runfile
(failed)


I’m not sure what to do with this.  Why is Logstash not starting on reboot?  
Why does Kibana fail?  I assume there is some config that need be done, because 
that Node.js error wouldn’t have made it to distribution, right?

Thanks,

EZ

Re: Process Isolation

[Cal Ledsham]

Sent via BlackBerry® from Telstra

-Original Message-
From: "Johnathan M." 
Sender: owner-m...@openbsd.org
Date: Thu, 6 Feb 2020 08:26:05 
To: Charlie Burnett
Cc: 
Subject: Re: Process Isolation

On Thu, Feb 6, 2020, 4:22 AM Charlie Burnett  wrote:

> Hey y'all,
>
> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can.
>

Qubes uses a hypervisor like kvm/qemu iirc, and the equivalent for OpenBSD
would be vmm/vmd.

>

Re: no pcap file from isakmpd in OBSD6.6

[Marko Cupać]

Christoph Leser  wrote:


Hi,

after upgrading openbsd6.5 to oopenbsd6.6 using sysupgrade isakmpd 
does no longer write pcap files in /var/run.


In /var/log/messages we see the following message:

isakmpd[7385]: log_packet_init: fopen ("/var/run/isakmpd.pcap", "w") 
failed: Permission denied


On 2019-12-03 19:30, Theo de Raadt wrote:

m_priv_local_sanitize_path() contains some realpath() checks.

I think this is either exposing realpath() abuse( as a result of the
new in-kernel realpath to support unveil better), or it is hitting the
realpath() bug which was fixed post-release?


I get similar message when trying to report information about SAs to
isakmpd.results through isakmpd.fifo on 6.6.

echo "S" > /var/run/isakmpd.fifo

...(as root) doesn't return anything, doesn't create results file, and
gives error message in log:

Feb  6 21:20:16 kerber isakmpd[36105]: ui_open_result: fopen() failed: 
Permission denied


If someone knows about some workaround for obtaining isakmpd.results
on 6.6 I'd be very grateful (or at least binary patch :D )

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Re: permissiomns of /dev/fd* and others

[Theo de Raadt]

Cannot reproduce this issue, and the MAKEDEV script in question
has had only minor unrelated changes.

Something is messed up on your system, and you can diagnose this
better yourself.

Jan Stary  wrote:

> With the latest two upgrades (this week and the last),
> the daily security complains about the permissions under /dev (below).
> On other machines, these belong to root:operator - is it intended
> that the snapshot changed them to root:wheel?
> 
> dmesg at bottom
> 
>   Jan
> 
> 
> On Feb 06 01:44:10, r...@stare.cz wrote:
> > 
> > Running security(8):
> > 
> > Checking disk ownership and permissions.
> > Disk /dev/fd0Ba is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Bb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Bc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Bi is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Ca is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Cb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Cc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Ci is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Da is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Db is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Dc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Di is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Ea is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Eb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Ec is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Ei is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Fa is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Fb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Fc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Fi is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Ga is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Gb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Gc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Gi is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Ha is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Hb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Hc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0Hi is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0a is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0b is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0c is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd0i is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Ba is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Bb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Bc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Bi is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Ca is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Cb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Cc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Ci is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Da is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Db is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Dc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Di is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Ea is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Eb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Ec is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Ei is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Fa is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Fb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Fc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Fi is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Ga is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Gb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Gc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Gi is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Ha is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Hb is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Hc is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1Hi is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1a is user root, group wheel, permissions brw-r-.
> > Disk /dev/fd1b is user root, group wheel, 

Re: [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out

[krishh61]

Hi again,

Disabling inteldrm has stopped the ERROR messages to show up but of course
OpenBSD will not switch into higher resolution since then.


Regards

Kris



--
Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html

Re: chroot vs unveil

[Theo de Raadt]

Kevin Chadwick  wrote:

> I am considering replacing all chroot use with unveil in my processes even 
> where
> no filesystem access is required.

I am discouraging this.

unveil is a complicated mechanism, and we may still discover a bug in
it.

Almost all the chroot in the tree are to empty unwriteable directories,
in which case chroot is very secure and a very simple mechanism.

Re: is there a 2GB limit on amd64 link?

[j]

Yes, that (-mcmodel=medium) is the solution.  Thanks!


John

On 2020-02-05 22:03, Philip Guenther wrote:

On Wed, Feb 5, 2020 at 7:38 PM  wrote:


I am encountering a linker error when compiling with ports-gcc
Fortran:

ld: error: lbug2.f90:(function MAIN__: .text+0x80): relocation
R_X86_64_PC32 out o
f range: 2456507324 is not in [-2147483648, 2147483647]

The code has several large arrays, the total size of which exceeds
2GB.

Is this a linker issue, a gcc fortran issue, or a pebkac?


It's at least a gnu fortran issue: it needs to generate object code in
a larger "model" than it currently is.  I've never used gnu fortran,
but it might accept the -mcmodel=medium option like gcc and generate
code sequences for data symbols that don't limit them to the bottom
2GB (or to within 2GB of the involved code, depending on gcc's choices
in implementing the model).

If it doesn't accept that option, then you'll need to work with the
the docs, mailling lists, etc of the upstream gnu fortran project
about how to have it generate code for the medium or large data models
per the amd64 ABI.

Philip Guenther

Re: [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out

[krishh61]

OK, will give it a go. 
I have already tried to disable drm* and drm0 and that just caused the
laptop to hang during boot. 

Will give you a shout what happened when I disable inteldrm.


Cheers



--
Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html

Re: Can't install OpenBSD 6.6 on apu4d4

[Kevin Chadwick]

On 2020-02-06 07:56, mabi wrote:
> Thanks Mischa! I should have thought about that but I couldn't remember 
> having done this with previous APU models and OpenBSD versions.

I expect you known but you can add this into /etc/boot.conf
I also recently forgot or found I had to edit /etc/ttys too to get a getty 
login.

chroot vs unveil

[Kevin Chadwick]

I am considering replacing all chroot use with unveil in my processes even where
no filesystem access is required. Is there any guidance on whether that is the
best practice, where you only intend to run on OpenBSD?

Re: Process Isolation

[Johnathan M.]

On Thu, Feb 6, 2020, 4:22 AM Charlie Burnett  wrote:

> Hey y'all,
>
> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can.
>

Qubes uses a hypervisor like kvm/qemu iirc, and the equivalent for OpenBSD
would be vmm/vmd.

>

Re: Process Isolation

[Kevin Chadwick]

On 2020-02-06 07:59, Charlie Burnett wrote:
> I apologize if this was a question I've somehow missed the answer to!

OpenBSD takes a more fine grained approach in isolating functions rather than
whole programs ideally by the person best suited to do the job (the program
developer). Isolating whole programs has proven not to work very well,
especially on Intel ;)

https://www.openbsd.org/papers/bsdcan2019-unveil/index.html

Re: Process Isolation

[Janne Johansson]

Den tors 6 feb. 2020 kl 10:22 skrev Charlie Burnett :

> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can. FreeBSD has it's jail
> program which is seemingly the gold standard for process isolation when you
> can't be bothered to go to the extent Qubes does. I've been trying to read
> as much OpenBSD source as I can as I find some of the security tricks
> y'all've come up with damn interesting. I know that once upon a time we had
> sysjail, but nowadays we have just have chroot which most systems do. What
> is OpenBSD's solution to this? I'm sure I've read through it I just didn't
> realize the purpose.
>
> I apologize if this was a question I've somehow missed the answer to!
>

Almost looks like you missed the question while posting the answer.
You list some-linux does X, fbsd does Y, obsd does Z (which you find damn
interesting!) and then ask "what is openbsds solution to this?".

As of now, Z is the list of mitigations openbsd does, and that is.. the
solution to "this".

-- 
May the most significant bit of your life be positive.

Re: permissiomns of /dev/fd* and others

[Jan Stary]

With the latest two upgrades (this week and the last),
the daily security complains about the permissions under /dev (below).
On other machines, these belong to root:operator - is it intended
that the snapshot changed them to root:wheel?

dmesg at bottom

Jan


On Feb 06 01:44:10, r...@stare.cz wrote:
> 
> Running security(8):
> 
> Checking disk ownership and permissions.
> Disk /dev/fd0Ba is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Bb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Bc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Bi is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Ca is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Cb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Cc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Ci is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Da is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Db is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Dc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Di is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Ea is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Eb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Ec is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Ei is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Fa is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Fb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Fc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Fi is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Ga is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Gb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Gc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Gi is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Ha is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Hb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Hc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0Hi is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0a is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0b is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0c is user root, group wheel, permissions brw-r-.
> Disk /dev/fd0i is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Ba is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Bb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Bc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Bi is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Ca is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Cb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Cc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Ci is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Da is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Db is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Dc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Di is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Ea is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Eb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Ec is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Ei is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Fa is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Fb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Fc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Fi is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Ga is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Gb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Gc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Gi is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Ha is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Hb is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Hc is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1Hi is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1a is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1b is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1c is user root, group wheel, permissions brw-r-.
> Disk /dev/fd1i is user root, group wheel, permissions brw-r-.
> Disk /dev/rd0a is user root, group wheel, permissions brw-r-.
> Disk /dev/rd0c is user root, group wheel, permissions brw-r-.
> Disk /dev/sd0a is user root, group wheel, permissions brw-r-.
> 

Re: bad ip cksum 0! -> in enc interface

[Janne Johansson]

Den ons 5 feb. 2020 kl 21:01 skrev Riccardo Giuntoli :

> I'm setting up a roadwarrior type ikev2 secure connection from .es to .uk.
> root@ganesha:/etc# cat hostname.enc0
>
> root@smigol:/etc# cat hostname.enc0
> inet 172.16.44.2/32
> up
>

Why are you setting up hostname.enc0?
What guide is recommending you to do that?


> I cannot find solution in Internet and the real think is that in many
> others post people copy and paste packets and this error is visible but no
> one think that is in effect an error or do not speak about.
>

Please set a vpn up like the openbsd faq on IPSec VPNs shows, and take it
from there.
It never mentions adding ip to enc0 (and that is not the purpose of enc0)
so I don't see why you should.

enc(4) is a debug and filtering tool not a config part of vpns.

-- 
May the most significant bit of your life be positive.

Re: bad ip cksum 0! -> in enc interface

[Riccardo Giuntoli]

Hi there Janne.

Result is the same in both endpoints. With or without ipcomp.

Any others suggestions?

Nice regards to you all misc@

On Thu, Feb 6, 2020 at 8:10 AM Janne Johansson  wrote:

> Den ons 5 feb. 2020 kl 21:01 skrev Riccardo Giuntoli :
>
>> If i sniff traffic over enc0 interface I found a strange error about ip
>> chksum:
>>
>>  (DF) (ttl 63, id 43164, len 52) (DF) (ttl 64, id 18753, len 72, bad ip
>> cksum 0! -> c48a)
>> This is the error as you can review.
>>
>> I cannot find solution in Internet and the real think is that in many
>> others post people copy and paste packets and this error is visible but no
>> one think that is in effect an error or do not speak about.
>>
>
> You often see 0 in packet checksum fields if the packet is heading out on
> a device
> which claims to do ipv4 checksum offloading in hardware. In such cases,
> the OS will
> not spend time doing software checksums, but the hardware will do it just
> before the
> packet leaves for the network, so that is why the software sniffer will
> see 0 there, but
> the remote end (you do look for errors from both ends, right?) will see
> something else
> there.
>
> --
> May the most significant bit of your life be positive.
>


-- 
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: Canyelles, BCN, España
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net

Process Isolation

[Charlie Burnett]

Hey y'all,

Sorry if this has been answered before but I couldn't find a satisfactory
answer searching for it, and this is more of an academic question. So
security focused Linux distros like Qubes go to extremes to
compartmentalize/isolate any and all programs it can. FreeBSD has it's jail
program which is seemingly the gold standard for process isolation when you
can't be bothered to go to the extent Qubes does. I've been trying to read
as much OpenBSD source as I can as I find some of the security tricks
y'all've come up with damn interesting. I know that once upon a time we had
sysjail, but nowadays we have just have chroot which most systems do. What
is OpenBSD's solution to this? I'm sure I've read through it I just didn't
realize the purpose.

I apologize if this was a question I've somehow missed the answer to!

Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

[Denis]

Brian,

I'm going to set vnetid 100 to tag VLAN and connect physical em0 to L3
switch "uplink" port (port 10 in my case) with "Tagged" mark.

# /etc/hostname.vlan100
description 'Untrusted'
inet 192.168.155.1 255.255.255.240 192.168.155.15 lladdr
32:f6:02:c4:1A:88 vlandev em0 vnetid 100

Ports 1-3 on L3 switch will be used for IoT connection and marked as
"Untagged".

Do you think will it be right?

Denis

On 2/5/2020 10:19 PM, Brian Brombacher wrote:
> The OP’s hostname.vlan* files never specify a vnetid.  I get an error trying 
> to configure and bring up the second vlan interface the same way without 
> vnetid specified.  Regardless of my error, the ifconfig(8) man page says 
> without vnetid specified, vlan tag 0 will be used.  You need to specify two 
> different vlan tags.
> 
> All of that aside: VLANs don’t give you any more security.  If the client 
> host is on the same physical network as your two VLANs, the only thing 
> stopping them from jumping between VLANs would be physical devices (switches, 
> etc.) configured to prevent that.  From what I gathered, you don’t have this 
> level of control.  Therefore, you gain nothing by segmenting the networks 
> with VLANs.
> 
> -Brian
> 
>> On Feb 5, 2020, at 11:58 AM, Christian Weisgerber  wrote:
>>
>> On 2020-02-05, Janne Johansson  wrote:
>>
 # /etc/hostname.vlan101
 description 'WLAN attached untrusted hosts'
 inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>> VLANs and wifi sounds like a non-starter.
>>
>> Yep, if you're building your access point with OpenBSD.
>>
>> More generally, though, any AP in the business segment has support
>> for multiple SSIDs that can be assigned to different VLANs on the
>> Ethernet side.
>>
>> -- 
>> Christian "naddy" Weisgerber  na...@mips.inka.de
> 

Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

[Denis]

Thank you for all the replies.

Christian right, I didn't familiar with VLANs before my conceptual
question about IoT isolation, so I have no knowledge how do VLANs work
before his answer.

Thanks to documentation, articles, and vlan(4), in OpenBSD for any of
physical Ethernet device can be attached multiple VLANs but L3 switch
with IEEE 802.1Q protocol supported must be present.

Hopefully, GS110TP has L3 compatibility but requires to point "Tagged" &
"Untagged" for each of VLAN port during VLANs allocation. If I
understand the concepts right, I should _tag_ each /etc/hostname.vlan1xx
outgoing traffic and connect physical Ethernet cable to specially
allocated port on L3 switch for "Tagged" VLAN traffic. I'd like to call
it as "Uplink" port on L3 switch to connect to OBSD box physical
Ethernet port. Any group of ports intended for IoT connection (L3 switch
ports 1-3 in my case) should be marked as "Untagged" to connect IoT
devices. Please correct me if I've been mistaken.

As for "access point", it works well and actively use for a long time.
Second SSID is a good idea to make some isolation for untrusted and
filter in PF by some indication but I don't know which indication for
now. I think it will be the next step forward to wireless IoT isolation.

Denis

On 2/5/2020 5:53 PM, Christian Weisgerber wrote:
> On 2020-02-05, Janne Johansson  wrote:
> 
>>> # /etc/hostname.vlan101
>>> description 'WLAN attached untrusted hosts'
>>> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>>
>> VLANs and wifi sounds like a non-starter.
> 
> Yep, if you're building your access point with OpenBSD.
> 
> More generally, though, any AP in the business segment has support
> for multiple SSIDs that can be assigned to different VLANs on the
> Ethernet side.
>