Re: Slow Wireless, Fast Copper

2008-08-20 Thread Alex Berdan
I saw a similar problem and I got it fixed by changing the frequency
channel of the wireless box. Did you try this already?


On 8/10/08, ropers [EMAIL PROTECTED] wrote:
> 2008/8/6 OpenBSD Misc [EMAIL PROTECTED]:
> > Hi.  I'm at my wits end.
> >
> > My original configuration:
> > I have a laptop (HP Pavilion dv9700).  It comes with an integrated Intel
> > Wireless WiFi Link 4965AGN adapter and is running Vista Home Premium.  I
> > have a D-Link DWL-2200AP wireless access point.  I have an old Gateway
> > computer with a P3 processor running at 650 MHz and five NICs that was
> > running FreeBSD 7.  I have a Westell DSL modem with 3000/768 service through
> > Verizon.  The Gateway is set up as a firewall with ipf.  The notebook
> > connects wirelessly to the WAP, which is cabled into a NIC in the firewall,
> > which is cabled to the DSL modem through a different NIC.
> >
> > The problem:
> > I noticed that my wireless was running slowly.  Verizon has a speed testing
> > website, so I test my speed with it.  My upload speed nearly maxes out at
> > 700 Kbps no matter what my configuration is.  My download speed doesn't
> > typically get above 90 Kbps.  BUT, I have a PC running Windows XP Pro
> > connected to a third NIC in the firewall, and the speed test nearly maxes
> > out both upload and download speeds.
> >
> > What I did:
> > Okay, something's wrong with the wireless link.  I connect the WAP directly
> > to the DSL modem and retest my speed.  I'm running at FULL speed, so the
> > problem isn't with the wireless connection between the laptop and the WAP.
> > So I reconnect the WAP to the firewall with a different (new, prefab,
> > unopened) ethernet cable and retest.  Download speed sucks again; it's not a
> > cabling issue.  So I move to a different NIC and retest.  Download speed
> > still sucks; it's not the NIC.  So I move to the NIC to which my XP PC was
> > connected (which got fast download speeds) and retested.  Download speed
> > STILL sucks.  I buy a D-Link DAP-1522 wireless access point and replace the
> > DWL-2200AP.  I retest and get sucky download speeds.  I've been wanting to
> > move to OpenBSD and pf for some time now, so I install OpenBSD 4.3 on the
> > firewall, set up my DSL connection, DNS service, and DHCP service.  I
> > configure pf with a minimal configuration that basically lets all outbound
> > traffic pass and blocks all inbound traffic from the internet.  I test
> > connectivity, and my Vista laptop and XP PC both connect to the Internet and
> > can talk to each other.  The firewall can talk to everything.  I put all
> > cables back to their original configuration; everything's connected as it
> > was when I first noticed the problem except for the new WAP, the new OS, and
> > the new cable.  I retest my speeds.  I'm back where I started: XP PC gets
> > full speed internet service, laptop gets sucky download speeds through the
> > wireless link.  So with OpenBSD on the Gateway I retry everything I just
> > described above with the new WAP and new cable and get the same results.  I
> > put everything back to the original configuration again except the WAP, OS,
> > and cable.  I test the speed over the wireless link again and get sucky
> > download speeds.  I copy a large file from my XP PC to my laptop (which is
> > still connected to the firewall wirelessly all this time) and I get GREAT
> > transfer speeds.
> >
> > Conclusion:
> > So I can talk through my WAP and through my firewall to anything else on my
> > side of the internet connection at full speed, and everything that's not
> > wireless can talk through the firewall to the internet at full speed.  But I
> > cannot talk through my WAP and through my firewall to the Internet at full
> > speed.  I can talk through my WAP to the Internet (not through the firewall)
> > at full speed.
> >
> > Can anyone please offer some assistance?
> >
> > Thank you...
> >
> >
> > Additional information:
> > The three NICs in the firewall that I tried use the vr, xl, and ne drivers.
> > The vr has a VIA Rhine or RhineII chipset.  The xl is a 3Com 3c905, and the
> > ne is a generic card using the Realtek 8029 chipset.
> >
>
> <snip />
>
> I'm clueless as to your actual problem, but I did have the following thoughts:
>
> The question is whether this problem is
> OS/software/configuration-specific. The fact that you've encountered
> the same problem with FreeBSD and OpenBSD seems to suggest that it's
> not OS/software-specific, but there are some commonalities between the
> various *BSDs, and there is more common code between Free- and OpenBSD
> than between Linux and OpenBSD. I don't know^W^W^WAccording to
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-apps.html
> , FreeBSD uses IPF, IPFW and PF. Which did you use when you tried
> FreeBSD? If you used PF both on OpenBSD and FreeBSD, then it might be
> a PF problem. This may be a bit of work to even try, but are you
> encountering the same problems with the other firewalls under FreeBSD?
> If yes, then you could try to rule out problems because of common code
> in the OpenBSD and FreeBSD OSes by trying Linux/IPtables and 

GRE or gif keepalive

2007-05-17 Thread Alex Berdan

Hey Everybody,

Do you know if GRE or gif is having a keepalive option? I searched
with google and the archives and I didn't find anything like that.
The problem that I have is as I run GRE over IPSec and I would like to
know when the IPSec tunnel is down with the help of GRE interface
which it should go down if there is some sort of keepalive mechanism.

--

Alex



Re: GRE or gif keepalive

2007-05-17 Thread Alex Berdan

Thanks Stuart,

I heard about this command. I ain't using OSPF for the link state I use BGP.
My GRE interface never goes down when the IPsec goes down.

Is this normal? Cosmetic bug?

Thanks,
Rgds, Alex

On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 13:46, Alex Berdan wrote:
> > Do you know if GRE or gif is having a keepalive option?
>
> Not directly, but you can add one using ospfd(8) or ifstated(8).





--

Alex



Re: GRE or gif keepalive

2007-05-17 Thread Alex Berdan

Thanks anyway!

I was curious about the GRE implementation on OpenBSD as in CISCO
there are keepalives and I can have SNMP traps in case the IPSec
tunnel is down (GRE interface is down).
The BGP works just fine and the routes converge exactly as I wanted.

Is OpenBSD having any plans with this GRE keepalives? (Unfortunately
my environment is not all CISCO)

Thanks, Alex


On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 17:11, Alex Berdan wrote:
> > I heard about this command. I ain't using OSPF for the link state I use BGP.
>
> Well, you could lower your timers then...
>
> > My GRE interface never goes down when the IPsec goes down.
>
> That's normal, gre doesn't know about link state.




Re: GRE or gif keepalive

2007-05-17 Thread Alex Berdan

This is a nice feature which can be used in cases where you don't run
any dynamic routing protocol over GRE/IPSec tunnel.
If you have OpenBSD as VPN concentrator you can have SNMP traps when
the tunnel is down and take any action etc.

Here is the CISCO implementation:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cec.html

Hopefully someone will see this and eventually propose an alternate
solution or implement keepalives in the distribution.

Rgds, Alex


On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 18:02, Alex Berdan wrote:
> > I was curious about the GRE implementation on OpenBSD as in CISCO
> > there are keepalives
>
> Unfortunately, despite GRE being documented across a number of
> RFCs, there's no mention of this. Looks like it's probably a cisco-
> proprietary extension, I couldn't find any docs on packet formats
> or implementation. Have you come across any?





--

Alex
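
The ifstated(8) route Stuart Henderson suggests in this thread could look like the following. This is an added example, not part of the original messages; the inner peer address 192.0.2.2 and the logger(1) actions are assumptions to be replaced with the real far-end gre0 address and whatever alerting is wanted.

```conf
# /etc/ifstated.conf (added example, not from the thread)
# Assumptions: 192.0.2.2 is a placeholder for the far end's inner gre0
# address; the logger(1) calls stand in for the desired alert action.

init-state probing

# External test: one ICMP echo through the tunnel every 10 seconds.
# gre0 has no link state of its own, so reachability of the far end
# is used as the keepalive signal instead.
peer_ok = '( "ping -q -c 1 -w 2 192.0.2.2 > /dev/null" every 10 )'

# Startup state: decide which way to go after the first probe.
state probing {
	if $peer_ok
		set-state tunnel_up
	if ! $peer_ok
		set-state tunnel_down
}

state tunnel_up {
	init {
		run "logger -t ifstated -p daemon.notice gre0 peer reachable"
	}
	if ! $peer_ok
		set-state tunnel_down
}

state tunnel_down {
	init {
		run "logger -t ifstated -p daemon.err gre0 peer unreachable"
	}
	if $peer_ok
		set-state tunnel_up
}
```

The state change fires on a single missed probe, so a lossy path will make it flap; the `run` lines are the place to hook in a trap sender or a route change.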



can CARP monitor an interface?

2007-03-16 Thread Alex Berdan

Hi,

Is it possible to make CARP to monitor an interface and if that
interface is down to switch to slave from master? (I know this is
possible with HSRP)

Thanks

--

Alex



NAT-ing on enc0

2007-03-12 Thread Alex Berdan

Hi,

I have 2 OpenBSDs having a VPN tunnel between them. One of the peers is
having behind it a spam filter. All the SMTP traffic for that is
getting redirected from internet internal to spam filter machine, then
filtered and delivered to the mail server.
On the second BSD I have the SMTP backup for the main SMTP server
located on the first BSD. When the SMTP server located on the first
BSD fails the second is taking the mails and as soon as the primary
SMTP server comes up it delivers the traffic but because of the VPN
tunnel, the traffic is not getting filtered by the spam filter (the
traffic is not getting redirected anymore as it is coming from another
interface).

Is there a way to rdr the traffic which comes on the tunnel to a
different server than the one which it is coming to?

I tried with:


rdr pass on enc0 proto tcp from any to $ext port 25 -> spam filter IP address


but it didn't work.

Could you please help me out?

Thanks
--

Alex



GRE tunnel setup problem?

2006-08-01 Thread Alex Berdan

Hi All,

I set up a GRE tunnel between two sites to have the
broadcast/multicast passing between the two but nothing is passing!
I'm not using for the moment any firewall and the configuration is
straightforward as per man gre.

192.168.1.2/24
      |
192.168.1.1/24
  Gateway A
10.0.0.1/24
      |
   internet
      |
172.16.2.2
  Gateway B
192.168.3.1/24
      |
192.168.3.2/24


On Gateway A I have:

ifconfig gre0 create
ifconfig gre0 192.168.1.1 192.168.3.1 netmask 255.255.255.255 link1 up
ifconfig gre0 tunnel 10.0.0.1 172.16.2.2

For the Gateway B I have:

ifconfig gre0 create
ifconfig gre0 192.168.3.1 192.168.1.1 netmask 255.255.255.255 link1 up
ifconfig gre0 tunnel 172.16.2.2 10.0.0.1

The Windows broadcast that I have behind 192.168.1.0/24 is not passing
through the GRE tunnel which is UP and running. Also the OSPF which is
multicasting is not passing through the gre0 interface. Pinging the
internal interfaces in both sites is working. Tcpdump on the gre0
interface is not showing anything.

Could you please give me any clue on how I should debug?

Alex



Re: GRE tunnel setup problem?

2006-08-01 Thread Alex Berdan

Yes, I fully agree with you but this is why I want to have GRE tunnel
in place. I want the broadcast/multicast to pass my gre0 tunnel and
reach from one side to the other.
I have even added the 224.0.0.0/4 with gateway 192.168.3.1 on Gateway
A and 224.0.0.0/24 with gateway 192.168.1.1 on gateway B and still
doesn't cross any multicast or broadcast.

Do you have any idea?

Alex


 
> You have different logical networks on either side of the tunnel, which
> means routing is involved.  Broadcasts do not cross network routers by
> default, which prevents everyone's broadcasts from crossing the entire
> Internet (a good thing).




Re: GRE tunnel setup problem?

2006-08-01 Thread Alex Berdan

Most likely it will work fine as a bridged network over the tunnel.
But in this case I still don't understand the purpose of the GRE!? I
thought that is passing both the broadcasts/multicasts in order to run
for ex. EIGRP or OSPF in a mesh VPN environment.



On 8/1/06, Will H. Backman [EMAIL PROTECTED] wrote:
> Do you have the option of bridging between the two networks, and
> configuring both networks as if they were the same network?  Think of
> the bridge as a long ethernet cable.
>
> -Original Message-
> From: Alex Berdan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 01, 2006 4:00 PM
> To: Will H. Backman
> Subject: Re: GRE tunnel setup problem?
>
> Yes, I fully agree with you but this is why I want to have GRE tunnel in
> place. I want the broadcast/multicast to pass my gre0 tunnel and reach
> from one side to the other.
> I have even added the 224.0.0.0/4 with gateway 192.168.3.1 on Gateway A
> and 224.0.0.0/24 with gateway 192.168.1.1 on gateway B and still doesn't
> cross any multicast or broadcast.
>
> Do you have any idea?
>
> Alex
>
> > You have different logical networks on either side of the tunnel,
> > which means routing is involved.  Broadcasts do not cross network
> > routers by default, which prevents everyone's broadcasts from crossing
> > the entire Internet (a good thing).
>
> --
> Alex

--

Alex



Re: GRE tunnel setup problem?

2006-08-01 Thread Alex Berdan

My point in here is to have a controlled multicast server over some
IPSec tunnels (8 end points are in the picture). As I was trying with
2 end-points I saw that nothing is passing through.
For the moment I'm having static routes and I want to switch over OSPF
on all locations but I need the multicast(broadcast) passing through
the VPN tunnels (IPSec)
Can gif(4) help me in achieving this?

Tks, Alex



> Gre(4) multicast code is broken -- at least it was so in May when I last
> tested it.  I invested once some time to debug it but got distracted by
> real life issues. I fixed gif(4) so there multicasting will work.
> If you can give gif(4) a try.
>
> --
> :wq Claudio





--

Alex



borrowing in 3.8

2005-11-10 Thread Alex Berdan
Hi All,

It's been a long time since I'm trying to do borrowing with pf and
altq from OpenBSD and seems that it's not working for me.
Here is what I do:

altq on pcn0 cbq bandwidth 10Mb queue { std, ftp }
queue std bandwidth 1024Kb cbq(default)
queue ftp bandwidth 1Mb cbq { low, big }
 queue big bandwidth 80% priority 3 cbq(borrow)
 queue low bandwidth 64Kb priority 1 cbq(borrow)


pass in quick on lo0
pass out quick on lo0

pass in quick on pcn0 inet proto tcp from any to pcn0 port 80 keep state queue low
pass in quick on pcn0 inet proto tcp from any to pcn0 port 22 keep state queue big

I run Apache and I'm sharing a 20MB file.

When I download from the OpenBSD box I'm getting something like 8.31KB/Sec.

If I take a look in the pfctl -vv -sq I get something like:

queue   big bandwidth 800Kb priority 3 cbq( borrow )
  [ pkts:573  bytes:  87942  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50  borrows:  0  suspends:  0 ]
  [ measured: 4.2 packets/s, 5.19Kb/s ]


queue   low bandwidth 64Kb cbq( borrow )
  [ pkts:778  bytes:1104998  dropped pkts:  0 bytes:  0 ]
  [ qlength:  11/ 50  borrows:556  suspends:132 ]
  [ measured: 6.0 packets/s, 67.82Kb/s ]


It seems that it's borrowing but not everything! Do you have any idea why?
Do you have a working example?

Thank you in advance.
Alex