Loading of pf rule hangs

2022-03-19 Thread Axel Rau
I just installed the recent fixes for 6.0 with syspatch.
After rebooting, my pf rules were not installed.
pfctl -nvvf pf.conf shows rule loading hangs between these rules:
- - -
table <black_hole> persist file "/etc/pf/black_hole.txt"
block drop in quick on $red_if from <black_hole> flags any
- - -
After a minute rule loading completes.

The file exists and contains valid ips.
At the end there was an empty line.
May this be the reason?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
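As an added example that is not part of the thread or of OpenBSD: a small pre-flight check for a pf table file before pfctl loads it. It assumes one entry per line (pf's file format takes addresses, networks, '!'-negated entries and '#' comments), and it treats a hostname-like entry as the thing to look for, because pfctl hands such entries to the resolver while the ruleset loads, which can stall the load until the lookup gives up; blank lines are reported but are harmless. The sample table and the names in it are constructed.

```python
#!/usr/bin/env python3
"""Pre-flight check for a pf table file (the 'file "/etc/pf/..."' argument).

pfctl treats every non-comment line as an address, a network or a hostname.
A hostname is resolved with DNS while the ruleset loads, so one stray name in
an otherwise numeric blocklist can stall 'pfctl -f' until the lookup gives
up. Blank lines and '#' comments are skipped by pfctl and are harmless.
"""
import ipaddress
import sys
from typing import List, NamedTuple


class Entry(NamedTuple):
    lineno: int
    kind: str    # address | network | blank | comment | hostname | invalid
    text: str


def classify(token: str) -> str:
    """Classify one stripped, comment-free table entry."""
    if not token:
        return "blank"
    core = token[1:] if token.startswith("!") else token   # '!' negates an entry
    try:
        ipaddress.ip_address(core)
        return "address"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(core, strict=False)
        return "network"
    except ValueError:
        pass
    if core and all(c.isalnum() or c in ".-_" for c in core):
        return "hostname"          # pfctl would hand this to the resolver
    return "invalid"


def check_table_file(text: str) -> List[Entry]:
    """Classify every line of a table file; one entry per line is assumed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if stripped.startswith("#"):
            entries.append(Entry(lineno, "comment", raw))
            continue
        token = stripped.split("#", 1)[0].strip()   # drop a trailing comment
        entries.append(Entry(lineno, classify(token), token))
    return entries


def problems(text: str) -> List[Entry]:
    """Entries that would slow down or break loading."""
    return [e for e in check_table_file(text) if e.kind in ("hostname", "invalid")]


# Constructed sample, not a file from the thread: numeric entries, an empty
# line, a comment, and one hostname that would trigger a DNS lookup at load.
SAMPLE_TABLE = "\n".join([
    "146.168.0.0/16",
    "198.51.100.7",
    "",
    "# comment line",
    "2001:db8::/32   # trailing comment",
    "resolver.example",
    "!203.0.113.0/24",
    "",
])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TABLE
    for e in problems(text):
        print(f"line {e.lineno}: {e.kind}: {e.text}")
```

Run it with the table file as the only argument; an empty result means every entry is a literal address or network and loading will not wait on DNS.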



Re: functional difference of isakmpd and iked

2022-03-11 Thread Axel Rau



> On 11.03.2022 at 14:32, Tobias Heider wrote:
> 
> looks like your setup should also work with iked.
So I will try this in a few weeks and report back.

Thanks for responding,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: functional difference of isakmpd and iked

2022-03-11 Thread Axel Rau



> On 09.03.2022 at 11:44, Axel Rau wrote:
> 
> are both able to support the same network topologies with both IPv4 and IPv6?
Seems to be a difficult question.
What can I do to get an answer / a comment of one of the experts?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



functional difference of isakmpd and iked

2022-03-09 Thread Axel Rau
Hi all,

are both able to support the same network topologies with both IPv4 and IPv6?

The application uses 3 VPN gateways (all OpenBSD) and connects several public 
nets behind both gateways.
Some private nets are served without NAT to other VPN members.
One gateway uses a fixed IPv4 address, the other 2 are road warriors, where IP 
of others changes about once a month.

As this is an operational setup, moving from isakmpd to iked seems to be a 
challenge. (-:

Can the transition be done without losing functionality?

Axel
PS: To illustrate further, I include the connections from isakmpd.conf

gw with fixed address: 

[CON_2_2]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_IH4
Remote-ID=  NET_M4_PRIVATE
PF-Tag= FROM_VPN

[CON_2_3]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_DEFAULT4
Remote-ID=  NET_M4_LRAU
PF-Tag= FROM_VPN

[CON_2_4]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_N6_GLOBAL_UNICAST
Remote-ID=  NET_M6_LRAU
PF-Tag= FROM_VPN

[CON_2_5]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_N6_GLOBAL_UNICAST
Remote-ID=  NET_M6_WLAN_LRAU
PF-Tag= FROM_VPN

# --
[CON_3_1]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_IH4
Remote-ID=  NET_N4_PRIVATE
PF-Tag= FROM_VPN

[CON_3_2]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_N6_GLOBAL_UNICAST
Remote-ID=  NET_N6_LRAU
PF-Tag= FROM_VPN

# --
[CON_23_1]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_M4_PRIVATE
Remote-ID=  NET_N4_PRIVATE
PF-Tag= FROM_VPN

[CON_23_2]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_N4_PRIVATE
Remote-ID=  NET_M4_PRIVATE
PF-Tag= FROM_VPN

One of 2 road warriors: -

# ---
[CON_2_2]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Flags=  Active-only
Remote-ID=  NET_IH4
Local-ID=   NET_M4_PRIVATE
PF-Tag= FROM_VPN

# ---
[CON_2_3]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Flags=  Active-only
Remote-ID=  NET_DEFAULT4
Local-ID=   NET_M4_LRAU
PF-Tag= FROM_VPN

# ---
[CON_2_4]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Flags=  Active-only
Remote-ID=  NET_N6_GLOBAL_UNICAST
Local-ID=   NET_M6_LRAU
PF-Tag= FROM_VPN

# ---
[CON_2_5]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Flags=  Active-only
Remote-ID=  NET_N6_GLOBAL_UNICAST
Local-ID=   NET_M6_WLAN_LRAU
PF-Tag= FROM_VPN

# --
[CON_23_1]
Phase=  2
ISAKMP-peer=CON_1
Configuration=  quick-mode
Local-ID=   NET_M4_PRIVATE
Remote-ID=  NET_N4_PRIVATE
PF-Tag= FROM_VPN


---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-07 Thread Axel Rau


> On 05.05.2021 at 16:20, Stuart Henderson wrote:
> 
> This is usually best dealt with in your DNS server software e.g. by using
> the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
> section in BIND.

Yes, I have this in place now, but I am trying to get the fw to drop them.
This does not seem to work:
udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload 
 flush global )'
…
pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"

Is this not possible with udp?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



signature.asc
Description: Message signed with OpenPGP


fighting amplification attack --was: Re: pf: block drop not working

2021-05-05 Thread Axel Rau


> On 05.05.2021 at 13:30, Tom Smyth wrote:
> 
> black_whole vs black_hole
> 
> check the table name …

But even with the correct table name I had to flush states to get it working.

Does anyone have a script handy to update the table to black hole dns clients 
which repeat the same query with high frequency?

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
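Added example, serving both the request above for a script that black-holes repeat-query clients and the max-src-conn-rate question in the follow-up; it is not code from the thread or from OpenBSD. pf.conf(5) defines max-src-conn and max-src-conn-rate for TCP connections that have completed the 3-way handshake, so those options never trigger for UDP; max-src-states is the per-source option that counts UDP states. The script instead works from a packet capture: it expects 'tcpdump -n -e' output in the format quoted in these messages, assumes the table is named black_hole as in the thread, and uses an arbitrary threshold of 20 identical queries within 10 seconds. The sample capture, IP addresses and MAC addresses are constructed.

```python
#!/usr/bin/env python3
"""Black-hole DNS clients that repeat the same query at high frequency.

Reads 'tcpdump -n -e' output (the format quoted in the thread), counts
identical (source, qname, qtype) queries in a sliding window and prints the
pfctl commands that add the offender to the table and kill its states.
"""
import re
import sys
from collections import defaultdict, deque

# A query line: 'ID+' marks a query (recursion desired); responses are 'ID-'.
QUERY_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+)\s.*?"
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.53: "
    r"\[[^\]]*\] \d+\+ (?P<qtype>\S+)\? (?P<qname>\S+?)\(\d+\)"
)


def parse_query(line):
    """Return (seconds_of_day, src, qname, qtype) for a DNS query line, else None."""
    m = QUERY_RE.match(line)
    if m is None:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return ts, m["src"], m["qname"].lower(), m["qtype"].upper()


def find_offenders(lines, threshold=20, window=10.0):
    """Map src -> (qname, qtype, peak count) for every source that sent the
    same query at least `threshold` times inside any `window` seconds."""
    recent = defaultdict(deque)          # (src, qname, qtype) -> timestamps
    offenders = {}
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        ts, src, qname, qtype = q
        dq = recent[(src, qname, qtype)]
        dq.append(ts)
        while ts - dq[0] > window:       # drop timestamps outside the window
            dq.popleft()
        if len(dq) >= threshold and len(dq) > offenders.get(src, ("", "", 0))[2]:
            offenders[src] = (qname, qtype, len(dq))
    return offenders


def pfctl_commands(offenders, table="black_hole"):
    """pf consults the state table before the ruleset, so a new entry in a
    'block' table does not affect traffic that already has a state; the
    states originating from the offender are therefore killed explicitly."""
    cmds = []
    for src in sorted(offenders):
        cmds.append(f"pfctl -t {table} -T add {src}")
        cmds.append(f"pfctl -k {src}")
    return cmds


def _capture_line(ts, src, sport, dst, qid, qtype, qname):
    # Constructed line in 'tcpdump -n -e' style; MACs and IPs are made up.
    h, rem = divmod(ts, 3600)
    m, s = divmod(rem, 60)
    return (f"{int(h):02d}:{int(m):02d}:{s:09.6f} 00:60:e0:5a:75:36 "
            f"00:00:5e:00:01:04 0800 72: {src}.{sport} > {dst}.53: "
            f"[no udp cksum] {qid}+ {qtype}? {qname}({len(qname) + 2}) "
            f"(ttl 249, id 3922, len 58)")


# Constructed sample capture: 25 identical RRSIG queries in 5 s from one
# spoofed source (an amplification pattern), 5 ordinary queries from another,
# and one response line that must be ignored.
SAMPLE_CAPTURE = (
    [_capture_line(43200 + i * 0.2, "198.51.100.7", 443, "192.0.2.21",
                   1, "RRSIG", "pizzaseo.com.") for i in range(25)]
    + [_capture_line(43200 + i * 1.5, "203.0.113.9", 40000 + i, "192.0.2.21",
                     1000 + i, "A", f"host{i}.example.net.") for i in range(5)]
    + ["12:00:05.100000 00:00:5e:00:01:04 00:60:e0:5a:75:36 0800 532: "
       "192.0.2.21.53 > 198.51.100.7.443: [udp sum ok] 1- 0/13/14(490) "
       "(ttl 63, id 10399, len 518)"]
)

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for cmd in pfctl_commands(find_offenders(source)):
        print(cmd)
```

Usage (interface name assumed): `tcpdump -l -n -e -i em2 udp dst port 53 | python3 dns_blackhole.py | sh`. The `pfctl -k` line is what the "had to flush states" observation in the thread amounts to; without it the offender's existing states keep matching.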





Re: pf: block drop not working

2021-05-05 Thread Axel Rau

> On 05.05.2021 at 13:30, Tom Smyth wrote:
> 
> black_whole vs black_hole
> 
> check the table name …

Thanks a lot!
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





pf: block drop not working

2021-05-05 Thread Axel Rau
Hi all,

in pf.conf, I have at the beginning:
- - -
table <black_hole> persist file "/etc/pf/black_hole.txt"
block drop in quick on $red_if from <black_hole> flags any

fw1# pfctl -s rules  | head -3
block drop in quick on em2 from <black_hole> to any

fw1# pfctl -t black_hole -T show
. . .
   146.168.0.0/16
. . .

But responses are still going out from my ns:

 0800 532: x.y.z.71.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 
63, id 10399, len 518)
 0800 72: 146.168.163.94.443 > x.y.z.21.53: [no udp cksum] 1+ RRSIG? 
pizzaseo.com.(30) (ttl 249, id 3922, len 58)
 0800 532: x.y.z.21.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 
63, id 38336, len 518)
 0800 72: 146.168.163.94.443 > x.y.z.171.53: [no udp cksum] 1+ RRSIG? 
pizzaseo.com.(30) (ttl 249, id 55913, len 58)
 0800 532: x.y.z.171.53 > 146.168.163.94.443: [udp sum ok] 1- 0/13/14(490) (ttl 
62, id 53578, len 518)


What is wrong in my setup?

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





[RESOLVED] Re: Neighbor Solicitation packets try to go out on enc0

2020-12-24 Thread Axel Rau

>   inet6 ??:??:??:34::a prefixlen 64


I forgot the reflexive bypass rule:
flow esp out from ??:??:??:30::/60 to ??:??:??:30::/60 type bypass

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: Neighbor Solicitation packets try to go out on enc0

2020-12-16 Thread Axel Rau
Routers don't forward neighbour solicitation messages.
So this is a bug?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Neighbor Solicitation packets try to go out on enc0

2020-12-12 Thread Axel Rau
Hello

I have a router, running rad(8).
SLAAC works as expected, but I see:
- - -
11:40:58.374264 rule 16/(match) [uid 0, pid 97445] block out on enc0: \
??:??:??:34::a > ??:??:??:34:3551:6e57:d90b:5a77: \
icmp6: neighbor sol: who has ??:??:??:34:3551:6e57:d90b:5a77\
(src lladdr: 00:60:e0:5a:75:43) [bad icmp6 cksum 0! -> b7e4] (len 32, hlim 255)
- - -
related if:
- - -
vlan14: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 16 priority 0 llprio 3
encap: vnetid 14 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.14.1 netmask 0xff00 broadcast 172.16.14.255
inet6 fe80::260:e0ff:fe5a:7543%vlan14 prefixlen 64 scopeid 0x10
inet6 ??:??:??:34::a prefixlen 64

What is going wrong here?
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





[RESOLVED] Re: Wrong net in vlan

2020-11-18 Thread Axel Rau
Hi Stuart,

> On 18.11.2020 at 13:20, Stuart Henderson wrote:
> 
> On 2020/11/18 12:48, Axel Rau wrote:
>> From /etc/dhcpd.conf:
>> - - -
>> shared-network WLAN-NET {
> 
> This is your problem.

Oh yes. The art of carefully reading . . .

Thanks a lot,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: Wrong net in vlan

2020-11-18 Thread Axel Rau


> On 18.11.2020 at 11:00, Stuart Henderson wrote:
> 
> On 2020-11-18, Axel Rau wrote:
>> I think, the problem is that all vlans share the same lladr (see recent 
>> ifconfigs).
>> To allow dhcpd to distinguish the vlans, I have to set the mac addresses 
>> manually.
>> Will try this later.
> 
> No this is totally normal, there is no need to touch the MAC address.
> All you need to do is configure the parent interface "up", set the
> tag and parent interface, add the subnet to dhcpd.conf (and add the
> interface to dhcpd_flags if you don't let it pick them automatically).

AFAIK, that was exactly what I did:

dhcpd_flags="em0 em3 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16"

gw1# ifconfig vlan
vlan11: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 13 priority 0 llprio 3
encap: vnetid 11 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.11.1 netmask 0xff00 broadcast 172.16.11.255
inet6 fe80::260:e0ff:fe5a:7543%vlan11 prefixlen 64 scopeid 0xd
inet6 :::16:11::a prefixlen 80
vlan12: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 14 priority 0 llprio 3
encap: vnetid 12 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.12.1 netmask 0xff00 broadcast 172.16.12.255
inet6 fe80::260:e0ff:fe5a:7543%vlan12 prefixlen 64 scopeid 0xe
inet6 :::16:12::a prefixlen 80
vlan13: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 15 priority 0 llprio 3
encap: vnetid 13 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.13.1 netmask 0xff00 broadcast 172.16.13.255
inet6 fe80::260:e0ff:fe5a:7543%vlan13 prefixlen 64 scopeid 0xf
inet6 :::16:13::a prefixlen 80
vlan14: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 16 priority 0 llprio 3
encap: vnetid 14 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.14.1 netmask 0xff00 broadcast 172.16.14.255
inet6 fe80::260:e0ff:fe5a:7543%vlan14 prefixlen 64 scopeid 0x10
inet6 :::16:14::a prefixlen 80
vlan15: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 17 priority 0 llprio 3
encap: vnetid 15 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.15.1 netmask 0xff00 broadcast 172.16.15.255
inet6 fe80::260:e0ff:fe5a:7543%vlan15 prefixlen 64 scopeid 0x11
inet6 :::16:15::a prefixlen 80
vlan16: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 18 priority 0 llprio 3
encap: vnetid 16 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.16.1 netmask 0xff00 broadcast 172.16.16.255
inet6 fe80::260:e0ff:fe5a:7543%vlan16 prefixlen 64 scopeid 0x12
inet6 :::16:16::a prefixlen 80
gw1# ifconfig em3
em3: flags=8b43 mtu 
1500
lladdr 00:60:e0:5a:75:43
index 4 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.63.1 netmask 0xff00 broadcast 172.16.63.255
inet6 fe80::260:e0ff:fe5a:7543%em3 prefixlen 64 scopeid 0x4
inet6 :::16::a prefixlen 80
gw1# ifconfig carp3
carp3: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:04
index 12 priority 15 llprio 3
carp: MASTER carpdev em3 vhid 4 advbase 1 advskew 0
groups: carp
status: master
inet 172.16.63.9 netmask 0xff00 broadcast 172.16.63.255
inet6 fe80::200:5eff:fe00:104%carp3 prefixlen 64 scopeid 0xc
inet6 :::16::c prefixlen 80

From /etc/dhcpd.conf:
- - -
shared-network WLAN-NET {
option  domain-name "wlan.chaos1.de";
option  domain-name-servers 192.1.2.3, 80.12.4.171;
option  ntp-servers 192.1.2.4, 80.12.4.170;

subnet  172.16.63.0 netmask 255.255.255.0 {
option routers 172.16.63.1;
option  ntp-servers 192.1.2.4, 80.12.4.170;

range 172.16.63.200 172.16.63.230;

#   cap01 MikroTik WLAN Access Point
host static-client {
hardware ethernet 4a:0b:bc:54:0c:fa;
fixed-address 172.16.63.11;
}
#   cap02 MikroTik WLAN Access Point
  

Re: Wrong net in vlan

2020-11-18 Thread Axel Rau
I think the problem is that all vlans share the same lladdr (see recent 
ifconfigs).
To allow dhcpd to distinguish the vlans, I have to set the mac addresses 
manually.
Will try this later.

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6   computing @ chaos claudius


> On 18.11.2020 at 00:09, Stuart Henderson wrote:
> 
> On 2020-11-17, Axel Rau wrote:
>> 
>> Hi all.
>> 
>>>> On 16.11.2020 at 11:09, Axel Rau wrote:
>>> 
>>> - - -
>>> From /etc/rc.conf.local:
>>> - - -
>>> dhcpd_flags="em0 em3 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16"
>>> - - -
>> 
>> I still have no resolution. dhcpd always provides an address from the 
>> subnet 172.16.11/24 regardless of which vlan the request comes from.
>> 172.16.11/24 is the subnet associated with the 1st vlan on em3 (vlan11)
> 
> Your emails are a bit confusing. You have sent one email showing
> current config from ifconfig for vlan11 and vlan13, another email
> showing hostname.if files for vlan11 and vlan12, an excerpt from
> your dhcpd.conf file showing configs for the subnets you showed
> on vlan11 and vlan12, and log from an example request on vlan13.
> 
> Check your configuration methodically, make sure you have sections
> in dhcpd.conf for all the networks you have told it to listen to
> that match the networks configured in hostname.if files.
> 
> Is dhcpd.conf just missing a subnet section for 172.16.13.0?
> 
> If things may have got confused during testing, restart the system to
> make sure the interfaces are configured as set in the files.
> 
>> - - -
>> hardware-type must be the name of a hardware interface type. Currently, the 
>> ethernet, token-ring and fddi physical interface types are recognized, 
>> although support for DHCP-over-IPsec virtual interface type ipsec-tunnel is 
>> provided. The hardware-address should be a set of colon-separated 
>> hexadecimal octets (0-ff) or a hostname that can be looked up in ethers(5) 
>> <https://man.openbsd.org/ethers.5> when the configuration is read.
>> - - -
> 
> You are unlikely to need to set this. In any event a vlan is an
> ethernet interface type.
> 
>> Are vlans supported by dhcpd at all?
> 
> It doesn't need any special support, they just appear as a normal
> ethernet-like interface.
> 
>> 
>> Axel
>> ---
>> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>> 
> 



Re: Wrong net in vlan

2020-11-17 Thread Axel Rau
Hi all.

> On 16.11.2020 at 11:09, Axel Rau wrote:
> 
> - - -
> From /etc/rc.conf.local:
> - - -
> dhcpd_flags="em0 em3 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16"
> - - -

I still have no resolution. dhcpd always provides an address from the subnet 
172.16.11/24 regardless of which vlan the request comes from.
172.16.11/24 is the subnet associated with the 1st vlan on em3 (vlan11)
- - -
gw1# ifconfig vlan11
vlan11: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 13 priority 0 llprio 3
encap: vnetid 11 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.11.1 netmask 0xff00 broadcast 172.16.11.255
inet6 fe80::260:e0ff:fe5a:7543%vlan11 prefixlen 64 scopeid 0xd
inet6 2a05:bec0:26:16:11::a prefixlen 80
gw1# ifconfig vlan13
vlan13: flags=8843 mtu 1500
lladdr 00:60:e0:5a:75:43
index 15 priority 0 llprio 3
encap: vnetid 13 parent em3 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.13.1 netmask 0xff00 broadcast 172.16.13.255
inet6 fe80::260:e0ff:fe5a:7543%vlan13 prefixlen 64 scopeid 0xf
inet6 2a05:bec0:26:16:13::a prefixlen 80
- - -
- - -
DHCPREQUEST for 172.16.11.106 from d6:b5:e4:2a:3a:1c via vlan13
Nov 17 19:00:47 gw1 dhcpd[12274]: DHCPACK on 172.16.11.106 to d6:b5:e4:2a:3a:1c 
via vlan13
- - -
The client receives an IPv6 address from the correct subnet via rad.

In DHCPD.CONF(5), I read:
- - -
hardware-type must be the name of a hardware interface type. Currently, the 
ethernet, token-ring and fddi physical interface types are recognized, although 
support for DHCP-over-IPsec virtual interface type ipsec-tunnel is provided. 
The hardware-address should be a set of colon-separated hexadecimal octets 
(0-ff) or a hostname that can be looked up in ethers(5) 
<https://man.openbsd.org/ethers.5> when the configuration is read.
- - -

Are vlans supported by dhcpd at all?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: Wrong net in vlan

2020-11-16 Thread Axel Rau


> On 15.11.2020 at 22:33, Mihai Popescu wrote:
> 
> Hint: show some dhcpd configs.
From /etc/dhcpd.conf:
- - -
subnet  172.16.11.0 netmask 255.255.255.0 {
option routers 172.16.11.1;
range 172.16.11.100 172.16.11.200;
}
subnet  172.16.12.0 netmask 255.255.255.0 {
option routers 172.16.12.1;
range 172.16.12.100 172.16.12.200;
}
- - -
From /etc/rc.conf.local:
- - -
dhcpd_flags="em0 em3 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16"
- - -

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Wrong net in vlan

2020-11-15 Thread Axel Rau
Hi all,

in hostname.vlan11, I have:
- - -
vnetid 11 parent em3
inet 172.16.11.1 255.255.255.0 NONE
- - -
in hostname.vlan12, I have:
- - -
vnetid 12 parent em3
inet 172.16.12.1 255.255.255.0 NONE
- - -

but dhcpd logs:
- - -
DHCPOFFER on 172.16.11.106 to d6:b5:e4:2a:3a:1c via vlan12
- - -

What is wrong here?

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: Routing between VPNs broken

2020-11-01 Thread Axel Rau
Hi Rudy,

thanks for answering.
I have a default route and I had success while using localhost as gateway in 
the past.
But static routes no longer help. I tried your proposal with a fictitious 
gateway. No chance.
gateway. No chance.

Would be interesting, if the same bug happens with wireguard.

> On 01.11.2020 at 02:10, Rudy Baker wrote:
> 
> I might be off, maybe the problem was fixed in later releases but on OpenBSD 
> 5 if I had an IPsec tunnel to a network with no actual route in the routing 
> table for that network (and no default gateway), things wouldn't be routed 
> through the tunnel.
I’m not aware of any fix or official statement since 4.x
Time to move away from OpenBSD. )-:
> 
> I could even set up a route that led to a bogus gateway just so that there 
> was a route to the network in the table and it would obey the tunnel. A 
> default gateway would fix the issue too since that traffic would match that.
> 
> So I would say make sure you have a route to the network across the tunnel or 
> even a default gateway set. It sounds dumb since on every other os on the 
> planet IPsec creates routes but seems on BSD, you need to have a real route 
> defined before it falls through to the IPsec routes and sends the traffic 
> through that.
> 
> It's a long shot but hope it helps

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: Routing between VPNs broken

2020-10-30 Thread Axel Rau
After rebooting the client, everything works as expected.
Until the next re-keying, when it stops working.

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Routing between VPNs broken

2020-10-30 Thread Axel Rau
Hi all,

I have 3 firewalls, all running OpenBSD 6.7, 2 are IPsec-clients one is the 
server.
After installing (unrelated?) syspatches (67-19, 67-20, 67-23 and 67-24) on the 
server and rebooting it after 2 months of uptime, I noticed that routing 
between VPNs has been broken:

fw1# ipsecctl -s all
FLOWS:
flow esp in from 91.?.?.128/25 to 0.0.0.0/0 peer 80.?.?.? srcid 
fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.220.0/22 to 91.?.?.0/25 peer 80.?.?.? srcid 
fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.220.0/22 to 192.168.230.0/23 peer 80.?.?.? srcid 
fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 192.168.230.0/23 to 192.168.220.0/22 peer 217.?.?.? srcid 
fw.bu.some.domain dstid router.nussberg.de type require
flow esp out from 0.0.0.0/0 to 91.?.?.128/25 peer 80.?.?.? srcid 
fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 91.?.?.0/25 to 192.168.220.0/22 peer 80.?.?.? srcid 
fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp out from 192.168.220.0/22 to 192.168.230.0/23 peer 217.?.?.? srcid 
fw.bu.some.domain dstid router.nussberg.de type require
flow esp out from 192.168.230.0/23 to 192.168.220.0/22 peer 80.?.?.? srcid 
fw.bu.some.domain dstid gw.mu.some.domain type require
flow esp in from 2a05:?:?:10::/60 to 2000::/3 peer 80.?.?.? srcid 
fw.bu.some.domain dstid gw.mu.some.domain type require

On the server, when I ping one client, it tries to bypass the IPsec flow and 
goes out upstream, which is blocked by pf.
It seems routing continues to work between one client side and the net on the 
server after re-keying if there exist tcp connections between the nets.
On the other client side, the VPN is often idle and routing gets lost, even 
when I try to work around it with a host route.

I refused to use routing protocols in the past, because I don't like them on 
the firewall.

What is the recommended reliable solution for this scenario? ospf?

Any help very appreciated,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





CARP with /30 ?

2019-10-24 Thread Axel Rau
Hi all,

is a CARP setup with 2 firewall boxes and an upstream /30 transfer net 
feasible?
E.g.

5.6.7.232/30

5.6.7.232 if box1
5.6.7.233 upstream router
5.6.7.234 if box2
5.6.7.235 if CARP

A quick answer would be very helpful.

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: ping blocked for 12 minutes

2018-05-20 Thread Axel Rau

> On 17.05.2018 at 11:47, Axel Rau <axel@chaos1.de> wrote:
> 
> Hi,
> 
> a firewall box blocks ICMP packets (from icinga2 hostalive4 check_command) 
> for 12 minutes.
> This happens nearly every night. mtr shows 100% loss on the last hop.


Forwarded traffic is not affected, but all traffic to the box itself is blocked 
during these periods.
A reboot after 63 days of uptime seems to have cleared the effect.

Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



ping blocked for 12 minutes

2018-05-17 Thread Axel Rau
Hi,

a firewall box blocks ICMP packets (from icinga2 hostalive4 check_command) for 
12 minutes.
This happens nearly every night. mtr shows 100% loss on the last hop.

The ICMP echo requests (10/minute) are directed to the firewall box itself.
If this is from a rate-limiting feature, how can I adjust it?
My related sysctls are:

net.inet.icmp.maskrepl=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.errppslimit=1000
net.inet.icmp.rediraccept=0
net.inet.icmp.redirtimeout=600
net.inet.icmp.tstamprepl=1

Also I see ierrs on external and internal interface:

Name  Mtu   Network      Address              Ipkts Ierrs     Opkts Oerrs Colls
em0   1500  <Link>       00:60:e0:5a:75:34 377973673  4274 322178969     0     0
em0   1500  91.216.35.1  91.216.35.124     377973673  4274 322178969     0     0
em0   1500  fe80::%em0/  fe80::260:e0ff:fe 377973673  4274 322178969     0     0
em0   1500  2a05:bec0:2  2a05:bec0:26:2::a 377973673  4274 322178969     0     0
em1*  1500  <Link>       00:60:e0:5a:75:35         0     0         0     0     0
em2   1500  <Link>       00:60:e0:5a:75:36 587989351  4377 408807684     0     0
em2   1500  109.230.225  109.230.225.234   587989351  4377 408807684     0     0
em2   1500  fe80::%em2/  fe80::260:e0ff:fe 587989351  4377 408807684     0     0
em2   1500  2a05:bec0:f  2a05:bec0:ff::27  587989351  4377 408807684     0     0

Are they related?

If this is no rate-limiting feature, what else may be the reason?

Any help appreciated,
Axel

PS:
# dmesg
OpenBSD 6.2 (GENERIC.MP) #6: Wed Feb 28 21:13:02 CET 2018

r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4264062976 (4066MB)
avail mem = 4127748096 (3936MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f98a000 (53 entries)
bios0: vendor American Megatrends Inc. version "5.6.5" date 05/19/2014
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP FPDT MCFG WDAT UEFI APIC BDAT HPET SSDT HEST BERT ERST 
EINJ
acpi0: wakeup devices PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) EHC1(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz, 1750.32 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 1750319340 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz, 1750.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX1)
acpiprt2 at acpi0: bus 2 (PEX2)
acpiprt3 at acpi0: bus 3 (PEX3)
acpiprt4 at acpi0: bus 4 (PEX4)
acpicpu0 at acpi0: C2(350@41 mwait.3@0x51), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C2(350@41 mwait.3@0x51), C1(1000@1 mwait.1), PSS
"PNP0003" at acpi0 not configured
"PNP0C33" at acpi0 not configured
cpu0: Enhanced SpeedStep 1750 MHz: speeds: 1744, 1743, 1660, 1577, 1494, 1411, 
1328, 1245, 1162 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1f0e rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel I210" rev 0x03: msi, address 
00:60:e0:5a:75:34
ppb1 at pci0 dev 2 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel I210" rev 0x03: msi, address 
00:60:e0:5a:75:35
ppb2 at pci0 dev 3 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
ppb3 at pci0 dev 4 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci4 at ppb3 bus 4
vendor "Intel", unknown product 0x1f18 (class processor subclass Co-processor, 
rev 0x02) at pci0 dev 11 function 0 not configured
pchb1 at pci0 dev 14 function 0 "Intel Atom C2000 RAS" rev 0x02
"Intel Atom C2000 RCEC" rev 0x02 at pci0 dev 15 function 0 not configured
"Intel Atom C2000 SMBus" rev 0x02 at pci0 dev 19 function 0 not configured
em2 at pci0 dev 20 function 0 "Intel I354 SGMII" rev 0x03: msi, address 
00:60:e0:5a:75:36
em3 at pci0 dev 20 

Re: Message arrived but could not be stored

2018-04-19 Thread Axel Rau
Hi,

could you please fix your MUA?
The argument of the header "Content-Language" in your mails violates RFC 1766.
My IMAP server http://aox.org/  can’t store your mails.


> On 19.04.2018 at 12:37, Kapetanakis Giannis wrote:
> 
> The appended message was received, but could not be stored in the mail 
> database on imap.lrau.net.
> 
> The error detected was: Content-Language: Unparseable value: "English & Greek"
> 
> Here are a few header fields from the message (possibly corrupted due to 
> syntax errors):
> 
> From: Kapetanakis Giannis 
> Subject: upgrade 6.2 snapshots to 6.3 release
> To: "misc@openbsd.org" 
> 
> The complete message as received is appended.
> <1524134256-7446-4192_4_2526>



Thanks, Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



[RESOLVED] Re: 6.0 sppp does not answer PPPoE-Discovery code offer

2017-01-09 Thread Axel Rau
Updating the firmware of the Vigor130 box from 3.7.9_m7 to 3.7.9.4_m7
solved the problem.

> . . .


> It seems that sppp does not work with the vlan pseudo device.

Anybody fixing that?

Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



Re: 6.0 sppp does not answer PPPoE-Discovery code offer

2017-01-09 Thread Axel Rau
> On 07.01.2017 at 20:01, Axel Rau <axel@chaos1.de> wrote:
>
> Hi,
>
> while trying to switch my Vigor130 to pppoe pass through and let my
> OpenBSD firewall handle the pppoe stuff, I get:

Turning on debug shows:

Jan  8 17:48:05 gw1 /bsd: pppoe0 (8863) state=1, session=0x0 output ->
ff:ff:ff:ff:ff:ff, len=18
Jan  8 17:48:05 gw1 /bsd: pppoe0: wrong interface, not accepting host unique
Jan  8 17:48:05 gw1 /bsd: pppoe: received PADO but could not find request for
it
Jan  8 17:49:05 gw1 /bsd: pppoe0: timeout

Setting pppoedev to a physical device (em5) and letting the Vigor 130
do the vlan tagging advances the state to
code Request:

18:45:32.630667 00:60:e0:5a:75:45 ff:ff:ff:ff:ff:ff 8863 32: PPPoE-Discovery
code Initiation, version 1, type 1, id 0x, length 12
tag Service-Name, length 0
tag Host-Uniq, length 4 \203\017\224\371
18:45:33.674682 00:30:88:1f:18:9a 00:60:e0:5a:75:45 8863 83: PPPoE-Discovery
code Offer, version 1, type 1, id 0x, length 63
tag Host-Uniq, length 4 \203\017\224\371
tag AC-Name, length 27 FFMR71-se800-B2224180702381
tag AC-Cookie, length 16
\347\212\027\206\367\214\026\211i\277\311\267\010d!\026
tag Service-Name, length 0
18:45:33.749614 00:60:e0:5a:75:45 00:30:88:1f:18:9a 8863 52: PPPoE-Discovery
code Request, version 1, type 1, id 0x, length 32
tag Service-Name, length 0
tag AC-Cookie, length 16
\347\212\027\206\367\214\026\211i\277\311\267\010d!\026
tag Host-Uniq, length 4 \203\017\224\371
18:45:38.840790 00:60:e0:5a:75:45 00:30:88:1f:18:9a 8863 52: PPPoE-Discovery
code Request, version 1, type 1, id 0x, length 32
tag Service-Name, length 0
tag AC-Cookie, length 16
\347\212\027\206\367\214\026\211i\277\311\267\010d!\026
tag Host-Uniq, length 4 \203\017\224\371

It seems that sppp does not work with the vlan pseudo device.

I also tried this on a different hardware box with
em5 at pci0 dev 20 function 3 "Intel I354 SGMII" rev 0x03: \
msi, address 00:60:e0:5a:75:45
instead of
em5 at pci5 dev 11 function 0 "Intel 82541GI" rev 0x05: \
apic 2 int 18, address 00:0f:c9:04:db:87
which made no difference.

hostname.pppoe0 in use:

inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev em5 authproto pap \
    authname 'some_u...@t-online.de' authkey some_pw up
dest 0.0.0.1
debug

Anybody using pppoe with 6.0-STABLE?

Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



6.0 sppp does not answer PPPoE-Discovery code offer

2017-01-07 Thread Axel Rau
Hi,

while trying to switch my Vigor130 to pppoe pass through and let my
OpenBSD firewall handle the pppoe stuff, I get:

11:31:42.085747 00:0f:c9:04:db:87 ff:ff:ff:ff:ff:ff 8100 36: 802.1Q vid 7 pri 3 PPPoE-Discovery
    code Initiation, version 1, type 1, id 0x0000, length 12
    tag Service-Name, length 0
    tag Host-Uniq, length 4 \372\250u'
11:31:42.129253 00:30:88:1f:18:9a 00:0f:c9:04:db:87 8863 83: PPPoE-Discovery
    code Offer, version 1, type 1, id 0x0000, length 63
    tag Host-Uniq, length 4 \372\250u'
    tag AC-Name, length 27 FFMR71-se800-B2224180702381
    tag AC-Cookie, length 16 \200g\260jE\320\217\020\334w\265\223\372\020\000\331
    tag Service-Name, length 0
11:31:52.050263 00:1d:aa:8b:5f:ac ff:ff:ff:ff:ff:ff 0800 158: 0.0.0.0.4018 > 255.255.255.255.4944: [udp sum ok] udp 116 (ttl 254, id 7, len 144)
11:32:02.050725 00:1d:aa:8b:5f:ac ff:ff:ff:ff:ff:ff 0800 158: 0.0.0.0.4086 > 255.255.255.255.4944: [udp sum ok] udp 116 (ttl 254, id 8, len 144)
11:32:12.051056 00:1d:aa:8b:5f:ac ff:ff:ff:ff:ff:ff 0800 158: 0.0.0.0.4163 > 255.255.255.255.4944: [udp sum ok] udp 116 (ttl 254, id 9, len 144)
11:32:22.051519 00:1d:aa:8b:5f:ac ff:ff:ff:ff:ff:ff 0800 158: 0.0.0.0.4249 > 255.255.255.255.4944: [udp sum ok] udp 116 (ttl 254, id 10, len 144)
11:32:32.051848 00:1d:aa:8b:5f:ac ff:ff:ff:ff:ff:ff 0800 158: 0.0.0.0.4344 > 255.255.255.255.4944: [udp sum ok] udp 116 (ttl 254, id 11, len 144)
11:32:42.052309 00:1d:aa:8b:5f:ac ff:ff:ff:ff:ff:ff 0800 158: 0.0.0.0.4448 > 255.255.255.255.4944: [udp sum ok] udp 116 (ttl 254, id 12, len 144)
11:32:42.090628 00:0f:c9:04:db:87 ff:ff:ff:ff:ff:ff 8100 36: 802.1Q vid 7 pri 3 PPPoE-Discovery
    code Initiation, version 1, type 1, id 0x0000, length 12
    tag Service-Name, length 0
    tag Host-Uniq, length 4 \372\250u'
11:32:42.131758 00:30:88:1f:18:9a 00:0f:c9:04:db:87 8863 83: PPPoE-Discovery
    code Offer, version 1, type 1, id 0x0000, length 63
    tag Host-Uniq, length 4 \372\250u'
    tag AC-Name, length 27 FFMR71-se800-B2224180702381
    tag AC-Cookie, length 16 \200g\260jE\320\217\020\334w\265\223\372\020\000\331
    tag Service-Name, length 0
. . .

Any help appreciated.

Thanks, Axel


PS: Details:

root@gw2:/etc # cat hostname.em5
# em5
inet 192.168.178.3 255.255.255.0 NONE
up
description "port 2 - 2nd from right - uplink to Vigor130 + vlan7"
root@gw2:/etc # cat hostname.vlan7
vlan 7 vlandev em5
root@gw2:/etc # cat hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev vlan7 \
    authproto pap \
    authname 'some_user' authkey some_pw up
dest 0.0.0.1
!route add -inet -label default -ifp ${if} default 0.0.0.1
root@gw2:/etc #


root@gw2:~ # ifconfig pppoe0
pppoe0: flags=8851 mtu 1492
    index 14 priority 0 llprio 3
    dev: vlan7 state: PADI sent
    sid: 0x0 PADI retries: 7 PADR retries: 0
    sppp: phase establish authproto pap authname "some_user"
    groups: pppoe egress
    status: no carrier
    inet 0.0.0.0 --> 0.0.0.1 netmask 0xffffffff
root@gw2:~ # ifconfig vlan7
vlan7: flags=8843 mtu 1500
    lladdr 00:0f:c9:04:db:87
    index 9 priority 0 llprio 3
    vlan: 7 parent interface: em5
    vnetid: 7
    parent: em5
    groups: vlan
    status: active
root@gw2:~ # ifconfig em5
em5: flags=8b43 mtu 1500
    lladdr 00:0f:c9:04:db:87
    index 6 priority 0 llprio 3
    media: Ethernet autoselect (100baseTX half-duplex)
    status: active
    inet 192.168.178.3 netmask 0xffffff00 broadcast 192.168.178.255


OpenBSD 6.0 (GENERIC.MP) #1: Wed Jan  4 21:44:59 CET 2017
    r...@vm-obsd-32-build.in.chaos1.de:/usr/src/sys/arch/i386/compile/GENERIC.MP

Re: kernel logs "v_type 1" and "f_type 1"

2016-05-09 Thread Axel Rau
Hi Ville,

> On 09.05.2016 at 18:04, Ville Valkonen <weezeld...@gmail.com> wrote:
> 
> On 9 May 2016 at 16:03, Axel Rau <axel@chaos1.de> wrote:
>> A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP)
>> #1219)
>> suddenly started logging
>>     v_type 1
>>     f_type 1
>> (up to 40 times/sec) and stopped routing.
>> 
>> The effect went away after disconnecting all but one nic.
>> 
>> Any help appreciated,
> 
> Hi,
> 
> you forgot to attach:
> - dmesg
> - routes
> - netstat
> 
> and probably something else.

Thanks for answering.

I attach:
dmesg with above error logs (startup protocol did not fit) . . .
    f_type 1
    v_type 1
    f_type 1
    v_type 1
    f_type 1
    v_type 1
    f_type 1
    v_type 1
    f_type 1
    v_type 4
    bad fd type
    syslogd(6521): syscall 27
.
Historical dmesg, showing hardware:
[fw2:/etc] root# dmesg
OpenBSD 4.7 (GENERIC.MP) #1: Sat May 29 21:00:26 CEST 2010
    r...@openbsd.in.chaos1.de:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz

kernel logs "v_type 1" and "f_type 1"

2016-05-09 Thread Axel Rau
A firewall box (dual Atom N270, 2GB, 5 nics, running 5.8-current (GENERIC.MP) #1219)
suddenly started logging
    v_type 1
    f_type 1
(up to 40 times/sec) and stopped routing.

The effect went away after disconnecting all but one nic.

Any help appreciated,
Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



Re: pppoe broken on either 5.7 or on if Intel 82541GI ?

2015-06-13 Thread Axel Rau
On 05.06.2015 at 12:40, Axel Rau axel@chaos1.de wrote:

> A similar box with identical configuration running 5.7-RELEASE on
> "Intel 82541GI" rev 0x05:
> hardware fails so:
Anybody running 5.7 successfully on an Intel 82541GI interface?

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



pppoe broken on either 5.7 or on if Intel 82541GI ?

2015-06-05 Thread Axel Rau
Hi,

I have a box running with 5.6 and a pppoe device on vlan on em with
"Intel I354 SGMII" rev 0x03: msi
hardware:
- - -
20:21:26.689948 00:60:e0:5a:75:45 ff:ff:ff:ff:ff:ff 8100 36: 802.1Q vid 7 pri 3 PPPoE-Discovery
    code Initiation, version 1, type 1, id 0x0000, length 12
    tag Service-Name, length 0
    tag Host-Uniq, length 4 \376\012?\264
20:21:26.718782 00:30:88:1f:18:9a 00:60:e0:5a:75:45 8100 87: 802.1Q vid 7 pri 6 PPPoE-Discovery
    code Offer, version 1, type 1, id 0x0000, length 63
    tag Host-Uniq, length 4 \376\012?\264
    tag AC-Name, length 27 FFMR71-se800-B2224180702381
    tag AC-Cookie, length 16 \206\221lvg}\351\201Bv\243\211;8\037
    tag Service-Name, length 0
20:21:26.718803 00:60:e0:5a:75:45 00:30:88:1f:18:9a 8100 56: 802.1Q vid 7 pri 3 PPPoE-Discovery
    code Request, version 1, type 1, id 0x0000, length 32
    tag Service-Name, length 0
    tag AC-Cookie, length 16 \206\221lvg}\351\201Bv\243\211;8\037
    tag Host-Uniq, length 4 \376\012?\264
20:21:26.853607 00:30:88:1f:18:9a 00:60:e0:5a:75:45 8100 67: 802.1Q vid 7 pri 6 PPPoE-Discovery
    code Confirm, version 1, type 1, id 0x29fc, length 43
    tag Service-Name, length 0
    tag Host-Uniq, length 4 \376\012?\264
    tag AC-Name, length 27 FFMR71-se800-B2224180702381
20:21:26.853628 00:60:e0:5a:75:45 00:30:88:1f:18:9a 8100 40: 802.1Q vid 7 pri 3 PPPoE-Session
    code Session, version 1, type 1, id 0x29fc, length 16
    LCP: Configure-Request, Magic-Number=1773963538, Max-Rx-Unit=1492[|lcp]
20:21:26.872368 00:30:88:1f:18:9a 00:60:e0:5a:75:45 8100 60: 802.1Q vid 7 pri 6 PPPoE-Session
    code Session, version 1, type 1, id 0x29fc, length 20
    LCP: Configure-Request, Max-Rx-Unit=1492, Auth-Prot PAP, Magic-Number=1567081095, Vendor-Ext
20:21:26.872386 00:60:e0:5a:75:45 00:30:88:1f:18:9a 8100 44: 802.1Q vid 7 pri 3 PPPoE-Session
    code Session, version 1, type 1, id 0x29fc, length 20
    LCP: Configure-Ack, Max-Rx-Unit=1492, Auth-Prot PAP, Magic-Number=1567081095[|lcp]
20:21:26.872611 00:30:88:1f:18:9a 00:60:e0:5a:75:45 8100 60: 802.1Q vid 7 pri 6 PPPoE-Session
    code Session, version 1, type 1, id 0x29fc, length 16
    LCP: Configure-Ack, Magic-Number=1773963538, Max-Rx-Unit=1492, Vendor-Ext

- - -
A similar box with identical configuration running 5.7-RELEASE on
"Intel 82541GI" rev 0x05:
hardware fails so:
- - -
17:56:41.323171 00:0f:c9:04:db:87 ff:ff:ff:ff:ff:ff 8100 36: 802.1Q vid 7 pri 3 PPPoE-Discovery
    code Initiation, version 1, type 1, id 0x0000, length 12
    tag Service-Name, length 0
    tag Host-Uniq, length 4 \260\272\327\214
17:56:41.354542 00:30:88:1f:18:9a 00:0f:c9:04:db:87 8100 87: 802.1Q vid 7 pri 6 PPPoE-Discovery
    code Offer, version 1, type 1, id 0x0000, length 63
    tag Host-Uniq, length 4 \260\272\327\214
    tag AC-Name, length 27 FFMR71-se800-B2224180702381
    tag AC-Cookie, length 16 \347\030G\245\270#z Cd0=\2339{\225
    tag Service-Name, length 0
17:56:41.354589 00:0f:c9:04:db:87 00:30:88:1f:18:9a 8100 56: 802.1Q vid 7 pri 3 PPPoE-Discovery
    code Request, version 1, type 1, id 0x0000, length 32
    tag Service-Name, length 0
    tag AC-Cookie, length 16 \347\030G\245\270#z Cd0=\2339{\225
    tag Host-Uniq, length 4 \260\272\327\214
17:56:41.491217 00:30:88:1f:18:9a 00:0f:c9:04:db:87 8100 67: 802.1Q vid 7 pri 6 PPPoE-Discovery
    code Confirm, version 1, type 1, id 0x49b6, length 43
    tag Service-Name, length 0
    tag Host-Uniq, length 4 \260\272\327\214
    tag AC-Name, length 27 FFMR71-se800-B2224180702381
17:56:41.491275 00:0f:c9:04:db:87 00:30:88:1f:18:9a 8100 40: 802.1Q vid 7 pri 3 PPPoE-Session
    code Session, version 1, type 1, id 0x49b6, length 16
    LCP: Configure-Request, Magic-Number=864862261, Max-Rx-Unit=1492[|lcp]
17:56:41.509576 00:30:88:1f:18:9a 00:0f:c9:04:db:87 8100 60: 802.1Q vid 7 pri 6 PPPoE-Session
    code Session, version 1, type 1, id 0x49b6, length 20
    LCP: Configure-Request, Max-Rx-Unit=1492, Auth-Prot PAP, Magic-Number=1077747764, Vendor-Ext
17:56:41.509623 00:0f:c9:04:db:87 00:30:88:1f:18:9a 8100 34: 802.1Q vid 7 pri 3 PPPoE-Session
    code Session, version 1, type 1, id 0x49b6, length 10
    LCP: Configure-Reject, Auth-Prot PAP[|lcp]
17:56:41.509701 00:30:88:1f:18:9a 00:0f:c9:04:db:87 8100 60: 802.1Q vid 7 pri 6 PPPoE-Session
    code Session, version 1, type 1, id 0x49b6, length 16
    LCP: Configure-Ack, Magic-Number=864862261, Max-Rx-Unit=1492, Vendor-Ext
17:56:41.528690 00:30:88:1f:18:9a 00:0f:c9:04:db:87 8100 60: 802.1Q vid 7 pri 6 PPPoE-Session
    code Session, version 1, type 1, id 0x49b6, length 21
    LCP: Configure-Request, Max-Rx-Unit=1492, Auth-Prot CHAP/MD5, Magic-Number=1077747764, Vendor-Ext
17:56:41.528729 00:0f:c9:04:db:87 00:30:88:1f:18:9a 8100 35: 802.1Q vid 7 pri 3 PPPoE-Session
    code Session, version 

pf on 5.6: rule counter with proto esp not working

2015-02-16 Thread Axel Rau
Hi,

I failed to set up a queue on outgoing esp traffic and noticed that the rule
counters are all 0 and do not advance:

@155 pass out quick on vlan2 inet proto esp from any to <road_worrier_nets:8> set ( queue vpn ) keep state (if-bound)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 28769 State Creations: 0     ]

This is the IPSEC gateway. On the IPSEC client, it works:

@284 pass in quick on pppoe0 inet proto esp from some.gateway to (pppoe0:1) keep state (if-bound)
  [ Evaluations: 434       Packets: 11134879  Bytes: 8621504380  States: 1     ]
  [ Inserted: uid 0 pid 2528 State Creations: 1     ]

I could not find any preceding rule with proto esp (or empty proto).

What am I doing wrong?

Axel
PS: Cross posted from p...@benzedrine.cx, where mail did not show up
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-11-18 Thread Axel Rau
I tested this on other hardware: It has nothing to do with i354.
It’s a bug in the vlan driver which has already been reported here:
http://marc.info/?l=openbsd-misc&m=139903544321689&w=2

Axel

On 02.09.2014 at 15:45, Axel Rau axel@chaos1.de wrote:

> On 30.08.2014 at 13:46, Axel Rau axel@chaos1.de wrote:
> 
>> On 29.08.2014 at 08:11, Jonathan Gray j...@jsg.id.au wrote:
>> 
>>> Initial support for the i347 phy was added back in March but that wasn't
>>> part of 5.5.  I suspect you want something along the lines of the
>>> following patch:
>> Yes, this patch worked (does at least initialization of em2-em5,
>> more testing to follow).
> Next problem shows up with sppp over vlan from MAC 00:60:e0:5a:75:45:
> - - - -
> 13:49:38.170666 00:60:e0:5a:75:39 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADI
>     [Service-Name] [Host-Uniq 0x95F818D3]
> 13:49:38.313082 00:30:88:1f:18:9a > 00:60:e0:5a:75:39, ethertype 802.1Q (0x8100), length 87: vlan 7, p 6, ethertype PPPoE D, PPPoE PADO
>     [Host-Uniq 0x95F818D3] [AC-Name FFMR71-se800-B2224180702381] [AC-Cookie ..lvg}..Bv..;8.] [Service-Name]
> 13:49:38.313093 00:60:e0:5a:75:39 > 00:30:75:39:00:30, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADR
>     [Service-Name] [AC-Cookie ..lvg}..Bv..;8.] [Host-Uniq 0x95F818D3]
> 13:49:43.310779 00:60:e0:5a:75:39 > 00:30:75:39:00:30, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADR
>     [Service-Name] [AC-Cookie ..lvg}..Bv..;8.] [Host-Uniq 0x95F818D3]
> 13:49:53.311256 00:60:e0:5a:75:39 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADI
>     [Service-Name] [Host-Uniq 0x95F818D3]
> 13:49:53.339482 00:30:88:1f:18:9a > 00:60:e0:5a:75:39, ethertype 802.1Q (0x8100), length 87: vlan 7, p 6, ethertype PPPoE D, PPPoE PADO
>     [Host-Uniq 0x95F818D3] [AC-Name FFMR71-se800-B2224180702381] [AC-Cookie ..lvg}..Bv..;8.] [Service-Name]
> 13:49:53.339492 00:60:e0:5a:75:39 > 00:30:75:39:00:30, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADR
>     [Service-Name] [AC-Cookie ..lvg}..Bv..;8.] [Host-Uniq 0x95F818D3]
> 13:50:01.214264 00:60:e0:5a:75:39 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADI
>     [Service-Name] [Host-Uniq 0x95F818D3]
> - - -
> The i347 device (em5) has a hardware-MAC of 00:60:e0:5a:75:45, but shows up
> above as 00:60:e0:5a:75:39.
> The answer to the pppoe server with MAC address 00:30:88:1f:18:9a is being
> sent to MAC 00:30:75:39:00:30 instead.
> 
> Do I need more patches (perhaps VLAN related) for the i347 ?
> 
> Any help welcome,
> Axel
> ---
> PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
> 

---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-09-03 Thread Axel Rau
On 02.09.2014 at 15:45, Axel Rau axel@chaos1.de wrote:

> The i347 device (em5) has a hardware-MAC of 00:60:e0:5a:75:45, but shows up
> above as 00:60:e0:5a:75:39.
> The answer to the pppoe server with MAC address 00:30:88:1f:18:9a is being
> sent to MAC 00:30:75:39:00:30 instead.
Nobody any idea?

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-09-02 Thread Axel Rau
On 30.08.2014 at 13:46, Axel Rau axel@chaos1.de wrote:

> On 29.08.2014 at 08:11, Jonathan Gray j...@jsg.id.au wrote:
> 
>> Initial support for the i347 phy was added back in March but that wasn't
>> part of 5.5.  I suspect you want something along the lines of the
>> following patch:
> Yes, this patch worked (does at least initialization of em2-em5,
> more testing to follow).
Next problem shows up with sppp over vlan from MAC 00:60:e0:5a:75:45:
- - - -
13:49:38.170666 00:60:e0:5a:75:39 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADI
    [Service-Name] [Host-Uniq 0x95F818D3]
13:49:38.313082 00:30:88:1f:18:9a > 00:60:e0:5a:75:39, ethertype 802.1Q (0x8100), length 87: vlan 7, p 6, ethertype PPPoE D, PPPoE PADO
    [Host-Uniq 0x95F818D3] [AC-Name FFMR71-se800-B2224180702381] [AC-Cookie ..lvg}..Bv..;8.] [Service-Name]
13:49:38.313093 00:60:e0:5a:75:39 > 00:30:75:39:00:30, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADR
    [Service-Name] [AC-Cookie ..lvg}..Bv..;8.] [Host-Uniq 0x95F818D3]
13:49:43.310779 00:60:e0:5a:75:39 > 00:30:75:39:00:30, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADR
    [Service-Name] [AC-Cookie ..lvg}..Bv..;8.] [Host-Uniq 0x95F818D3]
13:49:53.311256 00:60:e0:5a:75:39 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADI
    [Service-Name] [Host-Uniq 0x95F818D3]
13:49:53.339482 00:30:88:1f:18:9a > 00:60:e0:5a:75:39, ethertype 802.1Q (0x8100), length 87: vlan 7, p 6, ethertype PPPoE D, PPPoE PADO
    [Host-Uniq 0x95F818D3] [AC-Name FFMR71-se800-B2224180702381] [AC-Cookie ..lvg}..Bv..;8.] [Service-Name]
13:49:53.339492 00:60:e0:5a:75:39 > 00:30:75:39:00:30, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADR
    [Service-Name] [AC-Cookie ..lvg}..Bv..;8.] [Host-Uniq 0x95F818D3]
13:50:01.214264 00:60:e0:5a:75:39 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 7, p 3, ethertype PPPoE D, PPPoE PADI
    [Service-Name] [Host-Uniq 0x95F818D3]
- - -
The i347 device (em5) has a hardware-MAC of 00:60:e0:5a:75:45, but shows up
above as 00:60:e0:5a:75:39.
The answer to the pppoe server with MAC address 00:30:88:1f:18:9a is being
sent to MAC 00:30:75:39:00:30 instead.

Do I need more patches (perhaps VLAN related) for the i347 ?

Any help welcome,
Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



[RESOLVED] Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-08-30 Thread Axel Rau
On 29.08.2014 at 08:11, Jonathan Gray j...@jsg.id.au wrote:

> Initial support for the i347 phy was added back in March but that wasn't
> part of 5.5.  I suspect you want something along the lines of the
> following patch:
Yes, this patch worked (does at least initialization of em2-em5,
more testing to follow).

Thanks, Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-08-28 Thread Axel Rau
Hi All,

while installing 5.5-RELEASE on an ATOM C2000 based Axiomtek NA361,
I get
em2 at pci0 dev 20 function 0 "Intel I354 SGMII" rev 0x03: msi
em2: Hardware Initialization Failed
em2: Unable to initialize the hardware
on all 4 nics.

Installing a recent snapshot from 5.5-CURRENT does not show this problem.

Looking at HEAD
--- src/sys/dev/pci/if_em.c 2014/02/22 04:41:31 1.277
+++ src/sys/dev/pci/if_em.c 2014/08/26 11:01:21 1.288
shows a lot of activity.

Any patch for 5.5 welcome.

Thanks, Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-08-28 Thread Axel Rau
On 28.08.2014 at 12:36, Gregor Best g...@ring0.de wrote:

> since you seem to be deploying a new setup, I'd simply install a
> snapshot. The release of 5.6 is soon(-ish), so I doubt there will
> be lots of functional changes until then, and it'd be wise to upgrade
> anyway once 5.6 is out.
Ports/packages are not yet ready for 5.6 and I wanted to avoid the porting
effort, which was significant in the past.

I’m just trying a patch against CURRENT. . .

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Re: Intel i354 Quad GbE network adapter failed on 5.5-RELEASE

2014-08-28 Thread Axel Rau
On 28.08.2014 at 13:51, Jonathan Gray j...@jsg.id.au wrote:

> Start with the following patch, perhaps there needs to be
> some additional i347 specific handling.
I’m seeing now:
- - -
em_set_phy_type
Invalid PHY ID 0x1410DC0

Error, did not detect valid phy.

em2: Hardware Initialization Failed
em2: Unable to initialize the hardware
- - -
Complete debug output available on request.

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Re: routing problem with 2nd default route via ipsec

2011-07-31 Thread Axel Rau
On 28.07.2011 at 13:23, Axel Rau wrote:

> all CARP traffic from its carp2) go to enc0, like this:
What may cause IPv4 CARP traffic to not go out on its parent device but on
enc0 instead?
IPv6 CARP and other CARP devices behave as expected.

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



Re: IPsec 4.94.9 VPN

2011-07-28 Thread Axel Rau
On 22.07.2011 at 00:13, Mikeal Clark wrote:

> 163350.058716 Default ike_phase_1_recv_ID: received remote ID other than
> expected 1.2.3.4
I think you need
    srcid 1.2.3.4 dstid 5.6.7.8
on site A ike.

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



routing problem with 2nd default route via ipsec

2011-07-28 Thread Axel Rau
Hi all,

I have a routing firewall, which is also an ipsec client like this:

            ppp uplink (IPv4)
                   |
               dc3 | pppoe0
          +--------+--------+
          |                 | dc1
          |      enc0       +------- DMZ2
          |                 |
          |                 | dc0
          |                 +------- DMZ1
          |                 |
          +--------+--------+
                   | em0
                Intranet

DMZ2 has public address space (here named 11.222.33.128/25). Outgoing traffic
from this net should go through the ipsec tunnel.

IPv4 traffic from Intranet and DMZ1 to non-local and non-11.222.33/24 uses
default route via NAT and pppoe0 as expected.

What drives me nuts is: All traffic to 11.222.33/24 from em0 and dc1 (including
all CARP traffic from its carp2) goes to enc0, like this:

11:10:19.428653 rule 18/(match) [uid 0, pid 15367] block out on enc0: \
carp 11.222.33.132 > 224.0.0.18: CARPv2-advertise 36: vhid=3 advbase=1 \
advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 59211, len 56, bad cksum 0!)


What's going on here?

route-to in pf.conf seems to have no influence.


Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
11.222.33.64/26    0     172.16.9/24        0     0      111.222.111.222/esp/use/in
172.16.9/24        0     11.222.33.64/26    0     0      111.222.111.222/esp/require/out
11.222.33.16/28    0     192.168.110/24     0     0      111.222.111.222/esp/use/in
192.168.110/24     0     11.222.33.16/28    0     0      111.222.111.222/esp/require/out
default            0     2001:a12:d:10::/60 0     0      111.222.111.222/esp/use/in
2001:a12:d:10::/60 0     default            0     0      111.222.111.222/esp/require/out
default            0     11.222.33.128/25   0     0      111.222.111.222/esp/use/in
11.222.33.128/25   0     default            0     0      111.222.111.222/esp/require/out
11.222.33.64/26    0     192.168.110/24     0     0      111.222.111.222/esp/use/in
192.168.110/24     0     11.222.33.64/26    0     0      111.222.111.222/esp/require/out

root# ifconfig dc1
dc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:80:c8:b9:04:ce
    priority: 0
    media: Ethernet autoselect (100baseTX full-duplex)
    status: active
    inet 11.222.33.132 netmask 0xffffff80 broadcast 11.222.33.255
    inet6 fe80::280:c8ff:feb9:4ce%dc1 prefixlen 64 scopeid 0x3
    inet6 2001:a12:d:18::b prefixlen 64

carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:00:5e:00:01:03
    priority: 0
    carp: MASTER carpdev dc1 vhid 3 advbase 1 advskew 0
    groups: carp
    status: master
    inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xd
    inet 11.222.33.139 netmask 0xffffff80 broadcast 11.222.33.255
    inet6 2001:a12:d:18::c prefixlen 64

This is a GENERIC snapshot from about 2011-06-08.
I have net.inet.ip.multipath=1

What am I doing wrong?
Time to start using rdomains / multiple rtables?

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius

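How the Encap table in the message above captures the CARP advertisement, as an added example that is not code from the thread: a simplified model of the outbound flow (SPD) lookup over the quoted table, with the pf log's packet 11.222.33.132 -> 224.0.0.18 run through it. Assumptions, not verified against the kernel: only the require/out rows are consulted (the use/in rows are listed mirrored and left out), the longest matching source prefix wins with the destination prefix as tie-break, and the extra packets, the 198.51.100.7 destination and the `MCAST_BYPASS` entry are constructed to show precedence in the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The Encap table quoted above (netstat -rn -f encap), re-typed as data.
ENCAP_TABLE = """
11.222.33.64/26    0 172.16.9/24        0 0 111.222.111.222/esp/use/in
172.16.9/24        0 11.222.33.64/26    0 0 111.222.111.222/esp/require/out
11.222.33.16/28    0 192.168.110/24     0 0 111.222.111.222/esp/use/in
192.168.110/24     0 11.222.33.16/28    0 0 111.222.111.222/esp/require/out
default            0 2001:a12:d:10::/60 0 0 111.222.111.222/esp/use/in
2001:a12:d:10::/60 0 default            0 0 111.222.111.222/esp/require/out
default            0 11.222.33.128/25   0 0 111.222.111.222/esp/use/in
11.222.33.128/25   0 default            0 0 111.222.111.222/esp/require/out
11.222.33.64/26    0 192.168.110/24     0 0 111.222.111.222/esp/use/in
192.168.110/24     0 11.222.33.64/26    0 0 111.222.111.222/esp/require/out
"""

@dataclass(frozen=True)
class Flow:
    src: object        # ip_network
    dst: object        # ip_network
    proto: int         # 0 = any
    sa: str            # peer/protocol, e.g. 111.222.111.222/esp
    policy: str        # use, require, bypass, ...
    direction: str     # in / out

def expand_prefix(text, v6):
    """netstat abbreviates: '172.16.9/24' -> 172.16.9.0/24, 'default' -> 0/0."""
    if text == "default":
        return ip_network("::/0" if v6 else "0.0.0.0/0")
    if ":" in text:
        return ip_network(text, strict=False)
    addr, _, plen = text.partition("/")
    octets = (addr.split(".") + ["0", "0", "0"])[:4]
    return ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)

def parse_encap(table):
    """One Flow per table row; header and blank lines are skipped."""
    flows = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue
        src, _sport, dst, _dport, proto, sa = fields
        v6 = ":" in src or ":" in dst
        peer, sa_proto, policy, direction = sa.rsplit("/", 3)
        flows.append(Flow(expand_prefix(src, v6), expand_prefix(dst, v6),
                          int(proto), peer + "/" + sa_proto, policy, direction))
    return flows

def lookup_out(flows, src, dst):
    """Outbound policy for one packet.  Assumed rule (not verified against the
    kernel): longest source prefix wins, then longest destination prefix, i.e.
    a radix lookup keyed on source then destination."""
    src, dst = ip_address(src), ip_address(dst)
    hits = [f for f in flows
            if f.direction == "out" and f.src.version == src.version
            and src in f.src and dst in f.dst]
    if not hits:
        return None
    return max(hits, key=lambda f: (f.src.prefixlen, f.dst.prefixlen))

def explain(flows, src, dst):
    f = lookup_out(flows, src, dst)
    if f is None:
        return "%s -> %s: no flow, leaves by the routing table" % (src, dst)
    return "%s -> %s: %s %s via flow %s -> %s" % (src, dst, f.policy, f.sa,
                                                  f.src, f.dst)

FLOWS = parse_encap(ENCAP_TABLE)
CARP_ADVERT = ("11.222.33.132", "224.0.0.18")   # the blocked packet in the pf log
# Hypothetical, more specific entry for the multicast range: in this model a
# narrower src/dst pair outranks 11.222.33.128/25 -> default.
MCAST_BYPASS = Flow(ip_network("11.222.33.128/25"), ip_network("224.0.0.0/4"),
                    0, "none", "bypass", "out")

if __name__ == "__main__":
    for pkt in (CARP_ADVERT, ("11.222.33.140", "198.51.100.7"),
                ("172.16.9.5", "11.222.33.70"), ("172.16.9.5", "198.51.100.7")):
        print(explain(FLOWS, *pkt))
    print(explain(FLOWS + [MCAST_BYPASS], *CARP_ADVERT))
```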


Re: routing problem with 2nd default route via ipsec

2011-07-28 Thread Axel Rau
On 28.07.2011 at 16:06, Gregory Edigarov wrote:

> let me guess
> I think you just need to allow traffic on enc0
> 
> set skip on enc0
No, it's not that easy. (-;
I block carp multicast messages on enc0 and just showed that.
A tcpdump on enc0 would have shown the same.
The problem is that those multicasts should go out on dc1 not come in.

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius



instable vpn after upgrading to 4.8

2010-12-20 Thread Axel Rau

Hi all,

this ipsec tunnel configuration has 2 endpoints of CARPed pairs of
obsd 4.8 boxes each with pfsync and sasyncd.
After upgrading to 4.8 (stable) the vpn starts blocking in one
direction after 2 days of uptime of the gateway pair.
When this happens, netstat -rn shows flows as usual and ipsecctl -s sa
-v shows no difference of SA, but lifetimes and additional old SAs
during renegotiation.
Usually it helps to reboot CARP slave on the gateway side to fix it
for 1-2 days.
lifetimes are set to defaults in isakmpd.conf.
sasyncd.conf has nothing special:

listen on fxp1 inet port 500
interface carp0
flushmode startup
sharedkey 0xdeadbeefdeadbeefdeadbeefdeadbeef
peer   172.16.127.2
# PR6357: sasyncd(8) treats whitespace after comments as EOF in sasyncd.conf
# sasyncd.conf at gw1


Any help welcome,
Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius



Re: instable vpn after upgrading to 4.8

2010-12-20 Thread Axel Rau

On 20.12.2010 at 12:50, Axel Rau wrote:

> After upgrading to 4.8 (stable) the vpn starts blocking in one
> direction after 2 days of uptime of the gateway pair.

Today it took only 2 hours to start blocking.
Blocking can be prevented by keeping a ping running.

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius



Re: Migrating from isakmpd to iked: interface name not recognized

2010-12-14 Thread Axel Rau

On 13.12.2010 at 18:50, Axel Rau wrote:

> no IP address found for pppoe0

This happens with all devices I have tried.
Anybody succeeded in using an interface name as argument of option local?

This is 4.8 stable on i386 generic.

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius



Re: Migrating from isakmpd to iked: interface name not recognized

2010-12-14 Thread Axel Rau

On 14.12.2010 at 17:23, Mike Belopuhov wrote:

> mask2prefixlen functions are taken from bgpd.  OK?

Thanks, Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius



Migrating from isakmpd to iked: interface name not recognized

2010-12-13 Thread Axel Rau

Hi all,

in the man page for iked.conf, I read:
Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names, interface names, or interface group names.

In my iked.conf, I have
   local pppoe0
but iked -vn complains:
no IP address found for pppoe0
/etc/iked.conf: 26: could not parse host specification
.
ifconfig pppoe0 | grep inet
shows:
inet 79.243.41.99 --> 87.186.224.28 netmask 0xffffffff

Clueless: Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-22 Thread Axel Rau

On 21.05.2010 at 01:53, Tomoyuki Sakurai wrote:

> You need additional two OSPF routers for L3 redundancy (claudio@
> explained why in a paper).

Thanks for the hint, Tomoyuki.
I have now ospfd running on both firewalls, which was one necessary
step towards success.

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-22 Thread Axel Rau

On 21.05.2010 at 12:55, Axel Rau wrote:

> On 20.05.2010 at 22:07, Reyk Floeter wrote:
> 
> I will try the following with unmanaged switches, no RST:
> 
> On fbsd:
> 
> fbsd# ifconfig em0 up
> fbsd# ifconfig em1 up
> fbsd# ifconfig lagg0 create
> fbsd# ifconfig lagg0 laggproto failover laggport em0 laggport em1 up
> fbsd# ifconfig vlan2 create
> fbsd# ifconfig vlan2 vlan 2 vlandev lagg0 10.1.2.10 netmask 255.255.255.0 up

This started working with 2 unmanaged switches after applying a patch
to fbsd.8.0 (bug with vlan on top of lagg).

Thanks again Reyk for your help,
Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos claudius



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-21 Thread Axel Rau

On 20.05.2010 at 22:07, Reyk Floeter wrote:

I will try the following with unmanaged switches, no RST:

 +---+            +-----+               +------+
 |fw1|      +-----+ sw1 +---------------+em0   |
 |em1+------+     +--+--+               |      |
 |em2+---+           |                  |      |
 +---+   |           |                  |      |
 carp0   |           |                  |Server|
 +---+   |           |                  | fbsd |
 |fw2|   |           |                  |      |
 |em1+---|-----------+                  |      |
 |em2+-+ |        +-----+               |      |
 +---+ | +--------+ sw2 +---------------+em1   |
 carp0 +----------+     |               +------+
   vlan1+vlan2    +-----+                 vlan2

fw1# ifconfig em0 up
fw1# ifconfig em1 up
fw1# ifconfig trunk0 trunkport em0 trunkport em1 trunkproto failover up
fw1# ifconfig vlan1 vlandev trunk0 descr UPLINK 10.1.1.2/24
fw1# ifconfig vlan2 vlandev trunk0 descr SERVERLAN 10.1.2.2/24
fw1# ifconfig carp1 vhid 1 carpdev vlan1 10.1.1.1/24
fw1# ifconfig carp2 vhid 2 carpdev vlan2 10.1.2.1/24

fw2# ifconfig em0 up
fw2# ifconfig em1 up
fw2# ifconfig trunk0 trunkport em0 trunkport em1 trunkproto failover up
fw2# ifconfig vlan1 vlandev trunk0 descr UPLINK 10.1.1.3/24
fw2# ifconfig vlan2 vlandev trunk0 descr SERVERLAN 10.1.2.3/24
fw2# ifconfig carp1 vhid 1 carpdev vlan1 advskew 100 10.1.1.1/24
fw2# ifconfig carp2 vhid 2 carpdev vlan2 advskew 100 10.1.2.1/24


On fbsd:

fbsd# ifconfig em0 up
fbsd# ifconfig em1 up
fbsd# ifconfig lagg0 create
fbsd# ifconfig lagg0 laggproto failover laggport em0 laggport em1 up
fbsd# ifconfig vlan2 create
fbsd# ifconfig vlan2 vlan 2 vlandev lagg0 10.1.2.10 netmask
255.255.255.0 up

fbsd# route add default 10.1.2.1

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
chaos claudius



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Axel Rau

On 20.05.2010 at 00:04, Henning Brauer wrote:


* Axel Rau axel@chaos1.de [2010-05-19 10:34]:

Now the question: Can I put a trunk on top of a carp?


you put carp on top of the trunk of course.

OK.
Can I have a trunk connected to 2 different switches then?

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
chaos claudius



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Axel Rau

On 20.05.2010 at 20:17, Henning Brauer wrote:



However, if you need to ask if you can run a trunk on top of a carp,

This was an academic question to keep the thread running (-;

do
yourself a favor and use a single switch. There will be less
downtime.


that is something i could subscribe to :)

I try to keep things simple usually. Thanks to all for the advice.

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
chaos claudius



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-20 Thread Axel Rau

Thanks for this detailed elaboration, Reyk.
A few questions:

On 20.05.2010 at 22:07, Reyk Floeter wrote:


On Thu, May 20, 2010 at 07:02:23PM +0200, Axel Rau wrote:

Now the question: Can I put a trunk on top of a carp?


you put carp on top of the trunk of course.

OK.
Can I have a trunk connected to 2 different switches then?



yes, i did this many times using trunk in failover mode.  this is
actually the main reason why i implemented failover mode: for l2
redundancy.  i even normally use it in combination with VLANs.

to explain it using your artwork:

 +---+  +--+
 |   |+-+   |  |
 +fw1++ sw1 +---+  |
carp0|   +--+ +-+-+-+em0|  |
 |   |  |   |   |  |
 +-+-+  |  ++   |  |
   ||  ||Server|
 +-+-+  +--|--+ | fbsd |
 |   | |  | |  |
 |   +-+  +-+-+-+   |  |
 +fw2++ sw2 +---+  |
carp0|   |+-+em1|  |
 +---+  +--+

let's assume that fw1 and fw2 are connected with em1 and em2, em1 is
connected to sw1 and em2 is connected to sw2 on each fw.  fbsd server
sits in vlan2, the uplink is in vlan1 connected to the same switches
(you might also have other physical switches for the uplink, which is
also fairly common, which would just require to move vlan1 to another
trunk or physical iface).

the switches don't need any special configuration, no trunks on the
switch and no stacking or similar.  they just need to be in the same
VLANs, so a simple interlink between them is all you need.

You mean a physical connection between sw1 and sw2?

failover
mode means that the trunk only uses one active link at a time (the
first trunkport you add and so on) as long as the link is up.  this
works nicely with any kind of switches, is safe to use and doesn't
cause any loops, address conflicts etc.  i use procurve switches
(now: hp networking e-series), but there is no need for distributed
trunking or tricks like this with failover mode.

fw1# ifconfig em0 up
fw1# ifconfig em1 up
fw1# ifconfig trunk0 trunkport em0 trunkport em1 trunkproto failover
up
fw1# ifconfig vlan1 vlandev trunk0 descr UPLINK 10.1.1.2/24
fw1# ifconfig vlan2 vlandev trunk0 descr SERVERLAN 10.1.2.2/24
fw1# ifconfig carp1 vhid 1 carpdev vlan1 10.1.1.1/24
fw1# ifconfig carp2 vhid 2 carpdev vlan2 10.1.2.1/24

fw2# ifconfig em0 up
fw2# ifconfig em1 up
fw2# ifconfig trunk0 trunkport em0 trunkport em1 trunkproto failover
up
fw2# ifconfig vlan1 vlandev trunk0 descr UPLINK 10.1.1.3/24
fw2# ifconfig vlan2 vlandev trunk0 descr SERVERLAN 10.1.2.3/24
fw2# ifconfig carp1 vhid 1 carpdev vlan1 advskew 100 10.1.1.1/24
fw2# ifconfig carp2 vhid 2 carpdev vlan2 advskew 100 10.1.2.1/24


On fbsd, I set default gw to 10.1.1.1 ?

But a trunk would have no counterparts. How does this fit in?

fbsd# ifconfig em0 up
fbsd# ifconfig em1 up
fbsd# ifconfig lagg0 laggproto failover laggport em0 laggport em1 \
10.1.2.10 netmask 255.255.255.0
?

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
chaos claudius
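A small operator check in the spirit of Reyk's explanation and of Axel's final fw1/fw2 configuration, added here as an example; it is not part of the thread and not one of OpenBSD's own tools. It parses ifconfig(8) output for a trunk(4) failover interface and a carp(4) interface and reports whether the trunk still runs over its master port and which carp state the firewall is in. The ifconfig output embedded below is constructed to resemble what fw1 would show (the exact layout of the `trunkport` and `carp:` lines is an assumption about ifconfig's format), so the script runs offline; on a real firewall you would feed it `ifconfig trunk0` and `ifconfig carp1` instead. The FreeBSD lagg side is not covered, since its ifconfig output differs.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a trunk(4) failover
# + carp(4) firewall pair, run over ifconfig(8) output.
# All ifconfig output below is CONSTRUCTED to resemble OpenBSD's format for
# the fw1 configuration in the thread; the exact line layout is an assumption.

# fw1 in normal operation: em0 is the master port and carries traffic.
SAMPLE_TRUNK_OK='trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        trunk: trunkproto failover
        trunkport em1
        trunkport em0 master,active
        groups: trunk
        status: active'

# fw1 after sw1 died: em0 lost link, so the trunk now runs over em1.
SAMPLE_TRUNK_FAILED='trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:01
        trunk: trunkproto failover
        trunkport em1 active
        trunkport em0 master
        groups: trunk
        status: active'

# carp1 on fw1 (advskew 0, so it should normally be MASTER).
SAMPLE_CARP='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev vlan1 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255'

# Port the trunk is currently sending through (flagged "active").
active_trunkport() {
    printf '%s\n' "$1" | awk '$1 == "trunkport" && $3 ~ /active/ { print $2; exit }'
}

# Preferred port (flagged "master"); failover returns to it once its link is back.
master_trunkport() {
    printf '%s\n' "$1" | awk '$1 == "trunkport" && $3 ~ /master/ { print $2; exit }'
}

# Exit status 0 when the trunk has failed over to a non-master port.
trunk_failed_over() {
    [ "$(active_trunkport "$1")" != "$(master_trunkport "$1")" ]
}

# carp state word (MASTER, BACKUP or INIT) from the "carp:" line.
carp_state() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $2; exit }'
}

# advskew value from the "carp:" line; the firewall with the lower value wins.
carp_advskew() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { for (i = 1; i <= NF; i++) if ($i == "advskew") print $(i + 1); exit }'
}

# Two-line report for an operator or a monitoring hook.
report() {
    trunk_out=$1; carp_out=$2
    if trunk_failed_over "$trunk_out"; then
        printf 'WARNING: trunk failed over to %s (master %s)\n' \
            "$(active_trunkport "$trunk_out")" "$(master_trunkport "$trunk_out")"
    else
        printf 'OK: trunk on master port %s\n' "$(master_trunkport "$trunk_out")"
    fi
    printf 'carp: %s (advskew %s)\n' "$(carp_state "$carp_out")" "$(carp_advskew "$carp_out")"
}

# On a real firewall: report "$(ifconfig trunk0)" "$(ifconfig carp1)"
report "$SAMPLE_TRUNK_OK" "$SAMPLE_CARP"
report "$SAMPLE_TRUNK_FAILED" "$SAMPLE_CARP"
```

The point of checking both values together is that a trunk failover is silent from the host's point of view: traffic keeps flowing over the second switch and carp stays MASTER, so without a check like this the loss of sw1 only becomes visible when sw2 fails as well.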



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-19 Thread Axel Rau

On 19.05.2010 at 07:59, Guido Tschakert wrote:


What problem are you trying to resolve?



I will clarify:

  +---+  +--+
  |   |+-+   |  |
  +fw1++ sw1 +---+  |
 carp0|   +--+ +-+-+-+em0|  |
  |   |  |   |   |  |
  +-+-+  |  ++   |  |
||  ||Server|
  +-+-+  +--|--+ | fbsd |
  |   | |  | |  |
  |   +-+  +-+-+-+   |  |
  +fw2++ sw2 +---+  |
 carp0|   |+-+em1|  |
  +---+  +--+

Server uses fw1/fw2 as default gateway(s).
Server has a bunch of IPs. I can't add these as aliases to either em0
or em1 (would be single point of failure).
I need a virtual interface, like a trunk, to which I can tie the IPs.

A trunk connects 2 hosts (AFAIK); in my case, I have 3.
I could reduce the pair fw1/fw2 to one virtual system, using 2 carp
interfaces.
This way, I would have a valid configuration of 2 hosts for the trunk,
with 2 interfaces on each side.

Now the question: Can I put a trunk on top of a carp?
AFAIK No.
What do you mean?

Are there other possibilities to connect the boxes with the above
functionality?

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
chaos claudius



HA: pair of firewalls, 2 switches and 1 server

2010-05-18 Thread Axel Rau

Hi all,

I have a pair of redundant firewalls (obsd 4.6) and a server (fbsd 8.0):

   +---+  +--+
   |   |  |  |
   +fw1+--+ +-+  |
  carp0|   |carp1 | |  em0|  |
   |   |  | | |  |
   +-+-++-+-+-+   |  |
 |  | sw  |   |Server|
   +-+-++-+-+-+   | fbsd |
   |   |  | | |  |
   +fw2+--+ +-+  |
  carp0|   |carp1  em1|  |
   |   |  |  |
   +---+  DMZ +--+

We all know, the switch is the single point of failure.
Even worse, when it fails the carp0 pair starts flapping, disturbing
other firewall traffic.
So, how to resolve this?

Trunking would only be possible between 2 boxes, not 3.
Carp on top of trunk?
2 Carp pairs on the firewalls and 1 pair at the server?

If I get it right, the physical LAN should look like this:

   +---+  +--+
   |   |+-+   |  |
   +fw1++ sw1 +---+  |
  carp0|   +--+ +-+-+-+em0|  |
   |   |  |   |   |  |
   +-+-+  |  ++   |  |
 ||  ||Server|
   +-+-+  +--|--+ | fbsd |
   |   | |  | |  |
   |   +-+  +-+-+-+   |  |
   +fw2++ sw2 +---+  |
  carp0|   |+-+em1|  |
   +---+  +--+

Switches must have Spanning Tree support (RSTP), so I hope a pair of
Netgear GS108T can do this.

Any proposals highly appreciated,
Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
chaos claudius



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-18 Thread Axel Rau
On 18.05.2010 at 14:20, Leonardo Carneiro - Veltrac wrote:

 IMHO, the second scenario you draw solves the problem in a very elegant way.
Beside, STP and RSTP-enabled switches are becoming less expensive in the last
years.
Yes, but what carps/trunks do I need?

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos
claudius



Re: HA: pair of firewalls, 2 switches and 1 server

2010-05-18 Thread Axel Rau
On 18.05.2010 at 14:11, Guido Tschakert wrote:

 I would say your Server is __the__ single point of failure (sure the
 switch is also a spof but normally I'm more worried about servers than
 switches)
Yes, but it has 2 power supplies and redundant disks. If the mini pwr supply
of the single switch dies, I'm losing.
Also a 2nd server is in the pipeline...

Axel
---
axel@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @ chaos
claudius