Re: How does OpenBSD compare to Ubuntu Server?
You mean systemd! You'd need udev in the core system. And everybody knows daemontools/runit is the past, present, and future of init systems.
Re: IPv4 routing fails after IPv6 default route is added
Hi,

On 2011.06.10 16:35:43 +, Stuart Henderson wrote:
> I would suggest being more specific with your nat rule. If you have
> a default v6 route on gre, this is in group egress too, and might
> get picked as the interface to try and nat packets to, but it doesn't
> have a v4 address so the nat can't work.
>
> Because you're using (egress:0) rather than just egress:0 to track
> address changes, you won't be able to see what's going on using the
> standard tools (pfctl -vf /etc/pf.conf, pfctl -sr, etc) which might
> otherwise clarify things.

Thanks. That seems to have fixed it. I assumed the skip gre0 would be enough to disable all rules on the interface/route going over that interface.

Regards,
Benjamin Kiessling
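The advice quoted above, as an added example that is not part of the original thread: the group-based NAT rule from the original post beside a version pinned to the IPv4 uplink. The interface name vr1 is an assumption; the thread does not show the rule that was finally used.

```conf
# Added example; vr1 as the IPv4 uplink is an assumption.

set skip on lo
set skip on enc0
set skip on gre0

# Before: "egress" is the group of interfaces that hold a default route.
# Once the IPv6 default route is added on gre0, gre0 joins the group, and
# (egress:0) may be resolved against gre0, which has no IPv4 address.
# "set skip on gre0" only exempts packets traversing gre0 from filtering;
# it does not take gre0 out of the egress group.
# match out on egress inet from !(egress:network) to any nat-to (egress:0)

# After: name the IPv4 uplink explicitly so NAT no longer depends on
# group membership. The parentheses still track address changes on vr1.
match out on vr1 inet from !(vr1:network) to any nat-to (vr1:0)

pass out quick
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading the ruleset, and `ifconfig egress` lists the interfaces currently in the group.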
IPv4 routing fails after IPv6 default route is added
Hi again,

I've got an issue related to my earlier problems with GRE tunnels and OSPF. My OpenBSD box acts as a (NAT) router between my local network and the IPv4 Internet. Additionally there is a GRE tunnel between the box and a server over which I route into the IPv6 internet. What happens is that after I add the IPv6 default route on gre0 I lose IPv4 connectivity on the local network. The whole setup looks like this:

              GRE (fe80::acfa:ffa0)    GRE (fe80...)
              _ __ IPv6 Router --- IPv6 Internet
             / \ /
    LAN -- OpenBSD - Modem --- IPv4 Internet
    (172.22.94.64/27) 172.22.94.1
                      2001:470:9ed3:1423::

The GRE tunnel endpoints don't have public IPv6 addresses and I add the default route on the Router via

    route -n add -inet6 default fe80::acfa:ffa0%gre0

ICMPv4 still works on LAN but establishing TCP connections fails initially, hinting that my firewall config is somewhat skewed. On the first connection request to an IPv4 host on the Internet the router doesn't NAT the packets, forwarding them with the LAN IPv4 address to the modem. Subsequent requests get NATed correctly. My pf.conf looks like this:

    set skip on lo
    set skip on enc0
    set skip on gre0
    pass
    match out on egress inet from !(egress:network) to any nat-to (egress:0)
    pass out quick

I'm still not that familiar with OpenBSD, but I've read all relevant man pages and couldn't find an explanation for this behavior.

Regards,
Benjamin Kiessling
Re: Upgrade experience.
Hi,

> A new measure of the ease of install - who is the youngest person to
> do an OpenBSD install? :-)

The Debian guys measure it by the number of kernels you have to put on the enter key (even chickens can install Debian). With OpenBSD you'll probably hit a lower bound when people get too young to read 'press A for autoformat'. ;)

Regards,
Benjamin
Re: Multicast and GRE
Hi,

> ospfd does not need any of the multicast options. ospfd uses the
> IP_MULTICAST_IF socket option and bypasses the routing table lookup
> by doing so. rtadvd and many other daemons do it in a similar way.
> The multicast_host option is only needed for applications that do not
> use the special multicast setsockopt()s.

Thanks for enlightening me.

> E.g. gre(4) needs the net.inet.gre.allow sysctl to be set to 1.

The key has been set to one and when I run tcpdump on the interface I see the LSAs from the router on the opposite end but the local ospfd doesn't emit any. Running:

    ramen:~ ospfctl show interfaces
    Interface   Address            State  HelloTimer Linkstate  Uptime    nc  ac
    vr0         172.22.94.67/27    DOWN   -          active     00:00:00   0   0
    gre0        172.22.94.67/32    P2P    00:00:02   unknown    09:49:30   0   0

I see what I think I'm supposed to see. Starting ospfd in debug mode doesn't reveal anything of value:

    orig_rtr_lsa: area 0.0.0.0
    orig_rtr_lsa: stub net, interface vr0
    if_fsm: event UP resulted in action START and changing state for interface vr0 from DOWN to DOWN
    orig_rtr_lsa: area 0.0.0.0
    orig_rtr_lsa: stub net, interface vr0
    orig_rtr_lsa: stub net, interface gre0
    if_fsm: event UP resulted in action START and changing state for interface gre0 from DOWN to P2P
    spf_calc: area 0.0.0.0 calculated

The config looks like this:

    router-id 172.22.94.67
    fib-update yes
    auth-type none
    hello-interval 10
    retransmit-interval 5
    router-dead-time 40
    transmit-delay 1

    # areas
    area 0.0.0.0 {
            interface gre0 {
                    metric 10
            }
            interface vr0 {
                    passive
            }
    }

Any ideas where I could have misconfigured anything?

Best Regards,
Benjamin Kiessling
Re: Multicast and GRE
Hi,

> Are you sure that you're not blocking the ospf or gre packets with pf?
> The hello timer is running and so hello packets should be generated
> and sent. Since there are no errors from ospf when sending packets I
> assume that the problem is in gre(4). Can you ping the remote end of
> the gre tunnel?

I had set skip on gre0 in my pf.conf all along. Additionally I tried disabling pf completely to no avail. As I wrote in my first email, unicast packets seem to traverse the tunnel in both directions just fine. When adding the routes OSPF should create manually, IPv4 traffic works as expected. Is there a way to increase OpenOSPFd debugging output even further?

Best Regards,
Benjamin Kiessling
Multicast and GRE
Hi,

I've been trying to get OpenOSPFd working on OpenBSD 4.8 using a GRE over IPsec approach. The GRE tunnel is working for unicast IPv4 packets. I've seen that there are reject routes for 224.0.0.0/4 in the default configuration and set multicast_host to yes, which adds the route to the default interface (vr1 in my case). Adding this route to the gre0 device either manually or with the multicast_host key fails. As I just installed OpenBSD a few days ago I'm clueless about how to proceed.

What is the proper way to enable multicast on gre devices? Additionally, if I understand the configuration correctly, multicast is only supported on one device simultaneously (can't really believe that). How would I then use OSPF on one interface and an IPv6 router advertisement daemon on another?

I apologize if these questions seem rather basic and/or if solutions are provided in the documentation (coming from the Linux world I have to say OpenBSD's man pages are even more marvellous than sliced bread).

Best Regards,
Benjamin Kiessling