Backup ISP

2024-02-28 Thread Lars Bonnesen
I now have two ISPs

A primary on vmx2 and a backup (4G) on vmx4

Both need to initiate the connection with a DHCP request, so I have:
inet autoconf description Internet
in hostname.vmx2
and
inet autoconf description Internet4Gbackup
in hostname.vmx4

My idea is to have an active/passive setup being able to ssh from the
internet to both vmx2 and vmx4

Seems that I am only able to access vmx2 from the internet

vmx2: flags=808843 mtu 1500
lladdr 00:0c:29:e0:88:a6
description: Internet
index 3 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (10GbaseT)
status: active

vmx4: flags=808843 mtu 1500
lladdr 00:0c:29:e0:88:7e
description: Internet4Gbackup
index 5 priority 0 llprio 3
media: Ethernet autoselect (10GbaseT)
status: active


I cannot see "egress" under vmx4 - I guess this is part of the problem.

How do I get incoming traffic via vmx2 to return out via vmx2 and vice
versa, incoming traffic via vmx4 to return out via vmx4?

Regards, Lars.


Re: Two parent NICs for VLAN

2023-12-19 Thread Lars Bonnesen
Ah, ok... and then you assign the IP address to that vport... thanks...
will try that out later.

On Tue, Dec 19, 2023 at 2:42 PM Zé Loff  wrote:

>
> On Tue, Dec 19, 2023 at 02:25:01PM +0100, Lars Bonnesen wrote:
> > That is exactly what I want.
> >
> > Ah, veb... although I cannot make it work. I see a lot of arp'ing not
> > getting any replies. So devices that were working before try to arp for the
> > gateway and get no replies, even though they are on the same layer2
> > net:
> >
> > 12:28:54.101968 arp who-has 172.18.14.1 tell 172.18.14.201
> > 12:28:54.573677 arp who-has 172.18.14.1 tell 172.18.14.101
> > 12:28:55.101913 arp who-has 172.18.14.1 tell 172.18.14.201
> > 12:28:55.597716 arp who-has 172.18.14.1 tell 172.18.14.101
> > 12:28:56.101910 arp who-has 172.18.14.1 tell 172.18.14.201
>
> Apologies, there was a missing detail on my suggestion: it is meant to
> completely bypass the router, which plays no part in that vlan's
> traffic (more details below, if needed).
>
> If you want the router/gateway to be connected to that VLAN, you need to
> create a vport interface and add it to the veb, as noted on veb's man
> page.
>
>
> Unnecessary details:
> I get three VLANs from my ISP on the same wire: internet, VoIP and IPTV.
> I need to manage the internet connection, but not the rest, so I used
> the veb to simply forward all traffic (DHCP, etc) on the VoIP VLAN
> directly to the VoIP phone.  This means that the firewall/gateway plays
> no part in it, other than blindly forwarding at L2.  I could do this
> simply by putting the managed switch before the firewall, but the idea of
> having a managed switch directly connected to the internet makes me
> itchy.
>
>


Re: Two parent NICs for VLAN

2023-12-19 Thread Lars Bonnesen
That is exactly what I want.

Ah, veb... although I cannot make it work. I see a lot of arp'ing not
getting any replies. So devices that were working before try to arp for the
gateway and get no replies, even though they are on the same layer2
net:

12:28:54.101968 arp who-has 172.18.14.1 tell 172.18.14.201
12:28:54.573677 arp who-has 172.18.14.1 tell 172.18.14.101
12:28:55.101913 arp who-has 172.18.14.1 tell 172.18.14.201
12:28:55.597716 arp who-has 172.18.14.1 tell 172.18.14.101
12:28:56.101910 arp who-has 172.18.14.1 tell 172.18.14.201


On Tue, Dec 19, 2023 at 10:09 AM Zé Loff  wrote:

> On Tue, Dec 19, 2023 at 09:33:18AM +0100, Lars Bonnesen wrote:
> > I have a physical switch with a number of VLANs and a NIC connected to a
> > wireless setup. I want to have those two separated except for one
> > particular VLAN that I want on the physical switch as well as on the APs.
> >
> > So I have vmx1 connected to the APs and vmx3 to the switch.
> >
> > Then some vlans that each has one of these as parents.
> >
> > But then for VLAN 860, I want both vmx1 and vmx3 as parent... Can't they
> > have joint custody?
> >
> > I could of course bridge vmx1 and vmx3 - but I only want vmx1 and vmx3
> > bridged for vlan 860. Does it make sense?
> >
> > How to achieve this? Something similar to:
> >
> >
> > vlan860: flags=8943 mtu 1500
> > lladdr 00:0c:29:e0:88:9c
> > description: IoT
> > index 27 priority 0 llprio 3
> > encap: vnetid 860 parent vmx3 AND VMX1 txprio packet rxprio outer
> > groups: vlan
> > media: Ethernet autoselect (10GbaseT)
> > status: active
> >
> > ... which of course does not work.
> >
> > Regards, Lars.
>
> I'm not entirely sure if this is what you are asking, but I achieved
> something like this by
>
> - Creating one vlan interface on each physical interface with the same
>   vnetid, but with different names (obviously):
> - veb-ing the two vlan interfaces:
>
> I.e.:
>
> $ cat /etc/hostname.vlan1010
> description "VoIP WAN"
> vnetid 101 parent re1
> -inet6
> up
>
> $ cat /etc/hostname.vlan1011
> description "VoIP DMZ"
> vnetid 101 parent re2
> -inet6
> up
>
> $ cat /etc/hostname.veb1
> add vlan1010
> add vlan1011
> up
>
> Hope this helps
>
> --
>
>


Two parent NICs for VLAN

2023-12-19 Thread Lars Bonnesen
I have a physical switch with a number of VLANs and a NIC connected to a
wireless setup. I want to have those two separated except for one
particular VLAN that I want on the physical switch as well as on the APs.

So I have vmx1 connected to the APs and vmx3 to the switch.

Then some vlans that each have one of these as parent.

But then for VLAN 860, I want both vmx1 and vmx3 as parent... Can't they
have joint custody?

I could of course bridge vmx1 and vmx3 - but I only want vmx1 and vmx3
bridged for vlan 860. Does it make sense?

How to achieve this? Something similar to:

vlan860: flags=8943 mtu 1500
lladdr 00:0c:29:e0:88:9c
description: IoT
index 27 priority 0 llprio 3
encap: vnetid 860 parent vmx3 AND VMX1 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (10GbaseT)
status: active

... which of course does not work.

Regards, Lars.


Re: Performance optimizing OpenBSD 7.2

2023-02-15 Thread Lars Bonnesen
systat tells me

One box:
  IPKTS 89450
  OPKTS 19438

The other:
  IPKTS 68814
  OPKTS 87939

As the box is doing L2VPN, the NICs for the vlans that are being
stretched are in promiscuous mode, thus all traffic on the networks is
hitting this box. I have a default block saying block drop.
I guess this causes the box to care as little as possible about packages it
really shouldn't care about.



On Wed, Feb 15, 2023 at 5:52 PM Stuart Henderson 
wrote:

> On 2023-02-15, Lars Bonnesen  wrote:
> > lbo@PLOSLOL2VPN:/etc$ pfctl -s info
> > Status: Enabled for 0 days 00:06:49  Debug: err
> >
> > State Table                          Total             Rate
> >   current entries                   149331
> >   half-open tcp                       5333
> >   searches                      4462647255         1098.0/s
> >   inserts                         78143904       191060.9/s
> >   removals                        77994573       190695.8/s
> > Counters
> >   match                          250452866       612354.2/s
> >   bad-offset                             0            0.0/s
> >   fragment                               1            0.0/s
> >   short                                  0            0.0/s
> >   normalize                              1            0.0/s
> >   memory                           5247954        12831.2/s
> >   bad-timestamp                          0            0.0/s
> >   congestion                          1469            3.6/s
> >   ip-option                              3            0.0/s
> >   proto-cksum                         3012            7.4/s
> >   state-mismatch                 145502864       355752.7/s
> >   state-insert                         305            0.7/s
> >   state-limit                            0            0.0/s
> >   src-limit                              0            0.0/s
> >   synproxy                               0            0.0/s
> >   translate                              0            0.0/s
> >   no-route                               0            0.0/s
>
> oof, how many packets/sec is the machine doing? ("systat ifs", IPKT/OPKT
> columns)
>
> mismatches are still really high.
>
> does this machine see packets in both directions of the traffic
> that it's passing? no active/active setup where the traffic is getting
> split, or asymmetric routing where it only sees traffic in one
> direction?
>
>
>
>


Re: Performance optimizing OpenBSD 7.2

2023-02-15 Thread Lars Bonnesen
I think that I am now hitting a bottleneck somewhere else.

Thanks for the help so far... I might come back thirsty for more later...
(-:

Regards, Lars.

On Wed, Feb 15, 2023 at 4:13 PM Lars Bonnesen 
wrote:

> lbo@PLOSLOL2VPN:/etc$ pfctl -s info
> Status: Enabled for 0 days 00:06:49  Debug: err
>
> State Table                          Total             Rate
>   current entries                   149331
>   half-open tcp                       5333
>   searches                      4462647255         1098.0/s
>   inserts                         78143904       191060.9/s
>   removals                        77994573       190695.8/s
> Counters
>   match                          250452866       612354.2/s
>   bad-offset                             0            0.0/s
>   fragment                               1            0.0/s
>   short                                  0            0.0/s
>   normalize                              1            0.0/s
>   memory                           5247954        12831.2/s
>   bad-timestamp                          0            0.0/s
>   congestion                          1469            3.6/s
>   ip-option                              3            0.0/s
>   proto-cksum                         3012            7.4/s
>   state-mismatch                 145502864       355752.7/s
>   state-insert                         305            0.7/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>   translate                              0            0.0/s
>   no-route                               0            0.0/s
>
> On Wed, Feb 15, 2023 at 2:15 PM Claudio Jeker 
> wrote:
>
>> On Wed, Feb 15, 2023 at 01:01:10PM -, Stuart Henderson wrote:
>> > On 2023-02-15, Lars Bonnesen  wrote:
>> > > One says:
>> > >
>> > > # pfctl -s info
>> > > Status: Enabled for 0 days 10:56:43  Debug: err
>> > >
>> > > State Table                          Total             Rate
>> > >   current entries                    91680
>> >
>> > Lots of entries, close to the default:
>> >
>> > $ doas pfctl -sm
>> > stateshard limit   10
>> > src-nodes hard limit1
>> > frags hard limit65536
>> > tableshard limit 1000
>> > table-entries hard limit   20
>> > pktdelay-pkts hard limit1
>> > anchors   hard limit  512
>> >
>> > >   half-open tcp                       4032
>> > >   searches                      3132304294        79494.1/s
>> > >   inserts                         60916552         1546.0/s
>> > >   removals                        60824872         1543.7/s
>> > > Counters
>> > >   match                           79164265         2009.1/s
>> > >   bad-offset                             0            0.0/s
>> > >   fragment                               1            0.0/s
>> > >   short                                  0            0.0/s
>> > >   normalize                              0            0.0/s
>> > >   memory                           1768012           44.9/s
>> >
>> > And this most likely means that you've been bumping into the
>> > state limit plenty of times already.
>> >
>> > >   bad-timestamp                          0            0.0/s
>> > >   congestion                          1201            0.0/s
>> > >   ip-option                              0            0.0/s
>> > >   proto-cksum                          387            0.0/s
>> > >   state-mismatch                  82794949         2101.2/s
>> >
>> > Loads of state mismatches and, looking at the rate, this is
>> > probably on an ongoing basis.
>> >
>> > Check to make sure that all packets match either a "pass" or "block"
>> > rule (the easiest way to do this is usually to have a simple "block"
>> > or "block log" as the first rule) - if you don't have any matching
>> > rule in the config, there is an implicit default which passes traffic
>> > *without* creating state.
>> >
>> > (One particularly common result of this is that TCP window scaling
>> > isn't handled properly such that longer lived or fast TCP connections
>> > are likely to slow down or stall.)
>> >
>> > You might also need to bump the state limit, but I'd check the above
>> > first because the high number of states might be caused because of
>> > mismatches.
>>
>> I think the state-mismatch is a result of hitting the state limit and not
>> the other way around.  At over 90'000 states the default timeouts are
>> reduced by more than 50% and so states are removed too soon resulting in a
>> state-mismatch.
>>
>> So first bump the limit up and then look at the counters again.
>>
>> --
>> :wq Claudio
>>
>>


Re: Performance optimizing OpenBSD 7.2

2023-02-15 Thread Lars Bonnesen
lbo@PLOSLOL2VPN:/etc$ pfctl -s info
Status: Enabled for 0 days 00:06:49  Debug: err

State Table                          Total             Rate
  current entries                   149331
  half-open tcp                       5333
  searches                      4462647255         1098.0/s
  inserts                         78143904       191060.9/s
  removals                        77994573       190695.8/s
Counters
  match                          250452866       612354.2/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                           5247954        12831.2/s
  bad-timestamp                          0            0.0/s
  congestion                          1469            3.6/s
  ip-option                              3            0.0/s
  proto-cksum                         3012            7.4/s
  state-mismatch                 145502864       355752.7/s
  state-insert                         305            0.7/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

On Wed, Feb 15, 2023 at 2:15 PM Claudio Jeker 
wrote:

> On Wed, Feb 15, 2023 at 01:01:10PM -, Stuart Henderson wrote:
> > On 2023-02-15, Lars Bonnesen  wrote:
> > > One says:
> > >
> > > # pfctl -s info
> > > Status: Enabled for 0 days 10:56:43  Debug: err
> > >
> > > State Table                          Total             Rate
> > >   current entries                    91680
> >
> > Lots of entries, close to the default:
> >
> > $ doas pfctl -sm
> > stateshard limit   10
> > src-nodes hard limit1
> > frags hard limit65536
> > tableshard limit 1000
> > table-entries hard limit   20
> > pktdelay-pkts hard limit1
> > anchors   hard limit  512
> >
> > >   half-open tcp                       4032
> > >   searches                      3132304294        79494.1/s
> > >   inserts                         60916552         1546.0/s
> > >   removals                        60824872         1543.7/s
> > > Counters
> > >   match                           79164265         2009.1/s
> > >   bad-offset                             0            0.0/s
> > >   fragment                               1            0.0/s
> > >   short                                  0            0.0/s
> > >   normalize                              0            0.0/s
> > >   memory                           1768012           44.9/s
> >
> > And this most likely means that you've been bumping into the
> > state limit plenty of times already.
> >
> > >   bad-timestamp                          0            0.0/s
> > >   congestion                          1201            0.0/s
> > >   ip-option                              0            0.0/s
> > >   proto-cksum                          387            0.0/s
> > >   state-mismatch                  82794949         2101.2/s
> >
> > Loads of state mismatches and, looking at the rate, this is
> > probably on an ongoing basis.
> >
> > Check to make sure that all packets match either a "pass" or "block"
> > rule (the easiest way to do this is usually to have a simple "block"
> > or "block log" as the first rule) - if you don't have any matching
> > rule in the config, there is an implicit default which passes traffic
> > *without* creating state.
> >
> > (One particularly common result of this is that TCP window scaling
> > isn't handled properly such that longer lived or fast TCP connections
> > are likely to slow down or stall.)
> >
> > You might also need to bump the state limit, but I'd check the above
> > first because the high number of states might be caused because of
> > mismatches.
>
> I think the state-mismatch is a result of hitting the state limit and not
> the other way around.  At over 90'000 states the default timeouts are
> reduced by more than 50% and so states are removed too soon resulting in a
> state-mismatch.
>
> So first bump the limit up and then look at the counters again.
>
> --
> :wq Claudio
>
>
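To make Stuart's and Claudio's readings of these counters checkable, here is an added example (written for this page, not code from the thread or from pf itself) that parses `pfctl -s info` output and applies the adaptive-timeout formula from pf.conf(5). The state limit (100000) and `adaptive.start`/`adaptive.end` (60000/120000) are assumed pf.conf(5) defaults, and the sample output is a constructed copy of the first box's numbers in pfctl's normal column layout.

```python
import re

# Defaults from pf.conf(5): "set limit states 100000", "set timeout
# adaptive.start 60000" and "adaptive.end 120000". These are assumptions for
# this example; confirm on your own box with `pfctl -sm` and `pfctl -st`.
DEFAULT_STATE_LIMIT = 100_000
DEFAULT_ADAPTIVE_START = 60_000
DEFAULT_ADAPTIVE_END = 120_000

# Constructed sample modelled on the first box in the thread (uptime 10:56:43),
# laid out in pfctl's normal columns so the parser below can split it.
SAMPLE_PFCTL_INFO = """\
Status: Enabled for 0 days 10:56:43              Debug: err

State Table                          Total             Rate
  current entries                    91680
  half-open tcp                       4032
  searches                      3132304294        79494.1/s
  inserts                         60916552         1546.0/s
  removals                        60824872         1543.7/s
Counters
  match                           79164265         2009.1/s
  bad-offset                             0            0.0/s
  memory                           1768012           44.9/s
  state-mismatch                  82794949         2101.2/s
  state-limit                            0            0.0/s
"""

# One counter line: indented name, total, and an optional "<rate>/s" column.
_COUNTER = re.compile(r"^\s+([a-z][a-z-]*(?: [a-z]+)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")


def parse_pf_info(text):
    """Map each `pfctl -s info` counter name to (total, rate_per_second).

    The rate is None for the entries pfctl prints without one
    (current entries, half-open tcp).
    """
    counters = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            rate = float(m.group(3)) if m.group(3) else None
            counters[m.group(1)] = (int(m.group(2)), rate)
    return counters


def adaptive_scale(states, start=DEFAULT_ADAPTIVE_START, end=DEFAULT_ADAPTIVE_END):
    """Factor pf applies to every timeout once the state count passes
    adaptive.start: (end - states) / (end - start); 1.0 below start, 0.0
    (states purged immediately) at or above end."""
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def scaled_timeout(base_seconds, states, start=DEFAULT_ADAPTIVE_START,
                   end=DEFAULT_ADAPTIVE_END):
    """Effective timeout for one state class, e.g. tcp.established (86400 s)."""
    return base_seconds * adaptive_scale(states, start, end)


def assess(counters, limit=DEFAULT_STATE_LIMIT, start=DEFAULT_ADAPTIVE_START,
           end=DEFAULT_ADAPTIVE_END):
    """Apply both readings from the thread to a parsed counter set.

    Stuart: a climbing `memory` counter means state creation has been
    failing at the hard limit.  Claudio: past adaptive.start the timeouts
    shrink, states expire early, and later packets of those flows are
    counted as state-mismatch.
    """
    states = counters["current entries"][0]
    scale = adaptive_scale(states, start, end)
    memory_rate = counters["memory"][1] or 0.0
    mismatch_rate = counters["state-mismatch"][1] or 0.0
    match_rate = counters["match"][1] or 0.0
    return {
        "states": states,
        "pct_of_limit": round(100.0 * states / limit, 1),
        "timeout_scale": round(scale, 3),
        "adaptive_active": states > start,
        "memory_failures_ongoing": memory_rate > 0,
        # more mismatches than matches per second: the table is churning,
        # not merely busy
        "mismatch_exceeds_match": mismatch_rate > match_rate,
    }


if __name__ == "__main__":
    report = assess(parse_pf_info(SAMPLE_PFCTL_INFO))
    for key, value in report.items():
        print(f"{key:<25} {value}")
    print("tcp.established at this load:",
          round(scaled_timeout(86400, report["states"])), "s")
```

At 91680 states the scale factor comes out at 0.472, i.e. every timeout is cut by more than half, which is the reduction Claudio describes; raising the limit with `set limit states` and the adaptive thresholds accordingly is the corrective he suggests.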


Re: Performance optimizing OpenBSD 7.2

2023-02-15 Thread Lars Bonnesen
One says:

# pfctl -s info
Status: Enabled for 0 days 10:56:43  Debug: err

State Table                          Total             Rate
  current entries                    91680
  half-open tcp                       4032
  searches                      3132304294        79494.1/s
  inserts                         60916552         1546.0/s
  removals                        60824872         1543.7/s
Counters
  match                           79164265         2009.1/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                           1768012           44.9/s
  bad-timestamp                          0            0.0/s
  congestion                          1201            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          387            0.0/s
  state-mismatch                  82794949         2101.2/s
  state-insert                         230            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

The other says:

# pfctl -s info
Status: Enabled for 0 days 10:39:38  Debug: err

State Table                          Total             Rate
  current entries                    93847
  half-open tcp                       8441
  searches                      3900545422       101634.9/s
  inserts                         69463584         1810.0/s
  removals                        69369737         1807.5/s
Counters
  match                          752203697        19599.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              2            0.0/s
  memory                            212454            5.5/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                  33380332          869.8/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

What does that tell us?

Regards, Lars.

On Wed, Feb 15, 2023 at 9:16 AM Otto Moerbeek  wrote:

> On Tue, Feb 14, 2023 at 11:04:57PM +0100, Lars Bonnesen wrote:
>
> > What can be done to optimize obsd 7.2 running on top of ESXi 7 with
> >
> > 7 vmx "phys" ifs
> > 3 em "phys" ifs
> > 22 virtual ifs
> >
> > Very simple pf ruleset - the box is only running VPN solution between two
> > sites up against a similar configured obsd 7.2
> >
> > I came across https://calomel.org/network_performance.html which has a
> > section concerning obsd 5.1 "and later" - is this also valid for 7.2? I did
> > implement the suggestions adapted to the setup, but I can't really see any
> > noticeable difference.
>
> This site is generally regarded as garbage. Do not use it.
>
> >
> > I configured the box with 8 vCPUs and 8 gig RAM and after running for some
> > time getting more and more load, I started to face massive package loss
> > both for packages between the two sites but also from the obsd and to the
> > rest of the world. CPU was far from reaching any critical level and loads
> > of memory left
> >
> > I downscaled from 8 to 4 vCPUs and from 8 to 4 gig RAM - and the two obsd
> > now seem to hold the packages decently. But for instance when pinging
> > 1.1.1.1, I sometimes get:
> >
> > # ping 1.1.1.1
> > PING 1.1.1.1 (1.1.1.1): 56 data bytes
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > 64 bytes from 1.1.1.1: icmp_seq=3 ttl=61 time=0.826 ms
> > 64 bytes from 1.1.1.1: icmp_seq=4 ttl=61 time=0.797 ms
> > 64 bytes from 1.1.1.1: icmp_seq=5 ttl=61 time=0.799 ms
> >
> > Some permissions denied and then it continu

Performance optimizing OpenBSD 7.2

2023-02-14 Thread Lars Bonnesen
What can be done to optimize obsd 7.2 running on top of ESXi 7 with

7 vmx "phys" ifs
3 em "phys" ifs
22 virtual ifs

Very simple pf ruleset - the box is only running VPN solution between two
sites up against a similar configured obsd 7.2

I came across https://calomel.org/network_performance.html which has a
section concerning obsd 5.1 "and later" - is this also valid for 7.2? I did
implement the suggestions adapted to the setup, but I can't really see any
noticeable difference.

I configured the box with 8 vCPUs and 8 gig RAM and after running for some
time getting more and more load, I started to face massive package loss
both for packages between the two sites but also from the obsd and to the
rest of the world. CPU was far from reaching any critical level and loads
of memory left

I downscaled from 8 to 4 vCPUs and from 8 to 4 gig RAM - and the two obsd
now seem to hold the packages decently. But for instance when pinging
1.1.1.1, I sometimes get:

# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendmsg: Permission denied
ping: wrote 1.1.1.1 64 chars, ret=-1
ping: sendmsg: Permission denied
ping: wrote 1.1.1.1 64 chars, ret=-1
ping: sendmsg: Permission denied
ping: wrote 1.1.1.1 64 chars, ret=-1
64 bytes from 1.1.1.1: icmp_seq=3 ttl=61 time=0.826 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=61 time=0.797 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=61 time=0.799 ms

Some permissions denied and then it continues to ping

Sometimes when trying to ping a FQDN, I get:
ping: no address associated with name
as it cannot resolve the name

The name is of course registered correctly in DNS.

We are planning to put even more load on the setup, but I am not sure that
it is a good idea

The ESX server has hyperthreading enabled. There are many discussions about
this, and what I can summarize is that apart from a security perspective,
hyperthreading should be left enabled

How to get better performance?

Regards, Lars.


Zabbix: Support for PSK was not compiled in

2023-02-08 Thread Lars Bonnesen
Installed zabbix-agent

but when doing "./zabbix_agentd -d start", I get:

ERROR: value of parameter "TLSConnect" requires support of encrypted
connection with PSK but support for PSK was not compiled in

How do I add support for Preshared key?

Regards, Lars.


Max number of NICs

2023-01-23 Thread Lars Bonnesen
How many physical NICs can you add to an OpenBSD host (vmx)

I am asking because I am running an OpenBSD on a VMware host but apparently
OpenBSD can only see 8 of them.

Can I raise the limit somehow?

Regards, Lars.


Re: Stretch/L2VPN between two datacenters

2023-01-19 Thread Lars Bonnesen
I have been fighting with this for a while now, trying to make it work
reading man pages... But it does not work as I want it to work. tcpdump can
see a lot of arp requests on bridge0, egre0, vlan172 - but nothing seems to
get to wg0. This is my ifconfig filtered for public IPs:

lo0: flags=8049 mtu 32768
index 5 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff00
vmx0: flags=8843 mtu 1500
lladdr 00:50:56:b4:a5:ab
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (10GbaseT)
status: active
inet qq.ww.ee.rr netmask 0xff00 broadcast ee.rr.tt.yy
vmx1: flags=8802 mtu 1500
lladdr 00:50:56:b4:0d:26
index 2 priority 0 llprio 3
media: Ethernet autoselect (10GbaseT)
status: active
vmx2: flags=8b43
mtu 1600
lladdr 00:50:56:b4:ef:b4
description: corp
index 3 priority 0 llprio 3
media: Ethernet autoselect (10GbaseT)
status: active
enc0: flags=0<>
index 4 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141 mtu 33136
index 6 priority 0 llprio 3
groups: pflog
lo1: flags=8008 rdomain 1 mtu 32768
index 8 priority 0 llprio 3
groups: lo
wg0: flags=80c3 mtu 1420
index 9 priority 0 llprio 3
wgport 51820
wgpubkey GIWFxfaaxt1VmURRvEtJkG/mZQgVLNtHuEtPa6vt/kM=
wgpeer MSS4DjJjPtp9DsTpMbNQ1ict6jEx07DICfipOpnOUR4=
wgendpoint aa.bb.cc.dd 51820
tx: 1690108800, rx: 2934539600
last handshake: x seconds ago
wgaip 192.168.5.1/32
groups: wg
inet 192.168.5.2 netmask 0xff00 broadcast 192.168.5.255
egre0: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:31:5b
index 14 priority 0 llprio 3
encap: vnetid 172 txprio 0 rxprio packet
groups: egre
tunnel: inet 172.24.90.92 --> 172.24.90.91 ttl 64 nodf
vlan172: flags=8943 mtu 1500
lladdr 00:50:56:b4:ef:b4
index 24 priority 0 llprio 3
encap: vnetid 172 parent vmx2 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (10GbaseT)
status: active
inet 172.24.90.94 netmask 0xff00 broadcast 172.24.90.255
bridge0: flags=41 mtu 1500
index 25 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
vlan172 flags=3
port 24 ifpriority 0 ifcost 0
egre0 flags=3
port 14 ifpriority 0 ifcost 0
vmx2 flags=3
port 3 ifpriority 0 ifcost 0

On the other end the ifconfig is similar

wg0 is working. I can ping 192.168.5.1 from 192.168.5.2 and vice versa.

172.24.90.0/24 (vlan172) is the network that I want to stretch... and is
presented to the obsd as vmx2 connected to an access port on a switch

Can anyone guide me in the right direction, thx?

Regards, Lars.

On Wed, Jan 4, 2023 at 7:24 AM Lars Bonnesen 
wrote:

> Thanks for your replies. It has been Xmas and I have been delayed, but I
> have now read up upon it. I am going for the tpmr(4). We are going to
> replicate a lot of live data from Site1 to Site2, and my experiences with
> OpenVPN is that it is great, but not high performing. So I have established
> a WireGuard connection with one OBSD on each site, and I am planning to
> tunnel tpmr through this - I guess that tpmr itself is not encrypted in any
> way?
>
> Regards, Lars.
>
> On Fri, Dec 16, 2022 at 4:30 PM deich...@placebonol.com <
> deich...@placebonol.com> wrote:
>
>> I've run L2 over an IPsec tunnel using egre (gre(4)) and bridge (bridge
>> (4)) to connect systems in different locations together.
>>
>> This was done before David Gwynne created tpmr(4).  I've been too lazy to
>> reimplement my current configuration.
>>
>> 73
>> diana
>>
>


Best USB NIC for obsd7.2

2023-01-09 Thread Lars Bonnesen
Which 1Gbit USB 3.0A NIC is performing best with obsd 7.2?

I am aware of the hardware list, but I am asking for personal experience from
users in here

Regards, Lars.


Re: Stretch/L2VPN between two datacenters

2023-01-03 Thread Lars Bonnesen
Thanks for your replies. It has been Xmas and I have been delayed, but I
have now read up upon it. I am going for the tpmr(4). We are going to
replicate a lot of live data from Site1 to Site2, and my experiences with
OpenVPN is that it is great, but not high performing. So I have established
a WireGuard connection with one OBSD on each site, and I am planning to
tunnel tpmr through this - I guess that tpmr itself is not encrypted in any
way?

Regards, Lars.

On Fri, Dec 16, 2022 at 4:30 PM deich...@placebonol.com <
deich...@placebonol.com> wrote:

> I've run L2 over an IPsec tunnel using egre (gre(4)) and bridge (bridge
> (4)) to connect systems in different locations together.
>
> This was done before David Gwynne created tpmr(4).  I've been too lazy to
> reimplement my current configuration.
>
> 73
> diana
>


Stretch/L2VPN between two datacenters

2022-12-16 Thread Lars Bonnesen
We are about to migrate VMs from one datacenter to another and the VMware
L2VPN we are using for this is simply not stable, for some reason that we
cannot figure out.

I have used GRE-tunneling before on a software router that I actually
cannot remember the name of now, but if OpenBSD can do the same, I would
rather deploy one OpenBSD on each site and have that task handled by
OpenBSD.

Each site should be able to use the other site's gateway over an
L2 network, and VMs on each site should be able to see each other as they
are on the same LAN

Where to start reading?

Regards, Lars.


axen0 sometimese "lost"

2022-08-21 Thread Lars Bonnesen
sh /etc/netstart sometimes just ends in a hanging network state... I need
to boot from console, and then we are fine again.

Sometimes, I get:


ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured

and the ifconfig doesn't report anything about axen0

ifconfig axen0 up doesn't change anything... if I reboot, maybe we are fine
again.

It seems to me that the axen0 is very unstable. It is a USB-NIC. Any ideas
to make it more stable? Can I disable powermanagement or similar on this
USB-port?

Regards, Lars.


Re: No Authen::PAM for perl?

2022-08-15 Thread Lars Bonnesen
Ok, I am sorry... I found the port openvpn_bsdauth

via-env never worked, but using via-file and tmp-dir, I am now able to auth.

Does a similar solution exist for additional MFA-solutions? Google Auth?

Regards, Lars.


On Mon, Aug 15, 2022 at 7:47 PM Lars Bonnesen 
wrote:

> Setting up an OpenVPN-box in a network with no central user database, and
> I would like an extra layer of security beyond just the certificate.
>
> As I can't use LDAP (unless I install this), I found the auth-pam.pl
> script, but using this OpenVPN complains:
>
> Can't locate Authen/PAM.pm in @INC (you may need to install the
> Authen::PAM module) (@INC contains: /usr/at /etc/openvpn/auth-pam.pl line
> 30.
>
> Googled some non-OpenBSD ways to install the Authen::PAM module, but they
> all failed. Anyone has succeeded in this?
>
> Regards, Lars
>


Trunking two usb-nics

2022-08-15 Thread Lars Bonnesen
Yeah, I agree... any other solution than USB is better for this, but this
is what I have. Startech - they are on the supported hcl list

Running tagged VLANs on top of one of these goes well, but if I create a
trunk against a cisco catalyst switch, I get random USB IOERRORs and
similar.

The trunk comes up, but no data passes

Cisco has this:

interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 51
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 51
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/3
 switchport access vlan 51
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport trunk allowed vlan 51
 switchport mode trunk
!


Trunk comes up:

Switch#sh etherchannel detail
Channel-group listing:
--

Group: 1
--
Group state = L2
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP
Minimum Links: 0
Ports in the group:
---
Port: Gi1/0/1


Port state= Up Mstr Assoc Not-in-Bndl
Channel group = 1   Mode = Active  Gcchange = -
Port-channel  = Po1 GC   =   - Pseudo port-channel = Po1
Port index= 0   Load = 0x00Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi1/0/1   SA      bndl      32768         0x1       0x1     0x102       0xD

Partner's information:

                  LACP port                     Admin  Oper    Port    Port
Port      Flags   Priority  Dev ID          Age  key    Key     Number  State
Gi1/0/1   SA      32768     0024.9b76.24c7  29s  0x0    0x403C  0x5     0x75

Age of the port in the current state: 0d:00h:00m:27s

Port: Gi1/0/2


Port state= Up Mstr Assoc Not-in-Bndl
Channel group = 1   Mode = Active  Gcchange = -
Port-channel  = Po1 GC   =   - Pseudo port-channel = Po1
Port index= 0   Load = 0x00Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi1/0/2   SA      bndl      32768         0x1       0x1     0x103       0xD

Partner's information:

                  LACP port                     Admin  Oper    Port    Port
Port      Flags   Priority  Dev ID          Age  key    Key     Number  State
Gi1/0/2   SA      32768     0024.9b76.24c7  28s  0x0    0x403C  0x6     0x75

Age of the port in the current state: 0d:00h:00m:26s

Port-channels in the group:
---

Port-channel: Po1(Primary Aggregator)



Age of the Port-channel   = 0d:02h:01m:52s
Logical slot/port   = 12/1  Number of ports = 2
HotStandBy port = null
Port state  = Port-channel Ag-Inuse
Protocol=   LACP
Port security   = Disabled

Ports in the Port-channel:

Index   Load   Port EC stateNo of bits
--+--+--+--+---
  0 00 Gi1/0/1  Active 0
  0 00 Gi1/0/2  Active 0

Time since last port bundled:0d:00h:00m:26sGi1/0/2
Time since last port Un-bundled: 0d:00h:00m:28sGi1/0/2

On the OpenBSD, I have:

trunkproto lacp trunkport axen0 trunkport axen1
up

And the trunk0 comes up

Then I do:
parent trunk0
vnetid 51
descr unifimgmt
inet 10.45.51.252/24

Does not work... but if I destroy trunk0, remove one of the USBs, and
instead do like this:

ifconfig axnt0 up

and

parent axen0
vnetid 51
descr unifimgmt
inet 10.45.51.252/24

Then vlan51 passes data as it should.

I do something wrong?

Regards, Lars.


No Authen::PAM for perl?

2022-08-15 Thread Lars Bonnesen
Setting up an OpenVPN-box in a network with no central user database, and I
would like an extra layer of security beyond just the certificate.

As I can't use LDAP (unless I install this), I found the auth-pam.pl
script, but using this OpenVPN complains:

Can't locate Authen/PAM.pm in @INC (you may need to install the Authen::PAM
module) (@INC contains: /usr/at /etc/openvpn/auth-pam.pl line 30.

Googled some non-OpenBSD ways to install the Authen::PAM module, but they
all failed. Anyone has succeeded in this?

Regards, Lars


Are relayd and httpd my future buddy?

2020-10-30 Thread Lars Bonnesen
I have been using a combination of Apache, mod_proxy and letsencrypt to set
up different loadbalancing/https offload solutions like this:

https://URL1                                                   [Apache http_1] ---|
https://URL2  [Apache https, mod_proxy, and letsencrypt] ---   [Apache http_2] ---|-- SQL
https://URL3                                                   [Apache http_3] ---|

Of course running on OpenBSD

The URLs are typically sharing one IP and in theory the https offload could
also be load balanced.

Even though the above setup works, I would like to use as much of obsd base
as possible and fewer packages. Thinking of httpd, letsencrypt and relayd -
but can they accomplish my goals of sharing IPs and loadbalancing while also
doing SSL offload? Or do I need to stick with Apache or maybe look at
another solution like haproxy?

If I can use relayd for this, could someone please share a relayd.conf
example for me?

Regards, Lars.


Optimizing pf.conf

2020-05-06 Thread Lars Bonnesen
Is it no longer important to group block/pass in/out for speed optimization?

I see many "modern" pf.conf where everything is mixed more or less randomly

Regards, Lars.


Re: VLAN syntax in hostname.vlanxxx

2020-04-29 Thread Lars Bonnesen
That did it... thanks!

On Wed, Apr 29, 2020 at 10:42 PM Sebastian Benoit 
wrote:

> Lars Bonnesen(lars.bonne...@gmail.com) on 2020.04.29 21:58:27 +0200:
> > In earlier obsd versions I have been having success with this in
> > hostname.vlan703
> > inet 172.18.11.9 255.255.255.252 NONE vlandev em5 description VLAN703
> >
> > On an obsd 6.6, I use the vmx device, but the syntax:
> > inet 172.18.11.9 255.255.255.252 NONE vlandev vmx2 description VLAN703
> does
> > not work as expected. If I do a tcpdump, I can find the packages reaching
> > vmx2, but they are never passed on to vlan703
> >
> > How to to if I have configured a trunk on a switch, I want to configure
> say
> > VLAN id 703 on a vmx device?
>
> Between OpenBSD 6.1 and 6.2 the syntax for configuring VLAN interfaces was
> changed.
>
> You now have to use the 'vnetid' and 'parent' options, as well as 'up'.
>
>   # cat /etc/hostname.vlan7
>   vnetid 7 parent em0
>   up
>   lladdr random
>   # ifconfig vlan7
>   vlan7: flags=8843 mtu 1500
>   lladdr 60:e8:d7:0d:10:6d
>   index 7 priority 0 llprio 3
>   encap: vnetid 7 parent: em0
>   groups: vlan
>   status: active
>
>


VLAN syntax in hostname.vlanxxx

2020-04-29 Thread Lars Bonnesen
In earlier obsd versions I have been having success with this in
hostname.vlan703
inet 172.18.11.9 255.255.255.252 NONE vlandev em5 description VLAN703

On an obsd 6.6, I use the vmx device, but the syntax:
inet 172.18.11.9 255.255.255.252 NONE vlandev vmx2 description VLAN703 does
not work as expected. If I do a tcpdump, I can find the packets reaching
vmx2, but they are never passed on to vlan703

How do I do it if I have configured a trunk on a switch and want to
configure, say, VLAN id 703 on a vmx device?

And while we are at it, what if the switch is an access port?

Regards, Lars.


Re: Samba on obsd

2020-03-25 Thread Lars Bonnesen
It seems that Debian is also recommended as an AD replacement.


On Wed, Mar 25, 2020 at 12:13 PM David Sastre 
wrote:

> Depending on your requirements, e.g. Windows machines in your setup, you
> can also try
> https://www.freeipa.org
> I would use Fedora, not CentOS.
> It is an umbrella project for LDAP, Kerberos, DNS, NTP and some added
> functionality on top you might or might not need/use.
> It can also establish trust relationships with existing AD forests.
> Worth checking out.
> Regarding support for OpenBSD clients, I haven't tried, but you could hook
> up direct LDAP access, for example.
>
>
> On Wed, Mar 25, 2020 at 7:48 AM kasak  wrote:
>
>>
>> 25.03.2020 02:06, Lars Bonnesen пишет:
>> > Hi. I am having a project on setting up Samba to work as a replacement
>> for
>> > MS AD.
>> >
>> > I would prefer to do it on OpenBSD, but how is the implementation of
>> Samba
>> > on OpenBSD? Is it enhanced in a way that will cause any known problems
>> that
>> > would not be on say... CentOS?
>> >
>> > Regards, Lars.
>>
>> Samba AD is not working on OpenBSD because FFS has no EA support.
>>
>> CentOS is a bad choice too, because of its permanently outdated version of
>> Samba.
>>
>> You should try Arch Linux or FreeBSD for this project; both of them have
>> nearly the latest version of Samba.
>>
>>


Samba on obsd

2020-03-24 Thread Lars Bonnesen
Hi. I am having a project on setting up Samba to work as a replacement for
MS AD.

I would prefer to do it on OpenBSD, but how is the implementation of Samba
on OpenBSD? Is it enhanced in a way that will cause any known problems that
would not be on say... CentOS?

Regards, Lars.


Adding an additional IP on a NIC getting DHCP address

2019-03-22 Thread Lars Bonnesen
The NIC hostname file contains:

dhcp

and it configures the nic with a DHCP address and configure mygate
according to this.

Now I need to add an additional static IP on top of this and use the static
IP address gateway address (thus not configuring myname from DHCP)

Can I just add inet x.x.x.x b.b.b.b to myname so that it reads:

dhcp
inet x.x.x.x b.b.b.b

and if so, how do I make sure that mygate does not get overwritten from
dhcp?

Regards, Lars.


SSH disconnects right after accepting

2019-02-07 Thread Lars Bonnesen
OpenBSD 6.4

PuTTY just reports "Authenticating with public key "XXX" from agent" and
then I am disconnected. If I run sshd with -ddd, I get the following
output. I can't seem to get any error, and therefore I can't tell what is
wrong. Does anyone have any idea? Thanks


debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 204
debug2: parse_server_config: config /etc/ssh/sshd_config len 204
debug3: /etc/ssh/sshd_config:25 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:30 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:39 setting AuthorizedKeysFile
.ssh/authorized_keys
debug3: /etc/ssh/sshd_config:86 setting Subsystem sftp
/usr/libexec/sftp-server
debug1: sshd version OpenSSH_7.9, LibreSSL 2.8.2
debug1: private host key #0: ssh-rsa SHA256:XXX
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:XXX
debug1: private host key #2: ssh-ed25519 SHA256:XXX
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 204
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 172.17.4.3 port 63721 on 172.17.1.2 port 22 rdomain "0"
debug1: Client protocol version 2.0; client software version
PuTTY_Release_0.70
debug1: no match: PuTTY_Release_0.70
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing pledge sandbox
debug2: Network child is on pid 89382
debug3: preauth child monitor started
debug3: privsep user:group 27:27 [preauth]
debug1: permanently_set_uid: 27/27 [preauth]
debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms:
curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
[preauth]
debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1...@openssh.com
,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,
aes256-...@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1...@openssh.com
,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,
aes256-...@openssh.com [preauth]
debug2: MACs ctos: umac-64-...@openssh.com,umac-128-...@openssh.com,
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: MACs stoc: umac-64-...@openssh.com,umac-128-...@openssh.com,
hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: compression ctos: none,z...@openssh.com [preauth]
debug2: compression stoc: none,z...@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms:
curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
[preauth]
debug2: host key algorithms:
ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
[preauth]
debug2: ciphers ctos: aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se
,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1...@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
[preauth]
debug2: ciphers stoc: aes256-ctr,aes256-cbc,rijndael-...@lysator.liu.se
,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1...@openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
[preauth]
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,
hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,
hmac-sha1-96-...@openssh.com,hmac-md5-...@openssh.com [preauth]
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,
hmac-sha2-256-...@openssh.com,hmac-sha1-...@openssh.com,
hmac-sha1-96-...@openssh.com,hmac-md5-...@openssh.com [preauth]

Access old PPTP behind OpenBSD 6.1

2017-09-04 Thread Lars Bonnesen
Yes... I know... Don't run MS PPTP and that is why I am implementing
OpenBSD.

Until OpenVPN is fully installed on every client, I need to provide access
to PPTP during the transition.

I don't know what to use in pf.conf though. I have tried everything that I
find logical.

In sysctl.conf I have added:


net.inet.gre.allow=1
net.inet.gre.wccp=1
net.inet.mobileip.allow=1


Lets say that openBSD public IP is 1.2.3.4  local IP 10.77.1.2 and LAN is
10.77.1.0/24 - PPTP server is 10.77.1.106

How would my PPTP lines look in pf.conf?

Help is greatly appreciated.

Regards, Lars.
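PPTP is two flows: a TCP control channel on port 1723 and a GRE data channel (IP protocol 47). Both arrive at the public address and both have to be redirected to the one internal server, and GRE carries no port numbers, so pf can only keep one PPTP endpoint behind the NAT apart by addresses; a single server like the one in the post is exactly that case. The fragment below is an added example (not from this thread) using the addresses from the post; the interface names em0/em1 are assumptions. The forwarded GRE packets never terminate on the router, so this does not depend on the gre sysctls quoted above.

```conf
# /etc/pf.conf fragment  (added example; em0/em1 are assumed interface names)
ext_if = "em0"
int_if = "em1"
ext_ip = "1.2.3.4"
lan = "10.77.1.0/24"
pptp_srv = "10.77.1.106"

# Outbound NAT for the LAN. GRE has no ports, so only ONE PPTP endpoint
# behind this NAT can be told apart by state; fine for a single server.
match out on $ext_if inet from $lan to any nat-to $ext_ip

# PPTP control channel: TCP/1723 to the public address, redirected to the server
pass in quick log on $ext_if inet proto tcp from any to $ext_ip port 1723 rdr-to $pptp_srv

# PPTP data channel: GRE (IP protocol 47), redirected the same way.
# The state created here also matches the server's GRE replies going back out.
pass in quick log on $ext_if inet proto gre from any to $ext_ip rdr-to $pptp_srv

# Only needed if the ruleset uses "set state-policy if-bound"; with the
# default floating states the rules above already cover the LAN side.
pass out quick on $int_if inet proto { tcp, gre } from any to $pptp_srv
```

Load with `pfctl -nf /etc/pf.conf` and then `pfctl -f /etc/pf.conf`; while a client connects, `pfctl -ss | grep -E 'gre|1723'` should show one state per flow and `tcpdump -ni em1 ip proto 47` should show GRE reaching 10.77.1.106. The `quick` rules are deliberately self-contained so they can be deleted in one go once the OpenVPN rollout is finished; the `log` keyword lets you confirm in pflog that nobody still uses PPTP before that.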


Heartbleed and OpenSSL 1.0.1c

2014-05-02 Thread Lars Bonnesen
Just want to make sure if I get this right.

Patches 007 and 008 (OpenSSL fix) for 5.4 have been run.

OpenBSD 5.5 install source code patch branch run and compiled.

On both setup I get this:

# openssl version -a
OpenSSL 1.0.1c 10 May 2012
built on: date not available
platform: information not available
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int)
blowfish(idx)
compiler: information not available
OPENSSLDIR: /etc/ssl

As far as I understand, OpenSSL 1.0.1g is needed in order to be home safe
regarding heartbleed.

I know that OpenBSD's OpenSSL is a fork, and this is maybe where the
confusion comes in... but can someone clarify the above for me?

Regards, Lars.



Keeping OpenBSD up2date

2013-12-08 Thread Lars Bonnesen
I like OpenBSD for its easiness, straightforwardness and simpleness in
daily usage. Unfortunately, with the last releases I find keeping OpenBSD
up2date between releases confusing. Please help me on this one:

Well... I have been quite happy using cvsup to keep my src and ports
up2date, but it seems that this is getting quite impossible to use lately,
as the servers I normally use to pull from seem to block cvsup. )-:

Then I read that cvsync seems to be the way to go... although I can't get it
to work properly.

I follow http://www.openbsd.org/cvsync.html and I am able to pull a
repository (size 5.2G)

Then I am going to pull the patch branch (well using cvsup, I normally go
for current), and I do:

# cd /usr
# cvs -d/cvs checkout -P src

It works... I am getting what look to be updated source files. I find the
changes of
http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/002_sshgcm.patch in
monitor_wrap.c

Then I am going to compile from source (system is i386) by doing:

# cd /usr/src/sys/arch/i386/conf
# config GENERIC
# cd ../compile/GENERIC
# make clean && make
# make install

Well... it looks to be going fine... not noticing any errors at least, and
I can find the new kernel /bsd. But...

Rebooting... and the system ends in limbo-mode.

I have to boot doing b /obsd

I can't figure out where the process goes wrong. Anyone?

Regards, Lars.