OpenBSD Customer Gateway to Amazon VPC
I found the following thread on this issue from 2010: http://comments.gmane.org/gmane.os.openbsd.misc/168129 Amazon still only supports route-based VPNs, but they have removed the requirement for BGP and instead allow for static routes. I was able to get a tunnel working without using BGP based on the info from the post above, but it would stop handling the reply traffic after a short time. The ESP packets arrive at the gateway but never get decrypted into enc0. Tearing down the tunnels and waiting an hour or so seems to permit another short-lived VPN, but it still doesn't stay up. Has anyone been successful establishing a customer gateway VPN connection into Amazon VPC using OpenBSD? Does the fact that they only support a route-based VPN exclude the possibility of using a policy-based system like OpenBSD?
Re: USB hubs
I can confirm this all is true, but due to USB power being the way it is, YMMV. I use hubs regularly for host attachment and for standalone charging. The hub in my desktop monitor is intentionally disconnected from the host in order to provide charging, but it doesn't always work. A main thing is that some devices are really using the USB connector for convenience, but draw way more power than your USB provides with their wall charger. Check your device wall chargers to see if they provide more than 500mA and keep in mind that anything that goes with a charger supplying more than that will charge slower on the hub, if at all. The other thing to check is the hub, and possibly return it. Sometimes they aren't totally honest about the hub being self-powered. I have had good luck with Belkin in the past, but for all I know they have bad models I never purchased. Also check the electrical power supply that came with the hub and make sure it is providing enough current. It is best to have at least 500mA per port, so a 4-port hub should have at least a 2000mA supply. If the supply is undersized you could see issues where it simply can't provide enough juice. I have seen undersized supplies on cheaper hubs, since the part is cheaper than a higher-capacity supply. Really all the pain starts with the decision to combine the power plug with the USB, but that genie is out of the bottle now. Good luck.
Re: SSI
I initially thought this thread was about Social Security Insurance, but instead it is about something like SGI UV.
Re: happy alix user ?
Definitely OT, but I second the FW-7535. Good gear and Lanner is easy to work with direct even for small projects.
Re: happy alix user ?
On Thu, Sep 27, 2012 at 2:10 PM, Michel Blais mic...@targointernet.com wrote: Same with LEI technologie, their division in Canada. Good catch. I now remember that was the actual entity I dealt with, not Lanner. Started with the main Lanner sales office for NA, but they directed me to LEI in Canada. From then on it was only a few days before I had hardware on my bench. The pair here is on 100/100 Internet and regularly handles around 20-25k states with ease.
Re: CARP and transit network to ISP
I have set up a pair of gateways for a similar scenario where the provider gave me a /30 and an ethernet jack instead of providing a router on-premises. This is what I did:
- Configured an interface on each machine to come up with no IP.
- Configured a carpdev to use the no-IP interface on each machine.
- Configured my IP from the /30 on the carpdev on each machine.
Other things included CARP on other interfaces like LAN and DMZ. In my case those IP networks were large enough to allow me 1 CARP IP and an IP for each gateway. Not sure if that helps, but the best general advice is to draw a picture of what you want. Read the FAQ/manpages to draft a config. Test all that, and if you are like me, realize you didn't really want bridge at the one place in the drawing and revise--repeat. Good luck!
Re: Load balancing and fail-over
On Wed, May 16, 2012 at 9:40 AM, Indunil Jayasooriya induni...@gmail.com wrote: If yes, how to ping an external internet host when that link is DOWN? I find it difficult. I tried it with the below commands: ping -I WAN1_if_ip www.google.lk and ping -I WAN2_if_ip www.google.lk Sometimes it works? Sometimes it does NOT? Could you please explain why? I have been asked by management a few times about why some pings fail when you ping things like google servers and core routers at the ISP. The short answer I give is that things like that are too busy being the Internet to respond to all the ping traffic that doesn't do anything to enable them to be the Internet. Best advice is to consult your routing tables or contact your ISP and have ifstated ping the far end of your internet connection. Those systems are typically less busy and have a higher expectation of answering all pings while up.
Re: Song copyright
Shucks! I was working on a baby mulching machine that was going to play the song while it operates. http://www.monkey.org/openbsd/archive/source-changes/0105/msg01243.html
Re: IPSec isakmpd pre shared interoperability with Fortigate VPN
Does look like the line, but is the OpenBSD ipsec VPN new to you? If it is I suggest building one between two OpenBSD machines and testing to see how you can break/change things from the defaults in the man pages. Doing that really made a difference for me after completely flopping on the first try with an OpenBSD to whatever our co-location has VPN. I got it together after some lab work and everything just worked magically on my second go. Cheers.
Re: Intel ICH9R compatibility with OpenBSD
Hello Axton, thanks for your reply. I do not want to use RAID, I just need S-ATA to connect an HDD and install the system on it. You will be fine. I have Dell gear here that includes the Intel Matrix RAID ICH, and it doesn't have an issue with OpenBSD. The controller checks for a RAID pair at startup and then should revert to normal AHCI when none is found. Those chips also have a setting in the BIOS as an additional failsafe that will disable the RAID features and force them into AHCI or even IDE-compatible mode for older operating systems.
Re: My OpenBSD 5.0 installation experience (long rant)
It really is amazing how much the install is genuinely loved on OpenBSD. I think there are other distributions out there where the installer is liked or even praised, but I would describe my feelings and what I see here as love. It is always a pleasure when I have the chance to show someone the install process for the first time or hear their accounts of success or failure. I started out with OpenBSD around 2.3 and the funny thing is that I am most impressed by how the installer disk setup has improved since those days. At least I don't have to start off the discussion about how c is the whole disk, etc.
Re: My OpenBSD 5.0 installation experience (long rant)
I am absolutely intrigued by this story despite my better judgement. You were able to cook your own full OpenBSD installer on a USB stick with GRUB instead of downloading an ISO or using PXE, but you failed disk setup in the installer? It really would be interesting to see if you can read just http://www.openbsd.org/faq/faq4.html , particularly 4.5.3 and then come back to us with anything other than a mea culpa. There are always going to be stumbling points in computing, but the question is do we learn from them or just reject them and act like they are not the great opportunities for growth that they are.
Re: Problem filtering CARP in PF
In the spirit of K.I.S.S. I use:

pass quick proto carp

since that should match the protocol number on both IPv4 and IPv6 packets. Your block rule had inet, so you were probably blocking IPv4 only. But because of the send errors (due to pf blocking) fw1 started to demote itself.
Re: CD/DVD CDROM support
I found USB is easy with a thumbdrive big enough to hold the files, or there is PXE, which is probably easier if you can control the DHCP on the network. My manual process for the thumbdrive involved the following. Assume the thumb drive is empty, otherwise insert it into the system and run the commands below. Also make sure you know the device name from the insert message (in this example it is sd0):

dd if=/dev/zero of=/dev/rsd0a bs=32k

This will zero the drive out. Then run:

fdisk -i /dev/rsd0c

then y to overwrite and save the MBR. Then edit the disklabel:

disklabel -E /dev/rsd0c

then a, take all the defaults, then w and finally q, just like old times! Then create the FS:

newfs /dev/rsd0a

Now mount:

mount /dev/sd0a /mnt/thumb
mount /dev/cd0a /mnt/cd

Copy the CD to the thumb drive:

cp -r /mnt/cd/* /mnt/thumb/
cp /usr/mdec/boot /mnt/thumb/

BOOT VOODOO:

/usr/mdec/installboot /mnt/thumb/boot /usr/mdec/biosboot sd0

On Fri, Feb 24, 2012 at 6:12 PM, Duncan Patton a Campbell campb...@neotext.ca wrote: I have run into a most peculiar phenomenon, that it appears that the CDROM driver support has dropped from the install CDs, apparently as of about version 5. This is not an old board, but admittedly ATAPI CDs are. I can boot all the images from 4.9 release through 5.1 snap (today's) but only 4.9 shows any evidence of the CD after booting, and in the rest CDROM is not an option for install media and there's no evidence of the device in the dmesgs, either.
The sysctls after booting each CD:

kern.osrelease=4.9
hw.machine=amd64
hw.model=AMD Phenom(tm) II X4 840 Processor
hw.product=M4A88TD-V EVO/USB3
hw.disknames=cd0:,sd0:,wd0:e09436d04e1d70c4,rd0:2870906e5854e337,sd1:0e7d30fe615c49b0
hw.ncpufound=4

kern.osrelease=5.0
hw.machine=amd64
hw.model=AMD Phenom(tm) II X4 840 Processor
hw.product=M4A88TD-V EVO/USB3
hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:efa10dd049a97542
hw.ncpufound=4

kern.osrelease=5.0
hw.machine=amd64
hw.model=AMD Phenom(tm) II X4 840 Processor
hw.product=M4A88TD-V EVO/USB3
hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:10f77ef34d162647,sd1:0e7d30fe615c49b0
hw.ncpufound=4

kern.osrelease=5.1
hw.machine=amd64
hw.model=AMD Phenom(tm) II X4 840 Processor
hw.product=M4A88TD-V EVO/USB3
hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:7c8ac10ea613493f,sd1:0e7d30fe615c49b0
hw.ncpufound=4

And, following, the dmesg output for these same install media. Any idea how this is so would help, thanks. Dhu

OpenBSD 4.9 (RAMDISK_CD) #858: Wed Mar 2 07:04:48 MST 2011
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 3488153600 (3326MB)
avail mem = 3383611392 (3226MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x9f000 (66 entries)
bios0: vendor American Megatrends Inc. version 1702 date 12/22/2010
bios0: ASUSTeK Computer INC. M4A88TD-V EVO/USB3
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB SRAT HPET SSDT
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Phenom(tm) II X4 840 Processor, 3214.66 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu0: apic clock running at 200MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 21, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus -1 (PCE2)
acpiprt3 at acpi0: bus -1 (PCE3)
acpiprt4 at acpi0: bus -1 (PCE4)
acpiprt5 at acpi0: bus 2 (PCE9)
acpiprt6 at acpi0: bus 3 (PCEA)
acpiprt7 at acpi0: bus 4 (P0PC)
acpiprt8 at acpi0: bus 6 (PE21)
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "AMD RS780 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 vendor "Asustek", unknown product 0x9602 rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon HD 4250" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
"ATI Radeon HD 4200 HD Audio" rev 0x00 at pci1 dev 5 function 1 not configured
ppb1 at pci0 dev 9 function 0 "AMD RS780 PCIE" rev 0x00: apic 4 int 17 (irq 10)
pci2 at ppb1 bus 2
vendor "VIA", unknown product 0x3403 (class serial bus subclass Firewire, rev 0x00) at pci2 dev 0 function 0 not configured
pciide0 at pci2 dev 0 function 1 vendor "VIA", unknown product 0x0415 rev 0xa0: DMA (unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide0: using apic 4 int 17 (irq 10) for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, RW/DVD GCC-H20N, 1.05> ATAPI 5/cdrom removable
pciide0: channel 1 ignored
Re: IPSEC Site-to-Site not routing packages
I can confirm this. I spent way too much time in my VMware lab on this until I thought to add a default route to the host-only interfaces I was running the tunnel on. All you need is a default route and it will work. I have found that a fleshed-out networking config on OpenBSD is a sure way to clear up some of the stranger things that can happen.

On Thu, Feb 23, 2012 at 10:43 AM, Aner Perez a...@ncstech.com wrote: See the thread titled "ipsec tunnel traffic getting icmp host unreachable" on this same list. In short, the answer is that you need a standard route (in addition to the encap route) to the destination networks. Any route that covers your destination network will do. In my case, instead of adding routes for each of my ipsec tunnels, I just added a default route and that fixed the problem. It won't actually use the gateway listed on this route; for that it uses the encap route. - Aner

On 02/22/2012 05:22 PM, Morten Christensen wrote: Dear fellow OpenBSD friends. I'm setting up 2 FWs that should form a VPN tunnel securing the net behind each FW - simple: NET x - FW x - WAN - FW y - NET y. I'm using ipsec.conf / ipsecctl. OpenBSD 5, pf is disabled.

On FW x:

# cat /etc/ipsec.conf
ike esp from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 psk lotsofFishs4meAndyou

# netstat -rn
Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.20/16           0     10.21.35/24        0     0     212.37.141.59/esp/use/in
10.21.35/24        0     10.20/16           0     0     212.37.141.59/esp/require/out

# ipsecctl -sa
FLOWS:
flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type use
flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type require

SAD:
esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth hmac-sha2-256 enc aes

On FW y:

# cat /etc/ipsec.conf
ike esp from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 psk lotsofFishs4meAndyou

# netstat -rn
Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.21.35/24        0     10.20/16           0     0     212.37.141.60/esp/use/in
10.20/16           0     10.21.35/24        0     0     212.37.141.60/esp/require/out

# ipsecctl -sa
FLOWS:
flow esp in from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.60 srcid 212.37.141.59/32 dstid 212.37.141.60/32 type use
flow esp out from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 srcid 212.37.141.59/32 dstid 212.37.141.60/32 type require

SAD:
esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth hmac-sha2-256 enc aes
esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth hmac-sha2-256 enc aes

Of course on both machines net.inet.ip.forwarding=1.

Pinging from a host on NET x:

Request timeout for icmp_seq 1402
36 bytes from 10.21.35.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 736e   0 0000  40  01 cfa4 10.21.35.100  10.20.0.10

The gateway clearly answers that it can't route the packet!? Pinging directly from FWx to FWy WORKS !!! ???

# ping -I 10.21.35.1 10.20.0.1
PING 10.20.0.1 (10.20.0.1): 56 data bytes
64 bytes from 10.20.0.1: icmp_seq=0 ttl=255 time=1.185 ms
64 bytes from 10.20.0.1: icmp_seq=1 ttl=255 time=0.829 ms

Dump while pinging:

# tcpdump -i enc0 -n
tcpdump: listening on enc0, link-type ENC
13:52:24.297384 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
13:52:24.297508 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)
13:52:25.299664 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
13:52:25.299760 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)

Routing is the problem? What is the cause? It looks like each FW doesn't permit routing packets from LAN hosts. Thanks for your help. Regards, Morten Bech Christensen
Re: network throughput tool suggestion
On Tue, Feb 14, 2012 at 3:13 PM, Christiano F. Haesbaert haesba...@haesbaert.org wrote: On 14 February 2012 17:59, Mihai Popescu mihp...@gmail.com wrote: Hi, I need to test a commercial router for throughput and I decided to put it between 2 OpenBSD systems running network benchmark software. Looking on openports.se I found iperf, netperf and ttcp. Could you suggest one of them, based on your experience, please? Thanks. We have tcpbench in base, that's what most devs use. I have used iperf on OpenBSD 4.9 to get some quick basic numbers and experiment with jumbo frames. My test also involved a Windows system, so the cross-platform part was nice. Haven't used tcpbench before, but it is built into recent OpenBSD systems and looks pretty nice according to the man page.
Re: problem running named in non 0 rdomain
On Sun, Jan 1, 2012 at 5:40 PM, Stuart Henderson s...@spacehopper.org wrote: I'm pretty sure the child will be inheriting the rdomain from the process which forked it. I can offer the anecdote that when I ran sshd using the route -exec wrapper my child session would exist in whatever rdomain was hosting the daemon. Ended up backing away from this approach and sticking with pf rules, so I didn't have sshd parent processes littering my machine. I'll assume you don't want to use pf to land queries on the daemon, so the next question is did you try creating a loopback address in the non-zero rdomain to get the control port you need?
Re: [PF] bug in port range.
For those of us playing the CS home game. Is this an example of left-to right evaluation? My thought on this was that the value 81 isn't greater than 82 and isn't less than 80, so the rule doesn't match.
Re: strange tcp rst with rdomain
I have found that I need to add something like:

!route -T 2 exec /usr/sbin/sshd

to the pertinent hostname.if file to make sure sshd is listening in additional routing tables, but I do not know if this is best.

On Mon, Dec 19, 2011 at 1:02 PM, Ilya Shipitsin chipits...@gmail.com wrote: Hello. I'm running a multihomed OpenBSD server: vlan5/carp5 - default; vlan2/carp2 and vlan4/carp4 are connected to other ISPs. When there's no rdomain thing, everything seems to be working, except all outgoing packets go through vlan5/carp5. So, I did:

f2n0:/root# cat /etc/hostname.vlan2
vlan 2 vlandev trunk0 mtu 1300 up
f2n0:/root# cat /etc/hostname.carp2
vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
!/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
f2n0:/root# cat /etc/hostname.vlan4
vlan 4 vlandev trunk0 mtu 1300 up
f2n0:/root# cat /etc/hostname.carp4
vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
!/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
f2n0:/root#

Also, I did:

f2n0:/root# grep -v ^# /etc/pf.conf
set skip on lo
pass in on vlan2 rtable 2
pass in on vlan4 rtable 4
pass

ping is working good, packets go out via the appropriate interface. However, ssh ends with tcp rst, for example. How can the reason for that tcp rst be detected? Am I doing anything wrong with rdomains? Ilya Shipitsin
Re: OT: some news here
Wonderful news Eric! Good to know opportunities like these exist. Happy Holidays and good luck with the program.
Re: using ssh to forward the install console
On Wed, Dec 7, 2011 at 2:47 PM, Eric Oyen eric.o...@gmail.com wrote: Hello group. I have an interesting (and fairly technical) question. The question is: how can I forward the install screen via ssh to another machine on my network? I ask this because I didn't see any specific instructions that applied. My issue right now is that I need a sighted assistant to read me the screen and help with installing the base system (and setting up ssh). I would like to run the install from a serial port output (like the old SPARC pizza boxes) but none of my current machines have a serial port to do this on. Comments? Suggestions? -eric Any possibility of using USB serial adapters on these systems? You may need to blind-type to the boot loader in order to get it up on the serial redirection with an attached keyboard, but as I recall that isn't a big issue for Eric. ;) Then you would just need a crossover to the other DTE port on a host running cu and ssh to handle the install. We would do a similar thing with our V210s, except they had built-in serial.
Re: correct netmask on carp interfaces
On Thu, Nov 24, 2011 at 2:40 PM, Henning Brauer lists-open...@bsws.de wrote:

> if your carpdev has an IP and the IP(s) on the carp interface are in the same subnet, is it best to have the real netmask on the carpdev and all-ones netmasks on the carp interface, for the case where you're carp slave.

and the rule of thumb remains, one IP per subnet per rdomain in the system with the real netmask, all others all-ones - aka /32 for the one and only real protocol.

> Example:
> em5 - no IP
> carp5 - 10.0.0.0/30 mask on carpdev em5

right.

> em4 - 9.0.0.0/32 for mgmt
> carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4
> carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4

here it is better to have the /28 on em4 and /32 on the carp ifs.

-- Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/

This was very helpful information and I have implemented it, but I am still wondering about a related issue with routing. My default route on the pair of firewalls is set to an IP on the carp5 IP network, so I don't have a usable default route to the Internet on the backup until it fails over. I think that Kapetanakis was referencing that same issue when he responded to me, which led to me discovering it on my production setup. Is there anything I can do about this given the /30 on the em5/carp5 network? In the "Firewall Redundancy with CARP and pfsync" section of the PF User's Guide FAQ at http://www.openbsd.org/faq/pf/carp.html there is an example where the WAN/Internet connection has IP addresses assigned on the physical and CARP interfaces. The all-ones mask rule isn't set out there, since the ifconfig commands for the underlying physical interfaces aren't included in the examples. In fact, the rule is violated by the included ifconfig commands for the carp IP addresses by including a permissive mask.
I am pretty sure this is where my misunderstanding started, since I followed this FAQ to get started on my redundant firewall setup. It may be good to revise this and possibly even add discussion about the default route in the case where you have a /30 from your ISP to deal with. For now I can live with the lack of Internet access on the slave and having to SSH to the master and then hop over to the slave using the /28 for remote management. I did get Internet-sourced SSH access to the backup working with a nat-to on the master, but it was ugly and only worked when I set the translated source to the carp4 IP instead of the master's em4 IP. Ended up rolling it back since the indirect method works well enough. Any possible resolution to the default route issue would be greatly appreciated.
Re: correct netmask on carp interfaces
I had some experience with this and found another thread where the best thing to do for your routing is to have only one /(32-n) mask and then all /32 for any given subnet and rdomain combination on a system. I have set up my system accordingly and my advice is to set your carp primary IP to the proper network mask (especially if it is using the carp IP to provide a gateway to the connected network) and then any other IP/interfaces to /32 per subnet. Example:

em5 - no IP
carp5 - 10.0.0.0/30 mask on carpdev em5
em4 - 9.0.0.0/32 for mgmt
carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4
carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4

Before this I had the same mask on em4 and the carp4 primary IP. It worked, but I noticed the ARP had "tell" set to the em4 MAC/IP and that the route for that network was homed to em4 in the table. After the change ARP has "tell" set to the carp MAC/IP and the network is on the carp4 if, which seemed more consistent to me. Can't tell you for sure if that is better for you, but it is worth a shot. I can also advise that ifconfig at runtime can have different effects than editing hostname.if and using netstart. One example I can think of is all the self-routing stuff that happens with netstart. I also find it good to get a reboot in at some point just to double-check that the hostname.if files and netstart do what you want on a system that hasn't had any previous networking setup. Good luck, happy hacking.

2011/11/21 Kapetanakis Giannis bil...@edu.physics.uoc.gr: Hi, I'm a bit confused on setting the appropriate netmask on a carp interface when the carpdev has an IP address.
Till yesterday (following http://openbsd.org/faq/pf/carp.html#failover) my carp interfaces had the same netmask as the carpdev interfaces:

em1: (no inet address)
vlanXX: vlan: 102 priority: 0 parent interface: em1
        inet xxx.xxx.xxx.18 netmask 0xfffffff8 broadcast xxx.xxx.xxx.23
carp0: carp: MASTER carpdev vlanXX
        inet xxx.xxx.xxx.20 netmask 0xfffffff8 broadcast xxx.xxx.xxx.23

I've read this from Henning http://marc.info/?l=openbsd-misc&m=123464537104366&w=2 so I tried to switch to a /32 netmask on the carp interfaces:

# ifconfig carp0 xxx.xxx.xxx.20/32

But now I get

Nov 21 11:45:09 fw /bsd: carp0: state transition: BACKUP -> MASTER
Nov 21 11:45:09 fw /bsd: arp_rtrequest: bad gateway value
Nov 21 11:45:10 fw /bsd: carp1: state transition: BACKUP -> MASTER
Nov 21 11:45:10 fw /bsd: arp_rtrequest: bad gateway value

every time the state changes on each firewall. Apart from this I don't see any other problem. Is this normal behavior? Should I change back to the /29 netmask? regards, Giannis
hostname.if routing question
I am having trouble figuring out how I should configure a physical interface and a carp virtual interface where the carp IP will serve as a default route for hosts on the network and also hold some aliases for server re-directs. From what I have seen, the routes built at startup home the route for the network on the interface that is configured with the actual network mask, so:

/etc/hostname.em0
inet A.B.C.14 255.255.255.240 A.B.C.15 rdomain 2

/etc/hostname.carp0
vhid 9 pass rdomain 2
inet A.B.C.1 255.255.255.255 A.B.C.15 rdomain 2
inet alias A.B.C.3 255.255.255.255 A.B.C.15 rdomain 2
inet alias A.B.C.4 255.255.255.255 A.B.C.15 rdomain 2

will put the A.B.C.0/28 entry in table 2 to:

A.B.C.0/28    link#1    UC    0    0    -    4    em0

Changing the masks so carp0 has the open mask on its first IP and em0 is all 1s yields:

A.B.C.0/28    link#9    UC    0    0    -    4    carp0

Is it better for that to be on carp0 instead of em0, given that carp0 will be the router for that network?
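The netmask threads above and this hostname.if question all turn on one rule: within an rdomain, a subnet gets its real mask on exactly one address (here the carp interface that acts as the gateway, so the connected route homes on carp0) and every other address the system holds in that subnet is /32. The script below is an added example, not code from these threads or from OpenBSD; it parses hostname.if contents and reports where the rule is broken. The file contents are constructed from the example in this post, with 203.0.113.0/28 standing in for A.B.C.0/28 and "secret" for the CARP password.

```python
"""Lint hostname.if files for the one-real-mask-per-subnet CARP rule.

Added example, not code from the thread or from OpenBSD. Within one rdomain
exactly one address per subnet may carry the real netmask; every other
address in that subnet (carpdev address, aliases, other interfaces) must be
/32. The hostname.if contents at the bottom are constructed from the
thread's example with 203.0.113.0/28 standing in for A.B.C.0/28.
"""
import ipaddress


def parse_hostname_if(fname, text):
    """Return (fname, rdomain, IPv4Interface) for every inet / inet alias line."""
    rdomain = 0
    found = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if "rdomain" in words:          # may be on its own line or after an address
            rdomain = int(words[words.index("rdomain") + 1])
        if words[0] != "inet":
            continue
        fields = words[2:] if words[1] == "alias" else words[1:]
        if "/" in fields[0]:            # CIDR form: inet 203.0.113.1/28
            iface = ipaddress.ip_interface(fields[0])
        else:                           # dotted mask form; ipaddress accepts addr/dotted-mask
            iface = ipaddress.ip_interface(f"{fields[0]}/{fields[1]}")
        found.append((fname, rdomain, iface))
    return found


def mask_rule_violations(files):
    """files maps file name -> contents; returns one message per rule violation."""
    per_rdomain = {}
    for fname, text in files.items():
        for entry in parse_hostname_if(fname, text):
            per_rdomain.setdefault(entry[1], []).append(entry)
    problems = []
    for rdomain, entries in sorted(per_rdomain.items()):
        owners = {}                     # real-mask network -> files carrying that mask
        for fname, _rd, iface in entries:
            if iface.network.prefixlen < 32:
                owners.setdefault(iface.network, []).append(fname)
        for net, names in owners.items():
            if len(names) > 1:
                problems.append(f"rdomain {rdomain}: {net} has its real mask on "
                                f"{', '.join(names)}; keep it on one and use /32 on the rest")
        for fname, _rd, iface in entries:
            if iface.network.prefixlen == 32 and not any(iface.ip in net for net in owners):
                problems.append(f"rdomain {rdomain}: {iface.ip}/32 on {fname} has no subnet "
                                f"with a real mask in this rdomain")
    return problems


# Constructed: the /28 on both em0 and the carp0 primary address (violates the rule).
SAME_MASK_ON_BOTH = {
    "hostname.em0": "inet 203.0.113.14 255.255.255.240 203.0.113.15 rdomain 2\n",
    "hostname.carp0": ("vhid 9 pass secret rdomain 2\n"
                       "inet 203.0.113.1 255.255.255.240 203.0.113.15 rdomain 2\n"
                       "inet alias 203.0.113.3 255.255.255.255 203.0.113.15 rdomain 2\n"
                       "inet alias 203.0.113.4 255.255.255.255 203.0.113.15 rdomain 2\n"),
}

# Constructed: em0 moved to /32 so only the carp0 gateway address holds the /28.
REAL_MASK_ON_CARP = {**SAME_MASK_ON_BOTH,
                     "hostname.em0": "inet 203.0.113.14 255.255.255.255 203.0.113.15 rdomain 2\n"}

if __name__ == "__main__":
    for label, files in (("same mask on both", SAME_MASK_ON_BOTH),
                         ("real mask on carp0", REAL_MASK_ON_CARP)):
        print(label, "->", mask_rule_violations(files) or "ok")
```

The second check (a /32 with no real-mask sibling in its rdomain) catches the case where the /32 rule was applied everywhere and nothing is left to own the connected route. The linter only reads hostname.if; as the post notes, what ifconfig does at runtime can differ from what netstart builds at boot, so a reboot remains the real test.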
problem connecting to verizon.net
I discovered an odd issue once I upgraded my OpenBSD pf firewall/router that manifested itself by preventing my email server from sending to verizon.net customers. The strange thing was that mail was going out to other domains. I figured out that I did something odd in my ruleset and fixed it, so now I am wondering what is going on. I am only aware of one other individual with these symptoms, but he was using a bridge with pf and our fixes are at least semantically different. I have reduced everything to basic working parts and tested a few times to narrow down what is happening. In summary, I found that I can create two pass-only rules to NAT outgoing traffic using carp and rdomains, but the traffic to verizon.net doesn't work unless I use a combination of two pass rules and a match rule. The basic setup where you can see this behavior follows (public IPs changed to protect the innocent):

# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:90:0b:1f:72:e4
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
        inet 10.0.0.1 netmask 0xfffffffc broadcast 10.0.0.3
# ifconfig em1
em1: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500
        lladdr 00:90:0b:1f:72:e5
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 9.9.9.170 netmask 0xfffffff0 broadcast 9.9.9.175
# ifconfig carp1
carp1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500
        lladdr 00:00:5e:00:01:09
        priority: 0
        carp: MASTER carpdev em1 vhid 9 advbase 1 advskew 0
        groups: carp
        status: master
        inet 9.9.9.167 netmask 0xfffffff0 broadcast 9.9.9.175
        inet 9.9.9.168 netmask 0xffffffff broadcast 9.9.9.168
# route -T 0 -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS        0        9     -     8 em0
10.0.0.0/30        link#1             UC         2        0     -     4 em0
10.0.0.1           00:90:0b:1f:72:e4  HLc        1        0     -     4 lo0
10.0.0.2           00:14:22:2e:ba:8c  UHLc       0       10     -     4 em0
9.9.9.168          127.0.0.1          UGHS       0        0 33200     8 lo0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2        0 33200     4 lo0
224/4              127.0.0.1          URS        0        0 33200     8 lo0
# route -T 1 -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            9.9.9.161          UGS        0       14     -     8 em1
9.9.9.160/28       link#2             UC         1        0     -     4 em1
9.9.9.161          00:1b:54:b7:81:a8  UHLc       1        0     -     4 em1
9.9.9.168/32       9.9.9.168          U          0       10     -     4 carp1
# cat /etc/hostname.em0
inet 10.0.0.1 255.255.255.252 NONE
# cat /etc/hostname.em1
inet 9.9.9.170 255.255.255.240 9.9.9.175 rdomain 1
!route -T 1 add default 9.9.9.161
# cat /etc/hostname.carp1
inet 9.9.9.167 255.255.255.240 9.9.9.175 vhid 9 \
    pass password rdomain 1
inet alias 9.9.9.168 255.255.255.255
# cat /etc/mygate
10.0.0.1
# cat /etc/pf.conf
set skip on lo
block

# LAN to Internet with three rules and rdomain
# (fixes the verizon issue)
#match out on em1 inet from 10.0.0.2 to any nat-to 9.9.9.170
#pass out on em1 inet from 9.9.9.170 to any
#pass in on em0 from 10.0.0.2 to any rtable 1

# example LAN to Internet with two rules and rdomain
# (doesn't work)
# Seeing TTL expired in transit
#pass in on em0 inet from 10.0.0.2 to any nat-to 9.9.9.170 rtable 1
#pass out on em1 inet from 9.9.9.170 to any

# Internet access over rdomain and carp
# (creates the verizon issue)
pass in quick on em0 inet from 10.0.0.2 to any nat-to 9.9.9.168 rtable 1
pass out quick on em1 inet from 9.9.9.168 to any

---

From 10.0.0.2 I run the following commands. First a non-verizon smtp server:

telnet 207.155.253.210 25

(works, but a little slower to display the banner under the pass-only rules)

Now one of the relay.verizon.net smtp servers:

telnet 206.46.232.11 25

(fails to connect unless I use the match/pass rule combo)

In the rules above I also found that the two-rule setup doesn't work in any case with the public interface's physical IP in the rdomain.
I have looked at these over tcpdump and I can see the traffic going out with the proper NAT to either server, but the returning SYN/ACKs in the handshake from verizon arrive and do not forward to the internal host. One thing I have noticed is that the verizon ttl is higher than the other server,