OpenBSD Customer Gateway to Amazon VPC

2013-02-12 Thread Russell Garrison
I found the following thread on this issue from 2010:

http://comments.gmane.org/gmane.os.openbsd.misc/168129

Amazon still only supports route-based VPNs, but they have removed the
requirement for BGP and instead allow for static routes. I was able to
get a tunnel working without using BGP based on the info from the post
above, but it would stop handling the reply traffic after a short
time. The esp packets arrive at the gateway, but never get decrypted
into enc0. Tearing down the tunnels and waiting an hour or so seems to
permit another short-lived VPN, but it still doesn't stay up. Has
anyone been successful establishing a customer gateway VPN connection
into Amazon VPC using OpenBSD? Does the fact that they only support a
route-based VPN exclude the possibility of using a policy-based system
like OpenBSD?



Re: USB hubs

2012-11-06 Thread Russell Garrison
I can confirm this all is true, but due to USB power being the way it
is YMMV. I use hubs regularly for host attachment and for standalone
charging. The hub in my desktop monitor is intentionally disconnected
from the host in order to provide charging, but it doesn't always
work.

A main thing is that some devices are really using the USB connector
for convenience, but draw way more power than your USB provides with
their wall charger. Check your device wall chargers to see if they
provide more than 500mA and keep in mind that anything that goes with
a charger supplying more than that will charge slower on the hub, if
at all.

The other thing to check is the hub, and possibly return it. Sometimes
they aren't totally honest about the hub being self-powered. I have
had good luck with Belkin in the past, but for all I know they have
bad models I never purchased. Also check the electrical power supply
that came with the hub and make sure it is providing enough current.
It is best to have at least 500mA per-port, so a 4-port hub should
have at least a 2000mA supply. If the supply is undersized you could
see issues where it simply can't provide enough juice. I have seen
undersized supplies on cheaper hubs, since the part is cheaper than a
higher-capacity supply.

Really all the pain starts with the decision to combine the power plug
with the USB, but that genie is out of the bottle now. Good luck.



Re: SSI

2012-09-28 Thread Russell Garrison
I initially thought this thread was about Social Security Insurance,
but instead it is about something like SGI UV.



Re: happy alix user ?

2012-09-27 Thread Russell Garrison
Definitely OT, but I second the FW-7535. Good gear and Lanner is easy
to work with direct even for small projects.



Re: happy alix user ?

2012-09-27 Thread Russell Garrison
On Thu, Sep 27, 2012 at 2:10 PM, Michel Blais mic...@targointernet.com wrote:
 Same with LEI technologie, their division in Canada.

Good catch. I now remember that was the actual entity I dealt with,
not Lanner. Started with the main Lanner sales office for NA, but they
directed me to LEI in Canada. From then on it was only a few days
before I had hardware on my bench. The pair here is on 100/100
Internet and regularly handles around 20-25k states with ease.



Re: CARP and transit network to ISP

2012-08-17 Thread Russell Garrison
I have set up a pair of gateways for a similar scenario where the
provider gave me /30 and an ethernet jack instead of providing a
router on-premises. This is what I did:

-Configured an interface on each machine to come up with no IP.
-Configured a carpdev to use the no IP interface on each machine.
-Configured my ip from the /30 on the carpdev on each machine.

Other things included CARP on other interfaces like LAN and DMZ. In my
case those IP networks were large enough to allow me 1 CARP IP and an
IP for each gateway.

Not sure if that helps, but the best general advice is to draw a
picture of what you want. Read the FAQ/manpages to draft a config.
Test all that, and if you are like me, realize you didn't really want
bridge at the one place in the drawing and revise--repeat.  Good luck!



Re: Load balancing and fail-over

2012-05-16 Thread Russell Garrison
 On Wed, May 16, 2012 at 9:40 AM, Indunil Jayasooriya
 induni...@gmail.com wrote:

 If yes, How to ping external internet host when that link is DOWN? I find
 it difficult?

 I tried it with below commands


 ping -I WAN1_if_ip www.google.lk

 ping -I WAN2_if_ip www.google.lk


 Some times it works? some times it does NOT?

 Could you pls explain why?


I have been asked by management a few times about why some pings fail
when you ping things like google servers and core routers at the ISP.
The short answer I give is that things like that are too busy being
the Internet to respond to all the ping traffic that doesn't do
anything to enable them to be the Internet. Best advice is to consult
your routing tables or contact your ISP and have your ifstated ping
the far-end of your internet connection. Those systems are typically
less busy and have a higher expectation of answering all pings while
up.




Re: Song copyright

2012-05-14 Thread Russell Garrison
Shucks! I was working on a baby mulching machine that was going to
play the song while it operates.

http://www.monkey.org/openbsd/archive/source-changes/0105/msg01243.html



Re: IPSec isakmpd pre shared interoperability with Fortigate VPN

2012-04-01 Thread Russell Garrison
Does look like the line, but is the OpenBSD ipsec VPN new to you? If
it is I suggest building one between two OpenBSD machines and testing
to see how you can break/change things from the defaults in the man
pages. Doing that really made a difference for me after completely
flopping on the first try with an OpenBSD to whatever our co-location
has VPN. I got it together after some lab work and everything just
worked magically on my second go. Cheers.



Re: Intel ICH9R compatibility with OpenBSD

2012-03-13 Thread Russell Garrison
 Hello Axton, thanks for your reply.
 I do not want use RAID, I just need S-ATA
 to connect HDD and install system on it.

You will be fine. I have Dell gear here that includes the Intel Matrix
RAID ICH, and it doesn't have an issue with OpenBSD. The controller
checks for a RAID pair at startup and then should revert to normal
AHCI when none is found. Those chips also have a setting in the BIOS
as an additional failsafe that will disable the R features and force
them into AHCI or even IDE-compatible for older operating systems.



Re: My OpenBSD 5.0 installation experience (long rant)

2012-03-08 Thread Russell Garrison
It really is amazing how much the install is genuinely loved on
OpenBSD. I think there are other distributions out there where the
installer is liked or even praised, but I would describe my feelings
and what I see here as love. It is always a pleasure when I have the
chance to show someone the install process for the first time or hear
their accounts of success or failure. I started out with OpenBSD
around 2.3 and the funny thing is that I am most impressed by how the
installer disk setup is improved since those days. At least I don't
have to start off the discussion about how c is the whole disk, etc.



Re: My OpenBSD 5.0 installation experience (long rant)

2012-03-07 Thread Russell Garrison
I am absolutely intrigued by this story despite my better judgement.
You were able to cook your own full OpenBSD installer on a USB stick
with GRUB instead of downloading an ISO or using PXE, but you failed
disk setup in the installer? It really would be interesting to see if
you can read just http://www.openbsd.org/faq/faq4.html , particularly
4.5.3 and then come back to us with anything other than a mea culpa.

There are always going to be stumbling points in computing, but the
question is do we learn from them or just reject them and act like
they are not the great opportunities for growth that they are.



Re: Problem filtering CARP in PF

2012-03-01 Thread Russell Garrison
In the spirit of K.I.S.S. I use:

pass quick proto carp

Since that should match the number on 4 and 6 packets.


 Your block rule had inet so you were probably blocking IPv4 only.  But
 because of the send errors (due to pf blocking) fw1 started to demote
 itself.



Re: CD/DVD CDROM support

2012-02-24 Thread Russell Garrison
I found USB is easy with a thumbdrive big enough to hold the files, or
there is pxe which is probably easier if you can control the DHCP on
the network. My manual process for thumbdrive involved:

Assume thumb is empty, otherwise insert to system and run. Also make
sure you know the dev name from insert message (this example it is
sd0):
dd if=/dev/zero of=/dev/rsd0a bs=32k
This will zero the drive out. Then run:
fdisk -i /dev/rsd0c then y to overwrite and save MBR.
Then edit disklabel:
disklabel -E /dev/rsd0c then a take all defaults, then w and
finally q just like old times!
Then create the FS:
newfs /dev/rsd0a
Now mount:
mount /dev/sd0a /mnt/thumb and mount /dev/cd0a /mnt/cd
Copy CD to thumb:
cp -r /mnt/cd/* /mnt/thumb/ and cp /usr/mdec/boot /mnt/thumb/
BOOT VOODOO:
/usr/mdec/installboot /mnt/thumb/boot /usr/mdec/biosboot sd0


On Fri, Feb 24, 2012 at 6:12 PM, Duncan Patton a Campbell
campb...@neotext.ca wrote:
 I have run into a most peculiar phenomenon, that it appears that the
 CDrom driver support has dropped from the install CDs, apparently
 as of about version 5. This is not an old board, but admittedly
 ATAPI CDs are.  I can boot all the images from 4.9release thru
 5.1snap (today's) but only 4.9 shows any evidence of the CD after
 booting and in the rest CDROM is not an option for install media
 and there's no evidence of the device in the dmesgs, either.

 the sysctls after booting each cd:

 kern.osrelease=4.9
 hw.machine=amd64
 hw.model=AMD Phenom(tm) II X4 840 Processor
 hw.product=M4A88TD-V EVO/USB3

 hw.disknames=cd0:,sd0:,wd0:e09436d04e1d70c4,rd0:2870906e5854e337,sd1:0e7d30fe615c49b0
 hw.ncpufound=4

 kern.osrelease=5.0
 hw.machine=amd64
 hw.model=AMD Phenom(tm) II X4 840 Processor
 hw.product=M4A88TD-V EVO/USB3
 hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:efa10dd049a97542
 hw.ncpufound=4

 kern.osrelease=5.0
 hw.machine=amd64
 hw.model=AMD Phenom(tm) II X4 840 Processor
 hw.product=M4A88TD-V EVO/USB3

 hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:10f77ef34d162647,sd1:0e7d30fe615c49b0
 hw.ncpufound=4

 kern.osrelease=5.1
 hw.machine=amd64
 hw.model=AMD Phenom(tm) II X4 840 Processor
 hw.product=M4A88TD-V EVO/USB3

 hw.disknames=sd0:,wd0:e09436d04e1d70c4,rd0:7c8ac10ea613493f,sd1:0e7d30fe615c49b0
 hw.ncpufound=4

 And, following, the dmesg output for these same install media.

 Any idea how this is so would help, thanks.

 Dhu


 OpenBSD 4.9 (RAMDISK_CD) #858: Wed Mar  2 07:04:48 MST 2011
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
 real mem = 3488153600 (3326MB)
 avail mem = 3383611392 (3226MB)
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x9f000 (66 entries)
 bios0: vendor American Megatrends Inc. version 1702 date 12/22/2010
 bios0: ASUSTeK Computer INC. M4A88TD-V EVO/USB3
 acpi0 at bios0: rev 2
 acpi0: sleep states S0 S1 S3 S4 S5
 acpi0: tables DSDT FACP APIC MCFG OEMB SRAT HPET SSDT
 acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: AMD Phenom(tm) II X4 840 Processor, 3214.66 MHz
 cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
 cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
 cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
 cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
 cpu0: apic clock running at 200MHz
 cpu at mainbus0: not configured
 cpu at mainbus0: not configured
 cpu at mainbus0: not configured
 ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 21, 24 pins
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 1 (P0P1)
 acpiprt2 at acpi0: bus -1 (PCE2)
 acpiprt3 at acpi0: bus -1 (PCE3)
 acpiprt4 at acpi0: bus -1 (PCE4)
 acpiprt5 at acpi0: bus 2 (PCE9)
 acpiprt6 at acpi0: bus 3 (PCEA)
 acpiprt7 at acpi0: bus 4 (P0PC)
 acpiprt8 at acpi0: bus 6 (PE21)
 pci0 at mainbus0 bus 0
 pchb0 at pci0 dev 0 function 0 AMD RS780 Host rev 0x00
 ppb0 at pci0 dev 1 function 0 vendor Asustek, unknown product 0x9602 rev 0x00
 pci1 at ppb0 bus 1
 vga1 at pci1 dev 5 function 0 ATI Radeon HD 4250 rev 0x00
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 ATI Radeon HD 4200 HD Audio rev 0x00 at pci1 dev 5 function 1 not configured
 ppb1 at pci0 dev 9 function 0 AMD RS780 PCIE rev 0x00: apic 4 int 17 (irq 10)
 pci2 at ppb1 bus 2
 vendor VIA, unknown product 0x3403 (class serial bus subclass Firewire, rev 0x00) at pci2 dev 0 function 0 not configured
 pciide0 at pci2 dev 0 function 1 vendor VIA, unknown product 0x0415 rev 0xa0: DMA (unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
 pciide0: using apic 4 int 17 (irq 10) for native-PCI interrupt
 atapiscsi0 at pciide0 channel 0 drive 0
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, RW/DVD GCC-H20N, 1.05 ATAPI 5/cdrom removable
 pciide0: channel 1 ignored

Re: IPSEC Site-to-Site not routing packages

2012-02-23 Thread Russell Garrison
I can confirm this. Spent way too much time in my VMWare lab on this
until I thought to add a default route to the host-only interfaces I
was running the tunnel on. All you need is default route and it will
work. I have found that fleshed out config for networking on OpenBSD
is a sure way to clear up some of the more strange things that can
happen.

On Thu, Feb 23, 2012 at 10:43 AM, Aner Perez a...@ncstech.com wrote:
 See the thread titled ipsec tunnel traffic getting icmp host unreachable
 on this same list.

 In short, the answer is that you need a standard route (in addition to the
 encap route) to the destination networks.

 Any route that covers your destination network will do.  In my case,
 instead of adding routes for each of my ipsec tunnels, I just added a
 default route and that fixed the problem.  It won't actually use the
 gateway listed on this route, for that it uses the encap route.

- Aner


 On 02/22/2012 05:22 PM, Morten Christensen wrote:

 Dear fellow OpenBSD friends.

 I'm setting up 2 FW's that should form a VPN tunnel securing the net
 behind each FW - simple

 NET x -- FW x -- WAN -- FW y -- NET y

 I'm using ipsec.conf / ipsecctl. OpenBSD 5, pf is disabled.

 On FW x
 # cat /etc/ipsec.conf
 ike esp from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 psk
 lotsofFishs4meAndyou

 netstat -rn
 Encap:
 Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
 10.20/16           0     10.21.35/24        0     0     212.37.141.59/esp/use/in
 10.21.35/24        0     10.20/16           0     0     212.37.141.59/esp/require/out

 # ipsecctl -sa
 FLOWS:
 flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid
 212.37.141.60/32 dstid 212.37.141.59/32 type use
 flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid
 212.37.141.60/32 dstid 212.37.141.59/32 type require

 SAD:
 esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth
 hmac-sha2-256 enc aes
 esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth
 hmac-sha2-256 enc aes



 On FW y
 # cat /etc/ipsec.conf
 ike esp from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 psk
 lotsofFishs4meAndyou

 netstat -rn
 Encap:
 Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
 10.21.35/24        0     10.20/16           0     0     212.37.141.60/esp/use/in
 10.20/16           0     10.21.35/24        0     0     212.37.141.60/esp/require/out

 # ipsecctl -sa
 FLOWS:
 flow esp in from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.60 srcid
 212.37.141.59/32 dstid 212.37.141.60/32 type use
 flow esp out from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.60 srcid
 212.37.141.59/32 dstid 212.37.141.60/32 type require

 SAD:
 esp tunnel from 212.37.141.59 to 212.37.141.60 spi 0xc2e3c650 auth
 hmac-sha2-256 enc aes
 esp tunnel from 212.37.141.60 to 212.37.141.59 spi 0xc5853584 auth
 hmac-sha2-256 enc aes

 Of course on both machines
 net.inet.ip.forwarding=1

 Pinging from a host on NET x
 Request timeout for icmp_seq 1402
 36 bytes from 10.21.35.1: Destination Host Unreachable
 Vr HL TOS  Len   ID Flg  off TTL Pro  cks  Src  Dst
  4  5  00 5400 736e   0   40  01 cfa4 10.21.35.100  10.20.0.10

 The gateway clearly answers that it can't route the packet!?

 Pinging directly from FWx to FWy WORKS !!! ???

 # ping -I 10.21.35.1 10.20.0.1
 PING 10.20.0.1 (10.20.0.1): 56 data bytes
 64 bytes from 10.20.0.1: icmp_seq=0 ttl=255 time=1.185 ms
 64 bytes from 10.20.0.1: icmp_seq=1 ttl=255 time=0.829 ms
 Dump while ping
 # tcpdump -i enc0 -n
 tcpdump: listening on enc0, link-type ENC
 13:52:24.297384 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
 13:52:24.297508 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)
 13:52:25.299664 (authentic,confidential): SPI 0xc5853584: 10.21.35.1 > 10.20.0.1: icmp: echo request (encap)
 13:52:25.299760 (authentic,confidential): SPI 0xc2e3c650: 10.20.0.1 > 10.21.35.1: icmp: echo reply (encap)


 Routing is the problem ? what is the cause ? It looks like each FW doesn't
 permit routing packets from LAN hosts.

 Thanks for your help

 Regards

 Morten Bech Christensen
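The point Aner and Russell make above (an encap route alone is not enough; a normal route has to cover each tunnel destination as well, and a default route will do) can be checked mechanically. The script below is an added example written for this thread, not code from any of the posts or from OpenBSD. It parses netstat -rn and ipsecctl -sf style text and lists the outbound flow destinations that no ordinary Internet route covers. The sample outputs are constructed to resemble FW x in Morten's setup; gateway and MAC values in them are made up.

```python
"""List IPsec flow destinations that have only an encap route.

Added example for this thread, not part of the original posts or of OpenBSD:
OpenBSD needs an ordinary route covering each tunnel destination in addition
to the encap route, otherwise the gateway answers 'Destination Host
Unreachable' for LAN hosts. The text below is constructed to look like
'netstat -rn' and 'ipsecctl -sf' output on the FW x side of the thread.
"""
import ipaddress
import re

# Constructed sample: FW x routing table *without* a default route.
NETSTAT_NO_DEFAULT = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
10.21.35/24        link#1             UC          1        0     -     4 em0
10.21.35.1         00:00:5e:00:01:01  HLc         1        0     -     4 lo0
212.37.141.56/29   link#2             UC          1        0     -     4 em1
212.37.141.60      00:90:0b:1f:72:e4  HLc         1        0     -     4 lo0
127/8              127.0.0.1          UGRS        0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH          2        0 33200     4 lo0

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.20/16           0     10.21.35/24        0     0     212.37.141.59/esp/use/in
10.21.35/24        0     10.20/16           0     0     212.37.141.59/esp/require/out
"""

# Same table with the fix from the thread: a default route (gateway made up).
NETSTAT_WITH_DEFAULT = NETSTAT_NO_DEFAULT.replace(
    "Prio Iface\n",
    "Prio Iface\n"
    "default            212.37.141.57      UGS         0        9     -     8 em1\n",
    1,
)

# Constructed 'ipsecctl -sf' style flow listing for FW x.
FLOWS = """\
flow esp in from 10.20.0.0/16 to 10.21.35.0/24 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type use
flow esp out from 10.21.35.0/24 to 10.20.0.0/16 peer 212.37.141.59 srcid 212.37.141.60/32 dstid 212.37.141.59/32 type require
"""

FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+)"
)


def to_network(dest: str) -> ipaddress.IPv4Network:
    """Expand netstat's abbreviated destinations ('default', '10.20/16',
    '127/8', '10.0.0.2') into full IPv4 networks."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/", 1)
    else:
        addr, plen = dest, "32"          # a host route
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # '10.20' -> '10.20.0.0'
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{plen}", strict=False)


def parse_internet_routes(netstat_text: str) -> list:
    """Destinations of the normal (non-encap) IPv4 routes in netstat -rn output."""
    routes, in_section = [], False
    for line in netstat_text.splitlines():
        if line.startswith("Internet:"):
            in_section = True
            continue
        if in_section:
            if not line.strip():          # blank line ends the Internet section
                break
            fields = line.split()
            if fields[0] == "Destination":  # column header
                continue
            routes.append(to_network(fields[0]))
    return routes


def parse_outbound_flows(flows_text: str) -> list:
    """Destination networks of the 'out' flows in ipsecctl -sf output."""
    dests = []
    for line in flows_text.splitlines():
        m = FLOW_RE.match(line)
        if m and m.group("dir") == "out":
            dests.append(ipaddress.IPv4Network(m.group("dst"), strict=False))
    return dests


def missing_routes(netstat_text: str, flows_text: str) -> list:
    """Outbound tunnel destinations (as strings) that no normal route covers."""
    routes = parse_internet_routes(netstat_text)
    return [str(d) for d in parse_outbound_flows(flows_text)
            if not any(d.subnet_of(r) for r in routes)]


if __name__ == "__main__":
    print("without default route:", missing_routes(NETSTAT_NO_DEFAULT, FLOWS))
    print("with default route:   ", missing_routes(NETSTAT_WITH_DEFAULT, FLOWS))
```

Run against real output, the first list is what the thread calls the missing "standard route": anything printed there is a destination the kernel will refuse to forward for LAN hosts even though the SAs and flows look healthy in ipsecctl -sa.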



Re: network throughput tool suggestion

2012-02-15 Thread Russell Garrison
On Tue, Feb 14, 2012 at 3:13 PM, Christiano F. Haesbaert
haesba...@haesbaert.org wrote:
 On 14 February 2012 17:59, Mihai Popescu mihp...@gmail.com wrote:
 Hi,

 I need to test a commercial router for throughput and I decided to
 put it between 2 OpenBSD systems running network benchmark software.
 Looking on openports.se I found iperf, netperf and ttcp. Could you
 suggest one from them, based on your experience, please ?

 Thanks.


 We have tcpbench in base, that's what most devs use.


I have used iperf on OpenBSD 4.9 to get some quick basic numbers
and experiment with jumbo frames. My test also involved a Windows
system, so the cross-platform part was nice. Haven't used tcpbench
before, but it is built-in to recent OpenBSD systems and looks pretty
nice according to the man page.



Re: problem running named in non 0 rdomain

2012-01-03 Thread Russell Garrison
On Sun, Jan 1, 2012 at 5:40 PM, Stuart Henderson s...@spacehopper.org wrote:

 I'm pretty sure the child will be inheriting the rdomain from the process
 which forked it.


I can offer the anecdote that when I ran sshd using the route -exec
wrapper my child session would exist in whatever rdomain was hosting
the daemon. Ended up backing away from this approach and sticking with
pf rules, so I didn't have sshd parent processes littering my machine.
I'll assume you don't want to use pf to land queries on the daemon, so
the next question is did you try creating a loopback address in the
non-zero rdomain to get the control port you need?



Re: [PF] bug in port range.

2012-01-03 Thread Russell Garrison
For those of us playing the CS home game, is this an example of
left-to-right evaluation? My thought on this was that the value 81
isn't greater than 82 and isn't less than 80, so the rule doesn't
match.



Re: strange tcp rst with rdomain

2011-12-20 Thread Russell Garrison
I have found that I need to add something like:

!route -T 2 exec /usr/sbin/sshd

To the pertinent hostname.if file to make sure sshd is listening in
additional routing tables, but I do not know if this is best.

On Mon, Dec 19, 2011 at 1:02 PM, Ilya Shipitsin
chipits...@gmail.com wrote:
 Hello.

 I'm running multihomed OpenBSD server:

 vlan5/carp5 - default
 vlan2/carp2 and vlan4/carp4 are connected to other ISPs.

 when there's no rdomain thing, everything seems to be working, except
 all outgoing packets goes through vlan5/carp5.


 so, I did

 f2n0:/root#cat /etc/hostname.vlan2
 vlan 2 vlandev trunk0 mtu 1300
 up

 f2n0:/root#cat /etc/hostname.carp2
 vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
 !/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
 f2n0:/root#cat /etc/hostname.vlan4
 vlan 4 vlandev trunk0 mtu 1300
 up

 f2n0:/root#cat /etc/hostname.carp4
 vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
 !/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
 f2n0:/root#

 also, I did

 f2n0:/root#grep -v ^# /etc/pf.conf

 set skip on lo

 pass in vlan2 rtable 2
 pass in vlan4 rtable 4

 pass


 ping is working well, packets go out via the appropriate interface.
 however, ssh ends with tcp rst, for example.
 how can the reason for that tcp rst be detected?

 am I doing anything wrong with rdomains?

 Ilya Shipitsin



Re: OT: some news here

2011-12-16 Thread Russell Garrison
Wonderful news Eric! Good to know opportunities like these exist.
Happy Holidays and good luck with the program.



Re: using ssh to forward the install console

2011-12-07 Thread Russell Garrison
On Wed, Dec 7, 2011 at 2:47 PM, Eric Oyen eric.o...@gmail.com wrote:
 hello group.

 I have an interesting (and fairly technical) question.

 the question is: how can I forward the install screen via ssh to another
 machine on my network? I ask this because I didn't see any specific
 instructions that applied. my issue right now is that I need a sighted
 assistant to read me the screen and help with installing the base system
 (and setting up ssh).

 I would like to run the install like from a serial port output (like the
 old spark pizza boxes) but none of my current machines have a serial port
 to do this on.

 comments? suggestions?

 -eric


Any possibility of using USB serial adapters on these systems? You may
need to blind-type to the boot loader in order to get it up on the
serial redirection with an attached keyboard, but as I recall that
isn't a big issue for Eric. ;) Then you would just need a crossover to
the other DTE port on a host running cu and ssh to handle the install.
We would do a similar thing with our v210's except they had built-in
serial.



Re: correct netmask on carp interfaces

2011-12-02 Thread Russell Garrison
On Thu, Nov 24, 2011 at 2:40 PM, Henning Brauer lists-open...@bsws.de wrote:
 if your carpdev has an IP and the IP(s) on the carp interface are in
 the same subnet, is it best to have the real netmask on the carpdev
 and all-ones netmasks on the carp interface, for the case where you're
 carp slave.

 and the rule of thumb remains, one IP per subnet per rdomain in the
 system with the real netmask, all others all-ones - aka /32 for the one
 and only real protocol.

 Example:
 em5 - no IP
 carp5 - 10.0.0.0/30 mask on carpdev em5

 right.

 em4 - 9.0.0.0/32 for mgmt
 carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4
 carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4

 here it is better to have the /28 on em4 and /32 on the carp ifs.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
 Henning Brauer Consulting, http://henningbrauer.com/


This was very helpful information and I have implemented it, but I am
still wondering about a related issue with routing. My default route
on the pair of firewalls is set to an IP on the carp5 IP network, so I
don't have a useable default route to the Internet on the backup until
it fails over. I think that Kapetanakis was referencing that same
issue when he responded to me which led to me discovering it on my
production setup. Is there anything I can do about this given the /30
on the em5/carp5 network.

In the Firewall Redundancy with Carp and pfsync section of the PF
Users Guide FAQ at http://www.openbsd.org/faq/pf/carp.html there is an
example where the WAN/Internet connection has IP addresses assigned on
the physical and CARP interfaces. The all ones mask rule isn't set out
there, since the ifconfig commands for the underlying physical
interfaces aren't included in the examples. In fact, the rule is
violated by the included ifconfig commands for the carp IP addresses
by including a permissive mask. I am pretty sure this is where my
misunderstanding started, since I followed this FAQ to get started on
my redundant firewall setup. It may be good to revise this and
possibly even add discussion about the default route in the case where
you have a /30 from your ISP to deal with.

For now I can live with the lack of Internet access on the slave and
having to SSH to the master and then hop over to the slave using the
/28 for remote management. I did get Internet-sourced SSH access to
the backup working with a nat-to on the master, but it was ugly and
only worked when I set the translated source to the carp4 IP instead
of the master's em4 IP. Ended up rolling it back since the indirect
method works well enough. Any possible resolution to the default route
issue would be greatly appreciated.



Re: correct netmask on carp interfaces

2011-11-22 Thread Russell Garrison
I had some experience with this and found another thread where the
best thing to do for your routing is to have only one /(32-n) mask and
then all /32 for any given subnet and rdomain combination on a system.
I have set up my system accordingly and my advice is to set your carp
primary IP to the proper network mask (especially if it is using the
carp IP to provide a gateway to the connected network) and then any
other IP/interfaces to /32 per subnet. Example:

em5 - no IP
carp5 - 10.0.0.0/30 mask on carpdev em5
em4 - 9.0.0.0/32 for mgmt
carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4
carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4

Before this I had the same mask on em4 and carp4 primary IP. It
worked, but I noticed the ARP had tell: set to the em4 MAC/IP and that
the route for that network was homed to em4 in the table. After the
change ARP has tell: set to the carp MAC/IP and the network is on the
carp4 if, which seemed more consistent to me. Can't tell you for sure
if that is better for you, but it is worth a shot.

I can also advise that ifconfig on runtime can have different effects
than editing hostname.if and using netstart. One example I can think
of is all the self-routing stuff that happens with netstart. I also
find it good to get a reboot in at some point just to double-check
that the hostname.if files and netstart do what you want on a system
that hasn't had any previous networking setup.

Good luck, happy hacking.

2011/11/21 Kapetanakis Giannis bil...@edu.physics.uoc.gr:
 Hi,

 I'm a bit confused on setting appropriate netmask on carp interface when
 the carpdev has an IP address.

 Till yesterday (following http://openbsd.org/faq/pf/carp.html#failover) my
 carp interfaces had the same netmask as the carpdev interfaces:
 em1:
   (no inet address)

 vlanXX:
   vlan: 102 priority: 0 parent interface: em1
   inet xxx.xxx.xxx.18 netmask 0xfffffff8 broadcast xxx.xxx.xxx.23

 carp0:
   carp: MASTER carpdev vlanXX
   inet xxx.xxx.xxx.20 netmask 0xfffffff8 broadcast xxx.xxx.xxx.23

 I've read this from Henning
 http://marc.info/?l=openbsd-miscm=123464537104366w=2
 so I tried to switch to /32 netmask on the carp interfaces
 # ifconfig carp0 xxx.xxx.xxx.20/32

 But now I get

 Nov 21 11:45:09 fw /bsd: carp0: state transition: BACKUP -> MASTER
 Nov 21 11:45:09 fw /bsd: arp_rtrequest: bad gateway value
 Nov 21 11:45:10 fw /bsd: carp1: state transition: BACKUP -> MASTER
 Nov 21 11:45:10 fw /bsd: arp_rtrequest: bad gateway value

 every time the state changes on each firewall. Apart from this I don't see
 any other problem.

 Is this normal behavior? Should I change back to the /29 netmask?

 regards,

 Giannis



hostname.if routing question

2011-11-16 Thread Russell Garrison
I am having trouble figuring out how I should configure a physical
interface and a carp virtual interface where the carp IP will serve as
a default route for hosts on the network and also hold some aliases
for server re-directs. From what I have seen the routes built at
startup home the route for the network on the interface that is
configured with the actual network mask so:

/etc/hostname.em0
inet A.B.C.14 255.255.255.240 A.B.C.15 rdomain 2

/etc/hostname.carp0
vhid 9 pass  rdomain 2
inet A.B.C.1 255.255.255.255 A.B.C.15 rdomain 2
inet alias A.B.C.3 255.255.255.255 A.B.C.15 rdomain 2
inet alias A.B.C.4 255.255.255.255 A.B.C.15 rdomain 2

Will put the A.B.C.0/28 entry in table 2 to:

A.B.C.0/28  link#1  UC  0  0  -  4 em0

Changing the masks so carp0 has the open mask on its first ip and em0
is all 1s yields:

A.B.C.0/28  link#9 UC  0  0  -  4 carp0

Is it better for that to be on carp0 instead of em0, given that carp0
will be the router for that network?
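The rule the three carp threads above converge on (one address per subnet per rdomain carries the real netmask, everything else in that subnet is /32, and the interface holding the real mask is the one the connected route is homed on) is easy to get wrong across several hostname.if files. The checker below is an added example written for these threads, not code from any of the posts or from OpenBSD. It reads hostname.if style text, reports which interface carries the real mask for each (rdomain, subnet), and flags subnets with the real mask on two interfaces or /32 addresses with no real-mask subnet behind them. The file contents are constructed, using 192.0.2.0/24 in place of the A.B.C network of the question.

```python
"""Check the 'one real netmask per subnet per rdomain' rule for carp setups.

Added example for this thread, not code from the posts or from OpenBSD. It
reads hostname.if style text (dotted mask or CIDR form), works out which
interface carries the real (non-/32) mask for each subnet in each rdomain,
and flags rule violations. Addresses are constructed (192.0.2.0/24) and
stand in for the A.B.C network in the question.
"""
import ipaddress
from collections import defaultdict

# Variant 1 of the question: real mask on the physical interface.
PHYSICAL_HAS_MASK = {
    "hostname.em0": "inet 192.0.2.14 255.255.255.240 192.0.2.15 rdomain 2\n",
    "hostname.carp0": (
        "vhid 9 pass SECRET carpdev em0 rdomain 2\n"
        "inet 192.0.2.1 255.255.255.255 192.0.2.15 rdomain 2\n"
        "inet alias 192.0.2.3 255.255.255.255 192.0.2.15 rdomain 2\n"
        "inet alias 192.0.2.4 255.255.255.255 192.0.2.15 rdomain 2\n"
    ),
}

# Variant 2: real mask moved to the carp address, em0 becomes /32.
CARP_HAS_MASK = {
    "hostname.em0": "inet 192.0.2.14 255.255.255.255 192.0.2.15 rdomain 2\n",
    "hostname.carp0": (
        "vhid 9 pass SECRET carpdev em0 rdomain 2\n"
        "inet 192.0.2.1/28 rdomain 2\n"
        "inet alias 192.0.2.3 255.255.255.255 192.0.2.15 rdomain 2\n"
    ),
}

# Rule violation: both interfaces carry the /28 in the same rdomain.
BOTH_HAVE_MASK = {
    "hostname.em0": "inet 192.0.2.14 255.255.255.240 192.0.2.15 rdomain 2\n",
    "hostname.carp0": (
        "vhid 9 pass SECRET carpdev em0 rdomain 2\n"
        "inet 192.0.2.1 255.255.255.240 192.0.2.15 rdomain 2\n"
    ),
}


def parse_hostname_if(files: dict) -> list:
    """Return (ifname, rdomain, IPv4Interface) for every inet line."""
    entries = []
    for fname, text in files.items():
        ifname = fname.split(".", 1)[1]          # 'hostname.carp0' -> 'carp0'
        for line in text.splitlines():
            tok = line.split()
            if not tok or tok[0] != "inet":
                continue                         # vhid/pass/up/!route lines carry no address
            i = 2 if tok[1] == "alias" else 1
            if "/" in tok[i]:                    # CIDR form: inet 192.0.2.1/28
                iface = ipaddress.IPv4Interface(tok[i])
            else:                                # dotted mask form as in the question
                iface = ipaddress.IPv4Interface(f"{tok[i]}/{tok[i + 1]}")
            rdomain = int(tok[tok.index("rdomain") + 1]) if "rdomain" in tok else 0
            entries.append((ifname, rdomain, iface))
    return entries


def check_netmasks(files: dict) -> tuple:
    """Apply the rule. Returns (homes, problems): homes maps
    (rdomain, 'subnet/len') to the one interface carrying the real mask,
    i.e. the interface the connected route will be homed on; problems is
    a list of human-readable violations."""
    entries = parse_hostname_if(files)
    real = defaultdict(list)                     # (rdomain, subnet) -> ifnames with real mask
    for ifname, rd, iface in entries:
        if iface.network.prefixlen < 32:
            real[(rd, iface.network)].append(ifname)
    problems = []
    for (rd, net), ifnames in real.items():
        if len(ifnames) > 1:
            problems.append(f"rdomain {rd}: {net} carries the real mask on "
                            f"{', '.join(ifnames)}; only one interface should")
    # every /32 must sit inside a subnet some interface carries with the real mask
    for ifname, rd, iface in entries:
        if iface.network.prefixlen == 32 and not any(
                rd == r and iface.ip in net for (r, net) in real):
            problems.append(f"rdomain {rd}: {iface.ip}/32 on {ifname} has no "
                            f"subnet configured with the real mask")
    homes = {(rd, str(net)): ifnames[0]
             for (rd, net), ifnames in real.items() if len(ifnames) == 1}
    return homes, problems


if __name__ == "__main__":
    for name, files in [("physical", PHYSICAL_HAS_MASK), ("carp", CARP_HAS_MASK),
                        ("both", BOTH_HAVE_MASK)]:
        print(name, check_netmasks(files))
```

For the question's two variants the checker reports the route homed on em0 and on carp0 respectively with no violations, which matches the routing table entries quoted above; only the third, constructed set trips the rule.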



problem connecting to verizon.net

2011-11-08 Thread Russell Garrison
I discovered an odd issue once I upgraded my OpenBSD pf
firewall/router that manifested itself by preventing my email server
from sending to verizon.net customers. The strange thing was that mail
was going out to other domains. I figured out that I did something odd
in my ruleset and fixed it, so now I am wondering what is going on. I
am only aware of one other individual with these symptoms, but he was
using a bridge with pf and our fixes are at least semantically
different.

I have reduced everything to basic working parts and tested a few
times to narrow down what is happening. In summary, I found that I can
create two pass-only rules to nat outgoing traffic using carp and
rdomains, but the traffic to verizon.net doesn't work unless I use a
combination of two pass rules and a match rule. The basic setup where
you can see this behavior follows (public IPs changed to protect the
innocent):

# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:90:0b:1f:72:e4
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT
full-duplex,master,rxpause,txpause)
status: active
inet 10.0.0.1 netmask 0xfffffffc broadcast 10.0.0.3

# ifconfig em1
em1: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500
lladdr 00:90:0b:1f:72:e5
priority: 0
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet 9.9.9.170 netmask 0xfffffff0 broadcast 9.9.9.175

# ifconfig carp1
carp1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500
lladdr 00:00:5e:00:01:09
priority: 0
carp: MASTER carpdev em1 vhid 9 advbase 1 advskew 0
groups: carp
status: master
inet 9.9.9.167 netmask 0xfffffff0 broadcast 9.9.9.175
inet 9.9.9.168 netmask 0xffffffff broadcast 9.9.9.168

# route -T 0 -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS        0        9     -     8 em0
10.0.0.0/30        link#1             UC         2        0     -     4 em0
10.0.0.1           00:90:0b:1f:72:e4  HLc        1        0     -     4 lo0
10.0.0.2           00:14:22:2e:ba:8c  UHLc       0       10     -     4 em0
9.9.9.168          127.0.0.1          UGHS       0        0 33200     8 lo0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2        0 33200     4 lo0
224/4              127.0.0.1          URS        0        0 33200     8 lo0

# route -T 1 -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            9.9.9.161          UGS        0       14     -     8 em1
9.9.9.160/28       link#2             UC         1        0     -     4 em1
9.9.9.161          00:1b:54:b7:81:a8  UHLc       1        0     -     4 em1
9.9.9.168/32       9.9.9.168          U          0       10     -     4 carp1

# cat /etc/hostname.em0
inet 10.0.0.1 255.255.255.252 NONE

# cat /etc/hostname.em1
inet 9.9.9.170 255.255.255.240 9.9.9.175 rdomain 1
!route -T 1 add default 9.9.9.161

# cat /etc/hostname.carp1
inet 9.9.9.167 255.255.255.240 9.9.9.175 vhid 9\
pass password rdomain 1
inet alias 9.9.9.168 255.255.255.255

# cat /etc/mygate
10.0.0.1

# cat /etc/pf.conf

set skip on lo
block

# LAN to Internet with three rules and rdomain
# (fixes the verizon issue)
#match out on em1 inet from 10.0.0.2\
to any nat-to 9.9.9.170
#pass out on em1 inet from 9.9.9.170\
to any
#pass in on em0 from 10.0.0.2\
to any rtable 1

# example LAN to Internet with two rules and rdomain
# (doesn't work)
# Seeing TTL expired in transit
#pass in on em0 inet from 10.0.0.2\
to any nat-to 9.9.9.170 rtable 1
#pass out on em1 inet from 9.9.9.170 to any

# Internet access over rdomain and carp
# (creates the verizon issue)
pass in quick on em0 inet from 10.0.0.2\
to any nat-to 9.9.9.168 rtable 1
pass out quick on em1 inet from 9.9.9.168\
to any

---

From 10.0.0.2 I run the following commands:

(first a non-verizon smtp server)
telnet 207.155.253.210 25
(works, but a little slower to display the banner under the pass-only rules)

(now one of the relay.verizon.net smtp servers)
telnet 206.46.232.11 25
(fails to connect unless I use the match/pass rule combo)


In the rules above I also found that the two-rule setup doesn't work
in any case with the public if physical IP in the rdomain. I have
looked at these over tcpdump and I can see the traffic going out with
the proper NAT to either server, but the returning SYN/ACKs in the
handshake from verizon arrive and do not forward to the internal host.
One thing I have noticed is that the verizon ttl is higher than the
other server,