Re: Truncation Data Loss

2009-11-11 Thread Russell Howe

Michal wrote, sometime around 11/11/09 11:40:


I know this is a bit off topic, but storage devices have batteries on
RAID cards for a reason. If you are worried about reads/writes etc. when a
system dies, there are measures you can take


Probably even more OT, but...

Although some (most?) RAID cards which have a battery option will only 
let you enable the write cache if you have a battery installed. 
Certainly the HP P400 cards we have do.


There has been endless discussion about data loss in these types of 
scenarios on the XFS mailing list - it journals metadata but not data, 
so if your application (e.g. vim) overwrites files by first truncating 
them to 0 length and then writing out the data, you'll find that the 
truncate and the resize of the file are all nicely replayed from the 
journal after the crash, but if the machine died before your data hit 
the disk, all you'll get when you read() is \0\0\0\0...


Since ext4 has started to implement similar features in similar ways to 
XFS, the ext4 folk are running into the same old problems.
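The overwrite pattern the post describes, beside the durable alternative, as an added example that is not from the thread. overwrite_by_truncate() is the truncate-then-write sequence (the metadata-only journal replays the truncate; the data may never have reached disk); overwrite_atomically() writes a temporary file in the same directory, fsyncs it, renames it over the target and fsyncs the directory, so a reader after a crash sees either the old or the new contents, never zeros. The function names and the ".tmp.XXXXXX" suffix are this example's own choices.

```c
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Risky pattern: truncate to zero, then write the new data.
 * Between the truncate and the data reaching disk there is a window in
 * which a crash leaves an empty or zero-filled file. Returns 0 on success. */
int overwrite_by_truncate(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, len);   /* short writes ignored for brevity */
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Durable pattern: write a temp file, fsync it, rename it over the target,
 * then fsync the directory so the rename itself is on disk. Returns 0 on success. */
int overwrite_atomically(const char *path, const char *data, size_t len)
{
    char tmp[4096], dirbuf[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp.XXXXXX", path);  /* same directory as target */
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len || fsync(fd) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    close(fd);
    if (rename(tmp, path) != 0) {       /* atomic replacement of the old inode */
        unlink(tmp);
        return -1;
    }
    snprintf(dirbuf, sizeof dirbuf, "%s", path);
    int dfd = open(dirname(dirbuf), O_RDONLY);
    if (dfd >= 0) {                     /* make the directory entry durable too */
        fsync(dfd);
        close(dfd);
    }
    return 0;
}

/* Helper: read up to cap bytes of a file; returns bytes read or -1. */
ssize_t read_all(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}
```
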


--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine & Offshore Surveys Ltd.



Re: trunks and vlan madness

2009-07-23 Thread Russell Howe

Marian Hettwer wrote, sometime around 23/07/09 16:07:

Hi *,

# cat /etc/hostname.bge0   
up
# cat /etc/hostname.bge1  
up

# cat /etc/hostname.trunk0
trunkproto failover trunkport bge0 trunkport bge1 up
# cat /etc/hostname.trunk1 
trunkproto failover trunkport bge0 trunkport bge1 up


You can run both vlans over the one trunk. I'm not sure what happens if 
you have the same interface involved in more than one trunk, but it 
doesn't sound sensible to me.


# rm /etc/hostname.trunk1

# cat /etc/hostname.vlan24 
inet 10.46.24.101 255.255.255.0 10.46.24.255 vlan 24 vlandev trunk0
# cat /etc/hostname.vlan25 
inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 vlandev trunk1


echo inet 10.46.25.101 255.255.255.0 10.46.25.255 vlan 25 \
vlandev trunk0 > /etc/hostname.vlan25

--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine & Offshore Surveys Ltd.



Re: ADSL2+ PCI card

2009-05-14 Thread Russell Howe

John Bond wrote:

Hello,

I'm looking into building a home router device and my obvious OS choice
is OpenBSD; however, I'm struggling to find an ADSL2+ PCI card which I
can use. I have only managed to find two devices which may work:

Sangoma data card S519 --
http://www.sangoma.com/products_and_solutions/hardware/data_networking/s519.html
or possibly the
Viking PCI ADSL2+ Modem Card -- http://www.yawarra.com.au/pdfs/XC-P-ADSL2-V.pdf

Does anyone have any experience with these cards and know if they do
work with OpenBSD, or know if there are better options?


These should work fine - the S518 presents itself as a special ADSL 
controller on the PCI bus, but AFAIK the 519 is actually an ethernet 
chip (Realtek 8139?) paired up with an ADSL modem on a PCI card, so all 
the computer sees is an ethernet card.


I think you configure the ADSL modem by telnetting to it through the 
ethernet card, but I'm not sure.


--
Russell Howe
rh...@bmtmarinerisk.com



Re: Anyone using munin?

2009-04-06 Thread Russell Howe

Martin Schröder wrote, sometime around 06/04/09 10:01:

2009/4/3, Marc Runkel mrun...@untangle.com:

Trying to set up munin to work with OpenBSD and was wondering if anyone had some
 plugins pre-written? In particular interface statistics, but I'll take just
 about anything.


Good luck. AFAIK there's a freebsd port, try that. And there are some
plugins for pf at http://muninexchange.projects.linpro.no/


Munin can collect from SNMP, which makes life a LOT easier!

OK, so that's not so useful if you want to collect some stats which 
OpenBSD's snmpd doesn't expose, but assuming you do, this is what you 
need to do:


munin-node can act as a proxy, forwarding requests to another box. This 
is handy if you want to monitor a bunch of hosts on the other side of a 
firewall, as you only need to punch a hole for the one machine. It can 
also act as a one-way munin-to-SNMP bridge, forwarding incoming 
requests on to another node that speaks SNMP.


Install munin-node somewhere (I installed it on a Debian box that I run 
munin on, which is also where I collect all syslog messages and run 
logcheck and nagios).


Check that the box running munin-node can talk SNMP to OpenBSD:

This works well enough for me as a test:
$ snmpwalk -v 2c -c <community> <address of obsd box>

Run munin-node-configure-snmp - you can pass either a single address or 
a CIDR range. It will scan for SNMP and configure any plugins which can 
monitor the stats it finds.


Configure munin-node to allow connections from the host running munin

e.g.

echo 'allow ^10\.0\.0\.1$' >> /etc/munin/munin-node.conf

where 10.0.0.1 is the IP address of the box running munin (the one which 
collects stats from all the nodes and draws graphs)


Restart munin-node

Wait for the pretty graphs to appear

Debug, rejoice and go on an SNMP configuring rampage across your network 
(hint: this is useful for monitoring Windows boxes, if you have any of 
those).


--
Russell Howe, IT Manager. rh...@bmtmarinerisk.com
BMT Marine & Offshore Surveys Ltd.



Re: Duplicate incoming packets to multiple destinations using pf

2008-11-05 Thread Russell Howe

Simen Stavdal wrote, sometime around 05/11/08 14:14:

Hi Damian/misc,

I appreciate your input -I really do.
Please see my comments below.

  I am not trying to escape the fact that one needs systems in place to
  manage large installations, I am merely looking for what *I* think
  would be a better way to deploy resources.
  As a service provider I can provide advice (and hence I posted this
  question in the first place to see if there was a good way to
  multicast traps to predefined destinations), but it is not in my
  power to manage a customers network - so this I'm afraid is out of my
  control - but I do agree with your point ...should *never* be a
  reason


Maybe you answered your own question here - what if you sent your traps 
to a multicast address and had proper multicast routing?


Not something I've ever tried, mind you...

--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Re: Duplicate incoming packets to multiple destinations using pf

2008-11-05 Thread Russell Howe

Simen Stavdal wrote, sometime around 05/11/08 15:25:

Hi Russell,

Thanks for your answer.
Sending traps to multicast addresses seems like a good idea, except it 
would be up to the receiver to decide whether to use the trap or not
(taking away the possibility to filter which hosts gets copied the traps 
(multicast traps to predefined destinations)).


How about rdr-ing to different multicast addresses depending on who you 
want the packet to go to?


Start doing this though, and the configuration is going to get a bit messy.

e.g. 3 multicast addresses, with their members:

mcastA - trapdest1
mcastB - trapdest2
mcastC - trapdest1,trapdest2

then you can decide who to send the trap to by rdr'ing it to one of 
mcastA, mcastB or mcastC



Certainly seems to violate the principle of least astonishment...

--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Re: OpenBSD and HP Proliant DL320/DL360 G5

2008-09-15 Thread Russell Howe

Johan Ström wrote, sometime around 15/09/08 16:39:

On Sep 15, 2008, at 5:16 PM, Russell Howe wrote:


Johan Ström wrote, sometime around 15/09/08 15:46:
Well, the main question is if DL360/DL320 & OpenBSD are working well 
together, the rest is only me thinking out loud :)


They work fine for me.

I have a pair of DL320 G5 machines each with a quad port Intel 
Pro/1000 PT card in them and they do all our vlan routing and pass 
traffic off into an OSPF area on its way to the internet.


Sounds good. Are you using only these quad ports? Or the onboard too?


Onboard too. I went a bit overkill and bonded everything into pairs.

Onboard bonded crossover cable to the other box for pfsync/sasync
then a couple of other bonded pairs off the quad port card with vlans on 
top of that.


Basically, I have 3 more gigE interfaces available should I need them. 
(I can unbond one of the pairs - none of them need to be 2 x gigE).


I've been thinking about using one onboard to external, one for pfsync 
and then get a dual-port NIC where both ports are bonded to the switch. 
Since I will do both external and internal routing (but I'm not sure I 
will even be able to get that performance out of the box, so it might be a 
non-problem), it would be nice to have 2 Gbit in case I actually push 1 
gig of traffic on the external interface (in which case the internal 
would be full too and thus internal routing would suffer)..


You don't happen to have any numbers on performance do you?


Never really benchmarked actually, so nothing specific, no.

I do know that the carp failover is lovely, though. Nothing notices a 
box being rebooted (haven't yet tried yanking a power cable).


iLO is fine - just set it up for serial console (if you want a GUI 
console you have to buy an 'Advanced iLO' license, but it's really not 
needed for a router box). You'll probably want to flip the iLO virtual 
serial port to be the 1st serial port, just to make life simpler.


Yeah, OpenBSD works pretty well with the serial console, but how is it 
with BIOS etc.? If I recall correctly, one can access RBSU (HP's ROM boot 
thingy) etc. from the text console too. How is it with bootloader support for 
the console? That works all the way, right? Never used it myself in OpenBSD.


Yep, it all works just fine. There are a few options for accessing the 
BIOS I think - text console or a curses-type interface.


The DL320 can have proper RAID, but only if you buy an additional 
controller. I use a pair of 80G SATA drives with the onboard 
controller and they work fine (the box doesn't really do much disk I/O 
- all the network monitoring and graphing is elsewhere).


Yep, that's my plan too (or well, 250G since 250G is almost as cheap as 
80G, and we are using 250G in other machines, no need for different 
spares), and use software RAID. One thing I'm worried about though is if 
one disk fails, will the BIOS be able to boot from the other disk with a 
broken/empty disk in the first slot? I haven't seen any indications in 
the BIOS about being able to change that, and I've had similar problems 
before (empty disk in slot 1, disk with OS in slot 2, box refusing to boot 
since disk 1 is empty).


I don't think this will work with the way I have it set up at present. 
The trick on Linux is to install the bootloader on disk 2 so that it is 
configured to boot from disk 1 (as disk #2 will become disk #1 when disk 
#1 is no longer there or operational). I haven't tried to figure out the 
necessary magic for that as yet.


--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Re: OpenBSD and HP Proliant DL320/DL360 G5

2008-09-15 Thread Russell Howe
 Intel 82801GB IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 7 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: ST3808110AS
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: ST3808110AS
wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
uhidev0 at uhub1 port 1 configuration 1 interface 0 HP Virtual Keyboard rev 1.10/0.02 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 33
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub1 port 1 configuration 1 interface 1 HP Virtual Keyboard rev 1.10/0.02 addr 2
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons
wsmouse0 at ums0 mux 0
uhub6 at uhub1 port 2 HP Virtual Hub rev 1.10/0.01 addr 3
softraid0 at root
root on wd0a swap on wd0b dump on wd0b


--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Changed source address for packets from ospfd causing breakage?

2008-09-01 Thread Russell Howe

Afternoon misc,

I recently added an extra loopback interface to an OpenBSD host running 
OpenOSPFd as a way of assigning specific IP addresses to the host in a 
way that didn't tie them to a specific physical interface.


I'm using the addresses for NAT and also announcing them as a route into 
an OSPF area where there is another OpenBSD box (matched with this one 
running with carp/pfsync/sasync/openospfd) and two Linux machines 
running quagga's ospfd.


Ever since I did this, my OSPF area fell over and I think it might be 
because ospfd is now sending packets with a source address matching one 
of the (public) addresses on this loopback interface instead of the 
address on the interface it is speaking OSPF on which matches its 
router-id. I've configured static routes for now, until I can figure out 
exactly what's going on.


How does ospfd choose the address to send from? I thought it might be 
something to do with the multicast route, but that's set to be on 'lo0', 
whereas my new loopback interface is lo1.


This is on OpenBSD 4.2 (I attempted to upgrade to 4.3 and the other node 
in the carp group died, so I'll be trying that again outside office 
hours, I think!).


The machine is connected to the ospf area via the 'vlan20' interface 
which is configured with an IP address 192.168.50.10/24 and is supposed 
to be announcing all the networks it is connected to on other 
interfaces. I've anonymised the non-rfc1918 addresses, but (and this 
might be important) they are the 'lowest' addresses on the router.


/etc/ospfd.conf:

cost_vpn=100
cost_gige=10
cost_gige_shared=12
cost_gige_crossover=8

router-id 192.168.50.10

auth-key censored
auth-type simple
hello-interval 6
retransmit-interval 5
router-dead-time 10
redistribute connected
redistribute static

area 0.0.0.0 {
    interface trunk0 {
        metric $cost_gige_crossover
    }
    interface trunk2 {
        metric $cost_gige
        passive
    }
    interface vlan1 {
        metric $cost_gige_shared
        passive
    }
    interface vlan5 {
        metric $cost_gige_shared
        passive
    }
    interface vlan6 {
        metric $cost_gige_shared
        passive
    }
    interface vlan8 {
        metric $cost_gige_shared
        passive
    }
    interface vlan10 {
        metric $cost_gige_shared
        passive
    }
    interface vlan20 {
        metric $cost_gige_shared
    }
    interface lo1:1.2.3.4 {
        metric $cost_gige
        passive
    }
    interface lo1:1.2.3.5 {
        metric $cost_gige
        passive
    }
    interface lo1:1.2.3.6 {
        metric $cost_gige
        passive
    }
    interface lo1:1.2.3.7 {
        metric $cost_gige
        passive
    }
    interface lo1:1.2.3.8 {
        metric $cost_gige
        passive
    }
}


--
Russell Howe, IT Manager. BMT Marine & Offshore Surveys Ltd.
[EMAIL PROTECTED]



Re: UPDATE: mozilla-firefox-3.0

2008-07-18 Thread Russell Howe

n0g0013 wrote:

I'm sure SUN was/is hoping that someone will develop a java based
animation toolkit to compete with flash but that's yet to happen.

I think this is what JavaFX is aiming to be - unfortunately, it's 
probably missed the boat, what with Flash having been around for years 
and Microsoft having released Silverlight.


One of the reasons Flash on Windows is so fast is that it is 
JIT-compiled to native code, plus it probably takes advantage of 
accelerated graphics rendering where it can. Neither of these seem to 
happen with the Linux flash plugin from Adobe (or if they do, it doesn't 
help - it's still dog slow).


I think that was one of the things holding Adobe back from releasing an 
amd64 version of Flash (even for Windows!) - they didn't seem to be 
capable of porting their JIT compiler!


The bug reference for that is here:

https://bugs.adobe.com/jira/browse/FP-37

Looks like the JIT was released under the MPL/GPL/LGPL in 2006:

http://www.mozilla.org/projects/tamarin/

--
Russell Howe
[EMAIL PROTECTED]



Re: Hardware recommendation for firewalls (more than 4 NICs)

2008-07-16 Thread Russell Howe

Claer wrote, sometime around 15/07/08 07:31:

On Mon, Jul 14 2008 at 28:15, Martín Coco wrote:


Thanks!

Have you tried the quad nics on those Dells? We do have a couple of R200s, 
860s and 850s running with 2 dual port cards no problem, but we have never 
tried the quad ports.

Hello,

I do have around 20 Dell 860 and R200 with 2 Intel Quad port cards.
That is a total of 10 interfaces on those cheap Dells.

You'll never hit any problem if you use only one Quad port. Be careful
with 2 cards on the 860. You'll have to order the Intel PRO/1000 PT Quad Port
and *NOT* the Low profile one. For the moment, no issues with them. 


I run a pair of HP DL320 G5 boxes as a pair of failover gateways 
(pf/isakmpd/ospfd/dhcpd) and have an Intel Pro/1000 PT quad port card in 
each, giving me 6 interfaces. The onboard ethernet controller is bge, 
and the intel ones are em. I use the onboard for a crossover link 
between the two gateways, and then the other 4 connections are split 
into 2 bonded pairs.


One is a plain old bond to a separate network and the other bonded pair 
has 5 VLANs running over it. Carp's used on all the links, pretty much, 
and it works great.


I haven't performed any particularly scientific performance tests, but I 
did push ~800Mbit/s using iperf through them, from what I recall.


If you were to stick two of the cards in, you'd need one full height and 
one low profile, as only one of the PCIe slots on the DL320 is full 
height. You'd also need to make sure you ordered the right version of 
the server (I think you can get it with one PCIe and one PCI-X slot as 
well as two PCIe slots).


I'm still not sold on the benefits of bonding when you have a failover 
pair of gateways, but we had the budget for the extra ports, so why not? 
It gives me room to expand by breaking the bonds if necessary.


Next task is to fix munin (or replace with something else) so that I can 
actually get bandwidth stats graphed.


--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.



Redistributing routes for IPSec tunnels with OpenOSPFD

2008-06-17 Thread Russell Howe
I have a pair of firewall routers running OpenBSD (4.1 and 4.2 at 
present - need to get them updated) and I recently added an IPsec tunnel 
to their configurations, using ipsecctl and ipsec.conf complete with 
sasyncd.


This works fine, and the host which is master of the carp interface I've 
told isakmpd to use gets routes to and from the remote network in the 
Encap section of route(8)'s output.


However, this does not seem to be advertised by ospfd. I've tried 
"redistribute connected" and "redistribute static", as well as 
explicitly specifying the prefix (which I didn't expect to do much), but 
the route doesn't show in the output of "ospfctl show rib".


Is what I am trying to do possible? I know that IPsec isn't a routed 
protocol and so it's not normally useful to announce routes to other 
routers, plus the policy tends to restrict the type of traffic that is 
allowed to pass through the tunnel.


Currently I've set a static route on the other gateway, and this is 
what's being redistributed into OSPF.


I saw in the man page that you can redistribute based on rtlabel, but 
couldn't see that the IPsec routes (which I suspect aren't normal 
routes) can be assigned an rtlabel.


This wouldn't be an issue if I tied all my carp interfaces together so 
that the same host was always master for all interfaces (or at least all 
interfaces on VPN-related networks). There's no real reason I haven't 
done that aside from thinking that it shouldn't be necessary, but maybe 
now it is...


--
Russell Howe, IT Manager. [EMAIL PROTECTED]
BMT Marine & Offshore Surveys Ltd.