strange pf problem with 4.3 and vlans
I use openbsd 4.3 i386 with vlans over a bridge and traffic is filtered. When I add vlan116 after vlan120 to the bridge, traffic on vlan120 will be filtered by pf on vlan116. In pf.conf I need pass in on vlan116 for incoming traffic on vlan120. If I add the vlans in the correct order, first vlan116 and then vlan120, all is working fine and in pf.conf traffic on vlan120 can be filtered by pass in on vlan120. Is that a bug or a feature?

-Thomas
Re: vlan trunking OpenBSD/Cisco switch
hello,

it works.

on openbsd trunk device em0:

ifconfig vlan 1 vlandev em0 up (for example)

on cisco (2950 or 2960):

interface GigabitEthernet0/1
 switchport trunk allowed vlan 1
 switchport mode trunk
 no cdp enable
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable

that's all

- Thomas

On Wednesday 09 January 2008 20:18, you wrote:

Hello,

Is it possible to do vlan trunking between an OpenBSD and a cisco switch? I know you can create vlan interfaces in OpenBSD but how would they be trunked with the switch? In the physical interface (hostname.fxp1) i should just put 'up'? Do you have to set some kind of native vlan here?

Example:

$ cat /etc/hostname.fxp1
up
$ cat /etc/hostname.vlan0
inet 172.21.0.31 255.255.255.0 NONE vlan 2 vlandev fxp1

I don't have a spare box to test this right now, so any guidelines, advice or tips on how to do this would be greatly appreciated as i have to do this overnight.

Thanks
Der
reporting of flowd data
hi list,

i'm looking for a reporting tool that can read the output of /var/log/flowd or the ascii data of flowd-reader. does anyone have an idea ?

thanks
thomas
openbsd debugger
hi folks,

if anyone wants to see the openbsd debugger, here a nice tip or bug :-)

as root

---snip---
mount -o ro /
mount -o ro /
---snip---

-Thomas
Re: flashdist-20061112 with openbsd 4.1 - SOLVED
Hi List, the problem is solved with the following patch for the flashdisk.sh ---snip--- --- flashdist.shMon Nov 13 04:15:50 2006 +++ flashdist-new.shWed Aug 1 13:37:49 2007 
@@ -473,6 +473,24 @@ # Here we setup an 'a' partition that takes up the whole flash media # and a 'b' partition of minimal size which can be used with mount_mfs +echo type: SCSI $T +echo disk: vnd device $T +echo label: fictitious $T +echo flags: $T +echo bytes/sector: ${bytessec} $T +echo sectors/track: ${sectorstrack} $T +echo tracks/cylinder: ${trackscylinder} $T +echo sectors/cylinder: ${sectorscylinder} $T +echo cylinders: ${cylinders} $T +echo total sectors: ${totalsize} $T +echo rpm: 3600 $T +echo interleave: 1 $T +echo trackskew: 0 $T +echo cylinderskew: 0 $T +echo headswitch: 0 $T +echo track-to-track seek: 0$T +echo drivedata: 0 $ +echo $T echo a: $asize$sectorstrack 4.2BSD 1024819216 $T echo b: 1 $offset swap $T echo c: $totalsize0 unused 0 0 $T ---snip--- Thomas Hi List, i've probleme with flashdist and OpenBSD 4.1. 4.0 works fine but on 4.1 i've problems with the partiontables. here my setup procedure - # dd if=/dev/zero of=flashimg bs=512 count=250368 250368+0 records in 250368+0 records out 128188416 bytes transferred in 2.593 secs (49432122 bytes/sec) # vnconfig -c svnd0 flashimg # sh flashdist.sh svnd0 flashsmall.txt bsd / flashdist.sh 20061112 [EMAIL PROTECTED] Using disk device: svnd0 Using distfile: flashsmall.txt Copying kernel from: bsd You did not specify -d and you did not specify a manual geometry. Please enter Cylinders/Heads/SectorsPerTrack. Cylinders: 978 Tracks Per Cylinder(Heads): 8 Sectors Per Track: 32 Please pay attention to any error messages that you may receive from the commands this script is using. If you end up having problems, they could explain why. WARNING: This will erase ALL DATA on the svnd0 disk device! Press enter key to continue or Control-C to abort... Updating MBR and partition table... fdisk: sysctl(machdep.bios.diskinfo): Device not configured Note, you may ignore sysctl(machdep.bios.diskinfo) errors if present. Setting up disklabel... 
# Inside MBR partition 3: type A6 start 32 size 250336 The install script is using the following parameters: Total size of media: 250368 sectors (128188416 bytes) Bytes/Sector: 512 Sectors/Track: 32 Sectors/Cylinder: 256 Tracks/Cylinder (heads): 8 Cylinders: 978 Press enter key to continue or Control-C to abort... Checking distribution list... Installing disklabel... # Inside MBR partition 3: type A6 start 32 size 250336 Creating new filesystem... /dev/rsvnd0a: 250080 sectors in 977 cylinders of 8 tracks, 32 sectors 122.1MB in 4 cyl groups (285 c/g, 35.62MB/g, 9088 i/g) Mounting destination to /tmp/flashdist.iXZgI9414... Checking free space on svnd0... Copying OpenBSD distribution to media... Copying bsd kernel, boot blocks, /etc/resolv.conf... Installing boot blocks... Running MAKEDEV...done Setting up directories and links... Changing any instance of /bin/csh in /tmp/flashdist.iXZgI9414/etc/master.passwd to /bin/ksh Generating new RSA host key... done Generating new RSA1 host key... done Generating new DSA host key... done Please assign a root password... Password: Verify: Passwords don't match or password was empty. Try again. Password: Verify: Copying configuration files to /etc... ttys fstab rc syslog.conf boot.conf nshrc Please enter the hostname or IP address of the central log host which will receive udp syslog packets from this installation. (Press enter for none, and syslog will log to ramdisk) Loghost: Installation finished. Unmounting filesystem...done! 
-- # fdisk svnd0 fdisk: sysctl(machdep.bios.diskinfo): Device not configured Disk: svnd0 geometry: 978/8/32 [250368 Sectors] Offset: 0 Signature: 0xAA55 Starting Ending LBA Info: #: idC H S -C H S [ start: size ] 0: E8 963667 7 23 - 14415919 1 7 [ 246698998: 3443776305 ] Unknown ID 1: 010 0 1 - 16777215 7 32 [ 0: 0 ] DOS FAT-12 2: 000 0 0 -0 0 0 [ 0: 0 ] unused 3: 3F0 0 1 - 16777215 7 32 [ 0: 0 ] Unknown ID # disklabel svnd0 # /dev/rsvnd0c: type: vnd disk: vnd device label: fictitious flags: bytes/sector: 512 sectors/track: 32 tracks/cylinder: 8 sectors/cylinder: 256 cylinders: 978 total sectors: 250368 rpm: 3600 interleave: 1 trackskew: 0 cylinderskew: 0 headswitch: 0 # microseconds track-to-track seek: 0 # microseconds drivedata: 0 16 partitions: # size
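Review bot: two lines in the added disklabel header block break the otherwise uniform `... $T` line ending and should be aligned with their neighbours: `+echo track-to-track seek: 0$T` lacks the space before `$T`, and `+echo drivedata: 0 $` lacks the `T` entirely, so that line is echoed with a trailing literal `$` instead of getting whatever `$T` supplies. Suggest `echo track-to-track seek: 0 $T` and `echo drivedata: 0 $T`. A short comment above the new block saying why the full header (geometry, rpm, skews) must now be emitted ahead of the `a:`/`b:`/`c:` lines on 4.1 would also help the next person who edits flashdist.sh.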
flashdist-20061112 with openbsd 4.1
Hi List,

i've problems with flashdist and OpenBSD 4.1. 4.0 works fine but on 4.1 i've problems with the partition tables. here my setup procedure:

# dd if=/dev/zero of=flashimg bs=512 count=250368
250368+0 records in
250368+0 records out
128188416 bytes transferred in 2.593 secs (49432122 bytes/sec)
# vnconfig -c svnd0 flashimg
# sh flashdist.sh svnd0 flashsmall.txt bsd /
flashdist.sh 20061112 [EMAIL PROTECTED]
Using disk device: svnd0
Using distfile: flashsmall.txt
Copying kernel from: bsd
You did not specify -d and you did not specify a manual geometry.
Please enter Cylinders/Heads/SectorsPerTrack.
Cylinders: 978
Tracks Per Cylinder(Heads): 8
Sectors Per Track: 32
Please pay attention to any error messages that you may receive from the commands this script is using. If you end up having problems, they could explain why.
WARNING: This will erase ALL DATA on the svnd0 disk device!
Press enter key to continue or Control-C to abort...
Updating MBR and partition table...
fdisk: sysctl(machdep.bios.diskinfo): Device not configured
Note, you may ignore sysctl(machdep.bios.diskinfo) errors if present.
Setting up disklabel...
# Inside MBR partition 3: type A6 start 32 size 250336
The install script is using the following parameters:
Total size of media: 250368 sectors (128188416 bytes)
Bytes/Sector: 512
Sectors/Track: 32
Sectors/Cylinder: 256
Tracks/Cylinder (heads): 8
Cylinders: 978
Press enter key to continue or Control-C to abort...
Checking distribution list...
Installing disklabel...
# Inside MBR partition 3: type A6 start 32 size 250336
Creating new filesystem...
/dev/rsvnd0a: 250080 sectors in 977 cylinders of 8 tracks, 32 sectors
122.1MB in 4 cyl groups (285 c/g, 35.62MB/g, 9088 i/g)
Mounting destination to /tmp/flashdist.iXZgI9414...
Checking free space on svnd0...
Copying OpenBSD distribution to media...
Copying bsd kernel, boot blocks, /etc/resolv.conf...
Installing boot blocks...
Running MAKEDEV...done
Setting up directories and links...
Changing any instance of /bin/csh in /tmp/flashdist.iXZgI9414/etc/master.passwd to /bin/ksh
Generating new RSA host key... done
Generating new RSA1 host key... done
Generating new DSA host key... done
Please assign a root password...
Password:
Verify:
Passwords don't match or password was empty. Try again.
Password:
Verify:
Copying configuration files to /etc... ttys fstab rc syslog.conf boot.conf nshrc
Please enter the hostname or IP address of the central log host which will receive udp syslog packets from this installation. (Press enter for none, and syslog will log to ramdisk)
Loghost:
Installation finished.
Unmounting filesystem...done!

--

# fdisk svnd0
fdisk: sysctl(machdep.bios.diskinfo): Device not configured
Disk: svnd0       geometry: 978/8/32 [250368 Sectors]
Offset: 0         Signature: 0xAA55
          Starting         Ending         LBA Info:
 #: id      C   H  S -      C   H  S [       start:        size ]
 0: E8 963667   7 23 - 14415919   1  7 [   246698998:  3443776305 ] Unknown ID
 1: 01      0   0  1 - 16777215   7 32 [           0:           0 ] DOS FAT-12
 2: 00      0   0  0 -        0   0  0 [           0:           0 ] unused
 3: 3F      0   0  1 - 16777215   7 32 [           0:           0 ] Unknown ID

# disklabel svnd0
# /dev/rsvnd0c:
type: vnd
disk: vnd device
label: fictitious
flags:
bytes/sector: 512
sectors/track: 32
tracks/cylinder: 8
sectors/cylinder: 256
cylinders: 978
total sectors: 250368
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  a:        250080            32  4.2BSD   1024  8192  285 # Cyl     0*-   976
  b:             1        250112    swap                   # Cyl   977 -   977*
  c:        250368             0  unused      0     0      # Cyl     0 -   977

after unmounting and mounting the image

# disklabel svnd0
# /dev/rsvnd0c:
type: vnd
disk: vnd device
label: fictitious
flags:
bytes/sector: 512
sectors/track: 100
tracks/cylinder: 1
sectors/cylinder: 100
cylinders: 2503
total sectors: 250368
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  c:        250368             0  unused      0     0      # Cyl     0 -  2503*
  i:        250368             0   MSDOS                   # Cyl     0 -  2503*

it seems very strange, does anyone have an idea ? with openbsd 4.0 no problem

Thanks
Thomas
Faster SBC - New Testresults
i've now tested this device here: http://www.ipc2u.de/catalog/E/EL/33640.html

my config:

linuxbox1 - new box obsd 3.9 - pc obsd 3.9 - linuxbox1

between the new box and the pc with obsd 3.9 is a ethernet crosscable. on both boxes is running a ipsec tunnel with isakmp with aes encryption and rsa authentication with 4096 bit.

throughput: i've transferred a 100M file with scp from

linuxbox1 to linuxbox2: 5,4MB/s
linuxbox2 to linuxbox1: 5,1MB/s

CPU peak 80%, average 60%

This seems very good. i've now ordered a second box and will make a throughput test with the ralink cards.

Thomas
Re: Transparent bridge rdr SSH traffic
yes i tried, but it doesn't work, you need an ip address on sis0

Thomas

On Wed, 2006-09-27 at 22:23 +0200, Johan wrote:

Hi,

We are trying to put an OpenBSD server (3.9 with all patches) between an ADSL modem and a commercial firewall. Using transparent bridge and PF, is it possible to redirect all SSH traffic arriving at sis0 to 127.0.0.1 on the OpenBSD server and pass all other traffic to the existing firewall? We still want the existing firewall to get the (only) public ip via dhcp from the ADSL modem. Must the bridge (sis1 or sis0) have a public ip for this to work? We have been trying google/groups and a lot of different setups in pf.conf without any luck. Is this setup possible at all? Any help, hints or suggestions would be much appreciated!

Regards
Johan Linnir

[ASCII diagram: ADSL modem -- OpenBSD (bridge0 over sis0 and sis1, sshd on 127.0.0.1) -- Firewall (DHCP on ExtInt)]
Re: Wireless Bridge...
bridging doesn't work with wireless lan.

Thomas

On Mon, 3 Jul 2006, Novak, Trevor SCIC wrote:

I'm trying to setup a wireless bridge with openbsd on a Toshiba laptop. I'm using an SMC2532W-B (Prism 2.5) wireless card and a 3Com 3C574-TX. I've created a bridgename.bridge0 file and added wi0 and ep1 to the file. The bridge is up and running. I can ping both on the wireless side and the ethernet side from the Obsd box, but I can't get any traffic to pass through it. I don't have PF running, in fact, I've stopped most of the services (hopefully not one I need). Anyway, any help would be appreciated.
usb ralink RT2571 problem
i tried 2 usb ralink RT2571F usb with openbsd 3.9 and -current.

ural0 at uhub0 port 1
ural0: ASUS 802.11g WLAN Drive, rev 2.00/0.01, addr 2
ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526, address 00:17:31:2e:ae:34

problem: this ifconfig works

ifconfig ural0 192.168.2.2 netmask 255.255.255.0 nwid raltest mediaopt ibss

but the throughput is very slow (90KB/s). if i use the options media OFDM54 or mode 11g the card becomes active, but i see only arp requests ... i saw that the firmware for this chip is not used. why ?

when i use hostap mode with media or mode then i got on the client the mac from the hostap pc but only the same thing with no connection :-(

i tried also the RT2561 miniPCI, that works great.

has anyone an idea ?

thanks
Thomas
Throughput Problem OpenBSD3.9 soekris 4801 isakmpd
hi list,

i've done several tests and i got bad values :-(

2 soekris net 4801

pc --- net4801 --- net 4801 --- pc

Test: transfer of a 10MB file with SCP from pc to pc

1. test between the net4801 wlan with ralink, no encryption, no isakmp
   - good: 2 MByte/s, CPU 10 %
2. test same as 1. with isakmp
   Transforms= AES-SHA-RSA_SIG
   Suites= QM-ESP-AES-SHA-PFS-SUITE
   - bad: max. ca. 520 - 540 KByte/s, CPU 50 - 60 %
3. test same as 2. with pf
   - bad: max. ca. 450 - 500 KB/s, CPU 50 - 60 %
4. test same as 2. with crosscable between the net4801, no wlan
   - bad: ca. 740 - 750 KB/s, CPU 75%

Has anyone an idea what's the problem? Is there a way to get a higher throughput with encryption ?

Thanks.
Thomas
Re: Throughput Problem OpenBSD3.9 soekris 4801 isakmpd
with the vpn1411 crypto card i get only 700 - 720 KB/s, CPU 30%.

by the way the driver of the crypto card is buggy. i have a lot of cards here removed in the last year. i got several hangs. hans-joerg has no time to fix it. this was discussed on this list very often.

On Wed, 2006-06-28 at 09:08 -0700, Scott Francis wrote:

On 6/28/06, Thomas Börnert [EMAIL PROTECTED] wrote:
[snip]
Has anyone an idea what's the problem. Is there a way to get a higher throughput with encryption ?

yes. Buy a vpn1411 hardware crypto accelerator for your net4801. In fact, you could have bought one when you purchased the soekris. It's a miniPCI card that plugs right into the board and greatly increases crypto performance.
problem sis timeout openbsd 3.9
hi folks,

my setup

pc1 - soekris 4801 - soekris 4801 - pc2

between the soekris boxes wlan with ralink (2561)
default 3.9 setup without isakmp ...

pc1
ifconfig eth0 192.168.20.2 netmask 255.255.255.0 up
route add default gw 192.168.20.1 eth0

box1
sysctl -w net.inet.ip.forwarding=1
ifconfig ral0 192.168.2.1 netmask 255.255.255.0 up
ifconfig ral0 nwid raltest
ifconfig ral0 media OFDM54
ifconfig ral0 mediaopt ibss
ifconfig sis0 192.168.1.1 netmask 255.255.255.0 up
route add -net 192.168.20.0/24 192.168.2.2

box2
sysctl -w net.inet.ip.forwarding=1
ifconfig ral0 192.168.2.2 netmask 255.255.255.0 up
ifconfig ral0 nwid raltest
ifconfig ral0 media OFDM54
ifconfig ral0 mediaopt ibss
ifconfig sis0 192.168.20.1 netmask 255.255.255.0 up
route add -net 192.168.1.0/24 192.168.2.1

pc2
ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up
route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.1.1 eth0

all works fine, but if i copy a file with 500MB from pc2 to pc1 with scp i got a break on the communication on the sis0 on box1 after some seconds.

interrupts shows before:

[systat vmstat screen; recoverable counters: Interrupts 6734 total, 2397 sis0, 4108 ral0, 1 pccom0, 100 clock, 128 rtc; 34.1% Idle]

if i do a ifconfig sis0 up it works again. i've no message in dmesg.

strange: without ralink it works.

any idea ?

Thanks
Thomas
problem sis timeout openbsd 3.9 - UPDATE
an additional info: in the first step i use the ralink RT2561T. now i tried the ralink RT2560F and i must press ifconfig sis0 up every 3 seconds and the throughput is also very bad. i think it can also be a problem of the ralink driver.

-Thomas

hi folks,

my setup

pc1 - soekris 4801 - soekris 4801 - pc2

between the soekris boxes wlan with ralink (2561)
default 3.9 setup without isakmp ...

pc1
ifconfig eth0 192.168.20.2 netmask 255.255.255.0 up
route add default gw 192.168.20.1 eth0

box1
sysctl -w net.inet.ip.forwarding=1
ifconfig ral0 192.168.2.1 netmask 255.255.255.0 up
ifconfig ral0 nwid raltest
ifconfig ral0 media OFDM54
ifconfig ral0 mediaopt ibss
ifconfig sis0 192.168.1.1 netmask 255.255.255.0 up
route add -net 192.168.20.0/24 192.168.2.2

box2
sysctl -w net.inet.ip.forwarding=1
ifconfig ral0 192.168.2.2 netmask 255.255.255.0 up
ifconfig ral0 nwid raltest
ifconfig ral0 media OFDM54
ifconfig ral0 mediaopt ibss
ifconfig sis0 192.168.20.1 netmask 255.255.255.0 up
route add -net 192.168.1.0/24 192.168.2.1

pc2
ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up
route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.1.1 eth0

all works fine, but if i copy a file with 500MB from pc2 to pc1 with scp i got a break on the communication on the sis0 on box1 after some seconds.

interrupts shows before:

[systat vmstat screen; recoverable counters: Interrupts 6734 total, 2397 sis0, 4108 ral0, 1 pccom0, 100 clock, 128 rtc; 34.1% Idle]

if i do a ifconfig sis0 up it works again. i've no message in dmesg.

strange: without ralink it works.

any idea ?

Thanks
Thomas
Re: problem sis timeout openbsd 3.9
ok i tried it and it works, ... strange ...

the throughput is a little bit higher, without the patch it was 2,4 MB/s and with the patch 2,7 MB/s. (scp) and i've 1500 total interrupts more.

But i think the problem is on another place in the code.

Thomas

On Thu, 2006-06-22 at 17:59 +0100, Stuart Henderson wrote:

On 2006/06/22 17:38, Thomas Börnert wrote:
pc1 - soekris 4801 - soekris 4801 - pc2
between the soekris boxes wlan with ralink (2561)
all works fine, but if i copy a file with 500MB from pc2 to pc1 with scp i got a break on the communication on the sis0 on box1 after some seconds.

please try http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yesnumbers=5155
Re: problem sis timeout openbsd 3.9
it's sure no power-saving problem, because: i'm using the boxes as router with ral. with the RT2561 Chip i had this problem only after 500MB transferred data, with the RT2560 Chip i had this problem after some MB and 3 seconds. And that's no power-saving after 3 seconds.

i've no problem with a ethernet cable between the boxes, but only with the ral cards. i'd also no problem with prism cards. it can be a problem of the ral driver. strange

Thomas

On Thu, 2006-06-22 at 23:14 +0100, Stuart Henderson wrote:

On 2006/06/22 19:44, Thomas Börnert wrote:
ok i tried it and it works, ... strange ... the throughput is a little bit higher, without the patch it was 2,4 MB/s and with the patch 2,7 MB/s. (scp) and i've 1500 total interrupts more. But i think the problem is on another place in the code.

Glancing through the datasheet for dp83815 one thing that stuck out was a mention of disabling rx in power-saving, and I know that geode systems do a bunch of power-saving that can't be disabled (VSA loaded by BIOS runs above everything else on the cpu and can control this sort of thing), which has caused problems in other areas before (do you see that 'TSC disabled' right at the top of dmesg? played hell with altq until that was done...)

I guess if anyone has both a sis(4) and ral(4) they can try in a non-soekris box, if they don't see the same freeze-ups remedied by 'ifconfig sisN up', that lends support for this hypothesis (or, if they do see the same problem, blows it out the water)...

The oldest version of Donald Becker's linux driver for the chip which I could find does this same thing (bottom of netdev_rx in natsemi.c, Restart Rx engine if stopped.) so unfortunately there's no time when it was added with additional details about why it was done, but it does seem to be known (at least by some people) to be necessary with the chip.
--
With kind regards
Best regards

Thomas Börnert
Partner and Managing Director
Senior IT Consultant Manager
BSI-licensed auditor for ISO 27001 based on IT-Grundschutz

DO NOT GIVE OUR ADDRESS TO THIRD PARTIES, WE HATE JUNK-MAIL
___
TBits.net GmbH  | Phone:   +49 (0)7172 18391-0
Thomas Börnert  | Fax:     +49 (0)7172 18391-99
Seeweg 6        | Service: +49 (0)700 TBITSNET
D-73553 Alfdorf | Car:     +49 (0)170 6744415
www.tbits.net   | eMail:   [EMAIL PROTECTED]

Key fingerprint = 8602 2EF5 78FD 3C04 B148 2506 5D4F 6A49 E4E2 9D15
Re: build samba with kerberos support
please try the version from ftp.sernet.de, there is also heimdal for krb support with samba.

Thomas

On Tuesday, 06.06.2006, 17:06 +0200, Thomas Schoeller wrote:

hi list,

i try to build the samba ldap port with kerberos support. i have added the --with-ads --with-krb5 options to the Makefile. but the configure script reported:

checking whether LDAP support is used... yes
checking for Active Directory and krb5 support... no

maybe the missing krb5-config program is the problem. but i do not know how to build the krb5-config binary which is not in the source tree. i like to build a samba member server so i could use the ntlm helper script from squid to auth my users. has somebody got this working? any comments on this?

regards
thomas
pf label issue
Hi list,

my rules:

pass in quick on $extif ...
pass in quick on $extif ...
pass out quick on $extif ...

and so on, about 100 rules. the order of the rules is optimized, the first rules are the rules with the most traffic.

now i want to do accounting with labels. after these rules i place

pass in quick on $extif from any to $server1 label "in server1"
pass out quick on $extif from $server1 to any label "out server1"

ok, this doesn't work if i've in my 100 of rules the quick keyword. if i remove the quick keyword it works. quick in the label rules are ok.

after removing the quick keywords my optimized order is unprofitable. each packet will be evaluated in each rule :-(. is there a way to optimize this construct ?

My next problem is: After adding or removing some of my rules in pf.conf and reloading pf with pfctl -f pf.conf the label statistics will be reset :-(. Is there a way to reload pf.conf without touching the statistics of existing labels ? (the label rules are not changed).

Thanks !
Thomas
how to reset interface statistics
Hi @all

i want to use pf for accounting.

pfctl -s Interfaces -i interface -vv

shows the statistics; fine :-) but i want to reset these statistics every day and write them to a file. does anyone know how i can reset the statistics ?

pfctl -F info

doesn't clear it. another way can be using

netstat -b -I hme1

but i've the same problem to reset the statistics.

Thanks for help.
-Thomas
Re: how to reset interface statistics - solved
i found a solution ...

create a label

pass in from 0/0 to destination label "in $dstaddr"

read and reset the counter with

pfctl -sl -z

that's it

Thomas

On Wed, 2006-05-10 at 13:05 +0200, Thomas Börnert wrote:

Hi @all

i want to use pf for accounting.

pfctl -s Interfaces -i interface -vv

shows the statistics; fine :-) but i want to reset these statistics every day and write them to a file. does anyone know how i can reset the statistics ?

pfctl -F info

doesn't clear it. another way can be using

netstat -b -I hme1

but i've the same problem to reset the statistics.

Thanks for help.
-Thomas
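A small accounting helper for the label approach in the two pf label threads above (the "pf label issue" post and this one), as an added example that is not part of the original thread: it parses the text printed by `pfctl -sl`, splits the counters off from the right so that labels containing spaces (such as "in server1") stay intact, and sums successive zeroed-after-read snapshots into a running store, so that the reset caused by `-z` or by a `pfctl -f pf.conf` reload does not lose the history. The sample output, the column names and all function names are assumptions.

```python
"""Accounting on pf rule labels (added example, not code from the thread).

Reads `pfctl -sl -z` output (print per-label counters, then zero them),
adds each snapshot into a running store and renders a per-day report.
Because the counters are zeroed at every read, a plain sum is exact; a
`pfctl -f pf.conf` reload between two reads loses only the traffic seen
since the previous read.
"""
import subprocess
from datetime import date
from typing import Dict

# Counter columns printed by `pfctl -sl` on recent versions (older versions
# print only the first three). The names are ours; pf prints no header.
COUNTER_NAMES = ("evaluations", "packets", "bytes", "packets_in", "bytes_in",
                 "packets_out", "bytes_out", "states")

# Constructed sample of `pfctl -sl` output: labels follow the thread's
# "in server1" / "out server1" pattern, the numbers are invented.
SAMPLE_PFCTL_SL = """\
in server1 1200 850 612340 850 612340 0 0 12
out server1 1180 790 9981230 0 0 790 9981230 0
in 10.0.0.5 44 44 3520 44 3520 0 0 2
"""

Snapshot = Dict[str, Dict[str, int]]


def parse_labels(text: str) -> Snapshot:
    """Parse `pfctl -sl` lines into {label: {counter: value}}.

    Counters are split off from the right end of the line, so a label that
    contains spaces (pf accepts label "in server1") or ends in digits is not
    torn apart. The 8-column format is tried first, then the old 3-column one.
    """
    result: Snapshot = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        for ncols in (len(COUNTER_NAMES), 3):
            parts = line.rsplit(None, ncols)
            if len(parts) == ncols + 1 and all(p.isdigit() for p in parts[1:]):
                result[parts[0]] = dict(zip(COUNTER_NAMES, map(int, parts[1:])))
                break
        else:
            raise ValueError(f"unparseable pfctl -sl line: {line!r}")
    return result


def accumulate(store: Snapshot, snapshot: Snapshot) -> Snapshot:
    """Add one zeroed-after-read snapshot into the running totals."""
    for label, counters in snapshot.items():
        totals = store.setdefault(label, {})
        for name, value in counters.items():
            totals[name] = totals.get(name, 0) + value
    return store


def render_report(store: Snapshot, day: str) -> str:
    """One line per label (sorted), ready to append to a daily accounting file."""
    lines = []
    for label in sorted(store):
        fields = " ".join(f"{k}={v}" for k, v in store[label].items())
        lines.append(f'{day} "{label}" {fields}')
    return "\n".join(lines) + "\n"


def read_live_labels() -> Snapshot:
    """Read and zero the live counters; needs root on OpenBSD. Not used offline."""
    proc = subprocess.run(["pfctl", "-sl", "-z"], capture_output=True,
                          text=True, check=True)
    return parse_labels(proc.stdout)


if __name__ == "__main__":
    totals: Snapshot = {}
    # Two cron runs with the counters zeroed in between, simulated offline.
    accumulate(totals, parse_labels(SAMPLE_PFCTL_SL))
    accumulate(totals, parse_labels(SAMPLE_PFCTL_SL))
    print(render_report(totals, date.today().isoformat()), end="")
```

Replacing the two sample reads with `read_live_labels()` turns the `__main__` block into the body of a cron job; the store itself would then need to be persisted between runs.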
Re: ar5212 wireless in a soekris 4801 debug question
5212 will not work, i've spent hours on hours, only 5213 will work. I've talked to Reyk ... and it is strange.

Thomas

On Wed, 2006-02-22 at 07:22 +0100, Johan Torin wrote:

On Wednesday 22 February 2006 03:07, b h wrote:

Hi

I have a (slightly older, but still snazzy) generic acting as my gateway - see dmesg at bottom. my laptop internal wired NIC was acting funny, so I thought I'd try wireless to network through my net4801 gateway. Never using my wireless card before on the soekris (sat in the machine dormant for a year never configured), I thought I'd finally try out the excellent wireless support in OpenBSD. Following the man page, I have

# cat /etc/hostname.ath0
inet 10.0.1.1 255.255.255.0 NONE media autoselect mediaopt hostap nwid my_net chan 11

[...]

Yes, this is a gotcha the man-page doesn't mention. The ath driver is only capable of using 11b, so add 'mode 11b' to your hostname.ath/ifconfig line and it should work.

/Johan
Re: Hostap and 802.11g
no, only 11b with atheros. there is no implementation for 11g in openbsd.

Thomas

On Tue, 2006-02-21 at 22:02 -0500, Melameth, Daniel D. wrote:

Is ANYONE doing hostap with 802.11g? If so, is it working well? And doing WEP? If not, any thoughts on doing this with -current? Thoughts appreciated--I'd love a make, model and relevant dmesg of anyone doing hostap with 802.11g.

Thanks,
Danny
Re: pix firewall question
pix isn't so easy as openbsd :-|

rdr from outside:

global (outside) 1 interface
nat (inside) 1 INTERNALPC 255.255.255.255
static (inside,outside) tcp EXTERNALIP smtp INTERNALPC smtp netmask 255.255.255.255

Thomas

On Sat, 2006-02-18 at 13:13 -0500, Rod Dorman wrote:

On Saturday, February 18, 2006, 12:26:58, [EMAIL PROTECTED] wrote:

Hi there. I am a long time user of openbsd and ipf/pf. I just got stuck with the task of managing some pix firewalls for the next eight weeks until they can get someone else. Could somebody reply to me off list? I just need to do some simple redirects. Simple in openbsd, that is, but I can't figure out how to do it on the pix.

Never used a PIX so I can't directly answer ya but have you browsed the comp.dcom.sys.cisco archive?
Re: OpenBSD, Samba and active directory
not on openbsd, but i think you need heimdal and not the krb5

Thomas

On Mon, 2006-01-30 at 14:16 -0500, Paolo Supino wrote:

Hi

I'm trying to compile Samba 3.0.21a on OpenBSD 3.8 with active directory enabled and when I run the configure script it fails to find libkrb5. Has anyone recently tried to compile Samba with Active Directory support enabled?

TIA
Paolo
Re: webmin like for openbsd
yes, see here, it's only for pf i think: http://www.allard.nu/pfw/

-Thomas

On Fri, 2006-01-27 at 22:46 +0800, [EMAIL PROTECTED] wrote:

guys, do you have any idea if there's another package like webmin for openbsd? what is your comment also about webmin.. is it safe to use?

thanks guys.. ;)
Re: Banking with OpenBSD
Hi,

in germany is a small good bank www.martinbank.de. They have really no costs per month and per booking. it's the cheapest bank in germany that i know. and they have firewalls with a very secure operating system. They will also support client certificates in the next weeks for a much more secure internet banking. i use this with firefox without any problems.

Thomas

On Wednesday, 11.01.2006, 19:29 -0700, Austin Hook wrote:

Here's a different kind of technical question -- who out there can recommend a Euro zone bank with Internet banking service which does a good job with OpenBSD and Mozilla-Firefox? North American banks generally work fine with Firefox and OpenBSD, but our current account with Bank of Ireland really requires Microsoft. Hopefully, also, it would be a bank that communicates well in either English or French, and is not the worst in the extra little charges and fees problem.

Thanks,
Austin
Re: MPLS-VPN Support in OpenBSD
On Friday, 06.01.2006, 12:33 +0059, Claudio Jeker wrote:

On Thu, Jan 05, 2006 at 09:26:23PM -0500, [EMAIL PROTECTED] wrote:

Hi,

I was wondering if there were any plans to add MPLS/VPN support into OpenBSD? NetBSD had some folks working on the Amaye project (http://www.ayame.org/) but that seems to have been dormant for a long time...

I'm currently not interested in MPLS and I don't think any of the other developers is. I try to avoid MPLS as it is evil. It seems nobody learned from the ATM fiasco.

Why ?

Thomas
Re: MPLS-VPN Support in OpenBSD
Thanks Claudio. Is there also a security issue with MPLS VPN ? Or is a normal VPN more secure than an MPLS VPN ? Thanks ... it's very interesting.

Thomas

Why what? Why I'm not interested in it or why I think MPLS is evil?

MPLS is doing label switching on a hop by hop basis. In larger networks it is way too easy to screw something up in the lookup tables and suddenly your traffic is flowing to a totally different location. Finding and fixing such misconfigurations is extremely time intensive as you need to reconstruct the path. If I have to tunnel traffic through a network I would use L2TPv3.
vr0 interrupt_vector: spurious vector 7c3 at pil 7 sparc64
hi folks,

i've a sun ultra 5 running openbsd 3.5 with a 5 port levelone switch ethernet card without any problems. the card runs also on a intel pc with openbsd 3.8 without any problems.

now i've a sun netra t1 105 with openbsd 3.8 with the same card and i've problems.

ifconfig vr0 up
interrupt_vector: spurious vector 7c3 at pil 7

... sometimes later ...

vr0: watchdog timeout

does anyone have an idea?

thanks
Thomas
Re: vr0 interrupt_vector: spurious vector 7c3 at pil 7 sparc64
On Wed, 2005-12-21 at 23:20 +, Stuart Henderson wrote:

now i've a sun netra t1 105 with openbsd 3.8 with the same card and i've problems.

irq swizzling is broken on the t1 on OpenBSD. Cards requiring an irq mostly won't work right, it is possible to work around for some cards in ofw which you'll find some info in the sparc@ archives.

i can't find any info on the list openbsd-sparc and google. have you an additional idea ?

thanks
Thomas
Re: Soekris
Yes, you need only 22 MB :-)

Thomas

On Thu, 2005-12-08 at 09:41 -0200, Gustavo Rios wrote:

One more question: I was thinking going for net4526-30 model. Is 64MB CF enough to run openbsd 3.8 for a wireless router?

Thanks in advance.

2005/12/8, Rick Aliwalas [EMAIL PROTECTED]:

On Thu, 8 Dec 2005, Gustavo Rios wrote:

I hear CF is slow! Is that true? Which is faster: a 2.4 hard disk or a SanDisk CF?

Since my Soekris is only used as a router/firewall, the CF card is only read at boot time so speed is not much of an issue. The machine does boot up real fast though since it's much simpler than a PC. I have heard the CF Microdrives are kind of slow and not built to do lots of reads and writes, but hey, if you need a PC, buy a PC! Soekris' are reliable because they have no moving parts. Which is good - completely silent and they generate little heat. I'd have to imagine that a good quality 2.5 hard drive is faster than a CF card but don't know for sure.

Another question: what is your minipci wireless device model?

Netgate has Soekris kits that come with all the cables, antennas, etc. http://www.netgate.com/index.php?cPath=27_43 I purchased the kit w/ the 802.11b Intersil 2.5 mini-PCI card and a single antenna. I also purchased a 802.11b Intersil 2.5 PCMCIA card for my OpenBSD laptop. They do have 802.11g support now for OpenBSD but I haven't tried it yet. Also, looks like they have dual-antenna kits now too. Looks like Netgate now has a nice case pre-drilled for antennas for the net4526 and net4826.

-rick

Thanks once more for your time and cooperation.

2005/12/8, Rick Aliwalas [EMAIL PROTECTED]:

On Wed, 7 Dec 2005, Gustavo Rios wrote:

Dear gentleman, i am planning a single router for my 5 boxes network (not including the router). I am thinking using Soekris for such a task. I was thinking on net4526 model (http://www.soekris.com/net4526.htm). If there is anyone here running such hardware, i would like to hear which harddisk and wireless (as also the antenna if it came apart) device are you running.

I'm using a net4501 and a mini-pci Prism-based 802.11b wireless card from http://www.netgate.com . Works beautifully w/ OpenBSD - one of the few things in life I can always count on! I had to drill a hole in the case for the antenna. I'm also using a SanDisk 256MB compact flash card and did a plain vanilla install using pxeboot. I used to use a SanDisk 64MB CF card and installed OpenBSD using flashdist (see http://www.nmedia.net/~chris/soekris/ ). That worked fine too.

-rick aliwalas

Thank you for your time and cooperation.

Best regards.
fixed Re: Can't get VM_UVMEXP: Cannot allocate memory 3.8 GENERIC
Hi all

it's fixed. i'd installed gmake and that was the problem. after removing gmake it works.

thanks.
Thomas

On Tue, 6 Dec 2005, Tom Cosgrove wrote:

Thomas Börnert 6-Dec-05 08:08 you wrote
due to lack of details
what details do you need ?

At the very least, send dmesg output from each of the kernels you are talking about. If the system doesn't fully boot, you will need to write down what you see on the screen - it's usually easier to set up another computer and use a serial console to capture this - there are details on how to do this in the FAQ.

Thanks
Tom
Can't get VM_UVMEXP: Cannot allocate memory 3.8 GENERIC
Hi List,

i've a problem with 3.8

systat vm shows this error above and no memory values ...

BUT: if i'm using the original kernel from the 3.8 cd then it works without this error.

BUT: if i build the 3.8 GENERIC kernel by myself without any changes of the GENERIC config, then the error appears.

With 3.7 or older no problem.

What's the difference between the built 3.8 GENERIC kernel on CD and the GENERIC config on the original source CD ?

Thanks for help.
Thomas Boernert