Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover
Thank you all for your replies. Actually, I did not know that providing seamless switching VPN solutions is so problematic. If it can't be done in a simple way, then it doesn't have to be seamless at any cost. Users will manually reconnect to this VPN when CARP does switchover and there will be no drama.

I am currently using IPSEC/L2TP, but I do not insist on switching to wireguard. IPSEC/L2TP simply works smoothly on win10/11/mac. About 2020 I switched IKEv2 to IPSEC/L2TP when my CA certificate expired and I couldn't cope with updating it to get a VPN back to work. It was a pandemic, and everybody worked remotely. Then I quickly switched IKEv2 to IPSEC/L2TP to allow users to work remotely again, and so it remains to this day.

Maybe it's time to replace IPSEC/L2TP with another/newer VPN solution - on the occasion of CARP deployment. All I need is a highly secure VPN solution for win10/win11/mac. I have a dozen very non-technical remote users and this VPN just has to always work when they click CONNECT. That's what I got with IPSEC/L2TP. I also need to assign static IP addresses per user - if I remember correctly, IKEv2 assigned users random addresses from the entire VPN pool and I couldn't cope with IP/user assignment. Any suggestions - what to choose and how to configure it - will be welcome.

Replication is therefore not a priority.

Radek

On Thu, 30 May 2024 08:23:35 - (UTC)
Stuart Henderson wrote:

> On 2024-05-29, Vitaliy Makkoveev wrote:
> > He wants replication. This means both wireguard "servers" know the client
> > state. No client reconnection at failure, no delay, seamless migration
> > from failed node to the backup. Something like sasyncd(8), but for
> > npppd(8) or wg(4).
>
> wireguard doesn't have a "reconnection" in the way IKEv2+MSCHAP or
> IKE+L2TP do, the user doesn't have to do anything, so as long as peers
> are configured on all carp members it should be fairly seamless.
>
> It doesn't care about IP addresses as long as one end can get packets
> through to the other's last known address.
>
> (Reason for ifstated would be to stop any carp backup machines from
> trying to send wireguard packets and confusing things.)
>
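One way to act on the ifstated suggestion above, as an added example that is not part of the thread: an /etc/ifstated.conf (interface names carp0 and wg0 are assumptions) that keeps the wg(4) interface up only while this node is CARP master, so a BACKUP node never sends WireGuard packets to peers. It assumes wg0 on both nodes carries the same private key and peer list, so clients see a single server at the CARP address.

```conf
# Added example: tie wg0 to the CARP state of carp0 (names assumed).
# carp(4) reports link state "up" only while the interface is MASTER,
# so the link tests below track CARP master/backup transitions.
carp_master = "carp0.link.up"
carp_backup = "carp0.link.down"

init-state auto

# Pick the right state at daemon start without assuming either role.
state auto {
	if $carp_master
		set-state master
	if $carp_backup
		set-state backup
}

# MASTER: bring wg0 up so peers' traffic to the CARP address is answered.
state master {
	init {
		run "ifconfig wg0 up"
	}
	if $carp_backup
		set-state backup
}

# BACKUP: take wg0 down so this node stays silent towards the peers;
# wg0 keeps its keys and peers and comes back as soon as CARP flips.
state backup {
	init {
		run "ifconfig wg0 down"
	}
	if $carp_master
		set-state master
}
```

Enable it with ifstated_flags="" in /etc/rc.conf.local (or rcctl enable ifstated) on both CARP members; on a demoted node, "ifconfig wg0" should then show the interface down within one CARP advertisement interval.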
Re: [7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover
Thank you, that explains everything.
Does wireguard support replication? Will it work properly in my CARP setup?

Radek

On Mon, 27 May 2024 21:00:40 +0300
Vitaliy Makkoveev wrote:

> npppd does not support replication
>
> > On 27 May 2024, at 19:58, Radek wrote:
> >
> > Hello,
> > I have two redundant firewalls with CARP: [krz75-MAS]<->[krz75-SLA]. I'm
> > trying to set up redundant IPSEC VPN on it.
> >
> > - CARP + pfsync is working as expected - ca 1-2 pings lost at switchover.
> > - sasyncd seems to work as expected - flows and SADs are replicated
> > between nodes
> > - isakmpd is running with "-S -K" on both nodes
> > - IPSEC/npppd is working as expected on [krz75-MAS] - client can connect to
> > VPN node
> > - IPSEC/npppd is working as expected on [krz75-SLA] (when running as
> > master) - client can connect to VPN node
> >
> > Problem to solve:
> > When I perform the switchover between nodes the "new master" doesn't pick
> > up the VPN sessions. Client needs to disconnect, to wait several dozen
> > seconds and then to reconnect to VPN at new master.
> >
> > Can anybody help me out with making it work?
> > Thanks!
> >
> > Configs on both nodes are the same.
> >
> >
> > May 27 17:37:22 krz75-SLA reorder_kernel: kernel relinking done
> > May 27 17:37:28 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:38:00 krz75-SLA last message repeated 8 times
> > May 27 17:40:03 krz75-SLA last message repeated 31 times
> > May 27 17:42:46 krz75-SLA last message repeated 41 times
> > May 27 17:42:49 krz75-SLA /bsd: carp100: state transition: BACKUP -> MASTER
> > May 27 17:42:49 krz75-SLA /bsd: carp2: state transition: BACKUP -> MASTER
> > May 27 17:42:50 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:42:52 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:42:52 krz75-SLA /bsd: carp0: state transition: BACKUP -> MASTER
> > May 27 17:42:52 krz75-SLA isakmpd[98426]: conf_set_now: duplicate tag
> > [peer-10.0.15.11]:Refcount, ignoring...
> > May 27 17:42:52 krz75-SLA isakmpd[98426]: message_recv: cleartext phase 2
> > message
> > May 27 17:42:52 krz75-SLA isakmpd[98426]: dropped message from 10.0.15.11
> > port 500 due to notification type INVALID_FLAGS
> > May 27 17:42:56 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:42:58 krz75-SLA /bsd: carp100: state transition: MASTER -> BACKUP
> > May 27 17:42:58 krz75-SLA /bsd: carp2: state transition: MASTER -> BACKUP
> > May 27 17:42:59 krz75-SLA isakmpd[98426]: message_recv: invalid cookie(s)
> > e0f66ed709fcf140 16c20619d6f11bf4
> > May 27 17:42:59 krz75-SLA isakmpd[98426]: dropped message from 10.0.15.11
> > port 500 due to notification type INVALID_COOKIE
> > May 27 17:42:59 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:42:59 krz75-SLA /bsd: carp0: state transition: MASTER -> BACKUP
> > May 27 17:43:03 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:43:07 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:43:08 krz75-SLA isakmpd[98426]: sendmsg (36, 0x73a6d3321e08, 0):
> > Network is unreachable
> > May 27 17:43:11 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:43:15 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> > May 27 17:43:19 krz75-SLA isakmpd[98426]: sendmsg (36, 0x73a6d3321e08, 0):
> > Network is unreachable
> > May 27 17:43:19 krz75-SLA isakmpd[98426]: transport_send_messages: giving
> > up on exchange peer-10.0.15.11, no response from peer 10.0.15.11:500
> > May 27 17:43:19 krz75-SLA sasyncd[38852]: m_priv_iked_imsg: connect: No
> > such file or directory
> >
> > [root@@krz75-MAS~:]ipsecctl -sa
> > FLOWS:
> > flow esp in proto udp from 10.0.15.11 port l2tp to 10.0.15.216 port l2tp
> > peer 10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require
> > flow esp out proto udp from 10.0.15.216 port l2tp to 10.0.15.11 port l2tp
> > peer 10.0.15.11 srcid 10.0.15.216/32 dstid 10.0.15.11/32 type require
> >
> > SAD:
> > esp transport from 10.0.15.11 to 10.0.15.216 spi 0x6df78c14 auth hmac-sha1
> > enc aes
> > esp transport from 10.0.15.216 to 10.0.15.11
[7.5/amd64] ipsec + npppd + sasyncd + carp - doesn't pick up the VPN session at switchover
c=YES
ipsec_rules=/etc/ipsec.conf
isakmpd_flags="-S -K"
sasyncd_flags=

[root@@krz75-MAS~:]cat /etc/hostname.em3
-inet
inet 172.16.1.11 255.255.255.0 172.16.1.255 description "pfsync if to krz-slave"

[root@@krz75-SLA~:]cat /etc/hostname.em3
-inet
inet 172.16.1.12 255.255.255.0 172.16.1.255 description "pfsync if to krz-master"

[root@@krz75-MAS/etc:]cat /etc/hostname.pfsync0
-inet
syncdev em3
up

[root@@krz75-SLA~:]cat /etc/hostname.pfsync0
-inet
syncdev em3
up

[root@@krz75-MAS~:]cat /etc/hostname.em0
-inet
up

[root@@krz75-SLA~:]cat /etc/hostname.em0
-inet
up

[root@@krz75-MAS~:]cat /etc/hostname.carp0
-inet
inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 advskew 0 carpdev em0 pass test678

[root@@krz75-SLA~:]cat /etc/hostname.carp0
-inet
inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 advskew 128 carpdev em0 pass test678
up

[root@@krz75-MAS~:]cat /etc/ipsec.conf
wan_ipv4 = 10.0.15.216
ike passive esp transport \
	proto udp from $wan_ipv4 to any port 1701 \
	main auth "hmac-sha1" enc "3des" group modp1024 \
	quick auth "hmac-sha1" enc "aes" group modp1024 \
	psk "c98743717aa5f7"

[root@@krz75-SLA~:]cat /etc/ipsec.conf
wan_ipv4 = 10.0.15.216
ike passive esp transport \
	proto udp from $wan_ipv4 to any port 1701 \
	main auth "hmac-sha1" enc "3des" group modp1024 \
	quick auth "hmac-sha1" enc "aes" group modp1024 \
	psk "c98743717aa5f7"

[root@@krz75-MAS~:]cat /etc/sasyncd.conf
interface carp0
group carp
peer 172.16.1.12
sharedkey 0x115c413529ba5ac96b208d83a50473b3e6ade60e66c59a10a944ad3d273148dd

[root@@krz75-SLA~:]cat /etc/sasyncd.conf
interface carp0
group carp
peer 172.16.1.11
sharedkey 0x115c413529ba5ac96b208d83a50473b3e6ade60e66c59a10a944ad3d273148dd

[root@@krz75-MAS~:]cat /etc/npppd/npppd.conf
authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
	listen on 10.0.15.216
	#listen on 0.0.0.0
}
ipcp IPCP {
	pool-address 10.0.211.1-10.0.211.253
	dns-servers 1.1.1.1
}
interface pppx0 address 10.0.211.254 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

[root@@krz75-SLA~:]cat /etc/npppd/npppd.conf
authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
	listen on 10.0.15.216
	#listen on 0.0.0.0
}
ipcp IPCP {
	pool-address 10.0.211.1-10.0.211.253
	dns-servers 1.1.1.1
}
interface pppx0 address 10.0.211.254 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

Radek
Re: NAT on CARP interface
> Nevertheless, writing egress or $ext_If, what difference does it really
> make? You're just repeating a different word. Lol
It doesn't make any difference for me. Being curious I added em0 to the egress group and restarted all interfaces. However, em0 seems not to be in the egress group and the rule with egress still doesn't work:
match out log on egress from $int_if:network to any nat-to $ext_carpif

# cat /etc/hostname.em0
-inet
group egress
up

# ifconfig em0
em0: flags=8b43 mtu 1500
	lladdr 00:0d:b9:59:e0:90
	index 1 priority 0 llprio 3
	media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
	status: active

# ifconfig egress
carp0: flags=8843 mtu 1500
	lladdr 00:00:5e:00:01:01
	description: WAN_KRZ
	index 7 priority 15 llprio 3
	carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
	groups: carp egress
	status: master
	inet 10.0.15.216 netmask 0xffffff00 broadcast 10.0.15.255

# ifconfig carp0
carp0: flags=8843 mtu 1500
	lladdr 00:00:5e:00:01:01
	description: WAN_KRZ
	index 7 priority 15 llprio 3
	carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
	groups: carp egress
	status: master
	inet 10.0.15.216 netmask 0xffffff00 broadcast 10.0.15.255

> Does that rule you posted error out or are you just seeing blocks with it?
Just seeing blocks.

> https://www.openbsd.org/faq/pf/filter.html#syntax
>
> "The egress group, which contains the interface(s) that holds the default
> route(s)."
So.. carp0 holds the default route, carp0 is in the egress group. carp0 refers to em0.
But...
match out log on carp0... - doesn't work
match out log on egress... - doesn't work
match out log on em0... - works!
I don't know...

On Sun, 28 Apr 2024 13:44:05 -0400
Mike wrote:

> Oh now I remember, you might need to add it to the egress interface group.
>
> Does that rule you posted error out or are you just seeing blocks with it?
>
>
> On Sun, Apr 28, 2024, 12:49 PM Mike wrote:
>
> > If I remember right, you can run 'ifconfig' and see if that interface is
> > marked as an egress interface or not. I can't remember how OBSD determines
> > what interfaces are egress or not but your em0 seems to be in a private
> > network so it might not be classifying itself as egress.
> >
> > Nevertheless, writing egress or $ext_If, what difference does it really
> > make? You're just repeating a different word. Lol
> >
> > On Sun, Apr 28, 2024, 12:08 PM Radek wrote:
> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> I made minor changes and tested the egress version.
> >>
> >> ext_if = "em0"
> >> ext_carpif = "carp0"
> >> int_if = "carp2"
> >> This rule works for me:
> >> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
> >>
> >> It seems it should work fine as well but it doesn't:
> >> match out log on egress from $int_if:network to any nat-to $ext_carpif
> >>
> >>
> >> On Thu, 25 Apr 2024 13:53:32 -0700
> >> obs...@loopw.com wrote:
> >>
> >> >
> >> >
> >> > > On Apr 25, 2024, at 10:36 AM, Radek wrote:
> >> > >
> >> > > Thank you for all your hints.
> >> > >
> >> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
> >> > > This rule doesn't work.
> >> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> >
> >> >
> >> > fwiw, the $lan_if came from your configs existing “match”
> >> >
> >> > https://www.openbsd.org/faq/pf/filter.html#syntax - under “interface”
> >> you can find out about “egress”. I definitely prefer it to hard coding an
> >> interface in yet another line of a pf.conf
> >> >
> >> > I was presuming you didnt mind matching to $ext_if’s ip for new
> >> sessions outbound, hence (egress:0). Matching to the carp ip works. (this
> >> is basically a source nat rule in commercial-network-vendor speak)
> >> >
> >> >
> >> > >
> >> > >> ext_if=em0
> >> > >> int_if=vlan2
> >> > >> ext_carpIf=carp0
> >> > >
> >> > >> match out on $ext_if inet from $int_if:network to any nat-to
> >> $ext_carpIf
> >> > > This rule works as expected.
> >> >
> >> >
> >> Radek
> >>
> >> Radek
Re: NAT on CARP interface
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work
> as the rule you say works.
I made minor changes and tested the egress version.

ext_if = "em0"
ext_carpif = "carp0"
int_if = "carp2"
This rule works for me:
match out log on $ext_if from $int_if:network to any nat-to $ext_carpif

It seems it should work fine as well but it doesn't:
match out log on egress from $int_if:network to any nat-to $ext_carpif


On Thu, 25 Apr 2024 13:53:32 -0700
obs...@loopw.com wrote:

>
>
> > On Apr 25, 2024, at 10:36 AM, Radek wrote:
> >
> > Thank you for all your hints.
> >
> >> match out on egress from $lan_if:network to any nat-to (egress:0)
> > This rule doesn't work.
>
> change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it will work
> as the rule you say works.
>
>
> fwiw, the $lan_if came from your configs existing “match”
>
> https://www.openbsd.org/faq/pf/filter.html#syntax - under “interface” you
> can find out about “egress”. I definitely prefer it to hard coding an
> interface in yet another line of a pf.conf
>
> I was presuming you didnt mind matching to $ext_if’s ip for new sessions
> outbound, hence (egress:0). Matching to the carp ip works. (this is
> basically a source nat rule in commercial-network-vendor speak)
>
>
> >
> >> ext_if=em0
> >> int_if=vlan2
> >> ext_carpIf=carp0
>
> >> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
> > This rule works as expected.
>

Radek
Re: NAT on CARP interface
Thank you for all your hints.

> match out on egress from $lan_if:network to any nat-to (egress:0)
This rule doesn't work.

> ext_if=em0
> int_if=vlan2
> ext_carpIf=carp0
> match out on $ext_if inet from $int_if:network to any nat-to $ext_carpIf
This rule works as expected.

On Wed, 24 Apr 2024 17:14:49 -0400
Mike wrote:

> This command should help but you may need to add some "log" to your rules:
>
> tcpdump -nettti pflog0 will probably tell you.
>
> I don't have a bsd VM around to test but your int_if and ext_if should
> still refer to the underlying interface, not the carp.
>
> I'd change:
>
> ext_if=em0
> int_if=vlan2
> ext_carpIf=carp0
>
> match out on $ext_if inet from 10.0.2.0/24 to any nat-to $ext_carpIf
>
>
>
>
>
>
> On Wed, Apr 24, 2024, 4:50 PM Radek wrote:
>
> > Hi everyone,
> > it's a lab, the goal is redundant firewalls with CARP and PFSYNC, I'm
> > trying to configure the master box. On the LAN side I have created carp2 on
> > vlan2 interface and it works as expected.
> > On the WAN side I can't figure out how to make NAT work on carp0 interface.
> > Can someone tell me where I have the wrong or missing configuration?
> >
> > OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
> > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > # cat /etc/hostname.em1
> > -inet
> > up
> >
> > # cat /etc/hostname.vlan2
> > -inet
> > vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up
> >
> > # cat /etc/hostname.carp2
> > -inet
> > inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev
> > vlan2 pass test54321
> >
> >
> > # cat /etc/hostname.em0
> > -inet
> > up
> >
> > # cat /etc/hostname.carp0
> > -inet
> > inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1
> > advskew 0 carpdev em0 pass test678
> >
> >
> > # cat /etc/pf.conf
> > ext_if = "carp0"
> > lan_if = "carp2"
> > pfsync_if = "em3"
> > internal_if = "vlan1010"
> > set skip on { lo0 vlan em3}
> > # pfsync and carp
> > pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
> > pass on { $internal_if } proto carp keep state (no-sync)
> > # nat
> > match out on $ext_if from $lan_if:network to any nat-to $ext_if
> > pass out
> >
> > # pfctl -s rules
> > pass quick on em3 proto pfsync all
> > pass on vlan1010 proto carp all keep state (no-sync)
> > match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
> > pass out all flags S/SA
> >
> > # route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > 224/4              127.0.0.1          URS        0       72 32768     8 lo0
> > 10.0.2/24          10.0.2.254         UCn        1        0     -    19 carp2
> > 10.0.2.201         18:03:73:b4:fa:c1  UHLc       0    11815     -    18 carp2
> > 10.0.2.254         00:00:5e:00:01:02  UHLl       0       36     -     1 carp2
> > 10.0.2.255         10.0.2.254         UHb        0        4     -     1 carp2
> > [snip]
> >
> > Radek
> >
> > Radek
NAT on CARP interface
Hi everyone,
it's a lab, the goal is redundant firewalls with CARP and PFSYNC, I'm trying to configure the master box. On the LAN side I have created carp2 on vlan2 interface and it works as expected.
On the WAN side I can't figure out how to make NAT work on carp0 interface.
Can someone tell me where I have the wrong or missing configuration?

OpenBSD 7.5 (GENERIC.MP) #82: Wed Mar 20 15:48:40 MDT 2024
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

# cat /etc/hostname.em1
-inet
up

# cat /etc/hostname.vlan2
-inet
vnetid 2 parent em1 description "Interface VLAN-KRZ_LAN" up

# cat /etc/hostname.carp2
-inet
inet 10.0.2.254 255.255.255.0 NONE vhid 2 advbase 1 advskew 0 carpdev vlan2 pass test54321


# cat /etc/hostname.em0
-inet
up

# cat /etc/hostname.carp0
-inet
inet 10.0.15.216 255.255.255.0 NONE description "WAN_KRZ" vhid 1 advbase 1 advskew 0 carpdev em0 pass test678


# cat /etc/pf.conf
ext_if = "carp0"
lan_if = "carp2"
pfsync_if = "em3"
internal_if = "vlan1010"
set skip on { lo0 vlan em3}
# pfsync and carp
pass quick on { $pfsync_if } proto pfsync #keep state (no-sync)
pass on { $internal_if } proto carp keep state (no-sync)
# nat
match out on $ext_if from $lan_if:network to any nat-to $ext_if
pass out

# pfctl -s rules
pass quick on em3 proto pfsync all
pass on vlan1010 proto carp all keep state (no-sync)
match out on carp0 inet from 10.0.2.0/24 to any nat-to 10.0.15.216
pass out all flags S/SA

# route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
224/4              127.0.0.1          URS        0       72 32768     8 lo0
10.0.2/24          10.0.2.254         UCn        1        0     -    19 carp2
10.0.2.201         18:03:73:b4:fa:c1  UHLc       0    11815     -    18 carp2
10.0.2.254         00:00:5e:00:01:02  UHLl       0       36     -     1 carp2
10.0.2.255         10.0.2.254         UHb        0        4     -     1 carp2
[snip]

Radek
Re: SOLVED [7.3/i386] pf-badhost - Illegal instruction (core dumped)
Hello,

> Either build from ports with the MODCARGO_RUSTFLAGS line changed to this:
>
> MODCARGO_RUSTFLAGS = -C debuginfo=0 -C target-cpu=i586
I get some errors trying to build it from port:

===> Configuring for ripgrep-13.0.0p3
Illegal instruction (core dumped)
*** Error 132 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2921 'do-configure': @mkdir -p /usr/ports/pobj/ripgrep-13.0.0/.cargo; echo "[...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2941 '/usr/ports/pobj/ripgrep-13.0.0/build-i386/.configure_done': @cd /usr/ports/...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2132 '/usr/ports/packages/i386/all/ripgrep-13.0.0p3.tgz': @cd /usr/ports/textproc...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2621 '_internal-package': @case X${_DEPENDS_CACHE} in X) _DEPENDS_CACHE=$( mktem...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2600 'package': @:; cd /usr/ports/textproc/ripgrep && PKGPATH=textproc/ripgrep ma...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2153 '/var/db/pkg/ripgrep-13.0.0p3/+CONTENTS': @cd /usr/ports/textproc/ripgrep &&...)
*** Error 2 in /usr/ports/textproc/ripgrep (/usr/ports/infrastructure/mk/bsd.port.mk:2600 'install': @lock=ripgrep-13.0.0p3; export _LOCKS_...)
test73#

> or try the binary at https://junkpile.org/rg
This binary causes core dumps too.

On Mon, 5 Jun 2023 12:43:53 - (UTC)
Stuart Henderson wrote:

> On 2023-06-05, Radek wrote:
> > RipGrep caused my issue. When I replaced ripgrep with ggrep the script
> > started to work fine.
>
> Can you try a new ripgrep binary built with a different target-cpu type
> for me please? The default for the rust compiler is to use SSE instructions
> which aren't present on your Alix.
>
> Either build from ports with the MODCARGO_RUSTFLAGS line changed to this:
>
> MODCARGO_RUSTFLAGS = -C debuginfo=0 -C target-cpu=i586
>
> or try the binary at https://junkpile.org/rg
>
> If this helps then it might be a good idea to change the default in
> lang/rust/patches/patch-compiler_rustc_target_src_spec_i686_unknown_openbsd_rs
> so that other rust programs are compiled that way (currently it uses
> "pentiumpro" which I understand disables SSE2 but not SSE).
>

Radek
Re: [7.3/i386] pf-badhost - Illegal instruction (core dumped)
Just realized that if I edit the subject it will create a new thread in marc.info.
So.. closing the thread, the solution is here:
https://marc.info/?l=openbsd-misc=168594789107213=2
Sorry for the mess.

On Sat, 3 Jun 2023 17:37:08 -0500
Andrew Daugherity wrote:

> Unfortunately it looks like sh -x does not trace into functions, and
> it is something inside "main" which is crashing:
>
> > > set -x or something.
> > Sorry, I should have started with that.
> >
> > test73# doas -u _pfbadhost pf-badhost -O openbsd
> > [ ... ]
> > + command -v typeset
> > + > /dev/null
> > + 2>&1
> > + main -O openbsd
> > Illegal instruction
> > [ ... ]
> > Illegal instruction (core dumped)
> >
> > No blocklist changes...
> > Illegal instruction (core dumped)
>
> Both sh and ksh seem to behave that way, but bash will trace inside
> functions. Try calling the script with 'bash -x' and hopefully you
> can pinpoint which binary called by main() is crashing.
>
> -Andrew
>

Radek
Re: [7.3/i386] pf-badhost - Illegal instruction (core dumped)
Hello Diana,

> I realize he shared it here, but this is an OpenBSD mailing list. I strongly
> suggest you contact the author, don't just "hope" he regularly monitors this
> list.
>
> I've contacted him before at his email address and he was very prompt in
> reply.
If I don't solve the problem here (public list) I'll contact Jordan.

On Tue, 30 May 2023 19:29:33 -0600
"deich...@placebonol.com" wrote:

> I realize he shared it here, but this is an OpenBSD mailing list. I strongly
> suggest you contact the author, don't just "hope" he regularly monitors this
> list.
>
> I've contacted him before at his email address and he was very prompt in
> reply.
>
> 73
> diana
> KI5PGJ
>
> On May 30, 2023 8:05:04 AM MDT, Radek wrote:
> >Hello and sorry for the late reply,
> >
> >> Did you contact the individual who provides pf-bafhost script? He has
> >> always responded to me when I contacted him.
> >No, I didn't. Jordan shared his scripts here, I hope he reads misc@.
> >
>

Radek
Re: [7.3/i386] pf-badhost - Illegal instruction (core dumped)
Hello Stuart,

> What is the name of the core dump file?
Actually there isn't any .core file.

test73# find / -name '*.core'
test73#

On Tue, 30 May 2023 14:41:37 - (UTC)
Stuart Henderson wrote:

> On 2023-05-30, Radek wrote:
> > Hello and sorry for the late reply,
> >
> >> Did you contact the individual who provides pf-bafhost script? He has
> >> always responded to me when I contacted him.
> > No, I didn't. Jordan shared his scripts here, I hope he reads misc@.
> >
> >> what program dumped core?
> > Some parts of [1]. How can I determine which lines do it?
>
> pf-badhost is a fairly large ksh script which calls a bunch of various
> other programs depending on what's present (3 different awks, 4
> different file fetching tools, 3 search tools, etc).
>
> It isn't likely to be the script itself which is SIGILLing but one of those
> other programs.
>
> What is the name of the core dump file?
>
> >> dmesg?
> > cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
> > 500 MHz, 05-0a-02
> > cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
>
> so no SSE, etc.
>

Radek
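A quick way to answer "which of the helper programs is SIGILLing" without tracing the whole script, as an added example that is not from the thread: probe each candidate binary on its own and classify the exit status, since a shell reports a SIGILL death as 128 + 4 = 132 (the same number the ports build printed as "*** Error 132"). The tool list is an assumption; pf-badhost's actual helpers depend on what is installed.

```sh
#!/bin/sh
# Added example, not from the thread: find which helper binary a large
# shell script (here pf-badhost) calls that dies with SIGILL on a CPU
# without SSE.  Tool names passed on the command line are assumptions.

# Shells report a signal death as 128 + signal number; SIGILL is 4 on
# OpenBSD and Linux, so "Illegal instruction" shows up as exit status 132.
is_sigill_status() {
    [ "$1" -eq 132 ]
}

# Run one tool with the given arguments, input and output discarded, and
# print a one-line verdict.  Returns 1 only when the tool died with SIGILL,
# so callers can tell "crashes on this CPU" apart from "not installed" or
# "exited with an error".
probe_tool() {
    tool=$1
    shift
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "$tool: not installed"
        return 0
    fi
    "$tool" "$@" </dev/null >/dev/null 2>&1
    status=$?
    if is_sigill_status "$status"; then
        echo "$tool: SIGILL (exit $status) - built for instructions this CPU lacks"
        return 1
    fi
    echo "$tool: exit $status"
    return 0
}

# Probe every tool named on the command line with --version, which runs the
# binary's startup code without needing any input.  Returns 1 if any tool
# died with SIGILL.
check_tools() {
    failed=0
    for t in "$@"; do
        probe_tool "$t" --version || failed=1
    done
    return $failed
}

# Usage: sh sigill-probe.sh rg ggrep gawk curl
if [ $# -gt 0 ]; then
    check_tools "$@"
fi
```

Run it as the same user the script runs as (here via doas -u _pfbadhost) so PATH lookups match what pf-badhost sees.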
Re: [7.3/i386] pf-badhost - Illegal instruction (core dumped)
Hello and sorry for the late reply,

> Did you contact the individual who provides pf-bafhost script? He has always
> responded to me when I contacted him.
No, I didn't. Jordan shared his scripts here, I hope he reads misc@.

> what program dumped core?
Some parts of [1]. How can I determine which lines do it?

> dmesg?
OpenBSD 7.3 (GENERIC) #0: Wed May 24 13:42:36 CEST 2023
    r...@test73.my.domain:/usr/src/sys/arch/i386/compile/GENERIC
real mem = 536363008 (511MB)
avail mem = 509431808 (485MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz, 05-0a-02
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:00:24:cb:4f:c8
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 00:00:24:cb:4f:c9
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 00:00:24:cb:4f:ca
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:00:24:cb:4f:cb
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbc0: unable to establish interrupt for irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 addr 1
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (660c82c04771c00d.a) swap on wd0b dump on wd0b

On Thu, 25 May 2023 18:17:49 - (UTC)
Stuart Henderson wrote:

> On 2023-05-25, Radek wrote:
> > Hello,
> > I am getting the following error message when I try to run pf-badhost
> > script [1] at fresh install 7.3/i386. Have I missed something?
> >
> > 1. https://www.geoghegan.ca/pub/pf-badhost/latest/install/openbsd.txt
> >
> > test73# doas -u _pfbadhost pf-badhost -O openbsd
> > doas (r...@test73.my.domain) password:
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction
> > Illegal instruction (core dumped)
> > Illegal instruction (core dumped)
> > Illegal instruction (core dumped)
> > Illegal instruction (core dumped)
> >
> > No blocklist changes...
> > Illegal instruction (core dumped)
>
> dmesg?
>
> what program dumped core?
>

Radek
[7.3/i386] pf-badhost - Illegal instruction (core dumped)
Hello,
I am getting the following error message when I try to run pf-badhost script [1] at fresh install 7.3/i386. Have I missed something?

1. https://www.geoghegan.ca/pub/pf-badhost/latest/install/openbsd.txt

test73# doas -u _pfbadhost pf-badhost -O openbsd
doas (r...@test73.my.domain) password:
Illegal instruction
Illegal instruction
Illegal instruction
Illegal instruction
Illegal instruction
Illegal instruction
Illegal instruction (core dumped)
Illegal instruction (core dumped)
Illegal instruction (core dumped)
Illegal instruction (core dumped)

No blocklist changes...
Illegal instruction (core dumped)
pf-badhost: IPv4 addresses in table: 0

Radek
Re: How to announce over OSPF only one IP address
Hello Bradley,

> It will look silly but maybe it works?
It looks silly, but it works well, thank you.

[10.109.3.15] $ cat /etc/hostname.vr0
-inet
inet 10.109.3.15 255.255.255.0

[10.109.3.15] $ cat /etc/hostname.vr3
inet 10.1.111.1 255.255.255.0
!route add 10.1.111.11 10.1.111.11
!route add 10.1.111.16 10.1.111.16

[10.109.3.15] $ cat /etc/ospfd.conf
router-id 10.109.3.15
#redistribute connected
redistribute 10.1.111.11/32
redistribute 10.1.111.16/32

area 0.0.0.0 {
	interface vr0
}

At the far end it looks as follows.

[10.109.3.16] $ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*S     8    0.0.0.0/0            10.109.3.254
*O     32   10.1.111.11/32       10.109.3.15
*O     32   10.1.111.16/32       10.109.3.15
 C     4    10.1.200.0/24        10.1.200.1
 C     4    10.1.222.0/24        10.1.222.1
*C     4    10.109.3.0/24        10.109.3.16
*C     0    127.0.0.0/8          link#0
*S     8    127.0.0.0/8          127.0.0.1
*      1    127.0.0.1/32         127.0.0.1
*S     8    224.0.0.0/4          127.0.0.1

On Fri, 10 Feb 2023 11:24:50 +1100
Bradley Latus wrote:

> Hello
>
> Maybe try doing the IP of the host you want to go to?
>
> It will look silly but maybe it works?
>
> Aka
> !route add 10.1.111.11 10.1.111.11
>
> That worked on my attempt even without sleeping
>
> See if that helps.
>
>
>
>
> On Thu, 9 Feb 2023, 22:59 Radek, wrote:
>
> > Hello Bradley,
> > if I add that route to /etc/hostname.vr3 I have no access to 10.1.111.11,
> > even from the local router.
> > After reboot I have to delete and add that route again by hand to make
> > everything work (sometimes I have to repeat delete/add a few times to make it
> > work). It's 7.2/i386.
> > Any idea?
> >
> > [10.109.3.15] $ cat /etc/hostname.vr3
> > inet 10.1.111.1 255.255.255.0
> > !sleep 60
> > !route add 10.1.111.11 10.1.111.1
> >
> > [10.109.3.15] $ route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > default            10.109.3.254       UGS        5       10     -     8 vr0
> > 224/4              127.0.0.1          URS        0       56 32768     8 lo0
> > 10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
> > 10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
> > 10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
> > 10.1.111/24        10.1.111.1         UCn        0        0     -     4 vr3
> > 10.1.111.1         00:00:24:cb:4f:cf  UHLhl      1        2     -     1 vr3
> > 10.1.111.11        10.1.111.1         UGHS       0      104     -     8 vr3
> > 10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
> > 10.1.222/24        10.109.3.16        UG         0        0     -    32 vr0
> > 10.109.3/24        10.109.3.15        UCn        3       18     -     4 vr0
> > 10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       11     -     3 vr0
> > 10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       13     -     1 vr0
> > 10.109.3.16        00:00:24:cd:90:10  UHLch      1       11     -     3 vr0
> > 10.109.3.254       00:0d:b9:35:39:29  UHLch      1       16     -     3 vr0
> > 10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
> > 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> > 127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0
> >
> > then...
> > [10.109.3.15] $ route delete 10.1.111.11 10.1.111.1
> > delete host 10.1.111.11: gateway 10.1.111.1
> > [10.109.3.15] $ route add 10.1.111.11 10.1.111.1
> > add host 10.1.111.11: gateway 10.1.111.1
> >
> > [10.109.3.15] $ route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > default            10.109.3.254       UGS        5       11     -     8 vr0
> > 224/4              127.0.0.1          URS        0      137 32768     8 lo0
> > 10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
> > 10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
> > 10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
> > 10.1.111/24        10.1.111.1         UCn        1        0     -     4 vr3
> > 10.1.111.1         00:00:24:cb:4f:cf  UHLhl      1       15     -     1 vr3
> > 10.1.111.11        00:00:24:cb:4f:d0  UHLc       0      172     -     3 vr3
> > 10.1.111.11        10.1.111.1         UGHS
Re: How to announce over OSPF only one IP address
Hello Bradley,
if I add that route to /etc/hostname.vr3 I have no access to 10.1.111.11, even from the local router.
After reboot I have to delete and add that route again by hand to make everything work (sometimes I have to repeat delete/add a few times to make it work). It's 7.2/i386.
Any idea?

[10.109.3.15] $ cat /etc/hostname.vr3
inet 10.1.111.1 255.255.255.0
!sleep 60
!route add 10.1.111.11 10.1.111.1

[10.109.3.15] $ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.109.3.254       UGS        5       10     -     8 vr0
224/4              127.0.0.1          URS        0       56 32768     8 lo0
10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
10.1.111/24        10.1.111.1         UCn        0        0     -     4 vr3
10.1.111.1         00:00:24:cb:4f:cf  UHLhl      1        2     -     1 vr3
10.1.111.11        10.1.111.1         UGHS       0      104     -     8 vr3
10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
10.1.222/24        10.109.3.16        UG         0        0     -    32 vr0
10.109.3/24        10.109.3.15        UCn        3       18     -     4 vr0
10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       11     -     3 vr0
10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       13     -     1 vr0
10.109.3.16        00:00:24:cd:90:10  UHLch      1       11     -     3 vr0
10.109.3.254       00:0d:b9:35:39:29  UHLch      1       16     -     3 vr0
10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0

then...
[10.109.3.15] $ route delete 10.1.111.11 10.1.111.1
delete host 10.1.111.11: gateway 10.1.111.1
[10.109.3.15] $ route add 10.1.111.11 10.1.111.1
add host 10.1.111.11: gateway 10.1.111.1

[10.109.3.15] $ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.109.3.254       UGS        5       11     -     8 vr0
224/4              127.0.0.1          URS        0      137 32768     8 lo0
10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
10.1.111/24        10.1.111.1         UCn        1        0     -     4 vr3
10.1.111.1         00:00:24:cb:4f:cf  UHLhl      1       15     -     1 vr3
10.1.111.11        00:00:24:cb:4f:d0  UHLc       0      172     -     3 vr3
10.1.111.11        10.1.111.1         UGHS       0        0     -     8 vr3
10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
10.1.222/24        10.109.3.16        UG         0      170     -    32 vr0
10.109.3/24        10.109.3.15        UCn        3       28     -     4 vr0
10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       22     -     3 vr0
10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       24     -     1 vr0
10.109.3.16        00:00:24:cd:90:10  UHLch      1       33     -     3 vr0
10.109.3.254       00:0d:b9:35:39:29  UHLch      1       24     -     3 vr0
10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0

On Thu, 9 Feb 2023 07:47:33 +1100
Bradley Latus wrote:

> Hi,
> I see a small mistake
>
> You need to add that route to vr3 interface when you bring it up, vr0 will
> most likely be up before vr3 so that is why your route adding in the
> hostname.vr0 is wrong.
>
> Cheers
>
> On Thu, 9 Feb 2023, 01:36 Radek, wrote:
>
> > Hello Bradley,
> > thank you, your setup works the way I need.
> >
> > I can't deal with adding the static route permanently. I have to add the
> > static route by hand (route add 10.1.111.11/32 10.1.111.1) after reboot.
> > Did I miss something?
> >
> > [10.109.3.15] $ cat /etc/hostname.vr0
> > -inet
> > dhcp
> > #inet 10.109.3.15 255.255.255.0
> > !sleep 60
> > !route add 10.1.111.11/32 10.1.111.1
> >
> > After reboot it looks like this:
> >
> > [10.109.3.15] $ route -n show
> > Routing tables
> >
> > Internet:
> > Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> > default            10.109.3.254       UGS        5       15     -     8 vr0
> > 224/4              127.0.0.1          URS        0       59 32768     8 lo0
> > 10.1.100/24
Re: How to announce over OSPF only one IP address
Hello Bradley,
thank you, your setup works the way I need.

I can't deal with adding the static route permanently. I have to add the static route by hand (route add 10.1.111.11/32 10.1.111.1) after reboot.
Did I miss something?

[10.109.3.15] $ cat /etc/hostname.vr0
-inet
dhcp
#inet 10.109.3.15 255.255.255.0
!sleep 60
!route add 10.1.111.11/32 10.1.111.1

After reboot it looks like this:

[10.109.3.15] $ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.109.3.254       UGS        5       15     -     8 vr0
224/4              127.0.0.1          URS        0       59 32768     8 lo0
10.1.100/24        10.1.100.1         Cn         0        0     -     4 vr1
10.1.100.1         00:00:24:cb:4f:cd  UHLl       0        0     -     1 vr1
10.1.100.255       10.1.100.1         Hb         0        0     -     1 vr1
10.1.111/24        10.1.111.1         UCn        1        0     -     4 vr3
10.1.111.1         00:00:24:cb:4f:cf  UHLl       0        3     -     1 vr3
10.1.111.11        00:00:24:cb:4f:d0  UHLc       0        2     -     3 vr3
10.1.111.255       10.1.111.1         UHb        0        0     -     1 vr3
10.1.222/24        10.109.3.16        UG         0        0     -    32 vr0
10.109.3/24        10.109.3.15        UCn        3       40     -     4 vr0
10.109.3.10        a4:bb:6d:d6:5a:a4  UHLc       1       29     -     3 vr0
10.109.3.15        00:00:24:cb:4f:cc  UHLl       0       13     -     1 vr0
10.109.3.16        00:00:24:cd:90:10  UHLch      1       26     -     3 vr0
10.109.3.254       00:0d:b9:35:39:29  UHLch      1       31     -     3 vr0
10.109.3.255       10.109.3.15        UHb        0        0     -     1 vr0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0

On Tue, 7 Feb 2023 17:54:27 +1100
Bradley Latus wrote:

> Hi all,
>
> I have done an experiment.
>
> If your interface is part of an area, it will be advertised always.
>
> If you wanted to advertise only /32 this is how I got mine to work.
> Ensure your interface vr3 is not in your ospf area
>
> Add a static route to the one you wish to advertise, it appears that unless
> a route exists on the machine you cannot redistribute a random ip.
>
> So route add 10.1.111.11/32 10.1.111.1
>
> Then you can redistribute your /32
>
> router-id 10.109.3.15
> redistribute 10.1.111.11/32
>
> area 0.0.0.0 {
>         interface vr0
> }
>
> On Tue, 7 Feb 2023, 02:46 Radek, wrote:
>
> > Hello,
> > > I'd check the databases on both sides.
> > > And flush/reload the config and fibs.
> > I reloaded and restarted OSPFd on both sides - nothing changes. Then, I
> > rebooted routers on both sides - nothing changes.
> > I still can see/ping the whole 10.1.111.0/24 subnet from the far end.
> >
> > [10.109.3.15]$ ospfctl show database router
> >
> > Router Link States (Area 0.0.0.0)
> >
> > LS age: 238
> > Options: -|-|-|-|-|-|E|-
> > LS Type: Router
> > Link State ID: 10.109.3.15
> > Advertising Router: 10.109.3.15
> > LS Seq Number: 0x8016
> > Checksum: 0x6d0a
> > Length: 48
> > Flags: *|*|*|*|*|-|E|-
> > Number of Links: 2
> >
> >     Link connected to: Stub Network
> >     Link ID (Network ID): 10.1.111.0
> >     Link Data (Network Mask): 255.255.255.0
> >     Metric: 10
> >
> >     Link connected to: Transit Network
> >     Link ID (Designated Router address): 10.109.3.16
> >     Link Data (Router Interface address): 10.109.3.15
> >     Metric: 10
> >
> > LS age: 239
> > Options: -|-|-|-|-|-|E|-
> > LS Type: Router
> > Link State ID: 10.109.3.16
> > Advertising Router: 10.109.3.16
> > LS Seq Number: 0x8016
> > Checksum: 0xb058
> > Length: 36
> > Flags: *|*|*|*|*|-|E|-
> > Number of Links: 1
> >
> >     Link connected to: Transit Network
> >     Link ID (Designated Router address): 10.109.3.16
> >     Link Data (Router Interface address): 10.109.3.16
> >     Metric: 10
> >
> > [10.109.3.16]$ ospfctl show fib
> > flags: * = valid, O = OSPF, C = Connected, S = Static
> > Flags  Prio Destination          Nexthop
> > *S        8 0.0.0.0/0            10.109.3.254
> > *O       32 10.1.111.0/24        10.109.3.15
> >
> > On Sun, 5 Feb 2023 22:20:07 +0100
> > Diederik Schouten wrote:
> >
> > > Hello,
> > >
> > > I'd check the databases on both sides.
> > > And flush/reload the config and fibs.
> > > Then check again which link state advert
Re: How to announce over OSPF only one IP address
Hello,

> I'd check the databases on both sides.
> And flush/reload the config and fibs.

I reloaded and restarted OSPFd on both sides - nothing changes. Then, I rebooted routers on both sides - nothing changes.
I still can see/ping the whole 10.1.111.0/24 subnet from the far end.

[10.109.3.15]$ ospfctl show database router

Router Link States (Area 0.0.0.0)

LS age: 238
Options: -|-|-|-|-|-|E|-
LS Type: Router
Link State ID: 10.109.3.15
Advertising Router: 10.109.3.15
LS Seq Number: 0x8016
Checksum: 0x6d0a
Length: 48
Flags: *|*|*|*|*|-|E|-
Number of Links: 2

    Link connected to: Stub Network
    Link ID (Network ID): 10.1.111.0
    Link Data (Network Mask): 255.255.255.0
    Metric: 10

    Link connected to: Transit Network
    Link ID (Designated Router address): 10.109.3.16
    Link Data (Router Interface address): 10.109.3.15
    Metric: 10

LS age: 239
Options: -|-|-|-|-|-|E|-
LS Type: Router
Link State ID: 10.109.3.16
Advertising Router: 10.109.3.16
LS Seq Number: 0x8016
Checksum: 0xb058
Length: 36
Flags: *|*|*|*|*|-|E|-
Number of Links: 1

    Link connected to: Transit Network
    Link ID (Designated Router address): 10.109.3.16
    Link Data (Router Interface address): 10.109.3.16
    Metric: 10

[10.109.3.16]$ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*S        8 0.0.0.0/0            10.109.3.254
*O       32 10.1.111.0/24        10.109.3.15

On Sun, 5 Feb 2023 22:20:07 +0100
Diederik Schouten wrote:

> Hello,
>
> I'd check the databases on both sides.
> And flush/reload the config and fibs.
> Then check again which link state advertisements are in the database.
> To make sure you now get the /32 advertised.
>
> Sent from my iPhone
>
> > On 5 Feb 2023, at 21:15, Radek wrote:
> >
> > Hello Diederik, hello Tom,
> > this is a simple lab/testing configuration, that's why there is no
> > "passive" and other...
> > The purpose of this configuration is to allow access to certain IP address
> > and restrict access to the rest of the subnet.
> > I can use PF to block/pass what I need... but I'm trying to make sure if I can
> > do it by announcing "not more than needed" over OSPF.
> >
> > "redistribute 10.1.111.11/32" seems to be what I need, but probably I
> > missed something, because this option doesn't work for me as expected.
> >
> > $ cat /etc/ospfd.conf
> > router-id 10.109.3.15
> > redistribute 10.1.111.11/32
> >
> > area 0.0.0.0 {
> >         interface vr0
> >         interface vr3
> > }
> >
> > Then, I can still see/ping other IPs in 10.1.111.0/24 from the far end
> > network.
> >
> > On the far router I can see the whole subnet instead of something like
> > "*O 32 10.1.111.11/32 10.109.3.15".
> >
> > $ ospfctl show fib
> > flags: * = valid, O = OSPF, C = Connected, S = Static
> > Flags  Prio Destination          Nexthop
> > *S        8 0.0.0.0/0            10.109.3.254
> > *O       32 10.1.111.0/24        10.109.3.15
> >
> > Any clues?
> >
> >> On Sat, 4 Feb 2023 23:16:57 +
> >> Tom Smyth wrote:
> >>
> >> Hi Radek,
> >>
> >> it is better practice to add ospf network statements to ospfd.conf
> >> (if you don't want to send / receive ospf messages on an interface set the
> >> interface to passive in ospfd.conf
> >> avoid redistribute connected
> >> (add the network you want to be added to your ospf network) and leave the
> >> other network omitted from your ospfd.conf
> >>
> >> I hope this helps,
> >>
> >>> On Sat, 4 Feb 2023 at 20:02, Radek wrote:
> >>>
> >>> Hello,
> >>> is it possible to announce over OSPF only one (or a few specific) IP
> >>> address instead of the whole subnet?
> >>> If yes.. an ospfd.conf example would be appreciated.
> >>>
> >>> $ cat /etc/hostname.vr3
> >>> inet 10.1.111.1 255.255.255.0
> >>>
> >>> $ cat /etc/ospfd.conf
> >>> router-id 10.109.3.15
> >>> redistribute connected
> >>>
> >>> area 0.0.0.0 {
> >>>         interface vr0
> >>>         interface vr3
> >>> }
> >>>
> >>> Thanks,
> >>> Radek
> >>>
> >>
> >> --
> >> Kindest regards,
> >> Tom Smyth.
> >
> > Radek

Radek
Re: How to announce over OSPF only one IP address
Hello Diederik, hello Tom,
this is a simple lab/testing configuration, that's why there is no "passive" and other...
The purpose of this configuration is to allow access to certain IP address and restrict access to the rest of the subnet.
I can use PF to block/pass what I need... but I'm trying to make sure if I can do it by announcing "not more than needed" over OSPF.

"redistribute 10.1.111.11/32" seems to be what I need, but probably I missed something, because this option doesn't work for me as expected.

$ cat /etc/ospfd.conf
router-id 10.109.3.15
redistribute 10.1.111.11/32

area 0.0.0.0 {
        interface vr0
        interface vr3
}

Then, I can still see/ping other IPs in 10.1.111.0/24 from the far end network.

On the far router I can see the whole subnet instead of something like "*O 32 10.1.111.11/32 10.109.3.15".

$ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*S        8 0.0.0.0/0            10.109.3.254
*O       32 10.1.111.0/24        10.109.3.15

Any clues?

On Sat, 4 Feb 2023 23:16:57 +
Tom Smyth wrote:

> Hi Radek,
>
> it is better practice to add ospf network statements to ospfd.conf
> (if you don't want to send / receive ospf messages on an interface set the
> interface to passive in ospfd.conf
> avoid redistribute connected
> (add the network you want to be added to your ospf network) and leave the
> other network omitted from your ospfd.conf
>
> I hope this helps,
>
> On Sat, 4 Feb 2023 at 20:02, Radek wrote:
>
> > Hello,
> > is it possible to announce over OSPF only one (or a few specific) IP
> > address instead of the whole subnet?
> > If yes.. an ospfd.conf example would be appreciated.
> >
> > $ cat /etc/hostname.vr3
> > inet 10.1.111.1 255.255.255.0
> >
> > $ cat /etc/ospfd.conf
> > router-id 10.109.3.15
> > redistribute connected
> >
> > area 0.0.0.0 {
> >         interface vr0
> >         interface vr3
> > }
> >
> > Thanks,
> > Radek
> >
>
> --
> Kindest regards,
> Tom Smyth.

Radek
How to announce over OSPF only one IP address
Hello,
is it possible to announce over OSPF only one (or a few specific) IP address instead of the whole subnet?
If yes.. an ospfd.conf example would be appreciated.

$ cat /etc/hostname.vr3
inet 10.1.111.1 255.255.255.0

$ cat /etc/ospfd.conf
router-id 10.109.3.15
redistribute connected

area 0.0.0.0 {
        interface vr0
        interface vr3
}

Thanks,
Radek
Re: Running redmine on OpenBSD
On Tue, 30 Nov 2021 22:31:11 +0100
Łukasz Moskała wrote:

> On 30.11.2021 at 16:07, Radek wrote:
> > On Tue, 30 Nov 2021 10:04:30 +0100
> > Łukasz Moskała wrote:
> >
> >>
> >> On 30 November 2021 09:45:15 CET, Radek wrote:
> >>> On Mon, 29 Nov 2021 11:19:28 +0100
> >>> Łukasz Moskała wrote:
> >>>
> >>>> On 28.11.2021 at 18:07, Radek wrote:
> >>>>> Hello,
> >>>>> following the official guide [1] and a few other websites I finally
> >>>>> installed my first Ruby on Rails/Puma web app... and it passed the
> >>>>> local test by curl (bundle exec rails server webrick -e production) -
> >>>>> relayd wasn't configured yet.
> >>>>>
> >>>>> Then, I ran my app with puma server. I can't figure out how to make it
> >>>>> work with FQDN and LetsEncrypt cert.
> >>>>> My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].
> >>>>>
> >>>>> I started with simple httpd configuration to get certs with acme-client
> >>>>> and then https://redmine.MY.DOMAIN.COM showed my testing index.html
> >>>>> properly.
> >>>>> Now /etc/httpd.conf has changed but I assume my certs are still OK.
> >>>>>
> >>>>> Remote firefox is giving me a "Redirect Loop" error when trying to
> >>>>> access https://redmine.MY.DOMAIN.COM
> >>>>>
> >>>>> Could someone please shed some light on this puzzle?
> >>>>>
> >>>>> 1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
> >>>>> 2. https://github.com/basicfeatures/openbsd-rails
> >>>>> 3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103
> >>>>>
> >>>>> $ openssl s_client -connect redmine.MY.DOMAIN.COM:443
> >>>>> CONNECTED(0003)
> >>>>> depth=0 CN = redmine.MY.DOMAIN.COM
> >>>>> verify error:num=20:unable to get local issuer certificate
> >>>>> verify return:1
> >>>>> depth=0 CN = redmine.MY.DOMAIN.COM
> >>>>> verify error:num=21:unable to verify the first certificate
> >>>>> verify return:1
> >>>>> write W BLOCK
> >>>>> ---
> >>>>> Certificate chain
> >>>>>  0 s:/CN=redmine.MY.DOMAIN.COM
> >>>>>    i:/C=US/O=Let's Encrypt/CN=R3
> >>>>> ---
> >>>>> Server certificate
> >>>>> -----BEGIN CERTIFICATE-----
> >>>>> [...]
> >>>>> -----END CERTIFICATE-----
> >>>>> subject=/CN=redmine.MY.DOMAIN.COM
> >>>>> issuer=/C=US/O=Let's Encrypt/CN=R3
> >>>>> ---
> >>>>> No client certificate CA names sent
> >>>>> Server Temp Key: ECDH, X25519, 253 bits
> >>>>> ---
> >>>>> SSL handshake has read 2403 bytes and written 367 bytes
> >>>>> ---
> >>>>> New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
> >>>>> Server public key is 4096 bit
> >>>>> Secure Renegotiation IS NOT supported
> >>>>> Compression: NONE
> >>>>> Expansion: NONE
> >>>>> No ALPN negotiated
> >>>>> SSL-Session:
> >>>>>     Protocol  : TLSv1.3
> >>>>>     Cipher    : AEAD-AES256-GCM-SHA384
> >>>>>     Session-ID:
> >>>>>     Session-ID-ctx:
> >>>>>     Master-Key:
> >>>>>     Start Time: 1638116582
> >>>>>     Timeout   : 7200 (sec)
> >>>>>     Verify return code: 21 (unable to verify the first certificate)
> >>>>> ---
> >>>>>
> >>>>> [redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file config/puma.rb start
> >>>>> Puma starting in single mode...
> >>>>> * Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
> >>>>> * Min threads: 0
> >>>>> * Max threads: 5
> >>>>> * Environment: production
> >>>>> * PID: 85983
> >>>>> * Listening on
> >>>>> ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAI
Routing between different subnets
Hello,
I have a router (6.9/amd64) with NATed subnets (vlan425, vlan426, etc..). This box is also connected to another subnet via vlan43 and the box can ping the gw of vlan43 and machines inside this subnet.
I need to enable access for clients from vlan426 to machines in vlan43. I have no idea how to achieve that...
I've tried to add some routes to /etc/hostname.vlan426:

!sleep 2
!route -v add -inet default 10.4.26.254
!route -v add -net 10.43.0.0/16 10.43.0.197

but /etc/netstart gets stuck with these lines...
What am I doing wrong?

My configs:

$ cat /etc/hostname.em0
-inet
inet A.B.C.D 255.255.255.192 NONE

$ cat /etc/mygate
A.B.C.1

$ cat /etc/hostname.vlan426
inet 10.4.26.254 255.255.255.0 NONE vnetid 426 parent em1

$ cat /etc/hostname.vlan43
-inet
inet 10.43.10.197 255.255.0.0 NONE vnetid 43 parent em1
!route -v add -inet default 10.43.0.1

$ grep 10.43.0 /etc/pf.conf
pass quick from 10.4.26.0/24 to 10.43.0.0/16
pass quick from 10.43.0.0/16 to 10.4.26.0/24

--
Radek
Re: Running redmine on OpenBSD
On Tue, 30 Nov 2021 10:04:30 +0100
Łukasz Moskała wrote:

>
> On 30 November 2021 09:45:15 CET, Radek wrote:
> >On Mon, 29 Nov 2021 11:19:28 +0100
> >Łukasz Moskała wrote:
> >
> >> On 28.11.2021 at 18:07, Radek wrote:
> >> > Hello,
> >> > following the official guide [1] and a few other websites I finally
> >> > installed my first Ruby on Rails/Puma web app... and it passed the
> >> > local test by curl (bundle exec rails server webrick -e production) -
> >> > relayd wasn't configured yet.
> >> >
> >> > Then, I ran my app with puma server. I can't figure out how to make it
> >> > work with FQDN and LetsEncrypt cert.
> >> > My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].
> >> >
> >> > I started with simple httpd configuration to get certs with acme-client
> >> > and then https://redmine.MY.DOMAIN.COM showed my testing index.html
> >> > properly.
> >> > Now /etc/httpd.conf has changed but I assume my certs are still OK.
> >> >
> >> > Remote firefox is giving me a "Redirect Loop" error when trying to
> >> > access https://redmine.MY.DOMAIN.COM
> >> >
> >> > Could someone please shed some light on this puzzle?
> >> >
> >> > 1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
> >> > 2. https://github.com/basicfeatures/openbsd-rails
> >> > 3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103
> >> >
> >> > $ openssl s_client -connect redmine.MY.DOMAIN.COM:443
> >> > CONNECTED(0003)
> >> > depth=0 CN = redmine.MY.DOMAIN.COM
> >> > verify error:num=20:unable to get local issuer certificate
> >> > verify return:1
> >> > depth=0 CN = redmine.MY.DOMAIN.COM
> >> > verify error:num=21:unable to verify the first certificate
> >> > verify return:1
> >> > write W BLOCK
> >> > ---
> >> > Certificate chain
> >> >  0 s:/CN=redmine.MY.DOMAIN.COM
> >> >    i:/C=US/O=Let's Encrypt/CN=R3
> >> > ---
> >> > Server certificate
> >> > -----BEGIN CERTIFICATE-----
> >> > [...]
> >> > -----END CERTIFICATE-----
> >> > subject=/CN=redmine.MY.DOMAIN.COM
> >> > issuer=/C=US/O=Let's Encrypt/CN=R3
> >> > ---
> >> > No client certificate CA names sent
> >> > Server Temp Key: ECDH, X25519, 253 bits
> >> > ---
> >> > SSL handshake has read 2403 bytes and written 367 bytes
> >> > ---
> >> > New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
> >> > Server public key is 4096 bit
> >> > Secure Renegotiation IS NOT supported
> >> > Compression: NONE
> >> > Expansion: NONE
> >> > No ALPN negotiated
> >> > SSL-Session:
> >> >     Protocol  : TLSv1.3
> >> >     Cipher    : AEAD-AES256-GCM-SHA384
> >> >     Session-ID:
> >> >     Session-ID-ctx:
> >> >     Master-Key:
> >> >     Start Time: 1638116582
> >> >     Timeout   : 7200 (sec)
> >> >     Verify return code: 21 (unable to verify the first certificate)
> >> > ---
> >> >
> >> > [redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file config/puma.rb start
> >> > Puma starting in single mode...
> >> > * Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
> >> > * Min threads: 0
> >> > * Max threads: 5
> >> > * Environment: production
> >> > * PID: 85983
> >> > * Listening on ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
> >> > * Listening on http://127.0.0.1:3001
> >> > Use Ctrl-C to stop
> >> >
> >> > # /home/redminepk/redminepk/config/puma.rb
> >> > #!/usr/bin/env puma
> >> > app = "redminepk"
> >> > ssl_bind "127.0.0.1", "3000", {
> >> >   key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
> >> >   cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
> >> > }
> >> > bind "tcp://127.0.0.1:3001"
> >> > pidfile "/home/#{app}/#{app}/tmp/puma.pid"
> >>
Re: Running redmine on OpenBSD
On Mon, 29 Nov 2021 11:19:28 +0100
Łukasz Moskała wrote:

> On 28.11.2021 at 18:07, Radek wrote:
> > Hello,
> > following the official guide [1] and a few other websites I finally installed
> > my first Ruby on Rails/Puma web app... and it passed the local test by
> > curl (bundle exec rails server webrick -e production) - relayd wasn't
> > configured yet.
> >
> > Then, I ran my app with puma server. I can't figure out how to make it work
> > with FQDN and LetsEncrypt cert.
> > My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].
> >
> > I started with simple httpd configuration to get certs with acme-client and
> > then https://redmine.MY.DOMAIN.COM showed my testing index.html properly.
> > Now /etc/httpd.conf has changed but I assume my certs are still OK.
> >
> > Remote firefox is giving me a "Redirect Loop" error when trying to access
> > https://redmine.MY.DOMAIN.COM
> >
> > Could someone please shed some light on this puzzle?
> >
> > 1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
> > 2. https://github.com/basicfeatures/openbsd-rails
> > 3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103
> >
> > $ openssl s_client -connect redmine.MY.DOMAIN.COM:443
> > CONNECTED(0003)
> > depth=0 CN = redmine.MY.DOMAIN.COM
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 CN = redmine.MY.DOMAIN.COM
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > write W BLOCK
> > ---
> > Certificate chain
> >  0 s:/CN=redmine.MY.DOMAIN.COM
> >    i:/C=US/O=Let's Encrypt/CN=R3
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > [...]
> > -----END CERTIFICATE-----
> > subject=/CN=redmine.MY.DOMAIN.COM
> > issuer=/C=US/O=Let's Encrypt/CN=R3
> > ---
> > No client certificate CA names sent
> > Server Temp Key: ECDH, X25519, 253 bits
> > ---
> > SSL handshake has read 2403 bytes and written 367 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
> > Server public key is 4096 bit
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol  : TLSv1.3
> >     Cipher    : AEAD-AES256-GCM-SHA384
> >     Session-ID:
> >     Session-ID-ctx:
> >     Master-Key:
> >     Start Time: 1638116582
> >     Timeout   : 7200 (sec)
> >     Verify return code: 21 (unable to verify the first certificate)
> > ---
> >
> > [redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file config/puma.rb start
> > Puma starting in single mode...
> > * Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
> > * Min threads: 0
> > * Max threads: 5
> > * Environment: production
> > * PID: 85983
> > * Listening on ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
> > * Listening on http://127.0.0.1:3001
> > Use Ctrl-C to stop
> >
> > # /home/redminepk/redminepk/config/puma.rb
> > #!/usr/bin/env puma
> > app = "redminepk"
> > ssl_bind "127.0.0.1", "3000", {
> >   key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
> >   cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
> > }
> > bind "tcp://127.0.0.1:3001"
> > pidfile "/home/#{app}/#{app}/tmp/puma.pid"
> > state_path "/home/#{app}/#{app}/tmp/puma.state"
> > stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", "/home/#{app}/#{app}/log/puma_errors.log"
> > environment "production"
> >
> > # /home/redminepk/redminepk/config/environments/production.rb
> > Rails.application.configure do
> >   config.cache_classes = true
> >   config.eager_load = true
> >   config.consider_all_requests_local = false
> >   config.action_controller.perform_caching = true
> >   config.action_mailer.raise_delivery_errors = false
> >   config.action_mailer.logger = nil
> >   config.active_support.deprecation = :log
> >   config.force_ssl = true
> > end
> >
> > # /etc/httpd.conf
> > ext_if="vmx0"
> > types { include "/usr/share/misc/mime.types" }
> >
> > server "redmine.MY.DOMAIN.COM" {
Re: Running redmine on OpenBSD
Hello,
following the official guide [1] and a few other websites I finally installed my first Ruby on Rails/Puma web app... and it passed the local test by curl (bundle exec rails server webrick -e production) - relayd wasn't configured yet.

Then, I ran my app with puma server. I can't figure out how to make it work with FQDN and LetsEncrypt cert.
My configs seem to be fine. It's 7.0/amd64. I've read [2], [3].

I started with simple httpd configuration to get certs with acme-client and then https://redmine.MY.DOMAIN.COM showed my testing index.html properly.
Now /etc/httpd.conf has changed but I assume my certs are still OK.

Remote firefox is giving me a "Redirect Loop" error when trying to access https://redmine.MY.DOMAIN.COM

Could someone please shed some light on this puzzle?

1. https://www.redmine.org/projects/redmine/wiki/RedmineInstall
2. https://github.com/basicfeatures/openbsd-rails
3. https://gist.github.com/anon987654321/4532cf8d6c59c1f43ec8973faa031103

$ openssl s_client -connect redmine.MY.DOMAIN.COM:443
CONNECTED(0003)
depth=0 CN = redmine.MY.DOMAIN.COM
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = redmine.MY.DOMAIN.COM
verify error:num=21:unable to verify the first certificate
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/CN=redmine.MY.DOMAIN.COM
   i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=redmine.MY.DOMAIN.COM
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2403 bytes and written 367 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : AEAD-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1638116582
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

[redminepk@@redmine70~/redminepk:]bundle exec pumactl27 --config-file config/puma.rb start
Puma starting in single mode...
* Puma version: 5.5.2 (ruby 2.7.4-p191) ("Zawgyi")
* Min threads: 0
* Max threads: 5
* Environment: production
* PID: 85983
* Listening on ssl://127.0.0.1:3000?cert=/etc/ssl/redmine.MY.DOMAIN.COM.crt&key=/etc/ssl/private/redmine.MY.DOMAIN.COM.key&verify_mode=none
* Listening on http://127.0.0.1:3001
Use Ctrl-C to stop

# /home/redminepk/redminepk/config/puma.rb
#!/usr/bin/env puma
app = "redminepk"
ssl_bind "127.0.0.1", "3000", {
  key: "/etc/ssl/private/redmine.MY.DOMAIN.COM.key",
  cert: "/etc/ssl/redmine.MY.DOMAIN.COM.crt"
}
bind "tcp://127.0.0.1:3001"
pidfile "/home/#{app}/#{app}/tmp/puma.pid"
state_path "/home/#{app}/#{app}/tmp/puma.state"
stdout_redirect "/home/#{app}/#{app}/log/puma_access.log", "/home/#{app}/#{app}/log/puma_errors.log"
environment "production"

# /home/redminepk/redminepk/config/environments/production.rb
Rails.application.configure do
  config.cache_classes = true
  config.eager_load = true
  config.consider_all_requests_local = false
  config.action_controller.perform_caching = true
  config.action_mailer.raise_delivery_errors = false
  config.action_mailer.logger = nil
  config.active_support.deprecation = :log
  config.force_ssl = true
end

# /etc/httpd.conf
ext_if="vmx0"
types { include "/usr/share/misc/mime.types" }

server "redmine.MY.DOMAIN.COM" {
        listen on $ext_if port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location "*" {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}

# /etc/relayd.conf
egress="A.B.C.D"
table { 127.0.0.1 }
redminepk_port="3001"
table { 127.0.0.1 }
httpd_port="80"

http protocol "http" {
        match request header set "Connection" value "close"
        match response header remove "Server"
}

http protocol "https" {
        pass request header "Host" value "redmine.MY.DOMAIN.COM" forward to
        tls keypair "redmine.MY.DOMAIN.COM"

        # Preserve address headers
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-Port" value "$REMOTE_PORT"
        match request header append "X-Forwaded-By" value "$SERVER_ADDR:$SERVER_PORT"
        match request header set "Connection" value "close"
        match response header remove "Server"
}

relay "http" {
        listen on $egress port http
        protocol "http"
        forward to po
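The thread never records how the redirect loop was resolved, but the posted configuration has the ingredients of a well-known one: relayd terminates TLS and forwards plain HTTP to Puma on 127.0.0.1:3001, the relayd "https" protocol sets no X-Forwarded-Proto header, and production.rb has `config.force_ssl = true`. Rails' ActionDispatch::SSL redirects any request for which `request.ssl?` is false, and behind a proxy that answer comes from X-Forwarded-Proto, so every https request is answered with a redirect to the same https URL. The following is an added model of that mechanism, not code from the thread, from Rails or from relayd; the `request.ssl?` logic is simplified to the X-Forwarded-Proto case, and the client address and hop limit are assumptions. Whether this is the cause in Radek's setup is not confirmed on the page.

```python
"""Added example (not from the thread): model of the force_ssl redirect loop
behind a TLS-terminating proxy, with and without X-Forwarded-Proto."""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]
HOST = "redmine.MY.DOMAIN.COM"


def request_is_ssl(scheme: str, headers: Headers) -> bool:
    """Simplified Rack request.ssl?: the app's own listener scheme, or the
    first value of X-Forwarded-Proto as set by the proxy in front of it."""
    if scheme == "https":
        return True
    forwarded = headers.get("X-Forwarded-Proto", "")
    return forwarded.split(",")[0].strip().lower() == "https"


def force_ssl_middleware(scheme: str, headers: Headers, path: str) -> Tuple[int, Optional[str]]:
    """ActionDispatch::SSL reduced to its decision: serve when the request
    is SSL, otherwise 301 to the https URL of the same host and path."""
    if request_is_ssl(scheme, headers):
        return 200, None
    return 301, f"https://{HOST}{path}"


def relayd_https_relay(set_forwarded_proto: bool) -> Tuple[str, Headers]:
    """The relayd "https" relay: TLS ends here and the request goes to
    Puma's plain http listener. set_forwarded_proto=True stands for adding
        match request header set "X-Forwarded-Proto" value "https"
    to the "https" protocol block (assumed fix, not from the thread)."""
    headers = {"X-Forwarded-For": "203.0.113.10"}  # constructed client address
    if set_forwarded_proto:
        headers["X-Forwarded-Proto"] = "https"
    return "http", headers


def browser_fetch(set_forwarded_proto: bool, path: str = "/", max_hops: int = 5) -> List[int]:
    """Follow redirects the way a browser does and return the status codes
    seen. max_hops consecutive 301s is the loop Firefox reports."""
    statuses: List[int] = []
    for _ in range(max_hops):
        scheme, headers = relayd_https_relay(set_forwarded_proto)
        status, location = force_ssl_middleware(scheme, headers, path)
        statuses.append(status)
        if status != 301:
            break
        # The Location is https://HOST/path again, so the browser re-enters
        # the same https relay and nothing changes on the next hop.
        assert location == f"https://{HOST}{path}"
    return statuses


if __name__ == "__main__":
    print("without X-Forwarded-Proto:", browser_fetch(False))
    print("with X-Forwarded-Proto:   ", browser_fetch(True))
```

Two practitioner notes on the model. First, use `set` rather than `append` for X-Forwarded-Proto in relayd: `set` overwrites whatever a client sent, so a plain-HTTP client cannot claim it arrived over TLS, whereas `append` would preserve a forged value in front of the proxy's own. Second, a separate observation from the posted s_client output: the certificate chain shows only depth 0, the leaf issued by R3, which means the intermediate is not being served; that is independent of the loop but worth fixing at the same time.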
Re: How to restore vendor-specified MAC address
On Wed, 17 Nov 2021 22:28:50 +0100
Radek wrote:

> On Wed, 17 Nov 2021 17:33:25 - (UTC)
> Stuart Henderson wrote:
>
> > On 2021-11-17, Radek wrote:
> > > On Wed, 17 Nov 2021 11:22:42 +0100
> > > Denis Fondras wrote:
> > >
> > >> On Wed, Nov 17, 2021 at 05:03:42AM +0100, Radek wrote:
> > >> >
> > >> > How can I restore the vendor's MAC address?
> > >> > It is 6.8/amd64.
> > >> >
> > >>
> > >> Check dmesg, it will give you the original MAC address, then ifconfig
> > >> lladdr...
> > >>
> > >
> > > Hello Denis,
> > > dmesg shows my new_MAC.
> > > I know the value of my original MAC address but I used to think that
> > > removing lladdr value from /etc/hostname.if and then reboot restores the
> > > original MAC. It doesn't.
> >
> > How about a power-cycle (rather than just a reboot)?
> I'll do it ASAP.

I've tested the same thing on another box, 6.9/amd64:
PC Engines apu1
coreboot build 20210709
BIOS version v4.14.0.4
SeaBIOS (version rel-1.14.0.1-0-g8610266a)

Reboot doesn't reset the MAC address, but power-cycle does.

> >
> > > Is there any way to "force" OS to restore original MAC address by reading
> > > it from hardware/NIC instead of ifconfig lladdr ...?
> >
> > That's what it normally does.
> >
> > If it's somehow stuck on the new one and a power-cycle doesn't clear it then
> > presumably using lladdr to reset it to the original will stick (look in old
> > boot messages in /var/log/messages.*.gz, dhcp server logs, maybe printed
> > on the motherboard, etc)
> I have a copy of the original MAC and presumably it's not a problem to
> restore it with ifconfig lladdr but I'm trying to find out why
> /etc/netstart (and even reboot) doesn't clear it.
> >
> > --
> > Please keep replies on the mailing list.
> >
>
> --
> Radek
>

--
Radek
Re: How to restore vendor-specified MAC address
On Wed, 17 Nov 2021 17:33:25 - (UTC)
Stuart Henderson wrote:

> On 2021-11-17, Radek wrote:
> > On Wed, 17 Nov 2021 11:22:42 +0100
> > Denis Fondras wrote:
> >
> >> On Wed, Nov 17, 2021 at 05:03:42AM +0100, Radek wrote:
> >> >
> >> > How can I restore the vendor's MAC address?
> >> > It is 6.8/amd64.
> >> >
> >>
> >> Check dmesg, it will give you the original MAC address, then ifconfig
> >> lladdr...
> >>
> >
> > Hello Denis,
> > dmesg shows my new_MAC.
> > I know the value of my original MAC address but I used to think that
> > removing lladdr value from /etc/hostname.if and then reboot restores the
> > original MAC. It doesn't.
>
> How about a power-cycle (rather than just a reboot)?
I'll do it ASAP.

>
> > Is there any way to "force" OS to restore original MAC address by reading
> > it from hardware/NIC instead of ifconfig lladdr ...?
>
> That's what it normally does.
>
> If it's somehow stuck on the new one and a power-cycle doesn't clear it then
> presumably using lladdr to reset it to the original will stick (look in old
> boot messages in /var/log/messages.*.gz, dhcp server logs, maybe printed
> on the motherboard, etc)
I have a copy of the original MAC and presumably it's not a problem to restore it with ifconfig lladdr but I'm trying to find out why /etc/netstart (and even reboot) doesn't clear it.

>
> --
> Please keep replies on the mailing list.
>

--
Radek
Re: How to restore vendor-specified MAC address
On Wed, 17 Nov 2021 17:48:44 +0100 Łukasz Moskała wrote:
> On 17 November 2021 16:39:07 CET, Radek wrote:
> >On Wed, 17 Nov 2021 11:22:42 +0100
> >Denis Fondras wrote:
> >
> >> On Wed, Nov 17, 2021 at 05:03:42AM +0100, Radek wrote:
> >> > How can I restore the vendor's MAC address?
> >> > It is 6.8/amd64.
> >>
> >> Check dmesg, it will give you the original MAC address, then ifconfig
> >> lladdr...
> >
> >Hello Denis,
> >dmesg shows my new_MAC.
> >I know the value of my original MAC address but I used to think that
> >removing the lladdr value from /etc/hostname.if and then rebooting restores the
> >original MAC. It doesn't.
> >Is there any way to "force" the OS to restore the original MAC address by reading it
> >from the hardware/NIC instead of ifconfig lladdr ...?
>
> I have no idea how the lladdr option is handled by the driver, but it looks like
> your network card decided to write new_MAC to its EEPROM chip (where it's
> usually stored).
I thought the same thing.

> Out of curiosity, does linux or any other OS show new_MAC or the vendor's MAC?
It's a production router. I'm planning to replace that box with another one in a few weeks, then I'll do some tests.

bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7ee42040 (9 entries)
bios0: vendor coreboot version "v4.13.0.1" date 11/25/2020
bios0: PC Engines apu1

> --
> Łukasz Moskała
-- Radek
Re: How to restore vendor-specified MAC address
On Wed, 17 Nov 2021 11:22:42 +0100 Denis Fondras wrote:
> On Wed, Nov 17, 2021 at 05:03:42AM +0100, Radek wrote:
> >
> > How can I restore the vendor's MAC address?
> > It is 6.8/amd64.
> >
>
> Check dmesg, it will give you the original MAC address, then ifconfig
> lladdr...
>
Hello Denis,
dmesg shows my new_MAC.
I know the value of my original MAC address but I used to think that removing the lladdr value from /etc/hostname.if and then rebooting restores the original MAC. It doesn't.
Is there any way to "force" the OS to restore the original MAC address by reading it from the hardware/NIC instead of ifconfig lladdr ...?
-- Radek
How to restore vendor-specified MAC address
Hello,
I changed MAC address:

$ cat /etc/hostname.re0
-inet dhcp
lladdr 00:0d:b9:35:39:2e
$ sh /etc/netstart re0

My NIC got new_MAC. Now, I want to restore the vendor's MAC:

$ cat /etc/hostname.re0
-inet dhcp
$ sh /etc/netstart re0

NIC still has the new_MAC.

$ reboot

NIC still has the new_MAC.

How can I restore the vendor's MAC address?
It is 6.8/amd64.
-- Radek
Re: Running redmine on OpenBSD
Hello Werner, thank you for your installation details. I'll give it a try in a few days. On Thu, 11 Nov 2021 23:57:02 +0800 Werner Boninsegna wrote: > Hello Radek, > > I am running Redmine on OpenBSD 6.8 and I just followed the installation > instructions posted on the Redmine page which are quite complete: > > https://www.redmine.org/projects/redmine/wiki/Installation_Guide > > I installed Postgres and Ruby+Dependencies from the OpenBSD packages. > > Werner > > On 11/10/21 00:56, Radek wrote: > > Hi @misc, > Does anyone successfully run redmine[1] on OpenBSD? > I'd like to install redmine on 7.0/amd64 with httpd and postgresql. I've > never done it before so any advices and hints would be appreciated. > There isn't much up to date info in google about it[2][3]. > > 1. https://www.redmine.org/ 2. > https://www.redmine.org/boards/2/topics/496 3. > https://web.archive.org/web/20160406041905/http://www.iwebdev.it/blog/?p=229 > Thank you! -- Radek
Re: Running redmine on OpenBSD
Hello Michael,
Thank you for your reply. Actually I'm not new to OpenBSD but it's gonna be my first Redmine installation. That's why I wanted to know if there are any well known issues with Redmine vs OpenBSD. It's good to know that the Redmine installation doesn't require any special effort.

On Wed, 10 Nov 2021 20:00:39 +0100 Michael Hekeler wrote:
> On 09.11.21 17:56 Radek wrote:
> > Hi @misc,
> > Does anyone successfully run redmine[1] on OpenBSD?
> > I'd like to install redmine on 7.0/amd64 with httpd and postgresql. I've
> > never done it before so any advice and hints would be appreciated.
>
> Best way is to begin with your setup and then when you encounter
> problems ask your questions with giving details of what you have done,
> what you expect, what is not working and so on.
>
> > There isn't much up to date info in google about it[2][3].
>
> Just begin to setup httpd (it's already in base) and see the manpages.
> Don't try to find tutorials on google - most of them are outdated or
> describe things that do not fit your own environment.
>
> Next step is to install postgresql. It's in packages, so you can do it
> with `pkg_add postgresql`. Here again read the manpage and pkg-readme.
>
> > 1. https://www.redmine.org/
> > 2. https://www.redmine.org/boards/2/topics/496
> > 3. https://web.archive.org/web/20160406041905/http://www.iwebdev.it/blog/?p=229
> >
> > Thank you!
> > --
> > Radek
-- Radek
Running redmine on OpenBSD
Hi @misc,
Does anyone successfully run redmine[1] on OpenBSD?
I'd like to install redmine on 7.0/amd64 with httpd and postgresql. I've never done it before so any advice and hints would be appreciated.
There isn't much up-to-date info in google about it[2][3].

1. https://www.redmine.org/
2. https://www.redmine.org/boards/2/topics/496
3. https://web.archive.org/web/20160406041905/http://www.iwebdev.it/blog/?p=229

Thank you!
-- Radek
Re: npppd - changing clients' route table
Sorry for the late reply, adding ":framed-ip-netmask=255.255.255.0:" doesn't solve the problem. Tested on Win10. On Mon, 22 Feb 2021 14:55:52 +0900 (JST) YASUOKA Masahiko wrote: > Hi, > > On Sun, 21 Feb 2021 19:18:48 +0100 > Radek wrote: > >> The interface which terminate the tunnel has "192.168.4.254". > >> Right? > > Do you mean the other end of the tunnel? It is 10.109.4.254 > > interface pppx0 address 10.109.4.254 ipcp IPCP > > Sorry, "192.168.4.244" should have been "10.109.4.254". > > >> How about if you configure the npppd-users > >> > >> rdk: > >> :password=pasword:\ > >> :framed-ip-address=10.109.4.254:\ > >> :framed-ip-netmask=255.255.255.0: > >> > >> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP > >> session authenticated by the above "rdk". > > I have tried to configure npppd-users with netmask /24, but it doesnt make > > any changes. Still have all traffic to 10.0.0.0/8 going across the tunnel > > to 10.109.4.254(VPN), but I need to push the traffic to 10.109.3.0/24 > > through the tunnel (via 10.109.4.254) and the rest of 10.0.0.0/8 through > > default gw or sometimes some traffic to 10.0.0.0/8 through another tunnel > > at the same time. Now if the PPP tunnel is established the VPN catches all > > the 10.0.0.0/8 traffic. > > > > The VPN client (Windows7/10) is configured to NOT use the VPN as remote gw. > > > > Example: > > I have a public, static IP. There is configured route to 10.55.0.0/24 at > > the ISP's side and I dont need any VPN tunnel to access 10.55.. > > Somewhere over the rainbow is a router with LAN 10.109.3.0/24 and npppd. > > If I use the PPP tunnel I can acces 10.109.3.0/24 but at the same time I > > can't access 10.55.0.0/24 because all 10.0.0.0/8 goes across the tunnel. > > The route to the natural netmask of the tunnel address, 10.0.0.0/8 in > this case, is configured by Windows automatically. I don't know a way > to stop or override this. 
But by using another addresses for the > tunnel, you can avoid the problem. Also we can use dhcpd(8) to push > routes configuration. > > For example, > > 1. Use 192.168.255.0/24 for the tunnel to avoid the conflict on >10.0.0.0/8. > >ipcp IPCP { > pool-address 192.168.255.1-192.168.255.32 > : >interface pppx0 address 192.168.255.254 ipcp IPCP >--- >rdk: > :password=pasword:\ > :framed-ip-address=192.168.255.32: > > 2. Configure dhcpd > >/etc/dhcpd-l2tp.conf > >subnet 192.168.255.0 netmask 255.255.255.0 { > option classless-ms-static-routes 10.109.3.0/24 192.168.255.254; > option classless-static-routes10.109.3.0/24 192.168.255.254; >} >--- > >$ doas /usr/sbin/dhcpd -u255.255.255.255 -c /etc/dhcpd-l2tp.conf > > > On Sun, 21 Feb 2021 23:18:19 +0900 (JST) > > YASUOKA Masahiko wrote: > > > >> Hello, > >> > >> On Sat, 20 Feb 2021 21:14:24 +0100 > >> Radek wrote: > >> > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw > >> > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254. > >> > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 > >> > goes via 10.109.4.254 > >> > > >> > client> route print > >> > Network Destination Netmask Gateway Interface Metric > >> > 0.0.0.0 0.0.0.0 192.168.1.1 > >> > 192.168.1.101 20 > >> > 10.0.0.0 255.0.0.0 10.109.4.254 > >> > 10.109.4.1 21 > >> > 10.109.4.1 255.255.255.255 On-link > >> > 10.109.4.1276 > >> > [...] > >> > >> The interface which terminate the tunnel has "192.168.4.254". > >> Right? > >> > >> > $ cat /etc/npppd/npppd-users > >> > rdk:\ > >> > :password=pasword:\ > >> > :framed-ip-address=10.109.4.1: > >> > #:framed-ip-netmask=255.255.255.0: > >> > >> How about if you configure the npppd-users > >> > >> rdk: > >> :password=pasword:\ > >> :framed-ip-address=10.109.4.254:\ > >> :framed-ip-netmask=255.255.255.0: > >> > >> ? > >> > >> The server (npppd) will configure a route for 10.109.4.0/24 to the PPP > >> session authenticated by t
Fw: Re: VLANs isolation
Hello Rosen,

> - block out on vlan received-on vlan
> is redundant, it is never going to be used, you already have block all
Unfortunately, the traffic passes between vlans without that rule at the end of my rule set. I don't know why...

> - pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
> Because of the direction from - to, this rule will be applied on the inbound
> traffic only
That's exactly what I need. I want clients from one vlan to access devices in another vlan but disable access inversely.

> Also as this is a quick rule, you should move it to the top of your rule set,
> so the traffic that matches this one, does not get evaluated for the rest of
> your rules.
True, thanks for the hint!

On Sat, 17 Jul 2021 10:25:37 -0600 Rosen Iliev wrote:
> Hello Radek,
>
> Your
>
> - block out on vlan received-on vlan
> is redundant, it is never going to be used, you already have block all
>
> - pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
> Because of the direction from - to, this rule will be applied on the inbound
> traffic only, so the rule should be *pass in quick on vlan1003*. Also as this
> is a quick rule, you should move it to the top of your rule set, so the
> traffic that matches this one, does not get evaluated for the rest of your
> rules. I know the pf will optimize that at some point in time.
>
> Regards,
>
> Rosen
>
> Radek wrote on 7/14/2021 08:25:
> > Thank you Claudio for pointing me in the right direction.
> >
> > My testing pf.conf seems to work as expected:
> > - vlan1002:network can ping vlan1003:network only
> > - vlan1003:network can't ping vlan1002:network
> > - there is no routing between other vlans
> >
> > set block-policy drop
> > set loginterface egress
> > set skip on lo0
> > match in all scrub (no-df random-id max-mss 1440)
> > match out on egress inet from !(egress:network) to any nat-to (egress:0)
> > antispoof quick for { egress vlan }
> > block all
> > pass in on egress inet proto tcp to egress port 22
> > pass out quick on egress inet
> > pass on vlan inet to !vlan
> > pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
> > block out on vlan received-on vlan
> >
> > Any other pf tweaks and suggestions would be appreciated.
> >
> > On Tue, 13 Jul 2021 12:25:32 +0200
> > Claudio Jeker wrote:
> >
> >> On Tue, Jul 13, 2021 at 11:34:28AM +0200, Radek wrote:
> >>> Hello,
> >>> I'm going to build a router with +40 vlans.
> >>> I need to block access from every vlan to each other (and then enable
> >>> traffic between certain vlans as needed).
> >>>
> >>> How can I do this? Is there any one-liner pf block rule to do this?
> >> Not really but you can try:
> >>
> >> block out on vlan received-on vlan
> >>
> >> It really matters in how you want to build your filters (outbound or
> >> inbound filtering). Maybe it is better to just start with a block all rule
> >> and slowly allow traffic back. You can use interface groups and pf tags to
> >> help with rule writing.
> >>
> >> --
> >> :wq Claudio
> >>
-- Radek
Re: VLANs isolation
Thank you Claudio for pointing me in the right direction.

My testing pf.conf seems to work as expected:
- vlan1002:network can ping vlan1003:network only
- vlan1003:network can't ping vlan1002:network
- there is no routing between other vlans

set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress vlan }
block all
pass in on egress inet proto tcp to egress port 22
pass out quick on egress inet
pass on vlan inet to !vlan
pass quick on vlan1003 inet from vlan1002:network to vlan1003:network
block out on vlan received-on vlan

Any other pf tweaks and suggestions would be appreciated.

On Tue, 13 Jul 2021 12:25:32 +0200 Claudio Jeker wrote:
> On Tue, Jul 13, 2021 at 11:34:28AM +0200, Radek wrote:
> > Hello,
> > I'm going to build a router with +40 vlans.
> > I need to block access from every vlan to each other (and then enable
> > traffic between certain vlans as needed).
> >
> > How can I do this? Is there any one-liner pf block rule to do this?
>
> Not really but you can try:
>
> block out on vlan received-on vlan
>
> It really matters in how you want to build your filters (outbound or
> inbound filtering). Maybe it is better to just start with a block all rule
> and slowly allow traffic back. You can use interface groups and pf tags to
> help with rule writing.
>
> --
> :wq Claudio
>
-- Radek
VLANs isolation
Hello,
I'm going to build a router with +40 vlans.
I need to block access from every vlan to each other (and then enable traffic between certain vlans as needed).

How can I do this? Is there any one-liner pf block rule to do this?
-- Radek
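Added example for the VLAN isolation thread above: a small generator for a default-deny inter-VLAN pf.conf with a one-way allow-list. This is not the ruleset posted in the thread and not OpenBSD project code. It takes Claudio's framing (decide whether you filter inbound or outbound, start from block all, use the "vlan" interface group) and filters inter-VLAN traffic inbound on the VLAN where it enters the router, so the reverse direction simply never gets a pass rule. Assumptions that are mine, not the thread's: every vlanNNNN interface is in the "vlan" group (the OpenBSD default), and the VLAN networks are known when the config is generated so they can go into a table.

```python
"""Generate a default-deny inter-VLAN pf.conf with a one-way allow-list.

Added example; not the thread's ruleset and not OpenBSD code. Assumes every
vlanNNNN interface is a member of the "vlan" interface group and that the
VLAN networks are known up front.
"""
import ipaddress


def flow_rules(allowed):
    """One 'pass in quick' rule per permitted (src_vlan, dst_vlan) pair.

    vlan1002 -> vlan1003 is admitted on vlan1002, where it enters the router.
    A host in vlan1003 trying to reach vlan1002 arrives on vlan1003, matches
    none of these rules and falls through to the block in generate_pf().
    Replies to admitted flows match state and never reach the rules.
    """
    return [
        f"pass in quick on vlan{src} inet from vlan{src}:network to vlan{dst}:network"
        for src, dst in allowed
    ]


def gateway_rules(vlan_ids):
    """Let each VLAN reach the router's own address on that VLAN only
    (default gateway, DHCP, DNS) without exposing its other VLAN addresses."""
    return [
        f"pass in quick on vlan{v} inet from vlan{v}:network to vlan{v}"
        for v in vlan_ids
    ]


def generate_pf(vlan_nets, allowed, egress="egress"):
    """Return pf.conf text.

    vlan_nets: {vlan_id: "cidr"} for every VLAN interface on the router
    allowed:   iterable of (src_vlan_id, dst_vlan_id) one-way exceptions
    """
    for src, dst in allowed:
        if src not in vlan_nets or dst not in vlan_nets:
            raise ValueError(f"flow {src}->{dst} references an unknown VLAN")
        if src == dst:
            raise ValueError("intra-VLAN traffic is switched, not routed")
    nets = sorted(ipaddress.ip_network(n, strict=True) for n in vlan_nets.values())
    lines = [
        "set block-policy drop",
        f"set loginterface {egress}",
        "set skip on lo0",
        "table <vlan_nets> const { " + ", ".join(str(n) for n in nets) + " }",
        "match in all scrub (no-df random-id max-mss 1440)",
        f"match out on {egress} inet from !({egress}:network) to any nat-to ({egress}:0)",
        f"antispoof quick for {{ {egress} vlan }}",
        "block all",
        f"pass in on {egress} inet proto tcp to {egress} port 22",
        f"pass out quick on {egress} inet",
    ]
    # exceptions come first: quick rules end evaluation at the first match
    lines += flow_rules(allowed)
    lines += gateway_rules(sorted(vlan_nets))
    lines += [
        # any other packet from a VLAN host towards any VLAN network is dropped
        "block in quick on vlan inet to <vlan_nets>",
        # what is left is bound for the internet
        "pass in on vlan inet",
        # a forwarded packet only leaves via a VLAN after an inbound rule or an
        # existing state admitted it, so outbound just lets admitted traffic go
        "pass out on vlan inet",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: three VLANs, only 1002 may initiate towards 1003
    print(generate_pf({1002: "10.109.2.0/24", 1003: "10.109.3.0/24",
                       1004: "10.109.4.0/24"}, [(1002, 1003)]))
```

Feed the output to `pfctl -nf -` before loading it, and add the allow-list pairs one at a time, which is the "block all and slowly allow traffic back" approach from the thread with the direction question settled once instead of per rule.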
Re: DHCPd - option capwap (code 138)
Update.
My conf seems to work as expected, but it took a few hours for the APs to find the controller. Since then even new APs find the controller in a few minutes.

Controller: Alcatel-Lucent OmniVista 2500
APs: OAW-AP1321-RW

Thanks for your help!

On Mon, 10 May 2021 15:30:01 +0200 Radek wrote:
> Thank you Denis, Stu,
>
> I added option-138, the syntax is correct now but the AP doesn't connect to
> the Controller.
> Did I miss any other option(s) in my dhcpd.conf or should I look for the
> reason at the Controller side?
>
> subnet 10.109.3.0 netmask 255.255.255.0 {
>         option routers 10.109.3.254;
>         range 10.109.3.201 10.109.3.220;
>         #option option-138 10.109.3.100;
>         option option-138 A:6D:3:64;
>
>         host [...]
>
> On Thu, 6 May 2021 11:45:43 +0200
> Denis Fondras wrote:
>
> > On Thu, May 06, 2021 at 10:48:55AM +0200, Radek wrote:
> > > Hello,
> > > I want to use dhcpd server to push the Wireless Controller's IP address to
> > > the APs.
> > >
> > > According to this:
> > > http://systemnetworksecurity.blogspot.com/2013/02/adding-custom-options-in-isc-dhcpds.html
> > > https://www.secuvera.de/blog/capwap-dhcp-option-138-auf-isc-dhcpd-server-einrichten/
> > > I need to add *option capwap* to /etc/dhcpd.conf
> > >
> > > option capwap code 138 = ip-address; #Custom Option capwap
> > > option capwap 192.168.1.110; #WLAN-Controller-IP
> > >
> >
> > Have you tried something like :
> >
> > option option-138 C0:A8:01:6E;
> >
> > ?
> >
>
> --
> Radek
>
-- Radek
Re: DHCPd - option capwap (code 138)
Thank you Denis, Stu,

I added option-138, the syntax is correct now but the AP doesn't connect to the Controller.
Did I miss any other option(s) in my dhcpd.conf or should I look for the reason at the Controller side?

subnet 10.109.3.0 netmask 255.255.255.0 {
        option routers 10.109.3.254;
        range 10.109.3.201 10.109.3.220;
        #option option-138 10.109.3.100;
        option option-138 A:6D:3:64;

        host [...]

On Thu, 6 May 2021 11:45:43 +0200 Denis Fondras wrote:
> On Thu, May 06, 2021 at 10:48:55AM +0200, Radek wrote:
> > Hello,
> > I want to use dhcpd server to push the Wireless Controller's IP address to the
> > APs.
> >
> > According to this:
> > http://systemnetworksecurity.blogspot.com/2013/02/adding-custom-options-in-isc-dhcpds.html
> > https://www.secuvera.de/blog/capwap-dhcp-option-138-auf-isc-dhcpd-server-einrichten/
> > I need to add *option capwap* to /etc/dhcpd.conf
> >
> > option capwap code 138 = ip-address; #Custom Option capwap
> > option capwap 192.168.1.110; #WLAN-Controller-IP
> >
>
> Have you tried something like :
>
> option option-138 C0:A8:01:6E;
>
> ?
>
-- Radek
DHCPd - option capwap (code 138)
Hello,
I want to use dhcpd server to push the Wireless Controller's IP address to the APs.

According to this:
http://systemnetworksecurity.blogspot.com/2013/02/adding-custom-options-in-isc-dhcpds.html
https://www.secuvera.de/blog/capwap-dhcp-option-138-auf-isc-dhcpd-server-einrichten/
I need to add *option capwap* to /etc/dhcpd.conf

option capwap code 138 = ip-address; #Custom Option capwap
option capwap 192.168.1.110; #WLAN-Controller-IP

I can't find the capwap option in dhcp-options(5) in OpenBSD.
How can I do what I need using other options/configuration?
Thanks!
-- Radek
Fw: Re: npppd - changing clients' route table
Hello, > The interface which terminate the tunnel has "192.168.4.254". > Right? Do you mean the other end of the tunnel? It is 10.109.4.254 interface pppx0 address 10.109.4.254 ipcp IPCP > How about if you configure the npppd-users > > rdk: > :password=pasword:\ > :framed-ip-address=10.109.4.254:\ > :framed-ip-netmask=255.255.255.0: > > The server (npppd) will configure a route for 10.109.4.0/24 to the PPP > session authenticated by the above "rdk". I have tried to configure npppd-users with netmask /24, but it doesnt make any changes. Still have all traffic to 10.0.0.0/8 going across the tunnel to 10.109.4.254(VPN), but I need to push the traffic to 10.109.3.0/24 through the tunnel (via 10.109.4.254) and the rest of 10.0.0.0/8 through default gw or sometimes some traffic to 10.0.0.0/8 through another tunnel at the same time. Now if the PPP tunnel is established the VPN catches all the 10.0.0.0/8 traffic. The VPN client (Windows7/10) is configured to NOT use the VPN as remote gw. Example: I have a public, static IP. There is configured route to 10.55.0.0/24 at the ISP's side and I dont need any VPN tunnel to access 10.55.. Somewhere over the rainbow is a router with LAN 10.109.3.0/24 and npppd. If I use the PPP tunnel I can acces 10.109.3.0/24 but at the same time I can't access 10.55.0.0/24 because all 10.0.0.0/8 goes across the tunnel. On Sun, 21 Feb 2021 23:18:19 +0900 (JST) YASUOKA Masahiko wrote: > Hello, > > On Sat, 20 Feb 2021 21:14:24 +0100 > Radek wrote: > > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw > > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254. > > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 goes > > via 10.109.4.254 > > > > client> route print > > Network Destination Netmask Gateway Interface Metric > > 0.0.0.0 0.0.0.0 192.168.1.1 > > 192.168.1.101 20 > > 10.0.0.0 255.0.0.0 10.109.4.254 > > 10.109.4.1 21 > > 10.109.4.1 255.255.255.255 On-link10.109.4.1 > > 276 > > [...] 
> > The interface which terminate the tunnel has "192.168.4.254". > Right? > > > $ cat /etc/npppd/npppd-users > > rdk:\ > > :password=pasword:\ > > :framed-ip-address=10.109.4.1: > > #:framed-ip-netmask=255.255.255.0: > > How about if you configure the npppd-users > > rdk: > :password=pasword:\ > :framed-ip-address=10.109.4.254:\ > :framed-ip-netmask=255.255.255.0: > > ? > > The server (npppd) will configure a route for 10.109.4.0/24 to the PPP > session authenticated by the above "rdk". > > > On Sat, 20 Feb 2021 21:14:24 +0100 > Radek wrote: > > Hi, > > I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw > > 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254. > > If the client is conencted to VPN all client's traffic to 10.0.0.0/8 goes > > via 10.109.4.254 > > > > client> route print > > Network Destination Netmask Gateway Interface Metric > > 0.0.0.0 0.0.0.0 192.168.1.1 > > 192.168.1.101 20 > > 10.0.0.0 255.0.0.0 10.109.4.254 > > 10.109.4.1 21 > > 10.109.4.1 255.255.255.255 On-link10.109.4.1 > > 276 > > [...] > > > > I need to redirect the traffic to 10.109.4.254 only if it goes to the > > remote LAN (10.109.3.0/24), the rest should go via def gw. > > How can I configure it on the router/server side ? > > > > $ cat /etc/npppd/npppd.conf > > # $OpenBSD: npppd.conf,v 1.3 2020/01/23 03:01:22 dlg Exp $ > > # sample npppd configuration file. see npppd.conf(5) > > > > set max-session 200 > > set user-max-session 4 > > > > authentication LOCAL type local { > > users-file "/etc/npppd/npppd-users" > > } > > tunnel L2TP protocol l2tp { > > listen on X.X.X.X > > } > > > > ipcp IPCP { > > pool-address 10.109.4.1-10.109.4.32 > > dns-servers 1.1.1.1 > > } > > > > # use pppx(4) interface. use an interface per a ppp session. 
> > interface pppx0 address 10.109.4.254 ipcp IPCP > > bind tunnel from L2TP authenticated by LOCAL to pppx0 > > > > $ cat /etc/npppd/npppd-users > > rdk:\ > > :password=pasword:\ > > :framed-ip-address=10.109.4.1: > > #:framed-ip-netmask=255.255.255.0: > > > > $ dmesg | head > > OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021 > > > > r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP > > > > -- > > Radek > > > -- Radek
npppd - changing clients' route table
Hi,
I have a router with VPN server (npppd). LAN net is 10.109.3.0/24, gw 10.109.3.254, the VPN net is 10.109.4.0/24, gw 10.109.4.254.
If the client is connected to VPN all client's traffic to 10.0.0.0/8 goes via 10.109.4.254

client> route print
Network Destination    Netmask          Gateway         Interface       Metric
0.0.0.0                0.0.0.0          192.168.1.1     192.168.1.101   20
10.0.0.0               255.0.0.0        10.109.4.254    10.109.4.1      21
10.109.4.1             255.255.255.255  On-link         10.109.4.1      276
[...]

I need to redirect the traffic to 10.109.4.254 only if it goes to the remote LAN (10.109.3.0/24), the rest should go via def gw.
How can I configure it on the router/server side?

$ cat /etc/npppd/npppd.conf
# $OpenBSD: npppd.conf,v 1.3 2020/01/23 03:01:22 dlg Exp $
# sample npppd configuration file. see npppd.conf(5)

set max-session 200
set user-max-session 4

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}
tunnel L2TP protocol l2tp {
        listen on X.X.X.X
}

ipcp IPCP {
        pool-address 10.109.4.1-10.109.4.32
        dns-servers 1.1.1.1
}

# use pppx(4) interface. use an interface per a ppp session.
interface pppx0 address 10.109.4.254 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

$ cat /etc/npppd/npppd-users
rdk:\
        :password=pasword:\
        :framed-ip-address=10.109.4.1:
#       :framed-ip-netmask=255.255.255.0:

$ dmesg | head
OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021
    r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
-- Radek
Re: OpenSMTPD is not sending e-mail.
Hi,
a few days ago all my boxes using the same ISP stopped sending me emails from local users and daemons (daily outputs and any other cronjob reports) to @gmail.com. I have tried to send email to a few not_gmail mailboxes - the same problem. If I send emails from other boxes (using another ISP), they are received correctly.
The telnet test doesn't show the "220 mx.google." line. Does it mean that port 25 is blocked by the ISP?

$ telnet gmail-smtp-in.l.google.com 25
Trying 173.194.220.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
Connection closed by foreign host.

$ smtpctl remove all
14 envelopes removed
$ echo test-123 | mail -s test-123 a...@gmail.com
$ tail -n 30 /var/log/maillog
Jan 28 20:06:43 fw66-krz smtpd[69953]: 717b813accae5132 smtp connected address=local host=fw66-krz.krz
Jan 28 20:06:43 fw66-krz smtpd[69953]: 717b813accae5132 smtp message msgid=ba93721b size=331 nrcpt=1 proto=ESMTP
Jan 28 20:06:43 fw66-krz smtpd[69953]: 717b813accae5132 smtp envelope evpid=ba93721b7de7a76f from= to=
Jan 28 20:06:43 fw66-krz smtpd[69953]: 717b813accae5132 smtp disconnected reason=quit
Jan 28 20:06:57 fw66-krz smtpd[69953]: 717b8138ac37b4db mta error reason=Connection closed unexpectedly
Jan 28 20:06:57 fw66-krz smtpd[69953]: smtp-out: Disabling route [] <-> 142.250.96.27 (142.250.96.27) for 15s
Jan 28 20:07:12 fw66-krz smtpd[69953]: smtp-out: Enabling route [] <-> 142.250.96.27 (142.250.96.27)
Jan 28 20:07:14 fw66-krz smtpd[69953]: 717b8139462f1927 mta error reason=Connection closed unexpectedly
Jan 28 20:07:14 fw66-krz smtpd[69953]: smtp-out: Disabling route [] <-> 108.177.112.27 (108.177.112.27) for 15s
Jan 28 20:07:14 fw66-krz smtpd[69953]: 717b813c3c64b02d mta connecting address=smtp://142.250.96.27:25 host=142.250.96.27
Jan 28 20:07:14 fw66-krz smtpd[69953]: 717b813c3c64b02d mta connected
Jan 28 20:07:29 fw66-krz smtpd[69953]: smtp-out: Enabling route [] <-> 108.177.112.27 (108.177.112.27)
Jan 28 20:07:30 fw66-krz smtpd[69953]: 717b813ddb20a2c5 mta connecting address=smtp://108.177.112.27:25 host=108.177.112.27
Jan 28 20:07:30 fw66-krz smtpd[69953]: 717b813ddb20a2c5 mta connected

On Tue, 26 Jan 2021 11:26:17 - (UTC) Stuart Henderson wrote:
> On 2021-01-25, latincom wrote:
> > It had worked for many years; but this time OpenBSD 6.8; server and
> > Laptop, are not working as the man page says.
> >
> > I did an empiric test, because i am not qualified for a real test.
> >
> > Both are not able to send messages (e-mails), to other machines.
> > The message at maillog is the same:
> >
> > result="TempFail" stat="Network error on destination MXs"
>
> Perhaps your ISP blocks port 25. What do you get if you type
> "telnet gmail-smtp-in.l.google.com 25"? It should go something
> like this:
>
> $ telnet gmail-smtp-in.l.google.com 25
> Trying 66.102.1.27...
> Connected to gmail-smtp-in.l.google.com.
> Escape character is '^]'.
> 220 mx.google.com ESMTP k2si3832128wrm.242 - gsmtp
> quit
> 221 2.0.0 closing connection k2si3832128wrm.242 - gsmtp
> Connection closed by foreign host.
>
>
-- Radek
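Added example for the thread above: the telnet test Stuart describes, turned into a check that can run unattended and that separates the outcomes the manual test blurs together. This is not code from the thread and not OpenSMTPD code. The signal is the one Stuart points at: a working MX sends a `220` banner right after the TCP handshake. "Connected" followed by an immediate close with no banner, which is what Radek saw, is the pattern of a middlebox that completes the handshake and then drops the session, and it is what smtpd(8) logged above as "Connection closed unexpectedly". A refused connection or a SYN that never completes are different symptoms and get their own verdicts. The connection objects in `smoke_test()` are constructed here for offline use; `tcp_connect()` is what a real probe would pass in.

```python
"""Classify a TCP/25 probe: banner, closed without banner, refused, or silent.
Added example, not from the thread and not OpenSMTPD code.
"""
import socket

BANNER_TIMEOUT = 10.0


def parse_banner(line):
    """Return (code, text) for an SMTP reply line, or None if it is not one."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    if len(text) < 3 or not text[:3].isdigit():
        return None
    if len(text) > 3 and text[3] not in " -":
        return None
    return int(text[:3]), text[4:]


def classify(connect, host, port=25):
    """Probe host:port once via connect(host, port, timeout) and return a verdict.

    Verdicts: ('banner', (code, text)), ('closed-no-banner', None),
    ('timeout-no-banner', None), ('refused', None), ('connect-timeout', None),
    ('unreachable', None).
    """
    try:
        conn = connect(host, port, BANNER_TIMEOUT)
    except ConnectionRefusedError:
        return ("refused", None)          # RST: nothing listening, or a rejecting filter
    except socket.timeout:
        return ("connect-timeout", None)  # SYN silently dropped
    except OSError:
        return ("unreachable", None)
    try:
        line = conn.readline()
    except socket.timeout:
        return ("timeout-no-banner", None)  # handshake done, peer never speaks
    finally:
        conn.close()
    if not line:
        return ("closed-no-banner", None)   # Radek's case: FIN before any 220
    return ("banner", parse_banner(line))


def tcp_connect(host, port, timeout):
    """Real connector: a buffered reader over a TCP socket with a read timeout."""
    return socket.create_connection((host, port), timeout=timeout).makefile("rb")


class FakeConn:
    """Constructed stand-in for the reader: canned bytes, or an exception to raise."""

    def __init__(self, data):
        self.data = data

    def readline(self):
        if isinstance(self.data, BaseException):
            raise self.data
        return self.data

    def close(self):
        pass


def _refuse(host, port, timeout):
    raise ConnectionRefusedError("connection refused")


def smoke_test():
    """classify() against four constructed outcomes; returns {name: verdict}."""
    cases = {
        "working-mx": lambda h, p, t: FakeConn(b"220 mx.example.net ESMTP ready\r\n"),
        "close-no-banner": lambda h, p, t: FakeConn(b""),
        "reset": _refuse,
        "silent-peer": lambda h, p, t: FakeConn(socket.timeout()),
    }
    return {name: classify(fn, "gmail-smtp-in.l.google.com")[0] for name, fn in cases.items()}


if __name__ == "__main__":
    print(smoke_test())
    # live probe, e.g. from the box that cannot deliver:
    # print(classify(tcp_connect, "gmail-smtp-in.l.google.com"))
```

Run the live probe from the affected box and from one on a different ISP; a `closed-no-banner` verdict on one and `banner` on the other confirms the path, not the MX, is the problem, which is what Radek's comparison of the two ISPs already suggested.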
Fw: Re: How to request a specific IP address from DHCP server
Forward.

Begin forwarded message:

Date: Thu, 21 Jan 2021 16:32:55 +0100
From: Radek
To: Allan Streib
Subject: Re: How to request a specific IP address from DHCP server

> Can you configure a permanent IP address in the client configuration
> (hostname.if file) that is outside the range that DHCP allocates, but
> still on the same network?
I'm trying to find a way to use a permanent IP address that is inside the dynamic DHCP range and I want to configure it on the client side. I just want to know if there is any way to do it.

On Tue, 19 Jan 2021 23:25:29 -0500 Allan Streib wrote:
> Radek writes:
>
> > I don't have access to the DHCP server side. That's the problem and
> > I'm trying to find a way to have the same IP address at any time. The
> > client is permanently connected to the network.
>
> Can you configure a permanent IP address in the client configuration
> (hostname.if file) that is outside the range that DHCP allocates, but
> still on the same network?
>
> Allan
-- Radek
-- Radek
Re: How to request a specific IP address from DHCP server
> Instead of requesting a specific address, have you tried to supersede
> the given one with your address in /etc/dhclient.conf?
Yes, I have tried, but it doesn't work as expected.

$ cat /etc/dhclient.conf
supersede dhcp-requested-address 192.168.1.104;
$ dhclient -v vr0
vr0: DHCPREQUEST to 255.255.255.255
vr0: DHCPACK from 192.168.1.1 (b0:48:7a:a5:86:15)
vr0: 192.168.1.103 lease accepted from 192.168.1.1 (b0:48:7a:a5:86:15)

Even if the "supersede" option changes the given IP address to my_address, I'm afraid it's not what I need because the given IP address is in /var/db/dhcpd.leases (instead of my_address) and DHCPD can give my_address to another client. Am I right?

On Wed, 20 Jan 2021 09:38:13 +0100 Marco Scholz wrote:
> On Tue, Jan 19, 2021 at 08:56:39PM +0100, Radek wrote:
> > I can't manage to request a specific IP address from DHCP server.
> [...]
>
> Instead of requesting a specific address, have you tried to supersede
> the given one with your address in /etc/dhclient.conf?
>
> man dhclient.conf
>
>
> Marco.
>
-- Radek
Re: How to request a specific IP address from DHCP server
> You're using the wrong tool for the job, use an address reservation
> bound to the client MAC on the DHCP server instead.
I don't have access to the DHCP server side. That's the problem and I'm trying to find a way to have the same IP address at any time. The client is permanently connected to the network.

> configuration changes at the server end.
Nobody touches the server end.

On Tue, 19 Jan 2021 21:05:21 + Peter Kay wrote:
> On Tue, 19 Jan 2021 at 20:57, Radek wrote:
> >
> > Hi,
> > I can't manage to request a specific IP address from DHCP server. It is
> > just a testing lab, the requested IP address (.104) isn't used by any
> > other client. What am I doing wrong?
> You're using the wrong tool for the job, use an address reservation
> bound to the client MAC on the DHCP server instead.
>
> Whether or not requesting an address client side works, at any time it
> could fail due to a change in leases allocated to other clients, or
> configuration changes at the server end. If a specific IP is needed,
> use reservations instead.
>
> PK
>
-- Radek
How to request a specific IP address from DHCP server
Hi,
I can't manage to request a specific IP address from DHCP server. It is just a testing lab, the requested IP address (.104) isn't used by any other client. What am I doing wrong?

$ cat /etc/hostname.vr0
-inet dhcp
$ cat /etc/dhclient.conf
send dhcp-requested-address 192.168.1.104;
$ sh /etc/netstart vr0
vr0: 192.168.1.103 lease accepted from 192.168.1.1 (b0:48:7a:a5:86:15)
$ dhclient -v vr0
vr0: DHCPREQUEST to 255.255.255.255
vr0: DHCPACK from 192.168.1.1 (b0:48:7a:a5:86:15)
vr0: 192.168.1.103 lease accepted from 192.168.1.1 (b0:48:7a:a5:86:15)

Thanks for any help.
-- Radek
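Added example for the thread above: what `send dhcp-requested-address` actually puts on the wire, and how to tell from the server's reply whether it was honoured. This is not code from the thread and not dhclient(8) code. The packet layout is RFC 2131 (236-byte fixed header, magic cookie, TLV options, 0xff end) with RFC 2132 option codes: 53 message type, 50 requested IP address, 54 server identifier. The DHCPACK in `example_exchange()` is constructed here from the thread's addresses and a locally administered MAC; a real server fills in yiaddr as it sees fit and may ignore option 50 entirely, which is the behaviour Radek ran into and the reason the replies point at a server-side reservation.

```python
"""Build the DHCPDISCOVER that carries option 50 and check a reply against it.
Added example, not from the thread and not dhclient(8) code.
"""
import struct
import ipaddress

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
MAGIC = b"\x63\x82\x53\x63"
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # op .. file, 236 bytes


def _tlv(code, value):
    return bytes([code, len(value)]) + value


def _header(op, xid, mac, yiaddr="0.0.0.0"):
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero4 = b"\0" * 4
    # op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags (broadcast bit),
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    return HDR.pack(op, 1, 6, 0, xid, 0, 0x8000, zero4,
                    ipaddress.IPv4Address(yiaddr).packed, zero4, zero4,
                    chaddr, b"\0" * 64, b"\0" * 128)


def build_discover(xid, mac, requested_ip=None):
    """Client -> broadcast. Option 50 is a hint; the server is free to ignore it."""
    opts = _tlv(53, bytes([DISCOVER]))
    if requested_ip:
        opts += _tlv(50, ipaddress.IPv4Address(requested_ip).packed)
    return _header(1, xid, mac) + MAGIC + opts + b"\xff"


def build_reply(xid, mac, msg_type, yiaddr, server_ip):
    """Server -> client (OFFER or ACK). Constructed here to stand in for a server."""
    opts = _tlv(53, bytes([msg_type])) + _tlv(54, ipaddress.IPv4Address(server_ip).packed)
    return _header(2, xid, mac, yiaddr) + MAGIC + opts + b"\xff"


def parse(pkt):
    f = HDR.unpack_from(pkt)
    if pkt[HDR.size:HDR.size + 4] != MAGIC:
        raise ValueError("magic cookie missing: not a DHCP message")
    opts, i = {}, HDR.size + 4
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                      # pad octet
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "options": opts}


def compare(request_pkt, reply_pkt):
    """Match a reply to our request (xid and chaddr) and report on option 50."""
    req, rep = parse(request_pkt), parse(reply_pkt)
    if rep["op"] != 2 or rep["xid"] != req["xid"] or rep["chaddr"] != req["chaddr"]:
        raise ValueError("reply is not for this transaction")
    wanted = req["options"].get(50)
    server = rep["options"].get(54)
    requested = str(ipaddress.IPv4Address(wanted)) if wanted else None
    return {
        "requested": requested,
        "offered": rep["yiaddr"],
        "server": str(ipaddress.IPv4Address(server)) if server else None,
        "honored": requested is not None and requested == rep["yiaddr"],
    }


def example_exchange():
    """The thread's outcome: .104 requested, .103 handed out by 192.168.1.1."""
    mac = "02:00:00:00:00:01"                # constructed, locally administered
    xid = 0x3903F326
    disc = build_discover(xid, mac, "192.168.1.104")
    ack = build_reply(xid, mac, ACK, "192.168.1.103", "192.168.1.1")
    return compare(disc, ack)


if __name__ == "__main__":
    print(example_exchange())
```

Whatever the client sends in option 50, the address it gets is the one in the server's yiaddr field and in the server's lease file, which is the point Peter and Marco make: without a reservation on the server, `send` or `supersede` on the client cannot stop the server from handing the same address to someone else.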
Re: npppd - problem with simultaneous sessions
Hi,

> When the problem is happening, is the counter "dropped due to missing
> IPsec protection" incremented?

Yes, it is.

No VPN session:

$ netstat -sp udp
udp:
        360413 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        39898 with no checksum
        108780 input packets software-checksummed
        135430 output packets software-checksummed
        187992 dropped due to no socket
        50819 broadcast/multicast datagrams dropped due to no socket
        970 dropped due to missing IPsec protection
        0 dropped due to full socket buffers
        121602 delivered
        222326 datagrams output
        285255 missed PCB cache

First VPN session:

$ netstat -sp udp
udp:
        360863 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        40104 with no checksum
        108780 input packets software-checksummed
        135518 output packets software-checksummed
        188056 dropped due to no socket
        50885 broadcast/multicast datagrams dropped due to no socket
        970 dropped due to missing IPsec protection
        0 dropped due to full socket buffers
        121922 delivered
        222532 datagrams output
        285534 missed PCB cache

Second VPN session (the first session was disconnected):

[root@@fw-u/home/rdk:]netstat -sp udp
udp:
        361306 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        40446 with no checksum
        108780 input packets software-checksummed
        135660 output packets software-checksummed
        188109 dropped due to no socket
        50888 broadcast/multicast datagrams dropped due to no socket
        977 dropped due to missing IPsec protection
        0 dropped due to full socket buffers
        122309 delivered
        222708 datagrams output
        285800 missed PCB cache

and after ~2 minutes:

[root@@fw-u/home/rdk:]netstat -sp udp
udp:
        361814 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        40862 with no checksum
        108780 input packets software-checksummed
        135837 output packets software-checksummed
        188150 dropped due to no socket
        50900 broadcast/multicast datagrams dropped due to no socket
        1005 dropped due to missing IPsec protection
        0 dropped due to full socket buffers
        122764 delivered
        222912 datagrams output
        286078 missed PCB cache

On Fri, 08 Jan 2021 18:15:37 +0900 (JST)
YASUOKA Masahiko wrote:

> Hi,
>
> >> It seems that only last person can use the tunnel. This reminds me
> >> problems through NAT.
> > True. Can it be caused by wrong PF rules?
>
> No, I don't think so.
>
> I suppose I could repeat the problem.
>
> When the problem is happening, is the counter "dropped due to missing
> IPsec protection" incremented?
>
> % netstat -sp udp
> udp:
>         655 datagrams received
>         0 with incomplete header
>         0 with bad data length field
>         0 with bad checksum
>         297 with no checksum
>         356 input packets software-checksummed
>         236 output packets software-checksummed
>         46 dropped due to no socket
>         0 broadcast/multicast datagrams dropped due to no socket
>         3 dropped due to missing IPsec protection
>         0 dropped due to full socket buffers
>         609 delivered
>         236 datagrams output
>         354 missed PCB cache
>
> I started looking into this problem.
>
> On Thu, 7 Jan 2021 09:45:07 +0100
> radek wrote:
> > Hi,
> >
> >> It seems that only last person can use the tunnel. This reminds me
> >> problems through NAT.
> > True. Can it be caused by wrong PF rules?
> >
> >> Both sessions seem to be connected from A.B.C.D. Are the clients
> >> behind a NAT?
> > Yes, both clients are behind the same router/NAT.
> > I have a 66/i386 box running npppd in production and my two clients
> > can be connected at the same time flawlessly.
> >
> >> How about the npppd side? Does the client directly connect to
> >>
> >> > tunnel L2TP protocol l2tp {
> >> > listen on X.Y.Z.13
> >> > }
> >>
> >> X.Y.Z.13 ? Or a NAT is there?
> > It is directly connected to X.Y.Z.13, no NAT.
> >
> > On Thu, 07 Jan 2021 16:27:57 +0900 (JST)
> > YASUOKA Masahiko wrote:
> >
> >> Hi,
> >>
> >> On Wed, 6 Jan 2021 21:33:49 +0100
> >> Radek wrote:
> >> > I have a box with relatively fresh install of 6
Re: npppd - problem with simultaneous sessions
Hi,

> It seems that only last person can use the tunnel. This reminds me
> problems through NAT.
True. Can it be caused by wrong PF rules?

> Both sessions seem to be connected from A.B.C.D. Are the clients
> behind a NAT?
Yes, both clients are behind the same router/NAT.
I have a 66/i386 box running npppd in production and my two clients can be connected at the same time flawlessly.

> How about the npppd side? Does the client directly connect to
>
> > tunnel L2TP protocol l2tp {
> > listen on X.Y.Z.13
> > }
>
> X.Y.Z.13 ? Or a NAT is there?
It is directly connected to X.Y.Z.13, no NAT.

On Thu, 07 Jan 2021 16:27:57 +0900 (JST)
YASUOKA Masahiko wrote:

> Hi,
>
> On Wed, 6 Jan 2021 21:33:49 +0100
> Radek wrote:
> > I have a box with relatively fresh install of 68/amd64, fully
> > syspatched. There is a npppd server running on it. The problem is
> > that I can have only one nppp session at one time. If the second
> > vpn user connects the box, the first nppp session hangs/drops. I
> > probably have missed something obvious in my setup but I really
> > can't find what it is.
>
> It seems that only last person can use the tunnel. This reminds me
> problems through NAT.
>
> > Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.1 iface=pppx0
> > Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.11 iface=pppx0
>
> Both sessions seem to be connected from A.B.C.D. Are the clients
> behind a NAT?
>
> How about the npppd side? Does the client directly connect to
>
> > tunnel L2TP protocol l2tp {
> > listen on X.Y.Z.13
> > }
>
> X.Y.Z.13 ? Or a NAT is there?
>
> On Wed, 6 Jan 2021 21:33:49 +0100
> Radek wrote:
> > Hi @misc,
> >
> > I have a box with relatively fresh install of 68/amd64, fully
> > syspatched. There is a npppd server running on it. The problem is
> > that I can have only one nppp session at one time. If the second
> > vpn user connects the box, the first nppp session hangs/drops. I
> > probably have missed something obvious in my setup but I really
> > can't find what it is.
> >
> > Please help me to solve the problem.
> > Thank you.
> >
> > $cat /etc/npppd/npppd.conf
> > authentication LOCAL type local {
> >     users-file "/etc/npppd/npppd-users"
> > }
> > tunnel L2TP protocol l2tp {
> >     listen on X.Y.Z.13
> > }
> > ipcp IPCP {
> >     pool-address 10.109.4.1-10.109.4.32
> >     dns-servers 1.1.1.1
> > }
> > # use pppx(4) interface. use an interface per a ppp session.
> > interface pppx0 address 10.109.4.254 ipcp IPCP
> > bind tunnel from L2TP authenticated by LOCAL to pppx0
> >
> > $cat /etc/hostname.enc0
> > up
> >
> > $cat /etc/sysctl.conf
> > net.inet.ip.forwarding=1
> > net.inet.ipcomp.enable=1
> > net.inet.esp.enable=1
> > net.inet.gre.allow=1
> > net.pipex.enable=1
> >
> > $cat /etc/rc.conf.local
> > ipsec=YES
> > ipsec_rules=/etc/ipsec.conf
> > isakmpd_flags="-K"
> > npppd_flags=""
> >
> > $cat /etc/ipsec.conf
> > wan_ipv4 = X.Y.Z.13
> > ike passive esp transport \
> >     proto udp from $wan_ipv4 to any port 1701 \
> >     main auth "hmac-sha1" enc "3des" group modp1024 \
> >     quick auth "hmac-sha1" enc "aes" group modp1024 \
> >     psk "pskpskpsk"
> >
> > $cat /etc/pf.conf
> > [...]
> > vpn_if = "pppx"
> > vpn_local = "10.109.4.0/24"
> >
> > pass in on $ext_if proto udp from any to (egress:0) port {isakmp,ipsec-nat-t,l2tp}
> > pass in on $ext_if proto {ah,esp}
> > pass log proto { gre } from any to any keep state
> >
> > # filter all IPSec traffic on the enc interface
> > pass on enc0 keep state (if-bound)
> >
> > # allow all traffic in on and out to the VPN network
> > pass on $vpn_if from $vpn_local
> > pass on $vpn_if to $vpn_local
> >
> > # NAT VPN traffic going out on the public interface with the public IP
> > match out log on $ext_if inet proto { tcp, udp, icmp } from $vpn_local nat-to ($ext_if) set prio (3,7)
> >
> > some logs...
> >
> > Jan 6 20:53:14 fw-u last message repeated 4 t
npppd - problem with simultaneous sessions
soft firm=0601
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendSCCRP
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvSCCN
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 SendZLB
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 RecvICRQ session_id=1
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 SendICRP session_id=11788
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 RecvICCN session_id=1 calling_number= tx_conn_speed=1 framing=sync
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 logtype=PPPBind ppp=1
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=Started tunnel=L2TP(A.B.C.D:1701)
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 call=11788 SendZLB
Jan 6 20:53:44 fw-u npppd[82720]: l2tpd ctrl=2 RecvZLB
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp logtype=Opened mru=1360/1400 auth=MS-CHAP-V2 magic=9699e1a6/244d01eb
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb text=MSRASV5.20
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb text=MSRAS-0-X
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=lcp RecvId magic=244d01eb text=.*.(...N.Z68
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=chap proto=mschap_v2 logtype=Success username="rdk-test" realm=LOCAL
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe mismatch our=40bit,128bit,56bit,stateless peer=stateless
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp IP Address peer=0.0.0.0 our=10.109.4.11
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=ipcp logtype=Opened ip=10.109.4.11 assignType=dynamic
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.11 iface=pppx0
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=mppe logtype=Opened our=128bit,stateless peer=128bit,stateless
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base Using pipex=yes

--
Radek
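Two small triage helpers for the symptom in this thread, added here as an example and not taken from the thread or from npppd itself: the first reads npppd(8) log lines and reports clients whose sessions share one layer2from address (the NAT case Yasuoka asked about), the second extracts the "dropped due to missing IPsec protection" counter from two "netstat -sp udp" samples and reports how much it grew. The log lines and counter values embedded below are constructed from the figures posted in the thread; the E.F.G.H client is invented.

```sh
#!/bin/sh
# Added example, not code from the thread: two triage helpers for the
# symptom discussed above (a second L2TP/IPsec client behind the same NAT
# knocks out the first). Both read text on stdin so they can be fed a log
# file or the output of a live "netstat -sp udp".

# same_nat_sessions: collect npppd(8) TUNNELSTART records and print every
# layer2from value (the client's public address:port as seen by npppd)
# that started more than one PPP session, with the users and ppp ids.
same_nat_sessions() {
    awk '
        /logtype=TUNNELSTART/ {
            id = ""; user = ""; from = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                gsub(/"/, "", kv[2])            # user="rdk" -> rdk
                if (kv[1] == "id")         id = kv[2]
                if (kv[1] == "user")       user = kv[2]
                if (kv[1] == "layer2from") from = kv[2]
            }
            if (from == "") next
            count[from]++
            detail[from] = detail[from] " " user "(id=" id ")"
        }
        END {
            for (f in count)
                if (count[f] > 1)
                    printf "%s %d sessions:%s\n", f, count[f], detail[f]
        }'
}

# ipsec_drops: print the "dropped due to missing IPsec protection" counter
# from a "netstat -sp udp" sample on stdin (0 if the line is absent).
ipsec_drops() {
    awk '/dropped due to missing IPsec protection/ { print $1; found = 1 }
         END { if (!found) print 0 }'
}

# ipsec_drop_delta BEFORE AFTER: files holding two samples; print how much
# the counter grew between them. A counter that keeps rising while a client
# is connected is the signal Yasuoka asked to check for.
ipsec_drop_delta() {
    before=$(ipsec_drops < "$1")
    after=$(ipsec_drops < "$2")
    echo $((after - before))
}

# Constructed sample input: the two TUNNELSTART lines from the thread plus
# one invented line for a client at a different address (E.F.G.H), which
# must not be reported.
SAMPLE_LOG='Jan 6 20:53:16 fw-u npppd[82720]: ppp id=0 layer=base logtype=TUNNELSTART user="rdk" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.1 iface=pppx0
Jan 6 20:53:44 fw-u npppd[82720]: ppp id=1 layer=base logtype=TUNNELSTART user="rdk-test" duration=1sec layer2=L2TP layer2from=A.B.C.D:1701 auth=MS-CHAP-V2 ip=10.109.4.11 iface=pppx0
Jan 6 20:55:01 fw-u npppd[82720]: ppp id=2 layer=base logtype=TUNNELSTART user="other" duration=1sec layer2=L2TP layer2from=E.F.G.H:1701 auth=MS-CHAP-V2 ip=10.109.4.12 iface=pppx0'

# Constructed netstat excerpts carrying the counter values posted in the
# thread (977 with the second session up, 1005 about two minutes later).
SAMPLE_BEFORE='udp:
        361306 datagrams received
        977 dropped due to missing IPsec protection
        122309 delivered'
SAMPLE_AFTER='udp:
        361814 datagrams received
        1005 dropped due to missing IPsec protection
        122764 delivered'

# Demonstration when run as a script.
printf '%s\n' "$SAMPLE_LOG" | same_nat_sessions
# -> A.B.C.D:1701 2 sessions: rdk(id=0) rdk-test(id=1)
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_BEFORE" > "$tmp/before"
printf '%s\n' "$SAMPLE_AFTER" > "$tmp/after"
ipsec_drop_delta "$tmp/before" "$tmp/after"
# -> 28
rm -r "$tmp"
```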
Re: OpenBSD + Firebird Server
> Assuming you mean the SQL database,
Yes, I mean Firebird SQL db.

> Firebird required pthread_condattr_setpshared
> and pthread_mutexattr_setpshared, which OpenBSD doesn't implement.
Does anybody know if there is a plan to implement it?

On Tue, 24 Nov 2020 21:37:51 -0800
Jeremy Evans wrote:
> On Tue, Nov 24, 2020 at 9:27 PM Radek wrote:
> > Hi,
> > is it possible to install Firebird Server in OpenBSD? I can't find any
> > info about that anywhere.
> > Thanks!
>
> Assuming you mean the SQL database, when last I looked into this years ago,
> Firebird required pthread_condattr_setpshared
> and pthread_mutexattr_setpshared, which OpenBSD doesn't implement.
>
> Thanks,
> Jeremy

--
Radek
OpenBSD + Firebird Server
Hi,
is it possible to install Firebird Server in OpenBSD? I can't find any info about that anywhere.
Thanks!

--
Radek
Re: Wine for OpenBSD?
On Sun, 12 Apr 2020 07:24:09 +
slackwaree wrote:
> You don't want wine anyway. That is the shining example of badly written
> software which sucked 15 years ago the same way it does today. They tried to
> make it better with cedega, crossover office and what not and failed
> miserably. All you could get out of it is to run basic apps like notepad or
> calc even those with tons of bugs like borders, frames missing, broken fonts,
> crashes etc. They claimed it can run game X,Y,Z but who cares about it when
> Windows can run all games perfectly. This ain't the 90's man, everyone can
> afford to have 2-3 or more PCs at home and with all these virtualization
> supports like vmware, virtualbox around which just run windows
> applications in windows perfectly, I even ask the question why wine still
> exists, probably it's someone's pet project who doesn't want to let it go...
>
> ‐‐‐ Original Message ‐‐‐
> On Saturday, April 11, 2020 12:15 PM, Nikita Stepanov wrote:
>
> > Wine for OpenBSD?

> All you could get out of it is to run basic apps like notepad or calc even
> those with tons of bugs like borders, frames missing, broken fonts, crashes
> etc.
I used to have FreeBSD on my old office desktop till 2018, WINE was the only way to run MT4 [1] on it. MT4 worked flawlessly with WINE, no frames missing, no broken fonts, not even one crash for a few years...

> This ain't the 90's man, everyone can afford to have 2-3 or more PCs at
> home
But sometimes you have to be outside the home.

[1] https://www.metatrader4.com/

Cheers!
--
Radek
Re: Adjust or set OpenIKED renegotiation timeout manually if remote ISP resets connections
On Thu, 02 Apr 2020 13:16:13 +
Martin wrote:
> Remote VPS hoster resets connections after some amount of data has been
> transferred to/from remote VPS.
>
> May I adjust OpenIKED renegotiation timeout down to 1-2s in some way?
> Currently it takes ~3-4m to reconnect.
> Right after each 'connection reset' issued by VPS hoster I can restart iked
> manually by "rcctl restart iked" and iked renegotiates the link immediately
> after it.
>
> The question is how to automate it to have minimal connection loss?
>
> Martin

Hi Martin,
maybe that is not exactly what you asked but I used to fight with that problem:
http://openbsd-archive.7691.n7.nabble.com/OpenIKED-Network-traffic-over-VPN-site-to-site-tunnel-stalls-few-times-a-day-td372267.html

I used ping to monitor the other side of the VPN:

#!/bin/sh
# 10.0.17.254 - local LAN gateway
# 172.16.1.254 - remote LAN gateway
while true
do
    # replies received through the tunnel (pings sourced from the local LAN gateway);
    # "packets transmitted, N packets received": field 4 is the received count
    vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F " " '{print $4}'`
    # ${vpn:-0}: treat a ping that produced no summary line at all as zero replies
    if [ "${vpn:-0}" -eq 0 ] ; then
        # tunnel is silent: is the other side's WAN address and the internet still reachable?
        mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " " '{print $4}'`
        wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`
        if [ "${mon:-0}" -gt 0 ] && [ "${wan:-0}" -gt 0 ] ; then
            # only the tunnel is down: notify and restart iked
            echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through VPN RACTEST-MON! restarting iked!" em...@example.com
            rcctl restart iked
        fi
    fi
    sleep 32
done

You can trim the sleep time as you need but remember to give some time to restart/renegotiation/resync...
I hope it helps.

--
Radek
Re: [OpenIKED] current session list
On Wed, 1 Apr 2020 08:50:41 - (UTC)
Stuart Henderson wrote:
> On 2020-04-01, Radek wrote:
> > Hi @misc,
> > is there any equivalent of "npppctl sessions all/brief" for iked(8)?
> > How can I get the list of currently connected roadwarriors? They use CA.
> > "ipsecctl -sa" shows IPs only, but I need to know who is who.
>
> If you're not running recent -current, update (either the whole OS or
> just iked+ikectl), something changed recently (possibly "Copy EAP ID to
> new SA when rekeying IKE SA") that resulted in me seeing EAP-MSCHAPv2
> usernames in a typical ipsecctl -sa, hopefully it will help for CA client
> certs too. (Perhaps not surprisingly there have been quite a lot of
> recent improvements to iked in -current).
>

Thank you Stuart. I'm running 6.6. Unfortunately, the VPN box became quite important because of the recent remote work policy and I don't want to "touch" it now as it works as expected. I manage this box remotely and I can't take the risk that something goes wrong with the update. This box has recently got an increased number of iked(8) users and I just wanted to have a better view of them. That was the reason for my question.
I will wait for the next release and replace the box in - hopefully - better circumstances. It is good to see that iked(8) improves regularly from one release to another.

--
Radek
[OpenIKED] current session list
Hi @misc,
is there any equivalent of "npppctl sessions all/brief" for iked(8)?
How can I get the list of currently connected roadwarriors? They use CA.
"ipsecctl -sa" shows IPs only, but I need to know who is who.

--
Radek
Re: Traffic prioritization inside VPN
> what about working directly on rsync side, specifying the maximum
> transfer rate? (--bwlimit option)
Setting a hard transfer rate/limit on the rsync side is not what I need. I want my boxes to be able to use the whole available bandwidth anytime. I mean if other services need some bandwidth they just get it with higher priority and my boxes can always use *the rest*. If there is a quiet time in the network my boxes can use the whole highway.

On Thu, 2 Jan 2020 17:57:19 +0100
fRANz wrote:
> On Thu, Jan 2, 2020 at 3:51 PM radek wrote:
> > I tried to do it by "catching" this traffic on [fw_rac]/[fw_krz] by
> > specific rules [1] and setting the lowest priority for it.
> > Unfortunately it doesn't seem to work as expected. Bandwidth seems to be
> > shared roughly equally with other traffic (tested with pushing data
> > (netcat) through VPN at the same time).
> > I would appreciate your advice or any clues on what I have done wrong.
> > Thank you.
>
> what about working directly on rsync side, specifying the maximum
> transfer rate? (--bwlimit option)
> -f
>

--
Radek
Traffic prioritization inside VPN
Hello,
I have the following scenario:

[box_rac][fw_rac] <--iked site-to-site--> [fw_krz]--[box_krz]

[box_rac] pulls (rsync) "big data" from [box_krz] through VPN. I need to put this traffic in the total background, making way for any other packets going through VPN, NICs, from/to any other boxes on both sides.
I tried to do it by "catching" this traffic on [fw_rac]/[fw_krz] by specific rules [1] and setting the lowest priority for it. Unfortunately it doesn't seem to work as expected. Bandwidth seems to be shared roughly equally with other traffic (tested with pushing data (netcat) through VPN at the same time).
I would appreciate your advice or any clues on what I have done wrong.
Thank you.

[fw_rac] and [fw_krz] have analogous rulesets [2].

[1]
[fw_rac]:
pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
[fw_krz]:
pass out quick on enc0 from $box_krz to $box_rac set prio (0, 0) keep state

[2] pf.conf [fw_rac]:

ext_if = "vr0"
lan_rac_if = "vr2"
# lan_rac_local = $lan_rac_if:network # 10.0.15.0/24
backup_if = "vr3"
# backup_local = $backup_if:network # 10.0.115/24
box_rac = "10.0.115.151"
box_krz = "10.0.100.151"

set fingerprints "/dev/null"
set skip on { lo, enc0 }
set block-policy drop
set optimization normal
set ruleset-optimization basic

antispoof quick for {lo0, $lan_rac_if, $backup_if }

match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)

block all
match out all scrub (no-df random-id)
pass out on egress keep state

pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
pass out quick on $ext_if from $box_rac to $box_krz set prio (0, 0) keep state

pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state

ssh_port = "1071"
table const { $bud, $rdk_wy, $rdk_mon, $krz_wan, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
table persist counters
block from
pass in log quick inet proto tcp from to $ext_if port $ssh_port flags S/SA \
    set prio (7, 7) keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types \
    set prio (7, 7) keep state

table const { $krz_wan }
pass out quick on egress proto esp from (egress:0) to set prio (6, 7) keep state
pass out quick on egress proto udp from (egress:0) to port {500, 4500} set prio (6, 7) keep state
pass in quick on egress proto esp from to (egress:0) set prio (6, 7) keep state
pass in quick on egress proto udp from to (egress:0) port {500, 4500} set prio (6, 7) keep state

pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
pass in on egress proto {ah,esp} set prio (6,7) keep state

block return in on ! lo0 proto tcp to port 6000:6010

--
Radek
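pf.conf(5) does not filter interfaces listed in "set skip", so with "set skip on { lo, enc0 }" in ruleset [2] the "pass out quick on enc0 ... set prio (0, 0)" rule is never evaluated. Added example, not from the thread: a small lint that reports rules bound to a skipped interface, run here against a constructed excerpt of that ruleset.

```sh
#!/bin/sh
# Added example, not from the thread: lint a pf.conf for rules that name an
# interface listed in "set skip on ...". pf does not filter such interfaces
# at all, so those rules (and the "set prio" they carry) are never reached.
# Interface groups such as "lo" are matched by exact name only.

# pf_skip_conflicts: read a pf.conf on stdin, print one line per affected rule.
pf_skip_conflicts() {
    awk '
        # Join backslash-continued lines so that one rule is one record.
        /\\$/ {
            if (buf == "") start = NR
            buf = buf substr($0, 1, length($0) - 1) " "
            next
        }
        {
            if (buf == "") start = NR
            lines[++n] = buf $0; lineno[n] = start; buf = ""
        }
        END {
            # Pass 1: collect the skipped interfaces.
            for (i = 1; i <= n; i++) {
                if (lines[i] ~ /^[ \t]*set[ \t]+skip[ \t]+on[ \t]/) {
                    s = lines[i]
                    sub(/^[ \t]*set[ \t]+skip[ \t]+on[ \t]+/, "", s)
                    gsub(/[{},]/, " ", s)       # "{ lo, enc0 }" -> " lo  enc0 "
                    m = split(s, ifs, " ")
                    for (j = 1; j <= m; j++) skip[ifs[j]] = 1
                }
            }
            # Pass 2: flag pass/block/match rules bound to a skipped interface.
            for (i = 1; i <= n; i++) {
                if (lines[i] !~ /^[ \t]*(pass|block|match)[ \t]/) continue
                m = split(lines[i], w, " ")
                for (j = 1; j < m; j++)
                    if (w[j] == "on" && (w[j+1] in skip))
                        printf "line %d: rule on %s is never evaluated (set skip): %s\n", lineno[i], w[j+1], lines[i]
            }
        }'
}

# Constructed excerpt of the [fw_rac] ruleset posted above.
SAMPLE_PF='set skip on { lo, enc0 }
block all
pass out on egress keep state
pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
pass out quick on $ext_if from $box_rac to $box_krz set prio (0, 0) keep state
pass inet proto icmp all icmp-type $icmp_types \
    set prio (7, 7) keep state'

# Demonstration when run as a script: only the enc0 rule is reported.
printf '%s\n' "$SAMPLE_PF" | pf_skip_conflicts
# -> line 4: rule on enc0 is never evaluated (set skip): pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
```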
Re: Disabling ACPI permanently
Hello Philip,
This box has the newest BIOS firmware installed. Following your suggestion I sent a bug report to b...@openbsd.org:
https://marc.info/?l=openbsd-bugs=157747038309405=2

On Mon, 23 Dec 2019 08:25:13 -0800
Philip Guenther wrote:
> On Mon, Dec 23, 2019 at 5:10 AM Radek wrote:
> > I'm trying to permanently disable acpi doing the following steps [1].
> > After the first reboot the OS boots fine.
> > After the second reboot acpi seems to be re-enabled at boot - I get [2].
> > What am I doing wrong?
>
> First, you should also check whether there's a newer BIOS firmware for this
> box, as there's a good chance Intel has fixed issues and issued a new one.
> If so, installing that may totally resolve the issue.
>
> If not, or if upgrading the firmware doesn't resolve this, then you should
> next send a bug report to b...@openbsd.org using sendbug. To get the most
> data when you do so, disable _just_ the acpipci device (using boot -c)
> instead of all of acpi and then run sendbug as root on that system. The
> bug report will then include the data from the ACPI tables, so that the
> driver can be fixed to deal with this.
>
> ...
>
> > acpipci0 at acpi0 PCI0panic: malloc: allocation too large, type = 33, size
> > = 292057776136
>
> Philip Guenther

--
Radek
Disabling ACPI permanently
Hello,
I'm trying to permanently disable acpi doing the following steps [1].
After the first reboot the OS boots fine.
After the second reboot acpi seems to be re-enabled at boot - I get [2].
What am I doing wrong?

[1]
boot -c
UKC> disable acpi
444 acpi0 disabled
UKC> quit
Continuing...
[...]
mv /bsd /bsd.old
config -e -o /bsd /bsd.old
OpenBSD 6.6 (GENERIC) #3: Thu Nov 21 01:58:46 MST 2019
    r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
Enter 'help' for information
ukc> disable acpi
444 acpi0 disabled
ukc> quit
Saving modified kernel.

[2]
OpenBSD 6.6 (GENERIC) #3: Thu Nov 21 01:58:46 MST 2019
    r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1047724032 (999MB)
avail mem = 1003417600 (956MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xfcd70 (77 entries)
bios0: vendor Intel Corp. version "BA72210A.86B.0228.2005.1122.2349" date 11/22/2005
bios0: MAXDATA PLATINUM 100 I M5
acpi0 at bios0: ACPI 2.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG ASF! WDDT
acpi0: wakeup devices PEGP(S4) P0P2(S4) AC97(S4) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USB7(S1) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) AZAL(S4) PWRB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU 3.06GHz, 3067.28 MHz, 0f-04-09
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,CNXT-ID,CX16,xTPR,NXE,LONG,LAHF,MELTDOWN
cpu0: 256KB 64b/line 4-way L2 cache
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEGP)
acpiprt2 at acpi0: bus 6 (P0P2)
acpiprt3 at acpi0: bus 5 (PEX1)
acpiprt4 at acpi0: bus 4 (PEX2)
acpiprt5 at acpi0: bus 3 (PEX3)
acpicpu0 at acpi0: C1(@1 halt!)
acpipwrres0 at acpi0: URP1
acpipwrres1 at acpi0: FDDP
acpipwrres2 at acpi0: LPTP
acpipwrres3 at acpi0: URP2
acpipci0 at acpi0 PCI0
panic: malloc: allocation too large, type = 33, size = 292057776136
Stopped at      db_enter+0x10:  popq    %rbp
    TID    PID    UID     PRFLAGS     PFLAGS  CPU  COMMAND
*     0      0      0         0x1     0x2000    0  swapper
db_enter(10,82281280,202,8,812c2e00,82281280) at db_enter+0x10
panic(81c2af40,81c2af40,8007a088,21,0,440008) at panic+0x128
malloc(440008,21,9,440008,8642e84c095b2331,8007a088) at malloc+0x6d9
aml_parse(8007a088,74,0,8007a088,e233b61729a271c4,8007a088) at aml_parse+0x1734
aml_parse(8007a088,54,c,8007a088,e233b61729a286b7,8007a088) at aml_parse+0x54c
aml_eval(0,80072608,74,82281700,82281700,0) at aml_eval+0x33f
aml_evalnode(800725ac,80072588,4,82281700,82281820,800725ac) at aml_evalnode+0xb5
acpipci_attach(80021400,80079d80,82281970,80021400,f736340b0bc20316,80021400) at acpipci_attach+0xf7
config_attach(80021400,81f06328,82281970,81aa8a50,472b3934561bab9a,80041708) at config_attach+0x1ee
acpi_foundhid(80041708,80021400,c02f249ab5605f64,81aabcc0,80021400,80041188) at acpi_foundhid+0x2dc
aml_find_node(80041188,81c413d0,81aabcc0,80021400,c1874c1cd841fb5c,81aabcc0) at aml_find_node+0x84
aml_find_node(80023a88,81c413d0,81aabcc0,80021400,c1874c1cd841fb5c,81aabcc0) at aml_find_node+0xb1
aml_find_node(81f90200,81c413d0,81aabcc0,80021400,c1874c1cd8e35490,82281b50) at aml_find_node+0xb1
acpi_attach_common(80021400,f5600,f55897af781bc332,80023180,ffff82281c58,81f31230) at acpi_attach_common+0x7ad
end trace frame: 0x82281c40, count: 0
https://www.openbsd.org/ddb.html describes the minimum info required in bug reports.
Insufficient info makes it difficult to find and fix bugs.
ddb>

--
Radek
Re: Moving IKED certificates between routers
So.. finally I made it work.

Files to copy:
/etc/iked/ca/ca.crt
/etc/iked/certs/1.2.3.4.crt
/etc/iked/crls/ca.crl
/etc/ssl/vpn/*
/etc/iked/local.pub
/etc/iked/private/local.key

> > If you change the hostname then yes you'll need a certificate with the
> > new hostname, but then of course you will need to change clients to connect
> > to the new name.
Just for test I changed the hostname to some_new_hostname in /etc/myname and rebooted the box. I can still connect to the *new* box with my *old* rdk.6501.rac certificate. Tested on Win7 and Win10.
New box is 6.6/i386.

On Sun, 10 Nov 2019 15:00:58 +0100
Radek wrote:
> My new box has the same /etc/myname.
>
> I copied:
> /etc/iked/ca/ca.crt
> /etc/iked/certs/1.2.3.4.crt
> /etc/iked/crls/ca.crl
> /etc/ssl/vpn/*
>
> What did I do wrong/miss?
>
> Windows shows error 13826: Failed to verify signature.
>
> On Sun, 10 Nov 2019 13:30:24 -0000 (UTC)
> Stuart Henderson wrote:
>
> > On 2019-11-10, Radek wrote:
> > > Hi Stuart,
> > > I have played around with copying them across but no luck (I get error
> > > 13801 in win7). I don't know what I'm doing wrong.
> > >
> > > Do I need to set the same hostname (/etc/myname) in new box to make old
> > > certs working?
> > >
> > > In my *old* box certs were created as below:
> > > [1] ikectl ca vpn create #(CN = hostname)
> > > [2] ikectl ca vpn install
> > > [3] ikectl ca vpn certificate 1.2.3.4 create
> > > [4] ikectl ca vpn certificate 1.2.3.4 install
> > > [5] ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
> > > [6] ikectl ca vpn certificate rdk.6501.rac export
> > >
> > > What steps do I need to re-run and what exactly files should be
> > > copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in
> > > new box?
> >
> > Oh, I understood from your email that you were just replacing it
> > like-for-like.
> > If you change the hostname then yes you'll need a certificate with the
> > new hostname, but then of course you will need to change clients to connect
> > to the new name.
> >
> > >
> > > On Fri, 8 Nov 2019 11:59:56 - (UTC)
> > > Stuart Henderson wrote:
> > >
> > >> On 2019-11-08, radek wrote:
> > >> > Hello,
> > >> >
> > >> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to
> > >> > generate new iked certificates in every new installation or is there a
> > >> > way to move and use "old" certificates in new install? Road warriors
> > >> > would be happy with that.
> > >> >
> > >> > Thank you for guiding me on this journey.
> > >>
> > >> Just copy them across.
> > >>
> > >
> >
>
> --
> Radek

--
Radek
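A consistency check for the copied certificate set, added as an example and not part of the thread: it verifies that the five files from the list above are present, that private/local.key, local.pub and the router certificate carry the same public key (the pair the first attempt left out), and that the certificate still chains to ca/ca.crt. It assumes openssl(1) is installed and takes the directory as an argument so it can be run against a staging copy as well as /etc/iked.

```sh
#!/bin/sh
# Added example, not from the thread: consistency checks for an iked(8)
# certificate set after copying it from the old router to the new one.
# The layout is the file list posted above; NAME is the certificate name
# given to "ikectl ca vpn certificate NAME create" (1.2.3.4 in the thread).
# Assumptions: openssl(1) is available and DIR is the directory holding
# the copied tree (/etc/iked on the router, or a staging copy).

# iked_files_present DIR NAME: report every required file that is missing;
# return 1 if any is missing.
iked_files_present() {
    dir=$1; name=$2; missing=0
    for f in ca/ca.crt "certs/$name.crt" crls/ca.crl local.pub private/local.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            missing=1
        fi
    done
    return $missing
}

# iked_key_matches DIR NAME: return 0 when private/local.key, local.pub and
# certs/NAME.crt all carry the same public key. iked signs with local.key,
# so a key that does not belong to the certificate it presents cannot
# produce a signature the clients will accept.
iked_key_matches() {
    dir=$1; name=$2
    from_key=$(openssl pkey -in "$dir/private/local.key" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$dir/certs/$name.crt" -noout -pubkey 2>/dev/null) || return 1
    from_pub=$(cat "$dir/local.pub") || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ] && [ "$from_key" = "$from_pub" ]
}

# iked_cert_verifies DIR NAME: the router certificate chains to ca/ca.crt,
# i.e. the CA the clients already trust still vouches for it.
iked_cert_verifies() {
    openssl verify -CAfile "$1/ca/ca.crt" "$1/certs/$2.crt" >/dev/null 2>&1
}

# iked_migration_check DIR NAME: run all three checks, print a verdict per
# check, return 0 only when everything passes.
iked_migration_check() {
    rc=0
    iked_files_present "$1" "$2" && echo "files: ok" || rc=1
    iked_key_matches "$1" "$2" && echo "key/cert/pub agree: ok" || { echo "key/cert/pub agree: FAIL"; rc=1; }
    iked_cert_verifies "$1" "$2" && echo "chain to ca.crt: ok" || { echo "chain to ca.crt: FAIL"; rc=1; }
    return $rc
}
```

Run it as `iked_migration_check /etc/iked 1.2.3.4` on the new box before pointing clients at it; a copy made without local.pub and private/local.key fails the first two checks.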
Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
After upgrading my two endpoints to i386/6.6 it started to work flawlessly. There wasn't even one IKED restart within the first two days of running.
Thank you Patrick, Stuart and everyone involved in making IKED work as expected. I really appreciate it.

# vmstat -m | head -n 17
Memory statistics by bucket size
Size    In Use  Free    Requests  HighWater  Couldfree
16      528752 1253321280 0
32      1470    66      105757    640        5
64      6001682554483 320 0
128     124     36      42106     160        0
256     446     18      51276     80         0
512     108     4       166303    40         0
1024    46      6       48352     20         0
2048    13      3       74        10         0
4096    16      2       84574     5          0
8192    21      1       44        5          0
16384   6       0       505       5          0
32768   6       0       11        5          0
65536   2       0       12333     5          0
524288  1       0       1         5          0

# vmstat -w 4
 procs    memory       page                    disk    traps          cpu
 r   s   avm     fre  flt  re  pi  po  fr  sr wd0  int   sys   cs us sy id
 2  53   29M    313M   54   0   0   0   0   0   0   275   60  109  0  2 98
 0  57   30M    312M  140   0   0   0   0   0   0   378  131  470  0  4 96
 0  55   29M    313M   30   0   0   0   0   0   0   383   43  547  0  3 97
 0  55   29M    313M    2   0   0   0   0   0   0   380   17  529  0  3 97
 0  57   30M    312M  140   0   0   0   0   0   0   374  124  512  0  5 94

On Sun, 22 Sep 2019 17:11:20 +0200
Radek wrote:
> Thank you Stuart.
> I can't touch/upgrade these routers, but I have a bunch of Soekris/net5501
> that I can use for testing -current. Unfortunately, they are i386. I hope the
> arch doesn't matter in this case.
> I'll try -current asap.
>
> Am I the only one @misc who's facing this kind of iked issue? Nobody else
> reports having the same issue here...
>
> On Fri, 20 Sep 2019 16:55:02 - (UTC)
> Stuart Henderson wrote:
>
> > On 2019-09-20, radek wrote:
> > > Hello Patrick,
> > > I am sorry for the late reply.
> > >
> > > I have replaced my ALIX/Soekris production routers with APU1C and with PC
> > > box (cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04).
> > > Both are running 6.5/amd64 and both are fully syspatched.
> >
> > Please try a -current snapshot for starters, quite a number of iked bugs
> > have been fixed since then including some which would cause connectivity
> > problems during rekeying. (If you *really* can't update the whole thing,
> > it should work to build -current iked on a 6.5 system, but no guarantees).
> >
> >
>
> --
> Radek
>

--
Radek
Re: Moving IKED certificates between routers
My new box has the same /etc/myname.

I copied:
/etc/iked/ca/ca.crt
/etc/iked/certs/1.2.3.4.crt
/etc/iked/crls/ca.crl
/etc/ssl/vpn/*

What did I do wrong/miss?

Windows shows error 13826: Failed to verify signature.

On Sun, 10 Nov 2019 13:30:24 - (UTC)
Stuart Henderson wrote:
> On 2019-11-10, Radek wrote:
> > Hi Stuart,
> > I have played around with copying them across but no luck (I get error
> > 13801 in win7). I don't know what I'm doing wrong.
> >
> > Do I need to set the same hostname (/etc/myname) in new box to make old
> > certs working?
> >
> > In my *old* box certs were created as below:
> > [1] ikectl ca vpn create #(CN = hostname)
> > [2] ikectl ca vpn install
> > [3] ikectl ca vpn certificate 1.2.3.4 create
> > [4] ikectl ca vpn certificate 1.2.3.4 install
> > [5] ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
> > [6] ikectl ca vpn certificate rdk.6501.rac export
> >
> > What steps do I need to re-run and what exactly files should be
> > copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac working in
> > new box?
>
> Oh, I understood from your email that you were just replacing it
> like-for-like.
> If you change the hostname then yes you'll need a certificate with the
> new hostname, but then of course you will need to change clients to connect
> to the new name.
>
> >
> > On Fri, 8 Nov 2019 11:59:56 - (UTC)
> > Stuart Henderson wrote:
> >
> >> On 2019-11-08, radek wrote:
> >> > Hello,
> >> >
> >> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to
> >> > generate new iked certificates in every new installation or is there a
> >> > way to move and use "old" certificates in new install? Road warriors
> >> > would be happy with that.
> >> >
> >> > Thank you for guiding me on this journey.
> >> >
> >>
> >> Just copy them across.
> >>
> >
>

--
Radek
Re: Moving IKED certificates between routers
Hi Stuart,
I have played around with copying them across but no luck (I get error 13801 in win7). I don't know what I'm doing wrong.

Do I need to set the same hostname (/etc/myname) in the new box to make old certs work?

In my *old* box certs were created as below:
[1] ikectl ca vpn create #(CN = hostname)
[2] ikectl ca vpn install
[3] ikectl ca vpn certificate 1.2.3.4 create
[4] ikectl ca vpn certificate 1.2.3.4 install
[5] ikectl ca vpn certificate rdk.6501.rac create #(CN = rdk.6501.rac)
[6] ikectl ca vpn certificate rdk.6501.rac export

What steps do I need to re-run and exactly what files should be copied/edited (/etc/ssl/vpn/ /etc/iked/) to make rdk.6501.rac work in the new box?

On Fri, 8 Nov 2019 11:59:56 - (UTC)
Stuart Henderson wrote:
> On 2019-11-08, radek wrote:
> > Hello,
> >
> > I'm going to replace 6.5 router with new 6.6 box. Is it necessary to
> > generate new iked certificates in every new installation or is there a way
> > to move and use "old" certificates in new install? Road warriors would be
> > happy with that.
> >
> > Thank you for guiding me on this journey.
> >
>
> Just copy them across.
>

--
Radek
Moving IKED certificates between routers
Hello,
I'm going to replace a 6.5 router with a new 6.6 box. Is it necessary to generate new iked certificates in every new installation or is there a way to move and use the "old" certificates in the new install? Road warriors would be happy with that.

Thank you for guiding me on this journey.

--
Radek
Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
Thank you Stuart.
I can't touch/upgrade these routers, but I have a bunch of Soekris/net5501 that I can use for testing -current. Unfortunately, they are i386. I hope the arch doesn't matter in this case.
I'll try -current asap.

Am I the only one @misc who's facing this kind of iked issue? Nobody else reports having the same issue here...

On Fri, 20 Sep 2019 16:55:02 - (UTC)
Stuart Henderson wrote:
> On 2019-09-20, radek wrote:
> > Hello Patrick,
> > I am sorry for the late reply.
> >
> > I have replaced my ALIX/Soekris production routers with APU1C and with PC
> > box (cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04).
> > Both are running 6.5/amd64 and both are fully syspatched.
>
> Please try a -current snapshot for starters, quite a number of iked bugs
> have been fixed since then including some which would cause connectivity
> problems during rekeying. (If you *really* can't update the whole thing,
> it should work to build -current iked on a 6.5 system, but no guarantees).
>

--
Radek
Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
Hello Patrick,

I am sorry for the late reply. I have replaced my ALIX/Soekris production routers with APU1C and with PC box (cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04). Both are running 6.5/amd64 and both are fully syspatched.

I also added "inet proto { tcp, udp, icmp }" to my match rule on both sides:
match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)

It does not make any changes. VPN still needs to be restarted with similar freq.
Date: Thu, 19 Sep 2019 23:15:39 +0200 (CEST)
Date: Fri, 20 Sep 2019 01:49:59 +0200 (CEST)
Date: Fri, 20 Sep 2019 03:37:15 +0200 (CEST)
Date: Fri, 20 Sep 2019 06:12:31 +0200 (CEST)
Date: Fri, 20 Sep 2019 08:46:45 +0200 (CEST)
Date: Fri, 20 Sep 2019 11:25:08 +0200 (CEST)
Date: Fri, 20 Sep 2019 13:59:06 +0200 (CEST)

> In my opinion upstream DNS & UDP issues can cause interrupts with some ISP's.
But at the time of the VPN issue both sides can ping each other on public IPs. Only the VPN tunnel does not work as expected, until restart of iked.

> It appears that you have ICMP allow rules which is a good idea in my opinion.
> Have you ever done any logging of these packets. Is there any legitimate
> requests from your ISP?
No, there are not any ICMP requests from my ISP. TCPDUMP shows only some pings from the world, mostly from Amazon's IPs.

The following was logged just before VPN traffic stalls:
13:38:09.194783 13.210.171.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:38:09.194845 A.A.A.A > 13.210.171.31: icmp: echo reply [tos 0x40]
13:39:51.130602 18.138.136.9 > A.A.A.A: icmp: echo request (DF)
13:39:51.130665 A.A.A.A > 18.138.136.9: icmp: echo reply
13:42:42.825866 3.105.202.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:42:42.825938 A.A.A.A > 3.105.202.31: icmp: echo reply [tos 0x40]
13:44:17.474364 18.136.167.37 > A.A.A.A: icmp: echo request (DF)
13:44:17.474434 A.A.A.A > 18.136.167.37: icmp: echo reply
13:47:55.225820 13.210.171.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:47:55.225883 A.A.A.A > 13.210.171.31: icmp: echo reply [tos 0x40]
13:49:30.624877 18.138.136.9 > A.A.A.A: icmp: echo request (DF)
13:49:30.624945 A.A.A.A > 18.138.136.9: icmp: echo reply
13:53:45.675943 3.105.202.31 > A.A.A.A: icmp: echo request (DF) [tos 0x40]
13:53:45.676008 A.A.A.A > 3.105.202.31: icmp: echo reply [tos 0x40]
13:55:02.593285 18.136.167.37 > A.A.A.A: icmp: echo request (DF)
13:55:02.593347 A.A.A.A > 18.136.167.37: icmp: echo reply
13:55:31.703602 18.228.131.118 > A.A.A.A: icmp: echo request (DF)
13:55:31.703671 A.A.A.A > 18.228.131.118: icmp: echo reply

On the other side of the VPN the ICMP logs are similar.

> Do you have an alternate DNS server you can test against? Are you using your
> ISP’s DNS?
On the one side I can use any DNS I want. I was using google's 8.8.8.8 and the ISP's DNS. If I change to 1.1.1.1 and 1.0.0.1 my problem still occurs. On the other side the ISP redirects all DNS requests to its own DNS.

Any idea?

On Sun, 25 Aug 2019 20:28:27 -0500 Patrick Dohman wrote:
> Radek
> In my opinion upstream DNS & UDP issues can cause interrupts with some ISP's.
> I also believe that defining specific proto's in your nat rule can decrease
> interrupts.
> You might consider the following modification to your nat rule to
> specifically allow UDP & ICMP.
>
> match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local,
> $backup_local } nat-to $ext_if set prio (3, 7)
>
> It appears that you have ICMP allow rules which is a good idea in my opinion.
> Have you ever done any logging of these packets. Is there any legitimate
> requests from your ISP?
> Do you have an alternate DNS server you can test against? Are you using your
> ISP’s DNS?
> Perhaps the new OpenBSD unwind package is worth investigating ;)
> Regards
> Patrick
>
> > On Aug 25, 2019, at 1:31 PM, Radek wrote:
> >
> > Hello Patrick,
> >
> >> In my opinion your net5501’s system calls per interval are relatively high.
> >> The (traps sys) column on my firewall hovers between 40 & 50 quite
> >> consistently.
> >> My understanding is that system calls are things like program calls &
> >> library access.
> > Is there any way to decrease these values?
> >
> >> Many commercial routers run a customized kernel & rely on a stripped down
> >> user-land.
> >> The kernel is also recompiled to run TCP/IP4 only & can no longer execute
> >> things like storage or virtualization.
> >> The OpenBSD O.S includes all the user-land tools such as ping & top in
> >> addition to a standardized precompiled kernel.
> > Ok, I get it.
> >
> >
> > On Fri, 23 Aug 2019 21:12:35 -0500
Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
Hello Patrick, > In my opinion your net5501’s system calls per interval are relatively high. > The (traps sys) column on my firewall hovers between 40 & 50 quite > consistently. > My understanding is that system calls are things like program calls & library > access. Is there any way to decrease these values? > Many commercial routers run a customized kernel & rely on a striped down > user-land. > The kernel is also recompiled to run TCP/IP4 only & can no longer execute > things like storage or virtualization. > The OpenBSD O.S includes all the user-land tools such as ping & top in > addition to a standardized precompiled kernel. Ok, I get it. On Fri, 23 Aug 2019 21:12:35 -0500 Patrick Dohman wrote: > In my opinion your net5501’s system calls per interval are relatively high. > The (traps sys) column on my firewall hovers between 40 & 50 quite > consistently. > My understanding is that system calls are things like program calls & library > access. > > In addition your net5501’s memory requests per second seem heavy. > You have fifty eight million 1024 bucket requests per second. > My firewall has a max of one hundred thousand 128 bucket requests per second. > > Many commercial routers run a customized kernel & rely on a striped down > user-land. > The kernel is also recompiled to run TCP/IP4 only & can no longer execute > things like storage or virtualization. > The OpenBSD O.S includes all the user-land tools such as ping & top in > addition to a standardized precompiled kernel. > Regards > Patrick > . > > > > > > On Thu, 22 Aug 2019 19:12:55 -0500 > > Patrick Dohman wrote: > > > >> Radek > >> > >> I’ve found that fast networking is actually CPU & memory intensive. > >> Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in > >> my opinion. > >> Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio > >> with a commercial router. 
> >> > >> What are your context switches & interrupts doing while the VPN is up & > >> traffic is flowing? > >> > >> vmstat -w 4 > >> > >> What is your memory high water mark during a peak traffic? > >> > >> vmstat -m > >> > >> Regards > >> Patrick > >> > >>> On Aug 21, 2019, at 12:34 AM, radek wrote: > >>> > >>> Hello Patrick, > >>> I am sorry for the late reply. > >>> > >>>> Do you consider memory an issue? > >>> No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3, > >>> that I use for VPN testing. > >>> Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3 > >>> Production set (6.3/i386) is net5501-70 <-> ALIX2d2 > >>> Also have tried net5501-70 <-> net5501-70 - the same VPN problem occurs > >>> It is unlikely that every box has any hardware issue. > >>> > >>>> Unix load average can occasionally be deceiving. > >>> I did not know. > >>> > >>> net5501-70 > >>> $top -d1 | head -n 4 > >>> load averages: 0.05, 0.01, 0.00RAC-fw65-test.PRAC 10:58:14 > >>> 38 processes: 1 running, 35 idle, 1 dead, 1 on processor up 3 days, 18:02 > >>> CPU states: 0.5% user, 0.0% nice, 0.4% sys, 0.0% spin, 0.2% intr, > >>> 98.8% idle > >>> Memory: Real: 18M/267M act/tot Free: 222M Cache: 97M Swap: 0K/256M > >>> > >>> ALIX2d3 > >>> $top -d1 | head -n 4 > >>> load averages: 0.00, 0.00, 0.00mon65.home 07:30:05 > >>> 37 processes: 1 running, 35 idle, 1 on processor up 13:46 > >>> CPU states: 0.3% user, 0.0% nice, 1.1% sys, 0.0% spin, 0.4% intr, > >>> 98.3% idle > >>> Memory: Real: 125M/223M act/tot Free: 14M Cache: 47M Swap: 73M/256M > >>> > >>> > >>> > >>>> What is the speed of your memory? > >>>> What make of Ethernets are you running? 
> >>> Dmesgs below > >>> > >>> net5501-70 > >>> OpenBSD 6.5 (GENERIC) #2: Tue Jul 23 23:08:46 CEST 2019 > >>> r...@syspatch-65-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC > >>> real mem = 536363008 (511MB) > >>> avail mem = 511311872 (487MB) > >>> mpath0 at root > >>> scsibus0 at mpath0: 256 targets > >>> mainbus0 at root > >>> bios0 at mainbus0: date 2
Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
16 24803 1 0 1 1 0 80 nchpl 88 2969920 3895 115288787 0 80 ffsino 184 2807560 6231 34662 284 284 0 80 dino1pl 128 2807560 6231 23641 195 195 0 80 dirhash 1024 13970 22080512929 0 80 art_node 8 1030 29 1 0 1 1 0 80 art_table 24 1170 105 1 0 1 1 0 80 art_heap4128 1160 104 4 0 4 4 0 80 art_heap8 2048101 1 0 1 1 0 80 pfrule 1212 7000 3815 9 6 7 0 80 pfsrctr 124 20021211 1 1 0 80 pfsnitem 8 23021211 1 1 0 80 pfstate 2361453804 622 621 1 2 0 80 pfstkey 801484904 611 610 1 1 0 80 pfstitem 121484904 611 610 1 1 0 80 pfruleitem 84835804 861 860 1 1 0 80 pftag 80500 3 3 0 1 0 80 pfrktable 1288 7305 1 0 1 1 0 80 pfrke_plain 96 2220 12 1 0 1 1 0 80 pfosfpen 1081570800 414 414 020 0 80 pfosfp28 9306006363 0 3 0 80 pffrent 24 16704400 304 303 1 1 0 81 pffrnode 648352200 304 303 1 1 0 81 pffrag 1328352200 304 303 1 1 0341 cryptop 276 22471300 13859 13858 1 3 0 81 rttmr 40200 2 2 0 1 0 80 tcpcb396 7860 10 4 2 2 2 0 80 tcpqe 16 2749001918 1 1 0 81 syncache 196 29002928 1 1 0 81 rtentry 76 1030 29 1 0 1 1 0 80 plimitpl 148 4290 23 1 0 1 1 0 80 inpcbpl 200225750 25 5 3 2 2 0 80 arp 36 7705 1 0 1 1 0 80 ipsec policy 252 211005 280 279 1 2 0 80 In use 5679K, total allocated 6336K; utilization 89.6% On Thu, 22 Aug 2019 19:12:55 -0500 Patrick Dohman wrote: > Radek > > I’ve found that fast networking is actually CPU & memory intensive. > Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in my > opinion. > Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio with a > commercial router. > > What are your context switches & interrupts doing while the VPN is up & > traffic is flowing? > > vmstat -w 4 > > What is your memory high water mark during a peak traffic? > > vmstat -m > > Regards > Patrick > > > On Aug 21, 2019, at 12:34 AM, radek wrote: > > > > Hello Patrick, > > I am sorry for the late reply. > > > >> Do you consider memory an issue? > > No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3, > > that I use for VPN testing. 
> > Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3 > > Production set (6.3/i386) is net5501-70 <-> ALIX2d2 > > Also have tried net5501-70 <-> net5501-70 - the same VPN problem occurs > > It is unlikely that every box has any hardware issue. > > > >> Unix load average can occasionally be deceiving. > > I did not know. > > > > net5501-70 > > $top -d1 | head -n 4 > > load averages: 0.05, 0.01, 0.00RAC-fw65-test.PRAC 10:58:14 > > 38 processes: 1 running, 35 idle, 1 dead, 1 on processor up 3 days, 18:02 > > CPU states: 0.5% user, 0.0% nice, 0.4% sys, 0.0% spin, 0.2% intr, > > 98.8% idle > > Memory: Real: 18M/267M act/tot Free: 222M Cache: 97M Swap: 0K/256M > > > > ALIX2d3 > > $top -d1 | head -n 4 > > load averages: 0.00, 0.00, 0.00mon65.home 07:30:05 > > 37 processes: 1 running, 35 idle, 1 on processor up 13:46 > > CPU states: 0.3% user, 0.0% nice, 1.1% sys, 0.0% spin, 0.4% intr, > > 98.3% idle > > Memory: Real: 125M/223M act/tot Free: 14M Cache: 47M Swap: 73M/256M > > > > > > > >> What i
Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: pcibios_get_intr_routing - function not supported pcibios0: PCI IRQ Routing information unavailable. pcibios0: PCI bus #0 is the last bus bios0: ROM list: 0xe/0xa800 cpu0 at mainbus0: (uniprocessor) cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz, 05-0a-02 cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW mtrr: K6-family MTRR support (2 registers) pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33 glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:1e:85:8c ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034 vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:1e:85:8d ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034 vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:1e:85:8e ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 
3: OUI 0x004063, model 0x0034 glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c gpio0 at glxpcib0: 32 pins iic0 at glxpcib0 maxtmp0 at iic0 addr 0x4c: lm86 pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 ignored (disabled) ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, legacy support ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1 isa0 at glxpcib0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo pcppi0 at isa0 port 0x61 spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 usb1 at ohci0: USB revision 1.0 uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 addr 1 nvram: invalid checksum vscsi0 at root scsibus1 at vscsi0: 256 targets softraid0 at root scsibus2 at softraid0: 256 targets root on wd0a (83b335c3c86bb80c.a) swap on wd0b dump on wd0b clock: unknown CMOS layout On Mon, 19 Aug 2019 18:17:48 -0500 Patrick Dohman wrote: > Do you consider memory an issue? > What is the speed of your memory? > Unix load average can occasionally be deceiving. > What make of Ethernets are you running? > Regards > Patrick > > > On Aug 19, 2019, at 5:28 AM, radek wrote: > > > > Hello Patrick, > > > >> Does your ISP implement authoritative DNS? > >> Do you suspect a UDP issue? > > My VPN is configured with IPs, not with domain names. Does DNS and/or UDP > > matter anyway? > > > >> Is a managed (switch) involved? > > No, it is not. I do not use any switches in my testing setup. 
> > GW1--ISP1_modem--.--ISP2_modem--GW2 > > > > Has duplex ever been an issue? > > I have never noticed any duplex issue. > > > > > > On Sun, 18 Aug 2019 16:07:14 -0500 > > Patrick Dohman wrote: > > > >> Does your ISP implement authoritative DNS? > >> Do you suspect a UDP issue? > >> Is a managed (switch) involved? Has duplex ever been an issue? > >> Regards > >> Patrick > >> > >>> On Aug 18, 2019, at 1:03 PM, Radek wrote: > >>> > >>> Hello, > >>> > >>> I have two testing gateways (6.5/i386) with site-to-side VPN between its > >>> LANs (OpenIKED). > >>> Both gws are fully syspatched, have public IPs and the same iked/pf > >>> configuration. > >>> > >>> Unfortunately, the network traffic over the VPN tunnel stalls few times a > >>> day. > >>> > >>> On the one side I use a script to monitor VPN tunnel with ping, it > >>> restarts iked and emails me if there is no ping over the VPN tunnel. > >>> Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST) > >>> Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST) > >>> Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST) > >>> Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST) > >>> >
Re: [OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
Hello Patrick, > Does your ISP implement authoritative DNS? > Do you suspect a UDP issue? My VPN is configured with IPs, not with domain names. Does DNS and/or UDP matter anyway? > Is a managed (switch) involved? No, it is not. I do not use any switches in my testing setup. GW1--ISP1_modem--.--ISP2_modem--GW2 Has duplex ever been an issue? I have never noticed any duplex issue. On Sun, 18 Aug 2019 16:07:14 -0500 Patrick Dohman wrote: > Does your ISP implement authoritative DNS? > Do you suspect a UDP issue? > Is a managed (switch) involved? Has duplex ever been an issue? > Regards > Patrick > > > On Aug 18, 2019, at 1:03 PM, Radek wrote: > > > > Hello, > > > > I have two testing gateways (6.5/i386) with site-to-side VPN between its > > LANs (OpenIKED). > > Both gws are fully syspatched, have public IPs and the same iked/pf > > configuration. > > > > Unfortunately, the network traffic over the VPN tunnel stalls few times a > > day. > > > > On the one side I use a script to monitor VPN tunnel with ping, it restarts > > iked and emails me if there is no ping over the VPN tunnel. > > Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST) > > Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST) > > Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST) > > Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST) > > > > > > In 6.3/i386 I have the same problem, but more frequently. > > Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST) > > Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST) > > Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST) > > Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST) > > Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST) > > Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST) > > Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST) > > Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST) > > Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST) > > > > Do I have any bugs/deficiencies in my configs, missed something? > > Is there any way to make it work uninterruptedly? > > I would be very greatful if you could help me with this case. 
> > > > $cat /etc/hostname.enc0 > > up > > > > $cat /etc/hostname.vr3 > > inet 10.0.17.254 255.255.255.0 NONE description "LAN17" > > group trust > > > > $cat /etc/iked.conf > > local_gw_RAC17 = "10.0.17.254" # lan_RAC > > local_lan_RAC17 = "10.0.17.0/24" > > remote_gw_MON = "1.2.3.5" # fw_MON > > remote_lan_MON = "172.16.1.0/24" > > ikev2 quick active esp \ > > from $local_gw_RAC17 to $remote_gw_MON \ > > from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \ > > childsa enc chacha20-poly1305 \ > > psk "psk" > > > > $cat /etc/pf.conf > > # RAC-fwTEST > > ext_if = "vr0" > > lan_rac_if = "vr3" # vr3 - > > lan_rac_local = $lan_rac_if:network # 10.0.17.0/24 > > backup_if = "vr2" # vr2 - lewy port > > backup_local= $backup_if:network # 10.0.117/24 > > > > bud = "1.2.3.0/25" > > rdk_wy = "1.2.3.4" > > rdk_mon = "1.2.3.5" > > panac_krz = "1.2.3.6" > > panac_rac = "1.2.3.7" > > > > set fingerprints "/dev/null" > > set skip on { lo, enc0 } > > set block-policy drop > > set optimization normal > > set ruleset-optimization basic > > > > antispoof quick for {lo0, $lan_rac_if, $backup_if } > > > > match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to > > $ext_if set prio (3, 7) > > > > block all > > > > match in all scrub (no-df random-id) > > match out all scrub (no-df random-id) > > pass out on egress keep state > > > > pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio > > (3, 7) keep state > > > > ssh_port= "1071" > > table const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, > > 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 } > > table persist counters > > block from > > pass in log quick inet proto tcp from to $ext_if port $ssh_port > > flags S/SA \ > >set prio (7, 7) keep state \ > >(max-src-conn 15, max-src-conn-rate 2/10, overload > > flush global) > > > > icmp_types = "{ echoreq, unreach }" > > pass inet proto icmp all icmp-type $icmp_types \ > >set prio (7, 7) keep state > > > > table const { $rdk_mon, $panac_rac, 
$panac_krz }
[OpenIKED] Network traffic over VPN site-to-site tunnel stalls few times a day
Hello,

I have two testing gateways (6.5/i386) with a site-to-site VPN between their LANs (OpenIKED). Both gws are fully syspatched, have public IPs and the same iked/pf configuration.

Unfortunately, the network traffic over the VPN tunnel stalls a few times a day.

On the one side I use a script to monitor the VPN tunnel with ping; it restarts iked and emails me if there is no ping over the VPN tunnel.
Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)

In 6.3/i386 I have the same problem, but more frequently.
Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)

Do I have any bugs/deficiencies in my configs, missed something? Is there any way to make it work uninterruptedly? I would be very grateful if you could help me with this case.
$cat /etc/hostname.enc0
up

$cat /etc/hostname.vr3
inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
group trust

$cat /etc/iked.conf
local_gw_RAC17 = "10.0.17.254" # lan_RAC
local_lan_RAC17 = "10.0.17.0/24"
remote_gw_MON = "1.2.3.5" # fw_MON
remote_lan_MON = "172.16.1.0/24"
ikev2 quick active esp \
    from $local_gw_RAC17 to $remote_gw_MON \
    from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
    childsa enc chacha20-poly1305 \
    psk "psk"

$cat /etc/pf.conf
# RAC-fwTEST
ext_if = "vr0"
lan_rac_if = "vr3" # vr3 -
lan_rac_local = $lan_rac_if:network # 10.0.17.0/24
backup_if = "vr2" # vr2 - lewy port
backup_local = $backup_if:network # 10.0.117/24

bud = "1.2.3.0/25"
rdk_wy = "1.2.3.4"
rdk_mon = "1.2.3.5"
panac_krz = "1.2.3.6"
panac_rac = "1.2.3.7"

set fingerprints "/dev/null"
set skip on { lo, enc0 }
set block-policy drop
set optimization normal
set ruleset-optimization basic

antispoof quick for { lo0, $lan_rac_if, $backup_if }

match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)

block all

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
pass out on egress keep state

pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state

ssh_port = "1071"
table const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
table persist counters
block from
pass in log quick inet proto tcp from to $ext_if port $ssh_port flags S/SA \
    set prio (7, 7) keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types \
    set prio (7, 7) keep state

table const { $rdk_mon, $panac_rac, $panac_krz }
pass out quick on egress proto esp from (egress:0) to set prio (6, 7) keep state
pass out quick on egress proto udp from (egress:0) to port {500, 4500} set prio (6, 7) keep state
pass in quick on egress proto esp from to (egress:0) set prio (6, 7) keep state
pass in quick on egress proto udp from to (egress:0) port {500, 4500} set prio (6, 7) keep state
pass out quick on trust received-on enc0 set prio (6, 7) keep state
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
pass in on egress proto {ah,esp} set prio (6,7) keep state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

$cat iked_monitor.sh
#!/bin/sh
while true
do
    vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F " " '{print $4}'`
    if [ "${vpn}" -eq 0 ] ; then
        mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " " '{print $4}'`
        wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`
        if [ "${mon}" -gt 0 ] && [ "${wan}" -gt 0 ] ; then
            echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping through VPN RACTEST-MON! restartng iked!" em...@example.com
            rcctl restart iked
        fi
    fi
    sleep 32
done

-- Radek
Re: low bandwidth results with IPSEC enabled between two PC Engines APU2C2
> There is a longstanding bug there that causes the ikeds to lose > synchronization. Is this bug fixed or not in 6.5? On Wed, 9 Nov 2016 15:19:49 + (UTC) Christian Weisgerber wrote: > On 2016-11-09, "Comète" wrote: > > > I've made some bandwidth tests (on 6.0 stable - amd64) between two APU2C > > boxes connected with an Ethernet cable and an IPSEC VPN using IKEDv2. I get > > a > > maximum bandwidth of 66 Avg Mbps when IPSEC is enable which is, I think, > > very > > low for an AES-NI enabled processor. > > Well, it still is a slow processor. For best performance, I'd add > "childsa enc aes-128-gcm" to the iked configuration. The default > cipher is aes-256-cbc with hmac-sha2-256, and the latter has a > noticeable performance impact. > > > And about 30 seconds after the test is > > started, I don't know why, the connection is lost and I have restart IKED > > daemon on the "passive" host. > > Every half gigabyte of transferred data, iked rekeys. There is a > longstanding bug there that causes the ikeds to lose synchronization. > They will eventually resync on their own, but it takes several > minutes. > > -- > Christian "naddy" Weisgerber na...@mips.inka.de > -- Radek
problem with site-to-site VPN between local machine and remote LAN (OpenIKED)
Hello,

I have a local_machine and a testing remote_gateway/NAT with one remoteLAN_machine behind it. All the boxes are running OpenBSD. I can log in (ssh) to remoteLAN_machine through a port forwarded on remote_gateway/NAT. I'm trying to set up a site-to-site VPN between local_machine and the remote LAN. When I set it up (iked) the local_machine can ping (only ping) remoteLAN_machine through the VPN tunnel. I CANNOT log in (ssh) to remoteLAN_machine from local_machine, neither through the VPN nor from outside (on the gateway's public IP and forwarded port). I need to have access both ways to the behind_NAT services/boxes. I don't know what I'm doing wrong. Could you shed some light on my problem/configs please? Thank you!

local_machine# cat /etc/iked.conf | grep "^[^#;]"
remote_gw_FW70 = "240.240.10.70"
remote_lan_FW70= "10.0.100.0/24"
ikev2 quick active esp from egress to $remote_lan_FW70 \
    peer $remote_gw_FW70 \
    psk "aaa"

local_machine# cat /etc/pf.conf | grep "^[^#;]"
set skip on lo
block all
table const {240.240.10.96, 240.240.10.70 }
pass out quick on egress proto esp from (egress:0) to keep state
pass out quick on egress proto udp from (egress:0) to port {500, 4500} keep state
pass in quick on egress proto esp from to (egress:0) keep state
pass in quick on egress proto udp from to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild

local_machine# ipsecctl -sa
FLOWS:
flow esp in from 10.0.100.0/24 to 240.240.10.69 peer 240.240.10.70 srcid FQDN/desk.pk dstid FQDN/fw63 type use
flow esp out from 240.240.10.69 to 10.0.100.0/24 peer 240.240.10.70 srcid FQDN/desk.pk dstid FQDN/fw63 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256

remote_gateway/NAT# cat /etc/iked.conf | grep "^[^#;]"
local_lan_FW70 = "10.0.100.0/24"
remote_desk_RDK= "240.240.10.69"
ikev2 quick active esp \
    from $local_lan_FW70 to $remote_desk_RDK peer $remote_desk_RDK \
    psk "aaa"

remote_gateway/NAT# cat /etc/pf.conf | grep "^[^#;]"
sql_soe = "10.0.100.123"
ssh_port= "1071"
icmp_types = "{ echoreq, unreach }"
ssh_soe_int = "1071"
ssh_soe_ext = "22123"
set block-policy drop
set optimization normal
set ruleset-optimization basic
set skip on lo
set fingerprints "/dev/null"
antispoof quick for lo0
block all
match out log on egress from vr3:network nat-to egress:0
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
table const {240.240.10.96, 240.240.10.69 }
pass out quick on egress proto esp from (egress:0) to keep state
pass out quick on egress proto udp from (egress:0) to port {500, 4500} keep state
pass in quick on egress proto esp from to (egress:0) keep state
pass in quick on egress proto udp from to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp keep state
pass log proto udp keep state
pass in log quick inet proto tcp from any to egress port $ssh_port flags S/SA keep state
pass in log quick on egress inet proto tcp from any to egress port $ssh_soe_ext rdr-to $sql_soe port $ssh_soe_int keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass log inet proto { tcp, udp, esp } from vr3:network to any keep state
block in log on ! lo0 proto tcp to port 6000:6010

remote_gateway/NAT# ipsecctl -sa
FLOWS:
flow esp in from 240.240.10.69 to 10.0.100.0/24 peer 240.240.10.69 srcid FQDN/fw63 dstid FQDN/desk.pk type use
flow esp out from 10.0.100.0/24 to 240.240.10.69 peer 240.240.10.69 srcid FQDN/fw63 dstid FQDN/desk.pk type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x09952f16 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x216a3871 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x62c0615a auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x97cc9e5f auth hmac-sha2-256 enc aes-256

remoteLAN_machine# cat /etc/pf.conf | grep "^[^#;]"
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
pass all

-- radek
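The two ipsecctl -sa listings in the post above differ in a way that is worth checking mechanically: local_machine has one SA per direction, while remote_gateway/NAT has three per direction for the same endpoint pair. A second SA per direction is normal for a short overlap while iked rekeys, but SAs that keep accumulating are the kind of state the rekey desynchronisation Christian mentions in the APU2 bandwidth thread can leave behind, and a watchdog that only pings the far side cannot see them. The following shell snippet is an added example, not Radek's script or anything shipped with iked or ipsecctl: it summarises the SAD section of ipsecctl -sa per source/destination pair and fails when a direction carries more than one SA or has no return SA at all. The two embedded samples are constructed from the listings quoted in the post.

```sh
#!/bin/sh
# Added example, not from the thread: summarise the SAD part of
# `ipsecctl -sa` and flag endpoint pairs that carry more than one SA in a
# direction (leftovers a rekey did not retire) or no SA at all in one
# direction. On a live box:   ipsecctl -sa | sad_check
# The samples at the bottom are the two SADs quoted in the post.

# Print "src dst count" for every SA direction in the SAD section, sorted.
# Only lines after "SAD:" are counted, so FLOWS entries are ignored.
sad_summary() {
    awk '
        /^FLOWS:/ { in_sad = 0 }
        /^SAD:/   { in_sad = 1; next }
        in_sad && $3 == "from" && $5 == "to" { n[$4 " " $6]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# Exit 0 when every direction has exactly one SA and a matching SA in the
# return direction; exit 1 otherwise, with the reason on stderr.
sad_check() {
    sad_summary | awk '
        { n[$1 " " $2] = $3 }
        END {
            bad = 0
            if (NR == 0) {
                bad = 1
                print "no SAs in SAD" > "/dev/stderr"
            }
            for (k in n) {
                if (n[k] != 1) {
                    bad = 1
                    print "more than one SA for " k " (" n[k] ")" > "/dev/stderr"
                }
                split(k, p, " ")
                if (!((p[2] " " p[1]) in n)) {
                    bad = 1
                    print "no return SA for " k > "/dev/stderr"
                }
            }
            exit bad
        }
    '
}

# Constructed from the local_machine output quoted above: one SA per direction.
sample_sad_local() {
cat <<'EOF'
FLOWS:
flow esp in from 10.0.100.0/24 to 240.240.10.69 peer 240.240.10.70 srcid FQDN/desk.pk dstid FQDN/fw63 type use
flow esp out from 240.240.10.69 to 10.0.100.0/24 peer 240.240.10.70 srcid FQDN/desk.pk dstid FQDN/fw63 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256
EOF
}

# Constructed from the remote_gateway/NAT output quoted above: three SAs per
# direction, i.e. two extra pairs still sitting in the kernel.
sample_sad_remote() {
cat <<'EOF'
SAD:
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x09952f16 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x216a3871 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x3428e2ee auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.70 to 240.240.10.69 spi 0x4b96dca8 auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x62c0615a auth hmac-sha2-256 enc aes-256
esp tunnel from 240.240.10.69 to 240.240.10.70 spi 0x97cc9e5f auth hmac-sha2-256 enc aes-256
EOF
}

# `sh sad_check.sh demo` runs the check over the gateway sample (exit 1).
if [ "${1:-}" = "demo" ]; then
    sample_sad_remote | sad_check
fi
```

Piped from ipsecctl -sa on a gateway, sad_check gives a watchdog such as the one in the earlier thread a second signal besides "ping failed": a non-zero exit with the pair listed on stderr says the kernel SAD and the peer have drifted apart, which is the case where restarting iked (or removing the stale SAs) actually helps, whereas a clean SAD with no ping points at pf or the path instead.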
Re: vlan problem
This works for me:

$cat /etc/hostname.vr1
up

$cat /etc/hostname.vlan2
inet 10.0.2.254 255.255.255.0 NONE vlan 2 vlandev vr1

$cat /etc/hostname.vlan100
inet 10.0.100.254 255.255.255.0 NONE vlan 100 vlandev vr1

OpenBSD 6.3 (GENERIC) #3: Thu Dec 20 09:35:15 MST 2018
t...@syspatch-63-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

As Josh mentioned, you also need an 802.1Q managed switch. Then you have to configure your VLANs on your switch. Example: let's take any 16-port switch:
16p - configure as uplink for vlan2 and vlan100
1-10p - configure as ports of vlan2
11-15p - configure as ports of vlan100
Then connect 16p to the vlan NIC of your openbsd box.

On Mon, 28 Jan 2019 20:02:19 +0800 johnw wrote:
> My system is:
>
> OpenBSD 6.4-current (GENERIC.MP) #639: Sun Jan 27 14:27:05 MST 2019
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Thanks.
>
> On 28 Jan 2019 19:57:01 [GMT+08:00], johnw wrote:
> >hi, I want to create a vlan network, I created two files
> >
> >hostname.vio0
> >up
> >
> >hostname.vlan0
> >inet 10.10.10.101 255.255.255.0 10.10.10.255 parent vio0 vnetid 10
> >
> >then reboot
> >
> >I can not ping 10.10.10.1
> >
> >If I create bridge0, and add vio0 and vlan0 to bridge0, then I can ping
> >10.10.10.1
> >
> >Or if I just use vio0 without vlan,
> >hostname.vio0
> >inet 10.10.10.101 255.255.255.0 10.10.10.255
> >I can also ping 10.10.10.1.
> >
> >Why is vlan0 not linked to vio0 (parent) without creating a bridge?
> >
> >Is this normal? Am I misunderstanding vlan?
> >
> >(eg: I also tried on a real machine with an hostname.em0 card, same result)
> >
> >Thanks.
> >
> >Key fingerprint: CDB3 6C62 254B C088 1E5D DD32 182C 97DB CF2C 80AC
>
-- radek
Re: Printing problem
Thank you Stuart. If I use /usr/local/bin/lpr printing works as expected. $ grep Kyocera /etc/xpdfrc psFile "|/usr/local/bin/lpr -P Kyocera_Mita_FS-6020" On Wed, 23 Jan 2019 14:33:15 - (UTC) Stuart Henderson wrote: > On 2019-01-23, Radek wrote: > > Hello, > > > > I can print from LibreOffice without any problems, but I canNOT print from > > textproc/xpdf > > > > If I print from textproc/xpdf (command: /usr/bin/lpr -P > > Kyocera_Mita_FS-6020) I get error: > > lpr: connect: No such file or directory > > jobs queued, but cannot start daemon. > > /usr/bin/lpr is lpr from the base OS. Since you are using CUPS you need > to use /usr/local/bin/lpr instead, you can either set this in xpdf (e.g. > /etc/xpdfrc), or you could adjust your PATH so that /usr/local/bin comes > before /usr/bin. > > > -- radek
Re: Printing problem
Hello, I can print from LibreOffice without any problems, but I canNOT print from textproc/xpdf If I print from textproc/xpdf (command: /usr/bin/lpr -P Kyocera_Mita_FS-6020) I get error: lpr: connect: No such file or directory jobs queued, but cannot start daemon. It worked for me in FreeBSD, but maybe I have missed something in my new desktop. This is a network printer. $ lpstat -d -p system default destination: Kyocera_Mita_FS-6020 printer Kyocera_Mita_FS-6020 is idle. enabled since Wed Jan 23 08:55:43 2019 $ cat /etc/printcap Kyocera_Mita_FS-6020|:rm=desk.pk:rp=Kyocera_Mita_FS-6020: $ cat .cups/lpoptions Default Kyocera_Mita_FS-6020 $ rcctl check cupsd cupsd(ok) OpenBSD 6.4 (GENERIC.MP) #0: Thu Jan 10 13:55:24 CET 2019 r...@desk.pk:/usr/src/sys/arch/amd64/compile/GENERIC.MP Thanks for help. On Fri, 21 Feb 2014 07:47:28 -0800 Jeremy Evans wrote: > On Fri, Feb 21, 2014 at 3:54 AM, Jan Stary wrote: > > > On Feb 19 13:20:07, chrisbenn...@bennettconstruction.us wrote: > > > I don't print from my laptop often, but all was fine until recently. > > > I did not have any problems previously. > > > I haven't made any changes either. > > > I am using commands of > > > lpr -Plp estimate_details_for_customer > > > or > > > lpr -Paps1 estimate_details_for_customer > > > > On Feb 19 12:32:36, jeremyeva...@gmail.com wrote: > > > Known issue with that snapshot. Already fixed in -current. > > > > Indeed. Out of curiosity, what was it? I couldn't find anything under > > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/lpr/ > > that would break and fix this. > > > > Remote printing with lpd was broken from January 20 to February 7. > > usr.sbin/lpr/lpd/printjob.c (broken by r1.50, fixed by r1.52) > > Thanks, > Jeremy > -- radek
Re: Slow VPN Performance
Thank you Stuart and Christian.

> In short, I'd use "childsa enc aes-128 auth hmac-md5" for maximum
> throughput on this hardware.
It gives me up to 700KB/s.

> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
"childsa enc chacha20-poly1305" does the trick. It gives me up to 3MB/s.
I think it is the throughput I need, but what about security with CHACHA vs AES? Should I buy new routers ASAP and change enc to AES or stay calm with CHACHA?

> Do you have any other hardware you can use? If buying new, apu2/apu4
> would be good/easy options for running OpenBSD on, but if you have
> anything with enough NICs and AES (or at least PCLMUL) showing in
> the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
> suitable ciphers (try "quick enc aes-128-gcm"), it should be
> way better than the 5501.
No, I don't have any - that's the problem. I'm trying *not* to buy new APUs because it seems to be quite expensive (very small company, only 3 end users at the remote location). I think 3MB/s over VPN is sufficient. If not - I (they) will have no choice.
Will APU.2D2 be OK for that purpose, or another board, considering price/performance?
https://www.pcengines.ch/apu2d2.htm

> The best test would be run between LAN machines rather than the routers.
> Generating traffic on the router itself means it's constantly switching
> between kernel and userland which won't be helping. Still, your test is
> good enough to show that things are much slower with IPsec enabled.
True. I use a LAN machine on the one side in my netcat tests, but I don't have any on the other side, so I have to use the router.

On Mon, 21 Jan 2019 13:52:41 +0000 (UTC)
Stuart Henderson wrote:
> On 2019-01-21, Radek wrote:
> > I changed default crypto to:
> >
> > ikev2 quick active esp from $local_gw to $remote_gw \
> >         from $local_lan to $remote_lan peer $remote_gw \
> >         ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> >         childsa enc aes-128-ctr \
> >         psk "pass"
> >
> > That increased VPN throughput up to 750KB/s but it is still too slow.
> > Maybe some sysctl tweaks would also help with this?
>
> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
> I don't think any sysctl is likely to help.
>
> 750KB/s is maybe a bit slower than I'd expect but that 10+ year old
> net5501 is *not* a fast machine. You might be able to squeeze a bit more
> from it but probably not a lot, it won't be getting anywhere near your
> line speed even with larger packets, and will be terribly overloaded
> for small packets e.g. voip.
>
> Do you have any other hardware you can use? If buying new, apu2/apu4
> would be good/easy options for running OpenBSD on, but if you have
> anything with enough NICs and AES (or at least PCLMUL) showing in
> the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
> suitable ciphers (try "quick enc aes-128-gcm"), it should be
> way better than the 5501.
>
> >> To be more precise:
> >> I use net/ifstat for current bw testing.
> >> If I push data by netcat over public IPs, it is up to 5MB/s.
> >> If I push data by netcat through VPN, it is up to 400KB/s.
> >> End users in LANs also complain about VPN bw.
>
> The best test would be run between LAN machines rather than the routers.
> Generating traffic on the router itself means it's constantly switching
> between kernel and userland which won't be helping. Still, your test is
> good enough to show that things are much slower with IPsec enabled.
>
> >> > is the HEADER compression activated ?
> >> I do not know. How can I check it out?
>
> I don't know what compression that would be. There is ROHCoIPsec (RFC5856)
> but OpenBSD doesn't support that.
>
> There is ipcomp (packet compression) which can be configured in iked,
> but the last thing you want to do on this hardware is add more cpu load
> by compressing. (it is not configured in the sample you sent).
>

-- 
radek
Re: Slow VPN Performance
I changed default crypto to:

ikev2 quick active esp from $local_gw to $remote_gw \
        from $local_lan to $remote_lan peer $remote_gw \
        ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
        childsa enc aes-128-ctr \
        psk "pass"

That increased VPN throughput up to 750KB/s but it is still too slow.
Maybe some sysctl tweaks would also help with this?
Any hint would be appreciated. Thank you.

$ ifstat -i vr0
       vr0
 KB/s in  KB/s out
    4.48    100.64
   24.14    503.63
   15.32    237.62
    0.33      6.32
   27.37    516.81
   25.92    548.57
   25.36    516.66
   23.49    514.80
   30.79    594.94
   37.45    583.15
   34.16    621.32
   31.54    653.58
   31.40    659.72
   33.00    667.91
   40.15    753.08
   34.54    738.35
   32.15    639.13
   35.11    621.26
   34.78    733.43
   34.59    728.21

On Fri, 18 Jan 2019 18:25:11 +0100
Radek wrote:
> To be more precise:
> I use net/ifstat for current bw testing.
> If I push data by netcat over public IPs, it is up to 5MB/s.
> If I push data by netcat through VPN, it is up to 400KB/s.
> End users in LANs also complain about VPN bw.
>
> > You should use curl + nginx (with tmpfs) or iperf for bw testing.
> I do not need to get very exact bw. My "netcat test" shows that data transfer
> over VPN is ~10 times slower.
>
> > Have you tried your NC on the loopback as a reference ?
> $ time nc -N 127.0.0.1 1234 < 50MB.test
> 0.054u 1.476s 0:10.54 14.4% 0+0k 1281+1io 0pf+0w
>
> > is the HEADER compression activated ?
> I do not know. How can I check it out?
>
> > just drop the all sendbug data if you actually want to help.
> OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
>     rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
> 500 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> real mem  = 536363008 (511MB)
> avail mem = 512651264 (488MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
Re: Slow VPN Performance
To be more precise:
I use net/ifstat for current bw testing.
If I push data by netcat over public IPs, it is up to 5MB/s.
If I push data by netcat through VPN, it is up to 400KB/s.
End users in LANs also complain about VPN bw.

> You should use curl + nginx (with tmpfs) or iperf for bw testing.
I do not need to get very exact bw. My "netcat test" shows that data transfer over VPN is ~10 times slower.

> Have you tried your NC on the loopback as a reference ?
$ time nc -N 127.0.0.1 1234 < 50MB.test
0.054u 1.476s 0:10.54 14.4% 0+0k 1281+1io 0pf+0w

> is the HEADER compression activated ?
I do not know. How can I check it out?

> just drop the all sendbug data if you actually want to help.
OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
    rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem  = 536363008 (511MB)
avail mem = 512651264 (488MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
mtrr: K6-family MTRR support (2 registers)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
0:20:0: io address conflict 0x6100/0x100
0:20:0: io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:00:24:cd:90:10
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
> You should use curl + nginx (with tmpfs) or iperf for bw testing.
>
> don't drop data, maybe the driver of the ethernet card is crappy ?
>
> just drop the all sendbug data if you actually want to help.
>
> Have you tried your NC on the loopback as a reference ?
> is the HEADER compression activated ?

On Fri, 18 Jan 2019 09:28:45 -0500
sven falempin wrote:
> On Fri, Jan 18, 2019 at 8:58 AM Radek wrote:
>
> > I have configured Site-to-Site ikev2 VPN between two routers (Soekris
> > net5501-70).
> > Over the internet my transfer speed between these machines is up to
> > 5000KB/s (it is OK).
> > Over the VP
Re: Slow VPN Performance
I have configured Site-to-Site ikev2 VPN between two routers (Soekris net5501-70).
Over the internet my transfer speed between these machines is up to 5000KB/s (it is OK).
Over the VPN it is up to 400KB/s only.
Is there any way to squeeze more performance out of this hardware and speed up the VPN?

Tested with netcat:
$ nc 10.0.15.254 1234 < 49MB.test
$ nc -l 1234 > 49MB.test

$ cat /etc/iked.conf
ikev2 quick active esp from $local_gw to $remote_gw \
        from $local_lan to $remote_lan peer $remote_gw \
        psk "pass"

$ dmesg | head
OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
    rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem  = 536363008 (511MB)
avail mem = 512651264 (488MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40

On Wed, 24 Oct 2012 10:28:43 +0000 (UTC)
Stuart Henderson wrote:
> On 2012-10-24, Michael Sideris wrote:
> > Also, OpenBSD 5.2 is around the corner and you never know what that might
> > bring.
>
> There's a commit from just after 5.2 which is relevant to some
> packet forwarding setups, which might be of interest..
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet/ip_input.c?r1=1.197;f=h#rev1.197
>

-- 
radek
Re: Blocking "shodan.io" - What are my options?
Sorry, I haven't tried it yet. I'll do it ASAP.

On Tue, 15 Jan 2019 21:05:32 -0600
ed...@pettijohn-web.com wrote:
> On Sun, Jan 13, 2019 at 01:39:13PM -0600, ed...@pettijohn-web.com wrote:
> > On Sun, Jan 13, 2019 at 08:04:32PM +0100, Radek wrote:
> > > Hi,
> > >
> > > I would gladly play with your script. Would you please share it @misc.
> > > Maybe our community could develop it further...
>
> Just curious if anyone has tried it out. I've been running it for about
> 48 hours now and it doesn't appear to be having any issues. Plus my pf
> table is growing.
>
> $ doas pfctl -t badguys -T show | wc -l
> 697
>
> I have it running on about 10 ports. Obviously the majority of the scans
> are on 22, but I was surprised to see so many on 23.
>
> $ egrep "23$" /var/log/messages | wc -l
> 247
>
> Edgar
>
> > > On Sun, 13 Jan 2019 12:43:15 -0600
> > > ed...@pettijohn-web.com wrote:
> > >
> > > > On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > > > > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > > > > suspicion that you'd need something to listen on that port. Is there
> > > > > a way to achieve what we seek, in that case, without userland tools?
> > > > >
> > > > > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson
> > > > > wrote:
> > > > > >
> > > > > > On 2019-01-09, Aaron Mason wrote:
> > > > > > > Hi Jordan
> > > > > > >
> > > > > > > I've set it up to try it, but I'm not having much luck. Even when I
> > > > > > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > > > > > even again when I extend the rate period to 86400 seconds. I've added
> > > > > > > logging so I know the rule is triggering. See below.
> > > > > >
> > > > > > max-src-conn-rate is only triggered when a TCP connection is
> > > > > > established, you need to have something listening (and it will only
> > > > > > trigger on the *second* connection).
> > > > > >
> > > > >
> > > > > --
> > > > > Aaron Mason - Programmer, open source addict
> > > > > I've taken my software vows - for beta or for worse
> > > > >
> > > >
> > > > I wrote a little daemon to do what we're looking for. It listens on
> > > > specified ports, accepts the connection and executes a script so you can
> > > > either use something like logger or pfctl, etc to do what you want with
> > > > the address it connected from. If anyone wants to play with it let me
> > > > know and I'll send you the tarball.
> > > >
> > > > Edgar
> > > >
> > >
> > > --
> > > radek
> >
> > It can be obtained at http://www.pettijohn-web.com/void-1.0.0.tar.gz
> >
> > The manual isn't quite complete. The supplied script could really use
> > some help as well as an rc script. The makefile is also cobbled
> > together. It is pledged and unveiled. I think it can have a few of the
> > pledges removed, but I haven't gotten that far. I think it is unveiled
> > correctly, but this was my first time playing with it.
> >
> > The only requirement is libevent2 to aid in portability, which was the
> > driving force behind executing a script so that it could tie into
> > whatever packet filter is in use. Any constructive suggestions and
> > patches are more than welcome.
> >
> > Enjoy.
> >
> > Edgar
>

-- 
radek
Re: Blocking "shodan.io" - What are my options?
Hi,

I would gladly play with your script. Would you please share it @misc.
Maybe our community could develop it further...

On Sun, 13 Jan 2019 12:43:15 -0600
ed...@pettijohn-web.com wrote:
> On Fri, Jan 11, 2019 at 09:30:38AM +1100, Aaron Mason wrote:
> > I knew it wouldn't trigger on the first attempt, but I had a sneaking
> > suspicion that you'd need something to listen on that port. Is there
> > a way to achieve what we seek, in that case, without userland tools?
> >
> > On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson
> > wrote:
> > >
> > > On 2019-01-09, Aaron Mason wrote:
> > > > Hi Jordan
> > > >
> > > > I've set it up to try it, but I'm not having much luck. Even when I
> > > > trigger more than one, it still doesn't populate the bad_hosts table,
> > > > even again when I extend the rate period to 86400 seconds. I've added
> > > > logging so I know the rule is triggering. See below.
> > >
> > > max-src-conn-rate is only triggered when a TCP connection is
> > > established, you need to have something listening (and it will only
> > > trigger on the *second* connection).
> > >
> >
> > --
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
> >
>
> I wrote a little daemon to do what we're looking for. It listens on
> specified ports, accepts the connection and executes a script so you can
> either use something like logger or pfctl, etc to do what you want with
> the address it connected from. If anyone wants to play with it let me
> know and I'll send you the tarball.
>
> Edgar
>

-- 
radek
Re: Polish localization
> Don't know about the console,
Sorry, I meant XTERM.

> but to set (default) Polish keyboard in X
> you need to run "setxkbmap pl", eg. in your .xsession file.
Thank you, that is exactly what I need! I just want to be able to type and display Polish characters in X. Polish-language interfaces are not strictly needed.

On Tue, 8 Jan 2019 17:29:22 +0200
Dumitru Moldovan wrote:
> On Tue, Jan 08, 2019 at 02:52:21PM +0000, Radek wrote:
> >Hello,
> >
> >I'm trying to set Polish locales in my new desktop (6.4/amd64, xenodm,
> >WindowMaker).
> >
> > […]
>
> Don't know about the console, but to set (default) Polish keyboard in X
> you need to run "setxkbmap pl", eg. in your .xsession file.
>
> To have Polish interface displayed (when available) you need to set LANG
> and LC_MESSAGES as pl_PL.UTF-8 (not sure if both or only one of it).
> Setting LC_ALL will do that too (and more).
>
> For Firefox there is a separate package for the Polish localization:
> firefox-i18n-pl. For the other program, I don't know… Maybe nobody
> localized it or the translation was removed?
>
> HTH!
>

-- 
radek
Polish localization
Hello,

I'm trying to set Polish locales in my new desktop (6.4/amd64, xenodm, WindowMaker).

$ cat /etc/kbdtype
pl
$ cat /etc/wsconsctl.conf
keyboard.encoding=pl
$ grep LC ~/.xsession
export LC_CTYPE="pl_PL.UTF-8"
$ grep LC ~/.profile
export LC_CTYPE="pl_PL.UTF-8"

It doesn't work as expected. I can't type Polish characters anywhere (console, X). I have English menu bars in Firefox and in claws-mail.
Then, I changed LC_CTYPE to LC_ALL. I still can't type Polish characters anywhere, but now I have a Polish menu bar in claws-mail.
Did I miss something?

$ locale
LANG=
LC_COLLATE="C"
LC_CTYPE="C"
LC_MONETARY="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_MESSAGES="C"
LC_ALL=

Any help appreciated. Thanks!

-- 
radek
Re: Blocking "shodan.io" - What are my options?
> A little ncat, sed, pfctl, and a dash of cron are able to do
> the job just fine. cron is just there to start the ncat processes at
> boot and run an hourly script to do a pfctl -T expire 86400 to
> keep the table clean of old attackers.
Sounds good. Could you share your script here?

On Thu, 3 Jan 2019 15:20:44 -0800
Misc User wrote:
> On 1/3/2019 3:06 PM, Jordan Geoghegan wrote:
> > Hello,
> >
> > I wrote a small script called 'pf-badhost' to block shodan and other
> > annoyances via pf firewall. Check out www.geoghegan.ca/pf-badhost.html
> > to see the script.
> >
> > pf-badhost also blocks ssh bruteforcers and other annoyances by loading
> > a list of regularly updated badhost lists from trusted sources. If you
> > only want to block shodan specifically, just comment out the few lines
> > that download the other blocklists, and you should be good to go. I've
> > had a number of people give good feedback on it, and they've reported it
> > blocking the scanners and baddies quite effectively; BSDNow also did a
> > piece about it, so it seems to work alright.
> >
> >
> > Cheers,
> >
> > Jordan
> >
> >
> > On 01/02/19 22:15, Antonino Sidoti wrote:
> >> Hi,
> >>
> >> I wish to block all attempts by "shodan.io". Basically I run an
> >> OpenBSD (6.4) mail server using OpenSMTPD and notice quite bit of
> >> traffic all stemming from "shodan.io". I have PF configured so I was
> >> wondering how to block such a domain from making any attempts to
> >> connect to my server. There is little information about Public IP
> >> addresses being used by "shodan.io" scanner, so making an IP list for
> >> PF may be futile.
> >>
> >> Could someone suggest a possible option? I was thinking along the
> >> lines of "relayd" or "squid proxy". My server is hosted at Vultr and
> >> has a single WAN interface with Public IP. There is no internal LAN
> >> interface.
> >>
> >> For those who do not know about "shodan.io", please do a search and
> >> you will discover what it does.
> >>
> >> Regards
> >>
> >> Nino
> >>
> >
>
> I've always been a fan of just setting up a simple script to open a
> couple ports with ncat, then when a client connects to the port, it gets
> shoved into pf table that has a `drop' rule attached to it. No messing
> about with blocklists or proxies or anything else.
>
> ncat listens on various low-number ports that nothing is using on my
> servers. A little ncat, sed, pfctl, and a dash of cron are able to do
> the job just fine. cron is just there to start the ncat processes at
> boot and run an hourly script to do a pfctl -T expire 86400 to
> keep the table clean of old attackers.
>
> Shodan isn't the only scanner out there, so there is no point in just
> blocking it. And I figure if someone is trying to connect to unused
> ports on my system, they probably aren't up to any good. If you aren't
> aware that my machine isn't legitimately listening on 22 or 23, or 443,
> I don't want to talk to you.
>
> I usually just run on port 22 and move sshd to a different port, that
> seems to stop >95% of attackers.
>

-- 
radek
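The ncat-plus-pf-table trick Misc User describes (with the `badguys` table name Edgar reports on later in the thread), written out as an added example rather than any script posted here: a POSIX sh script for OpenBSD that listens on an unused port with nc(1), pulls the peer address out of nc's verbose output, adds it to the pf table, and leaves ageing to the hourly `pfctl -T expire 86400`. The exact wording of nc's "Connection from ... received!" line, the script path and the rc/cron hooks are assumptions.

```sh
#!/bin/sh
# Added example, not code from this thread. Assumes OpenBSD nc(1), whose
# "-v -l" mode prints "Connection from <addr> <port> received!" on stderr
# for every accepted connection (assumption about the exact wording), and
# a pf.conf containing:
#   table <badguys> persist
#   block drop in quick from <badguys>
# Start one copy per trap port from rc.local, e.g.
#   /usr/local/sbin/trapport.sh 23 &
# and age entries out hourly from root's crontab:
#   0 * * * * pfctl -t badguys -T expire 86400

TABLE=badguys

# Extract the peer address from one line of nc -v output.
# Prints the address, or nothing when the line is not a connection line.
# IPv4 and IPv6 literals are handled the same way, since nc prints both
# in the same position.
peer_from_ncline() {
	case $1 in
	"Connection from "*" received!")
		set -- $1          # split: Connection from ADDR PORT received!
		printf '%s\n' "$3"
		;;
	esac
}

# Accept only strings that look like an address literal, so nothing a
# remote peer controls can ever reach pfctl as an unexpected argument.
valid_addr() {
	case $1 in
	"") return 1 ;;
	*[!0-9a-fA-F:.]*) return 1 ;;   # digits, hex, ':' and '.' only
	esac
	return 0
}

# Add one address to the pf table and leave a trace in syslog.
block_addr() {
	logger -t trapport "port $2 probe from $1, adding to <$TABLE>"
	pfctl -t "$TABLE" -T add "$1"
}

# Keep nc listening on the trap port; stderr (the connection lines) goes
# into the parser, whatever the peer sends on stdout is discarded.
# nc exits after each accepted connection, so the outer loop restarts it.
trap_port() {
	port=$1
	while :; do
		nc -v -l "$port" 2>&1 >/dev/null | while IFS= read -r line; do
			addr=$(peer_from_ncline "$line")
			valid_addr "$addr" || continue
			block_addr "$addr" "$port"
		done
	done
}

# Only start listening when a port is given, so the functions above can
# also be sourced and checked on their own.
if [ $# -eq 1 ]; then
	trap_port "$1"
fi
```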
Re: ikev2 and road warriors setup
Another question arose in my random walk:
How can I assign static IPs to more than one client?
I played around with DSTID but when I add DSTID to my policy then auth stops working.

ikev2 "roadWarrior" passive ipcomp esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        dstid "/C.../CN=win7/emailAddress=r...@123.com" \
        config address 10.0.1.123 \
        tag "$id" tap enc0

The only working way I have found is to assign a static IP to a specific peer (IP or network)
        local 4.5.6.88 peer 1.2.3.4/32
or
        local 4.5.6.88 peer 1.2.3.0/24
but this is NOT what I need. I need to do something like this:

policy1, peer any, warrior1/CA1/ASN11, config address IP1
policy2, peer any, warrior2/CA2,ASN12, config address IP2
policy3, peer any, warrior3/CA3,ASN13, config address IP3
...
policyN "catch the rest" config address 10.0.11/24 \

Any help appreciated!

On Fri, 28 Dec 2018 10:41:22 +0100
Radek wrote:
> Hello,
>
> finally I solved my problem as follows:
> 1. Uncheck "use default gateway on remote network" in warrior (Windows)
> 2. Create route192.bat file: route add 192.168.2.0 mask 255.255.255.0
> 10.0.1.123
> 3. Run route192.bat as administrator (when vpn connection is established)
> It works as expected, traffic to 192.168.2.0 goes through VPN, the rest
> through warrior's local gateway.
> # When using PPTP (npppd) I do not need to add extra route to "LAN behind
> VPNgateway" (2.) - it works by default. Why?
>
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive ipcomp esp \
>         from 192.168.2.0/24 to 10.0.1.0/24 \
>         local 4.5.6.88 peer any \
>         srcid 4.5.6.88 \
>         config address 10.0.1.123 \
>         tag "$id" tap enc0
>
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
>
> On Wed, 12 Dec 2018 21:45:25 +0100
> Radek wrote:
>
> > Hello again,
> >
> > I am using PPTP VPN (npppd) and it works as expected on windows clients -
> > traffic to the "LAN behind that VPNgateway" is going through VPNgateway.
> > The "rest" is going through clients' gateway - DO NOT "use default gateway
> > on remote network".
> >
> > I have been playing around with iked.conf, pf.conf and ipsec.conf - still
> > cannot get it working in this manner.
> > I do not want to use OpenIKED as a internet gateway, VPN is needed only to
> > access "LAN behind that VPNgateway".
> >
> > Could someone please help me with this problem? Christmas is coming...
> >
> > Many thanks!
> >
> > On Fri, 7 Dec 2018 20:20:21 +0100
> > Radek wrote:
> >
> > > Hello,
> > >
> > > I am still almost in the same point.
> > > If I want to reach my GW88_LAN I have to check "use default gateway on
> > > remote network" box (Windows roadwarrior), but this option makes me
> > > reaching the internet through GW88.
> > >
> > > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's
> > > "local" gateway for the rest of the traffic - unchecked box "use default
> > > gateway on remote network".
> > > If the box is unchecked I am not able to access 192.168.2.0/24.
> > >
> > > What should I change in my confs to get it working in this manner?
> > >
> > > GW88# grep "^[^#;]" /etc/pf.conf
> > > set skip on {lo, enc}
> > > match in all scrub (no-df random-id)
> > > match out all scrub (no-df random-id)
> > > match out on egress from lan:network to any nat-to egress
> > > block log all
> > > pass out quick on egress inet received-on enc0 nat-to (egress)
> > > pass in on egress proto udp from any to (egress:0) port
> > > {isakmp,ipsec-nat-t}
> > > pass in on egress proto {ah,esp}
> > > pass out on egress
> > > pass on lan
> > >
> > >
> > > GW88# grep "^[^#;]" /etc/iked.conf
> > > ikev2 "roadWarrior" passive esp \
> > >         from 0.0.0.0/0 to 10.0.1.0/24 \
> > >         from 192.168.2.0/24 to 10.0.1.0/24 \
> > >         local 4.5.6.88 peer any \
> > >         srcid 4.5.6.88 \
> > >         config address 10.0.1.0/24 \
> > >         config netmask 255.255.255.0 \
> > >         config name-server 8.8
Re: Cheaper alternatives for APC UPS
Thanks for your hints, Stuart. I hope to get one OpenUPS soon and give it a try.

On Sun, 23 Dec 2018 12:13:12 +0000 (UTC)
Stuart Henderson wrote:
> On 2018-12-19, Radek wrote:
> > Thank you for all your comprehensive technical references. I just wanted to
> > know if there is any way to save some money buying other brands than APC.
> > After reading your posts I will definitely stay with APC.
>
> I have had APCs that required a crowbar to remove the batteries before ;)
> Whatever brand, it's probably a good idea to schedule a battery inspection
> from time to time.
>
> > Salicru, OpenUPS - I have never heard about these brands/solutions. Thanks.
> >
> >> I am not sure about "supported",
> > I wanted to say that you can manage it smoothly using OpenBSD.
> >
> > BTW, do you have any experience with 12V DC small UPS that can be smoothly
> > used with routers only (PCEngines/Soekris). I am looking for an "out of the
> > box" small, silent and low power consumption device that can shut down my
> > home OpenBSD router when the power is lost.
> > I would like not to use a 230V device for that purpose, which consumes more
> > power when compared to 12V devices.
>
> OpenUPS is perfect for this. Or there are cheap chinese boxes that
> work with 18650 batteries and are meant for this sort of use too (but
> no monitoring with those like you get with OpenUPS).
>

-- 
radek
Re: ikev2 and road warriors setup
Hello, finally I solved my problem as follows:

1. Uncheck "use default gateway on remote network" in warrior (Windows)
2. Create route192.bat file:
   route add 192.168.2.0 mask 255.255.255.0 10.0.1.123
3. Run route192.bat as administrator (when the VPN connection is established)

It works as expected, traffic to 192.168.2.0 goes through VPN, the rest through warrior's local gateway.

# When using PPTP (npppd) I do not need to add an extra route to "LAN behind VPNgateway" (2.) - it works by default. Why?

GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive ipcomp esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address 10.0.1.123 \
        tag "$id" tap enc0

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

On Wed, 12 Dec 2018 21:45:25 +0100
Radek wrote:

> Hello again,
>
> I am using PPTP VPN (npppd) and it works as expected on windows clients -
> traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The
> "rest" is going through clients' gateway - DO NOT "use default gateway on
> remote network".
>
> I have been playing around with iked.conf, pf.conf and ipsec.conf - still
> cannot get it working in this manner.
> I do not want to use OpenIKED as an internet gateway, VPN is needed only to
> access "LAN behind that VPNgateway".
>
> Could someone please help me with this problem? Christmas is coming...
>
> Many thanks!
>
> On Fri, 7 Dec 2018 20:20:21 +0100
> Radek wrote:
>
> > Hello,
> >
> > I am still almost in the same point.
> > If I want to reach my GW88_LAN I have to check "use default gateway on
> > remote network" box (Windows roadwarrior), but this option makes me
> > reaching the internet through GW88.
> >
> > I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's
> > "local" gateway for the rest of the traffic - unchecked box "use default
> > gateway on remote network".
> > If the box is unchecked I am not able to access 192.168.2.0/24.
> >
> > What should I change in my confs to get it working in this manner?
> >
> > GW88# grep "^[^#;]" /etc/pf.conf
> > set skip on {lo, enc}
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > match out on egress from lan:network to any nat-to egress
> > block log all
> > pass out quick on egress inet received-on enc0 nat-to (egress)
> > pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> > pass in on egress proto {ah,esp}
> > pass out on egress
> > pass on lan
> >
> >
> > GW88# grep "^[^#;]" /etc/iked.conf
> > ikev2 "roadWarrior" passive esp \
> > from 0.0.0.0/0 to 10.0.1.0/24 \
> > from 192.168.2.0/24 to 10.0.1.0/24 \
> > local 4.5.6.88 peer any \
> > srcid 4.5.6.88 \
> > config address 10.0.1.0/24 \
> > config netmask 255.255.255.0 \
> > config name-server 8.8.8.8
> >
> > On Fri, 30 Nov 2018 15:06:28 +0100
> > Radek wrote:
> >
> > > Hello,
> > >
> > > Thank all of you for your time and your help in this matter!
> > > I think that the ISP of A.B.C.0/23 is filtering/blocking some
> > > certificates.
> > > I have moved VPN server and clients out of A.B.C.0/23. They can connect
> > > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect
> > > to VPN serv.
> > > Site-to-Site VPN is doing its job.
> > >
> > > The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY
> > > if "use default gateway on remote network" is set.
> > > I need to make road_warriors:
> > > - reaching GW88_LAN_machines 192.168.2.254/24
> > > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > > - force road_warriors to use its own gateway for the rest of traffic -
> > > unticked "use default gateway on remote network".
> > >
> > > I was playing around with iked.conf and pf.conf but I did not find the
> > > way to make it work.
> > > I will be grateful if anyone could help me with that.
> > >
> > > My network diagram and configs of GW88:
> > >
> > > GW88$ cat /etc/hostname.enc0
> 
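The client side of the fix above (unchecked box plus route192.bat) can be done so that the route lives on the VPN connection itself instead of in a batch file the user has to run elevated after every dial-up. This is an added example, not code from the thread: it uses the Windows VpnClient cmdlets, assumes the IKEv2 connection is named "GW88" in the Windows VPN client (a hypothetical name), and uses the 192.168.2.0/24 LAN and the 10.0.1.123 tunnel address from the thread.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# Windows road warrior; needs the built-in VpnClient module (Windows 8.1/10/11).
# Assumptions: the IKEv2 connection is called "GW88" (hypothetical name) and
# the LAN behind the gateway is 192.168.2.0/24, as in the thread.
$ConnectionName = 'GW88'
$RemoteLan      = '192.168.2.0/24'

# Step 1 equivalent: "use default gateway on remote network" unchecked.
# With split tunnelling on, only prefixes attached to the connection go into
# the tunnel; everything else keeps using the warrior's local gateway.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Steps 2 and 3 equivalent: attach the prefix to the connection. Windows then
# installs the route via the tunnel's assigned address (10.0.1.123 in the
# thread) each time the connection comes up and removes it on disconnect, so
# no stale route is left behind and no elevated batch file is needed.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $RemoteLan -PassThru

# Check the stored settings: SplitTunneling should be True and the prefix listed.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, SplitTunneling, @{ n = 'Routes'; e = { $_.Routes.DestinationPrefix } }

# Once the connection is up (rasdial $ConnectionName, or the GUI), confirm the
# kernel route for the LAN points at the VPN interface, not the local gateway.
Get-NetRoute -DestinationPrefix $RemoteLan -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias
```

The iked.conf flow on GW88 (from 192.168.2.0/24 to 10.0.1.0/24) only decides what the gateway will accept and encrypt; the Windows client's own routing table decides what it sends into the tunnel in the first place, and the built-in IKEv2 client does not derive routes from the negotiated traffic selectors. That is why a client-side route is needed with IKEv2 whether it comes from route.exe or from Add-VpnConnectionRoute.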
Re: Cheaper alternatives for APC UPS
Thank you for all your comprehensive technical references. I just wanted to know if there is any way to save some money buying other brands than APC. After reading your posts I will definitely stay with APC.
Salicru, OpenUPS - I have never heard about these brands/solutions. Thanks.

> I am not sure about "supported",
I wanted to say that you can manage it smoothly using OpenBSD.

BTW, do you have any experience with 12V DC small UPS that can be smoothly used with routers only (PCEngines/Soekris)? I am looking for an "out of the box" small, silent and low power consumption device that can shut down my home OpenBSD router when the power is lost. I would like not to use a 230V device for that purpose, which consumes more power when compared to 12V devices.

On Tue, 18 Dec 2018 20:19:20 +0100
Juan Francisco Cantero Hurtado wrote:

> On Mon, Dec 17, 2018 at 09:47:25PM +0100, Radek wrote:
> > Hello,
> >
> > could you recommend me any UPS brands *cheaper* than APC that are fully
> > supported in OpenBSD?
> > I always use APC, managing them via USB and apcupsd(both servers and
> > clients) and PowerChute(windows clients). It works like a charm. APC is
> > quite expensive brand so I am looking for any cheaper alternatives.
>
> Salicru is a good brand. The home models use a third party protocol
> supported by one of our ports (I don't remember the names). The
> professional product lines have support for USB HID.
>
> I've used a couple of basic models. The batteries lasted for 3 years and
> I never had a leak.
>
> The windows software is the biggest crap ever done. Use a third party
> application.
>
>
> --
> Juan Francisco Cantero Hurtado http://juanfra.info

--
radek
Cheaper alternatives for APC UPS
Hello,

could you recommend me any UPS brands *cheaper* than APC that are fully supported in OpenBSD?
I always use APC, managing them via USB and apcupsd (both servers and clients) and PowerChute (windows clients). It works like a charm. APC is quite an expensive brand so I am looking for any cheaper alternatives.

Thanks!

--
radek
Re: ikev2 and road warriors setup
Hello again,

I am using PPTP VPN (npppd) and it works as expected on windows clients - traffic to the "LAN behind that VPNgateway" is going through VPNgateway. The "rest" is going through clients' gateway - DO NOT "use default gateway on remote network".

I have been playing around with iked.conf, pf.conf and ipsec.conf - still cannot get it working in this manner.
I do not want to use OpenIKED as an internet gateway, VPN is needed only to access "LAN behind that VPNgateway".

Could someone please help me with this problem? Christmas is coming...

Many thanks!

On Fri, 7 Dec 2018 20:20:21 +0100
Radek wrote:

> Hello,
>
> I am still almost in the same point.
> If I want to reach my GW88_LAN I have to check "use default gateway on remote
> network" box (Windows roadwarrior), but this option makes me reaching the
> internet through GW88.
>
> I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's
> "local" gateway for the rest of the traffic - unchecked box "use default
> gateway on remote network".
> If the box is unchecked I am not able to access 192.168.2.0/24.
>
> What should I change in my confs to get it working in this manner?
>
> GW88# grep "^[^#;]" /etc/pf.conf
> set skip on {lo, enc}
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
> match out on egress from lan:network to any nat-to egress
> block log all
> pass out quick on egress inet received-on enc0 nat-to (egress)
> pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
>
> GW88# grep "^[^#;]" /etc/iked.conf
> ikev2 "roadWarrior" passive esp \
> from 0.0.0.0/0 to 10.0.1.0/24 \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.0/24 \
> config netmask 255.255.255.0 \
> config name-server 8.8.8.8
>
> On Fri, 30 Nov 2018 15:06:28 +0100
> Radek wrote:
>
> > Hello,
> >
> > Thank all of you for your time and your help in this matter!
> > I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
> > I have moved VPN server and clients out of A.B.C.0/23. They can connect
> > pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to
> > VPN serv.
> > Site-to-Site VPN is doing its job.
> >
> > The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if
> > "use default gateway on remote network" is set.
> > I need to make road_warriors:
> > - reaching GW88_LAN_machines 192.168.2.254/24
> > - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> > - force road_warriors to use its own gateway for the rest of traffic -
> > unticked "use default gateway on remote network".
> >
> > I was playing around with iked.conf and pf.conf but I did not find the way
> > to make it work.
> > I will be grateful if anyone could help me with that.
> >
> > My network diagram and configs of GW88:
> >
> > GW88$ cat /etc/hostname.enc0
> > inet 10.0.1.254 255.255.255.0
> >
> > GW88$ cat /etc/iked.conf
> > #
> > ikev2 "roadWarrior" passive esp \
> > from 192.168.2.0/24 to 10.0.1.0/24 \
> > local 4.5.6.88 peer any \
> > srcid 4.5.6.88 \
> > config address 10.0.1.0/24
> > #
> > #
> > remote_gw_GW119 = "1.2.3.119" # fw_GW119
> > remote_lan_GW119_1 = "172.16.1.0/24"
> > remote_lan_GW119_2 = "172.16.2.0/24"
> >
> > local_gw_GW88_2 = "192.168.2.254"
> > local_lan_GW88_2 = "192.168.2.0/24"
> >
> > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> > psk "pkspass"
> >
> > ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> > from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> > psk "pskpass"
> >
> >
> > GW88$ cat /etc/pf.conf
> > set skip on {lo, enc}
> >
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> >
> > match out on egress from lan:network to any nat-to egress
> >
> > block log all
> > pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> > pass in
Re: sh /etc/netstart interface counter intuitive behaviour with multiple inet aliases 6.4 and 6.3
; inet 10.134.91.237 netmask 0xfffc broadcast 10.134.91.239
> >>> inet 10.134.91.241 netmask 0xfffc broadcast 10.134.91.243
> >>> inet 10.134.91.245 netmask 0xfffc broadcast 10.134.91.247
> >>> inet 10.134.91.249 netmask 0xfffc broadcast 10.134.91.251
> >>> inet 10.134.91.253 netmask 0xfffc broadcast 10.134.91.255
> >>>
> >>>
> >>> after commenting out the last 2 inet aliases, and running sh
> >>> /etc/netstart vio4
> >>>
> >>> the ifconfig output is as follows (I have highlighted with *** the
> >>> addresses
> >>> which I think should have been removed)
> >>>
> >>> vio4: flags=8843 mtu 1500
> >>> lladdr 16:2c:a4:f2:b4:e3
> >>> index 5 priority 0 llprio 3
> >>> media: Ethernet autoselect
> >>> status: active
> >>> ** inet 10.134.91.249 netmask 0xfffc broadcast 10.134.91.251
> >>> ** inet 10.134.91.253 netmask 0xfffc broadcast 10.134.91.255
> >>> inet 10.94.0.1 netmask 0x broadcast 10.94.255.255
> >>> inet 10.134.91.65 netmask 0xfffc broadcast 10.134.91.67
> >>> inet 10.134.91.69 netmask 0xfffc broadcast 10.134.91.71
> >>> inet 10.134.91.73 netmask 0xfffc broadcast 10.134.91.75
> >>> inet 10.134.91.85 netmask 0xfffc broadcast 10.134.91.87
> >>> inet 10.134.91.89 netmask 0xfffc broadcast 10.134.91.91
> >>> inet 10.134.91.93 netmask 0xfffc broadcast 10.134.91.95
> >>> inet 10.134.91.161 netmask 0xfffc broadcast 10.134.91.163
> >>> inet 10.134.91.165 netmask 0xfffc broadcast 10.134.91.167
> >>> inet 10.134.91.169 netmask 0xfffc broadcast 10.134.91.171
> >>> inet 10.134.91.173 netmask 0xfffc broadcast 10.134.91.175
> >>> inet 10.134.91.193 netmask 0xfffc broadcast 10.134.91.195
> >>> inet 10.134.91.197 netmask 0xfffc broadcast 10.134.91.199
> >>> inet 10.134.91.201 netmask 0xfffc broadcast 10.134.91.203
> >>> inet 10.134.91.205 netmask 0xfffc broadcast 10.134.91.207
> >>> inet 10.134.91.209 netmask 0xfffc broadcast 10.134.91.211
> >>> inet 10.134.91.213 netmask 0xfffc broadcast 10.134.91.215
> >>> inet 10.134.91.217 netmask 0xfffc broadcast 10.134.91.219
> >>> inet 10.134.91.221 netmask 0xfffc broadcast 10.134.91.223
> >>> inet 10.134.91.225 netmask 0xfffc broadcast 10.134.91.227
> >>> inet 10.134.91.229 netmask 0xfffc broadcast 10.134.91.231
> >>> inet 10.134.91.233 netmask 0xfffc broadcast 10.134.91.235
> >>> inet 10.134.91.237 netmask 0xfffc broadcast 10.134.91.239
> >>> inet 10.134.91.241 netmask 0xfffc broadcast 10.134.91.243
> >>> inet 10.134.91.245 netmask 0xfffc broadcast 10.134.91.247
> >>>
> >>> This behaviour is counter intuitive as it is different to sh
> >>> /etc/netstart
> >>> behaviour on the configuration of inet addresses
> >>> I'm wondering is this a feature or a bug ... or me misunderstanding the
> >>> use of netstart script to reset / reload the configuration of an interface
> >>>
> >>> Thanks
> >>>
> >>> Tom Smyth
> >>>
> >>
> >> --
> >> I'm not entirely sure you are real.
> >
> >
>
>

--
radek
Re: ikev2 and road warriors setup
Hello,

I am still almost in the same point.
If I want to reach my GW88_LAN I have to check "use default gateway on remote network" box (Windows roadwarrior), but this option makes me reaching the internet through GW88.

I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's "local" gateway for the rest of the traffic - unchecked box "use default gateway on remote network".
If the box is unchecked I am not able to access 192.168.2.0/24.

What should I change in my confs to get it working in this manner?

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass out quick on egress inet received-on enc0 nat-to (egress)
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive esp \
        from 0.0.0.0/0 to 10.0.1.0/24 \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address 10.0.1.0/24 \
        config netmask 255.255.255.0 \
        config name-server 8.8.8.8

On Fri, 30 Nov 2018 15:06:28 +0100
Radek wrote:

> Hello,
>
> Thank all of you for your time and your help in this matter!
> I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
> I have moved VPN server and clients out of A.B.C.0/23. They can connect
> pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to
> VPN serv.
> Site-to-Site VPN is doing its job.
>
> The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if
> "use default gateway on remote network" is set.
> I need to make road_warriors:
> - reaching GW88_LAN_machines 192.168.2.254/24
> - reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
> - force road_warriors to use its own gateway for the rest of traffic -
> unticked "use default gateway on remote network".
>
> I was playing around with iked.conf and pf.conf but I did not find the way to
> make it work.
> I will be grateful if anyone could help me with that.
>
> My network diagram and configs of GW88:
>
> GW88$ cat /etc/hostname.enc0
> inet 10.0.1.254 255.255.255.0
>
> GW88$ cat /etc/iked.conf
> #
> ikev2 "roadWarrior" passive esp \
> from 192.168.2.0/24 to 10.0.1.0/24 \
> local 4.5.6.88 peer any \
> srcid 4.5.6.88 \
> config address 10.0.1.0/24
> #
> #
> remote_gw_GW119 = "1.2.3.119" # fw_GW119
> remote_lan_GW119_1 = "172.16.1.0/24"
> remote_lan_GW119_2 = "172.16.2.0/24"
>
> local_gw_GW88_2 = "192.168.2.254"
> local_lan_GW88_2 = "192.168.2.0/24"
>
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
> psk "pkspass"
>
> ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
> from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
> psk "pskpass"
>
>
> GW88$ cat /etc/pf.conf
> set skip on {lo, enc}
>
> match in all scrub (no-df random-id)
> match out all scrub (no-df random-id)
>
> match out on egress from lan:network to any nat-to egress
>
> block log all
> pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
> pass in on egress proto {ah,esp}
> pass out on egress
> pass on lan
>
> table persist counters
> pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags
> S/SA \
> set prio (6, 7) keep state \
> (max-src-conn 15, max-src-conn-rate 2/10, overload
> flush global)
>
> icmp_types = "{ echoreq, unreach }"
> pass inet proto icmp all icmp-type $icmp_types
>
>
> [Network diagram; the ASCII art did not survive the archive. Recoverable
> content: road_warrior (10.0.1.0/24) --ikev2--> GW88 (4.5.6.88)
> <--site-to-site VPN--> GW119 (1.2.3.119); GW88 LANs 192.168.1.254/24 and
> 192.168.2.254/24; GW119 LAN 172.16.1.254/24. The diagram is cut off here.]
Re: iked : pf.conf rule for outgoing traffic
> I'm confused how to replace "$some_address". Isn't it "(egress)" ?
"(egress)" or your_WAN_IP

On Fri, 7 Dec 2018 10:00:07 +0100
Thuban wrote:

> * Stuart Henderson on [06-12-2018 13:44:50 +]:
> > On 2018-12-06, Thuban wrote:
> > > * Thuban on [02-12-2018 19:16:09 +0100]:
> > >> Hi,
> > >> I need help to write a correct rule in pf.conf.
> > >>
> > >> I want :
> > >>
> > >> A -> B --> web
> > >>
> > >> The appearing IP of A is the B's one on the web.
> > >>
> > >> I managed to configure iked on A and B using default pubkeys according
> > >> to Stuart Henderson advices.
> > >>
> > >> iked.conf on A :
> > >>
> > >> ikev2 active ipcomp esp \
> > >> from 192.168.100.0/16 to 0.0.0.0/0 \
> > >> peer "xx.xx.xx.xx" \
> > >> srcid "m...@moria.lan" \
> > >> dstid "B-hostname.tld" \
> > >> tag IKED
> > >>
> > >> iked.conf on B :
> > >>
> > >> ikev2 "warrior" passive esp \
> > >> from 0.0.0.0/0 to 0.0.0.0/0 \
> > >> local xx.xx.xx.xx peer any \
> > >> srcid "B-hostname.tld" \
> > >> tag IKED
> > >>
> > >> Auth works as expected :
> > >>
> > >> # iked -vvd
> > >> ..
> > >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to
> > >> 192.168.100.122:4500 policy 'policy1'
> > >> ..
> > >>
> > >>
> > >> But I can't reach internet from A through B.
> > >>
> > >> Here is the pf.conf on B (at least a small part of it)
> > >>
> > >> pass out on egress \
> > >> from any to any tagged IKED \
> > >> nat-to (egress)
> > >>
> > >>
> > >
> > > I'm still stuck at the same point.
> > > Can someone give me an example of a working configuration natting to
> > > Internet?
> >
> > I used this,
> >
> > pass in on enc0 inet from $some_net
> > pass out quick on egress inet received-on enc0 nat-to $some_address
> >
> > Also I don't remember what you've already said you checked, but
> > make sure you have sysctl net.inet.ip.forwarding=1.
> >
>
> Thank you.
> Yes, I do have ip.forwarding=1.
>
> I'm confused how to replace "$some_address". Isn't it "(egress)" ?
>
> Regards.
>

--
radek
Re: ikev2 and road warriors setup
Hello,

Thank all of you for your time and your help in this matter!
I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
I have moved VPN server and clients out of A.B.C.0/23. They can connect pretty fine using CA now. Clients from A.B.C.0/23 still can NOT connect to VPN serv.
Site-to-Site VPN is doing its job.

The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.
I need to make road_warriors:
- reaching GW88_LAN_machines 192.168.2.254/24
- reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
- force road_warriors to use its own gateway for the rest of traffic - unticked "use default gateway on remote network".

I was playing around with iked.conf and pf.conf but I did not find the way to make it work.
I will be grateful if anyone could help me with that.

My network diagram and configs of GW88:

GW88$ cat /etc/hostname.enc0
inet 10.0.1.254 255.255.255.0

GW88$ cat /etc/iked.conf
#
ikev2 "roadWarrior" passive esp \
        from 192.168.2.0/24 to 10.0.1.0/24 \
        local 4.5.6.88 peer any \
        srcid 4.5.6.88 \
        config address 10.0.1.0/24
#
#
remote_gw_GW119 = "1.2.3.119" # fw_GW119
remote_lan_GW119_1 = "172.16.1.0/24"
remote_lan_GW119_2 = "172.16.2.0/24"

local_gw_GW88_2 = "192.168.2.254"
local_lan_GW88_2 = "192.168.2.0/24"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
        from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
        psk "pkspass"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
        from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
        psk "pskpass"

GW88$ cat /etc/pf.conf
set skip on {lo, enc}

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)

match out on egress from lan:network to any nat-to egress

block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

table persist counters
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags S/SA \
        set prio (6, 7) keep state \
        (max-src-conn 15, max-src-conn-rate 2/10, overload flush global)

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

[Network diagram; the ASCII art did not survive the archive. Recoverable
content: road_warrior (10.0.1.0/24) --ikev2--> GW88 (4.5.6.88)
<--site-to-site VPN--> GW119 (1.2.3.119); GW88 LANs 192.168.1.254/24,
192.168.2.254/24 (with host 192.168.2.1) and 192.168.3.254/24; GW119 LANs
172.16.1.254/24 and 172.16.2.254/24.]

Thanks!

On Thu, 8 Nov 2018 14:04:23 +0100
Radek wrote:

> I've been playing around with netcat.
> I noticed that the netcat process on my VPN_server does not show any "X" on
> stdout for ports 4500 and 1701.
>
> May it be relevant to my VPN issue?
>
> VPN_serv is A.B.C.77/23 (it is not behind NAT):
>
> $ pfctl -s rules
> pass all flags S/SA
>
> $ nc -u -l 500
>
>
> X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
> A.B.C.69/23$ nc -vuz A.B.C.77 4500
> $ nc -u -l 4500
> NOTHING IS HERE
>
> $ nc -u -l 4499
>
>
> $ nc -u -l 4501
>
>
> X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
> A.B.C.69/23$ nc -vuz A.B.C.77 1701
> $ nc -u -l 1701
> NOTHING IS HERE
>
> $ nc -u -l 22
>
>
> $ nc -u -l 1234
>
>
> On Wed, 7 Nov 2018 12:17:09 +0100
> Radek wrote:
>
> > Yesterday I tried this scenario:
> >
> > Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> > VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> > VPN_IKEv2 - A.B.C.77/23, not NATed
> >
> > I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was having
> > two active VPN conn in one time.
> > Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working
> > fine.
> >
> > When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting
> > VPN_L2TP - I got 809.
> >
> > Removing home_router which is between Win7_warrior and 1.2.3.119 does not
> > chang
Re: Supermicro X7SPA-HF D510 and OpenBSD
Thanks for your answers. Probably I will buy one and check it out.

> Everything seems to work just fine, only problems are that it can't
> support a lot of graphical modes (xenocara will run, just not very well,
> since the gpu only has 8 MB of memory and it comes from the main pool of
> memory anyway).
It does not matter to me. 8MB is OK for OS installation. I am not gonna use X, serial console and ssh is all I need.

On Thu, 22 Nov 2018 12:01:36 -0800
Misc User wrote:

> On 11/22/2018 6:13 AM, Stuart Henderson wrote:
> > On 2018-11-22, Radek wrote:
> >> Hello,
> >> does anybody run OpenBSD 6.3/amd64 or 6.4/amd64 on SUPERMICRO X7SPA-HF
> >> D510?
> >> Does it work well together?
> >>
> >> I need to build a backup server (rsync only) with 2-3x 4TB HDD, 3U/4U Rack
> >> case for better cooling. RAID is not needed.
> >> It must be as silent as possible. Low power consumption is also welcomed.
> >>
> >> Thanks!
> >
> > Not sure if I have that *exact* board but I have something very similar,
> > I wouldn't expect any problems with this.
> >
> >
>
> I am running the X7SPA-HF-D525 version (Same board, different chip. The
> D525 and D510 are really just the same chip anyway, just that the D510
> has a slightly different set of bits burned into the configuration fuses).
>
> Everything seems to work just fine, only problems are that it can't
> support a lot of graphical modes (xenocara will run, just not very well,
> since the gpu only has 8 MB of memory and it comes from the main pool of
> memory anyway). That and you can't communicate with the IPMI interface
> from within the OS (But doesn't prevent you from using the IPMI
> interface, you'd just need to do any configuration of it via BIOS or the
> IPMI's web interface).
>
> dmesg from my system is below
>
>
> OpenBSD 6.4 (GENERIC.MP) #0: Sat Nov 17 22:15:46 CET 2018
>
> r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4277665792 (4079MB)
> avail mem = 4138745856 (3947MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9ac00 (19 entries)
> bios0: vendor American Megatrends Inc. version "1.2" date 09/14/11
> bios0: Supermicro X7SPA-HF
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP APIC MCFG OEMB HPET EINJ BERT ERST HEST
> acpi0: wakeup devices P0P1(S4) USB0(S4) USB1(S4) USB2(S4) USB5(S4)
> EUSB(S4) USB3(S4) USB4(S4) USB6(S4) USBE(S4) P0P4(S4) P0P5(S4) P0P6(S4)
> P0P7(S4) P0P8(S4) P0P9(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.30 MHz, 06-1c-0a
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu0: 512KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 207MHz
> cpu0: mwait min=64, max=64, C-substates=0.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1872.00 MHz, 06-1c-0a
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu1: 512KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 3 pa 0xfec0, version 20, 24 pins, remapped
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xe000, bus 0-255
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 4 (P0P1)
> acpiprt2 at acpi0: bus 1 (P0P4)
> acpiprt3 at acpi0: bus -1 (P0P5)
> acpiprt4 at acpi0: bus -1 (P0P6)
> acpiprt5 at acpi0: bus -1 (P0P7)
> acpiprt6 at acpi0: bus 2 (P0P8)
> acpiprt7 at acpi0: bus 3 (P0P9)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> acpicmos0 at acpi0
> acpibtn0 at acpi0: PWRB
> ipmi at mainbus0 not configured
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
> ppb0 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x02: msi
> pci1 at ppb0 bus 1
> ppb1 at pci0 dev 28 function 4 "Intel 82801I PCIE" rev 0x02: msi
> pci2 at ppb1 bus 2
> em0 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
> 00:25:90:62:cc:46
> ppb2 at pci0 dev
Supermicro X7SPA-HF D510 and OpenBSD
Hello,

does anybody run OpenBSD 6.3/amd64 or 6.4/amd64 on SUPERMICRO X7SPA-HF D510?
Does it work well together?

I need to build a backup server (rsync only) with 2-3x 4TB HDD, 3U/4U Rack case for better cooling. RAID is not needed.
It must be as silent as possible. Low power consumption is also welcomed.

Thanks!

--
radek
Re: ikev2 and road warriors setup
I've been playing around with netcat.
I noticed that the netcat process on my VPN_server does not show any "X" on stdout for ports 4500 and 1701.

May it be relevant to my VPN issue?

VPN_serv is A.B.C.77/23 (it is not behind NAT):

$ pfctl -s rules
pass all flags S/SA

$ nc -u -l 500


X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
A.B.C.69/23$ nc -vuz A.B.C.77 4500
$ nc -u -l 4500
NOTHING IS HERE

$ nc -u -l 4499


$ nc -u -l 4501


X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
A.B.C.69/23$ nc -vuz A.B.C.77 1701
$ nc -u -l 1701
NOTHING IS HERE

$ nc -u -l 22


$ nc -u -l 1234


On Wed, 7 Nov 2018 12:17:09 +0100
Radek wrote:

> Yesterday I tried this scenario:
>
> Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
> VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
> VPN_IKEv2 - A.B.C.77/23, not NATed
>
> I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was having two
> active VPN conn in one time.
> Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working
> fine.
>
> When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting
> VPN_L2TP - I got 809.
>
> Removing home_router which is between Win7_warrior and 1.2.3.119 does not
> change anything.
>
> Another thing:
> I install VPN_IKEv2 OS via PXEboot and get private IP from dhcp server. Then
> I move to public A.B.C.77/23 editing /etc/hostname, mygate, resolv.conf.
> Maybe I missed something in network conf that is important for OpenIKED?
>
> Any idea?
>
>
> On Tue, 6 Nov 2018 11:21:52 +0100
> Radek wrote:
>
> > Hello Kim,
> >
> > > My question was concerning the VPN_server, is the server NATed?
> > A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
> >
> > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall
> > > ...
> > I only have switches in my building.
> > All routers/firewalls of my network are in another building, I do not know
> > the whole network structure, devices, security policies... but I have never
> > noticed that any ports were blocked.
> >
> > I can set up an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it
> > works like a charm.
> > https://community.riocities.com/openike_openbsd.html
> > But I can not set up a VPN_server for road warriors.
> >
> > I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect
> > my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
> > L2TP and IKEV2 use 500, 4500 ports. If L2TP works fine so I conclude that
> > it is not any Router/FW problem.
> >
> > On Tue, 6 Nov 2018 07:48:37 +0100
> > Kim Zeitler wrote:
> >
> > > Good morning Radek,
> > >
> > > I have a suspicion ...
> > >
> > > > For (1), (2) and (3) VPN is working just fine with Win7_warrior and
> > > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not
> > > > matter if warrior has public IP or it is behind NAT). The rest of the
> > > > world fails to connect the VPN_server.
> > > My question was concerning the VPN_server, is the server NATed?
> > > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall
> > > ...
> > >
> > > Cheers,
> > > Kim
> > >
> > >
> >
> >
> > --
> > radek
>
>
> --
> radek

--
radek
Re: ikev2 and road warriors setup
Yesterday I tried this scenario:

Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
VPN_IKEv2 - A.B.C.77/23, not NATed

I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was having two active VPN conn at one time.
Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working fine.

When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting VPN_L2TP - I got 809.

Removing home_router which is between Win7_warrior and 1.2.3.119 does not change anything.

Another thing:
I install VPN_IKEv2 OS via PXEboot and get private IP from dhcp server. Then I move to public A.B.C.77/23 editing /etc/hostname, mygate, resolv.conf.
Maybe I missed something in network conf that is important for OpenIKED?

Any idea?


On Tue, 6 Nov 2018 11:21:52 +0100
Radek wrote:

> Hello Kim,
>
> > My question was concerning the VPN_server, is the server NATed?
> A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
>
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> I only have switches in my building.
> All routers/firewalls of my network are in another building, I do not know
> the whole network structure, devices, security policies... but I have never
> noticed that any ports were blocked.
>
> I can set up an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works
> like a charm.
> https://community.riocities.com/openike_openbsd.html
> But I can not set up a VPN_server for road warriors.
>
> I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect
> my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
> L2TP and IKEV2 use 500, 4500 ports. If L2TP works fine so I conclude that it
> is not any Router/FW problem.
>
> On Tue, 6 Nov 2018 07:48:37 +0100
> Kim Zeitler wrote:
>
> > Good morning Radek,
> >
> > I have a suspicion ...
> >
> > > For (1), (2) and (3) VPN is working just fine with Win7_warrior and
> > > puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter
> > > if warrior has public IP or it is behind NAT). The rest of the world
> > > fails to connect the VPN_server.
> > My question was concerning the VPN_server, is the server NATed?
> > How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
> >
> > Cheers,
> > Kim
> >
> >
>
>
> --
> radek

--
radek
Re: ikev2 and road warriors setup
Hello Kim,

> My question was concerning the VPN_server, is the server NATed?
A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.

> How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
I only have switches in my building.
All routers/firewalls of my network are in another building, I do not know the whole network structure, devices, security policies... but I have never noticed that any ports were blocked.

I can set up an IKEV2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works like a charm.
https://community.riocities.com/openike_openbsd.html
But I can not set up a VPN_server for road warriors.

I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
L2TP and IKEV2 use 500, 4500 ports. If L2TP works fine so I conclude that it is not any Router/FW problem.

On Tue, 6 Nov 2018 07:48:37 +0100
Kim Zeitler wrote:

> Good morning Radek,
>
> I have a suspicion ...
>
> > For (1), (2) and (3) VPN is working just fine with Win7_warrior and
> > puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if
> > warrior has public IP or it is behind NAT). The rest of the world fails to
> > connect the VPN_server.
> My question was concerning the VPN_server, is the server NATed?
> How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
>
> Cheers,
> Kim
>
>

--
radek