Re: [Soekris] Building an OpenBSD router
On 17 Sep 2011, mo...@rodents-montreal.org outgrape:

>>> This is really easy with one of the BSDs or a source-based Linux distro and much more unpleasant with a Linux-based binary package manager.
>>
>> What are the caveats with a binary package manager (vs. source-based)? It seems like it ought to work fine/as-well.
>
> Well, I'm not Nix, but my usual answer to that is that binary packages are usually very dogmatic about where they have to be installed.

I was more worried that they generally have post-install actions that assume the package installation machine is equivalent to the machine on which the packages will run, so insist on doing things like restarting and killing daemons.

> This is fine if that matches up well with what Nix's scheme wants, but only rarely do binary packages' built-in paths match up well enough to deal well with unusual filesystem-layout hackery.

What unusual filesystem layout?

bash-4.1$ ls -l /trees/fold
total 60
drwxr-xr-x  2 root root 4096 Jul 28 17:01 bin
drwxr-xr-x  2 root root 4096 Aug 30 15:23 boot
drwxr-xr-x  2 root root 4096 Jun  6  2009 dev
drwxr-xr-x 26 root root 4096 Aug 31 19:48 etc
drwxr-xr-x 15 root root 4096 Oct 30  2010 home
drwxr-xr-x  4 root root 4096 Jul 28 17:01 lib
drwxr-xr-x  3 root root 4096 Sep 19  2009 mnt
drwxr-xr-x  2 root root 4096 Mar 21  2004 proc
drwxr-xr-x  8 root root 4096 Feb 28  2009 root
drwxrwxrwt  2 root root 4096 Apr  1 17:48 run
drwxr-xr-x  3 root root 4096 Jul 28 17:01 sbin
drwxr-xr-x  2 root root 4096 Feb  5  2005 sys
drwxr-xr-x  2 root root 4096 Mar  7  2010 tmp
drwxr-xr-x  8 root root 4096 Apr 17 13:49 usr
drwxr-xr-x 13 root root 4096 Apr  1 17:52 var
lrwxrwxrwx  1 root root    3 Jun  7  2009 lib32 -> lib

Perfectly normal filesystem. It's just not located at / on this machine. I don't expect things to *run* from there: should I need to run them on the build machine, I chroot in and all the paths match up. --- well, a perfectly normal filesystem if you ignore that it doesn't have e.g. a compiler (that's located on the host). But most firewalls don't have those.

Installing into a subtree rooted in one place while keeping the paths pointing at another is easy: make install DESTDIR=... or make install prefix= (depending on the package). It's been a while since I used the ports system but I'm fairly sure you can tell it to install into an fs rooted at an unusual location while running from a different location.

-- 
NULL (void)

___
Soekris-tech mailing list
Soekris-tech@lists.soekris.com
http://lists.soekris.com/mailman/listinfo/soekris-tech
Re: [Soekris] Building an OpenBSD router
On 26 Aug 2011, Ralph Becker-Szendy stated:

> One problem is upgrades. If your whole household and family rely on the server, you can't take it out of service for a weekend to upgrade the OS. And OBSD wants to be upgraded every 6 months, otherwise you are looking at a reinstall. Right now, I'm doing a leapfrog technique: About once a year, I rsync my Soekris to a whitebox server, quickly (2-3 hours) swap them, then have a week to do a thorough install/improve cycle. But if you get busy, that week turns into a month and then a year; right now I'm in that year, and going to restart with a 2GB 6501.

An alternative approach is to maintain the primary OS image (everything but variable parts of /var and any network-mounted filesystems) in a chroot or other jail on another (bigger) machine, and rsync it over nightly in a cron job (or on demand, if you've just done a security upgrade or something). It takes a little work to autorestart affected services after the rsync, but not very much (if you even want to bother with that, as most daemons don't care if their binary image is replaced underneath them).

This makes it completely trivial to recover on flash failure: just slam the image onto it. You *know* it's up to date -- it can never get out of date.

This is really easy with one of the BSDs or a source-based Linux distro and much more unpleasant with a Linux-based binary package manager.

-- 
NULL (void)
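Added example, not code from any poster in this thread: a sketch of the nightly image push described in the message above, using a tree staged off-host such as the /trees/fold listing earlier on this page. rsync replaces each file by rename, so a running daemon keeps executing its old binary until it is restarted; the script works out which daemons that applies to. The service map, state directory, router host, rc.d-style restart command and the choice to exclude all of /var are assumptions.

```shell
#!/bin/sh
# Added example: push a staged OS image to a router and restart only the
# daemons whose files changed. Paths, host and service map are hypothetical.

# manifest TREE: "crc size path" for every file under the directories that
# hold executables and libraries, with paths relative to TREE.
# cksum is POSIX and enough to detect change; it is not an integrity check.
manifest() {
    ( cd "$1" || exit 1
      for d in bin sbin lib usr; do
          if [ -d "$d" ]; then find "$d" -type f -exec cksum {} +; fi
      done | LC_ALL=C sort )
}

# changed_paths OLD NEW: paths that are new or have different content in
# the NEW manifest. A missing OLD manifest (first run) counts as empty.
changed_paths() {
    old=$1
    [ -f "$old" ] || old=/dev/null
    LC_ALL=C comm -13 "$old" "$2" | cut -d' ' -f3-
}

# services_to_restart MAP CHANGED: MAP lines are "path service". A changed
# shared library can affect any daemon, so it selects every mapped service.
services_to_restart() {
    if grep -Eq '^(usr/)?lib/' "$2"; then
        awk '{ print $2 }' "$1"
    else
        awk 'NR == FNR { svc[$1] = $2; next } ($0 in svc) { print svc[$0] }' "$1" "$2"
    fi | LC_ALL=C sort -u
}

# sync_image TREE DEST: copy the image and leave run-time state on the
# router alone. Excluded paths are also protected from --delete.
# The image carries /etc, so the build host holds the router's secrets.
sync_image() {
    rsync -aH --delete --numeric-ids \
        --exclude=/var/ --exclude=/dev/ --exclude=/proc/ --exclude=/sys/ \
        --exclude=/tmp/ --exclude=/run/ --exclude=/mnt/ \
        "$1"/ "$2"
}

# nightly TREE HOST MAP STATE: STATE holds the manifest of the last push.
nightly() {
    tree=$1 host=$2 map=$3 state=$4
    manifest "$tree" > "$state/new" || return 1
    changed_paths "$state/last" "$state/new" > "$state/changed"
    sync_image "$tree" "$host:/" || return 1
    for svc in $(services_to_restart "$map" "$state/changed"); do
        # Assumes rc.d-style scripts on the router; adjust to its init system.
        ssh "$host" "/etc/rc.d/$svc restart" || echo "restart failed: $svc" >&2
    done
    mv "$state/new" "$state/last"
}

# From cron (all arguments hypothetical except the tree from the thread):
#   sh push-image.sh /trees/fold root@router services.map /var/db/push-image
if [ "$#" -eq 4 ]; then nightly "$@"; fi
```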
Re: [Soekris] Building an OpenBSD router
On 9/17/2011 7:10 AM, Nix wrote:

> This is really easy with one of the BSDs or a source-based Linux distro and much more unpleasant with a Linux-based binary package manager.

What are the caveats with a binary package manager (vs. source-based)? It seems like it ought to work fine/as-well.

Jordan
Re: [Soekris] Building an OpenBSD router
>> This is really easy with one of the BSDs or a source-based Linux distro and much more unpleasant with a Linux-based binary package manager.
>
> What are the caveats with a binary package manager (vs. source-based)? It seems like it ought to work fine/as-well.

Well, I'm not Nix, but my usual answer to that is that binary packages are usually very dogmatic about where they have to be installed. This is fine if that matches up well with what Nix's scheme wants, but only rarely do binary packages' built-in paths match up well enough to deal well with unusual filesystem-layout hackery.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mo...@rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
Re: [Soekris] Building an OpenBSD router
* Todd Pytel (tppy...@sophrosune.org) wrote:

>> And OBSD wants to be upgraded every 6 months, otherwise you are looking at a reinstall.
>
> This is why I stopped using OpenBSD outside of the router about 5 years ago. It's a great system but not very easy to maintain, especially if you require a bunch of ports/packages and have a lot of services to protect. I moved all of my servers over to Debian long ago and have been very happy with that.

Really. The whole OpenBSD upgrading procedure takes me no more than 20min. And nowadays the package upgrade is automatic too. Upgrading a box running on a CF takes longer time due to slow disk access. If uptime is essential you can do most of the upgrade when the system is running.

But seriously, it's important to keep priorities straight, taking down the internet connection for a while and sending the kids out to jump on the trampoline is a good thing. And facebook is not a mission critical application :)

Cheers,
/Joakim
Re: [Soekris] Building an OpenBSD router
On Thu, Aug 25, 2011 at 4:22 AM, Todd Pytel tppy...@sophrosune.org wrote:

> I've had an OpenBSD router built on basically commodity PC hardware running for many years now, long enough that I'm starting to worry about some part of it (especially the disk) dying abruptly at the worst possible time. I'm planning on replacing it with a Soekris box. Since I don't have as much time for my tech hobby as I used to, I haven't followed much in the way of tech, networking, or OpenBSD news. So I'm hoping the folks in the know here can give my plan a quick check and let me know if I'm missing any important developments or overlooking any basic hardware requirements.
>
> What I have right now is a box built on a VIA board with a 533MHz Samuel 2 processor and 256MB of RAM, vintage 2003 or so. Mostly it just does routing and firewalling duties for my network, which includes some servers on public IP space used for very low-traffic hobby stuff. It's also an NTP server for my network. That's it. So I have basically no unusual requirements apart from having at least 3 network interfaces, which looks like it's already standard on the Soekris gear.
>
> So from Soekris's offerings, does the standard net5501-60 look like a good choice? Along with that, I'll need the appropriate power supply and a CF card. Maybe an extra null modem cable since I can never find mine. Anything else I'm missing?
>
> Then to get things installed I'll use a serial console, do a PXE boot to get the installer running, and then go from there? Any other unusual OpenBSD compatibility issues to worry about? I know there are plenty of OBSD/Soekris project pages out there, but it's not always clear whether anything important has changed in the years since they were published.
>
> Thanks for any pointers you can provide.
>
> --Todd

Hi Todd,

The net5501 is a perfect choice under OpenBSD. I have run a 5501-70 for two years without any problem. It's rock stable. I follow OpenBSD-current so you won't have any problem with the upcoming 5.0.

There is nothing special with a net5501 and OpenBSD. Just install the way you prefer, it will work. Personally, I do a standard install on a CF: no RAM drive, everything is mounted rw. These days, with a good CF, tuning the system to use ram disks and ro filesystems isn't worth the effort.

By the way, I'd like to ask preachers on this mailing list to respect the initial subject. It's really boring to see all these recommendations about another OS. Maybe you prefer another OS or you have an experience with another OS. But really, if someone asks a question about his preferred OS, he doesn't give a shit about the other system you prefer. Thanks.

-- 
Mattieu Baptiste
/earth is 102% full ... please delete anyone you can.
Re: [Soekris] Building an OpenBSD router
On Fri, 2011-08-26 at 08:57 -0700, Ralph Becker-Szendy wrote:

> I've had a combination router/firewall/802.11 AP/DNS/DHCP/NTP server/Squid cache/file server/backup appliance/... on OBSD for years now. And they have died occasionally ... always due to disk failures or the like. Every disk death causes 1-2 days of abject horror.

Running that many functions on a single machine is a recipe for that. I used to do that, and it sucked. Life is easier if you part out those functions. Virtualization helps a lot there.

> You still have the disk problem though. Booting/running from CF works, but the CF may be just as short-lived as a spinning rust drive would be; I haven't had CF failures, but stories abound.

I'm just buying an extra CF card and copying the original system to it once it's configured and tested. My PF machine only does routing, PF, DHCP, and NTP. Apart from the occasional opening/forwarding of a port in pf.conf, nothing ever changes on it.

> I've done PXE once, and didn't enjoy it (took days of trial and error, no idea why it eventually worked, probably would never work again). I'll have to work on honing that skill. Much simpler: take an old laptop with CD, put the Soekris disk (might be CF in an adapter) in there, install, then move the disk to Soekris.

I'll probably use the qemu trick referenced in one of the links in this thread. But I've used PXE before in other contexts and it works fine.

> One problem is upgrades. If your whole household and family rely on the server, you can't take it out of service for a weekend to upgrade the OS.

Another reason not to do everything on a single machine. And again, virtualization helps a lot. The OpenBSD router is the only real machine I have apart from my desktops. Other network functions run on several virtual machines, so that one can be upgraded without touching the others. If the virtual host needs extensive upgrades, I can move the most important VM (DNS and mail) to an extra box and run it there in the meantime with very little interruption. And the host machine is well protected by disk mirroring and backups. Even if it melted down and I started again with bare iron, I could restore it in a few hours (most of which would be spent waiting on file ops).

> And OBSD wants to be upgraded every 6 months, otherwise you are looking at a reinstall.

This is why I stopped using OpenBSD outside of the router about 5 years ago. It's a great system but not very easy to maintain, especially if you require a bunch of ports/packages and have a lot of services to protect. I moved all of my servers over to Debian long ago and have been very happy with that.

> Who knows what function you want to add to your server.

I know that I don't want my router to be a fileserver, run public services beyond SSH, or have any user accounts on it. Those are the servers' jobs.

--Todd
Re: [Soekris] Building an OpenBSD router
On Fri, Aug 26, 2011 at 3:33 PM, Mouse mo...@rodents-montreal.org wrote:

>> Running that many functions on a single machine is a recipe for that. I used to do that, and it sucked. Life is easier if you part out those functions. Virtualization helps a lot there.
>
> Not all that much; if you have a host running a half-dozen VMs and its disk dies, it takes out all the half-dozen VMs at once.

Yeah, but it's more efficient that way =)
Re: [Soekris] Building an OpenBSD router
On Fri, 2011-08-26 at 16:33 -0400, Mouse wrote:

> Not all that much; if you have a host running a half-dozen VMs and its disk dies, it takes out all the half-dozen VMs at once.

Of course. However, it's a lot easier to mirror disks and maintain a rigorous backup regimen for a single machine than it is for half a dozen.

--Todd
Re: [Soekris] Building an OpenBSD router
I'm doing pretty much exactly what you are proposing, except:

I'm running NetBSD instead.

I have a 40G laptop drive with the IDE bracket. Beware that SSDs are sometimes thicker than laptop drives. I believe that the 9.5mm drives are what fits in the case.

On the 5501 you can't boot from USB, and the transfer rate to external disks is about 1/2 what it is on regular desktops.

I would get the higher-end 5501 with more memory; it seems little enough more $ and you can't upgrade later. (I expect the box to be still working fine in 5-10 years, maybe much longer.)

The standard case is nice.
Re: [Soekris] Building an OpenBSD router
Same here, except FreeBSD running PF. Net5501 Love it! I've been running it for over a year now.

Here are my specs:

-- From Soekris:
1 x net5501-70 Board and 1 Slot standard Case (10550170)
1 x 2.5 SATA hard drive mounting kit for the net5501 (14550120)
1 x Power Supply, 12V, 3.0A, IEC320-C8 inlet 90V-264V Worldwide (31211230)
- Power Cord Type A C8 (US type)

-- Newegg:
80GB 2.5 SATA (Samsung I think)

In the process of building a custom mini-rack for it.

-Ben

2011/8/25 Greg Troxel g...@work.lexort.com

> I'm doing pretty much exactly what you are proposing, except:
>
> I'm running NetBSD instead.
>
> I have a 40G laptop drive with the IDE bracket. Beware that SSDs are sometimes thicker than laptop drives. I believe that the 9.5mm drives are what fits in the case.
>
> On the 5501 you can't boot from USB, and the transfer rate to external disks is about 1/2 what it is on regular desktops.
>
> I would get the higher-end 5501 with more memory; it seems little enough more $ and you can't upgrade later. (I expect the box to be still working fine in 5-10 years, maybe much longer.)
>
> The standard case is nice.

-- 
Benjamin Francom
Information Technology Professional
http://www.benfrancom.com
Re: [Soekris] Building an OpenBSD router
I have been running a 4801 running OpenBSD on a Sandisk camera grade CF card for 5 years or so without issue. Run swapless and put var on a ramdisk and you should be fine. I keep / mount ro to be on the safe side but have

For what it's worth, the limited CPU and RAM on the 4801 have never been an issue for me routing a home cable connection, firewalling with pf and providing VPN via OpenVPN so a 5501 should do you fine. Install has also always gone smoothly. All in all I love my 4801

Good luck,
Brian

On Wed, Aug 24, 2011 at 11:41 PM, Todd Pytel tppy...@sophrosune.org wrote:

> Thanks for the comments. I'm quite happy with OpenBSD, and would need a compelling reason to move away from it. So I'm not looking for tailored network appliance distributions. I just want to make sure there aren't any serious hangups with the current hardware and OS iterations.
>
> I did notice the page for the 6501. It looks like a pretty big step up from the 5501, though I'm not sure I would make much use of the extra power. Gigabit ethernet is sexy and all, but I've never needed that kind of transfer rate across the router - my desktops and file server are all on their own switch behind the router's NAT, and I haven't even bothered upgrading that to 10/100/1000 yet. Any word on what pricing is going to look like? If it's no more than $100 or so, I might do it, provided the hardware compatibility is good. It doesn't seem like it would be worth much more than that in my situation.
>
> I did read that Soekris wiki page as well, so I know there are some other odds and ends like the com port to deal with, but that should be fine. The CF corruption is more troubling, though. Is that a common issue? I know CF isn't really designed to be an OS's boot drive for a variety of reasons, but I haven't followed the details so much. Suppose I wanted to move up to a SSD instead? Is that just a matter of buying Soekris's 2.5 SATA mounting kit and popping in something like this...
>
> http://www.newegg.com/Product/Product.aspx?Item=N82E16820167044
>
> ? Any other power or configuration issues to deal with there? The last time I followed hardware tech closely was right before SSD's became affordable, so I don't know a lot about them.
>
> --Todd
Re: [Soekris] Building an OpenBSD router
* Brian Johnson brian.l.john...@gmail.com [2011-08-25 10:25:17]:

> I have been running a 4801 running OpenBSD on a Sandisk camera grade CF card for 5 years or so without issue. Run swapless and put var on a ramdisk and you should be fine. I keep / mount ro to be on the safe side but have

I've been doing pretty much the same on a pair of net4501's for about 8 or 9 years, powered on 99.99% since then, using cheap 32 MB CF cards mounted read-only. Never had a problem with them, OpenBSD JFW's.

> For what it's worth, the limited CPU and RAM on the 4801 have never been an issue for me routing a home cable connection, firewalling with pf and providing VPN via OpenVPN so a 5501 should do you fine. Install has also always gone smoothly. All in all I love my 4801

Unfortunately I've upgraded my internet connection and now the 4501 can't handle the bandwidth, so I'm patiently waiting for the 6501 which I hope will give me another 8 or 9 years of trouble-free service.

Matt
Re: [Soekris] Building an OpenBSD router
Hi there Todd;

If you're looking to build a BSD based router out of a Soekris box and you're not really into hacking your own stuff these days, I highly recommend you try out PFSense (http://pfsense.org)

It's a FreeBSD 8.x based routing/firewalling distribution. They have a native Flash DD image that works extremely well on a Net5501. I have a few in my lab and have benchmarked them at 80Mb/sec (firewalling) and 40Mb/sec (Firewall+VPN) with 3 network zones and a SPAN port. This is on a Net5501-60 w/ 512MB RAM.

PFSense has an HTTP(s) interface, supports layer 2 bridging, aliasing/grouping and a great number of enterprise-type firewalling and routing features - even native Radius authentication for VPN setups.

Also, if you can wait a few weeks, the Net6501 series is coming out with significantly more power than the 5501 and gigabit (vs 100meg) adapters. I'll be benchmarking them in my lab as soon as I can get a few; I expect 100Mb/sec performance based on what I've seen from the 5501s.

On 8/24/11 7:22 PM, Todd Pytel wrote:

> I've had an OpenBSD router built on basically commodity PC hardware running for many years now, long enough that I'm starting to worry about some part of it (especially the disk) dying abruptly at the worst possible time. I'm planning on replacing it with a Soekris box. Since I don't have as much time for my tech hobby as I used to, I haven't followed much in the way of tech, networking, or OpenBSD news. So I'm hoping the folks in the know here can give my plan a quick check and let me know if I'm missing any important developments or overlooking any basic hardware requirements.
>
> What I have right now is a box built on a VIA board with a 533MHz Samuel 2 processor and 256MB of RAM, vintage 2003 or so. Mostly it just does routing and firewalling duties for my network, which includes some servers on public IP space used for very low-traffic hobby stuff. It's also an NTP server for my network. That's it. So I have basically no unusual requirements apart from having at least 3 network interfaces, which looks like it's already standard on the Soekris gear.
>
> So from Soekris's offerings, does the standard net5501-60 look like a good choice? Along with that, I'll need the appropriate power supply and a CF card. Maybe an extra null modem cable since I can never find mine. Anything else I'm missing?
>
> Then to get things installed I'll use a serial console, do a PXE boot to get the installer running, and then go from there? Any other unusual OpenBSD compatibility issues to worry about? I know there are plenty of OBSD/Soekris project pages out there, but it's not always clear whether anything important has changed in the years since they were published.
>
> Thanks for any pointers you can provide.
>
> --Todd
Re: [Soekris] Building an OpenBSD router
Thanks again for all the comments and links. Sounds like I shouldn't encounter any issues apart from the usual, well-documented installation bumps. I think I'll go ahead and order the upgraded 5501 - the extra $30 hardly seems relevant if I get another 10 years out of this box like I did with the last one. And I don't see myself needing anything the 6501 will offer.

For storage, I'll stick with CF for now, along with MFS and the usual tweaks there to minimize disk writes. I can always keep a backup of the CF image handy in case I hit some kind of trouble. Then I can just buy a fresh card if necessary, or even keep a spare around since they're so cheap.

And I might as well get the higher-rated power supply as well. I kind of doubt it will be necessary if I'm using CF instead of a mechanical disk, but there's no sense in risking hard-to-debug PSU problems.

Thanks again!

--Todd
Re: [Soekris] Building an OpenBSD router
On Wed, Aug 24, 2011 at 9:22 PM, Todd Pytel tppy...@sophrosune.org wrote:

> I've had an OpenBSD router built on basically commodity PC hardware running for many years now, long enough that I'm starting to worry about some part of it (especially the disk) dying abruptly at the worst possible time. I'm planning on replacing it with a Soekris box. Since I don't have as much time for my tech hobby as I used to, I haven't followed much in the way of tech, networking, or OpenBSD news. So I'm hoping the folks in the know here can give my plan a quick check and let me know if I'm missing any important developments or overlooking any basic hardware requirements.
>
> What I have right now is a box built on a VIA board with a 533MHz Samuel 2 processor and 256MB of RAM, vintage 2003 or so. Mostly it just does routing and firewalling duties for my network, which includes some servers on public IP space used for very low-traffic hobby stuff. It's also an NTP server for my network. That's it. So I have basically no unusual requirements apart from having at least 3 network interfaces, which looks like it's already standard on the Soekris gear.
>
> So from Soekris's offerings, does the standard net5501-60 look like a good choice? Along with that, I'll need the appropriate power supply and a CF card. Maybe an extra null modem cable since I can never find mine. Anything else I'm missing?
>
> Then to get things installed I'll use a serial console, do a PXE boot to get the installer running, and then go from there? Any other unusual OpenBSD compatibility issues to worry about? I know there are plenty of OBSD/Soekris project pages out there, but it's not always clear whether anything important has changed in the years since they were published.
>
> Thanks for any pointers you can provide.
>
> --Todd

I'm currently running OpenBSD on a net5501-70 and it's been great. I was using a CF card but have moved to 2.5 SATA as I like having the freedom of space and the CF card corrupted itself causing it to stop booting.

As for installing, using PXE boot will work, but you do need to make sure you tell it to use the com port when it boots the installer; see the wiki page for more details.

http://wiki.soekris.info/Installing_OpenBSD
Re: [Soekris] Building an OpenBSD router
Thanks for the comments. I'm quite happy with OpenBSD, and would need a compelling reason to move away from it. So I'm not looking for tailored network appliance distributions. I just want to make sure there aren't any serious hangups with the current hardware and OS iterations.

I did notice the page for the 6501. It looks like a pretty big step up from the 5501, though I'm not sure I would make much use of the extra power. Gigabit ethernet is sexy and all, but I've never needed that kind of transfer rate across the router - my desktops and file server are all on their own switch behind the router's NAT, and I haven't even bothered upgrading that to 10/100/1000 yet. Any word on what pricing is going to look like? If it's no more than $100 or so, I might do it, provided the hardware compatibility is good. It doesn't seem like it would be worth much more than that in my situation.

I did read that Soekris wiki page as well, so I know there are some other odds and ends like the com port to deal with, but that should be fine. The CF corruption is more troubling, though. Is that a common issue? I know CF isn't really designed to be an OS's boot drive for a variety of reasons, but I haven't followed the details so much. Suppose I wanted to move up to a SSD instead? Is that just a matter of buying Soekris's 2.5 SATA mounting kit and popping in something like this...

http://www.newegg.com/Product/Product.aspx?Item=N82E16820167044

? Any other power or configuration issues to deal with there? The last time I followed hardware tech closely was right before SSD's became affordable, so I don't know a lot about them.

--Todd