jail(8) vimage epair bridge
Hello questions list,

I am using jail(8) trying to get a functional vimage environment on my 9.1-RELEASE system. My PC only has a single real NIC facing the public internet. My goal is to be able to have multiple vimage jails, each with their own epairXa, epairXb and bridgeX, where the X is the jail's JID number, all having their traffic passing through the single rl0 real interface. The vnet.start script shown below handles this nicely. The problem is that after the first vimage jail is started, the rl0 interface gets marked as busy when the second vimage jail is started. How do I get all vnet jails to pass through the real rl0 interface?

Thanks for your help

    # /root cat /etc/jail.conf
    vimage33 {
        host.hostname = vimage33;
        path = /usr/jails/vimage33;
        mount.fstab = /usr/local/etc/fstab/vimage33;
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        exec.consolelog = /var/log/vimage33.console.log;
        devfs_ruleset = 4;
        allow.mount.devfs;
        vnet;
        exec.poststart = "vnet.start vimage33 rl0";
        exec.prestop = "vnet.stop vimage33";
    }

    # /root cat /usr/local/bin/vnet.start
    #!/bin/sh
    jailname=$1
    nicname=$2
    jid=`jls -j ${jailname} jid`
    if [ ${jid} -gt 100 ]; then
        echo
        echo "The JID value is greater than 100."
        echo "You must shutdown the host and reboot"
        echo "to zero out the JID counter and recover"
        echo "the lost memory from stopping vimage jails."
        echo
        exit 2
    fi
    ifconfig bridge${jid} create > /dev/null 2> /dev/null
    ifconfig bridge${jid} 10.${jid}.0.1
    ifconfig bridge${jid} up
    ifconfig epair${jid} create > /dev/null 2> /dev/null
    ifconfig bridge${jid} addm ${nicname} addm epair${jid}a
    ifconfig epair${jid}a up
    ifconfig epair${jid}b vnet ${jid}
    jexec ${jailname} ifconfig epair${jid}b 10.${jid}.0.2
    jexec ${jailname} route add default 10.${jid}.0.1 > /dev/null 2> /dev/null
    jexec ${jailname} ifconfig lo0 127.0.0.1

Display the host's network view before starting any vnet jails:

    # /root ifconfig
    rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
            options=2008<VLAN_MTU,WOL_MAGIC>
            ether 00:0c:6e:09:8b:74
            inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
            inet 127.0.0.1 netmask 0xff00
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Start the first vnet jail:

    # /root jail -f /etc/jail.conf -c vimage33
    vimage33: created
    bridge1: Ethernet address: 02:8f:94:84:0c:02
    epair1a: Ethernet address: 02:c0:a4:00:0b:0a
    epair1b: Ethernet address: 02:c0:a4:00:0c:0b

    # /root jls
       JID  IP Address      Hostname                      Path
         1  -               vimage33                      /usr/jails/vimage33

Let's display the host's network after the first vnet jail has started:

    # /root ifconfig
    rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
            options=2008<VLAN_MTU,WOL_MAGIC>
            ether 00:0c:6e:09:8b:74
            inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
            inet 127.0.0.1 netmask 0xff00
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
            ether 02:8f:94:84:0c:01
            inet 10.1.0.1 netmask 0xff00 broadcast 10.255.255.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 9 priority 128 path cost 14183
            member: rl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 5 priority 128 path cost 20
    epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST>
            options=8<VLAN_MTU>
            ether 02:c0:a4:00:09:0a
            inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet 10Gbase-T (10Gbase-T full-duplex
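The script above adds rl0 to a fresh bridgeX for every jail, and an interface can only be a member of one if_bridge(4) at a time, which is why the second addm reports the NIC as busy. The following is an added example, not the poster's vnet.start or anything shipped with FreeBSD: it keeps one bridge (assumed to be named bridge0 and created once by the host) holding the physical NIC, and gives each jail its own epair whose 'a' end joins that shared bridge. Commands are only printed unless APPLY=1 is set, so the generated plan can be reviewed without root; the jail address and gateway are constructed values.

```shell
#!/bin/sh
# Added example (not the vnet.start from the post): one shared bridge for
# the physical NIC, one epair per vnet jail. A NIC can belong to a single
# if_bridge, so the host attaches it once and every jail only attaches
# its own epairXa. Commands are echoed unless APPLY=1.

# run CMD...: execute the command, or print it when not applying.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# shared_bridge_cmds BRIDGE NIC
# Host-side, done exactly once (e.g. at boot), never per jail.
shared_bridge_cmds() {
    run ifconfig "$1" create
    run ifconfig "$1" addm "$2" up
}

# jail_attach_cmds JAILNAME JID BRIDGE JAILADDR GATEWAY
# Per-jail work: new epair, 'a' end into the shared bridge on the host,
# 'b' end moved into the jail's vnet and configured from inside the jail.
jail_attach_cmds() {
    jailname=$1; jid=$2; bridge=$3; addr=$4; gw=$5
    run ifconfig "epair${jid}" create
    run ifconfig "epair${jid}a" up
    run ifconfig "$bridge" addm "epair${jid}a"
    run ifconfig "epair${jid}b" vnet "$jid"
    run jexec "$jailname" ifconfig "epair${jid}b" "$addr"
    run jexec "$jailname" ifconfig lo0 127.0.0.1
    run jexec "$jailname" route add default "$gw"
}

# Hypothetical jail.conf hook (path and addresses are assumptions):
#   exec.poststart = "APPLY=1 /usr/local/bin/vnet-shared vimage33 bridge0 10.0.10.6/29 10.0.10.1";
# Looks up the JID the same way the post's script does.
if [ $# -eq 4 ]; then
    jid=$(jls -j "$1" jid)
    jail_attach_cmds "$1" "$jid" "$2" "$3" "$4"
fi
```

Because the jail now sits on the same L2 segment as rl0, its epairXb address has to come from the host's LAN prefix (the constructed 10.0.10.6/29 above) rather than a per-jail 10.X.0.0/8 subnet; the host no longer needs an address on the bridge at all.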
9.1-release bridge config at startup not working
Hello list,

After a lot of googling I was able to get this bridge setup up and running:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm igb6 addm igb7"
    ifconfig_bridge0_alias0="inet x.x.x.x netmask x.x.x.x"
    ifconfig_igb6="up"
    ifconfig_igb7="up"

however I'm running the xorp pim multicast router on the box as well and it complains about not being able to get the primary IP address of bridge0. And I need xorp running on that subnet. (After manually assigning an IP to bridge0, bridge0 becomes unresponsive.)

I tried autobridge according to some sparse documentation found, but autobridge with this setup:

    cloned_interfaces="bridge0"
    autobridge_interfaces="bridge0"
    autobridge_bridge0="igb6 igb7"
    ifconfig_bridge0="inet x.x.x.x netmask x.x.x.x"
    ifconfig_igb6="up"
    ifconfig_igb7="up"

does not start at all. I end up with only igb6 added to bridge0, without an IP address.

Well, I would gladly live without a bridge ;) if somebody could give me a hint how to protect a group of servers on the same subnet as the router is, without a need for NAT or IP changes. I need a DMZ, so I thought I'd simply put the boxes behind a filtered bridge. Seems like it's not as easy as it sounds.

Thank you very much for any kind of help/advice

Peter Huncar

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
FreeBSD 9.1 RC3 fails boot on Ivy Bridge?
Hi all,

I just downloaded 9.1 RC3 (amd64 USB img) and I tried to install it on an Ivy Bridge CPU system (Gigabyte Z77 DS3H motherboard) without success: the system starts to boot but suddenly blows up and reboots. I tried to boot with verbose mode but this does not help to determine the cause of the problem. I was wondering if someone could shed some light into this.

TIA,
Antonio
packet filter problem on transparent firewall using bridge and pf
I have some trouble with pf on a FreeBSD bridge.

Network topology:

    ( untrust ) -- { em0 , bridge0 , em1 } -- ( trust )

    Bridge network: 10.1.1.0/24
    bridge0 IP:     10.1.1.1 ( freebsd's ip )
    default gw:     10.1.1.254 ( in untrust area )
    servers:        10.1.1.101 ~ 200 ( in trust area )

pf.conf on freebsd:

    serv1=10.1.1.101
    client1=10.1.6.73
    block in all
    block out all
    pass in quick on lo0 all
    pass out quick on lo0 all
    pass in quick on bridge0 from 10.1.1.0/24 to any
    pass out quick on bridge0 from 10.1.1.0/24 to any
    pass in quick on bridge0 from $client1 to 10.1.1.1
    pass in quick on bridge0 from $client1 to $serv1

When I turn on pf, I test some connection status:

1. client1 cannot connect to serv1.
2. gw cannot connect to serv1.
3. client1 connects to freebsd ( 10.1.1.1 ) successfully.
4. gw connects to freebsd ( 10.1.1.1 ) successfully.

If I turn off pf, all connection tests succeed. What's wrong with the pf rules?

The following is some description of the bridge topology. Freebsd and the servers are vmware guests in the vmware ESXi. The ESXi has two virtual switches:

    vSw1: connect to untrust
    vSw2: interconnect with freebsd and servers

freebsd has two vNICs:

    em0: connect to vSw1
    em1: connect to vSw2

servers have only one vNIC:

    em0: connect to vSw2

freebsd's rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="inet 10.1.1.1 netmask 255.255.255.0 addm em0 addm em1 up"
    ifconfig_em0="up"
    ifconfig_em1="up"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"

freebsd's sysctl:

    net.link.bridge.ipfw: 0
    net.link.bridge.inherit_mac: 0
    net.link.bridge.log_stp: 0
    net.link.bridge.pfil_local_phys: 0
    net.link.bridge.pfil_member: 1
    net.link.bridge.pfil_bridge: 1
    net.link.bridge.ipfw_arp: 0
    net.link.bridge.pfil_onlyip: 1
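The sysctl values in the post decide on which interfaces pf evaluates a packet: per bridge(4), net.link.bridge.pfil_member=1 filters a forwarded frame on the incoming and outgoing member interfaces, net.link.bridge.pfil_bridge=1 filters it on the bridge interface, and a packet addressed to the host itself is only filtered on the bridge unless pfil_local_phys=1. With a default-deny ruleset that means every interface in that chain needs a pass rule of its own. The lint below is an added example, not part of the thread and not a pf tool: given the two sysctl values, the member list and a pf.conf path, it lists the interfaces a forwarded packet must clear and flags the ones the ruleset never names. The ruleset it demonstrates on is a constructed copy of the post's, and nothing is loaded into pf.

```shell
#!/bin/sh
# Added example (not from the thread): lint for pf rulesets on an
# if_bridge(4) transparent firewall. Reports the interfaces on which pf
# evaluates a bridged packet, derived from the pfil_member/pfil_bridge
# sysctls, and which of them have no pass rule at all. Pure text
# processing; pf itself is never touched.

# filter_points BRIDGE "MEMBERS" PFIL_MEMBER PFIL_BRIDGE
# Prints, in evaluation order, the interfaces pf sees a forwarded frame on.
filter_points() {
    points=""
    [ "$3" = 1 ] && points="$2"
    [ "$4" = 1 ] && points="${points:+$points }$1"
    echo "$points"
}

# pass_interfaces PFCONF
# Prints (sorted, space separated) every interface named as 'on <if>'
# in a pass rule.
pass_interfaces() {
    awk '$1 == "pass" { for (i = 1; i <= NF; i++) if ($i == "on") print $(i + 1) }' "$1" \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# unfiltered_points BRIDGE "MEMBERS" PFIL_MEMBER PFIL_BRIDGE PFCONF
# Prints the filter points without any pass rule: under 'block in all'
# a forwarded packet is dropped at the first of these.
unfiltered_points() {
    named=" $(pass_interfaces "$5") "
    out=""
    for p in $(filter_points "$1" "$2" "$3" "$4"); do
        case "$named" in
            *" $p "*) ;;
            *) out="${out:+$out }$p" ;;
        esac
    done
    echo "$out"
}

# Demo on a constructed ruleset shaped like the one in the post: rules
# only on bridge0, members em0/em1, both pfil sysctls set to 1.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
block in all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on bridge0 from 10.1.1.0/24 to any
pass out quick on bridge0 from 10.1.1.0/24 to any
EOF
    echo "pfil_member=1 pfil_bridge=1: no pass rule on [$(unfiltered_points bridge0 'em0 em1' 1 1 "$conf")]"
    echo "pfil_member=0 pfil_bridge=1: no pass rule on [$(unfiltered_points bridge0 'em0 em1' 0 1 "$conf")]"
    rm -f "$conf"
}

demo
```

Run as is, the demo reports em0 and em1 as unfiltered points for the post's sysctl values, which is exactly the case where traffic for the host (10.1.1.1) still passes, since that path is only evaluated on bridge0, while anything forwarded between em0 and em1 meets 'block in all' on the member interface first. Either filter on the bridge only (pfil_member=0) or give the member interfaces their own pass rules; keep whichever choice you make consistent across the ruleset, since the more interfaces a packet is evaluated on the more places a rule can be missing.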
Bridge wired / wireless without hosting the network - is this possible
Hi all,

Apologies if this has come up before but I can't see anything with a quick google. What I want to do is set up a bridge between my wireless network and a wired one. Hostap, I hear everyone cry, but I don't think that will work because I don't want to create a wireless network - I want to join an existing one because this box won't be turned on all the time. I also need the bridging desktop to have a DHCP acquired IP because it wants to have internet access (I mainly use it for Scala dev).

Essentially, the network looks like this:

    [Internet Router w/ DHCP] -wired--[Switch] ---wired---[Airport Express]**wireless**[Desktop w/Freebsd9]---wired-[ReadyNAS]

What I want to do is have the freebsd (dual boot w/ Windows) desktop bridge to the readyNAS when it's turned on via the wireless LAN so that I can access files on it. Unfortunately I can't connect the readyNAS to the switch because the switch is in the living room and the readyNAS is too noisy. When the desktop is running Windows 7 this is dead easy, but I can't figure out how to do it under FreeBSD.

Any ideas?

Thanks,
Mark
bridge firewall in virtualbox not passing traffic after upgrade to stable/9
Hello,

Was running 8.2 and virtualbox 3 - wiped FreeBSD 8.2, installed 9.0, installed latest virtualbox port 4.0.14 and the networking broke in my vms.

Setup I had:

    {vm1,vm2,etc}--- vbox internal network - em2[firewall VM]em1 -- re0[physical box]--ISP

the firewall vm has this:

    ifconfig_em0='172.20.6.210/24'
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm em1 addm em2 up"
    ifconfig_em1="up"
    ifconfig_em2="up"

Firewall vm has this setup:

    nic1 - bridge re0
    nic2 - bridge re0
    nic3 - internal network

The VMs are still on 8.2, the only change was virtualbox from 3 to 4.0.14 and host system fresh install of stable/9. vboxnet is loaded, if I change the VMs to just bridge re0, they are able to get out, if I put them on the internal network, nothing gets out. internal networking works because without bridge and just setting static IP on vm1 and firewall vm em2, they talk without problem.

]Peter[

it can't be this hard.
Re: bridge firewall in virtualbox not passing traffic after upgrade to stable/9
Hello,

Was running 8.2 and virtualbox 3 - wiped FreeBSD 8.2, installed 9.0, installed latest virtualbox port 4.0.14 and the networking broke in my vms.

Setup I had:

    {vm1,vm2,etc}--- vbox internal network - em2[firewall VM]em1 -- re0[physical box]--ISP

the firewall vm has this:

    ifconfig_em0='172.20.6.210/24'
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm em1 addm em2 up"
    ifconfig_em1="up"
    ifconfig_em2="up"

Firewall vm has this setup:

    nic1 - bridge re0
    nic2 - bridge re0
    nic3 - internal network

The VMs are still on 8.2, the only change was virtualbox from 3 to 4.0.14 and host system fresh install of stable/9. vboxnet is loaded, if I change the VMs to just bridge re0, they are able to get out, if I put them on the internal network, nothing gets out. internal networking works because without bridge and just setting static IP on vm1 and firewall vm em2, they talk without problem.

]Peter[

it can't be this hard.

Just a follow up with more info. Set 2 vms and booting from 9 release cd using live system option. Host system is stable/9, vbox 4.0.14:

Per the handbook setup bridging on firewall_vm that has no IP, and only two interfaces [em0 - external, and em1 - internal networking]
http://www.freebsd.org/doc/handbook/network-bridging.html

On client_vm, em0 is connected to internal network and should pass through that bridge, but I get nothing:

    client_vm - internal network - em1[bridge vm]em0 - internet

]Peter[

on bridge vm, doing dhclient bridge0 gets nothing, doing dhclient em0 gets IP
solved - bridge firewall in virtualbox not passing traffic after upgrade to stable/9
Hello,

Was running 8.2 and virtualbox 3 - wiped FreeBSD 8.2, installed 9.0, installed latest virtualbox port 4.0.14 and the networking broke in my vms.

Setup I had:

    {vm1,vm2,etc}--- vbox internal network - em2[firewall VM]em1 -- re0[physical box]--ISP

the firewall vm has this:

    ifconfig_em0='172.20.6.210/24'
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm em1 addm em2 up"
    ifconfig_em1="up"
    ifconfig_em2="up"

Firewall vm has this setup:

    nic1 - bridge re0
    nic2 - bridge re0
    nic3 - internal network

The VMs are still on 8.2, the only change was virtualbox from 3 to 4.0.14 and host system fresh install of stable/9. vboxnet is loaded, if I change the VMs to just bridge re0, they are able to get out, if I put them on the internal network, nothing gets out. internal networking works because without bridge and just setting static IP on vm1 and firewall vm em2, they talk without problem.

]Peter[

it can't be this hard.

Just a follow up with more info. Set 2 vms and booting from 9 release cd using live system option. Host system is stable/9, vbox 4.0.14:

Per the handbook setup bridging on firewall_vm that has no IP, and only two interfaces [em0 - external, and em1 - internal networking]
http://www.freebsd.org/doc/handbook/network-bridging.html

On client_vm, em0 is connected to internal network and should pass through that bridge, but I get nothing:

    client_vm - internal network - em1[bridge vm]em0 - internet

]Peter[

on bridge vm, doing dhclient bridge0 gets nothing, doing dhclient em0 gets IP

Another follow up and solution:

Virtualbox lost default promiscuous mode on version 4.0.6 and that option did not appear under 'modifyvm' until 4.1.8. Followed this forum post and used the vbox internal 'setextradata' to fix my firewall VM to allow promiscuous mode.

https://forums.virtualbox.org/viewtopic.php?f=7&t=41036

For me that was:

    VBoxManage setextradata chernogorsk.pknet.net VBoxInternal/Devices/e1000/0/LUN#0/Config/IfPolicyPromisc allow-all
    VBoxManage setextradata chernogorsk.pknet.net VBoxInternal/Devices/e1000/1/LUN#0/Config/IfPolicyPromisc allow-all
    VBoxManage setextradata chernogorsk.pknet.net VBoxInternal/Devices/e1000/2/LUN#0/Config/IfPolicyPromisc allow-all

or modify the config file for the vm:

    <ExtraDataItem name="VBoxInternal/Devices/e1000/0/LUN#0/Config/IfPolicyPromisc" value="allow-all"/>
    <ExtraDataItem name="VBoxInternal/Devices/e1000/1/LUN#0/Config/IfPolicyPromisc" value="allow-all"/>
    <ExtraDataItem name="VBoxInternal/Devices/e1000/2/LUN#0/Config/IfPolicyPromisc" value="allow-all"/>

That allowed the nics to pass all data and turns off mac security - In Vbox 4.1.8 [on Windows] that option is in the GUI, this was pure luck I decided to upgrade my 4.1.2 to 4.1.8 for further testing and that option appeared.

]Peter[

ahh, all the little hidden internals of vbox...
Re: Static IP on a Bridge
Hey everyone,

Sorry for the late response. Got sidetracked during the New Year. Below is my response:

Quoting Benjamin Lee b...@b1c1l1.com:

> On 12/29/2011 09:21 AM, ja...@colannino.org wrote:
>> Quoting Matthew Seaman m.sea...@infracaninophile.co.uk:
>>> What's the error message you see when you fail to ping out?
>>
>> ping: cannot resolve google.com: Host name lookup failure
>
> It seems that you are currently receiving your resolver from DHCP as well, you should statically configure that in /etc/resolv.conf:
>
>     nameserver 192.168.1.1

I already have nameservers in /etc/resolv.conf. Everything was fine before I setup the bridge.

>>> What does the routing table (netstat -r) look like before and after DHCP?
>>
>> Before DHCP:
>>
>>     Routing tables
>>
>>     Internet:
>>     Destination        Gateway            Flags    Refs      Use  Netif Expire
>>     localhost          link#11            UH          0        0    lo0
>>
>> [...]
>
> What happens if you run 'route add default 192.168.1.1' instead of DHCP?
>
> What is the output of '/etc/rc.d/routing restart'?

    [root@frodo ~]# route add default 192.168.1.1
    route: writing to routing socket: Network is unreachable
    add net default: gateway 192.168.1.1: Network is unreachable
    [root@frodo ~]# /etc/rc.d/routing restart
    route: writing to routing socket: No such process
    delete net default: gateway 192.168.1.1: not in table
    delete net :::0.0.0.0: gateway ::1
    delete net ::0.0.0.0: gateway ::1
    delete net fe80::: gateway ::1
    delete net ff02::: gateway ::1
    ifconfig: interface auto does not exist
    route: writing to routing socket: Network is unreachable
    add net default: gateway 192.168.1.1: Network is unreachable
    add net :::0.0.0.0: gateway ::1
    add net ::0.0.0.0: gateway ::1
    add net fe80::: gateway ::1
    add net ff02::: gateway ::1

James
Static IP on a Bridge
Hey everyone.

I've successfully set up a network bridge in /etc/rc.conf. However, I am only able to access the network if I dhcp on bridge0 *after* the bridge is configured. If I try to set a static IP on the bridge, things don't work. Here's my /etc/rc.conf:

    cloned_interfaces="bridge0 tap0 tap1"
    ifconfig_bridge0="addm re0 addm tap0 addm tap1 up inet 192.168.1.6 netmask 255.255.255.0"
    ifconfig_re0="up"
    ifconfig_tap0="up"
    ifconfig_tap1="up"
    defaultrouter="192.168.1.1"

bridge0 is configured with the IP 192.168.1.6, but I can't ping out. However, once I run dhclient on bridge0, things magically work. Does anyone know why the above won't work?

Thanks!

James
Re: Static IP on a Bridge
On 29/12/2011 07:48, ja...@colannino.org wrote:

> bridge0 is configured with the IP 192.168.1.6, but I can't ping out. However, once I run dhclient in bridge0, things magically work. Does anyone know why the above won't work? Thanks!

What's the error message you see when you fail to ping out?

What does the routing table (netstat -r) look like before and after DHCP?

What does your arp table look like (arp -a) before and after DHCP?

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk Kent, CT11 9PW
Re: Static IP on a Bridge
Quoting Brian Seklecki (Mobile) r...@probikesllc.com:

> Also, what MAC address does the DHCPREQUEST packet appear to be sourced from (from the view of your DHCP server, or on the wire somewhere between the two (SPAN PORT))
>
> ~BAS

How do I do that? :)

James
RE: Static IP on a Bridge
-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of ja...@colannino.org
Sent: Thursday, December 29, 2011 9:21 AM
To: freebsd-questions@freebsd.org
Subject: Re: Static IP on a Bridge

Quoting Matthew Seaman m.sea...@infracaninophile.co.uk:

> What's the error message you see when you fail to ping out?

ping: cannot resolve google.com: Host name lookup failure

> What does the routing table (netstat -r) look like before and after DHCP?

Before DHCP:

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    localhost          link#11            UH          0        0    lo0

    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::                                localhost                     UGRS        lo0
    localhost                         localhost                     UH          lo0
    :::0.0.0.0                        localhost                     UGRS        lo0
    fe80::                            localhost                     UGRS        lo0
    fe80::%re0                        link#5                        U           re0
    fe80::6ef0:49ff:fe                link#5                        UHS         lo0
    fe80::%lo0                        link#11                       U           lo0
    fe80::1%lo0                       link#11                       UHS         lo0
    fe80::%tap0                       link#13                       U           tap0
    fe80::2bd:8aff:fe3                link#13                       UHS         lo0
    fe80::%tap1                       link#14                       U           tap1
    fe80::2bd:8dff:fe3                link#14                       UHS         lo0
    ff01::%re0                        fe80::6ef0:49ff:fe            U           re0
    ff01::%lo0                        localhost                     U           lo0
    ff01::%tap0                       fe80::2bd:8aff:fe3            U           tap0
    ff01::%tap1                       fe80::2bd:8dff:fe3            U           tap1
    ff02::                            localhost                     UGRS        lo0
    ff02::%re0                        fe80::6ef0:49ff:fe            U           re0
    ff02::%lo0                        localhost                     U           lo0
    ff02::%tap0                       fe80::2bd:8aff:fe3            U           tap0
    ff02::%tap1                       fe80::2bd:8dff:fe3            U           tap1

After DHCP:

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.1.1        UGS         0        0 bridge
    localhost          link#11            UH          0        0    lo0
    192.168.1.0        link#12            U           0        1 bridge
    192.168.1.103      link#12            UHS         0        0    lo0

    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::                                localhost                     UGRS        lo0
    localhost                         localhost                     UH          lo0
    :::0.0.0.0                        localhost                     UGRS        lo0
    fe80::                            localhost                     UGRS        lo0
    fe80::%re0                        link#5                        U           re0
    fe80::6ef0:49ff:fe                link#5                        UHS         lo0
    fe80::%lo0                        link#11                       U           lo0
    fe80::1%lo0                       link#11                       UHS         lo0
    fe80::%tap0                       link#13                       U           tap0
    fe80::2bd:8aff:fe3                link#13                       UHS         lo0
    fe80::%tap1                       link#14                       U           tap1
    fe80::2bd:8dff:fe3                link#14                       UHS         lo0
    ff01::%re0                        fe80::6ef0:49ff:fe            U           re0
    ff01::%lo0                        localhost                     U           lo0
    ff01::%tap0                       fe80::2bd:8aff:fe3            U           tap0
    ff01::%tap1                       fe80::2bd:8dff:fe3            U           tap1
    ff02::                            localhost                     UGRS        lo0
    ff02::%re0                        fe80::6ef0:49ff:fe            U           re0
    ff02::%lo0                        localhost                     U           lo0
    ff02::%tap0                       fe80::2bd:8aff:fe3            U           tap0
    ff02::%tap1                       fe80::2bd:8dff:fe3            U           tap1

> What does your arp table look like (arp -a) before and after DHCP?

Before DHCP:

    (nothing was printed to the screen)

After DHCP:

    ? (192.168.1.1) at 4c:e6:76:50:86:f6 on bridge0 expires in 1190 seconds [bridge]
    ? (192.168.1.103) at 02:62:11:f0:35:00 on bridge0 permanent [bridge]

I can see that something is definitely not right. Not sure how to fix /etc/rc.conf so that it will be setup correctly, though.

Thank you for the help!

Add the following line (exactly as it appears) to /etc/rc.conf:

    defaultrouter="192.168.1.1"

--
Devin
Re: Static IP on a Bridge
Also, what MAC address does the DHCPREQUEST packet appear to be sourced from (from the view of your DHCP server, or on the wire somewhere between the two (SPAN PORT))

~BAS

This sounds familiar.
Re: Static IP on a Bridge
Quoting Matthew Seaman m.sea...@infracaninophile.co.uk:

> What's the error message you see when you fail to ping out?

ping: cannot resolve google.com: Host name lookup failure

> What does the routing table (netstat -r) look like before and after DHCP?

Before DHCP:

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    localhost          link#11            UH          0        0    lo0

    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::                                localhost                     UGRS        lo0
    localhost                         localhost                     UH          lo0
    :::0.0.0.0                        localhost                     UGRS        lo0
    fe80::                            localhost                     UGRS        lo0
    fe80::%re0                        link#5                        U           re0
    fe80::6ef0:49ff:fe                link#5                        UHS         lo0
    fe80::%lo0                        link#11                       U           lo0
    fe80::1%lo0                       link#11                       UHS         lo0
    fe80::%tap0                       link#13                       U           tap0
    fe80::2bd:8aff:fe3                link#13                       UHS         lo0
    fe80::%tap1                       link#14                       U           tap1
    fe80::2bd:8dff:fe3                link#14                       UHS         lo0
    ff01::%re0                        fe80::6ef0:49ff:fe            U           re0
    ff01::%lo0                        localhost                     U           lo0
    ff01::%tap0                       fe80::2bd:8aff:fe3            U           tap0
    ff01::%tap1                       fe80::2bd:8dff:fe3            U           tap1
    ff02::                            localhost                     UGRS        lo0
    ff02::%re0                        fe80::6ef0:49ff:fe            U           re0
    ff02::%lo0                        localhost                     U           lo0
    ff02::%tap0                       fe80::2bd:8aff:fe3            U           tap0
    ff02::%tap1                       fe80::2bd:8dff:fe3            U           tap1

After DHCP:

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.1.1        UGS         0        0 bridge
    localhost          link#11            UH          0        0    lo0
    192.168.1.0        link#12            U           0        1 bridge
    192.168.1.103      link#12            UHS         0        0    lo0

    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::                                localhost                     UGRS        lo0
    localhost                         localhost                     UH          lo0
    :::0.0.0.0                        localhost                     UGRS        lo0
    fe80::                            localhost                     UGRS        lo0
    fe80::%re0                        link#5                        U           re0
    fe80::6ef0:49ff:fe                link#5                        UHS         lo0
    fe80::%lo0                        link#11                       U           lo0
    fe80::1%lo0                       link#11                       UHS         lo0
    fe80::%tap0                       link#13                       U           tap0
    fe80::2bd:8aff:fe3                link#13                       UHS         lo0
    fe80::%tap1                       link#14                       U           tap1
    fe80::2bd:8dff:fe3                link#14                       UHS         lo0
    ff01::%re0                        fe80::6ef0:49ff:fe            U           re0
    ff01::%lo0                        localhost                     U           lo0
    ff01::%tap0                       fe80::2bd:8aff:fe3            U           tap0
    ff01::%tap1                       fe80::2bd:8dff:fe3            U           tap1
    ff02::                            localhost                     UGRS        lo0
    ff02::%re0                        fe80::6ef0:49ff:fe            U           re0
    ff02::%lo0                        localhost                     U           lo0
    ff02::%tap0                       fe80::2bd:8aff:fe3            U           tap0
    ff02::%tap1                       fe80::2bd:8dff:fe3            U           tap1

> What does your arp table look like (arp -a) before and after DHCP?

Before DHCP:

    (nothing was printed to the screen)

After DHCP:

    ? (192.168.1.1) at 4c:e6:76:50:86:f6 on bridge0 expires in 1190 seconds [bridge]
    ? (192.168.1.103) at 02:62:11:f0:35:00 on bridge0 permanent [bridge]

I can see that something is definitely not right. Not sure how to fix /etc/rc.conf so that it will be setup correctly, though.

Thank you for the help!

James
RE: Static IP on a Bridge
Quoting Devin Teske devin.te...@fisglobal.com:

> Add the following line (exactly as it appears) to /etc/rc.conf:
>
>     defaultrouter="192.168.1.1"

That line's been there the whole time. Hasn't helped :(

James
RE: Static IP on a Bridge
Quoting Devin Teske devin.te...@fisglobal.com:

> Add the following line (exactly as it appears) to /etc/rc.conf:
>
>     defaultrouter="192.168.1.1"

I should probably re-post my original configuration:

    cloned_interfaces="bridge0 tap0 tap1"
    ifconfig_bridge0="addm re0 addm tap0 addm tap1 up inet 192.168.1.6 netmask 255.255.255.0"
    ifconfig_re0="up"
    ifconfig_tap0="up"
    ifconfig_tap1="up"
    defaultrouter="192.168.1.1"

James
Re: Static IP on a Bridge
On 12/29/2011 09:21 AM, ja...@colannino.org wrote:

> Quoting Matthew Seaman m.sea...@infracaninophile.co.uk:
>> What's the error message you see when you fail to ping out?
>
> ping: cannot resolve google.com: Host name lookup failure

It seems that you are currently receiving your resolver from DHCP as well, you should statically configure that in /etc/resolv.conf:

    nameserver 192.168.1.1

>> What does the routing table (netstat -r) look like before and after DHCP?
>
> Before DHCP:
>
>     Routing tables
>
>     Internet:
>     Destination        Gateway            Flags    Refs      Use  Netif Expire
>     localhost          link#11            UH          0        0    lo0
>
> [...]

What happens if you run 'route add default 192.168.1.1' instead of DHCP?

What is the output of '/etc/rc.d/routing restart'?

--
Benjamin Lee
http://www.b1c1l1.com/
ia64 kernel conf error BRIDGE
While attempting to recompile the 8.1 ia64 kernel, the following error was produced:

    /usr/src/sys/amd64/conf/BRIGHTSTAR: unknown option BRIDGE
    *** Error code 1

Is this option no longer supported? Is there an alternative?

Thanks,
Gene
ia64 kernel conf error BRIDGE - Additional problems
In reference to the message "ia64 kernel conf error BRIDGE": I simply deleted the option. Also had to delete option IPSEC_ESP. Compile proceeded normally until I got:

    xform_ipcomp.o(.text+0xe3c): In function `ipcomp_output':
    /usr/src/sys/netipsec/xform_ipcomp.c:448: undefined reference to `crypto_dispatch'

Is there also a problem with option IPSEC?

Maybe I should just grab the GENERIC config and start over. Problem is - I'm not sure what changes I made.
Re: ia64 kernel conf error BRIDGE
On Wed, Aug 31, 2011 at 09:28:55AM -0500, Gene wrote:

> While attempting to recompile the 8.1 ia64 kernel, the following error was

I think you mean amd64.

> produced:
>
>     /usr/src/sys/amd64/conf/BRIGHTSTAR: unknown option BRIDGE
>     *** Error code 1
>
> Is this option no longer supported? Is there an alternative?
>
> Thanks,
> Gene

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
Re: ia64 kernel conf error BRIDGE - Additional problems
On 08/31/2011 11:05 AM, Gene wrote:

> In reference to the message ia64 kernel conf error BRIDGE I simply deleted the option. Also had to delete option IPSEC_ESP. Compile proceeded normally until I got:
>
>     xform_ipcomp.o(.text+0xe3c): In function `ipcomp_output':
>     /usr/src/sys/netipsec/xform_ipcomp.c:448: undefined reference to `crypto_dispatch'
>
> Is there also a problem with option IPSEC?
>
> Maybe I should just grab the GENERIC config and start over. Problem is - I'm not sure what changes I made.

options IPSEC also requires you to build in support for the crypto device. Add device crypto to your kernel config and try the build again.
Re: Can I bridge the same subnet across a VPN?
On Wed, May 4, 2011 at 4:31 PM, Geoff Roberts ge...@apro.com.au wrote:

> Was this easy to measure, and how did you measure this - dropped packets on the bridge interface?

I don't remember. It's been too long since I last tried it. Dropped packets would be a good measure, though, assuming the bridge interface does that kind of accounting.
Re: Can I bridge the same subnet across a VPN?
On 5/5/2011 12:24 AM, David Brodbeck wrote:

> The problem I've always found with bridged solutions is they don't cope well under heavy traffic loads when the VPN link is slower than the LANs they're bridging between. And the VPN link is usually slower if it's over a WAN. The link tends to get saturated.

There is no inbuilt reason why a L2 VPN is more easily saturated than a L3 VPN. After all protocols doing bulk transfers should - and mostly - use TCP which autotunes the rate of sent packets. And TCP should be able to saturate the lower-bandwidth link of the whole path. That's normal and desirable. Some care must be taken with the broadcast and multicast traffic which goes through the L2 VPN.

Just my 2 cents,

Nikos
Re: Can I bridge the same subnet across a VPN?
On Thu, May 5, 2011 at 10:39 AM, Nikos Vassiliadis nv...@gmx.com wrote:
> There is no inbuilt reason why a L2 VPN is more easily saturated than a L3 VPN.

I disagree slightly. With L2 you have broadcasts and non-routable protocols being sent over the wire. This is fortunately becoming less of an issue than it used to be, but it can (for example) be a problem for certain kinds of Windows networking. I have had severe congestion problems in the past when bridging wired interfaces to wireless.

In general I think adding a slow hop that's invisible to clients is asking for trouble, but that's not to say it can't work well in certain environments. The main thing to remember is just because the clients can pretend it's a LAN doesn't mean you can. ;)
Re: Can I bridge the same subnet across a VPN?
On 3 May 2011 20:44, Kevin Wilcox kevin.wil...@gmail.com wrote:
> On Tue, May 3, 2011 at 15:19, Geoff Roberts ge...@apro.com.au wrote:
> > Is it possible to join two sites with the same subnet across a VPN?
>
> Yes.
>
> > I have two sites that have the same subnet/mask. I need these two separated networks to behave as one across a VPN.
>
> That's understandable. You may want to consider breaking the /24 into two /25s, one at each site, and routing the connection instead, but that's not necessary and you can indeed use a bridge with few issues.
>
> > Happy to use either IPSec or OpenVPN to actually encrypt the traffic.
>
> We've done it as a demo of what you can do with OpenVPN, it's trivial once you get some configuration issues straight in your head (or that's how it worked for me). To bridge in OpenVPN, take a look at:
>
> http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
>
> kmw

You can do this with a combination of openvpn (using tap, not tun) and if_bridge at both ends. However I have found it to be flakey and not really worth the effort. Better to go with a routed solution.
Re: Can I bridge the same subnet across a VPN?
On Wed, May 4, 2011 at 8:19 AM, krad kra...@gmail.com wrote:
> You can do this with a combination of openvpn (using tap, not tun) and if_bridge at both ends. However I have found it to be flakey and not really worth the effort. Better to go with a routed solution.

The problem I've always found with bridged solutions is they don't cope well under heavy traffic loads when the VPN link is slower than the LANs they're bridging between. And the VPN link is usually slower if it's over a WAN. The link tends to get saturated.
Re: Can I bridge the same subnet across a VPN?
Hi David and others,

Thanks for the feedback.

On Thu, 5 May 2011 07:24:13 am David Brodbeck wrote:
> The problem I've always found with bridged solutions is they don't cope well under heavy traffic loads when the VPN link is slower than the LANs they're bridging between. And the VPN link is usually slower if it's over a WAN. The link tends to get saturated.

Was this easy to measure, and how did you measure this - dropped packets on the bridge interface?

Kind regards,
Geoff
Can I bridge the same subnet across a VPN?
Hi,

Is it possible to join two sites with the same subnet across a VPN? I have two sites that have the same subnet/mask. I need these two separated networks to behave as one across a VPN. All configuration examples I've come across so far assume that each site will have a different subnet, e.g. one site with 192.168.1.0/24 and the other with 192.168.2.0/24. I control the firewalls at each end. One will be a pfsense firewall, the other an existing FreeBSD 7.4 system.

For example I would want to be able to do the following:

  Site A                         Site B
  ------                         ------
  Firewall A 10.1.1.3 ---------- Firewall B 10.1.1.4
        |                              |
  Subnet: 192.168.20.0/24        Subnet: 192.168.20.0/24

Happy to use either IPSec or OpenVPN to actually encrypt the traffic.

Kind regards,
Geoff
Re: Can I bridge the same subnet across a VPN?
On Tue, May 3, 2011 at 15:19, Geoff Roberts ge...@apro.com.au wrote:
> Is it possible to join two sites with the same subnet across a VPN?

Yes.

> I have two sites that have the same subnet/mask. I need these two separated networks to behave as one across a VPN.

That's understandable. You may want to consider breaking the /24 into two /25s, one at each site, and routing the connection instead, but that's not necessary and you can indeed use a bridge with few issues.

> Happy to use either IPSec or OpenVPN to actually encrypt the traffic.

We've done it as a demo of what you can do with OpenVPN, it's trivial once you get some configuration issues straight in your head (or that's how it worked for me). To bridge in OpenVPN, take a look at:

http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

kmw
Re: Bridge, dpcpd, sshd
My similar config:

  cloned_interfaces="bridge0"
  ifconfig_bridge0="addm wlan0 addm sk0 up"
  ifconfig_bridge0_alias0="ether f6:3f:1f:48:4d:97"
  ifconfig_bridge0_alias1="inet 172.16.254.1 netmask 255.255.255.0"
  ifconfig_sk0="up"
  ifconfig_wlan0="up"

Use alias# for setting inet on bridge0.
Re: Bridge, dpcpd, sshd
--- On Thu, 3/24/11, Nerius Landys nlan...@gmail.com wrote:
> From: Nerius Landys nlan...@gmail.com
> Subject: Re: Bridge, dpcpd, sshd
> To: Chris devnullacco...@yahoo.se
> Cc: freebsd-questions@freebsd.org
> Date: Thursday, March 24, 2011, 1:56 AM
>
> > I have a server machine that I use as DHCP server, sshd login etc, and since I have multiple Ethernet interfaces on it, I would like to use two of those for the internal network to avoid adding one more ethernet switch for just one extra machine. DHCP should configure hosts on both those interfaces and all the hosts should be on the same subnet. So, I set up a bridge interface as per the FreeBSD handbook (ch. 31.5), but now dhcpd is refusing to start during boot as it claims that the bridge0 interface doesn't exist. If I manually start dhcpd with the same parameters after the machine has come up, it will start and it will also work as expected and assign addresses to users connecting from the bridge interface. sshd seems to do something similar, it refuses to start, but can manually be re-started later on. Is this some kind of expected behavior, or does it sound like I'm doing something badly wrong? Can I force bridge0 to be configured earlier in the boot so it is always there when the daemons start waking up? Configuration info below.
> >
> > TIA, Chris
> >
> > = rc.conf extract
> > dhcpd_enable="YES"
> > dhcpd_ifaces="bridge0"
> > cloned_interfaces="bridge0"
> > ifconfig_bridge0="addm dc0 addm dc1 up"
> > ifconfig_bridge0="inet 172.16.0.100/24"
> > ifconfig_dc0="up"
> > ifconfig_dc1="up"
> >
> > = sshd.conf extract =
> > ListenAddress 172.16.0.100
> >
> > === the dhcpd.conf is quite standard and does not say anything about the interfaces, that info is in rc.conf above
> >
> > === /var/log/messages extract
> > dhcpd: bridge0: not found
>
> I am running a very similar setup. I learned from my own experience that sometimes little things like the order of statements or what's exactly inside the statement affects the outcome. In any case after much tweaking I got my router to work, and here is my complete rc.conf. People on this mailing list have helped me come up with my rc.conf (thank you all):
>
>   gateway_enable="YES"
>   hostname="speedy.i"
>   ifconfig_fxp2="DHCP"
>   cloned_interfaces="bridge0"
>   ifconfig_bridge0="addm fxp0 addm fxp1 addm re0 addm ath0 up"
>   ifconfig_fxp0="up"
>   ifconfig_fxp1="up"
>   ifconfig_re0="up"
>   ifconfig_ath0="ssid speedy.i mode 11g mediaopt hostap channel 2 -bgscan up"
>   ipv4_addrs_bridge0="192.168.0.254/24"
>   ipnat_enable="YES"
>   hostapd_enable="YES"
>   sshd_enable="YES"
>   named_enable="YES"
>   ntpdate_enable="YES"
>   ntpd_enable="YES"
>   linux_enable="YES"
>   dhcpd_enable="YES"
>   dhcpd_ifaces="bridge0"
>   apache22_enable="YES"
>
> The ath0 stuff is for a wireless access point and is not needed in your case. The rest you can probably understand. fxp2 is the external facing interface, it's what is connecting to ATT UVerse via DHCP. The line ipv4_addrs_bridge0 is important and from what I recall it needs to come after the interfaces are brought up, just like in the above rc.conf. Of course there is also some dhcpd config that is not present here. If you still can't get it to work, try disabling dhcpd to have a static IP network, try getting that to work first. Then add dhcpd once the static network is working.

Hi Nerius and thanks for your reply.

I tried changing rc.conf as per your suggestion and added the ipv4_addrs_ command, but it did not manage to set any address on the bridge anyway, and I'm still getting errors starting the daemons because the bridge isn't created yet. And then I realized how long it has been since I upgraded that machine, it's actually running FreeBSD-6.0 (I'm a bit ashamed here...), so I would guess that it is so far outdated that these things aren't supposed to work. I guess I'll have to bite the bullet and reinstall the machine this weekend and try again with the same config and see if that makes it any better. I'll come back to the list if that doesn't solve it.

Thanks for the help
/Chris
Bridge, dpcpd, sshd
Hi all,

I have a server machine that I use as DHCP server, sshd login etc, and since I have multiple Ethernet interfaces on it, I would like to use two of those for the internal network to avoid adding one more ethernet switch for just one extra machine. DHCP should configure hosts on both those interfaces and all the hosts should be on the same subnet. So, I set up a bridge interface as per the FreeBSD handbook (ch. 31.5), but now dhcpd is refusing to start during boot as it claims that the bridge0 interface doesn't exist. If I manually start dhcpd with the same parameters after the machine has come up, it will start and it will also work as expected and assign addresses to users connecting from the bridge interface. sshd seems to do something similar, it refuses to start, but can manually be re-started later on. Is this some kind of expected behavior, or does it sound like I'm doing something badly wrong? Can I force bridge0 to be configured earlier in the boot so it is always there when the daemons start waking up? Configuration info below.

TIA, Chris

= rc.conf extract
dhcpd_enable="YES"
dhcpd_ifaces="bridge0"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm dc0 addm dc1 up"
ifconfig_bridge0="inet 172.16.0.100/24"
ifconfig_dc0="up"
ifconfig_dc1="up"

= sshd.conf extract =
ListenAddress 172.16.0.100

=== the dhcpd.conf is quite standard and does not say anything about the interfaces, that info is in rc.conf above

=== /var/log/messages extract
dhcpd: bridge0: not found
Re: Bridge, dpcpd, sshd
> I have a server machine that I use as DHCP server, sshd login etc, and since I have multiple Ethernet interfaces on it, I would like to use two of those for the internal network to avoid adding one more ethernet switch for just one extra machine. DHCP should configure hosts on both those interfaces and all the hosts should be on the same subnet. So, I set up a bridge interface as per the FreeBSD handbook (ch. 31.5), but now dhcpd is refusing to start during boot as it claims that the bridge0 interface doesn't exist. If I manually start dhcpd with the same parameters after the machine has come up, it will start and it will also work as expected and assign addresses to users connecting from the bridge interface. sshd seems to do something similar, it refuses to start, but can manually be re-started later on. Is this some kind of expected behavior, or does it sound like I'm doing something badly wrong? Can I force bridge0 to be configured earlier in the boot so it is always there when the daemons start waking up? Configuration info below.
>
> TIA, Chris
>
> = rc.conf extract
> dhcpd_enable="YES"
> dhcpd_ifaces="bridge0"
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm dc0 addm dc1 up"
> ifconfig_bridge0="inet 172.16.0.100/24"
> ifconfig_dc0="up"
> ifconfig_dc1="up"
>
> = sshd.conf extract =
> ListenAddress 172.16.0.100
>
> === the dhcpd.conf is quite standard and does not say anything about the interfaces, that info is in rc.conf above
>
> === /var/log/messages extract
> dhcpd: bridge0: not found

I am running a very similar setup. I learned from my own experience that sometimes little things like the order of statements or what's exactly inside the statement affects the outcome. In any case after much tweaking I got my router to work, and here is my complete rc.conf. People on this mailing list have helped me come up with my rc.conf (thank you all):

  gateway_enable="YES"
  hostname="speedy.i"
  ifconfig_fxp2="DHCP"
  cloned_interfaces="bridge0"
  ifconfig_bridge0="addm fxp0 addm fxp1 addm re0 addm ath0 up"
  ifconfig_fxp0="up"
  ifconfig_fxp1="up"
  ifconfig_re0="up"
  ifconfig_ath0="ssid speedy.i mode 11g mediaopt hostap channel 2 -bgscan up"
  ipv4_addrs_bridge0="192.168.0.254/24"
  ipnat_enable="YES"
  hostapd_enable="YES"
  sshd_enable="YES"
  named_enable="YES"
  ntpdate_enable="YES"
  ntpd_enable="YES"
  linux_enable="YES"
  dhcpd_enable="YES"
  dhcpd_ifaces="bridge0"
  apache22_enable="YES"

The ath0 stuff is for a wireless access point and is not needed in your case. The rest you can probably understand. fxp2 is the external facing interface, it's what is connecting to ATT UVerse via DHCP. The line ipv4_addrs_bridge0 is important and from what I recall it needs to come after the interfaces are brought up, just like in the above rc.conf. Of course there is also some dhcpd config that is not present here. If you still can't get it to work, try disabling dhcpd to have a static IP network, try getting that to work first. Then add dhcpd once the static network is working.
Re: Bridge, dpcpd, sshd
In freebsd-questions Digest, Vol 355, Issue 4, Message: 33
On Wed 23 Mar 2011 22:20:06 + (GMT) Chris devnullacco...@yahoo.se wrote:
> I have a server machine that I use as DHCP server, sshd login etc, and since I have multiple Ethernet interfaces on it, I would like to use two of those for the internal network to avoid adding one more ethernet switch for just one extra machine. DHCP should configure hosts on both those interfaces and all the hosts should be on the same subnet. So, I set up a bridge interface as per the FreeBSD handbook (ch. 31.5), but now dhcpd is refusing to start during boot as it claims that the bridge0 interface doesn't exist. If I manually start dhcpd with the same parameters after the machine has come up, it will start and it will also work as expected and assign addresses to users connecting from the bridge interface. sshd seems to do something similar, it refuses to start, but can manually be re-started later on. Is this some kind of expected behavior, or does it sound like I'm doing something badly wrong? Can I force bridge0 to be configured earlier in the boot so it is always there when the daemons start waking up? Configuration info below.
>
> TIA, Chris
>
> = rc.conf extract
> dhcpd_enable="YES"
> dhcpd_ifaces="bridge0"
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm dc0 addm dc1 up"
> ifconfig_bridge0="inet 172.16.0.100/24"

There's your problem, and the response by Nerius Landys (read in the archives, as it hasn't arrived here in a digest yet :) would seem to indicate correct config - except that it has nothing to do with the order of assignments in rc.conf, but that your first ifconfig_bridge0 assignment is replaced, not added to, by the second.

It's important to know that /etc/rc.conf is a sh script that is sourced (that is, executed inline) at the end of /etc/defaults/rc.conf and so its statements are executed sequentially. These statements just assign values to variables, and have no bearing at all on the order in which the rc.d system will actually use them; that depends on rcorder(8).

Nerius has indicated use of e.g:

  ipv4_addrs_bridge0="192.168.0.254/24"

to assign address(es) to the bridge, avoiding your problem above.

> ifconfig_dc0="up"
> ifconfig_dc1="up"
>
> = sshd.conf extract =
> ListenAddress 172.16.0.100
>
> === the dhcpd.conf is quite standard and does not say anything about the interfaces, that info is in rc.conf above
>
> === /var/log/messages extract
> dhcpd: bridge0: not found

Yes; at that time your bridge hadn't been created, ie it had no members.

cheers, Ian
Re: Bridge Interface Members
> Yes. You overwrite your first ifconfig_bridge0 setting with the second one. These are shell variable initializations, not executable statements. There are various ways to fix the problem. Try this for example: replace the second ifconfig_bridge0 line with:
>
>   ipv4_addrs_bridge0="10.0.1.2/24"

Doh! Of course, thanks. Rookie mistake.

Carl
Bridge Interface Members
Trying to configure a bridge interface with two member interfaces, fxp0 and re0. Configuring the interface from scratch manually works fine but when I add config entries to rc.conf the two member interfaces aren't added at boot. bridge0 is created, it just doesn't have any members. From the serial console I can manually add the two member interfaces and everything is fine but obviously I'd like it to work without manual intervention. Any ideas? Here's my rc.conf entries:

  cloned_interfaces="bridge0"
  ifconfig_bridge0="addm fxp0 addm re0"
  ifconfig_fxp0="up"
  ifconfig_re0="up"
  ifconfig_bridge0="inet 10.0.1.2 netmask 255.255.255.0 up"

Any ideas? Troubleshooting is a bit of a pain as I'm booting zfs root from a USB stick and there's a 5 minute (yes, 5 minutes!) delay at the BTX loader before the boot loader menu is displayed. I haven't figured out what's causing that but it makes tweaking and rebooting a slow process!
Re: Bridge Interface Members
On 30/01/2011 16:49, Carl Chave wrote:
> Trying to configure a bridge interface with two member interfaces, fxp0 and re0. Configuring the interface from scratch manually works fine but when I add config entries to rc.conf the two member interfaces aren't added at boot. bridge0 is created, it just doesn't have any members. From the serial console I can manually add the two member interfaces and everything is fine but obviously I'd like it to work without manual intervention. Any ideas? Here's my rc.conf entries:
>
>   cloned_interfaces="bridge0"
>   ifconfig_bridge0="addm fxp0 addm re0"
>   ifconfig_fxp0="up"
>   ifconfig_re0="up"
>   ifconfig_bridge0="inet 10.0.1.2 netmask 255.255.255.0 up"
>
> Any ideas?

Yes. You overwrite your first ifconfig_bridge0 setting with the second one. These are shell variable initializations, not executable statements. There are various ways to fix the problem. Try this for example: replace the second ifconfig_bridge0 line with:

  ipv4_addrs_bridge0="10.0.1.2/24"

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
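As an added example for this thread and for Ian's point in the dhcpd thread above that rc.conf is a sourced sh script (this is not code from any poster here): the POSIX sh script below reproduces Carl's broken fragment and Matthew's corrected one (quoted as real rc.conf syntax, which the archive stripped), sources each the way /etc/rc does, and reports which ifconfig_bridge0 value survives, which members the bridge would actually get, and which names are assigned twice. The fragments are constructed and the rc_* helper names are mine.

```shell
#!/bin/sh
# Added example, not from the list: show why a second ifconfig_bridge0=
# line in /etc/rc.conf silently discards the first, and check what rc
# would actually do with a fragment before rebooting into it.
# /etc/rc.conf is sourced by sh, so each line is just a variable store
# and the last assignment to a name wins. Helper names are mine.

# Constructed fragment reproducing Carl's broken rc.conf (quoted as real
# rc.conf syntax): the address line overwrites the member line.
BROKEN_RCCONF='cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm re0"
ifconfig_fxp0="up"
ifconfig_re0="up"
ifconfig_bridge0="inet 10.0.1.2 netmask 255.255.255.0 up"
'

# Corrected fragment following Matthew's reply: members stay in
# ifconfig_bridge0, the address moves to ipv4_addrs_bridge0.
FIXED_RCCONF='cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm re0 up"
ifconfig_fxp0="up"
ifconfig_re0="up"
ipv4_addrs_bridge0="10.0.1.2/24"
'

# rc_effective_value FRAGMENT NAME
# Source FRAGMENT the way /etc/rc sources rc.conf (in a subshell, so the
# caller's environment is untouched) and print the final value of NAME.
rc_effective_value() {
    ( eval "$1"; eval "printf '%s\n' \"\$$2\"" )
}

# rc_bridge_members FRAGMENT BRIDGE
# Print the member interfaces rc would add to BRIDGE, i.e. every
# "addm X" pair in the effective ifconfig_<BRIDGE> value.
rc_bridge_members() {
    value=$(rc_effective_value "$1" "ifconfig_$2")
    members=""
    set -- $value          # word-split the ifconfig arguments
    while [ $# -gt 1 ]; do
        if [ "$1" = addm ]; then
            members="${members:+$members }$2"
            shift 2
        else
            shift
        fi
    done
    printf '%s\n' "$members"
}

# rc_duplicate_assignments FRAGMENT
# Lint: list variable names assigned more than once (only plain NAME=...
# lines at column 0 are considered, which is how rc.conf is written).
rc_duplicate_assignments() {
    printf '%s' "$1" \
        | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' \
        | sed 's/=.*//' \
        | sort | uniq -d
}

# Stand-alone demonstration.
printf 'broken  ifconfig_bridge0   = %s\n' "$(rc_effective_value "$BROKEN_RCCONF" ifconfig_bridge0)"
printf 'broken  bridge0 members    = "%s"\n' "$(rc_bridge_members "$BROKEN_RCCONF" bridge0)"
printf 'broken  assigned twice     = %s\n' "$(rc_duplicate_assignments "$BROKEN_RCCONF")"
printf 'fixed   ifconfig_bridge0   = %s\n' "$(rc_effective_value "$FIXED_RCCONF" ifconfig_bridge0)"
printf 'fixed   bridge0 members    = "%s"\n' "$(rc_bridge_members "$FIXED_RCCONF" bridge0)"
printf 'fixed   ipv4_addrs_bridge0 = %s\n' "$(rc_effective_value "$FIXED_RCCONF" ipv4_addrs_bridge0)"
```

The broken fragment yields an empty member list, which is exactly the "bridge0 is created, it just doesn't have any members" symptom Carl saw.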
Re: Questions about setting bridge
> I want to setup a bridge in a ring topology since a break at any point along the ring would still leave all stations connected. My machine has two NICs. In /etc/rc.conf, I have:
>
>   ifconfig_em0="inet 192.168.1.0 netmask 255.255.255.0"
>   cloned_interfaces="bridge0"
>   ifconfig_em0="up"
>   ifconfig_em1="up"
>   ifconfig_bridge0="addm em0 addm em1 up"
>   ifconfig_bridge0_alias0="192.168.1.0 netmask 255.255.255.0 up"
>
> I tried to boot my clients using tftpd, but it doesn't seem to work if I unplugged em0. If I run
>
>   ifconfig em1 inet 192.168.1.0 netmask 255.255.255.0
>
> then my clients can boot via tftpd. But it's not a bridge, right? I mean, should I configure the same IP for em0, em1, and bridge0?

192.168.1.0/24 is not a valid address. Your addressable hosts are 192.168.1.1 - 192.168.1.254.

I think you want lagg:
http://www.freebsd.org/doc/handbook/network-aggregation.html

--
Adam Vande More
Re: Questions about setting bridge
On Fri, Sep 10, 2010 at 2:51 PM, Adam Vande More wrote:
> > I want to setup a bridge in a ring topology since a break at any point along the ring would still leave all stations connected. My machine has two NICs. In /etc/rc.conf, I have:
> >
> >   ifconfig_em0="inet 192.168.1.0 netmask 255.255.255.0"
> >   cloned_interfaces="bridge0"
> >   ifconfig_em0="up"
> >   ifconfig_em1="up"
> >   ifconfig_bridge0="addm em0 addm em1 up"
> >   ifconfig_bridge0_alias0="192.168.1.0 netmask 255.255.255.0 up"
> >
> > I tried to boot my clients using tftpd, but it doesn't seem to work if I unplugged em0. If I run
> >
> >   ifconfig em1 inet 192.168.1.0 netmask 255.255.255.0
> >
> > then my clients can boot via tftpd. But it's not a bridge, right? I mean, should I configure the same IP for em0, em1, and bridge0?
>
> 192.168.1.0/24 is not a valid address. Your addressable hosts are 192.168.1.1 - 192.168.1.254.

Oops, typo. Should be 192.168.1.1

> I think you want lagg:
> http://www.freebsd.org/doc/handbook/network-aggregation.html

In Windows, I setup a bridge with no problems. But in FreeBSD, it doesn't seem to work :(

--
Adam Vande More
Re: Questions about setting bridge
On Fri, Sep 10, 2010 at 10:29 PM, dave jones s.dave.jo...@gmail.com wrote:
> > I think you want lagg:
> > http://www.freebsd.org/doc/handbook/network-aggregation.html
>
> In Windows, I setup a bridge with no problems. But in FreeBSD, it doesn't seem to work :(

It does work quite well. Many, many people do it. Windows generally refers to this as network teaming, Linux NIC bonding, and FreeBSD does lagg. If you bother to read the handbook link I sent, you'll see a way to accomplish your goal.

Your bridge setup also has another error:

  ifconfig_em0="inet 192.168.1.0 netmask 255.255.255.0"

You should not set an IP address on a member interface. The bridge interface should get the real IP, no alias.

--
Adam Vande More
Questions about setting bridge
Hello,

I want to setup a bridge in a ring topology since a break at any point along the ring would still leave all stations connected. My machine has two NICs. In /etc/rc.conf, I have:

  ifconfig_em0="inet 192.168.1.0 netmask 255.255.255.0"
  cloned_interfaces="bridge0"
  ifconfig_em0="up"
  ifconfig_em1="up"
  ifconfig_bridge0="addm em0 addm em1 up"
  ifconfig_bridge0_alias0="192.168.1.0 netmask 255.255.255.0 up"

I tried to boot my clients using tftpd, but it doesn't seem to work if I unplugged em0. If I run

  ifconfig em1 inet 192.168.1.0 netmask 255.255.255.0

then my clients can boot via tftpd. But it's not a bridge, right? I mean, should I configure the same IP for em0, em1, and bridge0?

Thanks.
Dave.
DHCP server and bridge, mixed w/ some static IP assignments
I'm trying to add some sort of DHCP server functionality to my router box running FreeBSD 7.1. First, let me explain the current network. This is how my rc.conf is currently configured, and everything is running smoothly:

  gateway_enable="YES"
  hostname="speedy.i"
  ifconfig_fxp2="DHCP"                                            # Connecting to the outside internet via ATT UVerse
  cloned_interfaces="bridge0"
  ifconfig_bridge0="addm re0 addm ath0 addm fxp0 addm fxp1 up"    # Bridge consisting of four interfaces
  ifconfig_re0="up"                                               # My gigabit wired interface
  ifconfig_ath0="ssid speedy.i mode 11g mediaopt hostap up"       # Wireless interface
  ifconfig_fxp0="up"                                              # 100 megabit wired
  ifconfig_fxp1="up"                                              # 100 megabit wired
  ipv4_addrs_bridge0="192.168.0.254/24"
  ipnat_enable="YES"
  hostapd_enable="YES"

So as you can see, I have an internal network with 192.168.0.0/24 IP addresses. Both the wired and wireless are in the same network, and this is the way I've decided that I want it. All the machines connected to this internal network are using static IP addresses, even the wireless laptops.

Now, I'd like to add a DHCP server capability to the 192.168.0.0/24 network, but I'd like to allow some machines to still connect with static IP addresses (of their own choice, not controlled by the router via MAC address lookups for example). So, I'm reading this:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dhcp.html

under the server section. And I have a few questions.

First, I look in /usr/ports/net/ and I find both isc-dhcp31-server and isc-dhcp41-server. The manual says to use the 31 version.

Q1: Which do you recommend? I know that the manual is oftentimes out of date. I'm on FreeBSD 7.1.

Next, would it be possible to, for example, DHCP-lease out IP addresses above 192.169.0.127, but leave IP addresses below that as statically assigned? For example my plan for dhcpd.conf:

  option domain-name "i";
  option domain-name-servers 192.168.0.254;
  option subnet-mask 255.255.255.0;
  default-lease-time 3600;
  max-lease-time 86400;
  ddns-update-style none;

  subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.128 192.168.0.253;
    option routers 192.168.0.254;
  }

And in my rc.conf I plan to add:

  dhcpd_enable="YES"
  dhcpd_ifaces="bridge0"

Q2: Now is it legal to assign a bridge to a dhcpd interface? That would be nice, because then both wired and wireless machines could connect via DHCP. If it's not possible to do this, can I at least assign the ath0 (my wireless interface) to the dhcpd interface, even though ath0 is part of a bridge?

Q3: I have some machines connected via static IP addresses, e.g. 192.168.0.9 and 192.168.0.10. I would like to keep it this way, and let the clients themselves control which IP addresses they want to use. Am I allowed to mix DHCP leases with static assignments on the same network like this?

I'm afraid to get locked out of my router, because right now it's only accessible over the network. If I get locked out I'll have to hook up either the serial console via null modem cable or a monitor/keyboard, which could be a pain.
bridge filters ipv6
Hi all,

I have 7.2-RELEASE and a bridge between ath0 and sis0. Everything works fine except IPv6, including router advertisements. There is no filtering, just a L2 bridge without any address. rtadv comes from lan/sis. What could be missing?

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 0a:03:b2:xx:fe:xx
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: sis0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20
        member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 370370
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:80:48:xx:cd:xx
        inet6 fe80::280:48xx:fexx:%ath0 prefixlen 64 scopeid 0x1
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: associated
        ssid x channel 11 (2462 Mhz 11g) bssid 00:80:48:xx:cd:xx
        authmode WPA1+WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit
        txpower 22 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
        roam:rssi11g 7 roam:rate11g 5 pureg protmode RTSCTS wme burst
        dtimperiod 1
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:0d:b9:xx:52:xx
        inet6 fe80::20d:b9ff:fe03:52fc%sis0 prefixlen 64 scopeid 0x2
        inet 172.23.0.1 netmask 0xff00 broadcast 172.20.0.255
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
bridge wlan and tap
I know everyone's busy with the release. This is not a showstopper, but it relates to networking, which is pretty central to a working bsd box...

I read in some obscure post that I can't bridge from a wlan to tap because the wlan can only handle one MAC? Kind of thought every card has only one MAC. No idea if this related to 6.x or something earlier, or current... of course I can't find the post again, either, but it was just a mention in some other howto.

Anyway, I can't get an address on bridge0. rc.conf:

  cloned_interfaces="bridge0"
  autobridge_interfaces="bridge0"    # autoconfigure these bridges
  autobridge_bridge0="tap* wlan0"
  ifconfig_bridge0="DHCP"

After I boot, no address on bridge0, and dhclient bridge0 just times out... sort of thought I was following the handbook and man tap, but again, I have a 7.2 box on a wired network that this basic operation works on, so I'm suspecting wlan does break bridging...

Best,
Steve
Traffic Shaping Bridge with Dummynet
I am trying to do traffic shaping using a bridge on FreeBSD 7.1. I have the bridge configured and it works fine. It looks like this:

    rest of network - xl0 - bridge0 - xl1 - side to be shaped

It works with the following set of ipfw rules (pipes in but unlimited bw):

    network=10.10.10.0/24
    limit=0
    ipfw -q -f flush
    ipfw -q pipe 1000 config mask dst-ip 0x00ff bw $limit
    ipfw -q add pipe 1000 ip from any to $network via xl1
    ipfw -q pipe 1001 config mask src-ip 0x00ff bw $limit
    ipfw -q add pipe 1001 ip from $network to any via xl1
    ipfw -q add 6 allow all from any to any

If I change the limit to 1Mbit/s (or anything else) it stops passing traffic. I used tcpdump and I can see the traffic on the bridge but I cannot see it after the bridge. However ipfw -a list shows the counts for the pipe going up, which doesn't make sense to me.

I've tried adding:

    ipfw -q add allow all from any to any via bridge0
    ipfw -q add allow all from any to any via xl0

before the pipes. I also tried moving the pipes to bridge0 and xl0.

The docs on bridging (http://www.freebsd.org/doc/en/books/handbook/network-bridging.html) say "The bridge can be used as a traffic shaper with altq(4) or dummynet(4)."

So what am I doing wrong? What else do I need to do to limit the bandwidth over a bridge?

Thanks,
Dan
Network bridge, but assigned IP address
I am creating a simple network bridge (as described in http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html) which consists of 5 network interface cards. Function-wise, it's basically acting as a switch. However, I want to assign an IP address to the machine with the 5 NICs.

So far without the bridge everything is working perfectly, and my /etc/rc.conf looks like this:

    gateway_enable="YES"
    hostname="speedy.i"
    ifconfig_fxp4="DHCP"
    ifconfig_em0="inet 192.168.0.254 netmask 255.255.255.0"

And I have a NAT (using pf) to allow the 192.168.0.x hosts to directly reach the outside internet. fxp4 is the external network card. My other network cards that I want to make part of the internal network (acting as a switch) are fxp0 through fxp3.

So I'm not sure what to do with my rc.conf. In the handbook it says to add these lines:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm em0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 up"
    ifconfig_fxp0="up"
    ifconfig_fxp1="up"
    ifconfig_fxp2="up"
    ifconfig_fxp3="up"
    ifconfig_em0="up"

How should I intermingle these lines with my existing rc.conf, and/or which lines should I remove? I want em0, fxp0, fxp1, fxp2, and fxp3 to be a bridge and be assigned the IP address 192.168.0.254.
Re: Network bridge, but assigned IP address
Nerius Landys wrote:
> I am creating a simple network bridge (as described in
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html)
> which consists of 5 network interface cards. Function-wise, it's basically
> acting as a switch. However, I want to assign an IP address to the machine
> with the 5 NICs.
>
> So far without the bridge everything is working perfectly, and my
> /etc/rc.conf looks like this:
>
>     gateway_enable="YES"
>     hostname="speedy.i"
>     ifconfig_fxp4="DHCP"
>     ifconfig_em0="inet 192.168.0.254 netmask 255.255.255.0"

You should remove this ifconfig_em0 setting ...

> And I have a NAT (using pf) to allow the 192.168.0.x hosts to directly reach
> the outside internet. fxp4 is the external network card. My other network
> cards that I want to make part of the internal network (acting as a switch)
> are fxp0 through fxp3.
>
> So I'm not sure what to do with my rc.conf. In the handbook it says to add
> these lines:
>
>     cloned_interfaces="bridge0"
>     ifconfig_bridge0="addm em0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 up"
>     ifconfig_fxp0="up"
>     ifconfig_fxp1="up"
>     ifconfig_fxp2="up"
>     ifconfig_fxp3="up"
>     ifconfig_em0="up"

... and then add all of these lines to the rest of the existing rc.conf

> How should I intermingle these lines with my existing rc.conf, and/or which
> lines should I remove? I want em0, fxp0, fxp1, fxp2, and fxp3 to be a bridge
> and be assigned the IP address 192.168.0.254.

To give the whole ensemble an IP address, simply set the IP on the bridge0 interface. I think you can do it most easily by adding this line,

    ipv4_addrs_bridge0="192.168.0.254/24"

but in case that doesn't work correctly, just extend the ifconfig_bridge0 setting:

    ifconfig_bridge0="addm em0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 inet 192.168.0.254 netmask 255.255.255.0 up"

See the section on network_interfaces in rc.conf(5) for more detail and some other possibilities.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
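A small check for the rule Matthew gives above (the address belongs on bridge0, not on a member interface), as an added example that is not part of the thread and not FreeBSD's own rc code: it parses an rc.conf fragment, lists the members named by addm in each ifconfig_bridgeN line, flags any member that still carries an inet address (or DHCP), and rewrites the static case into ipv4_addrs_bridgeN. Because rc.conf is sourced by sh, a later duplicate assignment silently wins, so the checker also reports duplicated keys, which is exactly what appending the handbook lines to the existing file would produce. The sample rc.conf is constructed from the one quoted in the thread; parse_rc_conf, duplicate_keys, bridge_members, member_addresses and fix_config are hypothetical helper names.

```python
"""Lint an rc.conf bridge setup: the IP belongs on bridgeN, not on a member.

Added example for the thread above; not FreeBSD's rc code. The sample
rc.conf is constructed from the one quoted in the thread, and the helper
names (parse_rc_conf, bridge_members, member_addresses, fix_config) are
hypothetical.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the poster's existing lines plus the handbook's bridge
# lines, minus the handbook's ifconfig_em0="up" (the line he asked about).
SAMPLE_RC_CONF = '''
gateway_enable="YES"
hostname="speedy.i"
ifconfig_fxp4="DHCP"
ifconfig_em0="inet 192.168.0.254 netmask 255.255.255.0"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm fxp0 addm fxp1 addm fxp2 addm fxp3 up"
ifconfig_fxp0="up"
ifconfig_fxp1="up"
ifconfig_fxp2="up"
ifconfig_fxp3="up"
'''

# VAR="value", VAR='value' or VAR=value, with an optional trailing comment.
_ASSIGN = re.compile(r'''^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|'([^']*)'|([^\s#]*))\s*(?:#.*)?$''')


def _assignments(text: str) -> Iterator[Tuple[str, str]]:
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            value = next(g for g in m.groups()[1:] if g is not None)
            yield m.group(1), value


def parse_rc_conf(text: str) -> Dict[str, str]:
    """Later assignments win, as they do when sh sources the file."""
    return dict(_assignments(text))


def duplicate_keys(text: str) -> List[str]:
    """Keys assigned more than once; the earlier value is silently lost."""
    seen, dups = set(), []
    for key, _ in _assignments(text):
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def bridge_members(conf: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each bridgeN to the interfaces named by 'addm' in its ifconfig_ line."""
    members = {}
    for key, val in conf.items():
        m = re.fullmatch(r"ifconfig_(bridge\d+)", key)
        if m:
            members[m.group(1)] = re.findall(r"\baddm\s+(\S+)", val)
    return members


def member_addresses(conf: Dict[str, str], members: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """(bridge, member, setting) for every member that still carries an address."""
    found = []
    for bridge, ifaces in members.items():
        for ifn in ifaces:
            val = conf.get(f"ifconfig_{ifn}", "")
            if (re.search(r"\binet6?\b", val) or "DHCP" in val.upper()
                    or conf.get(f"ipv4_addrs_{ifn}")):
                found.append((bridge, ifn, val))
    return found


def prefix_len(dotted: str) -> int:
    """255.255.255.0 -> 24"""
    return sum(bin(int(octet)).count("1") for octet in dotted.split("."))


def fix_config(conf: Dict[str, str]) -> Dict[str, str]:
    """Move a static inet address from a member onto ipv4_addrs_bridgeN."""
    fixed = dict(conf)
    for bridge, ifn, val in member_addresses(conf, bridge_members(conf)):
        m = re.search(r"inet\s+(\d+(?:\.\d+){3})\s+netmask\s+(\d+(?:\.\d+){3})", val)
        if m:
            fixed[f"ipv4_addrs_{bridge}"] = f"{m.group(1)}/{prefix_len(m.group(2))}"
            fixed[f"ifconfig_{ifn}"] = "up"
        # A member on DHCP or with ipv4_addrs_ is reported but left alone.
    return fixed


def render(conf: Dict[str, str]) -> str:
    return "".join(f'{k}="{v}"\n' for k, v in conf.items())


if __name__ == "__main__":
    conf = parse_rc_conf(SAMPLE_RC_CONF)
    for bridge, ifn, val in member_addresses(conf, bridge_members(conf)):
        print(f"{ifn} is a member of {bridge} but has ifconfig_{ifn}=\"{val}\"")
    print(render(fix_config(conf)))
```

Run as is, it reports em0 and prints the corrected file with ipv4_addrs_bridge0="192.168.0.254/24" and ifconfig_em0="up"; feed it the file with the handbook's ifconfig_em0="up" appended and duplicate_keys names ifconfig_em0, the case where the address would simply vanish at boot.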
Re: Network bridge, but assigned IP address
> To give the whole ensemble an IP address, simply set the IP on the bridge0
> interface. I think you can do it most easily by adding this line,
>
>     ipv4_addrs_bridge0="192.168.0.254/24"

Indeed, that works well.
Re: Windows 2008 + AD + PF + bridge = problems?
On Friday 31 July 2009 10:15:56 markham roan wrote:
> A packet capture revealed a number of anomalies. Once the server starts
> trying to join the domain, we get all sorts of TCP transmission errors,
> retries, duplicate ACKs etc. In some cases, the public side of the firewall
> will send an ICMP host-unreachable message for a host which is clearly being
> BINAT.
>
> I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to
> help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate,
> anyway.
>
> Does anyone have any thoughts and/or advice on where I can go from here?

No experience with the case at hand, but I do see that Vista started to use IGMP protocol even when there's no obvious need to do so. Given that "allow all" does in fact only allow a handful of IP protocols, excluding IGMP, you may want to investigate if you're not silently blocking (or not translating) one of the more obscure IP protocols.

--
Mel
Re: Windows 2008 + AD + PF + bridge = problems?
On Mon, Aug 3, 2009 at 5:15 PM, Mel Flynn mel.flynn+fbsd.questi...@mailing.thruhere.net wrote:
> On Friday 31 July 2009 10:15:56 markham roan wrote:
> > A packet capture revealed a number of anomalies. Once the server starts
> > trying to join the domain, we get all sorts of TCP transmission errors,
> > retries, duplicate ACKs etc. In some cases, the public side of the firewall
> > will send an ICMP host-unreachable message for a host which is clearly
> > being BINAT.
> >
> > I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to
> > help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate,
> > anyway.
> >
> > Does anyone have any thoughts and/or advice on where I can go from here?
>
> No experience with the case at hand, but I do see that Vista started to use
> IGMP protocol even when there's no obvious need to do so. Given that "allow
> all" does in fact only allow a handful of IP protocols, excluding IGMP, you
> may want to investigate if you're not silently blocking (or not translating)
> one of the more obscure IP protocols.
> --
> Mel

This might be way off base but I had a server that had issues like that and it ended up being the network cable going bad. It would send an ack but if you captured the ack and other packets at the destination server it would be missing bits. I have personally not had an issue with a pf firewall and server 2008 joining a 2003 domain but network card or cable could cause an issue like that.

What does tcpdump tell you on the firewall when monitoring PF while it joins, what rule(s) is it using when it joins?

--
Who knew
Re: Windows 2008 + AD + PF + bridge = problems?
> > Another idea could be giving 7.x a shot as it has newer version of PF IIRC.
>
> That's on the list of things to try, but upgrading will probably be painful,
> so I'm hoping to find something else first.

Something else you might want to try is to find/install the new PF from source, if you don't want to try a general upgrade.
Windows 2008 + AD + PF + bridge = problems?
Has anyone used Windows 2008 and active directory with a bridging, NATing firewall between the domain controller and the 2008 machine? We're in a situation where we're trying to join a domain with a 2008 machine, and no matter what we do to the firewall, joining stalls and fails.

    DC:       Windows Server 2003
    Server:   Windows Server 2008
    Firewall: FreeBSD 6.1 plus PF

We're doing bidirectional NAT on the clients, so the DC has a real address while the Server has an RFC1918 address. We are explicitly allowing all traffic between the server and the DC, with and later without keeping state. Windows Server 2003 machines behind the firewall join just fine, and Windows 2008 Server machines outside of the firewall join just fine.

A packet capture revealed a number of anomalies. Once the server starts trying to join the domain, we get all sorts of TCP transmission errors, retries, duplicate ACKs etc. In some cases, the public side of the firewall will send an ICMP host-unreachable message for a host which is clearly being BINAT.

I've tinkered with net.inet.ip.intr_queue_maxlen, but it doesn't seem to help. net.inet.ip.intr_queue_drops isn't increasing at a noticeable rate, anyway.

Does anyone have any thoughts and/or advice on where I can go from here?
Re: Windows 2008 + AD + PF + bridge = problems?
> Has anyone used Windows 2008 and active directory with a bridging, NATing
> firewall between the domain controller and the 2008 machine? We're in a
> situation where we're trying to join a domain with a 2008 machine, and no
> matter what we do to the firewall, joining stalls and fails.

Haven't used the combination myself, but in a couple of cases MS developer/beta evaluation staff has been quite helpful when Vista beta got all kind of funnies when trying to connect to internet via PF. So giving MS the information of the problems in traffic might (in case you want to help MS to troubleshoot Win2008...) help some.

Another idea could be giving 7.x a shot as it has newer version of PF IIRC.

-Reko
Re: Windows 2008 + AD + PF + bridge = problems?
On Fri, Jul 31, 2009 at 2:11 PM, Reko Turja reko.tu...@liukuma.net wrote:
> > Has anyone used Windows 2008 and active directory with a bridging, NATing
> > firewall between the domain controller and the 2008 machine? We're in a
> > situation where we're trying to join a domain with a 2008 machine, and no
> > matter what we do to the firewall, joining stalls and fails.
>
> Haven't used the combination myself, but in a couple of cases MS
> developer/beta evaluation staff has been quite helpful when Vista beta got
> all kind of funnies when trying to connect to internet via PF. So giving MS
> the information of the problems in traffic might (in case you want to help
> MS to troubleshoot Win2008...) help some.

Do you happen to have contact information for this team?

> Another idea could be giving 7.x a shot as it has newer version of PF IIRC.

That's on the list of things to try, but upgrading will probably be painful, so I'm hoping to find something else first.

Thanks!
Re: Windows 2008 + AD + PF + bridge = problems?
> Do you happen to have contact information for this team?

Sadly no, I just reported the perceived bug via Vista beta bug reporting - can't remember if that was from the OS itself or from the web, and got pretty fast reply and tech savvy responder from there.

-Reko
Bridge network device for VirtualBox
Hello,

I'm experimenting with the new VirtualBox port and want to implement a bridged network interface on the FreeBSD host. Could someone point me to some docs that may assist me?

BTW, the handbook advanced networking section, http://www.freebsd.org/doc/en/books/handbook/network-bridging.html, doesn't seem to apply to this application.

Thanks!

--
Regards,
Doug
Re: Bridge network device for VirtualBox
Hi,

Doug Poland wrote:
> Hello, I'm experimenting with the new VirtualBox port and want to implement a
> bridged network interface on the FreeBSD host. Could someone point me to
> some docs that may assist me?

Only NAT networking is available at the moment. I've updated the wiki page a few minutes ago with some other not working features: http://wiki.freebsd.org/VirtualBox

Maybe this helps.

Beat
Re: Bridge network device for VirtualBox
On Sun, Jul 05, 2009 at 03:10:07PM -0500, Doug Poland wrote:
> Hello, I'm experimenting with the new VirtualBox port and want to implement a
> bridged network interface on the FreeBSD host. Could someone point me to
> some docs that may assist me?
>
> BTW, the handbook advanced networking section,
> http://www.freebsd.org/doc/en/books/handbook/network-bridging.html, doesn't
> seem to apply to this application.

That's true, bridge network isn't ported yet: http://wiki.freebsd.org/VirtualBox

- Martin

> Thanks!
> --
> Regards,
> Doug

--
+---+---+
| PGP: 0xB1E6FCE9    | Jabber : miwi(at)BSDCrew.de  |
| Skype : splash_111 | Mail   : miwi(at)FreeBSD.org |
+---+---+
| Mess with the Best, Die like the Rest!            |
+---+---+
Re: Bridge network device for VirtualBox
On Sun, Jul 05, 2009 at 10:39:57PM +0200, Beat Gaetzi wrote:
> Hi,
>
> Doug Poland wrote:
> > Hello, I'm experimenting with the new VirtualBox port and want to implement
> > a bridged network interface on the FreeBSD host. Could someone point me to
> > some docs that may assist me?
>
> Only NAT networking is available at the moment. I've updated the wiki page a
> few minutes ago with some other not working features:
> http://wiki.freebsd.org/VirtualBox
>
> Maybe this helps.

Thanks for the heads-up.

--
Regards,
Doug
Re: Bridge network device for VirtualBox
Martin Wilke wrote:
> On Sun, Jul 05, 2009 at 03:10:07PM -0500, Doug Poland wrote:
> > Hello, I'm experimenting with the new VirtualBox port and want to implement
> > a bridged network interface on the FreeBSD host. Could someone point me to
> > some docs that may assist me?
> >
> > BTW, the handbook advanced networking section,
> > http://www.freebsd.org/doc/en/books/handbook/network-bridging.html, doesn't
> > seem to apply to this application.
>
> That's true, bridge network isn't ported yet: http://wiki.freebsd.org/VirtualBox

Thanks for the heads up. I look forward to trying out the port when it's ready.

--
Regards,
Doug
Re: Failure to get past a PCI bridge
On Thu, 28 May 2009 16:24:00 +0200 Josef Moellers josef.moell...@ts.fujitsu.com wrote:
> Hi,
>
> I'm trying to install 7.2-RELEASE on a pretty new system (a Fujitsu
> RX300S5). The first obstacle was the fact that while the system has an
> AT-Keyboard-Controller, it is not used (keyboard and mouse are connected via
> USB) and I have found that I can get past that by specifying
>
>     set hint.atkbd.0.disabled=1
>     set hint.atkbdc.0.disabled=1
>
> The install kernel then boots properly and reaches the Country Selection. At
> that point, no keyboard input is accepted. An optical mouse is off, so I
> assume the keyboard to be off, too.
>
> I have hooked up a serial connection to log the kernel's output (some 1000+
> lines):
>
>     set boot_serial=1
>     set boot_verbose=1
>     set boot_multicons=1
>     set console="comconsole vidconsole"
>
> The following lines make me wonder if the kernel fails to get past PCI
> bridges and this can't reach the UHCI controllers:
>
>     pcib0: <ACPI Host-PCI bridge> on acpi0
>     pcib0: could not get PCI interrupt routing table for \_SB_.CPU0 - AE_NOT_FOUND
>     :
>     pcib1: <ACPI Host-PCI bridge> on acpi0
>     pcib1: could not get PCI interrupt routing table for \_SB_.CPU1 - AE_NOT_FOUND
>     :
>     pcib2: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
>     pcib2: couldn't find _ADR
>     pcib2: trying bus number 2
>     pci2: <ACPI PCI bus> on pcib2
>     pci2: domain=0, physical bus=2
>
> I talked to the guy who does the BIOS for the machine and he says that it
> makes no sense for the kernel to try and find the _PRT for \_SB_.CPU0 or
> \_SB_.CPU1!
>
> Can anyone help? I haven't been using FreeBSD since 4.2 and haven't dug
> through deep kernel functions for quite some time.

Not directly, but you may do better posting that to the a...@freebsd.org list. See archives at http://lists.freebsd.org/pipermail/freebsd-acpi/

cheers, Ian
Re: Failure to get past a PCI bridge
Polytropon wrote:
> On Thu, 28 May 2009 16:24:00 +0200, Josef Moellers josef.moell...@ts.fujitsu.com wrote:
> > The install kernel then boots properly and reaches the Country Selection.
> > At that point, no keyboard input is accepted. An optical mouse is off, so
> > I assume the keyboard to be off, too.
>
> Not necessarily. Check the blinkenlights with caps lock, num lock and scroll
> lock (if present).

BTDTNT.

> If optical mouse doesn't have any light, it's nearly obvious that it doesn't
> get power from the USB port. This doesn't need to imply that the keyboard is
> off, too.

Yes, but none of the *Lock keys work either.

When trying to install without ACPI, I managed to get past the bridge, but then I got a Fatal trap:

    ---
    igb0: Reserved 0x2 bytes for rid 0x10 type 3 at 0xce26
    igb0: Reserved 0x4000 bytes for rid 0x1c type 3 at 0xce20
    igb0: attempting to allocate 3 MSI-X vectors (10 supported)

    Fatal trap 12: page fault while in kernel mode
    cpuid = 0; apic id = 00
    fault virtual address   = 0x18
    fault code              = supervisor read data, page not present
    instruction pointer     = 0x8:0x803e127d
    stack pointer           = 0x10:0x810d8830
    frame pointer           = 0x10:0x3
    code segment            = base 0x0, limit 0xf, type 0x1b
                            = DPL 0, pres 1, long 1, def32 0, gran 1
    processor eflags        = interrupt enabled, resume, IOPL = 0
    current process         = 0 (swapper)
    trap number             = 12
    panic: page fault
    --

I'll talk to the BIOS guy again, but if someone has some other ideas, I'd be grateful.

Josef

--
These are my personal views and not those of Fujitsu Technology Solutions!
Josef Möllers (Pinguinpfleger bei FTS)
If failure had no penalty success would not be a prize (T. Pratchett)
Company Details: http://de.ts.fujitsu.com/imprint.html
Failure to get past a PCI bridge
Hi,

I'm trying to install 7.2-RELEASE on a pretty new system (a Fujitsu RX300S5). The first obstacle was the fact that while the system has an AT-Keyboard-Controller, it is not used (keyboard and mouse are connected via USB) and I have found that I can get past that by specifying

    set hint.atkbd.0.disabled=1
    set hint.atkbdc.0.disabled=1

The install kernel then boots properly and reaches the Country Selection. At that point, no keyboard input is accepted. An optical mouse is off, so I assume the keyboard to be off, too.

I have hooked up a serial connection to log the kernel's output (some 1000+ lines):

    set boot_serial=1
    set boot_verbose=1
    set boot_multicons=1
    set console="comconsole vidconsole"

The following lines make me wonder if the kernel fails to get past PCI bridges and this can't reach the UHCI controllers:

    pcib0: <ACPI Host-PCI bridge> on acpi0
    pcib0: could not get PCI interrupt routing table for \_SB_.CPU0 - AE_NOT_FOUND
    :
    pcib1: <ACPI Host-PCI bridge> on acpi0
    pcib1: could not get PCI interrupt routing table for \_SB_.CPU1 - AE_NOT_FOUND
    :
    pcib2: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
    pcib2: couldn't find _ADR
    pcib2: trying bus number 2
    pci2: <ACPI PCI bus> on pcib2
    pci2: domain=0, physical bus=2

I talked to the guy who does the BIOS for the machine and he says that it makes no sense for the kernel to try and find the _PRT for \_SB_.CPU0 or \_SB_.CPU1!

Can anyone help? I haven't been using FreeBSD since 4.2 and haven't dug through deep kernel functions for quite some time.

Josef

--
These are my personal views and not those of Fujitsu Technology Solutions!
Josef Möllers (Pinguinpfleger bei FTS)
If failure had no penalty success would not be a prize (T. Pratchett)
Company Details: http://de.ts.fujitsu.com/imprint.html
Re: Failure to get past a PCI bridge
On Thu, 28 May 2009 16:24:00 +0200, Josef Moellers josef.moell...@ts.fujitsu.com wrote:
> The install kernel then boots properly and reaches the Country Selection. At
> that point, no keyboard input is accepted. An optical mouse is off, so I
> assume the keyboard to be off, too.

Not necessarily. Check the blinkenlights with caps lock, num lock and scroll lock (if present).

If optical mouse doesn't have any light, it's nearly obvious that it doesn't get power from the USB port. This doesn't need to imply that the keyboard is off, too.

--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: CARP bridge
Hi,

Nikos Vassiliadis wrote:
> Sebastiaan van Erk wrote:
> > Thanks for the suggestion. I tried it, but unfortunately the carp device
> > never leaves the INIT state when I put the ip on the bridge. :-(
> >
> > I did find some similar problem here:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=125816
>
> I just noticed that. On -CURRENT carp tells you that's not supported:
>
>     bridge0: carp is not supported for this interface type
>
> OTOH why do you even have to use the VIP from the remote side of the bridge?
> The only reason I can think of, for doing such a thing, is to get *all*
> traffic from the remote location through a single redundant router, the one
> with the VIP. Is this the case?

It is indeed a single redundant router, though the traffic from the other side of the bridge (the OpenVPN clients) generally don't need to be routed redundantly. The OpenVPN clients use OpenVPN's redundancy (multiple "remote xxx.xxx.xxx.xxx" lines), and thus use the non-redundant IP address of the OpenVPN client they're connected to as gateway (which is fine, because if the server dies OpenVPN connects to a different server anyway)...

So I don't really *NEED* the CARP ip address over the bridge (the static arp works, so I have a working solution, albeit an ugly one; an ARP request generates a reply from every member of the redundant cluster). I guess it's just not a supported configuration yet and it's not my stupidity (in this case anyway ;-)) that's the problem.

> Nikos

Regards,
Sebastiaan
Re: CARP bridge
Hi,

Sebastiaan van Erk wrote:
> So I don't really *NEED* the CARP ip address over the bridge (the static arp
> works, so I have a working solution, albeit an ugly one; an ARP request
> generates a reply from every member of the redundant cluster).

Just a guess, you could try adding the VIP/32 to the tap interface, instead of the static arp thing. Don't know if it will work, it is just a guess, which looks - to me - like a cleaner configuration. At least it's rc.conf friendly.

Just my 0.2 euros,

Nikos
Re: CARP bridge
Sebastiaan van Erk wrote:
> Thanks for the suggestion. I tried it, but unfortunately the carp device
> never leaves the INIT state when I put the ip on the bridge. :-(
>
> I did find some similar problem here:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=125816

I just noticed that. On -CURRENT carp tells you that's not supported:

    bridge0: carp is not supported for this interface type

OTOH why do you even have to use the VIP from the remote side of the bridge? The only reason I can think of, for doing such a thing, is to get *all* traffic from the remote location through a single redundant router, the one with the VIP. Is this the case?

Nikos
CARP bridge
Hi,

I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged (via bridge0) to the physical em1 interface, which has a VIP via a carp1 interface:

    em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 00:0c:29:61:2a:55
            inet 10.0.80.77 netmask 0xff00 broadcast 10.0.80.255
            media: Ethernet autoselect (1000baseTX <full-duplex>)
            status: active
    bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 9a:6a:9f:b2:65:da
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 11 priority 128 path cost 200
            member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                    ifmaxaddr 0 port 2 priority 128 path cost 2
    tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
            ether 00:bd:48:03:00:00
            Opened by PID 24616
    carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
            inet 10.0.80.74 netmask 0xff00
            carp: MASTER vhid 2 advbase 1 advskew 0

The problem I have is that when I ping the VIP from a VPN client (on tap0), the server receives arp requests for the VIP on tap0, but it does not respond to them:

    # tcpdump -i tap0 -ln
    11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6

Is there any way to get the server to respond to arp requests on tap0 for the VIP?

This is all on FreeBSD 7.1 with OpenVPN 2.0.6 (both client and server).

Regards,
Sebastiaan
Re: CARP bridge
Hi,

Julien Cigar wrote:
> On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:
> > Hi,
> >
> > I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged
> > (via bridge0) to the physical em1 interface, which has a VIP via a carp1
> > interface:
> >
> >     em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >             options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
> >             ether 00:0c:29:61:2a:55
> >             inet 10.0.80.77 netmask 0xff00 broadcast 10.0.80.255
> >             media: Ethernet autoselect (1000baseTX <full-duplex>)
> >             status: active
> >     bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >             ether 9a:6a:9f:b2:65:da
> >             id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
> >             maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
> >             root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> >             member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> >                     ifmaxaddr 0 port 11 priority 128 path cost 200
> >             member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
> >                     ifmaxaddr 0 port 2 priority 128 path cost 2
> >     tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >             ether 00:bd:48:03:00:00
> >             Opened by PID 24616
> >     carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
> >             inet 10.0.80.74 netmask 0xff00
> >             carp: MASTER vhid 2 advbase 1 advskew 0
> >
> > The problem I have is that when I ping the VIP from a VPN client (on tap0),
> > the server receives arp requests for the VIP on tap0, but it does not
> > respond to them:
> >
> >     # tcpdump -i tap0 -ln
> >     11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
> >
> > Is there any way to get the server to respond to arp requests on tap0 for
> > the VIP?
>
> Maybe you've to do ARP Proxy on one side ? Try to add an ARP entry in the
> ARP table with arp (arp -s 1.2.3.4 MAC foo) ..

Thanks for the suggestion.

Ok, static arp works: that is, if I take the carp1 mac address and add it to the arp table using:

    arp -s 10.0.80.74 00:00:5e:00:01:02 pub

The ping starts to work.

I'm still a bit confused why I have to do this though, because I can ping the non-shared IP 10.0.80.77 from the VPN client (via tap0) without any static arp, and I can ping the shared VIP (10.0.80.74) from clients on the physical network (em1) as well without any static arp. It's only when the ping has to cross the bridge that it's an issue.

Regards,
Sebastiaan
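A way to turn the tcpdump observation in this thread into a repeatable check, as an added example that is not from the thread and not FreeBSD or OpenVPN code: it parses "arp who-has" / "is-at" lines in the -ln format shown above, counts the requests for the VIP that get no reply within a timeout on each interface, lists the MAC addresses that did answer for it, and names the interfaces on which the VIP is silent. The capture below is constructed; the leading interface column is assumed to be prepended by whoever collects one capture per interface (tcpdump itself does not print it). parse_arp, unanswered, responders and silent_interfaces are hypothetical names; 10.0.80.74 and the addresses in the sample are taken from the thread.

```python
"""Check, per interface, whether ARP requests for a given address are answered.

Added example for the CARP-over-bridge thread; not code from the thread or
from FreeBSD. Function names are hypothetical.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

VIP = "10.0.80.74"  # the carp1 address from the thread

# Constructed capture. tcpdump -ln prints the timestamp first; the leading
# interface column is assumed to be added by the collector, it is not tcpdump
# output. On em1 the VIP is answered by the CARP MAC; on tap0 it is not.
SAMPLE_CAPTURE = """
em1  11:29:10.000100 arp who-has 10.0.80.74 tell 10.0.80.20
em1  11:29:10.000350 arp reply 10.0.80.74 is-at 00:00:5e:00:01:02
tap0 11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6
tap0 11:29:14.640000 arp who-has 10.0.80.74 tell 10.0.80.6
tap0 11:29:15.642000 arp who-has 10.0.80.77 tell 10.0.80.6
tap0 11:29:15.642400 arp reply 10.0.80.77 is-at 00:0c:29:61:2a:55
"""

ARP_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+arp\s+"
    r"(?:who-has\s+(?P<target>\S+)\s+tell\s+(?P<sender>\S+)"
    r"|reply\s+(?P<answered>\S+)\s+is-at\s+(?P<mac>\S+))$"
)

# (interface, seconds since midnight, "request" | "reply", address, peer)
# peer is the asking IP for a request and the answering MAC for a reply.
Event = Tuple[str, float, str, str, str]


def to_seconds(hms: str) -> float:
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_arp(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # non-ARP or unparsable line: ignore
        ts = to_seconds(m.group("ts"))
        if m.group("target"):
            events.append((m.group("iface"), ts, "request", m.group("target"), m.group("sender")))
        else:
            events.append((m.group("iface"), ts, "reply", m.group("answered"), m.group("mac")))
    return events


def unanswered(events: List[Event], target: str, timeout: float = 1.0) -> Dict[str, int]:
    """Per interface: requests for target with no is-at for target within timeout seconds."""
    by_iface: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_iface[ev[0]].append(ev)
    misses: Dict[str, int] = {}
    for iface, evs in by_iface.items():
        evs.sort(key=lambda e: e[1])
        count = 0
        for i, (_, ts, kind, addr, _) in enumerate(evs):
            if kind != "request" or addr != target:
                continue
            answered = any(k == "reply" and a == target and ts <= t2 <= ts + timeout
                           for _, t2, k, a, _ in evs[i + 1:])
            if not answered:
                count += 1
        misses[iface] = count
    return misses


def responders(events: List[Event], target: str) -> Dict[str, Set[str]]:
    """Which MAC addresses answered for target on each interface."""
    macs: Dict[str, Set[str]] = defaultdict(set)
    for iface, _, kind, addr, peer in events:
        if kind == "reply" and addr == target:
            macs[iface].add(peer)
    return dict(macs)


def silent_interfaces(events: List[Event], target: str, timeout: float = 1.0) -> List[str]:
    """Interfaces on which at least one request for target went unanswered."""
    return sorted(i for i, n in unanswered(events, target, timeout).items() if n > 0)


if __name__ == "__main__":
    evs = parse_arp(SAMPLE_CAPTURE)
    print("unanswered:", unanswered(evs, VIP))
    print("responders:", responders(evs, VIP))
    print("silent on:", silent_interfaces(evs, VIP))
```

On the constructed capture the VIP is unanswered twice on tap0 and zero times on em1, the symptom Sebastiaan describes; after the "arp -s ... pub" entry the tap0 count should drop to zero. The responders map is worth keeping an eye on once several cluster members publish the same entry, since it shows every MAC that claims the VIP on each interface.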
Re: CARP bridge
On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote: Hi, I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged (via bridge0) to the physical em1 interface, which has a VIP via a carp1 interface: em1: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 1500 options=98VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM ether 00:0c:29:61:2a:55 inet 10.0.80.77 netmask 0xff00 broadcast 10.0.80.255 media: Ethernet autoselect (1000baseTX full-duplex) status: active bridge0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500 ether 9a:6a:9f:b2:65:da id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: tap0 flags=143LEARNING,DISCOVER,AUTOEDGE,AUTOPTP ifmaxaddr 0 port 11 priority 128 path cost 200 member: em1 flags=143LEARNING,DISCOVER,AUTOEDGE,AUTOPTP ifmaxaddr 0 port 2 priority 128 path cost 2 tap0: flags=8943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST metric 0 mtu 1500 ether 00:bd:48:03:00:00 Opened by PID 24616 carp1: flags=49UP,LOOPBACK,RUNNING metric 0 mtu 1500 inet 10.0.80.74 netmask 0xff00 carp: MASTER vhid 2 advbase 1 advskew 0 The problem I have is that when I ping the VIP from a VPN client (on tap0), the server receives arp requests for the VIP on tap0, but it does not respond to them: # tcpdump -i tap0 -ln 11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6 Is there any way to get the server to respond to arp requests on tap0 for the VIP? Maybe you've to do ARP Proxy on one side ? Try to add an ARP entry in the ARP table with arp (arp -s 1.2.3.4 MAC foo) .. This is all on FreeBSD 7.1 with OpenVPN 2.0.6 (both client and server). 
Regards,
Sebastiaan

--
Julien Cigar
Belgian Biodiversity Platform
http://www.biodiversity.be
Université Libre de Bruxelles (ULB)
Campus de la Plaine CP 257
Bâtiment NO, Bureau 4 N4 115C (Niveau 4)
Boulevard du Triomphe, entrée ULB 2
B-1050 Bruxelles
Mail: jci...@ulb.ac.be
@biobel: http://biobel.biodiversity.be/person/show/471
Tel : 02 650 57 52

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: CARP bridge
Sebastiaan van Erk wrote:

Hi,

Julien Cigar wrote:

On Wed, 2009-04-29 at 11:37 +0200, Sebastiaan van Erk wrote:

Hi,

I have a bridged OpenVPN setup where the OpenVPN tap0 driver is bridged (via bridge0) to the physical em1 interface, which has a VIP via a carp1 interface:

em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:61:2a:55
	inet 10.0.80.77 netmask 0xffffff00 broadcast 10.0.80.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 9a:6a:9f:b2:65:da
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 11 priority 128 path cost 200
	member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 2 priority 128 path cost 2
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:bd:48:03:00:00
	Opened by PID 24616
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 10.0.80.74 netmask 0xffffff00
	carp: MASTER vhid 2 advbase 1 advskew 0

The problem I have is that when I ping the VIP from a VPN client (on tap0), the server receives arp requests for the VIP on tap0, but it does not respond to them:

# tcpdump -i tap0 -ln
11:29:13.637048 arp who-has 10.0.80.74 tell 10.0.80.6

Is there any way to get the server to respond to arp requests on tap0 for the VIP?

Maybe you have to do ARP proxy on one side? Try to add an ARP entry in the ARP table with arp (arp -s 1.2.3.4 MAC foo)..

Thanks for the suggestion. Ok, static arp works: that is, if I take the carp1 mac address and add it to the arp table using:

arp -s 10.0.80.74 00:00:5e:00:01:02 pub

The ping starts to work.

I'm still a bit confused why I have to do this though, because I can ping the non-shared IP 10.0.80.77 from the VPN client (via tap0) without any static arp, and I can ping the shared VIP (10.0.80.74) from clients on the physical network (em1) as well without any static arp. It's only when the ping has to cross the bridge that it's an issue.

Does it make any difference if you set the IP address on the bridge0 iface and not on the physical one? I recall that the recommended setup is to use IP addresses on the bridge interface and leave the members of the bridge IP-less.

Nikos
Re: CARP bridge
Hi,

Nikos Vassiliadis wrote:

Sebastiaan van Erk wrote:

Julien Cigar wrote:

Maybe you have to do ARP proxy on one side? Try to add an ARP entry in the ARP table with arp (arp -s 1.2.3.4 MAC foo)..

Thanks for the suggestion. Ok, static arp works: that is, if I take the carp1 mac address and add it to the arp table using:

arp -s 10.0.80.74 00:00:5e:00:01:02 pub

The ping starts to work.

I'm still a bit confused why I have to do this though, because I can ping the non-shared IP 10.0.80.77 from the VPN client (via tap0) without any static arp, and I can ping the shared VIP (10.0.80.74) from clients on the physical network (em1) as well without any static arp. It's only when the ping has to cross the bridge that it's an issue.

Does it make any difference if you set the IP address on the bridge0 iface and not on the physical one? I recall that the recommended setup is to use IP addresses on the bridge interface and leave the members of the bridge IP-less.

Nikos

Thanks for the suggestion. I tried it, but unfortunately the carp device never leaves the INIT state when I put the ip on the bridge. :-(

I did find some similar problem here: http://www.freebsd.org/cgi/query-pr.cgi?pr=125816

Regards,
Sebastiaan
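The workaround that the thread settles on is a static published ARP entry for the VIP. The MAC used in it is not arbitrary: CARP, like VRRP, derives the virtual MAC from the vhid as 00:00:5e:00:01:<vhid>, which is why vhid 2 gives 00:00:5e:00:01:02. The script below is an added example, not code from anyone in the thread or from FreeBSD: it generates that entry from the vhid and, the caveat a static entry needs, ties it to the CARP state, because an `arp -s ... pub` entry keeps answering ARP whether or not this host is still MASTER, so it has to be removed on failover (run the command from cron or a state-change hook). Interface and address names (carp1, 10.0.80.74, vhid 2) are taken from the thread; function names and the sample ifconfig text are mine.

```shell
#!/bin/sh
# Added example (not from the thread): derive the CARP virtual MAC from the vhid
# and emit the arp(8) command that matches the current CARP state.

# CARP/VRRP virtual MAC is 00:00:5e:00:01:<vhid>, vhid as two hex digits.
# Fails for anything that is not an integer in 1..255.
carp_mac() {
    vhid=$1
    case $vhid in
        ''|*[!0-9]*) echo "carp_mac: vhid must be a number: '$vhid'" >&2; return 1 ;;
    esac
    if [ "$vhid" -lt 1 ] || [ "$vhid" -gt 255 ]; then
        echo "carp_mac: vhid out of range: $vhid" >&2
        return 1
    fi
    printf '00:00:5e:00:01:%02x\n' "$vhid"
}

# CARP state (MASTER, BACKUP or INIT) read from ifconfig(8) output for the
# carp interface, passed as a single string.
carp_state() {
    printf '%s\n' "$1" | awk '/^[ \t]*carp: / { print $2; exit }'
}

# The arp(8) command that matches the CARP state: a published static entry
# answers ARP on every interface regardless of CARP state, so publish only
# while MASTER and delete the entry otherwise.
vip_arp_cmd() {
    vip=$1; vhid=$2; ifcfg=$3
    mac=$(carp_mac "$vhid") || return 1
    case $(carp_state "$ifcfg") in
        MASTER) echo "arp -s $vip $mac pub" ;;
        *)      echo "arp -d $vip" ;;
    esac
}

# Constructed sample: the carp1 block from the ifconfig output posted above.
SAMPLE_CARP1='carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 10.0.80.74 netmask 0xffffff00
	carp: MASTER vhid 2 advbase 1 advskew 0'

# On a live host you would run:  vip_arp_cmd 10.0.80.74 2 "$(ifconfig carp1)" | sh
vip_arp_cmd 10.0.80.74 2 "$SAMPLE_CARP1"
```

Piping the emitted command into sh from a periodic job keeps the proxy entry consistent with whichever host currently holds the VIP; a host that has fallen back to BACKUP then stops answering for it on tap0.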
problem with bridge + ipfw
Hi!

I have run into the following problem: I set up a bridge on FreeBSD 6.3 with the if_bridge module, but traffic passing through the bridge is not being filtered. Here is how it all looks:

# ifconfig
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	ether 00:a0:c9:65:c1:35
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	ether 00:90:27:85:b7:95
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	ether 4c:00:10:60:67:ca
	media: Ethernet autoselect
	status: no carrier
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
	inet 192.168.5.28 netmask 0xffffff00 broadcast 192.168.5.255
	ether 00:0f:ea:f9:a6:ff
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether b6:c3:a2:cc:06:65
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: fxp1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>

# sysctl -a | grep bridge
net.link.ether.bridge_cfg:
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipf: 0
net.link.ether.bridge.config:
net.link.ether.bridge.enable: 0
net.link.ether.bridge.predict: 0
net.link.ether.bridge.dropped: 0
net.link.ether.bridge.packets: 0
net.link.ether.bridge.ipfw_collisions: 0
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.copy: 0
net.link.ether.bridge.ipfw: 1
net.link.ether.bridge.ipf: 0
net.link.ether.bridge.debug: 0
net.link.ether.bridge.version: 031224
net.link.bridge.pfil_onlyip: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_local_phys: 1
net.link.bridge.log_stp: 0
net.link.bridge.ipfw: 1

# ipfw show
00100 0 0 allow ip from 85.159.31.54 to any layer2 via bridge0
00200 65885 allow ip from 85.159.31.54 to any layer2
00300 0 0 allow ip from 85.159.31.54 to any layer2 via fxp1
00400 0 0 allow ip from 85.159.31.54 to any layer2 via fxp0
00500 0 0 allow ip from 85.159.31.54 to any via fxp0
00600 0 0 allow ip from 85.159.31.54 to any layer2 via bridge0 mac-type 0x8100
00700 0 0 allow ip from 85.159.31.54 to any via bridge0 mac-type 0x8100
00800 0 0 allow ip from 85.159.31.54 to any via fxp0 mac-type 0x8100
00900 0 0 allow ip from 85.159.31.54 to any via fxp1 mac-type 0x8100
01000 0 0 allow ip from 85.159.31.54 to any via bridge0 layer2 MAC any any mac-type 0x8100
01100 0 0 allow ip from 85.159.31.54 to any via bridge0 MAC any any mac-type 0x8100
01200 0 0 allow ip from 85.159.31.54 to any via bridge0 mac-type 0x8100
01300 10874732 657168582 count ip from any to any layer2 via bridge0
01400 82562 7154845 count ip from any to any not layer2 via bridge0
01500 10611069 640854269 count ip from any to any layer2 via bridge0 mac-type 0x8100
01600 77929 6682967 count ip from any to any layer2 via bridge0 mac-type 0x0800
01700 0 0 count ip from any to any not layer2 via bridge0 mac-type 0x8100
01800 0 0 count ip from any to any not layer2 via bridge0 mac-type 0x0800
01900 0 0 count ip from any to any not layer2 via bridge0 mac-type 0x8100
02000 0 0 count ip from 85.159.31.54 to any layer2 via bridge0 mac-type 0x8100
02100 0 0 count ip from 85.159.31.54 to any layer2 via bridge0 mac-type 0x0800
02200 0 0 count ip from 85.159.31.54 to any not layer2 via bridge0 mac-type 0x8100
02300 0 0 count ip from 85.159.31.54 to any not layer2 via bridge0 mac-type 0x0800
02400 640285 437872365 count ip from any to any layer2 via fxp0
02500 4019 426922 count ip from any to any not layer2 via fxp0
02600 621668 426064356 count ip from any to any layer2 via fxp0 mac-type 0x8100
02700 1091 142307 count ip from any to any layer2 via fxp0 mac-type 0x0800
02800 0 0 count ip from any to any not layer2 via fxp0 mac-type 0x8100
02900 0
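The `count` rules in the post are the right diagnostic: they show where the bridge actually hands frames to ipfw. The script below is an added example, not the poster's code or part of FreeBSD; it reads `ipfw show` output and reports which rules see traffic, which never match, and what share of the layer2 frames on bridge0 carry an 802.1Q tag (mac-type 0x8100). On the counters above every rule keyed on `ip from 85.159.31.54` has zero hits while about 97.6% of the bridged layer2 frames are VLAN-tagged, which is the first thing to reconcile with rules written for plain IP. One further check from if_bridge(4): setting net.link.bridge.ipfw to 1 is documented to turn off pfil_bridge and pfil_member so that ipfw is not run twice; here all three are 1, so a frame can be presented to ipfw more than once and the counters overstate the traffic. The sample text is a constructed excerpt of the counters posted above; function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `ipfw show` counters.
# Live use:  ipfw show | rules_by_hits      or      rule_pkts 1300 "$(ipfw show)"

# Constructed sample: an excerpt of the counters posted above.
SAMPLE_IPFW='00100 0 0 allow ip from 85.159.31.54 to any layer2 via bridge0
00500 0 0 allow ip from 85.159.31.54 to any via fxp0
01300 10874732 657168582 count ip from any to any layer2 via bridge0
01400 82562 7154845 count ip from any to any not layer2 via bridge0
01500 10611069 640854269 count ip from any to any layer2 via bridge0 mac-type 0x8100
01600 77929 6682967 count ip from any to any layer2 via bridge0 mac-type 0x0800
02400 640285 437872365 count ip from any to any layer2 via fxp0
02500 4019 426922 count ip from any to any not layer2 via fxp0'

# Packet counter of one rule. Usage: rule_pkts NUM [ipfw-show-text]
# Rule numbers compare numerically, so 1300 and 01300 both work.
rule_pkts() {
    printf '%s\n' "${2:-$SAMPLE_IPFW}" | awk -v n="$1" '$1+0 == n+0 { print $2; exit }'
}

# Space-separated list of rule numbers that have never matched a packet.
zero_hit_rules() {
    printf '%s\n' "${1:-$SAMPLE_IPFW}" | awk '$2+0 == 0 { print $1 }' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Filter: rules sorted by packet count, busiest first (reads stdin).
rules_by_hits() {
    sort -k2,2nr
}

# Percentage of the packets counted by rule A that rule B also counted,
# e.g. the share of layer2 frames on bridge0 that are 802.1Q tagged.
# Prints n/a when rule A is missing or has no hits (avoids divide by zero).
share_pct() {
    a=$(rule_pkts "$1" "${3:-$SAMPLE_IPFW}")
    b=$(rule_pkts "$2" "${3:-$SAMPLE_IPFW}")
    awk -v a="$a" -v b="$b" 'BEGIN {
        if (a + 0 == 0) { print "n/a"; exit }
        printf "%.1f", 100 * b / a }'
}

printf '%s\n' "$SAMPLE_IPFW" | rules_by_hits
echo "rules with zero hits: $(zero_hit_rules)"
echo "802.1Q share of layer2 frames on bridge0: $(share_pct 1300 1500)%"
echo "untagged IPv4 share of layer2 frames on bridge0: $(share_pct 1300 1600)%"
```

Run against the live `ipfw show` output, the zero-hit list tells you which allow rules the bridge never reaches, and the tagged share tells you whether the frames ipfw is being asked to classify look like the frames the rules were written for.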
Re: Creating a 10km wireless bridge...pointers?
Hello.

I used to make wireless links too, and my best experiences are:

ADSL-MODEM (bridge mode) ==|switch| === FreeBSD with pppoe, nat, ipfw
                              ||
                           wireless (--10km--) wireless
                                                  ||
                                               |switch|
                                               ||||||
                                               users...

FreeBSD is a small machine (Celeron, P2, P3), 256 MB memory, 4 GB or more disk, 1 ethernet.

Software on FreeBSD: ppp using bridge mode (I suppose your ADSL is PPPoE), man ppp. The ADSL modem is configured to work in bridge mode and, as you see, is connected to the switch together with the FreeBSD box and the wireless bridge.

Wireless bridge: this is the tricky point of the project... After searching and testing various radios/switches, I decided on the AirLive 5460 AP2, http://www.airlive.com. Configure both APs in bridge mode with WDS enabled and 21 dB of output power.

Antennas: the radios must use a short pigtail and be as near as possible to the antenna... I build the antennas using a cantenna project, http://www.turnpoint.net/wireless/cantennahowto.html. The two points must be visual, that is, from one point you must see the other. Beware of water (lakes, flat fields...) between the points, stay away from trees, put the antennas at about 6 m from the soil...

10 km... You must try. I have one link of 7 km here with good performance for several clients (10 clients), about 3 Mbit/s. The radios cost about 45 dollars each, the pigtail is 5 dollars, the antenna is about 5 dollars each, the switches are about 20 dollars each...

Should work. Hope I could help...

Sergio
Re: Creating a 10km wireless bridge...pointers?
10 km... You must try. I have one link of 7 km here with good performance for several clients (10 clients), about 3 Mbit/s. The radios cost about 45 dollars each, the pigtail is 5 dollars, the antenna is about 5 dollars each.

It's really worth spending at least 50$ for each antenna to be sure it will be stable at 10 km with huge margins.
Re: Creating a 10km wireless bridge...pointers?
On Wed, 2009-03-25 at 13:32 +0100, Wojciech Puchar wrote:

It's really worth spending at least 50$ for each antenna to be sure it will be stable at 10 km with huge margins.

I agree with you... but here (in Brazil) the 24 dBi antennas are so bad that using a can seems to work better... a 24 dB antenna here costs 24 dollars... a good USA-made antenna costs 200 dollars each, and is difficult to find...

I agree with you that wireless success is a matter of antennas: the better the antennas and positioning, the better the success you have in a small-budget project...

By the way, Mr Puchar, what are the radios you recommend or use?
Re: Creating a 10km wireless bridge...pointers?
I agree with you... but here (in Brazil) the 24 dBi antennas are so bad that using a can seems to work better... a 24 dB antenna here costs 24 dollars...

Looks like a bad joke. You can make an antenna from a few copper wires and expanded polystyrene; getting 12-14 dB isn't hard (I mean a yagi).

By the way, Mr Puchar, what are the radios you recommend or use?

I haven't used radios for a long time, so I cannot recommend one now. Anyway, it's less important than the antennas: the one that has the best distance with the built-in 1 dB antennas will be best with antennas over a long distance. And make sure they have bridge mode, not only AP or AP-client; it always makes a difference.
Re: Creating a 10km wireless bridge...pointers?
On Sat, Mar 21, 2009 at 6:43 AM, Modulok modu...@gmail.com wrote:

List,

I have been tasked with getting a DSL connection across about 10km of no-man's-land to a rural location without internet access. Ideally, all traffic inbetween the two directional antennas would be encrypted. (Nice, but not entirely required.) 3Mb/s would be great!

Something like: LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL

I'm looking for general pointers of both hardware and software to achieve this. I'd like to employ FreeBSD as much as is feasible. This is my first WAN network project, so even newbie pointers and general references would be much appreciated. (Hardware suggestions, books to read, etc.) Reliability is of mild concern, simply because I don't want to drive 10km at 3:00am when something breaks.

Tips? References? Advice?

Maybe you should use two embedded boards (to build your BSD router), like this: http://www.pcengines.ch/alix2d0.htm or like this: http://www.soekris.com/net4526.htm. The second one is more expensive than the first one.

By attaching one powerful mini-PCI Atheros wireless card to each embedded board you might get a long distance. You ought to use a mini-PCI wireless card like this: http://www.netgate.com/product_info.php?cPath=26_34products_id=694. It's a very expensive wireless card, but it's a very powerful card too; it works with 1 watt of power in IEEE 802.11g/b modes. You also need to use two good directional antennas, maybe like this: http://www.netgate.com/product_info.php?products_id=395

I have used the embedded hardware http://www.pcengines.ch/alix2d0.htm with NanoBSD and I got good results, but I never needed to get long distances like you.

--
Linux is for people who hate Windows, BSD is for people who love UNIX.
Social Engineer - Because there is no patch for human stupidity
The Unix Guru's View of Sex: unzip ; strip ; touch ; grep ; finger ; mount ; fsck ; more ; yes ; umount ; sleep.
Documentation is like sex: when it is good, it is very, very good; and when it is bad, it is better than nothing.
Re: Creating a 10km wireless bridge...pointers?
Modulok wrote:

List,

I have been tasked with getting a DSL connection across about 10km of no-man's-land to a rural location without internet access. Ideally, all traffic inbetween the two directional antennas would be encrypted. (Nice, but not entirely required.) 3Mb/s would be great!

Something like: LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL

I'm looking for general pointers of both hardware and software to achieve this.

One option: gnswireless.com

We have a couple of short-haul wireless setups from them. They work out of the box, and they seem to provide good support as well.

I'd like to employ FreeBSD as much as is feasible. This is my first WAN network project, so even newbie pointers and general references would be much appreciated. (Hardware suggestions, books to read, etc.) Reliability is of mild concern, simply because I don't want to drive 10km at 3:00am when something breaks.

Tips? References? Advice?

-Modulok-
Re: Creating a 10km wireless bridge...pointers?
Hi,

I have been tasked with getting a DSL connection across about 10km of no-man's-land to a rural location without internet access. Ideally, all traffic inbetween the two directional antennas would be encrypted. (Nice, but not entirely required.) 3Mb/s would be great!

Something like: LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL

I'm looking for general pointers of both hardware and software to achieve this. I'd like to employ FreeBSD as much as is feasible. This is my first WAN network project, so even newbie pointers and general references would be much appreciated. (Hardware suggestions, books to read, etc.) Reliability is of mild concern, simply because I don't want to drive 10km at 3:00am when something breaks.

Tips? References? Advice?

We have something of the sort running between a Thai university and the National University of Laos. The purpose is to connect the Lao university to the Thai university and research network. Expected speed is 10 Mbps. You can email me personally at the end of April, then I will be able to give you more details :) I will not go to Laos for another month, and until then I cannot remember the brand of the radio equipment.

The National University of Laos used to have their network to remote campus locations built over the air, using consumer-grade WiFi access points; they were not really stable.

Regarding your set-up, I think it is nothing different from: LAN-BSDrouter-1-DSL, only the link between the BSDrouter and the DSL provider is a bit longer.

On your concern about travelling 10 km at 3:00, you can locate the BSDrouter at either end of the radio link; it will not change much of the volume of traffic crossing the radio link, unless the BSDrouter is also doing some heavy proxying. So you could locate the BSDrouter at the end closest to your home.

Only one remark: if that BSDrouter is to serve as DHCP and such, it is best located at the LAN end. If the radio link goes down, the clients on the LAN can still access their DHCP server, and they can still communicate inside the LAN. If the BSDrouter is located at the DSL end and the radio link goes down, the clients in the LAN will not manage to get an IP and will not be able to communicate among each other.

Best regards,
Olivier
Re: Creating a 10km wireless bridge...pointers?
Best encrypted, or at least use point-to-point adhoc in bridge mode rather than point-to-AP unencrypted, which will surely get abused.

Quite available in Poland, where people have unencrypted APs at home. A good antenna and you get free (and anonymous ;) access to the net. Easily.

With +15dBm antennae you should get (at least lower) 11g rates, and if you can afford 20+dBm dish grid antennae, so much the faster.

Grid antennas for 2.4 GHz are not expensive. The best available there are about 24 dB; take them to have a LARGE margin for noise.

As others have said - avoid amplifiers, spend most on good antennae and

Amplifiers make sense ONLY when there is something on the line that damps the signal (like a few trees) and you can't avoid that. But still it's not good: snow would fall on the trees and then nothing will help.
Re: Creating a 10km wireless bridge...pointers?
On Sun, 22 Mar 2009, Wojciech Puchar wrote:

Best encrypted, or at least use point-to-point adhoc in bridge mode rather than point-to-AP unencrypted, which will surely get abused.

Quite available in Poland, where people have unencrypted APs at home. A good antenna and you get free (and anonymous ;) access to the net.

My point exactly :)

Easily. With +15dBm antennae you should get (at least lower) 11g rates, and if you can afford 20+dBm dish grid antennae, so much the faster.

Grid antennas for 2.4 GHz are not expensive. The best available there are about 24 dB; take them to have a LARGE margin for noise.

It's a few years since I priced some of those; they're likely much cheaper now. Then something like AU$200 + coax + fittings per end.

As others have said - avoid amplifiers, spend most on good antennae and

Amplifiers make sense ONLY when there is something on the line that damps the signal (like a few trees) and you can't avoid that. But still it's not good: snow would fall on the trees and then nothing will help.

There's good discussion of that and fresnel zones etc. in that WNDW book. BTW, I've since explored a bit and found what looks like a very useful companion (free, PDF) book "How to Accelerate Your Internet" that I've yet to read beyond the table of contents getting my attention, and a quick browse to scope the Traffic Shaping section. http://bwmo.net/

Very timely for me anyway; I have to tackle some Debian boxes in coming weeks, doing a crash course in iptables re both firewall and shaping.

cheers, Ian
Re: Creating a 10km wireless bridge...pointers?
You guys are sweethearts! Thanks to everyone who contributed! It has been quite helpful. I have much reading to do :)

-Modulok-
Creating a 10km wireless bridge...pointers?
List,

I have been tasked with getting a DSL connection across about 10km of no-man's-land to a rural location without internet access. Ideally, all traffic inbetween the two directional antennas would be encrypted. (Nice, but not entirely required.) 3Mb/s would be great!

Something like: LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL

I'm looking for general pointers of both hardware and software to achieve this. I'd like to employ FreeBSD as much as is feasible. This is my first WAN network project, so even newbie pointers and general references would be much appreciated. (Hardware suggestions, books to read, etc.) Reliability is of mild concern, simply because I don't want to drive 10km at 3:00am when something breaks.

Tips? References? Advice?

-Modulok-
Re: Creating a 10km wireless bridge...pointers?
On Sat, 21 Mar 2009 06:43:01 -0600, Modulok modu...@gmail.com wrote:

Something like: LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL

Your BSD router would act as a gateway, eventually using functions like IPDIVERT and DHCPd via RF. It would then serve as an AP, put in simple words. This should be achievable mostly by means of the base OS.

For the RF transmission part, you will need antennas (yagí type ideally) with a good signal gain and narrow radiation. It's possible to build them, but I'm sure they're sold, too. Optionally, a power amplifier (PA) may be added on both ends to strengthen the signal if it's too low.

In case you have something in the way that hinders a direct view from your desired AP to the client (e. g. a mountain), things get a bit more complicated; a repeater would be needed. But as long as you can see it, you can connect it. :-)

Coming back to your suggestion, I'd express it as follows:

                          ~ ~                  ~ ~
                          V V                  V V
                           |                    |
            +--------------+---+  ^ -- v  +-----+--------+
DSL in      | wireless NIC     |          | wireless NIC |
the wall--*-| ethernet NIC     |          |              |
            +------------------+          +--------------+
at your       your FreeBSD AP box           client's box
site
* insert modem if needed

I'm not sure why you want to employ a modem on the client's site. If it's only about Internet access, it's usable via the WLAN component already. If you want to handle IP telephony and multiple clients... well, more complicated, the client's all-in-one modem / splitter / router / DHCP server / firewall / whatnot would need to connect to the RF bridge; I'm not sure if this is possible even if the modem offers WLAN antennas.

Tips? References? Advice?

Sorry, no. :-) Just some basic thoughts from a radio amateur and FreeBSD user.

--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Creating a 10km wireless bridge...pointers?
Just take some advice from the owner of a WISP... and a FreeBSD user.

If you're only trying to get connectivity, at less than 500 USD this is easily accomplished: buy a couple of high-end radios with built-in antennas (Ubiquiti PowerStations come to mind), place one at each end of the link, and if line of sight is close to good, you're done. I've done numerous long-distance links, the longest being 17 km in extreme terrain. Spend the money, have zero headaches; it'll even do PPPoE for the DSL link. If you want to add a BSD box, fine, but in this instance it's really not needed.

On Sat, Mar 21, 2009 at 8:16 PM, Polytropon free...@edvax.de wrote:

On Sat, 21 Mar 2009 06:43:01 -0600, Modulok modu...@gmail.com wrote:

Something like: LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL

Your BSD router would act as a gateway, eventually using functions like IPDIVERT and DHCPd via RF. It would then serve as an AP, put in simple words. This should be achievable mostly by means of the base OS.

For the RF transmission part, you will need antennas (yagí type ideally) with a good signal gain and narrow radiation. It's possible to build them, but I'm sure they're sold, too. Optionally, a power amplifier (PA) may be added on both ends to strengthen the signal if it's too low.

In case you have something in the way that hinders a direct view from your desired AP to the client (e. g. a mountain), things get a bit more complicated; a repeater would be needed. But as long as you can see it, you can connect it. :-)

Coming back to your suggestion, I'd express it as follows:

                          ~ ~                  ~ ~
                          V V                  V V
                           |                    |
            +--------------+---+  ^ -- v  +-----+--------+
DSL in      | wireless NIC     |          | wireless NIC |
the wall--*-| ethernet NIC     |          |              |
            +------------------+          +--------------+
at your       your FreeBSD AP box           client's box
site
* insert modem if needed

I'm not sure why you want to employ a modem on the client's site. If it's only about Internet access, it's usable via the WLAN component already. If you want to handle IP telephony and multiple clients... well, more complicated, the client's all-in-one modem / splitter / router / DHCP server / firewall / whatnot would need to connect to the RF bridge; I'm not sure if this is possible even if the modem offers WLAN antennas.

Tips? References? Advice?

Sorry, no. :-) Just some basic thoughts from a radio amateur and FreeBSD user.

--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Creating a 10km wireless bridge...pointers?
Hi,

Have a look at Microtik's equipment, very cheap for what it does and Linux based; else there is also the Ubiquity PowerStation. I have used both with success. Microtik boasts a 70 km wireless link with the right wireless card and antennae :D

Regards,
Bruce Grobler

On Sat, 21 Mar 2009 06:43:01 -0600, Modulok modu...@gmail.com wrote:

List,

I have been tasked with getting a DSL connection across about 10km of no-man's-land to a rural location without internet access. Ideally, all traffic inbetween the two directional antennas would be encrypted. (Nice, but not entirely required.) 3Mb/s would be great!

Something like: LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL

I'm looking for general pointers of both hardware and software to achieve this. I'd like to employ FreeBSD as much as is feasible. This is my first WAN network project, so even newbie pointers and general references would be much appreciated. (Hardware suggestions, books to read, etc.) Reliability is of mild concern, simply because I don't want to drive 10km at 3:00am when something breaks.

Tips? References? Advice?

-Modulok-
Re: Creating a 10km wireless bridge...pointers?
Do you have a pre-determined budget for this homework? Have a look at California Amplifier, calamp.com if I remember correctly.
Re: Creating a 10km wireless bridge...pointers?
I'm looking for general pointers of both hardware and software to achieve this. I'd like to employ FreeBSD as much as is feasible. This

There are a LOT of wireless bridges that can do it if proper antennas are used. Depending on where you are it may not be legal (output power * antenna gain can't be >100mW), like in the EU (but nobody usually cares and controls); in the US it is legal.

Do not use any afterburners giving power in the watt range. Normal 30-100 mW output is OK.

Example: Smartbridges 2.4 GHz WiFi radios (they are built to be used externally) + 25 dB grid antennas worked at about a real 4 Mbit/s over 24 km over the sea with a large operating margin. They were 11 Mbps-only radios.

But there are lots of methods to do this. I think something like 50 km is achievable.

Just use one old rule - 1$ for the radio, 1000$ for the antenna :)
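The posts above argue from antenna gain, EIRP limits and Fresnel clearance without putting numbers on the link. The script below is an added example, not from anyone in the thread: a back-of-the-envelope link budget for the 10 km, 2.4 GHz path being discussed, with a check against the 100 mW (20 dBm) EIRP figure quoted for the EU and the first Fresnel zone radius that the "about 6 m above the soil" advice has to clear. It assumes clear line of sight and free-space loss only; the radio power, antenna gains, feed loss and receiver sensitivity in the usage lines are illustrative figures of mine, not any product's.

```shell
#!/bin/sh
# Added example (not from the thread): 2.4 GHz point-to-point link budget.
# Assumptions: free-space loss only, clear line of sight; all input figures
# in the worked section are illustrative, not measured or vendor values.

# Free-space path loss in dB for d kilometres at f MHz.
fspl_db() {
    awk -v d="$1" -v f="$2" 'BEGIN {
        printf "%.1f", 20*log(d)/log(10) + 20*log(f)/log(10) + 32.44 }'
}

# Radius (m) of the first Fresnel zone at the midpoint of a d km path at f GHz.
# At least 60% of this must be clear of ground, trees and buildings.
fresnel_radius_m() {
    awk -v d="$1" -v f="$2" 'BEGIN { printf "%.1f", 17.32*sqrt(d/(4*f)) }'
}

# EIRP in dBm: transmit power (dBm) + antenna gain (dBi) - cable/connector loss (dB).
eirp_dbm() {
    awk -v p="$1" -v g="$2" -v l="$3" 'BEGIN { printf "%.1f", p + g - l }'
}

# Received level in dBm: EIRP + receive antenna gain - receive feed loss - path loss.
rx_dbm() {
    awk -v e="$1" -v g="$2" -v l="$3" -v fs="$4" 'BEGIN { printf "%.1f", e + g - l - fs }'
}

# Fade margin in dB above the receiver sensitivity (both in dBm).
margin_db() {
    awk -v r="$1" -v s="$2" 'BEGIN { printf "%.1f", r - s }'
}

# Regulatory check: returns 0 if EIRP is at or under the cap (dBm), 1 if over.
# 20 dBm is the 100 mW figure cited in the thread for the EU; US limits differ.
eirp_within() {
    awk -v e="$1" -v cap="$2" 'BEGIN { exit !(e <= cap) }'
}

# Worked numbers for the scenario in the thread (illustrative inputs).
FSPL=$(fspl_db 10 2400)              # 10 km at 2.4 GHz
EIRP=$(eirp_dbm 17 24 3)             # 17 dBm radio, 24 dBi grid, 3 dB feed loss
RX=$(rx_dbm "$EIRP" 24 3 "$FSPL")    # same antenna and feed loss at the far end
echo "path loss over 10 km at 2.4 GHz: $FSPL dB"
echo "first Fresnel zone radius at midpoint: $(fresnel_radius_m 10 2.4) m"
echo "EIRP: $EIRP dBm, received: $RX dBm, margin over -85 dBm: $(margin_db "$RX" -85) dB"
if eirp_within "$EIRP" 20; then
    echo "EIRP within the 100 mW cap"
else
    echo "EIRP over the 100 mW cap: reduce transmit power or antenna gain"
fi
```

Two things fall out of the numbers that the posts only gesture at: a 24 dBi antenna on a 17 dBm radio is far over the 100 mW EIRP cap, so in a jurisdiction that enforces it the transmit power has to come down to single-digit dBm, and the midpoint Fresnel radius is near 18 m, so antennas 6 m above flat ground leave well under the 60% clearance a 10 km path wants.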
Re: Creating a 10km wireless bridge...pointers?
buy a couple of high-end radios with built-in antennas, Ubiquiti PowerStations

This is excellent if the built-in antennas have quite high gains. There are no connector losses.
Re: Creating a 10km wireless bridge...pointers?
Have a look at Microtik's equipment, very cheap

I don't think it's cheap :)
Re: Creating a 10km wireless bridge...pointers?
Do you have a pre-determined budget for this homework? Have a look at California Amplifier, calamp.com if I remember correctly.

Amplifiers are kind of an idiot solution; they just make more mess for others. DO NOT use them unless you REALLY have to == the best antennas are not enough. For 50 km it's unlikely you will need one.
Re: Creating a 10km wireless bridge...pointers?
> LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL
>
> Your BSD router would act as a gateway, eventually using functions like IPDIVERT and DHCPd via RF. It would then serve as an AP, put in simple words. This should be achievable mostly by means of the base OS.

Do not use builtin cards for such links unless you like to keep the computer outside. long RF cables = LARGE signal loss. There are a LOT of external radio bridges that are designed to be placed outside so they are connected to the antenna almost directly.
Re: Creating a 10km wireless bridge...pointers?
speaking comparatively, of course :D

On Sat, 21 Mar 2009 15:10:42 +0100 (CET), Wojciech Puchar woj...@wojtek.tensor.gdynia.pl wrote:
> > Have a look at Microtik's equipment very cheap
>
> i don't think it's cheap :)
Re: Creating a 10km wireless bridge...pointers?
Depending upon what your budget is, Tranzeo has some excellent wireless products that are ideal for point-to-point links. Encryption is built-in and they can be configured for point-to-point or point-to-multipoint (just in case the project expands). One problem that you may run into, if both sides of the link are close to the ground, is the Fresnel zone. If one side is higher than the other, this shouldn't be a problem. Two self-contained POE radios with built-in antenna should run you about $500 and they can be mounted on standard satellite dish arms.

I've also used Mikrotik products and have generally been very happy with them. There is a ton of functionality and I actually use two of them for my core routers at my current job. I think for this project they are overkill and there is quite a bit of a learning curve to get them up and running. If you don't plan on deploying anything else, I think that you will find that the Tranzeos are a simpler solution.

Craig

----- Original Message -----
From: Modulok modu...@gmail.com
To: freebsd-questions@freebsd.org
Sent: Saturday, March 21, 2009 8:43:01 AM
Subject: Creating a 10km wireless bridge...pointers?

List,

I have been tasked with getting a DSL connection across about 10km of no-man's-land to a rural location without internet access. Ideally, all traffic in between the two directional antennas would be encrypted. (Nice, but not entirely required.) 3Mb/s would be great! Something like:

LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL

I'm looking for general pointers of both hardware and software to achieve this. I'd like to employ FreeBSD as much as is feasible. This is my first WAN network project, so even newbie pointers and general references would be much appreciated. (Hardware suggestions, books to read, etc.) Reliability is of mild concern, simply because I don't want to drive 10km at 3:00am when something breaks.

Tips? References? Advice?

-Modulok-
Re: Creating a 10km wireless bridge...pointers?
NOTE: could you please break lines properly in your posts? answering your mails is not easy.

> Depending upon what your budget is, Tranzeo has some excellent wireless products that are ideal for point-to-point links. Encryption is built-in and they can be configured for point-to-point or point-to-multipoint (just in case the project expands). One problem that you may run into, if both sides of the link are close to the ground, is the Fresnel zone.

which is not dependent on the manufacturer, but on physics, and more important at lower frequency. Calculations are easily found on the net. and there are a few meters to be counted too because the earth is not flat.

> If one side is higher than the other, this shouldn't be a problem. Two self-contained POE radios with built-in antenna should run you about $500 and they can be mounted on standard satellite dish arms.

it works if done precisely enough :)

> I've also used Mikrotik products and have generally been very happy with them. There is a ton of functionality and I actually use two of them for my core routers at my current job. I think for this project they are overkill and there is quite a bit of a learning curve to get them up and running. If you don't plan on deploying anything else, I think that you will find that the Tranzeos are a simpler solution.

-- generally - simple radio bridges. you put one to the DSL router, and the other to the computer/switch. that's all.
Re: Creating a 10km wireless bridge...pointers?
On Sat, 21 Mar 2009 06:43:01 -0600 Modulok modu...@gmail.com wrote:

> I have been tasked with getting a DSL connection across about 10km of no-man's-land to a rural location without internet access. Ideally, all traffic in between the two directional antennas would be encrypted.

Best encrypted, or at least use point-to-point adhoc in bridge mode rather than point-to-AP unencrypted, which will surely get abused.

> (Nice, but not entirely required.) 3Mb/s would be great! Something like:
>
> LAN-BSDrouter-modem-Antenna~~air~~Antenna-modem-DSL
>
> I'm looking for general pointers of both hardware and software to achieve this. I'd like to employ FreeBSD as much as is feasible. This is my first WAN network project, so even newbie pointers and general references would be much appreciated. (Hardware suggestions, books to read, etc.) Reliability is of mild concern, simply because I don't want to drive 10km at 3:00am when something breaks.
>
> Tips? References? Advice?

I suggest downloading "Wireless Networking in the Developing World" in the language of your choice from http://wndw.net/download.html .. a great read, good coverage of theory and lots of practical advice.

If you're on a budget, a couple of (say) Dlink or Cisco APs - something with decent external antenna connectors anyway - in bridge mode with two yagi or helical antennae with >= 12dBm gain should do 10km line of sight easily. With +15dBm antennae you should get (at least lower) 11g rates, and if you can afford 20+dBm dish grid antennae, so much the faster.

Might be worth checking out /usr/ports/net/olsrd (http://www.olsr.org/)

As others have said - avoid amplifiers, spend most on good antennae and cables, as short and fat as is practicable. You'll likely want short pigtails between the wireless card or bridge and the longer fat leads.

cheers, Ian
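The numbers the thread trades in (antenna gain in dBi, the 100 mW EIRP cap, Fresnel zone and earth curvature over 10 km) can be put into one link-budget and clearance calculator. This is an added example, not code from any poster on the list; the 15 dBm radio output, 2 dB of pigtail/cable loss and the k=4/3 refraction factor are assumed values, and the 2437 MHz channel is 802.11 channel 6.

```python
import math

EARTH_RADIUS_KM = 6371.0


def free_space_path_loss_db(distance_km, freq_mhz):
    """Free-space path loss in dB for a clear line-of-sight path."""
    return 20.0 * math.log10(distance_km) + 20.0 * math.log10(freq_mhz) + 32.44


def eirp_dbm(tx_power_dbm, tx_gain_dbi, cable_loss_db=0.0):
    """Effective isotropic radiated power: the figure regulators cap (100 mW = 20 dBm)."""
    return tx_power_dbm + tx_gain_dbi - cable_loss_db


def received_power_dbm(tx_power_dbm, tx_gain_dbi, rx_gain_dbi,
                       distance_km, freq_mhz, cable_loss_db=0.0):
    """Signal level at the far radio: EIRP plus receive antenna gain minus path loss."""
    return (eirp_dbm(tx_power_dbm, tx_gain_dbi, cable_loss_db) + rx_gain_dbi
            - free_space_path_loss_db(distance_km, freq_mhz))


def fresnel_radius_m(d1_km, d2_km, freq_ghz):
    """First Fresnel zone radius at a point d1 from one end and d2 from the other."""
    return 17.32 * math.sqrt(d1_km * d2_km / (freq_ghz * (d1_km + d2_km)))


def earth_bulge_m(d1_km, d2_km, k_factor=4.0 / 3.0):
    """Height of the earth's curvature above the straight line between the two ends.

    k_factor=4/3 is the usual allowance for standard atmospheric refraction (assumed here)."""
    return 1000.0 * d1_km * d2_km / (2.0 * k_factor * EARTH_RADIUS_KM)


def required_clearance_m(d1_km, d2_km, freq_ghz, fraction=0.6):
    """Antenna height needed above obstacles: 60% of the first Fresnel zone plus earth bulge."""
    return fraction * fresnel_radius_m(d1_km, d2_km, freq_ghz) + earth_bulge_m(d1_km, d2_km)


if __name__ == "__main__":
    # Assumed values: 15 dBm radios, 12 dBi yagis both ends, 2 dB cable loss, 10 km, channel 6.
    rx = received_power_dbm(15.0, 12.0, 12.0, 10.0, 2437.0, cable_loss_db=2.0)
    print(f"received power: {rx:.1f} dBm")
    print(f"EIRP: {eirp_dbm(15.0, 12.0, 2.0):.1f} dBm (EU cap 20 dBm)")
    print(f"mid-path clearance needed: {required_clearance_m(5.0, 5.0, 2.4):.1f} m")
```

With these inputs the link lands around -83 dBm at the receiver, the EIRP is already over the 100 mW EU cap mentioned earlier, and the midpoint needs about 12 m of clearance above any obstacle, which is why a ground-level mast at both ends is the usual problem.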
Re: Bridge setup at boot
On Wed, 2009-02-11 at 14:34 +1000, Da Rock wrote:
> On Tue, 2009-02-10 at 23:10 -0500, Steve Bertrand wrote:
> > Da Rock wrote:
> > > I feel like a real newbie asking this one, but the answer is still eluding me :(
> > >
> > > I have a system where I'm separating my servers for distinction so I'm running qemu. I have a bridge setup which works occasionally, but I need it to work 100% of the time. I also need this to run at boot time, which is where it seems to fall short (not to mention that on occasion even the re driver fails to load - not sure if it's hardware or software yet, but it appears to have no bearing on the bridge problem; I could still get an ip address via dhcp when the bridge is not working).
> > >
> > > My loader.conf looks like this:
> > >
> > > snd_hda_load="YES"
> > > if_bridge_load="YES"
> > > if_tap_load="YES"
> > >
> > > My rc.conf looks like this:
> > >
> > > cloned_interfaces="bridge0 tap0"
> > > autobridge_interface="bridge0"
> > > autbridge_bridge0="re0 tap0"
> > > ifconfig_re0="up"
> > > ifconfig_tap0="up"
> > > ifconfig_bridge0="DHCP"
> > >
> > > If I tell re0 to use DHCP as well, I can access the host, but not the guest. If I run qemu in a script, the guest cannot get a DHCP address. This seems to happen intermittently - one problem then the other. If the bridge fails to get an ip from dhcp, I find re going down just after bridge0 starts looking for an ip - re comes up again after that starts. If bridge0 does get an ip, the tap0 will go down and the qemu guest can't get an ip.
> > >
> > > I feel like I'm going round in circles now. Using rc.conf nothing appears to be happening in order - things seem to be going up and down when they feel like it instead of when they should. I need this to be stable, not a "cross your fingers and toes, we're going in" scenario - which is what bridging appears to be like at startup. Manually I can get it working off the bat, but I'm trying to get this working within the framework provided.
> > >
> > > For reference the sysctl.conf settings mentioned in some circles are useless in 7.1 - net.link.ether.bridge_cfg and net.link.ether.bridge.enable aren't recognized.
> >
> > Can you stabilize the bridge at boot, without any other software starting up?
>
> The short answer is no. The usual problem here is re0 goes down just after bridge0 goes looking for an ip. The other times are a mix of tap0 going down or some other gremlin I haven't been able to find yet.
>
> > If not, does re0 get set up consistently with the same config with a basic setup?
>
> It can, but that would depend on whether the driver picks it up during boot. If the driver comes back with an error then re0 doesn't exist for the rc.conf; if re0 does exist it usually sets up and runs ok during the entire system up time (as far as I'm aware - I'm accessing the system usually through ssh, I haven't seen anything strange in the logs, so ?).
>
> > I had similar issues a while back (pre 7.1) in which sometimes 're' devices didn't start up at the proper speed/duplex. Every once in a while, it would show up at 10 or 100 half, when it should have been auto set at full 100 or 1000. If I forced proper speed/duplex, other outside programs began to work properly. However, I haven't witnessed those issues since 7.1
>
> I didn't know about that, but given the problems I'm having I'm starting to wonder if they could be a root cause of the problem here.

I think I'm starting to get a clearer picture here: based on my observation on a test system tap0 appears to go down as soon as a program connects to it and uses it. Ergo, IF this is the case then that solves the second part of my problem. So could this be a composite issue from this and a hidden issue with my re0 device (driver or whatever)?