FreeBSD routing problem

2013-10-03 Thread hrkesh sahu
Hi All,

I am facing a routing issue for the Interoperability 1.5 topology.

Please find the attachment of the exact topology map.



As per the test setup:

- Configured REF-Router2 NOT to transmit Router Advertisement on
Network1. But REF-Router2 is able to transmit Router Advertisement on
Network2 with 2001:db8::3::/64.

- Configured a static route on TAR-RouterD (Ubuntu) indicating
REF-Router2's link-local address as the next hop for Network2.

- But Ref-Router is not able to route between Network1 and Network2. Due to
this, the ICMPv6 request from TAR-Router to the global address of REF-Host2 is
not working. There is no reply for this ICMPv6 request.

- Same when I try to transmit an ICMPv6 Echo request from REF-HOST2 to the global
address of TAR-HOST1 (prefix of TAR-RouterD): no ICMPv6 reply.

- Within Network1, nodes are able to communicate. But when I try to
communicate with Network2 from Network1, it is not working.



Could you please tell me if I am missing something to route the
traffic on REF-Router?



I suspect, as there is no Router Advertisement on Interface1 of the
Ref-Router, it is not able to route the traffic between the interfaces.



Please help me to find this solution.

 Regards
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: FreeBSD routing problem

2013-10-03 Thread Julian H. Stacey

 From: hrkesh sahu hrisikeshs...@gmail.com
 Date: Thu, 3 Oct 2013 19:09:02 +0530
 To: Julian H. Stacey j...@berklix.com
 Cc: Polytropon free...@edvax.de,
 FreeBSD questions freebsd-questions@freebsd.org

Hi, No idea why it was To: me.

 Content-Type: text/html; charset=windows-1252
 Content-Transfer-Encoding: quoted-printable

I dislike MS  windows  quoted-printable, 


 Content-Type: application/msword; name=1.5.VendorD.Topology.doc
 Content-Disposition: attachment; filename=1.5.VendorD.Topology.doc

MS excrement not accepted.  http://www.berklix.com/~jhs/std/no_ms_format.txt

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Reply below not above, like a play script.  Indent old text with  .
 Send plain text.  No quoted-printable, HTML, base64, multipart/alternative.


openvpn routing

2013-07-16 Thread Pol Hallen
Hi all :-)

This FreeBSD server is an internal LAN server, IP 192.168.1.254.
192.168.1.212 is the gateway to the internet.

I've an easy config:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.212      UGS         0    31807    em0
10.20.10.0/24      10.20.10.2         UGS         0        0   tun0
10.20.10.1         link#5             UHS         0        0    lo0
10.20.10.2         link#5             UH          0        0   tun0
127.0.0.1          link#4             UH          0     3478    lo0
192.168.1.0/24     link#2             U           0    46116    em0
192.168.1.254      link#2             UHS         0        0    lo0

ifconfig

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
[...]
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.20.10.1 --> 10.20.10.2 netmask 0xffffffff

Problem is: 10.20.10.2 is a gateway? why?

On clients I get this error:

OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and
no default was specified by either --route-gateway or --ifconfig options
Tue Jul 16 19:28:30 2013 us=860975 OpenVPN ROUTE: failed to parse/resolve
route for host/network: 10.20.10.0
Tue Jul 16 19:28:30 2013 us=861091 OpenVPN ROUTE: OpenVPN needs a gateway
parameter for a --route option and no default was specified by either
--route-gateway or --ifconfig options

openvpn server config:

port XXX
proto udp
dev tun
;dev-node tap0
ca /usr/local/etc/openvpn/XX.crt
cert /usr/local/etc/openvpn/XX.crt
key /usr/local/etc/openvpn/XX.key
dh /usr/local/etc/openvpn/dh2048.pem

server 10.20.10.0 255.255.255.0
push "route 10.20.10.0 255.255.255.0"

ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt 0

;duplicate-cn
keepalive 10 120
;cipher BF-CBC        # Blowfish (default)
;cipher AES-256-CBC   # AES
cipher DES-EDE3-CBC   # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
;status /var/log/openvpn-status.log
;log-append /var/log/openvpn.log
verb 10
mute 20
client-to-client
client-config-dir ccd route 10.20.10.1 255.255.255.0

ping-restart 0
tls-auth /usr/local/etc/openvpn/ta.key 0
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
#tmp-dir /dev/shm

Almost the same config runs on a Linux OpenVPN server. It's the server that
creates the correct route. But on FreeBSD I get 10.20.10.2 as the automatic gw.

Any idea?

thanks!

Pol


Re: openvpn routing

2013-07-16 Thread Pol Hallen
 This freebsd server in an internal lan server, IP 192.168.1.254.
 192.168.1.212 is gateway on internet.
[...]

tap -- tun

solved :-)

Pol


routing issues to freebsd.org

2013-07-08 Thread Paul Macdonald


On doing some updates this morning, I am seeing a routing issue beyond
bgp1-ext.ysv.freebsd.org...


Updating Index
fetch: http://www.FreeBSD.org/ports/INDEX-9.bz2: No route to host

www.freebsd.org.         513   IN  CNAME  wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org.   1690   IN  A      8.8.178.110

traceroute to 8.8.178.110 (8.8.178.110), 64 hops max, 52 byte packets
 1  -- 0.528 ms  0.462 ms  0.428 ms
 2  490.net2.north.dc5.as20860.net (62.233.127.210)  0.267 ms  0.263 ms  0.263 ms
 3  593.core1.thn.as20860.net (62.233.127.173)  111.922 ms  49.373 ms  1.125 ms
 4  ae3-309.lon11.ip4.tinet.net (77.67.74.101)  1.080 ms  1.181 ms  1.081 ms
 5  xe-9-1-0.sjc10.ip4.tinet.net (89.149.184.53)  145.580 ms  145.746 ms
    xe-8-1-0.sjc10.ip4.tinet.net (89.149.183.17)  145.216 ms
 6  213.200.66.238 (213.200.66.238)  145.702 ms  188.823 ms
    ge-0-3-9.pat1.sjc.yahoo.com (216.115.96.10)  219.331 ms
 7  bgp1-ext.ysv.freebsd.org (216.115.101.227)  146.013 ms  146.385 ms
    ae-5.pat2.sjc.yahoo.com (216.115.105.19)  145.653 ms
 8  * * bgp1-ext.ysv.freebsd.org (216.115.101.227)  146.519 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *


Paul.

--
-
Paul Macdonald
IFDNRG Ltd
Web and video hosting
-
t: 0131 5548070
m: 07970339546
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
-
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA

High Specification Dedicated Servers from £100.00pm




Re: routing issues to freebsd.org

2013-07-08 Thread staticsafe
On Mon, Jul 08, 2013 at 09:57:59AM +0100, Paul Macdonald wrote:
 
 On doing some updates this morning, am seeing a routing issue beyond
 bgp1-ext.ysv.freebsd.org...
 
 Updating Index
 fetch: http://www.FreeBSD.org/ports/INDEX-9.bz2: No route to host
 
 www.freebsd.org.513 IN  CNAME wfe0.ysv.freebsd.org.
 wfe0.ysv.freebsd.org.   1690IN  A   8.8.178.110
 

Perhaps an issue on your end (probably on the reverse route)? 

Traces look fine from multiple networks:
http://sprunge.us/JFeS

-- 
staticsafe
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.


Re: routing issues to freebsd.org

2013-07-08 Thread Johan Hendriks

Paul Macdonald wrote:


On doing some updates this morning, I am seeing a routing issue beyond
bgp1-ext.ysv.freebsd.org...


Updating Index
fetch: http://www.FreeBSD.org/ports/INDEX-9.bz2: No route to host

www.freebsd.org.         513   IN  CNAME  wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org.   1690   IN  A      8.8.178.110

traceroute to 8.8.178.110 (8.8.178.110), 64 hops max, 52 byte packets
 1  -- 0.528 ms  0.462 ms  0.428 ms
 2  490.net2.north.dc5.as20860.net (62.233.127.210)  0.267 ms  0.263 ms  0.263 ms
 3  593.core1.thn.as20860.net (62.233.127.173)  111.922 ms  49.373 ms  1.125 ms
 4  ae3-309.lon11.ip4.tinet.net (77.67.74.101)  1.080 ms  1.181 ms  1.081 ms
 5  xe-9-1-0.sjc10.ip4.tinet.net (89.149.184.53)  145.580 ms  145.746 ms
    xe-8-1-0.sjc10.ip4.tinet.net (89.149.183.17)  145.216 ms
 6  213.200.66.238 (213.200.66.238)  145.702 ms  188.823 ms
    ge-0-3-9.pat1.sjc.yahoo.com (216.115.96.10)  219.331 ms
 7  bgp1-ext.ysv.freebsd.org (216.115.101.227)  146.013 ms  146.385 ms
    ae-5.pat2.sjc.yahoo.com (216.115.105.19)  145.653 ms
 8  * * bgp1-ext.ysv.freebsd.org (216.115.101.227)  146.519 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *


Paul.


I noticed FreeBSD was not accessible this morning.
svnup gives me the following.
 svnup stable
svnup: connect failure: Connection refused

Earlier I could not even open www.freebsd.org, so something is or was
not right.

Now www.freebsd.org works again

gr
Johan Hendriks





Re: routing issues to freebsd.org

2013-07-08 Thread Erich Dollansky
Hi,

On Mon, 8 Jul 2013 08:01:09 -0400
staticsafe m...@staticsafe.ca wrote:

 On Mon, Jul 08, 2013 at 09:57:59AM +0100, Paul Macdonald wrote:
  
  On doing some updates this morning, am seeing a routing issue beyond
  bgp1-ext.ysv.freebsd.org...
  
  Updating Index
  fetch: http://www.FreeBSD.org/ports/INDEX-9.bz2: No route to host
  
  www.freebsd.org.513 IN  CNAME wfe0.ysv.freebsd.org.
  wfe0.ysv.freebsd.org.   1690IN  A   8.8.178.110
  
 
 Perhaps an issue on your end (probably on the reverse route)? 

it was the same story in Indonesia.

Erich
 
 Traces look fine from multiple networks:
 http://sprunge.us/JFeS
 



/23 static routing question

2013-03-13 Thread Paul Macdonald


Hi,

I have added an IP from the 2nd group of 254 addresses in a /23.

Let's call them 100.100.98.0 and 100.100.99.0.

What's the correct way to set up the routing table for this, and how should my
rc.conf look?


Currently netstat shows something like the below:

Destination        Gateway            Flags    Refs        Use  Netif Expire
default            100.100.98.254     UGS         0  111301074   bge0
100.100.98.0       link#1             U           0 1470707172   bge0

But I suspect I want:

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            100.100.98.254     UGS         0  111301074   bge0
100.100.98.0       link#1             U           0 1470707172   bge0
100.100.99.0       link#1             U           0 1470707172   bge0

or
100.100.98.0/23    link#1             U           0 1470707172   bge0


many thanks
Paul.


SOLVED /23 static routing question

2013-03-13 Thread Paul Macdonald

On 13/03/2013 14:59, Paul Macdonald wrote:


Hi,

I have added an IP from the 2nd group of 254 addresses in a /23.

Let's call them 100.100.98.0 and 100.100.99.0.

What's the correct way to set up the routing table for this, and how should my
rc.conf look?


Currently netstat shows something like the below:

Destination        Gateway            Flags    Refs        Use  Netif Expire
default            100.100.98.254     UGS         0  111301074   bge0
100.100.98.0       link#1             U           0 1470707172   bge0

But I suspect I want:

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            100.100.98.254     UGS         0  111301074   bge0
100.100.98.0       link#1             U           0 1470707172   bge0
100.100.99.0       link#1             U           0 1470707172   bge0

or
100.100.98.0/23    link#1             U           0 1470707172   bge0




Restarting routing seemed to do this fine... :P

"FreeBSD will automatically identify any hosts (test0 in the
example) on the local Ethernet and add a route for that host, directly
to it over the Ethernet interface, ed0"

http://www.freebsd.org/doc/handbook/network-routing.html


Re: vlan routing

2013-03-10 Thread doug

On Sun, 10 Mar 2013, Виталий Туровец wrote:


2013/3/10  d...@safeport.com:

I am trying to set this up. First I munged the IP addresses. Not to worry if I
hit yours. I did the following commands:

   ifconfig vlan0 create
   ifconfig vlan0 vlan 95 vlandev fxp0
   ifconfig vlan0 inet 134.217.128.117 netmask 255.255.255.0
   ifconfig fxp0 add 134.217.128.117 netmask 255.255.255.0
   route add -inet 134.217.128.117 134.217.128.1

ifconfig shows:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:d0:b7:56:cf:ab
        inet 45.22.17.3 netmask 0xfffffc00 broadcast 45.22.19.255
        inet 45.22.17.17 netmask 0xffffffff broadcast 45.22.17.17
        inet 134.217.128.117 netmask 0xffffff00 broadcast 134.217.128.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
bge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:09:5b:60:e4:1f
        media: Ethernet autoselect (none)
        status: no carrier
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:d0:b7:56:cf:ab
        inet 134.217.128.117 netmask 0xffffff00 broadcast 134.217.128.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 95 parent interface: fxp0

Needless to say it does not work. The switch is programmed correctly (I am
told). My questions are (1) it seems like the option got applied to the
wrong interface; (2) what did I miss??

I also tried booting the system with the IP 134.217.128.117, but I did not get
the rc.conf macros correct. I do know I can not route through the switch
without going through the vlan commands.

_
Douglas Denault
http://www.safeport.com
d...@safeport.com
Voice: 301-217-9220
  Fax: 301-217-9277


I guess you shouldn't put the same IP address on two interfaces (vlan
and fxp0); you need to decide whether you need tagged or untagged
vlan frames there and, depending on this decision, put the IP address
on the VLAN interface (tagged variant) or fxp0 (untagged one).

If i understand your task correctly, then this line is faulty from
your configuration:

   ifconfig fxp0 add 134.217.128.117 netmask 255.255.255.0

You don't need it.


   route add -inet 134.217.128.117 134.217.128.1

This is smth absolutely wrong :)

Basically, if you only need a vlan interface that could be used for
routing, you need these commands only:

ifconfig vlan95 create
ifconfig vlan95 inet 134.217.128.117/24 vlan 95 vlandev fxp0

and in /etc/rc.conf you should put such strings:

cloned_interfaces="vlan95"
ifconfig_vlan95="inet 134.217.128.117/24 vlan 95 vlandev fxp0"

for the interface to be created on reboot.
Hope this helps.


Thanks I will try



vlan routing

2013-03-09 Thread doug
I am trying to set this up. First I munged the IP addresses. Not to worry if I hit
yours. I did the following commands:


   ifconfig vlan0 create
   ifconfig vlan0 vlan 95 vlandev fxp0
   ifconfig vlan0 inet 134.217.128.117 netmask 255.255.255.0
   ifconfig fxp0 add 134.217.128.117 netmask 255.255.255.0
   route add -inet 134.217.128.117 134.217.128.1

ifconfig shows:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:d0:b7:56:cf:ab
        inet 45.22.17.3 netmask 0xfffffc00 broadcast 45.22.19.255
        inet 45.22.17.17 netmask 0xffffffff broadcast 45.22.17.17
        inet 134.217.128.117 netmask 0xffffff00 broadcast 134.217.128.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
bge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:09:5b:60:e4:1f
        media: Ethernet autoselect (none)
        status: no carrier
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:d0:b7:56:cf:ab
        inet 134.217.128.117 netmask 0xffffff00 broadcast 134.217.128.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 95 parent interface: fxp0

Needless to say it does not work. The switch is programmed correctly (I am 
told). My questions are (1) it seems like the option got applied to the wrong 
interface; (2) what did I miss??


I also tried booting the system with the IP 134.217.128.117, but I did not get the
rc.conf macros correct. I do know I can not route through the switch without
going through the vlan commands.




Re: vlan routing

2013-03-09 Thread Виталий Туровец
2013/3/10  d...@safeport.com:
 I am trying to set this up. First I munged the IP addresses. Not to worry if I
 hit yours. I did the following commands:

ifconfig vlan0 create
ifconfig vlan0 vlan 95 vlandev fxp0
ifconfig vlan0 inet 134.217.128.117 netmask 255.255.255.0
ifconfig fxp0 add 134.217.128.117 netmask 255.255.255.0
route add -inet 134.217.128.117 134.217.128.1

 ifconfig shows:

 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8<VLAN_MTU>
         ether 00:d0:b7:56:cf:ab
         inet 45.22.17.3 netmask 0xfffffc00 broadcast 45.22.19.255
         inet 45.22.17.17 netmask 0xffffffff broadcast 45.22.17.17
         inet 134.217.128.117 netmask 0xffffff00 broadcast 134.217.128.255
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
 bge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
         ether 00:09:5b:60:e4:1f
         media: Ethernet autoselect (none)
         status: no carrier
 vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         ether 00:d0:b7:56:cf:ab
         inet 134.217.128.117 netmask 0xffffff00 broadcast 134.217.128.255
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
         vlan: 95 parent interface: fxp0

 Needless to say it does not work. The switch is programmed correctly (I am
 told). My questions are (1) it seems like the option got applied to the
 wrong interface; (2) what did I miss??

 I also tried booting the system with the IP 134.217.128.117, but I did not get
 the rc.conf macros correct. I do know I can not route through the switch
 without going through the vlan commands.


I guess you shouldn't put the same IP address on two interfaces (vlan
and fxp0); you need to decide whether you need tagged or untagged
vlan frames there and, depending on this decision, put the IP address
on the VLAN interface (tagged variant) or fxp0 (untagged one).

If i understand your task correctly, then this line is faulty from
your configuration:
ifconfig fxp0 add 134.217.128.117 netmask 255.255.255.0
You don't need it.

route add -inet 134.217.128.117 134.217.128.1
This is smth absolutely wrong :)

Basically, if you only need a vlan interface that could be used for
routing, you need these commands only:

ifconfig vlan95 create
ifconfig vlan95 inet 134.217.128.117/24 vlan 95 vlandev fxp0

and in /etc/rc.conf you should put such strings:

cloned_interfaces="vlan95"
ifconfig_vlan95="inet 134.217.128.117/24 vlan 95 vlandev fxp0"

for the interface to be created on reboot.
Hope this helps.

--



~~~
WBR,
Vitaliy Turovets
NOC Lead @TV-Net ISP
NOC Lead @Service Outsourcing company
+38(093)265-70-55
VITU-RIPE
X-NCC-RegID: ua.tv


Different take on old FAQ: multihoming and source-based routing

2012-09-01 Thread Ben Cottrell
Hi everyone,

I've been doing a lot of google searching recently for variants of
freebsd source-based routing to look for how to get a dual-homed
FreeBSD machine to send to the correct default gateway based on the
source address of the packets it's expecting that gateway to pass along.
You can't send a packet with a Comcast source address to the AT&T
default gateway and expect it to actually make it out onto the public
internet, etc.

Universally, the posts I've been finding that discuss this always
recommend creating multiple routing tables with options ROUTETABLES=...
which I wasn't willing to do, because my wild youthful kernel-recompiling
days are over -- these days I like the advantages that come with using a
pure GENERIC kernel. :-)

So, today I tried the following /etc/pf.conf:

 if = bge0
 v4_addr_1 = 173.228.91.225
 v4_net_1 = 173.228.91.0/24
 v4_gw_1 = 173.228.91.1
 v4_addr_2 = 50.193.24.82
 v4_net_2 = 50.193.24.80/28
 v4_gw_2 = 50.193.24.94
 
 pass out quick on $if route-to ($if $v4_gw_1) inet from $v4_addr_1 to 
 !$v4_net_1 no state
 pass out quick on $if route-to ($if $v4_gw_2) inet from $v4_addr_2 to 
 !$v4_net_2 no state
 #pass out quick on $if route-to ($if $v6_gw_1) inet6 from $v6_addr_1 to 
 !$v6_net_1 no state
 
 pass all no state

I guess my setup is a bit simpler than the norm because I only have
one physical interface, that both networks are on. But... by Jove,
it seems to be working!

Is there something I'm missing? Is this going to break in some subtle
edge case that I'm just not seeing?

If it really is this simple, why does everyone keep recommending
the options ROUTETABLES approach?

Thanks,

~Ben


Problem with routing in VmWare VMS

2012-06-22 Thread UNIX developer @ Google.com
Thank you, Mark!
It all works!


-
You wrote on 22 June 2012 at 16:31:39:

 On Fri, 22 Jun 2012 08:10:43 -0500, UNIX developer @ Google.com  
 developeru...@gmail.com wrote:

 now after reboot the problem still the same.
 ping -S 192.168.2.1 192.168.1.1
 PING 192.168.1.1 (192.168.1.1) from 192.168.2.1: 56 data bytes
 ^C
 --- 192.168.1.1 ping statistics ---
 8 packets transmitted, 0 packets received, 100.0% packet loss

 192.168.1.1 does not know how to find 192.168.2.1, so it can't respond to
 the ping. I bet it only has a default route to the internet. If you add a
 static route on 192.168.1.1 telling it that it can find 192.168.2.0/24 at
 192.168.1.10 it will probably work.


 On 192.168.1.1:

 route add -net 192.168.2.0/24 192.168.1.10

 Now the pings will work.


-- 
Regards,
 UNIX  mailto:developeru...@gmail.com



Re: Problem with routing in VmWare VMS

2012-06-22 Thread Alexandre
On Fri, Jun 22, 2012 at 3:13 PM, UNIX developer @ Google.com 
developeru...@gmail.com wrote:

 Ok, I understood!
 I removed these rows from rc.conf:
 static_routes="clnet"
 route_clnet="-net 192.168.2.0/24 192.168.1.10"

 new rc.conf:
 ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
 ifconfig_em1="inet 192.168.2.1 netmask 255.255.255.0"
 defaultrouter="192.168.1.1"
 gateway_enable="YES"


 now after reboot the problem still the same.

  ping -S 192.168.2.1 192.168.1.1
 PING 192.168.1.1 (192.168.1.1) from 192.168.2.1: 56 data bytes
 ^C
 --- 192.168.1.1 ping statistics ---
 8 packets transmitted, 0 packets received, 100.0% packet loss


 netstat -nr
 Routing tables

 Internet:
 Destination        Gateway            Flags    Refs      Use  Netif Expire
 default            192.168.1.1        UGS         0       38    em0
 127.0.0.1          link#4             UH          0        0    lo0
 192.168.1.0/24     link#1             U           0     1153    em0
 192.168.1.10       link#1             UHS         0        6    lo0
 192.168.2.0/24     link#2             U           0        0    em1
 192.168.2.1        link#2             UHS         0        6    lo0

 Where else can the trouble be?


 -
 You wrote on 22 June 2012 at 0:56:49:

  On Thu, 21 Jun 2012 15:59:36 -0500, UNIX developer @ Google.com
  developeru...@gmail.com wrote:

  /etc/rc.conf
  ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
  ifconfig_em1="inet 192.168.2.1 netmask 255.255.255.0"
  defaultrouter="192.168.1.1"
  gateway_enable="YES"
  static_routes="clnet"
  route_clnet="-net 192.168.2.0/24 192.168.1.10"

  You simply CANNOT do this. Traffic for 192.168.2.0/24 is bound to em1
 and
  cannot be changed. You setup a static route that basically says to find
  192.168.2.0/24, don't use em1 but instead ask 192.168.1.10 how to find
 it?

  This makes no sense at all.


 --
 Regards,
  UNIX  mailto:developeru...@gmail.com

Hi,
Your problem, as Mark told you, is that you are building a gateway to
connect two networks on the same subnet.

Regards,
Alexandre


Problem with routing in VmWare VMS

2012-06-21 Thread UNIX developer @ Google.com
Hi!
I have a problem with routing on FreeBSD.
I have an ESXi 5 host. There are 5 VMs on it and one of them is a BSD.
I need to create a router on the BSD.
I tried to set it up with this manual:
http://www.freebsd.org/doc/handbook/network-routing.html
but the problem is still the same...

I can't ping the external network from the local network.
# ping -S 192.168.2.1 192.168.1.4
... no replies ...
many packets sent and 100% loss. Ok ^C.

My configs:
/etc/sysctl.conf
net.inet.ip.forwarding=1

/etc/rc.conf
ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.2.1 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"
static_routes="clnet"
route_clnet="-net 192.168.2.0/24 192.168.1.10"

after booting in netstat is:
# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0        2    em0
127.0.0.1          link#4             UH          0        0    lo0
192.168.1.0/24     link#1             U           0      120    em0
192.168.1.10       link#1             UHS         0        0    lo0
192.168.2.0/24     link#2             U           0        0    em1
192.168.2.1        link#2             UHS         0        0    lo0

after /etc/rc.d/routing restart, I see:
# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0        2    em0
127.0.0.1          link#4             UH          0        0    lo0
192.168.1.0/24     link#1             U           0      120    em0
192.168.1.10       link#1             UHS         0        0    lo0
192.168.2.0/24     192.168.1.10       U           0        0    em1
192.168.2.1        link#2             UHS         0        0    lo0

What do I need to do so that the other VMs on the routed network can reach the
external network?

Please help me solve this problem.
If you need more information, please write to me!
Thanks!



Re: Problem with routing in VmWare VMS

2012-06-21 Thread Mark Felder
On Thu, 21 Jun 2012 15:59:36 -0500, UNIX developer @ Google.com  
developeru...@gmail.com wrote:



/etc/rc.conf
ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.2.1 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"
static_routes="clnet"
route_clnet="-net 192.168.2.0/24 192.168.1.10"


You simply CANNOT do this. Traffic for 192.168.2.0/24 is bound to em1 and  
cannot be changed. You setup a static route that basically says to find  
192.168.2.0/24, don't use em1 but instead ask 192.168.1.10 how to find it?


This makes no sense at all.
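The mistake Mark points out in this thread can be caught by reading rc.conf before the box is rebooted. The following linter is an added example, not code from the thread or from FreeBSD: it parses the ifconfig_* and static_routes/route_* variables, flags a static route whose gateway is the host's own address or whose destination is already a directly connected network, and checks that every next hop sits on a connected network. It assumes quoted rc.conf values, and the interface name em0 in the constructed config for the upstream gateway 192.168.1.1 is assumed.

```python
"""Lint FreeBSD rc.conf static routes against the interface addresses.

Added example; not code from the thread or from FreeBSD.  It encodes the
two points made above: a static route must not point a directly connected
network (192.168.2.0/24 on em1) at the host itself, and the route for
192.168.2.0/24 belongs on the upstream router, via 192.168.1.10.
"""
import ipaddress
import shlex

# Constructed sample: the rc.conf posted in the thread (quotes assumed).
BROKEN_RC_CONF = """\
ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.2.1 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"
static_routes="clnet"
route_clnet="-net 192.168.2.0/24 192.168.1.10"
"""

# The same box after the static route is dropped, as in the second post.
FIXED_RC_CONF = """\
ifconfig_em0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.2.1 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"
"""

# Constructed: what the upstream gateway 192.168.1.1 would carry if it were
# a FreeBSD host (interface name assumed), per Mark's "route add -net".
UPSTREAM_RC_CONF = """\
ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
static_routes="clnet"
route_clnet="-net 192.168.2.0/24 192.168.1.10"
"""


def parse_rc_conf(text):
    """Parse key="value" lines into a dict; quotes and # comments are stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = " ".join(shlex.split(value))
    return conf


def interface_addresses(conf):
    """Return [(ifname, IPv4Interface)] for ifconfig_<if> and _alias lines."""
    found = []
    for key, value in conf.items():
        if not key.startswith("ifconfig_"):
            continue
        tokens = value.split()
        if "inet" not in tokens:
            continue
        addr = tokens[tokens.index("inet") + 1]          # "a.b.c.d" or "a.b.c.d/nn"
        if "netmask" in tokens:
            mask = tokens[tokens.index("netmask") + 1]
            if mask.startswith("0x"):                    # hex mask as ifconfig prints it
                mask = str(ipaddress.IPv4Address(int(mask, 16)))
            addr = f"{addr}/{mask}"
        ifname = key[len("ifconfig_"):].split("_alias")[0]
        found.append((ifname, ipaddress.IPv4Interface(addr)))
    return found


def static_routes(conf):
    """Return [(name, IPv4Network, IPv4Address)] from static_routes/route_* and defaultrouter."""
    routes = []
    for name in conf.get("static_routes", "").split():
        tokens = conf.get(f"route_{name}", "").split()
        kind = tokens.pop(0) if tokens and tokens[0] in ("-net", "-host") else "-net"
        if len(tokens) < 2:
            continue
        dest, gateway = tokens[0], tokens[1]
        if kind == "-host" and "/" not in dest:
            dest += "/32"
        routes.append((name, ipaddress.IPv4Network(dest, strict=False),
                       ipaddress.IPv4Address(gateway)))
    if "defaultrouter" in conf:
        routes.append(("default", ipaddress.IPv4Network("0.0.0.0/0"),
                       ipaddress.IPv4Address(conf["defaultrouter"])))
    return routes


def lint(text):
    """Return (route name, problem) pairs for every route that cannot work as written."""
    conf = parse_rc_conf(text)
    ifaces = interface_addresses(conf)
    own = {iface.ip for _, iface in ifaces}
    findings = []
    for name, dest, gateway in static_routes(conf):
        if gateway in own:
            findings.append((name, f"gateway {gateway} is this host's own address"))
        elif not any(gateway in iface.network for _, iface in ifaces):
            findings.append((name, f"gateway {gateway} is not on a connected network"))
        for ifname, iface in ifaces:
            # A default route (/0) is never "directly connected"; skip it here.
            if dest.prefixlen and dest.subnet_of(iface.network):
                findings.append((name, f"{dest} is directly connected via {ifname}; "
                                       "the static route is wrong"))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RC_CONF), ("fixed", FIXED_RC_CONF),
                        ("upstream", UPSTREAM_RC_CONF)):
        print(label, lint(text) or "ok")
```

Run against the three samples it reports two problems for the posted rc.conf and none for the corrected box or for the upstream router, which is where the 192.168.2.0/24 route has to live.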


Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing

2012-04-15 Thread Chad Leigh Shire.Net LLC

On Apr 13, 2012, at 4:58 PM, Mark Felder wrote:

 On Fri, 13 Apr 2012 15:53:49 -0500, Chad Leigh Shire.Net LLC c...@shire.net 
 wrote:
 
 No NAT needed since they share the network stack under Jails v1 they share 
 the routing tables.  It works.  Try it.
 
 You're clearly exploiting a bug in FreeBSD 6's jails.

It was a documented behavior when I first started using jails ca. 2004 in 
FreeBSD 5.  Which is why I did it that way.



Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing

2012-04-13 Thread Chad Leigh Shire.Net LLC
Hi All

OK, so I have a server that has been running FreeBSD 6.1 and a bunch of jails, 
providing a few limited services.  I am migrating these from real hardware and 
FreeBSD 6.1 with jail running, to a Xen based VPS running FreeBSD 9.0-R with a 
kernel rebuild from a GENERIC kernel to GENERIC plus the Xen pci device.  There 
is one network device on the new server and it shares all addresses and the 
default route goes out it.

Because jails in FBSD 6 shared a network stack, I could have a public network 
x.x.x.0/24 and public address on the host machine, and a default route in that 
network as well, and use a 192.168.1.0/24 address aliased on the same network 
interface as the IP for my jail.  When doing that, from inside the jail, I 
could still reach the internet since it shared the route with the underlying  
machine.


That seems to have changed on FBSD 9.  Now, if I add in the 192.168.1.0/24 
address and run a jail on it, with the host machine in a public 
network/address/route as described above, from inside the jail I CANNOT reach 
the internet (it is not a resolver issue as services going to numeric addresses 
also fail).   However, the jail with the private 192.168.1.0/24 address CAN 
reach the host machines services even if it cannot get out onto the internet.  
And the HOST machine can access services on the jail running on the private IP 
address.

(The purpose of the jail is to provide services to other jails and hosts on the 
same public network [all VPS on the same public vlan] and NOT to provide 
services to the internet.  Things like local ldap or a local dns etc.  But the 
private jail still needs to reach the internet for things like name servers it 
needs to access that are outside of the public network the host lives in.  So I 
don't care if the internet itself can reach the private jail, just the local 
jails and hosts it co-exists with.   The answer shouldn't be natd etc (was not 
needed in 6.0 and I am not sharing one public address with a range of private 
jails behind it).



If I launch the jail with an address from the same public range as the host, it 
works fine.  The jail can access the internet fine and vice versa.  The host 
can access the jail services as well.

If I launch the jail with a private address, the jail cannot reach the 
internet.  It can reach the host in the public network, but not other machines 
in the same public network (ie, the other VPS I have running which are all in 
the same public network).

If I launch the jail with both a private address and a public address, it can 
reach the internet and other VPS on the same public network.  I may have to end 
up doing that and just not having any services run on the public IP but I'd 
rather avoid using up an address like that.

What changes happened in the jails between FBSD 6 and FBSD 9 that would give 
the symptoms I have been experiencing?

Thanks
Chad



Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing

2012-04-13 Thread Mark Felder

Do I understand this right?


Working in FreeBSD 6.x:

interface em0: 1.2.3.4/24  -- public IP, host only
   192.168.1.1/24  -- private IP, host only
   192.168.1.2/24  -- Jail #1
   192.168.1.3/24  -- Jail #2


With this configuration you had no problems accessing the internet from  
the jails.


Is this correct? This seems bizarre; this should only be possible if  
you're doing NAT somewhere in there and that is not possible with Jails v1  
(which share a network stack) and is only possible in Jails v2 (vnet).



Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing

2012-04-13 Thread Chad Leigh Shire.Net LLC

On Apr 13, 2012, at 1:50 PM, Mark Felder wrote:

 Do I understand this right?
 
 
 Working in FreeBSD 6.x:
 
 interface em0: 1.2.3.4/24  -- public IP, host only
   192.168.1.1/24  -- private IP, host only
   192.168.1.2/24  -- Jail #1
   192.168.1.3/24  -- Jail #2
 
 
 With this configuration you had no problems accessing the internet from the 
 jails.

correct.

(not that it matters, I don't think, but the private IP, host only, exists 
and ALL IPs exist on the host in addition to whatever jail they are assigned to)

 
 Is this correct? This seems bizarre; this should only be possible if you're 
 doing NAT somewhere in there and that is not possible with Jails v1 (which 
 share a network stack) and is only possible in Jails v2 (vnet).


No NAT needed since they share the network stack under Jails v1 they share the 
routing tables.  It works.  Try it.

The question is, is it possible to do something similar with FreeBSD 9 jails 
(v2 I guess) without the overhead of running NAT?   The jail with the private 
IP *can* access the HOST's public services but not anyone else's.

Chad



Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing

2012-04-13 Thread Mark Felder
On Fri, 13 Apr 2012 15:53:49 -0500, Chad Leigh Shire.Net LLC  
c...@shire.net wrote:


No NAT needed since they share the network stack under Jails v1 they  
share the routing tables.  It works.  Try it.


You're clearly exploiting a bug in FreeBSD 6's jails. It must get confused  
and send your public IP on those packets. I have no idea how it processes  
the return traffic successfully, but that's a neat trick! There is no  
possible way for this to work without NAT or whatever bug this is. If a  
Jail has a 192.168 IP all packets would leave with a source of 192.168.  
When Google or whoever on the internet gets your packets it would see  
192.168 and probably drop it because that's not a publicly routable  
network.


Without NAT it's impossible for any device anywhere on the planet to  
access the internet with an RFC 1918 IP address.


I urge you to share your experience on the freebsd-jail@ mailing list.  
Those guys might be able to lend some further insight. I bet the change  
came with the update to jails that allows multiple IPs.

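Chad's fallback, a jail that carries both the private service address and one public address so that its outbound traffic has a routable source without natd, written out as an added FreeBSD 9.x configuration example. It is not from the thread or from Chad's machines: the jail name, paths, em0 and the 1.2.3.5 public alias are assumed, and the addressing follows Mark's sketch above. The pf rules are the piece a practitioner would add so that the public alias does not quietly become an Internet-facing service: only peers on the same public /24 may open connections to it, while replies to the jail's own outbound connections return via state.

```conf
# /etc/rc.conf (FreeBSD 9.x rc.d/jail syntax; names and addresses are assumed)
jail_enable="YES"
jail_list="ldap"
jail_ldap_rootdir="/usr/jails/ldap"
jail_ldap_hostname="ldap.example.net"
jail_ldap_interface="em0"
# Private address for the local jails/VPS, plus one public address so the
# jail's outbound packets leave with a routable source (no natd needed).
# Services inside the jail should bind to 192.168.1.2 only.
# /32 aliases attach to em0 and use the host's existing subnet routes.
jail_ldap_ip="192.168.1.2/32,1.2.3.5/32"
jail_ldap_devfs_enable="YES"
pf_enable="YES"

# /etc/pf.conf
ext_if   = "em0"
lan      = "1.2.3.0/24"      # the public VLAN shared with the other VPS
jail_pub = "1.2.3.5"         # the jail's public alias
set skip on lo0
# replies to connections the jail opens itself come back through state
pass out on $ext_if from $jail_pub keep state
# nobody outside the local public /24 may open a connection to the alias
block in quick on $ext_if from ! $lan to $jail_pub
```

This only removes the need for natd where spending a second public address is acceptable; whether a 9.x jail with a private address alone can still pick a usable source address is the open question of the thread, and this example does not answer it.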


RIP routing protocol implementation in FreeBSD?

2012-01-30 Thread Kaya Saman

Hi there,

does anyone know if there's an implementation of the RIP version 2 
routing protocol in FreeBSD?



I would like to use it to exchange routes with my Cisco 857W router as 
the BSD machine will provide routing for a virtual test network in VBox.



I did check out the handbook for the enable_routerd=YES and have used 
that before as default gateway of 'last-resort' with NAT but never RIP 
as I don't want to use NAT in this case.



OpenBSD definitely has it but since am more familiar with FreeBSD I 
thought let's try here first :-)


Can anyone help me out?


Regards,


Kaya


Re: RIP routing protocol implementation in FreeBSD?

2012-01-30 Thread Michael Sierchio
On Mon, Jan 30, 2012 at 10:33 AM, Kaya Saman kayasa...@gmail.com wrote:
 Hi there,

 does anyone know if there's an implementation of the RIP version 2 routing
 protocol in FreeBSD???

man routed

 The routed utility is a daemon invoked at boot time to manage the network
 routing tables.  It uses Routing Information Protocol, RIPv1 (RFC 1058),
 RIPv2 (RFC 1723), and Internet Router Discovery Protocol (RFC 1256) to
 maintain the kernel routing table.

router_enable="YES" in /etc/rc.conf

this has nothing to do with NAT, btw.


Re: RIP routing protocol implementation in FreeBSD?

2012-01-30 Thread Eric Masson
Kaya Saman kayasa...@gmail.com writes:

Hi,

 does anyone know if there's an implementation of the RIP version 2
 routing protocol in FreeBSD???

man 8 routed

 I did check out the handbook for the enable_routerd=YES

I'd try routed_enable = YES instead.

Regards

Éric Masson

-- 
 I'm crossposting to fr.rec.moto for this sad example of intolerance. [...]
 PS: Sorry, my news software doesn't allow follow-ups and I certainly
 won't change it to please you.
 -+- CC in Guide du Neuneu Usenet - Bien configurer son incompétence -+-


Re: RIP routing protocol implementation in FreeBSD?

2012-01-30 Thread Eric Masson
Eric Masson e...@free.fr writes:

Sorry, Followup to myself.

 I'd try routed_enable = YES instead.

router_enable = YES as Michael stated in another post.

Regards

Éric Masson

-- 
  and tells me there was a screw-up with the whatsit server and that it
  caused a big server crash. WHERE is the screw-up?
 You should have picked the thingamajig server, that's why.
 -+- EJ in guide du linuxien pervers - Tout ça c'est de la bidouille -+-


Re: RIP routing protocol implementation in FreeBSD?

2012-01-30 Thread Kaya Saman

On 01/30/2012 06:47 PM, Michael Sierchio wrote:

On Mon, Jan 30, 2012 at 10:33 AM, Kaya Samankayasa...@gmail.com  wrote:

Hi there,

does anyone know if there's an implementation of the RIP version 2 routing
protocol in FreeBSD???

man routed

  The routed utility is a daemon invoked at boot time to manage the network
  routing tables.  It uses Routing Information Protocol, RIPv1 (RFC 1058),
  RIPv2 (RFC 1723), and Internet Router Discovery Protocol (RFC 1256) to
  maintain the kernel routing table.

router_enable=YES in /etc/rc.conf

this has nothing to do with NAT, btw.


Thanks for the response. sorry I think I wasn't getting my point 
through clearly enough.


Am Cisco Engineer so know the difference between NAT, PAT, Static 
routing and dynamic routing ;-)


Yep I read about it in the handbook and yes I have used it before but 
not for dynamic routing.


The NAT'ing is what I did previously and was just mentioning what I 
'had' used before. which was everything but dynamic routing on 
FreeBSD 8.0 :-)



P.s. sorry if what I'm trying to say isn't getting out clearly enough :-)


Regards,


Kaya


Re: RIP routing protocol implementation in FreeBSD?

2012-01-30 Thread Kaya Saman

On 01/30/2012 06:53 PM, Eric Masson wrote:

Kaya Samankayasa...@gmail.com  writes:

Hi,


does anyone know if there's an implementation of the RIP version 2
routing protocol in FreeBSD???

man 8 routed


I did check out the handbook for the enable_routerd=YES

I'd try routed_enable = YES instead.

Regards

Éric Masson



Syntax blooper. It's sometimes hard to remember 'EVERYTHING' but 
once I see the /etc/rc.conf file I will know what is needed and how it's 
used :-)



Thanks for the correction though.


Regards,

Kaya


Re: RIP routing protocol implementation in FreeBSD?

2012-01-30 Thread Kaya Saman

On 01/30/2012 07:11 PM, Eric Masson wrote:

Eric Massone...@free.fr  writes:

Sorry, Followup to myself.


I'd try routed_enable = YES instead.

router_enable = YES as Michael stated in another post.

Regards

Éric Masson



The generic syntax of rc.conf is like so (using mine as example):

zfs_enable="YES"
nfs_server_flags="-a -t -n 4"
nfs_server_enable="YES"
rpc_statd_enable="YES"
rpc_lockd_enable="YES"
rpcbind_enable="YES"
mountd_enable="YES"
mountd_flags="-r"
munin_node_enable="NO"
zabbix_server_enable="NO"
zabbix_agentd_enable="NO"
icecast_enable="NO"
darkice_enable="NO"
fail2ban_enable="YES"

implying:

routerd_enable="YES"


:-) :-) :-)


Best regards,


Kaya


Re: RIP routing protocol implementation in FreeBSD?

2012-01-30 Thread Kaya Saman

snip

I'd try routed_enable = YES instead.

Regards

Éric Masson



I have now setup a virtual instance of FreeBSD and another machine 
running Bind9 on OpenBSD.



I can tell that the system is receiving RIP updates as netstat -r shows 
the routes advertised by my router however, it seems that RIP isn't 
being advertised by FreeBSD.


My /etc/rc.conf file looks as such:

router_enable="YES"
router_flags="-P ripv2 ripv2_out"

From the manual I wasn't quite sure if I needed to put the above 
'router_flags' syntax or if:


ripv2
ripv2_out

should be put in the /etc/gateways file.

I tried Google'ing around but found almost no information on how to use 
the service.


However, on bootup the system claims: switch to trace file ripv2_out.


Running: sh ip route in the IOS only shows the C (connected routes) or 
S* (the gateway of last resort) but no dynamic RIP updates R.



Ok got something wrong here???


Can anyone assist.


Regards,

Kaya
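The routed(8) setup Kaya is after, as an added configuration example rather than Kaya's own files: em0 and vboxnet0 are assumed interface names, the key and the IOS network statement are placeholders. The per-interface parameters go into /etc/gateways instead of router_flags; routed takes a single parameter string after -P, and a leftover word on its command line is treated as the trace-file argument, which is consistent with the "switch to trace file ripv2_out" line Kaya saw. The security-relevant settings are the ones that stop any host on the segment from injecting routes: RIPv1 is refused, announcements are MD5-authenticated (RFC 2082), and the host-only test side never speaks RIP at all. The Cisco fragment shows the matching key chain; the IOS key number must equal the KeyID after the "|" in md5_passwd.

```conf
# /etc/rc.conf (added example; the real defaults live in /etc/defaults/rc.conf)
gateway_enable="YES"        # forward between the VirtualBox side and the LAN
router_enable="YES"
router="/sbin/routed"
# The default router_flags is "-q": listen only, never announce anything.
# -s supplies routes to neighbours. Per-interface settings are clearer in
# /etc/gateways than in a -P argument, which takes exactly one parms string.
router_flags="-s"

# /etc/gateways (routed(8) parameter file; one "if=" line per interface)
# LAN towards the Cisco: RIPv2 only, MD5-authenticated, key ID 1.
# Unauthenticated or RIPv1 announcements from other hosts on the segment are ignored.
if=em0 ripv2 no_ripv1_in no_ripv1_out md5_passwd=s3cretKey|1
# Host-only side for the VirtualBox guests: announce nothing, accept nothing.
if=vboxnet0 no_rip

! Cisco 857W side (IOS); interface and network are assumed
key chain RIPKEYS
 key 1
  key-string s3cretKey
!
interface Vlan1
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEYS
!
router rip
 version 2
 network 192.168.0.0
 no auto-summary
```

After restarting routed (`service routed restart` or `/etc/rc.d/routed restart`), `routed -t` run by hand, or `rtquery -n <router>`, shows whether the Cisco's RIPv2 responses are accepted; a mismatched key shows up as authentication failures in routed's syslog output, and "R" entries in "sh ip route" confirm the FreeBSD box is now announcing.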


Displaying Routing Tables

2012-01-27 Thread Chris Maness
Executing route under linux displays all of the routing info for that
host.  For the life of me I cannot figure out how to get the BSD route
command to dump the whole table at once.  I have used the GET flag to
find one specific entry.  Is it possible to see all routes at once
like the Linux route command?

Thanks,
Chris Maness


Re: Displaying Routing Tables

2012-01-27 Thread Chris Maness
On Fri, Jan 27, 2012 at 9:38 PM, Bernt Hansson b...@bananmonarki.se wrote:
 2012-01-28 05:40, Chris Maness skrev:

 Executing route under linux displays all of the routing info for that
 host.  For the life of me I cannot figure out how to get the BSD route
 command to dump the whole table at once.  I have used the GET flag to
 find one specific entry.  Is it possible to see all routes and once
 like the Linux route command?


 netstat -r

Thanks Guys,
Chris Maness


Re: wireless and/or routing question

2012-01-13 Thread Waitman Gobble
On Thu, Jan 12, 2012 at 11:29 PM, Da Rock 
freebsd-questi...@herveybayaustralia.com.au wrote:

 On 01/13/12 17:11, Waitman Gobble wrote:

 On Thu, Jan 12, 2012 at 10:04 PM, Da Rock
 freebsd-questi...@herveybayaustralia.com.au wrote:

  On 01/13/12 15:29, Waitman Gobble wrote:

  Hello,

 I am running 9.0-RC3 i386 on an Acer Aspire One D150. i am having
 trouble
 with the wireless setup.

 I have two wireless cards, the BCM94312MCG that came with it, and an
 Atheros 5424/2424 that i swapped out. I can run the BCM with ndis and
 the
 windows xp driver, and the Atheros with the ath driver that is installed
 with FreeBSD. (But BCM/ndis is noticeably much slower, Atheros - no
 green
 wireless light appears on netbook )

  i am getting the same results with either nic card, and i think i am
 just
 missing something simple.


 ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
         ether 00:24:2b:ad:d6:5f
         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
         media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
         status: associated

 wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         ether 00:24:2b:ad:d6:5f
         inet 10.0.0.21 netmask 0xffffff00 broadcast 10.0.0.255
         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
         media: IEEE 802.11 Wireless Ethernet OFDM/24Mbps mode 11g
         status: associated
         ssid CUDAPANG channel 6 (2437 MHz 11g) bssid 00:22:3f:9b:b8:aa
         regdomain 101 indoor ecm authmode OPEN privacy ON deftxkey 1
         wepkey 1:104-bit txpower 20 bmiss 7 scanvalid 60 bgscan
         bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
         wme burst

 connecting:

 ifconfig wlan0 create wlandev ath0
 ifconfig wlan0 up scan
 ifconfig wlan0 inet 10.0.0.21 netmask 255.255.255.0 ssid CUDAPANG
 wepmode
 on weptxkey 1 wepkey 1:0x10961323931B628F844360718A


 scan results:

 p00ntang# ifconfig wlan0 up scan
 SSID/MESH ID    BSSID              CHAN RATE   S:N     INT CAPS
 CUDAPANG        00:22:3f:9a:16:1b    6   54M -69:-93  100 EPS  ATH
 CUDAPANG        00:22:3f:9b:b8:aa    6   54M -68:-93  100 EPS  WME ATH
 Abujie          00:14:6c:7a:98:ec    6   54M -89:-93  100 EPS  RSN WPA ATH TDMA
 chavez family   00:c0:02:11:22:33    6   54M -88:-93  100 EP   HTCAP RSN WME WPS

 My machine shows up on the wireless router as a connected device w/
 correct mac and ip showing

 But i cannot ping gw, no machine on lan or outside. (no route to host)

 p00ntang# netstat -nr
 Routing tables

 Internet:
 Destination        Gateway            Flags    Refs      Use  Netif Expire
 default            10.0.0.1           UGS         0     3338   ale0
 10.0.0.0/24        link#2             U           0     2405   ale0
 10.0.0.20          link#2             UHS         0        0    lo0
 10.0.0.21          link#9             UHS         0        2    lo0
 127.0.0.1          link#8             UH          0       12    lo0

 I do not see ath0' or wlan0 in the routing table under 'Netif', not
 sure
 if that's the problem :)


 p00ntang# less /etc/rc.conf
 hostname="p00ntang"
 ifconfig_ale0="inet 10.0.0.20 netmask 255.255.255.0"
 defaultrouter="10.0.0.1"
 sshd_enable="YES"
 ntpd_enable="YES"
 # Set dumpdev to AUTO to enable crash dumps, NO to disable
 dumpdev="NO"
 fusefs_enable="YES"
 hald_enable="YES"
 dbus_enable="YES"
 moused_enable="YES"
 snddetect_enable="YES"
 mixer_enable="YES"
 avahi_daemon_enable="YES"
 ices0_enable="YES"


 p00ntang# grep ath /boot/loader.conf
 if_ath_load=YES
 p00ntang# grep wlan /boot/loader.conf
 wlan_wep_load=YES
 wlan_ccmp_load=YES
 wlan_tkip_load=YES



 i've tried /etc/rc.d/routing restart.. no worky :)

 here's my wired connection ifconfig  --- wired connection works :)

 ale0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=c319a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
         ether 00:23:5a:59:e1:e4
         inet 10.0.0.20 netmask 0xffffff00 broadcast 10.0.0.255
         inet6 fe80::223:5aff:fe59:e1e4%ale0 prefixlen 64 scopeid 0x2
         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active




 any help/suggestions much appreciated!

  The solution is simple, but I know the frustration well.

 Your problem is that the route is looking to go through your wired network
 port; you started the network on the wired and then switched to wifi, so the
 routing needs to change.

 Run as root: route change default -interface wlan0 will fix that
 temporarily. To fix it permanently (better for a laptop situation anyway, I
 feel), set up a lagg port including ale0 and wlan0. See
 http://www.freebsd.org/doc/handbook/network-aggregation.html


 Good luck and happy networking

Re: wireless and/or routing question

2012-01-13 Thread Matthias Apitz
On Friday, January 13, 2012 at 07:03:11AM -0800, Waitman Gobble wrote:

 Hi,
 
 Thanks. I've always heard countless rumors about WPA being wise :) I'll
 take your advice and take a step up in technology. My stubborn
 conservatism probably roots back to the time when not all devices could do
 WPA, or at least I had crazy trouble getting things to work. But this
 learned attitude was probably around 2000, which was like a million years
 ago with dinosaurs and stuff. Time for me to finally get with it.
 
 ...

Concerning WEP vs. WPA: from the technical point of view it is clear, WPA is
more secure; but there are other aspects as well; we have had in Germany
cases where the WAN IP of the AP appeared as source addr of some kind of
crime (access to child porn or whatever) and the AP owner said: "I'm
using WEP, it was not me, and someone hijacked my AP" ... and he/she
went home a free person.

matthias
-- 
Matthias Apitz
e g...@unixarea.de - w http://www.unixarea.de/
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5


Re: wireless and/or routing question

2012-01-13 Thread Warren Block

On Thu, 12 Jan 2012, Waitman Gobble wrote:


Hello,

I am running 9.0-RC3 i386 on an Acer Aspire One D150. i am having trouble
with the wireless setup.

I have two wireless cards, the BCM94312MCG that came with it, and an
Atheros 5424/2424 that i swapped out. I can run the BCM with ndis and the
windows xp driver, and the Atheros with the ath driver that is installed
with FreeBSD. (But BCM/ndis is noticeably much slower, Atheros - no green
wireless light appears on netbook )


On other models of the Aspire One (AOA150 and D250), adding some 
ath-specific settings to /boot/loader.conf enables the LED:


dev.ath.0.ledpin=3
dev.ath.0.softled=1


Re: wireless and/or routing question

2012-01-13 Thread Waitman Gobble
On Jan 13, 2012 7:19 AM, Matthias Apitz g...@unixarea.de wrote:

 On Friday, January 13, 2012 at 07:03:11AM -0800, Waitman Gobble
 wrote:

  Hi,
 
  Thanks. I've always heard countless rumors about WPA being wise :) I'll
  take your advice and take a step up in technology. My stubborn
  conservatism probably roots back to the time when not all devices
could do
  WPA, or at least I had crazy trouble getting things to work. But this
  learned attitude was probably around 2000, which was like a million
years
  ago with dinosaurs and stuff. Time for me to finally get with it.
 
  ...

 Concerning WEP vs. WPA: from the technical point of view it is clear, WPA is
 more secure; but there are other aspects as well; we have had in Germany
 cases where the WAN IP of the AP appeared as source addr of some kind of
 crime (access to child porn or whatever) and the AP owner said: "I'm
 using WEP, it was not me, and someone hijacked my AP" ... and he/she
 went home a free person.

matthias
 --
 Matthias Apitz
 e g...@unixarea.de - w http://www.unixarea.de/
 UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
 UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5

thanks, going to try WPA this weekend.

My apartment is not so convenient for drive-by scanners (can't think of the
proper term at the moment) but i do have at least one neighbor who appears
potentially suspect.. like he might try to hack my ap for fun.

Waitman


Re: wireless and/or routing question

2012-01-13 Thread Waitman Gobble
On Jan 13, 2012 7:38 AM, Warren Block wbl...@wonkity.com wrote:

 On Thu, 12 Jan 2012, Waitman Gobble wrote:

 Hello,

 I am running 9.0-RC3 i386 on an Acer Aspire One D150. i am having trouble
 with the wireless setup.

 I have two wireless cards, the BCM94312MCG that came with it, and an
 Atheros 5424/2424 that i swapped out. I can run the BCM with ndis and the
 windows xp driver, and the Atheros with the ath driver that is installed
 with FreeBSD. (But BCM/ndis is noticeably much slower, Atheros - no green
 wireless light appears on netbook )


 On other models of the Aspire One (AOA150 and D250), adding some
ath-specific settings to /boot/loader.conf enables the LED:

 dev.ath.0.ledpin=3
 dev.ath.0.softled=1

cool thanks ill try it out.

Waitman


Re: wireless and/or routing question

2012-01-13 Thread Da Rock

On 01/14/12 01:38, Warren Block wrote:

On Thu, 12 Jan 2012, Waitman Gobble wrote:


Hello,

I am running 9.0-RC3 i386 on an Acer Aspire One D150. i am having 
trouble

with the wireless setup.

I have two wireless cards, the BCM94312MCG that came with it, and an
Atheros 5424/2424 that i swapped out. I can run the BCM with ndis and 
the

windows xp driver, and the Atheros with the ath driver that is installed
with FreeBSD. (But BCM/ndis is noticeably much slower, Atheros - no 
green

wireless light appears on netbook )


On other models of the Aspire One (AOA150 and D250), adding some 
ath-specific settings to /boot/loader.conf enables the LED:


dev.ath.0.ledpin=3
dev.ath.0.softled=1

I'm curious as to how you can find out which pin to use in this setting?


Re: wireless and/or routing question UPDATE - WPA

2012-01-13 Thread Waitman Gobble
On Fri, Jan 13, 2012 at 8:34 AM, Waitman Gobble gobble...@gmail.com wrote:


 On Jan 13, 2012 7:19 AM, Matthias Apitz g...@unixarea.de wrote:
 
  On Friday, January 13, 2012 at 07:03:11AM -0800, Waitman Gobble
  wrote:
 
   Hi,
  
   Thanks. I've always heard countless rumors about WPA being wise :) I'll
   take your advice and take a step up in technology. My stubborn
   conservatism probably roots back to the time when not all devices
 could do
   WPA, or at least I had crazy trouble getting things to work. But this
   learned attitude was probably around 2000, which was like a million
 years
   ago with dinosaurs and stuff. Time for me to finally get with it.
  
   ...
 
  Concerning WEP vs. WPA: from the technical point of view it is clear, WPA is
  more secure; but there are other aspects as well; we have had in Germany
  cases where the WAN IP of the AP appeared as source addr of some kind of
  crime (access to child porn or whatever) and the AP owner said: "I'm
  using WEP, it was not me, and someone hijacked my AP" ... and he/she
  went home a free person.
 
 matthias
  --
  Matthias Apitz
  e g...@unixarea.de - w http://www.unixarea.de/
  UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
  UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5

 thanks, going to try WPA this weekend.

 My apartment is not so convenient for drive-by scanners (can't think of the
 proper term at the moment) but i do have at least one neighbor who appears
 potentially suspect.. like he might try to hack my ap for fun.

 Waitman



Hi,

Today I picked up a D-Link DIR-815 and set it up for WPA with TKIP/PSK.
I believe i followed the instructions in the FreeBSD handbook. However, the
wpa_supplicant appears to hang indefinitely. If i control-c it barfs out an
error.

This clones ale0 wired NIC MAC to ath0 wireless NIC for lagg

ifconfig ath0 ether 00:23:5a:59:e1:e4
ifconfig wlan0 create wlandev ath0 ssid BOOTAY
ifconfig wlan0 up scan




here's the wpa_supplicant that's hanging:

wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf




p00ntang# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
Trying to associate with 1c:7e:e5:de:ed:52 (SSID='BOOTAY' freq=2452 MHz)
Associated with 1c:7e:e5:de:ed:52
WPA: Key negotiation completed with 1c:7e:e5:de:ed:52 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 1c:7e:e5:de:ed:52 completed (auth)
[id=0 id_str=]


^CCTRL-EVENT-TERMINATING - signal 2 received
ioctl[SIOCS80211, op 20, len 7]: Can't assign requested address
ELOOP: remaining socket: sock=4 eloop_data=0x284081c0 user_data=0x28412080
handler=0x806d620


If I terminate with ampersand to run asynchronously it keeps running and i
have a wireless connection - it works.

p00ntang# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf &


I guess that makes sense but the handbook is not clear to me that it's to
be done this way. It's the first time i've set up WPA on FreeBSD so i'm not
100% about what to expect.

i am noticing messages about rekeying, so maybe the wpa-supplicant is
supposed to keep running.

here's /etc/wpa_supplicant.conf

network={
    ssid="BOOTAY"
    psk="PASSWORD GOES HERE"
}


here's the rest of the lagg to set wired/wireless interface with a failover
configuration. this is pretty clear in the handbook but i'll put it here in
case someone runs across the thread in the future.

ifconfig ale0 up
ifconfig wlan0 up
ifconfig lagg0 create
ifconfig lagg0 up laggproto failover laggport ale0 laggport wlan0
10.0.0.20/24



Thanks
Waitman


Re: wireless and/or routing question UPDATE - WPA

2012-01-13 Thread Da Rock

On 01/14/12 16:28, Waitman Gobble wrote:

On Fri, Jan 13, 2012 at 8:34 AM, Waitman Gobblegobble...@gmail.com  wrote:


On Jan 13, 2012 7:19 AM, Matthias Apitzg...@unixarea.de  wrote:

On Friday, January 13, 2012 at 07:03:11AM -0800, Waitman Gobble

wrote:

Hi,

Thanks. I've always heard countless rumors about WPA being wise :) I'll
take your advice and take a step up in technology. My stubborn
conservatism probably roots back to the time when not all devices

could do

WPA, or at least I had crazy trouble getting things to work. But this
learned attitude was probably around 2000, which was like a million

years

ago with dinosaurs and stuff. Time for me to finally get with it.

...

Concerning WEP vs. WPA: from the technical point of view it is clear, WPA is
more secure; but there are other aspects as well; we have had in Germany
cases where the WAN IP of the AP appeared as source addr of some kind of
crime (access to child porn or whatever) and the AP owner said: "I'm
using WEP, it was not me, and someone hijacked my AP" ... and he/she
went home a free person.

matthias
--
Matthias Apitz
eg...@unixarea.de  - w http://www.unixarea.de/
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5

thanks, going to try WPA this weekend.

My apartment is not so convenient for drive-by scanners (can't think of the
proper term at the moment) but i do have at least one neighbor who appears
potentially suspect.. like he might try to hack my ap for fun.

Waitman



Hi,

Today I picked up a D-Link DIR-815 and set it up for WPA with TKIP/PSK.
I believe i followed the instructions in the FreeBSD handbook. However, the
wpa_supplicant appears to hang indefinitely. If i control-c it barfs out an
error.

This clones ale0 wired NIC MAC to ath0 wireless NIC for lagg

ifconfig ath0 ether 00:23:5a:59:e1:e4
ifconfig wlan0 create wlandev ath0 ssid BOOTAY
ifconfig wlan0 up scan




here's the wpa_supplicant that's hanging:

wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf




p00ntang# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
Trying to associate with 1c:7e:e5:de:ed:52 (SSID='BOOTAY' freq=2452 MHz)
Associated with 1c:7e:e5:de:ed:52
WPA: Key negotiation completed with 1c:7e:e5:de:ed:52 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 1c:7e:e5:de:ed:52 completed (auth)
[id=0 id_str=]


^CCTRL-EVENT-TERMINATING - signal 2 received
ioctl[SIOCS80211, op 20, len 7]: Can't assign requested address
ELOOP: remaining socket: sock=4 eloop_data=0x284081c0 user_data=0x28412080
handler=0x806d620


If I terminate with ampersand to run asynchronously it keeps running and i
have a wireless connection - it works.

p00ntang# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf &


I guess that makes sense but the handbook is not clear to me that it's to
be done this way. It's the first time i've set up WPA on FreeBSD so i'm not
100% about what to expect.

i am noticing messages about rekeying, so maybe the wpa-supplicant is
supposed to keep running.

here's /etc/wpa_supplicant.conf

network={
    ssid="BOOTAY"
    psk="PASSWORD GOES HERE"
}


here's the rest of the lagg to set wired/wireless interface with a failover
configuration. this is pretty clear in the handbook but i'll put it here in
case someone runs across the thread in the future.

ifconfig ale0 up
ifconfig wlan0 up
ifconfig lagg0 create
ifconfig lagg0 up laggproto failover laggport ale0 laggport wlan0
10.0.0.20/24

Just stick the config in rc.conf and make sure you include WPA in the 
wlan0 definition. It will just work then.


For reference, to run wpa_supplicant from the cli you usually add -B 
in the flags to daemonise it, and run in the background; otherwise it 
will run in the foreground for debugging purposes.

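Waitman's manual sequence (MAC clone, wlan0 with wpa_supplicant, lagg0 failover) and Da Rock's advice to put it all in rc.conf, combined into one added configuration example. These are not Waitman's files: the interface names, the MAC and the SSID are taken from his posts, and the create_args_wlan0 form for the MAC clone is assumed from the current handbook (older handbooks set the address with ifconfig_ath0="ether ..."). The wpa_supplicant.conf part also tightens what the thread configured: WPA2 (RSN) with AES-CCMP instead of WPA/TKIP, which the DIR-815 has to be switched to as well, and the file kept mode 0600 because it holds the PSK. With ifconfig_wlan0="WPA", rc starts wpa_supplicant in the background itself, so the foreground-vs-"-B" question from the thread does not arise.

```conf
# /etc/rc.conf (added example; names from the thread)
hostname="p00ntang"
ifconfig_ale0="up"
wlans_ath0="wlan0"
# clone the wired MAC onto the wireless clone so lagg failover is transparent
create_args_wlan0="wlanaddr 00:23:5a:59:e1:e4"
ifconfig_wlan0="WPA"
cloned_interfaces="lagg0"
# wired port preferred, wireless takes over when the cable is unplugged
ifconfig_lagg0="up laggproto failover laggport ale0 laggport wlan0 10.0.0.20/24"
defaultrouter="10.0.0.1"

# /etc/wpa_supplicant.conf   (chmod 600 /etc/wpa_supplicant.conf: the PSK lives here)
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="BOOTAY"
    # WPA2 with AES-CCMP only: no WPA1/TKIP fallback, no WEP
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    # 8-63 character passphrase in quotes, or the 64-hex key from wpa_passphrase(8) unquoted
    psk="PASSWORD GOES HERE"
}
```

`ifconfig wlan0 list scan` shows which access points advertise RSN (the "RSN" entry in the CAPS column of Waitman's scan output); an AP still set to WPA/TKIP will not associate with this profile until it is switched to WPA2-AES, and `wpa_cli status` reports the negotiated pairwise cipher once it does.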


wireless and/or routing question

2012-01-12 Thread Waitman Gobble
Hello,

I am running 9.0-RC3 i386 on an Acer Aspire One D150. I am having trouble
with the wireless setup.

I have two wireless cards, the BCM94312MCG that came with it, and an
Atheros 5424/2424 that I swapped out. I can run the BCM with ndis and the
Windows XP driver, and the Atheros with the ath driver that is installed
with FreeBSD. (But BCM/ndis is noticeably much slower; with the Atheros no green
wireless light appears on the netbook.)

I am getting the same results with either NIC, and I think I am just
missing something simple.


ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
	ether 00:24:2b:ad:d6:5f
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
	status: associated

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:24:2b:ad:d6:5f
	inet 10.0.0.21 netmask 0xffffff00 broadcast 10.0.0.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: IEEE 802.11 Wireless Ethernet OFDM/24Mbps mode 11g
	status: associated
	ssid CUDAPANG channel 6 (2437 MHz 11g) bssid 00:22:3f:9b:b8:aa
	regdomain 101 indoor ecm authmode OPEN privacy ON deftxkey 1
	wepkey 1:104-bit txpower 20 bmiss 7 scanvalid 60 bgscan
	bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
	wme burst

connecting:

ifconfig wlan0 create wlandev ath0
ifconfig wlan0 up scan
ifconfig wlan0 inet 10.0.0.21 netmask 255.255.255.0 ssid CUDAPANG wepmode on weptxkey 1 wepkey 1:0x10961323931B628F844360718A


scan results:

p00ntang# ifconfig wlan0 up scan
SSID/MESH ID    BSSID              CHAN RATE   S:N     INT CAPS
CUDAPANG        00:22:3f:9a:16:1b    6   54M -69:-93  100 EPS  ATH
CUDAPANG        00:22:3f:9b:b8:aa    6   54M -68:-93  100 EPS  WME ATH
Abujie          00:14:6c:7a:98:ec    6   54M -89:-93  100 EPS  RSN WPA ATH TDMA
chavez family   00:c0:02:11:22:33    6   54M -88:-93  100 EP   HTCAP RSN WME WPS

My machine shows up on the wireless router as a connected device w/
correct mac and ip showing

But i cannot ping gw, no machine on lan or outside. (no route to host)

p00ntang# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.1           UGS         0     3338   ale0
10.0.0.0/24        link#2             U           0     2405   ale0
10.0.0.20          link#2             UHS         0        0    lo0
10.0.0.21          link#9             UHS         0        2    lo0
127.0.0.1          link#8             UH          0       12    lo0

I do not see 'ath0' or 'wlan0' in the routing table under 'Netif'; not sure
if that's the problem :)


p00ntang# less /etc/rc.conf
hostname="p00ntang"
ifconfig_ale0="inet 10.0.0.20 netmask 255.255.255.0"
defaultrouter="10.0.0.1"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
fusefs_enable="YES"
hald_enable="YES"
dbus_enable="YES"
moused_enable="YES"
snddetect_enable="YES"
mixer_enable="YES"
avahi_daemon_enable="YES"
ices0_enable="YES"


p00ntang# grep ath /boot/loader.conf
if_ath_load="YES"
p00ntang# grep wlan /boot/loader.conf
wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"



I've tried /etc/rc.d/routing restart.. no worky :)

Here's my wired connection ifconfig --- wired connection works :)

ale0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c319a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
	ether 00:23:5a:59:e1:e4
	inet 10.0.0.20 netmask 0xffffff00 broadcast 10.0.0.255
	inet6 fe80::223:5aff:fe59:e1e4%ale0 prefixlen 64 scopeid 0x2
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active




any help/suggestions much appreciated!


Thank you,

Waitman Gobble
San Jose California USA


Re: wireless and/or routing question

2012-01-12 Thread Waitman Gobble
On Thu, Jan 12, 2012 at 9:29 PM, Waitman Gobble gobble...@gmail.com wrote:

 Hello,

 I am running 9.0-RC3 i386 on an Acer Aspire One D150. i am having trouble
 with the wireless setup.


Hi, update-

I noticed if I start routed it complains...
p00ntang# routed
p00ntang# routed: wlan0 (10.0.0.21/24) is duplicated by ale0 (10.0.0.20/24)


So I tried shutting off ale0... now I can ping the gw but still no luck getting
outside. :(

p00ntang# ifconfig ale0 down
p00ntang# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=3.381 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=2.499 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=2.893 ms
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.499/2.924/3.381/0.361 ms
p00ntang# ping google.com
PING google.com (74.125.224.116): 56 data bytes
ping: sendto: Network is down


Now I feel like i need to go back to networking school 101. lol.

If anyone has a hint to solve my routing situation I'd really appreciate it!

Thanks,

Waitman Gobble
San Jose California USA


Re: wireless and/or routing question

2012-01-12 Thread Da Rock

On 01/13/12 15:29, Waitman Gobble wrote:

[...]

The solution is simple, but I know the frustration well.

Your problem is that the route is looking to go through your wired 
network port, you started the network on the wired and then switched to 
wifi so the routing needs to change.


Run as root: route change default -interface wlan0 will fix that 
temporarily. To fix it permanently (better for a laptop situation 
anyway, I feel), setup a lagg port including ale0 and wlan0. See 
http://www.freebsd.org/doc/handbook/network-aggregation.html


Good luck and happy networking!
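A worked rc.conf for the failover setup recommended above and in the lagg thread earlier on this page, written here as an added example rather than taken from either poster. It assumes the interfaces and addresses from the ifconfig output above (ale0 wired with MAC 00:23:5a:59:e1:e4, ath0 wireless, 10.0.0.20/24, gateway 10.0.0.1) and that the access point has been moved from WEP to WPA2-PSK: the CUDAPANG network above runs open-authentication WEP, which is recoverable in minutes from captured traffic, so a WPA configuration is the only one worth writing down.

```sh
# /etc/rc.conf -- wired/wireless failover with WPA (added example; interface
# names and addresses are the ones from this thread)
ifconfig_ale0="up"
wlans_ath0="wlan0"
# lagg(4) failover needs every port to carry the same MAC, and a wireless
# MAC can only be set when the wlan is created, so give wlan0 the wired
# card's address up front. 00:23:5a:59:e1:e4 is ale0's MAC from above.
create_args_wlan0="wlanaddr 00:23:5a:59:e1:e4"
# "WPA" makes rc(8) start wpa_supplicant -B for wlan0 using
# /etc/wpa_supplicant.conf; the daemon has to stay running to rekey.
ifconfig_wlan0="WPA"
# The address lives on lagg0 only. Neither ale0 nor wlan0 gets its own
# address, so there is exactly one 10.0.0.0/24 route and one default route,
# and routed's "duplicated by ale0" complaint goes away.
cloned_interfaces="lagg0"
ifconfig_lagg0="up laggproto failover laggport ale0 laggport wlan0 10.0.0.20/24"
defaultrouter="10.0.0.1"

# /etc/wpa_supplicant.conf -- chmod 600, it holds the passphrase
# (assumed network parameters: WPA2-PSK with CCMP on SSID CUDAPANG)
network={
	ssid="CUDAPANG"
	proto=RSN
	key_mgmt=WPA-PSK
	pairwise=CCMP
	psk="passphrase goes here"
}
```

After `service netif restart` (or a reboot), `ifconfig lagg0` should list ale0 as the active port with wlan0 standing by, since failover sends through the first port that has link; `netstat -rn` should show a single 10.0.0.0/24 route and the default route on lagg0. Unplugging the cable moves traffic to wlan0 without changing the address or the routing table.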


Re: wireless and/or routing question

2012-01-12 Thread Waitman Gobble
On Thu, Jan 12, 2012 at 10:04 PM, Da Rock 
freebsd-questi...@herveybayaustralia.com.au wrote:

 [...]

 The solution is simple, but I know the frustration well.

 Your problem is that the route is looking to go through your wired network
 port, you started the network on the wired and then switched to wifi so the
 routing needs to change.

 Run as root: route change default -interface wlan0 will fix that
 temporarily. To fix it permanently (better for a laptop situation anyway, I
 feel), setup a lagg port including ale0 and wlan0. See
 http://www.freebsd.org/doc/handbook/network-aggregation.html

 Good luck and happy networking!



Thanks, that's very helpful - seems

Re: wireless and/or routing question

2012-01-12 Thread Da Rock

On 01/13/12 17:11, Waitman Gobble wrote:

On Thu, Jan 12, 2012 at 10:04 PM, Da Rock
freebsd-questi...@herveybayaustralia.com.au  wrote:


[...]

Thanks, that's very helpful - seems to be the issue. Getting rid of my ale0
ifconfig spec

Routing Woes

2011-09-03 Thread Monkeyfoahead
I have a question that I thought you could probably answer. I have 
set up a FreeBSD seedbox in my apartment.  This box has two internet connections 
(multi-homed server). One is an Ethernet connection behind a firewall that is 
connected to a Comcast modem. The other is my apartment's wifi. I desire to use 
the wifi for torrenting and my connection for http, ftp, and ssh access. The 
proper ports have been forwarded to the FreeBSD server from the firewall on the 
Comcast connection.  My problem is that when the default route is set to go over the 
wifi, I cannot access the server from the Comcast modem address. When my 
default route is set to go over the modem, my server is accessible to the 
outside world.

Due to the nature of the torrent daemon I am using, I must have the default 
route go over the wifi connection. Is there a route I can add that will fix my 
problem? 

Thanks for your help.
Jordan


ifconfig output:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
	ether 00:12:3f:a4:59:ef
	inet 10.0.1.5 netmask 0xffffff00 broadcast 10.0.1.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:1e:e5:ff:1d:49
	inet 1.1.3.153 netmask 0xffffff00 broadcast 1.1.3.255
	media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11g
	status: associated
	ssid "Elms D South" channel 9 (2452 MHz 11g) bssid 00:16:01:59:e4:c0
	regdomain FCC indoor ecm authmode OPEN privacy ON deftxkey 1
	wepkey 1:40-bit txpower 27 bmiss 7 scanvalid 450 bgscan
	bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
	wme burst roaming MANUAL

The box's routing table is as follows:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            1.1.3.1            UGS      2245   253352  wlan0   <- Wireless
1.1.3.0/24         link#5             U           1      421  wlan0
1.1.3.153          link#5             UHS         0        0    lo0
10.0.1.0/24        link#2             U           2     6098   fxp0
10.0.1.5           link#2             UHS         0        0    lo0   <- Comcast
127.0.0.1          link#4             UH          0       34    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%lo0/64                     link#4                        U           lo0
fe80::1%lo0                       link#4                        UHS         lo0
ff01:4::/32                       fe80::1%lo0                   U           lo0
ff02::%lo0/32                     fe80::1%lo0                   U           lo0




Re: Routing Woes

2011-09-03 Thread Adam Vande More
On Sat, Sep 3, 2011 at 8:16 PM, Monkeyfoahead jordanbha...@gmail.comwrote:

I have a question that I thought that you could probably answer. I
 have setup a freebsd seedbox in my apartment.  This box has two internet
 connections (multi-homed server.). One is an ethernet connection behind a
 firewall that is connected to a Comcast modem. The other is my apartment's
 wifi. I desire to use the wifi for torrenting and my connection for
 http,ftp, and ssh access. The proper ports have been forwarded to the
 freebsd server from the firewall on the Comcast connection.  My problem is
 when the default route is set to go over the wifi, i cannot access the
 server from the comcast modem address. When my default route is set to go
 over the modem, my server is accessible to the outside world.

 Due to the nature of the torrent-dameon i am using. I must have the default
 route go over the wifi connection. Is there a route i can add that will fix
 my problem?


I believe you'll want to use FIBs, e.g. setfib(1), and assign your torrent
client to use the FIB associated with your wifi.


-- 
Adam Vande More
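Adam's suggestion carried through, as an added example that is not from the thread: two routing tables on the seedbox, with the torrent daemon alone using the wifi one. Addresses are those from the posted ifconfig and netstat output (fxp0 10.0.1.5 behind the Comcast firewall at 10.0.1.1, wlan0 1.1.3.153 with gateway 1.1.3.1); `torrentd` is a placeholder for whatever daemon is actually in use.

```sh
# Added example: split the seedbox's routing into two FIBs.
#   FIB 0 (system default): everything else, default route via Comcast
#   FIB 1                 : the torrent daemon only, default route via wifi

# /boot/loader.conf -- the number of FIBs is fixed at boot
#   net.fibs=2

# /etc/rc.conf -- FIB 0 keeps the Comcast side, so replies to the forwarded
# http/ftp/ssh connections leave on fxp0, the interface they arrived on
#   defaultrouter="10.0.1.1"

# FIB 1 only lacks a default route: connected routes (1.1.3.0/24 and
# 10.0.1.0/24) are installed in every FIB when an address is configured
# (net.add_addr_allfibs=1 is the default). This is not persistent across
# reboots; run it from /etc/rc.local or an rc script.
setfib 1 route add default 1.1.3.1

# Inspect each table separately; netstat reads the FIB of the calling process
setfib 0 netstat -rn
setfib 1 netstat -rn

# Start the daemon inside FIB 1. Every socket it opens inherits the FIB, so
# its connections are routed, and source-addressed, via wlan0 (1.1.3.153).
# "torrentd" is a placeholder for the real daemon.
setfib -F 1 /usr/local/bin/torrentd

# If the daemon has an rc(8) script, rc.subr(8) on recent releases honours a
# ${name}_fib knob instead of a wrapper, e.g. in /etc/rc.conf:
#   torrentd_fib="1"
```

With this layout sshd, httpd and ftpd stay in FIB 0 and answer forwarded connections over fxp0, while the torrent traffic rides the wifi. One caveat: a FIB is a routing decision, not an access control. The daemon can still reach 10.0.1.0/24 directly through the connected route that exists in every FIB, so if it must be kept off the Comcast link entirely, add a firewall rule for its user or its traffic.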


IPSec routing (long post)

2011-05-21 Thread jhall

Ladies and Gentlemen,

First, please excuse this extremely long post.  I have tried to include 
all of the information I thought was relevant, and may have included too 
much. 

I have established an IPSec connection to our vendor using transport mode. 
However, I am having problems successfully routing the traffic.  We are using 
a pre-shared key for authentication.  The connection is successfully made.  
My vendor has verified they are able to see the connection up on their 
router and I am able to see a successful connection when running racoon in 
the foreground.  I am running FBSD 8.1. 

My external IP address is 1.2.3.4 and the vendor's is 5.6.7.8.  The 
default gateway on my system is 1.2.3.5.  My internal IP address range is 
192.168.1.0/24 and the vendor's is 192.168.2.0/24. 

Following is what I have done/tried.

Following are my entries in racoon.conf.  I have not changed any of the 
default settings for padding/spacing/etc. 

remote 5.6.7.8
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address 1.2.3.4;
        proposal_check obey;    # obey, strict, or claim
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 192.168.1.0/24 any address 192.168.2.0/24 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 3600 secs;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 3600 secs;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 1.2.3.4/32 any address 192.168.2.0/24 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 3600 secs;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# reverse of the previous entry (local external address 1.2.3.4)
sainfo address 192.168.2.0/24 any address 1.2.3.4/32 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 3600 secs;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 1.2.3.4/32 any address 5.6.7.8/32 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 3600 secs;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 5.6.7.8/32 any address 1.2.3.4/32 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 3600 secs;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 192.168.1.0/24 any address 5.6.7.8/32 any
{
        pfs_group 2;
        encryption_algorithm 3des;
        lifetime time 3600 secs;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

The following entries are made using setkey.

flush;
spdflush;
spdadd 1.2.3.4/32 5.6.7.8/32 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
spdadd 1.2.3.4/32 192.168.2.0/24 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
spdadd 192.168.1.0/24 5.6.7.8/32 any -P out ipsec esp/transport/1.2.3.4-5.6.7.8/require;
spdadd 5.6.7.8/32 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;
spdadd 192.168.2.0/24 1.2.3.4/32 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;
spdadd 5.6.7.8/32 192.168.1.0/24 any -P in ipsec esp/transport/5.6.7.8-1.2.3.4/require;

Using setkey -DP all of the entries have been made.

I see the following in the log which indicates, to me anyway, the proper 
policy has been applied. 

2011-05-21 10:10:29: DEBUG: suitable inbound SP found: 192.168.2.0/24[0] 1.2.3.4/32[0] proto=any dir=in.
2011-05-21 10:10:29: DEBUG: new acquire 1.2.3.4/32[0] 192.168.2.0/24[0] proto=any dir=out
2011-05-21 10:10:29: DEBUG: configuration found for 5.6.7.8.
2011-05-21 10:10:29: DEBUG: getsainfo params: loc='1.2.3.4', rmt='192.168.2.0/24', peer='NULL', id=0
2011-05-21 10:10:29: DEBUG: getsainfo pass #2
2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2011-05-21 10:10:29: DEBUG: evaluating sainfo: loc='192.168.1.0/24', rmt

Re: Re: IPSec routing (long post)

2011-05-21 Thread jhall

From : claudiu vasadi claudiu.vas...@gmail.com
To : jh...@socket.net
Subject : Re: IPSec routing (long post)
Date : Sat, 21 May 2011 18:45:07 +0200
  Some additional points:
 - have you been following the FreeBSD handbook on this? -
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
 - please post your ifconfig and interface settings
 - you can use tcpdump to sniff traffic off of your real network
 interface (tcpdump (-v) -i interface host vendor_ext_IP and dst
 local_ext_IP)
 - do you have options IPSEC and device crypto in your kernel?

My understanding is the handbook was using tunnel mode to connect the 
networks, and I am using transport mode.  Are these the same, and am I 
misunderstanding what I am reading? 

Jay
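For comparison with the transport-mode policies posted above, here is the tunnel-mode layout the handbook describes, written as an added example and not taken from Jay's configuration. Transport mode only protects packets whose own source and destination are the two endpoints, 1.2.3.4 and 5.6.7.8; a packet from 192.168.1.10 to 192.168.2.10 never matches a transport SA between the gateways. Traffic between the two subnets therefore needs tunnel mode, where each gateway wraps the inner packet in a new 1.2.3.4 to 5.6.7.8 ESP packet. Addresses are the ones from the post. The algorithm choices (AES-256, SHA-256, DH group 14 instead of 3DES/SHA-1/group 2) and the pre-shared-key file path are my additions and assume an ipsec-tools 0.8-era racoon; check racoon.conf(5) on the installed version for the exact keywords.

```conf
# --- /etc/ipsec.conf, loaded with: setkey -f /etc/ipsec.conf ---
# Added example. One policy per direction; the inner packets keep their
# 192.168.x.y addresses, the outer ESP packets run 1.2.3.4 <-> 5.6.7.8.
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;

# --- /usr/local/etc/racoon/racoon.conf ---
# psk.txt is mode 0600 and holds one line: "5.6.7.8 <shared secret>" (assumed path)
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote 5.6.7.8
{
        # main mode only: aggressive mode with a PSK sends an identity hash
        # that an eavesdropper can brute-force offline
        exchange_mode main;
        my_identifier address 1.2.3.4;
        peers_identifier address 5.6.7.8;
        verify_identifier on;
        proposal_check obey;
        lifetime time 86400 secs;
        proposal {
                encryption_algorithm aes 256;   # assumed keyword, see racoon.conf(5)
                hash_algorithm sha256;          # assumed keyword
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

# One sainfo per protected subnet pair. racoon selects it from the SPD
# entry, local subnet first, whether it initiates or responds.
sainfo address 192.168.1.0/24 any address 192.168.2.0/24 any
{
        pfs_group 14;
        lifetime time 3600 secs;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}
```

The kernel needs `options IPSEC` and `device crypto` (the question asked above), both gateways need net.inet.ip.forwarding=1 (gateway_enable="YES"), and any packet filter must pass UDP/500 for IKE and IP protocol 50 for ESP between 1.2.3.4 and 5.6.7.8. To verify, ping a 192.168.2.x host from a 192.168.1.x host: `setkey -D` should then list one ESP SA in each direction, and `tcpdump -ni <external interface> esp` should show the encrypted packets leaving the gateway.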



Re: OpenVPN routing

2011-04-27 Thread Maciej Milewski
On Wednesday 27 of April 2011 01:15:09, Ryan Coleman wrote:
 Maciej,
 Here you go:
 Ryan-Colemans-MacBook-Pro:~ ryanjcole$ netstat -rn
 Routing tables
 Internet:
 Destination        Gateway            Flags        Refs      Use   Netif Expire
 default            10.0.1.1           UGSc           61        0     en1
 10.0.1/24          link#5             UCS             3        0     en1
 10.0.1.1           0:23:12:f7:37:cc   UHLWI          89     1268     en1   1142
 10.0.1.2           0:14:d1:1f:79:1b   UHLWI           0      837     en1    183
 10.0.1.198         127.0.0.1          UHS             0        0     lo0
 10.0.1.255         ff:ff:ff:ff:ff:ff  UHLWbI          0        6     en1
 127                127.0.0.1          UCS             0        0     lo0
 127.0.0.1          127.0.0.1          UH              2       75     lo0
 169.254            link#5             UCS             0        0     en1
 172.16.87/24       link#7             UC              1        0     vmnet1
 172.16.87.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        3     vmnet1
 192.168.46         192.168.47.2       UGSc            0        0     tap0
 192.168.47         link#10            UC              1        0     tap0
 192.168.47.2       link#10            UHLWI           1        0     tap0

And this is with tap interfaces - I think it won't work.
Don't use bridge mode if you have two /24 subnets. I saw examples that it 
would work only if you make one subnet accessible to both the local network and 
the VPN network. Change your configuration from bridged to routed, or change your 
VPN addressing space.
If you go the routed way you may try this:
http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed

-- 
Maciej Milewski


Re: OpenVPN routing

2011-04-26 Thread Maciej Milewski
On Tuesday 26 of April 2011 04:38:29, Ryan Coleman wrote:
 Also:
 [root@nbserver1 /usr/home/ryanc]# ifconfig
 em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
 	options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
 	ether 00:14:22:15:dc:65
 	inet 192.168.46.2 netmask 0xffffff00 broadcast 192.168.46.255
 	media: Ethernet autoselect (1000baseT <full-duplex>)
 	status: active
 tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
 	options=8<LINKSTATE>
 	ether 00:bd:7e:86:1d:00
 	inet 192.168.47.1 netmask 0xffffff00 broadcast 192.168.47.255
 	Opened by PID 10341
 bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 	ether 46:e1:75:c6:a3:a7
 	inet 192.168.47.254 netmask 0xffffff00 broadcast 192.168.47.255
 	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
 	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
 	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
 	member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
 	        ifmaxaddr 0 port 5 priority 128 path cost 200
 	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
 	        ifmaxaddr 0 port 1 priority 128 path cost 2
 
 On Apr 25, 2011, at 9:36 PM, Ryan Coleman wrote:
  I've got an OpenVPN connection working to my remote server, but I want to
  route the traffic to the local LAN.
  
  I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2)
  from the remote machine.
  
  Server.conf:
...
  server 192.168.47.0 255.255.255.0
From the man openvpn(8):
  Don't use --server if you are ethernet bridging. Use --server-bridge instead.
And additionally, bridging means that you have to divide your local 
subnet (192.168.46.0/24) into two parts. Please have a look at the example at 
[1].

You may not even need bridging if you want to use two /24 subnets. Have you 
tried the standard setup (server) and configuring your default gateway (I 
suspect 192.168.46.1) with the routing information about the OpenVPN subnet 
192.168.47.0/24?


[1] http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

Maciej Milewski
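The routed setup Maciej is pointing at, written out as an added example; it is not Ryan's configuration and not taken from the linked wiki page. It assumes the addresses from the thread: server 192.168.46.2 on LAN 192.168.46.0/24, VPN pool 192.168.47.0/24, DNS 192.168.45.10, and a LAN default gateway at 192.168.46.1 as Maciej suspects. Beyond switching tap/bridge to tun and pushing the LAN route (the posted config pushes the pool 192.168.47.0/24, which clients already have), it adds the settings a security review would ask for: `remote-cert-tls server` on the client, without which any client certificate issued by keys/cacert.pem can impersonate the server; a `tls-auth` key on the control channel; AES instead of the 64-bit-block Blowfish cipher; a 2048-bit DH file instead of dh1024.pem; and no comp-lzo.

```conf
# --- server.conf on the FreeBSD box 192.168.46.2 (added example) ---
local 192.168.46.2
port 1194
proto udp
dev tun                                 # routed: no tap, no bridge0
ca keys/cacert.pem
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem                      # assumed file: openssl dhparam -out keys/dh2048.pem 2048
crl-verify keys/crl.pem
tls-auth keys/ta.key 0                  # assumed file: openvpn --genkey --secret keys/ta.key
server 192.168.47.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.46.0 255.255.255.0" # the LAN behind the server, not the pool
push "dhcp-option DNS 192.168.45.10"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

# --- client.conf ---
client
dev tun
proto udp
remote sub.domain.ltd 1194
nobind
remote-cert-tls server                  # refuse any non-server certificate from the same CA
tls-auth keys/ta.key 1
ca keys/cacert.pem
cert keys/ryanc.crt
key keys/ryanc.key
cipher AES-256-CBC
persist-key
persist-tun
verb 3

# --- FreeBSD side ---
# /etc/rc.conf: forward between tun0 and em0 (sets net.inet.ip.forwarding=1)
#   gateway_enable="YES"
#
# Return path: LAN hosts send replies for 192.168.47.x to their default
# gateway (assumed 192.168.46.1), which must know where that subnet lives.
# On a FreeBSD gateway:
#   route add -net 192.168.47.0/24 192.168.46.2
```

The return route is the part most often missed: without it clients can reach 192.168.46.2 but nothing behind it, because LAN hosts answer toward their default gateway and the reply is sent to the Internet. Reaching 192.168.45.0/24 over the other VPN works the same way, push "route 192.168.45.0 255.255.255.0" to the clients, but only if the router terminating that VPN also carries a return route for 192.168.47.0/24 via 192.168.46.2.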


Re: OpenVPN routing

2011-04-26 Thread Nathan Vidican
On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:

 I've got an OpenVPN connection working to my remote server, but I want to 
 route the traffic to the local LAN.

 I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) 
 from the remote machine.

 Server.conf:
 local 192.168.46.2
 port 1194
 proto udp
 dev tap
 ca keys/cacert.pem
 cert keys/server.crt
 key keys/server.key # This file should be kept secret
 dh keys/dh1024.pem
 # Don't put this in the keys directory unless user nobody can read it
 crl-verify keys/crl.pem
 #Make sure this is your tunnel address pool
 server 192.168.47.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 #This is the route to push to the client, add more if necessary
 #push route 192.168.46.254 255.255.255.0
 push route 192.168.47.0 255.255.255.0
 push dhcp-option DNS 192.168.45.10
 keepalive 10 120
 cipher BF-CBC #Blowfish encryption
 comp-lzo
 #fragment
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 verb 6
 mute 5


 client.conf:
 #Begin client.conf
 client
 dev tap
 proto udp
 remote sub.domain.ltd 1194
 nobind
 user nobody
 group nobody
 persist-key
 persist-tun
 #crl-verify
 #remote-cert-tls server
 ca keys/cacert.pem
 cert keys/ryanc.crt
 key keys/ryanc.key
 cipher BF-CBC
 comp-lzo
 verb 3
 mute 20

 Any ideas?  As I said, I can talk to the remote server, but not the local LAN.

 To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - 
 which we have another VPN connecting the two networks (not running on a VPN I 
 can do much with).


 Thanks,
 Ryan


Do you have packet forwarding (routing /gateway) enabled? An
all-important, yet sometimes forgotten step...
check if:

   sysctl net.inet.ip.forwarding

returns 1 for enabled or not. You can enable it right away by setting
to 1, and/or view the instructions in the handbook for greater detail
including how to set as a startup option as well:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

--
Nathan Vidican
nat...@vidican.com

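Both of the replies above (use server-bridge rather than server when bridging, and check that forwarding is on) can be checked mechanically before touching the box. The script below is an added example, not code from the thread or from OpenVPN: it reads a server.conf and flags the "dev tap" plus "server" combination that openvpn(8) warns about, a missing pushed route for the LAN behind the server, a redundant push of the tunnel pool itself, and a forwarding sysctl left at 0. The two sample configs are constructed and trimmed to the relevant directives; the LAN prefix 192.168.46.0/24 and the forwarding value are passed in as arguments, so it runs on any POSIX sh without a FreeBSD kernel.

```shell
#!/bin/sh
# Preflight checks for an OpenVPN server that should route VPN clients into
# the LAN behind it. Added example, not code from the thread or from OpenVPN.
# Runs offline against constructed configs; no OpenVPN install is needed.

# Constructed sample, trimmed to the directives that matter. It reproduces the
# shape of the posted server.conf: tap device, "server" pool, and a pushed
# route for the tunnel pool itself instead of for the 192.168.46.0/24 LAN.
SAMPLE_CONF='
local 192.168.46.2
port 1194
proto udp
dev tap
server 192.168.47.0 255.255.255.0
push "route 192.168.47.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.10"
'

# Constructed routed variant that the checks accept: tun device, same pool,
# and the LAN route pushed to clients.
FIXED_CONF='
local 192.168.46.2
port 1194
proto udp
dev tun
server 192.168.47.0 255.255.255.0
push "route 192.168.46.0 255.255.255.0"
'

# Strip comments (# or ;) and blank lines from an OpenVPN config on stdin.
conf_directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# check_openvpn_conf LAN_NET LAN_MASK < server.conf
# Prints one FAIL/WARN line per finding; returns 0 only when there is no FAIL.
check_openvpn_conf() {
    lan_net=$1
    lan_mask=$2
    conf=$(conf_directives)
    rc=0

    dev=$(printf '%s\n' "$conf" | awk '$1 == "dev" { print $2; exit }')
    mode=$(printf '%s\n' "$conf" | awk '$1 == "server" || $1 == "server-bridge" { print $1; exit }')
    pool=$(printf '%s\n' "$conf" | awk '$1 == "server" { print $2; exit }')

    case "$dev:$mode" in
        tap*:server)
            echo "FAIL: 'dev tap' with 'server': openvpn(8) says use 'server-bridge' when bridging, or switch to 'dev tun' for plain routing"
            rc=1 ;;
        tun*:server-bridge)
            echo "FAIL: 'dev tun' with 'server-bridge': bridging needs a tap device"
            rc=1 ;;
        :*)
            echo "FAIL: no 'dev' directive"
            rc=1 ;;
        *:)
            echo "FAIL: neither 'server' nor 'server-bridge' present"
            rc=1 ;;
    esac

    # Clients only send LAN traffic into the tunnel if a route for the LAN is
    # pushed (or configured locally); otherwise it goes to their own default gateway.
    if ! printf '%s\n' "$conf" | awk -v net="$lan_net" -v mask="$lan_mask" '
        $1 == "push" { gsub(/"/, ""); if ($2 == "route" && $3 == net && $4 == mask) found = 1 }
        END { exit (found ? 0 : 1) }'; then
        echo "FAIL: no push \"route $lan_net $lan_mask\": clients will send LAN traffic to their own default gateway"
        rc=1
    fi

    # Pushing the pool network itself is redundant: "server" already makes the
    # pool reachable (on-link for tap, a pushed route for tun).
    if [ -n "$pool" ] && printf '%s\n' "$conf" | awk -v net="$pool" '
        $1 == "push" { gsub(/"/, ""); if ($2 == "route" && $3 == net) found = 1 }
        END { exit (found ? 0 : 1) }'; then
        echo "WARN: push \"route $pool ...\" duplicates the tunnel pool route that 'server' already provides"
    fi

    return $rc
}

# check_forwarding VALUE, with VALUE taken from: sysctl -n net.inet.ip.forwarding
# The sysctl is read outside the function so the check also runs where there
# is no FreeBSD kernel to ask.
check_forwarding() {
    case "$1" in
        1) return 0 ;;
        *)
            echo "FAIL: net.inet.ip.forwarding=$1: set it to 1 now and put gateway_enable=\"YES\" in /etc/rc.conf"
            return 1 ;;
    esac
}

# Demonstration run: findings for the constructed sample, then the fixed one.
echo "== sample server.conf =="
printf '%s\n' "$SAMPLE_CONF" | check_openvpn_conf 192.168.46.0 255.255.255.0 || echo "(needs fixing)"
echo "== fixed server.conf =="
printf '%s\n' "$FIXED_CONF" | check_openvpn_conf 192.168.46.0 255.255.255.0 && echo "(clean)"
```

On the server itself, run check_openvpn_conf 192.168.46.0 255.255.255.0 < /usr/local/etc/openvpn/server.conf and check_forwarding "$(sysctl -n net.inet.ip.forwarding)". A clean result from both still leaves the return path to sort out: hosts on 192.168.46.0/24, or at least the 192.168.46.254 default router, need a route for 192.168.47.0/24 via 192.168.46.2, otherwise their replies never reach the tunnel.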

Re: OpenVPN routing

2011-04-26 Thread Ryan Coleman

On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:

 On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
 
 I've got an OpenVPN connection working to my remote server, but I want to 
 route the traffic to the local LAN.
 
 I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) 
 from the remote machine.
 
 Server.conf:
 local 192.168.46.2
 port 1194
 proto udp
 dev tap
 ca keys/cacert.pem
 cert keys/server.crt
 key keys/server.key # This file should be kept secret
 dh keys/dh1024.pem
 # Don't put this in the keys directory unless user nobody can read it
 crl-verify keys/crl.pem
 #Make sure this is your tunnel address pool
 server 192.168.47.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 #This is the route to push to the client, add more if necessary
 #push route 192.168.46.254 255.255.255.0
 push route 192.168.47.0 255.255.255.0
 push dhcp-option DNS 192.168.45.10
 keepalive 10 120
 cipher BF-CBC #Blowfish encryption
 comp-lzo
 #fragment
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 verb 6
 mute 5
 
 
 client.conf:
 #Begin client.conf
 client
 dev tap
 proto udp
 remote sub.domain.ltd 1194
 nobind
 user nobody
 group nobody
 persist-key
 persist-tun
 #crl-verify
 #remote-cert-tls server
 ca keys/cacert.pem
 cert keys/ryanc.crt
 key keys/ryanc.key
 cipher BF-CBC
 comp-lzo
 verb 3
 mute 20
 
 Any ideas?  As I said, I can talk to the remote server, but not the local 
 LAN.
 
 To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - 
 which we have another VPN connecting the two networks (not running on a VPN 
 I can do much with).
 
 
 Do you have packet forwarding (routing /gateway) enabled? An
 all-important, yet sometimes forgotten step...
 check if:
 
   sysctl net.inet.ip.forwarding
 
 returns 1 for enabled or not. You can enable it right away by setting
 to 1, and/or view the instructions in the handbook for greater detail
 including how to set as a startup option as well:
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Yes, it is enabled.

And Maciej, I had server-bridge running before and it wasn't routing ICMP, nor 
anything else.

I have ipnat enabled - as was recommended by one guide - and am routing 
everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed on this 
specific area but that seems like it should be 0/0, right?)

Relevant rc.conf:
defaultrouter=192.168.46.254
hostname=nbserver1.allstatecom.local
ifconfig_em0=inet 192.168.46.2  netmask 255.255.255.0
openvpn_enable=YES
openvpn_configfile=/usr/local/etc/openvpn/server.conf
gateway_enable=YES
ipnat_enable=YES

Thanks again,
Ryan




Re: OpenVPN routing

2011-04-26 Thread Diego Arias
On Tue, Apr 26, 2011 at 8:45 AM, Ryan Coleman ryan.cole...@cwis.biz wrote:


 On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:

  On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman ryan.cole...@cwis.biz
 wrote:
 
  I've got an OpenVPN connection working to my remote server, but I want
 to route the traffic to the local LAN.
 
  I have a bridge set up, pingable... but can't ping the em1
 (192.168.46.2) from the remote machine.
 
  Server.conf:
  local 192.168.46.2
  port 1194
  proto udp
  dev tap
  ca keys/cacert.pem
  cert keys/server.crt
  key keys/server.key # This file should be kept secret
  dh keys/dh1024.pem
  # Don't put this in the keys directory unless user nobody can read it
  crl-verify keys/crl.pem
  #Make sure this is your tunnel address pool
  server 192.168.47.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  #This is the route to push to the client, add more if necessary
  #push route 192.168.46.254 255.255.255.0
  push route 192.168.47.0 255.255.255.0
  push dhcp-option DNS 192.168.45.10
  keepalive 10 120
  cipher BF-CBC #Blowfish encryption
  comp-lzo
  #fragment
  user nobody
  group nobody
  persist-key
  persist-tun
  status openvpn-status.log
  verb 6
  mute 5
 
 
  client.conf:
  #Begin client.conf
  client
  dev tap
  proto udp
  remote sub.domain.ltd 1194
  nobind
  user nobody
  group nobody
  persist-key
  persist-tun
  #crl-verify
  #remote-cert-tls server
  ca keys/cacert.pem
  cert keys/ryanc.crt
  key keys/ryanc.key
  cipher BF-CBC
  comp-lzo
  verb 3
  mute 20
 
  Any ideas?  As I said, I can talk to the remote server, but not the
 local LAN.
 
  To throw a new curveball in the mix, I'd like to talk to
 192.168.45.0/24 - which we have another VPN connecting the two networks
 (not running on a VPN I can do much with).
 
 
  Do you have packet forwarding (routing /gateway) enabled? An
  all-important, yet sometimes forgotten step...
  check if:
 
sysctl net.inet.ip.forwarding
 
  returns 1 for enabled or not. You can enable it right away by setting
  to 1, and/or view the instructions in the handbook for greater detail
  including how to set as a startup option as well:
 
 http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

 Yes, it is enabled.

 And Maciej, I had server-bridge running before and it wasn't routing ICMP,
 nor anything else.

 I have ipnat enabled - as was recommended by one guide - and am routing
 everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed on this
 specific area but that seems like it should be 0/0, right?)

 Relevant rc.conf:
 defaultrouter=192.168.46.254
 hostname=nbserver1.allstatecom.local
 ifconfig_em0=inet 192.168.46.2  netmask 255.255.255.0
 openvpn_enable=YES
 openvpn_configfile=/usr/local/etc/openvpn/server.conf
 gateway_enable=YES
 ipnat_enable=YES

 Thanks again,
 Ryan




If you need to route LAN-to-LAN, just enable client-to-client. It's a
security feature of OpenVPN.

http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

-- 
Still Going Strong!!!


Re: OpenVPN routing

2011-04-26 Thread Maciej Milewski
On Tuesday 26 of April 2011 15:45:22, Ryan Coleman wrote:
 I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) 
from the remote machine.
...
 push route 192.168.47.0 255.255.255.0

Have you tried adding the route to the 192.168.46.0/24 subnet on the vpn client?

You want to ping a host/interface on a different subnet. If you don't set up 
routing to this subnet, how should your client know that it needs to put that 
packet through the tap interface rather than the default route, which I suspect is different? 

Can you show the output of netstat -rn on the vpn client?

You may try to look at tcpdump on the vpn router to find out what is going on with 
your packets. And for a scenario like vpnclient-vpnserver-network you may 
not even need nat; simple routing will be enough as long as you set it up 
right.

My setup is based on tun interfaces and works like a charm. I don't use nat 
and I only added routing info to the specific routers in the internal 
networks.

Maciej Milewski


Re: OpenVPN routing

2011-04-26 Thread Ryan Coleman
On Apr 26, 2011, at 9:53 AM, Maciej Milewski wrote:

 On Tuesday 26 of April 2011 15:45:22, Ryan Coleman wrote:
 I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) 
 from the remote machine.
 ...
 push route 192.168.47.0 255.255.255.0
 
 Have you tried adding the route to the 192.168.46.0/24 subnet on the vpn client?
 
 You want to ping a host/interface on a different subnet. If you don't set up 
 routing to this subnet, how should your client know that it needs to put that 
 packet through the tap interface rather than the default route, which I suspect is different? 
 
 Can you show the output of netstat -rn on the vpn client?
 
 You may try to look at tcpdump on the vpn router to find out what is going on with 
 your packets. And for a scenario like vpnclient-vpnserver-network you may 
 not even need nat; simple routing will be enough as long as you set it up 
 right.
 
 My setup is based on tun interfaces and works like a charm. I don't use nat 
 and I only added routing info to the specific routers in the internal 
 networks.
 
 Maciej Milewski

I'm going to have to get this information when I get home and am not on the 
office LAN. I can do ping tests specifically through the tap0 interface but not 
check the netstat report properly from inside the network.

--
Ryan




Re: OpenVPN routing

2011-04-26 Thread Ryan Coleman

On Apr 26, 2011, at 3:50 PM, Ryan Coleman wrote:

 On Apr 26, 2011, at 9:53 AM, Maciej Milewski wrote:
 
 On Tuesday 26 of April 2011 15:45:22, Ryan Coleman wrote:
 I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) 
 from the remote machine.
 ...
 push route 192.168.47.0 255.255.255.0
 
 Have you tried adding the route to the 192.168.46.0/24 subnet on the vpn 
 client?
 
 You want to ping a host/interface on a different subnet. If you don't set up 
 routing to this subnet, how should your client know that it needs to put that 
 packet through the tap interface rather than the default route, which I suspect is different? 
 
 Can you show the output of netstat -rn on the vpn client?
 
 You may try to look at tcpdump on the vpn router to find out what is going on 
 with your packets. And for a scenario like vpnclient-vpnserver-network you 
 may not even need nat; simple routing will be enough as long as you set it 
 up right.
 
 My setup is based on tun interfaces and works like a charm. I don't use nat 
 and I only added routing info to the specific routers in the internal 
 networks.
 
 Maciej Milewski
 
 I'm going to have to get this information when I get home and am not on the 
 office LAN. I can do ping tests specifically through the tap0 interface but 
 not check the netstat report properly from inside the network.
Maciej,

Here you go: 

Ryan-Colemans-MacBook-Pro:~ ryanjcole$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default10.0.1.1   UGSc   610 en1
10.0.1/24  link#5 UCS 30 en1
10.0.1.1   0:23:12:f7:37:cc   UHLWI  89 1268 en1   1142
10.0.1.2   0:14:d1:1f:79:1b   UHLWI   0  837 en1183
10.0.1.198 127.0.0.1  UHS 00 lo0
10.0.1.255 ff:ff:ff:ff:ff:ff  UHLWbI  06 en1
127127.0.0.1  UCS 00 lo0
127.0.0.1  127.0.0.1  UH  2   75 lo0
169.254link#5 UCS 00 en1
172.16.87/24   link#7 UC  10  vmnet1
172.16.87.255  ff:ff:ff:ff:ff:ff  UHLWbI  03  vmnet1
192.168.46 192.168.47.2   UGSc00tap0
192.168.47 link#10UC  10tap0
192.168.47.2   link#10UHLWI   10tap0

Internet6:
Destination                             Gateway                         Flags   Netif Expire
::1                                     ::1                             UH      lo0
fe80::%lo0/64                           fe80::1%lo0                     Uc      lo0
fe80::1%lo0                             link#1                          UHL     lo0
fe80::%en1/64                           link#5                          UC      en1
fe80::224:36ff:fea1:1d68%en1            0:24:36:a1:1d:68                UHLW    en1
fe80::9227:e4ff:fef8:b2fb%en1           90:27:e4:f8:b2:fb               UHL     lo0
ff01::/32                               ::1                             Um      lo0
ff02::/32                               ::1                             UmC     lo0
ff02::/32                               link#5                          UmC     en1

Ryan-Colemans-MacBook-Pro:~ ryanjcole$ ping 192.168.46.2
PING 192.168.46.2 (192.168.46.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2


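The table above already answers the client-side question from the previous reply: 192.168.46/24 is reached via 192.168.47.2 on tap0, so the client is sending the echo request into the tunnel. The script below is an added example, not from the thread, that performs the same longest-prefix-match lookup the kernel does, over saved netstat -rn output; the embedded table is a constructed copy of the IPv4 section posted above with the Refs/Use columns dropped. It handles the BSD shorthand in the Destination column (127 is 127/8, 169.254 is 169.254/16, 192.168.46 is 192.168.46/24, and a bare four-octet address is a host route) and takes column positions from the header line, so live output with all columns works unchanged.

```shell
#!/bin/sh
# Longest-prefix-match lookup over the IPv4 section of "netstat -rn" output,
# the way the kernel picks a route. Added example, not code from the thread.
# It answers "which route and interface will this destination use" from a
# saved routing table.

# Constructed copy of the client table posted above, trimmed to the columns
# the lookup uses (Refs/Use dropped). Real "netstat -rn" output works
# unchanged, because column positions are taken from the header line.
ROUTES='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.0.1.1           UGSc         en1
10.0.1/24          link#5             UCS          en1
10.0.1.1           0:23:12:f7:37:cc   UHLWI        en1    1142
10.0.1.198         127.0.0.1          UHS          lo0
127                127.0.0.1          UCS          lo0
127.0.0.1          127.0.0.1          UH           lo0
169.254            link#5             UCS          en1
172.16.87/24       link#7             UC           vmnet1
192.168.46         192.168.47.2       UGSc         tap0
192.168.47         link#10            UC           tap0
192.168.47.2       link#10            UHLWI        tap0'

# route_lookup ADDR < netstat-rn-output
# Prints "destination gateway netif" of the most specific matching IPv4 route,
# or "no route" with exit status 1.
route_lookup() {
    awk -v target="$1" '
    function ip2n(a,  q) {            # dotted quad -> 32-bit number
        split(a, q, ".")
        return ((q[1] * 256 + q[2]) * 256 + q[3]) * 256 + q[4]
    }
    function in_prefix(a, n, l) {     # does address a fall inside n/l ?
        if (l == 0) return 1
        return int(ip2n(a) / 2 ^ (32 - l)) == int(ip2n(n) / 2 ^ (32 - l))
    }
    BEGIN { best = -1 }
    /^Internet6:/ { exit }            # IPv6 section is out of scope here
    /^Destination/ {                  # learn column positions from the header
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    col["Destination"] == 0 || NF < col["Netif"] { next }
    {
        dst = $(col["Destination"])
        if (dst == "default") { net = "0.0.0.0"; len = 0 }
        else {
            len = -1
            if (dst ~ /\//) { split(dst, p, "/"); dst = p[1]; len = p[2] + 0 }
            n = split(dst, o, ".")
            # BSD abbreviations: 127 -> /8, 169.254 -> /16, 192.168.46 -> /24;
            # four octets without a /len is a host route
            if (len < 0) len = (n == 4) ? 32 : 8 * n
            while (n < 4) o[++n] = 0
            net = o[1] "." o[2] "." o[3] "." o[4]
        }
        if (len > best && in_prefix(target, net, len)) {
            best = len; bestdst = $(col["Destination"])
            gw = $(col["Gateway"]); ifn = $(col["Netif"])
        }
    }
    END {
        if (best < 0) { print "no route"; exit 1 }
        print bestdst, gw, ifn
    }'
}

# Demonstration: the LAN address the thread could not reach, the VPN peer,
# and an outside host.
for a in 192.168.46.2 192.168.47.2 8.8.8.8; do
    printf '%-14s -> ' "$a"
    printf '%s\n' "$ROUTES" | route_lookup "$a"
done
```

Pipe live output in with netstat -rn | route_lookup 192.168.46.2. When the client-side route checks out, as it does here, the next place to look is the server: tcpdump on tap0 and on em0 shows whether the request arrives there at all and whether any reply leaves.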

Re: OpenVPN routing

2011-04-26 Thread Ryan Coleman

On Apr 26, 2011, at 9:07 AM, Diego Arias wrote:

 
 If you need to route LAN-to-LAN, just enable client-to-client. It's a 
 security feature of OpenVPN.
 
 http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
 

I've done that and it had no effect :-\


Re: routing to a directly attached subnet without an address in this subnet

2011-04-25 Thread Lionel Fourquaux

On Sun, Apr 24, 2011 at 08:50:53PM -0400, David Scheidt wrote:

On Apr 24, 2011, at 4:29 PM, Lionel Fourquaux wrote:

em0 has addresses fe80::1234:56ff:fe78:9abc and 2001:db8::1
em1 has address fe80::1234:56ff:fe78:9abd
Network 2001:db8::/64 is directly attached to em0, and network 
2001:db8:0:1::/64 is directly attached to em1. The default route points to em0. 
I would like to route packets addressed to 2001:db8:0:1::/64 to interface em1, 
without allocating an address in 2001:db8:0:1::/64 for em1. (Or to understand 
why this would be impossible).



Why do you want to do this?


Because I think it would look better that way.


 How do you expect the hosts on the attached networks to get packets to you?


They are already using fe80::1234:56ff:fe78:9abd as default gateway, so 
this is not a problem.



Re: routing to a directly attached subnet without an address in this subnet

2011-04-25 Thread Lionel Fourquaux

On Sun, Apr 24, 2011 at 06:43:11PM -0500, Robert Bonomi wrote:

Sorry, it _is_ impossible.


:(


simply put, to communicate _on_ a network, you have to be *ON* that
network, i.e., 'have an address in that network's address-space'.


I don't quite see why this would be required, as long as packets are 
routed as they should.



It is perfectly legitimate for two (or more) separate networks to share
the same physical media.


Yes.


*ONLY* the address of the device distinguishes which network the trafic
goes to/from.


But this is the destination address on packets. The point here is, why 
would the router need an address that is never used as source or 
destination?



I can't see any strong reason for requiring that em1 have
an address for every directly attached subnet packets are routed
to.


Think about how 'reply' packets have to be routed by other machines
on that subnet.


Packets from other machines are routed to fe80::1234:56ff:fe78:9abd 
(link local address of the router), so this part is fine.


Thanks!



Re: routing to a directly attached subnet without an address in this subnet

2011-04-25 Thread Lionel Fourquaux

On Mon, Apr 25, 2011 at 10:17:40PM +1000, Daniel Marsh wrote:

What you need to verify is the default routes on the client hosts. It's very
likely your packets and your initial route add commands on your dual host
machine are correct, yet the return route on the other clients are
incorrect.


I have checked that. Actually, I can ping the router from the clients. 
What does not work is initiating a packet exchange from the router's side.


Short reminder:
 em0 has addresses fe80::1234:56ff:fe78:9abc and 2001:db8::1
 em1 has address fe80::1234:56ff:fe78:9abd
 default route is to em0
 2001:db8:0:1::/64 is router to em1 
  (route add -inet6 2001:db8:0:1::/64 -iface em1)
 clients connected to em1 have addresses in 2001:db8:0:1::/64 and default 
  route to fe80::1234:56ff:fe78:9abd


If I reboot the router, then try to ping a client in 2001:db8:0:1::/64, 
directly connected to em1, ping6 fails with sendmsg: Operation not 
permitted. tcpdump does not show anything being sent to this client. The 
client's MAC does not show up in ndp -a.


If I ping the router from the client, I get answers. The client's MAC 
show up in the NDP table, and I can ping the client from the router as 
long as it is still listed in the NDP table. If I clear the table with 
ndp -c, I can't ping from the router any more. If I reboot and add 
a static entry for the client in the NDP table, I can ping this client.


All this seems to point to NDP as the root of the problem: it looks like 
it is not aware of the addition of 2001:db8:0:1::/64 to the routing 
table. I do not see any way to give the missing information to NDP 
other than adding an address to em1. (Adding static entries for all the 
clients would not be manageable in the long run).


Google seems to turn up some mentions of cloning routes that look like 
a way to solve this (I'm not quite sure), but this was apparently 
removed in a recent reimplementation of ARP+NDP (arp-v2). Maybe some 
functionality was lost in the process, but I don't know about this.




OpenVPN routing

2011-04-25 Thread Ryan Coleman
I've got an OpenVPN connection working to my remote server, but I want to route 
the traffic to the local LAN.

I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from 
the remote machine.

Server.conf:
local 192.168.46.2
port 1194
proto udp
dev tap
ca keys/cacert.pem
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh1024.pem
# Don't put this in the keys directory unless user nobody can read it
crl-verify keys/crl.pem
#Make sure this is your tunnel address pool
server 192.168.47.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#This is the route to push to the client, add more if necessary
#push route 192.168.46.254 255.255.255.0
push route 192.168.47.0 255.255.255.0
push dhcp-option DNS 192.168.45.10
keepalive 10 120
cipher BF-CBC #Blowfish encryption
comp-lzo
#fragment
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 5


client.conf: 
#Begin client.conf
client
dev tap
proto udp
remote sub.domain.ltd 1194
nobind
user nobody
group nobody
persist-key
persist-tun
#crl-verify
#remote-cert-tls server
ca keys/cacert.pem
cert keys/ryanc.crt
key keys/ryanc.key
cipher BF-CBC
comp-lzo
verb 3
mute 20

Any ideas?  As I said, I can talk to the remote server, but not the local LAN.

To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - 
which we have another VPN connecting the two networks (not running on a VPN I 
can do much with).


Thanks,
Ryan


Re: OpenVPN routing

2011-04-25 Thread Ryan Coleman
Also:
[root@nbserver1 /usr/home/ryanc]# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:14:22:15:dc:65
inet 192.168.46.2 netmask 0xffffff00 broadcast 192.168.46.255
media: Ethernet autoselect (1000baseT full-duplex)
status: active
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<LINKSTATE>
ether 00:bd:7e:86:1d:00
inet 192.168.47.1 netmask 0xffffff00 broadcast 192.168.47.255
Opened by PID 10341
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 46:e1:75:c6:a3:a7
inet 192.168.47.254 netmask 0xffffff00 broadcast 192.168.47.255
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 200
member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 2


On Apr 25, 2011, at 9:36 PM, Ryan Coleman wrote:

 I've got an OpenVPN connection working to my remote server, but I want to 
 route the traffic to the local LAN.
 
 I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) 
 from the remote machine.
 
 Server.conf:
 local 192.168.46.2
 port 1194
 proto udp
 dev tap
 ca keys/cacert.pem
 cert keys/server.crt
 key keys/server.key # This file should be kept secret
 dh keys/dh1024.pem
 # Don't put this in the keys directory unless user nobody can read it
 crl-verify keys/crl.pem
 #Make sure this is your tunnel address pool
 server 192.168.47.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 #This is the route to push to the client, add more if necessary
 #push route 192.168.46.254 255.255.255.0
 push route 192.168.47.0 255.255.255.0
 push dhcp-option DNS 192.168.45.10
 keepalive 10 120
 cipher BF-CBC #Blowfish encryption
 comp-lzo
 #fragment
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 verb 6
 mute 5
 
 
 client.conf: 
 #Begin client.conf
 client
 dev tap
 proto udp
 remote sub.domain.ltd 1194
 nobind
 user nobody
 group nobody
 persist-key
 persist-tun
 #crl-verify
 #remote-cert-tls server
 ca keys/cacert.pem
 cert keys/ryanc.crt
 key keys/ryanc.key
 cipher BF-CBC
 comp-lzo
 verb 3
 mute 20
 
 Any ideas?  As I said, I can talk to the remote server, but not the local LAN.
 
 To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - 
 which we have another VPN connecting the two networks (not running on a VPN I 
 can do much with).
 
 
 Thanks,
 Ryan



routing to a directly attached subnet without an address in this subnet

2011-04-24 Thread Lionel Fourquaux

Dear FreeBSD users,

Consider an IPv6 router with two interfaces, e.g. em0 and em1.
 em0 has addresses fe80::1234:56ff:fe78:9abc and 2001:db8::1
 em1 has address fe80::1234:56ff:fe78:9abd
Network 2001:db8::/64 is directly attached to em0, and network 
2001:db8:0:1::/64 is directly attached to em1. The default 
route points to em0. I would like to route packets addressed 
to 2001:db8:0:1::/64 to interface em1, without allocating an 
address in 2001:db8:0:1::/64 for em1. (Or to understand why this 
would be impossible).


I have tried to add a route using:
 route add -ipv6 2001:db8:0:1::/64 -iface em1
(and several variations), but this fails (route returns 
successfully, but I can't ping anything on 2001:db8:0:1::/64). 
On the other hand, if I give address 2001:db8:0:1::1/64 to em1, 
ping6 works and packets are routed successfully. I guess that 
the difference is that the OS can't figure out which interface 
to use for NDP in the first case. However, ndp(8) can create 
static entries in the NDP table for individual hosts but not 
whole subnets.


I can't see any strong reason for requiring that em1 have 
an address for every directly attached subnet packets are routed 
to. The router already has a valid routable address on em0 
which can be used as source address for ICMP, and it has an 
address on em1 (the link local one) which can be used for 
NDP and routing. So:

 1. Is there a way to set up the router the way I want it?
 2. If not, why is it not possible?

I can mark the additional addresses on em1 as deprecated, possibly 
even firewall out anything going to these addresses. From the outside, 
the router would behave exactly the way I want. However, this 
does not seem as nice as such a simple setup should be.


This is on FreeBSD 8.2 (i386), GENERIC kernel. I have slightly 
simplified the description but all the relevant parts should be here.


Anticipated thanks for your answers, and best regards.

-- Lionel Fourquaux



Re: routing to a directly attached subnet without an address in this subnet

2011-04-24 Thread David Scheidt

On Apr 24, 2011, at 4:29 PM, Lionel Fourquaux wrote:

 Dear FreeBSD users,
 
 Consider an IPv6 router with two interfaces, e.g. em0 and em1.
 em0 has addresses fe80::1234:56ff:fe78:9abc and 2001:db8::1
 em1 has address fe80::1234:56ff:fe78:9abd
 Network 2001:db8::/64 is directly attached to em0, and network 
 2001:db8:0:1::/64 is directly attached to em1. The default route points to 
 em0. I would like to route packets addressed to 2001:db8:0:1::/64 to 
 interface em1, without allocating an address in 2001:db8:0:1::/64 for em1. 
 (Or to understand why this would be impossible).
 

Why do you want to do this?  How do you expect the hosts on the attached 
networks to get packets to you?  



Marble and routing

2011-04-08 Thread Steven Friedrich
I'm in the U.S., so I believe that my only valid choice is OpenRoute service.

Does it require any subscription payment, or is it available free?

-- 
System Name: doris.StevenFriedrich.org
Window Manager(s):   kde4-4.6.2 
X Window System: xorg-7.5.1X.Org X Server 1.7.7
OS version:  FreeBSD 8.2-RELEASE i386 (5.9 MB kernel)
Platform:HP pavilion zd8000 (zd8215us)
CPU: 2.40GHz Intel Pentium 4 with 511 MB memory

FreeBSD Audio Driver (newpcm: 32bit 2009061500/i386)
Installed devices:
pcm0: CMedia CMI8738 (play/rec) default


Re: Marble and routing

2011-04-08 Thread Robert Bonomi
 From owner-freebsd-questi...@freebsd.org  Fri Apr  8 18:19:15 2011
 From: Steven Friedrich free...@insightbb.com
 To: freebsd-questions@freebsd.org
 Date: Fri, 8 Apr 2011 19:18:25 -0400
 Subject: Marble and routing

 I'm in the U.S., so I believe that my only valid choice is OpenRoute service.

 Does it require any subscription payment, or is it available free?

Google is your friend.  Search string "marble routing" (oddly enough).

What I got as the 4th link
   http://nienhueser.de/blog/?p=137
seems very relevant to your question.

To quote Sgt. Schultz, "I know nothing" about KDE, marble, or the openroute 
service.




Re: Tuning routing table size in FreeBSD 8.0 and 7.2

2011-02-25 Thread Valentin Bud
On Thu, Feb 24, 2011 at 9:37 PM, nikitha sumi.tec...@gmail.com wrote:

 Thank you all, for your timely reply..
 To answer Niko's question: Just i'm doing some performance/stress testing
 of
 a freebsd router.. :-)

 -Sumi

 On Thu, Feb 24, 2011 at 10:11 PM, Nikos Vassiliadis nv...@gmx.com wrote:

  On 2/24/2011 4:51 PM, Damien Fleuriot wrote:
 
  On 2/24/11 3:00 PM, nikitha wrote:
 
  Hi,
  Could you plz share the information on the maximum number of routes
 that
  can
  be added (by default) in FREEBSD 8.0/7.2 kernel?
  In Linux the sysctl rt_max_size is used. Is there a similar tunable
  parameter in freeBSD?
 
  [snip]
 
 
  I could not find a sysctl that matched what you're looking for.
 
  AFAIK, the routing table is limited only by the amount of RAM you can
  allocate to it.
 
 
  Yes. You can use vmstat -z | grep rtentry to examine it.
  It seems trivial to add a limit there(without having thought of
  multiple routing tables and vnet).
 
  Out of curiosity, why would you want such a limit?
 
 


Hello Sumi,

 What tools do you use to perform the tests?

thanks,
v
-- 
network warrior

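For the stress test described above, the "vmstat -z | grep rtentry" check suggested in the thread can be turned into something a loop can watch. The script below is an added example, not from the thread. It assumes the vmstat -z row layout "NAME: SIZE, LIMIT, USED, FREE, REQUESTS, FAILURES" (later releases append a SLEEP column, which the parser ignores), and the sample output it parses is constructed with made-up numbers. Bytes in use are SIZE times USED; a non-zero FAILURES column is the signal that allocations for new routes are being refused, which is the closest thing FreeBSD has to hitting a route limit.

```shell
#!/bin/sh
# Summarize one UMA zone (here rtentry) from "vmstat -z" output.
# Added example, not code from the thread. Assumes rows shaped like
#   NAME: SIZE, LIMIT, USED, FREE, REQUESTS, FAILURES[, SLEEP]

# Constructed sample in that layout; the numbers are made up.
SAMPLE_VMSTAT='ITEM                     SIZE     LIMIT      USED      FREE  REQUESTS  FAILURES

UMA Kegs:                 208,        0,        94,         2,        94,        0
rtentry:                  192,        0,    120034,       878,    121400,        0
ripcb:                    232,    25608,         2,        46,        18,        0'

# zone_stats NAME < vmstat-z-output
# Prints "used free bytes_in_use failures" for the named zone; exit 1 if absent.
zone_stats() {
    awk -v zone="$1" -F: '
        $1 == zone {
            n = split($2, v, ",")
            for (i = 1; i <= n; i++) gsub(/[ \t]/, "", v[i])
            # v[1]=SIZE v[2]=LIMIT v[3]=USED v[4]=FREE v[5]=REQUESTS v[6]=FAILURES
            print v[3], v[4], v[1] * v[3], v[6]
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# zone_ok NAME < vmstat-z-output
# Succeeds unless the zone is missing or has reported allocation failures.
zone_ok() {
    set -- $(zone_stats "$1")
    [ "$#" -eq 4 ] && [ "$4" -eq 0 ]
}

# Demonstration on the constructed sample.
printf 'rtentry: used free bytes failures -> '
printf '%s\n' "$SAMPLE_VMSTAT" | zone_stats rtentry
```

On the router under test: while :; do vmstat -z | zone_stats rtentry; sleep 5; done, and stop the run as soon as the last column moves away from 0.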

Tuning routing table size in FreeBSD 8.0 and 7.2

2011-02-24 Thread nikitha
Hi,
Could you plz share the information on the maximum number of routes that can
be added (by default) in FREEBSD 8.0/7.2 kernel?
In Linux the sysctl rt_max_size is used. Is there a similar tunable
parameter in freeBSD?

Your earliest reply in this regard is much appreciated.

Thanks for any inputs..

-Sumi


Re: Tuning routing table size in FreeBSD 8.0 and 7.2

2011-02-24 Thread Damien Fleuriot
On 2/24/11 3:00 PM, nikitha wrote:
 Hi,
 Could you plz share the information on the maximum number of routes that can
 be added (by default) in FREEBSD 8.0/7.2 kernel?
 In Linux the sysctl rt_max_size is used. Is there a similar tunable
 parameter in freeBSD?
 
 Your earliest reply in this regard is much appreciated.
 
 Thanks for any inputs..
 
 -Sumi


I could not find a sysctl that matched what you're looking for.

AFAIK, the routing table is limited only by the amount of RAM you can
allocate to it.


RE: Tuning routing table size in FreeBSD 8.0 and 7.2

2011-02-24 Thread Gary Gatten
sysctl -a lists all options.  This MAY be what you want:

net.inet.ip.rtmaxcache
 - Upper limit on dynamically learned routes

http://people.freebsd.org/~hmp/utilities/satbl/sysctl-net.html


HTH

Gary
-Original Message-
From: owner-freebsd-questi...@freebsd.org 
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of nikitha
Sent: Thursday, February 24, 2011 8:01 AM
To: freebsd-questions@freebsd.org
Subject: Tuning routing table size in FreeBSD 8.0 and 7.2

Hi,
Could you please share the information on the maximum number of routes that can
be added (by default) in the FreeBSD 8.0/7.2 kernel?
In Linux the sysctl rt_max_size is used. Is there a similar tunable
parameter in FreeBSD?

Your earliest reply in this regard is much appreciated.

Thanks for any inputs..

-Sumi







Re: Tuning routing table size in FreeBSD 8.0 and 7.2

2011-02-24 Thread Nikos Vassiliadis

On 2/24/2011 4:51 PM, Damien Fleuriot wrote:

On 2/24/11 3:00 PM, nikitha wrote:

Hi,
Could you please share the information on the maximum number of routes that can
be added (by default) in the FreeBSD 8.0/7.2 kernel?
In Linux the sysctl rt_max_size is used. Is there a similar tunable
parameter in FreeBSD?

[snip]


I could not find a sysctl that matched what you're looking for.

AFAIK, the routing table is limited only by the amount of RAM you can
allocate to it.


Yes. You can use vmstat -z | grep rtentry to examine it.
It seems trivial to add a limit there (without having thought of
multiple routing tables and vnet).

Out of curiosity, why would you want such a limit?



Re: Tuning routing table size in FreeBSD 8.0 and 7.2

2011-02-24 Thread nikitha
Thank you all for your timely reply..
To answer Niko's question: I'm just doing some performance/stress testing of
a FreeBSD router.. :-)

-Sumi

On Thu, Feb 24, 2011 at 10:11 PM, Nikos Vassiliadis nv...@gmx.com wrote:

 On 2/24/2011 4:51 PM, Damien Fleuriot wrote:

 On 2/24/11 3:00 PM, nikitha wrote:

 Hi,
 Could you please share the information on the maximum number of routes that can
 be added (by default) in the FreeBSD 8.0/7.2 kernel?
 In Linux the sysctl rt_max_size is used. Is there a similar tunable
 parameter in FreeBSD?

 [snip]


 I could not find a sysctl that matched what you're looking for.

 AFAIK, the routing table is limited only by the amount of RAM you can
 allocate to it.


 Yes. You can use vmstat -z | grep rtentry to examine it.
 It seems trivial to add a limit there (without having thought of
 multiple routing tables and vnet).

 Out of curiosity, why would you want such a limit?


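A small monitor for the check Nikos points at (the rtentry zone in vmstat -z), written for this page as an added example and not code from the thread. It assumes the zone is named rtentry as in the thread; the vmstat output embedded below is constructed and laid out like the 8.x columns, and a local route budget stands in for the kernel limit the thread says does not exist.

```python
"""Watch the rtentry UMA zone in `vmstat -z` output (FreeBSD).

Added example for the "Tuning routing table size" thread; not code from
the list posts. Column names are read from the header line, so the later
vmstat -z layout (REQ/FAIL/SLEEP) parses the same way as the 8.x one.
"""
import platform
import re
import subprocess

# Constructed sample laid out like FreeBSD 8.x `vmstat -z`; the numbers
# are invented for illustration.
SAMPLE_VMSTAT_Z = """\
ITEM                     SIZE     LIMIT      USED      FREE  REQUESTS  FAILURES

UMA Kegs:                 208,        0,       93,       11,       93,        0
mbuf:                     256,        0,     1024,      512,   400000,        0
rtentry:                  200,        0,    12500,      150,    13000,        3
radix_node_head:          120,        0,        5,       15,        5,        0
"""

# "zone name:" followed by comma-separated integers
ROW_RE = re.compile(r"^(?P<name>[^:]+):\s+(?P<values>[\d,\s]+)$")


def parse_vmstat_z(text):
    """Return {zone name: {column name (lower case): int}} for every data row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split()[:1] != ["ITEM"]:
        raise ValueError("not vmstat -z output: ITEM header missing")
    columns = [c.lower() for c in lines[0].split()[1:]]
    zones = {}
    for line in lines[1:]:
        m = ROW_RE.match(line)
        if not m:
            continue
        values = [int(v) for v in m.group("values").replace(",", " ").split()]
        if len(values) != len(columns):
            continue  # malformed row: skipping beats mis-assigning columns
        zones[m.group("name").strip()] = dict(zip(columns, values))
    return zones


def rtentry_usage(text):
    """(entries in use, bytes in use, allocation failures) for the rtentry zone."""
    zone = parse_vmstat_z(text)["rtentry"]
    failures = zone.get("failures", zone.get("fail", 0))
    return zone["used"], zone["used"] * zone["size"], failures


def check_rtentry(text, max_entries):
    """Findings for a monitoring check.

    max_entries is the operator's own budget (there is no kernel tunable
    for it, per the thread). Any failed allocation means the zone could
    not grow when the kernel needed a route entry.
    """
    used, nbytes, failures = rtentry_usage(text)
    findings = []
    if used > max_entries:
        findings.append(f"rtentry: {used} routes ({nbytes} bytes) exceed budget {max_entries}")
    if failures:
        findings.append(f"rtentry: {failures} allocation failures")
    return findings


if __name__ == "__main__":
    text = SAMPLE_VMSTAT_Z
    if platform.system() == "FreeBSD":  # live data only where vmstat -z exists
        text = subprocess.run(["vmstat", "-z"], capture_output=True,
                              text=True, check=True).stdout
    for finding in check_rtentry(text, 10000) or ["rtentry: within budget"]:
        print(finding)
```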


Re: Routing issue?

2010-11-12 Thread Wojciech Puchar

ff02::%lo0/32 fe80::1%lo0   U   lo0

ifconfig_em0=inet 70.89.123.5  netmask 255.255.255.248
ifconfig_em1=inet 70.89.123.4 netmask 255.255.255.248
defaultrouter=70.89.123.6
hostname=se**.somehtingelse.biz


I tried to add the gateway for link2 but it's not taking since it already 
exists, and I've run multiple IP'd servers before without issue.

 I'm really lost.

you can't have 2 gateways.

but you may configure the ipfw firewall and use its fwd function to define 
exactly what is routed through what, whatever your wish is.


not that long ago i had 7 links to my server doing ISP business, as there 
was no way to get a single large link at that place.


no problems


Re: Routing issue?

2010-11-12 Thread Ryan Coleman
As mentioned before, this is already solved.


On Nov 12, 2010, at 3:08 AM, Wojciech Puchar wrote:

 ff02::%lo0/32 fe80::1%lo0   U   
 lo0
 
 ifconfig_em0=inet 70.89.123.5  netmask 255.255.255.248
 ifconfig_em1=inet 70.89.123.4 netmask 255.255.255.248
 defaultrouter=70.89.123.6
 hostname=se**.somehtingelse.biz
 
 
 I tried to add the gateway for link2 but it's not taking since it already 
 exists, and I've run multiple IP'd servers before without issue.
 
 I'm really lost.
 you can't have 2 gateways.
 
 but you may configure the ipfw firewall and use its fwd function to define 
 exactly what is routed through what, whatever your wish is.
 
 not that long ago i had 7 links to my server doing ISP business, as there was 
 no way to get a single large link at that place.
 
 no problems


Routing issue?

2010-11-11 Thread Ryan Coleman
I'm trying to get the other half of my business up on my second IP.

It's not routing. This is not a multi-homed system, but two IPs in the same 
subnet.


[r...@server /usr/home/ryan]# netstat -nr 
Routing tables

Internet:
DestinationGatewayFlagsRefs  Use  Netif Expire
default70.89.123.6UGS 7 1090em0
70.89.123.0/29 link#1 U   2  837em0
70.89.123.4link#2 UHS 0   25lo0
70.89.123.5link#1 UHS 00lo0
127.0.0.1  link#5 UH  0  863lo0

Internet6:
Destination   Gateway   Flags  
Netif Expire
::1   ::1   UH  lo0
fe80::%lo0/64 link#5U   lo0
fe80::1%lo0   link#5UHS lo0
ff01:5::/32   fe80::1%lo0   U   lo0
ff02::%lo0/32 fe80::1%lo0   U   lo0

ifconfig_em0=inet 70.89.123.5  netmask 255.255.255.248
ifconfig_em1=inet 70.89.123.4 netmask 255.255.255.248
defaultrouter=70.89.123.6
hostname=se**.somehtingelse.biz


I tried to add the gateway for link2 but it's not taking since it already 
exists, and I've run multiple IP'd servers before without issue.

I'm really lost.


Re: Routing issue?

2010-11-11 Thread Gary Gatten
What exactly isn't working? You don't have two L3 nets, but two IPs on the same 
net - nothing to route, except the default.

- Original Message -
From: owner-freebsd-questi...@freebsd.org owner-freebsd-questi...@freebsd.org
To: Free BSD Questions list freebsd-questions@freebsd.org
Sent: Thu Nov 11 21:41:40 2010
Subject: Routing issue?

I'm trying to get the other half of my business up on my second IP.

It's not routing. This is not a multi-homed system, but two IPs in the same 
subnet.


[r...@server /usr/home/ryan]# netstat -nr 
Routing tables

Internet:
DestinationGatewayFlagsRefs  Use  Netif Expire
default70.89.123.6UGS 7 1090em0
70.89.123.0/29 link#1 U   2  837em0
70.89.123.4link#2 UHS 0   25lo0
70.89.123.5link#1 UHS 00lo0
127.0.0.1  link#5 UH  0  863lo0

Internet6:
Destination   Gateway   Flags  
Netif Expire
::1   ::1   UH  lo0
fe80::%lo0/64 link#5U   lo0
fe80::1%lo0   link#5UHS lo0
ff01:5::/32   fe80::1%lo0   U   lo0
ff02::%lo0/32 fe80::1%lo0   U   lo0

ifconfig_em0=inet 70.89.123.5  netmask 255.255.255.248
ifconfig_em1=inet 70.89.123.4 netmask 255.255.255.248
defaultrouter=70.89.123.6
hostname=se**.somehtingelse.biz


I tried to add the gateway for link2 but it's not taking since it already 
exists, and I've run multiple IP'd servers before without issue.

I'm really lost.






{Solved} Re: Routing issue?

2010-11-11 Thread Ryan Coleman
It didn't work until I bridged the connections.

[r...@server /usr/home/ryan]# ifconfig bridge create
bridge0
[r...@server /usr/home/ryan]# ifconfig bridge0
bridge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 0a:df:a2:b3:3e:96
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
[r...@server /usr/home/ryan]# ifconfig bridge0 addm em0 addm em1 up


On Nov 11, 2010, at 10:00 PM, Gary Gatten wrote:

 What exactly isn't working? You don't have two L3 nets, but two IPs on the 
 same net - nothing to route, except the default.
 
 - Original Message -
 From: owner-freebsd-questi...@freebsd.org 
 owner-freebsd-questi...@freebsd.org
 To: Free BSD Questions list freebsd-questions@freebsd.org
 Sent: Thu Nov 11 21:41:40 2010
 Subject: Routing issue?
 
 I'm trying to get the other half of my business up on my second IP.
 
 It's not routing. This is not a multi-homed system, but two IPs in the same 
 subnet.
 
 
 [r...@server /usr/home/ryan]# netstat -nr 
 Routing tables
 
 Internet:
 DestinationGatewayFlagsRefs  Use  Netif Expire
 default70.89.123.6UGS 7 1090em0
 70.89.123.0/29 link#1 U   2  837em0
 70.89.123.4link#2 UHS 0   25lo0
 70.89.123.5link#1 UHS 00lo0
 127.0.0.1  link#5 UH  0  863lo0
 
 Internet6:
 Destination   Gateway   Flags  
 Netif Expire
 ::1   ::1   UH  
 lo0
 fe80::%lo0/64 link#5U   
 lo0
 fe80::1%lo0   link#5UHS 
 lo0
 ff01:5::/32   fe80::1%lo0   U   
 lo0
 ff02::%lo0/32 fe80::1%lo0   U   
 lo0
 
 ifconfig_em0=inet 70.89.123.5  netmask 255.255.255.248
 ifconfig_em1=inet 70.89.123.4 netmask 255.255.255.248
 defaultrouter=70.89.123.6
 hostname=se**.somehtingelse.biz
 
 
 I tried to add the gateway for link2 but it's not taking since it already 
 exists, and I've run multiple IP'd servers before without issue.
 
 I'm really lost.
 
 
 
 
 


Re: Routing Question

2010-08-27 Thread Patrick Lamaiziere
On Thu, 26 Aug 2010 18:17:19 -0700,
Doug Hardie bc...@lafn.org wrote:

 PF's route_to will return the packets to the proper router, but I have not
 been able to figure out which ones those would be.  The source IP
 address can be any on either network and it's highly likely that we
 will see packets from the same source network on both at the same
 time.  The only distinction I see in the input packets between the
 two paths is the MAC address of the router.  I don't see any way in
 pf or the system to use that to affect the return path
 though.

The filter option reply-to looks to be what you need. It works by
keeping the state of a connection (see pf.conf(5)).


Re: Routing Question

2010-08-27 Thread Doug Hardie

On 27 August 2010, at 05:07, Patrick Lamaiziere wrote:

 On Thu, 26 Aug 2010 18:17:19 -0700,
 Doug Hardie bc...@lafn.org wrote:
 
 PF's route_to will return the packets to the proper router, but I have not
 been able to figure out which ones those would be.  The source IP
 address can be any on either network and it's highly likely that we
 will see packets from the same source network on both at the same
 time.  The only distinction I see in the input packets between the
 two paths is the MAC address of the router.  I don't see any way in
 pf or the system to use that to affect the return path
 though.
 
 The filter option reply-to looks to be what you need. It works by
 keeping the state of a connection (see pf.conf(5)).

That works great on the output if you can figure out which packets to use it 
on.  The only way I can see to separate the traffic is using the router MAC 
address.  I don't find anything in pf that will look at 
that.


Re: Routing Question

2010-08-27 Thread Nikos Vassiliadis

On 8/27/2010 9:09 PM, Doug Hardie wrote:


On 27 August 2010, at 05:07, Patrick Lamaiziere wrote:


On Thu, 26 Aug 2010 18:17:19 -0700, Doug Hardie bc...@lafn.org
wrote:


PF's route_to will return the packets to the proper router, but I
have not been able to figure out which ones those would be.  The
source IP address can be any on either network and it's highly
likely that we will see packets from the same source network on
both at the same time.  The only distinction I see in the input
packets between the two paths is the MAC address of the router.
I don't see any way in pf or the system to use that to affect the
return path though.


The filter option reply-to looks to be what you need. It works
by keeping the state of a connection (see pf.conf(5)).


That works great on the output if you can figure out which packets to
use it on.  The only way I can see to separate the traffic is using
the router MAC address.  I don't find anything in pf that will look
at that.


Yes, pf cannot use the MAC address to classify a packet. The most
sensible solution would be installing a single router to handle
both lines, but I know it's not always feasible to do so for several
reasons. ipfw can use MAC addresses for classification; perhaps you
can hack some rules using fwd, skipto and mac.

Nikos


Routing Question

2010-08-26 Thread Doug Hardie
I have several servers with one ethernet interface.  Currently it is connected 
via a WAN to the internet.  We are in the midst of switching to a different 
provider.  I would like to be able to operate with both temporarily until all 
the users/services get switched.  The new circuit is in and working.  I would 
like somehow to configure the system (I have pf in use) to be able to detect 
the packets that come from a specific router and route the return packets back 
through it.  The other network would be the default.  PF's route_to will return 
the packets to the proper router, but I have not been able to figure out which 
ones those would be.  The source IP address can be any on either network and 
it's highly likely that we will see packets from the same source network on both 
at the same time.  The only distinction I see in the input packets between the 
two paths is the MAC address of the router.  I don't see any way in pf or the 
system to use that to affect the return path 
though.


Odd routing issue...

2010-05-11 Thread Glenn Sieb
Running: FreeBSD caduceus.wingfoot.org 8.0-RELEASE-p2 FreeBSD
8.0-RELEASE-p2 #42: Fri May  7 19:22:48 EDT 2010
r...@caduceus.wingfoot.org:/usr/obj/usr/src/sys/SANDALS  amd64

I'm getting a route added upon reboot with the hostname of the box,
going to lo0.

It's preventing things like, pinging itself. I can manually delete the
route, but.. where is it being set to begin with?!

Internet:
DestinationGatewayFlagsRefs  Use  Netif Expire
defaultip-66-80-251-65.ny UGS17   50   nfe0
66.80.251.64/26link#1 U   00   nfe0
caduceus   link#1 UHS 07lo0
(much snippage)
localhost  link#2 UH  00lo0


Nothing's changed in my /etc/rc.conf from when I was running
7.2-RELEASE... This behavior didn't happen with 7.2. And, I don't see
anything in /usr/src/UPDATING that seems relevant (unless, naturally,
I'm missing something). My google-fu keeps bringing me to the handbook,
but I don't see anything useful in there that might apply.

If I restart netif, the mysterious caduceus route pops up again.

If someone can point me in the right direction, I'd really appreciate it.

Thanks in advance!
Best,
--Glenn


Re: Odd routing issue...

2010-05-11 Thread Ed Jobs
On Wednesday 12 of May 2010 06:07, Glenn Sieb wrote:
 I'm getting a route added upon reboot with the hostname of the box,
 going to lo0.
 It's preventing things like, pinging itself. I can manually delete the
 route, but.. where is it being set to begin with?!

well, that behaviour is what I would expect. After all, the machine knows that 
to ping its own IP, it has to use the lo0 interface.
It just resolves your IP to the hostname of the machine.
So as far as I see, this is the intended behaviour.

(You can use netstat -rn to see the actual IP and not hostnames.)

If you can't ping localhost, I'd say that the problem lies elsewhere. 
(firewalls probably)
You can check with tcpdump to see what happens and why your pings don't get a 
reply.

-- 
Real programmers don't document. If it was hard to write, it should be hard to 
understand.


signature.asc
Description: This is a digitally signed message part.


what means: route: writing to routing socket: No such process ?

2010-04-02 Thread Matthias Apitz

Hello,

It seems that deleting a route which does not exist gives some message
about writing to routing socket: No such process:

# route delete xxx.xxx.xxx.xxx/27
delete net xxx.xxx.xxx.xxx
# route delete xxx.xxx.xxx.xxx/27
route: writing to routing socket: No such process
delete net xxx.xxx.xxx.xxx: not in table

The man page does not explain this.  What does this mean exactly? Thanks

matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/
Solidarity with the imperialistic Israel?Not in my  name!
¿Solidaridad con el imperialismo de Israel? ¡No en mi nombre!


routing for jails on public IPs, jails on private IPs between 2 servers

2009-08-05 Thread Izhar Firdaus
Hi,

I have this question which needs some comment/help:

== the setup ==
I have 2 FreeBSD servers with several jails running on them. Each server
has several jails that are either listening on a publicly accessible IP or
listening on a loopback/private IP. The two servers are connected
together using a VPN with routing that allows ServerA to connect to
private jails in ServerB and vice versa.

ServerA 
(10.1.0.1_tun0,192.168.1.1_bge0,192.168.1.2_bge0,127.0.1.1_lo1,127.0.1.1_lo1)
- JailA(192.168.1.2_bge0)
- JailB(127.0.1.1_lo1)
- JailC(127.0.1.1_lo1)

ServerB 
(10.1.0.3_tun0,192.168.1.3_bge0,192.168.1.4_bge0,127.0.2.1_lo1,127.0.2.2_lo1)
- JailA(192.168.1.4_bge0)
- JailB(127.0.2.1_lo1)
- JailC(127.0.2.2_lo1)


== the issue ==

Under the current config,
ServerA can connect to all private jails in ServerB through
VPN+routing and vice versa.
Private jails in ServerA can connect to public jails in ServerB
through NAT and vice versa.

However, I can't figure out how to allow public jails in ServerA to
connect to private jails in ServerB.

Anybody have an idea on how to implement it?

Thanks


-- 
Mohd Izhar Firdaus Bin Ismail
Amano Hikaru  天野晃 「あまの ひかる」
http://fedoraproject.org/wiki/MohdIzharFirdaus
http://blog.kagesenshi.org
92C2 B295 B40B B3DC 6866  5011 5BD2 584A 8A5D 7331


ifconfig routing

2009-07-04 Thread John Pollock
Greets,

Here's my dilemma - 

I'm running FreeBSD 7.1 - that was set up with its normal host area and
added via ezjail (2) jails.

Out of jail #2, I run an IRCD for a local Christian group.

I also installed an old-school BBS in jail #2, and it works great,
connects and works fine.

But, since I wish to run a few old DOS programs that are DOORS, it
recommends I install it where it can reach X, the windows server.
Then I'll have a shot at utilizing doscmd to get them to work.

No matter how many times I install and reinstall it, it fires up, but I
can't seem to access it via telnet either locally or from outside my
computer via telnet.

For further info, my system setup is: the internet goes through my
DSL/ROUTER set in BRIDGE MODE, to my DLINK wireless router.

My jail #2 is set to PRIVATE IP 192.168.0.103 - jail #1 set to
192.168.0.102 and the host part of the computer set to 192.168.0.100.

Any help or suggestions greatly appreciated.

JP
===

netstat -rn results below:

$ netstat -rn
Routing tables

Internet:
DestinationGatewayFlagsRefs  Use  Netif
Expire
default192.168.0.1UGS 0 3082vr0
127.0.0.1  127.0.0.1  UH  00lo0
192.168.0.0/24 link#1 UC  00vr0
192.168.0.100:0d:88:9f:e2:5f  UHLW2  986vr0
1102
192.168.0.100  00:0e:a6:a0:db:24  UHLW14lo0
192.168.0.102  00:0e:a6:a0:db:24  UHLW1   12lo0
192.168.0.103  00:0e:a6:a0:db:24  UHLW157562lo0

Internet6:
Destination   Gateway   Flags
Netif Expire
::1   ::1   UHL
lo0
fe80::%lo0/64 fe80::1%lo0   U
lo0
fe80::1%lo0   link#3UHL
lo0
ff01:3::/32   fe80::1%lo0   UC
lo0
ff02::%lo0/32 fe80::1%lo0   UC
lo0 
===

ifconfig results below:

$ ifconfig
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
1500
options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
ether 00:0e:a6:a0:db:24
inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255
inet 192.168.0.103 netmask 0xff00 broadcast 192.168.0.255
inet 192.168.0.102 netmask 0xff00 broadcast 192.168.0.255
media: Ethernet autoselect (100baseTX full-duplex)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0
mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
inet6 ::1 prefixlen 128 
inet 127.0.0.1 netmask 0xff00 
$ 






Re: PF Routing to VPN Device

2009-06-18 Thread Valentin Bud
On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost
mik...@adhost.comwrote:

 Hello,

 We have a network with a VPN device sitting beside a PF server, both
 connected to an internal network.

 PF Server: 10.1.4.1
 VPN Device: 10.1.4.200

 The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
 these networks should be routed to 10.1.4.200.  We've set up routes on
 the PF server as such.

 We've set up the following rules:

 block in log
 pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24
 10.1.2.0/24 }

 However, the block in log is catching the return traffic.  From pflog
 when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
 port 80:

 00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 
 10.1.2.105.3558: [|tcp]

 If we remove the block in log, the traffic works.

 What are we missing?

 Thanks,
 Mike


Hello Mike,

 What version of FBSD are you using? The keep state is implicit from 7.0 as
far as I know. I might not be right so someone please correct me.

 If that is the case you should add keep state to your rule and see what
happens.

my 7c,
v
-- 
network warrior since 2005


RE: PF Routing to VPN Device

2009-06-18 Thread Mike Sweetser - Adhost
 -Original Message-
 From: Valentin Bud [mailto:valentin@gmail.com]
 Sent: Thursday, June 18, 2009 1:36 AM
 To: Mike Sweetser - Adhost
 Cc: freebsd-questions@freebsd.org
 Subject: Re: PF Routing to VPN Device
 
 
 
 On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost
 mik...@adhost.com wrote:
 
 
   Hello,
 
   We have a network with a VPN device sitting beside a PF server,
 both
   connected to an internal network.
 
   PF Server: 10.1.4.1
   VPN Device: 10.1.4.200
 
   The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any
 traffic to
   these networks should be routed to 10.1.4.200.  We've set up
 routes on
   the PF server as such.
 
   We've set up the following rules:
 
   block in log
   pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to {
 10.1.1.0/24
   10.1.2.0/24 }
 
   However, the block in log is catching the return traffic.  From
 pflog
   when somebody on the VPN (10.1.2.105) tries to connect to
 10.1.4.25 on
   port 80:
 
   00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 
   10.1.2.105.3558: [|tcp]
 
   If we remove the block in log, the traffic works.
 
   What are we missing?
 
   Thanks,
   Mike
 
 
 Hello Mike,
 
  What version of FBSD are you using? The keep state is implicit from
 7.0 as
 far as I know. I might not be right so someone please correct me.
 
  If that is the case you should add keep state to your rule and see
 what happens.

We're using FreeBSD 7.2.

Mike


Re: PF Routing to VPN Device

2009-06-18 Thread Valentin Bud
On Thu, Jun 18, 2009 at 11:35 AM, Valentin Bud valentin@gmail.comwrote:



 On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost 
 mik...@adhost.com wrote:

 Hello,

 We have a network with a VPN device sitting beside a PF server, both
 connected to an internal network.

 PF Server: 10.1.4.1
 VPN Device: 10.1.4.200

 The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
 these networks should be routed to 10.1.4.200.  We've set up routes on
 the PF server as such.

 We've set up the following rules:

 block in log
 pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24
 10.1.2.0/24 }

 However, the block in log is catching the return traffic.  From pflog
 when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
 port 80:

 00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 
 10.1.2.105.3558: [|tcp]

 If we remove the block in log, the traffic works.

 What are we missing?

 Thanks,
 Mike

  Hello Mike,
 What version of FBSD are you using? The keep state is implicit from 7.0
AFAIK.

So if you are using a version prior to 7.0 you should add keep state so the
return traffic
can be passed.

v
-- 
network warrior since 2005


Re: PF Routing to VPN Device

2009-06-18 Thread Tim Judd
On 6/17/09, Mike Sweetser - Adhost mik...@adhost.com wrote:
 Hello,

 We have a network with a VPN device sitting beside a PF server, both
 connected to an internal network.

 PF Server: 10.1.4.1
 VPN Device: 10.1.4.200

 The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
 these networks should be routed to 10.1.4.200.  We've set up routes on
 the PF server as such.

 We've set up the following rules:

 block in log
 pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24
 10.1.2.0/24 }

 However, the block in log is catching the return traffic.  From pflog
 when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
 port 80:

 00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 
 10.1.2.105.3558: [|tcp]

 If we remove the block in log, the traffic works.

 What are we missing?

 Thanks,
 Mike



Mike,

I know the typical firewall rules that are googleable are one of two
basic starting policies..

-- 1.
  block in all
  pass out all


-- 2.
  block all



They've become a headache to me to configure a firewall and I now
start with this base.  In this example, fxp0 is facing the Internet,
and xl0 is facing the trusted network.

-- 3.
  block in on fxp0 all
  pass out

This adds the benefit that VPN connections, TUNs, GIFs, and all other
ethernet devices aren't blindly evaluated to a simple block in rule,
rather it's just the fxp0 interface public Internet traffic that is
being blocked, while TUNs, GIFs, and the like are exempt from that
rule entry line.



Might you try by editing your rules to just block your public IP
firewall interface?



Good luck.


PF Routing to VPN Device

2009-06-17 Thread Mike Sweetser - Adhost
Hello,

We have a network with a VPN device sitting beside a PF server, both
connected to an internal network.  

PF Server: 10.1.4.1
VPN Device: 10.1.4.200

The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
these networks should be routed to 10.1.4.200.  We've set up routes on
the PF server as such.

We've set up the following rules: 

block in log
pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }

However, the block in log is catching the return traffic.  From pflog
when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
port 80:

00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]

If we remove the block in log, the traffic works.

What are we missing?

Thanks,
Mike
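As an added example, not from the thread, a small Python triage of pflog lines in the format Mike pasted: it parses the rule number, interface, direction and endpoints, and flags inbound blocks on the internal interface whose source is a LAN host's service port and whose destination is one of the VPN nets, i.e. the return traffic the block in log rule is catching. The interface name bge1 standing in for $int_if, the extra log lines and the port heuristic are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed pflog lines in the format shown in the post (the first is Mike's own).
SAMPLE_LOG = """\
00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]
00 rule 28/0(match): block in on bge1: 10.1.4.25.443 > 10.1.1.17.49201: [|tcp]
00 rule 28/0(match): block in on bge0: 203.0.113.9.51234 > 10.1.4.1.22: [|tcp]
00 rule 30/0(match): pass in on bge1: 10.1.4.50.40012 > 10.1.2.105.22: [|tcp]
"""

# One pflog/tcpdump line: "rule N/M(reason): action dir on iface: src.port > dst.port:"
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Assumed: bge1 is $int_if; the LAN and the two VPN nets are the ones from the post.
INT_IF = "bge1"
LAN = ipaddress.ip_network("10.1.4.0/24")
VPN_NETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]

def parse_pflog(text):
    """Parse pflog text lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["rule"], ev["sport"], ev["dport"] = int(ev["rule"]), int(ev["sport"]), int(ev["dport"])
        ev["src"], ev["dst"] = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        events.append(ev)
    return events

def is_dropped_vpn_reply(ev):
    """A block, inbound on the internal interface, from a LAN host's service port
    (< 1024, heuristic) to a VPN client: the return half of a VPN user's connection."""
    return (ev["action"] == "block" and ev["dir"] == "in" and ev["iface"] == INT_IF
            and ev["src"] in LAN and ev["sport"] < 1024
            and any(ev["dst"] in net for net in VPN_NETS))

def triage(text):
    """Summarise which rules drop VPN return traffic and for which flows."""
    events = parse_pflog(text)
    dropped = [ev for ev in events if is_dropped_vpn_reply(ev)]
    flows = [f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}" for ev in dropped]
    return {"parsed": len(events),
            "by_rule": dict(Counter(ev["rule"] for ev in dropped)),
            "flows": flows}

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(key, val)
```

The rule number in by_rule is the one to look up with pfctl -vvsr when deciding which pass rule should be covering that return path.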


pppoe routing problem, default route isnt used for some hosts

2009-05-29 Thread Fabian Holler
Hello,

I have a strange routing problem. I can't connect to some hosts on the
internet until I add an explicit route for these hosts with my default gw
as gateway.
There aren't any other routes that could match the destination IP of the
non-working hosts. So the connection should use the default gw even
without an explicit route for these hosts.

My Setup:
FreeBSD 7.2-RELEASE
mppd to make a PPPoE connection to my internet service provider.
PF as firewall

To isolate the problem I used an minimal pf.conf:
---
inetif=ng0
lanif=vr0

scrub all max-mss 1492
pass quick on lo0 all
pass out on $inetif proto { tcp udp icmp } all keep state
pass on $lanif from any to any
---
I also tried pppd instead of mppd (doesn't help).


Hosts that I can't connect to are, e.g., spiegel.de, tagesschau.de, freebsd.org,
southparkstudios.com.
E.g. TCP connections to port 80 of southparkstudios.com don't work.
If I add an explicit route:
route add southparkstudios.com 213.191.84.199
connections with nc to port 80 work
(the connection tests are made from the router, the iface MTUs are correct)

Anybody have an idea what could be wrong?

I have no idea anymore
(it's also not a provider problem; when I make the PPPoE connection from
Windows I can connect to all hosts)


thanks for any hints:)

best regards

Fabian


-
My routing table:

# netstat -ra
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            lo1.br04.weham.de. UGS         0    15505    ng0
1.1.1.1&0x1010101  link#1             UC          0        0    rl0
exxx45031.adsl.al  lo0                UHS         0        0    lo0
localhost          localhost          UH          0      433    lo0
192.168.113.0      link#2             UC          0        0    vr0
xyz                00:30:18:ad:26:88  UHLW        1    24005    lo0
mail.xyz.ath.cx    00:30:18:ad:26:88  UHLW        1    86400    lo0
http.xyz.ath.cx    00:30:18:ad:26:88  UHLW        1      770    lo0
192.168.113.255    ff:ff:ff:ff:ff:ff  UHLWb       1     3228    vr0
lo1.br04.weham.de. e176145031.adsl.al UH          1        0    ng0

[... ipv6 stuff]


Interface infos:

# netstat -ira
Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
rl0    1492 <Link#1>      00:02:2a:b0:4a:e0 26128479     0 19855993     0     0
                          01:00:5e:00:00:01        0           0
rl0    1492 1.1.1.1&0x101 1.1.1.1                  0     -     2653     -     -
                          ALL-SYSTEMS.MCAST
vr0    1500 <Link#2>      00:30:18:ad:26:88 12662831     0 17678949     0     0
                          01:00:5e:00:00:01     2038           0
vr0    1500 192.168.113.0 xyz                9745471     - 13639692     -     -
                          ALL-SYSTEMS.MCAST
vr0    1500 192.168.113.0 mail.xyz.a          291626     -    86404     -     -
                          ALL-SYSTEMS.MCAST
vr0    1500 192.168.113.0 http.xyz.a            6814     -      770     -     -
                          ALL-SYSTEMS.MCAST
lo0   16384 <Link#3>                          113929     0   113929     0     0
lo0   16384 fe80:3::1     fe80:3::1                0     -        0     -     -
                          ff01:3::1           (refs: 1)
                          ff02:3::2:a61d:93b4 (refs: 1)
                          ff02:3::1           (refs: 1)
                          ff02:3::1:ff00:1    (refs: 1)
lo0   16384 localhost     ::1                      0     -        0     -     -
                          ff01:3::1           (refs: 1)
                          ff02:3::2:a61d:93b4 (refs: 1)
                          ff02:3::1           (refs: 1)
                          ff02:3::1:ff00:1    (refs: 1)
lo0   16384 your-net      localhost              433     -     2433     -     -
                          ALL-SYSTEMS.MCAST
pflog 33204 <Link#4>                               0     0    80567     0     0
tun0*  1500 <Link#5>                           78331     0    76381     0     0
tun99  1500 <Link#6>                             353     0      375     0     0
ng0    1492 <Link#7>                        17114096     0 13449463     0     0
ng0    1492 85.176.145.31 e176145031.adsl.a    12398     -    17011     -     -
                          ALL-SYSTEMS.MCAST


mpd.conf:

default:
load PPPoE
PPPoE:
new -i ng0 PPPoE PPPoE
set iface addrs 1.1.1.1 2.2.2.2
set iface route default
set iface enable on-demand
set iface idle 0
set bundle disable multilink
set bundle authname xxy
set iface disable tcpmssfix
set link no acfcomp protocomp
set link disable pap chap
set link accept chap
set link mtu 1492
set link mru 1492
set link keep-alive 10 60
set ipcp yes vjcomp
set iface enable tcpmssfix   # I know pf also does this in my setup, but I am desperate :)
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
set nat disable
log +link
open

Re: pppoe routing problem, default route isnt used for some hosts

2009-05-29 Thread Nikos Vassiliadis

Fabian Holler wrote:

Hello,

I have a strange routing problem. I can't connect to some hosts on the
internet until I add an explicit route for these hosts with my default gw
as gateway.
There aren't any other routes that could match the destination IP of the
non-working hosts. So the connection should use the default gw even
without an explicit route for these hosts.

My Setup:
FreeBSD 7.2-RELEASE
mppd to make a PPPoE connection to my internet service provider.
PF as firewall

To isolate the problem I used an minimal pf.conf:
---
inetif=ng0
lanif=vr0

scrub all max-mss 1492
pass quick on lo0 all
pass out on $inetif proto { tcp udp icmp } all keep state
pass on $lanif from any to any
---
I also tried pppd instead of mppd (doesn't help).


Hosts that I can't connect to are, e.g., spiegel.de, tagesschau.de, freebsd.org,
southparkstudios.com.
E.g. TCP connections to port 80 of southparkstudios.com don't work.
If I add an explicit route:
route add southparkstudios.com 213.191.84.199


Besides netstat -rn, you can use route get southparkstudios.com
to check a route for a destination.


connections with nc to port 80 work
(the connection tests are made from the router, the iface MTUs are correct)


You cannot test MTU settings using nc, since initial packets, that
is, small packets, are always smaller than your MTU. You can test
MTU using fetch or ftp or nc + GET /some.big.file.



Anybody have an idea what could be wrong?

I have no idea anymore
(it's also not a provider problem; when I make the PPPoE connection from
Windows I can connect to all hosts)


thanks for any hints:)

best regards

Fabian


-
My routing table:

# netstat -ra
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            lo1.br04.weham.de. UGS         0    15505    ng0
1.1.1.1&0x1010101  link#1             UC          0        0    rl0

What is this ???
It looks like a non-contiguous netmask?


exxx45031.adsl.al  lo0                UHS         0        0    lo0
localhost          localhost          UH          0      433    lo0
192.168.113.0      link#2             UC          0        0    vr0
xyz                00:30:18:ad:26:88  UHLW        1    24005    lo0
mail.xyz.ath.cx    00:30:18:ad:26:88  UHLW        1    86400    lo0
http.xyz.ath.cx    00:30:18:ad:26:88  UHLW        1      770    lo0
192.168.113.255    ff:ff:ff:ff:ff:ff  UHLWb       1     3228    vr0
lo1.br04.weham.de. e176145031.adsl.al UH          1        0    ng0

[... ipv6 stuff]


Interface infos:

# netstat -ira
Name    Mtu Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
rl0    1492 <Link#1>      00:02:2a:b0:4a:e0 26128479     0 19855993     0     0
                          01:00:5e:00:00:01        0           0
rl0    1492 1.1.1.1&0x101 1.1.1.1                  0     -     2653     -     -
                          ALL-SYSTEMS.MCAST
vr0    1500 <Link#2>      00:30:18:ad:26:88 12662831     0 17678949     0     0
                          01:00:5e:00:00:01     2038           0
vr0    1500 192.168.113.0 xyz                9745471     - 13639692     -     -
                          ALL-SYSTEMS.MCAST
vr0    1500 192.168.113.0 mail.xyz.a          291626     -    86404     -     -
                          ALL-SYSTEMS.MCAST
vr0    1500 192.168.113.0 http.xyz.a            6814     -      770     -     -
                          ALL-SYSTEMS.MCAST
lo0   16384 <Link#3>                          113929     0   113929     0     0
lo0   16384 fe80:3::1     fe80:3::1                0     -        0     -     -
                          ff01:3::1           (refs: 1)
                          ff02:3::2:a61d:93b4 (refs: 1)
                          ff02:3::1           (refs: 1)
                          ff02:3::1:ff00:1    (refs: 1)
lo0   16384 localhost     ::1                      0     -        0     -     -
                          ff01:3::1           (refs: 1)
                          ff02:3::2:a61d:93b4 (refs: 1)
                          ff02:3::1           (refs: 1)
                          ff02:3::1:ff00:1    (refs: 1)
lo0   16384 your-net      localhost              433     -     2433     -     -
                          ALL-SYSTEMS.MCAST
pflog 33204 <Link#4>                               0     0    80567     0     0
tun0*  1500 <Link#5>                           78331     0    76381     0     0
tun99  1500 <Link#6>                             353     0      375     0     0
ng0    1492 <Link#7>                        17114096     0 13449463     0     0
ng0    1492 85.176.145.31 e176145031.adsl.a    12398     -    17011     -     -
                          ALL-SYSTEMS.MCAST


mpd.conf:

default:
load PPPoE
PPPoE:
new -i ng0 PPPoE PPPoE
set iface addrs 1.1.1.1 2.2.2.2


Maybe you should delete the above line as
well. I don't remember what iface addrs does,
but you'll get the IP addresses via IPCP,
so it's surely redundant.


set iface route default
set iface enable on-demand

Re: pppoe routing problem, default route isnt used for some hosts

2009-05-29 Thread Fabian Holler
Hello Nikos,

thank you very much, Nikos.
You've repaired my internet ;)

On Fri, May 29, 2009 at 06:56:49PM +0300, Nikos Vassiliadis wrote:
 Fabian Holler wrote:
  I have a strange routing problem. I can't connect to some hosts on the
  internet until I add an explicit route for these hosts with my default gw
  as gateway.
  There aren't any other routes that could match the destination IP of the
  non-working hosts. So the connection should use the default gw even
  without an explicit route for these hosts.
 Besides netstat -rn, you can use route get southparkstudios.com
 to check a route for a destination.
 
  connections with nc to port 80 work
  (the connection tests are made from the router, the iface MTUs are correct)
 
 You cannot test MTU settings using nc, since initial packets, that
 is, small packets, are always smaller than your MTU. You can test
 MTU using fetch or ftp or nc + GET /some.big.file.

I only tried to say that the connection problems couldn't be an MTU
problem, because I tried to connect from the router (where the PPPoE
iface should have the correct MTU) and not from any LAN host.

  PPPoE:
  new -i ng0 PPPoE PPPoE
  set iface addrs 1.1.1.1 2.2.2.2
 
 Maybe you should delete the above line as

That was the problem :)
I thought the IP+netmask of the iface were arbitrary because they will be
overwritten after I've made a successful connection.
But the crappy netmask was responsible for my problems.

  set link mtu 1492
  set link mru 1492
 
 this is also wrong, don't try to set MTU
 or MRU. They are negotiated during PPP.
removed this also :)


regards

Fabian


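As an added example, not part of the thread, here is a Python model of the route lookup that reproduces the symptom: it applies the match rule dest & mask == route & mask to the IPv4 entries of Fabian's netstat -ra, including the 1.1.1.1&0x1010101 route Nikos points at, and shows which destinations that route steals from the default route. My own inference, not stated in the thread: since 0x1010101 tests only the low bit of each octet, any destination whose four octets are all odd matches it. The two non-gateway destination addresses are constructed, and ordering matches by number of set mask bits is a simplification of the kernel's radix tree.

```python
import ipaddress

def route(dst, mask, netif):
    """Build a routing-table entry; mask is a dotted quad or the raw hex mask
    netstat prints after '&' (e.g. 0x1010101). Stored as (masked dst, mask, netif)."""
    d = int(ipaddress.ip_address(dst))
    m = mask if isinstance(mask, int) else int(ipaddress.ip_address(mask))
    return (d & m, m, netif)

# IPv4 routes reconstructed from Fabian's netstat -ra (hostnames dropped).
# The rl0 entry is the one Nikos flags: its netmask 0x1010101 is not a prefix,
# left over from 'set iface addrs 1.1.1.1 2.2.2.2' in mpd.conf.
BROKEN_TABLE = [
    route("0.0.0.0", 0, "ng0"),                       # default via the PPPoE link
    route("1.1.1.1", 0x1010101, "rl0"),               # 1.1.1.1&0x1010101  link#1
    route("192.168.113.0", "255.255.255.0", "vr0"),   # the LAN
]
# The same table after the 'set iface addrs' line is removed (Fabian's fix).
FIXED_TABLE = [r for r in BROKEN_TABLE if r[2] != "rl0"]

def lookup(table, dest):
    """Return the netif a destination is sent out of. A route matches when
    dest & mask == route_dst & mask; among matches the one with the most mask
    bits set wins (simplification of the radix tree's ordering of masks)."""
    d = int(ipaddress.ip_address(dest))
    best = None
    for rd, m, netif in table:
        if (d & m) == rd and (best is None or bin(m).count("1") > bin(best[1]).count("1")):
            best = (rd, m, netif)
    return best[2] if best else None

def captured_by_bogus_route(dest):
    """Destinations the 1.1.1.1&0x1010101 entry swallows: mask 0x1010101 keeps
    only the low bit of each octet, so an address matches exactly when all four
    octets are odd, and it is then sent to rl0 instead of the default route."""
    return all(int(octet) % 2 == 1 for octet in dest.split("."))

if __name__ == "__main__":
    # 213.191.84.199 is the gateway from the thread; the other two are constructed.
    for dest in ("213.191.84.199", "199.51.101.23", "192.168.113.42"):
        print(dest, "broken ->", lookup(BROKEN_TABLE, dest),
              "fixed ->", lookup(FIXED_TABLE, dest),
              "all-odd octets:", captured_by_bogus_route(dest))
```

On the real box the equivalent check is the route get <host> that Nikos suggests, which prints the interface the kernel actually picked for that destination.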


strange routing behaviour with openvpn

2009-04-24 Thread Neo [GC]

Hi,

I'm using openvpn to connect my vpn-gateway at home to an external 
server, both are FreeBSD-boxes (6.2-STABLE).
The external server has a fixed IP, the client at home connects to a 
router, which gets a new IP every 24 hours.
The client is configured as router (gateway_enable=YES) which works... 
at least sometimes.


After my router gets a new IP, the openvpn client reconnects to the 
server and the tunnel is usable from free...@home to free...@external.
But: I have one Vista and one OSX at home, both have static routes to 
the FreeBSD-box. They are able to use the tunnel, when the 
openvpn-client is freshly started. After getting a new IP from my ISP, 
the tunnel is up (and - as I wrote - the FreeBSD is able to use it), but 
the two other boxes don't get routed through the tunnel, but the default 
gateway. When I restart the openvpn-client, everything works again like 
it should.


Sample output of traceroute when openvpn is restarted:
  1     1 ms     1 ms     1 ms  wintermute [192.168.2.2]
  2    29 ms    30 ms    32 ms  GOTHNET [10.10.0.1]
(works)

After the router gets a new external IP:
  1     1 ms     1 ms     1 ms  wintermute [192.168.2.2]
  2     1 ms     1 ms     1 ms  192.168.2.1
  3    19 ms    19 ms    19 ms  217.0.119.195
  4  217.0.89.70  meldet: Zielhost nicht erreichbar.

Any advice? :(


Regards,
Neo [GC]



Re: strange routing behaviour with openvpn

2009-04-24 Thread Chuck Swiger

Hi, Neo--

On Apr 24, 2009, at 3:26 PM, Neo [GC] wrote:
After my router gets a new IP, the openvpn client reconnects to the  
server and the tunnel is usable from free...@home to free...@external.
But: I have one Vista and one OSX at home, both have static routes  
to the FreeBSD-box. They are able to use the tunnel, when the  
openvpn-client is freshly started. After getting a new IP from my  
ISP, the tunnel is up (and - as I wrote - the FreeBSD is able to use  
it), but the two other boxes don't get routed through the tunnel,  
but the default gateway. When I restart the openvpn-client,  
everything works again like it should.


Not enough info to tell, but consider the output of netstat -nr  
before and after the IP reassignment, and you'll probably notice a  
routing table change which is causing your other LAN clients to send  
traffic the wrong way.


Regards,
--
-Chuck



Re: FreeBSD Networking Questions / vlan, lagg, routing, FIBs, ezjail

2009-03-28 Thread Peter Cornelius

 Now, it is my suspicion that the apparent need for promisc at the router
 end indeed is an apparent one and not really the router's fault but rather
 the other end's. The other end, in this case, is the server below.
 
 If the server, with its single MIB, default-routes its packets through one
 specific of its vlans which may not be the one, at the router's end, with
 the corresponding IP network the traffic entered into the net, would it be
 possible that there's something preventing them from being received? Unless
 there's promisc on, of course...
 
 I'll grab the laptop next time I think of it and have the switch monitor
 traffic to it to see what really is on the wire, maybe that helps and gives
 me a clue. I just keep forgetting the bl**dy thing each time I leave...

Ok, after a good portion of fiddling with the switch, it seems that you cannot 
copy traffic from link-aggregated ports to a monitor port on a Linksys SRW2016. 
Now I'm at my wits' end here, it seems.

I'll try the FIB approach hopefully next week then.

  - On my server, is there any way to set up individual
   default routes (to the router) for each of the vlans short of
   tucking the ezjails behind the vlan interfaces each into their own
   FIB (btw, has anyone ever done that?)?
  
  Yes, from FreeBSD-7.1 and beyond, there is support
  for up to 16 routing tables. Use the setfib command
  to select routing table for outgoing connections.
 
 So, I interpret your response as that I am correct, I have a single
 default route per FIB, and that's it. Which effectively means that I do need
 FIBs. I agree that this behaviour might make some sense :)
 
  Something like, setfib 10 jail $JAILOPTSANDARGS,
  in the jail case. You have to compile a kernel
  with the option ROUTETABLES=n. Read the message for
  revision 1.1485 from here:
  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/NOTES
 
(...)
 Generally speaking, or rather, inquiring, has anyone ever done FIBs with
 ezjail? It probably is very easy, and I consider(ed) looking into it myself
 but I currently spend about max. an hour every 2-3 days on FreeBSD so I
 don't really progress. Well, might eventually, but that'll be dunno when. But
 well, such is life, and this is pleasure not work :) and I hope to learn
 something useful on the way.
(...)
 [1]  
 http://lists.freebsd.org/pipermail/freebsd-arch/2007-December/007331.html

Regards,

Peter.

