Re: OpenBSD on VMware ESXi

2019-05-22 Thread mxb
I think FreeBSD or any Linux template will work just fine and add vmxnet3. However, last I checked (1 year ago) vmxnet3 was less stable than e1000 under pressure. Sent from my iDevice > On 22 May 2019, at 13:47, Reyk Floeter wrote: > >> On Wed, May 22, 2019 at 01:43:35PM +0200, Janne

Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-31 Thread mxb
With -stable kernel and modded syspatch I was able to pull down all the patches I needed to have this machine to be fully up to date. Sent from my iDevice > On 30 May 2018, at 18:59, Stuart Henderson wrote: > >> On 2018-05-30, Maxim Bourmistrov wrote: >> I ended up with a -stable kernel

Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-30 Thread mxb
Reverting if_ix.c to rev 1.139 brought ix back to life. Sent from my iDevice > On 29 May 2018, at 21:36, Maxim Bourmistrov > wrote: > > Diff, discussed in the thread, seems to follow all the way to 6.3. > Sure I probably can try out 6.3, but I have a feeling that this will not help. > >

Re: 6.0-stable panic

2016-12-08 Thread mxb
ch can be applied to -stable to dump more info and hopefully resolve this long standing bug? Sorry, but -current is not an option anymore to run there. I’m happy to pull those in, apply and trigger. br //mxb > On 21 sep. 2016, at 10:44, mxb <m...@alumni.chalmers.se> wrote: > >

Re: IPSec

2016-11-28 Thread mxb
ump: # tcpdump -n -vs 1440 -r /var/run/isakmpd.pcap All this info actually came from Stuart originally. //mxb

Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-25 Thread mxb
Looks nice. Like a Soekris x2 + Kerberos case. What I miss on all those boards is dedicated IPMI. Else, with IPMI, those are perfect products for remote small office. //mxb > On 25 nov. 2016, at 15:01, Bob Jones <r.a.n.d.o.m.d.e.v.4+openbsdm...@gmail.com> wrote: > > Try the NetBoa

Re: IPSec

2016-11-24 Thread mxb
You should be able to. As far as I understand ipsec.conf gets “translated” to isakmpd.conf. I use both. What I have in isakmpd.conf is: [General] DPD-check-interval = 60 Works fine. //mxb > On 24 nov. 2016, at 22:58, Damian McGuckin <dami...@esi.com.au> wrote: > > Can

Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread mxb
As far as I know, Halon cuts the number of IPSec tunnels on free version. > On 24 nov. 2016, at 21:21, Joe Crivello wrote: > >> Can somebody please recommend me a firewall appliance that can run OpenBSD > and >> pf, and can be upgradeable to the latest version? It

relayd with multiple pools

2016-11-23 Thread mxb
this parent table. As in the test above, disabling child table should override status of hosts within the table and those should become UNKNOWN, which should prevent usage of this child table. Any clarification regarding this scenario is appreciated. P.S. This is 6.0-stable Br //mxb

Re: Allow FTP through Openbsd firewall

2016-10-28 Thread mxb
Depending on the clients software, but you should be able to use Passive mode. man 1 ftp: -p Enable passive mode operation for use behind connection filtering firewalls. This option has been deprecated as ftp now tries to use passive mode by default, falling back to

OpenBSD 6.0-stable: uvm_mapent_alloc: out of static map entries

2016-10-26 Thread mxb
Hey, seeing following in dmesg: uvm_mapent_alloc: out of static map entries Wasn’t it fixed so system dynamically adjusted this or do I still need to increase and re-compile kernel ? P.S. Have plenty of RAM (15G free) on this box. //mxb

Re: what all touches the carp demote counter?

2016-10-12 Thread mxb
if not node which took over master role will stay master until it goes down. All default recommendations/“best practice” are in man pages. //mxb

Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread mxb
Try to use forward-zone instead of stub-zone in unbound.conf forward-zone: name: "abc.com" forward-addr: 127.0.0.1 > On 10 okt. 2016, at 23:42, Johan Mellberg wrote: > > Hi all, > > I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my >

Re: what all touches the carp demote counter?

2016-10-11 Thread mxb
to wait. //mxb > On 11 okt. 2016, at 03:58, Paul B. Henson <hen...@acm.org> wrote: > > On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote: > >> Did you adjust advskew value on the machine you want to be Backup ? > > Yes, the backup has an advskew of 5 and the p

Re: 6.0-stable panic

2016-09-30 Thread mxb
Thanks for the tip, Stuart. I’ll take a look at it. > On 30 sep. 2016, at 03:40, Stuart Henderson <s...@spacehopper.org> wrote: > > On 2016-09-29, mxb <m...@alumni.chalmers.se> wrote: >> Unfortunately, this is a remote, IPMI machine - no kbd while it is in ddb > >

Re: unbound and truly multihomed setup

2016-09-29 Thread mxb
Tried to play around with ports nsd/unbound listens on? //Мэксб > On 29 sep. 2016, at 09:48, Gregory Edigarov wrote: > > Hi, > > Need an advice. > > I have a bgp router with 3 interfaces: > > em0 (xxx.yyy,zzz.1/24), > em1, em2 - looking at uplinks > > bgp is up and running,

Re: 6.0-stable panic

2016-09-29 Thread mxb
seen it to overwrite /var/crash . Should it? //mxb > On 21 sep. 2016, at 11:00, Martin Pieuchot <m...@openbsd.org> wrote: > > On 21/09/16(Wed) 10:44, mxb wrote: >> Panic is very similar to > > So far no developer have a clue how to reproduce this panic. It's a >

Re: 6.0-stable panic

2016-09-21 Thread mxb
Where do you see word “solution” in the thread pointed out by URL? > On 21 sep. 2016, at 10:50, Mihai Popescu wrote: > >> Panic is very similar to > > So the solution must be very similar to ... too!

6.0-stable panic

2016-09-21 Thread mxb
Panic is very similar to https://www.mail-archive.com/tech@openbsd.org/msg32608.html Panic happened during restart of relayd. System is up to date with errata up to 004. Runs relayd, ospfd, bgpd. no Tor, no transparent stuff.

Re: 5.9: vmx0: device timeout

2016-08-13 Thread mxb
Hey, it would be nice to define “network load”. I have several VMs running 5.8-stable/5.9-stable/current without seeing this. //mxb > On 11 aug. 2016, at 21:44, Kurt Mosiejczuk <kurt-open...@se.rit.edu> wrote: > > I've noticed that for 5.9, any VMs (in VMware) using vmx(4),

Re: tmpfs

2016-07-31 Thread mxb
"""This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they are > addressed. If > you have received this email in error please notify the system manager."""

Re: tmpfs

2016-07-31 Thread mxb
Mine is sane. Yours just couple of thousands years after. Fix yours. > On 31 juli 2016, at 21:46, Consus <con...@gmx.com> wrote: > > On 20:53 Sun 31

Re: tmpfs

2016-07-31 Thread mxb
Else it is just a discussion. > On 31 juli 2016, at 20:48, Consus wrote: > > drama

Re: tmpfs

2016-07-31 Thread mxb
un, Jul 31, 2016 at 7:54 PM, mxb <m...@alumni.chalmers.se> wrote: >> Who gives a sh*t?! >> Ppl supporting OpenBSD community what matters - with userbase without users is >> like masturbating. >> >> Ppl like me test public diffs on live equipment, donate money and bu

Re: tmpfs

2016-07-31 Thread mxb
As we say, you have to answer for your words. In Sweden he will get the chance to. > On 31 juli 2016, at 20:47, mxb <m...@alumni.chalmers.se> wrote: > > I'm Russian, so what? > >> On 31 juli 2016,

Re: tmpfs

2016-07-31 Thread mxb
I'm Russian, so what? > On 31 juli 2016, at 20:37, Aioi Yuuko wrote: > > Stop making Russians look bad. Some of us like OpenBSD

Re: tmpfs

2016-07-31 Thread mxb
He didn’t answer about mirrors. I asked. So this one you can send to /dev/null. > On 31 juli 2016, at 20:37, Aioi Yuuko wrote: > > See your previous message re: mirrors.

Re: tmpfs

2016-07-31 Thread mxb
, buy pulling off DARPA feed. > On 31 juli 2016, at 16:51, ludovic coues <cou...@gmail.com> wrote: > > Guess which one of you and theo have it's name all over the CVS tree ? > > 2016-07-31 16:37 GMT+02:00 mxb <m...@alumni.chalmers.se>: >> While looking at the

Re: tmpfs

2016-07-31 Thread mxb
While looking at the mirror, read your last email once again. > On 30 juli 2016, at 19:58, Theo de Raadt wrote: > > Yeah, you sure are the cool dude. > > Despite the existance of people like you, OpenBSD has been > progressing as working code for 20 years. > > > And

Re: tmpfs

2016-07-30 Thread mxb
I don't appreciate the private reply. Adding misc back in. > On 30 juli 2016, at 16:29, Theo de Raadt wrote: > > Just shut up.

Re: tmpfs

2016-07-30 Thread mxb
Missed "CC all" last time. You or any other actually answered my questions. Your “jumps” are as usual. I understand that best way to defend is to actually attack. This kind of answer I received is expected. I could add more to this mail, but I’d rather not. > On 29 juli 2016, at 23:04, Theo de

Re: tmpfs

2016-07-29 Thread mxb
Are there any “gatekeepers” around the code? I thought “tech” was the best place to release questionable code? //mxb > On 29 juli 2016, at 18:14, Theo de Raadt <dera...@openbsd.org> wrote: > > Because the code quality is crap.

Re: ipsec routing issues

2016-06-16 Thread mxb
Hey, to begin with, it would be nice to see output from ‘netstat -rn’ before you started adding/deleting routes. //mxb > On 15 juni 2016, at 22:56, rizz2pro <rizzz2...@gmail.com> wrote: > > Hi, im not sure if this is some kind of bug or by design but I thought > i would ask.

dhcp-class-identifier in dhclient

2016-04-16 Thread mxb
Hey, is there any reason for not setting dhcp-class-identifier by default in dhclient? My guess is that this is probably not mandatory? //mxb

relayd: high CPU usage by one or two proc. of many

2016-02-24 Thread mxb
: Question if there is anything else can be done to trace this down? Br //mxb

Re: bgpd in snapshot from 4 feb.

2016-02-07 Thread mxb
I actually run sysmerge. It added new users/groups, updated certs. Rest of configs I merged. Seen nothing about rc-scripts. > On 7 feb. 2016, at 22:01, Claudio Jeker <cje...@diehard.n-r-g.com> wrote: > > On Sun, Feb 07, 2016 at 07:53:01PM +0100, mxb wrote: >> Hey, >

bgpd in snapshot from 4 feb.

2016-02-07 Thread mxb
Hey, bgpd from snap of 4 feb. fails to start (according to rc): shell# /etc/rc.d/bgpd start bgpd(failed) shell# ps aux|grep bgp _bgpd11880 0.0 0.0 1220 1804 ?? Sp 7:46PM0:00.02 bgpd: session engine (bgpd) _bgpd11350 0.0 0.0 920 1816 ?? Sp 7:46PM0:00.02 bgpd:

Re: panic: mtx_enter: locking against myself

2016-02-06 Thread mxb
I was unable to trigger this with OpenBSD 5.9 (GENERIC.MP) #1869: Thu Feb 4 09:50:59 MST 2016 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP //mxb > On 5 feb. 2016, at 19:12, mxb <m...@alumni.chalmers.se> wrote: > > > Any one from @devs have

Re: panic: mtx_enter: locking against myself

2016-02-05 Thread mxb
Anyone from @devs have time to pick it up? This is a new env., so I have time to investigate. Access can be provided on a need basis. //mxb > On 4 feb. 2016, at 15:46, mxb <m...@alumni.chalmers.se> wrote: > > Found it in dmesg buffer: > > Stopped at Debugger+0x9:

Re: panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
I was able to re-produce this panic with similar stack trace. Unfortunately 'trace/show regs/ps' are not in txt format, but are screenshots. //mxb > On 4 feb. 2016, at 12:42, mxb <m...@alumni.chalmers.se> wrote: > > > Hey, > see those again on 5.8-STABLE. > > This is

panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
Hey, see those again on 5.8-STABLE. This is a 2-node CARP setup within VMWare ESX. Both machines are rebooting after this and it happens quite often. Any ideas? panic: mtx_enter: locking against myself Starting stack trace... panic() at panic+0x10b mtx_enter() at mtx_enter+0x60 sofree() at

Re: panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
0x14200 bored systqmp 16058 0 0 0 3 0x14200 bored systq 15954 0 0 0 3 0x40014200idle0 1 0 1 0 30x82 wait init 0 -1 0 0 3 0x10200 scheduler swapper > On 4 feb. 2016

Re: ipsec between three networks

2016-01-27 Thread mxb
OSPF is not right protocol if you scale to more than 3 sites and want influence routing. BGP will do a better job in this situation. > On 27 jan. 2016, at 03:39, Dewey Hylton wrote: > > my current working configuration has 3 sites; each site is connected to the > others,

Re: Downgrade from 5.8-current to 5.8 release

2015-11-01 Thread mxb
-current. Also it depends on how far from -release your -current is. As far you are then more is not compatible any more and more problems you’ll get while reverting. Most easiest way is to collect all configs and to install from scratch. //mxb > On 1 nov. 2015, at 14:38, Adam Wysocki

Re: iked ikev2 x509 authentication problem - no valid local certificate found

2015-10-01 Thread mxb
http://marc.info/?l=openbsd-tech&m=144362542514318&w=2 > On 1 okt. 2015, at 21:25, Rob wrote: > > Hi, > > I’m a little stuck getting two different clients connected to my OpenBSD > 5.7 (i386) VPN ikev2 server.

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-24 Thread mxb
Looks like I found the root cause. At least it is stable as it is supposed to be. I need to reproduce this in lab before making next move. //mxb > On 17 sep. 2015, at 10:35, mxb <m...@alumni.chalmers.se> wrote: > > > Hey, > getting panics with 5.8-STABLE kernel. > >

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
igured "Intel E5 v3 Hot Plug" rev 0x02 at pci10 dev 5 function 1 not configured "Intel E5 v3 Error Reporting" rev 0x02 at pci10 dev 5 function 2 not configured "Intel E5 v3 I/O APIC" rev 0x02 at pci10 dev 5 function 4 not configured uhub3 at uhub0 port 14 "vendor 0x product 0x0001" rev 2.00/0.00 addr 2 uhub3: device problem, disabling port 1 uhub4 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.05 addr 2 uhub5 at uhub2 port 1 "Intel Rate Matching Hub" rev 2.00/0.05 addr 2 vscsi0 at root scsibus3 at vscsi0: 256 targets softraid0 at root scsibus4 at softraid0: 256 targets root on sd0a (a6bfac843655c015.a) swap on sd0b dump on sd0b carp: pfsync0 demoted group carp by 32 to 160 (pfsync init) carp: pfsync0 demoted group pfsync by 32 to 32 (pfsync init) carp: pfsync0 demoted group carp by 1 to 161 (pfsync bulk start) carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start) carp1: state transition: BACKUP -> MASTER carp302: state transition (vhid 40): BACKUP -> MASTER carp0: state transition: BACKUP -> MASTER carp302: state transition (vhid 30): BACKUP -> MASTER carp1: state transition: MASTER -> BACKUP carp302: state transition (vhid 40): MASTER -> BACKUP carp0: state transition: MASTER -> BACKUP carp302: state transition (vhid 30): MASTER -> BACKUP carp: pfsync0 demoted group carp by -1 to 32 (pfsync bulk done) carp: pfsync0 demoted group pfsync by -1 to 32 (pfsync bulk done) carp: pfsync0 demoted group carp by -32 to 0 (pfsync init) carp: pfsync0 demoted group pfsync by -32 to 0 (pfsync init) carp1: state transition: BACKUP -> MASTER carp302: state transition (vhid 40): BACKUP -> MASTER > On 17 sep. 2015, at 10:56, k...@kurawa.no-ip.org wrote: > > On Thu, 17 Sep 2015 10:35:46 +0200 > mxb <m...@alumni.chalmers.se> wrote: > >> getting panics with 5.8-STABLE kernel. >> > 5.8-STABLE not released yet. you mean 5.8-CURRENT?

5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
Hey, getting panics with 5.8-STABLE kernel. panic: mix_enter: locking against myself Starting stack trace… panic() at panic+0x10b mtx_enter() at mtx_enter+0x60 sofree() at sofree+0xa0 in_pcbdetach() at in_pcbdetach+0x40 tcp_close() at tcp_close+0xad tcp_timer_2msl() at tcp_timer_2msl+0x90

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
in ?? () #2 0x0005 in ?? () #3 0x8135e990 in sd_flush () Previous frame inner to this frame (corrupt stack?) Any ideas? > On 17 sep. 2015, at 10:35, mxb <m...@alumni.chalmers.se> wrote: > > > Hey, > getting panics with 5.8-STABLE kernel. > > panic:

Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
<s...@spacehopper.org> wrote: > > On 2015-09-17, mxb <m...@alumni.chalmers.se> wrote: >> Hey, >> getting panics with 5.8-STABLE kernel. >> >> panic: mix_enter: locking against myself >> Starting stack trace… >> panic() at panic+0x10b >> mtx_enter

Re: nsd configuration problem

2015-06-25 Thread mxb
Good that you solved your problem. I've done same work as you by converting from bind to nsd+unbound. The hard way via digging Google and trying out. You got lucky with shortcut ;) //mxb On 2015-06-25 21:22, Andrew Daugherity wrote: On Wed, Jun 24, 2015 at 1:06 PM, Graham Stephens gra

ifconfig carp30 state backup

2015-06-23 Thread mxb
and then returns to MASTER. advskew is 100 on the second node. Question is if it is expected behavior? According to man I can force it to become BACKUP on the first node. Br //mxb

Re: AMD64 Snapshot Issues

2015-06-17 Thread mxb
This is how it goes with snaps. You should not complain. If team managed to build it, it does not mean that it IS stable. I've been in this situation several times. There is no one to blame. You should either stay away from snaps or be prepared to fix problems by yourself. Br //mxb Sent from my

Re: tls with relayd (on 5.7) and key without password

2015-05-03 Thread mxb
Try to create symlink in /etc/ssl/private. ln -s mydomain.org.key 1.2.3.4.key, where “1.2.3.4” is your address in $ext_addr. //mxb On 3 maj 2015, at 13:04, Comète com...@daknet.org wrote: Hi, my tls key has no password and i already use it for other stuff, so i try

Re: relayd crashes often

2015-04-29 Thread mxb
this problem as well. So diff is applied on top of -current on a backup node. Let’s see how it runs from now on. I was running old, post 5.6 snapshot. //mxb

Re: IPSec and Cisco peers

2015-04-07 Thread mxb
Run isakmpd with ‘-L’ and then tcpdump -n -vs 1440 -r /var/run/isakmpd.pcap and see what is going on. //mxb On 7 apr 2015, at 19:29, jean-yves boisiaud jean-yves.boisi...@alcor-consulting.fr wrote: Hello Alexander, Thank you for your help. The problem is that I do not have any access

Re: l2pt traffic forwarding

2015-04-01 Thread mxb
You done the routing on the client side? Client, after connecting to L2TP, should know how to reach your internal network where web3 lives. //mxb On 31 mar 2015, at 23:17, Predrag Punosevac punoseva...@gmail.com wrote: Hi Misc, Thanks to several kind fox I got L2PT server to work like

Re: can't ping CARP interfaces

2015-03-29 Thread mxb
Probably your PF rules. put in ‘pass quick proto icmp’. On 28 mar 2015, at 00:59, David Newman dnew...@networktest.com wrote: Greetings. In preparation for upgrading two CARP+pfsync boxes to 5.6/i386, I put together a lab network to test new firewall rules. Topology is pretty simple:

Re: httpd tls - what am i missing?

2015-03-26 Thread mxb
On 25 mar 2015, at 23:44, Theodore Wynnychenko t...@uchicago.edu wrote: Thank you for the suggestion. I was not aware of pound. I’d rather go for relayd. Which is out of the box. No need to install “yet another port and make sure it is up2date”. //mxb

Re: OpenBSD 5.5 ISAKMPD

2015-01-16 Thread mxb
Hey, You probably want to start with ipsec.conf(5). isakmpd.conf is generated out of ipsec.conf. I think people running 5.4+ don’t even use it any more. Br //mxb On 16 jan 2015, at 21:22, Motty Cruz motty.c...@gmail.com wrote: Hello All, I'm trying to setup IPSec Tunnel using

Re: Dell R630 high interrupts on acpi0

2014-12-17 Thread mxb
On 16 dec 2014, at 06:40, David Gwynne da...@gwynne.id.au wrote: others have hit this on r620s as well I don’t see it on mine. interrupt total rate irq0/clock 9587998940 1599 irq0/ipi136166514 22 irq144/acpi0

OpenSMTPD: SMTP_LIMIT_MAIL and SMTP_LIMIT_RCPT

2014-12-08 Thread mxb
Hello @list, are there any plans for those constants to be configurable via smtpd.conf? //mxb

Re: OpenBSD 5.6/current on Soekris 6501-70

2014-12-08 Thread mxb
We have exactly this model. tcpbench from base gave only around 340Mbit/s on those. So CPU is probably one problem on those boards. tcpbench done against 1U machines with better CPU and doing almost line rate on 1G NIC. //mxb On 8 dec 2014, at 00:53, Martin Hanson greencopperm...@yandex.com

Re: OpenSMTPD: SMTP_LIMIT_MAIL and SMTP_LIMIT_RCPT

2014-12-08 Thread mxb
We do a lot of bulk mails and not via local smtp, eg. PHP-code talks directly to opensmtpd. opensmtpd used as internal relay/smart host. I had to higher limits for those two in order to escape 452 4.5.3 Too many recipients: Too many messages sent “ //mxb On 8 dec 2014, at 11:14, Gilles

Re: Squid configuration

2014-12-03 Thread mxb
echo "max_filedescriptors 4096" >> /etc/squid/squid.conf On 3 dec 2014, at 04:07, Einfach Jemand rru@gmail.com wrote: Am 03.12.2014 03:55, schrieb Steve Shockley: On 12/2/2014 8:49 PM, Einfach Jemand wrote: Hmm, I checked on one of my boxen and there /etc/passwd has _squid

Re: Keyboard through IPMI lag/skipping keys

2014-10-12 Thread mxb
Tried upgrade to a newer IPMI firmware? On 13 okt 2014, at 02:11, Justin Winch flas...@hotmail.com wrote: I have a very irritating problem with the keyboard lag through IPMI on a supermicro X9DRT. If i install centos I do not have the lag/missed keystrokes and also I do not have this

Re: amd64 snapshot from Sep 17 - isakmpd drops fifo

2014-09-25 Thread mxb
Looks like an old OpenBSD 5.0 install caused this problem. isakmpd is stable as soon as 5.0 - 5.6 . //mxb On 22 sep 2014, at 23:23, mxb m...@alumni.chalmers.se wrote: Hey, isakmpd seems to lose its FIFO-file in the snapshot from Sep17 [fw1]-[23:16:35]# ipsecctl -f /etc/ipsec.conf

Re: Sponsorship offer

2014-09-22 Thread mxb
Hey, all relevant info can be found at http://www.openbsd.org/ or at http://www.openbsd.org/donations.html or at http://www.openbsdfoundation.org/ //mxb On 20 sep 2014, at 00:27, Gurkan Mercan

amd64 snapshot from Sep 17 - isakmpd drops fifo

2014-09-22 Thread mxb
? OpenBSD fw1 5.6 GENERIC.MP#383 amd64 //mxb

Re: Can OpenBSD access BBC Iplayer?

2014-09-05 Thread mxb
BBC is propaganda, any way. Why should you watch this?! On 4 sep 2014, at 13:49, Anthony Campbell a...@acampbell.org.uk wrote: On 04 Sep 2014, Anthony Campbell wrote: On 03 Sep 2014, David Coppa wrote: Thanks. I'm not using -current at the moment (I'm too new to OpenBSD) so I'd better

Re: troubleshooting carp

2014-08-14 Thread mxb
What switch do you have? “advbase 20” and “advskew 100” means that you’ll have to wait 20+ sec in order to see announcement in tcpdump. Are you sure you have waited enough? //mxb On 14 aug 2014, at 16:37, Stefan Olsson stur...@hotmail.com wrote: Hi Misc, I am having problems with setting up

Re: troubleshooting carp

2014-08-14 Thread mxb
You should show configuration from the other side too. You’ll have to start your troubleshooting from the base, eg. can you ping node2 from node1? //mxb On 14 aug 2014, at 20:36, Stefan Olsson stur...@hotmail.com wrote: From: stur...@hotmail.com To: m...@alumni.chalmers.se CC: misc

Re: l2tp / ipsec follow up

2014-07-28 Thread mxb
your cable modem. Nor services (ex. dhcpd) running inside. And then you get connection problems, you’ll look for a problem and will end up in resetting/rebooting several devices(modem, openbsd-box). //mxb On 27 jul 2014, at 22:58, Gordon Turner tur...@ftn.net wrote: The OpenBSD ip (192.168.2.232

Re: l2tp / ipsec issue

2014-07-25 Thread mxb
Probably, but you can play with ipsec-config and send your results over here. On 24 jul 2014, at 13:23, Stefan Krueger stadtki...@gmx.de wrote: In mailing.openbsd.misc, you wrote: the public_ip in your ipsec.conf should be the external ip of your router, not the openbsd box. other setup

Re: l2tp / ipsec issue

2014-07-22 Thread mxb
\ quick auth hmac-sha1 enc aes \ psk "P4SSWORD" \ tag rwarrior This setup is on 5.4-current //mxb On 22 jul 2014, at 13:05, chenghan tv chenghan...@gmail.com wrote: OpenBSD L2TP/IPSec will work behind a Linux NAT port forwarding with iptables, based on my previous experience. iOS

Re: l2tp / ipsec issue

2014-07-22 Thread mxb
pool-address in the same subnet may not work as you expect it. proxyarp needed. at least I’ve seen a discussion regarding this, so I have separate network for vpn-clients. This might have changed. framed-ip-address - yes, it should be within subnet range used for l2tp-clients //mxb On 22 jul

Re: l2tp / ipsec issue

2014-07-21 Thread mxb
I’d made cable modem act as bridge and let OpenBSD handle public IP/firewall (guessing it is DHCP). In this setup you’d eliminate this extra device with forwarding ports and simplified debugging. //mxb On 21 jul 2014, at 02:35, Gordon Turner tur...@ftn.net wrote: Hey List, I am trying

Re: Poor CARP Interface Performance with NAT

2014-01-21 Thread mxb
Your PF rules are needed too for this. On 22 jan 2014, at 00:51, Gabriel Kuri gk...@ieee.org wrote: I am running obsd 5.4 as my NAT router. I decided to setup a second obsd box and run carp between the two for the external NATed interface (facing the ISP). After I setup everything and switched

Re: Is it possible to track bandwidth usage of different VPN accounts using PF?

2014-01-10 Thread mxb
You can setup RADIUS, make users authenticate against it and assign IP stored in RADIUS srv. Then use pflow(4) to account. This is just theory. On 10 jan 2014, at 16:33, Some Developer someukdevelo...@gmail.com wrote: I have a VPN server configured using L2TP and IPSec. Clients authenticate

Re: BCM5719/20 or I350

2014-01-07 Thread mxb
On 6 jan 2014, at 22:44, Hrvoje Popovski hrv...@srce.hr wrote: On 5.1.2014. 17:10, mxb wrote: I have I350 on several machines and haven’t seen any problems. Do you have vlans or trunk on I350? Could you share some numbers like bps or pps? Tnx for info.

Re: BCM5719/20 or I350

2014-01-05 Thread mxb
I have I350 on several machines and haven’t seen any problems. On 5 jan 2014, at 12:18, Hrvoje Popovski hrv...@srce.hr wrote: Hello, I need to upgrade my OpenBSD firewalls and have chance to buy HP DL360p G8 or Supermicro 5017R-WRF. Which card is better or more stable for firewalling

Re: VPN Between OpenBSD and iOS

2014-01-04 Thread mxb
from L2TP authenticated by RADIUS to tun0 //mxb On 4 jan 2014, at 02:09, Matt Carlson obsda0...@mpcarlson.com wrote: mxb, I tried that and I'm getting the same results. Any other ideas? What does your npppd.conf look like? Thanks, Matt On Fri, Jan 3, 2014 at 8:03 AM, mxb m

Re: VPN Between OpenBSD and iOS

2014-01-03 Thread mxb
I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release). My ipsec.conf for L2TP is this: ike passive esp transport \ proto udp from $local_gw to any port 1701 \ main auth hmac-sha1 enc 3des group modp1024 \ quick auth hmac-sha1 enc aes \

Re: relayd - sporadic high CPU usage

2013-11-27 Thread mxb
Could you point to the right commit in cvs? //mxb On 26 nov 2013, at 20:42, Chris Cappuccio ch...@nmedia.net wrote: There was a bug fixed in 5.4-current which may cause behavior like this i believe mxb [m...@alumni.chalmers.se] wrote: Hello list, I have a pair of pre-5.4 in master

relayd - sporadic high CPU usage

2013-11-25 Thread mxb
start to consume CPU as well. Notable thing is that I’ve seen this on 5.3 as well. Any ideas where to dig? //mxb

Re: carp+pfsync+relayd question

2013-11-18 Thread mxb
Output for 'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.inet.ip.ifq' would be nice to see. //mxb On 18 nov 2013, at 04:20, Leonardo Santagostini lsantagost...@gmail.com wrote: Sorry, looking more detailed at the logs i found this: /var/log/daemon Nov 17 18:36:12 v-arcbabalancer01

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
15 sites and only 9? I’d put around 50 (and have). You might need even more. On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com wrote: set limit states 9

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
Put all of those into the same “relay { }” as they are going to the same forward table. relay { listen on addr1 port 80 listen on addr2 port 80 etc…. } or you’ll end up doing “check http” several times. and I’d do just simple “check tcp” - faster. On 14 nov 2013, at

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
No, it is number of currently active sessions for this particular relay. Eg. 502 “users”. On 14 nov 2013, at 21:59, Andy Lemin a...@brandwatch.com wrote: Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds like an error return from nginx/apache etc. could be a direct server

Re: Dell servers

2013-10-11 Thread mxb
I have couple of R620 in production with ix(4) as 10G NICs. You might want to disable cores you don't need and HTT (I've done it half way). No problems so far. Below is an old dmesg with HTT disabled (else it shows up 16 cores). OpenBSD 5.3 (GENERIC.MP) #55: Fri Mar 1 09:13:04 MST 2013

Re: Sorry OpenBSD people, been a bit busy

2013-10-07 Thread mxb
I'd turn this to police and tried to make Twitter to shut down this account. On 7 okt 2013, at 02:48, dera...@cvs.openbsd.org wrote: Well, at the end of 2007 someone decided to open an impersonation account on twitter in my name, and start sending a mix of things I have said (see wikiquote

Broken IPSec tunnels with latest snapshot

2013-10-01 Thread mxb
message_send_expire(0x2088b5700) 141945.886909 Timr 10 timer_handle_expirations: event message_send_expire(0x2088b5500) 141945.887028 Timr 10 timer_handle_expirations: event message_send_expire(0x20ec11a00) 141945.887225 Timr 10 timer_handle_expirations: event message_send_expire(0x20ec11800) //mxb

Re: how to compare ipsec.conf and isakmpd.conf settings?

2013-09-26 Thread mxb
As naddy@ answered this already for ipsec outgoing address translation question on this list, 'ipsecctl -nv' is the right way to go. //mxb On 26 sep 2013, at 18:04, Daniel Polak dan...@sys.nl wrote: On a computer running OpenBSD 5.3 system I am migrating from an isakmpd.conf based

Re: OSPF ABR/ASBR issue

2013-09-24 Thread mxb
As you can see, this setup works without any patch. I tested to remove lo1 and see if routes to carped nets disappear. No luck. Routes are there. //mxb On 24 sep 2013, at 11:08, Kapetanakis Giannis bil...@edu.physics.uoc.gr wrote: On 24/09/13 12:02, Kapetanakis Giannis wrote: Without this patch

Re: ipsec outgoing address translation question

2013-09-16 Thread mxb
It is possible to achieve this via pf.conf. Sorry, no example, as this was done long time ago and for testing only. On 16 sep 2013, at 12:55, Christoph Leser le...@sup-logistik.de wrote: Hello, with ipsecctl I can configure outgoing address translation in ipsec.conf like this:

relayd: Is it safe to rise RELAY_MAX* limits

2013-09-10 Thread mxb
Hello list, how safe is it to rise limits in relayd.h? #define RELAY_MAX_SESSIONS 1024 #define RELAY_MAXPROC 32 #define RELAY_MAXHOSTS 32

Re: relayd: Is it safe to rise RELAY_MAX* limits

2013-09-10 Thread mxb
Discarded. :) On 10 sep 2013, at 12:13, mxb m...@alumni.chalmers.se wrote: Hello list, how safe is it to rise limits in relayd.h? #define RELAY_MAX_SESSIONS1024 #define RELAY_MAXPROC 32 #define RELAY_MAXHOSTS32

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread mxb
, then you'll have to divide this number with 2(avrg. and not precise number). So, per port on X540-T2, you have maximum 3Gbit/s. in theory, if both ports used and have avrg. the same amount of traffic. if not both - 6Gbit/s Correct me if I'm wrong. //mxb On 9 aug 2013, at 03:35, John Jasen jja

Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-07 Thread mxb
You might want to pull in 5.4-current instead. One you have is not that current any more. :) On 7 aug 2013, at 16:26, Maxim Khitrov m...@mxcrypt.com wrote: Hi all, I'm looking for performance measuring and tuning advice for 10 gigabit Ethernet. I have a pair of Lanner FW-8865 systems that

Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread mxb
I use OSPFd on each OpenBSD firewall I deploy. This way you get access to all machines on the remote LAN, including firewall itself. and you don't have to maintain routing manually. //mxb On 4 jul 2013, at 16:25, Andy a...@brandwatch.com wrote: On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren
