Re: Ubiquiti EdgeRouter X (ER-X) OpenBSD Installation
On Tue, Feb 23, 2021 at 06:31:19AM +, Conrad Douglas wrote:
> Hi Misc,
>
> I have an Ubiquiti ER-X which I'm trying to install OpenBSD current on.
>
> I'm serving bsd.rd which I downloaded from snapshots/octeon (via TFTP).
>
> When I try booting the device with bsd.rd, I'm getting an error like "Bad
> Magic Number,7F454C46"

The ER-X is not an octeon-based machine, so this won't work. MT7621 is a 32-bit MIPS CPU.
Re: Bufferbloat, FQ-CoDel, and performance
> On Feb 22, 2021, at 8:51 PM, Steven Shockley wrote:
>
> I have OpenBSD 6.8 running on a Dell R210-II acting as a firewall/router. To
> combat bufferbloat I tried implementing FQ-CoDel queueing. The WAN bandwidth
> is advertised as 940 Mbit/sec down and 840 Mbit/sec up.
>
> I've tried adding one or the other of these lines to my pf.conf:
>
> queue outq on $ext_if flows 1024 bandwidth 1024M max 1024M qlimit 1024 default
> or
> queue outq on $ext_if flows 1024 qlimit 1024 default
>
> In both cases, upload speeds drop from ~800 Mbit/sec to < 100 Mbit/sec.
> Changing the 1024M to other values makes little or no difference. To be
> fair, bufferbloat does improve, but that's quite a hit. I'm measuring using
> the dslreports.com speed test via wired ethernet through a Cisco 3750x.
>
> One possible complexity is that the internal interface is tagged VLANs, but
> if it were an MTU issue I'd expect it to affect performance across the board.
>
> Any suggestions? I'm happy to post dmesg/pf.conf/diagrams if they'd help.
> Thanks.

Hi,

I have a connection with similar bandwidth. I don't have a solution for your problem but want to make one suggestion: don't use a line like your first one. pf ignores "flows" when the queue also specifies min/max bandwidth, so you won't end up using FQ-CoDel. Do something like this instead to get the benefit of capping upload bandwidth and also using FQ-CoDel:

queue outq_parent on $ext_if bandwidth 760M max 800M
queue outq parent outq_parent bandwidth 760M flows 1024 qlimit 1024 default

I found I had better results capping upload bandwidth at 10% below my connection's stated amount (880M in my case).

Best,
Brian
Ubiquiti EdgeRouter X (ER-X) OpenBSD Installation
Hi Misc,

I have an Ubiquiti ER-X which I'm trying to install OpenBSD current on.

I'm serving bsd.rd which I downloaded from snapshots/octeon (via TFTP).

When I try booting the device with bsd.rd, I'm getting an error like "Bad Magic Number,7F454C46"

Getting bsd.rd:

MT7621 # tftpboot 0 bsd.rd
Trying Eth0 (10/100-M)
ETH_STATE_ACTIVE!!
TFTP from server 10.10.12.37; our IP address is 10.10.12.146
Filename 'bsd.rd'.
TIMEOUT_COUNT=10,Load address: 0x0
Loading: Got ARP REPLY, set server/gtwy eth addr (00:30:18:cf:6f:b8)
Got it
# # # # # # # # # # # # # # # # # # # # # # # # # # ##
done
Bytes transferred = 8865181 (87459d hex)
NetBootFileXferSize= 0087459d
MT7621 #

Booting from bsd.rd:

MT7621 # bootm
## Booting image at ...
Bad Magic Number,7F454C46
---

Device has U-Boot 1.1.3.

MT7621 # version
U-Boot 1.1.3 (UBNT Build Version: e50_001_1e49c) (Jul 27 2018 - 04:44:52)
MT7621 #

Env. Variables:

MT7621 # printenv
bootcmd=tftp
bootdelay=1
baudrate=57600
BootType=3
autostart=no
bootfile=vme50
stdin=serial
stdout=serial
stderr=serial
ethaddr=18:e8:29:2f:59:76
bootargs=console=ttyS1,57600n8 ubi.mtd=7 root=ubi0_0 rootfstype=ubifs rootsqimg=squashfs.img rootsqwdir=w rw
filesize=87459d
fileaddr=0
gatewayip=10.10.12.1
netmask=255.255.255.0
ipaddr=10.10.12.146
serverip=10.10.12.37

Environment size: 366/4092 bytes
MT7621 #

Available commands:

MT7621 # ?
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
i2ccmd  - read/write data to eeprom via I2C Interface
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio    - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
nand    - nand command
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv  - set environment variables
spi     - spi command
tftpboot- boot image via network using TFTP protocol
ubntw   - ubntw command
urescue - start TFTP server and wait for firmware
version - print monitor version
MT7621 #
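An added example, not code from this thread, from OpenBSD or from U-Boot, that shows what U-Boot is actually complaining about. bootm only accepts a legacy uImage, whose first word is the magic 0x27051956; a raw bsd.rd is an ELF file, and its first four bytes 7F 45 4C 46 are exactly the word the "Bad Magic Number" message prints. The classifier below reads that first word and, for an ELF, also the EI_CLASS, EI_DATA and e_machine fields, which is what decides whether a kernel matches the target CPU at all (an OpenBSD/octeon kernel is a 64-bit MIPS ELF; the MT7621 in the ER-X is a 32-bit MIPS core). The two sample headers are constructed for the example and are not bytes from a real bsd.rd or firmware image.

```c
/*
 * Added example: classify the head of a boot image the way U-Boot's bootm
 * looks at it, and decode enough of an ELF header to see whether the image
 * could match the target CPU. Sample headers are constructed, not real files.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UIMAGE_MAGIC 0x27051956u   /* IH_MAGIC: first word of a legacy uImage header */
#define ELF_EM_MIPS  8             /* e_machine value for MIPS (32- and 64-bit) */

enum img_kind { IMG_TOO_SHORT = -1, IMG_UNKNOWN = 0, IMG_UIMAGE = 1, IMG_ELF = 2 };

struct img_info {
    enum img_kind kind;
    uint32_t magic;        /* first four bytes as a big-endian word, as U-Boot prints them */
    int elf_64bit;         /* e_ident[EI_CLASS] == ELFCLASS64 */
    int elf_bigendian;     /* e_ident[EI_DATA]  == ELFDATA2MSB */
    unsigned e_machine;    /* ELF e_machine, decoded in the file's own byte order */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify the first bytes of an image; needs at least 20 bytes (through e_machine). */
enum img_kind classify_image(const uint8_t *buf, size_t len, struct img_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 20) {
        out->kind = IMG_TOO_SHORT;
        return out->kind;
    }
    out->magic = be32(buf);
    if (out->magic == UIMAGE_MAGIC) {
        out->kind = IMG_UIMAGE;             /* the header bootm expects */
    } else if (memcmp(buf, "\x7f" "ELF", 4) == 0) {
        out->kind = IMG_ELF;                /* raw kernel: bootm rejects it */
        out->elf_64bit = (buf[4] == 2);     /* EI_CLASS: 1 = 32-bit, 2 = 64-bit */
        out->elf_bigendian = (buf[5] == 2); /* EI_DATA: 1 = little, 2 = big endian */
        /* e_machine is a 16-bit field at offset 18 in the file's byte order */
        out->e_machine = out->elf_bigendian
            ? (((unsigned)buf[18] << 8) | buf[19])
            : (((unsigned)buf[19] << 8) | buf[18]);
    } else {
        out->kind = IMG_UNKNOWN;
    }
    return out->kind;
}

/* Constructed sample (not a real bsd.rd): the first 20 bytes of a 64-bit,
 * big-endian MIPS ELF, i.e. the shape of an OpenBSD/octeon kernel. After the
 * 16-byte e_ident come e_type (2 = ET_EXEC) and e_machine (8 = MIPS). */
static const uint8_t sample_octeon_like_elf[20] = {
    0x7f, 'E', 'L', 'F', 2, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x02, 0x00, 0x08
};

/* Constructed sample: the start of a uImage header (magic only, rest zeroed). */
static const uint8_t sample_uimage[20] = {
    0x27, 0x05, 0x19, 0x56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    struct img_info info;

    classify_image(sample_octeon_like_elf, sizeof sample_octeon_like_elf, &info);
    printf("first word %08X: %s, %s-bit, %s-endian, e_machine %u\n",
        info.magic, info.kind == IMG_ELF ? "ELF" : "not ELF",
        info.elf_64bit ? "64" : "32", info.elf_bigendian ? "big" : "little",
        info.e_machine);
    /* prints: first word 7F454C46: ELF, 64-bit, big-endian, e_machine 8 */

    classify_image(sample_uimage, sizeof sample_uimage, &info);
    printf("first word %08X: %s\n", info.magic,
        info.kind == IMG_UIMAGE ? "uImage header" : "not a uImage");
    return 0;
}
```

The first line of output reproduces the 7F454C46 from the U-Boot log, and the decoded class shows the second problem the reply points at: even wrapped in a uImage header, a 64-bit octeon kernel is not something a 32-bit MT7621 core can run.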
Re: Bufferbloat, FQ-CoDel, and performance
On Mon, Feb 22, 2021 at 08:51:32PM -0500, Steven Shockley wrote:
> I have OpenBSD 6.8 running on a Dell R210-II acting as a firewall/router.
> To combat bufferbloat I tried implementing FQ-CoDel queueing. The WAN
> bandwidth is advertised as 940 Mbit/sec down and 840 Mbit/sec up.
>
> I've tried adding one or the other of these lines to my pf.conf:
>
> queue outq on $ext_if flows 1024 bandwidth 1024M max 1024M qlimit 1024
> default
> or
> queue outq on $ext_if flows 1024 qlimit 1024 default
>
> In both cases, upload speeds drop from ~800 Mbit/sec to < 100 Mbit/sec.
> Changing the 1024M to other values makes little or no difference. To be
> fair, bufferbloat does improve, but that's quite a hit. I'm measuring using
> the dslreports.com speed test via wired ethernet through a Cisco 3750x.
>
> One possible complexity is that the internal interface is tagged VLANs, but
> if it were an MTU issue I'd expect it to affect performance across the
> board.

Here is what I am doing.

First rule, apply queue only on a real interface, and not on a vlan interface.

Next, I have an ADSL uplink. My router has only one physical interface: re0. The router is connected to the ADSL modem via a vlan, and a pppoe0 session is built over the vlan. On the local network side, several vlans exist.

Using http://www.dslreports.com/speedtest/:
- download: 8.140 Mbit/s (90% = 7.326M)
- upload: 0.827 Mbit/s (90% = 0.744M)

I am applying queue on pppoe0 to control outgoing traffic, and queue on re0 to control the incoming traffic.

# on pppoe0 : outgoing traffic
queue rootq on pppoe0 bandwidth 0.744M max 0.744M
queue netq on pppoe0 parent rootq flows 1024 bandwidth 0.744M max 0.744M qlimit 32 default
queue guessq on pppoe0 parent rootq flows 1024 bandwidth 0.150M max 0.150M qlimit 32

# on re0 : incoming traffic
queue rootq on re0 bandwidth 1G max 1G
queue stdq on re0 parent rootq flows 1024 bandwidth 1G max 1G qlimit 1024 default
queue netq on re0 parent rootq flows 1024 bandwidth 7.362M max 7.362M qlimit 32
queue guessq on re0 parent rootq flows 1024 bandwidth 0.500M max 1.000M qlimit 16

and next, I am setting the queue to use using rules (please note I am using the "group" parameter on interfaces for the names like "guess", "internet" or "with_internet").

anchor "outgoing" out on internet received-on with_internet {
	pass out label "outgoing"
	match out set queue netq
	match out received-on guess set queue guessq
}

I hope it helps, even if my network speeds aren't comparable to yours :)

Thanks.
-- 
Sebastien Marie
Bufferbloat, FQ-CoDel, and performance
I have OpenBSD 6.8 running on a Dell R210-II acting as a firewall/router. To combat bufferbloat I tried implementing FQ-CoDel queueing. The WAN bandwidth is advertised as 940 Mbit/sec down and 840 Mbit/sec up.

I've tried adding one or the other of these lines to my pf.conf:

queue outq on $ext_if flows 1024 bandwidth 1024M max 1024M qlimit 1024 default
or
queue outq on $ext_if flows 1024 qlimit 1024 default

In both cases, upload speeds drop from ~800 Mbit/sec to < 100 Mbit/sec. Changing the 1024M to other values makes little or no difference. To be fair, bufferbloat does improve, but that's quite a hit. I'm measuring using the dslreports.com speed test via wired ethernet through a Cisco 3750x.

One possible complexity is that the internal interface is tagged VLANs, but if it were an MTU issue I'd expect it to affect performance across the board.

Any suggestions? I'm happy to post dmesg/pf.conf/diagrams if they'd help. Thanks.
Re: spamd vs IPv6
On Mon, Feb 22, 2021 at 06:28:29PM +, Nick Guenther wrote:
> February 22, 2021 1:22 PM, "Edgar Pettijohn" wrote:
>
> > Have you tried starting spamd with '-l ::1' to alter its address to bind
> > to?
>
> I hadn't! But it's no help:
>
> comms# /usr/libexec/spamd -l ::1 -d -v -G 15:4:864 -C
> /etc/letsencrypt/live/comms.kousu.ca/fullchain.pem -K
> /etc/letsencrypt/live/comms.kousu.ca/privkey.paranoid.pem
> spamd: getaddrinfo: no address associated with name
>

Looks like it's hardcoded to only support inet4.
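An added example, not spamd's own code, that reproduces the failure mode in C and shows the family-agnostic alternative. Resolving a listen address with an AF_INET hint makes getaddrinfo() reject "::1" before any socket is opened, which matches the error Nick got and the socket(AF_INET, ...) call he found in spamd.c; that spamd resolves the -l argument with exactly this hint is an assumption drawn from that evidence, not something the thread states. The second function takes the socket family from the resolved address instead of hard-coding it, so both loopback addresses work. Port 8025 and the two loopback addresses are sample input; AI_NUMERICHOST keeps the lookups offline.

```c
/*
 * Added example (not spamd's code): why an AF_INET-hinted listen-address
 * lookup rejects ::1, and the dual-stack form that does not.
 */
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Resolve a numeric listen address/port under a given address-family hint.
 * Returns 0 and stores the family getaddrinfo chose in *family_out, or the
 * non-zero getaddrinfo error code (printable with gai_strerror()).
 * AI_NUMERICHOST means DNS is never consulted.
 */
int resolve_listen(const char *addr, const char *port, int family_hint,
    int *family_out)
{
    struct addrinfo hints, *res;
    int error;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family_hint;      /* AF_INET, AF_INET6 or AF_UNSPEC */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;

    error = getaddrinfo(addr, port, &hints, &res);
    if (error != 0)
        return error;
    *family_out = res->ai_family;
    freeaddrinfo(res);
    return 0;
}

/* The family an address resolves to under a hint, or -1 when the lookup fails. */
int resolved_family(const char *addr, int family_hint)
{
    int family;

    if (resolve_listen(addr, "8025", family_hint, &family) != 0)
        return -1;
    return family;
}

/*
 * Family-agnostic listener: the socket family comes from the resolved
 * address, not from a hard-coded AF_INET, so "-l ::1" and "-l 127.0.0.1"
 * would both work. Returns a bound, listening fd, or -1 after printing why.
 */
int open_listener(const char *addr, const char *port)
{
    struct addrinfo hints, *res;
    int error, fd;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;

    if ((error = getaddrinfo(addr, port, &hints, &res)) != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(error));
        return -1;
    }
    fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd == -1 || bind(fd, res->ai_addr, res->ai_addrlen) == -1 ||
        listen(fd, 10) == -1) {
        perror(addr);
        if (fd != -1)
            close(fd);
        freeaddrinfo(res);
        return -1;
    }
    freeaddrinfo(res);
    return fd;
}

int main(void)
{
    const char *addrs[] = { "127.0.0.1", "::1" };
    int i, fd;

    for (i = 0; i < 2; i++) {
        int error, family;

        /* AF_INET hint: the assumed spamd behaviour; ::1 fails here */
        error = resolve_listen(addrs[i], "8025", AF_INET, &family);
        printf("AF_INET hint,   %-9s: %s\n", addrs[i],
            error ? gai_strerror(error) : "ok");
        /* AF_UNSPEC hint: the family follows the address */
        error = resolve_listen(addrs[i], "8025", AF_UNSPEC, &family);
        printf("AF_UNSPEC hint, %-9s: %s\n", addrs[i],
            error ? gai_strerror(error) :
            family == AF_INET6 ? "ok, AF_INET6" : "ok, AF_INET");
    }
    /* port "0" lets the kernel pick; fails cleanly on hosts without IPv6 loopback */
    if ((fd = open_listener("::1", "0")) != -1) {
        printf("dual-stack listener bound on [::1]\n");
        close(fd);
    }
    return 0;
}
```

As Nick notes, making the listener dual-stack is only the first step: the greylist database and the pf divert rules would also have to carry IPv6 addresses, which is why the socket change alone does not make spamd IPv6-capable.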
Re: 6.9-BETA Installer crash
Chris Cappuccio [ch...@nmedia.net] wrote:
> Chris Zakelj [c.zak...@ieee.org] wrote:
> >
> > Thanks! Now for a mixed-bag result. 5.6 and 5.5 both panic. 5.4 boots
> > (dmesg attached), but doesn't actually see the 1TB array (installer says
> > "Available disks are: none." I did get this curiosity after I escaped the
> > install shell and rebooted:
> >
>
> Looks like we have a problem with arc_marvell cards. I had one working
> but there may be different firmware, etc.
>
> Areca sent a newer patch to openbsd-tech in the last year or so which you
> should try:
>
> From: ching Huang
> Subject: [PATCH: sys/dev/pci/arc.c] update Areca Raid adapter driver arc.c
> for support ARC-1203, ARC-1884
>
> It's not clear if this changes the behavior on your card significantly.
>

Oh and here is where he supports the ARC 1200 rev B:

http://openbsd-archive.7691.n7.nabble.com/PATCH-sys-dev-pci-arc-c-update-Areca-Raid-adapter-driver-arc-c-for-support-ARC-1203-ARC-1884-td394610.html

It looks like the newer patch on openbsd-tech includes this plus newer.

Chris
Re: OpenIKED and Strongswan
On Mon, Feb 22, 2021 at 03:59:53PM +0100, Riccardo Giuntoli wrote:
> Ok. In the log you can appreciate.
>
> UK-HOST one OpenBSD machine connected to three openbsd, one mikrotik and
> one VyOS. The VyOS is CAT-HOST
>
> Kind regards

The log looks fine but it doesn't seem to contain the error message you sent earlier. Can you try reproducing the bug and then send a log containing the error message and everything that happened before?

>
> On Mon, Feb 22, 2021 at 12:02 PM Stuart Henderson wrote:
>
> > On 2021-02-22, Riccardo Giuntoli wrote:
> > > Ok I've got the same error on three different OpenBSD, tell me what error
> > > do you want or if you want an access.
> >
> > It would be a good start to run iked in the foreground with iked -vvd and
> > show the log from there.
> >
> >
>
> --
> Name: Riccardo Giuntoli
> Email: tag...@gmail.com
> Location: sant Pere de Ribes, BCN, Spain
> PGP Key: 0x67123739
> PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
> Key server: hkp://wwwkeys.eu.pgp.net

> create_ike: using signature for peer --FR--
> create_ike: using signature for peer
> ikev2 "--CAT-HOST--" passive transport esp proto gre inet from --UK-- to --CAT-- local --UK-- peer any ikesa enc aes-256 prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-256 group ecp256 childsa enc aes-256 auth hmac-sha2-256 group ecp256 esn,noesn srcid --UK-ID-- ikelifetime 86400 lifetime 3600 bytes 536870912 signature
> /etc/iked.conf: loaded 4 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1191
> ca_pubkey_serialize: type RSA_KEY length 270
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> ca_getkey: received private key type RSA_KEY length 1191
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> ca_reload: loaded ca file ca.crt
> ca_reload: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--CA-HOST--
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file --FR-HOST--.crt
> ca_reload: loaded cert file --UK-HOST--.crt
> config_getpolicy: received policy
> config_getpolicy: received policy
> config_getpolicy: received policy
> config_getpolicy: received policy
> config_getpfkey: received pfkey fd 3
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 15
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> ca_validate_cert: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--FR-HOST-- ok
> ca_validate_cert: /C=UK/ST=England/L=London/O=Telecom Lobby/OU=VPNC/CN=--UK-HOST-- ok
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xc5881d3ed32f5801: recv INFORMATIONAL req 4428 peer --FR--:500 local --UK--:500, 96 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xc5881d3ed32f5801 rspi 0xfcad33aa65954d8e
> ikev2_init_recv: unknown SA
> ikev2_init_ike_sa: initiating "--FR-HOST--"
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_add_proposals: length 68
> ikev2_next_payload: length 72 nextpayload KE
> ikev2_next_payload: length 104 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xf2043da59221143f 0x --UK--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xf2043da59221143f 0x --FR--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 310 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 72
> ikev2_pld_sa: more 0 reserved 0 length 68 proposal #1 protoid IKE spisize 0 xforms 7 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 104
> ikev2_pld_ke: dh group ECP_384 reserved 0
> ikev2_pld_payloads:
Re: 6.9-BETA Installer crash
Ohh... that's a pretty big diff, but my Marvell-based ARC-1200 is listed as affected, so it's certainly worth a shot. Now to dig in and teach myself how to patch and build releases against -CURRENT (might be a while before I come back with results)...

Chris

On 2/22/2021 1:40 PM, Chris Cappuccio wrote:
> Chris Zakelj [c.zak...@ieee.org] wrote:
> > Thanks! Now for a mixed-bag result. 5.6 and 5.5 both panic. 5.4 boots
> > (dmesg attached), but doesn't actually see the 1TB array (installer says
> > "Available disks are: none." I did get this curiosity after I escaped the
> > install shell and rebooted:
>
> Looks like we have a problem with arc_marvell cards. I had one working
> but there may be different firmware, etc.
>
> Areca sent a newer patch to openbsd-tech in the last year or so which you
> should try:
>
> From: ching Huang
> Subject: [PATCH: sys/dev/pci/arc.c] update Areca Raid adapter driver arc.c
> for support ARC-1203, ARC-1884
>
> It's not clear if this changes the behavior on your card significantly.
>
> Chris
Re: 6.9-BETA Installer crash
Chris Zakelj [c.zak...@ieee.org] wrote:
>
> Thanks! Now for a mixed-bag result. 5.6 and 5.5 both panic. 5.4 boots
> (dmesg attached), but doesn't actually see the 1TB array (installer says
> "Available disks are: none." I did get this curiosity after I escaped the
> install shell and rebooted:
>

Looks like we have a problem with arc_marvell cards. I had one working but there may be different firmware, etc.

Areca sent a newer patch to openbsd-tech in the last year or so which you should try:

From: ching Huang
Subject: [PATCH: sys/dev/pci/arc.c] update Areca Raid adapter driver arc.c for support ARC-1203, ARC-1884

It's not clear if this changes the behavior on your card significantly.

Chris
Re: spamd vs IPv6
February 22, 2021 1:22 PM, "Edgar Pettijohn" wrote:
> Have you tried starting spamd with '-l ::1' to alter its address to bind
> to?

I hadn't! But it's no help:

comms# /usr/libexec/spamd -l ::1 -d -v -G 15:4:864 -C /etc/letsencrypt/live/comms.kousu.ca/fullchain.pem -K /etc/letsencrypt/live/comms.kousu.ca/privkey.paranoid.pem
spamd: getaddrinfo: no address associated with name
Re: spamd vs IPv6
Have you tried starting spamd with '-l ::1' to alter its address to bind to?

Edgar

On Feb 22, 2021 10:11 AM, Nick Guenther wrote:
> July 1, 2020 7:34 AM, "Harald Dunkel" wrote:
>
> > Hi folks,
> >
> > spamd(8) still mentions 127.0.0.1, but no indication of IPv6 support.
> > Looking on Google for "openbsd spamd ipv6" gives me some entries of
> > 2015 and 2016, but no up-to-date information. Please excuse if I am
> > too blind to see.
> >
> > I am a big fan of spamd, but I wonder is spamd in a dead-end wrt IP
> > address families? Would you recommend "IPv4 only" for EMail?
>
> I was just wondering about this too! I can't see a clear answer anywhere
> online either.
>
> I went looking because I realized that
>
> # /etc/pf.conf
> pass in log proto tcp to any port smtp divert-to 127.0.0.1 port spamd
>
> was becoming
>
> # pfctl -s rules
> pass in log inet proto tcp from any to any port = 25 flags S/SA divert-to 127.0.0.1 port 8025
>
> I wondered where that `inet` was coming from. Eventually I realized that
> maybe pf was implying it from the divert-to, since, according to pf.conf(5):
>
> > divert-to [...] The packets will not be modified [...]
>
> so if a packet comes in as IPv4 (inet) it has to stay IPv4.
>
> I tried
>
> # /etc/pf.conf
> pass in log proto tcp to any port smtp divert-to 127.0.0.1 port spamd
> pass in log proto tcp to any port smtp divert-to ::1 port spamd
>
> and this became
>
> # pfctl -s rules
> pass in log inet proto tcp from any to any port = 25 flags S/SA divert-to 127.0.0.1 port 8025
> pass in log inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 port 8025
>
> However if I actually tried to connect via IPv6 (`nc -6 mail.myserver.com 25`)
> I just get an immediately closed connection, presumably because ::1:8025
> isn't open.
>
> Come to think of it, because spamd uses IP addresses to do its job, for
> this to happen the database format needs to be augmented to store the
> longer addresses, so it's not necessarily a simple change, and that's
> probably why it hasn't happened yet.
>
> I just double-checked by digging around in the code (which I am not
> finally experienced enough for, phew) and found:
>
> https://github.com/openbsd/src/blob/cf8f31167b4af5c8ea769ff3d8a5974a24fec6bb/libexec/spamd/spamd.c#L1427
>
> smtplisten = socket(AF_INET, SOCK_STREAM, 0);
>
> So yeah, it looks like it's still inet-only, no inet6 here.
>
> -Nick
Re: PC Engines APU2 Leds control
I have now made a pull request for an example on PC Engines' apu_gpio_lib GitHub repository of my LED server solution:

https://github.com/pcengines/apu_gpio_lib/pull/4

Maybe it should use unveil(2) and pledge(2), if I manage to figure out how to use them...

/ Raimo Niskanen

On Wed, Feb 17, 2021 at 11:53:31AM +0100, Raimo Niskanen wrote:
> I solved this problem a while ago using
> https://github.com/pcengines/apu_gpio_lib
> since gpio(4), that they linked to, only seems to work for APU1.
> I have no such device mentioned in dmesg(8) on my APU2,
> and gpioctl(8) says all /dev/gpio? devices are not configured.
>
> OpenBSD does not allow direct memory access in default securelevel(7),
> so I wrote a small daemon that I start from rc.securelevel(8) which
> reads one-byte commands from a fifo to control the LEDs.
>
> In my case ifstated(8) writes to the fifo to show status.
> This solution works just fine for me.
>
> Unfortunately the code is in a lousy state build-wise, so I need to clean
> it up and for example create a pull request for PCEngines' repository
> to add this daemon as an OpenBSD example. Even if they would not
> accept a pull request it would be published on my GitHub account...
>
> / Raimo Niskanen
>
>
> On Fri, May 08, 2020 at 09:43:38PM +0200, Sacha wrote:
> > Dear all,
> >
> > I'm enjoying OpenBSD on PC Engines hardware called APU2:
> > https://www.pcengines.ch/apu2.htm
> >
> > There are 3 LEDs, which could be very useful to deliver information to
> > the end users, but I never could control them with OpenBSD /o\
> >
> > Is there any way to make it work?
> >
> > On the PCEngines forum I got the following answer:
> >
> > > You cannot control the GPIOs on J20, because those are driven by
> > > a NCT5104D and wbsio(4) only supports hardware monitoring.
> > > The LEDs OTOH are on GPIOs of the AMD FCH. I am not a hardware guy, and
> > > OpenBSD seems to have a lot of drivers which attach - but probably none
> > > for those GPIOs.
> > > If you want to dig deeper, there is AMD documentation for the FCH and
> > > also a linux driver called "amd-fch-gpio"
> > >
> > > Update: There seems to be somebody, who worked on this a while ago on
> > > OpenBSD: https://marc.info/?l=openbsd-tech&m=155355977613046
> >
> >
> > Sacha.
>
> --
>
> / Raimo Niskanen, Erlang/OTP, Ericsson AB

--

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: OpenBSD NTFS experience
My latest issue with NTFS was that my external drive stopped responding and caused Thunar to hang. After this my entire session hung until I killed it with Ctrl+Alt+Backspace.

It seems the rsync data copy I did completed properly but the mount stopped responding after some time of the PC being unused. Any attempts to access the mounted directory caused a hang of the terminal or process.

I can now see with atactl that my USB hard drive supports power management and looks to be in standby mode when not in use. I am wondering if maybe the drive goes into standby or powers down and that causes the mount to stop working, or if it is a bug in NTFS-3G support or something else.

This time I am going to run ntfs-3g with the debug mode enabled in no_detach to determine if there are any errors when the drive is left connected but unused. It outputs the following on successful mount:

Version 2017.3.23 external FUSE 26
Mounted /dev/sd2i (Read-Write, label "SAMSUNG", NTFS 3.1)
Cmdline options: no_detach
Mount options: allow_other,nonempty,relatime,fsname=/dev/sd2i,blkdev,blksize=4096
Ownership and permissions disabled, configuration type 1

Regards
Ed Gray
https://www.linkedin.com/in/ed-gray-55079422

On Sun, 21 Feb 2021 at 19:15, Ed Gray wrote:
>
> Thanks for your reply Maurice,
>
> I tried the read-only driver on an earlier version maybe 6.6 and it crashed.
> I wasn't able to debug it myself but I suppose it could have been my external
> hard drive, the NTFS version or a particular file that caused that issue as
> it happened with a large data copy and a particularly large file (multiple
> GB).
>
> I'm finding poor performance with USB drives on 6.8 with a hard disk and a
> card reader. It could be ntfs-3g with the hard drive but the card is FAT32. I
> am wondering if it's to do with the default shm kernel variables or maxfiles
> and such. It causes various hangs in thunar file manager.
>
> I previously had increased shm variables because of a KDE application
> recommending it for lots of file accesses.
>
> I know ntfs-3g is using FUSE rather than a native driver.
>
> Regards
> Ed Gray
>
> On Sun, 21 Feb 2021, 6:51 pm Maurice McCarthy, wrote:
>>
>> Native read-only support is excellent.
>> I find writing with ntfs-3g quite a lot slower than native Windows
>> Best
Re: spamd vs IPv6
July 1, 2020 7:34 AM, "Harald Dunkel" wrote:
> Hi folks,
>
> spamd(8) still mentions 127.0.0.1, but no indication of IPv6 support.
> Looking on Google for "openbsd spamd ipv6" gives me some entries of
> 2015 and 2016, but no up-to-date information. Please excuse if I am
> too blind to see.
>
> I am a big fan of spamd, but I wonder is spamd in a dead-end wrt IP
> address families? Would you recommend "IPv4 only" for EMail?

I was just wondering about this too! I can't see a clear answer anywhere online either.

I went looking because I realized that

# /etc/pf.conf
pass in log proto tcp to any port smtp divert-to 127.0.0.1 port spamd

was becoming

# pfctl -s rules
pass in log inet proto tcp from any to any port = 25 flags S/SA divert-to 127.0.0.1 port 8025

I wondered where that `inet` was coming from. Eventually I realized that maybe pf was implying it from the divert-to, since, according to pf.conf(5):

> divert-to [...] The packets will not be modified [...]

so if a packet comes in as IPv4 (inet) it has to stay IPv4.

I tried

# /etc/pf.conf
pass in log proto tcp to any port smtp divert-to 127.0.0.1 port spamd
pass in log proto tcp to any port smtp divert-to ::1 port spamd

and this became

# pfctl -s rules
pass in log inet proto tcp from any to any port = 25 flags S/SA divert-to 127.0.0.1 port 8025
pass in log inet6 proto tcp from any to any port = 25 flags S/SA divert-to ::1 port 8025

However if I actually tried to connect via IPv6 (`nc -6 mail.myserver.com 25`) I just get an immediately closed connection, presumably because ::1:8025 isn't open.

Come to think of it, because spamd uses IP addresses to do its job, for this to happen the database format needs to be augmented to store the longer addresses, so it's not necessarily a simple change, and that's probably why it hasn't happened yet.

I just double-checked by digging around in the code (which I am not finally experienced enough for, phew) and found:

https://github.com/openbsd/src/blob/cf8f31167b4af5c8ea769ff3d8a5974a24fec6bb/libexec/spamd/spamd.c#L1427

smtplisten = socket(AF_INET, SOCK_STREAM, 0);

So yeah, it looks like it's still inet-only, no inet6 here.

-Nick
UEFI install issues
Hello group,

I've tried for the last two hours to install OpenBSD 6.8 onto a new HPE MicroServer but so far without success.

Installed the .img file onto a USB stick (via Balena Etcher on a Macbook). Booted up the device and eventually got it to boot from the USB stick. The USB keyboard works initially, i.e. it allows me to press carriage return at the boot loader prompt. When I get to the 'Install, Upgrade...' prompt the keyboard no longer responds. I've disconnected and reconnected the keyboard and get the expected messages on screen to show that these actions have taken place.

I've subsequently installed FreeBSD 12.2 and that's gone in with no issues at all (trouble is, whilst I could use FreeBSD for what I intend to do, I'd prefer to use OpenBSD).

Any thoughts?
Re: OpenIKED and Strongswan
Ok. In the log you can appreciate.

UK-HOST one OpenBSD machine connected to three openbsd, one mikrotik and one VyOS. The VyOS is CAT-HOST

Kind regards

On Mon, Feb 22, 2021 at 12:02 PM Stuart Henderson wrote:
> On 2021-02-22, Riccardo Giuntoli wrote:
> > Ok I've got the same error on three different OpenBSD, tell me what error
> > do you want or if you want an access.
>
> It would be a good start to run iked in the foreground with iked -vvd and
> show the log from there.
>
>

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net

create_ike: using signature for peer --FR--
create_ike: using signature for peer
ikev2 "--CAT-HOST--" passive transport esp proto gre inet from --UK-- to --CAT-- local --UK-- peer any ikesa enc aes-256 prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-256 group ecp256 childsa enc aes-256 auth hmac-sha2-256 group ecp256 esn,noesn srcid --UK-ID-- ikelifetime 86400 lifetime 3600 bytes 536870912 signature
/etc/iked.conf: loaded 4 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--CA-HOST--
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file --FR-HOST--.crt
ca_reload: loaded cert file --UK-HOST--.crt
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 15
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
ca_validate_cert: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--FR-HOST-- ok
ca_validate_cert: /C=UK/ST=England/L=London/O=Telecom Lobby/OU=VPNC/CN=--UK-HOST-- ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
policy_lookup: setting policy '--CAT-HOST--'
spi=0xc5881d3ed32f5801: recv INFORMATIONAL req 4428 peer --FR--:500 local --UK--:500, 96 bytes, policy '--CAT-HOST--'
ikev2_recv: ispi 0xc5881d3ed32f5801 rspi 0xfcad33aa65954d8e
ikev2_init_recv: unknown SA
ikev2_init_ike_sa: initiating "--FR-HOST--"
ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
ikev2_add_proposals: length 68
ikev2_next_payload: length 72 nextpayload KE
ikev2_next_payload: length 104 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xf2043da59221143f 0x --UK--:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xf2043da59221143f 0x --FR--:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 310 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 72
ikev2_pld_sa: more 0 reserved 0 length 68 proposal #1 protoid IKE spisize 0 xforms 7 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 104
ikev2_pld_ke: dh group ECP_384 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNAT
Re: OpenIKED and Strongswan
On 2021-02-22, Riccardo Giuntoli wrote:
> Ok I've got the same error on three different OpenBSD, tell me what error
> do you want or if you want an access.

It would be a good start to run iked in the foreground with iked -vvd and show the log from there.
Re: OpenIKED and Strongswan
Ok I've got the same error on three different OpenBSD, tell me what error do you want or if you want an access. Kind regards On Mon, Feb 22, 2021 at 11:33 AM Tobias Heider wrote: > On Mon, Feb 22, 2021 at 09:06:58AM +0100, Riccardo Giuntoli wrote: > > I there I've got a lot of problems putting a IKE2 point to point > connection > > stable between OpenBSD/OpenIKED and VyOS/Strongswan. > > > > Basically OpenBSD is a transport GRE in passive mode. Strongswan active > GRE > > transport. Gre tunnel is builded above and keepalive work in all the two > > sides, because I've changed the beaviour of the tun interface in linux. > > > > This is the error that I've got also in the OpenBSD side: > > > > Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: > > ikev2_ike_sa_rekey: busy, delaying rekey > > Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: > > ikev2_ike_sa_rekey: busy, delaying rekey > > Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such > > process > > Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such > > process > > Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659: > > ikev2_ike_sa_rekey: busy, delaying rekey > > Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such > > process > > Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such > > process > > Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e: > > ikev2_ike_sa_rekey: busy, delaying rekey > > Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54: > > ikev2_ike_sa_rekey: busy, delaying rekey > > Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such > > process > > > > I don't see any obvious misconfiguration so this might be a bug, > but without the log i won't be able to help. 
>
> - Tobias

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
Re: OpenIKED and Strongswan
On Mon, Feb 22, 2021 at 09:06:58AM +0100, Riccardo Giuntoli wrote:
> Hi there, I've got a lot of problems putting a IKE2 point to point connection
> stable between OpenBSD/OpenIKED and VyOS/Strongswan.
>
> Basically OpenBSD is a transport GRE in passive mode. Strongswan active GRE
> transport. Gre tunnel is built above and keepalive work in all the two
> sides, because I've changed the behaviour of the tun interface in linux.
>
> This is the error that I've got also in the OpenBSD side:
>
> Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659: ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e: ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54: ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
>

I don't see any obvious misconfiguration so this might be a bug, but without
the log I won't be able to help.
- Tobias
OpenIKED and Strongswan
Hi there, I've got a lot of problems putting a IKE2 point to point connection
stable between OpenBSD/OpenIKED and VyOS/Strongswan.

Basically OpenBSD is a transport GRE in passive mode. Strongswan active GRE
transport. Gre tunnel is built above and keepalive work in all the two
sides, because I've changed the behaviour of the tun interface in linux.

This is the error that I've got also in the OpenBSD side:

Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such process

Here you are the Strongswan configuration:

conn
    keyexchange=ikev2
    type=transport
    auto=start
    reauth=no
    ikelifetime=1h
    dpdaction=restart
    dpddelay=15
    dpdtimeout=1
    closeaction=restart

    left=%defaultroute
    leftsourceip=%config4
    leftauth=pubkey
    leftid=%indra@
    leftprotoport=gre
    leftupdown=/config/ipsec/ESJP-updown.sh

    right=
    rightsubnet=
    rightauth=pubkey
    rightid=%j
    rightcert=/etc/ipsec.d/certs/.crt
    rightprotoport=gre

#!/bin/bash

set -o nounset
set -o errexit

TUN_IFACE="tun2"

case "${PLUTO_VERB}" in
    up-host)
        echo "Putting interface ${TUN_IFACE} up"
        ifconfig "$TUN_IFACE" up
        echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}"
        sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1"
        echo "Accepting gre keepalive"
        sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1"
        ;;
    down-host)
        ifconfig "$TUN_IFACE" down
        ;;
esac

IKE is checked with DPD
SA is checked with the script

above also a cron script acting in this way:

#!/bin/bash
ROUTER_IP=
IPSEC=""
GRE="tun2"

PING_RESULT=$(fping -I"$GRE" "$ROUTER_IP" 2>&1)
ALIVE="alive"
STATUS=$(ipsec status "$IPSEC")
# variable name must match the one tested below; with it misspelled the
# pattern becomes *""* and matches any status
ESTABLISHED="INSTALLED"

if [[ "$PING_RESULT" != *"$ALIVE"* ]]; then
    if [[ "$STATUS" == *"$ESTABLISHED"* ]]; then
        ipsec stroke down-nb "$IPSEC"
        ipsec up "$IPSEC"
    else
        ipsec up "$IPSEC"
    fi
fi

In the OpenBSD side:

set dpd_check_interval 15
ikev2 "" passive transport \
    proto gre \
    from to \
    local jpeer any \
    ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \
    childsa auth hmac-sha2-256 enc aes-256 group ecp256 \
    srcid "shiva@" \
    ikelifetime 86400 lifetime 3600

root@shiva:/etc# cat hostname.gre1
description ""
keepalive 5 2
mtu 1392
!ifconfig gre1 4 netmask 0xfffc up
!ifconfig gre1 tunnel
root@shiva:/etc#

And some ifstated to check keepalive status.

Any suggestions?

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
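A stricter version of the cron watchdog from the mail above, as an added example that is not the poster's script: it keeps the same decision (re-establish the strongSwan connection when the GRE peer stops answering, tearing the CHILD_SA down first if one is installed), but moves the decision into a function that can be exercised offline, runs under set -u so a misspelled variable name fails loudly instead of silently matching every status line, and logs each action. The connection name gre-to-openbsd, the peer address 192.0.2.1 and the sample fping/ipsec output strings are assumptions; fping, ipsec status, ipsec stroke down-nb and ipsec up are the same tools the original script calls.

```shell
#!/bin/sh
# Added example (not the poster's script): watchdog for the strongSwan side of
# the GRE-over-IPsec transport link.  Connection name and peer address below
# are placeholders.
set -u   # an unset (e.g. misspelled) variable aborts instead of expanding to ""

GRE_IFACE="${GRE_IFACE:-tun2}"
CONN="${CONN:-gre-to-openbsd}"       # assumed strongSwan connection name
ROUTER_IP="${ROUTER_IP:-192.0.2.1}"  # placeholder peer address (TEST-NET-1)
ALIVE="is alive"                     # fping reports "<host> is alive"
ESTABLISHED="INSTALLED"              # "ipsec status" shows INSTALLED CHILD_SAs

# Constructed sample outputs (not real captures) for the offline self-check.
SAMPLE_PING_DOWN="192.0.2.1 is unreachable"
SAMPLE_STATUS_UP="gre-to-openbsd{1}:  INSTALLED, TRANSPORT, reqid 1"

# decide_action PING_OUTPUT STATUS_OUTPUT
# Prints one word: "ok" (peer answers over the GRE interface), "restart"
# (peer silent but a CHILD_SA is installed, so tear it down before bringing
# it up again) or "up" (peer silent and nothing installed).  Pure string
# logic, so it can be tested without touching the network.
decide_action() {
    ping_out=$1
    status_out=$2
    case $ping_out in
        *"$ALIVE"*) echo ok; return 0 ;;
    esac
    case $status_out in
        *"$ESTABLISHED"*) echo restart ;;
        *) echo up ;;
    esac
}

# run_watchdog: collect the two observations, act on the decision, and print
# the action taken.  "|| true" keeps a failing probe from aborting the script.
run_watchdog() {
    ping_out=$(fping -I "$GRE_IFACE" "$ROUTER_IP" 2>&1 || true)
    status_out=$(ipsec status "$CONN" 2>&1 || true)
    action=$(decide_action "$ping_out" "$status_out")
    case $action in
        ok) ;;
        restart)
            logger -t gre-watchdog "peer $ROUTER_IP silent, restarting $CONN"
            ipsec stroke down-nb "$CONN"
            ipsec up "$CONN"
            ;;
        up)
            logger -t gre-watchdog "peer $ROUTER_IP silent, bringing up $CONN"
            ipsec up "$CONN"
            ;;
    esac
    echo "$action"
}

# Only touch the tunnel when invoked as "gre-watchdog.sh run" (e.g. from
# cron); without the argument the script just evaluates the constructed sample
# and prints "restart".
if [ "${1:-}" = "run" ]; then
    run_watchdog
else
    decide_action "$SAMPLE_PING_DOWN" "$SAMPLE_STATUS_UP"
fi
```

Install it as a cron entry that passes the run argument (for example every minute, matching the original script's role); the fping, ipsec and logger calls run only in that mode, so the decision logic can be checked on any machine first.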