Re: IPsec and MTU / fragmentation

If a client and a server set up a new conversation over tcp. They both have an MTU of 1500 and DF=1 How will you fragment this, even being a L3 tunnel? /S On Tue, 11 Feb 2020 at 08:22, Janne Johansson wrote: > Den mån 10 feb. 2020 kl 20:53 skrev Simen Stavdal : > >> I think the m

Re: IPsec and MTU / fragmentation

On Mon, 10 Feb 2020 at 17:00, Janne Johansson wrote: > Den mån 10 feb. 2020 kl 16:27 skrev Simen Stavdal : > >> This is more a discussion about scalability and practical implementation. >> We both know that PMTU will work partly at best, your entire path back >> mus

Re: IPsec and MTU / fragmentation

hich would include TCP, UDP and ICMP). Would be interesting to find if UDP enforces DF in most cases. Cheers, Simon. On Mon, 10 Feb 2020 at 13:50, Janne Johansson wrote: > Den mån 10 feb. 2020 kl 12:15 skrev Simen Stavdal : > >> True, but issue was related to downloading over http, wh

Re: IPsec and MTU / fragmentation

? Cheers, Simon. On Mon, 10 Feb 2020 at 12:06, Janne Johansson wrote: > Den mån 10 feb. 2020 kl 11:58 skrev Simen Stavdal : > >> Hi Lucas, >> Have you tried to manipulate the mss during conversation setup? >> This is done with the max-mss directive in pf.conf. >> Bas

Re: IPsec and MTU / fragmentation

Hi Lucas, Have you tried to manipulate the mss during conversation setup? This is done with the max-mss directive in pf.conf. Basically, it takes the three way handshake, and overrides the MSS value in the handshake to something lower than the default. Client (1500 bytes) -> pf (change to 1300

Re: BGP Redistribution question

92.168.2.0/30) so that I can re-advertise into OSPF. Is there a way to add a label to a directly connected network? Can I get router C to advertise this, and then use router B to label? etc Cheers, Simon. On Mon, 14 Jan 2019 at 22:06, Sebastian Benoit wrote: > Hi, > > Simen Stavda

BGP Redistribution question

Hello, I have three routers connected in a chain. A<->B<->C All routers have a host address as loopback 100 (192.168.5.x/32, A=1, B=2, C=3). The segments between the routers are 192.168.1.0/30 (AB) and 192.168.2.0/30 (BC). A to B runs OSPF B to C runs IBGP I redistribute the BGP routes into

Re: Ospf adding new interface

So, with 6.4 recently released, I just installed it rather than using latest current - worked flawlessly - thank you. ospfctl reload now picks up new interfaces added. /S On Sat, 29 Sep 2018 at 13:40, Stuart Henderson wrote: > On 2018/09/29 13:36, Simen Stavdal wrote: > > Than

Re: Ospf adding new interface

Thanks Stuart, -vd just said the same, i.e interface unknown, will try -current and report back :) Thanks, Simon On Sat, 29 Sep 2018 at 13:06, Stuart Henderson wrote: > I've had problems at times with ospfd not seeing interfaces properly > after adding them, please try a -current snapshot and

Re: Ospf adding new interface

On Fri, Sep 28, 2018 at 10:22:42PM +0200, Simen Stavdal wrote: > > Hi all, > > > > On 6.3, using both octeon and amd64. > > > > While ospfd is running, I would like to add another interface (let’s say > a > > loopback if). After adding the loopback if to os

Ospf adding new interface

Hi all, On 6.3, using both octeon and amd64. While ospfd is running, I would like to add another interface (let’s say a loopback if). After adding the loopback if to ospf as passive I reload with ospfctl, but it does not start advertising the new interface. Only when I restart ospfd will it

Adding interfaces to ospf

Hello, I am setting up an ospf lab, and have a quick question. The answer is probably right in front of me, but I just can't seem to find it. I have a basic ospfd.conf including some active and some passive interfaces. Working just fine. usg2# cat /etc/ospfd.conf | grep -v "^#"

Re: Serving multiple domains on one machine or IP address

Hi Greg, I haven't done this myself, but take a look at the man pages of httpd.conf under the servers sections. You can create multiple a-records pointing to the same ip address, and then pick up the incoming traffic by inspecting the http header in order to find which virtual server to send the

Re: Topics for revised PF and networking tutorial

Anycast with ospf and ipv6 could be a fun tutorial... /S On 2 Apr 2017 22:27, "Luke Small" wrote: > It might be a fun idea to share what a really locked down desktop system > pf.conf would look like like if you are running a chain of DNS services (or > something that

Re: OpenVPN problem.

and... do you have the routing table for some of the hosts that can/cannot ping each other? Are there other gateways out of the networks, other than the openvpn box? S. Alessandro Baggi wrote: Johan Beisser wrote: On Mon, Jan 25, 2010 at 10:05 AM, Alessandro Baggi

Re: OpenVPN problem.

Hello Alessandro, Can you see any of the traffic on the inside LAN on the client side with tcpdump? I.e set tcpdump on $int with tcpdump -i nameofinternalinterface proto icmp and then try to ping from a server? Silly suggestion, but What about client side firewalls? Do they allow to be

Re: OpenVPN problem.

you want to use NAT between to RFC1918 networks that don't overlap? I am trying to understand your objective and the purpose of the setup, maybe there is a different way of setting it up? Cheers, Simon. Alessandro Baggi wrote: Simen Stavdal wrote: and... do you have the routing table

Re: Filtering scp ssh and sftp

Dukes wrote: On Mon, Sep 28, 2009 at 11:28:51PM +0200, Simen Stavdal wrote: Hello misc, I have an openbsd host running that I wish to access in different manners depending on where the users connect from. This host runs sftp chrooted for internet users, and at the same time

Filtering scp ssh and sftp

Hello misc, I have an openbsd host running that I wish to access in different manners depending on where the users connect from. This host runs sftp chrooted for internet users, and at the same time, I wish to administer the box with ssh. At the same time, I do not wish to allow ssh from the

Re: OT: 10GbE Physical Network Taps

Hello jcr, Not quite sure if this would meet your needs, but you could look at anue systems : http://www.anuesystems.com Cheers, Simon. On Wed May 6 13:33 , J.C. Roberts sent: I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber

Re: Static IP address problems

Hello, What sort of box is your default gateway? (Possibilities for running tcpdump on the gateway?) If you do, you could check the interfaces on the gateway, that the packets get routed to another interface on the gateway. There could be a number of configuration options on the gateway producing

Re: why wont my vlan interface accept this /28 ?

Hello, I've had a similar issue before, and cannot quite remember in detail, but it was something like this ; Check that you have a /etc/hostname.vlan203 config file, and modify the netmask here. Do you have any carp interfaces layered over vlan203 that may be conflicting with the netmask? If

Re: pkg_add adds an extra / to pkg_path

Hello, Checking on my own box (running 4.1), $PKG_PATH echoes ; ftp://ftp.stacken.kth.se/pub/OpenBSD/4.1/packages/i386/ # uname -a OpenBSD ## 4.1 GENERIC.MP#1225 i386 I have export PKG_PATH=ftp://ftp.stacken.kth.se/pub/OpenBSD/4.1/packages/i386/ Set in my .profile, and it works for

Re: Detecting heavy traffic users

Hi Ricardo/list, You could also use pfflowd (which exports netflow compatible datagrams). Then you could set up ntop as a receiver, to give you long term stats. Cheers, Simon. On Thu Jan 15 15:24 , Ricardo Augusto de Souza sent: Hi list, i have an openBSD 4.3 with PF as a gateway/router.

Re: Dump on soekris slow?

Hi Lars, The USB 2.0 Specification says max 480Mbps, and is to be considered a theroretical max. This equates to about 60MBytes/second. The devices that connect through the bus rarely get even close to this rate. In fact, if you compare it to the SATA-2 specification says 3000Mbps

Re: Duplicate incoming packets to multiple destinations using pf

if sendbug is appropriate for feature requests or not. Given the text under http://www.openbsd.org/report.html, it sounds like sendbug is appropriate for feature requests, but you may want to double-check that yourself. - Damian Simen Stavdal wrote: : : Hello again, : Ok, I think we

Re: Duplicate incoming packets to multiple destinations using pf

Hello Damian/Claer/misc, Thanks for your feedback, Just a bit more background... Here is some of my reasoning for wanting to do trap handling and duplications There are several advantages to having the devices send only one trap to a central system. 1) Less configuration on the devices (and

Re: Duplicate incoming packets to multiple destinations using pf

Hi Damian/misc, I appreciate your input -I really do. Please see my comments below. Cheers, Simon. On Wed Nov 5 14:46 , Damian Gerow sent: Simen Stavdal wrote: : 1) Less configuration on the devices (and also less load, though not a : big problem anymore). This is not really a problem

Re: Duplicate incoming packets to multiple destinations using pf

Hi Damian, Nothing like a fiery discussion :) On Wed Nov 5 15:39 , Damian Gerow sent: Simen Stavdal wrote: : I am not trying to escape the fact that one needs systems in place : to manage large installations, I am merely looking for what *I* : think would be a better way to deploy

Re: Duplicate incoming packets to multiple destinations using pf

which is the only accepted argument when using a host table. I will give multicast a try, as it may be a better fix than store and forward, replacing the source address. Ultimately, I think this is a feature request. Thank you, Simen. On Wed Nov 5 15:28 , Russell Howe sent: Simen Stavdal

Re: Duplicate incoming packets to multiple destinations using pf

: Simen Stavdal wrote: : Worth submitting a feature request? : --- I looks like this would be the best solution --- Sounds like you have your desired solution. So long as the OBSD developers accept your request as valid. : --- The subject of my posting is Duplicating incoming packets

Re: Duplicate incoming packets to multiple destinations using pf

hosts Cheers, Simon. On Nov 4, 2008, at 5:32 PM, Giancarlo Razzolini wrote: Simen Stavdal escreveu: Hello, I have the following scenario. A router (let's call it router A) is sending snmp traps to an nms (Network Monitoring System). Between the router A and the nms (let's call it nms

Duplicate incoming packets to multiple destinations using pf

Hello, I have the following scenario. A router (let's call it router A) is sending snmp traps to an nms (Network Monitoring System). Between the router A and the nms (let's call it nms-a) is a Dell PowerEdge 860 running OpenBSD 4.1 i386 (bsd.mp) and pf. On the same segment as nms-a, is nms-b,