Re: OpenVPN in rdomain 1 error

2018-12-14 Thread BARDOU Pierre
Hello,

We also tried to set up OpenVPN in a non-default rdomain, without success.

--
Regards,
Pierre BARDOU


-Original Message-
From: Denis
Sent: Thursday 13 December 2018 13:02
To: Misc
Subject: OpenVPN in rdomain 1 error

Trying to run OpenVPN in rdomain 1 with the command

# sh /etc/netstart tap0

# cat /var/openvpn.log
...
Thu Dec 13 14:40:27 2018 us=655401 TUN/TAP device /dev/tap0 opened
Thu Dec 13 14:40:27 2018 us=655456 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 13 14:40:27 2018 us=655500 /sbin/ifconfig tap0 192.168.1.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255
Thu Dec 13 14:40:27 2018 us=658571 Data Channel MTU parms [ L:1654 D:1500 EF:122 EB:411 ET:32 EL:3 ]
Thu Dec 13 14:40:27 2018 us=659026 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Dec 13 14:40:27 2018 us=659338 Socket Buffers: R=[41600->41600] S=[9216->9216]
Thu Dec 13 14:40:27 2018 us=659481 TCP/UDP: Socket bind failed on local address [AF_INET]127.0.0.1:2294: Can't assign requested address (errno=49)
Thu Dec 13 14:40:27 2018 us=659496 Exiting due to fatal error
Thu Dec 13 14:40:27 2018 us=659543 Closing TUN/TAP interface

# cat /etc/hostname.em0
rdomain 1
dhcp

# cat /etc/hostname.tap0
up
description 'conn1'
inet 192.168.1.1 255.255.255.0 192.168.1.255

!/sbin/route -T1 exec /usr/bin/env LD_LIBRARY_PATH=/usr/lib:/usr/local/lib /usr/local/sbin/openvpn --config /etc/openvpn/server.conf

# route -T1 -n show
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            ISP_gateway        UGS        0       84     -     8 em0
ISP_gateway/21     em0_IP             UCn        1        4     -     4 em0
ISP_gateway        00:1f:6c:cc:ad:ee  UHLch      1        3     -     3 em0
em0_IP             00:a1:f3:a0:44:c2  UHLl       0        5     -     1 em0
ISP_destination    em0_IP             UHb        0        0     -     1 em0
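As an added example (not part of the original thread, and not OpenVPN's own code), here is a pre-flight check an operator can run before launching a daemon with route -T1 exec. It rests on one assumption about the failure above: OpenBSD gives every rdomain its own loopback interface (lo1 for rdomain 1), so 127.0.0.1 does not exist in rdomain 1 until /etc/hostname.lo1 configures it, and a bind() to it fails with errno 49 (EADDRNOTAVAIL). The function names and the ifconfig(8) output embedded below are constructed for this example; the addresses and MAC are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: a pre-flight check for
# running a daemon under "route -T<N> exec". Assumption: each OpenBSD
# rdomain has its own loopback (lo1 for rdomain 1), so 127.0.0.1 is
# absent from rdomain 1 until /etc/hostname.lo1 configures it, and the
# bind fails with EADDRNOTAVAIL (errno 49) as in the OpenVPN log above.
# The functions parse ifconfig(8) output; the sample is constructed.

SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> rdomain 1 mtu 1500
        lladdr 00:00:5e:00:53:01
        inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> rdomain 1 mtu 1500
        description: conn1
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

# Usage: addr_in_rdomain RDOMAIN ADDR < ifconfig-output
# Exit status 0 if ADDR is an inet address of an interface in RDOMAIN.
addr_in_rdomain() {
    awk -v want_rd="$1" -v want_addr="$2" '
        # Interface header line: "name: flags=<...> [rdomain N] mtu M".
        # ifconfig prints "rdomain N" only when N is non-zero.
        /^[a-z]+[0-9]+: / {
            rd = 0
            for (i = 1; i <= NF; i++)
                if ($i == "rdomain") rd = $(i + 1)
        }
        # Address lines are indented; awk strips the leading blanks.
        $1 == "inet" && $2 == want_addr && rd == want_rd { found = 1; exit }
        END { if (found) exit 0; exit 1 }
    '
}

# Usage: preflight RDOMAIN ADDR < ifconfig-output
# Wraps addr_in_rdomain with an actionable message for the operator.
preflight() {
    if addr_in_rdomain "$1" "$2"; then
        echo "ok: $2 is present in rdomain $1"
    else
        echo "missing: $2 is not configured in rdomain $1;" \
             "add it to /etc/hostname.lo$1 (or the right interface) first" >&2
        return 1
    fi
}

# On a live box this would be:  ifconfig | preflight 1 127.0.0.1
printf '%s\n' "$SAMPLE_IFCONFIG" | preflight 1 127.0.0.1 || true
```

Against the constructed sample the check fails for 127.0.0.1 in rdomain 1 (only lo0, in rdomain 0, carries it) and passes for 192.168.1.1, which is what the log above shows: tap0 is configured, the loopback bind is not possible.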



Re: Weird routing problem on simple CARP setup

2018-07-12 Thread BARDOU Pierre
That makes sense.
Thanks for your advices.

--
Regards,
Pierre BARDOU


-Original Message-
From: Stuart Henderson
Sent: Wednesday 11 July 2018 23:24
To: misc@openbsd.org
Subject: Re: Weird routing problem on simple CARP setup

On 2018-07-11, Tom Smyth  wrote:
> Hi Pierre,
>
> with VRRP on other vendors the IP on the virtual interface is 
> recommended to be a /32,
>
>
> afaik
> it prevents ambiguity when it comes to your connected routes: do you 
> route a packet out the carp interface, which has an IP on the configured
> /24 network, or do you route the packet out the physical interface 
> which also has a /24 network configured?
>
>
> I note the examples and FAQ page in OpenBSD show IPs configured with 
> a /24: https://man.openbsd.org/carp
>
> and a /24 seems to be the default if a subnet mask is not specified
>
>
> But I would love to hear / learn more experienced OpenBSD admins' and devs' 
> take on it

My GBP0.02 (which isn't worth much these days ;)

- generally /32 for addresses on carp

- if there are no IPs from the subnet used in carp on another "real" interface 
(i.e. the address is only on the carp interface) then use the full /XX for one 
IP in that subnet on carp

- if you're redistributing a subnet on a carp interface into OSPF you need the 
full /XX on the carp interface so it can announce the network rather than a 
single host (you want to announce it from carp rather than the "real" interface 
so the priority changes depending on the carp state)
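An added example (not from the thread, and not OpenBSD's own tooling) that turns Stuart's first point into a check: it scans netstat -rnf inet output for a connected subnet (flag C in the Flags column) that is reachable through more than one interface, which is exactly the bge0/carp0 pair in Pierre's table. The sample routing table is constructed from the one posted in the thread, with the columns re-spaced and a few rows dropped; the function name is the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: detect the ambiguity a /32 on the
# carp interface is meant to avoid, namely one connected subnet (flag "C"
# in netstat -rnf inet) with routes via both the carpdev and the carp
# interface. Sample constructed from the table posted in the thread.

SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.194.119.254     UGS        0       16     -     8 bge0
224/4              127.0.0.1          URS        0      798 32768     8 lo0
10.194.116/22      10.194.116.29      UCn        1        1     -     4 bge0
10.194.116/22      10.194.116.28      UCn        0        0     -    19 carp0
10.194.116.28      00:00:5e:00:01:0f  UHLl       0        3     -     1 carp0
10.194.116.29      40:a8:f0:36:22:0c  UHLl       0       28     -     1 bge0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
192.168.190/24     192.168.190.1      Cn         0        0     -     4 bge1'

# Usage: dup_connected_nets < netstat-rnf-inet-output
# Prints one line per connected subnet that has more than one "C" route,
# as "<subnet> <iface1> <iface2> ...". Exit status 1 if any were found,
# 0 if the table is unambiguous.
dup_connected_nets() {
    awk '
        # Skip the headers; keep rows whose Flags column contains "C"
        # (connected network) and remember the interface of each one.
        NF >= 8 && $3 ~ /C/ && $1 != "Destination" {
            ifaces[$1] = ifaces[$1] " " $NF
            count[$1]++
        }
        END {
            found = 0
            for (net in count)
                if (count[net] > 1) { print net ifaces[net]; found = 1 }
            exit found
        }
    '
}

# On a live box:  netstat -rnf inet | dup_connected_nets
printf '%s\n' "$SAMPLE_ROUTES" | dup_connected_nets ||
    echo "ambiguous connected route(s); use a /32 on the carp interface" >&2
```

With a /32 on carp0 the second UCn entry for 10.194.116/22 is never created, so the check comes back empty; in the other case Stuart describes, where the subnet exists only on the carp interface, the full mask gives a single connected route and the check is equally clean.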




Re: Weird routing problem on simple CARP setup

2018-07-11 Thread BARDOU Pierre
Hello,

Sorry for the long delay, I've been very busy recently.

Putting the carp in /32 works.
What's the best practice when you have a physical IP + CARP in the same subnet ?
The FAQ here https://www.openbsd.org/faq/pf/carp.html#failover uses the same 
netmask for the CARP and the physical interface.

I upgraded to 6.3 and it also works.

Thank you for your help

--
Regards,
Pierre BARDOU

-Original Message-
From: Stefan Sperling
Sent: Tuesday 3 July 2018 13:33
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Weird routing problem on simple CARP setup

On Wed, Jun 27, 2018 at 09:30:16AM +, BARDOU Pierre wrote:
> Hello,
> 
> I have a strange problem with OpenBSD 6.2, which looks like a bug.
> Steps to reproduce :
> 
> * sh /etc/netstart -> everything works. Routing table:
> root@fw-t-wan-chut01:~ # netstat -rnf inet
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            10.194.119.254     UGS        0       16     -     8 bge0
> 224/4              127.0.0.1          URS        0      798 32768     8 lo0
> 10.194.116/22      10.194.116.29      UCn        1        1     -     4 bge0
> 10.194.116/22      10.194.116.28      UCn        0        0     -    19 carp0
> 10.194.116.28      00:00:5e:00:01:0f  UHLl       0        3     -     1 carp0
> 10.194.116.29      40:a8:f0:36:22:0c  UHLl       0       28     -     1 bge0
> 10.194.119.254     00:1b:2a:e9:c4:00  UHLch      2        5     -     3 bge0
> 10.194.119.255     10.194.116.29      UHb        0        0     -     1 bge0
> 10.194.119.255     10.194.116.28      UHb        0        0     -     1 carp0
> 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> 127.0.0.1          127.0.0.1          UHhl       1     1122 32768     1 lo0
> 192.168.190/24     192.168.190.1      Cn         0        0     -     4 bge1
> 192.168.190.1      40:a8:f0:36:22:0d  UHLl       0        0     -     1 bge1
> 192.168.190.255    192.168.190.1      Hb         0        0     -     1 bge1
> root@fw-t-wan-chut01:~ # ifconfig carp0
> carp0: flags=8843 mtu 1500
> lladdr 00:00:5e:00:01:0f
> description: TL-INT-ADM-WAN
> index 10 priority 15 llprio 3
> carp: MASTER carpdev bge0 vhid 15 advbase 1 advskew 10
> groups: carp
> status: master
> inet 10.194.116.28 netmask 0xfc00 broadcast 10.194.119.255
> 
> * then sh /etc/netstart carp0 -> routed traffic stops working (ping 
> 10.194.125.120 says "sendmsg: Invalid argument"). 
> Same result if I do ifconfig carp0 10.194.116.28/22.

Have you tried using a /32 mask on carp0 instead of /22?
That might work around the problem.

I believe this problem is fixed in 6.3. Can you confirm?



Weird routing problem on simple CARP setup

2018-06-27 Thread BARDOU Pierre
Hello,

I have a strange problem with OpenBSD 6.2, which looks like a bug.
Steps to reproduce :

* sh /etc/netstart -> everything works. Routing table:
root@fw-t-wan-chut01:~ # netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.194.119.254     UGS        0       16     -     8 bge0
224/4              127.0.0.1          URS        0      798 32768     8 lo0
10.194.116/22      10.194.116.29      UCn        1        1     -     4 bge0
10.194.116/22      10.194.116.28      UCn        0        0     -    19 carp0
10.194.116.28      00:00:5e:00:01:0f  UHLl       0        3     -     1 carp0
10.194.116.29      40:a8:f0:36:22:0c  UHLl       0       28     -     1 bge0
10.194.119.254     00:1b:2a:e9:c4:00  UHLch      2        5     -     3 bge0
10.194.119.255     10.194.116.29      UHb        0        0     -     1 bge0
10.194.119.255     10.194.116.28      UHb        0        0     -     1 carp0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1     1122 32768     1 lo0
192.168.190/24     192.168.190.1      Cn         0        0     -     4 bge1
192.168.190.1      40:a8:f0:36:22:0d  UHLl       0        0     -     1 bge1
192.168.190.255    192.168.190.1      Hb         0        0     -     1 bge1
root@fw-t-wan-chut01:~ # ifconfig carp0
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:0f
description: TL-INT-ADM-WAN
index 10 priority 15 llprio 3
carp: MASTER carpdev bge0 vhid 15 advbase 1 advskew 10
groups: carp
status: master
inet 10.194.116.28 netmask 0xfc00 broadcast 10.194.119.255

* then sh /etc/netstart carp0 -> routed traffic stops working (ping 
10.194.125.120 says "sendmsg: Invalid argument"). 
Same result if I do ifconfig carp0 10.194.116.28/22.
Routing table and ifconfig look the same :
root@fw-t-wan-chut01:~ # netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.194.119.254     UGS        5       58     -     8 bge0
224/4              127.0.0.1          URS        0     3918 32768     8 lo0
10.194.116/22      10.194.116.29      UCn        1    59014     -     4 bge0
10.194.116/22      10.194.116.28      UCn        0        0     -    19 carp0
10.194.116.28      00:00:5e:00:01:0f  UHLl       0        7     -     1 carp0
10.194.116.29      40:a8:f0:36:22:0c  UHLl       0       40     -     1 bge0
10.194.119.254     00:1b:2a:e9:c4:00  UHLc       0    29528     -     3 bge0
10.194.119.255     10.194.116.29      UHb        0        0     -     1 bge0
10.194.119.255     10.194.116.28      UHb        0        0     -     1 carp0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1     5498 32768     1 lo0
192.168.190/24     192.168.190.1      Cn         0        0     -     4 bge1
192.168.190.1      40:a8:f0:36:22:0d  UHLl       0        0     -     1 bge1
192.168.190.255    192.168.190.1      Hb         0        0     -     1 bge1
root@fw-t-wan-chut01:~ # ifconfig carp0
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:0f
description: TL-INT-ADM-WAN
index 10 priority 15 llprio 3
carp: MASTER carpdev bge0 vhid 15 advbase 1 advskew 10
groups: carp
status: master
inet 10.194.116.28 netmask 0xfc00 broadcast 10.194.119.255

* then again sh /etc/netstart -> everything is working again.
Deleting and readding the default route also does the trick.

If I test something like :
root@fw-t-wan-chut01:~ # sh /etc/netstart
root@fw-t-wan-chut01:~ # ifconfig bge0 10.194.116.29/22
The default route disappears. This is a bit weird, but at least the routing 
table is consistent with what happens.

I found a workaround: not using the mygate file, and adding a line to 
hostname.bge0 and hostname.carp0:
!route add default 10.194.119.254 1>/dev/null || route change default 10.194.119.254 1>/dev/null


Additional information:
Network configuration :
root@fw-t-wan-chut01:~ # cat /etc/hostname.bge0 


Re: Queuing faster than 4 Gbps

2018-02-27 Thread BARDOU Pierre
syncache 264   62003333 0 1 0 80
rtentry  112407550   42  1079  1076 316 0 80
plcache  128   400   40 2 0 2 2 0 80
plimitpl 152 11770   24 4 3 1 2 0 80
inpcbpl  288 32240   17 5 3 2 3 0 80
arp   56406820   20   518   516 2 8 0 80
pfsync72  41600 1 1 0 1 0 80

###

IFACE LIVELOCKS  SIZE ALIVE   LWM   HWM   CWM
System0   256 103001114
 204871  32
 2112 100931176
 921634   5
lo0
ix0  2050   25610   256   256
ix1  2050   25610   256   256
bge0 20483417   51234
 90321717   25617
bge1 20482317   51223
 90321717   25617
enc0
trunk0
vlan3202
vlan3203
vlan4027
carp1
carp2
carp3
carp4
pfsync0
pflog0

--
Regards,
Pierre BARDOU


-Original Message-
From: BARDOU Pierre
Sent: Tuesday 27 February 2018 13:52
To: misc@openbsd.org
Subject: RE: Queuing faster than 4 Gbps

Hello,

I reached this conclusion like Stuart says: if I configure a bandwidth above 
4G, like for instance 50, pfctl says "number too big".
I checked in parse.y, the limit is UINT_MAX.

If I use 5G instead, it parses OK, but pfctl -sq shows another number. I guess 
50 - UINT_MAX.

By the way, with this hardware (dmesg below) I can only get around 2.5 Gbps of 
firewalled traffic (around 350 kpps)...
If you have some tuning advice to pump that up, that would be great.
I only tuned ifq.maxlen to 8192 and qlimit to the same value.


OpenBSD 6.2 (GENERIC.MP) #5: Fri Feb  2 23:02:19 CET 2018

r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4108201984 (3917MB)
avail mem = 3976663040 (3792MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xb7fcb000 (82 entries)
bios0: vendor HP version "P80" date 04/02/2015
bios0: HP ProLiant DL320e Gen8 v2
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG HPET  SPMI ERST APIC  BERT HEST DMAR 
 SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PCI0(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xb800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3592.17 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 3592174860 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1

Re: Queuing faster than 4 Gbps

2018-02-27 Thread BARDOU Pierre
d0 at scsibus1 targ 0 lun 0: <HP, LOGICAL VOLUME, 6.64> SCSI3 0/direct fixed
sd0: 139979MB, 512 bytes/sector, 286677120 sectors
ppb1 at pci0 dev 1 function 1 "Intel Core 4G PCIE" rev 0x06: msi
pci2 at ppb1 bus 7
ix0 at pci2 dev 0 function 0 "Intel 82599" rev 0x01: msi, address 
00:11:0a:67:9e:ec
ix1 at pci2 dev 0 function 1 "Intel 82599" rev 0x01: msi, address 
00:11:0a:67:9e:ed
ppb2 at pci0 dev 1 function 2 "Intel Core 4G PCIE" rev 0x06: msi
pci3 at ppb2 bus 2
unknown vendor 0x1590 product 0x005f (class memory subclass miscellaneous, rev 
0x00) at pci3 dev 0 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel 8 Series xHCI" rev 0x04: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 
addr 1
ehci0 at pci0 dev 26 function 0 "Intel 8 Series USB" rev 0x04: apic 8 int 21
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
ppb3 at pci0 dev 28 function 0 "Intel 8 Series PCIE" rev 0xd4
pci4 at ppb3 bus 10
ppb4 at pci0 dev 28 function 5 "Intel 8 Series PCIE" rev 0xd4
pci5 at ppb4 bus 3
bge0 at pci5 dev 0 function 0 "Broadcom BCM5720" rev 0x00, BCM5720 A0 
(0x572), APE firmware NCSI 1.3.7.0: msi, address 50:65:f3:f0:9d:58
brgphy0 at bge0 phy 1: BCM5720C 10/100/1000baseT PHY, rev. 0
bge1 at pci5 dev 0 function 1 "Broadcom BCM5720" rev 0x00, BCM5720 A0 
(0x572), APE firmware NCSI 1.3.7.0: msi, address 50:65:f3:f0:9d:59
brgphy1 at bge1 phy 2: BCM5720C 10/100/1000baseT PHY, rev. 0
ppb5 at pci0 dev 28 function 7 "Intel 8 Series PCIE" rev 0xd4
pci6 at ppb5 bus 1
"Hewlett-Packard iLO3 Slave" rev 0x05 at pci6 dev 0 function 0 not configured
vga1 at pci6 dev 0 function 1 "Matrox MGA G200eH" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Hewlett-Packard iLO3 Management" rev 0x05 at pci6 dev 0 function 2 not 
configured
uhci0 at pci6 dev 0 function 4 "Hewlett-Packard USB" rev 0x02: apic 8 int 16
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Hewlett-Packard UHCI root hub" rev 
1.00/1.00 addr 1
ehci1 at pci0 dev 29 function 0 "Intel 8 Series USB" rev 0x04: apic 8 int 20
usb3 at ehci1: USB revision 2.0
uhub3 at usb3 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
pcib0 at pci0 dev 31 function 0 "Intel C222 LPC" rev 0x04
"Intel 8 Series RAID" rev 0x04 at pci0 dev 31 function 2 not configured
isa0 at pcib0
isadma0 at isa0
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com1: probed fifo depth: 0 bytes
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
uhub4 at uhub0 port 3 configuration 1 interface 0 "Standard Microsystems 
product 0x2660" rev 2.00/8.01 addr 2
uhub5 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 
2.00/0.04 addr 2
uhub6 at uhub3 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 
2.00/0.04 addr 2
uhidev0 at uhub2 port 1 configuration 1 interface 0 "BMC Virtual Keyboard" rev 
1.10/0.02 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes, country code 33
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 1 configuration 1 interface 1 "BMC Virtual Keyboard" rev 
1.10/0.02 addr 2
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (e4426d30edab0280.a) swap on sd0b dump on sd0b
--
Regards,
Pierre BARDOU

-Original Message-
From: Peter N. M. Hansteen [mailto:pe...@bsdly.net]
Sent: Monday 26 February 2018 18:43
To: misc@openbsd.org
Subject: Re: Queuing faster than 4 Gbps

On 02/26/18 17:50, BARDOU Pierre wrote:
> Hello,
> 
> I'm trying to use queuing on a 10 Gbps interface.
> I remind of a conversation on tech@ or misc@ which was about queuing values 
> being stored in a UINT which prevented configuring values > 4 Gbps.
> I can't find it in the mailing list archive logs though. Wasn't the 
> discussion about using long integers and so remove this limitation ?

If I remember correctly, the bandwidth values were 32-bit in ALTQ, effectively 
limiting the upper bandwidth value to something like what you suggest.  The 
current queueing code is quite different in most respects.

> As of today current, it seem to be still present. Any plans to upgrade this 
> in the (near) future ?

I'm a bit curious as to how you reached this conclusion. You're hitting one or 
more limits in your environment, but how do you identify which one?

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team 
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember 
to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Queuing faster than 4 Gbps

2018-02-26 Thread BARDOU Pierre
Hello,

I'm trying to use queuing on a 10 Gbps interface.
I remember a conversation on tech@ or misc@ about queuing values being 
stored in a UINT, which prevented configuring values > 4 Gbps.
I can't find it in the mailing list archive logs though. Wasn't the discussion 
about using long integers and so removing this limitation?

As of today's -current, it seems to be still present. Any plans to upgrade this in 
the (near) future?

Thank you

--
Regards,
Pierre Bardou



IPsec (isakmpd) in rdomain non zero needs default route

2017-09-29 Thread BARDOU Pierre
Hello, 

I don't know if I should post this to misc@ or bugs@...
If this is the wrong list, tell me and I'll file a proper bug report.

I need to add a default route in rdomain 1 to be able to use the tunnels 
created by isakmpd.
That is a bit weird: routes should be injected by isakmpd.

Here is my test setup:
+--------------------------+     +--------------------------+
|          rtr1            |     |          rtr2            |
| em1 (rd1): 192.168.0.1   |-----| em1 (rd1): 192.168.0.2   |
| lo1 (rd1): 127.0.0.1     |     | lo1 (rd1): 127.0.0.1     |
|   alias: 192.168.1.1     |     |   alias: 192.168.2.1     |
+--------------------------+     +--------------------------+
On rtr 1 and 2:
created enc1 rdomain 1 up
launched route -T 1 exec isakmpd -K

tunnel conf rtr 1:
ike esp from 192.168.1.0/24 to 192.168.2.0/24 local 192.168.0.2 peer 
192.168.0.2 \
main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

tunnel conf rtr 2:
ike esp from 192.168.2.0/24 to 192.168.1.0/24 local 192.168.0.2 peer 
192.168.0.1 \
main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

routing table rt1:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.1        UCn        1        0     -     4 em1
192.168.0.1        00:50:56:b4:7b:eb  UHLl       0       37     -     1 em1
192.168.0.2        00:50:56:b4:77:82  UHLc       1       16     -     3 em1
192.168.0.255      192.168.0.1        UHb        0        0     -     1 em1
192.168.1.1        192.168.1.1        UHl        0        7 32768     1 lo1

routing table rt2:
Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo1
192.168.0/24       192.168.0.2        UCn        0        0     -     4 em1
192.168.0.2        00:50:56:b4:77:82  UHLl       0      245     -     1 em1
192.168.0.255      192.168.0.2        UHb        0        0     -     1 em1
192.168.2.1        192.168.2.1        UHl        0       52 32768     1 lo1

flows rtr1:
# route -T1 exec ipsecctl -sf
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.2 srcid 
192.168.0.1/32 dstid 192.168.0.2/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.2 srcid 
192.168.0.1/32 dstid 192.168.0.2/32 type require

flows rtr2:
# route -T1 exec ipsecctl -sf
flow esp in from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.1 srcid 
192.168.0.2/32 dstid 192.168.0.1/32 type use
flow esp out from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.1 srcid 
192.168.0.2/32 dstid 192.168.0.1/32 type require

On rtr1:
ping -V 1 -I 192.168.1.1 192.168.2.1
won't work until I do on both routers:
route -T1 add default 127.0.0.1

My guess is that the problem is quite the same as with inter-domain routing 
with PF: destination lookup is done BEFORE processing by PF or IPsec 
(explained here for PF: 
https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/).
So when there is no default route, it fails. If this guess is right, the 
problem should also happen on rdomain 0.

Could you fix the code to make it work without the default route?
Or, as I suspect, is this too difficult and I'll go with my workaround?

--
Regards,
Pierre Bardou



Re: Read sysctl from file

2017-07-21 Thread BARDOU Pierre
Hello,

I didn't realize that, but you have a point here.
For future reference, I got Ansible sysctl working by tuning the options:

Task:
- name: "Tuning sysctl"
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    reload: no
    sysctl_set: yes
  with_items: "{{ sysctl }}"

Vars:
sysctl:
  - name: "net.inet.ip.forwarding"
    value: 1
  - name: "net.inet.carp.preempt"
    value: 1

--
Regards,
Pierre BARDOU


-Original Message-
From: Theo de Raadt [mailto:dera...@openbsd.org]
Sent: Thursday 20 July 2017 15:46
To: BARDOU Pierre <bardo...@mipih.fr>
Cc: misc@openbsd.org
Subject: Re: Read sysctl from file

> Is there a way to make sysctl re-read its conf file, or even another 
> file, like sysctl -p does on Linux systems?
> Supporting this option would be nice, as it is used by the sysctl 
> module of ansible.

But sysctl doesn't have a configuration file.

there is a file called sysctl.conf, but it isn't a configuration file for the 
command.  It is a list of sysctl changes, which will be made by the rc scripts 
at startup.

someone in linux land went off the map here.  and then another piece of 
software started un-portably assuming that's the way to do things?





Read sysctl from file

2017-07-20 Thread BARDOU Pierre
Hello,

Is there a way to make sysctl re-read its conf file, or even another file, like 
sysctl -p does on Linux systems?
Supporting this option would be nice, as it is used by the sysctl module of 
ansible.


--
Regards,
Pierre BARDOU



Re: OpenBSD on HPE DL20 G9

2017-04-18 Thread BARDOU Pierre
Hello,

Unfortunately, I don't have this server any more: as it didn't work, I sent 
it back to HP.
But thanks for the info, the trick may be useful for other servers.

--
Regards,
Pierre BARDOU


-Original Message-
From: Naoki Fukaumi [mailto:fuka...@soum.co.jp]
Sent: Monday 17 April 2017 09:13
To: BARDOU Pierre <bardo...@mipih.fr>
Cc: misc@openbsd.org
Subject: Re: OpenBSD on HPE DL20 G9

hi,

From: BARDOU Pierre <bardo...@mipih.fr>
Subject: OpenBSD on HPE DL20 G9
Date: Mon, 10 Oct 2016 15:12:04 +

> I have a brand new HPE DL20 G9, on which I am trying to boot OpenBSD 
> (version 6.0).
> 
> 1st try: UEFI. The boot loader does its work, and then the screen 
> remains blank.
> I can't see any line with blue background.
> I tried to see what happened via console, but there is no serial port 
> on these little beasts :(

Can you try to disable "UEFI Optimized Boot"?

 
http://h20565.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=7481826=mmr_kc-0123842=en_US

It works for me.

# I have no idea why it works...

Best Regards,

--
FUKAUMI Naoki



Re: Monitoring relayd via SNMP

2017-03-13 Thread BARDOU Pierre
Hello,

Thanks for the idea, but how are you triggering a script on polling?
BTW, I think that if SNMP is not available I will stick to check_relayd with 
NRPE.
Cf. http://undeadly.org/cgi?action=article=20110220204953

--
Regards,
Pierre BARDOU

From: Mik J [mailto:mikyde...@yahoo.fr]
Sent: Saturday 11 March 2017 15:23
To: BARDOU Pierre <bardo...@mipih.fr>; misc@openbsd.org
Subject: Re: Monitoring relayd via SNMP

Hello Pierre,
I don't use relayd, but for some of my needs with SNMP I retrieve the 
statistics through a script that is executed every time I poll a specific OID.
It might be dirty, but it does the job.
Regards

On Tuesday 7 March 2017 16:08, BARDOU Pierre <bardo...@mipih.fr> wrote:

I found nothing to implement the relayd MIB in the SNMPD source code apart
from the traps part.
So it seems this is still a WIP.

Could anyone confirm that?

--
Regards,
Pierre BARDOU

-Original Message-
From: BARDOU Pierre
Sent: Monday 6 March 2017 16:46
To: misc@openbsd.org
Subject: Monitoring relayd via SNMP

Hello,

I am trying to monitor relayd through snmpd(8).
It seems that a MIB exists:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/snmp/OPENBSD-RELAYD-MIB.txt?rev=1.3=text/x-cvsweb-markup

But SNMP-walking these OIDs doesn't work.
snmpctl show mib doesn't show them either.

I tried to set up an AgentX socket, but according to the man page relayd.conf(5) it
is only for traps.

I feel I am doing something wrong here...
Could someone point me in the right direction to use this MIB?

Thank you

--
Regards,
Pierre Bardou



Re: Monitoring relayd via SNMP

2017-03-07 Thread BARDOU Pierre
I found nothing to implement the relayd MIB in the SNMPD source code apart
from the traps part.
So it seems this is still a WIP.

Could anyone confirm that?

--
Regards,
Pierre BARDOU

-Original Message-
From: BARDOU Pierre
Sent: Monday 6 March 2017 16:46
To: misc@openbsd.org
Subject: Monitoring relayd via SNMP

Hello,

I am trying to monitor relayd through snmpd(8).
It seems that a MIB exists:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/snmp/OPENBSD-RELAYD-MIB.txt?rev=1.3=text/x-cvsweb-markup

But SNMP-walking these OIDs doesn't work.
snmpctl show mib doesn't show them either.

I tried to set up an AgentX socket, but according to the man page relayd.conf(5) it
is only for traps.

I feel I am doing something wrong here...
Could someone point me in the right direction to use this MIB?

Thank you

--
Regards,
Pierre Bardou



Monitoring relayd via SNMP

2017-03-06 Thread BARDOU Pierre
Hello,

I am trying to monitor relayd through snmpd(8).
It seems that a MIB exists:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/snmp/OPENBSD-RELAYD-MIB.txt?rev=1.3=text/x-cvsweb-markup

But SNMP-walking these OIDs doesn't work.
snmpctl show mib doesn't show them either.

I tried to set up an AgentX socket, but according to the man page relayd.conf(5) it
is only for traps.

I feel I am doing something wrong here...
Could someone point me in the right direction to use this MIB?

Thank you

--
Regards,
Pierre Bardou



Relayd and rdomains

2016-12-07 Thread BARDOU Pierre
Hello,

Is there a solution to use relayd (redirect mode) on multiple rdomains on the
same host?

I had two ideas, but neither of them works:
* launch relayd in the default rdomain -> rules are injected with "on rdomain
0", so they do not match on other rdomains
* launch one relayd instance per rdomain: the control socket name cannot be
specified, so using relayctl is not possible

--
Regards,
Pierre Bardou



Re: 350MHz IBM Intel Pentium II runs 5.9 fine

2016-11-30 Thread BARDOU Pierre
It is quite stable also :)
I love this OS... Congrats to the team for all the good work.

This router is used for etherip, and works flawlessly for more than 5 years
now (and counting).
# uptime
 5:59PM  up 1890 days,  1:02, 1 user, load averages: 0.17, 0.11, 0.09
# cat /var/run/dmesg.boot
OpenBSD 4.9-stable (GENERIC.MP) #0: Wed Sep 28 10:37:22 CEST 2011
r...@rt-t-etherip1.mipih.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 3.60GHz ("GenuineIntel" 686-class) 3.61 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,C
X16,xTPR
real mem  = 2147000320 (2047MB)
avail mem = 2101714944 (2004MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf,
SMBIOS rev. 2.3 @ 0xec000 (56 entries)
bios0: vendor HP version "P52" date 02/14/2006
bios0: HP ProLiant DL360 G4
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 3.60GHz ("GenuineIntel" 686-class) 3.61 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,C
X16,xTPR
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 9 pa 0xfec1, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
ioapic2 at mainbus0: apid 10 pa 0xfec82000, version 20, 24 pins
ioapic3 at mainbus0: apid 11 pa 0xfec82400, version 20, 24 pins
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 2 (ICHR)
acpiprt2 at acpi0: bus 7 (PCXA)
acpiprt3 at acpi0: bus 10 (PCXB)
acpiprt4 at acpi0: bus 6 (PTB0)
acpiprt5 at acpi0: bus 13 (PTA0)
acpiprt6 at acpi0: bus 3 (PTC0)
acpiprt7 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: FVS, 3600, 3200, 2800 MHz
acpicpu1 at acpi0: FVS, 3600, 3200, 2800 MHz
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0x8000 0xc8000/0x4000! 0xcc000/0x1600
0xee000/0x2000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
bridge io address conflict 0x1000/0x3000
pchb0 at pci0 dev 0 function 0 "Intel E7520 Host" rev 0x0c
ppb0 at pci0 dev 2 function 0 "Intel E7520 PCIE" rev 0x0c
pci1 at ppb0 bus 13
ppb1 at pci0 dev 4 function 0 "Intel E7520 PCIE" rev 0x0c
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 7
ppb3 at pci2 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci4 at ppb3 bus 10
ppb4 at pci0 dev 6 function 0 "Intel E7520 PCIE" rev 0x0c
pci5 at ppb4 bus 3
ppb5 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci6 at ppb5 bus 2
ciss0 at pci6 dev 1 function 0 "Compaq Smart Array 64xx" rev 0x01: apic 9 int
0 (irq 5)
ciss0: 1 LD, HW rev 1, FW 2.80/2.80, 64bit fifo
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0:  SCSI2 0/direct fixed
sd0: 34727MB, 512 bytes/sec, 71122560 sec total
bge0 at pci6 dev 2 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0
(0x2100): apic 9 int 1 (irq 5), address 00:15:60:ac:ea:1e
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci6 dev 2 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0
(0x2100): apic 9 int 2 (irq 5), address 00:15:60:ac:ea:1d
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: apic 8 int 16 (irq 5)
uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: apic 8 int 19 (irq 5)
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: apic 8 int 23 (irq 5)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x0a
pci7 at ppb6 bus 1
vga1 at pci7 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Compaq iLO" rev 0x01 at pci7 dev 4 function 0 not configured
"Compaq iLO" rev 0x01 at pci7 dev 4 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 

Re: 4th nic for pcengines apu2

2016-10-20 Thread BARDOU Pierre
Hi, 

I am planning to try DL320e G8 v2, in the same price range of the DL20 G9.
If you have a few weeks I should be able to tell you if it works.

For the APU, I would go with a managed switch and VLANs.

--
Regards,
Pierre BARDOU


-Original Message-
From: Marko Cupać [mailto:marko.cu...@mimar.rs]
Sent: Wednesday, 19 October 2016 21:03
To: misc@openbsd.org
Subject: Re: 4th nic for pcengines apu2

Hi,

I have a budget which is a few times the price of a single apu2.
Actually, initially I planned to use a pair of HPE ProLiant DL20 gen9 for this
purpose. Unfortunately, it appears DL20gen9s won't boot
OpenBSD: [https://marc.info/?l=openbsd-misc&m=147611237327210&w=2]
If someone has good experience with OpenBSD on entry level HPE ProLiant servers
that are currently being sold new, please let me know.

One of the requirements for this hardware is that it has to be purchased from a
local distributor in Serbia, in order to avoid hassle with customs, import
taxes, first import certification, guarantee period etc. PC Engines has a
distributor here, that's one of the reasons I buy their gear. The same with HP.
I doubt Lanner and Jetway have a distributor in Serbia, at least a web search
didn't return anything.

My intention was what Florian suggested, to use miniPCIe NIC, and I wanted to 
ask if someone knows about one that is tested in production on OpenBSD, and 
works fine.

Regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD on HPE DL20 G9

2016-10-11 Thread BARDOU Pierre
Nice idea.
Sadly, I tried and it seems not to work: the boot loader can't find any serial port.

boot> set tty com0
switching console to com0
com0 console not present
boot> set tty
pc0


--
Regards,
Pierre BARDOU

-Original Message-
From: Todd C. Miller [mailto:todd.mil...@courtesan.com]
Sent: Monday, 10 October 2016 17:45
To: BARDOU Pierre <bardo...@mipih.fr>
Cc: misc@openbsd.org
Subject: Re: OpenBSD on HPE DL20 G9

Can't you enable serial console redirection with the built-in iLO?
That should make it easier to get the boot messages in legacy mode.

 - todd



OpenBSD on HPE DL20 G9

2016-10-10 Thread BARDOU Pierre
Hello,

I have a brand new HPE DL20 G9, on which I am trying to boot OpenBSD (version
6.0).

1st try: UEFI. The boot loader does its work, and then the screen remains
blank.
I can't see any line with a blue background.
I tried to see what happened via the console, but there is no serial port on
these little beasts :(

2nd try: legacy BIOS.
The kernel starts, lines starting with "cpu" seem OK.
But then there are a lot of "mem address conflict" and "bridge mem address
conflict".
Then it freezes.

Is there something I can do?
Would it be useful if I gave you the full messages (a long and painful
process of copying the text from a video of the boot)?

Thank you

--
Regards,
Pierre Bardou



Re: ratble and rdomain support on dhcpd and openvpn

2016-07-18 Thread BARDOU Pierre
Hi,

OpenVPN does not support rdomains and probably never will, as they are
OpenBSD-specific.

I had some success by running it in the default rdomain and then dispatching
the clients into different rdomains via PF. But this was for server mode.
Maybe you can do something like that for the client, like running it in the
default rdomain and making PF rules in your rdomain 200 to send the relevant
packets to the VPN.
You might also use "route -T 200 exec openvpn ..." and a script which will
set the rdomain on connection. Look at the --up parameter of the OpenVPN man
page.

--
Regards,
Pierre BARDOU

-Original Message-
From: Difan Zhao [mailto:difan.z...@pason.com]
Sent: Friday, 15 July 2016 21:35
To: Chris Cappuccio
Cc: Pierre Emeriaud ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Thank you sir! So I'll probably just stick with my hacking approach and wait for
6.0. I see that will come in November so not too much waiting.

So any idea how the openvpn might start to support rtable or rdomain?

Thanks,
Difan

-Original Message-
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Friday, July 15, 2016 11:07 AM
To: Difan Zhao 
Cc: Pierre Emeriaud ; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Difan Zhao [difan.z...@pason.com] wrote:
> Hi Pierre,
>
> I just upgraded the soekris box to openbsd 5.9 however I am still
> having the
problem setting the rtable...
>

This requires OpenBSD 6.0 which is not yet released. You can use snapshots at
http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/ to install the beta code.
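The "route -T 200 exec openvpn ..." plus --up script idea from the reply above, worked through as an added example. This is a hypothetical script, not code from the thread, from OpenVPN or from OpenBSD. It assumes the daemon is started with "route -T 200 exec openvpn --config client.conf", that client.conf contains "script-security 2", "ifconfig-noexec", "route-noexec", "up /etc/openvpn/up-rdomain.sh" and "route-up /etc/openvpn/up-rdomain.sh", and that dev, ifconfig_local, ifconfig_remote / ifconfig_netmask, route_vpn_gateway and route_network_N / route_netmask_N / route_gateway_N are the variables openvpn(8) documents for its scripts. The script attaches the tunnel interface to the rdomain before addressing it, then installs the pushed routes in that table with "route -T":

```shell
#!/bin/sh
# up-rdomain.sh: hypothetical OpenVPN --up / --route-up script for OpenBSD
# (added example, not code from the thread, OpenVPN or OpenBSD).
#
# Assumed client.conf fragment:
#   script-security 2
#   ifconfig-noexec
#   route-noexec
#   up       /etc/openvpn/up-rdomain.sh
#   route-up /etc/openvpn/up-rdomain.sh
# and the daemon started with:  route -T 200 exec openvpn --config client.conf
# OpenVPN then leaves interface and route setup to this script and exports
# dev, ifconfig_local, ifconfig_remote / ifconfig_netmask, route_vpn_gateway
# and route_network_N / route_netmask_N / route_gateway_N (openvpn(8),
# "Environmental Variables").

RDOMAIN="${RDOMAIN:-200}"   # assumed target routing domain

# Print the ifconfig(8) commands that attach the tunnel to the rdomain.
# rdomain is set first: changing it afterwards would clear the addresses.
plan_ifconfig() {   # $1 dev, $2 local, $3 remote (p2p) or "", $4 netmask or "", $5 rdomain
    printf 'ifconfig %s rdomain %s\n' "$1" "$5"
    if [ -n "$4" ]; then
        printf 'ifconfig %s inet %s netmask %s up\n' "$1" "$2" "$4"   # subnet topology / tap
    else
        printf 'ifconfig %s inet %s %s up\n' "$1" "$2" "$3"           # point-to-point tun
    fi
}

# Print one route(8) command per route_network_N variable, inside the rdomain.
plan_routes() {     # $1 rdomain, $2 fallback gateway
    n=1
    while :; do
        net=$(eval "printf '%s' \"\${route_network_$n:-}\"")
        [ -n "$net" ] || break
        mask=$(eval "printf '%s' \"\${route_netmask_$n:-}\"")
        gw=$(eval "printf '%s' \"\${route_gateway_$n:-}\"")
        printf 'route -T %s -n add -net %s -netmask %s %s\n' "$1" "$net" "$mask" "${gw:-$2}"
        n=$((n + 1))
    done
}

# Run every planned command, logging it; a failing command makes the script
# exit non-zero, which OpenVPN treats as fatal for the connection.
run_plan() {
    while read -r cmd; do
        logger -t up-rdomain "$cmd"
        $cmd || exit 1
    done
}

# OpenVPN sets script_type to the hook being run; nothing happens when sourced.
case "${script_type:-}" in
up)
    plan_ifconfig "$dev" "$ifconfig_local" "${ifconfig_remote:-}" \
        "${ifconfig_netmask:-}" "$RDOMAIN" | run_plan
    ;;
route-up)
    plan_routes "$RDOMAIN" "${route_vpn_gateway:-${ifconfig_remote:-}}" | run_plan
    ;;
esac
```

Because of "route -T 200 exec", the daemon's own UDP socket is created inside rdomain 200, so the VPN peer must be reachable from that routing table, not from table 0. After the tunnel is up, "ifconfig tun0" shows the rdomain and "route -T 200 -n show" should list the pushed routes through it.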



Re: syslog-ng+ELK

2016-05-17 Thread BARDOU Pierre
Hello,

I use ELK for all my system/firewall logs.
It gathers Linux, Windows, ASA, pflog and all appliance syslogs very well,
despite the high number of messages (actually more than 1 000 000 000/week).

You can configure logstash filtering to suit your needs.
The Kibana interface is very efficient, and even gives you graphs.

I am very happy with it.

--
Regards,
Pierre BARDOU


-Original Message-
From: trondd [mailto:tro...@kagu-tsuchi.com]
Sent: Saturday, 7 May 2016 18:02
To: Predrag Punosevac
Cc: misc@openbsd.org
Subject: Re: syslog-ng+ELK

On Sat, May 7, 2016 12:29 am, Predrag Punosevac wrote:
> Michael Shirk wrote:
>
>> On May 23, 2015 10:42, "Predrag Punosevac" 
>> wrote:
>> >
>> > 5. Finally I am open for simpler ideas. Any opinions on
>> sysutils/logfmon
>> > Is it possible to visualize on the web output from logfmon?
>> >
>> > Best,
>> > Predrag Punosevac
>> >
>>
>> There is another aspect to log analysis tools that bothers me the
>> most, why must we risk system security to review log files?
>>
>> Any of the tools that "work well" open you up to web vulnerabilities,
>> or cost money in the case of Splunk. I have not had time to work on
>> it, but I would like to create a tool that avoids all of the issues
>> of running a web service or requiring java.
>>
>> My interest is in UNIX system logs and IDS/IPS events, with full
>> packet captures. The simplest form I have used is with automated
>> processing of IDS events, firewall logs, and full pcap data as static
>> files shared on a webserver. I would be interested in a CLI log
>> viewer with ncurses, or scripted output (maybe using pipecut to
>> process data as you search for what you want in the simplest UNIX
>> way).
>>
>> --
>> Michael Shirk
>> Daemon Security, Inc.
>> http://www.daemon-security.com
>
>
> I am resurrecting this old thread I started almost a year ago in an
> attempt to learn how other OpenBSD users are managing their
> centralized logging servers. I also wanted to revisit the issues
> raised by Mr. Shirk.
>
> Namely the problem I am trying to solve seems very common. I am
> running a centralized logging server (syslog-ng) on an OpenBSD host. This
> server receives log files from my heterogeneous network consisting of
> OpenBSD machines (running syslogd), Red Hat machines (rsyslog), and
> FreeBSD machines running the FreeBSD version of syslogd. I noticed that
> sending log files generates lots of traffic on my monitoring server in
> part due to the fact that I am recording lots of noise like
>
> last message repeated 10 times
>
> Next problem is properly rotating, archiving, and deleting monthly
> directories containing log files of all my servers. For example
> directory
>
> /var/log/syslog-ng/HOSTS/2016-05
>
> contains log files of all my servers for this month. That is not too
> useful. Storing them per day would be probably better but having fewer
> log files just for important things would be even better.
>
> Log files are useless unless some kind of analytics is run on them.
> I would like to be able to do real time monitoring for anomalies using
> a daemon. The following seem obvious anomalies:
>
> 1. SMART errors (I am a big data/machine learning guy so I want to
> replace failed HDDs in a timely fashion) even though the SMART daemon is
> sending separate e-mails
>
> 2. failing hardware (sensors, IPMI, mcelog)
>
> 3. firewall logs
>
> 4. IDS/IPS events
>
>
>
> A daemon should be able to send me an e-mail every couple of hours
> containing as little noise as possible.
>
> So far I have found in ports the following daemons:
>
> 1. security/logsurfer (package exists only for i386 and I use amd64)
>
> 2. sysutils/logfmon (From looking at /etc/logfmon.conf it looks like
> it is written to monitor log files on the single OpenBSD machine
> running syslogd. I don't see how I could monitor entire syslog-ng
> directories)
>
> 3. I noticed that syslog daemons do not work very well with SQL
> databases as storage backends. For example LibreNMS has the
> interface for displaying and searching (manually, which makes it useless)
> syslog files.
> But on top of that, MariaDB has to be restarted quite frequently.
>
> 4. I am not sure what to think of ELK anymore. The more I learn the
> less I like it.
>
> 5. Finally I stumbled upon echofish
>
> https://echothrust.github.io/echofish/
>
> which seems to be repeating old pattern. Using SQL database as a
> backend and providing UI for searching messages (I can do that using
> grep) but no e-mail notification when troubles are found.
>
>
> What am I missing here? How do people monitor their log files in
> real time? That would seem such an obvious topic for people who care
> about security.
>
> Predrag
>

Note: I don't centralize my logs, and don't do realtime monitoring.  I don't
have a NOC, and I'm not on call 24x7.  So most of the time, there is no one to
respond anyway.  I run a couple dozen servers hosting a handful of internal
tools.  
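For the digest Predrag asks for above (anomalies mailed every few hours, as little noise as possible, no web front-end), here is an added example that is not code from the thread or from any of the tools named in it: an awk filter that reads syslog lines, folds syslogd's "last message repeated N times" lines into the count of the preceding message from the same host, sorts lines into the categories listed in the message (SMART, hardware, firewall, IDS, plus failed logins) and prints a per-category summary with one sample line each. The patterns, the category names and the sample log lines in the test are constructed assumptions; adjust them to the daemons you actually run.

```shell
#!/bin/sh
# logdigest.sh: hypothetical syslog digest filter (added example, not from the
# thread). Reads lines of the form "Mon DD HH:MM:SS host program: message" on
# stdin; prints nothing when no line matched, so a cron job such as
#   /usr/local/sbin/logdigest.sh --run < /var/log/syslog-ng/HOSTS/2016-05/messages
# only produces mail (via cron's MAILTO) on days with something to report.

digest() {
    awk '
    # Category of one message body; the patterns are assumptions to extend.
    function category(msg) {
        if (msg ~ /smartd|SMART|unreadable \(pending\) sectors/)          return "smart"
        if (msg ~ /sensorsd|exceeds limits|ipmi|mcelog|Machine Check/)     return "hardware"
        if (msg ~ /pflogd|^pf: |block (in|out)/)                          return "firewall"
        if (msg ~ /suricata|snort|\[Priority: [12]\]/)                     return "ids"
        if (msg ~ /Failed password|Invalid user|authentication failure/)  return "auth"
        return ""
    }
    {
        host = $4
        msg = $0
        sub(/^[A-Z][a-z]+ +[0-9]+ [0-9:]+ [^ ]+ /, "", msg)   # strip timestamp and host
        if (msg ~ /^last message repeated [0-9]+ times/) {
            # syslogd collapsed repeats: credit them to the previous line of this host
            n = msg; sub(/^last message repeated /, "", n); sub(/ times.*/, "", n)
            if (lastcat[host] != "") count[lastcat[host]] += n
            next
        }
        c = category(msg)
        lastcat[host] = c
        if (c == "") next                        # noise: dropped from the digest
        count[c]++
        if (seen[c, msg]++ == 0) sample[c] = sample[c] "\n    " host ": " msg
    }
    END {
        split("smart hardware firewall ids auth", order, " ")
        for (i = 1; i <= 5; i++) {
            c = order[i]
            if (c in count) printf "%s: %d event(s)%s\n", c, count[c], sample[c]
        }
    }'
}

# Only filter stdin when invoked as a command; sourcing the file defines digest().
if [ "${1:-}" = "--run" ]; then
    digest
fi
```

Piping the output of several hosts' files through one digest run gives a single mail per interval; the sample lines keep the host name so a 26-line burst of "Failed password" from one machine is visible at a glance without opening the raw file.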

Announce NAT pools via OSPF

2016-01-07 Thread BARDOU Pierre
Hello,

I would like to announce the NAT pools used by my firewalls to my backbone
using OSPF.

Let's say my real network is connected to vmx0. Its address is A/24 and it is
NATed to N/24.
My backbone is reached through vmx1.

So I configured a route on the firewall, destination N/24, gateway
127.0.0.1.
Then I configured ospfd to "redistribute static, area 0.0.0.0 { interface vmx1
}".
I can see N/24 with ospfctl sh fib, flagged valid.

But the route doesn't show up in the backbone when I use ospfctl sh rib.

I tried to add interface lo0 on the firewall ospfd.conf, this adds
127.0.0.1/32 on the backbone RIB, but I still can't see N/24.

I also tried to configure a lo1 with the address N/24 and to put it in
ospfd.conf, only N/32 shows up on the backbone.

Finally I configured a vether0 with the address N/24 and put it in ospfd.conf,
and that did the trick.

Is that a good way to do what I want, or does someone have a better solution to
advise me?
Thank you

--
Regards,


Pierre Bardou
Network engineer
Tel. 05.34.61.71.84
bardo...@mipih.fr

12, rue Michel Labrousse
CS 93668- 31036 Toulouse cedex 1


Before printing this e-mail, think of the environment
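The vether0 variant that finally worked, written out as an added example; this is not configuration from the thread, and the addresses, interface names, area and pf rule are assumptions. Two details explain the earlier attempts: ospfd advertises a loopback address only as a /32 host route, which is why lo1 produced N/32, whereas the prefix configured on a vether(4) interface is advertised as a connected stub network; and the vether interface is marked passive in ospfd.conf so that, per ospfd.conf(5), it appears as a stub network without hellos being sent or accepted on it. The pf rule assumes the pool is a one-to-one mapping of the real network, hence binat-to:

```shell
#!/bin/sh
# nat-pool-announce.sh: hypothetical generator for the vether0 + ospfd + pf
# configuration (added example, not configuration from the thread).
# ROOT="" writes to /etc; a test can point ROOT at a scratch directory.
ROOT="${ROOT:-}"

# $1 real network (A/24), $2 NAT pool (N/24), $3 backbone interface (vmx1),
# $4 OSPF area. Writes hostname.vether0, ospfd.conf and a pf fragment.
write_nat_announce_config() {
    real="$1"; pool="$2"; backbone="$3"; area="$4"
    mkdir -p "$ROOT/etc"

    # vether0 carries the pool prefix as a connected network. A loopback
    # address would be advertised as a /32 host route only; on a vether(4)
    # interface OSPF announces the whole prefix, whatever address inside it
    # is configured (the pool's first address is used here).
    cat > "$ROOT/etc/hostname.vether0" <<EOF
inet $pool
description "NAT pool $pool"
up
EOF

    # passive: announce vether0 as a stub network, never send or accept
    # hellos on it (ospfd.conf(5)); the backbone interface stays normal.
    cat > "$ROOT/etc/ospfd.conf" <<EOF
area $area {
    interface $backbone
    interface vether0 {
        passive
    }
}
EOF

    # Assumed translation: one-to-one and bidirectional, so backbone hosts
    # reach A/24 through the N/24 addresses OSPF now advertises.
    cat > "$ROOT/etc/pf.conf.nat-pool" <<EOF
# include "/etc/pf.conf.nat-pool" from pf.conf, before the filter rules
match on $backbone inet from $real to any binat-to $pool
EOF
}

# Checks to run on the firewall once the files are in place (assumed order):
#   ospfd -n -f /etc/ospfd.conf && pfctl -n -f /etc/pf.conf
#   sh /etc/netstart vether0 && rcctl restart ospfd && pfctl -f /etc/pf.conf
#   ospfctl show fib | grep <pool>        # prefix known locally
# and on a backbone router:  ospfctl show rib | grep <pool>
```

Running "write_nat_announce_config 10.0.0.0/24 192.0.2.0/24 vmx1 0.0.0.0" as root on the firewall produces the three files; the ospfctl checks at the end are what confirm that the /24, not a /32, reached the backbone RIB.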



Re: rdomain with BGP dynamic route

2015-07-27 Thread BARDOU Pierre
Hello,

I think this is what I tried a while ago, which is not possible.
See
http://openbsd-archive.7691.n7.nabble.com/Multi-VRF-bgpd-no-MPLS-td248639.html

bgpd.conf(5) says: "Currently the routing table must belong to the default
routing domain"

--
Regards,
Pierre BARDOU

-Original Message-
From: XU, YANG (YANG) [mailto:y...@research.att.com]
Sent: Sunday, 26 July 2015 14:28
To: misc@openbsd.org
Subject: Re: rdomain with BGP dynamic route

Thanks for the info. I read the rdomain configuration section. My problem is 
how to put prefix learned dynamically from a BGP neighbor to a specific rdomain 
(not default rdomain 0). Sadly, I still don't know if that's possible. 

Regards,
-Yang



From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Alexander 
Salmin [alexan...@salmin.biz]
Sent: 25 July 2015 17:36
To: misc@openbsd.org
Subject: Re: rdomain with BGP dynamic route

Hey,

man 5 bgpd.conf

See section Routing Domain Configuration and parameters export-target and 
import-target. I suspect that is what you want.

Alexander Salmin

On 2015-07-24 13:47, XU, YANG (YANG) wrote:
> Let me describe it in another way. Can I create a new rdomain as a VRF and
> use the rdomain to import/export customer's prefix through BGP?
>
> I will greatly appreciate it if you can provide any information. I have seen
> some information online, but prefix is either from static configuration or
> connected network. In my case, I need to support dynamic routes from BGP in
> VRF.
>
> Thanks,
> -Yang



 
> From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of XU,
> YANG  (YANG)
> Sent: 23 July 2015 08:06
> To: misc@openbsd.org
> Subject: rdomain with BGP dynamic route
>
> Hi all,
>
> I am configuring OpenBSD bgpd so that it can relay the routes learned from
> customer BGP servers to a route reflector (RR). Customer BGP servers only
> speak IPv4 BGP, so my OpenBSD bgpd needs to add different route-distinguisher
> and route-target to the dynamic routes learned from each customer BGP
> neighbor before forwarding to RR. As I understand, I should be able to use
> rdomain to implement this. What I really need conceptually is to attach a BGP
> neighbor to a rdomain, so that dynamic routes learned from that BGP neighbor
> are added to the specified rdomain.  But I failed to find a way to do this in
> OpenBSD. Does anyone know if this is possible and give me a BGP configuration
> example?
>
> Many thanks in advance,
>
> -Yang



PF monitoring

2014-10-10 Thread BARDOU Pierre
Hello,

I'm looking for performance indicators to be warned if my PF firewall is about
to be overwhelmed.
I heard about congestion in pfctl -si, net.inet.ip.ifq.drops and
kern.netlivelocks.

I searched the man pages pfctl(8) and sysctl(3), but I didn't find a clear
explanation of what these numbers mean.
Could someone around here clarify that please?

Many thanks

--
Regards,

Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr

Before printing this e-mail, think of the environment
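As an added example around the three indicators named above (not code from the thread or from OpenBSD): a small watchdog that reads the congestion and state-limit lines from the Counters section of "pfctl -si" (both are drop counters: packets PF refused, the first while the IP input queue was congested, the second because the state limit was reached), the "current entries" line of the state table against the "states hard limit" from "pfctl -sm", and the sysctls net.inet.ip.ifq.drops (packets dropped because the IP input queue was full) and kern.netlivelocks (how often the kernel detected a network livelock and throttled input). All of them only ever grow, so the script samples them and warns when the growth between two samples exceeds a threshold. The parsers rely on the column layout of those two pfctl commands; the thresholds and the 80% state-table warning are assumptions.

```shell
#!/bin/sh
# pfwatch.sh: hypothetical PF / network-stack pressure watchdog for OpenBSD
# (added example, not from the thread). Thresholds are assumptions.

# Named line from the Counters section of `pfctl -si` (read on stdin),
# e.g. congestion, state-limit, memory; prints the absolute count.
pf_counter() {
    awk -v n="$1" '$1 == n { print $2; exit }'
}

# "current entries" of the state table from `pfctl -si` on stdin.
pf_states_current() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# "states hard limit" from `pfctl -sm` on stdin.
pf_states_limit() {
    awk '$1 == "states" { print $4; exit }'
}

# Integer percentage $1 of $2 (0 when the limit is unknown or zero).
pct_used() {
    [ "${2:-0}" -gt 0 ] && echo $(( $1 * 100 / $2 )) || echo 0
}

# Compare two samples of one counter; warn (and return 1) if it grew by more
# than the threshold. These counters never decrease, so growth is new trouble.
judge() {   # $1 label, $2 previous, $3 current, $4 max growth per interval
    delta=$(( $3 - $2 ))
    if [ "$delta" -gt "$4" ]; then
        echo "WARN $1 +$delta in last interval (threshold $4)"
        return 1
    fi
    return 0
}

# One sample: congestion state-limit current-states ifq.drops netlivelocks
snapshot() {
    si=$(pfctl -si)
    printf '%s %s %s %s %s\n' \
        "$(printf '%s\n' "$si" | pf_counter congestion)" \
        "$(printf '%s\n' "$si" | pf_counter state-limit)" \
        "$(printf '%s\n' "$si" | pf_states_current)" \
        "$(sysctl -n net.inet.ip.ifq.drops)" \
        "$(sysctl -n kern.netlivelocks)"
}

# Sample loop: `pfwatch.sh --watch 60`, e.g. under nohup with output to logger.
if [ "${1:-}" = "--watch" ]; then
    interval="${2:-60}"
    limit=$(pfctl -sm | pf_states_limit)
    read -r p_cong p_slim p_cur p_drops p_ll <<EOF
$(snapshot)
EOF
    while sleep "$interval"; do
        read -r cong slim cur drops ll <<EOF
$(snapshot)
EOF
        judge congestion   "$p_cong"  "$cong"  0     # any congestion drop is worth a look
        judge state-limit  "$p_slim"  "$slim"  0
        judge ifq.drops    "$p_drops" "$drops" 100
        judge netlivelocks "$p_ll"    "$ll"    0
        [ "$(pct_used "$cur" "$limit")" -ge 80 ] && echo "WARN state table $cur/$limit entries"
        p_cong=$cong; p_slim=$slim; p_drops=$drops; p_ll=$ll
    done
fi
```

The first sample is taken before the loop so that the totals accumulated since boot do not trigger a warning on start-up; only growth during the watched interval is reported.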



Re: openbgpd rdomain/rtable (vrf-lite)

2014-09-01 Thread BARDOU Pierre
Hello,

I tried to do a similar setup. I tried different configurations without success.
Then I found this in the manpage: "Currently the routing table must belong to
the default routing domain and nexthop verification happens on table 0."

So I think OpenBGPD is not (yet?) able to do this.

--
Regards,
Pierre BARDOU

-Original Message-
From: Pierre Emeriaud [mailto:petrus.lt+open...@gmail.com]
Sent: Saturday, 30 August 2014 17:50
To: misc@openbsd.org
Subject: openbgpd rdomain/rtable (vrf-lite)

Hello misc@,


I'd like to set up bgpd with multiple routing tables, a la vrf-lite (ie without 
mpls and mp-bgp).


What works:
- peering within a rtable/rdomain
- receiving the routes

What doesn't work:
- nexthop is never validated
 - routes are never installed in fib

Configuration is pretty straightforward:

# cat bgpd.conf
AS 64751
router-id 172.22.151.130
listen on 172.22.151.130  # loopback
listen on 172.22.151.251  # interface towards peer
rtable 10
group "ibgp peering AS64751" {
    remote-as 64751
    neighbor 172.22.151.245 {
        descr "beta"
        announce self
    }
}

bgpd is started as such:
 route -n -T10 exec bgpd -d -v -f /etc/bgpd/bgpd.conf

Peering gets up, and routes received:
# bgpctl -n show sum
Neighbor   ASMsgRcvdMsgSent  OutQ Up/Down  State/PrfRcvd
172.22.151.245  64751  10851   6373 0 2d05h05m338

Routes are received in rtable 0:

# bgpctl show rib in | head
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination     gateway          lpref   med aspath origin
I     10.0.0.0/16     172.22.151.245     100     0 64734.14918 64734.12596 65112 65530 i
I     10.1.0.0/16     172.22.151.245     100     0 64734.14918 64734.12596 65112 65530 i
I     10.8.0.0/16     172.22.151.245     100     0 64734.12699 1.10582 65053 i
I     10.11.0.0/18    172.22.151.245     100     0 64828 64609 i
I     10.11.64.0/18   172.22.151.245     100     0 64828 1.10567 1.10594 i
I     10.15.0.0/16    172.22.151.245     100     0 64828 1.10604 65079 i

And indeed, 172.22.151.245 is not reachable in rtable0.

If I use 'rde rib "foo" no evaluate', routes are put in the 'foo' rib, but still
not installed.

If I use 'rde rib "foo" rtable 10', I get the following error:
'/etc/bgpd/bgpd.conf:20: rtable 10 does not belong to rdomain 0'

I tried to use 'rdomain 10' in the config file, but that looks very 
mpls-oriented (mp-bgp peering in GRT, which works fine btw).


Have I missed something, or am I asking for something currently unsupported?


Thanks, and sorry for the long post,
--
petrus



Re: openbgpd rdomain/rtable (vrf-lite)

2014-09-01 Thread BARDOU Pierre
I ended up with static routing, it was an acceptable setup in my case and I had
never heard of bird.
But if you succeed please tell me.

--
Regards,
Pierre BARDOU


-Original Message-
From: petrus...@gmail.com [mailto:petrus...@gmail.com] On behalf of Pierre
Emeriaud
Sent: Monday, 1 September 2014 14:35
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: openbgpd rdomain/rtable (vrf-lite)

Hi Pierre,

> I tried to do a similar setup. I tried different configurations without
> success.

Yup, I saw your post on misc@ a few days ago when I was looking for some 
pointers.

> Then I found this in the manpage: "Currently the routing table must belong
> to the default routing domain and nexthop verification happens on table 0."


I saw that too, but as this is not entirely accurate (multiple rdomains is 
possible, though with mpbgp), I told myself I had to try.

What solution did you end up with? Have you tried to do the same with bird?


--
petrus



Re: Pflow granularity

2014-06-04 Thread BARDOU Pierre
Hello,

Many thanks for the idea, I didn't know about softflowd.

But I wonder if it is production ready:
* It seems there are no new developments:
https://code.google.com/p/softflowd/source/list
* The TODO list is quite long, and has not moved since 2007.
* The counters are not 64 bit, thus flows are limited to 2 Gb
* There is no multiple interface support, all flows are exported with IfIndex 0

I am testing it anyway, it gives me correct graphs with -t maxlife=60.
It's really sad that pflow doesn't have such an option, it would be perfect.

--
Regards,
Pierre BARDOU


-Original Message-
From: Andy [mailto:a...@brandwatch.com]
Sent: Monday, 2 June 2014 18:01
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Pflow granularity

I think you might have to try softflowd instead of the built-in sflowd..

These guys had the same problem and moved to softflowd to allow them to analyse 
DDOS traffic with netflow..

https://ripe68.ripe.net/presentations/276-DDoS.pdf

Cheers, Andy.


On Mon 02 Jun 2014 14:38:33 BST, BARDOU Pierre wrote:
> Hello,
>
> I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in
> the implementation: only global statistics about the flow are given (start
> time, end time, IP/port source, IP/port dest, bits in both ways, ...). So as
> an example if somebody establishes an sftp connection, downloads a file @10
> Mbps for 2 mins, then waits 2 min and ends the connection, all I will see in
> the netflow report is a 5 Mbps flow, and I will never know that my 10 Mbps
> link was saturated.
>
> I saw questions about this were already posted on misc@:
> http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html
>
> Some diffs were even posted:
> http://marc.info/?l=openbsd-misc&m=124661838923498&w=2
>
> But it seems they never made their way to the base system.
>
> Is there any way to break up long flows into fragments, like the Cisco command
> "ip flow-cache timeout active" does?
>
> --
> Regards,
>
> Pierre BARDOU
> Network engineer - P2I Infrastructure
> 05 67 69 71 84
>
> MiPih
> 12, rue Michel Labrousse - BP93668
> 31036 TOULOUSE Cedex 1
> www.mipih.fr
>
> Before printing this e-mail, think of the environment



Pflow granularity

2014-06-02 Thread BARDOU Pierre
Hello,

I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in
the implementation: only global statistics about the flow are given (start
time, end time, IP/port source, IP/port dest, bits in both ways, ...). So as an
example if somebody establishes an sftp connection, downloads a file @10 Mbps
for 2 mins, then waits 2 min and ends the connection, all I will see in the
netflow report is a 5 Mbps flow, and I will never know that my 10 Mbps link was
saturated.

I saw questions about this were already posted on misc@:
http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html

Some diffs were even posted:
http://marc.info/?l=openbsd-misc&m=124661838923498&w=2

But it seems they never made their way to the base system.

Is there any way to break up long flows into fragments, like the Cisco command
"ip flow-cache timeout active" does?

--
Regards,

Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84

MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr

Before printing this e-mail, think of the environment



Re: Multi-VRF bgpd (no MPLS)

2014-05-22 Thread BARDOU Pierre
Hello,

I think I can reply to myself: bgpd.conf(5) says "currently the routing table
must belong to the default routing domain".
So for now what I'm trying to do is just not possible with OpenBSD + bgpd.

Does anybody know if it is planned to implement this functionality?
Maybe I could help with testing, as my C skills are far below what is needed to
do that?

--
Regards,
Pierre BARDOU


-Original Message-
From: BARDOU Pierre
Sent: Monday, 19 May 2014 11:30
To: misc@openbsd.org
Subject: Multi-VRF bgpd (no MPLS)

Hello,

I'm trying to prevent my boss from buying an ASA 5585-X and to use an OpenBSD
box instead. NAT on ASA is such a pain...
The use would be a WAN firewall, routing for sites with potentially identical
IP ranges. Overlapping IP ranges are translated by the firewall so that from
the point of view of the main site every IP is different.
Currently, this is done using ASA contexts and static routing. I'd like to do
the same with OpenBSD plus BGP routing.

So I started to set up a PF box with VRFs (one BSD VRF - one ASA context),
this works like a charm.

Problems start when I try to do BGP routing: basically what I need is one BGP
daemon running in each VRF.
I tried to launch BGP with "route -T <VRF number> exec bgpd -f
/etc/bgpd.conf.<VRF number>"; it learns routes from the WAN, but doesn't inject
them into rdomain <VRF number>.

I dealt with the problem of nexthop qualification in rdomain 0 using "nexthop
qualify via default".

I have messages like these in my logs:
neighbor 10.200.18.209 (ADH200_EXT): state change OpenConfirm -> Established,
reason: KEEPALIVE message received
nexthop 10.200.18.209 now valid: via 10.194.126.254
send_rtmsg: action 1, prefix 10.199.13.112/28: Network is unreachable
send_rtmsg: action 1, prefix 10.199.12.112/28: Network is unreachable

My bgpd.conf :
# grep -v ^# bgpd.adh200
peer_adh200_int=10.200.6.57
peer_adh200_ext=10.200.18.209
pool_adh200=10.199.12.112/28

AS 65040
router-id 10.194.126.241
listen on 10.200.18.214
listen on 10.200.6.62
rtable 200

nexthop qualify via default

neighbor $peer_adh200_int {
 descr ADH200_INT
 remote-as 65040
}
neighbor $peer_adh200_ext {
 descr ADH200_EXT
 remote-as 65041
}

Some bgpctl show :
# bgpctl sh nex
Flags: * = nexthop valid

  Nexthop Route  Prio Gateway Iface
* 10.200.18.209   0.0.0.0/0 8 10.194.126.254  vlan3080 (UP, active)
# bgpctl sh rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination  gateway  lpref   med aspath origin
*>    10.199.12.112/28 10.200.18.209      100     0 65041 i
*>    10.199.13.112/28 10.200.18.209      100     0 65041 i
# route -T 200 show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.200.18.209      UGS        0        0     -     8 carp450
10/8               sw-t-wan-adh200    UGS        0        0     -     8 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
sw-t-wan-adh200    00:08:e3:ff:fc:08  UHLc       3       38     -     4 carp2200
10.200.6.62        00:00:5e:00:01:01  UHLc       0        1     -     4 lo0
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         1        0     -     4 carp450
10.200.18.209      00:1e:c9:49:17:d8  UHLc       2      234     -     4 carp450
172.16/12          sw-t-wan-adh200    UGS        0        0     -     8 carp2200
192.168/16         sw-t-wan-adh200    UGS        0        0     -     8 carp2200

Any idea why those routes are not injected?

Thanks
--
Regards,

Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84

MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr

Before printing this e-mail, think of the environment



Multi-VRF bgpd (no MPLS)

2014-05-19 Thread BARDOU Pierre
Hello,

I'm trying to prevent my boss from buying an ASA 5585-X and to use an OpenBSD
box instead. NAT on ASA is such a pain...
The use would be a WAN firewall, routing for sites with potentially identical
IP ranges. Overlapping IP ranges are translated by the firewall so that from
the point of view of the main site every IP is different.
Currently, this is done using ASA contexts and static routing. I'd like to do
the same with OpenBSD plus BGP routing.

So I started to set up a PF box with VRFs (one BSD VRF - one ASA context),
this works like a charm.

Problems start when I try to do BGP routing: basically what I need is one BGP
daemon running in each VRF.
I tried to launch BGP with "route -T <VRF number> exec bgpd -f
/etc/bgpd.conf.<VRF number>"; it learns routes from the WAN, but doesn't inject
them into rdomain <VRF number>.

I dealt with the problem of nexthop qualification in rdomain 0 using "nexthop
qualify via default".

I have messages like these in my logs:
neighbor 10.200.18.209 (ADH200_EXT): state change OpenConfirm -> Established,
reason: KEEPALIVE message received
nexthop 10.200.18.209 now valid: via 10.194.126.254
send_rtmsg: action 1, prefix 10.199.13.112/28: Network is unreachable
send_rtmsg: action 1, prefix 10.199.12.112/28: Network is unreachable

My bgpd.conf :
# grep -v ^# bgpd.adh200
peer_adh200_int=10.200.6.57
peer_adh200_ext=10.200.18.209
pool_adh200=10.199.12.112/28

AS 65040
router-id 10.194.126.241
listen on 10.200.18.214
listen on 10.200.6.62
rtable 200

nexthop qualify via default

neighbor $peer_adh200_int {
 descr ADH200_INT
 remote-as 65040
}
neighbor $peer_adh200_ext {
 descr ADH200_EXT
 remote-as 65041
}

Some bgpctl show :
# bgpctl sh nex
Flags: * = nexthop valid

  Nexthop Route  Prio Gateway Iface
* 10.200.18.209   0.0.0.0/0 8 10.194.126.254  vlan3080 (UP, active)
# bgpctl sh rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination  gateway  lpref   med aspath origin
*>    10.199.12.112/28 10.200.18.209      100     0 65041 i
*>    10.199.13.112/28 10.200.18.209      100     0 65041 i
# route -T 200 show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.200.18.209      UGS        0        0     -     8 carp450
10/8               sw-t-wan-adh200    UGS        0        0     -     8 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
sw-t-wan-adh200    00:08:e3:ff:fc:08  UHLc       3       38     -     4 carp2200
10.200.6.62        00:00:5e:00:01:01  UHLc       0        1     -     4 lo0
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         1        0     -     4 carp450
10.200.18.209      00:1e:c9:49:17:d8  UHLc       2      234     -     4 carp450
172.16/12          sw-t-wan-adh200    UGS        0        0     -     8 carp2200
192.168/16         sw-t-wan-adh200    UGS        0        0     -     8 carp2200

Any idea why those routes are not injected?

Thanks
--
Regards,

Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84

MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr

Before printing this e-mail, think of the environment



Re: OpenBSD ipsec performance on modern HW

2013-07-22 Thread BARDOU Pierre
Hi,

The testbed has been reused since I ran the tests, but the config was something
standard like:

ike esp from a.b.c.d/24 to e.f.g.h/24 peer i.j.k.l \
    main auth hmac-sha1 enc aes-256 \
    quick auth hmac-sha1 enc aes-256 psk "secret"

If I remember correctly, for AES-GCM there is no auth parameter, and it is
phase 2 only. So it was something like:
ike esp from a.b.c.d/24 to e.f.g.h/24 peer i.j.k.l \
    main auth hmac-sha1 enc aes-256 \
    quick enc aes-256-gcm psk "secret"

If I've made syntax errors, ipsecctl will tell you quickly btw.

--
Regards,
Pierre BARDOU

From: Evgeniy Sudyr [mailto:eject.in...@gmail.com]
Sent: Sunday, 21 July 2013 13:17
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBSD ipsec performance on modern HW

All,

during my tests I saw that CPU usage on all cores and memory usage were very low.
Just interested whether there are any bottlenecks and how to fix them.
1) Does anybody do TCP stack tuning for high speed IPsec?
2) Can I run IPsec (that's isakmpd?) on other cores?

Pierre,
can you share your ipsec config so I can check the same on my side.



Re: OpenBSD ipsec performance on modern HW

2013-07-16 Thread BARDOU Pierre
Hello,

I did some testing with an AES-NI enabled CPU.
You can find the results in the list archives, here:
http://old.nabble.com/Re%3A-ipsec-tunnel-speeds-p34080479.html

Increasing the number of CPUs is useless (if I have understood correctly how it
works): IPsec only runs on the first core.

--
Regards,
Pierre BARDOU


-Original Message-
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Tuesday, 16 July 2013 00:51
To: Evgeniy Sudyr
Cc: misc@openbsd.org; mi...@openbsd.org
Subject: Re: OpenBSD ipsec performance on modern HW

Evgeniy Sudyr [eject.in...@gmail.com] wrote:
>
> BOX1 dmesg:
> cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.45 MHz
> cpu1: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu2: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu3: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu4: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu5: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu6: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu7: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu8: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu9: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
> cpu10: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
> cpu11: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
> cpu12: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu13: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu14: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
> cpu15: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
>
>
> BOX2 dmesg:
> cpu0: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.98 MHz
> cpu1: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu2: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu3: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu4: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu5: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu6: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu7: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz

I think to get better performance, you need to add more CPUs and more RAM.

16 CPUs and 32GB of RAM is hardly enough to get more than 270Mbps encryption 
throughput.

Ok, maybe I'm exaggerating. You won't see a difference between a dual core CPU of
similar spec with 1GB of RAM and what you have now.

Really, OpenBSD needs to use more than one of your 16 cores at a time for 
encryption if you want higher speed. 

Some people talked about giving the encryption system its own core to work on 
so it doesn't compete with the rest of the kernel. That would help you get 
somewhat higher throughput. But the real solution for getting significant speed 
boosts on kernel-based IPsec with your type of hardware is much farther off. 
You can only hope for small improvements until that magical work is completed 
by the master magicians.



Re: PF sync doesn't not work very well

2013-07-04 Thread BARDOU Pierre
Hello,

I don't know if this may help you, but I have a working BGP setup with two 
routers active/active.
I don't use pfsync, but keep state (sloppy).

This is less secure according to pf.conf(5), but that's not really a concern 
for me as those routers are not my border firewalls...
But maybe I am mistaken doing this?

--
Best regards,
Pierre BARDOU


-Original Message-
From: David Gwynne [mailto:da...@gwynne.id.au]
Sent: Thursday 4 July 2013 09:47
To: loic.b...@unix-experience.fr
Cc: misc@openbsd.org
Subject: Re: PF sync doesn't not work very well

On 03/07/2013, at 6:23 PM, Loïc Blot loic.b...@unix-experience.fr wrote:

 Okay, defer is now enabled on the pfsync interface (sorry for my last
 idea, I didn't have the man page on me :) ).
 It seems the problem isn't resolved.
 The transfer starts but blocks at a random time.

i have hit this too, despite being the person most responsible for trying to 
make pfsync work in active-active (hi bob!) configurations.

the problem is the tcp window tracking pf does, and how pfsync tries to cope 
with different routers being responsible for different halves of the packet 
flow. pfsync tries to merge each side of the tcp windows and tries to detect 
split paths to exchange updates more rapidly for those states. however, i find 
at some point the actual tcp windows move too fast for pfsync to keep up and 
all the real packets fall out of the window, causing the stalls you're talking 
about.

my solution is to try and prefer one half of the firewalls for all traffic, and 
use the second for handling failure. the split path handling works well enough 
that we can support traffic while we change roles (moving master to slave and 
slave to master) and the upstream hasn't figured it out yet via ospf.

sorry for the bad news. i might try and have a look at the state merge code 
again and see if there's something obvious i am missing.

cheers,
dlg

 --
 Best regards,
 
 Loïc BLOT, Engineering
 UNIX Systems, Security and Networks
 http://www.unix-experience.fr
 
 
 On Wednesday 03 July 2013 at 08:12 +0200, Loïc BLOT wrote:
 Hi,
 Thanks for your reply. I wasn't careful about this section.
 If I understand, I must add the defer option to my WAN iface (or am I wrong,
 must I add it to my vlan995 iface?)?
 
 I will test it this morning, and return back to misc :)
 --
 Best regards,
 Loïc BLOT,
 UNIX systems, security and network expert 
 http://www.unix-experience.fr
 
 
 On Wednesday 03 July 2013 at 02:02 +0200, mxb wrote:
 pfsync(4) explains this:
 
  The pfsync interface will attempt to collapse multiple state updates into
 a single packet where possible.  The maximum number of times a single
 state can be updated before a pfsync packet will be sent out is
 controlled by the maxupd parameter
 
 
 and
 
  Where more than one firewall might actively handle packets, e.g. with
 certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial to
 defer transmission of the initial packet of a connection.  The pfsync
 state insert message is sent immediately; the packet is queued until
 either this message is acknowledged by another system, or a timeout has
 expired.  This behaviour is enabled with the defer parameter to
 ifconfig(8).
 
 
 
 Eg. defer: on, yours is off.
 
 //mxb
 
 
 On 2 Jul 2013, at 21:54, Loïc BLOT loic.b...@unix-experience.fr wrote:
 
 Hi all
 I have a strange issue (or I haven't read pfsync correctly but I
 don't think this is the problem :D)
 
 I'm using 2 OpenBSD as BGP+OSPF routers at the border of one site.
 
 Those BGP routers are secured with strong PF in stateful mode, and
 the stateful filtering is working very well on each router. Because of my
 full mesh BGP configuration, the outgoing layer 7 sessions can
 leave my network by one router and responses can come in by the other.
 
 To resolve this issue, I have created a dedicated VLAN for the
 pfsync traffic and attached pfsync to this VLAN.
 
 Here is a sample output of ifconfig on my first router:
 
 vlan995: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr a0:36:9f:10:4a:a6
   priority: 0
   vlan: 995 parent interface: trunk1
   groups: vlan
   status: active
   inet6 fe80::a236:9fff:fe10:4aa6%vlan995 prefixlen 64 scopeid 0x10
   inet 10.117.1.129 netmask 0xfffffff8 broadcast 10.117.1.135
 pfsync0: flags=41<UP,RUNNING> mtu 1500
   priority: 0
   pfsync: syncdev: vlan995 maxupd: 255 defer: off
   groups: carp pfsync
 
 And here on my second router:
 
 vlan995: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr a0:36:9f:17:e2:1e
   priority: 0
   vlan: 995 parent interface: trunk1
   groups: vlan
   status: active
   inet6 fe80::a236:9fff:fe17:e21e%vlan995 prefixlen 64 scopeid 0x10
   inet 10.117.1.130 netmask 0xfffffff8 broadcast 10.117.1.135
 pfsync0: flags=41<UP,RUNNING> mtu 1500
   priority: 0
   pfsync: syncdev: vlan995 maxupd: 255 defer: 
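
Pierre's `keep state (sloppy)` and dlg's description of TCP window tracking on split paths are two sides of one mechanism. The following is an added example, not code from this thread or from pf itself: a toy Python model of pf's full TCP tracking next to the sloppy tracker, showing why a router that sees only one half of a flow drops it under full tracking unless a pfsync update about the other half arrives in time, and why sloppy also lets a forged RST on a known 4-tuple through (the "less secure" part of pf.conf(5)). The window arithmetic is a simplification of the van Rooij sequence-tracking idea pf implements, not pf's code; the endpoints, initial sequence numbers and the "pfsync update" call are constructed for the example.

```python
"""Toy model of pf's two TCP state-tracking modes on an active/active pair.

Added illustration, not pf's code.  The window arithmetic is a simplified
version of the sequence-tracking idea pf implements; it reproduces only the
two behaviours this thread relies on: full tracking needs both ends' sequence
space (so one router seeing one half of a flow drops it unless pfsync fills
in the other half), and `keep state (sloppy)` skips that check entirely.
Addresses, initial sequence numbers and packets are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

MAXACKWINDOW = 0xFFFF  # slack allowed on ACK numbers (same name as pf's constant)


@dataclass
class Pkt:
    src: str
    dst: str
    flags: str            # subset of "SAFRP"
    seq: int
    ack: int = 0
    win: int = 65535
    length: int = 0


@dataclass
class Side:
    seqlo: Optional[int] = None   # first sequence number seen from this end
    seqhi: Optional[int] = None   # highest end-of-segment seen from this end
    max_win: int = 0              # largest window this end has advertised


@dataclass
class State:
    client: str                   # address:port that sent the SYN
    c: Side = field(default_factory=Side)
    s: Side = field(default_factory=Side)


def flow_key(p):
    return tuple(sorted((p.src, p.dst)))


def seg_end(p):
    return p.seq + p.length + ("S" in p.flags) + ("F" in p.flags)


class Tracker:
    def __init__(self, sloppy=False):
        self.sloppy = sloppy
        self.states = {}

    def sync_update(self, key, end_name, seqlo, seqhi, win):
        """Model of a pfsync update from the other router describing the end
        ("c" or "s") of the connection this router never saw itself."""
        setattr(self.states[key], end_name, Side(seqlo, seqhi, win))

    def process(self, p):
        st = self.states.get(flow_key(p))
        end = seg_end(p)
        if st is None:
            if "S" in p.flags and "A" not in p.flags:
                self.states[flow_key(p)] = State(client=p.src, c=Side(p.seq, end, p.win))
                return "pass:new-state"
            return "drop:no-state"
        src, dst = (st.c, st.s) if p.src == st.client else (st.s, st.c)
        if self.sloppy:
            return "pass:sloppy"          # 4-tuple matched; nothing else is checked
        if src.seqlo is None:             # first segment from this end
            src.seqlo, src.seqhi, src.max_win = p.seq, end, p.win
        else:
            # the segment has to fit in the window the *other* end advertised
            if p.seq < src.seqlo - MAXACKWINDOW or end > src.seqhi + dst.max_win:
                return "drop:seq-outside-window"
            src.seqhi = max(src.seqhi, end)
            src.max_win = max(src.max_win, p.win)
        if "A" in p.flags:
            # an ACK must point into the peer's sequence space; a peer we never
            # saw and were never told about cannot be validated
            if dst.seqlo is None or not (dst.seqlo - MAXACKWINDOW <= p.ack <= dst.seqhi + MAXACKWINDOW):
                return "drop:ack-outside-peer-window"
        return "pass"


C, S = "10.0.0.1:40000", "192.0.2.10:443"   # constructed endpoints
CI, SI = 1000, 5000                         # constructed initial sequence numbers


def split_path(sloppy, pfsync_in_time):
    """Router A carries client->server only; the SYN/ACK returns via router B."""
    t = Tracker(sloppy)
    verdicts = [t.process(Pkt(C, S, "S", CI))]
    if pfsync_in_time:                      # router B tells us what the server sent
        t.sync_update(tuple(sorted((C, S))), "s", SI, SI + 1, 65535)
    verdicts.append(t.process(Pkt(C, S, "A", CI + 1, SI + 1)))
    verdicts.append(t.process(Pkt(C, S, "PA", CI + 1, SI + 1, length=100)))
    return verdicts


def forged_rst(sloppy, rst_seq):
    """Both halves seen on one router, then a RST arrives on the 4-tuple."""
    t = Tracker(sloppy)
    for p in (Pkt(C, S, "S", CI), Pkt(S, C, "SA", SI, CI + 1), Pkt(C, S, "A", CI + 1, SI + 1)):
        t.process(p)
    return t.process(Pkt(S, C, "R", rst_seq))


if __name__ == "__main__":
    print("full, no pfsync   :", split_path(False, False))
    print("full, pfsync ok   :", split_path(False, True))
    print("sloppy            :", split_path(True, False))
    print("full,   bogus RST :", forged_rst(False, SI + 10_000_000))
    print("sloppy, bogus RST :", forged_rst(True, SI + 10_000_000))
```

The first three runs are dlg's point: with full tracking the client's third-handshake ACK and its first data segment are dropped on the router that never saw the SYN/ACK, and they pass once the pfsync update has filled in the server side; if the windows move faster than pfsync can merge them, the tracker is back in the first case, which is the stall. The last two runs are the pf.conf(5) caveat Pierre mentions: sloppy accepts a RST whose sequence number is nowhere near the connection's window as long as the 4-tuple matches.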

Re: Running OpenBSD on Raspberry Pi

2013-01-09 Thread BARDOU Pierre
Hello, 

Many thanks for all those advices.
All of them make sense, but :
* A used computer (I have plenty of them) costs 50-100€ a year in power (and is
big and heats a lot, but that's not my main concern).
* Alix or Soekris are nice hardware, but expensive for me. I intend to build a
home router to play a bit with networking, not an enterprise grade solution.
* The Raspberry costs 50€ with power adapter, 16 GB SD card and case. I added 15€
for a wifi USB dongle and 20€ for an 802.1q switch. The power adapter is a 5V
1A, so it uses 5W power or less.

TCO on five years :
Alix : 200€ hardware (with power supply, CF, WiFi and case), 25€ power = 225€
Used computer from my closet : 0€ hardware, at least 250€ power = 250 €
Raspberry : 85€ hardware, 25€ power = 110€

Half price. So I bought a Raspberry. It does routing, firewalling, Samba PDC
with LDAP, DNS and DHCP.
The only drawback: I have to use iptables (no need to recompile, works OOTB),
and I found its syntax way less pleasant to use than its PF counterpart.

Unfortunately, my coding skills are way too limited to try to port OpenBSD...
So if nobody around thinks it's worth the trouble to do it (for some good
reasons I read in this thread), no problem. I'll stick with OpenBSD at work, and
play with Linux at home.

--
Best regards,
Pierre BARDOU

From: Andres Genovez [mailto:andresgeno...@gmail.com]
Sent: Wednesday 9 January 2013 21:21
To: Gene
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: Running OpenBSD on Raspberry Pi


2013/1/9 Gene gh5...@gmail.com
On Wed, Jan 9, 2013 at 10:54 AM, Andres Genovez andresgeno...@gmail.com wrote:
 2012/12/31 BARDOU Pierre bardo...@mipih.fr

 Hello,

 I would be very interested by an OpenBSD port too.
 Usage : home router with firewall, DNS and DHCP.

 I am looking into FreeBSD and NetBSD ports, but I would prefer to have the
 latest PF and OpenSSH versions... plus I am more used to OpenBSD and I like
 using it :-)

 If somebody knows X86 hardware able to do the same (routing/firewalling 20
 mbps traffic, VLAN, fits in a tiny box, power consumption below 5W, price
 around 50$) as the raspberry I am interested BTW.

 I am interested too, can somebody give an advice on what hardware to use?
 maybe 5 lan or at least two lan? an below 100?

For under $100 USD your best bet is to look for a used computer on
craigslist or a yard sale and install another NIC in it.  But, this
will not get you at 5 watts or less.

For under $200 look at either PC Engines ALIX boards or Soekris.  eBay
has plenty of them.  You can manage 5W or less this route.

For the Raspberry Pi you will not get OpenBSD.  You will have to use
Linux and configure it manually, including recompiling the kernel with
iptables support.  You *might* be able to get under $100, but it won't
be under 5 watts and it will be a jalopy.  USB ethernet adapters start
around $25 new.
Thanks, I will look forward to those, because a Mikrotik is under 100, and
features over 1000.
 
-Gene



-- 
Atentamente

Andrés Genovez Tobar / DTIT
Elastix ECE - Linux  LPI-1 - Novell CLA - Apple ACMT - Mikrotik 
MTCNA/MTCTCE/MTCRE/MTCWE
http://www.cspmsa.com



Re: Running OpenBSD on Raspberry Pi

2012-12-31 Thread BARDOU Pierre
Hello,

I would be very interested by an OpenBSD port too.
Usage : home router with firewall, DNS and DHCP.

I am looking into FreeBSD and NetBSD ports, but I would prefer to have the 
latest PF and OpenSSH versions... plus I am more used to OpenBSD and I like 
using it :-)

If somebody knows X86 hardware able to do the same (routing/firewalling 20 mbps
traffic, VLAN, fits in a tiny box, power consumption below 5W, price around 
50$) as the raspberry I am interested BTW.

--
Best regards,
Pierre BARDOU


-Original Message-
From: Doug Brewer [mailto:brewer.d...@gmail.com]
Sent: Monday 31 December 2012 09:39
To: KarlOskar Rikås; misc@openbsd.org
Subject: Re: Running OpenBSD on Raspberry Pi

On Mon, Dec 31, 2012 at 12:13 AM, Tobias Ulmer  wrote:
 On Sun, Dec 30, 2012 at 05:01:23PM +0100, KarlOskar Rikås wrote:
 Hi, I wonder if it's possible to run OpenBSD on Raspberry Pi.

 Is there any image ready for putting on my SD card and boot up? If 
 not, is there any manual or guide how to make one?

 No it's not possible and there are no plans to change that. Search the 
 archives if you're interested in the reasons.

 In short, there is plenty of better performing and better documented 
 hardware available for nearly the same price. This makes the rpi 
 unattractive for developers.

If so, try install FreeBSD. Last time I checked, it worked pretty well for me.

BR,
Doug.



Re: ipsec tunnel speeds

2012-06-27 Thread BARDOU Pierre
Hello,

I am just doing some IPsec performance tests on shiny new DL 380 G8 (CPU is
Intel(R) Xeon(R) CPU E5-2643 @ 3.30GHz).

Here is the setup :
Two Optiplex - HP DL380 G8 - HP DL 380 G8 - Two Optiplex
Intel Gb NIC in every computer
All running 5.2-beta amd64 compiled yesterday
2x1gb trunk between the DL 380 g8
Max throughput is measured with tcpbench -n 10, max PPS is with tcpbench -u -B 64

I got those results:

                 Max throughput   Max PPS
Unencrypted      1800 Mbps        250 kpps
AES 256          410 Mbps         70 kpps
AES 256 GCM      570 Mbps         95 kpps
AES 128          430 Mbps         75 kpps
AES 128 GCM      575 Mbps         85 kpps

--
Best regards,
Pierre BARDOU


-Original Message-
From: Mike Belopuhov [mailto:m...@crypt.org.ru]
Sent: Tuesday 26 June 2012 14:39
To: Mark Romer
Cc: Ted Unangst; misc@openbsd.org; Ryan McBride
Subject: Re: ipsec tunnel speeds

On Mon, Jun 25, 2012 at 2:53 PM, Mark Romer romesterm...@gmail.com wrote:
 Great question Ted
 Does anyone know the answer?

sure.

 Thanks Mark
 On Jun 22, 2012 12:58 PM, Ted Unangst t...@tedunangst.com wrote:

 On Fri, Jun 22, 2012 at 12:52, Ryan McBride wrote:

  550Mb/s with aes-128-gcm (requires AES-NI and amd64) on
  hw.model=Intel(R) Xeon(R) CPU E5649 @ 2.53GHz hw.vendor=HP
  hw.product=ProLiant DL360 G7

 what's the reason aes-128-gcm requires amd64?

because the assembly is written for amd64.

  we can't add that code to i386?

that specific one? of course not. but the aes-ni and clmul instructions are
part of sse and can be executed by both 32-bit and 64-bit programs.

apart from that, it might be possible that binutils have to be adjusted (i
don't remember if they share the same code) and i386 has to grow
fpu_kernel_{enter,exit}.



Re: bnx[01] - trunk0 - vlan119 - carp119 problem

2012-04-24 Thread BARDOU Pierre
Hello,

I have dozens of CARP interfaces over VLAN interfaces over LACP trunk
interfaces over physical EM/BGE/BNX. Carp is in multicast mode, multicast
routing is disabled. Works like a charm with various OpenBSD versions from
4.4 to 5.0.

I can give you my hostname.if if that helps...

--
Best regards,
Pierre BARDOU


-Original Message-
From: Matt Hamilton [mailto:ma...@netsight.co.uk]
Sent: Monday 23 April 2012 17:49
To: misc@openbsd.org
Subject: Re: bnx[01] - trunk0 - vlan119 - carp119 problem

Kapetanakis Giannis bilias at edu.physics.uoc.gr writes:


 On 23/04/12 17:13, Matt Hamilton wrote:
  So it appears there is somewhere a problem with multicast packets
  being filtered out somewhere.
 
  This is all running with pfctl -d
 
  -Matt

 Hi,

 Not sure if multicast routing is related with this since it's a single
 host, but check netstart(8) and search for multicast.

 Also /etc/rc.conf and
 sysctl -a|grep mforwarding


I've just had a play with those, but no joy. As you say, as I'm not a
multicast router it shouldn't be anything to do with them.

I run 5.0 on other boxes and carp works fine on top of a physical interface.
This is the first time I've run carp on top of a vlan interface.
It would appear that it is the vlan part that is somehow messing with multicast
packets.

-Matt



Re: Daily digest, Issue 2282 (37 messages)

2011-10-25 Thread BARDOU Pierre
Hello,

The firewall redirects inbound SMTP to spamd box (let's say its address is
192.168.0.10).
Then the spamd box redirects non-spam traffic to the qmail box while doing NAT
to 192.168.0.10 (to avoid asymmetrical routing).
Should work like a charm.

Outgoing mail will go through the default gateway (ie. the firewall), and so
save resources on the spamd box.

--
Best regards,
Pierre BARDOU


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
Sent: Tuesday 25 October 2011 12:20
To: misc@openbsd.org
Subject: [misc] Daily digest, Issue 2282 (37 messages)

The pre-dawn daily digest
Volume 1 : Issue 2282 : mime Format



Hardware for 1Gbps IPsec

2011-10-11 Thread BARDOU Pierre
Hello,

I'm looking for hardware capable of doing 1 Gbps IPsec, under OpenBSD of
course.
Do you think it is possible with a brand new high end server and their new
instructions (AES-NI and/or AVX)?

Or would a crypto card be necessary ? If yes, do you have a brand/model to
recommend ?

In the crypto section most of the devices I see are old chipsets, which are
far from 1 Gbps throughput.
The only thing I see is the Via Padlock, but I think the CPU is not capable of
Gigabit routing. There is also the BCM5862, but I can't find a card embedding
it.

Thank you

--
Best regards,
Pierre BARDOU



Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-10-03 Thread BARDOU Pierre
Hello,

I think the Soekris net6501 has two great advantages:
* power consumption: their Atom E6XX is between 3.3 W and 7 W TDP, which is
much lower than the 35 W of the Pentium G620T. The complete board is said to
use under 10 W.
* the user programmable FPGA, which might be used (I guess) as a crypto
acceleration device... if someone knows how to program it, and get it
supported by OpenBSD.

--
Best regards,
Pierre BARDOU


-Original Message-
From: Joe S [mailto:js.li...@gmail.com]
Sent: Saturday 1 October 2011 17:19
To: Joakim Aronius
Cc: Johan Linner; Paul Suh; misc@openbsd.org Misc
Subject: Re: Quad-Gigabit 1U mini-itx board recommendations?

On Tue, Aug 30, 2011 at 12:00 AM, Joakim Aronius joa...@aronius.se wrote:
 I have used Soekris for a few years and am very happy with them. They
 have a new board that will start shipping soon:
 http://soekris.com/net6501.htm


Curious if anyone has tried these boards out. I'm looking for something
similar (low power, small size, em nics). These boards seem really expensive
for having an Atom processor. I guess the 4 NICs drives up the cost.

Since I don't actually need 4 NICs, I'm looking at the new Intel S1200KP
(mini-itx 1155 board with dual intel nics). I can put a G620T in and get the same
power consumption rates as an Atom D525, for the same price as the Soekris.
Plus I can always upgrade my processor down the line.



Re: Load balancing incoming trafic with BGP

2010-07-01 Thread BARDOU Pierre
Hello,

Wow, I didn't think of that solution, but that's very simple and elegant,
just the way I like it :)
I tested it, it works very well. Thank you very much for your advice.

--
Best regards,
Pierre BARDOU


-Original Message-
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Tuesday 29 June 2010 14:47
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-29, BARDOU Pierre bardo...@mipih.fr wrote:
 Hello,

 I tried to follow your advice, and I set:
 network 1.1.1.0/24
 network 1.1.1.0/25 set prepend-self 5

hmm, I meant that you should announce the larger network (/24) from
both sites, and the more-specific (/25) from each site.

e.g. from the main site:

network 1.1.1.0/24
network 1.1.1.0/25

and from the backup site:

network 1.1.1.0/24
network 1.1.1.128/25

No need to mess about with prepends for this.

 The /25 appears on the RIB of router A, but not in ISP A router RIB.
 Why ? My only filter rule is allow from any

Are you absolutely certain you have allow from any everywhere
that you need it?

 A few details :
 * 1.1.1.0/24 is for testing purposes and used only in my (isolated) lab. I have
 a true /24, registered with RIPE.

It is still bad practice. What if someone were to use your registered
/24 in their test network, and then accidentally announce it to the internet?
Sometimes things which shouldn't happen do; the point of this is to avoid
breaking other people's networks when things go wrong.

 * I have an MPLS VPN between my two sites, which uses different wires from
 Internet
 * I didn't know about the issue of propagating a /25 to the internet. Thanks
 for the information, I'll have to think about that before setting this in
 production...

Yes, something like the allow from any inet prefixlen 8 - 24 in the
sample bgpd.conf (i.e. don't allow longer prefixes) is pretty common
practice in many networks.





 Many thanks for the help
 --
 Best regards,
 Pierre BARDOU


 -Original Message-
 From: Stuart Henderson [mailto:s...@spacehopper.org]
 Sent: Saturday 26 June 2010 12:18
 To: misc@openbsd.org
 Subject: Re: Load balancing incoming trafic with BGP

 On 2010-06-25, BARDOU Pierre bardo...@mipih.fr wrote:
 I have issues trying to setup this :

     ISP A            ISP B
       |                |
    Router A        Router B
    Main site  ---  Backup site
    1.1.1.0/25      1.1.1.128/25

 I think you will have to rethink a bit.

 Even if your immediate upstreams accept it (which is unlikely without
 a special arrangement), there is no way that most of the internet will
 accept a /25 announcement. You would want to use at least a /23 for
 the whole net, so your site-specific announcements can be /24.

 You will also have to ensure connectivity between the two sites
 under normal conditions (if you don't have a direct link, then you
 could consider a tunnel between addresses from outside this network;
 either plain gif/gre and accept the restricted MTU, or you could use a
 gre+vether+bridge+pf setup which would let you run at the lowest MTU
 of the physical links between them).

 I'd like that connections to the main site flow through ISP A, to the backup
 site flow through ISP B, with backup through the other ISP if one fails.
 So I set up openBGPd like this :
 Router A :
 AS 65001
 network 1.1.1.0/25
 network 1.1.1.128/25 set prepend-self 5

 From one site you would want to announce x.x.x.0/25 and x.x.x.0/24
 From the other you want x.x.x.128/25 and x.x.x.0/24 (or similar with
 /24 and /23 if you actually want it to work from the rest of the
 internet).

 Also: note that 1.0.0.0/8 is an allocated network. Please do not
 use addresses from this block even as a test network unless they are
 properly allocated to you (which being in europe, they are not).



Re: Load balancing incoming trafic with BGP

2010-06-30 Thread BARDOU Pierre
Sorry, it's a typo. The real RIB :

On router A bgpctl sh rib:
Flags   destination          gateway   lpref   med   aspath                          origin
AI*     217.109.108.0/24     0.0.0.0   100     0                                     i
AI*     217.109.108.128/25   0.0.0.0   100     0                                     i
On ISP router A bgpctl sh rib:
Flags   destination          gateway   lpref   med   aspath                          origin
AI*     217.109.108.0/24     0.0.0.0   100     0     65001                           i
AI*     217.109.108.128/25   0.0.0.0   100     0     65001 65001 65001 65001 65001   i

--
Best regards,
Pierre BARDOU


-Original Message-
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Tuesday 29 June 2010 17:13
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-29, BARDOU Pierre bardo...@mipih.fr wrote:
 Hello,

 I did this on router A :

 network 217.109.108.0/24
 network 217.109.108.128/25

 neighbor...

 allow from any
 match to any prefix 217.109.108.128/25 set prepend-self 5

 On router A bgpctl sh rib:

 Flags   destination          gateway   lpref   med   aspath                          origin
 AI*     217.109.108.0/24     0.0.0.0   100     0                                     i
 AI*     217.109.108.128/24   0.0.0.0   100     0                                     i

 On ISP router A bgpctl sh rib:

 Flags   destination          gateway   lpref   med   aspath                          origin
 AI*     217.109.108.0/24     0.0.0.0   100     0     65001                           i
 AI*     217.109.108.128/24   0.0.0.0   100     0     65001 65001 65001 65001 65001   i

 Everything is fine :)


Hmm, that's weird, the received routes are /24!



Re: Load balancing incoming trafic with BGP

2010-06-29 Thread BARDOU Pierre
Hello,

I tried to follow your advice, and I set:
network 1.1.1.0/24
network 1.1.1.0/25 set prepend-self 5

The /25 appears on the RIB of router A, but not in ISP A router RIB.
Why ? My only filter rule is allow from any

A few details :
* 1.1.1.0/24 is for testing purposes and used only in my (isolated) lab. I have
a true /24, registered with RIPE.
* I have an MPLS VPN between my two sites, which uses different wires from
Internet
* I didn't know about the issue of propagating a /25 to the internet. Thanks for
the information, I'll have to think about that before setting this in
production...

Many thanks for the help
--
Best regards,
Pierre BARDOU


-Original Message-
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Saturday 26 June 2010 12:18
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-25, BARDOU Pierre bardo...@mipih.fr wrote:
 I have issues trying to setup this :

    ISP A            ISP B
      |                |
   Router A        Router B
   Main site  ---  Backup site
   1.1.1.0/25      1.1.1.128/25

I think you will have to rethink a bit.

Even if your immediate upstreams accept it (which is unlikely without
a special arrangement), there is no way that most of the internet will
accept a /25 announcement. You would want to use at least a /23 for
the whole net, so your site-specific announcements can be /24.

You will also have to ensure connectivity between the two sites
under normal conditions (if you don't have a direct link, then you
could consider a tunnel between addresses from outside this network;
either plain gif/gre and accept the restricted MTU, or you could use a
gre+vether+bridge+pf setup which would let you run at the lowest MTU
of the physical links between them).

 I'd like that connections to the main site flow through ISP A, to the backup
 site flow through ISP B, with backup through the other ISP if one fails.
 So I set up openBGPd like this :
 Router A :
 AS 65001
 network 1.1.1.0/25
 network 1.1.1.128/25 set prepend-self 5

From one site you would want to announce x.x.x.0/25 and x.x.x.0/24
From the other you want x.x.x.128/25 and x.x.x.0/24 (or similar with
/24 and /23 if you actually want it to work from the rest of the
internet).

Also: note that 1.0.0.0/8 is an allocated network. Please do not
use addresses from this block even as a test network unless they are
properly allocated to you (which being in europe, they are not).



Re: Load balancing incoming trafic with BGP

2010-06-29 Thread BARDOU Pierre
Hello,

I did this on router A:

network 217.109.108.0/24
network 217.109.108.128/25

neighbor...

allow from any
match to any prefix 217.109.108.128/25 set prepend-self 5

On router A bgpctl sh rib:
Flags   destination          gateway   lpref   med   aspath                          origin
AI*     217.109.108.0/24     0.0.0.0   100     0                                     i
AI*     217.109.108.128/24   0.0.0.0   100     0                                     i

On ISP router A bgpctl sh rib:
Flags   destination          gateway   lpref   med   aspath                          origin
AI*     217.109.108.0/24     0.0.0.0   100     0     65001                           i
AI*     217.109.108.128/24   0.0.0.0   100     0     65001 65001 65001 65001 65001   i

Everything is fine :)

Many, many thanks for your help.

--
Best regards,
Pierre BARDOU


-Original Message-
From: rh...@hushmail.com [mailto:rh...@hushmail.com]
Sent: Tuesday 29 June 2010 13:30
To: misc@openbsd.org
Cc: BARDOU Pierre
Subject: Re: Load balancing incoming trafic with BGP

Hello,

Have you tried a filter based config for your prepends?




Load balancing incoming trafic with BGP

2010-06-25 Thread BARDOU Pierre
Hello,

I have issues trying to setup this :

    ISP A            ISP B
      |                |
   Router A        Router B
   Main site  ---  Backup site
   1.1.1.0/25      1.1.1.128/25

I'd like that connections to the main site flow through ISP A, to the backup
site flow through ISP B, with backup through the other ISP if one fails.
So I set up openBGPd like this :
Router A :
AS 65001
network 1.1.1.0/25
network 1.1.1.128/25 set prepend-self 5

neighbor ISP A {
remote-as 65002
}
neighbor router B {
remote-as 65001
}
allow from any

Router B :
AS 65001
network 1.1.1.0/25
network 1.1.1.128/25 set prepend-self 5

neighbor ISP B {
remote-as 65003
}
neighbor router A {
remote-as 65001
}
allow from any

I'm still during the test phase, so to simulate ISPs routers I've put some
other openBSD boxes.
Their setup :
Router ISP A :
AS 65002
neighbor Router A {
remote-as 65001
announce default-route
}
allow from any

Router ISP B :
AS 65003
neighbor Router B {
remote-as 65001
announce default-route
}
allow from any

For now, I only have ISP A and router A set up.
My problem: the set prepend-self 5 on router A prevents the network
1.1.1.128/25 from appearing in router ISP A's RIB.
If I remove the option, everything is fine.

Bgpctl sh rib on router A:
Flags   destination    gateway         lpref   med   aspath                          origin
*       0.0.0.0/0      router ISP A    100     0     65002                           i
AI*     1.1.1.0/25     0.0.0.0         100     0                                     i
AI*     1.1.1.128/25   0.0.0.0         100     0     65001 65001 65001 65001 65001   i

Bgpctl sh rib on router ISP A:
Flags   destination    gateway         lpref   med   aspath                          origin
*       1.1.1.0/25     router A        100     0     65001                           i


Could someone tell me where my mistake is?
Thank you very much.

--
Best regards,
Pierre BARDOU



Re: Hardware for a PF box

2010-05-11 Thread BARDOU Pierre
Hello,

I'll try to answer every suggestion...

I'm going to buy brand new HP servers, DL360 G5 or DL165 G7. So the choice for
CPU is between AMD Opteron 24xx or Intel Xeon 55xx.
I've read that a PIII would be sufficient: I have performance issues actually,
running on a Xeon 2.8GHz (monocore, FSB 800, socket 604). I don't think they
come from PF BTW, it should be logging/relayd/OpenVPN which makes the box lag.

I'm actually on a test with dual Xeon E5420 on GENERIC.MP, it runs like a
charm. But it's borrowed hardware, I have to give it back :)

I'm very interested in a separate log machine, I think I'll do that. Could you
give me an estimation of how many Mbps I need on the log server?
I think I'll put this on a VM, we have an ESX cluster connected to a CX3-40 SAN
which should give enough disk I/O...

Installing SSDs on the machines is way more expensive with HP hardware: a 72 GB
SAS 15K rpm costs 260€, a 60 GB SSD costs 950€.
HP offers no way to install a compact flash as disk drive.

Network cards are Intel Gb, using the em(4) driver.

So, with all your considerations, here's my actual setup:
* Xeon E5504 quad core @2Ghz (don't need AMD's 6 cores, and it costs nearly the
same price as the only dual core remaining, E5502 @1.86GHz)
* 3*1GB memory (Xeons are triple channel, so I need three DIMMs for maximal
memory bandwidth)
* 2x72 GB SAS drives on raid0

Does it sound correct to you?
Do you have any suggestion/modification?

Thank you very much for the help.

--
Best regards,
Pierre BARDOU


-Original Message-
From: Aaron Mason [mailto:simplersolut...@gmail.com]
Sent: Tuesday 11 May 2010 14:01
To: Lars Nooden
Cc: misc@openbsd.org
Subject: Re: Hardware for a PF box

On Tue, May 11, 2010 at 4:56 PM, Lars Nooden lars.cura...@gmail.com wrote:
 On Mon, 10 May 2010, Chris Smith wrote:

 What about logging in this case? Can PF logs be sent to another system
 running a syslog daemon?

 You answered your own question. ;)  Look at the 'action' field explanation
 in the manual page for syslog.conf(5)

 About the diskless machine, many of the so-called diskless machines actually
 use flash or ssd instead of a spinning magnetic platter.  The base
 installation of openbsd is still quite small.  If you are only running PF,
 you will have a lot of space left over on a 1GB CF to make a logging
 partition.  Flash can be very slow, so volatile caches can be stored in an
 mfs partition.

 /Lars

OpenBSD will happily fit into about 160mb by installing only base and
etc which provide plenty for a firewall.  My 1.4GHz Toshiba laptop
acting as a wireless-wired gateway runs OpenBSD 4.6 on a 512mb USB
drive (which I'd like to replace with a CF disk on a 2.5 compatible
adapter) with space to spare.  Sure it doesn't do anywhere near as
many packets as you propose, but it handles a constantly-running
seedbox and my gaming together without skipping a beat, which is more
than I can ask for.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse




Re: Hardware for a PF box

2010-05-11 Thread BARDOU Pierre
Sorry, typo:

SAS drives would be on RAID1.

So the config would be:

* Xeon E5504 quad core @2GHz (don't need AMD's 6 cores, and it costs nearly the
same price as the only dual core remaining, E5502 @1.86GHz)

* 3*1GB memory (Xeons are triple channel, so I need three DIMMs for maximal
memory bandwidth)

* 2x72 Gb SAS drives on raid1

* GENERIC.MP kernel

--
Best regards,
Pierre BARDOU


-Original Message-
From: BARDOU Pierre
Sent: Tuesday 11 May 2010 15:40
To: 'misc@openbsd.org'
Subject: RE: Hardware for a PF box




Hardware for a PF box

2010-05-10 Thread BARDOU Pierre
Hello,

I'm going to buy hardware to create 4 PF/relayd/openVPN boxes (2 active, 2
passive).
I have an average of 500 new connections/s, 40k states and 40kpps in PF, 20
remote concurrent accesses on OpenVPN.

What CPU would you recommend between Intel and AMD ?
Since PF is mono threaded, I think more than 2 CPU cores are useless. Am I
right ?
For the same reason, I think that the CPU with the highest frequency will be
the best ?
Would it be useful to replace 15ktpm SAS HDDs by SSDs ?

Thank you.

--
Best regards,

Pierre BARDOU
CSIM - Bureau 002

12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr



LACP problem

2009-12-22 Thread BARDOU Pierre
Hello,

I have used an LACP trunk on my OpenBSD firewall since 4.5.
It worked for more than a year, but since I upgraded to 4.6 the trunk
went down two times.
I can't do anything to fix it except reboot the firewall.

The switch is a HP Procurve 8412zl.

I tried a workaround; to test it I did on my slave firewall:
ifconfig trunk0 trunkproto none # simulation of trunk down
ifconfig trunk0

=> This systematically leads to a kernel panic

Were there code changes on LACP between 4.5 and 4.6?
Should I downgrade to 4.5/upgrade to -stable?

TYVM

--
Best regards,

Pierre BARDOU
CSIM - Bureau 012

MiPih
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr



Re: LACP problem

2009-12-22 Thread BARDOU Pierre
/bsd: pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
Dec 22 11:00:17 fw-intra-slave /bsd: atapiscsi0 at pciide0 channel 1 drive 0
Dec 22 11:00:17 fw-intra-slave /bsd: scsibus0 at atapiscsi0: 2 targets
Dec 22 11:00:17 fw-intra-slave /bsd: cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, K.9A ATAPI 5/cdrom removable
Dec 22 11:00:17 fw-intra-slave /bsd: cd0(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
Dec 22 11:00:17 fw-intra-slave /bsd: ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: apic 8 int 11 (irq 11), version 1.0, legacy support
Dec 22 11:00:17 fw-intra-slave /bsd: pcib0 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
Dec 22 11:00:17 fw-intra-slave /bsd: pchb3 at pci0 dev 16 function 0 ServerWorks CIOB-E rev 0x12
Dec 22 11:00:17 fw-intra-slave /bsd: pchb4 at pci0 dev 16 function 2 ServerWorks CIOB-E rev 0x12
Dec 22 11:00:17 fw-intra-slave /bsd: pci3 at pchb4 bus 2
Dec 22 11:00:17 fw-intra-slave /bsd: bge0 at pci3 dev 0 function 0 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): apic 9 int 0 (irq 7), address 00:11:43:5a:86:d1
Dec 22 11:00:17 fw-intra-slave /bsd: brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
Dec 22 11:00:17 fw-intra-slave /bsd: bge1 at pci3 dev 0 function 1 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): apic 9 int 1 (irq 5), address 00:11:43:5a:86:d2
Dec 22 11:00:17 fw-intra-slave /bsd: brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
Dec 22 11:00:17 fw-intra-slave /bsd: pchb5 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
Dec 22 11:00:17 fw-intra-slave /bsd: pchb6 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
Dec 22 11:00:17 fw-intra-slave /bsd: pci4 at pchb6 bus 4
Dec 22 11:00:17 fw-intra-slave /bsd: ami0 at pci4 dev 3 function 0 Dell PERC 4/Di Verde rev 0x02: apic 9 int 2 (irq 7)
Dec 22 11:00:17 fw-intra-slave /bsd: ami0: Dell 14a, 32b, FW 412W, BIOS vH406, 128MB RAM
Dec 22 11:00:17 fw-intra-slave /bsd: ami0: 2 channels, 0 FC loops, 1 logical drives
Dec 22 11:00:17 fw-intra-slave /bsd: scsibus1 at ami0: 40 targets
Dec 22 11:00:17 fw-intra-slave /bsd: sd0 at scsibus1 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
Dec 22 11:00:17 fw-intra-slave /bsd: sd0: 34680MB, 512 bytes/sec, 71024640 sec total
Dec 22 11:00:17 fw-intra-slave /bsd: scsibus2 at ami0: 16 targets
Dec 22 11:00:17 fw-intra-slave /bsd: safte0 at scsibus2 targ 6 lun 0: PE/PV, 1x3 SCSI BP, 1.1 SCSI2 3/processor fixed
Dec 22 11:00:17 fw-intra-slave /bsd: scsibus3 at ami0: 16 targets
Dec 22 11:00:17 fw-intra-slave /bsd: usb0 at ohci0: USB revision 1.0
Dec 22 11:00:17 fw-intra-slave /bsd: uhub0 at usb0 ServerWorks OHCI root hub rev 1.00/1.00 addr 1
Dec 22 11:00:17 fw-intra-slave /bsd: isa0 at pcib0
Dec 22 11:00:17 fw-intra-slave /bsd: isadma0 at isa0
Dec 22 11:00:17 fw-intra-slave /bsd: com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
Dec 22 11:00:17 fw-intra-slave /bsd: pckbc0 at isa0 port 0x60/5
Dec 22 11:00:17 fw-intra-slave /bsd: pckbd0 at pckbc0 (kbd slot)
Dec 22 11:00:17 fw-intra-slave /bsd: pckbc0: using irq 1 for kbd slot
Dec 22 11:00:17 fw-intra-slave /bsd: wskbd0 at pckbd0: console keyboard, using wsdisplay0
Dec 22 11:00:17 fw-intra-slave /bsd: pmsi0 at pckbc0 (aux slot)
Dec 22 11:00:17 fw-intra-slave /bsd: pckbc0: using irq 12 for aux slot
Dec 22 11:00:17 fw-intra-slave /bsd: wsmouse0 at pmsi0 mux 0
Dec 22 11:00:17 fw-intra-slave /bsd: pcppi0 at isa0 port 0x61
Dec 22 11:00:17 fw-intra-slave /bsd: midi0 at pcppi0: PC speaker
Dec 22 11:00:17 fw-intra-slave /bsd: spkr0 at pcppi0
Dec 22 11:00:17 fw-intra-slave /bsd: npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
Dec 22 11:00:17 fw-intra-slave /bsd: fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
Dec 22 11:00:17 fw-intra-slave /bsd: fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
Dec 22 11:00:17 fw-intra-slave /bsd: mtrr: Pentium Pro MTRR support
Dec 22 11:00:17 fw-intra-slave /bsd: softraid0 at root
Dec 22 11:00:17 fw-intra-slave /bsd: root on sd0a swap on sd0b dump on sd0b



--
Best regards,
Pierre BARDOU


From: Iñigo Ortiz de Urbina [mailto:tarom...@gmail.com]
Sent: Tuesday 22 December 2009 12:45
To: BARDOU Pierre
Subject: Re: LACP problem

On Tue, Dec 22, 2009 at 11:22 AM, BARDOU Pierre bardo...@mipih.fr wrote:

> Hello,
>
> I have used an LACP trunk on my OpenBSD firewall since 4.5.
> It worked for more than a year, but since I upgraded to 4.6 the trunk
> went down two times.
> I can't do anything to fix it except reboot the firewall.
>
> The switch is a HP Procurve 8412zl.
>
> I tried a workaround; to test it I did on my slave firewall:
> ifconfig trunk0 trunkproto none # simulation of trunk down
> ifconfig trunk0
>
> => This systematically leads to a kernel panic

Curious

> Were there code changes on LACP between 4.5 and 4.6?

See it for yourself

http://www.openbsd.org/plus46.html
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_trunk.c

Recently there's been some activity on trunk.c maybe

Packets to IPsec blackholed ?

2009-12-04 Thread BARDOU Pierre
Hello,

I had a working IPsec tunnel this morning:
Dec 04 09:30:35.086117 rule 375/(match) pass in on vlan100: 10.80.2.135.4685 >
10.96.37.1.23: S 2120140262:2120140262(0) win 64512 <mss
1460,nop,nop,sackOK> (DF)
Dec 04 09:30:35.086154 rule 28/(match) pass out on enc0: 10.80.2.135.4685 >
10.96.37.1.23: S 2120140262:2120140262(0) win 64512 <mss
1460,nop,nop,sackOK>

At noon I rebooted my gateway, and now packets get lost in the wild (no
pass out nor block out):
Dec 04 13:55:35.054695 rule 375/(match) pass in on vlan100: 10.80.2.135.3265 >
10.96.37.1.23: S 2811095018:2811095018(0) win 64512 <mss
1460,nop,nop,sackOK> (DF)

But my tunnel is still up according to ipsecctl -sa.

I have other tunnels which work like a charm.

Could anyone tell me how to get my packets back on the right way?

TYVM

--
Best regards,

Pierre BARDOU
CSIM - Bureau 012

12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr



Disk occupation problem

2009-11-09 Thread BARDOU Pierre
Hello,

I have a strange problem with disk occupation.
df says my disk is nearly full (25G occupied), but when I do a du -sh on the
mountpoint it says only 10M used!?

I had the same problem a few days ago on 4.5-stable; I upgraded to
4.6-stable and it happens again.

Some logs:
# du -sh /var/
10.7M   /var/
# du -sh /var/*
2.0K    /var/account
2.0K    /var/audit
2.0K    /var/authpf
1.3M    /var/backups
4.0K    /var/crash
22.0K   /var/cron
2.2M    /var/db
4.0K    /var/empty
44.0K   /var/games
12.0K   /var/lib
4.2M    /var/log
4.0K    /var/lost+found
1.1M    /var/mail
4.0K    /var/msgs
92.0K   /var/named
2.0K    /var/quotas
96.0K   /var/run
2.0K    /var/rwho
24.0K   /var/spool
4.0K    /var/tmp
1.4M    /var/www
28.0K   /var/yp
# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.8G    2.1G    1.5G    59%    /
/dev/sd0d     28.6G   25.0G    2.2G    92%    /var

Could someone give me a clue on how to fix this?
TYVM

--
Best regards,

Pierre BARDOU
CSIM - Bureau 012

12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr



Re: Disk occupation problem

2009-11-09 Thread BARDOU Pierre
Hello,

I didn't delete anything by hand.
The space comes back after a reboot, yes.

I found the problem: log rotation with pflogd.
I killed pflogd and started it again, and the free space came back.

But why does log rotation fail?
It has worked like a charm for more than 2 years...

If that helps:
# cat /etc/newsyslog.conf
#   $OpenBSD: newsyslog.conf,v 1.26 2007/02/02 14:52:48 ajacoutot Exp $
#
# configuration file for newsyslog
#
# logfile_name          owner:group     mode count size when  flags
/var/cron/log           root:wheel      600  3     10   *     Z
/var/log/aculog         uucp:dialer     660  7     *    24    Z
/var/log/authlog        root:wheel      640  7     *    168   Z
/var/log/daemon                         640  5     30   *     Z
/var/log/lpd-errs                       640  7     10   *     Z
/var/log/maillog                        600  7     *    24    Z
/var/log/messages                       644  5     30   *     Z
/var/log/secure                         600  7     *    168   Z
/var/log/wtmp                           644  7     *    $W6D4 ZB
/var/log/xferlog                        640  7     250  *     Z
/var/log/ppp.log                        640  7     250  *     Z
#/var/log/pflog                         600  3     250  *     ZB  /var/run/pflogd.pid
/var/log/pflog                          600  3     *    24    ZB  /var/run/pflogd.pid


TYVM for the help

--
Best regards,
Pierre BARDOU


-Original Message-
From: Richard Toohey [mailto:richardtoo...@paradise.net.nz]
Sent: Monday 9 November 2009 09:21
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Disk occupation problem

On 9/11/2009, at 9:11 PM, BARDOU Pierre wrote:

> Hello,
>
> I have a strange problem with disk occupation.
> df says my disk is nearly full (25G occupied), but when I do a du -sh on the
> mountpoint it says only 10M used!?

Are you deleting in-use log files?  Does the space come back after a
reboot?




Re: Disk occupation problem

2009-11-09 Thread BARDOU Pierre
I think you spotted the base problem.
I have run 2 instances of pflogd for a few days, and I forgot to set a
separate pid file.

I put the new pflogd in log rotation with its own pid file, I hope this will
solve the problem.

Many, many thanks for the help.

--
Best regards,
Pierre BARDOU


-Original Message-
From: Otto Moerbeek [mailto:o...@drijf.net]
Sent: Monday 9 November 2009 09:55
To: BARDOU Pierre
Cc: Richard Toohey; misc@openbsd.org
Subject: Re: Disk occupation problem

On Mon, Nov 09, 2009 at 09:43:24AM +0100, BARDOU Pierre wrote:

> Hello,
>
> I didn't delete anything by hand.
> The space comes back after a reboot, yes.
>
> I found the problem: log rotation with pflogd.
> I killed pflogd and started it again, and the free space came back.

Do you have more than one instance of pflogd running?

Or are you actually running current? Because recently something
changed here.

-Otto


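The failure mode this thread ends on (two pflogd instances rotated against one pid file, so only one of them is signalled and the other keeps the rotated, compressed-and-unlinked pflog open, which df counts but du cannot see) as an added check over newsyslog.conf; this is example code written for this page, not something from the thread or from OpenBSD. The configuration below is constructed from the newsyslog.conf quoted above; /var/log/pflog2 and its entry are a hypothetical addition standing in for the second pflogd.

```python
"""Check newsyslog.conf for pid files shared between rotated logs.

Added example (not from the thread). When two daemons are rotated against the
same pid file, newsyslog only signals the process named in that file; the other
keeps writing to the renamed-then-compressed log, whose blocks stay allocated
(visible to df) while no path refers to them any more (invisible to du).
"""
from collections import defaultdict

# Constructed from the thread's newsyslog.conf; /var/log/pflog2 is a
# hypothetical second pflogd log that was wrongly pointed at the same pid file.
SAMPLE_CONF = """\
# logfile_name          owner:group     mode count size when  flags pidfile
/var/cron/log           root:wheel      600  3     10   *     Z
/var/log/authlog        root:wheel      640  7     *    168   Z
/var/log/daemon                         640  5     30   *     Z
/var/log/messages                       644  5     30   *     Z
/var/log/wtmp                           644  7     *    $W6D4 ZB
#/var/log/pflog                         600  3     250  *     ZB    /var/run/pflogd.pid
/var/log/pflog                          600  3     *    24    ZB    /var/run/pflogd.pid
/var/log/pflog2                         600  3     *    24    ZB    /var/run/pflogd.pid
"""


def parse_newsyslog(text):
    """Parse active entries: logfile [owner:group] mode count size when flags [pidfile].

    owner:group is the only optional field before mode, so it is recognised by
    the ':' it must contain; anything after the pid file (a signal number) is
    ignored here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        logfile = fields.pop(0)
        owner = fields.pop(0) if fields and ":" in fields[0] else None
        if len(fields) < 5:
            raise ValueError("malformed newsyslog entry: %r" % raw)
        mode, count, size, when, flags = fields[:5]
        pidfile = fields[5] if len(fields) > 5 else None
        entries.append({"logfile": logfile, "owner": owner, "mode": mode,
                        "count": int(count), "size": size, "when": when,
                        "flags": flags, "pidfile": pidfile})
    return entries


def shared_pidfiles(entries):
    """Return {pidfile: [logfiles]} for pid files used by more than one entry."""
    by_pid = defaultdict(list)
    for e in entries:
        if e["pidfile"]:
            by_pid[e["pidfile"]].append(e["logfile"])
    return {p: logs for p, logs in by_pid.items() if len(logs) > 1}


def lint_newsyslog(text):
    """Return a list of human-readable problems found in the configuration."""
    entries = parse_newsyslog(text)
    problems = []
    for pidfile, logs in sorted(shared_pidfiles(entries).items()):
        problems.append(
            "%s is shared by %s: only the process named in it is signalled, "
            "the others keep the rotated file open" % (pidfile, ", ".join(logs)))
    for e in entries:
        # pflog is binary: without B, newsyslog writes an ASCII rotation
        # marker into the new file, which corrupts it for tcpdump -r.
        if "pflog" in e["logfile"] and "B" not in e["flags"]:
            problems.append("%s is a binary pflog but lacks the B flag" % e["logfile"])
    return problems


if __name__ == "__main__":
    for problem in lint_newsyslog(SAMPLE_CONF):
        print(problem)
```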



Re: New functionality for authpf

2009-10-14 Thread BARDOU Pierre
It would be hard to ask my boss to hire a developer, since with my script the
solution is working.
I'll think of OpenBSD people before discarding our old hardware, anyway.

My script loads the rules once, and modifies the table within the rule.
When the user disconnects, its IP is removed from the table, and its
connections are killed with pfctl -k.

By the way, your idea of an include statement is very good, and doesn't need any
further coding of authpf.
I'm going to test this right now.

Thank you for the precious time you spent on my problem!

--
Best regards,
Pierre BARDOU


-Original Message-
From: Vadim Zhukov [mailto:persg...@gmail.com]
Sent: Tuesday 13 October 2009 18:09
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: New functionality for authpf

On 13 October 2009 18:53:07 BARDOU Pierre wrote:
> Hello,
>
> I'd need a new functionality in authpf.
>
> It would be nice to do group based rules instead of user based rules.
>
> I made this using a script used as shell for the user, which lists the
> groups of the user, and adds them to a table named like the group using
> pfctl and sudo.
>
> I can give it to you if you are interested.
>
> But I think it would be better to include this in authPF, and by the
> way it doesn't seem too difficult.
>
> Unfortunately, I don't know how to make this in C. Someone interested
> in doing this?

Ignoring the fact that it's better for you to prepare money (or some
equivalent) to hire someone to do that work. You need it, then either
you implement it, or pay for it. For example, you could donate some
hardware OpenBSD needs - see the www.openbsd.org/want.html .

Now, for the request itself, you should clarify the exact behavior you want:

- Should the rules be loaded only once, or every time a user logs in? (The
real fun part here is the detach policy)

- Maybe it's simpler to have a /etc/authpf/groups/$GROUP/ directory with
authpf.rules in it, and make /etc/authpf/users/$USER/authpf.rules be a
soft link or contain an include statement? The latter allows you very,
very much flexibility.

- Maybe more, I do not want to spend more time that I'd better have spent
on polishing my own patches.

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



New functionality for authpf

2009-10-13 Thread BARDOU Pierre
Hello,

I'd need a new functionality in authpf.

It would be nice to do group based rules instead of user based rules.

I made this using a script used as shell for the user, which lists the
groups of the user, and adds them to a table named like the group using pfctl
and sudo.

I can give it to you if you are interested.

But I think it would be better to include this in authPF, and by the way it
doesn't seem too difficult.

Unfortunately, I don't know how to make this in C. Someone interested in
doing this?

Thank you

--
Best regards,

Pierre BARDOU
CSIM - Bureau 012

12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr



Re: CARP problem : slave rioting

2009-09-07 Thread BARDOU Pierre
Hello,

I found the cause of the problem: the CARP interface was configured with a
/24 mask on the master, and a /25 mask on the slaves.
With coherent masks everything works like a charm now.


--
Best regards,
Pierre BARDOU


Re: CARP problem : slave rioting

2009-06-29 Thread BARDOU Pierre
Hello,

I thought it had to be unique _on the same network segment_, but not
necessarily on the same machine.

And everything works again since I moved the firewall off the backbone
(2*procurve 5400zl, 1 firewall on each) to another switch (1*procurve 3400cl,
2 firewalls on it). But everything seems to be configured identically on those
two switches, and the error log of the 5400zl shows nothing about the ports
where my firewalls are...

I also set up 2 new BSD boxes to test, 1 on each 5400, configured as follows:

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 5 pass mipih31 description Internet
217.109.108.99/25 vhid 11 advskew 5 pass mipih31 description DMZ Internet

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 10 pass mipih31 description Internet
217.109.108.99/25 vhid 11 advskew 10 pass mipih31 description DMZ Internet

They also run like a charm!?
I have run out of ideas about the cause of the problem.

--
Best regards,
Pierre BARDOU

-Original Message-
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday 26 June 2009 21:17
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem : slave rioting

Pierre,

If I'm not mistaken the vhid on all your carp interfaces are the same
value. I would suggest you use a unique value for each group.

From the man :
The Virtual Host ID. This is a unique number that is used to identify
the redundancy group to other nodes on the network. Acceptable values
are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

Nonviolence means avoiding not only external physical violence but
also internal violence of spirit. You not only refuse to shoot a man,
but you refuse to hate him. Rev. Martin Luther King Jr.



On Fri, Jun 26, 2009 at 6:31 AM, BARDOU Pierrebardo...@mipih.fr wrote:
 Hello,

 CARP is configured using a script. Here it is (truncated version) :

 ifconfig carp5 create
 ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description
LAN

 ifconfig carp2 create
 ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description
DMZ 1

 ifconfig carp3 create
 ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description
DMZ 2

 ifconfig carp12 create
 ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description DMZ
3


 ifconfig carp13 create
 ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description
DMZ 5

 ifconfig carp4 create
 ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description DMZ
Internet
 ifconfig carp4 alias 217.109.108.1/24

 ifconfig carp14 create
 ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description
Internet


 --
 Cordialement,
 Pierre BARDOU


 -Message d'origine-
 De : uday [mailto:umoorjani@gmail.com]
 Envoyi : vendredi 26 juin 2009 12:21
 @ : BARDOU Pierre
 Cc : misc@openbsd.org
 Objet : Re: CARP problem : slave rioting

 Can you post configuration files for the carp interfaces ?

 Nonviolence means avoiding not only external physical violence but
 also internal violence of spirit. You not only refuse to shoot a man,
 but you refuse to hate him. Rev. Martin Luther King Jr.



 On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierrebardo...@mipih.fr wrote:
 Hello,

 I have a setup with 2 OpenBSD boxes used as firewalls; redundancy is done using CARP.
 Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs.
 Master's advskew is 10, slave's is 50.
 All has worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:
 * on the net interface, the backup becomes master, but the master remains master. Nearly half of the packets are lost.
 I did a tcpdump on the slave's interface; CARP packets from the master arrive. But it remains master!
 Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
 Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

 * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), the master becomes master again.

 Could you give me any clue to keep my master in master state?

 Thank you

 Could you give me any clue to keep my master in master state ?

 Thank you

 --
 Regards,

 Pierre BARDOU
 CSIM - Bureau 012

 Midi Picardie Informatique Hospitalière
 12 rue Michel Labrousse
 BP93668
 F-31036 Toulouse CEDEX 1

 Tél : 05 67 31 90 84
 Fax : 05 34 61 51 00
 Mail : bardo...@mipih.fr
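
uday's suggestion above is to give every group its own vhid. What follows is an added example, not a script from this thread or from OpenBSD: it reads ifconfig(8) output and reports any vhid shared by more than one carp interface. The constructed sample mirrors the posted script (every group created with "vhid 10"); the carpdev names in it are assumed. The vhid also fixes the virtual MAC 00:00:5e:00:01:<vhid>, which is why both advertisements in the tcpdump above come from 00:00:5e:00:01:0a.

```shell
#!/bin/sh
# Added example, not from the thread: report CARP interfaces that share a vhid.
# Feed it ifconfig(8) output ("sh carp-vhid.sh live" runs it on the local box).
# The sample below is constructed to mirror the script posted in this thread,
# where every group was created with "vhid 10"; the carpdev names are assumed.

carp_vhid_report() {
	awk '
	# an unindented "carpN:" line starts a new interface block
	/^carp[0-9]+:/ { ifname = $1; sub(/:$/, "", ifname) }
	# the indented "carp: STATE carpdev X vhid N ..." line carries the vhid
	/carpdev/ {
		for (i = 1; i <= NF; i++)
			if ($i == "vhid") vhid = $(i + 1)
		members[vhid] = members[vhid] " " ifname
		count[vhid]++
	}
	END {
		dup = 0
		for (v in count)
			if (count[v] > 1) {
				printf "vhid %s shared by%s\n", v, members[v]
				dup = 1
			}
		exit dup
	}'
}

# Constructed sample: four groups on four segments, all with vhid 10.
SAMPLE_SHARED='carp5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev vlan31 vhid 10 advbase 1 advskew 10
	inet 10.31.0.254 netmask 0xffff0000
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev vlan2 vhid 10 advbase 1 advskew 10
	inet 193.57.199.254 netmask 0xffffff00
carp4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: INIT carpdev vlan4 vhid 10 advbase 1 advskew 10
	inet 10.60.0.254 netmask 0xffffff00
carp14: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: BACKUP carpdev em0 vhid 10 advbase 1 advskew 10
	inet 217.109.108.1 netmask 0xfffffff0'

# The same groups after giving each its own vhid (1..255, per carp(4)).
SAMPLE_UNIQUE=$(printf '%s\n' "$SAMPLE_SHARED" | awk '
	/carpdev/ { n++; sub(/vhid 10/, "vhid " n) } { print }')

if [ "${1:-}" = live ]; then
	ifconfig carp | carp_vhid_report
else
	printf '%s\n' "$SAMPLE_SHARED" | carp_vhid_report || echo "(fix: one vhid per group)"
	printf '%s\n' "$SAMPLE_UNIQUE" | carp_vhid_report && echo "no shared vhid"
fi
```

Run it with "live" on both firewalls; the exit status is 1 when a vhid is shared, so it can sit in a cron job or a Nagios check. While renumbering, also give each group its own pass, since that key is what authenticates the advertisements a node accepts.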



Re: CARP problem : slave rioting

2009-06-26 Thread BARDOU Pierre
Hello,

CARP is configured using a script. Here it is (truncated version):

ifconfig carp5 create
ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description LAN

ifconfig carp2 create
ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"

ifconfig carp3 create
ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"

ifconfig carp12 create
ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"

ifconfig carp13 create
ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"

ifconfig carp4 create
ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
ifconfig carp4 alias 217.109.108.1/24

ifconfig carp14 create
ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description Internet


--
Regards,
Pierre BARDOU


-Original Message-
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday 26 June 2009 12:21
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem : slave rioting

Can you post configuration files for the carp interfaces ?

Nonviolence means avoiding not only external physical violence but
also internal violence of spirit. You not only refuse to shoot a man,
but you refuse to hate him. Rev. Martin Luther King Jr.



On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:
 Hello,

 I have a setup with 2 OpenBSD boxes used as firewalls; redundancy is done using CARP.
 Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs.
 Master's advskew is 10, slave's is 50.
 All has worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:
 * on the net interface, the backup becomes master, but the master remains master. Nearly half of the packets are lost.
 I did a tcpdump on the slave's interface; CARP packets from the master arrive. But it remains master!
 Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
 Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

 * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), the master becomes master again.

 Could you give me any clue to keep my master in master state?

 Thank you

 Could you give me any clue to keep my master in master state ?

 Thank you

 --
 Regards,

 Pierre BARDOU
 CSIM - Bureau 012

 Midi Picardie Informatique Hospitalière
 12 rue Michel Labrousse
 BP93668
 F-31036 Toulouse CEDEX 1

 Tél : 05 67 31 90 84
 Fax : 05 34 61 51 00
 Mail : bardo...@mipih.fr



CARP problem : slave rioting

2009-06-22 Thread BARDOU Pierre
Hello,

I have a setup with 2 OpenBSD boxes used as firewalls; redundancy is done using CARP.
Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs.
Master's advskew is 10, slave's is 50.
All has worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:
* on the net interface, the backup becomes master, but the master remains master. Nearly half of the packets are lost.
I did a tcpdump on the slave's interface; CARP packets from the master arrive. But it remains master!
Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

* on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), the master becomes master again.

Could you give me any clue to keep my master in master state ?

Thank you

--
Regards,

Pierre BARDOU
CSIM - Bureau 012

Midi Picardie Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tél : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : bardo...@mipih.fr



PF performance problem

2009-06-03 Thread BARDOU Pierre
Hello,

I have performance issues on an OpenBSD 4.4 firewall.
CPU load is OK (always below 50%), but the system load is always between 1 and
1.5; it may go up to 2 sometimes.

I suspected an I/O problem on the HDD because of pflogd, so I shut it down, and
the system load is still as high.

Could you tell me what I should upgrade to solve this?
And what does "Debug: Urgent" mean?

Thank you


Stats of PF:
# pfctl -si
Status: Enabled for 29 days 15:27:29              Debug: Urgent

State Table                          Total             Rate
  current entries                    16592
  searches                     36113459933        14099.9/s
  inserts                        286242425          111.8/s
  removals                       286225833          111.8/s
Counters
  match                          794705461          310.3/s
  bad-offset                             0            0.0/s
  fragment                               6            0.0/s
  short                                  0            0.0/s
  normalize                            272            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                          6494            0.0/s
  ip-option                             12            0.0/s
  proto-cksum                            1            0.0/s
  state-mismatch                    107543            0.0/s
  state-insert                       10966            0.0/s
  state-limit                           18            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s


dmesg :
# cat /var/run/dmesg.boot
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem  = 1073053696 (1023MB)
avail mem = 1029165056 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/22/05, BIOS32 rev. 0 @ 0xffe90,
SMBIOS rev. 2.3 @ 0xf9920 (87 entries)
bios0: vendor Dell Computer Corporation version A04 date 09/22/2005
bios0: Dell Computer Corporation PowerEdge 1850
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5) PALO(S5) PBLO(S5) VPR0(S5) PBHI(S5) VPR1(S5)
PICH(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PALO)
acpiprt2 at acpi0: bus 2 (DOBA)
acpiprt3 at acpi0: bus 3 (DOBB)
acpiprt4 at acpi0: bus 4 (PBLO)
acpiprt5 at acpi0: bus 8 (VPR0)
acpiprt6 at acpi0: bus 5 (PBHI)
acpiprt7 at acpi0: bus 6 (PXB1)
acpiprt8 at acpi0: bus 7 (PXB2)
acpiprt9 at acpi0: bus 9 (PICH)
acpicpu0 at acpi0
bios0: ROM list: 0xc/0xb000! 0xcb000/0x1000 0xcc000/0x800 0xcc800/0x1000
0xcd800/0x2600 0xd/0x1800 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x09
ppb0 at pci0 dev 2 function 0 Intel E7520 PCIE rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel IOP332 PCIE-PCIX rev 0x06
pci2 at ppb1 bus 2
mpi0 at pci2 dev 5 function 0 Symbios Logic 53c1030 rev 0x08: irq 7
scsibus0 at mpi0: 16 targets, initiator 7
em0 at pci2 dev 12 function 0 Intel PRO/1000MT (82546EB) rev 0x01: irq 10,
address 00:11:0a:64:32:74
em1 at pci2 dev 12 function 1 Intel PRO/1000MT (82546EB) rev 0x01: irq 11,
address 00:11:0a:64:32:75
ppb2 at pci1 dev 0 function 2 Intel IOP332 PCIE-PCIX rev 0x06
pci3 at ppb2 bus 3
ami0 at pci3 dev 11 function 0 Symbios Logic MegaRAID rev 0x01: irq 3
ami0: Dell 520, 64b/lhc, FW 351S, BIOS v1.10, 64MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus1 at ami0: 40 targets, initiator 40
sd0 at scsibus1 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
sd0: 34680MB, 4421 cyl, 255 head, 63 sec, 512 bytes/sec, 71024640 sec total
scsibus2 at ami0: 16 targets, initiator 16
safte0 at scsibus2 targ 6 lun 0: PE/PV, 1x2 SCSI BP, 1.0 SCSI2 3/processor
fixed
ppb3 at pci0 dev 4 function 0 Intel E7520 PCIE rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 5 function 0 Intel E7520 PCIE rev 0x09
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci6 at ppb5 bus 6
em2 at pci6 dev 7 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 11,
address 00:14:22:21:61:6d
ppb6 at pci5 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci7 at ppb6 bus 7
em3 at pci7 dev 8 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 3,
address 00:14:22:21:61:6e
ppb7 at pci0 dev 6 function 0 Intel E7520 PCIE rev 0x09
pci8 at ppb7 bus 8
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 10
uhci2 at pci0 dev 29 function 2 

Re: PF performance problem

2009-06-03 Thread BARDOU Pierre
The only problem I noticed is an abnormally long ping (usually 0.3 ms; sometimes,
3 or 4 times a day according to Nagios, up to 30 ms).

I am worried about the numbers since this firewall is highly critical.
Since it protects Citrix hosted applications, I will get instantly killed if
delays are too long...

--
Regards,
Pierre BARDOU

-Original Message-
From: Richard Toohey [mailto:richardtoo...@paradise.net.nz]
Sent: Wednesday 3 June 2009 12:50
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: PF performance problem

On 3/06/2009, at 10:02 PM, BARDOU Pierre wrote:

 Hello,

 I have performance issues on a OpenBSD 4.4 firewall.
 CPU load is OK (always below 50%), but system load is always
 between 1 and
 1.5, it may go up to 2 sometimes.

[cut]

And what is the actual *problem*?

What is pf failing to do?

Or are you just worried about the numbers?  Search the archives for
high load ...

http://marc.info/?l=openbsd-misc&m=122607853731136&w=3

HTH.



Re: PF performance problem

2009-06-03 Thread BARDOU Pierre
Thanks everybody for the help.
I will stop worrying about the system load and wait for a noticeable
performance problem before asking for help :)

I set pfctl -x urgent, and now I'm waiting for something in
/var/log/messages...

--
Regards,
Pierre BARDOU



RAM not detected on HP DL580 G4

2009-05-29 Thread BARDOU Pierre
Hello,

I'm trying to set up OpenBSD 4.5 amd64 on an HP ProLiant DL580 G4. It has 38
GB RAM, but only ~3 GB is detected.
Is it possible to use all the RAM ?

The dmesg :
# dmesg
OpenBSD 4.5 (GENERIC) #2052: Sat Feb 28 14:55:24 MST 2009
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3487395840 (3325MB)
avail mem = 3371655168 (3215MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xec000 (109 entries)
bios0: vendor HP version P59 date 09/08/2006
bios0: HP ProLiant DL580 G4
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR SRAT MCFG APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(TM) CPU 3.00GHz, 2992.94 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,CNXT-ID,CX16,
xTPR,LONG
cpu0: 1MB 64b/line 8-way L2 cache
cpu0: apic clock running at 199MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0 apid 1 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 4 pa 0xfec8, version 20, 24 pins
ioapic2 at mainbus0 apid 5 pa 0xfec80800, version 20, 24 pins
acpimadt0: unknown apic structure type ff
acpimadt0: unknown apic structure type ff
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 9 (PXHA)
acpiprt2 at acpi0: bus 10 (PXHB)
acpiprt3 at acpi0: bus 8 (PTD0)
acpiprt4 at acpi0: bus 2 (PTA0)
acpiprt5 at acpi0: bus 5 (PTA1)
acpiprt6 at acpi0: bus 13 (PTB0)
acpiprt7 at acpi0: bus 16 (PTB1)
acpiprt8 at acpi0: bus 19 (PTC0)
acpiprt9 at acpi0: bus 22 (PTC1)
acpiprt10 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel E8500 Host rev 0x11
ppb0 at pci0 dev 1 function 0 Intel E8500 PCIE rev 0x11
pci1 at ppb0 bus 8
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at ppb1 bus 9
bnx0 at pci2 dev 1 function 0 Broadcom BCM5706 rev 0x02: apic 4 int 0 (irq
5)
bnx1 at pci2 dev 2 function 0 Broadcom BCM5706 rev 0x02: apic 4 int 3 (irq
7)
ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 10
ppb3 at pci3 dev 1 function 0 Pericom PI7C21P100 PCIX-PCIX rev 0x01
pci4 at ppb3 bus 11
em0 at pci4 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 5
int 2 (irq 10), address 00:0e:0c:c6:be:f8
em1 at pci4 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 5
int 3 (irq 7), address 00:0e:0c:c6:be:f9
em2 at pci4 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 5
int 0 (irq 5), address 00:0e:0c:c6:be:fa
em3 at pci4 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 5
int 1 (irq 10), address 00:0e:0c:c6:be:fb
ppb4 at pci0 dev 2 function 0 Intel E8500 PCIE rev 0x11
pci5 at ppb4 bus 19
Emulex LPe1150 rev 0x02 at pci5 dev 0 function 0 not configured
ppb5 at pci0 dev 3 function 0 Intel E8500 PCIE rev 0x11
pci6 at ppb5 bus 22
ciss0 at pci6 dev 0 function 0 Hewlett-Packard Smart Array rev 0x01: apic 1
int 16 (irq 5)
ciss0: 1 LD, HW rev 1, FW 1.18/1.18
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 1.18 SCSI0 0/direct fixed
sd0: 69973MB, 512 bytes/sec, 143305920 sec total
ppb6 at pci0 dev 4 function 0 Intel E8500 PCIE rev 0x11
pci7 at ppb6 bus 13
em4 at pci7 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: apic 1
int 16 (irq 5), address 00:17:08:7d:cd:d2
em5 at pci7 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: apic 1
int 17 (irq 10), address 00:17:08:7d:cd:d3
ppb7 at pci0 dev 5 function 0 Intel E8500 PCIE rev 0x11
pci8 at ppb7 bus 16
Emulex LPe1150 rev 0x02 at pci8 dev 0 function 0 not configured
ppb8 at pci0 dev 6 function 0 Intel E8500 PCIE rev 0x11
pci9 at ppb8 bus 2
ppb9 at pci0 dev 7 function 0 Intel E8500 PCIE rev 0x11
pci10 at ppb9 bus 5
pchb1 at pci0 dev 8 function 0 Intel E8500 IMI rev 0x11
Intel E8500 XMB rev 0x11 at pci0 dev 9 function 0 not configured
Intel E8500 XMB Misc rev 0x11 at pci0 dev 9 function 1 not configured
Intel E8500 XMB MAI rev 0x11 at pci0 dev 9 function 2 not configured
Intel E8500 XMB DDR rev 0x11 at pci0 dev 9 function 3 not configured
Intel E8500 XMB Reserved rev 0x11 at pci0 dev 9 function 4 not configured
Intel E8500 XMB Reserved rev 0x11 at pci0 dev 9 function 5 not configured
Intel E8500 XMB Reserved rev 0x11 at pci0 dev 9 function 6 not configured
Intel E8500 XMB Reserved rev 0x11 at pci0 dev 9 function 7 not configured
pchb2 at pci0 dev 10 function 0 Intel E8500 IMI rev 0x11
Intel E8500 XMB rev 0x11 at pci0 dev 11 function 0 not configured
Intel E8500 XMB Misc rev 0x11 at pci0 dev 11 function 1 not configured
Intel E8500 XMB MAI rev 0x11 at pci0 dev 11 function 2 not configured
Intel E8500 XMB DDR 

Re: Can't get relayd to work for DNS + problem with relayctl reload

2009-01-14 Thread BARDOU Pierre
Shame on me, it didn't work because I allowed connections to the real IPs
(10.60.0.10x) and not to the relayd IP (10.31.33.254).

Now it works, thanks for the help :)

But I still have the issue I reported a few months ago: when I use a relay,
relayctl reload fails, saying "command failed".
The relayd logs say nothing. Will I be forced to pkill relayd and restart it
each time?

--
Regards,
Pierre BARDOU

-Original Message-
From: Nigel J. Taylor [mailto:njtay...@asterisk.demon.co.uk]
Sent: Wednesday 14 January 2009 02:22
To: BARDOU Pierre
Subject: Re: Can't get relayd to work for DNS

I have this in my relayd.conf; it's just an extract. Only a "pass in" in
pf.conf. You use either relay or redirect, not both at once; redirect requires
an anchor in pf.conf, relay doesn't.

dns protocol dnsudp

tcp protocol dnstcp

relay relaydnsudp {
	protocol dnsudp
	listen on $dns_int port domain
	forward to <DNSSERVERS> \
		check script /usr/local/bin/dnscheck
}

relay relaydnstcp {
	protocol dnstcp
	listen on $dns_int port domain
	forward to <DNSSERVERS> \
		check script /usr/local/bin/dnscheck
}


The dnscheck script does a dig to check DNS is up:

#!/bin/ksh
# relayd runs this as "dnscheck <host>" and takes a non-zero exit status as "up"
dnsserver=$1
if ping -n -c1 -w 1 $dnsserver >/dev/null 2>&1 && \
    dig -x $dnsserver @$dnsserver >/dev/null
then
	exit 1
fi
exit 0


Regards

Nigel Taylor

BARDOU Pierre wrote:
 Hello,

 I am trying to set up relayd for load balancing on my DNS servers.
 The problem is that relayd seems to handle only TCP connections; UDP isn't
 taken into account.
 I found a known bug on OpenBSD 4.2, but I am using OpenBSD 4.4.

 I've tried the same setup with a relay, and still have the same problem.

 Where am I going wrong?

 # pfctl -a relayd/DNS -s nat
 rdr inet proto tcp from any to 10.31.33.254 port = domain (tcp.established 600) -> <DNS> port 53 round-robin

 # cat /etc/relayd.conf
 node1=10.60.0.101
 node2=10.60.0.102
 node3=10.60.0.103

 squid_int=10.31.33.254
 dns_int=10.31.33.254

 # Global Options
 interval 5
 log updates
 prefork 10
 timeout 1500

 table <squid> { $node1 , $node3 }
 table <DNS> { $node1 , $node3 }

 redirect squid {
 	listen on $squid_int port 3128
 	forward to <squid> mode roundrobin check tcp
 }

 redirect DNS {
 	listen on $dns_int port 53
 	forward to <DNS> mode roundrobin check tcp
 }

 Relay config:
 dns protocol dnsfilter {
 	### TCP performance options
 	tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
 }

 relay dns {
 	### listen and accept redirected connections from pf
 	listen on $dns_int port 53

 	### apply web filters
 	protocol dnsfilter

 	### forward to web server(s)
 	forward to <DNS> mode roundrobin check tcp
 }
 --
 Regards,

 Pierre BARDOU
 CSIM - Bureau 012

 Midi Picardie Informatique Hospitalière
 12 rue Michel Labrousse
 BP93668
 F-31036 Toulouse CEDEX 1

 Tél : 05 67 31 90 84
 Fax : 05 34 61 51 00



Re: Can't get relayd to work for DNS + problem with relayctl reload

2009-01-14 Thread BARDOU Pierre
Hi,



I tried to send a bug report with sendbug(1), but I am not very familiar with
it.

I hope someone will notice...



--

Regards,

Pierre BARDOU



From: uday [mailto:umoorjani@gmail.com]
Sent: Wednesday 14 January 2009 15:52
To: BARDOU Pierre
Cc: misc@openbsd.org; Nigel J. Taylor
Subject: Re: Can't get relayd to work for DNS + problem with relayctl reload



Pierre,

I'm seeing the same result with relayctl; I don't know where it's coming from.

um

On Wed, Jan 14, 2009 at 8:16 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:

Shame on me, it didn't work because I allowed connections to the real IPs
(10.60.0.10x) and not to the relayd IP (10.31.33.254).

Now it works, thanks for the help :)

But I still have the issue I reported a few months ago: when I use a relay,
relayctl reload fails, saying "command failed".
The relayd logs say nothing. Will I be forced to pkill relayd and restart it
each time?

--
Regards,
Pierre BARDOU

-Original Message-
From: Nigel J. Taylor [mailto:njtay...@asterisk.demon.co.uk]
Sent: Wednesday 14 January 2009 02:22
To: BARDOU Pierre
Subject: Re: Can't get relayd to work for DNS

I have this in my relayd.conf; it's just an extract. Only a "pass in" in
pf.conf. You use either relay or redirect, not both at once; redirect requires
an anchor in pf.conf, relay doesn't.

dns protocol dnsudp

tcp protocol dnstcp

relay relaydnsudp {
	protocol dnsudp
	listen on $dns_int port domain
	forward to <DNSSERVERS> \
		check script /usr/local/bin/dnscheck
}

relay relaydnstcp {
	protocol dnstcp
	listen on $dns_int port domain
	forward to <DNSSERVERS> \
		check script /usr/local/bin/dnscheck
}


The dnscheck script does a dig to check DNS is up:

#!/bin/ksh
# relayd runs this as "dnscheck <host>" and takes a non-zero exit status as "up"
dnsserver=$1
if ping -n -c1 -w 1 $dnsserver >/dev/null 2>&1 && \
    dig -x $dnsserver @$dnsserver >/dev/null
then
	exit 1
fi
exit 0


Regards

Nigel Taylor

BARDOU Pierre wrote:
 Hello,

 I am trying to set up relayd for load balancing on my DNS servers.
 The problem is that relayd seems to handle only TCP connections; UDP isn't
 taken into account.
 I found a known bug on OpenBSD 4.2, but I am using OpenBSD 4.4.

 I've tried the same setup with a relay, and still have the same problem.

 Where am I going wrong?

 # pfctl -a relayd/DNS -s nat
 rdr inet proto tcp from any to 10.31.33.254 port = domain (tcp.established 600) -> <DNS> port 53 round-robin

 # cat /etc/relayd.conf
 node1=10.60.0.101
 node2=10.60.0.102
 node3=10.60.0.103

 squid_int=10.31.33.254
 dns_int=10.31.33.254

 # Global Options
 interval 5
 log updates
 prefork 10
 timeout 1500

 table <squid> { $node1 , $node3 }
 table <DNS> { $node1 , $node3 }

 redirect squid {
 	listen on $squid_int port 3128
 	forward to <squid> mode roundrobin check tcp
 }

 redirect DNS {
 	listen on $dns_int port 53
 	forward to <DNS> mode roundrobin check tcp
 }

 Relay config:
 dns protocol dnsfilter {
 	### TCP performance options
 	tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
 }

 relay dns {
 	### listen and accept redirected connections from pf
 	listen on $dns_int port 53

 	### apply web filters
 	protocol dnsfilter

 	### forward to web server(s)
 	forward to <DNS> mode roundrobin check tcp
 }
 --
 Regards,

 Pierre BARDOU
 CSIM - Bureau 012

 Midi Picardie Informatique Hospitalière
 12 rue Michel Labrousse
 BP93668
 F-31036 Toulouse CEDEX 1

 Tél : 05 67 31 90 84
 Fax : 05 34 61 51 00
 Mail : bardo...@mipih.fr



Can't get relayd to work for DNS

2009-01-13 Thread BARDOU Pierre
Hello,

I am trying to set up relayd for load balancing on my DNS servers.
The problem is that relayd seems to handle only TCP connections; UDP isn't
taken into account.
I found a known bug on OpenBSD 4.2, but I am using OpenBSD 4.4.

I've tried the same setup with a relay, and still have the same problem.

Where am I going wrong?

# pfctl -a relayd/DNS -s nat
rdr inet proto tcp from any to 10.31.33.254 port = domain (tcp.established 600) -> <DNS> port 53 round-robin

# cat /etc/relayd.conf
node1=10.60.0.101
node2=10.60.0.102
node3=10.60.0.103

squid_int=10.31.33.254
dns_int=10.31.33.254

# Global Options
interval 5
log updates
prefork 10
timeout 1500

table <squid> { $node1 , $node3 }
table <DNS> { $node1 , $node3 }

redirect squid {
	listen on $squid_int port 3128
	forward to <squid> mode roundrobin check tcp
}

redirect DNS {
	listen on $dns_int port 53
	forward to <DNS> mode roundrobin check tcp
}

Relay config:
dns protocol dnsfilter {
	### TCP performance options
	tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
}

relay dns {
	### listen and accept redirected connections from pf
	listen on $dns_int port 53

	### apply web filters
	protocol dnsfilter

	### forward to web server(s)
	forward to <DNS> mode roundrobin check tcp
}
--
Regards,

Pierre BARDOU
CSIM - Bureau 012

Midi Picardie Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tél : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : bardo...@mipih.fr



NAT + IPsec : strange pf error

2008-11-25 Thread BARDOU Pierre
Hello,

I'm trying to setup a config like this :
http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

So I created lo1, gave it an IP address... and since then I can't compile my
firewall script (which has worked like a charm for several months).
I did no modifications to it, so I don't understand.

pfctl -nf /etc/pf.conf reports no error.
pfctl -f /etc/pf.conf says:
pfctl: failed to create table __automatic_d96467ff_0 in : Invalid argument
pfctl in free(): error: chunk is already free
Abort trap (core dumped)

I use openBSD 4.3.

Someone knows what is going wrong ?

--
Regards,

Pierre BARDOU
CSIM - Bureau 012

Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tél : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : [EMAIL PROTECTED]




Re: NAT + IPsec : strange pf error - link1 flag

2008-11-25 Thread BARDOU Pierre
 
I found something more precise about the error : it only occurs when I set
the link1 flag on lo1.

--
Regards,
Pierre BARDOU

-Original Message-
From: BARDOU Pierre 
Sent: Tuesday 25 November 2008 11:51
To: misc@openbsd.org
Subject: NAT + IPsec : strange pf error

Hello,
 
I'm trying to setup a config like this :
http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html
 
So I created lo1, gave it an IP address... and since then I can't compile my
firewall script (which has worked like a charm for several months).
I did no modifications to it, so I don't understand.
 
pfctl -nf /etc/pf.conf reports no error.
pfctl -f /etc/pf.conf says:
pfctl: failed to create table __automatic_d96467ff_0 in : Invalid argument
pfctl in free(): error: chunk is already free
Abort trap (core dumped)

I use openBSD 4.3.
 
Someone knows what is going wrong ?
 
--
Regards,
 
Pierre BARDOU
CSIM - Bureau 012
 
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
 
Tél : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : [EMAIL PROTECTED]


Problems with relayd

2008-11-18 Thread BARDOU Pierre
Hello,

I have big trouble with relayd on OpenBSD 4.4 to load balance 2 squid proxies:
* relayctl reload doesn't work. It just says "command failed" and nothing
appears in the relayd logs (relayd launched with relayd -d).
I am testing right now, but when I go into production, killing and restarting
relayd won't be possible.
* even worse, I stopped squid on one machine; relayctl show hosts reports the
machine as down. But requests are still forwarded to it!

My relayd.conf :

node1=10.60.0.101
node2=10.60.0.102

squid_int=10.31.33.254

interval 5
log updates
prefork 10
timeout 1000

table <squid> { $node1 , $node2 }

http protocol http_proxy {
	tcp { nodelay, sack, socket buffer 65536 , backlog 1000 }
}

relay squid {
	listen on $squid_int port 3128

	protocol http_proxy

	forward to <squid> mode loadbalance check tcp
}


Is this a bug, or am I doing wrong ?

--
Regards,

Pierre BARDOU
CSIM - Bureau 012

Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1

Tél : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : [EMAIL PROTECTED]



Re: NAT + IPsec problem

2008-11-12 Thread BARDOU Pierre
Hello,

I succeeded in doing what I wanted using this:
http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

Many thanks for the help !


--
Regards,
Pierre BARDOU

-Original Message-
From: Claer [mailto:[EMAIL PROTECTED] 
Sent: Sunday 9 November 2008 12:39
To: BARDOU Pierre
Subject: Re: NAT + IPsec problem

On Thursday 6 November 2008 at 15:30, BARDOU Pierre wrote:
 Hello,
Hello,

 I am trying to set up an IPsec connection.
 Here is the ipsec.conf:
 ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
 	main auth hmac-sha1 enc aes-256 \
 	quick auth hmac-sha1 enc aes-256 group modp1024 psk 

 Tunnels go up well:
 flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use
 flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
 esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes
 esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes

 As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx
 before the tunnel.
 So I put this in my pf.conf:
 nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

 The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go
 through the tunnel; they are going to the internet.

 Here is the pflog:
 Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request
 Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request

 -> Packets are going out through em0 (my inet interface) instead of enc0

 As the pf doc says translation occurs before filtering, I don't understand
 why pf can see my real address (10.31.30.1).
 And the most important: why do outgoing packets -with good addresses- not go
 through the tunnel?
 Have I misconfigured something?
Yes and no. This config cannot work.

The NAT action is done on the outgoing interface after filtering; the RDR action
is done on the incoming interface before filtering.

When a packet arrives on the OpenBSD box, roughly speaking, this happens:

- the packet is examined by pf (in)
 - does the packet need to be translated (rdr)?
 - is the packet allowed (new session or existing session)?
 - does the packet need to be diverted to a particular interface (route-to)?

- routing is handled by the kernel
 - does the packet need to be encapsulated in an IPsec flow?
 - the packet is looked up in the corresponding routing table

- the packet is examined on the outgoing interface (out)
 - is the packet allowed (new session or existing session)?
 - does the packet need to be diverted to a particular interface (route-to)?
 - does the packet need to be translated (nat)?

Since the packet is encapsulated before NAT, the latter cannot apply. As mentioned
in a reply to this thread, the solution is to go through a loopback so that NAT is
applied before routing. That way the packet goes through the routing table twice.

Beyond that I can't give more configs, that would be helping a competitor ;-)
(NextiraOne)

Good luck!

Regards,

Claer
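
Claer's point above is that NAT is applied on the outgoing interface, after the kernel has already decided whether the packet enters an IPsec flow, so translating on a loopback first makes the packet go through routing twice. The following is an added example, not Claer's configuration and not the fixunix recipe's own files: a script that writes the hostname.lo1 and pf.conf fragment for that trick with the addresses from this thread (bge0 as the LAN interface, 10.63.61.2 on lo1, 193.164.151.0/28 as the remote network), in the pre-4.7 pf syntax used on OpenBSD 4.3/4.4. The exact route-to grammar a given release accepts is an assumption to check with pfctl -nf.

```shell
#!/bin/sh
# Added example, not Claer's or the fixunix recipe's own configuration: write the
# two files for "translate on a loopback before routing", using the addresses from
# this thread, into a directory you can inspect (default: a temporary one), so the
# rules can be checked with "pfctl -nf" before anything goes into /etc.
# Assumptions: pre-4.7 pf syntax as on OpenBSD 4.3/4.4, bge0 is the LAN
# interface, lo1 holds the translated source address, and the IPsec flow for
# REMOTE_NET is already up (ipsecctl -sa shows it, as in the thread).
LAN_IF=${LAN_IF:-bge0}
LAN_HOST=${LAN_HOST:-10.31.30.1}
NAT_SRC=${NAT_SRC:-10.63.61.2}
REMOTE_NET=${REMOTE_NET:-193.164.151.0/28}

# write_loopback_nat <dir>: creates <dir>/hostname.lo1 and <dir>/pf.conf.ipsec-nat
write_loopback_nat() {
	_dir=$1
	# The translated address must be local: replies decapsulated on enc0 are
	# routed to lo1, where pf reverses the translation using the nat state.
	cat > "$_dir/hostname.lo1" <<EOF
inet $NAT_SRC 255.255.255.255
EOF
	cat > "$_dir/pf.conf.ipsec-nat" <<EOF
# nat is evaluated on the outgoing interface; make that interface lo1, which the
# packet leaves *before* the kernel decides whether to encapsulate it
nat on lo1 from $LAN_HOST to $REMOTE_NET -> $NAT_SRC

# first pass through pf: divert the LAN packet to lo1 instead of routing it
pass in quick on $LAN_IF route-to lo1 from $LAN_HOST to $REMOTE_NET keep state

# lo1 loops the (now translated) packet back in; the second routing lookup
# matches the IPsec flow and the packet leaves through enc0
pass quick on lo1 from $NAT_SRC to $REMOTE_NET keep state
pass out quick on enc0 from $NAT_SRC to $REMOTE_NET keep state
EOF
}

target=${1:-$(mktemp -d)}
write_loopback_nat "$target"
echo "wrote $target/hostname.lo1 and $target/pf.conf.ipsec-nat"
echo "check with: pfctl -nf $target/pf.conf.ipsec-nat (then merge into /etc)"
```

Load the fragment with pfctl -nf first: if the release rejects the bare interface name after route-to, use the parenthesised form pf.conf(5) documents for that release. Keep the nat rule on lo1 only; a nat rule on the internet interface would translate the ESP-carrying packet, not the one that needs to match the flow.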


Re: Problem with relayctl - OBSD 4.4

2008-11-12 Thread BARDOU Pierre
Hello,

Here is the log for relayd -dv.
When I try relayctl reload I get "command failed" and nothing in the
relayd output.

# relayd -dv
warning: macro 'squid_adh' not used
warning: macro 'dns_adh' not used
warning: macro 'dns1_ext' not used
warning: macro 'dns2_ext' not used
warning: macro 'mx1_ext' not used
warning: macro 'mx2_ext' not used
warning: macro 'mx_int' not used
warning: macro 'mx_adh' not used
startup
relay_privinit: adding relay squid
protocol 1: name http_proxy
flags: 0x0004
type: http
relay_privinit: adding relay dns
protocol 2: name dnsfilter
flags: 0x0004
type: hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
host 10.60.0.102, check tcp (1ms), state unknown - up, availability 100.00%
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
host 10.60.0.102, check tcp (1ms), state unknown - up, availability 100.00%
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
host 10.60.0.101, check tcp (1ms), state unknown - up, availability 100.00%
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
host 10.60.0.101, check tcp (1ms), state unknown - up, availability 100.00%
dns
relay_init: max open files 1024
adding 2 hosts from table squid:3128
adding 2 hosts from table DNS:53
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
init_filter: filter init done
relay_launch: running relay squid
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
relay_init: max open files 1024
init_tables: created 0 tables
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table squid:3128
pfe_dispatch_imsg: state 1 for host 2 10.60.0.102
relay_launch: running relay squid
adding 2 hosts from table DNS:53
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay dns
pfe_dispatch_imsg: state 1 for host 4 10.60.0.102
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay dns
pfe_dispatch_imsg: state 1 for host 1 10.60.0.101
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay squid
pfe_dispatch_imsg: state 1 for host 3 10.60.0.101
relay_launch: running relay dns
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)

 


--
Regards,
Pierre BARDOU

-Original Message-
From: Stuart Henderson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 11 November 2008 13:20
To: misc@openbsd.org
Subject: Re: Problem with relayctl - OBSD 4.4

On 2008-11-11, James Records [EMAIL PROTECTED] wrote:
 Pierre,

 I'm seeing the same exact thing, I'm not able to reload the config 
 without killing and restarting relayd.

 I haven't looked at the source yet, but I may get to that in the next 
 couple days, restarting is an ok work around for me at this point, but 
 won't be when it gets into production.

 Jim

Run relayd -dv, try and reload the config, check the output and paste it in
mail.


Problem with relayctl - OBSD 4.4

2008-11-07 Thread BARDOU Pierre
Hello,

I have something which looks like a bug using relayctl on OpenBSD 4.4:
* My config file is correct according to relayd -n
* I can launch relayd
* I can't reload the config file using relayctl reload: it says "command
failed"

/var/log/daemon.log and /var/log/messages don't report anything

Does anyone know about this problem?

Thank you

--
Regards,
 
Pierre BARDOU
CSIM - Bureau 012
 
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
 
Tel: 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : [EMAIL PROTECTED]

NAT + IPsec problem

2008-11-06 Thread BARDOU Pierre
Hello,
 
I am trying to set up an IPsec connection.
Here is the ipsec.conf:
ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
   main auth hmac-sha1 enc aes-256 \
   quick auth hmac-sha1 enc aes-256 group modp1024 psk 

Tunnels come up fine:
flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid
212.99.28.26/32 dstid 10.3.2.2/32 type use
flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35
srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1
enc aes
esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1
enc aes

As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx
before the tunnel.
So I put this in my pf.conf:
nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go
through the tunnel, they are going to the internet.

Here is the pflog:
Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 >
193.164.151.1: icmp: echo request
Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 >
193.164.151.1: icmp: echo request

-> Packets are going out through em0 (my inet interface) instead of enc0

As the pf doc says translation occurs before filtering, I don't understand why
pf can see my real address (10.31.30.1).
And the most important: why don't outgoing packets -with good addresses-
go through the tunnel?
Have I misconfigured something?

Thank you for your help

--
Regards,
 
Pierre BARDOU
CSIM - Bureau 012
 
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
 
Tel: 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : [EMAIL PROTECTED]

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,
 
I can load balance on the firewalls with pf, but the problem with that
solution is that there is no failover AFAIK.
If I lose a link between an ISP and me, half of the packets will be lost.

And not losing packets is more important to me than load balancing...
 
--
Regards,
Pierre BARDOU
 



From: Frans Haarman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 18:54
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


2008/10/7 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I am trying to set up a configuration like this:

 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-----------------------+
 |  217.109.108.240/28   |
 +-----------------------+
      |             |
      |             |
 +--------+      +-------+
 |   FW   |      |  FW   |   OpenBSD 4.3
 | MASTER |pfsync| SLAVE |
 +--------+      +-------+
      |             |
      |             |
 +-----------------------+
 |   PRIVATE NETWORKS    |
 +-----------------------+

I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of informations
on how to do this with cisco, but I have never found an openBGP
solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on
the
FW's with 'set nexhop self' on BGP routers), but when both
connections
are active only one is used.

Would it be possible to help me please ?
Is setting up iBGP sessions between FW's and BGP routers a good idea
?
Should I rather use OSPF for this ?
And in tha case how to configure it to loadbalance/failover ?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but
I
understood it was much more difficult.

--
Regards,
Pierre BARDOU




just wondering..

What happens when you load balance your
traffic on your firewalls ? So you divide
the traffic over both bgp routers:

http://www.openbsd.org/faq/pf/pools.html

maybe you could even do the route-to 
on the bgp routers ?

something like:

route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin 
from $lan_net to any keep state 
#and on the other bgp router 
route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin 
from $lan_net to any keep state 

Beware: I have no idea if any of this is possible.
But that's what I'd try :)

Gr. FH


Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,

So the solution would be to activate multipath on the FW's, and to use
OSPF between the BGP routers and my FW's (I've heard somewhere that
OSPF can announce multiple default routes, contrary to BGP)
to ensure failover, if I understand properly...

Nice idea, I'm trying to setup that on my test config.

--
Regards,
Pierre BARDOU

-Original Message-
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

Frans Haarman wrote:
 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]

 Hello,

 I am trying to set up a configuration like this:

  +---------+   +---------+
  |  ISP1   |   |  ISP2   | Cisco
  | ROUTER  |   | ROUTER  |
  | AS3215  |   | AS12670 |
  +---------+   +---------+
       |             |
       |             |
  +---------+   +---------+
  |   BGP   |   |   BGP   |
  | ROUTER  |   | ROUTER  | OpenBSD 4.3
  | AS47818 |   | AS45818 |
  +---------+   +---------+
       |             |
       |             |
  +-----------------------+
  |  217.109.108.240/28   |
  +-----------------------+
       |             |
       |             |
  +--------+      +-------+
  |   FW   |      |  FW   |   OpenBSD 4.3
  | MASTER |pfsync| SLAVE |
  +--------+      +-------+
       |             |
       |             |
  +-----------------------+
  |   PRIVATE NETWORKS    |
  +-----------------------+

 I'd like to load balance outgoing connections to the internet, but I
 don't know how to configure openBGPd to do this.
 I searched a lot on the Internet and I found a lot of informations on
 how to do this with cisco, but I have never found an openBGP solution.
 Some people speak about it but I have never seen it.

 I made a test conf where failover works like a charm (using iBGP on
 the FW's with 'set nexhop self' on BGP routers), but when both
 connections are active only one is used.

 Would it be possible to help me please ?
 Is setting up iBGP sessions between FW's and BGP routers a good idea ?
 Should I rather use OSPF for this ?
 And in tha case how to configure it to loadbalance/failover ?

 Many thanks

 PS : loadbalancing incoming connections too would be very nice, but I
 understood it was much more difficult.

 --
 Regards,
 Pierre BARDOU



 just wondering..

 What happens when you load balance your traffic on your firewalls ? So
 you divide the traffic over both bgp routers:

 http://www.openbsd.org/faq/pf/pools.html

 maybe you could even do the route-to
 on the bgp routers ?

 something like:

 route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin from
 $lan_net to any keep state #and on the other bgp router route-to {
 ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin from $lan_net to
 any keep state

 Beware: I have no idea if any of this is possible.
 But that's what I'd try :)

 Gr. FH



You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath,
although it's not a BGP solution.
I think with the default configuration you should have multipath capability.
Check that no localpref is chosen, and check your ISPs' prepend lengths.

Regards,
 Mariusz Makowski




Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
 
Hello,

Failover already works with BGP on my test conf, the problem is that BGP
only selects ONE route to a destination, so there is no load balancing.

The easiest for me would be to tell BGP to keep TWO routes to each
destination, and use them in a round-robin way.

That's what Cisco does with BGP multipath:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

But AFAIK there is no way to setup this with openBGP.

Am I right ?

--
Regards,
Pierre BARDOU

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 8 October 2008 09:05
To: BARDOU Pierre
Cc: Frans Haarman; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

BARDOU Pierre wrote:
 Hello,
  
 I can load balance on the firewalls with pf, but the problem with that
 solution is that there is no failover AFAIK.
 If I lose a link between an ISP and me, half of the packets will be lost.
 
 And not losing packets is more important to me than load balancing...
  
 --
 Regards,
 Pierre BARDOU
  
 
 
 
 From: Frans Haarman [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 7 October 2008 18:54
 To: BARDOU Pierre
 Cc: misc@openbsd.org
 Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
 
 
 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
 
 
   Hello,
   
   I am trying to set up a configuration like this:
   
    +---------+   +---------+
    |  ISP1   |   |  ISP2   | Cisco
    | ROUTER  |   | ROUTER  |
    | AS3215  |   | AS12670 |
    +---------+   +---------+
         |             |
         |             |
    +---------+   +---------+
    |   BGP   |   |   BGP   |
    | ROUTER  |   | ROUTER  | OpenBSD 4.3
    | AS47818 |   | AS45818 |
    +---------+   +---------+
         |             |
         |             |
    +-----------------------+
    |  217.109.108.240/28   |
    +-----------------------+
         |             |
         |             |
    +--------+      +-------+
    |   FW   |      |  FW   |   OpenBSD 4.3
    | MASTER |pfsync| SLAVE |
    +--------+      +-------+
         |             |
         |             |
    +-----------------------+
    |   PRIVATE NETWORKS    |
    +-----------------------+
   
   I'd like to load balance outgoing connections to the internet,
   but I don't know how to configure openBGPd to do this.
   I searched a lot on the Internet and I found a lot of informations
   on how to do this with cisco, but I have never found an openBGP
 solution.
   Some people speak about it but I have never seen it.
   
   I made a test conf where failover works like a charm (using iBGP on
 the
   FW's with 'set nexhop self' on BGP routers), but when both
 connections
   are active only one is used.
   
   Would it be possible to help me please ?
   Is setting up iBGP sessions between FW's and BGP routers a good idea
 ?
   Should I rather use OSPF for this ?
   And in tha case how to configure it to loadbalance/failover ?
   
   Many thanks
   
   PS : loadbalancing incoming connections too would be very nice, but
 I
   understood it was much more difficult.
   
   --
   Regards,
   Pierre BARDOU
   
 
 
 
 just wondering..
 
 What happens when you load balance your
 traffic on your firewalls ? So you divide
 the traffic over both bgp routers:
 
 http://www.openbsd.org/faq/pf/pools.html
 
 maybe you could even do the route-to 
 on the bgp routers ?
 
 something like:
 
 route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin 
 from $lan_net to any keep state 
 #and on the other bgp router 
 route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin 
 from $lan_net to any keep state 
 
 Beware: I have no idea if any of this is possible.
 But that's what I'd try :)
 
 Gr. FH
 

If you want to use the fail-over capability of BGP, you can use prepend to
increase the length of one path. I have no experience with configuring
openbgpd but on juniper/cisco it seems to work great.

Regards,
  Marusz

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
Hello,

I set up net.inet.ip.multipath to 1
I configured OSPF on the BGP routers to 'redistribute default' to the FW's.

'ospfctl show rib' on the FW's shows that they have two default routes,
but 'ospfctl show fib' shows that only one is active.

Besides a 'dirty' solution with ifstated which inserts multipath routes
and withdraws them when one link/router fails, I am running out of ideas...

Someone has one ?

Thanks

--
Regards,
Pierre BARDOU

-Original Message-
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

Frans Haarman wrote:
 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
 
 Hello,

 I am trying to set up a configuration like this:

  +---------+   +---------+
  |  ISP1   |   |  ISP2   | Cisco
  | ROUTER  |   | ROUTER  |
  | AS3215  |   | AS12670 |
  +---------+   +---------+
       |             |
       |             |
  +---------+   +---------+
  |   BGP   |   |   BGP   |
  | ROUTER  |   | ROUTER  | OpenBSD 4.3
  | AS47818 |   | AS45818 |
  +---------+   +---------+
       |             |
       |             |
  +-----------------------+
  |  217.109.108.240/28   |
  +-----------------------+
       |             |
       |             |
  +--------+      +-------+
  |   FW   |      |  FW   |   OpenBSD 4.3
  | MASTER |pfsync| SLAVE |
  +--------+      +-------+
       |             |
       |             |
  +-----------------------+
  |   PRIVATE NETWORKS    |
  +-----------------------+

 I'd like to load balance outgoing connections to the internet, but I 
 don't know how to configure openBGPd to do this.
 I searched a lot on the Internet and I found a lot of informations on 
 how to do this with cisco, but I have never found an openBGP solution.
 Some people speak about it but I have never seen it.

 I made a test conf where failover works like a charm (using iBGP on 
 the FW's with 'set nexhop self' on BGP routers), but when both 
 connections are active only one is used.

 Would it be possible to help me please ?
 Is setting up iBGP sessions between FW's and BGP routers a good idea ?
 Should I rather use OSPF for this ?
 And in tha case how to configure it to loadbalance/failover ?

 Many thanks

 PS : loadbalancing incoming connections too would be very nice, but I 
 understood it was much more difficult.

 --
 Regards,
 Pierre BARDOU

 
 
 just wondering..
 
 What happens when you load balance your traffic on your firewalls ? So 
 you divide the traffic over both bgp routers:
 
 http://www.openbsd.org/faq/pf/pools.html
 
 maybe you could even do the route-to
 on the bgp routers ?
 
 something like:
 
 route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin from 
 $lan_net to any keep state #and on the other bgp router route-to { 
 ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin from $lan_net to 
 any keep state
 
 Beware: I have no idea if any of this is possible.
 But that's what I'd try :)
 
 Gr. FH
 
 

You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath,
although it's not a BGP solution.
I think with the default configuration you should have multipath capability.
Check that no localpref is chosen, and check your ISPs' prepend lengths.

Regards,
 Mariusz Makowski

Re: OpenBGP load balancing between 2 ISP (multihoming)

2008-10-08 Thread BARDOU Pierre
The problem is that if the ISP router fails, my corresponding BGP
router is still up and running, and so keeps the CARP master,
which makes it a black hole :(
 
--
Regards,
Pierre BARDOU
 



From: Frans Haarman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 8 October 2008 10:56
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


ospf and bgp are designed to select the best possible route and
add that to the kernel routing table I think ;)

I still think you could run 2 CARPs on both BGP routers and
load balance on your firewalls. It means if one BGP router
fails you will be load balancing your connections to the
same BGP router..




2008/10/8 BARDOU Pierre [EMAIL PROTECTED]


Hello,

I set up net.inet.ip.multipath to 1
I configured OSPF on the BGP routers to 'redistribute default' to the
FW's.

'ospfctl show rib' on the FW's shows that they have two default routes,
but 'ospfctl show fib' shows that only one is active.

Besides a 'dirty' solution with ifstated which inserts multipath
routes
and withdraws them when one link/router fails, I am running out of
ideas...

Someone has one ?

Thanks


--
Regards,
Pierre BARDOU

-Original Message-
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)


Frans Haarman wrote:
 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]

 Hello,

 I am trying to set up a configuration like this:

  +---------+   +---------+
  |  ISP1   |   |  ISP2   | Cisco
  | ROUTER  |   | ROUTER  |
  | AS3215  |   | AS12670 |
  +---------+   +---------+
       |             |
       |             |
  +---------+   +---------+
  |   BGP   |   |   BGP   |
  | ROUTER  |   | ROUTER  | OpenBSD 4.3
  | AS47818 |   | AS45818 |
  +---------+   +---------+
       |             |
       |             |
  +-----------------------+
  |  217.109.108.240/28   |
  +-----------------------+
       |             |
       |             |
  +--------+      +-------+
  |   FW   |      |  FW   |   OpenBSD 4.3
  | MASTER |pfsync| SLAVE |
  +--------+      +-------+
       |             |
       |             |
  +-----------------------+
  |   PRIVATE NETWORKS    |
  +-----------------------+

 I'd like to load balance outgoing connections to the internet,
but I
 don't know how to configure openBGPd to do this.
 I searched a lot on the Internet and I found a lot of
informations on
 how to do this with cisco, but I have never found an openBGP
solution.
 Some people speak about it but I have never seen it.

 I made a test conf where failover works like a charm (using iBGP
on
 the FW's with 'set nexhop self' on BGP routers), but when both
 connections are active only one is used.

 Would it be possible to help me please ?
 Is setting up iBGP sessions between FW's and BGP routers a good
idea ?
 Should I rather use OSPF for this ?
 And in tha case how to configure it to loadbalance/failover ?

 Many thanks

 PS : loadbalancing incoming connections too would be very nice,
but I
 understood it was much more difficult.

 --
 Regards,
 Pierre BARDOU



 just wondering..

 What happens when you load balance your traffic on your firewalls
? So
 you divide the traffic over both bgp routers:

 http://www.openbsd.org/faq/pf/pools.html

 maybe you could even do the route-to
 on the bgp routers ?

 something like:

 route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin
from
 $lan_net to any keep state #and on the other bgp router route-to {
 ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin from
$lan_net to
 any keep

OpenBGP load balancing between 2 ISP (multihoming)

2008-10-07 Thread BARDOU Pierre
Hello,
 
I am trying to set up a configuration like this:
 
 +---------+   +---------+
 |  ISP1   |   |  ISP2   | Cisco
 | ROUTER  |   | ROUTER  |
 | AS3215  |   | AS12670 |
 +---------+   +---------+
      |             |
      |             |
 +---------+   +---------+
 |   BGP   |   |   BGP   |
 | ROUTER  |   | ROUTER  | OpenBSD 4.3
 | AS47818 |   | AS45818 |
 +---------+   +---------+
      |             |
      |             |
 +-----------------------+
 |  217.109.108.240/28   |
 +-----------------------+
      |             |
      |             |
 +--------+      +-------+
 |   FW   |      |  FW   |   OpenBSD 4.3
 | MASTER |pfsync| SLAVE |
 +--------+      +-------+
      |             |
      |             |
 +-----------------------+
 |   PRIVATE NETWORKS    |
 +-----------------------+
 
I'd like to load balance outgoing connections to the internet,
but I don't know how to configure openBGPd to do this.
I searched a lot on the Internet and I found a lot of information
on how to do this with Cisco, but I have never found an OpenBGP solution.
Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the
FW's with 'set nexthop self' on the BGP routers), but when both connections
are active only one is used.

Would it be possible to help me please?
Is setting up iBGP sessions between FW's and BGP routers a good idea?
Should I rather use OSPF for this?
And in that case how do I configure it to load balance/failover?

Many thanks

PS : loadbalancing incoming connections too would be very nice, but I 
understood it was much more difficult.

--
Regards,
Pierre BARDOU