Re: OpenVPN in rdomain 1 error
Hello,

We also tried to set up OpenVPN in a non-default rdomain, without success.

--
Regards,
Pierre BARDOU

-Original Message-
From: Denis
Sent: Thursday, 13 December 2018 13:02
To: Misc
Subject: OpenVPN in rdomain 1 error

Trying to run OpenVPN in rdomain 1 by command

# sh /etc/netstart tap0
# cat /var/openvpn.log
...
Thu Dec 13 14:40:27 2018 us=655401 TUN/TAP device /dev/tap0 opened
Thu Dec 13 14:40:27 2018 us=655456 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Dec 13 14:40:27 2018 us=655500 /sbin/ifconfig tap0 192.168.1.1 netmask 255.255.255.0 mtu 1500 broadcast 192.168.1.255
Thu Dec 13 14:40:27 2018 us=658571 Data Channel MTU parms [ L:1654 D:1500 EF:122 EB:411 ET:32 EL:3 ]
Thu Dec 13 14:40:27 2018 us=659026 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Dec 13 14:40:27 2018 us=659338 Socket Buffers: R=[41600->41600] S=[9216->9216]
Thu Dec 13 14:40:27 2018 us=659481 TCP/UDP: Socket bind failed on local address [AF_INET]127.0.0.1:2294: Can't assign requested address (errno=49)
Thu Dec 13 14:40:27 2018 us=659496 Exiting due to fatal error
Thu Dec 13 14:40:27 2018 us=659543 Closing TUN/TAP interface

# cat /etc/hostname.em0
rdomain 1
dhcp

# cat /etc/hostname.tap0
up description 'conn1'
inet 192.168.1.1 255.255.255.0 192.168.1.255
!/sbin/route -T1 exec /usr/bin/env LD_LIBRARY_PATH=/usr/lib:/usr/local/lib /usr/local/sbin/openvpn --config /etc/openvpn/server.conf

# route -T1 -n show
Internet:
Destination        Gateway            Flags   Refs  Use   Mtu  Prio Iface
default            ISP_gateway        UGS        0   84     -     8 em0
ISP_gateway/21     em0_IP             UCn        1    4     -     4 em0
ISP_gateway        00:1f:6c:cc:ad:ee  UHLch      1    3     -     3 em0
em0_IP             00:a1:f3:a0:44:c2  UHLl       0    5     -     1 em0
ISP_destination    em0_IP             UHb        0    0     -     1 em0
Re: Weird routing problem on simple CARP setup
That makes sense. Thanks for your advice.

--
Regards,
Pierre BARDOU

-Original Message-
From: Stuart Henderson
Sent: Wednesday, 11 July 2018 23:24
To: misc@openbsd.org
Subject: Re: Weird routing problem on simple CARP setup

On 2018-07-11, Tom Smyth wrote:
> Hi Pierre,
>
> with VRRP on other vendors the IP on the Virtual interface is
> recommended to be a /32,
>
> afaik
> it prevents ambiguity when it comes to your connected routes do you
> route a packet out the carp interface which as an ip on the configured
> /24 network or do you route the packet out the physical interface
> which also has a /24 network configured
>
> I note the examples and faq page in openbsd show ips configured with
> a /24 configured https://man.openbsd.org/carp
>
> and a /24 seems to be the default ip if a subnet mask is not specified
>
> But I would love to hear / learn more experienced OpenBSD Admins Devs
> take on it

My GBP0.02 (which isn't worth much these days ;)

- generally /32 for addresses on carp

- if there are no IPs from the subnet used in carp on another "real"
interface (i.e. the address is only on the carp interface) then use the
full /XX for one IP in that subnet on carp

- if you're redistributing a subnet on a carp interface into OSPF you
need the full /XX on the carp interface so it can announce the network
rather than a single host (you want to announce it from carp rather than
the "real" interface so the priority changes depending on the carp state)
Re: Weird routing problem on simple CARP setup
Hello,

Sorry for the long delay, I've been very busy recently.
Putting the carp in /32 works.
What's the best practice when you have a physical IP + CARP in the same subnet? The FAQ here https://www.openbsd.org/faq/pf/carp.html#failover uses the same netmask for the CARP and the physical interface.
I upgraded to 6.3 and it also works.

Thank you for your help

--
Regards,
Pierre BARDOU

-Original Message-
From: Stefan Sperling
Sent: Tuesday, 3 July 2018 13:33
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Weird routing problem on simple CARP setup

On Wed, Jun 27, 2018 at 09:30:16AM +0000, BARDOU Pierre wrote:
> Hello,
>
> I have a strange problem with OpenBSD 6.2, which looks like a bug.
> Steps to reproduce :
>
> * sh /etc/netstart -> everything works. Routing table :
> root@fw-t-wan-chut01:~ # netstat -rnf inet
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs   Use    Mtu  Prio Iface
> default            10.194.119.254     UGS        0    16      -     8 bge0
> 224/4              127.0.0.1          URS        0   798  32768     8 lo0
> 10.194.116/22      10.194.116.29      UCn        1     1      -     4 bge0
> 10.194.116/22      10.194.116.28      UCn        0     0      -    19 carp0
> 10.194.116.28      00:00:5e:00:01:0f  UHLl       0     3      -     1 carp0
> 10.194.116.29      40:a8:f0:36:22:0c  UHLl       0    28      -     1 bge0
> 10.194.119.254     00:1b:2a:e9:c4:00  UHLch      2     5      -     3 bge0
> 10.194.119.255     10.194.116.29      UHb        0     0      -     1 bge0
> 10.194.119.255     10.194.116.28      UHb        0     0      -     1 carp0
> 127/8              127.0.0.1          UGRS       0     0  32768     8 lo0
> 127.0.0.1          127.0.0.1          UHhl       1  1122  32768     1 lo0
> 192.168.190/24     192.168.190.1      Cn         0     0      -     4 bge1
> 192.168.190.1      40:a8:f0:36:22:0d  UHLl       0     0      -     1 bge1
> 192.168.190.255    192.168.190.1      Hb         0     0      -     1 bge1
> root@fw-t-wan-chut01:~ # ifconfig carp0
>
> carp0: flags=8843 mtu 1500
>         lladdr 00:00:5e:00:01:0f
>         description: TL-INT-ADM-WAN
>         index 10 priority 15 llprio 3
>         carp: MASTER carpdev bge0 vhid 15 advbase 1 advskew 10
>         groups: carp
>         status: master
>         inet 10.194.116.28 netmask 0xfffffc00 broadcast 10.194.119.255
>
> * then sh /etc/netstart carp0 -> routed traffic stops working (ping
> 10.194.125.120 says "sendmsg: Invalid argument").
> Same result if I do ifconfig carp0 10.194.116.28/22.

Have you tried using a /32 mask on carp0 instead of /22?
That might work around the problem.

I believe this problem is fixed in 6.3. Can you confirm?
Weird routing problem on simple CARP setup
Hello,

I have a strange problem with OpenBSD 6.2, which looks like a bug.
Steps to reproduce:

* sh /etc/netstart -> everything works. Routing table:

root@fw-t-wan-chut01:~ # netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs   Use    Mtu  Prio Iface
default            10.194.119.254     UGS        0    16      -     8 bge0
224/4              127.0.0.1          URS        0   798  32768     8 lo0
10.194.116/22      10.194.116.29      UCn        1     1      -     4 bge0
10.194.116/22      10.194.116.28      UCn        0     0      -    19 carp0
10.194.116.28      00:00:5e:00:01:0f  UHLl       0     3      -     1 carp0
10.194.116.29      40:a8:f0:36:22:0c  UHLl       0    28      -     1 bge0
10.194.119.254     00:1b:2a:e9:c4:00  UHLch      2     5      -     3 bge0
10.194.119.255     10.194.116.29      UHb        0     0      -     1 bge0
10.194.119.255     10.194.116.28      UHb        0     0      -     1 carp0
127/8              127.0.0.1          UGRS       0     0  32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1  1122  32768     1 lo0
192.168.190/24     192.168.190.1      Cn         0     0      -     4 bge1
192.168.190.1      40:a8:f0:36:22:0d  UHLl       0     0      -     1 bge1
192.168.190.255    192.168.190.1      Hb         0     0      -     1 bge1

root@fw-t-wan-chut01:~ # ifconfig carp0
carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:0f
        description: TL-INT-ADM-WAN
        index 10 priority 15 llprio 3
        carp: MASTER carpdev bge0 vhid 15 advbase 1 advskew 10
        groups: carp
        status: master
        inet 10.194.116.28 netmask 0xfffffc00 broadcast 10.194.119.255

* then sh /etc/netstart carp0 -> routed traffic stops working (ping 10.194.125.120 says "sendmsg: Invalid argument").
Same result if I do ifconfig carp0 10.194.116.28/22.
Routing table and ifconfig look the same:

root@fw-t-wan-chut01:~ # netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs   Use    Mtu  Prio Iface
default            10.194.119.254     UGS        5    58      -     8 bge0
224/4              127.0.0.1          URS        0  3918  32768     8 lo0
10.194.116/22      10.194.116.29      UCn        1 59014      -     4 bge0
10.194.116/22      10.194.116.28      UCn        0     0      -    19 carp0
10.194.116.28      00:00:5e:00:01:0f  UHLl       0     7      -     1 carp0
10.194.116.29      40:a8:f0:36:22:0c  UHLl       0    40      -     1 bge0
10.194.119.254     00:1b:2a:e9:c4:00  UHLc       0 29528      -     3 bge0
10.194.119.255     10.194.116.29      UHb        0     0      -     1 bge0
10.194.119.255     10.194.116.28      UHb        0     0      -     1 carp0
127/8              127.0.0.1          UGRS       0     0  32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1  5498  32768     1 lo0
192.168.190/24     192.168.190.1      Cn         0     0      -     4 bge1
192.168.190.1      40:a8:f0:36:22:0d  UHLl       0     0      -     1 bge1
192.168.190.255    192.168.190.1      Hb         0     0      -     1 bge1

root@fw-t-wan-chut01:~ # ifconfig carp0
carp0: flags=8843 mtu 1500
        lladdr 00:00:5e:00:01:0f
        description: TL-INT-ADM-WAN
        index 10 priority 15 llprio 3
        carp: MASTER carpdev bge0 vhid 15 advbase 1 advskew 10
        groups: carp
        status: master
        inet 10.194.116.28 netmask 0xfffffc00 broadcast 10.194.119.255

* then again sh /etc/netstart -> everything is working again.
Deleting and re-adding the default route also does the trick.

If I test something like:

root@fw-t-wan-chut01:~ # sh /etc/netstart
root@fw-t-wan-chut01:~ # ifconfig bge0 10.194.116.29/22

the default route disappears. This is a bit weird, but at least the routing table is consistent with what happens.

I figured out a workaround by not using the mygate file, and adding a line in hostname.bge0 and hostname.carp0:

!route add default 10.194.119.254 1>/dev/null || route change default 10.194.119.254 1>/dev/null

Additional information:

Network configuration:
root@fw-t-wan-chut01:~ # cat /etc/hostname.bge0
Re: Queuing faster than 4 Gbps
syncache 264 62003333 0 1 0 80
rtentry 112407550 42 1079 1076 316 0 80
plcache 128 400 40 2 0 2 2 0 80
plimitpl 152 11770 24 4 3 1 2 0 80
inpcbpl 288 32240 17 5 3 2 3 0 80
arp 56406820 20 518 516 2 8 0 80
pfsync72 41600 1 1 0 1 0 80

### IFACE LIVELOCKS SIZE ALIVE LWM HWM CWM
System0 256 103001114 204871 32 2112 100931176 921634 5
lo0
ix0 2050 25610 256 256
ix1 2050 25610 256 256
bge0 20483417 51234 90321717 25617
bge1 20482317 51223 90321717 25617
enc0
trunk0
vlan3202
vlan3203
vlan4027
carp1
carp2
carp3
carp4
pfsync0
pflog0

--
Regards,
Pierre BARDOU

-Original Message-
From: BARDOU Pierre
Sent: Tuesday, 27 February 2018 13:52
To: misc@openbsd.org
Subject: RE: Queuing faster than 4 Gbps

Hello,

I reached this conclusion as Stuart says: if I configure a bandwidth above 4G, like for instance 50, pfctl says "number too big".
I checked in parse.y, the limit is UINT_MAX.
If I use 5G instead, it parses OK, but pfctl -sq shows another number. I guess 50 - UINT_MAX.

By the way, with this hardware (dmesg below) I can only get around 2.5 Gbps of firewalled traffic (around 350 kpps)...
If you have some tuning advice to pump that up, that would be great.
I only tuned ifq.maxlen to 8192 and qlimit to the same value.

OpenBSD 6.2 (GENERIC.MP) #5: Fri Feb 2 23:02:19 CET 2018
    r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4108201984 (3917MB)
avail mem = 3976663040 (3792MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xb7fcb000 (82 entries)
bios0: vendor HP version "P80" date 04/02/2015
bios0: HP ProLiant DL320e Gen8 v2
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC BERT HEST DMAR SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PCI0(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xb8000000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3592.17 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 3592174860 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3591.68 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1
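As an added illustration of the wrap the message above describes (example code written for this page, not pfctl's own parser and not from the thread): a bandwidth parser using the K/M/G suffixes of pf.conf queue definitions, first stored into a 32-bit unsigned field the way the thread suspects, then with the width check that would reject the value instead of configuring a wrong rate. The function names and the exact overflow check are assumptions made for the example; what the real parse.y does is not reproduced here.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Parse "<number>[K|M|G]" (bits per second) into a 64-bit value.
 * Returns 0 on success, -1 on a malformed string or overflow.
 * The suffix syntax follows pf.conf queue definitions, but this is an
 * illustration written for this page, not the parser in pfctl's parse.y.
 */
int parse_bandwidth(const char *s, uint64_t *out)
{
	char *end;
	unsigned long long n;
	uint64_t mult = 1;

	if (s == NULL || *s == '-')
		return -1;
	errno = 0;
	n = strtoull(s, &end, 10);
	if (end == s || errno != 0)
		return -1;
	switch (*end) {
	case '\0':                                  break;
	case 'K': case 'k': mult = 1000ULL;       end++; break;
	case 'M': case 'm': mult = 1000000ULL;    end++; break;
	case 'G': case 'g': mult = 1000000000ULL; end++; break;
	default: return -1;
	}
	if (*end != '\0')
		return -1;
	if (n > UINT64_MAX / mult)
		return -1;
	*out = (uint64_t)n * mult;
	return 0;
}

/*
 * The failure mode discussed in the thread: assigning a 64-bit value to a
 * 32-bit field keeps only the value modulo 2^32, silently. Returns 1 if
 * the value was truncated, 0 if it fit.
 */
int store_u32(uint64_t bps, uint32_t *field)
{
	*field = (uint32_t)bps;
	return bps > UINT32_MAX;
}

/*
 * The checked form: reject anything wider than the field so the caller
 * can report "number too big" instead of configuring a wrong rate.
 */
int store_u32_checked(uint64_t bps, uint32_t *field)
{
	if (bps > UINT32_MAX)
		return -1;
	*field = (uint32_t)bps;
	return 0;
}

/* Parse and truncate in one step; returns 0 on a parse error. */
uint32_t bandwidth_as_u32(const char *s)
{
	uint64_t bps;
	uint32_t field;

	if (parse_bandwidth(s, &bps) != 0)
		return 0;
	store_u32(bps, &field);
	return field;
}

/* 1 if the rate fits a 32-bit field, 0 if it would wrap, -1 on parse error. */
int bandwidth_fits_u32(const char *s)
{
	uint64_t bps;
	uint32_t field;

	if (parse_bandwidth(s, &bps) != 0)
		return -1;
	return store_u32_checked(bps, &field) == 0;
}

int main(void)
{
	const char *samples[] = { "4G", "5G", "10G", "50G" };
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		uint64_t bps;
		uint32_t field;
		int wrapped;

		if (parse_bandwidth(samples[i], &bps) != 0) {
			printf("%s: parse error\n", samples[i]);
			continue;
		}
		wrapped = store_u32(bps, &field);
		printf("%-4s = %llu bps -> 32-bit field holds %u%s\n",
		    samples[i], (unsigned long long)bps, field,
		    wrapped ? " (wrapped)" : "");
	}
	return 0;
}
```

With a 32-bit field, 4G still fits (4,000,000,000 is below 2^32) while 5G wraps to 705,032,704, which is the kind of "another number" the message above saw from pfctl -sq; the checked store is what turns that silent wrap into a parse-time error.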
Re: Queuing faster than 4 Gbps
sd0 at scsibus1 targ 0 lun 0: <HP, LOGICAL VOLUME, 6.64> SCSI3 0/direct fixed
sd0: 139979MB, 512 bytes/sector, 286677120 sectors
ppb1 at pci0 dev 1 function 1 "Intel Core 4G PCIE" rev 0x06: msi
pci2 at ppb1 bus 7
ix0 at pci2 dev 0 function 0 "Intel 82599" rev 0x01: msi, address 00:11:0a:67:9e:ec
ix1 at pci2 dev 0 function 1 "Intel 82599" rev 0x01: msi, address 00:11:0a:67:9e:ed
ppb2 at pci0 dev 1 function 2 "Intel Core 4G PCIE" rev 0x06: msi
pci3 at ppb2 bus 2
unknown vendor 0x1590 product 0x005f (class memory subclass miscellaneous, rev 0x00) at pci3 dev 0 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel 8 Series xHCI" rev 0x04: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
ehci0 at pci0 dev 26 function 0 "Intel 8 Series USB" rev 0x04: apic 8 int 21
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 28 function 0 "Intel 8 Series PCIE" rev 0xd4
pci4 at ppb3 bus 10
ppb4 at pci0 dev 28 function 5 "Intel 8 Series PCIE" rev 0xd4
pci5 at ppb4 bus 3
bge0 at pci5 dev 0 function 0 "Broadcom BCM5720" rev 0x00, BCM5720 A0 (0x5720000), APE firmware NCSI 1.3.7.0: msi, address 50:65:f3:f0:9d:58
brgphy0 at bge0 phy 1: BCM5720C 10/100/1000baseT PHY, rev. 0
bge1 at pci5 dev 0 function 1 "Broadcom BCM5720" rev 0x00, BCM5720 A0 (0x5720000), APE firmware NCSI 1.3.7.0: msi, address 50:65:f3:f0:9d:59
brgphy1 at bge1 phy 2: BCM5720C 10/100/1000baseT PHY, rev. 0
ppb5 at pci0 dev 28 function 7 "Intel 8 Series PCIE" rev 0xd4
pci6 at ppb5 bus 1
"Hewlett-Packard iLO3 Slave" rev 0x05 at pci6 dev 0 function 0 not configured
vga1 at pci6 dev 0 function 1 "Matrox MGA G200eH" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Hewlett-Packard iLO3 Management" rev 0x05 at pci6 dev 0 function 2 not configured
uhci0 at pci6 dev 0 function 4 "Hewlett-Packard USB" rev 0x02: apic 8 int 16
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Hewlett-Packard UHCI root hub" rev 1.00/1.00 addr 1
ehci1 at pci0 dev 29 function 0 "Intel 8 Series USB" rev 0x04: apic 8 int 20
usb3 at ehci1: USB revision 2.0
uhub3 at usb3 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
pcib0 at pci0 dev 31 function 0 "Intel C222 LPC" rev 0x04
"Intel 8 Series RAID" rev 0x04 at pci0 dev 31 function 2 not configured
isa0 at pcib0
isadma0 at isa0
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
com1: probed fifo depth: 0 bytes
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
uhub4 at uhub0 port 3 configuration 1 interface 0 "Standard Microsystems product 0x2660" rev 2.00/8.01 addr 2
uhub5 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.04 addr 2
uhub6 at uhub3 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.04 addr 2
uhidev0 at uhub2 port 1 configuration 1 interface 0 "BMC Virtual Keyboard" rev 1.10/0.02 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes, country code 33
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 1 configuration 1 interface 1 "BMC Virtual Keyboard" rev 1.10/0.02 addr 2
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (e4426d30edab0280.a) swap on sd0b dump on sd0b

--
Regards,
Pierre BARDOU

-Original Message-
From: Peter N. M. Hansteen [mailto:pe...@bsdly.net]
Sent: Monday, 26 February 2018 18:43
To: misc@openbsd.org
Subject: Re: Queuing faster than 4 Gbps

On 02/26/18 17:50, BARDOU Pierre wrote:
> Hello,
>
> I'm trying to use queuing on a 10 Gbps interface.
> I remind of a conversation on tech@ or misc@ which was about queuing values
> being stored in a UINT which prevented configuring values > 4 Gbps.
> I can't find it in the mailing list archive logs though. Wasn't the
> discussion about using long integers and so remove this limitation ?

If I remember correctly, the bandwidth values were 32-bit in ALTQ, effectively limiting the upper bandwidth value to something like what you suggest. The current queueing code is quite different in most respects.

> As of today current, it seem to be still present. Any plans to upgrade this
> in the (near) future ?

I'm a bit curious as to how you reached this conclusion. You're hitting one or more limits in your environment, but how do you identify which one?

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Queuing faster than 4 Gbps
Hello,

I'm trying to use queuing on a 10 Gbps interface.
I recall a conversation on tech@ or misc@ which was about queuing values being stored in a UINT which prevented configuring values > 4 Gbps.
I can't find it in the mailing list archive logs though. Wasn't the discussion about using long integers and so removing this limitation?
As of today's current, it seems to be still present. Any plans to upgrade this in the (near) future?

Thank you

--
Regards,
Pierre Bardou
IPsec (isakmpd) in rdomain non zero needs default route
Hello,

I don't know if I should post this to misc@ or bugs@... If this is the wrong list tell me and I'll file a proper bug report.

I need to add a default route in rdomain 1 to be able to use the tunnels created by isakmpd.
That is a bit weird, routes should be injected by isakmpd.

Here is my test setup:

+-----------------------------+        +-----------------------------+
| em1 (rd1): 192.168.0.1      |--------| em1 (rd1): 192.168.0.2      |
|                             |        |                             |
|            rtr1             |        |            rtr2             |
| lo1 (rd1): 127.0.0.1        |        | lo1 (rd1): 127.0.0.1        |
|     alias: 192.168.1.1      |        |     alias: 192.168.2.1      |
+-----------------------------+        +-----------------------------+

on rtr1 and rtr2:
created enc1 rdomain 1 up
launched route -T 1 exec isakmpd -K

tunnel conf rtr1:
ike esp from 192.168.1.0/24 to 192.168.2.0/24 local 192.168.0.2 peer 192.168.0.2 \
    main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
    quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

tunnel conf rtr2:
ike esp from 192.168.2.0/24 to 192.168.1.0/24 local 192.168.0.2 peer 192.168.0.1 \
    main auth hmac-md5 enc 3des group modp1024 lifetime 28800 \
    quick auth hmac-md5 enc 3des group modp1024 lifetime 3600 psk "deadbeef"

routing table rt1:
Internet:
Destination        Gateway            Flags   Refs  Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1    2  32768     1 lo1
192.168.0/24       192.168.0.1        UCn        1    0      -     4 em1
192.168.0.1        00:50:56:b4:7b:eb  UHLl       0   37      -     1 em1
192.168.0.2        00:50:56:b4:77:82  UHLc       1   16      -     3 em1
192.168.0.255      192.168.0.1        UHb        0    0      -     1 em1
192.168.1.1        192.168.1.1        UHl        0    7  32768     1 lo1

routing table rt2:
Internet:
Destination        Gateway            Flags   Refs  Use   Mtu  Prio Iface
127.0.0.1          127.0.0.1          UHhl       1    2  32768     1 lo1
192.168.0/24       192.168.0.2        UCn        0    0      -     4 em1
192.168.0.2        00:50:56:b4:77:82  UHLl       0  245      -     1 em1
192.168.0.255      192.168.0.2        UHb        0    0      -     1 em1
192.168.2.1        192.168.2.1        UHl        0   52  32768     1 lo1

flows rtr1:
# route -T1 exec ipsecctl -sf
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.2 srcid 192.168.0.1/32 dstid 192.168.0.2/32 type require

flows rtr2:
# route -T1 exec ipsecctl -sf
flow esp in from 192.168.1.0/24 to 192.168.2.0/24 peer 192.168.0.1 srcid 192.168.0.2/32 dstid 192.168.0.1/32 type use
flow esp out from 192.168.2.0/24 to 192.168.1.0/24 peer 192.168.0.1 srcid 192.168.0.2/32 dstid 192.168.0.1/32 type require

On rtr1:
ping -V 1 -I 192.168.1.1 192.168.2.1
won't work until I do on both routers:
route -T1 add default 127.0.0.1

My guess is that the problem is quite the same as with inter-domain routing with PF: destination lookup is done BEFORE processing by PF or IPsec (explained here for PF: https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/). So when there is no default route, it fails.
If this guess is right, the problem should also happen on rdomain 0.

Could you fix the code to make it work without the default route? Or, as I suspect, is this too difficult and I'll go with my workaround?

--
Regards,
Pierre Bardou
Re: Read sysctl from file
Hello,

I didn't realize that, but you have a point here.

For future reference, I got the Ansible sysctl module working by tuning the options:

Task:

    - name: "Tuning sysctl"
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        reload: no
        sysctl_set: yes
      with_items: "{{ sysctl }}"

Vars:

    sysctl:
      - name: "net.inet.ip.forwarding"
        value: 1
      - name: "net.inet.carp.preempt"
        value: 1

--
Regards,
Pierre BARDOU

-Original Message-
From: Theo de Raadt [mailto:dera...@openbsd.org]
Sent: Thursday, 20 July 2017 15:46
To: BARDOU Pierre <bardo...@mipih.fr>
Cc: misc@openbsd.org
Subject: Re: Read sysctl from file

> Is there a way to make sysctl re-read its conf file, or even another
> file, like sysctl -p does on linux systems ?
> Supporting this option would be nice, as it is used by the sysctl
> module of ansible.

But sysctl doesn't have a configuration file.

There is a file called sysctl.conf, but it isn't a configuration file for the command. It is a list of sysctl changes, which will be made by the rc scripts at startup.

Someone in linux land went off the map here.

And then another piece of software started un-portably assuming that's the way to do things?
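As an added example of what Theo describes (written for this page; not the author's code and not a copy of OpenBSD's /etc/rc): applying a sysctl.conf-style list of name=value lines with sysctl(8) at run time, the job the rc scripts do at boot. The function names, the comment-stripping rules and the sample file are assumptions made for the example; a real run needs root and omits the "dry" argument.

```sh
#!/bin/sh
# Added example: apply a sysctl.conf-style list (one "name=value" per line,
# '#' comments and blank lines ignored) with sysctl(8). Not a copy of
# OpenBSD's /etc/rc; the parsing rules below are this example's own.

# Print the effective entries of a sysctl.conf-style file, one per line,
# with comments, blank lines and surrounding whitespace removed.
sysctl_entries() {
	sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Apply every entry of the file. Lines that are not "name=value" are
# reported and skipped rather than handed to sysctl(8). With a non-empty
# second argument ("dry"), print the commands instead of running them.
# Returns non-zero if any line was skipped or any sysctl call failed.
sysctl_apply() {
	file=$1
	dry=${2:-}
	rv=0
	tmp=$(mktemp) || return 1
	sysctl_entries "$file" > "$tmp"
	while IFS= read -r entry; do
		case $entry in
		*=*) ;;
		*)
			echo "skipping malformed line: $entry" >&2
			rv=1
			continue
			;;
		esac
		if [ -n "$dry" ]; then
			echo "sysctl $entry"
		elif ! sysctl "$entry"; then
			echo "failed: $entry" >&2
			rv=1
		fi
	done < "$tmp"
	rm -f "$tmp"
	return $rv
}

# Constructed sample input for the example (not the author's file).
# The caller is responsible for removing it afterwards.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# forward packets between interfaces
net.inet.ip.forwarding=1   # trailing comment
net.inet.carp.preempt=1

kern.maxfiles   # malformed: no value, must not reach sysctl(8)
EOF

# Dry run prints the two commands that would be executed and warns about
# the malformed line; drop the "dry" argument (as root) to apply them.
sysctl_apply "$SAMPLE" dry || echo "some lines were skipped" >&2
```

The malformed-line check is the part worth keeping: a bare name or a stray option in the file would otherwise be passed straight to sysctl(8), and on a firewall the knobs in such a file (forwarding, carp preemption) are exactly the ones you do not want applied by accident or half-applied without notice.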
Read sysctl from file
Hello,

Is there a way to make sysctl re-read its conf file, or even another file, like sysctl -p does on Linux systems?
Supporting this option would be nice, as it is used by the sysctl module of Ansible.

--
Regards,
Pierre BARDOU
Re: OpenBSD on HPE DL20 G9
Hello,

Unfortunately, I don't have this server any more: as it didn't work I sent it back to HP.
But thanks for the info, the trick may be useful for other servers.

--
Regards,
Pierre BARDOU

-Original Message-
From: Naoki Fukaumi [mailto:fuka...@soum.co.jp]
Sent: Monday, 17 April 2017 09:13
To: BARDOU Pierre <bardo...@mipih.fr>
Cc: misc@openbsd.org
Subject: Re: OpenBSD on HPE DL20 G9

hi,

From: BARDOU Pierre <bardo...@mipih.fr>
Subject: OpenBSD on HPE DL20 G9
Date: Mon, 10 Oct 2016 15:12:04 +0000

> I have a brand new HPE DL20 G9, on which I am trying to boot OpenBSD
> (version 6.0).
>
> 1st try: UEFI. The boot loader does its work, and then the screen
> remains blank.
> I can't see any line with blue background.
> I tried to see what happened via console, but there is no serial port
> on these little beasts :(

Can you try to disable "UEFI Optimized Boot"?

http://h20565.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=7481826=mmr_kc-0123842=en_US

It works for me.
# I have no idea why it works...

Best Regards,
--
FUKAUMI Naoki
Re: Monitoring relayd via SNMP
Hello,

Thanks for the idea, but how are you triggering a script on polling?
BTW, I think that if snmp is not available I will stick to check_relayd with NRPE.
Cf. http://undeadly.org/cgi?action=article=20110220204953

--
Regards,
Pierre BARDOU

From: Mik J [mailto:mikyde...@yahoo.fr]
Sent: Saturday, 11 March 2017 15:23
To: BARDOU Pierre <bardo...@mipih.fr>; misc@openbsd.org
Subject: Re: Monitoring relayd via SNMP

Hello Pierre,

I don't use relayd but for some of my needs with snmp, I retrieve the statistics through a script that is executed every time I poll a specific OID.
It might be dirty, but does the job.

Regards

On Tuesday, 7 March 2017 at 16:08, BARDOU Pierre <bardo...@mipih.fr> wrote:

I found nothing to implement the relayd MIB in the SNMPD source code apart from the traps part.
So it seems this is still a WIP. Could anyone confirm that?

--
Regards,
Pierre BARDOU

-Original Message-
From: BARDOU Pierre
Sent: Monday, 6 March 2017 16:46
To: misc@openbsd.org
Subject: Monitoring relayd via SNMP

Hello,

I am trying to monitor relayd through snmpd(8).
It seems that a MIB exists:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/snmp/OPENBSD-RELAYD-MIB.txt?rev=1.3=text/x-cvsweb-markup
But SNMPwalking these OIDs doesn't work. snmpctl show mib doesn't show them either.
I tried to set up an AgentX socket, but according to the man relayd.conf(5) it is only for traps.
I'm feeling I am doing something wrong here...
Could someone point me in the right direction to use this MIB?

Thank you

--
Regards,
Pierre Bardou
Re: Monitoring relayd via SNMP
I found nothing to implement the relayd MIB in the SNMPD source code apart from the traps part.
So it seems this is still a WIP. Could anyone confirm that?

--
Regards,
Pierre BARDOU

-Original Message-
From: BARDOU Pierre
Sent: Monday, 6 March 2017 16:46
To: misc@openbsd.org
Subject: Monitoring relayd via SNMP

Hello,

I am trying to monitor relayd through snmpd(8).
It seems that a MIB exists:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/snmp/OPENBSD-RELAYD-MIB.txt?rev=1.3=text/x-cvsweb-markup
But SNMPwalking these OIDs doesn't work. snmpctl show mib doesn't show them either.
I tried to set up an AgentX socket, but according to the man relayd.conf(5) it is only for traps.
I'm feeling I am doing something wrong here...
Could someone point me in the right direction to use this MIB?

Thank you

--
Regards,
Pierre Bardou
Monitoring relayd via SNMP
Hello,

I am trying to monitor relayd through snmpd(8).
It seems that a MIB exists:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/snmp/OPENBSD-RELAYD-MIB.txt?rev=1.3=text/x-cvsweb-markup
But SNMPwalking these OIDs doesn't work. snmpctl show mib doesn't show them either.
I tried to set up an AgentX socket, but according to the man relayd.conf(5) it is only for traps.
I'm feeling I am doing something wrong here...
Could someone point me in the right direction to use this MIB?

Thank you

--
Regards,
Pierre Bardou
Relayd and rdomains
Hello,

Is there a solution to use relayd (redirect mode) on multiple rdomains on the same host?
I had two ideas, but none of them work:

* launch relayd in the default rdomain -> rules are injected with "on rdomain 0", so they do not match on other rdomains
* launch one relayd instance per rdomain: the control socket name cannot be specified, so using relayctl is not possible

--
Regards,
Pierre Bardou
Re: 350MHz IBM Intel Pentium II runs 5.9 fine
It is quite stable also :)
I love this OS... Congrats to the team for all the good work.
This router is used for etherip, and has worked flawlessly for more than 5 years now (and counting).

# uptime
 5:59PM  up 1890 days,  1:02, 1 user, load averages: 0.17, 0.11, 0.09

# cat /var/run/dmesg.boot
OpenBSD 4.9-stable (GENERIC.MP) #0: Wed Sep 28 10:37:22 CEST 2011
    r...@rt-t-etherip1.mipih.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(TM) CPU 3.60GHz ("GenuineIntel" 686-class) 3.61 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR
real mem = 2147000320 (2047MB)
avail mem = 2101714944 (2004MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.3 @ 0xec000 (56 entries)
bios0: vendor HP version "P52" date 02/14/2006
bios0: HP ProLiant DL360 G4
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(TM) CPU 3.60GHz ("GenuineIntel" 686-class) 3.61 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR
ioapic0 at mainbus0: apid 8 pa 0xfec00000, version 20, 24 pins
ioapic1 at mainbus0: apid 9 pa 0xfec10000, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 9
ioapic2 at mainbus0: apid 10 pa 0xfec82000, version 20, 24 pins
ioapic3 at mainbus0: apid 11 pa 0xfec82400, version 20, 24 pins
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 2 (ICHR)
acpiprt2 at acpi0: bus 7 (PCXA)
acpiprt3 at acpi0: bus 10 (PCXB)
acpiprt4 at acpi0: bus 6 (PTB0)
acpiprt5 at acpi0: bus 13 (PTA0)
acpiprt6 at acpi0: bus 3 (PTC0)
acpiprt7 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: FVS, 3600, 3200, 2800 MHz
acpicpu1 at acpi0: FVS, 3600, 3200, 2800 MHz
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x4000! 0xcc000/0x1600 0xee000/0x2000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
bridge io address conflict 0x1000/0x3000
pchb0 at pci0 dev 0 function 0 "Intel E7520 Host" rev 0x0c
ppb0 at pci0 dev 2 function 0 "Intel E7520 PCIE" rev 0x0c
pci1 at ppb0 bus 13
ppb1 at pci0 dev 4 function 0 "Intel E7520 PCIE" rev 0x0c
pci2 at ppb1 bus 6
ppb2 at pci2 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci3 at ppb2 bus 7
ppb3 at pci2 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci4 at ppb3 bus 10
ppb4 at pci0 dev 6 function 0 "Intel E7520 PCIE" rev 0x0c
pci5 at ppb4 bus 3
ppb5 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci6 at ppb5 bus 2
ciss0 at pci6 dev 1 function 0 "Compaq Smart Array 64xx" rev 0x01: apic 9 int 0 (irq 5)
ciss0: 1 LD, HW rev 1, FW 2.80/2.80, 64bit fifo
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: SCSI2 0/direct fixed
sd0: 34727MB, 512 bytes/sec, 71122560 sec total
bge0 at pci6 dev 2 function 0 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): apic 9 int 1 (irq 5), address 00:15:60:ac:ea:1e
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci6 dev 2 function 1 "Broadcom BCM5704C" rev 0x10, BCM5704 B0 (0x2100): apic 9 int 2 (irq 5), address 00:15:60:ac:ea:1d
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: apic 8 int 16 (irq 5)
uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: apic 8 int 19 (irq 5)
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: apic 8 int 23 (irq 5)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x0a
pci7 at ppb6 bus 1
vga1 at pci7 dev 3 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Compaq iLO" rev 0x01 at pci7 dev 4 function 0 not configured
"Compaq iLO" rev 0x01 at pci7 dev 4 function 2 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
usb1 at uhci0: USB revision 1.0
uhub1 at usb1
Re: 4th nic for pcengines apu2
Hi,

I am planning to try a DL320e G8 v2, in the same price range as the DL20 G9. If you have a few weeks I should be able to tell you if it works.

For the APU, I would go with a manageable switch and VLANs.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Marko Cupać [mailto:marko.cu...@mimar.rs]
Sent: Wednesday, 19 October 2016 21:03
To: misc@openbsd.org
Subject: Re: 4th nic for pcengines apu2

Hi,

I have a budget which is a few times the price of a single apu2. Actually, initially I planned to use a pair of HPE ProLiant DL20 gen9 for this purpose. Unfortunately, it appears DL20gen9s won't boot OpenBSD: [https://marc.info/?l=openbsd-misc=147611237327210=2]

If someone has good experience with OpenBSD on entry level HPE ProLiant servers that are currently being sold new, please let me know.

One of the requirements for this hardware is that it has to be purchased from a local distributor in Serbia, in order to avoid hassle with customs, import taxes, first import certification, guarantee period etc. PC Engines have a distributor here, that's one of the reasons I buy their gear. The same with HP. I doubt Lanner and Jetway have a distributor in Serbia, at least a web search didn't return anything.

My intention was what Florian suggested, to use a miniPCIe NIC, and I wanted to ask if someone knows about one that is tested in production on OpenBSD, and works fine.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: OpenBSD on HPE DL20 G9
Nice idea. Sadly, I tried and it seems not to work: the boot loader can't find any serial port.

boot> set tty com0
switching console to com0
com0 console not present
boot> set tty pc0

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Todd C. Miller [mailto:todd.mil...@courtesan.com]
Sent: Monday, 10 October 2016 17:45
To: BARDOU Pierre <bardo...@mipih.fr>
Cc: misc@openbsd.org
Subject: Re: OpenBSD on HPE DL20 G9

Can't you enable serial console redirection with the built-in iLO? That should make it easier to get the boot messages in legacy mode.

- todd
OpenBSD on HPE DL20 G9
Hello,

I have a brand new HPE DL20 G9, on which I am trying to boot OpenBSD (version 6.0).

1st try: UEFI. The boot loader does its work, and then the screen remains blank. I can't see any line with a blue background. I tried to see what happened via the console, but there is no serial port on these little beasts :(

2nd try: legacy BIOS. The kernel starts, and the lines starting with "cpu" seem OK. But then there are a lot of "mem address conflict" and "bridge mem address conflict" messages. Then it freezes.

Is there something I can do? Would it be useful if I gave you the full messages (a long and painful process of copying the text from the video of the boot)?

Thank you

--
Regards,
Pierre Bardou
Re: ratble and rdomain support on dhcpd and openvpn
Hi,

OpenVPN does not support rdomains and probably never will, as it is OpenBSD-specific. I had some success by running it in the default rdomain and then dispatching the clients into different rdomains via PF. But this was for server mode.

Maybe you can do something like that for the client, like running it in the default rdomain and making PF rules in your rdomain 200 to send the relevant packets to the VPN.

You might also use "route -T 200 exec openvpn ..." and a script which will set the rdomain on connection. Look at the --up parameter in the OpenVPN man page.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Difan Zhao [mailto:difan.z...@pason.com]
Sent: Friday, 15 July 2016 21:35
To: Chris Cappuccio
Cc: Pierre Emeriaud; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Thank you sir! So I'll probably just stick with my hacking approach and wait for 6.0. I see that will come in November so not too much waiting.

So any idea how openvpn might start to support rtable or rdomain?

Thanks,
Difan

-----Original Message-----
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Friday, July 15, 2016 11:07 AM
To: Difan Zhao
Cc: Pierre Emeriaud; misc@openbsd.org
Subject: Re: ratble and rdomain support on dhcpd and openvpn

Difan Zhao [difan.z...@pason.com] wrote:
> Hi Pierre,
>
> I just upgraded the soekris box to openbsd 5.9 however I am still
> having the problem setting the rtable...
>

This requires OpenBSD 6.0 which is not yet released. You can use snapshots at http//ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/ to install the beta code.
Re: syslog-ng+ELK
Hello,

I use ELK for all my system/firewall logs. It gathers Linux, Windows, ASA, pflog and all appliance syslogs very well, despite the high number of messages (actually more than 1 000 000 000/week). You can configure logstash filtering to suit your needs. The Kibana interface is very efficient, and even gives you graphics. I am very happy with it.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: trondd [mailto:tro...@kagu-tsuchi.com]
Sent: Saturday, 7 May 2016 18:02
To: Predrag Punosevac
Cc: misc@openbsd.org
Subject: Re: syslog-ng+ELK

On Sat, May 7, 2016 12:29 am, Predrag Punosevac wrote:
> Michael Shirk wrote:
>
>> On May 23, 2015 10:42, "Predrag Punosevac" wrote:
>> >
>> > 5. Finally I am open for simpler ideas. Any opinions on
>> > sysutils/logfmon
>> > Is it possible to visualize on the web output from logfmon?
>> >
>> > Best,
>> > Predrag Punosevac
>> >
>>
>> There is another aspect to log analysis tools that bothers me the
>> most, why must we risk system security to review log files?
>>
>> Any of the tools that "work well" open you up to web vulnerabilities,
>> or cost money in the case of Splunk. I have not had time to work on
>> it, but I would like to create a tool that avoids all of the issues
>> of running a web service or requiring java.
>>
>> My interest is in UNIX system logs and IDS/IPS events, with full
>> packet captures. The simplest form I have used is with automated
>> processing of IDS events, firewall logs, and full pcap data as static
>> files shared on a webserver. I would be interested in a CLI log
>> viewer with ncurses, or scripted output (maybe using pipecut to
>> process data as you search for what you want in the simplest UNIX
>> way).
>>
>> --
>> Michael Shirk
>> Daemon Security, Inc.
>> http://www.daemon-security.com
>
>
> I am resurrecting this old thread I started almost a year ago in an
> attempt to learn how other OpenBSD users are managing their
> centralized logging servers. I also wanted to revisit the issues
> raised by Mr. Shirk.
>
> Namely the problem I am trying to solve seems very common. I am
> running a centralized logging server (syslog-ng) on an OpenBSD host. This
> server receives log files from my heterogeneous network consisting of
> OpenBSD machines (running syslogd), Red Hat machines (rsyslog), and
> FreeBSD machines running the FreeBSD version of syslogd. I noticed that
> sending log files generates lots of traffic on my monitoring server in
> part due to the fact that I am recording lots of noise like
>
> last message repeated 10 times
>
> The next problem is properly rotating, archiving, and deleting monthly
> directories containing log files of all my servers. For example the
> directory
>
> /var/log/syslog-ng/HOSTS/2016-05
>
> contains log files of all my servers for this month. That is not too
> useful. Storing them per day would probably be better but having fewer
> log files just for important things would be even better.
>
> Log files are useless unless some kind of analytics is run on them.
> I would like to be able to do real time monitoring for anomalies using
> a daemon. The following seem obvious anomalies:
>
> 1. SMART errors (I am a big data/machine learning guy so I want to
> replace failed HDDs in a timely fashion) even though the SMART daemon is
> sending a separate e-mail
>
> 2. failing hardware (sensors, IPMI, mcelog)
>
> 3. firewall logs
>
> 4. IDS/IPS events
>
> A daemon should be able to send me an e-mail every couple of hours
> containing as little noise as possible.
>
> So far I have found in ports the following daemons:
>
> 1. security/logsurfer (package exists only for i386 and I use amd64)
>
> 2. sysutils/logfmon (From looking at /etc/logfmon.conf it looks like
> it is written to monitor log files on a single OpenBSD machine
> running syslogd. I don't see how I could monitor entire syslog-ng
> directories)
>
> 3. I noticed that syslog daemons do not work very well with SQL
> databases as storage backends. For example LibreNMS has the
> interface for displaying and searching (manually, which makes it useless) syslog files.
> But MariaDB has to be restarted quite frequently on top of it.
>
> 4. I am not sure what to think of ELK anymore. The more I learn the
> less I like it.
>
> 5. Finally I stumbled upon echofish
>
> https://echothrust.github.io/echofish/
>
> which seems to be repeating the old pattern. Using an SQL database as a
> backend and providing a UI for searching messages (I can do that using
> grep) but no e-mail notification when troubles are found.
>
> What am I missing here? How do people monitor their log files in
> real time? That would seem such an obvious topic for people who care
> about security.
>
> Predrag
>

Note: I don't centralize my logs, and don't do realtime monitoring. I don't have a NOC, and I'm not on call 24x7. So most of the time, there is no one to respond anyway. I run a couple dozen servers hosting a handful of internal tools.
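The digest Predrag asks for above (fold the "last message repeated N times" noise, keep only the SMART/hardware/firewall/IDS classes, and mail counts rather than raw lines every few hours) can be prototyped without a web UI or a database. The following is an added example, not code from this thread or from logsurfer, logfmon or ELK; the log lines, hostnames and match patterns are constructed for illustration and would need tuning to real sources.

```python
"""Periodic log digest: collapse syslog repeat markers and count the event
classes worth alerting on.  Added example; not code from the thread or from
logsurfer/logfmon/ELK.  Every log line below is constructed sample data."""
import re
from collections import Counter

# Constructed sample of lines from a central syslog directory.
SAMPLE_LOG = """\
May  7 10:00:01 fw1 pf: rule 5/(match) block in on em0: 203.0.113.9.4444 > 192.0.2.10.22: S
May  7 10:00:02 fw1 syslogd: last message repeated 10 times
May  7 10:01:00 db1 smartd[812]: Device: /dev/sd0, 1 Currently unreadable (pending) sectors
May  7 10:01:30 db1 kernel: mce: [Hardware Error]: Machine check events logged
May  7 10:02:00 ids1 suricata[4242]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root
May  7 10:02:01 ids1 syslogd: last message repeated 3 times
May  7 10:03:00 web1 sshd[1001]: Accepted publickey for deploy from 192.0.2.50 port 51022 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

# The four classes from the thread; first match wins.  Patterns are
# illustrative, not a complete rule set.
CLASSES = [
    ("smart", re.compile(r"smartd|unreadable \(pending\) sectors", re.I)),
    ("hardware", re.compile(r"Hardware Error|\bmce:|ipmi|sensorsd", re.I)),
    ("firewall", re.compile(r"\bpf: .*\bblock\b", re.I)),
    ("ids", re.compile(r"suricata|snort|\[\d+:\d+:\d+\]", re.I)),
]


def parse_syslog(text):
    """Return one dict per real event; 'last message repeated N times'
    lines are folded into the count of the previous event from that host."""
    events, last_by_host = [], {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                      # not syslog-shaped, skip
        rec = m.groupdict()
        rep = REPEAT_RE.search(rec["msg"])
        if rep and rec["host"] in last_by_host:
            last_by_host[rec["host"]]["count"] += int(rep.group(1))
            continue
        rec["count"] = 1
        events.append(rec)
        last_by_host[rec["host"]] = rec
    return events


def classify(event):
    """Name of the first matching class, or None for uninteresting lines."""
    text = f"{event['prog']}: {event['msg']}"
    for name, rx in CLASSES:
        if rx.search(text):
            return name
    return None


def digest(text):
    """{class: Counter({host: events})} over the interesting events only."""
    out = {}
    for ev in parse_syslog(text):
        cls = classify(ev)
        if cls is not None:
            out.setdefault(cls, Counter())[ev["host"]] += ev["count"]
    return out


def render(summary):
    """Plain-text body suitable for piping into mail(1)."""
    return "\n".join(f"{cls:9s} {host:6s} {n:6d}"
                     for cls in sorted(summary)
                     for host, n in sorted(summary[cls].items()))


if __name__ == "__main__":
    print(render(digest(SAMPLE_LOG)))
```

On the constructed sample the pf block line counts as 11 events (the line plus its repeat marker) and the Suricata alert as 4, while the successful ssh login is dropped from the digest entirely; fed a day's syslog-ng directory from cron, the rendered text is the whole e-mail.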
Announce NAT pools via OSPF
Hello,

I would like to announce the NAT pools used by my firewalls to my backbone using OSPF.

Let's say my real network is connected to vmx0. Its address is A/24 and it is NATed to N/24. My backbone is reached through vmx1.

So I configured a route on the firewall, destination N/24, gateway 127.0.0.1. Then I configured ospfd to "redistribute static, area 0.0.0.0 { interface vmx1 }". I can see N/24 with ospfctl sh fib, flagged valid. But the route doesn't show up in the backbone when I use ospfctl sh rib.

I tried to add interface lo0 in the firewall's ospfd.conf; this adds 127.0.0.1/32 to the backbone RIB, but I still can't see N/24.

I also tried to configure a lo1 with the address N/24 and to put it in ospfd.conf; only N/32 shows up on the backbone.

Finally I configured a vether0 with the address N/24 and put it in ospfd.conf, and that did the trick.

Is that a good way to do what I want, or does someone have a better solution to advise me?

Thank you

--
Regards,
Pierre Bardou
Network engineer
Tel. 05.34.61.71.84
bardo...@mipih.fr
12, rue Michel Labrousse CS 93668 - 31036 Toulouse cedex 1
Before printing this e-mail, think of the environment
Re: rdomain with BGP dynamic route
Hello,

I think this is what I tried a while ago, which is not possible. Cf. http://openbsd-archive.7691.n7.nabble.com/Multi-VRF-bgpd-no-MPLS-td248639.html

bgpd.conf(5) says:
Currently the routing table must belong to the default routing domain

--
Regards,
Pierre BARDOU

-----Original Message-----
From: XU, YANG (YANG) [mailto:y...@research.att.com]
Sent: Sunday, 26 July 2015 14:28
To: misc@openbsd.org
Subject: Re: rdomain with BGP dynamic route

Thanks for the info. I read the rdomain configuration section. My problem is how to put prefixes learned dynamically from a BGP neighbor into a specific rdomain (not the default rdomain 0). Sadly, I still don't know if that's possible.

Regards,
-Yang

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of Alexander Salmin [alexan...@salmin.biz]
Sent: 25 July 2015 17:36
To: misc@openbsd.org
Subject: Re: rdomain with BGP dynamic route

Hey,

man 5 bgpd.conf

See section Routing Domain Configuration and parameters export-target and import-target. I suspect that is what you want.

Alexander Salmin

On 2015-07-24 13:47, XU, YANG (YANG) wrote:
Let me describe it in another way. Can I create a new rdomain as a VRF and use the rdomain to import/export a customer's prefix through BGP? I will greatly appreciate it if you can provide any information. I have seen some information online, but the prefix is either from static configuration or a connected network. In my case, I need to support dynamic routes from BGP in the VRF.

Thanks,
-Yang

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of XU, YANG (YANG)
Sent: 23 July 2015 08:06
To: misc@openbsd.org
Subject: rdomain with BGP dynamic route

Hi all,

I am configuring OpenBSD bgpd so that it can relay the routes learned from customer BGP servers to a route reflector (RR). Customer BGP servers only speak IPv4 BGP, so my OpenBSD bgpd needs to add a different route-distinguisher and route-target to the dynamic routes learned from each customer BGP neighbor before forwarding them to the RR. As I understand it, I should be able to use rdomains to implement this. What I really need conceptually is to attach a BGP neighbor to an rdomain, so that dynamic routes learned from that BGP neighbor are added to the specified rdomain. But I failed to find a way to do this in OpenBSD. Does anyone know if this is possible and can give me a BGP configuration example?

Many thanks in advance,
-Yang
PF monitoring
Hello,

I'm looking for performance indicators to be warned if my PF firewall is about to be overwhelmed.

I heard about "congestion" in pfctl -si, net.inet.ip.ifq.drops and kern.netlivelocks. I searched the man pages pfctl(8) and sysctl(3), but I didn't find a clear explanation of what these numbers mean.

Could someone around here clarify that please?

Many thanks

--
Regards,
Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668 31036 TOULOUSE Cedex 1
www.mipih.fr
Before printing this e-mail, think of the environment
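No answer to this question appears on the page. As an added example (not from the thread), here is how those indicators are usually watched in practice: as deltas between two snapshots taken a known interval apart, rather than the cumulative totals or the "Rate" column, which pfctl(8) computes as an average over the whole time pf has been enabled and so hides a burst that started a minute ago. The two `pfctl -si` excerpts, the sysctl lines, the 100000 hard limit (which on a real box comes from `pfctl -sm`) and the one-line explanations in DROP_COUNTERS are constructed by me and reflect my reading of the counters, not anything the thread states.

```python
"""Watch the pf indicators from the question as deltas between two snapshots.
Added example, not from the thread; the snapshot texts, the hard limit and
the explanations in DROP_COUNTERS are constructed / my own reading."""
import re

# Constructed excerpts of `pfctl -si` output, 60 s apart.  Real output has
# more lines; the parser only needs the indented "name  total" rows.
PF_INFO_T0 = """\
Status: Enabled for 3 days 02:11:40              Debug: err

State Table                          Total             Rate
  current entries                    61200
  searches                       912331000        3520.1/s
  inserts                         41220150          15.8/s
  removals                        41138950          15.7/s
Counters
  match                           41391000          16.0/s
  bad-offset                             0            0.0/s
  memory                                 0            0.0/s
  congestion                           120            0.0/s
  state-mismatch                      3310            0.0/s
  state-limit                            0            0.0/s
"""
PF_INFO_T1 = """\
Status: Enabled for 3 days 02:12:40              Debug: err

State Table                          Total             Rate
  current entries                    99900
  searches                       912975000        3520.3/s
  inserts                         41250150          15.8/s
  removals                        41211450          15.7/s
Counters
  match                           41421000          16.0/s
  bad-offset                             0            0.0/s
  memory                                 0            0.0/s
  congestion                          3120            0.0/s
  state-mismatch                      3320            0.0/s
  state-limit                          400            0.0/s
"""
# Constructed `sysctl net.inet.ip.ifq.drops kern.netlivelocks` output.
SYSCTL_T0 = "net.inet.ip.ifq.drops=10\nkern.netlivelocks=2\n"
SYSCTL_T1 = "net.inet.ip.ifq.drops=5010\nkern.netlivelocks=9\n"

ROW_RE = re.compile(r"^\s+(?P<name>[a-z][a-z-]*(?: [a-z]+)?)\s+(?P<total>\d+)")

# Counters that stay flat on a healthy box; any growth means packets lost.
DROP_COUNTERS = {
    "congestion": "pf dropped packets because the IP input queue was congested",
    "memory": "pf could not allocate memory for a state or fragment",
    "state-limit": "state table hard limit hit; new connections refused",
    "net.inet.ip.ifq.drops": "IP input queue overflowed; packets lost before pf saw them",
    "kern.netlivelocks": "kernel detected a network livelock and throttled input",
}


def parse_pf_info(text):
    """Counter name -> cumulative total from `pfctl -si` output."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group("name")] = int(m.group("total"))
    return rows


def parse_sysctl(text):
    """'key=value' lines -> {key: int}."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = int(v)
    return out


def snapshot(pf_text, sysctl_text):
    return {**parse_pf_info(pf_text), **parse_sysctl(sysctl_text)}


def evaluate(t0, t1, interval_s, states_hard_limit):
    """(key, value, explanation) for every indicator that moved between the
    snapshots; value is a per-second rate, or a ratio for occupancy."""
    findings = []
    for key, why in DROP_COUNTERS.items():
        delta = t1.get(key, 0) - t0.get(key, 0)
        if delta > 0:
            findings.append((key, delta / interval_s, why))
    occupancy = t1.get("current entries", 0) / states_hard_limit
    if occupancy >= 0.8:
        findings.append(("state-occupancy", occupancy,
                         "state table above 80% of the hard limit from pfctl -sm"))
    return findings


if __name__ == "__main__":
    s0, s1 = snapshot(PF_INFO_T0, SYSCTL_T0), snapshot(PF_INFO_T1, SYSCTL_T1)
    for key, value, why in evaluate(s0, s1, 60, 100000):
        print(f"{key:24s} {value:10.3f}  {why}")
```

Run from cron with the previous snapshot kept on disk, this flags the constructed second snapshot on four counters plus state-table occupancy, while the "Rate" column in the same output still reads 0.0/s for congestion; that gap is why the absolute totals, not the printed rates, are what to graph or alert on.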
Re: openbgpd rdomain/rtable (vrf-lite)
Hello,

I tried to do a similar setup. I tried different configurations without success. Then I found this in the manpage:
Currently the routing table must belong to the default routing domain and nexthop verification happens on table 0.

So I think OpenBGPD is not (yet?) able to do this.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Pierre Emeriaud [mailto:petrus.lt+open...@gmail.com]
Sent: Saturday, 30 August 2014 17:50
To: misc@openbsd.org
Subject: openbgpd rdomain/rtable (vrf-lite)

Hello misc@,

I'd like to set up bgpd with multiple routing tables, a la vrf-lite (i.e. without MPLS and MP-BGP).

What works:
- peering within a rtable/rdomain
- receiving the routes

What doesn't work:
- nexthop is never validated
- routes are never installed in the fib

Configuration is pretty straightforward:

# cat bgpd.conf
AS 64751
router-id 172.22.151.130
listen on 172.22.151.130 # loopback
listen on 172.22.151.251 # interface towards peer
rtable 10

group ibgp peering AS64751 {
    remote-as 64751
    neighbor 172.22.151.245 {
        descr beta
        announce self
    }
}

bgpd is started as such:
route -n -T10 exec bgpd -d -v -f /etc/bgpd/bgpd.conf

Peering gets up, and routes are received:

# bgpctl -n show sum
Neighbor         AS     MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
172.22.151.245   64751  10851    6373     0     2d05h05m  338

Routes are received in rtable 0:

# bgpctl show rib in | head
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination     gateway         lpref med aspath origin
I     10.0.0.0/16     172.22.151.245  100   0   64734.14918 64734.12596 65112 65530 i
I     10.1.0.0/16     172.22.151.245  100   0   64734.14918 64734.12596 65112 65530 i
I     10.8.0.0/16     172.22.151.245  100   0   64734.12699 1.10582 65053 i
I     10.11.0.0/18    172.22.151.245  100   0   64828 64609 i
I     10.11.64.0/18   172.22.151.245  100   0   64828 1.10567 1.10594 i
I     10.15.0.0/16    172.22.151.245  100   0   64828 1.10604 65079 i

And indeed, 172.22.151.245 is not reachable in rtable 0.

If I use "rde rib foo no evaluate", routes are put in the 'foo' rib, but still not installed.

If I use "rde rib foo table 10", I get the following error: '/etc/bgpd/bgpd.conf:20: rtable 10 does not belong to rdomain 0'

I tried to use 'rdomain 10' in the config file, but that looks very MPLS-oriented (MP-BGP peering in the GRT, which works fine btw).

Have I missed something, or am I asking for something currently unsupported?

Thanks, and sorry for the long post,

--
petrus
Re: openbgpd rdomain/rtable (vrf-lite)
I ended up with static routing; it was an acceptable setup in my case, and I had never heard of bird. But if you succeed, please tell me.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: petrus...@gmail.com [mailto:petrus...@gmail.com] On behalf of Pierre Emeriaud
Sent: Monday, 1 September 2014 14:35
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: openbgpd rdomain/rtable (vrf-lite)

Hi Pierre,

> I tried to do a similar setup. I tried different configurations without success.

Yup, I saw your post on misc@ a few days ago when I was looking for some pointers.

> Then I found this in the manpage:
> Currently the routing table must belong to the default routing domain and nexthop verification happens on table 0.

I saw that too, but as this is not entirely accurate (multiple rdomains is possible, though with MP-BGP), I told myself I had to try.

What solution did you end up with? Have you tried to do the same with bird?

--
petrus
Re: Pflow granularity
Hello,

Many thanks for the idea, I didn't know about softflowd. But I wonder if it is production ready:
* It seems there are no new developments: https://code.google.com/p/softflowd/source/list
* The TODO list is quite long, and has not moved since 2007.
* The counters are not 64 bit, thus flows are limited to 2 Gb
* There is no multiple interface support, all flows are exported with IfIndex 0

I am testing it anyway; it gives me correct graphs with -t maxlife=60. It's really sad that pflow doesn't have such an option, it would be perfect.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Andy [mailto:a...@brandwatch.com]
Sent: Monday, 2 June 2014 18:01
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Pflow granularity

I think you might have to try softflowd instead of the built-in sflowd.. These guys had the same problem and moved to softflowd to allow them to analyse DDOS traffic with netflow.. https://ripe68.ripe.net/presentations/276-DDoS.pdf

Cheers, Andy.

On Mon 02 Jun 2014 14:38:33 BST, BARDOU Pierre wrote:
> Hello,
>
> I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in the implementation: only global statistics about the flow are given (start time, end time, source IP/port, destination IP/port, bits in both directions, ...).
>
> So as an example, if somebody establishes an sftp connection, downloads a file at 10 Mbps for 2 mins, then waits 2 min and ends the connection, all I will see in the netflow report is a 5 Mbps flow, and I will never know that my 10 Mbps link was saturated.
>
> I saw questions about this were already posted on misc@: http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html
> Some diffs were even posted: http://marc.info/?l=openbsd-miscm=124661838923498w=2
> But it seems they never made their way into the base system.
>
> Is there any way to break up long flows into fragments, like the Cisco command ip flow-cache timeout active does?
>
> --
> Regards,
> Pierre BARDOU
> Network engineer - P2I Infrastructure
> 05 67 69 71 84
> MiPih
> 12, rue Michel Labrousse - BP93668 31036 TOULOUSE Cedex 1
> www.mipih.fr
> Before printing this e-mail, think of the environment
Pflow granularity
Hello,

I set up NetFlow reporting on a PF firewall, but there seems to be a flaw in the implementation: only global statistics about the flow are given (start time, end time, source IP/port, destination IP/port, bits in both directions, ...).

So as an example, if somebody establishes an sftp connection, downloads a file at 10 Mbps for 2 mins, then waits 2 min and ends the connection, all I will see in the netflow report is a 5 Mbps flow, and I will never know that my 10 Mbps link was saturated.

I saw questions about this were already posted on misc@: http://openbsd.7691.n7.nabble.com/pflow-packets-before-state-expires-td233952.html
Some diffs were even posted: http://marc.info/?l=openbsd-miscm=124661838923498w=2
But it seems they never made their way into the base system.

Is there any way to break up long flows into fragments, like the Cisco command ip flow-cache timeout active does?

--
Regards,
Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668 31036 TOULOUSE Cedex 1
www.mipih.fr
Before printing this e-mail, think of the environment
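The sftp scenario in this post, and the softflowd -t maxlife=60 workaround in the reply above it, come down to one arithmetic fact about flow records: a record carries bytes and a duration, so the consumer can only compute the average over the record's lifetime. The block below is an added example (not code from pflow, softflowd or this thread) that builds that exact 10 Mbps / 2 min / 2 min idle timeline as constructed data, shows the single 5 Mbps record pflow would produce, and emulates an exporter with an active timeout that cuts the flow into fixed slices. It generalises slightly beyond the post by also running a timeout that does not divide the burst evenly, to show that slicing bounds the smearing rather than removing it.

```python
"""Why a single NetFlow/pflow record hides bursts, and what an active
timeout changes.  Added example; not code from pflow, softflowd or the
thread.  The traffic timeline is constructed."""

MBPS_10_BYTES_PER_S = 10_000_000 // 8     # 1 250 000 bytes per second


def build_sample():
    """Constructed: (second, bytes) for an sftp transfer at 10 Mbps for
    120 s, then 120 s idle before the connection is closed."""
    return [(t, MBPS_10_BYTES_PER_S if t < 120 else 0) for t in range(240)]


def whole_flow_mbps(samples):
    """What one record per state gives: total bytes / (end - start)."""
    total = sum(b for _, b in samples)
    return total * 8 / len(samples) / 1e6


def slice_flow(samples, active_timeout_s):
    """Emulate an exporter with an active timeout (Cisco 'ip flow-cache
    timeout active', softflowd -t maxlife): a long-lived flow is cut into
    records every active_timeout_s seconds.  Slices with no packets produce
    no record, since nothing would refresh the flow.  Returns
    [(start_s, end_s, bytes, mbps)]."""
    records = []
    for start in range(0, len(samples), active_timeout_s):
        chunk = samples[start:start + active_timeout_s]
        nbytes = sum(b for _, b in chunk)
        if nbytes == 0:
            continue
        mbps = nbytes * 8 / len(chunk) / 1e6
        records.append((chunk[0][0], chunk[-1][0] + 1, nbytes, mbps))
    return records


def peak_mbps(records):
    """Highest per-record rate, i.e. the best saturation indicator a
    collector can get from these records."""
    return max((r[3] for r in records), default=0.0)


if __name__ == "__main__":
    s = build_sample()
    print(f"single record: {whole_flow_mbps(s):.1f} Mbps")
    for start, end, nbytes, mbps in slice_flow(s, 60):
        print(f"  {start:4d}-{end:4d}s {nbytes:10d} bytes {mbps:5.1f} Mbps")
    print(f"peak with 60 s active timeout: {peak_mbps(slice_flow(s, 60)):.1f} Mbps")
```

With a 60 s timeout the two active slices each report 10 Mbps and the idle half of the connection yields no record at all, which is the 5 Mbps-versus-10 Mbps difference the post describes. With a 50 s timeout the third slice covers 20 s of transfer and 30 s of silence and reports 4 Mbps: the timeout caps how long a burst can be averaged away (here at 50 s) but any slice that straddles the end of the burst is still smoothed.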
Re: Multi-VRF bgpd (no MPLS)
Hello,

I think I can reply to myself: bgpd.conf(5) says "currently the routing table must belong to the default routing domain". So for now what I'm trying to do is just not possible with OpenBSD + bgpd.

Does anybody know if it is planned to implement this functionality? Maybe I could help with testing, as my C skills are far below what is needed to do that?

--
Regards,
Pierre BARDOU

-----Original Message-----
From: BARDOU Pierre
Sent: Monday, 19 May 2014 11:30
To: misc@openbsd.org
Subject: Multi-VRF bgpd (no MPLS)

Hello,

I'm trying to prevent my boss from buying an ASA 5585-X, to use an OpenBSD box instead. NAT on ASA is such a pain...

The use would be a WAN firewall, routing for sites with potentially identical IP ranges. Overlapping IP ranges are translated by the firewall so that from the point of view of the main site every IP is different. Actually, this is done using ASA contexts and static routing. I'd like to do the same with OpenBSD plus BGP routing.

So I started to set up a PF box with VRFs (one BSD VRF - one ASA context); this works like a charm. Problems start when I try to do BGP routing: basically what I need is one BGP daemon running in each VRF.

I tried to launch BGP with "route -T <VRF number> exec bgpd -f /etc/bgpd.conf.<VRF number>"; it learns routes from the WAN, but doesn't inject them into the rdomain <VRF number>. I dealt with the problem of nexthop qualifying on rdomain 0 using "nexthop qualify via default".

I have messages like these in my logs:

neighbor 10.200.18.209 (ADH200_EXT): state change OpenConfirm -> Established, reason: KEEPALIVE message received
nexthop 10.200.18.209 now valid: via 10.194.126.254
send_rtmsg: action 1, prefix 10.199.13.112/28: Network is unreachable
send_rtmsg: action 1, prefix 10.199.12.112/28: Network is unreachable

My bgpd.conf:

# grep -v ^# bgpd.adh200
peer_adh200_int=10.200.6.57
peer_adh200_ext=10.200.18.209
pool_adh200=10.199.12.112/28

AS 65040
router-id 10.194.126.241
listen on 10.200.18.214
listen on 10.200.6.62
rtable 200
nexthop qualify via default

neighbor $peer_adh200_int {
    descr ADH200_INT
    remote-as 65040
}
neighbor $peer_adh200_ext {
    descr ADH200_EXT
    remote-as 65041
}

Some bgpctl show:

# bgpctl sh nex
Flags: * = nexthop valid
Nexthop          Route       Prio Gateway          Iface
* 10.200.18.209  0.0.0.0/0   8    10.194.126.254   vlan3080 (UP, active)

# bgpctl sh rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination        gateway         lpref med aspath origin
*>    10.199.12.112/28   10.200.18.209   100   0   65041 i
*>    10.199.13.112/28   10.200.18.209   100   0   65041 i

# route -T 200 show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.200.18.209      UGS        0        0     -     8 carp450
10/8               sw-t-wan-adh200    UGS        0        0     -     8 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
sw-t-wan-adh200    00:08:e3:ff:fc:08  UHLc       3       38     -     4 carp2200
10.200.6.62        00:00:5e:00:01:01  UHLc       0        1     -     4 lo0
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         1        0     -     4 carp450
10.200.18.209      00:1e:c9:49:17:d8  UHLc       2      234     -     4 carp450
172.16/12          sw-t-wan-adh200    UGS        0        0     -     8 carp2200
192.168/16         sw-t-wan-adh200    UGS        0        0     -     8 carp2200

Any idea why those routes are not injected?

Thanks

--
Regards,
Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668 31036 TOULOUSE Cedex 1
www.mipih.fr
Before printing this e-mail, think of the environment
Multi-VRF bgpd (no MPLS)
Hello,

I'm trying to prevent my boss from buying an ASA 5585-X, to use an OpenBSD box instead. NAT on ASA is such a pain...

The use would be a WAN firewall, routing for sites with potentially identical IP ranges. Overlapping IP ranges are translated by the firewall so that from the point of view of the main site every IP is different. Actually, this is done using ASA contexts and static routing. I'd like to do the same with OpenBSD plus BGP routing.

So I started to set up a PF box with VRFs (one BSD VRF - one ASA context); this works like a charm. Problems start when I try to do BGP routing: basically what I need is one BGP daemon running in each VRF.

I tried to launch BGP with "route -T <VRF number> exec bgpd -f /etc/bgpd.conf.<VRF number>"; it learns routes from the WAN, but doesn't inject them into the rdomain <VRF number>. I dealt with the problem of nexthop qualifying on rdomain 0 using "nexthop qualify via default".

I have messages like these in my logs:

neighbor 10.200.18.209 (ADH200_EXT): state change OpenConfirm -> Established, reason: KEEPALIVE message received
nexthop 10.200.18.209 now valid: via 10.194.126.254
send_rtmsg: action 1, prefix 10.199.13.112/28: Network is unreachable
send_rtmsg: action 1, prefix 10.199.12.112/28: Network is unreachable

My bgpd.conf:

# grep -v ^# bgpd.adh200
peer_adh200_int=10.200.6.57
peer_adh200_ext=10.200.18.209
pool_adh200=10.199.12.112/28

AS 65040
router-id 10.194.126.241
listen on 10.200.18.214
listen on 10.200.6.62
rtable 200
nexthop qualify via default

neighbor $peer_adh200_int {
    descr ADH200_INT
    remote-as 65040
}
neighbor $peer_adh200_ext {
    descr ADH200_EXT
    remote-as 65041
}

Some bgpctl show:

# bgpctl sh nex
Flags: * = nexthop valid
Nexthop          Route       Prio Gateway          Iface
* 10.200.18.209  0.0.0.0/0   8    10.194.126.254   vlan3080 (UP, active)

# bgpctl sh rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale
origin: i = IGP, e = EGP, ? = Incomplete

flags destination        gateway         lpref med aspath origin
*>    10.199.12.112/28   10.200.18.209   100   0   65041 i
*>    10.199.13.112/28   10.200.18.209   100   0   65041 i

# route -T 200 show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.200.18.209      UGS        0        0     -     8 carp450
10/8               sw-t-wan-adh200    UGS        0        0     -     8 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
10.200.6.56/29     link#10            UC         1        0     -     4 carp2200
sw-t-wan-adh200    00:08:e3:ff:fc:08  UHLc       3       38     -     4 carp2200
10.200.6.62        00:00:5e:00:01:01  UHLc       0        1     -     4 lo0
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.14.56/29    link#11            UC         0        0     -     4 carp2450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         0        0     -     4 carp450
10.200.18.208/29   link#12            UC         1        0     -     4 carp450
10.200.18.209      00:1e:c9:49:17:d8  UHLc       2      234     -     4 carp450
172.16/12          sw-t-wan-adh200    UGS        0        0     -     8 carp2200
192.168/16         sw-t-wan-adh200    UGS        0        0     -     8 carp2200

Any idea why those routes are not injected?

Thanks

--
Regards,
Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668 31036 TOULOUSE Cedex 1
www.mipih.fr
Before printing this e-mail, think of the environment
Re: OpenBSD ipsec performance on modern HW
Hi,

The testbed has been reused since I ran the tests, but the config was something standard like:

ike esp from a.b.c.d/24 to e.f.g.h/24 peer i.j.k.l \
    main auth hmac-sha1 enc aes-256 \
    quick auth hmac-sha1 enc aes-256 \
    psk secret

If I remember well, for AES-GCM there is no AUTH parameter, and it is phase 2 only. So it was something like:

ike esp from a.b.c.d/24 to e.f.g.h/24 peer i.j.k.l \
    main auth hmac-sha1 enc aes-256 \
    quick enc aes-256-gcm \
    psk secret

If I've made syntax errors, ipsecctl will tell you quickly btw.

--
Regards,
Pierre BARDOU

From: Evgeniy Sudyr [mailto:eject.in...@gmail.com]
Sent: Sunday, 21 July 2013 13:17
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBSD ipsec performance on modern HW

All, during my tests I saw that CPU on all cores and memory usage was very low. Just interested if there are any bottlenecks and how to fix them.

1) Does anybody care about tcp stack tuning for high speed IPSEC?
2) Can I run IPSEC (that's isakmpd?) on other cores?

Pierre, can you share your ipsec config so I can check the same on my side.
Re: OpenBSD ipsec performance on modern HW
Hello,

I did some testing with an AES-NI enabled CPU. You can find them in the list archives, here: http://old.nabble.com/Re%3A-ipsec-tunnel-speeds-p34080479.html

Increasing the number of CPUs is useless (if I have understood well how it works): IPsec only runs on the first core.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Chris Cappuccio [mailto:ch...@nmedia.net]
Sent: Tuesday, 16 July 2013 00:51
To: Evgeniy Sudyr
Cc: misc@openbsd.org; mi...@openbsd.org
Subject: Re: OpenBSD ipsec performance on modern HW

Evgeniy Sudyr [eject.in...@gmail.com] wrote:
> BOX1 dmesg:
> cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.45 MHz
> cpu1: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu2: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu3: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu4: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu5: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu6: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu7: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu8: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu9: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
> cpu10: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
> cpu11: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
> cpu12: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu13: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.09 MHz
> cpu14: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
> cpu15: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2400.08 MHz
>
> BOX2 dmesg:
> cpu0: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.98 MHz
> cpu1: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu2: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu3: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu4: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu5: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu6: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz
> cpu7: Intel(R) Xeon(R) CPU E31240 @ 3.30GHz, 3292.53 MHz

I think to get better performance, you need to add more CPUs and more RAM. 16 CPUs and 32GB of RAM is hardly enough to get more than 270Mbps encryption throughput.

Ok, maybe I'm exaggerating. You won't see a difference between a dual core CPU of similar spec with 1GB of RAM and what you have now. Really, OpenBSD needs to use more than one of your 16 cores at a time for encryption if you want higher speed. Some people talked about giving the encryption system its own core to work on so it doesn't compete with the rest of the kernel. That would help you get somewhat higher throughput. But the real solution for getting significant speed boosts on kernel-based IPsec with your type of hardware is much farther off. You can only hope for small improvements until that magical work is completed by the master magicians.
Re: PF sync doesn't not work very well
Hello, I don't know if this may help you, but I have a working BGP setup with two routers active/active. I don't use pfsync, but keep state (sloppy). This is less secure according to pf.conf(5), but that's not really a concern for me as those routers are not my border firewalls... But maybe I am mistaking doing this ? -- Cordialement, Pierre BARDOU -Message d'origine- De : David Gwynne [mailto:da...@gwynne.id.au] Envoyé : jeudi 4 juillet 2013 09:47 À : loic.b...@unix-experience.fr Cc : misc@openbsd.org Objet : Re: PF sync doesn't not work very well On 03/07/2013, at 6:23 PM, Loïc Blot loic.b...@unix-experience.fr wrote: Okay, defer is now enabled on pfsync interface (sorry for my last idea, i haven't the man on me :) ). It seems the problem isn't resolved. The transfer starts but blocked at random time. i have hit this too, despite being the person most responsible for trying to make pfsync work in active-active (hi bob!) configurations. the problem is the tcp window tracking pf does, and how pfsync tries to cope with different routers being responsible for different halves of the packet flow. pfsync tries to merge each side of the tcp windows and tries to detect split paths to exchange updates more rapidly for those states. however, i find at some point the actual tcp windows move too fast for pfsync to keep up and all the real packets fall out of the window, causing the stalls you're talking about. my solution is to try and prefer one half of the firewalls for all traffic, and use the second for handling failure. the split path handling works well enough that we can support traffic while we change roles (moving master to slave and slave to master) and the upstream hasnt figured it out yet via ospf. sorry for the bad news. i might try and have a look at the state merge code again and see if there's something obvious i am missing. 
cheers,
dlg

> --
> Best regards,
> Loïc BLOT,
> Engineering UNIX Systems, Security and Networks
> http://www.unix-experience.fr
>
> On Wednesday 03 July 2013 at 08:12 +0200, Loïc BLOT wrote:
>
> > Hi,
> > Thanks for your reply. I wasn't careful about this section. If i understand i must add defer option to my WAN iface (or i'm wrong i must add it to my vlan995 iface ?) ? I will test it this morning, and i return back to misc :)
> >
> > --
> > Best regards,
> > Loïc BLOT,
> > UNIX systems, security and network expert
> > http://www.unix-experience.fr
> >
> > On Wednesday 03 July 2013 02:02 +0200, mxb wrote:
> >
> > > pfsync(4) explains this:
> > >
> > >   The pfsync interface will attempt to collapse multiple state updates into a single packet where possible. The maximum number of times a single state can be updated before a pfsync packet will be sent out is controlled by the maxupd parameter
> > >
> > > and
> > >
> > >   Where more than one firewall might actively handle packets, e.g. with certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial to defer transmission of the initial packet of a connection. The pfsync state insert message is sent immediately; the packet is queued until either this message is acknowledged by another system, or a timeout has expired. This behaviour is enabled with the defer parameter to ifconfig(8).
> > >
> > > Eg. defer: on, yours is off.
> > >
> > > //mxb
> > >
> > > On 2 jul 2013, at 21:54, Loïc BLOT loic.b...@unix-experience.fr wrote:
> > >
> > > > Hi all
> > > >
> > > > I have a strange issue (or i haven't read pfsync correctly but i don't think this is the problem :D)
> > > >
> > > > I'm using 2 OpenBSD as BGP+OSPF routers at the border of one site. Those BGP routers are secure with strong PF in stateful mode, and the stateful is working very well on each router. Because of my full mesh BGP configuration, the outgoing layer 7 sessions can leave my network by one router and responses can income by the other. To resolve this issue, i have created a dedicated VLAN for the pfsync traffic and attached pfsync to this VLAN.
> > > > Here is a sample output of ifconfig on my first router:
> > > >
> > > > vlan995: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > >         lladdr a0:36:9f:10:4a:a6
> > > >         priority: 0
> > > >         vlan: 995 parent interface: trunk1
> > > >         groups: vlan
> > > >         status: active
> > > >         inet6 fe80::a236:9fff:fe10:4aa6%vlan995 prefixlen 64 scopeid 0x10
> > > >         inet 10.117.1.129 netmask 0xfff8 broadcast 10.117.1.135
> > > > pfsync0: flags=41<UP,RUNNING> mtu 1500
> > > >         priority: 0
> > > >         pfsync: syncdev: vlan995 maxupd: 255 defer: off
> > > >         groups: carp pfsync
> > > >
> > > > And here on my second router:
> > > >
> > > > vlan995: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > > >         lladdr a0:36:9f:17:e2:1e
> > > >         priority: 0
> > > >         vlan: 995 parent interface: trunk1
> > > >         groups: vlan
> > > >         status: active
> > > >         inet6 fe80::a236:9fff:fe17:e21e%vlan995 prefixlen 64 scopeid 0x10
> > > >         inet 10.117.1.130 netmask 0xfff8 broadcast 10.117.1.135
> > > > pfsync0: flags=41<UP,RUNNING> mtu 1500
> > > >         priority: 0
> > > >         pfsync: syncdev: vlan995 maxupd: 255 defer:
Re: Running OpenBSD on Raspberry Pi
Hello,

Many thanks for all those advices. All of them make sense, but:

* A used computer (I have plenty of them) costs 50-100€ a year in power (and is big and heats a lot, but that's not my main concern).
* Alix or Soekris are nice hardware, but expensive for me. I intend to build a home router to play a bit with networking, not an enterprise grade solution.
* Raspberry costs 50€ with power adapter, 16 GB SD card and case. I added 15€ for a wifi USB dongle and 20€ for a 802.1q switch. The power adapter is a 5V 1A, so it uses 5W power or less.

TCO on five years:
Alix: 200€ hardware (with power supply, CF, WiFi and case), 25€ power = 225€
Used computer from my closet: 0€ hardware, at least 250€ power = 250€
Raspberry: 85€ hardware, 25€ power = 110€

Half price. So I bought a Raspberry. It does routing, firewalling, samba PDC with LDAP, DNS and DHCP. The only drawback: I have to use iptables (no need to recompile, works OOTB), and I found its syntax way less pleasant to use than its PF counterpart.

Unfortunately, my coding skills are way too limited to try to port OpenBSD... So if nobody around thinks it worth the trouble to do it (with some good reasons I read in this thread), no problem. I'll stick with OpenBSD at work, and play with Linux at home.

--
Regards,
Pierre BARDOU

From: Andres Genovez [mailto:andresgeno...@gmail.com]
Sent: Wednesday 9 January 2013 21:21
To: Gene
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: Running OpenBSD on Raspberry Pi

2013/1/9 Gene gh5...@gmail.com

> On Wed, Jan 9, 2013 at 10:54 AM, Andres Genovez andresgeno...@gmail.com wrote:
>
> > 2012/12/31 BARDOU Pierre bardo...@mipih.fr
> >
> > > Hello,
> > >
> > > I would be very interested by an OpenBSD port too. Usage: home router with firewall, DNS and DHCP. I am looking into FreeBSD and NetBSD ports, but I would prefer to have the latest PF and OpenSSH versions... plus I am more used to OpenBSD and I like using it :-)
> > >
> > > If somebody knows X86 hardware able to do the same (routing/firewalling 20 mbps traffic, VLAN, fits in a tiny box, power consumption below 5W, price around 50$) as the raspberry I am interested BTW.
> >
> > I am interested too, can somebody give an advice on what hardware to use? maybe 5 lan or at least two lan? an below 100?
>
> For under $100 USD your best bet is to look for a used computer on craigslist or a yard sale and install another NIC in it. But, this will not get you at 5 watts or less.
>
> For under $200 look at either PC Engines ALIX boards or Soekris. eBay has plenty of them. You can manage 5W or less this route.
>
> For the Raspberry Pi you will not get OpenBSD. You will have to use Linux and configure it manually, including recompiling the kernel with iptables support. You *might* be able to get under $100, but it won't be under 5 watts and it will be a jalopy. USB ethernet adapters start around $25 new.

Thanks, i will look forward those, because a Mikrotik is under 100, and features over 1000.

> -Gene

--
Sincerely
Andrés Genovez Tobar / DTIT
Elastix ECE - Linux LPI-1 - Novell CLA - Apple ACMT - Mikrotik MTCNA/MTCTCE/MTCRE/MTCWE
http://www.cspmsa.com
Re: Running OpenBSD on Raspberry Pi
Hello,

I would be very interested by an OpenBSD port too. Usage: home router with firewall, DNS and DHCP. I am looking into FreeBSD and NetBSD ports, but I would prefer to have the latest PF and OpenSSH versions... plus I am more used to OpenBSD and I like using it :-)

If somebody knows X86 hardware able to do the same (routing/firewalling 20 mbps traffic, VLAN, fits in a tiny box, power consumption below 5W, price around 50$) as the raspberry I am interested BTW.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Doug Brewer [mailto:brewer.d...@gmail.com]
Sent: Monday 31 December 2012 09:39
To: KarlOskar Rikås; misc@openbsd.org
Subject: Re: Running OpenBSD on Raspberry Pi

On Mon, Dec 31, 2012 at 12:13 AM, Tobias Ulmer wrote:

> On Sun, Dec 30, 2012 at 05:01:23PM +0100, KarlOskar Rikås wrote:
>
> > Hi, I wonder if it's possible to run OpenBSD on Raspberry Pi. Is there any image ready for putting on my SD card and boot up? If not, is there any manual or guide how to make one?
>
> No it's not possible and there are no plans to change that. Search the archives if you're interested in the reasons. In short, there is plenty of better performing and better documented hardware available for nearly the same price. This makes the rpi unattractive for developers.

If so, try install FreeBSD. Last time I checked, it worked pretty well for me.

BR, Doug.
Re: ipsec tunnel speeds
Hello,

I am just doing some IPsec performance tests on shiny new DL380 G8 (CPU is Intel(R) Xeon(R) CPU E5-2643 @ 3.30GHz).

Here is the setup:

Two Optiplex - HP DL380 G8 - HP DL380 G8 - Two Optiplex

Intel Gb NIC in every computer
All running 5.2-beta amd64 compiled yesterday
2x1gb trunk between the DL380 G8

Max throughput is measured with tcpbench -n 10, max PPS is with tcpbench -u -B 64

I got those results:

Unencrypted: Max throughput: 1800 Mbps, Max PPS: 250 kpps
AES 256: Max throughput: 410 Mbps, Max PPS: 70 kpps
AES 256 GCM: Max throughput: 570 Mbps, Max PPS: 95 kpps
AES 128: Max throughput: 430 Mbps, Max PPS: 75 kpps
AES 128 GCM: Max throughput: 575 Mbps, Max PPS: 85 kpps

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Mike Belopuhov [mailto:m...@crypt.org.ru]
Sent: Tuesday 26 June 2012 14:39
To: Mark Romer
Cc: Ted Unangst; misc@openbsd.org; Ryan McBride
Subject: Re: ipsec tunnel speeds

On Mon, Jun 25, 2012 at 2:53 PM, Mark Romer romesterm...@gmail.com wrote:

> Great question Ted
> Does anyone know the answer?

sure.

> Thanks
> Mark
>
> On Jun 22, 2012 12:58 PM, Ted Unangst t...@tedunangst.com wrote:
>
> > On Fri, Jun 22, 2012 at 12:52, Ryan McBride wrote:
> >
> > > 550Mb/s with aes-128-gcm (requires AES-NI and amd64) on
> > > hw.model=Intel(R) Xeon(R) CPU E5649 @ 2.53GHz
> > > hw.vendor=HP
> > > hw.product=ProLiant DL360 G7
> >
> > what's the reason aes-128-gcm requires amd64?

because the assembly is written for amd64.

> > we can't add that code to i386?

that specific one? of course not. but the aes-ni and clmul instructions are part of sse and can be executed by both 32-bit and 64-bit programs. apart from that, it might be possible that binutils have to be adjusted (i don't remember if they share the same code) and i386 has to grow fpu_kernel_{enter,exit}.
Re: bnx[01] - trunk0 - vlan119 - carp119 problem
Hello,

I have dozens of CARP interfaces over VLAN interfaces over LACP trunk interfaces over physical EM/BGE/BNX. Carp is in multicast mode, multicast routing is disabled. Works like a charm with various OpenBSD versions since 4.4 to 5.0. I can give you my hostname.if if that helps...

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Matt Hamilton [mailto:ma...@netsight.co.uk]
Sent: Monday 23 April 2012 17:49
To: misc@openbsd.org
Subject: Re: bnx[01] - trunk0 - vlan119 - carp119 problem

Kapetanakis Giannis bilias at edu.physics.uoc.gr writes:

> On 23/04/12 17:13, Matt Hamilton wrote:
>
> > So it appears there is somewhere a problem with multicast packets being filtered out somewhere. This is all running with pfctl -d
> >
> > -Matt
>
> Hi,
>
> Not sure if multicast routing is related with this since it's a single host, but check netstart(8) and search for multicast. Also /etc/rc.conf and sysctl -a|grep mforwarding

I've just had a play with those, but no joy. As you say, as I'm not a multicast router then it shouldn't be anything to do with them. I run 5.0 on other boxes and carp works fine on top of a physical interface. This is the first time I've run carp on top of a vlan interface. It would appear that it is the vlan part that is somehow messing with multicast packets.

-Matt
Re: Daily digest, Issue 2282 (37 messages)
Hello,

The firewall redirects inbound SMTP to the spamd box (let's say its address is 192.168.0.10). Then the spamd box redirects non-spam traffic to the qmail box while doing NAT to 192.168.0.10 (to avoid asymmetrical routing). Should work like a charm. Outgoing mail will go through the default gateway (ie. the firewall), and so save resources on the spamd box.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
Sent: Tuesday 25 October 2011 12:20
To: misc@openbsd.org
Subject: [misc] Daily digest, Issue 2282 (37 messages)
Hardware for 1Gbps IPsec
Hello,

I'm looking for hardware capable of doing 1Gbps IPsec, under OpenBSD of course.

Do you think it is possible with a brand new high end server and their new instructions (AES-NI and/or AVX)? Or would a crypto card be necessary? If yes, do you have a brand/model to recommend?

In the crypto section most of the devices I see are old chipsets, which are far from 1 Gbps throughput. The only thing I see is the Via Padlock, but I think the CPU is not capable of Gigabit routing. There is also the BCM5862, but I can't find a card embedding it.

Thank you

--
Regards,
Pierre BARDOU
Re: Quad-Gigabit 1U mini-itx board recommendations?
Hello,

I think the Soekris net6501 has two great advantages:

* power consumption: their Atom E6XX is between 3.3W and 7W TDP, which is much lower than the 35W of the Pentium G620T. The complete board is said to use under 10W.
* the user programmable FPGA, which might be used (I guess) as a crypto acceleration device... if someone knows how to program it, and get it supported by OpenBSD.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Joe S [mailto:js.li...@gmail.com]
Sent: Saturday 1 October 2011 17:19
To: Joakim Aronius
Cc: Johan Linner; Paul Suh; misc@openbsd.org Misc
Subject: Re: Quad-Gigabit 1U mini-itx board recommendations?

On Tue, Aug 30, 2011 at 12:00 AM, Joakim Aronius joa...@aronius.se wrote:

> I have used Soekris for a few years and are very happy with them. They have a new board that will start shipping soon: http://soekris.com/net6501.htm

Curious if anyone has tried these boards out. I'm looking for something similar (low power, small size, em nics). These boards seem really expensive for having an Atom processor. I guess the 4 NICs drives up the cost. Since I don't actually need 4 NICs, I'm looking at the new Intel S1200KP (mini-itx 1155 board with dual intel nics). I can put a g620t and get the same power consumption rates as an atom d525, for the same prices as the Soekris. Plus I can always upgrade my processor down the line.
Re: Load balancing incoming trafic with BGP
Hello,

Wow, I didn't think of that solution, but that's very simple and elegant, just the way I like :) I tested it, it works very well.

Thank you very much for your advices.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Tuesday 29 June 2010 14:47
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-29, BARDOU Pierre bardo...@mipih.fr wrote:

> Hello,
>
> I tried to follow your advices, and I set:
>
> network 1.1.1.0/24
> network 1.1.1.0/25 set prepend-self 5

hmm, I meant that you should announce the larger network (/24) from both sites, and the more-specific (/25) from each site.

e.g. from the main site:

network 1.1.1.0/24
network 1.1.1.0/25

and from the backup site:

network 1.1.1.0/24
network 1.1.1.128/25

No need to mess about with prepends for this.

> The /25 appears on the RIB of router A, but not in ISP A router RIB. Why? My only filter rule is allow from any

Are you absolutely certain you have allow from any everywhere that you need it?

> A few details:
> * 1.1.1.0/24 is for testing purposes and used only in my (isolated) lab. I have a true /24, registered with RIPE.

It is still bad practice. What if someone were to use your registered /24 in their test network, and then accidentally announce it to the internet? Sometimes things which shouldn't happen do; the point of this is to avoid breaking other people's networks when things go wrong.

> * I have an MPLS VPN between my two sites, which uses different wires from Internet
> * I didn't know the issue about propagating a /25 to the internet. Thanks for the information, I'll have to think about that before setting this in production...

Yes, something like the allow from any inet prefixlen 8 - 24 in the sample bgpd.conf (i.e. don't allow longer prefixes) is pretty common practice in many networks.

> Many thanks for the help
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original Message-----
> From: Stuart Henderson [mailto:s...@spacehopper.org]
> Sent: Saturday 26 June 2010 12:18
> To: misc@openbsd.org
> Subject: Re: Load balancing incoming trafic with BGP
>
> > On 2010-06-25, BARDOU Pierre bardo...@mipih.fr wrote:
> >
> > > I have issues trying to setup this:
> > >
> > >   ISP A                ISP B
> > >     |                    |
> > >   Router A             Router B
> > >   Main site --- Backup site
> > >   1.1.1.0/25           1.1.1.128/25
> >
> > I think you will have to rethink a bit. Even if your immediate upstreams accept it (which is unlikely without a special arrangement), there is no way that most of the internet will accept a /25 announcement. You would want to use at least a /23 for the whole net, so your site-specific announcements can be /24.
> >
> > You will also have to ensure connectivity between the two sites under normal conditions (if you don't have a direct link, then you could consider a tunnel between addresses from outside this network; either plain gif/gre and accept the restricted MTU, or you could use a gre+vether+bridge+pf setup which would let you run at the lowest MTU of the physical links between them).
> >
> > > I'd like that connections to the main site flow through ISP A, to the backup site flow through ISP B, with backup through the other ISP if one fails.
> > >
> > > So I set up openBGPd like this:
> > >
> > > Router A:
> > > AS 65001
> > > network 1.1.1.0/25
> > > network 1.1.1.128/25 set prepend-self 5
> >
> > From one site you would want to announce x.x.x.0/25 and x.x.x.0/24
> > From the other you want x.x.x.128/25 and x.x.x.0/24
> > (or similar with /24 and /23 if you actually want it to work from the rest of the internet).
> >
> > Also: note that 1.0.0.0/8 is an allocated network. Please do not use addresses from this block even as a test network unless they are properly allocated to you (which being in europe, they are not).
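Added illustration of the scheme Stuart describes above (this is not code from the thread, from OpenBGPD or from any poster): a small Python model of longest-prefix matching that shows why announcing the covering prefix from both sites plus one more-specific per site steers traffic to a site while it is up, falls back to the other site when it is down, and why a /25 never gets past an upstream applying the sample bgpd.conf rule allow from any inet prefixlen 8 - 24. The announcement tables, the site names and the helpers announced, prefixlen_filter and sites_for are all constructed for this example; the prefixes reuse the thread's lab values, and the second table tries the /23 + /24 variant Stuart suggests for the public internet.

```python
from ipaddress import ip_address, ip_network

# Constructed per-site announcements following the covering-prefix scheme
# from the thread: both sites announce the /24, each adds its own /25.
# The prefixes are the thread's lab values, not real allocations.
SITE_ANNOUNCEMENTS = {
    "main":   ["1.1.1.0/24", "1.1.1.0/25"],
    "backup": ["1.1.1.0/24", "1.1.1.128/25"],
}

# Same scheme one bit shorter: the /23 + /24 variant suggested for the
# public internet (hypothetical values, one size up from the lab /24).
SITE_ANNOUNCEMENTS_23 = {
    "main":   ["1.1.0.0/23", "1.1.0.0/24"],
    "backup": ["1.1.0.0/23", "1.1.1.0/24"],
}


def announced(sites, up=None):
    """Flatten {site: [prefix, ...]} into (prefix, site) pairs.

    `up` is the set of sites whose upstream still works; a site not in
    it has failed and its announcements are withdrawn."""
    return [(prefix, site)
            for site, prefixes in sites.items()
            if up is None or site in up
            for prefix in prefixes]


def prefixlen_filter(routes, min_len=8, max_len=24):
    """Model of the sample bgpd.conf rule 'allow from any inet prefixlen 8 - 24':
    anything longer than /24 is dropped at the ISP or transit edge."""
    return [(prefix, site) for prefix, site in routes
            if min_len <= ip_network(prefix).prefixlen <= max_len]


def sites_for(routes, dst):
    """Longest-prefix match for dst over the surviving routes.

    Returns the sorted tuple of sites announcing the most specific covering
    prefix: one site means traffic is steered deterministically; two sites
    means only the shared /24 matched, the tie goes to ordinary BGP path
    selection and no per-site steering happens. Empty: dst is unreachable."""
    addr = ip_address(dst)
    covering = [(ip_network(prefix), site) for prefix, site in routes
                if addr in ip_network(prefix)]
    if not covering:
        return ()
    longest = max(net.prefixlen for net, _ in covering)
    return tuple(sorted(site for net, site in covering
                        if net.prefixlen == longest))


if __name__ == "__main__":
    host_backup = "1.1.1.130"   # lives in the backup site's half
    host_main = "1.1.1.10"      # lives in the main site's half

    direct = announced(SITE_ANNOUNCEMENTS)
    print("upstream accepts /25:", sites_for(direct, host_backup),
          sites_for(direct, host_main))
    internet = prefixlen_filter(direct)
    print("after prefixlen 8-24 filter:", sites_for(internet, host_backup))
    print("backup site down:",
          sites_for(announced(SITE_ANNOUNCEMENTS, up={"main"}), host_backup))
    wide = prefixlen_filter(announced(SITE_ANNOUNCEMENTS_23))
    print("/23 + /24 scheme on the internet:", sites_for(wide, host_backup))
```

With the /24 + /25 table, a direct upstream that accepts the /25 steers 1.1.1.130 to the backup site and 1.1.1.10 to the main site; withdraw the backup site and 1.1.1.130 is still reachable through the main site's /24, which is the failover the thread is after. Once the prefixlen 8 - 24 filter is applied only the two identical /24s survive, so the result is a tie and no steering happens, which is exactly why the same layout has to be built from a /23 cover and /24 site prefixes to work from the wider internet.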
Re: Load balancing incoming trafic with BGP
Sorry, it's a typo. The real RIB:

On router A bgpctl sh rib:

Flags destination          gateway  lpref   med aspath origin
AI*   217.109.108.0/24     0.0.0.0    100     0 i
AI*   217.109.108.128/25   0.0.0.0    100     0 i

On ISP router A bgpctl sh rib:

Flags destination          gateway  lpref   med aspath origin
AI*   217.109.108.0/24     0.0.0.0    100     0 65001 i
AI*   217.109.108.128/25   0.0.0.0    100     0 65001 65001 65001 65001 65001 i

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Tuesday 29 June 2010 17:13
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-29, BARDOU Pierre bardo...@mipih.fr wrote:

> Hello,
>
> I did this on router A:
>
> network 217.109.108.0/24
> network 217.109.108.128/25
> neighbor ...
> allow from any
> match to any prefix 217.109.108.128/25 set prepend-self 5
>
> On router A bgpctl sh rib:
>
> Flags destination          gateway  lpref   med aspath origin
> AI*   217.109.108.0/24     0.0.0.0    100     0 i
> AI*   217.109.108.128/24   0.0.0.0    100     0 i
>
> On ISP router A bgpctl sh rib:
>
> Flags destination          gateway  lpref   med aspath origin
> AI*   217.109.108.0/24     0.0.0.0    100     0 65001 i
> AI*   217.109.108.128/24   0.0.0.0    100     0 65001 65001 65001 65001 65001 i
>
> Everything is fine :)

Hmm, that's weird, the received routes are /24!
Re: Load balancing incoming trafic with BGP
Hello,

I tried to follow your advices, and I set:

network 1.1.1.0/24
network 1.1.1.0/25 set prepend-self 5

The /25 appears on the RIB of router A, but not in ISP A router RIB. Why? My only filter rule is allow from any

A few details:
* 1.1.1.0/24 is for testing purposes and used only in my (isolated) lab. I have a true /24, registered with RIPE.
* I have an MPLS VPN between my two sites, which uses different wires from Internet
* I didn't know the issue about propagating a /25 to the internet. Thanks for the information, I'll have to think about that before setting this in production...

Many thanks for the help

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Saturday 26 June 2010 12:18
To: misc@openbsd.org
Subject: Re: Load balancing incoming trafic with BGP

On 2010-06-25, BARDOU Pierre bardo...@mipih.fr wrote:

> I have issues trying to setup this:
>
>   ISP A                ISP B
>     |                    |
>   Router A             Router B
>   Main site --- Backup site
>   1.1.1.0/25           1.1.1.128/25

I think you will have to rethink a bit. Even if your immediate upstreams accept it (which is unlikely without a special arrangement), there is no way that most of the internet will accept a /25 announcement. You would want to use at least a /23 for the whole net, so your site-specific announcements can be /24.

You will also have to ensure connectivity between the two sites under normal conditions (if you don't have a direct link, then you could consider a tunnel between addresses from outside this network; either plain gif/gre and accept the restricted MTU, or you could use a gre+vether+bridge+pf setup which would let you run at the lowest MTU of the physical links between them).

> I'd like that connections to the main site flow through ISP A, to the backup site flow through ISP B, with backup through the other ISP if one fails.
>
> So I set up openBGPd like this:
>
> Router A:
> AS 65001
> network 1.1.1.0/25
> network 1.1.1.128/25 set prepend-self 5

From one site you would want to announce x.x.x.0/25 and x.x.x.0/24
From the other you want x.x.x.128/25 and x.x.x.0/24
(or similar with /24 and /23 if you actually want it to work from the rest of the internet).

Also: note that 1.0.0.0/8 is an allocated network. Please do not use addresses from this block even as a test network unless they are properly allocated to you (which being in europe, they are not).
Re: Load balancing incoming trafic with BGP
Hello,

I did this on router A:

network 217.109.108.0/24
network 217.109.108.128/25
neighbor ...
allow from any
match to any prefix 217.109.108.128/25 set prepend-self 5

On router A bgpctl sh rib:

Flags destination          gateway  lpref   med aspath origin
AI*   217.109.108.0/24     0.0.0.0    100     0 i
AI*   217.109.108.128/24   0.0.0.0    100     0 i

On ISP router A bgpctl sh rib:

Flags destination          gateway  lpref   med aspath origin
AI*   217.109.108.0/24     0.0.0.0    100     0 65001 i
AI*   217.109.108.128/24   0.0.0.0    100     0 65001 65001 65001 65001 65001 i

Everything is fine :)

Many, many thanks for your help.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: rh...@hushmail.com [mailto:rh...@hushmail.com]
Sent: Tuesday 29 June 2010 13:30
To: misc@openbsd.org
Cc: BARDOU Pierre
Subject: Re: Load balancing incoming trafic with BGP

Hello,

Have you tried a filter based config for your prepends?
Load balancing incoming trafic with BGP
Hello,

I have issues trying to setup this:

  ISP A                ISP B
    |                    |
  Router A             Router B
  Main site --- Backup site
  1.1.1.0/25           1.1.1.128/25

I'd like that connections to the main site flow through ISP A, to the backup site flow through ISP B, with backup through the other ISP if one fails.

So I set up openBGPd like this:

Router A:
AS 65001
network 1.1.1.0/25
network 1.1.1.128/25 set prepend-self 5
neighbor ISP A { remote-as 65002 }
neighbor router B { remote-as 65001 }
allow from any

Router B:
AS 65001
network 1.1.1.0/25
network 1.1.1.128/25 set prepend-self 5
neighbor ISP B { remote-as 65003 }
neighbor router A { remote-as 65001 }
allow from any

I'm still during the test phase, so to simulate ISPs routers I've put some other OpenBSD boxes. Their setup:

Router ISP A:
AS 65002
neighbor Router A { remote-as 65001 announce default-route }
allow from any

Router ISP B:
AS 65003
neighbor Router B { remote-as 65001 announce default-route }
allow from any

For now, I only have ISP A and router A set up.

My problem: the set prepend-self 5 on router A prevents the network 1.1.1.128/25 from appearing into router ISP A RIB. If I remove the option, everything is fine.

Bgpctl sh rib on router A:

Flags destination    gateway       lpref   med aspath origin
*     0.0.0.0/0      router ISP A    100     0 65002 i
AI*   1.1.1.0/25     0.0.0.0         100     0 i
AI*   1.1.1.128/25   0.0.0.0         100     0 65001 65001 65001 65001 65001 i

Bgpctl sh rib on router ISP A:

Flags destination    gateway       lpref   med aspath origin
*     1.1.1.0/25     router A        100     0 65001 i

Could someone tell me where is my mistake?

Thank you very much.

--
Regards,
Pierre BARDOU
Re: Hardware for a PF box
Hello,

I'll try to answer every suggestion...

I'm going to buy brand new HP servers, DL360 G5 or DL165 G7. So the choice for CPU is between AMD Opteron 24xx or Intel Xeon 55xx.

I've read that a PIII would be sufficient: I have performance issues actually, running on a Xeon 2.8GHz (monocore, FSB 800, socket 604). I don't think they come from PF BTW, it should be logging/relayd/OpenVPN which makes the box lag. I'm actually on a test with dual Xeon E5420 on GENERIC.MP, it runs like a charm. But it's borrowed hardware, I have to give it back :)

I'm very interested in a separated log machine, I think I'll do that. Could you give me an estimation on how many Mbps I need on the log server? I think I'll put this on a VM, we have an ESX cluster connected to a CX3-40 SAN which should give enough disk I/O...

Installing SSD on the machines is way more expensive with HP hardware: 72 GB SAS 15Ktpm costs 260€, 60 GB SSD costs 950€. HP offers no way to install a compact flash as disk drive.

Network cards are Intel Gb, using em(4) driver.

So, with all your considerations, here's my actual setup:

* Xeon E5504 quad core @2GHz (don't need AMD's 6 cores, and costs nearly the same price as the only dual core remaining, E5502 @1.86GHz)
* 3*1GB memory (Xeon are triple channel, so I need three DIMM for maximal memory bandwidth)
* 2x72 Gb SAS drives on raid0

Does it sound correct to you? Do you have any suggestion/modification?

Thank you very much for the help.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Aaron Mason [mailto:simplersolut...@gmail.com]
Sent: Tuesday 11 May 2010 14:01
To: Lars Nooden
Cc: misc@openbsd.org
Subject: Re: Hardware for a PF box

On Tue, May 11, 2010 at 4:56 PM, Lars Nooden lars.cura...@gmail.com wrote:

> On Mon, 10 May 2010, Chris Smith wrote:
>
> > What about logging in this case? Can PF logs be sent to another system running a syslog daemon?
>
> You answered your own question. ;) Look at the 'action' field explanation in the manual page for syslog.conf(5)
>
> About the diskless machine, many of the so-called diskless machines actually use flash or ssd instead of a spinning magnetic platter. The base installation of openbsd is still quite small. If you are only running PF, you will have a lot of space left over on a 1GB CF to make a logging partition. Flash can be very slow, so volatile caches can be stored in an mfs partition.
>
> /Lars

OpenBSD will happily fit into about 160mb by installing only base and etc which provide plenty for a firewall. My 1.4GHz Toshiba laptop acting as a wireless-wired gateway runs OpenBSD 4.6 on a 512mb USB drive (which I'd like to replace with a CF disk on a 2.5 compatible adapter) with space to spare. Sure it doesn't do anywhere near as many packets as you propose, but it handles a constantly-running seedbox and my gaming together without skipping a beat, which is more than I can ask for.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Hardware for a PF box
Sorry, typo: SAS drives would be on RAID1.

So the config would be:

* Xeon E5504 quad core @2GHz (don't need AMD's 6 cores, and costs nearly the same price as the only dual core remaining, E5502 @1.86GHz)
* 3*1GB memory (Xeon are triple channel, so I need three DIMM for maximal memory bandwidth)
* 2x72 Gb SAS drives on raid1
* GENERIC.MP kernel

--
Regards,
Pierre BARDOU

-----Original Message-----
From: BARDOU Pierre
Sent: Tuesday 11 May 2010 15:40
To: 'misc@openbsd.org'
Subject: RE: Hardware for a PF box
Hardware for a PF box
Hello,

I'm going to buy hardware to create 4 PF/relayd/OpenVPN boxes (2 active, 2 passive). I have an average of 500 new connections/s, 40k states and 40kpps in PF, 20 remote concurrent accesses on OpenVPN.

What CPU would you recommend between Intel and AMD? Since PF is mono threaded, I think more than 2 CPU cores are useless. Am I right? For the same reason, I think that the CPU with the highest frequency will be the best?

Would it be useful to replace 15ktpm SAS HDDs by SSDs?

Thank you.

--
Regards,
Pierre BARDOU
CSIM - Bureau 002
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr
LACP problem
Hello,

I have used an LACP trunk on my OpenBSD firewall since 4.5. It worked for more than a year, but since I upgraded to 4.6 the trunk has gone down two times. I can't do anything to fix it except reboot the firewall.

The switch is an HP ProCurve 8412zl.

I tried a workaround; to test it I did this on my slave firewall:

ifconfig trunk0 trunkproto none   # simulation of trunk down
ifconfig trunk0

This systematically leads to a kernel panic.

Were there code changes on LACP between 4.5 and 4.6? Should I downgrade to 4.5 / upgrade to -stable?

TYVM

--
Regards,
Pierre BARDOU
CSIM - Bureau 012
MiPih
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr
Re: LACP problem
/bsd: pciide0 at pci0 dev 15 function 1 ServerWorks CSB5 IDE rev 0x93: DMA
Dec 22 11:00:17 fw-intra-slave /bsd: atapiscsi0 at pciide0 channel 1 drive 0
Dec 22 11:00:17 fw-intra-slave /bsd: scsibus0 at atapiscsi0: 2 targets
Dec 22 11:00:17 fw-intra-slave /bsd: cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, K.9A ATAPI 5/cdrom removable
Dec 22 11:00:17 fw-intra-slave /bsd: cd0(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
Dec 22 11:00:17 fw-intra-slave /bsd: ohci0 at pci0 dev 15 function 2 ServerWorks OSB4/CSB5 USB rev 0x05: apic 8 int 11 (irq 11), version 1.0, legacy support
Dec 22 11:00:17 fw-intra-slave /bsd: pcib0 at pci0 dev 15 function 3 ServerWorks CSB5 LPC rev 0x00
Dec 22 11:00:17 fw-intra-slave /bsd: pchb3 at pci0 dev 16 function 0 ServerWorks CIOB-E rev 0x12
Dec 22 11:00:17 fw-intra-slave /bsd: pchb4 at pci0 dev 16 function 2 ServerWorks CIOB-E rev 0x12
Dec 22 11:00:17 fw-intra-slave /bsd: pci3 at pchb4 bus 2
Dec 22 11:00:17 fw-intra-slave /bsd: bge0 at pci3 dev 0 function 0 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): apic 9 int 0 (irq 7), address 00:11:43:5a:86:d1
Dec 22 11:00:17 fw-intra-slave /bsd: brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
Dec 22 11:00:17 fw-intra-slave /bsd: bge1 at pci3 dev 0 function 1 Broadcom BCM5704C rev 0x02, BCM5704 A2 (0x2002): apic 9 int 1 (irq 5), address 00:11:43:5a:86:d2
Dec 22 11:00:17 fw-intra-slave /bsd: brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
Dec 22 11:00:17 fw-intra-slave /bsd: pchb5 at pci0 dev 17 function 0 ServerWorks CIOB-X2 PCIX rev 0x05
Dec 22 11:00:17 fw-intra-slave /bsd: pchb6 at pci0 dev 17 function 2 ServerWorks CIOB-X2 PCIX rev 0x05
Dec 22 11:00:17 fw-intra-slave /bsd: pci4 at pchb6 bus 4
Dec 22 11:00:17 fw-intra-slave /bsd: ami0 at pci4 dev 3 function 0 Dell PERC 4/Di Verde rev 0x02: apic 9 int 2 (irq 7)
Dec 22 11:00:17 fw-intra-slave /bsd: ami0: Dell 14a, 32b, FW 412W, BIOS vH406, 128MB RAM
Dec 22 11:00:17 fw-intra-slave /bsd: ami0: 2 channels, 0 FC loops, 1 logical drives
Dec 22 11:00:17 fw-intra-slave /bsd: scsibus1 at ami0: 40 targets
Dec 22 11:00:17 fw-intra-slave /bsd: sd0 at scsibus1 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed
Dec 22 11:00:17 fw-intra-slave /bsd: sd0: 34680MB, 512 bytes/sec, 71024640 sec total
Dec 22 11:00:17 fw-intra-slave /bsd: scsibus2 at ami0: 16 targets
Dec 22 11:00:17 fw-intra-slave /bsd: safte0 at scsibus2 targ 6 lun 0: PE/PV, 1x3 SCSI BP, 1.1 SCSI2 3/processor fixed
Dec 22 11:00:17 fw-intra-slave /bsd: scsibus3 at ami0: 16 targets
Dec 22 11:00:17 fw-intra-slave /bsd: usb0 at ohci0: USB revision 1.0
Dec 22 11:00:17 fw-intra-slave /bsd: uhub0 at usb0 ServerWorks OHCI root hub rev 1.00/1.00 addr 1
Dec 22 11:00:17 fw-intra-slave /bsd: isa0 at pcib0
Dec 22 11:00:17 fw-intra-slave /bsd: isadma0 at isa0
Dec 22 11:00:17 fw-intra-slave /bsd: com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
Dec 22 11:00:17 fw-intra-slave /bsd: pckbc0 at isa0 port 0x60/5
Dec 22 11:00:17 fw-intra-slave /bsd: pckbd0 at pckbc0 (kbd slot)
Dec 22 11:00:17 fw-intra-slave /bsd: pckbc0: using irq 1 for kbd slot
Dec 22 11:00:17 fw-intra-slave /bsd: wskbd0 at pckbd0: console keyboard, using wsdisplay0
Dec 22 11:00:17 fw-intra-slave /bsd: pmsi0 at pckbc0 (aux slot)
Dec 22 11:00:17 fw-intra-slave /bsd: pckbc0: using irq 12 for aux slot
Dec 22 11:00:17 fw-intra-slave /bsd: wsmouse0 at pmsi0 mux 0
Dec 22 11:00:17 fw-intra-slave /bsd: pcppi0 at isa0 port 0x61
Dec 22 11:00:17 fw-intra-slave /bsd: midi0 at pcppi0: PC speaker
Dec 22 11:00:17 fw-intra-slave /bsd: spkr0 at pcppi0
Dec 22 11:00:17 fw-intra-slave /bsd: npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
Dec 22 11:00:17 fw-intra-slave /bsd: fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
Dec 22 11:00:17 fw-intra-slave /bsd: fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
Dec 22 11:00:17 fw-intra-slave /bsd: mtrr: Pentium Pro MTRR support
Dec 22 11:00:17 fw-intra-slave /bsd: softraid0 at root
Dec 22 11:00:17 fw-intra-slave /bsd: root on sd0a swap on sd0b dump on sd0b

--
Regards,
Pierre BARDOU

From: Iñigo Ortiz de Urbina [mailto:tarom...@gmail.com]
Sent: Tuesday 22 December 2009 12:45
To: BARDOU Pierre
Subject: Re: LACP problem

On Tue, Dec 22, 2009 at 11:22 AM, BARDOU Pierre bardo...@mipih.fr wrote:
> I tried a workaround; to test it I did this on my slave firewall:
> ifconfig trunk0 trunkproto none   # simulation of trunk down
> ifconfig trunk0
> This systematically leads to a kernel panic.

Curious

> Were there code changes on LACP between 4.5 and 4.6?

See it for yourself
http://www.openbsd.org/plus46.html
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_trunk.c

Recently there's been some activity on trunk.c maybe
Packets to IPsec blackholed?
Hello,

I had a working IPsec tunnel this morning:

Dec 04 09:30:35.086117 rule 375/(match) pass in on vlan100: 10.80.2.135.4685 > 10.96.37.1.23: S 2120140262:2120140262(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)
Dec 04 09:30:35.086154 rule 28/(match) pass out on enc0: 10.80.2.135.4685 > 10.96.37.1.23: S 2120140262:2120140262(0) win 64512 <mss 1460,nop,nop,sackOK>

At noon I rebooted my gateway, and now packets get lost in the wild (no pass out nor block out):

Dec 04 13:55:35.054695 rule 375/(match) pass in on vlan100: 10.80.2.135.3265 > 10.96.37.1.23: S 2811095018:2811095018(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)

But my tunnel is still up according to ipsecctl -sa. I have other tunnels which work like a charm.

Could anyone tell me how to get my packets back on the right way?

TYVM

--
Regards,
Pierre BARDOU
CSIM - Bureau 012
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr
Disk occupation problem
Hello,

I have a strange problem with disk occupation. df says my disk is nearly full (25G occupied), but when I do a du -sh on the mountpoint it says only 10M used!?

I had the same problem a few days ago on 4.5-stable; I upgraded to 4.6-stable and it happens again.

Some logs:

# du -sh /var/
10.7M   /var/
# du -sh /var/*
2.0K    /var/account
2.0K    /var/audit
2.0K    /var/authpf
1.3M    /var/backups
4.0K    /var/crash
22.0K   /var/cron
2.2M    /var/db
4.0K    /var/empty
44.0K   /var/games
12.0K   /var/lib
4.2M    /var/log
4.0K    /var/lost+found
1.1M    /var/mail
4.0K    /var/msgs
92.0K   /var/named
2.0K    /var/quotas
96.0K   /var/run
2.0K    /var/rwho
24.0K   /var/spool
4.0K    /var/tmp
1.4M    /var/www
28.0K   /var/yp
# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.8G    2.1G    1.5G    59%    /
/dev/sd0d     28.6G   25.0G    2.2G    92%    /var

Could someone give me a clue on how to fix this?

TYVM

--
Regards,
Pierre BARDOU
CSIM - Bureau 012
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr
Re: Disk occupation problem
Hello,

I didn't delete anything by hand. The space comes back after a reboot, yes.

I found the problem: log rotation with pflogd. I killed pflogd and started it again, and the free space came back. But why does log rotation fail? It has worked like a charm for more than 2 years...

If that helps:

# cat /etc/newsyslog.conf
# $OpenBSD: newsyslog.conf,v 1.26 2007/02/02 14:52:48 ajacoutot Exp $
#
# configuration file for newsyslog
#
# logfile_name          owner:group     mode count size when  flags
/var/cron/log           root:wheel      600  3     10   *     Z
/var/log/aculog         uucp:dialer     660  7     *    24    Z
/var/log/authlog        root:wheel      640  7     *    168   Z
/var/log/daemon                         640  5     30   *     Z
/var/log/lpd-errs                       640  7     10   *     Z
/var/log/maillog                        600  7     *    24    Z
/var/log/messages                       644  5     30   *     Z
/var/log/secure                         600  7     *    168   Z
/var/log/wtmp                           644  7     *    $W6D4 ZB
/var/log/xferlog                        640  7     250  *     Z
/var/log/ppp.log                        640  7     250  *     Z
#/var/log/pflog                         600  3     250  *     ZB /var/run/pflogd.pid
/var/log/pflog                          600  3     *    24    ZB /var/run/pflogd.pid

TYVM for the help

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Richard Toohey [mailto:richardtoo...@paradise.net.nz]
Sent: Monday 9 November 2009 09:21
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: Disk occupation problem

On 9/11/2009, at 9:11 PM, BARDOU Pierre wrote:
> Hello,
> I have a strange problem with disk occupation. df says my disk is nearly full (25G occupied), but when I do a du -sh on the mountpoint it says only 10M used!?

Are you deleting in-use log files?

Does the space come back after a reboot?

> I had the same problem a few days ago on 4.5-stable; I upgraded to 4.6-stable and it happens again.
Re: Disk occupation problem
I think you spotted the base problem. I have been running 2 instances of pflogd for a few days, and I forgot to set a separate pid file.

I put the new pflogd in log rotation with its own pid file; I hope this will solve the problem.

Many, many thanks for the help.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Otto Moerbeek [mailto:o...@drijf.net]
Sent: Monday 9 November 2009 09:55
To: BARDOU Pierre
Cc: Richard Toohey; misc@openbsd.org
Subject: Re: Disk occupation problem

On Mon, Nov 09, 2009 at 09:43:24AM +0100, BARDOU Pierre wrote:
> Hello,
> I didn't delete anything by hand. The space comes back after a reboot, yes.
> I found the problem: log rotation with pflogd. I killed pflogd and started it again, and the free space came back.

Do you have more than one instance of pflogd running? Or are you actually running current? Because recently something changed here.

	-Otto

> But why does log rotation fail? It has worked like a charm for more than 2 years...
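The root cause settled on in this thread (a second pflogd started without its own pid file, so newsyslog(8) signalled only one instance and the other kept writing to the rotated file, which is why df showed a full disk that du could not see) can be checked for before the disk fills. The script below is an added example, not anything posted in the thread: it parses a newsyslog.conf, matches the pidfiles it references against the running daemons, and reports both daemons that no referenced pidfile points at and pidfiles that newsyslog would look for in vain. All three inputs are constructed inside the script; on a real box substitute `cat /etc/newsyslog.conf`, `ps -axo pid,command` and the contents of each pidfile, as the comments indicate.

```shell
#!/bin/sh
# Added example (not from the thread): find log daemons that newsyslog(8)
# cannot signal after rotation. A daemon whose pid is in no pidfile listed in
# newsyslog.conf keeps its descriptor on the renamed or unlinked file, and the
# blocks it writes never show up in du(1) while df(1) reports the disk full.
# All three inputs below are constructed; replace them with the live
# equivalents named in the comments.

# Constructed stand-in for `cat /etc/newsyslog.conf`.
NEWSYSLOG_CONF='# logfile_name   owner:group mode count size when flags
/var/log/messages         644  5   30  *   Z
/var/log/pflog            600  3   *   24  ZB /var/run/pflogd.pid
/var/log/pflog-ext        600  3   *   24  ZB /var/run/pflogd-ext.pid'

# Constructed stand-in for `ps -axo pid,command`: two pflogd instances.
PS_LISTING='12345 pflogd: [priv] (pflogd)
12400 pflogd: [priv] (pflogd)
  410 syslogd: [priv] (syslogd)'

# Constructed pidfile contents as "path pid"; the second pflogd was started
# without -p, so /var/run/pflogd-ext.pid does not exist.
PIDFILES='/var/run/pflogd.pid 12400'

# Print "logfile pidfile" for every newsyslog.conf entry that names a pidfile
# (the first field after the log name that starts with a slash).
conf_pidfiles() {
    printf '%s\n' "$NEWSYSLOG_CONF" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i ~ /^\//) { print $1, $i; break } }'
}

# Resolve a pidfile path to the pid it holds; empty if the file is missing.
# Live equivalent: cat "$1" 2>/dev/null
pidfile_pid() {
    printf '%s\n' "$PIDFILES" | awk -v f="$1" '$1 == f { print $2 }'
}

# Report pidfiles that newsyslog.conf references but which do not exist:
# the file is rotated, but no process is told to reopen it.
missing_pidfiles() {
    conf_pidfiles | while read -r log pf; do
        if [ -z "$(pidfile_pid "$pf")" ]; then
            echo "$log: pidfile $pf missing, rotation will signal nobody"
        fi
    done
}

# Report running daemons (default: pflogd) that no referenced pidfile
# points at.  Usage: uncovered_daemons [PROCESS-NAME-PREFIX]
uncovered_daemons() {
    prefix=${1:-pflogd}
    covered=$(conf_pidfiles | while read -r log pf; do pidfile_pid "$pf"; done)
    printf '%s\n' "$PS_LISTING" | while read -r pid cmd; do
        case $cmd in "$prefix"*) ;; *) continue ;; esac
        found=0
        for c in $covered; do
            if [ "$c" = "$pid" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "pid $pid ($cmd) is in no pidfile referenced by newsyslog.conf"
        fi
    done
}

# Run both checks; on a healthy box both print nothing.
check_log_rotation() {
    missing_pidfiles
    uncovered_daemons pflogd
}
```

With the constructed inputs, `check_log_rotation` reports the missing /var/run/pflogd-ext.pid and the pflogd with pid 12345 that nobody will signal; either finding is the situation described above, and the fix is the one Pierre applied: give every instance its own pid file (pflogd -p) and reference it in newsyslog.conf.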
Re: New functionality for authpf
It would be hard to ask my boss to hire a developer, since with my script the solution is working. I'll think of OpenBSD people before discarding our old hardware, anyway.

My script loads the rules once, and modifies the table within the rule. When the user disconnects, its IP is removed from the table, and its connections are killed with pfctl -k.

By the way, your idea of an include statement is very good, and doesn't need any further coding of authpf. I'm going to test this right now.

Thank you for the precious time you spent on my problem!

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Vadim Zhukov [mailto:persg...@gmail.com]
Sent: Tuesday 13 October 2009 18:09
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: New functionality for authpf

On Tuesday 13 October 2009 18:53:07 BARDOU Pierre wrote:
> Hello,
> I'd need a new functionality in authpf: it would be nice to do group based rules instead of user based rules.
> Unfortunately, I don't know how to make this in C. Someone interested in doing this?

Ignoring the fact that it's better for you to prepare money (or some equivalent) to hire someone to do that work. You need it, then either you implement it, or pay for it. For example, you could donate some hardware OpenBSD needs - see www.openbsd.org/want.html.

Now, for the request itself, you should clarify the exact behavior you want:

- Should the rules be loaded only once, or every time a user logs in? (The real fun part here is the detach policy.)
- Maybe it's simpler to have a /etc/authpf/groups/$GROUP/ directory with authpf.rules in it, and make /etc/authpf/users/$USER/authpf.rules be a soft link or contain an include statement? The latter allows you very, very much flexibility.
- Maybe more; I do not want to spend more time that I would better have spent polishing my own patches.

--
Best wishes,
Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
New functionality for authpf
Hello,

I'd need a new functionality in authpf: it would be nice to do group based rules instead of user based rules.

I made this using a script used as shell for the user, which lists the groups of the user and adds them to a table named like the group using pfctl and sudo. I can give it to you if you are interested.

But I think it would be better to include this in authpf, and by the way it doesn't seem too difficult. Unfortunately, I don't know how to make this in C.

Someone interested in doing this?

Thank you

--
Regards,
Pierre BARDOU
CSIM - Bureau 012
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 69 71 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr
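A concrete version of the group-table approach described in this thread, both in the request above (a login shell that lists the user's groups and feeds a table named after each group via pfctl) and in Pierre's follow-up, where the IP is removed from the table on disconnect and the client's states are killed with pfctl -k. This is an added example, not Pierre's script (which he did not post) and not authpf(8) itself. The table naming scheme authpf_<group>, the PFCTL variable and the AUTHPF_GROUP_SHELL guard are assumptions, and the pf.conf rules that reference the tables are left to the reader.

```shell
#!/bin/sh
# Added example: a group-based login shell in the spirit of authpf(8).
# On login the SSH client address is added to one PF table per Unix group
# of the user (authpf_<group>, a naming assumption); on logout the address
# is removed and the client's states are killed with pfctl -k.
# PFCTL can be pointed at "echo" for a dry run.

PFCTL=${PFCTL:-/sbin/pfctl}

# Accept only a plain IPv4 dotted quad; the value comes from SSH_CLIENT,
# but nothing unvalidated should ever reach pfctl's argument list.
# (Subshell body so the IFS change cannot leak out.)
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# Only group names made of [A-Za-z0-9_] may become table names.
safe_group() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Print the pfctl commands that add IP to the table of every group.
# Usage: add_cmds IP GROUP...
add_cmds() {
    ip=$1; shift
    for g in "$@"; do
        safe_group "$g" || continue
        printf '%s -t authpf_%s -T add %s\n' "$PFCTL" "$g" "$ip"
    done
}

# Print the commands that undo add_cmds and drop the client's states:
# "pfctl -k HOST" kills states originating from HOST, the second form
# kills states going to it.  Usage: del_cmds IP GROUP...
del_cmds() {
    ip=$1; shift
    for g in "$@"; do
        safe_group "$g" || continue
        printf '%s -t authpf_%s -T delete %s\n' "$PFCTL" "$g" "$ip"
    done
    printf '%s -k %s\n' "$PFCTL" "$ip"
    printf '%s -k 0.0.0.0/0 -k %s\n' "$PFCTL" "$ip"
}

# Execute the command lines read on stdin, stopping at the first failure.
run_cmds() {
    while IFS= read -r line; do
        $line || return 1
    done
}

# The interactive session: grant on entry, revoke on every exit path.
session() {
    ip=${SSH_CLIENT%% *}
    valid_ipv4 "$ip" || { echo "cannot determine client address" >&2; exit 1; }
    groups=$(id -Gn)
    add_cmds "$ip" $groups | run_cmds || exit 1
    trap 'del_cmds "$ip" $groups | run_cmds' EXIT HUP INT TERM
    echo "Access granted for $ip (groups: $groups). Log out to revoke."
    # Keep the session open until the SSH connection closes.
    while read -r _; do :; done
}

# Only act as a login shell when explicitly enabled (assumed guard), so the
# functions above can be sourced and exercised without touching pf.
if [ -n "$AUTHPF_GROUP_SHELL" ]; then
    session
fi
```

Two design points matter here. The address and the group names are validated before they are interpolated into pfctl arguments, since a group name with a space or shell metacharacter would otherwise change the command; and the revocation runs from a trap on EXIT, HUP, INT and TERM, so a dropped SSH connection removes the table entry and the states just like a clean logout.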
Re: CARP problem: slave rioting
Hello,

I found the cause of the problem: the CARP interface was configured with a /24 mask on the master, and a /25 mask on the slaves. With coherent masks everything works like a charm now.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: BARDOU Pierre
Sent: Monday 29 June 2009 10:12
To: 'uday'
Cc: misc@openbsd.org
Subject: RE: CARP problem: slave rioting

Hello,

I thought it had to be unique _on the same network segment_, but not necessarily on the same machine.

And everything works again since I moved the firewall off the backbone (2 * ProCurve 5400zl, 1 firewall on each) to another switch (1 * ProCurve 3400cl, 2 firewalls on it). But everything seems to be configured identically on those two switches, and the error log of the 5400zl shows nothing about the ports where my firewalls are...

I also set up 2 new BSD boxes to test, 1 on each 5400, configured as follows:

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 5 pass mipih31 description Internet
217.109.108.99/25 vhid 11 advskew 5 pass mipih31 description DMZ Internet

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 10 pass mipih31 description Internet
217.109.108.99/25 vhid 11 advskew 10 pass mipih31 description DMZ Internet

They also run like a charm!? I have run out of ideas about the cause of the problem.
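The mismatch found above (a /24 on the master against a /25 on the backups for the same CARP address) is the kind of drift that is easy to catch by diffing the two hosts' configurations before it produces a split master. The script below is an added example, not Pierre's setup: it reads hostname.carp(5)-style lines in the address/prefix form used in this thread, extracts the address, prefix length, vhid and advskew of each entry, and compares master against backup per address. The two configuration strings are constructed, with "secret" standing in for the pass phrase; on real hosts feed `cat /etc/hostname.carp*` from each box. Entries written as `inet addr netmask` are not parsed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the CARP configuration of the
# master and the backup per address and flag a prefix-length mismatch, a vhid
# mismatch, an advskew ordering that would not let the master win, and
# addresses configured on one side only. Both configurations are constructed
# ("secret" stands in for the real pass phrase).

MASTER_CARP='10.60.0.254/24 vhid 10 advskew 10 pass secret description DMZ
217.109.108.243/28 vhid 11 advskew 10 pass secret description Internet'

BACKUP_CARP='10.60.0.254/25 vhid 10 advskew 50 pass secret description DMZ
217.109.108.243/28 vhid 11 advskew 50 pass secret description Internet'

# Turn hostname.carp* lines on stdin into "ip prefix vhid advskew" records.
# Assumes the addr/prefix form; advskew defaults to 0 as in carp(4).
carp_entries() {
    awk '
        NF == 0 || /^[ \t]*#/ { next }
        {
            ip = ""; pre = ""; vhid = ""; skew = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "vhid") vhid = $(i + 1)
                else if ($i == "advskew") skew = $(i + 1)
                else if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) {
                    split($i, a, "/"); ip = a[1]; pre = a[2]
                }
            }
            if (ip != "" && vhid != "") print ip, pre, vhid, skew
        }'
}

# carp_lookup IP RECORDS: print the record for IP from a carp_entries list.
carp_lookup() {
    printf '%s\n' "$2" | awk -v v="$1" '$1 == v { print; exit }'
}

# carp_diff MASTER_CONFIG BACKUP_CONFIG: one line per finding, nothing when
# the two sides agree and the master's advskew is the lower one.
carp_diff() {
    m=$(printf '%s\n' "$1" | carp_entries)
    b=$(printf '%s\n' "$2" | carp_entries)
    printf '%s\n' "$m" | while read -r ip mpre mvhid mskew; do
        [ -n "$ip" ] || continue
        line=$(carp_lookup "$ip" "$b")
        if [ -z "$line" ]; then
            echo "$ip: configured on master only"
            continue
        fi
        set -- $line
        bpre=$2; bvhid=$3; bskew=$4
        [ "$mpre" = "$bpre" ] || echo "$ip: prefix length mismatch master=/$mpre backup=/$bpre"
        [ "$mvhid" = "$bvhid" ] || echo "$ip: vhid mismatch master=$mvhid backup=$bvhid"
        [ "$mskew" -lt "$bskew" ] || echo "$ip: master advskew $mskew is not lower than backup advskew $bskew"
    done
    printf '%s\n' "$b" | while read -r ip rest; do
        [ -n "$ip" ] || continue
        if [ -z "$(carp_lookup "$ip" "$m")" ]; then
            echo "$ip: configured on backup only"
        fi
    done
}
```

Run as `carp_diff "$MASTER_CARP" "$BACKUP_CARP"`, the constructed pair reports exactly the /24 versus /25 difference on 10.60.0.254 and nothing else; the advskew check is there because the thread's original symptom (both boxes claiming master) also appears when the backup's advskew is not higher than the master's.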
Re: CARP problem: slave rioting
Hello,

I thought it had to be unique _on the same network segment_, but not necessarily on the same machine.

And everything works again since I moved the firewall off the backbone (2 * ProCurve 5400zl, 1 firewall on each) to another switch (1 * ProCurve 3400cl, 2 firewalls on it). But everything seems to be configured identically on those two switches, and the error log of the 5400zl shows nothing about the ports where my firewalls are...

I also set up 2 new BSD boxes to test, 1 on each 5400, configured as follows:

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 5 pass mipih31 description Internet
217.109.108.99/25 vhid 11 advskew 5 pass mipih31 description DMZ Internet

# cat /etc/hostname.carp*
217.109.108.243/28 vhid 11 advskew 10 pass mipih31 description Internet
217.109.108.99/25 vhid 11 advskew 10 pass mipih31 description DMZ Internet

They also run like a charm!? I have run out of ideas about the cause of the problem.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday 26 June 2009 21:17
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem: slave rioting

Pierre,

If I'm not mistaken the vhid on all your carp interfaces is the same value. I would suggest you use a unique value for each group.

From the man:
The Virtual Host ID. This is a unique number that is used to identify the redundancy group to other nodes on the network. Acceptable values are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him.
Rev. Martin Luther King Jr.
Re: CARP problem: slave rioting
Hello,

CARP is configured using a script. Here it is (truncated version):

ifconfig carp5 create
ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description LAN
ifconfig carp2 create
ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
ifconfig carp3 create
ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"
ifconfig carp12 create
ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"
ifconfig carp13 create
ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"
ifconfig carp4 create
ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
ifconfig carp4 alias 217.109.108.1/24
ifconfig carp14 create
ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description Internet

--
Regards,
Pierre BARDOU

-----Original Message-----
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday 26 June 2009 12:21
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem: slave rioting

Can you post configuration files for the carp interfaces?

Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him.
Rev. Martin Luther King Jr.
CARP problem: slave rioting
Hello,

I have a setup with 2 OpenBSD boxes used as firewalls; redundancy is done using CARP. Each has 4 NICs: 1 for the Internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs. Master's advskew is 10, slave's is 50.

All worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:

* on the net interface, the backup becomes master, but the master remains master. Nearly half of the packets are lost. I did a tcpdump on the slave's interface; carp packets from the master arrive. But it remains master!

Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

* on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs.

When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), the master becomes master again.

Could you give me any clue to keep my master in master state?

Thank you

--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Picardie Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 31 90 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr
PF performance problem
Hello,

I have performance issues on an OpenBSD 4.4 firewall. CPU load is OK (always below 50%), but system load is always between 1 and 1.5, it may go up to 2 sometimes. I suspected an I/O problem on the HDD because of pflogd, so I shut it down and the system load is still as high.

Could you tell me what I should upgrade to solve this? And what does "Debug: Urgent" mean?

Thank you

Stats of PF:

# pfctl -si
Status: Enabled for 29 days 15:27:29           Debug: Urgent

State Table                          Total             Rate
  current entries                    16592
  searches                     36113459933        14099.9/s
  inserts                        286242425          111.8/s
  removals                       286225833          111.8/s
Counters
  match                          794705461          310.3/s
  bad-offset                             0            0.0/s
  fragment                               6            0.0/s
  short                                  0            0.0/s
  normalize                            272            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                          6494            0.0/s
  ip-option                             12            0.0/s
  proto-cksum                            1            0.0/s
  state-mismatch                    107543            0.0/s
  state-insert                       10966            0.0/s
  state-limit                           18            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

dmesg:

# cat /var/run/dmesg.boot
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem = 1073053696 (1023MB)
avail mem = 1029165056 (981MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/22/05, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf9920 (87 entries)
bios0: vendor Dell Computer Corporation version A04 date 09/22/2005
bios0: Dell Computer Corporation PowerEdge 1850
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR HPET MCFG
acpi0: wakeup devices PCI0(S5) PALO(S5) PBLO(S5) VPR0(S5) PBHI(S5) VPR1(S5) PICH(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PALO)
acpiprt2 at acpi0: bus 2 (DOBA)
acpiprt3 at acpi0: bus 3 (DOBB)
acpiprt4 at acpi0: bus 4 (PBLO)
acpiprt5 at acpi0: bus 8 (VPR0)
acpiprt6 at acpi0: bus 5 (PBHI)
acpiprt7 at acpi0: bus 6 (PXB1)
acpiprt8 at acpi0: bus 7 (PXB2)
acpiprt9 at acpi0: bus 9 (PICH)
acpicpu0 at acpi0
bios0: ROM list: 0xc0000/0xb000! 0xcb000/0x1000 0xcc000/0x800 0xcc800/0x1000 0xcd800/0x2600 0xd0000/0x1800 0xec000/0x4000!
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x09
ppb0 at pci0 dev 2 function 0 Intel E7520 PCIE rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel IOP332 PCIE-PCIX rev 0x06
pci2 at ppb1 bus 2
mpi0 at pci2 dev 5 function 0 Symbios Logic 53c1030 rev 0x08: irq 7
scsibus0 at mpi0: 16 targets, initiator 7
em0 at pci2 dev 12 function 0 Intel PRO/1000MT (82546EB) rev 0x01: irq 10, address 00:11:0a:64:32:74
em1 at pci2 dev 12 function 1 Intel PRO/1000MT (82546EB) rev 0x01: irq 11, address 00:11:0a:64:32:75
ppb2 at pci1 dev 0 function 2 Intel IOP332 PCIE-PCIX rev 0x06
pci3 at ppb2 bus 3
ami0 at pci3 dev 11 function 0 Symbios Logic MegaRAID rev 0x01: irq 3
ami0: Dell 520, 64b/lhc, FW 351S, BIOS v1.10, 64MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus1 at ami0: 40 targets, initiator 40
sd0 at scsibus1 targ 0 lun 0: AMI, Host drive #00, SCSI2 0/direct fixed
sd0: 34680MB, 4421 cyl, 255 head, 63 sec, 512 bytes/sec, 71024640 sec total
scsibus2 at ami0: 16 targets, initiator 16
safte0 at scsibus2 targ 6 lun 0: PE/PV, 1x2 SCSI BP, 1.0 SCSI2 3/processor fixed
ppb3 at pci0 dev 4 function 0 Intel E7520 PCIE rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 5 function 0 Intel E7520 PCIE rev 0x09
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci6 at ppb5 bus 6
em2 at pci6 dev 7 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 11, address 00:14:22:21:61:6d
ppb6 at pci5 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci7 at ppb6 bus 7
em3 at pci7 dev 8 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 3, address 00:14:22:21:61:6e
ppb7 at pci0 dev 6 function 0 Intel E7520 PCIE rev 0x09
pci8 at ppb7 bus 8
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 10
uhci2 at pci0 dev 29 function 2
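The pfctl -si output above answers a more useful question than the load average: is pf itself discarding packets? Every entry under Counters except match is one of pf's reason codes for not passing a packet (the PFRES_* values in pfvar.h), and the 0.0/s column hides that several of them are in the tens of thousands over 29 days. The following is an added example, not code from the thread, that parses that output (the sample is constructed from the figures posted above) and lists the non-zero reasons with a per-day rate.

```python
"""Summarise `pfctl -si`: which drop reasons are firing, and how often (added example)."""
import re

# Constructed sample: the counters quoted in the thread, laid out as pfctl prints them.
SAMPLE = """\
Status: Enabled for 29 days 15:27:29           Debug: Urgent

State Table                          Total             Rate
  current entries                    16592
  searches                     36113459933        14099.9/s
  inserts                        286242425          111.8/s
  removals                       286225833          111.8/s
Counters
  match                          794705461          310.3/s
  bad-offset                             0            0.0/s
  fragment                               6            0.0/s
  short                                  0            0.0/s
  normalize                            272            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                          6494            0.0/s
  ip-option                             12            0.0/s
  proto-cksum                            1            0.0/s
  state-mismatch                    107543            0.0/s
  state-insert                       10966            0.0/s
  state-limit                           18            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
"""

UPTIME_RE = re.compile(r"Enabled for (?:(?P<d>\d+) days? )?(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)")
DEBUG_RE = re.compile(r"Debug: (?P<level>\S+)")
# "  name [second word]   total   [rate/s]" ("current entries" has a space in its name)
ROW_RE = re.compile(r"^\s+(?P<name>[a-z-]+(?: [a-z-]+)?)\s+(?P<total>\d+)(?:\s+(?P<rate>[\d.]+)/s)?\s*$")


def parse_pf_status(text):
    """Return uptime in seconds, debug level, and {name: (total, rate)} per section."""
    info = {"uptime_seconds": None, "debug": None, "state_table": {}, "counters": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("Status:"):
            m = UPTIME_RE.search(line)
            if m:
                days = int(m.group("d") or 0)
                info["uptime_seconds"] = (((days * 24 + int(m.group("h"))) * 60
                                           + int(m.group("m"))) * 60 + int(m.group("s")))
            m = DEBUG_RE.search(line)
            info["debug"] = m.group("level") if m else None
        elif line.startswith("State Table"):
            section = "state_table"
        elif line.startswith("Counters"):
            section = "counters"
        elif section:
            m = ROW_RE.match(line)
            if m:
                rate = float(m.group("rate")) if m.group("rate") else None
                info[section][m.group("name")] = (int(m.group("total")), rate)
    return info


def drop_reasons(info):
    """Non-zero Counters entries other than 'match', biggest first, as
    (name, total, per_day). Per-day is computed from the uptime because the
    per-second rate pfctl prints rounds all of these to 0.0."""
    days = info["uptime_seconds"] / 86400
    rows = [(name, total, total / days)
            for name, (total, _) in info["counters"].items()
            if name != "match" and total > 0]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def drop_ratio(info):
    """Packets refused by pf as a fraction of packets that matched a rule."""
    match = info["counters"]["match"][0]
    return sum(t for _, t, _ in drop_reasons(info)) / match


if __name__ == "__main__":
    st = parse_pf_status(SAMPLE)
    print(f"uptime {st['uptime_seconds']} s, debug level {st['debug']}")
    for name, total, per_day in drop_reasons(st):
        print(f"{name:16} {total:>10} {per_day:10.1f}/day")
    print(f"drop ratio {drop_ratio(st):.2e}")
```

On the posted figures the top three reasons are state-mismatch, state-insert and congestion; those are the counters to watch next to the Nagios ping latency alerts rather than the load average.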
Re: PF performance problem
The only problem I noticed is an abnormally long ping (usually 0.3ms, sometimes, 3 or 4 times a day says nagios, up to 30ms). I am worried about the numbers since this firewall is highly critical. Since it protects Citrix hosted applications, I will get instantly killed if delays are too long...
--
Regards,
Pierre BARDOU

-----Original Message-----
From: Richard Toohey [mailto:richardtoo...@paradise.net.nz]
Sent: Wednesday 3 June 2009 12:50
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: PF performance problem

On 3/06/2009, at 10:02 PM, BARDOU Pierre wrote:

> Hello,
>
> I have performance issues on an OpenBSD 4.4 firewall. CPU load is OK (always below 50%), but system load is always between 1 and 1.5, it may go up to 2 sometimes.
>
> [cut]

And what is the actual *problem*? What is pf failing to do? Or are you just worried about the numbers?

Search the archives for high load ...

http://marc.info/?l=openbsd-misc&m=122607853731136&w=3

HTH.
Re: PF performance problem
Thanks everybody for the help. I will stop worrying about the system load and wait for a noticeable performance problem before asking for help :)

I set pfctl -x urgent, and now I'm waiting for something in /var/log/messages...
--
Regards,
Pierre BARDOU
RAM not detected on HP DL580 G4
Hello,

I'm trying to set up an OpenBSD 4.5 amd64 on an HP ProLiant DL580 G4. It has 38 GB RAM, but only ~3 GB is detected. Is it possible to use all the RAM?

The dmesg:

# dmesg
OpenBSD 4.5 (GENERIC) #2052: Sat Feb 28 14:55:24 MST 2009
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3487395840 (3325MB)
avail mem = 3371655168 (3215MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xec000 (109 entries)
bios0: vendor HP version P59 date 09/08/2006
bios0: HP ProLiant DL580 G4
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR SRAT MCFG APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(TM) CPU 3.00GHz, 2992.94 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,CNXT-ID,CX16,xTPR,LONG
cpu0: 1MB 64b/line 8-way L2 cache
cpu0: apic clock running at 199MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0 apid 1 pa 0xfec00000, version 20, 24 pins
ioapic1 at mainbus0 apid 4 pa 0xfec80000, version 20, 24 pins
ioapic2 at mainbus0 apid 5 pa 0xfec80800, version 20, 24 pins
acpimadt0: unknown apic structure type ff
acpimadt0: unknown apic structure type ff
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 9 (PXHA)
acpiprt2 at acpi0: bus 10 (PXHB)
acpiprt3 at acpi0: bus 8 (PTD0)
acpiprt4 at acpi0: bus 2 (PTA0)
acpiprt5 at acpi0: bus 5 (PTA1)
acpiprt6 at acpi0: bus 13 (PTB0)
acpiprt7 at acpi0: bus 16 (PTB1)
acpiprt8 at acpi0: bus 19 (PTC0)
acpiprt9 at acpi0: bus 22 (PTC1)
acpiprt10 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel E8500 Host rev 0x11
ppb0 at pci0 dev 1 function 0 Intel E8500 PCIE rev 0x11
pci1 at ppb0 bus 8
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at ppb1 bus 9
bnx0 at pci2 dev 1 function 0 Broadcom BCM5706 rev 0x02: apic 4 int 0 (irq 5)
bnx1 at pci2 dev 2 function 0 Broadcom BCM5706 rev 0x02: apic 4 int 3 (irq 7)
ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 10
ppb3 at pci3 dev 1 function 0 Pericom PI7C21P100 PCIX-PCIX rev 0x01
pci4 at ppb3 bus 11
em0 at pci4 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 5 int 2 (irq 10), address 00:0e:0c:c6:be:f8
em1 at pci4 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 5 int 3 (irq 7), address 00:0e:0c:c6:be:f9
em2 at pci4 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 5 int 0 (irq 5), address 00:0e:0c:c6:be:fa
em3 at pci4 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: apic 5 int 1 (irq 10), address 00:0e:0c:c6:be:fb
ppb4 at pci0 dev 2 function 0 Intel E8500 PCIE rev 0x11
pci5 at ppb4 bus 19
Emulex LPe1150 rev 0x02 at pci5 dev 0 function 0 not configured
ppb5 at pci0 dev 3 function 0 Intel E8500 PCIE rev 0x11
pci6 at ppb5 bus 22
ciss0 at pci6 dev 0 function 0 Hewlett-Packard Smart Array rev 0x01: apic 1 int 16 (irq 5)
ciss0: 1 LD, HW rev 1, FW 1.18/1.18
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 1.18 SCSI0 0/direct fixed
sd0: 69973MB, 512 bytes/sec, 143305920 sec total
ppb6 at pci0 dev 4 function 0 Intel E8500 PCIE rev 0x11
pci7 at ppb6 bus 13
em4 at pci7 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: apic 1 int 16 (irq 5), address 00:17:08:7d:cd:d2
em5 at pci7 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: apic 1 int 17 (irq 10), address 00:17:08:7d:cd:d3
ppb7 at pci0 dev 5 function 0 Intel E8500 PCIE rev 0x11
pci8 at ppb7 bus 16
Emulex LPe1150 rev 0x02 at pci8 dev 0 function 0 not configured
ppb8 at pci0 dev 6 function 0 Intel E8500 PCIE rev 0x11
pci9 at ppb8 bus 2
ppb9 at pci0 dev 7 function 0 Intel E8500 PCIE rev 0x11
pci10 at ppb9 bus 5
pchb1 at pci0 dev 8 function 0 Intel E8500 IMI rev 0x11
Intel E8500 XMB rev 0x11 at pci0 dev 9 function 0 not configured
Intel E8500 XMB Misc rev 0x11 at pci0 dev 9 function 1 not configured
Intel E8500 XMB MAI rev 0x11 at pci0 dev 9 function 2 not configured
Intel E8500 XMB DDR rev 0x11 at pci0 dev 9 function 3 not configured
Intel E8500 XMB Reserved rev 0x11 at pci0 dev 9 function 4 not configured
Intel E8500 XMB Reserved rev 0x11 at pci0 dev 9 function 5 not configured
Intel E8500 XMB Reserved rev 0x11 at pci0 dev 9 function 6 not configured
Intel E8500 XMB Reserved rev 0x11 at pci0 dev 9 function 7 not configured
pchb2 at pci0 dev 10 function 0 Intel E8500 IMI rev 0x11
Intel E8500 XMB rev 0x11 at pci0 dev 11 function 0 not configured
Intel E8500 XMB Misc rev 0x11 at pci0 dev 11 function 1 not configured
Intel E8500 XMB MAI rev 0x11 at pci0 dev 11 function 2 not configured
Intel E8500 XMB DDR
Re: Can't get relayd to work for DNS + problem with relayctl reload
Shame on me, it didn't work because I allowed connections to the real IP (10.60.0.10x) and not to the relayd IP (10.31.33.254). Now it works, thanks for the help :)

But I still have the issue I reported a few months ago: when I use a relay, relayctl reload fails saying "command failed". The relayd logs say nothing. Will I be forced to pkill relayd and restart it each time?
--
Regards,
Pierre BARDOU

-----Original Message-----
From: Nigel J. Taylor [mailto:njtay...@asterisk.demon.co.uk]
Sent: Wednesday 14 January 2009 02:22
To: BARDOU Pierre
Subject: Re: Can't get relayd to work for DNS

I have this in my relayd.conf, it's just an extract, only a pass in in pf.conf.

You use either relay or redirect, not both at once. redirect requires an anchor in pf.conf, relay doesn't.

dns protocol dnsudp
tcp protocol dnstcp

relay relaydnsudp {
        protocol dnsudp
        listen on $dns_int port domain
        forward to <DNSSERVERS> \
                check script /usr/local/bin/dnscheck
}

relay relaydnstcp {
        protocol dnstcp
        listen on $dns_int port domain
        forward to <DNSSERVERS> \
                check script /usr/local/bin/dnscheck
}

dnscheck script does a dig to check dns is up:

#!/bin/ksh
# relayd runs this with the host address as $1; exit 0 means down, non-zero means up
dnsserver=$1
if ping -n -c1 -w 1 $dnsserver >/dev/null 2>&1 && dig -x \
        $dnsserver @$dnsserver >/dev/null
then
        exit 1
fi
exit 0

Regards

Nigel Taylor

BARDOU Pierre wrote:
> [cut]
Re: Can't get relayd to work for DNS + problem with relayctl reload
Hi,

I tried to send a bug report with sendbug(1), but I am not very familiar with it. I hope someone will notice...
--
Regards,
Pierre BARDOU

From: uday [mailto:umoorjani@gmail.com]
Sent: Wednesday 14 January 2009 15:52
To: BARDOU Pierre
Cc: misc@openbsd.org; Nigel J. Taylor
Subject: Re: Can't get relayd to work for DNS + problem with relayctl reload

Pierre, I'm seeing the same result with relayctl. I don't know where it's coming from.

um

On Wed, Jan 14, 2009 at 8:16 AM, BARDOU Pierre bardo...@mipih.fr wrote:
> [cut]
Can't get relayd to work for DNS
Hello,

I am trying to set up relayd for loadbalancing on my DNS servers. The problem is that relayd seems to handle only TCP connections; UDP isn't taken into account. I found a known bug on OpenBSD 4.2, but I am using OpenBSD 4.4. I've tried the same setup with a relay, and still have the same problem. Where am I mistaken?

# pfctl -a relayd/DNS -s nat
rdr inet proto tcp from any to 10.31.33.254 port = domain (tcp.established 600) -> <DNS> port 53 round-robin

# cat /etc/relayd.conf
node1=10.60.0.101
node2=10.60.0.102
node3=10.60.0.103
squid_int=10.31.33.254
dns_int=10.31.33.254

# Global Options
interval 5
log updates
prefork 10
timeout 1500

table <squid> { $node1 , $node3 }
table <DNS> { $node1 , $node3 }

redirect squid {
        listen on $squid_int port 3128
        forward to <squid> mode roundrobin check tcp
}

redirect DNS {
        listen on $dns_int port 53
        forward to <DNS> mode roundrobin check tcp
}

Relay config:

dns protocol dnsfilter {
        ### TCP performance options
        tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
}

relay dns {
        ### listen and accept redirected connections from pf
        listen on $dns_int port 53
        ### apply web filters
        protocol dnsfilter
        ### forward to web server(s)
        forward to <DNS> mode roundrobin check tcp
}
--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Picardie Informatique Hospitalière
12 rue Michel Labrousse BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 31 90 84
Fax: 05 34 61 51 00
Mail: bardo...@mipih.fr
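Both the question above and Nigel's answer earlier in the thread turn on the same point: a `check tcp` only proves that port 53/tcp accepts a connection, which says nothing about the UDP path that most DNS clients use, so Nigel's dnscheck shells out to ping and dig instead. The following is an added example, not code from the thread or from relayd, of the same idea in Python: a check script that sends one real UDP query and reports the host up only if the reply carries the query id and question back, has no error rcode and contains at least one answer. It follows the exit-code convention Nigel's script uses (0 = down, non-zero = up); the name to query is an assumption and should be a record the backends must be able to answer. `make_response` is a constructed reply builder so the validation can be exercised offline.

```python
"""DNS health probe usable as a relayd `check script` (added example)."""
import socket
import struct
import sys


def encode_name(qname):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in qname.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qid=0x1234):
    """Standard query with RD set, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def make_response(query, answers=(), rcode=0):
    """Constructed reply for offline testing: echoes the question and adds one
    A record per address in `answers`, using a compression pointer (0xc00c)
    back to the question name."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)                     # QR, RD, RA + rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in answers)
    return header + query[12:] + rrs


def validate_response(query, resp):
    """Return (ok, reason). ok only for a reply that matches our id and question,
    is flagged as a response, has rcode 0 and carries at least one answer."""
    if len(resp) < 12:
        return False, "short reply"
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        return False, "id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    if flags & 0x000F:
        return False, f"rcode {flags & 0x000F}"      # e.g. 2 = SERVFAIL, 3 = NXDOMAIN
    if qd != 1 or resp[12:len(query)] != query[12:]:
        return False, "question mismatch"
    if an < 1:
        return False, "no answers"
    return True, "ok"


def probe(server, qname, timeout=1.0):
    """Send the query over UDP to server:53 and validate whatever comes back."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, 53))
            resp, _ = s.recvfrom(512)
        except OSError as e:              # timeout, ICMP unreachable, ...
            return False, str(e)
    return validate_response(q, resp)


if __name__ == "__main__":
    # relayd passes the host address as the only argument; the record to look up
    # (second argument) is an assumption: pick one every backend must answer.
    qname = sys.argv[2] if len(sys.argv) > 2 else "www.example.net."
    ok, why = probe(sys.argv[1], qname)
    print(f"{sys.argv[1]}: {why}", file=sys.stderr)
    sys.exit(1 if ok else 0)   # same convention as Nigel's script: non-zero = up, 0 = down
```

The SERVFAIL case is the one a TCP connect check cannot see: a resolver that has lost its upstream still accepts connections and still answers, but with rcode 2, and this probe marks it down.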
NAT + IPsec : strange pf error
Hello,

I'm trying to set up a config like this: http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

So I created lo1, gave it an IP address... and since then I can't compile my firewall script (which had worked like a charm for several months). I made no modifications to it, so I don't understand.

pfctl -nf /etc/pf.conf reports no error. pfctl -f /etc/pf.conf says:

pfctl: failed to create table __automatic_d96467ff_0 in : Invalid argument
pfctl in free(): error: chunk is already free
Abort trap (core dumped)

I use OpenBSD 4.3. Does someone know what is going wrong?
--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 31 90 84
Fax: 05 34 61 51 00
Mail: [EMAIL PROTECTED]
Re: NAT + IPsec : strange pf error - link1 flag
I found something more precise about the error: it only occurs when I set the link1 flag on lo1.
--
Regards,
Pierre BARDOU

-----Original Message-----
From: BARDOU Pierre
Sent: Tuesday 25 November 2008 11:51
To: misc@openbsd.org
Subject: NAT + IPsec : strange pf error

[cut]
Problems with relayd
Hello,

I have big trouble with relayd on OpenBSD 4.4 to loadbalance 2 squid proxies:

* relayctl reload doesn't work. It just says "command failed" and nothing appears in the relayd logs (relayd launched with relayd -d). I am testing right now, but when I go into production, killing and restarting relayd won't be possible.
* even worse, I stopped squid on one machine; using relayctl show hosts, the machine is reported to be down. But requests are still forwarded to it!

My relayd.conf:

node1=10.60.0.101
node2=10.60.0.102
squid_int=10.31.33.254

interval 5
log updates
prefork 10
timeout 1000

table <squid> { $node1 , $node2 }

http protocol http_proxy {
        tcp { nodelay, sack, socket buffer 65536 , backlog 1000 }
}

relay squid {
        listen on $squid_int port 3128
        protocol http_proxy
        forward to <squid> mode loadbalance check tcp
}

Is this a bug, or am I doing something wrong?
--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 31 90 84
Fax: 05 34 61 51 00
Mail: [EMAIL PROTECTED]
Re: NAT + IPsec problem
Hello,

I succeeded in doing what I wanted using this: http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

Many thanks for the help!
--
Regards,
Pierre BARDOU

-----Original Message-----
From: Claer [mailto:[EMAIL PROTECTED]
Sent: Sunday 9 November 2008 12:39
To: BARDOU Pierre
Subject: Re: NAT + IPsec problem

On Thursday 6 November 2008 at 15:30, BARDOU Pierre wrote:

> Hello,

Hello,

> [cut]
>
> Have I misconfigured something ?

Yes and no. This config cannot work.

The NAT action is done on the outgoing interface after filtering; the RDR action is done on the incoming interface before filtering.

When a packet arrives on the OpenBSD box, roughly, this is what happens:
- inspection of the packet by pf (in)
- does the packet have to be translated (rdr)?
- is the packet allowed (new session or existing session)?
- does the packet have to be sent out a particular interface (route-to)?
- routing processing by the kernel
- does the packet have to be encapsulated in an IPsec flow?
- the packet is matched against the corresponding routing table
- inspection of the packet on the outgoing interface (out)
- is the packet allowed (new session or existing session)?
- does the packet have to be sent out a particular interface (route-to)?
- does the packet have to be translated (nat)?

Since the packet is encapsulated before the NAT, the latter cannot apply.

As indicated in a reply to this thread, the solution is to go through a loopback to apply the NAT before routing. That way, the packet goes through the routing table twice.

Beyond that I can't afford to give more configs, it would be helping a competitor ;-) (NextiraOne)

Good luck!

Regards,

Claer
Re: Problem with relayctl - OBSD 4.4
Hello,

Here is the log for relayd -dv. When I try relayctl reload I get "command failed" and nothing in the relayd output.

# relayd -dv
warning: macro 'squid_adh' not used
warning: macro 'dns_adh' not used
warning: macro 'dns1_ext' not used
warning: macro 'dns2_ext' not used
warning: macro 'mx1_ext' not used
warning: macro 'mx2_ext' not used
warning: macro 'mx_int' not used
warning: macro 'mx_adh' not used
startup
relay_privinit: adding relay squid
protocol 1: name http_proxy
        flags: 0x0004
        type: http
relay_privinit: adding relay dns
protocol 2: name dnsfilter
        flags: 0x0004
        type: dns
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
host 10.60.0.102, check tcp (1ms), state unknown -> up, availability 100.00%
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
host 10.60.0.102, check tcp (1ms), state unknown -> up, availability 100.00%
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
host 10.60.0.101, check tcp (1ms), state unknown -> up, availability 100.00%
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
host 10.60.0.101, check tcp (1ms), state unknown -> up, availability 100.00%
relay_init: max open files 1024
adding 2 hosts from table squid:3128
adding 2 hosts from table DNS:53
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
init_filter: filter init done
relay_launch: running relay squid
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
adding 2 hosts from table squid:3128
relay_init: max open files 1024
init_tables: created 0 tables
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table DNS:53
adding 2 hosts from table squid:3128
pfe_dispatch_imsg: state 1 for host 2 10.60.0.102
relay_launch: running relay squid
adding 2 hosts from table DNS:53
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay dns
pfe_dispatch_imsg: state 1 for host 4 10.60.0.102
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay squid
relay_launch: running relay squid
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay dns
pfe_dispatch_imsg: state 1 for host 1 10.60.0.101
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay dns
relay_launch: running relay squid
pfe_dispatch_imsg: state 1 for host 3 10.60.0.101
relay_launch: running relay dns
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful)
--
Regards,
Pierre BARDOU

-----Original Message-----
From: Stuart Henderson [mailto:[EMAIL PROTECTED]
Sent: Tuesday 11 November 2008 13:20
To: misc@openbsd.org
Subject: Re: Problem with relayctl - OBSD 4.4

On 2008-11-11, James Records [EMAIL PROTECTED] wrote:
> Pierre,
>
> I'm seeing the same exact thing, I'm not able to reload the config without killing and restarting relayd. I haven't looked at the source yet, but I may get to that in the next couple of days. Restarting is an ok work around for me at this point, but won't be when it gets into production.
>
> Jim

Run relayd -dv, try and reload the config, check the output and paste it in mail.
Problem with relayctl - OBSD 4.4
Hello,

I have something which looks like a bug using relayctl on OpenBSD 4.4:

* My config file is correct according to relayd -n
* I can launch relayd
* I can't reload the config file using relayctl reload: it says "command failed"

/var/log/daemon.log and /var/log/messages don't report anything.

Does someone know about this problem?

Thank you
--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 31 90 84
Fax: 05 34 61 51 00
Mail: [EMAIL PROTECTED]
NAT + IPsec problem
Hello,

I am trying to set up an IPsec connection. Here is the ipsec.conf:

ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
        main auth hmac-sha1 enc aes-256 \
        quick auth hmac-sha1 enc aes-256 group modp1024 psk

Tunnels go up well:

flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use
flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes
esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes

As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx before the tunnel. So I put this in my pf.conf:

nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go through the tunnel, they are going to the internet. Here is the pflog:

Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request
Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request

-> Packets are going out through em0 (my inet interface) instead of enc0

As the pf doc says translation occurs before filtering, I don't understand why pf can see my real address (10.31.30.1). And the most important: why don't outgoing packets (with good addresses) go through the tunnel?

Have I misconfigured something?

Thank you for your help
--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse BP93668
F-31036 Toulouse CEDEX 1
Tel: 05 67 31 90 84
Fax: 05 34 61 51 00
Mail: [EMAIL PROTECTED]
Re: OpenBGP load balancing between 2 ISP (multihoming)
Hello,

I can load balance on the firewalls with pf, but the problem of that solution is that there is no failover AFAIK. If I lose a link between an ISP and me, half of the packets will be lost. And not losing packets is more important to me than load balancing...

--
Regards,
Pierre BARDOU

From: Frans Haarman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 7 October 2008 18:54
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

> 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
>
> > Hello,
> >
> > I am trying to set up a configuration like this:
> >
> > +----------+          +----------+
> > |   ISP1   |          |   ISP2   |   Cisco
> > |  ROUTER  |          |  ROUTER  |
> > |  AS3215  |          | AS12670  |
> > +----------+          +----------+
> >      ||                    ||
> > +----------+          +----------+
> > |   BGP    |          |   BGP    |   OpenBSD 4.3
> > |  ROUTER  |          |  ROUTER  |
> > | AS47818  |          | AS45818  |
> > +----------+          +----------+
> >      ||                    ||
> > +--------------------------------+
> > |       217.109.108.240/28       |
> > +--------------------------------+
> >      ||                    ||
> > +----------+          +----------+
> > |    FW    |  pfsync  |    FW    |   OpenBSD 4.3
> > |  MASTER  |==========|  SLAVE   |
> > +----------+          +----------+
> >      ||                    ||
> > +--------------------------------+
> > |        PRIVATE NETWORKS        |
> > +--------------------------------+
> >
> > I'd like to load balance outgoing connections to the internet, but I don't know how to configure openBGPd to do this.
> >
> > I searched a lot on the Internet and I found a lot of information on how to do this with cisco, but I have never found an openBGP solution. Some people speak about it but I have never seen it.
> >
> > I made a test conf where failover works like a charm (using iBGP on the FW's with 'set nexthop self' on BGP routers), but when both connections are active only one is used.
> >
> > Would it be possible to help me please? Is setting up iBGP sessions between FW's and BGP routers a good idea? Should I rather use OSPF for this? And in that case how to configure it to load balance/failover?
> >
> > Many thanks
> >
> > PS: load balancing incoming connections too would be very nice, but I understood it was much more difficult.
> >
> > --
> > Regards,
> > Pierre BARDOU
>
> just wondering.. What happens when you load balance your traffic on your firewalls? So you divide the traffic over both bgp routers:
> http://www.openbsd.org/faq/pf/pools.html
>
> maybe you could even do the route-to on the bgp routers? something like:
>
> route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin from $lan_net to any keep state
> #and on the other bgp router
> route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin from $lan_net to any keep state
>
> Beware: I have no idea if any of this is possible. But that's what I'd try :)
>
> Gr. FH
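The pf side of the approach sketched in the quoted reply, written out for the firewalls in the OpenBSD 4.3-era rule syntax of the pools FAQ page. This is an added example, not configuration from the thread or from the OpenBSD FAQ; the interface names, the LAN prefix and the two gateway addresses (RFC 5737 documentation addresses standing in for the BGP routers on the 217.109.108.240/28 segment) are assumptions:

```conf
# /etc/pf.conf fragment (added example; names and addresses are assumed)
ext_if  = "em0"           # firewall interface on the 217.109.108.240/28 segment
int_if  = "em1"           # interface toward the private networks
lan_net = "10.0.0.0/8"    # private networks behind the firewalls
bgp1    = "192.0.2.1"     # stand-in for BGP router 1's address on the /28
bgp2    = "192.0.2.2"     # stand-in for BGP router 2's address on the /28

# Hide the private networks behind the firewall's own public address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# New outbound connections from the LAN alternate between the two BGP
# routers. The gateway is chosen when the state is created, so one
# connection stays on one path; sticky-address additionally keeps a given
# LAN host on the same gateway for all of its connections.
pass in quick on $int_if route-to { ($ext_if $bgp1), ($ext_if $bgp2) } \
    round-robin sticky-address from $lan_net to any keep state

# Let the routed packets leave; the state created above already fixed
# their gateway, so no route-to is needed on the way out.
pass out on $ext_if from ($ext_if) to any keep state
```

What this does not do is the point of the reply above it: pf picks a gateway when the state is created and never checks whether that gateway still forwards, so when one BGP router or its upstream link goes down, about half of all new connections keep being sent into the dead path, and existing states are not moved either. Some form of gateway health check outside pf is needed before this gives failover as well as load balancing.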
Re: OpenBGP load balancing between 2 ISP (multihoming)
Hello,

So the solution would be to activate multipath on FW's, and to use ospf between BGP routers and my FW's (I've heard somewhere that OSPF can announce multiple default routes, contrary to BGP) to ensure failover, if I understand properly...

Nice idea, I'm trying to set that up on my test config.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

> Frans Haarman wrote:
> > 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
> >
> > > Hello,
> > >
> > > I am trying to set up a configuration like this:
> > >
> > > +----------+          +----------+
> > > |   ISP1   |          |   ISP2   |   Cisco
> > > |  ROUTER  |          |  ROUTER  |
> > > |  AS3215  |          | AS12670  |
> > > +----------+          +----------+
> > >      ||                    ||
> > > +----------+          +----------+
> > > |   BGP    |          |   BGP    |   OpenBSD 4.3
> > > |  ROUTER  |          |  ROUTER  |
> > > | AS47818  |          | AS45818  |
> > > +----------+          +----------+
> > >      ||                    ||
> > > +--------------------------------+
> > > |       217.109.108.240/28       |
> > > +--------------------------------+
> > >      ||                    ||
> > > +----------+          +----------+
> > > |    FW    |  pfsync  |    FW    |   OpenBSD 4.3
> > > |  MASTER  |==========|  SLAVE   |
> > > +----------+          +----------+
> > >      ||                    ||
> > > +--------------------------------+
> > > |        PRIVATE NETWORKS        |
> > > +--------------------------------+
> > >
> > > I'd like to load balance outgoing connections to the internet, but I don't know how to configure openBGPd to do this.
> > >
> > > I searched a lot on the Internet and I found a lot of information on how to do this with cisco, but I have never found an openBGP solution. Some people speak about it but I have never seen it.
> > >
> > > I made a test conf where failover works like a charm (using iBGP on the FW's with 'set nexthop self' on BGP routers), but when both connections are active only one is used.
> > >
> > > Would it be possible to help me please? Is setting up iBGP sessions between FW's and BGP routers a good idea? Should I rather use OSPF for this? And in that case how to configure it to load balance/failover?
> > >
> > > Many thanks
> > >
> > > PS: load balancing incoming connections too would be very nice, but I understood it was much more difficult.
> > >
> > > --
> > > Regards,
> > > Pierre BARDOU
> >
> > just wondering.. What happens when you load balance your traffic on your firewalls? So you divide the traffic over both bgp routers:
> > http://www.openbsd.org/faq/pf/pools.html
> >
> > maybe you could even do the route-to on the bgp routers? something like:
> >
> > route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin from $lan_net to any keep state
> > #and on the other bgp router
> > route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin from $lan_net to any keep state
> >
> > Beware: I have no idea if any of this is possible. But that's what I'd try :)
> >
> > Gr. FH
>
> You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath, although it's not a bgp solution. I think with default configuration you should have multipath capability. Check if there is not localpref chosen, and check your ISP's prepend length.
>
> Regards,
> Mariusz Makowski
Re: OpenBGP load balancing between 2 ISP (multihoming)
Hello,

Failover already works with BGP on my test conf, the problem is that BGP only selects ONE route to a destination, so there is no load balancing. The easiest for me would be to tell BGP to keep TWO routes to each destination, and use them in a round-robin way. That's what Cisco does with BGP multipath:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath

But AFAIK there is no way to set this up with openBGP. Am I right?

--
Regards,
Pierre BARDOU

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday 8 October 2008 09:05
To: BARDOU Pierre
Cc: Frans Haarman; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

> BARDOU Pierre wrote:
> > Hello,
> >
> > I can load balance on the firewalls with pf, but the problem of that solution is that there is no failover AFAIK. If I lose a link between an ISP and me, half of the packets will be lost. And not losing packets is more important to me than load balancing...
> >
> > --
> > Regards,
> > Pierre BARDOU
> >
> > From: Frans Haarman [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday 7 October 2008 18:54
> > To: BARDOU Pierre
> > Cc: misc@openbsd.org
> > Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
> >
> > > 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
> > >
> > > > Hello,
> > > >
> > > > I am trying to set up a configuration like this:
> > > >
> > > > +----------+          +----------+
> > > > |   ISP1   |          |   ISP2   |   Cisco
> > > > |  ROUTER  |          |  ROUTER  |
> > > > |  AS3215  |          | AS12670  |
> > > > +----------+          +----------+
> > > >      ||                    ||
> > > > +----------+          +----------+
> > > > |   BGP    |          |   BGP    |   OpenBSD 4.3
> > > > |  ROUTER  |          |  ROUTER  |
> > > > | AS47818  |          | AS45818  |
> > > > +----------+          +----------+
> > > >      ||                    ||
> > > > +--------------------------------+
> > > > |       217.109.108.240/28       |
> > > > +--------------------------------+
> > > >      ||                    ||
> > > > +----------+          +----------+
> > > > |    FW    |  pfsync  |    FW    |   OpenBSD 4.3
> > > > |  MASTER  |==========|  SLAVE   |
> > > > +----------+          +----------+
> > > >      ||                    ||
> > > > +--------------------------------+
> > > > |        PRIVATE NETWORKS        |
> > > > +--------------------------------+
> > > >
> > > > I'd like to load balance outgoing connections to the internet, but I don't know how to configure openBGPd to do this.
> > > >
> > > > I searched a lot on the Internet and I found a lot of information on how to do this with cisco, but I have never found an openBGP solution. Some people speak about it but I have never seen it.
> > > >
> > > > I made a test conf where failover works like a charm (using iBGP on the FW's with 'set nexthop self' on BGP routers), but when both connections are active only one is used.
> > > >
> > > > Would it be possible to help me please? Is setting up iBGP sessions between FW's and BGP routers a good idea? Should I rather use OSPF for this? And in that case how to configure it to load balance/failover?
> > > >
> > > > Many thanks
> > > >
> > > > PS: load balancing incoming connections too would be very nice, but I understood it was much more difficult.
> > > >
> > > > --
> > > > Regards,
> > > > Pierre BARDOU
> > >
> > > just wondering.. What happens when you load balance your traffic on your firewalls? So you divide the traffic over both bgp routers:
> > > http://www.openbsd.org/faq/pf/pools.html
> > >
> > > maybe you could even do the route-to on the bgp routers? something like:
> > >
> > > route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin from $lan_net to any keep state
> > > #and on the other bgp router
> > > route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin from $lan_net to any keep state
> > >
> > > Beware: I have no idea if any of this is possible. But that's what I'd try :)
> > >
> > > Gr. FH
>
> If you want to use fail-over capability of bgp, you can use prepend to increase length of one path. I have no experience with configuring openbgpd but on juniper/cisco it seems to work great.
>
> Regards,
> Mariusz
Re: OpenBGP load balancing between 2 ISP (multihoming)
Hello,

I set up net.inet.ip.multipath to 1.
I configured OSPF on the BGP routers to 'redistribute default' to FW's.
'ospfctl show rib' on FW's shows that they have two default routes, but 'ospfctl show fib' shows that only one is active.

Besides a 'dirty' solution with ifstated which inserts multipath routes, and withdraws them when one link/router fails, I am running out of ideas... Someone has one?

Thanks

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Mariusz Makowski [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 7 October 2008 21:38
To: Frans Haarman
Cc: BARDOU Pierre; misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

> Frans Haarman wrote:
> > 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
> >
> > > Hello,
> > >
> > > I am trying to set up a configuration like this:
> > >
> > > +----------+          +----------+
> > > |   ISP1   |          |   ISP2   |   Cisco
> > > |  ROUTER  |          |  ROUTER  |
> > > |  AS3215  |          | AS12670  |
> > > +----------+          +----------+
> > >      ||                    ||
> > > +----------+          +----------+
> > > |   BGP    |          |   BGP    |   OpenBSD 4.3
> > > |  ROUTER  |          |  ROUTER  |
> > > | AS47818  |          | AS45818  |
> > > +----------+          +----------+
> > >      ||                    ||
> > > +--------------------------------+
> > > |       217.109.108.240/28       |
> > > +--------------------------------+
> > >      ||                    ||
> > > +----------+          +----------+
> > > |    FW    |  pfsync  |    FW    |   OpenBSD 4.3
> > > |  MASTER  |==========|  SLAVE   |
> > > +----------+          +----------+
> > >      ||                    ||
> > > +--------------------------------+
> > > |        PRIVATE NETWORKS        |
> > > +--------------------------------+
> > >
> > > I'd like to load balance outgoing connections to the internet, but I don't know how to configure openBGPd to do this.
> > >
> > > I searched a lot on the Internet and I found a lot of information on how to do this with cisco, but I have never found an openBGP solution. Some people speak about it but I have never seen it.
> > >
> > > I made a test conf where failover works like a charm (using iBGP on the FW's with 'set nexthop self' on BGP routers), but when both connections are active only one is used.
> > >
> > > Would it be possible to help me please? Is setting up iBGP sessions between FW's and BGP routers a good idea? Should I rather use OSPF for this? And in that case how to configure it to load balance/failover?
> > >
> > > Many thanks
> > >
> > > PS: load balancing incoming connections too would be very nice, but I understood it was much more difficult.
> > >
> > > --
> > > Regards,
> > > Pierre BARDOU
> >
> > just wondering.. What happens when you load balance your traffic on your firewalls? So you divide the traffic over both bgp routers:
> > http://www.openbsd.org/faq/pf/pools.html
> >
> > maybe you could even do the route-to on the bgp routers? something like:
> >
> > route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin from $lan_net to any keep state
> > #and on the other bgp router
> > route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin from $lan_net to any keep state
> >
> > Beware: I have no idea if any of this is possible. But that's what I'd try :)
> >
> > Gr. FH
>
> You might want to read about http://www.openbsd.org/faq/faq6.html#Multipath, although it's not a bgp solution. I think with default configuration you should have multipath capability. Check if there is not localpref chosen, and check your ISP's prepend length.
>
> Regards,
> Mariusz Makowski
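The 'dirty' ifstated approach mentioned in the message above, written out as an added example for the firewalls. This is not configuration from the thread; the four addresses are RFC 5737 documentation addresses standing in for the two BGP routers on the 217.109.108.240/28 segment and for the two ISP routers behind them, and the probe interval and ping timeout are arbitrary choices:

```conf
# /etc/ifstated.conf for each firewall (added example, not from the thread).
# Assumed addresses (RFC 5737 documentation ranges used as stand-ins):
#   192.0.2.1     BGP router 1 on the 217.109.108.240/28 segment
#   192.0.2.2     BGP router 2 on the same segment
#   198.51.100.1  ISP1's router, reachable only through BGP router 1
#   203.0.113.1   ISP2's router, reachable only through BGP router 2
# Requires net.inet.ip.multipath=1 so the kernel balances over both
# -mpath default routes instead of using only the first one.

init-state both

# Probe each ISP router every 10 seconds; a path counts as up when ping
# exits 0. Interval and timeout are arbitrary choices.
isp1_up = '( "ping -q -c 1 -w 2 198.51.100.1 >/dev/null 2>&1" every 10 )'
isp2_up = '( "ping -q -c 1 -w 2 203.0.113.1 >/dev/null 2>&1" every 10 )'

# Both paths healthy: two multipath default routes. The host routes pin
# each probe to its own BGP router, so a dead ISP router behind a healthy
# BGP router is still noticed (otherwise the probe could take the other path).
state both {
	init {
		run "route -qn add -host 198.51.100.1 192.0.2.1"
		run "route -qn add -host 203.0.113.1 192.0.2.2"
		run "route -qn add -mpath default 192.0.2.1"
		run "route -qn add -mpath default 192.0.2.2"
	}
	if ! $isp1_up && ! $isp2_up
		set-state none
	if ! $isp1_up
		set-state isp2_only
	if ! $isp2_up
		set-state isp1_only
}

# Only the path via BGP router 1 is healthy.
state isp1_only {
	init {
		run "route -qn add -mpath default 192.0.2.1"
		run "route -qn delete -mpath default 192.0.2.2"
	}
	if $isp2_up
		set-state both
	if ! $isp1_up
		set-state none
}

# Only the path via BGP router 2 is healthy.
state isp2_only {
	init {
		run "route -qn add -mpath default 192.0.2.2"
		run "route -qn delete -mpath default 192.0.2.1"
	}
	if $isp1_up
		set-state both
	if ! $isp2_up
		set-state none
}

# Neither path answers: withdraw both defaults so nothing is sent down a
# path already known to be dead.
state none {
	init {
		run "route -qn delete -mpath default 192.0.2.1"
		run "route -qn delete -mpath default 192.0.2.2"
	}
	if $isp1_up && $isp2_up
		set-state both
	if $isp1_up
		set-state isp1_only
	if $isp2_up
		set-state isp2_only
}
```

Each firewall keeps one kernel default route per healthy path, added with route -mpath, and the kernel spreads traffic over both only while net.inet.ip.multipath is 1. Every state's init block re-applies the full set of routes it wants rather than only the difference, so the machine recovers cleanly whatever state it came from (route -q keeps the "already exists" and "not found" errors quiet). The pinned host routes are what make the probe meaningful: without them a probe toward ISP1's router could be forwarded through BGP router 2 and report the ISP1 path healthy while its link is down, which is precisely the case where the BGP router stays up but has become a black hole. Enable the daemon through ifstated_flags in /etc/rc.conf.local and watch its state transitions in syslog when testing a link failure.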
Re: OpenBGP load balancing between 2 ISP (multihoming)
The problem is that if the ISP router fails, my corresponding BGP router is still up and running, and so keeps the CARP master, which makes it a black hole :(

--
Regards,
Pierre BARDOU

From: Frans Haarman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday 8 October 2008 10:56
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)

> ospf and bgp are designed to select the best possible route and add that to the kernel routing table I think ;)
>
> I still think you could run 2 CARPs on both BGP routers and load balance on your firewalls. It means if one BGP router fails you will be load balancing your connections to the same BGP router..
>
> 2008/10/8 BARDOU Pierre [EMAIL PROTECTED]
>
> > Hello,
> >
> > I set up net.inet.ip.multipath to 1.
> > I configured OSPF on the BGP routers to 'redistribute default' to FW's.
> > 'ospfctl show rib' on FW's shows that they have two default routes, but 'ospfctl show fib' shows that only one is active.
> >
> > Besides a 'dirty' solution with ifstated which inserts multipath routes, and withdraws them when one link/router fails, I am running out of ideas... Someone has one?
> >
> > Thanks
> >
> > --
> > Regards,
> > Pierre BARDOU
> >
> > -----Original Message-----
> > From: Mariusz Makowski [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday 7 October 2008 21:38
> > To: Frans Haarman
> > Cc: BARDOU Pierre; misc@openbsd.org
> > Subject: Re: OpenBGP load balancing between 2 ISP (multihoming)
> >
> > > Frans Haarman wrote:
> > > > 2008/10/7 BARDOU Pierre [EMAIL PROTECTED]
> > > >
> > > > > Hello,
> > > > >
> > > > > I am trying to set up a configuration like this:
> > > > >
> > > > > +----------+          +----------+
> > > > > |   ISP1   |          |   ISP2   |   Cisco
> > > > > |  ROUTER  |          |  ROUTER  |
> > > > > |  AS3215  |          | AS12670  |
> > > > > +----------+          +----------+
> > > > >      ||                    ||
> > > > > +----------+          +----------+
> > > > > |   BGP    |          |   BGP    |   OpenBSD 4.3
> > > > > |  ROUTER  |          |  ROUTER  |
> > > > > | AS47818  |          | AS45818  |
> > > > > +----------+          +----------+
> > > > >      ||                    ||
> > > > > +--------------------------------+
> > > > > |       217.109.108.240/28       |
> > > > > +--------------------------------+
> > > > >      ||                    ||
> > > > > +----------+          +----------+
> > > > > |    FW    |  pfsync  |    FW    |   OpenBSD 4.3
> > > > > |  MASTER  |==========|  SLAVE   |
> > > > > +----------+          +----------+
> > > > >      ||                    ||
> > > > > +--------------------------------+
> > > > > |        PRIVATE NETWORKS        |
> > > > > +--------------------------------+
> > > > >
> > > > > I'd like to load balance outgoing connections to the internet, but I don't know how to configure openBGPd to do this.
> > > > >
> > > > > I searched a lot on the Internet and I found a lot of information on how to do this with cisco, but I have never found an openBGP solution. Some people speak about it but I have never seen it.
> > > > >
> > > > > I made a test conf where failover works like a charm (using iBGP on the FW's with 'set nexthop self' on BGP routers), but when both connections are active only one is used.
> > > > >
> > > > > Would it be possible to help me please? Is setting up iBGP sessions between FW's and BGP routers a good idea? Should I rather use OSPF for this? And in that case how to configure it to load balance/failover?
> > > > >
> > > > > Many thanks
> > > > >
> > > > > PS: load balancing incoming connections too would be very nice, but I understood it was much more difficult.
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Pierre BARDOU
> > > >
> > > > just wondering.. What happens when you load balance your traffic on your firewalls? So you divide the traffic over both bgp routers:
> > > > http://www.openbsd.org/faq/pf/pools.html
> > > >
> > > > maybe you could even do the route-to on the bgp routers? something like:
> > > >
> > > > route-to { ($ext_if $ext_ISP1), ($local_if $BGP2 ) } round-robin from $lan_net to any keep state
> > > > #and on the other bgp router
> > > > route-to { ($ext_if $ext_ISP2), ($local_if $BGP1 ) } round-robin from $lan_net to any keep
OpenBGP load balancing between 2 ISP (multihoming)
Hello,

I am trying to set up a configuration like this:

+----------+          +----------+
|   ISP1   |          |   ISP2   |   Cisco
|  ROUTER  |          |  ROUTER  |
|  AS3215  |          | AS12670  |
+----------+          +----------+
     ||                    ||
+----------+          +----------+
|   BGP    |          |   BGP    |   OpenBSD 4.3
|  ROUTER  |          |  ROUTER  |
| AS47818  |          | AS45818  |
+----------+          +----------+
     ||                    ||
+--------------------------------+
|       217.109.108.240/28       |
+--------------------------------+
     ||                    ||
+----------+          +----------+
|    FW    |  pfsync  |    FW    |   OpenBSD 4.3
|  MASTER  |==========|  SLAVE   |
+----------+          +----------+
     ||                    ||
+--------------------------------+
|        PRIVATE NETWORKS        |
+--------------------------------+

I'd like to load balance outgoing connections to the internet, but I don't know how to configure openBGPd to do this.

I searched a lot on the Internet and I found a lot of information on how to do this with cisco, but I have never found an openBGP solution. Some people speak about it but I have never seen it.

I made a test conf where failover works like a charm (using iBGP on the FW's with 'set nexthop self' on BGP routers), but when both connections are active only one is used.

Would it be possible to help me please? Is setting up iBGP sessions between FW's and BGP routers a good idea? Should I rather use OSPF for this? And in that case how to configure it to load balance/failover?

Many thanks

PS: load balancing incoming connections too would be very nice, but I understood it was much more difficult.

--
Regards,
Pierre BARDOU