Re: Intl I350 Network Card Not Found

2020-09-17 Thread Daniel Ouellet
Hi Brandon,

The key point here in the answer provided to you was "firmware", not
"driver".

Two different things.

The driver, for Linux for example, is used to allow the network stack of
Linux to use the card, based on what the actual card supports.

Firmware is what actually runs on the flash of the card to initialize the
card itself, etc.

That's what OpenBSD installs when you do a fresh install, but it can't be
distributed because of license issues, so you download it at install
time; it is not part of the OS.

Think about it as a BLOB, not a driver.

Hope this clarifies the answer you got a bit more.

Daniel


On 9/17/20 6:55 PM, Brandon Woodford wrote:
> Should this really be necessary though? The card is listed under the 
> supported em(4) devices.
> 
> I've found the drivers on Intel's website but only for Linux specific 
> systems. Not really sure where to go from here...
> 
> On Thu, Sep 17, 2020, at 2:07 PM, Tom Smyth wrote:
>> Try getting the Intel firmware from the Intel download site or
>> from your PCI card manufacturer...
>>
>> On Thursday, 17 September 2020, Brandon Woodford  wrote:
>>> Hello,
>>>
>>> I've been trying to fix an issue with my Intel I350-T4 PCI network card 
>>> not being reported to the OpenBSD 6.7 system during boot. Looking through 
>>> dmesg, I was not able to find any reference to the card or the em interface 
>>> name that it should have. I've also tried updating all firmware with 
>>> fw_update. After that I tried creating a /etc/hostname.em1 file that just 
>>> has dhcp included in it and ran sh /etc/netstart. Unfortunately, no luck as 
>>> of yet. I was able to find the boot_config(8) man page that describes a 
>>> similar issue with the ne(4) driver. I went into the boot configuration and 
>>> ran: find em and received a response of: em* at pci* dev -1 function -1 
>>> flags 0x0. Not sure if that means anything.
>>>
>>> Quick note: the card does work on a separate system that is not OpenBSD but 
>>> FreeBSD.
>>>
>>> Any help in the right direction is appreciated!
>>>
>>> Thanks.
>>
>>
>> -- 
>> Kindest regards,
>> Tom Smyth.



Re: pf.conf parser/lint

2020-09-04 Thread Daniel Ouellet
> We provide over FIVE ways to identify ports without using the hardware
> driver names, but hey... this discussion is about the theory you can
> check overall behaviour of a system by ignoring the important parts.

I always put a description and group field in my hostname config so that
it allows me to have pf use a more generic syntax, and it's been doing
wonders for me for years.

But you said 5 ways? This is most likely a stupid question, but what
other ways are there? I don't mean to sound like a jerk, I am truly
curious, as I don't know 5 ways for sure, and I sure would love to learn
them.

Thanks

Daniel
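
Daniel's habit above, giving every interface a `group` in hostname.if(5) and writing pf.conf against the group name (or `egress`) rather than the driver name, is something a lint pass can check. The following is an added example, not code from the thread or from OpenBSD: a small Python linter that finds the interface positions in a pf.conf (the operand of `on`, including `(if)`, `{ a b }` lists and `$macro` references) and reports the ones that name a hardware interface. It rests on one fact from ifconfig(8): an interface group name may not end in a digit, so an interface token ending in a digit (em0, re1, vlan10) is a hardware name while egress, wan or lo are groups. The sample pf.conf and the macro name `ext_if` are constructed for the example; `pfctl -nf /etc/pf.conf` remains the syntax check, this only covers the naming point.

```python
"""Report hardware interface names used in pf.conf interface positions.

Added example, not code from the thread or from OpenBSD. Heuristic: an
interface group name may not end in a digit (ifconfig(8)), so a token in
an interface position that ends in a digit (em0, re1, vlan10) is a
hardware name, while egress, wan, lan or lo are groups.
"""
import re
import sys

# name = "value"  or  name = value   (one-line macro definitions only)
_MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
# operand of "on": a single token, (dynamic), !negated, $macro or { list }
_ON_RE = re.compile(r'\bon\s+(\{[^}]*\}|\(?!?\$?[\w.-]+\)?)')
_HW_RE = re.compile(r'^[a-z]+\d+$')

# Constructed sample; ext_if is a made-up macro name.
SAMPLE_PF_CONF = """\
# constructed sample pf.conf for the linter
ext_if = "em0"
set skip on lo
block return log
pass out on egress
pass in on wan proto tcp to port 22
pass in on $ext_if proto tcp to port 80
pass in on { re0 em1 } proto udp to port 53
pass in on (vlan10) inet proto icmp
"""


def parse_macros(text):
    """Return {name: value} for the simple one-line macro definitions."""
    macros = {}
    for line in text.splitlines():
        m = _MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def interface_tokens(line):
    """Every token used as an interface after 'on' in one rule line."""
    tokens = []
    for m in _ON_RE.finditer(line.split('#', 1)[0]):
        operand = m.group(1)
        if operand.startswith('{'):
            parts = operand.strip('{}').replace(',', ' ').split()
        else:
            parts = [operand]
        tokens.extend(p.strip('()!') for p in parts)
    return tokens


def hardware_refs(text):
    """(lineno, token_as_written, resolved_name) for each interface position
    that names a hardware interface. $macro references are resolved one
    level, so 'on $ext_if' with ext_if = "em0" is reported as well."""
    macros = parse_macros(text)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if _MACRO_RE.match(line):
            continue  # report the definition where it is used, not here
        for tok in interface_tokens(line):
            resolved = macros.get(tok[1:], tok) if tok.startswith('$') else tok
            for name in resolved.replace(',', ' ').split():
                if _HW_RE.match(name):
                    findings.append((lineno, tok, name))
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PF_CONF
    for lineno, tok, name in hardware_refs(text):
        print(f'line {lineno}: "{tok}" is hardware interface {name}; use a group name')
```

Run it against a real file with `python3 pflint.py /etc/pf.conf` (the script name is the reader's choice). A finding such as `line 7: "$ext_if" is hardware interface em0` is the cue to put `group wan` on the `inet` line in hostname.em0 and write the rule as `pass in on wan`, which also lets the same pf.conf move unchanged to a box whose uplink is re0.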



Re: Microsoft's war on plain text email in open source

2020-08-26 Thread Daniel Ouellet
On 8/26/20 3:08 PM, Chris Bennett wrote:
> On Wed, Aug 26, 2020 at 12:28:00PM -0500, Mike Hammett wrote:
>> Text-only was great in 1985. 
>>
>>
> 
> And it's still pretty badass in 2020.
> I really love the way company networks are brought down by a little
> helpful Javascript in an HTML email.

I truly HATE HTML emails.

Anyone that needs HTML emails really has nothing interesting to say, as
it adds absolutely NOTHING to the conversation and is useless.

I would gladly live in 1985 forever if that means I don't have to deal
with the bulky crap of HTML emails.

Amen!

Daniel



Adding more syspatch platform.

2020-08-11 Thread Daniel Ouellet
Just a general question, as I have come to really love syspatch and
sysupgrade, to the point that, as opposed to before, now my platforms are
pretty much always up to date and patched just a few days after patches
are released, or in some cases even the same day.

To add more platforms, I guess that means manpower, right, or is that a
hardware issue?

Not a complaint at all, I love where we are, just a really generic
question, and if that's a hardware issue, I think there is more than
that, I would be happy to contribute some if that helps.

If it's more than that, I apologize for the question.

Many thanks for all you do! Greatly appreciated!

Daniel



Re: Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?

2020-06-23 Thread Daniel Ouellet
OpenBSD does run on some old Cisco routers; it's been done before. Sure,
it's not officially supported, nor does it support all the various
interfaces, but it's known to work on some.

I am trying to dig up a dmesg showing it too.

Plus Cisco has some firewall-type devices that are overpriced PCs that
can run OpenBSD.

Here is an example using the old Cisco IDS-4215:

https://komlositech.wordpress.com/2018/12/30/revive-a-cisco-ids-into-a-capable-openbsd-firewall/

I was just curious as to what stage it might be at now.

I am not saying it makes sense to do, power-wise, for sure.

Maybe Juniper instead, as Juniper is based on FreeBSD anyway and it's an
overpriced PC with specialized network cards. (; OK, more than that, but
you get the picture I think.

I was just curious as to what it may be running on these days?

Could be Cisco routers, Cisco IDS, Cisco firewalls; unless I am mistaken
they also have servers, or used to anyway, and why not Juniper gear?

In short, any box that appears to be Cisco or Juniper but has something
different under the hood.

And yes, this is stupid if you look only at what you get compared to
other, better choices.

I am not doing it for best performance, but to feel comfortable.

Call it marketing bullshit, because that's exactly what it is! (;

Daniel


On 6/23/20 12:37 PM, Kaya Saman wrote:
> Hi, I totally understand the position you're in and sympathize.
> 
> I've never heard of Cisco routers being able to run OpenBSD though IOS
> is based on BSD as far as I'm aware.
> 
> Not a direct solution to your use case but you could always run a
> small mini-itx or SBC system behind the Cisco router. You could put it
> as a firewall solution and have the OBSD box doing all the major
> routing, vlans, firewall (pf) etc... while the Cisco could just simply
> forward information between the private and public IP ranges. Or if
> using dial-in then you can bridge the OBSD and Cisco then use OBSD as
> the PPPoE device
> 
> It is one suggestion in any case though it might not be the most ideal.
> 
> Regards,
> 
> Kaya
> 
> On Tue, Jun 23, 2020 at 5:03 PM Daniel Ouellet  wrote:
>>
>> Hi,
>>
>> This might be a bit of a weird question, but I saw WireGuard being put in
>> the kernel in the last few days and I am very excited about it, as opposed
>> to using the package for it, and even today there was more on it.
>>
>> Many thanks for this!!!
>>
>> I also know there was effort and some Cisco routers can run OpenBSD very
>> well; however, I have no clue as to where any of this stands now.
>>
>> I don't have a problem using APU-type or other Ubiquiti boxes for small
>> OpenBSD routers, but I wonder about using Cisco instead. The only reason
>> is for maybe more stability, most likely less performance for sure, but
>> less chance to have a corrupted reboot on power loss, etc.
>>
>> And sadly, for some customers, having what they see as a computer as a
>> router doesn't make them feel good, but seeing a Cisco box kind of wipes
>> out that impression. I am not saying it's justified, but perception is
>> sometimes everything; but if I have my say in it I want all my routers to
>> be OpenBSD as much as I can, where the need is not multiple Gb in speed.
>>
>> So, any suggestions or updates as to what's now available and hopefully
>> in use now?
>>
>> I really don't care for any special model, or even Juniper, as long as I
>> can put OpenBSD on it.
>>
>> So any feedback as to where it stands now and what's usable in a
>> reliable way would be greatly appreciated.
>>
>> And yes, I know I may well get better performance in some cases with a
>> small APU device than a Cisco one, but as we all know that may not be the
>> logical thing to use; sadly it's about how some clients may feel, not
>> knowing any better.
>>
>> I guess you can see that as some people do security by obscurity, but we
>> all know it's not more secure; this is routing by obscurity I guess, and
>> maybe less performant, but it achieves comfort and confidence through
>> obscurity.
>>
>> I just have no clue, if WireGuard needs to be run, what can be achieved,
>> as the CPU in all Cisco devices is always underpowered, we all know that.
>>
>> This may not go anywhere; however, I'd like to look, even if for nothing
>> else than just being fun to do, if that can't even be usable.
>>
>> Many thanks for your time and feedback.
>>
>> Daniel
>>
>> PS: And yes, that's most likely stupid, I know. Sometimes what's used is
>> not always what makes sense, for other reasons that are stupid.
>>
> 



Re: Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?

2020-06-23 Thread Daniel Ouellet
Thanks

I have run EdgeRouters for a very long time, but that doesn't fit the
marketing bullshit needed. (;

I ran my first one as far back as 2015.

https://marc.info/?l=openbsd-misc=144747982003992=2

And the new Ubiquiti most likely would have better performance compared
to many old Cisco boxes possibly running OpenBSD.

That's sadly not the goal here.


On 6/23/20 1:40 PM, Jordan Geoghegan wrote:
> I don't know much about Cisco hardware, but I've had great luck with the
> Edgerouter line of products. I've run my home network on an Edgerouter
> Pro for several years now without issue, and have dozens of ER4 and
> ER-Lite devices out in the wild.
> 
> If you're looking for non-x86 routing solutions, then the Edgerouter is
> one of the best bets.
> 
> Regards,
> 
> Jordan
> 
> On 2020-06-23 09:01, Daniel Ouellet wrote:
>> Hi,
>>
>> This might be a bit of a weird question, but I saw WireGuard being put in
>> the kernel in the last few days and I am very excited about it, as opposed
>> to using the package for it, and even today there was more on it.
>>
>> Many thanks for this!!!
>>
>> I also know there was effort and some Cisco routers can run OpenBSD very
>> well; however, I have no clue as to where any of this stands now.
>>
>> I don't have a problem using APU-type or other Ubiquiti boxes for small
>> OpenBSD routers, but I wonder about using Cisco instead. The only reason
>> is for maybe more stability, most likely less performance for sure, but
>> less chance to have a corrupted reboot on power loss, etc.
>>
>> And sadly, for some customers, having what they see as a computer as a
>> router doesn't make them feel good, but seeing a Cisco box kind of wipes
>> out that impression. I am not saying it's justified, but perception is
>> sometimes everything; but if I have my say in it I want all my routers to
>> be OpenBSD as much as I can, where the need is not multiple Gb in speed.
>>
>> So, any suggestions or updates as to what's now available and hopefully
>> in use now?
>>
>> I really don't care for any special model, or even Juniper, as long as I
>> can put OpenBSD on it.
>>
>> So any feedback as to where it stands now and what's usable in a
>> reliable way would be greatly appreciated.
>>
>> And yes, I know I may well get better performance in some cases with a
>> small APU device than a Cisco one, but as we all know that may not be the
>> logical thing to use; sadly it's about how some clients may feel, not
>> knowing any better.
>>
>> I guess you can see that as some people do security by obscurity, but we
>> all know it's not more secure; this is routing by obscurity I guess, and
>> maybe less performant, but it achieves comfort and confidence through
>> obscurity.
>>
>> I just have no clue, if WireGuard needs to be run, what can be achieved,
>> as the CPU in all Cisco devices is always underpowered, we all know that.
>>
>> This may not go anywhere; however, I'd like to look, even if for nothing
>> else than just being fun to do, if that can't even be usable.
>>
>> Many thanks for your time and feedback.
>>
>> Daniel
>>
>> PS: And yes, that's most likely stupid, I know. Sometimes what's used is
>> not always what makes sense, for other reasons that are stupid.
>>
> 



Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?

2020-06-23 Thread Daniel Ouellet
Hi,

This might be a bit of a weird question, but I saw WireGuard being put in
the kernel in the last few days and I am very excited about it, as opposed
to using the package for it, and even today there was more on it.

Many thanks for this!!!

I also know there was effort and some Cisco routers can run OpenBSD very
well; however, I have no clue as to where any of this stands now.

I don't have a problem using APU-type or other Ubiquiti boxes for small
OpenBSD routers, but I wonder about using Cisco instead. The only reason
is for maybe more stability, most likely less performance for sure, but
less chance to have a corrupted reboot on power loss, etc.

And sadly, for some customers, having what they see as a computer as a
router doesn't make them feel good, but seeing a Cisco box kind of wipes
out that impression. I am not saying it's justified, but perception is
sometimes everything; but if I have my say in it I want all my routers to
be OpenBSD as much as I can, where the need is not multiple Gb in speed.

So, any suggestions or updates as to what's now available and hopefully
in use now?

I really don't care for any special model, or even Juniper, as long as I
can put OpenBSD on it.

So any feedback as to where it stands now and what's usable in a
reliable way would be greatly appreciated.

And yes, I know I may well get better performance in some cases with a
small APU device than a Cisco one, but as we all know that may not be the
logical thing to use; sadly it's about how some clients may feel, not
knowing any better.

I guess you can see that as some people do security by obscurity, but we
all know it's not more secure; this is routing by obscurity I guess, and
maybe less performant, but it achieves comfort and confidence through
obscurity.

I just have no clue, if WireGuard needs to be run, what can be achieved,
as the CPU in all Cisco devices is always underpowered, we all know that.

This may not go anywhere; however, I'd like to look, even if for nothing
else than just being fun to do, if that can't even be usable.

Many thanks for your time and feedback.

Daniel

PS: And yes, that's most likely stupid, I know. Sometimes what's used is
not always what makes sense, for other reasons that are stupid.



Re: Correct subnet mask for alias IPs?

2020-06-19 Thread Daniel Ouellet
On 6/19/20 7:15 AM, Robert wrote:
> Hi,
> 
> I want to configure multiple alias IPs on the same interface and in the same 
> subnet.
> (reason: hosting services with dedicated DNS names and IPs)
> 
> inet 10.0.0.1 255.255.255.0
> inet alias 10.0.0.2 255.255.255.0
> inet alias 10.0.0.3 255.255.255.255
> ...
> 
> What is the correct subnet mask for those alias IPs?

If you have multiple IPs in the same subnet, you enter them as /32.

If you have two different subnets NOT in the same range, you enter the
first one of the new subnet with its full subnet mask, and any additional
ones in that second subnet you enter as /32.

Example:

inet 10.0.0.1 255.255.255.0
inet alias 10.0.0.2 255.255.255.255
inet alias 10.0.0.3 255.255.255.255
inet 10.1.0.1 255.255.255.0
inet alias 10.1.0.2 255.255.255.255
inet alias 10.1.0.3 255.255.255.255
inet 10.2.0.1 255.255.255.0
inet alias 10.2.0.2 255.255.255.255
inet alias 10.2.0.3 255.255.255.255

That's always how I did it. If I am doing it wrong, then I never
understood it properly. Maybe the man page might benefit from
clarifying it.

Hope this helps you.

Daniel
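
To make the netmask rule in the reply above mechanical, here is an added example (not code from the thread or from OpenBSD) that takes a list of addresses in the order they are to be configured and emits the hostname.if(5) lines: the first address seen in each subnet gets that subnet's netmask, every further address in an already-present subnet gets 255.255.255.255, and every line after the first is written with the `alias` keyword, as the examples in hostname.if(5) do. A bare address without a prefix length is accepted only when it falls inside a subnet already given, so the first address of a new subnet cannot slip in without its mask and silently become a /32.

```python
"""Emit hostname.if(5) inet lines for several addresses on one interface.

Added example, not code from the thread or from OpenBSD. Netmask rule as
stated in the reply above: the first address of each subnet carries that
subnet's netmask; any further address in a subnet already present on the
interface is written with 255.255.255.255. Every line after the first
uses the ``alias`` keyword, as the examples in hostname.if(5) do.
"""
import ipaddress


def hostname_if_lines(addresses):
    """addresses: 'a.b.c.d/len' strings in configuration order. A bare
    'a.b.c.d' without a prefix length is accepted only when it falls in a
    subnet already configured by an earlier entry; otherwise a ValueError
    points at the entry that needs its mask."""
    networks = []   # IPv4Network objects already present on the interface
    lines = []
    for spec in addresses:
        if '/' in spec:
            iface = ipaddress.IPv4Interface(spec)
            addr, net = iface.ip, iface.network
        else:
            addr = ipaddress.IPv4Address(spec)
            net = next((n for n in networks if addr in n), None)
            if net is None:
                raise ValueError(
                    f'{spec}: first address in a new subnet needs a prefix length')
        if net in networks:
            mask = '255.255.255.255'     # additional address in a known subnet
        else:
            mask = str(net.netmask)      # first address in this subnet
            networks.append(net)
        keyword = 'inet' if not lines else 'inet alias'
        lines.append(f'{keyword} {addr} {mask}')
    return lines


if __name__ == '__main__':
    # The addresses from the reply above, in configuration order.
    print('\n'.join(hostname_if_lines(
        ['10.0.0.1/24', '10.0.0.2', '10.0.0.3',
         '10.1.0.1/24', '10.1.0.2', '10.1.0.3',
         '10.2.0.1/24', '10.2.0.2', '10.2.0.3'])))
```

Redirect the output into /etc/hostname.em0 (or whichever interface) and apply it with `sh /etc/netstart em0`; `ifconfig em0` should then list every address, with the same-subnet ones showing netmask 0xffffffff.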



Re: IKEv2 difference with 6.7

2020-06-17 Thread Daniel Ouellet
Hi Tobias,

> So the error message is probably in the other side's logs but here is
> a guess: 5.6 doesn't know curve25519.
> 
> Try adding the following to your iked.conf:
> 
>   ikesa group modp2048

Many thanks!!!

That was the issue and you saved me from pulling out what I have left of my hair.

Thank you!

Daniel



Re: IKEv2 difference with 6.7

2020-06-16 Thread Daniel Ouellet
Hi,

> What I see is that the initial message is received but ignored, so this
> side here probably runs into some kind of error.
> To find out what exactly causes this, a more verbose log would help.
> You could manually start iked with -dvv and share the log for an
> incoming IKE_SA_INIT request from 72.83.103.147:500 (best without the
> grep because the following lines may contain the actual error messages).

gateway# iked -dvv
set_policy_auth_method: using rsa for peer
/etc/iked/pubkeys/ipv4/66.63.5.250
set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250
ikev2 "VPN" active tunnel esp inet from 72.83.103.147 to 66.63.5.250
local 72.83.103.147 peer 66.63.5.250 ikesa enc
aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth
hmac-sha2-256,hmac-sha1 group
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1
esn,noesn lifetime 10800 bytes 536870912 rsa
set_policy_auth_method: using rsa for peer
/etc/iked/pubkeys/ipv4/66.63.5.250
set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250
ikev2 "Flow" active tunnel esp inet from 66.63.44.66 to 0.0.0.0/0 from
66.63.44.90 to 0.0.0.0/0 from 66.63.44.96/28 to 0.0.0.0/0 from
66.63.44.67 to 66.63.0.0/18 from 66.63.44.79 to 45.7.36.0/22 from
66.63.44.79 to 185.40.64.0/22 from 66.63.44.79 to 43.229.64.0/22 from
66.63.44.79 to 162.249.72.0/21 from 66.63.44.79 to 104.160.128.0/19 from
66.63.44.79 to 192.64.168.0/21 from 66.63.44.79 to 103.240.224.0/22 from
66.63.44.65 to 66.63.5.245 from 66.63.44.65 to 66.63.5.250 local any
peer 66.63.5.250 ikesa enc aes-256,aes-192,aes-128,3des prf
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1
esn,noesn lifetime 10800 bytes 536870912 rsa
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
config_getfragmentation: no fragmentation
config_getnattport: nattport 4500
ikev2_init_ike_sa: initiating "VPN"
ikev2_policy2id: srcid FQDN/gateway.ouellet.us length 22
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe6b00a86abde210d 0x
72.83.103.147:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xe6b00a86abde210d
0x 66.63.5.250:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xe6b00a86abde210d rspi 0x
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
length 334 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE
spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024

Re: IKEv2 difference with 6.7

2020-06-16 Thread Daniel Ouellet
> The retransmits tell us that the peer doesn't answer.  Or, to be more
> precise, it doesn't receive *any* message from the peer.  Can you have
> a look at the peer's logs?  Does the peer see these packets but chooses
> not to reply?  Is the peer also an OpenBSD?  6.6?  6.7?

Not a big deal, but yes, the remote received and sent a reply back. I
pointed it out in my reply as well.

"Now if I put the iked 6.7 binary instead, I see the traffic going out,
enter the remote tunnel, getting out of the tunnel to come back, but
never coming in the gateway unit."

Here are the logs from the remote device. I filtered by the source IP to
reduce the logs, as there are a lot of different clients on that box.

And you can see the reply as well at Jun 16 16:39:48 below.

# tail -f /var/log/daemon | grep 72.83.103.147
Jun 16 16:36:27 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:36:27 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:36:43 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:36:43 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:37:15 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:37:15 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:05 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:05 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:07 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:07 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:11 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:11 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:19 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:19 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:35 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:35 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:39:48 tunnel iked[5075]: ikev2_msg_send: CREATE_CHILD_SA
request from 66.63.5.250:500 to 72.83.103.147:500 msgid 0, 256 bytes
Jun 16 16:40:07 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes
Jun 16 16:40:07 tunnel iked[5075]: ikev2_recv: IKE_SA_INIT request from
initiator 72.83.103.147:500 to 66.63.5.250:500 policy 'Vadim-flow' id 0,
278 bytes


> If you can't look at the logs, you could tcpdump on both sides port 500
> and check if a) the packet arrives at the peer b) the peer tries to
> respond.

Here with the 6.7 binary:

gateway$ doas tcpdump -nnttti re0 host 66.63.5.250 and udp port 500
tcpdump: listening on re0, link-type EN10MB
Jun 16 16:51:53.161393 72.83.103.147.500 > 66.63.5.250.500: isakmp v2.0
exchange IKE_SA_INIT
cookie: 5910d1be1404a0fb-> msgid:  len: 278
Jun 16 16:51:53.178950 72.83.103.147.500 > 66.63.5.250.500: isakmp v2.0
exchange IKE_SA_INIT
cookie: 1c613d84d5a295ac-> msgid:  len: 278
Jun 16 16:51:55.183540 72.83.103.147.500 > 66.63.5.250.500: isakmp v2.0
exchange IKE_SA_INIT
cookie: 5910d1be1404a0fb-> msgid:  len: 278
Jun 16 16:51:55.183697 72.83.103.147.500 > 66.63.5.250.500: isakmp v2.0
exchange IKE_SA_INIT
cookie: 1c613d84d5a295ac-> msgid:  len: 278
Jun 16 16:51:59.193888 72.83.103.147.500 > 66.63.5.250.500: isakmp v2.0
exchange IKE_SA_INIT
cookie: 5910d1be1404a0fb-> msgid:  len: 278
Jun 16 16:51:59.194092 72.83.103.147.500 > 66.63.5.250.500: isakmp v2.0
exchange IKE_SA_INIT
cookie: 

Re: IKEv2 difference with 6.7

2020-06-16 Thread Daniel Ouellet



On 6/16/20 1:35 PM, Patrick Wildt wrote:
> On Tue, Jun 16, 2020 at 01:09:32PM -0400, Daniel Ouellet wrote:
>> Hi Tobias,
>>
>> I put below the full configuration, and the flows as well, with the 6.6
>> binary; I switched to the 6.7 binary without any other changes, as well
>> as the full config.
>>
>> The config may be a bit weird at first, as I tunnel routable IPs over
>> iked over a Verizon Fios line. You can't get routable IPs from Fios and
>> I have a need for them. So that has been my way around it for years now.
>>
>> Anyway, here below:
>>
>> gateway$ doas cat /etc/ipsec.conf
>> flow esp out from ::/0 to ::/0 type deny
>> flow esp from 66.63.44.64/27 to 66.63.44.96/28 type bypass
>> flow esp from 66.63.44.96/28 to 66.63.44.64/27 type bypass
>> flow esp from 66.63.44.67 to 66.63.44.97 type bypass
>> flow esp from 66.63.44.90 to 66.63.44.97 type bypass
>>
>> (This above was to allow the two local subnets to talk to one another,
>> as they are in different DMZs. I can delete that config and it changes
>> nothing anyway. Just wanted to write why in case you wonder.)
>>
>> gateway$ doas cat /etc/iked.conf
>> # All IPs from 66.63.44.79 are Etienne's computer to Riot on AS 6507 in Ashburn.
>> ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
>>
>> ikev2 "Flow" active \
>> from re1 to tunnel.realconnect.com \
>> from re1 to stats.realconnect.com \
>> from 66.63.44.66 to 0.0.0.0/0 \
>> from 66.63.44.67 to 66.63.0.0/18 \
>> from home.ouellet.us to 0.0.0.0/0 \
>> from 66.63.44.96/28 to 0.0.0.0/0 \
>>  from 66.63.44.79 to 43.229.64.0/22 \
>>  from 66.63.44.79 to 45.7.36.0/22 \
>>  from 66.63.44.79 to 103.240.224.0/22 \
>>  from 66.63.44.79 to 104.160.128.0/19 \
>>  from 66.63.44.79 to 162.249.72.0/21 \
>>  from 66.63.44.79 to 185.40.64.0/22 \
>>  from 66.63.44.79 to 192.64.168.0/21 \
>> peer tunnel.realconnect.com
>>
>> (Here above, for 66.63.44.79, again weird stuff, that's only for my
>> older son. When he plays LoL over Fios it sucks! But when I tunnel it to
>> my tunnel and then directly to Equinix, where Riot is and where I peer,
>> all is great, and hard to believe I am sure, but latency is much lower.
>> Again not relevant, just in case you wonder. I know, it's stupid, but I
>> do a lot of work from home and I need to keep the family happy too. (;)
>>
>> On 6/16/20 6:09 AM, Tobias Heider wrote:
>>> Hi Daniel,
>>>
>>> On Mon, Jun 15, 2020 at 08:04:43PM -0400, Daniel Ouellet wrote:
>>>>> Probably related to the following change documented in
>>>>> https://www.openbsd.org/faq/upgrade67.html:
>>>>>
>>>>> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by 
>>>>> iked(8) or
>>>>> isakmpd(8) was changed from "use" to "require". This means unencrypted 
>>>>> traffic
>>>>> matching the flows will no longer be accepted. Flows of type "use" can 
>>>>> still be
>>>>> set up manually in ipsec.conf(5). 
>>>>
>>>> I have what appears to be a similar problem. I used iked from 5.6 all the
>>>> way to 6.6, no problem, well some, but I worked it out. All in the archive.
>>>>
>>>> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
>>>> changed, same configuration, just a sysupgrade and that's it.
>>>>
>>>> I read this and I can understand the words, but maybe I am thick, but I
>>>> don't understand what to do with it.
>>>
>>> The default behavior of IPsec flows was changed to not accept unencrypted
>>> packets matching a registered flow.
>>> You can list your flows with 'ipsecctl -sf'.
>>
>> gateway$ doas ipsecctl -sf
>> flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 45.7.36.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us 

Re: IKEv2 difference with 6.7

2020-06-16 Thread Daniel Ouellet
Hi Tobias,

I put below the full configuration, and the flows as well, with the 6.6
binary; I switched to the 6.7 binary without any other changes, as well
as the full config.

The config may be a bit weird at first, as I tunnel routable IPs over
iked over a Verizon Fios line. You can't get routable IPs from Fios and
I have a need for them. So that has been my way around it for years now.

Anyway, here below:

gateway$ doas cat /etc/ipsec.conf
flow esp out from ::/0 to ::/0 type deny
flow esp from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp from 66.63.44.67 to 66.63.44.97 type bypass
flow esp from 66.63.44.90 to 66.63.44.97 type bypass

(This above was to allow the two local subnets to talk to one another,
as they are in different DMZs. I can delete that config and it changes
nothing anyway. Just wanted to write why in case you wonder.)

gateway$ doas cat /etc/iked.conf
# All IPs from 66.63.44.79 are Etienne's computer to Riot on AS 6507 in Ashburn.
ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com

ikev2 "Flow" active \
from re1 to tunnel.realconnect.com \
from re1 to stats.realconnect.com \
from 66.63.44.66 to 0.0.0.0/0 \
from 66.63.44.67 to 66.63.0.0/18 \
from home.ouellet.us to 0.0.0.0/0 \
from 66.63.44.96/28 to 0.0.0.0/0 \
from 66.63.44.79 to 43.229.64.0/22 \
from 66.63.44.79 to 45.7.36.0/22 \
from 66.63.44.79 to 103.240.224.0/22 \
from 66.63.44.79 to 104.160.128.0/19 \
from 66.63.44.79 to 162.249.72.0/21 \
from 66.63.44.79 to 185.40.64.0/22 \
from 66.63.44.79 to 192.64.168.0/21 \
peer tunnel.realconnect.com

(Here above, for 66.63.44.79, again weird stuff, that's only for my
older son. When he plays LoL over Fios it sucks! But when I tunnel it to
my tunnel and then directly to Equinix, where Riot is and where I peer,
all is great, and hard to believe I am sure, but latency is much lower.
Again not relevant, just in case you wonder. I know, it's stupid, but I
do a lot of work from home and I need to keep the family happy too. (;)

On 6/16/20 6:09 AM, Tobias Heider wrote:
> Hi Daniel,
> 
> On Mon, Jun 15, 2020 at 08:04:43PM -0400, Daniel Ouellet wrote:
>>> Probably related to the following change documented in
>>> https://www.openbsd.org/faq/upgrade67.html:
>>>
>>> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by
>>> iked(8) or isakmpd(8) was changed from "use" to "require". This means
>>> unencrypted traffic matching the flows will no longer be accepted. Flows
>>> of type "use" can still be set up manually in ipsec.conf(5).
>>
>> I have what appears to be a similar problem. I used iked from 5.6 all the
>> way to 6.6 no problem, well some, but I worked it out. All in the archive.
>>
>> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
>> changed, same configuration, just a sysupgrade and that's it.
>>
>> I read this and I can understand the words, but maybe I am thick, but I
>> don't understand what to do with it.
> 
> The default behavior of IPsec flows was changed to not accept unencrypted
> packets matching a registered flow.
> You can list your flows with 'ipsecctl -sf'.

gateway$ doas ipsecctl -sf
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 45.7.36.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 72.83.103.147 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 103.240.224.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 104.160.128.0/19 to 66.63.44.79 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type u

Re: IKEv2 difference with 6.7

2020-06-15 Thread Daniel Ouellet
> Probably related to the following change documented in
> https://www.openbsd.org/faq/upgrade67.html:
> 
> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by
> iked(8) or isakmpd(8) was changed from "use" to "require". This means
> unencrypted traffic matching the flows will no longer be accepted. Flows
> of type "use" can still be set up manually in ipsec.conf(5).

I have what appears to be a similar problem. I used iked from 5.6 all the
way to 6.6 no problem, well some, but I worked it out. All in the archive.

But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
changed, same configuration, just a sysupgrade and that's it.

I read this and I can understand the words, but maybe I am thick, but I
don't understand what to do with it.

I see the require type modifier in the ipsec.conf man page, not in the
iked.conf man page.

Do you mean whatever rules we had in iked.conf need to be in
ipsec.conf now?

I am really sorry if I don't follow the meaning or what you tried to
say, but how can this be fixed, or changed?

My guess is that it is simple and I don't think about it properly, but I
am hitting a road block trying to figure it out.

I am a bit at a loss and any clue stick would be greatly appreciated.

Thanks

Daniel



Re: IKEv2 difference with 6.7

2020-06-15 Thread Daniel Ouellet
On 6/15/20 8:04 PM, Daniel Ouellet wrote:
>> Probably related to the following change documented in
>> https://www.openbsd.org/faq/upgrade67.html:
>>
>> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by
>> iked(8) or isakmpd(8) was changed from "use" to "require". This means
>> unencrypted traffic matching the flows will no longer be accepted. Flows
>> of type "use" can still be set up manually in ipsec.conf(5).
> 
> I have what appears to be a similar problem. I used iked from 5.6 all the
> way to 6.6 no problem, well some, but I worked it out. All in the archive.
> 
> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
> changed, same configuration, just a sysupgrade and that's it.
> 
> I read this and I can understand the words, but maybe I am thick, but I
> don't understand what to do with it.
> 
> I see the require type modifier in the ipsec.conf man page, not in the
> iked.conf man page.
> 
> Do you mean whatever rules we had in iked.conf need to be in
> ipsec.conf now?
> 
> I am really sorry if I don't follow the meaning or what you tried to
> say, but how can this be fixed, or changed?
> 
> My guess is that it is simple and I don't think about it properly, but I
> am hitting a road block trying to figure it out.
> 
> I am a bit at a loss and any clue stick would be greatly appreciated.
> 
> Thanks
> 
> Daniel

Just for the record, I just took a copy of iked version 6.6 and used
that instead of 6.7 and all is good. I saved the 6.7 version.

gateway# ls -al /sbin/iked*
-r-xr-xr-x  1 root  bin  436584 Jun 15 20:42 /sbin/iked
-r-xr-xr-x  1 root  bin  448744 May  7 12:52 /sbin/iked.original

So it's definitely nothing else that is stopping it from working.

Just a new requirement for iked to use this new way, and so far I am
coming up short as to how to get this done right.
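
As an added example for the thread above (not code from the thread, from
Daniel, or from OpenBSD), the Python below parses the one-line-per-flow
output of ipsecctl -sf, counts flows by direction and type, lists the
inbound flows of type "use" that still accept cleartext, and diffs two
snapshots so that the 6.6-to-6.7 flip from "use" to "require" shows up as
a type change rather than a configuration change. The sample flows are
constructed from the addresses posted in the thread with the mail line
wrapping removed; the 6.7 snapshot is derived from the 6.6 one by
assumption, following the FAQ text quoted above. The as_ipsec_conf()
rendering of a flow as an ipsec.conf(5) rule is offered only as a starting
point for testing; the thread does not establish whether such a manual
flow coexists with the one iked installs.

```python
"""Audit ipsecctl -sf output for flows that still accept cleartext.

Added example, not code from the thread or from OpenBSD. Input is the
one-line-per-flow format printed by ipsecctl -sf.
"""

# Constructed sample: what the gateway showed under 6.6 (inbound flows "use").
FLOWS_66 = """\
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny
"""

# Assumed: the same configuration after the 6.7 change (inbound flows "require").
FLOWS_67 = FLOWS_66.replace("type use", "type require")


def parse_flows(text):
    """Parse ipsecctl -sf lines into dicts keyed by the printed keywords.

    Each line is 'flow <proto> <in|out> from A to B [peer P] [srcid S]
    [dstid D] type T'; everything after the direction is key/value pairs.
    """
    flows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "flow":
            continue
        flow = {"proto": tok[1], "dir": tok[2]}
        for key, value in zip(tok[3::2], tok[4::2]):
            flow[key] = value
        flows.append(flow)
    return flows


def flow_key(flow):
    """Identity of a flow independent of its type: direction, selectors, peer."""
    return (flow["dir"], flow["from"], flow["to"], flow.get("peer"))


def cleartext_accepting(flows):
    """Inbound flows of type 'use': matching packets are accepted whether or
    not they arrived inside ESP. 'require' drops the cleartext ones,
    'bypass' never touches IPsec, 'deny' drops everything."""
    return [f for f in flows if f["dir"] == "in" and f.get("type") == "use"]


def summarize(flows):
    """Count flows per direction and type, e.g. {'in': {'use': 2, ...}}."""
    counts = {}
    for f in flows:
        per_dir = counts.setdefault(f["dir"], {})
        kind = f.get("type", "?")
        per_dir[kind] = per_dir.get(kind, 0) + 1
    return counts


def changed_types(before, after):
    """Flows present in both snapshots whose type differs: (key, old, new)."""
    old = {flow_key(f): f.get("type") for f in before}
    changes = []
    for f in after:
        k = flow_key(f)
        if k in old and old[k] != f.get("type"):
            changes.append((k, old[k], f.get("type")))
    return changes


def as_ipsec_conf(flow):
    """Render a flow as a manual ipsec.conf(5) flow rule (ids omitted)."""
    parts = ["flow", flow["proto"], flow["dir"], "from", flow["from"], "to", flow["to"]]
    if "peer" in flow:
        parts += ["peer", flow["peer"]]
    parts += ["type", flow.get("type", "require")]
    return " ".join(parts)


if __name__ == "__main__":
    before, after = parse_flows(FLOWS_66), parse_flows(FLOWS_67)
    print("6.6:", summarize(before))
    print("6.7:", summarize(after))
    for key, old, new in changed_types(before, after):
        print("type changed %s -> %s for %s" % (old, new, key))
    for f in cleartext_accepting(before):
        print("accepts cleartext:", as_ipsec_conf(f))
```

On a live box the snapshots would come from `doas ipsecctl -sf` taken before
and after the upgrade; the diff isolates flows whose only difference is the
type, which is exactly the case where the configuration did not change but
the kernel's treatment of unencrypted matching packets did.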



Re: pf table for all publicly routable ipv4 addresses

2020-05-04 Thread Daniel Ouellet
Just a question and a thought may be.

I am not sure why have this pass valid table as opposed to block.

The reason is that if you pass all valid IPs, then for some service you want
to block, don't you have to add more rules to do that, as opposed to only
allowing incoming from the services you want?

Looks to me you do:

1. Block all.

2. Pass all valid IPv4

3. Block to protect devices you want not to be open to all.

4. Allow specific services on the above one.

Maybe I don't get it. You may have a very valid reason or preference,
but thinking about it, I see it as being more confusing and less
efficient in the global number of rules.

Me, I have, for the relevant part:


# Block of IPs that shouldn't ever be seen on the Internet.
# Refer to RFC 919, 922, 1122, 1918, 3171, 3927, 5735, 5736,
# 5737 and 5771
# When CARP is used, without peercarp, don't block multicast 224.0.0.0/24
table  const { 0/8, 10/8, 100.64/10, 127/8, 169.254/16, \
172.16/12, 192/24, 192.0.2/24, 192.168/16, 198.18/15, \
198.51.100/24, 203.0.113/24, 224/4, 240/4, 255.255.255.255/32 }

...

# Drop all packets from the reserved address space.
block drop quick on egress inet from 
block drop quick on egress inet to 



May be this is useful or not.

Just wanted to offer you food for thought just in case.

Do as you see fit, maybe I am wrong. I assume no one else, or surely a
very limited number of users, would do as you want, pass all and then
block later. In any case, what do I know really, I am more than willing
to be wrong.

I think you have way less chance of mistakes when you block all and only
allow what you need.

Daniel


On 5/4/20 4:42 PM, Marko Cupać wrote:
> On 2020-05-04 19:23, Stuart Henderson wrote:
>> On 2020-05-04, Marko Cupać  wrote:
>>> Hi,
>>>
>>> I'd like to create pf table "all publicly routable ipv4 addresses". Is
>>> this possible with some short syntax?
>>>
>>> Thank you in advance.
>>>
>>
>> something like this?
>>
>> # https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt
>> table  {
>> !0.0.0.0/8
>> !10.0.0.0/8
>> !100.64.0.0/10
>> !127.0.0.0/8
>> !169.254.0.0/16
>> !172.16.0.0/12
>> !192.0.0.0/24
>> !192.0.2.0/24
>> !192.168.0.0/16
>> !198.18.0.0/15
>> !198.51.100.0/24
>> !203.0.113.0/24
>> !224.0.0.0/3
>> }
> 
> Yes. I want to have the opposite of  table described in pf faq:
> https://www.openbsd.org/faq/pf/example1.html#pf
> 
> ...so I can permit hosts on guest vlan access Internet hosts, but not
> hosts on other private vlans similar to:
> 
> block log all
> pass in on $guest_vlan from $guest_vlan:network to 
> 
> However, this apparently doesn't work. If I tested well, your 
> table expands to "no addresses", not "all addresses but those".
> 
> I thought I could do such table like this:
> 
> table  {    0.0.0.0/0 \
>  !0.0.0.0/8 \
>  ...
>    !224.0.0.0/3 }
> 
> ...but https://www.openbsd.org/faq/pf/tables.html#addr states that "One
> limitation when specifying addresses is that 0.0.0.0/0 and 0/0 will not
> work in tables".
> 
> I know I can solve this by reordering rules, and using block instead of
> pass, but I'd really like to have a table of all publicly routable ip
> addresses in pf.
> 
> Regards,
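
Added example for the pf table question above (not code from the thread,
from Daniel, from Stuart or from pf itself): because pf tables do not
accept 0.0.0.0/0, and a table made only of negated entries matches
nothing, the complement of the bogon list has to be computed outside pf
and written as explicit prefixes. The Python below does that with the
standard ipaddress module, using the aggregated bogon list Stuart quoted,
and renders the result as a pf.conf table. The table name "routable" is an
assumption.

```python
"""Compute the positive-prefix complement of an IPv4 bogon list for pf.

Added example, not code from the thread or from pf. pf tables cannot hold
0.0.0.0/0, and a table made only of negated entries expands to nothing, so
"all publicly routable IPv4" must be spelled out as explicit CIDRs.
"""
import ipaddress

# Aggregated IPv4 bogons as quoted in the thread (team-cymru bogon-bn-agg).
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
]


def routable_prefixes(bogons=BOGONS):
    """Return the collapsed list of IPv4 networks covering everything in
    0.0.0.0/0 except the given bogon prefixes."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for bogon in sorted(ipaddress.ip_network(b) for b in bogons):
        carved = []
        for net in remaining:
            if bogon.subnet_of(net):
                # Split net around the bogon; address_exclude yields the
                # pieces that remain (nothing at all if bogon == net).
                carved.extend(net.address_exclude(bogon))
            elif net.subnet_of(bogon):
                continue  # already entirely bogon space, drop it
            else:
                carved.append(net)  # disjoint, keep as-is
        remaining = carved
    return list(ipaddress.collapse_addresses(remaining))


def is_routable(ip, nets):
    """True if ip falls inside one of the computed routable prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def pf_table(name, nets, per_line=4):
    """Render a pf.conf table definition; pf allows newlines inside the
    braces, so no continuation characters are needed."""
    cidrs = [str(net) for net in nets]
    rows = [", ".join(cidrs[i:i + per_line]) for i in range(0, len(cidrs), per_line)]
    return "table <%s> const {\n%s\n}" % (name, "\n".join("\t" + r for r in rows))


if __name__ == "__main__":
    nets = routable_prefixes()
    print(pf_table("routable", nets))
    print("# %d prefixes, %d addresses" % (len(nets), sum(n.num_addresses for n in nets)))
```

The bogon list changes over time, so the generated table is something to
regenerate (and reload with `pfctl -t routable -T replace -f`) rather than
to hand-maintain; the address count printed at the end is a quick sanity
check that the complement is exact.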



Re: Certain size packets not passing through a L2 over L3 IPsec tunnel

2019-10-10 Thread Daniel Ouellet
On 10/10/19 4:25 PM, Russell Sutherland wrote:
> I've set up a L2overL3 tunnel using the template as found in "man etherip". I 
> am running OpenBSD 5.9, which I believe is the first version to support the 
> etherip interface.
> 
> I find the bridge/tunnel does not pass a small range of specific sized 
> packets.
> 
> E.g. if 1.2.3.4 is at the far end of the tunnel and I am pinging from the 
> local end:
> 
> ping -s 1388 1.2.3.4 works
> ping -s 1396 1.2.3.4 works
> 
> All other sizes, 1389 to 1395 inclusive fail.
> 
> Is there some way to remedy this?

Just some friendly advice here. I am almost sure you will not get an answer
on this as 5.9 is pretty old and not supported anymore, for a few years now.

We are at 6.5 and maybe one week or two max to the release of 6.6.

I would try 6.6 first and see how it works for you.

There have been a truckload of changes since 5.9.

Hope this helps you some even if that doesn't answer your question.

However the suggestion is very valid.

Daniel



Re: Incoming connection via VLAN

2019-09-02 Thread Daniel Ouellet
It's hard trying to help you as.

VLAN syntax changed in the upgrade from 6.1 to 6.2 and the pf queueing
changed from 6.3 to 6.4.

So it looks like you skipped a few versions and nowhere did you provide any
details on your configuration.

So I would suggest going to read either the man page or looking at the
upgrade from 6.1 to 6.2 for your VLAN part.

https://www.openbsd.org/faq/upgrade62.html

and then 6.3 to 6.4 for your pf part.

https://www.openbsd.org/faq/upgrade64.html

If you do upgrade a system it's always a good idea to go read the
excellent upgrade page before doing it.

Assuming things never changed is not a good idea.

OpenBSD will change everything if that makes sense to do at the time, but
they also document it as well.

From what I can read anyway and guess from your info, it looks to me like
you upgraded or skipped a few versions, or run an old configuration on a
much newer system without looking at the changes that happened.

Worst case, get your system working again and then read the VLAN part if
you still have issues, and experiment with that and get it back where you
want it.

In any case with what you provided it's not possible to help or tell you
more; everything I wrote here is simply a guess based on your info.

Hope this helps you some.

Daniel




On 9/1/19 9:04 AM, Felix Hanley wrote:
> I had assumed I would be able to use the existing pf.conf (which has worked 
> for years) even after the introduction of the 
> vlan2 interface as the pppoe0 parent. To get anything to work I had to remove 
> all queueing references.
> 
> BTW, I am running 6.5:
> 
> # uname -a
> OpenBSD malkmus.xx.xx 6.5 GENERIC.MP#3 amd64
> 
> Thank you for any suggestions to try.
> 
> -felix
> 



Re: What is you motivational to use OpenBSD

2019-08-28 Thread Daniel Ouellet
On 8/28/19 10:32 AM, Mohamed salah wrote:
> I wanna put something in discussion, what's your motivational to use
> OPENBSD what not other bsd's what not gnu/Linux, if something doesn't work
> fine on openbsd and you love this os so much what will do?

- Simplicity.
- Clean
- Lean and Slim
- Works as advertised
- Secure

And the most important fact that, a few decades ago, got me to turn to OpenBSD
without ever turning back is the man pages.

I can't say how much time I wasted trying to figure out how to get shit
working on other Linux flavors and simply gave up.

I have to say I am short of time and anything that makes me save some is
a plus for me. So when I discovered OpenBSD, totally by mistake, I never
looked back.

My son tells me that some Linux distributions have improved their man pages
some today, but "some" to me means nothing and I really couldn't care less.

However searching forever and reading a lot of stuff that you realize
simply doesn't apply drives me nuts.

I am sure the list is different for everyone; instead of asking, just
try it and see for yourself.

No one will know more than you what you are looking for or like.



Re: Max Speed: configuration in smnpd.conf for display in mrtg

2019-08-28 Thread Daniel Ouellet
On 8/28/19 5:44 AM, Stuart Henderson wrote:
> On 2019-08-26, Daniel Ouellet  wrote:
>> Thanks Stuart,
>>
>> I guess I had the right oid before, but the fact that it doesn't allow
>> the replacement always gave me a failure at restart, so I assumed I wasn't
>> using the right oid.
>>
>> Oh well.
>>
>> Doing the max speed in mrtg is possible, sure, but as I have too many
>> routers that change a lot as new customers are added or removed, it
>> was a lot simpler to do it in the actual router than trying to always go
>> back and overwrite the final configuration of mrtg each time.
> 
> Can the mrtg config not just be generated by whatever is generating router 
> configs?

Nope. Way more Cisco routers, and from time to time changes are done to
increase access based on new contracts.

If it was simple and possible it would have been done long ago.

I am just not sure why the bandwidth command on Cisco allows using the
effective bandwidth as opposed to being fixed on the interface bandwidth,
and snmpd doesn't allow overriding the same thing.

The fact that it is possible may not be an RFC-fixed thing in the OID
definitions, but it is what it is.

When I get some time I will look at whether I can change snmpd to maybe
allow it or not.

For now every time this applies I manually change it.

Not the end of the world, just very annoying, but I can deal with it.



Re: Max Speed: configuration in smnpd.conf for display in mrtg

2019-08-25 Thread Daniel Ouellet
Thanks Stuart,

I guess I had the right oid before, but the fact that it doesn't allow
the replacement always gave me a failure at restart, so I assumed I wasn't
using the right oid.

Oh well.

Doing the max speed in mrtg is possible, sure, but as I have too many
routers that change a lot as new customers are added or removed, it
was a lot simpler to do it in the actual router than trying to always go
back and overwrite the final configuration of mrtg each time.

Daniel


On 8/23/19 12:12 PM, Stuart Henderson wrote:
> On 2019-08-22, Daniel Ouellet  wrote:
>> Hi,
>>
>> Wonder if anyone would know the answer for this.
>>
>> I am trying to figure out what is the entry needed in snmpd.conf for the
>> specific display that would show in mrtg when the scan is done.
>>
>> In short, the display shows
>>
>> Max Speed:   1000.0 Mbits/s
>>
>> and I want it displayed as, for example,
>>
>> Max Speed:   150.0 Mbits/s
>>
>> I have all other variables set properly for what's needed, but can't
>> figure this one out.
>>
>> In a Cisco router you can just do
>>
>> bandwidth 15
>>
>> for example to do this.
>>
>> In snmpd.conf I can do
>>
>> system location "Your city location"
>>
>> But I haven't been able to figure out what's the entry for the display of
>> the bandwidth itself as opposed to the interface speed.
>>
>> I thought this would do:
>>
>> system ifSpeed "150"
>>
>> but it doesn't and I really can't figure this one out.
>>
>> The man page does provide plenty but comes up short for this one.
>>
>> I process all the stats from an OpenBSD server and the routers I query
>> are mostly Cisco but many are also OpenBSD too.
>>
>> Any clue stick?
>>
>> Many thanks
>>
>> Daniel
>>
>>
> 
> I think you need to just configure MaxBytes in mrtg config for the port.
> 
> Looking at snmpd.conf(5) and looking up the oid you might think of trying
> this,...
> 
> oid 1.3.6.1.2.1.2.2.1.5.$ifindex name ifSpeed read-only integer 123456
> 
> (replace $ifindex with the correct index for the port), but it doesn't
> actually work, snmpd doesn't allow overriding an existing oid in this way.
> 
> 



Max Speed: configuration in smnpd.conf for display in mrtg

2019-08-22 Thread Daniel Ouellet
Hi,

Wonder if anyone would know the answer for this.

I am trying to figure out what is the entry needed in snmpd.conf for the
specific display that would show in mrtg when the scan is done.

In short, the display shows

Max Speed:  1000.0 Mbits/s

and I want it displayed as, for example,

Max Speed:  150.0 Mbits/s

I have all other variables set properly for what's needed, but can't
figure this one out.

In a Cisco router you can just do

bandwidth 15

for example to do this.

In snmpd.conf I can do

system location "Your city location"

But I haven't been able to figure out what's the entry for the display of
the bandwidth itself as opposed to the interface speed.

I thought this would do:

system ifSpeed "150"

but it doesn't and I really can't figure this one out.

The man page does provide plenty but comes up short for this one.

I process all the stats from an OpenBSD server and the routers I query
are mostly Cisco but many are also OpenBSD too.

Any clue stick?

Many thanks

Daniel



Re: Code of Conduct location

2019-04-28 Thread Daniel Ouellet
On 4/28/19 9:33 AM, Rachel Roch wrote:
> Apr 28, 2019, 9:16 AM by cho...@jtan.com :
> 
>> Strahil Nikolov writes:
>>
>>> Hello All,
>>>
>>> can someone point me to the link of the OpenBSD code of Conduct ?
>>>
>>
>> I believe OpenBSD's code of conduct can be summed up as "if you are the
>> type of person who needs a code of conduct to teach to you how to human
>> then you are not welcome here".
>>
>> At least I hope so.
>>
>> Matthew
>>
> 
> I always thought it could be summed up as "Don't piss off Theo".  ;-)

That's a good one! It made me chuckle today, thanks for that!

I needed to smile today.

And it's mostly true. If you are an ass, you will get him on you real fast!

So don't be an ass and you will be fine.



Re: iked.conf insanity (passing traffic locally between two tunneled subnets)

2019-01-16 Thread Daniel Ouellet
Just to add more on this, something that makes no sense to me and that I
do not understand.

Just adding to what's below a simple additional flow like this

gateway$ echo 'flow from 66.63.44.90 to 66.63.44.100 type bypass' | doas ipsecctl -vf -

even if there isn't anything at 66.63.44.100, makes the flows from
66.63.44.90 to anything else all work.

Looks like somehow the bypass flows will not process CIDR properly
without an additional one.

gateway# ipsecctl -sf
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 100.36.20.77 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp in from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp in from 66.63.44.100 to 66.63.44.90 type bypass
flow esp in from 216.15.33.137 to 66.63.44.67 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 216.15.33.137 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.90 to 66.63.44.100 type bypass
flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp out from 100.36.20.77 to 66.63.5.250 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny



On 1/16/19 5:36 PM, Daniel Ouellet wrote:
>> You don't actually even need an ipsec.conf file, you could just do
>>
>> $ echo 'flow from 192.0.2.1/32 to 192.0.2.2/32 type bypass' | doas ipsecctl 
>> -vf -
> 
> That would actually be a very simple solution and I would sure love it!
> 
> But testing doesn't show that as being the case. Packets are still being
> forwarded to enc0 even if they show as bypass in ipsecctl -sf.
> 
> I did the forward and reverse entries to see the results. Set up two servers
> real quick to test, and here are the results with the simpler, shorter version
> of iked.conf and adding the bypass:
> 
> gateway$ doas cat /etc/iked.conf
> ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
> 
> ikev2 "Flow" active \
> from re1 to tunnel.realconnect.com \
> from re1 to stats.realconnect.com \
> from 66.63.44.66 to 0.0.0.0/0 \
> from 66.63.44.67 to 66.63.0.0/18 \
> from 66.63.44.67 to christine-home.realconnect.com \
> from home.ouellet.us to 0.0.0.0/0 \
> from 66.63.44.96/28 to 0.0.0.0/0 \
> peer tunnel.realconnect.com
> 
> gateway$ echo 'flow from 66.63.44.96/28 to 66.63.44.64/27 type bypass' | doas ipsecctl -vf -
> 
> gateway$ echo 'flow from 66.63.44.64/27 to 66.63.44.96/28 type bypass' | doas ipsecctl -vf -
> 
> And then check the flow to see if the bypass are present and they are as
> below:
> 
> gateway$ doas ipsecctl -sf
> flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> flow esp in from 0.0.0.0/0 to 66.63.44.96/28 pee

Re: iked.conf insanity (passing traffic locally between two tunneled subnets)

2019-01-16 Thread Daniel Ouellet
> You don't actually even need an ipsec.conf file, you could just do
> 
> $ echo 'flow from 192.0.2.1/32 to 192.0.2.2/32 type bypass' | doas ipsecctl 
> -vf -

That would actually be a very simple solution and I would sure love it!

But testing doesn't show that as being the case. Packets are still being
forwarded to enc0 even if they show as bypass in ipsecctl -sf.

I did the forward and reverse entries to see the results. Set up two servers
real quick to test, and here are the results with the simpler, shorter version
of iked.conf and adding the bypass:

gateway$ doas cat /etc/iked.conf
ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com

ikev2 "Flow" active \
from re1 to tunnel.realconnect.com \
from re1 to stats.realconnect.com \
from 66.63.44.66 to 0.0.0.0/0 \
from 66.63.44.67 to 66.63.0.0/18 \
from 66.63.44.67 to christine-home.realconnect.com \
from home.ouellet.us to 0.0.0.0/0 \
from 66.63.44.96/28 to 0.0.0.0/0 \
peer tunnel.realconnect.com

gateway$ echo 'flow from 66.63.44.96/28 to 66.63.44.64/27 type bypass' | doas ipsecctl -vf -

gateway$ echo 'flow from 66.63.44.64/27 to 66.63.44.96/28 type bypass' | doas ipsecctl -vf -

And then check the flows to see if the bypasses are present, and they are,
as below:

gateway$ doas ipsecctl -sf
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.5.250 to 100.36.20.77 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp in from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp in from 216.15.33.137 to 66.63.44.67 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.67 to 216.15.33.137 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from 66.63.44.96/28 to 66.63.44.64/27 type bypass
flow esp out from 100.36.20.77 to 66.63.5.250 peer 66.63.5.250 srcid
FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny

But the packets are still sent to enc0 however.

tcpdump shows that:

gateway$ doas tcpdump -nli enc0 | grep icmp
tcpdump: listening on enc0, link-type ENC
17:29:15.778857 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 >
66.63.44.99: icmp: echo request (encap)
17:29:15.784287 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 >
66.63.44.99: icmp: echo request (encap)
17:29:16.789014 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 >
66.63.44.99: icmp: echo request (encap)
17:29:16.793698 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 >
66.63.44.99: icmp: echo request (encap)
17:29:17.799066 (authentic,confidential): SPI 0x1a672fb3: 66.63.44.90 >
66.63.44.99: icmp: echo request (encap)
17:29:17.803543 (authentic,confidential): SPI 0xac2b658e: 66.63.44.90 >
66.63.44.99: icmp: echo request (encap)
^C
44 packets received by filter
0 packets dropped by kernel

If the bypass were active, it shouldn't reach enc0 but go between re1 and
re2, as shown in the routing table for the test:

gateway$ doas route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            100.36.20.1 

Re: iked.conf insanity (passing traffic locally between two tunneled subnets)

2019-01-16 Thread Daniel Ouellet
> Can someone point out an example of this gif+ipsec setup somewhere ?
> 
> I failed at finding any GIF ref when looking IPSEC+OPENBSD, also man
> ipsec does not list gif, only enc.

This is dated obviously and for full disclosure I didn't try it, so look
at it as such.

https://undeadly.org/cgi?action=article&sid=20131105075303

There is more than what you asked, however the idea is the same I suppose.

It may be what you need or not.



Re: iked.conf insanity (passing traffic locally between two tunneled subnets)

2019-01-16 Thread Daniel Ouellet
> Maybe you misunderstood - I am just talking about a couple of lines in
> ipsec.conf to setup the bypass flow, but still use iked for the
> actual vpn connection.

I should have added that this may not be the best idea, but I was/am trying
rdomain for this (having the bypass in rdomain 1 as an idea). Not being
successful yet at having an rdomain working to know the answer to this at
this time, I was/am trying to find out if the address space iked
interacts with is ONLY what would normally be seen in rdomain 0 or not.

Is that the case, and is it safe to assume that whatever address space you
have in other rdomains, when iked has flows configured, whatever they
might be, will not interact with the tables of the other rdomains unless
specifically sent there (rdomain 0) by pf or by a route added specifically
to that effect in the routing table?

In other words, the flows of iked, or what you see when you do

ipsecctl -sf

will they affect ONLY the space normally in rdomain 0, or any/all of them
regardless of their rdomain space?



Re: iked.conf insanity (passing traffic locally between two tunneled subnets)

2019-01-16 Thread Daniel Ouellet
> Maybe you misunderstood - I am just talking about a couple of lines in
> ipsec.conf to setup the bypass flow, but still use iked for the
> actual vpn connection.

That's fair. May be I miss understood you, I thought that you
recommended to actually switch to use the ipsec one instead.

The setup the bypass flow doesn't it actually need to be up and running
first, meaning setup both side of the vpn fro this?

As for other solutions, sure there is other choice, but for decades I
stick to the most simpler solution possible and call me stuburn, I do
everything with OpenBSD, sure some stuff may be best with something
else, but over time I got so comfortable with OpenBSd that I am welling
to have a bit weird setup at times, or less efficient as well, just use
more hardware when that happens.

At my age I value piece of mind and sleep without disruption.

The last time I use something else was NetBSD 1.61, Solaris 9, Debian
Woody if I recall properly, The last release of BSDI, only commercial
version I even used, RedHat 5.0 and FreeBSD 3.2. I tried Caldera in that
same era, but could never setup it up properly so never touched it again
after that wasted time with it.  believe I tried 2 more distribution of
Linux/GNU, but I can't recall them nor do I really care too either!

So, call me OpenBSD limited mind fan boy and I will accept that. My son
does! (;

You reach an age where searching for days to try to find how to do
something on the net with Linux or others is really not where I want to
spend my time, and the fact that the man pages on OpenBSD are so good; yes,
at times they drive me crazy as some examples are missing a bit, but after
you get it to work once, then after that you understand what they
mean by their example in the man page. That's my one criticism really.

Sometimes it takes me a few days to get new stuff done, but still better
than searching for weeks to find the version of Linux, of FreeBSD, or
what not to try.

My last test was with FreeBSD, just a few months ago, and their NAT is
in userland and performance sucked real bad; my son convinced me to give
FreeBSD a trial on router performance that I needed, but that was a show
stopper for me.

So, yes Stuart, there are other choices out there, you are 100% right, but
consider me a stubborn bastard that likes simple clean setups; that's why I
will spend more time trying to have OpenBSD do what I need even if that
might not be the best tool for the job, simply because I am very
comfortable with it and I trust it without question!

I have no clue how old you are and that's none of my business, but you
will see, as time goes by you too will try to make your life simpler and
value the time you have more. (;

So, if there is a way to do the flow bypass without having the full
ikev1 running between the tunnels, I sure will give it a run.

I didn't understand your statement as such, sorry, my bad.

Daniel



Re: iked.conf insanity (passing traffic locally between two tunneled subnets)

2019-01-10 Thread Daniel Ouellet
> OpenBSD's implementation of ipsec doesn't use the routing table, if you
> want that (unless you make code changes) you will need to use a
> different tunnel interface (gif or others) and just use ipsec to protect
> the gif traffic.

The point is to keep the configuration simple and gif doesn't make it
so. But when the source has IPs changing often it ends up not being
very possible, is it...

So not really an option.

Maybe time to check WireGuard instead then. But not having it in the
kernel or fully mature yet on OpenBSD is also limiting.

> Sounds like you want bypass flows for 66.63.44.96/27 <> 66.63.44.64/27.
> IIRC you can still use ipsecctl/ipsec.conf to configure them even
> with iked running (the only bypass flows iked will add itself are the
> automatic "mess with v6 traffic" ones, there's no iked.conf way to do
> this flexibly).

The point of ikev2 was to keep things simple and light. Doing the full
ipsec, even if doable, is really a real pain in the butt.

As you saw I can make ikev2 work as is. Yes I hate how I have to do it,
but I can make it work. I was really hoping that maybe there was something I
didn't think of, or a different workaround for the limitation was possible,
and someone might get a different idea.

I thought that maybe with rdomain there might be a way to bypass the issue
with ikev2, but I must admit my limitations with rdomain didn't offer me a
solution there either.

If my solution is to use gif/ipsec as opposed to my ugly ikev2 ways, I will
stick with the ugly one. KISS has served me well over the years and I will
not use a more complicated solution.

Nevertheless, thanks for your time and consideration to even have read
my email Stuart, I appreciated it!

Daniel



iked.conf insanity (passing traffic locally between two tunneled subnets)

2019-01-09 Thread Daniel Ouellet
Hi,

I have two separate subnets (on different interfaces) on a router. I am
trying to tunnel both subnets over the internet to another router on my
network. I can tunnel one subnet easily and everything works as
expected, but when I tunnel the 2nd subnet, then traffic from one local
subnet is no longer forwarded to the other subnet, but is
unconditionally sent into the ipsec tunnel, bypassing the routing table.
Traffic flows between the two subnets as expected when iked is disabled.

I thought I should be able to use config like this:

ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
ikev2 "Flow" active \
from re1 to tunnel.realconnect.com \
from re1 to stats.realconnect.com \
from 66.63.44.66 to 0.0.0.0/0 \
from 66.63.44.67 to 66.63.0.0/18 \
from 66.63.44.67 to christine-home.realconnect.com \
from home.ouellet.us to 0.0.0.0/0 \
from 66.63.44.96/27 to 0.0.0.0/0 \
peer tunnel.realconnect.com

but then I get the problem described above, where traffic stops flowing
between the local subnets - machines on subnet 66.63.44.96/27 (behind
re1) cannot talk to machines on 66.63.44.64/27 (behind re1) - the
traffic is unconditionally sent to enc0 instead.

To get this to work, I've had to configure each flow to cover the entire
ipv4 space except for the two local subnets. This gets even uglier,
because doing so results in lines which are apparently too long to
parse, and iked refuses to start unless I break it into multiple smaller
flows.

Horrific (but working) config below:


ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com

ikev2 "Flow" active \
from re1 to tunnel.realconnect.com \
from re1 to stats.realconnect.com \
from 66.63.44.66 to 0.0.0.0/2 \
from 66.63.44.66 to 64.0.0.0/8 \
from 66.63.44.66 to 65.0.0.0/8 \
from 66.63.44.66 to 66.0.0.0/11 \
from 66.63.44.66 to 66.32.0.0/12 \
from 66.63.44.66 to 66.48.0.0/13 \
from 66.63.44.66 to 66.56.0.0/14 \
from 66.63.44.66 to 66.60.0.0/15 \
from 66.63.44.66 to 66.62.0.0/16 \
from 66.63.44.66 to 66.63.0.0/19 \
from 66.63.44.66 to 66.63.32.0/21 \
from 66.63.44.66 to 66.63.40.0/22 \
from 66.63.44.66 to 66.63.44.0/26 \
from 66.63.44.66 to 66.63.44.128/25 \
from 66.63.44.66 to 66.63.45.0/24 \
from 66.63.44.66 to 66.63.46.0/23 \
from 66.63.44.66 to 66.63.48.0/22 \
from 66.63.44.66 to 66.63.52.0/22 \
from 66.63.44.66 to 66.63.56.0/21 \
from 66.63.44.66 to 66.64.0.0/10 \
from 66.63.44.66 to 66.128.0.0/9 \
from 66.63.44.66 to 67.0.0.0/8 \
from 66.63.44.66 to 68.0.0.0/6 \
from 66.63.44.66 to 72.0.0.0/5 \
from 66.63.44.66 to 80.0.0.0/4 \
from 66.63.44.66 to 96.0.0.0/3 \
from 66.63.44.66 to 128.0.0.0/1 \
from 66.63.44.67 to 66.63.0.0/19 \
from 66.63.44.67 to 66.63.32.0/21 \
from 66.63.44.67 to 66.63.40.0/22 \
from 66.63.44.67 to 66.63.44.0/26 \
from 66.63.44.67 to 66.63.44.128/25 \
from 66.63.44.67 to 66.63.45.0/24 \
from 66.63.44.67 to 66.63.46.0/23 \
from 66.63.44.67 to 66.63.48.0/22 \
from 66.63.44.67 to 66.63.52.0/22 \
from 66.63.44.67 to 66.63.56.0/21 \
from 66.63.44.67 to christine-home.realconnect.com \
peer tunnel.realconnect.com

ikev2 "Flow2" active \
from home.ouellet.us to 0.0.0.0/2 \
from home.ouellet.us to 64.0.0.0/8 \
from home.ouellet.us to 65.0.0.0/8 \
from home.ouellet.us to 66.0.0.0/11 \
from home.ouellet.us to 66.32.0.0/12 \
from home.ouellet.us to 66.48.0.0/13 \
from home.ouellet.us to 66.56.0.0/14 \
from home.ouellet.us to 66.60.0.0/15 \
from home.ouellet.us to 66.62.0.0/16 \
from home.ouellet.us to 66.63.0.0/19 \
from home.ouellet.us to 66.63.32.0/21 \
from home.ouellet.us to 66.63.40.0/22 \
from home.ouellet.us to 66.63.44.0/26 \
from home.ouellet.us to 66.63.44.128/25 \
from home.ouellet.us to 66.63.45.0/24 \
from home.ouellet.us to 66.63.46.0/23 \
from home.ouellet.us to 66.63.48.0/22 \
from home.ouellet.us to 66.63.52.0/22 \
from home.ouellet.us to 66.63.56.0/21 \
from home.ouellet.us to 66.64.0.0/10 \
from home.ouellet.us to 66.128.0.0/9 \
from home.ouellet.us to 67.0.0.0/8 \
from home.ouellet.us to 68.0.0.0/6 \
from home.ouellet.us to 72.0.0.0/5 \
from home.ouellet.us to 80.0.0.0/4 \
from home.ouellet.us to 96.0.0.0/3 \
from home.ouellet.us to 128.0.0.0/1 \
peer tunnel.realconnect.com

ikev2 "Flow3" active \
from 66.63.44.96/27 to 0.0.0.0/2 \
from 66.63.44.96/27 to 64.0.0.0/8 \
from 66.63.44.96/27 to 65.0.0.0/8 \
from 66.63.44.96/27 to 66.0.0.0/11 \
from 66.63.44.96/27 to 
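The "everything except the two local subnets" destination lists in the post above can be generated instead of written by hand. The following is an added example, not code from the original post: it computes the minimal set of prefixes covering 0.0.0.0/0 minus the excluded subnets with Python's ipaddress module and renders them as iked.conf flow lines, using the subnets, source and peer name from the post; the policy name passed to render_flow is an assumption.

```python
"""Added example (not from the post): build the 'everything except the two
local subnets' destination list for an iked.conf flow instead of writing
it by hand."""
import ipaddress
from typing import Iterable, List

# The two local subnets from the post above.
LOCAL_SUBNETS = ["66.63.44.64/27", "66.63.44.96/27"]


def bypass_cover(excluded: Iterable[str], universe: str = "0.0.0.0/0") -> List[str]:
    """Return the smallest list of CIDR prefixes whose union is `universe`
    minus every network in `excluded`.

    Adjacent excluded networks are merged first (66.63.44.64/27 and
    66.63.44.96/27 become 66.63.44.64/26), so each excluded block costs one
    split path through the address tree: one sibling prefix per bit."""
    remaining = [ipaddress.ip_network(universe)]
    merged = ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in excluded)
    for ex in merged:
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                               # wholly excluded: drop
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))    # split around ex
            else:
                nxt.append(net)                        # disjoint: keep
        remaining = nxt
    # collapse_addresses also merges any mergeable siblings, so the list is minimal.
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def cover_size(cover: Iterable[str]) -> int:
    """Total addresses in the cover; for a correct cover of 0.0.0.0/0 this is
    2**32 minus the excluded address count."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cover)


def cover_touches(cover: Iterable[str], excluded: Iterable[str]) -> bool:
    """True if any prefix in the cover overlaps an excluded subnet, i.e. if
    local traffic would still be pulled into the tunnel."""
    ex_nets = [ipaddress.ip_network(n) for n in excluded]
    return any(ipaddress.ip_network(c).overlaps(e) for c in cover for e in ex_nets)


def render_flow(name: str, src: str, excluded: Iterable[str], peer: str) -> str:
    """Render one ikev2 policy in iked.conf syntax whose 'from src to X'
    lines together mean 'src to everywhere except the excluded subnets'."""
    lines = [f'ikev2 "{name}" active \\']
    lines += [f"from {src} to {dst} \\" for dst in bypass_cover(excluded)]
    lines.append(f"peer {peer}")
    return "\n".join(lines)


if __name__ == "__main__":
    cover = bypass_cover(LOCAL_SUBNETS)
    print(f"{len(cover)} prefixes covering {cover_size(cover)} addresses")
    # Policy name is an assumption; source, subnets and peer are from the post.
    print(render_flow("Flow3", "66.63.44.96/27", LOCAL_SUBNETS, "tunnel.realconnect.com"))
```

For the two /27s above the cover is 26 prefixes; cover_size and cover_touches can be run against a hand-written list the same way to check that it neither leaves holes nor overlaps the local subnets.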

Re: [OpenIKED] Is it impossible to differentiate the policies by dstid?

2018-11-06 Thread Daniel Ouellet
The source ID does default, yes, but I have a tunnel gateway for multiple
VPNs and I HAD to specify the dstid on the passive side as well or ONLY
the last rule was picked up for the 0.0.0.0/0 of some of them, as an
example, for all the traffic flowing via the VPN.

Any overlapping routes were not going as one might think if dstid was not
specified.

example:

ikev2 "test1-flow" passive from 0.0.0.0/0 to 1.2.3.4/28 peer any dstid
test1.example.com

ikev2 "test2-flow" passive from 0.0.0.0/0 to 1.3.3.4/28 peer any dstid
test2.example.com

ikev2 "test3-flow" passive from 0.0.0.0/0 to 1.4.3.4/28 peer any dstid
test3.example.com

..etc

If no dstid was specified, then you didn't have all 3 of the above, as an
example, working.

Maybe it is supposed to; that I can't say for sure, as to the idea of it,
but it sure wasn't and isn't if I remove the dstid with everything else
staying the same.

So what he suggested to you was valid and true.

But it is your setup and you sure can do as you see fit.

Hope this helps anyway.

Daniel

On 11/6/18 3:16 PM, 雷致强 wrote:
> Thanks for the input, however, I think srcid defaults to the hostname when 
> it’s omitted. Explicitly setting it didn’t give me any luck.
> 
>> On Nov 7, 2018, at 2:33 AM, J Evans <3...@startmail.com> wrote:
>>
>> I am by no means an expert, but for my setup, in order to get multiple 
>> policies working, I had to specify both srcid and dstid for each policy on 
>> the passive peer. And then I set srcid and dstid for the policies on the 
>> active peers.
>>
> 



Re: want.html: Unifi wifi gear for interop debugging

2018-10-06 Thread Daniel Ouellet
On 10/6/18 11:48 AM, Tim Jones wrote:
>> Thank you for handling the logistics so I don't have to do that
>> on top of everything else I'm doing.
>> I am looking forward to receiving your shipment.
> 
> 
> Oh right, and the rest of us don't have day-jobs, plus other commitments 
> outside of working hours ?
> 
> From now on, I'll take a simple stance.  If you want my spare Unifi kit, 
> you'll pay for the packaging and the postage.
> 
> If you want another financial donation ?  Well, be prepared for it to come 
> with tight restrictions.
> 

WOW.

I wonder what restrictions OpenBSD put on you for the usage of the project...

Oh wait, NONE.

You are barking up the wrong tree man!

You use and accept a totally free gift, but you feel you need to put
restrictions on yours...

WOW, I wonder how your friends and family feel when you give them gifts!!!

Oh wait, maybe you have no friends...



Re: "no route to host" from pkg_add

2018-08-10 Thread Daniel Ouellet
Sorry for the double posting.

But just to add to the info, RFC 3177 did specify assignments to
remote sites, even houses, being /48 and big sites like /47

https://tools.ietf.org/html/rfc3177

Crazy.

The revised version of it, RFC 6177, corrects that crazy assignment and
specifies that you should do /56.

https://tools.ietf.org/html/rfc6177

But that is still crazy, especially when you see users using NAT64 on
IPv6...

Anyway, back to my rock and I hope it helps you address your assignment
anyway.

Daniel


On 8/10/18 10:38 PM, Daniel Ouellet wrote:
> Hi,
> 
> I am not sure you got that right.
> 
> If you are an ISP the minimum assignment is /32 and you assign /48 to
> end companies and /56 to users.
> 
> If you ask me that's a waste, but that's what they suggest.
> 
> For end users, a /64 would be plenty if you ask me and a /56 for a company
> would be plenty as well.
> 
> But if you truly follow their policy, then well, maybe we will run out
> there too like in IPv4 when it really starts to be assigned, but anyway
> that's for a different discussion.
> 
> Anyway see the ARIN policy for it:
> 
> https://www.arin.net/vault/policy/archive/ipv6_policy.html
> 
> If you are not under ARIN, but RIPE, APNIC, AfriNIC, Lacnic, etc.,
> 
> they have similar policies.
> 
> I would encourage you to check that if your problem is really that you
> got too small an assignment.
> 
> Unless you're a very small ISP that got its assignment from your transit
> provider as opposed to your own and getting your own AS number, you will have
> plenty to work with.
> 
> I really do not know of ANY ISP that gets a /56 for real.
> 
> I got my assignment in 2003 and the policy still hasn't changed.
> 
> Hope this helps you some.
> 
> Daniel.
> 
> 
> On 8/10/18 9:12 PM, Walt wrote:
>> On August 10, 2018 3:57 PM, Henry Bonath he...@thebonaths.com wrote:
>>
>>> Also could it be that you are using IPv6, not IPv4? (and your IPv6 is
>>> missing its gateway)
>>> If the IPv6 gateway is bad/missing you'll get that "no route to host"
>>> message.
>>
>> I've encountered that issue before, but it isn't that big a problem with me. 
>> As an ISP, the /56 we have been allocated is too small to be very useful so 
>> I'm holding back on working on it much until such time as we get at least a 
>> /48 if not a /40.  I'd like to be able to assign each customer a /56 but 
>> would settle for a /60 for each.  With a /60, I could only handle sixteen 
>> customers.  We have a number of customers for whom a /64 wouldn't cut it at 
>> all.
>>
>> I never have figured out the proper way to configure rtadvd.conf. In 
>> particular, there is an addr and an rtprefix.
>>
>> addr is, according to the man page, "The address filled into Prefix field" 
>> while rtprefix is " The prefix filled into the Prefix field of route 
>> information option". And then there are the proper prefix lengths -- do I 
>> use 64 or 56? It seems like prefixlen must be 64, but rtplen doesn't seem to 
>> make much difference.
>>
>> And then there is the kea side for prefix delegations.
>>
>> Since I can just put the IPv6 gateway into /etc/mygate, it's not a problem 
>> from the OpenBSD machines and it will never be a big issue if I can't get a 
>> properly sized allocation of addresses from AT
>>
>> Walt
>>
>>
> 



Re: "no route to host" from pkg_add

2018-08-10 Thread Daniel Ouellet
Hi,

I am not sure you got that right.

If you are an ISP the minimum assignment is /32 and you assign /48 to
end companies and /56 to users.

If you ask me that's a waste, but that's what they suggest.

For end users, a /64 would be plenty if you ask me and a /56 for a company
would be plenty as well.

But if you truly follow their policy, then well, maybe we will run out
there too like in IPv4 when it really starts to be assigned, but anyway
that's for a different discussion.

Anyway see the ARIN policy for it:

https://www.arin.net/vault/policy/archive/ipv6_policy.html

If you are not under ARIN, but RIPE, APNIC, AfriNIC, Lacnic, etc.,

they have similar policies.

I would encourage you to check that if your problem is really that you
got too small an assignment.

Unless you're a very small ISP that got its assignment from your transit
provider as opposed to your own and getting your own AS number, you will have
plenty to work with.

I really do not know of ANY ISP that gets a /56 for real.

I got my assignment in 2003 and the policy still hasn't changed.

Hope this helps you some.

Daniel.


On 8/10/18 9:12 PM, Walt wrote:
> On August 10, 2018 3:57 PM, Henry Bonath he...@thebonaths.com wrote:
> 
>> Also could it be that you are using IPv6, not IPv4? (and your IPv6 is
>> missing its gateway)
>> If the IPv6 gateway is bad/missing you'll get that "no route to host"
>> message.
> 
> I've encountered that issue before, but it isn't that big a problem with me. 
> As an ISP, the /56 we have been allocated is too small to be very useful so 
> I'm holding back on working on it much until such time as we get at least a 
> /48 if not a /40.  I'd like to be able to assign each customer a /56 but 
> would settle for a /60 for each.  With a /60, I could only handle sixteen 
> customers.  We have a number of customers for whom a /64 wouldn't cut it at 
> all.
> 
> I never have figured out the proper way to configure rtadvd.conf. In 
> particular, there is an addr and an rtprefix.
> 
> addr is, according to the man page, "The address filled into Prefix field" 
> while rtprefix is " The prefix filled into the Prefix field of route 
> information option". And then there are the proper prefix lengths -- do I use 
> 64 or 56? It seems like prefixlen must be 64, but rtplen doesn't seem to make 
> much difference.
> 
> And then there is the kea side for prefix delegations.
> 
> Since I can just put the IPv6 gateway into /etc/mygate, it's not a problem 
> from the OpenBSD machines and it will never be a big issue if I can't get a 
> properly sized allocation of addresses from AT
> 
> Walt
> 
> 



Re: Daily insecurity output on valid users using key with valid shell and without password.

2018-07-01 Thread Daniel Ouellet
Hi Stuart,

The counting to 13 was actually a sarcastic joke. (:

But thanks never the less.

Daniel



On 7/1/18 5:54 PM, Stuart Henderson wrote:
> On 2018-07-01, Daniel Ouellet  wrote:
>> Ha the old man page.
>>
>> Not good to read to quickly. (:
>>
>> Sorry for the noise.
>>
>> Now I just need to learn to count up to 13.
> 
> Edit in vi, '13i*^[' or '13i*'
> 
> 



Re: Daily insecurity output on valid users using key with valid shell and without password.

2018-07-01 Thread Daniel Ouellet
Ha the old man page.

Not good to read too quickly. (:

Sorry for the noise.

Now I just need to learn to count up to 13.

Daniel


By convention, accounts that are not intended to be logged in to (e.g. bin, daemon,
sshd) only contain a single asterisk in the password field.  Note that
there is nothing special about `*', it is just one of many characters
that cannot occur in a valid encrypted password (see crypt(3)).
Similarly, login accounts not allowing password authentication but
allowing other authentication methods, for example public key
authentication, conventionally have 13 asterisks in the password field.



On 7/1/18 2:44 PM, Remco wrote:
> Op 07/01/18 om 19:22 schreef Daniel Ouellet:
>> I find this annoying and sometimes I overlook this because I always get
>> the example:
>>
>> ==
>> Running security(8):
>>
>> Checking the /etc/master.passwd file:
>> Login share is off but still has a valid shell and alternate access
>> files in
>>  home directory are still readable.
>> Login xxx is off but still has a valid shell and alternate access
>> files in
>>  home directory are still readable.
>> =
>>
>> Is there a better or different way to do this?
>>
>> I always disable the login password on users with * as opposed to a password
>> in the master.passwd file after keys are installed, as I DO NOT want to
>> allow password login when ssh keys are used, but I still get the above
>> warning daily on multiple servers & users.
>>
>> The Running security(8): is nice as you see possible changes done by sys
>> admins and you get the feedback, but getting daily warnings for the same
>> things will sometimes get overlooked because of noise.
>>
>> Is there a better way to disable login and not get these warnings for ssh
>> key users and keep the valid idea and use of the cronjob as is?
>>
>> Daniel
>>
>>
> 
> I think you need to use 13 asterisks for the password, passwd(5) has a
> brief mention of this.



Daily insecurity output on valid users using key with valid shell and without password.

2018-07-01 Thread Daniel Ouellet
I find this annoying and sometimes I overlook this because I always get
the example:

==
Running security(8):

Checking the /etc/master.passwd file:
Login share is off but still has a valid shell and alternate access files in
 home directory are still readable.
Login xxx is off but still has a valid shell and alternate access files in
 home directory are still readable.
=

Is there a better or different way to do this?

I always disable the login password on users with * as opposed to a password
in the master.passwd file after keys are installed, as I DO NOT want to
allow password login when ssh keys are used, but I still get the above
warning daily on multiple servers & users.

The Running security(8): is nice as you see possible changes done by sys
admins and you get the feedback, but getting daily warnings for the same
things will sometimes get overlooked because of noise.

Is there a better way to disable login and not get these warnings for ssh
key users and keep the valid idea and use of the cronjob as is?

Daniel
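To see what the passwd(5) convention quoted earlier in this thread means for the daily warning above, here is an added example, not code from the thread or from OpenBSD's security(8) script: it parses a constructed master.passwd sample, classifies each password field, and reports accounts whose field is a single '*' but whose shell is still a login shell, while treating the 13-asterisk form as key-only. The sample entries, the VALID_SHELLS stand-in for /etc/shells and the simplified warning rule are all assumptions.

```python
"""Added example (not from the thread or from OpenBSD's security(8)):
read master.passwd entries and apply the passwd(5) convention for '*' and
for thirteen '*'s."""
from typing import Dict, Iterable, List

# Constructed sample. The root line carries a placeholder, not a real hash.
SAMPLE_MASTER_PASSWD = """\
root:$2b$10$PLACEHOLDER.not.a.real.hash:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
sshd:*:27:27::0:0:sshd privsep:/var/empty:/sbin/nologin
share:*:1001:1001::0:0:Share user:/home/share:/bin/ksh
xxx:*************:1002:1002::0:0:Key-only user:/home/xxx:/bin/ksh
"""

# Stand-in for /etc/shells (assumption).
VALID_SHELLS = {"/bin/sh", "/bin/ksh", "/bin/csh"}

FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home", "shell")


def parse_master_passwd(text: str) -> List[Dict[str, str]]:
    """Split master.passwd(5) lines into their ten colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed master.passwd line: {line!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def classify_password(pwd: str) -> str:
    """What the password field means under the passwd(5) convention."""
    if pwd == "":
        return "no password"                     # anyone can log in
    if pwd == "*":
        return "login disabled"                  # bin, daemon, sshd style
    if pwd == "*" * 13:
        return "password disabled, other auth allowed"   # e.g. ssh public key
    if set(pwd) == {"*"}:
        return "login disabled (nonstandard)"    # still never a valid crypt(3) hash
    return "password enabled"


def insecurity_warnings(entries: Iterable[Dict[str, str]],
                        shells: Iterable[str] = VALID_SHELLS) -> List[str]:
    """Simplified model of the daily check quoted in the thread: an account
    whose password is the single '*' but whose shell is still a login shell
    is reported. The 13-asterisk form is the documented key-only signal and
    is left alone. The real security(8) script checks more than this."""
    shells = set(shells)
    return [f"Login {e['name']} is off but still has a valid shell."
            for e in entries
            if classify_password(e["password"]) == "login disabled"
            and e["shell"] in shells]


if __name__ == "__main__":
    for entry in parse_master_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{entry['name']:8} {classify_password(entry['password'])}")
    for warning in insecurity_warnings(parse_master_passwd(SAMPLE_MASTER_PASSWD)):
        print(warning)
```

On the sample, only "share" (single '*', /bin/ksh) is reported; "xxx" with thirteen asterisks is not, which is the change Remco's reply suggests.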



Re: OT: Temperature sensors suggestions?

2018-05-18 Thread Daniel Ouellet
Thanks,

That looks interesting. I wonder how the wifi works on this ESP8266 module.

It's so cheap that it's nothing lost to try. (;

Will see if I get other suggestions, but that's interesting and it may well
be fun to program a driver for the SHT31-D too. (;

Daniel.



On 5/18/18 5:53 PM, Base Pr1me wrote:
> I roll SHT31-Ds through ESP8266s via I2C. Of course, there is programming
> involved.
> Good hardware though, if that's what you're looking for.
> 
> On Fri, May 18, 2018 at 2:42 PM, Daniel Ouellet <dan...@presscom.net> wrote:
> 
>> Does anyone have a decent temperature sensor that can connect to an
>> OpenBSD server and be reliable and give decent readings via either
>> USB or serial port or even stand alone via Ethernet?
>>
>> I ask because yes I can use the sensors on some servers, but I got a
>> pretty expensive router blowing up because an AC unit stopped working and
>> in a few hours the router was history, and I need something reliable so I
>> can graph the changes in temperature to keep track of things.
>>
>> I got lucky this time as that unit was providing 192 VoIP channels and
>> I had just moved them from PRI to full SIP like a month earlier. If I
>> hadn't done that it would have been a disaster for me!
>>
>> So, I need more than just server sensors so I can place these at
>> various locations to get a better idea of what's going on.
>>
>> I don't understand why it is so difficult to have decent AC technicians
>> keep AC units working properly. It's not like brain surgery, but that's
>> always a problem.
>>
>> Anything you know or use that is reliable that you can recommend would
>> be very much appreciated.
>>
>> I am trying to keep it simple, so using base tools in OpenBSD is a must,
>> no proprietary shit or Windows crap like I found tonnes of. I have had
>> NO Windows systems for 20+ years already and I am sure as hell not going to
>> install any either. I try to keep it simple. Even snmp reading is fine.
>> The simpler the better. I can grab the reading and save it to a database to
>> graph later and what not. I got two self-standing units in the past,
>> nice but they got hacked and were not useful obviously, so an add-on to OpenBSD
>> is better to me. I trust that way more than all the self-standing units,
>> records proving it...
>>
>> If that's of no interest for the list feel free to reply off-list as well,
>> but I guess some might like to know too.
>>
>> Thanks in advance for any suggestions...
>>
>> Daniel
>>
>>



OT: Temperature sensors suggestions?

2018-05-18 Thread Daniel Ouellet
Does anyone have a decent temperature sensor that can connect to an
OpenBSD server and be reliable and give decent readings via either
USB or serial port or even stand alone via Ethernet?

I ask because yes I can use the sensors on some servers, but I got a
pretty expensive router blowing up because an AC unit stopped working and
in a few hours the router was history, and I need something reliable so I
can graph the changes in temperature to keep track of things.

I got lucky this time as that unit was providing 192 VoIP channels and
I had just moved them from PRI to full SIP like a month earlier. If I
hadn't done that it would have been a disaster for me!

So, I need more than just server sensors so I can place these at
various locations to get a better idea of what's going on.

I don't understand why it is so difficult to have decent AC technicians
keep AC units working properly. It's not like brain surgery, but that's
always a problem.

Anything you know or use that is reliable that you can recommend would
be very much appreciated.

I am trying to keep it simple, so using base tools in OpenBSD is a must,
no proprietary shit or Windows crap like I found tonnes of. I have had
NO Windows systems for 20+ years already and I am sure as hell not going to
install any either. I try to keep it simple. Even snmp reading is fine.
The simpler the better. I can grab the reading and save it to a database to
graph later and what not. I got two self-standing units in the past,
nice but they got hacked and were not useful obviously, so an add-on to OpenBSD
is better to me. I trust that way more than all the self-standing units,
records proving it...

If that's of no interest for the list feel free to reply off-list as well,
but I guess some might like to know too.

Thanks in advance for any suggestions...

Daniel



Re: Date of yesterday

2018-04-09 Thread Daniel Ouellet
On 4/9/18 4:36 PM, Stephane HUC "PengouinBSD" wrote:
> what?
> 
> please, explain-me!

EDT EST for example.

Some days are even 82800 long.

Some time zones even have a 1/2 hour, if these still exist, so that would be

84600 or 88200.



Re: Date of yesterday

2018-04-09 Thread Daniel Ouellet
Here to confuse you even more, there are time zones that have 30 minute
and even 45 minute differences.

https://www.timeanddate.com/time/time-zones-interesting.html

Have fun.


On 4/9/18 4:44 PM, Daniel Ouellet wrote:
> On 4/9/18 4:36 PM, Stephane HUC "PengouinBSD" wrote:
>> what?
>>
>> please, explain-me!
> 
> EDT EST for example.
> 
> Some days are even 82800 long.
> 
> Some time zones even have a 1/2 hour, if these still exist, so that would be
> 
> 84600 or 88200.
> 
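Added example, not from either post: the day lengths Daniel mentions follow from the DST switch, and the script below shows why "yesterday" computed as "now minus 86400 seconds" lands on the wrong date around it. The EST/EDT rule is hard-coded from the post-2007 US schedule (an assumption, chosen so no tzdata is needed) and every datetime is a naive UTC or naive Eastern wall-clock value.

```python
"""Added example (not from the thread): local days that cross a DST change
are 23 or 25 hours long (82800 or 90000 seconds), so 'now - 86400 s' is
not always yesterday. The EST/EDT switch below is the post-2007 US rule,
hard-coded as an assumption; all datetimes are naive."""
from datetime import date, datetime, timedelta


def _nth_sunday(year: int, month: int, n: int) -> date:
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(days=7 * (n - 1))


def eastern_offset(utc: datetime) -> timedelta:
    """UTC offset of US Eastern time at the naive UTC instant `utc`:
    EDT (UTC-4) from 02:00 EST on the 2nd Sunday of March until 02:00 EDT
    on the 1st Sunday of November, EST (UTC-5) otherwise (assumed rule)."""
    start_day = _nth_sunday(utc.year, 3, 2)
    end_day = _nth_sunday(utc.year, 11, 1)
    dst_start = datetime(start_day.year, start_day.month, start_day.day, 7)  # 02:00 EST
    dst_end = datetime(end_day.year, end_day.month, end_day.day, 6)          # 02:00 EDT
    return timedelta(hours=-4) if dst_start <= utc < dst_end else timedelta(hours=-5)


def to_local(utc: datetime) -> datetime:
    """Naive Eastern wall-clock time for a naive UTC instant."""
    return utc + eastern_offset(utc)


def local_midnight_utc(day: date) -> datetime:
    """UTC instant of 00:00 Eastern on `day`. Midnight never falls inside the
    02:00 gap or overlap, so the offset there is unambiguous."""
    midnight = datetime(day.year, day.month, day.day)
    guess = midnight + timedelta(hours=5)            # assume EST
    if eastern_offset(guess) == timedelta(hours=-4):
        guess = midnight + timedelta(hours=4)        # it is EDT
    return guess


def day_length_seconds(day_iso: str) -> int:
    """Seconds from local midnight on the given day to the next local midnight."""
    day = date.fromisoformat(day_iso)
    span = local_midnight_utc(day + timedelta(days=1)) - local_midnight_utc(day)
    return int(span.total_seconds())


def yesterday_by_subtraction(utc_now_iso: str) -> str:
    """The tempting shortcut: local date of (now - 86400 s)."""
    now = datetime.fromisoformat(utc_now_iso)
    return to_local(now - timedelta(seconds=86400)).date().isoformat()


def yesterday_by_calendar(utc_now_iso: str) -> str:
    """Calendar arithmetic on the local date: always the previous day."""
    now = datetime.fromisoformat(utc_now_iso)
    return (to_local(now).date() - timedelta(days=1)).isoformat()


if __name__ == "__main__":
    for d in ("2018-03-11", "2018-04-09", "2018-11-04"):
        print(d, day_length_seconds(d))
    # 2018-03-12T04:30 UTC is 00:30 EDT, half an hour into the day after the switch.
    print(yesterday_by_subtraction("2018-03-12T04:30"), yesterday_by_calendar("2018-03-12T04:30"))
```

At 00:30 local on the day after the spring change, the subtraction lands on 2018-03-10, two days back, while calendar arithmetic gives 2018-03-11.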



Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Daniel Ouellet
Come on guys.

If you actually donate and click on any of the links there you would see it
brings you to a secure page.

No need to have this one be https really, there isn't any information
you enter on it...

I guess the sand is way thicker in some places than others.

Must be nice beaches there and pretty bikinis too I hope!


On 2/6/18 1:03 PM, Charlie Eddy wrote:
> agreed - using HTTP instead of HTTPS is a great way to encourage that
> activity, and since I love having my head in the sand like an ostrich I
> encourage us to not encrypt the donation links to the most secure operating
> system available to the public. That way we can't donate securely to the
> foundation we support - the sand is great from down here
> 
> On Tue, Feb 6, 2018 at 3:32 AM, Hess THR  wrote:
> 
>> troll on
>>
>> hey, yeah, you are absolutely right!
>>
>> no one would ever modify (since plain http) the example.:
>>
>> http://www.openbsdfoundation.org/donations.html
>>
>> page, where are the PayPal donation links, bitcoin donation links are,
>> without anybody noticing!
>>
>> Why would someone do something like this? we live in a perfect world
>> without bad people! yay pink ponies!
>>
>> troll off
>>
>>
>>> Sent: Tuesday, February 06, 2018 at 12:23 PM
>>> From: "Ian Sutton" 
>>> To: "Hess THR" 
>>> Cc: "misc@OpenBSD.org" 
>>> Subject: Re: OpenBSD Foundation on HTTPS
>>>
>>> Hi,
>>>
>>> There is no need. There is nothing secret on those web servers, there
>>> is no logical reason to encrypt it. This issue has been discussed to
>>> death. Please check archives.
>>>
>>> Ian
>>>
>>> On Tue, Feb 6, 2018 at 4:03 AM, Hess THR  wrote:
>>>> Hello,
>>>>
>>>> because HTTPS increases the authenticity, integrity, privacy:
>>>> https://en.wikipedia.org/wiki/HTTPS
>>>>
>>>> going to apache/iis/nginx/linux will not increase "security". since
>>>> they have very buggy code.
>>>>
>>>> but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting
>>>> the code in the base?
>>>>
>>>>
>>>>> Sent: Friday, December 15, 2017 at 12:11 PM
>>>>> From: "Vivek Vinod" 
>>>>> To: "Hess THR" 
>>>>> Subject: Re: OpenBSD Foundation on HTTPS
>>>>>
>>>>> 1) Why do you want https support?
>>>>> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest
>>>>> we shift to IIS as well? Wait, I guess more people use Linux, so we should
>>>>> stop using OpenBSD all together.
>>>>>
>>>>>
>>>>> -Original Message-
>>>>> From:  on behalf of Hess THR <hessnovth...@mail.com>
>>>>> Date: Friday, 15 December 2017 at 4:20 PM
>>>>> To: , 
>>>>> Subject: OpenBSD Foundation on HTTPS
>>>>>
>>>>> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
>>>>> support HTTPS, while in 2017 Dec, ~70% of the websites do:
>>>>> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
>>>>> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
>>>>> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
>>>>> BTW, wow:
>>>>> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
>>>>>
>>>>
>>>
>>
>>



Re: Community-driven OpenBSD tutorials wiki?

2018-01-04 Thread Daniel Ouellet
On 1/4/18 11:46 AM, Marcus MERIGHI wrote:
> andreasthu...@gmail.com (Andreas Thulin), 2018.01.04 (Thu) 15:17 (CET):
>> Thought I'd create an OpenBSD wiki somewhere, where anyone (especially
> 
>> existing tutorials become outdated, and was thinking that a wiki would
>> make updates easier.  
> 
> You don't know you are standing on an ancient battle ground :-)
> 
> https://marc.info/?l=openbsd-misc=141611711607893

This is NOT officially blessed and it is old; as the site says, this is for
the community to do, but I did that in 2004 after I was fed up with
all these comments that it should be done.

https://marc.info/?l=openbsd-misc=110029083800034=2

I have thought about deleting it for many years now, but that was an exercise in
the shut up and hack mentality.

Only 2 persons stepped in in 15 years to do anything and they did it maybe 3
or 4 times.

The site is total SHIT!!!

But it is there to show how useless all these comments are, as talk is
cheap, but doing the work, not so much.

> I dare to forecast the answer: 
> If there's a lack of documentation, improve it in-place, send patches.

Obviously that wasn't a wiki; 15 years is a long time but it's proven
the point: everyone talks and no one does the work.

> Do not expect anyone to be grateful if you put information out on the
> web and misc@ gets the spam because your four year old examples do not
> work anymore.

Amen. misc@ gets a lot of crap and frankly I must admit the devs have a
very thick skin to take all the sad comments you see on it.

I thought many times about deleting the site; I just kept it for the
joke of it, I guess.

But if anyone was actually serious, and I really don't think anyone is
yet after 15 years, then it could be changed.

I would be more than happy to redo it and host it like this at Equinix
in Ashburn, Virginia, where I have over 125 network peering connections,
so connectivity is not the issue; doing the work is.

If anyone comes with a decent setup that works, I would be more than
happy to find it a home and even give some restricted shell access to
that person/persons if they are actually serious.

But experience has proven it time and time again: when the subject comes
up, it will die soon.

Going back under my rock...



Re: NTP issue on Lanner FW-7526B

2017-12-08 Thread Daniel Ouellet
It is adjusting the time, but your clock is way off, so it tries to do it
slowly so as not to mess up any logs; but if you want to adjust it all at
once and don't care about that for now:

rdate -n4 pool.ntp.org

Simple.



On 12/8/17 9:58 AM, mabi wrote:
> Hi,
> 
> I have a new Lanner FW-7526B firewall loaded with OpenBSD 6.2. I must say 
> it's a nice small firewall but unfortunately the ntp daemon does not seem to 
> manage to set the time correctly with this hardware. The time is off by 
> approximately 1:20h and every 2-3 minutes I see the following log entries:
> 
> Dec  9 14:26:10 fw ntpd[828]: adjusting local clock by -85381.687984s
> Dec  9 14:29:53 fw ntpd[828]: adjusting local clock by -85380.584607s
> Dec  9 14:31:33 fw ntpd[828]: adjusting local clock by -85380.084014s
> Dec  9 14:33:12 fw ntpd[828]: adjusting local clock by -85379.589606s
> 
> ntpctl reports:
> 
> 4/4 peers valid, constraint offset -85442s, clock unsynced, clock offset is 
> -85378257.156ms
> 
> Any ideas what could be wrong here? I use the default ntp.conf file delivered 
> with OpenBSD 6.2.
> 
> In case I pasted below the dmesg output.
> 
> Regards,
> Mabi
> 
> OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017
> 
> r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8559403008 (8162MB)
> avail mem = 8292978688 (7908MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f52 (53 entries)
> bios0: vendor American Megatrends Inc. version "5.6.5" date 02/26/2016
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S5
> acpi0: tables DSDT FACP FPDT MCFG WDAT UEFI APIC BDAT HPET SSDT SPCR HEST 
> BERT ERST EINJ
> acpi0: wakeup devices PS2K(S0) PS2M(S0) PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) 
> EHC1(S0)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Atom(TM) CPU C2518 @ 1.74GHz, 1750.32 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
> cpu0: 1MB 64b/line 16-way L2 cache
> cpu0: TSC frequency 1750324380 Hz
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 83MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Atom(TM) CPU C2518 @ 1.74GHz, 1750.00 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
> cpu1: 1MB 64b/line 16-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Atom(TM) CPU C2518 @ 1.74GHz, 1750.00 MHz
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
> cpu2: 1MB 64b/line 16-way L2 cache
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Atom(TM) CPU C2518 @ 1.74GHz, 1750.00 MHz
> cpu3: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
> cpu3: 1MB 64b/line 16-way L2 cache
> cpu3: smt 0, core 3, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (PEX1)
> acpiprt2 at acpi0: bus 2 (PEX2)
> acpiprt3 at acpi0: bus 3 (PEX3)
> acpiprt4 at acpi0: bus 4 (PEX4)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> acpicpu2 at acpi0: C1(@1 halt!)
> acpicpu3 at acpi0: C1(@1 halt!)
> "PNP0003" at acpi0 not configured
> "PNP0F03" at acpi0 not configured
> "PNP0C33" at acpi0 not configured
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1f0d rev 0x02
> ppb0 at pci0 dev 1 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
> pci1 at ppb0 bus 1
> em0 at pci1 dev 0 function 0 "Intel I210 Fiber" rev 0x03: msi, address 
> 
> ppb1 at pci0 dev 2 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
> pci2 at ppb1 bus 2
> em1 at pci2 dev 0 function 0 "Intel I210 Fiber" 
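An added example, not part of the thread: it reads the four ntpd log lines mabi posted, measures how fast ntpd is slewing, and estimates how long closing the remaining offset would take at that rate, which is why the reply above suggests stepping the clock once with rdate instead of waiting. The function names and the MAX_DAYS threshold are my own.

```shell
#!/bin/sh
# Added example, not from the thread.  ntpd slews a large offset a little at a
# time; from two or more "adjusting local clock by" lines we can measure the
# slew rate and estimate how long ntpd would need to close the remaining gap.

# Constructed input: the four lines mabi posted, in BSD syslog format.
sample_ntpd_log() {
    cat <<'EOF'
Dec  9 14:26:10 fw ntpd[828]: adjusting local clock by -85381.687984s
Dec  9 14:29:53 fw ntpd[828]: adjusting local clock by -85380.584607s
Dec  9 14:31:33 fw ntpd[828]: adjusting local clock by -85380.084014s
Dec  9 14:33:12 fw ntpd[828]: adjusting local clock by -85379.589606s
EOF
}

# ntpd_slew_eta: read syslog lines on stdin and print one line
#   rate_ppm=<slew rate, parts per million> remaining_s=<|offset| left> eta_days=<days at that rate>
# Exits 1 when fewer than two adjusting lines were seen or no progress is visible.
ntpd_slew_eta() {
    awk '
    /ntpd\[[0-9]+\]: adjusting local clock by/ {
        split($3, t, ":")                        # HH:MM:SS of the syslog stamp
        now = t[1] * 3600 + t[2] * 60 + t[3]
        off = $NF; sub(/s$/, "", off); off += 0  # "-85381.687984s" -> number
        if (n == 0) { t0 = now; o0 = off }
        t1 = now; o1 = off; n++
    }
    END {
        if (n < 2) { print "error: need at least two adjusting lines"; exit 1 }
        dt = t1 - t0
        if (dt < 0) dt += 86400                  # stamps crossed midnight
        if (dt == 0) { print "error: no time elapsed between samples"; exit 1 }
        rate = (o1 - o0) / dt                    # seconds of offset removed per second
        if (rate < 0) rate = -rate
        if (rate == 0) { print "error: no measurable progress"; exit 1 }
        remaining = (o1 < 0) ? -o1 : o1
        printf "rate_ppm=%d remaining_s=%d eta_days=%d\n", int(rate * 1000000), int(remaining), int(remaining / rate / 86400)
    }'
}

# ntpd_needs_step MAX_DAYS: succeed when slewing the offset described on stdin
# would take longer than MAX_DAYS, i.e. when a one-off step such as the
# "rdate -n4 pool.ntp.org" from the reply above is the practical fix.
ntpd_needs_step() {
    eta=$(ntpd_slew_eta | sed -n 's/.*eta_days=\([0-9]*\).*/\1/p')
    [ -n "$eta" ] && [ "$eta" -gt "$1" ]
}

# Stand-alone run over the sample: prints rate_ppm=4972 remaining_s=85379 eta_days=198
sample_ntpd_log | ntpd_slew_eta
```

On mabi's numbers ntpd gains about 2.1 s of offset per 7 minutes, so the 85 379 s gap would take roughly 199 days to slew away.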

Re: EdgeRouter Lite VS Alix2D3

2017-12-04 Thread Daniel Ouellet
On 12/4/17 12:12 PM, Daniel Ouellet wrote:
> On 12/4/17 8:49 AM, Ivo Chutkin wrote:
>> Hello list,
>>
>> When I read OpenBSD could run on EdgeRouter Lite, I gave it a try (now
>> with 6.2 current as of 28.11.2017).
>> I expected performance closer to Alix, but ERL does not even respond on
>> the console in reasonable time; for example, it takes 10-15 sec to log in.
>> After reboot, it takes about 5 min on "reordering libraries:" vs 30 sec
>> on Alix.
>>
>> Is it what I should expect from ERL, or am I doing something wrong here?
>>
>> Thanks for your input,
>> Ivo
> 
> Get better USB Flash Drive!
> 
> Mine is:
> 
> sd0 at scsibus0 targ 1 lun 0: <SanDisk, Cruzer Fit, 1.27> SCSI4 0/direct
> removable serial.07815571360927117103
> 
> When I simply ping the box to see how long the reboot is and include the
> full reorder of library...
> 
> Well here it is:
> 
> 64 bytes from 10.0.0.13: icmp_seq=21 ttl=255 time=0.404 ms
> 64 bytes from 10.0.0.13: icmp_seq=72 ttl=255 time=274.757 ms
> 
> See 51 lost ping at 1 per/sec, so 51 sec to be out of service to be back
> online ready for processing again.
> 
> $ dmesg
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
> 
> OpenBSD 6.2 (GENERIC) #0: Wed Oct  4 04:56:39 UTC 2017
> visa@octeon:/usr/src/sys/arch/octeon/compile/GENERIC
> real mem = 536870912 (512MB)
> avail mem = 524009472 (499MB)
> mainbus0 at root
> cpu0 at mainbus0: CN50xx CPU rev 0.1 500 MHz, Software FP emulation
> cpu0: cache L1-I 32KB 4 way D 8KB 64 way, L2 128KB 8 way
> clock0 at mainbus0: int 5
> iobus0 at mainbus0
> simplebus0 at iobus0: "soc"
> octciu0 at simplebus0
> cn30xxsmi0 at simplebus0
> com0 at simplebus0: ns16550a, 64 byte fifo
> com0: console
> dwctwo0 at iobus0 base 0x118006800 irq 56
> usb0 at dwctwo0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "Octeon DWC2 root hub" rev
> 2.00/1.00 addr 1
> octrng0 at iobus0 base 0x14000 irq 0
> cn30xxgmx0 at iobus0 base 0x118000800
> cnmac0 at cn30xxgmx0: RGMII, address 44:d9:e7:40:ac:f8
> atphy0 at cnmac0 phy 7: AR8035 10/100/1000 PHY, rev. 2
> cnmac1 at cn30xxgmx0: RGMII, address 44:d9:e7:40:ac:f9
> atphy1 at cnmac1 phy 6: AR8035 10/100/1000 PHY, rev. 2
> cnmac2 at cn30xxgmx0: RGMII, address 44:d9:e7:40:ac:fa
> atphy2 at cnmac2 phy 5: AR8035 10/100/1000 PHY, rev. 2
> /dev/ksyms: Symbol table not valid.
> umass0 at uhub0 port 1 configuration 1 interface 0 "SanDisk Cruzer Fit"
> rev 2.00/1.27 addr 2
> umass0: using SCSI over Bulk-Only
> scsibus0 at umass0: 2 targets, initiator 0
> sd0 at scsibus0 targ 1 lun 0: <SanDisk, Cruzer Fit, 1.27> SCSI4 0/direct
> removable serial.07815571360927117103
> sd0: 15267MB, 512 bytes/sector, 31266816 sectors
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> scsibus2 at softraid0: 256 targets
> boot device: sd0
> root on sd0a (55072c2137c3a4e7.a) swap on sd0b dump on sd0b
> WARNING: No TOD clock, believing file system.
> WARNING: CHECK AND RESET THE DATE!
> 

I was wrong for one thing.

The kernel reordering happened after the reboot, not before like when
you install the OS. My bad, sorry about misleading you here!

The reordering time is 2 minutes 16 seconds on mine.

But this below is still true.

I should also have added that in this very small box, the re-order of
the kernel is pointless I guess, as the kernel the box loads is the one
from the FAT partition. Look it up:

mount_msdos /dev/sd0i /mnt

and when you reboot and the kernel is reordered, the one that is replaced
is the one on /, not the one on the FAT partition the box boots from.

So, in this case, unless you write a script that actually mounts the FAT
partition and copies the new kernel to it for the next reboot, you still
are NOT using a different kernel every time.

So, if you don't do that then you may as well disable the kernel re-link part...

Just a simple thing missing in my previous observation.

So, you may not get what you think you're getting.
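The caveat above, as an added example that is not part of the thread: a script that mounts the FAT partition the box boots from and copies the relinked /bsd onto it only when the two files differ, so the next boot really uses the freshly linked kernel. The device and mount point are the ones the post names (mount_msdos /dev/sd0i /mnt); the kernel's file name on the FAT partition is an assumption, override FAT_KERNEL if yours differs.

```shell
#!/bin/sh
# Added example, not from the thread.  The relink rewrites /bsd on the root
# file system, but the loader takes its kernel from the FAT partition, so the
# relinked kernel is only booted if it is copied across.  Device and mount
# point follow the post; the file name on the FAT partition is an assumption.
ROOT_KERNEL=${ROOT_KERNEL:-/bsd}
FAT_DEV=${FAT_DEV:-/dev/sd0i}
FAT_MNT=${FAT_MNT:-/mnt}
FAT_KERNEL=${FAT_KERNEL:-$FAT_MNT/bsd}   # assumed name of the kernel the loader reads

# kernel_needs_sync SRC DST: return 0 when DST is missing or differs from SRC
# byte for byte, 1 when they are identical, 2 when SRC itself is missing.
kernel_needs_sync() {
    src=$1 dst=$2
    [ -f "$src" ] || { echo "kernel_needs_sync: $src not found" >&2; return 2; }
    [ -f "$dst" ] || return 0
    if cmp -s "$src" "$dst"; then return 1; else return 0; fi
}

# sync_kernel SRC DST: copy SRC over DST only when they differ.  The copy is
# written to DST.new and renamed into place, so an interruption mid-copy
# leaves the old bootable kernel intact rather than a truncated file.
sync_kernel() {
    src=$1 dst=$2
    rc=0
    kernel_needs_sync "$src" "$dst" || rc=$?
    case $rc in
        0) cp "$src" "$dst.new" && mv "$dst.new" "$dst" && echo "$dst updated from $src" ;;
        1) echo "$dst already matches $src" ;;
        *) echo "sync_kernel: cannot sync $src" >&2; return 1 ;;
    esac
}

# Mount the FAT partition, sync, unmount.  Only runs when the script is
# invoked as "sh thisscript run", so the functions can be sourced on their own.
main() {
    mount_msdos "$FAT_DEV" "$FAT_MNT" || return 1
    rc=0
    sync_kernel "$ROOT_KERNEL" "$FAT_KERNEL" || rc=$?
    umount "$FAT_MNT"
    return $rc
}
if [ "${1:-}" = run ]; then main; fi
```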



Re: EdgeRouter Lite VS Alix2D3

2017-12-04 Thread Daniel Ouellet
On 12/4/17 8:49 AM, Ivo Chutkin wrote:
> Hello list,
> 
> When I read OpenBSD could run on EdgeRouter Lite, I gave it a try (now
> with 6.2 current as of 28.11.2017).
> I expected performance closer to Alix, but ERL does not even respond on
> the console in reasonable time; for example, it takes 10-15 sec to log in.
> After reboot, it takes about 5 min on "reordering libraries:" vs 30 sec
> on Alix.
> 
> Is it what I should expect from ERL, or am I doing something wrong here?
> 
> Thanks for your input,
> Ivo

Get better USB Flash Drive!

Mine is:

sd0 at scsibus0 targ 1 lun 0: <SanDisk, Cruzer Fit, 1.27> SCSI4 0/direct
removable serial.07815571360927117103

When I simply ping the box to see how long the reboot is and include the
full reorder of library...

Well here it is:

64 bytes from 10.0.0.13: icmp_seq=21 ttl=255 time=0.404 ms
64 bytes from 10.0.0.13: icmp_seq=72 ttl=255 time=274.757 ms

See 51 lost ping at 1 per/sec, so 51 sec to be out of service to be back
online ready for processing again.

$ dmesg
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.
https://www.OpenBSD.org

OpenBSD 6.2 (GENERIC) #0: Wed Oct  4 04:56:39 UTC 2017
visa@octeon:/usr/src/sys/arch/octeon/compile/GENERIC
real mem = 536870912 (512MB)
avail mem = 524009472 (499MB)
mainbus0 at root
cpu0 at mainbus0: CN50xx CPU rev 0.1 500 MHz, Software FP emulation
cpu0: cache L1-I 32KB 4 way D 8KB 64 way, L2 128KB 8 way
clock0 at mainbus0: int 5
iobus0 at mainbus0
simplebus0 at iobus0: "soc"
octciu0 at simplebus0
cn30xxsmi0 at simplebus0
com0 at simplebus0: ns16550a, 64 byte fifo
com0: console
dwctwo0 at iobus0 base 0x118006800 irq 56
usb0 at dwctwo0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Octeon DWC2 root hub" rev
2.00/1.00 addr 1
octrng0 at iobus0 base 0x14000 irq 0
cn30xxgmx0 at iobus0 base 0x118000800
cnmac0 at cn30xxgmx0: RGMII, address 44:d9:e7:40:ac:f8
atphy0 at cnmac0 phy 7: AR8035 10/100/1000 PHY, rev. 2
cnmac1 at cn30xxgmx0: RGMII, address 44:d9:e7:40:ac:f9
atphy1 at cnmac1 phy 6: AR8035 10/100/1000 PHY, rev. 2
cnmac2 at cn30xxgmx0: RGMII, address 44:d9:e7:40:ac:fa
atphy2 at cnmac2 phy 5: AR8035 10/100/1000 PHY, rev. 2
/dev/ksyms: Symbol table not valid.
umass0 at uhub0 port 1 configuration 1 interface 0 "SanDisk Cruzer Fit"
rev 2.00/1.27 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: <SanDisk, Cruzer Fit, 1.27> SCSI4 0/direct
removable serial.07815571360927117103
sd0: 15267MB, 512 bytes/sector, 31266816 sectors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
boot device: sd0
root on sd0a (55072c2137c3a4e7.a) swap on sd0b dump on sd0b
WARNING: No TOD clock, believing file system.
WARNING: CHECK AND RESET THE DATE!



Re: Lanner NCA-4010D

2017-11-30 Thread Daniel Ouellet
No I don't have that one.

Too small for a router for me where I want to use it.

I am not saying it's good or bad, I don't have a clue, just that I need
way more ports than this has and it is NOT for use at home either.

Now as to where I buy them, I sure can put you in touch with my rep. I
have been working with him as far back as December 1989.

I have always bought my stuff from him for many years and he has always
been good to me, as opposed to any others that just want the sale and
move on, or big companies that have no clue who you are!!!

Not sure where you are, but if in the US, I am sure he would be happy to
help you.

I can provide you his contact in private if you like that.

I sure can recommend him and I did many times in the past.

Good luck for your setup.

Daniel


On 12/1/17 1:45 AM, Rupert Gallagher wrote:
> Do you have a dmesg for nca-1510?
> 
> http://www.lannerinc.com/products/network-appliances/x86-desktop-network-appliances/nca-1510
> 
> Besides, how did you buy them?
> 
> Sent from ProtonMail Mobile
> 
> On Fri, Dec 1, 2017 at 05:24, Daniel Ouellet <dan...@presscom.net> wrote:
> 
>> Just for the record, as I know I was looking to find a dmesg for them to
>> see if that would run OpenBSD before taking the chance to get them, and it
>> might be of interest to others as well. Here it goes, with 4 more to come;
>> all run well so far. More updates later after I test them as routers and see.
>> That's why I got them in the first place, so will see what I can do with
>> these to replace Cisco gear! This may help others too.
>> +++
>> OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017
>> r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> real mem = 34239832064 (32653MB)
>> avail mem = 33195106304 (31657MB)
>> mpath0 at root
>> scsibus0 at mpath0: 256 targets
>> mainbus0 at root
>> bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xeddc0 (101 entries)
>> bios0: vendor American Megatrends Inc. version "5.11" date 07/29/2016
>> bios0: Default string Default string
>> acpi0 at bios0: rev 2
>> acpi0: sleep states S0 S5
>> acpi0: tables DSDT FACP APIC FPDT FIDT MCFG UEFI DBG2 HPET MSCT SLIT SRAT WDDT SSDT SSDT SSDT PRAD DMAR
>> acpi0: wakeup devices IP2P(S0) XHCI(S0) EHC1(S0) EHC2(S0) RP01(S0) RP02(S0) RP03(S0) RP04(S0) RP05(S0) RP06(S0) RP07(S0) RP08(S0) BR1A(S0) BR1B(S0) BR2A(S0) BR2B(S0) [...]
>> acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.61 MHz
>> cpu0:
>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
>> cpu0: 256KB 64b/line 8-way L2 cache
>> cpu0: TSC frequency 1995611240 Hz
>> cpu0: smt 0, core 0, package 0
>> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
>> cpu0: apic clock running at 99MHz
>> cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
>> cpu1 at mainbus0: apid 2 (application processor)
>> cpu1: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.38 MHz
>> cpu1:
>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
>> cpu1: 256KB 64b/line 8-way L2 cache
>> cpu1: smt 0, core 1, package 0
>> cpu2 at mainbus0: apid 4 (application processor)
>> cpu2: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.38 MHz
>> cpu2:
>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
>> cpu2: 256KB 64b/line 8-way L2 cache
>> cpu2: smt 0, core 2, package 0
>> cpu3 at mainbus0: apid 6 (application processor)
>> cpu3: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.38 MHz
>> cpu3:
>> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,M

Lanner FW-8759A

2017-11-30 Thread Daniel Ouellet
OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017

r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17104031744 (16311MB)
avail mem = 16578637824 (15810MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec200 (78 entries)
bios0: vendor American Megatrends Inc. version "4.6.5" date 03/02/2015
bios0: INTEL Corporation DENLOW_WS
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT SSDT MCFG HPET SSDT SSDT ASF! DMAR
EINJ ERST HEST BERT
acpi0: wakeup devices PXSX(S0) RP01(S0) PXSX(S0) RP02(S0) PXSX(S0)
RP03(S0) PXSX(S0) RP04(S0) PXSX(S0) RP05(S0) PXSX(S0) RP06(S0) PXSX(S0)
RP07(S0) PXSX(S0) GLAN(S0) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.50 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 3600496320 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.00 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.00 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.00 MHz
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.00 MHz
cpu5:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 1, package 0
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.00 MHz
cpu6:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu6: 256KB 64b/line 8-way L2 cache
cpu6: smt 1, core 2, package 0
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) 

Lanner FW-7573B

2017-11-30 Thread Daniel Ouellet
OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017

r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17149325312 (16354MB)
avail mem = 16622563328 (15852MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f4e3000 (54 entries)
bios0: vendor American Megatrends Inc. version "5.6.5" date 04/07/2017
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP FPDT MCFG WDAT UEFI APIC BDAT HPET SSDT SPCR
HEST BERT ERST EINJ
acpi0: wakeup devices PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) EHC1(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2518 @ 1.74GHz, 1750.32 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 1750316400 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2518 @ 1.74GHz, 1750.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Atom(TM) CPU C2518 @ 1.74GHz, 1750.00 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Atom(TM) CPU C2518 @ 1.74GHz, 1750.00 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX1)
acpiprt2 at acpi0: bus 2 (PEX2)
acpiprt3 at acpi0: bus 3 (PEX3)
acpiprt4 at acpi0: bus 4 (PEX4)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicpu2 at acpi0: C1(@1 halt!)
acpicpu3 at acpi0: C1(@1 halt!)
"PNP0003" at acpi0 not configured
"PNP0400" at acpi0 not configured
"PNP0C33" at acpi0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1f0d
rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel I210" rev 0x03: msi, address
00:90:0b:68:32:a2
ppb1 at pci0 dev 2 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel I210" rev 0x03: msi, address
00:90:0b:68:32:a3
ppb2 at pci0 dev 3 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
ppb3 at pci0 dev 4 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci4 at ppb3 bus 4
vendor "Intel", unknown product 0x1f18 (class processor subclass
Co-processor, rev 0x02) at pci0 dev 11 function 0 not configured
pchb1 at pci0 dev 14 function 0 "Intel Atom C2000 RAS" rev 0x02
"Intel Atom C2000 RCEC" rev 0x02 at pci0 dev 15 function 0 not configured
"Intel Atom C2000 SMBus" rev 0x02 at pci0 dev 19 function 0 not configured
em2 at pci0 dev 20 function 0 "Intel I354 SGMII" rev 0x03: msi, address
00:90:0b:68:32:9e
em3 at pci0 dev 20 function 1 "Intel I354 SGMII" rev 0x03: msi, address
00:90:0b:68:32:9f
em4 at pci0 dev 20 function 2 "Intel I354 SGMII" rev 0x03: msi, address
00:90:0b:68:32:a0
em5 at pci0 dev 20 function 3 "Intel I354 SGMII" rev 0x03: msi, address
00:90:0b:68:32:a1
ehci0 at pci0 dev 22 function 0 "Intel Atom C2000 USB" rev 0x02: apic 2
int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev
2.00/1.00 addr 1
ahci0 at pci0 dev 23 function 0 "Intel Atom C2000 AHCI" rev 0x02: msi,
AHCI 1.3
ahci0: port 3: 3.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 3 lun 0:  SCSI3 

Lanner NCA-5510A

2017-11-30 Thread Daniel Ouellet
OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017

r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 68589015040 (65411MB)
avail mem = 66503278592 (63422MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xeca30 (50 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 08/16/2016
bios0: Default string Default string
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG UEFI HPET MSCT SLIT SRAT
WDDT SSDT SSDT SSDT PRAD DMAR
acpi0: wakeup devices IP2P(S4) XHCI(S4) EHC1(S4) EHC2(S4) RP01(S4)
RP02(S4) RP03(S4) RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) BR1A(S4)
BR1B(S4) BR2A(S4) BR2B(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2623 v4 @ 2.60GHz, 2594.40 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2594398760 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2623 v4 @ 2.60GHz, 2593.99 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2623 v4 @ 2.60GHz, 2593.99 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5-2623 v4 @ 2.60GHz, 2593.99 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5-2623 v4 @ 2.60GHz, 2593.99 MHz
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5-2623 v4 @ 2.60GHz, 2593.99 MHz
cpu5:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 1, package 0
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5-2623 v4 @ 2.60GHz, 2593.99 MHz
cpu6:

Lanner NCA-5210B

2017-11-30 Thread Daniel Ouellet
OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017

r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3428722 (32698MB)
avail mem = 33241083904 (31701MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x9fae8000 (82 entries)
bios0: vendor American Megatrends Inc. version "5.12" date 07/14/2017
bios0: Default string Default string
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT HPET SSDT
SSDT UEFI SSDT LPIT SSDT SSDT SSDT SSDT DBGP DBG2 DMAR ASF! WSMT
acpi0: wakeup devices PEGP(S0) PEG0(S0) PEGP(S0) PEG1(S0) PEGP(S0)
PEG2(S0) PXSX(S0) RP09(S0) PXSX(S0) RP10(S0) PXSX(S0) RP11(S0) PXSX(S0)
RP12(S0) PXSX(S0) RP13(S0) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3912.00 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 391200 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 23MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3912.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3912.00 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3912.00 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3912.00 MHz
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3912.00 MHz
cpu5:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 1, package 0
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Xeon(R) CPU E3-1280 v6 @ 3.90GHz, 3912.00 MHz
cpu6:

Lanner NCA-4010D

2017-11-30 Thread Daniel Ouellet
Just for the record, as I know I was looking to find a dmesg for them
and see if they would run OpenBSD before taking the chance to get them,
and it might be of interest to others as well.

Here it goes, with 4 more to come; all run well so far.

More updates later after I test them as routers and see.

That's why I got them in the first place, so I will see what I can do with
these to replace Cisco gear!

This may help others too.

+++

OpenBSD 6.2 (GENERIC.MP) #0: Thu Oct 12 19:53:18 CEST 2017

r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34239832064 (32653MB)
avail mem = 33195106304 (31657MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xeddc0 (101 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 07/29/2016
bios0: Default string Default string
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG UEFI DBG2 HPET MSCT SLIT
SRAT WDDT SSDT SSDT SSDT PRAD DMAR
acpi0: wakeup devices IP2P(S0) XHCI(S0) EHC1(S0) EHC2(S0) RP01(S0)
RP02(S0) RP03(S0) RP04(S0) RP05(S0) RP06(S0) RP07(S0) RP08(S0) BR1A(S0)
BR1B(S0) BR2A(S0) BR2B(S0) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.61 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 1995611240 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.38 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.38 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.38 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 8 (application processor)
cpu4: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.38 MHz
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 0, core 4, package 0
cpu5 at mainbus0: apid 10 (application processor)
cpu5: Intel(R) Xeon(R) CPU D-1548 @ 2.00GHz, 1995.38 MHz
cpu5:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache

Re: CoDel Flows

2017-10-12 Thread Daniel Ouellet
> Also, the pf.conf man page says the default qlimit is 1024, but, if I
> don't specify a qlimit, pfctl -vsq shows a qlength of 50 when I was
> expecting it to be 1024.  What am I missing?

Why would you want to have a pool of 1024 as opposed to the default of 50
slots for your queue?

You will increase latency when you have congestion. It's not because you
can have a 1024 limit that it makes sense to use it by default.

The default is 50 and that's plenty good for most usage.

As Peter Hansteen would write, quote:

"Cranking up queue sizes here means we’re a little less likely to drop
packets when the traffic approaches the set limits, but it also means
that when the traffic shaping kicks in, we’ll see increased latency for
connections that end up in these larger than default pools."

It's a trade-off, just know the impact of your choice.

As for CoDel, I will let someone that actually uses it explain it
better than I could.

Hope this helps some.

Daniel
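An added illustration of the latency trade-off Daniel describes (this is not from the thread): the worst-case delay a full queue adds is qlimit × packet size ÷ bandwidth, so a bigger qlimit buys fewer drops at the cost of more delay under congestion. The script parses constructed pf.conf queue lines, applies the 50-packet default where no qlimit is set, and compares each queue's delay against a 1024-packet limit; the queue names, interface and bandwidths are assumptions.

```python
import re

DEFAULT_QLIMIT = 50          # pf.conf(5) default queue length, in packets
MTU_BYTES = 1500             # assumed full-size Ethernet frame

# Constructed pf.conf queue definitions for this example (not from the post).
PF_CONF = """\
queue rootq on em0 bandwidth 20M
queue std parent rootq bandwidth 10M default
queue bulk parent rootq bandwidth 5M qlimit 1024
"""

_UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_bandwidth(spec):
    """Turn a pf.conf bandwidth spec such as '10M' into bits per second."""
    m = re.fullmatch(r"(\d+)([KMG]?)", spec)
    if not m:
        raise ValueError(f"bad bandwidth spec: {spec!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_queues(conf):
    """Return {queue name: (bandwidth_bps, qlimit)} for each 'queue' line."""
    queues = {}
    for line in conf.splitlines():
        if not line.startswith("queue "):
            continue
        name = line.split()[1]
        bw = re.search(r"\bbandwidth (\S+)", line)
        ql = re.search(r"\bqlimit (\d+)", line)
        if not bw:
            raise ValueError(f"queue {name} has no bandwidth")
        queues[name] = (parse_bandwidth(bw.group(1)),
                        int(ql.group(1)) if ql else DEFAULT_QLIMIT)
    return queues


def worst_case_delay_ms(bandwidth_bps, qlimit, pkt_bytes=MTU_BYTES):
    """Delay a packet sees when it joins an already full queue that drains
    at the queue's bandwidth: every packet ahead of it must be sent first."""
    return qlimit * pkt_bytes * 8 * 1000 / bandwidth_bps


def compare(conf):
    """Per queue: worst-case delay at its configured qlimit vs. at 1024."""
    out = {}
    for name, (bw, ql) in parse_queues(conf).items():
        out[name] = {
            "qlimit": ql,
            "delay_ms": round(worst_case_delay_ms(bw, ql), 1),
            "delay_ms_at_1024": round(worst_case_delay_ms(bw, 1024), 1),
        }
    return out


if __name__ == "__main__":
    for name, r in compare(PF_CONF).items():
        print(f"{name:6s} qlimit={r['qlimit']:5d} "
              f"worst-case delay {r['delay_ms']:8.1f} ms "
              f"(at qlimit 1024: {r['delay_ms_at_1024']:8.1f} ms)")
```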



SoC Intel Xeon D-1518 & D-1548

2017-09-09 Thread Daniel Ouellet
Hi,

Is there anyone that knows of or has one of the Intel Xeon D-1548 SoCs that
works on OpenBSD?

I know the D-1518 does, I found the dmesg in the archive, but I can't
find anything at all on the D-1548.

Any clue?

Here is the D-1518:
https://marc.info/?l=openbsd-misc=146236157518744=2

I am asking as I am very much interested in testing this:

http://www.lannerinc.com/network-appliances/x86-rackmount-network-appliances/?option=com_content=article=1680:nca-4010=25:rackmount

Many thanks in advance for your time!

Daniel



Re: Qubes-OS is "fake" security

2017-05-12 Thread Daniel Ouellet
May I suggest you go read the FAQ before you spread misinformation. Qubes 
doesn't use KVM, it's built on Xen, and calling it just a GUI is like calling 
OpenBSD just a bunch of masturbating monkeys.

> On May 12, 2017, at 2:37 PM, flipchan  wrote:
> 
> Qubes os is just linux with a gui for some kvm vms(it sux)
> 
>> On May 12, 2017 5:57:11 PM GMT+02:00, I love OpenBSD  
>> wrote:
>> 
>> Both OpenBSD and Qubes OS don't guarantee
>> perfect security.
>> Qubes OS has a different take on security
>> than OpenBSD. Both have different
>> advantages and disadvantages.
>> Physical separation is more expensive
>> and you need to transport more devices
>> from place to place.
>> Qubes OS lets you run mainstream OSes.
>> OpenBSD is an OS and is a great tool to
>> get to know Unix-like OSes. It is also
>> a great environment to practise programming
>> in C language. See "Developing Software
>> in a Hostile Environment". There is a
>> "The J for junk option", pledge(2).
> 
> -- 
> Take Care Sincerely flipchan layerprox dev



Disable memory bank via sysctl, LOM or other on Sun V100?

2016-12-02 Thread Daniel Ouellet
Hi,

Is there a way to make the kernel think a full bank of memory is in use
by any chance on a Sun V100? I have what appears to be bad memory in it
and the server crashes; however, it is a remote server that I will not be
able to get to physically for a week if lucky. I wonder if there is a
way to make the kernel think it is full, or not there, so that the DMA
doesn't try to use it and then crash as a result.

I use the LOM to reset the server when that happens, but it does crash a
lot, always with the same DMA error messages.

I know it is dumb, but I just need to buy some time if that's possible
until I can replace the hardware totally. A quick workaround for the issue
for now.

Just thought to try this maybe; if not, then so be it.

Best,

Daniel



Re: Looking for a way to deal with unwanted HTTP requests using mod_perl

2016-09-29 Thread Daniel Ouellet
On 9/29/16 7:20 PM, Murk Fletcher wrote:
> There's Kickstarter's Rack::Attack if you're willing to "upgrade" to ie.
> Ruby on Rails:
> 
> https://github.com/kickstarter/rack-attack
> 
> I find this quite nice along with those pf bruteforce tables mentioned
> earlier.

Sure, I guess you can, but personally I prefer smaller solutions and
suggestions that are efficient and need minimal resources. This is like
saying to install Windows 10 just to use Notepad here...

I am fine with just vi/vim at times. (:

I think installing the full-blown Ruby on Rails suite for something as
simple as blocking brute force is overkill, but it's a shrinking free world
for most of it. One can choose what he/she sees fit.

Peace

Daniel



Re: Looking for a way to deal with unwanted HTTP requests using mod_perl

2016-09-29 Thread Daniel Ouellet
> I don't think bruteforce will be helpful in my case. I do occasionally
> get bruteforce attacks, but not very often.
> What I usually get are identical attacks of a certain set of variations
> of URLs from one IP address. A little later the same thing from another
> IP, then another, etc.
>
> One of the reasons I am thinking of a mod_perl solution is that mod_perl
> can step in very early in the Apache process. All kinds of things can be
> done long before normal access is available to other processes.
> But I have no experience using any of these parts of mod_perl. I have
> only used later functions in the cycle.

You can look in the archive.

I did, and continue to do, where Apache is still in use, a redirect to the
origin instead. You can sure redirect to some well-funded government
agency instead if you like, as it is faster for them to react to attacks
on themselves as opposed to you reporting them. Just a funny thought. The
only part is this setup works very well and is pretty darn efficient too,
but it also means you need to add to your filters from time to time when
you see something new in your logs.

You could even redirect to the origin anything that is NOT valid on your
site if you want; not sure that's a good idea, may well be a stupid one,
but that's up to you if you run your own site. Just a thought.

Anyway, look in this thread, I put plenty of examples 11 years ago using
Apache's rewrite mod.

https://marc.info/?l=openbsd-misc=110745960831277=2

or the start of the thread

https://marc.info/?t=11074573194=1=2

Some even push the idea to redirect them to various government agencies.
After all, that's just your tax dollars at work, isn't it? I just do not
do this for ethical reasons, but as you see, many see it differently.

For me, I return them to the origin instead, or drop it.

I did also add, in the past, a log to SQL for bad URLs to get feedback in
real time by doing a redirect to a simple sh script to log directly in
the database, just to support high volume, but you can do the same with
PHP only if your traffic level is high but not huge. Up to you. Plenty
of ideas on the subject, and it is limited only by your imagination of
how aggressive you want to be.

https://marc.info/?l=openbsd-misc=110772972803127=2

Anyway, that was 11 years ago and was working very well, and it still does
well if you still use Apache, and it is all easy to use and set up. And I
can say it is surprisingly very efficient too, especially if you redirect
it to the right location. Looks like some attackers are willing to go
attack whoever, but when they are redirected to the big bad boys,
curiously the attacks on you stop, as I can only guess they do not like to
be sent back to places that have resources to fight back, I guess. (:

In any case, this was a very old idea I put to work long ago; I am sure
if you want you can improve on it. I never used Perl for this as the
volume I was dealing with at the time was way too high for it, but in a
decade servers have improved in performance as well; your mileage may vary.

Have fun!

Daniel
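An added example (not Daniel's code, nor the rewrite rules from the linked threads) of the log-driven side of what he describes: pull the scanner-style URL probes out of an Apache combined-format log, group them by source IP, and produce the pfctl(8) table additions that would feed a pf block table like the brute-force tables mentioned earlier in the thread. The probe patterns, table name and log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Probe paths that have no business on this (assumed) site. As the post
# says, extend the list from your own logs when something new shows up.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"/wp-login\.php", r"/wp-admin", r"/xmlrpc\.php",
        r"/phpmyadmin", r"/\.env$", r"/\.git/", r"\.\./",
    )
]

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2016:19:01:02 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Sep/2016:19:01:05 -0400] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.23 - - [29/Sep/2016:19:01:05 -0400] "GET /wordpress/wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.23 - - [29/Sep/2016:19:01:06 -0400] "GET /blog/wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.23 - - [29/Sep/2016:19:01:06 -0400] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [29/Sep/2016:19:02:10 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2016:19:02:11 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.77 - - [29/Sep/2016:19:05:40 -0400] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.77 - - [29/Sep/2016:19:05:41 -0400] "GET /wordpress/wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.77 - - [29/Sep/2016:19:05:41 -0400] "GET /blog/wp-login.php HTTP/1.1" 404 210 "-" "-"
garbage line that does not parse
"""


def is_probe(path):
    """True when the request path matches one of the probe patterns."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def probe_hits(log_text):
    """Return {ip: Counter of probe paths} over the parsable lines."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the log format
        if is_probe(m.group("path")):
            hits[m.group("ip")][m.group("path")] += 1
    return hits


def offenders(log_text, threshold=3):
    """IPs that sent at least `threshold` probe requests, with their paths.
    One stray 404 (a typo, a stale link) stays below the threshold."""
    return {ip: dict(c) for ip, c in probe_hits(log_text).items()
            if sum(c.values()) >= threshold}


def pfctl_commands(ips, table="badhosts"):
    """The pfctl(8) invocations that would add each IP to a pf table
    (returned as strings; nothing is executed here)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    for ip, paths in bad.items():
        print(ip, paths)
    print("\n".join(pfctl_commands(bad)))
```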



Re: New FAQ14 on Installing to a mirror

2016-09-21 Thread Daniel Ouellet
> fixed these two things and hope I got all your questions.

You did, many thanks! I thought I had it right, but as age advances,
verifying facts is a good thing! (:

Daniel



New FAQ14 on Installing to a mirror

2016-09-21 Thread Daniel Ouellet
Hi,

No problem, all works, but I would love to clarify below to be sure I
don't do something wrong, as the old and new FAQ14 changed in that aspect
and I don't see a reason for the changes.

In the new FAQ14 revised version here:

http://www.openbsd.org/faq/faq14.html#softraid

I wonder if there is a reason to offset so much space at the start of
the disk for the mirror setup but not for the encrypted full disk version?

I used to do it like this at install time based on the old write-up
from Nick@.

Basically, full disk as the p partition on each drive with the offset [64],
and use the p partition as the RAID 1 and proceed as normal.

Now I see the full disk only as full disk encryption, not as a mirror one.

Maybe a stupid question, but I just want to be sure I didn't miss
something in the last few changes that may need this for something I do
not know.

Also, last question: I see the example uses a instead of p. I guess it
doesn't make any difference, as the partition on each disk and the softraid
have nothing in common? I thought that maybe the partition on each
drive and the RAID 1 had to be different, based on the previous FAQ version.

Sorry for the question that may be stupid. I have the old habit of
always reading the FAQ on a new version before doing the work in case
something changed from the previous version of the OS setup.

Best,

Daniel

PS: On this part:

"Because the new device probably has a lot of garbage where you expect a
master boot record and disklabel, zeroing the first chunk of it is
highly recommended. Be very careful with this command; issuing it on the
wrong device could lead to a very bad day. This assumes that the new
softraid device was created as sd0.

# dd if=/dev/zero of=/dev/rsd2c bs=1m count=1"

Shouldn't the sd0 be sd2 as it used the raw version rsd2c in the last
part of the text "...was created as sd0."?



Welcome to the OpenBSD/amd64 6.0 installation program.
Starting non-interactive mode in 5 seconds...
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? s
# cd /dev
# sh  MAKEDEV sd1 sd2
# fdisk -iy sd0
Writing MBR at offset 0.
# fdisk -iy sd1
Writing MBR at offset 0.
# disklabel -E sd0
Label editor (enter '?' for help at any prompt)
> a p
offset: [64]
size: [586067201] *
FS type: [4.2BSD] RAID
> w
> q
No label changes.
# disklabel -E sd1
Label editor (enter '?' for help at any prompt)
> a p
offset: [64]
size: [586067201] *
FS type: [4.2BSD] RAID
> w
> q
No label changes.
# bioctl -c 1 -l sd0p,sd1p softraid0
sd2 at scsibus1 targ 1 lun 0:  SCSI2 0/direct fixed
sd2: 286165MB, 512 bytes/sector, 586066673 sectors
softraid0: RAID 1 volume attached as sd2
# dd if=/dev/zero of=/dev/rsd2c bs=1m count=1
1+0 records in
1+0 records out
1048576 bytes transferred in 0.004 secs (225742949 bytes/sec)
# exit



Just a quick thank you for all and every devs of OpenBSD!

2016-09-16 Thread Daniel Ouellet
This may be obvious to some, but I just wanted to take some time to say
thanks for the 6.0 release and all previous ones. So many improvements in
the last few releases, it is really more fun to use with each new one!

Some features as simple as the configurable auto partitioning make
maintenance and re-installing from scratch for each new release so simple
and quick.

I only took this as an example, but don't take it as being the key
feature; so many new things and improvements make it FUN and EASY to use.

And when you run your business with OpenBSD, any new thing that improves
speed, setup time, security, reliability and all, and that's a sadly very
simplistic list to be honest! I just wanted to take the time to say
THANK YOU!

Sadly, way too many troll comments or complaints on the list and
definitely WAY TOO LITTLE, IF ANY, thank you.

Each new release, you guys make the OS better and the life of working with
servers easier, faster and more secure each time!

On a side note, I feel sad to see my collection of DVDs/CDs end with 6.0 if
that's the end, as it looks like from some comments, but know that some of
us appreciate all the hard work and time put into making this OS the best
one and easiest to use!

Long live Puffy!

Thanks again!

Truly

Daniel



Re: Sun V100 with >127Gb drives on 6.0 supported and working now?

2016-09-09 Thread Daniel Ouellet
On 9/7/16 12:31 PM, Daniel Ouellet wrote:
> I always used to re-install, but only rename my partitions, not redo
> them. However, I changed my auto-install as well and in the process
> forgot to NOT partition above 127GB, or to be exact 268,435,440 blocks of
> 512 bytes, as in the past the server ALWAYS crashed if you tried to go
> beyond, and the V100 simply doesn't support >127GB.
> 
> I never had a problem with doing that, it's fine, but now I notice in
> 6.0, and maybe earlier as well, just never tested it as it was
> discovered by mistake this time around, that I sure can now format drives
> bigger than 127GB with no issue so far.

Just to close the loop on this. It does work, and digging to find out
why, I finally found this:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/pciide.c.diff?r1=1.321=1.322=h

"Revision 0xc4 and earlier of the Acer Labs M5229 UDMA IDE controller
can't do DMA for LBA48 commands.  Work around this issue by (silently)
falling back to PIO for LBA48 commands.  Access to the tail end of large
disks will be much slower, but at least it works."

From NetBSD (Takeshi Nakayama).

ok jsg@, krw@, deraadt@

Now I know I wasn't crazy, and thanks for the improvement! And sadly I
missed that commit, I guess. Better late than never...

The only thing is, as the diff said, the speed is slower. Not so bad, however.

From an average of 42 secs for writing a 1GB file to 164 secs for the same
size when it reaches the area >137GB on the drive.

Sure looks like it can now.

I did this to see it:

for n in `jot 100`; do dd if=/dev/zero of=/free/test$n bs=1m count=1000 >> /tmp/test 2>&1; done;

and look at the stats for each write.

That's a big partition at the end of a 160GB drive.

But my boxes do not operate at UDMA mode 5 to start with. So switching
to PIO mode 4 is not a huge difference in this setup.

wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2

I do not believe I have any of the shielded cables to allow running >
UDMA mode 2 anyway.
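An added helper (not from Daniel's post) for the "look at the stats for each write" step of his test: it parses the dd(1) summary lines his loop appends to /tmp/test, derives MB/s for each 1GB write, and reports the first write whose throughput falls well below the early baseline together with how far into the partition it started. The log content below is constructed after the 42 s to 164 s change he reports, not his real numbers.

```python
import re
from statistics import median

# dd(1) summary line as printed on OpenBSD (same shape as the dd output
# quoted elsewhere in this thread); the "records in/out" lines are ignored.
DD_RE = re.compile(
    r"^(?P<bytes>\d+) bytes transferred in (?P<secs>[\d.]+) secs "
    r"\((?P<rate>\d+) bytes/sec\)$"
)

# Constructed /tmp/test content for 8 of the 1GB writes (not Daniel's real
# figures): four writes near 42 s, then the fall-off to about 164 s.
SAMPLE_TEST_LOG = """\
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 41.800 secs (25085550 bytes/sec)
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 42.300 secs (24789031 bytes/sec)
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 42.100 secs (24906793 bytes/sec)
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 41.900 secs (25025679 bytes/sec)
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 98.500 secs (10645442 bytes/sec)
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 163.900 secs (6397657 bytes/sec)
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 164.200 secs (6385968 bytes/sec)
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 163.700 secs (6405473 bytes/sec)
"""


def parse_writes(log_text):
    """One (bytes, secs) tuple per dd run, in the order they were written."""
    writes = []
    for line in log_text.splitlines():
        m = DD_RE.match(line.strip())
        if m:
            writes.append((int(m.group("bytes")), float(m.group("secs"))))
    return writes


def throughput_mb_s(writes):
    """MB/s (10^6 bytes) for each write, recomputed from bytes and seconds
    rather than trusting dd's own rounded bytes/sec figure."""
    return [b / s / 1e6 for b, s in writes]


def find_slowdown(writes, baseline_runs=3, drop_ratio=0.5):
    """First write whose throughput is below drop_ratio times the median of
    the first baseline_runs writes, plus how many bytes had already been
    written into the partition when it began. None if no such drop."""
    rates = throughput_mb_s(writes)
    if len(rates) <= baseline_runs:
        return None
    baseline = median(rates[:baseline_runs])
    offset = 0                            # bytes written before write i
    for i, (nbytes, _) in enumerate(writes):
        if i >= baseline_runs and rates[i] < baseline * drop_ratio:
            return {"index": i,
                    "offset_gb": round(offset / 1e9, 2),
                    "baseline_mb_s": round(baseline, 1),
                    "mb_s": round(rates[i], 1)}
        offset += nbytes
    return None


if __name__ == "__main__":
    w = parse_writes(SAMPLE_TEST_LOG)
    for i, mb in enumerate(throughput_mb_s(w)):
        print(f"test{i + 1}: {mb:6.1f} MB/s")
    print(find_slowdown(w))
```

The offset is relative to the start of the test partition; add the partition's own starting offset to locate the boundary on the physical drive.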



Re: Sun V100 with >127Gb drives on 6.0 supported and working now?

2016-09-08 Thread Daniel Ouellet
On 9/7/16 4:55 PM, Michael Plura wrote:
> On Wed, 7 Sep 2016 12:31:58 -0400
> Daniel Ouellet <dan...@presscom.net> wrote:
> 
>> A quick question on this as I only notice this in the last few days by
>> accident actually, and I want to know if that's real or not.
>> ...
>> and the V100 simply doesn't support >127Gb.
>> ...
>> discover by mistake this time around that I sure can format now drives
>> bigger then 127GB and no issue so far.
>> ...
>> Am I shooting myself in the foot if I try now as so far I haven't see
>> any problems doing it, but it's been only a week so far.
> 
> Probably. From dmesg on my V100:
> 
>  ebus0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0xc3
> 
> The Sun V100 is using an AcerLabs (ALi) south-bridge chipset M1535D,
> that supports ATA-5/UDMA66 which supports CHS 28-bit mode - that
> is 128 GiB / 137 GB.
> 
> ALi did an M1535D+ chipset that supported ATA-6/UDMA100 with LBA48 which
> can address bigger drives. Some BIOS on x86 didn't support this, but there
> you could use bigger drives with an appropriate driver of the OS.
> 
> For your V100 I think you just start overwriting the first bytes of the
> drive if you reach 128 GiB... but I'm not sure. You might test that with
> dd.
> 

That's just it, I am not sure. It appears not to write over, but I will
test this more aggressively.

Here is an example of the dmesg for one I work with for testing now.

The controller is still not an advanced one:

ebus0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00

But I also see this:

wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
^
And I sure don't see ATA-6/UDMA100 or M1535D+ anywhere.

But I do see this one: Acer Labs M5229 UDMA IDE

It's just that before you couldn't even format it at all; as soon as you
passed 268,435,440 sectors the server crashed, but now, well, so far it
formats it. I copied data onto it and will do more, and it still works.
I just wanted to know exactly what I should be looking for to know if
that was just a fluke, or if there is something supported now that
wasn't before and that somehow passes the previous limits I had.

I will need to go in each one and check carefully what I see, if there
are differences or not.

I wish I knew exactly what I may be looking for. It would save a
lot of testing, but in the end, if that's what it takes, I will do it.

Having a way to know for sure would be nice.

It's just that I came to this by accident and now I am really trying to
find the answer for it. More curious than not, I suppose, as it's not like
these servers are so powerful as to put them to great work, but I guess I
really love them.

Thanks for your feedback, I appreciate it!


console is /pci@1f,0/isa@7/serial@0,3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2016 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 6.0 (GENERIC) #1094: Tue Jul 26 16:40:58 MDT 2016
dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 2147483648 (2048MB)
avail mem = 2094309376 (1997MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root: Sun Fire V100 (UltraSPARC-IIe 548MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 3.3) @ 548 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 512K
external (64 b/l)
psycho0 at mainbus0: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-0, PCI bus 0
psycho0: dvma map 6000-7fff
pci0 at psycho0
ebus0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
"dma" at ebus0 addr 0- ivec 0x2a not configured
rtc0 at ebus0 addr 70-71: m5819
power0 at ebus0 addr 2000-2007 ivec 0x23
lom0 at ebus0 addr 8010-8011 ivec 0x2a: LOMlite2 rev 3.12
com0 at ebus0 addr 3f8-3ff ivec 0x2b: ns16550a, 16 byte fifo
com0: console
com1 at ebus0 addr 2e8-2ef ivec 0x2b: ns16550a, 16 byte fifo
"flashprom" at ebus0 addr 0-7 not configured
alipm0 at pci0 dev 3 function 0 "Acer Labs M7101 Power" rev 0x00: 74KHz
clock
iic0 at alipm0
"max1617" at alipm0 addr 0x18 skipped due to alipm0 bugs
spdmem0 at iic0 addr 0x54: 512MB SDRAM registered ECC PC133CL2
spdmem1 at iic0 addr 0x55: 512MB SDRAM registered ECC PC133CL2
spdmem2 at iic0 addr 0x56: 512MB SDRAM registered ECC PC133CL2
spdmem3 at iic0 addr 0x57: 512MB SDRAM registered ECC PC133CL2
dc0 at pci0 dev 12 function 0 "Davicom DM9102" rev 0x31: ivec 0x7c6,
address 00:03:ba:2b:62:16
amphy0 at dc0 phy 1: DM9102 10/100 PHY, rev. 0
dc1 at pci0 dev 5 function 0 "Davicom DM9102" rev 0x31: ivec 0x7dc,
address 00:03:ba:2b:62:17
amphy1 at dc1 phy 1: DM9102 10/100 PHY, rev. 0
ohci0 at pci0 dev 10 function 0 "Acer Labs M5237 USB" rev 0x03: ivec
0x7e4, version 1.0, legacy support
pciide0 at pci0 dev 13 function 0 "

Sun V100 with >127Gb drives on 6.0 supported and working now?

2016-09-07 Thread Daniel Ouellet
A quick question on this as I only noticed this in the last few days by
accident actually, and I want to know if that's real or not.

I always used to re-install, but only rename my partitions, not redo
them. However, I changed my auto-install as well and in the process
forgot to NOT partition above 127GB, or to be exact 268,435,440 blocks of
512 bytes, as in the past the server ALWAYS crashed if you tried to go
beyond, and the V100 simply doesn't support >127GB.

I never had a problem with doing that, it's fine, but now I notice in
6.0, and maybe earlier as well, just never tested it as it was
discovered by mistake this time around, that I sure can now format drives
bigger than 127GB with no issue so far.

I am not saying it is good or normal or supported or will work forever. I
do not know; that's what my question is about.

Is this due to the work done in disklabel and all a few years ago, and is
it now somehow bypassing the BIOS or whatever it is on the V100, so that
it is now possible to use drives bigger than 127GB?

Am I shooting myself in the foot if I try now? So far I haven't seen
any problems doing it, but it's been only a week so far.

I would very much appreciate knowing for sure, as I still run >100 of
them. Nothing critical on these servers, but extending them more would
be nice as so many new ones are put in place; not having to replace these
too for lack of space is nice, as I still have plenty of new IDE drives
in boxes, as I did purchase them in bulk years ago planning ahead for dead
ones, and they still run great.

Anyone know for sure if >127GB is no problem to use at all now on these
so-loved servers?

Thanks,

Daniel



Re: OpenBSD 6.0 release and errata60.html

2016-09-01 Thread Daniel Ouellet
On 9/1/16 2:59 PM, R0me0 *** wrote:
> Hello misc,
> 
> I have a little doubt
> 
> Today was an Official Release of 6.0
> 
> Does this release already include the errata60.html patches or do I need to apply them?

Yes, you need to apply the patch.

The release was done long ago already; it was released to the public
today. Takes time to get all the pieces together, you know.

Might be more welcome to say thanks to the devs instead, don't you think?

I am sure they would appreciate that more...

Best,

Daniel



Re: DMARC and misc@ (and likely other OpenBSD lists)

2016-08-26 Thread Daniel Ouellet
On 8/26/16 8:11 PM, li...@wrant.com wrote:
>> But my question, for sure, that I am not sure of the answer to, is if you
>> have emails that happened to have multiple DKIM signatures added to the
>> header along the way.
> 
> Why would you have these, if email is not getting changed after sending?
> Simply abandon the concept of changing the email message after sending..

Why would you have multiple DKIM signatures? Simple. You run your own
mail server at home and it adds a DKIM signature and then forwards your
emails to another server to do the final delivery, which is also
programmed to add a DKIM signature as well. In that case, will you not
have two DKIM signatures, one from each server in the delivery path?

I am not saying the email should be changed, but isn't it that if a
server IS using DKIM it puts its signature on anyway?

So, in the scenario above you will have two signatures...

>> The answer to that question is not clear to me.
> 
> If you explain to us, why we need to have multiple signatures added then
> perhaps we (you) could start getting clearer position on your question..

No, I did NOT ask to have multiple signatures. Isn't it possible to have
more than one if the path taken by an email goes through multiple servers
that are configured to use DKIM? In that situation, will you NOT end up
with multiple signatures in your header?

>> Why does that make a difference? Well, if you run your own server and you
>> control it pretty closely and absolutely ONLY allow senders to use it by
>> authenticating to it, then the chance of forgery is reduced, as much as
>> you control it, to nil if you use it just for you and are the only one
>> using it, or very limited trusted friends and all.
>>
>> Then the signature can be trusted, the SPF records can be trusted and
>> then DMARC can be enforced.
> 
> Done.  Then remove these flawed tools & revert to open clear text mail..
> as we have it now, and anybody that needs something more: encrypt yours.

You are not helping here and really have a short point of view! I use
encrypted emails with users that support it. But that doesn't solve the
problem asked originally in this thread...

I asked one question and suggested a possible workaround to solve the
issue raised in the first place, and explained the consequences of doing
it as well.

And asked if I was mistaken in what I suggested based on how I
understand it.

> Advertising generates it, these same advertising companies run public
> email services.  There is your answer, they propose these ideas: SPF,
> DKIM, DMARC, and future-to-see more.  If marketers are getting paid..

None of these cost anything to use... You can choose to use them or not.
I don't see your point.

> The solution is to make it as convenient as SSH, raising malpractices
> costs by making them practically unfeasible.  What we see now, is the
> reverse, making it impractically complex & ubiquitous to use $GOOG's.

Again, a misconception I think. To use SSH you need an account where you
log in. I fail to see what SSH will solve here in emails you send to
anyone, or someone you may never have had contact with before. I can log
in using SSH on my server to send you an email. You log in via SSH to
read my email, so what? Doesn't mean it was from me...

Sorry I totally fail to see your point with SSH here.



Re: DMARC and misc@ (and likely other OpenBSD lists)

2016-08-26 Thread Daniel Ouellet
On 8/26/16 5:37 PM, li...@wrant.com wrote:
> Fri, 26 Aug 2016 15:36:16 -0400 Daniel Ouellet <dan...@presscom.net>
>> On 2016-08-26, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
>>
>>> The only downside is, the traditional forwarding that mailing lists do
>>> *also* triggers the DMARC dark magic, and there is a significant risk
>>> that messages sent with senders in DMARC domains via the mailing list
>>> to recipients with a somewhat DMARC-aware setup will be discarded.  
>>
>> I still have question on this subject that is not 100% clear to me.
> [...] 
>> Am I missing something so far?
> 
> Hi Daniel,
> 
> Yes, these are all incomplete semi-solutions designed to do one thing,
> and only one thing well: deliver you commercial email that you'd trust
> is coming from the paying sender and not others that have not paid up.
> What I'm saying is that they address corporate, not very public needs.

I kind of disagree with this statement. I feel actually it is less
efficient for commercial providers simply because of the number of users
and the easy way to create an account and then assume someone else's
identity in forged emails.

Even based on your link below it sustains that point. Look in your link
a bit lower:

https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Arbitrary_forwarding

So someone having access to your mail server to send emails will get
them signed and then can misuse it. If you're a commercial provider the
volume of users you have is way bigger than if you control your own
server(s) and keep each user limited in scale and hopefully only for
your company, or your own personal mail server and domain, which will
not allow this process.

So, your DKIM signature will be valid and hopefully, unless your mail
servers get compromised or allow relay to users that shouldn't relay
through them, will be good to use.

Now if you also control your SPF records, that adds to it as well, and
if you add DMARC on top, it will possibly be enforced if you choose to
do so at the recipients that support it.

Nothing is absolute regardless. I wish there was a solution, but trying
to work around the problem doing rewrites doesn't help I think, but I am
more than willing to see the other side.

> https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Weaknesses
> https://en.wikipedia.org/wiki/DMARC#Compatibility

But my question, for sure, that I am not sure of the answer to, is if
you have emails that happened to have multiple DKIM signatures added to
the header along the way. Will the DKIM check actually process the one
from the original sender from the FROM: field and look for the DKIM
signature, if available, for that sender domain or not?

Or will it process only the more recent one received?

The answer to that question is not clear to me.

Why does that make a difference? Well, if you run your own server and
you control it pretty closely and absolutely ONLY allow senders to use
it by authenticating to it, then the chance of forgery is reduced, as
much as you control it, to nil if you use it just for you and are the
only one using it, or very limited trusted friends and all.

Then the signature can be trusted, the SPF records can be trusted and
then DMARC can be enforced.

The part that breaks it some was my suggestion to add the server(s) of
the lists you use to your SPF records, allowing them to send emails on
your domain's behalf, but I am not sure it is a good idea. It is a way
around the problem for now, but whether it is a good one I am not sure!

Other input on the subject may be welcome.

I guess the validity of your DKIM signature is ONLY as valid as the
trust you put in the users you allow to relay through your server that
adds the DKIM signature. I guess if you can demonstrate that they are
all trusted, then I guess all your emails signed with DKIM should be
authentic?

Adding proper SPF records to enforce that a bit more, and putting a very
strict DMARC policy to tell recipient domains that support DMARC to
reject all others, may help protect your domains from forgery some. But
as this is not widely used, it has its limitations too.

Now unless I misunderstand something, that's how I see it...

So, if what I said above is true of the DKIM and SPF process, if you
add the lists you use to your SPF records and the proper DKIM is
processed, then it should be fine for the domains that actually use
DMARC.

It will see the from field as you.

If processed properly it will see your DKIM signature for it.

It will see your SPF entry for that list.

So, DMARC should accept it.

Drawback: if a site doesn't use DMARC and doesn't check for SPF either,
then you just added a wide possibility of abuse from the lists.

But the choice is yours to make.

I am really NOT in favor of rewriting any header whatsoever. Or I am
definitely not convinced of the benefit it may add yet!

> Had to cut some text, sorry for the intrusion in your message body ;-)
> If t

Re: DMARC and misc@ (and likely other OpenBSD lists)

2016-08-26 Thread Daniel Ouellet
On 2016-08-26, Peter N. M. Hansteen  wrote:

> The only downside is, the traditional forwarding that mailing lists do
> *also* triggers the DMARC dark magic, and there is a significant risk
> that messages sent with senders in DMARC domains via the mailing list
> to recipients with a somewhat DMARC-aware setup will be discarded.

I still have a question on this subject that is not 100% clear to me.
From what I understand, when you use SPF and DKIM, which DMARC is based
on if you forget the ASPF part, and you have multiple mail servers in
the path that may all have their own DKIM signature for example, only
the most recent one, from the last mail server to deliver to the final
destination, is checked? So, DMARC will base its judgement on the last
header part, with DKIM and SPF present or not? I think so, but not 100%
sure.

So, the problem comes from the fact that DMARC only looks at the From:
field, here being

From: "Peter N. M. Hansteen" 

and then checks DKIM and SPF in DNS for that domain and doesn't see the
last entry as valid, being here:

Received: from openbsd.org (lists.openbsd.org [192.43.244.163])

Am I missing something so far?

> However, the solution or workaround is to set up the mailing list for
> the DMARC magic to do some benign rewriting of headers - the message
> at [2] describes how the FreeBSD list admins solved the problem for
> their lists.

So, maybe the way to go around it without modifying the header, as I
don't think it should be or that it would be a good idea, may just be
for you to add to your SPF records the entry for the mailing list used,
going from this:

host-2:~ daniel$ dig txt bsdly.net +short
"v=spf1 a mx ip4:213.187.179.198 ip4:194.54.103.54/26
ip6:2001:16d8:ff00:1a9::2 ip6:2001:16d8:ccbc:dead:beef::1 -all"

To this maybe:

"v=spf1 a mx a:lists.openbsd.org ip4:213.187.179.198
ip4:194.54.103.54/26 ip6:2001:16d8:ff00:1a9::2
ip6:2001:16d8:ccbc:dead:beef::1 -all"

This way you still control it; however, it does open a different problem,
which I think is what you want to use DMARC for, in that now anyone that
presents themselves as someone @bsdly.net using lists.openbsd.org will
also be accepted, as the DKIM is not verified since it is not in the most
recent header of the email.

I think it is like some companies that use outlook.com to preserve their
identity and set up SPF, but then if you look at the SPF you add, it's
so darn big that anyone that wants to harm your business only needs an
outlook account and can assume your identity too, the same way, with a
valid SPF that you the company would have put in place for the bad guy.
Am I missing something?

Or does the DKIM check actually look at ALL entries in the header to find
one that matches the From: field, in this case

From: "Peter N. M. Hansteen" 

and check the DKIM to be this one:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple;
d=bsdly.net; s=x;
h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:
Subject:From:To:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date
:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
List-Owner:List-Archive;
bh=xV4BhTR1l3nZo2a7lVgLRZp28B12IgQRQJUApJOXkB8=; b=W
hIDoIFBynQIDHHE06LTL0u+KHT47etyEzIk9lZexMkoTD4rSeXNVubLhLwwy6nxOXXMCdPYV/bPnS
BD4he3d5/h4CDpEqZ/8Ojx4W5G7zf1u6VfHcTyehkcAv6jnOXJzjQtCYzeCEua+//hufU6nVdZaGf
VXE75oJcED8xwwrQ=;

then the SPF to be this one:

dig txt bsdly.net +short
"v=spf1 a mx ip4:213.187.179.198 ip4:194.54.103.54/26
ip6:2001:16d8:ff00:1a9::2 ip6:2001:16d8:ccbc:dead:beef::1 -all"

And then reject or accept based on that?

If so, and that's the part I am not sure about and it is not clear
anywhere, but if so, then you only need to add to your SPF the lists you
use and you would achieve your goal, no?

I would appreciate feedback on this as I am not 100% clear on how I
think the process is actually done for checking the email header and
DKIM, especially if you happen to have multiple servers adding their own...

If so, shouldn't this solve your problem of delivery by mailing lists?

In the end the burden is on you to maintain your SPF records based on
the mailing lists you use, and I will admit if you use a lot of them,
then it may be a pain, but isn't the goal to keep control of your emails?

Hope this helps some, if I understand it correctly.

Daniel
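The question running through this post and the follow-up above it (which signature DMARC looks at when several DKIM-Signature headers are present) is settled by RFC 7489: the receiver evaluates every signature, and DMARC's DKIM check passes if any verifying signature has a d= domain aligned with the From: domain; the SPF check is aligned against the envelope MAIL FROM domain, not the Received: line. The Python below is an added example, not code or configuration from the thread; it models that decision over a constructed list-relayed message carrying two signatures, and assumes the cryptographic DKIM verification and the SPF lookup were already done by the MTA (their results are passed in). The organizational-domain step is simplified to the last two labels, where real implementations use the Public Suffix List; d=openbsd.org for the list signature and the author address are assumed values.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample of a list-relayed message (not a message from the thread).
# Two DKIM signatures: the author's, d=bsdly.net (domain from the thread),
# added at origin, and the list's, d=openbsd.org (assumed), added on relay
# and therefore appearing above it. Signature values are placeholders.
SAMPLE_MESSAGE = "\n".join([
    "Received: from openbsd.org (lists.openbsd.org [192.43.244.163])",
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=openbsd.org; s=list;",
    "\th=From:To:Subject:Date:Message-ID:List-Id; bh=PLACEHOLDER=; b=PLACEHOLDER=",
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; d=bsdly.net; s=x;",
    "\th=Content-Type:MIME-Version:Date:Message-ID:Subject:From:To:List-Id;",
    "\tbh=PLACEHOLDER=; b=PLACEHOLDER=",
    'From: "Author" <author@bsdly.net>',
    "To: misc@openbsd.org",
    "Subject: Re: DMARC and misc@ (and likely other OpenBSD lists)",
    "",
    "body text",
    "",
])


def parse(raw):
    """Parse an RFC 5322 message; folded headers are unfolded for us."""
    return email.message_from_string(raw)


def org_domain(domain):
    """Simplified organizational domain: last two labels (real DMARC uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain, from_dom, mode):
    """RFC 7489 identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    domain, from_dom = domain.lower(), from_dom.lower()
    if mode == "s":
        return domain == from_dom
    return org_domain(domain) == org_domain(from_dom)


def from_domain(msg):
    """Domain of the RFC5322.From address, the identifier DMARC protects."""
    _, addr = parseaddr(msg["From"])
    return addr.rsplit("@", 1)[1].lower()


def dkim_domains(msg):
    """d= tag of every DKIM-Signature header, in header order (top first)."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found


def dmarc_result(msg, dkim_verified, spf_result, mail_from_domain, adkim="r", aspf="r"):
    """DMARC authentication result: 'pass' if at least one verified DKIM
    signature, or a passing SPF result, is aligned with the From: domain.

    dkim_verified: {d= domain: True/False} as reported by the DKIM verifier.
    spf_result: SPF result for the envelope MAIL FROM ('pass', 'fail', ...).
    mail_from_domain: domain SPF was evaluated for (the envelope sender).
    """
    fd = from_domain(msg)
    dkim_ok = any(dkim_verified.get(d, False) and aligned(d, fd, adkim)
                  for d in dkim_domains(msg))
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, fd, aspf)
    return "pass" if (dkim_ok or spf_ok) else "fail"


def list_relay_scenarios():
    """Three outcomes for the same list-relayed sample, as {name: result}."""
    msg = parse(SAMPLE_MESSAGE)
    return {
        # List left signed headers and body intact: author's signature verifies.
        "intact": dmarc_result(msg, {"openbsd.org": True, "bsdly.net": True},
                               "pass", "openbsd.org"),
        # List tagged the Subject: author's signature breaks; the list's own
        # signature and SPF pass but neither aligns with bsdly.net.
        "modified": dmarc_result(msg, {"openbsd.org": True, "bsdly.net": False},
                                 "pass", "openbsd.org"),
        # Same broken signature, but envelope MAIL FROM kept as bsdly.net and
        # its SPF lists the list host: SPF is now both passing and aligned.
        "modified_spf_aligned": dmarc_result(msg, {"openbsd.org": True, "bsdly.net": False},
                                             "pass", "bsdly.net"),
    }


if __name__ == "__main__":
    for name, result in list_relay_scenarios().items():
        print(f"{name}: {result}")
```

The "modified" case is the discard risk Peter describes: once the list alters a signed header or the body, the author's signature no longer verifies, and the list's passing signature and SPF are not aligned with the From: domain. The third case shows the condition under which the SPF addition proposed above would help: SPF only counts for DMARC when the envelope MAIL FROM keeps the From: domain, and list software normally rewrites the envelope sender to its own bounce address, so the Received: host appearing in the sender's SPF record does not by itself change the outcome.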



Re: Fwd: DigitalOcean and OpenBSD

2016-08-24 Thread Daniel Ouellet
On 8/24/16 2:18 PM, Troy Frericks wrote:
> -- Forwarded message --
> From: Troy Frericks <troy.freri...@gmail.com>
> Date: Wed, Aug 24, 2016 at 1:17 PM
> Subject: Re: DigitalOcean and OpenBSD
> To: Daniel Ouellet <dan...@presscom.net>
> 
> 
> OpenBSD is not supported on/by DigitalOcean.

I never said it was.

What I wrote was:

"not the easier place to install and run quickly weird setup"

What part of this means supported?

But you sure can do it. If you need instructions I can have the kid send
them in!

However, you can't install directly from OpenBSD right away; you need
help from Linux, and then you take the bsd.rd, dd it to the drive, and
then it installs like normal. Gross summary above, but that's the idea
anyway.



Re: DigitalOcean and OpenBSD

2016-08-24 Thread Daniel Ouellet
On 8/24/16 12:24 PM, R0me0 *** wrote:
> Ok, here is a reply for you and all other motherfuckers that think and
> answer like you.

Love you too.

But note that someone wanted to help you. Quote:

"A dmesg would be nice. And maybe a less snarky attitude."

As I said we have no clue what you run, version and all. How do you
frankly expect an answer?

Have a nice day.

Peace,

Daniel

PS: No, your mother told you we had a date last week? Holy shit... I
didn't remember that one



Re: DigitalOcean and OpenBSD

2016-08-24 Thread Daniel Ouellet
On 8/24/16 10:52 AM, R0me0 *** wrote:
> Just asked if someone already faced this issue after a simple reboot
> 
> # reboot
> 
> Do you need a draw ?
> 
> KIND Regards,

OK here is an answer as good as your question.

Not so far. My son uses Digital Ocean, only because they are cheap and
he puts up with shit more than I do. Not that they are shit, but his
word is "not the easier place to install and run quickly weird setup",
but no problem or crash so far. When he needs more serious space, EC2 is
where he goes.

So, no issue so far, but he also keeps installing current on Digital
Ocean when/if he installs it. No one has a clue what you run there, so
why bother to answer you!

So, do you also " Do you need a draw ?"?

Peace,

Daniel



Re: Installer overwrites partition table

2016-08-24 Thread Daniel Ouellet
On 8/24/16 7:15 AM, Bertram Scharpf wrote:
> Hi,

Hi,

I don't write much on misc@ anymore because of emails like yours. But
this time I feel I had to. I am not an OpenBSD dev, but I feel your
insults as well, I am sure.

> first of all, I am an experienced OS installer and I did a
> heck of partitioning in my life. Now I had some unused disk
> space and I found it a good idea to install OpenBSD.

Big statement. But questionable validity I guess...

> The installer's partitioning tool didn't offer me a variant
> that keeps my existing partitions. Therefore I immediately
> stopped it. But yet it was too late. The partition table was
> overwritten.

If you had stopped right away the disk wouldn't have been damaged at
all. So you didn't! Fact. I suppose for you to say above "experienced OS
installer" means as long as someone or something is holding your hand...

> The damage is not hard for me because I tersely do backups.
> But this behaviour is impudent. This blowfish is not a safe
> operating system, it rather is a poorly prepared fugu.

Now if you had read the FAQ or read the display on the screen, none of
this would have happened. How do I know that? Well, just a little story:
my son has installed OpenBSD many times in his life. Too many to count,
and I never made it easy for him either.

Always told him to RTFM first (believe me, he returns this to me now
every chance he has, and I love him for it too!) and then if he has
questions, to ask. He is on this list from time to time when not busy
with school, and he sure can confirm this.

Now why do I say that? Well, his first "***experienced OS installer***"
install was on his own custom-built computer at age 6. Windows 95 at the
time, as he wanted to program his RCX back then, for whoever knows about
Lego!

And his first OpenBSD installation was not too far after that. I used to
ask him to install OpenBSD for me on loads of Sun servers and he did
them happily: check the memory, add some, replace drives with new ones,
sometimes 15 to 20 servers per night! The funny part about this is I had
a few engineers working for me at the time and sadly I trusted my son
more to do the proper install than they would have at the time!

See, most of them are "experienced OS installers" too! But don't know
shit about hardware...

His first multi-boot installation was around the time he was 10 or so, I
think. It's been so many years now I can't recall the details, and it
doesn't make me any younger either! By the way, his first multiboot was
on his mac 1,1 at the time back then. Maybe he tried it on a Windows
machine I may have had around, possibly, but I don't think so. However,
the first usable one was definitely on his mac that he used for school
then, and that wasn't the easiest one to do it on either!

And he did it multiple times before one day he made one mistake that I
helped correct for him with the golden help of Nick on this list.
Believe me when I say he tried himself and only came to me as the last
resort; he felt bad having made that mistake! So, what's a Dad got to
do? Well, help; we are there for that after all, aren't we...

See here, history telling the truth, that was 2009!

https://marc.info/?l=openbsd-misc=124122973208531=2

But that was after he succeeded multiple times without me telling him
shit! So, what does that make him, or you for that matter?

Who's the "experienced OS installer"?

So, I think you made a very big statement in your opening and you may
have made a big fool of yourself, as if your statement is true, then you
shouldn't give up at the first trial! It only makes you look like
vaporware in statement, or proves you really need hand-holding at every
step, not supporting your statement of "experienced OS installer"; or if
you want to live up to your own words, then try again and do it right!

There is nothing wrong with making mistakes; we all do and I sure do my
fair share of them too. But telling others that "This blowfish is not a
safe operating system, it rather is a poorly prepared fugu." is way out
of reason.

Or maybe I should refer you to help provided by a 13-year-old at the
time for multi-boot installs here:

http://marc.info/?t=12694577022=1=4

And that was on his mac 5,5; however he had it running way before that
on his very old mac 1,1 model.

If you're really interested I am sure you can find it in the archive.

So, live up to your own words or eat them!

Peace,

Daniel

PS: Statements like yours remind me why I don't write as much as I used
to on this list...



Re: Quick APU2 review

2016-04-15 Thread Daniel Ouellet
> That's nice.  I don't have a ferrari, I have a rather basic truck.
> 
> You are off topic.

Sorry Theo,

He asked for

"real world throughput?"

I provided some to be helpful.



Re: Quick APU2 review

2016-04-15 Thread Daniel Ouellet
I don't have the APU2C4, I have the APU1C4

and I can push 80Mb/sec of IPsec on it, way more obviously when I don't
do IPsec.

My setup uses ikedv2 from Reyk@

When I reach the 80Mb/sec, well, it reaches full CPU utilization.

When I do NAT only, the CPU cores (I have only 2 on that APU1) are used
only at 45% each for 150Mb/sec of real traffic.

I wish I could test faster, but my line for now is 150Mb, upgrading to
300Mb/sec soon.

If I do not do NAT but use only fixed IPs, it's even lower.

And my PF rules have 37 active lines. Well, my config is bigger
obviously, but see the rules output for exact feedback.

It runs routing, pf, IKEDv2, NAT, unbound, dhcpd, ntpd, and smtpd just
for the local feedback, NOT for all my emails. I have a different server
for that.

# pfctl -sr | wc -l
  37

I am upgrading it to the APU2c4 because of the AES-NI instruction set
on the CPU, to improve my traffic under IKED, NOT because it is not
capable. I just want more traffic under encryption and the new CPU will
improve that.

But this one already can saturate the line I have without IKED traffic,
so I can't imagine that it wouldn't do what you want, assuming you are
not running a Fortune 500 company obviously.

Here is without IKED:

http://www.speedtest.net/my-result/5253974103

And if I push it via tcpbench OVER IKED, instead of normal traffic (from
a server behind that APU1c4 that is not that box obviously and that
needs routing and all), it gets a bit lower, but here is the output
anyway, on average, with the rest of the traffic running now. I stream
Spotify and have a video running and about 9 ssh connections at the
moment doing my work, and a few more things, as well as my kid playing
League of Legends, etc.

Conn:   1 Mbps:   55.166 Peak Mbps:   58.288 Avg Mbps:   55.166

As you can see, plenty of capacity, and the APU2C4 I am sure beats this
hands down!

It has 4 cores as opposed to two, and the encryption instruction set on the CPU.

Hope this helps you.

Daniel


On 4/15/16 3:06 PM, Heine Lysemose wrote:
> Hi
> 
> Can you give some real world throughput? How much can you push through it
> from a NAT’et device? And what are the device stats when doing so?
> 
> Best,
> Lysemise
> 
> 
> 
> From: Christian Weisgerber
> Sent: 15. april 2016 18:19
> To: misc@openbsd.org
> Subject: Quick APU2 review
> 
> I bought a PC Engines APU2 this week and thought I'd write up my
> impressions.
> 
> TL;DR: Recommended.
> 
> The obvious point of reference is the Soekris net6501.  Now, that
> comparison isn't really fair since the net6501 is several years old
> and the APU2 is a new design.  Then again, Soekris canceled their
> successor model (after stringing along potential customers for a
> year), so they're without a competitive product now.  Tough for them.
> 
> http://pcengines.ch/apu2c4.htm
> https://soekris.com/products/net6501-1.html
> 
> Here's what the APU2 lacks: It has only three Ethernet ports instead
> of four, no front-side Ethernet LEDs, no PCI-Express expansion slot,
> no LOM.  On the plus side, it has two USB 3.0 ports instead of a
> single USB 2.0 one.
> 
> Performance: Single-core speed of the APU2 seems to be comparable
> to the net6501-70 (the fast model), but the APU2 has four cores
> instead of two and it has AES-NI, which provides a big boost for
> many crypto applications.  A "make -j4 build" took exactly 120
> minutes.
> 
> Heat: The APUs have an innovative design where the CPU heat sink
> is coupled to the case.  Since this is typically assembled by the
> customer, a lot of attention is drawn to it and people obsess over
> the CPU temperature.  It's a nonissue.  Case temperature is about
> the same as for the net6501, where people are far less concerned,
> even a "make -j4 build" didn't raise the CPU temperature much (57C
> to 64.5C), and the design ensures good heat flow.  Ask me again in
> six months how it did in a 33C summer environment, but I expect no
> problems whatsoever.
> 
> The firmware is still being worked on; it's cobbled together from
> coreboot, a MemTest86 module (takes about 1h45 for one pass on the
> apu2c4), and iPXE.  It works.  I've booted via PXE, from an external
> USB key, and from mSATA.
> 
> Miscellaneous: The case is really compact.  The order of the Ethernet
> ports is reversed when compared to the Soekris and not marked on
> the case.
> 
> And yes, the APU2 is fully supported by OpenBSD 5.9.
> 
> Overall, I like it a lot.  Compared to the net6501, the APU2 is
> much cheaper and more powerful.  Compared to Intel Rangeley devices,
> it is readily available in small quantities (like, one) and, to
> pick the one that you can easily buy, again much cheaper than the
> RCC-VE 2440.
> 
> My APU2 is serving as my home gateway now, replacing a net6501.
> It feels good to be running an AMD CPU again. :-)
> 
> 
> PS: I bought mine from NRG Systems GmbH, Augsburg, Germany, who
> sell convenient board/case/PSU/SSD kits.  Board and case were
> already assembled.
> --
> Christian 

Re: date not respect for 5.8 and 5.9

2016-03-31 Thread Daniel Ouellet
On 3/31/16 4:58 AM, Max Power wrote:
> Hi guys!
> Why the release 5.8 and 5.9 did not comply with the canonical date
> of the 1th November and of the 1th May?
> 
> Thanks in advance for your reply.

Because Puffy swam upstream with the salmon this year in the cold
rivers of Canada and felt he could take a break sooner than usual for
his considerable effort!

See, salmon die after that and have laid their eggs, but our brave
Puffy survived the exercise and made a time leap forward.

Why people can not just say THANK YOU and be grateful and appreciative
for the grace of an early release, but question everything all the
time, is beyond me...

Why should this comply with anything really?

I for one will say it, as I haven't seen any yet on the list.

Thank you guys for releasing 5.9 sooner; it is very much appreciated!

Again THANK YOU

Long live Puffy.

Daniel

PS: Hmm. Now does this mean we will have some spiky little Puffy/salmon
hybrids this season... I wonder.



Re: OpenBSD on AMD Embedded G-Series T40E APU?

2016-03-07 Thread Daniel Ouellet
On 3/7/16 12:43 PM, Noth wrote:
> On 03/07/16 02:04, Theo de Raadt wrote:
>>> Hey folks,
>>>
>>> The website does not seem to have a lot of info on what CPUs are
>>> supported.  I'm looking at this box for a home firewall with OpenBSD
>>>
>>> http://www.corpshadow.biz/bizstore/apu1d-red-combo-kit-p-345.html?cPath=51
>>>
>> All of them work.
>>
> PC Engines APU models 1D & D4 and 2C2 & 2C4 are fully supported,
> although you need -CURRENT or the upcoming 5.9 release to get the
> correct identity of the thermal sensor. They're very good boxes for home
> & SMB usage.

Not sure about the APU2b and c series yet.

The APU1*, yes, no issue; the 2*, based on their own site, is not fully
working yet.

http://pcengines.ch/apu2b4.htm

But I do not have one of the 2* series to test; I have the previous
version.

Their site does show this clearly:

 BIOS is not feature complete yet, in particular -

• No boot from SD card.
• ECC not working yet.
• iPXE module not included yet.

So, this may need to be confirmed to be 100% sure.

Do you have one of these boxes?



Re: OpenBSD on AMD Embedded G-Series T40E APU?

2016-03-07 Thread Daniel Ouellet
On 3/7/16 1:55 PM, Theo de Raadt wrote:
>> On 3/7/16 12:43 PM, Noth wrote:
>>> On 03/07/16 02:04, Theo de Raadt wrote:
>>>>> Hey folks,
>>>>>
>>>>> The website does not seem to have a lot of info on what CPUs are
>>>>> supported.  I'm looking at this box for a home firewall with OpenBSD
>>>>>
>>>>> http://www.corpshadow.biz/bizstore/apu1d-red-combo-kit-p-345.html?cPath=51
>>>>>
>>>> All of them work.
>>>>
>>> PC Engines APU models 1D & D4 and 2C2 & 2C4 are fully supported,
>>> although you need -CURRENT or the upcoming 5.9 release to get the
>>> correct identity of the thermal sensor. They're very good boxes for home
>>> & SMB usage.
>>
>> Not sure about the APU2b and c series yet.
>>
>> The APU1*, yes, no issue; the 2*, based on their own site, is not fully
>> working yet.
>>
>> http://pcengines.ch/apu2b4.htm
>>
>> But I do not have one of the 2* series to test; I have the previous
>> version.
>>
>> Their site does show this clearly:
>>
>>  BIOS is not feature complete yet, in particular -
>>
>> • No boot from SD card.
>> • ECC not working yet.
>> • iPXE module not included yet.
>>
>> So, this may need to be confirmed to be 100% sure.
>>
>> Do you have one of these boxes?
> 
> The original question was as to whether the cpu works.
> 
> Daniel, you are wrong.  The CPU works fine.  Furthermore, these
> machines being talked about WORK COMPLETELY FINE.
> 
> Please stop the factless rumour mongering about hardware you don't have.

Not a rumor. That's why I asked, as I said I didn't have one to test and
I can only go with what their site said. That's why I asked.

Sorry if that created confusion, but I am glad to know it is working.



Re: LibreNMS chroot issues

2015-12-27 Thread Daniel Ouellet
> I was wondering if anybody tried running LibreNMS with httpd from the
> base and even more fundamentally does httpd from the base support
> "unsecure" mode. I read up and down httpd several times but I didn't see
> anything about insecure mode.

Yes, "unsecure mode" is called Linux.

Or FreeBSD these days, with all the security they talked about not
enabled by default.

Take your pick.



Any idea for table replacement configuration in iked.con

2015-12-19 Thread Daniel Ouellet
I am trying to find a more efficient way than creating a long list of
policies in iked.conf for what would be done in pf using a table, but
there isn't any table in iked.conf.

As a simple example, if I had this in pf

table  { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }

it would match all of the /16, but not the /24; however it would allow
the /32 from the /24 anyway.

This is a simple one, but how would one go about doing something similar
in iked.conf without table support, other than creating a much longer
list of policies to achieve the same, or creating a bunch of subnets to
cover the same address space?

Any trick maybe?

Not a show stopper, but it sure would make the policy much shorter and
avoid human errors down the road.

I would appreciate any possible trick; so far I can't come up with any.
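iked.conf has no table construct, but the address set a pf table describes can be computed up front and emitted as plain prefixes, which keeps one hand-maintained definition as the source of truth. The Python below is an added example, not something from the thread or from OpenBSD: it expands a pf-style table (positive and `!`-negated entries, with the most specific entry winning as in pf) into the minimal list of CIDR blocks covering exactly the same addresses, then renders one ikev2 policy line per block in the shape of the policy lines quoted elsewhere on this page. The policy name, interface and peer address it uses are constructed values.

```python
import ipaddress


def expand_table(entries):
    """Expand pf table entries into the minimal set of CIDR blocks covering
    exactly the addresses pf would match.

    pf tables use longest-prefix match: a '!' entry excludes its prefix, but a
    more specific positive entry inside it is matched again. Processing entries
    from shortest to longest prefix reproduces that: each later (more specific)
    entry overrides what the earlier, broader ones decided.
    """
    parsed = []
    for entry in entries:
        entry = entry.strip()
        negated = entry.startswith("!")
        parsed.append((negated, ipaddress.ip_network(entry.lstrip("!"), strict=False)))
    parsed.sort(key=lambda item: item[1].prefixlen)

    current = []
    for negated, net in parsed:
        if not negated:
            # add and merge adjacent/overlapping blocks
            current = list(ipaddress.collapse_addresses(current + [net]))
            continue
        carved = []
        for have in current:
            if have.subnet_of(net):
                continue                                  # swallowed entirely
            if net.subnet_of(have):
                carved.extend(have.address_exclude(net))  # punch the hole out
            else:
                carved.append(have)
        current = carved
    return list(ipaddress.collapse_addresses(current))


def covers(nets, address):
    """True if address falls in any of the expanded blocks (used to check the expansion)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


def iked_policies(nets, name, iface, peer, remote="0.0.0.0/0"):
    """One ikev2 policy line per block, modelled on the policy lines quoted in
    this thread. Policy names get a numeric suffix so each line is distinct;
    name, iface and peer are whatever the caller supplies (constructed here)."""
    return [
        f"ikev2 {name}{i} active from {iface} to {peer} from {net} to {remote} peer {peer}"
        for i, net in enumerate(nets)
    ]


# The table from the question: all of 172.16.0.0/16 except 172.16.1.0/24,
# but 172.16.1.100 is allowed back in.
EXAMPLE_TABLE = ["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"]

if __name__ == "__main__":
    blocks = expand_table(EXAMPLE_TABLE)
    # constructed values for the policy template
    for line in iked_policies(blocks, "Example", "re0", "192.0.2.1"):
        print(line)
```

On the example table this yields nine blocks: the eight pieces of the /16 left after carving out the /24, plus the /32 on its own. Regenerating the policy lines from the one table definition whenever it changes is what removes the hand-editing the post worries about.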



Re: IKEDv2 lost tunnel. How to reproduce at will, effects and work around.

2015-12-15 Thread Daniel Ouellet
OK,

Here are more updates on this after now 3 weeks of testing every
possible variation and configuration.

I finally found a way to have it stable. I don't like it, but it works.
72 hours so far, or close to it.

Maybe it wasn't noticed before because I get the feeling that it is
mostly used in NAT setups, so the issue doesn't show up for most users.

One thing I have to say, I would love a way to DISABLE the NAT
capability as opposed to having the system try it by default. I also
understand that a switch is NOT something loved, and I also agree. Not
sure what the RFC says about it, but anyway I thought that if you know
you do not have NAT, nor will you have it, it would be wise to make sure
it wouldn't try it ever for any reason.

Now what works, and ONLY that combination actually works, is this one:

Remote site:
ikev2 Ouellet passive from em0 to 108.56.142.37 from 0.0.0.0/0 to
66.63.50.16/28 peer 108.56.142.37 srcid tunnel.realconnect.com dstid
gateway.ouellet.us lifetime 0 bytes 0

Local site:
ikev2 Ouellet active from re0 to 66.63.5.250 from 66.63.50.16/28 to
0.0.0.0/0 peer 66.63.5.250 srcid gateway.ouellet.us dstid
tunnel.realconnect.com lifetime 0 bytes 0

If you remove both or even only one of

srcid gateway.ouellet.us dstid tunnel.realconnect.com it will not work.

If you do not include

lifetime 0 bytes 0

It will not work, so ALL 4 elements need to be there for the remote
site NOT to try to switch to NAT-T and then kill the flows, where the
only way to restore them is to restart iked on the source side.

I know this may not make sense, but I see the

Dec 11 19:19:01 tunnel iked[9794]: ikev2_msg_send: INFORMATIONAL request
from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 1, 80 bytes, NAT-T

messages with ANY other configuration, and I tried ALL possible
variations of it to find out what works.

I would have assumed that setting the lifetime to never expire would
have done it, even if you shouldn't do that as it weakens the IPsec
configuration, since it relies on rekeying to make it strong; it will
still try NAT-T even if set to never expire.

Something has to be wrong in the logic here. I started to look at the
code, nothing yet, and I am not sure I will find why; maybe Reyk might
have an idea, as he wrote it, but I am also sure he is very busy with
other things.

But that's the final result of 3 weeks of research and frustration on
this. Now I can get it stable. Well, 72 hours anyway so far, so we will see,
but that's what all the tests provide and I hope that somehow it is
useful to someone and maybe allows finding out why, when NAT is not in the
path, it will regardless try to do NAT-T. That part doesn't make sense to me.

What I had below is still true, but the same scenario with NAT-T will
show up, just somewhat less frequently, but still present. With the above,
so far, none.

Best,

Daniel



On 12/11/15 8:51 PM, Daniel Ouellet wrote:
> I sure hope this will help.
> 
> ***Setup***
> Two servers on 5.8. Establish a VPN with IKEv2. One side active, one side
> passive. Use RSA keys, or a passphrase if you like.
> 
> Active side:
> # cat /etc/iked.conf
> ikev2 Ouellet active from re0 to 66.63.5.250 from 66.63.50.16/28 to
> 0.0.0.0/0 peer 66.63.5.250
> 
> Passive side:
> # cat /etc/iked.conf
> ikev2 Ouellet passive from em0 to 108.56.142.37 from 0.0.0.0/0 to
> 66.63.50.16/28 peer 108.56.142.37
> 
> ***Issues***
> 1. On heavy traffic, you will get many SAD entries that will only
> get cleaned up on the expiration of the lifetime in time, even if the
> lifetime in size has been passed multiple times. Meaning clean up is only done
> on the timer, not when the data limit is reached.
> 
> 2. On heavy download to the destination (passive side), when the data
> limit is reached, on a few occasions the passive side will try to change
> the tunnel to use NAT-T, even if there is no NAT, and then the only
> solution is to stop/start the active side to establish the tunnel again.
> 
> ***How to trigger and reproduce at will***
> To easily trigger the issue often, just reduce the defaults by adding
> on both sides a much shorter lifetime
> 
> lifetime 1m bytes 100k
> 
> as this:
> 
> ikev2 Ouellet active from re0 to 66.63.5.250 from 66.63.50.16/28 to
> 0.0.0.0/0 peer 66.63.5.250 lifetime 1m bytes 100k
> 
> And then just watch the logs live with
> tail -f /var/log/daemon | grep iked
> on the passive side; you will see very quickly this:
> 
> 
> Dec 11 20:01:32 tunnel iked[1801]: pfkey_reply: message: No such process
> Dec 11 20:01:32 tunnel iked[1801]: ikev2_pld_delete: deleted 1 spis
> Dec 11 20:01:32 tunnel iked[1801]: ikev2_msg_send: INFORMATIONAL response from 66.63.5.250:500 to 108.56.142.37:500 msgid 3, 80 bytes, NAT-T
> 
> 
> Then you will lose access to the tunnel completely and it will

Re: Can't build kernel GENERIC.MP on Dell Inspiron E1045

2015-12-15 Thread Daniel Ouellet
On 12/15/15 5:10 PM, Jack J. Woehr wrote:
> Just installed 5.8 on an old Dell laptop, cvs'ed src -rOPENBSD_5_8 then
> config'ed and tried to build GENERIC.MP:



> Any tips? This has to be something silly ...

Sure, use snapshots!

You can get one already done every single day if you want...

ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/i386/



Re: syscall 5 "cpath" continues with octeon

2015-12-13 Thread Daniel Ouellet
Sorry about that by the way.

The file is big, 156494156 Dec 13 02:40 Octeon-Install.mov


On 12/13/15 2:58 AM, Daniel Ouellet wrote:
> Hi,
> 
> I thought about your problem and as I can't figure out what may be going
> on, I thought a picture would be worth a thousand words and as my
> English is not as good as I wish, I did a video instead.
> 
> Not sure how many words that would be worth, but whatever, I am sure it
> would be way better than anything I could possibly write!
> 
> I have done it with QuickTime only because that's what I had available
> around right now; hopefully you can watch it. I just do not have any
> Window$ computer around. Plus I wouldn't want it to crash on me as I was
> doing the video! (;>
> 
> Anyway, you have it from the start to the end, including showing
> fdisk, disklabel, as well as the U-Boot env section and what you can do
> to boot it quickly without making changes to it as well when it is set up
> to boot.
> 
> I also loaded it from scratch and put the files on the FAT partition as
> well and did a complete install, NOT an upgrade.
> 
> If that doesn't get you going, I can't say what will.
> 
> Enjoy and hopefully it will be useful.
> 
> As for the stall, not much I can do there, my flash drive is pretty slow,
> but still everything from start to finish, wipe, install, reboot, etc. was
> 18 minutes or so including my typing mistakes.
> 
> You can get it here:
> 
> http://www.openbsdsupport.org/octeon/Octeon-Install.mov
> 
> And no, before you ask, that has NOTHING to do with the official
> project. It's just a very old (11 years and counting) demonstration to
> show that talk on misc@ is cheap and doing is not.
> 
> Best,
> 
> Daniel.
> 
> 
> 
> On 12/12/15 10:42 PM, jungle Boogie wrote:
>> Hello All,
>>
>> Despite the very helpful reply from Daniel on this thread:
>> http://marc.info/?l=openbsd-misc=14493626054=2
>>
>> I'm faced with the same message upon accepting the default partition
>> and disk layout:
>> disklabel(19593): syscall 5 "cpath"
>> Abort trap
>>
>> When attempting to use the Octeon snapshot from November:
>> http://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/
>>
>> Is there something more I can do to get this working or is this some
>> pledge issue? To rule out a USB disk problem or edge router lite
>> problem, I can load the previous bsd.rd file but I would need someone
>> to share that with me because I don't have it anymore.
>>
>> Thanks!



Re: syscall 5 "cpath" continues with octeon

2015-12-13 Thread Daniel Ouellet
Hi,

I thought about your problem and as I can't figure out what may be going
on, I thought a picture would be worth a thousand words and as my
English is not as good as I wish, I did a video instead.

Not sure how many words that would be worth, but whatever, I am sure it
would be way better than anything I could possibly write!

I have done it with QuickTime only because that's what I had available
around right now; hopefully you can watch it. I just do not have any
Window$ computer around. Plus I wouldn't want it to crash on me as I was
doing the video! (;>

Anyway, you have it from the start to the end, including showing
fdisk, disklabel, as well as the U-Boot env section and what you can do
to boot it quickly without making changes to it as well when it is set up
to boot.

I also loaded it from scratch and put the files on the FAT partition as
well and did a complete install, NOT an upgrade.

If that doesn't get you going, I can't say what will.

Enjoy and hopefully it will be useful.

As for the stall, not much I can do there, my flash drive is pretty slow,
but still everything from start to finish, wipe, install, reboot, etc. was
18 minutes or so including my typing mistakes.

You can get it here:

http://www.openbsdsupport.org/octeon/Octeon-Install.mov

And no, before you ask, that has NOTHING to do with the official
project. It's just a very old (11 years and counting) demonstration to
show that talk on misc@ is cheap and doing is not.

Best,

Daniel.



On 12/12/15 10:42 PM, jungle Boogie wrote:
> Hello All,
> 
> Despite the very helpful reply from Daniel on this thread:
> http://marc.info/?l=openbsd-misc=14493626054=2
> 
> I'm faced with the same message upon accepting the default partition
> and disk layout:
> disklabel(19593): syscall 5 "cpath"
> Abort trap
> 
> When attempting to use the Octeon snapshot from November:
> http://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/
> 
> Is there something more I can do to get this working or is this some
> pledge issue? To rule out a USB disk problem or edge router lite
> problem, I can load the previous bsd.rd file but I would need someone
> to share that with me because I don't have it anymore.
> 
> Thanks!



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-13 Thread Daniel Ouellet
> Secondly, this whole thread should have ended long ago.

So why do you keep it going then?

Let it die please.



Re: syscall 5 "cpath" continues with octeon

2015-12-12 Thread Daniel Ouellet
I am really not sure what problem you are facing.

I did it a few times from scratch and every time it goes without any
problems whatsoever, and I really don't see where your cpath can come
from at all.

And I see no pledge issue whatsoever either.

Are you sure that you are actually using the proper bsd.rd, NOT a
previous version somehow?

You need to make sure to put it on your FAT partition BEFORE trying to
do the install and then create your own partition; no need to use the
default one, plus it's not like you will do development on this box.

What partition is your bsd.rd installed on?

If you do:

mount_msdos /dev/sd0i /mnt

where the   ^ is your FAT partition.

The ^ points to the i of sd0i; yours may well be at a different place.
After you mount it, what does ls -al show? Is it really the proper one?

If not, then just:

cd /mnt

and then download it:

ftp http://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/bsd.rd

and then make sure you load that one to do the install.

I would want to help you more, but it's hard to know what you do or do
not do.

Daniel


On 12/12/15 10:42 PM, jungle Boogie wrote:
> Hello All,
> 
> Despite the very helpful reply from Daniel on this thread:
> http://marc.info/?l=openbsd-misc=14493626054=2
> 
> I'm faced with the same message upon accepting the default partition
> and disk layout:
> disklabel(19593): syscall 5 "cpath"
> Abort trap
> 
> When attempting to use the Octeon snapshot from November:
> http://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/
> 
> Is there something more I can do to get this working or is this some
> pledge issue? To rule out a USB disk problem or edge router lite
> problem, I can load the previous bsd.rd file but I would need someone
> to share that with me because I don't have it anymore.
> 
> Thanks!



Re: syscall 5 "cpath" continues with octeon

2015-12-12 Thread Daniel Ouellet
Worst case, delete all partitions (EXCEPT the first one, the FAT one)
and use only one, install, test and then redo as you see fit.

You can mount your FAT partition and access it right?

You do have the bsd.rd file on that FAT partition right?

Maybe your FAT partition conflicts with one of the default install. I
don't really know as I can't see it.

But really it works.

I also feel like, if you ssh to one of your boxes that has a terminal to
this one, where you have nothing to show, I could install it for you; then
when you see it working you redo it for both the ssh box and this one, as
you shouldn't trust me anyway! I know I wouldn't trust anyone to do an
install for me, but I have so many boxes around to play with and that I
am testing with; setting one up just for this and having a terminal to
another is easy, and then I would have no problem wiping it out after that.
If you have the same I could help you as a LAST resort, but really you
can do it!

This is something I would never do or really have someone do to me
except if I am totally stuck, but your setup is not difficult and it
does work, so if you provide more details maybe I can help you; however
it really does work.

I feel you have to be doing something wrong someplace or skipping a step or
something, unless your USB flash drive IS REALLY BAD maybe, but I
really don't think that is what's going on!

Daniel



On 12/12/15 10:42 PM, jungle Boogie wrote:
> Hello All,
> 
> Despite the very helpful reply from Daniel on this thread:
> http://marc.info/?l=openbsd-misc=14493626054=2
> 
> I'm faced with the same message upon accepting the default partition
> and disk layout:
> disklabel(19593): syscall 5 "cpath"
> Abort trap
> 
> When attempting to use the Octeon snapshot from November:
> http://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/
> 
> Is there something more I can do to get this working or is this some
> pledge issue? To rule out a USB disk problem or edge router lite
> problem, I can load the previous bsd.rd file but I would need someone
> to share that with me because I don't have it anymore.
> 
> Thanks!



IKEDv2 lost tunnel. How to reproduce at will, effects and work around.

2015-12-11 Thread Daniel Ouellet
I sure hope this will help.

***Setup***
Two servers on 5.8. Establish a VPN with IKEv2. One side active, one side
passive. Use RSA keys, or a passphrase if you like.

Active side:
# cat /etc/iked.conf
ikev2 Ouellet active from re0 to 66.63.5.250 from 66.63.50.16/28 to
0.0.0.0/0 peer 66.63.5.250

Passive side:
# cat /etc/iked.conf
ikev2 Ouellet passive from em0 to 108.56.142.37 from 0.0.0.0/0 to
66.63.50.16/28 peer 108.56.142.37

***Issues***
1. On heavy traffic, you will get many SAD entries that will only
get cleaned up on the expiration of the lifetime in time, even if the
lifetime in size has been passed multiple times. Meaning clean up is only done
on the timer, not when the data limit is reached.

2. On heavy download to the destination (passive side), when the data
limit is reached, on a few occasions the passive side will try to change
the tunnel to use NAT-T, even if there is no NAT, and then the only
solution is to stop/start the active side to establish the tunnel again.

***How to trigger and reproduce at will***
To easily trigger the issue often, just reduce the defaults by adding
on both sides a much shorter lifetime

lifetime 1m bytes 100k

as this:

ikev2 Ouellet active from re0 to 66.63.5.250 from 66.63.50.16/28 to
0.0.0.0/0 peer 66.63.5.250 lifetime 1m bytes 100k

And then just watch the logs live with
tail -f /var/log/daemon | grep iked
on the passive side; you will see very quickly this:


Dec 11 20:01:32 tunnel iked[1801]: pfkey_reply: message: No such process
Dec 11 20:01:32 tunnel iked[1801]: ikev2_pld_delete: deleted 1 spis
Dec 11 20:01:32 tunnel iked[1801]: ikev2_msg_send: INFORMATIONAL response from 66.63.5.250:500 to 108.56.142.37:500 msgid 3, 80 bytes, NAT-T


Then you will lose access to the tunnel completely and it will not
recover until you manually reset the active side with rc.d/iked stop and
start.

The data limit is small, so you can trigger it with just:

ping -s 1500 66.63.5.250 from the active side of the network. Or whatever
way you want to generate traffic, and before you know it you could
see this:

# ipsecctl -sa | wc -l
 493

and the number of SAD entries will ONLY get reduced when the time limit is
reached, even if they are not valid anymore and have been triggered by the
data limit.

Maybe the clean up should happen on both time and data limits. Just a
thought.

***Work Around***
Now to work around the problem for now, simply change the lifetime of
the PASSIVE side. I just picked 2x the active side for both time and data
so that it NEVER triggers the NAT-T issue. Not an ideal solution, but for
now it fixes the loss of VPN at random times.

You can test and do the same as above to see it with only the
active side having the same

lifetime 1m bytes 100k

and then the passive side with

lifetime 2m bytes 200k

And just flow traffic.

You still will see the huge increase in SAD entries on the active side as the
data limit gets reached and new child SAs get created, as they don't get cleaned
up then, but only when the time limit is reached.

But this way at a minimum, you will NOT lose your VPN.

The same issue shows up as well even if both sides are active. It's more
like a timing issue I guess, possibly, but really if a VPN works without
NAT I think it should never try to establish NAT-T anyway, especially if
it has passed traffic constantly all the way to 500MB, that being the default,
and when the VPN carries huge traffic, maybe it should clean up the old
child SA in the SAD when a data limit is reached and a new child is created
instead of doing it only when the time limit is reached, so that if you decide to
set up no limit on time, then your box doesn't explode because of lack of
resources or whatnot and old child SAs are not released.

Hopefully this will be useful to someone as it took me a week to isolate
why in hell I lose the VPN at random times on an otherwise perfectly working
VPN.

Best,

Daniel



When iked re-key, leave ghost behind

2015-12-11 Thread Daniel Ouellet
One question. Is the only way to re-key the iked process, when it
reaches its 3 hours usage and/or the 500 MB data exchange, to restart a
new process?

Isn't it possible to kill the old one then, which is not used anymore, and
stop having some routing problem that may be caused by it?

I collect a HUGE amount of old processes that appear to finally get cleaned
up after a while, but I wonder if it actually needs to have a process
restart instead of just the key change on that same process, or if it
needs to be a new process, then make sure the old one is killed?

Here is an example of how many times there are old processes here. See logs
below for examples.

Also, one question, researching on google I saw a few examples done as
below and it creates fewer duplicate processes for the same flow and I wonder
if that's not better; it appears to be a bit more stable. In both
cases, I still sadly need to reset the iked originating side regularly,
however; just wonder if the simpler solution is not better and if not why?

One line setup, and needs fewer restarts of the iked daemon.

ikev2 Ouellet active from re0 to 66.63.5.250 from 66.63.50.16/28 to
0.0.0.0/0 peer 66.63.5.250

And setup as per the man page:

ikev2 Ouellet active from re0 to 66.63.5.250
ikev2 Ouellet active from 66.63.50.16/28 to 0.0.0.0/0 peer 66.63.5.250

And here are the logs for how many times there are ghost processes left
behind that are cleared up hours after new processes have been created.

If a process has to be re-created, then why not kill the old one before
doing so? Just wonder if that may not help the stability and possibly
eliminate the constant need for daemon restarts.

Thanks

Daniel

Example of logs with leftover ghost iked processes.

# cat daemon | grep "pfkey_sa_last_used: message: No such process"
Dec 11 09:41:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 09:41:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 09:42:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 09:42:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 09:43:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 09:44:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 09:45:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 09:58:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 10:26:06 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 10:45:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 10:52:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:13:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:13:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:14:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:14:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:15:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:15:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:16:07 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:44:08 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:44:08 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:45:08 gateway iked[28392]: pfkey_sa_last_used: message: No such process
Dec 11 11:55:08 gateway iked[28392]: pfkey_sa_last_used: message: No such process
# zcat daemon.?.gz | grep "pfkey_sa_last_used: message: No such process" | sort -r
Dec 10 22:32:57 gateway iked[22948]: pfkey_sa_last_used: message: No such process
Dec 10 22:32:57 gateway iked[22948]: pfkey_sa_last_used: message: No such process
Dec 10 22:31:57 gateway iked[22948]: pfkey_sa_last_used: message: No such process
Dec 10 22:31:57 gateway iked[22948]: pfkey_sa_last_used: message: No such process
Dec 10 22:25:57 gateway iked[22948]: pfkey_sa_last_used: message: No such process
Dec 10 22:11:57 gateway iked[22948]: pfkey_sa_last_used: message: No such process
Dec 10 22:07:57 gateway iked[22948]: pfkey_sa_last_used: message: No such process
Dec 10 21:45:57 gateway iked[22948]: pfkey_sa_last_used: message: No such process
Dec 10 00:00:32 gateway iked[18024]: pfkey_sa_last_used: message: No such process
Dec 10 00:00:32 gateway iked[18024]: pfkey_sa_last_used: message: No such process
Dec  9 23:59:32 gateway iked[18024]: pfkey_sa_last_used: message: No such process
Dec  9 23:59:32 gateway iked[18024]: pfkey_sa_last_used: message: No such process
Dec  9 23:58:32 gateway iked[18024]: pfkey_sa_last_used: message: No such process
Dec  9 23:58:32 gateway iked[18024]: pfkey_sa_last_used: message: No such process
Dec  9 23:57:32 gateway iked[18024]: pfkey_sa_last_used: message: No such process
Dec  9 23:57:32 gateway iked[18024]: pfkey_sa_last_used: message: No such process
Dec  9 23:56:32 

Interaction seen between dhcp renewal and iked session forcing it to try to switch to NAT-T and die form then on.

2015-12-09 Thread Daniel Ouellet
Sorry for the long details here.

It may be relevant or related to some comments I have seen in regards to
the DHCP client killing traffic in the last few days on tech@, and
maybe it might be useful.

If not just ignore, as I am still digging into why iked sessions are unstable
long term.

But what is sure and seen in the logs is that somehow a perfectly stable
iked session, after running well, tries for no reason to switch
to NAT-T when at the same time I see a DHCP renewal or request on the
originating side of the iked session.

The only thing I can think of is that somehow, because of the timing of
the DHCP renewal, one side of iked didn't receive a confirmation
back and then initiated NAT-T instead; then it was received after the
DHCP renewal process was completed, and then somehow the iked session
never recovered from it because it tries to do NAT from this point and
there isn't any NAT in the path.

Logs appear to show this is the common element I have seen a few times
so far and it appears to always be the common factor on an otherwise
perfectly stable and running iked session.

So, I think I may have found why my IKEv2 doesn't stay up long term,
but I am not sure how to get around it yet.

Somehow the remote iked node, even if programmed for passive mode, down the
road will send a request for NAT-T to the originating side of the
session on a perfectly stable session.

I can't figure out why it would even do that, but I see it in the logs.

Then from that point on, the session will never recover at all until I
actually simply restart the session on the active side.

Log from the remote session. Look at the last two lines from the extract here.


Dec  9 14:28:24 tunnel iked[15183]: ikev2_recv: IKE_SA_INIT request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 534 bytes
Dec  9 14:28:24 tunnel iked[15183]: ikev2_msg_send: IKE_SA_INIT response from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 437 bytes
Dec  9 14:28:24 tunnel iked[15183]: ikev2_recv: IKE_AUTH request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 1, 800 bytes
Dec  9 14:28:24 tunnel iked[15183]: ikev2_msg_send: IKE_AUTH response from 66.63.5.250:500 to 108.56.142.37:500 msgid 1, 768 bytes
Dec  9 14:28:24 tunnel iked[15183]: sa_state: VALID -> ESTABLISHED from 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet'
Dec  9 15:21:05 tunnel iked[15183]: ikev2_recv: CREATE_CHILD_SA request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 2, 288 bytes
Dec  9 15:21:05 tunnel iked[15183]: ikev2_msg_send: CREATE_CHILD_SA response from 66.63.5.250:500 to 108.56.142.37:500 msgid 2, 240 bytes
Dec  9 15:21:05 tunnel iked[15183]: ikev2_recv: INFORMATIONAL request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 3, 80 bytes
Dec  9 15:21:05 tunnel iked[15183]: ikev2_pld_delete: deleted 1 spis
Dec  9 15:21:05 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL response from 66.63.5.250:500 to 108.56.142.37:500 msgid 3, 80 bytes
Dec  9 16:16:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 80 bytes
Dec  9 16:16:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 80 bytes
Dec  9 16:20:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 1, 80 bytes, NAT-T
Dec  9 16:20:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:4500 to 66.63.5.250:4500 policy 'Ouellet' id 1, 80 bytes
Dec  9 16:31:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 2, 80 bytes, NAT-T


And then from that point on, it will ONLY try to use NAT-T and never go
back to the normal setup, not even try it, as the original side somehow
sees it as good, and if you do ipsecctl -sa, you see that it appears to be
up. But from that point on, no matter what, traffic is not flowing
anymore and stops exactly from that point forward and never recovers until
done manually.

Now this may be a coincidence, but it appears to happen when there is a
DHCP renewal on the source side, even if that's NOT on the interface
where the session is.

Looks like a message was received but maybe not replied to, then a
NAT-T message arrived after that point and then all went dead until
manually reset.

Strange thing is why a DHCP renewal on a different interface affects
traffic on another interface that also operates with DHCP, BUT is not in
the process of renewal at that point?

Is it possible that all interfaces that are configured with DHCP are
affected when one of them is in a renewal cycle?

I saw a few DHCP commits in the last few days and one comment from Bob@
regarding DHCP sessions dying etc.
This may not have anything to do with it, but I thought that maybe it
may have, or because of the events I see and the cvs 
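The port 500 to port 4500 switch that the log extract above shows, and that the two earlier IKEv2 posts in this archive also report as the moment the tunnel dies, can be picked out of /var/log/daemon automatically instead of by eye. The script below is an added example written for this page; it is not code from the thread, from iked or from OpenBSD. It assumes only the iked(8) log format visible in the extract (syslog prefix, then "function: message"), keys sessions on the unordered address pair, and works on a constructed sample built from those same lines re-joined onto single lines; the file name natt_watch.py in the comments is invented.

```python
import re
import sys

# Constructed sample: the iked(8) lines quoted in this thread, re-joined onto
# single lines. The first message on UDP/4500 (marked NAT-T) is at 16:20:25.
SAMPLE_LOG = """\
Dec  9 14:28:24 tunnel iked[15183]: ikev2_recv: IKE_SA_INIT request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 534 bytes
Dec  9 14:28:24 tunnel iked[15183]: ikev2_msg_send: IKE_SA_INIT response from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 437 bytes
Dec  9 14:28:24 tunnel iked[15183]: sa_state: VALID -> ESTABLISHED from 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet'
Dec  9 15:21:05 tunnel iked[15183]: ikev2_recv: CREATE_CHILD_SA request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 2, 288 bytes
Dec  9 15:21:05 tunnel iked[15183]: ikev2_pld_delete: deleted 1 spis
Dec  9 16:16:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 80 bytes
Dec  9 16:16:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 80 bytes
Dec  9 16:20:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 1, 80 bytes, NAT-T
Dec  9 16:20:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:4500 to 66.63.5.250:4500 policy 'Ouellet' id 1, 80 bytes
Dec  9 16:31:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 2, 80 bytes, NAT-T
"""

# syslog prefix, then "function: message" as iked writes it.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'iked\[(?P<pid>\d+)\]: (?P<func>\w+): (?P<msg>.*)$')
# Endpoint pair inside ikev2_recv / ikev2_msg_send / sa_state messages.
EP_RE = re.compile(
    r'from (?:initiator )?(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) '
    r'to (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)')

IKE_PORT = 500      # plain IKEv2
NATT_PORT = 4500    # UDP-encapsulated IKEv2/ESP (NAT-T)


def parse_iked_line(line):
    """Return the fields of one iked log line, or None when the line carries
    no endpoint pair (e.g. ikev2_pld_delete, pfkey_* messages)."""
    m = LINE_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    ep = EP_RE.search(m['msg'])
    if ep is None:
        return None
    rec = {k: m[k] for k in ('ts', 'host', 'func', 'msg')}
    rec.update(src=ep['src'], sport=int(ep['sport']),
               dst=ep['dst'], dport=int(ep['dport']))
    # Order-independent key so both directions of one IKE SA share state.
    rec['pair'] = tuple(sorted((rec['src'], rec['dst'])))
    rec['natt'] = rec['dport'] == NATT_PORT or m['msg'].endswith('NAT-T')
    return rec


def find_natt_switches(lines):
    """Report, once per peer pair, the first NAT-T message that follows
    plain UDP/500 traffic for the same pair: a session that changed to
    NAT-T mid-life, which is what the thread sees just before the tunnel
    stops passing traffic. A pair only ever seen on 4500 is not reported."""
    last_plain = {}    # pair -> most recent record seen on UDP/500
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_iked_line(line)
        if rec is None:
            continue
        pair = rec['pair']
        if not rec['natt']:
            last_plain[pair] = rec
        elif pair in last_plain and pair not in alerted:
            alerted.add(pair)
            alerts.append({
                'pair': pair,
                'switched_at': rec['ts'],
                'switch_msg': rec['msg'],
                'last_plain_at': last_plain[pair]['ts'],
                'last_plain_msg': last_plain[pair]['msg'],
            })
    return alerts


def main():
    # Read the live log from stdin (tail -f /var/log/daemon | python3 natt_watch.py)
    # or fall back to the embedded sample when run interactively.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for a in find_natt_switches(source):
        print('NAT-T switch for %s <-> %s at %s' % (a['pair'][0], a['pair'][1], a['switched_at']))
        print('  last plain message %s: %s' % (a['last_plain_at'], a['last_plain_msg']))
        print('  first NAT-T message: %s' % a['switch_msg'])


if __name__ == '__main__':
    main()
```

Run over the sample it reports one switch, at 16:20:25, and names the 16:16:25 INFORMATIONAL exchange as the last message seen on port 500, which is exactly the pair of lines the post asks the reader to look at. Fed the live log with tail -f it fires once per tunnel the first time that tunnel moves to 4500, which is the moment to capture ipsecctl -sa output before restarting iked.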

Ikedv2 proper usage questions.

2015-12-08 Thread Daniel Ouellet
I have a few questions that I really need to clarify for myself and I
would very much appreciate some input.

Reason is that I am having problems keeping the session up for a long
time, and just doing /etc/rc.d/iked stop and then start on the client side
will bring the session back up, even if I see what is supposed to be a proper
flow with ipsecctl -s all.

And for testing, as I was trying to see what happens, I set up a gateway
between my home router and a data center gateway, both OpenBSD, home on
5.8 and the data center gateway for now on 5.7. Then I started to watch
Netflix on it to see, and about every 50 to 60 minutes or so, the
connection went down for maybe 50 seconds to 2 minutes every time, I
suppose to do the re-key thing I guess, but shouldn't the flow continue
as it does this, or is it not possible? I guess the man page said it
should redo this every 3 hours by default or 500MB of data transfer.
Will it always cut off the traffic when it redoes this?

Any way around this maybe?

Also, doing ipsecctl reload or reset for testing will hang the client
side and you can't kill it: 100% CPU utilization and you can only do
kill -9 processid multiple times to kill it.

/etc/rc.d/iked stop will never do it.

Also, if no traffic for a while, overnight for testing, then somehow
you need to reset the iked client to get it going again, and in the
ipsecctl -s all you see more than the normal flow there, maybe 6 or 8
at times, and still no traffic.

So, some questions come to mind, and they may be stupid, or not, but I do
wonder and try to find the answers for them.

1. Why does it need to be two connections (set up in iked.conf), one
between gateways and then networks, when one does the same thing and works?

From the man page:

# Set up a VPN:
# First between the gateway machines 192.168.3.1 and 192.168.3.2
# Second between the networks 10.1.1.0/24 and 10.1.2.0/24
ikev2 esp from 192.168.3.1 to 192.168.3.2
ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2

But this works as well and does not duplicate the SAD. Maybe that's what
creates some kind of routing issue. I do not know but continue
testing this to find out.

ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2

as long as you have the reverse on the other side, as this:
ikev2 esp from 10.1.2.0/24 to 10.1.1.0/24 peer 192.168.3.1

you would see for example two of the same:
SAD:
esp tunnel from 192.168.3.1 to 192.168.3.2 spi 0x2ce28601 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.3.1 to 192.168.3.2 spi 0x6d67d248 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.3.2 to 192.168.3.1 spi 0xd5760dc0 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.3.2 to 192.168.3.1 spi 0xf5b3b824 auth hmac-sha2-256 enc aes-256

Why two???

2. If you have the connection established between the gateways only, as opposed
to the network to peer as in question 1, and you configure a routing
protocol, being eigrpd or ospfd, and use that to announce the client network
to the gateway, assuming you control both sides so as to not inject bad routes,
is it not safe or correct to say that the traffic would also be
encrypted when it flows through enc0 and it doesn't need to have the
network statement in iked.conf? Or is that a very bad idea and if so
why? Wouldn't it achieve the same thing? Is it safe as well? I just find
it easier and faster to manage a routing protocol as opposed to iked.conf
flows. But is there a reason not to do so, or is it a bad idea as well? After
all the man page says:

"IPsec traffic appears unencrypted on the enc(4) interface and can be
filtered accordingly using the OpenBSD packet filter, pf(4).  The
grammar for the packet filter is described in pf.conf(5)."

"enc0
Default interface for outgoing traffic before it's been
encapsulated, and incoming traffic after it's been decapsulated.
State on this interface should be interface bound; see enc(4) for
further information."

3. Not a big deal, but even if the man page says active is the
default mode, why do I need to actually specifically say in iked.conf:

ikev2 active esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2

to get it going, as this will not do so:

ikev2 esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2

even if I also have this in the iked.conf file:

set active

Or am I really misunderstanding the man page in regards to the set
active part?

4. Do I need to set up some kind of keepalive or something to make sure
the flow between the boxes is always up? Or what could I look at to find
out what may be happening for the traffic to stop flowing properly?

Every time, nothing needs to be done other than /etc/rc.d/iked stop and
then start to get it going again after it wasn't used for a while.

Thanks

Daniel
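The duplicated SAD entries in the post above, and the runaway "ipsecctl -sa | wc -l" count in the reproduce-at-will post earlier on this page, are easier to reason about per direction than as a raw line count. The script below is an added example for this page, not code from the thread or from ipsecctl. It parses the "esp tunnel from ... to ... spi ..." lines in the format quoted above, groups SPIs by (src, dst) direction and flags any direction holding more SAs than a rekey overlap explains. The sample is constructed from the four entries quoted above plus two extra SPIs invented to show the bloated case; the ceiling of two SAs per direction (old and new child SA overlapping during a rekey) is an assumption of this example, not something the thread establishes, as is the file name sad_count.py.

```python
import re
from collections import defaultdict

# Constructed sample in `ipsecctl -sa` format: the four entries quoted above
# plus two extra SPIs (made up for the example) in one direction, the shape a
# SAD takes once byte-limit rekeys have left old child SAs behind.
SAMPLE_SAD = """\
SAD:
esp tunnel from 192.168.3.1 to 192.168.3.2 spi 0x2ce28601 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.3.1 to 192.168.3.2 spi 0x6d67d248 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.3.2 to 192.168.3.1 spi 0xd5760dc0 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.3.2 to 192.168.3.1 spi 0xf5b3b824 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.3.1 to 192.168.3.2 spi 0x0a0b0c0d auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.3.1 to 192.168.3.2 spi 0x01020304 auth hmac-sha2-256 enc aes-256
"""

# One SA entry as ipsecctl prints it; flow lines and headers do not match.
SA_RE = re.compile(
    r'^(?P<proto>esp|ah|ipcomp) (?P<mode>tunnel|transport) '
    r'from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+)')

# Assumed ceiling: while a rekey is in progress the old and the new child SA
# of one direction overlap, so two is the most a healthy direction holds.
MAX_PER_DIRECTION = 2


def parse_sad(text):
    """Map each (src, dst) direction to the list of SPIs installed for it.
    Header and non-SA lines ("SAD:", "FLOWS:", flow entries) are skipped."""
    by_dir = defaultdict(list)
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            by_dir[(m['src'], m['dst'])].append(m['spi'])
    return dict(by_dir)


def total_sas(by_dir):
    """Number of SA entries, the figure `ipsecctl -sa | wc -l` approximates."""
    return sum(len(spis) for spis in by_dir.values())


def bloated_directions(by_dir, limit=MAX_PER_DIRECTION):
    """Directions holding more SAs than a rekey overlap explains: the
    byte-limit rekeys whose old SAs are still waiting for their time limit."""
    return {d: spis for d, spis in by_dir.items() if len(spis) > limit}


def report(text=SAMPLE_SAD):
    """Print a per-direction summary and return the parsed table."""
    by_dir = parse_sad(text)
    print('%d SAs in %d directions' % (total_sas(by_dir), len(by_dir)))
    for (src, dst), spis in sorted(bloated_directions(by_dir).items()):
        print('%s -> %s: %d SAs (%s)' % (src, dst, len(spis), ', '.join(spis)))
    return by_dir


if __name__ == '__main__':
    import sys
    # ipsecctl -sa | python3 sad_count.py   (sad_count.py is an assumed name)
    report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SAD)
```

On the healthy output quoted in the post, two SAs per direction, nothing is flagged: that pair is simply the overlap of an old and a new child SA. On a SAD that has grown the way the reproduce-at-will post describes, the direction that keeps accumulating SPIs is the one whose byte limit is firing while the time limit has not, which is the asymmetry the passive-side 2x lifetime work-around is meant to avoid.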



bsd.rd on Octeon ubnt_e200 doesn't fully boot

2015-12-05 Thread Daniel Ouellet
Not the end of the world; I was trying to see if I could boot OpenBSD on
this version of the EdgeRouter Pro from Ubiquiti. I tried the latest
Octeon available just in case.

I am still trying, but I am starting to run out of ideas and I do need to get
some sleep now.

Anyone have a possible idea as to what I may try to load this, maybe?

Looks like the processor may not be configured here, or maybe I don't
read it right:

Anyway, this is all from the start at boot and then when it crashes, it
retries to boot and then keeps cycling.

I just wanted to give this a trial as the box is nice and has 8 Gb
ports, of which 2 can also be SFP, in a very small 1U maybe 7 inches deep.

Anyway, here it is.

==


Octeon ubnt_e200# resetJumping to start of image at address 0xbfca


U-Boot 2012.04.01 (UBNT Build ID: 4670715-g7c4b1d0) (Build time: May 27
2014 - 11:19:05)

Skipping PCIe port 0 BIST, in EP mode, can't tell if clocked.
Skipping PCIe port 1 BIST, reset not done. (port not configured)
BIST check passed.
UBNT_E200 r1:0, r2:15, serial #: 44D9E7410ECB
MPR 13-00317-15
Core clock: 1000 MHz, IO clock: 600 MHz, DDR clock: 533 MHz (1066 Mhz DDR)
Base DRAM address used by u-boot: 0x8f80, size: 0x80
DRAM: 2 GiB
Clearing DRAM.. done
Flash: 8 MiB
Net:   octeth0, octeth1, octeth2, octeth3, octeth4, octeth5, octeth6,
octeth7
MMC:   Octeon MMC/SD0: 0
USB:   USB EHCI 1.00
scanning bus for devices... 2 USB Device(s) found
Type the command 'usb start' to scan for USB storage devices.

Hit any key to stop autoboot:  0
(Re)start USB...
USB:   USB EHCI 1.00
scanning bus for devices... 2 USB Device(s) found
   scanning bus for storage devices... 1 Storage Device(s) found
reading bsd.rd

7568951 bytes read
Allocating memory for ELF segment: addr: 0x8100 (adjusted
to: 0x100), size 0x768c20
## Loading big-endian Linux kernel with entry point: 0x8100 ...
Bootloader: Done loading app on coremask: 0x1
Starting cores 0x1
Total DRAM Size 0x8000
Bank 0 = 0x0176C000   ->  0x0FFF
Bank 1 = 0x00041000   ->  0x00041FFF
Bank 2 = 0x2000   ->  0x7FFFC001
mem_layout[0] page 0x05DB -> 0x3FFF
mem_layout[1] page 0x8000 -> 0x0001
mem_layout[2] page 0x00104000 -> 0x00107FFF
boot_desc->argv[1] = rootdev=/dev/sd0
Initial setup done, switching console.
boot_desc->desc_ver:7
boot_desc->desc_size:400
boot_desc->stack_top:0
boot_desc->heap_start:0
boot_desc->heap_end:0
boot_desc->argc:2
boot_desc->flags:0x5
boot_desc->core_mask:0x1
boot_desc->dram_size:2048
boot_desc->phy_mem_desc_addr:0
boot_desc->debugger_flag_addr:0xc84
boot_desc->eclock:10
boot_desc->boot_info_addr:0x1001f0
boot_info->ver_major:1
boot_info->ver_minor:3
boot_info->stack_top:0
boot_info->heap_start:0
boot_info->heap_end:0
boot_info->boot_desc_addr:0
boot_info->exception_base_addr:0x1000
boot_info->stack_size:0
boot_info->flags:0x5
boot_info->core_mask:0x1
boot_info->dram_size:2048
boot_info->phys_mem_desc_addr:0x48108
boot_info->debugger_flags_addr:0
boot_info->eclock:10
boot_info->dclock:53300
boot_info->board_type:20003
boot_info->board_rev_major:0
boot_info->board_rev_minor:15
boot_info->mac_addr_count:8
boot_info->cf_common_addr:0
boot_info->cf_attr_addr:0
boot_info->led_display_addr:0
boot_info->dfaclock:0
boot_info->config_flags:0x8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2015 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 5.8-current (RAMDISK) #1: Thu Nov 26 17:33:10 CET 2015
jas...@erl-2.jasper.la:/usr/src/sys/arch/octeon/compile/RAMDISK
real mem = 2122907648 (2024MB)
avail mem = 2106032128 (2008MB)
mainbus0 at root
cpu0 at mainbus0: Cavium OCTEON II CPU rev 0.1 1000 MHz, Software FP
emulation
cpu0: cache L1-I 512KB D 8KB 64 way, L2 1024KB 8 way
clock0 at mainbus0: int 5
iobus0 at mainbus0
dwctwo0 at iobus0 base 0x118006800 irq 56cn30xxgmx0 at iobus0 base
0x118000800 irq 48
unsupported octeon model: 0xd9301
uar: ns16550, no working fifo
com0: console
com1 at uartbus0 base 0x118000c00 irq 35: ns16550, no working fifo
root on rd0a swap on rd0b dump on rd0b
WARNING: No TOD clock, believing file system.
WARNING: CHECK AND RESET THE DATE!
panic: pool_do_get: filepl free list modified: page 0x98041e984000;
item addr 0x98041e984000; offset 0x0=0x0 != 0xc45e62ccb6b162fe
syncing disks... done
System restart.
Jumping to start of image at address 0xbfca


U-Boot 2012.04.01 (UBNT Build ID: 4670715-g7c4b1d0) (Build time: May 27
2014 - 11:19:05)



Re: Octeon snapshots

2015-12-05 Thread Daniel Ouellet
It's a nice box. Not the most powerful, but for most cases it works well
so far.

I did a few tcpbench runs on it to see.

About 85 to 90Mb routing before the CPU is 100% in use, and then, well,
that's as much as you get.

If you do both ways at the same time, then it goes down to ~42 to 45.

I also tried with a GRE tunnel to see. The 85 - 90 went down to ~62Mb and
then full duplex goes down to 28 to 32.

Full pf running, doing nat as well, stand smtp, not sending, dhcp.

Anyway, these tests are NOT very exhaustive, but just an idea, and it's
not bad for the $85 I paid for the new unit and the very low power this
needs to work.

I was curious and I will test more. I was trying to see if the
EdgeRouter Pro works; so far, no success yet, or maybe never, but I am
just too tired to figure it out now.

I can say for sure that it does WAY, WAY more than a Cisco 2651XM
router! (:>

Daniel


On 12/5/15 8:20 AM, Peter Kay wrote:
>  
> 
> On 5 December 2015 09:36:29 GMT+00:00, Daniel Ouellet <dan...@presscom.net> 
> wrote:
>> On 11/13/15 12:02 PM, Daniel Ouellet wrote:
>> To the kind sole.
>>
>> Not sure who did the new current updated release, but many thanks to
>> who
>> ever did it!
> It cod not have come at a better time, it stopped me going 'oh roe is me, my 
> Octeon does not work well'. I for one am r-eel-y grateful ;)



Re: Octeon snapshots

2015-12-05 Thread Daniel Ouellet
On 12/5/15 8:01 PM, jungle Boogie wrote:
> On 5 December 2015 at 01:36, Daniel Ouellet <dan...@presscom.net> wrote:
>> I very much appreciate it.
> 
> 
> I appreciate this too, but I can't complete the install. I tried an
> update and now an install.
> 
> Like the first time, I'm following the network boot instructions here:
> ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/INSTALL.octeon
> 
> I can get the bsd.rd file fine from my server and boot into the installer.
> 
> This is the problem:
> Available disks are: sd0.
> Which disk is the root disk? ('?' for details) [sd0]
> Disk: sd0   geometry: 1946/255/63 [31266816 Sectors]
> Offset: 0   Signature: 0xAA55
> Starting Ending LBA Info:
>  #: id  C   H   S -  C   H   S [   start:size ]
> ---
> *0: 0C  0   1   2 -  2  11   9 [  64:   32768 ] Win95 
> FAT32L
>  1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
>  2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
>  3: A6  2  11  10 -   1946  68  42 [   32832:31233984 ] OpenBSD
> Use (W)hole disk, use the (O)penBSD area or (E)dit the MBR? [OpenBSD]
> The auto-allocated layout for sd0 is:
> #size   offset  fstype [fsize bsize  cpg]
>   a:   464.9M32832  4.2BSD   2048 163841 # /
>   b:   465.1M   984896swap
>   c: 15267.0M0  unused
>   d:   735.8M  1937472  4.2BSD   2048 163841 # /tmp
>   e:  1080.7M  316  4.2BSD   2048 163841 # /var
>   f:  1284.9M  5657696  4.2BSD   2048 163841 # /usr
>   g:   742.9M  8289120  4.2BSD   2048 163841 # /usr/X11R6
>   h:  2817.8M  9810624  4.2BSD   2048 163841 # /usr/local
>   i:16.0M   64   MSDOS
>   j:  1178.0M 15581408  4.2BSD   2048 163841 # /usr/src
>   k:  1607.9M 17993856  4.2BSD   2048 163841 # /usr/obj
>   l:  4872.9M 21286848  4.2BSD   2048 163841 # /home
> Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a]
> disklabel(27018): syscall 5 "cpath"
> Abort trap
> 
> 
> What's syscall 5 cpath and why does it cause an abort trap?
> 
> I've tried with two different thumb drives with the same abort trap message.
> 
> Thanks!

Well, I can't say what you did or didn't do.

Below there is WAY more information than needed.

But I just did it again all the way, and here are all the steps I did,
step by step, and here is what my layout was before I started:

# fdisk sd0
Disk: sd0   geometry: 1946/255/63 [31266816 Sectors]
Offset: 0   Signature: 0xAA55
Starting Ending LBA Info:
 #: id  C   H   S -  C   H   S [   start:size ]
---
*0: 0C  0   1   2 -  2  11   9 [  64:   32768 ]
Win95 FAT32L
 1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
 2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
 3: A6  2  11  10 -   1946  68  42 [   32832:31233984 ] OpenBSD

# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: Cruzer Fit
duid: 55072c2137c3a4e7
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 1946
total sectors: 31266816
boundstart: 32832
boundend: 31266816
drivedata: 0

16 partitions:
#size   offset  fstype [fsize bsize  cpg]
  a:  105958432832  4.2BSD   2048 163841 # /
  b:  1044229  1092416swap   # none
  c: 312668160  unused
  d:  2104480  2136672  4.2BSD   2048 163841 # /tmp
  e: 10474368  4241152  4.2BSD   2048 163841 # /var
  f:  2088448 14715520  4.2BSD   2048 163841 # /var/log
  g: 10474400 16803968  4.2BSD   2048 163841 # /usr
  h:  3988448 27278368  4.2BSD   2048 163841 # /home
  i:32768   64   MSDOS

And here are the steps, step by step:

# mount_msdos /dev/sd0i /mnt
# cd /mnt
# ls -al
total 22664
drwxr-xr-x   1 root  wheel16384 Dec 31  1979 .
drwxr-xr-x  13 root  wheel  512 Dec  5 00:11 ..
-rwxr-xr-x   1 root  wheel  4020931 Nov 14 17:29 bsd
-rwxr-xr-x   1 root  wheel  7562057 Nov 14 17:29 bsd.rd

# ftp ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/bsd.rd
Connected to openbsd.sunsite.ualberta.ca.
220 openbsd.srv.ualberta.ca FTP server ready.
...
Retrieving pub/OpenBSD/snapshots/octeon/bsd*.*
local: bsd.mp remo

Re: bsd.rd on Octeon ubnt_e200 doesn't fully boot

2015-12-05 Thread Daniel Ouellet
ci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
octeon-ohci 16f000400.ohci: Octeon OHCI
octeon-ohci 16f000400.ohci: new USB bus registered, assigned bus
number 2
octeon-ohci 16f000400.ohci: irq 56, io mem 0x16f000400
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver libusual
i2c-octeon 118001000.i2c: version 2.0
i2c-octeon 118001200.i2c: version 2.0
octeon_wdt: Initial granularity 5 Sec
TCP: cubic registered
NET: Registered protocol family 17
NET: Registered protocol family 15
L2 lock: TLB refill 256 bytes
L2 lock: General exception 128 bytes
L2 lock: low-level interrupt 128 bytes
L2 lock: interrupt 640 bytes
L2 lock: memcpy 1152 bytes
118000800.serial: ttyS0 at MMIO 0x118000800 (irq = 34) is a OCTEON
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
118000c00.serial: ttyS1 at MMIO 0x118000c00 (irq = 35) is a OCTEON
Bootbus flash: Setting flash for 8MB flash at 0x1f40
phys_mapped_flash: Found 1 x16 devices at 0x0 in 8-bit bank.
Manufacturer ID 0xc2 Chip ID 0xc9
Amd/Fujitsu Extended Query Table at 0x0040
  Amd/Fujitsu Extended Query version 1.1.
phys_mapped_flash: Swapping erase regions for top-boot CFI table.
number of CFI chips: 1
Waiting 10sec before mounting root device...
mmc0: new high speed MMC card at address 0001
mmcblk0: mmc0:0001 SEM04G 3.68 GiB
mmcblk0boot0: mmc0:0001 SEM04G partition 1 2.00 MiB
mmcblk0boot1: mmc0:0001 SEM04G partition 2 2.00 MiB
 mmcblk0: p1 p2
 mmcblk0boot1: unknown partition table
 mmcblk0boot0: unknown partition table
kjournald starting.  Commit interval 5 seconds
EXT3-fs (mmcblk0p2): using internal journal
EXT3-fs (mmcblk0p2): recovery complete
EXT3-fs (mmcblk0p2): mounted filesystem with writeback data mode
VFS: Mounted root (unionfs filesystem) on device 0:10.
Freeing unused kernel memory: 232k freed
Algorithmics/MIPS FPU Emulator v1.5
INIT: version 2.88 booting
INIT: Entering runlevel: 2
Starting routing daemon: rib.
Starting EdgeOS router: migrate rl-system configure.

Welcome to EdgeOS ubnt ttyS0

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

ubnt login:


On 12/5/15 6:18 PM, Daniel Ouellet wrote:
> I got a little bit more now. Not much, but still some progress I guess,
> or not.
> 
> I am the wrong person to judge if so or not...
> 
> But it looks to be a tiny bit more ahead.
> 
> At this point it is more trial and error, no doc to play with...
> 
> 
> Hit any key to stop autoboot:  0
> (Re)start USB...
> USB:   USB EHCI 1.00
> scanning bus for devices... 2 USB Device(s) found
>scanning bus for storage devices... 1 Storage Device(s) found
> reading bsd
> 
> 4032753 bytes read
> Allocating memory for ELF segment: addr: 0x8100 (adjusted
> to: 0x100), size 0x3fb2e0
> ## Loading big-endian Linux kernel with entry point: 0x8100 ...
> Bootloader: Done loading app on coremask: 0x1
> Starting cores 0x1
> Total DRAM Size 0x8000
> Bank 0 = 0x013FC000   ->  0x0FFF
> Bank 1 = 0x00041000   ->  0x00041FFF
> Bank 2 = 0x2000   ->  0x7FFFC001
> mem_layout[0] page 0x04FF -> 0x3FFF
> mem_layout[1] page 0x8000 -> 0x0001
> mem_layout[2] page 0x00104000 -> 0x00107FFF
> boot_desc->argv[1] = rootdev=/dev/sd0
> Initial setup done, switching console.
> boot_desc->desc_ver:7
> boot_desc->desc_size:400
> boot_desc->stack_top:0
> boot_desc->heap_start:0
> boot_desc->heap_end:0
> boot_desc->argc:2
> boot_desc->flags:0x5
> boot_desc->core_mask:0x1
> boot_desc->dram_size:2048
> boot_desc->phy_mem_desc_addr:0
> boot_desc->debugger_flag_addr:0xc84
> boot_desc->eclock:10
> boot_desc->boot_info_addr:0x1001f0
> boot_info->ver_major:1
> boot_info->ver_minor:3
> boot_info->stack_top:0
> boot_info->heap_start:0
> boot_info->heap_end:0
> boot_info->boot_desc_addr:0
> boot_info->exception_base_addr:0x1000
> boot_info->stack_size:0
> boot_info->flags:0x5
> boot_info->core_mask:0x1
> boot_info->dram_size:2048
> boot_info->phys_mem_desc_addr:0x48108
> boot_info->debugger_flags_addr:0
> boot_info->eclock:10
> boot_info->dclock:53300
> boot_info->board_type:20003
> boot_info->board_rev_major:0
> boot_info->board_rev_minor:15
> boot_info->mac_addr_count:8
> boot_info->cf_common_addr:0
> boot_info->cf_attr_addr:0
> boot_info->led_display_addr:0
> boot_info->dfaclock:0
> boo

Re: bsd.rd on Octeon ubnt_e200 doesn't fully boot

2015-12-05 Thread Daniel Ouellet
I got a little bit more now. Not much, but still some progress I guess,
or not.

I am the wrong person to judge if so or not...

But it looks to be a tiny bit more ahead.

At this point it is more trial and error, no doc to play with...


Hit any key to stop autoboot:  0
(Re)start USB...
USB:   USB EHCI 1.00
scanning bus for devices... 2 USB Device(s) found
   scanning bus for storage devices... 1 Storage Device(s) found
reading bsd

4032753 bytes read
Allocating memory for ELF segment: addr: 0x8100 (adjusted
to: 0x100), size 0x3fb2e0
## Loading big-endian Linux kernel with entry point: 0x8100 ...
Bootloader: Done loading app on coremask: 0x1
Starting cores 0x1
Total DRAM Size 0x8000
Bank 0 = 0x013FC000   ->  0x0FFF
Bank 1 = 0x00041000   ->  0x00041FFF
Bank 2 = 0x2000   ->  0x7FFFC001
mem_layout[0] page 0x04FF -> 0x3FFF
mem_layout[1] page 0x8000 -> 0x0001
mem_layout[2] page 0x00104000 -> 0x00107FFF
boot_desc->argv[1] = rootdev=/dev/sd0
Initial setup done, switching console.
boot_desc->desc_ver:7
boot_desc->desc_size:400
boot_desc->stack_top:0
boot_desc->heap_start:0
boot_desc->heap_end:0
boot_desc->argc:2
boot_desc->flags:0x5
boot_desc->core_mask:0x1
boot_desc->dram_size:2048
boot_desc->phy_mem_desc_addr:0
boot_desc->debugger_flag_addr:0xc84
boot_desc->eclock:10
boot_desc->boot_info_addr:0x1001f0
boot_info->ver_major:1
boot_info->ver_minor:3
boot_info->stack_top:0
boot_info->heap_start:0
boot_info->heap_end:0
boot_info->boot_desc_addr:0
boot_info->exception_base_addr:0x1000
boot_info->stack_size:0
boot_info->flags:0x5
boot_info->core_mask:0x1
boot_info->dram_size:2048
boot_info->phys_mem_desc_addr:0x48108
boot_info->debugger_flags_addr:0
boot_info->eclock:10
boot_info->dclock:53300
boot_info->board_type:20003
boot_info->board_rev_major:0
boot_info->board_rev_minor:15
boot_info->mac_addr_count:8
boot_info->cf_common_addr:0
boot_info->cf_attr_addr:0
boot_info->led_display_addr:0
boot_info->dfaclock:0
boot_info->config_flags:0x8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2015 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 5.8-current (GENERIC) #1: Thu Nov 26 15:01:01 CET 2015
jas...@erl-2.jasper.la:/usr/src/sys/arch/octeon/compile/GENERIC
real mem = 2126512128 (2028MB)
avail mem = 2109603840 (2011MB)
warning: no entropy supplied by boot loader
mainbus0 at root
cpu0 at mainbus0: Cavium OCTEON II CPU rev 0.1 1000 MHz, Software FP
emulation
cpu0: cache L1-I 512KB D 8KB 64 way, L2 1024KB 8 way
clock0 at mainbus0: int 5
iobus0 at mainbus0
dwctwo0 at iobus0 base 0x118006800 irq 56octrng0 at iobus0 base
0x14000 irq 0
cn30xxgmx0 at iobus0 base 0x118000800 irq 48
unsupported octeon model: 0xd9301
uar: ns16550, no working fifo
com0: console
com1 at uartbus0 base 0x118000c00 irq 35: ns16550, no working fifo
/dev/ksyms: Symbol table not valid.
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root device:


On 12/5/15 2:56 PM, Janne Johansson wrote:
> My ERL would not run SMP if coremask was 0x1 (ie, use only one cpu) so I
> setenv:ed the bootmask to add coremask=0x3 so that the bsd.mp would find
> both cores, otherwise it bombed while probing for the second.
> 
> 
> 2015-12-05 14:21 GMT+01:00 Daniel Ouellet <dan...@presscom.net>:
> 
>> Not the end of the world, I was trying to see if I could boot OpenBSD on
>> this version of the EdgeRouter Pro from Ubiquiti. I try the latest
>> Octeon available just in case.
>>
>> I am still trying, but start to run out of idea and i do need to get
>> some sleep now.
>>
>> Anyone have a possible Idea as what I may try to load this may be.
>>
>> Look like the processor may not be configure here, or may be I don't
>> read it right:
>>
>> Anyway, this all from the start at the boot and then when it crash, it
>> retry to boot and then keep cycling in.
>>
>> I just wanted to give this a trill as the box is nice and have 8 Gb
>> ports, of witch 2 can also be SFP in a very small 1U may be 7 inch deep.
>>
>> Anyway, here it is.
>>
>> ==
>>
>>
>> Octeon ubnt_e200# resetJumping to start of image at address 0xbfca
>>
>>
>> U-Boot 2012.04.01 (UBNT Build ID: 4670715-g7c4b1d0) (Build time: May 27
>> 2014 - 11:19:05)
>>
>> Skipping PCIe port 0 BIST, in EP mode, can't tell if clocked.
>> Skipping PCIe port 1 BIST, reset not done. (port not configured)
>> BIST che

Re: Octeon snapshots

2015-12-05 Thread Daniel Ouellet
On 11/13/15 12:02 PM, Daniel Ouellet wrote:
> I saw a commit today on this platform. The last snapshot is almost a
> month old.
> 
> 10/18/15  2:19:00 AM.
> 
> Just wonder if the snapshot might get some love.
> 
> If not, totally fine, just wonder.
> 
> I may just go buy myself a bigger USB drive to try to compile it on my
> Ubiquiti box and see how many days that might take. (;>

To the kind sole.

Not sure who did the new current updated release, but many thanks to
whoever did it!

I very much appreciate it.

Daniel



Re: bsd.rd on Octeon ubnt_e200 doesn't fully boot

2015-12-05 Thread Daniel Ouellet
On 12/5/15 8:55 AM, Ted Unangst wrote:
> Daniel Ouellet wrote:
>> Not the end of the world, I was trying to see if I could boot OpenBSD on
>> this version of the EdgeRouter Pro from Ubiquiti. I try the latest
>> Octeon available just in case.
> 
>> panic: pool_do_get: filepl free list modified: page 0x98041e984000;
>> item addr 0x98041e984000; offset 0x0=0x0 != 0xc45e62ccb6b162fe
>> syncing disks... done
>> System restart.
> 
> Not an expert here, but this kinda looks like we are trying to use something
> that's not RAM as memory. Some memory mapped device instead of RAM...

That's what Jonathan Mathew wrote to me as well.

I am far from an expert, but I am still digging into this here.

Maybe during Christmas when my son comes in, we may have fun trying to
see if we can get this up; not sure, or if he will have time. We always
have so much crap to do all the time, it's not even funny!

But poking around code and computers, etc. is always a lot of fun for
us and it keeps us close too! (:>

Not a bad thing when most of the kids these days send their parents to
hell. (:>



Fwd: CVS: cvs.openbsd.org: src

2015-11-30 Thread Daniel Ouellet
Even removed the table password?

NO way anymore to have a different password for emails than the system
password without smtp-extra installed?

I can understand maybe sqlite and ldap, but as a base system, having a
different password from the system was and is very useful and I do it on
all systems.

Or am I missing something or misunderstanding the commit?



 Forwarded Message 
Subject: CVS: cvs.openbsd.org: src
Date: Mon, 30 Nov 2015 12:54:26 -0700 (MST)
From: Joerg Jung 
To: source-chan...@openbsd.org

CVSROOT:/cvs
Module name:src
Changes by: j...@cvs.openbsd.org2015/11/30 12:54:26

Modified files:
usr.sbin/smtpd : Makefile
Removed files:
usr.sbin/smtpd : aldap.c aldap.h ber.c ber.h table_ldap.c
 table_passwd.5 table_passwd.c table_sqlite.c
usr.sbin/smtpd/table-ldap: Makefile
usr.sbin/smtpd/table-passwd: Makefile
usr.sbin/smtpd/table-sqlite: Makefile

Log message:
remove table-passwd, table-sqlite, and table-ldap
about 4k lines seldom used code

people who rely on this install mail/opensmtpd-extras

direction discussed (and agreed) with many

ok gilles



Re: A branded USB stick as an alternative to the CD set?

2015-11-30 Thread Daniel Ouellet
On 11/30/15 8:43 PM, Theo de Raadt wrote:
>> On Nov 30, 2015, at 2:34 PM, Theo de Raadt  wrote:
>>>
>>> These days the CD revenue is about what a cashier at a store makes.
> 
> Uncertain of the veracity of this site,
> 
> http://www.payscale.com/research/CA/Job=Cashier/Hourly_Rate/725daaa6/Entry-Level-Calgary-AB
> 
> I was wrong.  the CD revenue is far less.  The cashier makes more.

Sorry to read that!

Got every CD from when I started, only missing 2.1, 2.2 and 2.4 on my
shelf. And a few copies of the same are there too and given to friends.

The good news, if any, is that gifts are tax free in Canada, so that part
is helpful and users should feel they get more out of their money freely
given as a gift.

http://www.taxtips.ca/personaltax/giftsandinheritances.htm

Now to be clear Theo, are donations via the PayPal on the donations page
directly to you, so you can do as you see fit, and/or would only checks
be best?

I know that was discussed a few times on this list, just trying to be clear
how it is now, and I can set up PayPal and do recurring gifts to
compensate some for the sad CD sales reduction, and if so, I sure would
encourage users to do the same so that you can continue to do what you
love and what we all benefit from obviously!

I know firsthand that most of the time a work of love is not always well
paid!

The last thing I want to see is you lose your Love and Passion for my
favorite OS that even passed to my sons, and one sees why and is starting to be a
big advocate of it as well.

Nice to see family traditions be passed around like this, so I want to
make sure this continues so that maybe my grandson will use it too! (:>

I know I will tell him/her that in the old days, that's what grandpa used! (:>

Daniel


