Re: hardware

[Kaya Saman]

On 4/20/23 17:12, Katherine Mcmillan wrote:

According to ChatGPT, unfortunately, it doesn't work on plants.

Me to ChatGPT: Can I run OpenBSD on my ficus?

ChatGPT: No, it is not possible to run OpenBSD on a ficus plant. OpenBSD is an 
operating system designed to run on computer hardware, not on plants. Plants do 
not have the necessary hardware components or architecture to support an 
operating system. Additionally, attempting to install an operating system on a 
plant would be considered nonsensical and impossible. It is important to 
respect the natural world and not attempt to impose technology on living 
organisms that are not designed to use it.

Bummer, I guess that wasn't the secret behind Audrey 2.  Back to the drawing 
board.



Plants have their own OS... it's bio chemical! Just like us though add 
bio electrical to the mix.



To run OpenBSD on a plant you would need one hell of a recompiler to 
convert digital impulses into chemical ones.



I agree in this case with ChatGPT... why bother? Plants are fine as they 
are - not touched by human hands (at least in the wild)

Re: dns priority from different network connections - or disabling?

[Kaya Saman]

On 4/12/23 20:20, Theo de Raadt wrote:

Stuart Henderson  wrote:


On 2023-04-11, Theo de Raadt  wrote:

Kaya Saman  wrote:


This somehow is overriding my resolv.conf file; another words the
information is *not* being used from resolv.conf and is instead being
used from the ipcp negotiation as part of the pppoe kernel module.

then the pppoe code should submit a RTM_PROPOSAL route message ...

it does.

i still don't see how this information can *override* resolv.conf

But I do not understand what "override" means.  resolvd intentionally
has NO MECHANISM to allow choice, the list of addresses is chosen by a
fixed internal heuristic, INTENTIONALLY without configuration knobs.
There is one knob:  If one doesn't want resolvd semantics, stop the
daemon.  So easy.  But by default, the system runs with it, because
that means 99% of users get the semantics which satisfy 99% of
users without having to handle a configuration file.

What I don't understand from the complaint is why that ppooe dynamic
address doesn't rise to the top of the file, because dynamic requests
of that kind always rise to the top.  Therefore they get used.

So if it isn't in the file, then something else has been broken, probably
by the user, right?

But it is probably best to ignore this entire discussion because some
piece of configuration has been done to BREAK the default behaviour,
and then the user owns all the pieces.




Hi Theo, I apologize if it sounded like a complaint?? It was not meant 
to be. honestly.



Like I mentioned previously, it may have had something to do with me 
running: sh /etc/netstart pppoe0 a few times after the system had been 
booted. I was at the time trying to make use of 2 isp's and route 
accordingly per subnet or even ip address. It might have even been 
triggered by my altering of the pf.conf file... they are the only two 
things that I have been touching.



What I meant by *override* is that the default behavior that I had set 
the machine up for was not being seen. The information which I have 
input into /etc/resolv.conf has not changed for years.



I accept maybe i fiddled with things and caused unwanted behavior... it 
can happen.



All I was trying to figure out is why the resolv.conf file was not being 
used and instead the information obtained through ipcp was being used 
for dns lookups. If I had caused it that's fine but I didn't understand 
what I did to have caused it and was just seeking help and advice that 
maybe someone might suggest things to try.



But as it is, the system is back to how I want it to be so for sure 
please feel free to ignore the thread. There is no more problem ;-)



Thanks for chiming in by the way, it is appreciated.


Potentially, would it be a good idea to have setting to disable the dns 
or other information obtained by ipcp within the kernel ppp codeset? I 
just might be in the minority here so please feel free to ignore it's 
fine, I'm just thinking out loud




Regards,


Kaya

Re: dns priority from different network connections - or disabling?

[Kaya Saman]

Thanks Stu, and everyone else who responded :-)


On 4/11/23 09:01, Stuart Henderson wrote:

On 2023-04-10, Kaya Saman  wrote:

On 4/10/23 16:24, Daniele B. wrote:

Apr 10, 2023 12:52:22 Kaya Saman :


how do I override OpenBSD's
behavior to explicitly not use the dns servers obtained through ipcp but
instead use the ones form the resolv.conf file?

My solution both for security reasons (I'm using unbound)
for for practical reasons (as per your concerns) is to set immutable
resolv.conf by chflags.

Not the Solution but a very good workaround. Please investigate also
when you can take off the immutable flag too.

I take this time to wish you all an Happy Easter and obviously
lots of compliments for the 54th release of the ball fish system!


Do you mean setting resolv.conf as ReadOnly?

immutable is different, see chflags(1) schg. Used to be popular with
FreeBSD users to make it harder to change the kernel. Can only be
reset if sysctl kern.securelevel is at a low level (usually by booting
single user). I wouldn't recommend it here.



Oh ok... I'll check it out - I understood file permissions?





My resolv.conf file is fine and has the correct dns servers inside.

The issue is that pppoe negotiates the dns servers through ipcp. The dns
servers therefor do *not* get loaded into the resolv.conf file but
instead show up under: ifconfig pppoe0

This somehow is overriding my resolv.conf file; another words the
information is *not* being used from resolv.conf and is instead being
used from the ipcp negotiation as part of the pppoe kernel module.

The question is how to disable this behavior?

If resolvd is running (on by default) and unwind is running (off by
default), resolv.conf will point to 127.0.0.1 for unwind (with some
commented-out entries for other learned nameservers), and unwind
will normally learn forwarders from various sources including a pppoe
connection.

If resolvd is running and unwind is not running, resolvd will rewrite
resolvd.conf while it's running to include nameservers learnt from
pppoe etc.

The only place most of the rest of the system looks for resolvers
is in resolv.conf so what you describe ("rssolv.conf is fine") seems
unlikely. Double check what's actually in resolv.conf while pppoe is
connected?

To override learned nameservers, it depends whether you want to run
unwind on the system (used for resolution on localhost only) - if so,
use unwind.conf to set specific forwarders. If not, disable resolvd.

Check resolvd and unwind manpages for more info about what each does.




Perhaps I wasn't clear and confused everyone?


In the meantime I read both manpages of resolv.conf and unwind.


As far as I can understand unwind points to a remote resolver unless 
something goes wrong where it then looks for one defined locally.



In my resolv.conf I have 3x local dns servers (same subnet I know I 
know) defined:


x.x.x.1

x.x.x.2

x.x.x.3


*but* my system was using:

A.A.A.1

A.A.A.2


from my ISP which it acquired through ipcp from pppoe.


Possibly this behavior started while I messed with things and performed 
a: sh /etc/netstart pppoe0



Nothing got written to resolv.conf but the system was using the isp 
acquired servers.




I ran a quick test of unwind and popped: x.x.x.1 into it. Nothing seemed 
to have changed as the resolution was still being carried out on the isp 
dns machines.



Re-checking resolv.conf it seemed that the isp entries had actually been 
written there in the end? Does unwind do this?



I just simply deleted them and now the system works as before using my 
locally defined systems.



Strange issue and behavior but solved for now. Just reconfirmed using 
nslookup right now on the obsd box and all is fine :-D



Many thanks.


Kaya

Re: dns priority from different network connections - or disabling?

[Kaya Saman]

On 4/10/23 16:24, Daniele B. wrote:

Apr 10, 2023 12:52:22 Kaya Saman :


how do I override OpenBSD's
behavior to explicitly not use the dns servers obtained through ipcp but
instead use the ones form the resolv.conf file?

My solution both for security reasons (I'm using unbound)
for for practical reasons (as per your concerns) is to set immutable
resolv.conf by chflags.

Not the Solution but a very good workaround. Please investigate also
when you can take off the immutable flag too.

I take this time to wish you all an Happy Easter and obviously
lots of compliments for the 54th release of the ball fish system!



Do you mean setting resolv.conf as ReadOnly?


My resolv.conf file is fine and has the correct dns servers inside.


The issue is that pppoe negotiates the dns servers through ipcp. The dns 
servers therefor do *not* get loaded into the resolv.conf file but 
instead show up under: ifconfig pppoe0



This somehow is overriding my resolv.conf file; another words the 
information is *not* being used from resolv.conf and is instead being 
used from the ipcp negotiation as part of the pppoe kernel module.



The question is how to disable this behavior?

Re: dns priority from different network connections - or disabling?

[Kaya Saman]

On 4/10/23 11:40, Jonathan Gray wrote:

On Mon, Apr 10, 2023 at 11:26:22AM +0100, Kaya Saman wrote:

Hi,


I'll ask the second question first as it might be easier to implement...


Currently I have found that the dns servers specified in the resolv.conf
file are not being used. Instead my machine is prioritizing the ISP obtained
servers from the ipcp protocol through the kernel ppp service. Within the
hostname.pppoe(x) file is there a way to disable the dns portion of the
negotiation?


If not, then this leads to my second question of how do I override OpenBSD's
behavior to explicitly not use the dns servers obtained through ipcp but
instead use the ones form the resolv.conf file?


in /etc/rc.conf.local
resolvd_flags=NO


Ok strange! This is already set and before emailing I checked that the 
resolvd, unbound, unwind, and even nsd services were not running using 'ps'.



Just attempted to stop resolvd using: /etc/rc.d/resolvd stop (incase it 
was running and I missed something) , it said "OK".


nslookup still shows the dns servers from ipcp and not the locally 
defined ones in resolv.conf






I'm not sure when the behavior changed but it is a recent thing either done
by an update or by adding my secondary ISP. Right now my system can't send
emails because it's using the wrong dns.

changed in sys/net/if_spppsubr.c rev 1.188
first release with that was OpenBSD 7.1



No no this odd behavior started recently?? I'm on: 7.3 
GENERIC.MP#1125 amd64



Maybe I ran: sh /etc/netstart pppoe0 which decided to override the 
resolv.conf file, I really am not sure but still...

dns priority from different network connections - or disabling?

[Kaya Saman]

Hi,


I'll ask the second question first as it might be easier to implement...


Currently I have found that the dns servers specified in the resolv.conf 
file are not being used. Instead my machine is prioritizing the ISP 
obtained servers from the ipcp protocol through the kernel ppp service. 
Within the hostname.pppoe(x) file is there a way to disable the dns 
portion of the negotiation?



If not, then this leads to my second question of how do I override 
OpenBSD's behavior to explicitly not use the dns servers obtained 
through ipcp but instead use the ones form the resolv.conf file?



I'm not sure when the behavior changed but it is a recent thing either 
done by an update or by adding my secondary ISP. Right now my system 
can't send emails because it's using the wrong dns.




Thanks for any ideas.


Kaya

Re: rdomains finally working!!

[Kaya Saman]

On 4/3/23 11:25, Claudio Jeker wrote:

On Mon, Apr 03, 2023 at 10:53:26AM +0100, Kaya Saman wrote:

Hey guys,


...


Taking an excerpt from the website I was following:

https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/

Citing:

Creating a loopback interface in rdomain 2 so that Host 1 can talk to Host 2
would look like:

ifconfig lo2 rdomain 2 127.0.0.1
route -T 2 add 192.168.1/24 127.0.0.1
Since lo2 is created inside rdomain 2, the IP address assigned to it doesn't
conflict with lo0 in rdomain 0.


Sure I can see traffic inside one of the loopbacks and tcpdump does claim
"pass out" but then nothing else happens. The other loopback interfaces have
no traffic in them and the destination network has no traffic either.

This is very much expected since you probably did not carefully read the
cited website.

You need a special pf.conf setup to make that work. As one caveat
mentioned in the article is that the default pf.conf rulesets skips lo(4)
interfaces and so the traffic will just be dropped (since there is no
state lookup and so no way to bounce the reverse traffic back into the
other rdomain).

In general I would suggest use pair(4) to route traffic between rdomains.
Doing it in pf(4) gives you more control but it requires careful handling
of the rulesets (as you noticed).



Hi Claudio,


thanks for the response and advice on pair (4), I will definitely read it.


Maybe you are correct in that I didn't carefully read or perhaps I 
confused things badly I have a mixture of ASD and most likely ADHD 
and when the panic kicks in things become difficult including 
communication and understanding.



I wish I had a spare system to test things properly and understand 
better, unfortunately I am having to adapt a live production system and 
with a large number of lines in the PF rule set is not easy.



The caveat you mention about skipping lo (4) I disabled (I think?) as 
per changing the 'set skip' to this:


#set skip on { lo, enc0 }
set skip on { enc0 }


so the loopback should be active in PF, further down in my config I have 
a clause like this too:



#Allow Internal Communications


pass in on lo0
pass out on lo0

pass in on lo2
pass out on lo2

pass in on lo3
pass out on lo3


Maybe due to my existing PF things might not work properly in anycase, I 
just wish I knew more about what I was doing to really have a handle on 
the situation.



I'm still eager to contribute with a write up if you are interested but 
due to my "circumstances" I maybe the only one with these issues :-( 
so maybe writing things up in my case maybe useless and will probably 
not be understood by anyone in general.



With PF the biggest handling issue is when mixing and matching using the 
'quick' keyword as things get handled differently. Both the websites I 
cited do *not* contain the 'quick' keyword at all. My local pf ruleset 
contains many "pass in quick" or "block in quick" statements.



I would definitely be extremely happy to hear any more suggestions if 
there are any but for now I will look at studying "pair (4)".



Thank you so much for chiming in! I really appreciate it :-D


Best regards,


Kaya

rdomains finally working!!

[Kaya Saman]

Hey guys,


I can't spend too much time right now in writing up what I have done 
right now as I'm just about to head out of town to a local nature 
reserve in order to clear my head, but basically things are working!!



At this stage with such limited documentation on the topic I wonder if I 
should do some kind of a writeup of it to share my own experiences? 
Hopefully later in the week and I'll pop it up on my GDrive maybe it 
can be turned into part of the doc or faq or an example page on the OBSD 
website?



What I can gloss over right now is that the setup is very sensitive with 
minute changes having drastic effects. To be honest I don't even know 
how or when things started working but I checked my laptop test machine 
and icmp packet responses were being received properly.



Running tcpdump on pflog does lie sometimes. It will often suggest 
"block" when in fact the problem is routing. Another issue that I came 
across is that the loopback addresses don't inter-route. I don't know 
how to make that one work at all?



Taking an excerpt from the website I was following:

https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/

Citing:

Creating a loopback interface in rdomain 2 so that Host 1 can talk to 
Host 2 would look like:


ifconfig lo2 rdomain 2 127.0.0.1
route -T 2 add 192.168.1/24 127.0.0.1
Since lo2 is created inside rdomain 2, the IP address assigned to it 
doesn't conflict with lo0 in rdomain 0.



Sure I can see traffic inside one of the loopbacks and tcpdump does 
claim "pass out" but then nothing else happens. The other loopback 
interfaces have no traffic in them and the destination network has no 
traffic either.



Over the weekend having gotten completely fedup I decided to try to use 
one of the rdomains as a transit system and connected my Cisco 2801 
BGP/IPSec/GRE test bed to the vlan in question and attempted to use it 
as a simple WAN Edge gateway. At first I managed to ping the interface 
of the Cisco, as I set OSPF up so that I didn't need to bother with 
static routes. As soon as I moved the rdomain of the vlan from 0 over to 
3, everything stopped working and I couldn't find a way to use OSPF 
within two separate routing tables. The man page does have a setting for 
this in the config but there is no mention if you can use 2x instances 
between rdomains.


After that I fought with static routes and of course the strange 
behavior kicked in where sending icmp packets between the Cisco and 
OpenBSD machines just wasn't working. I really didn't understand this at 
all as they are Next-Hop connected devices. No specific PF rule and a 
default route was set to be the interface of the Cisco routers internal 
IP address.



I ended up moving the setup back to what I had originally with 3x 
rdomains and again I could not communicate between rdomain 2 and rdomain 
3, though I did have communication to rdomain 0 from rdomain 2. Having 
done some more thinking about it and looking at the Cisco setup I 
decided to try creating an extra vlan in rdomain 3 with the intention of 
using it as a transit vlan. I already had success in pinging the 
internal IP address of the OpenBSD machine from domain 2 to domain 3, so 
I figured what the heck I'll give it a try.


It did work but I still couldn't ping the public address.


I then moved the test machine from rdomain 2 to rdomain 3 to see if that 
would help with internal communication between the machine and the 
public IP address. Oddly enough it did work and local traffic sent to 
rdomain 0 was still working too.. though I was still unable to get 
any response from public address.



This is a bit of a black hole for me because I left the system for a 
while and came back to find that it actually started to work?? It isn't 
logical of course but I can't recall if I made changes in the meantime 
and simply wasn't aware of anything happening.



After testing a bit and confirming that in fact things were working and 
I was *not* sending traffic over my existing PlusNET WAN link, I 
proceeded to migrate my OpenVPN tunnel across. This proved to be tricky 
as I kept running into dreaded "tcpdump -enipflog" "block in on tun0" 
issues in fact that turned out to be a routing problem instead of a 
PF issue.


Currently this is working too but with some strange adjustments to PF. 
The current 'pass' per port rulesets don't seem to work even with the 
'rtable (x)' clause added. What does seem to work however is a generic 
'pass to  rtable (x)' ruleset



I'll probably need to study my rules further in order to try to 
understand the behavior here



Anyway, am gona shoot over to the Warburg Nature Reserve now and 
continue with my photography to hopefully share more images with the 
BBOWT later. Oh and of course to try to get rid of my headache too ;-)



Thanks to everyone for trying to help on a subject that contains very 
limited documentation and examples. Like I said hopefully if I can do 

Fwd: Understanding PF behavior

[Kaya Saman]

Well... somehow I managed to get inter rdomain forwarding.


I have no idea how...?


I think things started to work when I changed this statement in PF: 
block log on rdomain 0 from "block log"



Right now I can only communicate between rdomain 2 and rdomain 0.


I moved my ISP-B interface onto rdomain 3 and now can't ping the public 
IP address either from domain 2 or domain 0



I did take a snapshot of the routing tables for each domain and of 
course pf.conf is unaltered but I should back it up and transfer it locally.



Like I wrote previously about using 'tcpdump enipflog'... the rule 
numbers don't make any sense at all to me. I don't understand why I keep 
seeing "rule 1" for just about all traffic. - It's definitely strange?? 
Perhaps my pf.conf file is totally messed up as far as rules go? I am 
not sure. It would be really nice to see the matched evaluation numbers 
from: pfctl -vv -sr


so something like 'rule 1183' or so


Currently I am seriously thinking about just spending $$$ and buying a 
Cisco router with 3x interfaces to use as a multi WAN gateway, though 
it's probably more out of frustration then anything else. I'm sure it is 
possible to get working in OpenBSD as Stu has said already but not 
making any headway or little headway after so long is well gr lol



I guess right now my goal is just to be able to ping the ISP-B interface 
from rdomain 2. If I can managed that I should have a better path 
forward. Really what I do need is a test box... something with 2x or 3x 
physical interfaces that won't cause my whole system to stop working by 
starting with a clean pf.conf file. That said I the SuperMicro uATX box 
I have doesn't work either :-( as it's started clicking so no idea where 
the fault is? M/B or PSU?? More headache :-(



Too much crap on my shoulders right now also with 5x HDD failures and a 
15 year old Cisco WLC system which is flaky to connect to meaning that 
more often then not 802.11 devices are not connected. I really wish I 
could just upgrade to a nice Gen6 system sigh.



What a frustrating way to spend a Saturday evening but I guess it won't 
get any better so bla :-(



Anyway will keep trying to solve this darn riddle

Understanding PF behavior

[Kaya Saman]

Hi guys,


So far I have spent a week on this and I feel like I'm not progressing, 
now I just feel like I'm banging against a brick wall.



To start with, I managed to send icmp echos over my WAN link through 
ISP-B within the same routing domain rdomain 2.



I then started looking at inter-Rdomain communication. The only 
reference material I have got outside of the man pages are a few 
outdated websites and other material which at least have gotten me in 
the right direction.



From here on I have two issues.


The first issue is that my WAN communication for rdomain 2 broke. I 
haven't adjusted any rules at all so the original working ruleset is 
still in place.



Currently what I can see is tcpdump telling me that I have icmp 
echo-reply packets on my test vlan for rdomain 2. I have checked pflog0 
and the external IF for ISP-B using tcpdump and all seem normal too with 
lots of "pass" statements and of course NAT is being hit.



Unfortunately the machine sending the icmp requests is claiming that 
there is 100% packet loss.



I don't see any relevant "Block" information in tcpdump when initiating 
"tcpdump -enipflog0 host x.x.x.2" - where x.x.x.2 is my test machine 
address.



What could be  going on here? I have considered the fact that it maybe a 
rule blocking on the outbound side of the interface (local test vlan), 
but I tried adding a generic: pass out quick on $test_vlan rule which 
didn't seem to do anything at all :-(




The second issue I have is to do with the routing domains. At the moment 
I have a ruleset which allows me to get from my test vlan to one of the 
internal vlans on rdomain0. I can verify with tcpdump that the pinged 
machine can see the icmp packets and respond to them. What I am seeing 
however in pflog0 is the lo0 is blocking traffic outbound.



As this is the reference guide I'm following: 
https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/



I'm using y.y.y.y/24 subnet for the icmp destination in rd0


I created routes to the loopback addresses:


route -T 0 add y.y.y/24 127.0.0.1

route -T 2 add y.y.y/24 127.0.0.1


I found that if I didn't add this rule, information to the source of the 
icmp echos would be routed to my egress interface on ISP-A (existing ISP):


route -T 0 add x.x.x/24 127.0.0.1


Now, the unfortunate part is that I am seeing:

rule 2/(match) block out on lo0: y.y.y.N > x.x.x.2 icmp: echo reply


The thing I don't understand is that adding: pass out log quick on lo0

unfortunately doesn't seem to do anything??


Just to confirm that "set skip on lo" is disabled additionally.


If anyone could help in suggesting ideas of what to look at because I 
have tried many things up till now and none have worked so I'm probably 
approaching the problem in the wrong way.




Another quick question regarding the output of tcpdump. When it says 
"rule 2" which rule is it referring to and how to tell this information? 
In the past I recall the rule numbers given by tcpdump where the actual 
rule line numbers as were written in pf.conf. Now I am completely 
confused of what this means...


If I use "pfctl -sr" to show the rules, the second rule inline is 
actually: "match in all scrub (no-df)" ???



Many thanks.


Kaya

Re: Static default route for a subnet

[Kaya Saman]

On 3/28/23 17:27, Stuart Henderson wrote:

On 2023-03-28, Kaya Saman  wrote:

Anyway, what I am trying to figure out is how to NAT the rdomain's?


At the moment from what I understand one has to put "rtable (n)" at the
end of the NAT rule...

That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
interface and $gnet_if) have been configured with "rdomain 2" then the
route lookups will automatically use rtable 2 and you don't need to
reset it in pf.


The rule in use is this one:

match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2

If $vpn_net1 is the network associated with the g-networks connection
then that, without the 'rtable 2', should probably do it, as long as
those packets have not already been natted to a different address
before they hit that rule.

For debug you might like "match log(matches)" at the top of the ruleset
and watch "tcpdump -neipflog0" to show which rules are actually matching
(you get multiple lines of output per new connection as the ruleset
is traversed; the rule numbers shown in the output can be looked up
with pfctl -sr -R ##).

It is definitely possible to do what you want with OpenBSD/PF, it's
"just" a question of figuring out how ;)





Sorry for the noise just updating everyone here... I have 
communication finally!! icmp echo requests are being responded to by the 
8.8.8.8 address. Really super happy about this :-D



It's basically a case of a few things that I screwed up duh :-S


PF rules are these:


match on $gnet_if scrub (max-mss 1440)
pass out quick on $gnet_if from $wan_gnet
pass in quick on vlan_if from subnet to !
match out on $gnet_if from subnet to ! nat-to {$wan_gnet}
pass out on $gnet_if from subnet to any nat-to {$wan_gnet} modulate state
pass out on $gnet_if


(do I need to scrub with a max-mss? isn't that for *DSL connections?)


In the meantime I moved the interface across from a vlan over to em2 
which was part of a 4 port trunk (lagg) interface provisioned with LACP.



Also I was using a broadcast address in the hostname file which was 
incorrect! I was shown a sample recently where the bcast was set to NONE 
but because I was given the bcast address my understanding was to use 
it, well turned out to be a misunderstanding ;-)



hostname.em2 looks like this now:

inet public_ip 255.255.255.240 NONE description "G-NET"

dest 0.0.0.1
!/sbin/route -T2 add public_subnet/28  public_subnet_gateway
!/sbin/route -T2 add default public_subnet_gateway


Now I just need to figure out how to communicate with the traffic on the 
default rdomain then I can start looking further ahead.



Been up all night working on this plus a radius issue, got a bad 
headache now... yup I stressed a lot and panicked so now am gona go get 
some rest.



Thanks to everyone for your help - you all get a big virtual hug :-) :-) 
hopefully there won't be anything more now that I'm gona need - cross 
fingers ;-)



Kaya

Re: Static default route for a subnet

[Kaya Saman]

On 3/28/23 17:27, Stuart Henderson wrote:

On 2023-03-28, Kaya Saman  wrote:

Anyway, what I am trying to figure out is how to NAT the rdomain's?


At the moment from what I understand one has to put "rtable (n)" at the
end of the NAT rule...

That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
interface and $gnet_if) have been configured with "rdomain 2" then the
route lookups will automatically use rtable 2 and you don't need to
reset it in pf.


The rule in use is this one:

match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2

If $vpn_net1 is the network associated with the g-networks connection
then that, without the 'rtable 2', should probably do it, as long as
those packets have not already been natted to a different address
before they hit that rule.

For debug you might like "match log(matches)" at the top of the ruleset
and watch "tcpdump -neipflog0" to show which rules are actually matching
(you get multiple lines of output per new connection as the ruleset
is traversed; the rule numbers shown in the output can be looked up
with pfctl -sr -R ##).

It is definitely possible to do what you want with OpenBSD/PF, it's
"just" a question of figuring out how ;)




I'm wondering for rdomains as I'm using a vlan as my egress interface, 
do I need to use an svlan for Q-in-Q?



Just going through the man 4 vlan doc: https://man.openbsd.org/vlan.4


I rejigged things a bit and created a test vlan with an old laptop as 
client that I'm trying to ping one of the Goolge addresses with. Both my 
WAN vlan and internal vlan are on rdomain 2 but for some reason I'm not 
able to activate NAT at all despite using a modified version of one of 
my already existing match ... nat-to rules



So far tcpdump is showing LAN traffic on the external vlan instead of my 
public IP which indicates that my NAT rules aren't working actually 
I also have pftop -vr running too which isn't showing any packets 
hitting the match rule for the G-NET default route.



Unfortunately till now I have not been able to get any traffic working 
properly on rdomain 2 :-( and really stuck on what and how to do about 
it

Re: Static default route for a subnet

[Kaya Saman]

On 3/28/23 17:27, Stuart Henderson wrote:

On 2023-03-28, Kaya Saman  wrote:

Anyway, what I am trying to figure out is how to NAT the rdomain's?


At the moment from what I understand one has to put "rtable (n)" at the
end of the NAT rule...

That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
interface and $gnet_if) have been configured with "rdomain 2" then the
route lookups will automatically use rtable 2 and you don't need to
reset it in pf.


I think I can confirm this. Certainly I don't see any difference between 
putting the 'rtable' clause at the end of the 'match' statement






The rule in use is this one:

match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2

If $vpn_net1 is the network associated with the g-networks connection
then that, without the 'rtable 2', should probably do it, as long as
those packets have not already been natted to a different address
before they hit that rule.

For debug you might like "match log(matches)" at the top of the ruleset
and watch "tcpdump -neipflog0" to show which rules are actually matching
(you get multiple lines of output per new connection as the ruleset
is traversed; the rule numbers shown in the output can be looked up
with pfctl -sr -R ##).

It is definitely possible to do what you want with OpenBSD/PF, it's
"just" a question of figuring out how ;)




Stu you were there many years ago when I turned this same box into a 
point-of-presence server and used it in conjunction with a DSLAM and 
RADIUS backend. I'm sure you've forgotten as you help many people and 
have many better things to do *but* your last sentence should be 
turned into doctrine :-)


Of course though I plowed through things and managed to get the setup 
done, I wasn't aware of my ASD at the time. So that means that we didn't 
know or understand that when tuning into FM signals my brain also picks 
up iHeart radio hahaha uh



Somehow I'm going in reverse order here lol I added the 
'match(log)' entry and it is really helping a lot!!



So far I can definitely hit the NAT. The weird thing is unlike my pppoe0 
interface I need to define ACL's (aka PF rules) to be able to access the 
NAT in the first place. Right now I'll probably have to re-order the 
rules to make the 'match' NAT rule come towards the bottom. Large PF 
subsets can become very complicated very quickly and when you've defined 
many lines in your fw then things can get a little messy right now 
I'm at around ~1000 give or take :-S



Just in case this will help another reader, the current temporary 
ruleset I have defined looks like this:



pass out on $gnet_if from $wan_gnet
pass in quick on $vpn_if1
match out on $gnet_if from $vpn_net1 nat-to ($gnet_if)


I'm still trying to figure out what is what as tcpdump is giving me a 
few 'block' alarms still, judging from things I think my NAT is 
translating forwards but not the other way around yet. So essentially 
Internal-IP -> Public-IP -> INTERNET works but what isn't working is the 
reverse. Packet responses from INTERNET -> Public-IP -> Internal-IP are 
either getting blocked or not translated at all



ps. Quick Note: both interfaces need to be on rdomain 2. I tried what 
you suggested to keep my internal IF in rdomain 0 but then it hits the 
other NAT rules and gets blocked as the 'match' statement has been 
disabled. I could try reordering but for now I just want to get the 
basics setup before moving further ahead.



This is what I'm currently seeing from tcpdump:

18:28:58.627858 rule 2/(match) block out on vlan_EXT: 8.8.8.8 > x.x.x.x: 
icmp: echo reply


Of course on the external if itself I'm getting:

A.A.A.2 > 8.8.8.8: icmp: x.x.x.x protocol 1 port 34560 unreachable


(again A.A.A.A is public while x.x.x.x is private)


I don't think I want to see my private IP on the external interface 
cross comparing with tcpdump -eni pppoe0 , there are no private 
addresses to be seen here

Re: Static default route for a subnet

[Kaya Saman]

Thanks Stuart!

On 3/28/23 16:19, Stuart Henderson wrote:

On 2023-03-28, Kaya Saman  wrote:

On my WAN vlan for what I am going to call ISP-B, as ISP-A is existing
for a long time. What I'm trying to do right now is set this as a
default gateway for a particular subnet.

There's no such thing as "default gateway for a subnet".

One way to do what you want is with PF "route-to" rules applying only
to packets with a source address in the subnet of interest (and likewise
for "reply-to" to handle incoming connections, maybe in conjunction with
rdr-to). This is a little messier config, but if the old setup will be
going away after not too long, it might be easier to handle.

Another way is to use multiple route tables (put the relevant interfaces
in a different rdomain, e.g. "rdomain 2" in the hostname.if files), and
use "-T 2" when adding routes relating to that), this is cleaner/simpler
in some ways, though it can also be more tricky if you're running any
services on the router itself (you may need to run a second instance
bound to the second rdomain).


My mind has Cisco Route-Map pre-programmed in I think :-(


I am looking at rdomains now, which might be the solution.

In addition to the OpenBSD FAQ and MAN pages I found this website too: 
https://unfriendlygrinch.info/posts/openbsd-routing-tables-and-routing-domains/


of course taking it with a pinch of salt as the content hosted on 
openbsd.org is the correct one ;-)



Also going through this: 
https://www.openbsd.org/papers/bsdcan2015-rdomains.pdf - I know an old 
paper and probably much has changed in the meantime.



Anyway, what I am trying to figure out is how to NAT the rdomain's?


At the moment from what I understand one has to put "rtable (n)" at the 
end of the NAT rule... checking with pfctl -ss |grep x.x.x.x does not 
show any NAT translations unfortunately.



The rule in use is this one:

match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2


I'm a little bit stuck here. I even tried replacing the $gnet_if with 
"rdomain 2" but that didn't seem to work either.



Guess I've got more reading to do




https://misc.openbsd.narkive.com/lCGUlP2Q/two-default-route

I think the above was more to do with using 2x default routes in a
multipath setup rather then simply trying to get one particular subnet
to use another ISP specifically.

multipath is not what you're looking for here


Also one last note: I'm not using the /etc/mygate at all it was my
understanding that when building a router you didn't need it and
certainly for now I have never needed it with the VSDL2 link from ISP-A.

that's ok, your default route is over pppoe which you can't do via /etc/mygate.

Static default route for a subnet

[Kaya Saman]

Hi again,


so my shiny new fiber has been installed yesterday and currently I can 
ping the gateway IP address but not much more.



It was interesting as they gave me this whole subnet and told me I get a 
gateway address. What they should have said to eliminate my confusion 
was that there is a gateway address within the subnet that they have to 
provision on their end that would have stopped me from trying to 
provision the vlan that I'm using with an IP address used by them :-S uh 
- the problem here was wording and terminology used that threw me off. 
It seems to happen too much currently either it's my medical 
condition or perhaps they could just create a page on their web portal 
to show with a diagram the general setup uh :-(



Now here again I'm confusing like hell and it's frustrating :-(


On my WAN vlan for what I am going to call ISP-B, as ISP-A is existing 
for a long time. What I'm trying to do right now is set this as a 
default gateway for a particular subnet. As I have already got many 
mappings with ISP-A, I don't want to break those just yet and migrate 
them across then have them not work. I tried searching around for it and 
found a similar yet I think different situation on the mailing lists:


https://misc.openbsd.narkive.com/lCGUlP2Q/two-default-route

I think the above was more to do with using 2x default routes in a 
multipath setup rather then simply trying to get one particular subnet 
to use another ISP specifically.



Currently I have provisioned the vlan like so and created these routes 
on the interface:


inet A.A.A.2 255.255.255.240 A.A.A.15 vlan VLAN_ID vlandev trunk0 
description "G-NET VLAN"

dest 0.0.0.1

!/sbin/route add -mpath A.A.A.0/28  A.A.A.1
!/sbin/route add -mpath x.x.x.1/24  A.A.A.1


Note... that I'm calling my ISP-B subnet: A.A.A.A and my local subnet: 
x.x.x.x



Unfortunately, the above "route add" mappings don't seem to work.

Adding this route map does allow me to ping the ISP-B gateway address of 
A.A.A.1:


route add x.x.x.6 A.A.A.1


Do I actually need the 'gateway of last resort' set for this internal 
subnet and if so where do I provision it? If I provision it system wide 
then everything will try to go over this way which is not what I want 
yet



I'm pretty sure that what I've hit is a routing problem and not much 
more, it's just a matter of trying to sort out the confusion about 
provisioning the system correctly.



Also one last note: I'm not using the /etc/mygate at all it was my 
understanding that when building a router you didn't need it and 
certainly for now I have never needed it with the VSDL2 link from ISP-A.



In the meantime I'm going to try reading the man pages again to see if I 
can figure anything out ;-)



Many thanks.


Kaya

Re: Possible to handle fiber WAN connection with OpenBSD using PCIe card?

[Kaya Saman]

On 3/25/23 09:33, Stuart Henderson wrote:

On 2023-03-24, Kaya Saman  wrote:

Just responding to this for completeness as I have some more information
on my side

On 3/24/23 07:21, Stuart Henderson wrote:

On 2023-03-23, Kaya Saman  wrote:

Unfortunately I haven't been well for a long time hence the delay in
upgrade and at first found it a little difficult but the way forward
after a bit of reading around was to go to 7.1-release then 7.2 and
finally jump back to Current which I believe is called Beta now? (unless
I missed something or am confusing)

The main release cycle is -current, -beta, , -current - this
hasn't changed. (The "no suffix" includes a few snapshots prior to an
actual finished release, and that's the stage we are at right now).


Ah ok I see, I also understand what has happened in the meantime... no
problem. I'll see if I really need to upgrade to current again as right
now Beta seems to be doing everything I need

I suggest waiting until the actual 7.3 release and install that
(sysupgrade -r) n order that you can install errata patches.

It will be simpler if you do _not_ upgrade to a newer snapshot first -
sysupgrade can't go from a snapshot labelled "7.3" (as they are now)
to the actual release without modifying it.


Great advice, will wait in this case.





Just got off a lengthy phone call with Tier2 tech support at G-Net,
which was a lot of fun!! It's so rare to talk in technical terms with
someone and have them understand you.

That's a good sign.


It's amazing how well this company is willing to deal with what they 
consider "vulnerable" people, as I explained about my condition: ASD 
(Autism/Asperger's Spectral Disorder - if after all these years you 
hadn't guessed already :-) ), and basically they do training to cater 
for people with ADD, ADHD, ASD etc






Currently there is a little confusion in how to setup the block of IP
addresses as I have had to upgrade to a block of 16. Right now my
connection gets a single IPv4 address through ipcp with the rest of the
IP addresses being handled in PF through NAT/PAT mappings. I have
forgotten how it is handled but I am willing to bet that my current ISP
is forwarding those addresses in static routes??

I am wondering if it will be similar except for the gateway IP address
which will need to be provisioned on the WAN facing ethernet interface
along with default 0 dot quaded route, or if I'm going to have to create
sub interfaces for the rest of the provisioned IP addresses?? I am told
that out of the 16 addresses I loose 3 - network, broadcast, gateway ,
so I should have 13 addresses to play around with.

Typically you have pppoe pick up its own address - see examples in
pppoe(4) for this and setting the default route - and configure an
address from the /28 on another network interface on the router.



Exactly how things are done currently as I'm using pppoe - interface 
hostname.pppoe0:



inet 0.0.0.0 255.255.255.255 NONE mtu 1492 \
    pppoedev em5 authproto chap \
    authname '*' authkey '' \
    up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1


Then the rest of the IP's are handled like so:

match out on $ext_if from { IP or Macro } to any nat-to { IP or Macro } 
for outbound.


So if ipcp gets (imaginary) ip address of 1.1.1.1, I can fit the next 
one in the block into the PF "match" rule so it becomes:


match out on $ext_if from { 10.10.10.100 } to any nat-to { 1.1.1.2 }



If you will be addressing other machines directly from that /28 (easier)
that would be a physical interface or vlan connected to those machines.

If you're doing that via NAT/rdr-to then you might want to use a vether
interface with one address configured as /28 and the others as /32
aliases.



Not directly addressing. I will use "rdr-to" PF rules. Basically I want 
to keep my current configuration as much the same as possible but just 
adjust enough to handle the new connection.




I think right now what was said is that I don't get a subnet mask (if I 
understood correctly) so I will need to provision each IP address 
with a /32 or 255.255.255.255, even though they will be providing the 
network and broadcast addresses.



Had a flick through vether as you suggested... currently I'm unsure to 
be honest. Do I need it? As I'm not using that currently for my current 
6x IP block...


To be honest my mindset right now is pointing towards the Cisco 
sub-interface way of doing things so I'm probably reading and confusing 
a lot :-(


I guess it will be needed judging by the description:

DESCRIPTION
 The vether interface simulates a normal Ethernet interface by
 encapsulating standard network frames with an Ethernet header,
 specifically for use as a member in a bridge(4).

 To use vether the administrator needs to configure an address onto the
 interface so that packets can be routed to it.  An Ethernet header 
will
 be prepended and

Re: Possible to handle fiber WAN connection with OpenBSD using PCIe card?

[Kaya Saman]

Just responding to this for completeness as I have some more information 
on my side


On 3/24/23 07:21, Stuart Henderson wrote:

On 2023-03-23, Kaya Saman  wrote:

Unfortunately I haven't been well for a long time hence the delay in
upgrade and at first found it a little difficult but the way forward
after a bit of reading around was to go to 7.1-release then 7.2 and
finally jump back to Current which I believe is called Beta now? (unless
I missed something or am confusing)

The main release cycle is -current, -beta, , -current - this
hasn't changed. (The "no suffix" includes a few snapshots prior to an
actual finished release, and that's the stage we are at right now).



Ah ok I see, I also understand what has happened in the meantime... no 
problem. I'll see if I really need to upgrade to current again as right 
now Beta seems to be doing everything I need





Unfortunately right now I'm a little panicked because my (new) ISP will
provide me with either a Huwei or Nokia device which seem to be very
basic in functionality and don't seem to support RFC 1483 bridging which
I'm using currently for my VDSL2 connection. I've read the manual for
the Nokia which I was suggested that they "thought" would be able to do
what I want it to do, but it doesn't seem possible.

IIRC you're UK based aren't you? Which ISP?

If the ISP is using Openreach's FTTP you will need to use their ONT
which will act as a bridge, then you use your own or an ISP-provided
router connected over ethernet. Typically it's PPPoE though the backhaul
supports plain ethernet and some ISPs (notably Sky) use it, normally
with DHCP. The ONT is not user-configurable and you have to use it.

Non-Openreach-based vary. If you're lucky you might get pppoe out of the
ONT and be able to connect your own router (likely with at least some of
the ISPs selling CityFibre-based lines). Some others are often much more
locked down - if you're lucky you might get to put their kit in bridge
mode, if not you might be behind a NAT router and can't do anything
about it. (Some don't even let you make changes to even things as simple
as wifi SSID yourself and you need to get them to do it for you).
I haven't seen any that will let you connect to the incoming fibre
directly.


I'm wondering if anyone knows if one can get a PCIe card... possibly
Intel chipset will be best that can take an SFP or SFP+ module to
accommodate what I assume currently is an SC/APC LR connection which I
can feed directly to OpenBSD? - again I'm just basing this according to
the manual as I don't have any fiber experience at all.

You can get various cards that will take SFP/SFP+. You can get GPON SFPs.
But you can't enrol a custom router in the provider's provisioning system
that sets up crypto keys etc (GPON is a shared medium; other subscribers
will get the same light carrying your connection and encryption is used
so they can't see your packets).

As far as your connection is concerned the demarc is pretty much always
the ethernet port on either the provider's ONT or their supplied router.




Just got off a lengthy phone call with Tier2 tech support at G-Net, 
which was a lot of fun!! It's so rare to talk in technical terms with 
someone and have them understand you.



Apparently their take is that everything up to and including 1Gb/s must 
be handled by their own ONT... which is in fact a transparent RFC 1483 
network bridge. The only difference comes for 10Gb/s customers which get 
a dedicated Cisco WAN switch with SFP+ module. I'm not sure if they 
service speeds up to 100Gb/s but I can only imagine high throughput data 
centers (especially those with high bit rate streaming services) will 
need them.



In terms of connection to their network: it is not handled by PPPoE or 
even DHCP. DHCP is used for dynamically allocated customers such as 
those on residential packages only, so no static IP reservation system 
in place. I am told no credentials either



Currently there is a little confusion in how to setup the block of IP 
addresses as I have had to upgrade to a block of 16. Right now my 
connection gets a single IPv4 address through ipcp with the rest of the 
IP addresses being handled in PF through NAT/PAT mappings. I have 
forgotten how it is handled but I am willing to bet that my current ISP 
is forwarding those addresses in static routes??


I am wondering if it will be similar except for the gateway IP address 
which will need to be provisioned on the WAN facing ethernet interface 
along with default 0 dot quaded route, or if I'm going to have to create 
sub interfaces for the rest of the provisioned IP addresses?? I am told 
that out of the 16 addresses I loose 3 - network, broadcast, gateway , 
so I should have 13 addresses to play around with.


I guess I'll have to figure things out on Monday once the installation 
is complete.



You could say right now I'm excited but nervous at the same time :-S


Kaya

Possible to handle fiber WAN connection with OpenBSD using PCIe card?

[Kaya Saman]

Hi everyone,


it's been a long time since I've posted here and in the meantime I have 
just upgraded from 7.0-current to 7.3-beta through sysupgrade which is 
amazing! Thanks so much for all the hard work and effort put in to the 
tool!!



Unfortunately I haven't been well for a long time hence the delay in 
upgrade and at first found it a little difficult but the way forward 
after a bit of reading around was to go to 7.1-release then 7.2 and 
finally jump back to Current which I believe is called Beta now? (unless 
I missed something or am confusing)



I'm about to jump onto the full fiber band wagon with my WAN connection 
and was wondering what advice or recommendations I could get for the 
hardware in this.



Unfortunately right now I'm a little panicked because my (new) ISP will 
provide me with either a Huwei or Nokia device which seem to be very 
basic in functionality and don't seem to support RFC 1483 bridging which 
I'm using currently for my VDSL2 connection. I've read the manual for 
the Nokia which I was suggested that they "thought" would be able to do 
what I want it to do, but it doesn't seem possible.


I found the manual here: 
https://www.manualslib.com/manual/2084440/Nokia-7368-Intelligent-Services-Access-Manager-Ont.html


Model: Nokia G-2425G-B


Currently I am using transparent bridging between a Cisco 887VA VDSL2 
router/modem and my OpenBSD installation which I let OBSD take care of 
everything from Layer3 and above using the kernel PPP module and PF.



I'm wondering if anyone knows if one can get a PCIe card... possibly 
Intel chipset will be best that can take an SFP or SFP+ module to 
accommodate what I assume currently is an SC/APC LR connection which I 
can feed directly to OpenBSD? - again I'm just basing this according to 
the manual as I don't have any fiber experience at all.


As the OpenBSD machine in question runs SuperMicro hardware I will have 
a look on their website as well as they do have their own brand of cards 
which might be more easily obtainable then any other type..??



The ISP has not given me any information on connection type or even 
settings yet so I'm still quite in the dark with this and I'm still 
trying to get a hold of someone who actually can provide that 
information. Right now I'm basing what I have read in the Nokia models 
manual.



Like with *DSL if such a system doesn't exist for PC hardware then it 
might be possible to look at getting something like a Cisco 11xx series 
with the correct SFP module and again just bridging as I'm doing now.



Right now I just want to run it by here in case someone has experience 
with this type of setup and can suggest a better or alternative method 
to achieve what I'm trying to do.



For me right now what's a little frustrating is that I don't know if 
they are using PPP dialup style connection or simply DHCP on their end. 
It also doesn't seem to be written down anywhere either like it used to 
be done with ADSL/VDSL providers.




As a side note the unfortunate part is my current ISP is ceasing 
operations on their business services, and there are only a handful of 
ISP's left servicing my area. It seems like the trend has shifted 
towards mobile and wireless technologies with LTE being really popular :-(



Many thanks,


Kaya

Re: NIC Port L2 Switching capability

[Kaya Saman]

Thanks Stuart!


On 1/26/21 11:36 AM, Stuart Henderson wrote:

On 2021-01-25, Kaya Saman  wrote:

Thanks a lot Tom for your response.


Perhaps I wasn't quite clear in what I am trying to achieve?


When I say trunk, I meant from a switch perspective as in a 802.1Q trunk
port on a switch.


I think I got mixed up with the OpenBSD terminology since it is slightly
different:

yes.


So now I just need to find out how the switch interface works in OpenBSD
and see if I can get it working with 802.1q tagging and the rest of the
L2 networking protocols.

You do not want the "switch" interface type. "bridge" is the one you
need for what you're asking to do, but...



I figured this one out in my VM setup which was basically that I needed 
to activate 'promiscuous mode' on the NIC's. Afterwards, bridging the 
Trunks worked fine. I haven't tested anything other then basic 
connectivity yet though so I do not know how the setup will behave.





 Of course an alternate would be to link the 1GbE switch to the 10GbE
 switch and do things that way, but the above would be more practical
 from a cabling sense.

...that alternative is the real answer. Using bridge for this will
be a mess (you haven't mentioned PF yet but configuring that will be
a pain) and won't perform particularly well.

With bridge, I *think* you will want to bridge the vlan interfaces
together, not the trunk interfaces.




Hmm. this is the exact area that I'm trying to explore currently.


Currently what I have in place is this:


Router (4 port lacp trunk - multiple vlans , no bridging , PF rules for 
vlans and NAT ) ->


<- Switch1 (lacp trunk to router) ->

Switch1 (lacp trunk to Switch2)

Switch1 (lacp trunk to Switch3)

Switch1 (lacp trunk to Switch4)


Switch2 (lacp trunk to Switch5)



So basically Switch1 is being used as an aggregation switch to link to 
multiple other switches.




If I changed things around by adding a new higher performance (10GbE) 
switch above Switch1 then I would need to re-cable and change my main 
trunk interface over from using the 1GbE NICs to 10GbE NICs. Outside of 
this nothing much else would need to change as PF would stay the same.



However, if I created a new 2 port lacp trunk using the 10GbE interfaces 
then bridged the new trunk with the existing trunk will that mean that 
all the sub-interfaces will be bridged additionally?


For example if data is sent on vlan1 then will all the vlans see this? I 
will verify this in my VM setup additionally but I'm curious as to how 
PF would be affected by this?



It would be really nice if there was a mechanism to just do something 
like which is perfectly fine on a switch then have PF working as normal 
on top:



switchport g0/1

trunk

lagg-group 1


switchport g0/2

trunk

lagg-group 2



But of course in OpenBSD vlans are bound to an interface which makes the 
configuration a little different.




Regards,


Kaya

Re: NIC Port L2 Switching capability

[Kaya Saman]

Thanks a lot Tom for your response.


Perhaps I wasn't quite clear in what I am trying to achieve?


When I say trunk, I meant from a switch perspective as in a 802.1Q trunk 
port on a switch.



I think I got mixed up with the OpenBSD terminology since it is slightly 
different:



TRUNK(4) Device Drivers Manual    
TRUNK(4)


NAME
 trunk - link aggregation and link failover interface


Of course different vendors call this differently and would be more like 
EtherChannel in Cisco terminology.



So now I just need to find out how the switch interface works in OpenBSD 
and see if I can get it working with 802.1q tagging and the rest of the 
L2 networking protocols.



Regards,


Kaya


On 1/25/21 10:51 PM, Tom Smyth wrote:

Hi Kaya

you need to create   a bridge interface and add the interfaces you 
want to switch packets between into the bridge,


man bridge
man switch
man ifconfig
will give you the information you need,


trunk is a bonding / team  / fail over interface and not for switching

because you are using a virtualisation platform you need to be wary of 
hypervisor / virtualisation network stack  Security features / hacks / 
shortcuts
some hypervisors filter traffic comming from a vm which has a 
different source mac to the mac assigned to the vm network card  by 
the hyper-visor  and somehypervispors will only switch traffic to a vm 
if the destination mac is the same as the mac of the virtual machine 
network card


all the best



On Mon, 25 Jan 2021 at 22:06, Kaya Saman <mailto:kayasa...@gmail.com>> wrote:


Hi,


I'm wondering if it's possible to get OpenBSD to make the NIC
ports act
like a layer 2 switch?


I made a quick test in VirtualBox (unfortunately I don't have any
bare
bones systems free to test with) and tried the following:


create two systems, one called router , the other called client


create vlans: vlan1, vlan2, vlan3


create trunk interfaces on 3x virtual NIC's: trunk0 (em0), trunk1
(em1),
trunk2 (em2)


I then added the vlans to trunk0 by setting the vlandev to trunk0
in the
hostname.if files.


Of course a basic router-on-a-stick method like the above works
fine but
if I wanted the 3 vlans to also be on the trunk1 interface in a
similar
way to provisioning an L2 switch how would I go about it?


I attempted to bridge trunk0 and trunk1. The result I got was that
dhcp
worked and the client was able to get an IPv4 address, I also had
multicast traffic working when dynamically sending the client routes
through OpenOSPF, as in I could see OSPFv2-hello and OSPFv2-dd
packets
being sent to 224.0.0.5 .

What didn't work was ICMP packets were not being seen on the router
systems NIC when I tried to use the ping command and in addition the
OSPF routes would not propagate either.

If I changed the virtual configuration back to trunk0 then everything
worked as expected. It may just be a limitation of Vbox?


In the meantime I have been looking at the docs:

https://www.openbsd.org/papers/bsdcan2016-switchd.pdf
<https://www.openbsd.org/papers/bsdcan2016-switchd.pdf>

https://man.openbsd.org/switch <https://man.openbsd.org/switch>


for the switch interface but is this really what I need here?


Has anyone tried and succeeded with this kind of config?


My main reason for wanting to use something like this is that I
want to
add a 10GbE NIC and switch into my production router platform while
still keeping the same setup going to the 1GbE switch which is
running
in a 4-port LACP trunk.



Of course an alternate would be to link the 1GbE switch to the 10GbE
switch and do things that way, but the above would be more practical
from a cabling sense.



Has anyone got any ideas?


Thanks a lot!


Kaya





--
Kindest regards,
Tom Smyth.

NIC Port L2 Switching capability

[Kaya Saman]

Hi,


I'm wondering if it's possible to get OpenBSD to make the NIC ports act 
like a layer 2 switch?



I made a quick test in VirtualBox (unfortunately I don't have any bare 
bones systems free to test with) and tried the following:



create two systems, one called router , the other called client


create vlans: vlan1, vlan2, vlan3


create trunk interfaces on 3x virtual NIC's: trunk0 (em0), trunk1 (em1), 
trunk2 (em2)



I then added the vlans to trunk0 by setting the vlandev to trunk0 in the 
hostname.if files.



Of course a basic router-on-a-stick method like the above works fine but 
if I wanted the 3 vlans to also be on the trunk1 interface in a similar 
way to provisioning an L2 switch how would I go about it?



I attempted to bridge trunk0 and trunk1. The result I got was that dhcp 
worked and the client was able to get an IPv4 address, I also had 
multicast traffic working when dynamically sending the client routes 
through OpenOSPF, as in I could see OSPFv2-hello and OSPFv2-dd packets 
being sent to 224.0.0.5 .


What didn't work was ICMP packets were not being seen on the router 
systems NIC when I tried to use the ping command and in addition the 
OSPF routes would not propagate either.


If I changed the virtual configuration back to trunk0 then everything 
worked as expected. It may just be a limitation of Vbox?



In the meantime I have been looking at the docs:

https://www.openbsd.org/papers/bsdcan2016-switchd.pdf

https://man.openbsd.org/switch


for the switch interface but is this really what I need here?


Has anyone tried and succeeded with this kind of config?


My main reason for wanting to use something like this is that I want to 
add a 10GbE NIC and switch into my production router platform while 
still keeping the same setup going to the 1GbE switch which is running 
in a 4-port LACP trunk.




Of course an alternate would be to link the 1GbE switch to the 10GbE 
switch and do things that way, but the above would be more practical 
from a cabling sense.




Has anyone got any ideas?


Thanks a lot!


Kaya

Re: Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?

[Kaya Saman]

On 6/24/20 11:58 AM, Stuart Henderson wrote:

On 2020-06-23, Daniel Ouellet  wrote:

Have a look through https://www.supermicro.com/en/products/embedded/servers /
https://www.supermicro.com/en/products/embedded/rackmount and you'll find
quite a few things that give the perception "solid custom network device"
rather than either "repurposed server" or "cisco junk, well past it's
sell-by date, <$100 on ebay" - things like these

https://www.supermicro.com/en/products/system/1U/1019/SYS-1019D-FRN8TP.cfm
https://www.supermicro.com/en/products/system/1U/5019/SYS-5019D-4C-FN8TP.cfm

(some equipment from other vendors will fit the bill too, but supermicro is
a lot easier to buy from than portwell etc).



I agree totally here with Stuart! In the past I have built a router 
using a SuperMicro 4U chassis with Xeon E5 cpu.



https://www.supermicro.com/en/products/chassis/4U/842/SC842TQC-668B


Originally OpenBSD didn't support the RAID controller so I used the root 
backup cron dd script. Everything else was fine however, and it's 
performance has been incredible with the only downtime being during 
maintenance periods -> transitioning to new version of 'Current'.


Consequently it is tied to a Cisco router :-)

That is really only to bridge the VDSL2 line to Ethernet - 
https://tools.ietf.org/html/rfc1483



Another option depending on availability could be Jetway -

http://www.jetwayipc.com/product-category/emb-board-en/embedded-x86-en/mini-itx-en/

https://www.jetwaycomputer.com/


Example (yes they do look like vendor based network equipment and not 
rack mount servers): 
https://www.jetwaycomputer.com/1U-Rackmount-Barebones.html



One common place for their availability is the Mini-ITX store: 
https://www.mini-itx.com/store/category?type=motherboard=1=4GB-or-more=from-1=from-1=price=1



I don't have experience with them in general but if OpenBSD works well 
on them they could become a really big game changer.



Regards,


Kaya

Re: Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?

[Kaya Saman]

Actually you reminded me about the Cisco Voice appliances which are 
basically PC servers. If I recall correctly they ran a Linux kernel too.


Unfortunately I never got to play around with the capabilities of one 
but you might have some luck with something like that. Of course it 
wouldn't be running Call Manager ;-)


- hang on... my memory is slowly coming back (it's been over 10 years 
lol), CCM used to also be available as a VM which could be run on 
VMware. Maybe the dedicated appliance would be a good choice of hardware 
to run OpenBSD on?


The ASA appliances may also be x86 based which could make them a 
candidate but with large price tags for new ones I'm not sure if anyone 
has tried doing anything crazy with them.



A quick google for the Unified Communication System came up with this:

https://www.google.com/search?q=cisco+call+manager+server=ALeKk03xeYq4NLgIyiUGtaNmoUnR3iaXnQ:1592950661912=lnms=isch=X=2ahUKEwi_7OPS-5jqAhUpTxUIHRbnCOkQ_AUoAXoECA0QAw=1918=955#imgrc=yRjG43cRTHU1nM


You might be really lucky with one of those devices! Hopefully someone 
with more experience will chime in and confirm.



Regards,


Kaya


On 2020-06-23 23:03, Daniel Ouellet wrote:

OpenBSD does run on some old Cisco routers, it's been done before. Sure
it's not officially supported nor does it support all the various
interfaces but it's known to work on some.

I am trying to dig up a dmesg showing it too.

Plus Cisco have some firewall type of device that are over price PC that
can run OpenBSD.

Here is an example using the4 old Cisco IDS-4215

https://komlositech.wordpress.com/2018/12/30/revive-a-cisco-ids-into-a-capable-openbsd-firewall/

I was just curious as to what stage it might be now.

I am not saying it make sense to do really power wise for sure.

May be Juniper instead as Juniper is based on FreeBSD anyway and it's an
over price PC with specialize network cards. (; Ok more then that, but
you get the picture I think.

I was just curious as to what it may be running on these days?

Could be Cisco routers, Cisco IDS, Cisco firewall, unless I am mistaken
they also have servers or used too anyway, and why not Juniper gear?

In short any box that appear to be Cisco or Juniper but that have
something different under the hood.

And yes, this is stupid if you look only at what you get compare to
other better choices.

I am not doing it for best performance, but for fell comfortable.

Call it marketing bullshit, because that's exactly what it is! (;

Daniel


On 6/23/20 12:37 PM, Kaya Saman wrote:

Hi, I totally understand the position you're in and sympathize.

I've never heard of Cisco routers being able to run OpenBSD though IOS
is based on BSD as far as I'm aware.

Not a direct solution to your use case but you could always run a
small mini-itx or SBC system behind the Cisco router. You could put it
as a firewall solution and have the OBSD box doing all the major
routing, vlans, firewall (pf) etc... while the Cisco could just simply
forward information between the private and public IP ranges. Or if
using dial-in then you can bridge the OBSD and Cisco then use OBSD as
the PPPoE device

It is one suggestion in any case though it might not be the most ideal.

Regards,

Kaya

On Tue, Jun 23, 2020 at 5:03 PM Daniel Ouellet  wrote:

Hi,

This might be a bit weird question, but I saw the wireguard being put in
the kernel in the last few days and I am very existed abut it oppose to
use the package on it and even today there was more on it.

Many thanks for this!!!

I also know there was effort and some Cisco router can run OpenBSD very
well, however I have no clue as to any of this stand now.

I don't have a problem to use APU type or other Ubiquit for small
OpenBSD router, but I wonder about using Cisco instead. The only reason
is for may be more stability, most likely less performance for sure, but
less change to have corrupted reboot on power lost, etc.

And sadly for some customers having what they see as computer as router
don't make them fell good, but seeing a Cisco box kind of wipe out the
impression. I am not saying it's justify, but perception is sometime
everything, but if I have my say in it I want all my routers to be
OpenBSD as much as I can where the needs is not to multiple Gb in speed.

So, any suggestion or updates as to what's now available and hopefully
in use now.

I really don't care for any special model, or even Juniper, as long as I
can put OpenBSD on it.

So any feedback as to where it's stand now and what's usable in a
reliable way would be greatly appreciated.

And yes I know I may well get better performance in some cases with a
small APU device then a Cisco one, but that's for what we all know may
not be logical to be used, but for sadly how some clients may fell, not
knowing any better.

I guess you can see that as some people do security by obstruction, but
we al know it's not more secure, this is routing by obstruction I guess
and may be less performant, but achieve comfort

Re: Any idea/suggestion for old Cisco router to be use running OpenBSD current for WG?

[Kaya Saman]

Hi, I totally understand the position you're in and sympathize.

I've never heard of Cisco routers being able to run OpenBSD though IOS
is based on BSD as far as I'm aware.

Not a direct solution to your use case but you could always run a
small mini-itx or SBC system behind the Cisco router. You could put it
as a firewall solution and have the OBSD box doing all the major
routing, vlans, firewall (pf) etc... while the Cisco could just simply
forward information between the private and public IP ranges. Or if
using dial-in then you can bridge the OBSD and Cisco then use OBSD as
the PPPoE device

It is one suggestion in any case though it might not be the most ideal.

Regards,

Kaya

On Tue, Jun 23, 2020 at 5:03 PM Daniel Ouellet  wrote:
>
> Hi,
>
> This might be a bit weird question, but I saw the wireguard being put in
> the kernel in the last few days and I am very existed abut it oppose to
> use the package on it and even today there was more on it.
>
> Many thanks for this!!!
>
> I also know there was effort and some Cisco router can run OpenBSD very
> well, however I have no clue as to any of this stand now.
>
> I don't have a problem to use APU type or other Ubiquit for small
> OpenBSD router, but I wonder about using Cisco instead. The only reason
> is for may be more stability, most likely less performance for sure, but
> less change to have corrupted reboot on power lost, etc.
>
> And sadly for some customers having what they see as computer as router
> don't make them fell good, but seeing a Cisco box kind of wipe out the
> impression. I am not saying it's justify, but perception is sometime
> everything, but if I have my say in it I want all my routers to be
> OpenBSD as much as I can where the needs is not to multiple Gb in speed.
>
> So, any suggestion or updates as to what's now available and hopefully
> in use now.
>
> I really don't care for any special model, or even Juniper, as long as I
> can put OpenBSD on it.
>
> So any feedback as to where it's stand now and what's usable in a
> reliable way would be greatly appreciated.
>
> And yes I know I may well get better performance in some cases with a
> small APU device then a Cisco one, but that's for what we all know may
> not be logical to be used, but for sadly how some clients may fell, not
> knowing any better.
>
> I guess you can see that as some people do security by obstruction, but
> we al know it's not more secure, this is routing by obstruction I guess
> and may be less performant, but achieve comfort obstruction confidence.
>
> I just have no clue if wireguard needs to be run, what can be achieve as
> the CPU in all Cisco device is always under power, we all know that.
>
> This may not go anywhere, however I liked to look even if for nothing
> else then just being fun to do if that can't even be usable.
>
> Many thanks for your time and feedback.
>
> Daniel
>
> PS; And yes, that's most likely stupid I know. Sometime what's used is
> not always what make sense for other reason that are stupid.
>

npppd docs for tun change to pppac

[Kaya Saman]

Hi,


I just updated my system from 6.6 (old current) to 6.7 (current) which 
went through fine.


I realized that the npppd setup I had stopped working. Something that 
threw me off in the man pages was the lingering reference to the old tun 
interface which has since been reworked to pppac.



man npppd:

SEE ALSO
 gre(4), pipex(4), pppx(4), tun(4), npppd.conf(5), npppctl(8), 
sysctl(8)



Of course the actual code has been changed based on the mail threads here:

openbsd-archive.7691.n7.nabble.com/move-PIPEX-from-tun-4-into-pppac-4-a-dedicated-PPP-access-concentrator-td382139.html

https://bsdsec.net/articles/openbsd-6-7-released-may-19-2020


I guess the tun(4) reference needs to be removed? Currently the pppac 
manual command is an alias to pppx(4) so I'm not entirely sure if 
pppac(4) needs to be added in place of tun(4) or a dedicated manual page 
specifically for pppac needs to be written (as it would kind of 
duplicate the existing pppx(4)), or just a simple removal of tun as it 
has been already done with npppd.conf(5)??



Regards,


Kaya

Re: Networking/pf question, I am not sure ?

[Kaya Saman]

On 5/10/20 2:12 PM, Kaya Saman wrote:

On 5/10/20 2:04 PM, Tom Smyth wrote:

Hello Clarence,

you would need to provide some more information about your setup,

ip addresses on interfaces , what is your pf.conf etc...

In your experia ( I believe they are android)
you can download the  hurricane electric network tools  (HE network
tools)  (a free app to run rudimentary network diagnostic commands,
such as ping traceroute dns lookup tests to identify the problem
associated with your connection when using openBSD..
that would help you diagnose the source of the connectivity problems
you are having...
Hope this helps

Tom Smyth


On Sun, 10 May 2020 at 13:09, man Chan  wrote:

Hello,
I recently setup a home network as followings (Just for fun):
ISP  <> openbsd router (version 6.6 Stable) <--->  gigabits 
switch (TP-Link TL-SG1008D) <-> linksys ea8300 (with wireless)


everything works except that I can't use my sony xperia tablet to 
access internet using the wireless function provide by the 
linksys-ea8300.
When I replace the openbsd-router and switch with another wireless 
router, I can use my sony xperia to access the internet.  Does any 
one try this before ?

If yes, please let me to know how you do it.  Thanks.
Clarence




I totally agree with the suggestion by @Tom above!


Another good tool for Android is 'fing', it will give you access to 
Traceroute and Ping functions on your Xperia.



The first thing to try would be to see if the Xperia can communicate 
with the gateway (OpenBSD router) then if that is successful public IP 
addresses. If something strange is going on you can further run 
Traceroute to narrow down where the issue is occurring.



On the OpenBSD side, it could be a number of things like PF rules, 
routing, NAT but without further information it is basically a guess 
as to what it could be.


Just to elaborate here a little; you can run the 'tcpdump' program on 
OpenBSD to give you more information.



To get started: man tcpdump


If you want to see where the packets from the Xperia are traveling then 
something like:



tcpdump -eni (inside_interface) host (ip_of_Xperia)


For debugging PF rules a good start is to use: tcpdump -eni pflog0 <- 
you can further narrow things down by using the 'action' option eg. 
'block' / 'allow'



Hope this helps a little more :-)

Re: Networking/pf question, I am not sure ?

[Kaya Saman]

On 5/10/20 2:04 PM, Tom Smyth wrote:

Hello Clarence,

you would need to provide some more information about your setup,

ip addresses on interfaces , what is your pf.conf etc...

In your experia ( I believe they are android)
you can download the  hurricane electric network tools  (HE network
tools)  (a free app to run rudimentary network diagnostic commands,
such as ping traceroute dns lookup tests to identify the problem
associated with your connection when using openBSD..
that would help you diagnose the source of the connectivity problems
you are having...
Hope this helps

Tom Smyth


On Sun, 10 May 2020 at 13:09, man Chan  wrote:

Hello,
I recently setup a home network as followings (Just for fun):
ISP  <> openbsd router (version 6.6 Stable) <--->  gigabits switch (TP-Link 
TL-SG1008D) <-> linksys ea8300 (with wireless)

everything works except that I can't use my sony xperia tablet to access 
internet using the wireless function provide by the linksys-ea8300.
When I replace the openbsd-router and switch with another wireless router, I 
can use my sony xperia to access the internet.  Does any one try this before ?
If yes, please let me to know how you do it.  Thanks.
Clarence




I totally agree with the suggestion by @Tom above!


Another good tool for Android is 'fing', it will give you access to 
Traceroute and Ping functions on your Xperia.



The first thing to try would be to see if the Xperia can communicate 
with the gateway (OpenBSD router) then if that is successful public IP 
addresses. If something strange is going on you can further run 
Traceroute to narrow down where the issue is occurring.



On the OpenBSD side, it could be a number of things like PF rules, 
routing, NAT but without further information it is basically a guess as 
to what it could be.



Regards,


Kaya

Re: setup authoritative DNS for myself with nsd + unbound

[Kaya Saman]

It really depends on what you want/need.


If you would like to host your own DNS servers, then multi location is a 
good idea:



Example: Master NS1 in LA and Slave NS2 in Miami.


I have no idea about GoDiddy but my US based domain hosting company 
let's me specify my own ns servers, as their DNS hosting is a little 
limited for what I need.



Just whack Bind9 onto both systems in master/slave setup, and away you 
go. DNS isn't really complicated so you should be up and running in no 
time. ;-)



Once that's done a good online tool for checking certain parts of the 
domain is: https://mxtoolbox.com/ but then don't forget your local tools 
such as nslookup and dig!!



Regards,


Kaya


On 1/18/19 6:38 PM, Chris Bennett wrote:

I have had problems with setting up DNS for myself and I need it to be
authoritative.
I have my domains registered with Godaddy and they do not support for
domains not hosted on their servers. I have been using their DNS without
big problems, except that I'm not getting proper results with regards to
email. I've got a pretty bad problem with spam. I now have two servers,
each with a different company.

Will that then solve the problems with PTR, DKIM and DMARC?
I also particularly hate the web GUI that Godaddy uses and it's SOA
record is much too long timewise.

Should I set it up with just one of my servers or both?
One is in Los Angeles and the other is in Miami.
Do I need to use a different one to cover the other server or can I just
use the same one to cover the email stuff like DKIM and DMARC?

Since I'm having problems from the ground up, this seems like a good
idea to start at.

I'm also seeing conflicting advice on whether I should use multiple A
records for subdomains, like www. smtp. etc. or CNAME.
Plus it's not clear to me whether to use records like _smtp.tcp or not
bother with those.

I have spent a lot of time reading pages on all of these subjects but I
have yet to find a complete example of all DNS records for a site.
Would anyone care to share one with me?

Thanks,
Chris Bennett

Re: [OT?] I have 4 IPs. How is outbound IP selected, say run lynx URL on server?

[Kaya Saman]

On 11/30/18 8:31 PM, Chris Bennett wrote:

I'm just curious. Is there a default method to select on this? Random?
Can I control this somehow?
It's clear how everything else selects IP, but I just wanted to know in
case that ever mattered, say one of my IPs were blocked.
And I wanted to be sure which IP outbound is or is not used for running
something like lynx, etc.

Not terribly important, but at least interesting question for me.

Thanks,
Chris Bennett




If you say 'outbound IP' I am guessing you WAN facing public address.


There are several ways to do this


The first would be to use a NAT Pool. This would effectively pop all 
your public addresses a selectable group:



eg. { 1.1.1.1 , 2.2.2.2 , 3.3.3.3 , 4.4.4.4 }


Depending on the pool configuration ie. if there was any weighting put 
on for IP selection or it would simply use a round-robbin type of selection.



https://www.openbsd.org/faq/pf/nat.html


https://www.openbsd.org/faq/pf/example1.html


Another method would be to setup a static route. So in the above example 
with NAT pool you could simply say something like:



IP 172.16.40.52 -> 1.1.1.1


So your PF rule would then be something like:


match out on $ext_if from 172.16.40.52 to any nat-to {1.1.1.1}



The weighted option or a load balanced option would have something like 
this:



https://www.openbsd.org/faq/pf/pools.html


Regards,


Kaya

Re: With all this CPU/hardware mess, any advice on what to use for an organization?

[Kaya Saman]

On 11/20/18 8:11 PM, Chris Bennett wrote:

On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:

On 11/20/18 11:43, Chris Bennett wrote:

Unfortunately, if you have performance requirements, your choices are
AMD and Intel.  Older Intel and AMD chips aren't getting any support to
deal with these problems, so your choices are incredibly old chips which
are probably not in the most reliable hardware, and a whole bunch of
other old, unreliable, and slow hardware platforms.  But be realistic.
Your bosses will probably mandate a VM on someone else's hw, a wordpress
website, one box for everything, and that you give him the root password
which he'll e-mail to himself to keep it "secure".  Your most likely
breach points will be an easily guessed password (usually, a manager's),
a bug in a web content management system, or someone believing that
"secure e-mail" is a thing.  In other words, Same Old Shit.  It probably
won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
be.  Obsessing about them is generally missing the real day-to-day risks.


Does no one at all use OpenBSD for anything but making money or looking
cool?
Does no one at all do any kind of work for charity?
Is there some virus going around that makes everyone so hostile?

Why assume that I have some idiotic boss that wants to fuck things up?
Did it ever occur to you that I might be doing this work for free?
Did it ever occur to you that the organization might be doing major
disaster relief from all of the recent hurricanes devastating the
Southern US. That they might be helping to protect first responders
doing wellness checks on homes? That they might be stopping homes and
businesses from being looted?
That the primary members of the organization are law enforcement,
paramedics and veterans?

But hey, if I can't fill up my bank account, I guess the usage of
OpenBSD is discouraged.




I don't think the response was assumed as such. It just is that there 
are so many issues with corporate politics and higher ups thinking they 
know things that gives OpenSource software a bad rep! Even once people 
didn't understand what OpenSource was and asked me what I did while 
'working at OpenSource' lol



As to different H/W yes there are still some different systems around... 
like IBM PowerPC P-series based systems, Oracle SPARC, I think HP's own 
UX capable machines are dead now; though my info could be several years 
out of date as I haven't dealt with this type of system in a long time.



Agreed that Cloud is a lot of corporate hype in many aspects as to lower 
expenditure.



Will you be building just the mail server or the whole infrastructure??


Virtually what you want to do is a good firewall protecting everything. 
OpenBSD excels at security so definitely recommended. As to mail server, 
I really think you need to research the different components first that 
make up the system.


Firstly for power reasons what type of usage do you estimate?

Will you be needing a separate external mail gateway?

Does your ISP offer Reverse DNS?


After that the best thing to do would be to setup a small lab with a 
test machine and try different setups out. Like say using Sendmail, 
Postfix etc for SMTP. Many people here have different opinions and 
takes on this but really it is up to you to decide what you like best 
and also what you need it to do - you can only find that out by testing 
out different things.


Then how your users will connect... IMAP, POP, HTTP?? In todays day and 
age IMAP is the preferred protocol but there of course are others - 
please do not ever mention M$ Exchange as it should be obliterated!



Once you understand the core components necessary then you will start to 
formulate specific questions of how/why is (x) needed etc... then 
answers can be more specific too but for now read a lot and test out 
different things to see which one fits you best :-)



Regards,


Kaya

Re: Routing stops after ipsec/gre tunnel activates

[Kaya Saman]

On 10/1/18 4:36 PM, Claudio Jeker wrote:

On Mon, Oct 01, 2018 at 04:16:48PM +0100, Kaya Saman wrote:

On 10/1/18 4:12 PM, Janne Johansson wrote:


Den mån 1 okt. 2018 kl 16:56 skrev Kaya Saman mailto:kayasa...@gmail.com>>:

 Hi,
 I've got an issue where something strange is happening with the
 routing
 table after establishing an ipsec connection it's quite hard to
 describe but what happens is that the tunnel establishes then routing
 goes down completely. The netstat -r command when run on the
 router just
 hangs and doesn't complete (show any routes).


Perhaps you can't reach your resolver, try running "netstat -rn" to
prevent netstat
from trying to resolve all ips and networks it lists.
--
May the most significant bit of your life be positive.


The resolver is local. However, the issue is deeper as inter-subnet
communications go down and these are ipv4 -> ipv4


If I kill the isakmpd process then communication resumes, as in all layer3+
services start functioning again: icmp, nfs, ssh etc


Since your policy is from 0.0.0.0/0 to 0.0.0.0/0 all traffic will end up
in the ipsec tunnel. I doubt this is what you want. IPsec flows steal the
traffic before routing happens. I think you need to refine your policy
also check with tcpdump what happens on enc0, etc. pp.



I changed the policy to this:


ike esp transport \
    from IP_local to IP_remote main auth hmac-md5 enc \
    3des group modp1536 quick auth hmac-md5 enc 3des group none 
lifetime 3600 psk "mykey"



Now phase 1 establishes fine but there seems to be an issue negotiating 
phase 2 I have exactly the same thing configured on the other end: 
"auth hmac-md5 enc 3des"



When I look at the debug output from the remote box, it uses a "byte 
lifetime" attribute in phase 2 when connecting to machines of the same 
make - Cisco. Additionally there seems to be some sort of 'proxy' 
connection too: 0.0.0.0 to remote / remote to 0.0.0.0



That would probably explain why the "from 0.0.0.0/0 to 0.0.0.0/0" worked 
but nothing else does



On the OpenBSD side in the logs I get this:


isakmpd[93469]: responder_recv_HASH_SA_NONCE: peer proposed invalid 
phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0


isakmpd[93469]: dropped message from  port 500 due to 
notification type INVALID_ID_INFORMATION



I have gone through the ipsec.conf man page thoroughly but can't seem to 
find any type of setting that would allow for this.



Doing something like:


from 0.0.0.0/0 to 0.0.0.0/0 local {IP} peer {IP} doesn't work either; or 
putting the '0.0.0.0/0.0.0.0' field into the srcid and dstid doesn't 
work either.



Checking back years ago, I managed to make it work with the global 
0.0.0.0/0 from/to setting but it looks like things have changed since 
then maybe?



Perhaps it simply isn't possible to get the two devices to establish 
phase 2 due to incompatibility?

Re: Routing stops after ipsec/gre tunnel activates

[Kaya Saman]

On 10/1/18 4:36 PM, Claudio Jeker wrote:

On Mon, Oct 01, 2018 at 04:16:48PM +0100, Kaya Saman wrote:

On 10/1/18 4:12 PM, Janne Johansson wrote:


Den mån 1 okt. 2018 kl 16:56 skrev Kaya Saman mailto:kayasa...@gmail.com>>:

 Hi,
 I've got an issue where something strange is happening with the
 routing
 table after establishing an ipsec connection it's quite hard to
 describe but what happens is that the tunnel establishes then routing
 goes down completely. The netstat -r command when run on the
 router just
 hangs and doesn't complete (show any routes).


Perhaps you can't reach your resolver, try running "netstat -rn" to
prevent netstat
from trying to resolve all ips and networks it lists.
--
May the most significant bit of your life be positive.


The resolver is local. However, the issue is deeper as inter-subnet
communications go down and these are ipv4 -> ipv4


If I kill the isakmpd process then communication resumes, as in all layer3+
services start functioning again: icmp, nfs, ssh etc


Since your policy is from 0.0.0.0/0 to 0.0.0.0/0 all traffic will end up
in the ipsec tunnel. I doubt this is what you want. IPsec flows steal the
traffic before routing happens. I think you need to refine your policy
also check with tcpdump what happens on enc0, etc. pp.



I had a hunch that was the case!!


So I will try to make the other end work now without the "default route" 
style policy.

Re: Routing stops after ipsec/gre tunnel activates

[Kaya Saman]

On 10/1/18 4:12 PM, Janne Johansson wrote:



Den mån 1 okt. 2018 kl 16:56 skrev Kaya Saman <mailto:kayasa...@gmail.com>>:


Hi,
I've got an issue where something strange is happening with the
routing
table after establishing an ipsec connection it's quite hard to
describe but what happens is that the tunnel establishes then routing
goes down completely. The netstat -r command when run on the
router just
hangs and doesn't complete (show any routes).


Perhaps you can't reach your resolver, try running "netstat -rn" to 
prevent netstat

from trying to resolve all ips and networks it lists.
--
May the most significant bit of your life be positive.



The resolver is local. However, the issue is deeper as inter-subnet 
communications go down and these are ipv4 -> ipv4



If I kill the isakmpd process then communication resumes, as in all 
layer3+ services start functioning again: icmp, nfs, ssh etc

Routing stops after ipsec/gre tunnel activates

[Kaya Saman]

Hi,


I've got an issue where something strange is happening with the routing 
table after establishing an ipsec connection it's quite hard to 
describe but what happens is that the tunnel establishes then routing 
goes down completely. The netstat -r command when run on the router just 
hangs and doesn't complete (show any routes).



What I'm doing is this:


start isakmp: isakmpd -Kv

run ipsecctl: ipsecctl -f /etc/ipsec.conf


my gre0 interface is setup like so:

hostname.gre0 ->

  netmask 0x up
tunnel  


inside ipsec.conf I have:


ike esp transport \
    from 0.0.0.0/0 to 0.0.0.0/0 peer  main auth hmac-md5 
enc \

    3des group modp1536 quick auth hmac-md5 enc 3des psk "mykey"


(I need to have the 0.0.0.0/0 address in the "to" and "from" field 
otherwise the connection doesn't establish with the other end - non 
OpenBSD box)



I can see the connection fine using ipsecctl -sa and icmp packets are 
able traverse the tunnel, but routing completely goes down??



I'm not sure what else I can provide in terms of information as the 
messages log doesn't show anything useful outside of "phase 1 done" 
followed by "quick mode done"; the system version is CURRENT: 6.4 
GENERIC.MP#290 amd64



Any assistance would be appreciated.


Kaya

Re: Running your own mail server

[Kaya Saman]

Oh is it dead??


It used to be THE thing mind you it was the turn of the century that we 
are talking about! looks like I'm a little out of date lol



Personally I haven't played around with Mail Web clients for a while; 
yeah there is Roundcube or Horde which was quite cool when I ran it in 
the day.



Like many others have said IMAPssl is the way to go, though I wouldn't 
expose it to the web. Use a nice VPN system instead. Either a dedicated 
machine running OpenVPN as an example or a second hand Cisco ASA or any 
other enterprise equivalent firewall/VPN concentrator that you can pick 
up for cheap. Even OpenBSD has L2TP vpn built in which works well with 
Android clients.



Regards,


Kaya


On 9/18/18 11:18 PM, Duncan Guthrie wrote:

Hi,

Please do not recommend SquirrelMail. It is unmaintained. Its last
release was 5 years ago.

User interfaces like Roundcube and Rainloop work well enough and still
are actively maintained. I do not know how well those other ones you
listed work.

Alternatively, direct your users to some clear and well-written
instructions that would allow them to configure a mail client of their
choice.

Best wishes,
Duncan

On 09/08/18 16:39, Kaya Saman wrote:

I agree here!


Basically you would need a few components:


MTA / MDA / MUA


https://en.wikipedia.org/wiki/Message_transfer_agent


One way to do it would be something like: Postfix / Courier IMAP / Then
bolt something like SquirrelMail on top for web UI client


There are many ways to achieve the same goal as in you don't have to use
Postfix you could go for Sendmail or any other


However for you it might be a better option to go with Linux as @Jay
suggested and then whack something like Scalix or Zimbra on top..


http://www.scalix.com/en/


https://www.zimbra.com/


That way you have a fully managed mail system right out of the box with
granular control of what users can and can't do.


Regards,


Kaya

Re: Running your own mail server

[Kaya Saman]

On 9/9/18 5:54 PM, Ken M wrote:

On Sun, Sep 09, 2018 at 05:49:31PM +0100, Stuart Henderson wrote:

In a nutshell, monitoring email is concentrating on what is really
likely to be one of the less problematic areas. The others, which IMO
are MUCH more likely to be involved if any problems do occur, are less
amenable to this sort of treatment.

(For my children, 12-16, email is pretty much a last resort if other
methods aren't available, I think that's pretty common nowadays).


It's funny how things change per generation in tech. Even though I have a smart
phone if I really have to compose a message I want a keyboard. And for
communication I so prefer email because it can truly work on all connected
devices where chat, and texts and other apps I am more at the mercy of an app or
proprietary api, meanwhile with email I sync my mutt config and I have the
terminal and vi style interface to work with that can be the same everywhere.

I am now the fuddy duddy...

Ken



Lol... :-) Perhaps showing the kids a DEC VT100 style terminal might get 
their attention (though in good way or bad??) as through serial port 
text based mail will work great on those; Mutt or Alpine etc...



Though this is completely off-topic now! ;-)

Re: Running your own mail server

[Kaya Saman]

On 9/9/18 5:42 PM, Ken M wrote:

On Sun, Sep 09, 2018 at 11:24:38AM -0500, Ed Ahlsen-Girard wrote:

While you should not take technical advice on mail servers from me,
I've raised two kids to adulthood with a 17 year old to go, and had
almost 200 foster children.

The impedance mismatch you have with the missus is more important than
the mail.


Yeah, I know, and maybe I am exaggerating it in this discourse. Her words are,
"they can have all the privacy they want when they are 18" and I don't feel that
is a completely practical stand point. And in fact her own experience should
tell her that might not be the best approach.

I think what I want is something that I could monitor if need be, but would
rather not.

I am starting to lean more towards either paying for email service or paying for
something that is a stronger parental control for all of their devices. My
bigger concern is the link jacking porn sites can do. I recall once in the 90's
mistyping msnbc.com at work and the carnage from a site called cafe flesh that
came out.

Ken



Maybe your ISP has option for "Parental Control"?? I know these days it 
is a big concern so many do offer this type of service



Just a thought??


--K

Re: Running your own mail server

[Kaya Saman]

On 9/8/18 6:01 PM, Chris Bennett wrote:

[snip]

IMHO, I would skip using partially insecure OS's like Linux. These are
your kids!



Of course security at the OS level is important but also a lot of work 
must be done around in the infrastructure area too for security... 
running a good IDS for example: OpenBSD with Snort totally rocks in this 
area going through a web proxy... again OpenBSD with Squid and Clamd.



Additionally perhaps a VPN to whatever mail solution the OP chooses if 
'in house' like OpenVPN running on an OBSD gateway for example then lock 
down the mail system to just have port 25 open inbound in PF maybe even 
with queueing enabled.



Encryption of the storage medium can also be suggested so wherever the 
maildir store is located the FS becomes encrypted as added layer of 
security.



There's a lot one can do even just by sticking to a few OpenBSD based 
boxes but it really is a matter of locking things down as opposed to 
doing something silly even OpenBSD will become insecure if port 22 
(ssh) is opened up with root account available and password something 
easily guessed like 'root' or 'admin'.



It's not really a short topic that has one specific answer but I will 
state that OpenBSD for router/gateways and servers is an excellent 
solution as unlike other OS's is not resource intensive and overall 
pretty secure right out of the box.



--K

Re: Running your own mail server

[Kaya Saman]

I agree here!


Basically you would need a few components:


MTA / MDA / MUA


https://en.wikipedia.org/wiki/Message_transfer_agent


One way to do it would be something like: Postfix / Courier IMAP / Then 
bolt something like SquirrelMail on top for web UI client



There are many ways to achieve the same goal as in you don't have to use 
Postfix you could go for Sendmail or any other



However for you it might be a better option to go with Linux as @Jay 
suggested and then whack something like Scalix or Zimbra on top..



http://www.scalix.com/en/


https://www.zimbra.com/


That way you have a fully managed mail system right out of the box with 
granular control of what users can and can't do.



Regards,


Kaya


On 9/8/18 4:32 PM, Jay Hart wrote:

Ken,

I've run my own email server for 15 years now I think. I stick with Linux for 
email server,
OpenBSD for routing/firewall. I personally find this is the best of both 
worlds...

Just my 35 cents...

Jay


Just curious how many of you use openbsd to run your own personal email server?
Do you find it a hassle to manage in any way?

I know openbsd is perfectly fine for a mail server, don't get me wrong the
question is more about is it worth it to do yourself. Specifically I will
probably be doing it through a guest on vultr.

Back story my family all has email addresses through the domain I have. Which
basically will forward to a gmail account. The kids accounts don't really
forward anywhere, they are place holders I guess. But they are getting old
enough to use their own accounts for things and not just through the school
which sets them up with google accounts to use through their chromebook.

So my wife really doesn't like the idea of setting them loose on their own email
accounts, and I don't necessarily disagree with her, but I disagree on the way
to do it. In a gmail point of view all I can think of is shared passwords for
for the kids. I don't like that because first of all they could change it,
second of all monitoring their email means literally reading their email.

My wife and I have different views on privacy as well.

I was thinking I could run my own email server to give them accounts there, and
at the same time instead of reading their email be able to more specifically
block certain senders, but also to scan the email for troubling words. In my
mind that is things like suicide, kill, etc.

So I guess the end question, is for protecting the email of minors is running my
own email server, when I have never done it before on any OS, worth it over some
other solution. And yes I am very open to other suggestions for a solution, even
if it is something I have to pay for, to avoid sharing passwords or grotesque
privacy infringement of literally reading all their emails.

Welcome to differences of opinion as well.  Thank you.

Ken

Re: New laptop recommendations

[Kaya Saman]

I couldn't say for the compatibility with OpenBSD though I have read 
other people running on them, but how about Lenovo??



I've got an X220 which I run a Linux distro on which I'm really happy 
with though the i7 CPU does seem to overheat for some reason, though I 
seem to have this issue with all laptops I've gone through?? Must be me :-S


- only system that never overheated was my old PowerBook G3 Firewire 
running Mac OS 9



I might be remembering wrong but I'm sure I've seen people on the list 
running OBSD on X-series Lenovo's so it might be worth a shot unless 
anyone else has better suggestions :-)



Regards,


Kaya


On 06/19/18 11:37, Rupert Gallagher wrote:

I'm done with my 10 years old 1200EUR MacBookPro. It served me well, every day, 
but is now falling apart, finally.

I would buy a new one if only Steve Jobs would be alive and keeping Apple 
inspired. The new models are meticulously designed to make you suffer: 
expensive, slow cpu, soldered ram, soldered disk, small disk, bad keyboard 
keys, wifi only, must pay extra for standard connectors.

I have 1500EUR for a new laptop. What would you buy with it?

Re: Bandwidth Queuing on Asymmetrical Connections?

[Kaya Saman]

Hi Jordan,


I ask this a while back too and many thanks to Stuart Henderson who 
might chime in? Basically the queuing is done on the outbound interface.



So when you make your rules if you have 15Mbs upstream bandwidth then 
that is where you do the queuing. See the OBSD and PF manual for how to 
set queues up in PF. You can then monitor them through 'systat q' or 
'pfctl -sq'.



Something like eg. pass out quick on $ext_if proto tcp from 
{WAN_ADDRESS} to any port 80  modulate state set queue http_out set prio 4



Regards,


Kaya


On 02/17/18 20:30, Jordan Geoghegan wrote:
Hi folks, I was wondering how one goes about maintaining separate 
upload and download queues in pf. I have been playing with various 
combinations and I can't seem to get both queues to apply simultaneously.


For example, I have a 150 down 15 up connection. I want to limit a 
specific device on the network to 100 down and 10 up. I can't for the 
life of me figure out how to make this apply. I either end up setting 
a 10 megabit limit or 100. How do the pf gurus manage their 
asymmetrical connections?

Re: pfstat not generating graphs after upgrading to -current

[Kaya Saman]

On 02/15/18 07:48, Glenn Faustino wrote:

After deleting and installing pfstat it now works, thanks guys!

Feb 15 14:26:37 OpenBSD pkg_delete: Removed pfstat-2.5p1
Feb 15 14:27:02 OpenBSD pkg_add: Added pfstat-2.5p1

$ doas pfstat -q -d /var/db/pfstat.db
$


Regards,
Glenn


Hi,

I'm experiencing the exact same issues for both pfstat and pftop however,
running pkg_delete / pkg_add doesn't seem to work for me as a fix :-(


pfstat -q -p
ioctl: DIOCGETSTATUS: Permission denied
pf_query: query_counters() failed

pftop: DIOCGETSTATUS: Permission denied


uname -a : 6.2 GENERIC.MP#408 amd64 <- also CURRENT updated a few days ago


Regards,

Kaya


Mine is OpenBSD 6.2-current (GENERIC) #6: Tue Feb 13 20:12:04 MST 2018

Can you try installing the latest snapshot?

Regards,
Glenn


Hi Glenn,

just updated now and ran pkg_delete / pkg_install again for pftop / 
pfstat but unfortunately they still come up with the same error. 
Probably because I have a few tunnel interfaces and pppoe interfaces ?? 
{wild guess}


Also it seems that at boot pf doesn't seem to read or like my pf.conf. 
After the system has booted I can manually get pf to read the file using 
pfctl -f /etc/pf.conf but it should be automatic.



Regards,


Kaya

Re: pfstat and queueing

[Kaya Saman]

On 02/15/2018 01:34 PM, Stuart Henderson wrote:

On 2018/02/15 13:27, Kaya Saman wrote:


On 02/15/2018 12:13 PM, Stuart Henderson wrote:

On 2018-02-15, Kaya Saman <kayasa...@gmail.com> wrote:

does queueing still function with pfstat? As far as I'm aware it still
uses the old altq method which has long been abandoned.

you're correct, pfstat hasn't been updated to follow changes in PF for
a long time. the only change in pfstat since 2007 has been adding the
-f flag to copy/clean the database.



Thanks Stuart for the confirmation.


Hmm looks like this might be a feature request to Daniel then. or
someone who's working on pfstat :-)

Nobody is visibly working on pfstat.

If anyone did want to work on queue monitoring I'd encourage them to
look at adding to snmpd instead (it will need a custom MIB). There are
plenty of things that can monitor SNMP stats, and as it's in base,
there are no real worries about ABI getting out of sync.


Interesting!

I think I agree with SNMP. It would be great if pf could be monitored 
through net-snmp or the built in snmp. To be able to see what PF is 
doing in something like Observium, Zabbix, Cacti or any other SNMP based 
monitoring software would be a really nice asset.


Regards,

Kaya

Re: pfstat and queueing

[Kaya Saman]

On 02/15/2018 12:13 PM, Stuart Henderson wrote:

On 2018-02-15, Kaya Saman <kayasa...@gmail.com> wrote:

does queueing still function with pfstat? As far as I'm aware it still
uses the old altq method which has long been abandoned.

you're correct, pfstat hasn't been updated to follow changes in PF for
a long time. the only change in pfstat since 2007 has been adding the
-f flag to copy/clean the database.




Thanks Stuart for the confirmation.


Hmm looks like this might be a feature request to Daniel then. or 
someone who's working on pfstat :-)



Regards,


Kaya

pfstat and queueing

[Kaya Saman]

Hi,


does queueing still function with pfstat? As far as I'm aware it still 
uses the old altq method which has long been abandoned.



It would be great if pfstat would graph queues again but the config 
example in: /usr/local/share/examples/pfstat/pfstat.conf still has the 
old altq style?



Whenever I try to run it, the output is "queueing not supported". As I'm 
on -current the last os update broke it as referenced in the @list 
previously so will wait on the fix before testing again.



Regards,


Kaya

Re: pfstat not generating graphs after upgrading to -current

[Kaya Saman]

On 02/15/2018 06:39 AM, Glenn Faustino wrote:

On Thu, Feb 15, 2018 at 1:48 PM, Sebastien Marie  wrote:

On Thu, Feb 15, 2018 at 12:29:23AM +, Stuart Henderson wrote:

On 2018-02-14, Glenn Faustino  wrote:

Hi,


Did you upgrade your packages after upgrading to -current? Can you
share your /etc/pfstat.conf?

Every time I upgrade to -current I also update packages.

Try forcing pfstat to update (pkg_delete and pkg_add maybe, if that
doesn't help then build it yourself from ports). If that helps then let
me know because we need to figure out what change necessitated this and
track down which ports need REVISION bumps to force updates..


I had a similar problem with pftop (pftop-0.7p16).

$ doas pftop
pftop: DIOCGETSTATUS: Permission denied

After forcing a reinstall (pkg_delete + pkg_add) it works again.

 From my /var/log/messages, the previous reinstall (done using pkg_ad -u)
was from Jan 20:

$ grep pftop /var/log/messages
Dec 30 10:10:58 alf pkg_add: Added pftop-0.7p16->0.7p16
Jan 20 11:20:49 alf pkg_add: Added pftop-0.7p16->0.7p16
Feb 15 06:40:54 alf pkg_delete: Removed pftop-0.7p16
Feb 15 06:41:03 alf pkg_add: Added pftop-0.7p16

Thanks.
--
Sebastien Marie


After deleting and installing pfstat it now works, thanks guys!

Feb 15 14:26:37 OpenBSD pkg_delete: Removed pfstat-2.5p1
Feb 15 14:27:02 OpenBSD pkg_add: Added pfstat-2.5p1

$ doas pfstat -q -d /var/db/pfstat.db
$


Regards,
Glenn



Hi,

I'm experiencing the exact same issues for both pfstat and pftop 
however, running pkg_delete / pkg_add doesn't seem to work for me as a 
fix :-(



pfstat -q -p
ioctl: DIOCGETSTATUS: Permission denied
pf_query: query_counters() failed

pftop: DIOCGETSTATUS: Permission denied


uname -a : 6.2 GENERIC.MP#408 amd64 <- also CURRENT updated a few days ago


Regards,

Kaya

Dansguardian port

[Kaya Saman]

Hi,

I've got the Dansguardian port installed and it still seems to be part
of the packages list too. https://ftp.openbsd.org/pub/OpenBSD/6.1/packa
ges/amd64/

However, I think that the actual software isn't maintained anymore as
it's original home: http://dansguardian.org/ has vanished.


There is however, a content filter replacement which is based on DG
called called e2guardian.
http://e2guardian.org/cms/index.php
https://github.com/e2guardian/e2guardian

I have tried to compile all the versions for testing purposes and seems
that v3.4 and v3.5 do compile though when doing a ./configure one has
to set the CC value as /usr/local/bin/x86_64-unknown-openbsd6.1-gcc-
4.9.4
and CXX value to /usr/local/bin/x86_64-unknown-openbsd6.1-eg++
as it requires gcc version 4.7 or later to build.

I was unable to get the v4.x line to build however, so I may need to
ask on github for some assistance on that one; but I'm not sure who is
maintaining the DG port, if they would consider switching to e2g??

Currently testing with e2g as it does run unlike the current DG port as
I think the libraries that it was built with are probably too old now.
I'm hoping it should work as a sort of 'inplace' replacement but able
to do more - hopefully?!


Regards,

Kaya 

Re: Using queueing on asynchronous interface

[Kaya Saman]

On 07/27/2017 05:30 PM, Stuart Henderson wrote:

On 2017-07-26, Kaya Saman <kayasa...@gmail.com> wrote:

[snip]

I'm finding that I don't really need much in the way of "downstream"
queueing though. It might be needed in special cases but using mikeb's
shiny new fq-codel code in -current, one single queue definition on the
upstream interface is keeping traffic flowing nicely.

queue hfsq-em1 on em1 flows 1024 bandwidth $BW_ZEN max $BW_ZEN quantum 400 
qlimit 1000 default

Is fq_codel already implemented in -current yet?

Yes.


I just grabbed the latest snapshot but can't find the files in the
sys/net directory??

https://github.com/openbsd/src/tree/master/sys/net

https://github.com/openbsd/src/commits/master/sys/net/fq_codel.c
(and other files).




Sorry if I wasn't clear... I was trying to say that I don't have those 
files:


fq_codel.c
fq_codel.h

in my sys/net directory:

# ls |sort
CVS
bpf.c
bpf.h
bpf_filter.c
bpfdesc.h
bridgestp.c
bsd-comp.c
ethertypes.h
hfsc.c
hfsc.h
if.c
if.h
if_aoe.c
if_aoe.h
if_arp.h
if_bridge.c
if_bridge.h
if_dl.h
if_enc.c
if_enc.h
if_ethersubr.c
if_gif.c
if_gif.h
if_gre.c
if_gre.h
if_llc.h
if_loop.c
if_media.c
if_media.h
if_mpe.c
if_pflog.c
if_pflog.h
if_pflow.c
if_pflow.h
if_pfsync.c
if_pfsync.h
if_ppp.c
if_ppp.h
if_pppoe.c
if_pppoe.h
if_pppvar.h
if_pppx.c
if_sl.c
if_slvar.h
if_sppp.h
if_spppsubr.c
if_trunk.c
if_trunk.h
if_tun.c
if_tun.h
if_types.h
if_var.h
if_vether.c
if_vlan.c
if_vlan_var.h
if_vxlan.c
if_vxlan.h
netisr.c
netisr.h
pf.c
pf_if.c
pf_ioctl.c
pf_lb.c
pf_norm.c
pf_osfp.c
pf_ruleset.c
pf_table.c
pfkey.c
pfkeyv2.c
pfkeyv2.h
pfkeyv2_convert.c
pfkeyv2_parsemessage.c
pfvar.h
pipex.c
pipex.h
pipex_local.h
ppp-comp.h
ppp-deflate.c
ppp_defs.h
ppp_tty.c
radix.c
radix.h
radix_mpath.c
radix_mpath.h
raw_cb.c
raw_cb.h
raw_usrreq.c
route.c
route.h
rtsock.c
slcompress.c
slcompress.h
slip.h
trunklacp.c
trunklacp.h

which is odd - maybe I updated from a mirror which hadn't been sync'ed 
yet with the latest. Just checked the "snapshots" directory and looks 
like it got updated today so will try again now  :-)


Thanks again Stuart for all your help!

Regards,

Kaya

Re: Using queueing on asynchronous interface

[Kaya Saman]

[snip]

I'm finding that I don't really need much in the way of "downstream"
queueing though. It might be needed in special cases but using mikeb's
shiny new fq-codel code in -current, one single queue definition on the
upstream interface is keeping traffic flowing nicely.

queue hfsq-em1 on em1 flows 1024 bandwidth $BW_ZEN max $BW_ZEN quantum 400 
qlimit 1000 default


Is fq_codel already implemented in -current yet?

I just grabbed the latest snapshot but can't find the files in the 
sys/net directory??


https://github.com/openbsd/src/tree/master/sys/net


Kaya

Re: Using queueing on asynchronous interface

[Kaya Saman]

Many thanks Stuart!



On 07/26/2017 11:37 AM, Stuart Henderson wrote:

On 2017-07-25, Kaya Saman <kayasa...@gmail.com> wrote:

My goal is to use a different queue for up/down were I can change the
max bandwidth accordingly.

Queuing is done outbound, your "in" queues actually need to be on the
outbound interfaces. The trick is that "queue foo on em0" and "queue foo
on em1" are separate queues but traffic assignment is done using the
"foo" part. Don't try to split traffic between _in and _out queues.
The queue is stored with the PF state; the PF state covers traffic in
both directions. So you just want "somequeue", not "somequeue_in"
and "somequeue_out", and get rid of the received-on.


I have revised my queueing statements as you suggested and will 
definitely look further into adjusting them via your input.



I created a list of vlan interfaces called q_if though in one of the
links above Stuart Henderson doesn't advise it but the vlans are bound
to an lacp trunk with a group of physical interfaces

Generally I prefer simple failover for trunk, then this would be easy
(a separate queue on each physical interface - the interfaces don't need
to interact with each other, only one is used at a time).

If you must have load-balancing you could play with queueing on the trunk
interface rather than the physical ones, though I haven't tried this.


It's not really load-balancing that is needed but rather a solution to 
allow for extra throughput-bandwidth when needed. I find the trunk does 
go up to and over 2Gbps at times.




I'm finding that I don't really need much in the way of "downstream"
queueing though. It might be needed in special cases but using mikeb's
shiny new fq-codel code in -current, one single queue definition on the
upstream interface is keeping traffic flowing nicely.

queue hfsq-em1 on em1 flows 1024 bandwidth $BW_ZEN max $BW_ZEN quantum 400 
qlimit 1000 default


Fantastic! I will take a look at flows, quantum and qlimit and try to 
understand how these options affect the traffic.




(I am also throttling wifi per-user. OpenBSD's queueing isn't geared up
for that - with v4 you can sort-of do it with loads of separate per-IP
queues but it's horribly ugly, and no good at all for v6 - so I'm doing
that in the APs instead.)



Yeah... wifi is one of those connection types that can be a pain to get 
to function well. I'm going to have to revise my 802.11 setup at some 
point to go from "Standalone" AP's to a controller based solution for 
device handover etc...



Best Regards,

Kaya

Using queueing on asynchronous interface

[Kaya Saman]

Hi,


I'm trying to setup packet queueing on a WAN interface with 80Mb/s 
downstream bandwidth and 20Mb/s upstream bandwidth.



The first point of call of course is the PF manual: 
https://man.openbsd.org/pf.conf.5



Then had a look to see what others had issues with and solutions suggested:

http://openbsd-archive.7691.n7.nabble.com/Debugging-queues-on-pf-td290829.html

http://misc.openbsd.narkive.com/lWIShFZi/per-vlan-traffic-control


My goal is to use a different queue for up/down were I can change the 
max bandwidth accordingly.



So far I created a default queue outbound on the ext_if which works fine:


queue rootq_out on $ext_if bandwidth 20M
queue mail_out parent rootq_out bandwidth 2M min 1M max 20M
queue http_out parent rootq_out bandwidth 2M min 1M max 20M
queue voice_out parent rootq_out bandwidth 10M min 2M max 20M
queue dns_out parent rootq_out bandwidth 1M min 512K max 20M

queue else_out parent rootq_out bandwidth 5M max 20M default


match out on $ext_if proto tcp from  to any port { 80, 443 } set 
queue http_out set prio 5


match out on $ext_if proto tcp from  to any port { 25, 465, 587, 
993 } set queue mail_out set prio 4


match out on $ext_if proto udp from  to any port 5060 set queue 
voice_out set prio 7


queue rootq_out on $ext_if bandwidth 20M
queue mail_out parent rootq_out bandwidth 2M min 1M max 20M
queue http_out parent rootq_out bandwidth 2M min 1M max 20M
queue voice_out parent rootq_out bandwidth 10M min 2M max 20M
queue dns_out parent rootq_out bandwidth 1M min 512K max 20M


I have a block of IPv4 addresses hence the IP1 and IP2.


But for the downstream I am struggling to get the inbound packets to add 
to the appropriate queue.



I created a list of vlan interfaces called q_if though in one of the 
links above Stuart Henderson doesn't advise it but the vlans are bound 
to an lacp trunk with a group of physical interfaces



queue rootq_in on $q_if bandwidth 80M
queue mail_in parent rootq_in bandwidth 10M min 1M max 80M
queue http_in parent rootq_in bandwidth 10M min 1M max 80M
queue else_in parent rootq_in bandwidth 5M max 80M default


So then tying those to the interface I used:


match out on $q_if proto tcp from any port { 80, 443 } to any set queue 
http_in set prio 5 received-on pppoe0


match out on $q_if proto tcp from any port { 25, 465, 587, 993 } to any 
set queue mail_in set prio 5 received-on pppoe0



I probably am approaching this in the wrong way as the state-table as 
pointed out by Stuart to check, only shows packets travelling outbound 
towards the public net and not back again.



So basically how would one assign queueing to this type of interface? 
There is NAT involved which is why I added the "received-on pppoe0" 
option but even with it off it doesn't function meaning that I am 
confused and doing something wrong :-(




Regards,


Kaya

Re: xntp mlockall issue patched yet?

[Kaya Saman]

On 07/07/2017 10:11 PM, Allan Streib wrote:

Kaya Saman <kayasa...@gmail.com> writes:


I'm running current (6.1 GENERIC.MP#99 amd64) and keep getting this
message when trying to start ntp from @ports:

ntpd 4.2.8p10@1.3728-o Fri Jun  2 02:18:56 UTC 2017 (1): Starting

mlockall(): Cannot allocate memory

fatal out of memory (32 bytes)

Why not use ntpd(8), provided in the base install?

Allan
Yes, that would be fine however, I am running some scripts which need 
the output of the ntpq command which is part of xntp.

Re: xntp mlockall issue patched yet?

[Kaya Saman]

On 07/08/2017 12:11 AM, Christian Weisgerber wrote:

On 2017-07-07, Kaya Saman <kayasa...@gmail.com> wrote:


I'm running current (6.1 GENERIC.MP#99 amd64) and keep getting this
message when trying to start ntp from @ports:

ntpd 4.2.8p10@1.3728-o Fri Jun  2 02:18:56 UTC 2017 (1): Starting

mlockall(): Cannot allocate memory

fatal out of memory (32 bytes)

What exactly is your problem?

The ntpd from the net/ntp port runs fine.  It logs a harmless error
"mlockall(): Cannot allocate memory", but this doesn't affect its
operation.



The exact problem is that the service doesn't start... I have disabled 
the ntpd from base in rc.conf then execute the rc.d script and no 
service?? - just the error above.


The service is added in rc.conf.local as such:

xntpd=YES
xntpd_flags=""

so it should just kick in as expected but it doesn't :-(

xntp mlockall issue patched yet?

[Kaya Saman]

Hi,


found this posting back from 2013 and wondering if there was ever a 
commit on the proposed patch?


http://openbsd-archive.7691.n7.nabble.com/PATCH-mlockall-problem-in-OpenBSD-5-2-td166000.html


I'm running current (6.1 GENERIC.MP#99 amd64) and keep getting this 
message when trying to start ntp from @ports:



ntpd 4.2.8p10@1.3728-o Fri Jun  2 02:18:56 UTC 2017 (1): Starting

mlockall(): Cannot allocate memory

fatal out of memory (32 bytes)


"top" is showing that I have 5.6GB memory Free so it definitely isn't a 
memory issue as I'm sure unless there was a leak that ntpd wouldn't use 
'that' much.



As writing I managed to start the daemon manually by issuing 
/usr/local/sbin/ntpd from the cli; checking /var/log/messages these are 
the errors coming up:



ntpd 4.2.8p10@1.3728-o Fri Jun  2 02:18:56 UTC 2017 (1): Starting

mlockall(): Cannot allocate memory

./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:

getting interface addresses: getifaddrs: Cannot allocate memory



If this is an interface issue, I just killed the process and tried to 
issue the command: /usr/local/sbin/ntpd -I vlan(num)



and unfortunately again it is bombing out with the above error :-(


Can anyone offer any inspiration on this?


Many thanks.


Kaya

ntpd 4.2.8p10@1.3728-o Fri Jun  2 02:18:56 UTC 2017 (1): Starting

fatal out of memory (32 bytes)

fatal out of memory (32 bytes)

Re: FTP proxy not listing certain directories?

[Kaya Saman]

This is interesting!


I have diagnosed the issue thus far:


ftpproxy has issues with some directories. that are large from FTP 
servers.



I thought I had run into one of these:


CAVEATS
 pf(4) does not allow the ruleset to be modified if the system is 
running

 at a securelevel(7) higher than 1.  At that level ftp-proxy cannot add
 rules to the anchors and FTP data connections may get blocked.

 Negotiated data connection ports below 1024 are not allowed.

 The negotiated IP address for active modes is ignored for security
 reasons.  This makes third party file transfers impossible.

 Since ftp-proxy acts as a man-in-the-middle it breaks explicit FTP TLS
 connections (RFC 4217).


however, it doesn't seem to be the case; I think it is something to do 
with a timeout somewhere in that the server closes the connection early 
before the client has a chance to list the directory:



 -t timeout
 Number of seconds that the control connection can be idle, 
before
 the proxy will disconnect.  The maximum is 86400 seconds, 
which

 is also the default.  Do not set this too low, because the
 control connection is usually idle when large data 
transfers are

 taking place.

-> though it seems not the ftp-proxy timeout as that is set to 86400 by 
default.



Not using the proxy is completely possible as PF seems to handle 
outbound client FTP sessions fine, however, tracking the port usage, it 
looks as though even if port 21 is opened within the firewall the FTP 
connection can be made but if other ports are being negotiated in the 
background eg:



# tcpdump -eni pflog0 net 129.250.47.99
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
11:13:23.613052 rule 823/(match) pass out on pppoe0: <***>.52444 > 
129.250.47.99.21: S 1808394633:1808394633(0) win 29200 1460,sackOK,timestamp 21801766 0,nop,wscale 7>
11:13:25.026958 rule 823/(match) pass out on pppoe0: <***>.56190 > 
129.250.47.99.1070: S 1729383519:1729383519(0) win 29200 1460,sackOK,timestamp 21802190 0,nop,wscale 7>



of course the dynamic port allocation won't work if everything else is 
being blocked.


This leads to the question: is there a way to handle opening up extra 
ports in PF after the condition of "pass in quick to port 21" has been met??


 passive [on | off]
 Toggle passive mode.  If passive mode is turned on 
(default
 is on), ftp will send a EPSV command for all data 
connections
 instead of the usual PORT command.  The PASV command 
requests

 that the remote server open a port for the data connection
 and return the address of that port.  The remote server
 listens on that port and the client connects to it.  When
 using the more traditional PORT command, the client 
listens

 on a port and sends that address to the remote server, who
 connects back to it.  Passive mode is useful when 
using ftp

 through a gateway router or host that controls the
 directionality of traffic.  (Note that though FTP 
servers are

 required to support the PASV command by RFC 1123, some do
 not.)

Or simply attempt to use Active ftp on port 20 - though this seems to be 
now legacy....



---K



On 01/29/2017 04:14 PM, Kaya Saman wrote:

Hi,


as I have now managed to get back into my OBSD system I have tested 
ftp again from clients yet still even with the recent upgrade I seem 
to be unable to list certain directories??



I have checked the option flags for ftpproxy (man ftpproxy) however, 
couldn't find anything of help.



An example is the Shrubbery ftp site:


this directory lists fine: ftp://ftp.shrubbery.net/pub/astraceroute/


while this one doesn't list at all?? ftp://ftp.shrubbery.net/pub/rancid/


tcpdump -eni doesn't show anythng specific:


16:01:40.755991 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: 
<***>.54958 > 129.250.47.99.21: . ack 2344340832 win 229 
<nop,nop,timestamp 1070904 3015288354> (DF)
16:01:40.756004 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 66: 
129.250.47.99.21 > <***>.54958: . ack 1 win 271 <nop,nop,timestamp 
3015288444 0>
16:01:42.938689 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 74: 
<***>.54962 > 129.250.47.99.21: S 3566867037:3566867037(0) win 29200 
 (DF)
16:01:42.938725 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 78: 
129.250.47.99.21 > <***>.54962: S 3753545844:3753545844(0) ack 
3566867038 win 16384 6,nop,nop,timestamp 2390749407 1071558>




16:02:04.356644 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 120: 
129.250.47.99.21 > <***>.54974: P 401:455(54) ack 112 win 271 
<nop,nop,timestamp 2400821070 1077862>
16:02:04.357548 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 

FTP proxy not listing certain directories?

[Kaya Saman]

Hi,


as I have now managed to get back into my OBSD system I have tested ftp 
again from clients yet still even with the recent upgrade I seem to be 
unable to list certain directories??



I have checked the option flags for ftpproxy (man ftpproxy) however, 
couldn't find anything of help.



An example is the Shrubbery ftp site:


this directory lists fine: ftp://ftp.shrubbery.net/pub/astraceroute/


while this one doesn't list at all?? ftp://ftp.shrubbery.net/pub/rancid/


tcpdump -eni doesn't show anythng specific:


16:01:40.755991 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54958 
> 129.250.47.99.21: . ack 2344340832 win 229  (DF)
16:01:40.756004 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 66: 
129.250.47.99.21 > <***>.54958: . ack 1 win 271 
16:01:42.938689 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 74: <***>.54962 
> 129.250.47.99.21: S 3566867037:3566867037(0) win 29200 1460,sackOK,timestamp 1071558 0,nop,wscale 7> (DF)
16:01:42.938725 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 78: 
129.250.47.99.21 > <***>.54962: S 3753545844:3753545844(0) ack 
3566867038 win 16384 6,nop,nop,timestamp 2390749407 1071558>




16:02:04.356644 00:25:90:d0:ba:00 10:0b:a9:5c:a4:2c 0800 120: 
129.250.47.99.21 > <***>.54974: P 401:455(54) ack 112 win 271 

16:02:04.357548 10:0b:a9:5c:a4:2c 00:25:90:d0:ba:00 0800 66: <***>.54974 
> 129.250.47.99.21: . ack 455 win 229  (DF)



--> then the report waits


I'm just wondering as the last statement is (DF) - the Do Not Fragment 
flag, could this be an MTU issue??



Though the odd thing is that this was working fine until two upgrades 
ago which are still quite recent 2017 dated.



In PF I have the standard rule:


# Proxy rules

anchor "ftp-proxy/*"

pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021


And as I'm on a VDSL2 line I have:


net.inet.tcp.mssdflt=1452


in sysctl.conf


and the MTU set on the PPPoE interface as: mtu 1492


All other web based traffic operates fine apart from certain ftp 
transactions??



Would anyone be able to suggest anything?


Many Thanks.


Kaya

Re: isakmpd quits out after running ipsec on CURRENT

[Kaya Saman]

On 12/03/2014 07:39 PM, Christian Weisgerber wrote:
 On 2014-12-03, Josh Grosse j...@jggimi.homeip.net wrote:

 This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
 Check your system logs for isakmpd: backwards memcpy.
 It may not be that change, since it was only committed two days ago.
 I've
 seen the same symptoms in i386 snapshots from Nov 26 and 30.
 Exactly, that change _fixes_ it.  In recent snapshots, memcpy()
 checks for overlap and aborts.

 For some background, see
 http://www.tedunangst.com/flak/post/memcpy-vs-memmove


When you mention the change **fixes** the bug, is there something in 
addition that needs to be done in order to get isakmpd and ipsec working 
together?


I am seeing this in the logs:

Dec  4 09:35:33 Gamma-Ray isakmpd: backwards memcpy

Dec  4 09:35:33 sys_name isakmpd: backwards memcpy


which is what was stated earlier.


Or does the **fix** exaggerate another bug in the code?


Regards,


Kaya

Re: isakmpd quits out after running ipsec on CURRENT

[Kaya Saman]

On 12/04/2014 04:28 PM, Ted Unangst wrote:

On Thu, Dec 04, 2014 at 12:29, Kaya Saman wrote:

On 12/03/2014 07:39 PM, Christian Weisgerber wrote:

On 2014-12-03, Josh Grosse j...@jggimi.homeip.net wrote:


This could be the bug fixed in src/sbin/isakmpd/ui.c rev 1.56.
Check your system logs for isakmpd: backwards memcpy.

It may not be that change, since it was only committed two days ago.
I've
seen the same symptoms in i386 snapshots from Nov 26 and 30.

Exactly, that change _fixes_ it.  In recent snapshots, memcpy()
checks for overlap and aborts.

For some background, see
http://www.tedunangst.com/flak/post/memcpy-vs-memmove


When you mention the change **fixes** the bug, is there something in
addition that needs to be done in order to get isakmpd and ipsec working
together?


I am seeing this in the logs:

Dec  4 09:35:33 Gamma-Ray isakmpd: backwards memcpy

Dec  4 09:35:33 sys_name isakmpd: backwards memcpy


which is what was stated earlier.


Or does the **fix** exaggerate another bug in the code?

There was *one* fix to isakmpd for *one* bug. There may be more than
one bug. There's certainly a lot more than one memcpy in it.


Thanks everyone for the responses sorry for the cross-wires in 
understanding the situation at present.


Will wait for a fix :-)


Regards,


Kaya

isakmpd quits out after running ipsec on CURRENT

[Kaya Saman]

Hi,

for some reason, this seems to have been for a while now; isakmpd will 
simply quit running after initiating: ipsecctl -f /etc/ipsec.conf

Starting isakmpd manually with flags -Kdv doesn't give any indication as 
to what might be causing the service to crash or segfault and nothing is 
reported in the logs - I checked both daemon and messages.

ipsec.conf consists of standard config:

ike passive esp transport \
 proto udp from 212.159.80.17 to any port 1701 \
 main auth hmac-sha enc aes group modp1024 \
 quick auth hmac-sha enc aes \
 psk Sclr11XP99

ike passive esp transport \
 proto udp from IP to any port 1701 \
 main auth hmac-sha enc aes group modp1024 \
 quick auth hmac-sha enc aes \
 psk Some_crazy_pass

Basically the setup used to work fine a few upgrades ago while I was on 
5.5 but then something seems to have changed and it stopped.

Along with the above I'm running npppd for ipsec/l2tp so I can run the 
native Android VPN client. I do run OpenVPN in addition but their seems 
to be some issue with routing on some apps so to get round that the 
choice is either: add default route manually when using OpenVPN / or use 
native client.


I managed to find this thread from the list:

http://comments.gmane.org/gmane.os.openbsd.misc/209636

and managed to pretty much validate my config in comparison but for some 
reason I cannot work this one out.

System is up to date as per last night and build is:

5.6 GENERIC.MP#633 amd64

5.6 GENERIC.MP#633 amd64


Would anyone be able to suggest anything?


Thanks.


Kaya

Re: Dansguardian not working after updating OBSD Current

[Kaya Saman]

Ok, so this is just a quick follow up.

Squid started dying too, checking the logs showed not enough file 
descriptors.

After looking at both /etc/login.conf openfiles-cur and the sysctl 
kern.maxfiles limits which were set extremely high to begin with 
turns out that the:

ulimit -n

was only showing as 64.

Changing that over to a value of 1 (overkill but better safe then 
sorry), Dansguardian managed to start and now both DG and Squid seem to 
be online and stable!

I wonder if it has something to do with the:

openfiles parameter in /etc/login.conf?


A response by Philip suggests this:

http://openbsd.7691.n7.nabble.com/setting-resource-limits-login-conf-and-ulimit-td223656.html


Just a quick observation, not sure if by design or other but ulimit 
doesn't seem to have a man page?

man ulimit
man: no entry for ulimit in the manual.

man ulimit
man: no entry for ulimit in the manual.

Though I did find a copy here:

http://ss64.com/bash/ulimit.html

:-)


So thanks Philip, looks like you saved my day twice!


Regards,


Kaya

On 09/17/2014 03:55 AM, Philip Guenther wrote:
 On Tue, Sep 16, 2014 at 4:27 PM, Kaya Saman kayasa...@gmail.com wrote:
 I'm not sure what happened but after updating OpenBSD today, then
 updating the installed packages Dansguardian seems to not be working.
 ...
 The only error in the logs that I can see is:

 dansguardian[11832]: Error polling child process sockets: Invalid argument
 dansguardian[11832]: Error polling child process sockets: Invalid argument
 So the error means that poll() is being passed an nfds argument too
 large, larger than the process could have open as fds.  It looks like
 the code, for some reason I cannot understand, passes poll() a pollfd
 structure for each child process...with fd=-1, so that it will be
 ignored.  Uh, why?  Why is it passing pollfd structures to the kernel
 that it *wants* the kernel to ignore?  It seems that the code could
 simply skip over allocating and filling in those pollfd structures and
 have the exact same effect.

 As for what changed, well, something changed the number of child
 processes you're experiencing (load?), or the process fd limit
 (RLIMIT_NOFILE) for dansguardian changed.


 Philip Guenther

Re: Dansguardian not working after updating OBSD Current

[Kaya Saman]

On 09/17/2014 03:32 PM, Stefan Olsson wrote:



Date: Wed, 17 Sep 2014 15:08:48 +0100
From: kayasa...@gmail.com
Just a quick observation, not sure if by design or other but ulimit
doesn't seem to have a man page?

-It is a ksh builtin.
man ksh

-It would be nice to have it show up when doing apropos though...




Thanks for the clarification :-)

Re: Dansguardian not working after updating OBSD Current

[Kaya Saman]

On 09/17/2014 03:34 PM, Alexander Hall wrote:


On September 17, 2014 4:08:48 PM CEST, Kaya Saman kayasa...@gmail.com wrote:

Ok, so this is just a quick follow up.

Squid started dying too, checking the logs showed not enough file
descriptors.

After looking at both /etc/login.conf openfiles-cur and the sysctl
kern.maxfiles limits which were set extremely high to begin with
turns out that the:

ulimit -n

was only showing as 64.

Changing that over to a value of 1 (overkill but better safe then

For some definition of safe. The limits exists for a reason. ;-)

But sure, one size does not fit all.


sorry), Dansguardian managed to start and now both DG and Squid seem to

be online and stable!

I wonder if it has something to do with the:

openfiles parameter in /etc/login.conf?


A response by Philip suggests this:

http://openbsd.7691.n7.nabble.com/setting-resource-limits-login-conf-and-ulimit-td223656.html


Just a quick observation, not sure if by design or other but ulimit
doesn't seem to have a man page?

man ulimit
man: no entry for ulimit in the manual.

man ulimit
man: no entry for ulimit in the manual.

Though I did find a copy here:

http://ss64.com/bash/ulimit.html

Hint is in the url: bash.

ulimit is a shell command, not a binary.

man $SHELL

/Alexander


Yep I see that now :-)

Next time will understand better!




:-)


So thanks Philip, looks like you saved my day twice!


Regards,


Kaya

On 09/17/2014 03:55 AM, Philip Guenther wrote:

On Tue, Sep 16, 2014 at 4:27 PM, Kaya Saman kayasa...@gmail.com

wrote:

I'm not sure what happened but after updating OpenBSD today, then
updating the installed packages Dansguardian seems to not be

working.

...

The only error in the logs that I can see is:

dansguardian[11832]: Error polling child process sockets: Invalid

argument

dansguardian[11832]: Error polling child process sockets: Invalid

argument

So the error means that poll() is being passed an nfds argument too
large, larger than the process could have open as fds.  It looks like
the code, for some reason I cannot understand, passes poll() a pollfd
structure for each child process...with fd=-1, so that it will be
ignored.  Uh, why?  Why is it passing pollfd structures to the kernel
that it *wants* the kernel to ignore?  It seems that the code could
simply skip over allocating and filling in those pollfd structures

and

have the exact same effect.

As for what changed, well, something changed the number of child
processes you're experiencing (load?), or the process fd limit
(RLIMIT_NOFILE) for dansguardian changed.


Philip Guenther

Dansguardian not working after updating OBSD Current

[Kaya Saman]

Hi,

I'm not sure what happened but after updating OpenBSD today, then 
updating the installed packages Dansguardian seems to not be working.

My OpenBSD version is: 5.6 GENERIC.MP#376 amd64

as stated just been updated today.

then used: pkg_add -vui

to update the packages.

Just checking one of the mirrors, it seems all packages were synced 
recently, so not sure if that actually refers to being updated.


The version available seems to be 2.12.0.3, though checking the 
Sourceforge page:
http://sourceforge.net/projects/dansguardian/files/

it seems that the code hasn't been updated since 2012

The only error in the logs that I can see is:

dansguardian[11832]: Error polling child process sockets: Invalid argument

dansguardian[11832]: Error polling child process sockets: Invalid argument

Upon researching the error I found:

http://comments.gmane.org/gmane.comp.web.dansguardian.general/1342

which is way out of date! Changing the settings stated using sysctl 
didn't help either:

kern.shminfo.shmmni=512
kern.shminfo.shmseg=512

I also attempted to compile directly from source incase something went 
amiss somewhere with my setup. That also didn't seem to work.


The port won't build as it throws this error:

  *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:1876 
'/var/db/pkg/dansguardian-2.12.0.3/+CONTENTS': @ /usr/bin/env -i 
PKG_TMPDIR=...)
*** Error 1 in /usr/ports/www/dansguardian 
(/usr/ports/infrastructure/mk/bsd.port.mk:2388 'install')


Though checking around previously there was something about the port not 
being signed?


Would anyone be able to suggest a fix or help out?

Even an 'alternative' more upto date solution would be fine.

I'm running it in conjunction with Squid, c-icap, and clamav. So as well 
as simply filtering websites it also hooks into clam with a virus scan 
and then the Squid proxy to get to the web.


Thanks.


Kaya

5.6 GENERIC.MP#376 amd64

Re: Dansguardian not working after updating OBSD Current

[Kaya Saman]

On 09/17/2014 03:55 AM, Philip Guenther wrote:

On Tue, Sep 16, 2014 at 4:27 PM, Kaya Saman kayasa...@gmail.com wrote:

I'm not sure what happened but after updating OpenBSD today, then
updating the installed packages Dansguardian seems to not be working.

...

The only error in the logs that I can see is:

dansguardian[11832]: Error polling child process sockets: Invalid argument
dansguardian[11832]: Error polling child process sockets: Invalid argument

So the error means that poll() is being passed an nfds argument too
large, larger than the process could have open as fds.  It looks like
the code, for some reason I cannot understand, passes poll() a pollfd
structure for each child process...with fd=-1, so that it will be
ignored.  Uh, why?  Why is it passing pollfd structures to the kernel
that it *wants* the kernel to ignore?  It seems that the code could
simply skip over allocating and filling in those pollfd structures and
have the exact same effect.

As for what changed, well, something changed the number of child
processes you're experiencing (load?), or the process fd limit
(RLIMIT_NOFILE) for dansguardian changed.


Philip Guenther


Thanks Philip for the response.

It wouldn't be load that's causing this issue as I'm monitoring the 
machine using multiple monitoring tools.


As to the process limit, I've got infinity set for the daemon under 
login.conf though root user is at defaults.


Since Dansguardian is being run as it's own user the root portion 
shouldn't apply.


The kernel maxproc value is set to 1310 (default??).

Outside of modifying the source code is there anything I can try within 
the system to allow Dansgaurdian to run?



I'm not sure if the upgrade changed any default values that may have 
effected this as the last update went through fine??


Weird!


Regards,


Kaya

Re: adsl card advice

[Kaya Saman]

On 04/25/2014 11:32 AM, Stuart Henderson wrote:

[...]

About separate adsl router I think they are pretty unsafe and very easy
download the firmware from the vendor site, hack it and flash the
device. And all the home adsl router u can find are linux based with
all security problems that linux has.
For these reasons I want make my own obsd router but what other choice
I have to connect it to an adsl ??
it's very strange to have so many problems to make a router under
openbsd when it should born for it.

Personally I use an external router configured as a bridge, and
configure pppoe on the OpenBSD side (with baby jumbos and RFC4638 where
possible to avoid getting a restricted MTU). That way the router doesn't
have external IP connectivity thus avoiding many of the problems you
might run into, and meaning that any complex configuration is done on
the OpenBSD box; it's then also pretty easy to swap out a spare router
in case of hardware failure (which in my experience is more likely to
occur for something that connects to a phone line).

Even with something like the Solos you still have hardware running some
proprietary firmware/dsp code on a processor with potential for bugs.
Mind you, it's even the same for a lot of ethernet NICs...




I agree with Stuart on this one.

Before building my router I considered using an ADSL PCI card. To be 
honest it's probably a better and easier practice to use ATM-to-Ethernet 
bridging. That way the OpenBSD box does everything including firewall 
and NAT so really how secure you make the system is up to you.


p.s. am just butting in here as Stuart helped me a lot with that too so 
am just offering my take :-)



Regards,


Kaya

Re: High Fan Speed in Current 5.5

[Kaya Saman]

On 04/20/2014 11:52 AM, Stuart Henderson wrote:

On 2014-04-19, Kaya Saman kayasa...@gmail.com wrote:

I hope someone can help me with this...

For some reason my fans are spinning up at 3000RPM and making a lot of
noise. I have a similar chassis m/b combo running FreeBSD 10 which runs
almost silent.

The processor usage on this machine isn't very high at all and is even
being throttled.

I had some machines with a problem like this that was introduced between
5.4 and 5.5 which was tracked down to the mwait idle loop.

Do you need to run MP on it? If not, and if mwait is the problem,
switching to GENERIC is probably the easiest workaround.



Many thanks Stuart for the response.

What's the difference between GENERIC and MP I'm guessing MP stands 
for MultiProcessor?



Basically the machine is a router/firewall. Routing is only done on the 
first core in OpenBSD but things like MySQL and Apache are 
multi-threaded so I'd like to keep the multi-threading support if possible.



Not sure. what would you suggest?


Regards,


Kaya

Re: High Fan Speed in Current 5.5

[Kaya Saman]

On 04/20/2014 03:16 PM, Stuart Henderson wrote:
 On 2014/04/20 15:11, Kaya Saman wrote:
 On 04/20/2014 11:52 AM, Stuart Henderson wrote:
 On 2014-04-19, Kaya Saman kayasa...@gmail.com wrote:
 I hope someone can help me with this...

 For some reason my fans are spinning up at 3000RPM and making a lot of
 noise. I have a similar chassis m/b combo running FreeBSD 10 which runs
 almost silent.

 The processor usage on this machine isn't very high at all and is even
 being throttled.
 I had some machines with a problem like this that was introduced between
 5.4 and 5.5 which was tracked down to the mwait idle loop.

 Do you need to run MP on it? If not, and if mwait is the problem,
 switching to GENERIC is probably the easiest workaround.

 Many thanks Stuart for the response.

 What's the difference between GENERIC and MP I'm guessing MP stands for
 MultiProcessor?
 Yes, right.

 Basically the machine is a router/firewall. Routing is only done on the
 first core in OpenBSD but things like MySQL and Apache are multi-threaded so
 I'd like to keep the multi-threading support if possible.
 Not sure. what would you suggest?
 Well this may (if it works) be a quick easy fix to quieten down the
 machine and reduce power consumption if you can live with it.. anything
 better than this is probably going to involve digging in to cpu power-
 saving states.

 So really it depends what's more important to you.


Hmm. I'll give it a whirl and see what happens.


Just read this in the meantime:

http://www.openbsd.org/faq/faq4.html

and this:

http://www.openbsd.org/faq/faq8.html

so I am going to try the /bsd image however my system doesn't have a 
/etc/boot.conf file so if I wanted to make it permanent do I just simply 
do this (taken from from boot man page):

*EXAMPLES*  
http://www.openbsd.org/cgi-bin/man.cgi?query=bootsektion=8arch=i386#end
  Boot the default kernel:

boot boot

  Remove the 5 second pause at boot-time permanently, causing*boot*  to load
  the kernel immediately without prompting:

# echo boot  /etc/boot.conf

Regards,


Kaya

Re: High Fan Speed in Current 5.5

[Kaya Saman]

On 04/20/2014 03:16 PM, Stuart Henderson wrote:

On 2014/04/20 15:11, Kaya Saman wrote:

On 04/20/2014 11:52 AM, Stuart Henderson wrote:

On 2014-04-19, Kaya Saman kayasa...@gmail.com wrote:

I hope someone can help me with this...

For some reason my fans are spinning up at 3000RPM and making a lot of
noise. I have a similar chassis m/b combo running FreeBSD 10 which runs
almost silent.

The processor usage on this machine isn't very high at all and is even
being throttled.

I had some machines with a problem like this that was introduced between
5.4 and 5.5 which was tracked down to the mwait idle loop.

Do you need to run MP on it? If not, and if mwait is the problem,
switching to GENERIC is probably the easiest workaround.


Many thanks Stuart for the response.

What's the difference between GENERIC and MP I'm guessing MP stands for
MultiProcessor?

Yes, right.


Basically the machine is a router/firewall. Routing is only done on the
first core in OpenBSD but things like MySQL and Apache are multi-threaded so
I'd like to keep the multi-threading support if possible.
Not sure. what would you suggest?

Well this may (if it works) be a quick easy fix to quieten down the
machine and reduce power consumption if you can live with it.. anything
better than this is probably going to involve digging in to cpu power-
saving states.

So really it depends what's more important to you.



Just did the switch:

hw.sensors.lm2.fan2=3835 RPM
hw.sensors.lm2.fan3=3781 RPM


5.5 GENERIC#46 amd64

The fans have got even noisier?

Re: High Fan Speed in Current 5.5

[Kaya Saman]

On 04/20/2014 03:56 PM, Stuart Henderson wrote:

On 2014/04/20 15:49, Kaya Saman wrote:

On 04/20/2014 03:16 PM, Stuart Henderson wrote:

On 2014/04/20 15:11, Kaya Saman wrote:

On 04/20/2014 11:52 AM, Stuart Henderson wrote:

On 2014-04-19, Kaya Saman kayasa...@gmail.com wrote:

I hope someone can help me with this...

For some reason my fans are spinning up at 3000RPM and making a lot of
noise. I have a similar chassis m/b combo running FreeBSD 10 which runs
almost silent.

The processor usage on this machine isn't very high at all and is even
being throttled.

I had some machines with a problem like this that was introduced between
5.4 and 5.5 which was tracked down to the mwait idle loop.

Do you need to run MP on it? If not, and if mwait is the problem,
switching to GENERIC is probably the easiest workaround.


Many thanks Stuart for the response.

What's the difference between GENERIC and MP I'm guessing MP stands for
MultiProcessor?

Yes, right.


Basically the machine is a router/firewall. Routing is only done on the
first core in OpenBSD but things like MySQL and Apache are multi-threaded so
I'd like to keep the multi-threading support if possible.
Not sure. what would you suggest?

Well this may (if it works) be a quick easy fix to quieten down the
machine and reduce power consumption if you can live with it.. anything
better than this is probably going to involve digging in to cpu power-
saving states.

So really it depends what's more important to you.


Just did the switch:

hw.sensors.lm2.fan2=3835 RPM
hw.sensors.lm2.fan3=3781 RPM


5.5 GENERIC#46 amd64

The fans have got even noisier?

I guess it's a different problem then :)



My best and easiest solution was to find a 5.25 Fan Controller like 
they do for 'modified/gamer' chassis but unfortunately none are 
available for PWM fans.



I guess I'm just gona have to look for an acoustic rack enclosure to 
muffle out the sound.



Thanks in any case for all the help!


Regards,

Kaya

High Fan Speed in Current 5.5

[Kaya Saman]

Hi,

I hope someone can help me with this...


For some reason my fans are spinning up at 3000RPM and making a lot of  
noise. I have a similar chassis m/b combo running FreeBSD 10 which runs  
almost silent.


The processor usage on this machine isn't very high at all and is even  
being throttled.



Here is what I've done so far:

Enable APMD with the -C option; taken from the man page -

 -C  Start apmd in cool running performance adjustment mode.  In this
 mode, when CPU idle time falls below 10%, apmd raises  
hw.setperf
 as much as necessary.  Otherwise when CPU idle time is above  
30%,
 apmd lowers hw.setperf as much as possible to reduce heat,  
noise,

 and power consumption.

and also enable SENSORSD

sysctl output:

hw.sensors.cpu0.temp0=51.00 degC
hw.sensors.cpu1.temp0=51.00 degC
hw.sensors.cpu2.temp0=51.00 degC
hw.sensors.cpu3.temp0=51.00 degC
hw.sensors.lm1.temp0=34.00 degC
hw.sensors.lm1.temp1=57.00 degC
hw.sensors.lm1.temp2=33.50 degC
hw.sensors.lm1.volt0=1.08 VDC (VCore)
hw.sensors.lm1.volt1=12.04 VDC (+12V)
hw.sensors.lm1.volt2=3.36 VDC (+3.3V)
hw.sensors.lm1.volt3=3.36 VDC (+3.3V)
hw.sensors.lm1.volt4=-10.92 VDC (-12V)
hw.sensors.lm1.volt5=1.26 VDC
hw.sensors.lm1.volt6=1.06 VDC
hw.sensors.lm1.volt7=3.33 VDC (3.3VSB)
hw.sensors.lm1.volt8=1.60 VDC (VBAT)
hw.sensors.lm2.temp0=34.00 degC
hw.sensors.lm2.temp1=57.00 degC
hw.sensors.lm2.temp2=33.50 degC
hw.sensors.lm2.fan0=1622 RPM
hw.sensors.lm2.fan1=164 RPM
hw.sensors.lm2.fan2=3013 RPM
hw.sensors.lm2.fan3=2986 RPM
hw.sensors.lm2.fan4=164 RPM
hw.sensors.lm2.volt0=1.08 VDC (VCore)
hw.sensors.lm2.volt1=12.04 VDC (+12V)
hw.sensors.lm2.volt2=3.36 VDC (+3.3V)
hw.sensors.lm2.volt3=3.36 VDC (+3.3V)
hw.sensors.lm2.volt4=-10.92 VDC (-12V)
hw.sensors.lm2.volt5=1.26 VDC
hw.sensors.lm2.volt6=1.06 VDC
hw.sensors.lm2.volt7=3.33 VDC (3.3VSB)
hw.sensors.lm2.volt8=1.60 VDC (VBAT)
hw.cpuspeed=1200
hw.setperf=0
hw.vendor=Supermicro
hw.product=X9SRE/X9SRE-3F/X9SRi/X9SRi-3F


The CPU is a Xeon E5 which the above output tells me it's been downclocked  
to 1.2GHz (is rated at 3.7GHz) hooked up to a SuperMicro system board and  
4U chassis with 80mm?? fans.



More output:

# apropos fan | grep 4
adl (4) - Andigilog aSC7621 temperature, voltage, and fan sensor
adt (4) - Analog Devices ADT7460 temperature, voltage, and fan sensor
adtfsm (4) - Analog Devices ADT7462 temperature, voltage, and fan sensor
aibs (4) - ASUSTeK AI Booster ACPI ATK0110 temperature, voltage, and fan  
sensor

andl (4) - Andigilog aSC7611 temperature, voltage, and fan sensor
fcu (4/macppc) - Apple Fan Control Unit sensor device
glenv (4) - Genesys Logic GL518SM temperature, voltage, and fan sensor
it (4) - ITE IT87xxF and SiS SiS950 temperature, voltage, and fan sensor  
with watchdog timer
lm (4) - National Semiconductor LM78/79/81 temperature, voltage, and fan  
sensor
lmenv (4) - National Semiconductor LM87 temperature, voltage, and fan  
sensor

lmn (4) - National Semiconductor LM93 temperature, voltage, and fan sensor
nvt (4) - Nuvoton W83795G/ADG temperature, voltage, and fan sensor
tda (4/sparc64) - Philips TDA8444 fan controller
uguru (4) - ABIT temperature, voltage and fan sensors
wbenv (4) - Winbond W83L784R/W83L785R/W83L785TS-L temperature, voltage,  
and fan sensor

wbng (4) - Winbond W83793G temperature, voltage, and fan sensor



DMESG:


OpenBSD 5.5-current (GENERIC.MP) #50: Thu Apr  3 12:37:31 MDT 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8537219072 (8141MB)
avail mem = 8301203456 (7916MB)
warning: no entropy supplied by boot loader
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec640 (117 entries)
bios0: vendor American Megatrends Inc. version 3.0 date 07/05/2013
bios0: Supermicro X9SRE/X9SRE-3F/X9SRi/X9SRi-3F
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT HPET PRAD SSDT SPCR EINJ ERST HEST BERT  
DMAR MCFG
acpi0: wakeup devices PS2K(S4) PS2M(S4) P0P9(S1) EUSB(S4) USBE(S4)  
PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) PEX5(S4) PEX6(S4) NPE2(S4)  
NPE4(S4) NPE5(S4) PXHA(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-1620 0 @ 3.60GHz, 3600.43 MHz
cpu0:  
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-1620 0 @ 3.60GHz, 3599.99 MHz
cpu1:  

Android 4.4 and L2TP/IPSEC VPN

[Kaya Saman]

Hi,

I'm wondering if anyone has had any experience with VPN and Android 4.4??

I used to use OpenVPN with versions 4.1 through 4.3 however, 4.4 
apparently broke the tun interface so the app doesn't work now.

As I need vpn access I configured ipsec and npppd however, I keep 
getting these errors when trying to establish connection:

responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: 
initiator id 2.2.2.2, responder id 1.1.1.1

dropped message from 2.2.2.2 port 500 due to notification type 
INVALID_ID_INFORMATION

ok my IP range is different but the error still stands where phone is 
2.2.2.2 and OpenBSD IP is 1.1.1.1


On the Droid I setup L2TP/IPsec PSK

with server address and IPSec PSK; and my npppd credentials.


The config I have is standard:

ipsec.conf:

ike passive esp transport \
 proto udp from any to any port 1701  \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes \
 psk some_key


npppd.conf:

# $OpenBSD: npppd.conf,v 1.2 2014/03/22 04:32:39 yasuoka Exp $
# sample npppd configuration file.  see npppd.conf(5)

authentication LOCAL type local {
 users-file /etc/npppd/npppd-users
}
#authentication RADIUS type radius {
#   authentication-server {
#   address 192.168.0.1 secret hogehoge
#   }
#   accounting-server {
#   address 192.168.0.1 secret hogehoge
#   }
#}

tunnel L2TP protocol l2tp {
 listen on 0.0.0.0
 listen on ::
}

ipcp IPCP {
 pool-address vpn_ip_pool
 dns-servers dns_pool
}

# I elected to go with Tun interface over Pipex

# use tun(4) interface.  multiple ppp sessions concentrate one interface.
interface tun1  address ip ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun1

/etc/hostname.tun1
up


Looking through the @Misc archive I found a similar issue:

http://permalink.gmane.org/gmane.os.openbsd.misc/202338

which also incorporates (I assume) working config; very similar to my own.


My version of OpenBSD is: 5.5 GENERIC.MP#50 amd64 (Current as of a few 
days ago)


The Phase 2 ID issues usually happen when the devices remote and local 
IP addresses aren't what the system is expecting however, I have 
configured this to any.

I do recall a separate issue I had when configuring IPSEC/GRE 
site-to-site tunnel with Cisco's where I had to specifically set:

ike esp from 0.0.0.0/0 to 0.0.0.0/0 peer ip_address

and then configure hostname.greX accordingly.


Even using the Pipex interface:

#interface pppx0 address vpn_ip ipcp IPCP
#bind tunnel from L2TP authenticated by LOCAL to pppx0


as a test I still get the same error of Invalid Phase 2 ID's.

I have analyzed /var/log/messages which gives above output, and in 
addition done a tcpdump -eni (IF) -vvv host (IP) to see what was going 
on but found nothing substantial


npppd output:

npppd[10593]: l2tpd ctrl=9 logtype=Started RecvSCCRQ 
from=2.2.2.2:46783/udp tunnel_id=9/30318 protocol=1.0 winsize=1 
hostname=anonymous vendor=(no vendorname) firm=

npppd[10593]: l2tpd ctrl=9 timeout waiting ack for ctrl packets.

npppd[10593]: l2tpd ctrl=9 logtype=Finished


Could this be a bug with Android 4.4 or is it simply something 
misconfigured on my behalf?

...oh and my handset is rooted so I don't know if that makes a difference?


Thanks.


Kaya

Re: Network appliance recomendation.

[Kaya Saman]

On 08/10/2013 06:01 PM, Francisco Valladolid H. wrote:
 On Sat, Aug 10, 2013 at 2:51 AM, Maurice Janssen maur...@z74.net wrote:
 On 08/09/13 17:05, Francisco Valladolid H. wrote:
 Hi folks.

 Currently I have a Wireless network serving in my town using a small
 form factor (mini-itx) PC with OpenBSD for pf,squid, and dns cache.

 I need recommendations for a network appliance in rack mode with flash
 storage and five rj45 ports.

 Can anyone recommended a solution for my needs ?

 Axiomtek NA-320R might be an alternative.  Rack mount, 6 gbit ports,
 CF-storage and Atom 1.6 GHz CPU.
 Thank you Maurice, excellente recomendation.

 Maurice


I know you say appliance however, how about an embedded system? Since 
you already run OpenBSD on a Mini-ITX system, a 1U rack chassis for 
Mini-ITX plus Intel based Network card should also give up to 6-7GbE 
ports plus SSD or other flash drive alternative..


e.g. http://www.steatite-embedded.co.uk/

as examples for chassis and systemboard.

It might not be what you want since you did say appliance but still it 
is a thought :-)


Regards,


Kaya

Re: pppoe(4) slow for Annex M DSL connection

[Kaya Saman]

On 11/01/2012 11:12 PM, Sevan / Venture37 wrote:

On 31/10/2012 18:49, Kaya Saman wrote:


I've just got my dsl line reprovisioned for Annex M compatibility and
the line speed showing currently on the modem is 20Mbps downstream with
2Mbps upstream.

Upon the reprovisioning I got ask to do a speed test by my ISP and only
~5Mbps was shown for downstream while upstream was shown as ~700kbps.


The system in place is VDSL2+/ADSL2+(Annex M) router running in RFC2684
ATM to Ethernet bridge mode, linked to a Sun Microsystems Netra T105 -
440MHz, 360MB RAM box. With the Netra I have tested various routing
capacities including inter-vlan and dynamic running OSPF and it managed
between 80-90Mbps transfer rates for large files.



I don't think this is an OpenBSD issue
From http://www.cisco.com/en/US/products/ps9565/index.html

ADSl2/2+ over POTS, with annex M support for increased upstream 
throughput through Cisco 887M models



Sevan / Venture37



Thanks for the response!

That's the router I have; connecting directly to the router with it 
configured as NAT/Gateway produces good results.


In addition to that I created a test where I used Packet Filter as a 
firewall then ran OSPF between the routers, so basically we had:


(LAN) Cisco 1801 - OpenBSD - Cisco 887VA (WAN)

Again I had the same speeds.

However, hooking the Cisco's together Cisco 1801 - Cisco 887VA

I now have 18Mbps downstream with 2Mbps upstream.

It looks like the throughput on the Sun Netra isn't high for whatever 
reason?? Or that Packet Filter is simply slow to process?


I have a spare Sun Fire V210 so I will try with that and see if the 
increased CPU power coupled with more memory increases speeds at all.


Outside of that I'm slightly puzzled :-S

pppoe(4) slow for Annex M DSL connection

[Kaya Saman]

Hi,

I've just got my dsl line reprovisioned for Annex M compatibility and 
the line speed showing currently on the modem is 20Mbps downstream with 
2Mbps upstream.


Upon the reprovisioning I got ask to do a speed test by my ISP and only 
~5Mbps was shown for downstream while upstream was shown as ~700kbps.



The system in place is VDSL2+/ADSL2+(Annex M) router running in RFC2684 
ATM to Ethernet bridge mode, linked to a Sun Microsystems Netra T105 - 
440MHz, 360MB RAM box. With the Netra I have tested various routing 
capacities including inter-vlan and dynamic running OSPF and it managed 
between 80-90Mbps transfer rates for large files.


I'm using pppoe(4) with config pretty much taken from the man page:

inet 0.0.0.0 255.255.255.255 NONE mtu 1492 \
pppoedev hme0 authproto chap \
authname authuser authkey authkey \
up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

running over the hme0 interface:

up mtu 1500


Everything is working fine and I have internet connectivity.

Packet Filter is of course taking care of the NAT/PAT side of things and 
the firewalling.


Doing a bit of research on the net I came across a few postings:

http://forums.whirlpool.net.au/archive/481579

http://forums.whirlpool.net.au/forum-replies.cfm?t=116165

http://comments.gmane.org/gmane.os.openbsd.misc/196051


which suggested to edit the /etc/sysctl.conf file with some values that 
aren't available in OBSD5.1 as they are now allocated dynamically.


This is what I've got towards the bottom of my sysctl.conf file:

net.inet.tcp.mssdflt=1452
#net.inet.tcp.recvspace=131072
#net.inet.tcp.sendspace=131072
net.inet.udp.recvspace=139264
net.inet.udp.sendspace=139264
net.inet.ip.mforwarding=1
ddb.panic=0
kern.bufcachepercent=60
net.inet.ip.ifq.maxlen=512
net.inet.tcp.rfc3390=1

I have also made the necessary adjustments to the pf.conf file:

match on $ext_if scrub (max-mss 1440)

however, my speeds are still really low :-(


The router/modem I'm using is a Cisco 887VA which should be pretty 
high-performance but I don't trust Cisco's with NAT as they keep running 
out of memory on me when the number of connections starts going up; then 
they crash!



Is there anything else I can do to get better performance or this simply 
it for the Netra?


I've tried checking with all kinds of tools like nload and darkstat for 
bandwidth which confirms what the speed-test site claimed.


Running netstat -m I get:

# netstat -m
111 mbufs in use:
20 mbufs allocated to data
62 mbufs allocated to packet headers
29 mbufs allocated to socket names and addresses
19/88/4096 mbuf 2048 byte clusters in use (current/peak/max)
0/8/4096 mbuf 4096 byte clusters in use (current/peak/max)
0/8/4096 mbuf 8192 byte clusters in use (current/peak/max)
0/14/4102 mbuf 9216 byte clusters in use (current/peak/max)
0/8/4096 mbuf 12288 byte clusters in use (current/peak/max)
0/8/4096 mbuf 16384 byte clusters in use (current/peak/max)
0/8/4096 mbuf 65536 byte clusters in use (current/peak/max)
536 Kbytes allocated to network (12% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines


vmstat -i shows:

# vmstat -i
interrupt   total rate
com0 49881
hme082113   19
siop090262
hme186683   21
clock  412347   99
Total  595157  144


Netstat -i doesn't come up with any errors on any interfaces 
either... and finally top doesn't show much cpu usage at all either.



Surely the Netra must be able to do more then 4.5Mbps down with 0.7Mbps 
up??? What about my LAN routing test which got 80-90Mbps?



Can anyone suggest anything?


Thanks.

Re: question_about_OpenBSD_on_ADSL_modems/routers

[Kaya Saman]

I think this is what you might be looking for:

http://www.rocksolidelectronics.com/pages/products.php

Not sure where you are based but if in Europe then Linitx can help
you is in the UK however.

http://linitx.com/viewcategory.php?catid=148


Regards,


Kaya


On Mon, Jun 25, 2012 at 9:47 AM, soko.tica soko.t...@gmail.com wrote:
 Hallo list,

 I ask for information about ADSL modems/routers (preferably low-cost)
 on which OpenBSD can run.

 I know there was a possibility to get Traverse Technologies Viking PCI
 ADSL card on any box, but I have learned recently it is out of
 production.

 Thanking you in advance.

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/12/2012 09:59 AM, Peter Hessler wrote:

On 2012 Mar 12 (Mon) at 00:44:15 + (+), Kaya Saman wrote:
:Would it not just be easier and cleaner to create a new list for
:newbies? That way the more advanced stuff could be taken care of on
:this list and only people willing to help others could post useful
:comments and help on the other list.

This mailing list does exist.  I've been running it (in a very lazy
fasion) since 2002.

You can sign up for it at http://mailman.theapt.org/listinfo/openbsd-newbies



Thanks :-)

And additionally I am sorry for annoying almost the whole of this list :-(

I didn't mean to rant or to tick anybody off!

Using OpenBSD for a bit I really do like but hence need to learn it.


Regards,


Kaya

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/12/2012 10:50 AM, Stuart Henderson wrote:

On 2012-03-11, Kaya Samankayasa...@gmail.com  wrote:

Now I do know these without even needing to read the documentation...
however even **IF** I tried to compile on one of those platforms which I
do all the time I never need to adjust system variables or tell the
configure script what compiler or other I'm using as it is intelligent
enough to autodetect it.

You don't usually need to run autoconf to regenerate the configure
script unless you edit configure.in or other m4 files.
The software authors are supposed to do that for you as
part of their release process


I eventually figured that one out by reading the scripts themselves, but 
it seems that a lot of software is unsupported on OpenBSD and the devels 
don't want to know either as other OS's have larger user bases.




Pretty sure there is some selection mechanism for different autoconf
versions on FreeBSD as well but maybe they picked a default version
(at least by making it an explicit requirement OpenBSD users are
less likely to be affected by incompatible autoconf versions).

I will keep searching and studying this as it might be just the config 
scripts as you mentioned above.



Regards,


Kaya

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/12/2012 11:21 AM, Stuart Henderson wrote:

On 2012-03-11, Kaya Samankayasa...@gmail.com  wrote:

Well in mean time I found this:

http://openports.se/devel/metaauto

although I don't think it's installed as **find** didn't come up with
anything.

pkg_info | grep metaauto

Also look at locate(1) which uses a database generated weekly(8) to
speed up filename searches, and the pkglocate package (a locate
database of files from *all* packages, not just the installed ones,
also showing the package names).


Oh locate is available in OpenBSD? That's good news!


ntop is in ports but horribly out of date. Newer versions had some
problems, I suspect many of these relating to how our old thread
library worked - I might take a look at updating the port sometime
now we're using rthreads. If you're looking at building it yourself
I would suggest waiting for base and package snapshots to start up
again, then upgrade everything to -current, before spending more
time on ntop.



I'll do just that :-)


Regards,


Kaya

Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

Hi,

I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD RELEASE 
5.0 x64 but am running into issues regarding automake and autoconfig.



Basically I installed:

automake-1.11.1p2

autoconf-2.67



The install script comes up saying this:

# ./autogen.sh

Starting ntop automatic configuration system v.0.2.3

  Please be patient, there is a lot to do...

1. Testing gnu tools

You must have automake installed to compile ntop.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/automake
 We recommend version 1.6.3 or higher

You must have autoconf installed to compile autogen.sh.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf
 We recommend version 2.53 or higher


It's weird because both packages are installed and have confirmed that 
running: find / -name auto(conf and make).



Can anyone suggest anything?


I'm actually puzzled as to why the Ntop version on the public FTP 
servers are s old and out of date, I mean v1.x?


With that there's no Web GUI and actually works more like some of the 
other cli packet sniffers am used to such as trafshow, jnettop, 
iptraf-ng etc..



It would be so awsome to see these on the FTP servers so that all one 
needs to do is just pkg_add them but am stuck now compiling and not sure 
if it's even gona work



Regards,


Kaya

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/11/2012 08:10 PM, Remco wrote:

Kaya Saman wrote:


Hi,

I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD RELEASE
5.0 x64 but am running into issues regarding automake and autoconfig.


Basically I installed:

automake-1.11.1p2

autoconf-2.67



The install script comes up saying this:

# ./autogen.sh

Starting ntop automatic configuration system v.0.2.3

Please be patient, there is a lot to do...

1. Testing gnu tools

You must have automake installed to compile ntop.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/automake
   We recommend version 1.6.3 or higher

You must have autoconf installed to compile autogen.sh.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf
   We recommend version 2.53 or higher


It's weird because both packages are installed and have confirmed that
running: find / -name auto(conf and make).


Can anyone suggest anything?



try: automake --version
  autoconf --version

The messages should be self-explanatory if you didn't define certain
environment variables, e.g., I have this in my environment:
$ set |grep AUTO
AUTOCONF_VERSION=2.65
AUTOMAKE_VERSION=1.11




automake --version
autoconf --version

come up with this


# automake --version
Provide an AUTOMAKE_VERSION environment variable, please
# autoconf --version
Provide an AUTOCONF_VERSION environment variable, please

??


set |grep AUTO


also doesn't display anything???


However, the packages are installed in /usr/local/bin which is confirmed 
using **find**



actually just seeing this now it turns out that automake is 
proceeded by a version number.



So it works then I guess but why can't Ntop install script pick it out?

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/11/2012 08:20 PM, Marc Espie wrote:

On Sun, Mar 11, 2012 at 07:42:43PM +, Kaya Saman wrote:

Hi,

I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD
RELEASE 5.0 x64 but am running into issues regarding automake and
autoconfig.


Basically I installed:

automake-1.11.1p2

autoconf-2.67



The install script comes up saying this:

# ./autogen.sh

Starting ntop automatic configuration system v.0.2.3

   Please be patient, there is a lot to do...

1. Testing gnu tools

You must have automake installed to compile ntop.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/automake
  We recommend version 1.6.3 or higher

You must have autoconf installed to compile autogen.sh.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf
  We recommend version 2.53 or higher

See how the metaauto port works. autoconf and automake are actually scripts
that depend on AUTOCONF_VERSION and AUTOMAKE_VERSION to select the right
ones.
Ok thankyou! .this makes sense now to me. But how to set 
AUTOCONF_VERSION and AUTOMAKE_VERSION???


You say metaauto port but I thought that in OpenBSD one was not supposed 
to used ports unlike FreeBSD which I'm used to?



hmm

# man metaauto
man: no entry for metaauto in the manual.

looks like I need to do some further Google'ing!


Regards,


Kaya

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/11/2012 08:20 PM, Marc Espie wrote:

On Sun, Mar 11, 2012 at 07:42:43PM +, Kaya Saman wrote:

Hi,

I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD
RELEASE 5.0 x64 but am running into issues regarding automake and
autoconfig.


Basically I installed:

automake-1.11.1p2

autoconf-2.67



The install script comes up saying this:

# ./autogen.sh

Starting ntop automatic configuration system v.0.2.3

   Please be patient, there is a lot to do...

1. Testing gnu tools

You must have automake installed to compile ntop.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/automake
  We recommend version 1.6.3 or higher

You must have autoconf installed to compile autogen.sh.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf
  We recommend version 2.53 or higher

See how the metaauto port works. autoconf and automake are actually scripts
that depend on AUTOCONF_VERSION and AUTOMAKE_VERSION to select the right
ones.

Well in mean time I found this:

http://openports.se/devel/metaauto

although I don't think it's installed as **find** didn't come up with 
anything.



Does this mean that without the metaauto port that the **system** or 
**any** install script will not know how to handle a basic compile?


Am really confused now as I don't understand anything of what's going on!


This might be an easier to answer question then:

how do I tell the system to use one particular version of autoconf and 
automake...???


Which files do I need to edit to do that?


Am so sorry for being slow but am just so used to running:

cd /usr/ports/*/portname
make install clean

and everything being done in the background for me!


Regards,


Kaya

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/11/2012 08:20 PM, Marc Espie wrote:

On Sun, Mar 11, 2012 at 07:42:43PM +, Kaya Saman wrote:

Hi,

I'm trying to compile the latest NTOP version 4.1.0 on OpenBSD
RELEASE 5.0 x64 but am running into issues regarding automake and
autoconfig.


Basically I installed:

automake-1.11.1p2

autoconf-2.67



The install script comes up saying this:

# ./autogen.sh

Starting ntop automatic configuration system v.0.2.3

   Please be patient, there is a lot to do...

1. Testing gnu tools

You must have automake installed to compile ntop.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/automake
  We recommend version 1.6.3 or higher

You must have autoconf installed to compile autogen.sh.
Download the appropriate package for your distribution, or get the
source tarball from ftp://ftp.gnu.org/pub/gnu/autoconf
  We recommend version 2.53 or higher

See how the metaauto port works. autoconf and automake are actually scripts
that depend on AUTOCONF_VERSION and AUTOMAKE_VERSION to select the right
ones.
Well I actually sort-of figured this out but turned out to be a very 
messy hack and probably have broken other things. meaning am totally 
not sure of the implications of my actions!



I basically moved the autoconf and automake scripts to files called 
auto*.scr,


then symlinked the highest versions of each software to automake and 
autoconf respectively.



i have no idea down-the-line if this will break anything but for now it 
works :-)



Regards,


Kaya

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/11/2012 10:34 PM, Ted Unangst wrote:

On Sun, Mar 11, 2012, Kaya Saman wrote:

try: automake --version
   autoconf --version

The messages should be self-explanatory if you didn't define certain
environment variables, e.g., I have this in my environment:

automake --version
autoconf --version

come up with this

# automake --version
Provide an AUTOMAKE_VERSION environment variable, please
# autoconf --version
Provide an AUTOCONF_VERSION environment variable, please

How are those messages not self explanatory?  Did you read them?

Sure I read them it's a bit difficult not to!

I also managed to get round them by providing the versions:

eg. automake-1.11 --version


my issue was how to get the Ntop config script to understand that 
automake and autoconf **are** installed on the system!!!


Luckily a friendly person did explain that I should first **export** the 
versions then run the config gen script which indeed worked!!!


export AUTOMAKE_VERSION=1.11  AUTOCONF_VERSION=2.67



However, please note that am still learning OpenBSD after coming over 
from Linux and FreeBSD and additionally I am NOT a programmer or even 
good at programming



My main base in fact is network engineering so forgive me if I don't 
know the intricate details of the OpenBSD OS


Using FreeBSD I would just do this:

cd /usr/ports/*/ntop
make install clean

and providing my **ports** tree is uptodate it will work flawlessly. 
Additionally on Linux for RPM based would be yum install ntop or DEB 
based would be apt-get install ntop



Now I do know these without even needing to read the documentation... 
however even **IF** I tried to compile on one of those platforms which I 
do all the time I never need to adjust system variables or tell the 
configure script what compiler or other I'm using as it is intelligent 
enough to autodetect it.



I understand OpenBSD is different and I'm trying to get used to it but 
please cut new users some slack as not everyone is God's gift to 
computing... {I don't say this as an attack or with any bad 
intentions just frustration at how unforgiving this list is sometimes}



Regards,


Kaya

Re: Which automake and autoconfig versions to compile NTOP v4?

[Kaya Saman]

On 03/12/2012 12:21 AM, hex wrote:

On Sun, Mar 11, 2012 at 10:48:24PM +, Kaya Saman wrote:

On 03/11/2012 10:34 PM, Ted Unangst wrote:

On Sun, Mar 11, 2012, Kaya Saman wrote:

try: automake --version
autoconf --version

The messages should be self-explanatory if you didn't define certain
environment variables, e.g., I have this in my environment:

automake --version
autoconf --version

come up with this

# automake --version
Provide an AUTOMAKE_VERSION environment variable, please
# autoconf --version
Provide an AUTOCONF_VERSION environment variable, please

How are those messages not self explanatory?  Did you read them?

Sure I read them it's a bit difficult not to!

I also managed to get round them by providing the versions:

eg. automake-1.11 --version


my issue was how to get the Ntop config script to understand that
automake and autoconf **are** installed on the system!!!

Luckily a friendly person did explain that I should first **export** the
versions then run the config gen script which indeed worked!!!


That's what providing the environment variable means.


I didn't know that so thanks for pointing that out.


export AUTOMAKE_VERSION=1.11  AUTOCONF_VERSION=2.67



However, please note that am still learning OpenBSD after coming over
from Linux and FreeBSD and additionally I am NOT a programmer or even
good at programming


One exclamation point is enough.


Sorry frustration got the better of me!


My main base in fact is network engineering so forgive me if I don't
know the intricate details of the OpenBSD OS


Those are not intricate details. Environment variables exist in virtually every 
operating system available.


I do understand that compiling software is part of UNIX and I accept 
that I don't know enough about it but the other types of OS's stated all 
work without issues which ok is not the OS fault, rather that 
software is mostly being designed for Linux and a really great effort to 
**port** the stuff is being done by FreeBSD. But without knowing the 
characteristics of an OS it's very difficult to debug issues if one 
doesn't understand how it handles certain things.



Using FreeBSD I would just do this:

cd /usr/ports/*/ntop
make install clean

and providing my **ports** tree is uptodate it will work flawlessly.
Additionally on Linux for RPM based would be yum install ntop or DEB
based would be apt-get install ntop


Great story.


Uh sorry was just trying to stress or rather emphasize my point. I 
think eventually the only thing that got stressed was me :-(



Now I do know these without even needing to read the documentation...
however even **IF** I tried to compile on one of those platforms which I
do all the time I never need to adjust system variables or tell the
configure script what compiler or other I'm using as it is intelligent
enough to autodetect it.


The configure script is not part of the operating system, it is part of the 
package/tarball, if you're using something that needs automake/autoconf you're 
probably checking out development versions of software and then complaining to 
the OS developers who have nothing to do with it.


Erm I wasn't complaining. I just needed a hand to figure out how to 
get the script to interact with the OS. Now it's time to take my case to 
the Ntop team as the script is blocking me claiming unsupported OS. 
True though it maybe I would still like to get Ntop (the current 
version) working on OpenBSD as unfortunately it's not available natively.



I understand OpenBSD is different and I'm trying to get used to it but
please cut new users some slack as not everyone is God's gift to
computing... {I don't say this as an attack or with any bad
intentions just frustration at how unforgiving this list is sometimes}


I love this list for that.


Uh! :-(

Would it not just be easier and cleaner to create a new list for 
newbies? That way the more advanced stuff could be taken care of on this 
list and only people willing to help others could post useful comments 
and help on the other list.


.actually this list may become really quiet then??? As in all of my 
1 week being here not much help goes on just arguments and flames.






Regards
Hektor Oksenberg


Regards,

--K

Re: Snappy Answers to Stupid Questions - WTF?

[Kaya Saman]

On 03/10/2012 08:27 AM, Lars wrote:

Kaya Saman wrote:

On 03/09/2012 10:35 PM, Ingo Schwarze wrote:

Brett wrote on Sat, Mar 10, 2012 at 09:12:11AM +1100:


I noticed and think its a great title, because it would never be
approved by a marketing department.

See, Nick *is* the honorary marketing department.
Er... well... among other functions.
(He is a bit into support as well, kind of.)
And the title *was* approved by the CTO - smilingly, no doubt :).


Sorry guys am confused what are you on about?

What's OpenBSD?

How do I install an OS?

My computer doesn't start after I posted on this list?

Does OpenBSD have a marketing department, I thought it was opensource
free software not a product and end users where supposed to be
intelligent?


I typed in man but nothing happened


Type in woman at your unix terminal or on google images.
Problem solved.


I typed in woman and plural but each time the machine crashes and turns 
off???


Is it possible that my kernel maybe gay?

touch /usr/bin/woman

vi
#!/sbin/sh
halt -p

:-P

How do I connect OpenBSD to the internet?


Not sure, possibly you mean teh internets and not the internet.


Everybody called it the web so I decided to seek out an arachnologist, 
although she laughed at me at the next thing I knew I was in a white 
room with no windows and doors :-(





Is OpenBSD the inernet?



You mean teh internets?


Spider Webs!

Tried catching fish once but our pond was dry :-(




Installed X11 now firefox doesn't start?



Not sure what your pet animal has to do with anything, you mean your cat?
or an actual fox? Did you set your cat on fire? Or your fox?

Hmm. when I moved in the council told us that there would be city 
foxes living in the garden and cats roaming around wild too. Just didn't 
expect to see any on X11?? I still can't!

Re: Request for a new list: trolling

[Kaya Saman]

On 03/10/2012 01:33 PM, 0xAAA wrote:

It is  quite interesting that  any trolling message  gets more attention  than a
real, OpenBSD  related problem (view  the threads of  the stupid guy  which cant
read installation instructions...)


It could be just that people need to let off steam once in a while and 
have some fun rather then being all serious.


Basically creating an OpenBSD playground and letting the animals out 
of the zoo for a while so to speak would be a good idea.




My suggestion: We  create a new list, eg. trolling  or smalltalk where other
users can discuss about senseless questions.


misc (miscellaneous) sounds perfect for this: might be better to create 
a legitimate questi...@openbsd.org list - like we do on FreeBSD, that 
way people could kinda separate things more clearly Actually as a 
FreeBSD user for round 3+ years now I'm pretty much signed up to all 
non-devel based FBSD lists as they all come in useful for legitimate 
problems and issues.




And misc  should be about real  problems/discussions (like it was  before stupid
linus-nerds arrived on this list...)


Never knew being a nerd was associated with stupidity thought they 
were spectrally at opposite ends :-P


Or is this just an OpenBSD superiority thing?? Hmm. the BSD Daemon 
insignia. didn't they do that back in 1939??? Look where they got! 
:-P :-P :-P :-P




(sorry for that non-misc related message)



P.s. just because am new to OpenBSD and posting back with my thoughts 
and opinions it doesn't mean that I'm trolling!!! :-)


To be honest from what I've seen with OpenBSD to this date: 
gateway/NAT/router/firewall/VPN concentrator (yep done all this), I 
really like it and will continue to use it for many years to come and 
hopefully contribute myself, to help the community. OS wars aside 
OpenBSD is really cool and as router and network appliance capable OS 
kicks Cisco right in their ASCII.


P.p.s. no lynching me please


Regards,


Kaya

Re: Snappy Answers to Stupid Questions - WTF?

[Kaya Saman]

On 03/09/2012 10:35 PM, Ingo Schwarze wrote:

Brett wrote on Sat, Mar 10, 2012 at 09:12:11AM +1100:


I noticed and think its a great title, because it would never be
approved by a marketing department.

See, Nick *is* the honorary marketing department.
Er... well... among other functions.
(He is a bit into support as well, kind of.)
And the title *was* approved by the CTO - smilingly, no doubt :).



Sorry guys am confused what are you on about?

What's OpenBSD?

How do I install an OS?

My computer doesn't start after I posted on this list?

Does OpenBSD have a marketing department, I thought it was opensource 
free software not a product and end users where supposed to be intelligent?



I typed in man but nothing happened

How do I connect OpenBSD to the internet?

Is OpenBSD the inernet?


Installed X11 now firefox doesn't start?


Added send/receive RIPv1 to my router, now running ripctl show fib 
doesn't show my subnets?



Why do these types of questions make regular list users swear (sometimes 
even in their graves)?



.et al.


sighh


ok I feel less stressed! Back to watching Grey's Anatomy :-)



Regards,


Kaya

ISAKMP Phase-2 not completing with Cisco ISR - IPSEC over GRE

[Kaya Saman]

Hi,

I am trying to create a VPN between my OpenBSD test box running in a 
Virtual Box instance, with bridged interface to my NIC and my Cisco 857 
router.



I am getting these error messages in /var/log/messages:


Mar  5 21:24:31 OpenBSD isakmpd[27722]: dropped message from 192.168.0.1 
port 500 due to notification type INVALID_ID_INFORMATION
Mar  5 21:25:14 OpenBSD isakmpd[27722]: transport_send_messages: giving 
up on exchange peer-192.168.0.2, no response from peer 192.168.0.2:500
Mar  5 21:26:41 OpenBSD isakmpd[27722]: responder_recv_HASH_SA_NONCE: 
peer proposed invalid phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, 
responder id 0.0.0.0/0.0.0.0




Running; debug crypto isakmp on the Cisco I get this:

010554: Mar  5 21:45:03.871: ISAKMP:(0): beginning Main Mode exchange
Cisco857W#
010555: Mar  5 21:45:03.871: ISAKMP:(0): sending packet to 192.168.0.2 
my_port 500 peer_port 500 (I) MM_NO_STATE

010556: Mar  5 21:45:03.875: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco857W#
010557: Mar  5 21:45:13.875: ISAKMP:(0): retransmitting phase 1 
MM_NO_STATE...
010558: Mar  5 21:45:13.875: ISAKMP (0:0): incrementing error counter on 
sa, attempt 1 of 5: retransmit phase 1

010559: Mar  5 21:45:13.875: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
010560: Mar  5 21:45:13.875: ISAKMP:(0): sending packet to 192.168.0.2 
my_port 500 peer_port 500 (I) MM_NO_STATE

010561: Mar  5 21:45:13.875: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco857W#
010562: Mar  5 21:45:23.874: ISAKMP:(0): retransmitting phase 1 
MM_NO_STATE...
010563: Mar  5 21:45:23.874: ISAKMP (0:0): incrementing error counter on 
sa, attempt 2 of 5: retransmit phase 1

010564: Mar  5 21:45:23.874: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
010565: Mar  5 21:45:23.874: ISAKMP:(0): sending packet to 192.168.0.2 
my_port 500 peer_port 500 (I) MM_NO_STATE

010566: Mar  5 21:45:23.874: ISAKMP:(0):Sending an IKE IPv4 Packet.



So far after lots of research and reading I have got this config:


OpenBSD 5.0-RELEASE-x64:

{ipsec.conf}

ike esp transport from 192.168.0.2 to 192.168.0.1 main auth hmac-md5 enc 
3des group modp1536 quick auth hmac-md5 enc 3des psk secret

ike esp transport from 10.255.255.101 to 10.255.255.102 peer 192.168.0.2


{gre1 interface}


10.255.255.101 10.255.255.102 netmask 0x link0 up
tunnel 192.168.0.2 192.168.0.1


Cisco 857:

{Crypto information}

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 60
crypto isakmp key secret address 192.168.0.2
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set geo-sync-set-01 esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile geo-sync-profile-01
 set transform-set geo-sync-set-01
!
!
crypto map geo-sync-01 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set geo-sync-set-01
 match address 101


{Tunnel interface}

interface Tunnel0
 bandwidth 100
 ip address 10.255.255.102 255.255.255.252
 ip accounting output-packets
 ip accounting access-violations
 ip rip send version 2
 ip rip receive version 2
 tunnel source BVI2
 tunnel destination 192.168.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile geo-sync-profile-01


{BVI2}

interface BVI2
 description Bridge between Vlan2 and Dot11Radio0.2 for wireless network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip rip send version 2
 ip rip receive version 2
 no ip virtual-reassembly
 no ip route-cache
 crypto map geo-sync-01

{Access-list 101}

access-list 101 permit udp any host 192.168.0.2 eq isakmp
access-list 101 permit esp any host 192.168.0.1
access-list 101 permit gre host 10.255.255.101 host 10.255.255.102
access-list 101 permit gre any host 192.168.0.1


I'm quite puzzled by where the problem lies as the above Cisco config 
was working fine using Cisco-Cisco between 3 separate gateways.



Could anyone help me identify what the issue could be and define a 
resolution??



I do realize that am using internal IP addresses. but this is only a 
test bed in preparation for production use later!



Regards,


Kaya

Monitoring PF rules on egress interface not showing pass definitions

[Kaya Saman]

Hi,

I created a virtual instance of OpenBSD 5.0 x64 RELEASE edition using 
VirtualBox and set it up to be used as router/gateway with NAT.

Taking this:

http://www.openbsd.org/faq/pf/example1.html

as an example for practically getting to know packet filter which I've 
never used before and get more familiar with OpenBSD in itself.


Through reading the FAQ on PF and trying to understand the way it works 
can someone clarify that the rule weightings are in bottom-up order.

what I'm trying to clarify is that if I use a pseudo Cisco ACL statement:

deny any any
permit ip 1.1.1.1 any ip 2.2.2.2 80

line 2 with permit will **never** get matched because there is an 
implicit deny statement before which has full weighting. Therefor one 
must first specify the permit then the deny in order for the ACL to have 
relevance.

In Pack Filter this seems to be the reverse according to the example 
page shown above or the FAQ:

http://www.openbsd.org/faq/pf/filter.html

meaning that using PF syntax, something like:

block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
 port $tcp_services


will block everything from the statement: block in log but if a pass 
statement is put after the filter's block statement the weighting will 
be on the pass line and hence a match will try to be determined.



In accordance to the above I activated RIPD, took down packet filter 
using: pfctl -d and setup a connection to my router/gateway.


Once everything was working, I activated packet filter again using: 
pfctl -e and restarted RIPD for good measure: /etc/rc.d/ripd restart

All was good and RIPD wasn't able to send or receive any updates - 
actually due to the customization of Exmaple1 from the FAQ, I think RIP 
updates were being sent but not able to be received! --please correct me 
if wrong.

So adding the line:


pass in on egress inet proto tcp from any to (egress) \
 port $tcp_services


#--
pass in on egress inet proto udp from any to (egress) \
 port $udp_services

in the mix, RIP information was now being passed internally **to** 
OpenBSD (but not through to the other side of the NAT).


The major issue I'm having with all of this is that I can't see anything!


Even SSH'ing into the OBSD instance using tcpdump, from the example 
shown here:

http://www.openbsd.org/faq/pf/logging.html

[quote]

 # tcpdump -n -e -ttt -r /var/log/pflog port 80 

 This can be further refined by limiting the display of packets to a 
 certain host and port combination:

 # tcpdump -n -e -ttt -r /var/log/pflog port 80 and host 192.168.1.3 

 The same idea can be applied when reading from the pflog0 interface:

 # tcpdump -n -e -ttt -i pflog0 host 192.168.4.2 



[/quote]


I get lines stating:

Mar 02 16:38:38.875426 rule 3/(match) block in on em0: 192.168.0.1.520  
255.255.255.255.520: RIPv2-resp [items 3]: {0.0.0.0}(1)[|rip] [tos 0xc0]

which means that information is being matched by rule 3 and being blocked!


However, running tcpdump without as many restrictions directly on 
interface em0 (external interface):

tcpdump port 520 (automatically defaults to int. em0)


16:41:18.563311 OpenBSD.optiplex-networks.com.route  
rip2-routers.mcast.net.route: RIPv2-resp [items 2]: 
{88.88.88.0/255.255.254.0}(1) {192.168.0.0/255.255.255.0}(16) [tos 0xc0] 
[ttl 1]
16:41:24.354945 192.168.0.1.route  255.255.255.255.route: RIPv2-resp 
[items 3]: {0.0.0.0}(1) {192.168.1.0/255.255.255.0}(1) 
{192.168.2.0/255.255.255.0}(1) [tos 0xc0]


Which also doesn't make sense as the router seems to be using Broadcast 
for RIP while OpenBSD is sending the updates to a multicast address 
located at 224.0.0.9:520.


Neither of which however, tells me what the system is doing in terms 
of diagnostic or verbose output of if packet filter is accepting or 
rejecting this information.


Taken from: ripctl:
 # ripctl show fib
 flags: * = valid, R = RIP, C = Connected, S = Static
 Flags  Destination  Nexthop
 *S 0.0.0.0/0192.168.0.1
 *R 0.0.0.0/0192.168.0.1
 *C 88.88.88.0/23link#2
 *S 127.0.0.0/8  127.0.0.1
 *C 127.0.0.1/8  link#0
 *  127.0.0.1/32 127.0.0.1
 *C 192.168.0.0/24   link#1
 *S 192.168.0.55/32  127.0.0.1
 *R 192.168.1.0/24   192.168.0.1
 *R 192.168.2.0/24   192.168.0.1
 *S 224.0.0.0/4  127.0.0.1

 # ripctl show neighbor
 ID  State   Address Iface Uptime
 192.168.0.1 ACTIVE/ACTIVE   192.168.0.1 em0   00:00:38


 # ripctl show fib rip
 flags: * = valid, R = RIP, C = Connected, S = Static
 Flags  Destination  Nexthop
 *R 0.0.0.0/0192.168.0.1
 *R 192.168.1.0/24   192.168.0.1
 *R 192.168.2.0/24   192.168.0.1


Which shows from the rip side of things that everything's fine.

or using:


 # pfctl -ss
 all tcp 192.168.0.55:22 - 192.168.0.82:32929   
 

Re: Router project on OpenBSD questions

[Kaya Saman]

On 02/28/2012 01:57 PM, Stuart Henderson wrote:

I also would like to know if anyone knows of any ADSL2+ Annex M standard
PCI (/x/) based modem card that I can use to connect to my ISP with
instead of using an external device?

So far in my search I came across this:

http://linitx.com/viewcategory.php?catid=47

This is basically an ADSL router on a PCI card presenting as an ethernet
interface. iirc, you configure it with telnet/http. In a normal config then
this card will be actively routing packets.

Personally I prefer to have a separate router/modem that can be swapped
out without powering down the machine, and usually connected by a better
quality network interface than an rl(4) Main advantage I see
with these particular carsd is that if you have a dual-PSU machine
you can get some power protection.

If you want to terminate ppp in OpenBSD then you can do that just
as well with an external box as you can with one of these (configure
in bridge mode, run pppoe(4) in OpenBSD).


Thanks a lot Stuart for the response!!

I think that particular interface isn't around any more as the company 
that builds them have gone here:


http://www.rocksolidelectronics.com/pages/products/v1.php


This makes more sense to me personally as I've had Cisco router 
experience as discussed; unfortunately while 'maxing' out connections 
Cisco's tend to blow up!!! They crash, get slow and start acting funny


What I'm trying to do is replace my Cisco 857, 877, and 1801 as the 
performance is **not** there for me :-( CPU driven into 100% on all 
boxes and memory used up also.



I was planning on getting a 2901 with VDSL2/ADSL2/2+ Annex M card and 8 
port Gb switch card. But after careful consideration I decided against 
it as it would issue the same problems for me and be more expensive then 
going down the OpenBSD route as discussed previously.


Also 75Mbps is mentioned by Cisco for the 2900 series:

http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html


which is pathetic as in the UK fiber networks are slowly becoming more 
available to the masses - in terms of offerings of up to 1Gbps are 
available for round #50/month ($75/month (US)).



Even a VDSL2 solution offers up to 100Mbps - depending on distance 
between local loop and CPE but I'm sure that the 2900 series or 800 
series VDSL provisioned ISR would struggle to meet those speeds.


Couple that with 1000+ TCP/IP flows through UDP or TCP packet 
transactions and any **standard** branch based ISR wouldn't be able to 
cope :-(





Are these going to be OpenBSD compatible or are there others???

Yes should be compatible, it just looks like a nic.


On the site even mentions xBSD compatibility as post read now :-)




Does anyone know of a VDSL2 solution like this also?

Don't know of one. My same comments would apply about preferring a
separate box.


See my comments above - otherwise wouldn't spend hassle on this design 
and would have gone directly to a 2901 with VDSL2 card.


Other option is this:

http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78-613481.html

and link to OpenBSD based router design... but if telco chipset (modem) 
of router gets maxed then the whole box will become saturated :-(





For software I plan to use Quagga/Zebra which should be in the ports or
compatible easily coupled with NAT, ACL's, Firewall using PF or so

In OpenBSD there are actually usable routing daemons, OpenBGPD,
OpenRIPD and OpenOSPFD.

Ugh quagga. Maybe when someone pulls together all the various
internally-maintained forks of it it'll be a bit more usable..

The OpenBSD routing daemons are pretty good. Other than that for
open-source routing there are some circumstances where BIRD running on
Linux might be useful (personally I can't stand the config but I'd
rather run this than Quagga..).


Coming from FreeBSD background I didn't know of the OpenBSD integration 
with routing etc... so thanks for the 'wake up call' :-)



Is OpenBSD compatible with Cisco VTP and STP to trunk VLANs to Cisco
switches?

I'm not familiar with VTP, the rest will be fine.

Standard 802.1q works fine - vlan(4) and we also do QinQ
(ethertype 0x88a8 only) with svlan(4).

We don't do VTP (or GVRP), you need to configure vlans separately.
Personally I don't see that as a disadvantage :)

STP is for bridging not for vlan support, we do support STP/RSTP but
not MSTP though switches should fallback to RSTP in that case. (I try
and leave bridging to switches though).


I see where you're headed with this!

Leave spanning-tree to the switches to block redundant ports and prevent 
loops but trunk everything to OpenBSD and inter-Vlan route/switch from 
there.


Rather then link aggregation using Etherchannel et el

Get a multi port NIC on the OpenBSD box then according to b/w 
requirements can trunk on different port if needed.





I did discover this already:

http://fengnet.com/book/icuna/ch05lev1sec5.html

so it would seem so, 

Router project on OpenBSD questions

[Kaya Saman]

Hi,

this is my first posting here :-)


I have currently only used OpenBSD as a test vector setup on VirtualBox 
and 2x Sun Fire V240's as a DNS server (master/slave) using Bind9. So 
basically in short am an OpenBSD newbee :-)


Ok so here goes;

I've been using FreeBSD for around 3+ years now and really enjoy it, in 
comparing OpenBSD to FreeBSD I first would like to get some user 
experience of the major advantages over it. From my reading it's meant 
to be more secure, from my (vastly) limited experience it's quite 
different to work with then FreeBSD.
-Could anyone give me any summarized answers to compare the two?


Now here comes the major project

For the last past 4 years or so I've been hosting various OpenSource 
projects from home and have a setup similar to the OpenBSD rack pics on 
the openbsd.org site :-)

To fill the role of router I have used till now, a Cisco 857, 877, and 
1801 all of who's power I've managed to max out!! :-(

As a qualified Cisco engineer but also budding UNIX engineer/enthusiast 
I've come to understand that Cisco boxes are underpowered and 
overpriced Graphing the Cisco's using SNMP and RRD tools using 
Cacti, the CPU's tend to max-out after the TCP/IP flows start reaching 
1000+ and so goes the memory too. Then I loose all kind of connectivity 
as the router either crashes or becomes unstable.

So I would like to build a router out of a Quad Core Xeon system. I've 
selected the hardware for it already and the software barring the base OS.


The hardware will run a socket 1366 Xeon using a Supermicro system 
board. (I'm sure this will be 100% compatible with OpenBSD or FreeBSD 
whichever I chose)

http://www.supermicro.nl/products/motherboard/Xeon3000/X58/X8SAX.cfm


Additionally I would like to run a 5.25 LCD in the chassis front to 
monitor on the fly system output using Lcdproc - this is available on 
FreeBSD using ports but not sure about OpenBSD though I'm sure can be 
easily compiled if necessary.

Something like the PicoLCD from Mini-Box or Matrix-Orbital displays or 
similar. --actually I think VFD's are kinda cool but need to find a 
5.25 one :-)

I also would like to know if anyone knows of any ADSL2+ Annex M standard 
PCI (/x/) based modem card that I can use to connect to my ISP with 
instead of using an external device?

So far in my search I came across this:

http://linitx.com/viewcategory.php?catid=47

Of which manufacturers seem to be:

http://www.rocksolidelectronics.com/pages/products.php


Are these going to be OpenBSD compatible or are there others???


Does anyone know of a VDSL2 solution like this also?



For software I plan to use Quagga/Zebra which should be in the ports or 
compatible easily coupled with NAT, ACL's, Firewall using PF or so


In this case comparing FreeBSD, what's OpenBSD's performance like for 
Firewall/IDS/IPS systems??


Is OpenBSD compatible with Cisco VTP and STP to trunk VLANs to Cisco 
switches?


I did discover this already:

http://fengnet.com/book/icuna/ch05lev1sec5.html

so it would seem so, however I do not know if link-aggregation would 
work?? As in Cisco Etherchannel to multiple ports on the router.

There are many more questions I have but will refrain from asking at 
this phase as most of them can be got round by researching; like Cisco 
IPSEC/GRE VPN compatibility et el.


i think am just worried about the ADSL2 modem card mainly as most of the 
above can be got over with testing and trying things out :-)


It's just a pain that a Cisco 2901 for example as claimed by Cisco can 
only route at 75Mbps (ok routing uses PPS but wirespeed is not available 
unless going carrier grade). Especially now that companies are slowly 
starting to release Residential Fiber networks upto 1Gbps... would 
render the Cisco's maxed-out power wise.



I know there are a lot of questions here but am hoping that some of them 
can be answered or at least advise given pre-testing :-)


Many thanks and best regards,


Kaya

Re: Router project on OpenBSD questions

[Kaya Saman]

snip



Good luck


Many thanks Christiano for such a quick and comprehensive response :-)


Regards,


Kaya

Re: Router project on OpenBSD questions

[Kaya Saman]

So I would like to build a router out of a Quad Core Xeon system. I've
selected the hardware for it already and the software barring the base OS.



You want the highest cache and highest frequency cpu you can find.
MP will not help you with routing performance at all.





Something like this:

http://ark.intel.com/products/53580/Intel-Xeon-Processor-E7-8870-%2830M-Cache-2_40-GHz-6_40-GTs-Intel-QPI%29

30MB cache @ 2.4GHz


However this does raise the question, 32bit or 64bit??? And what would 
be the benefit for having multi CPU sockets or cores???


--I mean for an integrated Firewall/router yes one can offload processes 
and threads per core or socket


With this though I'm betting that a Core2Quad Q8400s CPU (which I 
currently run on a FreeBSD based Mini-NAS mainframe) will be more 
powerful then any Cisco SMB based router? - I can see it being more 
powerful then my 8xx or 18xx series in anycase!



Most DIY/Linux router boxes all seem to run Mini-ITX hardware on Intel 
ATOMs or VIA processors or Vyatta running standard x86 Multi-core 
architecture for their appliances; how does this relate to the equation?



--K

Re: Router project on OpenBSD questions

[Kaya Saman]

With this though I'm betting that a Core2Quad Q8400s CPU (which I currently
run on a FreeBSD based Mini-NAS mainframe) will be more powerful then any
Cisco SMB based router? - I can see it being more powerful then my 8xx or
18xx series in anycase!


I don't know cisco, it's all about how much data you need to route.
But if you were concerned about 75mbps, even my sun ultra 5 400mhz can
do more than that.

Do the math, I'd guess you can do *at least* 300mpps with any fairly
modern cpu.
Now do 300mpps * 1500bytes, that's your throughput for full sized packets.


Hmm I think I OD'd and got a bit excited on the CPU mentioned as I 
don't even think it's out yet at least not in consumer land


Something like this:  Intel XeonX3680 Six Core 3.33GHz 12MB Cache

might be more cost effective and better suited to my needs :-)


Sun Ultra 5... you should have said something earlier ;-P I could then 
just whack OpenBSD onto my E420r lol - to be honest I was considering 
going for a used Sun Fire V210 but I don't think there are **any** ADSL 
modem cards available for SPARC! :-( otherwise that would have been an 
awsome box!!





You may want to read this:

http://www.undeadly.org/cgi?action=articlesid=2011101406


Thanks, that was interesting.

Ok I know now that I'm going down the right road :-)




Most DIY/Linux router boxes all seem to run Mini-ITX hardware on Intel ATOMs
or VIA processors or Vyatta running standard x86 Multi-core architecture for
their appliances; how does this relate to the equation?


Those are very weak processors, again, it's all about how much pps you need.


for SOHO's not engineers then :-)



Thanks for all the support!!!


Best regards,



Kaya