Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson
On 11/16/2020 6:52 AM, Stuart Henderson wrote: ...actually I have now added a workaround to the databases/openldap port in 6.8-stable to disable TLS 1.3, so either rebuild or wait for -stable packages and it should fix things. Cool, I was actually already building from source in order to

Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson
On 11/16/2020 2:30 AM, Stuart Henderson wrote: Yes OpenLDAP is broken with TLS 1.3 server-side unless you have that commit (or build LibreSSL with TLS 1.3 server support disabled). As far as I can tell there's no method to disable TLS 1.3 via config. Hmm, yah, you can disable old versions,

Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson
On 11/15/2020 10:18 PM, Brad Smith wrote: I remember seeing this commit recently. Not sure if this is your problem or not. https://marc.info/?l=openbsd-cvs&m=160511882917510&w=2 That definitely looks like it, thanks for the pointer.

OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-15 Thread Paul B. Henson
I just updated one of my servers running 6.7 to 6.8, and am having a problem with openldap. I have the intermediate cert and root CA in a file referenced by the openldap config: TLSCACertificateFile /etc/openldap/cabundle.crt Under 6.7 with the openldap port from that version, this results in

Re: pfsync interface in carp group

2020-06-09 Thread Paul B. Henson
On 6/9/2020 1:42 PM, Markus Wernig wrote: Neither jumbo frames nor multicast will prevent group demotion when the other side of a crosslink cable goes physically down. Only not having the sync interface in the carp group will. True. But I think he was just discussing general best practices,

Re: pfsync interface in carp group

2020-06-09 Thread Paul B. Henson
On 6/9/2020 7:36 AM, Stuart Henderson wrote: IME the best setup for pfsync between 2 machines is to use a dedicated cross-connect (preferably configured for jumbo frames). Obviously that's not possible with >2 machines though. Hmm, I had never considered using jumbo frames. It looks like

Re: pfsync interface in carp group

2020-06-08 Thread Paul B. Henson
On 6/8/2020 6:29 AM, Philipp Buehler wrote: did you follow some "howto" and set net.inet.carp.preempt=1? Well, if you consider the official openBSD documentation a "how-to", then yes :). In the example in https://www.openbsd.org/faq/pf/carp.html under the section "Combining CARP and

Re: pfsync interface in carp group

2020-06-08 Thread Paul B. Henson
On 6/7/2020 5:21 PM, Markus Wernig wrote: I don't see that behaviour on my carp pair. Are you using a cross-link cable between the two firewalls? (You shouldn't, in my experience.) Yes, I am using a direct link between the two physical firewalls. It seems to be the configuration recommended

pfsync interface in carp group

2020-06-07 Thread Paul B. Henson
I've had a pair of redundant firewalls using pfsync for years. I've noticed in the past that whenever I rebooted the secondary firewall, the carp interfaces on the primary would flip to backup and then back to master as the secondary one rebooted. I never really noticed any issues with it, so

Re: pfsync and rule specific state timeouts

2020-06-07 Thread Paul B. Henson
On 6/5/2020 11:15 PM, obs...@loopw.com wrote: 1) “egress” can be used to reference the external nic in a rule, instead of having a specific IP. Egress is defined as the nic with the default route. pass in quick log on egress inet proto tcp to (egress) port 22 Ah, I think I've seen that in the

pfsync and rule specific state timeouts

2020-06-05 Thread Paul B. Henson
Where is it documented that in order for pfsync to properly synchronize rule specific state timeouts that the rule sets on the systems being synchronized must be *exactly* the same? I have a pair of redundant firewalls synchronizing state, and recently added a couple rules that increase the

state replication bug in pfsync?

2020-06-04 Thread Paul B. Henson
I've been trying to diagnose a mysterious issue where a UDP state disappears before it's supposed to expire. I finally tracked it down to pfsync. On the primary server, the state entries look like: all udp 198.148.6.55:9430 <- 10.128.110.73:9430 MULTIPLE:MULTIPLE age 00:02:21, expires

Re: lost pf state - disappeared before expiration?

2020-05-18 Thread Paul B. Henson
On 5/17/2020 8:40 PM, Strahil Nikolov wrote: > What is your conf having as a timeout ? Both of the rules explicitly override the default timeout with a six minute rule level timeout: pass in quick on vlan110 proto udp from any to port = 9430 tag VOIP_UDP keep state (udp.multiple 360)

lost pf state - disappeared before expiration?

2020-05-17 Thread Paul B. Henson
I'm trying to set a longer timeout on a udp state, and for some reason it seems to be disappearing before the expiration 8-/. There are 3 rules involved: pass in quick on vlan110 proto udp from any to port = 9430 tag VOIP_UDP keep state (udp.multiple 360) pass out quick on $ext_if proto udp

mysteriously disappearing pf state entries

2020-05-08 Thread Paul B. Henson
I'm running OpenBSD 6.6 operating as an inter-VLAN and border router using pf. Recently I wanted to use a nondefault state timeout for some UDP traffic traversing from my voip subnet to a provider off site. Within pf, there are three rules involved. The first is for traffic coming from the

isc bind - error sending response: would block

2018-11-16 Thread Paul B. Henson
I recently updated a couple servers that were running OpenBSD 6.3 with bind 9.11.3 to OpenBSD 6.4 and bind 9.11.4pl2. Since then, I've been getting a large number of "error sending response: would block" log messages: Nov 15 11:03:58 lisa named[79587]: client @0x6f2f02bc440 10.128.30.77#65198

Re: smtpd new "relay as" syntax?

2018-10-31 Thread Paul B. Henson
On Wed, Oct 31, 2018 at 08:07:09PM -0400, TronDD wrote: > Mail-from in the action options, I believe. Ah, yes; that seems to work, thanks. The previous implementation was documented as: If the as parameter is specified, smtpd(8) will rewrite the sender advertised in the SMTP session. address

smtpd new "relay as" syntax?

2018-10-31 Thread Paul B. Henson
I just upgraded to OpenBSD 6.4, and I'm trying to figure out how to do this with the new syntax: accept from local for any relay via smtp://smtp.domain.com as "@domain.com" This would rewrite the outbound message to masquerade as being from the TLD rather than a specific machine. Right now I've

Re: opensmtpd / ldap unreliable

2018-05-26 Thread Paul B. Henson
On Sat, May 26, 2018 at 08:16:28AM +0200, Gilles Chehade wrote: > please do so we have more people able to test Done, thanks. What are your thoughts design-wise on dealing with ldap not being available at startup? Should layer 7 issues (ldap auth failed, etc) be handled differently than

Re: opensmtpd / ldap unreliable

2018-05-24 Thread Paul B. Henson
> From: Gilles Chehade > Sent: Wednesday, May 23, 2018 1:20 PM > > That's bad but could easily be fixed if you want to help us So I dropped in the latest table-ldap from git, and it still failed authentications after an LDAP server outage. It looks like the check is only in the table_ldap_check

Re: opensmtpd / ldap unreliable

2018-05-23 Thread Paul B. Henson
> From: Gilles Chehade > Sent: Wednesday, May 23, 2018 1:20 PM > > That's bad but could easily be fixed if you want to help us Definitely; I'll pull the latest github head down and see if that fixes the LDAP connection recovery after startup issue, and then I can try any suggestions to make it

Re: opensmtpd / ldap unreliable

2018-05-23 Thread Paul B. Henson
> From: justina colmena > Sent: Tuesday, May 22, 2018 9:08 PM > > Are they being started in the wrong order at boot time? The LDAP server in use is not running on the local openBSD system. It might not be available due to an underlying network issue or some other problem that temporarily

opensmtpd / ldap unreliable

2018-05-22 Thread Paul B. Henson
So I recently converted my opensmtpd server to use ldap as the backend for user authentication. It seems it's a bit intolerant to ldap issues? If the ldap server isn't available when opensmtpd is started, it says it started: # /etc/rc.d/smtpd start smtpd(ok) But it isn't there: # ps -aux |

Re: pcengines apu boards

2018-01-28 Thread Paul B. Henson
On Wed, Jan 17, 2018 at 12:56:04PM +0100, Christopher Zimmermann wrote: > I have the same problem and have tried to hunt the bug, but failed so > far. Have you already identified the quirks linux and freebsd use to > fix this problem? No :(, I worked on it for a while but kernel hacking isn't my

Re: rdomain/rtable

2017-12-24 Thread Paul B. Henson
Thanks for the info. I don't want to move any interfaces to a non-default routing domain, I just want to be able to run a process with a different default route. I can make that work, via the route -T 10 exec you mention after setting a default route in that domain. But I can't seem to get

Re: Solved IPMI, but I can't get onto network to outside

2017-12-21 Thread Paul B. Henson
On Thu, Dec 21, 2017 at 12:52:33PM -0700, Chris Bennett wrote: > > > IP: 104.217.196.248/29 > > > Gateway: 104.217.196.249 > > > Netmask: 255.255.255.248 > > > > > > > What is your network interface? > > > > I have two, em0 and em1 > > em0: > inet 104.217.196.248 255.255.255.248 > > And I

rdomain/rtable

2017-12-19 Thread Paul B. Henson
I've got a box with an LTE cellular modem in it whose purpose is to provide a backup connection to the Internet if the hardwire service goes down. It's running OSPF to connect to the rest of the network, and the only time any traffic should go over the cellular link (which is slower and bandwidth

Re: help updating EHCI driver

2017-12-07 Thread Paul B. Henson
> From: Martin Pieuchot > Sent: Thursday, December 7, 2017 3:18 AM > > Which issue are you having? Sorry, there was more context in an earlier thread. Basically, I have a pc engines APU3 board which has AMD Hudson-2 EHCI USB ports on it. If devices are plugged in when the system boots and the

Re: 3g modem support

2017-12-06 Thread Paul B. Henson
> From: Marko Cupac > Sent: Wednesday, December 6, 2017 2:47 AM > > ...which suggests some Sierra Wireless modems, none of which are > available for purchase in the country I live in. I've got the MC7455, which I believe is basically the same as the EM7455. Presumably this might be one of the

help updating EHCI driver

2017-12-05 Thread Paul B. Henson
I'm trying to port some quirks for AMD USB chipsets from other operating systems to OpenBSD to hopefully resolve issues I am having with the pc engines APU3 EHCI ports, as they seem to work fine on those systems. I've got a pretty rough draft of one of them, which disables low-power mode during

Re: pcengines apu boards

2017-12-04 Thread Paul B. Henson
> From: Marko Cupac > Sent: Monday, December 4, 2017 3:54 AM > > I have just ordered one APU3b4, as I wanted to test mobile provider as > a backup link. I see it probably won't be any good as OpenBSD router > (yet), but at least I'll be able to test and give feedback. Assuming you're planning to

Re: pcengines apu boards

2017-12-02 Thread Paul B. Henson
On Sat, Dec 02, 2017 at 10:40:14PM +1000, Douglas Ray wrote: > On the APU3a4 the internal USB headers were broken. > I had email from pcengines (March 2017) saying this would > be addressed in the APU3b series, but we went for APU2. I have an APU3b series, they fixed the incorrect pinout on the

Re: broken EHCI USB on AMD chipset?

2017-12-01 Thread Paul B. Henson
> From: Stefan Sperling > Sent: Friday, December 1, 2017 10:35 AM > > Problems with ehci(4) on AMD SB700 are known. > For instance, athn(4) USB devices don't work on such ports. Interesting; that's a similar device to the LTE network modem I'm working with. > Could you try adding missing

Re: broken EHCI USB on AMD chipset?

2017-11-30 Thread Paul B. Henson
On Tue, Nov 28, 2017 at 08:03:05PM -0800, Paul B. Henson wrote: > The EHCI ports seem to work fine under Linux, including the LTE modem > when attached to them, so this seems to be an issue with openbsd, not > faulty hardware per se. I tested FreeBSD on this box as well, it detected

Re: pcengines apu boards

2017-11-30 Thread Paul B. Henson
> From: Eike Lantzsch > Sent: Thursday, November 30, 2017 3:12 PM > > here: APU2C4 with one SATA drive of 6TB and one 4TB via USB3 and an Hmm, I didn't think the apu2 had USB3, but double checking the specs I see it does. My friend that said he had an APU2 must actually have an original APU, as

Re: pcengines apu boards

2017-11-30 Thread Paul B. Henson
> From: Bryan Everly > Sent: Thursday, November 30, 2017 2:46 PM > > I'm running my primary firewall at home on an apu2... Cool. Have you ever tried using an internal Mini PCI card in it?

Re: pcengines apu boards

2017-11-30 Thread Paul B. Henson
> From: Base Pr1me > Sent: Thursday, November 30, 2017 2:08 PM > > I run 5 apu2 devices with no problems. I don't have any apu3 devices ... yet. Thanks for the feedback. Do you by any chance have any USB type Mini PCI cards installed internally? I initially noticed the issue with a mini PCI LTE

pcengines apu boards

2017-11-30 Thread Paul B. Henson
I was wondering if anybody is successfully running openbsd on pcengines apu boards? I have one of their APU3 series, specifically an apu3b4 with OpenBSD 6.2 on it but I can't get the USB2 EHCI ports functioning correctly (for one thing, they don't detect a hot plugged device), I'm not sure if it's

broken EHCI USB on AMD chipset?

2017-11-28 Thread Paul B. Henson
I have a pcengines APU 3 system, which has both USB3 and USB2 ports: ehci0 at pci0 dev 18 function 0 "AMD Hudson-2 USB2" rev 0x39: apic 4 int 18 ehci1 at pci0 dev 19 function 0 "AMD Hudson-2 USB2" rev 0x39: apic 4 int 18 xhci0 at pci0 dev 16 function 0 "AMD Bolton xHCI" rev 0x11: msi The USB2

Re: umb device, SIM has no PIN?

2017-11-24 Thread Paul B. Henson
On Fri, Nov 24, 2017 at 11:08:25AM +, Stuart Henderson wrote: > > booted under openbsd. The umb driver doesn't support accessing the card > > directly for debugging and diagnostics? > > Correct, you can't get at those from OpenBSD atm. That's a bummer; guess you wouldn't care too much if

Re: umb device, SIM has no PIN?

2017-11-23 Thread Paul B. Henson
> The card is a Sierra Wireless MC7455; to get it working with the umb Looking at the source code, I see that there's a workaround for the EM7455 card, something about requiring an "FCC Authentication" command? From what I understand the MC7455 is the same as the EM7455 other than form factor,

umb device, SIM has no PIN?

2017-11-22 Thread Paul B. Henson
I'm trying to get an LTE card working in MBIM mode with the umb device driver, but it just keeps saying "SIM not initialized PIN required". The SIM isn't PIN locked, as far as I know the SIM has no PIN. I've tested the card and SIM under linux on the exact same system and was able to get it

Re: kernel reordering and config -e

2017-11-22 Thread Paul B. Henson
On Wed, Nov 22, 2017 at 04:45:59PM +, Kevin Chadwick wrote: > I believe the second scenario would need /dev/mem access making it a > larger change than it first appears (config with a new option could > possibly save the original kernel file and compare the two kernel > files). Ah, I didn't

Re: kernel reordering and config -e

2017-11-21 Thread Paul B. Henson
On Tue, Nov 21, 2017 at 09:49:37AM +, Dimitris Papastamos wrote: > This is what I do in rc.shutdown to handle this case: > > /usr/bin/printf "disable inteldrm*\nquit\n" | /usr/sbin/config -ef /bsd > /bin/sha256 -h /var/db/kernel.SHA256 /bsd Cool, thanks for the suggestion; that should be

Re: kernel reordering and config -e

2017-11-21 Thread Paul B. Henson
On Mon, Nov 20, 2017 at 02:01:56PM -0700, Theo de Raadt wrote: > If someone wants to solve this fully there have been some proposals > for keeping track of the instruction sequence, and attempting to > reapply it upon each relink in the build directory. There just hasn't > been any scripting

Re: kernel reordering and config -e

2017-11-20 Thread Paul B. Henson
On Mon, Nov 20, 2017 at 08:37:43AM +, Roderick wrote: > Commenting out the line "/usr/libexec/reorder_kernel &" at the > end of rc? > > I suspect it is not forseen not to benefice of KARL. No, actually, if the hash of the kernel is different than expected, the reorder_kernel aborts and

Sierra Wireless MC7455 LTE cell network card

2017-11-19 Thread Paul B. Henson
I'm trying to get the subject card to work under OpenBSD 6.2; it works fine under Linux so I know the card itself and its SIM etc are correctly configured and functional. The card is set to MBIM mode, and I'd like to use the umb driver rather than the umsm driver as not to have to muck with PPP.

Re: kernel reordering and config -e

2017-11-19 Thread Paul B. Henson
On Mon, Nov 20, 2017 at 06:50:30AM +0100, Sebastien Marie wrote: > When it did that, it uses the object (I didn't recall the exact name) > with the previous mentioned array, with *default* configuration. So the > previous modification done with config(8) is cleared. Yeah, I figured that out

kernel reordering and config -e

2017-11-19 Thread Paul B. Henson
I just updated a server to 6.2; unfortunately this box has an oddball SOL com2 on irq10 so I need to run 'config -e' on the kernel to update it and make the serial console work. I noticed afterwards in the boot messages it was complaining about kernel reordering failures, and thinking I was fixing

Re: OpenBSDI 6.1 some Warnings when using OpenLDAP Tools

2017-08-10 Thread Paul B. Henson
On Wed, Aug 09, 2017 at 09:06:19AM +0200, Markus Rosjat wrote: > this is more an info than a problem though since it seems to work. > When I use the slap tool like slapcat I get a size mismatch warning like > this Heh, we were just talking about that:

Re: WARNING: symbol(icudt58_dat) size mismatch, relink your program

2017-08-05 Thread Paul B. Henson
On Sat, Aug 05, 2017 at 12:35:24AM +, Stuart Henderson wrote: > The ports@ list is a better venue for ports-related queries, > please see this: https://marc.info/?l=openbsd-ports&m=150157643516239&w=2 Ah, ok, thanks for the pointer. > This is not preventing programs from running. Hmm, I

Re: WARNING: symbol(icudt58_dat) size mismatch, relink your program

2017-08-03 Thread Paul B. Henson
On Thu, Aug 03, 2017 at 05:33:15PM -0400, Predrag Punosevac wrote: > It is well known issue. > > https://marc.info/?l=openbsd-misc&m=149271724912565&w=2 > > It seems to be benign at least for my use case. Yah, I saw that discussion from back in April, but then it just stopped with no resolution.

Re: openldap port mdb support

2017-08-03 Thread Paul B. Henson
On Mon, Jul 10, 2017 at 07:34:11AM +, Stuart Henderson wrote: > Feel free to try it, I believe the required patch to force MDB_WRITEMAP > is still in there..but I don't think there were any major changes upstream > since the last attempt so I wouldn't hold out too much hope for it working >

Re: WARNING: symbol(icudt58_dat) size mismatch, relink your program

2017-08-03 Thread Paul B. Henson
On Wed, Aug 02, 2017 at 05:37:40PM -0700, Paul B. Henson wrote: > I'm trying to compile openldap from ports under 6.1, and running it > fails with the error: > > slapd:/usr/local/lib/libicuuc.so.12.0: /usr/local/lib/libicudata.so.12.0 > : WARNING: symbol(icudt58_dat) size mismat

WARNING: symbol(icudt58_dat) size mismatch, relink your program

2017-08-02 Thread Paul B. Henson
I'm trying to compile openldap from ports under 6.1, and running it fails with the error: slapd:/usr/local/lib/libicuuc.so.12.0: /usr/local/lib/libicudata.so.12.0 : WARNING: symbol(icudt58_dat) size mismatch, relink your program I see there was some discussion of this back around April, but no

openldap port mdb support

2017-07-10 Thread Paul B. Henson
mdb has been disabled in the openldap port since it looks like 2015/02/16, I was wondering if anyone has tried it since then to see if maybe the issues with it have been resolved? The other backends are deprecated upstream, it would be nice to get mdb working under openbsd. I'm going to try

Re: ipmi driver broken

2017-06-29 Thread Paul B. Henson
> From: Ted Unangst > Sent: Wednesday, June 28, 2017 8:50 PM > > i'm afraid i won't make a very good ipmi maintainer, but i think i applied the > patch in the right spot. Cool, thanks; much appreciated.

Re: ipmi driver broken

2017-06-29 Thread Paul B. Henson
> From: Theo de Raadt > Sent: Wednesday, June 28, 2017 8:41 PM > > If you want it working, you will need to get it fixed. On all > machines, so that we can renable it. I definitely don't want to be one of those entitled people demanding work from developers without providing anything that you

Re: ipmi driver broken

2017-06-28 Thread Paul B. Henson
On Wed, Jun 28, 2017 at 06:31:34PM -0400, Predrag Punosevac wrote: > My understanding is that ipmi driver used by ipmitool is disabled > intentionally due to the security problems. IPMI pose a grave security > risk. IPMI on the SP is available whether or not the openbsd driver is enabled or in

ipmi driver broken

2017-06-28 Thread Paul B. Henson
I noticed back when I upgraded to 5.9 the ipmi driver stopped working, it just said: ipmi0: get header fails ipmi0: no SDRs IPMI disabled I found the following post at the time which appeared to point out the issue and suggest a fix:

Re: what all touches the carp demote counter?

2016-10-14 Thread Paul B. Henson
On Fri, Oct 14, 2016 at 01:27:42PM -0700, Paul B. Henson wrote: > Arg, I'm still having issues with the carp demote counter. I disabled > ospfd for now, but something is still changing it. After a reboot > without ospfd, the counter is changing between 0 and 1: Ah, I tracked it do

Re: what all touches the carp demote counter?

2016-10-14 Thread Paul B. Henson
Arg, I'm still having issues with the carp demote counter. I disabled ospfd for now, but something is still changing it. After a reboot without ospfd, the counter is changing between 0 and 1: bash-4.3# ifconfig -g carp carp: carp demote count 1 bash-4.3# ifconfig -g carp carp: carp demote count

Re: what all touches the carp demote counter?

2016-10-12 Thread Paul B. Henson
On Wed, Oct 12, 2016 at 08:37:59AM +0200, mxb wrote: > But as R0me0 stated, you should probably re-check your configuration. The configuration checked out. I rebooted a few more times, and I couldn't reproduce the problem. I still have no idea why the carp demotion counter was set to 2 the first

Re: what all touches the carp demote counter?

2016-10-11 Thread Paul B. Henson
On Tue, Oct 11, 2016 at 08:44:05AM +0200, mxb wrote: > Master-Backup setup with pfsync in place, means that you synchronize > states between boxes. Then Master is rebooted, it becomes out-of-sync > then it comes to states. So until it is in sync with Backup (which > became Master after reboot),

Re: what all touches the carp demote counter?

2016-10-10 Thread Paul B. Henson
On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote: > Did you adjust advskew value on the machine you want to be Backup ? Yes, the backup has an advskew of 5 and the primary an advskew of 1. As I mentioned, when I first configured the interfaces by hand the two systems properly negotiated

what all touches the carp demote counter?

2016-10-10 Thread Paul B. Henson
I'm setting up a second router that's going to sit next to an existing one and become a redundant failover system. The current one is in production, and I've been converting some of the existing LAN subnets on it to use carp interfaces and making them primary and the new box secondary. I also set

no SDRs IPMI disabled?

2016-04-02 Thread Paul B. Henson
I just installed 5.9 on a Supermicro X11SSL-F board, and tried to enable the ipmi driver. During boot, it shows: ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 spacing 1 iic0: skipping sensors to avoid ipmi0 interactions ipmi0: get header fails ipmi0: no SDRs IPMI disabled ipmi at

Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-31 Thread Paul B. Henson
On Wed, Mar 30, 2016 at 03:34:25PM -0400, Sonic wrote: > Ahha! Who would have thought... com0 was the ticket. Thanks much! Sweet, glad to hear you got it working. Usually the IPMI SOL comes after the physical serial ports, I've never seen it be the first one. But hey, it's Dell :). Maybe now

Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-31 Thread Paul B. Henson
On Tue, Mar 29, 2016 at 10:46:15PM -0400, Sonic wrote: > The IPMI is part of Dell's iDRAC stuff and the only thing I've found [...] > may be the iDRAC license level as well, anything above the "basic" > level, providing a limited feature set, requires purchasing a license Eeew. We've got some HP

Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-29 Thread Paul B. Henson
On Tue, Mar 29, 2016 at 07:06:41PM -0400, Sonic wrote: > On Tue, Mar 29, 2016 at 6:15 PM, Paul B. Henson <hen...@acm.org> wrote: > > stty com1 115200 > > set tty com1 > > Yes, tried that with no luck, SOL still stops forwarding. The box does Hmm, that sounds brok

Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-29 Thread Paul B. Henson
On Tue, Mar 29, 2016 at 04:55:05PM -0400, Sonic wrote: > Unfortunately that option isn't available for me. The IPMI SOL on this > Dell stops forwarding the console once the system boots. The usb keyboard should still work when the bootloader is running, that's being handled by the BIOS. You just

Re: Supermicro X11SSL-F freezes probing USB 3

2016-03-28 Thread Paul B. Henson
On Mon, Mar 28, 2016 at 03:06:39PM -0400, Sonic wrote: > If I wait long enough the install will finally finish booting but the > keyboard (no ps2 ports) doesn't work. Could I trouble you to be more specific as to the duration of "long enough" :)? I think my patience ran out after about 15-20

Supermicro X11SSL-F freezes probing USB 3

2016-03-07 Thread Paul B. Henson
I just put together a new server with a Supermicro X11SSL-F motherboard and a Xeon E3-1240L v5 processor, and was trying to install openbsd 5.8 on it. The install cd freezes while booting after it probes the USB 3 devices: >>> xhci probe won xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI"

skylake Xeon, C232 chipset, i210-AT ethernet

2015-12-17 Thread Paul B. Henson
I'm about to build a server with a supermicro X11SSL-F motherboard and a Xeon E3-1240L v5 processor. The SATA ports should be AHCI compliant, and it looks like the i210-AT ethernet is supported by the em driver, so I think everything should work ok. But it's pretty new stuff, so I wanted to check

Re: npppd with two pppx interfaces causes kernel panic

2014-03-20 Thread Paul B. Henson
From: YASUOKA Masahiko Sent: Wednesday, March 19, 2014 9:44 PM Should I just keep an eye on the changelog for mention of pppx changes to tell when it's safe to try again? Sorry I cannot understand the point of this question. Sorry to be confusing; I switched to tun because of this bug,

Re: npppd with two pppx interfaces causes kernel panic

2014-03-20 Thread Paul B. Henson
From: Jonathan Gray Sent: Thursday, March 20, 2014 3:36 AM The following diff prevents the panic here: Interesting, given the XXX, it seems somebody was already a little suspicious of this section :). From a cursory glance, it seems pppx_dev_lookup is supposed to return data about a

npppd can't open /dev/pppx1

2014-03-19 Thread Paul B. Henson
I set up an L2TP VPN with npppd recently using pppx, and other than some routing issues with ospfd it works great. I'm trying to add a second VPN connection, but that doesn't seem to work using pppx. With this config: interface pppx0 address 10.128.120.1 ipcp IPCP_admin interface pppx1 address

Re: npppd can't open /dev/pppx1

2014-03-19 Thread Paul B. Henson
up in ifconfig for the clients, which I guess led me to believe I didn't have to do anything special to use pppx1 in the npppd config. Thanks, and sorry for the noise. On Wed, Mar 19, 2014 at 02:29:35PM -0700, Paul B. Henson wrote: I set up an L2TP VPN with npppd recently using pppx, and other

npppd with two pppx interfaces causes kernel panic

2014-03-19 Thread Paul B. Henson
After successfully setting up an L2TP VPN with npppd and pppx, I tried to add a second VPN subnet with a different authentication base. I was working remotely, and after starting npppd in debug mode: bash-4.2# npppd -d 2014-03-19 14:41:50:NOTICE: Starting npppd pid=32407 version=5.0.0 2014-03-19

Re: npppd with two pppx interfaces causes kernel panic

2014-03-19 Thread Paul B. Henson
On Thu, Mar 20, 2014 at 10:22:51AM +0900, YASUOKA Masahiko wrote: pppx will be fixed. Great :). This is a known bug then? Should I just keep an eye on the changelog for mention of pppx changes to tell when it's safe to try again? You can use tun(4) instead if you want to use multiple

Re: ospfd and L2VPN routes

2014-03-05 Thread Paul B. Henson
From: YASUOKA Masahiko Sent: Wednesday, March 05, 2014 1:48 AM framed-ip-netmask in npppd-user to set the netmask of the route to the PPP link. But it is not to set the client netmask (on iPhone). AFAIK to set the client netmask, DHCP inform can be used. Hmm, I thought the VPN client

Re: ospfd and L2VPN routes

2014-03-05 Thread Paul B. Henson
From: YASUOKA Masahiko Sent: Wednesday, March 05, 2014 3:20 AM % ospfctl show fib | grep 128 *56 10.128.120.0/24 127.0.0.1 *56 10.128.120.213/32 10.0.0.1 Interesting, not only does it show a /24 route, it looks like it has it marked as valid. Is this with pppx

Re: npppd ipcp pool address configuration

2014-03-01 Thread Paul B. Henson
On Sat, Mar 01, 2014 at 12:56:16PM +0900, YASUOKA Masahiko wrote: Currently the parser needs to surrounding the address-mask with double quote like below: pool-address 10.128.120.0/24 Ah, yes; that's much better: 2014-03-01 15:59:13:INFO: ipcp=IPCP pool dyn_pool=[10.128.120.0/24]

Re: ospfd and L2VPN routes

2014-03-01 Thread Paul B. Henson
On Sat, Mar 01, 2014 at 01:48:06PM +0900, YASUOKA Masahiko wrote: on the other side? Right now it looks like the client is setting a route to 10.0.0.0/8 across the tunnel, that should actually be 10.128.0.0/16, would setting the netmask in npppd-users fix that remote route? Can I set the

Re: ospfd and L2VPN routes

2014-03-01 Thread Paul B. Henson
On Sat, Mar 01, 2014 at 07:41:10PM +0900, YASUOKA Masahiko wrote: I could repeat the problem. ospfd seems not to be able to use routes set by npppd. The problem seems to be come from pppx(4)'s behavior of its link state. Using tun(4) instead of pppx(4) avoid the problem. If I switch

npppd ipcp pool address configuration

2014-02-28 Thread Paul B. Henson
According to the npppd.conf man page: pool-address address-range | address-mask [for dynamic | static] Specify the IP address space that is pooled for this IPCP setting. The address space can be specified by address-range (e.g.

npppd l2tp-require-ipsec option

2014-02-28 Thread Paul B. Henson
After getting the basic functionality of an L2TP VPN working with npppd, I tried turning on the l2tp-require-ipsec option, as that seemed desirable; I don't really want an l2tp session set up that's not encapsulated in ipsec. However, with that option on, the attempted VPN connection doesn't seem

ospfd and L2VPN routes

2014-02-28 Thread Paul B. Henson
I'm currently setting up an L2TP VPN with npppd. I've got the VPN piece working, and can send packets between the client and the openbsd box running the vpn. However, I'm currently using ospfd for routing between the rest of the network and the openbsd box, and it doesn't seem to be pushing routes

Re: npppd l2tp-require-ipsec option

2014-02-28 Thread Paul B. Henson
On Fri, Feb 28, 2014 at 01:54:13PM -0800, Jeff Goettsch wrote: That's a known bug: http://www.openbsd.org/cgi-bin/man.cgi?query=npppd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html#end Ah, I see; I hadn't actually looked at the npppd man page, only the npppd.conf man page. The

Re: ospfd and L2VPN routes

2014-02-28 Thread Paul B. Henson
On Sat, Mar 01, 2014 at 11:23:01AM +0900, YASUOKA Masahiko wrote: I'm not sure whether it works. Can you try it by static route? A static route on the network on the other side of the openbsd box? I'm sure that would work; when I try to ping a box out in the network from the vpn client, I can

Re: L2TP VPN / pf

2014-02-27 Thread Paul B. Henson
From: YASUOKA Masahiko Sent: Wednesday, February 26, 2014 8:46 PM set skip on pppx0 needs to be improved because npppd may use pppx1, pppx2 ... Once I've got things working, I'm probably going to want to have more explicit rules rather than skipping; if I understand correctly I can just use

Re: L2TP VPN / pf

2014-02-27 Thread Paul B. Henson
From: YASUOKA Masahiko Sent: Thursday, February 27, 2014 5:44 PM In L2TP/IPsec, transport mode IPsec is used instead of tunnel mode. This means enc(4) is not used. And de-capsulated L2TP packets are received on the same interface which receives IPsec packet. Hmm, that's not what I'm

L2TP VPN / pf

2014-02-26 Thread Paul B. Henson
I'm trying to get a L2TP VPN working using npppd; I think I'm most of the way there but packets just aren't quite flowing. I'm not sure why, but I think I might be missing something or misunderstanding something with pf. I've got ipsec=YES and isakmpd_flags=-K in rc.conf.local, and

Re: Poor CARP Interface Performance with NAT

2014-01-28 Thread Paul B. Henson
On Tue, Jan 21, 2014 at 03:51:23PM -0800, Gabriel Kuri wrote: I am running obsd 5.4 as my NAT router. I decided to setup a second obsd box and run carp between the two for the external NATed interface (facing the ISP). After I setup everything and switched pf to NAT using the address on the

Re: IPMI SOL serial console wedges

2013-11-25 Thread Paul B. Henson
On Mon, Nov 25, 2013 at 12:09:33PM +, Stuart Henderson wrote: How come freebsd dynamically detects the correct irq, but openbsd has it hardcoded? linux and freebsd kernels use acpi to configure isa serial ports, openbsd uses static allocations. Ah, ok; now that I know what's going

Re: Intel 82574L vs 82579LM

2013-11-25 Thread Paul B. Henson
On Mon, Nov 25, 2013 at 04:30:36PM +0400, Alexander Pakhomov wrote: Both should not load CPU a lot. But that doesn't mean they wouldn't. Write here if notice intense interrupts CPU load. My OpenBSD 5.4 amd64 laptop fail to handle 2 MB/s wifi due to some drivers issues (they load CPU up to

IPMI SOL serial console wedges

2013-11-24 Thread Paul B. Henson
I've got a supermicro X9SCL-F board with ipmi support, and I'm trying to use it for the serial console. It shows up as a third com port. After booting the latest install cd, I run the usual stty com2 115200 and set tty com2, and then boot. The kernel messages show up fine, and then the output just

Re: IPMI SOL serial console wedges

2013-11-24 Thread Paul B. Henson
but then userland borks it. The SOL port works fine as a console when I boot linux on the box, so either there's an openbsd bug with it or linux must be implementing some workaround for a problem. Thanks anyway... Paul B. Henson(hen...@acm.org) on 2013.11.24 00:16:52 -0800: I've got a supermicro X9SCL-F

Re: IPMI SOL serial console wedges

2013-11-24 Thread Paul B. Henson
On Sun, Nov 24, 2013 at 04:13:27PM -0500, Jiri B wrote: Supermicro IPMI is crap. Use normal serial console and add a power strip which you can manage via ethernet to poweroff/power cycle the server. Well, I can't say it's the greatest implementation ever, but arguably it doesn't seem much

Re: IPMI SOL serial console wedges

2013-11-24 Thread Paul B. Henson
On 11/24/2013 2:00 PM, Theo de Raadt wrote: Well, I can't say it's the greatest implementation ever, but arguably it doesn't seem much worse than on my Sun or IBM servers. [...] You just cannot compare this to what Sun did, by (almost always) using a separate ethernet port. Probably still
