Re: iBGP: losing routes after eBGP flap
Claudio Jeker wrote:
> On Fri, Aug 03, 2007 at 07:56:02PM +0200, Toni Mueller wrote:
>> Hi,
>> I've got a setup on two i386 family PCs with 4.1-stable which includes the following:
>>
>> Internet 1 - p1 - r1 -- r2 - p2 - Internet 2
>>
>> r1 and r2 have an iBGP session running, and the Internet connections go to different ISPs, running eBGP on each (r1-p1, r2-p2). I receive full routes from both ISPs mentioned, and have "announce all" in my iBGP configuration (this is the default, too, but anyway...).
>> Today, I had to take one line down for testing, thus ending the corresponding eBGP session (r1-p1). When the line came back up, it started to collect routes from p1 again, as one would expect, but at the same time dropped routes from r2, leaving only some 300 routes from the iBGP peer (r2). On r2, everything looks normal, it receives a full table from both r1 and p2.
>> So, on r1, I tried "bgpctl nei r2 refresh", but to no avail. What gives?
> This is more or less expected. iBGP sessions only transmit eBGP paths that are valid and best for the router. So on r2 you have all the iBGP routes from r1 and r2 has no reason to send something back to r1 because its routes are not better than the ones from r1.

I was observing the behaviour you are describing until yesterday, when I re-installed my two border routers to 4.1, then updated to 4.1-stable. My two borders now have the full tables from each other (iBGP), plus the full route from the peer each is attached to (eBGP).
[EMAIL PROTECTED]:~# bgpctl sh sum
Neighbor ASMsgRcvdMsgSentOutQ Up/Down State/PrefixRcvd
TRANSIT-11 99584 1212 0 20:09:29 222366
IBGP 7 91488 96015 0 20:09:29 223170

[EMAIL PROTECTED]:~# bgpctl sh sum
Neighbor ASMsgRcvdMsgSentOutQ Up/Down State/PrefixRcvd
TRANSIT-24 289859 4204 0 2d22h02m 223141
IBGP 7 192558 301618 0 20:17:45 222315

They both have two routes to every network:

*3.0.0.0/8 149.6.80.149 100 94101 4 701 703 80 i
I 3.0.0.0/8 85.31.195.9100 0 1 3356 701 703 80 i
*4.0.0.0/8 149.6.80.149 100 94001 3356 i
I 4.0.0.0/8 85.31.195.9100 0 1 3356 i

This is not a problem for me, but I had to let you know.

Best,
-- Ronnie Garcia r.garcia at ovea dot com
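To make Claudio's point concrete, here is a small model of the r1/r2 topology from this thread (an added example, not code from the posts or from OpenBGPD): each border router picks a best path per prefix and advertises to its iBGP peer only the best paths it learned over eBGP, never paths it learned over iBGP. The prefixes, AS paths and next-hop addresses are constructed; the counts show why r1 sees a full table from r2 while its own eBGP session is down and only a handful of iBGP routes once it is back.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Path:
    prefix: str
    nexthop: str
    as_path: Tuple[int, ...]
    source: str            # "ebgp" or "ibgp": which kind of peer we learned it from
    localpref: int = 100


def best_path(candidates: List[Path]) -> Path:
    """Simplified decision process: highest localpref, then shortest AS path,
    then eBGP over iBGP, then lowest next-hop as a deterministic tiebreak."""
    return min(candidates,
               key=lambda p: (-p.localpref, len(p.as_path),
                              p.source != "ebgp", p.nexthop))


class Router:
    """One border router with a single eBGP peer and a single iBGP peer."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.ebgp: Dict[str, Path] = {}    # Adj-RIB-In from the eBGP peer
        self.ibgp: Dict[str, Path] = {}    # Adj-RIB-In from the iBGP peer

    def learn_ebgp(self, peer: str, table: Dict[str, Tuple[int, ...]]) -> None:
        self.ebgp = {pfx: Path(pfx, peer, aspath, "ebgp")
                     for pfx, aspath in table.items()}

    def ebgp_down(self) -> None:
        """The eBGP session drops: every path learned from it is withdrawn."""
        self.ebgp = {}

    def loc_rib(self) -> Dict[str, Path]:
        """Best path per prefix over both Adj-RIB-Ins."""
        rib = {}
        for pfx in set(self.ebgp) | set(self.ibgp):
            cands = [p for p in (self.ebgp.get(pfx), self.ibgp.get(pfx)) if p]
            rib[pfx] = best_path(cands)
        return rib

    def ibgp_updates(self) -> Dict[str, Path]:
        """What this router sends its iBGP peer: only best paths that were
        learned over eBGP. A path learned over iBGP is never re-advertised
        to another iBGP peer, so nothing bounces back."""
        return {pfx: p for pfx, p in self.loc_rib().items() if p.source == "ebgp"}

    def receive_ibgp(self, updates: Dict[str, Path]) -> None:
        """Replace the iBGP Adj-RIB-In (equivalent to a full route refresh)."""
        self.ibgp = {pfx: Path(pfx, p.nexthop, p.as_path, "ibgp", p.localpref)
                     for pfx, p in updates.items()}


def converge(r1: Router, r2: Router, max_rounds: int = 10) -> None:
    """Exchange iBGP updates until neither router changes what it sends."""
    for _ in range(max_rounds):
        from_r1, from_r2 = r1.ibgp_updates(), r2.ibgp_updates()
        r2.receive_ibgp(from_r1)
        r1.receive_ibgp(from_r2)
        if r1.ibgp_updates() == from_r1 and r2.ibgp_updates() == from_r2:
            return
    raise RuntimeError("iBGP exchange did not converge")


def flap_scenario() -> Dict[str, int]:
    """Replay the thread: r1 loses and regains its eBGP session to p1.
    Constructed tables: p1 gives r1 a 2-hop path to every prefix, p2 gives r2
    a 3-hop path, except for the last two prefixes where p2 is 1 hop away."""
    prefixes = [f"10.{i}.0.0/16" for i in range(10)]
    p1_table = {pfx: (64501, 65000 + i) for i, pfx in enumerate(prefixes)}
    p2_table = {pfx: (64502,) if i >= 8 else (64502, 64510, 65000 + i)
                for i, pfx in enumerate(prefixes)}
    r1, r2 = Router("r1"), Router("r2")
    r1.learn_ebgp("192.0.2.1", p1_table)       # p1 (constructed address)
    r2.learn_ebgp("198.51.100.1", p2_table)    # p2 (constructed address)

    converge(r1, r2)
    steady = len(r1.ibgp)          # r2 only sends the prefixes where p2 wins

    r1.ebgp_down()                 # line r1-p1 taken down for testing
    converge(r1, r2)
    during = len(r1.ibgp)          # r2's eBGP paths are now best everywhere

    r1.learn_ebgp("192.0.2.1", p1_table)       # line back up
    converge(r1, r2)
    after = len(r1.ibgp)           # r2 withdraws what r1's own paths beat

    return {"steady": steady, "ebgp_down": during, "ebgp_back": after,
            "reachable": len(r1.loc_rib())}


if __name__ == "__main__":
    print(flap_scenario())
```

Every prefix stays reachable from r1 throughout ("reachable" equals the table size); what shrinks is only the set of prefixes for which r2's eBGP path is better than r1's own, which is exactly the "some 300 routes" left after the flap.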
4.1-release packages with 4.1-stable system ?
Hello,

I was used to running only -release systems until yesterday. I updated to 4.1-stable, built a release, and installed other fresh 4.1-stable systems. Now I wonder if I can still use 4.1-release packages from any mirror. Reading http://www.openbsd.org/faq/faq5.html#Flavors makes me feel that it is not recommended, but it's not clear. Then, maybe I should switch to using ports?

Best,
-- Ronnie Garcia r.garcia at ovea dot com
Re: Quad ethernet card
Henning Brauer wrote:
> * nate [EMAIL PROTECTED] [2007-06-05 21:44]:
>> I built 3 OpenBSD 3.6(?) servers in mid 2005 with these cards, and was able to get a peak throughput of about 520Mbps in bridged mode (pf disabled) measured using iperf.
> the single-stream tcp test iperf uses is pretty meaningless (unless.. well, that's another story)

What other tool would you recommend, then? The idea is to simulate legit Internet traffic and/or DDoS traffic.

-- Ronnie Garcia r.garcia at ovea dot com
Re: sk or em
Chris C. wrote:
> I'm in the need to replace my two 100mbit fxp nic's in my firewall with a 1000mbit one. The hardware is kinda old (PIII). I'm looking for an inexpensive but not bad (so I think no realtek chips) nic. Have looked at sk and bge, but couldn't find any bge nics at my local vendors. So... which driver to go? sk? em?

Do you expect to do more than 100mbits with this hardware (with PF enabled)? I'm maxing a P4 2.4Ghz at 40mbits, with a dual em, and a ~300 line pf.conf.

-- Ronnie Garcia r.garcia at ovea dot com
Re: sk or em
Clint Pachl wrote:
> Ronnie Garcia wrote:
>> Chris C. wrote:
>>> I'm in the need to replace my two 100mbit fxp nic's in my firewall with a 1000mbit one. The hardware is kinda old (PIII). I'm looking for an inexpensive but not bad (so I think no realtek chips) nic. Have looked at sk and bge, but couldn't find any bge nics at my local vendors. So... which driver to go? sk? em?
>> Do you expect to do more than 100mbits with this hardware (with PF enabled)? I'm maxing a P4 2.4Ghz at 40mbits, with a dual em, and a ~300 line pf.conf.
> What is your packets/sec when you're pushing 40Mbs? Does the traffic flow in one em and out the other or is the dual em in a trunk (i.e. 2Gbs)?

Traffic gets in one em, is filtered by pf, and gets out from the other em (and the other way around). It's doing 11kpps in and 6kpps out of each em, plus 7kpps on the pfsync interface, which is a sis.

-- Ronnie Garcia r.garcia at ovea dot com
Re: sk or em
Bryan Vyhmeister wrote:
> On Apr 16, 2007, at 1:58 AM, Ronnie Garcia wrote:
>> Clint Pachl wrote:
>>> Ronnie Garcia wrote:
>>>> Do you expect to do more than 100mbits with this hardware (with PF enabled)? I'm maxing a P4 2.4Ghz at 40mbits, with a dual em, and a ~300 line pf.conf.
>>> What is your packets/sec when you're pushing 40Mbs? Does the traffic flow in one em and out the other or is the dual em in a trunk (i.e. 2Gbs)?
>> Traffic gets in one em, is filtered by pf, and gets out from the other em (and the other way around). It's doing 11kpps in and 6kpps out of each em, plus 7kpps on the pfsync interface, which is a sis.
> This brings up a question I have had for a while. Does pfsync generate enough traffic that running gigabit cards for your $ext_if and $int_if and a 100base-TX card for your pfsync interface causes a major bottleneck?

It depends on the rate of state changes. Here, we have ~30mbits on pfsync, for ~40mbits of traffic (!)

-- Ronnie Garcia r.garcia at ovea dot com
Re: sk or em
Kian Mohageri wrote:
> On 4/16/07, Ronnie Garcia [EMAIL PROTECTED] wrote:
>> Bryan Vyhmeister wrote:
>>> On Apr 16, 2007, at 1:58 AM, Ronnie Garcia wrote:
>>>> Clint Pachl wrote:
>>>>> Ronnie Garcia wrote:
>>>>>> Do you expect to do more than 100mbits with this hardware (with PF enabled)? I'm maxing a P4 2.4Ghz at 40mbits, with a dual em, and a ~300 line pf.conf.
>>>>> What is your packets/sec when you're pushing 40Mbs? Does the traffic flow in one em and out the other or is the dual em in a trunk (i.e. 2Gbs)?
>>>> Traffic gets in one em, is filtered by pf, and gets out from the other em (and the other way around). It's doing 11kpps in and 6kpps out of each em, plus 7kpps on the pfsync interface, which is a sis.
>>> This brings up a question I have had for a while. Does pfsync generate enough traffic that running gigabit cards for your $ext_if and $int_if and a 100base-TX card for your pfsync interface causes a major bottleneck?
>> It depends on the rate of state changes. Here, we have ~30mbits on pfsync, for ~40mbits of traffic (!)
> On our college campus with 50Mbps, we see ~8Mbps pfsync traffic. Your ratio amazes me... What type of environment is that in?

Content delivery (web servers, streaming). Approx 100 servers.

-- Ronnie Garcia r.garcia at ovea dot com
ifconfig pfsync0 down
Hey,

I was expecting to stop pfsync with:

ifconfig pfsync0 down

But it did not. I could stop pfsync by downing the physical device, but is there any other way around? I'm using 4.0.

Rgds,
-- Ronnie Garcia r.garcia at ovea dot com
Re: OpenBGPD MIB
Henning Brauer wrote:
> * Sylwester S. Biernacki [EMAIL PROTECTED] [2007-03-25 10:52]:
>> Any chances to add that to the wishlist for next releases?
> I won't stop you from putting sth on a wishlist, but I can guarantee you I won't be working on anything snmp-mib related for openbgpd (well, unless somebody pays me so massively for it that I consider that a sufficient solatium)

How much is massive? ;)

-- Ronnie Garcia r.garcia at ovea dot com
Re: Clock running 1/4 of real time
Daniel Ouellet wrote:
> By luck I happen to monitor the sessions and realized that the clock on the server runs at about 1/4 of real time. Everything runs at 1/4 of what it should be. Ping answers one ping each 4 seconds instead of one. Top refreshes every 20 seconds instead of 5, etc.
> [...]
> dmesg below:
> cpu0: Dual Core AMD Opteron(tm) Processor 280, 2394.36 MHz
> cpu1: Dual Core AMD Opteron(tm) Processor 280, 8139.45 MHz

I don't know if that could be related, but look how your two cores are probed. One is 4 times faster than the other.

-- Ronnie Garcia r.garcia at ovea dot com
Re: Performance problems with bge under OpenBSD4.0/i386
Pete Vickers wrote:
> I'm trying to track down the cause of poor network performance under OpenBSD4.0/i386 on HP Proliants (DL380-G4 and DL360-G4p), which seems to be concerning ethernet 802.3x flow control on the bge NICs. Test topology is:
>
> HP DL380-G4
>   int bge0 (BCM5704C auto at 1000baseT full-duplex)
>   |
>   |
>   int Gig 13/6 (auto at 1000baseT full-duplex)
> Cisco 6513 chassis + WS-X6548-GE-TX + WS-X6748-GE-TX
>   int Gig 12/47 (auto at 1000baseT full-duplex)
>   |
>   |
>   int bge0 (BCM5704C auto at 1000baseT full-duplex)
> HP DL360-G4p
>
> [...]
> Has anyone any ideas on fixes for this, or how to debug the issue further?

Did you tweak kernel parameters, like net.inet.ip.ifq.maxlen? What is the CPU usage during the transfer? Did you try with autonegotiation off, and with speed fixed at 1000base-T FD on each port?

-- Ronnie Garcia r.garcia at ovea dot com
Re: BGP Connection For Two OpenBSD Machines
[EMAIL PROTECTED] wrote:
> Anyone,
> I have one OpenBSD machine running OpenBGPd that is currently connected to the Internet. Furthermore, it has two NIC interfaces. The external NIC is designated as xl0 (3com) whereas the internal NIC is rl0 (rtlink). From the internal NIC, I connected it to another OpenBSD machine running OpenBGPd. I run ospfd and bgpd in these two machines. The results for both bgpctl and ospfctl showed that bgp and ospf are working. But from the OpenBSD machine behind the one that has the internet connection, I cannot ping the internet. I added entries in /etc/resolv.conf and an entry in /etc/sysctl.conf has been commented out.

Which one? net.inet.ip.forwarding?

-- Ronnie Garcia r.garcia at ovea dot com
Re: pf memory problems?
Matt Hamilton wrote:
> I'm trying to debug an issue in which sporadically our openbsd 3.9 based firewall suddenly stops responding to pings from the monitoring server. However traffic is still going through it and I can ssh in and look around. Not really sure where to start, but looking at the pf stats I see a large number under 'memory', what exactly does that count? I've got optimization set to conservative and currently have around 14,000 states. Anyone give me any pointers as to where to start looking? I've pasted the output from pfctl and netstat below.

Can you also provide a vmstat -i and a sysctl net.inet.ip.ifq?

> # pfctl -s info
> Status: Enabled for 0 days 00:23:18
> Debug: None
> Interface Stats for em0 IPv4 IPv6
> Bytes In 14015964121500
> Bytes Out 21660623591220
> Packets In
> Passed 30120381990
> Blocked 126747410
> Packets Out
> Passed 30507913930
> Blocked95624730
> State Table Total Rate
> current entries15698
> searches 13326658870 9532660.1/s
> inserts251127020 179633.1/s
> removals 251120479 179628.4/s
> Counters
> match 7605008048 5439919.9/s
> bad-offset 00.0/s
> fragment 26599 19.0/s
> short 29869 21.4/s
> normalize 00.0/s
> memory 6294656 4502.6/s
> bad-timestamp 00.0/s
> congestion542144 387.8/s
> ip-option 30.0/s
> proto-cksum 366932 262.5/s
> state-mismatch 1433466 1025.4/s
> state-insert 00.0/s
> state-limit00.0/s
> src-limit3280.2/s
> synproxy 00.0/s
>
> # netstat -m
> 563 mbufs in use:
> 559 mbufs allocated to data
> 1 mbuf allocated to packet headers
> 3 mbufs allocated to socket names and addresses
> 558/930/6144 mbuf clusters in use (current/peak/max)
> 2032 Kbytes allocated to network (61% in use)
> 0 requests for memory denied
> 0 requests for memory delayed
> 0 calls to protocol drain routines
>
> --Matt Hamilton [EMAIL PROTECTED]
> Netsight Internet Solutions, Ltd. Business Vision on the Internet
> http://www.netsight.co.uk +44 (0)117 9090901
> Web Design | Zope/Plone Development Consulting | Co-location | Hosting

-- Ronnie Garcia r.garcia at ovea dot com
Director, ovea
Tel : +33 4 6767
Gsm : +33 6 29500295
http://www.ovea.com
Re: OpenBGPD in ISP-Planet's article
Alexey Suslikov wrote:
> OpenBGPD/OpenBSD: Free OpenBSD-based EGP/IGP routing platform. Solid, secure, free, and very scalable. Again, you're operating without vendor support. Non-standard BGP functionality (modeled after PF). Awesome integration with CARP and PF, makes for great firewalls, routers and route servers. If you are a system administrator and appreciate Unix, you will fall in love with OpenBGPD. If you are a Linux admin, you will be surprised at the lack of learning curve involved. Community support is actually pretty good.
> http://www.isp-planet.com/equipment/2007/routers_bol.html

While you are at it, and because I did not see it mentioned on this list, there is a very good presentation made by claudio@: Routing with OpenBSD using OpenOSPFD and OpenBGPD, http://www.openbsd.org/papers/linuxtag06-network.pdf

-- Ronnie Garcia r.garcia at ovea dot com
Re: Firewall, high interrupt load, is this a driver problem (dc) ?
Hey Henning,

Henning Brauer wrote:
> * Ronnie Garcia [EMAIL PROTECTED] [2007-01-22 21:10]:
>> I'm graphing a lot of kernel/pf variables with cacti, and I'm clearly seeing the box maxing at 15k interrupts/s.
> that is not necessarily a problem.
>> I'm raising 15k interrupts/s when the box is routing approx 13k pps and then the CPU is at 50-55%.
> at 13k pps you definitely want good nics which have proper interrupt mitigation. most gigE NICs fall into that category; sk, msk and em fall definitely into that category.

Thanks for your detailed reply. I guess that you are using (or used) obsd routers/firewalls at BS Web Services. They might also handle a high packet rate. May I ask what kind of hardware you are using? Motherboard, CPU, NIC, PCI type? I'm considering buying new hardware for these firewalls, and I'd like them to handle a bunch of pps ;)

Regards,
-- Ronnie Garcia r.garcia at ovea dot com
Director, ovea
Tel : +33 4 6767
Gsm : +33 6 29500295
http://www.ovea.com
Re: Firewall, high interrupt load, is this a driver problem (dc) ?
Here are useful details from Henning (thanks!)

-------- Original message --------
Subject: Re: Firewall, high interrupt load, is this a driver problem (dc) ?
Date: Tue, 23 Jan 2007 11:42:22 +0100
From: Henning Brauer [EMAIL PROTECTED]
To: Ronnie Garcia [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

* Ronnie Garcia [EMAIL PROTECTED] [2007-01-23 11:19]:
> Hey Henning,
> Henning Brauer wrote:
>> * Ronnie Garcia [EMAIL PROTECTED] [2007-01-22 21:10]:
>>> I'm graphing a lot of kernel/pf variables with cacti, and I'm clearly seeing the box maxing at 15k interrupts/s.
>> that is not necessarily a problem.
>>> I'm raising 15k interrupts/s when the box is routing approx 13k pps and then the CPU is at 50-55%.
>> at 13k pps you definitely want good nics which have proper interrupt mitigation. most gigE NICs fall into that category; sk, msk and em fall definitely into that category.
> Thanks for your detailed reply. I guess that you are using (or used) obsd routers/firewalls at BS Web Services. They might also handle a high packet rate.

yup

> May I ask what kind of hardware you are using? Motherboard, CPU, NIC, PCI type?

varying.

> I'm considering buying new hardware for these firewalls, and I'd like them to handle a bunch of pps ;)

the install with the highest forwarding rate I know of uses a Supermicro X6DH8-XB, a 3.2 GHz Xeon and a bunch of em(4). I have seen it doing 750 MBit/s of real-world traffic at approx 150k pps. With a full routing table (~205k entries) and a GENERIC kernel it was running at roughly 80..90% CPU load; the slightly optimized for the task kernel I have in place there now gives quite some extra headroom. Also, I expect sk/msk(4) to perform better than em(4), but that has yet to be proven in real-world conditions.

-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Firewall, high interrupt load, is this a driver problem (dc) ?
Ronnie Garcia wrote:
> I recently switched one of our firewalls from Linux to oBSD 4.0. It's handling approx 8-9 kpps (in+out) on both interfaces. It has a D-Link DFE-570TX quad port NIC (dc driver), two ports are used. On Linux, the CPU was loaded at approx 20%, and on oBSD, it's actually loaded at ~30%. No big deal, but on Linux we had queueing (shaping) with TC/HTB, whereas ALTQ is not (yet) enabled on oBSD. The CPU usage is almost only interrupt, as you can see on this top output:
> [The rest of the message is left below for the record.]

I can now tell that I have the exact same behaviour with bsd.mp.

I'm graphing a lot of kernel/pf variables with cacti, and I'm clearly seeing the box maxing at 15k interrupts/s. I'm raising 15k interrupts/s when the box is routing approx 13k pps and then the CPU is at 50-55%. When I disable pf (pfctl -d), the CPU goes down to ~40% but the interrupt rate does not decrease. This means that the high interrupt rate is due to network activity, and not to pf. The interrupt rate is higher than the packet rate!

I might try with an Intel Pro/1000MT quad instead of the D-Link DFE-570TX quad to see if my problem is the NIC or the PCI bus/chipset.

Again, my dmesg:
Is there a typo in the CARP FAQ/documentation ?
Hey,

On http://www.openbsd.org/faq/pf/carp.html I can read:

> advskew
> This optional parameter specifies how much to skew the advbase when sending CARP advertisements. By manipulating *advbase*, the master CARP host can be chosen. The higher the number, the less preferred the host will be when choosing a master. The default is 0. Acceptable values are from 1 to 254.

Shouldn't it read:

> advskew
> This optional parameter specifies how much to skew the advbase when sending CARP advertisements. By manipulating *advskew*, the master CARP host can be chosen. The higher the number, the less preferred the host will be when choosing a master. The default is 0. Acceptable values are from 1 to 254.

?

-- Ronnie Garcia r.garcia at ovea dot com
Firewall, high interrupt load, is this a driver problem (dc) ?
Hi,

I recently switched one of our firewalls from Linux to oBSD 4.0. It's handling approx 8-9 kpps (in+out) on both interfaces. It has a D-Link DFE-570TX quad port NIC (dc driver), two ports are used. On Linux, the CPU was loaded at approx 20%, and on oBSD, it's actually loaded at ~30%. No big deal, but on Linux we had queueing (shaping) with TC/HTB, whereas ALTQ is not (yet) enabled on oBSD. The CPU usage is almost only interrupt, as you can see on this top output:

# top
load averages: 0.09, 0.10, 0.08
19 processes: 18 idle, 1 on processor
CPU states: 0.0% user, 0.0% nice, 0.0% system, 30.4% interrupt, 69.6% idle
Memory: Real: 9768K/76M act/tot Free: 413M Swap: 0K/2048M used/tot

Note: %CPU interrupt goes from ~15 to ~35%.

I tried to disable PF by loading a minimal conf (pass in all, pass out all), but the %interrupt did not decrease. I'm not trying to compare Linux to oBSD but I'm wondering if this could be because of a bad PCI bus, a bad NIC, or a bad driver implementation. I might change the NIC if it's the culprit. What do you think?

Another oBSD 4.0 box, which is a router in front of the firewall (thus handling the same traffic), is only loaded at ~10-15% interrupt. This one has an Intel PRO/1000MT quad port card (em driver). (It has other hardware differences.)

Other useful info about the firewall:

# uname -a
OpenBSD XX 4.0 GENERIC#1107 i386

# sysctl net.inet.ip.ifq
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=512
net.inet.ip.ifq.drops=13183292

Note: since I set ifq.maxlen to 512 (was 50), the ifq.drops stopped growing.

# dmesg |grep cpu
cpu0: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.41 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
cpu0 at mainbus0

# dmesg |grep dc
dc0 at pci2 dev 4 function 0 DEC 21142/3 rev 0x41: irq 10, address 00:80:c8:cd:c8:21
nsphyter0 at dc0 phy 1: DP83843 10/100 PHY, rev. 0
dc1 at pci2 dev 5 function 0 DEC 21142/3 rev 0x41: irq 12, address 00:80:c8:cd:c8:22
nsphyter1 at dc1 phy 1: DP83843 10/100 PHY, rev. 0
dc2 at pci2 dev 6 function 0 DEC 21142/3 rev 0x41: irq 3, address 00:80:c8:cd:c8:23
nsphyter2 at dc2 phy 1: DP83843 10/100 PHY, rev. 0
dc3 at pci2 dev 7 function 0 DEC 21142/3 rev 0x41: irq 11, address 00:80:c8:cd:c8:24
nsphyter3 at dc3 phy 1: DP83843 10/100 PHY, rev. 0

# dmesg |grep pci
pcib0 at pci0 dev 2 function 0 SiS 962 ISA rev 0x25
pciide0 at pci0 dev 2 function 5 SiS 5513 EIDE rev 0x00: 651: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: ST3802110A
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 1
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
auich0 at pci0 dev 2 function 7 SiS 7012 AC97 rev 0xa0: irq 12, SiS7012 AC97
ohci0 at pci0 dev 3 function 0 SiS 5597/5598 USB rev 0x0f: irq 5, version 1.0, legacy support
ohci1 at pci0 dev 3 function 1 SiS 5597/5598 USB rev 0x0f: irq 9, version 1.0, legacy support
ehci0 at pci0 dev 3 function 3 SiS 7002 USB rev 0x00: irq 9
sis0 at pci0 dev 4 function 0 SiS 900 10/100BaseTX rev 0x91: irq 3, address 00:0c:6e:d8:4a:59
ppb1 at pci0 dev 14 function 0 Intel S21152BB PCI-PCI rev 0x00
pci2 at ppb1 bus 2
dc0 at pci2 dev 4 function 0 DEC 21142/3 rev 0x41: irq 10, address 00:80:c8:cd:c8:21
dc1 at pci2 dev 5 function 0 DEC 21142/3 rev 0x41: irq 12, address 00:80:c8:cd:c8:22
dc2 at pci2 dev 6 function 0 DEC 21142/3 rev 0x41: irq 3, address 00:80:c8:cd:c8:23
dc3 at pci2 dev 7 function 0 DEC 21142/3 rev 0x41: irq 11, address 00:80:c8:cd:c8:24
isa0 at pcib0
pcibios0 at bios0: rev 2.1 @ 0xf/0x16d2
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1640/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (SiS 962 ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 SiS 651 PCI rev 0x02
ppb0 at pci0 dev 1 function 0 SiS 86C201 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 SiS 650 VGA rev 0x00: aperture at 0xf000, size 0x40

Kind regards,
-- Ronnie Garcia r.garcia at ovea dot com
Re: links in the OpenBSD FAQs
Nick Holland wrote:
> Igor Sobrado wrote:
>> I cannot see why making a patch to change the links is difficult. I will look at the cvs repository as soon as I get some time and submit a patch. In any case, I would appreciate a careful review of it, just to fit it to the taste of the developers.
>> Igor.
> It's harder than it looks (at least for me). Keep in mind, the PRIMARY usage by most readers is via web browser, so making it an awkward read to the majority so the text and PDF readers are happier is not really what I'm after. The result should be comfortably readable, not yelling at the reader, THE AUTHOR WAS WORKING HARD TO AVOID SAYING 'click _here_' AND WROTE THIS LONG, AWKWARD SENTENCE.

W3C recommends using clear and consistent link texts in their WAI guidelines [1]. This is especially important to people with cognitive disabilities or blindness, even if there might not be many of them in the OBSD world (but who knows), but it benefits all users anyway. Moreover, links should be unique. This means that if you have several "click here" links (that's bad, but you already know) in one page, they should point to the same target.

[1] http://www.w3.org/TR/WAI-WEBCONTENT (see 13.1)

-- Ronnie Garcia r.garcia at ovea dot com
Re: Failover routers with OpenBGPD and independent BGP sessions
X Y wrote:
> I have two routers, two independent BGP connections, and a block of provider independent address space. The routers are arranged in a redundant pair. The public network and some private subnets have gateway addresses provided with CARP. The two routers use pfsync.
> The BGP connections are actually completely independent (I'll be adding two more in due course for a total of four). They have different network addresses, cables and routes to the rest of the world. The cables are plugged directly into the routers, and there's no CARP on those interfaces. Packets will arrive via either of those routes.
> I have got a basic configuration working. This maintains the BGP sessions, packets go in and out, and the firewalls will fail over as they should. I use "depend on carp0 ... carp3" on the master router (chosen via advskew) to drop that session if it fails, and demote on the backup to make sure it doesn't like being master if it doesn't have a BGP session.
> I have been recommended by our ISPs that I should also advertise routes between the routers, so that if one's BGP session fails, it can route packets to the other for a cleaner failover. I have not managed to get this configuration working.

Yes you should, this is called iBGP. All of your BGP routers should have an iBGP session with all of the others, in a full mesh (unless you are using a route reflector). In your design, you will then get the best routes on each of your border routers.

> Some configuration information, with the real details removed to protect the guilty.
>
> AS: 9
> PI subnet: A.A.A.0/23
> PI gateway: A.A.A.1
> Master: A.A.A.2
> Backup: A.A.A.3
> BGP connection 1: X.X.X.4 - X.X.X.200 on X.X.X.0/24, AS 8
> BGP connection 2: Y.Y.Y.4 - Y.Y.Y.200 on Y.Y.Y.0/24, AS 8 (Y.Y.Y != X.X.X)
>
> [...]
>
> neighbor A.A.A.3 {
>     remote-as 9
>     descr backup
>     local-address A.A.A.2
>     announce all
>     tcp md5sig password PASSWORD2
>     set nexthop A.A.A.3    # A.A.A.2 didn't help
>     set localpref -10
> }

You shouldn't need a nexthop here.

In iBGP sessions, you should set the neighbor address to be the loopback address of your other border router. Your router-id parameter should also be the IP address of your local loopback interface. Your loopback interfaces should have a /32 IP address set.

Regards,
-- Ronnie Garcia r.garcia at ovea dot com
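A bgpd.conf for the master router written along the lines of the advice above (an added example, not the poster's configuration and not an OpenBGPD sample): the iBGP session is bound to loopback /32 addresses, router-id is the local loopback, and the iBGP neighbor carries no "set nexthop". AS 9, A.A.A.0/23, X.X.X.4, X.X.X.200 and PASSWORD2 are the thread's own placeholders; the loopbacks 10.255.0.2 (master) and 10.255.0.3 (backup) are constructed, and both they and the X.X.X.0/24 link subnet are assumed to be carried by the IGP so that the backup can reach the iBGP peer and resolve the eBGP next-hop.

```conf
# /etc/bgpd.conf on the master border router (added example, addresses
# 10.255.0.2 and 10.255.0.3 are constructed loopback /32s)
AS 9
router-id 10.255.0.2            # the local loopback address

network A.A.A.0/23              # the PI block, originated by both routers

# eBGP: this router's own transit session (connection 1, AS 8).
# "depend on carp0" is what the poster already uses to drop the session
# when the router loses CARP master state.
neighbor X.X.X.200 {
        remote-as       8
        descr           "transit-1"
        local-address   X.X.X.4
        announce        self
        depend on       carp0
}

# iBGP: one session to every other border router (full mesh), bound to
# loopbacks so it survives the loss of any single link. No "set nexthop":
# the next-hop learned from X.X.X.200 is passed on unchanged and the
# backup resolves it through the IGP.
neighbor 10.255.0.3 {
        remote-as       9
        descr           "backup"
        local-address   10.255.0.2
        announce        all
        tcp md5sig password PASSWORD2
}
```

The backup router's file is the mirror image: router-id and local-address 10.255.0.3, the iBGP neighbor 10.255.0.2, and its own eBGP session on Y.Y.Y.4 towards Y.Y.Y.200.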
Re: ospf and carp
stan wrote:
> On Fri, Oct 13, 2006 at 08:44:15AM +0200, Claudio Jeker wrote:
>> On Thu, Oct 12, 2006 at 10:40:57PM -0400, stan wrote:
>>> Is it feasible to run ospf on a carp pair of firewalls? Is there any documentation as to how to do this?
>> OSPF does not work on carp(4) interfaces. If you use interface carp0 ospfd will enforce it to be passive. A link state protocol can not run on a failover interface because the result is not predictable.
> Thanks. Is there an alternative way to accomplish this? What I'm trying to do is fairly simple. I have a couple of networks with OpenBSD CARP'd redundant firewalls connecting to a corporate administered network. The corporate network runs OSPF. I don't want to have to depend on static routes to these networks, as corporate keeps losing the static routes.

I'm also interested in this problem since you (Claudio) told me two days ago, in the thread "OSPFd, CARP and pfsync":

> It is far better to just prefer the active router over the other. (This is actually what OpenOSPFD does (it announces the network only on the active router))

Which I understood as: only the active firewall (the one owning the shared CARP IP) will announce routes through OSPF over the CARP interface.

Regards =]
-- Ronnie Garcia r.garcia at ovea dot com
Re: OSPFd, CARP and pfsync
Claudio Jeker wrote:
> On Tue, Oct 10, 2006 at 07:59:23PM +0200, Ronnie Garcia wrote:
>> I have an OSPF enabled backbone and want to insert two firewalls. Each firewall will be connected to one different core router. My idea is to set up OSPFd on the interfaces plugged to the core, and CARP on the interfaces plugged to the other side (servers network). I have no routing protocol inside the servers network.
>> From the servers side, traffic will go out from the firewall owning the shared IP (the master firewall). From the internet side, traffic will go in from both firewalls, whichever is the nearest from the core router. With this design, a SYN packet can enter through FW2 and the corresponding ACK packet go back through FW1.
>> Will pfsync just handle the split sessions happily? Will it handle the load for, say, 10k pps?
> You normally don't want to do split routing through firewalls. Even though pfsync may allow it, it will hurt performance because pfsync updates are done in batches. It is far better to just prefer the active router over the other. (This is actually what OpenOSPFD does (it announces the network only on the active router)).

Thanks for all your replies, I will go for the active/standby solution.

> Instead of using direct connections into your two core routers it would be better to use two interconnected switches to connect all four routers on one LAN.

What I called core routers are actually two cisco 3560, which are layer 3 switches.

Regards,
-- Ronnie Garcia r.garcia at ovea dot com
Re: Simple Networking Newbie questions
Girish Venkatachalam wrote:
> 2) My second question relates to vlan(4). Is my understanding that you can extend ethernet segments logically across the Internet with vlans correct? I am sure there is much more to it. I am getting some idea from recent threads but I am interested in more practical anecdotes as to where it is really useful.

This is more or less the definition of a VPN, not VLANs.

-- Ronnie Garcia r.garcia at ovea dot com
OSPFd, CARP and pfsync
Hello,

I have an OSPF enabled backbone and want to insert two firewalls. Each firewall will be connected to one different core router. My idea is to set up OSPFd on the interfaces plugged to the core, and CARP on the interfaces plugged to the other side (servers network). I have no routing protocol inside the servers network.

From the servers side, traffic will go out from the firewall owning the shared IP (the master firewall). From the internet side, traffic will go in from both firewalls, whichever is the nearest from the core router. With this design, a SYN packet can enter through FW2 and the corresponding ACK packet go back through FW1.

Will pfsync just handle the split sessions happily? Will it handle the load for, say, 10k pps?

Kind regards,
-- Ronnie Garcia r.garcia at ovea dot com
Re: OpenOSPFD Redistribution
Claudio Jeker wrote:
> On Wed, Oct 04, 2006 at 09:21:22PM -0400, Nick Davey wrote:
>> Hello,
>> I was wondering if there was a way to control if the routes redistributed by openospfd are advertised as type 1 or type 2 external routes. Also, is there a way to specify a metric on redistributed routes?
> Currently all as-external routes are announced with a default metric of 100 and as type 1 routes. I planned to add support for a "set metric" and "set type" option for the redistribute keyword but had no time to finish the implementation.

That would just rock =]

-- Ronnie Garcia r.garcia at ovea dot com
ospfd : network feature to annouce specific routes ?
Hey,

Is it planned at any time to implement a (cisco-like) network parameter, to be able to tell ospfd which networks it should announce? Actually I need a mix of default and static/connected as I would like my border routers (also running bgpd) to announce a default route, and a few static/connected routes into the IGP.

Regards,
-- Ronnie Garcia r.garcia at ovea dot com
Re: ospfd : network feature to annouce specific routes ?
Stuart Henderson wrote:
> On 2006/09/30 21:59, Ronnie Garcia wrote:
>> Is it planned at any time to implement a (cisco-like) network parameter, to be able to tell ospfd which networks it should announce? Actually I need a mix of default and static/connected as I would like my border routers (also running bgpd) to announce a default route, and a few static/connected routes into the IGP.
> You can have more than one 'redistribute' line.

Alright, it's just not quite clear in the man page =] Works well, thanks.

> Also did you notice 'redistribute prefix'?

This one did not work. I'm using -stable (3.9) so it might be a new feature?

In ospfd.conf:
redistribute X.Y.Z.0/30

/usr/sbin/ospfd gives:
/etc/ospfd.conf:10: unknown redistribute type

I tried with several syntaxes, with no luck.

Regards,
-- Ronnie Garcia r.garcia at ovea dot com