Re: pf failover state problem

2005-12-29 Thread j knight
--- Quoting ed on 2005/12/28 at 18:40 +:

 Hello,
 
 I have the following pf.conf on two identical firewalls, which combine
 two external ISP connections to a single RFC1819 network, providing
 complete failover if the ISP drops off the edge of the world.
 
 However, I notice that when I force the firewall to fail over that the
 states do not appear to function any longer, new states can be
 established just fine though. I am wondering if this is related to the
 tagging, or that the firewall has no default gateway, but neither seem
 to be definite causes.

When you compare pfctl -ss on either firewall, do you see state
information being replicated?

The addresses that you're NATing to, are those the carp IPs or the IPs
on the physical interfaces?

 

.joel



Re: Zero PF Counters

2005-10-10 Thread j knight
--- Quoting William Bloom on 2005/10/10 at 13:56 -0700:

 The PF man page gives meager detail about the congestion counter.  And the 
 only 
 FAQ items for this that I can find are related to queueing (and I don't have 
 queues in my ruleset).  What is the meaning of a non-zero congestion counter, 
 and what action is PF taking when the congestion counter is incremented?

If the output interface queue is congested (i.e., is full), pf will just
drop the packet and then increment the counter. This is independent of
altq.



Re: PF performance question

2005-09-19 Thread j knight
--- Quoting Vinicius Pavanelli Vianna on 2005/09/19 at 22:24 -0300:

 They say all their ifaces are forced to 100 full duplex; when I try to
 autoneg with their switches I always got 100 half duplex, and the speed
 is bad, so I forced all to 100 full duplex so I can get some speed.
 Don't ask me why their switch didn't autoneg to full duplex since they
 asked me to put all my machines in full duplex...

That's exactly what should happen. You can't have one side set to
autoneg and one hard set. If you do, you'll get a duplex mismatch.
 


.joel



Re: BGP peering, 2 peers, hardware requirements questions

2005-09-15 Thread j knight

Karl O. Pinc wrote:


I do recall some OpenBGP hooks into pf. Maybe there's
a way to use these to make failover work.



You need BGP pure and simple. The only caveat with BGP on OpenBSD is 
that you cannot do equal cost load balancing. For instance, if your 
providers send you a default route, you can only install 1 of those 
routes in the routing table (due to the current multipath route 
limitation in OpenBSD). All this means though is that all traffic being 
routed to the default route will use one pipe instead of both (i.e., one 
pipe will most likely be much less used than the other). For most people 
this is a non-issue.


The ins and outs of setting BGP up is beyond what can be described in 
this thread and that's why I recommended a good book right from the start :)




.joel



Re: BGP peering, 2 peers, hardware requirements questions

2005-09-13 Thread j knight
--- Quoting Darrin Chandler on 2005/09/13 at 13:56 -0700:

 You might also want to read 
 http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml, 
 which will try to talk you out of using BGP for load balancing and 
 present a simpler alternative.


This solution talks about using dual static routes. This doesn't (yet)
work on OpenBSD as the support isn't there. Best bet if this track is
taken is to involve pf's load balancing features
(http://www.openbsd.org/faq/pf/pools.html and pf.conf(5)).




.joel



Re: isakmpd: openbsd - cisco = problems

2005-09-13 Thread j knight
--- Quoting Mattias R. Lindgren on 2005/09/13 at 19:31 -0600:

 bash-3.00# isakmpd -d
 191943.477359 Default ipsec_validate_id_information: dubious ID information
 accepted
 191951.404865 Default ipsec_validate_id_information: dubious ID information
 accepted
 192010.536856 Default transport_send_messages: giving up on message
 0x3c069780, exchange VPN-home-240
 192010.537309 Default transport_send_messages: giving up on message
 0x3c069900, exchange VPN-home-10_0
 192010.537697 Default transport_send_messages: giving up on message
 0x3c069a80, exchange VPN-home-172
 192010.538067 Default transport_send_messages: giving up on message
 0x3c069c00, exchange VPN-home-10_10
 192010.538467 Default transport_send_messages: giving up on message
 0x3c069d80, exchange VPN-home-10_20

Crank up the debugging info by using the -D switch to isakmpd and see
what you see then.
 


.joel



Re: OpenBGPd and /24 announces... that still lose their netmasks.

2005-09-04 Thread j knight
--- Quoting Xavier Beaudouin on 2005/09/04 at 22:37 +0200:

 rbgp2#sh ip bgp
 BGP table version is 19, local router ID is 192.168.0.31
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
               r RIB-failure, S Stale
 Origin codes: i - IGP, e - EGP, ? - incomplete
 
    Network          Next Hop            Metric LocPrf Weight Path
 *  19.218.104.0/23  192.168.0.241                          0 65336 i
 r  192.168.0.0      192.168.0.241                          0 65336 i
 *  193.218.105.0    192.168.0.241                          0 65336 i
 
 
 As you see, the netmask for the /24 network has gone between cisco and
 openbgpd.


IOS won't show classful masks. 192.168.0.0 is a legacy Class C block
being advertised with a classful 255.255.255.0 mask so IOS drops the
mask. Same applies to 193.218.105.0. There's nothing broken here.





.joel



Re: isakmp vpn configuration

2005-08-24 Thread j knight
--- Quoting Daniel Eyholzer on 2005/08/24 at 08:33 +0200:

 Yes, I have tried to filter on VPN client ip addresses on the enc0
 interface. This works, but the problem is that not all users should be
 allowed to do the same things. Since the VPN client ip address can be
 chosen arbitrarily on the VPN client, the user can choose an ip address that
 is allowed to do what he wants to do. Therefore it is not secured; the user
 just has to know which ip address has full access, and he can access all he
 wants on all vlans.

You definitely want to set up a policy then and to use x509 certs for
client authentication. Create a policy that delegates to sub-policies
for each client. The licensees of each sub-policy should match the
distinguished name of the client's key. Specify the appropriate
remote_filter/local_filter options in the policy as well. Obviously this
doesn't scale so well for large numbers of users.

Check out the isakmpd.policy(5) man page for all the details.




.joel



Re: IPsec / routing problem in OpenBSD 3.7

2005-08-24 Thread j knight
--- Quoting [EMAIL PROTECTED] on 2005/08/24 at 18:35 +0200:

 1) From Client1, I cannot ping its default gateway (.3.254) anymore. No ping 
 replies. ssh connection is frozen.

What machine and interface is .3.254 on? From the information below it
does not look like it's on PC_B. PC_B is .3.70.
 
 2) If I run a tcpdump -i rl1, I see that the pings from Client1 to PC_B are 
 *routed* to PC_A!! Of course, PC_A doesn't know what to do with them; 
 something is getting back, however (encrypted) :
 # tcpdump -i rl1
 17:54:15.803747 esp 10.0.0.6 > 10.0.0.1 spi 0x1F3A4307 seq 70 len 132 (DF)
 17:54:15.810208 esp 10.0.0.1 > 10.0.0.6 spi 0x8A4C7C72 seq 58 len 132 (DF)

Doubtful. You have no idea what packets are encapsulated here. Do your
sniffing on enc0 instead.
 
 6) Not all of PC_B's traffic is going through the tunnel; for example, DNS
 queries are still in clear:

netstat -rnf encap is your friend. You are not building a phase-2
connection that includes 10.0.0.x so no encryption for you. Same
reasoning applies to your ping from 10.0.0.1 to .6.



.joel



Re: isakmp vpn configuration

2005-08-23 Thread j knight
--- Quoting Daniel Eyholzer on 2005/08/17 at 15:58 +0200:

 I have tried to change Network and Netmask in the [default-route] section
 from 0.0.0.0 to the network and netmask of one of the vlan subnetworks, but
 it does not help. I can still connect to the other subnet if I define them
 in the client. Does anyone know how I can restrict access to only one of the
 vlan subnets?

I don't know why those changes aren't working, however, have you tried:

- setting a policy via isakmpd.policy that restricts 'remote_filter'
- blocking traffic using pf




.joel



Re: ARP resolution for destination NAT'd addresses

2005-06-29 Thread j knight
--- Quoting Spruell, Darren-Perot on 2005/06/29 at 11:16 -0700:

 How does a firewall configured to NAT connections for the outside
 interface on a given IP to an IP address behind the firewall handle
 the ARP replies for those addresses to the upstream router?

Add an alias on that interface.



Re: arplookup

2005-06-28 Thread j knight
--- Quoting kevin on 2005/06/28 at 10:00 -0500:

 Hi all, 
 
 After my business cable provider replaced the router, I get
 the usual arplookup: unable to locate address 10.19.240.183  

unable to locate or unable to enter?
This happens in more places than you might think. What impact is it
having on the box? You should be able to just ignore it.



Re: Some Sites Don't Load Behind pf NAT

2005-06-12 Thread j knight
--- Quoting Serban Giuroiu on 2005/06/12 at 14:59 -0700:

 scrub random-id
 scrub fragment reassemble
 scrub reassemble tcp
 scrub out on $ppp max-mss 1440

These scrub rules aren't doing what you think they're doing. scrub is
a rule, not an option such as the set parameters. The first matching
scrub rule wins. pfctl -vvsr and see just which rules are having an
effect.



.joel
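Joel's point, put into a concrete pf.conf fragment (added here for illustration; this is not from the original post). The four rules as posted are shown commented out, followed by a version that folds the options into one scrub rule per match case so that first-match evaluation cannot shadow them. The $ppp interface name is an assumption; the original macro value is not shown in the thread.

```pf
# As posted. Scrub rules are evaluated first-match, and the first rule
# matches every packet on every interface in both directions, so the
# three rules after it never take effect: in particular the MSS clamp
# on $ppp is never applied, which is the usual cause of "some sites
# don't load" behind a PPP link.
#
# scrub random-id
# scrub fragment reassemble
# scrub reassemble tcp
# scrub out on $ppp max-mss 1440

ppp = "tun0"   # assumed interface name; substitute the real PPP interface

# Corrected: most specific match first, with every option that should
# apply to that traffic carried in the same rule.
scrub out on $ppp all random-id fragment reassemble reassemble tcp max-mss 1440

# Everything else (inbound on any interface, outbound on the others).
scrub all random-id fragment reassemble reassemble tcp
```

Reload and confirm with pfctl -vvsr that each scrub rule's packet counter is actually moving.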



Re: Weird MAC Address Problem with 3.7 on Dell 600 series

2005-06-08 Thread j knight
--- Quoting eric on 2005/06/07 at 00:18 -0500:

 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 address: 00:02:b3:b1:a8:9a
 description: ipv6_if
 media: Ethernet 100baseTX full-duplex
 status: active
 inet6 2001:x:y:z::133 prefixlen 96
 inet6 fe80::202:b3ff:feb1:a89a%fxp0 prefixlen 64 scopeid 0x1
 fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 address: 00:02:b3:b1:a8:9b
 description: public_if
 media: Ethernet 100baseTX full-duplex
 status: active
 inet x.y.z.135 netmask 0x8cc01580 broadcast 140.192.21.255
 inet6 fe80::202:b3ff:feb1:a89b%fxp1 prefixlen 64 scopeid 0x2

Both these interfaces are plugged into something and both are admin up.

 When I look at my switch cam table, I see the following...
 
 swt sh mac-address-table
    1    0002.b3b1.a89a    DYNAMIC    Gi1/0/7
    1    0002.b3b1.a89b    STATIC     Gi1/0/7

Note the second one is a static entry.




.joel



Re: OpenBGP Setup Question

2005-05-20 Thread j knight
Manon Goo wrote:

 Hi,
 I have setup openbgp on two routers (Config below). I am connecting to
 two uplink routers at my ISP.
 My ISP complains that one of his sessions always is idle. (He is
 running a cisco 12000 IOS 12.0.something) and this is filling his logs.

Might this be because of the state of your carp interfaces? (carp1124
and carp1146)

From bgpd.conf(5):
depend on interface
  The neighbor session will be kept in state IDLE as long as
  interface reports no link.  For carp(4) interfaces, no link means
  that the interface is currently backup.  This is primarily
  intended to be used with carp(4) to reduce failover times.
  The state of the network interfaces on the system can be viewed
  using the show interfaces command to bgpctl(8).

.joel