Re: Router project on OpenBSD questions
On Tue, Sep 25, 2012 at 05:51:42PM +0100, Stuart Henderson wrote:

> On 2012/09/25 18:24, Otto Moerbeek wrote:
> > On Tue, Sep 25, 2012 at 11:11:19AM +, Stuart Henderson wrote:
> > > On 2012-09-25, Christoph Leser <le...@sup-logistik.de> wrote:
> > > > Thank you for this hint. I indeed have ike.c r=1.76.
> > >
> > > So why did you say you were running 5.2?
> >
> > The art of problem reporting is much underappreciated, sadly.
> >
> > -Otto
>
> Quite. I even considered this as a possible problem, then saw that it was 5.2, so discounted it...

So any news on this?

-Otto
Re: Router project on OpenBSD questions
Thank you for asking.

I refreshed my system to -current as of 24 Sep 2012, so I now have sbin/ipsecctl/ike.c 1.77.

Following the suggestion of Stuart Henderson I start isakmpd as

    isakmpd -K -T

Now I get the same behaviour as I have with OpenBSD 4.6. All configured VPNs get connected.

So thanks for your help.

I still have some problems with some of the VPNs, i.e. some fail to renegotiate after a while, but I do not have the details yet for a decent problem report.

Regards
Christoph

-----Original Message-----
From: Otto Moerbeek [mailto:o...@drijf.net]
Sent: Friday, 28 September 2012 13:45
To: misc@openbsd.org
Cc: Christoph Leser
Subject: Re: Router project on OpenBSD questions

> On Tue, Sep 25, 2012 at 05:51:42PM +0100, Stuart Henderson wrote:
> > [...]
> > Quite. I even considered this as a possible problem, then saw that it was 5.2, so discounted it...
>
> So any news on this?
>
> -Otto
Re: Router project on OpenBSD questions
Thank you for this hint. I indeed have ike.c r=1.76.

I will refresh my system tonight, give it a try and report my result.

Best Regards
Christoph

-----Original Message-----
From: Otto Moerbeek [mailto:o...@drijf.net]
Sent: Monday, 24 September 2012 22:03
To: Christoph Leser
Cc: Stuart Henderson; misc@openbsd.org
Subject: Re: Router project on OpenBSD questions

> On Mon, Sep 24, 2012 at 06:57:26PM +, Christoph Leser wrote:
> > Thanks for clarification.
> >
> > I disabled NAT-T with isakmpd -K -T. A few of my VPNs came to life with this setting, but were unstable (rapid renegotiation).
> >
> > Still only about one third of my VPNs (that worked with OpenBSD 4.6) work with OpenBSD 5.2. Many negotiations get rejected by OpenBSD with 'NO PROPOSAL CHOSEN', 'PAYLOAD MALFORMED' or 'INVALID ID'.
> >
> > For some of those I see messages in /var/log/messages like:
> >
> > Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128
> >
> > (for a VPN peer which is configured with MD5-AES-128 in ipsec.conf and which, according to tcpdump, tries to negotiate exactly MD5 and AES-128). No idea what this means.
>
> Are you running an ipsecctl from about a week ago? For two days or so there was a bug in it. This bug was fixed by this commit:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ipsecctl/ike.c.diff?r1=1.76;r2=1.77;only_with_tag=MAIN
>
> -Otto
>
> > Regards
> >
> > -----Original Message-----
> > From: Stuart Henderson [mailto:s...@spacehopper.org]
> > Sent: Monday, 24 September 2012 16:41
> > To: Christoph Leser
> > Cc: misc@openbsd.org
> > Subject: Re: Router project on OpenBSD questions
> >
> > > On 2012/09/24 13:24, Christoph Leser wrote:
> > > > It seems that the patch from Stuart Henderson, proposed on Aug.4 2012 on tech@ has not made it into -current yet.
> > >
> > > I only forwarded it, the patch is from hshoexer.
> > >
> > > Also it is only a partial diff, not suitable to be committed, the encap mode value needs to be controllable per-peer so it needs a config option, changes to ipsecctl, etc.
> > >
> > > This problem certainly would have affected older OpenBSD versions though, if they negotiated NAT-T they would have used the value from the RFC not the one from the internet-draft that cisco use.
> > >
> > > Have you tried just disabling nat-t completely, see the options list in isakmpd(8), to see what happens?
Re: Router project on OpenBSD questions
On 2012-09-25, Christoph Leser <le...@sup-logistik.de> wrote:
> Thank you for this hint. I indeed have ike.c r=1.76.

So why did you say you were running 5.2?
Re: Router project on OpenBSD questions
On Tue, Sep 25, 2012 at 11:11:19AM +, Stuart Henderson wrote:
> On 2012-09-25, Christoph Leser <le...@sup-logistik.de> wrote:
> > Thank you for this hint. I indeed have ike.c r=1.76.
>
> So why did you say you were running 5.2?

The art of problem reporting is much underappreciated, sadly.

-Otto
Re: Router project on OpenBSD questions
On 2012/09/25 18:24, Otto Moerbeek wrote:
> On Tue, Sep 25, 2012 at 11:11:19AM +, Stuart Henderson wrote:
> > On 2012-09-25, Christoph Leser <le...@sup-logistik.de> wrote:
> > > Thank you for this hint. I indeed have ike.c r=1.76.
> >
> > So why did you say you were running 5.2?
>
> The art of problem reporting is much underappreciated, sadly.
>
> -Otto

Quite. I even considered this as a possible problem, then saw that it was 5.2, so discounted it...
Re: Router project on OpenBSD questions
Thanks for the replies.

You say there have been problems with NAT-T but these have been fixed. I am on OpenBSD 5.2 current and have problems with NAT-T to Cisco, which I have not had when I was on OpenBSD 4.7.

The problem is, as seen in the debug output from isakmpd, that isakmpd detects that there is a NAT device in between (it even tells that "we are behind it") and then proposes "ENCAPSULATION_MODE=TUNNEL" instead of "ENCAPSULATION_MODE=UDP_ENC_TUNNEL" for phase two, which is (correctly?) rejected by the remote peer.

Regards
Christoph

From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Saturday, 22 September 2012 16:52
To: Christoph Leser; misc@openbsd.org
Subject: Re: Router project on OpenBSD questions

> Search the archives for the cisco nat-t problem, I sent a mail with more details and I think there was a patch with it. Pretty sure that would have affected older OpenBSD versions too though.
>
> Christoph Leser <le...@sup-logistik.de> wrote:
> > On Feb 28, 2012, Stuart Henderson wrote:
> > > IPsec is mostly compatible but there's a bit of breakage if the ipsec gateways are behind NAT (because Cisco still follows a very old nat-t draft rather than the standard).
> >
> > I think I have read similar remarks about NAT-T and Cisco interoperability. But I have found no details about what the problem is with Cisco.
> >
> > I completely failed when I tried to move from OBSD 4.6 to OBSD 5.2, because of NAT-T trouble with Cisco. I described my experience in a message to this list, 'ISAMPD NAT trouble with openBSD 5.2'.
> >
> > Any hints to information about interoperability issues with Cisco (and possible solutions) would be highly welcome.
> >
> > Kind regards
> >
> > Christoph Leser
> > SP Computersysteme GmbH
> > Zettachring 4
> > 70567 Stuttgart Fasanenhof
> > EMail: le...@sup-logistik.de
Re: Router project on OpenBSD questions
It seems that the patch from Stuart Henderson, proposed on Aug 4 2012 on tech@, has not made it into -current yet.

From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Saturday, 22 September 2012 16:52
To: Christoph Leser; misc@openbsd.org
Subject: Re: Router project on OpenBSD questions

> Search the archives for the cisco nat-t problem, I sent a mail with more details and I think there was a patch with it. Pretty sure that would have affected older OpenBSD versions too though.
>
> Christoph Leser <le...@sup-logistik.de> wrote:
> > On Feb 28, 2012, Stuart Henderson wrote:
> > > IPsec is mostly compatible but there's a bit of breakage if the ipsec gateways are behind NAT (because Cisco still follows a very old nat-t draft rather than the standard).
> >
> > [...]
Re: Router project on OpenBSD questions
On 2012/09/24 13:24, Christoph Leser wrote:
> It seems that the patch from Stuart Henderson, proposed on Aug.4 2012 on tech@ has not made it into -current yet.

I only forwarded it, the patch is from hshoexer.

Also it is only a partial diff, not suitable to be committed, the encap mode value needs to be controllable per-peer so it needs a config option, changes to ipsecctl, etc.

This problem certainly would have affected older OpenBSD versions though, if they negotiated NAT-T they would have used the value from the RFC not the one from the internet-draft that cisco use.

Have you tried just disabling nat-t completely, see the options list in isakmpd(8), to see what happens?
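The RFC-versus-draft mismatch described above, worked through as an added example (this is not code from the thread, from isakmpd or from the hshoexer patch). The facts it relies on: RFC 3947 peers announce themselves with a Vendor ID equal to MD5("RFC 3947") and use ENCAPSULATION_MODE values 3 (UDP-Encapsulated-Tunnel) and 4 (UDP-Encapsulated-Transport); the earlier draft-ietf-ipsec-nat-t-ike-00/02/03 drafts announce MD5 of the draft name and used the private-use values 61443 and 61444 for the same two modes; TUNNEL=1 and TRANSPORT=2 come from RFC 2407. The two peers, the `negotiate` flow and the `dialect_spoken` knob (the per-peer setting the reply says a proper fix needs) are constructed stand-ins for illustration:

```python
"""Why an RFC 3947 initiator behind NAT gets NO PROPOSAL CHOSEN from a peer
that only speaks an old NAT-T draft, and what the -T (NAT-T off) and
per-peer-value workarounds change. Added example; constructed peers."""
import hashlib

# ENCAPSULATION_MODE attribute values (IPsec DOI attribute type 4).
TUNNEL, TRANSPORT = 1, 2                               # RFC 2407
UDP_TUNNEL_RFC, UDP_TRANSPORT_RFC = 3, 4               # RFC 3947
UDP_TUNNEL_DRAFT, UDP_TRANSPORT_DRAFT = 61443, 61444   # draft-ietf-ipsec-nat-t-ike-00/02/03

# Phase 1 Vendor ID payloads: each is the MD5 of the string the spec names.
_VID_STRINGS = {
    b"RFC 3947": "rfc",
    b"draft-ietf-ipsec-nat-t-ike-00": "draft",
    b"draft-ietf-ipsec-nat-t-ike-02\n": "draft",
    b"draft-ietf-ipsec-nat-t-ike-02": "draft",
    b"draft-ietf-ipsec-nat-t-ike-03": "draft",
}
VENDOR_IDS = {hashlib.md5(s).digest(): d for s, d in _VID_STRINGS.items()}


def natt_dialect(peer_vids):
    """'rfc', 'draft' or None, from the Vendor IDs a peer sent in phase 1.
    A peer advertising both gets the RFC dialect."""
    found = {VENDOR_IDS[v] for v in peer_vids if v in VENDOR_IDS}
    if "rfc" in found:
        return "rfc"
    if "draft" in found:
        return "draft"
    return None


def udp_tunnel_value(dialect):
    """The UDP-encapsulated tunnel value a peer of this dialect understands."""
    return UDP_TUNNEL_RFC if dialect == "rfc" else UDP_TUNNEL_DRAFT


def initiator_proposal(nat_detected, nat_t_enabled, dialect_spoken="rfc"):
    """ENCAPSULATION_MODE a tunnel-mode initiator proposes in phase 2.
    With NAT-T on and a NAT detected it must propose UDP encapsulation; an
    RFC-following implementation always writes 3 there, which is the mismatch
    the thread describes. With NAT-T off (isakmpd -T) there is no NAT
    detection and plain TUNNEL goes out."""
    if nat_t_enabled and nat_detected:
        return udp_tunnel_value(dialect_spoken)
    return TUNNEL


def responder_decision(accepted_modes, proposed):
    """The responder's answer to one proposed encapsulation mode."""
    return "ACCEPTED" if proposed in accepted_modes else "NO PROPOSAL CHOSEN"


def negotiate(peer_vids, nat_detected, nat_t_enabled, dialect_spoken="rfc"):
    """Simplified exchange: (value proposed, responder's verdict).
    The responder accepts plain TUNNEL plus the UDP-encap value of its own
    dialect; a peer with no recognised NAT-T VID accepts plain TUNNEL only."""
    accepted = {TUNNEL}
    peer_dialect = natt_dialect(peer_vids)
    if peer_dialect is not None:
        accepted.add(udp_tunnel_value(peer_dialect))
    proposed = initiator_proposal(nat_detected, nat_t_enabled, dialect_spoken)
    return proposed, responder_decision(accepted, proposed)


# Constructed peers: one advertising only an old draft, one advertising RFC 3947.
DRAFT_ONLY_PEER = [hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest()]
RFC_PEER = [hashlib.md5(b"RFC 3947").digest()]


def main():
    cases = [
        ("RFC initiator behind NAT, draft-only peer", DRAFT_ONLY_PEER, True, True, "rfc"),
        ("RFC initiator behind NAT, RFC peer", RFC_PEER, True, True, "rfc"),
        ("NAT-T disabled (isakmpd -T), draft-only peer", DRAFT_ONLY_PEER, True, False, "rfc"),
        ("per-peer draft value, draft-only peer", DRAFT_ONLY_PEER, True, True, "draft"),
    ]
    for label, vids, nat, natt, dialect in cases:
        value, verdict = negotiate(vids, nat, natt, dialect)
        print(f"{label}: ENCAPSULATION_MODE={value} -> {verdict}")


if __name__ == "__main__":
    main()
```

The third case is the "came to life" effect the thread reports after `isakmpd -T`: the proposal degrades to plain TUNNEL, which the peer accepts, but the resulting ESP then has to cross the NAT without UDP encapsulation, which is where the instability described later in the thread can come from. The fourth case is what a per-peer encapsulation value (the missing config option the reply mentions) would buy.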
Re: Router project on OpenBSD questions
Thanks for clarification.

I disabled NAT-T with isakmpd -K -T. A few of my VPNs came to life with this setting, but were unstable (rapid renegotiation).

Still only about one third of my VPNs (that worked with OpenBSD 4.6) work with OpenBSD 5.2. Many negotiations get rejected by OpenBSD with 'NO PROPOSAL CHOSEN', 'PAYLOAD MALFORMED' or 'INVALID ID'.

For some of those I see messages in /var/log/messages like:

    Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128

(for a VPN peer which is configured with MD5-AES-128 in ipsec.conf and which, according to tcpdump, tries to negotiate exactly MD5 and AES-128). No idea what this means.

Regards

-----Original Message-----
From: Stuart Henderson [mailto:s...@spacehopper.org]
Sent: Monday, 24 September 2012 16:41
To: Christoph Leser
Cc: misc@openbsd.org
Subject: Re: Router project on OpenBSD questions

> On 2012/09/24 13:24, Christoph Leser wrote:
> > It seems that the patch from Stuart Henderson, proposed on Aug.4 2012 on tech@ has not made it into -current yet.
>
> I only forwarded it, the patch is from hshoexer.
>
> Also it is only a partial diff, not suitable to be committed, the encap mode value needs to be controllable per-peer so it needs a config option, changes to ipsecctl, etc.
>
> This problem certainly would have affected older OpenBSD versions though, if they negotiated NAT-T they would have used the value from the RFC not the one from the internet-draft that cisco use.
>
> Have you tried just disabling nat-t completely, see the options list in isakmpd(8), to see what happens?
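A small triage helper for the `attribute_unacceptable` lines quoted above, added here as an example (not code from the thread or from OpenBSD). The message says the named attribute is absent from the locally loaded phase 1 transform, so the thing to inspect is the configuration isakmpd was given (in the thread it turned out to be an ipsecctl bug), not the peer's proposal. The first two sample lines repeat the posted line (`a.b.c.d` is the poster's own placeholder); the other lines are constructed. The transform-name layout `phase1-transform-peer-<peer>-<auth>-<hash>-<enc>` is read off the posted line and assumed to hold for other peers:

```python
"""Group isakmpd attribute_unacceptable messages from syslog text by peer and
report which configured phase 1 transform is missing which attribute.
Added example; sample lines partly from the thread, partly constructed."""
import re

SAMPLE_LOG = """\
Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128
Sep 24 20:00:12 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128
Sep 24 20:01:30 q-dsl isakmpd[3828]: attribute_unacceptable: attr HASH_ALGORITHM does not exist in phase1-transform-peer-192.0.2.10-PRE_SHARED-SHA-3DES
Sep 24 20:01:31 q-dsl pflogd[1234]: restarted logging
"""

# Syslog prefix, then the fixed wording isakmpd uses for this message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"isakmpd\[(?P<pid>\d+)\]: attribute_unacceptable: attr (?P<attr>\w+) "
    r"does not exist in (?P<transform>\S+)$"
)
TRANSFORM_PREFIX = "phase1-transform-peer-"


def parse_transform(name):
    """Split 'phase1-transform-peer-<peer>-<auth>-<hash>-<enc>' into parts.
    Splitting from the right keeps a peer address containing '-' or ':' whole."""
    if not name.startswith(TRANSFORM_PREFIX):
        return None
    parts = name[len(TRANSFORM_PREFIX):].rsplit("-", 3)
    if len(parts) != 4:
        return None
    peer, auth, hash_alg, enc = parts
    return {"peer": peer, "auth": auth, "hash": hash_alg, "enc": enc}


def parse_line(line):
    """Dict of fields for an attribute_unacceptable line, None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    transform = parse_transform(m.group("transform"))
    if transform is None:
        return None
    event = m.groupdict()
    event.update(transform)
    return event


def summarize(text):
    """{peer: {'auth', 'hash', 'enc', 'missing': [attrs], 'count': hits}}."""
    report = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = report.setdefault(ev["peer"], {
            "auth": ev["auth"], "hash": ev["hash"], "enc": ev["enc"],
            "missing": set(), "count": 0,
        })
        entry["missing"].add(ev["attr"])
        entry["count"] += 1
    for entry in report.values():
        entry["missing"] = sorted(entry["missing"])
    return report


def render(report):
    """One human-readable line per peer, sorted by peer."""
    out = []
    for peer, e in sorted(report.items()):
        out.append(
            f"peer {peer}: loaded transform {e['auth']}/{e['hash']}/{e['enc']} "
            f"lacks {', '.join(e['missing'])} ({e['count']} hits); "
            f"inspect the generated isakmpd config for this peer"
        )
    return out


if __name__ == "__main__":
    for line in render(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against a copy of /var/log/messages (or pipe `grep attribute_unacceptable` output into `summarize`) to get one line per affected peer instead of scrolling through repeated retries.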
Re: Router project on OpenBSD questions
On Mon, Sep 24, 2012 at 06:57:26PM +, Christoph Leser wrote:
> Thanks for clarification.
>
> I disabled NAT-T with isakmpd -K -T. A few of my VPNs came to life with this setting, but were unstable (rapid renegotiation).
>
> Still only about one third of my VPNs (that worked with OpenBSD 4.6) work with OpenBSD 5.2. Many negotiations get rejected by OpenBSD with 'NO PROPOSAL CHOSEN', 'PAYLOAD MALFORMED' or 'INVALID ID'.
>
> For some of those I see messages in /var/log/messages like:
>
> Sep 24 20:00:09 q-dsl isakmpd[3828]: attribute_unacceptable: attr ENCRYPTION_ALGORITHM does not exist in phase1-transform-peer-a.b.c.d-PRE_SHARED-MD5-AES128
>
> (for a VPN peer which is configured with MD5-AES-128 in ipsec.conf and which, according to tcpdump, tries to negotiate exactly MD5 and AES-128). No idea what this means.

Are you running an ipsecctl from about a week ago? For two days or so there was a bug in it. This bug was fixed by this commit:

http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/ipsecctl/ike.c.diff?r1=1.76;r2=1.77;only_with_tag=MAIN

-Otto

> Regards
>
> -----Original Message-----
> From: Stuart Henderson [mailto:s...@spacehopper.org]
> Sent: Monday, 24 September 2012 16:41
> To: Christoph Leser
> Cc: misc@openbsd.org
> Subject: Re: Router project on OpenBSD questions
>
> > On 2012/09/24 13:24, Christoph Leser wrote:
> > > It seems that the patch from Stuart Henderson, proposed on Aug.4 2012 on tech@ has not made it into -current yet.
> >
> > I only forwarded it, the patch is from hshoexer.
> >
> > [...]
Re: Router project on OpenBSD questions
On Feb 28, 2012, Stuart Henderson wrote:

> List: openbsd-misc
> Subject: Re: Router project on OpenBSD questions
> From: Stuart Henderson <stu () spacehopper ! org>
> Date: 2012-02-28 13:57:45
> Message-ID: slrnjkpnao.r14.stu () naiad ! spacehopper ! org
>
> IPsec is mostly compatible but there's a bit of breakage if the ipsec gateways are behind NAT (because Cisco still follows a very old nat-t draft rather than the standard).

I think I have read similar remarks about NAT-T and Cisco interoperability. But I have found no details about what the problem is with Cisco.

I completely failed when I tried to move from OBSD 4.6 to OBSD 5.2, because of NAT-T trouble with Cisco. I described my experience in a message to this list, 'ISAMPD NAT trouble with openBSD 5.2'.

Any hints to information about interoperability issues with Cisco (and possible solutions) would be highly welcome.

Kind regards

Christoph Leser
SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logistik.de
Re: Router project on OpenBSD questions
Search the archives for the cisco nat-t problem, I sent a mail with more details and I think there was a patch with it. Pretty sure that would have affected older OpenBSD versions too though.

Christoph Leser <le...@sup-logistik.de> wrote:
> On Feb 28, 2012, Stuart Henderson wrote:
> > IPsec is mostly compatible but there's a bit of breakage if the ipsec gateways are behind NAT (because Cisco still follows a very old nat-t draft rather than the standard).
>
> I think I have read similar remarks about NAT-T and Cisco interoperability. But I have found no details about what the problem is with Cisco.
>
> I completely failed when I tried to move from OBSD 4.6 to OBSD 5.2, because of NAT-T trouble with Cisco. I described my experience in a message to this list, 'ISAMPD NAT trouble with openBSD 5.2'.
>
> Any hints to information about interoperability issues with Cisco (and possible solutions) would be highly welcome.
>
> Kind regards
>
> Christoph Leser
> SP Computersysteme GmbH
> Zettachring 4
> 70567 Stuttgart Fasanenhof
> EMail: le...@sup-logistik.de
Re: Router project on OpenBSD questions
On 2012-02-28, Kaya Saman <kayasa...@gmail.com> wrote:
> I was planning on getting a 2901 with VDSL2/ADSL2/2+ Annex M card and 8 port Gb switch card. But after careful consideration I decided against it as it would issue the same problems for me and be more expensive than going down the OpenBSD route as discussed previously.
>
> Also 75Mbps is mentioned by Cisco for the 2900 series: http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html which is pathetic as in the UK fiber networks are slowly becoming more available to the masses - in terms of offerings of up to 1Gbps are available for round £50/month ($75/month (US)).

For the current deployments in the UK the VDSL modem (FTTC) or ONT (for FTTP) is provided by BT, the demarc point is their ethernet interface which speaks pppoe. I have OpenBSD boxes running with both of these now (and you can get 1500 MTU in -current / 5.1 as long as your network interface supports jumbo frames).

> Even a VDSL2 solution offers up to 100Mbps - depending on distance between local loop and CPE but I'm sure that the 2900 series or 800 series VDSL provisioned ISR would struggle to meet those speeds. Couple that with 1000+ TCP/IP flows through UDP or TCP packet transactions and any **standard** branch based ISR wouldn't be able to cope :-(

Yep. I think they may cope in some conditions but for real-world usage they are going to run out of steam with this type of line speed.

> > The OpenBSD routing daemons are pretty good. Other than that for open-source routing there are some circumstances where BIRD running on Linux might be useful (personally I can't stand the config but I'd rather run this than Quagga..).
>
> Coming from FreeBSD background I didn't know of the OpenBSD integration with routing etc... so thanks for the 'wake up call' :-)

We have route priorities, multiple routing tables, MPLS, LDP, pretty decent BGP support including IP-VPN (OpenBGPd is run at a number of places including some busy internet exchange points as route-servers).

> Yes the routing support is pretty good as far as open-source OS go :)

Cool.

> as once my design is physically built and established I will look at building a PPPoE server and getting a Zyxell cheap DSLAM for £150 (GB) + line cards and emulate an ISP using my would be then redundant Cisco DSL routers..

You'll have to build it from source for now (it's not fully integrated with the OS yet), but /usr/src/usr.sbin/npppd is a decent daemon for L2TP LNS and PPPoE. You may already know this but you can get BT (21cn/20cn)/Be ADSL and Three 3g presented as an L2TP feed by some UK ISPs.

> Huge project I know but that's what keeps me going :-)

enjoy (:
Re: Router project on OpenBSD questions
On Mon, 27 Feb 2012 19:38:45 +, Kaya Saman <kayasa...@gmail.com> wrote:

Hello,

> I have currently only used OpenBSD as a test vector setup on VirtualBox and 2x Sun Fire V240's as a DNS server (master/slave) using Bind9. So basically in short am an OpenBSD newbie :-)
>
> Ok so here goes; I've been using FreeBSD for around 3+ years now and really enjoy it, in comparing OpenBSD to FreeBSD I first would like to get some user experience of the major advantages over it.

Well, I mostly use FreeBSD and I prefer it in general. But for router/firewall I think that OpenBSD suits better. All the tools are available out of the box and that just works.

There are a few things missing in FreeBSD (for our needs at work):
- missing TCP signature in OpenBGPD.
- missing pflow.
- some problems with carp (for example flip-flop of master/backup when a machine boots up, but carp would be better in FreeBSD 10.0).

OpenBSD is not perfect either, it would be nice if pflow handled IPv6, and the support of one year is a bit short. But nothing is perfect.

> from my (vastly) limited experience it's quite different to work with than FreeBSD.

Not really.
Re: Router project on OpenBSD questions
On Mon, 27 Feb 2012 16:58:05 -0300, Christiano F. Haesbaert <haesba...@haesbaert.org> wrote:

Hello,

> With decent hardware, I think you can reach 1mpps (that's million packets per second).

I don't think so. As far as I can see here, with a rate of 50K packets through the system it already spends 50% in interrupt.
Re: Router project on OpenBSD questions
On 2012 Feb 29 (Wed) at 11:54:13 +0100 (+0100), Patrick Lamaiziere wrote:
:OpenBSD is not perfect too, it would be nice that pflow handles ipv6

pflow now handles ipv6 (in 5.1)

:and the support of one year is a bit short. But nothing is perfect.

If you need support for longer than a year, you will need to contact a vendor offering openbsd support.

--
Fights between cats and dogs are prohibited by statute in Barber, North Carolina.
Re: Router project on OpenBSD questions
On Wed, Feb 29, 2012 at 1:10 PM, Patrick Lamaiziere <patf...@davenulle.org> wrote:
> On Mon, 27 Feb 2012 16:58:05 -0300, Christiano F. Haesbaert <haesba...@haesbaert.org> wrote:
>
> Hello,
>
> > With decent hardware, I think you can reach 1mpps (that's million packets per second).
>
> I don't think so. As far as I can see here, with a rate of 50K packets through the system it already spends 50% in interrupt.

What eth card?
Re: Router project on OpenBSD questions
On Wed, Feb 29, 2012 at 01:10:27PM +0100, Patrick Lamaiziere wrote:
> On Mon, 27 Feb 2012 16:58:05 -0300, Christiano F. Haesbaert <haesba...@haesbaert.org> wrote:
>
> Hello,
>
> > With decent hardware, I think you can reach 1mpps (that's million packets per second).
>
> I don't think so. As far as I can see here, with a rate of 50K packets through the system it already spends 50% in interrupt.

So maybe your hardware is not decent?

-Otto
Re: Router project on OpenBSD questions
On Wed, 29 Feb 2012 13:13:30 +0100, Peter Hessler <phess...@theapt.org> wrote:

Hello,

> On 2012 Feb 29 (Wed) at 11:54:13 +0100 (+0100), Patrick Lamaiziere wrote:
> :OpenBSD is not perfect too, it would be nice that pflow handles ipv6
>
> pflow now handles ipv6 (in 5.1)

That's cool! Thanks.

> :and the support of one year is a bit short. But nothing is perfect.
>
> If you need support for longer than a year, you will need to contact a vendor offering openbsd support.

I don't believe they will be able to support it if the support has ended upstream, only a few are able to dig into the code. Sure, I will find tons of them able to sell support. But if they sell some wind I can do it myself for free.

That was not a criticism, I understand well the release process on OpenBSD and the limited resources available. But this is something to consider when you choose a system.

Regards.
Re: Router project on OpenBSD questions
On Wed, Feb 29, 2012 at 1:43 PM, Patrick Lamaiziere <patf...@davenulle.org> wrote:
> On Wed, 29 Feb 2012 13:13:30 +0100, Peter Hessler <phess...@theapt.org> wrote:
>
> Hello,
>
> > On 2012 Feb 29 (Wed) at 11:54:13 +0100 (+0100), Patrick Lamaiziere wrote:
> > :OpenBSD is not perfect too, it would be nice that pflow handles ipv6
> >
> > pflow now handles ipv6 (in 5.1)
>
> That's cool! Thanks.
>
> > :and the support of one year is a bit short. But nothing is perfect.
> >
> > If you need support for longer than a year, you will need to contact a vendor offering openbsd support.
>
> I don't believe they will be able to support it if the support has ended upstream, only a few are able to dig into the code. Sure, I will find tons of them able to sell support. But if they sell some wind I can do it myself for free.
>
> That was not a criticism, I understand well the release process on OpenBSD and the limited resources available. But this is something to consider when you choose a system.

Bugs are in every system including OpenBSD. The question is how many of them compared to other products, and how many are mitigated because of other layers of protection available in OpenBSD. From that point of view a 2 year old OpenBSD is better than the latest Solaris or whatever :-)

And if someone needs corporate support like 10 years then they have HA/clusters, right? So they can be fine even with OpenBSD doing an update on a node once a year.

Regarding ABI support... paying a good developer seems to be cheaper than support contracts offered by big vendors.

Regards.
Re: Router project on OpenBSD questions
* Patrick Lamaiziere <patf...@davenulle.org> [2012-02-29 13:12]:
> I don't think.

it is very tempting to comment on that :)

> As far I can see here with a rate of 50K packets through the system, it already spents 50% in interrupt.

oh, really! that applies to each and every box and usage scenario on the planet of course. details just complicate things.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: Router project on OpenBSD questions
Brauer spewed:
> * Patrick Lamaiziere <patf...@davenulle.org> [2012-02-29 13:12]:
> > I don't think.
>
> it is very tempting to comment on that :)
>
> > As far I can see here with a rate of 50K packets through the system, it already spents 50% in interrupt.
>
> oh, really! that applies to each and every box and usage scenario on the planet of course. details just complicate things.

What a surprise, another 100% noise level post from Henning. For a smart guy you sure have a lot of free time. Maybe you ought to be designing and coding more and flaming less huh buddy?
Re: Router project on OpenBSD questions
On 29 February 2012 14:15, Anonymous Remailer (austria) <mixmas...@remailer.privacy.at> wrote:
> Brauer spewed:
> > * Patrick Lamaiziere <patf...@davenulle.org> [2012-02-29 13:12]:
> > > I don't think.
> >
> > it is very tempting to comment on that :)
> >
> > > As far I can see here with a rate of 50K packets through the system, it already spents 50% in interrupt.
> >
> > oh, really! that applies to each and every box and usage scenario on the planet of course. details just complicate things.
>
> What a surprise, another 100% noise level post from Henning. For a smart guy you sure have a lot of free time. Maybe you ought to be designing and coding more and flaming less huh buddy?

What a surprise, another anonymous shithead who has nothing to add to a conversation.
Re: Router project on OpenBSD questions
> I also would like to know if anyone knows of any ADSL2+ Annex M standard PCI (/x/) based modem card that I can use to connect to my ISP with instead of using an external device? So far in my search I came across this: http://linitx.com/viewcategory.php?catid=47

This is basically an ADSL router on a PCI card presenting as an ethernet interface. iirc, you configure it with telnet/http. In a normal config then this card will be actively routing packets.

Personally I prefer to have a separate router/modem that can be swapped out without powering down the machine, and usually connected by a better quality network interface than an rl(4). Main advantage I see with these particular cards is that if you have a dual-PSU machine you can get some power protection.

If you want to terminate ppp in OpenBSD then you can do that just as well with an external box as you can with one of these (configure in bridge mode, run pppoe(4) in OpenBSD).

> Are these going to be OpenBSD compatible or are there others???

Yes should be compatible, it just looks like a nic.

> Does anyone know of a VDSL2 solution like this also?

Don't know of one. My same comments would apply about preferring a separate box.

> For software I plan to use Quagga/Zebra which should be in the ports or compatible easily coupled with NAT, ACL's, Firewall using PF or so

In OpenBSD there are actually usable routing daemons, OpenBGPD, OpenRIPD and OpenOSPFD. Ugh quagga. Maybe when someone pulls together all the various internally-maintained forks of it it'll be a bit more usable..

The OpenBSD routing daemons are pretty good. Other than that for open-source routing there are some circumstances where BIRD running on Linux might be useful (personally I can't stand the config but I'd rather run this than Quagga..).

> Is OpenBSD compatible with Cisco VTP and STP to trunk VLANs to Cisco switches?

I'm not familiar with VTP, the rest will be fine.

Standard 802.1q works fine - vlan(4) and we also do QinQ (ethertype 0x88a8 only) with svlan(4). We don't do VTP (or GVRP), you need to configure vlans separately. Personally I don't see that as a disadvantage :)

STP is for bridging not for vlan support, we do support STP/RSTP but not MSTP though switches should fallback to RSTP in that case. (I try and leave bridging to switches though).

> I did discover this already: http://fengnet.com/book/icuna/ch05lev1sec5.html so it would seem so, however I do not know if link-aggregation would work?? As in Cisco Etherchannel to multiple ports on the router.

Yep, trunk will work fine with a cisco. trunk(4) supports LACP and static configs ('trunkproto loadbalance' should be compatible with the statically-configured Cisco FEC, though LACP is preferred if you have the option).

> There are many more questions I have but will refrain from asking at this phase as most of them can be got round by researching; like Cisco IPSEC/GRE VPN compatibility et el.

IPsec is mostly compatible but there's a bit of breakage if the ipsec gateways are behind NAT (because Cisco still follows a very old nat-t draft rather than the standard). gre(4) should work fine.
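To make the "QinQ (ethertype 0x88a8 only)" remark concrete, here is an added example (not code from the thread or from OpenBSD) that builds and parses Ethernet frames with stacked VLAN tags. The TPIDs are the standard ones: 0x8100 for 802.1Q and 0x88a8 for the 802.1ad service tag; 0x9100 is a pre-standard QinQ TPID some vendors used and appears only as the negative case. The `classify` function encodes the reply's statement (single 0x8100 tag handled by vlan(4), 0x88a8 over 0x8100 by svlan(4) plus vlan(4), nothing else) as an assumption for illustration, not as a reading of the OpenBSD source; all frames are constructed:

```python
"""Peel 802.1Q / 802.1ad tags off Ethernet frames and classify the stacking.
Added example; constructed frames and a classification that mirrors the
thread's '0x88a8 only' remark."""
import struct

TPID_8021Q = 0x8100          # 802.1Q customer tag, vlan(4)
TPID_8021AD = 0x88A8         # 802.1ad service tag, svlan(4)
TPID_LEGACY_QINQ = 0x9100    # pre-standard QinQ TPID, not the 802.1ad value
KNOWN_TPIDS = {TPID_8021Q, TPID_8021AD, TPID_LEGACY_QINQ}


def build_frame(dst_hex, src_hex, tags, ethertype, payload):
    """Ethernet header + zero or more (tpid, pcp, dei, vid) tags + payload."""
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for tpid, pcp, dei, vid in tags:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """(dst, src, tags, inner ethertype, payload offset); tags are
    (tpid, pcp, dei, vid) from outermost to innermost."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[0:6].hex(), frame[6:12].hex()
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated ethertype")
        et = struct.unpack_from("!H", frame, off)[0]
        if et not in KNOWN_TPIDS:
            return dst, src, tags, et, off + 2
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((et, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4


def classify(frame):
    """'untagged', 'vlan' (one 0x8100 tag), 'qinq' (0x88a8 over 0x8100) or
    'unsupported' (any other stacking, e.g. a 0x9100 outer tag or two 0x8100
    tags). Assumption: mirrors the thread's remark, not the OpenBSD source."""
    tpids = [t[0] for t in parse_frame(frame)[2]]
    if not tpids:
        return "untagged"
    if tpids == [TPID_8021Q]:
        return "vlan"
    if tpids == [TPID_8021AD, TPID_8021Q]:
        return "qinq"
    return "unsupported"


# Constructed frames (locally administered MACs, stub IPv4 payload).
PAYLOAD = b"\x45" + b"\x00" * 19
DST, SRC = "0200c0ffee02", "0200c0ffee01"
FRAME_UNTAGGED = build_frame(DST, SRC, [], 0x0800, PAYLOAD)
FRAME_VLAN = build_frame(DST, SRC, [(TPID_8021Q, 0, 0, 100)], 0x0800, PAYLOAD)
FRAME_QINQ = build_frame(DST, SRC, [(TPID_8021AD, 3, 0, 2000), (TPID_8021Q, 0, 0, 100)], 0x0800, PAYLOAD)
FRAME_LEGACY = build_frame(DST, SRC, [(TPID_LEGACY_QINQ, 0, 0, 2000), (TPID_8021Q, 0, 0, 100)], 0x0800, PAYLOAD)
FRAME_DOUBLE_Q = build_frame(DST, SRC, [(TPID_8021Q, 0, 0, 2000), (TPID_8021Q, 0, 0, 100)], 0x0800, PAYLOAD)


if __name__ == "__main__":
    for name, f in [("untagged", FRAME_UNTAGGED), ("802.1Q", FRAME_VLAN),
                    ("802.1ad QinQ", FRAME_QINQ), ("0x9100 QinQ", FRAME_LEGACY),
                    ("double 0x8100", FRAME_DOUBLE_Q)]:
        _, _, tags, et, _ = parse_frame(f)
        print(f"{name:14} tags={[(hex(t), v) for t, _, _, v in tags]} inner=0x{et:04x} -> {classify(f)}")
```

The practical upshot for the switch side of this setup: if the Cisco is configured for QinQ with a non-standard outer TPID, the frames arrive as "unsupported" here, so the trunk to the OpenBSD box needs the switch set to the 802.1ad ethertype before svlan(4) will see the outer tag.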
Re: Router project on OpenBSD questions
On 02/28/2012 01:57 PM, Stuart Henderson wrote: I also would like to know if anyone knows of any ADSL2+ Annex M standard PCI (/x/) based modem card that I can use to connect to my ISP with instead of using an external device? So far in my search I came across this: http://linitx.com/viewcategory.php?catid=47 This is basically an ADSL router on a PCI card presenting as an ethernet interface. iirc, you configure it with telnet/http. In a normal config then this card will be actively routing packets. Personally I prefer to have a separate router/modem that can be swapped out without powering down the machine, and usually connected by a better quality network interface than an rl(4) Main advantage I see with these particular carsd is that if you have a dual-PSU machine you can get some power protection. If you want to terminate ppp in OpenBSD then you can do that just as well with an external box as you can with one of these (configure in bridge mode, run pppoe(4) in OpenBSD). Thanks a lot Stuart for the response!! I think that particular interface isn't around any more as the company that builds them have gone here: http://www.rocksolidelectronics.com/pages/products/v1.php This makes more sense to me personally as I've had Cisco router experience as discussed; unfortunately while 'maxing' out connections Cisco's tend to blow up!!! They crash, get slow and start acting funny What I'm trying to do is replace my Cisco 857, 877, and 1801 as the performance is **not** there for me :-( CPU driven into 100% on all boxes and memory used up also. I was planning on getting a 2901 with VDSL2/ADSL2/2+ Annex M card and 8 port Gb switch card. But after careful consideration I decided against it as it would issue the same problems for me and be more expensive then going down the OpenBSD route as discussed previously. 
Also 75Mbps is mentioned by Cisco for the 2900 series: http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html which is pathetic as in the UK fiber networks are slowly becoming more available to the masses - in terms of offerings of up to 1Gbps are available for round #50/month ($75/month (US)). Even a VDSL2 solution offers up to 100Mbps - depending on distance between local loop and CPE but I'm sure that the 2900 series or 800 series VDSL provisioned ISR would struggle to meet those speeds. Couple that with 1000+ TCP/IP flows through UDP or TCP packet transactions and any **standard** branch based ISR wouldn't be able to cope :-( Are these going to be OpenBSD compatible or are there others??? Yes should be compatible, it just looks like a nic. On the site even mentions xBSD compatibility as post read now :-) Does anyone know of a VDSL2 solution like this also? Don't know of one. My same comments would apply about preferring a separate box. See my comments above - otherwise wouldn't spend hassle on this design and would have gone directly to a 2901 with VDSL2 card. Other option is this: http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78-613481.html and link to OpenBSD based router design... but if telco chipset (modem) of router gets maxed then the whole box will become saturated :-( For software I plan to use Quagga/Zebra which should be in the ports or compatible easily coupled with NAT, ACL's, Firewall using PF or so In OpenBSD there are actually usable routing daemons, OpenBGPD, OpenRIPD and OpenOSPFD. Ugh quagga. Maybe when someone pulls together all the various internally-maintained forks of it it'll be a bit more usable.. The OpenBSD routing daemons are pretty good. Other than that for open-source routing there are some circumstances where BIRD running on Linux might be useful (personally I can't stand the config but I'd rather run this than Quagga..). 
Coming from FreeBSD background I didn't know of the OpenBSD integration with routing etc... so thanks for the 'wake up call' :-)

>>> Is OpenBSD compatible with Cisco VTP and STP to trunk VLANs to Cisco switches?

>> I'm not familiar with VTP, the rest will be fine.

> Standard 802.1q works fine - vlan(4) and we also do QinQ (ethertype 0x88a8 only) with svlan(4). We don't do VTP (or GVRP), you need to configure vlans separately. Personally I don't see that as a disadvantage :)
>
> STP is for bridging not for vlan support, we do support STP/RSTP but not MSTP though switches should fall back to RSTP in that case. (I try and leave bridging to switches though).

I see where you're headed with this! Leave spanning-tree to the switches to block redundant ports and prevent loops but trunk everything to OpenBSD and inter-Vlan route/switch from there. Rather than link aggregation using Etherchannel et al., get a multi port NIC on the OpenBSD box then according to b/w requirements can trunk on different port if needed.

>>> I did discover this already: http://fengnet.com/book/icuna/ch05lev1sec5.html so it would seem so,
Re: Router project on OpenBSD questions
On 27 February 2012 16:38, Kaya Saman kayasa...@gmail.com wrote:

> Hi, this is my first posting here :-)
>
> I have currently only used OpenBSD as a test vector setup on VirtualBox and 2x Sun Fire V240s as a DNS server (master/slave) using Bind9. So basically in short am an OpenBSD newbie :-)
>
> Ok so here goes; I've been using FreeBSD for around 3+ years now and really enjoy it, in comparing OpenBSD to FreeBSD I first would like to get some user experience of the major advantages over it. From my reading it's meant to be more secure, from my (vastly) limited experience it's quite different to work with than FreeBSD.
>
> -Could anyone give me any summarized answers to compare the two?
>
> Now here comes the major project
>
> For the past 4 years or so I've been hosting various OpenSource projects from home and have a setup similar to the OpenBSD rack pics on the openbsd.org site :-)
>
> To fill the role of router I have used till now, a Cisco 857, 877, and 1801 all of whose power I've managed to max out!! :-( As a qualified Cisco engineer but also budding UNIX engineer/enthusiast I've come to understand that Cisco boxes are underpowered and overpriced
>
> Graphing the Ciscos using SNMP and RRD tools using Cacti, the CPUs tend to max-out after the TCP/IP flows start reaching 1000+ and so goes the memory too. Then I lose all kind of connectivity as the router either crashes or becomes unstable.
>
> So I would like to build a router out of a Quad Core Xeon system. I've selected the hardware for it already and the software barring the base OS.

You want the highest cache and highest frequency cpu you can find. MP will not help you with routing performance at all.

> The hardware will run a socket 1366 Xeon using a Supermicro system board.
> (I'm sure this will be 100% compatible with OpenBSD or FreeBSD whichever I chose) http://www.supermicro.nl/products/motherboard/Xeon3000/X58/X8SAX.cfm
>
> Additionally I would like to run a 5.25 LCD in the chassis front to monitor on the fly system output using Lcdproc - this is available on FreeBSD using ports but not sure about OpenBSD though I'm sure can be easily compiled if necessary. Something like the PicoLCD from Mini-Box or Matrix-Orbital displays or similar. --actually I think VFDs are kinda cool but need to find a 5.25 one :-)
>
> I also would like to know if anyone knows of any ADSL2+ Annex M standard PCI (/x/) based modem card that I can use to connect to my ISP with instead of using an external device? So far in my search I came across this: http://linitx.com/viewcategory.php?catid=47 Of which manufacturers seem to be: http://www.rocksolidelectronics.com/pages/products.php
>
> Are these going to be OpenBSD compatible or are there others??? Does anyone know of a VDSL2 solution like this also?
>
> For software I plan to use Quagga/Zebra which should be in the ports or compatible easily coupled with NAT, ACLs, Firewall using PF or so

In OpenBSD there are actually usable routing daemons, OpenBGPD, OpenRIPD and OpenOSPFD.

> In this case comparing FreeBSD, what's OpenBSD's performance like for Firewall/IDS/IPS systems??

That's something only you can test, there are tons of variables in place here.

> Is OpenBSD compatible with Cisco VTP and STP to trunk VLANs to Cisco switches?

I'm not familiar with VTP, the rest will be fine.

> I did discover this already: http://fengnet.com/book/icuna/ch05lev1sec5.html so it would seem so, however I do not know if link-aggregation would work?? As in Cisco Etherchannel to multiple ports on the router.

Yep, trunk will work fine with a cisco.

> There are many more questions I have but will refrain from asking at this phase as most of them can be got round by researching; like Cisco IPSEC/GRE VPN compatibility et al.
> i think am just worried about the ADSL2 modem card mainly as most of the above can be got over with testing and trying things out :-)
>
> It's just a pain that a Cisco 2901 for example as claimed by Cisco can only route at 75Mbps (ok routing uses PPS but wirespeed is not available unless going carrier grade). Especially now that companies are slowly starting to release Residential Fiber networks up to 1Gbps... would render the Ciscos maxed-out power wise.

With decent hardware, I think you can reach 1mpps (that's million packets per second).

> I know there are a lot of questions here but am hoping that some of them can be answered or at least advice given pre-testing :-)
>
> Many thanks and best regards,
>
> Kaya

Good luck
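The answers in this thread name the building blocks for the setup Kaya describes: pppoe(4) on OpenBSD with the DSL modem in bridge mode, vlan(4) for 802.1q trunks to the Cisco switch, trunk(4) for link aggregation in place of Etherchannel, and pf for NAT and filtering. As an added example (not from the thread, and not the OpenBSD project's own code), the shell function below writes that combination out as hostname.if(5) and pf.conf(5) fragments into a directory of your choice, so they can be reviewed and diffed before anything is copied into /etc. The interface names (em0, em1, em2), VLAN ids, addresses and PPPoE credentials are placeholders; the syntax follows the pppoe(4), vlan(4), trunk(4) and pf.conf(5) manual pages of the OpenBSD 5.x era, when this thread was written.

```shell
#!/bin/sh
# Added example: generate OpenBSD router config fragments for the design
# discussed in the thread (PPPoE to a bridged DSL modem, 802.1q VLANs on an
# LACP trunk to a Cisco switch, pf NAT). Not the thread's or the project's
# own code. Interface names, VLAN ids, addresses and credentials are
# placeholders; syntax is OpenBSD 5.x-era hostname.if(5)/pf.conf(5).
set -eu

# gen_router_config DIR
# Writes hostname.* and pf.conf fragments into DIR (never straight into
# /etc, so the result can be reviewed first).
gen_router_config() {
    dir=$1
    mkdir -p "$dir"

    # em0 only carries PPPoE frames to the modem in bridge mode: no address.
    printf 'up\n' > "$dir/hostname.em0"

    # pppoe0 is the ISP-facing interface. Placeholder credentials; the real
    # file should be mode 0640 root:wheel because it holds the PPPoE secret.
    cat > "$dir/hostname.pppoe0" <<'EOF'
inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev em0 authproto pap \
    authname 'ISP_USER' authkey 'ISP_PASSWORD' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
EOF

    # trunk0: LACP aggregate of em1 and em2 towards the switch (the Cisco
    # side runs the matching port-channel in LACP active mode). The
    # aggregate itself carries no address, only tagged VLANs.
    printf 'trunkproto lacp trunkport em1 trunkport em2 up\n' \
        > "$dir/hostname.trunk0"

    # One 802.1q VLAN per internal network, riding on the trunk; the router
    # is the gateway for each. Placeholder ids and documentation addresses.
    printf 'vlan 10 vlandev trunk0 inet 192.0.2.1 255.255.255.0\n' \
        > "$dir/hostname.vlan10"
    printf 'vlan 20 vlandev trunk0 inet 198.51.100.1 255.255.255.0\n' \
        > "$dir/hostname.vlan20"

    # pf: clamp MSS because PPPoE lowers the MTU to 1492, NAT the VLANs out
    # through pppoe0, default-deny inbound on the ISP side, and log what is
    # blocked so unexpected inbound traffic shows up in pflog0.
    cat > "$dir/pf.conf" <<'EOF'
ext_if = "pppoe0"
int_ifs = "{ vlan10 vlan20 }"

set skip on lo
match on $ext_if scrub (max-mss 1440)
match out on $ext_if inet from { vlan10:network vlan20:network } nat-to ($ext_if:0)

block in log on $ext_if
pass out on $ext_if
pass in on $int_ifs
EOF
}

# Forwarding must also be enabled for the box to route between the VLANs
# and the ISP: net.inet.ip.forwarding=1 in /etc/sysctl.conf.
# Usage: sh thisfile.sh /tmp/router-cfg   (then review, then copy to /etc)
if [ $# -ge 1 ]; then
    gen_router_config "$1"
fi
```

The block deliberately writes to a staging directory rather than /etc: the PPPoE secret ends up in hostname.pppoe0, and the pf ruleset starts from deny-inbound on the ISP side, so both deserve a look (and `pfctl -nf` against the generated pf.conf on the target box) before they go live.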
Re: Router project on OpenBSD questions
<snip>

> Good luck

Many thanks Christiano for such a quick and comprehensive response :-)

Regards,

Kaya
Re: Router project on OpenBSD questions
>> So I would like to build a router out of a Quad Core Xeon system. I've selected the hardware for it already and the software barring the base OS.

> You want the highest cache and highest frequency cpu you can find. MP will not help you with routing performance at all.

Something like this: http://ark.intel.com/products/53580/Intel-Xeon-Processor-E7-8870-%2830M-Cache-2_40-GHz-6_40-GTs-Intel-QPI%29 30MB cache @ 2.4GHz

However this does raise the question, 32bit or 64bit??? And what would be the benefit for having multi CPU sockets or cores??? --I mean for an integrated Firewall/router yes one can offload processes and threads per core or socket

With this though I'm betting that a Core2Quad Q8400s CPU (which I currently run on a FreeBSD based Mini-NAS mainframe) will be more powerful than any Cisco SMB based router? - I can see it being more powerful than my 8xx or 18xx series in any case!

Most DIY/Linux router boxes all seem to run Mini-ITX hardware on Intel ATOMs or VIA processors or Vyatta running standard x86 Multi-core architecture for their appliances; how does this relate to the equation?

--K
Re: Router project on OpenBSD questions
On 27 February 2012 17:12, Kaya Saman kayasa...@gmail.com wrote:

>>> So I would like to build a router out of a Quad Core Xeon system. I've selected the hardware for it already and the software barring the base OS.

>> You want the highest cache and highest frequency cpu you can find. MP will not help you with routing performance at all.

> Something like this: http://ark.intel.com/products/53580/Intel-Xeon-Processor-E7-8870-%2830M-Cache-2_40-GHz-6_40-GTs-Intel-QPI%29 30MB cache @ 2.4GHz
>
> However this does raise the question, 32bit or 64bit??? And what would be

amd64, wow I had no idea such cpu was out already, I'm not sure if anyone ever tried running openbsd on such cpu.

> the benefit for having multi CPU sockets or cores???

Almost none for routing purposes, the kernel is big locked and all interrupts go to cpu0, so this basically means: You'll be routing packets on cpu0 *only*. But you'll get the benefit of having the userland processes running on multiple cpus, so if you're basically routing/filtering with pf, MP won't make much difference.

> --I mean for an integrated Firewall/router yes one can offload processes and threads per core or socket

Userland processes will benefit from MP when running in userland, they'll get the biglock when doing a system call. You only have one process running in kernel land at a time.

> With this though I'm betting that a Core2Quad Q8400s CPU (which I currently run on a FreeBSD based Mini-NAS mainframe) will be more powerful than any Cisco SMB based router? - I can see it being more powerful than my 8xx or 18xx series in any case!

I don't know cisco, it's all about how much data you need to route. But if you were concerned about 75mbps, even my sun ultra 5 400mhz can do more than that. Do the math, I'd guess you can do *at least* 300mpps with any fairly modern cpu. Now do 300mpps * 1500bytes, that's your throughput for full sized packets.
You may want to read this: http://www.undeadly.org/cgi?action=article&sid=2011101406

> Most DIY/Linux router boxes all seem to run Mini-ITX hardware on Intel ATOMs or VIA processors or Vyatta running standard x86 Multi-core architecture for their appliances; how does this relate to the equation?

Those are very weak processors, again, it's all about how much pps you need.
Re: Router project on OpenBSD questions
>> With this though I'm betting that a Core2Quad Q8400s CPU (which I currently run on a FreeBSD based Mini-NAS mainframe) will be more powerful than any Cisco SMB based router? - I can see it being more powerful than my 8xx or 18xx series in any case!

> I don't know cisco, it's all about how much data you need to route. But if you were concerned about 75mbps, even my sun ultra 5 400mhz can do more than that. Do the math, I'd guess you can do *at least* 300mpps with any fairly modern cpu. Now do 300mpps * 1500bytes, that's your throughput for full sized packets.

Hmm I think I OD'd and got a bit excited on the CPU mentioned as I don't even think it's out yet at least not in consumer land

Something like this: Intel Xeon X3680 Six Core 3.33GHz 12MB Cache might be more cost effective and better suited to my needs :-)

Sun Ultra 5... you should have said something earlier ;-P I could then just whack OpenBSD onto my E420r lol - to be honest I was considering going for a used Sun Fire V210 but I don't think there are **any** ADSL modem cards available for SPARC! :-( otherwise that would have been an awesome box!!

> You may want to read this: http://www.undeadly.org/cgi?action=article&sid=2011101406

Thanks, that was interesting. Ok I know now that I'm going down the right road :-)

>> Most DIY/Linux router boxes all seem to run Mini-ITX hardware on Intel ATOMs or VIA processors or Vyatta running standard x86 Multi-core architecture for their appliances; how does this relate to the equation?

> Those are very weak processors, again, it's all about how much pps you need.

for SOHOs not engineers then :-)

Thanks for all the support!!!

Best regards,

Kaya