[smartos-discuss] softether vpn

2018-01-10 Thread H. William Welliver III
Good evening, all:

I have a physical server running the SoftEther VPN as a remote access device, 
and I’ve been trying to migrate it onto a zone without much success. I was 
wondering if anyone has had any luck using it. I’ve found a little material 
online suggesting that it’s possible, but I’ve not had any luck. Everything 
seems to work on the client <-> soft ether side, but it seems that outbound 
packets onto the destination network don’t ever make it anywhere (according to 
snoop). 

My first indication of a problem was when the tunnel wasn’t able to get a DHCP 
address from the local DHCP server. My working assumption is that it has 
something to do with one of the spoofing options, but I’ve not found a 
combination that seems to improve the situation.

I’ve also noticed that I’m not able to set the allow_unfiltered_promisc option 
using "vmadm update", despite being able to set the other spoofing options. Is 
it possible that this is part of the problem?

I’m pretty much stumped at this point. Technically this is an SDC install, but 
it doesn’t seem like that is part of the equation here. I’m running the latest 
SmartOS update. Any thoughts?

Best,

Bill

---
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00
Modify Your Subscription: 
https://www.listbox.com/member/?member_id=25769125_secret=25769125-7688e9fb
Powered by Listbox: http://www.listbox.com


Re: [smartos-discuss] softether vpn

2018-01-30 Thread H. William Welliver III
And my final followup:

It appears that "allow_unfiltered_promisc" is silently ignored for non-kvm zone 
brands (ref /usr/lib/brand/joyent/statechange). Is there a particular reason 
for that? I understand that it's a powerful and dangerous option, but it's 
already relatively difficult to enable. Is there any way to work around this, 
short of rolling my own boot image/platform image?

Bill

January 29, 2018 9:41 PM, "H. William Welliver III" <will...@welliver.org> wrote:
> Hi Jason,
> 
> Thanks for the tip about libdlpi… the existing approach seems a little 
> brittle so I’ll have a look at this. 
> 
> As for the vnic protection flags, I’ve definitely been able to save the 
> “allow_unfiltered_promisc” option using vmadm, but it doesn’t seem to take 
> effect, despite being present and in the zone configuration. If I set it 
> manually using dladm, it reverts after a zone reboot. I am just a little bit 
> puzzled. 
> 
>> On Jan 29, 2018, at 7:47 PM, Jason King <jason.brian.k...@gmail.com> wrote: 
>> 
>> For the SoftEther code changes, I’d suggest looking into libdlpi(3DLPI). 
>> It’ll take care of most of the DLPI details for you (including handling both 
>> style 1 and style 2 devices — it sounds like it can’t handle style 1 devices 
>> — e.g. /dev/net0), it’s also something that’s been around since Solaris 10 
>> IIRC, so there shouldn’t be much compatibility concerns.
>> 
>> As for the dladm properties, those are usually set via vmadm(1M) in SmartOS 
>> and persisted as part of a zone configuration (look at the various nics.* 
>> properties). If you’re trying to do this for interfaces in the global zone, 
>> I’m not aware of any method of persisting it for global zone devices (you’d 
>> probably just need to script it). 





Re: [smartos-discuss] softether vpn

2018-02-02 Thread H. William Welliver III
Building a new platform image using a fork of smartos-live that uncomments the 
option for unfiltered promisc seems to solve the problem. A bit of a 
complicated solution to the problem (I guess I am tying myself to a lifetime of 
smartos compilations) but it works and seems less of a hack than the 
alternatives.

Bill

January 30, 2018 11:04 AM, "H. William Welliver III" <will...@welliver.org> wrote:
And my final followup:

It appears that "allow_unfiltered_promisc" is silently ignored for non-kvm zone 
brands (ref /usr/lib/brand/joyent/statechange). Is there a particular reason 
for that? I understand that it's a powerful and dangerous option, but it's 
already relatively difficult to enable. Is there any way to work around this, 
short of rolling my own boot image/platform image?

Bill
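
The mismatch described in this thread (a flag saved with vmadm that the datalink never picks up, or a dladm change that is gone after the zone restarts) can be checked mechanically. The script below is an added example, not code from the thread or from SmartOS; the sample dladm output is constructed, and the spelling of an empty value in parseable output is an assumption.

```shell
#!/bin/sh
# Added example: compare the anti-spoofing relaxations a zone nic is
# configured with against what its datalink actually enforces.

# vmadm(1M) nic flags, in the order they are reported.
ALL_FLAGS="allow_mac_spoofing allow_ip_spoofing allow_dhcp_spoofing allow_restricted_traffic allow_unfiltered_promisc"

# effective_flags LINK
# Reads `dladm show-linkprop -c -o link,property,value LINK` output on stdin
# and prints the allow_* flags that are in effect on that datalink.
# Assumption: an empty protection list shows up as "" or "--".
# Returns 1 if LINK does not appear in the input.
effective_flags() {
    awk -F: -v link="$1" '
        $1 == link && $2 == "protection"       { prot = "," $3 ","; seen = 1 }
        $1 == link && $2 == "promisc-filtered" { pf = $3 }
        END {
            if (!seen) exit 1
            out = ""
            if (!index(prot, ",mac-nospoof,"))  out = out " allow_mac_spoofing"
            if (!index(prot, ",ip-nospoof,"))   out = out " allow_ip_spoofing"
            if (!index(prot, ",dhcp-nospoof,")) out = out " allow_dhcp_spoofing"
            if (!index(prot, ",restricted,"))   out = out " allow_restricted_traffic"
            if (pf == "off")                    out = out " allow_unfiltered_promisc"
            print substr(out, 2)
        }'
}

# flag_drift "CONFIGURED FLAGS" "EFFECTIVE FLAGS"
# Prints one line per mismatch:
#   ignored:<flag>     set in the zone configuration, not enforced on the link
#   unrecorded:<flag>  in effect on the link, absent from the configuration
flag_drift() {
    for f in $ALL_FLAGS; do
        case " $1 " in *" $f "*) c=1 ;; *) c=0 ;; esac
        case " $2 " in *" $f "*) e=1 ;; *) e=0 ;; esac
        if [ "$c" = 1 ] && [ "$e" = 0 ]; then echo "ignored:$f"; fi
        if [ "$c" = 0 ] && [ "$e" = 1 ]; then echo "unrecorded:$f"; fi
    done
    return 0
}

# Constructed sample: protections cleared, promisc-filtered still "on"
# (the state reported in the thread after a zone boot).
sample_after_boot() {
    printf '%s\n' 'net0:protection:--' 'net0:promisc-filtered:on'
}

# Constructed sample: promisc-filtered switched off by hand with dladm.
sample_after_manual_dladm() {
    printf '%s\n' 'net0:protection:--' 'net0:promisc-filtered:off'
}

# Case 1: every allow_* flag is in the zone configuration (constructed).
flag_drift "$ALL_FLAGS" "$(sample_after_boot | effective_flags net0)"

# Case 2: the configuration lacks allow_unfiltered_promisc, but the link
# has been changed manually; this setting is lost at the next zone restart.
flag_drift "allow_mac_spoofing allow_ip_spoofing allow_dhcp_spoofing allow_restricted_traffic" \
    "$(sample_after_manual_dladm | effective_flags net0)"
```

On a live system the first argument would come from the nic entry in the zone configuration and the second from dladm run against the zone's link.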





[smartos-discuss] Re: softether vpn

2018-01-27 Thread H. William Welliver III
Just a follow-up; I’ve tried softether in a zone running ubuntu as well as a 
kvm zone running ubuntu, and neither works properly (the client is able to 
connect but no traffic leaves the zone).

I was able to run and use softether successfully from the global zone, so this 
leads me to believe that there’s some sort of restriction when running within a 
non-global zone, despite having given the nic in the zone full spoofing 
privileges. 

Can anyone think of a reason this shouldn’t work (or something I might be 
missing)?
  
Best,

Bill

> On Jan 10, 2018, at 8:31 PM, H. William Welliver III <will...@welliver.org> 
> wrote:
> 
> Good evening, all:
> 
> I have a physical server running the SoftEther VPN as a remote access device, 
> and I’ve been trying to migrate it onto a zone without much success. I was 
> wondering if anyone has had any luck using it. I’ve found a little material 
> online suggesting that it’s possible, but I’ve not had any luck. Everything 
> seems to work on the client <-> soft ether side, but it seems that outbound 
> packets onto the destination network don’t ever make it anywhere (according 
> to snoop). 
> 
> My first indication of a problem was when the tunnel wasn’t able to get a 
> DHCP address from the local DHCP server. My working assumption is that it has 
> something to do with one of the spoofing options, but I’ve not found a 
> combination that seems to improve the situation.
> 
> I’ve also noticed that I’m not able to set the allow_unfiltered_promisc 
> option using "vmadm update", despite being able to set the other spoofing 
> options. Is it possible that this is part of the problem?
> 
> I’m pretty much stumped at this point. Technically this is an SDC install, 
> but it doesn’t seem like that is part of the equation here. I’m running the 
> latest SmartOS update. Any thoughts?
> 
> Best,
> 
> Bill





Re: [smartos-discuss] softether vpn

2018-01-27 Thread H. William Welliver III
Just a further clarification: things work against physical nics in the global 
zone but not against a vnic; I’ve verified that all of the protections are 
disabled on the vnic but to no avail.

> On Jan 27, 2018, at 7:31 PM, H. William Welliver III <will...@welliver.org> 
> wrote:
> 
> Just a follow-up; I’ve tried softether in a zone running ubuntu as well as a 
> kvm zone running ubuntu, and neither works properly (the client is able to 
> connect but no traffic leaves the zone).
> 
> I was able to run and use softether successfully from the global zone, so 
> this leads me to believe that there’s some sort of restriction when running 
> within a non-global zone, despite having given the nic in the zone full 
> spoofing privileges. 
> 
> Can anyone think of a reason this shouldn’t work (or something I might be 
> missing)?
> 
> Best,
> 
> Bill
> 
>> On Jan 10, 2018, at 8:31 PM, H. William Welliver III <will...@welliver.org> 
>> wrote:
>> 
>> Good evening, all:
>> 
>> I have a physical server running the SoftEther VPN as a remote access 
>> device, and I’ve been trying to migrate it onto a zone without much success. 
>> I was wondering if anyone has had any luck using it. I’ve found a little 
>> material online suggesting that it’s possible, but I’ve not had any luck. 
>> Everything seems to work on the client <-> soft ether side, but it seems 
>> that outbound packets onto the destination network don’t ever make it 
>> anywhere (according to snoop). 
>> 
>> My first indication of a problem was when the tunnel wasn’t able to get a 
>> DHCP address from the local DHCP server. My working assumption is that it 
>> has something to do with one of the spoofing options, but I’ve not found a 
>> combination that seems to improve the situation.
>> 
>> I’ve also noticed that I’m not able to set the allow_unfiltered_promisc 
>> option using "vmadm update", despite being able to set the other spoofing 
>> options. Is it possible that this is part of the problem?
>> 
>> I’m pretty much stumped at this point. Technically this is an SDC install, 
>> but it doesn’t seem like that is part of the equation here. I’m running the 
>> latest SmartOS update. Any thoughts?
>> 
>> Best,
>> 
>> Bill
> 
> 




Re: [smartos-discuss] Migrating to a new root pool

2018-01-31 Thread H William Welliver III
Hi Gareth,

I did this a few months ago and I seem to recall the trick being to reboot into 
recovery mode so that the pools aren’t imported. You have to do all the work 
without mounting the zones pool. If somehow it gets mounted you’re out of luck 
and will have to reboot and try again. 

I’m pretty sure I disabled auto mount on the old zones pool and did the pool 
imports without mounting. From there you can switch the mount points on the 2 
pools and try mounting the new zones pool. 

Sadly I didn’t write down the exact steps but that’s the gist... keeping zfs 
from mounting file systems from zones is the key.

If that doesn’t help let me know and I can probably refresh my memory from the 
man pages... 

Bill 

> On Jan 31, 2018, at 1:05 PM, Gareth Howell  wrote:
> 
> Hi
> I’m trying to migrate my home server to a new pool - the server was 
> originally created with a mirror and I want to move to raidz1.
> 
> I created the new pool as ‘tempzone’ and then used zfs send/recv to copy all 
> the data from ‘zones’ to ‘tempzone’. I then thought I could simply stop all 
> services, export the two pools and reimport using the opposite names - i.e. 
> zfs import newzone zones…
> 
> zfs export zones failed due to busy filesystems: basically /var. I couldn’t 
> get past this so I rebooted into recovery mode and then tried again.
> 
> This seemed to work but I notice that in fact /var /usb and a couple of 
> others are still being mounted from the old pool.
> 
> Any ideas on how to achieve my desired result?
> 
> Gareth
> 




Re: [smartos-discuss] KVM, failing to boot/start when memory > 1024

2018-02-01 Thread H. William Welliver III
You might also look in /zones//root/tmp... there are some logs in that 
directory that may give you a clue as to the problem.

Bill

> I’m playing around with KVM on SmartOS for the first time. I’ve noticed that 
> when I attempt to
> create a KVM with RAM of say 1024, it works. If I bump that to 2048 or 4096 
> then it fails with the
> following
> 
> timed out waiting for /var/svc/provisioning to move for 
> 0f5b30fb-8a5d-4fc2-ccd1-b0a578fa3377
> 
> I’ve tried using the following image
> 
> d42c37f4-2956-413f-b12a-32a79dfe84af ubuntu-certified-16.04 20180109 linux 
> zvol 2018-01-10
> 
> as well as trying to roll my own, that is boot from an os install cdrom. With 
> 1024 or less it works
> and I can get to the vnc console. I found a log file in /var/log/ related to 
> my latest test,
> attached.
> 
> Any suggestions/pointers are welcomed.




Re: [smartos-discuss] softether vpn

2018-01-29 Thread H. William Welliver III
Good afternoon all,

I've come to a temporary solution to the problem I've been having with 
softether:

First, softether uses DLPI to access the network, and there are 2 ways to 
attach to an interface. One involves opening the root node of a network device 
(like /dev/bnx) and then attaching to the device number (0, 1, etc). 
Unfortunately, that doesn't work with crossbow vnics, which exist only as 
/dev/net/net0, for example. So when softether was trying to connect to 
/dev/net, it was attempting to open a directory and silently failing. A 
permanent fix will require some code changes in Softether. As a side note, I've 
also seen this problem in some code built using libnet, which just assumes 
network devices are located at /dev/interfacename.

The other part of the problem is that in order to receive data destined for all 
of the VPN clients that will be connected, the interface will need to receive 
unicast packets for multiple mac addresses. The datalink property to allow that 
is called "promisc-filtered", and it's normally set to "on". dladm can be used 
to change that property, but it isn't persistent across zone restarts, which 
leads me to my next question:

Does anyone know how to get the promisc-filtered=off property to remain across 
reboots? If I use dladm to turn it off, it comes back on when the zone 
restarts. It seems that allow_unfiltered_promisc is only allowed for KVM 
zones...

Bill
January 28, 2018 10:22 AM, "H. William Welliver III" <will...@welliver.org> wrote:
Yes, I assumed that was necessary, however I’ve confirmed that the interface is 
running without protections (as shown below). The vpn server logs indicate that 
it’s trying to fetch an address using DHCP, but I don’t see any DHCP packets 
going out the interface. Is there something special about VNICs that I’m 
missing?
 dladm show-linkprop net0 LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
...
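
The device-node lookup described in this message, as an added example that is not SoftEther or libdlpi code: it prefers a per-link node such as /dev/net/net0, falls back to driver node plus instance number, and refuses a directory instead of failing silently. The function names and the constructed device tree (symlinks to /dev/null) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: choose the device node to open for a datalink name.

# resolve_dlpi_node DEVROOT NAME
# Prints "style1 <path>" or "style2 <path> <ppa>". Returns 1 with a reason
# on stderr when nothing usable is found. DEVROOT is /dev on a real system;
# it is a parameter so the logic can be run against a constructed tree.
resolve_dlpi_node() {
    devroot=$1
    name=$2

    # Style 1: the node itself names one specific link (vnics live here).
    for node in "$devroot/net/$name" "$devroot/$name"; do
        if [ -c "$node" ]; then
            echo "style1 $node"
            return 0
        fi
    done

    # Style 2: split "bnx0" into driver "bnx" and instance (PPA) "0";
    # the caller opens the driver node and attaches to the PPA.
    ppa=$(printf '%s' "$name" | sed -n 's/^.*[^0-9]\([0-9][0-9]*\)$/\1/p')
    if [ -z "$ppa" ]; then
        echo "$name: no trailing instance number" >&2
        return 1
    fi
    driver=${name%"$ppa"}
    node="$devroot/$driver"

    # "net0" splits into "net" + 0, and /dev/net is a directory. Report it
    # rather than treating the failed open as success.
    if [ -d "$node" ]; then
        echo "$node is a directory, not a device node" >&2
        return 1
    fi
    if [ -c "$node" ]; then
        echo "style2 $node $ppa"
        return 0
    fi
    echo "$name: no device node under $devroot" >&2
    return 1
}

# Constructed /dev layout: one physical driver node and one vnic.
make_sample_dev() {
    d=$(mktemp -d) || return 1
    mkdir "$d/net"
    ln -s /dev/null "$d/bnx"        # driver root node (style 2)
    ln -s /dev/null "$d/net/net0"   # per-link node for a vnic (style 1)
    echo "$d"
}

dev=$(make_sample_dev)
resolve_dlpi_node "$dev" bnx0
resolve_dlpi_node "$dev" net0
resolve_dlpi_node "$dev" net1 || echo "net1 rejected"
rm -rf "$dev"
```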





Re: [smartos-discuss] softether vpn

2018-01-29 Thread H. William Welliver III
Hi Jason,

Thanks for the tip about libdlpi… the existing approach seems a little brittle 
so I’ll have a look at this. 

As for the vnic protection flags, I’ve definitely been able to save the 
“allow_unfiltered_promisc” option using vmadm, but it doesn’t seem to take 
effect, despite being present and in the zone configuration. If I set it 
manually using dladm, it reverts after a zone reboot. I am just a little bit 
puzzled.



> On Jan 29, 2018, at 7:47 PM, Jason King  wrote:
> 
> For the SoftEther code changes, I’d suggest looking into libdlpi(3DLPI).  
> It’ll take care of most of the DLPI details for you (including handling both 
> style 1 and style 2 devices — it sounds like it can’t handle style 1 devices 
> — e.g. /dev/net0), it’s also something that’s been around since Solaris 10 
> IIRC, so there shouldn’t be much compatibility concerns.
> 
> As for the dladm properties, those are usually set via vmadm(1M) in SmartOS 
> and persisted as part of a zone configuration (look at the various nics.* 
> properties).  If you’re trying to do this for interfaces in the global zone, 
> I’m not aware of any method of persisting it for global zone devices (you’d 
> probably just need to script it).
> 






Re: [smartos-discuss] softether vpn

2018-01-28 Thread H. William Welliver III
Yes, I assumed that was necessary, however I’ve confirmed that the interface is 
running without protections (as shown below). The vpn server logs indicate that 
it’s trying to fetch an address using DHCP, but I don’t see any DHCP packets 
going out the interface. Is there something special about VNICs that I’m 
missing?

dladm show-linkprop net0
LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
net0 state   r-   ?  up up,down 
net0 secondary-macs  ??  -- -- 
net0 maxbw   ??  -- -- 
net0 cpus??  -- -- 
net0 cpus-effective  r-   ?  -- -- 
net0 pool??  -- -- 
net0 pool-effective  r-   ?  -- -- 
net0 priority??  high   low,medium,high 
net0 tagmode ??  vlanonly   normal,vlanonly 
net0 protection  ??  -- mac-nospoof,restricted,ip-nospoof,dhcp-nospoof 
net0 promisc-filtered ?   ?  on off,on 
net0 allowed-ips ??  -- -- 
net0 allowed-dhcp-cids ?  ?  -- -- 
net0 rxrings ??  -- ?
net0 rxrings-effective r- ?  -- -- 
net0 txrings ??  -- ?
net0 txrings-effective r- ?  -- -- 

> On Jan 27, 2018, at 10:24 PM, Daniel Carosone <daniel.caros...@gmail.com> 
> wrote:
> 
> You probably need to allow IP or Mac spoofing by the zone in question. See 
> the relevant properties in vmadm manpage
> 
> On 28 Jan. 2018 12:26, "H. William Welliver III" <will...@welliver.org 
> <mailto:will...@welliver.org>> wrote:
> Just a further clarification: things work against physical nics in the global 
> zone but not against a vnic; I’ve verified that all of the protections are 
> disabled on the vnic but to no avail.
> 





[smartos-discuss] Strange USB 3.0 USB key behavior

2018-03-14 Thread H. William Welliver III
Hi all,

Yesterday I installed the latest build of SmartOS on a small form factor PC (a 
Protectli FW4, https://protectli.com/product/fw4a/), and after installing I 
tried to mount the USB Key but to my surprise, the key wasn’t listed in 
diskinfo. I thought it strange because the system booted from the key, so I 
investigated a bit further and noticed that if I remove the key and plug it 
back in, it appears. But after rebooting, it’s back to not being found:

[immediately following boot]
- SmartOS (build: 20180203T031130Z)
[root@smartos-charles ~]# prtconf -dD | grep -i xhci
pci8086,f35 (pciex8086,f35) [Intel Corporation Atom Processor 
Z36xxx/Z37xxx, Celeron N2000 Series USB xHCI], instance #0 (driver name: xhci)
[root@smartos-charles ~]# diskinfo
TYPE    DISK      VID      PID        SIZE       RMV SSD
SATA    c1t0d0    ATA      MV-32      29.50 GiB  no  yes
[root@smartos-charles ~]# mdb -ke '::prtusb'
INDEX   DRIVER      INST  NODE         GEN  VID.PID     PRODUCT
1       xhci        0     pci8086,f35  3.0  .           No Product String


[ I remove the USB Key and immediately re-insert it]

2018-03-15T00:32:00.815871+00:00 smartos-charles usba: [ID 691482 kern.warning] 
WARNING: /pci@0,0/pci8086,f35@14 (xhci0): Connecting device on port 1 failed
[root@smartos-charles ~]# mdb -ke '::prtusb'
INDEX   DRIVER      INST  NODE         GEN  VID.PID     PRODUCT
1       xhci        0     pci8086,f35  3.0  .           No Product String
2       scsa2usb    0     storage      3.0  0781.5583   Ultra Fit
[root@smartos-charles ~]# diskinfo
TYPE    DISK      VID      PID        SIZE       RMV SSD
SATA    c1t0d0    ATA      MV-32      29.50 GiB  no  yes
SCSI    c2t0d0    SanDisk  Ultra Fit  57.28 GiB  yes no

I repeated this process a few times with the same result (though not always 
getting the warning).

If I plug the drive into the non-usb 3.0 port, it seems to always be detected 
on startup:

INDEX   DRIVER      INST  NODE         GEN  VID.PID     PRODUCT
1       xhci        0     pci8086,f35  3.0  .           No Product String
2       scsa2usb    0     storage      2.1  0781.5583   Ultra Fit

I’ve included the console messages below, if they’re of interest.

Any ideas what might be causing this? I’m happy to perform any additional 
debugging as required.

Best,

Bill

Re: [smartos-discuss] DHCPv6 Client Prefix Delegation

2018-04-06 Thread H. William Welliver III
Hi Jorge,

Thanks for the info. I was able to include “addrconf” to the list of ips for my 
nic and got a v6 address from my upstream provider (I’m using a SmartOS zone as 
an IPv4 router for my enclave). If SmartOS supported PD, I could get a network 
allocation and then be able to assign routable v6 addresses to all of my 
clients. PD uses DHCP but it’s not strictly about configuring a given 
interface, so I can see the rationale why it isn’t supported.

Thinking out loud.. I wonder if LX zones use the illumos dhcpagent or the one 
typically used by the LX distro in use? Perhaps some more research is in order.

Best,

Bill
 
> On Apr 5, 2018, at 3:23 PM, Jorge Schrauwen <sjorge...@blackdot.be> wrote:
> 
> Hi Bill,
> 
> There is some IPv6 support but Prefix Delegation is not among it AFAIK.
> 
> the basics are ```ipadm create-addr -T addrconf net0/v6auto``` to grab SLAAC 
> address, static works by ```ipadm create-addr -T static -a 
> my:ad:dr:es:he:re/64 net/v6static```
> 
> I think the -T addrconf will also grab a stateful address but I do not run 
> DHCPv6 in my network.
> 
> 
> 
> Regards
> 
> 
> 
> Jorge
> 
>  
> 
> 
> On 2018-04-05 20:49, H. William Welliver III wrote:
> 
>> Hi all,
>> 
>> I've got a project coming up and have been getting (back) up to speed with 
>> IPv6... My understanding is that the SmartOS/Illumos DHCP client does not 
>> support Prefix Delegation. Can anyone confirm that, or have I missed some 
>> nugget buried deep in the documentation?
>> 
>> Thanks in advance!
>> 
>> Bill





[smartos-discuss] Problems with IPF + IPv6

2018-04-20 Thread H. William Welliver III
Hi all,

I’m having some trouble trying to set up some firewall rules on an IPv6 router 
zone and have come to the conclusion that something is broken.

The following is an illustrative example (though I’ve tried all manner of other 
rules without success):

net0 is connected to an upstream provider and has a /128 address.

I’ve set up the following in /etc/ipf/ipf6.conf (this is the only rule present):

block in quick on net0 proto icmp

I’ve reloaded the IPv6 filters using:

ipf -6 -F a
ipf -6 -f /etc/ipf/ipf6.conf

And a ping to the /128 global address coming into net0 still returns.

The only way to get any blocking is to use a rule like:

block in all on net0

Which obviously is not as fine grained as I’d like it to be. Things seem to be 
fine on the IPv4 side of things (I’ve verified the exact same rules in ipf.conf 
work as expected), but it seems to be an everything gets through or nothing 
gets through situation on IPv6. 

I’m running a build of SmartOS from 3/31.

Has anyone else had success using ipf against IPv6 traffic? Am I missing 
something obvious?

Thanks in advance!

Bill






Re: [smartos-discuss] SmartOS on KVM (Networking)

2018-04-02 Thread H. William Welliver III
Hi Benni,

What OS is your KVM host running? Linux, or are you trying to run SmartOS 
within a SmartOS KVM? If Linux, I assume you’ve set up something like public 
bridge networking? If your KVM host is running SmartOS, then yes, you’ll 
probably need to disable some of the anti-spoofing protections.

You might try running snoop -r -d vioif0 to see if the traffic is getting out 
of the main SmartOS interface... That would hopefully tell you if networking is 
operating properly on the SmartOS guest side.

Bill 

> On Apr 2, 2018, at 4:49 PM, Benjamin Beier  
> wrote:
> 
> Hello,
> 
> tried to use SmartOS as KVM guest today to see if it fits my needs.
> Looks really great so far, but I am struggling with the networking part.
> 
> I have configured an IP on SmartOS installation and set a gateway IP outside 
> of KVM with internet access.
> That worked perfectly fine and I started a base-64 zone with an IP address 
> within the same subnet.
> My assumption was it would use something like a bridge to connect the virtual 
> interface with the SmartOS interface.
> 
> Now the situation is the following:
> Ping SmartOS -> Gateway: OK
> Ping SmartOS -> Base-64-Zone: OK
> Ping Base-64-Zone -> Gateway: FAIL
> Ping Gateway -> Base-64-Zone: FAIL
> 
> Gateway is 10.159.9.1/24
> SmartOS is 10.159.9.110/24
> Base-64 is 10.159.9.200/24
> 
> Used the dladm tool to see if I can get it to work somehow without success.
> 
> [root@smartos1 ~]# dladm show-phys
> LINK     MEDIA     STATE  SPEED  DUPLEX  DEVICE
> vioif0   Ethernet  up     1000   full    vioif0
> 
> [root@smartos1 ~]# dladm show-vnic
> LINK  OVER    SPEED  MACADDRESS         MACADDRTYPE  VID  ZONE
> net0  vioif0  0      12:51:b6:c7:7c:41  fixed        0    64a26b0b-a7d1-60b7-81a7-bceebf5b1dba
> 
> [root@smartos1 ~]# dladm show-link
> LINK    CLASS  MTU   STATE  BRIDGE  OVER
> vioif0  phys   1500  up     --      --
> net0    vnic   1500  ?      --      vioif0
> 
> root@engine:~# cat test1-zone.json 
> {
>  "brand": "joyent",
>  "image_uuid": "390639d4-f146-11e7-9280-37ae5c6d53d4",
>  "alias": "test1",
>  "hostname": "test1",
>  "max_physical_memory": 512,
>  "quota": 4,
>  "resolvers": ["8.8.8.8", "8.8.4.4"],
>  "nics": [
>   {
> "nic_tag": "admin",
> "ip": "10.159.9.200",
> "netmask": "255.255.255.0",
> "gateway": "10.159.9.1"
>   }
>  ],
>  "internal_metadata":
>   {
> "root_pw": "...",
> "admin_pw": "..."
>   }
> }
> 
> Also found some info about protections and tried to deactivate those:
> dladm reset-linkprop -z 64a26b0b-a7d1-60b7-81a7-bceebf5b1dba -p protection net0
> 
> Still not working... :/
> Maybe someone else already used a similar setup and knows how to fix it?
> 
> Many thanks!
> Benni
> 


