tech-net archive


Fwd: 10-BETA : some network issues



	Hello,

	I have written a mail to -users this morning and I have done some other
tests. I'm pretty sure that the issue I see comes from the network framework.

	I have upgraded my main server from -9.3 to -10_BETA (to test the iscsi
initiator; the 9.3 initiator randomly enters a deadlock).

	This server (hostname: legendre) contains:
- wm0 and wm1 in bridge0: NAS access
- wm2: WAN
- wm3 and wm4 in lagg0: lan1

	tap0 (openvpn) is created on wm2 to establish a connection to another
lan (lan2) connected to an IPv6 network. The IPv4 route is through wm2 and
the IPv6 default route through tap0.

	My configuration ran fine with -9.x.

	Now, all workstations from the LAN can access the WAN (IPv4) and can ping
the lagg0 IPv6 address. All workstations from the LAN can ping the server on
the WAN or lan2, but only with IPv4.

	Legendre cannot ping lan2 or openvpn server through IPv4 (but
workstations on lan1 can ping workstations on lan2 !).

	Legendre cannot ping lan2 or the openvpn server through IPv6 (workstations
on lan1 cannot ping stations on lan2 as legendre doesn't route IPv6
packets).

	And I don't understand why a workstation on lan1 can ping the openvpn
server and why the openvpn client itself cannot...

	Best regards,

	JB

-------- Forwarded message --------

	Hello,

	As my server randomly crashes (deadlock) when it tries to access an
iSCSI NAS, I have upgraded my 9.3 installation to 10-BETA.

	Network configuration :

                            2 NAS (iSCSI)
                               |
                         192.168.12.1 (bridge0:wm0+wm1)
WAN---192.168.15.14(wm2)    legendre 192.168.10.128(lagg0:wm3+wm4)--LAN1
                         192.168.1.2 (tap0)
                               |
                         192.168.1.1 (tap1)
WAN---192.168.254.254(eth1) rayleigh 192.168.0.128 (eth0)------LAN2
                               |
WAN---192.168.253.254(eth2)----+

	First observations: 10-BETA reboots when it tries to configure agr0
(it doesn't panic, it only reboots). Thus, I have replaced agr0 by lagg0
but... when I tried the lacp protocol, the interface always returned 'no
carrier' and didn't run. I then tried loadbalance, which runs better:

lagg0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        capabilities=0x7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
        capabilities=0x7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
        capabilities=0x7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
        enabled=0
        ec_capabilities=0x7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
        ec_enabled=0x2<VLAN_HWTAGGING>
        laggproto loadbalance
        laggport:
                wm3 pri=32768 flags=0x1c<ACTIVE,COLLECTING,DISTRIBUTING>
                wm4 pri=32768 flags=0x1c<ACTIVE,COLLECTING,DISTRIBUTING>
        address: 68:05:ca:02:b2:59
        status: active
        inet6 fe80::6a05:caff:fe02:b259%lagg0/64 flags 0 scopeid 0x8
        inet6 2001:7a8:a8ed:10::128/64 flags 0
        inet 192.168.10.128/24 broadcast 192.168.10.255 flags 0

	Automatic configuration doesn't work. I have written in /etc/ifconfig.lagg0:
legendre# cat /etc/ifconfig.lagg0
create
laggproto loadbalance laggport wm3 laggport wm4
inet 192.168.10.128 netmask 255.255.255.0
inet6 2001:7a8:a8ed:10::128 prefixlen 64 alias
up
!ifconfig wm3 up
!ifconfig wm4 up

	Interface is created but "inet6 2001:7a8:a8ed:10::128 prefixlen 64
alias" is ignored. I have to add in a terminal
ifconfig lagg0 inet6 2001:7a8:a8ed:10::128 prefixlen 64 alias
to add this static ipv6 address to lagg0.

	IPv6 seems to run. Partially.
legendre can ping6 a workstation on lan1:

legendre# ping6 2001:7a8:a8ed:10:d65d:64ff:feb4:9a3b
PING6(56=40+8+8 bytes) 2001:7a8:a8ed:10::128 -->
2001:7a8:a8ed:10:d65d:64ff:feb4:9a3b
16 bytes from 2001:7a8:a8ed:10:d65d:64ff:feb4:9a3b, icmp_seq=0 hlim=64
time=0.191 ms

and this workstation can ping main server:

hilbert:[~] > ping6 2001:7a8:a8ed:10::128
PING 2001:7a8:a8ed:10::128(2001:7a8:a8ed:10::128) 56 data bytes
64 bytes from 2001:7a8:a8ed:10::128: icmp_seq=1 ttl=64 time=0.107 ms

But legendre cannot ping6 rayleigh over VPN :
legendre# ping6 2001:7a8:a8ed:1::1
PING6(56=40+8+8 bytes) 2001:7a8:a8ed:10::128 --> 2001:7a8:a8ed:1::1
ping6: sendmsg: Host is down

legendre cannot ping4 rayleigh over VPN :
legendre# ping 192.168.1.1
PING rayleigh.systella.fr (192.168.1.1): 56 data bytes
^C
----rayleigh.systella.fr PING Statistics----
10 packets transmitted, 0 packets received, 100.0% packet loss

hilbert (on lan1) _can_ ping4 rayleigh through legendre:
hilbert:[~] > ping rayleigh
PING rayleigh.systella.fr (192.168.254.1) 56(84) bytes of data.
64 bytes from rayleigh.systella.fr (192.168.254.1): icmp_seq=1 ttl=63
time=47.8 ms

	Thus, legendre (openvpn client) cannot ping rayleigh (openvpn server),
but a workstation of lan1 can ping rayleigh through nat and openvpn link
(!).

	The same configuration worked fine with 9.x.

	Maybe this issue is not related to IPv6 but to the network stack, as tap0
has some <DETACHED> flags:

tap0: flags=0x8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ec_capabilities=0x5<VLAN_MTU,JUMBO_MTU>
        ec_enabled=0
        address: f2:0b:a4:7e:49:c1
        status: no carrier
        inet6 2001:7a8:a8ed:1::2/64 flags 0x8<DETACHED>
        inet6 fe80::f00b:a4ff:fe7e:49c1%tap0/64 flags 0x8<DETACHED> scopeid 0x9
        inet 192.168.1.2/24 broadcast 192.168.1.255 flags 0x4<DETACHED>

	Of course, I have rebuilt openvpn against NetBSD-10.

	I use npf.conf. My configuration is :

$lan_if = "lagg0"
$wan_if = "wm2"
$bacula_if = "wm0"
$video_if = "wm1"
$ext_v4 = inet4($wan_if)
$tap_if = "tap0"

set bpf.jit on;
alg "icmp"

# Outgoing NAT
map inet4($wan_if) dynamic 192.168.10.0/24 -> $ext_v4
map inet4($wan_if) dynamic 192.168.12.0/24 -> $ext_v4

group "wan" on $wan_if {
        # ICMP
        pass in final family inet4 proto icmp all
        pass out final family inet4 proto icmp all

        # OpenVPN
        pass in final family inet4 proto udp from 213.41.149.211 \
                        port openvpn to $wan_if
        pass out final family inet4 proto udp from $wan_if \
                        to 213.41.149.211 port openvpn
        pass in final family inet4 proto udp from 213.41.150.218 \
                        port openvpn to $wan_if
        pass out final family inet4 proto udp from $wan_if \
                        to 213.41.150.218 port openvpn

        # ntp
        pass stateful in final family inet4 from 192.168.15.20 to any
port ntp

        # ssh
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port ssh

        # ftp
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port ftp

        # http/https
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port http
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port https
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port 8080

        # SVN
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port svn

        # git
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port git

        # DNS
        pass stateful out final family inet4 from $wan_if to any port domain

        # NAT
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port http
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port https
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port ssh
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port imaps
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port pop3s
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port submission
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port smtp
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port ftp
        pass stateful out final family inet4 \
                        from 192.168.10.0/24 to any port ntp
        pass stateful out final family inet4 \
                        from 192.168.10.0/24 to any port nntp
        pass stateful out final family inet4 \
                        from 192.168.10.0/24 to any port git
        pass stateful out final family inet4 proto icmp \
                        from 192.168.10.0/24
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port openvpn

        pass stateful out final family inet4 proto tcp \
                        from 192.168.12.0/24 to any port https

        # jitsi
        pass out final family inet4 proto udp \
                        from 192.168.10.0/24 to any port 10000
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port 4443
        pass in final family inet4 proto udp \
                        from $wan_if to 192.168.10.0/24 port 10000

        # mx2
        pass stateful in final family inet4 proto tcp \
                        from any to 192.168.15.14 port smtp

        # Default
        block final all
}

group "lan" on $lan_if {
        pass final all
}

group "vpn" on $tap_if {
        pass final all
}

group "bacula" on $bacula_if {
        pass final all
}

group "video" on $video_if {
        pass final all
}

group default {
        pass final on lo0 all
        pass final on tap0 all
        block all
}

	I have tried with "pass all" in the default group without success. The
routing table seems to be good:

legendre# route show
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            192.168.15.20      UGS         -        -      -  wm2
dns.google         192.168.15.19      UGHS        -        -      -  wm2
dns.google         192.168.15.20      UGHS        -        -      -  wm2
79.170.216.0/28    rayleigh           UGS         -        -      -  tap0
91.196.180.225     rayleigh           UGHS        -        -      -  tap0
127/8              localhost          UGRS        -        -  33624  lo0
localhost          lo0                UHl         -        -  33624  lo0
www.nerim.com      192.168.15.20      UGHS        -        -      -  wm2
192.168.0/24       rayleigh           UGS         -        -      -  tap0
192.168.1/24       link#9             UC          -        -      -  tap0
legendre           link#9             UHl         -        -      -  lo0
192.168.2/24       rayleigh           UGS         -        -      -  tap0
192.168.10/24      link#8             UC          -        -      -  lagg0
legendre           link#8             UHl         -        -      -  lo0
192.168.12/24      link#1             UC          -        -      -  wm0
legendre           link#1             UHl         -        -      -  lo0
192.168.15/24      link#3             UC          -        -      -  wm2
legendre           link#3             UHl         -        -      -  lo0
192.168.253/24     rayleigh           UGS         -        -      -  tap0
192.168.254/24     rayleigh           UGS         -        -      -  tap0
rayleigh           32:f3:6d:94:8c:9b  UHL         -        -      -  tap0
euler              18:a6:f7:57:76:cc  UHL         -        -      -  lagg0
pythagore          38:2c:4a:70:14:d1  UHL         -        -      -  lagg0
hilbert            d4:5d:64:b4:9a:3b  UHL         -        -      -  lagg0
heisenberg         d8:cb:8a:35:21:95  UHL         -        -      -  lagg0
fermat             08:00:2b:7a:39:2e  UHL         -        -      -  lagg0
abel               b8:27:eb:a3:dd:a8  UHL         -        -      -  lagg0
192.168.10.250     88:75:56:07:d4:08  UHL         -        -      -  lagg0
192.168.10.253     34:db:fd:5d:1e:88  UHL         -        -      -  lagg0
192.168.15.20      60:a4:b7:73:c9:26  UHL         -        -      -  wm2
192.168.15.19      5c:a6:e6:8d:87:52  UHL         -        -      -  wm2
euclide            24:5e:be:3b:96:e9  UHL         -        -      -  wm0
leibnitz           24:5e:be:14:44:57  UHL         -        -      -  wm0

Internet6:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
::/104             localhost          UGRS        -        -  33624  lo0
::/96              localhost          UGRS        -        -  33624  lo0
default            2001:7a8:a8ed:1::1 UGS         -        -      -  tap0
localhost          lo0                UHl         -        -  33624  lo0
::127.0.0.0/104    localhost          UGRS        -        -  33624  lo0
::224.0.0.0/100    localhost          UGRS        -        -  33624  lo0
::255.0.0.0/104    localhost          UGRS        -        -  33624  lo0
::ffff:0.0.0.0/96  localhost          UGRS        -        -  33624  lo0
2001:7a8:a8ed:1::/ link#9             UC          -        -      -  tap0
2001:7a8:a8ed:1::2 link#9             UHl         -        -      -  lo0
2001:7a8:a8ed:10:: link#8             UC          -        -      -  lagg0
2001:7a8:a8ed:10:: link#8             UHl         -        -      -  lo0
2001:db8::/32      localhost          UGRS        -        -  33624  lo0
2002::/24          localhost          UGRS        -        -  33624  lo0
2002:7f00::/24     localhost          UGRS        -        -  33624  lo0
2002:e000::/20     localhost          UGRS        -        -  33624  lo0
2002:ff00::/24     localhost          UGRS        -        -  33624  lo0
fc00::/7           localhost          UGRS        -        -  33624  lo0
fe80::/10          localhost          UGRS        -        -  33624  lo0
fe80::%wm0/64      link#1             UC          -        -      -  wm0
fe80::b696:91ff:fe link#1             UHl         -        -      -  lo0
fe80::%wm1/64      link#2             UC          -        -      -  wm1
fe80::b696:91ff:fe link#2             UHl         -        -      -  lo0
fe80::%wm2/64      link#3             UC          -        -      -  wm2
fe80::a62:66ff:fe4 link#3             UHl         -        -      -  lo0
fe80::%lo0/64      fe80::1            U           -        -      -  lo0
fe80::1            lo0                UHl         -        -      -  lo0
fe80::%lagg0/64    link#8             UC          -        -      -  lagg0
fe80::6a05:caff:fe link#8             UHl         -        -      -  lo0
fe80::%tap0/64     link#9             UC          -        -      -  tap0
fe80::f00b:a4ff:fe link#9             UHl         -        -      -  lo0
ff01:1::/32        link#1             UC          -        -      -  wm0
ff01:2::/32        link#2             UC          -        -      -  wm1
ff01:3::/32        link#3             UC          -        -      -  wm2
ff01:6::/32        localhost          UC          -        -  33624  lo0
ff01:8::/32        link#8             UC          -        -      -  lagg0
ff01:9::/32        link#9             UC          -        -      -  tap0
ff02::%wm0/32      link#1             UC          -        -      -  wm0
ff02::%wm1/32      link#2             UC          -        -      -  wm1
ff02::%wm2/32      link#3             UC          -        -      -  wm2
ff02::%lo0/32      localhost          UC          -        -  33624  lo0
ff02::%lagg0/32    link#8             UC          -        -      -  lagg0
ff02::%tap0/32     link#9             UC          -        -      -  tap0
2001:7a8:a8ed:1::1 link#9             UHL         -        -      -  tap0
fe80::18db:1aff:fe 32:f3:6d:94:8c:9b  UHL         -        -      -  tap0
fe80::d65d:64ff:fe d4:5d:64:b4:9a:3b  UHL         -        -      -  lagg0
2001:7a8:a8ed:10:d d4:5d:64:b4:9a:3b  UHL         -        -      -  lagg0
fe80::6a05:caff:fe 68:05:ca:02:b2:59  UHL         -        -      -  lagg0

	Help will be welcome,

	JKB

PS: /etc/rc.d/altqd stop doesn't work as expected. altqd just takes 100%
of a CPU and is not stopped after this command.
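Editor's added example (not part of JKB's mail, and not NetBSD or OpenVPN
code): the two symptoms quoted above, tap0 reporting "status: no carrier"
with every address flagged DETACHED, and ping/ping6 from legendre failing
with "sendmsg: Host is down", are worth checking together on any host where
a tunnel interface is the default route. The POSIX sh script below scans
ifconfig(8) text for interfaces that have no carrier or carry DETACHED
addresses, so the check can be scripted before chasing npf rules or the
routing table. The function names (detached_report, count_detached) are my
own, and SAMPLE_IFCONFIG is a constructed sample assembled from the lagg0
and tap0 blocks shown in the mail; the reading that an address marked
DETACHED is not usable for sending is my interpretation, not something the
thread has established.

```shell
#!/bin/sh
# Added diagnostic example, not from the original mail.
# Scan ifconfig(8) output for interfaces whose link is down ("status: no
# carrier") or whose addresses the kernel has flagged DETACHED. Such
# addresses are not usable as a source address (my reading), which is
# consistent with the "sendmsg: Host is down" seen on tap0 above.
#
# Usage on a live host:   ifconfig -a | sh this_script.sh
# or from another script: detached_report "$(ifconfig -a)"

# Print one "IFACE<TAB>REASON" line per problem found in the given text.
detached_report() {
    printf '%s\n' "$1" | awk '
        # An interface block starts at column 0 with "name:"; remember it.
        /^[a-z]+[0-9]+:/ { iface = $1; sub(":", "", iface); next }
        /status: no carrier/ { printf "%s\tno carrier\n", iface }
        # inet / inet6 address lines whose flags field contains DETACHED.
        /inet6? .*<.*DETACHED.*>/ { printf "%s\tDETACHED %s\n", iface, $2 }
    '
}

# Count DETACHED addresses only (link-state lines excluded); always exits 0.
count_detached() {
    detached_report "$1" | awk '/DETACHED/ { n++ } END { print n + 0 }'
}

# Constructed sample (assumption): lagg0 and tap0 blocks modelled on the
# ifconfig output quoted in the mail, trimmed to the lines that matter.
SAMPLE_IFCONFIG='lagg0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 68:05:ca:02:b2:59
        status: active
        inet6 fe80::6a05:caff:fe02:b259%lagg0/64 flags 0 scopeid 0x8
        inet6 2001:7a8:a8ed:10::128/64 flags 0
        inet 192.168.10.128/24 broadcast 192.168.10.255 flags 0
tap0: flags=0x8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: f2:0b:a4:7e:49:c1
        status: no carrier
        inet6 2001:7a8:a8ed:1::2/64 flags 0x8<DETACHED>
        inet6 fe80::f00b:a4ff:fe7e:49c1%tap0/64 flags 0x8<DETACHED> scopeid 0x9
        inet 192.168.1.2/24 broadcast 192.168.1.255 flags 0x4<DETACHED>'

# When run directly, read ifconfig text from stdin if any was piped in,
# otherwise report on the constructed sample.
if [ ! -t 0 ] && [ -z "${SKIP_STDIN:-}" ]; then
    detached_report "$(cat)"
else
    detached_report "$SAMPLE_IFCONFIG"
fi
```

On the sample this prints four lines for tap0 (the "no carrier" state plus
its three DETACHED addresses) and nothing for lagg0. A non-zero
count_detached on the interface that owns the default route is the first
thing to resolve; until the tunnel has carrier, neither the npf groups nor
the route entries pointing at tap0 can be exercised.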

