tech-net archive
Fwd: 10-BETA : some network issues
Hello,
I wrote a mail to -users this morning and have done some other tests
since. I'm pretty sure that the issue I see comes from the network framework.
I have upgraded my main server from -9.3 to -10_BETA (to test the iSCSI
initiator; the 9.3 initiator randomly enters a deadlock).
This server (hostname: legendre) contains:
- wm0 and wm1 in bridge0: NAS access
- wm2: WAN
- wm3 and wm4 in lagg0: lan1
tap0 (openvpn) is created over wm2 to establish a connection to another
LAN (lan2) connected to an IPv6 network. The IPv4 default route is through
wm2 and the IPv6 default route through tap0.
My configuration ran fine with -9.x.
Now, all workstations on the LAN can access the WAN (IPv4) and can ping the
lagg0 IPv6 address. All workstations on the LAN can ping servers on the WAN
or on lan2, but only over IPv4.
Legendre cannot ping lan2 or the openvpn server over IPv4 (but
workstations on lan1 can ping workstations on lan2!).
Legendre cannot ping lan2 or the openvpn server over IPv6 (workstations
on lan1 cannot ping stations on lan2, as legendre doesn't route IPv6
packets).
And I don't understand why a workstation on lan1 can ping the openvpn
server and why the openvpn client itself cannot...
Best regards,
JB
-------- Forwarded message --------
Hello,
As my server randomly crashes (deadlock) when it tries to access an
iSCSI NAS, I have upgraded my 9.3 installation to 10-BETA.
Network configuration:

                       2 NAS (iSCSI)
                             |
                   192.168.12.1 (bridge0:wm0+wm1)
WAN---192.168.15.14(wm2) legendre 192.168.10.128(lagg0:wm3+wm4)--LAN1
                    192.168.1.2 (tap0)
                             |
                    192.168.1.1 (tap1)
WAN---192.168.254.254(eth1) rayleigh 192.168.0.128 (eth0)------LAN2
                                |
WAN---192.168.253.254(eth2)-----+
First observations: 10-BETA reboots when it tries to configure agr0
(it doesn't panic, it only reboots). So I replaced agr0 with lagg0,
but... when I tried the lacp protocol, the interface always returned 'no
carrier' and didn't run. I then tried loadbalance, which runs better:
lagg0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
capabilities=0x7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
capabilities=0x7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
capabilities=0x7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
enabled=0
ec_capabilities=0x7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
ec_enabled=0x2<VLAN_HWTAGGING>
laggproto loadbalance
laggport:
wm3 pri=32768 flags=0x1c<ACTIVE,COLLECTING,DISTRIBUTING>
wm4 pri=32768 flags=0x1c<ACTIVE,COLLECTING,DISTRIBUTING>
address: 68:05:ca:02:b2:59
status: active
inet6 fe80::6a05:caff:fe02:b259%lagg0/64 flags 0 scopeid 0x8
inet6 2001:7a8:a8ed:10::128/64 flags 0
inet 192.168.10.128/24 broadcast 192.168.10.255 flags 0
Automatic configuration doesn't work. I have written this /etc/ifconfig.lagg0:
legendre# cat /etc/ifconfig.lagg0
create
laggproto loadbalance laggport wm3 laggport wm4
inet 192.168.10.128 netmask 255.255.255.0
inet6 2001:7a8:a8ed:10::128 prefixlen 64 alias
up
!ifconfig wm3 up
!ifconfig wm4 up
The interface is created, but the line "inet6 2001:7a8:a8ed:10::128 prefixlen 64
alias" is ignored. I have to run, in a terminal,
ifconfig lagg0 inet6 2001:7a8:a8ed:10::128 prefixlen 64 alias
to add this static IPv6 address to lagg0.
IPv6 seems to work. Partially.
legendre can ping6 a workstation on lan1:
legendre# ping6 2001:7a8:a8ed:10:d65d:64ff:feb4:9a3b
PING6(56=40+8+8 bytes) 2001:7a8:a8ed:10::128 -->
2001:7a8:a8ed:10:d65d:64ff:feb4:9a3b
16 bytes from 2001:7a8:a8ed:10:d65d:64ff:feb4:9a3b, icmp_seq=0 hlim=64
time=0.191 ms
and this workstation can ping the main server:
hilbert:[~] > ping6 2001:7a8:a8ed:10::128
PING 2001:7a8:a8ed:10::128(2001:7a8:a8ed:10::128) 56 data bytes
64 bytes from 2001:7a8:a8ed:10::128: icmp_seq=1 ttl=64 time=0.107 ms
But legendre cannot ping6 rayleigh over the VPN:
legendre# ping6 2001:7a8:a8ed:1::1
PING6(56=40+8+8 bytes) 2001:7a8:a8ed:10::128 --> 2001:7a8:a8ed:1::1
ping6: sendmsg: Host is down
legendre cannot ping4 rayleigh over the VPN either:
legendre# ping 192.168.1.1
PING rayleigh.systella.fr (192.168.1.1): 56 data bytes
^C
----rayleigh.systella.fr PING Statistics----
10 packets transmitted, 0 packets received, 100.0% packet loss
hilbert (on lan1) _can_ ping4 rayleigh through legendre:
hilbert:[~] > ping rayleigh
PING rayleigh.systella.fr (192.168.254.1) 56(84) bytes of data.
64 bytes from rayleigh.systella.fr (192.168.254.1): icmp_seq=1 ttl=63
time=47.8 ms
Thus, legendre (the openvpn client) cannot ping rayleigh (the openvpn server),
but a workstation on lan1 can ping rayleigh through NAT and the openvpn link
(!).
The same configuration worked fine with 9.x.
Maybe this issue is not related to IPv6 but to the network stack, as tap0
has some <DETACHED> flags:
tap0: flags=0x8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ec_capabilities=0x5<VLAN_MTU,JUMBO_MTU>
ec_enabled=0
address: f2:0b:a4:7e:49:c1
status: no carrier
inet6 2001:7a8:a8ed:1::2/64 flags 0x8<DETACHED>
inet6 fe80::f00b:a4ff:fe7e:49c1%tap0/64 flags 0x8<DETACHED>
scopeid 0x9
inet 192.168.1.2/24 broadcast 192.168.1.255 flags 0x4<DETACHED>
Of course, I have rebuilt openvpn against NetBSD-10.
I use npf. My npf.conf is:
$lan_if = "lagg0"
$wan_if = "wm2"
$bacula_if = "wm0"
$video_if = "wm1"
$ext_v4 = inet4($wan_if)
$tap_if = "tap0"

set bpf.jit on;

alg "icmp"

# Outgoing NAT
map inet4($wan_if) dynamic 192.168.10.0/24 -> $ext_v4
map inet4($wan_if) dynamic 192.168.12.0/24 -> $ext_v4

group "wan" on $wan_if {
    # ICMP
    pass in final family inet4 proto icmp all
    pass out final family inet4 proto icmp all

    # OpenVPN
    pass in final family inet4 proto udp from 213.41.149.211 \
        port openvpn to $wan_if
    pass out final family inet4 proto udp from $wan_if \
        to 213.41.149.211 port openvpn
    pass in final family inet4 proto udp from 213.41.150.218 \
        port openvpn to $wan_if
    pass out final family inet4 proto udp from $wan_if \
        to 213.41.150.218 port openvpn

    # ntp
    pass stateful in final family inet4 from 192.168.15.20 to any port ntp

    # ssh
    pass stateful out final family inet4 proto tcp from $wan_if \
        to any port ssh

    # ftp
    pass stateful out final family inet4 proto tcp from $wan_if \
        to any port ftp

    # http/https
    pass stateful out final family inet4 proto tcp from $wan_if \
        to any port http
    pass stateful out final family inet4 proto tcp from $wan_if \
        to any port https
    pass stateful out final family inet4 proto tcp from $wan_if \
        to any port 8080

    # SVN
    pass stateful out final family inet4 proto tcp from $wan_if \
        to any port svn

    # git
    pass stateful out final family inet4 proto tcp from $wan_if \
        to any port git

    # DNS
    pass stateful out final family inet4 from $wan_if to any port domain

    # NAT
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port http
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port https
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port ssh
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port imaps
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port pop3s
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port submission
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port smtp
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port ftp
    pass stateful out final family inet4 \
        from 192.168.10.0/24 to any port ntp
    pass stateful out final family inet4 \
        from 192.168.10.0/24 to any port nntp
    pass stateful out final family inet4 \
        from 192.168.10.0/24 to any port git
    pass stateful out final family inet4 proto icmp \
        from 192.168.10.0/24
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port openvpn
    pass stateful out final family inet4 proto tcp \
        from 192.168.12.0/24 to any port https

    # jitsi
    pass out final family inet4 proto udp \
        from 192.168.10.0/24 to any port 10000
    pass stateful out final family inet4 proto tcp \
        from 192.168.10.0/24 to any port 4443
    pass in final family inet4 proto udp \
        from $wan_if to 192.168.10.0/24 port 10000

    # mx2
    pass stateful in final family inet4 proto tcp \
        from any to 192.168.15.14 port smtp

    # Default
    block final all
}

group "lan" on $lan_if {
    pass final all
}

group "vpn" on $tap_if {
    pass final all
}

group "bacula" on $bacula_if {
    pass final all
}

group "video" on $video_if {
    pass final all
}

group default {
    pass final on lo0 all
    pass final on tap0 all
    block all
}
I have tried with "pass all" in the default group without success. The
routing table seems to be good:
legendre# route show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 192.168.15.20 UGS - - - wm2
dns.google 192.168.15.19 UGHS - - - wm2
dns.google 192.168.15.20 UGHS - - - wm2
79.170.216.0/28 rayleigh UGS - - - tap0
91.196.180.225 rayleigh UGHS - - - tap0
127/8 localhost UGRS - - 33624 lo0
localhost lo0 UHl - - 33624 lo0
www.nerim.com 192.168.15.20 UGHS - - - wm2
192.168.0/24 rayleigh UGS - - - tap0
192.168.1/24 link#9 UC - - - tap0
legendre link#9 UHl - - - lo0
192.168.2/24 rayleigh UGS - - - tap0
192.168.10/24 link#8 UC - - - lagg0
legendre link#8 UHl - - - lo0
192.168.12/24 link#1 UC - - - wm0
legendre link#1 UHl - - - lo0
192.168.15/24 link#3 UC - - - wm2
legendre link#3 UHl - - - lo0
192.168.253/24 rayleigh UGS - - - tap0
192.168.254/24 rayleigh UGS - - - tap0
rayleigh 32:f3:6d:94:8c:9b UHL - - - tap0
euler 18:a6:f7:57:76:cc UHL - - - lagg0
pythagore 38:2c:4a:70:14:d1 UHL - - - lagg0
hilbert d4:5d:64:b4:9a:3b UHL - - - lagg0
heisenberg d8:cb:8a:35:21:95 UHL - - - lagg0
fermat 08:00:2b:7a:39:2e UHL - - - lagg0
abel b8:27:eb:a3:dd:a8 UHL - - - lagg0
192.168.10.250 88:75:56:07:d4:08 UHL - - - lagg0
192.168.10.253 34:db:fd:5d:1e:88 UHL - - - lagg0
192.168.15.20 60:a4:b7:73:c9:26 UHL - - - wm2
192.168.15.19 5c:a6:e6:8d:87:52 UHL - - - wm2
euclide 24:5e:be:3b:96:e9 UHL - - - wm0
leibnitz 24:5e:be:14:44:57 UHL - - - wm0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/104 localhost UGRS - - 33624 lo0
::/96 localhost UGRS - - 33624 lo0
default 2001:7a8:a8ed:1::1 UGS - - - tap0
localhost lo0 UHl - - 33624 lo0
::127.0.0.0/104 localhost UGRS - - 33624 lo0
::224.0.0.0/100 localhost UGRS - - 33624 lo0
::255.0.0.0/104 localhost UGRS - - 33624 lo0
::ffff:0.0.0.0/96 localhost UGRS - - 33624 lo0
2001:7a8:a8ed:1::/ link#9 UC - - - tap0
2001:7a8:a8ed:1::2 link#9 UHl - - - lo0
2001:7a8:a8ed:10:: link#8 UC - - - lagg0
2001:7a8:a8ed:10:: link#8 UHl - - - lo0
2001:db8::/32 localhost UGRS - - 33624 lo0
2002::/24 localhost UGRS - - 33624 lo0
2002:7f00::/24 localhost UGRS - - 33624 lo0
2002:e000::/20 localhost UGRS - - 33624 lo0
2002:ff00::/24 localhost UGRS - - 33624 lo0
fc00::/7 localhost UGRS - - 33624 lo0
fe80::/10 localhost UGRS - - 33624 lo0
fe80::%wm0/64 link#1 UC - - - wm0
fe80::b696:91ff:fe link#1 UHl - - - lo0
fe80::%wm1/64 link#2 UC - - - wm1
fe80::b696:91ff:fe link#2 UHl - - - lo0
fe80::%wm2/64 link#3 UC - - - wm2
fe80::a62:66ff:fe4 link#3 UHl - - - lo0
fe80::%lo0/64 fe80::1 U - - - lo0
fe80::1 lo0 UHl - - - lo0
fe80::%lagg0/64 link#8 UC - - - lagg0
fe80::6a05:caff:fe link#8 UHl - - - lo0
fe80::%tap0/64 link#9 UC - - - tap0
fe80::f00b:a4ff:fe link#9 UHl - - - lo0
ff01:1::/32 link#1 UC - - - wm0
ff01:2::/32 link#2 UC - - - wm1
ff01:3::/32 link#3 UC - - - wm2
ff01:6::/32 localhost UC - - 33624 lo0
ff01:8::/32 link#8 UC - - - lagg0
ff01:9::/32 link#9 UC - - - tap0
ff02::%wm0/32 link#1 UC - - - wm0
ff02::%wm1/32 link#2 UC - - - wm1
ff02::%wm2/32 link#3 UC - - - wm2
ff02::%lo0/32 localhost UC - - 33624 lo0
ff02::%lagg0/32 link#8 UC - - - lagg0
ff02::%tap0/32 link#9 UC - - - tap0
2001:7a8:a8ed:1::1 link#9 UHL - - - tap0
fe80::18db:1aff:fe 32:f3:6d:94:8c:9b UHL - - - tap0
fe80::d65d:64ff:fe d4:5d:64:b4:9a:3b UHL - - - lagg0
2001:7a8:a8ed:10:d d4:5d:64:b4:9a:3b UHL - - - lagg0
fe80::6a05:caff:fe 68:05:ca:02:b2:59 UHL - - - lagg0
Help would be welcome,
JKB
PS: /etc/rc.d/altqd stop doesn't work as expected. altqd just takes 100%
of a CPU and is not stopped by this command.
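Added example, not from the original mail or from NetBSD itself: a small POSIX sh/awk diagnostic that cross-checks ifconfig(8) and "route show" output the way one would when an address shows the DETACHED flag (in NetBSD, the flag an interface's addresses carry while it reports no carrier) and a default route leaves that same interface. The two sample texts embedded in the script are constructed from the tap0/lagg0 and routing lines quoted above; on a real host they would be replaced by the output of `ifconfig -a` and `route -n show`.

```sh
#!/bin/sh
# Added diagnostic helper (not part of the original mail). It parses
# ifconfig(8) and "route show" text and reports default routes that leave
# an interface with no carrier. Both samples below are CONSTRUCTED from the
# tap0/lagg0 and routing lines quoted in the mail; replace them with real
# "ifconfig -a" / "route -n show" output on a live system.

SAMPLE_IFCONFIG='lagg0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	status: active
	inet6 fe80::6a05:caff:fe02:b259%lagg0/64 flags 0 scopeid 0x8
	inet6 2001:7a8:a8ed:10::128/64 flags 0
	inet 192.168.10.128/24 broadcast 192.168.10.255 flags 0
tap0: flags=0x8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	status: no carrier
	inet6 2001:7a8:a8ed:1::2/64 flags 0x8<DETACHED>
	inet6 fe80::f00b:a4ff:fe7e:49c1%tap0/64 flags 0x8<DETACHED>
		scopeid 0x9
	inet 192.168.1.2/24 broadcast 192.168.1.255 flags 0x4<DETACHED>'

SAMPLE_ROUTES='Internet:
Destination        Gateway            Flags    Refs      Use    Mtu Interface
default            192.168.15.20      UGS         -        -      - wm2
192.168.1/24       link#9             UC          -        -      - tap0
Internet6:
Destination        Gateway            Flags    Refs      Use    Mtu Interface
default            2001:7a8:a8ed:1::1 UGS         -        -      - tap0
2001:7a8:a8ed:1::/ link#9             UC          -        -      - tap0'

# detached_addrs: read ifconfig text on stdin, print "iface address" for
# every inet/inet6 address carrying the DETACHED flag. An interface header
# is recognised by "name:" followed by "flags=", so indentation does not
# matter (mail clients often strip it).
detached_addrs() {
    awk '
        $1 ~ /^[a-z][a-z0-9]*:$/ && $2 ~ /^flags=/ { iface = substr($1, 1, length($1) - 1); next }
        ($1 == "inet" || $1 == "inet6") && /DETACHED/ { print iface, $2 }
    '
}

# nocarrier_ifaces: read ifconfig text on stdin, print each interface whose
# status line reports "no carrier".
nocarrier_ifaces() {
    awk '
        $1 ~ /^[a-z][a-z0-9]*:$/ && $2 ~ /^flags=/ { iface = substr($1, 1, length($1) - 1); next }
        $1 == "status:" && $2 == "no" && $3 == "carrier" { print iface }
    '
}

# default_route_ifaces: read "route show" text on stdin, print "family iface"
# for each default route; the family comes from the Internet:/Internet6:
# section header, the interface is the last column.
default_route_ifaces() {
    awk '
        $1 == "Internet:"  { fam = "inet";  next }
        $1 == "Internet6:" { fam = "inet6"; next }
        $1 == "default"    { print fam, $NF }
    '
}

# broken_defaults IFCONFIG_TEXT ROUTE_TEXT: print one line for every default
# route whose outgoing interface has no carrier.
broken_defaults() {
    down=$(printf '%s\n' "$1" | nocarrier_ifaces)
    printf '%s\n' "$2" | default_route_ifaces | while read -r fam iface; do
        for d in $down; do
            if [ "$d" = "$iface" ]; then
                printf '%s default route via %s: no carrier\n' "$fam" "$iface"
            fi
        done
    done
}

# report: human-readable summary over the constructed samples.
report() {
    echo "Addresses flagged DETACHED:"
    printf '%s\n' "$SAMPLE_IFCONFIG" | detached_addrs | sed 's/^/  /'
    echo "Default routes leaving an interface with no carrier:"
    broken_defaults "$SAMPLE_IFCONFIG" "$SAMPLE_ROUTES" | sed 's/^/  /'
}

report
```

Against the constructed samples the report lists the three tap0 addresses as DETACHED and flags only the IPv6 default route, since the IPv4 default goes out wm2; that matches the split the mail describes (IPv4 to the WAN works, IPv6 over tap0 fails with "Host is down"). The script is advisory only; it does not decide why the tap device has no carrier.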