DaemonForums  

#1  10th November 2011  zealer (Port Guard)
ping question

Hello everyone

I have a machine that is connected to two different ISPs. One of them is currently my default GW, the other one is unused.

I need to constantly ping a known internet host (e.g. google) through each of these ISPs. I was pretty confident that a script that loops through 'ping -I interface_1 8.8.8.8' and 'ping -I interface_2 8.8.8.8' will do the job.

But it turned out that my ping always transmits packets from the egress interface (the one that has the default route configured). This is useless for me; I cannot change the default gateway every time the loop continues. My internet connection would suffer greatly from this.

How can I ping an internet host from two different interfaces?

Thank you in advance,
Simeon


PS. I am using OpenBSD 4.9, if this makes any difference.
#2  10th November 2011  zealer (Port Guard)

Maybe some trick with pf would do the job?

#3  10th November 2011  jggimi (More noise than signal)

You're going to have to add a route for the second NIC, I think, or set up ECMP as per FAQ 6.14.

See http://marc.info/?l=openbsd-misc&m=112672120932213 from 2005.

Edited later to add:

You may find the route-to PF rule option helpful for outbound ICMP echo requests. It should override the default route, though I am not certain. I've never used it.

My personal choice would be to just use multipath routing and ifstated(8).

#4  10th November 2011  zealer (Port Guard)

Thank you again, jggimi

I am concerned about the ECMP, because the machine also does a NAT for the network behind... i.e. each time my BSD decides to use the other route, it will do a NAT with a different source address of the outgoing packets. I am afraid this will not be good, as users behind the NAT need a good and persistent connection.

I tried reading RFC 2992 for ECMP and there is something like a statement that the hash threshold method will keep TCP connections' routes persistent, but I am not sure about it.

I will try reading the bpf man page, although I got scared when I looked at the manual.

Thank you again jggimi, please feel free to share any other thoughts you might have here. Thanks!
#5  10th November 2011  jggimi (More noise than signal)

Hmmm.... I've never tested ECMP with NAT, for all I know it works just fine.

If not, perhaps PF's NAT address pools can be used to provide the appropriate NAT connectivity?
#6  10th November 2011  jggimi (More noise than signal)

There's an example configuration (and much discussion, before and after) in this thread on misc@...

http://marc.info/?t=128277520600001&r=1&w=2
#7  10th November 2011  denta (Shell Scout)

OpenBSD has an awesome feature called routing domains that might be usable in your scenario.

Let's say you wish to send pings through interface if_2 (which has IP address a.b.c.d), while your default route is through interface if_1. Try the following:

Code:
# ifconfig if_2 rdomain 1
# route -T 1 add 0.0.0.0/0 a.b.c.d
This adds if_2 to routing table 1 (0 is the default), and adds a default route through the if_2 interface for the new rdomain. The IP address might need to be set again for the interface if_2 after the first command.

Now, to use the new routing domain:

Code:
# route -T 1 exec ping <whatever host you needed to ping>
Packets will exit through interface if_2.

#8  10th November 2011  zealer (Port Guard)

I must thank you, jggimi

I played around with pf + ECMP and actually I even have a better solution now.

My first idea was to have a single ISP as GW, and constantly monitor both of the ISPs in case one of them goes down. If it was my primary, then I wanted to change it to the other one.

But this is not worth the cost. I found the wonderful PF load-balancing, and now I set all my internal traffic to flow through both of the ISPs.
One problem is that if one of the ISPs loses internet connection, the load-balancing still throws half of the connections into a black hole.
Pings from the BSD itself did not work (no route to host: I have not set a primary route), so I added both of them as an ECMP route. This way I could use the -I parameter correctly, and the ECMP is only for the pings; all other connections coming from the internal networks are explicitly routed to only one of the primary routes.
I don't know if anyone understood me, but for now I think it is a good idea.

Now I see denta's answer too. AWESOME!! It looks just like the thing I was looking for; now I can experiment a lot more! Thanks denta, thanks jggimi, I learned some very useful (and probably very basic also) things from you two today. Can't wait to apply this new knowledge in some pseudo-practice.

I'll work & read on these topics and get back to you if I run into trouble.

Thanks!
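The route-to and NAT ideas jggimi raised in #3 and #5, together with the PF load-balancing setup zealer describes in #8, as a single pf.conf fragment. This is an added example; it was not posted in the thread and is not taken from the OpenBSD FAQ. Interface names, gateway addresses and the LAN prefix are placeholders, and the syntax is the post-4.7 pf.conf form (match ... nat-to, route-to and reply-to as rule options). It also covers the original question without ECMP: on OpenBSD, ping -I takes a source address, so "ping -I <address of ext_if2> 8.8.8.8" is steered out through ISP 2 by the second "pass out" rule below. pf does not notice a dead ISP by itself; to stop half the LAN's connections being black-holed when one link fails, something like ifstated(8) has to swap in a pf.conf variant whose route-to pool holds only the surviving gateway.

```pf
# Added example, not from the thread. All names and addresses are placeholders.
ext_if1 = "em0"            # ISP 1, owns the default route in rtable 0
ext_if2 = "em1"            # ISP 2
int_if  = "em2"            # LAN
ext_gw1 = "192.0.2.1"      # ISP 1 gateway (documentation address)
ext_gw2 = "198.51.100.1"   # ISP 2 gateway (documentation address)
lan_net = "10.0.0.0/24"

# NAT LAN traffic to whichever external interface it actually leaves on.
# The parentheses make pf re-read the interface address if the ISP changes it.
match out on $ext_if1 inet from $lan_net nat-to ($ext_if1)
match out on $ext_if2 inet from $lan_net nat-to ($ext_if2)

# LAN traffic: share it across both ISPs. sticky-address keeps each client
# on one ISP, so its NAT source address does not change between sessions.
pass in on $int_if inet from $lan_net to any \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address

# Packets the kernel routed out the default interface but that carry the
# other ISP's address are handed to that ISP's gateway instead. This is what
# makes "ping -I <ext_if2 address> 8.8.8.8" leave through ISP 2 even though
# the routing table only knows ISP 1's default route.
pass out on $ext_if1 inet from ($ext_if2) route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 inet from ($ext_if1) route-to ($ext_if1 $ext_gw1)

# Inbound sessions to ISP 2's address (e.g. ssh) must be answered via ISP 2's
# gateway; otherwise the reply follows the default route out ISP 1 carrying
# ISP 2's source address, which ISP 1 may well drop.
pass in on $ext_if2 inet proto tcp from any to ($ext_if2) port 22 \
    reply-to ($ext_if2 $ext_gw2)
```

Check the result with "pfctl -nf /etc/pf.conf" before loading it, then watch "pfctl -ss" while pinging with -I set to each external address: the state for the ISP 2 probe should show ext_if2, not ext_if1.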
#9  11th November 2011  jggimi (More noise than signal)

Denta, your suggestion of using rdomain is one I had not thought of. They're relatively new, and something I have not yet experimented with. Excellent idea!

The OpenBSD Journal recently highlighted Joel Knight's article about rdomains, Virtualizing the OpenBSD Routing Table. Here's a link to the former, which has commentary and a link to the latter: http://undeadly.org/cgi?action=artic...panded&count=2
#10  12th November 2011  denta (Shell Scout)

Yes, that's the article that got me started playing around with rdomains too!
#11  14th November 2011  zealer (Port Guard)

Hi guys,

I ran into a problem. I did set up an rdomain for one of the interfaces. Now ping to anywhere works from the desired interface. But there is a problem.
As I already mentioned, I have two interfaces connecting to two ISPs. Both are UP, but there is a problem: after I set one of the interfaces in rdomain1, I can no longer SSH to that address. SSH only works on the other interface, which is still in rdomain0. I even tried connecting from the BSD to itself on the problematic interface; I get an instant connection refused.
The problem is not in the IP address or in pf, as I tried reproducing on a VM here and got the same result (the interface that I set in rdomain1 is directly connected to the PC). Even with pfctl turned off, the ssh session is still refused.

No luck with my searches... rdomains are poorly documented. I read up the link referring to rdomain setup, but it did not help me with the ssh thing.

I did find... something... that was pretty much my only 'finding': OBSD 4.7 release notes: Make it possible to set the rdomain in ssh(1)/sftp(1)/scp(1)/sshd(8)
There is nothing regarding rdomains in the ssh man page though; I couldn't find any more info about this.

Any ideas?
Thanks,
Simeon

#12  14th November 2011  jggimi (More noise than signal)

Have you tried using $ route -T 1 exec ssh <system>? While I've never used rdomains, it is described in the article mentioned above, and should work, according to route(8).
#13  14th November 2011  ocicat (Administrator)

Quote:
Originally Posted by zealer View Post
no luck with my searches... rdomains are poorly documented. I read up the link referring to rdomain setup, but it did not help...
Recognize that most affiliated with this site are not project developers, although some developers read threads here on occasion.

If you feel you have thoroughly exhausted all avenues for finding answers (source code?), post a thorough explanation on the misc@ mailing list. For those that have done their homework, misc@ can be a useful & illuminating resource.
#14  14th November 2011  zealer (Port Guard)

Thanks ocicat, I will carry on with this knowledge from now on.

jggimi, I tried this, but got no luck. Besides, I ping from a machine which is unaware of routing domains. My current test env is:
192.168.2.100 - my PC
192.168.2.200 - virtual OBSD with all interfaces set to down, except vic2 , which is UP and RUNNING, in rdomain1.
Everything looks fine on the .200 BSD... but it's not working. All code in this post is taken from the 192.168.2.200 BSD:
Code:
#pfctl -d
pfctl: pf not enabled

#netstat -T 1 -r -n
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
192.168.2/24       link#3             UC         2        0     -     4 vic2
192.168.2.100      e0:2a:82:e2:30:dd  UHLc       0        2     -     4 vic2
192.168.2.202      00:0c:29:eb:cf:c2  UHLc       0        0     -     4 vic2
#
#ping 192.168.2.100
PING 192.168.2.100 (192.168.2.100): 56 data bytes
64 bytes from 192.168.2.100: icmp_seq=0 ttl=127 time=0.824 ms
64 bytes from 192.168.2.100: icmp_seq=1 ttl=127 time=0.766 ms
--- 192.168.2.100 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.766/0.795/0.824/0.029 ms
#
#ssh -vvv -p 1234 192.168.2.200
OpenSSH_5.8, OpenSSL 1.0.0a 1 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.2.200 [192.168.2.200] port 1234.
debug1: connect to address 192.168.2.200 port 1234: Connection refused
ssh: connect to host 192.168.2.200 port 1234: Connection refused
#

Ping is working back and forth, no problems with that.
sshd w/ max level of debug on target does not even indicate any attempt to initiate the session:
Code:
#/usr/sbin/sshd -p1234 -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 145
debug2: parse_server_config: config /etc/ssh/sshd_config len 145
debug3: /etc/ssh/sshd_config:99 setting Subsystem sftp  /usr/libexec/sftp-server
debug1: sshd version OpenSSH_5.8
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p1234'
debug1: rexec_argv[2]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 1234 on ::.
Server listening on :: port 1234.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
tcpdump reveals that there is an ARP, then a single packet to the target and several replies... and an ICMP redirect (??) that comes from a different host, after which I immediately get a connection refused on the client (no more info there with the highest verbose output, just "connecting to..." and then "connection refused"):
Code:
#tcpdump -veni vic2
18:47:57.804226 e0:2a:82:e2:30:dd ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.2.200 tell 192.168.2.100
18:47:57.804763 00:0c:29:5e:0c:c4 e0:2a:82:e2:30:dd 0806 60: arp reply 192.168.2.200 is-at 00:0c:29:5e:0c:c4
18:47:57.804919 e0:2a:82:e2:30:dd 00:0c:29:5e:0c:c4 0800 66: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6748, len 52)
18:47:57.806808 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60075: R [tcp sum ok] 0:0(0) ack 3262175013 win 0 (DF) (ttl 63, id 43637, len 40)
18:47:57.806831 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60075: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 63, id 61113, len 40)
18:47:57.806842 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60075: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 63, id 11333, len 40)
18:47:57.806853 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60086: R [tcp sum ok] 0:0(0) ack 3947530111 win 0 (DF) (ttl 63, id 57706, len 40)
[...]
18:47:58.304057 e0:2a:82:e2:30:dd 00:0c:29:eb:cf:c2 0800 66: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6752, len 52)
18:47:58.304076 00:0c:29:eb:cf:c2 00:0c:29:5e:0c:c4 0800 66: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 127, id 6752, len 52)
18:47:58.304084 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 70: 192.168.2.202 > 192.168.2.100: icmp: redirect 192.168.2.200 to host 192.168.2.200 (ttl 255, id 59465, len 56)
18:47:58.304878 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60086: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 63, id 30479, len 40)
18:47:58.803248 e0:2a:82:e2:30:dd 00:0c:29:eb:cf:c2 0800 62: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 6754, len 48)
18:47:58.803327 00:0c:29:eb:cf:c2 00:0c:29:5e:0c:c4 0800 62: 192.168.2.100.60086 > 192.168.2.200.1234: S [tcp sum ok] 3947530110:3947530110(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 127, id 6754, len 48)
18:47:58.803335 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 70: 192.168.2.202 > 192.168.2.100: icmp: redirect 192.168.2.200 to host 192.168.2.200 (ttl 255, id 1638, len 56)
18:47:58.803683 00:0c:29:eb:cf:c2 e0:2a:82:e2:30:dd 0800 60: 192.168.2.200.1234 > 192.168.2.100.60086: R [tcp sum ok] 0:0(0) ack 1 win 0 (DF) (ttl 63, id 8998, len 40)
192.168.2.202 is another BSD in the subnet. I stopped it, so that it does not send icmp redirects anymore, but then replies are not sent at all:
Code:
#tcpdump -veni vic2
18:53:35.675038 e0:2a:82:e2:30:dd ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.2.200 tell 192.168.2.100
18:53:35.675264 00:0c:29:5e:0c:c4 e0:2a:82:e2:30:dd 0806 60: arp reply 192.168.2.200 is-at 00:0c:29:5e:0c:c4
18:53:35.675399 e0:2a:82:e2:30:dd 00:0c:29:5e:0c:c4 0800 66: 192.168.2.100.60152 > 192.168.2.200.1234: S [tcp sum ok] 1013717570:1013717570(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 7473, len 52)
18:53:38.674506 e0:2a:82:e2:30:dd 00:0c:29:5e:0c:c4 0800 66: 192.168.2.100.60152 > 192.168.2.200.1234: S [tcp sum ok] 1013717570:1013717570(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 7485, len 52)
Max verbose on client says connecting to... connection timed out.

192.168.2.200, as an SSH client, connects with no problems to other machines. But it does not accept any incoming connections. Can you help me figure out how to overcome this?

The only thing that comes to my mind is that, by default, rdomain1 routing table is not used at all. My first attempts to ping 192.168.2.200 were failing, until I typed "ping -V 1 192.168.2.200". Since then, pings succeed even without the -V. But this may be because arp requests are sent to rdomain 0 by default.

Thank you in advance for your help,
Simeon
#15  14th November 2011  zealer (Port Guard)

OK, I figured it out.
In case anyone is interested: sshd should first be started in rdomain1. This can be done with the following:

Code:
#route -T 1 exec ksh
#/usr/sbin/sshd -dddp 1234
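Putting the thread's pieces together: the original question (#1, keep pinging one host through each ISP) and the two rdomain findings (denta's "route -T 1 exec" in #7 and zealer's sshd fix in #15). The script below is an added example, not code posted by anyone in the thread. It assumes rtable 0 holds ISP 1 (the default route) and rtable 1 holds ISP 2's interface, set up as denta describes; the interface name if_2, the address a.b.c.d, the probe target 8.8.8.8 and the sshd port 1234 are placeholders taken from the thread. "ping -V 1" on 4.9 does the same as "route -T 1 exec ping"; the script uses the route(8) form because it works for any command, sshd included. The monitor parses ping(8)'s summary line rather than its exit status, so "no route to host" and 100% loss both count as down.

```sh
#!/bin/sh
# Added example for this thread; not code posted by zealer, denta or jggimi.
# Probes one target through two ISPs by running ping(8) inside the routing
# table (rdomain) that holds each ISP's interface, so neither probe depends
# on the default route.
#   rtable 0 = ISP 1 (default route), rtable 1 = ISP 2, prepared as in #7:
#     ifconfig if_2 rdomain 1          (clears the address; set it again)
#     ifconfig if_2 inet a.b.c.d netmask 255.255.255.0
#     route -T 1 add default <ISP 2 gateway>
#   or persistently in /etc/hostname.if_2 (hypothetical values):
#     rdomain 1
#     inet a.b.c.d 255.255.255.0
#     !route -T 1 add default <ISP 2 gateway>
# Whatever in_rtable() starts inherits that rtable, which is also why sshd
# has to be started the same way before it accepts connections on if_2.

TARGET=${TARGET:-8.8.8.8}   # host to probe; assumed reachable via both ISPs
COUNT=3                      # echo requests per probe
MAXWAIT=2                    # ping -w: seconds to wait for each reply

# Run a command inside routing table $1 (route(8): route -T rtable exec cmd).
in_rtable() {
    rt=$1; shift
    route -T "$rt" exec "$@"
}

# Pull the integer packet-loss percentage out of ping(8)'s summary line
# ("3 packets transmitted, 3 packets received, 0.0% packet loss").
# Prints nothing when there is no summary, e.g. "ping: sendto: No route to host".
loss_pct() {
    printf '%s\n' "$1" | awk -F', ' '
        /packet loss/ { sub(/%.*/, "", $3); sub(/\..*/, "", $3); print $3; exit }'
}

# Map a loss percentage (or the empty string) to a link state.
link_state() {
    case "$1" in
        '' | 100) echo down ;;
        0)        echo up ;;
        *)        echo degraded ;;
    esac
}

# Probe $TARGET via rtable $1; prints the state and succeeds only for "up".
probe_rtable() {
    out=$(in_rtable "$1" ping -c "$COUNT" -w "$MAXWAIT" "$TARGET" 2>&1)
    state=$(link_state "$(loss_pct "$out")")
    echo "$state"
    [ "$state" = up ]
}

# Loop forever, logging each ISP's state to syslog. sshd for ISP 2 is
# started in the same way:  in_rtable 1 /usr/sbin/sshd -p 1234
monitor() {
    while :; do
        for rt in 0 1; do
            logger -t linkmon "rtable $rt -> $TARGET: $(probe_rtable "$rt")"
        done
        sleep 30
    done
}

# Only loop when invoked as "sh linkmon.sh --run"; sourcing the file just
# defines the functions.
if [ "${1-}" = --run ]; then
    monitor
fi
```

One caveat the thread already hit: a process only sees the routing table it was started in, so anything that must listen on if_2's address (sshd, a monitoring agent) needs the in_rtable 1 wrapper too, and "netstat -T 1 -rn" is the view to check, not plain "netstat -rn".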