My OpenBSD Notes

Just another BSD Unix and Networking Blog

Multiple VLAN setup on OpenBSD

OpenBSD has for some while supported 802.1Q Virtual LANs (VLANs). This allows a server with only one network card and cable to be part of multiple distinct network ranges. To do this you need to be connected to a network switch that understands VLANs (most decent smart switches do), and you need to configure the port attached to your server as a trunk port, optionally supplying the list of VLAN identifiers that are allowed to pass down that trunk.

Configuring the switch side is an exercise for the reader, since every switch maker has a ‘slightly’ different way to do it, but on a Cisco switch, for example,

interface FastEthernet0/1
description Trunk link to OpenBSD Server
switchport mode trunk
switchport trunk allowed vlan 1,7,9
speed 100
duplex full

would allow traffic for VLANs 1, 7 and 9 to be sent towards the server.

On the server side the setup is amazingly simple, thanks to the built-in support for the vlan device.

First, we need to bring up the parent interface (say xl0), but we do not give it an IP address:

ifconfig xl0 up

We can then add the required VLANs as virtual network interfaces:

ifconfig vlan1 create
ifconfig vlan7 create
ifconfig vlan9 create
ifconfig vlan1 vlan 1 vlandev xl0
ifconfig vlan7 vlan 7 vlandev xl0
ifconfig vlan9 vlan 9 vlandev xl0

In the above examples I have kept the name of each interface the same as the VLAN it is attached to, but there is no reason why you cannot call them something different if you want to; the important bit is that the number after the vlan keyword must match the VLAN definition on the switch.

Now that we have our VLAN interfaces, we can configure them in the normal way for networking:

ifconfig vlan1 inet 10.10.10.1 netmask 255.255.255.0
ifconfig vlan7 inet 10.20.30.1 netmask 255.255.255.0
ifconfig vlan9 inet 10.30.40.1 netmask 255.255.255.0

Of course, to make this persist across the next reboot of the box, we need to configure the /etc/hostname.xxx files in the normal way. For this configuration they would look like:

/etc/hostname.xl0

up

/etc/hostname.vlan1

inet 10.10.10.1 255.255.255.0 10.10.10.255 vlandev xl0 description "VLAN1-Net1"

/etc/hostname.vlan7

inet 10.20.30.1 255.255.255.0 10.20.30.255 vlandev xl0 description "VLAN7-Net2"

and so on.
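As an added example (not part of the original notes), the following script generates the /etc/hostname.vlanN files described above for any number of tagged networks on one parent interface. It validates each 802.1Q tag before writing anything, computes the broadcast address the inet line wants, writes the tag explicitly with the vlan keyword, and gives the files the 0640 mode that OpenBSD uses for /etc/hostname.* files. The helper names (vlan_tag_ok, broadcast_of, render_hostname_vlan, write_hostname_files) are this script's own, and the tags, addresses and descriptions are the constructed values from the notes. One caveat worth remembering when pairing this with the Cisco configuration: on a Cisco trunk the native VLAN (VLAN 1 unless changed) is carried untagged, and a vlan interface only sees tagged frames.

```shell
#!/bin/sh
# Added example, not from the original notes: build /etc/hostname.vlanN files
# for several tagged networks on one parent interface. All helper names below
# are this script's own; the sample values are the constructed ones from the notes.
#
# Note: on a Cisco trunk the native VLAN (VLAN 1 unless changed) is sent
# untagged, and a vlan(4) interface only sees tagged frames.

# vlan_tag_ok TAG: valid 802.1Q tags are 1..4094 (0 and 4095 are reserved).
vlan_tag_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer, shell arithmetic only.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N: the reverse of ip_to_int.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_of ADDR NETMASK: the directed broadcast address, which the
# hostname.if(5) "inet" line takes as its third field.
broadcast_of() {
    a=$(ip_to_int "$1")
    m=$(ip_to_int "$2")
    int_to_ip $(( a | (4294967295 - m) ))
}

# render_hostname_vlan TAG ADDR NETMASK PARENT DESC: one hostname.if(5) line,
# "inet addr netmask broadcast options". The tag is written explicitly with
# the vlan keyword rather than being taken from the interface name.
render_hostname_vlan() {
    printf 'inet %s %s %s vlan %s vlandev %s description "%s"\n' \
        "$2" "$3" "$(broadcast_of "$2" "$3")" "$1" "$4" "$5"
}

# write_hostname_files DEST PARENT SPEC...   (SPEC = TAG,ADDR,NETMASK,DESC)
# Every tag is checked before anything is written; on a bad tag nothing is
# written and 1 is returned. Files get mode 0640 like the real /etc/hostname.*
# files, which are not world-readable because they can hold secrets.
write_hostname_files() {
    dest=$1
    parent=$2
    shift 2
    for spec in "$@"; do
        tag=${spec%%,*}
        if ! vlan_tag_ok "$tag"; then
            echo "bad VLAN tag '$tag' in '$spec'" >&2
            return 1
        fi
    done
    for spec in "$@"; do
        oldifs=$IFS
        IFS=,
        set -- $spec
        IFS=$oldifs
        render_hostname_vlan "$1" "$2" "$3" "$parent" "$4" > "$dest/hostname.vlan$1"
        chmod 0640 "$dest/hostname.vlan$1"
    done
}

# Usage: write the three files from the notes into a scratch directory, then
# copy them to /etc and run "sh /etc/netstart vlan1 vlan7 vlan9" to apply them.
#   write_hostname_files /tmp/hostnames xl0 \
#       1,10.10.10.1,255.255.255.0,VLAN1-Net1 \
#       7,10.20.30.1,255.255.255.0,VLAN7-Net2 \
#       9,10.30.40.1,255.255.255.0,VLAN9-Net3
```

The script deliberately checks every tag before writing the first file, so a typo such as 4095 leaves /etc untouched instead of half-configured.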

Getting IPv6 on an OpenBSD Box

The number of free IPv4 addresses is rapidly shrinking: at the time of this posting Asia Pacific (APNIC) has about 2.3% of its available address space left (about 75,000 /24s), Europe (RIPE) about 9% (240,000 /24s) and the USA (ARIN) about 10.5% (522,000 /24s), so it is becoming harder and harder for ISPs (and end users) to get IPv4 addresses. So what does this mean for you?

Well, it means that over the next few months, especially in the Asia Pacific region, customers will not be able to get any more IPv4 addresses and will start to use IPv6. It is possible that their ISPs will host 6 to 4 gateways, so you can continue to use the IPv4 addresses you already have, OR they will simply not be able to access your sites, because IPv6 and IPv4 cannot talk to each other directly.

So perhaps you should think about getting IPv6 available for your websites!

Option 1 – Ask your ISP if they support it!

If they do, they will probably give you a /48 (about 1,208,925,820,000,000,000,000,000 addresses) or at the very least a /64 (18,446,744,100,000,000,000 addresses); there are 65,536 /64s in a /48!

You simply configure this on your Ethernet interface, and away you go!

Option 2 – Get an IPv6 tunnel from a tunnel broker

There are a number of providers that will give you IPv6 connectivity over IPv4. I have experience with two of them, but I am sure there are many more.

Hurricane Electric (http://www.tunnelbroker.net)

HE run tunnel POPs at most major Internet exchanges and have a number of servers all around the world, so you should hopefully find a low-latency server near you. While you are there, consider signing up for their IPv6 certification system.

SixXS (http://www.sixxs.net)

SixXS also provide a number of POP locations; the majority are in Europe, but there are a number of POPs in the US, one in Brazil and one in New Zealand. A feature that SixXS offer and Hurricane do not is that you can use the AICCU system to reach the SixXS POPs if you are sitting behind a NAT. AICCU is part of the OpenBSD ports tree, so a ‘pkg_add aiccu’ should work if a binary package exists, or you can ‘use the source’ to build your own binary.

When you have successfully signed up with your desired tunnel broker, they will provide configuration instructions for a large variety of *nix operating systems.

An example with SixXS is:

In the file /etc/hostname.gif0 put:

tunnel [Your IPv4 Endpoint] [PoP IPv4 Endpoint]
inet6 [Your IPv6 Endpoint] 128
dest [PoP IPv6 Endpoint]
!/sbin/route add -inet6 default ::1
!/sbin/route change -inet6 default -ifp gif0

Congratulations, you should now be reachable over IPv6!

Using OpenBSD as a BGP Looking Glass

Since OpenBSD 4.1 there have been some interesting tools that can be used by an ISP, and one of these is bgplg.

bgplg is a BGP Looking Glass: a piece of software that lets you inspect a routing table and see where you are learning the route to a particular network from.

If you have multiple Internet providers, this tool will show you the ‘preferred’ provider (the one with the shortest, and theoretically fastest, path) to a given network.

It is not enabled by default on a stock OpenBSD system, but you can enable it easily enough.

You need to make the following changes as root to enable the bgplg system:

# chmod 0555 /var/www/cgi-bin/bgplg
# chmod 0555 /var/www/bin/bgpctl
# mkdir /var/www/etc
# cp /etc/resolv.conf /var/www/etc
# chmod 4555 /var/www/bin/ping
# chmod 4555 /var/www/bin/ping6
# chmod 4555 /var/www/bin/traceroute
# chmod 4555 /var/www/bin/traceroute6

You will also need to start the Border Gateway Protocol daemon with a second, restricted, control socket that can be used from within the chroot(2) environment. If you are not sure how to do this, see bgpd.conf(5) for more information.
For example, add the following to /etc/bgpd.conf to have bgpd(8) open a second, restricted, control socket:

socket "/var/www/logs/bgpd.rsock" restricted

Start the Apache HyperText Transfer Protocol server. See httpd(8) for more information.

The standard output is rather spartan, but can be customised by making some changes to various files in the conf/ directory:

/var/www/conf/bgplg.css     Optional bgplg CSS style sheet.
/var/www/conf/bgplg.head    Optional bgplg HTML header.
/var/www/conf/bgplg.foot    Optional bgplg HTML footer.
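The steps above hand the web server's chroot a setuid-root ping/traceroute and a bgpd control socket, so it is worth being able to re-check that layout after the fact. The following audit script is an added example, not part of the original notes or of bgplg itself: it verifies the exact modes of the files the notes touch (0555 for the CGI and bgpctl, 4555 for the raw-socket tools), that resolv.conf was copied into the chroot, and that the only control socket bgpd opens under /var/www is the "restricted" one, so the CGI can issue read-only bgpctl commands and nothing more. The ROOT prefix argument and the helper names (audit_bgplg_chroot, check_mode, make_demo_tree) are this script's own; make_demo_tree builds a constructed scratch copy of the layout so the audit can be tried without root.

```shell
#!/bin/sh
# Added example (not from the original notes or from bgplg): audit the bgplg
# chroot layout. ROOT is a path prefix so the check can be run against a
# scratch copy; on a live box use ROOT=/ . Helper names are this script's own.

# mode_of FILE: the 10-character type+permission field of ls -l, e.g. -r-sr-xr-x
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_mode FILE EXPECTED: 0 if FILE exists with exactly that ls mode string.
check_mode() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    if [ "$(mode_of "$1")" != "$2" ]; then
        echo "BAD MODE $1 is $(mode_of "$1"), want $2"
        return 1
    fi
    echo "ok       $1 $2"
    return 0
}

# audit_bgplg_chroot ROOT: returns the number of problems found (0 = clean).
audit_bgplg_chroot() {
    root=${1%/}      # "/" and "" both mean the real filesystem root
    fails=0
    # CGI and bgpctl: executable by all, writable by nobody, no setuid bit.
    for f in cgi-bin/bgplg bin/bgpctl; do
        check_mode "$root/var/www/$f" '-r-xr-xr-x' || fails=$((fails + 1))
    done
    # Raw-socket tools: 4555 makes them setuid root, so they must not be writable.
    for f in bin/ping bin/ping6 bin/traceroute bin/traceroute6; do
        check_mode "$root/var/www/$f" '-r-sr-xr-x' || fails=$((fails + 1))
    done
    # resolv.conf must be inside the chroot for name resolution to work.
    if [ ! -f "$root/var/www/etc/resolv.conf" ]; then
        echo "MISSING  $root/var/www/etc/resolv.conf"
        fails=$((fails + 1))
    fi
    # Any bgpd socket under /var/www is reachable from the chroot, so it must
    # carry the "restricted" keyword (read-only bgpctl commands only).
    conf="$root/etc/bgpd.conf"
    if [ ! -f "$conf" ]; then
        echo "MISSING  $conf"
        fails=$((fails + 1))
    elif grep -Eq '^[[:space:]]*socket[[:space:]]+"/var/www/logs/bgpd\.rsock"[[:space:]]+restricted' "$conf"; then
        echo "ok       restricted control socket declared in $conf"
    else
        echo "BAD      no restricted socket \"/var/www/logs/bgpd.rsock\" in $conf"
        fails=$((fails + 1))
    fi
    if grep -Eq '^[[:space:]]*socket[[:space:]]+"/var/www/[^"]*"[[:space:]]*$' "$conf" 2>/dev/null; then
        echo "BAD      unrestricted control socket inside /var/www in $conf"
        fails=$((fails + 1))
    fi
    return $fails
}

# make_demo_tree DIR: constructed scratch copy of the layout (stub binaries,
# a dummy resolv.conf and a bgpd.conf with the restricted socket line) so the
# audit can be exercised without touching a live system.
make_demo_tree() {
    d=${1%/}
    mkdir -p "$d/var/www/cgi-bin" "$d/var/www/bin" "$d/var/www/etc" "$d/var/www/logs" "$d/etc"
    for f in cgi-bin/bgplg bin/bgpctl bin/ping bin/ping6 bin/traceroute bin/traceroute6; do
        printf '#!/bin/sh\nexit 0\n' > "$d/var/www/$f"
    done
    chmod 0555 "$d/var/www/cgi-bin/bgplg" "$d/var/www/bin/bgpctl"
    chmod 4555 "$d/var/www/bin/ping" "$d/var/www/bin/ping6" \
               "$d/var/www/bin/traceroute" "$d/var/www/bin/traceroute6"
    echo 'nameserver 192.0.2.53' > "$d/var/www/etc/resolv.conf"   # constructed value
    printf 'socket "/var/www/logs/bgpd.rsock" restricted\n' > "$d/etc/bgpd.conf"
}

# Usage on a live box (as root):   audit_bgplg_chroot /
# Usage on a scratch copy:         make_demo_tree /tmp/lg && audit_bgplg_chroot /tmp/lg
```

The mode check is deliberately exact rather than "at least": a 4777 ping would still be setuid root, but would also be writable by the web server user, which is exactly the combination the 4555 in the notes is meant to rule out.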

OpenBSD 4.9 Released

OpenBSD 4.9, the 30th release of the OpenBSD system, was released on May 1st, and is available in all the usual places.

The release notes can be found here
