Routing problems on VPN servers running FreeBSD 8.0-RELEASE

Brett Glass

Feb 2, 2010, 8:34:02 PM
Everyone:

I've been trying to deploy some new VPN servers (with tunneling
both in and out) running either mpd 5.3 or PoPToP on FreeBSD 8.0.
Alas, I have been having a terrible time doing it. I'm getting
error messages relating to routing, and connections which are
supposed to have proxy ARP aren't getting it.

On mpd 5.3, I'm seeing error messages such as

Feb 2 16:45:22 <kern.info> 9milegate kernel: ifa_add_loopback_route: insertion failed

and

Feb 2 16:46:02 <kern.info> 9milegate kernel: lla_rt_output: RTM_ADD publish (proxy only) is invalid

I thought that the problem might be mpd, and so switched to
userland PPP with PoPToP -- a combination that has worked for me
before. But I saw similar messages:

Feb 2 18:22:35 <user.notice> testgate ppp[1184]: tun2: testuser pptpnocrypto connected as 172.18.4.26
Feb 2 18:22:39 <daemon.warn> testgate ppp[1187]: tun3: Warning: iface add: ioctl(SIOCAIFADDR, 172.18.0.1 -> 172.18.4.89): File exists
Feb 2 18:22:39 <kern.info> testgate kernel: ifa_add_loopback_route: insertion failed
Feb 2 18:22:39 <kern.info> testgate kernel: ifa_del_loopback_route: deletion failed

Ideas?

--Brett Glass

P.S. -- Please copy me directly on all responses, as I am not
currently subscribed to the list.

_______________________________________________
freeb...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net...@freebsd.org"

Li, Qing

Feb 2, 2010, 8:47:46 PM
Few of the symptoms you described here were present in the vanilla
8.0-RELEASE but I have been fixing these in 8-STABLE since the official
announcement.

Could you please try 8-STABLE and report back if these problems
persist there?

-- Qing

Brett Glass

Feb 2, 2010, 11:56:55 PM
Qing:

Unfortunately, I am heading to Washington DC tomorrow to speak with
the FCC and ask it not to regulate ISPs out of business. But when I
return, I will certainly test it and help you fix whatever is still
broken. The problems seem to be that (a) proxy ARP doesn't get set
up in either the ARP table or the routing table, and (b) the PPP
daemon can't create or destroy many of the routes that the
connections need to work.

I can't believe that a version of a major operating system shipped
without the ability to do PPP, but apparently that's the case!

--Brett Glass

At 06:47 PM 2/2/2010, Li, Qing wrote:

>Few of the symptoms you described here were present in the vanilla
>8.0-RELEASE but I have been fixing these in 8-STABLE since the official
>announcement.
>
>Could you please try 8-STABLE and report back if these problems
>persist there?
>
>-- Qing

Li, Qing

Feb 3, 2010, 4:35:17 AM
>
> The problems seem to be that (a) proxy ARP doesn't get set
> up in either the ARP table or the routing table, and
>

Proxy ARP entries are not installed into the routing table.

I believe I have fixed this issue in svn r201282 and merged
into 8-STABLE.

http://svn.freebsd.org/viewvc/base?view=revision&revision=201282

http://svn.freebsd.org/viewvc/base?view=revision&revision=201614

The keyword "only", as documented in the manpage, requires a
host route to be present or else the proxy arp command will fail.
I can forward you an offline exchange I had with Juergen Lock
on this subject.

>
> (b) the PPP
> daemon can't create or destroy many of the routes that the
> connections need to work.
>

The above patch also includes fixes for routing-related problems, as
you will note in the commit message, although I am uncertain if
your problems fall into this category.

>
> I can't believe that a version of a major operating system shipped
> without the ability to do PPP, but apparently that's the case!
>

Various users reported problems in the vpn/ppp area and those
were addressed before the release.

Given the diverse usage of the operating system, it's fair to say
that I try my best to perform the necessary test coverage, but
it's difficult to be inclusive of all scenarios.

In any case, I am here to work with you to resolve your issues
as quickly as I can.

Brett Glass

Feb 4, 2010, 8:13:43 AM
At 02:35 AM 2/3/2010, Li, Qing wrote:

>Proxy ARP entries are not installed into the routing table.

Not since the ARP table and the routing table have been split.
However, the addresses for which the machine is doing proxy ARP do
need to show up there, and they do not.

Is there a way to get patches to run against 8.0-RELEASE? If I do
not install -RELEASE on a machine, I can't use freebsd-update to maintain it.

>The keyword "only", as documented in the manpage, requires a
>host route to be present or else the proxy arp command will fail.

The entry is not being set up from the command line but by a PPP
program (mpd or ppp(8)).

>(b) the PPP
>daemon can't create or destroy many of the routes that the
>connections need to work.
>
>The above patch also includes fixes for routing-related problems, as
>you will note in the commit message, although I am uncertain if
>your problems fall into this category.

I do not know. What I do know is that all PPP implementations I've
tried -- including Somers ppp(8) and mpd 5.3 -- are failing to set
up the host routes for the PPP endpoints and also the loopback
routes for the pseudo-interfaces (ng or tun).

>Various users reported problems in the vpn/ppp area and those
>were addressed before the release.

Some of these actually worsened after the release. When the test
machine was updated recently using freebsd-update, we began to get
even more problems and error messages.

In any event, to put -STABLE on the machine would require either
downloading a snapshot or wiping out a lot of work or setting up
CVS on machines that won't need it in production, so please let me
know if patches are available that will add the recent fixes to 8.0-RELEASE.

--Brett Glass

Li, Qing

Feb 4, 2010, 9:35:39 PM
>
> Not since the ARP table and the routing table have been split.
> However, the addresses for which the machine is doing proxy ARP do
> need to show up there, and they do not.
>

You described a bug symptom that should have been fixed.
The proxy ARP entry should be displayed in the ARP table
after you apply the patch I specified.

>
> Is there a way to get patches to run against 8.0-RELEASE? If I do
> not install -RELEASE on a machine, I can't use freebsd-update to
> maintain it.
>

As far as I know patches do not go into 8.0-RELEASE branch, but
I will let the release management team comment on what your options
are.

>
> I do not know. What I do know is that all PPP implementations I've
> tried -- including Somers ppp(8) and mpd 5.3 -- are failing to set
> up the host routes for the PPP endpoints and also the loopback
> routes for the pseudo-interfaces (ng or tun).
>

Again, you describe the symptoms that I believe should be fixed
by the patch I referred to.

>
> In any event, to put -STABLE on the machine would require either
> downloading a snapshot or wiping out a lot of work or setting up
> CVS on machines that won't need it in production, so please let me
> know if patches are available that will add the recent fixes to
> 8.0-RELEASE.
>

See above...

-- Qing

Brett Glass

Feb 5, 2010, 12:41:38 AM
Qing:

What about the possibility of going to 7.3-RELEASE? There is a lot
that is good about 8.x, but when I build a production system I
prefer to use a release that will have extended support. After all,
it's awkward to build a production server that will need to be
taken down for a major upgrade in only one year.

I know that 7.2-RELEASE had problems with routing and PPP too, but
they were different ones. Has the 7-STABLE branch been patched
adequately since that time?

--Brett Glass

Li, Qing

Feb 11, 2010, 1:03:08 PM

Can you at least build one 8-stable system and see if the latest
patches resolve your problems before we carry on with the
"merge into 8-release" or other alternatives discussion?

-- Qing

Date: Thu, 04 Feb 2010 22:41:38 -0700
From: Brett Glass <br...@lariat.net>
To: "Li, Qing" <qin...@bluecoat.com>, <n...@freebsd.org>
Subject: RE: Routing problems on VPN servers running FreeBSD 8.0-RELEASE
Message-ID: <2010020505...@lariat.net>
In-Reply-To: <B583FBF374231F4A8960...@bcs-mail03.internal.cacheflow.com>

Brett Glass

Feb 11, 2010, 3:32:12 PM
Qing:

I will try to build a system late tonight. I was stuck in
Washington, DC for four days due to snow and have just returned to
a large backlog of work. Which snapshot would you recommend?

--Brett Glass