Hello,
> You've already been justifiably scolded for inflammatory and ignorant
> remarks regarding the "performance" of OpenBSD in the past, and here
> you are again. Now you're adding "complexity" to this too. You need to
> stop. Stuart is quite patient and can look past this, but there are
> enough people in the community that won't even bother trying to help if
> this nonsense keeps being spewed.
Misinformation by another user, which I was corrected on.
Complexity? Are we really doing this? Of course configuring a network
through the command line is far easier than a web interface designed for
less tech-savvy people, and you are saying I wrongly said it's more complex?
If you have a problem with me, offlist me, but I will not be dragged
through the dirt publicly due to miscommunication or misinformation. I
have not once intentionally caused any harm to any OpenBSD user, and in
contrast you are proactively trying to.
> How is this for performance? I have four physical interfaces, nine
> vlan(4), and two wg(4) pseudo-devices distributed across two rdomain(4)s
> with 110 pf(4) rules according to pfctl -sr | wc. I run
> dhcpcd(8), dhcpd(8), dovecot(1), httpd(8), nsd(8), ntpd(8), rad(8),
> rspamd(8), smtpd(8), sshd(8), unbound(8), and the Vaultwarden password
> manager. Despite all that, my system _easily_ saturates 2.5 Gbps links.
> Shucks! What "terrible" performance.
I said "even", implying that it's possibly less performant. And according
to benchmarks I have seen on devices like the Raspberry Pi, OpenBSD
routing performance is held back compared to Linux.
When you have security in mind, performance is bound to suffer
somewhere, and I never said it performed terribly.
If you need to dominate others and exert superiority, please send it
offlist so I can simply trash it.
You nitpick everything I say, like the grammar police. Maybe you need to
realise some people are not as good as others at communication, and they
don't need you standing there dragging them through the dirt when they
slip up and make mistakes.
Maybe the difference between you and Stuart is that Stuart is happy to
help teach people, while you prefer to sit back and drag people through
the dirt for making mistakes. Stop using your knowledge as a means to
abuse, and use it as a means to help others.
> As for "complexity", I believe you are victim to the common fallacy of
> conflating _familiarity_ with simplicity. Worse, you likely haven't
> even attempted to do what you want on a Linux-based OS or other OS. I'd
> be interested to see just how "simple" such a config would be. A naive
> metric would be number of keystrokes. We can contrast the two setups.
It is only easy if you know it. And you are now assuming what I do or
don't know because I never specified that I have or have not attempted
the same setup on Linux.
I do not ever remember saying that Linux would be any simpler, my point
was between OpenWRT (a web interface) against OpenBSD, and I would
kindly ask you to stop taking my words out of context to fuel your hate.
> Stop yourself. No it does not. There is nothing more secure about NAT
> to "hide" devices on your (V)LAN side than assigning globally routable
> IPs to those devices. In both cases, the devices are not on the WAN
> side and both rely on a firewall to prevent traffic from coming into
> the WAN interface and being passed out the (V)LAN interface to the
> device. False security is _worse_ than none since you are more likely
> to falsely believe you are protected from certain attack vectors making
> it more likely you will let your guard down.
I clearly said NAT is not an effective security measure; I explained how
ISPs make it sound like it is a critical security measure.
However, not having a global address on a device/container/VM does make
it harder for inbound connections to reach the device. For servers this
is bad: you want to be reachable in the shortest path possible. For
clients, you don't want to be reachable at all.
In the pf configuration, I simply allow traffic to flow either way for
the global addresses, and leave it up to the firewall on the
device/container. This allows for better control than having to change
the pf configuration if, for example, I want HTTP traffic reaching the
container.
And the security isn't from the NAT, it is from the added complexity of
getting into the NAT, because you either must compromise the router, or
you must have the port forwarded; otherwise the packet is simply dropped
by the router. NAT itself isn't what is doing it, it's the fact that nothing
is actually bound to the port and thus the packet is simply dropped.
And sure, you can give me a 100 page lecture on your opinion, but I am
not saying the NAT is what protects the network. You should always have
a firewall on every device within the network, but NAT makes it harder,
mostly in the wrong ways (such as every port you want to use inside the
NAT you have to forward to the respective IP address of the device).
Yet again, please actually read what I say instead of only seeing about
20% of it, and then instantly attacking me.
> A pedant would perhaps argue NAT makes it more _insecure_ since that is
> more code that has to be executed increasing the probability of
> encountering a bug (e.g., a zero-day exploit).
Ok this is just getting excessive, just for the sake of justifying your
point of view.
> Cool, so do I; and some of the devices don't rely on NAT either. The
> ones that do do so because I don't have enough globally routable IPv4
> addresses to assign and not because the absurd notion that it's "more
> secure". You better be using NAT for IPv6 too; otherwise you can add
> inconsistency to your "logic" that NAT is more "secure". If not,
> congrats your logic is now trivialism
> (https://en.wikipedia.org/wiki/Trivialism).
I never said the NAT makes my setup any more secure. Like I have said
already, you should still have a firewall on every single device.
Although some rules in the router are always nice to block things such as
spam addresses, you shouldn't trust the router to protect the entire
network.
And again, putting words in my mouth, just to prove your own point of view.
Oh, and if you have the exact same setup, why not help instead of
dragging me through the dirt?
Let's go slightly off topic for a moment. Suppose you are reasonably new
to OpenBSD: you have an idea of how the network should look, but you do
not know all of the tools available on OpenBSD. People give suggestions
such as "use inet aliases, it simplifies the problem", you check it
out and it doesn't work, so you ask for support. Then someone comes
along and drags you through the dirt, for simply wanting to learn. You
wouldn't like it, so why do you do it to others?
I also doubt you like being insulted either, probably makes you feel
pretty bad, so why do you do it to others?
I can't believe your entire vendetta is based on misinformation from
someone else, which I was corrected on (even if it was a little harsh),
and the fact that you nitpick everything I say. I held off asking the
mailing list for this exact reason, and I was anticipating the moment
when someone would be unhelpful and would rather insult others than be
productive.
If you truly hate me, then I suggest setting a filter to ignore all
emails from my address (polarian@polarian.dev), and if you don't, then
stop trying to cause harm and only respond if you are going to be helpful.
It is not right for any user to feel scared to ask for help, end of story!
> "vlan's [sic] increase complexity by a lot"? Seriously? You have an
> absurdly low bar on what you consider "complex" let alone "very
> complex". We are not doing homotopy type theory here. Let's see how
> "complex" setting up VLANs is on OpenBSD 7.3-stable, shall we?
I never said how much it increases the complexity by, but yes, in general
the addition of virtual interfaces in any capacity adds complexity; it might
even decrease the difficulty. Yet again you are misunderstanding my
point, and instantly jumping out at me assuming I mean something
different.
Hell, I will admit that my communication skills are on par with a mouse,
but I don't even think that is the problem here. "Complexity" !=
"Difficulty"; you implied difficulty here.
Can we quit the nitpicking of English? This ain't school, I don't need
someone proofreading every email and shouting at me for little mistakes I
have made in my English.
> router$ cat /etc/hostname.ixl0
> up
> router$ cat /etc/hostname.vlan0
> parent ixl0
> vnetid 10
> inet6 fdb5:d87:ae42:1::1 64
> inet 192.168.1.1 255.255.255.0 NONE
Ah look something useful, how nice of you, I had to scroll through all
the insults but I actually got something useful.
> If that is "complex", then you should stop now as you will and likely
> already have encountered things _a lot_ more "complex".
Oh look, the insults are back.
But in all seriousness, if that is your mentality, when you reach a
point where you are unfamiliar (I have only worked with vlan's like...
once I believe? I can't even remember, but it wasn't on OpenBSD), you
should simply give up?
The knowledge you have now was not given to you by some higher power; it
came through trial and error and many MANY hours of learning. So why do
you forget that others need to travel the same path?
I have already admitted to the fact that, compared to other things,
I am not very experienced at networking. And your response to this is...
what exactly? Give up because it only gets harder? Seriously?
Life only gets harder, do you simply just give up?
> Maybe you were referring to how "complex" the setup is on the switch
> side. Without knowing the specific OS, I cannot say for sure; but I
> doubt it is "complex" to set up VLANs. Some switches have nice pretty
> GUIs you can use where you point, click, and type what VLAN ID you want
> to use: extremely simple. Even on more "advanced" switches, it's still
> easy to configure VLANs. "Proof" on my Juniper switch running
> JUNOS 22.4R1-S2.1:
>
> zack@switch> edit
> Entering configuration mode
>
> {master:0}[edit]
> zack@switch# set vlans foo vlan-id 10
> zack@switch# set interfaces mge-0/0/4 unit 0 family ethernet-switching vlan members foo
> zack@switch# set interfaces xe-0/1/0 unit 0 family ethernet-switching interface-mode trunk vlan members all
> zack@switch# commit
Ok I will admit one thing, this was interesting to see, but the intent
was all wrong.
What exactly was the point here? To prove how much more experience you
have with networking and managed switches?
I have only just turned 18, I am still a student, I do not have money to
burn on managed switches. So yes, I have no experience with managed
switches, or any fancy Juniper or Cisco gear; I wouldn't really say fancy
because they are proprietary and that instantly discourages me.
And now I am sure I will get a whole argument about how misled I am, and
how believing that open source could be used for enterprise level gear
is completely illogical, and how I am naive thinking open source is
possible. Because funny enough, a lot of open source devs I have met
will explain it as "giving back to the community" as they work at some
big corp earning 6 figures, and they want to give back a little to the
community in their free time. So a lot of the people I have met only see
open source as a hobby, and never see it being able to grow into
something which can be deployed in internet exchanges etc.
Anyways sorry for going off topic, just anticipating the next insult and
trying to cover my ass.
> The reason it is recommended to separate traffic on both L2 and L3
> networks is that it usually makes the most sense. Why would one want to
> separate traffic at the IP layer but not lower? It can be done; and if
> you are doing it for an academic exercise, fine. Personally, the reason
> I put devices in separate IP networks is that I don't want them to
> send traffic to each other without going through a firewall; but if
> they are on the same L2 network, then that's not the case since traffic
> can and will be sent.
Hm, I do not see an argument either way here.
On one hand, it is much more convenient to route by interface, instead
of at IP level, all the addresses are not the easiest thing to keep
track of.
But on the other hand, I do not see any reason against it? Does it
require more processing power? Or is it just a lot harder to maintain?
I want to point out that the reason I have avoided vlans is I do not
want to deal with devices not speaking to one another. This is not some
enterprise setup, I have a dumb switch in which a server is connected,
and that server runs containers with a host bridge, which means each
container should appear as a physical device.
All I simply wanted to do is have the least complex setup (i.e. the fewest
interfaces to manage; I have to specify this or I am sure I will be slated
again) in which containers which require a global address can have it,
and ones which don't can simply use the NAT, allowing me to be
conservative while also giving specific containers free access, which is
why the pf rules in the previous email simply pass in on both
interfaces and pass out respectively.
I believe this is why I was recommended to keep it on a single interface
and to use inet aliases, because it should have been less work and fit
my needs better. I would like to point out that this was recommended by a
user; I still can't remember who it was, nor could I find where it was
mentioned when I checked my email archives. So if it is wrong, please do
not blame me and have an entire rant explaining how stupid I am; instead
simply point me in the right direction.
The same question remains however, what is causing this problem? In
theory the aliases should have just worked (Thanks Stuart for pointing
out I calculated the subnet wrong, stupid mistake).
All I know about vlans is that they are used to separate off networks
virtually without needing multiple physical interfaces (which can be
costly). I also believe (do not slate me if I am wrong) the performance
of vlans is below that of physical interfaces, which I assume is why
Stuart asked if I had additional physical interfaces, as it would be the
fastest and also easiest way of doing this?
I will provide the information Stuart wanted to see in reply to his
email if you are willing to help, but if all you are here to do is crush
me under your many more years of experience, then I request you simply
leave me alone.
Thank you Stuart for the help as well, if I have not already made this
clear :)
Have a good evening,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
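The design discussed in this thread (containers with global addresses routed straight through and filtered on the container itself, the rest behind NAT, unsolicited inbound packets dropped by the block policy rather than by the translation) as an added pf.conf example; it is not the poster's ruleset from the earlier email. The interface names, the documentation prefixes and the internal container address are assumptions.

```pf
# Added example, not the poster's configuration. Assumed names: em0 = WAN,
# em1 = LAN behind the dumb switch; 203.0.113.0/28 (documentation prefix)
# stands in for the global block aliased onto em1, 192.168.10.0/24 for the
# containers that stay behind NAT.
wan = "em0"
lan = "em1"
wan_addr = "203.0.113.1"          # placeholder for the router's WAN address
global_net = "203.0.113.0/28"     # containers that hold a global address
private_net = "192.168.10.0/24"   # containers that use the NAT

set skip on lo

# Default deny in both directions. This rule, not nat-to, is what drops an
# unsolicited packet aimed at the router or at a private container.
block log all

# The LAN side is not filtered at the router: each container runs its own
# firewall, so HTTP to a container is enabled there, not here.
pass on $lan inet

# Private containers leave through the router's address. Replies are matched
# by the state created on the way out; nothing else gets in.
match out on $wan inet from $private_net nat-to $wan_addr
pass out on $wan inet

# Global containers are routed, not translated: traffic either way is allowed
# at the router and left to the container's own firewall.
pass in on $wan inet to $global_net

# A private container is reachable from outside only where a port is
# explicitly published; every other port is still caught by "block log all".
pass in on $wan inet proto tcp to $wan_addr port 80 rdr-to 192.168.10.20
```

Removing the `match ... nat-to` line changes nothing about which inbound packets are dropped, which is the point made above: the protection comes from the block policy and from nothing listening, not from the address translation.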