From: Mark Saad
To: Mark Felder
Cc: "freebsd-hackers@freebsd.org"
Subject: Re: [FreeBSD 11 Wishlist] Replacing an OpenBSD Firewall
Date: Wed, 31 Dec 2014 09:03:28 -0500
In-Reply-To: <1419995051.3716640.208176841.1676669A@webmail.messagingengine.com>

> On Dec 30, 2014, at 10:04 PM, Mark Felder wrote:
>
> After finding today that some of my intermittent home network problems
> are likely due to OpenBSD being unable to keep time* on my PC Engines
> APU4 firewall I am attempting yet again to run FreeBSD in this role.
>
> Here are my pain points that made me go with OpenBSD for so long:
>
> 1) No IPSEC in GENERIC
> 2) if_stf not having 6rd support (paging hrs@)
> 3) pf issues: ipv6 checksums, fragments
> 4) pf syntax (ok, this is really an "I wish...")
>
> I noticed net/stf-6rd-kmod now has a patch for FreeBSD 10 so I grabbed
> the diff and built an IPSEC kernel with this patch applied. I'm now
> mostly up and running except for the fact that I have no idea how to
> configure stf for 6rd. There don't seem to be any docs/examples
> anywhere. Unfortunately the man page edits in the diff don't give me any
> details. I'd love to see a simple example because I'm completely lost
> right now.
>
> In conclusion:
> - Let's get IPSEC into GENERIC or make it accessible for users via pkg.
>   It will need to receive the same treatment as GENERIC's freebsd-update
>   patches.
> - Can we please get 6rd support in head? I understand these shims have
>   lost a lot of interest/momentum but native IPv6 isn't coming soon for
>   most people.
> - Glad to see pf patches flowing in: ipv6, checksum, vnet, etc. Thanks
>   everyone!
>
> I will say I'm completely baffled by one thing though: the concept of
> having rtadvd in base, but no dhcpd in base. That doesn't make any sense
> to me. Shouldn't rtadvd be moved to ports?
>
> *For those curious, OpenBSD falls behind several seconds per minute and
> sometimes jumps hundreds behind. It's not a hardware issue as FreeBSD
> runs fine. Changing time counters in OpenBSD didn't work. This probably
> started around the time I upgraded to OpenBSD 5.6, but I'm not sure.

Mark

Were you running openntpd? Also did you apply the most recent firmware for
the apu?