Centroid.EU Blog

(this blog is mostly encrypted - adults only)

Previous Page

Upgraded io.solarscale.de to OpenBSD 6.0

October 13th, 2016

I have upgraded my last FreeBSD VPS to OpenBSD. It wasn't easy but I managed to overwrite the first 64 MB of the partition table with OpenBSD installer. Then I did a network install. Which didn't work for some reason, so I had to ftp the packages manually before doing a disk install. OpenBSD rocks! I now have 3 OpenBSD vps's. I don't think I need any more, I'm quite happy with this.


My core network

October 11th, 2016

I was asked by AVM support to make a drawing of my network, I was having so much fun with xfig that I want to share it with you.

Parts of it is in the german language but it's self explanatory.


Usutu Virus killing Blackbirds

October 8th, 2016

I heard the Usutu Virus is responsible for killing large populations of blackbirds predominantly. I wrote about this in October 2011, seems there is a second large wave coming through now. First read about this in Spiegel Online (german). The blackbirds are victims this year of not only this virus but trees have lesser food such as berries I noticed, due to the summer heat.


Good News

October 6th, 2016

I have fixed a thing that stalled development on my DNS server. In particular the dd-convert.c program was using mktime() erroneously, the fix was to put timegm() in those places. Here is the fix at version 1.19 where this occurred. Much thanks to Habbie who helped me in August of this year to get me back on track. I can now continue programming on dd-convert.c when I have time. I'm looking forward to my winter vacation. Perhaps I'll even finish dd-convert.c then. And New Year 2017 would be around the time to cut a release. Wouldn't it be great to be on time. Oh well.


I got credited to a bug report

October 4th, 2016

OpenBSD fixed a bug in OpenBSD-current and it also existed in 5.9 and 6.0. Here is the credit, and it got fixed today. This is under the "ARP bug" in my panic chronicles. Which I'll remove now.


I've turned on the heat for 2016/2017

October 4th, 2016

The temperature right now is 13 Celsius and it's expected to drop more, so I'm turning on the heat. I read somewhere that in Germany by law the O-O rule stands. O-O stands for Oktober-Ostern so october til easter that is when the heat is expected to be turned on by landlords. Since I control my own heat I am independent of this, but I pay for my own heat as well.


FreeBSD Donation

September 30th, 2016

I have donated $5 to FreeBSD Foundation. This wraps up FreeBSD donations for this year, there is an OpenBSD donation coming in 2 months or so.


Victim of spoofed Mail

September 30th, 2016

I've become victim of spoofed mail. Someone is sending mail with one of my domains to other people, getting them mad, and I receive the bounces. I do have SPF protection records but if the remote SMTP gateways don't enforce SPF records, then it's not helping. Here is the IP's that a "valid" mail from my domains would come from:
This is listed in SPF DNS records for my domains as well. I knew there was a-holes on the Internet, and they finally got to me. Unfortunately there is nothing I can do about this. If there is let me know what. I'm looking for a technical solution.


My IPv6 setup at M-net (german provider)

September 27th, 2016

I recently added IPv6 functionality to my network and had some obstacles to overcome, such as:

  1. How to route deep into my network and assign each host an IP6 that is 2 hops deep.
  2. What to do about rfc1918 IP's, since I want a NAT64/DNS64 setup
  3. How to do NAT66 in order to use deep routes

Well to give you a better idea I'm going to show you my network plan:

Network map:

[gaia]--                    [raspberry pi]
          \                      |              [mercury]
[phone1] - \                     |                  |
            --- [uranus] === [Access Point] --- [gamma] ---- to pppoe cloud
[phone2] - /                    ||
          /                     ||
[beta]--                        ||
                                |   \
                                |    +--[fritzbox LTE]------- to LTE network

Legend:                         Hosts:

--- CAT5 cabling                gaia + spica: apple computers running vmware
=== wifi 5 Ghz                  uranus: OpenBSD i386 on Lanner hw
||  wifi 5 Ghz                  venus: OpenBSD amd64 on Soekris hw
                                gamma: OpenBSD amd64 on PC Engines APU
                                fritzbox: AVM fritzbox router

Here is my dhcp6c.conf file:

keyinfo mnet {
        realm "v6.mnet-online.de";
        keyid 1 ;
        secret "***notshown***";

interface pppoe0 {
        send ia-pd 0 ;
        script "/etc/nat66-up.sh";

id-assoc pd {
        prefix-interface vether0 {
                     sla-id 1 ;
                        sla-len 0 ;
and with that the /etc/nat66-up.sh script:

ADDRESS=`/sbin/ifconfig vether0 | grep inet6 | tail -1 | awk '{print $2}'`
NETWORK=`echo $ADDRESS | awk -F: '{printf("%s:%s:%s:%s:%s:%s::/64\n", $1, \
	$2, $3, $4, $5, $6); }'`

/sbin/pfctl -t nat66 -T flush
/sbin/pfctl -t nat66 -T add $NETWORK

exit 0

I use a vether0 dummy ethernet interface to take on the IPv6 address from my provider (mnet) so that I can give all other interfaces a 2001:db8::/56 address. This address gets translated later in my pf rules and the relevant lines to the pf look like this:

table  persist
table  const { 2001:db8::/56 }
match out on $ext_if inet from  to any nat-to ($ext_if)
match out on $ext_if inet6 from  to any nat-to  round-robin \
pass in on re2 inet6 from any to 64:ff9b::/96 af-to inet from ($ext_if)
pass in on re1 inet6 from any to 64:ff9b::/96 af-to inet from ($ext_if)
I would have liked putting (vether0:network) in place of the but found that it translated to the fe80:: address and not the assigned address from m-net. So I have to do it this way, it's no headache. Also the round-robin was unfortuantely the only mode I got working, I would have liked to use random to get a random IP6 on the outgoing /64.

So let's see what we got, we have native IPv4 NAT44'ed, we have dual-stack IPv6 NAT66'ed and we have NAT64/DNS64 on top of that. It's really cool, to show you how the DNS64 works I'm gonna do a host lookup on censored.net which isn't mine so please look at it just as an example:

beta$ host censored.net
censored.net has address
censored.net has IPv6 address 64:ff9b::4834:45b
censored.net mail is handled by 0 localhost.
Then when I route into 64:ff9b::/96 it gets af-to'ed in the pf rules to an IPv4 address. It's really cool.

What else is missing? I want to show you the DNS setup with BIND from the OpenBSD 6.0 ports, it worked out of the box. Here is what I had to add into the options:

        dns64 64:ff9b::/96 {
                clients { 2001:db8::/56; 192.168/16; };
                mapped { !10/8; !192.168/16; !172.16/12; any; };
                exclude { 64:ff9b::/96; };
                recursive-only yes;

That's really all there is to it, I had a lot of fun doing this and can't wait until some services of mine use IPv6 so that I can drop the native IPv4 completely.


Ordered a book from Amazon

September 20th, 2016

This time I want to learn more about USB. So I got:

  • USB Complete: The Developer's Guide (Complete Guides) - Jan Axelson
Hopefully it was worth it.


Next Page


RSS Feed

Click here for RSS

On this day in

Other links

Have feedback?

By clicking on the header of an article you will be served a cookie. If you do not agree to this do not click on the header. Thanks!

Using a text-based webbrowser?

... such as lynx? Welcome back it's working again for the time being.

Older Blog Entries

Powered by BCHS