Bhyve on FreeBSD 10.1

May 15th, 2015

I recently started a new series of videos on YouTube about my favorite operating system, FreeBSD. Below are the commands used in the video to set up the bhyve hypervisor on FreeBSD 10.1 with a virtualized Ubuntu 15 server.


######## prerequisites for bhyve on FreeBSD ##########
pkg install grub2-bhyve
mkdir /virtual_machines
cd /virtual_machines
mkdir iso ubuntu_server
cd iso
# the installer image is expected at /virtual_machines/iso/ubuntu15server.iso

######    Load kernel modules and set sysctl values ######
kldload if_tap
kldload if_bridge
kldload vmm
kldload nmdm
###### set sysctl values  #######
sysctl net.inet.ip.forwarding=1
# make the setting persistent across reboots
echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
# tip(1) entry for the VM console; the nmdm0B side pairs with the nmdm0A side handed to bhyve below
echo "vm1:dv=/dev/nmdm0B:br#9600:pa=none:" >> /etc/remote
##### create interfaces needed for the vm  ########

ifconfig tap1 create
ifconfig bridge0 create
ifconfig bridge0 addm tap1 addm em0 up

##### create the config files and virtual disk  ########

truncate -s 10g /virtual_machines/ubuntu_server/vm1.img
# grub-bhyve device map: (hd0) is the virtual disk, (cd0) the installer ISO
cat > /virtual_machines/ubuntu_server/device.map <<'EOF'
(hd0) /virtual_machines/ubuntu_server/vm1.img
(cd0) /virtual_machines/iso/ubuntu15server.iso
EOF

####### Boot the virtual machines ###########
# first boot: load the installer from the CD image, then start the VM with the ISO attached
grub-bhyve -r cd0 -m /virtual_machines/ubuntu_server/device.map -M 1024 vm1

bhyve -c 1 -m 1024M -H -P -A \
-l com1,/dev/nmdm0A \
-s 0:0,hostbridge \
-s 1:0,lpc -s 2:0,virtio-net,tap1 \
-s 3,ahci-cd,/virtual_machines/iso/ubuntu15server.iso \
-s 4,virtio-blk,/virtual_machines/ubuntu_server/vm1.img vm1 &

# attach to the serial console through the /etc/remote entry above (~. disconnects)
tip vm1

########### boot into newly installed vm ################

# after installation: boot from the first partition of the virtual disk, no CD attached
grub-bhyve -r hd0,msdos1 -m /virtual_machines/ubuntu_server/device.map -M 1024 vm1

bhyve -c 1 -m 1024M -H -P -A \
-l com1,/dev/nmdm0A \
-s 0:0,hostbridge \
-s 1:0,lpc -s 2:0,virtio-net,tap1 \
-s 4,virtio-blk,/virtual_machines/ubuntu_server/vm1.img vm1 &

################# bhyve commands and nice to haves ##########

# kill a running bhyve machine and release its resources
bhyvectl --destroy --vm=name_of_vm
# to do: create the bridge and tap interfaces at system boot instead of by hand


October 20th, 2013

So live your life that the fear of death can never enter your heart.
Trouble no one about their religion
Respect others in their view
And demand that they respect yours
Love your life, perfect your life, beautify all things in your life
Seek to make your life long and its purpose in the service of your people
Prepare a noble death song for the day when you go over the great divide
Always give a word or a sign of salute when meeting or passing a friend
Even a stranger when in a lonely place
Show respect to all people and grovel to none
When you arise in the morning give thanks for the food and for the joy of living
If you see no reason for giving thanks, the fault lies only in yourself
Abuse no one and nothing
For abuse turns the wise ones to fools and robs the spirit of its vision
When it comes your time to die
Be not like those whose hearts are filled with the fear of death
So that when their time comes
They weep and pray for a little more time
To live their lives over again in a different way
Sing your death song
And die like a hero going home

Slow Downloads in iTunes

November 11th, 2012

If you are experiencing slow downloads in iTunes try this:

Shut down iTunes

Disable antivirus/internet security suite

Open iTunes and resume downloads.

This is most often caused by the internet security suite, which is not capable of scanning large files in real time. If this fixes your problem, you can usually make the fix permanent by disabling the piece of the antivirus that filters web traffic.

New route-server available!

September 3rd, 2010

I have been working on a new project, which is to provide a service that would allow you to peer with my router over BGP. My router would then advertise a list of bogons and known malicious networks, including botnet command and control networks. You can then drop these networks at your border router, thus protecting your network from attacks and saving precious router and firewall resources. Right now I am not offering the peering service, but I do have a route-view server available that allows you to log in and get a full list of the malicious IP networks for IPv6 and IPv4. To access the router please ssh to If you have IPv6 access there is an AAAA record as well, allowing you to access the router on both IPv4 and IPv6.

New mailing List

July 13th, 2010

I started a new mailing list. This list is for anyone to ask questions about networking design and implementation. We can help with configuration questions for all gear: Juniper, Cisco, HP, Fortinet…

Also, questions regarding Linux, Solaris and BSD are welcome as well.

Found This Funny Banner Today!

June 28th, 2010

MPLS VPN Services

February 9th, 2010

This article aims to take an in-depth look at MPLS and explain how your packets get from one side of the MPLS cloud to the other. Hopefully this will give you some perspective that will prove useful in troubleshooting issues in your own MPLS implementations.

Most enterprise engineers' MPLS experience goes something like this: the company needs to connect the office in Miami and the office in London with the corporate headquarters office in Chicago. The VPN design needs to be flexible, and most importantly the network connecting all 3 sites needs to be a full mesh; by this I mean that any office should be able to talk to any other office using this MPLS VPN. At this point you contact your MPLS provider and ask them to provision 3 MPLS links, 1 for each of the above-mentioned offices. The MPLS sales team puts you in contact with their engineering department, and they ask you a couple of questions that they need answered in order to properly provision your lines. The number one question they ask is “How do you want to send us routes?” Depending on the size of your organization and the dynamic or static nature of your network you can opt for several options; here are 3 of the most common.

1. Static Routes

2. BGP Peering

3. OSPF Peering

Now if your network is very small, say for instance you have 3 shoe stores that need to talk to the corporate office / warehouse, then you might opt for the static route option. If you are a large organization that is publicly traded and has a robust network and security policy in place, you will most likely choose the second option, as this gives you the most security and control over what routes enter and leave your network. However, the third option is also very popular, mainly because many organizations are already running OSPF, so this makes it that much easier to peer with the ISP. Using the same IGP to peer with your MPLS provider as you use to run your internal network does leave you at risk, though. There are a host of vulnerabilities in OSPF that could be exploited even if you are using OSPF MD5 authentication, such as LSA injection attacks. The biggest reason not to do this, however, is that if the ISP makes a mistake they could inadvertently dump hundreds or thousands of routes into your routing table, which could destabilize your entire network.

Now wouldn’t you know, after all that negative talk about OSPF peering, the example I am going to talk about below is exactly that: OSPF peering.

Please click on the above diagram for a larger view; you may want to download it as well and open it in an image viewer to zoom in on some of the smaller text and details.

In the example above you have 2 companies. To keep things simple we will call them Company A and Company B. Company A has 2 sites that need to communicate using MPLS, and Company B also has 2 sites that need to communicate using MPLS. This ISP is lucky enough to get the business of both Company A and Company B. The ISP has a core network made up of an unspecified number of routers. In this example we will look at a small portion of the ISP's network. Our little piece of the network shows both customer sites connected to PE (Provider Edge) routers. These routers are responsible for providing access to the customers. The core of the network is made of P routers, or Provider routers. This provider has decided to convert their entire network to MPLS. This gives the ISP better performance by allowing the routers to utilize their built-in ASICs to switch the packets at incredible speeds. It also allows the ISP to offer many new services such as MPLS VPNs as well as VPLS (Virtual Private LAN Service). In addition to these services the ISP can use the tunneling aspect of MPLS to create traffic engineering tunnels that allow it to very precisely control which paths through the provider network certain traffic takes. It also allows them to set very specific and granular QoS or CoS policies for customers.

MPLS confuses many people because of its amorphous place in the OSI model. MPLS is officially a layer 2.5 protocol because layer 3 protocols can be encapsulated in MPLS. MPLS stands for Multi Protocol Label Switching. MPLS can carry many different layer 3 protocols inside it, just as Ethernet, a layer 2 protocol, can carry TCP/IP inside its frames. However, MPLS is more complicated than that. Many people are easily confused because MPLS depends on the routing table in order to function; in this sense you could think of it like a layer 4 protocol. MPLS cannot function if the routing table is not working. MPLS depends on LDP, the Label Distribution Protocol, to form adjacencies with neighbors, distribute its list of labels and receive labels from peers. LDP forms adjacencies at layer 3 and uses the routing table to find peers. LDP is similar to OSPF in that it uses the highest loopback address to identify itself. In our network diagram each switch has a loopback address. All of the P routers, including the PE routers, are running OSPF. This OSPF instance is advertising the subnets owned by the ISP; many ISPs use IS-IS for this purpose, and in fact many ISPs use private addresses in their network, especially if their network is a transit network. There are many situations in which you have public IP traffic traversing a private network that connects to another public network. The 3 P routers and 2 PE routers need to know how to get to all of the non-public IP addresses that the ISP is using to connect their network together. OSPF is used to synchronize these addresses as well as advertise each router's loopback address. Once all routers have formed neighbor relationships and all routes have been distributed through OSPF, LDP is able to use the routing table to form adjacencies with other routers using their loopback addresses.

Once LDP has formed neighbor relationships with other routers using their loopback addresses, it is able to start synchronizing the tag database. MPLS assigns a tag, or label, to every route in the routing table. When a packet enters the MPLS PE router's interface, the router does a route lookup to determine the tag for the destination of the packet. Once this decision has been made, the router will push the tag onto the packet and send it out the appropriate interface. The next router in line has a simpler job. This router does not even have to look at the routing table; it can just look at its forwarding table, see what new tag should be assigned to the packet, and send the packet on its way. The reason this is so fast is that the MPLS tags were designed to look like layer 2 frames to the ASICs on the routers. This allows the programmers to leverage the same high-speed chips used to route packets from one switch port to another based on MAC addresses.
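The push/swap/pop sequence described above, as an added example that is not part of the original article: a small Python model of the forwarding path in which only the ingress PE consults the routing table and every later hop works from its label forwarding table alone. Router names, the 10.2.0.0/24 customer prefix and the labels 100/200/300 are constructed sample values, not taken from the diagram.

```python
import ipaddress


class Router:
    """One label-switching router. fib: prefix -> (label, next hop), consulted only for an
    unlabelled packet; lfib: incoming label -> (outgoing label, next hop)."""
    def __init__(self, name):
        self.name, self.fib, self.lfib = name, {}, {}

    def add_route(self, prefix, out_label, next_hop):
        self.fib[ipaddress.ip_network(prefix)] = (out_label, next_hop)

    def add_label(self, in_label, out_label, next_hop):
        self.lfib[in_label] = (out_label, next_hop)

    def forward(self, dst, labels):
        """Rewrite the label stack in place; return (operation, next hop)."""
        if labels:                               # labelled: the routing table is never consulted
            out_label, nh = self.lfib[labels[0]]
            if out_label is None:                # egress PE: pop the label
                labels.pop(0)
                return "pop", nh
            labels[0] = out_label                # P router: swap using the forwarding table alone
            return "swap", nh
        # ingress PE: longest-prefix match in the routing table, then push the bound label
        match = max((p for p in self.fib if dst in p), key=lambda p: p.prefixlen, default=None)
        if match is None:
            return "drop", None
        out_label, nh = self.fib[match]
        labels.insert(0, out_label)
        return "push", nh


def trace(routers, dst):
    """Send one packet along the path; record (router, operation, label stack) at each hop."""
    by_name = {r.name: r for r in routers}
    dst, labels, hops, current = ipaddress.ip_address(dst), [], [], routers[0]
    while current is not None:
        op, nh = current.forward(dst, labels)
        hops.append((current.name, op, list(labels)))
        current = by_name.get(nh)   # a next hop outside the model (the customer CE) ends the trace
    return hops


def build_example_path():
    """Constructed sample LSP PE1 -> P1 -> P2 -> PE2 towards Company A's remote site 10.2.0.0/24."""
    pe1, p1, p2, pe2 = Router("PE1"), Router("P1"), Router("P2"), Router("PE2")
    pe1.add_route("10.2.0.0/24", 100, "P1")   # ingress: route lookup selects label 100
    p1.add_label(100, 200, "P2")              # transit: 100 -> 200, LFIB lookup only
    p2.add_label(200, 300, "PE2")             # transit: 200 -> 300
    pe2.add_label(300, None, "CE-A2")         # egress: pop, hand the IP packet to the customer
    return [pe1, p1, p2, pe2]
```

Running `trace(build_example_path(), "10.2.0.7")` yields push at PE1, swap at P1 and P2, and pop at PE2; a destination with no route is dropped at the ingress PE before any label is pushed.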


SSH Brute Force Mitigation in Junos

November 11th, 2009

I have several Juniper SRX-210 devices configured in remote offices. One of the biggest problems I have is that there are a lot of people that are constantly running scripts against the ssh daemon. Now I could lock it down to only a specified list of allowed IP addresses. This would be the most secure method, but I have a business requirement of being able to connect to this device from many different locations. There is a command you can use to mitigate brute force attempts.

The command limits the number of ssh attempts per minute per source IP to 2: just enough in case you make a mistake during login, but not enough for a script kiddie to run 500 attacks a minute against your firewall.

services {
   ssh {
     rate-limit 2;
   }
}
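To show what the limit described above does to the two kinds of client the post mentions, here is an added Python model (not from the post or from Junos): a per-source sliding window that admits at most 2 attempts per 60 seconds. That the limit is tracked per source address is taken from the post's description, and the timestamps and documentation-range addresses are constructed sample data.

```python
from collections import defaultdict, deque


class SshRateLimiter:
    """Sliding window per source address: admit at most `limit` connection attempts per
    `window` seconds, modelling the behaviour the post attributes to `rate-limit 2`."""
    def __init__(self, limit=2, window=60.0):
        self.limit, self.window = limit, window
        self.admitted = defaultdict(deque)   # src -> timestamps of admitted attempts

    def allow(self, src, ts):
        """Return True if the attempt at time `ts` from `src` is let through to the ssh daemon."""
        q = self.admitted[src]
        while q and ts - q[0] >= self.window:   # attempts older than the window no longer count
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def replay(attempts, limiter=None):
    """attempts: iterable of (timestamp, source). Returns {source: (admitted, dropped)}."""
    limiter = limiter or SshRateLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(attempts):
        stats[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}


# Constructed sample (documentation addresses): an admin who mistypes a password, retries,
# and comes back a minute later; and a script firing 500 attempts within one minute.
SAMPLE_ATTEMPTS = [(0.0, "203.0.113.5"), (5.0, "203.0.113.5"), (70.0, "203.0.113.5")]
SAMPLE_ATTEMPTS += [(i * 60 / 500, "198.51.100.9") for i in range(500)]
```

`replay(SAMPLE_ATTEMPTS)` admits all three of the admin's attempts (the third falls in a fresh window) and only 2 of the script's 500.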

Public DMVPN network.

October 3rd, 2009

I was thinking about a new project idea. I was thinking of setting up a dynamic multipoint VPN concentrator. Put a small LAN behind it with a couple of servers. Put the configuration instructions on a webpage for Juniper and Cisco devices. I was thinking to run BGP routing protocol over the interface as it scales reasonably well.

The important part here is I wanted to create a web form which requests the internal and external address ranges of anyone's network. Once that person submits that information I will have a Perl script pull those messages from the web form, parse the information, insert the networks and IP addresses into a J-Script template and apply it to my Juniper SRX router automatically.

This project will enable Cisco and Juniper students to participate in the environment and create a public VPN network where P2P apps and anything else can run over the network without having to worry about any prying eyes. I want to see how far this project will scale. I was even envisioning a time when other people with idle equipment can volunteer to become a secondary hub to take some of the load once my connection reaches 10 thousand or so tunnels. Because of the way DMVPN works, the tunnels between sites will open up as needed when a user from site A needs to talk to site B. This, combined with using BGP as the routing protocol, will mean that it will require very little bandwidth, as traffic destined from site A to C will not transit site B if site B in this scenario is the hub.

Anyways if anyone out there is interested please leave a comment.

Send me questions and feedback!

July 20th, 2009

I see a lot of you out there find this site through various search engines and many of you are searching for information on GRE tunnels. I just wanted to say how much I appreciate the traffic and I want to let everyone know that creating an account is free and I would love to hear your feedback on articles and any questions you might have.
