Ethical implications of selling routers

I write this while back in Italy at my mother’s. As with many of my peers, visiting the family back in old country means having to do free tech support for them. I loathe that, but for politeness I may oblige.

In this particular case, my neighbour asked me to look at his tablet, because it was showing scammy ads every time he visited the website of the University of Venice. I checked, and besides some fake-protection apps (sigh) the tablet looked fine. I told him to avoid using the stock Samsung browser and prefer Chrome or Firefox, but then I realized something else was amiss.

A very brief check on his home router found that the problem was clearly with that one: the admin password was the default of admin, the router admin page is accessible from the WAN interface (that is, to the whole Internet) and indeed the DNS servers were hijacked. Stop-gap solution was changing the default admin password, and setting Google Public DNS as the new server in DHCP.

Unfortunately the proper solution (disabling remote access to the admin interface) is not viable for this router, because this router model (TP-Link TD-W8961N v2) does not have a firmware update to fix the absurd ACL system that should lock you up from the outside, and that doesn’t, really. Indeed, the firmware that is installed on the device looks newer than the one on TP-Link’s website, but that’s just because it’s the Italian localized version.

Note: make sure you change the default password of your router even if remote access is disabled! While I used not to care and keep admin:admin/admin:password pairs, it’s getting way too easy to hijack browsers and sidestep the remote access limitations.

Up to here it would be your usual tale of people who don’t (and really shouldn’t need to) have a clue about security being caught in the crossfire. Things changed when he told me that he brought the router for servicing to the store he bought it from, because he needed to enable port forwarding for some videogame (he didn’t say which ones). Which means a store sold this insecure device, serviced it, and left the customer in a horribly insecure state.

Unfortunately there is really not much I can do about that store. Even though I could leave a negative review for it, I doubt anybody would be checking those reviews over here. And because they are friendly my neighbour is unlikely to stop going to that store, even though I advised him against it. He was also sure he found a good deal with this router — it was available online for €55 but they sold it for just €29 — but I have a hunch that the online version would have been the same model in V3 form (which includes a firmware to fix the vulnerability above), while the store sold their previous stock of V2.

This goes again to my previous point that technologists have a responsibility towards their users, whether they are geeks or not. I think OpenWrt was a very good starting point for this, unfortunately for what I see the project stagnated and instead a number of commercial projects around it flourished, which only help to a point. Also, while OpenWrt works great if you need a “pure router”, it becomes vastly useless the moment when you live in a country like Italy, where most of the broadband still arrives in form of DSL, and you then need to look for a modem/router.

FSFE boasts a campaign to let you use whichever router you want but, beside being a very local campaign (compulsory routers were never a thing in Italy, for instance, and as far as I can tell, their campaign only focused on the German market), it also opens the possibility that users will choose cheaper, significantly less secure devices because they don’t care or more properly because they don’t realize how bad that is for them and Internet as we know it.

Some time ago, someone on the Italian parliament (I completely forgot who and I don’t care about it right now) proposed a law for which you would have to have a license to be able to install customer-premises equipment — most of the free software people have been against this proposal, including me. But I sometimes wonder if it made sense, to a point. Unfortunately I doubt acquiring that license would provide you the ethics necessary for this kind of job.

I don’t have easy solutions, but I do think we should be thinking about them. We need devices that are actually secure by default, and where the user has to try to make them insecure. We need ways to reuse devices without having to spend more money for them to be replaced, and after-market ROMs or WRT-style firmwares are that, except, because of targets, too many of those don’t apply to the people who need them the most.

IPv6 and networking pain

I’m honestly reconsidering my scepticism towards curses.. mostly because the past two months don’t make much sense without taking that into consideration. I’ve had a long list of hardware, network and power issues, and jobs ended up being bottled up due to that.

Not the latest, and not the worst (but there on the upper side of the list) of said issues happened with the DAP-1160 bridges/access points I used to connect the network segment in my office to the router downstairs. The problem there is that for a long series of reasons I can’t reach it with either an ethernet cable or a powerline adapter, and so I decided to use gigabit within the office, and jump with wireless to the router.

I’ve got those two bridges for about two years now, and they worked mostly well. Mostly, not perfectly. In the past month, though, they started acting up, requiring too often a reboot… the problem is likely tied with them running continuously for a few months and then being turned on and off repeatedly due to the power company blacking me out (14 hours in 14 days.. two lumps of 5 hours, plus a number of on-and-off spikes).

My original implementation for getting this setup to work involved an OpenWRT powered router, and subnetting the office.. but the subnetting became easily a bother, as it added one more router for me to manage, and I didn’t intend to proceed that way. I then replaced said router with Enterprise/Yamato with a WLAN card, but that had its share of troubles as well. At the end I went with the two D-Link devices that created a seamless Ethernet bridge between the two segments, yai!

And now they started failing, so I had to replace them. And since I was out to replace them I wanted to use 11n hardware to run on the 5GHz band rather than 2.4, to avoid most of the interference otherwise present. So after a bit of googling around I ended up buying two Cisco Linksys devices, a WAP610N access point and a WET610N bridge. They are designed to work together, and thus they should have been perfect. Should being the keyword.

What happens with these? Well, the throughput is nice indeed, it’s much faster to connect to the router now. But at the same time.. I lost all IPv6 capabilities.

Now, I learnt the hard way at the time that the 802.11 specifications do not include provisions for wireless-to-Ethernet transparent bridges, and all implementations of those are custom implementations of the manufacturers. I thought Linksys solved that at such a level as well.. but it turns out it didn’t. It actually did something a tad smarter, for the kind of usage they foresaw their hardware to be used for. They parse the third level packets, in particular it seems they parse the ARP packets, to tell the access point which address to send their way… a sort of Network Address Translation at the second level.

Unfortunately, they do not do the same for what concerns the IPv6 NDP, so IPv6 is simply broken here. To be honest, IPv6 works fine in the network segment, because the router advertisement is sent in broadcast, and thus received properly, but all the unicast IPv6 traffic from the router to the bridge (not the other way around, btw) is dropped.
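To make the failure mode concrete, here is an added teaching model (my own code, not Linksys firmware, written from the behaviour described above) of a bridge that hides wired hosts behind its single radio MAC. It rewrites the sender hardware address inside ARP, and only when `handle_ndp` is set does it also rewrite the Source/Target Link-Layer Address options inside ICMPv6 Neighbor Solicitation/Advertisement and recompute the ICMPv6 checksum. The frames, MACs and addresses are constructed sample input; the access point is modelled as forwarding unicast only to MACs it has associated, which is why an ARP-only bridge leaves the router's neighbour cache pointing at a MAC the AP never delivers to.

```python
"""Toy model of a wireless-to-Ethernet bridge that hides wired MACs behind its
radio MAC. Hypothetical teaching code, not Linksys firmware: ARP is always
rewritten; NDP (NS/NA) link-layer options only when handle_ndp=True."""
import struct

ETH_ARP, ETH_IPV6 = 0x0806, 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_NS, ICMPV6_NA = 135, 136
NDP_LLADDR_OPTS = (1, 2)  # Source / Target Link-Layer Address options (RFC 4861)


def icmpv6_checksum(src_ip6, dst_ip6, icmp):
    """RFC 4443 checksum: IPv6 pseudo-header followed by the ICMPv6 message."""
    pseudo = src_ip6 + dst_ip6 + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6])
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed sample: Ethernet broadcast carrying an ARP who-has."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_ARP) + arp


def build_ndp_ns(src_mac, src_ip6, target_ip6):
    """Constructed sample: Neighbor Solicitation carrying a Source Link-Layer Address option."""
    dst_ip6 = bytes.fromhex("ff0200000000000000000001ff") + target_ip6[13:]  # solicited-node group
    icmp = bytes([ICMPV6_NS, 0, 0, 0]) + b"\x00" * 4 + target_ip6 + bytes([1, 1]) + src_mac
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src_ip6, dst_ip6, icmp)) + icmp[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + src_ip6 + dst_ip6
    return b"\x33\x33" + dst_ip6[12:] + src_mac + struct.pack("!H", ETH_IPV6) + ip6 + icmp


def rewrite_frame(frame, wired_mac, radio_mac, handle_ndp):
    """Rewrite one frame leaving the wired segment towards the access point.

    Returns (frame, embedded_mac), where embedded_mac is the link-layer address
    the router on the far side would store in its ARP table / neighbour cache.
    """
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    eth_src = radio_mac if src == wired_mac else src
    payload = frame[14:]
    if ethertype == ETH_ARP and payload[8:14] == wired_mac:
        payload = payload[:8] + radio_mac + payload[14:]  # ARP sender hardware address
        return dst + eth_src + frame[12:14] + payload, radio_mac
    if (ethertype == ETH_IPV6 and len(payload) > 40 and payload[6] == IPPROTO_ICMPV6
            and payload[40] in (ICMPV6_NS, ICMPV6_NA)):
        icmp, embedded, off = payload[40:], None, 24  # options follow the 16-byte target
        while off + 8 <= len(icmp) and icmp[off + 1] != 0:
            otype, olen = icmp[off], icmp[off + 1]
            if otype in NDP_LLADDR_OPTS and olen == 1:
                if handle_ndp and icmp[off + 2:off + 8] == wired_mac:
                    icmp = icmp[:off + 2] + radio_mac + icmp[off + 8:]
                embedded = icmp[off + 2:off + 8]
            off += olen * 8
        if handle_ndp:  # any edit invalidates the checksum: zero it and recompute
            icmp = icmp[:2] + b"\x00\x00" + icmp[4:]
            cks = icmpv6_checksum(payload[8:24], payload[24:40], icmp)
            icmp = icmp[:2] + struct.pack("!H", cks) + icmp[4:]
        return dst + eth_src + frame[12:14] + payload[:40] + icmp, embedded
    return dst + eth_src + frame[12:14] + payload, None


def unicast_reachable(embedded_mac, ap_associated_macs):
    """The AP forwards unicast only to MACs it has associated; anything else is dropped."""
    return embedded_mac in ap_associated_macs


def demo():
    wired = bytes.fromhex("001122334455")  # constructed: a host on the office segment
    radio = bytes.fromhex("66778899aabb")  # constructed: the bridge's radio interface
    v4, gw4 = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])
    v6 = bytes.fromhex("20010db8000000000000000000000010")  # documentation prefix
    gw6 = v6[:15] + b"\x01"
    ap_knows = {radio}
    _, arp_mac = rewrite_frame(build_arp_request(wired, v4, gw4), wired, radio, False)
    _, ndp_mac_arp_only = rewrite_frame(build_ndp_ns(wired, v6, gw6), wired, radio, False)
    _, ndp_mac_fixed = rewrite_frame(build_ndp_ns(wired, v6, gw6), wired, radio, True)
    return {
        "ipv4_unicast_returns": unicast_reachable(arp_mac, ap_knows),
        "ipv6_arp_only_bridge": unicast_reachable(ndp_mac_arp_only, ap_knows),
        "ipv6_ndp_aware_bridge": unicast_reachable(ndp_mac_fixed, ap_knows),
    }


if __name__ == "__main__":
    print(demo())
```

The `ipv6_arp_only_bridge` result is the situation in the post: multicast (the RA, the NS itself) still crosses because the AP floods it, but the router answers to the MAC it learnt from the untouched NDP option, and that MAC is not one the AP will deliver to. A real bridge would also have to track the reverse mapping for frames coming back from the radio side, which this model leaves out.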

I’m not sure if I should just live with it or if I should find a more proper replacement for the 1160 devices. If somebody knows hardware capable of doing such a transparent bridge between wireless and ethernet on the 5GHz band, it would definitely be welcome.. in that case, the Linksys bridge will just limit itself to my bedroom (where it would connect just the consoles and TV, none of which is IPv6 compatible anyway), and the access point would replace the current 11g public network I use for the devices outside of my office.

In the meantime I have more issues to solve. Sigh.

Bypassing hostile NATs

This is the first of a possibly long series of posts detailing some of the issues I’ve been having with a job task of mine, for a customer that paid me way less than they should have. I’m not going to deny that some of this can be just vague rants, and some of it might as well be incorrect. I mostly solved my trouble, but if you have corrections to make, feel free to comment on them.

So, a customer of mine has a small shop of two people (and a secretary), but a number of computers, devices and other amenities, with the result that they’d actually need a dedicated sysadmin; I helped them out for a while for just token prices, since one of them is a friend, and they are passing a rough patch, I just hope they’ll be able to pay me for my time properly at some point.

Unfortunately, there is one big trouble with one of the choices they made before I started helping them out: their ISP does not provide public IP addresses, but they rather provide just five IPs in a private NAT (actually using a non-assigned IP range, which is also bad on its own). This became first a problem because they have more than five computers, but now it’s a problem because I cannot just connect to the boxes on their premises to ensure that they run properly (what I’m working on mainly is a backup server to make sure that they won’t lose their data again, and that I need access to).

One relatively easy way to solve this problem, generally speaking, is to provide the boxes with IPv6 addresses; this works peachy when you have control of the NAT (like I do at home), but it’s a bit more complex when you have hostile NATs in front of you.

My first idea was to use Hurricane Electric’s Tunnel Broker since I remember they started providing, some time ago, VPN access to public IPv4 addresses that could be used to set up IPv6 tunnels behind NAT or dynamic IP connections. Unfortunately, they only provide the VPN through the Microsoft-originating PPTP protocol, which uses the (standard) GRE protocol for sending and receiving the packets. Unfortunately, PPTP does not work through that particular NAT, so I cannot use that option.

The Teredo protocol comes as a natural solution as it is designed for that specific purpose: avoiding special-protocol packets, such as 47 (GRE) or 41 (IPv6-in-IPv4). There are just two problems with this option: the first problem is that Teredo only works with one host/address and not a full network, so I have to proxy myself through that to be able to connect to the various boxes. The second is that the IP address the Teredo address is declared from depends on the outgoing NAT access which is not under my control at all.

Since my first direct option (using DynDNS) was out of reach, as it does not support IPv6 addresses, I went to look at a technique that I remember was designed just to solve this kind of trouble: mobility. The Mobile IP technique and technologies are supposed to provide stable addressing for nodes that may be roaming between different networks and network technologies. For instance for laptops that can switch between normal cable-based Ethernet and Wireless LAN, or for mobile phones that can switch cell or move from UMTS to Wireless network on ADSL. All in all, it seems a pretty cool idea.

Unfortunately there are a number of issues with that idea; while Linux nowadays has in-kernel support for Mobile IP, running a Home Agent (router/server for the Mobile IP system) requires some software stack that is not available in Gentoo and as far as I know is not even regularly released at all. Interestingly enough, thorough documentation on MIPv6 is available on the same site that helped me with my Dell laptop so I have to thank again Arnauld.

There are many reasons why I think it’s overkill to work on MIPv6 at this point in time, at least for external routing (I still wonder if it might solve the problem of laptops switching between the two interfaces within my home network); first of all, there is the encapsulation problem; to be able to use MIPv6 over Teredo, you end up with a very complex stack: IPv4 / UDP / IPv6 / ESP / IPv6 / TCP / data; but not just that, even if it was an acceptable stack, it requires you to run at least two daemons on the Home Agent system, and to use a custom Teredo server, as it requires a higher MTU than the protocol specifies as default.

It wouldn’t be very difficult to do (the miredo package available on Gentoo provides both client and server for miredo, although I guess I wouldn’t mind having a client-only install), if it wasn’t for one particular requirement: to run a miredo server you need two public IP addresses — for compatibility, you also need the two to be one IP from the other. I have the two IPs but I’m not sure if I want to use them for this kind of work. Also, it will make my customer’s access (and internal IPv6 network, which they don’t care about, but I do, when I’m there with my laptop) depend on the availability of my home network which is not a given.

All in all, MIPv6 is a nice thing, but until there will be enough providers to hand out either native, or near-native IPv6 connectivity (6to4, 6rd), it’s probably just going to be some kind of “technology preview”. Sigh, I wish more home routers configured themselves by default to provide at least 6to4 to home networks, that would make it much nicer a tool.

The next solution was obviously to go back to the original idea of using dynamic hosts, but that’ll be a rant for tomorrow.

If my router was a Caterpie, it’s now a Metapod

And this shows just how geek I can be, by using as the title for the post one of the Pokémons whose only natural attack is … Harden!

Somebody made me notice that I’m getting more scrupulous about security lately, writing more often about it and tightening my own systems. I guess this is a good thing, as becoming responsible for this kind of stuff is important for each of us: if Richard Clarke scared us with it we’re now in the midst of an interesting situation with the Stuxnet virus, which gained enough attention that even BBC World News talked about it today.

So what am I actually doing for this? Well, beside insisting on fixing packages when there are even possible security issues, which is a general environment solution, I’ve decided to start hardening my systems starting from the main home router.

You might remember my router as I wrote about it before, but to refresh your mind, and explain it to those who didn’t read about it before, my router is not an off-the-shelf blackbox, nor is it a reflashed off-the-shelf box that runs OpenWRT or similar firmwares. It is, for the most part, a “standard” system. It’s a classic IBM PC-compatible system, with a Celeron D as CPU, 512MB of RAM and, instead of standard HDDs or SSDs, it runs off a good old fashioned CompactFlash card, with a passive adapter to EIDE.

As “firmware” (or in this case we should call it operating system I guess) it always used a pre-built Gentoo; I’m not using binpkgs, I’m rather building the root out of a chroot. Originally, it used a 32-bit system without fortified sources — as of tonight it runs Gentoo Hardened, 64-bit, with PaX and ASLR; full PIE and full SSP enabled. I guess a few explanations for the changes are worth it.

First of all, why 64-bit? As I described it, there is half a gigabyte of RAM, which fits 32-bit just nicely, no need to get over the 4GiB mark; and definitely a network router is not the kind of appliance you expect powerful CPUs to be needed. So why 64-bit? Common sense wants that 64-bit code requires more memory (bigger pointers) and has an increased code size which both increase disk usage and causes cache to be used up earlier. Indeed, at first glance it seems like this does not fall into two of the most common categories for which 64-bit is suggested: databases (for the memory space) and audio/video encoding (for the extra registers and instructions). Well, I’ll add a third category: a security-oriented hardened system of any kind, as long as ASLR is in the mix.

I have written my doubts about ASLR usefulness — well, time passes and one year later I start to see why ASLR can be useful, mostly when you’re dealing with local exploits. For network services, I still maintain that most likely you cannot solve much with ASLR without occasionally restarting them, since less and less of them actually fork one process from another, while most will nowadays prefer using threads to processes for multiprocessing (especially considering the power of modern multicore, multithread systems). But for ASLR to actually be useful you need two things: relocatable code and enough address space to actually randomize the load addresses; the latter is obviously provided by a 64-bit address space (or is it 48-bit?) versus the 32-bit address space x86 provides. Let’s consider a bit the former.

In the post I linked before, you can see that to have ASLR you end up with either having text relocations on all the executables (which are much more memory hungry than standard executables — and collide with another hardened technique) or with Position-Independent Executables (PIE) that are slightly more memory hungry than normal (because of relocations) but also slower because of sacrificing at least one extra register to build PIC. Well, when using x86-64, you’re saved by this problem: PIC is part of the architecture to the point that there isn’t really much to sacrifice when building PIC. So the bottomline is that to use ASLR, 64-bit is a win.

But please, repeat after me: the security enhancement is ASLR, not PIE.
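Since PIE is only the prerequisite and the kernel's randomisation is the actual protection, a practical check has two halves: is the executable relocatable (ELF type `ET_DYN`) and does the kernel randomise (`/proc/sys/kernel/randomize_va_space`). The following ELF header audit is an added example of mine, not from the post or from Gentoo Hardened's toolchain; it also reads the `PT_GNU_STACK` program header, whose `PF_X` flag decides whether the stack is executable, which is the binary-side half of the W^X policy the post enables through PaX. `make_sample_elf64` builds constructed minimal images so the check runs offline; `audit_file` runs it on a real binary.

```python
"""Audit an ELF image for what the post says ASLR needs from the binary: ET_DYN
(PIE, so the text can be relocated) and a non-executable stack (PT_GNU_STACK
without PF_X). Added example, not part of the post or of any Gentoo tooling."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def audit_elf(data):
    """Return {'class', 'pie', 'exec_stack'}; exec_stack is None when no PT_GNU_STACK exists."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    cls, endian = data[4], ("<" if data[5] == 1 else ">")
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    if cls == 2:    # ELF64: e_phoff at 32 (8 bytes), e_phentsize/e_phnum at 54
        e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        ph_fmt, flags_idx = endian + "IIQQQQQQ", 1  # p_type p_flags p_offset ...
    elif cls == 1:  # ELF32: e_phoff at 28 (4 bytes), e_phentsize/e_phnum at 42
        e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        ph_fmt, flags_idx = endian + "IIIIIIII", 6  # p_type p_offset ... p_flags p_align
    else:
        raise ValueError("unknown ELF class %d" % cls)
    exec_stack = None  # no PT_GNU_STACK: old toolchain; Linux then assumes an executable stack
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_GNU_STACK:
            exec_stack = bool(fields[flags_idx] & PF_X)
    # ET_DYN on an executable means PIE; shared libraries are ET_DYN too, so feed executables only
    return {"class": 32 if cls == 1 else 64, "pie": e_type == ET_DYN, "exec_stack": exec_stack}


def aslr_applies(report, randomize_va_space):
    """Load-address randomisation needs both a PIE and the kernel knob on (1 or 2)."""
    return report["pie"] and randomize_va_space >= 1


def make_sample_elf64(e_type, stack_flags):
    """Constructed minimal x86-64 ELF: 64-byte header plus a single PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


def audit_file(path):
    """Audit a real binary on disk, e.g. audit_file("/bin/ls")."""
    with open(path, "rb") as fh:
        return audit_elf(fh.read())


if __name__ == "__main__":
    print(audit_elf(make_sample_elf64(ET_DYN, PF_R | PF_W)))           # hardened-style image
    print(audit_elf(make_sample_elf64(ET_EXEC, PF_R | PF_W | PF_X)))   # pre-hardening style
```

On a live system, combine `audit_file` with the integer read from `/proc/sys/kernel/randomize_va_space`: a PIE on a box with that knob at 0 gets the relocation cost the post describes and none of the benefit.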

Okay so that covers half of it; what about SSP? Well, Stack Smashing Protection is a great way to … have lots to debug, I’m afraid. While nowadays there should be much fewer bugs, and the wide use of fortified sources caused already a number of issues to be detected even by those not running a hardened compiler, I’m pretty sure sooner or later I’ll hit some bug that nobody hit before, mostly out of my bad karma, or maybe just because I like using things experimental, who knows. At any rate, it also seems to me like the most important protection here; if anything tries to break the stack boundary, kill it before it can become something more serious; if it’s a DoS, well, it’s annoying, but you don’t risk your system to be used as a spambot (and we definitely have enough of those!) — at least for what concerns C code, it does not do any good for bad codebases unfortunately.

Now the two techniques combined require a huge amount of random data, and that data is fetched from the system entropy pool; given that the router is not running with an HDD (which has non-predictable seek times and thus is a source of entropy), has no audio or video devices to use, and has no keyboard/mouse to gather entropy from, it wouldn’t be extremely unlikely to think of a possible entropy depletion attack. Thankfully, I’m using an EntropyKey to solve that problem.

Finally, to be on the safe side, I enabled PaX (which I keep repeating, has a much more meaningful name on the OpenBSD implementation; W^X), which allows for pages of executable code to be marked as read-only, non-writeable, and vice-versa writeable pages are non-executable. This is probably the most important mitigation strategy I can think of. Unfortunately, the Celeron D has no NX bit support (heck, it came way after my first Athlon64 and it lacks such a feature? Shame!) but PaX does not have that much of a hit on a similar system that mostly idles at 2% of CPU usage (even though I can’t seem to get the scaler to work at all).

One thing I had to be wary of is that enabling UDEREF actually caused my router not to start, reporting memory corruption when init started.. so if you see a problem like that, give it a try to disable it.

Unfortunately, this only protects me on the LAN side, since the WAN is still handled through a PCI card that is in truth only a glorified Chinese router using a very old 2.4 kernel.. which makes me shiver to think about. Luckily there is no “trusted” path from there to the rest of the LAN. On the other hand if somebody happens to have an ADSL2+ card that can be used with a standard Linux system, with the standard kernel and no extra modules especially, then I’d be plenty grateful.

More details on how I proceeded to configure the router will come in further posts, this one is long enough on its own!

I learn from my mistakes: no more black-box routers

For a series of (un)fortunate happenings at home, I decided to move the phone and ADSL subscription for my house from the previous owner (my mother) to myself as a business entity (since the main use of it is, anyway, the internet connection I use for work), back in November.

My previous provider was Wind/Infostrada; while the service wasn’t perfect it was mostly good enough, but I ended up switching provider. Why? Because their accounting system didn’t allow them to transfer my phone number from the previous (personal) account to a new (business) account: they could move it to business only by changing the number, but I really wasn’t keen on the idea of losing my main phone number that has served us for over twenty years over this.

A quick round of calls to other providers turned out that the ex-monopolist (Telecom Italia), with their near-mob business practice refuses to move a personal account with a different provider to a business account with them (they suggested me to move to them, then change the subscription from personal to business, but also noted that “it would definitely cost a lot” — and if they consider the thievery of their mobile subscription a good offer, I’m not sure I want to know what it would mean to “cost a lot”), and that half the other providers don’t provide ADSL2+-modulated lines (while I cannot reach the promised 20MB because of the distance from the nearest exchange, at least ADSL2+ is generally more noise-resilient than the standard ADSL modulation pushed to 8Mbit — the default for non-2+ lines in Italy).

Tiscali, on the other hand, has a decent offer, it cost me just as much as I paid before, they provided the wireless router without surcharge, 20Mbit ADSL2+ line. The phone line was to be switched to VoIP but that wasn’t much of a problem, I thought, as I still need a UPS to power the cordless phone and I still keep it running for the two laptops. And they were ready to move my phone number from private to business, changing the account holder and provider all in one move. Cool, I thought.

The first problem came when Wind/Infostrada decided to cut my line seven days shorter than it was supposed to: after a few days of bickering with Tiscali people on the phone (not a toll-free call either, since I had to call from my cellphone), they finally told me that they knew of that particular business practice coming from Wind (and from another provider, FastWeb), and that they could only offer to manage the reimbursement for me. Okay not their fault, still not a nice thing to have seven days downtime because of that.

Line worked fine up to yesterday: I connect at a variable speed between 4Mbit and 6Mbit, as usual (although I have a mostly-constant 900kbit upstream which is one thing I was very much looking for), static public IP address. One problem though: they don’t allow me to be directly connected to Internet. As their router also is the VoIP client (and provides two RJ11 connectors for the phones — only one is active, the other is for the two-lines configuration), it has to talk with their servers, so you cannot just ask for a DMZ host. The configuration pages for the router allows you to set a bunch of port redirections, even multiple ports at once, but then again you have a lot of “reserved ports” so you have to insert a long list of redirections ignoring the ports that are used by the VoIP connection (this sounded fishy, why couldn’t they assign an internal IP to the router and use that to talk with their VoIP servers?).

Yesterday, the shit hit the fan: while I was updating the PostgreSQL installation on vanguard (the vserver hosting my blog), I lost entirely the connection. Thankfully I have a backup line on both the neighbour’s network and on the cellphone so I’m not entirely cut out, but it definitely was some trouble even just for the moment it happened. Okay, no hurry, wait the usual 20 minutes to see if it’s a temporary problem, but no it’s not that.

The router seems not to find the ADSL connection at all for a while, then it finds it, connects, tries to authenticate… sometimes it works, sometimes it doesn’t. When it works, the connection is established for about 40 seconds then it goes away again. The funnier stuff? Each time the wireless network is also restarted entirely, so it’s a software-reboot of the router each time. And this is not all: when I was still waiting for Wind to give up the line to Tiscali I used the router as simply an access point, without Internet connection but with wireless turned on, and it worked great. Now, if it cannot establish an Internet connection, it disables wireless entirely after a few minutes.

What do you say? A firmware update? Yes, it seems to me as well. They can do remote updates, as they need to do that to change the connection parameters; most likely, something went awry with the update, or something in my use of the router is no longer well supported. The result is the same for me though: I’ve lost connectivity on my business line!

Once I called the tech support (again, not a toll-free call) they told me that technicians would be verifying the line, and that the ETA is between 24 hours and 7 solar days. What?! A whole week to check a line? A business line? When the problem is most likely the router itself? Terrific, I’d say. So I ask if they can give me the SIP parameters for the VoIP line (I have a VoIP-capable phone at home because I have my own, ISP-independent office number over VoIP), and they “obviously” tell me that it’s not possible, as they are only hardcoded into the router’s firmware and not available to their own users.

Oh shit.

So the result is that I’m now waiting for Monday to call another service provider (Telecom Italia) and move my connection to them; even if the connection problems were to be solved Monday or Tuesday, there are way too many things that don’t work out with their setup:

  • the (static, public) IP they provided me is still masked in quite a bit of different spam blacklists as my provider is considered “unresponsive”; I have no idea what the status of Telecom Italia is but at least I get better chances with that;
  • the VoIP line was quite clear by itself, but having no voicebox, no in-call incoming call warnings, and no way to configure my own phone to handle that is a bit too much to compromise;
  • further, even though I can redirect most ports (I don’t care about the reserved ones) the redirection only works for TCP and UDP protocols, I have no way to configure IPv6 that way, as HE6 doesn’t get through;
  • and the two notes above are combined with the fact that they force me onto hardware that I have no control of, and that they seem instead to have control of (as the behaviour changed, and the only way to do that is to reflash it remotely).

So at the end, given that from the website, Telecom will let me use my own hardware for connectivity, and will provide me with a real phone line, I’m going to be more than happy to switch. I guess it helps that a friend of mine works for them, so I would know who to “yell” at if something goes wrong.

More router improvements

My router project is the idea of running Gentoo Linux as main home gateway, on an embedded-like system (not really embedded since it’s a Celeron 2.80GHz), without Portage installed in the runtime system, and without some part of the so-called system (that I still think should be reduced).

While there are still lots of minor details I haven’t even started looking into yet, there are a few things that already started being fixed up, for instance last week I cracked down on packages that don’t set RDEPEND/DEPEND properly (hostapd was in that list and I needed it).

Today one more little fix entered the tree that was required by my router: glibc no longer runtime-depends on binutils; or rather it does no longer need to. Previously the nscd (name service cache daemon) init script used the strings command to find out the pid file to use for each start and stop request. Since the file does not change on disk after the build, at least 2.10.1 now checks for the pidfile at install time and then replaces it in the init script. Dropping the dependency.

Now I got to say that the router is working mostly fine, so I don’t think I’ll be tinkering with it for a while, at least until I get the entropy key and I’ll start packaging the ekeyd daemon. This is also due to the fact that I have to reduce the time employed in that to return to work and other more important Gentoo things. This does not mean I’ll abandon the idea of fixing the system set so that it can be vastly reduced.

Hopefully I’ll be able to entangle enough between my normal Gentoo work and the router-specific work in the future. In the meantime, I’m happy to accept gifts (especially useful stuff like the testing strips — the Italian health service only pass me 50 strips every three months, which is less than one test a day) and kudos to prod me on continuing pursuing all free software work I have scheduled.

Avoiding captive redirects on Libero/Wind/Infostrada

New chapter of my router project; if you don’t care to follow it, you probably don’t want to read this at all.

Libero – or Infostrada, Wind, how the heck do you want to call it today – is my provider. Like other providers in Italy, who have probably noticed their users using OpenDNS instead of the standard DNS they provide, they started providing “captive redirects” on failed urls: when you mistype an URL or you try to access an hostname that does not exist, they redirect to their own servers, using their own “search engine” (nowadays just a Google frontend!).

This breaks quite a few assumptions, including the fact that the .local domains won’t resolve in the standard DNS servers, which in turn makes nss-mdns almost unusable.

Up to a couple of months ago, Libero only provided this service in the primary nameserver, and if you switched around primary and secondary servers, you sidestepped the issue (that was the actual advertised procedure by the Libero staff, on the public page that was linked from within the search results). Unfortunately this had other side effects, for instance the time needed for the update of records more than doubled, which was quite boring with dynamic DNS and with newly-created domains.

Luckily, pdnsd supports blocking particular IP returned by the results to avoid the fake records created for captive redirects, and the example configuration file itself provides an example for using that with OpenDNS to avoid falling into their redirected Google host (quite evil of them in my opinion). And in particular, at the time, there was only one host used for captive redirect, so the rule was quite simple.

Fast forward to today, the rules have changed; first of all it seems like Libero now uses redirects on both servers (or the secondary fails so often that it always responds from the primary), and most importantly they increased the number of IPs the redirects respond from. After counting four different IPs I decided to go with something more drastic, and ended up blacklisting the whole /24 network that they belong to (which is assigned, in RIPE, to Tiscali France… which is quite strange). I’m not sure if I ended up blacklisting more than I should have; for now it blacklists just enough for me to keep on browsing the net without adverse effects that I can see, and it also no longer stops me from enjoying .local domains… and Firefox auto-search with Google when the hostname does not exist.

For those interested, the configuration section is this one:

server {
  label = "libero";
  ip = 193.70.152.15, 193.70.152.25;   # Libero's primary and secondary nameservers
  proxy_only = on;                      # ask these servers only, never recurse ourselves
  timeout = 4;
  # answers pointing into these networks are the captive-redirect hosts: drop them
  reject = 195.210.87.131/32, 62.210.183.0/24;
}

The first IP (a single host) is the one that was used earlier, I keep it on the blacklist just to be on the safe side.
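To see what the reject line actually does, here is an added example (mine, not the post's or pdnsd's code) that applies the same two networks to a list of A records and flags a lookup whose only answers come from the redirect range; the live probe at the end is an assumption about how one would check a resolver from cron, using a random name under the reserved .invalid TLD, which must never resolve.

```python
"""Emulate pdnsd's `reject` filter on a resolver answer and spot captive redirects.

Added example, not part of the post or of pdnsd: it applies the reject list
from the server section above to a list of A records and tells you whether
the ISP turned an NXDOMAIN into a landing-page address.
"""
import ipaddress
import random
import socket

# Networks from the post's pdnsd `reject` line.
REJECT = [ipaddress.ip_network(n) for n in ("195.210.87.131/32", "62.210.183.0/24")]


def filter_answers(answers, reject=REJECT):
    """Split A records into (kept, dropped): dropped ones fall inside a rejected
    network. This mirrors pdnsd's reject option, minus its reject_policy handling."""
    kept, dropped = [], []
    for a in answers:
        addr = ipaddress.ip_address(a)
        (dropped if any(addr in net for net in reject) else kept).append(a)
    return kept, dropped


def is_captive_redirect(answers, reject=REJECT):
    """True when every address returned belongs to the redirect range, i.e. the
    resolver answered a name that should not resolve with its own landing page."""
    kept, dropped = filter_answers(answers, reject)
    return bool(dropped) and not kept


def probe_resolver(reject=REJECT):
    """Live check (needs network, assumed usage): look up a random name under the
    reserved .invalid TLD, which must never resolve. Returns 'nxdomain',
    'captive' or 'unexpected-answer' so the check can run periodically on the router."""
    name = "probe-%08x.invalid" % random.getrandbits(32)
    try:
        addrs = socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return "nxdomain"
    return "captive" if is_captive_redirect(addrs, reject) else "unexpected-answer"
```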

New network topology

While working on my router project, I’ve redone most of my logical network topology, changing the way subnets are assigned, and so on. This has actually helped me to have dual-homed computers (the iMac and the laptops) with different routing for Internet and local requests, as well as allowing me to have ACLs that work depending on whether a client is listed as known or not.

Topology preview

Together with that, I also decided to draw my network’s topology again, this time using Cisco’s icon library. A few notes on that icon library: while it’s available for free use, they provide the icons only in EPS format, which is fine for Adobe Illustrator users but not for Inkscape users. Most of the EPS-to-SVG conversions you can find around the net make use of pstoedit with plotutils… for some reason the result of that conversion with Cisco’s icons is tremendously bad, so I went with an alternative approach: I converted them to xfig files with pstoedit (but without plotutils); in turn, Inkscape can load xfig files just fine, so I just had to drag and drop the xfig file from Nautilus.

As you can see, the physical topology in itself is not really simple: I have at least three fixed rooms, and a handful of handheld devices (sorry for the pun). In my office I have Yamato (which routes all the wired traffic), the iMac, the good old Enterprise, and usually at least one laptop; in my bedroom I have the AppleTV, the PlayStation 3, the Bravia LCD TV (yeah, that one connects to the net as well… it also supports DLNA, but until I package Rygel it’s unlikely I’m going to have it working), and since yesterday, the Wii (more on this in a moment). The laser printer is, out of convenience, in the living room, connected through an AirPort Express AP (I am considering moving it to the hall where the router is; then I can just set up CUPS on the router and be done with it).

Speaking of the Wii, it turns out that, while out of the box it connected to my unprotected network fine, it failed to work after the system update. It worked fine, though, with the neighbour’s protected network. Luckily, the ZyXEL AP I’m using is high-end enough to support MESSID mode (Multiple-ESSID), with different security configurations per network, so I simply created a new (hidden) WLAN with WPA2-PSK to get it to work.

I’ll write more about the logical topology (subnets and so on) in the next few days, showing how I actually configured the stuff for the router; unfortunately I’m not really completely set myself so I don’t want to write about half-setups just yet.

First startup of the router

Tonight I tried the router for the first time in its official capacity as my main home gateway. It wasn’t really a good start, to be honest.

The first problem was the noise: my mother complained that the fans were too loud, so I wanted to go with my backup plan (replacing the main CPU fan with a fanless heatsink). Unfortunately it didn’t work out at all: there’s a capacitor in the way where the heatsink should go. Short of my intervention in the form of a power drill on the (quite expensive) copper heatsink, it will never fit; said intervention is scheduled for tomorrow.

Having sidestepped that for the moment (“Sure mom, I’ll fix it, just give me tonight to test it out!”), the next problem waiting in line was the startup: in the hurry of fixing up the init scripts so they would actually start, I made a mistake, and I had to take the null-modem cable out again and fix the boot over the serial console. Unfortunately I wanted to do that with my newly fixed MacBook Pro running the newly updated Snow Leopard, but the null-modem cable had the WCH314 serial converter rather than the PL2303 (the only one I have at home that works with OS X – note to self: order some more PL2303 converters), so I had to pick up the right one again.

_Queued up to fix tomorrow I got: a very custom init script to convert the ethers file into a dhcpd-compatible list of known clients, and a fix to the pdnsd init script so that it will create the cache directory if it doesn’t exist (otherwise, the daemon will silently fail to work which is definitely not what you want!)._

The final problem is with the DHCP protocol and the modem itself. The modem is actually a so-called modem/router, itself running Linux. Unfortunately, the way it handles DHCP requests seems not to be fully compatible with either dhcpcd or dhclient: the former tries to validate the provided address and then times out (falling back to IPv4LL, i.e. zeroconf, addresses), and the latter tries to renew the lease every 30 seconds, without actually setting up the routes for the Internet connection.

On the other hand, hostapd seems to work fine and handles multiple clients just fine. Thanks to the fact that I can finally handle this stuff the way I want, I created a single, open wireless network (I live in the middle of nowhere; whoever comes close enough to my wifi to connect would be in my garden!), where the authorized clients sit in one subnet and are allowed to talk to each other, while the unauthorized clients are left in a different subnet, able to talk among themselves but not to the authorized ones, and can still connect to the Internet (but only passively). The latter is quite helpful so that I don’t have to register all the laptops I get to fix, or all the PSPs that connect at my home.
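The known-versus-unknown split above, and the ethers-to-dhcpd conversion queued up earlier, are the DHCP half of that setup; here is an added example (mine, not the author's init script) that turns ethers(5) lines into `host` stanzas and two pools in one shared-network, so known MACs lease from one subnet and everyone else from the other. The sample ethers content and the two /24 ranges are constructed assumptions; the firewall rules between the subnets are not part of this.

```python
"""Turn an ethers(5) list of known MACs into a dhcpd.conf fragment.

Added example, not the author's init script: known clients become `host`
stanzas, and two pools in one shared-network put known and unknown clients
in different subnets on the same open wireless link.
"""
import re

# Constructed sample in ethers(5) format ("<MAC> <hostname>"); not a real file.
SAMPLE_ETHERS = """\
# known clients
00:11:22:33:44:55  imac
0:1:2:3:4:5        laptop   # ethers(5) allows single-digit octets
"""

_MAC_RE = re.compile(r"^([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+(\S+)$", re.I)


def parse_ethers(text):
    """Return [(mac, hostname)] with MACs normalised to xx:xx:xx:xx:xx:xx."""
    hosts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _MAC_RE.match(line)
        if not m:
            raise ValueError("malformed ethers line: %r" % raw)
        mac = ":".join("%02x" % int(o, 16) for o in m.group(1).split(":"))
        hosts.append((mac, m.group(2)))
    return hosts


def render_dhcpd(hosts, known=("192.168.1.0", "192.168.1.100", "192.168.1.199"),
                 guest=("192.168.2.0", "192.168.2.100", "192.168.2.199")):
    """Subnets (network, first, last) are assumptions, not the post's real ones.

    A pool with `deny unknown-clients` only serves MACs that have a `host`
    stanza; the `allow unknown-clients` pool only serves everyone else.
    """
    out = ["shared-network wlan {"]
    for (net, lo, hi), rule in ((known, "deny unknown-clients"),
                                (guest, "allow unknown-clients")):
        out += ["  subnet %s netmask 255.255.255.0 {" % net,
                "    pool { %s; range %s %s; }" % (rule, lo, hi),
                "  }"]
    out.append("}")
    for mac, name in hosts:  # a host stanza without fixed-address just marks it known
        out.append("host %s { hardware ethernet %s; }" % (name, mac))
    return "\n".join(out) + "\n"
```

Feed it the real `/etc/ethers` and include the output from dhcpd.conf; a malformed line raises instead of silently producing a config that dhcpd would reject at startup.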

For all those who thought that the whole idea was moot and that using Gentoo in such a system is too difficult: the only ebuild I had to overlay locally was file, which is now fixed in Portage and even on stable systems; the rest worked fine with some tweaks. Of course there are a few more issues (for instance a lot of packages install Perl-based scripts that are absolutely not mandatory, and I’d like those to have a perl USE flag in the future), but the whole idea is not bogus and it works fine. Using simply emerge --config-root and some custom configuration files, the resulting system is 164MB big, and with the due fixes to device.map even setting up GRUB was quite painless.

I guess the absolute final step would be to create a Rails application to manage the router, akin to the web interface of most commercial solutions. Yes, I know that dd-wrt and other open-source firmware for “classic” routers already have interfaces, but if I have to write something, I’m most certainly going to implement it in Ruby, as silly as that might sound. And to make things worse, if I do, I’ll be using sudo to launch the commands, getting the password over the net… okay, I’m definitely overthinking something I’m most likely never going to do.

And for those of you who know me and my mania for Star Trek names (even my cellphones are called Danube and Delta Flyer), this one got a quite famous name: Deep Space 9. After all, it is somewhat of a base station to another quadrant of the net!

P.S.: Here I might as well ask the lazyweb for some help; I am planning two things that I haven’t even started implementing yet: IPv6 support for my network and QoS for the VoIP connections (I usually have two on this network, my cellphone and the DECT phone). For the former, I did request registration with SixXS, but I missed the “no free mail providers” bit and registered with the GMail address, and was thus rejected; I’m now waiting in the queue to see whether the staff can rescue my request or not. In the meantime I have no idea how to set up IPv6 properly without leaving myself open to the world; ideas?

As for QoS, does anybody have an easy link that explains how to set it up? All the stuff I found while skimming through seems to be trying to explain how it works rather than how to make it work; and I really don’t care how it works as much as making sure that all the VoIP traffic can trump the P2P and HTTP traffic (so that if I’m downloading a new FreeBSD ISO I can still make calls properly). Ideas?

Not always Gentoo’s fault

Continuing the story of building my own custom-tailored router, I have to say that sometimes the problems I run into are nowhere near being Gentoo problems: they are upstream problems.

Among these problems you can find, for instance, ntp forcing readline (my router would work perfectly fine without readline), and lilo not playing nice with installing on a USB compact flash drive without first trying to guess what the BIOS will say about it.

Indeed, most of the problems I’m likely to encounter are due to brokenish software that is not designed to work in those cases; of course this is no good excuse for ignoring the issues altogether: we should most likely fix those things and patch them out (for instance, see automagic dependencies, which we have documented properly).

And for those who asked, this is a photo of the current status of the router:

(photo: dscn2727.jpg)

The case is one designed for HTPCs; it seemed the best choice to have something that looked at least nice: the bad side is that it has some faux DVD drives on the front, the good side is that it has the USB ports hidden by default. The mainboard is an ASRock, no clue about the specs themselves; it has a 2.8GHz Celeron CPU, an on-board VIA Rhine network card, an Atheros AR5008 wireless card and three Sundance network cards (I bought four to make sure that if one is faulty I don’t have to have three network drivers loaded — I would have preferred having a single model of network card, but it’s difficult to find the name of the chip on whatever card when you buy the cheapest available in the shop). Since I’m currently considering wiring up my whole house (and possibly the garage, so I can actually move my servers out there) with gigabit cables, I might switch one of the cards for the Intel Pro/1000 I have at home so that it would talk the right speed. Inside the case there’s a D-Link ADSL2+ pass-through modem, connected to the Rhine; of the other three cards, one I’ll use as console, and one is going to be connected to the IP phone downstairs.

Also, since this system sounds like the perfect case for it, and the shop opened just today, I wanted to get an Entropy Key for it (no input from the system, no hard drive, and I’m going to use this with OpenVPN as well). Unfortunately it seems I was the first European VAT-registered customer, and the procedure isn’t exactly up to speed yet. Hopefully once this is cleared and I get the keys, I’ll be packaging the software to use them under Gentoo (since I’m going to use it in the router, I’ll be getting two, one connected to Yamato so that I have a test source).

Right now, I’m trying to find out how to make syslinux boot my flash drive, since lilo fails and I don’t think I want to try with GRUB… syslinux would be an option, but it looks to me like extlinux (for use with ext2/3/4 partitions) doesn’t work as intended either. If somebody has another idea, I’ll be happy to hear it!