Networking

I wanted to increase throughput to our file server based on Windows Server 2012, as it was getting hit pretty hard at peak hours. Of course, that's much easier now that Microsoft has finally implemented built-in support for NIC teaming, so I was very excited to try it out.

On the server side, everything can be done in a few simple steps through the GUI.

Just go to Server Manager and click the link beside the NIC Teaming option, or run LbfoAdmin.exe.


That opens the NIC Teaming window, where you'll see the currently configured NIC teams and their status, as well as the adapters available for teaming.


Select the available adapters, right-click your selection and choose Add to New Team.

On the next screen, enter an arbitrary name for the NIC team, select or deselect the adapters you want, and open Additional properties to fine-tune the team.

For Teaming mode, choose LACP, and for Load balancing method choose Address hash. Load balancing based on address hash seemed the most reasonable choice for a machine serving multiple users simultaneously.


Note that although Switch Independent NIC teaming sounds appealing because it works with any switch, even cheap consumer-grade ones, it has its limitations: it load-balances only the server's outbound traffic, while all inbound traffic arrives through a single server interface. That can still be useful in scenarios with a lot of outbound traffic, such as web servers.

On the Cisco switch, in our case a Catalyst 3750G, set:

the load-balancing mode based on addresses, in global configuration mode:

port-channel load-balance src-dst-ip

create an interface for your port-channel group:

interface Port-channel1

add the physical interfaces to the port-channel group, in interface configuration mode, with:

channel-group 1 mode active

and set the channel protocol for them:

channel-protocol lacp



A few days ago there was a sale on Namecheap.com and I got a domain for $0.89. Mostly because DynDNS.com has drastically cut back its free services, I wanted it for personal use on my home machine, which gets its IP dynamically. Since I'm a fan of DD-WRT and have been using it for quite a while on my home router, I wanted it to update my DNS record whenever its IP changes. Out of the box DD-WRT doesn't support Namecheap's DDNS service, but it can be customized to work with it.

After an hour or so of testing and googling, here is the only configuration I managed to get working on the latest release of DD-WRT, v24-sp2 (05/27/13) std (SVN revision 21676).

DDNS Service: Custom
DYNDNS Server: dynamicdns.park-your-domain.com
Username: yourdomain.com
Password: password you got from namecheap ddns service
Hostname: hostname or enter @ if you want to point directly to your domain

URL: /update?domain=yourdomain.com&password=1111111111111111111&host=

Note: Don't enter anything after &host=, even if you have a subdomain.
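As an added example (not from the original post, and not DD-WRT's own DDNS client), here is a small POSIX shell script that performs the same Namecheap update from any machine and, unlike the router's status page, actually checks the reply. The endpoint and query parameters are the ones given above; that the endpoint is reachable over HTTPS and answers with XML containing an ErrCount element is assumed here, as are the example domain, host and password.

```shell
#!/bin/sh
# Added example, not part of the original post: update a Namecheap dynamic DNS
# record and verify the answer. Endpoint and parameters follow the post; the
# HTTPS scheme and the <ErrCount> element in the reply are assumptions.

NC_ENDPOINT="https://dynamicdns.park-your-domain.com/update"

# Build the update URL. The "ip" parameter is optional: without it Namecheap
# uses the address the request came from, which is what a home router wants.
build_update_url() {
    domain="$1"; host="$2"; password="$3"; ip="$4"
    url="${NC_ENDPOINT}?domain=${domain}&host=${host}&password=${password}"
    if [ -n "$ip" ]; then
        url="${url}&ip=${ip}"
    fi
    printf '%s' "$url"
}

# Extract ErrCount from the XML reply; prints the number, or "unknown" when
# the element is missing (e.g. an HTML error page came back instead).
parse_errcount() {
    reply="$1"
    count=$(printf '%s\n' "$reply" \
        | sed -n 's/.*<ErrCount>\([0-9]*\)<\/ErrCount>.*/\1/p' | head -n 1)
    if [ -z "$count" ]; then
        printf 'unknown'
    else
        printf '%s' "$count"
    fi
}

# Perform the update; succeed only when Namecheap reports zero errors.
namecheap_update() {
    url=$(build_update_url "$1" "$2" "$3" "$4")
    reply=$(curl -sS --fail "$url") || return 1
    errs=$(parse_errcount "$reply")
    if [ "$errs" = "0" ]; then
        echo "DDNS update OK for $2.$1"
        return 0
    fi
    echo "DDNS update FAILED (ErrCount=$errs): $reply" >&2
    return 1
}

# Usage: ./namecheap-ddns.sh yourdomain.com @ 'password-from-namecheap' [ip]
if [ "$#" -ge 3 ]; then
    namecheap_update "$1" "$2" "$3" "$4"
fi
```

The password travels as a query parameter, exactly as in the DD-WRT URL field, so keep the scheme HTTPS and keep the script (or the file you read the password from) readable only by the user running it; passing it on the command line also leaves it in shell history, which is why a cron entry that reads it from a mode-600 file is the better place for it.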


One of our lab networks has internet access only through a SOCKS proxy provided by our contractor. That works fine in most cases, but not for OpenSUSE's package manager (zypper), which has practically no support for SOCKS proxies.

One easy and fast workaround is to set up a local HTTP proxy server that forwards all traffic to a specified parent SOCKS proxy. From what I've read, Squid doesn't support a SOCKS parent proxy, and honestly I didn't want to go with it anyway, as it seemed like overkill.

The simple solution was Polipo: a small, fast and easy-to-set-up proxy server that supports a SOCKS parent proxy. An RPM package was already available in SUSE's repository, so I downloaded it on another machine, SCPed it to the OpenSUSE box, set a few things and voilà.

For the quickest and simplest setup I added these three parameters to the /etc/polipo/config file.

daemonise = true
socksParentProxy = "proxy.hostname.or.ip:proxyport"
socksProxyType = socks5

Run polipo. Optionally, you can add Polipo to cron so that it starts with the system.


Secure Shell (SSH) is a highly versatile application-layer network protocol used for secure communication between networked hosts in a client/server model. It was designed as a replacement for telnet, using public-key cryptography to secure the connection over untrusted networks such as the Internet.
SSH is most popular on Unix-like systems and is used for remote administration, tunneling, TCP and X11 forwarding and even file transfer (SFTP and SCP). This post will focus on SSH on Windows, as that is what I mostly work with, and on what is for me one of its most interesting features: SSH tunneling / TCP forwarding.


Needed software

The most popular flavor on POSIX systems is OpenSSH, which includes ssh (the client), sshd (the SSH server daemon), scp, sftp and others.
On Windows, you can actually use the same OpenSSH package under Cygwin (a Unix-like environment for Microsoft Windows).
There are of course native Windows servers and clients as well, notably:
KpyM Telnet/SSH Server, freeSSHd, the unbeatable PuTTY and its many forks, my favourite being KiTTY.
DD-WRT and OpenWrt ship the Dropbear SSH server and client because of its light use of resources.


Local port forwarding

Local port forwarding lets you tunnel TCP traffic from your machine to the SSH server, or to a remote network that the SSH server has access to.
The SSH client on your local machine listens on a specified port and forwards all TCP traffic it receives to the specified destination address and port.

For example: VNC Viewer (with traffic destined for localhost on port 5900) -> SSH client listening on port 5900 and forwarding the traffic to the specified IP and port on the server side of the tunnel -> SSH server -> other hosts the server has access to (optional).

Note that the local port is an arbitrary port number, as long as you can specify it in the software you wish to tunnel.

If you have ever had a machine with two LAN cards that needs failover, with, for example, each LAN card connected to its own router with an internet connection, then this article is for you.

While working for one company I had a request that two Cisco routers each be connected to one LAN card on the same machine, while on the other side they connected to a mobile operator using IPsec over a GRE tunnel. I set up the Cisco routers and configured the IPsec and GRE parameters, but the problem started when I wanted to access the machine from both sides. If you configure the gateway in the normal way you get only one router as the default gateway, and all traffic from the machine goes through that gateway. In this case, however, traffic that came in from router1 needs to be sent back via router1, and traffic from router2 via router2. This is done with policy routing. The following commands configure the routing tables to route traffic to the corresponding gateway:

ip rule add from 192.168.0.10 table uplink1
ip route add default via 192.168.0.1 dev eth0 table uplink1

ip rule add from 192.168.0.20 table uplink2
ip route add default via 192.168.0.2 dev eth1 table uplink2

ip route add default scope global nexthop via 192.168.0.2 dev eth1 weight 1 nexthop via 192.168.0.1 dev eth0 weight 1

The first line defines a policy that all traffic coming from IP 192.168.0.10 (eth0) uses routing table uplink1, and the second line adds default gateway 192.168.0.1 (router1) to table uplink1 via eth0. The same commands follow for eth1 with the corresponding IPs. The last line is important because the main routing table still has no default gateway. With nexthop we can add several gateways and give them weights to prioritize them, or, as in this case, give them the same weight so they are used equally. You can put these commands in /etc/rc.local if you want them executed at every start-up.

Finally, don't forget (as we did at first) to edit /etc/iproute2/rt_tables and define the tables. It should look something like this:

#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
32767 uplink1
32766 uplink2
#1 inr.ruhep

You can use commands like ip rule show, ip route show table uplink1, ip route and route to debug.
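The five commands above work, but they are not repeatable: run them a second time and ip complains that the rules and routes already exist, and the rt_tables edit is easy to forget. The following script, an added example that is not part of the original post, wraps the same configuration (same addresses, devices and table names) in a form that can be re-run from /etc/rc.local; DRY_RUN=1 prints the ip(8) commands instead of executing them, since the real ones need root and the two interfaces.

```shell
#!/bin/sh
# Added example, not from the original post: repeatable two-uplink policy
# routing. Addresses, devices and table names are the post's own.
# DRY_RUN=1 prints the commands instead of running them.

RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Make a table name known to iproute2; appends only if it is not there yet,
# so repeated runs do not fill rt_tables with duplicates.
ensure_rt_table() {
    id="$1"; name="$2"
    if ! grep -qE "^[0-9]+[[:space:]]+$name"'[[:space:]]*$' "$RT_TABLES" 2>/dev/null; then
        printf '%s %s\n' "$id" "$name" >> "$RT_TABLES"
    fi
}

# One uplink: replies to traffic that arrived for $src leave via $gw on $dev.
add_uplink() {
    table="$1"; id="$2"; src="$3"; gw="$4"; dev="$5"
    ensure_rt_table "$id" "$table"
    # Clear whatever a previous run left behind, then add the rule and route.
    run ip rule del from "$src" table "$table" 2>/dev/null || true
    run ip route flush table "$table" 2>/dev/null || true
    run ip rule add from "$src" table "$table"
    run ip route add default via "$gw" dev "$dev" table "$table"
}

setup_policy_routing() {
    add_uplink uplink1 32767 192.168.0.10 192.168.0.1 eth0
    add_uplink uplink2 32766 192.168.0.20 192.168.0.2 eth1
    # The main table still needs a default route; "replace" instead of "add"
    # keeps this idempotent. Equal weights spread locally originated
    # connections over both routers.
    run ip route replace default scope global \
        nexthop via 192.168.0.2 dev eth1 weight 1 \
        nexthop via 192.168.0.1 dev eth0 weight 1
}

# Show what the kernel ended up with (the same checks the post suggests).
show_policy_routing() {
    run ip rule show
    run ip route show table uplink1
    run ip route show table uplink2
    run ip route show
}

# Usage: ./policy-routing.sh apply   (or DRY_RUN=1 ./policy-routing.sh apply)
if [ "${1:-}" = "apply" ]; then
    setup_policy_routing
    show_policy_routing
fi
```

Because each uplink table is flushed before it is repopulated, a typo in a gateway address is corrected simply by editing the script and re-running it, which is exactly the property you want from anything invoked out of rc.local.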

If you use EoIP in bridge mode and have a DHCP server on both sides, but want each of them to serve only its own side, you need to block DHCP traffic through the tunnel. This also takes load off the tunnel, since the internet link is usually the bottleneck in the network and we don't want to load it unnecessarily.

Linux is equipped with ebtables, which can inspect all Ethernet traffic and, in our case, filter DHCP broadcasts. To enable it, go to Administration->Commands, click Edit startup script and add the following lines.

insmod ebtables
insmod ebtable_filter
insmod ebt_ip.o
ebtables -A INPUT -i oet1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT -i oet1 -p IPv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD -o oet1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD -o oet1 -p IPv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Reboot the router and you will see that machines on both sides are served by their local DHCP server, with all DHCP traffic staying inside.

Recently we discovered DD-WRT, a Linux distribution for consumer routers such as TP-Link that provides more advanced features. One of its interesting capabilities is Ethernet over IP (EoIP), which creates a tunnel between two points and forwards all Ethernet frames between them, bridging the two sites as if they were on the same switch. So why would you need EoIP when you have a VPN? A VPN works at the IP layer and passes only IP traffic through the tunnel; if you need some other protocol (IPX, SCTP, RIP, OSPF, etc.), EoIP in bridge mode is the easiest way to do it.

One disadvantage of DD-WRT is that you need static IPs for EoIP tunnels, so we put together a solution that makes it work with dynamic IPs using any dynamic DNS service. The solution consists of two scripts. The first checks whether the IP behind the dynamic DNS name has changed and, if so, resolves the new IP and updates the tunnel configuration:

#!/bin/sh
EOIP=`nvram get oet1_en`
if [ "${EOIP}" = "1" ]; then
	# Resolve the peer's dynamic DNS name; ping prints the address it resolved to.
	NEW_EOIP_IP=`ping -c1 -w1 example.dyndns.org | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' -m 1`
	# Currently configured remote peer and our own WAN address, straight from nvram.
	EOIP_IP=`nvram get oet1_rem`
	MY_WAN_IP=`nvram get wan_ipaddr`
	# Do nothing if resolution failed; otherwise the tunnel would be rebuilt with an empty remote.
	if [ -n "${NEW_EOIP_IP}" ] && [ "${EOIP_IP}" != "${NEW_EOIP_IP}" ]; then
		nvram set oet1_rem="${NEW_EOIP_IP}"
		ip link set oet1 down
		ip tunnel del oet1
		# Drop the accept rule for the old peer address so it does not stay allowed forever.
		iptables -D INPUT -p etherip -s "${EOIP_IP}" -j ACCEPT 2>/dev/null
		iptables -I INPUT -p etherip -s "${NEW_EOIP_IP}" -j ACCEPT
		ip tunnel add oet1 mode etherip remote "${NEW_EOIP_IP}" local "${MY_WAN_IP}"
		brctl addif br0 oet1
		ip link set oet1 up
	fi
fi

Change example.dyndns.org to the dynamic DNS name of the tunnel's remote peer and save the script in DD-WRT; if you are not using tunnel no. 1, replace oet1 with oetX (where X is the number of the EoIP tunnel you are using). Go to Administration->Commands, click Edit custom script and paste the script there.
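One thing worth tightening in the script above is the address check: the egrep pattern matches any four groups of up to three digits (999.999.999.999 included), and the value it produces goes straight into nvram, an iptables accept rule and the tunnel definition. The helper below, an added example that is not part of the original post, validates the resolved address first and only reports a change when the new address is well-formed; it assumes BusyBox sh and ping as found on DD-WRT, and example.dyndns.org is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: validate the peer address before
# it is written into nvram, iptables and the EoIP tunnel. Assumes BusyBox sh
# and ping as on DD-WRT; the dynamic DNS name is a placeholder.

# Return 0 only for a well-formed dotted-quad IPv4 address.
is_ipv4() {
    addr="$1"
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, or stray dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split into octets on "."
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Resolve a dynamic DNS name with the same ping trick the post uses, but print
# the address only if it validates; print nothing and fail otherwise.
resolve_peer() {
    name="$1"
    candidate=$(ping -c1 -w1 "$name" 2>/dev/null \
        | grep -E -o -m 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
    if is_ipv4 "$candidate"; then
        printf '%s\n' "$candidate"
        return 0
    fi
    return 1
}

# The tunnel needs rebuilding only when a valid new address differs from the
# one currently stored in nvram (oet1_rem in the post).
peer_changed() {
    current="$1"; new="$2"
    is_ipv4 "$new" || return 1
    [ "$current" != "$new" ]
}

# Usage in the custom script: replace the resolve line with
#   NEW_EOIP_IP=$(resolve_peer example.dyndns.org) || exit 0
# and guard the rebuild with: if peer_changed "$EOIP_IP" "$NEW_EOIP_IP"; then ...
```

Exiting quietly when resolution fails is the important part: a cron job that runs every minute must not tear the tunnel down just because one DNS lookup timed out.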

Now that you have created the EoIP script, you need to add it as a cron job so that it runs periodically. The second script runs at DD-WRT startup and fixes some problems with cron.

# Make sure the crontabs user exists, then restart cron so it picks up the job.
grep -q "^crontabs:" /tmp/etc/passwd || echo 'crontabs:*:0:0:Crontab User,,,:/tmp/root:/opt/bin/bash' >> /tmp/etc/passwd
stopservice cron
sleep 60
startservice cron

Go to Administration->Commands, click Edit startup script and paste the code above. The default period is 1 minute (60 seconds); you can change it to whatever fits your needs.

The last thing you need to do is add a cron job. In Administration->Management, make sure cron is enabled and paste the following line into the Additional Cron Jobs field.

* * * * * root /tmp/custom.sh

The EoIP script only works if the tunnel is enabled, so go to Setup->EoIP and enable the designated tunnel. You can now reboot your router and everything should work out of the box.