Monday, September 28, 2015

Per Connection Queues on a Mikrotik Home Router

Per Connection Based Queues


Set up the address lists


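/ip firewall address-list
# RFC 1918 private ranges.  The mangle rules on this page use this list to tell
# LAN-to-LAN traffic apart from traffic that crosses the PPPoE link.
add address=10.0.0.0/8 list="RFC 1918 Private"
add address=172.16.0.0/12 list="RFC 1918 Private"
add address=192.168.0.0/16 list="RFC 1918 Private"
# Limited broadcast, so LAN broadcasts are classed as local too.
# (255.255.255.0 is a subnet mask, not an address, so it is no longer listed;
# the LAN's directed broadcast 192.168.x.255 is already inside the /16.)
add address=255.255.255.255 list="RFC 1918 Private"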

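/ipv6 firewall address-list
# Addresses treated as "our side" by the IPv6 mangle rules: the delegated /56
# plus link-local.  fe80::/10 is the whole link-local block (RFC 4291); the
# old fe80::/16 entry is a subset of it, so nothing previously matched is lost.
# NOTE(review): the NBN post on this page gives the prefix as
# 2001:44b9:2143:8c00::/56 (44b9, not 44b8) - confirm which is the delegated one.
add address=2001:44b8:2143:8c00::/56 list=Local
add address=fe80::/10 list=Local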

Now set up the packet tagging.


/ip firewall mangle
# Rules are evaluated top-down and every rule has passthrough=no, so a packet
# receives the mark of the first rule that matches it and is then left alone.
# LAN-to-LAN traffic (private source AND destination) is marked first so it
# never lands in the WAN queues.
add action=mark-packet chain=forward dst-address-list="RFC 1918 Private" \
    new-packet-mark=MARK_LOCAL_TO_LOCAL passthrough=no src-address-list=\
    "RFC 1918 Private"
# Inbound from the PPPoE link: small ACK-flagged TCP segments and DNS answers
# (source port 53) get the high-priority mark; everything else inbound is
# normal priority.  The size match is what keeps bulk data out of the
# high-priority queue - any packet up to 123 bytes carrying the ACK flag
# qualifies, whatever application sent it.
add action=mark-packet chain=forward in-interface=pppoe-out1 new-packet-mark=\
    MARK_INCOMING_HIGH_PRIORITY packet-size=0-123 passthrough=no protocol=tcp tcp-flags=\
    ack
add action=mark-packet chain=forward in-interface=pppoe-out1 new-packet-mark=\
    MARK_INCOMING_HIGH_PRIORITY passthrough=no protocol=udp src-port=53
add action=mark-packet chain=forward in-interface=pppoe-out1 new-packet-mark=\
    MARK_INCOMING_HIGH_PRIORITY passthrough=no protocol=tcp src-port=53
add action=mark-packet chain=forward in-interface=pppoe-out1 new-packet-mark=\
    MARK_INCOMING_NORMAL_PRIORITY passthrough=no
# Outbound from the LAN bridge: mirror image of the inbound rules, keyed on
# the destination port for DNS.
add action=mark-packet chain=forward in-interface=bridge-local new-packet-mark=\
    MARK_OUTGOING_HIGH_PRIORITY packet-size=0-123 passthrough=no protocol=tcp tcp-flags=\
    ack
add action=mark-packet chain=forward dst-port=53 in-interface=bridge-local \
    new-packet-mark=MARK_OUTGOING_HIGH_PRIORITY passthrough=no protocol=udp
add action=mark-packet chain=forward dst-port=53 in-interface=bridge-local \
    new-packet-mark=MARK_OUTGOING_HIGH_PRIORITY passthrough=no protocol=tcp
add action=mark-packet chain=forward in-interface=bridge-local new-packet-mark=\
    MARK_OUTGOING_NORMAL_PRIORITY passthrough=no
# Anything forwarded that came in on neither pppoe-out1 nor bridge-local is
# logged so the gap shows up; with only those two interfaces in use this
# should never fire.
add action=mark-packet chain=forward log=yes log-prefix="Mark: should not get here" \
    new-packet-mark=error passthrough=no


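/ipv6 firewall mangle
# Same marking scheme as the IPv4 table: first match wins (passthrough=no on
# every rule), local-to-local first, then inbound and outbound classes.
add action=mark-packet chain=forward dst-address-list=Local new-packet-mark=\
    MARK_LOCAL_TO_LOCAL passthrough=no src-address-list=Local
# Inbound from the PPPoE link: small ACK segments and DNS answers are high
# priority, the rest normal.  Any packet up to 123 bytes with the ACK flag
# qualifies, whatever application sent it.
add action=mark-packet chain=forward in-interface=pppoe-out1 new-packet-mark=\
    MARK_INCOMING_HIGH_PRIORITY packet-size=0-123 passthrough=no protocol=tcp tcp-flags=\
    ack
add action=mark-packet chain=forward in-interface=pppoe-out1 new-packet-mark=\
    MARK_INCOMING_HIGH_PRIORITY passthrough=no protocol=udp src-port=53
add action=mark-packet chain=forward in-interface=pppoe-out1 new-packet-mark=\
    MARK_INCOMING_HIGH_PRIORITY passthrough=no protocol=tcp src-port=53
add action=mark-packet chain=forward in-interface=pppoe-out1 new-packet-mark=\
    MARK_INCOMING_NORMAL_PRIORITY passthrough=no
# Outbound from the LAN bridge, keyed on destination port for DNS.
add action=mark-packet chain=forward in-interface=bridge-local new-packet-mark=\
    MARK_OUTGOING_HIGH_PRIORITY packet-size=0-123 passthrough=no protocol=tcp tcp-flags=\
    ack
add action=mark-packet chain=forward dst-port=53 in-interface=bridge-local \
    new-packet-mark=MARK_OUTGOING_HIGH_PRIORITY passthrough=no protocol=udp
add action=mark-packet chain=forward dst-port=53 in-interface=bridge-local \
    new-packet-mark=MARK_OUTGOING_HIGH_PRIORITY passthrough=no protocol=tcp
add action=mark-packet chain=forward in-interface=bridge-local new-packet-mark=\
    MARK_OUTGOING_NORMAL_PRIORITY passthrough=no
# Catch-all for packets from any other interface.  The IPv4 table logs this
# case; this rule now does the same (with its own prefix) so an IPv6 packet
# that slips past the rules above is visible rather than silently marked.
add action=mark-packet chain=forward log=yes log-prefix=\
    "Mark6: should not get here" new-packet-mark=error passthrough=no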

Add the queue types


/queue type
# Per-connection queues keyed on the LAN-side address: one sub-queue per LAN
# host for downloads (dst-address) and one per host for uploads (src-address).
# The mask for the opposite side is zeroed; pcq-limit bounds each sub-queue's
# backlog.
add name=pcq-download kind=pcq pcq-classifier=dst-address \
    pcq-src-address-mask=0 pcq-src-address6-mask=0 pcq-limit=128k
add name=pcq-upload kind=pcq pcq-classifier=src-address \
    pcq-dst-address-mask=0 pcq-dst-address6-mask=0 pcq-limit=128k

And now add the queue tree


/queue tree
# Two root queues hang off "global": the parents cap total upload/download,
# and the children split each parent by packet mark with strict priority
# (1 = high, 2 = normal).  The rates are sized for the author's link;
# set limit-at/max-limit to your own contracted speeds before reusing.
add burst-limit=20M burst-time=2s limit-at=10M max-limit=18M name=Total_Upload parent=\
    global priority=1 queue=default
add burst-limit=50M burst-time=10s limit-at=25M max-limit=48M name=Total_Download \
    parent=global priority=1 queue=default
# High-priority download (small ACKs, DNS answers) is deliberately tiny (2M
# ceiling) so bulk traffic cannot ride on it.
# NOTE(review): on every child below burst-limit equals max-limit, so the
# burst-* settings never lift the ceiling above max-limit and are effectively
# inert; either raise burst-limit above max-limit or drop the burst fields.
add burst-limit=2M burst-threshold=2M burst-time=2s limit-at=256k max-limit=2M name=\
    incoming_high_priority packet-mark=MARK_INCOMING_HIGH_PRIORITY parent=Total_Download \
    priority=1 queue=pcq-download
# NOTE(review): max-limit=50M exceeds the parent's max-limit=48M; the parent
# clips it, so the effective ceiling is 48M.  Same for outgoing (20M vs 18M).
add burst-limit=50M burst-threshold=50M burst-time=2s limit-at=256k max-limit=50M name=\
    incoming_normal_priority packet-mark=MARK_INCOMING_NORMAL_PRIORITY parent=\
    Total_Download priority=2 queue=pcq-download
# High-priority upload: 1M ceiling, same reasoning as the download side.
add burst-limit=1M burst-threshold=1M burst-time=2s limit-at=256k max-limit=1M name=\
    outgoing_high_priority packet-mark=MARK_OUTGOING_HIGH_PRIORITY parent=Total_Upload \
    priority=1 queue=pcq-upload
add burst-limit=20M burst-threshold=20M burst-time=2s limit-at=256k max-limit=20M name=\
    outgoing_normal_priority packet-mark=MARK_OUTGOING_NORMAL_PRIORITY parent=\
    Total_Upload priority=2 queue=pcq-upload


Thursday, September 24, 2015

Solaris 11 - adding a new Locale


Solaris 11 - adding a new Locale

# pkg facet

FACET                                                            VALUE SRC
locale.*                                                         False local
locale.de                                                        True  local
locale.de_DE                                                     True  local
locale.en                                                        True  local
locale.en_US                                                     True  local
locale.es                                                        True  local
locale.es_ES                                                     True  local
locale.fr                                                        True  local
locale.fr_FR                                                     True  local
locale.it                                                        True  local
...

We can add the en_AU.UTF-8 locale like so (the facet name is the locale without the encoding suffix):

# pkg change-facet 'facet.locale.en_AU=True'

Now when we ssh in from our OSX desktop (say), our LANG environment will follow us around:

$ echo $LANG
en_AU.UTF-8

Sunday, September 20, 2015

Updating VirtualBox Guest software on Solaris


Updating VirtualBox Guest software on Solaris


From the VirtualBox menu, select Devices --> Insert the Guest Additions CD Image

Become root, and verify that the image is mounted.

ls /media
VBOXADDITIONS_5.0.4_102546

Remove the old package, and add the new one.

# pkgrm SUNWvboxguest
# cd /media/VBOXADDITIONS_5.0.4_102546/
# pkgadd -d VBoxSolarisAdditions.pkg

 Restart

# shutdown -i 6 -y -g 0


Keywords: Solaris, VirtualBox, Guest VBoxSolarisAdditions

Friday, September 18, 2015

Solaris 11 local repository

On Solaris 11

Solaris is indicated where longevity, reliability, and security are of utmost importance.

I recently migrated a Solaris system to newer hardware - a system commissioned 21 years ago, and which has been migrated to newer hardware at least twice before. The system has been quietly labelling, shipping, and invoicing $1m and $2m of goods per day, seven days per week, on a single server. It's impossible to imagine this longevity and reliability on any other environment outside of a mainframe.

Solaris has always been well ahead of Linux in filesystem and virtualisation technology. While Linux has been getting increasingly complex with each release, Solaris has been getting easier. Solaris documentation is a delight compared to Linux.

Solaris is also cheap to run. Grey bearded Solaris administrators like me are still astonished when we see SAP environments (say) with clusters of three or four servers per tier for reliability -- as if this is somehow a good thing. The hassle of clustering is often just not necessary with Solaris -- you only need a pair of servers for DR, or when you don't have *any* maintenance windows.

For some reason, ICT managers usually can't wait to get rid of Solaris, and the market share of the Solaris operating system continues to plummet in favour of Windows and Linux. For Java or Oracle centric environments like SAP and TM1, this approach is misguided; Substituting Solaris with Windows provides the worst of both worlds.

I plan to do some Solaris posts, and the first one is below. The Solaris docs should always be the first point of call - these notes are primarily here for my own re-consumption. If you happen to pass by I hope you find something useful.

Setting up a Solaris 11.2 Package Server

For anything more than trial install of Solaris 11, you want to have a local package repository server.

Package repositories can share their contents via both NFS and HTTP. This post concentrates on HTTP.

You also want to set up the package server the right way. Here's how I set up a local package server for my Solaris 11.2 lab environment.

Create a new zpool


The default location for a package repository in Solaris 11.2 is /var/share/pkg/repositories. This is in the root zpool, which is less than ideal for a number of reasons.

So instead I used a separate disk and zpool for the the package repository. 

First I created the new zpool "repositories" on the device c1t2d0:

# MOUNTPOINT=/export/pkg/repositories
# REPO_ROOT=${MOUNTPOINT}/solaris-11
# mkdir -p "${MOUNTPOINT}"
# zpool create -m "${MOUNTPOINT}" repositories c1t2d0
# mkdir -p "${REPO_ROOT}"
# zfs set recordsize=16k repositories
# zfs set compression=zle repositories

The last two lines are a little bit of sugar; the files in the package repositories have an average size of about 24kB, which is why I specified the smaller record size of 16k (the ZFS default is 128kB). Since the files themselves are already compressed, only the directory indexes and metadata will benefit from compression. The zle compression method is probably the best choice here, but to be honest there is probably not a great deal of benefit from compression, so you can leave it off if you like. (The mount point is given to zpool create via ${MOUNTPOINT} rather than typed a second time, so the two cannot drift apart.)

I've also tried zfs de-duplication in the past but the performance hit when updating the repository was so crippling I had to disable it. 

Build the package repository

I created a temporary directory to hold the downloads.

# mkdir /var/tmp/repo-files; cd /var/tmp/repo-files

I then copied the package repository download zip files to this directory. You should end up with the following files. The sol-11_2-repo-*of4.zip files are NOT to be unzipped before the script is run.

# ls
README-zipped-repo.webarchive.txt sol-11_2-repo-1of4.zip            sol-11_2-repo-3of4.zip            sol-11_2-repo-md5sums.txt
install-repo.ksh                  sol-11_2-repo-2of4.zip            sol-11_2-repo-4of4.zip

Before running the script, check the zip files against sol-11_2-repo-md5sums.txt (for example with `digest -a md5 sol-11_2-repo-*of4.zip`); this only catches a corrupted download, not a deliberately tampered one, so fetch the files from Oracle over HTTPS in the first place. I then ran the install-repo script

# ksh ./install-repo.ksh -d ${REPO_ROOT}

And configured the package repository http server:

# svccfg -s application/pkg/server setprop \
  pkg/readonly=true

# svccfg -s application/pkg/server setprop \
  pkg/inst_root=${REPO_ROOT}

I changed the port to 10,000 (default 8080) so as not to clash with other services that I might wish to run on this machine.

# svccfg -s application/pkg/server setprop \
  pkg/port=10000

Fire it up, so the package server is available over http

# svcadm refresh application/pkg/server
# svcadm enable application/pkg/server

Sometimes it can be a pain to remember what the repository root is when doing tasks such as updating the repository. So record it in a Readme file in the repository directory. printf is used rather than echo so the quotes need no escaping and the command stays on one logical line (the original echo form had a stray backslash-space before the redirection, which ended the command early and left the file empty):

# printf 'The repository root for future commands is "%s"\n' "${REPO_ROOT}" \
  > "${REPO_ROOT}/Repository_Root.README.txt"

Point clients to the package server

I then ran this command on each Solaris server (global zones only). Make sure you don't forget to run also the command on the repository server itself. 

# pkg set-publisher -G '*' -M '*' \
  -g http://<hostname>:10000/ solaris

Where <hostname> is the FQDN of my package repository server. Note that the repository is served over plain HTTP, so nothing on the wire authenticates the server to the clients: keep the package server on a trusted lab network (or front it with HTTPS) and leave pkg/readonly=true set so the depot cannot be written to through the HTTP interface.

Check that a client can see the package repository correctly:

# pkg publisher
PUBLISHER        TYPE     STATUS P LOCATION
solaris          origin   online F http://<hostname>:10000/

You can connect to the above URL with a browser to verify operation and search for files.

Lastly, clean up:

# cd /root
# rm -rf /var/tmp/repo-files


Installing software from the package repository


With the package server setup and clients configured to use it, installing new software is straight forward. For example, the following commands install and start the ftp server:

# pkg install service/network/ftp
# svcadm enable svc:/network/ftp


Updating clients


Updating clients is easy too. In the  global zone of a client, say the following:


# pkg update
# touch /reconfigure && shutdown -i 6 -g 0 -y


Keywords: Solaris 11, pkg, package, publisher, repository

Wednesday, September 16, 2015

Social Science - and Diversity

Interesting article on the lack of diversity among social scientists. I thought they were almost all from the far Left, since forever, but this appears not to be the case.

"Psychologists have demonstrated the value of diversity – particularly diversity of viewpoints – for enhancing creativity, discovery, and problem solving. But one key type of viewpoint diversity is lacking in academic psychology in general and social psychology in particular: political diversity. This article reviews the available evidence and finds support for four claims: (1) Academic psychology once had considerable political diversity, but has lost nearly all of it in the last 50 years. (2) This lack of political diversity can undermine the validity of social psychological science via mechanisms such as the embedding of liberal values into research questions and methods, steering researchers away from important but politically unpalatable research topics, and producing conclusions that mischaracterize liberals and conservatives alike. (3) Increased political diversity would improve social psychological science by reducing the impact of bias mechanisms such as confirmation bias, and by empowering dissenting minorities to improve the quality of the majority’s thinking. (4) The underrepresentation of non-liberals in social psychology is most likely due to a combination of self-selection, hostile climate, and discrimination. We close with recommendations for increasing political diversity in social psychology."

http://heterodoxacademy.org/2015/09/14/bbs-paper-on-lack-of-political-diversity/

Tuesday, September 15, 2015

Getting your Mikrotik to work with Internode and the NBN

Yes, you can use a Mikrotik with an NBN connection.

Here's how I hooked up my Mikrotik RB961G and routerOS version 6. My ISP is Internode, who also provide a native IPv6 subnet.

There wasn't a lot out there on getting the Mikrotik to work, particularly with IPv6 networking.

I thought I'd write it up for posterity.  Incidentally, I pay a little more to Internode to get a business grade connection, with static IPV4 and IPv6 links. And Internode tech support to business customers is the very best.

Schematic

Here is a picture of what we want to achieve. The Mikrotik logs in to Internode using PPPoE via the NBN Fibre Connection box. It source-NATs IPv4 traffic from the LAN, while IPv6 traffic from the LAN is native (no NAT, so every LAN host is directly reachable from the Internet unless the IPv6 firewall says otherwise).



The Mikrotik presents five ethernet interfaces. In the default configuration, Port 1 is expected to be the WAN gateway, and Ports 2 - 5 and wireless are bridged together to form the Internal LAN.

The NBN Fibre Connection box sits inside your house, and expects a PPPoE client, such as modem or your Mikrotik, to connect to the port "UNI-D 1" using a regular ethernet cable - Cat 5e is preferable.


Enabling IPv6


The routerOS IPv6 package is not enabled by default. I had to enable it through the WebFig GUI, and reboot. Here's what my settings looked like after the reboot.


PPPoE client:

Of course, you'll need to change the user and password values. You can also do this quite efficiently through the Webfig quickset interface.

## Even though we have a fixed IP address, we still connect to Internode
## using the PPPoE client.
## NOTE(review): the PPPoE password is stored in clear in the config and is
## printed by "/export"; use "/export hide-sensitive" before pasting a
## config dump anywhere.  max-mtu/max-mru are held below 1500 to leave room
## for the PPPoE framing overhead on the Ethernet link to the NBN box.
## use-peer-dns=yes adds the ISP's resolvers as dynamic DNS servers on top
## of the static one set under /ip dns.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1480\
    max-mtu=1480 name=pppoe-out1 password=very-very-secret \
    profile=default-encryption use-peer-dns=yes \
    user=example.user.name@internode.on.net

The PPPoE client will set up my IPv4 static IP and default route each time it connects.

IPv4 config ("/ip export")

Now for the IPv4 part. Some of this is from the defaults so you might get some errors (which can be ignored) if you copy and paste the lines below indiscriminately.

As per the PPPoE setting above, much of this can be done using the Webfig quick set interface. However, the default firewall rules will be broken and need to be redone.

For completeness, I'm presenting the command line configs here as that is what I use.

## Use the default LAN subnet.  The address sits on ether2-master-local
## (presumably the master port of the bridged LAN ports described above),
## while the DHCP server and firewall rules on this page refer to the bridge
## itself, bridge-local.
/ip address
add address=192.168.88.1/24 comment="LAN address" interface=\
    ether2-master-local network=192.168.88.0

## Provide a DHCP server to our LAN subnet.  Clients are handed the router
## itself (192.168.88.1) as gateway and resolver, which is why the caching
## DNS below is enabled.  Leases last three days.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=3d name=\
    "LAN DHCP server"
/ip dhcp-server network
add address=192.168.88.0/24 comment="LAN address" dns-server=192.168.88.1 \
    domain=int gateway=192.168.88.1 netmask=24

## Set up this router as a caching DNS.  allow-remote-requests=yes turns the
## router into a resolver for anyone who can reach port 53 on it; only the
## firewall filter below keeps it LAN-only, so do not enable this without
## those rules (an open resolver is a DNS amplification source).
## The only static upstream is Google's IPv6 resolver; with use-peer-dns=yes
## on the PPPoE client the ISP's servers are presumably added dynamically
## alongside it - check "/ip dns print" if name resolution dies when IPv6 is
## down.
/ip dns
set allow-remote-requests=yes servers=2001:4860:4860::8844
## Static overrides: "router" for convenience, plus two Windows telemetry
## hostnames sunk to localhost.
/ip dns static
add address=192.168.88.1 name=router
add address=127.0.0.1 name=vortex-win.data.microsoft.com
add address=127.0.0.1 name=settings-win.data.microsoft.com

Obviously, we need to include some traffic filtering on our Mikrotik to stop the black hats hacking into our router. Same goes for IPv6.

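## Define RFC 1918 private addresses.  The filter rules below use this list
## both to admit LAN traffic and (negated) in the catch-all drop, so a wrong
## entry here silently changes what the firewall lets through.
/ip firewall address-list
add address=10.0.0.0/8 list="RFC 1918 Private"
## 172.16.0.0/12 - the original had 172.12.0.0/12; under a /12 mask that
## covers 172.0.0.0-172.15.255.255 (public space) and leaves the real
## 172.16-172.31 private range out of the list.
add address=172.16.0.0/12 list="RFC 1918 Private"
add address=192.168.0.0/16 list="RFC 1918 Private"
## Limited broadcast, so LAN broadcasts count as local too.  (255.255.255.0
## is a subnet mask, not an address, so it is not listed; the LAN's directed
## broadcast 192.168.88.255 is already inside 192.168.0.0/16.)
add address=255.255.255.255 list="RFC 1918 Private"

## Define a second address list for known bad countries, such as China.
## (for demonstration purposes I've included only one subnet).
## NOTE(review): no filter rule on this page references this list, so by
## itself it blocks nothing; a drop rule keyed on
## src-address-list="Bad countries" is needed for it to take effect.
add address=223.240.0.0/13 list="Bad countries"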

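## Set up the firewall.  Rules are matched top-down within each chain; the
## first matching rule with a terminating action (accept/drop/reject/tarpit)
## decides the packet.  add-src-to-address-list does not terminate.
/ip firewall filter
add chain=input comment="Allow Established Connections" connection-state=\
    established
add chain=input comment="Allow Related Connections" connection-state=related
## Management access: must arrive on the LAN bridge AND carry a private
## source.  Everything the LAN needs from the router is accepted here.
add chain=input comment=\
    "Allow input from LAN, but only from RFC 1918 private addresses" \
    in-interface=bridge-local src-address-list="RFC 1918 Private"
add action=tarpit chain=input comment="Tarpit known attackers" log-prefix=\
    "Block tcp tarpit" protocol=tcp src-address-list=Tarpit
add action=drop chain=input log-prefix="Tarpit dropped" src-address-list=\
    Tarpit
add chain=input comment=ICMP limit=100,200 protocol=icmp
add action=drop chain=input comment=Invalid connection-state=invalid \
    in-interface=pppoe-out1
## Any unsolicited TCP SYN from the WAN puts its source in the Tarpit list
## for an hour; the packet itself carries on to the drop rules below.
## NOTE(review): log=yes here writes one line per inbound SYN, which on a
## scanned public address can swamp the router's log buffer.
add action=add-src-to-address-list address-list=Tarpit address-list-timeout=\
    1h chain=input comment="default configuration" in-interface=pppoe-out1 \
    log=yes log-prefix="Adding to tarpit: " protocol=tcp tcp-flags=syn
## Same for DNS queries arriving on the WAN (the resolver above has
## allow-remote-requests=yes, so this chain is what keeps it LAN-only).
## The entry now expires after 1h like the TCP one: a UDP source address is
## trivially spoofed, and a permanent entry would let anyone blacklist an
## arbitrary address from this router's input chain for good.
add action=add-src-to-address-list address-list=Tarpit address-list-timeout=\
    1h chain=input dst-port=53 in-interface=pppoe-out1 log=yes log-prefix=\
    "Add to tarpit" protocol=udp
## Drop whatever else arrives from the WAN, whatever source it claims.  The
## original final rule only dropped non-private sources, so a WAN packet
## with a spoofed RFC 1918 source fell through to the default accept and
## reached the router's own services.
add action=drop chain=input comment="Drop everything else from WAN" \
    in-interface=pppoe-out1 log-prefix="Final drop WAN"
add action=drop chain=input log-prefix="Final drop" src-address-list=\
    "!RFC 1918 Private"
add chain=forward comment="Established Connections" connection-state=\
    established
add chain=forward comment="Related Connections" connection-state=related
## New flows may be opened by private addresses, but only if they did not
## come in on the WAN link: without the interface match a spoofed private
## source from the Internet could open connections towards the LAN.
add chain=forward comment="New Connections" connection-state=new \
    in-interface=!pppoe-out1 src-address-list="RFC 1918 Private"
add action=drop chain=forward comment="Invalid Connections" connection-state=\
    invalid log-prefix="Blocked - Invalid"
add action=reject chain=forward comment=Default log=yes log-prefix=\
    "Rejected forwarding : "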

## Source NAT on the PPPoE interface: everything leaving via pppoe-out1 is
## masqueraded to whatever address the PPPoE session currently holds.
## to-addresses=0.0.0.0 is presumably just how the export prints an unset
## value - masquerade takes the address from the outgoing interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="Source NAT" out-interface=\
    pppoe-out1 to-addresses=0.0.0.0

## Make sure only local users can log in to the Mikrotik router.  Binding
## each service to the RFC 1918 ranges is the real control (together with
## the input-chain rules above).  Moving SSH to 2222 only thins out scanner
## noise; it is not a security measure on its own.
## NOTE(review): ftp and www are cleartext, and api-ssl stays enabled; if
## they are not used, disable them too (e.g. "set ftp disabled=yes").
## www-ssl is not mentioned, so WebFig presumably runs over plain http here.
/ip service
set telnet disabled=yes
set ftp address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
set www address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
set ssh address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 port=2222
set api disabled=yes
set winbox address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
set api-ssl address=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8

IPv6 config ("/ipv6 export")

The IPv6 configuration was the part that took the time to get right. I spent a few nights trying to figure out why IPv6 initially worked and then stopped working, which was very frustrating.

Without further ado, here is the working example:

## Pick a low number out of your IPv6 subnet and assign it to the
## internal LAN. I've used the second address from my IPv6 subnet 
## "2001:44b9:2143:8c00::/56".  The address is given without a prefix
## length, so RouterOS applies its default; check "/ipv6 address print"
## shows the length you expect.
## NOTE(review): the PCQ post on this page spells the prefix 2001:44b8:...
## (44b8, not 44b9) - confirm which is the delegated prefix.
/ipv6 address
add address=2001:44b9:2143:8c00::2 interface=ether2-master-local

## In order for Internode's routers to find us, we have to use
## the DHCP client over the PPOE interface. The pppoe-out1 interface
## is already established by the PPPOE client in the IPv4 section.
## The delegated prefix lands in pool "ipv6-pool"; nothing else on this page
## draws from that pool (the LAN address above is static), so the client's
## job here is to get the ISP to route the prefix to this router.
/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=ipv6-pool

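## Set up a simple firewall. This presumes the bad guys are on the
## outside. A dangerous assumption, but good enough to get started.

/ipv6 firewall address-list
## "Local" = our delegated /56 plus link-local.  fe80::/10 is the full
## link-local block (RFC 4291); the original fe80::/16 is a subset of it, so
## nothing previously matched is lost.  A WAN peer can send from a link-local
## source too, so any rule using this list should also match the interface.
add address=2001:44b9:2143:8c00::/56 list=Local
add address=fe80::/10 list=Local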

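/ipv6 firewall filter
add chain=input comment="Router  Accept established connections" \
    connection-state=established
add chain=input comment="Router  Accept related connections" \
    connection-state=related
## ICMPv6 carries neighbour discovery, router advertisements and PMTU; do
## not filter it away.
add chain=input comment="Router  Allow IPv6 ICMP" protocol=icmpv6
add action=drop chain=input comment="Router  Drop invalid connections" \
    connection-state=invalid
## DHCPv6 (prefix delegation) from the ISP side, link-local to link-local.
add chain=input comment="Router- PPOE Client" dst-address=fe80::/32 dst-port=\
    546 in-interface=pppoe-out1 protocol=udp src-address=fe80::/32 src-port=\
    547
## Management access from the LAN.  The Local list holds our /56 and
## link-local, both of which can appear as a source on the PPPoE link (the
## ISP's own link-local genuinely does, and either can be spoofed), so the
## match is limited to packets that did not arrive on the WAN.
add chain=input comment="From Local addresses" connection-state=new \
    in-interface=!pppoe-out1 src-address-list=Local
add action=drop chain=input comment="Router  Drop other traffic"
add chain=forward comment="LAN  Accept established Connections" \
    connection-state=established
add chain=forward comment="LAN  Accept related connections" connection-state=\
    related
## New outbound TCP only; same spoofing argument as the input chain.
add chain=forward comment="LAN accept new connections" connection-state=new \
    in-interface=!pppoe-out1 protocol=tcp src-address-list=Local
## UDP from the LAN side.  The original rule accepted UDP from anywhere,
## which exposed every UDP service on every LAN host directly to the
## Internet (there is no NAT in front of them in IPv6).  Replies to
## LAN-initiated flows are covered by the established/related rules above.
add chain=forward comment="LAN  Accept UDP" in-interface=!pppoe-out1 \
    protocol=udp
add chain=forward comment="LAN  Accept ICMPv6 " protocol=icmpv6
add action=drop chain=forward comment="LAN  Drop invalid Connections" \
    connection-state=invalid
add action=log chain=forward comment="LAN  Log everything else" log-prefix=\
    "Log IPv6 dropped: "
## Only traffic from the WAN is rejected here; anything else that reaches
## this point (non-TCP/UDP/ICMPv6 from the LAN) is accepted by the default
## policy.
add action=reject chain=forward comment="LAN  Drop everything else" \
    in-interface=pppoe-out1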

## Configure IPv6 Neighbour discovery.  The default entry is kept and a
## second, explicit entry is added for bridge-local with advertise-dns so
## LAN hosts learn the router as resolver from RAs.
## NOTE(review): the default entry presumably covers every interface, so
## the router may also advertise towards the PPPoE side; restrict or disable
## it if that is not wanted.  other-configuration=yes tells hosts to ask
## DHCPv6 for extra settings, but no DHCPv6 server is configured on this
## page - confirm clients do not stall waiting for one.
/ipv6 nd
set [ find default=yes ] advertise-dns=yes other-configuration=yes \
    ra-lifetime=1h
add advertise-dns=yes interface=bridge-local other-configuration=yes \
    ra-lifetime=1h reachable-time=30m retransmit-interval=15s
## autonomous=no: the advertised prefix is not used for SLAAC here.
/ipv6 nd prefix
add autonomous=no interface=ether2-master-local

You should then be able to access an IPv6 testing site such as http://ipv6-test.com/ and get a positive result.



Thanks to Karl Auer for the pointers at this link: http://into6.com.au/?p=214

Keywords: Microtik, NBN, Internode, PPPoE, IPv6, IP6, Firewall