3 Very Good Things…

I am back! My blog is migrated to new servers, happy days.

To kick off 3 things which have very much impressed me in the last couple of months:

1) Windows 7 RC. Microsoft have an absolute win here; it’s faster and feels tidier than Vista, the search is lightning quick, the new combined launch/taskbar kicks ass, the XP fallback mode works, it multithreads properly, I haven’t found any kit I can’t make work with it, and it’s all incredibly stable. I don’t actually know why anyone currently slogging it out on Vista wouldn’t run as fast as they can to do an in-place upgrade today.

2) GMail Apps. I dipped my toe in the water using GMail for benking.me.uk a few months ago; I have now migrated warwicknet.com lock, stock and barrel. Having your email all in GMail is pure bliss. The labelling effectively gives ‘3D’ folders, and having the power of Google search on your email is awesome. No longer do I have to slog it out in Outlook/Exchange land sorting my inbox by ‘From’ to find that one email among the 17000 in my inbox (I don’t like filing stuff). It’s fair to point out though that the new search features in Windows 7 mean it can search your Outlook email about as quickly as well. The downside of GMail of course is Google owning you.

3) Solwise 3G router. This little toy is a work of art. Basically it’s a plug-in-the-wall router that will do wireless, ethernet, and 3G routing (by plugging your existing USB 3G dongle into the provided USB port). It is a right Swiss army knife and will do webcam server, file server and print server. The amazing thing is that my T-Mobile 3G connection is far faster via the Solwise and then wireless to my laptop than when plugged directly into my laptop. To be honest I am not doing it justice here; read the full review on The Register here.

I would heartily recommend all of the above.

HSBC 0845 rip-off…

I have just discovered I have been bitten by the 0845 rip-off. My Orange bill arrived and despite my having 1200 inclusive minutes (nowhere near used), I still had an hour’s worth of calls ‘outside minutes’. This then transpired to be 0845 numbers, one of which cost me £2.81+VAT for 17 minutes… So called ‘local rate’ calls are far from it.

Anyway an angry message to HSBC got the following ‘national alternatives’.

HSBC Premier (08457 707070) -> 01226 260260
HSBC Business (08457 606060) -> 01226 260878

I suspect there are alternates for all HSBC services.

When will these companies stop using these rip-off rate numbers??

£30 license to download music – you saw it here first…

So finally the dense powers that be have realised that a fixed annual license to download whatever you want is a good idea:

http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/2008/07/24/dldownloads124.xml

Really they should put me in charge, as I first suggested it here – http://www.benking.me.uk/2008/01/11/drm-copyright-the-saga-goes-on/

Even so it is still being reported as a ‘bad thing’, i.e. naughty people will get taxed/fined £30… Get it into your thick heads: I want the flexibility to download what I want from wherever I want, whenever I want, and I don’t mind paying for that privilege.

So where’s the form, where do I sign up?! I tell you what, call it £60 per year and throw in movies and TV…

Has your Hotmail and Live Messenger been hacked?

I have in the past posted about my experience when I got my Hotmail account hacked and how I subsequently recovered it. To save everyone the hassle of wading through my blog for the answer (and earn me a few quid hopefully), I have now written a handy document that helps you understand:

1) Why and how your Hotmail/Live Messenger was compromised in the first place.
2) How to go about getting it back.
3) How to stop it happening again.

All for a mere $10… you can buy it here.

P.S. I appreciate the irony that if you have had your Hotmail account compromised you have probably lost your PayPal account as well, so can’t actually pay me! Unfortunately it’s a chicken and egg problem you will have to sort out, as I can’t be arsed to set up another payment mechanism – sorry!

Vyatta – Desert Deployment!

I have deployed Vyatta to a lot of different locations, however the deployment I did last week was a little different…

Yas Island is a natural island on the coast of the United Arab Emirates of about 2,500 hectares, of which 1,700 hectares is being developed. It is to be a $40 billion playground of marinas, shops, theme park, water park, hotels and villas, not to mention a Formula 1 track.

At the minute though it is little more than a lot of sand, some mounds of earth, a few roads and a lot of cranes, and I had the pleasure, on behalf of my client Benoy (architects), of extending their existing Vyatta network to cover both their Abu Dhabi city office and their Yas Island site office.

There were a number of challenges with the deployment:

  1. Connectivity: we had ordered a 2Mbit/s leased line from Etisalat, the UAE telco, which was being delivered via a microwave link back to Abu Dhabi. At the point of landing in the country we had no idea of the reliability or IP scheme, and weren’t even confident about the presentation!
  2. Disruption: the users were on a shared network provided by the client, which was painfully slow but worked to give them email and basic web access; we had to minimise downtime.
  3. Reliability: we had to do everything we could to ensure reliability and remote maintainability of the network once we had left.

The Kit

Vyatta was the natural choice not only because we were using it across the rest of the Benoy network, but also because of the cost effectiveness of the hardware required to deploy a resilient configuration.

At each site we deployed 1U Dell 860s, with:

  • Dual core Xeon processors
  • 2GB of RAM
  • Hardware mirrored SATA drives
  • Additional Intel dual NIC card (giving 4 ethernet interfaces in total)
  • Vyatta 2.3.1

The Configuration

  • 4 Subnets: Workstations, Servers, Internet 1 (leased line), Internet 2 (ADSL)
  • All subnets clustered across the two routers
  • DHCP for workstation subnets (split across the two routers)
  • Masquerade NAT for internal subnets
  • Incoming NAT for email and video conferencing
  • IPSec VPN tunnels back to the UK network and the other Abu Dhabi site
  • Internal and external firewalling

The Microwave Link

The microwave link was a V.35 serial presentation that we passed through a Cisco 1841 before passing on to the Vyattas; the resulting connection performed remarkably well, giving us about 14ms round trip on pings back to the main Abu Dhabi office.

The Result

The end result is fantastic; speed and responsiveness at both sites far exceeded expectations. At the main site we were replacing a Firebox VPN tunnel back to London, which had proved to be a little unreliable and extremely slow; we had been putting this down to the quality of the Etisalat connection. However, once we replaced it with the Vyatta VPN the network response and reliability were far in excess of expectations, and it performs as well as the MPLS circuits we have connecting other sites.

Martin Neal, IT Director of Benoy, said ‘I am really pleased with the speed and also the “feel” of the network.’

Photos

The Yas Island site office… (photo: Yas Island construction office)

The Benoy team at Yas Island… (photo: Yas Island Benoy office)

Our microwave link… (photo)

Public transport is Virgin on disaster…

<rant>

I live in Coventry, which is as near as dammit slap bang in the middle of the UK, and within spitting distance of our second city, Birmingham. Given this, why is it so damn difficult to get to the UK’s biggest airport (Heathrow) on public transport?!

Normally when I fly it’s always easier and quicker to go from Birmingham to Frankfurt, Schiphol or Copenhagen than it is to Heathrow, but this time it just wasn’t possible so I committed to Heathrow.

The options to travel from Coventry to Heathrow are:

  1. Drive; while you have to endure the M40, M25, and the extortionate parking fees at Heathrow, it is nevertheless the flexible option.
  2. Train to London, underground to Heathrow/Paddington then Heathrow express. This always strikes me as a dog leg of a journey and you have to suffer the underground with luggage. At least though the wheels keep turning.
  3. Train to Reading, bus to Heathrow.
  4. Train to Watford, bus to Heathrow.

There really is no optimum choice, and despite knowing better I went for option 4. What really irks me is that I am sure there used to be a train from Watford to Heathrow.

This should be easy but alas… my journey was:

  1. Cab to Coventry Train station (less than a mile, easily done).
  2. Virgin Train to Watford, just like going to London no issues.
  3. 1.5 hours spent stood in the wrong place at Watford, the signs being in the wrong place for the bus. Rather than leaving from the bus terminal at the station, it leaves from over the road and down the street a bit, out of sight from the station. There were about 10 of us all stood in the same wrong place, so I am confident it wasn’t just me being stupid. To add insult to injury the bus drivers actually drove past the station, could obviously see a load of people with suitcases stood at the wrong bus stop, and drove on regardless with an empty bus. I asked 3 members of station staff, until I got one antsy woman who said testily ‘it’s obviously over the road’; this deteriorated into a full-on argument and she was completely unhelpful and a total jobsworth.
  4. Finally I got a bus to Heathrow and once I was on it, it wasn’t too bad.

Coming home.

  1. Land at Heathrow.
  2. Go to the designated bus stop; according to the timetable the bus is at 19:45, it turns up at 20:05 and departs immediately with just 2 of us on it, with no regard for the timetable.
  3. Arrive Watford Junction (approx 20:40); the train to Coventry is apparently at 20:55, so I wait on the platform. The 20:55 completely fails to turn up, no warning, it just vanishes off the display and a 21:05 to Preston (calling at Rugby) turns up instead… so I get on that.
  4. £30 cab ride to Coventry from Rugby and I am home.

I may as well have driven, it would have been easy, and probably cheaper in the end.

Until this country gets public transport right, people will stay in their cars. Nuff said!

</rant>

Shanghai – am I really in China??

…is the question I am asking myself right now…

I am in Shanghai, a city of some 18 million people, the biggest city in China and in the top 5 largest in the world, the answer should be obvious.

However, here I am sat in Starbucks (one of two in this building alone, and one of five that I can think of within a couple of minutes’ walk), sipping on my ‘Venti Cappuccino’, reading the Wall Street Times (Asia edition), looking out across the shopping mall at a McDonalds full of Chinese eagerly stuffing their faces on whatever crap it is that McDonalds sell in the morning, and I begin to wonder…

(photo: McDonalds and Starbucks in Shanghai)

This is one of the many, many shopping centers along Nanjing Road, Shanghai’s showcase shopping experience; it runs 5km east to west through the center of Shanghai. The array of shops is staggering, with pretty much every brand you care to mention (so many Rolex dealerships I have lost count) and a string of car dealerships including Mercedes, Porsche, Maserati and Ferrari.

You would be forgiven for thinking that the prices would be cheaper, it being China and all, and to an extent they are; however my cappuccino has set me back 31RMB (about £2.20), and the nice new Samsung LCD screen I am about to buy for home is exactly the same price in the shops here as back in Blighty.

So who is buying this stuff?? Westerners? I don’t think so; unlike Hong Kong, when you see another non-Asian here it’s still a case of ‘oh look, someone white like me’. They are generally pretty easy to spot as well, clearing the surrounding populace by a clear foot. The other day I walked the entire length of the Bund, a 1.5km riverside walk; it being Chinese New Year it was packed with tourists, thousands of them, and during the entire walk I never saw another non-Asian, not one!

It is the Chinese, the door is open to western capitalism and they are embracing it as fast as they can, and best of luck to them.

I suspect however they are lining themselves up for a serious class divide issue: there are people paid a minimal amount to do every job, while people at the other end of the scale are getting very rich.

Shanghai for example is clean, really really clean; you never see even the smallest bit of litter, cigarette butts, or even chewing gum. Why not? Well, thanks to having plenty of people and not being hindered by such idiocies as a minimum wage, they throw manpower at everything, from street cleaners to traffic assistants on every junction, and not just one, sometimes 3 or 4 people per road junction just to ensure you make it across the road!

(photo: traffic assistants in Shanghai)

There are lots of fine examples of throwing manpower at the problem. The hotel I am staying in, for example: okay, it’s 4* and it’s costing a mighty £48 per night, but all week I haven’t had to open the door to the hotel; 24/7 they have at least 4 people manning the doors! When you go into a restaurant it’s often the case that the staff outnumber the customers, the same in shops, and this Starbucks has 5 staff on at the moment.

I am quite a fan of Shanghai; it lacks the outright debauchery and exuberance of Hong Kong, however in its place comes an air of refined, proud elegance.

To answer my original question, I am physically in China, however I suspect this far from reflects the real China… I suspect if I travel even 1 hour from Shanghai the picture will be very different…

DRM, Copyright, the saga goes on…

Commenting on: http://www.theregister.co.uk/2008/01/11/att_want_to_block_copyrighted_material_at_network_level/

The solution to all this is very very simple.

I want the luxury of being able to download whatever material I want, when I want from where I want in whatever format I want. That as a customer is what I want, and the customer is always right.

The only question is what I am prepared to pay for it, and how. As I don’t want to be bound to any particular channel (iTunes for example), and I don’t want to be paying per use, there is only one option, which is some form of Digital Download License, for which we pay an amount of money per year (say £150) to do whatever we want online, a bit like the TV license.

The obvious question is how the respective rights holders get their slice of the pie. Well, simply offer a discount on the license fee to anyone happy to run some form of software that monitors what copyright material you are downloading and reports it somewhere for statistical analysis for revenue distribution.

This won’t work however if I am required to buy more than one license or there are restrictions of any kind, for example you can download everything except shows by NBC.

Vyatta – Clustering

The latest subscription release of Vyatta, 2.3, has seen the addition of clustering capability, which has added greatly to the high availability features of the product.

Previously high availability was really limited to VRRP, which was great but had a couple of issues:

  • You couldn’t use VRRP across VIF interfaces, which made high availability for ‘router on a stick’ solutions tricky.
  • We experienced a few issues with interface bouncing, especially on gigabit interfaces.

VRRP is however a very nice solution: each virtual address is associated with a virtual MAC address that the currently active router associates with the appropriate interface, and the switchover is nearly instantaneous.

The new clustering functionality in Vyatta is based upon the Linux-HA project, which takes a slightly simpler but arguably more effective approach to HA: when a failure is detected the virtual IP is reassigned to the appropriate interface on the secondary router and a gratuitous ARP is sent out across the associated network segment to mitigate any ARP cache issues.

The HA functionality also allows for failover of the IPsec VPN service. At the moment this works pretty simplistically, by simply stopping or starting the service as needed; thus on the currently inactive router the VPN service, and therefore the tunnels, simply aren’t up.

Let’s take a look at a relatively simple multisite HA Vyatta solution and the associated configuration.

(diagram: Vyatta cluster example)

We have two sites, each with a pair of Vyattas configured as router, VPN, firewall and NAT. Behind them is a multi-segment internal network.

Interfaces

ldn-router1 interfaces:

interfaces {
    loopback lo {
        address 10.1.1.251 {
            prefix-length: 24
        }
    }
    ethernet eth0 {
        description: "Internet"
        address 98.76.54.31 {
            prefix-length: 28
        }
    }
    ethernet eth1 {
        description: "Servers"
        address 10.1.10.251 {
            prefix-length: 24
        }
    }
    ethernet eth2 {
        description: "Workstations"
        address 10.1.101.251 {
            prefix-length: 24
        }
    }
}

ldn-router2 interfaces:

interfaces {
    loopback lo {
        address 10.1.1.252 {
            prefix-length: 24
        }
    }
    ethernet eth0 {
        description: "Internet"
        address 98.76.54.32 {
            prefix-length: 28
        }
    }
    ethernet eth1 {
        description: "Servers"
        address 10.1.10.252 {
            prefix-length: 24
        }
    }
    ethernet eth2 {
        description: "Workstations"
        address 10.1.101.252 {
            prefix-length: 24
        }
    }
}

The important thing to notice here is that the virtual ‘active’ addresses aren’t configured on the network interfaces themselves; instead they come later in the cluster configuration.

The New York site configuration is the same, except of course the IP addresses are changed accordingly.

Cluster

cluster {
    interface eth0
    pre-shared-secret: "!secret!"
    keepalive-interval: 2
    dead-interval: 10
    group "ldn-cluster1" {
        primary: "ldn-router1"
        secondary "ldn-router2"
        auto-failback: true
        monitor 12.34.56.73
        service "98.76.54.33"
        service ipsec
        service "10.1.10.1"
        service "10.1.101.1"
    }
}

The cluster configuration on each router is identical (unless you want to do certain clever things such as run a different routing configuration in failover!). The interface definition is just for the interface that you want to monitor via. You can have multiple monitors; however, a failover will occur if any monitor returns a failure, which is in some ways a help and in some ways a hindrance. Personally I prefer to just monitor an outside address and, if it’s not available, go to failover, where hopefully it will be (especially if we use different external blocks per router).

When a router becomes the active member of the cluster, it scans the route table for matches to the service IP and assigns the service IP to the appropriate interface; it then sends a gratuitous ARP out of that interface to avoid any ARP cache issues.

Routes

One downside of Vyatta downing the IPsec tunnel when that router is not active is that you can then only address that router on its dedicated addresses. For example, if I wanted to do some remote maintenance on ldn-router2 from the New York site while it wasn’t active, the only way I would be able to do so is either to log onto a machine on the London subnet and go via that, or to use the public external IP (which I probably don’t want publicly accessible anyway).

The solution is very simple, due to the way that VPN route matching works. When making a packet routing decision Vyatta checks the VPN tunnels for a local/remote match first, then checks against the routing table. Therefore if we add a static route to each router for the whole internal network to go via its partner, we get a really neat solution (shown here for ldn-router1):

protocols {
    static {
        route 10.0.0.0/8 {
            next-hop: 10.1.10.252
        }
    }
}

Thus if a router has the VPN tunnel up (i.e. it’s active) it never checks the routing table and traffic goes direct; if the router has no VPN tunnel (i.e. it’s passive) it simply forwards the traffic to the active router.

VPN

The VPN configuration in a cluster is basically the same as a standard configuration, except the local and remote public IPs are the cluster addresses.

vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        ike-group "ike-ny" {
            proposal 1 {
                encryption: "aes256"
            }
            lifetime: 3600
        }
        esp-group "esp-ny" {
            proposal 1 {
                encryption: "aes256"
            }
            proposal 2 {
                encryption: "3des"
                hash: "md5"
            }
            lifetime: 1800
        }
        site-to-site {
            peer 12.34.56.73 {
                authentication {
                    pre-shared-secret: "secret"
                }
                ike-group: "ike-ny"
                local-ip: 98.76.54.33
                tunnel 13 {
                    local-subnet: 10.1.0.0/16
                    remote-subnet: 10.3.0.0/16
                    esp-group: "esp-ny"
                }
            }
        }
    }
}

NAT

An easy pitfall in the NAT configuration is to forget that Vyatta processes source NAT before checking VPN or routing table matches. The fix is simply to exclude your internal network as a destination in the NAT configuration:

nat {
    rule 101 {
        type: "source"
        outbound-interface: "eth0"
        source {
            network: "10.1.101.0/24"
        }
        destination {
            network: "!10.0.0.0/8"
        }
        outside-address {
            address: 98.76.54.31
        }
    }
}
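As an added illustration (not Vyatta’s code or the post’s), a small Python model of the packet-handling order this post describes for ldn-router1: source NAT first, then the tunnel selectors (which only the active member has), then the routing table. It uses the addresses from the configs above; the default gateway 98.76.54.17 and the host addresses in the sample checks are constructed.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s, strict=False)

def addr(s):
    return ipaddress.ip_address(s)

INTERNAL = net("10.0.0.0/8")
# Directly connected LANs from ldn-router1's interfaces config.
CONNECTED = {"eth1": net("10.1.10.0/24"), "eth2": net("10.1.101.0/24")}
# Static routes: the post's 10.0.0.0/8 via the partner's Servers address, plus
# an assumed default route out of the Internet interface (placeholder gateway).
STATIC = [(INTERNAL, "10.1.10.252", "eth1"),
          (net("0.0.0.0/0"), "98.76.54.17", "eth0")]
# Selectors of tunnel 13 from the VPN config.
TUNNEL_LOCAL, TUNNEL_REMOTE = net("10.1.0.0/16"), net("10.3.0.0/16")

def snat_rule_101(src, dst, exclude_internal=True):
    """NAT rule 101: workstation traffic leaving eth0 is rewritten to 98.76.54.31.
    'Leaving eth0' is approximated here as 'not for a directly connected LAN',
    which covers both tunnel traffic and the default route in this topology.
    With exclude_internal the post's destination match '!10.0.0.0/8' applies."""
    local = any(dst in n for n in CONNECTED.values())
    if src in CONNECTED["eth2"] and not local and not (exclude_internal and dst in INTERNAL):
        return addr("98.76.54.31")
    return src

def lookup(dst):
    """Longest-prefix match over connected and static routes."""
    routes = [(n, "connected " + i) for i, n in CONNECTED.items()]
    routes += [(n, "%s via %s" % (nh, i)) for n, nh, i in STATIC]
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def decide(src, dst, vpn_up, exclude_internal=True):
    """Returns (path, via, source address as the packet leaves the router)."""
    src, dst = addr(src), addr(dst)
    src = snat_rule_101(src, dst, exclude_internal)   # NAT is evaluated first
    # The passive member's VPN service is stopped, so it has no tunnel to match;
    # the active member consults the tunnel selectors before the routing table.
    if vpn_up and src in TUNNEL_LOCAL and dst in TUNNEL_REMOTE:
        return ("ipsec", "tunnel 13", str(src))
    via = lookup(dst)
    return ("route", via, str(src)) if via else ("drop", "no route", str(src))

if __name__ == "__main__":
    ws, ny_host = "10.1.101.50", "10.3.10.20"   # constructed host addresses
    print("active:            ", decide(ws, ny_host, vpn_up=True))
    print("passive:           ", decide(ws, ny_host, vpn_up=False))
    print("active, no exclude:", decide(ws, ny_host, vpn_up=True, exclude_internal=False))
```

The third case is the NAT pitfall: once the source has been rewritten to 98.76.54.31 it no longer matches the tunnel’s local subnet, so even the active router hands the packet to its partner instead of the tunnel.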

VIFs

As I mentioned earlier, Vyatta’s implementation of VRRP doesn’t allow you to use VRRP on virtual VLAN interfaces, which is frankly a little annoying (although hopefully it will be fixed in the next release).

However under clustering it works perfectly, as the service IP can match and be assigned to any interface, real or virtual.

Conclusion

The clustering in Vyatta has added just enough simple HA clustering functionality that ‘just works’ to enable us to deploy far more complex and reliable solutions than was previously possible.

This is also just the tip of the iceberg; in future releases we can expect to see multiple clusters (allowing Active/Active configurations) and extra services added to the failover capability.

Vyatta – Forwarding traffic to Squid

If you are using Vyatta and want to transparently forward traffic at the router level to a separate Squid proxy you will find that the standard firewall configuration in Vyatta just isn’t up to the job (yet!).

The workaround is to use the /etc/rc.local file to make iptables do the job for you; here’s how we did it:

#!/bin/sh -e
#
# rc.local
#
# Modified to forward to squid cache
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#

IPTABLES="/sbin/iptables"
IP="/sbin/ip"
SQUID="10.1.1.1"      # Internal address of our squid box

# Webcache jump to cache
echo Setting up jump to webcache

# clear any existing entries
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Don't mark webcache traffic (Squid's own fetches must not be sent back to Squid)
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -s $SQUID
# Internal subnets to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 10.0.0.0/8     # Don't cache internal

# External sites to exclude
$IPTABLES -t mangle -A PREROUTING -j ACCEPT -p tcp --dport 80 -d 1.2.3.4   # IP address of a site you want to exclude from going to the cache

# Now mark our traffic; we have a number of subnets on virtual interfaces we want to grab.
# If you aren't using VIFs simply use eth1 or whatever interface you are using.
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.102 -p tcp --dport 80
$IPTABLES -t mangle -A PREROUTING -j MARK --set-mark 3 -i eth3.103 -p tcp --dport 80

# Send the marked traffic to table 2 (you can actually use whatever table you want;
# I used 2 because we are using eth2 for the subnet squid is on).
$IP rule add fwmark 3 table 2

# set the default route for table 2, change eth2 for the interface you are on
$IP route add default via $SQUID dev eth2 table 2

# Make sure we exit
exit 0
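To show why the order of the rules above matters, here is an added Python model (not the post’s script) of the PREROUTING mangle chain: ACCEPT ends traversal of the chain but does not clear a mark set by an earlier MARK rule, so if the exclusions were appended after the MARK rules, ‘ip rule add fwmark 3 table 2’ would still send excluded traffic to Squid. The packet addresses in the sample checks are constructed.

```python
import ipaddress

SQUID, SQUID_DEV = "10.1.1.1", "eth2"   # squid box and its interface, from the post

def rule(target, src=None, dst=None, in_if=None, mark=None):
    """One '-p tcp --dport 80' rule; unset match fields match anything."""
    return {"target": target, "src": src, "dst": dst, "in_if": in_if, "mark": mark}

EXCLUDE = [rule("ACCEPT", src=SQUID),          # squid's own fetches
           rule("ACCEPT", dst="10.0.0.0/8"),   # internal web servers
           rule("ACCEPT", dst="1.2.3.4")]      # the post's example excluded site
MARKS = [rule("MARK", in_if="eth3.102", mark=3),
         rule("MARK", in_if="eth3.103", mark=3)]
PREROUTING = EXCLUDE + MARKS   # the order the rc.local uses
MISORDERED = MARKS + EXCLUDE   # exclusions appended after the marks

def matches(r, pkt):
    if pkt["proto"] != "tcp" or pkt["dport"] != 80:
        return False
    for key in ("src", "dst"):
        if r[key] and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(r[key]):
            return False
    return r["in_if"] is None or r["in_if"] == pkt["in_if"]

def mangle(pkt, chain):
    """Walks the chain and returns the fwmark left on the packet (0 = unmarked)."""
    mark = 0
    for r in chain:
        if not matches(r, pkt):
            continue
        if r["target"] == "MARK":
            mark = r["mark"]    # non-terminating: traversal continues
        elif r["target"] == "ACCEPT":
            break               # ends this chain; an existing mark is kept
    return mark

def route(pkt, chain=PREROUTING):
    """Policy routing: fwmark 3 selects table 2, whose default is the squid box."""
    if mangle(pkt, chain) == 3:
        return ("table 2", "%s dev %s" % (SQUID, SQUID_DEV))
    return ("main", None)

def pkt(in_if, src, dst, dport=80, proto="tcp"):
    """Constructed packet summary: ingress interface, addresses, TCP port."""
    return {"in_if": in_if, "src": src, "dst": dst, "dport": dport, "proto": proto}

if __name__ == "__main__":
    web = pkt("eth3.102", "10.1.102.20", "203.0.113.10")   # constructed addresses
    internal = pkt("eth3.102", "10.1.102.20", "10.1.10.5")
    print("workstation -> internet:", route(web))
    print("workstation -> internal:", route(internal))
    print("same, exclusions after marks:", route(internal, MISORDERED))
```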