Xaero.org

If you’ve read my article on connecting to the IPv6 Internet, you should be familiar with the principles of IPv6 over IPv4 connectivity and have some basic IPv6 knowledge.

I’ve wanted to use IPv6 with my pfSense firewall for quite some time but it seems that the developers don’t want to be bothered supporting it. Fear not! There is a way to get IPv6 connectivity, though it won’t work through the GUI.

I won’t go into a great amount of detail on configuring your end PCs for IPv6 connectivity except to say that it’s generally turned on by default for Linux, you need to add “ipv6_enable” and reboot for FreeBSD, and that you need to add the IPV6 protocol in Windows XP (newer versions have it enabled by default). From that point on, your computer should send out solicitation messages which your pfSense firewall will respond to and you’ll get allocated an IPv6 address.

For the remainder of this article, I’m using this article (cached version here) for my template. That article is intended for native IPv6 connectivity, not tunneled connectivity. Also note that you should have configured an IPv6 over IPv4 tunnel. I suggest using a provider such as Hurricane Electric. Lastly, once you have a tunnel configured, you’ll want to allow pings from the tunnel’s endpoint to your router so it knows your side is up. I enabled this by going to Firewall/Rules and adding a ping rule that allows only the IPv4 tunnel endpoint to ping your firewall’s external IP. Use ICMP, then Any ICMP type, then specify the host IP of the remote tunnel endpoint. Don’t forget to apply it!

For your pfSense box, you’ll want to be running the latest release (1.2.3-RELEASE as of this writing). Be sure to enable SSH from the web gui since you’ll need to log into the command line. For your tunnel settings, I’ll assume the following addresses:

• WAN IPv6 IP: 2001:db8:0:1::2
• WAN IPv4 IP: 192.0.2.2
• WAN IPv4 Tunnel Destination: 192.0.2.15
• LAN IPv6 allocation: 2001:db8:0:2::/64

Log into your firewall using the credentials you configured when you first set it up. At the menu, use option 8 to drop to a shell. Next, create the following file:

#!/bin/sh
# IFOUT = outside interface
# IFIN = inside interface
# DFGW = default gateway
IFOUT="gif0"
IFIN="bge0"
DFGW="2001:db8:0:1::1"

####### Configure the stuff

# Configure the interfaces
ifconfig $IFOUT create
ifconfig $IFOUT tunnel 192.0.2.2 192.0.2.15
ifconfig $IFOUT inet6 2001:db8:0:1::2 prefixlen 64
route -n add -inet6 default 2001:db8:0:1::1
ifconfig $IFOUT up

ifconfig $IFIN inet6 alias 2001:db8:0:2::1 prefixlen 64

# Set the default route
route -n add -inet6 default $DFGW

# Configure IPv6 forwarding
sysctl net.inet6.ip6.forwarding=1

# My /etc/rtadvd.conf looks like this
#
# bce1:\
#   :addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:
#
# Startup rtadvd
/usr/sbin/rtadvd -d -D -c /etc/rtadvd.conf $IFIN

Save this file as 00_config-ipv6-if.sh under /usr/local/etc/rc.d/ so it will automatically be executed upon reboot and change the permissions to 755 so it has permissions to execute. Don’t forget to change the inside interface to the name of your interface.

Next we need to configure the pf firewall to allow the tunnel to work. Create a file with the following contents:

#!/bin/sh
#
# IFOUT = outside interface
# IFIN = inside interface
# DFGW = default gateway
IFOUT="gif0"
IFIN="bge0"

####### Configure the stuff

# Configure PF
# pfSense puts it's rules in /tmp/rules.debug for debugging purposes after boot
# We will use these rules, add IPv6 additions, read the config with pfctl and
# disable and enable PF
cat /tmp/rules.debug | sed "/User-defined rules follow/{
p;s/.*/\
pass in quick on $IFIN inet6 from any to any\\
pass out quick on $IFIN inet6 from any to any\\
pass out quick on $IFOUT inet6 from any to any\\
pass quick proto ipv6-icmp from any to any\\
# pass in on $IFOUT inet6 proto tcp from any to any port 22\\
/;}" > /tmp/rules.config-ipv6.txt

# Read the new PF configuration file
pfctl -f /tmp/rules.config-ipv6.txt
pfctl -d; pfctl -e

Save this file as 10_config-ipv6-pf.sh under /usr/local/etc/rc.d/ and chmod it to 755 so it can execute on startup.

Lastly, create /etc/rtadvd.conf and add the following to it:

bge1:\
:addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:

Save that file. At this point you can either reboot your pfSense box or execute the two scripts. You should have IPv6 connectivity through your tunnel. You can test it using traceroute6 and ping6. Another great test to try is to go to http://ipv6.google.com. If the logo bounces, you have IPv6 connectivity.

Enjoy!

Ever since ZFS became production ready on FreeBSD 8 (and backported to 7), I’ve been itching to switch to using it and getting rid of UFS. For one, UFS is OLD. It was first used in 4.2BSD if that gives any indication. The most salient problem with UFS is the lack of real journaling. True, you have the soft-updates feature, but soft-updates are an alternative to journaling. This may not be a problem for users with older hardware and smaller hard disks, but with today’s multi-terabyte drives, a power failure or system crash can lead to painfully long waits as fsck verifies the consistency of your file system.

To that end, I followed this handy guide to installing a FreeBSD system on a pure ZFS-only setup. Note that you’ll end up with a system with no traces of UFS whatsoever, meaning you have to use the ZFS bootloader and can’t dual boot anymore. If that’s not to your liking, have a look at the index of ZFS on root guides. If you need to dual boot, you’ll want to follow one of the MBR guides. For my needs, if I find myself needing to boot to another operating system, I simply hit F12 when my system is performing a POST test and choose a different drive to boot to. It’s simple and separates your operating systems so they don’t affect one another. Another alternative is to use virtualization if your needs aren’t too demanding.

One thing none of the ZFS on root guides show you is also one of the most important: how to update and rebuild your system! If you’re a developer you probably already know how to do this, but for the rest of us, it’s important to know how to properly update your system when needed.

To begin, you’ll want to sync your source tree. Instructions for that are located in the handbook, but it really boils down to using csup to synchronize source from a cvsup server to your local machine. If you do anything that requires building a kernel module, you’re probably familiar with this. With your source tree synchronized to your desired version of FreeBSD, you can follow the the handbook guide to rebuilding world.

Once you have installed the kernel, reboot into single user mode as the guide tells you. Issue the “mount” command. You’ll notice that no filesystems are mounted except for devfs and the root ZFS filesystem you marked as legacy. The handbook tells you to use “mount -a -t ufs” but obviously this won’t work since we have banished UFS from our FreeBSD box. To mount all the ZFS mountpoints you have, simply use “zfs mount -a”. This should mount everything except for / (root) as read-write. To enable a writable file system root, use “mount -uw /” and then “mount -a” to mount anything else. The “-uw” option unsets any mount options and then sets the write bit so you can write to that mount point. At this point you should be able to use mergmaster and installworld to finish rebuilding your system. One important task you must do before rebooting into your updated system is to install updated boot code. This is done with the following command after installing the new world: “gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 disk” where disk is the name of the drive you installed to (usually ad0). With this, you should have an updated system with ZFS as your file system!

Enjoy!

So I’m neck deep in my GRE studies. I’ve already gone through two GRE books and an ebook. I’m close to finishing my third book (this test is NOT easy). I’m learning some interesting properties of numbers such as the following:

Integers:

• Integers are whole numbers (whether positive or negative)
• Fractions are not integers
• Zero is an integer!
• Positive integers get larger as they move farther from zero
• Negative integers get smaller as they move farther from zero

Consecutive numbers:

• Listed in order of increasing value without any numbers missing between them
• Fractions and decimals cannot be consecutive numbers; only integers can!
• You can even have consecutive even integers: 2, 4, 6, 8…

Properties of Zero:

• 0 is even
• 0 plus any other number is equal to that number
• 0 multiplied by any other number is equal to 0.

Positives and Negatives:

• pos x pos = pos
• neg x neg = pos (“two wrongs make a right” is my memorization tool)
• pos x neg = neg

Even or odd?

• Any number that can be cleanly divided by 2 is even (i.e. no remainder)
• Any number that cannot be cleanly divided by 2 is odd (i.e. has a remainder)
• Zero is even
• Fractions are neither even nor odd
• Any integer is even if its units digit is even, and odd if its units digit is odd
• Multiplying and adding odd and even integers
• even x even = even
• odd x odd = odd
• even x odd = even
• even + even = even
• odd + odd = even
• even + odd = odd

Absolute Value:

• Absolute value is how far away a number is from zero
• Absolute value is always a positive integer whether or not the number in question is positive or not

Prime Numbers:

• A number is prime when it is only divisible by itself and the number 1
• Here’s all the prime numbers less than 30: 2,3,5,7,11,13,17,19,23,29
• Zero is not a prime number
• 1 is not a prime number
• 2 is the only even prime number
• Prime numbers are always positive integers. There’s no such thing as a negative prime number

Rules of Divisibility:

• An integer is divisible by 2 if its units digit is divisible by 2. For example, 598,447,896 is divisible by 2 because the units digit (6) is divisible by 2.
• An integer is divisible by 3 if the sum of its digits is divisible by 3. For example, 2,145 is divisible by 3 because (2+1+4+5 = 12) is divisible by 3.
• An integer is divisible by 4 if its last 2 digits form a number that’s divisible by 4. For example, 712 is divisible by 4 because 12 is divisible by 4.
• An integer is divisible by 5 if its units digit is either 0 or 5
• An integer is divisible by 6 if it’s divisible by both 2 and 3
• An integer is divisible by 9 if the sum of its digits is divisible by 9
• An integer is divisible by 10 if its units digit is 0

Remainders:

• When one integer cannot be divided evenly by another, the remainder is what is left over after the division
• When one integer divides evenly by another the remainder is zero (no remainder)

Factors:

• A number is a factor of another number if the second number can be divided by the first with no remainder
• Factors of 12: 1,2,3,4,6,12
• Best to write factors in pairs to make sure you get them all:
• 1 and 12
• 2 and 6
• 3 and 4

Multiples:

• A multiple of a number is that number multiplied by an integer
• Multiples of 10: -20 (10 x -2), -10 (10 x -1), 10 (10 x 1), 20 (10 x 2), etc…

There’s obviously far more to the GRE than these simple concepts but some are quite handy and will make short work of doing calculations for the GRE. Yea, you can’t use a calculator at all. Fire up those neurons!

I’ve been happily using FreeBSD 7.2 on my IBM Thinkpad T40 and decided it was time to upgrade to the latest and greatest: FreeBSD 8. FreeBSD 8.0 brings many changes to the base system, but one of the more significant ones is the configuration of wireless (802.11) networking. After a bit of mucking around, I’ve figured out some interesting things that relate to wireless, especially on the Thinkpad T40.

The biggest change is that you no longer configure the physical device interface. That is, no more “ifconfig_” where interface is either ath or ipw or some variation. Instead, you create a pseudo-interface, map it to the physical interface, and from there, configure your IP settings on the pseudo interface.

Another important point is the the existing ipw2100 driver that the Thinkpad relies on is horribly broken in FreeBSD 8. This means we’ll have to configure the interface using NDIS instead. Don’t worry though, it’s not that difficult.

To begin, go to the Lenovo website and download the wireless drivers. There are several there, so be sure to grab the one for the Intel 2100 802.11b wireless interface. The filename should be 1rwc89ww.exe. Unfortunately, you’ll need a nearby Windows machine to decompress the executable. Alternatively, you could probably download the same driver from Intel’s website directly, but it’s likely to be a self-extracting executable as well. Regardless of which method you use to obtain the driver, the two files we’re interested in are named W70N501.INF and W70N51.SYS. The first file describes how to install the driver on a Windows computer and the second file is the actual driver itself.

Next, we need to convert the Windows driver to a kernel module that FreeBSD understands. To do this, go to the directory containing the two files mentioned above and type “% ndisgen W70N501.INF W70N51.SYS”. From here, the ndisgen utility will prompt you for a few questions. Just continue to keep hitting enter. Note that you’ll want to have a source tree on your system that is in sync with your kernel so ndisgen is able to build a kernel module. Consult the FreeBSD handbook in order to learn how to synchronize a source tree to your system. When finished, you should see a new file named W70N51_SYS.ko in your directory. Copy this file to the /boot/modules directory. You might even convert it to lower case to make things easier.

Now that we have a suitable driver in place, we need to load up the ndis API. To do this, type “sudo kldload if_ndis” and “sudo kldload ndis”. To load our fancy new driver, type “sudo kldload W70N51_SYS” (or the lower case equivalent if you changed case). We’re now ready to configure IP addressing.

I’ll take the simplest use case and assume you’re using WPA authentication and getting an IP address via DHCP. Add the following lines to /etc/rc.conf

#Wireless
wlans_ndis0=”wlan0″
ifconfig_wlan0=”WPA DHCP”

The first line incorporates the new wireless interface in FreeBSD 8. It creates a “wlan0″ pseudo-interface and maps it to the physical ndis interface. The second line simply tells the ifconfig command to use WPA authentication and to grab a dynamic IP. Next, add the following to your /boot/loader.conf to make these changes permanent:

#Wireless
if_ndis_load=”YES”
W70N51_SYS_load=”YES”

At this point, you can either reboot the laptop or restart networking using “/etc/rc.d/netif restart”. If you choose to restart networking, you might have to manually create the pseudo-interface using the following command: “ifconfig wlan0 create wlandev ndis0″. If you are upgrading your laptop, you may wish to remove all the ipw* entries from both configuration files as they are no longer needed.

Using this configuration, one odd bug I’ve run into is that my wireless interface comes up and associates with the WAP but I do not get an IP address. I suspect that this could possibly be due to the fact that the DHCP server is on a different box, but I’ll have to run a few debugs to see where it’s sticking.

Using ndis, while a little clunky initially, has proven to be a much better replacement for the built in ipw driver. While I was on FreeBSD 7.2 and even Linux, my wireless interface would frequently reload the driver firmware. I’m told that’s due to a bursting configuration on the WAP but I don’t have bursting enabled and no other wireless device on my network displays the same behavior. Along with the cool changes in FreeBSD 8, this makes BSD on my laptop that much more enjoyable!

Recently I was mucking around with some stuff on my FreeBSD laptop (7.2) and caused my system to lock up completely. Not thinking much of it, I rebooted the system and everything seemed normal. I went about my business and needed to install some software. I tried to ’su’ on the system (sudo wasn’t yet installed) and got the message “su: who are you?”. Ugh… I took a look at my ‘/etc/passwd’ database and found that it contained parts of ‘/etc/resolv.conf’ and a lot of gibberish. Looks like UFS’s lack of journaling struck again.

Just for grins, I tried to change my password using the ‘passwd’ command and got the same message. After a few Google searches, I ran across the pwd_mkdb command. The man page for this command points you towards ‘/etc/master.passwd’ but again, in my case, it was corrupted. Ugh.

Since I’m an avid user of FreeBSD, I have plenty of systems from which I can copy the password database. So, fingers crossed, I booted my laptop into single user mode and copied the master password database over on a USB flash drive. I then issued the ‘#pwd_mkdb /etc/master.passwd’ command (I copied over the corrupted master password database) and it didn’t return any errors. Fingers still crossed, I rebooted and was pleasantly surprised to no longer see all the “unknown user” messages. After successfully logging in as root, I was able to change my passwords back to what they were using the regular ‘passwd’ command. Whew!

Now that I’ve switched to Gentoo Linux, I had to learn a few tricks about getting my favorite software installed. One application I can’t live without is GNS3, or the Graphical Network Simulator. It allows you to easily simulate a network of Cisco routers in an easy to use, drag and drop interface. I’ve used it to study for a number of Cisco certification tests (and pass them too!) and it really helps. If you have access to a few IOS images that Dynamips supports, I encourage you to install GNS3 to simplify your studies.

Getting GNS3 installed under Gentoo Linux takes a little more work since Gentoo is a source distro (you have to compile the software yourself) but is well worth the effort.

Read on and find out how to get GNS3 working in Gentoo Linux!

Finishing out my Cisco studies (for now), I’ve finally passed the Cisco MPLS (642-611) exam. I have to say, this exam is probably the hardest Cisco exam I’ve taken to date. It even made the QOS exam seem easy. As usual, the easiest way to pass is to know the topics cold. In addition to the test topics, here’s what I recommend knowing:

• MPLS Fundamentals
• Intricacies of MPLS VPNs
• Differences between different types of Internet access
• Configuration of all MPLS topics

By fundamentals, I don’t mean just knowing that LDP runs on TCP port 646. You’ll want to know the nitty gritty details about cell mode and frame mode differences, exactly how labels work, and how labels are distributed throughout the network, among other things.

MPLS VPNs are pretty complicated topic, with such topics as VPN label stacks, route targets, and address families. Knowing those topics, as well as knowing redistribution and how the various routing protocols are configured will help you get past the finish line.

For some reason, Cisco documentation on MPLS Internet access is a bit sparse. I can’t really recommend anything other than picking up a good book on MPLS. Ignore the recommended Cisco Press books; they’re horribly out of date and are priced like they just came out. I recommend both the MPLS Fundamentals book and the MPLS Configuration on Cisco IOS books.

Lastly, you need to know the configuration topics like the back of your hand. To learn them, you’ll either want access to a rack of routers (and ATM switches if you’re lucky) or you can use something like GNS3 and dynamips. This is where the MPLS Configuration book really shines. Aside from teaching you all the basic topics, it also shows you how to configure all the advanced stuff. When you can configure advanced MPLS VPNs such as central service MPLS VPNs without referring to any material, you’re probably good to go. Don’t forget about managed MPLS VPN services like ODAP and NAT.

Overall, the test isn’t impossible but it’s no walk in the park. With plenty of book study and hands on time on some routers, test day should turn out successfully.

I have to admit, I’m a bit of a glutten for punishment. For some reason, I actually enjoy the challenge of lesser-known distributions. While I’ve been taking a good hard look at FreeBSD and how it might meet my needs, it is still lacking several key applications I rely on: VirtualBox (yes, it’s in ports, but have you actually gotten it to work? I haven’t) and the  Adobe Flash player (tried gnash, didn’t work. Adobe won’t cough up an amd64 FreeBSD player). Granted, these are minor hiccups but other things are also keeping me from using FreeBSD on my main desktop.

To that end, I’ve been happily using Debian Lenny. It’s nice because it generally works on anything you throw at it and the apt utility can’t be beat for software management. Apt can also be a royal pain in the ass. I tried for hours to get it to play nicely and install mplayer with the codecs I wanted but there seemed to be a “stuck” package on my system that wouldn’t upgrade. My other annoyance with apt is that applications aren’t always updated as fast as they should be. The main one that comes to mind is Pidgin, the IM client that connects to all the different messenging networks. Again, I wrestled with apt for weeks, trying to get the latest greatest version of Pidgin without having to move over to Sid. I even tried using the backports repository. Still no dice.

That’s when I started thinking about FreeBSD again. I’ve been using it successfully on a new laptop I’ve got (article on that to follow at some point) but there my requirements are much less. So then I thought about Gentoo. Gentoo has all the Linux goodness and a system called portage that isn’t unlike the FreeBSD ports tree. In fact, portage was inspired by FreeBSD’s ports system! So I set out to install Gentoo on my main desktop box.

I’ve got fairly vanilla hardware so I was sure that it was all supported. (specs: Intel Core2 Quad Q6600, 6 GB PC-8500 RAM, 2x 1 TB hard drives (one for backup), EVGA Geforce 9500 GT, Intel Pro/1000 NIC, Gigabyte EP45-3DSL motherboard, Logitech USB mouse and keyboard) I was happy to see that I was right. I simply burned a CD of the weekly minimal installer CD and booted up. Gentoo is interesting because unlike most other distributions of Linux, you aren’t confronted with a happy graphical installer. Nope, you get dropped to a root prompt and have to go from there. Fortunately, the documentation is impeccable and very easy to follow. To take full advantage of my hardware, I followed the AMD64 guide, located here. I was lazy when I installed and opted to use Gentoo’s “genkernel” package to build my kernel for me. I may trim down my kernel at a later point and remove all the junk that’s not needed. After about 45 minutes, I had a bare system up and running.

The fun part is deciding where to take it from there. Since I’m using this machine as a desktop box, I installed Xorg and my current favorite window manager, XFCE. Like FreeBSD, Gentoo compiles all software from source code so you can really take advantage of your hardware. Unlike FreeBSD, however, Gentoo’s portage system is a lot easier to use. Instead of drilling down the ports tree to find what you want, then issuing a “make install clean”, you simply use the ‘emerge’ utility. This is as simple as “emerge –search <someapp>” to search for something and then “emerge <someapp>” to install it. emerge is definitely more powerful than that (I’m using it to update my entire system as I’m writing) so it’s well worth either looking at the man page or the online documentation.

I did run into a few kinks along the way. After having a base system installed along with XFCE, I wanted sound so I can listen to some tunes while working. Since genkernel pretty much gives you a kitchen sink kernel, ALSA support was already in the kernel (which by the way, is how it’s supposed to be moving forward I’m told). The only thing I had to do was to emerge the alsa-utils port so I’d get the mixer app and startup scripts. Documentation for that is located here.

The other kink I ran into was the need to dual boot that other OS. Yes, I still play the occasional game here and there but by and large, my days are spent in Linux doing stuff. The grub section under the installation guide is helpful, but not in a case where you’ve got Windows installed on a different drive. The problem is that Windows wants to be on the first drive and can’t fathom why you’d want to boot into any other OS. To remedy this, I added the following information to my grub.conf file:

title Windows XP
        rootnoverify (hd2,0)
        map (hd0) (hd2)
        map (hd2) (hd0)
        chainloader +1

In my case, my Windows drive is the third physical hard disk installed (the first being the Linux installation and the second being the backup drive). Remember,  in Grub-land, hard disks start at zero. Since Windows doesn’t like not being the first drive, you have to trick its boot loader into thinking it is. This is where the map commands shown above come in handy. The last line just tells grub to seek 1 sector from the start of the partition (usually the boot sector).

So far I’m really impressed with Gentoo. I no longer have to worry about conflicts (emerge takes care of it for you) or outdated packages (emerge builds the latest/greatest depending on your system profile). My system is clean, has only what I actually use, and I have a far more thorough understanding of what’s going on. What’s not to like??

I SSH between my many computers several times in the course of a day. Today when I went to SSH to my web server I couldn’t quite figure out what was wrong. I could ping the IP address but SSH just didn’t want to work. I tried restarting the SSH daemon and when that didn’t work, I rebooted the entire box. After it still didn’t work, it finally hit me: I forgot to renew my domain name and it was set to expire on July 17th! To confirm, I did a simple dig lookup:

; <<>> DiG 9.4.2-P2 <<>> xaero.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46405
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 20 13:08:14 2009
;; MSG SIZE  rcvd: 124

Oops!! Needless to say, I very quickly renewed my domain name and within a few short hours my nameservers were happily serving up DNS again. Thankfully my registrar provides a grace period for renewing expired domains so they don’t immediately get thrown back into the available pot. Next time I’ll stamp a sticky note on my forehead.

I’ve been looking for ways to improve the performance of my web site. Now that the biggest hurdle (MySQL) has seen dramatic improvements on FreeBSD (see article here), the only other hurdle really is PHP.

With a few quick Google searches, I found this article. The author details several of the tools needed to improve Wordpress performance, but the one in general that helps seems to be eaccelerator, a PHP cacheing extension. I’ve noticed a dramatic improvement in performance so far. So what do you think? Is my site any faster?