Archive for the ‘Tweaks/Hacks’ Category

Configuring a 6to4 tunnel on the pfSense firewall

March 2nd, 2010 Chris

If you’ve read my article on connecting to the IPv6 Internet, you should be familiar with the principles of IPv6 over IPv4 connectivity and have some basic IPv6 knowledge.

I’ve wanted to use IPv6 with my pfSense firewall for quite some time but it seems that the developers don’t want to be bothered supporting it. Fear not! There is a way to get IPv6 connectivity, though it won’t work through the GUI.

I won’t go into a great amount of detail on configuring your end PCs for IPv6 connectivity except to say that it’s generally turned on by default for Linux, you need to set ipv6_enable="YES" in /etc/rc.conf and reboot for FreeBSD, and you need to install the IPv6 protocol in Windows XP (newer versions have it enabled by default). From that point on, your computer should send out router solicitation messages, rtadvd on your pfSense firewall will answer them with router advertisements, and your computer will autoconfigure an IPv6 address from the advertised prefix.

For the remainder of this article, I’m using this article (cached version here) as my template. That article is intended for native IPv6 connectivity, not tunneled connectivity. Also note that you should already have an IPv6 over IPv4 tunnel configured. I suggest using a provider such as Hurricane Electric. Lastly, once you have a tunnel configured, you’ll want to allow pings from the tunnel’s endpoint to your router so the provider knows your side is up. I enabled this by going to Firewall/Rules and adding a ping rule that allows only the IPv4 tunnel endpoint to ping your firewall’s external IP. Use ICMP, then Any ICMP type, then specify the host IP of the remote tunnel endpoint as the source. Don’t forget to apply it!

For your pfSense box, you’ll want to be running the latest release (1.2.3-RELEASE as of this writing). Be sure to enable SSH from the web GUI since you’ll need shell access. For your tunnel settings, I’ll assume the following addresses:

  • WAN IPv6 IP: 2001:db8:0:1::2
  • WAN IPv4 IP: 192.0.2.2
  • WAN IPv4 Tunnel Destination: 192.0.2.15
  • LAN IPv6 allocation: 2001:db8:0:2::/64

Log into your firewall using the credentials you configured when you first set it up. At the menu, use option 8 to drop to a shell. Next, create the following file:

#!/bin/sh
# Bring up the IPv6-in-IPv4 tunnel (gif0) and advertise the LAN /64.
# IFOUT = outside (tunnel) interface
# IFIN  = inside (LAN) interface; change this to your LAN interface name
# DFGW  = IPv6 default gateway (the provider's end of the tunnel)
IFOUT="gif0"
IFIN="bge0"
DFGW="2001:db8:0:1::1"

####### Configure the stuff

# Configure the tunnel interface: local and remote IPv4 endpoints, then our IPv6 address
ifconfig $IFOUT create
ifconfig $IFOUT tunnel 192.0.2.2 192.0.2.15
ifconfig $IFOUT inet6 2001:db8:0:1::2 prefixlen 64
ifconfig $IFOUT up

# Give the LAN interface the first address of the LAN /64
ifconfig $IFIN inet6 alias 2001:db8:0:2::1 prefixlen 64

# Set the IPv6 default route through the tunnel (only once; a second add fails with "File exists")
route -n add -inet6 default $DFGW

# Configure IPv6 forwarding between the LAN and the tunnel
sysctl net.inet6.ip6.forwarding=1

# /etc/rtadvd.conf must contain an entry for $IFIN; mine looks like this
#
# bge0:\
#   :addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:
#
# Start rtadvd on the LAN interface so clients autoconfigure from the /64
/usr/sbin/rtadvd -d -D -c /etc/rtadvd.conf $IFIN

Save this file as 00_config-ipv6-if.sh under /usr/local/etc/rc.d/ so it runs automatically at boot, and chmod it to 755 so it is executable. Don’t forget to change the inside interface (IFIN) to the name of your LAN interface; the same name must be used in /etc/rtadvd.conf below.

Next we need to configure the pf firewall to allow the tunnel to work. Create a file with the following contents:

#!/bin/sh
# Add IPv6 pass rules to the ruleset pfSense generated at boot.
# IFOUT = outside (tunnel) interface
# IFIN  = inside (LAN) interface
IFOUT="gif0"
IFIN="bge0"

####### Configure the stuff

# Configure PF
# pfSense writes its generated rules to /tmp/rules.debug for debugging purposes after boot.
# We take these rules, insert our IPv6 additions after the "User-defined rules follow"
# marker (p keeps the marker line, s replaces it with our rules; the trailing backslashes
# continue the replacement over several lines), load the result with pfctl, and then
# disable and re-enable PF.
sed "/User-defined rules follow/{
p;s/.*/\
pass in quick on $IFIN inet6 from any to any\\
pass out quick on $IFIN inet6 from any to any\\
pass out quick on $IFOUT inet6 from any to any\\
pass quick proto ipv6-icmp from any to any\\
# pass in on $IFOUT inet6 proto tcp from any to any port 22\\
/;}" /tmp/rules.debug > /tmp/rules.config-ipv6.txt

# Read the new PF configuration file. Note that pfctl -f replaces the running ruleset
# by itself; while PF is disabled by pfctl -d, packets are passed unfiltered.
pfctl -f /tmp/rules.config-ipv6.txt
pfctl -d; pfctl -e

Save this file as 10_config-ipv6-pf.sh under /usr/local/etc/rc.d/ and chmod it to 755 so it can execute on startup.

Lastly, create /etc/rtadvd.conf and add the following to it (the interface name must be the LAN interface you set as IFIN in the first script):

bge0:\
	:addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:

Save that file. At this point you can either reboot your pfSense box or execute the two scripts. You should have IPv6 connectivity through your tunnel. You can test it using traceroute6 and ping6. Another great test to try is to go to http://ipv6.google.com. If the logo bounces, you have IPv6 connectivity.
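As an added example that is not part of the original post, here is a variant of the second script that splices the same rules in with awk instead of sed, narrows the ICMPv6 rule to the types that ping, error reporting and neighbor/router discovery need, and parse-checks the result with pfctl -nf before loading it, so a typo never leaves the firewall without rules. The marker line, interface names and file paths are the ones the post uses; the ICMPv6 type list is my choice.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes pfSense 1.2.3's pfctl and the
# "# User-defined rules follow" marker in /tmp/rules.debug described in the post.
IFOUT="gif0"   # tunnel interface, as in the post
IFIN="bge0"    # LAN interface, as in the post (change to yours)

# ipv6_rules: the pass rules to insert, printed to stdout. The ICMPv6 rule is
# limited to echo, the error messages path MTU discovery relies on, and
# neighbor/router discovery, instead of the post's "any ICMPv6".
ipv6_rules() {
    cat <<EOF
pass in quick on $IFIN inet6 from any to any
pass out quick on $IFIN inet6 from any to any
pass out quick on $IFOUT inet6 from any to any
# ICMPv6: echo, error reports, and neighbor/router discovery only
pass quick inet6 proto ipv6-icmp from any to any icmp6-type { echoreq, echorep, unreach, toobig, timex, paramprob, neighbrsol, neighbradv, routersol, routeradv }
EOF
}

# splice_ipv6_rules SRC DST: copy SRC to DST, inserting the rules right after the
# "User-defined rules follow" marker. Returns 1 if the marker is missing, so a
# changed pfSense ruleset layout is noticed instead of silently producing a
# file with no IPv6 rules in it.
splice_ipv6_rules() {
    src="$1"; dst="$2"
    grep -q 'User-defined rules follow' "$src" || return 1
    rules=$(ipv6_rules)
    awk -v rules="$rules" '{ print } /User-defined rules follow/ { print rules }' "$src" > "$dst"
}

# load_rules FILE: parse-check with pfctl -nf first; only then replace the running
# ruleset with pfctl -f, which swaps rulesets in one step. No pfctl -d / pfctl -e
# cycle is needed, and skipping it avoids the moment where traffic passes unfiltered.
load_rules() {
    pfctl -nf "$1" || { echo "ruleset rejected; current rules kept" >&2; return 1; }
    pfctl -f "$1"
}

# Only act on a box that actually has pfctl and pfSense's generated ruleset;
# elsewhere (e.g. when sourced for testing) the functions are merely defined.
if [ -r /tmp/rules.debug ] && command -v pfctl >/dev/null 2>&1; then
    splice_ipv6_rules /tmp/rules.debug /tmp/rules.config-ipv6.txt &&
        load_rules /tmp/rules.config-ipv6.txt
fi
```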

Enjoy!

Updating a ZFS on Root installation in FreeBSD 8

February 14th, 2010 Chris

Ever since ZFS became production ready on FreeBSD 8 (and backported to 7), I’ve been itching to switch to using it and getting rid of UFS. For one, UFS is OLD. It was first used in 4.2BSD if that gives any indication. The most salient problem with UFS is the lack of real journaling. True, you have the soft-updates feature, but soft-updates are an alternative to journaling. This may not be a problem for users with older hardware and smaller hard disks, but with today’s multi-terabyte drives, a power failure or system crash can lead to painfully long waits as fsck verifies the consistency of your file system.

To that end, I followed this handy guide to installing a FreeBSD system on a pure ZFS-only setup. Note that you’ll end up with a system with no traces of UFS whatsoever, meaning you have to use the ZFS bootloader and can’t dual boot anymore. If that’s not to your liking, have a look at the index of ZFS on root guides. If you need to dual boot, you’ll want to follow one of the MBR guides. For my needs, if I find myself needing to boot to another operating system, I simply hit F12 when my system is performing a POST test and choose a different drive to boot to. It’s simple and separates your operating systems so they don’t affect one another. Another alternative is to use virtualization if your needs aren’t too demanding.

One thing none of the ZFS on root guides show you is also one of the most important: how to update and rebuild your system! If you’re a developer you probably already know how to do this, but for the rest of us, it’s important to know how to properly update your system when needed.

To begin, you’ll want to sync your source tree. Instructions for that are located in the handbook, but it really boils down to using csup to synchronize source from a cvsup server to your local machine. If you do anything that requires building a kernel module, you’re probably familiar with this. With your source tree synchronized to your desired version of FreeBSD, you can follow the handbook guide to rebuilding world.

Once you have installed the kernel, reboot into single user mode as the guide tells you. Issue the “mount” command. You’ll notice that no filesystems are mounted except for devfs and the root ZFS filesystem you marked as legacy. The handbook tells you to use “mount -a -t ufs” but obviously this won’t work since we have banished UFS from our FreeBSD box. To mount all the ZFS mountpoints you have, simply use “zfs mount -a”. This should mount everything except for / (root) as read-write. To make the root file system writable, use “mount -uw /” and then “mount -a” to mount anything else. The “-u” option changes the options of an already mounted file system and “-w” makes it read-write, so you can write to that mount point. At this point you should be able to use mergemaster and installworld to finish rebuilding your system. One important task you must do before rebooting into your updated system is to install updated boot code. This is done with the following command after installing the new world: “gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 disk” where disk is the name of the drive you installed to (usually ad0). With this, you should have an updated system with ZFS as your file system!

Enjoy!

Configuring wireless networking on a Thinkpad T40 on FreeBSD 8

February 1st, 2010 Chris

I’ve been happily using FreeBSD 7.2 on my IBM Thinkpad T40 and decided it was time to upgrade to the latest and greatest: FreeBSD 8. FreeBSD 8.0 brings many changes to the base system, but one of the more significant ones is the configuration of wireless (802.11) networking. After a bit of mucking around, I’ve figured out some interesting things that relate to wireless, especially on the Thinkpad T40.

The biggest change is that you no longer configure the physical device interface. That is, no more ifconfig_interface lines in rc.conf, where interface is ath0, ipw0 or some variation. Instead, you create a wlan pseudo-interface, bind it to the physical interface, and from there, configure your IP settings on the pseudo-interface.

Another important point is that the existing ipw2100 driver that the Thinkpad relies on is horribly broken in FreeBSD 8. This means we’ll have to configure the interface using NDIS instead. Don’t worry though, it’s not that difficult.

To begin, go to the Lenovo website and download the wireless drivers. There are several there, so be sure to grab the one for the Intel 2100 802.11b wireless interface. The filename should be 1rwc89ww.exe. Unfortunately, you’ll need a nearby Windows machine to decompress the executable. Alternatively, you could probably download the same driver from Intel’s website directly, but it’s likely to be a self-extracting executable as well. Regardless of which method you use to obtain the driver, the two files we’re interested in are named W70N501.INF and W70N51.SYS. The first file describes how to install the driver on a Windows computer and the second file is the actual driver itself.

Next, we need to convert the Windows driver to a kernel module that FreeBSD understands. To do this, go to the directory containing the two files mentioned above and type “ndisgen W70N501.INF W70N51.SYS”. From here, the ndisgen utility will prompt you with a few questions. Just keep hitting Enter to accept the defaults. Note that you’ll want to have a source tree on your system that is in sync with your kernel so ndisgen is able to build a kernel module. Consult the FreeBSD handbook in order to learn how to synchronize a source tree to your system. When finished, you should see a new file named W70N51_SYS.ko in your directory. Copy this file to the /boot/modules directory. You may want to rename it to lower case to make typing easier.

Now that we have a suitable driver in place, we need to load the NDIS compatibility modules. To do this, type “sudo kldload if_ndis” and “sudo kldload ndis”. To load our fancy new driver, type “sudo kldload W70N51_SYS” (or the lower case equivalent if you renamed it). We’re now ready to configure IP addressing.

I’ll take the simplest use case and assume you’re using WPA authentication and getting an IP address via DHCP. Add the following lines to /etc/rc.conf:

#Wireless
wlans_ndis0="wlan0"
ifconfig_wlan0="WPA DHCP"

The first line incorporates the new wireless interface model in FreeBSD 8. It creates a “wlan0” pseudo-interface and maps it to the physical ndis interface. The second line simply tells the ifconfig command to use WPA authentication and to grab a dynamic IP. Next, add the following to your /boot/loader.conf to make these changes permanent:

#Wireless
if_ndis_load="YES"
W70N51_SYS_load="YES"

At this point, you can either reboot the laptop or restart networking using “/etc/rc.d/netif restart”. If you choose to restart networking, you might have to manually create the pseudo-interface using the following command: “ifconfig wlan0 create wlandev ndis0”. If you are upgrading your laptop, you may wish to remove all the ipw* entries from both configuration files as they are no longer needed.

Using this configuration, one odd bug I’ve run into is that my wireless interface comes up and associates with the WAP but I do not get an IP address. I suspect that this could possibly be due to the fact that the DHCP server is on a different box, but I’ll have to run a few debugs to see where it’s sticking.

Using ndis, while a little clunky initially, has proven to be a much better replacement for the built in ipw driver. While I was on FreeBSD 7.2 and even Linux, my wireless interface would frequently reload the driver firmware. I’m told that’s due to a bursting configuration on the WAP but I don’t have bursting enabled and no other wireless device on my network displays the same behavior. Along with the cool changes in FreeBSD 8, this makes BSD on my laptop that much more enjoyable!

How to recover a corrupted password database in FreeBSD

December 10th, 2009 Chris

Recently I was mucking around with some stuff on my FreeBSD laptop (7.2) and caused my system to lock up completely. Not thinking much of it, I rebooted the system and everything seemed normal. I went about my business and needed to install some software. I tried to ’su’ on the system (sudo wasn’t yet installed) and got the message “su: who are you?”. Ugh… I took a look at my ‘/etc/passwd’ database and found that it contained parts of ‘/etc/resolv.conf’ and a lot of gibberish. Looks like UFS’s lack of journaling struck again.

Just for grins, I tried to change my password using the ‘passwd’ command and got the same message. After a few Google searches, I ran across the pwd_mkdb command. The man page for this command points you towards ‘/etc/master.passwd’ but again, in my case, it was corrupted. Ugh.

Since I’m an avid user of FreeBSD, I have plenty of systems from which I can copy the password database. So, fingers crossed, I booted my laptop into single user mode and copied the master password database over on a USB flash drive. I then issued the “pwd_mkdb /etc/master.passwd” command (I copied over the corrupted master password database) and it didn’t return any errors. Fingers still crossed, I rebooted and was pleasantly surprised to no longer see all the “unknown user” messages. After successfully logging in as root, I was able to change my passwords back to what they were using the regular ‘passwd’ command. Whew!

How to improve Wordpress performance

June 2nd, 2009 Chris

I’ve been looking for ways to improve the performance of my web site. Now that the biggest hurdle (MySQL) has seen dramatic improvements on FreeBSD (see article here), the only other hurdle really is PHP.

With a few quick Google searches, I found this article. The author details several of the tools needed to improve Wordpress performance, but the one that helps most seems to be eaccelerator, a PHP opcode caching extension. I’ve noticed a dramatic improvement in performance so far. So what do you think? Is my site any faster?

FreeBSD 7 on a Thinkpad T40 update

April 18th, 2009 Chris

Not too long ago I wrote a how-to article on how to get FreeBSD 7.0 working on my IBM Thinkpad T40. Among other things, I omitted a section on getting proper video drivers working. The graphics chip is an ATI RV250 (Mobility 9000). This means the driver you should use is the ‘radeon’ driver. Use ‘pciconf -lv | grep ATI’ to see which chip you’ve got. After toiling a bit with it, I figured out how to get the Open Source ATI drivers working.

Because I want to generally keep my systems pretty current, I recently installed FreeBSD 7.1 on my T40. It’s important to know that the FreeBSD project generally breaks up development into three separate releases, namely CURRENT, STABLE, and RELEASE, in order of most bleeding edge to most stable. After building Xorg 1.6.0, I tried to start an X session just to see if I would get the ugly TWM desktop. To my surprise I got just a black screen but that was it. Even more surprising was that the usual “three finger salute” (ctrl + alt + backspace) didn’t kill my X session. I then hit ‘alt + F2′ to log into another vty and manually kill off X. Here’s where the fun began. It killed more than X; it locked my entire machine up. I continued futzing with my xorg.conf, kernel modules, and locking my system up for a good hour. I then threw in the towel and wound up asking a friend who’s a FreeBSD developer WTF was going on. I learned a few interesting facts:

  • The DRM code in 7.1 was more than 2 years old
  • It is not necessary to manually load or pre-load any kernel modules for video
  • X.org should work well with ATI graphics cards (but the amd64 release may not work) since the ATI driver model has had substantial structural changes to it.

On the first point, there’s two ways around the old code: Either download/burn/install the FreeBSD 7.2 release candidate or rebuild world. Since I’m a glutton for punishment, I decided to rebuild world. It’s not actually that hard, just time consuming. Use the ‘csup’ utility to grab the entire CVS source tree from your nearest csup server and follow the directions listed here to rebuild your system using the RELENG_7 tree.

The second point is easy enough. There’s no need to add anything to your /boot/loader.conf file in order to get X working. X.org will load any necessary kernel modules when you type ‘startx’. As an interesting aside, I actually locked my system up when attempting to unload the radeon.ko kernel module after I had learned that preloading isn’t necessary. Doh!

Once you’ve rebuilt your system and are running 7.2-STABLE, it probably wouldn’t be a bad idea to rebuild your installed ports. This isn’t necessary per se since X.org should work without even building a config file, but it is a good step, just to make sure everything is up to date. I use the portupgrade utility located in /usr/ports/ports-mgmt/ with the following: portupgrade -aRr. That upgrades all outdated ports, recursively including the ports they require (-R) and the ports that depend on them (-r).

I’ll expand on the last point a bit. ATI has been much more generous with contributing documentation to the Open Source community than Nvidia. In fact, Nvidia hasn’t contributed anything other than a proprietary driver for Linux and FreeBSD, though there’s a project called Nouveau which aims to build an Open Source Nvidia driver. Because of this, FreeBSD has Open Source ATI drivers (/usr/ports/x11-drivers/xf86-video-radeonhd and /usr/ports/x11-drivers/xf86-video-ati) and using the old proprietary fglrx driver is no longer necessary. There’s one hiccup to this though. The driver has to be re-worked every time a new ATI chip comes out. To solve this, ATI is moving towards the same unified driver model Nvidia has used for years and taking it a step further. They now have an Open Source BIOS abstraction layer called ATOMBios. The idea is to make it easier to deploy drivers for new graphics cards more rapidly. Read all about that in this article. Bravo ATI!

By the time you finish reading this, your ports should be up to date and you should be able to use hardware accelerated ATI drivers on your Thinkpad. I’m running XFCE4 on my Thinkpad and it’s causing me to reevaluate the old “FreeBSD vs. Linux” question. Maybe I’ll spend a little more time working on the other parts that I overlooked in my article.

Enjoy!

Installing Handbrake on Debian GNU/Linux

February 8th, 2009 Chris

I don’t actually watch that many movies but occasionally I want to back them up or convert them to a more convenient format. To date, I’ve been using the excellent Handbrake utility on my PowerMac G5 for my video conversion needs. Since I waved goodbye, I now needed at least the same functionality on my Linux machine. Fortunately, Handbrake is open source and under GPL license so it also has a GTK-based Linux equivalent. To get it installed, you’ll need to edit your apt sources and add the following:

#Handbrake
deb http://www.debian-multimedia.org sid main

You’ll notice I specifically used the “sid” release. There is no “stable” prepackaged binary for Handbrake yet unless you’re on Ubuntu, so you have to specify sid. It works regardless so not to worry. With that line added, save the file and install:

$ sudo apt-get update
$ sudo apt-get install handbrake-gtk

It should install the requisite binaries without a hitch and add Handbrake to your menu under “Multimedia” if you’re using Gnome or XFCE (I don’t use KDE so I couldn’t tell ya). Here’s a screenshot from my machine for the ever-curious:

[Screenshot: Handbrake GTK running on my Debian machine]

Enjoy!

Installing the official Nvidia drivers on a Debian system

January 18th, 2009 Chris

Since I’m doing the Linux thing, I’m going to start writing more informational articles describing handy tips that I feel are useful. If you read my last post, you’d know I’m now using a Debian GNU/Linux system that has an Nvidia video card.

Video has always been a bit of a sore spot in the Linux and Unix world. It wasn’t until the late 1980s that Unix systems even had a graphical subsystem (XWindows, as it is still known). Even today, the hardest part of bringing up a usable Unix-based system is getting the video adapter to work with XWindows. Today, most systems use a fork called Xorg.

While it would seem that the only video card you can buy will either contain an Nvidia or ATI chip, that’s not entirely true. It is interesting (at least to someone like me) that Nvidia graphics cards are more often seen on Linux-based systems and ATI-based cards are more often seen in the BSD world (Free/Net/Open). Probably just a coincidence, but when I read forum posts, that’s what I tend to see. Since we’re talking about Linux in this article, let’s get down to the business of installing some accelerated drivers for our Nvidia-based card.

One of the first places to look is the Nvidia Driver Debian wiki. Per the wiki, there are two ways to install the driver. The first method is the Debian method, which, while easier, may lag behind the current driver versions. I chose the second method, which involves downloading the driver binary from Nvidia’s website and manually installing it. There are a few caveats, namely that the install can go wrong, the driver may not work, or it may need reinstalling if you upgrade your kernel, since the installer compiles a kernel module against the running kernel. I didn’t run into any installation problems but I would imagine that I’d have some difficulties if I upgraded my kernel. Nothing terrible to worry about though.

One thing to note is that driver availability for older Nvidia cards (made before 2005) is probably non-existent. So while you can probably get by using the generic VESA driver, you probably will no longer be able to use the latest Nvidia driver and therefore the 3D acceleration. See this section on the Debian Nvidia wiki for more info.

First, download the driver from here: driver download. Do remember that this driver is a proprietary, closed source driver. If that offends you, you should probably stop here. My understanding is that there is an open source Nvidia driver on the way, so if you don’t need 3D acceleration (obviously you haven’t tried Compiz Fusion), this article isn’t for you. I’m willing to bite the bullet and install a non-free driver for the sake of fully utilizing my hardware and will certainly move to the open source version when it shows up.

Next, you’ll want to download your kernel source. Actually, I got by just getting the header files. Open your favorite terminal and type ‘sudo apt-get install linux-headers-2.6-686’. If you don’t have the sudo program installed (and you SHOULD), just su to root and issue the apt-get command again without the sudo part. I’m assuming you’re running a 2.6 kernel on 686 hardware. Most people should no longer be running an i386 kernel.

Now for the fun part. You might want to write this down or open this article on another machine. To install the driver, you need to fully exit your X session. No, you can’t open a terminal session from GDM. I’m particularly lazy, so I just rebooted into single user mode. Either way, you need to completely get out of X and be at a root prompt. Change to the directory where you downloaded the driver and chmod it to 755 if needed. Now run it, ignoring the runlevel error. Accept the license. You may get an error about the version of GCC installed on your system not matching what was used to compile the kernel. Do NOT just ignore this. Exit the installer. In my case, GCC 4.1 was used to compile my kernel so I just did an ‘apt-get install gcc-4.1’. Next, you’ll want to point the installer at that compiler, so first do a ‘which gcc-4.1’ to find its location. In my case, I did an ‘export CC=/usr/bin/gcc-4.1’. Now rerun the installer. You should be good to go from here. The installer will build a custom kernel module, back up and modify your X config, and tell you if things have completed successfully. If that’s the case, exit the installer and reboot!

Once I was back up I did a test by running Doom3 and was happily surprised to see it come right up. I have to admit, it’s nice to run a system with no proprietary drivers, but I can’t complain that Nvidia is gracious enough to provide a driver. After all, they don’t have to since the majority of their customers are on a Windows system and developing and testing a Linux driver takes resources from that. So I say kudos to Nvidia for making a solid driver that installs easily and just works!

Disable Firefox Prefetching

May 13th, 2008 Chris

I love the Firefox web browser. Even more than Opera. However, Firefox tends to be a memory hog. The reason for this is that once you load a web page and begin viewing it, Firefox begins prefetching the pages that are linked to the page you’re viewing. I can only assume that this is intended to make subsequent pages you click on load faster. This feature would have been great twelve years ago when everyone was on a 56Kbps dial-up modem but in today’s world of multi-megabit broadband it really isn’t needed.

One very undesirable effect prefetching has is to swell the amount of memory Firefox uses. Don’t believe me? Load up four separate web pages in four tabs and leave them idling over the weekend. When you come back, don’t be surprised if you see that the Firefox executable is using nearly 800 Megs of RAM. Yikes!

Even though you’re probably reading this on a quad core Xeon with 4 Gigs of RAM, you may as well disable prefetching so you can put your memory to other use. To do this, first open a new tab or window. Next, in the location bar, type ‘about:config’ (without the quotes). This will bring up a list of internal Firefox preferences. You can tweak many aspects of the browser but we’re interested in disabling prefetching. In the Filter field, type the word fetch. You should see a screen similar to the one below:


Picture of prefetch preference

Simply double clicking the ‘network.prefetch-next’ value will set it to false (disable prefetching). Restart Firefox and look in amazement at how much less memory it consumes.

Now that it uses less memory, why not make it faster? Try this other tweak here.

How to connect to the IPv6 Internet

April 12th, 2008 Chris

Wrote up a new article on how to connect your home router to the IPv6 Internet. Have fun visiting all 10 IPv6-enabled websites ; ) Check it out here – article.