Monthly Archives: August 2011

Simple iperf usage command

Just keeping a record of this for later.

On the server machine: iperf -s

On the client machine: iperf -c [ip address] -t 60 -i 5 -r
(That runs the test for 60 seconds, has the client report every 5 seconds, and -r makes the measurement bi-directional, which should give the same figure as the one-way test if the links to and from the client are the same speed.)

Getting traffic for some networks out of one interface and all other traffic out of another

In this config (I'm using Ubuntu 10.04), there are two NICs: eth0 (IP 10.100.160.6) and eth1 (IP 10.120.160.6). Traffic for the networks 10.100.0.0/16, 10.9.0.0/16 and 192.168.150.0/24 is routed out of eth0, and all other traffic is routed out of eth1.

File: /etc/network/interfaces

# config for eth0
auto eth0
iface eth0 inet static
address 10.100.160.6
netmask 255.255.0.0
network 10.100.0.0
broadcast 10.100.255.255
# routes
post-up route add -net 10.9.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
post-up route add -net 192.168.150.0 netmask 255.255.255.0 gw 10.100.220.1 dev eth0
post-up route add -net 10.100.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
pre-down route del -net 10.9.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
pre-down route del -net 192.168.150.0 netmask 255.255.255.0 gw 10.100.220.1 dev eth0
pre-down route del -net 10.100.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0

# config for eth1
auto eth1
iface eth1 inet static
address 10.120.160.6
gateway 10.120.220.1
netmask 255.255.0.0
network 10.120.0.0
broadcast 10.120.255.255

Then restart the machine (just running /etc/init.d/networking restart didn't work for me) and check the routing table with "route".
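To see which interface the kernel will pick for a given destination, here is a small Python script added for this page (not part of the original post) that parses "route -n" output and does the same longest-prefix match the kernel does, with the lower metric winning ties. The routing table in it is a constructed sample written to match the config above, not captured from a real machine, and check_policy tests the stated intent: the three named networks leave via eth0, everything else via eth1.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample of "route -n" output for the two-NIC host in the post
# (10.100.160.6 on eth0, 10.120.160.6 on eth1). Not captured from a real box.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.0.0        10.100.220.1    255.255.0.0     UG    0      0        0 eth0
192.168.150.0   10.100.220.1    255.255.255.0   UG    0      0        0 eth0
10.100.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.120.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
0.0.0.0         10.120.220.1    0.0.0.0         UG    100    0        0 eth1
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None when directly connected
    metric: int
    iface: str


def parse_route_n(text):
    """Turn "route -n" output into Route records, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, int(metric), iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match, as the kernel does; the lower metric breaks ties."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress_interface(routes, destination):
    """Name of the interface a packet to destination leaves through."""
    route = lookup(routes, destination)
    return route.iface if route else None


def check_policy(routes):
    """Do the three named networks leave via eth0 and everything else via eth1?"""
    via_eth0 = ["10.100.1.1", "10.9.1.1", "192.168.150.20"]
    via_eth1 = ["10.120.150.3", "8.8.8.8", "192.168.151.1"]
    return (all(egress_interface(routes, d) == "eth0" for d in via_eth0)
            and all(egress_interface(routes, d) == "eth1" for d in via_eth1))


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for dest in ["10.9.1.1", "192.168.150.20", "10.100.5.5", "10.120.150.3", "8.8.8.8"]:
        r = lookup(table, dest)
        print(f"{dest:16} -> {r.iface} via {r.gateway or 'link'}")
    print("policy ok:", check_policy(table))
```

On the real box you would feed it the actual output of "route -n" after the reboot; a destination that comes back on the wrong interface usually means a missing post-up route or a typo in the netmask.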

Setting up apt-cacher on Ubuntu 10.04

On the repository server:

  1. Download:
    apt-get install apt-cacher apache2
  2. Get it to auto-start by editing /etc/default/apt-cacher and change autostart to 1
  3. Modify any config options in /etc/apt-cacher/apt-cacher.conf (not required)
  4. Restart apt-cacher – this will create the log files
    /etc/init.d/apt-cacher restart
  5. Import any existing apt-get cache (not sure exactly what this is for, but the documentation mentions it)
    /usr/share/apt-cacher/apt-cacher-import.pl -s /var/cache/apt/archives

On the client machine:

  1. Modify the sources list at /etc/apt/sources.list, like so:
    cp /etc/apt/sources.list /etc/apt/sources.list.bak
    vi /etc/apt/sources.list
    :%s/gb.archive.ubuntu.com/[your.repo.server]:3142\/gb.archive.ubuntu.com/g
    :%s/security.ubuntu.com/[your.repo.server]:3142\/security.ubuntu.com/g
    :wq!
  2. Reload the apt list
    apt-get update
  3. Try installing something
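As an added example (not from the original post), the same sources.list rewrite in Python, generalised to any plain http mirror rather than the two hostnames above: the mirror host is moved into the URL path behind the cache server, file: and cdrom: entries and comments are left alone, and running it twice changes nothing. The cache hostname aptcache.example.internal and the sample sources.list are made up for the example. Apt still verifies the Release signatures itself whichever host the files came from, so the cache only saves bandwidth.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample sources.list (not copied from a real host); the mirrors
# match what the post edits, plus a file: entry and a comment to leave alone.
SAMPLE_SOURCES = """\
deb http://gb.archive.ubuntu.com/ubuntu/ lucid main restricted
deb-src http://gb.archive.ubuntu.com/ubuntu/ lucid main restricted
deb http://security.ubuntu.com/ubuntu lucid-security main restricted
deb file:/srv/local-mirror lucid main
# deb http://archive.canonical.com/ubuntu lucid partner
"""

# deb|deb-src, optional [options], the URI, then the suite and components.
ENTRY_RE = re.compile(r"^(deb|deb-src)(\s+\[[^\]]*\])?\s+(\S+)(.*)$")


def via_cacher(line, cache_host, port=3142):
    """Point one sources.list line at apt-cacher, keeping the mirror host in the path."""
    m = ENTRY_RE.match(line)
    if not m:
        return line  # comment or blank line
    kind, opts, uri, rest = m.groups()
    parts = urlsplit(uri)
    if parts.scheme != "http":
        return line  # only plain http mirrors are rewritten here
    if parts.netloc == f"{cache_host}:{port}":
        return line  # already rewritten, so a second run is a no-op
    new_uri = urlunsplit(
        ("http", f"{cache_host}:{port}", "/" + parts.netloc + parts.path,
         parts.query, parts.fragment)
    )
    return f"{kind}{opts or ''} {new_uri}{rest}"


def rewrite_sources(text, cache_host, port=3142):
    """Rewrite a whole sources.list; returns the new contents."""
    lines = [via_cacher(l, cache_host, port) for l in text.splitlines()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rewrite_sources(SAMPLE_SOURCES, "aptcache.example.internal"), end="")
```

To use it on a client, read /etc/apt/sources.list, write the result back (after the .bak copy as above) and run apt-get update; the rewritten lines are exactly what the two vi substitutions produce for the Ubuntu mirrors.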

Configuring a network-to-network NAT in pfSense

In this case, I’m NATing 10.8.0.0/16 (interface name = vlan8) to 10.120.0.0/16 (interface name = int8), so a packet to 10.8.150.3 will be NATed to 10.120.150.3.

Go to Firewall -> NAT
Create a new 1:1 mapping, and put the settings as follows:
Interface: vlan8
External subnet IP: 10.8.0.0
Internal IP: int8 subnet
Destination: any (you might be able to use int8 subnet here, but it wouldn’t work with my VPN configuration as VPN IPs are on a separate subnet)
NAT reflection: use system default

And save, now to Firewall -> virtual IPs
Create a new virtual IP
I've used CARP, but when I get the chance I'll try Proxy ARP, which would be better for those who have an entire subnet behind the pfSense (I don't, so I have to add each address to NAT individually)

And then the settings on your host behind the pfSense:
IP: 10.120.150.3/16 (whatever IP you want)
gw: 10.120.x.x (IP of pfsense’s int8 interface)
(to set the gateway in Ubuntu, using /etc/network/interfaces didn't seem to work for me, so I used "route add default gw 10.120.x.x" instead)
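To sanity-check the mapping before committing it, here is an added Python example (not from the post and not pfSense code) of what a 1:1 NAT between two equal-sized subnets does: it keeps the host bits and swaps the network bits, so 10.8.150.3 becomes 10.120.150.3 on the way in and 10.120.150.3 becomes 10.8.150.3 on the reply. The virtual_ips helper lists the external addresses pfSense has to answer for, which is the list of virtual IPs you end up adding one at a time with CARP as described above. The host addresses fed to it are made up for the example.

```python
import ipaddress

# Subnets from the post: vlan8 side (external) and int8 side (internal).
EXTERNAL_NET = ipaddress.IPv4Network("10.8.0.0/16")
INTERNAL_NET = ipaddress.IPv4Network("10.120.0.0/16")


def translate(addr, from_net, to_net):
    """Map addr inside from_net to the address with the same host bits in to_net.

    This is what a 1:1 subnet NAT does: the network part is swapped and the
    host part is kept, so the two subnets must be the same size.
    """
    ip = ipaddress.IPv4Address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs two subnets of equal size")
    if ip not in from_net:
        raise ValueError(f"{ip} is not inside {from_net}")
    host_bits = int(ip) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + host_bits)


def inbound(external_addr):
    """Destination rewrite for a packet arriving on vlan8 for 10.8.x.y."""
    return str(translate(external_addr, EXTERNAL_NET, INTERNAL_NET))


def outbound(internal_addr):
    """Source rewrite for the reply leaving a 10.120.x.y host."""
    return str(translate(internal_addr, INTERNAL_NET, EXTERNAL_NET))


def is_translatable(addr):
    """True if addr lies in the external subnet the 1:1 mapping covers."""
    return ipaddress.IPv4Address(addr) in EXTERNAL_NET


def virtual_ips(internal_hosts):
    """External address pfSense must own (one virtual IP each when using CARP)
    for every host behind int8 that should be reachable through the NAT."""
    return {h: outbound(h) for h in internal_hosts}


if __name__ == "__main__":
    print("10.8.150.3 in    ->", inbound("10.8.150.3"))
    print("10.120.150.3 out ->", outbound("10.120.150.3"))
    # constructed host list for illustration
    print(virtual_ips(["10.120.150.3", "10.120.150.4"]))
```

If translate raises on an address you expected to work, either the address is outside the external subnet (so the NAT rule never matches and the packet is simply routed) or the two subnets differ in size, which a 1:1 mapping cannot express.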

Openfiler 2.99.1 unable to create partitions from the GUI

UPDATE: Creating a new partition in /dev/sdb (second volume) works, but doesn't use the last 5% of the disk. I can't fix this with the Other Solution posted here: whatever I do, the partition shows up in the Openfiler web GUI but as an unknown partition type. I've tried using mkpart as described below (it gives errors when trying to use ext3); using ext2 and then converting it to ext3 with mkfs.ext3 has the same issue, as does creating the partition with no filesystem. This is all regardless of what I do with pvcreate. For now I've left it as empty space; hopefully Openfiler will fix their issue creating new volumes soon.

I experienced a lot of Google-fail before finally finding the solution to this, so I'm posting it here.

Problem
New install of Openfiler v2.99.1: when trying to create a new partition in /dev/sda, clicking the 'create' button does nothing, it just refreshes the page.

Easy Solution (but it loses some GB – for some reason, the ending cylinder is reduced)
https://forums.openfiler.com/viewtopic.php?pid=25763
Set the 'starting cylinder' 80 cylinders higher than the recommended number, then try to create again. It should work.

Other Solution (works properly, hurray)
https://forums.openfiler.com/viewtopic.php?pid=25800
From the CLI:
parted
unit cyl
print
mkpart
[name?] // just press Enter
[file system type? ext2] ext3
[start?] // here, type one cylinder up from the end of the last partition shown by the print command, then a space, then the ending cylinder (for the entire disk, enter the number shown in the print output under the Model line, on the line "Disk /dev/sda: ")
print // see the new partition
q
pvcreate /dev/sda4 // use whichever partition number the print command showed for the new partition

After this, Openfiler should see the new partition from the GUI.

Connecting to multiple subnets with Shrew Soft VPN and Juniper SSG 5

This issue may well affect other firewall models, but I've only been playing with the SSG 5.

I want to
Be able to reach 10.9.x.x and 10.10.x.x using my VPN connection (it's set up like this, by the way)

The problem
– With one VPN connection and two policies on the Juniper and in Shrew Soft: for some reason the wrong policy is often used and my packet gets dropped for lack of a policy to allow it
– With one VPN connection and one policy on Juniper and Shrew (a CIDR covering both ranges): also not working; the policy isn't matching at all, weirdly
– With one VPN connection, two policies in Shrew and one policy using an IP address group in Juniper: policy not matching again…
– With two VPN connections and two policies in Shrew and Juniper: still not working!! The policies don't match if both VPNs are active, as Juniper seems to disregard which VPN the packet has come from
– With one VPN connection, two policies in Shrew and one ANY policy on Juniper: also not working… I think Juniper just doesn't like this policy

The solution
Take the last setup above (one VPN connection, whatever policies you need in Shrew and one ANY policy in Juniper), then log onto your SSG and run the following command:
unset ike policy-checking

That was much more difficult than it should have been…

Shrewsoft listening on the wrong IP?

For some reason it had bound to eth1 rather than eth0 (it's supposed to bind to both).

Shrewsoft uses IPSEC_Pluto for IKE connections; check out this manpage: http://www.linuxsecurity.com/resource_files/cryptography/FreeSWAN-HOWTO/manpage.d/ipsec_pluto.8.html

To refresh the interfaces (restarting didn’t work for me, but this did), use:

ipsec whack --listen


UPDATE: I was wrong! It's strongSwan that uses IPSEC_PLUTO; Shrewsoft uses its own stuff, and the reason my Shrewsoft wasn't making the connections as it should was conflicts with strongSwan. Once I uninstalled that it started working again.