Category: Linux

Multi-WAN DNS in pfSense

Update: I later figured out there are many other places pfSense restarts Unbound, so this is simply not worth the effort. I reversed the changes & moved Unbound to another box and using just DNS forwarder on pfSense — which is used by the Unbound server.

Having multiple broadband connections at home, I have a pfSense which takes care of load balancing and firewalling. pfSense is pretty good in almost everything, except one thing that was annoying me a lot — That it restarted the DNS Resolver (Unbound) every time either of my WAN connections restarted (one of my ISPs restarts the connection periodically), and the traffic originating from the box itself cannot be load balanced across multiple connections due to a limitation in FreeBSD’s implementation of pf itself – it is unable to set the correct source address.

It’s quite annoying that – even when you use the forwarding mode of Unbound, your DNS still goes through a single WAN interface. Moreover, Unbound doesn’t seem to do parallel querying across DNS servers. So if you have listed multiple DNS servers as forwarders it will try them one by one as they fail. Suppose, the WAN interface from which DNS traffic is outgoing is running at full capacity – a download or somebody is streaming a video, then your browsing becomes slow as well – but the browsing itself may go through another WAN connection. Notably, for having a stable multi-WAN setup in pfSense – you have to use forwarding mode. The gateway switching for the box itself doesn’t work reliably in my experience, due to which I’ve had to face “host not found” error messages even when one of the connections was up.

Continue reading “Multi-WAN DNS in pfSense”

Advertisements
0

Monitoring your internet connections with OpenWRT and a Telegram Bot

For the past 5 years or so, I have been using a single ISP at home and mobile data for backup when it went down. But since last few months, the ISP service became a bit unreliable – this is more related to the rainy season. Mobile data doesn’t give fiber like constant speeds I get on the wire. It’s very annoying to browse at < 10 Mbps on mobile data when you are used to 100 Mbps on the wire.

I decided to get another fiber pipe from a local ISP. One needs to be very unlucky to have both going down at the same time – I hope that never happens. Now the question is how to monitor the two connections: Why do I need monitoring? – so that I can inform the ISP when it goes down, with the fail-over happening automatically thanks to OpenWRT’s mwan3 package, I won’t ever know when I am using which ISP (unless I am checking the public IP address, of course).

Continue reading “Monitoring your internet connections with OpenWRT and a Telegram Bot”

2

Asterisk PJSIP wizard and phone provisioning

So after setting up Asterisk with a working DAHDI configuration for the PBX project, next was configuration for IP phones using PJSIP and provisioning them.

Asterisk has a built-in module called res_phoneprov which handles HTTP based phone provisioning but that didn’t work for me – I just couldn’t have it generate XML configuration for the phones that we had, i.e. Grandstream GXP1625.

The server on which I had configured PBX was multi-homed, as in it was part of multiple networks. But there was no reason to run the service on all interfaces except the VLAN on which we were going to connect the phones.

Continue reading “Asterisk PJSIP wizard and phone provisioning”

5

Asterisk PBX with Reliance PRI Line using Digium TE131F

So I got an opportunity to set up Asterisk PBX with a Reliance Communications E1 line. I have worked with Asterisk PBX, but without PSTN interfacing. This post is about what all stuff I have done to get a Reliance E1 line with Digium TE131F card.

Having explored a lot of other distributions like Fedora, Arch, Gentoo, Sabayon, etc. since I ventured into Linux world and learning the internals of Linux and how different components are stitched together I settled on Ubuntu. It’s my favorite these days because  everything seems to work out of the box… except when it doesn’t, then you have PPAs. 😛 For this project I have installed Ubuntu 16.04 server edition.

Continue reading “Asterisk PBX with Reliance PRI Line using Digium TE131F”

0

ZFS convert stripe to striped-mirror

OpenZFS LogoI’m a huge fan of ZFS because of its performance and other features like snapshots, transparent compression. In fact I had switched to FreeBSD for servers just because it had native ZFS support. But as of Ubuntu 16.04, ZFS is officially supported for non-root partitions.

Now I’m migrating a FreeBSD server to Ubuntu 16.04 with ZFS for data storage – this is happening because I need support for some special hardware which has drivers only for Linux and I do not have a spare server machine of same capacity in terms of memory/disk/processor.

My case –
Here’s the zpool layout on my existing FreeBSD server:

Each of those disks are 1TB in size and the layout here is something known as RAID 10, or striped mirroring. Striped mirroring can be extended to more than four disks but in my case, I have two pairs of disks. Each pair is mirrored and the each such mirror is striped, illustrated as in the image below:

Image taken from techtarget.com, their trademark/copyright holds.

The advantage of this layout is that you get read speed of four disks, and write speed of two disks and a failure tolerance of two disks (but in different mirrors) at the same time.

I have a spare 1TB disk which I can use for preparing a new server using a low-end machine for migration. I remove one of the disks from the live server so the pool there runs in a degraded state. The removed disk is used in the new server. So I create this zpool in Ubuntu:

The pool created here is a plain simple stripe. To convert this into a striped-mirror, the zpool attach command has to be used:

With this, the pool now becomes a striped mirror:

Perfect! 😀

 

0

SystemD FastCGI multiple processes

Of late, many mainstream distributions have been switching to SystemD as their init system. This includes Debian (since Debian 8) and Ubuntu (since Ubuntu 15.04). In the traditional SysV init system we used to have stuff like spawn-fcgi or custom scripts for starting a FastCGI process and having the web server connect to it over Unix or TCP sockets. Such kind of usage decreased when PHP FPM was introduced since it’s safe enough to assume that 90% (probably more) of the FastCGI deployments are just launching PHP interpreters using whatever mechanism is there (spawn-fcgi or custom scripts). PHP FPM does this for you now and it’s pretty good at it.

FastCGI is just a protocol, it can be used by any application. For custom applications which do not support starting their own FastCGI processes and listening on a socket we have to use external mechanisms. SystemD has a couple of good features which can help reduce the amount of custom work needed in terms of process monitoring, socket paths, file ownership, etc.

Continue reading “SystemD FastCGI multiple processes”

4

Group based HTTP basic authentication using Nginx and MySQL with help of Lua

Recently I moved from Apache to Nginx on one of my servers due to increase in traffic. But I was using HTTP Basic authentication with group based authorization on Apache in this manner:

However, there’s no AuthGroupFile  in nginx. But LUA, a programming language is supported in nginx. So here’s how I used LUA and MySQL for achieving this:

Now the real magic comes in the authenticate.lua  script, I’m posting the code below which is available in Github as well:

The group authentication script looks for users and groups in a table called http_users. Since this is a script you can modify the way users are searched for in the database or change the database altogether!
The lua modules required to run this script are: resty.mysql, resty.session, resty.string and cjson. Though the passwords are stored in the database as a SHA224 hash, the comparison of the password is done by the database itself. I did not convert the password to hash before sending it to database, so you may want to review this in case you are using remote database. I’m using local database over Unix socket so it doesn’t matter much.

The table and triggers I have for the same:

The triggers are required to convert the INSERT  or UPDATE statements into SHA224. I’m using MySQL’s SET data type to ensure that the group value is fixed. The same values can be used by Nginx in $user_group  variable before specifying the access_by_lua_file  directive.

2

A networking insight into the past

Back in 2007-2008, when I was just starting out with Linux geekery I had an ISP connection which was working fine for almost a year. Previously I was a Windows user and the hardware I used to run Windows XP was a Pentium 3 with 384 MB RAM.

Now I don’t know whether it was the hardware or issues with Windows itself that caused me so much frustration sufficient to make me move to Linux. After switching to Linux, things had become smooth so it was probably not the hardware. Perhaps the hardware was insufficient to run XP although it was slightly better than the recommended hardware specification at that time.

So yeah, this ISP had installed a telephone wire into my house and provided me an ADSL modem. In those days, it was rather uncommon to have multiple devices at home at least in India, so they had a policy of allowing only one PC at a time to use the Internet. My networking knowledge was pretty limited at that time so I never thought about how or why it was like that.

Then dad’s workplace assigned him a laptop and that’s when there were two devices at home that required Internet. Again due to limited knowledge of networking and Linux, I got a long LAN cable so that dad’s laptop could be wired to the modem having a single Ethernet port. A couple of times this plugging/unplugging; we got tired of it and then bought an unmanaged switch. That helped solve the cabling issue, but still two computers couldn’t use the Internet at the same time. I used to log out when my dad wanted to use Internet and vice versa. The switch model worked because the modem provided by the ISP was in bridge mode as per the settings I found out by poking around.

Both the machines were Windows XP initially. Then I switched to Linux and configured a simple DHCP based Ethernet connection to use Internet and it worked fine. The wizards helped me and the authentication mechanism was to login to the ISP using a Web page you got redirected to once you opened some site after acquiring a lease. But one day, all of a sudden the Internet stopped working on my Linux box. A quick observation was that it worked fine in Windows. Numerous calls to the ISP’s call center and as usual a clueless response by them (this continues even today to some extent) but they eventually sent their technician who couldn’t solve the problem either. Then we switched ISP.

Over the seven years after this I have learned a lot of Linux and Networking and worked in real life scenarios. But today while chatting with my friend Nikhil about ISPs and their reviews, I recalled this issue and now I can make sense why it wasn’t working. Reason is simple, routers generally contain Embedded Linux. In DHCP there’s a field mentioning what OS or which client is it (like a Web browser sends user agent to every website). This cunning ISP wanted to make money by selling their own routers and charging more for allowing multiple computers to use Internet at the same time so they decided to block all Linux DHCP clients (probably excluding their own) because every Linux box is a potential NAT box! It is possible to use Windows as a NAT box as well, but then they had no choice. If they blocked windows nobody would use their services 😂😂

0

CloudFlare Dynamic DNS using OpenWRT

I use dynamic DNS for my home internet connection so that I can access the machines from anywhere on the internet. And I use OpenWRT on my router. Earlier I was using Namecheap for managing DNS but I switched to CloudFlare for performance and security reasons of the website.

Unfortunately CloudFlare doesn’t support updating IP via shell script — well, it sort of does but the JSON stuff gets very messy with quoting in shell scripts, so I wrote a Lua script to update my IP whenever my PPPoE connection starts up; I have dropped the script in /etc/ppp/ip-up.d  so it gets executed by pppd whenever my connection comes up. You can run this script via cron or put it /etc/hotplug  if you wish to. This script uses LuaSocket, LuaSec, JSON4Lua and libubus-lua libraries that are easily installable on an OpenWRT router with 4 MB flash memory.

Now I can have the benefits of CloudFlare without losing out on DDNS :D. Here’s the code:

Suggestions? Post in comments or fork on GitHub.

0

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: