Cyconet Blog » Networking

OpenWRT WDS works like charm

cyco — Sun, 25 Oct 2009 22:20:18 +0000

A try with OpenWRT 8.09 in April to setup a WDS with additional AP functionality and encryption, like described in the documentation, failed. So I keeped with my halfbroken solution running on DD-WRT, which is going a bit too commercial these days in my eyes.
Now I have found time to try OpenWRT again for this purpose, since the issue was fixed really fast. I just did setup a stock 8.09.1 installation and then dropped the following into /etc/config/wireless:

config ‘wifi-device’ ‘wl0′
      option ‘type’ ‘broadcom’
      option ‘channel’ ’5′
      option ‘disabled’ ’0′
config wifi-iface
      option device “wl0″
      option network lan
      option mode ap
      option ssid “OpenWrt”
      option encryption psk2
      option key “keyforclients”
config wifi-iface
      option device “wl0″
      option network lan
      option mode wds
      option bssid 00:16:B6:19:63:C8
      option ssid “OpenWrtWDS”
      option encryption psk2
      option key “pskforWDS”

And guess what? It worked like a charm! So I could replace the odd DD-WRT boxes. Anyways ... does anybody have an idea where to find the sourcecode of anything > v23 SP1?

Bayreuth Festival – Online streaming of “Die Meistersinger von NÃ¼rnberg”

cyco — Wed, 02 Jul 2008 08:00:31 +0000

Actual I’m involved into a project which maybe of interest for you if you like opera particular when you are a Richard Wagner enthusiast.
Since long time, the waiting period for obtaining tickets increases a lot. At the moment I think you have to wait around 8 years, which is a worse.
Time changes also at Bayreuth Festival, they seems to refocus their audience. Looks like the aspects of huge waiting list and new medias influenced that process.

This year the opera “Die Meistersinger” is broadcasted online under the slogan “live dabei” (live there) via the great thing called “Internet” and to a public viewing area in Bayreuth, which is a premiere in both cases. So if you don’t have a ticket for the Festspielhaus and not in a position to make use of the public viewing but interested to have a look at the opera, you may want to check if your system matches the technical requirements and give it a try.

Kabel Deutschland breaks DNS System for it’s customers

cyco — Fri, 23 May 2008 13:59:26 +0000

Last week I noticed, that Kabel Deutschland, a cable provider in germany, returns for any non existing hosts “204.9.89.60″. It seems, thats it is rolled out since last fall. Even for DNSSEC enabled infrastructure it breaks it totally:

; <<>> DiG 9.3.4 <<>> +dnssec web.pixaco.se @83.169.184.161
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
web.pixaco.se. 0 IN A 204.9.89.60

Beside that, this behavour breaks the whole DNS, since many mechanism rely on a negative answer. The most visible effect for the users is, that when having a typo on surfing, he will forwarded to http://suche.kabeldeutschland.de/de.kde.assist/?domain=. Since 204.9.88.0/21 is located at our transatlantic friends from US, there might be some problem with leaking privacy informations. I don’t feel happy, if I had a typo in my URL and getting listed for it on any terror list or providing the newest porno links to my american friends inside the organisations with the tree capitals.

All that for getting some extra money, but racing pricedumping for connectivity, this sucks a lot.
If you are a customer and feel pissed, you can send a friendly note to them:

Kabel Deutschland Vertrieb und Service GmbH & Co. KG
Beschwerdestelle
99116 Erfurt
kundenservice@kabeldeutschland.de
Fax: 01805299925

A quick and dirty workaround for dnsmasq maybe to add “bogus-nxdomain=204.9.89.60″ to your config file. This doesn’t fix the DNSSEC problem.
The problem also pops up at dns-operations and there are traces at google too.

[UPDATE] Over 1 year later zdnet.de discoverd the problem.

Routing Suite in an ISP environment?

cyco — Tue, 19 Feb 2008 23:21:10 +0000

Searching for an alternative for our old Cisco Border Router we are evaluating some software routing suites on “normal” server hardware.
First we tried Vyatta, but the routing software frequently crashed completly. Maybe this is fixed with VC4 Alpha 1, but we didn’t test that.
Next try was the development version (0.99.9) of quagga from Debian testing, but it looks like a peering with one of our cisco router fails after the hold timer expires.

2008/02/19 15:08:06 BGP: Performing BGP general scanning
2008/02/19 15:08:06 BGP: scanning IPv4 Unicast routing tables
2008/02/19 15:08:06 BGP: scanning IPv6 Unicast routing tables
2008/02/19 15:08:07 BGP: Import timer expired.
2008/02/19 15:08:13 BGP: 192.168.96.2 rcvd UPDATE w/ attr: nexthop 212.202.214.150, origin i, localpref 100, metric 0, path 20676 2914 2914 2914 2914 4755 4755 4755 4755 4755 9583
2008/02/19 15:08:13 BGP: 192.168.96.2 rcvd 124.7.35.0/24
2008/02/19 15:08:13 BGP: Zebra send: IPv4 route add 124.7.35.0/24 nexthop 212.202.214.150 metric 0
2008/02/19 15:08:17 BGP: 192.168.96.2 sending KEEPALIVE
2008/02/19 15:08:17 BGP: 192.168.96.2 KEEPALIVE rcvd
2008/02/19 15:08:17 BGP: %NOTIFICATION: received from neighbor 192.168.96.2 4/0 (Hold Timer Expired) 0 bytes
2008/02/19 15:08:17 BGP: %ADJCHANGE: neighbor 192.168.96.2 Down BGP Notification received

Any ideas are welcome … also some other routing suite alternatives.

Ignoring security (usability)

cyco — Fri, 06 Jul 2007 23:39:18 +0000

Since some time, Deutsche Bahn rolled public wireless lan called “WLAN am Bahnhof” out at 25 railroad stations, you can choose between 4 providers. Sounds really nice, but beside the economical conditions, there is also at least one security issue.
Connecting to the network and opening your favorite browser redirects you to a encrypted portal. So far, so good … the really bad news is, that the certificate expired over 6 years ago.

This seems to be a normal behavior, since it happens often, that invalid certificates are used. This leeds to blunted users, which aren’t verifying such certificates anymore, even when it’s important.
Does anybody know a reasonable way to notify anybody who can solve the problem there beside the normal contact forms?

Booting Linux on Cisco 7513

Administrator — Mon, 18 Jun 2007 12:15:57 +0000

Today I was reconfiguring a Cisco 7513 with a RSP 16 and a FastEthernet module inside.
So I did a “erase nvram” and a “reload”. After booting I was surprised to see the following in my Terminal:

Would you like to enter the initial configuration dialog? [yes/no]:
Loading pxelinux.0 from 10.42.10.50 (via FastEthernet4/0/0): !!!
[OK - 13156 bytes]

So the box took an IP via DHCP and tried to netboot. (Un)fortunately it only breaks my terminal, so no worries! ;)

Is DNSSEC ready for wild life?

cyco — Fri, 20 Apr 2007 19:57:11 +0000

Today the RIPE DNS for LIRs Training Course did take place. (some not up to date course material can be found here)
Managing some thousands of zones inclusive nameserver infrastructure behind since several years, I thought it would be neat to provide a secure dns chain to our costumers.
After going deeper into the material within the course, I recognized the following impacts:

only bind9 (>= 9.3) and NSD privides support (yet)
bandwidth will be increased 2-3 times with max. key size
increased memory usage depending on your server software
operational costs will increasing dramaticaly due significant higher amount of regular work
more computing power (hardware) needed to generate dnssec ready zones and signing
unknown influence on resolving nameservers (load/memory/bandwidth)
chain of trust ends at resolving nameserver and is not provided to enduser

Since the last issue isn’t solved (yet), it doesn’t make any sence for me to invest resources into setting up DNSSec infrastructur, cause the end user would not recognize if the communication with the resolving nameserver or the resolving nameserver itself is taken over.

Any complaints and/or hint? Did I missed something?

Wireless Bridge and WPA(2) on Linksys Router … or how to look for a needle in a haystack

cyco — Sun, 02 Jul 2006 19:56:44 +0000

I was searching half a night and 2 hours today to get a Linksys Router working a wireless bridge with WPA(2) encryption. I tried Openwrt White Russian RC5 and DD-Wrt V23 SP1 and many combinations of WPA, WPA2, TKIP, AES. The bridge works well with WEP and without any encryption….

So … after more than one hour googling I found the following in the broadcom kernel module source:

if (val && strstr(v, "psk")) { val = (strstr(v, "psk2") ? 0x84 : 0x4); v = nvram_safe_get(wl_var("wpa_psk")); if ((strlen(v) >= 8) && (strlen(v) < 63)) {
bcom_ioctl(skfd, ifname, WLC_SET_WPA_AUTH, &val, sizeof(val)); if (nvram_match(wl_var("mode"), "wet")) { /* Enable in-driver WPA supplicant */ wsec_pmk_t pmk;
pmk.key_len = (unsigned short) strlen(v); pmk.flags = WSEC_PASSPHRASE; strcpy(pmk.key, v); bcom_ioctl(skfd, ifname, WLC_SET_WSEC_PMK, &pmk, sizeof(pmk)); bcom_set_int(skfd, ifname, "sup_wpa", 1); } } }

So … this means, that the WPA-PSK length has to be >= 8 and < 63, mine was 65. This wasnÃƒâ€šÃ‚Â´t a problem yet, cause I used the routers only in AP mode, where this restriction doesn't effect. Shorting the WPA-PSK length 62 did the trick!

WRTSL54GS debridged

cyco — Wed, 28 Jun 2006 08:47:27 +0000

Okay … we got the serial port running (same like WRT54GS), so we could be more risky. After some tries I decided to work analog the WRT54G models.

Successfull was the following modifications to factory (linksys) defaults:

nvram set vlan0ports=”0 1 2 5*”
nvram set vlan1ports=”4 5*”
nvram set vlan0hwname=”et0″
nvram set vlan2ports=”3 5″
nvram set vlan2hwname=”et0″
nvram set dmz_ifname=”vlan2″
nvram set lan_ifname=”br0″
nvram set lan_ifnames=”vlan0″
nvram set wan_ifname=”ppp0″

Now the door is open to extend the functionality of the openwrt router

# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/root 7296 3420 3876 47% /
none 15276 36 15240 0% /tmp

Hrhrhrhr … :-) Disassemble photos can be found here

We got some Linksys WRTSL54GS imported from US

cyco — Tue, 27 Jun 2006 11:14:43 +0000

DonÃƒâ€šÃ‚Â´t ask how, but we got some units to europe.

The first thing we does, was to install openwrt and to try debridge the switch to have multiple interfaces instead. We was able to remove ports from the switch, but cant create additional working vlans like on WRT54G. So at this point its useless for our purpose. But we will start exploring as son as possible we have a running serial console.