Archives

All posts for the month January, 2013

#dayjob

Some days you just need to do a bit of packet mangling and you don’t want to
write loads of DNAT/SNAT statements, so why not just use the NETMAP target

Take this example (The IP addresses have been changed to protect the innocent)


iptables -t nat -A PREROUTING -d 192.168.55.0/24 -j NETMAP --to 195.44.12.0/24
iptables -t nat -A POSTROUTING -d 195.44.12.0/24 -j NETMAP --to 192.168.55.0/24

It allows you to translate entire networks on a 1:1 mapping basis, so 192.168.55.1
maps to 195.44.12.1 and 192.168.55.2 maps to 195.44.12.2 and so on and so on.

Simples

(Oh and the Postrouting line is for the SNAT on the way back btw)

Whilst doing some other work for #dayjob,  I came across this little outfit based out in Israel doing free Class 1 SSL certificates for a year.

Ok I thought what’s the catch (other than it’s about as trustworthy as a man claiming to be secure , but can’t demonstrate it), it seems there isn’t much of a catch :

  1. The T’s & C’s state it has to be for “non-commercial” activity.
  2. It’s only Class 1, funny enough they do Class 2 and EV certs as well – for a cost naturally.
  3. It’s only for a year, but you can just keep renewing it every year.
  4. Errr and that’s about it really.

All in all, it’s worth signing up and using it for test certs and things like that, I tend to use it for test certs for Loadbalancers/Offload SSL box’s, saves explaining to people why you need to purchase certs for a development environment, anyway it’s worth a punt — https://www.startssl.com/

Whilst fiddling around with the Edgemax Lite I came across a bit of an issue whilst connecting
it to my main OpenVPN hub server, the fact that it couldn’t do comp-lzo compression.
Whilst I don’t need to do compression, it’s switched on by default in most OpenVPN distributions
and without it, in my case it caused immense pain on the server end and refused to work.

I hunted high and low for the answer on Ubiquiti’s very good forum and googled the issue to the
Nth degree, but because it’s so new I don’t think anyone has come across this issue yet (or at
least documented it anywhere). So what to do – do I turn off comp-lzo on the server or do I
run another another copy of OpenVPN on it just for the Edgemax?

In the end, I had a bit of a brainwave and remembered it’s a Vyatta, so I googled for that instead
and that lead me to the answer which is :

openvpn-option --comp-lzo

Here’s my complete Openvpn vtun statement :
openvpn vtun0 {
mode client
openvpn-option --comp-lzo
protocol udp
remote-host endpoint-address.com
remote-port 1194
        tls  {
             ca-cert-file /config/auth/ca.crt
             cert-file /config/auth/cert.crt
             key-file /config/auth/cert.key
             }
}

And literally that’s all you have to do (well apart from SCP the keys/certs into config/auth) to
get OpenVPN in default UDP flavour working on the box. I haven’t yet tried any other configs
but if the client config works this well I can’t imagine server/site-to-site won’t be too
complicated to get working.

edgerouterlite

Well it’s arrived, after quite a wait – the first EdgeMax routers have landed in the UK, was it worth the wait?   For that answer you’ll have to read on and see if it fits with what you are looking for in a small three port router.

 

Here at PM towers it’s happily sat on the end of a BT FTTH (160Mbps) connection and it’s working really well, it does exactly what it says on the box, it’s a three gigabit port router with lot’s of other stuff under the hood (*).

For me personally I can’t rate this box highly enough, Ubiquiti have pulled an absolute blinder :

  1. It’s less than 100 pounds for a true line rate gigabit router (**)
  2. It’s running Linux under the hood.
  3. It’s going to worry a certain big networking equipment manufacturer.
  4. It’s really going to worry a certain smaller networking equipment manufacturer in Latvia.
  5. I’ll go out on a limb here and say if the bigger box’s (TBA) turn up at a sensible price point, I’ll be replacing a lot of kit from other people with them.
  6. You name it, it’ll do it – PPPoE, OpenVPN, IPSec, PPTP, OSPF, BGP, Stateful Firewall, QoS, IPv6,Netflow etc. etc. (you get the picture)

 

As with all good things (especially first couple of revisions on the market), there are a few minor issues :-

  1. Documentation is a little poor, but I hope to document here some of the bits I found useful.
  2. It’s a little quirky, but fiddling with the CLI is definitely advised.
  3. No support for MPLS yet – not the end of the world, but I believe it maybe on the roadmap.
  4. It’s a bit like JunOS, you will get used to it, but you’ll have a hard time getting to the bit you need to start with.
  5. The gui is definitely a work  “In progress”.

 

In short it’s a great buy – a little quirky, quick as you like, cheap, game changer for sure and get’s two thumbs up from myself at PM towers.

 

 

 

(* For those in the know it’s basically a three port box running Vyatta )

(** I haven’t banged it on the Smartbits to see if I can break it – but by the looks of my initial tests it is genuinely line rate when routing)