Repurposing netbook into gateway, firewall, AP

The older netbooks, such as the ASUS EEE 900 series, have gone down in price. I bought a refurbed EEEPC 900A w/1GB RAM and a 4GB SSD and turned it into my gateway, firewall and local AP.  Upgraded the memory to 2GB RAM, and added an external 8GB SD flash card.

I loaded the Fedora Core 17 Security distro on it.  Now I have a nice, cheap gateway, firewall and AP (although only 802.11g speed).

I’ll add more to this as I have time…..

Unfortunately the netbook only has one wired 100M Ethernet port.  I need at least GigE interfaces.  I am currently looking at the

OEM Production 2550L2D-MxPC

which is an Atom D2550 based system with 2 Broadcom GigE ports, small, low power and up to 8GB of RAM.  This should last me a long time as a router/gw/fw.

More to come….

File transfer speed over ssh

I’ve known that ssh encryption has an effect on the speed of file transfers. So doing things such as rsync (which will use ssh) or even plain scp can be pretty darn slow, especially on large files and on systems with old/slow CPUs.

I also know about the recommendation to use a different cipher when transferring files. Some people recommend blowfish, others arcfour. So I thought I’d do a little bit of testing in a controlled environment.

I have two recent vintage HP servers with the following specs.

HP ProLiant DL360p Gen8
Dual quad core Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz (8 core, 16 threads total)
64G RAM
4 x 3TB, mdadm RAID10, formatted as XFS, mounted noatime,logbufs=8
Tigon ethernet NIC, connected as GigE, full duplex to HP ProCurve 2848 switch
(both servers connected to same switch)

The test file is:
3921247501 Mar 4 08:22 bigdata.tar.bz2 (3.8GB)

I am using OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
Kernel is 3.8.1-1.el6.elrepo.x86_64 #1 SMP Thu Feb 28 19:15:22 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

I am going to copy this file from hp1 to hp2, using scp, rsync and ftp. With scp, I’ll try different ciphers, with no compression, to see how the cipher affects the transfer. For comparison purposes, I also timed a plain old FTP transfer, which means no encryption and very little system processing; and the timing proves that.  I also tested with the plain rsync protocol (direct to rsyncd).

I ran each transfer 3 times. Without specifying a cipher, ssh/scp uses the default, which depends on the version of OpenSSH (for this version, the default is aes128-ctr).  NOTE: the file is rm’ed at the destination before each copy.

run  Xfer type                                                             real       user       system
1    scp -o Compression=no                                                 0m52.175s  0m12.709s  0m6.504s
2    scp -o Compression=no                                                 0m47.872s  0m12.603s  0m6.806s
3    scp -o Compression=no                                                 0m49.317s  0m12.748s  0m6.710s
1    scp -c arcfour -o Compression=no                                      0m49.536s  0m14.161s  0m6.903s
2    scp -c arcfour -o Compression=no                                      0m49.088s  0m14.045s  0m6.921s
3    scp -c arcfour -o Compression=no                                      0m50.698s  0m14.162s  0m6.728s
1    scp -c blowfish-cbc -o Compression=no                                 0m58.673s  0m44.295s  0m13.495s
2    scp -c blowfish-cbc -o Compression=no                                 0m56.399s  0m43.860s  0m9.036s
3    scp -c blowfish-cbc -o Compression=no                                 0m54.869s  0m43.949s  0m10.673s
1    scp -c aes128-cbc -o Compression=no                                   0m49.776s  0m14.641s  0m7.083s
2    scp -c aes128-cbc -o Compression=no                                   0m48.527s  0m15.154s  0m7.068s
3    scp -c aes128-cbc -o Compression=no                                   0m50.554s  0m15.334s  0m6.983s
1    ncftpput -m -u ftptest -p 'XXXXXX' hp2 /data/ /data/bigdata.tar.bz2   0m34.306s  0m0.141s   0m4.062s
2    ncftpput -m -u ftptest -p 'XXXXXX' hp2 /data/ /data/bigdata.tar.bz2   0m33.351s  0m0.160s   0m3.863s
3    ncftpput -m -u ftptest -p 'XXXXXX' hp2 /data/ /data/bigdata.tar.bz2   0m33.839s  0m0.154s   0m3.732s
1    rsync --stats -a /data/bigdata.tar.bz2 hp2::data/bigdata.tar.bz2.1    0m33.485s  0m10.221s  0m6.692s
2    rsync --stats -a /data/bigdata.tar.bz2 hp2::data/bigdata.tar.bz2.2    0m33.490s  0m10.234s  0m6.703s
3    rsync --stats -a /data/bigdata.tar.bz2 hp2::data/bigdata.tar.bz2.3    0m33.497s  0m10.163s  0m6.545s

In terms of speed, we have:

Average over 3 runs

RSYNC:         real=33.491  user=10.206  sys=6.6467
FTP:           real=33.832  user=0.1517  sys=3.8857
AES128-CBC:    real=49.619  user=15.043  sys=7.0447
ARCFOUR:       real=49.774  user=14.1226 sys=6.8507
AES128-CTR:    real=49.788  user=12.687  sys=6.6734
BLOWFISH-CBC:  real=56.647  user=44.0347 sys=11.068

So it looks like in modern OpenSSH, using AES, it’s a wash which cipher/encryption method you use.

Note that rsync protocol itself is pretty darn efficient, slightly faster than FTP.
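To make the timing procedure above repeatable, here is a small Python harness added to this post (it is not code from the original write-up). It reads the cipher list from `ssh -Q cipher` rather than hardcoding names, because later OpenSSH releases dropped arcfour and blowfish-cbc, and it removes the destination file before each run the way the runs above were done. The host names and paths are placeholders; the timings fed to the averaging helper at the bottom are the aes128-ctr "real" values from the table above, so the average it prints can be checked against the "Average over 3 runs" list.

```python
"""Added example: time scp per SSH cipher, the way the runs above were done.

Not from the original post.  Host names and paths are placeholders; the
timings passed to average_runs() under __main__ are the table values above.
"""
import statistics
import subprocess
import time


def parse_time(t):
    """Convert bash `time` output such as "0m52.175s" to seconds (float)."""
    minutes, seconds = t.split("m")
    return int(minutes) * 60 + float(seconds.rstrip("s"))


def average_runs(samples, digits=3):
    """Average a list of "XmY.YYYs" strings, as in the 'Average over 3 runs' list."""
    return round(statistics.mean(parse_time(t) for t in samples), digits)


def throughput_mb_s(size_bytes, seconds):
    """Megabytes (10^6 bytes) per second, rounded to one decimal."""
    return round(size_bytes / 1e6 / seconds, 1)


def available_ciphers():
    """Ciphers this ssh build supports (`ssh -Q cipher`, available since OpenSSH 6.3)."""
    out = subprocess.run(["ssh", "-Q", "cipher"], capture_output=True,
                         text=True, check=True).stdout
    return out.split()


def time_scp(src, host, dest, cipher, runs=3):
    """Copy src to host:dest `runs` times with the given cipher and no
    compression, removing the destination first as the post did.
    Returns wall-clock seconds per run."""
    timings = []
    for _ in range(runs):
        subprocess.run(["ssh", host, "rm", "-f", dest], check=True)
        start = time.perf_counter()
        subprocess.run(["scp", "-c", cipher, "-o", "Compression=no",
                        src, f"{host}:{dest}"], check=True)
        timings.append(time.perf_counter() - start)
    return timings


def benchmark(src, host, dest, size_bytes, ciphers=None, runs=3):
    """Return {cipher: (mean_seconds, MB/s)}, fastest cipher first."""
    results = {}
    for cipher in ciphers or available_ciphers():
        mean = statistics.mean(time_scp(src, host, dest, cipher, runs))
        results[cipher] = (round(mean, 3), throughput_mb_s(size_bytes, mean))
    return dict(sorted(results.items(), key=lambda kv: kv[1][0]))


if __name__ == "__main__":
    # Constructed input: the three aes128-ctr (default) 'real' times from the table.
    default_runs = ["0m52.175s", "0m47.872s", "0m49.317s"]
    avg = average_runs(default_runs)
    print("AES128-CTR real average:", avg)
    print("MB/s for the 3921247501-byte file:", throughput_mb_s(3921247501, avg))
    # To run a real benchmark (placeholders: hp2 and /data/...):
    # for c, (s, mbs) in benchmark("/data/bigdata.tar.bz2", "hp2",
    #                              "/data/bigdata.tar.bz2", 3921247501).items():
    #     print(f"{c:20} {s:8.3f}s {mbs:6.1f} MB/s")
```

Wall-clock time is what the table's "real" column measures; the user/system split from `time` is not reproduced here, so if CPU cost per cipher is the question (as in the Pentium 4 update below), wrap the scp call in `/usr/bin/time -v` or read `resource.getrusage(resource.RUSAGE_CHILDREN)` after each run.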

3/6/13 Update

AES in SSH.  I tested again from an old Dell with a Pentium 4 (no AES support in hardware) to the fast HP, and the default AES128-CTR is much slower.  However, the good news is that AES128-CBC is still faster than BLOWFISH, though slightly slower than ARCFOUR.  As for FTP and RSYNC, they are neck and neck in speed, no clear winner.

So my conclusion is that whether using AES with hardware support (in new Intel CPUs) or in software, using the CBC (block mode) variant of AES is usually good enough.

iSCSI initiator (netbsd-iscsi-initiator) for OS X Mountain Lion (10.8.2)

I am playing around with iSCSI for my MacBook Pro. Looked around, and the formerly free SNS globalSAN iSCSI initiator is no longer free. ATTO is too expensive to play with. Saw that MacPorts has a netbsd-iscsi port, so went that route.


$ sudo port install netbsd-iscsi-initiator
---> Computing dependencies for netbsd-iscsi-initiator
---> Dependencies to be installed: netbsd-iscsi-lib
---> Building netbsd-iscsi-lib
Error: org.macports.build for port netbsd-iscsi-lib returned: command execution failed
Error: Failed to install netbsd-iscsi-lib
Please see the log file for port netbsd-iscsi-lib for details:
/opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_devel_netbsd-iscsi-lib/netbsd-iscsi-lib/main.log
Error: The following dependencies were not installed: netbsd-iscsi-lib
To report a bug, follow the instructions in the guide:
http://guide.macports.org/#project.tickets
Error: Processing of port netbsd-iscsi-initiator failed

Poking in main.log shows the error when compiling disk.c.


:info:build /bin/sh ../../libtool --tag=CC --mode=compile /usr/bin/clang -DHAVE_CONFIG_H -I. -I../../include -I../../include -I/opt/local/include -pipe -O2 -arch x86_64 -MT libiscsi_la-disk.lo -MD -MP -MF .deps/libiscsi_la-disk.Tpo -c -o libiscsi_la-disk.lo `test -f 'disk.c' || echo './'`disk.c
:info:build /usr/bin/clang -DHAVE_CONFIG_H -I. -I../../include -I../../include -I/opt/local/include -pipe -O2 -arch x86_64 -MT libiscsi_la-disk.lo -MD -MP -MF .deps/libiscsi_la-disk.Tpo -c disk.c -fno-common -DPIC -o .libs/libiscsi_la-disk.o
:info:build disk.c:811:40: error: assignment to cast is illegal, lvalue casts are not supported
:info:build *((uint64_t *) ((void *)data + 8)) = (uint64_t) ISCSI_HTONLL(key);
:info:build ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
:info:build 1 error generated.
:info:build make: *** [libiscsi_la-disk.lo] Error 1

So I patched that line:


- *((uint64_t *) (void *)data + 8) = (uint64_t) ISCSI_HTONLL(key);
+ *((uint64_t *) ((void *)data + 8)) = (uint64_t) (ISCSI_HTONLL(key));
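Review bot: the removed line does not match what clang reported at disk.c:811 in the log above (`*((uint64_t *) ((void *)data + 8)) = (uint64_t) ISCSI_HTONLL(key);`, where `((void *)data + 8)` is already parenthesized), so the `-` line looks mis-transcribed and the patch as shown would not apply to that source. The only effective change is the parentheses around `ISCSI_HTONLL(key)`; it would help to state which definition of that macro makes the bare `(uint64_t) ISCSI_HTONLL(key)` read as an assignment to a cast, since that is what the fix depends on. Two portability points on the surviving line: `(void *)data + 8` is arithmetic on `void *`, a GNU extension that clang tolerates, so `(uint8_t *)data + 8` would be the standard-conforming spelling, and a `memcpy` of the 8 bytes would avoid assuming that `data + 8` is aligned for a `uint64_t` store.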

and now it builds. I just need to play with this to see if it works. More to report later.

Single DHCP server for multiple subnets (VLANs) on a single interface

Surprisingly, this was an extremely hard piece of information to find, at least one that fit my need. There were lots of questions in various online posts, but no completely working answers with all the relevant details in one place.

I am going to document it here.

The aggregation router is a pair of Cisco 6506E in VSS mode, active-active. They have an ip helper-address pointing to my DHCP server.

Multiple VLANs and subnets

There was a pretty useful post about a single DHCP server with multiple subnets on one interface here. But it does not work for my situation: he’s using a fairly simple network, and his DHCP server runs on the gateway.

I have a gateway/router that aggregates multiple VLANs, one of which is a management VLAN that my DHCP server sits on. All the other VLANs have the DHCP relay helper address pointing to my DHCP server (see graph above).

Using the “shared-network” statement in dhcpd.conf does not work, as that pools all of the subnet declarations into that single network. This is why the blog post uses classes along with “match if” statements to put DHCP client requests into the correct subnets. I have anywhere from 200 to 300+ servers in each VLAN, and they are a mix of gear from different vendors. There is no way I can use hardware (MAC) addresses without it getting very complicated, not to mention the horror of maintaining that mapping.

ISC DHCP actually supports what I wanted out of the box. The trick was to make all the subnet declarations but not use the “shared-network” statement. Make sure the DHCP relays are set up correctly; when clients make DHCP requests, they arrive at the DHCP server with the relay address in the GIADDR (gateway IP address) field. The DHCP server sees that and knows which subnet it should provide addresses from.
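To show the GIADDR selection concretely, here is an added Python example (not code from this post or from ISC DHCP) that builds a constructed, relayed DHCPDISCOVER, pulls GIADDR out of the BOOTP header, and picks the subnet the way dhcpd does: a relayed request is matched against the subnet containing GIADDR, and a request with GIADDR 0.0.0.0 is matched against the subnet of the interface the server received it on. The three subnets are the ones declared in the dhcpd.conf below; the management subnet 10.1.14.0/24 and the server address 10.1.14.10 are assumed values.

```python
"""Added example (not from the original post): how a DHCP server selects a
subnet for a relayed request by looking at GIADDR.  The first three subnets
come from the dhcpd.conf on this page; the management subnet and the server's
interface address are assumed values.
"""
import ipaddress
import struct

# (network, first pool address, last pool address): the subnets declared in dhcpd.conf.
SUBNETS = [
    ("10.1.0.0/23", "10.1.1.200", "10.1.1.253"),
    ("10.1.2.0/23", "10.1.3.200", "10.1.3.253"),
    ("10.1.4.0/23", "10.1.5.200", "10.1.5.253"),
    # Assumed: the management VLAN the DHCP server itself sits on.
    ("10.1.14.0/24", "10.1.14.200", "10.1.14.253"),
]
SERVER_ADDR = "10.1.14.10"  # assumed address of the interface dhcpd listens on

BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header (RFC 2131)
GIADDR_OFFSET = 24                        # op..flags (12) + ciaddr + yiaddr + siaddr
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(mac, giaddr="0.0.0.0", xid=0x3903F326):
    """Constructed DHCPDISCOVER.  A relay agent fills giaddr with the address
    of the interface it heard the broadcast on and increments hops."""
    relayed = giaddr != "0.0.0.0"
    header = struct.pack(
        BOOTP_HDR,
        1, 1, 6, 1 if relayed else 0, xid, 0, 0x8000,   # BOOTREQUEST, Ethernet, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,                # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,           # giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, then end
    return header + options


def giaddr_of(packet):
    """Relay agent address from a raw BOOTP/DHCP message ("0.0.0.0" if not relayed)."""
    if len(packet) < struct.calcsize(BOOTP_HDR):
        raise ValueError("truncated BOOTP header")
    return str(ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


def select_subnet(giaddr, subnets=SUBNETS, server_addr=SERVER_ADDR):
    """Pick the subnet declaration a request belongs to.

    Relayed request: the subnet containing GIADDR.  Direct broadcast
    (GIADDR 0.0.0.0): the subnet of the interface the server received it on.
    Returns (network, pool_start, pool_end), or None when no declared subnet
    matches, in which case dhcpd has nothing to offer and stays silent."""
    selector = ipaddress.IPv4Address(server_addr if giaddr == "0.0.0.0" else giaddr)
    for net, lo, hi in subnets:
        if selector in ipaddress.IPv4Network(net):
            return net, lo, hi
    return None


if __name__ == "__main__":
    # Constructed sample: a host on 10.1.2.0/23 broadcasts, the 6506E relays it
    # from its SVI address 10.1.2.1 (the 'option routers' value for that subnet).
    pkt = build_discover(bytes.fromhex("001122334455"), giaddr="10.1.2.1")
    print("giaddr:", giaddr_of(pkt))
    print("subnet:", select_subnet(giaddr_of(pkt)))
    print("local :", select_subnet("0.0.0.0"))
```

This is also why the "shared-network" statement breaks the setup: it tells dhcpd that several subnet declarations share one wire, so GIADDR then only selects the shared network and any pool inside it becomes fair game.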

Here is the dhcpd.conf portion of the working config. Note that I also do PXE and kickstart boots from this dhcpd server.

authoritative;

# this is the most important line. It specifies the method
# to use to connect to the DNS server and update it.
ddns-update-style none;
ddns-domainname "example.com";
ignore client-updates;
option host-name = config-option server.ddns-hostname;

include "/etc/rndc.key";

option domain-name              "example.com";
option domain-name-servers      10.1.14.10,10.1.14.11,10.1.14.12;
option time-offset              -18000; # Pacific Standard Time
option ntp-servers              10.1.14.11;
one-lease-per-client            off;
default-lease-time              86400;
max-lease-time                  604800;
option                          ip-forwarding off;

# PXE
next-server install;
filename "/linux-install/pxelinux.0";

# Subnet for internal hosts
subnet 10.1.0.0 netmask 255.255.254.0 {
    range 10.1.1.200 10.1.1.253;
    option routers                  10.1.0.1;
    option subnet-mask              255.255.254.0;
    #failover peer "dhcp";
}

subnet 10.1.2.0 netmask 255.255.254.0 {
    range 10.1.3.200 10.1.3.253;
    option routers                  10.1.2.1;
    option subnet-mask              255.255.254.0;
    #failover peer "dhcp";
}

subnet 10.1.4.0 netmask 255.255.254.0 {
    range 10.1.5.200 10.1.5.253;
    option routers                  10.1.4.1;
    option subnet-mask              255.255.254.0;
    #failover peer "dhcp";
}

....and so on....

Using ldap and kerberos with ajaxplorer

12/18/12 Update: not all is peachy keen. Login and auto-creating accounts work, but logout can be an issue. I need to clear the session cookie when someone logs out. Have not gotten around to coding that yet.

After a bit of fiddling around, I finally got ajaxplorer working with (ldap) kerberos5 as the backend for authentication/access.

We are using ldap for the user directory and kerberos5 for passwords. It’s a little bit different from what I am used to.

Anyway, I needed to get ajaxplorer working on a large filer so users could access it, locally and remotely, essentially our private ‘dropbox’. But getting ajaxplorer working with kerberos was a bitch! At first I tried using ldap and got that working…. except ldap does not have our passwords; that’s where kerberos comes in. I thought about writing my own plugin, but damn it, I don’t have time for this.

After lots of googling, experimenting, etc., I found mod_auth_pam, which uses PAM for basic HTTP auth. And since we are already using pam_krb5 for logins on our boxes, it’s a perfect solution.

Here is the section in my bootstrap_plugins.php:

$PLUGINS = array(
        "CONF_DRIVER" => array(
                "NAME"          => "serial",
                "OPTIONS"       => array(
                        "REPOSITORIES_FILEPATH" => "AJXP_DATA_PATH/plugins/conf.serial/repo.ser",
                        "ROLES_FILEPATH"        => "AJXP_DATA_PATH/plugins/auth.serial/roles.ser",
                        "USERS_DIRPATH"         => "AJXP_DATA_PATH/plugins/auth.serial",
                        "FAST_CHECKS"           => false,
                        "CUSTOM_DATA"           => array(
                                        "email" => "Email",
                                        "country" => "Country"
                                )
                        )
        ),
        "AUTH_DRIVER" => array(
                "NAME"          => "basic_http",
                "OPTIONS"       => array(
                        "USERS_FILEPATH" => "AJXP_DATA_PATH/plugins/auth.pam/users.ser",
                        "AUTOCREATE_AJXPUSER"   => true,
                        "TRANSMIT_CLEAR_PASS"   => false
                )
        ),
        array(
                "NAME"          => "serial",
                "OPTIONS"       => array(
                        "LOGIN_REDIRECT"        => false,
                        "USERS_FILEPATH"        => "AJXP_DATA_PATH/plugins/auth.serial/users.ser",
                        "AUTOCREATE_AJXPUSER"   => false,
                        "FAST_CHECKS"           => false,
                        "TRANSMIT_CLEAR_PASS"   => false
                )
        ),
        "LOG_DRIVER" => array(
                "NAME" => "text",
                "OPTIONS" => array(
                        "LOG_PATH" => (defined("AJXP_FORCE_LOGPATH")?AJXP_FORCE_LOGPATH:"AJXP_INSTALL_PATH/data/logs/"),
                        "LOG_FILE_NAME" => 'log_' . date('m-d-y') . '.txt',
                        "LOG_CHMOD" => 0770
                )
        )
);

And the section in my /etc/httpd/conf.d/ajaxplorer.conf file:

   <Directory "/usr/share/ajaxplorer">
        Options FollowSymLinks
        AllowOverride Limit FileInfo
        Order allow,deny
        Allow from all
        AuthName "Ajaxplorer Access"
        AuthType Basic
        AuthPAM_Enabled on
        Require valid-user
        php_value error_reporting 2
   </Directory>

The trick is these two lines for the “basic_http” AUTH_DRIVER:


"USERS_FILEPATH" => "AJXP_DATA_PATH/plugins/auth.pam/users.ser",
"AUTOCREATE_AJXPUSER" => true,

That then allows my users to log in; the first time, they authenticate via mod_auth_pam, and ajaxplorer creates their account in “AJXP_DATA_PATH/plugins/auth.pam/users.ser”.

NOTE: I had to manually create the directory plugins/auth.pam and an empty users.ser file.

But after that, everything works perfectly.