Category Archives: Networking

Networking related notes.

Vyos first impression

So I've just started playing with Vyos, a community fork of Vyatta. Vyatta, now owned by Brocade, is a Debian based Linux firewall / router distro running on x86 hardware. Renamed "Vyatta, a Brocade company", Brocade sell subscriptions and appliances built around the system. Vyatta has a web GUI, but the command line structure is, I gather, based on Juniper Networks' Junos, a popular rival to Cisco's IOS.

Vyos is freely available and, like its commercial cousin, runs on x86 hardware and a variety of virtualisation platforms. For my purposes I've just installed it to a VM under VMware Workstation. It is apparently possible to install to a compact flash card for use in single board PCs, such as the PC Engines Alix. However, the usual problem of limiting writes to that media applies, so logs need to be redirected.

At the time of writing I'm using Vyos Helium, the second major release, v1.1.0. There is no web GUI implemented yet, which personally suits me fine. Command line tools have a higher learning curve but are so much faster once you know them. The on board CLI help, like Cisco IOS, is very useful, with the usual "?" offering the options for the given mode. Yes, like Privileged Exec and Global Configure, the familiar dropping into modes to perform sets of tasks applies here. The "configure" command gets you into configuration mode. Changes are only applied once the "commit" command is given, and "save" stores them to disk.

One of my reasons for wanting to try Vyos, aside from curiosity, is that I'll be working on some Ubiquiti routers shortly. Their EdgeOS is another fork of Vyatta and shares the same command syntax, at least thus far.

I'd say I like Vyos a lot at this point except for one major nag. That is, I'm not currently able to get my Vyos VM working with VMware virtual network adapters in Workstation. So I can't connect this VM to the rest of my internal virtual networks. This may be a misunderstanding on my part, some setting I've missed, or possibly it only works on VMware vSphere, the bare metal hypervisor. This is a great shame. I've posted to the Vyos forums but not had a reply. Anyway, I will continue nosing around this issue.

Raspberry Pi as Wifi Access Point

Have your own Linux router / access point and provide guests with wireless network access.

Obviously you need a Pi model with an RJ45 LAN port and a USB wifi adapter. When sourcing the latter, make sure it is compatible and won't require a powered USB hub. I purchased one from www.thepihut.com

Your Pi will need to be connected to the wired LAN, with internet access. It will NAT to its ethernet address and use a lightweight DHCP server to give wireless clients IP addresses.

Assuming the Pi is already running Raspbian, the SD card image has been expanded, the default password has been changed and networking with internet access is working. Sudo to root to run the following commands.

Install the software.
sudo apt-get install hostapd isc-dhcp-server

Configure the DHCP server for our new wifi subnet.

Using the example network 192.168.2.0/24, with the first 10 addresses reserved for static assignment.

nano /etc/dhcp/dhcpd.conf

Comment out the following lines, thus.

#option domain-name "example.org";
#option domain-name-servers ns1.example.org, ns2.example.org;

Uncomment authoritative in the below line.

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

Add the following lines at the bottom.

subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.10 192.168.2.253;
  option broadcast-address 192.168.2.255;
  option routers 192.168.2.1;
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name "local";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Save and exit.

The wifi adapter will likely show up as wlan0. To check, run

ifconfig

or

iwconfig

You can use the below command to see if your usb adapter is recognised.

lsusb

Shut it down whilst we finish configuring DHCP and the interface.

ifdown wlan0

Now edit the defaults file for the DHCP server, which tells it which interfaces to listen on.
/etc/default/isc-dhcp-server
Add our wifi interface in (note the variable name is upper case).

INTERFACES="wlan0"

Save and exit.

Configure wlan0.

nano /etc/network/interfaces

Comment out any config lines already present for wlan0 by prepending a #.

Then add

iface wlan0 inet static
address 192.168.2.1
netmask 255.255.255.0

Save and exit.

Configuring the hostapd access point daemon.
In order to get the RTL8187CUS driver working, it was necessary to use the replacement hostapd build below.
wget http://www.daveconroy.com/wp3/wp-content/uploads/2013/07/hostapd.zip

This is a third party binary that will run as root, so only use it if your adapter really needs the Realtek driver. Adapters with mainline kernel drivers can use the packaged hostapd with driver=nl80211 instead.

Replace the driver name listed in the config below with yours if different. lsusb shows the adapter's chipset, from which you can tell which driver it uses. Check with.

lsusb

Create the config file and add the below lines.

nano /etc/hostapd/hostapd.conf

interface=wlan0
# rtl871xdrv is the driver name the replacement hostapd above expects; mainline drivers use nl80211
driver=rtl871xdrv
ssid=my_ssid
hw_mode=g
channel=6
macaddr_acl=0
# open system authentication only (no WEP shared key)
auth_algs=1
ignore_broadcast_ssid=0
# wpa=2 means WPA2 (RSN) only; with this setting the wpa_pairwise line below is ignored
wpa=2
# 8 to 63 characters; this file holds the key in clear, so chmod 600 it
wpa_passphrase=passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
# CCMP (AES) only; TKIP is deprecated and should not be offered
rsn_pairwise=CCMP

Save and exit. Then edit the main hostapd config file to point it to the above setup config.

nano /etc/default/hostapd

DAEMON_CONF="/etc/hostapd/hostapd.conf"
Save and exit.

Because our Pi will be acting as a router, forwarding from wlan0 to eth0, we need to enable IP forwarding in the kernel. To enable this at boot, edit.

nano /etc/sysctl.conf

Scroll to the bottom and add, on a new line,

net.ipv4.ip_forward=1

Save and exit.

To enable IP forwarding immediately do.

sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Now configure NAT so our wifi users get access to the rest of the network using the Pi's eth0 address.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Note that the two FORWARD rules only restrict anything if the chain's default policy is DROP (iptables -P FORWARD DROP); with the stock ACCEPT policy the Pi forwards everything between the two interfaces regardless. As written, guests can also reach the wired LAN, not just the internet.

To enable this at boot, save the rules to a file, for example /etc/nat-rules, and have them read back in when the interface comes up. iptables-save writes to standard output, so redirect it. Do

iptables-save > /etc/nat-rules

In the file /etc/network/interfaces, under the wlan0 config, add the line.

post-up iptables-restore < /etc/nat-rules

Bring up wlan0 with.

ifup wlan0

To test the access point, run hostapd in the foreground with.

/usr/sbin/hostapd /etc/hostapd/hostapd.conf

Assuming the AP is working, to have hostapd and the DHCP server run at boot, do.

update-rc.d hostapd enable
update-rc.d isc-dhcp-server enable

Check status with.

service hostapd status
service isc-dhcp-server status

Depending on your distro, you may need to stop wpa_supplicant from grabbing wlan0. Do so by moving its D-Bus service file out of the way with this command:

sudo mv /usr/share/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service ~/

And then rebooting.
That’s it. :)
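Putting the steps above together, here is an added example in Python that is not part of the original post. It renders the same three pieces of configuration (the dhcpd subnet block, hostapd.conf and the NAT rules in the iptables-restore format that the post-up line reads) from a few parameters, and refuses settings a guest access point should not ship with: a passphrase outside the 8 to 63 character WPA2 range, or TKIP. The file names, the 0600 permissions, the FORWARD DROP policy, the source address check and the rules keeping guests off private address ranges are my additions and assumptions; the hand-typed rules earlier do none of that.

```python
"""Render the Raspberry Pi access point config from a few parameters.

Added example, not code from the original post: it produces the dhcpd subnet
block, hostapd.conf and an iptables-restore ruleset matching the steps above.
File names, the 0600 mode, the FORWARD DROP policy, the RFC 1918 drops and
the source check are my additions, not part of the original write-up.
"""
import ipaddress
import os


def dhcpd_subnet(cidr, reserved=10, dns=("8.8.8.8", "8.8.4.4")):
    """subnet {} block: .1 is the router, `reserved` addresses stay static."""
    net = ipaddress.ip_network(cidr, strict=True)
    router = net.network_address + 1
    first = net.network_address + reserved      # first pooled address
    last = net.broadcast_address - 2            # pool stops short of broadcast
    if not router < first < last < net.broadcast_address:
        raise ValueError("%s too small for %d reserved addresses" % (cidr, reserved))
    return ("subnet %s netmask %s {\n"
            "  range %s %s;\n"
            "  option broadcast-address %s;\n"
            "  option routers %s;\n"
            "  default-lease-time 600;\n"
            "  max-lease-time 7200;\n"
            '  option domain-name "local";\n'
            "  option domain-name-servers %s;\n"
            "}\n") % (net.network_address, net.netmask, first, last,
                      net.broadcast_address, router, ", ".join(dns))


def passphrase_ok(passphrase):
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) < 127 for c in passphrase)


def hostapd_conf(ssid, passphrase, iface="wlan0", driver="nl80211", channel=6):
    """WPA2 only (wpa=2) with CCMP; no TKIP and no WPA1 fallback offered."""
    if not passphrase_ok(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return "\n".join([
        "interface=%s" % iface,
        "driver=%s" % driver,        # nl80211 for mainline drivers, rtl871xdrv for the Realtek build
        "ssid=%s" % ssid,
        "hw_mode=g",
        "channel=%d" % channel,
        "macaddr_acl=0",
        "auth_algs=1",               # open system authentication only, no WEP shared key
        "ignore_broadcast_ssid=0",
        "wpa=2",                     # RSN / WPA2 only
        "wpa_passphrase=%s" % passphrase,
        "wpa_key_mgmt=WPA-PSK",
        "rsn_pairwise=CCMP",         # AES-CCMP only; TKIP is deprecated
    ]) + "\n"


def nat_rules(wan="eth0", lan="wlan0", lan_cidr="192.168.2.0/24"):
    """iptables-restore input for both tables. FORWARD defaults to DROP so the
    ACCEPT rules actually limit traffic (under the stock ACCEPT policy they
    change nothing); guests get the internet but not the wired LAN."""
    private = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    lines = ["*nat",
             ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
             ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
             "-A POSTROUTING -o %s -j MASQUERADE" % wan,
             "COMMIT",
             "*filter",
             ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             "-A FORWARD -i %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT" % (wan, lan)]
    # keep guests off the wired LAN and any other private range
    lines += ["-A FORWARD -i %s -o %s -d %s -j DROP" % (lan, wan, p) for p in private]
    # forward only packets genuinely sourced from the guest subnet
    lines.append("-A FORWARD -i %s -o %s -s %s -j ACCEPT" % (lan, wan, lan_cidr))
    return "\n".join(lines + ["COMMIT"]) + "\n"


def write_configs(dest, ssid, passphrase, cidr="192.168.2.0/24"):
    """Write all three files under dest, mode 0600 (hostapd.conf holds the PSK)."""
    os.makedirs(dest, exist_ok=True)
    files = {"dhcpd-subnet.conf": dhcpd_subnet(cidr),
             "hostapd.conf": hostapd_conf(ssid, passphrase),
             "nat-rules": nat_rules(lan_cidr=cidr)}
    for name, text in files.items():
        fd = os.open(os.path.join(dest, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
    return sorted(files)
```

Calling write_configs("/tmp/ap", "my_ssid", "correct horse battery") stages the three files for comparison with the hand-edited ones: the dhcpd block is pasted into /etc/dhcp/dhcpd.conf, hostapd.conf replaces the one created above, and nat-rules is the file the post-up iptables-restore line reads. The iptables-restore format carries the chain policies, which is how FORWARD ends up as DROP on every boot rather than only when you remember to run iptables -P by hand.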

VMWare Virtual Network Lab Setup

Example virtual lab using VMware. I'll refer to this as Vlab 1 in case I mention it in later posts.

The general objective is to set up a small virtual network on which I can build. The virtual machines on the network will access the real network and thus the internet through one of them acting as a gateway.

I’m using 4 headless VMs, all running the Debian based Voyage Linux distro, which is tailored for router applications.

One of these VMs will be bridged to my real LAN, the one simulating an internet gateway. It will perform NAT for the networks behind it on the virtual side.

As an aside, these are running single area OSPF with the Quagga router software but I’ll just talk about the basic interface setup in this post.

Let’s call the 4 Voyage routers alpha, beta, gamma, delta. For what it’s worth, they are all installed in 2GB virtual disks, have one processor core each and 256MB RAM.

Alpha will be the gateway. i.e. the one with a bridged interface to the real network. The 4 VMs are connected in a simple line. Alpha – beta – gamma – delta.

In VMware's Virtual Network Editor, I've configured 3 Vnets for these links. For some reason, it seems you can't use a /30 subnet for Vnets, which would be the usual choice for a point to point link; Virtual Network Editor just won't allow it. So I'm using /29s.

In my case, Vnets 11, 12, 13.

Vnet 11. 172.16.1.0/29
Link between alpha and beta.

Vnet 12. 172.16.1.8/29
Link between beta and gamma.

Vnet 13. 172.16.1.16/29
Link between gamma and delta.

Alpha has 2 interfaces, one on the real LAN.
192.168.1.2

And the Host Only Custom link to beta.
172.16.1.1

The rest are all Host Only Custom links in their respective Vnets.

Beta – alpha:
172.16.1.2

Beta – gamma:
172.16.1.9

Gamma – beta:
172.16.1.10

Gamma – delta:
172.16.1.17

Delta – gamma:
172.16.1.18

Notes:

I have to be organised in how I set these up, more so than perhaps most people. As they’re running headless, no desktop, they have no screenreader running. It may be possible to recompile Voyage with Speakup but that’s beyond me at the moment.

Normally when I'm experimenting with, say, a single virtual server, I'll have one interface bridged to my real LAN so I can use my screenreader on the host and SSH in. In this case, I want to force all traffic through the virtual gateway and only have that machine appearing on the LAN. So to reach the others, I need to make sure the routing is set up, as I'll be SSHing to the gateway and hopping from there. As there's no screenreader on the VMs I can't just type at the console.

How I've done this is to initially set up all VMs with one bridged interface so I can connect and configure the other Host Only connections by editing /etc/network/interfaces. Once I know these are up and reachable from the other VMs, I shut down the bridged interface and comment it out.

As mentioned I am using OSPF and having alpha redistribute the default route that leads out on to the LAN. Were this not the case, I could have used a line in interfaces to set a static default route pointing to the Host Only interface. i.e. through the virtual network towards alpha and the real world.
post-up route add default gw x.x.x.x

Whilst setting these up, it might be worth noting that I did manage to mess up my SSH config file on one of the VMs after I'd already shut down the bridged interface, effectively locking myself out due to having no screenreader access on the console. I fixed it by SSHing into another Voyage VM and counting down how many lines the errant line was, then doing this blind on the misconfigured machine. Cleverer people than I might have used sed and grep in some fancy way to fix it...

Links

VMware

Voyage Linux

Intro to VMware’s Virtual Networks

I'm using the popular VMware Workstation 10 on Windows 7. VMware have a number of products. You can download the free VMware Player if you want to run a compatible virtual machine, but you can do more with Workstation. Of course there are a number of other virtualisation platforms for Windows, Mac and Linux, but I'm with this one.

The Virtual Network Editor that comes with Workstation is where you can set up to 19 virtual networks. Before going on to look at that, note that under VMware there are 3 types of network connection: NAT, Bridged and Host Only.

NAT. Network Address Translation. The NAT option creates a virtual network behind your host machine on which your guest resides. It has access to the real network resources through your host but doesn’t appear on the network to other devices on your LAN.

Bridged. This takes your virtual machine’s network adapter and bridges it through the host so the guest will appear on the LAN with its own IP address. Either a static one you configure on the guest or if you’re using DHCP, it will get one from your real DHCP server.

Host only. This configuration provides a virtual connection to another virtual machine. So you can have a network of completely isolated VMs if you choose.

Using the Virtual Network Editor, as an example we'll add a virtual network for a host only connection. This will act as a private network between 2 or more guests. The Virtual Network Editor, found in the program group in the start menu (or just use search), is where you initially set up virtual networks, or Vnets. Some of these Vnets are configured by default: Vnet 0 provides the bridged connection and Vnet 8 is for NAT. You can only have one of the latter type anyway.

To add a custom Vnet, click Add and choose the Vnet number you want to use. You can think of these like virtual switches: when configuring a guest's network interfaces, you effectively connect them to these virtual switches.

Choose Host Only.

To have this network only be available to your guests, not your host, untick Connect a Host Virtual Adapter to This Network.

VMware has its own DHCP server for these Vnets. In my case I untick this box as I want to either configure static addresses or set up a DHCP server on one of the guests themselves.

Next choose the IP and subnet you want for this network. Click OK, you’re done.

Now from within VMware, VM Menu, Settings, you can add or change the network adapter settings for the selected guest. For example from the Hardware tab, go to add and choose Network Adapter.

Choose the Host Only setting and click OK.

Highlight this new interface in the list view and select the Custom radio button. You can now choose the Vnet you configured earlier to which this virtual network interface will be connected.

Later I’ll give an overview of how I set up a small virtual network lab using these custom networks, with a guest acting as a router, linking them to my real network and thus internet access.

Send email via telnet

A quick way to test your SMTP server is to use telnet. The default well known port for SMTP is 25.

telnet mail.example.com 25
220 mail.example.com ESMTP Postfix (Ubuntu)
helo me.test.com
250 mail.example.com
mail from:me@here.com
250 2.1.0 Ok
rcpt to:you@there.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject:a test

blah blah.
.
250 2.0.0 Ok: Queued as ABC123
quit
221 2.0.0 Bye

To use headers such as From, To and Subject, add them immediately after the data command, followed by a blank line and then the body. i.e.

data

from:me@here.com
to:you@there.com
subject:testing again.

words
.
quit

There are other commands you can issue, such as ehlo (extended hello) instead of helo, which has the server list its capabilities. Other commands, such as vrfy (verify an address), may have been disabled by the system administrator, since they let anyone enumerate valid mailboxes.

One of the inherent problems with email is that it allows the sender to put arbitrary information in the headers. The From: header you type after the data command is never checked against the envelope sender given in mail from, let alone against who you really are, so fake addresses and domains are trivial. The mail administrator may use a variety of techniques to block spam and otherwise unwanted mail from entering their systems, but it's an ongoing battle.
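The telnet session above, driven from Python against an in-process stand-in for the server, as an added example that is not part of the original post. TinySmtpServer, its made up queue id and the hostnames are mine; it answers the way the Postfix transcript does. Beyond the transcript it shows two things the text only alludes to: the dot-stuffing a real client must do for body lines that start with ".", and that the From: header is entirely independent of the envelope sender, which the server never checks either.

```python
"""In-process run of the SMTP dialog from the telnet session above.

Added example, not from the original post: TinySmtpServer is a constructed
stand-in that answers like the Postfix transcript, send_session drives the
same command sequence and sender_mismatch compares the envelope sender
(MAIL FROM) with the From: header. Queue id and hostnames are made up.
"""
import re


def _addr(arg):
    # address out of 'from:<a@b>' or 'to:a@b'; the brackets are optional
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()


class TinySmtpServer:
    def __init__(self, hostname="mail.example.com"):
        self.host = hostname
        self.envelope = {"from": None, "to": []}
        self.data, self.in_data, self.queued = [], False, None

    def greet(self):
        return "220 %s ESMTP (constructed)" % self.host

    def handle(self, line):
        """Reply for one client line; None while DATA is being collected."""
        if self.in_data:
            if line == ".":                      # a lone dot ends the message
                self.in_data = False
                # undo the client's dot-stuffing of lines that began with '.'
                self.queued = "\r\n".join(l[1:] if l.startswith(".") else l
                                          for l in self.data)
                return "250 2.0.0 Ok: queued as CONSTRUCTED01"
            self.data.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        fixed = {"HELO": "250 %s" % self.host,
                 "EHLO": "250-%s\r\n250-PIPELINING\r\n250 8BITMIME" % self.host,
                 "VRFY": "252 2.0.0 Cannot VRFY user",  # disabled: no enumeration
                 "QUIT": "221 2.0.0 Bye"}
        if verb in fixed:
            return fixed[verb]
        if verb == "MAIL":
            self.envelope["from"] = _addr(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            self.envelope["to"].append(_addr(arg))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            self.in_data, self.data = True, []
            return "354 End data with <CR><LF>.<CR><LF>"
        return "502 5.5.2 Error: command not recognized"


def send_session(server, helo, mail_from, rcpt_to, headers, body_lines):
    """Drive the dialog like the telnet session; returns (transcript, final reply)."""
    transcript = ["S: " + server.greet()]

    def say(cmd):
        transcript.append("C: " + cmd)
        reply = server.handle(cmd)
        if reply is not None:
            transcript.append("S: " + reply)
        return reply

    say("helo " + helo)
    say("mail from:<%s>" % mail_from)
    for rcpt in rcpt_to:
        say("rcpt to:<%s>" % rcpt)
    if not say("data").startswith("354"):
        raise RuntimeError("server refused DATA")
    for name, value in headers:                  # headers go straight after DATA
        say("%s: %s" % (name, value))
    say("")                                      # blank line, then the body
    for line in body_lines:                      # RFC 5321 4.5.2 dot-stuffing
        say("." + line if line.startswith(".") else line)
    final = say(".")
    say("quit")
    return transcript, final


def sender_mismatch(server):
    """True when the From: header disagrees with the envelope sender; the
    server checked neither, which is the point made above."""
    head = server.queued.split("\r\n\r\n", 1)[0]
    hdr = [l.split(":", 1)[1].strip() for l in head.split("\r\n")
           if l.lower().startswith("from:")]
    return (hdr[0] if hdr else None) != server.envelope["from"]


def spoofed_example():
    """Constructed session: honest envelope, forged From: header."""
    srv = TinySmtpServer()
    log, last = send_session(
        srv, "me.test.com", "me@here.com", ["you@there.com"],
        [("From", "boss@there.com"), ("To", "you@there.com"), ("Subject", "a test")],
        ["blah blah.", ".this line starts with a dot"])
    return srv, log, last


if __name__ == "__main__":
    print("\n".join(spoofed_example()[1]))
```

Running it prints the C:/S: transcript; the queued message ends up with ".this line starts with a dot" intact only because the client sent it as "..this line starts with a dot", otherwise the server would have taken the bare dot line as the end of the message. The mismatch check is the kind of thing a receiving MTA or filter has to do itself, since SMTP provides nothing of the sort.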