jyrgenn: Blurred head shot from 2007 (Default)
The IPv6 tunnel via HE worked fine, but I was not really pleased with the roundtrip times to their access point. So, when I got a new server hosted by my former employer last year, one that comes with a /56 IPv6 space, this gave me another tunneling opportunity.

In between I had trashed the Mikrotik router described in an earlier article after it had bricked itself when I tried to reset the configuration just like it was documented. Last straw and all that. The new one is an EdgeRouter PoE from Ubiquiti, with which I am mostly happy. It has its weak points, too, but it is openly based on Debian and Vyatta, meaning you don't even have to break out of the configuration CLI to access any Unix commands. (The web GUI is nice and shiny, but very limited in its capabilities.) The CLI is modeled after JunOS, which made me feel at home fast.

Vyatta offers OpenVPN out of the box, so it was easy to set up a tunnel configuration to an OpenVPN instance on my server. This way I have a /60 tunneled to my home, which should be plenty. And unlike with HE, the roundtrip times are in the single digits of milliseconds.
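A tunnel of that shape, as an added example and not the author's actual configuration: the OpenVPN side on the external server, in point-to-point static-key mode, with a /60 out of the server's /56 routed to the home end. The addresses (2001:db8:1::/56 as the server's block, 2001:db8:1:10::/60 for home, 2001:db8:1:1::/64 as the tunnel link, 10.99.0.0/30 for OpenVPN's IPv4 endpoints) and the key path are assumptions.

```conf
# /etc/openvpn/home.conf on the external server (added example; all
# addresses are documentation-prefix placeholders, not the author's)
dev tun
proto udp
port 1194
# pre-shared static key, generated once with
#   openvpn --genkey --secret /etc/openvpn/home.key
# and copied to the router over ssh; no TLS, so there is nothing to renew,
# but anyone holding the file can inject traffic into the tunnel: mode 0600
secret /etc/openvpn/home.key
# tunnel endpoints; the IPv4 pair is only needed for OpenVPN's own bookkeeping
ifconfig 10.99.0.1 10.99.0.2
ifconfig-ipv6 2001:db8:1:1::1 2001:db8:1:1::2
# send the home /60 (a slice of the server's /56) into the tunnel;
# the router at the other end hands out /64s from it on its LAN segments
route-ipv6 2001:db8:1:10::/60
# static-key mode cannot use AEAD ciphers, so authenticate the stream explicitly
cipher AES-256-CBC
auth SHA256
# the home end has a changing IPv4 address: accept the peer from wherever it
# comes instead of pinning it with "remote"
float
keepalive 10 60
persist-key
persist-tun
```

The server additionally needs IPv6 forwarding enabled (net.ipv6.conf.all.forwarding=1 on Linux) and its upstream must already route the whole /56 to it; route-ipv6 only installs the kernel route for the /60 towards the tun interface. On the EdgeRouter the same parameters live under `interfaces openvpn vtun0` (`mode site-to-site`, `remote-host`, `shared-secret-key-file`, `local-address`, `remote-address`), and anything without a keyword of its own, such as the IPv6 lines, is passed through `openvpn-option`; keep the key under /config/auth so it survives firmware upgrades.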
In the last days I have put a new server for infrastructure services into operation at home.

It does not run as router or firewall, but has an SSHd for remote logins, DHCP and RADIUS server, DNS resolver, and cron jobs to do all those little things that must be done when my outer IP(v4) address changes, like updating dynamic DNS and reconfiguring the IPv6 tunnel with HE. For a few hours now, fail2ban has also been successfully blocking those pesky brute-force ssh attacks from China and the like.
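What fail2ban does with those brute-force attempts, reduced to its core as an added example (not the author's setup): count sshd authentication failures per source address in the log and report the addresses over a threshold. The log lines are constructed for the example; the format is what OpenSSH writes, but host name, addresses and users are made up.

```sh
#!/bin/sh
# Count sshd authentication failures per source address and report those
# over a threshold -- the same logic fail2ban's sshd filter applies to
# /var/log/auth.log (or /var/log/authlog on the BSDs).
# The log lines below are constructed for the example.

SAMPLE_LOG='Aug  3 04:11:02 infra sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  3 04:11:05 infra sshd[4121]: Failed password for root from 203.0.113.7 port 51023 ssh2
Aug  3 04:11:09 infra sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Aug  3 04:11:10 infra sshd[4125]: Invalid user oracle from 198.51.100.23 port 40100
Aug  3 04:11:11 infra sshd[4125]: Failed password for invalid user oracle from 198.51.100.23 port 40100 ssh2
Aug  3 04:12:40 infra sshd[4130]: Accepted publickey for jni from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:abc
Aug  3 04:13:01 infra sshd[4131]: Failed password for jni from 192.0.2.10 port 50023 ssh2'

# ssh_bruteforce_sources THRESHOLD < logfile
# prints "count address", one line per address with at least THRESHOLD
# failures, most failures first; prints nothing if no address qualifies
ssh_bruteforce_sources() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the token after "from"; this also covers
            # the "invalid user" variant, which is what the scanners produce
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip
        }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | ssh_bruteforce_sources 3
```

fail2ban's sshd jail does this over the live log, with `maxretry`, `findtime` and `bantime` in jail.local setting the threshold, the time window and the ban duration; the function above has no time window, so it would also flag a legitimate user who mistypes a password a few times a day. Banning is a backstop: with PasswordAuthentication off in sshd_config the attempts fail regardless of how many passwords the scanner tries.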

The hardware is a small and — moderately — low power model from PC Engines, but still with a dual-core 1 GHz AMD CPU (amd64) and 4 GB of RAM, so it is quite capable. I have put in an SLC SSD (relatively expensive, but AIUI not as easily worn out by writing), also with 4 GB, which is enough for normal operation.


Despite being low power (≤ 12 W), that little thing runs quite hot. Internally, CPU and south bridge are thermally connected to the case via an aluminium heat spreader:


Still, the case gets so hot that I felt another cooling element is in order, as it is already quite warm on the upper boards of the store-room shelf (the left one in the picture):

from left to right: the new small server with heat sink attached, the router, the switch connecting router and DSL modem

With that, it runs up to 72 °C on the CPU when it is around 30 °C outside. As the CPU is rated for up to 90 °C, that seems to be okay.

The server is connected to my "core" network, to the WLAN segment, and to the DMZ, where incoming SSH connections are terminated.

As it runs security-critical services, I decided to give OpenBSD a try, for the first time. Not a bad idea — while not as much pre-packaged software is available as for, say, FreeBSD or Debian, most things I want are there, and then I should still be able to install most things from source. Or write them myself, dammit!

OpenBSD feels more like a "traditional" BSD than FreeBSD — the installation is rather like that of other systems 20 years ago; the whole setup feels simpler, more straightforward, with fewer automatic tentacles; updates are done by getting the source for the whole system and recompiling. Without being able to give really informed comments yet, I can say it feels good, solid, familiar, definitely likeable.

BTW, the 4 GB SSD proved to be too small for rebuilding the system, so I had to put /usr/src/ and /usr/obj/ on the file server, NFS-mounted over mere Fast Ethernet. I was afraid that this would slow down the system building by much, but building the userland was done after 5h20m, with 63% CPU utilization. Pleasant surprise!

Update: I have to admit that after some time I fell back to FreeBSD for this machine. While that decreases the OS diversity, it is much easier to update two FreeBSD boxen than one FreeBSD and one OpenBSD box. Also, the tunnel isn't to HE any more, but to my own external server, which is much closer, roundtrip-wise, and handled directly by the router (the middle device in the picture) using OpenVPN.
In summer I gave up the additional "luxury" Internet access (with native IPv6 and fixed IPv4 address) to cut costs, leaving me without IPv6 at home. Now, a few weeks ago, one of our local IPv6 evangelists triggered me to try the free tunnel offering from Hurricane Electric (HE), and so I did. This weekend I put together the remaining pieces, so now I have everything in place again, including tunnel updates when my home IP address changes, and reverse DNS delegation.

Getting the tunnel to work was not that easy. On the HE tunnel broker website the information on how to update the tunnel information (i.e. the web API) is not exactly pushed into your face; googling helps. The first script I found for the Mikrotik router, though, seems to use an outdated version of the API, and then you don't want the router to do that anyway – while it has an HTTP client that you can use in scripts, it does not do https (WTF?!), so it sends your password in clear text. And don't get me started on the scripting language.

Anyway, for (IPv4) dynamic DNS updates I have a script on my home server watch the external IP address anyway, so this could as well trigger a script to update the tunnel when the address changed. This is so much easier in a shell script than with a router script...

In case anyone else needs something like it, this is the script:
# update HE ipv6 tunnel with Mikrotik router
#
# Needs curl and ssh. The update URL is HE's dyndns-style endpoint (an
# assumption: the original script did not show it). Do not pass -k to curl:
# that disables certificate checking and hands the account password to
# anyone in the path.

USER=he_user                        # HE account username
PASS=hepassword                     # HE account password
HOST=12345678                       # HE tunnel ID
TNIF=sit1                           # Mikrotik router's tunnel interface name
ROUTER=mt_router                    # router hostname
ADMIN=admin                         # router admin account
SSHKEY=$HOME/.ssh/id_dsa_$ROUTER    # ssh identity key file

URL="https://ipv4.tunnelbroker.net/nic/update?hostname=$HOST"
SSH="ssh -i $SSHKEY $ADMIN@$ROUTER"

# HE answers "good <address>" when the client endpoint was changed to the
# source address of this request, "nochg <address>" when it already matched
curl -s -u "$USER:$PASS" "$URL" | while read mode addr; do
    case "$mode" in
        good)  $SSH "/interface 6to4 set [find name=$TNIF] local-address=$addr"
               logger "$0: new address $addr";;
        nochg) logger "$0: address unchanged $addr";;
        *)     logger "$0: unknown response $mode $addr";;
    esac
done
Of course, be sure to understand what this does before you use it. Needs curl and ssh, and the appropriate ssh key file in place. The ssh key must be good for admin access at the router.
[I enjoyed reading this piece by Daniel Pittman, quoted with permission]

IPv4 exhaustion is just the current part of the natural cycle of rising and falling levels of IPv4 address usage. Besides, many scientists see a significant correlation between sunspot activity and IPv4 consumption.

"The attempts of IPv6 supporters to bolster the myth of human-induced IPv4 exhaustion is downright immoral." Philip Stott, Professor of Bio-geog-ip-ography, University of London

Besides, IPv4 exhaustion is just a theory. It isn't even, like, a real fact or anything. Plenty of scientists believe that there are vast untapped reserves of IPv4 address space lying idle, just waiting for improved routing techniques to release them on the world.

"An IETF IPv4 exhaustion conference in Poland is about to get a surprise from 650 leading scientists who scoff at doomsday reports of man-made IPv4 exhaustion -- labeling them variously a lie, a hoax and part of a new religion."
Years ago (yes, I looked it up) I asked my domain registrar Schlund Technologies to make it possible to register glue records with IPv6 addresses for the name servers. They can do it by hand, but experience has shown that this is an error-prone process. In the meantime they have built a whole new web interface with gratuitous JavaScript overload, and you still cannot do it.

[Update: Apparently I have been wrong here and this is actually possible in the meantime. Sorry, I didn't want to give anyone a bad name.]

A while ago I created an account with Domain Discount 24, where this is actually possible. The impending end of my current ISP contract made some changes necessary, so I transferred my main infrastructure domain w21.org there. Before that, I changed the domain's name servers to some outside of that domain (ns{1,2}.w21-4.de -- only the names, though, same servers actually), to avoid glue record confusion. This may have been unnecessary.

This was the first registrar-to-registrar domain transfer I made, and I must say I am impressed. The whole process, once I found out that I had to put not only the domain name, but separated by a space also the authinfo into that box, took well under an hour, with no perceptible service outage. I had canceled the domain with pre-ack at Schlund earlier, though.

Changing the name servers back to ns{1,2}.w21.org (to make lookups a bit faster) was nearly instantly done and visible at the name servers, and the correction of a typo I made (apparently the .org registry checks less strictly than .de, or is it Schlund?) showed up inside of one or two minutes at the .org name servers. Obviously they do not do it with a zone file reload every hour.

Maybe I will transfer my domains all to Domain Discount 24. Or should I not put all my eggs in one basket, perhaps?
The need to switch ISPs finally pushed me to configure the Juniper SRX100 router.

As my current ISP, KGT New Media, is giving up their consumer Internet access over T-DSL product and has canceled the contract to end of August, I am a bit under pressure to get everything running with a different ISP. So, back to Titan Networks, although their offer is not quite what I was looking for. For € 24.50 per month, about the same price as with KGT, I get not a traffic flat rate, but a volume of 25GB, with extra traffic for € 5.50/GB. This should usually be enough, but in the past I have had a huge traffic peak once, which suddenly cost me an additional 90 Euros. But there are not very many ISPs offering IPv6 for end customer prices to choose from.

Of course, before I switch completely, particularly all the DNS entries for- and backwards, I want to make sure everything works. This gave me another opportunity and additional motivation to finally tackle the SRX100, and I did.

While the Cisco 1712 still runs with KGT, the SRX100 is now running the Titan connection, although in a kind of "client-only" mode, without allowing incoming connections. Making incoming traffic possible requires much more firewall-fu than the little I have already understood. This is really not easy.

Doing the basic configuration -- forwarding IPv4 and IPv6 between the core and the WLAN network and the PPPoE connection to the ISP -- was moderately simple. Junos configuration is indeed a bit less of a pain in the back than IOS. I especially like the method of modifying a configuration until it is done and only then committing it to be activated. Otherwise it would have been more difficult or required a reboot to do reconfigurations that would have cut me off from the router in mid-change.

I also think the explicitly hierarchical configuration makes sense as a way of structuring everything; when I dive into some hierarchy level, I can concentrate on just that and show just that bit, for instance. Ah, yes, you can show the configuration while editing, isn't that just amazing? (I probably have only missed that with IOS, but to me it's still a difference.) And then there are the little things, like being able to go back in the pager (while viewing configuration or the like). I like it.

One thing had me busy for a while, though: There is no possibility to use IPv6 with vlan interfaces. This restriction still puzzles me, but apparently it is intentional, or at least specified. That I was not able to set an IPv6 address on a vlan interface from the CLI but could do that from the web interface added to my confusion. But even if an address has been set on a vlan interface, it cannot actually be used. Took me quite a while to find the final answer.

In the end I gave up and configured the interfaces not as switching group members, but as IP interfaces, and then everything worked. Well, except for the switching, of course -- I need a separate switch now where a port-based vlan on the SRX100 should have been sufficient. That is annoying.

Apart from that and the still unresolved incoming traffic issue, everything works fine now.

Perhaps I will finally just switch the Cisco over to Titan, and then the SRX100 to the currently unused T-Online connection -- I used it briefly for testing the SRX100 and found that instead of the 30 ms roundtrip to my external server, it gave me 8! The T-Online access is with IPv4 only (currently; IPv6 probably next year) and with changing addresses. But that is fine for the clients, while the server can still use the fixed-address IPv6 and IPv4 access over the Cisco and Titan.
As mentioned before, IOS is a pain in the neck if you don't use it on a day-to-day basis, hence the wish to replace the Cisco 1712 — there are too many things I would like to do in the configuration, but I hesitate out of fear of messing it up completely.

Beginning of the year I got an SRX100, the smallest of Juniper's "Services Gateways", meaning an access router with Firewall. Shiny! Apart from a serial console port, it simply has 8 Fast Ethernet ports, which can be configured freely, including as one or more switching groups with port-based or tagged VLANs. The default configuration even makes some sense with one port as a WAN link acting as DHCP client for configuration and a switch of the other seven with a DHCP server giving out RFC 1918 addresses, NAT, and some appropriate firewalling.

But that doesn't help me much for my setup, and as this is a whole new world of configuration logic, I haven't got further in my Copious Free Time™ than the online training "Junos as a Second Language". This one is really not bad, but far from covering my special case, of course. So the shiny new box just sits around waiting to be properly configured. :–(
After two-and-a-half years, the 12" Powerbook G4, which I had bought already used, two years old, began to feel really old. It had probably been a mistake in the first place to buy a used computer from a line that was already obsolete when they built the last models. (On top of that, the CD/DVD drive was already mostly broken when I bought it, but I noticed that too late to give it back or claim compensation from the seller.)

It mostly felt old playing some kinds of videos. DivX and MPEG-4 in larger formats was too much, as well as some flash video stuff from the net. YouTube was fine, but some others, e. g. those from SPIEGEL Online, were not. And as I had not seen the (technical) point in upgrading from OS X 10.4 Tiger to 10.5, the selection of available software had already begun to shrink noticeably.

After the 2010 tax return it was time now for an up-to-date device again. Months ago I had already resolved to buy a MacBook or 13" MacBook Pro. (The bigger ones don't appeal to me, in particular not at their price.) The white plastic MacBook would have been enough with the RAM upgrade, but with the small Pro costing only 60 Euros more than the MacBook with 4 GB RAM (which the Pro already has), it was the Pro. Good choice. It came with OS X 10.6.3 "Snow Leopard" and runs 10.6.4 now after the first update.

As always, the migration to new hardware and OS version, even from the same manufacturer and in the same product line tradition, brings some, let's say, discoveries. "Same same, but different" or even "sometimes happy, sometimes sad."

Software Update has become much more intrusive. With Tiger, it checked for updates in the background and showed its dock icon only when there was something to do and it needed confirmation from the user. Now it shows the dock icon already when it only checks for updates. When it installs software for which a restart is required, it first asks for restart permission (which is okay), but then immediately shuts down everything and only then begins to install the software, which had previously been done in the background.

Only a short while ago, but still with Tiger, I discovered and learned to appreciate Terminal.app's "New Remote Connection" dialog as a fast and convenient way to open an ssh session to another machine. But now, with Snow Leopard, it wants to start ssh connections by default with SSH protocol version 1, which, for good reason, does not work with any of my servers; after each program restart I have to switch that to automatic or version 2. I have not found anything in the preferences (and I do mean Library/Preferences/com.apple.Terminal.plist) or the application bundle that looked like I could change this default. [Thankfully this has been fixed in OS X 10.6.7 -- ssh is now called without any options by default.]

Unlike with my 10.4 installation, IPv6 is no longer consistently preferred with some services - telnet, ssh, http. Sometimes IPv4 is used, sometimes IPv6. I have not yet recognized a pattern. This may well be an application issue, but still it is strange.

X11 seems to work completely different from before.

Regardless of whether X11 is started or not, each Terminal window has a DISPLAY in its environment that contains the pathname of a UNIX domain socket (e. g. /tmp/launch-ghLYjm/org.x:0); the socket exists, but is non-functional if X11 is not running. That confused my mechanism of detecting the existence of an X server; xdpyinfo simply kept blocking on this socket. No fun. Ok, that could be fixed with an only slightly annoying timeout.

When I try to start X11 myself, it doesn't. Or, sometimes it does. But most of the time, some processes start, but nothing happens in terms of a usable X server.

I thought that my .xinitrc and (rather historic) .xserverrc might cause the problem, but moving them to the side has not really improved the situation. Instead, even without me having done anything (except perhaps checking the socket $DISPLAY for aliveness), it tries every few seconds to start up an X server, fails, tries again, ... you get the idea.

The non-functional DISPLAY variable in the environment causes outgoing ssh logins to fail if ForwardX11 is set to yes in ssh configuration, because the remote host tries to connect to the X server at first. Took me a while to find out that this was the reason why Unison failed to connect to another host.

I guess it is intended like this: Some X11 client connects to the socket $DISPLAY, a monitoring process notices this, starts an X server, passes the socket file descriptor to the X server, and lo! X11 applications can be started just like native ones. Clever, if it would only work.

There is something in the system.log, but I cannot make anything of it.

The new Quicktime Player looks awful. All black!

What is this fascination with black, anyway? When I put the dock on the side, where it belongs (IMO), it turns black! With a bit of transparency, yes, but black. That is ugly compared to the thin and airy dock of 10.4 (and predecessors).

A translucent menubar! WTF? At least I can switch this particular idiocy off again.

There seems to be a general trend towards needless design changes. The new dock (if it is on the bottom of the screen) is so three-dimensional with a partial reflection of the icons - wow, that is so much eye candy that I want to take the toothbrush to my eyes. (But black?) Is this a "Yes, we can!" attitude, and "Just because we can"? That sucks.

The rounded upper corners of the windows are less rounded now. I can live with that. The amount of roundness taken from there has apparently been applied to the corners of the pull-down and pop-up menus.

The upper menubar corners are no longer rounded at all. Why did they give up one of the most visible design features of the Macintosh since 1984? Are we no longer nice-looking and a bit cute? This seems to be the most needless design change of all, given that the space previously occupied by the rounded corners has not been put to any other good use.

I like the hardware. Only two annoyances here: the glossy screen (I prefer to use the bathroom mirror when I need a shave) and the sharp edges of the case - because this is where my wrists are when I am typing with the laptop on my belly, lying in my bed. And this is at least 97% of the time when I use it. And the edges are really sharp.

The glossy screen does make for a more brilliant display, with a deeper black, yes. (Hum, does that correlate to that obsession with black I seemed to notice earlier?) Apart from the reflections of my face that I could live without, the display is indeed crisp. I like. (Only after having seen the screen of the new iPhone from a very close distance, I say it could use something more like that in terms of resolution.)

I like the wide format as a good compromise. It lets me put the dock on the side (the black dock) and still have it not steal too much from the screen width. There isn't too much height to spare anyway. The display is now better for watching films not in 3:4, small surprise.

I liked the keyboard of the Powerbook more, but this one is better than I expected. I was afraid that the more or less flat keys offer less guidance to the fingers than the more profiled ones of the Powerbook, but it is not as bad, no insecure feeling. The price paid for being able to shave off 2 millimeters (rough estimate) from the height of the keyboard is not too high. I really like the key illumination, although there is more light coming out from under the sides of the keys than through them.

I love the case. It is gorgeous. The rounded corners, the smooth undisturbed matte surfaces, the flat body - wow. It is often said that Apple sells their hardware more due to its design than its technical qualities. Sure, with this kind of design!

Although I have bought the slowest one, this little machine is screamingly fast compared with the G4. Moments where I had to wait a bit with the old Powerbook are now gone. Good.

The automounter seems to work with less hassle now. I once had a working setup with handcrafted mountpoints via Netinfo with 10.4, but that broke at some point, and I couldn't revive it this way or the other. With 10.6, the /net/$SERVER/ thingy works just like that without any setup required. Joy!

The battery lasts long.

In the end, I am quite happy with the new MacBook Pro. The X11 thing is a real annoyance, all others are minor. The new toy is fast and overall a joy to use.

Update 2011-08-12: After fiddling around over several days it turned out that there was (a) an incompatibility with the decades-old ~/.xserverrc and (b) checking for the existence of an X server at $DISPLAY in my ~/.profile kept it from working. Understandably so, considering that is done during the startup of that exact X server. Why X11 initialization starts a login shell -- perhaps to have the environment variables set up properly -- and has a non-empty $PS1 in there I shall probably never know. At least [ -t 0 ] is false, so I can exclude the check for that case.
"Kleine Sünden bestraft der liebe Gott sofort" (the Lord punishes you for little sins immediately) is a half ironic saying in German. Well, He did in this case. Only five days after calling the IPv6 capabilities of Apple's Airport Extreme "pointless" (see the previous article), my WLAN access point died. After I had tried to switch the speed from "best" to "54 Mbps", it was more or less bricked. No WLAN any more, no reaction at all on the wired interface, not even after an attempted factory reset.

So I had to get a new access point. I was still curious to get my own hands on an Airport Extreme, so I bought one -- not the cheapest choice to fulfill the need of a simple access point, but what the heck.

First I was a bit miffed, because the GUI tool (I'm sorry, Dave, I'm afraid I cannot let you have a web interface) did not want to run on my Powerbook -- OS X 10.4.11 was too old. I had never seen the point to upgrade to 10.5. But to my surprise there was also a version for Windows, which was even less picky about the platform and did not refuse to run with XP.

And lo! There was more to the GUI than I had seen before, namely not only "Node" and "Tunnel" as the IPv6 operation modes, but "Host", "Tunnel", and "Router", which sounds already much better. In the "Tunnel" and "Router" modes, I have an "IPv6 Firewall" tab:

IPv6 Firewall GUI

The form to edit the exceptions looks like this:

IPv6 Firewall exceptions

So, now I have to apologize: The current Airport Extreme does indeed have some degree of usability regarding IPv6, which would be enough for simple home networks except for the missing IPv6 over PPPoE. I haven't tried it yet (as it works only as a simple bridging WLAN access point in my current setup), but that looks much better than I thought only days ago.

(These pictures are not made with Windows, of course. In the meantime I have the new shiny-shiny, which runs OS X 10.6.4, good enough even for the Airport Extreme admin GUI.)
Apple's "Airport Extreme" has been supporting IPv6 for quite a while. So long, in fact, that I thought it might be something useful.

Yesterday I took the opportunity of looking at one, or rather, the configuration GUI, in a shop. "Disappointed!", to quote Wanda's brother, is the word. I knew it didn't support IPv6 over PPPoE, okay. But it doesn't support a lot of anything else either. "Tunnel" or "Node" is the first choice, and I don't want tunneling. When I select "Node", I can set the prefix (of which interface?) and the prefix length, and that is it.

That is strange. That is not even barely useable, it is more or less pointless. No per-interface configuration, no firewall, no whatever-you-name-it. Actually I was a bit surprised, as the IPv6 support of the Macs is fine, and I thought they would make their own networking equipment to match that.

[Addition: I think it was a demonstrator of the Airport Extreme administration GUI, perhaps not the real thing. Please see my more-or-less retraction in the next article.]
Not quite happy with Titan-DSL's pricing models (older "Business" flat rate not cheap and with one-year cancellation period, newer 25 GB tariff equally expensive, not a flat rate, and still three months cancellation period) and rh-tec (with their promotional 3 GB/mon. IPv6 offering for € 0) not offering IPv4 connectivity suited for private customers, I became customer of KGT New Media. Like Titan a smaller player in the business.

KGT offers an IPv4 flat rate for € 11.90, and the same for IPv6. Meaning I pay € 23.80 for both. This is a bit weird, but still an epsilon cheaper than Titan's 25 GB tariff, has a one-month cancellation period, and they are more flexible - I could choose if I wanted to do v4 and v6 in separate PPPoE sessions or in one. (I chose one so I could do it with the same router; to my knowledge for separate sessions you need separate MAC addresses.) That is more flexibility than with Titan, who insisted (only after a while, weirdly) I do both in one session, so I could not do it with two different routers, as I needed then.

Nearly everything seems to work well with KGT. Reverse lookup of the one fixed IPv4 address was set up well inside of two hours after my request; for the delegation of the reverse zone for IPv6 their support person said he'd have to check a few things first. Unfortunately that was on Friday morning, and apparently he didn't get around to setting it up before the weekend. I am not totally happy with that, but as long as we get that sorted out next week, it's still okay with me.

That it took a day to propagate w21.org's new IPv4 address to the world was no one's but my own fault - I was just too stupid to lower the default TTL to 3600 s as I intended (changed the refresh time in the SOA instead; ouch!).
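The check that would have caught the mistake above, as an added example (not from the original post): a resolver caches a record for its TTL, taken from the $TTL default or the explicit value in front of the record, while the refresh field inside the SOA only tells secondaries how often to poll the primary. The function lists every record in a zone file whose effective TTL is still above a limit, so you can confirm the lowering actually happened before renumbering. The zone is constructed with documentation addresses and is not the author's.

```sh
#!/bin/sh
# Pre-cutover check: list records whose effective TTL is above LIMIT seconds.
# Lowering the SOA refresh does nothing for resolver caching; the $TTL
# default or the per-record TTL is what counts.  Added example; the zone
# below is constructed, not the author's.  Handles single-line records
# (the parenthesised SOA on one line included); multi-line records are not
# parsed.

ZONE='$TTL 86400
$ORIGIN example.org.
@       IN  SOA ns1 hostmaster ( 2010011501 3600 900 1209600 3600 )
@       IN  NS  ns1
@       IN  NS  ns2
ns1     IN  A   192.0.2.1
ns2     IN  A   192.0.2.2
www 300 IN  A   192.0.2.3
mail    IN  AAAA 2001:db8::25'

# high_ttl_records LIMIT < zonefile
# prints "ttl owner type" for every record with TTL > LIMIT; nothing if none
high_ttl_records() {
    awk -v limit="$1" '
        /^\$TTL/ { default_ttl = $2; next }      # zone default TTL
        /^\$/ || /^[ \t]*$/ || /^;/ { next }     # other directives, blanks, comments
        {
            ttl = default_ttl
            i = 1
            if ($0 ~ /^[ \t]/) owner = "(previous)"; else { owner = $1; i = 2 }
            # an optional TTL and the class may follow the owner in either order
            while (i <= NF && ($i == "IN" || $i ~ /^[0-9]+$/)) {
                if ($i ~ /^[0-9]+$/) ttl = $i
                i++
            }
            if (ttl + 0 > limit + 0) print ttl, owner, $i
        }'
}

printf '%s\n' "$ZONE" | high_ttl_records 3600
```

Run it against the zone as loaded on the primary a full old-TTL period before the change; until that period has passed, resolvers may still hold the old address no matter what the file says now.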

Addendum: Forgot to mention that IPv6 reverse delegation has been working fine for ages now.
[Today this is kind of obsolete since I use the Cisco 1712 for IPv6 now. I find this device not perfect, but it does everything I want. At least it could if I knew how to configure everything.]

As I have a separate ADSL modem, I am interested only in Ethernet-to-Ethernet routers, and I would prefer one with a point-and-click interface. I want it to be able to speak IPv6 over PPPoE on the WAN side, route to more than one /64 network over the LAN (i. e. have two separate interfaces on the inside, or be able to go through another router), and allow WAN access to services on the LAN specified by IPv6 address and port.

Comments are welcome, particularly with newer information or real-life experience, to <ni@jnickelsen.de>.

These are the devices I have some more information about, in no particular order:

  • DrayTek Vigor 2130: Covers most things. Currently only one /64 on the inside, no DNS or NTP over v6, no RIPng. Otherwise an attractive device for the common SOHO setup. Cool web gui live demo on the web.

  • Cisco: the (EOLed) 831 is the cheapest Cisco IOS router with IPv6 support; the 871 the cheapest with Fast Ethernet on the WAN side. The 831 is available on eBay for less than EUR 100, the 871 for over EUR 200. Very feature-rich, but IOS is in my eyes too arcane for someone who does not work with it daily. Update: Got a 1712 from eBay; together with shipping and a separately bought PSU about 90 Euros. Works fine and can do everything but the dishes, but see my comment above about IOS. I do not use most of the features because it is really hard work to dig out the correct configuration commands, and if you make a mistake, things may suddenly cease to work.

  • Cisco SB WRVS4400N: From the former Linksys product line. According to the manual it can speak IPv6 on the WAN interface only through tunnels. WTF?

  • OpenWRT: this linux-based open source system runs on a variety of hardware platforms. I have it running on a Linksys (now Cisco) WRT54G. It is (in parts) a hassle to set up and it is less well documented and less reliable than I like. I see it only as a temporary solution.

  • AVM Lab Version: a public beta test firmware for their Fritz!Box 7270. Cannot make LAN services available to the WAN. [Update: in the meantime it can.][Update: in the meantime the IPv6 support is part of the official released product. Three cheers!]

  • D-Link DIR-825: As I understand the user manual it can have only one flat /64 network on the inside.

Another possibility is to use a general-purpose computer as a router. Linux and *BSD come to mind as possible platforms. PC Engines and Soekris sell small PC-architecture boards designed for this type of use, and some software distributions are made for this purpose (OpenWRT being one of them). But in my experience a commercial router appliance means much less work to set up and operate.
For about three months I have been writing some blog entries about my joys with IPv6 (the "this-century" Internet Protocol) at home on ipv6.w21n.de. But most of the fun is over now that IPv6 works fine for me. So I think I can move the articles here and spare me the effort of maintaining another site.

I will post them under the original dates, so they'll appear in the past here; if you want to find them, look for the tag "ipv6".
Three days ago I wrote about mail from my system being rejected due to missing reverse DNS entries and complained about rh-tec's customer service interface for creating these entries. I was just a few keypresses away from sending them another gripe about that thing again, when I had the idea of giving it another try.

This web interface lists the network you get from them (2001:1a50:5097::/48 in my case), and then you can enter "the desired RDNS entry" (my translation of the German text) in a single text field. WTF? I have still not understood how this is supposed to work, but this time I entered the name of the domain everything in there is under, and where my authoritative name servers are in and responsible for, w21.org.

Now (after some time in which they supposedly checked the entry manually) it worked. And not even how I expected it, that perhaps everything in the network is resolved to w21.org, but everything I have in my DNS servers as PTR records is suddenly there! Find me dumbstruck. Especially as I don't know how it actually works - when I look up the NS records for, I find all my name servers in there, but I am not able to follow the delegation chain from ip6.arpa upward. Is this really weird, or am I missing something?

Others have in the meantime pointed out that the delegation chain can indeed be followed, but (a) one of their two authoritative name servers does not know about it and (b) neither is reachable via IPv6. Bugger. [jni 2010-03-31]

Anyway, no more gripe about rh-tec, and kudos to them for making this work so simple I still cannot figure out how. Might as well stay with them until the traffic exceeds the 3 GB volume included in the price of € 0. (Yes, that's a zero.)

And, to get back to the original issue, my mail should no longer be rejected now due to missing PTR records. Only I don't know if anybody has tried to send one to IPv6-listed MXs yet.
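The two things this post is about, the PTR name a receiving MX looks up for an IPv6 address and the chain of ip6.arpa delegations one has to walk to see whether a /48 reverse zone is actually reachable, are mechanical enough to be worth having as code. The following is an added example and not part of the original post; it uses the /48 mentioned above, while the host address 2001:1a50:5097::25, the hostname mail.w21.org and the lookup results in LOOKUPS are constructed for illustration. The forward-confirmed check at the end goes one step beyond "a PTR exists", since most MXs also require the PTR target to resolve back to the sending address.

```python
"""Reverse-DNS helpers for an IPv6 prefix and host (added example).

Everything runs offline: the delegation walk only produces the zone names
(and dig commands) to query, and the FCrDNS check takes already-resolved
data as input.
"""
import ipaddress

PREFIX = "2001:1a50:5097::/48"      # the /48 from the post
MTA_ADDR = "2001:1a50:5097::25"     # constructed host address, not from the post

# Constructed lookup results, standing in for what dig would return.
LOOKUPS = {
    "ptr": "mail.w21.org.",          # hostname assumed for illustration
    "aaaa": ["2001:1a50:5097::25"],
}


def nibbles(addr: str) -> str:
    """32 hex digits of an IPv6 address, leading zeros kept; ip6.arpa
    uses one label per nibble, so nothing may be compressed away."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "")


def ptr_name(addr: str) -> str:
    """Owner name of the PTR record a receiving MX looks up for ADDR."""
    return ".".join(reversed(nibbles(addr))) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """ip6.arpa zone covering PREFIX.  Reverse delegation happens on
    nibble (4-bit) boundaries, so a /48 works and a /47 cannot be
    expressed as a single zone."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: reverse zones are delegated per nibble")
    labels = nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(labels)) + ".ip6.arpa."


def delegation_chain(prefix: str) -> list[str]:
    """Zones to ask for NS records, top-down, when following the delegation
    from ip6.arpa to the reverse zone of PREFIX.  Each step adds one more
    nibble label; the step that returns no NS records, or servers that do
    not answer, is where the chain is broken."""
    zone = reverse_zone(prefix)
    labels = zone.split(".")[:-3]          # drop "ip6", "arpa" and the root ""
    chain = ["ip6.arpa."]
    for i in range(1, len(labels) + 1):
        chain.append(".".join(labels[-i:]) + ".ip6.arpa.")
    return chain


def dig_commands(prefix: str) -> list[str]:
    """Shell lines to walk the chain by hand; point dig at the servers
    returned by the previous step (dig @server ...) to test each hop,
    and use -6 to see whether they answer over IPv6 at all."""
    return [f"dig +noall +answer +authority NS {zone}"
            for zone in delegation_chain(prefix)]


def forward_confirmed(addr: str, ptr_target: str, aaaa_of_target: list[str]) -> bool:
    """Forward-confirmed rDNS: the PTR target must itself have an AAAA
    record pointing back at ADDR.  Takes resolved data so it runs offline."""
    if not ptr_target:
        return False                        # no PTR at all: the post's situation
    want = ipaddress.IPv6Address(addr)
    return any(ipaddress.IPv6Address(a) == want for a in aaaa_of_target)


if __name__ == "__main__":
    print("reverse zone:", reverse_zone(PREFIX))
    print("PTR name    :", ptr_name(MTA_ADDR))
    for cmd in dig_commands(PREFIX):
        print(cmd)
    print("FCrDNS ok   :", forward_confirmed(MTA_ADDR, LOOKUPS["ptr"], LOOKUPS["aaaa"]))
```

For the /48 above the reverse zone comes out as 7.9.0.5.0.5.a.1.1.0.0.2.ip6.arpa., and the chain has thirteen hops from ip6.arpa. downward; querying each hop's servers directly, and over IPv6, is what exposes the two problems noted in the update (one server not knowing the zone, neither reachable via v6).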

DSL 16000

Mar. 26th, 2010 12:00 am

wget says:

2010-03-25 09:55:39 (1.72 MB/s) - `testdata' saved [320192000/320192000]

My DSL link was switched from 6 Mbps to 16 Mbps downlink yesterday, and from 512 kbps to 1 Mbps uplink. Don't know why they needed 15 minutes downtime for that. At first the downlink speed was much less, around 700-800 KB/s; apparently the modems had negotiated something more agreeable an hour later.

I ordered the upgrade mainly for the uplink; it was always a pain to upload largish photo collections or other bandwidth testing material. Should feel at least a bit better now, although a factor of two is not that much. The faster downlink is sure nice, but not really necessary. I'd rather trade the 16/1 Mbps for, say, 12/5. But this is not an option with the DTAG.

But still, yay!

This is, of course, not related to IPv6 at all.

The other day I found an undelivered message from one of my users in the mail queue; the MX on the receiving side had rejected it because my MTA's address had no reverse lookup in the DNS. WTF? Ah, it had no reverse lookup for its IPv6 address! So I learned that freenet does indeed accept mail via IPv6. (Only not from me, currently.) That's nice!

I really have to get that straight. rh-tec's web interface for configuring reverse lookup(s?) is, to say the least, not really self-explanatory, and my question about the interface and about delegation from December is still unanswered. I am going to push that again.

When the power supply for the 1712 arrived, I could begin to play with it. After a while I had a configuration which I have now in production use, replacing the WRT54G running OpenWRT.

The configuration is not really finished yet; I still have to put some more effort into security measures, and at the moment it runs only IPv6 on the outside. (The idea is to have one router doing v4 and v6 over one PPPoE session to one ISP; at the moment I have these with different ISPs, meaning different PPPoE sessions, meaning different MAC addresses needed.) But in terms of stability I trust this solution much more than the OpenWRT one.

That is not to say OpenWRT is bad. As a reliable and accessible product (which it is not meant to be, as far as I understand) it could sure do with some polishing and documentation. But in terms of functionality it is great, and as a playground for enthusiasts it is fantastic.

Most importantly, it was there when I needed it, and it ran on a scrap router I had lying around. So it became my first IPv6 internet access solution, and that was good.

Working with the 1712 showed that it is from an older generation than the 861 - the show run command takes as painfully long to convert the configuration to text as it has always been, for reasons I never have learned, while the 861 has just a very small pause at that point. But fortunately this does not show in slower throughput. I hope this still holds after I have upgraded the DSL line from 6 to 16 Mbps.

[Update: I could pass the WRT54G on to a colleague for a bottle of wine. Would have been a good deal if only the wine had been a bit better.]


Feb. 3rd, 2010 12:00 am

Ignatios Souvatzis maintains a list of German ISPs offering IPv6, posted regularly to the Usenet newsgroup de.comm.provider.suche:

Sixxs has a list in their FAQ.

The Cisco 1712 I had won for a little over EUR 50 incl. shipping on eBay arrived today. Pity I won't get around to trying it out before next weekend. Or so.

DrayTek's German support has answered my questions about the DrayTek Vigor 2130. The show stopper for me is that it can have only one /64 on the inside. Minor points: DNS and NTP are not supported on v6; no RIPng. Everything else is there, so it is still an interesting device for the more common SOHO settings, I think.

A very cool idea is the live demo of the web configuration GUI of the 2130 on their website.

