Home Lab Network Redesign Part 1: The Remote Dedicated Server

Home Lab Diagram
As promised, here is a very very basic diagram of my home lab. This is quite a high level overview of it, and the layer 2 information is not present as I suck at Visio, and all the connectors were getting messy on Visio with the layer 2 stuff present! What is not shown in the digram:

  1. There are two back-to-back links between the edge routers which are in an active-passive bond.
  2. Each edge router has two links going into two switches (one link per switch), both these links are in an active-passive bonded interface.
  3. The two edge firewalls only have two links going to each of those switches. One port is in the “inside” VLAN, and the other is on the “outside” VLAN. I wanted to have two links per VLAN, going to both switches, but the Cisco ASAs don’t do STP, or Port-Channels so I having two links would have made a loop.
  4. The link between the two ASAs is actually going through a single switch on a dedicated failover VLAN. From reading around, the ASAs go a little crazy sometimes if you use a crossover cable as the secondary will see it’s own port go down as well in the event the primary fails. It seems that this can cause some funny things to happen. Using a switch between them means that if the primary goes down, the secondary ASA’s port will still stay up avoiding any funnyness.
  5. The core gateway only has two interfaces, each going two a different switch. One port is on the “inside” VLAN that the firewalls are connected to, and the other port is a trunk port with all my other VLANs. This isn’t very redundant, but I’m hoping to put in a second router when I have some more rack space and use HSRP to allow high availability.

As I mentioned in my previous post, I have a dedicated server hosted with Rapid Switch, through I wanted to route all my connections. There were a few reasons I wanted to do this:

  1. Without routing through the dedicated server, if one of my internet connections went down, and I failed over to the other, then my IP would be different from my primary line. This will mess up some sessions, and create a problem for DNS as I can only really point records at one line or the other.
  2. My ISP only provides dynamic IP addresses. Although the DHCP lease is long enough to not make the IP addresses change often, it’s a pain updating DNS everywhere on the occasions that it does change. Routing via my dedicated server allows me to effectively have a static IP address, I only really need to change the end point IPs for the GRE tunnels should my Virgin Media provided IP change.
  3. I also get the benefit of  being able to order more IPs if needed, Virgin Media do not offer more than one!
  4. Routing via my dedicated server at Rapid Switch also has the benefit of keeping my IP even if I change my home ISP.

The basic setup of the dedicated server is as follows:

  1. There is a GRE tunnel going from the dedicated server (diamond) to each of my edge routers. Both GRE tunnels have a private IPv4 address, and an IPv6 address. The actual GRE tunnel is transported over IPv4.
  2. I used Quagga to add the IPv6 address to the GRE tunnels as the native RedHat ifup scripts for tunnels don’t allow you to add an IPv6 address through them.
  3. I used Quagga’s BGPd to create a iBGP peering over the GRE tunnels to each of the Mikrotik routers, and push down a default route to them. The edge routers also announced my internal networks back to the dedicated server.
  4. I originally wanted to use eBGP between the dedicated servers and the edge routers, but I was having some issues where the BGP session wouldn’t establish if I used different ASNs. I’m still looking into that.
  5. There are some basic iptables rules just forwarding ports, doing NAT, and a cleaning up some packets before passing them over the GRE tunnel, but that’s all really.

Other than that, there isn’t much to see on the dedicated server. It’s quite a simple setup on there. If anyone would like to see more, I can post any relevant config.

Home Lab Network Redesign with Mikrotik Routers

I have two cable connections from Virgin Media coming into my house due to some annoying contract problems.

I originally had one line on the 60Mbit package, and the other on 100mbit, but when Virgin Media upgraded me to 120mbit I downgraded the 60mbit line to 30mbit to reduce costs.

Since I got into this strange arrangement with Virgin Media, I have been using a Cisco 1841 Integrated Services Router on the 30mbit line, and a Cisco 2821 Integrated Services Router on the 120mbit line, but I found that I wasn’t able to max out the faster line using the Cisco 2821 ISR. Looking at Cisco’s performance sheet, the Cisco 2821 ISR is only really designed to support lines of up to around 87 mbit.

So naturally, it was time to upgrade! Initially I wanted to get a faster Cisco router, but looking at the second generation ISRs, it’ll be a bit pricey!

I did actually upgrade all my 7204 VXRs to have NPE-400 modules, which according to the performance sheet should do around 215 mbits, but the 7204s are extremely loud, and I only switch them on when I am using them.

Michael and Jamie have always been talking about Mikrotik routers so I figured since Cisco is a no go, I’ll give Mikrotik a chance. I ended up buying two RouterBOARD 2011UAS-RM from WiFi Stock.

To put the RB-20011UAS-RM boxes in, I decided I was going to restructure my network a bit. I will be making a series of posts discussing my re-designed network.

My goals for the redesign were as follows:

  • The RB-2011UAS-RM boxes will only function as edge routers, encapsulating traffic in GRE tunnels, and that’s all.
  • There will be a link between both edge routers, with a BGP peering for redirecting traffic should one of my lines go down.
  • They will have GRE tunnels to all my dedicated servers/VPSs.
  • I will use Quagga on all dedicated servers, and VPSs outside my network to create BGP peerings with my edge routers.
  • I wanted to route all my internet out of a server I currently have hosted with Rapid Switch, so BGP on the RapidSwitch box (called diamond) will have to push down a default route.
  • I wanted to use my Cisco ASA 5505 Adaptive Security Appliance as firewalls between the edge routers and the core.
  • I recently bought a Cisco 2851 Integrated Services Router, which I will use as a “core” router.
  • I wanted as much redundancy as possible.

In my next post I will create a diagram of what I will be doing, and discussing the setup of the server I have hosted at RapidSwitch.

As I have never used Mikrotik routers before, I will also attempt to discuss my experiences of RouterOS so far as I go along.

Connecting to Usenet via Two Internet Connections

As I mentioned in a earlier post, I have two connections from Virgin Media at home and I wanted to use them both to grab content from usenet.

My Usenet provider is Supernews, I’ve used them for a couple of months, and from what I understand they are actually just a product of Giganews.

Supernews only actually allow you to connect to their servers from one IP per account, so even if I had set up load balancing to split connections over both my connections, it would not have worked very well for usenet as I will be going out via two IP addresses! So for this reason I decided to take another route.

I have a dedicated server with OVH which has a 100mbit line, my two lines with Virgin Media are 60mbit and 30mbit, so I figured if I route my traffic out via my dedicated server, I should be able to saturate my line when usenetting. 🙂

So the way I done this was to create two tunnels on my Cisco 2821 Integrated Services Router going to my dedicated server, one tunnel per WAN connection and basically “port forwarding” port 119 and 443 coming over the tunnels to go to Supernews. It’s working great so far and saturating both lines fully!

So the way I done this was as follows. First I setup the tunnels on my trusty Cisco 2821 ISR:

interface Tunnel1
description Tunnel to Dedi via WAN1
ip address 10.42.42.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1420
tunnel source GigabitEthernet0/0.10
tunnel mode ipip
tunnel destination 123.123.123.123

interface Tunnel2
description Tunnel to Dedi via WAN2
ip address 10.42.42.5 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip tcp adjust-mss 1420
tunnel source GigabitEthernet0/1.11
tunnel mode ipip
tunnel destination 123.123.123.123

That isn’t the complete configuration, I also decided to NAT my home network to the IPs of the two tunnels. This was just in order to do it quickly. If I had not used NAT on the two tunnels, I would have to put a route on my dedicated server for my home network’s private IP range. Although this is easy, I was mainly doing this out of curiosity to see if it would work, and to do it without NAT on the tunnels I would have had to figure out how to do policy based routing in order to overcome asymmetric routing on Linux. That can be a project for another day. 🙂

My dedicated is running RHEL6, so to set up the tunnel on the dedicated server I created the relevant ifcfg-tunl* files:

[root@moka ~]# cat /etc/sysconfig/network-scripts/ifcfg-tunl1
DEVICE="tunl1"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="IPIP"
PEER_OUTER_IPADDR="IP_OF_WAN_1"
PEER_INNER_IPADDR="10.42.42.1"
MY_OUTER_IPADDR="123.123.123.123"
MY_INNER_IPADDR="10.42.42.2"

[root@moka ~]# cat /etc/sysconfig/network-scripts/ifcfg-tunl2
DEVICE="tunl2"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="IPIP"
PEER_OUTER_IPADDR="IP_OF_WAN_2"
PEER_INNER_IPADDR="10.42.42.5"
MY_OUTER_IPADDR="123.123.123.123"
MY_INNER_IPADDR="10.42.42.6"

I don’t really want to go into detail on how configure netfilter rules using IPtables, so I will only paste the relevant lines of my firewall script:

# This rule masquerades all packets going out of eth0 to the IP of eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward packets coming in from tunl1 with the destination IP of 10.42.42.2 and a source port of either 119 or 443 (Supernews use 443 for NNTP SSL port) to Supernews' server IP
iptables -t nat -A PREROUTING -p tcp -i tunl1 -d 10.42.42.2 --dport 119 -j DNAT --to 138.199.67.30
iptables -t nat -A PREROUTING -p tcp -i tunl1 -d 10.42.42.2 --dport 443 -j DNAT --to 138.199.67.30

# Forward packets coming in from tunl2 with the destination IP of 10.42.42.6 and a source port of either 119 or 443 (Supernews use 443 for NNTP SSL port) to Supernews' server IP
iptables -t nat -A PREROUTING -p tcp -i tunl2 -d 10.42.42.6 --dport 119 -j DNAT --to 138.199.67.30
iptables -t nat -A PREROUTING -p tcp -i tunl2 -d 10.42.42.6 --dport 443 -j DNAT --to 138.199.67.30

That’s all there is to it really! Of course I have a more complete rule set, but I don’t really want to go into that in this post!

Next, I just added two servers in my usenet client, one pointing at 10.42.42.2 and the other at 10.42.42.6. And magic! Now both lines will be used when my usenet client is doing its thing!

Note: If you got to the end of this post, I apologize if I make no sense, I was pretty tired while writing this post, and really just wanted to go to sleep. If you have any questions or suggestions on how to do this better, I’d be very interested in hearing them.  :~)

RedHat Enterprise Linux 6 Beta

RedHat Enterprise Linux 6 Beta 1 has finally been released as a public beta. It is available as an ISO from the public RedHat FTP site.

A couple of days ago, I decided to play with the beta, and I discovered, as expected, there are a lot of significant differences between RHEL5 and RHEL6.

The the main difference which I found to be very frustrating is that there is no longer any support for Xen dom0.

I had heard about RedHat’s decision to stop supporting Xen, but I did not think that this would mean they would stop shipping it with the distribution.

The loss of dom0 support means that you can no longer use RHEL as a Xen virtualization host, rather only as a guest under other Xen supporting distributions.

Xen has been dropped in favour of Kernel-based Virtual Machine (KVM), which is a  virtualization infrastructure included with the Linux kernel. Linux KVM is a hardware-assisted virtualization infrastructure which requires the CPU to have a special CPU feature called Intel-VT on Intel CPUs and AMD-V on AMD CPUs.

KVM has limited paravirtulization support, but I found in my very simple tests that fully paravirtualizaed guests inside Xen had much better performance.

This latest release of RHEL also means that my RHCE will soon expire. I am hoping to get re-certified as soon as I can. At the same time, I am also considering taking the “Red Hat Certified Virtualization Administrator” course and exam, but I still have some time to think over that. 🙂