Code Blog

2017/06/05 Network

The GL-MT300A from GL.iNet is a tiny USB-powered router with pretty good hardware that comes with OpenWRT pre-installed and with GL.iNet's own GUI on top of OpenWRT.

WDS (Wireless Distribution System) is a protocol for extending the range of a wireless network, so that a secondary layer of wireless routers can act as relays to the base wireless router. The GL-MT300A comes with WDS support, but for this to work the base router must also support WDS.

Obviously the best way to extend a wireless network is to connect the access points with ethernet cables (a multi-AP / roaming network). If this is not possible then WDS may be the only option available. It comes with a hefty performance penalty: the base router has to talk to its clients and to the relay routers on the same channel, so every relayed frame is sent over the air twice and the available wireless throughput is roughly halved (in WDS static mode).

My base router is an Apple AirPort Time Capsule, so I had to check what is available from Apple. Apple's website actually recommends "Wirelessly Extended Network" for newer routers supporting 802.11n (2.4 & 5 GHz, up to 600 Mbps) and "WDS" for older routers that only have 802.11g (54 Mbps). This is somewhat confusing, but from another post online it seems Apple's terminology actually refers to two types of WDS, static and dynamic. The dynamic version supports the faster 802.11n standard and does not suffer as badly from the half-duplex communication between base and relay routers.

Using OpenWRT there is also another way to set up wireless bridging, and that is "relayd" (a pseudo-bridge). This works even if WDS is not supported on the base router. This is what I will be using on my GL-MT300A router.

Click on the "advanced" link in the upper right corner to enter the OpenWRT LuCI interface.

1. Install relayd and luci-proto-relay (GUI) packages.

2. Go to System -> Startup and find relayd in the list. Set relayd to enabled.

3. Go to Network->Interfaces, click "Add new interface".

4. Set the name of the new interface to for example "relaybridge", set proto type to be "Relay bridge", and then click "Submit".

5. On the detail page of this interface set the IP address to the address the base router assigned to the GL-MT300A's wireless client (WAN) connection. For "Relay between networks" select both "Lan" and "Wan", then click "Save".

6. Next click on the "LAN" tab at the top to edit the LAN settings. Set the gateway to your main router's IP and the DNS to your main router's DNS. Scroll down to the "DHCP Server" section, check "Ignore interface" and click "Save".

7. Go to Network -> Firewall, and click to edit the "Lan" zone.

8. In "Covered networks" select "Wan" as well, then click "Save". Note that the lan zone accepts incoming connections by default, so after this step LuCI and SSH on the GL-MT300A are reachable from the base router's network as well; set a strong admin password (and key-only SSH) before doing this.

9. In the top right corner, there is a notification saying "UNSAVED CHANGES"; click on it to enter a detailed listing of changes, then click “Save & Apply”. Now the changes are applied and hopefully the router will start working as a relay bridge.
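The same configuration from the command line, as an added example that is not part of the GL.iNet or OpenWRT guides: the uci commands below reproduce steps 1-9 over SSH on the GL-MT300A. The addresses 192.168.1.1 (base router) and 192.168.1.2 (relay), the /24 netmask and the interface name wwan are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example, not from the GL.iNet or OpenWRT guides: the UCI/shell
# equivalent of steps 1-9 above, typed over SSH on the GL-MT300A.
# Assumed values (substitute your own): the base router is 192.168.1.1/24,
# it handed the GL-MT300A's wireless client connection 192.168.1.2, and that
# client interface is called "wwan" (GL.iNet firmware); use "wan" if that is
# the name LuCI showed under "Relay between networks".
BASE_ROUTER=192.168.1.1
RELAY_IP=192.168.1.2
STA_IFACE=wwan

# The relay address must be in the base router's subnet (a /24 is assumed),
# otherwise clients behind the relay can never reach the base gateway.
same_subnet24() { [ "${1%.*}" = "${2%.*}" ]; }

configure_relay_bridge() {
    same_subnet24 "$RELAY_IP" "$BASE_ROUTER" || { echo "RELAY_IP is not in the base router's /24" >&2; return 1; }

    # Steps 1-2
    opkg update && opkg install relayd luci-proto-relay || return 1
    /etc/init.d/relayd enable

    # Steps 3-5: relay interface bridging lan and the wireless client side
    uci set network.relaybridge=interface
    uci set network.relaybridge.proto='relay'
    uci set network.relaybridge.ipaddr="$RELAY_IP"
    uci add_list network.relaybridge.network='lan'
    uci add_list network.relaybridge.network="$STA_IFACE"

    # Step 6: lan routes and resolves via the base router; its own DHCP server
    # is switched off so the base router's DHCP serves clients behind the relay
    uci set network.lan.gateway="$BASE_ROUTER"
    uci set network.lan.dns="$BASE_ROUTER"
    uci set dhcp.lan.ignore='1'

    # Steps 7-8: add the client interface to the lan zone (zone 0 is "lan" in
    # the default firewall config). Caveat: the lan zone accepts input, so
    # LuCI and SSH on the relay become reachable from the base network too.
    uci add_list firewall.@zone[0].network="$STA_IFACE"

    # Step 9
    uci commit network && uci commit dhcp && uci commit firewall
    /etc/init.d/network restart
    /etc/init.d/relayd restart
}

# Only apply on the router itself; elsewhere the functions are just defined.
if command -v uci >/dev/null 2>&1; then
    configure_relay_bridge
fi
```

Two caveats are built into the script: relayd is not a real bridge, so the relay address has to sit on the base router's subnet, and merging the client interface into the lan zone exposes the router's own services to the base network.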

 

Useful links:

How to flash the router firmware via Uboot Web UI / Debricking the router:
https://www.gl-inet.com/how-to-enter-the-uboot-web-ui/

Firmware download location:
http://www.gl-inet.com/firmware/mt300a/

GL.iNet article - How to set up a repeater bridge
https://www.gl-inet.com/how-to-setup-repeater-bridge-using-openwrt-on-gli-mini-routers/ 

GL.iNet PDF guide - How to set up a repeater bridge
http://www.gl-inet.com/wordpress/wp-content/uploads/2016/05/relayd.pdf

OpenWRT article - Routed Client with relayd (Pseudobridge)
https://wiki.openwrt.org/doc/recipes/relayclient 

Wireless Distribution System (Wikipedia)
https://en.wikipedia.org/wiki/Wireless_distribution_system 

 

2017/04/13 Hosting,Network,Linux

Set hostname and timezone

Setting the hostname in Debian 8 / Ubuntu 15.04 and later

hostnamectl set-hostname hostname

Update /etc/hosts

127.0.0.1 localhost.localdomain localhost
203.0.113.10 hostname.example.com hostname

Set the timezone
dpkg-reconfigure tzdata

Security settings

Linode has a good guide on increasing security for the linux installation, see https://www.linode.com/docs/security/securing-your-server

Topics covered:

  • Enable automatic security updates
  • Create a limited user account
  • Only use a 4096-bit RSA key pair for SSH login (don't accept passwords)
  • Disable root login over SSH (run sudo on limited user instead)
  • Turn off IPv6 if not needed
  • Set up Fail2ban (block IP after multiple failed login attempts)
  • Remove unnecessary packages (e.g. Exim and RPC services) to reduce the number of open ports
  • Set up a firewall (iptables, or e.g. UFW on Debian/Ubuntu)

The article also has links for more security features such as intrusion detection.
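An added example, not taken from the Linode guide, for the three SSH items in the list: a small POSIX shell audit that reports whether an sshd_config actually disables password and root login and keeps public-key login on. The two sample config files are constructed for the demonstration; on a real host point audit_sshd_config at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the Linode guide: audit an sshd_config for three of
# the items above (key-based login only, no password login, no root login).
# Usage on a real host:  audit_sshd_config /etc/ssh/sshd_config
# sshd honours the FIRST value of a keyword it meets, so "PasswordAuthentication no"
# appended at the end of a file does nothing if an earlier line already says "yes".

# Effective value of a keyword: first uncommented occurrence, lower-cased.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Returns 0 when all three settings are hardened, 1 otherwise (findings on stderr).
# An absent keyword means the compiled-in default applies: PubkeyAuthentication
# defaults to yes, but PasswordAuthentication defaults to yes as well and
# PermitRootLogin is not "no" by default, so those two must be set explicitly.
audit_sshd_config() {
    file=$1; rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no PubkeyAuthentication=yes; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sshd_value "$file" "$key")
        [ -z "$got" ] && [ "$key" = PubkeyAuthentication ] && continue
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not copied from any real host).
WEAK=$(mktemp); HARDENED=$(mktemp)
cat > "$WEAK" <<'EOF'
# Distribution default: password login allowed, root login allowed
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
cat > "$HARDENED" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers deploy
EOF

audit_sshd_config "$WEAK" || echo "weak config: see findings above"
audit_sshd_config "$HARDENED" && echo "hardened config: OK"
```

After changing the real file, run "sshd -t" to syntax-check it and keep the current SSH session open while restarting sshd, so a mistake in the new config cannot lock you out.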

URL rewrite

In /etc/apache2/apache2.conf add a <Directory> block for the document root and set "AllowOverride All" inside it, so that .htaccess files are honoured. Then run "sudo a2enmod rewrite" and restart Apache with "sudo service apache2 restart". Caveat: "AllowOverride All" lets any .htaccess file (including one dropped by a compromised web application) change most per-directory settings. If only rewrite rules are needed, "AllowOverride FileInfo" is enough for the mod_rewrite directives, and the directory additionally needs "Options FollowSymLinks" (or SymLinksIfOwnerMatch) for RewriteRule to work in per-directory context.

 
2016/09/05 MacOSX,Network,iOS

 

Selection of ports used by Apple services (from the Apple support article linked below):

Port | TCP or UDP | Service or Protocol Name                       | RFC  | Service Name | Used by / Additional information
192  | UDP        | OSU Network Monitoring System                 | -    | osu-nms      | AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant
500  | UDP        | Wi-Fi Calling                                 | 5996 | IKEv2        | Wi-Fi Calling
515  | TCP        | Line Printer (LPR), Line Printer Daemon (LPD) | -    | printer      | Used for printing to a network printer, Printer Sharing in Mac OS X
554  | TCP/UDP    | Real Time Streaming Protocol (RTSP)           | 2326 | rtsp         | QuickTime Streaming Server (QTSS), streaming media players, AirPlay
631  | TCP        | Internet Printing Protocol (IPP)              | 2910 | ipp          | Mac OS X Printer Sharing, Printing to many common printers
1900 | UDP        | SSDP                                          | -    | ssdp         | Bonjour, Back to My Mac
3689 | TCP        | Digital Audio Access Protocol (DAAP)          | -    | daap         | iTunes Music Sharing, AirPlay

 

Bonjour 

Bonjour is Apple's implementation of zero-configuration networking (zeroconf), a group of technologies that includes service discovery, address assignment, and hostname resolution. Bonjour locates devices such as printers, other computers, and the services that those devices offer on a local network using multicast Domain Name System (mDNS) service records.

AirDrop

AirDrop is a handy method of sharing data with any Mac equipped with OS X Lion (or later) and a Wi-Fi connection that supports PAN (Personal Area Networking). PAN is a somewhat recent addition to the Wi-Fi alphabet soup of capabilities. The idea of PAN is that two or more devices that come within range of each other can communicate using a peer-to-peer connection. Apple's implementation of AirDrop relies on WiFi chipsets that have built-in PAN support. This reliance on hardware-based PAN capabilities in WiFi chipsets has the unfortunate consequence of limiting the use of AirDrop to Macs from late 2008 or later.

AirDrop uses Apple's Bonjour technology to listen in on a WiFi connection for another Mac to announce AirDrop capabilities. It seems AirDrop will announce itself over any available network connection, but when AirDrop listens, it only pays attention to Wi-Fi connections, even if AirDrop announcements are present on other network interfaces.

defaults write com.apple.NetworkBrowser BrowseAllInterfaces 1   // Enable AirDrop over any network connection (restart Finder afterwards)

To use AirDrop, both Bluetooth and Wi-Fi must be turned on. AirDrop uses Bluetooth to locate other AirDrop-enabled devices nearby and uses the faster Wi-Fi network to transfer the files. Because AirDrop uses Bluetooth, it adheres to a common Bluetooth range, which requires devices to be within 33 feet/10 meters of each other.

When AirDrop is enabled, it triggers Bluetooth to look for other AirDrop-enabled iOS devices that are in the area. This process is similar to pairing your iPhone with your car's Bluetooth system. The devices "advertise" that they are open for business, and if they are within range of each other, they start the connection process. Once the connection is made, a direct device-to-device Wi-Fi link is created between the two (Apple's own AWDL protocol, often loosely described as Wi-Fi Direct). That link can be created even in the middle of nowhere, without a Wi-Fi network, so you get the fast file transfer speed of Wi-Fi without a router or an internet connection.

To limit who can see your device to only the people in your Contacts, you’ll need to sign in to iCloud with your Apple ID.

Only some Apple iOS devices have both Bluetooth 4.0 and Wi-Fi Direct capabilities, e.g. iPhone 5 (and later) and iPad (4th generation and later). iOS 8 and OS X Yosemite (10.10) allowed the use of AirDrop between Macs and iOS devices.

I had some problems getting the iPhone/MacBook AirDrop connection to work. I think the main reason is that I turned on "contacts only" on the MacBook. When I use a router with VPN it works well, but not with another router. As the connection is set up via an independent PAN network, the router shouldn't be a factor at all. But maybe it is for getting the contacts list from iCloud?

Some other tips I found online for troubleshooting AirDrop (and Handoff)

  1. Turn off Bluetooth on your Mac
  2. Delete /Library/Preferences/com.apple.Bluetooth.plist
  3. Turn Bluetooth back on 

In your WiFi router, change the wireless encryption from WPA2 (Mixed) to WPA2 (AES); mixed mode still allows the deprecated TKIP cipher.

 

AirDrop information from: http://www.peachpit.com/articles/article.aspx?p=2231456&seqNum=2

See full port numbers listing at https://support.apple.com/en-gb/HT202944

 

 

2016/04/03 Network

Linux comes with a built-in firewall called iptables (the user-space front end to the kernel's netfilter framework). Its default filter table has 3 built-in chains: INPUT, OUTPUT and FORWARD.

INPUT chain: packets addressed to the firewall host itself
OUTPUT chain: packets generated by the firewall host itself
FORWARD chain: packets routed through the firewall (coming in on one interface and going out on another, e.g. on a router)

iptables rules are normally put in a script file and run during start-up. Each built-in chain has a default policy (set with -P, see example below) that applies to packets matching none of its rules. The default policy can be either DROP or ACCEPT.

Usage Examples:

iptables -P INPUT DROP // Set the default policy for the INPUT chain to drop packets that match no rule. Over SSH, do this only after ACCEPT rules for established connections and for the SSH port are in place, or the session is cut off.

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT   // Append rule to end of chain: accept incoming tcp connections on port 8080

iptables -A INPUT -j SHADOWSOCKS // Append to end of chain: jump from the INPUT chain to the SHADOWSOCKS chain (control returns to INPUT after the last SHADOWSOCKS rule, unless a rule there terminates with ACCEPT/DROP)

 Nat table (network address translation)

 iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 // Redirect incoming tcp traffic from port 80 to port 8080

 iptables -I INPUT -j SHADOWSOCKS // Insert at beginning of Input chain

// Count traffic from and to 192.168.0.117. Rules with no -j target never accept or drop anything; they only increment their packet/byte counters and the packet continues down the chain.

iptables -A FORWARD -s 192.168.0.117

iptables -A FORWARD -d 192.168.0.117

iptables -nvx -L FORWARD // Print traffic counters

iptables -Z  // Clear all counters (for all rules)

iptables -Z FORWARD // Clear counters for Forward rule

iptables -R FORWARD 1 -s 192.168.0.117 // Replace rule nr 1 in the FORWARD chain with the same rule. This resets its counters

iptables -I FORWARD -i eth0 -j TRAFFIC_ACCT_IN // incoming interface eth0

iptables -I FORWARD -o eth0 -j TRAFFIC_ACCT_OUT // outgoing interface eth0

iptables -vnxL FORWARD | awk '{print $2}' // print the 2nd column (the byte counter)

iptables -vnxL FORWARD | awk '/delegate_forward/ {print $2}' // Print 2nd word in line that contains 'delegate_forward' text

The rules relevant to NAT are found in the 'nat' table. This table has three predefined chains: PREROUTING, OUTPUT and POSTROUTING.

 

// How is the Shadowsocks accounting set up? I want to count the total traffic going through the router, but also the amount of data sent through the Shadowsocks tunnel. The Shadowsocks tunnel is listening on port 1080 on the router itself, so that traffic arrives through the INPUT chain (the total routed traffic is counted in FORWARD, see above).

iptables -N SHADOWSOCKS // Create a new chain named "SHADOWSOCKS"

iptables -A INPUT -j SHADOWSOCKS

iptables -A SHADOWSOCKS -p tcp // Count all incoming tcp traffic

iptables -A SHADOWSOCKS -p tcp --dport 1080 // Count only tcp traffic to the tunnel port. Note the double dash: "-dport" is not a valid option. Since neither rule has a target, every packet passes both, so this counter is a subset of the one above.

iptables -L SHADOWSOCKS -n -v -x // Display traffic data for Shadowsocks chain

The -x flag means you will get the exact value of the packet and byte counters, instead of only the rounded number in K’s (multiples of 1000) M’s (multiples of 1000K) or G’s (multiples of 1000M). 
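An added example (not from the original post) that puts the accounting chains from this post together and turns the counters into numbers: setup_accounting creates counter-only chains for routed and tunnel traffic, and rule_bytes/tunnel_share parse saved "iptables -nvxL" output so the calculation also works offline. The upstream interface eth0, the tunnel port 1080 and the sample counter output are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: counter-only accounting chains
# and an offline parser for `iptables -nvxL` output, so the counters can be
# turned into numbers in a script or cron job.
# Assumptions: the upstream interface is eth0, and the Shadowsocks client
# (ss-redir) listens on tcp/1080 on the router itself.

# Rules without a -j target never accept or drop anything; they only count.
# The jump rules are inserted (-I) at the top so they see traffic before any
# policy rule can drop it. Run this on the router as root.
setup_accounting() {
    for c in TRAFFIC_ACCT_IN TRAFFIC_ACCT_OUT SHADOWSOCKS; do
        iptables -N "$c" 2>/dev/null || iptables -F "$c"
    done
    # Routed traffic (FORWARD): everything arriving on or leaving via eth0.
    iptables -I FORWARD -i eth0 -j TRAFFIC_ACCT_IN
    iptables -I FORWARD -o eth0 -j TRAFFIC_ACCT_OUT
    iptables -A TRAFFIC_ACCT_IN
    iptables -A TRAFFIC_ACCT_OUT
    # Tunnel traffic: after the nat REDIRECT the router itself is the
    # destination, so these packets traverse INPUT, not FORWARD.
    iptables -I INPUT -j SHADOWSOCKS
    iptables -A SHADOWSOCKS -p tcp                 # rule 1: all tcp reaching the router
    iptables -A SHADOWSOCKS -p tcp --dport 1080    # rule 2: only the tunnel listener
}

# Byte counter of the Nth rule in saved `iptables -nvxL CHAIN` output
# ($1 = file, $2 = rule number as shown by --line-numbers). Skips the two
# header lines; with -x the column is an exact byte count, not "12M".
rule_bytes() {
    awk -v n="$2" 'NR > 2 && $2 ~ /^[0-9]+$/ { r++; if (r == n) { print $2; exit } }' "$1"
}

# Share of tcp bytes reaching the router that went to the tunnel, in percent.
# Both rules see the same packets, so rule 2 is a subset of rule 1 and the two
# must not be added together.
tunnel_share() {
    all=$(rule_bytes "$1" 1); tun=$(rule_bytes "$1" 2)
    [ "${all:-0}" -gt 0 ] || { echo 0; return; }
    echo $(( tun * 100 / all ))
}

# Constructed sample of `iptables -nvxL SHADOWSOCKS` output (not a real capture).
# On the router: iptables -nvxL SHADOWSOCKS > /tmp/ss.txt; tunnel_share /tmp/ss.txt
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Chain SHADOWSOCKS (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   10423    7312044            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    4183    2951130            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1080
EOF

echo "tcp bytes to router : $(rule_bytes "$SAMPLE" 1)"
echo "tcp bytes to tunnel : $(rule_bytes "$SAMPLE" 2)"
echo "tunnel share        : $(tunnel_share "$SAMPLE")%"
```

Because the jump rules are inserted at the top of INPUT and FORWARD, the counters also include packets that a later rule drops; if only accepted traffic should be counted, append the jumps (-A) after the policy rules instead.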

 

2015/01/15 MacOSX,Network

I had some trouble connecting to a server because the local subnet and the VPN office subnet used the same address range. The default route therefore sent the traffic to the local subnet (via the local gateway). In order to reach the computer at the other end of the VPN I needed to add a specific entry to the routing table so that traffic for that host uses the VPN network interface. See commands for Mac OS X (v10.10) below.

View routing table

netstat -rn    (where "n" stands for numeric addresses, i.e. no DNS lookups)

List network interfaces

ifconfig

Add route

sudo route -v add 192.168.1.10 -interface ppp0

(where ppp0 is the interface for my VPN connection). Because the destination has a non-zero host part, route treats this as a host route, so only that one address is steered over the VPN (add -host to make this explicit). The entry is tied to ppp0 and disappears when the VPN disconnects, so it has to be re-added after each reconnect.