<span style="font-weight: bold;">Developing Rapids</span> (Practical I.T. / Practical Software Development, by Jonathan & Karen Ng)<br /><br /><span style="font-weight: bold;">Installing VMware Server on Ubuntu 7.10</span> (2008-04-17)<br /><br />If you're thinking about virtualizing your IT environment but you don't necessarily have a lot of budget to do it with, here are a few tips that may help you on your way.<br /><br />Most of us already know that <a href="http://www.vmware.com/">VMware</a> offers <a href="http://www.vmware.com/products/server/">VMware Server for free</a>. This, coupled with some great <a href="http://developingrapids.blogspot.com/2008/03/best-things-in-life-are-free.html">open-source operating systems</a>, can make for some pretty efficient <a href="http://en.wikipedia.org/wiki/Hypervisor">hypervisors</a>.<br /><br />I recently had to install a few VMware Server hosts using <a href="http://www.ubuntu.com/products/WhatIsUbuntu/serveredition">Ubuntu 7.10 Gutsy</a> as the base host system. We chose Ubuntu because the distribution CD is relatively small (~510 MB), it is simple to install and it provides the basic functionality needed. Furthermore, it uses the Debian packaging system, which gives you access to thousands of additional packages (such as <a href="http://developingrapids.blogspot.com/2008/04/installing-webmin-on-ubuntu-710.html">webmin</a>) should you choose to install them.<br /><br />The process is pretty simple:<br /><br /><span style="font-weight: bold;">Step 1: Install your new system using the Ubuntu Server CD.</span><br /><br /><span style="font-weight: bold;">Step 2: Answer through the normal set of questions. 
</span><br /><br />The actual Ubuntu installation procedure is beyond the scope of this post, but suffice it to say that you should provide a nice big partition for where your VMs will reside (we like to put them in <span style="font-family:courier new;">/home/vm</span>).<br /><br />When prompted to configure your server, select the options you want. We selected "OpenSSH server" and "Samba File Server" (we work in a mixed Linux/Windows environment here). Generally, it is a good idea to keep these selections to a minimum: every extra service costs resources and widens the host's attack surface.<br /><br />Once the install has finished, reboot.<br /><br /><span style="font-weight: bold;">Step 3: Next, install some packages that are necessary for VMware but that the base installer doesn't install by default, namely:</span><br /><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >sudo apt-get install linux-headers-`uname -r` libx11-6 libx11-dev libxrender1 libxt6 libxtst6 libxext6 psmisc build-essential iceauth xinetd</span><br /><br />Note that you need to run this as a user with sudo rights. The linux-headers package has to match the running kernel (hence the `uname -r`), because the VMware installer compiles its kernel modules against those headers.<br /><br />(Incidentally, if you don't install these packages, you will probably get an error like this when you try to install VMware Server:)<br /><span style="font-size:85%;"><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >The correct version of one or more libraries needed to run VMware Server may be </span><br /><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >missing. 
This is the output of ldd /usr/bin/vmware:</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >linux-gate.so.1 => (0xffffe000)</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libm.so.6 => /lib32/libm.so.6 (0xf7f93000)</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libdl.so.2 => /lib32/libdl.so.2 (0xf7f8f000)</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libpthread.so.0 => /lib32/libpthread.so.0 (0xf7f76000)</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libX11.so.6 => not found</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libXtst.so.6 => not found</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libXext.so.6 => not found</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libXt.so.6 => not found</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libICE.so.6 => not found</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libSM.so.6 => not found</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libXrender.so.1 => not found</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libz.so.1 => /usr/lib32/libz.so.1 (0xf7f60000)</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >libc.so.6 => /lib32/libc.so.6 (0xf7e16000)</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >/lib/ld-linux.so.2 (0xf7fc6000)</span></span><br /><br />Every library shown as "not found" is supplied, directly or as a dependency, by the packages in Step 3; once they are installed, ldd should resolve every line.<br /><br />Now you're ready to install VMware.<br /><br /><span style="font-weight: bold;">Step 4: Obtaining VMware Server.</span><br /><br />Go to <a href="http://www.vmware.com/download/server/">http://www.vmware.com/download/server/</a> and download the latest version of<br />the VMware Server install package. 
The way I did this was to browse to the appropriate page on VMware's site using another computer (my workstation), register and accept the license agreements; then, when it came time to actually download the file, I copied the link onto my clipboard and pasted it into my ssh session with my new server.<br /><br />At the time of writing, this is what I executed:<br /><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >wget <a href="http://download3.vmware.com/software/vmserver/VMware-server-1.0.5-80187.tar.gz">http://download3.vmware.com/software/vmserver/VMware-server-1.0.5-80187.tar.gz</a></span><br /><br />Similarly for the management interface and client packages:<br /><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >wget <a href="http://download3.vmware.com/software/vmserver/VMware-mui-1.0.5-80187.tar.gz">http://download3.vmware.com/software/vmserver/VMware-mui-1.0.5-80187.tar.gz</a></span><br /><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >wget <a href="http://download3.vmware.com/software/vmserver/VMware-server-linux-client-1.0.5-80187.zip">http://download3.vmware.com/software/vmserver/VMware-server-linux-client-1.0.5-80187.zip</a></span><br /><br /><br />These downloads arrive over plain HTTP, so if the download page shows a checksum for the file, compare it against what you fetched before unpacking. Once you have the files, untar/gunzip them using the following commands:<br /><br /><span style="font-family:courier new;"> tar -xvzf ./VMware-server-1.0.x-xxxxx.tar.gz</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" > tar -xvzf ./VMware-mui-1.0.x-xxxxx.tar.gz</span><br /><br />where <span style="font-style: italic;">1.0.x-xxxxx</span> represents the proper version and build numbers.<br /><br />Two new directories called vmware-server-distrib and vmware-mui-distrib will be created.<br /><br /><span style="font-weight: bold;">Step 5: Installing VMware</span><br /><br />Change directories to vmware-server-distrib. Run the vmware-install.pl script as root (via sudo), since it installs system files and builds kernel modules. 
In our case, we answered the default for most questions except where we wanted the VMs to reside. We entered "/home/vm" for this, but it is up to you where you want to put them on your system.<br /><br /><span style="font-weight: bold;">Step 6: Installing the VMware Management UI.</span><br /><br />The VMware Management UI is a good way to get an overall view of the VMware server host. It presents you with helpful averages of CPU and memory usage per VM. We use it to gauge approximately how many VMs a given physical server can handle.<br /><br />To install it, change to your vmware-mui-distrib directory and run its vmware-install.pl script. When you do this, you *may* get a message indicating that VMware is not installed. This message is misleading: it usually means that some libraries the MUI needs are missing, and it may also mean that your "sh" points to "dash" rather than the more full-featured "bash" that the installer's scripts expect.<br /><br />To resolve these problems, try any or all of the following:<br /><br /><span style="font-weight: bold;">Needed packages not installed</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >sudo apt-get install libx11-6 libxtst6 libxt6 libxrender1 libxi6 libstdc++5 libssl0.9.7 libcrypto++5.2c2a</span><br />(Debian package names are all lower case; apt-get will not find "libXt6" or "libXrender1".)<br /><br /><span style="font-family:courier new;"><span style="font-weight: bold;font-family:georgia;" >Incorrectly linked library</span><br /><span style="color: rgb(0, 0, 0);">sudo ln -s /usr/lib/libdb-4.3.so </span></span><span style="color: rgb(0, 0, 0);font-family:courier new;" > /usr/lib/libdb.so.3</span><br />(This points the MUI at the newer Berkeley DB library Ubuntu ships in place of the old libdb.so.3 it expects; it is a compatibility hack rather than a proper fix.)<br /><br /><span style="font-weight: bold;">Incorrectly pointed sh command</span><br />Determine whether this is the case with <span style="font-family:courier new;">"ls -l /bin/sh"</span>. If it shows that sh actually points to a program called "dash", remove the link and relink it to bash. 
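Both of the fixes above, the missing-library check and the temporary /bin/sh swap, are easy to get slightly wrong by hand (a "rm /bin/sh" with nothing put back breaks every script on the host). The following shell script is an added example, not part of the original post and not VMware's installer: it parses ldd output for "not found" entries (the same kind of output quoted in Step 3) and wraps a single command in a bash-as-sh swap that is undone afterwards even if the command fails. The link path, the bash path and the sample ldd output are parameters or constructed data, so it can be tried on a scratch directory first; point it at the real /bin/sh only as root.

```sh
#!/bin/sh
# Added example (not from the original post): two pre-flight checks for the
# VMware Server / MUI installers on Ubuntu 7.10.
#   missing_libs / check_binary - list the libraries ldd reports as
#       "not found", which is what the "correct version of one or more
#       libraries ... may be missing" error is complaining about.
#   run_with_bash_as_sh - point an sh symlink at bash for the duration of one
#       command and restore the original target afterwards, even if the
#       command fails, instead of leaving /bin/sh repointed by hand.
# Inputs are arguments/stdin so everything can be exercised on a scratch
# directory without touching the real /bin/sh.

# Read ldd output on stdin; print one missing library name per line.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Return 0 if every dependency of the given binary resolves, 1 otherwise.
# Usage: check_binary /usr/bin/vmware
check_binary() {
    missing=$(ldd "$1" 2>/dev/null | missing_libs)
    if [ -n "$missing" ]; then
        printf 'missing libraries for %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# Usage: run_with_bash_as_sh <sh-link> <bash-path> <command...>
# Repoints <sh-link> (normally /bin/sh, which needs root) at <bash-path>,
# runs the command, then restores the original target and propagates the
# command's exit status. ln -sf replaces the link in one step, so there is
# no window in which no sh exists at all.
run_with_bash_as_sh() {
    link=$1; bash_bin=$2; shift 2
    orig=$(readlink "$link") || { printf '%s is not a symlink\n' "$link" >&2; return 2; }
    ln -sf "$bash_bin" "$link" || return 2
    "$@"
    rc=$?
    ln -sf "$orig" "$link"
    return $rc
}

# Constructed sample: an excerpt of the ldd output quoted in Step 3.
SAMPLE_LDD='linux-gate.so.1 => (0xffffe000)
libm.so.6 => /lib32/libm.so.6 (0xf7f93000)
libX11.so.6 => not found
libXtst.so.6 => not found
libz.so.1 => /usr/lib32/libz.so.1 (0xf7f60000)'

# Stand-alone demonstration: prints libX11.so.6 and libXtst.so.6.
printf '%s\n' "$SAMPLE_LDD" | missing_libs
```

On the real host, run check_binary /usr/bin/vmware after Step 3 to confirm the packages really covered everything, and, as root from the vmware-mui-distrib directory, run_with_bash_as_sh /bin/sh /bin/bash ./vmware-install.pl so that /bin/sh goes back to dash the moment the installer exits.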
(You may do this, then reverse it back to dash after running the install script. Bear in mind that while /bin/sh is removed or repointed, every script on the host that runs under "sh" sees the change, so do it on a quiet system and put it back promptly.)<br /><br />Then correct the problem by:<br /><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >sudo rm /bin/sh</span><br /><span style="color: rgb(0, 0, 0);font-family:courier new;" >sudo ln -s /bin/bash /bin/sh</span><br /><br /><span style="font-weight: bold;">One more note...</span><br />In our case, we decided to use a single user on our server host for all VMs. All VMs were then owned by, and writable for, this single user. Depending on your environment, this approach may be feasible, or it may not. The advantage is simplicity; the disadvantage is privacy and flexibility. You decide.<br /><br /><span style="font-weight: bold;">Conclusion and Verification</span><br />If you've done the above steps correctly, you now have a functional VMware Server host machine. To verify:<br /><br />1. Try installing and connecting with a VMware Server Console client. You should be able to create new virtual machines.<br /><br />2. Try connecting to the management console by pointing your browser to https://servername:8333.<br /><br />If you've found this article useful or you have any compliments, constructive criticisms etc., please feel free to leave a comment!<br /><br />Posted by Jonathan Ng, 2008-04-17<br /><br /><br /><span style="font-weight: bold;">Installing webmin on Ubuntu 7.10</span> (2008-04-10)<br /><br />Recently, I've discovered a very neat tool for administering some of my linux servers. It is called <a href="http://www.webmin.com/">webmin</a>, and it may be one of the more complete web-based system administration tools I have seen for linux.<br /><br />Admittedly, I was a bit apprehensive at first about trusting a web interface to do administration. After all, I am not one to shy away from the command line. 
But the more I used the webmin console, the more I could really see the benefit of using such a tool. In particular, I found the custom commands and the scheduled monitoring to be two particularly useful features.<br /><br />I had been configuring small single-application virtual machines lately with Ubuntu, and found webmin to be a very robust tool in which to write custom commands to administer the various functions of each server. With webmin, each VM became more like a virtual appliance, something we just turn on and off, rather than something we had to learn oodles of commands to maintain.<br /><br />Now, installation of webmin on Ubuntu isn't quite as straightforward as just saying "apt-get install webmin", so I've written a small HOWTO guide on how to install it on Ubuntu. If you find this useful, please do leave a comment. It's nice to know what people find useful, and what things people don't.<br /><br /><span style="font-weight: bold;">Step 1:</span> Get the latest webmin Debian package from webmin's site. Since the bare-bones Ubuntu Server won't have a graphical browser, the easiest way to do this is to find the download link via another machine, then use wget to download it onto your server. For me, this was a nearby SourceForge mirror. 
Therefore, I issued a command like this:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;"></span></span><blockquote><span style="font-weight: bold;font-size:85%;" ><span style="font-family:courier new;">wget http://internap.dl.sourceforge.net/sourceforge/webadmin/webmin_1.410_all.deb</span></span><br /></blockquote><br />This was the response:<br /><br /><span style="font-size:85%;"><span style="font-family:courier new;"></span></span><blockquote style="font-weight: bold;"><span style="font-size:85%;"><span style="font-family:courier new;">--12:57:12-- http://internap.dl.sourceforge.net/sourceforge/webadmin/webmin_1.410_all.deb</span><br /><span style="font-family:courier new;"> => `webmin_1.410_all.deb'</span><br /><span style="font-family:courier new;">Resolving internap.dl.sourceforge.net... 74.201.26.4</span><br /><span style="font-family:courier new;">Connecting to internap.dl.sourceforge.net|74.201.26.4|:80... connected.</span><br /><span style="font-family:courier new;">HTTP request sent, awaiting response... 
200 OK</span><br /><span style="font-family:courier new;">Length: 13,140,062 (13M) [text/plain]</span><br /><br /><span style="font-family:courier new;">100%[====================================================================================================>] 13,140,062 417.00K/s ETA 00:00</span><br /><br /><span style="font-family:courier new;">12:57:44 (416.17 KB/s) - `webmin_1.410_all.deb' saved [13140062/13140062]</span></span></blockquote><br /><span style="font-weight: bold;">Step 2:</span> Next, install the appropriate libraries (as a sudo user) to get webmin to run:<br /><br /><span style="font-size:85%;"><span style="font-weight: bold;font-family:courier new;" ></span></span><blockquote><span style="font-size:85%;"><span style="font-weight: bold;font-family:courier new;" >sudo apt-get install libnet-ssleay-perl libauthen-pam-perl libio-pty-perl libmd5-perl openssl</span></span></blockquote>This was the response:<br /><span style="font-size:85%;"><span style="font-family:courier new;"></span></span><blockquote style="font-weight: bold;"><span style="font-size:85%;"><span style="font-family:courier new;">Reading package lists... Done</span><br /><span style="font-family:courier new;">Building dependency tree</span><br /><span style="font-family:courier new;">Reading state information... 
Done</span><br /><span style="font-family:courier new;">Suggested packages:</span><br /><span style="font-family:courier new;"> ca-certificates</span><br /><span style="font-family:courier new;">The following NEW packages will be installed:</span><br /><span style="font-family:courier new;"> libauthen-pam-perl libio-pty-perl libmd5-perl libnet-ssleay-perl openssl</span><br /><span style="font-family:courier new;">0 upgraded, 5 newly installed, 0 to remove and 39 not upgraded.</span><br /><span style="font-family:courier new;">Need to get 1138kB of archives.</span><br /><span style="font-family:courier new;">After unpacking 3555kB of additional disk space will be used.</span><br /><span style="font-family:courier new;">Get:1 http://ca.archive.ubuntu.com gutsy/universe libauthen-pam-perl 0.16-1 [32.2kB]</span><br /><span style="font-family:courier new;">Get:2 http://ca.archive.ubuntu.com gutsy/universe libio-pty-perl 1:1.07-1 [42.3kB]</span><br /><span style="font-family:courier new;">Get:3 http://ca.archive.ubuntu.com gutsy/universe libmd5-perl 2.03-1 [5680B]</span><br /><span style="font-family:courier new;">Get:4 http://ca.archive.ubuntu.com gutsy/main libnet-ssleay-perl 1.30-1 [186kB]</span><br /><span style="font-family:courier new;">Get:5 http://ca.archive.ubuntu.com gutsy-updates/main openssl 0.9.8e-5ubuntu3.1 [872kB]</span><br /><span style="font-family:courier new;">Fetched 1138kB in 9s (117kB/s)</span><br /><span style="font-family:courier new;">Selecting previously deselected package libauthen-pam-perl.</span><br /><span style="font-family:courier new;">(Reading database ... 
33264 files and directories currently installed.)</span><br /><span style="font-family:courier new;">Unpacking libauthen-pam-perl (from .../libauthen-pam-perl_0.16-1_i386.deb) ...</span><br /><span style="font-family:courier new;">Selecting previously deselected package libio-pty-perl.</span><br /><span style="font-family:courier new;">Unpacking libio-pty-perl (from .../libio-pty-perl_1%3a1.07-1_i386.deb) ...</span><br /><span style="font-family:courier new;">Selecting previously deselected package libmd5-perl.</span><br /><span style="font-family:courier new;">Unpacking libmd5-perl (from .../libmd5-perl_2.03-1_all.deb) ...</span><br /><span style="font-family:courier new;">Selecting previously deselected package libnet-ssleay-perl.</span><br /><span style="font-family:courier new;">Unpacking libnet-ssleay-perl (from .../libnet-ssleay-perl_1.30-1_i386.deb) ...</span><br /><span style="font-family:courier new;">Selecting previously deselected package openssl.</span><br /><span style="font-family:courier new;">Unpacking openssl (from .../openssl_0.9.8e-5ubuntu3.1_i386.deb) ...</span><br /><span style="font-family:courier new;">Creating directory /etc/ssl</span><br /><span style="font-family:courier new;">Setting up libauthen-pam-perl (0.16-1) ...</span><br /><span style="font-family:courier new;">Setting up libio-pty-perl (1:1.07-1) ...</span><br /><span style="font-family:courier new;">Setting up libmd5-perl (2.03-1) ...</span><br /><span style="font-family:courier new;">Setting up libnet-ssleay-perl (1.30-1) ...</span><br /><span style="font-family:courier new;">Setting up openssl (0.9.8e-5ubuntu3.1) ...</span></span></blockquote><br /><br /><span style="font-weight: bold;">Step 3:</span> Install the webmin package as root using dpkg.<br /><blockquote><span style="font-size:85%;"><br /><span style="font-weight: bold;font-family:courier new;" >sudo dpkg -i webmin_1.410_all.deb</span></span></blockquote>This was the response:<br /><br /><span 
style="font-size:85%;"><span style="font-family:courier new;"></span><blockquote style="font-weight: bold;"><span style="font-family:courier new;">Selecting previously deselected package webmin.</span><br /><span style="font-family:courier new;">(Reading database ... 33791 files and directories currently installed.)</span><br /><span style="font-family:courier new;">Unpacking webmin (from webmin_1.410_all.deb) ...</span><br /><span style="font-family:courier new;">Setting up webmin (1.410) ...</span><br /><span style="font-family:courier new;">Webmin install complete. You can now login to https://myserver:10000/</span><br /><span style="font-family:courier new;">as root with your root password, or as any user who can use sudo</span><br /><span style="font-family:courier new;">to run commands as root.</span></blockquote><span style="font-weight: bold;font-family:courier new;" ></span></span><br /><span style="font-weight: bold;">Step 4:</span> You're done! Log in to the server by pointing your web browser at the address the installer printed (https://myserver:10000/, with your own server's name). Two things to bear in mind first: webmin generates a self-signed certificate for that port, so your browser will warn about it on the first visit, and, as the install message says, it accepts root's password or any sudo-capable account and then runs commands as root. That makes port 10000 a root-level entry point to the machine, so restrict who can reach it (a host firewall, or webmin's own IP access control under Webmin Configuration) rather than leaving it open to every network the server is attached to.<br /><br />Posted by Jonathan Ng, 2008-04-10<br /><br /><br /><span style="font-weight: bold;">The best things in life are free</span> (2008-03-23)<br /><br />Ever had one of those weird moments when you check out what's stuck in your wallet and compare it with that of your buddies? I'm not talking about how much money you have, but all of the other things - receipts, drivers license, club cards, gym memberships, packs of sugar, ...? (<a href="http://www.sonypictures.com/tv/shows/seinfeld/episode_guide/?sl=episode&ep=912">Think George in that old episode of <span class="Apple-style-span" style="font-style: italic;">Seinfeld</span>...</a>)<br /><br />Well, this post is all about what's stuck in your development environment. Perhaps one of the biggest lessons I have learned over the past few years is that some of the best development and I.T. 
tools out there don't have to cost you an arm and a leg. Once upon a time we subscribed to a different model: the pay-as-you-go model, where every time we ran into a problem, we'd call up our favourite vendor and "discover" what next big purchase we would need to make to solve the problem.<br /><br />No longer. Now, thanks to a plethora of good open-source or economical commercial software, one no longer has to pay big bucks to develop good software.<br /><br />Here's what I have installed:<br /><ul><li><a href="http://www.eclipse.org/">Eclipse Europa</a> - this is my main integrated development environment. Within Eclipse, I use a variety of plugins and environments. I develop using <a href="http://java.sun.com/">Java 6</a>, unit test with <a href="http://www.junit.org/">JUnit</a>, manage my configuration using <a href="http://subversion.tigris.org/">Subversion</a> and <a href="http://subclipse.tigris.org/">Subclipse</a>, build using <a href="http://ant.apache.org/">Ant</a>, and manage tasks using <a href="http://www.eclipse.org/mylyn/">Mylyn</a>.</li><li><a href="http://www.getfirefox.com/">Mozilla Firefox</a> - this is my main browser. I enjoy using this browser immensely because it is cross-platform and, because it is not tied to my operating system, relatively secure.</li><li><a href="http://www.vim.org/download.php">GVIM</a> - for all editing tasks I don't use Eclipse for. It is a trusty, if expert-friendly, old friend (vi) ported over to Windows. It is free and even does colour syntax highlighting.</li><li><a href="http://www.scootersoftware.com/">Beyond Compare</a> - about the best diff/compare/merge tool out there for Windows. It is not free, but the $30 license fee isn't going to kill you either. 
I highly recommend this tool as it does not only file comparisons, but also wonderful directory comparisons, which is great for synchronizing directories.</li><br /></ul>Now for some of the back office stuff:<ul><li><a href="http://www.bugzilla.org/">Bugzilla Bug Tracking System</a> - tracks our defects and bugs and integrates nicely into Eclipse thanks to a nifty <a href="http://www.eclipse.org/mylyn/downloads/">Mylyn connector plugin</a>.</li><li><a href="http://subversion.tigris.org/">Subversion</a> - handles all of our source control and configuration management</li><li>Bugzilla is written in Perl and uses <a href="http://www.mysql.com/">MySQL</a> extensively; both it and Subversion run behind the <a href="http://httpd.apache.org/">Apache Web Server</a>, which <a href="http://www.ubuntu.com/products/WhatIsUbuntu/serveredition">Ubuntu Server</a> (based on the very versatile <a href="http://www.debian.org/">Debian</a> linux distribution) does a nice job of pre-installing for you.</li><li>Almost all of these servers run as virtual machines on <a href="http://www.vmware.com/products/server/">VMware Server</a> - a commercial but free product from VMware that allows you to run more than one virtual machine on a given physical server. Great for lab testing products and hosting virtual servers.</li><li>The remaining stuff, such as our Java Web Start deployment server, runs on an instance of <a href="http://tomcat.apache.org/">Apache Tomcat.</a></li><li><a href="http://activemq.apache.org/">Apache ActiveMQ</a> acts as our messaging server.</li><br /></ul><p>We have made similar choices in everything from our networking to even the on-hold music on our telephone system. It's not that we don't run commercial products. But with the availability of open-source, community-driven, community-debugged programs, IT professionals and developers are offered a much greater choice. 
The focus shifts from being product-driven (trying to find which product fits the budget) to solving problems, where real problems are solved by expertise, experience and knowledge of how best to integrate the available open-source and commercial products into a working environment. Best of all, you can keep most of that big fat wallet of yours in your back pocket because you won't have to take it out very often. :-)</p><br /><br /><p>Those are my two bits. What about yours? What are the pros and cons of open source software in your environment? Hit me up in the comments.</p><br /><br />Posted by Jonathan Ng, 2008-03-23<br /><br /><br /><span style="font-weight: bold;">Review of the Asus P5N-MX (LGA775) mainboard for use as a Linux File Server</span> (2008-03-17)<br /><br /><a href="http://ca.asus.com/999%5Cimages%5Cproducts%5C2010%5C2010_m.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px;" src="http://ca.asus.com/999%5Cimages%5Cproducts%5C2010%5C2010_m.jpg" alt="" border="0" /></a>I'm kind of an odd person. In my house, I have a closet that serves as the central hub for all my networking. It's sort of an odd hybrid of cheap IKEA utility shelves coupled with some rack-mounted equipment.<br /><br />I put "servers" in this closet too and serve files from this closet. Back in my university days, it was the "geek" thing to do: in fact it <span style="font-weight: bold; font-style: italic;">helped</span> me tremendously during an advanced networking course, as it meant I had my own in-house lab. Nowadays, it is more of a carry-over tradition. 
I have gone from a huge network of many servers to an array of embedded devices (WRT54GLs running <a href="http://www.openwrt.org/">OpenWRT</a>) and one or two PCs running Linux.<br /><br />Recently, one of the hard drives on one of these PCs decided to quit working. I had been mildly expecting it to happen (after all, hard drives nowadays tend to only last their warranty period...) so I had been diligently backing up to a mirror drive each day. When it finally died, I decided it was also time to upgrade the computer.<br /><br />So, I went looking for a decent, low-powered, fast computer solution and came across the <a href="http://ca.asus.com/products.aspx?l1=3&l2=11&l3=614&l4=0&model=2010&modelmenu=2">Asus P5N-MX motherboard</a>. Now this isn't your gamer's motherboard, but what it does have is built-in LAN, video, sound and RAID functionality, and a price tag that fits the budget: perfect for what I wanted to do with it. I purchased it along with a Pentium Dual-Core CPU - about the <a href="http://www.tomshardware.com/2007/09/12/pentium_dual_core/">best Intel dual core CPU you can get on the market for under $100</a> that isn't a Celeron. I considered getting one of the higher-end CPUs (such as a Core 2 Duo or higher) but I was on a budget, and frankly it would have been wasted money for the intended function of the machine.<br /><br />Total price for case, CPU, motherboard, memory and new hard drive came to $300. Not bad considering I'm upgrading from an 800 MHz Pentium III!<br /><br /><span style="font-weight: bold;">Assembly and Regret</span><br /><br />I bought the parts at a local computer shop, and two hours later I had the thing assembled and gave it its first boot, when all I heard was one long beeeeep! My heart sank. 
Out came the tools again, and soon, through the process of elimination, I discovered I had a stick of faulty RAM.<br /><br />(Side note: Now the funny thing was that a couple of years ago, I had vowed never to buy a home-built computer again - not that I was afraid of them, but simply that they had outlived their usefulness. One used to get home-built computers because they were no worse than the stuff you got from Dell or HP, but nowadays, things are different. I had convinced myself after working in IT for many years that purchasing name-brand actually was justified on warranty and heavy integration testing purposes alone. But, like many times before, I was lured by the price and convenience of a home-built computer. So when I discovered the faulty RAM, it reconfirmed my previous fears.)<br /><br /><span style="font-weight: bold;">Problem #1: Faulty RAM and/or lousy BIOS</span><br /><br />After replacing the RAM (and kicking myself for not following my own advice and buying Dell), I got the machine working... sort of. All would seem to work except for a memory test failure every time I booted the computer. So I replaced the RAM yet again, and began to wonder whether it might be something else. After much searching, and at the advice of the technician at the local shop, I decided it might be a BIOS problem, so I upgraded the BIOS from version 01xx to 0402. Mysteriously, the RAM problem went away.<br /><br /><span style="font-weight: bold;">Problem #2: Lousy ASUS documentation</span><br /><br />One of the things I was quick to discover was that though ASUS is a reputable motherboard manufacturer, they really lack good documentation. Nowhere in the BIOS readme file did it even so much as mention that the upgrade solves memory problems. 
It brings to mind two questions:<br /><br />-- Why did the motherboard not ship with a newer BIOS?<br />-- Why do they not document new BIOS features and fixes in detail?<br /><span style="font-weight: bold;"><br />Problem #3: False reports of an overheating CPU</span><br /><br />I then focused my attention on another problem that had appeared in the meantime. The reported temperature of the CPU (according to the BIOS) was 71°C! I knew this was erroneous because of the very cool heat sink sitting snugly attached to the CPU. It wouldn't really be that annoying except that all of the fan speeds are tied to this temperature! So even though the CPU was cool, the fans spun at full speed.<br /><br />I searched all over, but could only find vague references to the problem - and in almost every case where it was mentioned, the de facto answer was that the fan assembly was somehow to blame.<br /><br />True as that may sound, it was not the case, and in the end, I concluded it must be yet another BIOS error. This time, however, I was out of "released" BIOSes to upgrade to, so only after reading a <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16813131230">vague review on Newegg.com</a> did I figure that upgrading to the latest "beta" BIOS (version 0601) <span style="font-style: italic;">might</span> solve my problem.<br /><br />I did upgrade, and it did solve my problem. 
I am finally happy with my new server, on which I have installed Ubuntu Server and created a giant file share using CIFS and NFS on my RAIDed hard drives.<br /><br /><span style="font-weight: bold;">Conclusion</span><br /><br />It has been several years since I bought and assembled a home-built computer, but now, more than ever, I am convinced that it may not always be the best option. Until motherboard companies begin to act responsibly, test their BIOSes adequately and document their upgrades in detail, it seems like a lot of work and frustration for having saved not that much money.<br /><br />Posted by Jonathan Ng, 2008-03-17<br /><br /><br /><span style="font-weight: bold;">Sysclean - a little-known secret</span> (2008-03-14)<br /><br /><a href="http://www.trendmicro.com"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px;" src="http://us.trendmicro.com/images/common/LogoTrendMicro_3d.gif" alt="" border="0" /></a>One of the things that our I.T. department deals with on occasion (much to our frustration) is virus / malware / spyware / grayware infected computers. Though we do have a layered system in place, no system will prevent every type of malware out there all the time.<br /><br />(We also get lots of questions from our users about their home machines. Though we don't officially support home machines, developing good I.T. 
practices is part of our mandate and so we often encourage and help out with this out of goodwill.)<br /><br />In addition to telling them about some of the online scanners available (such as <a href="http://housecall.trendmicro.com/">Trend Micro's Housecall</a> or <a href="http://security.symantec.com/">Symantec/Norton's equivalent</a>) we also send them home with a rescue CD. On the CD is a little known secret... and it's free.<span style="font-weight: bold;"><br /><br />First, the secret </span>- then I will tell you why we do this in addition to online scanners.<br /><br /><a href="http://www.trendmicro.com/">Trend Micro</a> offers an offline system cleaner called "sysclean". It isn't the most elegant of solutions, but it is thorough. It will detect most viruses and spyware as well as other forms of malware, and it does a reasonable job of cleaning them up.<br /><br />You can download the sysclean program here:<ul><li><a href="http://www.trendmicro.com/ftp/products/tsc/sysclean.com">http://www.trendmicro.com/ftp/products/tsc/sysclean.com</a></li></ul><p>Once you have downloaded it, you will also need to download their latest pattern files. You can find those here:</p><ul><li><a href="http://www.trendmicro.com/download/pattern.asp">http://www.trendmicro.com/download/pattern.asp</a></li></ul><p>You need both the <a href="http://www.trendmicro.com/download/viruspattern.asp">Virus pattern</a> as well as the <a href="http://www.trendmicro.com/download/spywarepattern.asp">Spyware pattern</a>. Download the "new" pattern files titled SSAPIPTN.DA5. Put all the files into one directory, and unzip all pattern files. Then, run sysclean.com and let it scan away.</p><p style="font-weight: bold;">If you intend to put this on a CD, there are several catches:</p><ol><li>On the target computer, you will need to copy the files off the CD onto a local directory and make them NOT read-only.
This is because sysclean.com will actually extract other programs and require write access.</li><li>Note that the patterns change almost daily - so be sure to keep the CD up to date.</li></ol><p><span style="font-weight: bold;">Why do we encourage this in addition to online scanners?</span></p><p>For system recovery, this solution works well - it does not require plugins or Java to be installed. In fact, it does not even require an internet connection. But most importantly, it is not as susceptible to browser hijacks. (If we assume that the browser on the target computer is already infected, what good is a scanner that also requires that browser?)</p>Posted by Jonathan Ng.<br /><br /><span style="font-weight: bold;">Start a knowledge base</span> (2008-03-13)<br /><br />I work with a relatively small I.T. team. Being half developer and half I.T. administrator, human resources can get quite stretched when it comes to domain knowledge. When one person goes on vacation, their absence is felt.<br /><br />One of the things we did a couple of years ago to mitigate this is to start a knowledge base. Knowledge bases used to be these huge complicated things that people would have to manage. I still remember the times when I worked for a big consulting firm that had whole teams dedicated to maintaining and producing the knowledge base. But with the advent of "Web 2.0" and the popularity of blogs and WIKIs, this hurdle has been greatly overcome. The focus shifts to the content rather than the presentation. The fact that everyone can contribute to its content makes the content that much more relevant and useful.<br /><br /><span style="font-weight: bold;">Here are some tips to starting a successful knowledge base:</span><br /><br /><span style="font-weight: bold;">1. Encourage and convince your team (and other stakeholders) that this is a good thing.
</span> Resistance can be hard to overcome. It may come in the form of people who have ingrained knowledge of systems and fear losing their jobs. But job replacement is not the goal of a knowledge system. By documenting knowledge, you not only spread the wealth of knowledge, you encourage reproduction of leadership, and you encourage those that have the knowledge to learn more. (Don't they say that the best student is often the teacher?)<br /><br /><span style="font-weight: bold;">2. Identify some areas that desperately need documentation. </span> Keep a running list of topics.<br /><br /><span style="font-weight: bold;">3. Find a repository. </span> In our team, we prefer to use a WIKI. We find the collaborative nature of WIKIs suitable for something that changes constantly like a knowledge base. As we find new problems and new solutions, we update the WIKI. There are many WIKIs out there of varying size - find one that suits the size of your organization, and run with it. For us, we decided to use <a href="http://www.jspwiki.org/">JSPWiki</a> - mostly because of its simplicity, and the fact that it uses the file system as a repository. This made for simple backups as well as maintenance. Others will want to choose a more robust system such as <a href="http://www.twiki.org/">TWiki</a> or <a href="http://www.mediawiki.org/wiki/MediaWiki">MediaWIKI</a> where the UI is more full featured. Again, the emphasis should be on content, not presentation.<br /><br /><a href="http://en.wikipedia.org">Wikipedia</a> (a wiki in and of itself) has a great <a href="http://en.wikipedia.org/wiki/Comparison_of_wiki_software">comparison page on wiki engines</a>.<br /><br /><span style="font-weight: bold;">4. Have a reasonable organizational structure in mind.</span> I'm a little cautious about saying this because sometimes finding the structure can be daunting. If this is the case, do step 5 first. But it is a good idea to have a general idea of a structure you may wish to use.
It helps you to seed the Wiki with initial ideas. Then you can refine the structure later.<br /><br />In our team, we decided to use the <a href="http://en.wikipedia.org/wiki/OSI_model">OSI layers</a> as an initial structure. Because many of the things we wanted to write about in our knowledge base fell under one of these layers, this was a logical point to start. Other teams may wish to use other forms of organization. Whatever you choose, do try to make sure that it ties into some sort of existing context that your users will understand.<br /><br /><span style="font-weight: bold;">5. Start writing!</span> In our team, many of our initial pages were simply a description of what that page was intended to be. For instance, we may have a page called "ListOfServerIPs" that just contains the intention for that page. Then, as problems came up, we all made a commitment to find the relevant page and update it. In other words, there is not always a need to do this huge "dump" of initial information - just start using the knowledge base from this point forward, and the background will often fill itself in.<br /><br /><span style="font-weight: bold;">6. Repeat steps 2 through 5.</span> Knowledge bases (like the people who remember the knowledge) are meant to be organic. A knowledge base is only as good as the last person who maintained it - so, make it an <span style="font-weight: bold; font-style: italic;">iterative</span> process. As your knowledge base grows, reevaluate whether there might be a better way of organizing the information and write/rewrite pages accordingly. Of course, one nice thing about Wikis is that they are also web pages with full hyperlink capabilities, so creating new "index" pages can be easy.
A lot of WIKIs nowadays also employ tag and search systems allowing for greater flexibility in structure.<br /><br />Posted by Jonathan Ng.<br /><br /><span style="font-weight: bold;">Blog resurrection</span> (2008-03-12)<br /><br />After a long hiatus of over a year, I am dusting off this blog, revamping it with a new look, and committing to updating it more regularly. Check back here soon and often for new tips on how to practice practical I.T.<br /><br />Posted by Jonathan Ng.<br /><br /><span style="font-weight: bold;">That's Neat!</span> (2006-05-14)<br /><br />In addition to working with networks and systems, I am also an amateur photographer. For the longest time, I was an unconvinced film addict and stuck to my film-based equipment, as the picture quality is undeniably better than what most digital cameras can produce, particularly at higher ISOs. However, with a recent discovery, this perception is starting to change.<br /><br />I read in a digital photography book recently about a noise-reduction filter/program called <a href="http://www.neatimage.com">NeatImage</a>. When I tried out the program and applied its noise reduction algorithms to my digital photographs, I was amazed. Pictures I used to consider second-rate because of the noise could now be filtered to look so much better. See the <a href="http://www.neatimage.com/examples.html">examples</a> they have on their Web site.<br /><br /><a href="http://www.neatimage.com/download.html">Give it a try</a>. The demo version allows you to process an unlimited number of images, one image at a time, provided you are OK with the output being lossy JPEG. That isn't so bad if you do the noise reduction as the last step in your workflow.
For a nominal fee, you can purchase Home and Professional versions of the program which don't have these limitations.<br /><br />Posted by Jonathan & Karen Ng.<br /><br /><span style="font-weight: bold;">Multiwan connections addendum</span> (2006-05-08)<br /><br />After some testing and some thought, there are several things I felt I should also document regarding the <a href="http://developingrapids.blogspot.com/2006/05/conning-mark-multiwan-connections.html">multiwan connection solution I posted earlier</a>.<br /><br /><span style="font-weight: bold;">Turn rp_filter OFF<br /><br /></span>It appears that rp_filter causes problems with NAT and connection marking. From what I could tell, packets tend to 'lose' their mark and thus get routed out the wrong interface unless this is turned off. However, it should be noted that if you turn this off, you need to take care of the anti-spoofing functionality it provides in your firewall script.<br /><br />To turn it off, I edited this file: /etc/init.d/networking; and set it to echo "0" to /proc/sys/net/ipv4/conf/*/rp_filter instead of "1". Don't forget to change the text in the function spoofprotect() to say "NOT setting up IP spoofing protection".<br /><br /><span style="font-weight: bold;">Traffic destined for the router itself (TCP, ICMP and otherwise)<br /><br /></span>The posted solution also will not route packets to the router itself correctly. It may not be entirely noticeable, as some traffic may loop around (come in one interface, exit another).
To solve this, add two additional rules to the routing policy database:<br /><br />ip rule add from <span style="font-style: italic;">{ip_wan1_interface_on_router}</span> table wan_one<br />ip rule add from <span style="font-style: italic;">{ip_wan2_interface_on_router}</span> table wan_two<br /><br /><span style="font-weight: bold;">Optimizations to the MARK rules<br /><br /></span>Here are some minor optimizations to the MARK rules which make them more specific to what we are marking. They are not <span style="font-style: italic;">strictly</span> necessary but may provide some more <span style="font-style: italic;">insight</span> to someone just looking at your mangle table and trying to figure out what is going on.<br /><br />Instead of:<br /><span style="font-family:courier new;">iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1</span><br /><br />use:<br /><span style="font-family:courier new;">iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -m mark --mark 0 -j MARK --set-mark 1</span><br /><br />Instead of:<br /><span style="font-family:courier new;">iptables -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 2</span><br /><br />use:<br /><span style="font-family:courier new;">iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW -m mark --mark 0 -j MARK --set-mark 2</span><br /><br />Empirical tests indicate that packets that are not explicitly marked otherwise have a mark of 0.<br /><br />Posted by Jonathan & Karen Ng.<br /><br /><span style="font-weight: bold;">Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2</span> (2006-05-05)<br /><br />Over the past few months, I have been configuring a replacement multi-WAN NAT router/firewall for work.
My colleagues and I decided to use <a href="http://www.voyage.hk">Voyage Linux</a> (a derivative of <a href="http://www.debian.org">Debian Linux</a> for embedded devices) on a <a href="http://www.soekris.com">Soekris net4801</a> box. See also the pictures on <a href="http://cybocshardware.blogspot.com/2006/02/soekris-net4801-pictures.html">my coworker's (cyboc) blog.</a><br /><br />Unlike other organizations who use their multi-WAN connections to do automatic load balancing and traffic shaping, we simply use our extra WAN connection for redundancy. Both connections DNAT to an internal server with two distinct external IP addresses. The idea is that users can access the server using either of the IP addresses, though they might normally prefer one over the other. Users would be able to switch to the other connection should the one they were using provide a less than optimal result. No automatic load balancing is required nor desired. In simple terms, our network looks something like this:<br /><br /><a href="http://photos1.blogger.com/blogger/3351/1192/1600/SimplifiedMultiWanDiagram.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://photos1.blogger.com/blogger/3351/1192/400/SimplifiedMultiWanDiagram.jpg" alt="Simplified multi-WAN network diagram" border="0" /></a><br />As part of this configuration, we wanted network traffic that came in on one interface to exit again through that same interface. I was able to configure most of the firewall and NAT parts of the router with relative ease using iptables but was stumped when it came to the routing table and how to route packets in and out of their own respective interfaces.<br /><br /><span style="font-weight: bold;">The Problem Defined<br /><br /></span>Traditional routing tables generally only allow for one default gateway at a time.
<span style="font-style: italic;">Multiple default gateways have to be specified in priority sequence. </span>Thus, there is no guarantee that an incoming packet on one line will receive a reply routed back through that same interface. At best, the return packet will go out the default gateway or some other static gateway defined according to the routing table. Furthermore, traditional routing tables only allow destination based routing.<span style="font-style: italic;"> </span>That is, we can create specific routing entries to dictate a route given a destination address but not based on the source address.<br /><br /><span style="font-weight: bold;">Enter IPROUTE2</span><br /><br />After some research, I discovered that IPROUTE2 solves a lot of my problems. IPRoute2, amongst many other things, allows for source based routing, and also allows for routing based on packet markers. More on packet markers later.<br /><br />Be warned though, IPROUTE2 is a rather complex beast! The <a href="http://www.policyrouting.org/iproute2.doc.html">user manual</a> is far from friendly, and it took me a few tries to get it to do what I wanted to do.<br /><br /><span style="font-weight: bold;">Attempt 1: Source based routing</span><br /><br />My first attempt at my problem involved source-based routing: Since most of the time, users will be using WAN connection #1 for this server, route all traffic originating from the IP address of my server out WAN connection 1. This works, however, it requires a manual change to the routing table when WAN connection 1 goes down. 
An administrator would have to switch the source-based routing rule to say: route all traffic originating from the server's IP address out WAN connection #2.<br /><br />Wouldn't it be simpler if the router could somehow just remember which connection the packet came in on and route subsequent replies through that same interface?<br /><br /><span style="font-weight: bold;">Attempt 2: Packet marking based routing<br /></span><br />My second attempt at my problem centered on being able to track connections and route accordingly. To do this, I discovered iptables' packet marking and connection marking.<br /><br />In short, iptables has two types of targets that one can use to mark packets: CONNMARK and MARK. CONNMARK marks a connection. Once marked, packets in the same "conversation" are also marked with the same CONNMARK indicator.<br /><br />Another marker is the packet marker denoted by iptables' MARK target. (Couldn't they have come up with better names?!) The MARK target only marks individual packets. They are not resilient like the connmark indicators - i.e. they only retain their value for the duration of that one packet's lifespan.<br /><br />Now when I first went diving into this, I erroneously thought that one could simply set the CONNMARK when a packet came in one WAN line, and have the routing tables detect that connmark and route accordingly. As I soon discovered though, iproute2 only recognizes packet MARKs, not CONNMARKs.
Thus, to do what I wanted, the CONNMARK value had to be copied to the MARK value each time a packet was about to be routed.<br /><br /><span style="font-weight: bold;">Solution Part 1: Configuring the mangle table in iptables<br /></span><br />Given the above restrictions with CONNMARK and MARK, I devised in plain English the steps I want my router to take when marking packets and when routing.<br /><br /><ul><li>If this is the first packet in a connection (i.e. it doesn't have a CONNMARK nor a MARK) then set the MARK of the packet to 1 or 2 depending on which line it came in on. Save this MARK to the CONNMARK value and accept the packet for routing.</li><li>If, however, a CONNMARK does exist, then restore that CONNMARK to the MARK value. Check to see what the MARK value is. If it is 1 or 2, then ACCEPT the packet for routing.</li></ul>Once the packet is accepted for routing, route based on these rules:<br /><br /><ul><li>If the packet has a MARK value of 1 then use the routing table for WAN connection #1.</li><li>Else if the packet has a MARK value of 2, then use the routing table for WAN connection #2.</li></ul><br />Now that you understand the English algorithm, I will translate it into pseudocode in the same order in which it must appear in iptables' mangle table:<br /><br /><ul><li>Restore the packet's CONNMARK to the MARK. (If one doesn't exist, then no mark is set.)</li><li>If packet MARK is 1, then it means that there is already a connection mark and the original packet came in on WAN #1, so ACCEPT.</li><li>Else, we need to mark the packet. If the packet is incoming on eth1 then set MARK to 1.</li><li>If packet MARK is 2, then it means there is already a connection mark and the original packet came in on WAN #2, so ACCEPT.</li><li>Else, we need to mark the packet. If the packet is incoming on eth2 then set MARK to 2.</li><li>Save MARK to CONNMARK. This rule will be hit only if the previous rules (2 and 4) did not match.
A new mark would have been written according to rules 3 and 5, and it is saved here to the connection mark indicator.</li></ul><br />Finally, the actual iptables commands:<br /><pre>iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark<br />iptables -A PREROUTING -t mangle --match mark --mark 1 -j ACCEPT<br />iptables -A PREROUTING -t mangle -i eth1 -j MARK --set-mark 1<br />iptables -A PREROUTING -t mangle --match mark --mark 2 -j ACCEPT<br />iptables -A PREROUTING -t mangle -i eth2 -j MARK --set-mark 2<br />iptables -A PREROUTING -t mangle -j CONNMARK --save-mark</pre><br /><span style="font-weight: bold;">Solution Part 2: Configuring iproute2 to route according to the packet markers<br /><br /></span>Now that the connection and packets are marked as they come in, we need to instruct the routing table to route according to the markers on each packet. This is done using the Routing Policy database available in iproute2. In essence, this database defines a bunch of rules which, when matched, ask the router to consult a specific routing table rather than the default routing table. In this way, we can define specific rules that say: when the packet has a marker value of "1", use the wan_one routing table; similarly, if the packet has a marker value of "2", use the wan_two routing table.<br /><br />Several things need to be done in order to put all this together:<br /><br />1. Modify the file /etc/iproute2/rt_tables.<br />2. Add two custom tables at the bottom of the file. For simplicity, give the tables the same numbers as your packet marks.<br /><pre>myrouter:/etc/iproute2# more rt_tables<br />#<br /># reserved values<br />#<br />255 local<br />254 main<br />253 default<br />0 unspec<br />#<br /># local<br />#<br />1 wan_one<br />2 wan_two</pre><br />3. Define each routing table (wan_one and wan_two) by specifying routes specific to that connection.
<span style="font-weight: bold;">Note, however, that you must also specify rules that dictate how other packets will behave as well (notably packets destined for the local LAN)</span>. This is because once in the special routing table, the routing process does not consult your default routing table anymore. This is what I have in my two routing tables:<br /><pre>myrouter:/etc/iproute2# ip route show table wan_one<br />172.16.1.0/24 dev eth0 scope link<br />default via 149.99.251.145 dev eth1<br /><br />myrouter:/etc/iproute2# ip route show table wan_two<br />172.16.1.0/24 dev eth0 scope link<br />default via 66.119.160.1 dev eth2</pre><br />These are the commands I entered to get the routing tables above:<br /><pre>ip route add 172.16.1.0/24 dev eth0 table wan_one<br />ip route add default via 149.99.251.145 dev eth1 table wan_one<br /><br />ip route add 172.16.1.0/24 dev eth0 table wan_two<br />ip route add default via 66.119.160.1 dev eth2 table wan_two</pre><br />4. Next, you must define the iproute2 rules that will tell iproute2 to use the special routing tables. Do this by issuing the following commands:<br /><pre>ip rule add fwmark 1 table wan_one prio 1024<br />ip rule add fwmark 2 table wan_two prio 1025</pre><br />Note: the prio (priority) numbers are simply there to ensure that they get placed in the right order and relatively near the top of the rules. You may need to adjust this number if you have other rules in your policy database.<br /><br />You can verify that the rules were entered correctly by issuing an <span style="font-family:courier new;">ip rule show</span> command.<br /><pre>myrouter:/usr/local/sbin# ip rule show<br />0: from all lookup local<br />1024: from all fwmark 0x1 lookup wan_one<br />1025: from all fwmark 0x2 lookup wan_two<br />32766: from all lookup main<br />32767: from all lookup default</pre><br />5. 
Add a default gateway to the default routing table to define the default path unmarked packets must take.<br /><br /><span style="font-weight: bold;">Conclusion<br /></span><br />You're done! Packets now coming in on WAN connection one should be marked with 1, which then get routed according to table wan_one. Similarly for wan_two.<br /><br />A few interesting notes in addition:<br /><ul><li>I have not described here any of the firewalling or NAT processes. Obviously you need to have these set up and tested correctly before doing the CONNMARKing and MARKing.<br /></li><li>Packets originating from inside the LAN will not receive a connection mark at first, and thus will fall through to the default routing table. They will route out the default gateway specified there. However, the first ACK packet and every subsequent related packet should receive a connection mark, and follow one of the special routing tables.<br /></li><li>Because of this peculiar behaviour for packets originating from inside the LAN, and because of the nature of network address translation, it is necessary to explicitly state the ISP's gateway in each of the default routes in the special tables. In other words, it is not enough to simply put "ip route add default dev eth2 table wan_two". Instead, this should be issued: "ip route add default via 66.119.160.1 dev eth2 table wan_two".</li><li>Debugging the above solution can be a bit of a pain. I found that the iptables (mangling) part of the whole exercise can be done relatively easily through logging and the "iptables -L --line-numbers -n -v -t mangle" command, but there is no equivalent functionality in iproute2.
This, more than anything, caused grief when things weren't working.</li><li>I have posted <a href="http://developingrapids.blogspot.com/2006/05/multiwan-connections-addendum.html">an addendum to this article</a> which includes a few important details left out here.<br /></li></ul>Posted by Jonathan & Karen Ng.<br /><br /><span style="font-weight: bold;">What's in a name? Welcome to my technical blog.</span> (2006-05-04)<br /><br />Many years ago (1999), long before the age of blogs, I was asked to write a column for an online e-zine called Hello World. Although the magazine never survived more than a few pilot issues, I was pleasantly surprised, while doing a Google search, to find my articles still hanging around. I've always been meaning to resurrect my column, and I think that now, during the age of blogs, is possibly the right time.<br /><br />Though a bit dated, I have provided links to the old articles for continuity's sake.<br /><ul><li><a href="http://www.cosc.brocku.ca/%7Ecspress/HelloWorld/1999/02-feb/development.html">Developing Rapids: Effective examples of how to drown your software development schedules</a></li><li><a href="http://www.cosc.brocku.ca/%7Ecspress/HelloWorld/1999/03-mar/developing_rapids_p2.html">Developing Waterfalls: How to Effectively Drown Your Software Schedules</a></li><li><a href="http://www.cosc.brocku.ca/%7Ecspress/HelloWorld/1999/04-apr/developing_in_thin_air.html">Developing in Thin Air: How to Effectively Drown Your Software Schedules</a></li></ul>By the way, in case you are wondering where the name "Developing Rapids" comes from, it is a play on the late 90s cliché "Rapid Development". It is also the title of my first article.<br /><br />Posted by Jonathan & Karen Ng.
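The two multiwan posts above ("Conning the Mark" and its addendum) describe one configuration in pieces: the mangle rules, the rt_tables entries, the per-WAN routing tables, the fwmark policy rules, the addendum's "from" rules for the router's own traffic, and the rp_filter change. The script below is an added example, not the posts' own script, that assembles those pieces into one idempotent-where-possible file. Interface names, the LAN network and the two ISP gateways are the article's; the router's own WAN addresses are never stated on the page, so they appear as placeholders, and the priorities 1026/1027 for the "from" rules are an assumption chosen to sit just after the article's 1024/1025. Setting IPT=echo IP=echo prints the commands instead of running them, which is a cheap way to review the rule order before touching a production router. One caveat the addendum does not mention: on kernels newer than the article's, rp_filter=2 (loose mode) often keeps the spoofing check while tolerating asymmetric paths; the script follows the article and disables it, so the firewall must then reject spoofed sources itself.

```bash
#!/bin/sh
# Added example (not from the blog): CONNMARK/MARK multiwan setup from
# "Conning the Mark" plus the addendum's fixes, in one place.
# IPT/IP default to the real tools; set them to "echo" for a dry run.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
RPF_DIR="${RPF_DIR:-/proc/sys/net/ipv4/conf}"

LAN_IF=eth0;  LAN_NET=172.16.1.0/24                     # values from the article
WAN1_IF=eth1; WAN1_GW=149.99.251.145
WAN2_IF=eth2; WAN2_GW=66.119.160.1
# Placeholders: the page never gives the router's own WAN addresses.
WAN1_IP="${WAN1_IP:-ROUTER_WAN1_IP_PLACEHOLDER}"
WAN2_IP="${WAN2_IP:-ROUTER_WAN2_IP_PLACEHOLDER}"

# Mangle PREROUTING in the article's order: restore the connection mark,
# accept anything already marked, mark only the first packet of a new
# connection (addendum: --state NEW and --mark 0), then save to the connection.
mark_rules() {
  $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
  $IPT -t mangle -A PREROUTING -m mark --mark 1 -j ACCEPT
  $IPT -t mangle -A PREROUTING -i "$WAN1_IF" -m state --state NEW -m mark --mark 0 -j MARK --set-mark 1
  $IPT -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
  $IPT -t mangle -A PREROUTING -i "$WAN2_IF" -m state --state NEW -m mark --mark 0 -j MARK --set-mark 2
  $IPT -t mangle -A PREROUTING -j CONNMARK --save-mark
}

# Register the table names once, then fill each table completely: a packet
# sent to wan_one/wan_two never falls back to "main", so the LAN route and an
# explicit "via <ISP gateway>" default must both be present.
route_tables() {
  for entry in "1 wan_one" "2 wan_two"; do
    grep -qxF "$entry" "$RT_TABLES" 2>/dev/null || printf '%s\n' "$entry" >> "$RT_TABLES"
  done
  $IP route add "$LAN_NET" dev "$LAN_IF" table wan_one
  $IP route add default via "$WAN1_GW" dev "$WAN1_IF" table wan_one
  $IP route add "$LAN_NET" dev "$LAN_IF" table wan_two
  $IP route add default via "$WAN2_GW" dev "$WAN2_IF" table wan_two
}

# Policy database: fwmark lookups ahead of "main" (article), plus the
# addendum's "from" rules so replies the router itself sends leave by the
# interface they arrived on. Priorities 1026/1027 are an assumption.
policy_rules() {
  $IP rule add fwmark 1 table wan_one prio 1024
  $IP rule add fwmark 2 table wan_two prio 1025
  $IP rule add from "$WAN1_IP" table wan_one prio 1026
  $IP rule add from "$WAN2_IP" table wan_two prio 1027
}

# Addendum: with rp_filter on, marked packets left by the wrong interface.
# Disabling it removes the kernel's source-address check, so the firewall
# rules must drop spoofed sources themselves.
rp_filter_off() {
  for f in "$RPF_DIR"/*/rp_filter; do
    if [ -e "$f" ]; then echo 0 > "$f"; fi
  done
}

apply_all() {
  rp_filter_off
  mark_rules
  route_tables
  policy_rules
}

# Run as "sh multiwan.sh apply" to configure; plain sourcing only defines functions.
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Review the dry-run output first (`IPT=echo IP=echo sh multiwan.sh apply`): the six mangle lines must appear in exactly the article's order, because the ACCEPT rules rely on the restore having run and the save relies on the MARK rules having run. Also note that `-A` appends, so running the script twice duplicates the mangle rules; flush the chain or check with `iptables -t mangle -L PREROUTING -n -v --line-numbers`, as the article suggests, before re-applying.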