Category Archives: software

Subnetting and Serial over SSH

Subnetting:

 

Given my general laziness in all things requiring pen and paper, I, like many others, am prone to using a subnet calculator in day-to-day network building. And when you think about it, which is more likely to be correct: a computer running a fixed algorithm, or a coffee-fuelled network administrator adding things up in his head? 😛

That spiel over, I discovered the following program from a company called ‘BitCricket’ while searching for an IPv6-compatible subnet calculator I could use offline.

http://www.bitcricket.com/ip-subnet-calculator.html – Both Mac and Windows versions are available, and I’ve also been able to confirm the Windows version runs under Wine for those of you using Linux (one would assume your Linux machines already have Wine installed to run Winbox, right? :-D)

It neatly grabs a list of all the IP (v4 and v6) addresses on the local machine and adds them to a drop-down box so you can quickly check your own subnets, or you can clear the address box and type in the range you need.

While at this time it doesn’t actually subnet IPv6 ranges for you, it does have the handy function of telling you which address type each address on the machine (or any address you type in) belongs to, and /64 should be the smallest prefix you allocate to any segment anyway: RFC 4291 fixes the interface identifier at 64 bits, and SLAAC will not work on anything longer.

I realise I’m doing a lot of this “telling you how to run your network” stuff today, but I’m a big fan of the standards defined for IPv6 and they make everyone’s job easier if you stick to them!

Serial over SSH:

 

I mentioned to some of the MUM (MikroTik User Meeting) participants the other day that there is an easy way to use the serial port on a MikroTik to gain remote access to the device attached to it, by logging in as a dedicated SSH user on the MikroTik. It seemed very few people were aware of this option, so I figured I’d put a basic tutorial together on how to get it working.

Edit: There’s actually a rather complete explanation on the wiki – http://wiki.mikrotik.com/wiki/Manual:Special_Login

Edit 2: Another one (more in depth info in the manual) – http://wiki.mikrotik.com/wiki/Serial_Port_Usage#Accessing_a_serial_device_directly_by_SSH_.2F_telnet_.2F_mac-telnet
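The configuration the two manual pages above describe, written out as an added example rather than copied from the post. Names and values are assumptions: port serial0 at 9600 8N1, an account called console, and a management subnet of 10.10.40.0/24. The commands follow the /special-login feature of RouterOS v4/v5 as I remember it; check them against the linked manual page for your version before relying on them.

```routeros
# Added example, not from the post: expose a device's serial console through an SSH login on the router.
# Assumed values (change to suit): port "serial0", 9600 8N1, account "console", management subnet 10.10.40.0/24.

# 1. Match the serial settings of the attached device (switch, another router, modem, ...).
/port set serial0 baud-rate=9600 data-bits=8 parity=none stop-bits=1 flow-control=none

# 2. Release the port from RouterOS's own serial console; special-login cannot claim a port the console holds.
/system console disable [find port=serial0]

# 3. A dedicated account for the console only. group=read limits what it can do on the router itself and
#    address= restricts where it may log in from. Do NOT reuse the admin account for this.
/user add name=console group=read password="use-a-long-random-password" address=10.10.40.0/24

# 4. Bind the account to the port. Whoever SSHes in as this user lands on the attached device's console
#    instead of the RouterOS CLI.
/special-login add user=console port=serial0 disabled=no

# 5. Optional hardening: only accept SSH from the management subnet and prefer keys over passwords
#    (upload console.pub to the router first).
/ip service set ssh address=10.10.40.0/24
/user ssh-keys import user=console public-key-file=console.pub
```

After this, ssh console@router drops you straight onto the attached device’s console, and closing the SSH session releases it. The security point worth remembering is that the read group only constrains what the account can do on the MikroTik; the attached device sees a local console login and will usually hand over full access, so treat this credential exactly like physical console access to that device.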


Bug spotting – PPPoE and Hotspot

Came across an interesting (as yet unverified) bug today.

The info:

RouterOS v4.10 running on x86 server

The site runs both a hotspot and a PPPoE server on the same interface.

Users can choose to log in via the captive portal (which most do); those who understand PPPoE and wish to use it have the option of a PPPoE connection instead, as it comes with a public IP.

The problem:

A support call came in saying that a user was unable to access www.google.com (which for the sake of this example we’ll say resolves to 192.0.2.1). I checked, confirmed I could indeed ping and trace to the address, and put it down to a user issue, but left the ticket open for one of our on-site techs to give it a try.

— later on —

The on-site tech indicated he too had become unable to access www.google.com via the PPPoE login option: after getting a first-hop response from the gateway, the connection simply timed out.

The cause:

I’ll spare you everything I tested and tried over the next hour; the actual cause was rather interesting.

The hotspot’s host list (/ip hotspot host) had old entries from someone with an improperly configured IP address (in this case 192.0.2.1) who had tried to reach the login page at some point in the previous couple of days and was being held there. This meant that for users connected behind the PPPoE interfaces, traffic to 192.0.2.1 was being sent to that host RATHER than out the correct default route.

Why? No idea.

The solution:

When the hotspot was set up (we’d reinstalled the machine just recently) it appears someone had forgotten to set the ‘idle-timeout’ value on the hotspot user profile. This meant all these hosts were being held indefinitely, and the table was getting larger and larger (there were other incorrect addresses in there too).

Better solution, provided by MikroTik support:
You have the option to allow only specific subnets to reach the HotSpot network.
Add them to ip-binding, specify the subnets you would like to allow and set type=regular.
Block any other unneeded subnet with type=blocked.

E.g. (type=regular is the default; it is written out here so the intent of the first entry is explicit):

/ip hotspot ip-binding
add address=10.10.40.0/21 type=regular comment="Accept (not bypass) anything in the LAN range" disabled=no
add address=0.0.0.0/0 type=blocked comment="block all else" disabled=no

Side note: we don’t use the address-pool option on the hotspots, as that causes LAN traffic to pass back through (and be counted by) the router, which we don’t want (we let our users have unlimited LAN access to each other), so I’m at quite a loss as to why this routing pattern would occur.
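A check for the symptom described above, added here as an example and not part of the original post: walk the hotspot host table and report (optionally evict) any entry whose address is outside the LAN range. The LAN range 10.10.40.0/21 is taken from the ip-binding rules; everything else is assumed.

```routeros
# Added example, not from the post: find hotspot host entries that lie outside the LAN range.
# Assumed value: LAN range 10.10.40.0/21 (same as the ip-binding rules). Relies only on
# /ip hotspot host and the scripting "in" operator (ip in ip-prefix).
:local lan 10.10.40.0/21
:local stale 0

:foreach h in=[/ip hotspot host find] do={
    :local addr [/ip hotspot host get $h address]
    :local mac  [/ip hotspot host get $h mac-address]
    :if (!($addr in $lan)) do={
        :set stale ($stale + 1)
        :log warning ("hotspot host outside LAN range: " . $addr . " (" . $mac . ")")
        # Uncomment to evict the entry. With the ip-binding type=blocked rule in place it will not reappear.
        # /ip hotspot host remove $h
    }
}
:put ("hosts outside " . $lan . ": " . $stale)
```

Run it from a terminal (or put it in /system scheduler) while the blocked binding is bedding in; a non-zero count after the binding is active means something is still reaching the hotspot from an address it should never see.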

IPv6 and Mikrotik – Using 6to4

Please note this guide assumes some basic knowledge of IPv4 and IPv6 address space.

Many of you will have heard of the impending doom surrounding IPv4: the pool of remaining address ranges is nearly exhausted.

The question is, how many people are actually doing anything about it? Given the slow uptake worldwide, I thought it worthwhile to post here on how you can get IPv6 on your network now, with no support required from your upstream ISP and without having to send your traffic halfway around the world to a Hurricane Electric tunnel (hopefully). The only ingredient is a public IPv4 address: your 6to4 prefix is 2002::/16 followed by that address in hex, so a router at 192.0.2.1 (c0 00 02 01) owns 2002:c000:201::/48.

So, what is 6to4?

From: http://en.wikipedia.org/wiki/6to4

6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.
6to4 is especially relevant during the initial phases of deployment to full, native IPv6 connectivity, since IPv6 is not required on nodes between the host and the destination. However, it is intended only as a transition mechanism and is not meant to be used permanently.

Continue reading IPv6 and Mikrotik – Using 6to4

Freebies in SA (or How to download IP address lists to a Mikrotik)

In the state of Australia I currently live in, there are two major ISPs: Internode and Adam Internet.
Being a typical nerd living with other typical nerds, we of course have two ADSL connections, one to each of these providers, shared out amongst the house.

Internet Cafe. Now where's my Mocha?

However, each of these providers has what we call in Australia “unmetered content”, that is to say download traffic from these sources is not measured and deducted from our download allowances (yes, we have limits on what we can download).

So anyway, I’ll make like a sharp stick and get to the point.

We wanted to make sure that free traffic from each ISP would always go via that ISP’s link to save on our quotas, and each ISP offers a list of the free IPs in a nice text format: Continue reading Freebies in SA (or How to download IP address lists to a Mikrotik)
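The mechanics the title promises, as an added example written for this page rather than the post’s own script: fetch the ISP’s text list, load it into a firewall address-list, and policy-route matching traffic out that ISP’s link. The URL, file and list names, the LAN range and the gateway address are all hypothetical, and the list is assumed to be one IPv4 address or prefix per line with “#” comments.

```routeros
# Added example, not from the post: pull an ISP's "unmetered" prefix list into an address-list and
# policy-route matches out that ISP's link. All names, the URL and the gateway are hypothetical.
:local url      "http://example.net/unmetered.txt"
:local fileName "internode-unmetered.txt"
:local listName "internode-free"

/tool fetch url=$url dst-path=$fileName
# fetch normally blocks until done; the delay only guards older releases that return early
:delay 3s
# NOTE: the "contents" property is capped on RouterOS (4 KiB on older releases); see the note below.
:local data [/file get $fileName contents]

# Rebuild the list from scratch so prefixes the ISP has withdrawn disappear as well.
/ip firewall address-list remove [find list=$listName]

:local added 0
:while ([:len $data] > 0) do={
    :local nl [:find $data "\n"]
    :local line ""
    :if ([:typeof $nl] = "nil") do={
        :set line $data
        :set data ""
    } else={
        :set line [:pick $data 0 $nl]
        :set data [:pick $data ($nl + 1) [:len $data]]
    }
    # drop a trailing CR from CRLF files
    :if ([:len $line] > 0) do={
        :if ([:pick $line ([:len $line] - 1)] = "\r") do={
            :set line [:pick $line 0 ([:len $line] - 1)]
        }
    }
    # skip blank lines and comments
    :if ([:len $line] > 0) do={
        :if ([:pick $line 0] != "#") do={
            /ip firewall address-list add list=$listName address=$line comment="fetched from $url"
            :set added ($added + 1)
        }
    }
}
:log info ("address-list " . $listName . ": loaded " . $added . " entries")

# One-off policy routing (run once, not on every refresh): LAN traffic to a free prefix is marked and
# sent via the Internode link. 10.10.40.0/21 is the assumed LAN, 198.51.100.1 that link's gateway.
/ip firewall mangle add chain=prerouting src-address=10.10.40.0/21 dst-address-list=$listName action=mark-routing new-routing-mark=via-internode passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-internode
```

Schedule the fetch-and-load part nightly and keep the mangle/route lines out of the scheduled script. Two caveats a practitioner will hit: the contents property only returns the first few kilobytes of a file on older RouterOS, so a long list is better turned into a .rsc of add lines on a server you control and loaded with /import; and you are trusting whatever the ISP serves over plain HTTP to decide which of your flows take which link, so a list fetched over a hostile network could be used to steer traffic, which is an argument for fetching over HTTPS where the ISP offers it.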

Mikrotik Hotspot Authentication for IPv6 dual-stacked clients

In preparation for some IPv6 testing of our hotspot systems, I’ve come up with the following temporary authentication method for dual-stacked users.

Since the login redirect goes via an IPv4 web server, IPv6 traffic (if enabled) passes the hotspot unhindered. This is my work on enabling the IPv6 side of things when a user logs in to or out of the hotspot with a dual-stacked client.

This has been implemented on my demo v4.10 router and tested with both Mac OS X 10.6 and Windows 7 Ultimate x64. Continue reading Mikrotik Hotspot Authentication for IPv6 dual-stacked clients
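One way to close the gap described above, added here as an example and not the post’s own implementation: drop IPv6 forwarding from the hotspot segment by default, and have the user profile’s on-login and on-logout scripts insert and remove a per-client accept rule keyed on the client’s MAC address (a dual-stacked host’s IPv6 addresses, especially privacy addresses, cannot be predicted from its hotspot IPv4 lease). The bridge name and the comment tags are assumptions; $user and $"mac-address" are the variables the hotspot passes to those scripts.

```routeros
# Added example, not the post's script: tie a client's IPv6 access to its IPv4 hotspot login.
# Assumed names: hotspot bridge "bridge-hotspot", marker comment "v6-hs-deny", per-user tags "v6-hs-<user>".
# Assumes IPv6 connection tracking is available in the firewall.

# --- one-off: the baseline that closes the hole ---
# Replies to already-permitted flows are fine; anything else new from the hotspot side is dropped.
# Per-user accept rules are placed above the deny rule at login time.
/ipv6 firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-hotspot action=drop comment="v6-hs-deny"

# --- paste into /ip hotspot user profile <profile> on-login ---
:local mac $"mac-address"
:local tag ("v6-hs-" . $user)
# a re-login (roaming, lost session) must not leave duplicate rules behind
/ipv6 firewall filter remove [find comment=$tag]
/ipv6 firewall filter add chain=forward in-interface=bridge-hotspot src-mac-address=$mac action=accept comment=$tag place-before=[find comment="v6-hs-deny"]

# --- paste into /ip hotspot user profile <profile> on-logout ---
/ipv6 firewall filter remove [find comment=("v6-hs-" . $user)]
```

Two things to keep in mind before using this beyond a test bench. The accept rule trusts a MAC address, which any neighbour on the same segment can clone, so it grants exactly the same level of assurance as the IPv4 hotspot’s own host table and no more. And the rule lives only as long as the hotspot session: if a client vanishes without logging out, the rule is removed only when the hotspot itself logs the user out (idle or session timeout), which is one more reason to set those timeouts on the user profile, as the PPPoE/hotspot bug post above found out the hard way.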