Monday, 28 November 2011

Running Django on Fasthosts

Yes, you read that right. This post contains details of how to run a Django application on Fasthosts.

You will need:

  1. A fasthosts linux hosting account with a MySQL database and SSH access, and with CGI enabled.
  2. A CentOS 5.6 virtual machine to set everything up on.

On your new, fresh CentOS virtual machine, run the following:

yum install mysql-devel gcc

Download and extract the python source code:

wget http://python.org/ftp/python/2.7.2/Python-2.7.2.tgz
tar xzvf Python-2.7.2.tgz
cd Python-2.7.2

Configure, make and install python:

./configure
make
make install

Now install setuptools:

wget http://pypi.python.org/packages/source/s/setuptools/setuptools-0.6c11.tar.gz
tar xzvf setuptools-0.6c11.tar.gz
cd setuptools-0.6c11
python setup.py install

This will allow us to use easy_install to install pip and virtualenv

easy_install pip virtualenv

Right, now log in to fasthosts via SSH, and run

pwd

This is your home folder. Back on your Centos box, create a folder using the exact path pwd gave you on fasthosts:

mkdir -p <folder>
cd <folder>

Now create a self-contained Python environment:

virtualenv --distribute --no-site-packages django

Activate the virtual environment:

source django/bin/activate

And you should now be able to install any packages you need for your application to run.

pip install django MySQL-python

You will also need the standard python libraries:

cp -R /usr/local/lib/python2.7/* django/lib/python2.7/

Copy your Django project to the django folder and scp it to the root of your home folder on fasthosts.

scp -r django <user>@<host>:./

You should now be able to ssh into fasthosts and run syncdb.

source django/bin/activate
cd django/<app name>
python manage.py syncdb

Copy any media files to htdocs/media and htdocs/static as required.

Finally, you need just two more files. This .htaccess in htdocs folder:

RewriteEngine on
RewriteRule ^cgi-bin/ - [L]
RewriteRule ^static/ - [L]
RewriteRule ^media/ - [L]
RewriteRule ^(.*)$ /cgi-bin/django.cgi/$1 [QSA,L]

The final file you need is django.cgi to go in your cgi-bin. Instructions of what you need to change can be found here: http://joemaller.com/1467/django-via-cgi-on-shared-hosting/

Wednesday, 8 June 2011

World IPv6 Day

I don't know how I managed to forget this, but today is World IPv6 Day. What this means is some of the major players have switched on IPv6 properly, disabling any white listing or any other means they have to stop it breaking the Internet for people who are not ready for IPv6.

What does this mean for most people? Nothing, unless Facebook has stopped working for you.

What does this mean for people who care and know what IPv6 means? Connections to Google and Facebook (amongst others) should be done over IPv6 connections. A quick netstat and a few reverse lookups are showing that it is working for me. About a third of all current TCP connections from the machine I am writing this post from right now are IPv6. It's a good step in the right direction.

Thursday, 26 May 2011

Expert Phone Support

Hi all, I can now reveal to you the commercial project I have been working on the past month, and they are currently accepting registrations.

The idea is, you post a question, and experts offer answers. You get an email with a premium rate number to call to be connected to the expert. The expert gets a percentage of the call revenue.

Why I think this idea is different:

  • You pay per minute of the call, not for full hours like a computer repair shop would
  • Your time with the expert is one-to-one, you don't drop it off, leave it and wait for a call
  • You can supervise the expert if you give them remote access. This means they can't go through your holiday snaps while you're not looking (sadly, this is a common practice)

Of course, I also see some issues with the way it works, but nothing that cannot be solved with a proper complaints procedure (required by law anyway). If you're interested check out the website at www.expertphonesupport.com and the Facebook Page.

Monday, 23 May 2011

Long Time, No Post

Has it really been a month since my last post? Well, basically I haven't posted in a while as all my spare time has been taken up by commercial projects, which I am not at liberty to discuss at this time. Once they are finished and out of the way I'll be able to point you towards them and get back on to IPSEC in DD-WRT.

Wednesday, 20 April 2011

UK Alternative Vote

Hi all, yesterday it occurred to me that I didn't really understand how votes are reallocated after each round in the proposed Alternative Vote system here in the UK. The Yes2AV group didn't help the case by explaining it almost as badly as the No2AV group, but after much discussion with friends I did refine it to a process that I did understand.

The basic idea is that you mark your preferences in order. This is simple enough to grasp. What isn't is when all the first preferences are added up and there is no majority (more than 50%), what happens next. The Electoral Reform Society has it as this:

"If no candidate gains a majority on first preferences, then the second-preference votes of the candidate who finished last on the first count are redistributed. This process is repeated until someone gets over 50 per cent."

To me that is just not clear about what is going on. I spent over an hour on the phone and still did not understand. So we began our own based around Ice Cream to help demonstrate what is going on. Full details can be found on Kitty's blog. It also includes the raw data and my Python implementation amongst others. I recommend you check it out, but I'll come back to it later.

The way I found best to understand this was this:
  1. Imagine your ballot paper is a queue, you choose who is first, second, third and so on in that queue.
  2. When the votes are counted, you count ONLY the first person of each queue.
  3. If one candidate has more than 50%, that candidate wins. If not, the lowest candidate is eliminated, and removed from ALL queues, meaning anyone behind them moves forward into their place. Any that were 2nd choices have now been effectively added to the first choices.
  4. Go to 2.

That may sound just as cryptic, but let's look at some visual examples. Say we have 3 candidates and 5 voters, and they vote the following. The votes are displayed horizontally, the preferences vertically, the green area being the first preference area.

So, blue has the least 1st preference votes, so is eliminated from the running, leaving this:


Now all the remaining votes move forward, like so:

And we now recount the votes in the green section. If there is still no majority, you continue eliminating the last place and moving votes forward until you do. In this case red wins even though all parties had the same number of votes, because it had the higher preference votes.

If a vote runs out of preferences, it is just discarded (and the quota is decreased accordingly) and the rules for tie-breaking depend upon the rules of the particular ballot you are participating in.

Hopefully you've understood that analogy. Now I'll talk some more about our test ballot. We took 70 votes for 5 candidate flavors of ice cream. Now using First Past The Post, Mint won, with 22 votes for and 44 votes against (the other 4 ballots were spoiled and invalidated). So more people would prefer not to have Mint than to have it.

This is where Alternative Vote comes in. The lowest vote was Strawberry, so we removed it from the votes, and moved the 2nd preferences forward. This was followed by the elimination of Fudge and Chocolate. What this left us with was Vanilla as the winner. It may not have had the most first preference votes, but because more people would accept it than mint (33 instead of 22), it's the least objectionable option, something the majority can enjoy.

So what does AV get us? More than one vote? No. Our first choice? Not necessarily. Someone we'd prefer over another candidate? Most definitely.

I'm not going to try sway anyone's vote for May 5th, everyone is entitled to their own opinion. Whatever your view, I hope this has helped you to understand the counting process under AV. 

Sunday, 17 April 2011

DD-WRT and wide-dhcp6-server

Hi all, it's been a little while since my last DD-WRT related post, but this will help anyone trying to fit all these extra features on a space budget.

Previously, I built ISC DHCP to get DHCPv6 onto my DD-WRT router. This is all well and good, but the required files to make it run are a little on the large side, considering the small amount of flash available on consumer routers. Wide is a whole 250k, making it much more suitable. It's also a lot simpler to compile.

As I mentioned before, my Netgear died, and I now have a Buffalo, therefore the --host section from here on will be different from my previous posts. So, let's get started by downloading and extracting the source:

# wget http://downloads.sourceforge.net/project/wide-dhcpv6/wide-dhcpv6/wide-dhcpv6-20080615/wide-dhcpv6-20080615.tar.gz
# tar xzvf wide-dhcpv6-20080615.tar.gz
# cd wide-dhcpv6-20080615

First thing we need to do is add this line to a new file called config.cache, to sort out things the configure script cannot for itself:

ac_cv_func_setpgrp_void=yes

From here, it's pretty much a simple configure and make, then copy the binary to the router:

# ./configure --prefix=/opt --host=mips-linux-uclibc --cache-file=config.cache LDFLAGS="-L -L/opt/lib -static" --with-localdbdir=/tmp
# make

That's that! If all went well, you should have a dhcp6s binary to copy to your router. Configuring it to serve just dns details is a single line config file, mine is /opt/etc/dhcp6s.conf. Simply replace with your IPv6 DNS servers.

option domain-name-servers 2001:db8::1;

To start the server, it's just a quick

# dhcp6s -c /opt/etc/dhcp6s.conf br0

Which you can also add to your startup script. That's it, you should now have a smaller working DHCPv6 server dishing out IPv6 DNS servers!

Monday, 11 April 2011

I'm still here! Also VoIP.

Again, sorry all for not keeping up with my old rate of blog posting. I recently became a father, and spent most of this weekend tidying the garden (it needed some urgent attention!).

I haven't had chance to sit down and get on with the DD-WRT stuff lately. On top of IPSEC, I also need to find a smaller DHCPv6 implementation that I can cross compile. 6MB is a bit large considering most routers have 4-8MB of flash. I've been looking at dibbler and wide-dhcpv6.

What I have done recently that may interest a number of you, is I've been getting my VoIP equipment set up again. A few friends and I started our own federated VoIP network a few years ago to call each other for free with no limitations, but I've extended my end to include DID numbers and (semi-)free international calls. I've been using Asterisk to manage all my different inbound and outbound accounts as I have many VoIP devices I wish to use, although the same can be done without.

So, here's the setup for a single device:
For outbound calls, the absolute cheapest is voipcheap. They have many subsidiaries for various countries and continents so the site you need may be different. The main two are VoipCheap.co.uk and VoipCheap.com. You set this account up on your SIP device. VoipCheap will give you 300 free minutes a week to selected destinations as long as you top up the account every 90 days. The minimum seems to be £10 for the UK one.

For a UK inbound number, try numbergroup.com. As far as I can tell, it's free for inbound numbers. Simply choose SIP as the destination and enter <voipcheap username>@sip.voipcheap.co.uk (or .com if you registered with .com). For a US inbound number (WA state), ipkall.com setup is similar, but they do make an automated call occasionally to make sure the number is still in use. If you want one in a different state, you can try Google Voice, although you need to set this up from a US IP address. This sets up a basic forwarding number, forward it to your ipkall assigned one.

That's it, you should now be able to make and receive calls to standard PSTN lines using your sip device. Remember to always dial the full number, including international and area codes. The only thing you're missing is caller ID. The first thing you need to do is verify the number with voipcheap. This will involve an automated call and typing in the digits read to you into your account settings page. You can only do this for the region you registered for VoipCheap in, mind. Once you've verified it, to actually use it you'll have to set it up on your SIP device. How to do this will vary so I'm not going to cover that here.

This setup works fine for a single user as you can only set one caller ID with voipcheap at a time, so if you're using this kind of setup to handle multiple numbers and phones, I'd consider using a paid outbound provider, numbergroup.com have very competitive rates and can often provide you with a contiguous group of numbers.

Anyway, hopefully that'll keep you all occupied for a while, with all the free international calls you'll all be making!

Wednesday, 30 March 2011

Netgear SPLODE!

It looks like new posts are going to be delayed further, thanks to the untimely death of my WNR3500L. I'm now in the process of replicating all my previous work for the WZR-HP-G300NH.

Wednesday, 23 March 2011

BusyBusyBusy

Hi everyone,

Just a quick one to say that I am still working on IPSEC in DD-WRT (it's taking much longer than expected).

I also spent some time creating a web application that notifies you via Gmail or Google Talk when new episodes of your favorite programmes appear on BBC iPlayer. You can find and sign up for the service here: http://iplayernotifier.appspot.com/

That project makes extensive use of one of the best web APIs I have ever come across. The BBC makes all programme information (details, schedules, episodes available on iPlayer) available in an array of formats, including XML and JSON. More details at http://www.bbc.co.uk/programmes/developers

Sunday, 6 March 2011

Adding DNS Records to Zones You Don't Have Access to

This particular problem came to me whilst setting up some internal services at the office. We're a small office for a much larger company, and we're not part of their network infrastructure. So in order to access our email, we have to VPN back to the main office using the Cisco VPN client, which takes it upon itself to change your DNS suffixes, meaning if (like me) you disable NetBIOS, anything on your local network will become inaccessible as soon as you connect to the VPN.

I've been googling around to try and get answers to this myself, only to find that a number of people are having similar problems. I then remembered my work with DD-WRT and IPv6, so gave the following a try.

This is because if we override the zone here, we cannot access the email servers at the other end of the tunnel, but when we connect it changes our local search order. We do not have access to change the DNS zone at the other end.

It does not however, modify your DNS servers or connection order, so there is something you can do. Install DNSmasq. You can specify results for certain queries in the configuration file, for example:

address=/test/test.localdomain/test.remotedomain/10.0.0.30
address=/test/test.localdomain/test.remotedomain/2001:0DB8::1

You can also configure this on the same machine as your existing DNS server, simply set it to run on a different port, then set DNSmasq to forward any queries it cannot answer itself to it, either in resolv.conf or in the config file itself.

server=10.0.0.30#2053

This can interfere with DNS registration, so be careful and creative with your solution if you still require it. You can also use DNSmasq as a DHCP server if necessary, but I do not have the access to disable the existing one here.

Sunday, 27 February 2011

Compiling ping6 for DD-WRT

Hi all, time for another relatively easy build, but one I've been asked for before, ping6. I used GNU inetutils ping6, here's how to get going.

With your cross compile environment set up using instructions from my previous post, get and unpack the inetutils source:

# wget http://ftp.gnu.org/gnu/inetutils/inetutils-1.8.tar.gz
# tar xzvf inetutils-1.8.tar.gz
# cd inetutils-1.8

You'll see what I mean when I say this is one of the easy ones. This package contains a lot of other applications which you probably don't want, including ifconfig (which I haven't yet worked out how to compile). To configure and build ping6, just do the following 2 commands:

# ./configure --host=mipsel-linux-uclibc --disable-clients --disable-servers --disable-ifconfig
# make

Assuming that went without a hitch, your new shiny ping6 binary can be found in the ping6 subdirectory. Copy that to your router and give it a go!

Next week I have a quick guide to an alternative use for DNSmasq.

Sunday, 20 February 2011

Compiling ISC DHCP 4.2.0 DD-WRT

Afternoon all, time for me to share how I compiled dhcpv6. This is not the smallest implementation by a long way, so make sure you have plenty of free space on your router for it. I have been looking at compiling other, smaller implementations but as yet I don't have any working builds. Here's how I got ISC DHCP 4.2 compiled and working.

Firstly you'll need to grab and unpack the source:
# wget http://ftp.isc.org/isc/dhcp/dhcp-4.2.0-P2.tar.gz
# tar xzvf dhcp-4.2.0-P2.tar.gz
# cd dhcp-4.2.0-P2

As I said before, this one was a little tricky, and getting it past the configure stage involved many hours of Googling. The first issue is that it fails trying to work out where /dev/random should be as it is a cross compile environment, then for the BIND libraries it fails to set the correct compilers up. So here's what we do.

# echo ac_cv_file__dev_random=yes > config.cache

This fools the configure script into thinking it's found /dev/random, we can now configure.

# ./configure --prefix=/opt --host=mipsel-linux-uclibc --cache-file=config.cache

The next bit is a little strange, but it works. We will run make, but we will cancel it as soon as it has unpacked the bind source with Ctrl+C. So:

# make

As soon as it says "Configuring BIND Export libraries for DHCP" press Ctrl+C to cancel. We need to make some small changes. (I probably should do a patch for this).

Open this file in your favorite text editor:

bind/bind-9.7.1/lib/export/dns/Makefile.in

Change ${CC} on line 163 to ${BUILD_CC}. Next modify this Makefile:
bind/Makefile

Line 48, replace ./configure with
BUILD_CC=gcc ./configure --host=mipsel-linux-uclibc --with-randomdev=/dev/random

Change back into the DHCP directory and start the build again.

# make
# make install

Copy the files over the same way we did last time. Now you've got it installed, time to get it working. DHCPv6 does not work the same way as DHCP, and is not the first port of call for clients. First, tell radvd that we have DHCPv6 for 'other' configuration information, not IPv6 addresses, so modify the radvd config to look like the following in the UI:

interface br0 { 
    AdvSendAdvert on; 
    AdvHomeAgentFlag on; 
    AdvLinkMTU 1480; 
    MinRtrAdvInterval 3; 
    MaxRtrAdvInterval 10;
    AdvOtherConfigFlag on; # this is the new flag to add
    prefix 2001:db8::/64 {
        AdvOnLink on; 
        AdvAutonomous on; 
        AdvRouterAddr on; 
    };
};

Next, we need to configure DHCP itself. Create the /opt/etc/dhcpd6.conf

default-lease-time 600;
max-lease-time 7200;

lease-file-name "/tmp/dhcp6.leases";

subnet6 2001:db8::/64 {
        option dhcp6.name-servers 2001:db8::1;
}

This is all that is required to tell clients to use IPv6 DNS servers. Change the prefix and name server as applicable for your network. DNSmasq supports IPv6 for dns forwarding, so we'll configure that next. In the UI for DNSmasq Additional Options, add:

interface=br0
server=2a01:348:0:1::e:1
server=2a01:348:0:1::f:1
server=8.8.8.8
server=8.8.4.4
no-resolv
strict-order

Replacing all the server= lines with the addresses of the upstream DNS servers you wish to use. The eagle eyed amongst you will notice that the IPv4 addresses are Google's dns service. The IPv6 ones are provided by Goscomb Technologies. Upstream IPv6 DNS servers are a requirement to access services that use what is known as 'dns whitelisting', that is, AAAA records are only served with end-to-end IPv6 connectivity.

The other 2 options override the resolv.conf and force it to try the IPv6 DNS servers first.

We now need to allow these new services in the firewall, with these commands:

# ip6tables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# ip6tables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# ip6tables -A INPUT -i br0 -p tcp -m tcp --dport 547 -j ACCEPT
# ip6tables -A INPUT -i br0 -p udp -m udp --dport 547 -j ACCEPT

Add these to startup/firewall.

Also add the following line to startup to make DHCPv6 start at boot:
dhcpd -6 -cf /opt/etc/dhcpd6.conf br0

Because of the number of settings we've just changed, I recommend you reboot your router. Once it's started you should have a working DHCPv6 server! Not all clients support DHCPv6 out of the box so you may need to do some tweaking. I can however confirm that this setup does work with Windows 7.

Now assuming I've not made any silly mistakes, that should be all you need to get that going. If there are any I'm sure you guys will be kind enough to point them out for me. I will be attempting other implementations of DHCPv6 that will hopefully be smaller and more lightweight. Next time (by request) will be instructions on compiling your own ping6. Those of you who asked about kismet will have to wait a while, as I am having more difficulty with that than DHCP.

Edit 2011-02-22: Added interface=br0 to the DNSmasq options as I discovered it didn't listen on IPv6 by default.

Sunday, 13 February 2011

Compiling ip6tables DD-WRT

Firstly, I'd just like to inform you all that it appears that I'm not the only person to have done this. Whilst Googling certain terms, I discovered another blog containing posts on setting up aiccu, radvd and ip6tables on DD-WRT here: http://blog.dest-unreach.be/. Please be aware that these blogs have both been written independently; no-one has stolen anything from the other.

Right then, back to the post topic, compiling ip6tables. For this, not only did I compile the kernel modules but the ip6tables binaries. From last time you should have the cross-compile environment set up. Add the toolchain relevant to you to your path:
# PATH=$PATH:/opt/toolchain-mipsel_3.3.6_BRCM24/bin
I've used the gcc3.3 version of the toolchain as I had some display issues when compiling with 4.2.

First, we'll compile the needed kernel modules. This line I did steal from the other blog. I distinctly remember running into this error, so in your Linux source directory, run
# echo "#define JHASH_GOLDEN_RATIO    0x9e3779b9" >> include/linux/jhash2.h
I added the following kernel options to .config
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_OWNER=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_RAW=m
Once you've added that, make sure that all dependencies are selected. You may also be asked for more options.
# make oldconfig
And to compile
# make modules
If you get errors about madwifi that force the build to fail, and don't need the madwifi drivers, the other blog mentioned earlier has a small snippet to get rid of that error.

The next thing to do is cd into the folder with the ip6tables modules and strip debugging symbols to make it nice and small.
# cd net/ipv6/netfilter
# mipsel-linux-uclibc-strip --strip-unneeded *.ko
And that should be it. You have now compiled all the modules we need to make ip6tables work. Copy these onto your router.

Now we'll move on to something more useful to our followers, compiling applications. The first one we'll do is the ip6tables userspace utilities. Please bear in mind that not all applications will compile easily or without tweaking. Firstly, grab and unpack the source code.
# wget http://www.netfilter.org/projects/iptables/files/iptables-1.4.10.tar.bz2
# tar -xjvf iptables-1.4.10.tar.bz2
# cd iptables-1.4.10
Now ip6tables is one of the easiest things to compile, as it seems to need little or no tweaking. Most configure scripts support a --host parameter which enables you to specify which platform to cross compile to. I also use --prefix=/opt so I can easily find just the binaries once compiled. We also only want the IPv6 version, as the IPv4 version is already installed.
# ./configure --prefix=/opt --host=mipsel-linux-uclibc --disable-ipv4
If that worked without any errors, you can now build ip6tables and optionally install them to whatever you set prefix as above. If you need to, run the install as root.
# make
# sudo make install
As I install DD-WRT stuff only to /opt, we can go through all the directories to strip the binaries to make them smaller.
$ cd /opt/bin
$ mipsel-linux-uclibc-strip --strip-unneeded *
$ cd /opt/sbin
$ mipsel-linux-uclibc-strip --strip-unneeded *
$ cd /opt/lib
$ mipsel-linux-uclibc-strip --strip-unneeded *.so
$ cd /opt/libexec/xtables
$ mipsel-linux-uclibc-strip --strip-unneeded *.so
We can also dispense with any man pages
$ rm -rf /opt/share
I find the easiest way to get these files onto the router is to tar them, scp the tar and extract it on the router. I have my usb stick mounted to /opt, too.
$ tar czvf ~/opt.tar.gz /opt
$ scp ~/opt.tar.gz root@router:/tmp
$ ssh root@router
(ssh) $ tar xzvf /tmp/opt.tar.gz -C /
(ssh) $ rm /tmp/opt.tar.gz
If all went well, you should now be able to run the following command without errors:
$ ip6tables -L
That's about it really; doesn't that look less painful? Now we just need to create some rules! There are some things to remember here: certain classes of ICMPv6 messages are required in all cases. I've not distinguished between them, however. For now, this should be sufficient:
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -P INPUT DROP
That allows the required icmpv6, related connections and ssh connections over IPv6 to the router. We'll add more later on when we come to use DHCPv6 and then DNS over IPv6. It may be wise to add these commands to startup.
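
The rules above accept every ICMPv6 type on every interface, and the firewall lines in the DHCPv6 post open port 53 without naming an interface. As an added example (not the author's ruleset), this script emits an INPUT policy that does distinguish between ICMPv6 types and keeps DNS, DHCPv6 and SSH on the LAN bridge; it relies on the hl match built above with CONFIG_IP6_NF_MATCH_HL. LAN_IF, DRY_RUN, the function names and the choice to limit SSH to the LAN are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the author's ruleset): a stricter IPv6 INPUT policy
# for the router in these posts. LAN_IF, DRY_RUN and the function names
# are assumptions made for this example.

LAN_IF="${LAN_IF:-br0}"   # LAN bridge used throughout the posts
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = run them

# Types RFC 4890 says must not be dropped: 1 destination unreachable,
# 2 packet too big (path MTU discovery), 3 time exceeded,
# 4 parameter problem, 128/129 echo request/reply.
ICMP_ANYWHERE="1 2 3 4 128 129"

# Neighbour discovery the router has to receive: 133 router solicitation,
# 135/136 neighbour solicitation/advertisement. Routers never forward
# these, so a genuine one always arrives with hop limit 255.
ICMP_ON_LINK="133 135 136"

# Refuse interface names that are not plain identifiers before they are
# placed on a command line.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the ruleset, one ip6tables command per line.
emit_rules() {
    valid_ifname "$LAN_IF" || { echo "bad interface name: $LAN_IF" >&2; return 1; }
    # Open the policy while rebuilding so an existing SSH session survives.
    echo "ip6tables -P INPUT ACCEPT"
    echo "ip6tables -F INPUT"
    echo "ip6tables -A INPUT -i lo -j ACCEPT"
    echo "ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for t in $ICMP_ANYWHERE; do
        echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    for t in $ICMP_ON_LINK; do
        echo "ip6tables -A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    # DNS and SSH are offered to the LAN only, not to the tunnel side.
    echo "ip6tables -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT"
    echo "ip6tables -A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT"
    echo "ip6tables -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"
    # DHCPv6 is UDP only; clients reach the server from link-local addresses.
    echo "ip6tables -A INPUT -i $LAN_IF -s fe80::/10 -p udp --dport 547 -j ACCEPT"
    echo "ip6tables -P INPUT DROP"
}

# Print the rules (dry run) or execute them one by one, stopping on the
# first command that fails.
apply_rules() {
    rules=$(emit_rules) || return 1
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

apply_rules
```

Run it as is to review the commands, then with DRY_RUN=0 on the router to load them.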

Next time we'll have a go at DHCPv6, a more complicated example which took me many hours and much Googling just to get past the configure stage. I'm also going to attempt kismet drone at some point in the near future.

Monday, 7 February 2011

DD-WRT Cross Compile Environment

At some stage you'll want to build and run software on your router that wasn't bundled with it, especially if you bought an open source one like I did. You will need a 64bit Linux environment, as the DD-WRT mips toolchains are built for that. I used Debian Lenny in VirtualBox to do this. You'll need a basic toolchain and subversion installed, so if like me you use Debian you'll need to install the subversion and build-essential packages. This page is adapted from the guides on the DD-WRT wiki.


Firstly get yourself the toolchains from http://www.dd-wrt.com/dd-wrtv2/downloads/others/sourcecode/toolchains/current-toolchains.tar.bz2 and extract. Be sure to add them to your path.

The next thing you need is the kernel source for the kernel you are running. I'm currently using 2.6.24.111 (which is wrongly labelled 2.6.23 in subversion). To get that run

svn co svn://svn.dd-wrt.com/DD-WRT/src/linux/brcm/linux-2.6.23

This also quite handily comes with the configuration they used to build the image. To use it:

cp .config_std .config
make oldconfig

That's the kernel sorted. From what I can remember at this stage, that's all I required to get going. Next time, we'll build ip6tables and get that installed on the router.

Sunday, 30 January 2011

PC Troubles

Hi all, sorry this week's post is not the anticipated Cross-Compile guide, this is due to the fact that I am having some PC problems at home which I am still trying to resolve. I've just had to RMA a brand new motherboard that arrived DOA.

I have already started writing the post, I just need to get the time with a non-broken computer to do so.

Sunday, 23 January 2011

DD-WRT IPv6 to Your Local Network

Last time I showed you how to get a dynamic tunnel from SixXs to a DD-WRT router. This time, we're going to get Router Advertisement going, the simplest way to distribute a routed subnet to your network. Router Advertisement only works with /64 prefixes, so if you have a larger one just pad out the extra with anything, just make sure you use the same prefix throughout.

The first thing you'll need to do is enable IPv6 forwarding and set up an address for your prefix on the local network. Although the latter is technically not required, it makes more sense than setting it as a route when you come to try fix any problems later. Run these two commands and add to startup, replacing with addresses that apply to you:

ip -6 addr add 2001:0DB8::1/64 dev br0
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

I should have mentioned in the last post that I am using the Big DD-WRT pack, which includes some basic IPv6 support, including the Router Advertisement Daemon, RADVD. This can be enabled from the web interface, and the configuration specified there too. Your configuration will look like the one below. I'm not sure what the comment character is, so you may need to remove them.

interface br0 {
    AdvSendAdvert on; # Send adverts
    AdvLinkMTU 1280; # Default tunnel MTU, stop fragmentation
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:0DB8::/64 { # replace with your prefix
        AdvOnLink on; # this prefix is on the local link
        AdvAutonomous on; # generate
        AdvRouterAddr on;
    };
};

Even though the options are in the browser user interface, radvd does not start automatically. To start it, run

radvd -C /tmp/radvd.conf

As with aiccu, it's probably a good idea to add this line to your startup script. Any IPv6 enabled machines should pick up an IPv6 address or two, and you should also see the router's link-local address in your default gateway list. That's it, you should be able to ping6 from any of your IPv6 enabled machines, and begin browsing via IPv6. Some sites (such as Google) will not serve AAAA records over IPv4 DNS queries. We'll detail how to get that working later on.

Seeing as this is a short post, I'll let you in to some options you can add to DNSmasq to make your network run a bit more smoothly, especially if you don't want to remember IPv6 addresses.

Firstly, set up a local domain name, something like 'home.local' and set that up as the domain name in the web interface. Enable the 'Local DNS' setting. Local machines acquiring an IPv4 address via DHCP will be automatically added to DNS. Of course, this doesn't help for IPv6.

As generated IPv6 addresses when using RA don't change (unless they are Temporary Addresses), you can manually add records to be served using the 'Additional DNSMasq Options'. Here's an example:

address=/pc1/pc1.home.local/2001:0DB8::5555

Well that should keep you going for a little longer. Next time, setting up a cross compile environment. There are some shortcomings in DD-WRT that we'll need to sort out ourselves. Namely DHCPv6 to distribute nameserver addresses, ip6tables for stateful firewalling, and ping6 as it's one of the search terms that gets referred here, so I assume there's a need for it. I may also post my binaries for each at a later date.

Sunday, 16 January 2011

DD-WRT IPv6 Support

Right, I suppose I started writing some technical content!

Recently, I purchased a Netgear WNR3500L router, basically because it is marketed as an open source router. The main features that make it particularly useful are its relatively large flash size, a USB port, and 64MB RAM, which make it more than good enough to run a few extra applications. This seemed like a good choice, as support for IPv6 in routers (including custom firmware) is limited, and there is some patchy documentation on getting everything working. I started off by flashing it to DD-WRT, a free custom firmware with basic IPv6 support.

My current ISP does not currently have support for native IPv6, so I need to use either 6to4 or a tunnel broker. As 6to4 is way down on the priority list, I headed over to SixXs and requested a tunnel. Signing up and requesting tunnels and subnets from them requires manual approval by staff, so some people may prefer to use Hurricane Electric instead.

While leaving the requests to go through, it's a good idea to start preparing the router. Basic set up was pretty simple; from here the fun begins. You need some space in which to install extra applications. This can either be in free space on the internal flash, or on an external USB stick (or even in RAM). I took the USB stick approach. You'll need to format it to a filesystem supported by the router. FAT32 is fine, but it's better to use ext2 (some packages need symbolic links). Once it's formatted, enable USB support through the Web UI, set up automatic mounting, and plug it in. Also make sure to enable Jffs2 support, even if you're not going to use it, as the ipkg command will complain otherwise.

Most of the rest of this setup needs to be done via ssh. Make sure the USB stick is mounted to your chosen mount point. I chose /opt. To actually use the tunnel we need aiccu, which automatically sets up dynamic tunnels (I won't cover static tunnels here). To install it, issue the following command:

ipkg -d /opt install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/aiccu_20070115-2.1_mipsel.ipk

Now to configure it. Assuming you've had your account and tunnel requests accepted, you should have a username and password. DD-WRT includes 'vi', a popular text editor (again, I'll assume you know how to use it). Open /opt/etc/config/aiccu and clear it. It needs to look something like this:

username ABCD-SIXXS # SixXs username
password ******** # SixXs password
protocol tic
server tic.sixxs.net
ipv6_interface sixxs
tunnel_id T***** # SixXs tunnel ID
verbose false
daemonize true
requiretls true # optional
defaultroute true
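
Because this file holds the tunnel password, it is worth checking before the first start. The script below is an added example, not part of the original post or of aiccu; the function names are made up for illustration. It reports a config that is accessible beyond its owner, lacks 'requiretls true', or is missing a credential line.

```shell
#!/bin/sh
# Added example: sanity-check an aiccu config before starting the tunnel.

# aiccu_opt FILE KEY -> value of the last uncommented "KEY value" line
aiccu_opt() {
    sed -e 's/#.*//' "$1" |
        awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# audit_aiccu FILE -> one finding per line; returns 0 if clean, 1 if not
audit_aiccu() {
    f=$1; findings=0
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    # Characters 5-10 of the mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: $f is accessible beyond its owner (chmod 600)"
        findings=1
    fi
    # With requiretls true the TIC login fails rather than continuing
    # without TLS; the post marks the option as optional.
    if [ "$(aiccu_opt "$f" requiretls)" != "true" ]; then
        echo "requiretls: not set to true"
        findings=1
    fi
    for key in username password tunnel_id; do
        [ -n "$(aiccu_opt "$f" "$key")" ] || { echo "$key: missing"; findings=1; }
    done
    return "$findings"
}

# Usage on the router: sh this-script /opt/etc/config/aiccu
if [ "$#" -gt 0 ]; then audit_aiccu "$1"; fi
```

On a FAT32-formatted stick chmod cannot restrict the file, which is one more reason to prefer ext2 for /opt.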


Now just get it up and running by issuing this command:

aiccu start /opt/etc/config/aiccu

That's it, you should now have tunnelled IPv6 connectivity to your DD-WRT router. Try using an online ping6 utility to ping it. I'm sure you'll also want to start the tunnel on boot; so from the web interface, modify the startup script to contain the line you just executed.

Now having IPv6 end at your router is not massively helpful, so my next post will be about how to configure router advertisement and distribute a routed subnet to your local network.

Until next time,
Andee out.

Monday, 10 January 2011

New Blog

Evening all, welcome to this, my new blog. This blog will contain only posts of a technical nature, following the development of this blog system and any other projects I take on, including those as a member of Canterbury Hackspace, an organisation founded by myself and naxxfish to promote and aid innovation by creating a pool of resources and knowledge. More information at canterbury.hackspace.org.uk

Now, I did start writing a totally new blog system in C and FCGI. This seemed like a good idea at the time to keep server resource use down. But as with a lot of my projects, I lost interest as there are plenty of free alternatives I can use without having to run them on my own server. This leaves it free to host my SVN repositories, my IP PBX and be my always-on shell server.