11-Feb-2013

Vigor and IPTV
Last Friday I received the hardware to receive TV over IP for each TV; I now have a Motorola set-top box that will receive its software over the network. Unlike with the previous ISP, these are to be connected to the router. The signal is relayed in a different VLAN, not to be mixed with Internet traffic (so IPTV is not mixed with “normal” internet traffic) and VoIP – each of them travels in its own VLAN. So I had already set up the Vigor router to have this VLAN bridged to a particular port and a separate LAN, and the switch used locally has been divided as well. Because of this separate VLAN, it is addressed separately. I hooked up the Fritz!Box onto that LAN, as I am told it contains specific software to facilitate the Motorola boxes, connected one of the boxes to the Fritz!Box and had it boot.
It didn’t work as expected.
First of all, the receiver tries to connect to the network, but it found a DHCP service, which shouldn’t be there. However, this separate LAN doesn’t have one; I deliberately disabled this service. Nevertheless, the receiver complains about a DHCP service on the “home LAN”. Obviously, there is one, but it resides on the LAN on which the normal internet traffic runs – and due to the setup, this IPTV LAN should not locate it!
I did some experiments with the setup in both the Vigor and the Fritz!Box, and at some point the Motorola bootloader didn’t locate this DHCP service and started loading software; when that was done, I could watch television – but just the basics: no HD as I was expecting. It might have been too early 🙂
So that was one set working, so I saved both configurations and tried the second one.

Alas: the very same problem occurred: it ran into a service similar to DHCP. The first one, however, seemed to have been basically prepared, no longer complained, started to load screens and data, but it did not complete – it seemed to wait, and wait, and wait… for an answer that didn’t come. In the end, I decided to install the Fritz!Box for the time being, since it had already been set up to forward all internet traffic, so my experiments would not block any TV activity. Retesting will have to be done at moments when watching TV is not a priority….

However, there now is one advantage: it could well be that changing the address of the LAN on which IPTV is to be served will do the trick to pass IPTV through the Vigor: since both Motorola boxes have now been initialized, I know their address and their default gateway – and that should be the address of this LAN interface. Probably – it is to be determined shortly.

Another thing: I also have a facility to use a fixed prefix so that all services will be available over IPv6; and since this is a fixed one as well, it is likely that I can set this fixed in the Vigor router, bypassing the prefix-delegation problem. It is no problem either to have this router function as the DHCPv6 server in the home LAN, but that remains to be tested on OpenVMS. It might be that this server is not yet available….
Worst case, the Fritz!Box has to remain the main entrance; in that case I want all traffic but IPTV to be passed to the Vigor. It is possible to bridge the normal IP traffic only – including IPv6 – and leave VoIP on the Fritz!Box as well.
So this story is “To be continued”.

02-Feb-2013

Maintenance
No surprises.
PMAS statistics for January
Total messages    :   4578 = 100.0 o/o
DNS Blacklisted   :    677 =  14.7 o/o (Files: 31)
Relay attempts    :    155 =   3.3 o/o (Files: 31)
Accepted by PMAS  :   3746 =  81.8 o/o (Files: 31)
 Handled by explicit rule
        Rejected :   3101 =  82.7 o/o (processed),  67.7 o/o (all)
        Accepted :    304 =   8.1 o/o (processed),   6.6 o/o (all)
 Handled by content
       Discarded :     87 =   2.3 o/o (processed),   1.9 o/o (all)
    Quarantained :    203 =   5.4 o/o (processed),   4.4 o/o (all)
       Delivered :     51 =   1.3 o/o (processed),   1.1 o/o (all)

Just that on 01-Jan-2013, there have been 146 relay attempts where From: and To: were all the same, but the sender address was different. I guess the sender and recipient addresses have been forged; “test@live.com” would reside on one domain, not a bunch of seemingly random addresses :), every 5 – 6 minutes all day long…
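A check for the pattern just described (From: equal to To: while the envelope sender keeps changing, at a near-constant interval), written as an added example over constructed records; this is not PMAS output or rule syntax, and the record format, the sender addresses and the timestamps are all made up here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample of relay-attempt records (not PMAS output): each entry is
# (time, envelope MAIL FROM, header From:, header To:).
SAMPLE = [
    ("2013-01-01 00:03", "x9k2@example.net", "test@live.com", "test@live.com"),
    ("2013-01-01 00:09", "q7ab@example.org", "test@live.com", "test@live.com"),
    ("2013-01-01 00:14", "m11z@example.com", "test@live.com", "test@live.com"),
    ("2013-01-01 00:20", "h5rt@example.net", "test@live.com", "test@live.com"),
    ("2013-01-01 00:22", "alice@example.com", "alice@example.com", "bob@example.org"),
    ("2013-01-01 00:30", "test@live.com", "test@live.com", "test@live.com"),
]


def forged_self_addressed(records):
    """Records whose From: equals To: while the envelope sender is some other address."""
    return [r for r in records
            if r[2].lower() == r[3].lower() and r[1].lower() != r[2].lower()]


def summarise(records, min_count=3):
    """Group hits by the forged header address and report the count, the number of
    distinct envelope senders and the median gap in minutes between attempts.
    Addresses seen fewer than min_count times are left out as noise."""
    by_addr = defaultdict(list)
    for r in forged_self_addressed(records):
        by_addr[r[2].lower()].append(r)
    out = {}
    for addr, hits in by_addr.items():
        if len(hits) < min_count:
            continue
        times = sorted(datetime.strptime(h[0], "%Y-%m-%d %H:%M") for h in hits)
        gaps = [(b - a) / timedelta(minutes=1) for a, b in zip(times, times[1:])]
        out[addr] = {
            "count": len(hits),
            "senders": len({h[1].lower() for h in hits}),
            "median_gap_min": median(gaps) if gaps else None,
        }
    return out


if __name__ == "__main__":
    for addr, info in summarise(SAMPLE).items():
        print(addr, info)
```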
Since it is a new year, all 2012 data have been consolidated.
New ISP connection works, but…
I started with a Fritz!Box 3790 that was delivered by the ISP, but that does not have facilities to block addresses or networks, nor does it log the connections made, both incoming and outgoing.
But it does set up both an IPv4 and IPv6 connection.
The disadvantages, however, outweigh the advantages, so I bought a Draytek Vigor 2920Vn – the successor of the previously used Vigor 2910VGi, which doesn’t support IPv6.
Connecting the box to the ISP was no problem at all as far as IPv4 is involved, but the IPv6 connection is not created, though I have set up the router according to the requirements: DHCPv6_PD. But where the Fritz!Box doesn’t need anything special, the Draytek requests an IAID – Identity Authentication ID. Like the standard puts it: “A number, specified by the client, that must be consistent for this connection”.
Interpreted as: “I can set up that number, and it can be any, as long as it is used each time the connection should be set up”. That raises a question: what number – if any – has been specified by the Fritz!Box and where does it come from? I did save the configuration, and it is a readable file; however, it doesn’t mention anything like such an ID.
I have contacted Draytek support; the only thing still to try: change the MAC address to the one of the Fritz!Box – but I doubt that would be the solution since, AFAIK, IPv6 doesn’t use these hardware addresses for assigning IP addresses (what use would an IAID have). But it’s worth a try….
Another possibility is to switch down the connection – including the modem – for at least one hour, preferably longer. Who knows, it might trigger the DHCPv6 server to allow a new IAID.
I could also try to figure out what the Fritz!Box is generating; it could well be it uses its MAC address to create an IAID. Since this address cannot be changed in that router (at least, I didn’t see a possibility to do that) it could well be that this is the base for the ID to request an IPv6 prefix. I’ll have to ask the manufacturer…
Apart from this: the telephone connection works; the explanation on the ISP site on this matter is very clear and easy to follow – better than the IPv6 figures – which is VERY BASIC indeed. After I followed the instructions, the phones worked. For the moment only outgoing, because the numbers are not yet assigned, since they have been de-activated by the previous ISP when the connection was dropped – by mistake. Next Monday, all should work as intended, incoming as well.
Two more weeks (!) before IPTV is present.
Don’t ask me why these two actions cannot be done in parallel. It’s the administration at the ISP that can handle one request at a time.
WASD + PHP + WordPress
On the testbed, there is a problem with WordPress under WASD. On the main system (Diana), this parameter is 4 times as high, and I’m still using an older version that doesn’t redirect as much as the newer one. So I never ran into the problem. Nor does UMA – the biggest WASD user in the world, where a lot of PHP code is handled by a few permanent worker processes – including WordPress. Why don’t they have this problem?
It’s not a matter of mapping – I got that right with some advice from Mark Daniel – but for some reason the worker process that runs PHPWASD (the wrapper around PHPSHR) stops because of an I/O error on a file that has been opened several times before. I already found out that system parameter CHANNELCNT may play a role here, because at that moment the process has 512 channels open – the default value – and channel 513 will fail. SWS however doesn’t have this problem, and I think I know why: WordPress replies with status 301 (Redirected) several times, and the worker process running MOD_PHP (SWS’s wrapper around PHPSHR) will either end or clear its environment, freeing all channels; the redirection is then passed to either the same or another process (and that is what I have observed), so there will never be an accumulation of open channels. WASD, on the other hand, will pass the redirect to the worker process that returned the 301 status – with all channels still open (since the process wasn’t stopped) – and the new request will not re-initialize (closing all open channels), nor re-use channels already open. Instead, it will start from scratch, leaving open channels as they are – which in the end will lead to exhaustion of CHANNELCNT.
This is, however, still more speculation than proven. I still have to prove it; the problem, however, is that these processes will die after some time, so there is too little time to dig into the process… I did have a course on crash dump analysis a few years ago, so that shouldn’t be too much of a problem. But 6 years – without regular exercise – requires a refreshment of knowledge, and I knew I had the documentation somewhere…. But I found it, and now I’m able to look into the process – hopefully.
UMA would look on their systems why it doesn’t happen there – but I didn’t hear from them since they had other, urgent matters on their hands….

27-Jan-2013

New router installed
For a few years, I used a Draytek Vigor 2910 router, which includes WiFi and VoIP, and the ability to connect over ISDN (which I never used). That worked fine until the new ISP connection was delivered. The new ISP has higher demands: IPv6 and multi-VLAN, to begin with. To make it easy, they offer a router that is pre-configured for their connections: an AVM Fritz!Box 3790. It makes installation very easy, but the system has a few disadvantages compared to the Draytek: no logging to a syslog daemon; no facilities to block specific systems, ranges or networks. And, apparently, it causes delays on internal traffic.
So I bought its successor, the Vigor 2920Vn: it supports IPv6 and multiple VLANs.
Since this is the same line as its predecessor, you could expect that configuration would be just a matter of loading the last saved configuration and adjusting what’s added (and changed). But that is too simple. You have to do it all by hand, but that is not as bad as it sounds: access both of the routers and copy settings from one side to the other. In most aspects the UI is the same; in others, you really need to look further… But at some point, the basic configuration was such that I could connect to the ISP, and all Internet traffic – both outgoing and incoming – passes the router properly. Blocking works as well.
But accessing the Fritz!Box as an internal router – for VoIP – was a different matter, so I moved the phones to the Vigor as well. Both numbers now call out – calling them isn’t yet possible since the numbers were deactivated by the erroneous deactivation of the connection in the beginning of December and not yet installed at the new ISP. But I followed the instructions and it should work.
Another thing to test is IPTV, which has been set up in its own VLAN and bridged to a specific port (though it is yet another protocol) so the Fritz!Box will have its use as a normal device – I hope that will work. It seems there is specific software in that box so I’ll need it for IPTV – but if it works without it, even better. That will become clear when IPTV is enabled. Three more weeks….
There is still a minor issue, though it seems to have no real implications – for now, at least: the Vigor doesn’t get an IPv6 address. The ISP expects a DHCPv6 client that supports prefix delegation, but this router does not have a choice for “DHCPV6_IA_PD” as is mentioned in the manuals of the ISP. The configuration does show “DHCPv6_client” and a button for “prefix delegation” – and it requires an ID, but as the client, I can define my own. So I did, but still I don’t get an IPv6 address….
It might help to take down the connection for some time, in order to run into a timeout so it must be re-initiated from the ground up. It won’t pose a problem in IPv4 since it is assured the address won’t change, and it will actually re-initiate the IPv6 DHCP again.
Asking the ISP – and the supplier of the router – may also help.
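The ID asked for here, and discussed again in the 02-Feb post above, is the IAID of RFC 3633’s IA_PD option (there it expands to Identity Association Identifier): a 4-byte value that the client picks and must keep constant, because the delegating server keys the delegated prefix on the client’s DUID (RFC 3315; the DUID-LL form is built from a MAC address) together with that IAID. The following is an added example, not code from this post nor from either router’s firmware; the MAC address and the prefix are constructed values.

```python
import ipaddress
import struct

OPTION_IA_PD = 25      # RFC 3633, section 9
OPTION_IAPREFIX = 26   # RFC 3633, section 10
DUID_LL = 3            # RFC 3315, section 9.4 (link-layer address only)
HW_ETHERNET = 1


def build_duid_ll(mac: str) -> bytes:
    """DUID-LL: type code, hardware type, then the link-layer (MAC) address."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + bytes.fromhex(mac.replace(":", ""))


def build_ia_pd(iaid: int, t1: int = 0, t2: int = 0, prefixes=()) -> bytes:
    """OPTION_IA_PD body: IAID, T1, T2, followed by IA_PD Prefix sub-options.
    A client request normally carries no prefixes; a server reply does."""
    body = struct.pack("!III", iaid, t1, t2)
    for pref_len, prefix, pref_lt, valid_lt in prefixes:
        sub = struct.pack("!IIB", pref_lt, valid_lt, pref_len)
        sub += ipaddress.IPv6Address(prefix).packed
        body += struct.pack("!HH", OPTION_IAPREFIX, len(sub)) + sub
    return struct.pack("!HH", OPTION_IA_PD, len(body)) + body


def parse_ia_pd(option: bytes) -> dict:
    """Decode an IA_PD option; sub-options other than IA_PD Prefix are skipped."""
    code, length = struct.unpack_from("!HH", option, 0)
    if code != OPTION_IA_PD or length != len(option) - 4 or length < 12:
        raise ValueError("not a well-formed IA_PD option")
    iaid, t1, t2 = struct.unpack_from("!III", option, 4)
    prefixes, pos = [], 16
    while pos + 4 <= len(option):
        sub_code, sub_len = struct.unpack_from("!HH", option, pos)
        if sub_code == OPTION_IAPREFIX and sub_len >= 25:
            pref_lt, valid_lt, pref_len = struct.unpack_from("!IIB", option, pos + 4)
            addr = ipaddress.IPv6Address(option[pos + 13:pos + 29])
            prefixes.append((pref_len, str(addr), pref_lt, valid_lt))
        pos += 4 + sub_len
    return {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": prefixes}


def same_identity(duid_a: bytes, ia_a: bytes, duid_b: bytes, ia_b: bytes) -> bool:
    """A renewal is matched to the earlier delegation only if DUID and IAID both agree."""
    return duid_a == duid_b and parse_ia_pd(ia_a)["iaid"] == parse_ia_pd(ia_b)["iaid"]
```

A client that changes its IAID (or its DUID, e.g. by swapping the MAC a DUID-LL was derived from) therefore looks like a new client to the server, which is the situation the text suspects.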
Spam comments arrived
I got a few “comments” – actually spam messages – though you need to log in to comment, and these comments do not come from a logged-in user. The other source of these messages might be a trackback. So I disabled pings altogether.

16-Jan-2013

New ISP activated
Yesterday, even before the estimated time, the engineer came along to install the new fiber modem and the new router. No IPTV yet, nor VoIP, although the connections are present: it seems there is some administration to attend to first, but the new ISP has promised to work on it as fast as possible, since we’ve been unreachable by phone for over a month now…. Worst case it could take another 2-3 weeks…
Next was the challenge to have DNS updated as soon as possible, so a mail was sent after a phone call, but it was impossible to handle the request that night. But it would certainly be the next working day – that is: today. Indeed, it looks like between 15:00 and 15:30 (local time) the domain registrations were updated.
Outgoing internet was (mostly) working. But incoming wasn’t because of the DNS issue.
But that alone doesn’t mean all is well…
The new router (Fritz!Box 3790) is not connected to be a router: all connections are on the LAN switch, even the incoming one from the modem. No real problem since the router uses VLAN tagging, and the different VLANs are bridged to different ports; it seems that the one carrying the incoming signal is passing the firewall to connect to the port routing into the LAN – presumably all traffic would pass to the Vigor router that has been taking care of the boundary for years. In this respect, it would need to get another (fixed, or dynamic) address on the WAN port, and it would need to route all traffic over the new router.
However, that didn’t work as expected. Although I saw packets coming in, they were addressed to the internal address of the new router, and passing the answer back failed altogether, despite the default route being defined properly in the software. The answer would be to bypass the Fritz!Box – setting the VLAN up as a bridge, which has been done before (by a script) but that was not at all recommended.
This morning the first attempt was to use the Vigor 2910 instead, but that fails to connect, because it doesn’t support IPv6 and VLAN tagging, as does its successor (Vigor 2920) or its smaller brother 2310 – though it looks like that one misses the highly validated security facilities. And because the difference in price is not that big, I’ll purchase the first.
But to be able to be accessed in the meantime, I copied the port forwarding specification into the Fritz!Box; it didn’t help at first since there was a route left over from earlier attempts… Once that was taken off, it all seems to work now.

That is: until a message sent from one of the PCs was rejected due to denied access. Duh. The SMTP configuration still mentioned the SMTP server of the previous ISP as alternate gateway. After I changed that, mail also worked. Now it is a matter of waiting until the DNS update has propagated over the Internet so mails in transit will be delivered – at the right spot.

14-Jan-2013

Connection troubles – once more
At 12:21 local time (11:21 system time) the connection broke down again. Not just Internet (which I experienced), also phone and TV were gone. After waiting on the phone for about 20 minutes, I was able to contact my (then expected current) ISP to find out that the line had been taken over, presumably by my (then new) ISP, by which all services were gone, even the analogue and digital signal that are converted from fiber to coax. So I called the new ISP and, after again some waiting, I learned the line was indeed transferred and the new signal was all available on that connection. It’s just that the modem wasn’t installed.
This was weird, since I already had an appointment with the company that was to install that modem: on Feb. 1st, after postponing from Dec 28th. Indeed – but it was brought forward to today by the ISP; a ticket was created but since there already was an appointment set, there was no need to re-assign it to today.
Not too bright.
Anyway: the connection will be brought to life tomorrow (15-Jan-2013) between 16:00 and 17:00 – local time. Because the IP address for the new connection has been assigned already (at least, I got an address in the confirmation letter) I can ask my DNS registrar to reassign my addresses tonight. Or tomorrow morning, after confirmation from my ISP.
In the meantime, I can get by by specifying the addresses in the local configuration.