IP Access list. Deny ICMP

L3-AE-IOU1(config)#do sh run
Building configuration...

Current configuration : 1967 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname L3-AE-IOU1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
!
!
no ip domain-lookup
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!        
!
!
!
interface Ethernet0/0
 duplex auto
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 duplex auto
!
interface Ethernet0/2
 switchport access vlan 10
 switchport mode access
 duplex auto
!
interface Ethernet0/3
 duplex auto
!
interface Ethernet1/0
 shutdown
 duplex auto
!        
interface Ethernet1/1
 shutdown
 duplex auto
!
interface Ethernet1/2
 shutdown
 duplex auto
!
interface Ethernet1/3
 shutdown
 duplex auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Vlan1
 ip address 10.0.32.1 255.255.255.0
!
interface Vlan10
 ip address 10.0.33.1 255.255.255.0
 ip access-group 100 in
!
!
no ip http server
!
ip route 0.0.0.0 0.0.0.0 10.0.32.20
!
access-list 100 deny   icmp host 10.0.33.37 any
access-list 100 permit ip any any
!
!
!        
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

The access list applied inbound on Vlan10 (ip access-group 100 in) denies every ICMP type sourced from host 10.0.33.37, which is PC2 in the given diagram, and permits all other IP traffic, so PC2 cannot ping anything the switch has to route for it. Two things to keep in mind: the list is evaluated top down and the first match wins, so the permit ip any any line must stay below the deny; and the ACL only sees traffic entering the Vlan10 SVI, so PC2 can still ping other hosts inside VLAN 10, because that traffic is switched at layer 2 and never reaches the routed interface.
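To make the first-match rule concrete, here is a small evaluator for numbered extended ACLs, written for this page as an added example (it is not IOS code and not from the original post). It parses the two access-list 100 lines exactly as show run prints them, walks them top down and falls back to the implicit deny. The sample packets are constructed, and 10.0.33.37 is taken to be PC2 as the ACL implies:

```python
"""First-match evaluation of a Cisco numbered extended ACL (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Protocol keywords the page's ACL uses; "ip" matches any protocol.
IP_PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: any | host A | A WILDCARD.

    Returns ((network, wildcard) as ints, index of the next token)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _addr_match(spec, ip):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (net & ~wild)


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: Optional[int]         # IP protocol number, None = any
    src: Tuple[int, int]         # (network, wildcard)
    dst: Tuple[int, int]

    @classmethod
    def parse(cls, line):
        # e.g. "access-list 100 deny   icmp host 10.0.33.37 any"
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"not an extended ACL entry: {line!r}")
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        return cls(t[2], IP_PROTOCOLS[t[3]], src, dst)

    def matches(self, proto, src_ip, dst_ip):
        if self.proto is not None and self.proto != proto:
            return False
        return _addr_match(self.src, src_ip) and _addr_match(self.dst, dst_ip)


def evaluate(acl_lines, proto, src_ip, dst_ip):
    """Action of the first matching entry, top down; implicit deny if none."""
    proto_num = IP_PROTOCOLS[proto]
    for entry in (AclEntry.parse(line) for line in acl_lines):
        if entry.matches(proto_num, src_ip, dst_ip):
            return entry.action
    return "deny"  # every IOS ACL ends with an invisible "deny ip any any"


# access-list 100 from the page, exactly as show run prints it.
ACL_100 = [
    "access-list 100 deny   icmp host 10.0.33.37 any",
    "access-list 100 permit ip any any",
]

if __name__ == "__main__":
    # Constructed sample packets: PC2 (10.0.33.37) and a neighbour, towards the router.
    for proto, src, dst in (("icmp", "10.0.33.37", "10.0.32.20"),
                            ("tcp", "10.0.33.37", "10.0.32.20"),
                            ("icmp", "10.0.33.38", "10.0.32.20")):
        print(f"{proto:4} {src} -> {dst}: {evaluate(ACL_100, proto, src, dst)}")
```

Swapping the two lines (permit first) lets PC2's pings through, and a list containing only the deny line drops everything else as well; both cases are worth trying against the evaluator before trusting an ACL on a real device.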

Adding multiple IP addresses to a single interface on a Cisco router

Configure the primary address first, then add the others with the secondary keyword; without it, a second ip address line simply replaces the first:

interface Vlan10
 ip address 10.0.34.1 255.255.255.0
 ip address 10.0.33.1 255.255.255.0 secondary

Both subnets then share one broadcast domain on VLAN 10, and an ACL applied to the SVI (like access-list 100 above) is evaluated for traffic from both.


VLAN Routing

The L3 switch routes between Vlan1 (10.0.32.0/24) and Vlan10 (10.0.33.0/24) and sends everything else to the MikroTik router at 10.0.32.20 through its static default route; the router in turn needs a return route for 10.0.33.0/24 via 10.0.32.1, which the RouterOS config further down provides. Full configuration of the L3 switch:

L3-AE-IOU1#sh run
Building configuration...

Current configuration : 1923 bytes
!
! Last configuration change at 12:42:13 UTC Wed Oct 25 2017
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname L3-AE-IOU1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
ip cef
!
!      
no ip domain-lookup
no ipv6 cef
ipv6 multicast rpf use-bgp
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!      
!
!
!
!
!
interface Ethernet0/0
 duplex auto
!
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 duplex auto
!
interface Ethernet0/2
 switchport access vlan 10
 switchport mode access
 duplex auto
!
interface Ethernet0/3
 duplex auto
!
interface Ethernet1/0
 shutdown
 duplex auto
!
interface Ethernet1/1
 shutdown
 duplex auto
!
interface Ethernet1/2
 shutdown
 duplex auto
!
interface Ethernet1/3
 shutdown
 duplex auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Vlan1
 ip address 10.0.32.1 255.255.255.0
!
interface Vlan10
 ip address 10.0.33.1 255.255.255.0
!
!
no ip http server
!
ip route 0.0.0.0 0.0.0.0 10.0.32.20
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end

L3-AE-IOU1#

Router Config (MikroTik RouterOS; ether1 faces the L3 switch, ether2 gets its address by DHCP):

/ip address
add address=10.0.32.20/24 interface=ether1 network=10.0.32.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add check-gateway=ping distance=1 dst-address=10.0.33.0/24 gateway=10.0.32.1

Note that the masquerade rule has no out-interface match, so every new connection leaving the router on any interface gets its source rewritten, including connections forwarded toward the LAN on ether1. Adding out-interface=ether2 confines the NAT to the upstream side and keeps the real source addresses visible to the hosts behind the L3 switch.

How to connect to GNS3 from Local Windows System?

This article also tries to answer the following questions:
1. How to connect to remote topology running on GNS3 VM?
2. How to access Mikrotik Routers running inside GNS3 VM from Local System using Winbox?

=> Steps to follow:
1. Install the OpenVPN TAP driver: download and install the OpenVPN client, which bundles the TAP-Windows adapter.
2. Check the adapter. By default the TAP connection shows as Unplugged (see TAP #1 in the snap), and you need it Up. To bring it up, open the adapter's Properties, then Configure, then the Advanced tab, and set Media Status to Always Connected as shown:

And you are done. Now, to connect to a remote topology running on the GNS3 VM, do what is shown in the snap:

And that's all.

Using a "Microsoft Loopback Adapter" also accomplishes the same thing.

How to remove the Suspend option from Ubuntu Desktop?

Edit the following file with root privileges:
sudo gedit /usr/share/polkit-1/actions/org.freedesktop.login1.policy

Search for each of the following action ids:
org.freedesktop.login1.suspend
org.freedesktop.login1.suspend-multiple-sessions
org.freedesktop.login1.suspend-ignore-inhibit

For each of them, change the <defaults> block that follows from yes (or whatever it currently says) to no:
    <defaults>
         <allow_any>no</allow_any>
         <allow_inactive>no</allow_inactive>
         <allow_active>no</allow_active>
    </defaults>
Save the file and reboot.

Keep in mind that /usr/share/polkit-1/actions is owned by the package that ships the file, so a package upgrade can restore the original; an override under /etc/polkit-1 survives upgrades, but the edit above is the quick way.

Following are the snaps depicting the whole process and before and after Results:



Huawei Router Basics

Set up multiple IP addresses on a single interface:

[R1-Ethernet0/0/0]ip address 10.0.0.5 30
[R1-Ethernet0/0/0]ip address 10.0.0.1 30 sub

The sub keyword at the end is vital: without it, the second IP address replaces the first one when entered.

Setting up a Banner at Login Prompt:
[R1]header ?
  login  Specify the login authentication banner
  shell  Specify the start banner of session

[R1]header login information "All activities are Logged and Reported"

To set up a welcome message, do the following from system-view:
[R1]header shell information "Don't fuck the Router!"



=> Full configuration of a Huawei router (note that this dump also has snmp-agent enabled and an admin user with service-type http; disable whatever you do not actually use):
[R1]display current-configuration
[V200R003C00]
#
 sysname R1
 header shell information "Dont fuck Me!"
 header login information "All activities are Logged and Reported"
#
 snmp-agent local-engineid 800007DB03000000000000
 snmp-agent
#
 clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
 drop illegal-mac alarm
#
 set cpu-usage threshold 80 restore 75
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
 local-user admin service-type http
#
firewall zone Local
 priority 15
#
interface Ethernet0/0/0
 undo portswitch
 ip address 10.0.0.5 255.255.255.252
 ip address 10.0.0.1 255.255.255.252 sub
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface NULL0
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$K:.D5\N-`HV3!!QH)FWM,#@yXUz6WS!/BL74f'~K
)]CE#@|,%$%$
 idle-timeout 20 0
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return

Web Filtering solution for Network Administrators

Following are some options for filtering ads and other unnecessary garbage:
1. Filtering proxy [Privoxy]
2. DNS [BIND loopback zone, i.e. resolving the ad domains to 127.0.0.1]
3. Browser add-ons
4. Filtering gateways

Setting up Console Password in Huawei Router.

Following is a transcript of setting the console password (the partial commands and the ? lines are tab completion and help lookups along the way):

<Huawei>system
<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]user-in
[Huawei]user-interface con
[Huawei]user-interface console ?
  INTEGER<0-0>  The first user terminal interface to be configured
[Huawei]user-interface console 0
[Huawei-ui-console0]auth
[Huawei-ui-console0]authentication-mode pass
[Huawei-ui-console0]authentication-mode password ?
  <cr>  Please press ENTER to execute command
[Huawei-ui-console0]authentication-mode password
Please configure the login password (maximum length 16):5
[Huawei-ui-console0]set auth
[Huawei-ui-console0]set authentication ?
  password  Set the password for a user interface
[Huawei-ui-console0]set authentication pas
[Huawei-ui-console0]set authentication password cip
[Huawei-ui-console0]set authentication password cipher soham
[Huawei-ui-console0]display this
[V200R003C00]
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %$%$/Dm-2^"<q%@._VF2XstE,.8B"%PwT:]*e<Q(@oX=
\*@!.8E,%$%$
user-interface vty 0 4
user-interface vty 16 20
#
return
[Huawei-ui-console0]

Fix a network driver issue without restarting. Fix the Local Area Connection properties window showing blank.

Sometimes, after installing a packet-filter driver on Windows, the Local Area Connection Properties window comes up blank.

Following is a screenshot of the problem:


You can fix it as shown in the screenshot, by restarting the NPF service (NetGroup Packet Filter, the WinPcap capture driver):

net stop npf
net start npf

Run this from an elevated command prompt. It reloads the packet-capture driver without a reboot.

Remove desktops such as Plasma, MATE etc. from the desktop switcher menu in Ubuntu

Do the following, as shown in the screenshot, to remove the Plasma entry from the desktop environment (session) menu of the LightDM login screen:

Network Simulators for Windows


Above is eNSP, which simulates Huawei devices.

Following is HP Network Simulator, which simulates HP devices:


You must install VirtualBox-5.0.16-105871-Win on Windows 7, as only that particular version works with both eNSP and HP Network Simulator. You also need to set this environment variable: Vbox_Install_Path=

Deleting VMNET Adapters from Windows PC

Following is the code you need to run in an elevated CMD, one command per adapter (vmnet0, vmnet1 and vmnet8, the default bridged, host-only and NAT adapters, are not in the list):

"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet2
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet3
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet4
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet5
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet6
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet7
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet9
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet10
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet11
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet12
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet13
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet14
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet15
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet16
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet17
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet18
"C:\Program Files (x86)\VMware\VMware Workstation\vnetlib.exe" -- remove adapter vmnet19

Adding "Open Command Prompt" in Windows Right Click Context Menu


Above is a screenshot of the three menu entries: Open cmd here as Administrator, Open command prompt, and Open elevated command prompt.

Each one does what its name says.

Following is the code that adds the first menu. Copy it, save it as 1.reg, then double-click the .reg file to merge it into the Windows registry:
Open cmd here as Administrator
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\Directory\shell\runas]
[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Open command window here as Administrator"
"HasLUAShield"=""
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /s /k pushd \"%V\""
[-HKEY_CLASSES_ROOT\Directory\Background\shell\runas]
[HKEY_CLASSES_ROOT\Directory\Background\shell\runas]
@="Open command window here as Administrator"
"HasLUAShield"=""
[HKEY_CLASSES_ROOT\Directory\Background\shell\runas\command]
@="cmd.exe /s /k pushd \"%V\""
[-HKEY_CLASSES_ROOT\Drive\shell\runas]
[HKEY_CLASSES_ROOT\Drive\shell\runas]
@="Open command window here as Administrator"
"HasLUAShield"=""
[HKEY_CLASSES_ROOT\Drive\shell\runas\command]
@="cmd.exe /s /k pushd \"%V\""
[-HKEY_CLASSES_ROOT\LibraryFolder\background\shell\runas]
[HKEY_CLASSES_ROOT\LibraryFolder\background\shell\runas]
"HasLUAShield"=""
@="Open command window here as Administrator"
[HKEY_CLASSES_ROOT\LibraryFolder\background\shell\runas\command]
@="cmd.exe /s /k pushd \"%V\""
To always run Windows cmd.exe as Administrator you can add the following. Be aware that it makes every cmd.exe launch trigger a UAC prompt and run elevated, which defeats the point of a standard-user shell; prefer the context-menu entries above and elevate only when you need to:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Windows\\System32\\cmd.exe"="~ RUNASADMIN"
"C:\\Windows\\SysWOW64\\cmd.exe"="~ RUNASADMIN"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\Windows\\System32\\cmd.exe"="~ RUNASADMIN"
"C:\\Windows\\SysWOW64\\cmd.exe"="~ RUNASADMIN"
For the other two menus you need to download and install CmdOpenInstall-2.1.0.exe. Search for it and install it, but since it modifies the registry and runs elevated, fetch it from a source you trust and check the download before running it.

Creating VLANs in GNS3 with MikroTik RouterOS and Cisco

When you create a VLAN in GNS3 on a MikroTik RouterOS (MROS) node, it is crucial to know which adapter model you have selected under network interfaces. Specifically, the Intel e1000 adapter handles VLAN tags in hardware, so when you select it the emulation tries to reproduce that offload behaviour, and the result is incorrect.

Use the Realtek adapter model for all MROS emulations; it works well.

For a QEMU-emulated Windows XP you must use the e1000 adapter, as it lets you set the VLAN in the Ethernet adapter's properties. You will need to install the Intel PRO Ethernet adapter driver and its advanced services, which is where the VLAN support lives.

Browser Choices available for Windows Platform

Following is a screenshot containing list of Browsers available for Windows Platform:


OSPF Basics - MultiArea OSPF with three Routers in GNS3

Requirement: connect R1 and R3 at layer 3 using OSPF, with the two routers in different areas.
Following is a snap of the current topology:
R2 sits in the middle and lets R1 and R3 reach each other, but R1 is in area 1 and R3 in area 2, and neither link is in area 0.

Following are the OSPF Configurations of three Routers:

R1:
c3725-R1(config)#do sh run | begin ospf
router ospf 1
 log-adjacency-changes
 network 1.1.1.0 0.0.0.255 area 1

R2:
c3725-R2(config)#do sh run | begin ospf
router ospf 1
 log-adjacency-changes
 redistribute connected
 network 1.1.1.0 0.0.0.255 area 1
 network 1.1.2.0 0.0.0.255 area 2
 default-information originate always

R3:
c3725-R3(config)#do sh run | begin ospf
router ospf 1
 log-adjacency-changes
 network 1.1.2.0 0.0.0.255 area 2

The above configuration produces the routing tables below. Note what is missing: neither area is area 0, so R2 has no backbone interface and does not act as an ABR, and no inter-area (O IA) routes for 1.1.1.0/24 or 1.1.2.0/24 appear on R1 or R3. The redistribute connected on R2 adds nothing here either, because without the subnets keyword only classful networks are redistributed and both links are subnets of 1.0.0.0/8. R1 and R3 reach each other only through the type 5 default route that default-information originate always injects on R2, which is why each of them shows a single O*E2 0.0.0.0/0 entry and R2 itself learns nothing:

R1:
c3725-R1(config)#do sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 1.1.1.2 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 1.1.1.2, 00:06:15, Serial1/0

R2:
c3725-R2(config)#do sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/24 is subnetted, 2 subnets
C       1.1.1.0 is directly connected, Serial1/0
C       1.1.2.0 is directly connected, Serial1/1

R3:
c3725-R3(config)#do sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 1.1.2.1 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.2.0 is directly connected, Serial1/0
O*E2 0.0.0.0/0 [110/1] via 1.1.2.1, 00:06:17, Serial1/0

Debugging and Fixing Audacity Crash on Ubuntu 16.04.

I was getting a crash of the Audacity audio editor at start. No error message was shown except

(Audacity:14109): Gtk-WARNING **: gtk_disable_setlocale() must be called before gtk_init()

, which was never the actual problem.

I tried to fix the issue by installing an old version, a new version and also the i386 version of the same. None fixed it.

I had to remove naspro-bridges to correct the issue. But that is not the agenda of this post; the way I found the solution is the subject of interest here.

The first step is to install Valgrind. The second is to run Audacity via Valgrind to find the faulting module:
sudo apt install valgrind
valgrind /usr/bin/audacity
Valgrind reports the invalid memory access that causes the crash together with a backtrace, and the backtrace names the shared object in which it happened. Find the package that ships that file and remove it via Synaptic or apt.

 

Fix Mouse Pointer regression on GNS3 QEMU VMs

In some VMs you will notice that connecting via VNC gives a very bad mouse cursor movement experience: the guest pointer lags or drifts away from the host pointer, because the emulated PS/2 mouse only reports relative motion.

Replace the existing -nographic in the QEMU options with the following:

-nographic -usbdevice tablet -vga std -nodefaults

The USB tablet reports absolute coordinates, which is what VNC needs; newer QEMU releases prefer -device usb-tablet for the same thing. Note that -nodefaults also strips QEMU's default devices (default NIC, serial port and so on), which is why the VGA adapter is named explicitly here; make sure anything else you rely on is listed explicitly too.

Adding new Context Menus in Nemo File Manager running under Ubuntu 16.04

You might have heard of the nautilus-actions configuration tool. There is no similar tool for the Nemo file manager.

You need to create the configuration files manually under /usr/share/nemo/actions/ (for all users) or ~/.local/share/nemo/actions/ (for your user only).

I am assuming the applications 'gmrun' and 'mousepad' are both installed:
sudo apt install gmrun mousepad

Save the following as open-gmrun-as-root.nemo_action (the .nemo_action extension is required; Nemo only loads files with that suffix).

[Nemo Action]
Active=true
Name=Run Program as Root
Comment=Run Program as Root
Exec=gksu gmrun
Icon-Name=nemo
Selection=none
Extensions=any
EscapeSpaces=true

Exit Nemo and re-open it; the newly created context menu will be there. Note that gksu is no longer shipped after Ubuntu 16.04, so on newer releases use pkexec (or a terminal with sudo) in the Exec line instead.

Following are the others configs I have-

=> edit-with-mousepad.nemo_action

[Nemo Action]
Active=true
Name=Edit with Mousepad
Comment=Edit with Mousepad
Exec=mousepad %F
Icon-Name=mousepad
Selection=s
Extensions=nodirs
EscapeSpaces=true



=> open-gmrun.nemo_action

[Nemo Action]
Active=true
Name=Run Program
Comment=Run Program
Exec=gmrun
Icon-Name=nemo
Selection=none
Extensions=any
EscapeSpaces=true

Following are the screen-shots for your information:








Creating bridge on CentOS.

brctl addbr br0                  # create the bridge
brctl addif br0 enp0s8           # enslave the physical NIC (addif needs the bridge name)

brctl delif br0 enp0s8           # undo: take the NIC out of the bridge again

ip link set enp0s8 up
ip link set br0 up               # or, with net-tools: ifconfig br0 0.0.0.0 up (bridge without an address)

A NIC enslaved to a bridge no longer uses its own IP address, so do not do this over the interface you are logged in through; any address the host needs belongs on br0 afterwards. bridge-utils is deprecated on current CentOS releases in favour of the iproute2 bridge support, but the commands above still work wherever brctl is installed.

Setting up static IPs from the same subnet, each on its own interface, through one gateway

Two interfaces in the same subnet on one Linux host cause two problems: the kernel answers ARP for either address on whichever interface receives the request, so the gateway may learn both addresses behind one MAC, and replies leave through whichever interface the main routing table picks rather than the one the request arrived on. arp_filter fixes the first, source-based policy routing the second.

1. Enable ARP filtering, so an interface only answers ARP for addresses the kernel would route out of that same interface:
# sysctl -w net.ipv4.conf.all.arp_filter=1
# echo "net.ipv4.conf.all.arp_filter = 1" >> /etc/sysctl.conf
 
2. Configure /etc/network/interfaces as follows (Debian/Ubuntu ifupdown syntax):

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
   address 7.7.7.4
   network 7.7.7.0
   netmask 255.255.255.0
   broadcast 7.7.7.255
   up ip route add 7.7.7.0/24 dev eth0 src 7.7.7.4 table eth0table
   up ip route add default via 7.7.7.1 dev eth0 table eth0table
   up ip rule add from 7.7.7.4 table eth0table
   up ip route add 7.7.7.0/24 dev eth0 src 7.7.7.4

auto eth1
iface eth1 inet static
   address 7.7.7.5
   network 7.7.7.0
   netmask 255.255.255.0
   broadcast 7.7.7.255
   up ip route add 7.7.7.0/24 dev eth1 src 7.7.7.5 table eth1table
   up ip route add default via 7.7.7.1 dev eth1 table eth1table
   up ip rule add from 7.7.7.5 table eth1table
   up ip route add default via 7.7.7.1 dev eth1
   up ip route add 7.7.7.0/24 dev eth1 src 7.7.7.5
 
Add the following two lines to /etc/iproute2/rt_tables before bringing the interfaces up, so that the table names used in the up commands resolve:

10 eth0table
20 eth1table

Afterwards ip rule show should list the two from rules above the main table, and ip route show table eth0table (and likewise for eth1table) should each show the connected network and a default route via 7.7.7.1.

The following section of the Linux Advanced Routing & Traffic Control HOWTO (LARTC, section 4.2, Routing for multiple uplinks/providers) explains the same technique for two providers and is also relevant:

A common configuration is the following, in which there are two providers that connect a local network (or even a single machine) to the big Internet.
                                                                 ________
                                          +------------+        /
                                          |            |       |
                            +-------------+ Provider 1 +-------
        __                  |             |            |     /
    ___/  \_         +------+-------+     +------------+    |
  _/        \__      |     if1      |                      /
 /             \     |              |                      |
| Local network -----+ Linux router |                      |     Internet
 \_           __/    |              |                      |
   \__     __/       |     if2      |                      \
      \___/          +------+-------+     +------------+    |
                            |             |            |     \
                            +-------------+ Provider 2 +-------
                                          |            |       |
                                          +------------+        \________
There are usually two questions given this setup.

4.2.1. Split access

The first is how to route answers to packets coming in over a particular provider, say Provider 1, back out again over that same provider.
Let us first set some symbolical names. Let $IF1 be the name of the first interface (if1 in the picture above) and $IF2 the name of the second interface. Then let $IP1 be the IP address associated with $IF1 and $IP2 the IP address associated with $IF2. Next, let $P1 be the IP address of the gateway at Provider 1, and $P2 the IP address of the gateway at provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P2 is in.
One creates two additional routing tables, say T1 and T2. These are added in /etc/iproute2/rt_tables. Then you set up routing in these tables as follows:

   ip route add $P1_NET dev $IF1 src $IP1 table T1
   ip route add default via $P1 table T1
   ip route add $P2_NET dev $IF2 src $IP2 table T2
   ip route add default via $P2 table T2
 
Nothing spectacular, just build a route to the gateway and build a default route via that gateway, as you would do in the case of a single upstream provider, but put the routes in a separate table per provider. Note that the network route suffices, as it tells you how to find any host in that network, which includes the gateway, as specified above. Next you set up the main routing table. It is a good idea to route things to the direct neighbour through the interface connected to that neighbour. Note the `src' arguments, they make sure the right outgoing IP address is chosen. 

     ip route add $P1_NET dev $IF1 src $IP1
     ip route add $P2_NET dev $IF2 src $IP2
   
Then, your preference for default route:

     ip route add default via $P1
   
Next, you set up the routing rules. These actually choose what routing table to route with. You want to make sure that you route out a given interface if you already have the corresponding source address:
     ip rule add from $IP1 table T1
     ip rule add from $IP2 table T2
   
This set of commands makes sure all answers to traffic coming in on a particular interface get answered from that interface.

Note (from the same HOWTO): if $P0_NET is the local network and $IF0 is its interface, the following additional entries are desirable:

ip route add $P0_NET     dev $IF0 table T1
ip route add $P2_NET     dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo   table T1
ip route add $P0_NET     dev $IF0 table T2
ip route add $P1_NET     dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo   table T2                             


Now, this is just the very basic setup. It will work for all processes running on the router itself, and for the local network, if it is masqueraded. If it is not, then you either have IP space from both providers or you are going to want to masquerade to one of the two providers. In both cases you will want to add rules selecting which provider to route out from based on the IP address of the machine in the local network.

4.2.2. Load balancing

The second question is how to balance traffic going out over the two providers. This is actually not hard if you already have set up split access as above.
Instead of choosing one of the two providers as your default route, you now set up the default route to be a multipath route. In the default kernel this will balance routes over the two providers. It is done as follows (once more building on the example in the section on split-access):

     ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \
     nexthop via $P2 dev $IF2 weight 1
   
This will balance the routes over both providers. The weight parameters can be tweaked to favor one provider over the other. Note that balancing will not be perfect, as it is route based, and routes are cached. This means that routes to often-used sites will always be over the same provider.
Furthermore, if you really want to do this, you probably also want to look at Julian Anastasov's patches at http://www.ssi.bg/~ja/#routes , Julian's route patch page. They will make things nicer to work with.

Note that the routing cache this HOWTO refers to was removed in Linux 3.6; current kernels hash multipath next hops per flow, so the balancing is per flow rather than per cached destination, and the patch page is historical.
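As an added example (not from the original post or the HOWTO), the following simulates the rule and table lookup that the interfaces file above creates, so you can check which interface a reply leaves on without a second NIC at hand. It uses the page's addresses (7.7.7.4 on eth0, 7.7.7.5 on eth1, gateway 7.7.7.1, tables eth0table and eth1table); the destination 203.0.113.10 is a made-up outside host, the rule priorities 32765 and 32764 are what ip rule add assigns by default when the rules are added in that order, and the kernel's local table is left out:

```python
"""Source-based policy routing, simulated (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None   # next hop; None for a directly connected prefix
    src: Optional[str] = None   # preferred source address


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    from_net: Optional[ipaddress.IPv4Network] = None   # None means "from all"


class PolicyRouter:
    """Routing tables plus the rule list that selects between them."""

    def __init__(self):
        self.tables = {}
        self.rules = []

    def route_add(self, prefix, dev, via=None, src=None, table="main"):
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(prefix), dev, via, src))

    def rule_add(self, prio, table, from_addr=None):
        net = ipaddress.ip_network(from_addr, strict=False) if from_addr else None
        self.rules.append(Rule(prio, table, net))
        self.rules.sort(key=lambda r: r.prio)   # lowest priority value is tried first

    def _lookup(self, table, dst):
        """Longest-prefix match inside one table, None if nothing matches."""
        best = None
        for r in self.tables.get(table, []):
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def route(self, dst, src=None):
        """Route chosen for a packet to dst with source src (None: not yet bound)."""
        dst = ipaddress.ip_address(dst)
        src_ip = ipaddress.ip_address(src) if src else None
        for rule in self.rules:
            if rule.from_net is not None and (src_ip is None or src_ip not in rule.from_net):
                continue                      # rule selector does not match, next rule
            hit = self._lookup(rule.table, dst)
            if hit is not None:
                return hit                    # first table with a matching route wins
        return None


def build_from_interfaces_file(with_rules=True):
    """Routes and rules that the page's /etc/network/interfaces 'up' lines create."""
    r = PolicyRouter()
    r.rule_add(32766, "main")                 # the kernel's standard main-table rule
    for dev, addr, table, prio in (("eth0", "7.7.7.4", "eth0table", 32765),
                                   ("eth1", "7.7.7.5", "eth1table", 32764)):
        r.route_add("7.7.7.0/24", dev, src=addr, table=table)
        r.route_add("0.0.0.0/0", dev, via="7.7.7.1", table=table)
        if with_rules:
            r.rule_add(prio, table, from_addr=addr)   # ip rule add from <addr> table <t>
        r.route_add("7.7.7.0/24", dev, src=addr)      # connected route in main
    r.route_add("0.0.0.0/0", "eth1", via="7.7.7.1")   # main-table default via eth1
    return r


if __name__ == "__main__":
    outside = "203.0.113.10"   # made-up remote host
    for with_rules in (False, True):
        r = build_from_interfaces_file(with_rules)
        for src in ("7.7.7.4", "7.7.7.5"):
            print(f"rules={with_rules}: reply from {src} to {outside} leaves via "
                  f"{r.route(outside, src=src).dev}")
```

With with_rules=False the simulation shows the original problem: replies from both addresses leave via eth1, because only the main table's default route is consulted. With the rules in place a reply from 7.7.7.4 goes out eth0 and one from 7.7.7.5 goes out eth1, while a new connection that has not bound a source address yet still follows the main table.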
  

Open malicious websites safely!

=> Install Links:

1. "Private Tab": https://addons.mozilla.org/en-US/firefox/addon/private-tab
2. "No-Script": https://addons.mozilla.org/en-US/firefox/addon/noscript

In the following screenshot you can see "No-Script" blocking JavaScript:

Now this is where I landed following that rogue link. As most of the malicious scripts were blocked by "No-Script", this is what was displayed to me:

Keep in mind what this setup does and does not do: a private tab keeps the visit's cookies and history out of your normal profile, and NoScript stops scripts from running, but neither isolates the browser process itself from an exploit in the page. For a link you genuinely distrust, open it in a throwaway VM instead.

Prerouting and Postrouting (the iptables nat table)

The nat table is consulted only for the first packet of a new connection; the translation chosen there is recorded by conntrack and applied to every later packet of that connection in both directions. It consists of three built-in chains:
PREROUTING (for altering packets as soon as they come in, before the routing decision),
OUTPUT (for altering locally generated packets before routing), and
POSTROUTING (for altering packets as they are about to go out, after the routing decision).

PREROUTING - DNAT for incoming packets
OUTPUT - DNAT for outgoing locally generated packets
POSTROUTING - SNAT (including MASQUERADE) for outgoing local and forwarded packets

The ordering is the point: DNAT must happen before the routing decision so that the kernel routes on the rewritten destination (INPUT if it is now local, FORWARD if not), and SNAT must happen after it so that the source is rewritten only once the outgoing interface is known.
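The following toy model, added here as an example and not taken from the iptables sources or the original post, walks a packet through the three nat hooks in the order above. The box, its addresses (WAN 203.0.113.1, LAN 192.168.1.0/24) and the port forward from :8080 to 192.168.1.10:80 are made up for the demonstration, and conntrack is reduced to treating every packet as the first of its connection:

```python
"""Toy walk of a packet through the nat-table hooks (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    locally_generated: bool = False   # True: produced by the box itself (OUTPUT path)


class NatBox:
    """A router with one WAN address, one LAN and a static port-forward table."""

    def __init__(self, local_ips, wan_ip, lan):
        self.local_ips = {ipaddress.ip_address(a) for a in local_ips}
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan)
        self.dnat = {}   # (dst, dport) -> (new_dst, new_dport), like -j DNAT --to

    def add_port_forward(self, dst, dport, new_dst, new_dport):
        self.dnat[(dst, dport)] = (new_dst, new_dport)

    def process(self, pkt: Packet) -> Tuple[List[str], Packet]:
        """Return (hooks traversed, packet as it leaves or is delivered)."""
        path = []
        # 1. DNAT: PREROUTING for packets arriving on a wire, OUTPUT for local ones.
        hook = "OUTPUT" if pkt.locally_generated else "PREROUTING"
        if (pkt.dst, pkt.dport) in self.dnat:
            new_dst, new_dport = self.dnat[(pkt.dst, pkt.dport)]
            pkt = replace(pkt, dst=new_dst, dport=new_dport)
            hook += ":DNAT"
        path.append(hook)
        # 2. Routing decision, taken on the (possibly rewritten) destination.
        if not pkt.locally_generated:
            if ipaddress.ip_address(pkt.dst) in self.local_ips:
                path.append("INPUT")          # delivered locally, never reaches POSTROUTING
                return path, pkt
            path.append("FORWARD")
        # 3. POSTROUTING: masquerade anything leaving toward the outside (-o wan).
        if ipaddress.ip_address(pkt.dst) not in self.lan and pkt.src != self.wan_ip:
            pkt = replace(pkt, src=self.wan_ip)
            path.append("POSTROUTING:SNAT")
        else:
            path.append("POSTROUTING")
        return path, pkt


def example_box():
    """Made-up box: WAN 203.0.113.1, LAN 192.168.1.0/24, :8080 forwarded to a LAN web server."""
    box = NatBox(local_ips=["203.0.113.1", "192.168.1.1"], wan_ip="203.0.113.1",
                 lan="192.168.1.0/24")
    box.add_port_forward("203.0.113.1", 8080, "192.168.1.10", 80)
    return box


if __name__ == "__main__":
    box = example_box()
    samples = [   # constructed packets
        Packet("198.51.100.7", "203.0.113.1", 8080),   # outside -> forwarded port
        Packet("198.51.100.7", "203.0.113.1", 22),     # outside -> the box itself
        Packet("192.168.1.20", "198.51.100.7", 443),   # LAN host -> outside
        Packet("203.0.113.1", "203.0.113.1", 8080, locally_generated=True),
    ]
    for p in samples:
        path, out = box.process(p)
        print(f"{p.src}->{p.dst}:{p.dport}  {' > '.join(path)}  "
              f"leaves as {out.src}->{out.dst}:{out.dport}")
```

The first two samples hit the same WAN address and differ only in port, yet one ends up in FORWARD and the other in INPUT: that is the routing decision acting on the destination DNAT already rewrote, which is exactly why DNAT cannot live in POSTROUTING.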

Configuring Inventum Software NAS

----------------------------------------------------------
=>Inventum Login (factory default; change it before anyone else can reach the box, see "Change Default Inventum Password" below):
User: root
Password: inventumadmin
----------------------------------------------------------
=> Initial Setup
main->show
----------------------------------------------------------
=>Displaying the Connected Interfaces:
main->diag
ifconfig
=>Verify: BROADCAST RUNNING MULTICAST
=>To exit from DIAG: quit
=>List all PCI devices:
main->config->pci
----------------------------------------------------------
=> To load Drivers:
main->config
help
list drivers
=>Look at the driver name. For ex: e1000
=>Press Enter to continue till the list ends.
load e1000
=>To display what is already loaded:
loaded
=>To unload/uninstall:
unload e1000
save
=>To reboot the NAS:
main
reset/restart
----------------------------------------------------------
=>Change Default Inventum Password:
main->config
change user root password 145236
----------------------------------------------------------
=> List all Users:
main->config
list users
=> Delete User:
del user soham
=>Add User:
add user soham password 145236789 role mgr
----------------------------------------------------------
=>Set IPs to Interfaces:
main->interface
set eth0 10.11.12.2 mask 255.255.255.240
set eth1 10.11.12.1 mask 255.255.255.240
----------------------------------------------------------
=>Inventum Set Default Route/Gateway:
main->route
set default 10.11.12.1

=>Display All Routes:
main->diag
route
----------------------------------------------------------
=> Setting up DNS:
main->dns->show
add ns 8.8.8.8
del ns 208.67.222.222
----------------------------------------------------------
=>Set SNAT
main->snat
help
----------------------------------------------------------
=> Set Policy Url:
main->url
help
set policy url 203.12.122.122
----------------------------------------------------------
=>Set Firewall:
main->firewall
show

add allow from 203.12.122.122 to any protocol any
add allow from any to 203.12.122.122 protocol any

add allow from any to any protocol tcp/80/
add allow from any to any protocol tcp//80
----------------------------------------------------------
=> Show running Processes:
main->diag-> ?
ps
=>Check NAS Uptime:
uptime
=> Free RAM:
free

tcpdump
iptraf
netstat
arp
clear-ssh-identity
----------------------------------------------------------
=>To do nslookup:
main
nslookup
----------------------------------------------------------
=>Enabling Authsrv service:
main->authsrv
show

service on
set port eth1 wan
set port eth0 lan
qos on
----------------------------------------------------------
=> Enable Packet Logging:
main->plog
set logging on
format extended
reload

set logging to 10.11.12.5 8080
----------------------------------------------------------
=> Enable Syslog Logging:
set logging on
set logging to 10.11.12.5 8080
set log level err
reload
----------------------------------------------------------