Tiernan's Comms Closet

Geek, Programmer, Photographer, network egineer…

RouterOS Dynamic IP Updates

I have been using a MikroTik RouterBoard RB750 for a while now, and i love it! Over the weekend, i upgraded it to a RB1100. Its the same software running the device, but the device is faster (800Mhz PowerPC chip VS MIPS-BE at 680Mhz), has more memory (512Mb upgradable to 1.5Gb vs 32Mb) and more storage (think its 512Mb on board, plus 4Gb MicroSD card vs 32mb…). It also has more ports (13 GigE VS 5) and 2 Switch Groups, which i have no idea what they do just yet…

Anyway, part of getting the RB1100 online and taking over from my existing router was getting Dynamic DNS updating. I use both Dyndns and NoIP for DNS, but I also like the look of Amazon Route 53. For updating NoIP, I am using the Alternitive script from The Mikrotik Wiki. To get this to work with DynDNS, it would just be a matter of chaning the URL you point to… I am going to write a web script which will sit internally on the network, use that instead of the No-IP url. When that script gets called, i can log the info, update DynDNS, NoIP and Router53 all in one go. I will be posting more about that soon…

And while we are on the topic of Scripting RouterOS, checkout the Mikrotik Script Example Page. Lots of good stuff up there!

Custom MSDeploy OverWrite Rules

I have a project which we are trying to automate the deployment system. The plan is to automatically deploy the project to a staging server anytime the build succeeds from SVN.

I have had a few problems with this, but here are some of the links which may come in handy for you.

Still some tweaks to get this to work… If i find any more links i will put them here… The problem we are haivng is when a deploy happens, the WebDeployment tool cannot overwrite the log files directory, since they are in use… one option would be to restart IIS, which would be ok in staging, but we want to keep the logs in test and production, so, we need to figure out how to tell Web Deploy not to over write the files.

WANProxy and Squid with Upstream Servers

In my previous post on WANProxy, i did not really go into detail about what it actually was. The direct quote from their site is WANProxy is a free, portable TCP proxy which makes TCP connections send less data, which improves TCP performance and throughput over lossy links, slow links and long links. This is just what you need to improve performance over satellite, wireless and WAN links. This is something that has interested me for a while, so i have been looking into it, and so far so good… In my last post i mentioned i was proxying Squid traffic, in todays post, i still am, but with some tweaks.

  • i have a Squid box running in the house. It is connected to 2 Cable Modems, giving me 250Mbits/s down and 20Mbits/s upload connection. It is caching data locally also.
  • on my laptop i have Squid running also. It connects to a WANProxy server at home and proxies the Squid server. The local squid box is using the home Squid box as an upstream connection.
  • for upstream connections i used the following lines in the squid.conf:

I have set it to never use a direct connection, which is probably silly, since if i loose the WANProxy connection, i loose connectivity… Also, port 3300 is the WANProxy port its listening on.

So far, so good… I am also thinking this could be an interesting thing to get working on a Raspberry Pi…. Just a though… 🙂

Building WANProxy on Ubuntu 12.04

[Updated 2016/04/09] I had to use this today to build on Debian 8.3 for 2 different boxes. So, making minor changes (url to git proxy, and where you build from) to make sure this works now.

I have been looking into WANProxy for a while now, but never successfully got it to build… I have been more successfull reciently, so here is what you need to do.

** NOTE **: I built this on Ubuntu 12.04, so these are the tips for that… Not sure about other Distros…
** Second NOTE ** : I am using the Digows GitHub Repo for downloads… There is also the WANProxy SVN Server and their official downloads page.

sudo apt-get install build-essential git-core libssl-dev uuid-dev

git clone https://github.com/wanproxy/wanproxy.git

cd wanproxy/programs/wanproxy

make
  • Note -: git-core is needed to checkout code, build-essentails gives you your essential build utils, and the -dev files are needed for the build
    *- NOTE -: I have tried it on a couple VMs and they take about 5 min to build… If you are building on Physical hardware, it may be faster. Also, as a general note, if you are building with multiple processors, try add the -jX option, where x is your CPU count +1. for example, make -j5 if you have CPUs or Cores. or make -j17 if you have 16 cores…

    cp wanproxy ~/local/bin

~~Now, this is, so far, as far as i have gotten… but given its building, and its further than I was a few weeks back, i though i would post incase i can help someone else… ~~

** UPDATE ** I have successfully managed to get a WANProxy working. The way i have it setup is as follows:
** UPDATE 2016 ** as part of my series on getting double internet speed, I am back looking at WANProxy… more on that later..

  • Linux box in house, and VM on laptop.
  • both have WANProxy installed
  • use the ** Proxying over SSH ** example from the WANProxy examples site which shows you how to proxy a single web server over SSH.
  • in my case, i pointed the port at my proxy server inhouse. I also changed the if0.host address from 127.0.0.1 (only accessable from that machine) to its internal IP address (can be seen by anyone on that network)
  • finally, I told my browser to use the WANProxy ip and port 3300 (see the if0 config section) as its proxy.

Works grand so far. no idea yet if its “faster” but its working, which is a start…

Raspberry Pi now with 512MB RAM, other random links…

Earlier on today, the Raspberry Pi Foundation announced that the Model B will now be shipping with 512Mb RAM as standard, with no price change. I posted the link up on Hacker News and its caused quite a lot of happy people!

So, with the news of extra RAM, its started making me think of more things the Pi could be used for…

  • An Austrian hosting company are offering free Co-Location for Raspberry Pis with a 100Mb/s uplink and 100Gb bandwidth! FREE! with 512Mb RAM (or even 256Mb RAM) thats enough for a small site. or even a medium site (like this one) running statically.
  • Since the Pi can connect to the internet using 3G, you could install a copy of Squid and use an SSH tunnel back to your main office or home, have have multiple levels of caching going on… It would also secure your browsing.
  • Sending SMS messages though the Raspberry Pi could be useful for sending diagnostic info if the device is remote…
  • [XBMC on the Raspberry Pi] would make your media center a lot smaller, use less power, etc.

just a note on the idea of using 3G and Squid for the Pi… This is something i am interested in, so its something i want to start playing with. The idea would be as follows:

  • have a linux box in house with Squid and SSH enabled, and port forward SSH to the linux box.
  • tell the pi, on boot, to try and connect to a 3G connection.
  • once connection is live, connect to SSH tunnel
  • Squid should already be configued to load and use the upstream Squid box as an upstream cache
  • local squid should use some storage on either USB or SD for local cache

Also, using something like WANProxy on both ends should make things faster also… Having the Pi, a 3G modem, USB key (optional) and a battery pack, all in a small box, with a Wifi Adapter, should give you a faster mobile internet connection… And if you could get 2 or more 3G modems (using a Powered USB Hub of some sort), you could do load balancing…

more raspberry pi and camera antics

A while back I posted about the Raspberry Pi, and in the post was a link to a Photographer who was embeding a Raspberry Pi into a Canon 5D MKII battery grip. Well, its been a while, and i have been thinking about the Pi and Cameras, so I went looking around… Here is what i found.

The one thing i have not been able to figure out is how to tell the Pi to take the photos out of the camera wihtout having a monitor plugged in. I was thinking either tell it, on boot, to start monitoring the camera and download everything. This way, if you have it plugged into a external power source, it will be monitoring and downloading to somewhere… USB HDD, USB Key, etc. If there is a Wifi spot around, try uploading them to a location, posibily manageable via web interface of some sort… Lots of interesting ideas can be done… its just a matter of doing them… 🙂

RouterOS Using Host names in Firewall Rules

As a follow-up to yesterday’s post on RouterOS Blocking Machine access to all but one IP, I thought I would show how to add extra IPs to that list, without having a shedload of firewall filters.

  • First things first, get your list of IPs you allow access to. In my case, I just did an NSLOOKUP on the name and got the IPs.
  • Create an “Address List” in RouterOS. This can be done on the Web Interface by going to IP / Firewall / Address List and clicking Add. I had none previously, so I created a new rule, naming it ExpressVPN (the lads I use for VPN access) and added the first address.
  • this is where things get interesting. for extra IP (for ExpressVPN, I have 4) you create a new address with the SAME name, but different IP.
  • in your firewall rule, you should have either an src address or a dst address. in my case, I had both, but this was a change for the dst address. I removed the address from the rule, and I added it as a dst address list entry. If you have multiple address lists, you will see them here.

to do this at the command prompt:

this will block any traffic, other than the IPs in the expressVPN address list, for the machine 192.168.0.123.

RouterOS Blocking Machine access to all but one IP

So, I have a machine on my network, which should be only connecting to the internet through a VPN. I needed to tell my RouterOS box to block all access, except to this said IP address… The following should do the trick… YMMV

this will drop any packets from the srcaddress (IP address) that are not for the destination dstaddress (IP address). in my case, dstaddress is the VPN server I want to connect to. So, in theory, all packets should just go through the VPN and not leak out into the rest of the network… again, still testing this so be careful!