Keith Smith - My Blog

Network


Initial NAS Setup headache

Sunday, May 10, 2015 - Posted by Keith A. Smith, in Network



Packet filters converted to proxy policy types

Monday, March 9, 2015 - Posted by Keith A. Smith, in Network

I decided to clean up and consolidate my firewall rule base last week. I originally had multiple rules of the same policy type for each subnet that needed access; it ended up that way because I needed to get things up and running ASAP, as the change took place late in the evening. Anyway, I created some HTTP-proxy, HTTPS-proxy and DNS-proxy policy types to lump all the VLANs into. Once that was done I tested most of the services and things seemed OK.

I found out on 3/7/15 that Netflix had not been working for a few days. I took a look online (Twitter, etc.) and found others had issues also, so I figured our problem with the Amazon Fire TVs could be related to that issue. I called Netflix and they were basically no help, so I had a thought: split out the VLAN that contains the Amazon Fire TVs from the proxy policies and place it into non-proxy HTTP, HTTPS and DNS packet filters. Once that change was committed I proceeded to test it out on one of the Fire TVs and bam, it worked! I didn't see a whole lot of traffic being blocked before the change.

The one entry on the traffic monitor that tipped me off was:

2015-03-09 16:52:26 Deny x.x.x.x 176.32.101.52 https/tcp 47763 443 3-vlan 0-External ProxyDrop: HTTPS timeout (HTTPS-proxy-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008"

The address 176.32.101.52 belongs to one of Amazon's CDNs.

I also discovered that the Amazon Fire TVs don't like non-U.S. DNS servers.

All is well now. Note to self: never use proxy policy types for things like media.
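To find an entry like that systematically instead of by eye, here is an added Python example (not code from the post) that parses lines in the WatchGuard traffic-monitor format shown above and tallies ProxyDrop events per policy, destination and reason. The sample log is constructed: the first line is the entry quoted above (source address redacted there as x.x.x.x); the other lines are invented in the same format, and their rc/msg_id values are placeholders rather than real WatchGuard codes.

```python
import re
from collections import Counter

# Constructed sample in the WatchGuard traffic-monitor format shown in the post. The first
# line is the entry from the post (source address redacted there as x.x.x.x); the rest are
# made up for illustration, and their rc/msg_id values are placeholders, not real codes.
SAMPLE_LOG = """\
2015-03-09 16:52:26 Deny x.x.x.x 176.32.101.52 https/tcp 47763 443 3-vlan 0-External ProxyDrop: HTTPS timeout (HTTPS-proxy-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008"
2015-03-09 16:52:58 Deny 10.0.3.22 176.32.101.52 https/tcp 50123 443 3-vlan 0-External ProxyDrop: HTTPS timeout (HTTPS-proxy-00) proc_id="https-proxy" rc="594" msg_id="2CFF-0008"
2015-03-09 16:53:10 Allow 10.0.3.22 198.51.100.7 dns/udp 53411 53 3-vlan 0-External Allowed (DNS-proxy-00) proc_id="dns-proxy" rc="PLACEHOLDER" msg_id="PLACEHOLDER"
2015-03-09 16:53:40 Deny 10.0.2.7 203.0.113.9 http/tcp 41000 80 2-vlan 0-External ProxyDrop: HTTP timeout (HTTP-proxy-00) proc_id="http-proxy" rc="PLACEHOLDER" msg_id="PLACEHOLDER"
"""

# One traffic-monitor line: timestamp, action, src, dst, proto, ports, in/out interface,
# a free-text reason, an optional "(policy-name)", then trailing key="value" pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<in_if>\S+) (?P<out_if>\S+) "
    r'(?P<reason>.*?)(?: \((?P<policy>[^)]+)\))?(?P<kv>(?: \w+="[^"]*")*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one traffic-monitor line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec.pop("kv") or ""))
    return rec


def proxy_drops(log_text):
    """Return the parsed records that a proxy policy dropped (reason starts with ProxyDrop)."""
    drops = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and rec["reason"].startswith("ProxyDrop"):
            drops.append(rec)
    return drops


def drop_summary(log_text):
    """Count proxy drops per (policy, destination, reason) so a repeat offender such as a
    CDN address stands out and you can decide which policy or VLAN needs a packet filter."""
    return Counter((r["policy"], r["dst"], r["reason"]) for r in proxy_drops(log_text))


if __name__ == "__main__":
    for (policy, dst, reason), n in drop_summary(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {policy:16s} {dst:16s} {reason}")
```

Point it at an exported traffic-monitor log instead of SAMPLE_LOG. A destination that keeps appearing under the same proxy policy with a timeout reason is the candidate for moving its VLAN to plain packet filters, as the post did; the in_if field in each record also shows whether the drops are confined to one VLAN.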



Wi-Fi woes...

Saturday, September 6, 2014 - Posted by Keith A. Smith, in Network

I’ve had many issues with DHCP on one of the Cisco 350N APs, so I figured I should place this part of the Wi-Fi network on its own VLAN. After about 10 minutes of fighting with subnet masks, it seems DD-WRT doesn't like anything smaller than a /27 for its WAN allocation. I figured this out after trying a /30, etc. Wi-Fi is such a pain! Censored.


A win is a win and you have to take them when you get them. 



The start of the madness

Friday, August 29, 2014 - Posted by Keith A. Smith, in Network, Xen, Journal of thoughts

After deciding to cut the cord in February of 2014, I thought I should build a network to support our entertainment needs. I cancelled our FiOS TV service because of the annual rate hikes and went internet-only in order to save more $$$; besides, we didn't watch a whole lot of TV, and when we did it was only certain channels. After killing the TV service I was able to negotiate a bump in the bandwidth from 25/25 to 75/75, which was much needed. I started by purchasing a box of CAT6, and since I already had the other items (e.g. connectors, crimper, etc.) I made a weekend project out of it. I put in drops in every room and in a few other areas which were a pain to get to; those areas were costly because I put holes in the ceiling while in the attic. Next I purchased the 1513+ Synology NAS for about $842 from Amazon in July of 2014. I got it diskless because I didn't know what drives I wanted to put in it at the time. I settled on 5 of the Western Digital Caviar Green 3 TB SATA III drives, which ran about $674 from TigerDirect.

At this point I had to make a call on what switch and new firewall I was going to use. I thought to go Cisco and grab a 3750X along with an ASA 5510. That never happened because IOS requires you to have SMARTnet to download the bits now, so with that I moved on to HP (which used to be 3Com); I had used those switches before and they worked great. I managed to find a 1810G ProCurve managed switch from Amazon for $169, then I started doing some research on firewalls again. It was now down to Juniper, Fortinet and SonicWall. I always liked SonicWall along with Juniper, but SonicWall was still more than what I wanted to pay and Juniper seemed limited on throughput in the price range I was looking in. I checked out Fortinet but I still wanted to find something else to compare it to, and I somehow stumbled upon the WatchGuard line.

I did some deeper internet research on the WatchGuard products and I liked what I saw. I managed to find a demo of what the web interface was like from a management standpoint and I was sold on it; at that point I started looking for models and prices for WatchGuard. The T10 ended up being the one I was willing to start out with. I purchased it from Newegg for $200 and the license from CDW for $60. All the network gear arrived on a Friday, which was perfect because I would have time to get it all set up over the weekend. I started with the firewall, thinking it would be the fastest to set up. I was wrong on that thought... I set up the rules that were needed along with the VLANs on the 1810G; the main issue was that nothing had outbound access to the internet. I tinkered with the rule base for hours, then I came to the point where I knew I had set up everything correctly and the cause had to be something else. It was late (around 2am), so I went to sleep because I was out of ideas at the time and the kids were driving me nuts because they couldn't watch TV thanks to me.

I woke up around 7ish to get back at it. I finished the config on the switch and I was sure that I had set up the firewall correctly, but still no outbound traffic was allowed. I did a lot of internet research but didn't find anything that really helped, so I proceeded to review all the docs that came with the T10 again to see if it was something that I missed. At this point it was around 7pm Saturday and I was able to find everything I needed to call support, because I had a thought that perhaps this device needed to be activated before use. After speaking to support, I was right: they have a live subscription that needs to be activated, so we took care of that and bam, outbound internet access. It's always the small things that cause the bigger issues. Once that was resolved I was able to bring all the Amazon Fire TVs up along with the Wi-Fi.

Now that the internet was up I could move to the NAS. I set up the 1513+ Synology with the 3TB drives I bought and set up LACP along with the bond; that was a pain, mostly because of the way I set up the interfaces on the switch. For some reason ports 14, 16, 18, and 20 were a part of trunk4, but the trunk itself was untagged and the ports were still tagged. I removed the ports from the trunk, made sure they were on VLAN 4 and untagged, then put them back into trunk4 as members with LACP, and it works like a champ: 4 Gbps on the throughput. After that I migrated all my data from all the "cloud" services, and once that was done I enabled some of the sync features so I could get the things I needed while on the go.

The next thing I figured I would work on would be the Wi-Fi service improvements. My old Cisco/Linksys WRT350N router was due to be relocated to light duty since it was the edge gateway/router/Wi-Fi AP. I started looking around for the newest Wi-Fi routers out on the market; for me it came down to the Asus RT-AC68U and the Netgear Nighthawk tri-band router. The features were about the same, so it came down to price. I went with the Asus RT-AC68U from Amazon for $199 and I haven't looked back since. I used the default Merlin firmware that came with the RT-AC68U, but it couldn't achieve all that I wanted, so I ended up flashing it with DD-WRT, which I had used before on previous devices. I was able to set up my HP printer on it so we could print wirelessly, but I couldn't get the guest network set up to work as I needed it to.

The guest network was not stable, and it was really because of a bug in the dhcpd; after doing much testing and research I found that it was some sort of issue with the dhcpd on the version of DD-WRT I was running. Enter the WRT350N once again... this time I set it up on its own VLAN for guest Wi-Fi devices that needed internet only; this way I could have a proper "guest network".

A few months went by, then I started working on things again. I purchased a TV/wall mount kit for my mancave and set up my Xbox along with a Mac mini for entertainment. I also got a few Dell OptiPlex 780s that had been retired from work; I set up XenServer on those and connected them to the 1513+. I started looking at the core of the network and thought, well, I should buy a rack now so I can organize everything, because everything worked but it was an eyesore. I didn't want a 42U rack because I knew I would never have that much gear; I found a neat little Tripp Lite SRW12US 12U Wall Mount Rack Enclosure Server Cabinet on eBay. The specs were perfect on it:

Height: 25"
Width: 23.6"
Depth: 21.6"
Rack Width: 19"
Rack Height: 12U

They seemed to sell in the $400 range on eBay and Amazon, which to me seemed a bit much for a 12U rack. I spotted one on eBay which was in bidding state, and I sniped it from everyone at the last minute for $132. At that price it was a total steal, and it came with the cage nuts along with keys for the doors. I bought a universal rack tray to sit the NAS on; I also bought another 2 GB module for $50 for the 1513+, a wire organizer panel for $18 and a rackmount PDU for $40, all from Amazon. I re-wired all the cables for everything that was close and connected to the 1810G, then I installed everything into the rack. It was sort of painful at the time of doing some of the work, but in the end it was all worth it, and looking back I would even say that it was fun. The next thing I have on my list is to obtain more powerful servers that will be my next set of hypervisors. I thought to build my own, but it looks like it costs around $2000 or so to do that. I have moved on from that idea and am looking at used servers that will have enough resources (CPU & RAM) to support the VMs that I want to run; the tough part is finding enterprise-type servers that will fit in my small rack.

I started looking at older Sun and Apple servers on eBay because they were cheap, then I had a thought to check the HCL for XenServer to make sure this was going to work. I found out that other people had managed to get some versions of Xen onto Sun and Apple servers, but I didn't want to chance it; I did decide to use the HCL as a guide that could help me find my next set of servers. I started looking at the Dell models and checking out the chassis specs to make sure that the server would fit in the rack, and I found a PowerEdge R210 which looked like it would fit the bill. I ended up buying 2 of the PowerEdge R210s and more RAM to max them out at 32GB each; after receiving them I went ahead and unpacked them. Anytime I order a used server I check to make sure everything is seated properly (e.g. RAM, processor, etc.). So far so good, so I racked them and proceeded to power them on so I could get an idea of just how noisy these servers were going to be together. I let them run for a few hours and determined that they aren't as loud as a normal 1U server would be, but still a bit too noisy for my liking, so I powered them off and un-racked them so I could inspect the fans, because they are always the culprit for noisy servers. I did notice that one of the servers was slightly noisier than the other; upon my 2nd inspection I noticed that they had mismatched fans in them, so I decided to order more and remove 1 fan from each. The servers run very quietly now, which is exactly what I wanted.


ProCurve inter-VLAN routing with Cisco ASA firewalls

Wednesday, July 9, 2014 - Posted by Keith A. Smith, in Network

Long-winded network post ahead! You have been warned. 

As part of my network overhaul, I wanted to transform our current semi-flat network into a multi-tiered, access-controlled, dynamic network that could grow with the company. Our existing network has been plagued with broadcast storms caused by the rogue engineering DHCP server being accidentally connected to the office network. To do this I purchased new switch gear that supports L3 routing and VLANs. This new gear allows me to separate our large broadcast domain into smaller, department-based broadcast domains using VLANs and inter-VLAN routing. The existing network gear, while functional, lacked the capability of inter-VLAN routing and struggled under our daily office load with only two VLANs. I can't say I will miss the old Netgear switches; they were barely able to support the traffic when we were a 30-person company and are unstable with the 70+ now.

Wanting to keep a fairly tight budget, I ended up choosing HP ProCurve 2510 and 2520 PoE switches for distribution and a 5406zl loaded with 1Gb modules for my core. The 2510/2520 are layer 2 gigabit switches and the 5406 is layer 3. If I had a larger budget, an EDU discount, or was purchasing a huge lot of gear, I would probably have gone Cisco 3750G/2960G. The HP gear is very competitive, offering a lifetime warranty, lifetime support, and the cheapest 10GBASE-T I could find. I have worked with HP in the past and have found it very similar to manage. The menu-based command line interface makes it a breeze for the novice, but I still prefer the plain old command line.

My firewalls were a tough choice. I wanted something that could support 250+ SSL VPN connections, a Gigabit Metro-E line, a 100Mb EDI line, and have enough throughput to handle all of this. After looking at FortiGate, Juniper, and Cisco, I ended up choosing four Cisco ASA 5515-Xs. Each site will have two, set up in Active/Active, serving up a maximum of 500 SSL VPN connections per site. I sacrificed the ability to load balance across two or more internet connections, but our EDI line makes up for that. These, at least for now, should be able to handle everything we throw at them.

In the last few weeks, I set up all of the HP switch gear in a test environment, along with an ESXi host with multiple quad-port NICs. I wanted to simulate having multiple machines across multiple switches to ensure my configs would work. Starting out, I got everything up and working. I could ping between VLANs, but I did not have a DHCP server to test ip helper-addresses or an internet connection. This week I added a Server 2008 R2 box, set up DHCP/AD/DNS and connected a spare Cisco ASA 5505 running 8.4. After a few hours of research through somewhat helpful posts, I came up with the following basics for using inter-VLAN routing on HP ProCurve switches with a Cisco ASA.

Helpful tips:

1) Your core must be a Layer 3 switch. In my lab it is the hp2910al-24g. It is not possible to do this without a L3 switch.

2) On the core, there should be no default gateway. I have seen this far too often as the problem in my research.

3) Enable IP routing on the core switch.
    hp2910al-24g:# ip routing

4) Once you create additional VLANs, only use the default VLAN for switch management if possible.
    hp2910al-24g:# config
    hp2910al-24g:# vlan 10
    hp2910al-24g:(Vlan 10)#

5) Assign IP addresses to each VLAN, only on the core!
    hp2910al-24g:(Vlan 10)# ip address 10.1.0.1/24

6) Assign an ip helper-address for your DHCP server to each VLAN on the core switch (except the one it natively lives on) and add each scope to the DHCP server.
    hp2910al-24g:(Vlan 20)# ip helper-address 10.1.0.2

7) Be sure to TAG (tagged) the VLANs on your trunks (trk 1-24) to the distribution switches, and on the distribution back to the core. Otherwise only local traffic on the untagged ports will flow on the core.
    hp2910al-24g:(Vlan 10)# tagged Trk1

8) Set a static route to your router's IP (replacing 10.1.0.1 with your router's IP).
    hp2910al-24g:# ip route 0.0.0.0 0.0.0.0 10.1.0.1

9) Set a static route on the ASA back to your core switch (where 10.0.0.0 255.0.0.0 is your inside subnet and 10.1.0.254 is the core switch). My router is plugged into VLAN 10, which is 10.1.0.0; this must match! Your router's internal IP must be on the same subnet as the core switch's VLAN IP.
    ciscoasa5505:# route Inside 10.0.0.0 255.0.0.0 10.1.0.254

10) ALWAYS use the IP of the VLAN as the DHCP default gateway; otherwise nothing will work!
    Example: VLAN 20, IP 10.1.1.254
    xptestbox:# ipconfig -a
        IP: 10.1.1.100
        Subnet: 255.255.255.0
        Gateway: 10.1.1.254
        DNS: 10.1.0.2

11) Restart everything once the configs are made and SAVED.
    hp2910al-24g:# wr mem

12) Enjoy your working network!

Example configs:

2910al-24g:

; J9145A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-24G"
module 1 type j9145a
trunk 23-24 trk1 trunk
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip routing
snmp-server community "public" unrestricted
spanning-tree Trk1 priority 4
vlan 1
   name "DEFAULT_VLAN"
   no untagged 1-22
   tagged Trk1
   ip address 10.0.0.254 255.255.255.0
   exit
vlan 10
   name "VLAN10"
   untagged 1-10
   tagged Trk1
   ip address 10.1.0.254 255.255.255.0
   exit
vlan 20
   name "VLAN20"
   untagged 11-20
   tagged Trk1
   ip address 10.1.1.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 30
   name "Vlan30"
   tagged Trk1
   ip address 10.20.30.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 99
   name "VLAN99"
   untagged 21-22
   tagged Trk1
   ip address 10.1.99.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit

2510G-24:
hostname "00005- 2510-24g"
trunk 23-24 Trk1 Trunk
ip default-gateway 10.0.0.254
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   ip address 10.0.0.253 255.255.255.0
   tagged Trk1
   no untagged 1-22
   exit
vlan 10
   name "VLAN 10"
   tagged Trk1
   exit
vlan 20
   name "VLAN 20"
   tagged Trk1
   exit
vlan 99
   name "Vlan 99"
   tagged Trk1
   exit
vlan 30
   name "VLAN 30"
   untagged 1-22
   tagged Trk1
   exit
spanning-tree Trk1 priority 4

Cisco ASA 5505:

route 10.0.0.0 255.0.0.0 10.1.0.254
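The tips above boil down to a handful of invariants between the core switch, the ASA and the DHCP server (tips 2, 3 and 5 through 10), and most of the "nothing works" cases come from one of them being violated. As an added example that is not from the post, here is a small Python checker that parses a trimmed copy of the 2910al config above together with the ASA route line and reports where those invariants fail. The DHCP scope table it checks against is constructed, with VLAN 30's gateway deliberately set to the router address to show the tip-10 mistake; the parser understands only the few ProCurve and ASA keywords the post uses.

```python
import ipaddress

# Trimmed copy of the 2910al example config from the post (VLANs 1 and 99 and cosmetic lines dropped).
CORE_CONFIG = """
trunk 23-24 trk1 trunk
ip route 0.0.0.0 0.0.0.0 10.1.0.1
ip routing
vlan 10
   tagged Trk1
   ip address 10.1.0.254 255.255.255.0
   exit
vlan 20
   tagged Trk1
   ip address 10.1.1.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
vlan 30
   tagged Trk1
   ip address 10.20.30.254 255.255.255.0
   ip helper-address 10.1.0.2
   exit
"""
ASA_CONFIG = "route Inside 10.0.0.0 255.0.0.0 10.1.0.254"  # the ASA line from the post
DHCP_SERVER = "10.1.0.2"
# Constructed scope table (VLAN id -> gateway the scope hands out); VLAN 30 deliberately points at the router.
DHCP_SCOPES = {20: "10.1.1.254", 30: "10.20.30.1"}

def parse_procurve(text):
    """Pull routing settings, trunk names and per-VLAN IP/helper/tag data from a ProCurve config."""
    cfg = {"ip_routing": False, "default_gateway": None, "default_route": None, "trunks": set(), "vlans": {}}
    cur = None
    for line in (l.strip() for l in text.splitlines()):
        parts = line.split()
        if not parts or line.startswith(";"):
            continue
        if line == "ip routing":
            cfg["ip_routing"] = True
        elif line.startswith("ip default-gateway"):
            cfg["default_gateway"] = parts[-1]
        elif line.startswith("ip route 0.0.0.0 0.0.0.0"):
            cfg["default_route"] = parts[-1]
        elif parts[0] == "trunk":
            cfg["trunks"].add(parts[2].lower())
        elif parts[0] == "vlan":
            cur = int(parts[1])
            cfg["vlans"][cur] = {"ip": None, "helpers": [], "tagged": set()}
        elif cur is not None:
            v = cfg["vlans"][cur]
            if parts[:2] == ["ip", "address"]:
                v["ip"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            elif parts[:2] == ["ip", "helper-address"]:
                v["helpers"].append(parts[2])
            elif parts[0] == "tagged":
                v["tagged"].update(p.lower() for p in parts[1:])
            elif parts[0] == "exit":
                cur = None
    return cfg

def parse_asa_routes(text):
    # ASA static routes: route <iface> <net> <mask> <next-hop> -> (iface, network, next_hop)
    routes = []
    for parts in (l.split() for l in text.splitlines()):
        if parts[:1] == ["route"] and len(parts) == 5:
            routes.append((parts[1], ipaddress.ip_network(f"{parts[2]}/{parts[3]}"), ipaddress.ip_address(parts[4])))
    return routes

def check_design(core, asa_routes, dhcp_server, dhcp_scopes):
    """Return findings against the tips; an empty list means every invariant checked holds."""
    problems = []
    if not core["ip_routing"]:
        problems.append("core: 'ip routing' not enabled (tip 3)")
    if core["default_gateway"]:
        problems.append("core: 'ip default-gateway' set; a L3 core should only carry 'ip route' (tip 2)")
    ifaces = {vid: v["ip"] for vid, v in core["vlans"].items() if v["ip"]}
    core_ips = {i.ip for i in ifaces.values()}
    gw = ipaddress.ip_address(core["default_route"]) if core["default_route"] else None
    if gw is None:
        problems.append("core: no default route to the router (tip 8)")
    elif gw in core_ips:
        problems.append(f"core: default route next hop {gw} is the switch's own VLAN IP (tips 5/8)")
    elif not any(gw in i.network for i in ifaces.values()):
        problems.append(f"core: router {gw} is not inside any core VLAN subnet (tip 9)")
    for _iface, net, nh in asa_routes:
        if nh not in core_ips:
            problems.append(f"asa: route {net} via {nh} does not point at a core VLAN IP (tip 9)")
    dhcp = ipaddress.ip_address(dhcp_server)
    for vid, v in core["vlans"].items():
        if vid not in ifaces:
            problems.append(f"vlan {vid}: no IP address on the core (tip 5)")
            continue
        if dhcp not in ifaces[vid].network and dhcp_server not in v["helpers"]:
            problems.append(f"vlan {vid}: missing ip helper-address {dhcp_server} (tip 6)")
        for trk in sorted(core["trunks"] - v["tagged"]):
            problems.append(f"vlan {vid}: not tagged on {trk} (tip 7)")
    for vid, scope_gw in dhcp_scopes.items():
        if vid in ifaces and ipaddress.ip_address(scope_gw) != ifaces[vid].ip:
            problems.append(f"dhcp scope {vid}: gateway {scope_gw} != core VLAN IP {ifaces[vid].ip} (tip 10)")
    return problems

if __name__ == "__main__":
    findings = check_design(parse_procurve(CORE_CONFIG), parse_asa_routes(ASA_CONFIG), DHCP_SERVER, DHCP_SCOPES)
    print("\n".join(findings) or "no findings")
```

Feed it the running config from `show running-config` on the core and the `route` lines from the ASA, and fill DHCP_SCOPES from the scope options on the DHCP server. The checks are deliberately narrow: they only verify the addressing and tagging relationships the tips describe, not ACLs or anything the distribution switches carry.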

