<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Your Warranty Is Void.com &#187; Networking</title>
	<atom:link href="http://www.yourwarrantyisvoid.com/category/networking/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.yourwarrantyisvoid.com</link>
	<description>Linux, Hardware, Software and Chaos. What more is there?</description>
	<lastBuildDate>Wed, 18 Jan 2012 03:59:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Networking: Bringing IPv6 into your network using pfSense</title>
		<link>http://www.yourwarrantyisvoid.com/2011/12/01/networking-bringing-ipv6-into-your-network-using-pfsense/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/12/01/networking-bringing-ipv6-into-your-network-using-pfsense/#comments</comments>
		<pubDate>Thu, 01 Dec 2011 23:06:05 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[pfSense]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=1047</guid>
		<description><![CDATA[The Internet as we know it is undergoing a significant change.  With the last IPv4 addresses being allocated out, the Internet has officially run out of address space.  IPv6 is the next-generation IP addressing system that aims to resolve this issue however the changes proposed are drastically different than the current IP schema currently in [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-1049" title="he-pfsense-ipv6-logo" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/he-pfsense-ipv6-logo.png" alt="Hurricane Electric, PfSense and IPv6" width="497" height="172" />The Internet as we know it is undergoing a significant change.  With the last IPv4 addresses being allocated out, the Internet has officially run out of address space.  IPv6 is the next-generation IP addressing system that aims to resolve this issue however the changes proposed are drastically different than the current IP schema currently in place and for most is quite a daunting task to switch. In this post, we will cover some basic IPv6 information and some fundamental differences between v4 and v6 (aside from tons of IPs), and finally we will build out a pfSense firewall with IPv6 using pfSense and a free IPv6 tunnel provided by Hurricane Electric. Read more to get started on the cutting-edge of Internet infrastructure.<span id="more-1047"></span></p>
<h1>IPv6 Introduction</h1>
<h2>First, the basics&#8230;.</h2>
<p>Understanding IPv6 networking may first come off as an extremely complicated endeavor, however it&#8217;s not that much different from IPv4.  The biggest thing about IPv6 is the massive amount of IPs that are made available by the change in the network protocol.  To put it in perspective, the entirety of the existing IPv4 address space consists of approximately 4,228,250,625 addresses (from 0.0.0.0 to 255.255.255.255, or 255^4 including private network blocks and multicast addresses). An IPv6 network block (like the /64 network block that we&#8217;ll get from Hurricane Electric) contains 18,446,744,073,709,551,616 IPs.  The /64 network assigned to us from Hurricane Electric is only a minuscule fraction of the entire IPv6 address space.</p>
<p>An IP address in IPv4 uses four numbers in a dotted quad notation with numbers between 0 and 255, like 192.168.1.4 and will include a subnet mask like 255.255.255.0.  This is used to establish the &#8220;network&#8221; that an IP address is a member of. An IPv6 address is radically different, with 8 hexadecimal (from 0000 to FFFF) numbers separated by a colon (:), then following up with a subnet mask in CIDR notation. An example of an IPv6 address (in this case, ipv6.google.com) is 2001:4860:4002:0802:0000:0000:0000:1010.  Rather than spell all that out, you can use :: to represent one contiguous block of zeros, and leading zeros can be removed.  The formidable example address now becomes slightly less scary: 2001:4860:4002:802::1010.  Another example of an IPv6 address in this &#8220;compressed&#8221; notation would be the IP address for Facebook, 2620:0:1cfe:face:b00c::3 (faceb00c, lol). Yet another funny IPv6 address is cisco.com, at 2001:420:80:1:c:15:c0:d06:f00d (c15co, f00d).</p>
<h2>Some differences in IPv4 and IPv6</h2>
<p>The biggest difference in IPv6 from a network standpoint is that it virtually eliminates the requirement for Network Address Translation.  Instead of proxying an IP address for multiple home networks/hosts, your IPv6 network is fully routable, meaning that you can access your home computer from the Internet without the need of using port forwarding or IP masquerading.  While you technically can NAT an IPv6 address, it&#8217;s no longer an absolute requirement for Internet access. Because the Internet can now access your network, it is especially important that your firewall is configured to deny incoming connections from the Internet and explicitly allow connections on an as-needed basis (like running a web server from home, etc..). We will establish a common ruleset later on, once we have completed the IPv6 configuration.</p>
<p>Another significant change in IPv6 is changes made to the DHCP protocol.  Instead of a DHCP server telling a host what the default gateway is for the attached network, the host will instead listen for a router advertisement and will use that in its internal routing table to know how to get to the public Internet.  This router advertisement is handled by radvd which announces the router&#8217;s IP address to the network.</p>
<h2>A few things to consider</h2>
<p>When <a href="http://www.worldipv6day.org/" target="_blank">World IPv6 Test Day</a> was enacted and executed last June, many major websites went online and started offering IPv4 and IPv6 dual stack websites for the purpose of testing the world&#8217;s readiness for IPv6.  Many important things were discovered that day, including the fact that most CPE devices (like Linksys routers, DSL and Cable modems and other devices) were not IPv6 compatible.  This was later broadened to include many Internet-connected devices like DVRs, media machines and other devices that were also not ready for IPv6. While some sites maintain IPv6 connectivity, many sites dropped their IPv6 connectivity once World IPv6 Test Day closed.</p>
<p>Before you start out on bringing IPv6 into your network, it is important to understand that IPv6 is still regarded as being an experimental protocol. Most of the sites you are used to won&#8217;t work in a pure IPv6 environment so we are going to set up a dual-stack network.  This means that you will be able to bring in IPv6 connectivity for IPv6 only sites and still be able to access your IPv4 sites just like your network has done in the past.</p>
<p>It is also important to realize that most embedded class devices will not use IPv6.  Devices like embedded media players, game systems, WiFi access points, printers and the like  may not support IPv6 even with firmware updates from the manufacturer.  Some devices may get support later on through vendor updates however many devices will probably not work.</p>
<p>At the very least you will learn a lot about IPv6 deployment, and you will have plenty of time to test your equipment prior to IPv6 becoming mandatory.</p>
<h1>Enough of the theory already, Let&#8217;s get started.</h1>
<p>In order to bring IPv6 into your home, we will be using an IPv6 tunnel provided by Hurricane Electric&#8217;s <a href="http://tunnelbroker.net/" target="_blank">TunnelBroker.net</a> service.  The service is free, and they provide you with a full /64 IPv6 network to play with.  In addition, they provide a certification service to test your IPv6 knowledge and skills once your IPv6 connectivity is up and running.  They give you a series of goals to accomplish even after your tunnel is up and you&#8217;re routing away, plus it makes for great bragging rights.</p>
<p>In order to pull this off, you&#8217;ll need the following:</p>
<ul>
<li>PfSense 2.0 installed and working as the edge router on your network.</li>
<li>A client computer for testing. (Windows XP, Windows Vista, Windows 7, Linux, etc.)</li>
<li>Network switch, etc to make sure your client computer is connected to your router.</li>
<li>A WAN Internet connection.  (DHCP, Static, PPPoE, etc does not matter as long as it&#8217;s broadband)</li>
</ul>
<p><strong>Please Note:</strong> Due to the fact that we are using git to sync experimental code, you <strong>cannot</strong> use pfSense Embedded.  I tried to find a way around this, but unfortunately even at the 4GB disk image size, I was never able to get it to fit and work.</p>
<p>The IPv6 configuration will be split up into six sections:</p>
<ol>
<li>Configuring your existing pfSense router to sync up the latest IPv6 code.</li>
<li>Registering for an IPv6 Tunnel from Hurricane Electric.</li>
<li>Configuring pfSense for the tunnel, and DHCPv6.</li>
<li>Configuring workstations for IPv6.</li>
<li>Performing website testing</li>
</ol>
<h2>1: Sync up the latest IPv6 code</h2>
<p>We&#8217;ll start off with our already established and running pfSense router. We will need to enable SSH on the router so we can get to the commandline.  This will be the only time you will need to access the commandline however I do recommend leaving it enabled so you can troubleshoot the IPv6 connection later on.</p>
<p>Start off by logging into the router.  Click on &#8220;System&#8221;, then &#8220;Advanced&#8221;.  Place a check box next to &#8220;Enable Secure Shell&#8221;.  If you don&#8217;t want to use the standard port of &#8220;22&#8243;, you can specify a different port below.  Scroll down to the bottom and hit &#8220;Save&#8221;.  Don&#8217;t worry about opening up your SSH port, this does not enable it on the WAN interface.</p>
<div id="attachment_1055" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/enablessh.png"><img class="size-medium wp-image-1055 " title="Enabling SSH" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/enablessh-300x196.png" alt="Enabling SSH" width="300" height="196" /></a><p class="wp-caption-text">Enabling SSH in pfSense</p></div>
<p>Open up PuTTY and type in the IP address of your router.  If you specified an SSH port, be sure to specify it here as well.  For reference, here is my PuTTY configuration.</p>
<div id="attachment_1056" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/enablessh2.png"><img class="size-medium wp-image-1056 " title="PuTTY settings" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/enablessh2-300x287.png" alt="PuTTY settings" width="300" height="287" /></a><p class="wp-caption-text">PuTTY settings</p></div>
<p>Upon successful connection, you will be prompted for a username.  Use the same username and password you use for the Web UI (admin/pfsense).  Once you have successfully logged in, you will get the same status screen like you see on the serial port showing the WAN and LAN statuses and a menu.</p>
<div id="attachment_1057" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession.png"><img class="size-medium wp-image-1057 " title="SSH menu" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession-300x240.png" alt="SSH menu" width="300" height="240" /></a><p class="wp-caption-text">SSH menu</p></div>
<p>Select option 8 (Shell) and then type in the following command:  <strong>pkg_add -r http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-8.1-release/Latest/git.tbz</strong>  This will install GIT and perform the update.  This will take several minutes to download and install all of the packages required to perform the sync.</p>
<div id="attachment_1058" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession2.png"><img class="size-medium wp-image-1058 " title="Installing Git" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession2-300x240.png" alt="Installing Git" width="300" height="240" /></a><p class="wp-caption-text">Installing Git</p></div>
<p>Once it has completed, type in <strong>exit</strong> or hit Ctrl-D to return to the SSH menu. At the SSH menu, type option <strong>12</strong> for the &#8220;pfSense Developer Menu&#8221;.</p>
<div id="attachment_1059" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession3.png"><img class="size-medium wp-image-1059 " title="Accessing the Developer Shell" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession3-300x240.png" alt="Accessing the Developer Shell" width="300" height="240" /></a><p class="wp-caption-text">Accessing the Developer Shell</p></div>
<p>Now we will do the GIT sync. It is important to follow these instructions exactly as this is where the current running pfSense code is synched up with the pfSense developer code.    At the pfSense developer shell prompt, type in <strong>playback gitsync</strong> and hit enter.</p>
<div id="attachment_1060" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession4.png"><img class="size-medium wp-image-1060 " title="Performing the Git sync" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession4-300x240.png" alt="Performing the Git sync" width="300" height="240" /></a><p class="wp-caption-text">Performing the Git sync</p></div>
<p>You will be prompted for the git branch to sync against.  Type in <strong>master</strong> and hit enter.  The next prompt will be for a custom RCS branch, just hit enter as we want to use the master branch only.  After you hit enter, the GIT Sync will begin.</p>
<div id="attachment_1061" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession5.png"><img class="size-medium wp-image-1061 " title="Specifying the Git Branch" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession5-300x240.png" alt="Specifying the Git Branch" width="300" height="240" /></a><p class="wp-caption-text">Specifying the Git Branch</p></div>
<p>Ok, now here&#8217;s the kicker.  <strong><em><span style="text-decoration: underline;">You must reboot!</span></em></strong> In the screenshot below, it looks like the upgrade has terminated and the device has restarted services however there are settings that have been changed that will only take effect on the next reboot.  The SSH Session should drop you back to the main SSH menu (what you saw when you initially logged in).  From here, select option <strong>5</strong> and answer <strong>y</strong> to reboot the device.</p>
<div id="attachment_1062" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession6.png"><img class="size-medium wp-image-1062 " title="Reboot after your SSH session gets terminated" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/sshsession6-300x240.png" alt="Reboot after your SSH session gets terminated" width="300" height="240" /></a><p class="wp-caption-text">Reboot after your SSH session gets terminated</p></div>
<p>When the router has successfully rebooted, check that your Internet connection works and that all is working well.  The one thing that remains is to set up an ICMP rule to allow Hurricane Electric to ping your WAN interface.  This is required as part of the tunnel setup. Login to your router, click on &#8220;<strong>Firewall</strong>&#8220;, then &#8220;<strong>Rules</strong>&#8220;.  Click the &#8220;+&#8221; add button at the bottom and add a new rule.  Set the interface to <strong>WAN</strong>, protocol to <strong>ICMP</strong>, and ICMP Type to <strong>Any</strong>.  (This can be modified later).  For the source, set the type to &#8220;<strong>Single Host or Alias</strong>&#8221; and enter the IP address of <strong>66.24.2.74</strong>.  This is the IP address of the IPv6 test endpoint.  Set the destination to &#8220;<strong>WAN Address</strong>&#8221; and lastly, enter a description.   Refer to the screenshot below if you need help.</p>
<div id="attachment_1063" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/wanping.png"><img class="size-medium wp-image-1063  " title="WAN Ping rule" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/wanping-300x257.png" alt="WAN Ping rule" width="300" height="257" /></a><p class="wp-caption-text">WAN Ping rule</p></div>
<p>Now that everything is in place in your router, it&#8217;s time to get your tunnel.</p>
<h2>2: Registering with Hurricane Electric</h2>
<p>Now that our router is prepped for the IPv6 installation, it&#8217;s time to register the account with Hurricane Electric.  Head on over to <a title="Hurricane Electric Tunnel Broker" href="http://tunnelbroker.net/" target="_blank">tunnelbroker.net</a> and register an account.  Once you&#8217;ve registered the account, you will get an email with the account information and a validation link.  After you validate, click on the &#8220;Create Regular Tunnel&#8221; on the left hand sidebar and you will be provided a form similar to the one in the screenshot below.  Be sure to select an endpoint that is as geographically close to you as possible or let the tool recommend the closest endpoint.  (Note: Hurricane Electric allows you to create up to five tunnels. If this is your first tunnel, you will not see the &#8220;You currently have 1 of 5 tunnels&#8221; message.)  Type your WAN IP address into the &#8220;IPv4 Endpoint&#8221; field, select the endpoint, then scroll down and hit &#8220;Create Tunnel&#8221;.</p>
<div id="attachment_1067" class="wp-caption aligncenter" style="width: 263px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel1.png"><img class="size-medium wp-image-1067 " title="Hurricane Electric Tunnel Setup" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel1-253x300.png" alt="Hurricane Electric Tunnel Setup" width="253" height="300" /></a><p class="wp-caption-text">Hurricane Electric Tunnel Setup</p></div>
<p>After your tunnel has been successfully created, you will get a page that shows your tunnel information.  At the bottom of the page, you will notice that the rDNS delegation fields are blank. Click the &#8220;delegate to dns.he.net&#8221; link to autofill the reverse nameservers with Hurricane Electric&#8217;s default nameservers.  Click &#8220;Save&#8221; to commit the changes, then print this page. You will need it for the pfSense page.  Keep in mind that the tunnel IP address and the Routed /64 are off by <strong><span style="text-decoration: underline;">one digit</span></strong>. This will be important later on.</p>
<div id="attachment_1068" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel2.png"><img class="size-medium wp-image-1068 " title="Tunnel Information Page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel2-300x286.png" alt="Tunnel Information Page" width="300" height="286" /></a><p class="wp-caption-text">Tunnel Information Page</p></div>
<p>If you are on a dynamic IP connection (DSL, Cable Internet, FiOS, etc&#8230;), there&#8217;s one more thing you need to be aware of.  Should your WAN IP change, you will need to update your tunnel. When you login to Hurricane Electric, you will get a page similar to the below, showing all of the configured tunnels on your account.</p>
<div id="attachment_1069" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel3.png"><img class="size-medium wp-image-1069 " title="Tunnel List Page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel3-300x205.png" alt="Tunnel List Page" width="300" height="205" /></a><p class="wp-caption-text">Tunnel List Page</p></div>
<p>To edit the tunnel, click on the tunnel name and you&#8217;ll be taken to the Tunnel Information page.  Click on the Client IPv4 address and make your IP change then simply click elsewhere on the page (not on a link) and wait for the text field to turn back to a link.  If it does not, it will provide an error message indicating the error (usually that it can not ping the WAN).</p>
<div id="attachment_1070" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel4.png"><img class="size-medium wp-image-1070 " title="WAN IP Setup Error" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/11/hetunnel4-300x297.png" alt="WAN IP Setup Error" width="300" height="297" /></a><p class="wp-caption-text">WAN IP Setup Error</p></div>
<h2>3: Configuring pfSense</h2>
<h3>Building up our tunnel endpoint</h3>
<p><strong>Note</strong>:  From here on out, I will be using the example IPs of <strong>2001:470:1234:567<span style="text-decoration: underline;">8</span>::</strong> for the IPv6 tunnel and <strong>2001:470:1234:567<span style="text-decoration: underline;">9</span>::</strong> for the Routed /64.  In your tunnelbroker.net configuration, you should have a similar offset (your tunnel is one IP less than your routed netblock).  Please keep this in mind as we go through the next steps as you can not get the two confused.</p>
<p>We have a synched router and we have our tunnel configuration. Now it&#8217;s time to start configuring pfSense.  We will start out by building out the tunnel endpoint. Login to the router and click on <strong>Interfaces &gt; Assign</strong> and click on the <strong>GIF</strong> tab.  We will be adding a GIF tunnel in order to bring in the IPv6 connectivity to our router. GIF uses <a href="http://www.ietf.org/rfc/rfc2893.txt" target="_blank">RFC2893</a> to encapsulate IPv6 into an IPv4 packet.  When we receive an encapsulated packet, pfSense will &#8220;unpack&#8221; it and reassemble it into an IPv6 packet before acting on it according to the firewall policy.  On the GIF tab, click the &#8220;<strong>+</strong>&#8221; link and enter your IPv6 tunnel endpoint information.</p>
<ul>
<li>Parent Interface should be set to WAN</li>
<li>GIF Remote Address should be the &#8220;Server IPv4 address&#8221;</li>
<li>GIF Tunnel Local Address should be the &#8220;Client IPv6 address&#8221;</li>
<li>GIF Tunnel Remote Address should be the &#8220;Server IPv6 address&#8221;</li>
<li>Description should be something descriptive but can be freeform.</li>
</ul>
<div id="attachment_1076" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense1.png"><img class="size-medium wp-image-1076" title="GIF interface page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense1-300x167.png" alt="GIF interface page" width="300" height="167" /></a><p class="wp-caption-text">GIF interface page</p></div>
<p>Once complete, hit &#8220;Save&#8221;. This will add the tunnel endpoint to the router. Click on <strong>Interface Assignments</strong> so we can assign it to a virtual interface.  To do this, click on the &#8220;<strong>+</strong>&#8221; icon and the GIF tunnel should show up as an OPT interface as shown in the screenshot below.</p>
<div id="attachment_1077" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense2.png"><img class="size-medium wp-image-1077" title="Interfaces page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense2-300x124.png" alt="Interfaces page" width="300" height="124" /></a><p class="wp-caption-text">Interfaces page</p></div>
<p>Now we need to configure the OPT interface. Click on <strong>Interfaces &gt; OPT1</strong>.  This will be the equivalent to the &#8220;WAN&#8221; of our IPv6 network.  Since it has never been used before, it is disabled by default. Place a checkbox next to &#8220;<strong>Enable Interface</strong>&#8221; which will add the IPv6 configuration section shown here. Set the <strong></strong></p>
<p>Click on the text &#8220;<strong>Add a new one</strong>&#8221; in the Gateway section and enter the configuration as shown.</p>
<ul>
<li>Default v6 Gateway should be <strong>Checked</strong>.</li>
<li>Gateway Name IPV6 is a brief one-word name to help you identify the gateway.  I have chosen &#8220;IPV6GW&#8221;.</li>
<li>Gateway IPv6 should be the <strong>Server IPv6 Address</strong>.</li>
<li>Description is an arbitrary length text to describe this gateway definition.</li>
</ul>
<p>When you&#8217;re done, you should have something similar to what is in the below screenshot.  For some reason, the gateway text showed up very small, so I increased the zoom so it was readable.</p>
<div id="attachment_1078" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense3.png"><img class="size-medium wp-image-1078" title="IPV6WAN setup" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense3-300x288.png" alt="IPV6WAN setup" width="300" height="288" /></a><p class="wp-caption-text">IPV6WAN setup</p></div>
<p>Click on &#8220;<strong>Save Gateway</strong>&#8221; first to commit the gateway information. You should see the IPv6 gateway show up in a dropdown.  Next, scroll down and click &#8220;<strong>Save</strong>&#8221; to save the Interface information.  Finally, click &#8220;<strong>Apply Changes</strong>&#8221; to apply the interface configuration and start the tunnel.  You can validate the tunnel&#8217;s operation by checking the dashboard (click on the pfSense logo).  If you don&#8217;t have the Interfaces and the Gateways windows, they can be added by clicking on the &#8220;<strong>+</strong>&#8221; and selecting the relevant options.</p>
<div id="attachment_1079" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense4.png"><img class="size-medium wp-image-1079" title="Dashboard status page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense4-300x228.png" alt="Dashboard status page" width="300" height="228" /></a><p class="wp-caption-text">Dashboard status page</p></div>
<p>Now that the endpoint is up and running, it&#8217;s time to configure the LAN interface.</p>
<h3>Setting up the LAN interface</h3>
<p>Since we&#8217;re running in a dual-stack configuration, we are going to just add the IPv6 information to the existing IPv4 interface.  As an option, you could theoretically set up a VLAN and a new LAN interface and create an IPv6 only network.  This is something I&#8217;m planning on my network and something I&#8217;m sure I&#8217;ll cover in another article. Let&#8217;s start off by pulling up the LAN configuration via <strong>Interfaces &gt; LAN</strong>.</p>
<p>First thing to do is set the <strong>IPv6 Configuration Type</strong> to <strong>Static IPv6</strong>. This will show the IPv6 configuration section.  Enter the first IP address in the Routed /64 section from the tunnel information.  When complete, you should have something like the screenshot below.  Scroll down and hit <strong>Save</strong> to write the settings, then <strong>Apply</strong> to make the new settings active.</p>
<div id="attachment_1080" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense5.png"><img class="size-medium wp-image-1080" title="LAN configuration page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense5-300x279.png" alt="LAN configuration page" width="300" height="279" /></a><p class="wp-caption-text">LAN configuration page</p></div>
<h3>Setting up DHCPv6</h3>
<p>In order to bring the IPv6 configuration to your workstations, we will set up DHCPv6.  This is entirely optional, as right now you could go ahead and set up static IPv6 addresses just as well as using DHCP. However, rather than typing insanely large addresses into all of your workstations, it&#8217;s easier and faster to set up DHCPv6 and let the client OSes pull the DHCPv6 configuration as needed.  To get started, click on <strong>Services &gt; DHCPv6 Server</strong> and then on the <strong>LAN</strong> tab.</p>
<ul>
<li>Set the <strong>Router Advertisements</strong> to <strong>Assisted</strong>.  This controls the radvd daemon mentioned earlier.  By setting the mode to &#8220;Assisted&#8221;, you are telling radvd to perform router advertisements on the local network. The radvd broadcasts are used by the DHCP client applications to set the default router.</li>
<li>Place a check next to <strong>Enable the DHCPv6 server on the LAN interface</strong>.</li>
<li>Enter the desired start and end addresses for your network DHCP range. Please note that unlike the &#8220;short notation&#8221; using the double colon, you must explicitly declare the zeroes for all groups.  In my example, I&#8217;m using 2001:470:1234:5679:0:0:0:100 as my start point and 2001:470:1234:5679:0:0:0:200 as my end point, allocating 256 addresses to DHCP (remember, IPv6 addresses are hexadecimal.)</li>
<li>Enter the Anycasted IPv6 DNS server from the Hurricane Electric tunnel configuration into the DNS server field.</li>
</ul>
<div id="attachment_1081" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense6.png"><img class="size-medium wp-image-1081" title="DHCPv6 configuration" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense6-300x282.png" alt="DHCPv6 configuration" width="300" height="282" /></a><p class="wp-caption-text">DHCPv6 configuration</p></div>
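<p>Because the tunnel /64 and the Routed /64 differ by a single digit, it is easy to put a LAN or DHCPv6 address in the wrong one. The following is an added example (not part of the original article or of pfSense) that checks an address plan before you type it into the router and prints the DHCPv6 range without the :: shorthand. The prefixes and the DHCP range are the article&#8217;s example values; the ::1 and ::2 tunnel endpoints and all function and key names are assumptions made for the illustration.</p>

```python
import ipaddress

# Constructed sample plan built from the article's example prefixes.
# The ::1 / ::2 host parts of the tunnel ends are assumed values.
GOOD_PLAN = {
    "tunnel_net": "2001:470:1234:5678::/64",   # tunnel /64
    "routed_net": "2001:470:1234:5679::/64",   # Routed /64
    "gif_remote": "2001:470:1234:5678::1",     # "Server IPv6 address"
    "gif_local":  "2001:470:1234:5678::2",     # "Client IPv6 address"
    "lan_addr":   "2001:470:1234:5679::1",     # first address of the Routed /64
    "dhcp_start": "2001:470:1234:5679::100",
    "dhcp_end":   "2001:470:1234:5679::200",
}

ADDRESS_KEYS = ("gif_remote", "gif_local", "lan_addr", "dhcp_start", "dhcp_end")


def no_shorthand(addr):
    """Write all eight groups with no '::', leading zeros dropped."""
    value = int(ipaddress.IPv6Address(addr))
    return ":".join(format((value >> shift) & 0xFFFF, "x")
                    for shift in range(112, -1, -16))


def check_plan(plan):
    """Return a list of problems found in a tunnel/LAN/DHCPv6 address plan."""
    problems = []
    tunnel = ipaddress.IPv6Network(plan["tunnel_net"])
    routed = ipaddress.IPv6Network(plan["routed_net"])
    addr = {key: ipaddress.IPv6Address(plan[key]) for key in ADDRESS_KEYS}

    if tunnel.overlaps(routed):
        problems.append(f"tunnel prefix {tunnel} overlaps routed prefix {routed}")

    # Both ends of the GIF tunnel live in the tunnel /64.
    for key in ("gif_remote", "gif_local"):
        if addr[key] not in tunnel:
            problems.append(f"{key} {addr[key]} is outside the tunnel prefix {tunnel}")
    if addr["gif_remote"] == addr["gif_local"]:
        problems.append("gif_remote and gif_local are the same address")

    # The LAN interface must use the Routed /64, never the tunnel /64.
    if addr["lan_addr"] in tunnel:
        problems.append(f"lan_addr {addr['lan_addr']} is in the tunnel prefix; "
                        f"use the routed prefix {routed}")
    elif addr["lan_addr"] not in routed:
        problems.append(f"lan_addr {addr['lan_addr']} is outside the routed prefix {routed}")

    # The DHCPv6 pool must sit inside the Routed /64 and not cover the router.
    for key in ("dhcp_start", "dhcp_end"):
        if addr[key] not in routed:
            problems.append(f"{key} {addr[key]} is outside the routed prefix {routed}")
    if addr["dhcp_start"] > addr["dhcp_end"]:
        problems.append("dhcp_start is higher than dhcp_end")
    elif addr["dhcp_start"] <= addr["lan_addr"] <= addr["dhcp_end"]:
        problems.append("lan_addr falls inside the DHCPv6 pool")

    return problems


if __name__ == "__main__":
    for line in check_plan(GOOD_PLAN) or ["plan looks consistent"]:
        print(line)
    print("DHCPv6 range start:", no_shorthand(GOOD_PLAN["dhcp_start"]))
    print("DHCPv6 range end:  ", no_shorthand(GOOD_PLAN["dhcp_end"]))
```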
<h3>Configure some Firewall rules</h3>
<p>At this point, we have the router configured however without some firewall rules in place, we will not be able to route out or get a DHCP address. We will need to add a rule so that our IPv6 traffic can get out.  Click on <strong>Firewall -&gt; Rules</strong> then click on the <strong>LAN</strong> tab.  We are going to duplicate the outbound rule created for the LAN outbound.   In the rule listing, click on the &#8220;<strong>+</strong>&#8221; icon to the right of the IPv4 outbound rule and change the protocol from IPv4 to IPv6.  Once done, hit <strong>Save</strong> then <strong>Apply</strong>.  When you&#8217;re done, your LAN rules should look like the below.</p>
<div id="attachment_1082" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense7.png"><img class="size-medium wp-image-1082" title="Duplicated Firewall rules" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/pfsense7-300x109.png" alt="Duplicated Firewall rules" width="300" height="109" /></a><p class="wp-caption-text">Duplicated Firewall rules</p></div>
<h2> 4: Configure your workstations</h2>
<p>After you get the router configured, it&#8217;s time to set up a workstation.  For this test, I used a Linux box and a Windows 7 workstation.  For Windows, all that is needed is to make sure that the NIC has IPv6 support bound to it.  To do this, go to the Network and Sharing Center and click on the &#8220;Adapter Settings&#8221; on the left hand sidebar.  Right click the adapter and go to Properties.  Make sure that IPv6 is listed and checked as shown below:</p>
<div id="attachment_1085" class="wp-caption aligncenter" style="width: 248px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/ipv6nic.png"><img class="size-medium wp-image-1085" title="Windows 7 Network protocols list" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/ipv6nic-238x300.png" alt="Windows 7 Network protocols list" width="238" height="300" /></a><p class="wp-caption-text">Windows 7 Network protocols list</p></div>
<p>To test that it&#8217;s working properly, open up a command prompt and check to see that ipconfig is showing the proper IP address.  Disregard any fe80:: addresses as these are link-local and not routable for our purposes. Your output should look something similar to my output below:</p>
<div id="attachment_1086" class="wp-caption aligncenter" style="width: 289px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/ipconfig.png"><img class="size-medium wp-image-1086" title="Windows 7 ipconfig" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/ipconfig-279x300.png" alt="Windows 7 ipconfig" width="279" height="300" /></a><p class="wp-caption-text">Windows 7 ipconfig</p></div>
<p>In Linux, the setup is even easier.   Most Linux operating systems already have IPv6 enabled, so it&#8217;s just a matter of pulling an IP address.  Run <strong>sudo dhclient -6 -v {interface}</strong> where {interface} is your network interface.  In my output below, I am using wlan0.  The <strong>-v</strong> parameter is optional; it only shows what dhclient is doing and that it picked up the address from pfSense.</p>
<div id="attachment_1088" class="wp-caption aligncenter" style="width: 217px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/Screenshot-Terminal.png"><img class="size-medium wp-image-1088" title="Linux dhcpcd output" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/Screenshot-Terminal-207x300.png" alt="Linux dhcpcd output" width="207" height="300" /></a><p class="wp-caption-text">Linux dhcpcd output</p></div>
<p>This next screenshot shows <strong>ifconfig</strong> with three IP addresses: one IPv4 address, one link-local IPv6 address and the routable IPv6 address.</p>
<div id="attachment_1089" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/Screenshot-Terminal-1.png"><img class="size-medium wp-image-1089" title="Linux ifconfig output" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/Screenshot-Terminal-1-300x131.png" alt="Linux ifconfig output" width="300" height="131" /></a><p class="wp-caption-text">Linux ifconfig output</p></div>
<p>If you want to make the IPv6 settings permanent, you can set this information in Network Manager.  Edit your existing network connection, click on <strong>IPv6 Network</strong>, set the &#8220;Method&#8221; dropdown to <strong>Automatic</strong> and hit <strong>Save</strong>.  I didn&#8217;t provide screenshots on this because it depends on the network type and connection name and it ended up being way more complex than necessary.  IPv6 connectivity should work on both wired and wireless Ethernet adapters.</p>
<h2>5: Time to test!</h2>
<p>Several sites offer IPv6 testing and IPv6/v4 dual-stack testing. My favorite is <a href="http://test-ipv6.net" target="_blank">http://test-ipv6.net</a>.  The site does IPv6 and IPv4 dual-stack testing and ensures that you are able to connect to IPv6 and IPv4 sites.  You can also test by browsing to <a href="http://ipv6.google.com" target="_blank">http://ipv6.google.com</a>, which is an IPv6-only site.   If all goes well, you should receive output like the below:</p>
<div id="attachment_1090" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/testipv6com.png"><img class="size-medium wp-image-1090" title="Test-ipv6.com test results" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/12/testipv6com-300x159.png" alt="Test-ipv6.com test results" width="300" height="159" /></a><p class="wp-caption-text">Test-ipv6.com test results</p></div>
<h1>So, what now?</h1>
<p>With IPv6 properly working on your network, you are good to go; however, there&#8217;s probably not much to look at.  Most of the sites I tested were IPv4 only and the few IPv6 sites I could find were mostly broken.    From a consumer-side standpoint, you will notice no difference in the operation of websites.  From a server standpoint, each IP address is routable, meaning that each and every IP in your netblock can run web-accessible services.  The thing now is to pay close attention to your firewall.</p>
<p><strong>Remember that all IPs are routable!</strong>  Prior to this setup, your router implicitly &#8220;protected&#8221; your LAN by using network address translation. By default, the router would allow LAN connections to exit the router but any unsolicited connection from the Internet could not access the LAN workstations due to how NAT works.  We used port forwarding to allow outside Internet computers inside to access local services.  IPv6 has no such requirement and all IPv6 addresses are public.  You need to make sure that your router&#8217;s firewall is set up properly and only allows incoming connections to IPs as needed by your network.  Our firewall configuration is set up with a default deny policy with an explicit LAN outbound rule.  This means that inside IPv6 addresses can surf the Internet uninhibited but any unsolicited connection from the Internet is automatically blocked.</p>
<p><strong>Test your network devices!</strong> Test all of your devices, from your computers to your smartphones, printers and anything else that plugs into the network.  You&#8217;ll get a quick idea of what works on IPv6 and what doesn&#8217;t. You&#8217;ll also have a good idea of which manufacturers and devices to check for firmware updates in order to get ready for when IPv6 goes live.</p>
<p>For further things to do with your tunnel, take a look at Hurricane Electric&#8217;s IPv6 certification test.  The IPv6 certification test will test your knowledge of IPv6 and setting up various services on an IPv6 server including email and a Web server.  It&#8217;s a good idea to give it a shot so you can get experience working with the new IPv6 network.</p>
<p>Hopefully all went well in your IPv6 configuration and you&#8217;re up and running. If not, post a reply and I&#8217;ll try my best to help out.</p>
<p>Happy Hacking!<br />
FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/12/01/networking-bringing-ipv6-into-your-network-using-pfsense/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Networking: Installing and configuring pfSense Embedded</title>
		<link>http://www.yourwarrantyisvoid.com/2011/11/11/networking-installing-and-configuring-pfsense-embedded/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/11/11/networking-installing-and-configuring-pfsense-embedded/#comments</comments>
		<pubDate>Sat, 12 Nov 2011 02:54:03 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Embedded devices]]></category>
		<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[pfSense]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=969</guid>
		<description><![CDATA[After publishing the last post on networking and the security series, I felt it was necessary to go ahead and publish a piece on building a custom router.  I have been a fan of pfSense for the past four years and swear by it. It has the ease of use of a commercial GUI-driven router [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-970" title="pfSense Logo" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/pfsenselogo.png" alt="pfSense Logo" width="300" height="110" /></p>
<p>After publishing the last post on networking and the security series, I felt it was necessary to go ahead and publish a piece on building a custom router.  I have been a fan of pfSense for the past four years and swear by it. It has the ease of use of a commercial GUI-driven router and unrivaled flexibility limited only by the hardware it is installed on.  In this howto article, we will cover installing pfSense on an embedded platform and initial configuration for getting your router up and running.</p>
<p><span id="more-969"></span></p>
<h3>First, an introduction to pfSense</h3>
<p>pfSense is a lightweight FreeBSD based distribution geared towards router and firewall installations. It has been around since 2004 when it was forked from the m0n0wall project and has since turned into an excellent stand-alone distribution for routing and firewalling.  Although pfSense is generally intended for full-PC installations, they offer an embedded image for use without skimping on the features.  pfSense is well known in the Linux/Unix/BSD community and is very highly regarded for both its feature set and its flexibility.</p>
<p>A question I get asked a lot is &#8220;Why pfSense? Why not just buy a Linksys?&#8221;  The answer is about hardware and software.  While I do own a couple of Linksys routers and do admire Linksys for bringing NAT devices to the common user, their hardware is restrictive and is only usable in the standard configuration (1 WAN and 4 LAN/WIFI). Even though it has been proven several times that the hardware they use for the LAN portion can support advanced features like VLAN support, bridging, multiple interfaces/IP&#8217;s, they will never release this functionality to those that want it and will instead force the advanced user to look elsewhere. In Linksys&#8217;s view, the router dictates the network.  With pfSense, I can build a custom configuration however I deem fit, with multiple NICs for WAN and LAN, with custom configurations and with VLAN support.  Not to mention that &#8220;stock&#8221; pfSense even supports DHCP, Captive Portal (like &#8220;free wifi&#8221;), DNS, VPN support, Fail Over mode and many other options that Linksys wouldn&#8217;t ever make available.  Even if I never use VPN support or use the Failover mode, it&#8217;s nice to know those features are there should I ever need them.</p>
<h3>Hardware Requirements:</h3>
<p>In order to use pfSense Embedded, you will need a computer that adheres to the below spec.  Of course more is better, but these are the minimum specs as posted on the pfSense website.</p>
<ul>
<li>CPU: 100MHZ x86 Pentium or equivalent.</li>
<li>RAM: 128 MB RAM</li>
<li>Serial Port</li>
<li>512MB Flash storage or 1GB hard drive</li>
<li>Two Network Adapters (NICs)</li>
</ul>
<p>Please note that some of the advanced features like VPN support, Captive Portal and some high-bandwidth connections may require faster processors than what is outlined above.  If you want to make sure your embedded platform matches spec, take a look at <a href="http://www.pfsense.org/index.php?option=com_content&amp;task=view&amp;id=52&amp;Itemid=49">pfSense&#8217;s hardware sizing guide</a> which covers some of the items more in depth.</p>
<h3>A note on storage:</h3>
<p>The pfSense distribution comes in two flavors.  You have the &#8220;desktop PC&#8221; version for full-size computers with a CD ROM and a hard drive, and you have an &#8220;embedded&#8221; version which is for devices without a CDROM or hard drive and use some method of flash storage.  While you may be able to install the desktop PC version on the embedded device, it is not recommended as the distribution will be tailored for running on a hard drive, not a solid state memory device.  If you intend to use a hard drive, install the PC version.</p>
<p>You can use any IDE device for storage as long as it is recognized by your computer&#8217;s BIOS and is supported by FreeBSD.  I have not had a problem with either of these two stipulations, so you should not have any problems with it. One thing to consider is the use of an IDE to CF adapter <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16822998003">like this one on Newegg</a>.  This particular device fits right into the IDE header on the motherboard and allows you to use a Compact Flash cartridge as an IDE hard drive which is perfect for installing and running pfSense.  The router in my home is a slightly different model, but is running on a Sandisk 4GB CF cartridge and has been doing so for the last two years without fail.</p>
<h3>My hardware:</h3>
<p>In this howto, I will be using a Transcend 1GB IDE solid-state device that I got on Ebay. This device plugs into the 40 pin IDE header and mimics a standard hard drive.  It is fast and will definitely get the job done.  The hardware I will be using is a set top box device I scavenged from a computer show a long time ago.  It has a 233MHz Cyrix processor, 512MB RAM, an onboard serial port, an IDE port, an onboard NIC and a single PCI riser slot where I will be installing a dual 10/100 Intel NIC.</p>
<h3>Getting Started:</h3>
<p>If you are using the CF to IDE adapter mentioned earlier, you can use a USB-CF reader and an application to burn the image to the CF cartridge.</p>
<p>In order to proceed, you will need the following items</p>
<ul>
<li>A Linux based computer with one free IDE port</li>
<li>An IDE-CF adapter with an appropriately sized CF card minimum 512MB, recommended 1GB, referred hereafter as flash cartridge.</li>
<li>The &#8220;target system&#8221; that will ultimately run pfSense with at least two NICs.</li>
<li>A third NIC (optional, for guest network, discussed in the &#8220;Advanced&#8221; section below).</li>
<li>A serial cable (Female to Female) and a Null Modem Adapter.</li>
<li>A pocket switch with a small patch cord.</li>
</ul>
<h3>Identify your Flash device</h3>
<p>First, attach your flash cartridge to your Linux PC and boot it.  Make sure that it boots your Linux distribution first and does not attempt to boot from the flash cartridge.  Once booted, login as root and run <strong>dmesg</strong>. Look for the /dev entry for your flash module.  You may be able to look for the manufacturer name as is the case in my output below:</p>
<div id="attachment_971" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/IDEhd.gif"><img class="size-medium wp-image-971 " title="IDE HDA dmesg output" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/IDEhd-300x128.gif" alt="My Transcend module is listed as hda" width="300" height="128" /></a><p class="wp-caption-text">My dmesg output.</p></div>
<p>In the output above, my Transcend module was recognized as hda (primary master HD), so my /dev entry is /dev/hda.  We will need this later on to burn the image.</p>
<h3>Download, validate, burn:</h3>
<p>Now that we know what device we need to burn to, it&#8217;s time to get the image.  Head on over to <a href="http://www.pfsense.org/mirror.php?section=downloads">the pfSense Mirror selection page</a> and pick a server that&#8217;s closest to you.</p>
<p>You should then be presented with a list of images named <strong>pfSense-1.2.3-RELEASE-XXXX-nanobsd.img.gz</strong> where XXXX is a choice of 512mb, 1g, 2g and 4g images.  In my particular case, I will be using pfSense-1.2.3-RELEASE-1g-nanobsd.img.gz as it is pre-built to a 1gig flash cartridge.</p>
<p>Use <strong>wget</strong> to download the image along with the accompanying .md5 file as shown in the sample output below. Note: URLs in the below image may differ depending on the mirror you are using, but the filenames will be the same.</p>
<div id="attachment_973" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wget.gif"><img class="size-medium wp-image-973 " title="wget download of files" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wget-300x153.gif" alt="wget download of files" width="300" height="153" /></a><p class="wp-caption-text">wget download of files</p></div>
<p>Once both files have downloaded, use <strong>md5sum -c </strong>to check the file for consistency against the provided md5 checksum as shown in the sample output below.</p>
<div id="attachment_974" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/md5sum.gif"><img class="size-medium wp-image-974 " title="md5sum validation" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/md5sum-300x153.gif" alt="md5sum validation" width="300" height="153" /></a><p class="wp-caption-text">md5sum validation</p></div>
<p>If the MD5 check returns <strong>OK</strong> then you are clear to proceed. If not, go back and download the file again. Make sure you downloaded the same file and md5 checksum.  In order to burn it, we will use <strong>zcat</strong> to cat the zipped image out to the /dev entry mentioned earlier.  My syntax will be <strong>zcat pfSense-1.2.3-RELEASE-1g-nanobsd.img.gz | dd of=/dev/hda bs=16k</strong>; however, if your flash cartridge shows up at a location other than /dev/hda, be sure that you change the command above to point to the proper device.  Once the command completes, it should look like this:</p>
<div id="attachment_975" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/burncomplete.gif"><img class="size-medium wp-image-975 " title="Image Burn Completed" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/burncomplete-300x153.gif" alt="Image Burn Completed" width="300" height="153" /></a><p class="wp-caption-text">Image Burn Completed</p></div>
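<p>The validate and burn steps above can be wrapped so that the write only happens once the checks pass, with a read-back comparison afterwards. This is an added example, not part of the original post or the pfSense project; the function names <strong>verify_image</strong> and <strong>write_image</strong> and the <strong>ALLOW_FILE_TARGET</strong> switch are assumptions made for illustration, and it assumes GNU md5sum, gzip and dd on the Linux box.</p>

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# ALLOW_FILE_TARGET switch are hypothetical, chosen for this illustration.
# Note: an .md5 fetched from the same mirror as the image catches a damaged
# download; it does not authenticate the image.

# verify_image IMAGE.gz SUMFILE
# Returns 0 only if SUMFILE names this image, "md5sum -c" reports OK for it
# and the gzip stream itself is intact.
verify_image() {
    img=$1
    sumfile=$2
    [ -r "$img" ] && [ -r "$sumfile" ] || return 2
    # Guard against pairing the image with the .md5 of a different file.
    grep -qF -- "$(basename "$img")" "$sumfile" || return 1
    sumabs=$(cd "$(dirname "$sumfile")" && pwd)/$(basename "$sumfile")
    # md5sum -c resolves the listed filename relative to the current directory.
    ( cd "$(dirname "$img")" && md5sum -c "$sumabs" >/dev/null 2>&1 ) || return 1
    gzip -t "$img" 2>/dev/null || return 1
}

# write_image IMAGE.gz SUMFILE TARGET
# Writes the decompressed image to TARGET only after verify_image succeeds,
# then reads the written bytes back and compares digests.
# Return codes: 1 checksum failure, 3 unsafe target, 4 write error,
# 5 read-back mismatch.
write_image() {
    img=$1
    sumfile=$2
    target=$3

    if ! verify_image "$img" "$sumfile"; then
        echo "refusing to write: checksum verification failed" >&2
        return 1
    fi

    # A typo in the device name would otherwise create a large regular file
    # (or overwrite one). ALLOW_FILE_TARGET=1 permits a dry run to a file.
    if [ ! -b "$target" ] && [ "${ALLOW_FILE_TARGET:-0}" != 1 ]; then
        echo "refusing to write: $target is not a block device" >&2
        return 3
    fi

    # Refuse a device that is mounted, or that has a mounted partition
    # (for example /dev/hda1 when the target is /dev/hda).
    if [ -r /proc/mounts ] && awk -v t="$target" \
        'index($1, t) == 1 { hit = 1 } END { exit !hit }' /proc/mounts; then
        echo "refusing to write: $target or a partition on it is mounted" >&2
        return 3
    fi

    # Same pipeline as in the article.
    zcat "$img" | dd of="$target" bs=16k 2>/dev/null || return 4
    sync

    # Read back exactly as many bytes as were written and compare digests.
    # The read may be served from the page cache, so this mainly catches
    # short or failed writes.
    size=$(zcat "$img" | wc -c | tr -d ' ')
    want=$(zcat "$img" | md5sum | cut -d' ' -f1)
    got=$(head -c "$size" "$target" | md5sum | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        echo "read-back mismatch on $target" >&2
        return 5
    fi
    return 0
}

# Usage, as root, with the article's image, its accompanying .md5 file and
# the device found in dmesg:
#   write_image pfSense-1.2.3-RELEASE-1g-nanobsd.img.gz <md5 file> /dev/hda
```

<p>Any non-zero return means the flash cartridge should not be trusted to boot the router until the image has been downloaded and written again.</p>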
<p>Now that the image burn is done, shut down the Linux box, pull your flash cartridge out and install it in the device that is going to run pfSense.  Go ahead and connect it up but do not attach any network cables to the interfaces just yet.  You will also need to connect the serial cable with a null modem adapter to the device to continue initial setup.</p>
<h3>Initial Configuration and Setup</h3>
<p>Now that we&#8217;ve burned the image, we are ready to do the initial setup.  This entails doing some NIC probing to find the network adapters in the system and to assign them to their respective duties (WAN, LAN, Optional Interface 1, etc).  You should only ever need to do this once as once the NICs are set up and the router is running, you can do everything including re-assign the interfaces from the web-based GUI.</p>
<p>Open up PuTTY, Hypertrm or your favorite terminal application and set the serial port parameters to 9600 baud, no parity, 8 data bits, 1 stop bit.  Turn on the embedded device and after a moment, you should see some BSD boot stuff flash past.  Wait until it prompts you to set up VLAN information as shown below:</p>
<div id="attachment_976" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/vlaninfo.gif"><img class="size-medium wp-image-976 " title="Vlan Setup prompt" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/vlaninfo-300x167.gif" alt="Vlan Setup Prompt" width="300" height="167" /></a><p class="wp-caption-text">Vlan Setup Prompt</p></div>
<p>If you are lucky, you should see two interfaces, one for each NIC.  If you have three network cards in your system, you will see three different interfaces.  In the above screenshot, I have em0, em1 and fxp0.  Since we will not use VLANs for our basic or our advanced configurations, we will answer &#8220;N&#8221; here.</p>
<p>Now, we will do some network probing to figure out exactly which NIC  goes to which interface using the pocket switch and the patch cord.  Don&#8217;t plug anything in yet.</p>
<div id="attachment_977" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/probelan.gif"><img class="size-medium wp-image-977 " title="Probe for LAN interface" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/probelan-300x167.gif" alt="Probe for LAN interface" width="300" height="167" /></a><p class="wp-caption-text">Probe for LAN interface</p></div>
<p>With nothing plugged into the network interfaces, hit a and hit enter.  This will start the autodetection process. When prompted, attach the pocket switch to the interface you will use as the LAN interface and make sure that the LINK light on the switch and the NIC come on.  Hit Enter and you should see a message where it detected the LAN interface link come up.  It will then prompt you for the WAN interface.  Hit a then enter again and move the patch cord to the WAN interface and hit enter.  Repeat this process for the Optional interface (OPT1) or if your router only has two NICs, just hit enter.  Refer to the below output.</p>
<div id="attachment_978" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/assignednics.gif"><img class="size-medium wp-image-978 " title="Assigned NICs" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/assignednics-300x167.gif" alt="Assigned NICs" width="300" height="167" /></a><p class="wp-caption-text">Assigned NICs</p></div>
<p>Be sure that you only change the patch cord when it tells you to.  If you disconnect the cable at the &#8220;hit A for autodetect&#8221; prompt, it may not detect link when it should.  If you run into this issue, disconnect the patch cord and restart your router.  Allow it to boot up and start over.  Once you get done assigning interfaces, simply hit Enter to exit assignment.  It will print the current assignments of the interfaces and ask you to validate.  Answer Y if the displayed assignments are correct and hit Enter, otherwise hit N and start over or restart the device.</p>
<p>Assuming all went well, you will see it do a bunch of additional configuration.  Once you get to the menu as shown below, you can then disconnect the serial cable and proceed with the configuration of the pfSense router.</p>
<div id="attachment_979" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/configdone.gif"><img class="size-medium wp-image-979" title="Configuration completed" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/configdone-300x167.gif" alt="Configuration Completed." width="300" height="167" /></a><p class="wp-caption-text">Configuration Completed</p></div>
<p>&nbsp;</p>
<h3>Continuing the Configuration</h3>
<p>Connect the pocket switch up to the LAN port of the router and connect your router&#8217;s WAN port to your Internet connection.  Connect a computer to an unused port on the pocket switch and start it up. Once booted, you should have an IP address in the 192.168.1.x subnet and depending on whether or not your Internet connection is DHCP, you may already be able to surf.</p>
<p>Open a browser and go to http://192.168.1.1 and when prompted login with the username of <strong>admin</strong> and the password of <strong>pfsense</strong>.  If all goes well, you should see a screen that looks like the one below.</p>
<p>&nbsp;</p>
<div id="attachment_982" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard.gif"><img class="size-medium wp-image-982" title="pfSense Wizard" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard-300x181.gif" alt="pfSense Wizard" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard</p></div>
<p>&nbsp;</p>
<p>Click &#8220;Next&#8221;</p>
<p>On this screen, you will set some basic network configuration parameters like the pfSense&#8217;s hostname, local domain and the two DNS servers.  Use the ISP provided DNS servers here and click Next.</p>
<p>&nbsp;</p>
<div id="attachment_983" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard2.gif"><img class="size-medium wp-image-983" title="pfSense Wizard, page 2" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard2-300x181.gif" alt="pfSense Wizard, page 2" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 2</p></div>
<p>&nbsp;</p>
<p>On this screen, we will set up the timeserver and the timezone of the firewall.  Set the timezone where appropriate and then either use the provided time server or set your own.  I left it default and have not noticed any issues with time reporting.</p>
<p>&nbsp;</p>
<div id="attachment_984" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard3.gif"><img class="size-medium wp-image-984" title="pfSense Wizard, page 3" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard3-300x181.gif" alt="pfSense Wizard, page 3" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 3</p></div>
<p>&nbsp;</p>
<p>The next screen is where we will set up the WAN parameters.  Start off with selecting which type of WAN link you have.  Choices are DHCP (default),  Static IP, PPPoE and PPTP.  For each selection, there is a relevant section that must be completed.  Since I use DHCP, I left it as default.</p>
<p>&nbsp;</p>
<div id="attachment_985" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard4.gif"><img class="size-medium wp-image-985" title="pfSense Wizard, page 4" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard4-300x181.gif" alt="pfSense Wizard, page 4" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 4</p></div>
<p>&nbsp;</p>
<p>Pay special attention to the bottom two options.  The first option &#8220;Block RFC1918 networks&#8221; blocks traffic with source addresses in the &#8220;private&#8221; networks from entering through the WAN interface. Private networks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.  Unless you are using this router inside another NAT environment, this option is best left turned on.</p>
<p>The other option &#8220;Block Bogon Networks&#8221; should be left enabled. This blocks traffic arriving on your WAN interface from networks that are not routed and not assigned. Since these addresses are not routed and not assigned, they should never contact your router anyway.</p>
<p>&nbsp;</p>
<div id="attachment_986" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard5.gif"><img class="size-medium wp-image-986" title="pfSense Wizard, page 5" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard5-300x181.gif" alt="pfSense Wizard, page 5" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 4, Bogon networks and RFC1918 options</p></div>
<p>&nbsp;</p>
<p>Now we are at the LAN configuration.  This is where we can change the router&#8217;s internal IP address and subnet mask.  Please note that most of pfSense uses CIDR notation, so you may want to get familiar with it or have a <a href="http://www.subnet-calculator.com/cidr.php" target="_blank">CIDR calculator</a> at the ready. Tip: a /24 is the same as 255.255.255.0.</p>
<p>&nbsp;</p>
<div id="attachment_987" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard6.gif"><img class="size-medium wp-image-987" title="pfSense Wizard, page 5" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard6-300x181.gif" alt="pfSense Wizard, page 5" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 5</p></div>
<p>&nbsp;</p>
<p>This screen allows us to change the default password of <strong>pfsense</strong>.  I highly recommend changing it to something memorable.  If you forget it, you can always reset it via a serial connection without resetting the router back to factory settings.</p>
<p>&nbsp;</p>
<div id="attachment_988" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard7.gif"><img class="size-medium wp-image-988" title="pfSense Wizard, page 6" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wizard7-300x181.gif" alt="pfSense Wizard, page 6" width="300" height="181" /></a><p class="wp-caption-text">pfSense Wizard, page 6</p></div>
<p>&nbsp;</p>
<p>Finally we have reached the end of the wizard.  Click &#8220;Reload&#8221; and wait a few minutes.  During this time, the router will reboot itself to get adjusted into the new environment.  Let the web page reload the router&#8217;s admin page and it should take you to a configuration page like the one below.</p>
<p>&nbsp;</p>
<div id="attachment_989" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/status.gif"><img class="size-medium wp-image-989" title="pfSense main status page" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/status-300x181.gif" alt="pfSense main status page" width="300" height="181" /></a><p class="wp-caption-text">pfSense main status page</p></div>
<p>&nbsp;</p>
<p>Once you are at this screen, you should be able to browse the Internet.</p>
<h3>Some basic tips:</h3>
<ul>
<li>Port forwarding can be set up under Firewall -&gt; NAT and works pretty much like you would expect a Linksys box to work.  Be sure to leave the &#8220;Auto Add a firewall rule to permit traffic through this NAT rule&#8221; at the bottom checked.  This will create a matching rule on the WAN side to allow traffic along with the rule to bring the traffic from the WAN to your destination computer.</li>
<li>You can see each interface&#8217;s status by going to Status -&gt; Interfaces.  If you are on a PPPoE or PPTP connection, you can disconnect and reconnect from this page.  If you are using DHCP, you can also release and renew your IP here.</li>
<li>If you run into trouble performing port forwarding, you can access the system firewall logs via Status -&gt; System Logs.  Be sure to turn on Logging on your rules so you can see new connections as they are being performed.</li>
<li>If you&#8217;re having problems with a specific host, you can access a packet capture utility via Diagnostics -&gt; Packet Capture</li>
<li>If you want to diagnose upstream Internet connectivity issues, you can access Traceroute via Diagnostics -&gt; Traceroute and a ping utility via Diagnostics -&gt; Ping.</li>
<li>Like numbers and graphs? Check out the system traffic graph (Status-&gt; Traffic Graph) and the system RRD graph (Status -&gt; RRD Graphs).  You may need to install the Adobe SVG viewer to view these graphs.</li>
<li>Unlike a Linksys box, it is recommended to halt the router before powering down and use the reboot function if a restart is needed.  Both options appear under Diagnostics with the labels &#8220;Halt system&#8221; and &#8220;Reboot system&#8221; respectively.</li>
</ul>
<h3>What&#8217;s next?</h3>
<p>Even in its basic configuration you already have a very powerful router on your hands.  The sky&#8217;s the limit. The pfSense installation can support a great many different configurations and options, so don&#8217;t think that you&#8217;re locked into a single configuration.  Out of the box, pfSense has the software support for DHCP, DNS server, and other basic functionality as well as more advanced things like CARP Failover, OpenNTPD (time server), OpenVPN, Remote Syslog, Traffic aggregation, and many other features that warrant exploration.</p>
<p>In a follow-up article, I will explore setting up an advanced configuration, establishing a VLAN to isolate a wireless network from the wired network while still providing Internet access.  This is a useful configuration for those of you who like to share your Internet access but don&#8217;t want to make your home network vulnerable.</p>
<p>Happy Hacking!</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/11/11/networking-installing-and-configuring-pfsense-embedded/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Reviews: WD TV Live Plus</title>
		<link>http://www.yourwarrantyisvoid.com/2011/08/26/reviews-wd-tv-live-plus/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/08/26/reviews-wd-tv-live-plus/#comments</comments>
		<pubDate>Fri, 26 Aug 2011 17:06:02 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Product Reviews]]></category>
		<category><![CDATA[media center]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Small Form Factor]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=992</guid>
		<description><![CDATA[In this post, I will review a recently acquired WD TV Live Plus purchased from Microcenter for around $100.  The quest was to find a media player solution that could read media from network shares and play them with minimal fuss.  Since this is going to be attached to the primary TV, it has to [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><img class="size-medium wp-image-993 aligncenter" title="WD logo" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/wdmonogramc-300x199.gif" alt="WD logo used with permission granted from wdc.com" width="300" height="199" /></p>
<p style="text-align: left;">In this post, I will review a recently acquired WD TV Live Plus purchased from Microcenter for around $100.  The quest was to find a media player solution that could read media from network shares and play them with minimal fuss.  Since this is going to be attached to the primary TV, it has to be &#8220;Girlfriend Approved&#8221; and easy to use.  I believe that the WD TV Live Plus fits this requirement adequately however the installation of the device could be easier.  Once done, the device is wonderful.  Read the full review after the break.</p>
<p style="text-align: left;"><span id="more-992"></span></p>
<h2 style="text-align: left;">Foreword</h2>
<p>One of the things that I&#8217;ve been keeping a close eye on is the development of the media center computer: a non-PC PC that is used to play local network content and can provide other services through the TV and still maintain the ease of use of a standard DVD player.  I had previously experimented with XBMC and was pleased with its overall hardware support and the features it supported &#8220;out of the box&#8221;, however the UI was a bit kludgy and all media sources and items had to be predefined before they would show up.  It also didn&#8217;t help much that the only device that I had that would work properly was an old Averatec laptop which did work very well, even with the embedded Intel graphics.</p>
<p>I skipped the newer iterations of XBMC partially due to lack of time and due to the fact that I was still not looking forward to using the Averatec laptop as it required a mouse and I didn&#8217;t have the money to pony up for a Windows Media remote (which would have been supported).  Time grew on and by then my needs for additional storage had exceeded a single drive.  I built a Windows based NAS server using a 3ware card donated by a friend and built a 2Tb storage array.  Soon after that, I got to the point where looking at a media player began to become feasible again as now I had plenty of storage and lots of plans.  I ultimately wanted to rip and encode my DVDs so that I could play them without needing to swap disks endlessly.</p>
<p>I was already accustomed to using Netflix on the Xbox360, however I wanted the same convenience of couch-surfing with all my local media.  A bonus through work found me with extra cash to finally take a look at a media player.  My requirements were simple.</p>
<ul>
<li>It must support a variety of media in a variety of formats and codecs.</li>
<li>It must have a remote and be easily operated.</li>
<li>It must have a variety of outputs including HDMI and Component.</li>
<li>It must be able to read SMB shares easily and remember credentials.</li>
<li>It must be inexpensive.</li>
<li>The box, UI and remote have to not look fugly.</li>
</ul>
<h2>Research, research, research</h2>
<p>I started looking around at a lot of the common media players that are out there.  The Apple TV was too &#8220;hipster&#8221; and I really didn&#8217;t feel like dealing with iTunes after the fiasco that was my iPod.  The price was right and the Apple TV did have the right connectors, but dependence on the iTunes application really made it a deal killer.</p>
<p>Boxee was an attractive option and had high ratings, however when I saw the <a href="http://www.boxee.tv/">final product and its cubelike design</a>, it was an instant turnoff. While the hardware was more than adequate, the box itself looked rather ugly. When I did some additional research, the price point (at almost $250 at initial research, now $199) was still out of my price range. While Boxee did have the free software option like XBMC, I had no &#8220;decent&#8221; hardware to run it on to make it not suck, so unfortunately this option was nixed.</p>
<p>There were some other media devices that I had found however they were really proprietary and for various reasons, they don&#8217;t even merit mention.  That said, I reluctantly asked around work and several coworkers offered suggestions, most of which were either Apple TV, XBMC, Boxee.  A couple of guys mentioned the WDTV Live Plus so I started doing research.</p>
<p>The WD TV Live Plus appeared to support all of my requirements although several forum posts came up about difficulty with networking.  At $100 a unit, this appeared to be a viable option so I decided to gamble.</p>
<h2>Hardware</h2>
<p>Without further ado, let&#8217;s take a look at what we&#8217;re up against.</p>
<div id="attachment_994" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-994" title="WD TV Live Plus box" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2121-300x225.jpg" alt="WD TV Live Plus box" width="300" height="225" /><p class="wp-caption-text">WD TV Live Plus box</p></div>
<p>This is the outside of the box.  Inside the box, you get a remote, two AAA batteries, the WDTV Live Plus, a 1/4in to AV (Video, L and R Audio) cable, a 1/4in to Component (Y,Pb,Pr) cable and power supply adapter.</p>
<div id="attachment_995" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-995" title="WDTV size comparison" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2122-300x225.jpg" alt="WDTV size comparison" width="300" height="225" /><p class="wp-caption-text">WDTV size comparison</p></div>
<p>To put a size comparison on things, this thing is SMALL.  It&#8217;s about the size of a large pocket switch, roughly 4 inches deep, five inches wide and about an inch tall. The remote control is about three inches long and an inch wide and roughly a half-inch deep. Although it is small, it does fit in either hand comfortably thanks in part to a finger-wide notch cut into the bottom of the remote.</p>
<div id="attachment_996" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-996" title="Back ports" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2116-300x225.jpg" alt="Back Ports" width="300" height="225" /><p class="wp-caption-text">Back Ports</p></div>
<p>The rear of the WDTV contains several ports as shown above.  The ports from left to right are Power, USB, HDMI, Optical Audio TOSLINK, Ethernet, Component, Composite+Audio.</p>
<div id="attachment_997" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-997" title="Top view" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2117-300x225.jpg" alt="Top view" width="300" height="225" /><p class="wp-caption-text">Top view</p></div>
<p>The Top of the WDTV features an additional USB port and the always good-to-have reset pinhole.  In the event of a device failure, you can use the pinhole to factory reset the device and to perform software updates.</p>
<div id="attachment_998" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-998" title="My WDTV installed and running." src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2120-300x225.jpg" alt="My WDTV installed and running." width="300" height="225" /><p class="wp-caption-text">My WDTV installed and running.</p></div>
<p>Here is a picture of my WDTV installed and running.  To put it in perspective, that is a Netgear 8 port switch it is sitting on top of and the salt rock to the right is about the size of a 2 liter bottle of soda.</p>
<h3>Other things worth mentioning:</h3>
<ul>
<li>The two USB ports can support a variety of USB Mass Storage devices including cameras, USB hard drives, thumb drives and media card readers.  It can also support a limited range of <a href="http://wdc.custhelp.com/app/answers/detail/a_id/3805/~/list-of-compatible-devices-for-the-wd-tv-live-hd-media-player-and-wd-tv-live" target="_blank">wireless adapters, USB keyboards and other options</a>. Although wireless options are available, my network does not run Wireless N and as stated in the link, Wireless G may be too slow for streaming.  I did not get the chance to test wireless connectivity as my network is primarily a wired 10/100 network.</li>
<li>There is no HDMI cable included with this kit so you will need to buy one if you intend to use HDMI.</li>
</ul>
<h2>Software</h2>
<p>As mentioned earlier, I required that the device be easy to use and able to pick up SMB shares.  While the UI appeared to be quite usable, there were difficulties in getting the network shares to show up.  Several posts to the WD Customer Support forum complained about this very same issue, however I was able to overcome it once I found out what the root cause was. If you only want the review of the software itself, skip past the networking discussion that follows.</p>
<h3>Not all SMB networks are the same</h3>
<p>As stated on the box, this device should be able to read content from SMB (MS Network) shares and play it however there was a significant issue with the implementation of the SMB protocol in the WD TV Live Plus.  My network is largely Windows clients seeing as how my NAS is a Windows XP computer with a storage array and that most of my computers are Windows XP based (except for my core networking equipment and my laptop which uses Ubuntu.)  This ended up causing more hell than I was expecting and I&#8217;ll explain.</p>
<h3>Oh master, where art thou?</h3>
<p>In a Windows network where there is no domain controller, Windows computers will get into an election process to attempt to establish a browse master.  This browse master is a Windows computer that maintains a list of active computers on the network.  This behavior is part of NetBIOS and SMB sharing and allows the computers to &#8220;discover&#8221; each other.  Once the browse master is established, additional computers will communicate with the master to &#8220;register&#8221; themselves, and once registered can discover each other&#8217;s network shares.  This share list is populated each time someone tries to browse the network.</p>
<h3>I&#8217;m talking, but no one&#8217;s listening!</h3>
<p>On boot, the WDTV sends a broadcast to the network on UDP port 137 (NetBIOS Name Service), as the NetBIOS protocol specifies.  It waits for a browse master to answer the broadcast so it can then download the browse list. The issue is that Microsoft has altered the way NetBIOS operates on Windows.  One of the alterations is that Windows computers (whether browse master or not) will no longer respond to broadcasts to port 137.  The result is that the WDTV will never receive the response it&#8217;s looking for and its server list will never get updated.</p>
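<p>To make the lookup described above concrete, the following Python code (an added example, not code from the original post or from WD) builds the broadcast name query a client sends to UDP port 137 and parses a browse master&#8217;s positive reply. It assumes the lookup is a standard RFC 1001/1002 name query for the workgroup&#8217;s &lt;1D&gt; local-master name; the workgroup name WORKGROUP, the address 192.0.2.10 and the sample reply are constructed.</p>

```python
"""NetBIOS Name Service (UDP 137) master-browser lookup: build and parse.

Added example. Assumes a standard RFC 1001/1002 broadcast name query for the
workgroup's <1D> (local master browser) name. All sample data is constructed.
"""
import socket
import struct

NBNS_PORT = 137              # UDP port named in the article
TYPE_NB, CLASS_IN = 0x0020, 0x0001
FLAGS_BCAST_QUERY = 0x0110   # opcode 0 (query), RD=1, B=1 (broadcast)
FLAGS_POSITIVE_REPLY = 0x8500  # R=1, AA=1, RD=1, rcode 0
SUFFIX_LOCAL_MASTER = 0x1D   # 16th name byte registered by the local master


def encode_name(name, suffix):
    """First-level encode a NetBIOS name: 15 padded chars plus suffix byte."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    out = bytearray([32])                  # label length: 32 encoded bytes
    for b in raw:
        out.append(0x41 + (b >> 4))        # high nibble -> 'A'..'P'
        out.append(0x41 + (b & 0x0F))      # low nibble  -> 'A'..'P'
    out.append(0)                          # root label (empty scope)
    return bytes(out)


def decode_name(encoded):
    """Reverse encode_name; returns (name, suffix)."""
    if len(encoded) != 34 or encoded[0] != 32 or encoded[33] != 0:
        raise ValueError("not a first-level encoded name with empty scope")
    raw = bytearray()
    for i in range(1, 33, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside the 'A'..'P' alphabet")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_master_query(workgroup, txid):
    """The 50-byte datagram a client broadcasts to find the browse master."""
    header = struct.pack(">HHHHHH", txid, FLAGS_BCAST_QUERY, 1, 0, 0, 0)
    question = encode_name(workgroup, SUFFIX_LOCAL_MASTER)
    return header + question + struct.pack(">HH", TYPE_NB, CLASS_IN)


def parse_positive_response(data, txid):
    """Return name, suffix, ttl and addresses, or None if this datagram is
    not a positive answer to our query (wrong id, a query, or an error)."""
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        return None                        # someone else's traffic, or a query
    if flags & 0x000F or ancount == 0:
        return None                        # negative response
    off = 12
    name, suffix = decode_name(data[off:off + 34])
    off += 34
    if len(data) < off + 10:
        raise ValueError("truncated resource record")
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    rdata = data[off:off + rdlen]
    if rtype != TYPE_NB or rclass != CLASS_IN:
        return None
    if len(rdata) != rdlen or rdlen == 0 or rdlen % 6:
        raise ValueError("NB rdata must be whole 6-byte flag/address entries")
    # Each entry: 2 bytes of NB_FLAGS followed by a 4-byte IPv4 address.
    addrs = [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
    return {"name": name, "suffix": suffix, "ttl": ttl, "addresses": addrs}


def constructed_response(workgroup, txid, ip):
    """Constructed sample of the reply a browse master would send back."""
    header = struct.pack(">HHHHHH", txid, FLAGS_POSITIVE_REPLY, 0, 1, 0, 0)
    rr = encode_name(workgroup, SUFFIX_LOCAL_MASTER)
    rr += struct.pack(">HHIH", TYPE_NB, CLASS_IN, 300, 6)
    rr += struct.pack(">H", 0x0000) + socket.inet_aton(ip)  # unique, B-node
    return header + rr


if __name__ == "__main__":
    query = build_master_query("WORKGROUP", 0x1234)
    print(len(query), query.hex())
    reply = constructed_response("WORKGROUP", 0x1234, "192.0.2.10")
    print(parse_positive_response(reply, 0x1234))
    # When no host answers the query, the client times out with nothing to
    # parse, which is the empty server list the article describes.
```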
<h3>You are my slave now!</h3>
<p>The workaround is to install NetBIOS (part of the SAMBA package) on a Linux box and set &#8220;local master = yes&#8221; in samba.conf.  This will also give you the added benefit of sped up network browsing on your computers and the installation of NetBIOS is very simple, requiring only one modification to a configuration file and a service restart.  In my testing of the WDTV, I was unable to get the WDTV to show any network shares prior to the installation of the NetBIOS service.  Once I installed the NetBIOS service, it was only a matter of seconds before the network shares listed out all of the active computers on the network.</p>
<h2>Carrying on&#8230;.</h2>
<p>Testing the UI under component, composite and HDMI cables showed little difference in the display resolution aside from the appreciable differences in the three connection technologies themselves. In each test, the UI was sharp and clear with menu options easily highlighted. The UI is a dark-blue theme and reminds me a lot of the Playstation 3 interface.</p>
<div id="attachment_999" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-999" title="UI main image" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2113-300x225.jpg" alt="UI main image" width="300" height="225" /><p class="wp-caption-text">UI main image</p></div>
<p>In the above image, I have highlighted the server &#8220;Zeus&#8221; from Videos -&gt; Network shares.   The icons scroll vertically to allow you to select options, while horizontal movement allows you to proceed or go back via the four way D-pad on the remote.  Hitting &#8220;OK&#8221; is only required on media titles, menu options (like Configuration Settings) and various sub-menus as needed.</p>
<div id="attachment_1000" class="wp-caption aligncenter" style="width: 310px"><img class="size-medium wp-image-1000" title="Media List" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/08/DSCF2115-300x225.jpg" alt="Media List" width="300" height="225" /><p class="wp-caption-text">Media List</p></div>
<p>The Media List view shows up once a server has been selected and allows you to drill down to find the content you want.  On the &#8220;Zeus&#8221; server, I have several shares dedicated to each type of media that the WDTV supports.  This is the list of the &#8220;Movies&#8221; fileshare.  Photos and Music are other fileshares available.  In this view, you can simply highlight a movie and without further action, it will start playing in the preview window on the right.  If you want to play it fullscreen, just select the preview window and hit OK.  The display will then go full size without missing a beat.</p>
<p>All in all, the UI is simple to use, easy to navigate and offers a lot of functionality without cluttering up the display.</p>
<h3>It also has apps</h3>
<p>I hesitate to mention this as I didn&#8217;t purchase the WDTV for applications, but it does bear mentioning.  This device supports games and apps including Youtube, Facebook and Netflix support. While I did briefly try out the Netflix and Youtube options and they appeared to work as expected, I did not try the Facebook app and felt the inclusion of Facebook on a media client to be excessive.  I can&#8217;t contemplate using my media client to check my Facebook as I have phones, laptops and full-size computers for that.</p>
<h2>Final Verdict</h2>
<p>To summarize the total experience of the WD TV Live Plus, let&#8217;s break down the experience into the Good and the Bad. It may be cliche to do it, but it works well.</p>
<h3>The Good</h3>
<ul>
<li>Small Form Factor</li>
<li>Includes remote, component and composite cables and battery</li>
<li>Supports HDMI, DVI (via HDMI to DVI cable), Composite and Component connections.</li>
<li>Includes TOSLINK optical audio out for connectivity to a surround sound system.</li>
<li>Plays a wide variety of video formats: AVI(Xvid, AVC, MPEG 1,2 and 4, WMV9, VC-1, MPEG/MPG, VOB (DVD), MKV, TS/TP/M2T, MP4/MOV, M2TS and WMV9.  I have not tested DivX format as I don&#8217;t have any DivX formatted media.</li>
<li>Plays a wide variety of audio formats: MP3, WAV, PCM, LPCM, WMA, AAC, FLAC, MKA, AIF/AIFF, OGG, Dolby Digital.</li>
<li>Picture is clear regardless of connector type</li>
<li>Menu navigation is easy and intuitive without clutter.</li>
</ul>
<h3>The Bad</h3>
<ul>
<li>No HDMI cable included in kit.</li>
<li>Networking requires a NetBIOS browse master and setup can be daunting for non-Linux networks or inexperienced users.</li>
<li>Will not play DRM protected content.</li>
<li>No Web-based interface or control application.</li>
</ul>
<h3>My Thoughts</h3>
<p>The WDTV Live Plus is a great addition to the network and will work very well for playing media. After getting the network issue resolved, this device has flawlessly performed without issue for the last week.  I have started a project to rip all my DVDs to the NAS so I can watch all my movies and TV shows without having to touch a single DVD disc.  This product gets a firm thumbs up from me.</p>
<h3>My Girlfriend&#8217;s Thoughts</h3>
<p>Of course, being a geek means I have a high tolerance for making stuff work, but since I live with my girlfriend, it doesn&#8217;t get a thumbs up if she can&#8217;t use it.  In this particular case, she liked the menu configuration and ease of navigation.  She was able to look at video content with very little prompting from me unlike the initial case of the failed XBMC attempt. The WDTV Live &#8220;just worked&#8221; and she was very pleased with it.  She says it&#8217;s definitely Girlfriend Approved and she can&#8217;t wait until I get the DVDs ripped.</p>
<p>In the next month or so, I will provide a follow up on how to establish a NetBIOS browse master, rip and encode DVDs and how to set up fileshares in Windows to allow you to use your WDTV effectively.  Minus the initial configuration issue, this device is cheap on cost without being cheap on features. It is a well designed product that will help integrate computer media into your existing entertainment system without significantly impacting your wallet or your sanity.</p>
<h2><strong>Verdict:  Buy!</strong></h2>
<p>Cost: around $100, sometimes on sale for around $70-80</p>
<p>Availability: Most online retailers, and some brick-and-mortar stores like Best Buy, Fry&#8217;s, etc.</p>
<p>Have fun!</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/08/26/reviews-wd-tv-live-plus/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Networking: Duplicating Drops in structured wiring</title>
		<link>http://www.yourwarrantyisvoid.com/2011/07/29/networking-duplicating-drops-in-structured-wiring/</link>
		<comments>http://www.yourwarrantyisvoid.com/2011/07/29/networking-duplicating-drops-in-structured-wiring/#comments</comments>
		<pubDate>Fri, 29 Jul 2011 18:13:04 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[patch cord]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=952</guid>
		<description><![CDATA[Structured wiring in businesses and the enterprise are as expected as the sun shining and a regular paycheck, however in the home a structured wiring solution can be an unexpected gift from the Gods of Ethernet.  While structured wiring in an apartment complex is usually done central to a utility closet or shelf, sometimes the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-953" title="Networking" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2103-300x225.jpg" alt="Networking" width="300" height="225" /></p>
<p>Structured wiring in businesses and the enterprise is as expected as the sun shining and a regular paycheck, however in the home a structured wiring solution can be an unexpected gift from the Gods of Ethernet.  While structured wiring in an apartment complex is usually done central to a utility closet or shelf, sometimes the central point isn&#8217;t convenient for your router or you find yourself needing to run multiple networks.  In this tutorial, I will show you how to turn one structured wiring drop into two drops for carrying two different network segments, something that can be of benefit should you ever need it.<span id="more-952"></span></p>
<h3>What these splitters do and what they don&#8217;t do.</h3>
<p>Before we begin slicing up cables, it&#8217;s important to understand what is going on here so you can decide if this will work for you.  Generally speaking, these splitters can be used if you want to carry two <strong>different</strong> networks over the same drop. If you are simply looking for more connections to your home network, and you are not doing anything special, you will more than likely want to save some time and get a mini-switch instead.  Here&#8217;s a good rundown of some scenarios of why you should and should not consider these splitters:</p>
<p>These splitters would be a good idea for the following scenarios:</p>
<ul>
<li>Moving your router from the default ingress point.  In my case, the central &#8220;panel&#8221; is in the utility closet, but I want my router on my desk.  I use the &#8220;1&#8221; portion of the splitter to transport the WAN segment to the WAN port of my router, then use the &#8220;2&#8221; portion of the splitter to transport the LAN segment to a mini-hub in the closet to activate the rest of the jacks in the house.</li>
<li>Moving a &#8220;hostile&#8221; segment or Guest network to another location.  An example would be having a router installed at the ingress point and using a splitter to transport a &#8220;Guest Network&#8221; and a &#8220;LAN&#8221; connection via the same drop.  In this case, the Guest Network feeds an open access point, while the LAN feeds a desktop computer. In this application, the Guest Network is kept physically separate from the LAN via the splitters but allows you to position the access point somewhere more convenient while maintaining the availability of the LAN.</li>
<li>Transporting two Ethernet drops to a managed switch located in a central closet.  An example for this would be to allow per-port monitoring and administration of both drops individually as opposed to using a mini-switch which would force you to  perform the change across all devices attached to the mini-switch.</li>
</ul>
<p>These splitters would not be a good idea for the following scenarios:</p>
<ul>
<li>Creating more Ethernet ports for the same network and you are not using a managed switch.   If you are plugging two devices into your LAN at the same location, just use a mini-switch and save yourself the trouble. There&#8217;s no benefit to using splitters in a non-managed switch environment. Additionally, you may incur additional costs with having to buy an additional mini-switch to split the connections off at the central panel anyways.</li>
<li>You are using Gigabit Ethernet and do not want to drop the line speed in the location you are looking at.</li>
<li>You are using Power over Ethernet at this location and do not want to move the power supply.</li>
</ul>
<h3>A little bit on structured wiring and Ethernet standards</h3>
<p>In a structured wiring environment, a &#8220;drop&#8221; is the term for a 4 pair (8 wire) cable run through ceilings, walls, etc. from a faceplate with proper termination to a central wiring panel with proper termination (usually a patch panel of sorts).  It&#8217;s called structured wiring as the wiring is usually planned out first with attention to detail and locations of equipment like access points, computers, etc.  Generally speaking, if you are in a structured wiring location and you see an RJ-45 jack marked &#8220;Cat-5&#8221; this generally means that it&#8217;s an Ethernet jack and that the cabling and connectors comply with the Cat-5 standard.</p>
<p>Speaking of wiring standards, you may want to <a title="Network Wiring Standards" href="http://www.zytrax.com/tech/layer_1/cables/tech_lan.htm" target="_blank">take a look at this link</a> which provides more detail into the wiring convention commonly used in structured wiring for Ethernet networks.</p>
<p>In standard 10/100 Ethernet cabling that uses an RJ-45 jack, you have two wires (a pair) for transmit and two wires (a pair) for receive.  In most locations, the extra two pairs (four wires) are simply left idle and untouched. In rare situations (at least in residential equipment) these spare pairs are used for Power over Ethernet, which delivers power to a network device where it is not convenient to use a standard &#8220;wall-wart&#8221; power supply. This requires special adapters (not unlike our splitters) to send power and network connectivity over the same drop, then split it again at the device end.   As mentioned before, if you are using PoE to feed a device using a drop that you need two connections for, you will either need to move the PoE power supply to another location or use our splitter elsewhere.</p>
<p>Unfortunately, Gigabit Ethernet requires all four pairs be used for sending and receiving at Gig-E speeds. If you are not willing to move the Gig-E device and are not willing to drop the speed to 10/100, you will need to use the splitter elsewhere.</p>
<h3>Do the Splits!</h3>
<p>In order to pull this off, you will need the following:</p>
<ul>
<li>Two Cat-5 patch cords</li>
<li>A RJ45 crimper</li>
<li>Four RJ45 Crimp Ends suitable for the wire in your patch cords. (more if you are new at this, just in case)</li>
<li>Heatshrink that is big enough to accommodate twice the diameter of your patch cords.</li>
<li>Lighter</li>
<li>Diagonal cutters</li>
<li>Sharpie (not pictured)</li>
<li>Cat-5 tester (Optional, not pictured)</li>
<li>Cat-5 Female to Female junction adapter (optional, not pictured)</li>
</ul>
<div id="attachment_954" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2094.jpg"><img class="size-medium wp-image-954" title="Tools" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2094-300x225.jpg" alt="Tools" width="300" height="225" /></a><p class="wp-caption-text">Tools</p></div>
<p>To start off, cut one CAT-5 end off of your patch cord and determine how far back you want to strip the jacket off.  In my example, I wanted this splitter to go next to a managed switch where the ports are close together so I used about 8 inches which leaves about 4 inches for each &#8220;branch&#8221;.   If you are using a pocket switch and a computer, you may want to use one foot (12 inches) which leaves you with two 6 inch branches.</p>
<p>Start snipping the jacket of the patch cord, paying close attention to not damage any of the wires underneath. If you do snip a wire, cut the rest of them at the same length and repeat the process.   Once you have managed to snip the jacket clean, begin pulling the jacket off of the cable in one piece.  When completed, you should have eight wires similar to the below picture.</p>
<div id="attachment_955" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2098.jpg"><img class="size-medium wp-image-955" title="Stripped Wiring" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2098-300x225.jpg" alt="Stripped Wiring" width="300" height="225" /></a><p class="wp-caption-text">Stripped Wiring</p></div>
<p>Split the wires into two groups.  Separate the White/Blue and the White/Brown pairs from the White/Green and White/Orange pairs.  Slip the heatshrink tube over all four pairs down past the cut jacket.</p>
<p>Fold the stripped away jacket in half and cut at the half line.  Slip one piece of the jacket over the White/Blue and White/Brown pairs, and thread the White/Green and White/Orange pairs through the remaining piece of the jacket.  Use the image below as a guide.</p>
<div id="attachment_956" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2099.jpg"><img class="size-medium wp-image-956" title="Wires threaded through Jacket" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2099-300x225.jpg" alt="Wires threaded through Jacket" width="300" height="225" /></a><p class="wp-caption-text">Wires threaded through Jacket</p></div>
<p>Slide the two jacket pieces down as far as they will go, then push the heatshrink tube at least one inch past the split.  This will toughen the split to ensure it doesn&#8217;t fall apart with use.  Use the lighter to shrink the tubing around the three pieces of jacket.</p>
<p>Now for the fun part.  At the ends of the two pieces of jacket, you now have one piece with a White/Blue pair and a White/Brown pair and another piece with White/Orange and White/Green. We need to put ends on these wires so we can start using them.  Start off by spreading the wires out and untwisting them like in the image below.</p>
<div id="attachment_957" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2100.jpg"><img class="size-medium wp-image-957" title="Separated Wires" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2100-300x225.jpg" alt="Separated Wires" width="300" height="225" /></a><p class="wp-caption-text">Separated Wires</p></div>
<p>Trim the wires so that there is approximately one inch sticking out of the jacket and make sure that the wires are laid out like so:</p>
<ul>
<li>Solid Green (or green with white dots)</li>
<li>White/Green &#8211; white wire with green stripe</li>
<li>Solid Orange (or orange with white dots)</li>
<li>White/Orange &#8211; white wire with orange stripe</li>
</ul>
<p>The important part is when you insert them into the crimp end, the solid green wire must go into position 3, and the rest will go into positions 6, 7 and 8 as shown below.  Please take note that the orientation of the RJ-45 crimp end is that the spring clip is pointing towards you, and the wiring enters from the left.</p>
<ul>
<li>Position 1 &#8211; Blank</li>
<li>Position 2 &#8211; Blank</li>
<li>Position 3 &#8211; Solid Green</li>
<li>Position 4 &#8211; Blank</li>
<li>Position 5 &#8211; Blank</li>
<li>Position 6 &#8211; White/Green</li>
<li>Position 7 &#8211; Solid Orange</li>
<li>Position 8 &#8211; White/Orange</li>
</ul>
<p>Before you crimp the RJ45 onto the wires, hold the whole thing up to a bright light and ensure that the wires are long enough to hit the end of the connector.  Sometimes, a bad crimp can result if the wires are too short.  Use the below image as a reference and take some time to make sure your wiring is correct.  If all looks good, go ahead and crimp!</p>
<div id="attachment_958" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2101.jpg"><img class="size-medium wp-image-958" title="Visual Inspection" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2101-300x225.jpg" alt="Visual Inspection" width="300" height="225" /></a><p class="wp-caption-text">Visual Inspection</p></div>
<p>Now for the White/Blue and White/Brown pairs, you must perform the same process, except this time we will use White/Brown in place of the White/Orange pair and the White/Blue will substitute the White/Green.  Our wiring diagram will change to below:</p>
<ul>
<li>Position 1 &#8211; Blank</li>
<li>Position 2 &#8211; Blank</li>
<li>Position 3 &#8211; Solid Blue (or Blue wire with White dots)</li>
<li>Position 4 &#8211; Blank</li>
<li>Position 5 &#8211; Blank</li>
<li>Position 6 &#8211; White/Blue</li>
<li>Position 7 &#8211; Solid Brown (or Brown wire with White dots)</li>
<li>Position 8 &#8211; White/Brown</li>
</ul>
<p>Do the same inspection as you did for the first crimp and check, recheck and crimp your second connector.  Mark the crimp with the White/Orange and White/Green wires as &#8220;1&#8221; and the other crimp with the White/Blue and White/Brown wires as &#8220;2&#8221;.  This will be important later on when you implement your splitters.</p>
<h3>Do it again, Sam!</h3>
<p>Now that you have one splitter, go ahead and do it again with the other Cat-5 patch cord.  When you are complete, your patch cord should look like the following image.</p>
<div id="attachment_959" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2097.jpg"><img class="size-medium wp-image-959" title="Finished Splitter" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2097-300x225.jpg" alt="Finished Splitter" width="300" height="225" /></a><p class="wp-caption-text">Finished Splitter</p></div>
<h3>Final Thoughts</h3>
<p>Now that you have a pair of these splitters, you should be able to enjoy a bit more freedom when setting up your network in a structured wiring environment where additional cable runs are simply not feasible.  In my particular installation, I am using my splitters to feed the router&#8217;s output that carries VLAN tagged traffic into a managed switch.  The other leg of the splitter goes back to the wiring closet to feed a mini-switch with network connectivity.  VLAN tagged traffic will not traverse a non-managed switch, so for me this was the only way to be able to use my VLAN tagged network and my &#8220;primary&#8221; network without having to give up either.  Below is an image of my splitter feeding my 24 port switch. Yes, the switch is on; however, it appears that the flash washed the lights out.</p>
<div id="attachment_960" class="wp-caption aligncenter" style="width: 310px"><a href="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2102.jpg"><img class="size-medium wp-image-960" title="Installed Splitter" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2011/07/DSCF2102-300x225.jpg" alt="Installed Splitter" width="300" height="225" /></a><p class="wp-caption-text">Installed Splitter</p></div>
<p>I hope you enjoyed this quick post as much as I enjoyed making the splitters.  Reply to this post and tell others how you intend to use your splitters.</p>
<p>&nbsp;</p>
<p>Happy Hacking!</p>
<p>&nbsp;</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2011/07/29/networking-duplicating-drops-in-structured-wiring/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Web: Stupid HTML trick to get past content filters</title>
		<link>http://www.yourwarrantyisvoid.com/2010/05/02/web-stupid-html-trick-to-get-past-content-filters/</link>
		<comments>http://www.yourwarrantyisvoid.com/2010/05/02/web-stupid-html-trick-to-get-past-content-filters/#comments</comments>
		<pubDate>Sun, 02 May 2010 16:58:50 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Webservers]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=426</guid>
		<description><![CDATA[I know it&#8217;s been a while since I posted, and I do apologize.  Life has definitely not been kind to me in the regards of time however I have not forgotten anything. I have two major posts coming up hopefully within the next week, however here&#8217;s a quick article about a trick I discovered while [...]]]></description>
			<content:encoded><![CDATA[<p>I know it&#8217;s been a while since I posted, and I do apologize.  Life has definitely not been kind to me in the regards of time however I have not forgotten anything. I have two major posts coming up hopefully within the next week, however here&#8217;s a quick article about a trick I discovered while working on a project with a friend.  The project was to see if their content filter could be broken in their chat application and through a little bit of HTML know-how and some PHP code, I was able to crank out a generator to do just that.  Read more to find out the details.<span id="more-426"></span></p>
<h2>The Challenge:</h2>
<p>The trick was to figure out how to get certain &#8220;four letter words&#8221; past the chat app&#8217;s filter and into the main chat window without the word being munged by the system.  Most chat applications filter out obscene words through a string matching system and replace them with something that is much less offensive, usually a series of asterisks.  The only thing I could use was straight ASCII characters, and I couldn&#8217;t use any &#8220;img src&#8221; HTML tags to do the dirty work (literally).</p>
<h2>The Analysis:</h2>
<p>All HTML code that is rendered is associated with something called a character set (or code page from the old MS-DOS days).  These character sets associate any character with a certain number (often called its ASCII value).  Although some characters are standard on all character sets (like &#8220;a&#8221; = 97), some control characters and characters above 256 (decimal) change significantly.  In order to properly convey these control characters via the web, urlencoding was created and implemented as part of the HTML spec.  What this means is that every character in a character set can be represented in HTML through the use of the percent sign (%) modifier. The syntax for this is %(ASCII value in hexadecimal). The general idea was that if you typed in a Russian name using symbols not found in the Latin alphabet, these symbols could be properly represented on the server side.</p>
<p>With that in mind, I examined the UTF-8 character set.  In this example, I&#8217;ll use the word &#8220;taco&#8221; to represent the offending word.</p>
<h2>How it&#8217;s done:</h2>
<p>The process for this is as follows:</p>
<ol>
<li>Find the ASCII value for each character in the word</li>
<li>Find the hexadecimal value for the ASCII value</li>
<li>Add &#8220;%&#8221; in front of that number</li>
<li>Insert a &#8220;null&#8221; character somewhere.</li>
</ol>
<p>For reference, you can use <a title="ASCII table" href="http://www.asciitable.com" target="_blank">this chart</a>, which already gives you both the decimal and the hexadecimal ASCII values.</p>
<p>From the chart, we see the following information:</p>
<p>t = 116 (decimal) or 74 (hex)</p>
<p>a = 97 (decimal) or 61 (hex)</p>
<p>c = 99 (decimal) or 63 (hex)</p>
<p>o = 111 (decimal) or 6f (hex)</p>
<p>Using this information, we can then create our string, inserting the % where needed.  %74 %61 %63 %6f</p>
<p>Only one item remains.  In order to spoof some of the more intelligent content filters, you need to put a null character in there somewhere. This throws off the content filter and makes it think that there are different characters represented.  For this, I used character 0B which does not have a Latin equivalent and is a control code that does not render in HTML.  I used 0B because 08 rendered as a tab in testing.</p>
<p>Knowing this, I inserted the null character between the urlencoded &#8220;a&#8221; and the urlencoded &#8220;c&#8221;: %74 %61 %0B %63 %6F</p>
<h2>Testing it out:</h2>
<p>All that is needed to test it is to copy and paste the above string into any chat application and hit send. You will need to remove the spaces from between the characters otherwise your application will treat them as renderable characters as well.  If it works, you&#8217;ll see the word &#8220;taco&#8221; in your window.  Now you know how to get past content filters.  If you are in the business of building content filters, now you have a new strategy for blocking people abusing them.</p>
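<p>For the filter builders mentioned above, here is the countermeasure as an added example (not code from the original post): canonicalize the message before matching, so the filter sees the same text the renderer will show. It assumes the chat application percent-decodes messages before display, and it also strips other invisible format characters, which goes slightly beyond the 0B case described here. All function names are hypothetical.</p>

```python
import re
import unicodedata
from urllib.parse import unquote

BLOCKLIST = ("taco",)        # the post's stand-in for a filtered word
MAX_DECODE_ROUNDS = 5        # assumed bound on nested encoding layers
KEEP = {"\n", "\t"}          # control characters that do render visibly

_PATTERN = re.compile("|".join(re.escape(w) for w in BLOCKLIST), re.IGNORECASE)


def _mask(text):
    """Replace every blocklisted word with asterisks of the same length."""
    return _PATTERN.sub(lambda m: "*" * len(m.group()), text)


def naive_filter(message):
    """String matching on the raw text exactly as the user typed it."""
    return _mask(message)


def percent_decode_fully(text):
    """Undo percent-encoding until the text stops changing.

    A single decode pass is not enough: "%2574" decodes to "%74", which
    decodes again to "t". Messages nested deeper than the bound are rejected.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            return text
        text = decoded
    raise ValueError("message nested in too many encoding layers")


def strip_invisible(text):
    """Drop control (Cc) and format (Cf) characters that never render.

    This removes the 0B character used in the post as well as things like
    zero-width spaces, which split a word without changing how it looks.
    """
    return "".join(
        ch for ch in text
        if ch in KEEP or unicodedata.category(ch) not in ("Cc", "Cf")
    )


def canonicalize(message):
    """Produce the text the reader will actually see."""
    return strip_invisible(percent_decode_fully(message))


def hardened_filter(message):
    """Match the blocklist against the canonical text, not the raw input."""
    return _mask(canonicalize(message))


def evades_naive_filter(message):
    """True when raw matching finds nothing but the rendered text is blocked.

    Useful as a logging signal: the sender went out of their way to hide
    a blocklisted word from a string-matching filter.
    """
    return (naive_filter(message) == message
            and hardened_filter(message) != canonicalize(message))


# The string from the post with the spaces removed.
PAGE_SAMPLE = "%74%61%0B%63%6F"
```

<p>The canonical form is what should be stored and displayed; filtering a decoded copy while still rendering the raw input leaves the gap open.</p>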
<h2>Don&#8217;t be a prick!</h2>
<p>I posted this information with the hopes that people may find it useful, not so that script kiddies can run around and make asses of themselves.  Be smart about how you use this information and last but not least, DON&#8217;T BE A PRICK!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2010/05/02/web-stupid-html-trick-to-get-past-content-filters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Setting up Ubuntu to tftpboot with menu for installations</title>
		<link>http://www.yourwarrantyisvoid.com/2009/08/17/setting-up-ubuntu-to-tftpboot-with-menu-for-installations/</link>
		<comments>http://www.yourwarrantyisvoid.com/2009/08/17/setting-up-ubuntu-to-tftpboot-with-menu-for-installations/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 05:02:25 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[network boot]]></category>
		<category><![CDATA[PXE]]></category>
		<category><![CDATA[Server]]></category>
		<category><![CDATA[TFTP]]></category>
		<category><![CDATA[Ubuntu]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=27</guid>
		<description><![CDATA[This howto will cover performing the necessary steps for configuring Ubuntu Server 9.04 to distribute pxelinux images over the network for you to use to install Ubuntu or your favorite Linux distribution over the network. No more fumbling for installation CDs or boot floppies! I have done countless Linux installations where a Boot CD or [...]]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-full wp-image-28" title="servers" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2009/08/servers.JPG" alt="servers" width="513" height="137" /></p>
<p>This howto will cover performing the necessary steps for configuring Ubuntu Server 9.04 to distribute pxelinux images over the network for you to use to install Ubuntu or your favorite Linux distribution over the network.  No more fumbling for installation CDs or boot floppies!<br />
<span id="more-27"></span></p>
<p>I have done countless Linux installations where a Boot CD or a boot floppy was required to install with.  Typically I&#8217;d find that media was scratched or otherwise inoperable.  Fed up with it, I sought out a solution to make it work to where I didn&#8217;t need a CD or a floppy disk.  This HOWTO will take you from an Ubuntu server to an Ubuntu server that now allows for TFTP booting!  It&#8217;s not as hard as it sounds and I completed my installation in a little over an hour.  The longest part was to mount the CDROM images and perform the copy.</p>
<p>While not all network adapters support PXE booting, most onboard NICs do.  If unsure, there&#8217;s nothing wrong with keeping a network bootable NIC in your parts drawer for use later.</p>
<h2>Prerequisites:</h2>
<p>Required:</p>
<ul>
<li>Root access on a computer already set up with Ubuntu Server that has a valid IP address and is connected to the network.</li>
<li>A computer with a bootable network card (I recommend the Intel Pro 100 series) or an installation of VMware for testing the TFTP boot environment.</li>
<li>A Hub, Switch or router that can act like a hub or switch.</li>
<li>Linux installation CDs of the distribution you want to use. (For this installation, I will be using CentOS 5 as the install to make available on the network)</li>
<li>Access to edit the DHCP configuration of the server handing out IP addresses.</li>
<li>A copy of the Ultimate Boot CD, or the ISO image to the UBCD.  The UBCD can be downloaded from <a href="http://www.ultimatebootcd.com/">http://www.ultimatebootcd.com/</a></li>
<li>A copy of the pxelinux.0 file from <a href="http://syslinux.zytor.com/wiki/index.php/Download">http://syslinux.zytor.com/</a></li>
</ul>
<p>This document assumes that you have basic knowledge of Linux as far as navigating the filesystem and filesystem structure.  Since this is considered &#8220;administration level&#8221; work, this will require that you work as the &#8220;root&#8221; user and understand the ramifications of using this level of access.  If you have questions about a specific command, either continue reading without performing the step or perform some Google searches to find out what the command does.  This document will not require you to compile anything or know any significant amount of code and examples are provided so that you can cut and paste as much as possible.</p>
<h2>Overview</h2>
<p>This howto is  broken up into several sections to make reading a bit easier.  Feel free to leave comments on what works and what doesn&#8217;t and ask for help if you desire.</p>
<ul>
<li>Installation and configuration of tftpd-hpa for Ubuntu</li>
<li>File placement in the /tftpboot directory</li>
<li>Configuration of pxelinux.0 and the DHCP server</li>
<li>Installation of VSFTPd for Ubuntu</li>
<li>MD5sum, Mounting, Copying and Unmounting the disk images</li>
<li>Configuring boot menus using the menu.c32 from the UBCD</li>
<li>Troubleshooting</li>
<li>Tips and Tricks</li>
</ul>
<p style="padding-left: 30px;">Commands that you can use are highlighted in <strong>bold</strong> with examples being shown in a code box.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;"><strong>WARNING:</strong></span> This signifies a critical message that needs to be read and understood prior to command execution otherwise system damage may result</p>
<p style="padding-left: 30px;"><strong>NOTE:</strong> This is an informational note that you might want to consider for better understanding of a command used.</p>
<p style="padding-left: 30px;"><em>Options in italics</em><strong> </strong>are parameters to a command that need to be supplied.  If an option is surrounded by curly brackets {<em>like this</em>} it is indicating an additional option that may vary on your system.  If an option <em><strong>shows up in bold and italics</strong> </em>, then it is meant to be used together as a command referenced.</p>
<p style="padding-left: 30px;">&#8220;Files in quotes&#8221; are either representative of screen output or a file that will be worked with. This will be context sensitive.</p>
<h2>Installation and Configuration of TFTPD-HPA for Ubuntu</h2>
<p>With all that prep talk out of the way, let&#8217;s get started.  Go ahead and log into the server that you will be performing the install on.</p>
<p>First off, let&#8217;s make sure that you&#8217;re root, by typing <strong>whoami</strong> in the login window:</p>
<pre><code>root@littleblackbox:~# whoami
root</code></pre>
<p>If <strong>whoami</strong> returns something other than &#8220;root&#8221;, then either <strong>su -</strong> and become root or ask for assistance.</p>
<p>Now that you&#8217;re root, we will tell the server to get the tftpd-hpa package from the Ubuntu repository. We&#8217;ll use the command <strong>apt-get <em>install tftpd-hpa</em></strong>. This will tell apt-get to fetch the application and install it to your machine so you can use it.</p>
<pre>
<code>root@littleblackbox:~# apt-get install tftpd-hpa
 </code></pre>
<p>You will see a lot of fetch text scroll back but as long as it shows up that &#8220;tftpd-hpa installed successfully&#8221; then you are good to go on to the next step.  First off, we need to decide where the &#8220;tftpboot&#8221; directory will live that is used by tftpd-hpa to distribute.</p>
<p style="padding-left: 30px;"><strong>NOTE:</strong> Ubuntu by default will create a &#8220;/var/lib/tftpboot&#8221; directory as part of the tftpd-hpa installation. You can keep this path if you want, however in my installation I chose to go with &#8220;/tftpboot&#8221; instead.  If you wish to use &#8220;/var/lib/tftpboot&#8221; then be sure to substitute that path in place of &#8220;/tftpboot&#8221;.</p>
<p>I went ahead and created the &#8220;/tftpboot&#8221; directory by using the following command:</p>
<pre>
<code> root@littleblackbox:~# mkdir /tftpboot
</code></pre>
<p>Now that we have the directory, we need to edit the &#8220;/etc/default/tftpd-hpa&#8221; file so that the application has the correct information to start:</p>
<pre><code>
#Defaults for tftpd-hpa
RUN_DAEMON="no"
OPTIONS="-l -s /var/lib/tftpboot"
</code></pre>
<p>Change the &#8220;RUN_DAEMON&#8221; from no to yes, and change the &#8220;OPTIONS&#8221; to reflect where you want the tftpboot files to go.  My file looks like the one below:</p>
<pre><code>#Defaults for tftpd-hpa
RUN_DAEMON="yes"
OPTIONS="-l -s /tftpboot"
 </code></pre>
<p>This tells the tftpd-hpa application to always run and that we want to use the &#8220;/tftpboot&#8221; directory to serve our image. Now we need to start the service:</p>
<pre><code>
root@littleblackbox:~# /etc/init.d/tftpd-hpa start
Starting HPA's tftpd: in.tftpd.
</code></pre>
<p>If the display shows &#8220;in.tftpd.&#8221; then you&#8217;re successful. Pretty easy so far, but now we get into the harder stuff.</p>
<h2>File Placement in the /tftpboot directory</h2>
<p>Now that we have our tftp server running, let&#8217;s put some files in place.</p>
<ul>
<li>Copy the pxelinux.0 to /tftpboot</li>
<li>Copy the menu.c32, chain.c32 from the UBCD to /tftpboot</li>
<li>Copy the memtest image from the UBCD to /tftpboot/images</li>
<li>Copy the defaults.cfg from the UBCD to /tftpboot/menus/</li>
</ul>
<p>While you&#8217;re at it, let&#8217;s make two directories as well:</p>
<pre><code>
root@littleblackbox:/tftpboot# mkdir menus
root@littleblackbox:/tftpboot# mkdir images
root@littleblackbox:/tftpboot# mkdir pxelinux.cfg
</code></pre>
<p>The &#8220;menus&#8221; directory will be where we will place the menu files, the &#8220;images&#8221; directory is for the boot disk images that we&#8217;ll link to in the menus that we&#8217;ll create, and the &#8220;pxelinux.cfg&#8221; directory will be where we place the configuration file for the PXE loader.  The PXE loader is capable of so much more than just what we&#8217;re doing here, but that is way outside the scope of this howto.</p>
<p style="padding-left: 30px;"><strong>NOTE:</strong> Keeping this directory organized is important.  Duplicate filenames and mis-coded directory paths are the most common foul-ups when working with tftp or when working with files in general.  Cleanliness may be next to Godliness, but in a linux server, it&#8217;s vital to prevent &#8220;oops&#8221;es.</p>
<h2>Configuration of pxelinux.0 and the DHCP server</h2>
<p>Some of you that did some prior research may be screaming &#8220;What about the DHCP server?&#8221;   Well that&#8217;s coming up, but first we gotta finish building the TFTP configuration so we can test it first.</p>
<p>First off, let&#8217;s create a file in &#8220;/tftpboot/pxelinux.cfg&#8221; called &#8220;default&#8221;.  This is important because as soon as PXElinux bootstraps the machine, it&#8217;s going to want to find a configuration file.  If no file is specified, the machine will scout about looking for a configuration in the &#8220;pxelinux.cfg&#8221; directory until it either finds one at which point it will boot the image specified or it will give up and sit there with some error on the screen.</p>
<p>For the &#8220;default&#8221; configuration file, copy and paste this in.</p>
<pre><code>
default main
 prompt 1
 timeout 15
 label main
 kernel menu.c32
 append menus/main.mnu
 </code></pre>
<p>The first line <strong>default</strong> tells pxelinux to show the item with the same label as the default selected boot option. If the <strong>timeout</strong> value is reached (15 seconds), then that boot image is started if it is available.</p>
<p>The second line <strong>prompt 1</strong> forces pxelinux to show the &#8220;boot:&#8221; prompt after it has loaded.</p>
<p>The third line <strong>timeout <em>15</em></strong> sets the boot delay to give you the option of entering a boot image.  It&#8217;s not really used in this configuration as we will be &#8220;booting&#8221; the menu system, but it&#8217;s there to keep the configuration standards compliant, which is always a good thing.</p>
<p>The fourth, fifth and sixth lines make up the default boot image that we want to load and is a format you&#8217;ll want to remember for later.  It will come back to you again.</p>
<ol>
<li><strong>LABEL</strong> <em>main</em> &#8211;  This is how the item is presented at boot time (or menu generation time).</li>
<li><strong>KERNEL</strong> <em>menu.c32</em> &#8211; This is the kernel image to boot if the option is selected.</li>
<li><strong>APPEND</strong> <em>menus/main.mnu</em> &#8211; This line specifies any additional kernel level options that the kernel needs to operate. Typically there may be a call to an initrd (initial ramdisk) or some other commands.  This specific line tells the &#8220;menu.c32&#8221; menu kernel to load the &#8220;menus/main.mnu&#8221; menu as a boot parameter to get the menu to render.</li>
</ol>
<p>Save the file as &#8220;default&#8221; within the &#8220;/tftpboot/pxelinux.cfg&#8221; directory. Now that we have the default configuration created, it&#8217;s time to create the first menu.  Don&#8217;t worry too much about the parameters right now as we&#8217;ll go over them in the next section.  Copy and paste this into a text editor and save it as &#8220;main.mnu&#8221; in the &#8220;/tftpboot/menus&#8221; directory.</p>
<pre><code>
MENU INCLUDE /menus/defaults.cfg
LABEL memtest
 MENU LABEL Memtest86 V3.3
 KERNEL /images/memtest
</code></pre>
<p>This will be the first menu in your menu system.  Since we&#8217;ve finished with the tftpboot directory, let&#8217;s compare.   I use the command <strong>tree</strong> to print out this list, you can <strong>apt-get install tree</strong> to compare it or just compare the list with your &#8220;/tftpboot&#8221; directory contents:</p>
<pre><code>
root@littleblackbox:/# tree /tftpboot
/tftpboot
|-- images
| `-- memtest
|-- menu.c32
|-- menus
| |-- defaults.cfg
| `-- main.mnu
|-- pxelinux.0
`-- pxelinux.cfg
     `-- default
</code></pre>
<p>Now, there is one critical bad thing that we&#8217;ve been missing. It&#8217;s also the only thing preventing us from testing the installation at this point.  We need to configure the DHCP server!</p>
<p style="padding-left: 30px;"><strong>NOTE:</strong> The following instructions are for Linux and are tailored for a situation where the DHCP server is on the same computer as the TFTP server.  This is important as the directives we add to your configuration tell the TFTP client where to go to get the image needed to boot the machine.  If you have another server that serves IP addresses via DHCP, then you will need to adjust the IP address to point to the IP of the tftp server.  If you cannot adjust your DHCP server&#8217;s parameters, consider starting a DHCP server on this machine instead of using the unadjustable DHCP server.</p>
<p>When the PXE (or Preboot eXecution Environment) starts a machine, it has just enough software to initialize the NIC and pull for an IP address.  When the DHCP server responds to the PXE&#8217;s request, along with the IP address, it will provide a TFTP server address and the image name for booting.  The PXE then takes this information and attempts to download and execute the image from the TFTP server.</p>
<p>What this means is that you don&#8217;t have to have the TFTP server on the same machine as the DHCP server but you DO have to be able to get the TFTP server&#8217;s IP and the image name into the DHCP server. Otherwise, the PXE will be attempting to talk to a server that doesn&#8217;t exist or doesn&#8217;t have a TFTP service running or worse yet doesn&#8217;t have the image you&#8217;re looking for.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;"><strong>WARNING:</strong></span> Editing the DHCP configuration file is platform dependent.  On Ubuntu, the configuration file is named &#8220;dhcpd.conf&#8221; and is located in &#8220;/etc/dhcp3&#8221; while Redhat on the other hand still calls their file name &#8220;dhcpd.conf&#8221; but stores it directly in &#8220;/etc&#8221;.  Your configuration may differ, you will need to find your configuration file and edit manually.</p>
<p>Edit the DHCP configuration file and within your subnet declaration, add two lines:</p>
<pre><code>
next-server 192.168.0.2;
filename "/pxelinux.0";
</code></pre>
<p>Here is a sample subnet declaration from my dhcpd.conf.  Don&#8217;t copy and paste the below text into your configuration as the directives may not match yours.</p>
<pre><code>
subnet 192.168.0.0 netmask 255.255.255.0 {
 range 192.168.0.20 192.168.0.50;
 default-lease-time 86400;
 max-lease-time 86400;
 option routers 192.168.0.1;
 option broadcast-address 192.168.0.255;
 option subnet-mask 255.255.255.0;
 next-server 192.168.0.2;
 filename "/pxelinux.0";
}
</code></pre>
<p>The <strong>next-server</strong> directive specifies the IP address of the TFTP server and the <strong>filename</strong> directive specifies the path to the image to boot.</p>
<p style="padding-left: 30px;"><strong>NOTE: </strong>All paths are relative according to &#8220;/&#8221; (the root) of the TFTP server.  So even though the file is &#8220;/tftpboot/pxelinux.0&#8221; the filename specified here is just &#8220;/pxelinux.0&#8221; because the &#8220;/&#8221; of the TFTP server is the directory &#8220;/tftpboot&#8221;.  Confused?  Good. :p</p>
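<p>A pre-flight check for the path rule in the note above, as an added example (not part of the original howto): it resolves the DHCP <strong>filename</strong> and every file named by KERNEL, MENU INCLUDE, and menu.c32&#8217;s APPEND line relative to the TFTP root and reports anything missing or pointing outside it. The function names and the placeholder file contents are assumptions made for the example.</p>

```python
import os


def resolve(root, ref):
    """Map a TFTP path to a local path; the TFTP "/" is the served directory."""
    real_root = os.path.realpath(root)
    local = os.path.realpath(os.path.join(real_root, ref.lstrip("/")))
    if os.path.commonpath([real_root, local]) != real_root:
        return None  # the path climbs out of the served directory
    return local


def referenced_files(cfg_text):
    """Yield (path, is_config) for each file a pxelinux or menu config names."""
    kernel = None
    for line in cfg_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].upper()
        if key == "MENU" and len(words) >= 3 and words[1].upper() == "INCLUDE":
            yield words[2], True
        elif key == "LABEL":
            kernel = None  # a new entry starts; forget the previous kernel
        elif key == "KERNEL" and len(words) >= 2:
            kernel = words[1]
            yield kernel, False
        elif (key == "APPEND" and len(words) >= 2 and kernel
              and os.path.basename(kernel) == "menu.c32"):
            yield words[1], True  # menu.c32 takes a menu file as its argument


def check_tftp_tree(root, dhcp_filename, start_cfg="pxelinux.cfg/default"):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    boot = resolve(root, dhcp_filename)
    if boot is None or not os.path.isfile(boot):
        problems.append("DHCP filename %s not found under %s"
                        % (dhcp_filename, root))
    queue, seen = [(start_cfg, "pxelinux default lookup")], set()
    while queue:
        ref, source = queue.pop()
        local = resolve(root, ref)
        if local is None:
            problems.append("escapes TFTP root: %s (from %s)" % (ref, source))
            continue
        if local in seen:
            continue  # already parsed; also stops include loops
        seen.add(local)
        if not os.path.isfile(local):
            problems.append("missing: %s (from %s)" % (ref, source))
            continue
        with open(local) as fh:
            text = fh.read()
        for target, is_config in referenced_files(text):
            if is_config:
                queue.append((target, ref))
                continue
            path = resolve(root, target)
            if path is None:
                problems.append("escapes TFTP root: %s (from %s)" % (target, ref))
            elif not os.path.isfile(path):
                problems.append("missing: %s (from %s)" % (target, ref))
    return problems


def build_sample_tree(root):
    """Constructed sample: the howto's /tftpboot layout with placeholder files."""
    files = {
        "pxelinux.0": "",
        "menu.c32": "",
        "images/memtest": "",
        "menus/defaults.cfg": "MENU TITLE constructed placeholder\n",
        "menus/main.mnu": ("MENU INCLUDE /menus/defaults.cfg\n"
                           "LABEL memtest\n"
                           " MENU LABEL Memtest86 V3.3\n"
                           " KERNEL /images/memtest\n"),
        "pxelinux.cfg/default": ("default main\n prompt 1\n timeout 15\n"
                                 " label main\n kernel menu.c32\n"
                                 " append menus/main.mnu\n"),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
```

<p>Against a real server, call <strong>check_tftp_tree("/tftpboot", "/pxelinux.0")</strong> before restarting DHCP; passing &#8220;/tftpboot/pxelinux.0&#8221; as the filename is reported as not found, which is exactly the mistake the note describes.</p>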
<p>Restart your DHCP Server with the command below:</p>
<pre><code>
root@littleblackbox:/# /etc/init.d/dhcp3-server restart
* Stopping DHCP server dhcpd3 [ OK ]
* Starting DHCP server dhcpd3 [ OK ]
root@littleblackbox:/#
</code></pre>
<p>If your server restarted, let&#8217;s test it out!  Get your test rig or VMware installation together and try it out.  If everything is properly in place, you should boot to a blue screen with &#8220;Memtest 86 V3.3&#8221; highlighted.  Hit the &#8220;enter&#8221; key and see if it starts Memtest.  If it does, then congratulations, you&#8217;re up and running.  If it doesn&#8217;t work, scroll down to &#8220;Troubleshooting&#8221; and take a look at possible causes.</p>
<p>Here is a screenshot of PXElinux booting:</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-35" title="pxelinux boot" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2009/08/pxelinux-boot.bmp" alt="pxelinux boot" width="576" height="320" /></p>
<p>Here is an image of the PXEboot menu.  You will only have the first option.  I configured my server first then thought this would make a good HOWTO so the other menu entries come up later.</p>
<p style="text-align: left;"><img class="aligncenter size-full wp-image-36" title="pxelinux menu" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2009/08/pxelinux-menu.bmp" alt="pxelinux menu" width="576" height="320" /></p>
<p style="text-align: left;">Hit enter and launch Memtest.  It should drop you to a screen that looks something like this:</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-38" title="pxelinux memtest" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2009/08/pxelinux-memtest.bmp" alt="pxelinux memtest" width="576" height="320" /></p>
<p style="text-align: left;">If you&#8217;ve gotten this far and your test station launched Memtest with no errors, it&#8217;s time to go to the next section and set up VSFTPd so we can actually have stuff to install. As it is, you have a fully capable memory tester on your hands.  All you need now is a computer that boots from TFTP and you no longer need to look for those long lost Memtest floppies! Of course, this is merely scratching the surface of what you can do.  Let&#8217;s go on to the next section where we will start getting a major distribution in place for installation.</p>
<h2 style="text-align: left;">Installation of VSFTPd for Ubuntu</h2>
<p>Well, we have made it this far and we&#8217;re actually closer to completion than you would think.  So far we have accomplished the following tasks:</p>
<ol>
<li>We&#8217;ve set up tftpd-hpa on our Ubuntu server.</li>
<li>We&#8217;ve configured it to stay running in memory and given it a location and files to serve.</li>
<li>We&#8217;ve configured pxelinux so that the client can find all the files necessary to boot the menu system.</li>
<li>We&#8217;ve configured the menu system with a test image to distribute and,</li>
<li>We have successfully TFTPbooted pxelinux, the menu system and the memtest image and know it all works.</li>
</ol>
<p>Now we need to install VSFTPd which is an FTP server for Linux.  &#8220;Why FTP?&#8221;, you ask.  The reason is simple.  FTP is easier to configure than Apache (the Linux Webserver) and is the default network installation method for most linux distributions.  While technically you could install using HTTP, you&#8217;d have to configure Apache on your server and if you&#8217;re using Apache to host files to the public internet, then you&#8217;d have to create a virtual host and all that mess.  FTP is much easier to set up and easier in this case is a good thing.</p>
<p>So, let&#8217;s start off by installing VSFTPd</p>
<pre>root@littleblackbox:/# apt-get install vsftpd</pre>
<p>You&#8217;ll see a lot of text fly by and at the end you will see that the server was started.  Unlike most FTP servers, VSFTPd has its own home directory in &#8220;/home&#8221; and not &#8220;/var/lib/ftp&#8221; or &#8220;/var/ftp&#8221; (as is common on some RedHat systems).  Now that we have the VSFTPd server installed, it&#8217;s time for more directory creating.  Since I use my FTP server for more than just storing images and installation media, I recommend the below hierarchy to keep everything making sense.   Remember the note from the file placement section about keeping things clean?  Well now it&#8217;s going to get implemented to the extreme.  Since this is YOUR ftp server, you can do whatever you want, but take these guidelines into advisement:</p>
<ul>
<li>Keep your installation files away from other files by placing them in a different directory</li>
<li>Keep your directory structure simple, but don&#8217;t be afraid to use subdirectories.</li>
<li>On the other hand, don&#8217;t use too many subdirectories.  You don&#8217;t want to have to remember a long path like &#8220;/dist/var/ftp/server/os/i386/redhat/Centos/5.2/installer&#8221; but simply copying everything into the FTP server&#8217;s &#8220;/&#8221; is strongly discouraged.</li>
</ul>
<p>With my server, I have chosen this directory hierarchy:</p>
<ul>
<li>/bootdisks &#8211; images for boot floppies, should I ever need one, here they are.</li>
<li>/dist &#8211; This tells me that there are complete linux distributions available in this folder.</li>
<li>/dist/iso &#8211; This tells me that the .iso CD images of the distributions available are here.</li>
<li>/dist/installer &#8211; This tells me that the installers I&#8217;m looking for are located here.</li>
<li>/dist/installer/centos5 &#8211; This tells me that the installer distribution for CentOS5 is in this directory.  This is the directory I give to the installer later.</li>
</ul>
<p style="padding-left: 30px;"><strong>Note:</strong> As stated previously, you don&#8217;t HAVE to use this hierarchy; you could use /centos5 as your installation directory if you want.  If you are net-installing a bunch of distributions, however, your FTP server root could get messy.</p>
<p>Ok, enough talk about organization, let&#8217;s get to making files:</p>
<pre><code>
root@littleblackbox:/# cd /home/ftp
root@littleblackbox:/home/ftp# mkdir bootdisks
root@littleblackbox:/home/ftp# mkdir dist
root@littleblackbox:/home/ftp# mkdir dist/iso
root@littleblackbox:/home/ftp# mkdir dist/installer
root@littleblackbox:/home/ftp# mkdir dist/installer/centos5
</code></pre>
<h2>MD5sum, Mounting, Copying and Unmounting the disk images</h2>
<p>If you haven&#8217;t already done so, go ahead and copy the CD images into your Ubuntu server.  You can use any folder, although a temporary empty folder is recommended.  I copied my files into ~/CentOS5. If available, make sure you copy the MD5sum file along with them to your temporary directory on the server.</p>
<p>CD into the directory and we can use MD5 to check these files using the syntax below:</p>
<pre><code>
root@littleblackbox:~/Centos5# md5sum -c md5sum.txt
</code></pre>
<p>This command ‘md5sum’ generates an MD5 hash which should be identical to what is in md5sum.txt. The MD5 hash is like a special checksum validation that you can use to validate that downloaded files match their sources on the server you downloaded them from. Using the above command, I get the below results indicating a valid match. If one of the files had been changed by even so much as a comma in a configuration file on the ISO, the test would have failed.</p>
<pre><code>
root@littleblackbox:~/Centos5# md5sum -c md5sum.txt
CentOS-5.3-i386-bin-1of6.iso: OK
CentOS-5.3-i386-bin-2of6.iso: OK
CentOS-5.3-i386-bin-3of6.iso: OK
CentOS-5.3-i386-bin-4of6.iso: OK
CentOS-5.3-i386-bin-5of6.iso: OK
CentOS-5.3-i386-bin-6of6.iso: OK
root@littleblackbox:~/Centos5#
</code></pre>
<p>If you don’t have the md5sum.txt, you can still use the md5sum application. Use the command below to generate the MD5 checksums of the ISO images:</p>
<pre><code>
root@littleblackbox:~/Centos5# md5sum *.iso
</code></pre>
<p>This command will output the MD5 checksum and the filename for each of the files. You then compare these values to what is listed on the server where you got the images. If they do not match, you know you got a corrupted download. Here are the MD5sums of the ISO images I have:</p>
<pre><code>dd93a6da1b900548825159206099603c  CentOS-5.3-i386-bin-1of6.iso
5441ae0a3c9efd47cd8bfab873fe20c1  CentOS-5.3-i386-bin-2of6.iso
024ca72da4e14f79522a90bf8f4fdf9f  CentOS-5.3-i386-bin-3of6.iso
95e5e446754e76b3fa07aaf4946c0aa9  CentOS-5.3-i386-bin-4of6.iso
0cda242797ded4b6b2ea0469984aca82  CentOS-5.3-i386-bin-5of6.iso
889ff6389108a85780a06cd38b7375e7  CentOS-5.3-i386-bin-6of6.iso
</code></pre>
<p>We have our FTP server and we have our validated ISO images. Now it’s time to get messy. The next part comes in mounting these CD iso images, then copying their contents to the FTP directory we made earlier. This can be tedious and can be done incorrectly, rendering a good amount of time wasted if you aren’t careful.</p>
<p style="padding-left: 30px;"><strong>NOTE: </strong>The instructions here are specific for CentOS 5.3 but are commonly applied to most CD based distribution  installers. When in doubt, check with your distribution&#8217;s web site about what you need to do to perform a network installation.  Some distribution vendors may require a different file path be created.</p>
<p>We’ll start off by creating a temporary directory within the temporary directory called “source” and another one called “destination” and then mount the first ISO image into the source directory by use of the loopback option. Once mounted, we’re going to copy everything from source and put it in destination, then unmount the ISO image and repeat for the other 5 images. You can see the commands I used below.</p>
<pre><code>
root@littleblackbox:~/Centos5# mkdir source
root@littleblackbox:~/Centos5# mkdir destination
root@littleblackbox:~/Centos5# mount -o loop CentOS-5.3-i386-bin-1of6.iso ./source
root@littleblackbox:~/Centos5# cp -R ./source/* ./destination
root@littleblackbox:~/Centos5# umount ./source
root@littleblackbox:~/Centos5# mount -o loop CentOS-5.3-i386-bin-2of6.iso ./source
root@littleblackbox:~/Centos5# cp -R ./source/* ./destination
root@littleblackbox:~/Centos5# umount ./source
root@littleblackbox:~/Centos5# mount -o loop CentOS-5.3-i386-bin-3of6.iso ./source
root@littleblackbox:~/Centos5# cp -R ./source/* ./destination
root@littleblackbox:~/Centos5# umount ./source
root@littleblackbox:~/Centos5# mount -o loop CentOS-5.3-i386-bin-4of6.iso ./source
root@littleblackbox:~/Centos5# cp -R ./source/* ./destination
root@littleblackbox:~/Centos5# umount ./source
root@littleblackbox:~/Centos5# mount -o loop CentOS-5.3-i386-bin-5of6.iso ./source
root@littleblackbox:~/Centos5# cp -R ./source/* ./destination
root@littleblackbox:~/Centos5# umount ./source
root@littleblackbox:~/Centos5# mount -o loop CentOS-5.3-i386-bin-6of6.iso ./source
root@littleblackbox:~/Centos5# cp -R ./source/* ./destination
root@littleblackbox:~/Centos5# umount ./source
</code></pre>
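<p>The verify, mount, copy and unmount steps above can be wrapped so that nothing is staged unless the whole ISO set checks out. The script below is an added example, not part of the original HOWTO; the function names are made up for illustration, and it assumes GNU md5sum with md5sum.txt sitting next to the images.</p>

```shell
#!/bin/sh
# Added example (not from the original HOWTO). Function names are
# illustrative. Assumes GNU md5sum and a manifest in md5sum's own
# output format, stored in the same directory as the images.
# Note: a manifest downloaded alongside the images only detects
# corruption; fetch it from the distribution's own site if you can.

# verify_iso_set DIR [MANIFEST]
# Returns 0 only if every *.iso in DIR is named in the manifest and
# every manifest entry exists and matches its digest. "md5sum -c" by
# itself ignores files the manifest does not mention.
verify_iso_set() {
    dir=$1
    manifest=${2:-md5sum.txt}
    status=0

    if [ ! -r "$dir/$manifest" ]; then
        echo "manifest not readable: $dir/$manifest" >&2
        return 2
    fi

    # Names listed in the manifest ("<32 hex>  name" or "<32 hex> *name").
    listed=$(sed -n 's/^[0-9a-fA-F]\{32\} [ *]//p' "$dir/$manifest")

    seen=0
    for iso in "$dir"/*.iso; do
        [ -e "$iso" ] || continue          # glob matched nothing
        seen=1
        name=${iso##*/}
        if ! printf '%s\n' "$listed" | grep -Fxq -- "$name"; then
            echo "UNLISTED: $name" >&2
            status=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "no ISO images in $dir" >&2
        return 2
    fi

    # Check the digests and report only the entries that are not OK.
    if ! out=$(cd "$dir" && md5sum -c "$manifest" 2>&1); then
        printf '%s\n' "$out" | grep -v ': OK$' >&2 || true
        status=1
    fi
    return "$status"
}

# stage_iso_set DIR DEST [MANIFEST]
# Verifies first, then loop-mounts each image read-only and merges its
# contents into DEST. Needs root for mount. Nothing is copied when
# verification fails.
stage_iso_set() {
    src=$1
    dest=$2
    verify_iso_set "$src" "${3:-md5sum.txt}" || return 1

    mkdir -p "$dest" || return 1
    mnt=$(mktemp -d) || return 1
    for img in "$src"/*.iso; do
        if ! mount -o loop,ro "$img" "$mnt"; then
            rmdir "$mnt"
            return 1
        fi
        # "$mnt/." copies dot-files too, which a "*" glob would skip.
        if ! cp -R "$mnt/." "$dest/"; then
            umount "$mnt"
            rmdir "$mnt"
            return 1
        fi
        umount "$mnt" || return 1
    done
    rmdir "$mnt"
}

# Usage, as root:
#   stage_iso_set ~/Centos5 /home/ftp/dist/installer/centos5
```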
<p>What we’ve done now is create a directory called “destination” and copy every CD into that directory, overlapping them. This puts all the CentOS install packages into one directory and adds the necessary additional files to the root of the directory where the installer can find them. Now that we’ve done this, we can move the ISO files to the FTP server’s ISO directory and the “destination” files to the centos5 directory. I also moved the md5sum.txt and renamed it to CentOS5-i386-MD5SUM.txt so that I know that the md5sum.txt is related to those ISO images.</p>
<pre><code>root@littleblackbox:~/Centos5# mv *.iso /home/ftp/dist/iso
root@littleblackbox:~/Centos5# mv md5sum.txt /home/ftp/dist/iso
root@littleblackbox:~/Centos5# mv /home/ftp/dist/iso/md5sum.txt /home/ftp/dist/iso/CentOS-5.3-i386-MD5.txt
root@littleblackbox:~/Centos5# mv destination/* /home/ftp/dist/installer/centos5/
root@littleblackbox:~/Centos5# cd /home/ftp
root@littleblackbox:/home/ftp# chgrp -R nogroup *
</code></pre>
<p>The last step is key.  This makes sure that all the files in /home/ftp have the same group as the FTP user that VSFTPd runs with. Ok, so that’s the hard part. Now we have our installation files in place, our ISOs are in place (in case we need them again) and we’re ready to get those bootdisk images. Let’s take a look and see what we’re up against:</p>
<p>Every distribution has a directory of boot disks that they make available in case you&#8217;re doing an installation on a machine that doesn&#8217;t support CD booting.  All they do is start the system up with enough resources to start the machine and get it to the point where it can run the installation off of a CD.  Most installations also provide a network booting image that we can place in our TFTP server to netboot the entire installation.</p>
<p>Thankfully, Centos5 has that available.  There is a directory called &#8220;images&#8221; and within that there is a directory called &#8220;pxeboot&#8221;.  <strong>cd</strong> into the directory and let&#8217;s take a look.</p>
<pre><code>
root@littleblackbox:/home/ftp# cd dist/installer/centos5/images/pxeboot
root@littleblackbox:/home/ftp/dist/installer/centos5/images/pxeboot# ls
initrd.img  README  TRANS.TBL  vmlinuz
root@littleblackbox:/home/ftp/dist/installer/centos5/images/pxeboot#
</code></pre>
<p>Of course, it helps to read the README file.  This may contain important information on what we need to get this image to work properly.</p>
<pre><code>
root@littleblackbox:/home/ftp/dist/installer/centos5/images/pxeboot# cat README
The files in this directory are useful for booting a machine via PXE.

The following files are available:
vmlinuz - the kernel used for the installer
initrd.img - an initrd with support for all install methods and
 drivers supported for installation of CentOS
</code></pre>
<p>It doesn&#8217;t get any simpler than that.  The &#8220;vmlinuz&#8221; file is the kernel and &#8220;initrd.img&#8221; is the initial ramdisk for the install kernel.  Pretty simple.  The README did not make any mention of any boot options or parameters so for now we&#8217;ll just keep these two files in mind.  Other distributions may require some additional options be passed to the installer.</p>
<p>Copy the initrd.img and vmlinuz files to &#8220;/tftpboot/images&#8221; and we&#8217;ll <strong>cd</strong> into that directory for a little bit more work. Remember when I told you about keeping your &#8220;/tftpboot&#8221; directory clean?  Well, we&#8217;re revisiting that once again.  (Getting tired of it yet?) The names &#8220;vmlinuz&#8221; and &#8220;initrd.img&#8221; may make sense when there is one version of Linux to install, however those are very common names.  Let&#8217;s say you get a copy of CentOS4 and you want to do a network boot/install on that too.  There&#8217;s a pretty darn good chance that CentOS4 uses the same filenames! Since the initrd.img and vmlinuz are compiled for each other, you can&#8217;t go about using CentOS5&#8217;s initrd with CentOS4&#8217;s vmlinuz; they just won&#8217;t work.</p>
<p>So let&#8217;s start off by renaming the two files to something more descriptive.</p>
<pre><code>root@littleblackbox:/tftpboot/images# mv vmlinuz vmlinuz-Centos5-netboot
root@littleblackbox:/tftpboot/images# mv initrd.img initrd-Centos5-netboot
</code></pre>
<p>Now that we have new names for the files, it&#8217;s time for the section that I&#8217;m sure you&#8217;ve been dying to read.</p>
<h2>Configuring boot menus using the menu.c32 from the UBCD</h2>
<p>And to much fanfare, I&#8217;d expect. <img src='http://www.yourwarrantyisvoid.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />   So, let&#8217;s review again:</p>
<ol>
<li>We&#8217;ve set up tftpd-hpa on our Ubuntu server.</li>
<li>We&#8217;ve configured it to stay running in memory and given it a location and files to serve.</li>
<li>We&#8217;ve configured pxelinux so that the client can find all the files necessary to boot the menu system.</li>
<li>We&#8217;ve configured the menu system with a test image to distribute and,</li>
<li>We&#8217;ve successfully TFTPbooted pxelinux, the menu system and the memtest image and know it all works.</li>
<li>We&#8217;ve got our installation media in place on the FTP server with the proper file structure</li>
<li>We&#8217;ve got our boot images in place in &#8220;/tftpboot/images&#8221; and given them descriptive filenames</li>
</ol>
<p>Now we need to build a menu entry to select and start the installer.  This is almost the last step, I promise.  Remember the main.mnu file from earlier? (Look down, I saved you the scrolling.)</p>
<pre><code>
MENU INCLUDE /menus/defaults.cfg
LABEL memtest
 MENU LABEL Memtest86 V3.3
 KERNEL /images/memtest
</code></pre>
<p>Well here is where we&#8217;re going to go over the options and add another image. Firstly, we are going to review what we have here:</p>
<ul>
<li><strong>MENU INCLUDE</strong><em><strong> /menus/defaults.cfg</strong></em> &#8211; This line should appear first at the top of every menu file. This tells the menu.c32 how to render your menu (colors, etc)</li>
<li><strong>LABEL <em>memtest</em></strong> &#8211; This tells the menu system that we are creating a new entry definition and that its name is &#8220;memtest&#8221;.  All <strong>label</strong> declarations must be unique.</li>
<li><strong>MENU LABEL <em>Memtest86 V3.3</em></strong> &#8211; This tells the menu system that the menu should display &#8220;Memtest86 V3.3&#8221; as the text of the selectable item.</li>
<li><strong>KERNEL <em>/images/memtest</em></strong> &#8211; This tells the menu system that if this menu item is selected to boot the &#8220;/images/memtest&#8221; image and execute it.</li>
</ul>
<p>At this point, we could go ahead and declare a new entry definition by copy and paste, however this will cause the machine to fail once the image is selected.  Remember, the image we want to make available is comprised of the kernel (vmlinuz) and the initial ramdisk (initrd.img).  The menu system takes an additional parameter called <strong>APPEND</strong> that carries the additional options needed to get the kernel to work, such as installer parameters and <em>initrd statements.</em></p>
<p style="padding-left: 30px;"><strong>NOTE:</strong> Does this look familiar to you?  If you are thinking that it looks similar to the LILO boot menu then you are absolutely correct.  There are some differences but mostly the same configuration for LILO can be used here.</p>
<p>All we need to do is to add <strong>APPEND</strong> to the menu for our new item and we can save it and test.  Add the following text into your main.mnu and let&#8217;s test it out.</p>
<pre><code>
label Centos5
 menu label Install Centos 5
 kernel /images/vmlinuz-Centos5-netboot
 append initrd=/images/initrd-Centos5-netboot
</code></pre>
<p>That&#8217;s all there is to it.  We have our label, our menu label, our kernel statement and our append statement with the initrd in there. Try booting your test PC now.</p>
<p>If you select the &#8220;Install CentOS 5&#8221; option and, after a few moments of watching text scroll around, you see the following screen, then congratulations! You have finished making your Ubuntu server network boot a Linux installer.</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-43" title="pxelinux boot centos5install" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2009/08/pxelinux-boot-centos5install.bmp" alt="pxelinux boot centos5install" width="576" height="320" /></p>
<p>Go ahead and navigate the menus and when you come to the menu asking for FTP credentials, put the following information in:</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-44" title="pxelinux centos ftp settings" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2009/08/pxelinux-centos-ftp-settings.bmp" alt="pxelinux centos ftp settings" width="576" height="320" /></p>
<p style="text-align: left;">When you hit OK on this screen, the installer will attempt to fetch the information from the FTP server. Remember, until now we have been in the Preboot Execution Environment and are running in the initrd that was loaded when we selected to install CentOS5.  We have not even attempted FTP connectivity at this point.  A few nailbiting seconds later, you should see this screen:</p>
<p style="text-align: left;"><img class="aligncenter size-full wp-image-45" title="welcometocentos5" src="http://www.yourwarrantyisvoid.com/wp-content/uploads/2009/08/welcometocentos5.bmp" alt="welcometocentos5" width="576" height="320" /></p>
<p style="text-align: left;">Go ahead and finish the installation if you&#8217;d like, or turn off the testing machine.</p>
<p style="text-align: left;">You&#8217;re all done.  I do hope that you enjoyed this HOWTO.  If you have any comments or suggestions, please leave them in the comments section of this article.  If you experienced any issues, please keep reading.</p>
<h2 style="text-align: left;">Troubleshooting</h2>
<p>So you got through the HOWTO but something didn&#8217;t go quite right.  Hopefully we can get you running again.</p>
<p><em><strong>My onboard NIC  won&#8217;t boot. My computer shows TFTP followed by a bunch of periods and eventually says &#8220;TFTP OPEN TIMEOUT&#8221; .</strong></em></p>
<p>If you look at the top of the screen, I&#8217;m guessing you&#8217;ll see something that says &#8220;INTEL LANDesk (R) Service Agent, version 0.99b&#8221;.  If so, you will have to use a different NIC.  There was a firmware bug in .99B that resulted in a lot of PXEboot clients not being able to properly connect to a TFTP server.  Unfortunately the only fix was to update the NIC&#8217;s firmware which is a dicey thing to do anyways, especially with an onboard NIC.  I would recommend just going out and getting a different card.</p>
<p><em><strong>When booting my CentOS image, it says &#8220;KERNEL PANIC: No Init Found&#8221;</strong></em></p>
<p>This means that the booted kernel vmlinuz-Centos5-netboot couldn&#8217;t find the initrd to go with it.  I would start by looking at your menu file (main.mnu) and see if the<strong> APPEND <em>initrd=/images/initrd-Centos5-netboot</em></strong> image name is specified correctly.  Try your boot again after editing the file and you should be good to go.</p>
<p><em><strong>My PXE client says &#8220;File Not Found&#8221;</strong></em></p>
<p>Check &#8220;/etc/default/tftpd-hpa&#8221; and make sure that the path specified on the <strong>OPTIONS</strong> line is pointed to &#8220;/tftpboot&#8221; and make sure that the directory has the pxelinux.0 file in it.</p>
<p><em><strong>My PXE client pulls an IP address but times out when trying to download pxelinux.0.</strong></em></p>
<p>This means that either the wrong address was specified on the <strong>next-server</strong> line or that the TFTP server is not responding.  Check it by performing this command: <strong>/etc/init.d/tftpd-hpa restart</strong> and verify it&#8217;s running with <strong>ps auwxf | grep tftpd</strong></p>
<p><em><strong>My menu for CentOS 5 shows &#8220;CentOS5&#8221; instead of &#8220;Install CentOS 5&#8221;.</strong></em></p>
<p>Check your menu file and make sure that you have a <strong>MENU LABEL</strong> specified for this image. If no <strong>MENU LABEL</strong> is present, the menu system will fall back on the name assigned on the <strong>LABEL</strong> line instead.</p>
<p><strong><em>How can I tell if my NIC will network boot?</em></strong></p>
<p>Without sticking it in to a machine and finding out if it works, there&#8217;s no guarantee that the NIC you have will boot.  There are clues that may help you though.  Look at the card and see if there is a chip on there that has the word &#8220;ATMEL&#8221; on it.  If there&#8217;s no ATMEL chip, but there&#8217;s a large socket where a chip should go, then unfortunately that card will not network boot.   If you plug it in and your computer doesn&#8217;t show any text or banner about UNDI, PXE or Etherboot, then you also may be out of luck.  If you have an onboard NIC, take a look in your BIOS and see if there is an option to enable network booting and try again.</p>
<p><em><strong>Will this PXE booting work over USB?  What about Wireless?</strong></em></p>
<ul>
<li>USB &#8211; Unfortunately there is not a PXE boot installation available for USB devices.  They get initialized by the OS long after the PXE hooks in to execute.</li>
<li>Wireless &#8211; The same applies as for USB, except that if you are doing an installation to a WIRED machine and you use a wireless bridge, you might be able to.  The wireless bridge is transparent to the network and PXE so it should function as if you were directly connected to a switch.</li>
</ul>
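<p>Several of the problems above (a mistyped initrd name, a missing file, a missing MENU LABEL) can be caught before rebooting the test PC. The checker below is an added example, not part of the original HOWTO or of syslinux; the function name is made up, and it assumes paths in the menu resolve against the TFTP root (&#8220;/tftpboot&#8221;).</p>

```shell
#!/bin/sh
# Added example (not from the original HOWTO or from syslinux).
# lint_pxe_menu MENU [TFTPROOT]
# Prints findings and returns 1 if the menu has an error. Assumption:
# every path in the menu resolves against TFTPROOT (default /tftpboot),
# and paths contain no spaces.
lint_pxe_menu() {
    menu=$1
    root=${2:-/tftpboot}
    problems=0

    # awk does the structural checks and emits "FILE <label> <path>"
    # for each file the menu refers to; the shell then tests for it.
    report=$(awk '
        function close_label() {
            if (cur != "" && !has_text)
                print "WARN " cur ": no MENU LABEL, the menu will show the LABEL name"
        }
        { kw = toupper($1) }          # keywords appear in either case
        kw == "LABEL" {
            close_label()
            cur = $2; has_text = 0; kernel = ""
            if (seen[cur]++) print "ERR duplicate LABEL " cur
            next
        }
        kw == "MENU" && toupper($2) == "LABEL"   { has_text = 1; next }
        kw == "MENU" && toupper($2) == "INCLUDE" { print "FILE - " $3; next }
        kw == "KERNEL" { kernel = $2; print "FILE " cur " " $2; next }
        kw == "APPEND" {
            # A sub-menu entry passes the next menu file to menu.c32.
            if (kernel ~ /menu\.c32$/) { print "FILE " cur " " $2; next }
            for (i = 2; i <= NF; i++)
                if ($i ~ /^initrd=/) print "FILE " cur " " substr($i, 8)
        }
        END { close_label() }
    ' "$menu")

    while IFS= read -r line; do
        case $line in
            "FILE "*)
                rest=${line#FILE }
                label=${rest%% *}
                path=${rest#* }
                if [ ! -f "$root/${path#/}" ]; then
                    echo "ERR $label: $path not found under $root"
                    problems=1
                fi ;;
            "ERR "*)  echo "$line"; problems=1 ;;
            "WARN "*) echo "$line" ;;
        esac
    done <<EOF
$report
EOF
    return "$problems"
}

# Usage: lint_pxe_menu /tftpboot/menus/main.mnu /tftpboot
```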
<h2>Tips and Tricks</h2>
<p>Ok, so you got the basics down, let&#8217;s examine some of the more advanced aspects of the menu system.</p>
<p style="padding-left: 30px;"><strong>Menu timeout to load a default image</strong> &#8211; Good for the memtest image.  Add &#8220;<strong>timeout <em>30</em></strong>&#8221; and &#8220;<strong>default <em>memtest</em></strong>&#8221; to the main.mnu.  This will tell the menu system  to boot the memtest image if no key is pressed in 30 seconds.</p>
<p style="padding-left: 30px;"><strong>Add a sub-menu</strong> &#8211; Want to add a submenu to the menu system?  This one&#8217;s easy.  Create a new <strong>LABEL</strong> in your main.mnu and add the following</p>
<pre style="padding-left: 30px;"><code>LABEL submenu1
 MENU LABEL Sub Menu 1
 KERNEL menu.c32
 APPEND /menus/submenu1.mnu
</code></pre>
<p style="padding-left: 30px;">Change the <strong>LABEL</strong>, <strong>MENU LABEL</strong> to reflect the new entry and change the <strong>APPEND</strong> line to point to your new submenu.  Copy your main.mnu to your submenu1.mnu file.  Edit it and add the necessary entries to that file.  If you want to have a &#8220;Go Back&#8230;&#8221; option, make your first entry&#8217;s <strong>APPEND</strong> line load &#8220;/menus/main.mnu&#8221;</p>
<p style="padding-left: 30px;"><strong>Change your menu&#8217;s  title.</strong></p>
<p style="padding-left: 30px;">One thing overlooked here was that my defaults.cfg was already edited for my server.  If you copied the one from the UBCD directly, then yours still will say &#8220;Ultimate Boot CD&#8221; at the top which is kind of funny because the machine you&#8217;re installing might not even have a CDROM to boot from.  Edit the defaults.cfg in the &#8220;/tftpboot/menus&#8221; directory and change the <strong>MENU TITLE </strong>directive to whatever you want.  Remember that you can not exceed 76 columns (80 columns &#8211; 4 for the borders) otherwise your menu may not display properly.</p>
<h2>Afterword</h2>
<p>If you would like more information on how to customize your boot menu, check out <a href="http://syslinux.zytor.com/wiki/index.php/Comboot/menu.c32">http://syslinux.zytor.com/wiki/index.php/Comboot/menu.c32</a>. They go through the entire exhaustive option set with code examples and explanations of each option.  I have only posted information here that I have used and know works.</p>
<p>I have enjoyed writing this HOWTO and hope that someone out there finds it useful.  If you would like to make any comments about this HOWTO or want to share your netboot experience, please by all means leave me a comment.</p>
<p>Thank you for reading, Happy netbooting!</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2009/08/17/setting-up-ubuntu-to-tftpboot-with-menu-for-installations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s on your workbench?</title>
		<link>http://www.yourwarrantyisvoid.com/2009/08/17/whats-on-your-workbench/</link>
		<comments>http://www.yourwarrantyisvoid.com/2009/08/17/whats-on-your-workbench/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 05:01:29 +0000</pubDate>
		<dc:creator>firestorm_v1</dc:creator>
				<category><![CDATA[How-To's]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Ask the Users]]></category>
		<category><![CDATA[tools]]></category>
		<category><![CDATA[workbench]]></category>

		<guid isPermaLink="false">http://www.yourwarrantyisvoid.com/?p=7</guid>
		<description><![CDATA[A lot of people keep asking me, &#8220;What tools do you use to hack with?&#8221; and I&#8217;ve always told them about the same handful of items listed below.  These are the tried and true and have never let me down. Read more to get a full list of items that I use regularly that you [...]]]></description>
			<content:encoded><![CDATA[<p>A lot of people keep asking me, &#8220;What tools do you use to hack with?&#8221; and I&#8217;ve always told them about the same handful of items listed below.  These are the tried and true and have never let me down. Read more to get a full list of items that I use regularly that you might find useful on your workbench for hardware hacking.</p>
<p><span id="more-7"></span></p>
<p>I&#8217;ve been hacking hardware for the last ten years of my life.  It started out with the old 486 computer that someone from school gave me and has escalated from there.  I&#8217;ve used a ton of tools ranging from the super expensive to the super cheap, but I have found the following list of items invaluable when it comes to modifying hardware:</p>
<h3>Tools:</h3>
<ol>
<li><strong>A good multimeter</strong> &#8211; Although most people&#8217;s definition of &#8220;good&#8221; can vary, I mean &#8220;good&#8221; as in accurate with a lot of options available.  I recommend a multimeter that can read up to 500V AC or DC voltage, Amperage, Ohms, Polarity check (usually with a diode icon) and Continuity with a buzzer.  I highly recommend the buzzer for continuity because the act of turning to look at the display could cause your leads to shift.  It doesn&#8217;t have to be expensive or fancy, but one with a good set of test leads (alligator clips or pokey-sticks) will do fine.  My multimeter is one that was produced by Archer (part of RadioShack) for $20,  Catalog # 22-802.</li>
<li><strong>A soldering iron</strong> &#8211; Think of a soldering iron as the surgeon&#8217;s scalpel.  While some hardware hacking can be performed easily without the need for a soldering iron, most of the heavy, deep getting down to it requires the use of a good quality soldering iron.  Mine is about 23 watts which provides enough heat to be able to make the solder melt and distribute evenly.  Too much heat can damage components while too little heat can cause issues with solder.  My soldering iron is a Weller SP23. <strong>NOTE:</strong> Because a lot of these hacks involve sensitive electronic components, I strongly discourage the use of a soldering &#8220;gun&#8221; unless you can verify it produces heat via resistance and not via a transformer.  These soldering &#8220;guns&#8221; make it very hard to work on smaller components as the unregulated heat and the magnetic interference produced by these guns will oftentimes damage components.</li>
<li><strong>Soldering Stand</strong>- A soldering stand is pretty much a requirement as you need somewhere safe you can put your soldering iron while it&#8217;s not in use or it is heating up/cooling off.  I think Radio Shack sells these for $10 standalone or $20 for a kit that comes with a soldering iron as well.</li>
<li><strong>Solder Wick</strong>- This is a small spool of flux-treated copper braiding and it makes it almost painless to desolder things for removal or repair.  It&#8217;s a lot easier to use in tight spaces where a solder sucker won&#8217;t work very well.</li>
<li><strong>Multi-bin parts container</strong> &#8211; Don&#8217;t let your projects take over your house.  Get a parts container that has multiple compartments or drawers.  I bought mine at a hardware store on clearance for $15 and have never regretted it.  A container that has multiple compartments is highly recommended for those odds-and-ends that just won&#8217;t fit in a smaller parts container.</li>
<li><strong>A powerstrip</strong> &#8211; You&#8217;d think that this would be a no-brainer, but it surprises me to see some people with extension cords stretched all over creation.  This is both unsafe and an electrical hazard.  What if your soldering iron slips and manages to burn through it while you&#8217;re distracted?  Not the good kind of fireworks.  My bench has <a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16842121010">something similar to this one</a> and it has yet to fail me.  Ample places to plug stuff in and lots of space.  This one is firmly attached to the back of my bench within arm&#8217;s reach if I need it.</li>
<li><strong>A desktop power supply</strong>- Before you freak out on me here, I am serious.  You don&#8217;t have to go spend a kajillion dollars on a fancy EE grade power supply.  If you have an AT power supply, this will be more than ample.  You&#8217;re looking for one that can output 5VDC, 12VDC or one that is adjustable.  I will be posting a howto shortly on how you can make your own AT power supply for your bench.</li>
<li><strong>Screwdrivers, screwdrivers and more screwdrivers!</strong> &#8211; How are you going to get the case off if you have nothing to get the case off with?  I recommend a good phillips (+) or common (-) screwdriver set or one that is reversible.  I have one I found in a grocery store that cost me $5 and it has done me quite well for the many months I&#8217;ve had it.    I also recommend a torx (star shaped) set, a <a href="http://www.frys.com/product/4292254?site=sr:SEARCH:MAIN_RSLT_PG">precision/micro screwdriver set</a> (don&#8217;t fall for the $4 set at the dollar store) and a <a href="http://www.harborfreight.com/cpi/ctaf/displayitem.taf?Itemnumber=93388">security bit set</a>.</li>
<li><strong>Needle Nose Pliers and Diagonal cutters</strong> &#8211; Needle nose pliers and diagonal cutters are important additions to your bench as they can get into places that your fingers or larger tools can&#8217;t.</li>
<li><strong>The Dremel, prized amongst hardware hackers! </strong>-The dremel tool is quite possibly one of the most important tools you&#8217;ll need in your adventure of hardware hacking.  This useful tool allows you to cut and grind where a hacksaw won&#8217;t go and a file won&#8217;t fit.  I highly recommend one, along with a healthy supply of cutting disks.</li>
<li><strong>A large supply of electrical tape</strong> &#8211; Whether it&#8217;s used to get that one wire out of the way or to tape up a splice, electrical tape is very important to keep on hand.</li>
</ol>
<p>It&#8217;s not just tools that make a good bench.  It also takes a good computer and some other things you normally wouldn&#8217;t expect to find on a hardware bench.  Nowadays hacking has gone a lot further than just soldering connections and that&#8217;s all she wrote.  With computers getting smaller and smaller, you are able to find them in the darndest of places.  These items are also recommended as they do come in handy quite often.</p>
<ul>
<li><a href="http://www.bb-elec.com/product.asp?sku=9PMTT">RS-232 Cable Tester</a></li>
<li>A combination of serial port cables and adapters: 9 pin male to 9pin male, 9 pin male to 9 pin female, 9 pin male to 25 pin male, 9 pin male to 25 pin female, 9 pin male-male gender changer, 9 pin female-female gender changer, 25 pin male-male gender changer and a 25 pin female-female gender changer</li>
<li>A computer with a true -12V/+12V serial port. *note: USB dongles don&#8217;t supply the standard voltages that some devices require for serial communication and will sometimes inhibit connectivity to the device.</li>
<li>A USB hub with a power brick</li>
<li><a href="http://www.amazon.com/Iomega-Zip-100-Portable-Drive/dp/B00000J3Q7">USB Zip100 in the clear &#8220;old-school&#8221; style</a>.  Most embedded devices can boot off of a USB Zip100 and as such might prove useful to have one ready.</li>
<li>USB Keydrive (any size, preferably 512M or more)</li>
<li>USB network adapter based off the pegasus driver.  I use a 3com USB network adapter and it has served me quite well.</li>
<li>A 10/100 HUB &#8211; I said HUB because I meant it.  <strong>NOT A SWITCH</strong>.   The reason for this is due to the nature of switches and hubs, it&#8217;s easier to do packet sniffing for network analysis if your target and your analyzer are plugged into a hub.  A switch won&#8217;t necessarily broadcast all packets which makes analysis a bit harder.</li>
<li>A Linux computer with the following utilities: <strong>Wireshark, NMAP, TELNET, SSH</strong> and with multiple network interfaces (for isolation). I will also post a howto on how to build a good network analyser soon.</li>
<li>A good digital camera &#8211; for documenting your hacks and mods!</li>
</ul>
<p>There are certainly more advanced hacks that might require additional items and some unexpected things may come up, but this list (at least the first one) will put most of the hardware hacks into your scope of ability.  In all the hacks documented on this site, I will outline which tools are required so you can read and know which ones you&#8217;ll need before you get started.</p>
<p>Happy Hacking!</p>
<p>FIRESTORM_v1</p>
]]></content:encoded>
			<wfw:commentRss>http://www.yourwarrantyisvoid.com/2009/08/17/whats-on-your-workbench/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

