Cisco 1841 Router with HWIC1-ADSL

• Dialer0 is a PPPoE dialer to a VDSL modem via fa0/0
• Dialer1 is a PPPoATM dialer of ADSL via ATM0/1/0
• The IP I am pinging to detect failure is 83.218.143.225
• The ATM0/1/0 interface is shutdown when not in use

First we’ll add a Track and IP SLA to monitor our primary connection (Dialer0) by pinging our monitor IP (83.218.143.225). This track configuration delays actioning a failure for 10 seconds and a restore by 60 seconds. This is to prevent flip-flopping on the lines:

Source code

track 1 rtr 123 reachability
 delay down 10 up 60
 
ip sla 123
 icmp-echo 83.218.143.225 source-interface Dialer0
 timeout 2000
 frequency 4
ip sla schedule 123 life forever start-time now

Next we’ll add default routes for Dialer0 (linked to Track1) and Dialer1 (with a higher metric). If you already have default routes, remove these first:

Source code

ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 254

Finally we’ll use EEMWikipedia: Cisco Embedded Event Manager (EEM) is a feature included in Cisco's IOS operating system (and some other Cisco OSes such as IOS-XR, IOS-XE, and NX-OS) that allow programmability and automation capabil... applets to monitor track 1 and bring up the ATM interface on failure (and visa versa). This also e-mails us about the event:

Source code

event manager applet TRACK-1-TIMEOUT
 event track 1 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "config terminal"
 action 3.0 cli command "interface atm0/1/0"
 action 4.0 cli command "no shutdown"
 action 5.0 mail server "55.33.44.22" to "to@mail.com" from "from@mail.com" subject "IP SLA 123 Timeout" body "Timeout on primary line"
event manager applet TRACK-1-OK
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "config terminal"
 action 3.0 cli command "interface atm0/1/0"
 action 4.0 cli command "shutdown"
 action 5.0 mail server "55.33.44.22" to "to@mail.com" from "from@mail.com" subject "IP SLA 123 Restored" body "Primary line restored"

You should replace 55.33.44.22 with a valid SMTP server that this router has access to send through and change to@mail.com/from@mail.com to the to/from e-mail addresses respectively.

A full example config (with some bits redacted) can be found here.

Here’s a diagram of the approximate topology that this will cater to:

Network Diagram

I shall assert the following facts:

1. The “ISP’s Router” is IP address 1.1.1.1
2. The DSL model is IP address 2.2.2.2
3. The source interface that connects to the ISP router is FastEthernet0/0
4. There is an SMTP server that this router has permission to send via at 99.99.99.99
5. Your e-mail address is you@mail.com

First we use “track” to create 2 track entries to do route tracking. The first defines a “reachability” track which will be used to monitor for and perform actions on the failure of the primary route. This also delays the actions it performs on failure and restore by 20 and 60 seconds respectively to negate the effect of temporary blips. The second is a stub which allows us to take the secondary route up or down.

Source code

track 1 rtr 123 reachability
 delay down 20 up 60
track 2 stub-object
 default-state down

Next we add the routes. There’s 2 default gateways added, each associated with the track entries. There is also a route to ensure that all traffic to the “ISP’s Router” is sent out of the fa0/0 interface. This is for monitoring.

Source code

ip route 0.0.0.0 0.0.0.0 1.1.1.1 name FIBRE track 1
ip route 0.0.0.0 0.0.0.0 2.2.2.2 254 name ADSL_BACKUP track 2
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0

Now we use ip sla to provide the details for our reachability track regarding what it should test. In this case, it pings the “ISP’s Router” every 4 seconds:

Source code

ip sla 123
 icmp-echo 1.1.1.1 source-interface FastEthernet0/0
 timeout 2000
 frequency 4
ip sla schedule 123 life forever start-time now

Finally we add some event handling to perform some actions on the failure and restore of the primary line. These bring up the second route and e-mail you a notification:

Source code

event manager applet TRACK-1-TIMEOUT
 event track 1 state down
 action 1.0 track set 2 state up
 action 1.1 mail server "99.99.99.99" to "you@mail.com" from "monitor@router.local" subject "IP SLA 123 Timeout" body "Timeout on the primary line"
event manager applet TRACK-1-OK
 event track 1 state up
 action 1.0 track set 2 state down
 action 1.1 mail server "99.99.99.99" to "you@mail.com" from "monitor@router.local" subject "IP SLA 123 Restored" body "Primary line restored"

That’s largely it. It contrasts with my earlier post in such that it ignores the effect of temporary blips in the line and also sends e-mail notifications.

To disable this on pfSense, go to System->Advanced and change to the System Tunables tab. Edit net.inet.ip.redirect and/or net.inet6.ip6.redirect to change their values to 0 (zero).

Anycast is used primarily for load balancingWikipedia: Load balancing is a computer networking method to distribute workload across multiple computers or a computer cluster, network links, central processing units, disk drives, or other resources, to achi... to allow the server topographically closest to a user to handle their request. This helps cut down on latency and bandwidth costs and improves load time for users.

Anycast is linked with the Border Gateway ProtocolWikipedia: Border Gateway Protocol (BGP) is the protocol which is used to make core routing decisions on the Internet; it involves a table of IP networks or "prefixes" which designate network reachability among .... This is a protocol used between routersWikipedia: A router is a device that forwards data packets between computer networks, creating an overlay internetwork. A router is connected to two or more data lines from different networks. When a data packet... on the Internet with the intent of ensuring that all of a router’s neighbours are aware of the networks that can be reached through that router and the topographical distance to those networks. The principal of Anycast is that a single IP address is advertised in the BGP messages of multiple routers. As this propagates across the Internet, routers become aware of which of their neighbours provides the short topographical path to the advertised IP address.

IP addresses used in Anycast are often purchased directly from a Regional Internet registryWikipedia: A regional Internet registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a particular region of the world. Internet number resources inclu.... Some data centersWikipedia: A data center or computer centre (also datacenter) is a facility used to house computer systems and associated components, such as telecommunications and storage systems. It generally includes redunda... are known to rent IP addresses to customers and allow them to be advertised by other data centres.

As with all routing, it cannot be guaranteed that a packet will take the same path across the Internet as its predecessor. With Anycast, it cannot be guaranteed that a packet will reach the same destination server as its predecessor. As such, Anycast is not suitable for protocols which track state. TCP is an example of one of these. UDP, however, is perfect for Anycast providing it does not try to track state at a higher level of the OSI model and that the application layer protocol does not rely on a large number of fragemented datagrams to transfer data.

The typical scenario for Anycast as a load balancer is thus:

• A server in London has its own IP address 3.3.3.3 and a shared Anycast IP address 1.1.1.1.
• A server in New York has its own IP address 4.4.4.4 and a shared Anycast IP address 1.1.1.1.
• Each of the above servers runs a DNSWikipedia: The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with... server listening on 1.1.1.1.
• The DNS servers serve up an A record for anycastdomain.com. London would serve up 3.3.3.3 and New York would serve up 4.4.4.4.
• When a DNS request is made for anycastdomain.com, Anycast would route this request to its topographically closest DNS server. This DNS server would, in turn, serve up the unique IP address of its own server and a TCP connection would be established over standard unicast.

Feedback from companies such as ScaleEngine is that it’s quite difficult to persuade data centres to add IP addresses to their BGP. This appears to be best suited to larger organisations who lease their own transitWikipedia: Internet transit is the service of allowing network traffic to cross or "transit" a computer network, usually used to connect a smaller Internet service provider (ISP) to the larger Internet. Technica... and have BGP agreements with their transit providers.

1. They can’t be stepped through and debugged by your standard IDE. Admittedly, neither can the other dirty SQL you shove in your code however because the majority of SQL lacks logic beyond IF() this is less of a problem.
2. The errors created by the DBMS on the failure of a stored procedure are often very cryptic and relate to an underlying database error caused by a single line in the stored procedure.
3. You’re passing off the processing load to your database server. Databases, for example MySQL, are a lot harder to scale than hosting environments such as PHP-FPM. Research shows a very marginal performance boost in using stored procedures but I don’t think that this is enough to hide the fact that your database server will process less transactions per second.
4. You lose portability. A good database abstraction layer in your code should make it portable between databases. Using stored procedures negates this.
5. In the words of @altreus… they’re not in the code base, they’re not in the code base, they’re not in the code base. As such, they don’t track via version control systems. Of course, your database migrations should contain the stored procedures but each change is a new file. This isn’t how version control works.
6. Further to the above, they’re anti-version control. Not only must a developer have his own version of a codebase, he must also have his own version of the database. When working in a team, this adds further complexities and makes it a fruitless task for individual developers to unit test builds prior to committing.
7. Stored procedures aren’t reusable in the same way that code is. This is because they lack library support.

Any number or indeed all of the above may be total bollocks. Nevermind. At least it’ll serve to troll those in favor of stored procedures.

When adding funds to your PayPal account, there’s now 2 options:

Adding Funds with PayPal

The left hand one is the interesting one. Using it allows you to make a direct transfer from your bank to PayPal. The money showed up within seconds. This is particularly useful as it makes PayPal a more viable option for paying friends and family as PayPal payments which are funded from PayPal funds (within the same country) don’t carry any fees.

I have also dealt with a few companies who accept PayPal but charge a hefty surplus to cover the fees. Using this option allows you to pay them instantly and not incur such an excess.

• Some Fireboxes come with pre-installed 512MB CF cards whereas most come with 256MB cards. If you’re unlucky enough to get a box with a 512MB card, you’ll need to purchase a 256MB card for flashing the BIOS. The 512MB card will not work for this purpose.
• When Daniel notes that the “Baud Rate is going to change” it’s a little unclear what should be done here. You should allow the Firebox to boot until you start seeing gibberish coming out of the serial port. At this point, connect to the firebox with a baud rate of 115200 and power cycle it. After this, you can change the BIOS settings.
• Use a fast compact flash card. I’ve had a lot of problems on pfSense 2.1 with slow CF cards. A 200x card works great. I used a Sandisk 4GB 30MB/s card. This has the side effect documented here but this is purely cosmetic and does not affect the running of the system.
• The firebox has a spare RAM slot. This will happily take an extra 512MB DDR2 PC2-4200 533MHz DIMM to give your router a bit of a memory boost. These DIMMs are going so cheap on eBay it’s silly not to.
• At time of writing, the LCD screen is supported natively by the LCDproc-dev package. To use, do the following:
  • Install the LCDproc-dev package
  • Go to services->LCDproc
  • Tick “Enable LCDproc at startup”
  • Select the “Watchguard Firebox with SDEC (x86 only)” driver
  • Leave everything else as is
  • Click Save
  • Tick the “Screens” that you want to show on the screens tab
  • Go to status->services and start the LCDProc service
  • Use the up/down button on the firebox to turn on the back-light and move between “screens”

This firebox range has turned out to be fast and reliable on production networks.

Edit: As per Stephen’s comment below, here’s a definitive reference source for Pfsense on Watchguard Firebox devices.

Below are mirrors of the files hosted by Daniel, just in-case they’ve vanished. These are possibly out of date. Use the pfsense docs link above as the definitive source.

The image for flashing the BIOS
The BIOS
WGXepc
MD5 sums of all the above

Source code

kill -USR1 pid_here

Or use killall to send the signal to all dd processes:

Source code

killall -USR1 dd

You’ll see output similar to this in the terminal dd is running in:

Source code

45900+0 records in
45900+0 records out
752025600 bytes (752 MB) copied, 541.855 s, 1.4 MB/s

If you don’t need Telnet access, you should disable it. The commands are as follows:

Source code

line vty 0 4
 transport input none

If you do need remote terminal access, you should switch Telnet to SSH where possible. Be sure to set a secure password.

Source code

ip domain-name your.domain.com
crypto key generate rsa
username yourusername secret supersecretpassword
line vty 0 4
 transport input ssh
 login local

The crypto key generate rsa command will ask you “How many bits in the modulus”. It is recommended to use at least 2048.

Full credit should be given to http://www.learningjquery.com/2009/04/better-stronger-safer-jquerify-bookmarklet.

Code which you can put into your browser’s debugging console is as follows:

Source code

(function getScript(url){
	var script=document.createElement('script');
	script.src=url;
 
	var head=document.getElementsByTagName('head')[0],
	done=false;
 
	// Attach handlers for all browsers
	script.onload=script.onreadystatechange = function() {
		if ( !done && (!this.readyState || this.readyState == 'loaded' || this.readyState == 'complete') ) {
			done=true;
 
			script.onload = script.onreadystatechange = null;
			head.removeChild(script);
		}
	};
 
	head.appendChild(script);
})('http://code.jquery.com/jquery.min.js');