What is anycast? Anycast explained at a very basic level

Anycast, at a very basic level, is when a collection of servers share the same IP address and data is sent from a source computer to the server that is topographically closest. It is important to remember that topographically closer does not inherently mean geographically closer, though this is often the case.

Anycast is used primarily for load balancing to allow the server topographically closest to a user to handle their request. This helps cut down on latency and bandwidth costs and improves load time for users.

Anycast is linked with the Border Gateway Protocol (BGP). This is a protocol used between routers on the Internet with the intent of ensuring that all of a router's neighbours are aware of the networks that can be reached through that router and the topographical distance to those networks. The principle of Anycast is that a single IP address is advertised in the BGP messages of multiple routers. As this propagates across the Internet, routers become aware of which of their neighbours provides the shortest topographical path to the advertised IP address.

IP addresses used in Anycast are often purchased directly from a Regional Internet Registry. Some data centres are known to rent IP addresses to customers and allow them to be advertised by other data centres.

As with all routing, it cannot be guaranteed that a packet will take the same path across the Internet as its predecessor. With Anycast, it cannot be guaranteed that a packet will reach the same destination server as its predecessor. As such, Anycast is not suitable for protocols which track state; TCP is an example of one of these. UDP, however, is perfect for Anycast, provided it does not try to track state at a higher level of the OSI model and that the application layer protocol does not rely on a large number of fragmented datagrams to transfer data.

The typical scenario for Anycast as a load balancer is thus:

  • A server in London has its own IP address 3.3.3.3 and a shared Anycast IP address 1.1.1.1.
  • A server in New York has its own IP address 4.4.4.4 and a shared Anycast IP address 1.1.1.1.
  • Each of the above servers runs a DNS server listening on 1.1.1.1.
  • The DNS servers serve up an A record for anycastdomain.com. London would serve up 3.3.3.3 and New York would serve up 4.4.4.4.
  • When a DNS request is made for anycastdomain.com, Anycast would route this request to its topographically closest DNS server. This DNS server would, in turn, serve up the unique IP address of its own server and a TCP connection would be established over standard unicast.
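The scenario above, worked through as an added example (not code from the original post): a small network graph in which both sites announce the same anycast address, a shortest-path calculation standing in for BGP's path selection, and a DNS answer that hands the client the winning site's unicast address. The topology, link costs and the unicast addresses 3.3.3.3 and 4.4.4.4 are constructed to match the post; the client names and costs are assumptions. The "dublin" client is deliberately placed so that its cheapest path lands in New York even though London is geographically nearer, which is the topographical-versus-geographical point the post makes.

```python
"""Toy model of anycast routing plus the DNS hand-off to unicast.

Added example, not from the original post. Link costs stand in for BGP
path selection; the graph is constructed for illustration only.
"""
import heapq

ANYCAST_IP = "1.1.1.1"

# Unicast address of the server behind each anycast site (from the post).
SITES = {"london": "3.3.3.3", "newyork": "4.4.4.4"}

# Constructed topology: undirected links with a routing cost. "dublin" is
# geographically nearer London, but its cheap transit terminates in New York.
LINKS = [
    ("paris", "london", 1),
    ("dublin", "newyork", 2),
    ("dublin", "paris", 5),
    ("boston", "newyork", 1),
    ("paris", "newyork", 6),
    ("london", "newyork", 8),
]


def build_graph(links):
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def shortest_costs(graph, source):
    """Dijkstra from `source`; returns {node: path cost}."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, w in graph[node].items():
            nd = d + w
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def anycast_target(graph, client):
    """Site that receives a packet the client sends to ANYCAST_IP.

    Every site advertises the same prefix, so the client's router forwards
    towards whichever advertisement arrived over the cheapest path.
    """
    costs = shortest_costs(graph, client)
    reachable = {site: costs[site] for site in SITES if site in costs}
    return min(reachable, key=reachable.get)


def resolve(graph, client):
    """DNS query to the anycast address: the nearest site answers with its
    own unicast address, which the client then uses for the TCP session."""
    site = anycast_target(graph, client)
    return {"site": site, "queried": ANYCAST_IP, "a_record": SITES[site]}


if __name__ == "__main__":
    g = build_graph(LINKS)
    for client in ("paris", "dublin", "boston"):
        print(client, resolve(g, client))
```

Changing a single link cost (for example raising the dublin to newyork link above 6) moves dublin's answer to London without any change on the servers, which is also why two consecutive packets from one client can end up at different sites when routes flap.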

Feedback from companies such as ScaleEngine is that it’s quite difficult to persuade data centres to add IP addresses to their BGP. This appears to be best suited to larger organisations who lease their own transit and have BGP agreements with their transit providers.

Configuring Cisco IOS switches for Cisco VOIP phones

Some Cisco switches, such as our Catalyst 3560 series, have Smartports which can be configured via the switch's web interface to have roles. These roles provide the ports with typical settings for network security and QoS. If your switch doesn't have Smartports, these are Cisco's recommended settings for each switch interface which is supporting a Cisco VOIP phone. They are shown in the context of interface fa0/1.

  interface FastEthernet0/1
  switchport access vlan 14
  switchport mode access
  switchport voice vlan 5
  switchport port-security maximum 2
  switchport port-security
  switchport port-security aging time 2
  switchport port-security violation restrict
  switchport port-security aging type inactivity
  macro description cisco-phone
  auto qos voip cisco-phone
  spanning-tree portfast
  spanning-tree bpduguard enable

You'll need to change the access VLAN ID and voice VLAN ID to match your own PC VLAN and voice VLAN.

PHP: Interfacing with HeatMiser WiFi thermostats

I’m quite a big fan of writing code that interfaces with physical data. It somehow feels more fulfilling to see or feel the results.

On top of my repertoire of the Foscam FI8908W Recorder and TK110 GPS Tracker Server comes a PHP interface for HeatMiser WiFi Thermostats. This too can be found on GitHub. The code is fairly self-explanatory and the docs should point you in the right direction. The library will read from and write to HeatMiser WiFi thermostats. It's tested on the PRT-TS but should probably work on others. If not, fix it up and submit a pull request on GitHub (or comment here).

If you came looking for an insight into this thermostat's binary network protocol, there's a decent guide released by HeatMiser on the topic. This can be found on their website. The guide can be a lot to get your head around, so hopefully my code will be enough to aid you in this area. Failing that, or if you're more of a camel, there's a good Perl implementation on Google Code. The Perl implementation is more of an example than an interface-able library, but it's a great starting point and provided a lot of inspiration for my PHP implementation.

Creating a “Guest Wifi” with 802.1Q VLAN Tagging in pfSense and DD-WRT

Preface: For an explanation of VLAN tagging, see this post.

This seems quite a common thing to do yet it’s proved to be a huge ball-ache with DD-WRT. Here’s the result of many days of faffing about attempting to get this working.

The use case is thus... We have an established wifi network comprising D-Link DIR-615 access points flashed with DD-WRT, a router running pfSense and a managed Gigabit switch supporting 802.1Q VLAN tagging. It was required to have a second wifi network for guests of the office to get online. The guest wifi had to be separate from the main wifi such that the main network was secure from intrusion, guests should be sent to the company website when they log in, and we didn't want to have to double up the access points or run more structured cabling to connect them.

To cut a long story short, the D-Link DIR-615 didn't work out. This is because only Broadcom-based hardware supports hardware VLAN tagging on DD-WRT, and the DD-WRT software VLAN tagging just plain doesn't work, even on Broadcom-based hardware. I ended up, after days of faffing, buying some Linksys E1000s and flashing them with DD-WRT myself. Any of the devices listed here that support 802.1Q VLAN tagging should be fine.

The starting point was easy. On pfSense, under Interfaces -> (assign) -> VLANs, I created 2 VLANs on the interface that is the LAN. In my case, sk1. These were tagged 1 (primary LAN VLAN ID) and 4 (guest LAN VLAN ID).

pfSense VLAN Config

This created 2 new “Network ports” under Interfaces -> (assign) -> Interface assignments called “VLAN1 on sk1” and “VLAN4 on sk1”. VLAN1 was assigned to the existing LAN interface, in place of sk1, and I added another interface called “GuestNet” and assigned VLAN4 to this.

pfSense Interface Assignment

On setting up the switch to tag the port that the pfSense interface was connected to, into VLANs 1 and 4, the router worked as expected.

I set up a static IP address on the GuestNet interface and also set up DHCP to issue IP addresses. I initially added an "allow all" firewall rule to the interface and enabled Captive Portal. Finally, I set up outbound NAT so this interface could access the Internet. Our remote server firewall rules permit traffic from our primary NAT IP, so I NATed to an alternative public IP for added security. I won't go into the details of these; they're all fairly self-explanatory. Drop me a comment on this post if you're stuck with any of this.

I tested the Captive Portal setup by hooking a laptop up to a port on the switch which was set to untagged VLAN 4. This got an IP address from DHCP and was forced to authorize through Captive Portal before getting onto the network.

Now the bit that took me a long time to figure out: DD-WRT. The first step, which works great, is to add a second wifi network. This is done as a Virtual Interface under Wireless -> Basic Settings.

DD-WRT Virtual Wifi Network

Assign security to this, if you require. If you’re using Captive Portal, this shouldn’t be needed.

Next, you’ll need to break this away from the primary bridge. To do this, under Setup -> Networking, create a new bridge called br1 and click “Apply Settings”. Assign the guest wifi interface that DD-WRT created to this bridge. This will typically be called wl0.1 on Broadcom devices. All being well, you shouldn’t be able to connect to guest Wifi but you should be able to connect to the private wifi.

Now we have to jump into Telnet to VLAN tag ports. Apparently, on some devices, this is possible via the Setup -> VLANs web interface, but support is seemingly very flaky. There are some great docs on doing this via Telnet on the wiki. It seems the best support is on the LAN ports, and much of the time you cannot VLAN tag the WAN port.

First, look at the existing LAN VLAN (often VLAN1) and see how it's set up.

root@Propeller Communications 1:~# nvram show | grep vlan1ports
vlan1ports=1 2 3 4 5*

You can see which VLAN is the LAN one from br0 on the Setup -> Networking page. It’ll always be the lowest numbered VLAN of the two in the bridge. So if you have vlan1 and vlan2 bridged, vlan1 is the LAN. If you have vlan0 and vlan1 bridged, vlan0 is the LAN.

You'll see here that this VLAN has ports 1-4 (all the LAN ports) as well as 5*. The 5 is the router's internal CPU and must be in all VLANs; apparently this is 8 on Gigabit routers. The * signifies that this is the default VLAN for untagged packets and should only be on one VLAN (this doesn't work on some hardware, like the E1000). Port 0 is typically the WAN interface, which, as I said, often can't be tagged. To tag ports, you simply suffix the port number with a t. Thus, to assign port 1 tagged to VLAN1 and VLAN4, we'd do this:

nvram set vlan1ports="1t 2 3 4 5*"
nvram set vlan4ports="1t 5"
nvram set port1vlans="1 4"
nvram set vlan4hwname=et0
nvram commit
reboot

This should hopefully be self-explanatory. The vlan4hwname setting activates VLAN4.
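Because a mistake in these nvram values is only discovered after `nvram commit` and a reboot (and an untagged-mismatch can lock you out of the device), it is worth checking the plan first. The following is an added example, not code from the original post or from DD-WRT: it runs on a workstation against the `key=value` text you captured from `nvram show` (or the values you are about to set) and checks the rules described above: the CPU port must be in every VLAN, the untagged `*` marker should be on one VLAN only, every VLAN has a `vlanNhwname`, a physical port that is tagged must be tagged in every VLAN it belongs to, and `portNvlans` must agree with the `vlanNports` membership. The CPU port number is a parameter (5 here, 8 on the Gigabit models the post mentions). The sample nvram text is constructed to match the post's final state.

```python
"""Sanity-check a DD-WRT vlanNports / portNvlans plan before `nvram commit`.

Added example, not from the original post. Input is the `key=value` text
printed by `nvram show`; only the vlan*/port* keys are examined.
"""
import re

# Constructed sample: the state the post reaches after its nvram set commands.
SAMPLE_NVRAM = """\
vlan1ports=1t 2 3 4 5*
vlan4ports=1t 5
port1vlans=1 4
vlan1hwname=et0
vlan4hwname=et0
"""


def parse_nvram(text):
    """Turn `key=value` lines into a dict; blank or malformed lines are skipped."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip().strip('"')
    return out


def vlan_port_map(nv):
    """{vlan_id: {port: {'tagged': bool, 'default': bool}}} from vlanNports keys."""
    vlans = {}
    for key, value in nv.items():
        m = re.fullmatch(r"vlan(\d+)ports", key)
        if not m:
            continue
        ports = {}
        for tok in value.split():
            pm = re.fullmatch(r"(\d+)(t?)(\*?)", tok)
            if not pm:
                raise ValueError(f"{key}: bad port token {tok!r}")
            ports[int(pm.group(1))] = {
                "tagged": pm.group(2) == "t",
                "default": pm.group(3) == "*",
            }
        vlans[int(m.group(1))] = ports
    return vlans


def check_plan(text, cpu_port=5):
    """Return a list of problems; an empty list means the plan looks sane."""
    nv = parse_nvram(text)
    vlans = vlan_port_map(nv)
    problems = []

    # 1. CPU port present in every VLAN, and every VLAN has a hwname to activate it.
    for vid, ports in vlans.items():
        if cpu_port not in ports:
            problems.append(f"vlan{vid}ports is missing CPU port {cpu_port}")
        if f"vlan{vid}hwname" not in nv:
            problems.append(f"vlan{vid}hwname not set; VLAN {vid} will not be activated")

    # 2. The '*' default-VLAN marker on at most one VLAN.
    default_vlans = [vid for vid, ports in vlans.items()
                     if any(p["default"] for p in ports.values())]
    if len(default_vlans) > 1:
        problems.append(f"default marker '*' on several VLANs: {default_vlans}")

    # 3. Per physical port: consistent tagging, and agreement with portNvlans.
    membership = {}
    for vid, ports in vlans.items():
        for port, flags in ports.items():
            if port != cpu_port:
                membership.setdefault(port, {})[vid] = flags["tagged"]
    for port, by_vlan in membership.items():
        tagged = [v for v, t in by_vlan.items() if t]
        untagged = [v for v, t in by_vlan.items() if not t]
        if tagged and untagged:
            problems.append(f"port {port} is tagged in {tagged} but untagged in {untagged}")
        declared = nv.get(f"port{port}vlans")
        if declared is not None:
            declared_set = {int(x) for x in declared.split() if x.isdigit()}
            if declared_set != set(by_vlan):
                problems.append(f"port{port}vlans={declared!r} disagrees with "
                                f"vlanNports membership {sorted(by_vlan)}")
    return problems


if __name__ == "__main__":
    for problem in check_plan(SAMPLE_NVRAM) or ["plan looks sane"]:
        print(problem)
```

Run it with `python3 check_plan.py < nvram_show.txt` (feed the file through `SAMPLE_NVRAM` or `sys.stdin.read()` as you prefer); on the E1000-style port reversal the post describes the checker cannot help, because that is a labelling problem rather than an nvram one.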

Be sure to tag the port on your switch into the appropriate VLANs.

NOTE: On some routers (E1000 included), the ports are labelled backwards. If it doesn't work as intended when you plug the network into Port 1, try plugging into Port 4. What I did was to untag the port on the switch and ping the DD-WRT device. I then swapped the network cable between the LAN ports until the ping stopped working, even after waiting a few moments. I enabled tagging on the switch port and the pinging started up again.

Once the device has rebooted, you should be able to assign vlan4 to br1 under Setup -> Networking.

DD-WRT Network Setup

All being well, your guest wifi network should start working from the DHCP server on VLAN4.

Finally, I removed the temporary "Allow All" rules on the pfSense firewall for this interface and replaced them with a rule to allow ICMP echo requests to the GuestNet interface address, a block of all IPv4 traffic to private networks (via an alias called PrivateNets), a block of all IPv6 traffic and finally an allow of everything else. Because pfSense evaluates rules top-down and the first match wins, the order matters: the blocks must sit above the final allow. This means guest devices cannot access any private networks by IP address, including their own, but can access the Internet.
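To show what that rule order actually permits and denies, here is an added example (not code from the original post, and not pfSense's own rule syntax) that evaluates the four rules top-down, first match wins, over a few constructed guest packets. The GuestNet interface address 10.4.0.1 and the contents of the PrivateNets alias (the RFC 1918 ranges plus link-local and loopback) are assumptions; adjust them to your own interface and alias.

```python
"""First-match evaluation of the GuestNet rule set described above.

Added example, not from the original post. Rule order mirrors the post:
pass ICMP echo to the interface address, block IPv4 to PrivateNets,
block all IPv6, pass everything else. Addresses and packets are constructed.
"""
import ipaddress

GUESTNET_ADDR = ipaddress.ip_address("10.4.0.1")  # assumed interface address

# Assumed contents of the "PrivateNets" alias.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]


def in_private_nets(addr):
    return any(addr in net for net in PRIVATE_NETS)


def pkt(src, dst, proto, dport=None, icmp_type=None):
    """Minimal packet description: addresses are parsed so v4/v6 is explicit."""
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": dport,
        "icmp_type": icmp_type,
    }


# (action, predicate) in the order the post lists them. pfSense evaluates
# interface rules top-down and stops at the first match.
RULES = [
    ("pass", lambda p: p["proto"] == "icmp"
                       and p["icmp_type"] == "echo-request"
                       and p["dst"] == GUESTNET_ADDR),
    ("block", lambda p: p["dst"].version == 4 and in_private_nets(p["dst"])),
    ("block", lambda p: p["dst"].version == 6),
    ("pass", lambda p: True),
]


def evaluate(packet):
    """Return the action of the first matching rule ("block" if none match,
    which is pfSense's implicit default deny)."""
    for action, matches in RULES:
        if matches(packet):
            return action
    return "block"


if __name__ == "__main__":
    samples = [
        ("ping the gateway", pkt("10.4.0.20", "10.4.0.1", "icmp", icmp_type="echo-request")),
        ("SMB to the office LAN", pkt("10.4.0.20", "192.168.1.10", "tcp", dport=445)),
        ("DNS to a public resolver", pkt("10.4.0.20", "8.8.8.8", "udp", dport=53)),
        ("HTTP over IPv6", pkt("2001:db8::20", "2001:db8::1", "tcp", dport=80)),
        ("SSH to the gateway", pkt("10.4.0.20", "10.4.0.1", "tcp", dport=22)),
    ]
    for label, p in samples:
        print(f"{label:28s} -> {evaluate(p)}")
```

Note that in this model anything other than an echo request to the interface address is caught by the PrivateNets block, including a guest talking to another guest on 10.4.0.0/24; the DHCP and Captive Portal traffic the interface itself needs is handled by pfSense's automatic rules and is outside what this toy evaluator models.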

pfSense Guest Firewall Rules

And that’s it. A bit of a balls but great when you get it right. Comment if you have any Qs.

How to install public access Wi-Fi for your business

I have recently spent a short period of time in the USA. One of the major differences I have noticed, as compared to the UK, is that the majority of pubs, bars, restaurants and cafes all have free wi-fi access. This is cheap and easy to set up, and boosts your repeat business. There's really little excuse not to do it.

I am, in fact, typing this blog post using on-board wi-fi on a plane at 32,000 feet. It's disgustingly slow, but cool nonetheless.

American Airlines Wifi Speed Test

Here’s a few things to consider when you’re doing a DIY public access wi-fi installation:

The Internet Connection

It doesn't need to be anything spectacular. People should not be using it for hefty downloads. A cheap residential Internet connection from the likes of BT, TalkTalk, etc. would probably suffice. Be sure to read the small print so that you won't get in trouble for using it for business purposes. BT's business 'Infinity' (fibre) service is cheap as chips, also, and can be used for this purpose.

The Wi-fi Hardware

The aforementioned BT business Infinity service comes complete with a 'BT Business Hub' wireless router. Most other services will come complete with wi-fi hardware. If placed somewhat centrally in a small to medium-sized establishment, you'll undoubtedly get full coverage of the area. If you're struggling to get full coverage, either because you cannot place the device centrally due to the location of the phone line or because the area is too big, you have a couple of options...

Wi-fi Range Extenders

Devices called ‘wi-fi range extenders’ act as relays in your wireless network. They take the wi-fi signal from your main wireless router and re-broadcast it. These devices are relatively easy to install and don’t require any physical connection to the main wi-fi router.

Additional Wireless Access Points

You can connect multiple access points onto a network very simply. Giving them the same SSID and encryption credentials makes them appear as a single access point, on most devices. This is further detailed in an earlier article on this blog.

Channel Selection

Wireless networks work with 'channels'. These channels represent frequency sub-ranges within the larger frequency range allocated to wi-fi as a whole. They are numbered 1 to 14. If I'm not mistaken, channel 14 is not allowed in the UK and you should stick with 1 to 13 to ensure compatibility. This Kioskia article explains channels in depth and gives you advice on selecting the best one to use.

Security

Your home network should always be secured with a password. Public access wi-fi should not do this, as it makes it difficult to use. This is not a particularly great security concern because your wi-fi signal will barely reach beyond the external walls of your premises and no private data should be shared over the network.

Covering Your Ass

It's often a good idea to force people to agree to your terms and conditions in order to connect. This is possible using a technology called a captive portal. The open-source DD-WRT router firmware supports this well, and proprietary closed-source alternatives exist. This technology is often also called hotspot authentication. Google around for wireless hardware which supports this. You can also use this technology to direct people who connect to your wi-fi to your own website.

Summary

To summarize, adding public access wi-fi to your business does not need to be difficult or expensive. It will encourage repeat business and make your customer experience that little bit better.