Foil-backed insulation blocking WIFI

Client has fixed up an old building and has used solid insulation which has an aluminium foil backing that acts as a heat and vapour block. It also stops WIFI dead.

Normally this wouldn’t be a problem and all your signals would be under the roof, but this client has a 3-storey rustic building with the office at the top and a bedroom at the back on the ground floor under a new roof. Whilst the WIFI signals are fine from the top to the bottom of the main building, as soon as you pass under the foil insulation of the extension the signals stop.

The most cost-effective solution to get WIFI to this back room without running Ethernet cables through metre-thick stone walls is to use powerline adapters. Recently I have seen the retail prices for these plummet to less than 50 Euros per pair (for TP-Link brand from Amazon.it or Amazon.co.uk). I am currently testing these out and they are looking fine, but there is one caution that you need to consider.

These units give off a high-frequency audible noise, like the flyback transformer of an old-style CRT monitor or TV. From experience with different customers, these high frequencies can be annoying and frustrating to remove. So you may need to use powerline technology to sneak through the building and then, for the last few metres, use a cheap switch plus long pre-made Ethernet cables or another WIFI AP.

Enabling IPv6 in Ubuntu ufw

I was creating a new web site, dogstarplanet.com, and as I was installing it on my IPv6-enabled host I thought I would set up the A and AAAA records for the same CNAME.

Windows-based PCs without any IPv6 routing obviously ignore any AAAA records and the browser connects to the site as expected, but an Ubuntu desktop I was using was unable to get to the site: neither Firefox nor Opera would connect.

I loaded Wireshark to see if my traffic was leaving and, though I could see the DNS queries for AAAA and A records, there was no TSP traffic (Tunnel Setup Protocol) to the freenet6.net IPv4 address (I’m using the gogoc package out of the box). This means that the browser connection was not getting to the tunnel interface, so the problem was either firewalling or the kernel.

If I run Firestarter I also see the tun interface (routed IP tunnel), but no traffic passes. (Note: I have since removed Firestarter and now run Gufw.)

Well, IPv6 is in the kernel, but I had ufw enabled and ufw doesn’t have IPv6 enabled by default, so if you try to use ping6 you get an error message, e.g.

ping6 ipv6.google.com
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
...

If it is safe to do so, you can quickly test whether this is your problem by turning off ufw with the command

sudo ufw disable

Now your ping6 should work. If it does not, then you have a tunnel problem. Use the command netstat -rn6 to see if you have tun entries.

It is easy to enable IPv6 in ufw by editing /etc/default/ufw: towards the top there is a line reading IPV6=no, which you change to IPV6=yes.

Save that and then disable and re-enable the firewall, i.e. sudo ufw enable (if you disabled it above), or do a sudo ufw reload if it was still running.
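The edit above is worth scripting so that it can be re-run safely. The following is an added example in Python, not code from the original post: it sets IPV6=yes in a ufw defaults file, coping with a file where the line is already correct, commented out or missing entirely, and keeps a .bak copy. Without arguments it demonstrates itself on a constructed sample in a temporary directory (the sample's comments are ours, not Ubuntu's); given a path such as /etc/default/ufw, run as root, it edits that file in place.

```python
"""Make the IPV6=yes edit to a ufw defaults file idempotently.

Added example, not code from the original post. With no argument it runs on a
constructed sample in a temporary directory; given a path (e.g. /etc/default/ufw,
run as root) it edits that file in place and keeps a .bak copy.
"""
import re
import shutil
import sys
import tempfile
from pathlib import Path

# An active (uncommented) IPV6 assignment, e.g. 'IPV6=no' or 'IPV6 = "yes"'.
# [ \t]* rather than \s* so the match cannot swallow preceding blank lines.
IPV6_LINE = re.compile(r"^[ \t]*IPV6[ \t]*=.*$", re.MULTILINE)


def set_ipv6_yes(text: str) -> tuple[str, bool]:
    """Return (new_text, changed). A file already set to yes is returned untouched."""
    match = IPV6_LINE.search(text)
    if match:
        value = match.group(0).split("=", 1)[1].split("#", 1)[0].strip().strip("\"'")
        if value == "yes":
            return text, False
        # Replace only that one line; the rest of the file stays byte-for-byte.
        return text[:match.start()] + "IPV6=yes" + text[match.end():], True
    # No active line (key missing, or only a commented '#IPV6=no'): append one.
    sep = "" if not text or text.endswith("\n") else "\n"
    return text + sep + "IPV6=yes\n", True


def enable_ipv6(path: Path) -> bool:
    """Edit the file in place, saving a .bak copy first. Returns True if changed."""
    updated, changed = set_ipv6_yes(path.read_text())
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(updated)
    return changed


# Constructed sample in the shape of /etc/default/ufw (comments are ours, not Ubuntu's).
SAMPLE_UFW_DEFAULTS = """\
# /etc/default/ufw (constructed sample)
# Set to yes to apply rules to IPv6 as well as IPv4.
IPV6=no

DEFAULT_INPUT_POLICY="DROP"
DEFAULT_OUTPUT_POLICY="ACCEPT"
"""


def demo() -> str:
    """Apply the edit to a temp copy of the sample and return the resulting IPV6 line."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "ufw"
        cfg.write_text(SAMPLE_UFW_DEFAULTS)
        enable_ipv6(cfg)
        return IPV6_LINE.search(cfg.read_text()).group(0)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
        if enable_ipv6(target):
            print(f"{target}: set IPV6=yes (backup in {target.name}.bak)")
            print("Now run: sudo ufw reload   (or sudo ufw disable && sudo ufw enable)")
        else:
            print(f"{target}: IPV6 already yes, nothing to do")
    else:
        print("sample file after edit:", demo())
```

The script only edits the file; the reload or disable/enable still has to be done by hand, because the new setting takes effect only when ufw re-reads its configuration.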

Now you will be able to ping6 and connect to IPv6-enabled hosts using a browser. Note that when you ping6, a PTR query is sent (you would only see it in Wireshark), and you may get a “no such name” response if you have not configured your host’s DNS records correctly. So if you are committed to setting up IPv6 on your host, please check that you have added a suitable DNS PTR entry for the dotted-nibble reverse form of your IPv6 address. Very few protocols, perhaps only mail connections and obviously ping6, use IPv6 PTR queries.
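The dotted-nibble PTR name mentioned above is derived mechanically from the address: expand it to all 32 hex digits, reverse them, put a dot between each, and append ip6.arpa. Below is an added Python example, not code from the original post, that builds that name, converts one back, and runs the forward-confirmed check a mail server performs (PTR to a name, then that name’s AAAA back to the same address) over a constructed two-record zone. The host names and the 2001:db8:: addresses are made-up documentation values.

```python
"""Build the ip6.arpa PTR name for an IPv6 address and check it against the
forward (AAAA) record.

Added example, not part of the original post. The zone data is constructed;
the nibble reversal and the ip6.arpa suffix are the standard reverse-mapping
scheme for IPv6 (RFC 3596).
"""
import ipaddress


def ip6_ptr_name(address: str) -> str:
    """Return the reverse (PTR owner) name for an IPv6 address.

    '2001:db8::1' -> '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa'
    """
    addr = ipaddress.IPv6Address(address)      # validates and expands '::' compression
    nibbles = addr.exploded.replace(":", "")   # always 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def address_from_ptr_name(name: str) -> str:
    """Inverse of ip6_ptr_name, handy when reading a reverse zone file."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError(f"not a full ip6.arpa name: {name}")
    nibbles = "".join(reversed(labels[:-2]))
    groups = [nibbles[i:i + 4] for i in range(0, 32, 4)]
    return str(ipaddress.IPv6Address(":".join(groups)))  # compressed form


def matches_stdlib(address: str) -> bool:
    """Cross-check our derivation against the standard library's reverse_pointer."""
    return ip6_ptr_name(address) == ipaddress.IPv6Address(address).reverse_pointer


# Constructed mini zone: forward (AAAA) and reverse (PTR) records. The second
# PTR deliberately points at a name with no matching AAAA, the kind of mismatch
# a mail server's reverse check rejects.
FORWARD = {
    "ipv6.example.net.": "2001:db8::1",
    "mail.example.net.": "2001:db8::25",
}
REVERSE = {
    ip6_ptr_name("2001:db8::1"): "ipv6.example.net.",
    ip6_ptr_name("2001:db8::25"): "smtp.example.net.",   # no AAAA for this name
}


def fcrdns_ok(address: str) -> bool:
    """Forward-confirmed reverse DNS: PTR -> name, then AAAA(name) -> same address."""
    name = REVERSE.get(ip6_ptr_name(address))
    if name is None:
        return False                            # the 'no such name' case in the post
    forward = FORWARD.get(name)
    return forward is not None and (
        ipaddress.IPv6Address(forward) == ipaddress.IPv6Address(address)
    )


if __name__ == "__main__":
    for ip in ("2001:db8::1", "2001:db8::25", "2001:db8::ffff"):
        print(ip, "->", ip6_ptr_name(ip), "fcrdns ok:", fcrdns_ok(ip))
```

The forward-confirmed check is why the PTR alone is not enough: the name the PTR returns must itself resolve back to the address, so the AAAA record and the PTR record have to be kept in step.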

Address collision on range extended LAN after re-numbering main LAN

Client had decided to change ADSL provider. They were sent a new ADSL modem and I had to install it. The modem didn’t need any configuring as it was ready to go out of the box, but the default LAN range it allocated via DHCP was 192.168.1.0/24 rather than the old LAN of 192.168.0.0/24.

The client site has a SITECOM AP on this LAN and, in another part of the building, a Belkin WIFI universal range extender that extended the WIFI. I had power-cycled the SITECOM AP as it got its internet-facing IP address from the DHCP server in the ADSL modem, but I never rebooted the range extender as it is in another part of the building and shouldn’t need to be rebooted.

The laptop that connects via the range extender was working fine, but every few minutes Windows complained about an address collision. The laptop is the only device on this range extender. The fix was easy: power-cycle the range extender. So although it shouldn’t have needed this, as it uses the separate address space of the SITECOM AP (which is doing NAT), it did actually need doing.

http://No.More.gTLD.Please.ICANN/

We do not agree with the ICANN program of allocating new (generic) gTLDs. Their claim that the “expansion of the generic top-level domain (gTLD) space will allow for a greater degree of innovation and choice” is, in our view, in a word, nonsense.

An existing brand will already have its BRAND plus the .COM, .NET and .ORG gTLDs. The innovation and choice have already settled at that second level.

A small startup won’t be able to afford to run or own a .BRAND gTLD but must make do with the existing .COM and other gTLD or ccTLD space. You would be a moron to come up with a great new name and go ahead with your branding without getting the .COM, even if ICANN go ahead with their plans. Your ability to spend a vast amount of money on a new gTLD isn’t going to change the fact that if you don’t have the .COM you are still doomed to attempt a reverse domain name hijack or throw lots of money at the existing .COM owner to grab that too. So much for your choice.

“Innovation” and “choice” are an application-layer problem. They are not a network problem. ICANN need to go back to school with a wall chart of the ISO 7-layer model if they think that semantically overloading the DNS is a route to “innovation” and “choice”.

For the past 10 years of ICANN’s existence there have been basically two problems that ICANN should have been focusing on with all their hearts, minds and our money: the exhaustion of the IPv4 address space (i.e. IPv6) and the security of the DNS infrastructure (i.e. DNSSEC). Given that IPv4 has started to run out while many ISPs are only in beta programs for IPv6, we’ll leave you to judge how successful that has been.

We, the existing domain name owners, all pay ICANN money as a levy on the gTLD domain names that we buy, so we all have a right to complain about what they are doing. Like many domain name owners, we’ve accumulated the main top-level domains for our own company, Open Mutual Limited, but being a small company we have ignored the ccTLDs and the more esoteric gTLDs. With the new ICANN plans we’ll be looking at potentially many hundreds of new gTLDs, which will segment the domain name space into a vast number of silos, and the further out you go from the traditional .COM the more expensive these new gTLDs seem to get (if the existing .info, .biz or .xxx are anything to go by).

If we wanted to semantically overload our domain names for application reasons, we would do this at the 3rd level, i.e. http://idea.openmutual.com. Our customers would always go to the existing domain name and then, at an application level, we would route them to the 3rd-level domain; in all probability this would be done behind the scenes without the customer even knowing this domain name existed.

At a company level we would not be able to afford a new gTLD of http://openmutual.idea/ or http://idea.openmutual/ and neither would 99.9% of the rest of the world, nor would this be the focus of any startups unless those startups were just in the business of allocating domain names. I fail to see where the innovation and choice is in filling out the ICANN forms to become just another registry for just another gTLD.

http://No.More.gTLD.Please.ICANN/

P2P and IPv6

Out of curiosity I was looking at the connections from a GNU/Linux machine running a BitTorrent (Transmission) client, and I noticed that about 50% of the connections were to IPv6 peers for a particular tracker.

The IPs were a mixture of Freenet6 (probably due to how simple the gogoc package is to use; this is the Gateway6 client that was previously in a package called gw6c or tspc) plus others, but most were Freenet6.

Why is this? Well, with the gogoc package you get an anonymous Freenet6 IPv6 address for your client machine without configuring a thing. From a corporate point of view this adds an extra layer of complexity to managing internet traffic to and from your LANs. You may block P2P traffic, but P2P over IPv6 tunnels may be leaking through.
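The tunnel is only invisible to controls that look at the inner IPv6 traffic; whatever sees the outer IPv4 packets can still recognise it. The following is an added Python example, not code from the original post: it scans constructed flow records for the two indicators of a gogoc-style tunnel, the TSP signalling session (TCP or UDP port 3653, the default from RFC 5572 rather than a value given in the post) and the IPv6-in-IPv4 encapsulation that follows (IP protocol 41), and summarises which internal hosts are tunnelling and how much data they moved. The record layout (proto src dst sport dport bytes) and all addresses are constructed, not any particular exporter’s format.

```python
"""Flag IPv6-over-IPv4 tunnel traffic in flow records.

Added example, not from the original post. gogoc sets up a Freenet6 tunnel via
TSP and then carries IPv6 inside IPv4, so an IPv4-only P2P block can be bypassed
inside the tunnel. A flow exporter or firewall log that sees the outer IPv4
packets can still spot two indicators: TSP signalling on TCP/UDP 3653 (the default
port in RFC 5572, not a value from the post) and IP protocol 41 (IPv6 in IPv4).
The record format 'proto src dst sport dport bytes' and all addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

TSP_PORT = 3653         # Tunnel Setup Protocol default port (RFC 5572)
PROTO_IPV6_ENCAP = 41   # IPv6 encapsulated in IPv4 (6in4, 6to4)


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: int   # 0 when the protocol has no ports
    dport: int
    nbytes: int


@dataclass
class HostSummary:
    labels: Set[str] = field(default_factory=set)
    nbytes: int = 0


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'proto src dst sport dport bytes'."""
    proto, src, dst, sport, dport, nbytes = line.split()
    return Flow(int(proto), src, dst, int(sport), int(dport), int(nbytes))


def classify(flow: Flow) -> Optional[str]:
    """Name the tunnel indicator a flow matches, or None for ordinary traffic."""
    if flow.proto == PROTO_IPV6_ENCAP:
        return "ipv6-in-ipv4 (proto 41)"
    if flow.proto in (6, 17) and TSP_PORT in (flow.sport, flow.dport):
        return "tsp-signalling (port 3653)"
    return None


def tunnel_report(lines: Iterable[str]) -> Dict[str, HostSummary]:
    """Group flagged flows by internal source host with their byte totals.

    A host that performed TSP setup and then moved a large volume inside
    protocol 41 stands out immediately; ordinary flows are ignored.
    """
    report: Dict[str, HostSummary] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label is None:
            continue
        entry = report.setdefault(flow.src, HostSummary())
        entry.labels.add(label)
        entry.nbytes += flow.nbytes
    return report


# Constructed sample: one host sets up a tunnel then pushes ~700 MB through it;
# another host only does HTTPS and DNS. 192.0.2.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_FLOWS = """\
# proto src        dst          sport dport bytes   (constructed)
6   192.0.2.10  198.51.100.7  51234 3653  2048
17  192.0.2.10  198.51.100.7  51235 3653  512
41  192.0.2.10  198.51.100.7  0     0     734003200
6   192.0.2.20  198.51.100.9  44100 443   15360
17  192.0.2.20  198.51.100.5  53011 53    180
"""


if __name__ == "__main__":
    for host, summary in tunnel_report(SAMPLE_FLOWS.splitlines()).items():
        print(f"{host}: {summary.nbytes} bytes via {', '.join(sorted(summary.labels))}")
```

Protocol 41 on its own is also how 6to4 and manually configured 6in4 tunnels (such as the Hurricane Electric tunnels mentioned elsewhere on this page) appear, so a hit is a prompt to check whether the tunnel is sanctioned, not proof of P2P.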

IPv6 Testing

Just provisioned an IPv6 address on this server. I’d initially tried using an IPv6-over-IPv4 tunnel, but this server uses venet virtual interfaces and they don’t seem to be very friendly with the sit interface (nor tun). After managing to lock myself out of the server (I had to edit /etc/network/interface and interface.template to remove my changes and then reload) I went with the Host Europe allocated IP address. I kind of wanted my own range (i.e. a /64 from Hurricane Electric), but I also want the server to run dual-stack, so I’ll live with the hosting-provided address for the moment.

You need to have Plesk version 10.2.0. If you have added IPv6 on top of an existing installation then you will have to go into each of the subscriptions for the domains that you want IPv6 support on, select Change Host Settings and then pick the IPv6 address. It is your hosting provider that issues you the IPv6 address through their provisioning system.

With your DNS provider you need to add a name that points to the IPv6 address (an AAAA record). I have used ipv6, so ipv6.openmutual.org can now be reached from an IPv6 client.