Comments Posted By Andryan

Displaying 1 To 21 Of 21 Comments

MikroTik simple script to update ZoneEdit Dynamic DNS

They could have fixed it by now. Maybe you can drop the first “/tool fetch url=\"http://dynamic.zoneedit.com/auth/dynamic.html\?host=dyndns.example.com&dnsto=127.0.0.1\" user=ZEUser password=ZEPass keep-result=no\r\n/delay 30\r\n” part.

» Posted By Andryan On August 23, 2012 @ 16:54

Really? My Linux server at home also runs a script that checks its current IP address and sends an update ONLY if it has changed (the IP address change was so rare, I didn’t notice that the script had failed me for quite some time until a few weeks ago), but it was also showing the same problem. The reply I got was a success code of 201 “No records need updating” when the IP address HAD changed, but ZoneEdit server didn’t do any update until I force-changed it using the dnsto parameter.

I will try and update the MikroTik script to be smarter and send update only when its IP address has changed.

» Posted By Andryan On April 24, 2010 @ 11:25

errno.h problem

Did you add the line after trying to compile and failed? If so, please make sure make clean is executed before make-ing again.

» Posted By Andryan On September 5, 2013 @ 03:32

Did you make clean and re-make?

» Posted By Andryan On January 29, 2010 @ 21:17

Painfully slow CentOS system

AHA, yes.. Good point. Thanks for pointing this out. :)
I didn’t consider that scenario when I wrote that post.

» Posted By Andryan On May 25, 2009 @ 01:50

krb5-telnet != telnet-server

Because these servers are connected to an internal network which is isolated and sniffing is impossible. Anyway, that was my task at work and there is no security concern.

Before you post your comment, these are my technical notes and I don’t need people telling me that telnet is insecure. The idea of this blog is to share knowledge that is probably not documented elsewhere. I know what I’m doing, people.

For those who need this information, they should know what they are doing and know the risks involved by using telnet.

» Posted By Andryan On May 8, 2008 @ 07:46

MikroTik RouterOS Interface Bonding

This is how I did the fiber links bonding using MikroTik RB333 + RouterOS v3.0rc13:

I used 2x MikroTik RB333 to utilize both links simultaneously, one at each end. I specifically used RouterOS v3.0rc13 because there is a random disconnection issue (every few minutes/hours the bonded link will be disconnected for a few seconds and resume without any signs of symptoms anywhere else) with later versions of RouterOS v3.x (though I haven’t tried RouterOS v4.x).

This configuration also doesn’t give you a fully-working auto fail-over, in case one of the links is broken in the middle — since link state doesn’t change as mentioned in the post (though if it’s physically dead, the auto fail-over will work).

I used ARP detection to check if the links are both up but apparently it didn’t work as expected. So every time there is a broken link, I will disconnect the broken link from the RB333 manually. This way the RB333 will detect the link state change from the disconnected link as down and force all packets to go through the other link. If you don’t disconnect the broken link manually (disabling the ether interface of the broken link is acceptable) from the RB333, it will route 50% of the packets through the broken link (since it doesn’t know the broken link is in fact broken) and you will start seeing major packet losses.

» Posted By Andryan On January 29, 2010 @ 21:47

Site 2 (Sunter end):

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
name="bridge1" priority=0x8000 protocol-mode=none transmit-hold-count=6

/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:1D:1E:1B mtu=1500 name="ether1" speed=100Mbps
set 1 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:1D:1E:1C mtu=1500 name="ether2" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:1D:1E:1D mtu=1500 name="ether3" speed=100Mbps

/interface eoip
add arp=enabled comment="" disabled=yes mac-address=FE:6E:99:E5:DB:2C mtu=1500 \
name="eoip-tunnel1" remote-address=172.16.1.1 tunnel-id=1
add arp=enabled comment="" disabled=yes mac-address=FE:E8:5A:6D:5B:70 mtu=1500 \
name="eoip-tunnel2" remote-address=172.16.2.1 tunnel-id=2

/interface bonding
add arp=enabled arp-interval=100ms arp-ip-targets=172.16.0.1 comment="" \
disabled=no down-delay=0s lacp-rate=30secs link-monitoring=arp \
mii-interval=100ms mode=balance-rr mtu=1500 name="bonding1" primary=none \
slaves=ether2,ether3 up-delay=0s

/ip address
add address=10.255.255.101/24 broadcast=10.255.255.255 comment="" disabled=no \
interface=bridge1 network=10.255.255.0
add address=172.16.0.2/24 broadcast=172.16.0.255 comment="" disabled=no \
interface=bonding1 network=172.16.0.0
add address=172.16.1.2/24 broadcast=172.16.1.255 comment="" disabled=yes \
interface=ether2 network=172.16.1.0
add address=172.16.2.2/24 broadcast=172.16.2.255 comment="" disabled=yes \
interface=ether3 network=172.16.2.0

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
primary-dns=208.67.222.222 secondary-dns=208.67.220.220

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.255.255.254 \
scope=255 target-scope=10

/system identity
set name="RB333-Sunter"

/system ntp client
set enabled=yes mode=unicast primary-ntp=202.169.237.2 secondary-ntp=202.169.224.16

» Posted By Andryan On January 29, 2010 @ 21:31

Site 1 (IDC end):

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
name="bridge1" priority=0x8000 protocol-mode=none transmit-hold-count=6

/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:1C:9B:B1 mtu=1500 name="ether1" speed=100Mbps
set 1 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:1C:9B:B2 mtu=1500 name="ether2" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:1C:9B:B3 mtu=1500 name="ether3" speed=100Mbps

/interface eoip
add arp=enabled comment="" disabled=yes mac-address=FE:61:49:D3:D4:4A mtu=1500 \
name="eoip-tunnel1" remote-address=172.16.1.2 tunnel-id=1
add arp=enabled comment="" disabled=yes mac-address=FE:F6:DF:A4:78:24 mtu=1500 \
name="eoip-tunnel2" remote-address=172.16.2.2 tunnel-id=2

/interface bonding
add arp=enabled arp-interval=100ms arp-ip-targets=172.16.0.2 comment="" \
disabled=no down-delay=0s lacp-rate=30secs link-monitoring=arp \
mii-interval=100ms mode=balance-rr mtu=1500 name="bonding1" primary=none \
slaves=ether2,ether3 up-delay=0s

/interface bridge port
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether1 path-cost=10 point-to-point=auto \
priority=0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=bonding1 path-cost=10 point-to-point=auto \
priority=0x80

/ip address
add address=10.255.255.100/24 broadcast=10.255.255.255 comment="" disabled=no \
interface=bridge1 network=10.255.255.0
add address=172.16.0.1/24 broadcast=172.16.0.255 comment="" disabled=no \
interface=bonding1 network=172.16.0.0
add address=172.16.1.1/24 broadcast=172.16.1.255 comment="" disabled=yes \
interface=ether2 network=172.16.1.0
add address=172.16.2.1/24 broadcast=172.16.2.255 comment="" disabled=yes \
interface=ether3 network=172.16.2.0

/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
primary-dns=208.67.222.222 secondary-dns=208.67.220.220

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.255.255.254 \
scope=255 target-scope=10

/system identity
set name="RB333-IDC"

/system ntp client
set enabled=yes mode=unicast primary-ntp=202.169.237.2 secondary-ntp=202.169.224.16

» Posted By Andryan On January 29, 2010 @ 21:23

RP-PPPoE server problem in Fedora Core 5, 6, Fedora 7, 8

That makes sense because the problem is in the ppp package, not the rp-pppoe (pppoe-server) package.

» Posted By Andryan On July 9, 2007 @ 12:21

I can confirm that this issue exists in Fedora 7.

» Posted By Andryan On July 3, 2007 @ 16:32

iptables mangle and NAT notes, etc.

Oh, I forgot to mention when there are multiple upstream interfaces (different directions, e.g. IXP to/from client and transit to/from client), use the forward chain for the connection marking mangle rules and prerouting chain for the packet marking mangle rules. Since the packet marking mangle rules are in prerouting chain, global-in queue parent can be used. Can still use global-in with prerouting chain packet marking mangle rules if there is a dst-address-list to classify the different flows, because this method doesn’t require any explicit in/out-interface settings.

» Posted By Andryan On June 7, 2010 @ 01:20

MikroTik RouterOS — BGP

Hi Arif,

This is the example:
from /routing filter
0 ;;; Advertise 116.0.0.0/21 to OpenIXP in /24s
chain=to_OpenIXP prefix=116.0.0.0/21 prefix-length=24 invert-match=no action=accept

1 ;;; Advertise 61.45.224.0/20 to OpenIXP in /24s
chain=to_OpenIXP prefix=61.45.224.0/20 prefix-length=24 invert-match=no action=accept

2 ;;; Advertise only our prefixes to OpenIXP, do not redistribute transit routes to IX
chain=to_OpenIXP invert-match=no action=discard

3 ;;; Discard default route from OpenIXP
chain=from_OpenIXP prefix=0.0.0.0/0 invert-match=no action=discard

4 ;;; IX routes should get higher priority
chain=from_OpenIXP invert-match=no action=accept set-bgp-local-pref=200

5 ;;; Advertise 61.45.224.0/20 to NAP
chain=to_NAP prefix=61.45.224.0/20 prefix-length=20 invert-match=no action=accept

6 ;;; Advertise 116.0.0.0/21 to NAP
chain=to_NAP prefix=116.0.0.0/21 prefix-length=21 invert-match=no action=accept

7 ;;; Advertise only our prefixes to NAP, do not redistribute IX routes/other transit routes to this transit
chain=to_NAP invert-match=no action=discard

8 X ;;; Only use default route from NAP’s BGP feed, opposite the following rule
chain=from_NAP prefix=0.0.0.0/0 invert-match=yes action=discard

9 ;;; Discard default route from NAP
chain=from_NAP prefix=0.0.0.0/0 invert-match=no action=discard

from /routing bgp network
0 A 116.0.0.0/21 no
1 A 116.0.0.0/24 no
2 A 116.0.1.0/24 no
3 A 116.0.2.0/24 no
4 A 116.0.3.0/24 no
5 A 116.0.4.0/24 no
6 A 116.0.5.0/24 no
7 A 116.0.6.0/24 no
8 A 116.0.7.0/24 no
9 A 61.45.224.0/20 no
10 A 61.45.224.0/24 no
11 A 61.45.225.0/24 no
12 A 61.45.226.0/24 no
13 A 61.45.227.0/24 no
14 A 61.45.228.0/24 no
15 A 61.45.229.0/24 no
16 A 61.45.230.0/24 no
17 A 61.45.231.0/24 no
18 A 61.45.232.0/24 no
19 A 61.45.233.0/24 no
20 A 61.45.234.0/24 no
21 A 61.45.235.0/24 no
22 A 61.45.236.0/24 no
23 A 61.45.237.0/24 no
24 A 61.45.238.0/24 no
25 A 61.45.239.0/24 no

Please note that OpenIXP advertises the smaller prefixes (/24) to make sure that local IX traffic takes the OpenIXP path rather than the NAP path. I also choose to drop default route from NAP to receive full BGP feed from my NAP. If you wish to receive only the default route (make sure your NAP does provide a default route otherwise your packets will go nowhere), enable filter #8 and disable #9.

Good luck!

» Posted By Andryan On December 7, 2008 @ 22:17
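
The filter chains listed in the comment above can be checked offline before they are trusted to stop route leaks; the following is an added example, not part of the original comment and not MikroTik code. It assumes first-match evaluation, that `prefix` with `prefix-length` matches routes inside the prefix with exactly that mask length, and that `prefix` alone matches exactly; the `203.0.113.0/24` route is a constructed stand-in for a route learned from transit.

```python
import ipaddress

# (chain, prefix or None for "any", required mask length or None, action),
# transcribed from the enabled rules of the /routing filter listing above.
RULES = [
    ("to_OpenIXP", "116.0.0.0/21", 24, "accept"),
    ("to_OpenIXP", "61.45.224.0/20", 24, "accept"),
    ("to_OpenIXP", None, None, "discard"),
    ("from_OpenIXP", "0.0.0.0/0", None, "discard"),
    ("from_OpenIXP", None, None, "accept"),
    ("to_NAP", "61.45.224.0/20", 20, "accept"),
    ("to_NAP", "116.0.0.0/21", 21, "accept"),
    ("to_NAP", None, None, "discard"),
]

def matches(route, prefix, length):
    if prefix is None:              # rule without a prefix matches every route
        return True
    net = ipaddress.ip_network(prefix)
    if length is None:              # assumption: prefix alone is an exact match
        return route == net
    return route.prefixlen == length and route.subnet_of(net)

def evaluate(chain, route):
    """Return the action of the first rule in `chain` that matches `route`."""
    route = ipaddress.ip_network(route)
    for rule_chain, prefix, length, action in RULES:
        if rule_chain == chain and matches(route, prefix, length):
            return action
    return "accept"  # assumption: a route matching no rule passes unchanged

def announced(chain, routes):
    return [r for r in routes if evaluate(chain, r) == "accept"]

# The /routing bgp network table from the comment: both aggregates plus every /24.
OWN = ["116.0.0.0/21", "61.45.224.0/20"]
OWN += [str(s) for n in list(OWN)
        for s in ipaddress.ip_network(n).subnets(new_prefix=24)]
# Constructed routes standing in for what a transit session would teach us.
LEARNED = ["203.0.113.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for chain in ("to_OpenIXP", "to_NAP"):
        out = announced(chain, OWN + LEARNED)
        print(f"{chain}: {len(out)} prefixes, first {out[0]}, last {out[-1]}")
```

The catch-all discard at the end of each outbound chain is what keeps the learned routes, including the default route, from being re-advertised to either peer.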

ipt_account HOWTO for Fedora Core 6

You’re welcome! Actually I haven’t implemented this on my production server. Currently it’s still running IPFM.
At the moment I’m looking for a tool (something like iptraf or trafshow), which taps the interface and shows real-time (may be accumulative) statistics on a specified IP address. Unfortunately trafshow and iptraf monitor per-flow instead of per-IP (total per IP address). A real-time IPFM would be nice too if there were one. :)

» Posted By Andryan On November 22, 2007 @ 13:11

ipp2p HOWTO for Fedora Core 6

If you get invalid module format, probably you are using a different kernel version’s source tree to build the modules. Remember to always check dmesg for more informative error messages.

» Posted By Andryan On November 23, 2007 @ 08:43

Hmm, have you checked dmesg for more descriptive error messages?

» Posted By Andryan On September 15, 2007 @ 04:39

Have a look at this:
http://www.ashberg.de/hacks/ipp2p-0.8.2-kernel-2.6.21-patch.php

» Posted By Andryan On September 11, 2007 @ 14:03

Have you copied over the libipt_ipp2p.so file to /lib/iptables/?

» Posted By Andryan On June 23, 2007 @ 06:32

Do make scripts/kconfig/ instead of make scripts/mod/modpost.

» Posted By Andryan On February 14, 2007 @ 23:56

avast! AntiVirus

Indeed, last time I tried installing Clamwin, it wasn’t an always-on virus scanner. These days it’s REALLY important to have an always-on virus scanner on Windows.
free-av.com also provides a good free AV, but its interface is not as good as avast’s.
Unfortunately many people here in Indonesia (specifically Jakarta) still prefer to use warez version of Norton or McAfee. I don’t see how Norton is better than avast!. One thing for sure, Norton sucks because it’s getting ‘heavier’ and ‘heavier’ (bloated) to run every time they release a new version.

» Posted By Andryan On August 25, 2006 @ 20:12

PowerDNS with Plesk servers

Hi Sam,

I haven’t used PowerDNS nor Plesk for quite some time. However, I would try dumping the DNS packets (using tcpdump on both servers) when you add a new domain on the Plesk server. Check if the notification actually gets sent from BIND. If it does, then check the SOA record (as indicated in my post), perhaps the latest Plesk changed something or rearranged the NS RRs. Lastly, check the PDNS server’s log to see if it receives and acknowledges/parses the notifications sent from Plesk server’s BIND.

Please let me know if you managed to solve this and share how you managed to fix it.

Cheers,
Andryan

» Posted By Andryan On September 8, 2013 @ 03:26
