Crumpled Thoughts

July 2nd, 2009

Why Qwest DSL is better than CableOne for an ISP (for now)

Posted by Chris in Technology, Linux, Sysadmin, Rant

I’ve used a lot of different broadband Internet service since 2000. In 2000 I got DSL from Micron.net at an apartment. I got Qwest DSL in 2000 when I bought my house. Switched to cable in 2004 when it became available at my house. Switched back to Qwest DSL in 2008. I’ve also supported Clearwire wireless, Satellite ISPs, and data T1s from numerous providers for local businesses.

Qwest DSL is the best option right now for a residential ISP, for the following reasons:

Price: 

If you can get Qwest’s fiber service, you can get 12M down, 896k up for $55/month. Qwest offers 7M down, 896k up for $38/month. CableOne charges $49 for 5M down, 500K up, or $59/month for 10M down, 1M up. I know it doesn’t seem like a big difference on the higher plans, but what CableOne doesn’t make obvious is how they throttle bandwidth. It’s the thing that made me move back to Qwest. After you download a couple of gigabytes in a day, CableOne will drop your speed significantly. It will stay slow until midnight, then go back up. Say a new Linux distro comes out that you want to download, and you’re on the 5M plan. After you download 3GB CableOne will drop you from 5M download to about 1.5M. Keep downloading, it keeps falling. At Midnight it goes back up. Even on the 10M plan, they drop your speed after downloading 5GB. At 10M you can download 5GB in about an hour. Say hello to slow until midnight. With Qwest, you get your 1.5M, 7M, 12M, or 20M all day, every day as long as you have service. I’ve downloaded over 40GB in a day and not slowed down.

Uptime:

In the past 10 months of having Qwest fiber 12M service, I have had zero downtime. DSL is typically more stable than cable. With CableOne at least every 2—3 months I would have an outage. I have actually had better uptime with my DSL than we have had with our 3 data T1s at the office (thunderstorm took out a repeater and we had 2 circuits go down). Cable is more finicky.

Network tampering/management:

CableOne tampers with your internet access. They won’t let you connect to TCP port 25 on any mail server but theirs. If they think your bandwidth is being used for BitTorrents, or newsgroups they will restrict your speed. They decide what traffic gets priority. Qwest doesn’t do that. If you pay for your service, they’ll provide it. I think CableOne has a right to do that, it is in their Terms of Service. I, as a customer, have a right to think it sucks and go to another provider.

Acceptable Use:

If someone complains to CableOne about how you’re using the Internet, they will shut you off before asking you about it. It can take from several hours, to several days to get service back. I had just travelled to Portland to set up a remote office for a client when CableOne shut off my Internet connection at home. Someone had hacked a Linux box on my home network and was using it for bad things. I called from my hotel in Portland, but couldn’t do anything about it because they shut the connection down. I was going to be there for 3 days before returning home. It really pissed me off. If they had at least emailed me before shutting down the connection I could have remotely powered down the box and still had internet at the house. Their policy of terminate first, ask questions later bothers me.

I’ve been very happy with Qwest DSL since switching back. It is the only Qwest service I use, even though my girlfriend works there. I run Asterisk at home for phone service and pay $1.50/month plus 1 penny per minute for my calls. It’s usually about $4 per month.

That is my opinion. Feel free to leave a comment if you think I’m wrong :)

November 9th, 2008

Galleria: A really nice Javascript/CSS image gallery script

Posted by Chris in Technology, Life

I recently took a bunch of photos for an event that Paula’s office put on, and needed to find a good script to display them on the web. I came across a really nice Javascript/CSS based script that works really well. Check it out: Galleria. I did make one small javascript tweak to allow me to put a link to the hi-res photo in the image comment.

You can see my album here.

October 30th, 2008

Windows PowerShell script for adding IP routes across a VPN

Posted by Chris in Technology, Windows

At my office we use a Microsoft ISA server for our firewall/VPN server. We have three discrete IP subnets within our private network: 192.168.5.0/24, 192.168.6.0/24, and 192.168.7.0/24. When I establish a VPN connection from the external network I get an IP address on the 192.168.6.0/24 network.

I have my VPN connection set up to not use the default gateway on the remote network. This prevents all of my internet traffic from being routed over the VPN while I am connected to it… the problem is that if I need to access a resource on the 192.168.5.0/24 or 192.168.7.0/24 networks, I have to manually add routes to them across the VPN.

The process was:

  • Find out what IP I was assigned on the VPN
  • Add an IP route to 192.168.5.0/24
  • Add an IP route to 192.168.7.0/24

If I was always assigned the same IP address on the VPN, I could have just put the commands in a batch file, but the IP address is dynamically assigned from a DHCP server and is always different than it was the last time. So this is what I used to do:

[Image: Old Way]

That is a lot of typing! I’d been meaning to play around with Windows PowerShell anyhow, and decided to write a script to automate this task in PowerShell. This is what I came up with:

# vpn.ps1
#
# Add IP routes across a VPN via a DHCP assigned IP address
#
# Get the IP address of the VPN connection
$vpnip = ipconfig | findstr "192.168.6."
# If we don't have an IP address on the VPN, error and quit
if (!$vpnip) {
    "You do not have an IP address on the VPN"
    exit
}
# Trim any leading/trailing whitespace
$vpnip = $vpnip.Trim()
# Split the contents of $vpnip in to an array
$vpnip = $vpnip.Split(" ")
# Find out the depth of our IP address in the array
$bit = $vpnip.Length - 1
# Get out just our IP address on the VPN
$vpnip = $vpnip[$bit]
# Add whatever routes we need
route add 192.168.5.0 MASK 255.255.255.0 $vpnip
route add 192.168.7.0 MASK 255.255.255.0 $vpnip

I save the script as vpn.ps1 and put it in my “scripts” directory in my profile directory. Then I just put a shortcut on my desktop to powershell.exe C:\Users\chillman\scripts\vpn.ps1. Now I just connect to the vpn, launch my shortcut and I’m ready to go. Hopefully this will be useful to someone.

July 24th, 2007

Speed up Vista’s Start Menu

Posted by Chris in Technology, Windows

Normally I’m an early adopter of new Windows operating systems, but with Vista I’ve been slow to take the plunge. After running various beta releases and release candidates I was hesitant to use it on my ‘production’ computers. Well, I finally took the plunge last weekend and my work laptop is now running Vista business edition.

I’ve been getting really annoyed at how slow the Vista start menu is, navigating “All Programs”. I discovered a way to speed it up drastically. Customize the start menu and un-check “Highlight newly installed programs”.

The navigation will get much faster. Now if I can just figure out how to get the program folders to expand outside of the start menu, like Windows XP did by default.

[Image: Speed up Vista Start Menu]

February 15th, 2007

Wish Me Luck

Posted by Chris in Technology, Life, Sysadmin

I’m driving up to Portland, Oregon tomorrow to do an install for work on Friday. Oliver Russell & Associates is doing a major technology upgrade and we’re rolling out over eight terabytes of storage in new servers at the Boise and Portland offices. This project has kind of been my baby, and the Portland piece is the final part. We’re implementing some cool new replication technology and linking the sites via a point to point T1. Exciting stuff :) Friday I get to set up the server in Portland and configure the Cisco routers between the sites. I’m hoping I don’t hit any major storms on the drive… I’ll be picking up some chains just in case before I head out of town. The forecast is a bit borderline… my route is the little red squiggle in the upper left.

[Image: Weather]

October 31st, 2006

Cable Modem Woes

Posted by Chris in Technology, Sysadmin, Rant

A couple of months ago I started having some serious issues with my cable modem. The modem would randomly disconnect and reconnect throughout the day. I called my ISP, and they would tell me everything seemed fine. They then sent a guy to the house who redid some of the connectors on the outside of the house, but it did not help at all.

In a fit of frustration, after it had done this ten times in a 30 minute period, I ran off to Walmart and bought a new modem. Things seemed to be better for a couple weeks, then it started again. When the cable company was of little help, I found that Motorola modems provide some data through a web interface at http://192.168.100.1. I started plotting graphs of Power Level, and Signal/Noise ratio using rrdtool. I was hoping to find a correlation between the disconnects and these values. Today I was looking at the graphs and noticed a strange boost in the upstream power level:

[Images: Daily Graph, Daily SNR Graph, Weekly Graph, Weekly SNR Graph]

I’m not sure what these values mean, but I would think that higher is better. I didn’t notice any disconnects during the period of improved upstream power level. Anyone know what these values mean?

August 26th, 2006

Waiting for my oil change

Posted by Chris in Technology, Life

Well, I’m waiting for the folks at Jiffy Lube to change my oil, and the Treo is really helping pass the time. I’ve caught up on unread email, read Jason’s latest blog post, and checked Slashdot headlines.

I really like this device. It’s not nearly as bad as a phone as I was afraid it would be. I’ve been able to be much more responsive to email than I was without it.

Now, all of the little breaks in my day I can use productively. Filling up the car with gas, bathroom breaks, smoke breaks, and waiting rooms are all productive. Now, when I get back to the office I don’t have to spend 30 minutes catching up on email… I can get right to work.

August 24th, 2006

Persistent IP Routes in Mac OS X Tiger

Posted by Chris in Technology, Sysadmin

One of the clients I work for has a Mac OS X server which handles most of the file shares on the network. They have two internet connections, one on their T1, and a secondary DSL connection for redundancy. The Mac OS X server has two network interfaces; one with an internet IP (behind a BSD firewall) and another on the private network. The default gateway on the Mac server is on the internet interface, and a separate router on the internal network routes traffic to 5 local IP subnets for remote offices, and co-located servers.

Since the default gateway points to the internet, routes have to be added for the four other local subnets to send traffic for those subnets to the router on the internal network. These routes need to survive a reboot— they need to be persistent.

On a Windows box it is simple to add a persistent IP route. Along with your ‘route add’ command, you add a ‘-p’ to make it persistent. Easy enough. Not so simple on Mac OS X. On Linux you could just add the ‘route add’ statements to the /etc/rc.local file and they would be executed at startup, effectively making them persistent. Easy enough. This is not so easy on Mac OS X… but I found a way to do it.

Let me add my standard disclaimer that you do this at your own risk. I won’t be held responsible for any trouble you experience trying to do this. It is working great for me though :)

Open up terminal, and switch to the root user:

sudo su -

You’ll have to type in your password, and have ‘Administer the Server’ rights.

Change to the /Library/StartupItems directory

cd /Library/StartupItems/

The way I created my script was by copying one that was created by a MySQL 4 installer. You should be able to copy any of the directories in /Library/StartupItems to give you a starting point. Just substitute the one you’re using where you see me use ‘MySQLCOM’.

cp -rp MySQLCOM PersistentRoutes

Now change to the PersistentRoutes directory.

cd PersistentRoutes

If you list the contents of this directory you should see two files, one named for the service you copied, and StartupParameters.plist. We need to rename the service you copied to ‘PersistentRoutes’

mv MySQLCOM PersistentRoutes

Now we edit PersistentRoutes with your favorite text editor… mine’s vi.

vi PersistentRoutes

Go ahead and empty the file. If you’re using vi type ‘1000dd’ (no quotes) and it will delete 1000 lines. That should empty it :) . This is the contents of my PersistentRoutes file:

#!/bin/sh
. /etc/rc.common
ConsoleMessage "Adding Persistent IP Routes"
/sbin/route add 10.0.0.0/24 10.1.2.1 #Route to Boise Colo Facility
/sbin/route add 10.1.3.0/24 10.1.2.1 #Route for SonicWall L2TP Group VPN
/sbin/route add 10.1.4.0/24 10.1.2.1 #Route to Portland Office
/sbin/route add 192.168.69.0/24 10.1.2.1 #Route to Chris' House 

Save, and exit your text editor. ‘:wq’ in vi (write, quit)

Now we need to edit the StartupParameters.plist. Mine looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Description</key>
        <string>Persistent Routes for VPN Tunnels</string>
        <key>OrderPreference</key>
        <string>Last</string>
        <key>Provides</key>
        <array>
                <string>PersistentRoutes</string>
        </array>
        <key>Uses</key>
        <array>
                <string>Network</string>
                <string>NetworkExtensions</string>
        </array>
</dict>
</plist>

That’s it! Now your routes will be added when you reboot. Need to add a new route?.. manually add it from the terminal using ‘/sbin/route add…’ then update the /Library/StartupItems/PersistentRoutes/PersistentRoutes file. Easy!

Hope this helps someone. It was causing me a bit of aggravation. Perhaps someday Apple will make this a bit easier. Use ‘netstat -r’ to display your routing table.

Cheers,
Chris

June 13th, 2006

Treo Exchange ActiveSync Hell

Posted by Chris in Technology, Linux, Windows, Sysadmin, Rant
Treo + Apache + Exchange 2003 = HELL

Today I had to set up a Treo 650 to access a user’s Exchange mailbox over the web. I did not imagine it would be as difficult as it turned out to be.

At this site we run a Linux router/firewall that handles all traffic coming into, and leaving the network. We use Apache’s mod_proxy to proxy web connections from the internet to IIS servers on the private network. Having had more than a couple 36+ hour days cleaning up viruses due to exploited IIS servers, I feel much more comfortable having Apache handle the web requests.

One of the “gotchas” to using mod_proxy is that you have to disable “Integrated Windows Authentication” on any sites you proxy with Apache. Apache doesn’t understand the headers involved. No big deal, because these requests are typically coming from the internet over SSL.

I started the setup at about 12:00 noon today. The first thing I did was add the following bits of code to the Apache configuration file to Proxy the ActiveSync connections:

#ActiveSync
ProxyPass /Microsoft-Server-ActiveSync https://webmail.example.com/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://webmail.example.com/Microsoft-Server-ActiveSync

I then put the appropriate settings into the Treo, and tested connectivity. This is where things started to piss me off.

The software on the Treo has terrible, non-intuitive error codes. The documentation is even worse. This is what I discovered (over about 4 hours of trying to get it to work):

  • For the ProxyPass directives to work, you cannot use Integrated Windows Authentication on the IIS site.
  • For the Treo VersaMail app to use Exchange ActiveSync it must use Kerberos authentication, which requires enabling Integrated Windows Authentication.
  • Palm’s software engineers don’t really give a shit whether the error message you get is in any way helpful, just as long as you understand it’s not working.

So the thing that sucks about this is that we run “stuff” on the gateway which requires us to use Apache on Linux. It provides remote access for employees through a web interface, and dynamically modifies iptables firewall rules when folks need access.

This was my fix, which I think is as good of a fix as is possible.

  • Exported the IIS web site that handled OWA, OMA, and ActiveSync to a file.
  • Created a new web site from the exported file.
  • Changed the TCP ports for HTTP and HTTPS to obscure, high ports.
  • Modified the document root on the IIS site, as all the magic happens in Virtual Directories.
  • Requested/Installed a new SSL certificate from an internal enterprise CA with a common name matching the internet FQDN.
  • Enabled “Integrated Windows Authentication” on the “Exchange” virtual directory in this new web site.
  • Forwarded the obscure, high SSL port from the firewall into the Exchange server.

Now the Treo works… just had to set the obscure high port in the advanced settings on the Treo. I didn’t want to go down the forwarded port road, because it seems like a compromise in security. All too often I see people bypass security measures in order to get things to work, and I hate it. This seems like a small compromise I’ll have to settle for.
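The port forward from the last step bypasses Apache, so its connections no longer show up in Apache's access log. The following is an added example, not the rules from the original gateway: it prints iptables rules that forward one high port to one host and log each new connection at the firewall. The interface name, port number and Exchange address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): print iptables rules for the
# forwarded ActiveSync port. Interface, port and address are placeholders.

# Usage: activesync_forward_rules WAN_IF HIGH_PORT EXCHANGE_IP
# Prints the rules on stdout; returns 1 on bad input so nothing half-built
# is ever piped into a shell.
activesync_forward_rules() {
    wan_if=$1 port=$2 dest=$3

    # Interface names: letters, digits, dot, underscore, dash only.
    case $wan_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 1 ;;
    esac
    # Port must be a number in the unprivileged range.
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Destination must look like a dotted-quad IPv4 address.
    if ! printf '%s\n' "$dest" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "bad address: $dest" >&2; return 1
    fi

    match="-i $wan_if -p tcp -d $dest --dport $port -m conntrack --ctstate NEW"
    cat <<EOF
# Rewrite the destination of the high port to the Exchange server.
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $dest:$port
# This traffic never reaches Apache, so record each new connection here.
iptables -A FORWARD $match -j LOG --log-prefix "activesync-fwd: "
# Allow only this one port to this one host. Return traffic is assumed to be
# covered by an existing ESTABLISHED,RELATED rule in the FORWARD chain.
iptables -A FORWARD $match -j ACCEPT
EOF
}

# Constructed sample values; review the output before running it as root.
activesync_forward_rules eth0 44300 10.0.0.10
```

The LOG rule sits before the ACCEPT rule so that every new connection on the forwarded port is written to the kernel log before it is passed on.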

Got a better solution? Let me know.

-Chris

June 11th, 2006

Vacation comes to an end

Posted by Chris in Technology, Life, Rant

It’s Sunday night and we’re back in Boise. McCall was really nice, even though it was a bit chilly at times. Paula & Kairi went up to McCall with Paula’s parents last Monday… and I joined them Wednesday afternoon. I took three days of vacation from work and it felt really nice. My boss insisted that I leave my cell phone and laptop in Boise to make sure I had a true vacation. Last year at this time I kept my laptop on a constant VPN connection to the office to monitor email and stay in touch. This year I cheated once and checked my email Thursday night.

It’s funny… I need an internet connection to stay sane. If I’m without internet access it feels like being without electricity. I use the internet for everything. I haven’t opened a phone book in probably 4 years, when my cable internet access was down and I needed the number to call the cable company. I order pizza online, bank online, shop online, pay bills online, get movies, books, and software online. For better or worse I need internet access, and it has to be fast.

I saw a job posting for an IT position at the Tamarack Resort in Donnelly Idaho and just about sent a resume over. Then I thought about how internet access in Donnelly would probably be. I’m thinking slow, with frequent outages. I couldn’t handle that. It would kill me.

So, we’re back in Boise. As much as I’m not looking forward to going in to the office in the morning, it was great to get home to my cable modem. Downloaded a movie to watch tonight… transferred a full DVD in 4 hours. If you haven’t seen Failure to Launch, I recommend it. It wasn’t the typical Matthew McConaughey chick flick. It got terrible reviews, but I really enjoyed it.

Anyhow… I guess I’m rambling at this point, better go unpack :)
