NAND GATE (https://hexgleam.com/en)

Server Buying Guides for hosting a WordPress blog at home
https://hexgleam.com/en/blog/server-for-hosting-wordpress-blog/ (Mon, 16 Mar 2020 05:57:23 +0000)

As mentioned in the previous article, there are several ways to host a personal blog. I decided to buy a server and run it at home, just for fun.

Server buying guide

First, you may not need to buy a server. An old PC is definitely OK to use as a server.
Unfortunately, I don't have one, so I have to buy something.
I collected information about the types of server machines that are suitable for personal use (mainly from the aspect of price) in 2020.

HP Microserver Gen8

This is the most appropriate and popular one.
The 8th generation of HP's Microserver series is designed from the start for small offices or home use.

The previous generation N54L may not be called a real server because of insufficient processing power, lack of virtualization support and lack of a remote management function, which is a standard feature of a server.

The 8th generation Microserver Gen8 is built as a "real server" with a Xeon E3 processor and iLO4 remote management. Even the successor model (Microserver Gen10) doesn't come with iLO remote management on board, so the Microserver Gen8 is still the best choice in 2020.

The price of the model with the Xeon 1220v2 CPU is about $200 to $300: not very expensive, but not cheap either.

Tower server

Tower servers look like a normal PC or workstation, with server-specific equipment such as hot-swap HDDs, remote management, redundant power supplies and more NICs. They are suitable for office and home use because they can be placed anywhere without a rack, and are really quiet.

HP Proliant ML series and DELL PowerEdge T series are tower servers.
They take up a little more space than a Microserver, so they're less popular and the price is lower. The Proliant ML310e Gen8, which has almost the same configuration as the Microserver Gen8, is available for half the price, about $100, in Japan.

Rack server

These are the most "professional" ones. HP's Proliant DL series and DELL's PowerEdge R series are rack mount servers.

As the name suggests, it is a server that has a chassis standardized to be 19 inches (482.6 mm) wide and 1.75 inches (44.45 mm) in height (thickness) to fit into a rack. It is the most common format in datacenters due to its high installation density and easy management.

Accordingly, there are a large number of end-of-life units on the market and fewer buyers, because of disadvantages such as loud noise. So the price is also the lowest for the same processing power.
In addition, there are several benefits besides cheapness.

  • Since it is an industry standard product, it has the best robustness and durability.
  • Because it is a standardized size, installing multiple units may save space compared to the tower server. (You can even get racks from IKEA!)
  • It's cool

HP Proliant DL320e gen8

I got an HP Proliant DL320e gen8 from something like eBay in Japan.

CPU: E3-1220Lv2
RAM: 16GB DDR3 RDIMM ECC
RAID: P222 512MB FBWC
HDD: 600GB 15K SAS * 2
NIC: 4port GbE

Entry-level spec, but should be enough for a blog.

Install an SSD on the ODD SATA port

This server is equipped with an ODD, but most people don't need a physical ODD since iLO's virtual media does the same thing in a much more convenient way. So I tried to attach an SSD using its SATA port.

The ODD of the DL320e gen8 is connected to the system board with a normal SATA cable, but the power interface is microSATA, converted from a floppy mini 4-pin power connector. So you need to procure an FDD-to-SATA power cable or use a microSATA-to-SATA conversion adapter.

Also, since the power supply for this ODD is +5V only, SSDs that require +12V, like the Intel DC series, are not expected to work.

Redundant power supply

This DL320e gen8 comes with a redundant power supply. It will work with only one PSU plugged in, but if only one power supply is powered on, the health status LED on the front panel flashes amber to indicate a warning. The warning itself is harmless, but you may miss a "real warning" that needs attention, so plugging in both PSUs and keeping the health indicator green is the better choice.

Fan noise of DL320e gen8

Since this is a one-CPU entry level server, it's quite quiet once completely booted. It is audible, but not louder than my desktop PC, even with two 15K SAS HDDs.
(I got a Proliant DL360p gen8 later and it's much louder.)

Choose hosting for my personal WordPress blog
https://hexgleam.com/en/blog/server-for-wordpress/ (Sat, 29 Feb 2020 05:39:58 +0000)

The router configuration has come to an end. I have registered a domain for the VPN server, and now I have the idea of hosting a blog with that domain.

So I looked for information on the Internet and learned about virtual hosts and VPS. I had never paid attention to this aspect before; it brought me to a new world.

Server Considerations

Virtual Hosting

A vHost is an HTTP server software environment built with Nginx (or maybe Apache), some kind of database and PHP. Everything is ready, so you can build a site with a few clicks.

Pros:

  • Easy to configure and use.
  • Since a large number of vHosts can be built on one server, it's cheap.

Cons:

  • The environment is almost fixed, and basically can only be used to host websites, nothing else.
  • Poor performance (though it may be enough for a small hobby blog).

VPS

VPS means Virtual Private Server. You rent a virtual machine, so you can install the operating system yourself, and install any software and run any service you want.

Pros:

  • Performance is relatively better: you get several CPU cores and RAM resources for yourself according to your VPS plan.
  • Much more flexible: you can configure the environment for any purpose.

Cons:

  • The price varies greatly with the configuration, and can be quite expensive for better performance.
  • Total traffic and bandwidth may be limited.

Physical server

In fact, you could of course buy a server yourself. If you compare a virtual host to a shared dormitory and a VPS to a condominium, then buying a server yourself is like buying a piece of land in the Internet world.

Pros:

  • All yours, no limitations. Even Google started from some PC servers in a garage.
  • A lot of fun, and a lot of knowledge.

Cons:

  • Requires some initial investment.
  • Electricity bills may make you sad. (In fact, a VPS also uses electricity, so it is much more expensive for the same hardware spec.)
  • You have to manage and maintain everything; it's fun for some people but not for everyone.
  • Noise issues (tower servers are much quieter than rack mount ones).

Summary

  • Ease of use: a vHost is one-click; a VPS requires a lot of settings, but usually comes with useful presets; with a physical server you do everything from hardware to software.
  • Cost: a vHost is cheap; the price of a VPS changes depending on the spec; a physical server is not cheap, but costs less than a VPS for the same specifications.
  • Specs: a vHost is only for small sites; a VPS is enough for hosting; a physical server depends on your machine, but is generally better than a VPS.
  • Functionality: a vHost is a web server only; a VPS can run anything within one VM; a physical server can run anything you want.

Conclusion

  • If you just want to create a hobby blog, a cheap and convenient vHost would be nice.
  • If you want to run a blog seriously, or want to run something else, for example a game server, in addition to a website, a VPS is the most suitable.
  • I think you should consider running physical servers at home only if you like /r/homelab.
Common examples for Cisco access control lists and port forwarding
https://hexgleam.com/en/blog/acl-and-port-forward/ (Wed, 26 Feb 2020 05:11:09 +0000)

So far, we've implemented the most useful functions for home use on the router.
This article briefly introduces how to configure access control and port mapping.

Network Security Configuration

In fact, as mentioned before, enterprise-class routers do nothing under the default config for security reasons, so all common ports are closed to the outside by default. This is enough for most cases.
If you want to refine the configuration further, here are some examples of security policies:

Access Control List (ACL)

Reject incoming packets with an internal (private or reserved) source IP

! Wildcard masks, not subnet masks: a 1 bit means "don't care".
! Sources that must never arrive from the Internet: 0/8, the RFC 1918
! ranges, loopback, link-local, TEST-NET-1, multicast and the reserved 240/4.
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
! 0.0.255.255 covers all of 192.168.0.0/16 (0.0.0.255 would only match
! 192.168.0.0/24 and let a spoofed 192.168.1.x source through)
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 15.255.255.255 any

Disable Microsoft File Sharing Service

access-list 100 deny tcp any any range 137 139
access-list 100 deny tcp any range 137 139 any

Deny NetBIOS requests

access-list 100 deny udp any any range netbios-ns netbios-ss
access-list 100 deny udp any range netbios-ns netbios-ss any

Prohibit SMB protocol

access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any eq 445 any
access-list 100 deny udp any any eq 445
access-list 100 deny udp any eq 445 any

Prohibit telnet connections

access-list 100 deny tcp any any eq telnet

Allow all other traffic

access-list 100 permit ip any any

The ACL is for incoming traffic from the WAN, so apply it to the Dialer interface.

interface Dialer1
    ip access-group 100 in
exit
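To check what these lines actually admit, here is a small Python simulator of how IOS evaluates a numbered extended ACL (wildcard-mask matching, first match wins, implicit deny at the end). It is an added example, not code from the original post; the list is a constructed copy of access-list 100 above and the packets are constructed samples.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed copy of access-list 100 from this article. The 192.168.0.0 line
# uses the 0.0.255.255 wildcard that covers the whole /16; compare_wildcards()
# shows what the narrower 0.0.0.255 would let through.
ACL_TEXT = """
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 15.255.255.255 any
access-list 100 deny tcp any any range 137 139
access-list 100 deny tcp any range 137 139 any
access-list 100 deny udp any any range netbios-ns netbios-ss
access-list 100 deny udp any range netbios-ns netbios-ss any
access-list 100 deny tcp any any eq 445
access-list 100 deny tcp any eq 445 any
access-list 100 deny udp any any eq 445
access-list 100 deny udp any eq 445 any
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any
"""

# IOS port keywords that appear in the list above.
PORT_NAMES = {"telnet": 23, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
ALL_ONES = 0xFFFFFFFF


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: tuple[int, int]           # (address, wildcard) as 32-bit ints
    sport: tuple[int, int] | None  # inclusive port range, None = any port
    dst: tuple[int, int]
    dport: tuple[int, int] | None


def _ip(text): return int(ipaddress.IPv4Address(text))
def _port(tok): return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return (0, ALL_ONES), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _parse_ports(t, i):
    """Parse an optional 'eq P' or 'range P Q' starting at t[i]."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]), _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_acl(text):
    """Parse numbered extended ACL lines in the order IOS stores them."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()  # access-list N permit|deny PROTO SRC [ports] DST [ports]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_ports(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_ports(t, i)
        entries.append(Entry(t[2], t[3], src, sport, dst, dport))
    return entries


def _match_addr(rule, ip):
    """Wildcard semantics: a 1 bit is 'don't care', only the 0 bits must agree."""
    addr, wc = rule
    care = ALL_ONES ^ wc
    return (_ip(ip) & care) == (addr & care)


def _match_port(rule, port):
    return rule is None or (port is not None and rule[0] <= port <= rule[1])


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """(action, 1-based line) of the first match; an unmatched packet hits the
    implicit deny that ends every IOS access list."""
    for n, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if (_match_addr(e.src, src) and _match_addr(e.dst, dst)
                and _match_port(e.sport, sport) and _match_port(e.dport, dport)):
            return e.action, n
    return "deny", None


def compare_wildcards(src="192.168.1.5"):
    """Verdict for a spoofed LAN source with the /16 wildcard vs the /24 one."""
    narrow = ACL_TEXT.replace("192.168.0.0 0.0.255.255", "192.168.0.0 0.0.0.255")
    pkt = ("tcp", src, "203.0.113.10", 40000, 80)
    return evaluate(parse_acl(ACL_TEXT), *pkt), evaluate(parse_acl(narrow), *pkt)


ACL = parse_acl(ACL_TEXT)
```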

Recursive (reflexive) ACL

Using access lists to control traffic manually is intuitive, but omissions are inevitable. If you do not need a server that is reachable from outside, you can use a recursive ACL instead (Cisco IOS calls this a reflexive access list; it is built with the reflect and evaluate keywords).
Whether the client browses a web page or communicates with an external server through some software, the client first sends a request and then receives the response from the server.
The recursive ACL uses this property:

  • The router records outgoing packets.
  • When a packet is received, the router determines whether it is a reply to a sent packet, and drops it if not.

! Sessions leaving for the Internet are recorded per protocol ...
ip access-list extended OUT_LIST
 permit tcp any any reflect TCP_REFLECT
 permit udp any any reflect UDP_REFLECT
 permit icmp any any reflect ICMP_REFLECT
 permit ip any any

! ... and only packets that match a recorded session are admitted; the
! final deny makes the "drop it if it is not a reply" rule explicit
ip access-list extended IN_LIST
 evaluate TCP_REFLECT
 evaluate UDP_REFLECT
 evaluate ICMP_REFLECT
 deny ip any any log

! Both lists belong on the WAN interface: "out" is traffic towards the
! Internet, "in" is traffic arriving from it
interface Dialer1
 ip access-group IN_LIST in
 ip access-group OUT_LIST out

A recursive ACL eliminates all access initiated from the outside world. Note that only one ACL can be applied per direction on an interface, so a reflexive list replaces, rather than supplements, whatever ACL is already applied there.

Port Forward

Driven by my interest, I decided to run a server in my home and build my own blog site.
(Now I'm a fan of /r/homelab.)

In order to make this website available to the public, I also need to set up port mapping on the router and open ports 80 (HTTP) and 443 (HTTPS).

Assuming the server's internal network IP address is 192.168.1.200:

ip nat inside source static tcp 192.168.1.200 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.200 443 interface Dialer1 443

Also don't forget to modify the access list to allow external access to the server:

! Inbound on Dialer1 the destination is the router's own WAN address, which is
! negotiated and so cannot be written as "host A.B.C.D"; "any" stands for it.
! These permits only matter in a list that ends with a deny (for example the
! reflexive IN_LIST), where they must be placed before that deny.
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
Config L2TP/IPsec VPN server on Cisco IOS
https://hexgleam.com/en/blog/l2tp-ipsec-server-on-cisco-router/ (Wed, 26 Feb 2020 04:37:22 +0000)

Configure VPN server on Cisco IOS

Most routers come with a VPN function, and Cisco ones are no exception. For personal use, a VPN connection to the home router provides a secure connection to the home LAN, and is also useful to protect your device on a public Wi-Fi.
This section introduces the configs for setting up VPN access with the L2TP/IPsec protocol on Cisco routers.

Prerequisites

For convenience, this article uses the following prerequisites:

  • Global external IP is 219.107.1.1
  • L2TP's pre-shared key is "preshared_key"
  • User name for connection is "user1" and password is "password1"

Configs

The configs in this article are also based on the previous ones.

! Start the VPN service under the L2TP protocol
vpdn enable
vpdn-group VPN_L2TP-IPsec
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    exit

! Create the user. MS-CHAPv2 needs the reversible password, so "secret"
! (a hash) cannot be used here; the cleartext ends up in every config backup.
username user1 password 0 password1

! Set the encryption method. 3DES and DH group 2 are legacy choices kept
! for client compatibility; aes 256 and group 14 are the current equivalents
! if every client supports them.
crypto isakmp policy 100
    encr 3des
    authentication pre-share
    group 2
    exit
! One pre-shared key for any peer address (road-warrior clients)
crypto isakmp key preshared_key address 0.0.0.0
crypto isakmp keepalive 3600
! Transport mode: L2TP is the tunnel, IPsec protects the L2TP (UDP 1701) packets
crypto ipsec transform-set TRANS-SET esp-3des esp-sha-hmac
    mode transport
    exit
crypto dynamic-map DYNAMIC_MAP 10
    set nat demux
    set transform-set TRANS-SET
    exit
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic DYNAMIC_MAP

! Bind the crypto map to the WAN interface; IPsec is only negotiated on an
! interface that carries a crypto map
interface Dialer1
    crypto map CRYPTO_MAP
    exit

! Create the virtual template that each L2TP session is cloned from
interface Virtual-Template1
    ip unnumbered Dialer1
    ip mtu 1280
    ip nat inside
    ip virtual-reassembly in
    peer default ip address pool VPN_POOL_ADDR
    ppp encrypt mppe auto
    ppp authentication ms-chap-v2
    exit

! Specify the address pool for VPN clients
ip local pool VPN_POOL_ADDR 10.10.10.1 10.10.10.10
ip forward-protocol nd
no ip http server
no ip http secure-server

! Allow traffic from VPN clients (adds the pool to the NAT source list)
access-list 1 permit 10.10.10.0 0.0.0.255

DDNS

Now the VPN server is up on the router, but obviously, when connecting from the outside world you must specify the IP address of the VPN server, which is also the WAN IP of the router.
Many ISPs provide dynamic IPs, that is, the WAN IP address may change every time a dial-up session is established or after a certain period of time.
So you may also want a DDNS (Dynamic DNS) service to update the IP bound to a certain domain name, and connect to the VPN server with the domain name instead of the IP address.

Fortunately, there are a few free DDNS services available, and they also provide free sub-domain names.

However, registering a domain name is easy and not expensive. I'd like to have my own, so I registered a .com domain for about $5.

Regarding updating DNS records, the DDNS service usually provides an API for automatic updates, and the automatic update can also be implemented on the router itself.

Update MyDNS record automatically

I'm using MyDNS; below is the config for updating the MyDNS record on my Cisco router.
Prerequisites:

  • Domain name is "hexgleam.com"
  • MyDNS username is "mydns_user" and password is "mydns_password"

! Create the update task. The URL embeds the MyDNS credentials; they are
! sent over plain HTTP and saved in the running-config, so treat config
! backups as secrets.
ip ddns update method MyDNS
 HTTP
  add http://mydns_user:mydns_password@www.mydns.jp/login.html
 interval maximum 1 0 0 0

! Add the update task to Dialer1
interface Dialer1
    ip ddns update hostname hexgleam.com
    ip ddns update MyDNS
PPPoE and IPoE
https://hexgleam.com/en/blog/pppoe-and-ipoe/ (Fri, 21 Feb 2020 04:32:26 +0000)

In the previous articles, the term PPPoE was mentioned many times. Most people who have configured a broadband network will be familiar with it. But what exactly is PPPoE, and why are we using it?

What is PPPoE

To explain PPPoE (Point-to-Point Protocol over Ethernet), we must first understand PPP (Point-to-Point Protocol). PPP is the protocol that was used in the past to access the Internet by real "dial-up" over a telephone line. With this protocol, point-to-point communication between a PC and the ISP's equipment could be achieved on a telephone line originally meant for voice calls, without adding extra lines. Later, with the development of the Internet, dedicated lines such as ADSL, and now optical fibre, were developed to transmit the IP packets of the Ethernet network directly. Physically, PPP was no longer needed. But in order to keep the user authentication function included in PPP, which lets them charge for what they provide, the ISPs packed PPP into Ethernet frames, and PPP over Ethernet was born.
Then the question comes: just for authentication, this ancient telephone-based protocol is still used in 2019. Isn't there any other authentication method?

IPoE

With the birth of IPv6, the redesigned IPoE (IP over Ethernet) protocol, based on high-speed Ethernet connections, has entered the stage. IPoE transmits IP packets on the Internet directly, as we do in a LAN, eliminating the boilerplate of handling the PPP protocol and its conversion steps.
In terms of authentication, IPoE authenticates user access through the physical line. Once the line is provisioned, a fixed IPv6 network segment is assigned and used for access. No username, password or corresponding auto-dial settings are required.
In addition to user authentication, IPv6-based IPoE has the following advantages over PPPoE, which is based on the telephone line connections of the last century:

Stability

Using PPPoE, the router needs to generate PPPoE frames containing the authentication information, and then the modem performs modulation and demodulation in accordance with the PPP protocol. On the ISP's side, each Ethernet frame needs to be disassembled, and the PPP authentication information taken out of it must be sent to a special device for authentication. These steps, which do not help the communication itself, increase the delay and instability of the network. IPoE can achieve the same native IP communication as a local area network without introducing other special protocols, making the entire network simpler and more stable.

Speed

Because of the point-to-point nature of PPP, the ISP's equipment (NTE) needs to maintain a connection session for each Internet user. As the number of users increases, this NTE device becomes the bottleneck of the entire network, limiting the transmission speed. IPoE, which transmits the IP protocol directly, does not need such a point-to-point connection, and the more recent IPoE equipment itself can provide a much higher throughput than in the PPPoE era, so the data transmission speed of an IPoE connection is much higher than that of a traditional PPPoE network.

I made a test on my own network that showed a clear difference between PPPoE and IPoE.

Configure IPv6 dual stack connection on Cisco router
https://hexgleam.com/en/blog/ipv6-dual-stack-connection/ (Tue, 18 Feb 2020 05:11:22 +0000)

In the previous section we configured the IPv4 PPPoE connection, and I'll talk about IPv6 in this article.

IPv6 connection support

In fact, many websites now support IPv6, and ISPs are ready to provide IPv6 network access in different forms.
There are two main ways for users to get access to IPv6:

  • Obtain a /64 prefix from the ISP through the DHCP-PD protocol, and then your router assigns host addresses under this prefix to the devices connected to it. (Approximately 18 billion billion host addresses can be allocated, more than enough to let every grain of sand in the home go online.)
  • The router only plays the role of a Layer 2 switch for IPv6 communication, and all devices are independently connected to the ISP's network. This is the so-called IPv6 passthrough or IPv6 bridge mode.

Dual stack

Both of these methods are called dual stack, that is, two sets of completely unrelated communication protocols are deployed on the same network equipment (IPv4 and IPv6 operate independently and do not interfere with each other).
IPv6 communication does not need to pass through the crowded old IPv4 network infrastructure, so it has a great advantage in transmission speed. But IPv4 connections won't be affected: you still have to use the IPv4 protocol to access IPv4 sites.

IPv4 over IPv6 technologies

In order to let IPv4 connections benefit from the IPv6 connection, some so-called "IPv4 over IPv6" technologies have been developed, such as MAP-E and DS-Lite. The main idea is to encapsulate the IPv4 packet in an IPv6 packet and transmit it through the IPv6 network.
Now ISPs in Japan are promoting this technology for free, because with it users only need IPv6 addresses, reducing the pressure on the crowded IPv4 network.
For users, making IPv4 traffic reach the speed of IPv6 for free would be beneficial, but I still want an IPv4 public IP (this is the choice that gave birth to this website later), so I'll stay with the dual stack solution.

Configure IPv6 passthrough on the router

The configuration is based on the previous article.
Enter configuration mode first, then add the bridge irb command to enable the router's bridging function.

enable
config terminal

bridge irb

Then add the WAN port to the bridge group.

interface GigabitEthernet8
bridge-group 1
bridge-group 1 input-type-list 200
exit

In the previous article, we directly set the IP address of Vlan1 as the gateway of the subnet. Now we need a bridge virtual interface (BVI) as the gateway to implement IPv6 bridging. So first use

default interface Vlan1

to clear all configuration under Vlan1, and then use the following commands to add Vlan1 to the bridge group.

interface Vlan1
no ip address
bridge-group 1

Then create BVI1 as the gateway:

interface BVI1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1414
exit

Finally set up the bridging rules and access control (ACL):

! Bridge-group settings are global commands, not interface commands
bridge 1 protocol ieee
bridge 1 route ip

access-list 200 permit 0x86DD 0x0000
access-list 200 permit 0x0800 0x0000
access-list 200 permit 0x0806 0x0000

0x86DD is the EtherType of IPv6, 0x0800 that of IPv4, and 0x0806 that of ARP.
Once complete, you should see that the PC has obtained an IPv6 address.

In this way, the router works as a layer 2 switch for IPv6 and does not have an IPv6 address of its own.

Configure dhcp-pd on the router

The dhcp-pd method allows the router to work as a real router: obtain its own IPv6 prefix, and assign IPv6 addresses to devices as needed.
The dhcp-pd method is almost the same as the IPv4 DHCP setup on the intranet.
First enable IPv6 routing and create the IPv6 DHCP pool:

ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool STATELESS
import dns-server
import domain-name
exit

Enable IPv6 on the WAN port and get the prefix through DHCP-PD:

interface GigabitEthernet8
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd PREFIX
exit

Set up the gateway and DHCP on Vlan1:

interface Vlan1
! PREFIX supplies the delegated bits; the rest of the address comes from the literal
ipv6 address PREFIX ::1:0:0:0:1/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server STATELESS

The STATELESS pool does not record the allocation of IPv6 addresses; a device gets a newly assigned IPv6 address every time it connects.

About the security

If you are accustomed to the NAT translation of subnets in IPv4 networks, you may have questions about the security of IPv6. However, NAT itself was never meant to solve the problem of network security; using it as one should be considered an over-application of NAT.
For most users, who do not publish their host addresses in external DNS, the huge address space of IPv6 actually guarantees security, because even if an external attacker knows your IPv6 prefix, scanning the billions of billions of addresses under that prefix is an impossible task. Even so, the proper control is a stateful filter on the WAN interface, such as the reflexive ACL shown in the ACL article, which lets hosts receive only the replies to sessions they started; an address space that is hard to scan complements that, but does not replace it.

Set config register and backup configs on Cisco router
https://hexgleam.com/en/blog/setting-config-register/ (Wed, 12 Feb 2020 07:08:08 +0000)

In the previous article I finally connected to the Internet through the new router. After opening a few web pages to confirm that everything was normal, I decided to put the router in an unobtrusive corner and arrange the power and network cables. Then there was a power outage, and the router rebooted after everything was in position. After that, I lost Internet access!

I connected to the management terminal and used the

show running-config

command to view the configuration, and found that the previous configuration had all disappeared. At the end of the configuration, I had written the configuration to startup-config. In theory, since it is called "startup-config", it should be loaded automatically at startup. There must be something wrong with some configs.
Finally, it turned out that there is something called the config register in the router. The config register is 16 bits in total, and each bit controls part of the router's startup process.

Configuration register

Use

show version

command to view the router information, which contains the value of the current config register.
My router shows:

Configuration register is 0x2142

According to the documentation, the definition of bit 6 is:

If it is 1, ignore the startup-config in NVRAM and do not load the configuration file.

In the hexadecimal value above, that bit is the 4 (0x0040).
So I need to modify it with the following commands:

enable
config terminal
config-register 0x2102
exit

Use the show version command again to view the register; it now shows

Configuration register is 0x2142 (will be 0x2102 at next reload)

At this point, reboot it by a hard power cycle or use the reload command; the config register will be set to the new value and the configuration in startup-config should be loaded automatically.
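Added example (not from the original post): a Python decoder for the documented fields of the configuration register, which shows why 0x2142 skips startup-config and what changing it to 0x2102 does. 0x2142 is also the value the password-recovery procedure leaves behind, which is why a second-hand router often arrives with it.

```python
from __future__ import annotations

# Bit layout per Cisco's documentation of the 16-bit configuration register.
IGNORE_NVRAM = 1 << 6           # 0x0040: boot without loading startup-config
BREAK_DISABLED = 1 << 8         # 0x0100: ignore the console Break key while booting
ROM_IF_NETBOOT_FAILS = 1 << 13  # 0x2000: fall back to ROM software if a network boot fails
BOOT_FIELD = 0x000F             # bits 0-3: where the router looks for a system image

FLAGS = {
    "ignore_nvram": IGNORE_NVRAM,
    "break_disabled": BREAK_DISABLED,
    "rom_if_netboot_fails": ROM_IF_NETBOOT_FAILS,
}


def boot_field_meaning(field: int) -> str:
    if field == 0x0:
        return "stay at the ROM monitor (rommon) prompt"
    if field == 0x1:
        return "boot the first image in flash, ignoring 'boot system' commands"
    return "boot from flash using the 'boot system' commands in startup-config"


def decode_config_register(value: int) -> dict:
    """Split a register value such as 0x2142 into its documented fields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("the configuration register is a 16-bit value")
    fields = {name: bool(value & bit) for name, bit in FLAGS.items()}
    fields["boot_field"] = value & BOOT_FIELD
    fields["boot"] = boot_field_meaning(value & BOOT_FIELD)
    return fields


def with_startup_config(value: int) -> int:
    """Clear bit 6 so the next reload applies startup-config again
    (0x2142 -> 0x2102, the change made with config-register above)."""
    return value & (0xFFFF ^ IGNORE_NVRAM)


def changed_flags(old: int, new: int) -> list[str]:
    """Names of the documented flags that differ between two register values,
    handy when checking what a previous owner left set on a used router."""
    return [name for name, bit in FLAGS.items() if (old ^ new) & bit]
```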

Manage configuration files

If there are multiple configurations that need to be backed up and managed, or if you want to edit the configuration file more conveniently in a text editor on a PC, you can upload the configuration to the PC or download a configuration file to the router via TFTP (yes, the one used to install IOS).

Assume that the PC running the TFTP service has the address 192.168.1.1.
Upload the current configuration to TFTP:

copy running-config tftp:
Address or name of remote host []? 192.168.1.1
Destination filename []? Backup_running_config

After the upload is complete, a file called Backup_running_config will be generated in the TFTP working directory.

Downloading the configuration to the router is similar:

copy tftp: running-config
Address or name of remote host []? 192.168.1.1
Source filename []? Backup_running_config
Destination filename [running-config]? Startup-config

The values in brackets are the defaults given by the system. You can also download the configuration to running-config by simply pressing the Enter key, but if you made some changes to the configuration file, the download may fail due to conflicts with the current working configuration. So it is recommended to download to startup-config first, and then use the reload command to reload.

About TFTP

So far we have used TFTP twice. The T in TFTP is an abbreviation for trivial.

The main differences between trivial FTP and FTP are:

  • TFTP uses UDP for transport, while FTP uses TCP.
  • TFTP can transfer only one file at a time.
  • TFTP does not require any security authentication.

Because of the last point, anyone who can reach the TFTP server can read whatever it serves, and the configuration being copied contains secrets: the PPPoE password, the IPsec pre-shared key and the "password 0" user accounts from the other articles in this series are all stored in cleartext. Run the TFTP server only on the LAN and only while the copy is in progress, and delete the file when it is no longer needed; IOS images with the Secure Copy feature can also copy over SCP (copy ... scp:), which is authenticated and encrypted.

Configure PPPoE Dial-up Connection on Cisco Router
https://hexgleam.com/en/blog/pppoe-dhcp-config/ (Mon, 10 Feb 2020 07:32:10 +0000)

Preconditions

For convenience, this article uses the following example configuration:

  • Connect the WAN port of the router to the modem, dial up to the Internet through pppoe
  • The username obtained from the ISP is user_id and the password is user_pass
  • There is a Vlan on the internal network, the subnet is 192.168.1.0/24
  • The Vlan's gateway address is 192.168.1.254
  • Use 192.168.1.1 to 192.168.1.100 as dynamically assigned addresses, leaving the rest for static assignment
  • MTU of the ISP network is 1492

About MTU, MRU and MSS:

The default values commonly used in Ethernet networks (also the maximum values without using extension standards such as Jumbo Frames) are as follows:

MTU (Maximum Transmission Unit): 1500 bytes
MRU (Maximum Receive Unit): 1500 bytes
MSS (Maximum Segment Size): MTU minus the IP header (20 bytes) and the TCP header (20 bytes): 1460 bytes
With a PPPoE dial-up connection, the PPPoE header occupies 8 bytes, so the maximum MTU/MRU is 1492 and the maximum MSS is 1452.
The actual value varies according to the ISP. For example, the MTU of the most widely used network in Japan is set to 1454.

Configuration for basic internet connection

Use the enable command to gain administrative privileges, and then enter configuration mode through the console.
The "router(config)#" prompt indicates that this is the root of the configuration hierarchy. Configuration should start from the root and finally return to the root with the "exit" command.

router> enable
router# config terminal
router(config)#

PPPoE dial-up virtual interface

Create the Dialer1 virtual dialer interface and enter interface configuration:

! Bind the physical WAN port to dialer pool 1 first; the dialer only dials
! through interfaces that are members of its pool. GigabitEthernet8 is the
! WAN port of this router (the same port used in the IPv6 article).
interface GigabitEthernet8
  pppoe enable group global
  pppoe-client dial-pool-number 1
  no shutdown
  exit

interface Dialer1
  ! MTU matches the ISP's 1492 from the preconditions; MSS = MTU - 40
  mtu 1492
  ip address negotiated
  ip tcp adjust-mss 1452
  ip nat outside
  dialer pool 1
  dialer-group 1
  encapsulation ppp
  ppp authentication chap callin
  ppp chap hostname user_id
  ppp chap password user_pass
  ppp pap sent-username user_id password user_pass
  ppp ipcp dns request accept
  exit

There are two similar commands: mtu and ip mtu.
ip mtu affects only IPv4 packets through this interface, while mtu affects all packets, so use the mtu command to match the ISP's MTU.
Regarding the two authentication methods, CHAP and PAP: if you know which method your ISP uses, you only need to set the corresponding authentication information. If not sure, configure both.

Wait a few seconds, then display the interface information with the following command:

show interface dialer1

If you see that the interface has obtained an external IP address, the PPPoE dial-up connection has been established successfully.

Configure VLAN

Now the router is connected to the Internet. Next, we need to configure the internal network so that our devices can reach the external network through the LAN.
The router generates Vlan1 by default and assigns all 8 LAN ports to Vlan1. If there is no special requirement, you can just configure Vlan1.

interface Vlan1
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
  no shutdown
  exit

In Cisco IOS configuration, almost any command can be preceded by "no" to cancel it or perform the opposite operation.
Because the default state of an interface is shutdown, you need to bring the interface UP with the no shutdown command.

NAT and routing rules

Just as the default state of an interface is shutdown, enterprise routers do nothing by default for security reasons.
So although the Vlan is configured, routing between the Vlan and the WAN port is not performed by default. You need to configure the internal routing rules manually:

! access-list 1 selects the inside sources to translate (the LAN subnet from
! the preconditions); the NAT rule refers to it by number
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

Since we have only one external interface, we simply route everything to Dialer1. permanent indicates that this route is kept even if the Dialer1 link is down.

Configure DHCP

PCs, NAS and other fixed devices can be given static IPs for easy management. But we also need to connect mobile devices such as phones, tablets and some IoT devices. So it's necessary to allocate part of the address pool as a dynamically assigned segment through DHCP.

ip dhcp pool lan
  network 192.168.1.0 255.255.255.0
  default-router 192.168.1.254
  dns-server 8.8.8.8 8.8.4.4
  exit

ip dhcp excluded-address 192.168.1.101 192.168.1.254

Note that the last command lists the addresses EXCLUDED from DHCP, not the addresses DHCP hands out: every other host address in the pool's network is available for leasing.
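As an added example (not part of the original post), the Python script below parses the VLAN, NAT and DHCP commands above and works out which addresses DHCP will actually lease. It also flags two easy mistakes in this kind of config: a default-router that is not excluded from the pool, and a NAT rule that names an access-list which is never defined. The sample config string is constructed from the page's own commands.

```python
import ipaddress
import re

# Constructed sample made from the page's own commands; access-list 1 is included so
# the NAT rule has something to match (the audit flags it when it is missing).
SAMPLE_CONFIG = """
interface Vlan1
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface dialer 1 overload
ip dhcp pool lan
  network 192.168.1.0 255.255.255.0
  default-router 192.168.1.254
  dns-server 8.8.8.8 8.8.4.4
ip dhcp excluded-address 192.168.1.101 192.168.1.254
"""


def audit_lan_config(text):
    """Return (addresses DHCP may lease, list of findings) for an IOS config fragment."""
    network = default_router = None
    excluded, nat_acls, defined_acls = [], set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"network (\S+) (\S+)", line):
            # "network <addr> <mask>" inside the dhcp pool; ipaddress accepts a dotted mask
            network = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.fullmatch(r"default-router (\S+)", line):
            default_router = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"ip dhcp excluded-address (\S+)(?: (\S+))?", line):
            # a single address or an inclusive low-high range
            excluded.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2] or m[1])))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_acls.add(m[1])
        elif m := re.match(r"access-list (\S+) ", line):
            defined_acls.add(m[1])
    if network is None:
        return [], ["no 'network' statement found in the DHCP pool"]
    findings = []
    # IOS leases any host address of the pool network that is not excluded.
    leasable = [a for a in network.hosts()
                if not any(lo <= a <= hi for lo, hi in excluded)]
    if default_router in leasable:
        findings.append(f"default-router {default_router} is not excluded and could be leased to a client")
    for acl in sorted(nat_acls - defined_acls):
        findings.append(f"NAT rule references access-list {acl}, which is not defined: nothing is translated")
    return leasable, findings
```

With the page's values the script reports 100 leasable addresses (192.168.1.1 to 192.168.1.100) and no findings.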

Save Configs

At this point, our router should be able to dial up to the Internet automatically, like a normal home router. But the current configuration only lives in RAM, so don't forget to use the write command to save it to NVRAM; otherwise all of it will disappear after the next restart, whether caused by a power outage or anything else!

How to Install Cisco IOS From Image
https://hexgleam.com/en/blog/how-to-install-cisco-ios-from-image/
Mon, 10 Feb 2020 07:30:12 +0000

This Is Where This Blog Starts

Some time ago, a colleague said that he wanted to buy a wireless router and asked if anyone had a recommended model, which caused a heated discussion.

I remembered that my tp-link router had been working unstably recently. Although restarting solves everything, the occasional delay and packet loss is really unpleasant, especially during gaming. So I wanted to look for a new one that meets these requirements:

  • Able to work stably for a long time without restarting.
  • An embedded switch with 8 ports is appreciated (though 4 is also OK), because I have multiple cabled devices such as desktop PCs and a NAS.
  • With an embedded VPN server.
  • My old tp-link router can be used as a wireless AP, so wireless is not required.
  • As cheap as possible.

After listing the requirements, I started looking at enterprise routers instead of the usual home wifi routers.
There is no doubt that an enterprise router is designed for 24x7 operation, which meets the need for stability. As for the functions, an enterprise router is essentially a dedicated computer, and the various functions should be achievable with the right configuration.

So in the end it was only a matter of price. The price of brand new ones is really "enterprise", but a used one is cheap and easy to get on sites such as eBay.

C892FSP

I got this one for about $30.
c892fsp front panel

Cisco C892FSP-K9 Integrated Service Router
The Cisco 892FSP Desktop Router is a powerful management tool that delivers secure and reliable internet access across your mid-size business or home. With a zone-based firewall, you will be able to block unwanted traffic and prevent intrusion into your system.

Cisco officially calls it an ISR (Integrated Services Router), meaning that it integrates three major network functions: router, firewall and switch. This makes it suitable for small and medium offices.
The seller said that the system had been reset. That's OK. (A while later I realized that "reset" did not mean what I thought.)

Rear panel interface:

cisco c892fsp rear ports
The router part provides two 1GbE RJ45 interfaces and one SFP interface.
The switch part has 8 switch ports, which are internally connected to the router.
In addition, there is a console interface for management.
But my PCs don't have a serial port anymore :(, so I bought a USB serial cable for it.
The cable cost almost half the price of the router.
DB-9 serial port

A small goal

First, set a small goal for myself: complete the basic configuration, make a PPPoE dial-up connection and connect to the internet. This is what most home wifi routers do by default.

A little Trouble

I used MobaXterm as the terminal emulator. Connect to the management port and set the serial port parameters according to the official documentation:

baud rate: 9600
data bits: 8
parity: None
Stop bits: 1
Flow control: None

Then the CLI for configuration should appear!
Instead, something weird appeared on the screen:

rommon 1>

I couldn't enter configuration mode.

After spending some time on Google, I realized that this is because there was no operating system in the flash memory, and ROMMON, a basic BIOS-like recovery system, starts when the boot fails.

Remembering that the seller said it had been RESET, I realized that this is not the same "reset" as I thought.
The operating system of Cisco routers is called IOS (Internetwork Operating System).
To download IOS from Cisco's official site, you need to be a Cisco partner as a company or organization.
No way.
Fortunately I found the proper IOS for my router on the internet.
Thanks for sharing, guys.

Install Cisco IOS from image

Cisco IOS can be installed through TFTP. I used "tftpd64" to run a TFTP server on my PC, used my old router to put the PC and the Cisco router in the same subnet, and downloaded the image to the router via TFTP:

rommon 1> IP_ADDRESS = * ip address of router interface *
rommon 2> IP_SUBNET_MASK = * Subnet mask for LAN *
rommon 3> DEFAULT_GATEWAY = * LAN gateway *
rommon 4> TFTP_SERVER = * pc's ip address *
rommon 5> TFTP_FILE = * file name of system image *
rommon 6> tftpdnld

After the download completes, the router verifies and installs the image automatically, and the normal CLI finally appears:

Router>
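An image obtained from a third party, as in this post, should be checked against the digest Cisco publishes for that file before it is booted. The Python script below is an added example (not from the original post) that hashes an image in chunks and compares the result with the vendor-published value in constant time; the image file and the expected digest are constructed placeholders.

```python
import hashlib
import hmac
from pathlib import Path

# Constructed stand-in for an IOS image, written to disk so the check runs offline.
# A real run points IMAGE_PATH at the .bin you received.
IMAGE_PATH = Path("constructed_image.bin")
IMAGE_PATH.write_bytes(b"not a real IOS image, constructed for this example\n")

# Placeholder: take the real value from the image's entry on Cisco's download page.
EXPECTED_MD5 = "PLACEHOLDER_MD5_FROM_CISCO_DOWNLOAD_PAGE"


def image_digests(path, chunk_size=1 << 20):
    """Compute MD5 and SHA-512 of the image in chunks (real images are hundreds of MB)."""
    md5, sha512 = hashlib.md5(), hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha512.update(chunk)
    return {"md5": md5.hexdigest(), "sha512": sha512.hexdigest()}


def image_matches(path, expected, algo="md5"):
    """True only if the image's digest equals the published one (constant-time compare)."""
    actual = image_digests(path)[algo]
    return hmac.compare_digest(actual.lower(), expected.strip().lower())


if __name__ == "__main__":
    digests = image_digests(IMAGE_PATH)
    print("md5   ", digests["md5"])
    print("sha512", digests["sha512"])
    print("matches published md5:", image_matches(IMAGE_PATH, EXPECTED_MD5))
```

Once the file is on the router, the IOS command verify /md5 flash:<image file name> computes the same MD5 on the device and can be compared against the published value as well.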

Thanks again for the guy who provided the image.

I failed to achieve the goal of accessing the internet with the new router in this article, but I will do it in the next article.


Getting My New Blog Adsense Approved
https://hexgleam.com/en/blog/beginners-guide-to-adsense/
Sun, 09 Feb 2020 11:39:57 +0000

Here Comes a New Blogger

I built my first blog in Dec. 2019 in Japan. After a few days of tuning and the New Year holiday, I put it into normal operation on the first day of 2020.
Like most new blogs, I had virtually no PVs at first, but I did want to get AdSense approval as a good start.
pageviews when applying adsense
According to Google's documentation, PVs won't affect AdSense approval as long as your content is original and helpful, so I decided to give it a try.
I submitted my site on Jan. 22 and surprisingly got the approval notification the next morning.

Adsense Beginner's Guide

Acquire an AdSense Account

AdSense is part of Google's services, so a normal Google account is fine for AdSense.
A dedicated account also works well, of course.

Insert Javascript Code for Approval

Once the AdSense account is activated, a code snippet is available on the AdSense administration page.
Copy the code into the head tag of the site's homepage:

<head>
#AdSense Code Snippet
</head>

For a site powered by WordPress, there are a few approaches to inserting the code:

  1. Some themes provide custom code injection in the theme customization menu; put the AdSense code in the header block.
  2. Edit header.php of the theme and insert the code snippet into the head tag. It's better to do this in a child theme so that theme updates won't affect your code.
  3. Use a plugin such as "header & footer" to inject the code snippet into the head tag.

After that, validate your site in the AdSense control panel. The approval process starts once AdSense recognizes the code on your site.

Waiting for Approval

Google will inspect your site and check whether it is "valuable" and fits Google's policies. It says this will take up to two weeks, but it is usually done in a few days. Publishing new posts as usual "might" help, but is not necessary.
Once done, Google will either point out the problems or just say congratulations: the site is now AdSense approved.
After approval, AdSense provides a new code snippet for Auto Ads with the same publisher ID as the code before. The new one is slightly shorter, but both of them will work.

Setup Ads

There are two types of Ads:

Auto Ads

Auto Ads are ads that appear automatically, with only one code snippet in the head tag.
AdSense parses the page and inserts ads in a proper position, with a proper size and content that matches the page.
It also detects fixed ads on the page and adjusts the number of auto ads accordingly.

Fixed Ad Units

Google claims that auto ads appear in a proper position with a proper size, and they do work well in most cases. But they may still break your layout occasionally.
The other choice is Fixed Ad Units. To use fixed ads, build fixed units in the AdSense control panel, adjust the sizes to make sure they match the site, and paste the code into the chosen location.
Some AdSense-optimized themes provide fixed ad slots, but for other themes you have to tune the design and code to support fixed ads.

This site is using fixed ads for header and footer, leaving other components to auto ads.

Key Points for Adsense Approval

Must-Haves

There are several policies for AdSense approval, and some of them are really important.

Original and Useful Contents

"Content is King". Only original and useful content is considered "High Quality" and valuable for ads.
The amount is not that important; 10 posts or fewer is enough as long as the posts are really helpful.
High quality content is also the best SEO, as Google's search algorithms are intelligent enough to recognize which sites are useful for their users.

"Privacy Policy" Page

WordPress comes with a "Privacy Policy" draft, and it is really important.
AdSense collects users' cookies and browsing history to serve targeted ads, so any site using AdSense has to declare this behavior in its privacy policy.

My Privacy Policy

Privacy Policy about Google AdSense

Google is one of the third-party vendors on our site. It also uses cookies, known as DART cookies, to serve ads to our site visitors based upon their visit to www.hexgleam.com and other sites on the internet. However, visitors may choose to decline the use of DART cookies by visiting the Google ad and content network Privacy Policy at the following URL: https://policies.google.com/technologies/ads

Features That Make The Site Better

About page and Contact page

These pages increase the credibility of the site.

Usability

  1. Pages with a clear layout and a proper font.
  2. Stable and fast loading speed: less waiting time, more audience.

Mobile friendly

As more people browse on smartphones, Google has also moved its focus from desktop to mobile.
Site speed on mobile devices is used as a factor for impression position.
A mobile-friendly page helps the site get more impressions as well as a bigger audience.

Features That Are Not Important

Page Views

In my experience, there is no relationship between PVs and AdSense approval.
Well, the revenue is another story.

"SEO"

SEO itself is not a factor for AdSense approval. It also won't help with impression position in most cases.
Google's search algorithm is already optimized for finding valuable sites.
Content is King.
