Posts Tagged ‘openbsd’

It feels slow – testing and verifying your network connection

May 1, 2010

So I have a backup network link (working from home means you need two network links) and it was feeling kind of slow. I had a Linksys BEFSX41 connected to it, which according to the specifications is an ok unit (does VPN, etc.) but in practice it felt really slow (web browsing was not fun). So let’s test this objectively, I thought.

First, obviously, was to check the speed: am I getting what I paid for? A quick visit to www.speedtest.net showed that I was indeed getting the 4 megabits down and 1 megabit up (it’s a wireless link, so not super fast, but I don’t have to worry about backhoe fade) that I pay for. So if I’m getting good upload/download speeds why would it feel slow?

DNS

Luckily DNSSEC has been in the news a lot recently and several DNS testing sites have come up in various blogs/conversations/etc. So I headed over to the ICSI Netalyzr which promises to “Debug your Internet.” It’s a Java-based test and takes a while, but I have to say the results are worth it. It checks for connection speed, filtering, DNS speed and filtering and a few other things. Turns out DNS lookups were horribly slow (on the order of several thousand milliseconds… aka seconds). No wonder web browsing felt slow!

Turns out the BEFSX41 intercepts DNS lookups and proxies them, good for filtering, terrible for performance.

So I tried out a D-Link EBR-2310, which had even worse DNS performance. To add insult to injury it doesn’t support routing properly. On the BEFSX41 I can specify static routes, i.e. a router on 192.168.1.1 can get to 10.1.2.0/255.255.255.0 through the machine at 192.168.1.2. The EBR-2310 simply doesn’t support any routing. It also does the DNS proxy intercept, worse than the BEFSX41 (about twice as slow, in other words completely unusable).

So off to the store I go for a Netgear RP614v4. I was hoping that because it was a relatively recent device it would have slightly better hardware and firmware. Luckily I was right. It’s a mildly retarded device; you can set it up as a DHCP server but you don’t really have many (well any) options as to what it serves out via DHCP (domain, DNS servers, default gateway, etc., it does these all with a brain dead default set). But it does DNS lookups in an average of 70-80ms (as opposed to 1-3 seconds).

On my main subnet Internet access is brokered through a pretty vanilla OpenBSD machine (apart from having IPv6 enabled it’s pretty bog standard) and DNS lookups/etc are much faster. If anything this experience has taught me that if you want performance go find a small cheap machine, load it up with OpenBSD and be happy. Time to buy a Soekris I suppose. Oh and if you want DNSSEC these hardware firewalls aren’t going to do the trick, they all pretty much only support short DNS replies, meaning that longer DNSSEC replies will be truncated (and thus broken). To test this you can use the OARC reply size test:

dig +short rs.dns-oarc.net txt
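Why a router that only passes short DNS replies breaks DNSSEC can be seen at the packet level. The following is an added example, not code from the original post: it builds a query with an EDNS0 OPT record and checks a reply for the truncation (TC) flag and for whether EDNS0 survived. The function names and both sample replies are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=16, udp_size=4096, txid=0x1234):
    """TXT query carrying an EDNS0 OPT record (type 41) with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT reuses CLASS for the UDP payload size and TTL for flags (DO = 0x8000).
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer terminates the name
            return off + 2
        off += 1 + n

def inspect_reply(msg):
    """Report the TC flag and the EDNS0 UDP size a reply carries (None if no OPT)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, edns_size = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            edns_size = rclass
    return {"truncated": bool(flags & 0x0200), "edns_udp_size": edns_size}

def large_replies_ok(msg):
    """True when the reply is complete and the path kept EDNS0 above 512 bytes."""
    info = inspect_reply(msg)
    return not info["truncated"] and (info["edns_udp_size"] or 0) > 512

# Constructed sample replies (not captured traffic) to the query above.
QUESTION = encode_name("rs.dns-oarc.net") + struct.pack("!HH", 16, 1)
LEGACY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUESTION  # TC set, OPT stripped
TXT = b"\x0bsample text"
CLEAN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1) + QUESTION
               + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(TXT)) + TXT
               + b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0))
```

A reply shaped like LEGACY_REPLY forces a retry over TCP or leaves the resolver without the signatures it needs to validate.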

I also decided to test my network links for traffic shaping/etc., turns out my primary ISP does and my backup ISP doesn’t. To see if yours does/doesn’t check out the EFF page covering this.

IPv6 and OpenBSD (Part 2)

May 1, 2010

So now that you’re online with an IPv6 enabled OpenBSD machine what can you do? The first thing I noticed is that not all OpenBSD FTP sites are IPv6 enabled. The following is a list of IPv6 capable FTP sites for OpenBSD:

  • anga.funkfeuer.at
  • ftp5.usa.openbsd.org
  • ftp.arcane-networks.fr
  • ftp.belnet.be
  • ftp.esat.net
  • ftp.estpak.ee
  • ftp.eu.openbsd.org
  • ftp.freenet.de
  • ftp.fsn.hu
  • ftp.heanet.ie
  • ftp.irisa.fr
  • ftp.kddlabs.co.jp
  • ftp.nluug.nl
  • ftp.obsd.si
  • ftp.openbsd.dk
  • ftp.piotrkosoft.net
  • piotrkosoft.net
  • ftp.rediris.es
  • ftp.task.gda.pl
  • ftp.tcc.edu.tw
  • ftp.ulak.net.tr
  • mirror.aarnet.edu.au
  • mirror.bytemark.co.uk
  • mirror.corbina.net
  • mirror.planetunix.net
  • mirrors.nic.funet.fi
  • mirror.switch.ch
  • stacken.kth.se
  • http://www.obsd.si

What I find most interesting is how few North American sites are represented as compared to the European and Asian sites.

IPv6 and OpenBSD (Part 1)

April 26, 2010

So I finally took the plunge and got IPv6 going. My setup is pretty simple: OpenBSD firewall attached to the Internet, switch and a bunch of machines attached to the OpenBSD firewall. My ISP doesn’t support IPv6 yet (I’d be truly shocked if they do anytime in the next 5 years) so I chose Hurricane Electric as my IPv6 tunnel broker. The server setup isn’t too bad, but there are a lot of small steps:

Step 1: Sign up at Hurricane Electric for a free IPv6 tunnel: http://tunnelbroker.net/

Step 2: Create a tunnel and note down the info they give you. You will get a /64 assignment which is a lot of addresses (more than you’ll probably ever need). This makes IP assignment convenient: just take your IPv6 prefix, tack on the MAC address and you’re almost guaranteed to get a unique IP address (notwithstanding really bad network card makers).

Step 3: Set up the tunnel on OpenBSD. Notice the “Example OS Configurations (Windows, Linux, etc.):” at the bottom and select OpenBSD, which spits out something like:

ifconfig gif0 tunnel your.ip.add.ress 72.52.104.74
ifconfig gif0 inet6 alias 2001:500:6666:333::2 2001:500:6666:333::1 prefixlen 128
route -n add -inet6 default 2001:500:6666:333::1

Go edit your /etc/hostname.gif0 file so it looks like this:

tunnel 68.151.57.38 72.52.104.74
!ifconfig gif0 inet6 alias 2001:500:6666:333::2 2001:500:6666:333::1 prefixlen 128
!route -n add -inet6 default 2001:500:6666:333::1

The !command runs the command; I got tired of trying to figure out the correct syntax and just put the command in instead.

Step 4: Set up your internal interface to have an IPv6 address (hostname.fxp0):

inet 192.168.0.1 255.255.255.0
inet6 2001:500:6666:333:123:45ff:fe1d:3456 64
inet6 alias 2001:500:6666:333:: 64 anycast

I basically chose the network card’s MAC address for the middle part of the IPv6 address, this way it is unlikely to ever conflict with anything else.

Step 5: Set up and configure the route advertisement daemon, in rc.conf:

rtadvd_flags="fxp0"

And your /etc/rtadvd.conf should look like:

fxp0:\
:addrs#1:addr="2001:500:6666:333::":prefixlen#64:raflags#64:

This will allow you to configure other clients to use the route advertisement daemon, which basically makes IPv6 zero hassle to set up.

Step 6: IPv6 routing and routed. Edit rc.conf to enable route6d:

route6d_flags=""

You’ll also want to enable forwarding of IPv6 traffic in /etc/sysctl.conf:

net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.mforwarding=1     # 1=Permit forwarding (routing) of IPv6 multicast packets
net.inet6.ip6.multipath=1       # 1=Enable IPv6 multipath routing

Step 7: Reboot, you should be good to go. To test it try something like:

ping6 ipv6.google.com

The client setup is pretty easy, on OpenBSD at least: during network configuration choose “rtsol” when prompted for IPv6 setup. If your machine is already set up, simply edit the hostname.if file and add “rtsol” to it; this will result in automatic IPv6 configuration. You’ll also want to enable the rtsold daemon in rc.conf:

rtsold_flags="fxp0"

Adding an IPv6 name server to resolv.conf is also easy:

nameserver 2001:470:20::2

Reboot and your client should be ready to get an IP from your OpenBSD firewall and connect onwards to the Internet.
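The prefix-plus-MAC addressing from Steps 2 and 4, as an added example that is not part of the original post: it derives the address using the standard modified EUI-64 form (RFC 4291, Appendix A), which also flips the universal/local bit of the first MAC octet, a detail beyond what the post describes. It also shows that the MAC can be read back out of such an address, which matters if you care about hosts being trackable. The function names and the MAC 00:11:22:33:44:55 are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac):
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected six MAC octets: %r" % mac)
    octets = [int(p, 16) for p in parts]
    if any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("octet out of range in %r" % mac)
    octets[0] ^= 0x02                        # flip the universal/local bit
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return int.from_bytes(bytes(eui), "big")

def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 identifier derived from mac."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_address(addr):
    """Recover the MAC embedded in an EUI-64 style address, or None if absent."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":              # no ff:fe marker, not MAC-derived
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)

# Prefix taken from the post; the MAC is a constructed sample value.
SAMPLE = slaac_address("2001:500:6666:333::/64", "00:11:22:33:44:55")
```

Addresses built this way carry the same interface identifier on every network the card joins, so the tunnel endpoint address ending in ::2 returns None here while the MAC-derived one does not.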