Latest Publications

FreePBX for Proxmox / OpenVZ

Download it here:

http://dl.dropbox.com/u/7219062/vzdump-openvz-765-2010_05_18-14_56_01.tar and put it in your /var/lib/vz/dump/ folder.

Installation:

1. Move the downloaded file ( vzdump-openvz-765-2010_05_18-14_56_01.tar ) to /var/lib/vz/dump
2.    /usr/sbin/vzrestore vzdump-openvz-765-2010_05_18-14_56_01.tar 765
3.    /usr/sbin/vzctl set 765 --ipadd <the ip address of your new FreePBX> --save   (--save writes the address into the container config so it survives a restart)

Read more here

A nice way to do failover with BGP, OSPF and HSRP

My setup is as follows:

Two 3550 switches, each connected to a different provider via BGP. I would like to have redundancy between the two switches/providers. Here’s what I did:

1. Routing:
a) Each switch gets a floating static default route with administrative distance 190 towards the other switch. While BGP is up, the default route learned from the provider over eBGP (administrative distance 20) wins. If BGP goes down, that route disappears and the 190 route takes over, so traffic leaves through the other L3 switch.
b) Each router is connected to both switches. I was first thinking of using bridge irb, but it looks more natural to use OSPF. So I set up two IP ranges (172.16.1.0/24 [sw1] and 172.16.2.0/24 [sw2]) to use with OSPF. Let's take for example one of the routers, a 2651XM. Fa0/0 is connected to port fa0/2 on SW1 and Fa0/1 is connected to port fa0/2 on SW2.

Below is an example config (discussed below the sample). The BGP sessions, and the SVIs for VLANs 101 and 102 that carry the 172.16.1.0/24 and 172.16.2.0/24 OSPF links, are left out.
[sw1]

interface FastEthernet0/2
description to R01, fa0/0
switchport trunk encapsulation dot1q
switchport mode trunk

router ospf 1
network 172.16.1.0 0.0.0.255 area 0
network 172.16.2.0 0.0.0.255 area 0
network 129.x.x.0 0.0.0.255 area 0
default-information originate always

interface vlan 100
ip address 129.x.x.11 255.255.255.0
standby 100 ip 129.x.x.1
standby 100 priority 255
standby 100 preempt

ip route 0.0.0.0 0.0.0.0 129.x.x.12 190

[sw2]

interface FastEthernet0/2
description to R01, fa0/1
switchport trunk encapsulation dot1q
switchport mode trunk

router ospf 1
network 172.16.1.0 0.0.0.255 area 0
network 172.16.2.0 0.0.0.255 area 0
network 129.x.x.0 0.0.0.255 area 0
default-information originate always

interface vlan 100
ip address 129.x.x.12 255.255.255.0
standby 100 ip 129.x.x.1
standby 100 priority 101
standby 100 preempt

ip route 0.0.0.0 0.0.0.0 129.x.x.11 190

[r01]

interface FastEthernet0/0
description to SW1, fa0/2
no ip address

interface FastEthernet0/0.1
encapsulation dot1q 101
ip address 172.16.1.3 255.255.255.0

interface FastEthernet0/1
description to SW2, fa0/2
no ip address

interface FastEthernet0/1.1
encapsulation dot1q 102
ip address 172.16.2.3 255.255.255.0

interface Loopback0
ip address 129.x.x.54 255.255.255.255
ip ospf 1 area 0

router ospf 1
log-adjacency-changes
network 129.x.x.54 0.0.0.0 area 0
network 172.16.1.0 0.0.0.255 area 0
network 172.16.2.0 0.0.0.255 area 0

ip route 0.0.0.0 0.0.0.0 129.x.x.1

Now, how does this work?

- each switch has a floating static default route towards the other switch (administrative distance 190). As said above, when BGP fails on either switch, traffic goes out via the other switch.
- if both BGP sessions fail, the two 190 routes point at each other and packets just bounce between the switches until their TTL runs out... well, that's just bad luck :)

How do my packets select a certain ISP?

- HSRP (Hot Standby Router Protocol) decides. Notice the 'standby 100 priority 101' statement on the second switch. The default is 100; I set it to 101 to make the config more self-explanatory. The first switch has priority 255 and both have preempt, so whenever the first switch is up it is the active HSRP gateway and traffic leaves through its provider. Note that nothing here authenticates HSRP: any host on VLAN 100 can send HSRP hellos and contend for the active role, so add 'standby 100 authentication md5 key-string <key>' on both switches if untrusted hosts share that VLAN.

What if HSRP fails?

- HSRP itself is not a single point of failure. If one of the switches dies, the switch still up becomes the active gateway (and its BGP connection is used).
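To make the two answers above concrete, here is an added example (Python, not part of the original post) that models the design: HSRP election with preempt picks the gateway switch, each switch installs the default route with the lowest administrative distance (eBGP 20 versus the floating static 190), and a packet is followed from the gateway until it leaves through a provider. The switch names and priorities are the post's; the provider labels providerA/providerB and the failure scenarios are constructed for this example.

```python
"""Model of the failover logic in this post: HSRP elects the default gateway,
and each switch forwards by administrative distance (eBGP default 20 beats the
floating static 190 towards the other switch). Added example; provider labels
and failure scenarios are constructed."""
from dataclasses import dataclass

EBGP_AD = 20              # default route learned from the provider over BGP
FLOATING_STATIC_AD = 190  # 'ip route 0.0.0.0 0.0.0.0 <other switch> 190'


@dataclass
class Switch:
    name: str
    provider: str         # provider reached over this switch's own BGP session
    hsrp_priority: int
    peer: str             # next hop of the floating static route
    up: bool = True
    bgp_up: bool = True

    def best_default(self):
        """Candidate defaults as (AD, next-hop); the lowest AD is installed."""
        candidates = [(FLOATING_STATIC_AD, self.peer)]
        if self.bgp_up:
            candidates.append((EBGP_AD, self.provider))
        return min(candidates)


def hsrp_active(switches):
    """With preempt configured, the live switch with the highest priority is active."""
    live = [s for s in switches if s.up]
    return max(live, key=lambda s: s.hsrp_priority).name if live else None


def exit_provider(switches):
    """Follow a packet from the HSRP gateway until it leaves via a provider.
    Returns the provider name, or None if it never gets out (both BGP sessions
    down means sw1 -> sw2 -> sw1 -> ... until TTL expires)."""
    by_name = {s.name: s for s in switches}
    hop = hsrp_active(switches)
    seen = set()
    while hop in by_name:
        if hop in seen or not by_name[hop].up:
            return None
        seen.add(hop)
        _, hop = by_name[hop].best_default()
    return hop


def scenario(sw1_up=True, sw1_bgp=True, sw2_up=True, sw2_bgp=True):
    """Which provider traffic exits through for a given failure state."""
    sw1 = Switch("sw1", "providerA", 255, "sw2", sw1_up, sw1_bgp)
    sw2 = Switch("sw2", "providerB", 101, "sw1", sw2_up, sw2_bgp)
    return exit_provider([sw1, sw2])


if __name__ == "__main__":
    print("normal:", scenario())
    print("sw1 BGP down:", scenario(sw1_bgp=False))
    print("sw1 dead:", scenario(sw1_up=False))
    print("both BGP down:", scenario(sw1_bgp=False, sw2_bgp=False))
```

The model only captures the route selection; it does not check that OSPF is actually carrying the 172.16.x.0/24 links, which is what the show output below is for.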

Other things: OSPF tells both switches through which interfaces the 129.x.x.54 address (r01's loopback) is reachable, over both links. Check this out:

<————————————————————>
sw2# sh ip route ospf
129.x.x.0/24 is variably subnetted, 11 subnets, 5 masks
O 129.x.x.54/32 [110/2] via 172.16.1.3, 3d01h, Vlan101
[110/2] via 172.16.2.3, 3d01h, Vlan102
<————————————————————>

What else can I do?

- have each provider connect to each switch. In my config I could only afford provider A on switch 1 and provider B on switch 2. If you can set up provider A & B on switch 1 and provider A & B on switch 2 as well, then no single switch or provider failure can take you offline.

Any ideas, comments?

iDirect upgrade howto

I ran into this a couple of days ago. I had to upgrade an iDirect router (upload a new options file), but I did not have the password for iSite anymore. Here's how I did it:

1. Reload the iDirect router.
2. Connect to the router with a Cisco console cable.
3. Log in with username root and password iDirect (the factory defaults; change them once you are done).
4. Run ps ax and kill all the falcon processes.
5. # cd /etc/idirect/falcon/
   # ls
   falcon.opt falcon.opt.old
   #
6. # mv falcon.opt falcon.opt.old
7. Set your computer's IP address to whatever the router connected to the iDirect modem/router had.
8. Start a web server on your computer.
9. On the falcon router: wget -O falcon.opt http://your-computers-ip-address/name-of-new-conf-file.opt (the new options file has to end up as falcon.opt, which step 6 moved out of the way).
10. Reload the falcon router.

That's it. Too simple, but worth writing down for the future.

A thought on multihoming on Cisco

Let's presume that one of your customers is buying two internet connections. One is from you, the other one is from the competition. Since he is not buying a lot of bandwidth, he will not have many options like running BGP or some other routing protocol to switch between providers when one of his links is down. Here's a quick solution, using IP SLA probes to track each provider and two static default routes, with NAT pools chosen by route-map on the next hop:

PS: this was a Cisco 851.

no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname example-customer
!
boot-start-marker
boot-end-marker
!
logging buffered 65535 debugging
!
aaa new-model
!
!
aaa authentication password-prompt password:
aaa authentication username-prompt Username:
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone GMT+1 1
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool example-customer
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server
domain-name example-customer.com
lease 2
!
!
ip tcp path-mtu-discovery
no ip bootp server
ip domain name example-customer.com
ip name-server
ip name-server
ip sla 1
icmp-echo source-ip
request-data-size 500
threshold 2000
tag providers-rtr
frequency 45
ip sla schedule 1 start-time now
ip sla 2
icmp-echo source-ip
request-data-size 500
threshold 3000
tag providers-rtr
frequency 45
ip sla schedule 2 start-time now
!
!
!
!
!
!
track 1 rtr 1
!
track 2 rtr 2
!
!
!
!
!
interface FastEthernet0
description Link to Provider1
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet1
description Link to Provider2
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Local LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan2
description Link to Provider1
ip address 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface Vlan3
description Link to Provider2
ip address 255.255.255.248
ip nat outside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 track 1
ip route 0.0.0.0 0.0.0.0 10 track 2
!
no ip http server
no ip http secure-server
ip nat pool provider1 prefix-length 29
ip nat pool provider2 prefix-length 29
ip nat inside source route-map nat-provider1-out pool provider1 overload
ip nat inside source route-map nat-provider2-out pool provider2 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 11 permit
access-list 12 permit
access-list 20 permit 192.168.2.0 0.0.0.255

no cdp run
!
route-map nat-provider1-out permit 10
match ip next-hop 12
!
route-map nat-provider2-out permit 10
match ip next-hop 11
!
!
control-plane
!
banner motd ^C
welcome dude.
^C
!
line con 0
exec-timeout 30 0
no modem enable
line aux 0
line vty 0 4
access-class 160 in
exec-timeout 30 0
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
end

I took out some parts of the config and changed it a bit from what it looks like on the router, but it should work without problems.

One thing to check before relying on this: each IP SLA probe has to be pinned to its own provider with a host route (ip route <probe target> 255.255.255.255 <that provider's next hop>). Otherwise, once the default route has failed over to Provider2, the probe for Provider1 is also sent out via Provider2, succeeds, track 1 comes back up, the primary default route is reinstalled, the probe fails again, and the router flaps between the two paths. Pick probe targets that are only reachable through the provider being tested (the provider's own router, as the 'providers-rtr' tag suggests).
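As an added example (not the page's own tooling), here is a small consistency audit for this pattern, run over an excerpt of the config above with the same addresses elided. It checks that every tracked static route has a track, every track an SLA, every NAT route-map a defined access-list, and every vty access-class a defined access-list; on this excerpt it flags access-list 160 (referenced by 'access-class 160 in' but not defined, one of the parts the author cut) and the unused access-lists 10 and 20. The function names and finding strings are assumptions of this example.

```python
"""Consistency audit for the tracked-static-route / NAT route-map pattern:
every 'track N' needs an SLA, every tracked route a track, every NAT route-map
a defined access-list, and every access-class a defined access-list.
Added example; CONFIG is an excerpt of the post's Cisco 851 config."""
import re

CONFIG = """\
ip sla 1
 icmp-echo source-ip
ip sla schedule 1 start-time now
ip sla 2
 icmp-echo source-ip
ip sla schedule 2 start-time now
track 1 rtr 1
track 2 rtr 2
ip route 0.0.0.0 0.0.0.0 track 1
ip route 0.0.0.0 0.0.0.0 10 track 2
ip nat inside source route-map nat-provider1-out pool provider1 overload
ip nat inside source route-map nat-provider2-out pool provider2 overload
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 11 permit
access-list 12 permit
access-list 20 permit 192.168.2.0 0.0.0.255
route-map nat-provider1-out permit 10
 match ip next-hop 12
route-map nat-provider2-out permit 10
 match ip next-hop 11
line vty 0 4
 access-class 160 in
"""


def parse(config):
    """Pull out the objects the pattern ties together."""
    f = {"sla": set(), "track": {}, "tracked_routes": [], "acl": set(),
         "nat_maps": set(), "route_map": {}, "access_class": set()}
    current_map = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip sla (\d+)$", line):
            f["sla"].add(int(m[1]))
        elif m := re.match(r"track (\d+) rtr (\d+)$", line):
            f["track"][int(m[1])] = int(m[2])
        elif m := re.match(r"ip route \S+ \S+ .*track (\d+)$", line):
            f["tracked_routes"].append(int(m[1]))
        elif m := re.match(r"access-list (\d+) ", line):
            f["acl"].add(int(m[1]))
        elif m := re.match(r"ip nat inside source route-map (\S+)", line):
            f["nat_maps"].add(m[1])
        elif m := re.match(r"route-map (\S+) ", line):
            current_map = m[1]
            f["route_map"].setdefault(current_map, [])
        elif (m := re.match(r"match ip next-hop (\d+)$", line)) and current_map:
            f["route_map"][current_map].append(int(m[1]))
        elif m := re.match(r"access-class (\d+) in", line):
            f["access_class"].add(int(m[1]))
    return f


def audit(f):
    """Return human-readable findings for dangling or unused references."""
    issues = []
    for t, sla in sorted(f["track"].items()):
        if sla not in f["sla"]:
            issues.append("track %d references undefined ip sla %d" % (t, sla))
    for t in f["tracked_routes"]:
        if t not in f["track"]:
            issues.append("static route references undefined track %d" % t)
    for name in sorted(f["nat_maps"]):
        if name not in f["route_map"]:
            issues.append("ip nat references undefined route-map %s" % name)
    referenced = set(f["access_class"])
    for name, acls in sorted(f["route_map"].items()):
        for a in acls:
            referenced.add(a)
            if a not in f["acl"]:
                issues.append("route-map %s matches undefined access-list %d" % (name, a))
    for a in sorted(f["access_class"]):
        if a not in f["acl"]:
            issues.append("access-class references undefined access-list %d" % a)
    for a in sorted(f["acl"] - referenced):
        issues.append("access-list %d is defined but never referenced" % a)
    return issues


if __name__ == "__main__":
    for issue in audit(parse(CONFIG)):
        print(issue)
```

The dangling access-class is the finding worth catching on a real box: IOS generally treats a reference to an access list that does not exist as permit-all, so the vty lines would accept telnet/ssh from any source.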

Exim+Domainkeys Howto

I ran into this problem a couple of months ago: all the mail one of my customers was sending ended up in the bulk folder at Yahoo, Hotmail and other big free mail providers. While I was aware this would not solve the problem entirely, due to the fact that they blindly open any attachment in any email they receive (and thus get viruses which start sending emails/spam the next minute), I thought that I should also implement DomainKeys, since I was doing a lot of maintenance work (like updating ClamAV, SpamAssassin and so on and so forth).

It took me a couple of days to finally get it working the right way due to different factors (dns, not being able to find a very comprehensive documentation, etc).

Here is what I came up with:

This is a quick tutorial on how to enable domainkeys (http://domainkeys.sourceforge.net/) on Exim on a FreeBSD server.

First, if you have not installed Exim yet, you have to install it. If it is already installed, you have to recompile it with DomainKeys support.

The way to do it:

cd /usr/ports/mail/exim
ee Makefile    (or use joe / vi /whatever you like)

Search for the following lines:

# Enable DomainKeys support
#WITH_DOMAINKEYS=       yes

..and uncomment the “#WITH_DOMAINKEYS= yes”.

Now you will have:

# Enable DomainKeys support
WITH_DOMAINKEYS=       yes

Save and exit the text editor.

Do the following:

make clean
make rmconfig
make
make FORCE_PKG_REGISTER=1 install  <-- if you already have exim installed.
make install                       <-- if you don't have yet exim installed.

Copy & paste in your console:

cd /usr/local/etc/exim
mkdir dk
cd dk
openssl genrsa -out rsa.private 2048
openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
cat rsa.public

After all this you will have a result which looks something like the following (this sample comes from a 768-bit key, which is why it is short; 768-bit RSA is too weak to use today and many verifiers reject keys under 1024 bits, so generate at least 2048 bits; note that a 2048-bit p= value is longer than 255 characters and then has to be split into several quoted strings inside the TXT record, e.g. "k=rsa; p=first part" "second part"):

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----

Save what's between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- for later use.

Edit with your favorite text editor /usr/local/etc/exim/configure

find the line which starts with “remote_smtp:” . This should be under the “begin transports” section of the file.

It looks like that:

remote_smtp:
  driver = smtp

Edit there and make it look like that:

remote_smtp:
  driver = smtp
  # the selector names the DNS record you will add later; Exim only treats
  # '#' as a comment at the start of a line, so never put one after an option
  dk_selector = myselector
  dk_private_key = /usr/local/etc/exim/dk/rsa.private
  dk_canon = nofws

Save the file, exit and start/restart exim. rsa.private is the signing key: make sure it is owned by, and readable only by, the user Exim runs as (chmod 600).

sh /usr/local/etc/rc.d/exim.sh restart

Login to the server that serves as DNS server for the domain name for which you are configuring this domainkey thing.

Go to /etc/namedb/

Find the file corresponding to your domain (look for it in named.conf and you will find the path to it).

Let's presume it is /etc/namedb/pri/com/yourdomain.com. Edit this file, and just after/below the IN MX statement, add the following records:

_domainkey.yourdomain.com.       IN      TXT     "t=y; o=-"

myselector._domainkey.yourdomain.com.  IN      TXT     "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7EXzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB"

Alter the serial (for example, if today is 28-aug-2007, make your serial look like 2007082800 or 2007082801, etc), save the file and reload named.

if your domain is something like customer.yourdomain.com, then the records will look like that:

_domainkey.customer.yourdomain.com.       IN      TXT     "t=y; o=-"

myselector._domainkey.customer.yourdomain.com.  IN      TXT     "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6lMIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7EXzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB"

Remember to also modify /etc/namedb/named.conf:

Add the following to your options { … } section of named.conf

        check-names master ignore;

This will allow you to use _ (underscore) in owner names, which named otherwise rejects as a bad hostname.

You will have to edit and add that “check-names master ignore;” thing if you get the following error in your logs:

Aug 28 15:02:33 noc1 named[83277]: pri/com/yourdomain.com:15: myselector._domainkey.yourdomain.com: bad owner name (check-names)
Aug 28 15:02:33 noc1 named[83277]: zone yourdomain.com/IN: loading master file pri/com/yourdomain.com: bad owner name (check-names)

The long string after "k=rsa; t=y; p=" is the public key which I said you should keep for later use.
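The PEM-to-p= step and the two TXT records above, as an added example (Python, not part of the original howto or of Exim): it strips the PEM header and footer the way the text describes, emits the policy and selector records in zone-file form (splitting values longer than 255 characters into several quoted strings), parses a record back into its tags, and decodes the DER public key inside p= to report the modulus size. The domain and selector names are the ones used in the text; the public key is the sample printed above; the function names are assumptions of this example.

```python
"""Helpers for the DomainKeys DNS records in this howto: turn the OpenSSL PEM
public key into the p= value, emit the zone-file TXT records, parse them back
and check the key inside p=. Added example, not part of the original post."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# Public key exactly as printed in the howto (a 768-bit key).
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l
MIgulclWjZwP56LRqdg5ZX15bhc/GsvW8xW/R5Sh1NnkJNyL/cqY1a+GzzL47t7E
XzVc+nRLWT1kwTvFNGIoAUsFUq+J6+OprwIDAQAB
-----END PUBLIC KEY-----
"""


def pem_to_p(pem):
    """p= is the PEM body with the BEGIN/END lines and newlines removed."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def txt_quote(value, limit=255):
    """Zone-file form of a TXT value. One character-string holds at most 255
    bytes, so a 2048-bit p= must be split; verifiers concatenate the pieces."""
    pieces = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join('"%s"' % p for p in pieces)


def build_records(domain, selector, p, testing=True):
    """(owner, rdata) for the policy record and the selector record."""
    t = ["t=y"] if testing else []
    policy = "; ".join(t + ["o=-"])
    key = "; ".join(["k=rsa"] + t + ["p=" + p])
    return [("_domainkey.%s." % domain, txt_quote(policy)),
            ("%s._domainkey.%s." % (selector, domain), txt_quote(key))]


def parse_tags(rdata):
    """Parse 'k=rsa; t=y; p=...' into a dict, joining quoted pieces first."""
    pieces = re.findall(r'"([^"]*)"', rdata)
    joined = "".join(pieces) if pieces else rdata
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def _tlv(buf, i):
    """Read one DER tag-length-value at offset i -> (tag, value, next offset)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def rsa_modulus_bits(p):
    """Modulus size of the base64 SubjectPublicKeyInfo carried in p=."""
    _, spki, _ = _tlv(base64.b64decode(p), 0)      # SEQUENCE
    _, algid, nxt = _tlv(spki, 0)                  #   AlgorithmIdentifier
    if _tlv(algid, 0)[1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    _, bits, _ = _tlv(spki, nxt)                   #   BIT STRING (first byte = unused bits)
    _, rsapub, _ = _tlv(bits[1:], 0)               #     RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsapub, 0)                #       INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def check_selector_record(rdata, minimum_bits=1024):
    """Warnings to look at before publishing a selector record."""
    tags = parse_tags(rdata)
    warnings = []
    if tags.get("k", "rsa") != "rsa":
        warnings.append("unsupported key type %s" % tags["k"])
    if "p" not in tags:
        return warnings + ["no p= tag"]
    bits = rsa_modulus_bits(tags["p"])
    if bits < minimum_bits:
        warnings.append("%d-bit key is below the %d-bit minimum" % (bits, minimum_bits))
    if tags.get("t") == "y":
        warnings.append("t=y: testing mode, failures are treated as unsigned")
    return warnings


if __name__ == "__main__":
    p = pem_to_p(SAMPLE_PEM)
    for owner, rdata in build_records("yourdomain.com", "myselector", p):
        print(owner, "IN TXT", rdata)
    print(check_selector_record(build_records("yourdomain.com", "myselector", p)[1][1]))
```

Run against the sample key it reports the 768-bit modulus and the t=y testing flag, which is exactly what you want to have cleared before the records go live.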

To test, send an e-mail to dk at dk.crynwr.com. You will receive about 5 messages back from different addresses with test results.

If they report the test as passed you should be ok. Send an e-mail to a yahoo.com address and check the headers. They should look like this:

From Dan Caescu Tue Aug 28 06:20:08 2007
Return-Path:
Authentication-Results: mta233.mail.mud.yahoo.com  from=yourdomain.com; domainkeys=pass (ok)
Received: from x.x.x.x  (EHLO relay.yourdomain.com) (x.x.x.y)
  by mta233.mail.mud.yahoo.com with SMTP; Tue, 28 Aug 2007 08:16:56 -0700
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=myselector; d=yourdomain.com;

That should be all. Once signatures verify, remove the t=y flag from both records: it marks the domain as testing, which tells verifiers to treat a failing signature as if the mail had not been signed at all.

Good luck!

PS: I also posted this here: http://wiki.exim.org/DomainKeys You will also find there some other useful documentation.