I got a new MBP a couple of weeks ago and I’ve been migrating things to it from my previous 2015 MBP. A couple of days ago I went to a different site on my UniFi network, and unexpectedly WiFi performance on the new MBP M2 was abysmal.
29.7.20
Clean up legacy network interface naming
Predictable network interface names are all the rage in Linux distros these days. My systems are of various vintage so most have carried on with eth0 and eth1 through upgrades by having old udev rules kept around.
To get with the times a few steps are needed.
4.5.17
Network speed and IRQ affinity
By default many Linux network interface card drivers set their SMP affinity mask to either all zeroes or all ones (“ff” — the length of the mask depends on the number of CPUs on the system). The former results in all queues and interfaces running on CPU ID 0, which can become a performance bottleneck due to insufficient computing power. The latter results in all queues and interfaces being scheduled on multiple CPUs, which can become a performance bottleneck due to increased CPU memory cache misses.
7.7.15
IPv6 with prefix delegation and VRFs
DNA Welho has added IPv6 support to all their cable hookups on June 9th, which was a national IPv6 deployment flag day in Finland. I only heard about it from Facebook comments today. Until now I’ve had IPv6 disabled on the private VRF because my fast cable hookup only provided IPv4. Using IPv6 from the DSL hookup would have just slowed things down.
After some poking around I was able to get my VRF-separated home network connected using a delegated prefix.
25.10.14
No VRF-awareness for NAT with DHCP interfaces?
I would like to forward SSH from my cable modem interface to an internal box in a different VRF, but this for some reason is only possible using static IP addresses. The global IP address in the NAT statement must be a static one to be able to also include a VRF reference.
This is what I would like to add:
ip nat source static tcp 10.0.0.11 22 interface Vlan6 22 vrf private extendable
However, neither “vrf” nor “extendable” is allowed after “interface” has been entered.
Yet, if Vlan6 has the IP address 192.0.2.123 from DHCP, I can add the following static NAT entry and it works as one would expect:
ip nat source static tcp 10.0.0.11 22 192.0.2.123 22 vrf private extendable
I don’t see why it wouldn’t be possible to add the VRF to an entry that uses an interface reference for the global IP address.
19.10.14
L2TP over IPsec on Cisco IOS
I wanted to use the OS X VPN client to connect to my home network while on the road. I guess using an OS X server would be the easiest way to get a Mac-compatible VPN server up and running. Using a Cisco running IOS required quite a few lines of configuration.
The OS X VPN client provides terrible feedback. It will happily tell you that there was “no response from the VPN server” when in reality the server responds with a rejection of all the ISAKMP or IPsec transforms proposed by the client. Fortunately both the Cisco debugging messages and verbose output from tcpdump were quite helpful.
In about 3 hours I got it all working, including routing with other VRFs and DMVPN sites.
21.2.14
Unbound not resolving
I’m not sure what failed last night, but I’m guessing the cable Internet connection was down. Interestingly, unbound had stopped resolving even local zones configured with stub-zone and stub-addr directives. This was unexpected: stub-zones are supposed to work “without referring to the public Internet” per the unbound.conf manual page.
To mitigate the issue I wanted to have backup name servers in resolv.conf (ones using a different Internet connection) even on the resolving name server hosts themselves. With resolvconf that boiled down to creating /etc/default/resolvconf with the following setting in it:
TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS=no
This way name servers configured in /etc/network/interfaces (using dns-nameservers directives) are included in resolv.conf even when unbound has been started.
However, this is a poor workaround, as I don’t have multiple Internet connections at every site.
- After some too-frequent freezing of my Cisco 877 routers I’ve downgraded them from 15.1M to 12.4T. As they are EOL already, it’s time to look for replacements.
- How to create an L2TP IPsec tunnel to NetBSD so it works with your Android phone, iPhone or other iOS device, Mac OS X, and a bunch of other things as well.
- CloudFlare must be rolling out new changes: I’ve seen the NetBSD Planet fail with a “cloudflare-nginx” generated “500 Internal Server Error” for an hour or two the past couple of nights. Last night at around 9pm UTC it happened again and didn’t recover. I changed the backend from an IPv6 address to IPv4 and that brought the site back. Eventually we’ll have to live with just IPv6 addresses, so this is an unfortunate regression on CloudFlare’s part.