Nov 08
Categories: sysadmin Tags: , , ,

I recently noticed that the downstream bit-rate on my ADSL modem was fluctuating. This can happen because the noise on the copper pair between the house and the exchange can vary over time. There isn’t much you can do about that, but it is possible to somewhat influence the performance at the house end by reducing the length of the wire from the master socket to the modem, by using better quality wire and even by disconnecting the bell terminal at the master socket.

But before making any changes, I needed to be able to monitor the effects, so I thought this Muinin plug-in was in order. This plugin monitors the upstream and downstream bit-rates of my ZyXEL Prestige P-660HWP-D1 ADSL modem. I’m sure it’ll work with any Prestige modem. Here is an example plot.

Munin graph of modem bitrates

Munin graph of modem bitrates from zyxel_prestige_adsl_chandata plugin

You can get the script here: http://ccgi.ambrosia.plus.com/debian/zyxel_prestige_adsl_chandata. See the documentation therein for set-up instructions.

You can see the bitrate drop twice during Friday evening. On Saturday morning I moved the modem from an extension socket to the master socket. Initial indications were that I had improved the downstream bitrate significantly. However by the evening you can see that it subsequently dropped back to a rate slightly lower than at the same time 24 hours earlier.

No Comments
Nov 03
Categories: opensource Tags: , ,

TWiki is a well established and popular open source wiki platform, of which there are many to choose from. I’ve used it for years and I like it a lot. I’d heard rumblings of a change at the project and I’ve just read a Slashdot article that gives a good summary of the recent goings on and their consequences. Unfortunately it seems that the sole owner of the TWiki trademark, Peter Thoeny, has found previously untapped commercial opportunites more compelling than the principles of the open source community that has built TWiki into what it is today. He has alienated most — if not all — of the development community and forced them to fork the code.

The new project hasn’t even named the successor to TWiki yet, so for now it’s being called nextwiki and is hosted at http://nextwiki.org/. Let’s wish the project every success in developing what I expect will be an even better wiki than ever.

No Comments
Oct 16

Moon Rings

By ste
Categories: Uncategorized Tags:

I’d heard about this effect before, but I hadn’t seen it for real. Well tonight we got a pretty good view of this halo effect around the moon. As the sunlight reflected from the moon passes through the clouds, hexagonal ice crystals refract it into a halo with a 22° radius and even a second one at 44°.

Here’s my attempt at a photograph of the effect. There are some prettier ones at http://www.lumis.com/pictures/Moon_Ring/.

Moon Rings over Horrabridge

Moon Rings over Horrabridge

1 Comment
Oct 13
Categories: funny Tags: , ,

I’ve been found out. This is me. Though, I don’t think it was an EEG back then…

No Comments
Oct 02
Categories: sysadmin Tags: , ,

How Shorewall Can Break OpenVPN

I’ve been administering OpenVPN for years now, and I’ve been quite happy with it. For the most part it’s given me very little grief. The only frequent problem comes from users with a personal firewall who unwittingly block all VPN traffic.

I’ve recently upgraded to version 2.0.9, without memorable incident. It has caused me, however, to revisit the problem I had with the old installation concerning MTUs. I had found — as have many others out there — that the only way to get a reliable tunnel over UDP was to fiddle with the various MTU and fragmentation parameters, settling on a configuration that apparently worked but without the satisfaction of understanding why.

This time round I left all that mssfix and fragment guff out of the configuration to see what would happen. Maybe it’s not necessary any more? Well apparently it won’t go away that easily. Once again I find that an OpenVPN client can connect reliably but cannot necessarily get any traffic through the tunnel. In fact it depends on the client: most users don’t have a problem, but one usually does. The distinguishing features of this client is that it’s across the pond in the US and that it’s connecting through a cable router (PPPoE). The evidence of the problem appears in the OpenVPN log like this:

Wed Oct  1 17:25:49 2008 69.19.60.64:33041 [fred] Peer Connection Initiated with 69.19.60.64:33041
Wed Oct  1 17:25:50 2008 fred/69.19.60.64:33041 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct  1 17:25:50 2008 fred/69.19.60.64:33041 SENT CONTROL [fred] 'PUSH_REPLY,route-gateway 10.0.10.254 255.255.255.0,route 192.168.0.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.150.1 255.255.255.255,route 172.16.0.0 255.255.255.0,route 172.17.0.0 255.255.255.0,ping 10,ping-restart 120' (status=1)
Wed Oct  1 17:31:21 2008 read UDPv4 [ECONNREFUSED]: Connection refused (code=61)
Wed Oct  1 17:31:31 2008 read UDPv4 [ECONNREFUSED]: Connection refused (code=61)
Wed Oct  1 17:31:41 2008 read UDPv4 [ECONNREFUSED]: Connection refused (code=61)
.
.
.
Wed Oct  1 17:34:15 2008 read UDPv4 [ECONNREFUSED]: Connection refused (code=61)
Wed Oct  1 17:34:26 2008 read UDPv4 [ECONNREFUSED]: Connection refused (code=61)
Wed Oct  1 17:34:35 2008 read UDPv4 [ECONNREFUSED]: Connection refused (code=61)
Wed Oct  1 17:34:45 2008 NOTE: --mute triggered...
Wed Oct  1 17:35:11 2008 fred/69.19.60.64:33041 3 variation(s) on previous 20 message(s) suppressed by --mute
Wed Oct  1 17:35:11 2008 fred/69.19.60.64:33041 [fred] Inactivity timeout (--ping-restart), restarting
Wed Oct  1 17:35:11 2008 fred/69.19.60.64:33041 SIGUSR1[soft,ping-restart] received, client-instance restarting

After some fresh research I now have a better grasp of what might be going on. Surprisingly, it would appear to be my Shorewall set-up that’s to blame.

Here’s the theory: the path between the client and the server has a reduced MTU (at the cable modem at the least) and that the path MTU discovery is not effective, causing the OpenVPN server to be unaware that its packets are not reaching the client. Why? Because the path MTU discovery is effected by sending an ICMP type 3 datagram from the node with the reduced MTU back to the sending server, and the example Shorewall configuration that I started from blocks all incoming ICMP except ping!

The example configuration I started from is in examples/three-interfaces/ in the distribution. The relevant section is as follows.

Ping/ACCEPT     loc             $FW
Ping/ACCEPT     dmz             $FW
Ping/ACCEPT     loc             dmz
Ping/ACCEPT     dmz             loc
Ping/ACCEPT     dmz             net

ACCEPT          $FW             net             icmp
ACCEPT          $FW             loc             icmp
ACCEPT          $FW             dmz             icmp

The default policy for net->$FW is DROP, so the configuration above does not permit any incoming ICMP packets except PING. Unless there’s some back-door exception for ICMP type 3 that I can’t see, the path MTU discovery will be broken by this configuration.

References

[1] – PMTU (Path MTU) Discovery – http://www.netheaven.com/pmtu.html

[2] – OpenVPN FAQ – http://openvpn.net/index.php/documentation/faq.html#mtu

No Comments
Sep 17
Categories: sysadmin Tags: , ,

I’ve been having intermittent problems with my internet access for a while (who hasn’t?) where everything would be really slow for a day or so and then it would mysteriously recover. I’d kick the modem, the squid cache, the local caching DNS server, etc but I was never sure where the problem lay.

Recently it got so bad that I investigated a bit harder. When it’s all gone bad (which is most of the time now, is seems) It looks like my DNS queries are transmitted as expected but the replies are never forthcoming. All the while I have solid connectivity. I can even flood ping the DNS servers that are not responding!

Before I go hassle my ISP, I thought I’d collect some evidence. Hopefully this will help me bypass the stupid “have you tried rebooting?” questions. So I’ve written a Munin plugin which I will configure to poll my ISP’s DNS servers. I expect that this will show that I frequently don’t get a response, in the evenings at least; I wonder if their traffic shaping is broken…

You can find the plugin at http://ccgi.ambrosia.plus.com/debian/dnsresponsetime. See the documentation therein.

Example daily plot from Munin plugin dnsresponsetime

Example daily plot from Munin plugin dnsresponsetime

No Comments
Aug 10
Categories: cycle, funny Tags:

Caution: Waves


Yesterday, having resigned myself to the fact that the front shifter on my shiny new bike is not nearly as shiny as the rest of it, I decided to go for a quick burn round any way. It was raining really hard which for me has some sort of perverse appeal — but only when it’s not cold — so these cloudburst style afternoons we’ve been having recently (all summer?) are just the ticket.

Without the use of the top chain ring, I reasoned a proper hilly route was in order so I decided to set off on the climb up to Harford. There’s the odd, brief decent on the way up and I realised it was just as well I couldn’t get into top gear, on account of already not being able to see very well in the pouring rain. Any faster and I really wouldn’t be able to see what I was crashing into.

So I’m having a nice time playing with the higher ratios, feeling the benefit of the lighter frame, liking the responsiveness of the 105 derailleur (the back one of course), noticing that the brakes cope better that I expected in the wet conditions, enjoying the view, all lovely. No, not the view actually. Three hundred yards of visibility isn’t a view.

Having reached the ‘summit’ I carried on in the direction of Cornwood below, brakes at the ready. This is when things got interesting. You see, all the fields above the lane are already saturated with days of rain and now they’ve just had who knows how many thousand gallons of extra rain tipped on them. The only place left for all this water to go was down the little lane that I’m pootling along. At first it was amusing, weaving between the little rivulets. But as I descended, more and more rainwater flooded the lane.

My little burn round the lanes became interesting. The gullies at the sides are bursting, the rivulets are ganging together in a concerted effort to form a stream, it’s still pouring and there’s no way left for me to go but down. I can’t actually see the tarmac any more, since there’s about an inch of rainwater flowing down it. There is a surreal effect as the whole lane ripples and ebbs, as if the tarmac has suddenly melted and is flowing away. If I stare down at the front wheel, it’s kind of dizzying. Don’t do that then.

This was becoming the kind of interesting that you don’t need. It’s getting steeper and it’s getting deeper, and my hands ache from the braking. I pass a sign: “Road works starting here for three weeks due to flood damage”. No kidding. Now I’m worried about disappearing into a hidden crevasse. My new bike might be hurt! It’s here that I encounter my first bit of traffic climbing up the hill. It’s a digger on caterpillar tracks. I feel somewhat outclassed in the using-the-appropriate-vehicle-for-the-conditions category. My mountain bike with its tractor tyres would be oh so much more appropriate right now but I’d left it at work, and besides, it’s not shiny new.

There are small waves in this river I’m cycling down now. I can see pebbles washing along in the water. Judging by how much of the front rim I cant see, I make it just over three inches deep now. This isn’t the kind of surfing I’m accustomed to.

Ah, I reach the bottom of the hill and the humpback bridge, under which a raging torrent runs, bolstered by the lane I’ve come down. Back on dry land at last, phew. Well, not actually dry of course, but it’s not moving past me any more. This counts as dry by recent experience. There’s a car here with a couple in it, looking thoughtfully up the hill, and with amusement at the plonker coming down it. I stop to give them the benefit of my recent experience. He winds down the window and I notice him glance down to where the water is gushing over my shoe and around my ankle. He doesn’t comment. I adopt the manic smile of the soggy and relieved, and advise him that the way is passable. He’s got four wheels after all.

I look back as I cycle on to Cornwood. They’re still peering up the hill. They didn’t believe me. Fair enough, I wouldn’t if I was me. I got a laugh from the sign by the road in Cornwood. I looked back to read: “Caution. Uneven Surface”. Funny.

2 Comments
Aug 09
Categories: cycle Tags:

So the new bike experience has propelled me into the blogosphere, in which I will enthuse accordingly. Since this blog comes about somewhat after the fact of choosing, purchasing and receiving said bike, a little history first…

BNB (Before New Bike)

When I was at school I cycled a lot, especially in the summer holidays. At uni I cycled lots too. It was then that I built a road bike from a new cro-moly frame; Shimano 105 chain-set; decent Mavic rims; and from parts cannibalised from the bike’s predecessor. I was actually fit then. I could do crazy things like cycle from Bangor to the base of Snowdon, jog to the top, eat a banana, jog back down again and cycle back to Bangor all in good time for lunch. Then I got work, got car, got fat, etc. Got a mountain bike (Haro Escape A1) and played with that on and off for years.

For the past couple of seasons, I’ve got back into riding the old road bike — yes the same old bike. But I really wanted to replace it with a shiny new one that would weigh considerably less and go as fast as possible. With the birthday coming up, I awarded myself a New Bike present. (It’s socks and jumpers for years, then I splash out). It wouldn’t be hard to end up with something lighter than the old steel frame by choosing an alloy model; I decided that a carbon frame was a technology too far for me (late adopter remember) never mind the impressive cost. So I searched for a road racer with an alloy frame, carbon forks and as good a group-set as I could justify.

Giant SCR 1 2008.5

I chose the Giant SCR 1 2008.5. During my Googlings, I found the blog eep! where a similar story of bike joy has recently played out. There’s a mini review of the SCR 1 there. Truth be told, I was suffering from bike and blog envy, so here I am correcting the balance.

ANB (After New Bike)

Ash Cycles has a particularly good offer for the SCR 1 so I ordered quick before they ran out. It turned up promptly and I promptly fitted the wheels, adjusted the seat and set off for a quick blast. Then the front gear shifter promptly broke. My nice new bike experience went crash.
After discussing it with Ash today, we concluded that ‘broke’ was about as good a diagnosis as we could manage. He’s ordering a replacement lever for me so I hope that by, say, Thursday I’ll be sorted. Apologies to the wife for sulking miserably yesterday.

2 Comments
Aug 09
Categories: Uncategorized Tags:

Hello cruel world. It’s me, and this is my blog. Don’t expect much from here on. In fact, you might as well just surf off right now.

Still there? Oh, fine. Now I feel pressurised into writing something intelligent and interesting.

First off, why do I suddenly manage to get round to creating a blog today? I’m not exactly an early adopter, so now that blogging is old hat. here I am finally getting going. Actually, the answer to the question is that I’ve just finished my second ride on my new bike and I like it so much that I feel the need to write it down so that the whole world can know, and this blog is clearly going to meet that very objective. Well you’re still reading, right?

No Comments
previous page