News items for tag homeserver - Koos van den Hout

2018-07-19 Configuring sendmail authentication like imaps access to allow secondary passwords 1 month ago
I needed to configure authenticated access to sendmail because I want a strict SPF record for idefix.net, which means all outgoing mail always has to originate from the right server.

For the sendmail authenticated SMTP part I used How to setup and test SMTP AUTH within Sendmail, with some configuration details from Setting up SMTP AUTH with sendmail and Cyrus-SASL. To get this running at all, saslauthd is needed to do the authentication, and I decided to let it use the PAM authentication mechanism. The relevant part of sendmail.mc:
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
And now I can log in to sendmail only in an encrypted session. And because sendmail and other services now have valid certificates, I can set up all devices to fully check the certificate, which makes intercepting this password difficult.
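A check for the behaviour the p flag in confAUTH_OPTIONS is meant to give (no LOGIN/PLAIN offered until STARTTLS is up), as an added example that is not part of the original post: the EHLO replies in the tests are constructed, and the host name passed to probe() is an assumption.

```python
"""Verify that an SMTP server advertises AUTH only inside TLS."""
import smtplib
import ssl

# Mechanisms a passive eavesdropper can read when offered without TLS.
WEAK = {"LOGIN", "PLAIN"}


def auth_mechanisms(ehlo_reply: bytes) -> set:
    """Collect the mechanisms listed on AUTH lines of an EHLO reply.

    Accepts a raw reply ("250-AUTH LOGIN PLAIN") as well as the form
    smtplib.SMTP.ehlo() returns, where the "250-" prefix is already
    stripped. Sendmail can also emit the legacy "AUTH=LOGIN PLAIN" spelling."""
    mechs = set()
    for raw in ehlo_reply.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        keyword, _, rest = line.partition(" ")
        if keyword.upper().startswith("AUTH="):
            rest = keyword[5:] + " " + rest
            keyword = "AUTH"
        if keyword.upper() == "AUTH":
            mechs.update(m.upper() for m in rest.split())
    return mechs


def evaluate(before_tls: bytes, after_tls: bytes) -> tuple:
    """Return (ok, reason): ok when the plaintext session offers no weak
    mechanism and the TLS session offers at least one mechanism."""
    plain = auth_mechanisms(before_tls)
    tls = auth_mechanisms(after_tls)
    if plain & WEAK:
        return False, "plaintext session offers " + ",".join(sorted(plain & WEAK))
    if not tls:
        return False, "no AUTH offered inside TLS"
    return True, "AUTH only inside TLS: " + ",".join(sorted(tls))


def probe(host: str, port: int = 587) -> tuple:
    """Live check against a server; the certificate is verified, as the post wants."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, before = smtp.ehlo()
        smtp.starttls(context=ctx)
        _, after = smtp.ehlo()
    return evaluate(before, after)
```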

After I got that working I decided I wanted 'secondary passwords', just like the extra passwords I configured for IMAPS access, so I set up /etc/pam.d/smtp to allow passwords other than the unix password and to restrict access to the right class of users.
auth    required    pam_succeed_if.so quiet user ingroup users
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient  pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
Now I can set up the devices that insist on saving the password for outgoing SMTP, and if that password ever gets compromised I just have to change it without it biting me too hard.
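The control flags decide which password gets through, and their order matters. The following is an added model of Linux-PAM's flag handling walking exactly the four lines above; it is not PAM's code or the post's, and it uses constructed accounts with plaintext stand-ins for the hashed databases. Note that a unix password success jumps over the pam_userdb line and lands on the requisite pam_deny line, so in this stack only the secondary passwords from the extrausers database are accepted.

```python
"""Model of how Linux-PAM walks the auth stack in /etc/pam.d/smtp."""
# Constructed sample data for the model (not real accounts or hashes).
GROUPS = {"users": {"koos"}, "daemon": {"daemon"}}
UNIX_PASSWORDS = {"koos": "unix-secret"}       # stand-in for /etc/shadow
EXTRAUSERS = {"koos": "device-only-secret"}    # stand-in for the pam_userdb file


def pam_succeed_if_ingroup(group):
    """pam_succeed_if.so user ingroup <group>"""
    return lambda user, password: user in GROUPS.get(group, set())


def pam_unix(user, password):
    """pam_unix.so; the model compares plaintext, real PAM compares crypt(3) hashes."""
    return UNIX_PASSWORDS.get(user) == password


def pam_userdb(user, password):
    """pam_userdb.so use_first_pass: the same password tried against the extra database."""
    return EXTRAUSERS.get(user) == password


def pam_deny(user, password):
    return False


# The four lines of /etc/pam.d/smtp, in order.
SMTP_AUTH_STACK = [
    ("required", pam_succeed_if_ingroup("users")),
    (("success", 1), pam_unix),        # [success=1 default=ignore]
    ("sufficient", pam_userdb),
    ("requisite", pam_deny),
]


def run_auth_stack(stack, user, password):
    """Return True when the stack grants access.

    required:   a failure is remembered, later modules still run
    requisite:  a failure ends the stack at once with a denial
    sufficient: a success ends the stack with a grant unless a required
                module already failed; a failure is ignored
    [success=N default=ignore]: a success skips the next N modules,
                a failure is ignored
    Reaching the end grants only if something succeeded and no required
    module failed."""
    required_failed = False
    granted = False
    skip = 0
    for control, module in stack:
        if skip:
            skip -= 1
            continue
        ok = module(user, password)
        if control == "required":
            if ok:
                granted = True
            else:
                required_failed = True
        elif control == "requisite":
            if not ok:
                return False
            granted = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        else:                                  # ("success", N) jump
            if ok:
                granted = True
                skip = control[1]
    return granted and not required_failed


def smtp_auth(user, password):
    return run_auth_stack(SMTP_AUTH_STACK, user, password)
```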

2018-06-17 Apache 2.2 Proxy and default block for everything but the .well-known/acme-challenge urls 2 months ago
I'm setting up a website on a new virtual machine on the new homeserver and I want a valid letsencrypt certificate. It's a site I don't want to migrate so I'll have to use the Apache proxy on the 'old' server to allow the site to be accessed via IPv4/IPv6 (for consistency I am now setting up everything via a proxy).

So first I set up a proxy to pass all requests for the new server to the backend, something like:
        ProxyPass / http://newsite-back.idefix.net/
        ProxyPassReverse / http://newsite-back.idefix.net/
But now the requests for /.well-known/acme-challenge also go there, and they are blocked by the username/password requirement since the new site is not open yet.

So to set up the proxy correctly AND skip the username checks for /.well-known/acme-challenge the order has to be right: in the ProxyPass rules the rule for the specific URL has to come first, and in the Location setup it has to come last.
        ProxyPass /.well-known/acme-challenge !
        ProxyPass / http://newsite-back.idefix.net/
        ProxyPassReverse / http://newsite-back.idefix.net/

        <Location />
        Deny from all
        AuthName "Site not open yet"
        [..]
        </Location>

        <Location /.well-known/acme-challenge>
            Order allow,deny
            Allow from all
        </Location>
And now the acme-challenge is answered locally on the server and all other requests get forwarded to the backend after authentication.

2018-05-03 The preferring IPv6 policy is working 3 months ago
Yesterday I changed some IPv4 addresses on virtual machines on the new homeserver to make autofs work. This is a known issue with autofs: autofs does not appear to support IPv6 hostname lookups for NFS mounts - Debian Bug #737679, and for me the easy solution is to do NFS mounts over RFC 1918 IPv4 addresses. I prefer autofs over 'fixed' NFS mounts for filesystems that are nice to have available but aren't needed constantly.

It took about 9 hours before arpwatch on the central router noticed the new activity. I guess the policy to try to do everything over IPv6 is working.

2018-04-24 KVM and os-specific defaults 3 months ago
Today I wanted to install a new virtual machine on the new homeserver and virt-install gave me a new warning:
WARNING  No operating system detected, VM performance may suffer. Specify an OS with --os-variant for optimal results.
According to the virt-install manpage the value for --os-variant can be found with osinfo-query os, which I can't find in Devuan jessie. But the same information is available via Installing Virtual Machines with virt-install, plus copy pastable distro install one-liners.

I chose debian7 as that is probably the closest to Devuan jessie, which I upgrade to Devuan ascii immediately.

The interesting change is that the resulting Linux suddenly has virtio network cards and a disk /dev/vda. That last bit is quite different from earlier virtual machines.

2018-04-06 Keeping squid webproxy running for network mismatches 4 months ago
I considered no longer using squid when upgrading to the new homeserver, but I have now changed that decision: I need to keep it running for applications that want to make http connections to IPv6-only systems but can't handle IPv6 themselves. There are some old scripts running that need it, but it's also the way to fix the problem I noticed with linuxcounter.

2018-03-15 Working on having the right IP address in the apache logs 5 months ago
I noticed the access_log for various websites being tested on the new homeserver all had the IPv6 address of the haproxy I configured in the logs, and not the original client IP address.

The fun bit is that I had set up the right Apache mod_remoteip settings, RemoteIPHeader and RemoteIPInternalProxy, and this was tested and working with Require ip rules. But it turns out the default logging formats use the %h logging variable, which is not changed by mod_remoteip. Since I want IPv6/IPv4 addresses in the logs that can be resolved later, I changed to the %a variable, which is the client IP address and is changed by mod_remoteip.

Changed options:
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%a %{HOST}i %l %u %t \"%r\" %s %b %{User-agent}i %{Referer}i -> %U" vcommon
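What mod_remoteip does before %a is logged, and why RemoteIPInternalProxy matters, as an added model that is not Apache's code or the post's: the header is only consulted while the current address is one of the listed proxies, so a client that sends its own X-Forwarded-For straight to the web server cannot change what gets logged. The proxy and client addresses are constructed for the example.

```python
"""Model of the RemoteIPHeader walk mod_remoteip performs per request."""
import ipaddress

# RemoteIPInternalProxy list: the haproxy in front of the web servers
# (constructed addresses, an assumption for this example).
INTERNAL_PROXIES = [ipaddress.ip_network("2001:db8:1::10/128"),
                    ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr, proxies=INTERNAL_PROXIES) -> bool:
    return any(addr in net for net in proxies)


def effective_client_ip(peer: str, header_value: str, proxies=INTERNAL_PROXIES) -> str:
    """Derive the address %a logs from the TCP peer and the X-Forwarded-For value.

    Start with the peer. While the current address is an internal proxy and
    header values remain, take the rightmost value as the new client. The
    first address that is not an internal proxy is the client; a header
    from a peer that is not a proxy is never consulted, and an unparsable
    value stops the walk at the last good address."""
    client = ipaddress.ip_address(peer)
    hops = [h.strip() for h in header_value.split(",") if h.strip()] if header_value else []
    while hops and is_internal(client, proxies):
        candidate = hops.pop()
        try:
            client = ipaddress.ip_address(candidate.strip("[]"))
        except ValueError:
            break
    return str(client)


def log_fields(peer: str, header_value: str, proxies=INTERNAL_PROXIES) -> dict:
    """The two addresses Apache can log for one request: the peer (%{c}a)
    and the client after mod_remoteip (%a)."""
    return {"%{c}a": peer,
            "%a": effective_client_ip(peer, header_value, proxies)}
```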

2018-01-27 I caused an interesting problem with the VDSL pppoe session 6 months ago
Normally being active on certain HF bands causes one-time VDSL disconnects, but what I have currently done seems to have triggered something else. After the connection dropped it refuses to come back at the moment. The entire session looks like:
22:49:28.466922 PPPoE PADI [Service-Name]
22:49:28.490394 PPPoE PADO [AC-Name "dr12.d12"] [Service-Name] [AC-Cookie 0xA3FE109A222CE73945C23FCE85E03F83] [EOL]
22:49:28.490603 PPPoE PADR [Service-Name] [AC-Cookie 0xA3FE109A222CE73945C23FCE85E03F83]
22:49:28.517063 PPPoE PADS [ses 0x40c] [Service-Name] [AC-Name "dr12.d12"] [AC-Cookie 0xA3FE109A222CE73945C23FCE85E03F83] [EOL]
22:49:28.575266 PPPoE  [ses 0x40c] LCP, Conf-Request (0x01), id 72, length 16
22:49:28.575776 PPPoE  [ses 0x40c] LCP, Conf-Request (0x01), id 99, length 22
22:49:28.575798 PPPoE  [ses 0x40c] LCP, Conf-Reject (0x04), id 72, length 10
22:49:28.589161 PPPoE  [ses 0x40c] LCP, Conf-Ack (0x02), id 99, length 22
22:49:28.589164 PPPoE  [ses 0x40c] LCP, Conf-Request (0x01), id 73, length 12
22:49:28.589666 PPPoE  [ses 0x40c] LCP, Conf-Ack (0x02), id 73, length 12
22:49:28.589682 PPPoE  [ses 0x40c] LCP, Echo-Request (0x09), id 0, length 10
22:49:28.589693 PPPoE  [ses 0x40c] CCP, Conf-Request (0x01), id 89, length 17
22:49:28.589702 PPPoE  [ses 0x40c] IPCP, Conf-Request (0x01), id 89, length 18
22:49:28.589711 PPPoE  [ses 0x40c] IP6CP, Conf-Request (0x01), id 89, length 16
22:49:28.603265 PPPoE  [ses 0x40c] LCP, Echo-Reply (0x0a), id 0, length 10
22:49:28.603267 PPPoE  [ses 0x40c] LCP, Term-Request (0x05), id 74, length 6
22:49:28.604033 PPPoE  [ses 0x40c] LCP, Term-Ack (0x06), id 74, length 6
22:49:31.623454 PPPoE PADT [ses 0x40c] [Generic-Error "RP-PPPoE: System call error: Input/output error"] [AC-Cookie 0xA3FE109A222CE73945C23FCE85E03F83]
So in the end the router at my ISP decides to terminate the connection. When the connection failed I decided to change the configuration to use the kernel mode pppoe driver, but after this started happening I reverted that change. Which made no difference: the connection is still not coming up.

Update: I went looking at other changes I made to enable the pppoe server test and reverting the /etc/ppp/pap-secrets file to its original format fixed the problem. I guess I somehow started to authenticate the remote end.

And changing from user-mode pppoe to kernel-mode pppoe does lower the MTU to 1492, so that test is also finished. Back to user-mode pppoe.

2018-01-25 Building a testing server for pppoe 6 months ago
The new homeserver will have to run the same pppoe client setup as the current server. But I want to get the whole setup tested before the migration to minimize disruption.

Since I'm not going to get a free extra VDSL line and VDSL modem to test with, and the complicated part is the pppoe and ppp client part, I decided to use a test vlan and set up a pppoe-server and ppp server on that vlan.

The pppoe server part is started with
# pppoe-server -I eth0.99 -C kzdoos -L 172.16.19.1 -R 172.16.21.19
And it's indeed available from the client:
# pppoe-discovery -I eth2
Access-Concentrator: kzdoos
Got a cookie: 84 39 c6 51 13 fe 32 00 2c 06 2a b4 38 0e 30 87 46 7b 00 00
--------------------------------------------------
AC-Ethernet-Address: 00:1f:c6:59:76:f6
So that part works. Next is to get an actual ppp session working over it.

The server part was a bit of work as I want the whole configuration tested, including password checks. Server configuration in /etc/ppp/pppoe-server-options on the server system:
require-pap
lcp-echo-interval 10
lcp-echo-failure 2
hide-password
noipx
ipv6 ,
And the client configuration in /etc/ppp/peers/dray-vdsl:
user testkees
password topsecret
+pap
noauth
noipdefault
ipv6 ,
ipv6cp-use-persistent
defaultroute
persist
maxfail 0
noproxyarp
ipparam xs4all
lcp-echo-interval 10
lcp-echo-failure 6
pty "pppoe -I eth2"
Lots of options to make the setup exactly the same as the current one. It took a lot of tries before password authentication was working. I could not get the client-side password in /etc/ppp/pap-secrets to work, but as shown above the password in the ppp configuration did work.

And the setup in /etc/network/interfaces on the client is just the same as the known configuration:
iface pppdray inet ppp
        provider dray-vdsl

And it works!
# ifup pppdray
Plugin rp-pppoe.so loaded.
# ifconfig ppp0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 172.16.21.45  netmask 255.255.255.255  destination 172.16.19.1
        inet6 fe80::5254:ff:fe3c:2014  prefixlen 10  scopeid 0x20<link>
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 9  bytes 252 (252.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 202 (202.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# ping -c 3 172.16.19.1
PING 172.16.19.1 (172.16.19.1) 56(84) bytes of data.
64 bytes from 172.16.19.1: icmp_seq=1 ttl=64 time=0.721 ms
64 bytes from 172.16.19.1: icmp_seq=2 ttl=64 time=0.436 ms
64 bytes from 172.16.19.1: icmp_seq=3 ttl=64 time=0.449 ms

--- 172.16.19.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2029ms
rtt min/avg/max/mdev = 0.436/0.535/0.721/0.132 ms
The mtu is not yet what I want, but the session is alive.

2018-01-03 Fixing stuff in The Virtual Bookcase for PHP 7 7 months ago
After spending an evening fixing scripts on The Virtual Bookcase to make them run in PHP 7 and make them safer at the same time I came to the conclusion that I still don't like php.

My conclusion is that if I want to maintain sites I'd rather redo them in perl. I noticed any serious maintenance on the scripts of The Virtual Bookcase was 9 years ago (!). That was also when I had the habit of writing maintenance scripts in perl and web code in php. The upside is that a part of the page-generating code is already available in perl.

But a rewrite is a task for another day. For now the site works cleanly in PHP 7 (and 5) and I can go on to the next task for moving the homeserver.

2018-01-01 Making my own web stuff more robust 7 months ago
In building the new homeserver there is also time to test things and improve robustness a bit (although I should not overdo it).

The one thing that forces me to look at some web-code again is that the new servers run PHP version 7. Some of my code is giving warnings, time to fix that. But I haven't written any serious PHP in ages, I just rewrote sites in mod_perl. So my PHP is rusty and needs work, especially with PHP 7.

It's a good thing I use version management, which allows me to test the fixes on the development version(s) of the site and push them to the production version when I'm happy with the results.

Some of the things I notice that could improve go on the todo list. One thing I did notice and fixed right away was that the CVS metadata inside the web directories could be requested too. Although I find no serious security information in there, it is still an unwanted information leak.

2017-12-28 Learning Apache 2.4 access control 7 months ago
Before I expose anything to the outside world I want the access controls to work as I expect, but things have changed a lot in Apache 2.4.

The standard for a site that's normally available is now, in 2.4:
        <Directory "/home/httpd/idefix/html">
                Require all granted
        </Directory>
(and any other needed options). But for development systems I want a username/password prompt to access them. This part took a bit of work to get right. First I found that Upgrading to 2.4 from 2.2 - Apache HTTP Server Version 2.4 has a repeating typo in the authorization samples:
AuthBasicProvider File
isn't going to work, giving
Unknown Authn provider: File
error messages. The right bit is:
AuthBasicProvider file
The difference one letter makes.

That still did not give me a working configuration, leading to interesting errors in the log of the type:
AH00027: No authentication done but request not allowed without authentication for /. Authentication not configured?
Which turned out to be a missing bit in the samples in the same document: the AuthType is needed too.

The full now working access rule is:
    <Location "/">
        AuthType Basic
        AuthBasicProvider file
        AuthUserFile /home/httpd/data/sitemanagers
        AuthName "Koos z'n Doos beheer"
        <RequireAny>
            Require valid-user
        </RequireAny>
    </Location>
The use of RequireAny allows me to add trusted IP ranges, so that the site is reachable from a trusted IP address or after using HTTP basic authentication.

The good news is that the samples in Authentication and Authorization - Apache HTTP Server Version 2.4 are correct.

2017-12-28 Getting haproxy to do what I want 7 months ago
In the new homeserver I want a haproxy running on the "router" so it can route http requests to the right backend. At the moment I am testing this, and after the 'http' config I'm now testing the 'https' part. To keep things consistent, things that come in via https also get requested via https from the backends.

For testing I have some ports on the main server forwarded to haproxy so I can test with all aspects of host-header based routing. After some searching I found out that when I visit http://developer.urlurl.org:8080/ the header is set to
Host: developer.urlurl.org:8080
And this wasn't routed to the 'development' server. The production server is the 'default', so I searched for the right incantation to test the domain name part and found:
acl devsite hdr_dom(host) -i developer.urlurl.org
And now it's a config that will test on developer.urlurl.org port 8080 and will run on port 80 too. I like configurations that I can test before bringing them into production.

2017-12-28 Non-predictable interface names biting me 7 months ago
While doing some upgrades on the new homeserver I ran into a problem with the tun/tap network driver, which is needed for virtual machines, giving the error message
Dec 27 21:41:51 conway kernel: [  266.832675] tun: Unknown symbol dev_get_valid_name (err 0)
Since virtual machines are the main thing to run on this machine I needed this driver to work. Searching for solutions found the suggestion to reinstall the linux kernel image, which I did:
# apt-get install --reinstall linux-image-$(uname -r)
# apt-mark auto linux-image-$(uname -r)
After which the system came up fine, but seemingly without a network connection. This is irritating as the homeserver is in the attic, and I found out the VGA screen up there does not cooperate with the new server. So another VGA screen got dragged up there to fix it.

Some searching later I found the eth2 and eth3 interfaces got swapped from what I expected. These are the two mainboard interfaces, both Intel interfaces but with different chipsets. There is a /etc/udev/rules.d/70-persistent-net.rules which sets this up, but it isn't working at the moment:

In the system logs:
[    2.833442] udevd[542]: Error changing net interface name eth2 to eth3: File exists
[    2.834309] udevd[542]: could not rename interface '4' from 'eth2' to 'eth3': File exists
[    2.866356] udevd[538]: Error changing net interface name eth3 to eth2: File exists
[    2.868197] udevd[538]: could not rename interface '5' from 'eth3' to 'eth2': File exists
Maybe different names that don't start with eth will work better to get truly persistent names, as the current situation isn't very stable or reliable.

After all the work the tun/tap driver works again so the virtual machines now start fine.

2017-11-10 Really disabling framebuffer on a modern linux 9 months ago
Framebuffer is nice, but I want it really disabled on my new homeserver 2017 because that will end up in the attic where I don't want a repeat of the earlier Linux-related radio interference problem. And for virtual machines it's a bit of overkill too.

To disable the framebuffer in both grub and the running Linux it has to be disabled twice, both in /etc/default/grub, which now has these two lines:
GRUB_CMDLINE_LINUX_DEFAULT="nomodeset"

GRUB_TERMINAL=console

2017-11-10 NFSv4 on the synology isn't complete NFSv4 until you do some special configuration 9 months ago
This solution fails the moment I start using rsync to sync directories to the Synology. Update to follow when I find out where that goes wrong.

I am now using a synology for storage in the home network. Linux clients use NFS to access the Synology, and nowadays the default NFS version is version 4, which does things quite differently from version 3. NFS version 4 is supposed to use user names with NFS domain names and rpc.idmapd instead of numeric user and group IDs.

After serious debugging I found out NFSv4 with the synology doesn't use names as I expected. I kept looking at NFS client settings, but eventually I used tcpdump, wireshark and tshark to find out owner names aren't used at all. Numerical UIDs are sent as text in the NFSv4 answers, even for files whose owner is known on the synology. As if nfs4_disable_idmapping=0 is never set for the NFS server.

I confirmed this by capturing the NFS traffic with tcpdump and analyzing the pcap files with wireshark and tshark. I indeed see:
                        reco_attr: Owner (36)
                            fattr4_owner: 1026
                                length: 4
                                contents: 1026

A lot of google searching confirms this, including anyone have nfsv4 actually working? - Synology Forum. The next step is to adjust the idmapping in the running kernel on the synology, using:
# echo N > /sys/module/nfsd/parameters/nfs4_disable_idmapping
Now I indeed see the right strings in the NFSv4 traffic, but the idmapd on the client doesn't translate for some reason. Fixing the /etc/idmapd.conf file helped.

The next step is to make this change permanent on the synology. Adding a file /etc/modules.local.conf with
module_nfsd_args="nfs4_disable_idmapping=0"
does the trick. This I learned from reading the startup file /etc/rc.subr which loads the kernel modules.

And now I see the right data in the NFS traffic:
                        reco_attr: Owner (36)
                            fattr4_owner: koos@idefix.net
                                length: 15
                                contents: koos@idefix.net
And the user mapping works. On an older system I have UID 501, on the synology I have UID 1026 and on a new system I have UID 1000, and I'm owner of the files everywhere.

2017-10-11 Haproxy on the new home server and devuan upgrades 10 months ago
I got around again to working on the new homeserver 2017 and I worked on the installation of a 'testing' virtual machine with virt-install. This test machine also runs devuan linux. The first application I was testing on there is haproxy.

In haproxy I noticed some defaults I did not expect (such as preferring IPv4 over IPv6). It seems 'stable' devuan has the same age issues as 'stable' debian. Otherwise haproxy does what it is supposed to do and I may standardize on it.

Upgrading was easy, I looked at Upgrading Devuan Jessie to Ascii and just changed jessie to ascii in /etc/apt/sources.list and did an apt-get dist-upgrade. The only minor issue afterwards is that the system now insists on using framebuffer video, which I find overkill for a virtual machine. VGA 80x25 is fine.

2017-07-28 Already doing a casemod on the new home server 1 year ago
The new homeserver 2017 has arrived and I'm working on installing it. But first I had to do my first 'casemod' which was just rerouting a few cables. The case comes with a fan control, but I want all fan control to come from the mainboard and monitor the fans from the operating system. So I disconnected the fans from the case fan control and reconnected them to fan connectors on the mainboard that allow for voltage based fan control and monitoring.

The case is a bit overkill, but looks really good and offers lots of routes for airflow. New to me was that the case has cableguides which allow it to look really nice internally and have really good airflow. So I used those cableguides when I rerouted the fan cables and even tie-wrapped the cables to keep them looking nice.

2017-04-19 And now the MTU of the VDSL PPPoE session is indeed 1500 1 year ago
Recently 'Coen' posted a step-by-step plan in xs4all.adsl to get the MTU of the PPP connection to 1500 bytes under Ubuntu 12.04. All credit to Coen, because with his plan I did manage it and everything is now MTU 1500 end to end, which should give fewer issues.
After a pleasant evening of fiddling I managed to solve this retroactively
for Ubuntu 12.04 with a new pppd and pppoe version.

For those who dare and also have some Linux experience, here are the steps
to follow:

Build a new pppd:

mkdir ppp
cd ppp
apt-get source ppp
cd ppp-2.4.5/
wget -O debian/patches/zz_pppoe1500 "http://git.ozlabs.org/?p=ppp.git;a=patch;h=fd1dcdf758418f040da3ed801ab001b5e46854e7"
dch -i
dpkg-buildpackage -us -uc

[[install ppp and ppp-dev]]

Build a new pppoe:

mkdir pppoe
cd pppoe
wget -4 http://archive.ubuntu.com/ubuntu/pool/universe/r/rp-pppoe/rp-pppoe_3.11-0ubuntu1.dsc
wget http://archive.ubuntu.com/ubuntu/pool/universe/r/rp-pppoe/rp-pppoe_3.11.orig.tar.gz
wget http://archive.ubuntu.com/ubuntu/pool/universe/r/rp-pppoe/rp-pppoe_3.11-0ubuntu1.debian.tar.xz
tar -xzvf rp-pppoe_3.11.orig.tar.gz
cd rp-pppoe-3.11/
tar -xf ../rp-pppoe_3.11-0ubuntu1.debian.tar.xz
dch -i
dpkg-buildpackage -us -uc

[[install pppoe]]

Set the MTU to 1500: done!
From a separate client MTU 1492 still seemed to be used, so I adjusted /etc/radvd.conf to explicitly announce MTU 1500:
interface eth0.3
{  
   AdvSendAdvert on;
   AdvLinkMTU 1500;
And then the further options. And then it indeed works:
koos@kernighan:~$ tracepath6 ping.xs4all.nl
 1?: [LOCALHOST]                        0.018ms pmtu 1500
 1:  eth0-3.idefix.net                                     1.983ms 
 1:  eth0-3.idefix.net                                     1.858ms 
 2:  lo0.dr12.d12.xs4all.net                              17.910ms 
 3:  0.ae22.xr3.3d12.xs4all.net                           17.957ms 
 4:  no reply

2017-02-06 Squeezing a bit more powersaving from Linux 1 year ago
The c't magazine this month had a few tips on Linux powersaving. I tried them on the homeserver and indeed saw a very slight reduction in power use as logged by the UPS.

For powersaving in sound card(s):
# echo 1 > /sys/module/snd_hda_intel/parameters/power_save
This can cause plopping sounds on some sound cards.

For powersaving in disk communication:
# cd /sys/class/scsi_host/
# for i in host*/link_power_management_policy; do echo min_power > "$i"; done

2017-01-23 The missing piece for a larger MTU with VDSL on a DrayTek Vigor 130 and Ubuntu 1 year ago
About a year ago I switched to the Draytek Vigor 130 VDSL modem to get back to a configuration where I have maximum control.

The still open point is that I'd like the ppp configuration to go to an MTU of 1500 bytes. And that this didn't work at the time, in Vigor VDSL modem in use and Xs4all VDSL with DrayTek Vigor 130 VDSL modem and PPP endpoint on Linux (ubuntu) server.

What I already had right was the MTU of the ethernet interfaces set higher and the checkbox on the Draytek adjusted. But when I forced the mtu/mru higher in the ppp options it went wrong.

Now this came by in xs4all.general on this subject:
> 1500 is supported by Xs4all and you first test at 1492 which packet
> gets through via ping without being broken into pieces.
> Then you set the MTU to 1500 and see whether you can indeed push 8 bits more
> through the router without it being fragmented.

Do make sure that the device where you terminate the PPPoE implements
RFC4638.
It then has to put an extra tag in the PADI (PPP payload is 1500
bytes), and the BRAS also puts that in its PADO reply.
Just using a larger MTU won't work...
My PPPoE session comes from the home server using rp-pppoe. A bit of searching taught me that for rp-pppoe with MaxPayload negotiation I need at least version 3.11, and the current ubuntu version still ships 3.8. Time to test a newer version.
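The RFC 4638 exchange described above, as an added example that is not rp-pppoe's code or part of the original post: a PADI carrying the PPP-Max-Payload tag, and the decision a client takes from the PADO. The PADO bytes are constructed (the AC-Name is copied from the tcpdump earlier on this page, the cookie is made up), and the parser checks every length before using it so a truncated packet is rejected.

```python
"""PPPoE discovery with the RFC 4638 PPP-Max-Payload tag."""
import struct

# Discovery codes and tag types from RFC 2516 and RFC 4638.
VER_TYPE = 0x11
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS, CODE_PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE, TAG_GENERIC_ERROR = 0x0103, 0x0104, 0x0203
TAG_PPP_MAX_PAYLOAD = 0x0120        # RFC 4638: "I can carry this PPP payload"
PPPOE_DEFAULT_PAYLOAD = 1492        # what a client must assume without the tag


def build_discovery(code, session_id, tags):
    """Serialise one discovery packet (PADI/PADO/...) with its tag list."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse_discovery(frame):
    """Return (code, session_id, [(tag_type, value), ...]).

    Every length is checked against the buffer before it is used, so a
    truncated or malformed packet raises ValueError instead of being
    read past its end."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE:
        raise ValueError("not PPPoE version 1 type 1")
    payload = frame[6:6 + length]
    if len(payload) != length:
        raise ValueError("payload shorter than header length")
    tags, off = [], 0
    while off + 4 <= len(payload):
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + tag_len > len(payload):
            raise ValueError("tag runs past payload")
        tags.append((tag_type, payload[off:off + tag_len]))
        off += tag_len
        if tag_type == TAG_EOL:
            break
    return code, session_id, tags


def is_malformed(frame):
    try:
        parse_discovery(frame)
    except ValueError:
        return True
    return False


def padi_with_max_payload(mtu=1500, host_uniq=b"\x00\x2a"):
    """PADI as an RFC 4638 capable client sends it: the PPP-Max-Payload
    tag carries the PPP payload size it wants (1500 for a full-size MTU)."""
    return build_discovery(CODE_PADI, 0, [
        (TAG_SERVICE_NAME, b""),
        (TAG_HOST_UNIQ, host_uniq),
        (TAG_PPP_MAX_PAYLOAD, struct.pack("!H", mtu)),
    ])


def negotiated_payload(pado, requested=1500):
    """Decide the PPP payload size from the access concentrator's PADO.

    In this model only a PADO that carries a PPP-Max-Payload tag counts as
    acceptance, and the usable size is the smaller of what was asked and
    what the AC put in the tag. Without the tag the client stays at 1492."""
    code, _, tags = parse_discovery(pado)
    if code != CODE_PADO:
        raise ValueError("expected a PADO")
    for tag_type, value in tags:
        if tag_type == TAG_PPP_MAX_PAYLOAD and len(value) == 2:
            return min(requested, struct.unpack("!H", value)[0])
    return PPPOE_DEFAULT_PAYLOAD


def sample_pado(with_max_payload):
    """Constructed PADO with or without the RFC 4638 tag (cookie made up)."""
    tags = [(TAG_AC_NAME, b"dr12.d12"), (TAG_SERVICE_NAME, b""),
            (TAG_AC_COOKIE, bytes(range(16)))]
    if with_max_payload:
        tags.append((TAG_PPP_MAX_PAYLOAD, struct.pack("!H", 1500)))
    tags.append((TAG_EOL, b""))
    return build_discovery(CODE_PADO, 0, tags)
```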

Update: For that both the pppoe binary and the rp-pppoe.so plugin for pppd have to be updated, and I'm not managing that at the moment. Fortunately I had deliberately kept the old pppoe binaries ready, so I could go back very quickly.
