News items for tag network - Koos van den Hout

2020-08-31 Adding static IPv4 routes for devices that still need those 1 month ago
I decided to have a look whether I can set up the static routes like those needed to get ads-b data out to plane finder via the dhcp server. This works a lot better than having to set those routes by hand after a reboot.

This can be done with the rfc3442 classless static routes extension in DHCP, which isn't supported out of the box by isc dhcpd. But there is support in the dhclient configuration on raspbian, so I only had to add the server side.

All the samples I could find for adding this to the server side added arrays of bytes which is harder to read/comprehend. I had a look at the dhcp-options manpage which showed the option to add a structured record with IPv4 addresses.

Main configuration adding the option:
option rfc3442-classless-static-routes code 121 = array of { integer 8, ip-address, ip-address };
# netmask bit count, destination, via
Specific host configuration using the option with the current address for Which may change!
        host joy {
            hardware ethernet b8:27:eb:ae:ad:47;
            option rfc3442-classless-static-routes 32;
This pushes route to via

Hosts that get this option via dhcp should ignore the default router option so if you need that too you will need to add a route for In my specific usecase I don't want to set a default IPv4 route.
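An added example (not part of the original post) that encodes option 121 the way RFC 3442 specifies and compares it with the bytes a fixed { integer 8, ip-address, ip-address } record carries, assuming the record is serialized as its fields back to back. RFC 3442 sends only the significant octets of the destination, so the two agree for prefix lengths 25 to 32, such as the /32 host route above, but not for shorter prefixes or a default route. The function names and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def encode_rfc3442(routes):
    """RFC 3442 wire format: width, significant destination octets, router."""
    out = bytearray()
    for width, dest, router in routes:
        if not 0 <= width <= 32:
            raise ValueError(f"bad prefix length {width}")
        significant = (width + 7) // 8  # ceil(width / 8) destination octets
        out.append(width)
        out += ipaddress.IPv4Address(dest).packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)

def encode_fixed_record(routes):
    """Bytes of a { integer 8, ip-address, ip-address } record:
    always 1 + 4 + 4 octets per route, whatever the prefix length."""
    out = bytearray()
    for width, dest, router in routes:
        out.append(width)
        out += ipaddress.IPv4Address(dest).packed
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)

def decode_rfc3442(data):
    """Parse option 121 payload as a client would; raise on malformed input."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        i += 1
        if width > 32:
            raise ValueError(f"bad prefix length {width}")
        significant = (width + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = data[i:i + significant] + bytes(4 - significant)
        i += significant
        router = data[i:i + 4]
        i += 4
        net = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(dest)}/{width}", strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes

def record_matches_rfc(routes):
    """True when the fixed-size record is byte-identical to RFC 3442."""
    return encode_fixed_record(routes) == encode_rfc3442(routes)

# Constructed sample routes: (prefix length, destination, router)
HOST_ROUTE = [(32, "192.0.2.10", "198.51.100.1")]
NET_ROUTE = [(24, "192.0.2.0", "198.51.100.1")]
DEFAULT_ROUTE = [(0, "0.0.0.0", "198.51.100.1")]

if __name__ == "__main__":
    for name, routes in (("host /32", HOST_ROUTE), ("net /24", NET_ROUTE),
                         ("default", DEFAULT_ROUTE)):
        print(name, "rfc3442:", encode_rfc3442(routes).hex(),
              "record:", encode_fixed_record(routes).hex(),
              "identical:", record_matches_rfc(routes))
```

For a route with a prefix shorter than /25, or for the default route mentioned above, the option value has to be written in the compact form, which is what the byte-array samples do.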

2020-05-01 Probable lightning damage to a network switch 5 months ago
Today I noticed weird problems with the network in a desktop computer. It kept losing packets on the local network, with other computers in the same switch having no problems. In the end I switched to a different network card in the same computer to get rid of the problem. And that solved the problem.

The most probable reason is a lightning storm that came very close yesterday evening.

Update: The original 'suspect' was an Intel E1000 network card which had the first problems so I changed to a different card in the same computer. A week or so later similar problems started happening with a different computer on the same switch. I changed the switch which made the problem go away.

On opening the suspect switch I saw a capacitor with a big bulge on the top so the internal power is probably unstable, which can be the root cause of really weird problems.

Update: The replacement switch has only 5 ports, so I ordered an 8-port switch (my home office needs enough ports). After putting the 8-port switch in place I tested with the Intel E1000 again and it worked fine.

2017-07-17 Wireless access-point TP-LINK TL-WDR4300 firmware 3 years ago
Recently the wireless access-point decided that I should not have access to the management interface. I even tried both the IPv4 address I assigned and the default IPv4 address it gets. And the last days I noticed strange delays, which may have been caused by channel overlaps. So I wanted access to the management interface to check the channel settings. I noticed the management interface decided to respond again on the IPv4 address I assigned, and I saw new firmware available which should also help with some stability issues.

Firmware upgraded, and after the upgrade and automatic reboot my access was gone again. Time for the suggested factory reset to get everything back to normal. Done, and I was able to set it up again from scratch with the right configuration.

Maybe I should start running some kind of wiki or something to keep internal documentation of my home network. I had a hard time remembering several details of my own setup recently.

2017-05-14 Upgrading the home network to shielded/foiled cable (s/ftp) 3 years ago
I was looking at on-line offers of shielded/foiled network cable and found out it's not that expensive anymore. And with the 'keystone' connectors it looks like it's not that complicated to make neat and very well shielded connections.

But it's always a good plan to check the local electronics hobby shop. We still have one in the center of Utrecht: radio centrum where they had 1 meter and 2 meter patchcables for a very nice price (competitive with on-line shops) right up for grabs. So the first set of short cables that are always in use for gigabit are now s/ftp category 6 cables. I hope this improves radio reception.

I still think I will order longer cable and keystone connectors and holders for the longer cables.

2016-11-12 Disabling IPv4 on the Raspberry Pi 3 years ago
I have two Raspberry Pi's running in the house, currently with IPv4 still enabled on them. They both run Raspbian 8.0. I was wondering whether I can disable IPv4 on the Raspberry Pi, but a google search does not yield very helpful answers, most of the search terms I try still find pages about disabling IPv6. I want to disable the legacy IP protocol.

Only one way to find out: go for it. Now rebooting one with the statement ipv6only in /etc/dhcpcd.conf.

First thing I noticed was that the searchdomain was not set in /etc/resolv.conf which was indeed only available via the DHCP process for IPv4. So now radvd advertises the search domain via the DNSSL option in /etc/radvd.conf:
   RDNSS 2001:980:14ca:42::18 {
   DNSSL {
The first results are:
  • It turned out the ntp config on the raspberry had one IPv6-only and one IPv4-only server. Added a dual-stack server.
  • And ndpmon really does not like the DNSSL option, even when I add it in the config_ndpmon.xml file as
                        <domain lifetime="600"></domain>
    Fixed by changing it to
                        <domain lifetime="600">^Fidefix^Cnet</domain>
    yes, with literal ctrl-F and ctrl-C characters, showing that there is some error in the parsing somewhere.
  • rwhod is IPv4-only so the status is not visible in my network anymore. A workaround for that is not disabling IPv4 completely but just removing the default route, not using ipv6only in /etc/dhcpcd.conf but using the option nooption routers.

2016-11-10 Backup to .. the cloud! 3 years ago
So I now have some cloudstorage space available also via webdav and I am working on using this for backups. The main idea is to have a daily backup to the cloud service and do the tape backups less often.

I still want incremental backups so I can go back to specific older versions of files. So I want to use amanda for backups. I installed the davfs2 package to be able to mount the webdav filesystem and access it from Linux. The first few clues come from Set Up Virtual Tapes - Amanda Howto but I had to switch to the chg-multi driver as described in Backup to Virtual Tapes on a non-UNIX Filesystem - Amanda Howto because the webdav filesystem does not support symlinks.

I/O performance during the backup isn't ideal and the vdsl uplink is completely full during the filetransfer. Maybe I need to slow down the backup process a bit and ratelimit the webdav transfer.

2016-11-07 The future of the Internet is IPv6 3 years ago
Just read Internet Architecture Board Statement on IPv6 with:
The IAB expects that the IETF will stop requiring IPv4 compatibility in new or extended protocols. Future IETF protocol work will then optimize for and depend on IPv6.

Preparation for this transition requires ensuring that many different environments are capable of operating completely on IPv6 without being dependent on IPv4 [see RFC 6540]. We recommend that all networking standards assume the use of IPv6, and be written so they do not require IPv4. We recommend that existing standards be reviewed to ensure they will work with IPv6, and use IPv6 examples. Backward connectivity to IPv4, via dual-stack or a transition technology, will be needed for some time.

2015-03-05 Am I part of an interesting attack? 5 years ago
Noticeable traffic:
13:06:15.787470 IP (tos 0x0, ttl 110, id 27178, offset 0, flags [DF], proto TCP (6), length 52) > xx.xx.xx.xx.53: S, cksum 0x48c7 (correct), 2310054019:2310054019(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
13:06:16.188187 IP (tos 0x0, ttl 92, id 14152, offset 0, flags [DF], proto TCP (6), length 52) > xx.xx.xx.xx.53: S, cksum 0x2c3a (correct), 1627317698:1627317698(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
13:06:16.588698 IP (tos 0x0, ttl 96, id 64188, offset 0, flags [DF], proto TCP (6), length 52) > xx.xx.xx.xx.53: S, cksum 0x6e9f (correct), 249296256:249296256(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
13:06:16.989469 IP (tos 0x0, ttl 97, id 54770, offset 0, flags [DF], proto TCP (6), length 52) > xx.xx.xx.xx.53: S, cksum 0xa3fc (correct), 3532061815:3532061815(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
13:06:17.390192 IP (tos 0x0, ttl 92, id 5400, offset 0, flags [DF], proto TCP (6), length 52) > xx.xx.xx.xx.53: S, cksum 0xaae9 (correct), 1786797457:1786797457(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
13:06:17.792734 IP (tos 0x0, ttl 81, id 42621, offset 0, flags [DF], proto TCP (6), length 52) > xx.xx.xx.xx.53: S, cksum 0x925d (correct), 3619031271:3619031271(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
13:06:18.193910 IP (tos 0x0, ttl 81, id 6384, offset 0, flags [DF], proto TCP (6), length 52) > xx.xx.xx.xx.53: S, cksum 0x5712 (correct), 841083335:841083335(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
The variation in ttl values suggests a distributed denial of service attack trying to make me part of it.

2015-02-25 Samsung TV decides the Internet is broken 5 years ago
Currently our Samsung 'smart' TV is convinced the Internet is broken and refuses to start any of the applications. According to some network protocol sniffing the TV decides this purely based on a DNS query for which takes an interesting CNAME tour. According to what I can find this hasn't changed when the smart TV stopped working so this must be something in the software in the TV itself.
; <<>> DiG 9.4.2-P2.1 <<>> a
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39167
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;               IN      A

;; ANSWER SECTION:        253     IN      CNAME 3171 IN    CNAME 253 IN      CNAME 2765 IN CNAME 853 IN CNAME 14      IN      A

;; Query time: 0 msec
;; SERVER: 2001:980:14ca:42::18#53(2001:980:14ca:42::18)
;; WHEN: Wed Feb 25 20:20:34 2015
;; MSG SIZE  rcvd: 244
Online there are some similar messages: Smart TV mayhem for Sony and Samsung users after central servers go down, Internet-Ausfall bei Samsung Smart-TV

According to some reports the fix is simple: Users fix Samsung Smart TV down time themselves – Two workarounds known which both hardcode an Akamai IP for and skip the CNAME chain. Remember when DNS manuals told you CNAME chains were a bad idea? They still are, I guess. I implemented the fix locally with pdns-recursor and the export-etc-hosts option which allows me to serve an A record for (the IP I get from the CNAME chain). And indeed, the smart TV applications work again.

2014-03-01 Netgear GS716Tv2 switch and IPv6 management 6 years ago
Sharing my earlier experiences with the hidden telnet interface on the Netgear GS716T switch was appreciated by someone else with a Netgear GS110p switch: "Hidden" CLI interface on Netgear GS110TP. So I guess this is a feature on multiple netgear switches.

And that article made me look at the firmware version, finding in the release notes for the newer version:
New Features:
* Add IPv6 management, IPv6 ACL, and IPv6 DiffServ support.
I like that feature a lot! And indeed, after upgrade and setting the IPv6 management address:

2013-12-16 (#) 6 years ago
I recently wondered what is on offer in access points for home use with dual-radio support, so active on 2.4 GHz and 5 GHz at the same time. There is less interference on the 5 GHz band, but not all devices that use wifi support 5 GHz. And doing 802.11n on 2.4 GHz is antisocial in my opinion, because you then completely disrupt other networks in the neighbourhood.

Coincidentally, Agentschap Telecom turns out to agree with me: Met een combi-router ben je goed voorbereid op de Wi-Fi van de toekomst - Agentschap Telecom.

So ideally I have an access point with dual radio, 802.11n support only on 5 GHz, WPA2 and not too much power consumption. It sometimes seems that 2 access points with different settings could be cheaper to buy than one with all these options, though surely not in power consumption.

2013-12-10 (#) 6 years ago
In its latest mailing Conrad advertises a Conrad POF thuisnetwerkkabel starterkit. But I can't find anywhere how fast data can go over plastic optic fiber (POF). I thought from the past that this was limited to 100 megabit, but maybe there is a new standard that does go up to gigabit.

Plastic optic fiber can be a good approach to bridge longer distances in the house without falling back to ethernet over the power grid. Among the advantages of plastic optic fiber Conrad also lists 'No radiation (electrosmog)'. I would find 'no radio interference' a better description, but of course this appeals more.

2013-11-19 (#) 6 years ago
Interesting DNS problem:
hout0101@monitoring:~$ getent hosts
hout0101@monitoring:~$ telnet 80
telnet: Name or service not known Unknown host
Found out after serious searching that this was caused by the /etc/resolv.conf line:
options rotate
Of the 3 available nameservers, numbers 2 and 3 decided to negatively cache for good reasons earlier. Options rotate counts per program which means the impact isn't that big for short-lived programs. I guess telnet does a query before querying the nameserver for the needed address to connect to.

2013-07-19 (#) 7 years ago
[Image: My speedtest on T-Mobile umts]
The predicted change from KPN to T-Mobile took a bit longer than predicted but it has finally happened. Network speed is now 1 mbit down and 32 kbit up according to speedtest.

Somebody I spoke to about it wondered whether there was a data subscription included at all or this was the rate at which things could get expensive fast but the T-Mobile business website confirms that this is the slowest data subscription available from T-Mobile NL.

2013-05-29 (#) 7 years ago
I checked for updates of NDPMon, an IPv6 neighbour discovery protocol monitor and noticed I was way behind the current times. I also found out it can now monitor multiple network interfaces in one instance of the program, so I can keep an eye on both wired and wireless networks at home.

Do take the advice of using the 'learning' mode of NDPMon as mentioned in the documentation for NDPMon. It makes getting the entire router advertisement into the datafile correctly so much easier. Downside is you have to run at a quiet time and after each IPv6 network reconfiguration.

It would also be nice if NDPMon would report on which interface certain traffic was seen.

Update: Ok, NDPMon still manages to warn about a router configuration it has learned itself. I found a remark in the NDPMon documentation/configuration page:
Under the tag addresses are listed the IPv6 global addresses of the router. This is not required for the tool to work properly, but can be useful is the router send NA messages for its global addresses (to avoid raising NA router flag alerts).
So I added the global IPv6 addresses of the routers, let's see if this decreases the noise.

2013-05-08 (#) 7 years ago
[Image: multicast stream test image: Philips PM5544 testcard]
I had to test some part of the multicast setup on the work network and fired up VLC.

And from the department of 'some things never change' or 'still going strong', Bratislava STV2 testcard is still available under the title 'Monoskop' on vlc url rtp://@ This stream must have been going for years, I remember using it in tests years ago.

And during the day when STV2 has no program, it still transmits an actual Philips PM5544 testcard.

2013-03-09 Searching for source of interference and PLC network 7 years ago
In the search for the source of the interference I do note the Devolo dlan powerline network has lousy performance when I compare the speed the devolo utilities say I will get compared to what iperf says:
koos@metcalfe:~$ dlanlist eth0
Type    MAC address        Mbps TX/RX       Version/Product
local   00:0B:3B:5F:95:AB  ---.-- / ---.--  INT6000-MAC-3-3-3348-00-2764-20080808-FINAL-B devolo dLAN 200 AVplus [MT2165]
remote  00:0B:3B:6F:AE:90   73.50 / 112.88  INT6000-MAC-3-3-3348-00-2764-20080808-FINAL-B
And from iperf:
[  3]  0.0-10.2 sec  1.43 MBytes  1.18 Mbits/sec
Interesting difference of opinion there, 73/112 megabit versus 1.18 megabit.

Update: it helps when I remember the setup of the system: I installed the wondershaper on that system which throttles bandwidth at .. 1 megabit. Re-running the test with the throttle disabled gives totally different results:
[  3]  0.0-120.1 sec    308 MBytes  21.5 Mbits/sec
Testing with udp gives even higher speeds:
[  3]  0.0-120.0 sec  1.34 GBytes  95.6 Mbits/sec
And in the other direction:
[  3]  0.0-120.3 sec    649 MBytes  45.2 Mbits/sec  0.204 ms 1075187/1538185 (70%)

Reception of 2 meter radio doesn't get worse/better during these tests. According to the devolo dlan 200 faq the devices work in the range of 0 to 30 MHz with notches for HF amateur frequencies. With the software defined radio I also see no change in the 2 meter band when running bandwidth tests. Which doesn't say a lot: I can't even find the output from PI3UTR at 145.625 MHz in the output plot, even with a receiver nearby receiving that same signal fine. The output plot does show APRS active on 144.800 MHz.

2012-12-18 (#) 7 years ago
Another thing I puppetized: setting static routes on redhat-like servers. We have two rfc1918 ranges for management network so systems with a public IPv4 address and a management IPv4 address need a static route to the other half of the management network. Time for puppet which distributes the /etc/sysconfig/network-scripts/route-* files and does an ifdown and ifup of the affected interface. Using the variables from facter I can find whether a host is on one of the management IPv4 ranges and on which interface, and create routes accordingly.

2012-11-10 (#) 7 years ago
I just tried to visit Laser charged glowing display - Hack a Day but the page kept loading forever. The problem is with loading page content (images and scripts) from,, All of which seem to be part of wordpress hosting and come via the edgecast content distribution network:
koos@machiavelli:~$ host is an alias for has address has IPv6 address 2606:2800:234:1922:15a7:17bf:bb7:f09
koos@machiavelli:~$ host is an alias for has address has IPv6 address 2606:2800:234:1922:15a7:17bf:bb7:f09
koos@machiavelli:~$ host is an alias for has address has IPv6 address 2606:2800:234:1922:15a7:17bf:bb7:f09
And all suffer from a reachability problem via IPv6:
koos@machiavelli:~$ telnet 80
Trying 2606:2800:234:1922:15a7:17bf:bb7:f09...
Taking a while to fall back to IPv4, which results in long page loading times. I noticed this on other sites too, like pages using gravatar. Which uses the same cdn with the same problem:
koos@machiavelli:~$ host is an alias for has address has IPv6 address 2606:2800:234:124e:17ca:871:eb2:2067
koos@machiavelli:~$ telnet 80
Trying 2606:2800:234:124e:17ca:871:eb2:2067...
Seems edgecast has an IPv6 reachability problem from here (home, xs4all IPv6) but not from other places. I can't reach the edgecast site either since it's on their own network. Or at least I can't via the squid proxy, I can when not using a proxy, since firefox has its own ideas about timeouts.

I tried to notify edgecast via e-mail and twitter.

Update 2012-11-12: Noted by others: WordPress IPv6 Issues - seeing something more like PMTU problems.
And Edgecast is working on it: Thanks, @jmccrohan and @khoos. We're working hard on this right now. More soon. cc @florianoverkamp @cwoodfield
After a few changes and a lot of testing, we believe the IPv6 issue experienced by some users is now resolved.
But I'm still seeing routing issues:
$ traceroute6
traceroute to (2606:2800:234:1df9:13d:1d4e:6b0:10cf) from 2001:980:14ca:61::13, port 33434, from port 44865, 30 hops max, 60 byte packets
 1 (2001:888:0:4401::1)  15.529 ms  14.870 ms  16.175 ms 
 2 (2001:888:0:4403::2)  15.349 ms  16.757 ms  14.426 ms 
 3 (2001:888:1:4005::1)  17.594 ms  16.123 ms  15.212 ms 
 4 (2001:7f8:1::a500:2914:1)  17.108 ms  16.405 ms  15.552 ms 
 5 (2001:728:0:2000::12a)  18.093 ms  17.441 ms  16.083 ms 
 6  * * *         
 7  * * *         
 8  * * *         
 9  * * *         

Update 2012-11-15: More traceroutes to test. It seems the only thing unreachable is exactly the /48 which holds the IPv6 content server(s).

Update 2012-12-07: A network engineer at xs4all contacted Edgecast and got the problem solved pronto. I guess he has a better entry point!
koos@greenblatt:~$ telnet -6 80
Trying 2606:2800:234:1df9:13d:1d4e:6b0:10cf...
Connected to
Escape character is '^]'.

2012-11-04 (#) 7 years ago
Some updates to the findings on playing with a cablemodem after getting access to a second cablemodem. The interesting conclusion is that the first one still seems to be 'blacklisted' as I can't get an answer to DHCP requests when using that one.
