Posts Tagged ‘network’


Google Fiber – Gigabit Speeds, Your Router Part 2: QoS

25 February 2014 – 22:06 CST

This is a continuation of Google Fiber – Gigabit Speeds, Your Router.  Part 1 covered the required VLAN configuration.  Here, we walk through the QoS settings you’ll need to get your upload speed over 10Mb/s using a Netgear GS108Tv2 switch.

Part 2: QoS

The QoS settings are tricky, and how to set them up varies widely from switch to switch.  The GS108T is probably a little worse than most.  It isn’t a Cisco 2800.  It also doesn’t cost what a 2800 does.  First, ignore the first section under QoS called “CoS”.  For our purposes, it is useless.  Skip it and go to the DiffServ section.

For review, the QoS settings we need are:

  • DHCP traffic should have 802.1p bit = 2
  • IGMP traffic should have 802.1p bit = 6
  • All other internet traffic 802.1p bit = 3

Technically, we only need the settings for “all other internet traffic”, but to play nicely, make it less likely that Google has a problem with our router, and for completeness, we’ll set up all three as above.

The 108’s QoS is configured in three parts: class, policy, and service.  They must be configured in this order, and unconfigured (if you choose to do so) in reverse order.  The class sets up the matching rules, the policy modifies the packets to include the proper QoS bits, and the service applies the rules to a switch port.
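As an added example (not code from the original post), here is a small Python model of what the three classes and the “Mark COS” policy do to a frame on VLAN 2, using the ports and 802.1p values listed above. The frame builder produces constructed sample frames, not captures; the audit function compares the PCP a frame actually carries with the value the policy should have set, which is a handy check on a capture taken on the OTN side of the switch.

```python
import struct

WAN_VLAN = 2                                  # the OTN/router VLAN from Part 1
COS_DHCP, COS_IGMP, COS_DEFAULT = 2, 6, 3     # 802.1p values the post requires
ETH_8021Q, ETH_IPV4 = b"\x81\x00", b"\x08\x00"
IPPROTO_IGMP, IPPROTO_UDP = 2, 17

def parse_tagged_frame(frame: bytes) -> dict:
    """Pull VLAN ID, PCP (802.1p), IP protocol and UDP ports out of an 802.1Q frame."""
    if len(frame) < 18 or frame[12:14] != ETH_8021Q:
        raise ValueError("not an 802.1Q-tagged frame")
    tci = struct.unpack("!H", frame[14:16])[0]
    info = {"pcp": tci >> 13, "vlan": tci & 0x0FFF,
            "proto": None, "sport": None, "dport": None}
    if frame[16:18] == ETH_IPV4 and len(frame) >= 38:
        ip = frame[18:]
        ihl = (ip[0] & 0x0F) * 4
        info["proto"] = ip[9]
        if info["proto"] == IPPROTO_UDP and len(ip) >= ihl + 4:
            info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info

def expected_cos(info: dict):
    """The DHCP, IGMP and Default classes in policy order; None = no class matches."""
    if info["vlan"] != WAN_VLAN:                      # every class requires VLAN 2
        return None
    if info["proto"] == IPPROTO_UDP and info["sport"] == 68 and info["dport"] == 67:
        return COS_DHCP                               # client 68 -> server 67
    if info["proto"] == IPPROTO_IGMP:
        return COS_IGMP
    return COS_DEFAULT                                # "all other internet traffic"

def mark_cos(frame: bytes, pcp: int) -> bytes:
    """What 'Mark COS' does: rewrite the 3 PCP bits of the TCI, keep DEI and VLAN ID."""
    tci = struct.unpack("!H", frame[14:16])[0]
    return frame[:14] + struct.pack("!H", (pcp << 13) | (tci & 0x1FFF)) + frame[16:]

def audit(frame: bytes):
    """Return (PCP the frame carries, PCP the policy should have set)."""
    info = parse_tagged_frame(frame)
    return info["pcp"], expected_cos(info)

def build_frame(vlan: int, pcp: int, proto: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed sample frame (not a capture): Ethernet + 802.1Q + minimal IPv4 + L4 header."""
    l4 = struct.pack("!HHHH", sport, dport, 8, 0) if proto == IPPROTO_UDP else b"\x11\x64\x00\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff")
    eth = (b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + ETH_8021Q
           + struct.pack("!H", (pcp << 13) | vlan) + ETH_IPV4)
    return eth + ip + l4
```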

Choose Advanced > DiffServ Configuration

Class Configuration

Add the three classes, but don’t configure them yet.  Enter DHCP into the Class Name box, select All from the Class Type. (All is the only choice.)  Click the Add button from the bottom right.  Do the same for IGMP and Default.

GS108T: Classes

Click on the class you created for DHCP.  Enter the following settings, leave the rest blank.

  • VLAN = 2
  • Source L4 Port = Other 68
  • Destination L4 Port = Other 67

GS108T: QoS: Class: DHCP

Click the apply button in the lower right.

Go back to the Class Configuration screen, and configure the IGMP class.  Leave the other settings blank.

  • VLAN = 2
  • Protocol Type = IGMP (Ignore the box, it will fill itself)

GS108T: QoS: Class: IGMP

Click the apply button in the lower right.

Go back to the Class Configuration screen, and configure the Default class.  Leave the other settings blank.

  • VLAN = 2

GS108T: QoS: Class: Default

Click the apply button in the lower right.

Policy Configuration

Basically, the policy is where you’re going to tell the switch what to do with the packets that match the classes you set up.  This is also one of the nasty places in the UI where it is easy to think you’re stuck.

Go to Policy Configuration.  Please read the next couple of paragraphs carefully before continuing.  The way you create the policies is a little confusing.

Enter a policy name of GF and select DHCP as the member class.  Click the Add button in the lower right.

Now, to add the IGMP policy, check the box next to the row you just created for the DHCP policy, and select IGMP as the member class.  Click the Apply button in the lower right.  The reason it works this way is because you need to group all of your classes under one policy.  The Add button will add a new policy, which is not what you want.  You want to add a class to the policy you already created.  Confusing until you understand what the UI is doing.

To add the Default policy, check the box next to the row you just created for the IGMP policy, and select Default as the member class.  Click the Apply button in the lower right.  Your screen should look like so:

GS108T: Policies: Assigning the classes

Note: If you need to remove a class from the policy, you have to do so from the bottom up.  Make sure you re-add any you removed in the way and order described above.  Once you set a policy’s configuration (next section), you will have to delete the policy to change it.  This means that if you need to change the policy for the DHCP class, you will have to remove both the Default and IGMP classes from the policy first.

To set the policy for the DHCP class, click on GF on the first row where DHCP is the member class.

Select the Policy Attribute > Mark COS and set the value to 2.  Make sure you mark the radio button for Mark COS.

GS108T: QoS: Policy: DHCP

Click the apply button in the lower right.

Go back to the Policy Configuration.

To set the policy for the IGMP class, click on GF on the second row where IGMP is the member class.

Select the Policy Attribute > Mark COS and set the value to 6.  Make sure you mark the radio button for Mark COS.

GS108T: QoS: Policy: IGMP

Click the apply button in the lower right.

Go back to the Policy Configuration.

To set the policy for the Default class, click on GF on the third row where Default is the member class.

Select the Policy Attribute > Mark COS and set the value to 3.  Make sure you mark the radio button for Mark COS.

GS108T: QoS: Policy: Default

Click the apply button in the lower right.

Service Configuration

Almost there.  Go to the Service Configuration.

Mark the box next to g2 and choose the policy GF.

GS108T: QoS: Service Configuration

Note: g2 is not a typo.  This isn’t true of all switches, but here make sure to choose your router’s WAN port for the service configuration.  The GS108T QoS only acts on packets coming into a switch port, not packets leaving a port.  You need to mark the packets as they leave the router and enter switch port 2; they then go out switch port 1 to the OTN already marked.

Click the apply button in the lower right.

Conclusion

That’s it.  Go back and run your speed test and compare it with your baseline to make sure everything is working properly.

If you need to make adjustments to the QoS, you’re going to have to walk backwards through the configuration.  That means first removing the policy in the Service Configuration.

If you have questions, come find us on the Google Fiber thread, or the pfSense thread, or leave them in the comments below.

Google Fiber – Gigabit Speeds, Your Router Part 1: VLANs

25 February 2014 – 22:03 CST

Google Fiber is great.  True symmetric gigabit speeds — both downstream and upstream — for $70/month.  ComcastTimeWarner should be shaking in their market monopoly boots.

Background

However, the Google Fiber “Network Box” (GFNB) is, to put it plainly, a piece of junk.  This device is what we know as a router.  Any advanced feature such as port forwarding is allowed in the advanced interface, but may or may not work.  Not much else is supported.  Unlike any other $20 router, there is no bridge mode, no way to turn off the DHCP server, no DMZ, etc.  At one point while I was trying to troubleshoot a port forwarding issue, the GFNB created a hidden (read: could-not-be-deleted-because-it-wasn’t-visible) access rule that prevented my main computer from getting online at all.  A factory reset was required to fix this.  A group of us on the Google Fiber product forums decided to pool our knowledge and figure out how to use our own router, despite the insistence from Google that this was either not possible, or only with a double NAT — their router had to remain between you and the Interwebs.

Following a tip which set us on the right path, Atlantisman did most of the hard work to figure out how to get pfSense set up, so all due credit to him and JeffV in the GF product forum and the pfSense forums.  Atlantisman wrote up how to set up pfSense, and gave some general guidance about the switch.  This post will focus on setting up the Netgear GS108Tv2.  The switch configuration falls into two main parts: setting up the VLANs, and the QoS.  pfSense is not required; most any modern router will do, but a VLAN + QoS capable switch is required.  The VLAN configuration is required to get your router online.  Without the proper QoS, uploads are limited to 10Mb/s.

The following assumes that you’re following Atlantisman’s guide.  Specifically, you have port 1 plugged into your OTN and port 2 plugged into the WAN port of your router of choice.

One more note: I’ve had a bunch of trouble with the Google Fiber speed test lately.  I recommend running an initial test with the GFNB before you make any modifications to the network to get a baseline.  You may wish to also get some baseline numbers from speedtest.net.

Optional: UI Session Timeout

The default idle timeout for the 108’s UI is 5 minutes.  I find this annoying when I’m trying to comprehend their manual and change settings.  If you want to change this, go to Security > Access > HTTP Configuration > Soft Session Timeout and set it to something more reasonable.  I have mine at 30 minutes.

Part 1: The VLANs

The traffic in and out of the OTN (the Fiber Jack) must be tagged with VLAN2.  The easiest way to do this is to put the OTN and your router on VLAN2, and everything else on VLAN1.  In the GS108T, you must set up the VLAN in two different places.

First, to avoid any troubles, disable the Voice VLAN in Switching > Voice VLAN > Properties.  You won’t be able to dedicate VOIP applications to VLAN2 with this switch because the OTN already uses it.

GS108T: Voice VLAN

Port Grouping

Next, configure the port grouping.  Go to Switching > VLAN.  From the menu on the left, choose Advanced > VLAN Membership.  Don’t bother trying to rename the first 3 VLANs.  It won’t let you.

Ensure that VLAN ID 1 is selected, click the annoyingly small triangle next to the word PORT, and then click each port (3 – 8) until they all say ‘U’.

GS108T: VLAN1 - Grouping

Note: I have port 3 ungrouped in the screenshot here because I am using it for other purposes.

Click the apply button in the lower right.

Select VLAN ID 2 from the drop down, click the annoyingly small triangle next to the word PORT, and then click port 1 to make it say ‘T’.  Click port 2 to make it say ‘U’.

GS108T: VLAN2 - Grouping

Click the apply button in the lower right.

Port Assignment

Choose Port PVID Configuration from the menu on the left.  Mark the boxes for g1 and g2, enter a value of 2 into the box PVID Configured.  Click the apply button in the lower right.

GS108T: Port Assignment

Note: I have port g3 assigned to VLAN3 in the screenshot here because I am using it for other purposes.

That’s all there is to the VLAN configuration.  Your router, pfSense or otherwise, should now be able to obtain a public address from the Google DHCP server, and you can get online.  At this point, you should stop and make sure your router is functioning correctly, and that you’re able to run a speed test.

Upload speeds are limited to 10Mb/s until you get QoS configured, but it is better to get the VLAN configuration settled and confirmed working before moving on.
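To see what the membership and PVID settings above actually do, here is an added Python model (not from the post or the switch) of the GS108T’s 802.1Q ingress and egress decisions for the configuration as described: port 1 tagged on VLAN 2, port 2 untagged on VLAN 2, both with PVID 2, and ports 3 to 8 untagged on VLAN 1. It shows why the router’s WAN side only ever talks to the OTN and why a stray VLAN 1 frame on the OTN port goes nowhere.

```python
# Port membership exactly as configured in the post: 'T' = tagged, 'U' = untagged.
MEMBERSHIP = {1: {2: "T"}, 2: {2: "U"}, **{p: {1: "U"} for p in range(3, 9)}}
# Port PVID: g1 and g2 were set to 2; the LAN ports keep the default of 1.
PVID = {1: 2, 2: 2, **{p: 1 for p in range(3, 9)}}

def ingress_vlan(port: int, tag_vid=None):
    """802.1Q ingress: an untagged frame takes the port's PVID; a tagged frame is
    accepted only if the port is a member of that VLAN, otherwise it is dropped."""
    if tag_vid is None:
        return PVID[port]
    return tag_vid if tag_vid in MEMBERSHIP[port] else None

def egress_ports(vid: int, in_port: int) -> dict:
    """Every other member port of the VLAN, with 'T'/'U' for how the frame leaves."""
    return {p: m[vid] for p, m in MEMBERSHIP.items() if vid in m and p != in_port}

def forward(in_port: int, tag_vid=None) -> dict:
    """Flood model for a broadcast (e.g. the router's DHCP Discover) arriving on in_port.
    Returns {out_port: 'T' or 'U'}; an empty dict means the frame was dropped."""
    vid = ingress_vlan(in_port, tag_vid)
    return {} if vid is None else egress_ports(vid, in_port)
```

The router’s untagged DHCP Discover on port 2 comes out of port 1 tagged VLAN 2, the OTN’s tagged reply on port 1 comes out of port 2 untagged, and traffic from the LAN ports never reaches either of them.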

 

Update 15 Aug 2014: Atlantisman’s guide is back on dropbox, and has a few updates so I’ve changed the links in the post back directly to his guide.  The archived guide is still available if needed.

Next – Part 2: QoS

If you have questions, come find us on the Google Fiber thread, or the pfSense thread, or leave them in the comments below.

 

Talking to your IT admins

21 June 2008 – 16:02 CST

Looking for thoughts/ideas on how to talk to an IT admin. Started a job a few weeks ago where basically everything outbound except http and https is blocked. This means that ssh tunneling does not work. The traffic is packet inspected by the firewall and the http proxy requires authentication, so just moving ssh to port 443 doesn’t work either. The web traffic is filtered, so many things are blocked including gmail.

I’ve looked into solutions like corkscrew but it looks like it is going to take me a combination of ssh-over-https-proxies to get through it, because some of the tools only support Basic auth and the ISA server only accepts NTLM, Kerberos, and something else. It would be much easier to get to my box at home with its “library of files and tools” if they would just open up port 22.

I’m looking for anyone with ideas on how to talk to the IT admin staff about this. I’ve emailed them several times, and am not getting any response at all. I even included my MAC addresses and suggested they just unblock those. I’ve talked to my supervisor, and so far no luck – they mostly just don’t know what to do about it and the answers provided by the IT team range from the absurd to just dumb. Unfortunately, this is the same IT staff who:

– don’t know that terminal services is running on one of the windows 2003 servers I need access to (or insist that it isn’t running on the system at all)
– apparently when their company bought our company, dismantled the VPN because it was “insecure”
– set up a remote terminal services system exposed to the internet with the entire thing locked down (only one app is available, and the start menu is useless) as a solution for VPN/remote access.
– block gmail because it “has viruses”
– refuse to give the software developers, including those writing drivers, admin rights to their windows box

I don’t know who is responsible for these guys or who made up these “policies” but it seems like they just do whatever they want. My impression is that this team (who work out of the parent company’s office) is led by a guy who only cares that giving local admin rights to anyone would supposedly cause him to have to do more work to fix broken systems. Obviously that means that he is actively interfering with the business process of the org, but since no one seems to know what to do about it I’m throwing it out there to the three readers of this journal :)

How would you talk to your IT administrators about opening up port 22? Unblocking gmail? Putting the VPN back up? The only way the developers have admin rights on their own computers is the local VPs have domain admin rights to log in and let us reconfigure our own boxes – but this is not something we discuss with or even talk to the IT people about, which I don’t think is right, but we don’t seem to have much choice because they’re basically uncooperative. The local folks can’t modify the network or add new services like VPN though.

So how would you talk to windows sysadmins and convince them that they’re being unreasonable?

No more spying

18 October 2006 – 20:58 CST

So I came across a page last night titled SSH Tunneling For Dummies. Now I’m no dummy, but there are a few things I still don’t know. I was hunting for an easy way to tunnel my IM traffic to an external system, outside of my corporate network, to keep Big Brother out. Francks’s setup assumes that you just want to proxy out your web browsing. But what if you could do more?

It turns out that Gaim supports the use of a SOCKS proxy. I don’t recall ever having used one of these before, but I figured I’d give it a shot. Turns out that openSSH can act as a SOCKS server. I had no idea. The bottom line is that any client application which supports the use of a SOCKS proxy can be tunneled over SSH.

This means that a) the traffic looks like ssh traffic to anyone watching and b) the traffic itself is encrypted until it reaches the SOCKS proxy. It works amazingly well. The easiest way on a Windows client system is really to install Cygwin and make sure that the ssh packages get installed. Then you just have to run

ssh -Dlocalport username@desthost

where localport is something >1024 (to avoid conflicts) like 1080. It doesn’t really matter to the network which port you choose. Anyone watching will only see that you’ve got an outbound ssh connection to a remote server. If they look carefully, they may see that your system is listening on 1080, so picking a high random port may or may not make more sense. Or there is probably a way to bind the listener only to 127.0.0.1.

Obviously, this won’t stop your boss from peering over your shoulder. But it will stop the corporate network hounds from sniffing your traffic.