Expat-IT Tech Bits




Search this site:


/ (289)
  Admin/ (123)
    Apache/ (10)
      HTTPS-SSL/ (4)
      PHP/ (3)
      performance/ (2)
    Cherokee/ (1)
    LAN/ (4)
    LVM/ (6)
    Monitoring/ (2)
      munin/ (2)
    SSH/ (6)
    SSL/ (1)
    Samba/ (1)
    VPN-options/ (7)
      OpenVPN/ (1)
      SSH-Proxy/ (3)
      Tinc/ (1)
      sshuttle/ (1)
    backups/ (17)
      SpiderOak/ (1)
      backuppc/ (5)
      dirvish/ (1)
      misc/ (6)
      rdiff-backup/ (1)
      rsync/ (1)
      unison/ (2)
    commandLine/ (24)
      files/ (8)
      misc/ (10)
      network/ (6)
    crontab/ (1)
    databases/ (15)
      MSSQL/ (2)
      MySQL/ (8)
      Oracle/ (3)
      PostgreSQL/ (1)
    dynamicDNS/ (2)
    email/ (11)
      Dovecot/ (1)
      deliverability/ (1)
      misc/ (1)
      postfix/ (7)
      puppet/ (1)
    iptables/ (3)
    tripwire/ (1)
    virtualization/ (9)
      VMware/ (1)
      virtualBox/ (8)
  Coding/ (14)
    bash/ (1)
    gdb/ (1)
    git/ (3)
    php/ (5)
    python/ (4)
      Django/ (2)
  Education/ (1)
  Hosting/ (27)
    Amazon/ (18)
      EBS/ (3)
      EC2/ (10)
      S3/ (1)
      commandline/ (4)
    Godaddy/ (2)
    NearlyFreeSpeech/ (3)
    Rackspace/ (1)
    vpslink/ (3)
  Linux/ (31)
    Android/ (1)
    Awesome/ (3)
    CPUfreq/ (1)
    China/ (2)
    Debian/ (8)
      APT/ (3)
      WPA/ (1)
    audio/ (1)
    encryption/ (3)
    fonts/ (1)
    misc/ (6)
    remoteDesktop/ (1)
    router-bridge/ (3)
  SW/ (45)
    Micro$soft/ (1)
    browser/ (2)
      Chrome/ (1)
      Firefox/ (1)
    business/ (28)
      Drupal/ (9)
      KnowledgeTree/ (6)
      Redmine/ (2)
      SugarCRM/ (7)
      WebERP/ (2)
      WordPress/ (1)
      eGroupware/ (1)
    chat/ (1)
    email/ (1)
    fileSharing/ (2)
      btsync/ (1)
      mldonkey/ (1)
    graphics/ (2)
    research/ (2)
    website/ (6)
      blog/ (6)
        blosxom/ (3)
        rss2email/ (1)
        webgen/ (1)
  Security/ (15)
    IMchat/ (2)
    circumvention/ (2)
    cryptoCurrency/ (1)
    e-mail/ (4)
    greatFirewall/ (1)
    hacking/ (1)
    password/ (1)
    privacy/ (2)
    skype/ (1)
  Services/ (1)
    fileSharing/ (1)
  TechWriting/ (1)
  xHW/ (14)
    Lenovo/ (1)
    Motorola_A1200/ (2)
    Thinkpad_600e/ (1)
    Thinkpad_a21m/ (3)
    Thinkpad_i1300/ (1)
    Thinkpad_x24/ (1)
    USB_audio/ (1)
    scanner/ (1)
    wirelessCards/ (2)
  xLife/ (17)
    China/ (9)
      Beijing/ (5)
        OpenSource/ (3)
    Expatriation/ (1)
    Vietnam/ (7)


  • 2019/06
  • 2016/07
  • 2016/05
  • 2016/02
  • 2016/01
  • 2015/12
  • 2015/11
  • 2015/06
  • 2015/01
  • 2014/12
  • 2014/11
  • 2014/10
  • 2014/09
  • 2014/07
  • 2014/04
  • 2014/02
  • 2014/01
  • 2013/12
  • 2013/10
  • 2013/08
  • 2013/07
  • 2013/06
  • 2013/05
  • 2013/04
  • 2013/02
  • 2013/01
  • 2012/12
  • 2012/10
  • 2012/09
  • 2012/08
  • 2012/07
  • 2012/06
  • 2012/05
  • 2012/04
  • 2012/03
  • 2012/01
  • 2011/12
  • 2011/11
  • 2011/10
  • 2011/09
  • 2011/08
  • 2011/07
  • 2011/06
  • 2011/05
  • 2011/04
  • 2011/02
  • 2010/12
  • 2010/11
  • 2010/10
  • 2010/09
  • 2010/08
  • 2010/07
  • 2010/06
  • 2010/05
  • 2010/04
  • 2010/03
  • 2010/02
  • 2010/01
  • 2009/12
  • 2009/11
  • 2009/10
  • 2009/09
  • 2009/08
  • 2009/07
  • 2009/06
  • 2009/05
  • 2009/04
  • 2009/03
  • 2009/02
  • 2009/01
  • 2008/12
  • 2008/11
  • 2008/10
  • 2008/09
  • Subscribe XML RSS Feed

    Creative Commons License
    This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

    This site has no ads. To help with hosting, crypto donations are accepted:
    Bitcoin: 1JErV8ga9UY7wE8Bbf1KYsA5bkdh8n1Bxc
    Zcash: zcLYqtXYFEWHFtEfM6wg5eCV8frxWtZYkT8WyxvevzNC6SBgmqPS3tkg6nBarmzRzWYAurgs4ThkpkD5QgiSwxqoB7xrCxs

    Fri, 10 Apr 2009

    /Admin/LAN: How to Build Your Own Linux Network Router

    Gentoo is justifiably held in great esteem for their very good documentation. I am going to give you a simplified version of this guide[1], from a Debian perspective, and also, some of the things I do while building a router are simpler by design. Here are a couple other interesting links for background reading: [2][3]

    Why would you want to do this? Cheap commercial routers often do not work very well, choking up on certain kinds of traffic, even locking up regularly so that someone must manually cycle the power to restart them. If you build your own router, you can keep the software up-to-date, which is a big security advantage over the commercial competition. And you can install any software you want on it, like your own web and e-mail server, for instance. This is not meant to be an exhaustive list....

    Start with the cheapest, oldest laptop you can find with the capacity for the number of network cards you want to use (two for a wired *or* wireless local network, three for a wired *and* wireless local network). One network card is needed to connect to the outside world (presumably, the internet) and another one for *each* local network that you want to connect to the internet (typically, a wired and / or a wireless network).

    Note that a really old laptop, like the Pentium One that I use, has no CD and no USB. The easiest way to install Linux on it is to remove the hard drive and place it temporarily in another computer (or a USB enclosure) for the Linux installation. A minimal install is all that is necessary, just enough to get a terminal command prompt and functioning networking. Note that at least on Debian, standard kernels will work right off the shelf. Then replace the newly installed drive in your soon-to-be router.

    Get a Wireless Card that Will Work

    Setting up a router for a wired LAN (Local Area Network) is actually a subset of setting up a wireless router, so I will just describe a wireless router here. (Turning a wireless configuration into a wired configuration just requires a minor alteration or two....) You need a wireless card that will talk to the hostap_cs kernel driver, and also supports "Master" mode. These are not easy to find in, in my experience. I have stumbled across two, one of which broke and I am now having quite a hard time replacing it.

    The orinoco_cs and hostap_cs drivers support many of the same cards. Best to just blacklist the orinoco_cs driver and take your laptop shopping for cards. You really need to test the card before buying it (easy in the second hand Chinese markets I shop in). If you find a card that the hostap_cs driver recognizes, test for Master mode with the iwconfig command:

    iwconfig wlan0 mode Master
    If the card does not like Master mode, you will get an error something like:
    # iwconfig eth1 mode Master
    Error for wireless request "Set Mode" (8B06) :
    SET failed on device eth1 ; Invalid argument.
    If it works, ifconfig will show, in part:
    wlan0 IEEE 802.11b ESSID:"clayton" Nickname:""
    Mode:Master Frequency:2.462 GHz
    (Note the "Mode:Master" part.)

    Configure Networking

    I will avoid great detail here. The most probable options are, your "outside world" network card will either connect directly and probably be called "eth0", or it will connect using PPPOE which you will probably configure with a very simple and straight-forward piece of software called "pppoeconf" and result in a "ppp0" interface. For routing purposes, all you need to know is what the interface is called, and that it works.

    As for the wireless card: give it a static IP and set it to Master mode in /etc/network/interfaces:

    auto eth0
    iface eth0 inet dhcp

    auto wlan0
    iface wlan0 inet static
      wireless-essid somename
      wireless-mode Master
      wireless-channel 11
      wireless-key somepassword

    Note that in the above, eth0 connects to the internet, and therefore in this case I am not using PPPOE. I will address the slightly more complicated case of PPP in /etc/network/interfaces at a later date.

    Set Up Routing and Firewall

    We will do them at the same time because the same software does both! Install the "firehol" package. Then create a /etc/firehol/firehol.conf file as follows:

    # firehol configuration for a masquerading server
    version 5
    # The network of our internal LAN.
    # try "mac  " to filter on MAC addresses
    # blacklist full
    # DHCP needs access.
    interface wlan0 dhcp1
      policy return
      server dhcp accept
    # interface eth0 internet src not "${UNROUTABLE_IPS}"
    interface eth0 internet
       protection strong 10/sec 10
       server "smtp http icmp ssh"  accept
       server donkey2 accept
       server ident reject with tcp-reset
       client all   accept
       # reduce noise in the syslog by dropping this stuff silently
       server "dhcp samba" drop
    interface wlan0 wlan src "${home_ips}"
       policy reject
       server "http dns ssh icmp" accept
       client all   accept
       # server dhcp drop
    interface eth1 lan src "${home_ips}"
       policy reject
       server "http dns ssh icmp" accept
       client all   accept
    router internet2wlan inface eth0 outface wlan0
       masquerade reverse
       client all      accept
       server ident    reject with tcp-reset
    router internet2lan inface eth0 outface eth1
       masquerade reverse
       client all      accept
       server ident    reject with tcp-reset

    There are tutorials out there that will step you through the creation of this file, which is how I started, but if you are careful about the customizaion process, you should be able to use my config as your starting point.

    Some salient points:

    DHCP with dnsmasq

    Install the dnsmasq package. Add the following line to /etc/dnsmasq.conf:


    Restart dnsmasq, and your router should now respond to DHCP requests from the wireless network.

    Wasn't that simple? Comments / errata welcome.

    [1] http://www.gentoo.org/doc/en/home-router-howto.xml
    [2] http://www.bit-tech.net/bits/2008/06/27/build-your-own-router/1
    [3] http://thoughtattic.com/security/MakeYourOwnRouter.html

    posted at: 03:32 | path: /Admin/LAN | permanent link to this entry

    Fri, 26 Sep 2008

    /Admin/LAN: Wondershaper: Give Interactive Users Priority

    Over Downloaders / Uploaders

    If you have a LAN where downloads / uploads that you have no direct control over are saturating your internet connection, "wondershaper"[5] is a relatively simple solution: cap total download and upload bandwidth so as not to saturate the connection, and give interactive users priority use of bandwidth. The tricky part is tuning, as wondershaper is invoked by:

    wondershaper eth0 1000 300

    where the first number is supposed to be maximum sustained download rate, and the second should be maximum sustained upload rate. Note that wondershaper must be run on your router, on the internet-facing ethernet interface (here, "eth0").

    Unfortunately, at least where I live (in Asia) available bandwidth can be highly variable with the day of the week and the time of the day. No bandwidth guarantees. Just be happy both the ISP network and the power are up today....

    I used various "speedtest" websites[1][2][3][4] to get some numbers. Note that the units of the wondershaper parameters are kilo BITS per second, *not* kilo BYTES per second, so the numbers will be quite a lot bigger then you might think. Docs emphasize experimenting to find the right numbers.

    In practice, I find myself keeping a terminal open on my wireless router, and tuning wondershaper sometimes several times a day. If interactive response (ie. surfing, etc.) is sluggish, I reduce the parameters. And sure enough, in my own download client, I will see an immediate reduction in bandwidth consumption. If I am going out or working "offline" for a while, I increase the parameters, or turn wondershaper off entirely.

    The nearest thing I can find to upstream for wondershaper is here[6]. Its a shame the author did not document his work in greater detail, because reading the source (a script) is not helpful either. The script is very compact, but I have no idea what it is doing without becoming an expert on "Linux Advanced Routing & Traffic Control"[7].

    [1] http://wwitv.com/speedtest/asia.htm
    [2] http://www.speedtest.jp/
    [3] http://www.sijiwae.net/speedtest/
    [4] http://www.numion.com/
    [5] http://packages.debian.org/unstable/net/wondershaper
    [6] http://lartc.org/wondershaper/
    [7] http://lartc.org/

    posted at: 09:41 | path: /Admin/LAN | permanent link to this entry

    Mon, 22 Sep 2008

    /Admin/LAN: (Not Working) Use CBQ.init to Control / Limit Bandwidth Useage by IP

    Otherwise known as "bandwidth shaping".

    Next (in Debian) install the "shaper" package, which contains the CBQ.init[1] init script. Its not very well documented, but there is a little bit[2]. The best source for information in the installed package is the comments of the script itself: /etc/init.d/shaper.

    I dropped the hammer on my bandwidth abuser by creating two files: /etc/shaper/cbq-20.101-internet:

    and /etc/shaper/cbq-20.internet-101:

    Note that this configuration has on the wlan0 wireless network, and eth0 is the internet-facing interface.

    If you wish to watch the bandwidth in real-time, install the "nload" terminal utility. And of course, do not forget to restart shaper:

    /etc/init.d/shaper restart

    According to the docs, shaper can do a lot more complicated things, like limiting aggregrate traffic to a block of IPs, or limiting traffic to a specified port. It also would appear to be able to use priorities and the concept of aggregation to allow a lower priority user to borrow unused bandwidth from a higher priority user.

    Unfortunately, as of this writing, shaper / CBQ.init seems to be not working. It seems to make the network almost unusable for the user being capped, no matter how big the RATE setting. I have issued a bug report and will continue investigating.

    [1] http://sourceforge.net/projects/cbqinit/
    [2] http://www.faqs.org/docs/Linux-HOWTO/Bandwidth-Limiting-HOWTO.html#CBQ

    posted at: 08:23 | path: /Admin/LAN | permanent link to this entry

    /Admin/LAN: How to Monitor Bandwidth Useage on your LAN

    Suppose you have roomates who like downloading, and "someone" does not have the common-sense to limit their download rate, bringing your whole network to its knees so that no one else can get anything done. Suppose this goes on all day. Suppose you also just happen to be the one providing wireless to the whole house with your very own home-made Linux wireless router. That makes dealing with bandwidth hogs much easier.

    First step: collect date. Install apache and the bandwidthd package on your wireless router. Create a /var/www/bandwidth directory, and edit /etc/bandwidthd/bandwidthd.conf to tell it to put the graphs it generates in that directory (/var/www/bandwidth) and which network interface to monitor (wlan0):

    htdocs_dir "/var/www/bandwidth"
    dev "wlan0"

    Start bandwidthd, wait a couple of minutes, then point your web browser at

    where is assumed to be the IP address of your wireless router. You will be presented with a graph of the bandwidth rate and total useage of every IP (computer) pushing traffic through the selected network interface (wlan0 in this example).

    It should soon become apparent who the culprit is.

    posted at: 08:18 | path: /Admin/LAN | permanent link to this entry